[Cryptography] RSA equivalent key length/strength

John Kelsey crypto.jmk at gmail.com
Mon Sep 30 18:35:24 EDT 2013

Having read the mail you linked to, it doesn't say the curves weren't generated according to the claimed procedure.  Instead, it repeats Dan Bernstein's comment that the seed looks random, and that this would have allowed NSA to generate lots of curves till they found a bad one.  

it looks to me like there is no new information here, and no evidence of wrongdoing that I can see.  If there is a weak curve class of greater than about 2^{80} that NSA knew about 15 years ago and were sure nobody were ever going to find that weak curve class and exploit it to break classified communications protected by it, then they could have generated 2^{80} or so seeds to hit that weak curve class.  

What am I missing?  Do you have evidence that the NIST curves are cooked?  Because the message I saw didn't provide anything like that.  


More information about the cryptography mailing list