On Oct 2, 2013, at 9:54 AM, Paul Crowley <p...@ciphergoth.org> wrote:

> On 30 September 2013 23:35, John Kelsey <crypto....@gmail.com> wrote:
>> If there is a weak curve class of greater than about 2^{80} that NSA knew 
>> about 15 years ago and were sure nobody was ever going to find that weak 
>> curve class and exploit it to break classified communications protected by 
>> it, then they could have generated 2^{80} or so seeds to hit that weak curve 
>> class.
> 
> If the NSA's attack involves generating some sort of collision between a 
> curve and something else over a 160-bit space, they wouldn't have to be 
> worried that someone else would find and attack that "weak curve class" with 
> less than 2^160 work.

I don't know enough about elliptic curves to have an intelligent opinion on 
whether this is possible.  Has anyone worked out a way to do this?  

The big question is how much work would have had to be done.  If you're talking 
about a birthday collision on the curve parameters, is that a collision on a 
160-bit value, or on a 224-, 256-, 384- or 512-bit value?  I can believe NSA 
doing a 2^{80} search 15 years ago, but I think it would have had to be a top 
priority.  There is no way they were doing 2^{112} searches 15 years ago, as 
far as I can see.

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
