Hash: SHA1

On Sep 5, 2013, at 4:09 PM, "Perry E. Metzger" <pe...@piermont.com> wrote:

> Now, this certainly was a problem for the random number generator
> standard, but is it an actual worry in other contexts? I tend not to
> believe that but I'm curious about opinions.

If there is a place to worry, it would be about the specific curves.

I had a lively dinner-table conversation with Dan Bernstein and Tanja Lange at 
CRYPTO this year, and Dan pointed out that there's been a lot of work on 
cryptanalysis of specific curves and curve families. We know, for example that 
anything over GF(p^n) is seeming dodgy, but GF(p) seems okay. There are recent 
Eurocrypt papers on said.

The Suite B curves were picked some time ago. Maybe they have problems.

I have a small amount of raised eyebrow because the greatest bulwark we have 
against the SIGINT capabilities of any intelligence agency are that agency's IA 
cousins. I don't think that the Suite B curves would have been intentionally 
weak. That would be a shock.

However, if the SIGINT guys (e.g.) discovered a weakness that gave P-256 
something les than 128 bits of security, they might just sit on it. Certainly, 
even if they wanted to release that, there would be politics compounded by 
security compartments. Learning that they sat on a weakness would might be a 
shock, but it wouldn't be a surprise.

If there is an issue, that's the place it would be. Not ECC as a technology, 
but specific curves.


Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

The cryptography mailing list

Reply via email to