Gregory Maxwell [ARCHIVE] /
npub1f2n…rwet
2023-06-07 18:09:35
in reply to nevent1q…lrjs


📅 Original date posted: 2018-01-22
📝 Original message:

On Mon, Jan 22, 2018 at 7:21 PM, Russell O'Connor
<roconnor at blockstream.io> wrote:
> At this point, is it better just to use GF(2^256+n)? Is GF(2^256+n) going
> to be that much slower than GF(2^8) that we care to make things this
> complicated? (I honestly don't know the answer.)

I expect it would be, especially since operations must be implemented
in side-channel-resistant manners.

Also, binary extension fields are going to have linear subgroup
properties where leaking part of elements wouldn't be good. Not as
obviously broken as the example I gave above, but still in the domain
of "get chunks of a lot of a supra-threshold set of shares, and set up
a lattice basis problem that can provide an efficient subspace to
search".
Author Public Key
npub1f2nvlx49er5c7sqa43src6ssyp6snd4qwvtkwm5avc2l84cs84esecrwet