| > No cryptographers believe the NIST curves are backdoored. That's not true. For an example, see Schneier's comment here: https://www.schneier.com/blog/archives/2013/09/the_nsa_is_br... Or Bernstein and Lange's comments here: https://www.hyperelliptic.org/tanja/vortraege/20130531.pdf (specifically the: Jerry Solinas at NSA used this to generate the NIST curves (or so he says)) I believe Matthew Green may have also made a similar statement, though I can't find it, so perhaps I'm not recalling correctly. In any case, I don't think you can outright say "No cryptographers believe the NIST curves are backdoored". You can at best say "No cryptographers have proven the NIST curves are backdoored", which is true. However, those cryptographers have also raised concerns (including concerns about backdoors) and I just hope we move to safer alternatives quicker. |
It's worth keeping in mind that Schneier is also not an academic cryptographer, or really a serious practicing cryptography researcher of any sort. He's a great popularizer and he works with some very credible other researchers, but "Schneier said so" is never going to win a debate among cryptographers.
Bernstein makes the same kinds of comments about the Brainpool curves (the whole point of BADA55 was that the Brainpool curves aren't that much more trustworthy than the Solinas curves), and nobody, including Bernstein, will with a straight face say that the Brainpool curves are backdoored.
It's a valid process critique that has been interpreted by laypeople as an accusation, which is something Bernstein has taken flak for.