Correct, but my point was that even if they're slower, we do have complete formulas that aren't the nightmare djb describes.
I do reckon however that having to chose between speed and safety is a big problem. Someone is bound to go the fast route and screw up some special case, or leak timing information.
I didn't know about possible patents, that sucks. (I live in the EU though, so I can still give them the finger if I need to.)
In any case, the best general purpose thing we have now is probably Decaf/Ristretto over (twisted) Edwards curves. Fast complete formulas and a prime order group. Dealing with the cofactor is not too hard, but it's not trivial either: http://loup-vaillant.fr/tutorials/cofactor
(I still love Montgomery curves for variable base scalar multiplication.)
> I didn't know about possible patents, that sucks. (I live in the EU, though, so I can still give them the finger if I need to.)
Hamburg made this IP risk pretty clear in the paper, for a bit more context on it, see [1]. Because in the U.S. you have a full year before you even need to file a patent after publishing, we'll still have to wait and see if Hamburg's employer files a patent on his method. If they don't, nice; if they do, fucking hell this is why we can't have nice things. Renes/Costello/Batina is unencumbered as far as I know.
I do reckon however that having to chose between speed and safety is a big problem. Someone is bound to go the fast route and screw up some special case, or leak timing information.
I didn't know about possible patents, that sucks. (I live in the EU though, so I can still give them the finger if I need to.)
In any case, the best general purpose thing we have now is probably Decaf/Ristretto over (twisted) Edwards curves. Fast complete formulas and a prime order group. Dealing with the cofactor is not too hard, but it's not trivial either: http://loup-vaillant.fr/tutorials/cofactor
(I still love Montgomery curves for variable base scalar multiplication.)