


Posted Mar 20, 2014 13:57 UTC (Thu) by hmh (subscriber, #3838)
In reply to: Curve25519 by proski
Parent article: What's new in OpenSSH 6.5 (and 6.6)

The relevant issue is best described by this reply by Schneier:

> Bruce Schneier • September 5, 2013 4:07 PM
>
> > On the crypto bits in your guardian piece, I found especially interesting that you suggest classic discrete log crypto over ecc. I want to ask if you could elaborate more on that.
>
> I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.

There is no such suspicion for curve25519 at this time, so it has nothing to do with "cracking" ECC. It has everything to do with ECCs engineered from the ground up to be compromised through a related curve that is only known by the designer, and the possibility of such a compromise in the NIST curves.

So, the logic behind a preference for curve25519 is not that the NSA cannot crack it; it is that the NSA would have to crack it.



Posted Mar 20, 2014 18:33 UTC (Thu) by drag (guest, #31333) [Link]

Very good. Thank you.


Posted Mar 20, 2014 20:12 UTC (Thu) by proski (subscriber, #104) [Link]

Thank you. I wrongly implied that Dual_EC_DRBG is based on Curve25519.

Perhaps there should be a way to generate constants in a way that they cannot be manipulated. For example, record noise of wind and run sha512 on the wav file. Or take a picture of the sky at night.


Posted Mar 21, 2014 2:37 UTC (Fri) by hkario (subscriber, #94864) [Link]

What you need is "nothing up my sleeve" numbers, so ironically a generation that starts with an ASCII seed "NIST elliptic curve 1" would be less likely backdoored.


Posted Mar 21, 2014 5:23 UTC (Fri) by djm (guest, #11651) [Link]

That's one of the benefits of Curve25519 - there are no magic constants; all values are simply the smallest possible values that will yield a curve of the desired strength.


Posted Mar 21, 2014 15:54 UTC (Fri) by jezuch (subscriber, #52988) [Link]

> That's one of the benefits of Curve25519 - there are no magic constants

...except for the curve's parameters, of course :) [You already have one magic constant in the name!]


Posted Mar 21, 2014 20:06 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

The parameters for Curve25519 aren't "magic", they're the smallest values which have the necessary characteristics, as cesarb already explained here: The name is a reference to the prime number the curve is based on, 2^255-19.
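An added example, not part of the thread or of any project's code: it checks the "smallest value" claim for the prime 2^255-19 and, going beyond the thread, shows a reproducible derivation from the ASCII seed suggested above. The function names and the seed-plus-counter SHA-512 scheme are assumptions made for illustration; the curve coefficient is not checked here, since that requires point counting.

```python
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small-prime bases (probabilistic at this size)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:               # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # base a is a witness: n is composite
    return True

def smallest_offset(bits: int) -> int:
    """Smallest c > 0 such that 2**bits - c is (probably) prime."""
    c = 1
    while not is_probable_prime(2**bits - c):
        c += 1
    return c

def prime_from_seed(seed: bytes, bits: int = 255) -> tuple[int, int]:
    """Hash seed || counter with SHA-512 until a `bits`-bit prime appears.

    Hypothetical scheme: anyone can re-run it and must get the same prime,
    so the only free choices are the public seed and the published rule.
    """
    counter = 0
    while True:
        digest = hashlib.sha512(seed + counter.to_bytes(4, "big")).digest()
        candidate = int.from_bytes(digest, "big") >> (512 - bits)
        candidate |= (1 << (bits - 1)) | 1   # force full length and oddness
        if is_probable_prime(candidate):
            return candidate, counter
        counter += 1

if __name__ == "__main__":
    print("2^255 - c is first prime at c =", smallest_offset(255))
    p, tries = prime_from_seed(b"NIST elliptic curve 1")
    print(f"seed-derived prime after {tries} retries: {hex(p)}")
```

A seed-derived constant is only as trustworthy as the seed: a designer who can try many seeds can still search for a convenient result, which is why a "smallest value that works" rule leaves less room than an arbitrary-looking seed.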


Posted Mar 21, 2014 20:14 UTC (Fri) by dlang (subscriber, #313) [Link]

The thought is that the curve parameters aren't "magic"; the reasons for what they are have been explained, including why they are the smallest ones they can be.
