>On 09/07/2013 02:53 PM, Ray Dillinger wrote:
>Is he referring to the "standard" set of ECC curves in use?  Is it possible
>to select ECC curves specifically so that there's a backdoor in cryptography
>based on those curves?
>I know that hardly anybody using ECC bothers to find their own curve; they
>tend to use the standard ones because finding their own involves counting all
>the integral points and would be sort of compute expensive, in addition to
>being involved and possibly error prone if there's a flaw in the 

Take a trip down memory lane and research the historical roots of the Data 
Encryption Standard, especially the pre-DES Lucifer standard with IBM.  Some 
hints would be the last minute reduction to 56-bit, as well as the replacement 
S-Boxes that were mandated for use by IBM before Lucifer became the DES.

And then if you were in the Beltway region back in '98, you might also remember 
the entire federal government freaking out about EFF's Deep Crack, which almost 
overnight caused 56-bit DES to be deprecated in favor of 3DES.  But then there 
were the complaints about the computational expensiveness of 3DES, so our 
superheros at NIST jumped in with the Advanced Encryption Standard contest and 
here were are again.

In the '90s there were a few papers written about optimal DES S-Box 
calculation; they disappeared from publication.  There was also a fellow who 
released a software application used for alternate DES S-Box generation, that 
got yanked as well.  I am not suggesting black helicopters or extrajudicial 
renditions, just that once they were on the Internet and then a few weeks later 
they were not online anymore, anywhere.

An oldie but goodie in this category of discussion is SANS' "S-Box 
Modifications and Their Effect in DES-like Encryption Systems", Joe Gargiulo, 
July 25, 2002.

The cryptography mailing list

Reply via email to