[cryptography] Why non random EC curves are unacceptable.
James A. Donald
jamesd at echeque.com
Sun Sep 29 20:36:12 EDT 2013
Although a typical EC curve is unbreakable except by a brute force
algorithm of order 2^(n/2), a wide variety of special EC curves have
been discovered that allow faster, much faster, methods of breaking.
Some of these are so common that any freshly generated curve needs to be
checked against them to make sure it is a strong curve.
Suppose that the NSA knows some of these that are not known outside the NSA.
Then it could generate a trillion curves, until it hits one that is a
curve that the NSA can recognize as weak, but that other people cannot
recognize as weak.
It then makes that curve a standard, and uses the usual state pressures
to get it included in all widely used software.
Therefore, use Curve25519. Don't use NIST curves.
More information about the cryptography