by cryptbe 4660 days ago
So maybe we should generate our own curves. I propose something as follows:

1. Locate a public string. A tweet or a quote should suffice.

2. SHA-512 the string to obtain a seed.

3. Use that seed to generate b, and calculate N = #E(Fp) = n * h, and choose a base point P. Of course we need to ensure that these parameters are safe against known attacks.

4. Mandate that the new set of parameters MUST be supported wherever NIST prime curves are supported.

The last step is probably the most difficult. You don't need that if you don't need to interoperate with other implementations though.
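A toy, runnable walk-through of steps 1 to 3 and the "safe against known attacks" screen, added here as an example and not code from the thread or from any standard. It assumes a constructed 15-bit prime (so that naive O(p) point counting is feasible; a real curve would use a 256-bit prime and Schoof/SEA counting), the NIST-style a = -3, SHA-512 of the public string as the seed, and a seed || counter scheme to step through candidate b values until the group order passes basic checks (prime subgroup with cofactor at most 8, not anomalous, embedding degree above 20). The prime, the counter scheme, the cofactor bound and the check list are all assumptions of this example. Step 4 (mandating support) is a policy step and has no code.

```python
import hashlib

# Toy field: a constructed 15-bit prime (assumption of this example) chosen so
# that naive O(p) point counting below is feasible; p = 3 mod 4 keeps the
# square root simple. A real curve would use a 256-bit prime and SEA counting.
P = 32771
A = P - 3  # a = -3, the same convention as the NIST prime curves


def seed_from_string(public_string: str) -> bytes:
    """Step 2: the seed is SHA-512 of the public string."""
    return hashlib.sha512(public_string.encode("utf-8")).digest()


def b_from_seed(seed: bytes, counter: int) -> int:
    """Step 3 (part 1): candidate b from SHA-512(seed || counter), an assumed scheme."""
    h = hashlib.sha512(seed + counter.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % P


def count_points(a: int, b: int) -> int:
    """Step 3 (part 2): #E(Fp) = 1 + number of (x, y) with y^2 = x^3 + ax + b."""
    total = 1  # the point at infinity
    for x in range(P):
        rhs = (x * x * x + a * x + b) % P
        if rhs == 0:
            total += 1  # a single point (x, 0)
        elif pow(rhs, (P - 1) // 2, P) == 1:
            total += 2  # rhs is a quadratic residue: (x, y) and (x, -y)
    return total


def largest_prime_factor(n: int) -> int:
    """Trial division suffices for the toy order; at real sizes N itself is chosen prime."""
    best, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best


def is_prime(n: int) -> bool:
    return n > 1 and largest_prime_factor(n) == n


def curve_checks(a: int, b: int, order: int):
    """Known-attack screen: non-singular, prime-order subgroup with small cofactor,
    not anomalous (n != p), embedding degree > 20 (MOV / Frey-Rueck transfer)."""
    if (4 * a ** 3 + 27 * b * b) % P == 0:
        return None
    n = largest_prime_factor(order)
    h = order // n
    if h > 8 or n == P:
        return None
    if any(pow(P, k, n) == 1 for k in range(1, 21)):
        return None
    return n, h


def ec_add(p1, p2, a: int):
    """Affine short-Weierstrass addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k: int, point, a: int):
    result = None
    while k > 0:
        if k & 1:
            result = ec_add(result, point, a)
        point = ec_add(point, point, a)
        k >>= 1
    return result


def base_point(a: int, b: int, h: int):
    """Step 3 (part 3): first x whose rhs is a non-zero square, times the cofactor
    so the result has prime order n."""
    for x in range(P):
        rhs = (x * x * x + a * x + b) % P
        if rhs == 0 or pow(rhs, (P - 1) // 2, P) != 1:
            continue
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P = 3 mod 4
        g = scalar_mult(h, (x, y), a)
        if g is not None:
            return g
    raise ValueError("no base point found")


def generate_curve(public_string: str, max_tries: int = 1000) -> dict:
    """Steps 1-3 end to end: public string -> seed -> b -> N = n*h -> base point G."""
    seed = seed_from_string(public_string)
    for counter in range(max_tries):
        b = b_from_seed(seed, counter)
        order = count_points(A, b)
        checked = curve_checks(A, b, order)
        if checked is None:
            continue
        n, h = checked
        return {"seed": seed.hex(), "counter": counter, "p": P, "a": A, "b": b,
                "N": order, "n": n, "h": h, "G": base_point(A, b, h)}
    raise ValueError("no acceptable curve within max_tries")


if __name__ == "__main__":
    print(generate_curve("a constructed public string standing in for a tweet"))
```

Anyone holding the public string can rerun the same derivation and get the same parameters, which is the "verifiably random" property the proposal is after; the counter that was needed is part of what gets published. Note that the screen here is the minimum (singular curve, small prime subgroup, anomalous, low embedding degree); rigidity arguments about the choice of p and of the hash-to-b rule are a separate discussion.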


The only thing you want not to happen is for software to start generating and negotiating its own curves, because that then requires all interoperable implementations to parse and validate random curves from attackers.

No, I didn't say that everyone generates their own curves. I meant the security community should generate our own curves. Somebody should email Thomas Pornin.

There are already several alternative curve sets, satisfying various degrees of paranoia:

- http://certivox.org/display/EXT/CertiVox+Standard+Curves

- http://tools.ietf.org/html/rfc5639

- curve25519 and the other djb et al curves.

Sorry, I didn't mean to imply you were saying that.