[Cryptography] IETF discussion on new ECC curves.

Bear bear at sonic.net
Wed Jul 30 16:42:30 EDT 2014


> On Mon, Jul 28, 2014 at 7:48 PM, Bear <bear at sonic.net> wrote:
> > On Sat, 2014-07-26 at 14:32 -0400, Phillip Hallam-Baker wrote:

> > So the first fermat-test prime number below 2^512 is 2^512 - 569? It's
> > a nice nothing-up-my-sleeve number, anyhow. What's the problem with it?
> > Are there some requirements I don't know?

> Yep, that is exactly what Microsoft did. The problem is that it is not
> exceptional speed wise. The fast moduli are 2^521 and 2^480.

Despite the non-exceptional speed, 512 = 2^9 is THE next 
nothing-up-my-sleeve number for a bit width, and 2^512 - 
569 is therefore THE next nothing-up-my-sleeve number for 
an exponent modulus.  

The minute there is debate, there is reasonable suspicion 
that someone is trying to influence the debate for purposes 
of subverting security.

Gratz to Microsoft, whatever their past sins, for making a
recommendation that marks them out as DEFINITELY not playing 
that role in the current round.  

The minute that there is suspicion that someone might be 
trying to influence the debate for purposes of subverting 
security, it raises a hard question....  one which sounds 
like a paranoid wearing a too-tight hat, but which must be 
raised....  

Is it at all reasonable to suspect that the same properties 
that make a given calculation faster might also make it 
easier to analyze or reverse?  

IOW, when we look for 'fast' curves, is there a "reasonable 
to suspect" chance that we're thereby looking for 'weak' 
curves by some mathematical attack that we may finally notice 
next week or the week after - but which the hypothetical 
parties attempting to influence the debate may be aware of 
now? 

			Bear
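
Added example (not part of the message above): the "largest prime below 2^k" rule from the thread can be re-run by anyone, which is what makes a modulus such as 2^512 - 569 nothing-up-my-sleeve. The function names are illustrative, the primality check is Miller-Rabin with fixed bases (a probable-prime test, not a proof), and reading the quoted "2^521" as the Mersenne prime 2^521 - 1 is an assumption.

```python
# Added example: reproduce the "largest prime below 2^bits" modulus search.
# Fixed Miller-Rabin bases keep the run repeatable; for numbers this large
# the result is "probable prime", not a primality certificate.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Trial division by small primes, then Miller-Rabin on fixed bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2^s with d odd
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # base a is a witness: n is composite
    return True


def nums_offset(bits):
    """Smallest c > 0 such that 2^bits - c is a probable prime (bits >= 2)."""
    c = 1
    while not is_probable_prime((1 << bits) - c):
        c += 2                 # even c gives an even candidate, skip it
    return c


if __name__ == "__main__":
    for bits in (512, 521):
        c = nums_offset(bits)
        p = (1 << bits) - c
        # Base-2 Fermat test, the check named in the quoted text.
        print(f"2^{bits} - {c}: base-2 Fermat test passes = {pow(2, p - 1, p) == 1}")
```

The search has no free parameter other than the bit width, so the offset it returns cannot be tuned by whoever proposes the modulus.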



