===Bruce Schneier===
I no longer trust the constants [of the NIST elliptic curves]. I
believe the NSA has manipulated them through their relationships with
industry.
> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929
===Dan J. Bernstein===
In response to NSA's contributions, ANSI X9.62 developed "a method
for selecting an elliptic curve verifiably at random", and a
procedure to "verify that a given elliptic curve was indeed generated
at random"; it even claims that this procedure "serves as proof
(under the assumption that SHA-1 cannot be inverted) that the
parameters were indeed generated at random".
However, this procedure does not verify randomness; it verifies only
that the curve coefficients were produced as SHA-1 output. The
claimed "proof" is nonexistent. The ANSI X9.62 curve-generation
method is not trivially manipulatable but it is manipulatable.
> http://safecurves.cr.yp.to/rigid.html
===Slashdot===
"In the wake of Bruce Schneier's statements that he no longer trusts
the constants selected for elliptic curve cryptography, people have
started trying to reproduce the process that led to those constants
being selected ... and found it cannot be done.
As background, the most basic standard elliptic curves used for
digital signatures and other cryptography are called the SEC random
curves (SEC is 'Standards for Efficient Cryptography'), a good
example being secp256r1.
The random numbers in these curve parameters were supposed to be
selected via a "verifiably random" process (output of SHA1 on some
seed), which is a reasonable way to obtain a nothing up my sleeve
number if the input to the hash function is trustworthy, like a small
counter or the digits of PI.
Unfortunately it turns out the actual inputs used were opaque 256 bit
numbers, chosen ad-hoc with no justifications provided. [...] Unless
NIST/the NSA can explain why the random curve seed values are
trustworthy, it might be time to re-evaluate all NIST based elliptic
curve crypto in general."
> http://it.slashdot.org/story/13/09/11/1224252/are-the-nist-standard-elliptic-curves-back-doored
===Noch nicht verunsichert?===
Suche nach c49d360886e704936a6678e1139d26b7819f7e90
I no longer trust the constants [of the NIST elliptic curves]. I
believe the NSA has manipulated them through their relationships with
industry.
> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929
===Dan J. Bernstein===
In response to NSA's contributions, ANSI X9.62 developed "a method
for selecting an elliptic curve verifiably at random", and a
procedure to "verify that a given elliptic curve was indeed generated
at random"; it even claims that this procedure "serves as proof
(under the assumption that SHA-1 cannot be inverted) that the
parameters were indeed generated at random".
However, this procedure does not verify randomness; it verifies only
that the curve coefficients were produced as SHA-1 output. The
claimed "proof" is nonexistent. The ANSI X9.62 curve-generation
method is not trivially manipulatable but it is manipulatable.
> http://safecurves.cr.yp.to/rigid.html
===Slashdot===
"In the wake of Bruce Schneier's statements that he no longer trusts
the constants selected for elliptic curve cryptography, people have
started trying to reproduce the process that led to those constants
being selected ... and found it cannot be done.
As background, the most basic standard elliptic curves used for
digital signatures and other cryptography are called the SEC random
curves (SEC is 'Standards for Efficient Cryptography'), a good
example being secp256r1.
The random numbers in these curve parameters were supposed to be
selected via a "verifiably random" process (output of SHA1 on some
seed), which is a reasonable way to obtain a nothing up my sleeve
number if the input to the hash function is trustworthy, like a small
counter or the digits of PI.
Unfortunately it turns out the actual inputs used were opaque 256 bit
numbers, chosen ad-hoc with no justifications provided. [...] Unless
NIST/the NSA can explain why the random curve seed values are
trustworthy, it might be time to re-evaluate all NIST based elliptic
curve crypto in general."
> http://it.slashdot.org/story/13/09/11/1224252/are-the-nist-standard-elliptic-curves-back-doored
===Noch nicht verunsichert?===
Suche nach c49d360886e704936a6678e1139d26b7819f7e90