Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]

Henrick Hellström <> Fri, 27 December 2013 20:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F16CB1AE555 for <>; Fri, 27 Dec 2013 12:58:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.45
X-Spam-Level: *
X-Spam-Status: No, score=1.45 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Acux-dL-HLan for <>; Fri, 27 Dec 2013 12:58:56 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id C0F511AE554 for <>; Fri, 27 Dec 2013 12:58:54 -0800 (PST)
Received: from (unknown []) by (Halon Mail Gateway) with ESMTP for <>; Fri, 27 Dec 2013 21:58:47 +0100 (CET)
Received: from [] ( []) (Authenticated sender: by (Postfix) with ESMTPSA id 9E5A011CE66 for <>; Fri, 27 Dec 2013 21:58:47 +0100 (CET)
Message-ID: <>
Date: Fri, 27 Dec 2013 21:58:24 +0100
From: =?UTF-8?B?SGVucmljayBIZWxsc3Ryw7Zt?= <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Dec 2013 20:58:58 -0000

On 2013-12-27 21:43, Dan Brown wrote:
>> We have confirmation of RSA (inadvertently or not)
>> >accepting money to put a EC_DRBG as a default.
> My conclusion was regarding the standards, per se, not about
> implementations. I was not drawing any conclusions about implementations.

I think that is a mistake. It is a problem if a library that is widely 
used and even got certified, are using default parameters that are 
potentially backdoored. The relevant question isn't whether *any* 
standard compliant implementation will have a backdoor, but if it is 
possible to have a backdoor in an implementation and still get it certified.

That said, I am not entirely convinced NSA actually intended to put a 
backdoor in Dual EC DRBG, or rather, that this standard was part of the 
SIGINT enabling program. For all I know, it could just as well be a case 
of them generating the parameters randomly because they for some reason 
didn't trust the usual binary expansion of pi approach.