On 13/10/14 15:51, Derek Miller wrote: > Like many people, I consider the seed values used to generate the NIST > Prime curves suspicious. > However, considering one of the scenarios where these curves might be > compromised (the NSA knew of weaknesses in certain curves, and engineered > the NIST Prime curves to be subject to those weaknesses), does it even make > sense to use ECC at all? > If the NIST curves are weak in a way that we don't understand, this means > that ECC has properties that we don't understand. > Thus, if you don't trust the NIST Prime curves, does it make sense to trust > any ECC curves at all?
There are performance and implementation reasons (easier to avoid side-channel attacks) claimed for the additional curves that are being looked at by the IRTF's CFRG (at the request of the IETF's TLS, if that's not too acronym laden:-) Those claims seem credible at least, and are also spurring folks to look again at implementations of the NIST curves. S. > > I appreciate your responses, > D > > > > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography > _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
