[cryptography] What's the point of using non-NIST ECC Curves?

Krisztián Pintér pinterkr at gmail.com
Mon Oct 13 11:14:00 EDT 2014

On Mon, Oct 13, 2014 at 4:51 PM, Derek Miller <dreemkiller at gmail.com> wrote:
> However, considering one of the scenarios where these curves might be
> compromised (the NSA knew of weaknesses in certain curves, and engineered
> the NIST Prime curves to be subject to those weaknesses)

interestingly, this is the better case. because if so, we can assume a
minority of the curves are bad. if many curves were bad, they could
just try to find nicely parametrized curves that are weak. they had to
resort to that hashing strategy, which means that method is
unfeasible, thus the vast majority of the curves does not have the
property they wanted. therefore any non-NIST curve is probably safe by
pure chance.

however, there is the other case, namely NIST defends against some
vulnerability they don't disclose. if so, the logic goes the opposite
direction: most curves are vulnerable. in this case, other curves are
probably unsafe.

so actually we hope they were malicious, and then we can use all other
curves, there are plenty.

More information about the cryptography mailing list