In light of the NIST Dual EC DRBG scandal, I was intrigued by a NIST slide (slide 9) that said the two points P and Q can be chosen so that the chooser can prove they don't have a backdoor. This seems rather magical to me, so I'm looking for some more information. I'm assuming they're referring to something more substantial than "nothing up my sleeve", which is hardly "proof". Do Safe curves or Koblitz curves have this property?
1 Answer
You need to clearly distinguish between the DualEC DRBG algorithm and the elliptic curves over which it is defined.
The backdoor in DualEC DRBG needs the attacker to choose P and Q such that they know the scalar $k$ for which $P=kQ$. Pretty much any algorithm which fixes both public keys at the same time without going through private keys is fine. For example you could choose the hex expansion of $\sqrt{2}$ and $\sqrt{3}$, or SHA2(x), SHA2(x+1). This is pretty similar to nothing-up-my-sleeves numbers, but the requirements are pretty weak, since the only thing you need to prevent is the attacker knowing $k$.
Backdooring curves is an entirely different matter. You start with the conjecture that NSA knows a certain fraction of weak curves and tries to choose one of them. To avoid this, the curve must be as rigid as possible, i.e. allow as little choice to the designer as possible. This is where "safecurves" fare better than the common NIST curves. So your question about "safecurves" having this property misses the point.
The only coupling between the DualEC DRBG backdoor and the choice of curve I can think of is choosing the curve parameters so that particular points have a known relation. I don't know if that's possible at all, but I expect this to require a lot of freedom in choosing the curve, more freedom than even the NIST curves have. Preventing this attack is easy: just include the serialization of the curve parameters in the inputs of the hash used to derive the points.
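As an added example, not part of the answer above, here is a Python sketch of the derivation the answer describes: both points come from a hash whose input commits to the curve parameters and a label, using a try-and-increment encoding of the hash output to an x-coordinate, so nobody ever holds a scalar $k$ with $P = kQ$. The curve is NIST P-256 (public parameters); the domain-separation string, the labels `P`/`Q` and the counter width are my own assumptions, not anything from SP 800-90A.

```python
import hashlib

# NIST P-256 domain parameters (public, from FIPS 186-4). The cofactor is 1,
# so every point on the curve already lies in the prime-order group.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
}

def serialize_curve(curve):
    """Fixed-width big-endian encoding of (p, a, b): the hash input commits to the curve."""
    return b"".join(curve[k].to_bytes(32, "big") for k in ("p", "a", "b"))

def is_on_curve(curve, pt):
    p, a, b = curve["p"], curve["a"], curve["b"]
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0

def derive_point(curve, label, max_tries=256):
    """Try-and-increment: hash (tag || curve || label || counter) to a candidate x
    until x^3 + ax + b is a square mod p. Since p = 3 (mod 4), the square root is
    rhs^((p+1)/4); the smaller root is taken so the designer has no choice left."""
    p, a, b = curve["p"], curve["a"], curve["b"]
    assert p % 4 == 3  # the square-root shortcut below only holds for such primes
    for counter in range(max_tries):
        msg = (b"DualEC-point-derivation" + serialize_curve(curve)   # assumed tag
               + label + counter.to_bytes(4, "big"))
        x = int.from_bytes(hashlib.sha256(msg).digest(), "big") % p
        rhs = (x * x * x + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if (y * y) % p == rhs:
            return (x, min(y, p - y))
    raise ValueError("no curve point found within max_tries")

def derive_dual_ec_points(curve=P256):
    """Both generators from the same public recipe; neither is a multiple of the other
    by any scalar the deriver knows."""
    return derive_point(curve, b"P"), derive_point(curve, b"Q")
```

About half of all x values are valid coordinates, so a handful of counter values suffice; changing any curve parameter changes the hash input and therefore both points.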