[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Perry E. Metzger perry at piermont.com
Fri Sep 6 13:05:59 EDT 2013

On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen
<kristian.gjosteen at math.ntnu.no> wrote:
> As a co-author of an analysis of Dual-EC-DRBG that did not
> emphasize this problem (we only stated that Q had to be chosen at
> random, Ferguson &co were right to emphasize this point), I would
> like to ask:
> 	Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
> I mean, who on earth would be daft enough to use the slowest
> possible DRBG? If this is the best NSA can do, they are over-hyped.
> (If you really do want to use Dual-EC-DRBG: truncate more than 16
> bits, and don't use NSA's points, choose your own - at random.)

I have re-read the NY Times article. It appears to only indicate that
this was *a* standard that was sabotaged, not that it was the only
one. In particular, the Times merely indicates that they can now
confirm that this particular standard was sabotaged, but presumably
it was far from the only target.

Perry E. Metzger		perry at piermont.com
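Kristian's parenthetical advice above ("don't use NSA's points, choose your own - at random") is easy to state and easy to get wrong, because a Q that someone picked by computing d*P for a secret d looks exactly like a random point. The following is an added example, not code from this thread or from any standard: it derives a Q point on NIST P-256 by hashing a public seed to the curve (try-and-increment with SHA-256) and records the counter, so that anyone can recompute the point and confirm no private scalar went into choosing it. The seed string is constructed for the example; the curve constants are the published P-256 parameters.

```python
"""Derive a Dual-EC-style Q point from a public seed on NIST P-256 and audit it.

Added example (not from the mailing-list thread). The idea: a point produced by
hashing a public string to the curve gives no one a known d with Q = d*P, which
is the property the Shumow/Ferguson observation depends on.
"""
import hashlib

# NIST P-256 domain parameters: y^2 = x^3 - 3x + b (mod p), cofactor 1.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(point):
    """True if (x, y) satisfies the P-256 curve equation."""
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def sqrt_mod_p(v):
    """Square root mod P, or None if v is a non-residue.

    P is 3 mod 4, so v^((P+1)/4) is a root whenever one exists.
    """
    r = pow(v % P, (P + 1) // 4, P)
    return r if (r * r) % P == v % P else None


def derive_point(seed: bytes):
    """Map a public seed to a curve point by try-and-increment.

    Returns (point, counter). Publishing the seed and the counter lets any
    reviewer re-run this function and confirm the point was not chosen by
    multiplying the generator by a secret scalar.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (x * x * x + A * x + B) % P
        y = sqrt_mod_p(rhs)
        if y is not None:
            if y % 2:          # take the even root so the output is canonical
                y = P - y
            return (x, y), counter
        counter += 1


def verify_derivation(seed: bytes, point, counter):
    """Audit check: recompute from the seed and compare with a published point."""
    derived, derived_counter = derive_point(seed)
    return is_on_curve(point) and derived == point and derived_counter == counter


if __name__ == "__main__":
    # Constructed seed for the example; a real deployment would publish its own.
    seed = b"constructed-example-seed: Dual-EC Q derivation"
    q, ctr = derive_point(seed)
    print("generator on curve:", is_on_curve((GX, GY)))
    print("derived Q:", hex(q[0]), hex(q[1]), "counter:", ctr)
    print("audit passes:", verify_derivation(seed, q, ctr))
```

Because P-256 has cofactor 1, any point satisfying the curve equation is already in the prime-order group, so no extra order check is needed. This only addresses the choice of Q; the other half of Kristian's advice, truncating more than 16 bits of each output, is a separate parameter of the generator and is not shown here.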