Re: [Cryptography] Is ECC suspicious?
Op 6 sep. 2013, om 01:09 heeft "Perry E. Metzger" het volgende geschreven: > http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance …. > The Suite B curves were picked some time ago. Maybe they have problems. …. > Now, this certainly was a problem for the random number generator > standard, but is it an actual worry in other contexts? I tend not to > believe that but I'm curious about opinions. Given the use, including that of the wider security/intelligence community, I'd expect any issues to be more with very specific curves (either tweaked to be that way; or through soft means promoted/pushed/suggested those who by happenstance have an issue) that with the ECC as an algorithm/technology class. As anything deeper than a curve would assume very aligned/top-down control and little political entropy. Not something which 'just the' signal intelligence community could easily enforce on the other cats. Dw ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Is ECC suspicious?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 5, 2013, at 4:09 PM, "Perry E. Metzger" wrote: > Now, this certainly was a problem for the random number generator > standard, but is it an actual worry in other contexts? I tend not to > believe that but I'm curious about opinions. If there is a place to worry, it would be about the specific curves. I had a lively dinner-table conversation with Dan Bernstein and Tanja Lange at CRYPTO this year, and Dan pointed out that there's been a lot of work on cryptanalysis of specific curves and curve families. We know, for example that anything over GF(p^n) is seeming dodgy, but GF(p) seems okay. There are recent Eurocrypt papers on said. The Suite B curves were picked some time ago. Maybe they have problems. I have a small amount of raised eyebrow because the greatest bulwark we have against the SIGINT capabilities of any intelligence agency are that agency's IA cousins. I don't think that the Suite B curves would have been intentionally weak. That would be a shock. However, if the SIGINT guys (e.g.) discovered a weakness that gave P-256 something les than 128 bits of security, they might just sit on it. Certainly, even if they wanted to release that, there would be politics compounded by security compartments. Learning that they sat on a weakness would might be a shock, but it wouldn't be a surprise. If there is an issue, that's the place it would be. Not ECC as a technology, but specific curves. Jon -BEGIN PGP SIGNATURE- Version: PGP Universal 3.2.0 (Build 1672) Charset: us-ascii wj8DBQFSKRprsTedWZOD3gYRAqEnAKDrFOI4v8DnYxZdPEbFHflTRktwcACg28/f hyvPYuLAdM+58z0rTxg9Fss= =EnSi -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] Is ECC suspicious?
In this posting: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance Bruce Schneier casts some doubt on the use of ECC 5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can. Now, this certainly was a problem for the random number generator standard, but is it an actual worry in other contexts? I tend not to believe that but I'm curious about opinions. Perry -- Perry E. Metzgerpe...@piermont.com ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
