[Ach] choosing safe curves for elliptic-curve cryptography

Aaron Zauner azet at azet.org
Mon May 12 21:03:41 CEST 2014


Hi,

ianG wrote:
> There is a clear contradiction here.  There are two possible theories
> I've come across.  One is that the NSA simply didn't know as much ECC at
> the time, and the other is that the NSA was using the standards
> organisations (and its own govt. secrecy functions) to push curves that
> they knew they had an asymmetric advantage in.
> 
> Currently, I can't pick between the two.
Maybe it's a combination of both? They sure have good cryptanalysts -
but they're also just another government agency with low pay and
bureaucracy.

> The asymmetric advantage is rapidly narrowing as China can now build big
> crunchers as well as the USA (it's just chips, after all) and their
> mathematicians are pretty good as well (consider Shandong/MD5/SHA1), so
> maybe this is an argument that has passed its "sell-by" date.
You won't be able to guess the parameters that *might* exist - as far as
I can tell by what djb has spoken on in regard to NIST curves. Even for
large supercomputers (we're racing towards exascale - if you want to
believe HPC evangelists) that's a lot of work - i.e. a lot of money in
terms of power and engineering. As I work in HPC for a living I got to
see a presentation on Tianhe-2 in November 2013: I'm still not sure what
those guys do on this machine, what I'm sure of is that most of their
"invented" technology (i.e. interconnect) was actually stolen and badly
applied to Chinese needs. One interesting thing to note is that Tianhe-2
is designed, built and operated by the Chinese defense university [sic!]:
https://en.wikipedia.org/wiki/National_University_of_Defense_Technology


> Another issue is that Suite A is unpublished -- so what does it do?  So
> far, the hint I've heard is that it doesn't use PK or EC at all...  If
> the case, then that's a *big hint*.  But no real confirmation of that
> other than rumours.
My fair guess is that Suite A consists of NSA-only ciphers. Which would
mean that it's probably less secure than publicly audited algorithms and
ciphers.


Aaron
