[curves] Any interest in random curves?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 26 10:39:04 PDT 2014

On 06/26/2014 01:17 AM, Mike Hamburg wrote:
> There's been some flak thrown up at "verifiably random" curves recently,
> and I'm wondering if there's any interest in doing it right.  Of course,
> it's not obvious at all that random curves should have any quality which
> is better than, say, the Microsoft "2^NIST - minimal such that 3 mod 4"
> curves.  But if anyone cares about the random case, CRYPTO would be the
> place to generate the curves.
> I would suggest a procedure like the following.

I like this proposal, not because I have any intuitions that randomness
is necessarily useful in curve generation, but because it highlights the
dubious origins of the entropy in NIST curve generation.  It's also
pretty neat as a "performative act" :)

Some suggestions for the "performative act" part of this proposal:

 0) I think you'd want video in addition to still photography.  A
photograph of a Boggle set in a particular configuration with the
footage behind it doesn't show the actual shaking of the Boggle set that
preceded the answer.  Real-world video footage can also include panning
shots of the people engaged in the process.  Video footage could also
be projected on the overhead so that people in the room but not close to
the action can see the information (compromising this would require
collusion of all people close to the action, as well as some very
interesting real-time video modifications).

 1) The people who participate should be explicitly asked for permission
to be photographed or filmed, and provisions should be made for people
who want to observe but do not want to be recorded.  Maybe a certain
part of the room could be designated for observers who do not want to be

 2) It might be nice to have a well-defined way for those people present
who have well-known cryptographic credentials (e.g. people with OpenPGP
certificates?) to make publicly-signed assertions about the seeds they
saw generated at the event.

My main concern with this proposal is the possibility of further
fragmentation by the creation of yet another set of curves.  But it
seems to me that curves generated by this proposal would be strictly
preferable to any other ostensibly random-seeded curve.

It'd be nice to set precedent for future proposals that need entropy for
some public commitment, that it can't be generated in a secret closed
room any more if the entire public is expected to rely on it.
