[Cryptography] Fw: how could ECC params be subverted & other evidence

Perry E. Metzger perry at piermont.com
Tue Sep 10 10:37:43 EDT 2013

Forwarding because Adam apparently has distinct envelope and From:
addresses and didn't notice the bounce.

Note that anyone replying and attributing this message to *me* will
be laughed at mercilessly as their message is rejected.


Begin forwarded message:

Date: Tue, 10 Sep 2013 13:42:57 +0200
From: Adam Back <adam at cypherspace.org>
To: "Perry E. Metzger" <perry at piermont.com>
Cc: Alexander Klimov <alserkli at inbox.ru>, Cryptography List
<cryptography at metzdowd.com>, Adam Back <adam at cypherspace.org>
Subject: Re: [Cryptography] how could ECC params be subverted & other

Perry wrote:
>The Times reported that a standard [...] had been subverted, and
>there had been much internal congratulation in a memorandum.  
>[...]This was only an example, the context in the Guardian and the
>Times made it clear others are probably lurking.

The important potential backdoor is NIST 186-3 curves in Peter
Fairbrother's reply, and I think that would be a good place to focus.

(DRBG is largely irrelevant due to its suspected compromised state since
2007, and very limited use.  It is also a different type of issue -
not backdoored curves, arguably backdoored parameters).

I would like to hear also from other readers, who may have a deeper
understanding of EC math and parameter selection.

I do think people should be careful to distinguish between three:

1 political "confirmed" backdoor claims from whistleblower documents
as interpreted by journalists (technical articles by e.g. Schneier)

2 possible backdoor (showing that a parameter or key generation lacks
   sufficient fairness in its generation)

3 actual verifiable sabotage (the actual backdoor keys, previously
   unpublished implausible design failure, software backdoor etc.)

We need accuracy because once the dust has settled people will be
making crypto protocol design & implementation decisions based on
what is concluded.  Speculate away, but be clear.

