just sayin, they also left out the koblitz version of P256, which is our known and loved secp256k1
the propaganda campaign against the koblitz curve was incredible, yet somehow they have given ed25519 a pass... which smells pretty fishy to me, almost like, they KNOW that the koblitz curve is even more secure than the edwards twisted curve
the only solution, as i see it, is a noise protocol implementation that uses sha256 and secp256k1 for HMAC, and i started on building one for #golang
i already spotted this egregiously obvious manipulation in the "academic" scene years ago, and i'm pretty sure that nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 picked bip-340 secp256k1 X-only schnorr signatures for #nostr
you know why i don't trust edwards?
because all the shitcoins used it
because your precious fucking rust favors it
funny how still there is no viable shortcut to bruteforcing bitcoin's koblitz curve group now isn't it?
nice to see that you are thinking about this though, welcome to the NIST cryptography skeptics club
I have to agree on this one. ed25519 is suspicious by association.
I don't think the koblitz curve is bad as long as you program around its shortcomings. I didn't know there was an intense campaign against secp256k1. That is somewhat suspicious.
But secp256k1 does have some problems that ed25519 clearly does not have. It has some mathematical properties which open up certain kinds of attacks on the discrete log problem (several low numbered CM field discriminants, ladder cofactor of 1) and it has some properties making it hard to code correctly, specifically that the keys are not indistinguishable from random bits, and you cannot use just any sequence of random bits as a secret key. Nonetheless it hasn't been effectively cracked.
ed25519 has been given a "pass" because it has proven "nothing up its sleeve" without any of these theoretical shortcomings. So I really am not suspicious of it. But notice that it was given a pass NOT by actual browsers, just by the RFCs. The actual browsers leave it out.
Everybody here seems to worship Satoshi and distrust everybody else, and you are welcome to make your choices. But I don't agree.
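The "not every 32 random bytes is a secret key" point above, as an added worked example that is not part of the thread: a pure-Python secp256k1 key-range check with rejection sampling, plus the BIP-340 x-only public key derivation (constructed for illustration; assumes Python 3.8+ for `pow(x, -1, P)`).

```python
# Added example (not from the thread): secp256k1 secret keys are integers
# d with 1 <= d <= N-1, so a raw 32-byte string must be range-checked,
# unlike ed25519 where any 32 bytes are accepted after clamping.
import secrets

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Double-and-add; illustrative only, not constant-time."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def is_valid_secret_key(key32: bytes) -> bool:
    """True only for 1 <= d < N; all-zero and >= N inputs are rejected."""
    d = int.from_bytes(key32, "big")
    return 1 <= d < N

def generate_secret_key() -> bytes:
    """Rejection sampling: redraw when out of range (about 2^-128 per draw)."""
    while True:
        candidate = secrets.token_bytes(32)
        if is_valid_secret_key(candidate):
            return candidate

def xonly_pubkey(key32: bytes) -> bytes:
    """BIP-340 x-only public key: 32-byte x coordinate, y parity dropped."""
    if not is_valid_secret_key(key32):
        raise ValueError("secret key out of range for secp256k1")
    x, _y = scalar_mult(int.from_bytes(key32, "big"))
    return x.to_bytes(32, "big")
```

Note that d and N-d produce the same x-only key, which is why BIP-340 signers negate the secret key to fix the parity.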
yeah, i seem to recall that there is a problem with the koblitz curve with relation to hierarchical deterministic keychain derivations, some weakness that made it easier to figure out upstream keys if you breach a downstream one
also if i remember correctly, the signature calculation for ed25519 is a little faster than even schnorr secp256k1, though that might just be because of using blake2, now i think about it
we have secp256k1 schnorr signatures in our relay and client libraries, and they are battle tested, and also most platforms now have a SIMD implementation of SHA256 which closes the gap a lot
there is a big element of contrarian anti-hipster in the nostr and bitcoin culture though, *except* for a large part of those who are instrumental in approving everything and elevated to high visibility artificially by the people running primal
not trusting things that are being deceptively promoted seems like a wise tactic in my view
progressivism in all its forms seems to quickly devolve into debauchery