On 09/09/13 23:03, Perry E. Metzger wrote:
> On Mon, 9 Sep 2013, Daniel wrote:
>> [...] They are widely used curves and thus a good way to reduce
>> conspiracy theories that they were chosen in some malicious way to
>> subvert DRBG.
>
> Er, don't we currently have documents from the New York Times and the
> Guardian that say that in fact they *did* subvert them?
>
> Yes, a week ago this was paranoia, but now we have confirmation, so
> it is no longer paranoia.

I did not see that, and as far as I can tell there is no actual confirmation.


Also, the known possible subversion of DRBG did not involve curve selection, but selection of a point to be used in DRBG. I think Kristian G has posted about that.

As to elliptic curves, there are only two of significance, in terms of being widely used: they are NIST P-256 and NIST P-384.

NIST P-224 is also occasionally used.

These are the same curves as the secp256/384r1 curves, and the same curves as almost any other 256-bit or 384-bit curves you might want to mention - eg the FIPS 186-3 curves, and so on.

These are all the same curves.

They all began in 1999 as the curves in the (NIST) RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE

csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf


The way they were selected is supposed to be pseudo-random based on SHA-1, though it's actually not quite like that (or not even close).

Full details, or at least all of the publicly available details about the curve selection process, are in the link, but as I wrote earlier:


"Take FIPS P-256 as an example. The only seed which has been published is s= c49d3608 86e70493 6a6678e1 139d26b7 819f7e90 (the string they hashed and mashed in the process of deriving c).

I don't think they could reverse the perhaps rather overly-complicated hashing/mashing process, but they could certainly cherry-pick the s until they found one which gave a c which they could use.

c not being one of the usual parameters for an elliptic curve, I should explain that it was then used as c = a^3/b^2 mod p.

However the choice of p, r, a and G was not seeded, and the methods by which those were chosen are opaque.

I don't really know enough about ECC to say whether a perhaps cherry-picked c = a^3/b^2 mod p is enough to ensure that the resulting curve is secure against chosen curve attacks - but it does seem to me that there is a whole lot of wiggle room between a cherry-picked c and the final curve."


-- Peter Fairbrother
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
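The derivation the message describes (seed s hashed and "mashed" into c, then c used as c = a^3/b^2 mod p), carried through for P-256 as an added worked example. This is not code from the message, from NIST or from any library; it implements the ANSI X9.62 / FIPS 186 seed-expansion step as the editor understands it (W_0 = the rightmost w bits of SHA-1(s), W_i = SHA-1((s + i) mod 2^160), c = W_0 || ... || W_v, then the check b^2 c = a^3 mod p), using the P-256 prime, a = -3 and b from FIPS 186 together with the seed quoted in the message. The function names are the editor's own; `solve_b` and `first_usable_seed` are there to make the "cherry-pick the s" remark concrete rather than being part of any standard.

```python
"""Re-derive c from the published NIST P-256 seed and run the b^2 * c == a^3 check.

Added example (not from the original message). Assumes the X9.62 / FIPS 186
expansion: W_0 = rightmost w bits of SHA-1(s), W_i = SHA-1((s + i) mod 2^160),
c = int(W_0 || W_1 || ... || W_v) with v = floor((l-1)/160), w = l - 160v - 1.
"""
from hashlib import sha1
from typing import Optional, Tuple

# NIST P-256 parameters as published in FIPS 186: the field prime, a = -3, and b.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# The only published input to the derivation: the 160-bit seed s quoted in the message.
P256_SEED = 0xC49D360886E704936A6678E1139D26B7819F7E90


def derive_c(seed: int, p: int) -> int:
    """Expand a 160-bit seed into the (l-1)-bit integer c for an l-bit prime p."""
    seed %= 1 << 160
    l = p.bit_length()
    v = (l - 1) // 160          # extra SHA-1 outputs needed after the first
    w = l - 160 * v - 1         # bits kept from the first hash, so that c < p
    h0 = int.from_bytes(sha1(seed.to_bytes(20, "big")).digest(), "big")
    c = h0 & ((1 << w) - 1)     # W_0: rightmost w bits of SHA-1(s)
    for i in range(1, v + 1):   # W_i: SHA-1 of the incremented seed
        s_i = ((seed + i) % (1 << 160)).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(sha1(s_i).digest(), "big")
    return c


def curve_matches_seed(seed: int, p: int, a: int, b: int) -> bool:
    """The check a verifier can actually run: b^2 * c == a^3 (mod p),
    plus the non-singularity conditions c != 0 and 4c + 27 != 0 (mod p)."""
    c = derive_c(seed, p)
    if c == 0 or (4 * c + 27) % p == 0:
        return False
    return (b * b * c - pow(a, 3, p)) % p == 0


def solve_b(c: int, p: int) -> Optional[Tuple[int, int]]:
    """Recover the b values implied by c when a = -3: b^2 = -27 / c (mod p).

    Assumes p % 4 == 3 (true for the P-256 prime), so a square root, when one
    exists, is x^((p+1)/4). Both roots pass the check: c fixes b only up to sign.
    """
    assert p % 4 == 3
    x = (-27 * pow(c, -1, p)) % p
    r = pow(x, (p + 1) // 4, p)
    if (r * r) % p != x:
        return None  # -27/c is a non-residue: this seed gives no curve with a = -3
    return (r, p - r)


def first_usable_seed(start: int, p: int, limit: int = 1000) -> Tuple[int, int]:
    """Walk seeds upward from `start` and return the first (seed, b) that passes
    the check: this is all that 'cherry-picking s until c is usable' costs."""
    for seed in range(start, start + limit):
        c = derive_c(seed, p)
        if c == 0 or (4 * c + 27) % p == 0:
            continue
        roots = solve_b(c, p)
        if roots is not None:
            return seed, roots[0]
    raise RuntimeError("no usable seed in range")


if __name__ == "__main__":
    print("P-256 seed verifies:", curve_matches_seed(P256_SEED, P256_P, P256_A, P256_B))
    roots = solve_b(derive_c(P256_SEED, P256_P), P256_P)
    print("published b is one of the two roots:", roots is not None and P256_B in roots)
    seed, b = first_usable_seed(P256_SEED + 1, P256_P)
    print("next usable seed: %x, b = %x" % (seed, b))
```

Each seed trial is two SHA-1 calls and one modular exponentiation, and about half of all c values make -27/c a square mod p, so iterating seeds until c has some wanted property is cheap. What the seed does not pin down is the sign of b (both roots satisfy b^2 c = a^3), nor p, r and G, which the message notes were never seeded at all.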
