[cryptography] [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)
yersinia
yersinia.spiros at gmail.com
Tue Oct 1 15:38:15 EDT 2013
On Tue, Oct 1, 2013 at 9:00 PM, Jeffrey Goldberg <jeffrey at goldmark.org>wrote:
> On 2013-10-01, at 12:54 PM, Tony Arcieri <bascule at gmail.com> wrote:
>
> > I wouldn't put it past them to intentionally weaken the NIST curves.
>
> This is what has changed. Previously, I believed that they *wouldn’t* try
> to do something like that. Now we need to review things in terms of
> capability.
>
> > That said, my gut feeling is they probably didn’t.
>
> My exceedingly untrained intuition conforms to yours. But we do need to
> evaluate whether there are non-implausible mathematical and procedural
> mechanisms by which they could have. So the question for me is how
> implausible is it for there to be whole families of weak curves known to
> the NSA. I simply don’t understand the math well enough to even begin to
> approach that question, but …
>
> If the NSA had the capability to pick weak curves while covering their
> tracks in such a way, why wouldn’t they have pulled the same trick with
> Dual_EC_DRBG? If they could have made the selection of P and Q appear
> random, it seems that they would have. I know that this isn’t the
> identical situation, but again my (untrained) intuition suggests that there
> are meaningful similarities in ways they could (or couldn’t) cover their
> tracks.
>
Yes. Apparently.
"Purely for the entertainment value to the audience here, I offer that it
occurred to me that the suspect P-Q could have been a test case provided by
the NSA, along the lines of "Given how the algorithm is supposed to work,
if we corrupt the P-Q pair by making them non-random using a specific
mathematical relationship between them, then the algorithm should be
provably not secure. Demonstrating this should increase the confidence that
the correctly implemented algorithm is secure." Then what happened is some
arrogant scientist at NIST (full disclosure--I was formerly a NIST
employee, and the terms of my departure still burn as a fire in the pit of
my stomach) conveniently "forgot" to put the correct ones in the standard,
or did it on purpose since "Anyone of modest skill in cryptography will
detect the problem and come up with their own P-Q pair correctly. Anyone
who doesn't deserves what they get." There are, in my estimation, people
that arrogant employed by NIST."
Look here
http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html#!
> Cheers,
>
> --
> Jeffrey Goldberg
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20131001/4981a6a9/attachment.html>
More information about the cryptography
mailing list