>On 09/07/2013 02:53 PM, Ray Dillinger wrote: > >Is he referring to the "standard" set of ECC curves in use? Is it possible >to select ECC curves specifically so that there's a backdoor in cryptography >based on those curves? > >I know that hardly anybody using ECC bothers to find their own curve; they >tend to use the standard ones because finding their own involves counting all >the integral points and would be sort of compute expensive, in addition to >being involved and possibly error prone if there's a flaw in the >implementation.
Take a trip down memory lane and research the historical roots of the Data Encryption Standard, especially the pre-DES Lucifer standard with IBM. Some hints would be the last minute reduction to 56-bit, as well as the replacement S-Boxes that were mandated for use by IBM before Lucifer became the DES. And then if you were in the Beltway region back in '98, you might also remember the entire federal government freaking out about EFF's Deep Crack, which almost overnight caused 56-bit DES to be deprecated in favor of 3DES. But then there were the complaints about the computational expensiveness of 3DES, so our superheros at NIST jumped in with the Advanced Encryption Standard contest and here were are again. In the '90s there were a few papers written about optimal DES S-Box calculation; they disappeared from publication. There was also a fellow who released a software application used for alternate DES S-Box generation, that got yanked as well. I am not suggesting black helicopters or extrajudicial renditions, just that once they were on the Internet and then a few weeks later they were not online anymore, anywhere. An oldie but goodie in this category of discussion is SANS' "S-Box Modifications and Their Effect in DES-like Encryption Systems", Joe Gargiulo, July 25, 2002. _______________________________________________ The cryptography mailing list email@example.com http://www.metzdowd.com/mailman/listinfo/cryptography