On 01/06/15 21:43, Shnatsel . wrote:
But how do you know those arguments aren't cherry-picked?
We don't. We don't know they're good, all we know is they're
relatively better than NIST curves, both based on publicly available
research and on their developers having better rationale for their
parameters than NIST as well as potentially less of an incentive to
backdoor them.
If crypto primitive backdoors are a real problem, BADA55 curves with
verifiably random parameters might be worth considering:
http://safecurves.cr.yp.to/bada55.html
The NIST curves are "verifiably random" too.
I personally do not think NIST could have started with a desired curve,
and then calculated the seed by reversing the hashing etc process (it's
too complicated, IMO).
Only thing is, as with any "verifiably random" curve, you can still
calculate a lot of "verifiably random" curves, then cherry-pick one
which suits you...
-- Peter Fairbrother
_______________________________________________
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
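
The cherry-picking point made in the reply above, as an added sketch that is not part of the original thread: a toy "verifiably random" derivation (parameter = SHA-1 of a seed, not the actual curve-generation procedure) where a forward search over seeds finds a parameter with a property the generator wanted, and the published seed still verifies. All function names, the seed prefix and the stand-in property are assumptions made for illustration.

```python
import hashlib

HASH_BITS = 160  # SHA-1 output size


def derive_param(seed: bytes) -> int:
    """Toy derivation: the parameter is SHA-1(seed) read as an integer."""
    return int.from_bytes(hashlib.sha1(seed).digest(), "big")


def verify(seed: bytes, param: int) -> bool:
    """What an outside verifier can check: the parameter matches the seed."""
    return derive_param(seed) == param


def has_wanted_property(param: int, bits: int = 12, target: int = 0xBAD) -> bool:
    """Stand-in for any property the generator cares about (constructed):
    here, the top `bits` bits of the parameter equal `target`."""
    return param >> (HASH_BITS - bits) == target


def cherry_pick(prefix: bytes, max_tries: int = 1_000_000):
    """Hash forward over many seeds and keep the first one whose output
    has the wanted property. No hash inversion is needed."""
    for counter in range(max_tries):
        seed = prefix + counter.to_bytes(4, "big")
        param = derive_param(seed)
        if has_wanted_property(param):
            return seed, param, counter + 1
    raise RuntimeError("no seed found within max_tries")


if __name__ == "__main__":
    # Constructed sample prefix; a 12-bit property needs about 2**12 tries.
    seed, param, tries = cherry_pick(b"demo-seed-")
    print(f"seed       = {seed.hex()}")
    print(f"parameter  = {param:040x}")
    print(f"tries      = {tries}")
    print(f"verifies   = {verify(seed, param)}")
    # The verifier sees a valid (seed, parameter) pair and nothing about
    # how many other seeds were tried and discarded.
```

The expected work is about 2^k hashes for a property that holds with probability 2^-k, so what a verifier can conclude depends on how rare the wanted property is and how much freedom the seed leaves, not on the check passing.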