[Cryptography] RSA equivalent key length/strength

James A. Donald jamesd at echeque.com
Mon Sep 30 20:04:25 EDT 2013

On 2013-10-01 08:35, John Kelsey wrote:
> Having read the mail you linked to, it doesn't say the curves weren't generated according to the claimed procedure.  Instead, it repeats Dan Bernstein's comment that the seed looks random, and that this would have allowed NSA to generate lots of curves till they found a bad one.

The claimed procedure would have prevented the NSA from generating lots 
of curves till they found a bad one - one with weaknesses that the NSA 
knows how to detect, but which other people do not yet know how to detect.

That was the whole point of the claimed procedure.

As with SHA3, the NSA/NIST is deviating from its supposed procedures in 
ways that remove the security properties of those procedures.

More information about the cryptography mailing list