Re: [cryptography] What's the point of using non-NIST ECC Curves?
> If the NIST curves are weak in a way that we don't understand, this means that ECC has properties that we don't understand. Thus, if you don't trust the NIST Prime curves, does it make sense to trust any ECC curves at all?

All maths has properties we do not understand. The question is not whether we understand everything, but whether we don't understand something the NSA does.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] What's the point of using non-NIST ECC Curves?
Like many people, I consider the seed values used to generate the NIST Prime curves suspicious. However, considering one of the scenarios where these curves might be compromised (the NSA knew of weaknesses in certain curves, and engineered the NIST Prime curves to be subject to those weaknesses), does it even make sense to use ECC at all?

If the NIST curves are weak in a way that we don't understand, this means that ECC has properties that we don't understand. Thus, if you don't trust the NIST Prime curves, does it make sense to trust any ECC curves at all?

I appreciate your responses,
D
Re: [cryptography] What's the point of using non-NIST ECC Curves?
On Mon, Oct 13, 2014 at 4:51 PM, Derek Miller dreemkil...@gmail.com wrote:
> However, considering one of the scenarios where these curves might be compromised (the NSA knew of weaknesses in certain curves, and engineered the NIST Prime curves to be subject to those weaknesses)

interestingly, this is the better case. because if so, we can assume a minority of the curves are bad. if many curves were bad, they could just try to find nicely parametrized curves that are weak. they had to resort to that hashing strategy, which means that method is unfeasible, thus the vast majority of the curves does not have the property they wanted. therefore any non-NIST curve is probably safe by pure chance.

however, there is the other case, namely NIST defends against some vulnerability they don't disclose. if so, the logic goes the opposite direction: most curves are vulnerable. in this case, other curves are probably unsafe.

so actually we hope they were malicious, and then we can use all other curves, there are plenty.
Re: [cryptography] What's the point of using non-NIST ECC Curves?
I forget, what was the original inputs to the hash?

On Mon, Oct 13, 2014 at 8:14 AM, Krisztián Pintér pinte...@gmail.com wrote:
> On Mon, Oct 13, 2014 at 4:51 PM, Derek Miller dreemkil...@gmail.com wrote:
>> However, considering one of the scenarios where these curves might be compromised (the NSA knew of weaknesses in certain curves, and engineered the NIST Prime curves to be subject to those weaknesses)
>
> interestingly, this is the better case. because if so, we can assume a minority of the curves are bad. if many curves were bad, they could just try to find nicely parametrized curves that are weak. they had to resort to that hashing strategy, which means that method is unfeasible, thus the vast majority of the curves does not have the property they wanted. therefore any non-NIST curve is probably safe by pure chance.
>
> however, there is the other case, namely NIST defends against some vulnerability they don't disclose. if so, the logic goes the opposite direction: most curves are vulnerable. in this case, other curves are probably unsafe.
>
> so actually we hope they were malicious, and then we can use all other curves, there are plenty.
Re: [cryptography] What's the point of using non-NIST ECC Curves?
On 13/10/14 15:51, Derek Miller wrote:
> Like many people, I consider the seed values used to generate the NIST Prime curves suspicious. However, considering one of the scenarios where these curves might be compromised (the NSA knew of weaknesses in certain curves, and engineered the NIST Prime curves to be subject to those weaknesses), does it even make sense to use ECC at all?
>
> If the NIST curves are weak in a way that we don't understand, this means that ECC has properties that we don't understand. Thus, if you don't trust the NIST Prime curves, does it make sense to trust any ECC curves at all?

There are performance and implementation reasons (easier to avoid side-channel attacks) claimed for the additional curves that are being looked at by the IRTF's CFRG (at the request of the IETF's TLS, if that's not too acronym laden:-)

Those claims seem credible at least, and are also spurring folks to look again at implementations of the NIST curves.

S.

