Author: Gregory Maxwell 2018-01-23 01:05:44
Published on: 2018-01-23T01:05:44+00:00
In an email exchange on January 22, 2018 between Russell O'Connor and an unknown recipient, the question was raised of whether it would be better to do the secret sharing arithmetic over a 256-bit field, GF(2^256+n), rather than over GF(2^8). One concern was that operations in GF(2^256+n) would be significantly slower than the byte-wise operations of GF(2^8). It was also noted that operations in GF(2^256+n) must be implemented in a sidechannel resistant manner, which is additional work. A further point was that binary extension fields have linear subgroup properties which can be exploited if parts of field elements are leaked. While not as obvious as the example referred to in the thread, this still falls into the category of giving an attacker an efficient subspace to search, by setting up a lattice basis problem from chunks of a supra-threshold set of shares.
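The following is an added example and not code from the original thread: a byte-wise Shamir scheme over GF(2^8) in Python. It uses a branchless field multiply, the structure a sidechannel resistant implementation needs (Python itself gives no constant-time guarantee, so treat it as illustrating the shape, not as a hardened library), and it shows the simplest case of partial share leakage: because every byte of the secret is shared independently, leaking a chunk of each share in a threshold-sized set leaks the corresponding chunk of the secret outright, with no lattice work at all. The AES reduction polynomial 0x11b, the 3-of-5 parameters and the 32-byte secret are assumptions chosen for illustration.

```python
import secrets

# Reduction polynomial x^8 + x^4 + x^3 + x + 1 (the AES field); an assumption for this example.
GF256_POLY = 0x1B


def gf256_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) without secret-dependent branches or table lookups."""
    r = 0
    for _ in range(8):
        r ^= a & -(b & 1)              # add `a` iff the low bit of `b` is set, via a mask
        carry = -((a >> 7) & 1)        # all-ones mask iff the top bit of `a` is set
        a = ((a << 1) & 0xFF) ^ (GF256_POLY & carry)
        b >>= 1
    return r


def gf256_inv(a: int) -> int:
    """Inverse by Fermat: a^254 = a^-1 for a != 0 (exponent bits are public)."""
    r, base = 1, a
    for bit in range(8):
        if (254 >> bit) & 1:
            r = gf256_mul(r, base)
        base = gf256_mul(base, base)
    return r


def eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    r = 0
    for c in reversed(coeffs):
        r = gf256_mul(r, x) ^ c
    return r


def split_secret(secret: bytes, threshold: int, n: int) -> list[tuple[int, bytes]]:
    """Byte-wise Shamir split: an independent random polynomial per secret byte."""
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    return [(x, bytes(eval_poly(p, x) for p in polys)) for x in range(1, n + 1)]


def recover_secret(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0, done byte by byte.

    In characteristic 2, (0 - x_k) = x_k and (x_i - x_k) = x_i ^ x_k.
    """
    xs = [x for x, _ in shares]
    length = len(shares[0][1])
    out = bytearray()
    for j in range(length):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num, den = 1, 1
            for k, xk in enumerate(xs):
                if k != i:
                    num = gf256_mul(num, xk)
                    den = gf256_mul(den, xi ^ xk)
            acc ^= gf256_mul(yi[j], gf256_mul(num, gf256_inv(den)))
        out.append(acc)
    return bytes(out)


def recover_prefix(shares: list[tuple[int, bytes]], k: int) -> bytes:
    """Leakage demo: only the first k bytes of each share are known, yet the
    first k bytes of the secret come out exactly, since bytes are shared independently."""
    return recover_secret([(x, y[:k]) for x, y in shares])


if __name__ == "__main__":
    # Constructed sample secret; a real key would come from a CSPRNG.
    secret = bytes(range(32))
    shares = split_secret(secret, threshold=3, n=5)
    assert recover_secret(shares[:3]) == secret
    print("leaked prefix:", recover_prefix(shares[1:4], 4).hex())
```

A prime field of 256 bits has no such byte-wise independence, but it gives up table-free byte arithmetic and needs a constant-time wide-integer implementation, which is the trade-off the thread is weighing.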
Updated on: 2023-05-20T04:40:48.027089+00:00