GNU bug report logs -
#57599
[PATCH] openpgp: Add support for ECDSA with NIST curves.
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Mon, 5 Sep 2022 16:10:02 UTC
Severity: normal
Tags: patch, wontfix
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
On Wed, Sep 07, 2022 at 01:13:25PM +0200, Maxime Devos wrote:
> Also, we _do_ have concrete evidence that the curves are flawed -- the website
> on the link mentions many issues in the process
The website (you mean the blog by D. Bernstein?) also mentions the use of
a hash function to arrive at the parameters. Maybe I overlooked something,
but I did not find other mentions of the curves (but I did not read the
page from A to Z).
> past that the NSA is in the habit of subverting communications.
But this is not concrete evidence that these curves are flawed.
As far as is publicly known, there are a few weak (and sparse) classes
of insecure elliptic curves, and the NIST curves do not belong to them.
So the only way these curves could be flawed is that there is an unknown
class of insecure curves, where the insecurity is known by the NSA.
Then if this class is sufficiently dense, one could start with a random
seed, hash the seed, and repeat until one obtains a weak instance;
see this link by a well-known cryptologist
https://miracl.com/blog/backdoors-in-nist-elliptic-curves/
and the link given there (to another post by Bernstein).
This is possible, but speculation instead of evidence.
Newer constructions are better, but not perfect; optimally one would want
a process of "generation of public random numbers" as described here:
https://eprint.iacr.org/2015/366
> Channels are for sharing things between multiple people. The keys are for
> authenticating channels. As multiple people are involved for a channel, this
> seems to be a non-personal decision by definition.
I said "political", which fits well the setting of multiple people involved.
And I meant this in opposition to "scientific", given the lack of evidence
against the NIST curves.
Andreas