[Cryptography] [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Tony Arcieri bascule at gmail.com
Thu May 14 21:57:24 EDT 2015

On Thu, May 14, 2015 at 4:28 PM, Ryan Carboni <ryacko at gmail.com> wrote:

> In order for there to be some kind of preimage attack using the constants, which were generated using SHA-1, then there has to be some sort of preimage attack on SHA-1.
> I think you misunderstand how NSA could hypothetically select weak curves
despite using SHA-1 to create "verifiably random" curves.

No weaknesses in the SHA-1 function are necessary. Instead, NSA could
simply do a brute force search for, say, a curve that belongs to a
one-in-a-million (or rarer) class of weak curves with a vulnerability known
only to NSA, and after finding an input value that generates such a weak
curve, publish that as the standard.

On Fri, May 15, 2015 at 6:54 AM, <dj at deadhat.com> wrote:

> So if the NSA were good with Montgomery or
> Edwards or <some other good> curve crypto and left the Weierstrass curves
> for the great unwashed, it would make complete sense.

Perhaps you could make that argument for Montgomery curves and the
Montgomery ladder, but Edwards curves weren't discovered until 2007...

That said, I strongly agree the field arithmetic for Weierstrass is whack
and easy to get wrong.

I am glad to see the CFRG focusing on Edwards/Montgomery. Hopefully
Weierstrass is on its way out for anything other than legacy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150515/61e91983/attachment.html>

More information about the cryptography mailing list