On 10/22/2015 07:20 PM, Tao Effect wrote:
> From this blog post:
> http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html
>
> To quote Matthew Green:
>
> <BEGIN>
> In other words, Koblitz and Menezes are saying that if you accept the weak
> curve hypothesis into your heart, the solution is not to replace the NIST
> elliptic curves <https://www.ietf.org/mail-archive/web/cfrg/current/msg06426.html>
> with anything at all, but rather, to leave the building as rapidly as possible and
> perhaps not shut the door on the way out. No joke.
>
> On the gripping hand, this sounds very much like the plan NSA is currently
> implementing. Perhaps we should be worried.
> </END>

I've seen no technical reason to suspect the weak curve hypothesis. That said, if it is actually true, then in the year it gets announced, 99.99% of all the experts looking (and I don't even call myself an expert on ECC) will have seen no reason to suspect the weak curve hypothesis. It's that last *one* guy who has the insight that you have to wonder about; those of us who don't see it are a dime a dozen, even in a universe where it exists.

Of course, this action of the NSA's has dramatically focused the attention of guys who *could* have this insight, so if it exists, expect an announcement soon. Actually, I'd have expected it by now, because it's been a few months and if anybody was that close....

However, I don't think it does exist. I think that if this were being done for technical reasons - i.e., if ECC is *really* weak or has a large class of weak curves, or if someone is *really* close to developing serious quantum-computer cryptanalysis capabilities - we'd have heard about *something* from some other source. I mean, there are lots of hard-math people who work on crypto now, and lots of hard-physics people working on quantum computing, and at last count I think less than a third of them work directly for governments. Furthermore, the ones who do work for governments are less productive because they mostly refuse to collaborate across borders. The odds that a break so significant would be completely unknown outside of government agencies seem small.

Which IMO leaves non-technical reasons. It could be a subterfuge to try to hinder crypto adoption, or to get that focused analytical attention on ECC, or an attempt to get people to stop using something they don't know how to break. Heck, it could even be a legitimate attempt to protect the security of the nation's infrastructure; you just never know with these guys. It could be the agency's move to quit a field where they've been caught with their hand in the cookie jar. It could be somebody "marking territory" by changing something - anything! - just so it doesn't look like they're not being proactive. It could be somebody making a power grab because they want an excuse to work on something they won't get to work on unless there are new ciphers to develop. It could be .... the list goes on.

The quote with which the article opened is particularly appropriate, and one could speculate about the reasons operating within one of the world's most opaque and unresponsive bureaucracies for days.

Bear
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves