[Ach] choosing safe curves for elliptic-curve cryptography

[Hanno Böck]

On Mon, 12 May 2014 10:03:21 -0700 (PDT)
"Joe St Sauver" <joe at oregon.uoregon.edu> wrote:

> US or non-US, people seem to do NIST crypto standards by default.

Just my personal opinion on that: The case for the NIST curves is one
of the reasons why I have lots of doubts if I'll ever trust NIST again.

Basically, after the Snowden revelations NIST has given some statements
that they want to improve their process and they have recalled the Dual
EC standard (although they haven't admitted that it's backdoored, but
that's pretty obvious).

The NIST curves contain unexplained constants and have been designed by
the NSA. Basically, this IMHO leaves two options:
a) NIST knows why and how these constants were chosen. If so, they
should tell the public.
b) NIST doesn't know why and how these constants where chosen. Then
they should consider the standard potentially compromised and recall it.

But at the moment they don't explain anything and don't recall the
standard.

(And for the record: I don't really believe that there's a backdoor in
the NIST curves. Assuming that would mean assuming that the NSA knew
some secret tricks about elliptic curves back in 1999 that up until
today nobody else has any idea about. But the bottom line is: I'd like
to be on the safe side. So even if I consider the probability of the
NIST curves to be backdoored quite low, I'd still like to be sure. And
if NIST can't give me that assurance, I'd like to avoid them.)


cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20140512/dd3039c3/attachment.sig>