# Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

```At a stretch, one can imagine circumstances in which trying multiple seeds
to choose a curve would lead to an attack that we would not easily
replicate. I don't suggest that this is really what happened; I'm just
trying to work out whether it's possible.```
```
Suppose you can easily break an elliptic curve with the right "attack
string".  Attack strings are very expensive to generate, at say 2^80
operations. Moreover, you can't tell what curves they break until they are
generated, but it's cheap to test whether a given string breaks a given
curve. Each string breaks about one curve in 2^80. Thus the NSA generate an
attack string, then generate 2^80 curves looking for one that is broken by
the string they generated.  They can safely publish this curve, knowing
that unless a new attack is developed it will take 2^160 effort for anyone
else to generate an attack string that breaks the curve they have chosen.
```
```_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography```