[Cryptography] IETF discussion on new ECC curves.
Bear
bear at sonic.net
Wed Jul 30 16:42:30 EDT 2014
> On Mon, Jul 28, 2014 at 7:48 PM, Bear <bear at sonic.net> wrote:
> > On Sat, 2014-07-26 at 14:32 -0400, Phillip Hallam-Baker wrote:
> > So the first fermat-test prime number below 2^512 is 2^512 - 569? It's
> > a nice nothing-up-my-sleeve number, anyhow. What's the problem with it?
> > Are there some requirements I don't know?
> Yep, that is exactly what Microsoft did. The problem is that it is not
> exceptional speed wise. The fast moduli are 2^521 and 2^480.
Despite the non-exceptional speed, 512 = 2^9 is THE next
nothing-up-my-sleeve number for a bit width, and 2^512 -
569 is therefore THE next nothing-up-my-sleeve number for
an exponent modulus.

The minute there is debate, there is reasonable suspicion
that someone is trying to influence the debate for purposes
of subverting security.

Gratz to Microsoft, whatever their past sins, for making a
recommendation that marks them out as DEFINITELY not playing
that role in the current round.

The minute that there is suspicion that someone might be
trying to influence the debate for purposes of subverting
security, it raises a hard question.... one which sounds
like a paranoid wearing a too-tight hat, but which must be
raised....

Is it at all reasonable to suspect that the same properties
that make a given calculation faster might also make it
easier to analyze or reverse?

IOW, when we look for 'fast' curves, is there a "reasonable
to suspect" chance that we're thereby looking for 'weak'
curves by some mathematical attack that we may finally notice
next week or the week after - but which the hypothetical
parties attempting to influence the debate may be aware of
now?
Bear
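
Added example, not part of the original post: anyone can re-derive the modulus discussed above from the bit width alone, and the same fold-based reduction shows where the speed difference between 2^512 - 569 and 2^521 - 1 comes from. It uses Miller-Rabin in place of the Fermat test mentioned in the thread; the function names are hypothetical.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test (swapped in for the Fermat test named in the thread)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)  # fixed seed: every run checks the same witnesses
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True

def smallest_offset(bits):
    """Smallest c > 0 with 2^bits - c probably prime; the only input is the bit width."""
    c = 1
    while not is_probable_prime((1 << bits) - c):
        c += 2  # even offsets give even numbers, so skip them
    return c

def reduce_pseudo_mersenne(x, bits, c):
    """Reduce x mod p = 2^bits - c without division, using 2^bits = c (mod p)."""
    p = (1 << bits) - c
    mask = (1 << bits) - 1
    while x >> bits:
        # Fold the high part down. With c = 1 (2^521 - 1) this is a plain add;
        # with c = 569 each fold costs an extra small multiplication.
        x = (x & mask) + (x >> bits) * c
    return x - p if x >= p else x

if __name__ == "__main__":
    for bits in (512, 521):
        print(f"2^{bits} - {smallest_offset(bits)}")
```
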