[Cryptography] RSA equivalent key length/strength
James A. Donald
jamesd at echeque.com
Mon Sep 30 20:04:25 EDT 2013
On 2013-10-01 08:35, John Kelsey wrote:
> Having read the mail you linked to, it doesn't say the curves weren't generated according to the claimed procedure. Instead, it repeats Dan Bernstein's comment that the seed looks random, and that this would have allowed NSA to generate lots of curves till they found a bad one.
The claimed procedure would have prevented the NSA from generating lots
of curves till they found a bad one - one with weaknesses that the NSA
knows how to detect, but which other people do not yet know how to detect.
That was the whole point of the claimed procedure.
As with SHA3, the NSA/NIST is deviating from its supposed procedures in
ways that remove the security properties of those procedures.
More information about the cryptography