On 2013-10-01 08:35, John Kelsey wrote:
Having read the mail you linked to, it doesn't say the curves weren't generated
according to the claimed procedure. Instead, it repeats Dan Bernstein's
comment that the seed looks random, and that this would have allowed NSA to
generate lots of curves till they found a bad one.
The claimed procedure would have prevented the NSA from generating lots
of curves till they found a bad one - one with weaknesses that the NSA
knows how to detect, but which other people do not yet know how to detect.
That was the whole point of the claimed procedure.
As with SHA3, the NSA/NIST is deviating from its supposed procedures in
ways that remove the security properties of those procedures.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography