[cryptography] What's the point of using non-NIST ECC Curves?

Ryan Carboni ryacko at gmail.com
Mon Oct 13 11:38:23 EDT 2014


I forget, what were the original inputs to the hash?

On Mon, Oct 13, 2014 at 8:14 AM, Krisztián Pintér <pinterkr at gmail.com>
wrote:

> On Mon, Oct 13, 2014 at 4:51 PM, Derek Miller <dreemkiller at gmail.com>
> wrote:
> > However, considering one of the scenarios where these curves might be
> > compromised (the NSA knew of weaknesses in certain curves, and engineered
> > the NIST Prime curves to be subject to those weaknesses)
>
> interestingly, this is the better case. because if so, we can assume a
> minority of the curves are bad. if many curves were bad, they could
> just try to find nicely parametrized curves that are weak. they had to
> resort to that hashing strategy, which means that method is
> unfeasible, thus the vast majority of the curves does not have the
> property they wanted. therefore any non-NIST curve is probably safe by
> pure chance.
>
> however, there is the other case, namely NIST defends against some
> vulnerability they don't disclose. if so, the logic goes the opposite
> direction: most curves are vulnerable. in this case, other curves are
> probably unsafe.
>
> so actually we hope they were malicious, and then we can use all other
> curves, there are plenty.


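Added example, not part of the original messages: the "hashing strategy" discussed in the thread, shown for P-256 as the seed-to-coefficient check from ANSI X9.62 / FIPS 186. The prime, the coefficient b and the 160-bit seed are the published P-256 values, not values taken from this thread; the function names are this example's own.

```python
import hashlib

# NIST P-256 domain parameters as published in FIPS 186 (not given in this thread).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
SEED = bytes.fromhex("C49D360886E704936A6678E1139D26B7819F7E90")


def sha1_int(data: bytes) -> int:
    """SHA-1 digest of data, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def derive_c(seed: bytes, p: int) -> int:
    """Expand a 160-bit seed into the integer c (prime-field procedure)."""
    l = p.bit_length()        # 256 for P-256
    v = (l - 1) // 160        # number of extra SHA-1 blocks (1 for P-256)
    w = l - 160 * v - 1       # bits kept from the first digest (95 for P-256)
    c = sha1_int(seed) & ((1 << w) - 1)   # w rightmost bits of SHA-1(seed)
    z = int.from_bytes(seed, "big")
    for i in range(1, v + 1):
        # Each further block hashes the seed incremented by i, modulo 2^160.
        block = ((z + i) % (1 << 160)).to_bytes(20, "big")
        c = (c << 160) | sha1_int(block)
    return c


def seed_matches(seed: bytes, p: int, b: int) -> bool:
    """True if b satisfies b^2 * c = -27 (mod p) for the c derived from seed.

    With a = -3, this is the condition tying the curve coefficient to the seed.
    """
    return (b * b * derive_c(seed, p) + 27) % p == 0


if __name__ == "__main__":
    print("published seed reproduces b:", seed_matches(SEED, P, B))
    # Constructed counter-example: flip one bit of the seed.
    altered = bytes([SEED[0] ^ 0x01]) + SEED[1:]
    print("altered seed reproduces b:  ", seed_matches(altered, P, B))
```

The check confirms only that b follows from the seed through SHA-1; it says nothing about how the seed itself was chosen.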