[Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)
Tony Arcieri
bascule at gmail.com
Tue Oct 1 11:47:49 EDT 2013
On Tue, Oct 1, 2013 at 3:08 AM, Adam Back <adam at cypherspace.org> wrote:
> But I do think it is a very interesting and pressing research question as
> to
> whether there are ways to plausibly deniably symmetrically weaken or even
> trapdoor weaken DL curve parameters, when the seeds are allowed to look
> random as the DSA FIPS 186-3 ones do.
See slide #28 in this djb deck:
http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
Specifically:
http://i.imgur.com/C7mg3T4.png
If e.g. the NSA knew of an entire class of weak curves, they could perform
a brute force search with random looking seeds, continuing until the curve
parameters, after the seed is run through SHA1, fall into the class that's
known to be weak to them.
--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131001/87bfb1af/attachment-0001.html>
More information about the cryptography
mailing list