[147361] in cryptography@c2.net mail archive


Re: [Cryptography] RSA equivalent key length/strength

daemon@ATHENA.MIT.EDU (John Kelsey)
Mon Sep 30 20:35:30 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <5248BDB8.8010903@echeque.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Mon, 30 Sep 2013 18:35:24 -0400
To: "jamesd@echeque.com" <jamesd@echeque.com>
Cc: cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Having read the mail you linked to, it doesn't say the curves weren't generated according to the claimed procedure.  Instead, it repeats Dan Bernstein's comment that the seed looks random, and that this would have allowed NSA to generate lots of curves till they found a bad one.  

It looks to me like there is no new information here, and no evidence of wrongdoing that I can see.  If there is a weak curve class of greater than about 2^{80} that NSA knew about 15 years ago and were sure nobody was ever going to find that weak curve class and exploit it to break classified communications protected by it, then they could have generated 2^{80} or so seeds to hit that weak curve class.

What am I missing?  Do you have evidence that the NIST curves are cooked?  Because the message I saw didn't provide anything like that.  

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
