[Cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Ryan Carboni ryacko at gmail.com
Fri May 15 18:52:36 EDT 2015

On Fri, May 15, 2015 at 12:38 AM, Tony Arcieri <bascule at gmail.com> wrote:

> On Fri, May 15, 2015 at 7:43 AM, Ryan Carboni <ryacko at gmail.com> wrote:
>> But my awareness of ECC issues is that the constants are suspicious
>> according to this web page: http://safecurves.cr.yp.to/rigid.html
> See also:
> http://safecurves.cr.yp.to/bada55.html
> This is a demonstration of how even though a "verifiably random" process
> (used by the NIST, Brainpool, and the GOST curves) is used, it's possible
> to tamper with curve parameters.
> BADA55's tampering was not malicious (and in fact they are "safe curves"
> per safecurves.cr.yp.to), but the possibility to tamper with curve
> parameters exists in any curves generated this way.
> This is why "nothing up my sleeve" curve constants generated through a
> rigid process are important (per your link).
> --
> Tony Arcieri

Look now I'm really confused. Before differential cryptanalysis, DES
s-boxes were viewed with suspicion.

But now people are saying, "we don't completely understand ECC, but we have
devised means of creating EC and hope we get lucky and it ends up secure
twenty years down the road."
Naturally RC4 as a cipher was created by accident. (and so was Penicillin
as a drug)
But no one wants accidents in cryptography.

And I don't really trust any process that no one understands to protect
anything important.

I suppose the most important takeaway I'm getting is that ECC is secure
enough for obfuscation-grade cryptography.

Otherwise one should should stick with 2048-bit RSA?

But what would I know?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150515/5f85ee30/attachment.html>

More information about the cryptography mailing list