[146656] in cryptography@c2.net mail archive


Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Sep 6 13:06:06 2013

X-Original-To: cryptography@metzdowd.com
Date: Fri, 6 Sep 2013 13:05:59 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no>
In-Reply-To: <27AD9020-4050-4E2D-A0F7-F9B89DD67112@math.ntnu.no>
Cc: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen
<kristian.gjosteen@math.ntnu.no> wrote:
> As a co-author of an analysis of Dual-EC-DRBG that did not
> emphasize this problem (we only stated that Q had to be chosen at
> random, Ferguson &co were right to emphasize this point), I would
> like to ask:
>
> 	Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
>
> I mean, who on earth would be daft enough to use the slowest
> possible DRBG? If this is the best NSA can do, they are over-hyped.
>
> (If you really do want to use Dual-EC-DRBG: truncate more than 16
> bits, and don't use NSA's points, choose your own - at random.)
>

I have re-read the NY Times article. It appears to only indicate that
this was *a* standard that was sabotaged, not that it was the only
one. In particular, the Times merely indicates that they can now
confirm that this particular standard was sabotaged, but presumably
it was far from the only target.

-- 

Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
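The advice quoted above (truncate more than 16 bits, choose your own Q at random) is easiest to see with the trapdoor in hand. What follows is an added example written for this archive page; it is not code from the thread and not a real Dual EC implementation. It runs a toy Dual-EC-DRBG over secp256k1, which stands in for the P-256 curve the standard actually specifies (the standard's own P and Q points are not used). Q is deliberately generated as e*P for a known e, so d = e^-1 mod n satisfies P = d*Q. The scalar e, the seed, and the reduced truncation (6 bits dropped instead of the standard's 16) are assumptions chosen so the pure-Python code finishes in about a second. Whoever holds d takes one output block, lifts the 2^TRUNC_BITS candidate x-coordinates back onto the curve, multiplies by d, and has the next internal state; the two following blocks are used only to discard wrong lifts. Without d, and with a Q that has no known relation to P, the same step is an elliptic-curve discrete logarithm.

```python
"""Toy Dual-EC-DRBG with a deliberately planted trapdoor between P and Q.

Added example, not code from this thread and not a real Dual EC
implementation. Curve: secp256k1, standing in for the P-256 curve the
standard specifies (the standard's own P and Q are not used here).
We pick Q = e*P with e known, so d = e^-1 (mod n) satisfies P = d*Q.
"""

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, generator G of prime order n
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None            # point at infinity
XBITS = 256
TRUNC_BITS = 6        # bits of x dropped per output block; Dual EC drops 16 for P-256
                      # (assumption: kept small so this affine pure-Python code runs in ~1 s)

def add(p1, p2):
    """Affine group law; handles doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def xcoord(pt):
    if pt is INF:
        raise ValueError("point at infinity: degenerate state")
    return pt[0]

def lift_x(x):
    """A point with this x-coordinate, or None if x^3+7 is a non-residue.
    p % 4 == 3, so a square root of z is z^((p+1)/4). Either root will do:
    x(d*R) == x(d*(-R)), so the sign ambiguity never hurts the attacker."""
    z = (x * x * x + A * x + B) % p
    y = pow(z, (p + 1) // 4, p)
    return (x, y) if y * y % p == z else None

def truncate(r):
    return r & ((1 << (XBITS - TRUNC_BITS)) - 1)

# Trapdoor setup. e and SEED are arbitrary demo constants (assumptions).
P = G
e = 0x1234567890ABCDEF1234567890ABCDEF
Q = mul(e, P)
d = pow(e, -1, n)                  # P = d*Q because n is the order of P
SEED = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

def next_state(s):
    """s_i = x(s_{i-1} * P)"""
    return xcoord(mul(s, P))

def output_of(s):
    """output_i = truncate(x(s_i * Q))"""
    return truncate(xcoord(mul(s, Q)))

def outputs_from_state(s, blocks):
    """Output blocks produced from internal state s onward."""
    outs = [output_of(s)]
    for _ in range(blocks - 1):
        s = next_state(s)
        outs.append(output_of(s))
    return outs

def generate(seed, blocks):
    """The DRBG as its seed holder runs it: step first, then output."""
    return outputs_from_state(next_state(seed), blocks)

def recover_state(out_i, later_outs, d):
    """Attacker holding d: candidates for s_{i+1} from output i, with a few
    following outputs used only to discard wrong lifts. Cost is 2^TRUNC_BITS
    lifts, about half of which land on the curve."""
    cands = []
    for hi in range(1 << TRUNC_BITS):
        x = (hi << (XBITS - TRUNC_BITS)) | out_i
        if x >= p:
            continue
        R = lift_x(x)                  # R = +-(s_i * Q)
        if R is None:
            continue
        s_next = xcoord(mul(d, R))     # d*R = s_i*(d*Q) = s_i*P, so x = s_{i+1}
        if output_of(s_next) != later_outs[0]:
            continue
        if outputs_from_state(s_next, len(later_outs)) == later_outs:
            cands.append(s_next)
    return cands

def demo():
    """Returns (true s2, recovered candidates, predicted out4, real out4)."""
    outs = generate(SEED, 4)                        # out1..out4 as the victim emits them
    cands = recover_state(outs[0], outs[1:3], d)    # out1 lifted, out2/out3 confirm
    predicted = outputs_from_state(cands[0], 3)[2]  # attacker forecasts out4
    return next_state(next_state(SEED)), cands, predicted, outs[3]

if __name__ == "__main__":
    s2, cands, predicted, real = demo()
    print("state recovered:", s2 in cands, "| out4 predicted:", predicted == real)
```

Raising TRUNC_BITS multiplies the attacker's lift count by two per bit, which is the whole content of "truncate more than 16 bits": at the standard's 16 the loop above is 65536 lifts, minutes here and seconds in compiled code. Replacing Q by a point nobody generated as a multiple of P is the stronger fix, since the loop then has no d to multiply by.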
