[curves] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

Ron Garret ron at flownet.com
Thu Oct 22 20:12:46 PDT 2015 

On Oct 22, 2015, at 7:20 PM, Tao Effect <contact at taoeffect.com> wrote:

> From this blog post: http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html
> 
> To quote Matthew Green:
> 
> <BEGIN>
> 
> By calculating the number of possible curve families, Koblitz and Menezes show that a vast proportion of curves (for P-256, around 2^{209} out of 2^{257}) would have to be weak in order for the NSA to succeed in this attack. The implications of such a large class of vulnerable curves is very bad for the field of ECC. It dwarfs every previous known weak curve class and would call into question the decision to use ECC at all.
> 
> In other words, Koblitz and Menezes are saying that if you accept the weak curve hypothesis into your heart, the solution is not to replace the NIST elliptic curves with anything at all, but rather, to leave the building as rapidly as possible and perhaps not shut the door on the way out. No joke.
> 
> On the gripping hand, this sounds very much like the plan NSA is currently implementing. Perhaps we should be worried.
> 
> </END>
> 
> So, I’m not a cryptographer, but ya’ll (supposedly) are. Any legitimacy to this?

(Originally posted  at: https://news.ycombinator.com/item?id=10433640)

I just read the full original paper, and this seems like the most likely explanation to me:

"[T]he main considerations might not have been technical at all, but rather Agency-specific — that is, related to the difficult situation the NSA was in following the Snowden leaks. The loss of trust and credibility from the scandal about Dual EC DRBG was so great that NSA might have anticipated that anything further it said about ECC standards would be mistrusted. The NSA might have felt that the quickest way to recover from the blow to its reputation would be to get a “clean slate” by abandoning its former role as promoters of ECC and moving ahead with the transition to post-quantum cryptography much earlier than it otherwise would have.”

I spent >10 years working for the government, and this scenario is entirely consistent with my experience there.

rg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20151022/21cdaf53/attachment.sig>

More information about the Curves mailing list