[cryptography] [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

Tony Arcieri bascule at gmail.com
Tue Oct 1 11:47:49 EDT 2013


On Tue, Oct 1, 2013 at 3:08 AM, Adam Back <adam at cypherspace.org> wrote:

> But I do think it is a very interesting and pressing research question as
> to
> whether there are ways to plausibly deniably symmetrically weaken or even
> trapdoor weaken DL curve parameters, when the seeds are allowed to look
> random as the DSA FIPS 186-3 ones do.


See slide #28 in this djb deck:

http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf

Specifically:

http://i.imgur.com/C7mg3T4.png

If e.g. the NSA knew of an entire class of weak curves, they could perform
a brute force search with random looking seeds, continuing until the curve
parameters, after the seed is run through SHA1, fall into the class that's
known to be weak to them.

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20131001/87bfb1af/attachment.html>


More information about the cryptography mailing list