
I still doubt that there's a backdoor in the NIST curves because they're still widely used and recommended for top secret information, among other reasons.

If there were a backdoor and it leaked (or the math behind it was independently rediscovered!) the result could be catastrophic. Snowden showed that the NSA is absolutely vulnerable to leaks.




A trapdoor back door would require knowing some secret value. It is very much possible that this secret value could remain secret by not being written down in any electronic document. It would exist on some code-breaking hardware, but like the Coca-Cola recipe it could be known by only a few people in the world and still be useful.

Somewhere exists a hardware key that breaks the blockchain encryption. This is a sweet movie idea.

Seems like the typical heist movie at first, but the main action arc is just to steal the hardware key. Stealing the actual (digital) coins is then the most boring part of the film.

That's why you make the thieves be white-hats hired by the government to steal the key. Then it becomes a cloak-and-dagger affair where you have to unravel who's working for who and which side is really the bad guy.

And decrypting cryptocoins is too obscure. For maximum effect, make the key able to break all encryption.


Someone already made Sneakers.

I think that's the joke.

Yes?

When someone puts some effort into making an indirect reference like that, they appreciate their work having been noticed. That's the role my comment was performing.


We know this not to be true. The origins of the secp256k1 curve used to be nothing-up-my-sleeve numbers for the parameters which matter.

The construction of the NIST curves essentially precludes trapdoors.

It doesn't completely preclude having a purposefully weak curve based on some publicly unknown weakness... but at the same time it also doesn't preclude the curves having been selected to be stronger against some publicly unknown weakness (as was done with DES).

[Not that I'd recommend them.]


Greg, do we know that to be true of all use cases though?

Would you clarify your question a bit?

My comment was pointing out that those NIST curves like P-256 and P-224 can't have a trapdoor -- meaning a hidden secret key that allows the NSA and only the NSA to compromise the use -- in the curves themselves.

Some application of the curve could have its own trapdoor, as Dual_EC_DRBG did.


Well the NIST curves use random primes, and they're not the obvious, largest possible primes that meet the necessary security requirements. So maybe they were chosen according to their susceptibility to some unknown attack (or, charitably, their non-susceptibility). I think we agree up to this point.

But when the space of potential attacks is an unknown-unknown, can we really constrain with confidence what attacks might exist? Maybe the prime group was chosen to have some relationship to a composite group for which the NSA knows the prime factors? I know this doesn't jibe with our current understanding of number theory, but the point is it is hard to speculate about unknown-unknowns. Can we be certain that every crazy thing we think of is ruled out by our proven, not conjectured, understanding of number theory?


My post specifically pointed out "It doesn't completely preclude having a purposefully weak curve based on some publicly unknown weakness." -- just that there is nowhere to embed a secret key that only the NSA would know. The only room in it would be for narrow vulnerabilities that others could discover -- just because there aren't that many bits of control.

[As an aside, the NIST curves do not use random primes, e.g. P-256 is 2^256 - 2^224 + 2^192 + 2^96 - 1, which is a Solinas prime with a pretty obvious performance-driven structure. As is the case for all the other NIST P-whatever curves. Using primes chosen for field performance is pretty common, e.g. Curve25519 uses a Crandall prime.]
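The point made in the comment above (the P-256 prime has a fixed, published form, and every other curve parameter is public) can be re-checked offline. The following is an added example, not code from the thread or from any of its participants: it takes the P-256 domain parameters as printed in FIPS 186-4 / SEC 2, confirms the prime really is 2^256 - 2^224 + 2^192 + 2^96 - 1, that p and the group order n pass a Miller-Rabin test, that the base point lies on the curve and has order n, and that the Curve25519 prime is 2^255 - 19. It uses plain affine arithmetic for clarity (not constant-time, so it is for parameter verification only) and does not re-derive the coefficient b from its published SHA-1 seed.

```python
# Added example (not from the thread): verify that the public P-256 parameters
# are mutually consistent and that the field primes have the quoted shapes.
# Constants are the published FIPS 186-4 / SEC 2 values for P-256.
import random

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

CURVE25519_P = 2**255 - 19


def p256_prime_has_solinas_form():
    """The P-256 field prime is the sparse sum of powers of two quoted above."""
    return P256_P == 2**256 - 2**224 + 2**192 + 2**96 - 1


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test with fixed witnesses (reproducible check)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def point_on_curve(x, y, a=P256_A, b=P256_B, p=P256_P):
    """y^2 == x^3 + a*x + b over GF(p)."""
    return (y * y - (x * x * x + a * x + b)) % p == 0


def ec_add(P, Q, a=P256_A, p=P256_P):
    """Affine point addition; None is the point at infinity. Verification only."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P):
    """Double-and-add scalar multiplication (not constant-time; verification only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def p256_parameters_consistent():
    """Everything a reader can re-check about P-256 without trusting anyone."""
    G = (P256_GX, P256_GY)
    return (
        p256_prime_has_solinas_form()
        and is_probable_prime(P256_P)
        and is_probable_prime(P256_N)
        and point_on_curve(*G)
        and ec_mul(P256_N, G) is None  # G has order n
        and ec_mul(P256_N - 1, G) == (P256_GX, (-P256_GY) % P256_P)  # (n-1)G == -G
    )


def curve25519_prime_has_crandall_form():
    """Curve25519's prime is 2^255 - 19, a Crandall prime, and is prime."""
    return CURVE25519_P == 2**255 - 19 and is_probable_prime(CURVE25519_P)


if __name__ == "__main__":
    print("P-256 parameters consistent:", p256_parameters_consistent())
    print("Curve25519 prime is 2^255-19:", curve25519_prime_has_crandall_form())
```

Running the checks takes well under a second with Python's native big integers; the only non-public input to the NIST curve generation is the seed from which b was hashed, and that seed is itself published, which is what leaves "not that many bits of control" for a curve designer.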


And Shadowbrokers showed the danger of when their code and exploits get leaked.
