[cryptography] [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

Tony Arcieri bascule at gmail.com
Tue Oct 1 11:47:49 EDT 2013

On Tue, Oct 1, 2013 at 3:08 AM, Adam Back <adam at cypherspace.org> wrote:

> But I do think it is a very interesting and pressing research question as
> to
> whether there are ways to plausibly deniably symmetrically weaken or even
> trapdoor weaken DL curve parameters, when the seeds are allowed to look
> random as the DSA FIPS 186-3 ones do.

See slide #28 in this djb deck:




If e.g. the NSA knew of an entire class of weak curves, they could perform
a brute force search with random looking seeds, continuing until the curve
parameters, after the seed is run through SHA1, fall into the class that's
known to be weak to them.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20131001/87bfb1af/attachment.html>

More information about the cryptography mailing list