[Cryptography] [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Ryan Carboni ryacko at gmail.com
Thu May 14 03:28:12 EDT 2015


>
> I think it's unlikely that the NSA had advance knowledge of some sort of
> class of weak curves / attack in the late '90s and baked that attack into
> the NIST curves in such a way that civilian cryptographers are yet to
> discover it in 2015.
>
> However, the NIST curves definitely have (unintentional?) security problems
> in addition to large mystery constants which do not inspire confidence.
> Hence djb and friends / MS / CFRG's desire to have rigid curve generation
> guidelines.
>
> Dual EC DRBG smelled much more of a backdoor.
>
>
In order for there to be some kind of preimage attack using the constants,
which were generated using SHA-1, then there has to be some sort of
preimage attack on SHA-1.

Now assuming the $50 million 1982 DES bruteforce attack was possible, and
factoring in that the value of breaking all the cryptography is more than
just one key, assuming that it would be worth two months of computation
(thus reducing the cost of the attack by 30), and assuming that budgets
increase 10% year after year...

There must approximately be a 72-bit preimage attack on SHA-1.

That no one has discovered.

So there are two possibilities...

1. all the cryptography is trivially broken

2. NIST is incompetent