Comment by tptacek

2 years ago

I don't believe that is anybody's guess on what may be happening with the NIST ECC curves. Ordinarily, when people on HN say things like this, they're confusing Dual EC, a public key random number generator, known to be backdoored, with the NIST curve standards.

The issue with the NIST curves is that they were generated from a PRNG with some kind of completely random seed. The conspiracy theory there is that the seed was selected so as to make the curve exploitable by the NSA and the NSA only. Choosing such a seed is somewhat harder than a complete break of the hash function (IIRC SHA-2) used in the PRNG that was used to derive the curve.

On the other hand, there are a lot of reasons to use an elliptic curve that was intentionally designed, i.e., DJB's designs. And well, in 2009 I would not have imagined that the kind of stuff DJB publishes would end up in TLS 1.3.

  • It's very unlikely the seeds were random, and they weren't even ostensibly generated from a PRNG, as I understand it. Rather, they were passed through SHA-1 (remember: this is the 1990s), as a means to destroy any possible structure in the original seed. The actual seeds themselves aren't my story to tell, but are a story that other people are talking about. For my part, I'll just point again to Koblitz and Menezes on the actual cryptographic problems with the NIST P-curve seed conspiracy:

    https://eprint.iacr.org/2015/1018.pdf

Also: if the NIST ECC curves actually are backdoored, then why would the NSA need to try to push a backdoored random number generator? Just exploit the already-backdoored curves.