On Sep 7, 2013, at 2:36 PM, Ray Dillinger wrote: <SNIP!> > > Schneier states of discrete logs over ECC: "I no longer trust the constants. > I believe the NSA has manipulated them through their relationships with > industry." > > Is he referring to the "standard" set of ECC curves in use? Is it possible > to select ECC curves specifically so that there's a backdoor in cryptography > based on those curves?
That very statement prompted me to start the Suite B thread a couple of days ago. What concerns me most about ECC is that your choices seem to be the IEEE Standard curves (which have NSA input, IIRC), or ones that will bring down the wrath of Certicom (Slogan: "We're RSA Inc. for the 21st Century!"). I've said this repeatedly over the past year, but if whomever ends up buying Certicom-owner Blackberry would set them free, it would help humanity (at the cost of the patent revenues, alas). Dan _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
