On Tue, Oct 1, 2013 at 9:00 PM, Jeffrey Goldberg <jeff...@goldmark.org>wrote:
> On 2013-10-01, at 12:54 PM, Tony Arcieri <basc...@gmail.com> wrote: > > > I wouldn't put it past them to intentionally weaken the NIST curves. > > This is what has changed. Previously, I believed that they *wouldn’t* try > to do something like that. Now we need to review things in terms of > capability. > > > That said, my gut feeling is they probably didn’t. > > My exceedingly untrained intuition conforms to yours. But we do need to > evaluate whether there are non-implausible mathematical and procedural > mechanisms by which they could have. So the question for me is how > implausible is it for there to be whole families of weak curves known to > the NSA. I simply don’t understand the math well enough to even begin to > approach that question, but … > > If the NSA had the capability to pick weak curves while covering their > tracks in such a way, why wouldn’t they have pulled the same trick with > Dual_EC_DRBG? If they could have made the selection of P and Q appear > random, it seems that they would have. I know that this isn’t the > identical situation, but again my (untrained) intuition suggests that there > are meaningful similarities in ways they could (or couldn’t) cover their > tracks. > Yes. Apparently. "Purely for the entertainment value to the audience here, I offer that it occurred to me that the suspect P-Q could have been a test case provided by the NSA, along the lines of "Given how the algorithm is supposed to work, if we corrupt the P-Q pair by making them non-random using a specific mathematical relationship between them, then the algorithm should be provably not secure. Demonstrating this should increase the confidence that the correctly implemented algorithm is secure." Then what happened is some arrogant scientist at NIST (full disclosure--I was formerly a NIST employee, and the terms of my departure still burn as a fire in the pit of my stomach) conveniently "forgot" to put the correct ones in the standard, or did it on purpose since "Anyone of modest skill in cryptography will detect the problem and come up with their own P-Q pair correctly. Anyone who doesn't deserves what they get." There are, in my estimation, people that arrogant employed by NIST." Look here http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html#! > Cheers, > > -- > Jeffrey Goldberg > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography > >
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
