On Fri, Oct 23, 2015 at 11:08 PM, Ray Dillinger <[email protected]> wrote:
[snip]
> Which IMO leaves non-technical reasons. It could be a subterfuge
> to try to hinder crypto adoption, or to get that focused analytical
> attention on ECC, or an attempt to get people to stop using something
> they don't know how to break. Heck, it could even be a legitimate
> attempt to protect the security of the nation's infrastructure; you
> just never know with these guys.
The timing was interestingly related to increased adoption/standardization of 25519-based cryptosystems, and helpfully suggests a larger curve... which could be a nicely indirect way of saying don't use _some_ particular curve at a smaller size. But it's a zero-information observation: even if it were true, it might mean that the alternative which was being indirectly discouraged was known to be weak, or known to be strong.

The "if the NIST curves are rigged, all ECC is broken" argument doesn't quite apply to this, as there are numerous special characteristics production curves are selected for that make them at least somewhat unlike random curves (e.g. prime shape or cofactor or ...). I don't quite buy the argument that if there were some very large class of random curves that were weak, we'd stop using ECC entirely. Selection of multiplicative groups for DH: we use "safe" primes to avoid weakness; for ECC we do not use supersingular curves, etc. Primes with structure 1 mod 3 and a curve with j-invariant zero give rise to the efficient endomorphism that gives a mild speedup in rho attacks; maybe it turns out that (say) primes congruent to 1 mod 4 allow some actual attack, and if that were discovered and well understood, the world would just stop using those curves, exclude those primes in parameter searches (as many others are already excluded), and probably continue using ECC. The fact that we already exclude large classes of curves to avoid weakness should be a decisive argument on this point; an exception might be if the weak class were computationally hard to distinguish even understanding the weakness.

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
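To make the "we already exclude large classes of curves" point concrete, here is a toy parameter filter in Python that encodes the exclusions the post names (safe primes for DH, no supersingular curves, j-invariant 0 rejected, cofactor bounded) plus two standard ones the post does not spell out (anomalous curves and low embedding degree). This is an added example, not code from the post, the list, or any real curve-generation tool; the primes are far too small to be secure and are chosen so the group order can be counted by brute force, and the thresholds max_cofactor and min_embedding are illustrative assumptions, not anyone's standard.

```python
# Added example (not from the post): a toy curve/DH parameter filter that
# mimics the exclusions discussed. All primes here are tiny so that
# #E(F_p) can be counted by brute force; the thresholds are assumptions.


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def is_safe_prime(p: int) -> bool:
    """DH side of the post's argument: p and (p-1)/2 both prime, so the
    multiplicative group has no small subgroups beyond {1, p-1}."""
    return is_prime(p) and is_prime((p - 1) // 2)


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def curve_order(a: int, b: int, p: int) -> int:
    """#E(F_p) for y^2 = x^3 + a*x + b: each x contributes 1 + (f(x)/p)
    affine points, plus the point at infinity."""
    return p + 1 + sum(legendre(x * x * x + a * x + b, p) for x in range(p))


def largest_prime_factor(n: int) -> int:
    best, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best


def embedding_degree(q: int, p: int, limit: int):
    """Smallest k <= limit with p^k = 1 (mod q), or None if there is none.
    A small k lets the MOV/Frey-Rueck transfer move the DLP into F_{p^k}^*."""
    pk = 1
    for k in range(1, limit + 1):
        pk = (pk * p) % q
        if pk == 1:
            return k
    return None


def check_curve(a: int, b: int, p: int,
                max_cofactor: int = 4, min_embedding: int = 20) -> list:
    """Reasons a candidate y^2 = x^3 + a*x + b over F_p would be thrown out
    of a parameter search; an empty list means it survives the filter."""
    if not is_prime(p):
        return ["p is not prime"]
    a, b = a % p, b % p
    if (4 * a * a * a + 27 * b * b) % p == 0:
        return ["singular (discriminant 0)"]
    reasons = []
    n = curve_order(a, b, p)
    if a == 0:
        # p = 1 mod 3: the cheap order-3 endomorphism speeds up rho;
        # p = 2 mod 3: the curve is supersingular. Excluded either way.
        reasons.append("j-invariant 0")
    if b == 0:
        reasons.append("j-invariant 1728")
    if n == p + 1:
        reasons.append("supersingular (trace 0)")
    if n == p:
        reasons.append("anomalous (#E = p)")
    q = largest_prime_factor(n)
    h = n // q
    if h > max_cofactor:
        reasons.append(f"cofactor {h} > {max_cofactor}")
    k = embedding_degree(q, p, min_embedding)
    if k is not None:
        reasons.append(f"embedding degree {k} <= {min_embedding}")
    return reasons


if __name__ == "__main__":
    print("safe primes:", [p for p in range(5, 60) if is_safe_prime(p)])
    # Constructed toy curves: j=0 over p=1 mod 3, j=0 over p=2 mod 3, generic.
    for a, b, p in [(0, 2, 7), (0, 1, 11), (1, 1, 7)]:
        print(f"y^2 = x^3 + {a}x + {b} over F_{p}: order {curve_order(a, b, p)},"
              f" rejected for {check_curve(a, b, p, min_embedding=3) or 'nothing'}")
```

The interesting behaviour is in check_curve: the same curve can fail for several independent reasons (y^2 = x^3 + 1 over F_11 is both j-invariant 0 and supersingular), which is exactly the post's picture of a search that discards whole classes before any security argument about the survivors begins. The last sentence of the post is the caveat the filter cannot address: every test here is a cheap computation on (a, b, p), and a weak class that could not be recognised that cheaply would slip through.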