> I appreciate your responses,
> D
Re: [cryptography] What's the point of using non-NIST ECC Curves?
On Mon, Oct 13, 2014 at 7:51 AM, Derek Miller dreemkil...@gmail.com wrote:
> If the NIST curves are weak in a way that we don't understand, this means that ECC has properties that we don't understand.

While there's djb's worry that the NSA may have tweaked a curve parameter in such a way as to generate a curve with a one-in-a-million weakness that only they know how to exploit, the NIST curves are weak in other known ways: https://safecurves.cr.yp.to

Additionally, newer curves are being picked with an emphasis on performance

--
Tony Arcieri
Re: [cryptography] What's the point of using non-NIST ECC Curves?
Krisztian,

Thanks for the additional scenario (I had not even considered trusting the NSA, so had not considered that scenario). However, both scenarios (NSA engineered them to be bad, NSA engineered them to be good) mean that the NSA knows a great deal more about weaknesses in Elliptic Curve Cryptography than we do. Doesn't that give you great pause in using the algorithm at all?

On Mon, Oct 13, 2014 at 10:53 AM, Derek Miller dreemkil...@gmail.com wrote:
> For curve P-192, SEED = 3045ae6f c8422f64 ed579528 d38120ea e12196d5
> For curve P-224, SEED = bd713447 99d5c7fc dc45b59f a3b9ab8f 6a948bc5
> For curve P-256, SEED = c49d3608 86e70493 6a6678e1 139d26b7 819f7e90
> etcetera...
>
> On Mon, Oct 13, 2014 at 10:43 AM, Krisztián Pintér pinte...@gmail.com wrote:
>> On Mon, Oct 13, 2014 at 5:38 PM, Ryan Carboni rya...@gmail.com wrote:
>>>> However, considering one of the scenarios where these curves might be compromised (the NSA knew of weaknesses in certain curves, and engineered the NIST Prime curves to be subject to those weaknesses)
>>> I forget, what was the original inputs to the hash?
>>
>> another unexplained constant, if i'm not mistaken. it makes no sense in any circumstances.
Re: [cryptography] What's the point of using non-NIST ECC Curves?
On Mon, Oct 13, 2014 at 9:19 AM, Derek Miller dreemkil...@gmail.com wrote:
> However, both scenarios (NSA engineered them to be bad, NSA engineered them to be good) mean that the NSA knows a great deal more about weaknesses in Elliptic Curve Cryptography than we do. Doesn't that give you great pause in using the algorithm at all?

Sure, that's why djb and friends are also working on implementing McEliece and Merkle signatures

--
Tony Arcieri
Re: [cryptography] What's the point of using non-NIST ECC Curves?
On 10/13/2014 06:14 PM, Tony Arcieri wrote:
> On Mon, Oct 13, 2014 at 7:51 AM, Derek Miller dreemkil...@gmail.com wrote:
>> If the NIST curves are weak in a way that we don't understand, this means that ECC has properties that we don't understand.
>
> While there's djb's worry that the NSA may have tweaked a curve parameter in such a way as to generate a curve with a one-in-a-million weakness that only they know how to exploit, the NIST curves are weak in other known ways: https://safecurves.cr.yp.to
>
> Additionally, newer curves are being picked with an emphasis on performance

djb also tries to explain why his choices of curve parameters are of the nothing-up-my-sleeve variety (like smallest number that satisfies such and such security property). See for instance section 1.2 and 2 of the Curve41417 paper: http://eprint.iacr.org/2014/526.pdf

Ondrej
Re: [cryptography] What's the point of using non-NIST ECC Curves?
Derek Miller (at Monday, October 13, 2014, 6:19:07 PM):
> However, both scenarios (NSA engineered them to be bad, NSA engineered them to be good) mean that the NSA knows a great deal more about weaknesses in Elliptic Curve Cryptography than we do. Doesn't that give you great pause in using the algorithm at all?

actually, you have a point. if there is any doubt, there is no doubt. without even doing anything, just by being secretive, NSA can weaken crypto. good job guys!