[cryptography] NIST should publish Suite A
iang at iang.org
Sun Nov 10 07:24:17 EST 2013
On the question of "No trust in NIST no more..." here's an older thought
We now have a crisis of confidence in the cryptographic industry.
Agreed? The Snowden revelations have thrown the deck in the air, and
while we have not seen all the cards land as yet, we can draw some
points of agreement.
One point of agreement is that public key and Elliptic Curve
Cryptography now has a cloud over it. Just as one example, seen on
OpenPGP list (archived therefore open for reposting) is discussion about
using 1024 bit curves:
On 18/10/13 10:20 AM, Gregory Maxwell wrote:
> Jon Callas <jon at callas.org> wrote:
>> Why ever would you want a 1Kbit curve? Sure, arguably, but please make the argument. As it is, Curve3617 is more than one really needs. I'm genuinely interested.
> The fastest method for solving the discrete log problem in finite
> fields is index calculus. It is not known to be applicable to the
> elliptic curves we use for cryptography (or obviously we wouldn't be
> using them), modifications of the technique are applicable to
> super-singular curves / extension fields and where applicable they
> have sub-exponential scaling similar to the number field sieve for
> factoring. While it's not believed that there can exist a
> straightforward adaptation to currently-believed strong curves, if one
> were to be discovered it would render any of the common sizes
> practically insecure.
> It would be terrible indeed to migrate to ECC only to end up with keys
> no more secure than 512 bit RSA.
> But by comparison to performance in other groups a of size to around
> 1024 bits but leave the crypto system secure in practice even if index
> calculus could be directly applied.
> (Sorry for delay in responding, but I spent a little while googling
> around to see if I was the only person thinking like this. I found a
> number of things, the most amusing an old post of Bruce Schneier's:
> "Realize, though, that someday -- next year, in ten years, in a
> century -- someone may figure out how to define smoothness, or
> something even more useful, in elliptic curves. If that happens, you
> will have to use the same key lengths as you would with conventional
> discrete logarithm algorithms, and there will be no reason to ever use
> elliptic curves. "
The point here is not that the above argumentation is valid or
otherwise, but that *the suspicion runs deep*. How deep does the EC
The best I've seen so far is as found on this site
http://safecurves.cr.yp.to/ which seems to say (my reading only) that
the prior standards work on curves is suspect, but we can do a good job
ourselves if we recalculate to best of ability (us meaning not me).
But we really don't know. Meanwhile, as a side pointer as to how far
the 'defaults' trap has taken us, here's another pointer:
Android is using the combination of horribly broken RC4 and MD5 as the
first default cipher on all SSL connections. This impacts all apps that
did not care enough to change the list of enabled ciphers (i.e. almost
all existing apps). This post investigates why RC4-MD5 is the default
cipher, and why it replaced better ciphers which were in use prior to
the Android 2.3 release in December 2010.
If you're into Java or Android, and you love the JCE, this will leave a
sinking pit in your stomach. A herd of rabbits were stampeded deep down
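The excerpt above says the fix is for an app to change the list of enabled ciphers. The following Java program, added here as an illustration and not code from this post, from the quoted blog, or from Android itself, shows what that looks like against the standard JSSE API (javax.net.ssl): it prints the default cipher-suite preference order, flags suites that match a constructed list of weak markers (RC4, MD5-based MACs, NULL, export-grade, anonymous and single DES), and provides a helper that applies the filtered list to an SSLSocket before the handshake. The marker list and the sample suite order are assumptions for this example, not values taken from the page.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Inspect the JSSE default cipher-suite order and drop the suites a
 * defender would not want negotiated. Added illustration only; not code
 * from the post, the quoted blog, or the Android platform.
 */
public class CipherSuiteHardening {

    // Substrings marking a suite as unacceptable. Constructed for this
    // example; adjust to your own policy. "_DES_" does not match 3DES
    // names such as TLS_RSA_WITH_3DES_EDE_CBC_SHA.
    private static final String[] WEAK_MARKERS = {
        "_RC4_", "_MD5", "_NULL_", "_EXPORT", "_anon_", "_DES_"
    };

    /** Returns true if the suite name carries any weak marker. */
    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /** Filters a suite array while preserving the original preference order. */
    static String[] dropWeak(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!isWeak(s)) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Applies the filtered list to a socket; call before startHandshake(). */
    static void harden(SSLSocket socket) {
        socket.setEnabledCipherSuites(dropWeak(socket.getEnabledCipherSuites()));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // No network access: only the factory's advertised defaults are read.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        String[] defaults = factory.getDefaultCipherSuites();
        System.out.println("Default order (first entry is preferred):");
        for (String s : defaults) {
            System.out.println("  " + (isWeak(s) ? "WEAK  " : "      ") + s);
        }
        String[] hardened = dropWeak(defaults);
        System.out.println("Kept " + hardened.length + " of " + defaults.length + " suites.");

        // Constructed sample order that puts RC4-MD5 first, as the post
        // describes for Android; shows what the filter leaves behind.
        String[] constructed = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
        };
        System.out.println(Arrays.toString(dropWeak(constructed)));
    }
}
```

The filter keeps the provider's own ordering rather than imposing a new one, so the first surviving suite is still the provider's preferred one; the point of the post is that on Android that preferred entry was RC4-MD5, which is exactly what `harden` removes.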
I would suggest -- point of agreement? -- that we now have *a crisis of
confidence in standards and crypto*.
If I was a standards organisation, or a player who was invested deeply
in industry in some sense or other, I'd be also thinking about how to
There is one possibility to increase confidence dramatically:
what's in Suite A?
If we knew what Suite A used for PK work, we would then be able to
triangulate. Although this is a claim based on absence of evidence, I
predict that we'll be able to triangulate the question of ECC and settle
the question of confidence.
Treason or revelation? You pick. This revelation may even be so useful
to industry (billion dollar losses?) that it might be a dominating
interest over the normal unquestioning patriotic duty of following the
say-so of those previously wiser heads in Fort Meade.
It might be cost-effective. It might even be a 'fair cop'.