[147390] in cryptography@c2.net mail archive


Re: [Cryptography] are ECDSA curves provably not cooked? (Re: RSA

daemon@ATHENA.MIT.EDU (Tony Arcieri)
Tue Oct 1 11:50:38 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20131001100822.GC5723@netbook.cypherspace.org>
From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 1 Oct 2013 08:47:49 -0700
To: Adam Back <adam@cypherspace.org>
Cc: John Kelsey <crypto.jmk@gmail.com>, Gregory Maxwell <gmaxwell@gmail.com>,
	cryptography <cryptography@metzdowd.com>,
	Crypto List <cryptography@randombit.net>,
	"jamesd@echeque.com" <jamesd@echeque.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Tue, Oct 1, 2013 at 3:08 AM, Adam Back <adam@cypherspace.org> wrote:

> But I do think it is a very interesting and pressing research question as to
> whether there are ways to plausibly deniably symmetrically weaken or even
> trapdoor weaken DL curve parameters, when the seeds are allowed to look
> random as the DSA FIPS 186-3 ones do.


See slide #28 in this djb deck:

http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf

Specifically:

http://i.imgur.com/C7mg3T4.png

If, e.g., the NSA knew of an entire class of weak curves, they could perform
a brute-force search with random-looking seeds, continuing until the curve
parameters, after the seed is run through SHA-1, fall into the class that's
known to be weak to them.

-- 
Tony Arcieri
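The seed-to-parameter chain discussed above, as an added toy model (not code from the thread or from any standard): it follows the ANSI X9.62 / FIPS 186 prime-field derivation (seed, SHA-1 chain, integer r, then r*b^2 = a^3 mod p) over a constructed 61-bit prime instead of a real NIST field, and shows what a third party's seed check does verify (the hash chain and the curve equation) and what it cannot verify (how many candidate seeds the generator rejected before publishing one). P, A, the 20-byte counter seeds and the p = 3 (mod 4) square-root shortcut are all assumptions of this example.

```python
import hashlib

SHA1_BITS = 160

def derive_r(seed: bytes, t: int) -> int:
    """X9.62 / FIPS 186 prime-field step: seed -> SHA-1 chain -> integer r.
    t is the bit length of p; the result has t-1 bits, so r < p always holds."""
    g = len(seed) * 8                       # seed length in bits (>= 160 in the standard)
    s = (t - 1) // SHA1_BITS
    v = t - SHA1_BITS * s
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    r = h & ((1 << (v - 1)) - 1)            # v rightmost bits of H, leftmost bit cleared
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):               # W_i = SHA-1((SEED + i) mod 2^g)
        zi = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        r = (r << SHA1_BITS) | int.from_bytes(hashlib.sha1(zi).digest(), "big")
    return r

def verify_seed(seed: bytes, p: int, a: int, b: int) -> bool:
    """What 'verifiably random' lets anyone check: r * b^2 == a^3 (mod p).
    It says nothing about why this seed, rather than another, was published."""
    r = derive_r(seed, p.bit_length())
    return r < p and (r * b * b - a ** 3) % p == 0

def derive_b(seed: bytes, p: int, a: int):
    """Generator side: solve r*b^2 = a^3 for b. Returns None when a^3/r is a
    non-residue, which the standard handles by starting over with a new seed.
    Square root via x^((p+1)/4) is valid only because p = 3 (mod 4) here."""
    r = derive_r(seed, p.bit_length()) % p
    if r == 0:
        return None
    x = (pow(a, 3, p) * pow(r, -1, p)) % p
    if pow(x, (p - 1) // 2, p) != 1:        # Euler criterion: is x a square mod p?
        return None
    return pow(x, (p + 1) // 4, p)

def generate_curve(p: int, a: int, start: int = 0):
    """Rejection-sample constructed 160-bit counter seeds until b exists.
    Returns (seed, b, tries); only the generator ever sees 'tries'."""
    tries = 0
    while True:
        seed = (start + tries).to_bytes(20, "big")   # constructed seed, not random
        tries += 1
        b = derive_b(seed, p, a)
        if b is not None:
            return seed, b, tries

P = (1 << 61) - 1   # constructed toy prime (Mersenne, p = 3 mod 4); real curves use 192..521 bits
A = P - 3           # a = -3, the choice the NIST prime curves make
```

A verifier given only (seed, P, A, b) can confirm the chain, but every rejected seed in `tries` is invisible to it, and any other selection criterion the generator applied before publishing would be equally invisible.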


