[147413] in cryptography@c2.net mail archive
Re: [Cryptography] RSA equivalent key length/strength
daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Tue Oct 1 13:56:00 2013
Date: Tue, 01 Oct 2013 18:39:11 +0100
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no>,
Cryptography Mailing List <cryptography@metzdowd.com>
On 01/10/13 08:49, Kristian Gjøsteen wrote:
> On 1 Oct 2013, at 02:00, "James A. Donald" <jamesd@echeque.com> wrote:
>
>> On 2013-10-01 08:24, John Kelsey wrote:
>>> Maybe you should check your code first? A couple NIST people verified that the curves were generated by the described process when the questions about the curves first came out.
>>
>> And a non NIST person verified that the curves were not generated by the described process after the scandal broke.
>
> Checking the verification code may be a good idea.
>
> I just checked that the verification process described in Appendix 5 in the document RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE, July 1999 (http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf) accepts the NIST prime field curves listed in that document. Trivial Python script follows.
>
> I am certainly not the first non-US non-government person to check.
>
> There is solid evidence that the US government does bad things. This isn't it.

Agreed (though did you also check whether the supposed verification process actually matches the supposed generation process?).

Also agreed, NSA could not have reverse-engineered the parts of the generating process from "random" source to the curve's b component, i.e. they could not have started with a chosen b component and then generated the "random" source.

However they could easily have cherry-picked a result for b from trying several squillion source numbers. There is no real reason not to use something like the digits of pi as the source - which they did not do.

Also, the method by which the generators (and thus the actual groups in use, not the curves) were chosen is unclear.

Even assuming NSA tried their hardest to undermine the curve selection process, there is some doubt as to whether these two actual and easily verifiable failings in a supposedly "open" generation process are enough to make the final groups selected useful for NSA's nefarious purposes.

But there is a definite lack of clarity there.
-- Peter Fairbrother
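
The seed-to-b check discussed in this thread, as an added example: it is not the script mentioned in the quoted message and not code from anyone on the list. It assumes the SHA-1 seed expansion used for the NIST prime-field curves with a = -3; the function names are hypothetical, and the P-256 and P-384 constants are the public curve parameters, which do not appear in this message.

```python
import hashlib

# Public NIST prime-field parameters (a = -3): name -> (p, b, seed).
# These constants are supplied for the example; they are not from the message.
CURVES = {
    "P-256": (
        2**256 - 2**224 + 2**192 + 2**96 - 1,
        0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
        bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90"),
    ),
    "P-384": (
        2**384 - 2**128 - 2**96 + 2**32 - 1,
        int("b3312fa7e23ee7e4988e056be3f82d19181d9c6efe814112"
            "0314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef", 16),
        bytes.fromhex("a335926aa319a27a1d00896a6773a4827acdac73"),
    ),
}


def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def derive_c(seed: bytes, p: int) -> int:
    """Expand a 160-bit seed into the (l-1)-bit integer c with SHA-1."""
    l = p.bit_length()
    v = (l - 1) // 160            # number of extra 160-bit hash blocks
    w = l - 160 * v - 1           # bits kept from the first hash
    c = sha1_int(seed) % (1 << w)  # h0: rightmost w bits of SHA-1(seed)
    z = int.from_bytes(seed, "big")
    for i in range(1, v + 1):
        s_i = ((z + i) % (1 << 160)).to_bytes(20, "big")
        c = (c << 160) | sha1_int(s_i)   # append h_i
    return c


def seed_matches_b(seed: bytes, p: int, b: int) -> bool:
    """True when b^2 * c == -27 (mod p), i.e. b is tied to this seed."""
    return (b * b * derive_c(seed, p) + 27) % p == 0


def check_all() -> dict:
    return {name: seed_matches_b(seed, p, b)
            for name, (p, b, seed) in CURVES.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(name, "seed/b consistent" if ok else "MISMATCH")
```

A passing check only binds b to the published seed through the hash; it carries no information about how the seed was chosen or how many candidate seeds were tried, and it does not cover the choice of generator.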