[curves] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

[Tao Effect]

From this blog post: http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html <http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html>

To quote Matthew Green:

<BEGIN>

By calculating the number of possible curve families, Koblitz and Menezes show that a vast proportion of curves (for P-256, around 2^{209} out of 2^{257}) would have to be weak in order for the NSA to succeed in this attack. The implications of such a large class of vulnerable curves is very bad for the field of ECC. It dwarfs every previous known weak curve class and would call into question the decision to use ECC at all.

In other words, Koblitz and Menezes are saying that if you accept the weak curve hypothesis into your heart, the solution is not to replace the NIST elliptic curves <https://www.ietf.org/mail-archive/web/cfrg/current/msg06426.html> with anything at all, but rather, to leave the building as rapidly as possible and perhaps not shut the door on the way out. No joke.

On the gripping hand, this sounds very much like the plan NSA is currently implementing. Perhaps we should be worried.

</END>

So, I’m not a cryptographer, but ya’ll (supposedly) are. Any legitimacy to this?

- Greg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20151022/e86c14e7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20151022/e86c14e7/attachment.sig>