[cryptography] Why non random EC curves are unacceptable.

James A. Donald jamesd at echeque.com
Sun Sep 29 20:36:12 EDT 2013

Although a typical EC curve is unbreakable except by a brute force 
algorithm of order 2^(n/2), a wide variety of special EC curves have 
been discovered that allow faster, much faster, methods of breaking. 
Some of these are so common that any freshly generated curve needs to be 
checked against them to make sure it is a strong curve.

Suppose that the NSA knows some of these that are not known outside the NSA.

Then it could generate a trillion curves, until it hits one that is a 
curve that the NSA can recognize as weak, but that other people cannot 
recognize as weak.

It then makes that curve a standard, and uses the usual state pressures 
to get it included in all widely used software.

Therefore, use Curve25519.  Don't use NIST curves.

More information about the cryptography mailing list