I forget, what were the original inputs to the hash?

On Mon, Oct 13, 2014 at 8:14 AM, Krisztián Pintér <pinte...@gmail.com> wrote:
> On Mon, Oct 13, 2014 at 4:51 PM, Derek Miller <dreemkil...@gmail.com> wrote:
> > However, considering one of the scenarios where these curves might be
> > compromised (the NSA knew of weaknesses in certain curves, and engineered
> > the NIST Prime curves to be subject to those weaknesses)
>
> interestingly, this is the better case. because if so, we can assume a
> minority of the curves are bad. if many curves were bad, they could
> just try to find nicely parametrized curves that are weak. they had to
> resort to that hashing strategy, which means that method is
> unfeasible, thus the vast majority of the curves does not have the
> property they wanted. therefore any non-NIST curve is probably safe by
> pure chance.
>
> however, there is the other case, namely NIST defends against some
> vulnerability they don't disclose. if so, the logic goes the opposite
> direction: most curves are vulnerable. in this case, other curves are
> probably unsafe.
>
> so actually we hope they were malicious, and then we can use all other
> curves, there are plenty.
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography