[OTR-users] OTR-encryption not safe - DSA 1024bit is too short

Pete Stephenson pete at heypete.com
Wed Dec 12 14:25:24 EST 2012

On 12/12/2012 8:05 PM, . wrote:
> Somewhere (and I really tried to find this site again by searching for
> like "nist" AND "own curves") I read not to use NIST's curves but use
> one's own curves, but why exactly -- maybe NIST can pre-calculate things
> and speed up encryption -- I don't know, not an expert on this.
> I guess it's also because one shouldn't always trust NIST anyway (in
> case of their recommendation which key-sizes to use I trust them because
> I can calculate and know more or less how long a key should be).

Since the NIST curves are used for protecting classified US government
information it would seem unlikely that they would be specifically
designed to be weakened in some way as there's no doubt many adversaries
who are testing such publicly-released curves to find any such weaknesses.

FIPS 186-3 describes how they generated the various NIST curves and the
reasoning and methods behind it. Appendix D of the document, which is
available at
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf , goes
into specific detail.

These curves were chosen to have certain mathematical properties
described at
to be optimized for high performance (which doesn't sacrifice security).

It's pretty good to be skeptical of things provided by major governments
but my understanding of ECC is that the curves themselves aren't
intended to be secret and are merely a common starting point for key
generation (they're basically equivalent to DH parameters used for DH
key exchange).


More information about the OTR-users mailing list