On 01/10/13 08:49, Kristian Gjøsteen wrote:
> On 1 Oct 2013, at 02:00, "James A. Donald" <jam...@echeque.com> wrote:
>> On 2013-10-01 08:24, John Kelsey wrote:
>>> Maybe you should check your code first? A couple nist people verified that the
>>> curves were generated by the described process when the questions about the
>>> curves first came out.
>> And a non NIST person verified that the curves were not generated by the
>> described process after the scandal broke.
>> Checking the verification code may be a good idea.
> I just checked that the verification process described in Appendix 5 in the
> document RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE, July 1999
> (http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf) accepts
> the NIST prime field curves listed in that document. Trivial python script
> follows.
> I am certainly not the first non-US non-government person to check.
> There is solid evidence that the US government does bad things. This isn't it.
Agreed (though did you also check whether the supposed verification
process actually matches the supposed generation process?).
Also agreed, NSA could not have reverse-engineered the parts of the
generating process from "random" source to the curve's b component, i.e.
they could not have started with a chosen b component and then generated
the "random" source.
However they could easily have cherry-picked a result for b from trying
several squillion source numbers. There is no real reason not to use
something like the digits of pi as the source - which they did not do.
Also, the method by which the generators (and thus the actual groups in
use, not the curves) were chosen is unclear.
Even assuming NSA tried their hardest to undermine the curve selection
process, there is some doubt as to whether these two actual and easily
verifiable failings in a supposedly "open" generation process are enough
to make the final groups selected useful for NSA's nefarious purposes.
But there is a definite lack of clarity there.
-- Peter Fairbrother
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography