On Tue, Oct 1, 2013 at 3:08 AM, Adam Back <a...@cypherspace.org> wrote:
> But I do think it is a very interesting and pressing research question as
> to whether there are ways to plausibly deniably symmetrically weaken or even
> trapdoor weaken DL curve parameters, when the seeds are allowed to look
> random as the DSA FIPS 186-3 ones do.

See slide #28 in this djb deck:

http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf

Specifically:

http://i.imgur.com/C7mg3T4.png

If e.g. the NSA knew of an entire class of weak curves, they could perform a brute force search with random looking seeds, continuing until the curve parameters, after the seed is run through SHA1, fall into the class that's known to be weak to them.

--
Tony Arcieri
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
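
An added illustration of the argument in the message above, not code from the thread or from any standard: a toy model showing that a published seed passes the usual "parameter = SHA-1(seed)" check no matter how the seed was chosen, and that landing in a class covering a 2^-k fraction of outputs costs about 2^k hashes. The derivation is a simplified stand-in and the class predicate is a hypothetical placeholder, not a real curve weakness; all names are assumptions.

```python
import hashlib

SEED_LEN = 20  # 160-bit seed, the size used for SHA-1 derived parameters


def derive_parameter(seed: bytes) -> int:
    """Toy stand-in for the seed -> SHA-1 -> curve coefficient derivation."""
    return int.from_bytes(hashlib.sha1(seed).digest(), "big")


def verify_seed(seed: bytes, published_param: int) -> bool:
    """All a third party can check: the parameter really derives from the seed."""
    return derive_parameter(seed) == published_param


def in_hypothetical_class(param: int, density_bits: int) -> bool:
    """Placeholder predicate marking a 2**-density_bits fraction of outputs.
    It models 'a class known only to the generator', not any real weakness."""
    return param % (1 << density_bits) == 0


def expected_tries(density_bits: int) -> int:
    """Mean number of seeds to test before one lands in the class."""
    return 1 << density_bits


def search_seed(density_bits: int, start: bytes = b"constructed-start",
                limit: int = 1 << 20):
    """Try random-looking seeds until the derived parameter is in the class."""
    for tries in range(1, limit + 1):
        # Seeds come from a hash of a counter, so each one looks random.
        seed = hashlib.sha256(start + tries.to_bytes(8, "big")).digest()[:SEED_LEN]
        param = derive_parameter(seed)
        if in_hypothetical_class(param, density_bits):
            return seed, param, tries
    raise RuntimeError("no seed found within limit")


if __name__ == "__main__":
    k = 12
    seed, param, tries = search_seed(k)
    print("seed:", seed.hex())
    print("tries:", tries, "expected about", expected_tries(k))
    print("public verification passes:", verify_seed(seed, param))
```

The verification result is the point: the check binds the parameter to the seed but says nothing about how many seeds were discarded first, which is why a seed needs a justification that leaves no room for such a search.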