Comment by aaomidi
2 years ago
> Why would they be willing to risk that here?
Certain types of attacks basically make it so you need to have a specific private key to act as a backdoor. That's the current guess on what may be happening with the NIST ECC curves.
If so, this can be effectively a US-only backdoor for a long, long time.
I don't believe that is anybody's guess on what may be happening with the NIST ECC curves. Ordinarily, when people on HN say things like this, they're confusing Dual EC, a public key random number generator, known to be backdoored, with the NIST curve standards.
The issue with the NIST curves is that they were generated from a PRNG with some kind of completely random seed. The conspiracy theory there is that the seed was selected so as to make the curve exploitable for NSA and NSA only. Choosing such a seed is somewhat harder than a complete break of the hash function (IIRC SHA-2) used in the PRNG that was used to derive the curve.
On the other hand, there are a lot of reasons to use an elliptic curve that was intentionally designed, i.e. DJB's designs. And well, in 2009 I would not have imagined that the kind of stuff DJB publishes would end up in TLS 1.3.
It's very unlikely the seeds were random, and they weren't even ostensibly generated from a PRNG, as I understand it. Rather, they were passed through SHA1 (remember: this is the 1990s), as a means to destroy any possible structure in the original seed. The actual seeds themselves aren't my story to tell, but are a story that other people are talking about. For my part, I'll just point again to Koblitz and Menezes on the actual cryptographic problems with the NIST P-curve seed conspiracy:
https://eprint.iacr.org/2015/1018.pdf
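The "passed through SHA1" step above is the ANSI X9.62 / FIPS 186 "verifiably random" procedure, and anyone can re-run it. The script below is an added example, not code from this thread or from NIST: it embeds the published P-256 and P-384 parameters (assumed to be transcribed correctly from the standards) and reconstructs the integer r from the seed exactly as the procedure is commonly described (SHA-1 of the seed, keep the w rightmost bits, then append SHA-1 of seed+1, seed+2, ...), then checks the defining relation r * b^2 = a^3 (mod p) with a = -3. The procedure details are my reading of the standard, stated here as an assumption.

```python
import hashlib

# Constructed table of published NIST prime-curve parameters
# (assumption: values copied correctly from FIPS 186 / SEC 2).
P_CURVES = {
    "P-256": {
        "p": 2**256 - 2**224 + 2**192 + 2**96 - 1,
        "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        "seed": bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90"),
    },
    "P-384": {
        "p": 2**384 - 2**128 - 2**96 + 2**32 - 1,
        "b": 0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF,
        "seed": bytes.fromhex("a335926aa319a27a1d00896a6773a4827acdac73"),
    },
}


def x962_r(seed: bytes, t: int) -> int:
    """Derive the X9.62 integer r from a seed for a prime of bit length t.

    v = floor((t-1)/160) extra SHA-1 blocks are appended so that the
    result has t-1 bits; w = t - 160v - 1 is the width of the first block,
    taken as the w rightmost bits of SHA-1(seed) (assumed reading of X9.62).
    """
    g = len(seed) * 8                      # seed length in bits
    v = (t - 1) // 160
    w = t - 160 * v - 1
    h0 = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    r = h0 & ((1 << w) - 1)                # w rightmost bits of the first hash
    z = int.from_bytes(seed, "big")
    for i in range(1, v + 1):
        # SHA-1 of (seed + i) mod 2^g, appended as a full 160-bit block
        s_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        r = (r << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return r


def verify_with_seed(name: str, seed: bytes) -> bool:
    """True iff the published b for `name` satisfies r*b^2 == a^3 (mod p)
    with r derived from `seed`; a = -3 for all NIST prime curves."""
    c = P_CURVES[name]
    p, b = c["p"], c["b"]
    a = p - 3
    r = x962_r(seed, p.bit_length())
    if r == 0 or (4 * r + 27) % p == 0:    # X9.62 rejects degenerate r
        return False
    return (r * b * b - a ** 3) % p == 0


def verify_nist_seed(name: str) -> bool:
    """Re-run the verifiably-random check with the curve's published seed."""
    return verify_with_seed(name, P_CURVES[name]["seed"])


if __name__ == "__main__":
    for curve in P_CURVES:
        print(curve, "seed reproduces b:", verify_nist_seed(curve))
    # A seed differing in one bit fails the check (constructed negative case).
    bad = bytearray(P_CURVES["P-256"]["seed"])
    bad[-1] ^= 1
    print("P-256 with tampered seed:", verify_with_seed("P-256", bytes(bad)))
```

Note what this does and does not establish: a passing check proves only that b was derived from that seed through SHA-1, so the coefficients were not free to be chosen after the fact. It says nothing about how the seed itself was picked, which is exactly the residual question the thread (and Koblitz and Menezes) are discussing; a seed can be searched over until the resulting curve has some property, and the hash chain would still verify.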
Yeah I've noticed people mixing them up. They happened around the same time, so I can excuse it a bit.
The problem with the NIST ECC curves is that we still do not know where the heck that seed came from and why that seed specifically.
See Koblitz and Menezes:
https://eprint.iacr.org/2015/1018.pdf
Also: if the NIST ECC curves actually are backdoored then why would the NSA need to try to push a backdoored random number generator? Just exploit the already-backdoored curves.
Redundancy, so if one backdoor is closed/fixed/avoided, you still have more.
No, it’s really not. Ask Neal Koblitz.