[Cryptography] Is ECC suspicious?

Jon Callas jon at callas.org
Thu Sep 5 19:57:30 EDT 2013

Hash: SHA1

On Sep 5, 2013, at 4:09 PM, "Perry E. Metzger" <perry at piermont.com> wrote:

> Now, this certainly was a problem for the random number generator
> standard, but is it an actual worry in other contexts? I tend not to
> believe that but I'm curious about opinions.

If there is a place to worry, it would be about the specific curves.

I had a lively dinner-table conversation with Dan Bernstein and Tanja Lange at CRYPTO this year, and Dan pointed out that there's been a lot of work on cryptanalysis of specific curves and curve families. We know, for example that anything over GF(p^n) is seeming dodgy, but GF(p) seems okay. There are recent Eurocrypt papers on said.

The Suite B curves were picked some time ago. Maybe they have problems.

I have a small amount of raised eyebrow because the greatest bulwark we have against the SIGINT capabilities of any intelligence agency are that agency's IA cousins. I don't think that the Suite B curves would have been intentionally weak. That would be a shock.

However, if the SIGINT guys (e.g.) discovered a weakness that gave P-256 something les than 128 bits of security, they might just sit on it. Certainly, even if they wanted to release that, there would be politics compounded by security compartments. Learning that they sat on a weakness would might be a shock, but it wouldn't be a surprise.

If there is an issue, that's the place it would be. Not ECC as a technology, but specific curves.


Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii


More information about the cryptography mailing list