[147204] in cryptography@c2.net mail archive


Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd:

daemon@ATHENA.MIT.EDU (Paul Crowley)
Tue Sep 17 19:53:00 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <F46025E3-7659-42D5-9F76-317F08BCCF7C@gmail.com>
From: Paul Crowley <paul@ciphergoth.org>
Date: Tue, 17 Sep 2013 22:01:26 +0100
To: Cryptography Mailing List <cryptography@metzdowd.com>

At a stretch, one can imagine circumstances in which trying multiple seeds
to choose a curve would lead to an attack that we would not easily
replicate. I don't suggest that this is really what happened; I'm just
trying to work out whether it's possible.

Suppose you can easily break an elliptic curve with the right "attack
string".  Attack strings are very expensive to generate, at say 2^80
operations. Moreover, you can't tell what curves they break until they are
generated, but it's cheap to test whether a given string breaks a given
curve. Each string breaks about one curve in 2^80. Thus the NSA generate an
attack string, then generate 2^80 curves looking for one that is broken by
the string they generated.  They can safely publish this curve, knowing
that unless a new attack is developed it will take 2^160 effort for anyone
else to generate an attack string that breaks the curve they have chosen.
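The cost asymmetry in the thought experiment above, as an added toy simulation that is not part of the post or the list; the "attack string breaks curve" relation is modelled here by a SHA-256 condition of my own choosing, and a small exponent K stands in for the post's 2^80.

```python
import hashlib
import random

# Toy model only: a string s "breaks" a curve c iff the low K bits of
# SHA-256(s:c) are zero, so each string breaks about one curve in 2^K.
# Generating a string is modelled as costing 2^K work units (the expensive
# step in the post); one break test costs a single unit (the cheap step).

K = 8  # toy difficulty exponent standing in for the post's 80


def breaks(s: int, c: int, k: int = K) -> bool:
    """Cheap test: does attack string s break curve c?"""
    h = hashlib.sha256(f"{s}:{c}".encode()).digest()
    return int.from_bytes(h[:8], "big") % (1 << k) == 0


def designer_search(k: int = K, seed: int = 0):
    """Curve designer: pay for ONE string, then try curves (cheap) until
    one is broken by it. Returns (string, curve, work_units)."""
    rng = random.Random(seed)
    s = rng.getrandbits(64)      # the single expensive attack string
    work = 1 << k                # its generation cost
    while True:
        c = rng.getrandbits(64)  # candidate curve (a fresh "seed")
        work += 1                # one cheap test per candidate
        if breaks(s, c, k):
            return s, c, work


def outsider_search(c: int, k: int = K, seed: int = 1):
    """Anyone else: the curve is now fixed, so they must keep generating
    NEW strings (2^k each) until one breaks it. Returns (string, work_units)."""
    rng = random.Random(seed)
    work = 0
    while True:
        s = rng.getrandbits(64)
        work += (1 << k) + 1     # expensive string plus one cheap test
        if breaks(s, c, k):
            return s, work


def expected_work(k: int):
    """Closed forms behind the post's figures: designer ~2^k + 2^k,
    outsider ~2^k strings at 2^k each = 2^(2k)."""
    return (1 << k) + (1 << k), 1 << (2 * k)


if __name__ == "__main__":
    s, c, dw = designer_search()
    _, ow = outsider_search(c)
    print(f"K={K}: designer {dw} units, outsider {ow} units, "
          f"expected {expected_work(K)}")
```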

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography