[curves] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

Ray Dillinger bear at sonic.net
Fri Oct 23 16:08:41 PDT 2015



On 10/22/2015 07:20 PM, Tao Effect wrote:
> From this blog post: http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html <http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html>
> 
> To quote Matthew Green:
> 
> <BEGIN>

> In other words, Koblitz and Menezes are saying that if you accept the weak curve hypothesis into your heart, the solution is not to replace the NIST elliptic curves <https://www.ietf.org/mail-archive/web/cfrg/current/msg06426.html> with anything at all, but rather, to leave the building as rapidly as possible and perhaps not shut the door on the way out. No joke.
> 
> On the gripping hand, this sounds very much like the plan NSA is currently implementing. Perhaps we should be worried.
> 
> </END>

I've seen no technical reason to suspect the weak curve hypothesis.  That
said, if it is actually true, then in the year it gets announced, 99.99%
of all the experts looking (and I don't even call myself an expert on
ECC) will have seen no reason to suspect the weak curve hypothesis.
It's that last *one* guy who has the insight that you have to wonder
about; those of us who don't see it are a dime a dozen, even in a
universe where it exists.

Of course, this action of the NSA's has dramatically focused the
attention of guys who *could* have this insight, so if it exists
expect an announcement soon.  Actually I'd have expected it by
now, because it's been a few months and if anybody was that close....

However, I don't think it does exist.  I think that if this were
being done for technical reasons - ie, if ECC is *really* weak or
has a large class of weak curves, or if someone is *really* close
to developing serious quantum-computer cryptography capabilities -
we'd have heard about *something* from some other source.  I mean,
there are lots of hard-math people who work on crypto now, and lots
of hard-physics people working on quantum computing, and at last
count I think less than a third of them work directly for governments.
Furthermore, the ones who do work for governments are less productive
because they mostly refuse to collaborate across borders.  The odds
that a break so significant would be completely unknown outside of
government agencies seems small.

Which IMO leaves non-technical reasons.  It could be a subterfuge
to try to hinder crypto adoption, or to get that focused analytical
attention on ECC, or an attempt to get people to stop using something
they don't know how to break. Heck, it could even be a legitimate
attempt to protect the security of the nation's infrastructure; you
just never know with these guys.

It could be the agency's move to quit a field where they've been
caught with their hand in the cookie jar. It could be somebody
"marking territory" by changing something - anything ! - just so
it doesn't look like they're not being proactive.  It could be
somebody making a power grab because they want an excuse to work
on something they won't get to work on unless there are new ciphers
to develop. It could be ....  the list goes on.  The quote with
which the article opened is particularly appropriate, and one could
speculate about the reasons operating within one of the world's most
opaque and unresponsive bureaucracies for days.

				Bear

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20151023/de67d797/attachment.sig>


More information about the Curves mailing list