[OTR-dev] Fwd: Some DH groups found weak; is OTR vulnerable?

Taylor R Campbell campbell+otr at mumble.net
Mon Jun 1 16:50:05 EDT 2015


   Date: Mon, 1 Jun 2015 16:32:03 -0400 (EDT)
   From: Paul Wouters <paul at cypherpunks.ca>

   On Tue, 26 May 2015, Taylor R Campbell wrote:

   > The curve shape and every parameter in Curve25519 are fully justified
   > in the paper <http://cr.yp.to/ecdh/curve25519-20060209.pdf> to
   > provide the maximum performance for a prescribed security level, or to
   > be the smallest values for an arbitrary choice satisfying all security
   > criteria.

   But how do you know those arguments aren't cherry-picked?

   It's like saying, "I picked red because it is provably the most prominent
   warning colour in nature, and the fastest" while hiding a "I have a back
   door for red" in my pocket.

Find any other relevant security criteria for a DH function built on
elliptic-curve crypto, and then we can discuss that.

