[Cryptography] RSA equivalent key length/strength

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Oct 1 13:39:11 EDT 2013


On 01/10/13 08:49, Kristian Gjøsteen wrote:
> On 1 Oct 2013, at 02:00, "James A. Donald" <jamesd at echeque.com> wrote:
>
>> On 2013-10-01 08:24, John Kelsey wrote:
>>> Maybe you should check your code first? A couple of NIST people verified that the curves were generated by the described process when the questions about the curves first came out.
>>
>> And a non-NIST person verified that the curves were not generated by the described process after the scandal broke.
>
> Checking the verification code may be a good idea.
>
> I just checked that the verification process described in Appendix 5 in the document RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE, July 1999 (http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf) accepts the NIST prime field curves listed in that document. Trivial python script follows.
>
> I am certainly not the first non-US non-government person to check.
>
> There is solid evidence that the US government does bad things. This isn't it.

Agreed (though did you also check whether the supposed verification 
process actually matches the supposed generation process?).

Also agreed, NSA could not have reverse-engineered the parts of the 
generating process from "random" source to the curve's b component, i.e. 
they could not have started with a chosen b component and then generated 
the "random" source.



However they could easily have cherry-picked a result for b from trying 
several squillion source numbers. There is no real reason not to use 
something like the digits of pi as the source - which they did not do.

Also, the method by which the generators (and thus the actual groups in 
use, not the curves) were chosen is unclear.


Even assuming NSA tried their hardest to undermine the curve selection 
process, there is some doubt as to whether these two actual and easily 
verifiable failings in a supposedly "open" generation process are enough 
to make the final groups selected useful for NSA's nefarious purposes.

But there is a definite lack of clarity there.


-- Peter Fairbrother

