[Cryptography] [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Ryan Carboni ryacko at gmail.com
Thu May 14 14:27:34 EDT 2015

On Thu, May 14, 2015 at 7:31 AM, Salz, Rich <rsalz at akamai.com> wrote:

> > In odd news, the US government has to pay private companies for
> certificates. You'd think they'd be able to get browser makers to allow a
> root certificate that can only verify ".gov" addresses and do some
> certificate pinning.
> They pay private companies for airplanes, too.  So?
1. They already own their own servers in many cases.
2. The whole point of certificates is to prevent a man-in-the-middle attack.
3. Certificate authorities have proven to be vulnerable to hacking. See
4. A certificate costs at least several hundred dollars. Multiply that
against a hundred .gov websites that use certificates.
5. The US government pays hundreds of millions of dollars per year for it's
own cybersecurity.
6. The US government usually operates those airplanes.

On Thu, May 14, 2015 at 9:00 AM, Salz, Rich <rsalz at akamai.com> wrote:

> >So there's two possibilities...
> > 1. all the cryptography is trivially broken
> > 2. NIST is incompetent
> 3.  Your assumptions are faulty
> 4. The extrapolation from those assumptions are faulty
> 5. Breaking a digest is really different from cracking a cipher.
> Good. My assumptions are faulty. So the NIST curves are adequately secure.
Or the NIST curves are not secure, nor is SHA-1, and if SHA-1 isn't secure
five years from it's release from the NSA, why would SHA-256 be secure
fifteen years after it's release from the NSA, and why would the NSA stop
at just SHA 1 and 2, why not AES and SHA-3?

So the question of whether the NIST curves are backdoored becomes a
question of... is the entire internet backdoored?

It's possible that the SHA-1 outputs weren't generated using a differential
attack but using random numbers, but wouldn't timestamps to nanosecond
precision equally work as well? And it's a lot more difficult to check if
some constants have backdoored properties that no one else would discover
than to find your own constant with unique properties, and attempt to
preimage that

But what do I know? Cryptographers don't trust the NIST curves, but they
trust SHA-1 for everything outside of collision resistance, I mean... it's
not like there's logic involved in decision making.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150514/7142c24e/attachment.html>

More information about the cryptography mailing list