[Cryptography] [FORGED] Brainpool Curves Found to Be Suspicious

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Sep 28 05:26:44 EDT 2015

Ryan Carboni <ryacko at gmail.com> writes:

>However, the BADA55 Research Team has discovered that none of the standard
>Brainpool curves below 512 bits were generated by the standard Brainpool
>curve-generation procedure.

It's not just those curves, it's hard to find other crypto parameters that
have been validated independently.  In March 2014 I asked whether there were
any independent evaluations of the widely-used DH primes from RFC 2409 and RFC
3526 (my code verifies the integrity of the values, but then I realised that I
didn't know whether the published values in the RFC were correct, or at least
matched the derivation parameters given there).  Cryptographer Henrick
Hellström was kind enough to check the values at that point, but I couldn't
find any evidence of any independent verification before then (and RFC 2409
was published seventeen years ago).

>Apparently the public never actually tried to verify the curves.

... nor do they audit crypto source code (unless they're paid to or ordered
to), because the assumption is always that someone else has done it for them,
the Bystander Effect taken to extremes since the diffusion of responsibility
has been scaled out to the population of the Internet.

Maybe a new design criterion for any crypto parameters should be that, before
a spec can be published, the parameters in it have to be independently derived
using the published derivation technique by three unrelated groups of people,
with their names listed in the final spec.  You don't necessarily need a full-
blown Byzantine agreement mechanism, but you do want a bit more assurance than
the authors saying "here are the values, they should be all right".
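The kind of check described above for the RFC 2409 / RFC 3526 MODP primes, as an added example in Python (not code from this message or its author): it regenerates a group's prime from the derivation the RFCs print (p = 2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + offset), with the offsets 129093 and 124476 as given in the RFCs for the 1024-bit and 2048-bit groups) and tests the structural and safe-prime properties the RFCs claim for it; the pi computation and Miller-Rabin are written out so the check depends on nothing but integer arithmetic.

```python
import random

def arctan_inv(x, scale):
    # Fixed-point arctan(1/x) * scale from the series sum (-1)^k / ((2k+1) x^(2k+1)).
    total, power, k, sign = 0, scale // x, 0, 1
    while power:
        total += sign * (power // (2 * k + 1))
        power, k, sign = power // (x * x), k + 1, -sign
    return total

def pi_floor_shifted(shift):
    # floor(2^shift * pi) via Machin's formula; 64 guard bits absorb the truncation error.
    scale = 1 << (shift + 64)
    return (16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)) >> 64

def is_probable_prime(n, rounds=16):
    # Miller-Rabin with random bases (n assumed odd and > 3); no false negatives for true primes.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

# p = 2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + offset); offsets from RFC 2409 / RFC 3526.
MODP_OFFSETS = {1024: 129093, 2048: 124476}

def modp_prime(bits):
    k = pi_floor_shifted(bits - 130) + MODP_OFFSETS[bits]
    return (1 << bits) - (1 << (bits - 64)) - 1 + (k << 64)

def check_modp_group(bits):
    # Regenerate the prime and check each property the RFC claims for it.
    p, ones64 = modp_prime(bits), (1 << 64) - 1
    return {
        "bit_length_ok": p.bit_length() == bits,
        "low_64_all_ones": p & ones64 == ones64,         # p == -1 (mod 2^64)
        "high_64_all_ones": p >> (bits - 64) == ones64,  # top 64 bits all set
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime((p - 1) // 2),      # safe prime: (p-1)/2 is prime
    }
```

The remaining step is the one the derivation alone cannot give you: compare `modp_prime(bits)` with `int(hex_from_rfc.replace(" ", ""), 16)` using the hex dump printed in the RFC, which is the only way to confirm the published bytes match the published recipe.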

