On Tue, May 12, 2015 at 11:14 AM, Thierry Moreau < thierry.mor...@connotech.com> wrote:
> I do not want to push any plot theory without a deep understanding of the
> ECC fundamentals. But recalling that NSA had prior knowledge of
> differential cryptanalysis (versus academia) and prior knowledge of RSA and
> D-H, is there any specific research directions in the ECC field in which
> the NSA could have advance knowledge that would induce them to push ECC
> deployment over factoring-based RSA?

I think it's unlikely that the NSA had advance knowledge of some sort of class of weak curves / attack in the late '90s and baked that attack into the NIST curves in such a way that civilian cryptographers are yet to discover it in 2015.

However, the NIST curves definitely have (unintentional?) security problems in addition to large mystery constants which do not inspire confidence. Hence djb and friends / MS / CFRG's desire to have rigid curve generation guidelines.

Dual EC DRBG smelled much more of a backdoor.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography