[147371] in cryptography@c2.net mail archive
Re: [Cryptography] RSA equivalent key length/strength
daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Sep 30 20:43:10 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 01 Oct 2013 10:04:25 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography <cryptography@metzdowd.com>
In-Reply-To: <11546552-EF9E-4310-883F-8507C1EC2CDC@gmail.com>
Reply-To: jamesd@echeque.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 2013-10-01 08:35, John Kelsey wrote:
> Having read the mail you linked to, it doesn't say the curves weren't generated according to the claimed procedure. Instead, it repeats Dan Bernstein's comment that the seed looks random, and that this would have allowed NSA to generate lots of curves till they found a bad one.
The claimed procedure would have prevented the NSA from generating lots
of curves till they found a bad one - one with weaknesses that the NSA
knows how to detect, but which other people do not yet know how to detect.
That was the whole point of the claimed procedure.
As with SHA3, the NSA/NIST is deviating from its supposed procedures in
ways that remove the security properties of those procedures.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography