[148899] in cryptography@c2.net mail archive
Re: [Cryptography] Dual_EC_DRBG backdoor: a proof of concept
daemon@ATHENA.MIT.EDU (dj@deadhat.com)
Fri Jan 3 11:07:40 2014
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <71B7A226-63FE-4711-9F9E-4664820652D5@gmail.com>
Date: Fri, 3 Jan 2014 15:50:27 -0000
From: dj@deadhat.com
To: "John Kelsey" <crypto.jmk@gmail.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
> If we replaced dual ec drbg's output function by taking the parity of the
> output point's scalar value, it looks to me like we'd have a secure drbg
> despite the potentially evil choice of P and Q, with whatever good
> theoretical properties came from dual ec drbg.
>
> --John
> _______________________________________________
>
Is NIST seriously considering this?
Has anyone proposed this?
I notice that the comment period on SP800-90A/B/C has long been closed,
but the comments have not been published. So it's hard to tell what is
going on.
A little more transparency would go a long way.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
