[Cryptography] Fw: how could ECC params be subverted & other evidence
Perry E. Metzger
perry at piermont.com
Tue Sep 10 10:37:43 EDT 2013
Forwarding because Adam apparently has distinct envelope and From:
addresses and didn't notice the bounce.
Note that anyone replying and attributing this message to *me* will
be laughed at mercilessly as their message is rejected.
Perry
Begin forwarded message:
Date: Tue, 10 Sep 2013 13:42:57 +0200
From: Adam Back <adam at cypherspace.org>
To: "Perry E. Metzger" <perry at piermont.com>
Cc: Alexander Klimov <alserkli at inbox.ru>, Cryptography List
<cryptography at metzdowd.com>, Adam Back <adam at cypherspace.org>
Subject: Re: [Cryptography] how could ECC params be subverted & other
evidence
Perry wrote:
>The Times reported that a standard [...] had been subverted, and
>there had been much internal congratulation in a memorandum.
>
>[...]This was only an example, the context in the Guardian and the
>Times made it clear others are probably lurking.
The important potential backdoor is NIST 186-3 curves in Peter
Fairbrother's reply, and I think that would be a good place to focus
analysis.
(DRBG is largely irrelevant due suspected compromised state since
2007, and very limited use. It is also a different type of issue -
not backdoored curves, arguably backdoored parameters).
I would like to hear also from other readers, who may have a deeper
understanding of EC math and parameter selection.
I do think people should be careful to distinguish between three
things:
1 political "confirmed" backdoor claims from whistleblower documents
as interpreted by journalists (technical articles by eg Schneier
exempted);
2 possible backdoor (showing that a parameter or key generation lacks
sufficient fairness in its generation)
3 actual verifiable sabotage (the actual backdoor keys, previously
unpublished implausible design failure, software backdoor etc.)
We need accuracy because once the dust has settled people will be
making crypto protocol design & implementation decisions based on
what is concluded. Speculate away, but be clear.
Adam
More information about the cryptography
mailing list