[Cryptography] [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Tony Arcieri bascule at gmail.com
Thu May 14 21:57:24 EDT 2015


On Thu, May 14, 2015 at 4:28 PM, Ryan Carboni <ryacko at gmail.com> wrote:

> In order for there to be some kind of preimage attack using the constants, which were generated using SHA-1, then there has to be some sort of preimage attack on SHA-1.

I think you misunderstand how NSA could hypothetically select weak curves
despite using SHA-1 to create "verifiably random" curves.

No weaknesses in the SHA-1 function are necessary. Instead, NSA could
simply do a brute force search for, say, a curve that belongs to a
one-in-a-million (or rarer) class of weak curves with a vulnerability known
only to NSA, and after finding an input value that generates such a weak
curve, publish that as the standard.

On Fri, May 15, 2015 at 6:54 AM, <dj at deadhat.com> wrote:

> So if the NSA were good with Montgomery or
> Edwards or <some other good> curve crypto and left the Weierstrass curves
> for the great unwashed, it would make complete sense.
>

Perhaps you could make that argument for Montgomery curves and the
Montgomery ladder, but Edwards curves weren't discovered until 2007...

That said, I strongly agree the field arithmetic for Weierstrass is whack
and easy to get wrong.

I am glad to see the CFRG focusing on Edwards/Montgomery. Hopefully
Weierstrass is on its way out for anything other than legacy
interoperability.
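The brute-force seed search described in the message above, as an added worked example (my code, not Tony Arcieri's and not anything posted in the thread). It implements the seed-to-r derivation of ANSI X9.62 A.3.3.1 / FIPS 186-2 Appendix 6.4 as I read it (SHA-1 over SEED and SEED+i, then b with r*b^2 = a^3 mod p and a = -3) over the P-256 field prime, which serves only as a realistic 256-bit field; it skips the group-order and cofactor checks the standard also requires, since those need point counting. The "weak class" predicate looks_weak is a constructed stand-in (low bits of b equal to a marker, i.e. about one curve in 2**class_bits), not any real weakness, and the seed values and marker are made up. What it shows: the seed the search returns passes the public verifiably-random check exactly like an honestly chosen one, and no property of SHA-1 beyond ordinary hashing was needed.

```python
import hashlib

# Field prime of NIST P-256, used only as a realistic 256-bit prime field
# (p = 3 mod 4, so a modular square root is a single exponentiation).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
SEED_BITS = 160          # g in ANSI X9.62: seed length, at least the SHA-1 output size
HASH_BITS = 160          # SHA-1 output size


def seed_to_r(seed: int, p: int) -> int:
    """Derive r from SEED as in ANSI X9.62 A.3.3.1 / FIPS 186-2 App. 6.4 (prime case).

    t = bit length of p, s = floor((t-1)/160), h = t - 160*s.
    W0 = rightmost h bits of SHA-1(SEED) with its leftmost bit cleared;
    Wi = SHA-1((SEED + i) mod 2^g) for i = 1..s;  r = int(W0 || W1 || ... || Ws).
    """
    t = p.bit_length()
    s = (t - 1) // HASH_BITS
    h = t - HASH_BITS * s
    nbytes = SEED_BITS // 8

    def sha1_int(z: int) -> int:
        return int.from_bytes(hashlib.sha1(z.to_bytes(nbytes, "big")).digest(), "big")

    w0 = sha1_int(seed) & ((1 << h) - 1)   # keep the h rightmost bits
    w0 &= (1 << (h - 1)) - 1               # clear the leftmost of those h bits, so r < p
    r = w0
    for i in range(1, s + 1):
        r = (r << HASH_BITS) | sha1_int((seed + i) % (1 << SEED_BITS))
    return r


def seed_to_b(seed: int, p: int, a: int):
    """Return b with r*b^2 = a^3 (mod p) for this seed, or None if the standard rejects the seed."""
    r = seed_to_r(seed, p)
    if r == 0 or (4 * r + 27) % p == 0:    # r = 0 or singular curve: reject
        return None
    x = pow(a, 3, p) * pow(r, -1, p) % p   # b^2 must equal a^3 / r
    b = pow(x, (p + 1) // 4, p)            # square root, valid only because p = 3 mod 4
    if b * b % p != x:                     # a^3/r is a non-residue: reject (about half of all seeds)
        return None
    return b


def verify_curve(seed: int, p: int, a: int, b: int) -> bool:
    """The public 'verifiably random' check: do (a, b) satisfy r*b^2 = a^3 (mod p) for this seed?"""
    r = seed_to_r(seed, p)
    return (r * b * b - pow(a, 3, p)) % p == 0


def looks_weak(b: int, class_bits: int, marker: int) -> bool:
    """Constructed stand-in for a criterion only the party doing the search knows.

    Hypothetical, not a real weakness: matches when the low class_bits bits of b
    equal marker, i.e. roughly one derived curve in 2**class_bits.
    """
    return b & ((1 << class_bits) - 1) == marker


def find_rigged_seed(p: int, a: int, class_bits: int, marker: int,
                     start_seed: int, max_tries: int):
    """Walk consecutive seeds until the derived curve lands in the chosen class.

    Returns (seed, b, tries) or None. Expected tries is about 2 * 2**class_bits,
    since the square-root test throws away half of all seeds first.
    """
    seed = start_seed % (1 << SEED_BITS)
    for tries in range(1, max_tries + 1):
        b = seed_to_b(seed, p, a)
        if b is not None and looks_weak(b, class_bits, marker):
            return seed, b, tries
        seed = (seed + 1) % (1 << SEED_BITS)
    return None


if __name__ == "__main__":
    a = P256_P - 3                         # a = -3, as for the NIST prime curves
    found = find_rigged_seed(P256_P, a, class_bits=12, marker=0xABC,   # made-up marker
                             start_seed=0x1234, max_tries=1 << 22)    # made-up start seed
    seed, b, tries = found
    print(f"tries={tries} seed={seed:040x}")
    print(f"b={b:064x}")
    print("verifiably random check passes:", verify_curve(seed, P256_P, a, b))
```

With class_bits=20 (the one-in-a-million figure from the message) the same loop needs about 2^21 seed derivations, which is minutes in Python and trivial with a few cores; nothing in it depends on SHA-1 being weak, only on the searcher's budget and on a searched seed being indistinguishable from a random one to everyone who runs verify_curve afterwards.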