On Mon, Oct 13, 2014 at 4:51 PM, Derek Miller <dreemkil...@gmail.com> wrote:
> However, considering one of the scenarios where these curves might be
> compromised (the NSA knew of weaknesses in certain curves, and engineered
> the NIST Prime curves to be subject to those weaknesses)

interestingly, this is the better case. because if so, we can assume a minority of the curves are bad. if many curves were bad, they could just try to find nicely parametrized curves that are weak. they had to resort to that hashing strategy, which means that method is unfeasible, thus the vast majority of the curves do not have the property they wanted. therefore any non-NIST curve is probably safe by pure chance.

however, there is the other case, namely NIST defends against some vulnerability they don't disclose. if so, the logic goes the opposite direction: most curves are vulnerable. in this case, other curves are probably unsafe.

so actually we hope they were malicious, and then we can use all other curves, there are plenty.