[cryptography] [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

Jeffrey Goldberg jeffrey at goldmark.org
Tue Oct 1 17:45:01 EDT 2013

On 2013-10-01, at 3:10 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Tue, Oct 1, 2013 at 12:00 PM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:
> If the NSA had the capability to pick weak curves while covering their tracks in such a way, why wouldn’t they have pulled the same trick with Dual_EC_DRBG?
> <tinfoilhat>They wanted us to think they were incompetent, so we would expect that Dual_EC_DRBG was their failed attempt to tamper with a cryptographic standard, and so we would overlook the more sinister and subtle attempts to tamper with the NIST curves</tinfoilhat> 

Well of course I’d thought of that. (I think the difference between the tinfoil hat crowd and the rest of us is not in what we can imagine. If we can’t imagine things like that, then we aren’t doing our jobs. I think the difference is which of our imaginings we consider to be meaningfully plausible.)

Anyway, my “answer” to that is that it would be far far better for them to conceal that they were sabotaging standards at all. After all, they’d earned a great deal of trust and respect for helping to make standards better. So unless they anticipated something like the Snowden leaks and were playing a very long (and risky game),…  it just doesn’t pan out.

Either way -- and to reiterate what we’ve all learned -- they are willing to sabotage at least some standards. We can’t ignore that fact when looking at standards and the standards process.



Jeffrey Goldberg

More information about the cryptography mailing list