[Cryptography] RSA equivalent key length/strength
Peter Fairbrother
zenadsl6186 at zen.co.uk
Tue Oct 1 13:39:11 EDT 2013
On 01/10/13 08:49, Kristian Gjøsteen wrote:
> On 1 Oct 2013 at 02:00, "James A. Donald" <jamesd at echeque.com> wrote:
>
>> On 2013-10-01 08:24, John Kelsey wrote:
>>> Maybe you should check your code first? A couple of NIST people verified that the curves were generated by the described process when the questions about the curves first came out.
>>
>> And a non-NIST person verified that the curves were not generated by the described process after the scandal broke.
>
> Checking the verification code may be a good idea.
>
> I just checked that the verification process described in Appendix 5 in the document RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE, July 1999 (http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf) accepts the NIST prime field curves listed in that document. Trivial python script follows.
>
> I am certainly not the first non-US non-government person to check.
>
> There is solid evidence that the US government does bad things. This isn't it.

Agreed (though did you also check whether the supposed verification
process actually matches the supposed generation process?).

Also agreed, NSA could not have reverse-engineered the parts of the
generating process from "random" source to the curve's b component, i.e.
they could not have started with a chosen b component and then generated
the "random" source.

However they could easily have cherry-picked a result for b from trying
several squillion source numbers. There is no real reason not to use
something like the digits of pi as the source - which they did not do.

Also, the method by which the generators (and thus the actual groups in
use, not the curves) were chosen is unclear.

Even assuming NSA tried their hardest to undermine the curve selection
process, there is some doubt as to whether these two actual and easily
verifiable failings in a supposedly "open" generation process are enough
to make the final groups selected useful for NSA's nefarious purposes.

But there is a definite lack of clarity there.

-- Peter Fairbrother
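
The seed-to-b check discussed in this thread, as an added example that is not part of the message and is not the script the quoted post mentions (that script is not on this page). It assumes the standard SHA-1 seed expansion for the NIST prime-field curves and uses the public P-256 parameters as constants; the function names are hypothetical.

```python
import hashlib

# Public NIST P-256 parameters (assumed from the standard, not from this page).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def derive_c(p: int, seed: bytes) -> int:
    """Expand a 160-bit seed into the integer c with SHA-1."""
    if len(seed) != 20:
        raise ValueError("seed must be exactly 160 bits")
    l = p.bit_length()
    v = (l - 1) // 160       # number of additional SHA-1 outputs needed
    w = l - 160 * v - 1      # bits kept from the first SHA-1 output
    h0 = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << w) - 1)
    z = int.from_bytes(seed, "big")
    c = h0
    for i in range(1, v + 1):
        # Hash (seed + i) mod 2^160 and append the 160-bit result.
        s_i = ((z + i) % 2**160).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return c


def verify_curve(p: int, seed: bytes, b: int) -> bool:
    """Accept y^2 = x^3 - 3x + b only if b^2 * c = -27 (mod p)."""
    c = derive_c(p, seed)
    return (b * b * c + 27) % p == 0


def flip_low_bit(seed: bytes) -> bytes:
    """Constructed negative case: the published seed with one bit changed."""
    return seed[:-1] + bytes([seed[-1] ^ 1])


if __name__ == "__main__":
    print("published seed:", verify_curve(P256_P, P256_SEED, P256_B))
    print("altered seed:  ", verify_curve(P256_P, flip_low_bit(P256_SEED), P256_B))
```

A passing result ties b to the seed through SHA-1 and nothing more: the check takes the seed as given, so it cannot distinguish a seed picked once from one selected after many trials, and it does not cover the choice of generator.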