[svnpenn]

> the trustworthiness of NIST-produced curves being questioned after revelations that the NSA willingly inserts backdoors into software, hardware components and published standards were made; well-known cryptographers have expressed doubts about how the NIST curves were designed, and voluntary tainting has already been proved in the past.

https://wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_...

[loeg]

Use Ed25519 for your SSH keys, then. (For the unfamiliar: it's not a NIST-chosen curve.)

[wolf550e]

'tptacek would write that no reputable cryptographer believes the NIST curves themselves are backdoored.

[1000units]

Is this a joke? Doesn't everybody believe they're backdoored?

[hannob]

There's two stories that often get mixed together. One is an elliptic curve based random number generator (Dual EC DRBG), and yes, everyone who knows the facts believes it's backdoored.

Then there's some much more general concerns about the NIST curves themselve. These concerns come down to that a) we don't really know how they were generated (there are some numbers in the paper that just "appear out of nowhere") and b) that they've been created by the NSA. But there's no concrete proof of any backdooring and it seems relatively implausible, as no method is known that would explain how that backdooring would work. I guess most people familiar with the facts don't believe they are backdoored.

[1000units]

Oh, just that once.

[tialaramex]

We don't actually know for sure that Dual EC is backdoored, we have unexplained constants plus subsequently a way to pick constants that backdoor the algorithm have been discovered. The constants could have been chosen randomly or based on something that would be embarrassing to reveal, e.g. the project leader picked their children's birthdays. Since this algorithm is worse in other ways there is no reason to use it and it's reasonable to treat things that pick Dual EC as problematic because they had no good reason to do that once it became controversial. But we shouldn't forget that it's not actually proven to be backdoored, we have only reasonable suspicions.

[wolf550e]

Reading this [1] and then saying that maybe it's not a backdoor, maybe it's the NSA cryptographer's kids' birthdays is completely nuts.

1 - https://eprint.iacr.org/2016/376.pdf

[ohazi]

We also know that the NSA secretly paid RSA-the-company $10 million to use dual ec as the default.

[lawnchair_larry]

We do know a lot more than that now. It was in the Snowden leaks.

[1000units]

We have a lot of competent people at the NSA.