undefined | Better HN

0 pointsphicoh6y ago0 comments

Compare the NIST curves to RSA. For RSA we know there cannot be any backdoors. If you generate good quality primes you are in business (assuming you don't make mistakes elsewhere).

For NIST we cannot say anything about backdoors. We don't use those curves because we don't trust NIST. Not because we have any prove they are bad.

So to avoid that, there is a parameter selection process that supposedly leaves no room for backdoors, though at some CCC congress DJB described how you could use a similar process to add backdoors.

So basically, EC is based on magic. We cannot prove it is bad, we just have to hope there is no hidden magic.

Note you say 'only marginal room'. Soon the whole world will use exactly one curve. With 'only marginal room for hidden backdoors'.

I feel way more comfortable to know that with RSA what you see is what you get.

0 comments

tptacek6y ago

Even Bernstein doesn't really believe the NIST p-curves are backdoored, and the Koblitz/Menezes paper makes a pretty decent case that they couldn't be, but if you want to tinfoil hat it, just do what every modern system does and use Curve25519.

If any of this is new to you, though, you shouldn't be designing cryptosystems. Most people shouldn't! I sure shouldn't! It's an extremely specialized skill, and the world doesn't need that many new ones. Just use Nacl.

throw0101a6y ago

> but if you want to tinfoil hat it, just do what every modern system does and use Curve25519.

What is your take on the NIST curves being "officially" blessed for government data via Suite B (or whatever they're calling it)?

If it's good enough for government work, would it be good enough for us in the private sector? What are the chances the the NSA know weaknesses in Curve25519 or ChaCha like they knew about differential cryptanalysis attacks DES ahead of everyone else?

tptacek6y ago

Frankly I think the kremlinology is a lot less interesting and useful than the engineering facts, which are that Curve25519 is more misuse-resistant, faster, and easier to implement in constant time. People shouldn't be using the P-curves anymore.

ClumsyPilot6y ago

99.999% vulnerabilities come from bad implementation, not "magic"!

j / k navigate · click thread line to collapse

0 pointsphicoh6y ago0 comments

Compare the NIST curves to RSA. For RSA we know there cannot be any backdoors. If you generate good quality primes you are in business (assuming you don't make mistakes elsewhere).

For NIST we cannot say anything about backdoors. We don't use those curves because we don't trust NIST. Not because we have any prove they are bad.

So to avoid that, there is a parameter selection process that supposedly leaves no room for backdoors, though at some CCC congress DJB described how you could use a similar process to add backdoors.

So basically, EC is based on magic. We cannot prove it is bad, we just have to hope there is no hidden magic.

Note you say 'only marginal room'. Soon the whole world will use exactly one curve. With 'only marginal room for hidden backdoors'.

I feel way more comfortable to know that with RSA what you see is what you get.

0 comments

tptacek6y ago

throw0101a6y ago

> but if you want to tinfoil hat it, just do what every modern system does and use Curve25519.

What is your take on the NIST curves being "officially" blessed for government data via Suite B (or whatever they're calling it)?

tptacek6y ago

ClumsyPilot6y ago

99.999% vulnerabilities come from bad implementation, not "magic"!

j / k navigate · click thread line to collapse