[cryptography] [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

Jeffrey Goldberg jeffrey at goldmark.org
Tue Oct 1 15:00:56 EDT 2013

On 2013-10-01, at 12:54 PM, Tony Arcieri <bascule at gmail.com> wrote:

> I wouldn't put it past them to intentionally weaken the NIST curves.

This is what has changed. Previously, I believed that they *wouldn’t* try to do something like that. Now we need to review things in terms of capability.

> That said, my gut feeling is they probably didn’t.

My exceedingly untrained intuition conforms to yours. But we do need to evaluate whether there are non-implausible mathematical and procedural mechanisms by which they could have. So the question for me is how implausible is it for there to be whole families of weak curves known to the NSA. I simply don’t understand the math well enough to even begin to approach that question, but …

If the NSA had the capability to pick weak curves while covering their tracks in such a way, why wouldn’t they have pulled the same trick with Dual_EC_DRBG? If they could have made the selection of P and Q appear random, it seems that they would have.  I know that this isn’t the identical situation, but again my (untrained) intuition suggests that there are meaningful similarities in ways they could (or couldn’t) cover their tracks.


Jeffrey Goldberg