[Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

Peter Fairbrother zenadsl6186 at zen.co.uk
Mon Sep 9 19:25:20 EDT 2013

On 09/09/13 23:03, Perry E. Metzger wrote:

>> On Mon, 9 Sep 2013, Daniel wrote:
>> [...] They are widely used curves and thus a good way to reduce
>> conspiracy theories that they were chosen in some malicious way to
>> subvert DRBG.
> Er, don't we currently have documents from the New York Times and the
> Guardian that say that in fact they *did* subvert them?
> Yes, a week ago this was paranoia, but now we have confirmation, so
> it is no longer paranoia.

I did not see that, and as far as I can tell there is no actual 

Also, the known possible subversion of DRBG did not involve curve 
selection, but selection of a point to be used in DRBG. I think Kristian 
G has posted about that.

As to elliptic curves, there are only two of significance, in terms of 
being widely used:  they are NIST P-256 and NIST P-384.

NIST P-224 is also occasionally used.

These are the same curves as the secp256/384r1 curves, and the same 
curves as almost any other 256-bit or 384-bit curves you might want to 
mention - e.g. the FIPS 186-3 curves, and so on.

These are all the same curves.

They all began in 1999 as the curves in the (NIST) RECOMMENDED ELLIPTIC 


The way they were selected is supposed to be pseudo-random based on 
SHA-1, though it's actually not quite like that (or not even close).

Full details, or at least all of the publicly available details about 
the curve selection process, are in the link, but as I wrote earlier:

"Take FIPS P-256 as an example. The only seed which has been published 
is s=  c49d3608 86e70493 6a6678e1 139d26b7 819f7e90 (the string they 
hashed and mashed in the process of deriving c).

I don't think they could reverse the perhaps rather overly-complicated 
hashing/mashing process, but they could certainly cherry-pick the s 
until they found one which gave a c which they could use.

c not being one of the usual parameters for an elliptic curve, I should 
explain that it was then used as c = a^3/b^2 mod p.

However the choice of p, r, a and G was not seeded, and the methods by 
which those were chosen are opaque.

I don't really know enough about ECC to say whether a perhaps 
cherry-picked c = a^3/b^2 mod p is enough to ensure that the resulting 
curve is secure against chosen curve attacks - but it does seem to me 
that there is a whole lot of wiggle room between a cherry-picked c and 
the final curve."

-- Peter Fairbrother
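As an added example (not part of the thread), the published P-256 seed quoted above can be run through the ANSI X9.62 / FIPS 186 seed-to-c derivation and checked against the curve's b via b^2 * c = a^3 (mod p), which is the relation the message writes as c = a^3/b^2 mod p. The domain parameters p, a and b are the published NIST P-256 (secp256r1) values from FIPS 186 / SEC 2, not from the message.

```python
import hashlib

# NIST P-256 (secp256r1) domain parameters as published in FIPS 186 / SEC 2.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# The only published seed for P-256, as quoted in the message.
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_c(seed: bytes, p: int) -> int:
    """ANSI X9.62 A.3.3 / FIPS 186 'verifiably random' derivation: seed -> c.

    t = ceil(log2 p), s = floor((t-1)/160), v = t - 160*s.
    c = W0 || W1 || ... || Ws, where W0 is the rightmost v bits of SHA-1(seed)
    with its leftmost bit cleared and Wi = SHA-1(seed + i mod 2^g).
    """
    t = p.bit_length()              # ceil(log2 p) for a prime p > 2
    s = (t - 1) // 160              # number of additional SHA-1 outputs
    v = t - 160 * s                 # bits kept from the first hash (96 for P-256)
    g = len(seed) * 8               # seed length in bits
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w0 = h & ((1 << v) - 1)         # rightmost v bits of SHA-1(seed)
    w0 &= ~(1 << (v - 1))           # clear the leftmost of those v bits
    z = int.from_bytes(seed, "big")
    w = w0
    for i in range(1, s + 1):
        zi = (z + i) % (1 << g)
        hi = hashlib.sha1(zi.to_bytes(g // 8, "big")).digest()
        w = (w << 160) | int.from_bytes(hi, "big")
    return w


def seed_matches_curve(seed: bytes, p: int, a: int, b: int) -> bool:
    """True if b^2 * c == a^3 (mod p) for the c derived from seed."""
    c = derive_c(seed, p)
    return (b * b * c - a * a * a) % p == 0


if __name__ == "__main__":
    print("P-256 seed verifies:", seed_matches_curve(P256_SEED, P256_P, P256_A, P256_B))
```

Note that the check only ties c to the seed; as the message says, it does not constrain how p, the base point G or the order r were chosen.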
