On 1 Oct 2013, at 02:00, "James A. Donald" <jam...@echeque.com> wrote:
> On 2013-10-01 08:24, John Kelsey wrote:
>> Maybe you should check your code first? A couple NIST people verified that
>> the curves were generated by the described process when the questions about
>> the curves first came out.
>
> And a non NIST person verified that the curves were not generated by the
> described process after the scandal broke.

Checking the verification code may be a good idea.

I just checked that the verification process described in Appendix 5 in the document RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE, July 1999 (http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf) accepts the NIST prime field curves listed in that document. Trivial Python script follows.

I am certainly not the first non-US non-government person to check.

There is solid evidence that the US government does bad things. This isn't it.

-- 
Kristian Gjøsteen
import hashlib

def string_to_integer(s):
    # big-endian byte string -> integer
    n = 0
    for byte in s:
        n = n*256 + byte
    return n

def integer_to_string(n):
    # integer -> big-endian byte string (leading zero bytes are dropped)
    if n == 0:
        return b""
    return integer_to_string(n//256) + bytes([n%256])

def verify_generation(s, p, l, b):
    # s: 20-byte seed, p: field prime, l: bit length of p, b: curve coefficient
    assert len(s) == 160//8
    v = (l-1)//160
    w = l - 160*v - 1
    h = hashlib.sha1(s).digest()
    hh = integer_to_string(string_to_integer(h) % (2**w))  # rightmost w bits of SHA-1(s)
    z = string_to_integer(s) + 1 # +1 because for loop goes from 0 to v-1
    for i in range(v):
        hh = hh + hashlib.sha1(integer_to_string(z+i)).digest()
    c = string_to_integer(hh)
    # Appendix 5 acceptance test: b^2 * c + 27 == 0 (mod p)
    if (b*b*c + 27)%p == 0:
        return True
    else:
        return False

# (name, p, l, seed, b); the two "wrong" entries are negative controls
curve_data = [
    ("P-192 wrong", 6277101735386680763835789423207666416083908700390324961279, 192,
     0x3045ae6fc822f64ed579528d38120eae12196d5,
     0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1),
    ("P-192", 6277101735386680763835789423207666416083908700390324961279, 192,
     0x3045ae6fc8422f64ed579528d38120eae12196d5,
     0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1),
    ("P-224", 26959946667150639794667015087019630673557916260026308143510066298881, 224,
     0xbd71344799d5c7fcdc45b59fa3b9ab8f6a948bc5,
     0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4),
    ("P-256", 115792089210356248762697446949407573530086143415290314195533631308867097853951, 256,
     0xc49d360886e704936a6678e1139d26b7819f7e90,
     0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b),
    ("P-256 wrong", 115792089210356248762697446949407573530086143415290314195533631308867097853951, 256,
     0xc49d360886e704936a6678e1139d26b7819f7e90,
     0x7efba1662985be9403cb055c75d4f7e0ce8d84a9c5114abcaf3177680104fa0d),
    ("P-384", 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319, 384,
     0xa335926aa319a27a1d00896a6773a4827acdac73,
     0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef),
    ("P-521", 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151, 521,
     0xd09e8800291cb85396cc6717393284aaa0da64ba,
     0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00),
]

for cd in curve_data:
    (name, p, l, s, b) = cd
    print(name, verify_generation(integer_to_string(s), p, l, b))
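As an added example that is not part of Kristian's message, a Python 3 version of the same Appendix 5 check that keeps the fixed 20-byte encoding and the (s + i) mod 2^160 wrap-around the process specifies, and goes one step further by recomputing b from the seed as a square root of -27/c mod p (using the p = 3 mod 4 shortcut) and comparing it with the published value. The curve constants are the ones listed in the thread; the names derive_c, verify_curve and derive_b are my own, and pow(c, -1, p) assumes Python 3.8 or newer.

```python
import hashlib

G = 160  # seed length and SHA-1 output length, in bits

# Curve parameters copied from the 1999 NIST document quoted in the thread;
# P256_B_WRONG is the negative control used in the script above.
P192_P = 6277101735386680763835789423207666416083908700390324961279
P192_SEED = 0x3045ae6fc8422f64ed579528d38120eae12196d5
P192_B = 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1
P256_P = 115792089210356248762697446949407573530086143415290314195533631308867097853951
P256_SEED = 0xc49d360886e704936a6678e1139d26b7819f7e90
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_B_WRONG = 0x7efba1662985be9403cb055c75d4f7e0ce8d84a9c5114abcaf3177680104fa0d

def derive_c(seed: int, bits: int) -> int:
    """c = h0 || h1 || ... || hv: h0 is the rightmost w bits of SHA-1(seed) and
    hi = SHA-1((seed + i) mod 2^160), every input encoded as exactly 20 bytes."""
    if not 0 <= seed < 2 ** G:
        raise ValueError("seed must be a 160-bit integer")
    v = (bits - 1) // G
    w = bits - G * v - 1
    c = int.from_bytes(hashlib.sha1(seed.to_bytes(G // 8, "big")).digest(), "big") % 2 ** w
    for i in range(1, v + 1):
        z_i = (seed + i) % 2 ** G  # wraps modulo 2^160 as the process specifies
        c = (c << G) | int.from_bytes(hashlib.sha1(z_i.to_bytes(G // 8, "big")).digest(), "big")
    return c

def verify_curve(seed: int, p: int, bits: int, b: int) -> bool:
    """The document's acceptance test: b^2 * c + 27 == 0 (mod p)."""
    return (b * b * derive_c(seed, bits) + 27) % p == 0

def derive_b(seed: int, p: int, bits: int) -> int:
    """Recompute b as a square root of -27/c mod p. Uses the p = 3 (mod 4) shortcut,
    which holds for P-192, P-256, P-384 and P-521 but not P-224. Either root is a
    valid b, so a caller compares the result against both b and p - b."""
    if p % 4 != 3:
        raise ValueError("square root shortcut needs p = 3 (mod 4)")
    r = (-27 * pow(derive_c(seed, bits), -1, p)) % p
    b = pow(r, (p + 1) // 4, p)
    if (b * b - r) % p != 0:
        raise ValueError("-27/c is not a square mod p; this seed yields no such curve")
    return b

if __name__ == "__main__":
    print("P-192:", verify_curve(P192_SEED, P192_P, 192, P192_B))
    print("P-256:", verify_curve(P256_SEED, P256_P, 256, P256_B))
    print("P-256 wrong b:", verify_curve(P256_SEED, P256_P, 256, P256_B_WRONG))
    print("P-256 b recomputed:", derive_b(P256_SEED, P256_P, 256) in (P256_B, P256_P - P256_B))
```

Passing this check shows only that b was derived from the published seed by the stated procedure; it says nothing about how that seed itself was chosen.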
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography