Hacker News
by tptacek 996 days ago
This comment is cringe enough that it is making the rounds on multiple Slacks. It's fine that you've never heard of Curve448. That just means you're not a cryptography engineer. Most people aren't! But if you're not one of those, be a little careful about connecting the dots to things like "Crypto AG". Saying "I've never heard of Curve448, it sounds sketchy" is a little like a systems programmer saying "I've never heard of Paxos before, it sounds sketchy". Most systems programmers are never going to do anything with Paxos. But all the competent ones can look it up in about 20 seconds and confirm that it isn't a conspiracy.
1 comments

Damage control Slacks?
No, Curve448 is as good as can be per public knowledge, see https://safecurves.cr.yp.to/. What one could expect given Rambus's history is undisclosed patents, possibly on the most efficient hardware implementation. They have been known to get their tech standardized (not disclosing IP claims) and come back at adopters with patent violation suits.
Curve448 was published almost 10 years ago. What aspects of it could have been patented, and what patents does Rambus have covering those claims?
Cryptography Research patented quite a few DPA/SPA countermeasures; if there is a non-obvious patent on Curve448, it will likely be one of those making it hard to make a non-infringing, fast yet not vulnerable HW implementation... Given their business in licensing those countermeasures (https://www.rambus.com/security/dpa-countermeasures/licensed...), one can see their eagerness to get some curves in widely used standards as suspicious in that light.

I'm not really concerned, but I also understand why one wouldn't implement anything Rambus-related given their history of patent trolling...