-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 5, 2013, at 4:09 PM, "Perry E. Metzger" <[email protected]> wrote:
> Now, this certainly was a problem for the random number generator
> standard, but is it an actual worry in other contexts? I tend not to
> believe that but I'm curious about opinions.
If there is a place to worry, it would be about the specific curves.
I had a lively dinner-table conversation with Dan Bernstein and Tanja Lange at
CRYPTO this year, and Dan pointed out that there's been a lot of work on
cryptanalysis of specific curves and curve families. We know, for example that
anything over GF(p^n) is seeming dodgy, but GF(p) seems okay. There are recent
Eurocrypt papers on said.
The Suite B curves were picked some time ago. Maybe they have problems.
I have a small amount of raised eyebrow because the greatest bulwark we have
against the SIGINT capabilities of any intelligence agency are that agency's IA
cousins. I don't think that the Suite B curves would have been intentionally
weak. That would be a shock.
However, if the SIGINT guys (e.g.) discovered a weakness that gave P-256
something les than 128 bits of security, they might just sit on it. Certainly,
even if they wanted to release that, there would be politics compounded by
security compartments. Learning that they sat on a weakness would might be a
shock, but it wouldn't be a surprise.
If there is an issue, that's the place it would be. Not ECC as a technology,
but specific curves.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFSKRprsTedWZOD3gYRAqEnAKDrFOI4v8DnYxZdPEbFHflTRktwcACg28/f
hyvPYuLAdM+58z0rTxg9Fss=
=EnSi
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
