On 2013-10-01, at 12:54 PM, Tony Arcieri <basc...@gmail.com> wrote:

> I wouldn't put it past them to intentionally weaken the NIST curves.

This is what has changed. Previously, I believed that they *wouldn’t* try to do something like that. Now we need to review things in terms of capability.

> That said, my gut feeling is they probably didn’t.

My exceedingly untrained intuition conforms to yours. But we do need to evaluate whether there are non-implausible mathematical and procedural mechanisms by which they could have.

So the question for me is how implausible is it for there to be whole families of weak curves known to the NSA. I simply don’t understand the math well enough to even begin to approach that question, but …

If the NSA had the capability to pick weak curves while covering their tracks in such a way, why wouldn’t they have pulled the same trick with Dual_EC_DRBG? If they could have made the selection of P and Q appear random, it seems that they would have.

I know that this isn’t the identical situation, but again my (untrained) intuition suggests that there are meaningful similarities in ways they could (or couldn’t) cover their tracks.

Cheers,

-- 
Jeffrey Goldberg
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
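The "appear random" question above has a concrete, checkable half for the NIST prime curves: ANSI X9.62 Annex A.3.3.1 derives the coefficient b from a published 160-bit seed via SHA-1, and anyone can rerun that derivation. The following is an added example written for this thread, not code from the list or from any standard body; it implements the X9.62 seed-to-r expansion, checks r * b^2 == a^3 (mod p) for NIST P-256 using its published seed, and shows the same check failing on a constructed, altered b. The curve constants and seed are the ones in FIPS 186-4 / SEC 2. What the check does not tell you is how the seed itself was chosen, which is exactly the part of the question this thread is circling.

```python
import hashlib

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2). The seed is the published
# value from which X9.62 Annex A.3.3.1 says b was derived.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def x962_r_from_seed(seed: bytes, p: int) -> int:
    """Expand a seed into the X9.62 A.3.3.1 value r for a prime field of size p.

    t = bit length of p, s = floor((t - 1) / 160), h = t - 160 * s.
    W0 = rightmost h bits of SHA-1(seed) with its leftmost bit cleared
         (the standard does this so that r < p);
    Wi = SHA-1((seed + i) mod 2^g) for i = 1..s, g = bit length of the seed;
    r  = integer value of W0 || W1 || ... || Ws.
    """
    t = p.bit_length()
    s = (t - 1) // 160
    h = t - 160 * s
    g = 8 * len(seed)
    z = int.from_bytes(seed, "big")

    c0 = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << h) - 1)
    r = c0 & ~(1 << (h - 1))  # W0: clear the leftmost of the h bits
    for i in range(1, s + 1):
        chunk = ((z + i) % (1 << g)).to_bytes(len(seed), "big")
        r = (r << 160) | int.from_bytes(hashlib.sha1(chunk).digest(), "big")
    return r


def verify_x962_seed(seed: bytes, p: int, a: int, b: int) -> bool:
    """Return True iff r * b^2 == a^3 (mod p), i.e. b is consistent with the seed.

    A True result only ties b to the seed through SHA-1; it says nothing about
    how the seed was picked or whether the resulting curve has hidden structure.
    """
    r = x962_r_from_seed(seed, p)
    return (r * b * b - a * a * a) % p == 0


if __name__ == "__main__":
    print("P-256 b matches its published seed:",
          verify_x962_seed(P256_SEED, P256_P, P256_A, P256_B))
    # Constructed tamper case: a curve with the low bit of b flipped cannot be
    # explained by the same seed, so the check rejects it.
    print("altered b matches the seed:",
          verify_x962_seed(P256_SEED, P256_P, P256_A, P256_B ^ 1))
```

Running it prints True for the published b and False for the altered one. The same function works for P-224, P-384 and P-521 with their own p, b and seed values; the loop over s handles the extra SHA-1 blocks for the larger fields.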