[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

Paul Crowley paul at ciphergoth.org
Tue Sep 17 17:01:26 EDT 2013

At a stretch, one can imagine circumstances in which trying multiple seeds
to choose a curve would lead to an attack that we would not easily
replicate. I don't suggest that this is really what happened; I'm just
trying to work out whether it's possible.

Suppose you can easily break an elliptic curve with the right "attack
string".  Attack strings are very expensive to generate, at say 2^80
operations. Moreover, you can't tell what curves they break until they are
generated, but it's cheap to test whether a given string breaks a given
curve. Each string breaks about one curve in 2^80. Thus the NSA generate an
attack string, then generate 2^80 curves looking for one that is broken by
the string they generated.  They can safely publish this curve, knowing
that unless a new attack is developed it will take 2^160 effort for anyone
else to generate an attack string that breaks the curve they have chosen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130917/e189b882/attachment.html>

More information about the cryptography mailing list