[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jun 3 02:29:58 EDT 2020


Ray Dillinger <bear at sonic.net> writes:

>About secp256k1, Keep in mind [...] unlikely to use one that had been heavily
>promoted, or one frequently used by large organizations or projects whose
>selection of it might, in the paranoid view, have been because of undue
>influence.

I would avoid widely-used parameter sets for an entirely different reason,
namely the "don't be a target" defense strategy, one of the most effective
types of defence there is.  If you use the same parameters as any widely-used
protocol, IPsec's DH parameters [1] or the Bitcoin parameters, you make
yourself collateral damage to any attacker willing to commit the resources to
break IPsec or help themselves to BTC.  For BTC in particular the amount of
money involved both strongly motivates non-academic attackers to keep very
quiet about being able to break it while also strongly motivating otherwise
prohibitive attacks.

So I would avoid P256k1 like the plague in order to avoid being taken out as
collateral damage.  If you generate your own parameter set(s) using the same
mechanisms used to generate the well-known ones you get the same level of
security but without the collateral damage aspect.  In particular if your
protocol is relatively little-used or not protecting much of any value there's
little incentive for an attacker to even try attacking it.

Which makes P256k1 probably the most dangerous parameter set in the world to
use.

Peter.

[1] I've never understood why IPsec and the cargo-cult protocols that reused
    the parameters from it fixed on a single set of DH parameters.  IPsec is
    possibly one of the most unnecessarily flexible protocols in the world
    where absolutely everything is up for negotiation, but there's one single
    set of parameters that every single user has to share to create a single
    point of failure for attackers to exploit.
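
The message's suggestion of generating your own parameter set, sketched as an added example (not part of the original post, and not the procedure behind any published group): it derives a Diffie-Hellman safe-prime group from a public seed so that anyone can re-run the search and confirm the prime was not hand-picked. The SHA-256 seed expansion, the function names and the seed string are assumptions of this example.

```python
import hashlib

# Odd primes below 2000, used for trial division and as Miller-Rabin bases.
SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]

def is_probable_prime(n, rounds=32):
    """Trial division, then Miller-Rabin with fixed bases (inputs are hash-derived, not adversarial)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def seed_to_start(seed, bits):
    """Expand a public seed with SHA-256 in counter mode into a `bits`-bit starting point."""
    stream = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                      for i in range((bits + 255) // 256))
    x = int.from_bytes(stream, "big") >> (len(stream) * 8 - bits)
    # Force the top bit (exact size) and p = 7 mod 8, which makes 2 a quadratic residue.
    return x | (1 << (bits - 1)) | 7

def derive_group(seed, bits):
    """Return (p, g, steps): first safe prime p = 2q + 1 at or after the start, searching in steps of 8."""
    p, steps = seed_to_start(seed, bits), 0
    while not (is_probable_prime((p - 1) // 2) and is_probable_prime(p)):
        p, steps = p + 8, steps + 1
    if p.bit_length() != bits:
        raise ValueError("search ran past the requested size; pick another seed")
    return p, 2, steps  # g = 2 generates the subgroup of prime order q

def verify_group(seed, bits, p):
    """Anyone holding the published seed can re-run the search and compare."""
    return derive_group(seed, bits)[0] == p

if __name__ == "__main__":
    # Constructed seed and a demo size; deployed groups should be 2048 bits or more.
    p, g, steps = derive_group(b"example.org DH group, 2020-06", 256)
    print(hex(p), g, steps, verify_group(b"example.org DH group, 2020-06", 256, p))
```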

