On Tue, Oct 1, 2013 at 3:08 AM, Adam Back <a...@cypherspace.org> wrote:

> But I do think it is a very interesting and pressing research question as to
> whether there are ways to plausibly deniably symmetrically weaken or even
> trapdoor weaken DL curve parameters, when the seeds are allowed to look
> random as the DSA FIPS 186-3 ones do.

See slide #28 in this djb deck:




If e.g. the NSA knew of an entire class of weak curves, they could perform
a brute force search with random looking seeds, continuing until the curve
parameters, after the seed is run through SHA1, fall into the class that's
known to be weak to them.

Tony Arcieri
The cryptography mailing list

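The seed search described in the message above, as an added sketch that is not part of the original post: it shows that a parameter found by searching seeds passes the same "it really is SHA-1 of the seed" audit as an honestly drawn one. The secret class used here (low bits of the hash are zero) and all function names are constructed stand-ins, not a real curve weakness or a real generation procedure.

```python
import hashlib
import random

WEAK_BITS = 12  # constructed: the secret class has density 2**-12

def derive_param(seed: bytes) -> int:
    """Stand-in for 'verifiably random' generation: parameter = SHA-1(seed)."""
    return int.from_bytes(hashlib.sha1(seed).digest(), "big")

def in_secret_class(param: int, bits: int = WEAK_BITS) -> bool:
    """Hypothetical property known only to the generator (not a real curve
    weakness): the low `bits` bits of the parameter are zero."""
    return param & ((1 << bits) - 1) == 0

def seeded_source(n: int):
    """Reproducible source of random-looking 160-bit seeds (for the demo)."""
    rng = random.Random(n)
    return lambda: rng.getrandbits(160).to_bytes(20, "big")

def search_seed(seed_source, bits: int = WEAK_BITS, max_tries: int = 1 << 22):
    """Draw seeds until the derived parameter lands in the secret class."""
    for tries in range(1, max_tries + 1):
        seed = seed_source()
        if in_secret_class(derive_param(seed), bits):
            return seed, tries
    raise RuntimeError("no seed found within max_tries")

def public_verify(seed: bytes, param: int) -> bool:
    """All an outside auditor can check: the parameter really is SHA-1(seed)."""
    return derive_param(seed) == param

def mean_tries(bits: int, runs: int) -> float:
    """Average search cost over several runs; expected value is 2**bits."""
    return sum(search_seed(seeded_source(r), bits)[1] for r in range(runs)) / runs

if __name__ == "__main__":
    seed, tries = search_seed(seeded_source(2013))
    param = derive_param(seed)
    print("seed      :", seed.hex())
    print("tries     :", tries, "(expected about", 2 ** WEAK_BITS, ")")
    print("audit ok  :", public_verify(seed, param))
    print("in class  :", in_secret_class(param))
    print("mean tries for 8-bit class:", mean_tries(8, 50))
```

The search cost scales as the inverse of the class density, so the audit only constrains the generator if the seed itself is derived in a way that leaves no freedom to retry.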