24. sep. 2013 kl. 18:01 skrev Jerry Leichter <leich...@lrw.com>:

> At the time this default was chosen (2005 or thereabouts), it was *not* a 
> "mistake".  Dual EC DRBG was in a just-published NIST standard.  ECC was 
> "hot" as the best of the new stuff - with endorsements not just from NSA but 
> from academic researchers.

Choosing Dual-EC-DRBG has been a mistake for its entire lifetime, because it is 
so slow.

While some reasonable people seem to have a preference for cryptography based 
on number theory, I've never met anyone who would actually use Dual-EC-DRBG. 
(Blum-Blum-Shub-fanatics show up all the time, but they are all nutcases.)

I claim that RSA was either malicious, easily fooled or incompetent to use the 
generator. I will not buy anything from RSA in the future. Were I using RSA 
products or services, I would find replacements.

(For what it's worth, I discounted the press reports about a trapdoor in 
Dual-EC-DRBG because I didn't think anyone would be daft enough to use it. I 
was wrong.)

Kristian Gjøsteen

The cryptography mailing list

Reply via email to