On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen
<kristian.gjost...@math.ntnu.no> wrote:
> As a co-author of an analysis of Dual-EC-DRBG that did not
> emphasize this problem (we only stated that Q had to be chosen at
> random, Ferguson &co were right to emphasize this point), I would
> like to ask:
>       Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
> I mean, who on earth would be daft enough to use the slowest
> possible DRBG? If this is the best NSA can do, they are over-hyped.
> (If you really do want to use Dual-EC-DRBG: truncate more than 16
> bits, and don't use NSA's points, choose your own - at random.)

I have re-read the NY Times article. It appears to only indicate that
this was *a* standard that was sabotaged, not that it was the only
one. In particular, the Times merely indicates that they can now
confirm that this particular standard was sabotaged, but presumably
it was far from the only target.

Perry E. Metzger                pe...@piermont.com
The cryptography mailing list

Reply via email to