[Cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Tony Arcieri bascule at gmail.com
Sat May 16 03:12:52 EDT 2015


On Sat, May 16, 2015 at 11:09 AM, Ryan Carboni <ryacko at gmail.com> wrote:

> And AFAIK, the NSA curves (besides Dual_EC_DRBG) have not been proven to
> be backdoored, they've only been proven to be suspicious. How would you
> know that the NSA didn't choose the constants for additional security, like
> the DES s-boxes?
>

We don't know, although 20/20 hindsight tells us that the NIST curves have
security problems, i.e. they fail all four dimensions of the SafeCurves ECC
rubric.

Personally I don't think they were backdoored, but they are suspicious.


> The performance difference between RSA and ECC is about 20x. So it
> ultimately depends on how much you're willing to pay for additional
> /provable/ security.
>

RSA's security isn't provable. It relies on factoring large numbers
presently being a hard problem. That's something that could potentially
change tomorrow if a sufficiently smart mathematician were to come up with
an algorithm for doing so.

> Perhaps one should not use a NSA ECC. After all. At least your key exchange
> algorithm /might/ be more than the NSA's versus the NSA.
>

The NIST curves should also be considered legacy at this point, IMO. The
CFRG has almost finished standardizing Curve25519 (and Ed448-Goldilocks as
a "spinal tap grade" curve).

New programs and protocols should be using Curve25519.

-- 
Tony Arcieri