[OTR-dev] Fwd: Some DH groups found weak; is OTR vulnerable?

Peter Fairbrother zenadsl6186 at zen.co.uk
Mon Jun 1 17:24:24 EDT 2015


On 01/06/15 21:43, Shnatsel . wrote:
>> But how do you know those arguments aren't cherry-picked?
>
> We don't. We don't know they're good, all we know is they're
> relatively better than NIST curves, both based on publicly available
> research and on their developers having better rationale for their
> parameters than NIST as well as potentially less of an incentive to
> backdoor them.
>
> If crypto primitive backdoors are a real problem, BADA55 curves with
> verifiably random parameters might be worth considering:
> http://safecurves.cr.yp.to/bada55.html


The NIST curves are "verifiably random" too.

I personally do not think NIST could have started with a desired curve, 
and then calculated the seed by reversing the hashing etc. process (it's 
too complicated, IMO).


The only thing is, as with any "verifiably random" curve, you can still 
calculate a lot of "verifiably random" curves, then cherry-pick one 
which suits you...


-- Peter Fairbrother
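
The cherry-picking described above, worked through in code. This is an added example, not code from the OTR project or from anyone in this thread. It implements the ANSI X9.62 A.3.3.1 "verifiably random" derivation that NIST used for its prime curves (SHA-1 of the seed and of seed+1, concatenated into r, then b chosen so that r*b^2 = a^3 mod p with a = -3), checks that the published P-256 seed really does reproduce the published P-256 b, and then shows the other side of the coin: starting from a constructed seed, it walks seed, seed+1, seed+2, ... until the derived b satisfies an arbitrary predicate. The predicate `attacker_predicate` (low 12 bits of b equal to 0xa55) and the starting seed `START_SEED` are assumptions standing in for whatever hidden property a seed-chooser might actually be selecting for; every seed the loop returns is "verifiably random" by the recipe, and nothing in the recipe records how many seeds were discarded on the way.

```python
import hashlib

# NIST P-256 domain parameters (FIPS 186-4). All NIST prime curves use a = p - 3.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def x962_r_from_seed(seed: bytes, p: int) -> int:
    """ANSI X9.62 A.3.3.1: derive the integer r from SEED for a prime field of size p.

    r = W0 || W1 || ... || Ws, where W0 is the rightmost h bits of SHA-1(SEED)
    with its leftmost bit cleared and Wi = SHA-1((SEED + i) mod 2^g).
    """
    g = len(seed) * 8               # seed length in bits (160 for the NIST curves)
    t = p.bit_length()
    s = (t - 1) // 160
    h = t - 160 * s                 # 96 for P-256
    first = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w = first & ((1 << h) - 1)      # c0: rightmost h bits of SHA-1(SEED)
    w &= ~(1 << (h - 1))            # W0: leftmost bit of c0 set to zero
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        s_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return w


def x962_verify(seed: bytes, p: int, a: int, b: int) -> bool:
    """Check that (a, b) is the curve the X9.62 recipe produces from seed: r*b^2 = a^3 (mod p)."""
    r = x962_r_from_seed(seed, p)
    if r == 0 or (4 * r + 27) % p == 0:     # would give a singular curve
        return False
    return (r * b * b - pow(a, 3, p)) % p == 0


def x962_b_from_seed(seed: bytes, p: int, a: int):
    """Return the b the recipe yields for this seed (smaller of the two roots), or None
    if the seed must be rejected (singular curve, or a^3/r is not a square mod p)."""
    r = x962_r_from_seed(seed, p)
    if r == 0 or (4 * r + 27) % p == 0:
        return None
    x = pow(a, 3, p) * pow(r, -1, p) % p    # x = a^3 / r, so b = sqrt(x)
    if p % 4 != 3:
        raise ValueError("square-root shortcut below needs p = 3 (mod 4)")
    b = pow(x, (p + 1) // 4, p)             # valid square root iff x is a residue
    if b * b % p != x:
        return None
    return min(b, p - b)


def attacker_predicate(b: int) -> bool:
    """Assumed stand-in for a hidden property only the seed-chooser knows how to test."""
    return b & 0xfff == 0xa55


# Constructed starting seed (an assumption for the demo, not a real standard seed).
START_SEED = (1).to_bytes(20, "big")


def cherry_pick(start_seed: bytes, p: int, a: int, wanted, max_tries: int = 1 << 17):
    """Walk seed, seed+1, ... until the derived b satisfies `wanted`.

    Returns (seed, b, tries). The returned seed passes x962_verify like any other;
    the number of discarded seeds leaves no trace in the published parameters.
    """
    g = len(start_seed) * 8
    z = int.from_bytes(start_seed, "big")
    for tries in range(1, max_tries + 1):
        seed = ((z + tries - 1) % (1 << g)).to_bytes(g // 8, "big")
        b = x962_b_from_seed(seed, p, a)
        if b is not None and wanted(b):
            return seed, b, tries
    raise RuntimeError("no suitable seed found within max_tries")


if __name__ == "__main__":
    print("P-256 seed reproduces published b:",
          x962_verify(P256_SEED, P256_P, P256_A, P256_B))
    seed, b, tries = cherry_pick(START_SEED, P256_P, P256_A, attacker_predicate)
    print(f"after {tries} seeds: seed={seed.hex()} b={b:064x}")
    print("cherry-picked seed is still 'verifiably random':",
          x962_verify(seed, P256_P, P256_A, b))
```

The first print confirms the honest half of the story: the published P-256 seed does hash to the published b, so nobody tampered with b after choosing the seed. The second half is the point of the post: with a 12-bit target the loop needs on the order of ten thousand seeds (about half of all seeds are rejected because a^3/r is a non-residue), and a seed-chooser with real computing budget can impose a much narrower property while the published seed looks exactly as random as any other.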

