On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen <kristian.gjost...@math.ntnu.no> wrote: > As a co-author of an analysis of Dual-EC-DRBG that did not > emphasize this problem (we only stated that Q had to be chosen at > random, Ferguson &co were right to emphasize this point), I would > like to ask: > > Has anyone, anywhere ever seen someone use Dual-EC-DRBG? > > I mean, who on earth would be daft enough to use the slowest > possible DRBG? If this is the best NSA can do, they are over-hyped. > > (If you really do want to use Dual-EC-DRBG: truncate more than 16 > bits, and don't use NSA's points, choose your own - at random.) >
I have re-read the NY Times article. It appears to only indicate that this was *a* standard that was sabotaged, not that it was the only one. In particular, the Times merely indicates that they can now confirm that this particular standard was sabotaged, but presumably it was far from the only target. -- Perry E. Metzger pe...@piermont.com _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
