Skip to main content

curve

Elliptic curve arithmetic

About the Curve Itself

Field Size: 168 bits Field Modulus (p): 481 2^159 + 3 Equation: x^2 + y^2 = 1 + 122 x^2 * y^2 Parameters: Edwards Curve with d = 122 Curve Order (n): 351491143778082151827986174289773107581916088585564 Cofactor (h): 4 Generator Order (q): 87872785944520537956996543572443276895479022146391

About the Curve's Security

Current best attack security: 81.777 bits (Small Subgroup + Rho) Rho Security: log2(0.884 * sqrt(q)) = 82.777 bits Transfer Security? Yes: p ~= q; k > 20 Field Discriminant Security? Yes: t = 27978492958645335688000168 s = 10 |D| = 6231685068753619775430107799412237267322159383147 > 2^100 Rigidity? No, not at all. XZ/YZ Ladder Security? No: Single coordinate ladders are insecure. Small Subgroup Security? No. Invalid Curve Security? Yes: Points are checked before every operation. Invalid Curve Twist Security? No: Don't use single coordinate ladders. Completeness? Yes: The curve is complete. Indistinguishability? Yes (Elligator 2), but not implemented.

Show raw api
{
    "functions": [],
    "properties": [],
    "types": [],
    "name": "curve",
    "desc": "Elliptic curve arithmetic\n\n## About the Curve Itself\nField Size: 168 bits\nField Modulus (p): 481 * 2^159 + 3\nEquation: x^2 + y^2 = 1 + 122 * x^2 * y^2\nParameters: Edwards Curve with d = 122\nCurve Order (n): 351491143778082151827986174289773107581916088585564\nCofactor (h): 4\nGenerator Order (q): 87872785944520537956996543572443276895479022146391\n\n## About the Curve's Security\nCurrent best attack security: 81.777 bits (Small Subgroup + Rho)\nRho Security: log2(0.884 * sqrt(q)) = 82.777 bits\nTransfer Security? Yes: p ~= q; k > 20\nField Discriminant Security? Yes:\n   t = 27978492958645335688000168\n   s = 10\n   |D| = 6231685068753619775430107799412237267322159383147 > 2^100\nRigidity? No, not at all.\nXZ/YZ Ladder Security? No: Single coordinate ladders are insecure.\nSmall Subgroup Security? No.\nInvalid Curve Security? Yes: Points are checked before every operation.\nInvalid Curve Twist Security? No: Don't use single coordinate ladders.\nCompleteness? Yes: The curve is complete.\nIndistinguishability? Yes (Elligator 2), but not implemented.",
    "source": {
        "line": 33,
        "path": "src/ellipticcurvecryptography/src/Shared/EllipticCurveCryptography/curve.lua"
    }
}