On 11/10/2014 08:31 AM, Robert J. Hansen wrote:
> What Nan means to be talking about is the Dual Elliptical Curve
> Deterministic Random Bit Generator (Dual_EC_DRBG) specification -- a way
> of generating random numbers, but *not* a signature algorithm. It was
> released in 2004 to a great yawn: it was inefficient, slow, and the
> parameters gave some people the heebie-jeebies. In 2007, Shumow and
> Ferguson presented at CRYPTO some results that made this design look
> like it might be backdoored.
>
> An algorithm that nobody used in the first place ... remained an
> algorithm that nobody used in the first place.
Nobody may have used Dual_EC_DRBG "in the first place" (since of course it
didn't exist before it was proposed), but that doesn't mean that nobody used
it. Despite its terrible performance, RSA's BSAFE library used Dual_EC_DRBG
as the default CSPRNG for 9 years (most of them well after Shumow and
Ferguson's results), removing it only in 2013 when forced to by leaked
documents confirming the backdoor:

  https://en.wikipedia.org/wiki/RSA_BSAFE#Dual_EC_DRBG_backdoor
  http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users