by wolf550e 3849 days ago
No cryptographers believe the NIST curves are backdoored. OpenSSL's and NSS's implementations of P-256 have been reviewed and are considered secure. My conclusion is that if your CSPRNG is good, P-256 ECDHE with openssl should be fine.

Better ECDHE is ready to be rolled out though: https://tools.ietf.org/html/draft-irtf-cfrg-curves-11

Too bad how long CFRG takes to get EdDSA ready.


> No cryptographers believe the NIST curves are backdoored.

That's not true. For example, see Schneier's comment here:

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_br...

Or Bernstein and Lange's comments here:

https://www.hyperelliptic.org/tanja/vortraege/20130531.pdf

(specifically the line: "Jerry Solinas at NSA used this to generate the NIST curves (or so he says)")

I believe Matthew Green may have also made a similar statement, though I can't find it, so perhaps I'm not recalling correctly. In any case, I don't think you can outright say "No cryptographers believe the NIST curves are backdoored". You can at best say "No cryptographers have proven the NIST curves are backdoored", which is true.

However, those cryptographers have also raised concerns (including concerns about backdoors) and I just hope we move to safer alternatives quicker.

Schneier's comment is misinformed, and Schneier has had a bias against ECC going back over a decade, which has, I think, kept him from learning as much about it as he's picked up about RSA. Schneier has published no research about ECC, and details of curve crypto are absent from his books.

It's worth keeping in mind that Schneier is also not an academic cryptographer, or really a serious practicing cryptography researcher of any sort. He's a great popularizer and he works with some very credible other researchers, but "Schneier said so" is never going to win a debate among cryptographers.

Bernstein makes the same kinds of comments about the Brainpool curves (the whole point of BADA55 was that the Brainpool curves aren't that much more trustworthy than the Solinas curves), and nobody, including Bernstein, will with a straight face say that the Brainpool curves are backdoored.

It's a valid process critique that has been interpreted by laypeople as an accusation, which is something Bernstein has taken flak for.

Curious that Schneier recommends discrete log crypto in response to a report that the NSA was breaking most crypto. In hindsight, there's a very good chance that the NSA attack in question was the logjam attack against discrete log DH. But, sure, stick with plain DH if it makes you feel safer.

Yes, I think that recommendation was pretty irresponsible, and not just because of Logjam. You are probably safer using NIST P-curve crypto than you are with RSA, and not just because virtually all RSA applications use insecure RSA constructions, but also because RSA includes the huge footgun of having a direct and easy to (unsafely) use Encrypt/Decrypt primitive.

I assume he meant long 2048+ bit DH with user generated primes, which would arguably be safer, just due to sheer simplicity if nothing else.