[148894] in cryptography@c2.net mail archive
Re: [Cryptography] Dual_EC_DRBG backdoor: a proof of concept
daemon@ATHENA.MIT.EDU (Krisztián Pintér)
Fri Jan 3 11:03:27 2014
X-Original-To: cryptography@metzdowd.com
Date: Fri, 3 Jan 2014 08:45:45 +0100
From: Krisztián Pintér <pinterkr@gmail.com>
To: John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <71B7A226-63FE-4711-9F9E-4664820652D5@gmail.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
Jon Callas <jon@callas.org>, ianG <iang@iang.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
John Kelsey (at Friday, January 3, 2014, 2:31:00 AM):
> If we replaced dual ec drbg's output function by taking the parity
> of the output point's scalar value, it looks to me like we'd have a
> secure drbg despite the potentially evil choice of P and Q, with
> whatever good theoretical properties came from dual ec drbg.
dual ec is easy to fix, but what is the point? it is even easier not
to use it, and use fortuna instead, which is better in every way
possible. people only use dual ec if they have to, to be compliant
with whatever standards. but then they can't change it, not even the
extraction part (heck, they can't even fix the mistakes in the
documentation, see the case of openssl).
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography