On 1 Oct 2013 at 02:00, "James A. Donald" <jam...@echeque.com> wrote:

> On 2013-10-01 08:24, John Kelsey wrote:
>> Maybe you should check your code first?  A couple of NIST people verified that
>> the curves were generated by the described process when the questions about
>> the curves first came out.
> 
> And a non-NIST person verified that the curves were not generated by the
> described process after the scandal broke.

Checking the verification code may be a good idea.

I just checked that the verification process described in Appendix 5 in the 
document RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE, July 1999 
(http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf) accepts 
the NIST prime field curves listed in that document. Trivial Python script
follows.

I am certainly not the first non-US non-government person to check.

There is solid evidence that the US government does bad things. This isn't it.

-- 
Kristian Gjøsteen

import hashlib

def string_to_integer(s):
    # big-endian byte string -> integer (Python 3: iterating bytes yields ints)
    n = 0
    for byte in s:
        n = n*256 + byte
    return n

def integer_to_string(n):
    # integer -> minimal big-endian byte string (b"" for 0)
    if n == 0:
        return b""
    return integer_to_string(n//256) + bytes([n%256])

def verify_generation(s, p, l, b):
    # s: 160-bit seed as bytes, p: field prime, l: bit length of p,
    # b: the published curve coefficient b (a = -3 for all NIST prime curves)
    assert(len(s) == 160//8)
    v = (l-1)//160        # number of full 160-bit SHA-1 blocks after h0
    w = l - 160*v - 1     # h0 keeps only the rightmost w bits of SHA-1(seed)

    h = hashlib.sha1(s).digest()
    hh = integer_to_string(string_to_integer(h) % (2**w))

    z = string_to_integer(s) + 1 # +1 because for loop goes from 0 to v-1
    for i in range(v):
        hh = hh + hashlib.sha1(integer_to_string(z+i)).digest()

    # c = h0 || h1 || ... || hv as an integer; accept iff b^2*c + 27 == 0 (mod p)
    c = string_to_integer(hh)
    return (b*b*c + 27) % p == 0

curve_data = [
    ("P-192 wrong", 6277101735386680763835789423207666416083908700390324961279, 192, 0x3045ae6fc822f64ed579528d38120eae12196d5, 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1),
    ("P-192", 6277101735386680763835789423207666416083908700390324961279, 192, 0x3045ae6fc8422f64ed579528d38120eae12196d5, 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1),
    ("P-224", 26959946667150639794667015087019630673557916260026308143510066298881, 224, 0xbd71344799d5c7fcdc45b59fa3b9ab8f6a948bc5, 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4),
    ("P-256", 115792089210356248762697446949407573530086143415290314195533631308867097853951, 256, 0xc49d360886e704936a6678e1139d26b7819f7e90, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b),
    ("P-256 wrong", 115792089210356248762697446949407573530086143415290314195533631308867097853951, 256, 0xc49d360886e704936a6678e1139d26b7819f7e90, 0x7efba1662985be9403cb055c75d4f7e0ce8d84a9c5114abcaf3177680104fa0d),
    ("P-384", 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319, 384, 0xa335926aa319a27a1d00896a6773a4827acdac73, 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef),
    ("P-521", 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151, 521, 0xd09e8800291cb85396cc6717393284aaa0da64ba, 0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00) ]

for cd in curve_data:
    (name, p, l, s, b) = cd
    # the two "wrong" rows (a seed with a dropped hex digit, a foreign b) should print False
    print(name, verify_generation(integer_to_string(s), p, l, b))
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
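The script in the message above runs the Appendix 5 check in the verification direction only (does the published b satisfy b^2*c + 27 = 0 mod p?). The following is an added example, not Kristian Gjøsteen's code and not taken from the NIST document; it reuses the seeds, primes and b values from the table in his script and runs the same hash chain in the generation direction: in ANSI X9.62 / FIPS 186 the rule is c*b^2 = a^3 (mod p), and with a = -3 (used by every NIST prime curve) that fixes b^2 = -27/c, so a seed determines b up to sign. Function names (derive_c, sqrt_mod, regenerate_b, published_b_is_derivable, run_all) are mine. Two details the original glosses over are made explicit: the seed and the s+i counters are encoded as fixed 20-byte strings reduced mod 2^160, and a modular square root is needed (P-224 has p = 1 mod 4, so a Tonelli-Shanks routine is included rather than the p = 3 mod 4 shortcut alone).

```python
import hashlib

# Published NIST prime-field parameters copied from the table in the message
# above: name -> (seed, p, b). The two "wrong" rows are the same corrupted
# inputs the original script uses as negative tests (dropped hex digit in the
# P-192 seed; a b that does not belong to P-256).
CURVES = {
    "P-192": (0x3045ae6fc8422f64ed579528d38120eae12196d5, 6277101735386680763835789423207666416083908700390324961279, 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1),
    "P-224": (0xbd71344799d5c7fcdc45b59fa3b9ab8f6a948bc5, 26959946667150639794667015087019630673557916260026308143510066298881, 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4),
    "P-256": (0xc49d360886e704936a6678e1139d26b7819f7e90, 115792089210356248762697446949407573530086143415290314195533631308867097853951, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b),
    "P-384": (0xa335926aa319a27a1d00896a6773a4827acdac73, 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319, 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef),
    "P-521": (0xd09e8800291cb85396cc6717393284aaa0da64ba, 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151, 0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00),
    "P-192 wrong": (0x3045ae6fc822f64ed579528d38120eae12196d5, 6277101735386680763835789423207666416083908700390324961279, 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1),
    "P-256 wrong": (0xc49d360886e704936a6678e1139d26b7819f7e90, 115792089210356248762697446949407573530086143415290314195533631308867097853951, 0x7efba1662985be9403cb055c75d4f7e0ce8d84a9c5114abcaf3177680104fa0d),
}


def derive_c(seed: int, p: int) -> int:
    """Expand the 160-bit seed into c = h0 || h1 || ... || hv (FIPS 186 / X9.62).

    Same SHA-1 chain as the script above, but the seed and each s+i counter are
    encoded as fixed 20-byte strings and reduced mod 2^160 as the standard says.
    """
    l = p.bit_length()
    v = (l - 1) // 160            # full 160-bit blocks after h0
    w = l - 160 * v - 1           # h0 keeps the rightmost w bits of SHA-1(seed)
    h0 = int.from_bytes(hashlib.sha1(seed.to_bytes(20, "big")).digest(), "big")
    c = h0 % (1 << w)
    for i in range(1, v + 1):
        block = ((seed + i) % (1 << 160)).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(block).digest(), "big")
    return c


def verify_generation(seed: int, p: int, b: int) -> bool:
    """The published check: b^2 * c + 27 == 0 (mod p), i.e. c*b^2 == a^3 with a = -3."""
    return (b * b * derive_c(seed, p) + 27) % p == 0


def sqrt_mod(n: int, p: int):
    """Square root of n modulo an odd prime p, or None if n is a non-residue.

    Uses the p = 3 (mod 4) shortcut where it applies and Tonelli-Shanks otherwise
    (needed for P-224, whose prime is 1 mod 4).
    """
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:      # Euler's criterion
        return None
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0                        # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                  # any quadratic non-residue
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, g, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                       # least i with t^(2^i) == 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        bb = pow(g, 1 << (m - i - 1), p)
        m, g, t, r = i, bb * bb % p, t * bb * bb % p, r * bb % p
    return r


def regenerate_b(seed: int, p: int):
    """Generation direction: b^2 = -27 / c (mod p). Returns the two candidate
    values (r, p - r), or None when -27/c is a non-residue (the standard would
    then reject this seed and pick a new one)."""
    c = derive_c(seed, p)
    r = sqrt_mod((-27 * pow(c, -1, p)) % p, p)
    return None if r is None else (r, p - r)


def published_b_is_derivable(name: str) -> bool:
    """True when the listed b is one of the two values its seed determines."""
    seed, p, b = CURVES[name]
    roots = regenerate_b(seed, p)
    return roots is not None and b in roots


def run_all() -> dict:
    return {name: published_b_is_derivable(name) for name in CURVES}


if __name__ == "__main__":
    for name, ok in run_all().items():
        seed, p, b = CURVES[name]
        print(f"{name:12s} verify={verify_generation(seed, p, b)} b_from_seed={ok}")
```

The forward derivation says slightly more than the pass/fail check: for each genuine curve the published b is exactly one of the two roots the seed fixes, while the corrupted rows either give a non-residue (no curve at all) or a root pair that does not contain the listed b. It does not, of course, say anything about how the seeds themselves were chosen, which is the question the thread is arguing about.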
