Posted Mar 20, 2014 15:10 UTC (Thu) by cesarb (subscriber, #6266)
In reply to: Curve25519 by proski
Parent article: What's new in OpenSSH 6.5 (and 6.6)

The question about the NIST curves (P-256, P-384, and others) is that they have large constants, and the rationale for choosing these exact constants has not been published anywhere.

Think about Dual_EC_DRBG: it had large constant numbers. It has been shown that whoever generated these numbers could at the same time generate a related set of numbers, which when known allows one to reverse the function. Recent revelations imply that the NSA knows these numbers.

AFAIK, no such mechanism is known to exist for the NIST curve constants, but that might be just because nobody has found one yet. And the NSA is known to be involved with it.

Now contrast it with Curve25519. Every single constant in the algorithm has been explained by its creator, and is the smallest value with some desirable property (performance or security). Unsurprisingly, all these constants are quite small. Quoting Wikipedia: "The curve used is y^2 = x^3 + 486662x^2 + x (a Montgomery curve) over the prime field defined by the prime number 2^255 − 19, and it uses the base point x = 9." That's it.

It's possible (and even probable) that the NIST curves do not in fact have a backdoor. But with the DJB curves, you can be certain that they do not have a backdoor, and they are also simpler and faster.

Take a look at for more on the subject.

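As an added illustration of the point made in the comment above (this is example code written for this page, not code from the commenter, LWN, OpenSSH or the Curve25519 project), the following Python builds a working X25519 key exchange from nothing but the three constants the comment quotes: the prime 2^255 - 19, the curve coefficient 486662 and the base point x = 9. It first checks the two things a reader can verify offline (that the prime really is prime, and that x = 9 is the x-coordinate of a point on the curve), then runs the RFC 7748 Montgomery ladder and compares its output against the RFC 7748 section 6.1 test vector. The scalar clamping and little-endian byte encoding are RFC 7748 conventions that the comment does not mention; they are assumed here so the result can be checked against published vectors. The `if swap:` branch is deliberately plain Python and is not constant-time; it is a readability choice for the example, not something to copy into a real implementation.

```python
"""X25519 reconstructed from the Curve25519 constants quoted above (added example)."""

# The complete public parameter set of Curve25519, as quoted in the comment.
P = 2**255 - 19        # the prime field
A = 486662             # Montgomery curve y^2 = x^3 + A*x^2 + x
BASE_U = 9             # x-coordinate of the base point
A24 = (A - 2) // 4     # = 121665; the only derived constant the ladder needs


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; sufficient to sanity-check P offline."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def on_curve(u: int) -> bool:
    """True if some y satisfies y^2 = u^3 + A*u^2 + u (mod P), by Euler's criterion."""
    rhs = (u**3 + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping: clear the low 3 bits and the top bit, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u: bytes) -> int:
    """RFC 7748 u-coordinate decoding: little-endian, top bit ignored."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on the u-coordinate only (RFC 7748 section 5 ladder)."""
    kk = decode_scalar(k)
    x1 = decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:  # NOTE: not constant-time; real code uses a branch-free swap
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a_ = (x2 + z2) % P
        aa = a_ * a_ % P
        b_ = (x2 - z2) % P
        bb = b_ * b_ % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a_ % P
        cb = c * b_ % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_base(k: bytes) -> bytes:
    """Public key derivation: multiply the base point x = 9 by the clamped scalar."""
    return x25519(k, BASE_U.to_bytes(32, "little"))


# Test vector from RFC 7748 section 6.1 (not constructed; quoted from the RFC).
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PK = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PK = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def check_rfc7748_vector() -> bool:
    """Both public keys and both directions of the shared secret must match the RFC."""
    alice_pk = x25519_base(ALICE_SK)
    bob_pk = x25519_base(BOB_SK)
    k_ab = x25519(ALICE_SK, bob_pk)
    k_ba = x25519(BOB_SK, alice_pk)
    return (alice_pk.hex() == ALICE_PK and bob_pk.hex() == BOB_PK
            and k_ab == k_ba and k_ab.hex() == SHARED)


if __name__ == "__main__":
    print("2^255 - 19 is prime:", is_probable_prime(P))
    print("x = 9 lies on the curve:", on_curve(BASE_U))
    print("RFC 7748 vector reproduced:", check_rfc7748_vector())
```

The point of the exercise is the one the comment makes: every number the code needs is either written out in the quoted sentence or derived from it by a one-line formula (A24 = (A - 2)/4), and the result interoperates with an independently published test vector. The same cannot be done for P-256 from its published description, because the seed behind its coefficient b is given without any explanation of how it was chosen.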


Posted Mar 26, 2014 2:21 UTC (Wed) by plugwash (subscriber, #29694) [Link]

Of course it's also possible that the constants used in the NIST curves were chosen to protect against some attack that the US government knows about but the public crypto community does not.


Posted Mar 26, 2014 5:44 UTC (Wed) by dlang (subscriber, #313) [Link]

That's true, and we know that did happen way back when with DES, but it's a different NSA today, and from everything we know, far more interested in being able to get into other systems than in helping defend anything but their own. They no longer have the benefit of any doubt; they threw that away.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds