
A riddle wrapped in a curve - wbond
http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html
======
lisper
I just read the full original paper, and this seems like the most likely
explanation to me:

"[T]he main considerations might not have been technical at all, but rather
Agency-specific — that is, related to the difficult situation the NSA was in
following the Snowden leaks. The loss of trust and credibility from the
scandal about Dual EC DRBG was so great that NSA might have anticipated that
anything further it said about ECC standards would be mistrusted. The NSA
might have felt that the quickest way to recover from the blow to its
reputation would be to get a “clean slate” by abandoning its former role as
promoters of ECC and moving ahead with the transition to post-quantum
cryptography much earlier than it otherwise would have."

I spent >10 years working for the government, and this scenario is entirely
consistent with my experience there.

------
charrisku
As a mathematician (though not a cryptographer), I have a great deal of
difficulty trusting cryptographic protocols which have a mathematical basis.
Whether they are based on factoring, elliptic curves, or any other
mathematical concept, they always "smelled" sketchy to me for the very simple
reason that they are easy to formulate in terms of mathematical ideas, hence
naturally lend themselves to the thought process of an algebraist or a number
theorist. In short, these problems look like precisely the sort of questions a
mathematical genius would find tractable. Without any solid proof that they
are actually computationally hard to break, it seems like they are inherently
dangerous to rely upon because they look like fair game to the next Ramanujan.

I'll also go out on a limb here and say that I think the technology
community has a bias towards thinking something like "math == hard" is true,
which gives added weight towards using these same protocols. I know many people
here have deep knowledge of both cryptography and software development, so I'd
be very interested to hear other people's thoughts on these issues. Can anyone
speak about options to math-based public key algorithms, or ways to inject
some skepticism into the tech community about these algorithms, so perhaps
alternatives can start being implemented? A public key algorithm which doesn't
lend itself easily to algebraic analysis would feel much safer to me.

~~~
syntheticnature
The Discordians promulgated a code that might be a bit more mathematically
resistant. It involves this series of steps:

    CONVERSION:
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

    STEP 1. Write out the message (HAIL ERIS) and put all the vowels at the end (HLRSAIEI)

    STEP 2. Reverse order (IEIASRLH)

    STEP 3. Convert to numbers (9-5-9-1-19-18-12-8)

    STEP 4. Put into numerical order (1-5-8-9-9-12-18-19)

    STEP 5. Convert back to letters (AEHIILRS)

They assert 100% unbreakability, which isn't true, but on a sufficiently long
message one's anagram checker might give out, and then there is the task of
ordering the words so generated...

Mind you, decryption by the intended recipient is equally complex.

~~~
philh
Not 100% unbreakable in general, but I think it does pretty well in the real
world. There are plenty of messages that Eve simply can't decrypt with
complete confidence. For example, she can't tell ATTACK WILL AT DAWN from
ATTACK DAWN AT WILL. She'd have to resort to priors to guess which of those
was intended.

~~~
aparent
It is so good that even Alice can't decrypt those with confidence! :)
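The three comments above make one technical point between them: steps 1 and 2 of the Discordian procedure are undone by the sort in step 4, so the "ciphertext" is just the message's letters in alphabetical order, which is why ATTACK WILL AT DAWN and ATTACK DAWN AT WILL collide and why the intended recipient is no better off than Eve. The following Python is an added example written for this page (not code from any commenter); it runs the five steps literally on the thread's own inputs and counts how many arrangements a given ciphertext is consistent with.

```python
from collections import Counter
from math import factorial

LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
VOWELS = set("AEIOU")


def discordian_encode(message):
    """Apply the five Discordian steps literally and return a trace of each."""
    letters = [c for c in message.upper() if c in LETTERS]  # drop spaces etc.
    # STEP 1: consonants first, then all the vowels at the end
    step1 = [c for c in letters if c not in VOWELS] + [c for c in letters if c in VOWELS]
    # STEP 2: reverse the order
    step2 = step1[::-1]
    # STEP 3: A=1 ... Z=26
    step3 = [LETTERS.index(c) + 1 for c in step2]
    # STEP 4: numerical order (this discards everything steps 1-2 did)
    step4 = sorted(step3)
    # STEP 5: back to letters
    cipher = "".join(LETTERS[n - 1] for n in step4)
    return {
        "step1": "".join(step1),
        "step2": "".join(step2),
        "step3": step3,
        "step4": step4,
        "cipher": cipher,
    }


def is_just_sorted_letters(message):
    """True if the full procedure equals plain alphabetical sorting of the letters."""
    letters = "".join(c for c in message.upper() if c in LETTERS)
    return discordian_encode(message)["cipher"] == "".join(sorted(letters))


def anagram_count(cipher):
    """Number of distinct letter orderings that map to this ciphertext
    (multinomial coefficient), i.e. the size of the decryption candidate set
    before any word or grammar knowledge is applied."""
    n = factorial(len(cipher))
    for k in Counter(cipher).values():
        n //= factorial(k)
    return n


def collide(message_a, message_b):
    """Do two messages produce the same ciphertext?"""
    return discordian_encode(message_a)["cipher"] == discordian_encode(message_b)["cipher"]


if __name__ == "__main__":
    for k, v in discordian_encode("HAIL ERIS").items():
        print(k, v)
    print(collide("ATTACK WILL AT DAWN", "ATTACK DAWN AT WILL"))
    print(anagram_count(discordian_encode("HAIL ERIS")["cipher"]))
```

The mapping is many-to-one, so even with the "key" (the conversion table) no party can invert it; the candidate set only shrinks through language priors, exactly as philh describes.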

------
rockdoe
So the conclusion is that _the most reasonable theory_ is that the NSA has
made an advance on ECDLP making them believe they can get faster Pollard-Rho
(potentially n^1/3) or that they found signs the curve structures are weak?

Pretty mind blowing.

~~~
tptacek
Not really. The paper goes into much more detail, and _the most reasonable_
theory in the paper is that if you believe there are going to be practical
quantum computers in 15-20 years, there are lots of agencies and businesses
that have secrets that need more than 15-20 years of protection, so the switch
to PQ crypto needs to happen sooner than later.

~~~
rockdoe
Hmm, that's not the vibe I get.

The blog indeed doesn't say it is necessarily the most reasonable theory, but
goes in depth towards only one:

_"I’d like to focus on what I think is the most intriguing hypotheses in the
paper. Namely, that the NSA isn’t worried about quantum computers at all, but
rather, that they’ve made a major advance in classical cryptanalysis of the
elliptic curve discrete logarithm problem — and panic is the result."_

As for the viability of practical quantum computers, the original paper says:

_"If practical quantum computers are at least 15 years away, and possibly
much longer, and if it will take many years to develop and test the proposed
PQC systems and reach a consensus on standards, then a long time remains when
people will be relying on ECC. But the NSA’s PQC announcement makes it clear
that improved ECC standards (for example, an updated list of recommended
curves) are not on the Agency’s agenda."_

_"However, for such users the NSA statement recommends using an additional
layer of AES to provide quantum resistance, without waiting for quantum-safe
public-key standards. In any case, the statement is directed at the general
public and obviously is going to have a big impact in the private sector. If
the NSA had wanted to give advice that was intended only for high-security
government users, they would have done so."_

The latter paragraph seems to contradict your conclusion directly. I read the
paper as saying that in the case you describe, it would have been reasonable
for the NSA to continue ECC work while fleshing out post QC alternatives.

But this did not happen.

~~~
tptacek
The banking system is as important a target as the government.

The paper stipulates that QC might be ~15 years out.

It is the case that if QC is 15 years out, then even though there's no
immediate danger to ECC and RSA, the switch needs to happen soon, because
there are secrets that have more longevity than that.

Apart from "the banking system is important", that's not conjecture; it's just
simple logic applied to the paper.

------
paulmd
One possibility I didn't see discussed - the NIST curves are indeed
kleptographically backdoored, and someone has managed to steal the key. That's
always worried me about backdoored crypto - as advantageous as such a key
would be for the NSA, it would be absolutely catastrophic for an adversary to
get it. And if you are using it, a possibility of it being stolen inherently
exists.

The problem with this theory is that in the event of compromise you'd expect
the NSA to deprecate all of the curves, and not just P-256. It is also
possible that this backdoor is not a magic bullet, and it merely makes an
attack computationally feasible instead of decrypting it outright.

It does smell a lot more like there's been an advance in analysis, whether
classical or quantum.

~~~
tptacek
Matt Green's blog post discusses this possibility, and a plurality of the
paper is dedicated to debunking it. To explain how, I'd have to restate stuff
that's in the paper and already on this thread, so it'd be better if you just
re-read it and then said what part of the arguments you found weren't
persuasive.

~~~
paulmd
I read the Koblitz/Menezes paper a second time, and again it doesn't really
discuss the possibility of a _kleptographic_ vulnerability. Yes, it discusses
_weak_ curves and the possibility of extant or (NSA-internal) speculation of a
classical or quantum analysis technique at length - but those are
fundamentally different from a security standpoint.

A kleptographic vulnerability (one which cannot be exploited without breaking
a cryptographically strong problem) is entirely different from the plain "ECC
believed strong but actually weak" situation. Once the latter vulnerability is
known _anyone_ could break it, but the former vulnerability is strong even if
the theoretical basis for the backdoor is discovered.

It's the same fundamental difference between building a
computational-theoretical hard algorithm and security-by-obscurity. The NSA is not dumb
enough to bet on their trick remaining obscure - that stuff inevitably gets
rediscovered, whether it's 5 years or 20 years. But it's easy to precompute E
in the DUAL_EC_DRBG algorithm, while it's cryptographically strong to try and
reverse it after the fact. Trapdoor functions work like one-way secure hashes
(e.g. SHA) by design - easy in forwards, computationally infeasible (as a design
goal) in reverse.

The patent on the concept of using that as a backdoor (although not in that
exact phrasing) was filed in Jan 2005 [1] (years before the selection of the
NIST curves in FIPS 186-3) and it's reasonable to believe the NSA would know
of the existence of the backdoor since the filing at a minimum - if not
before. It was published for public comment in 2007 [1] but didn't gain much
publicity until granted in 2013(!) [2] after Snowden had gotten the disclosure
train rolling.

If you have a specific page/paragraph reference you'd like to cite: please do,
it's a topic I feel strongly about since the consequences of a compromised
kleptographic backdoor could be rather extreme for anyone who uses those
curves.

[1]
[http://www.google.com/patents/US20070189527](http://www.google.com/patents/US20070189527)

[2]
[https://www.google.com/patents/US8396213](https://www.google.com/patents/US8396213)

~~~
sdevlin
Dual EC specifies two standard curve points. The "kleptographic" back door is
the relationship between them, i.e. the knowledge of d in the equation P = dQ.
This hidden relationship was apparent to cryptographers pretty quickly, see
[http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf).

What would it mean for a curve to have a "kleptographic" back door? Only one
base point P is defined in the curve parameters, so there is no hidden
relationship to take advantage of. It is possible there are weaknesses in the
NIST curves, but if so:

1. They must lie in the curve parameters themselves, i.e. something anyone
could conceivably discover.

2. They must rely on a significant advance in ECDLP, e.g. a new class of weak
curve.
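The distinction sdevlin draws (a second point Q with a secret d such that P = dQ, versus a curve with a single published base point) is easiest to see by running the Dual EC construction at toy scale. The Python below is an added educational example, not code from the thread or from any standard: it uses the tiny textbook curve y^2 = x^3 + x + 1 over F_23 with base point (0, 1), skips Dual EC's output truncation, and keeps the scalar in 1..order-1 (a constructed simplification so that no scalar multiple hits the point at infinity). With those assumptions it shows that whoever knows d recovers the generator's internal state from a single output and predicts everything that follows, while a reader who only has the public parameters P and Q has nothing to apply d to, which is exactly the relationship a plain NIST curve does not have.

```python
import math

# Toy curve y^2 = x^3 + A*x + B over F_P_MOD; base point P_BASE = (0, 1).
# Constructed for illustration only; far too small for any real use.
P_MOD, A, B = 23, 1, 1
P_BASE = (0, 1)


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest n > 0 with n*pt = infinity (brute force; fine at this size)."""
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


ORDER = point_order(P_BASE)

# The designer's move: pick a secret e coprime to the order, publish Q = e*P,
# and keep d = e^-1 mod ORDER.  Then P = d*Q, the hidden relationship.
E = next(e for e in range(2, ORDER) if math.gcd(e, ORDER) == 1)
Q = ec_mul(E, P_BASE)
D = pow(E, -1, ORDER)


def next_state(x):
    """Toy simplification: map an x-coordinate into 1..ORDER-1."""
    return 1 + x % (ORDER - 1)


def dual_ec_step(s):
    """One generator step: output r = x(s*Q), new state = x(s*P)."""
    r = ec_mul(s, Q)[0]                          # published output (untruncated here)
    return next_state(ec_mul(s, P_BASE)[0]), r   # internal state advances via P


def mod_sqrt(a):
    """Square root mod 23; valid because 23 = 3 (mod 4) and a is a square."""
    return pow(a, (P_MOD + 1) // 4, P_MOD)


def recover_next_state(r):
    """Holder of d: lift the output r to a curve point R with x = r (R is s*Q or
    its negation; both give the same x(d*R)), then x(d*R) = x(s*P) is the next state."""
    rhs = (r ** 3 + A * r + B) % P_MOD
    R = (r, mod_sqrt(rhs))
    return next_state(ec_mul(D, R)[0])


def demo(seed=3, steps=4):
    """Run the generator, then predict all later outputs from the first one alone."""
    s = 1 + seed % (ORDER - 1)
    s, r0 = dual_ec_step(s)
    actual = []
    for _ in range(steps):
        s, r = dual_ec_step(s)
        actual.append(r)
    s_hat = recover_next_state(r0)               # needs D; public P and Q do not suffice
    predicted = []
    for _ in range(steps):
        s_hat, r = dual_ec_step(s_hat)
        predicted.append(r)
    return actual, predicted


if __name__ == "__main__":
    print("order of P:", ORDER, " e:", E, " d:", D, " Q:", Q)
    print(demo())
```

In the real generator the 16 dropped output bits mean the attacker tries about 2^16 candidate points per output, and on a production curve the lifting and scalar multiplication are the same operations at full size; none of that changes the structure shown here. Remove Q and there is no d to know: a weakness in P-256 would have to live in the curve parameters themselves, as the comment says.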

------
jfindley
This is deeply alarming, and (at least to me) very unexpected.

For the minute I'm assuming that we shouldn't be changing anything right now -
it seems a bit drastic to immediately abandon ECC right now based on this -
but this is only my assumption. I'm waiting hopefully for more comments on
this from the crypto community.

------
vox_mollis
cperciva vindicated?

edit: For context, Colin has maintained a conservative position regarding ECC
for quite some time now.

~~~
tptacek
No. The crypto Colin advocates for also falls to QC.

~~~
vox_mollis
The article discusses the hypothesis that the NSA has broken ECC classically,
and is lying to us.

But conspiracy theories aside, does 3072 bit RSA fall along with 256 bit ECC
with the same quantum difficulty? Don't you have to have coherence of
substantially more qubits in the former case?

~~~
pbsd
Loosely speaking, you need n + epsilon qubits and 4n^3 operations to break
RSA-n, whereas you need ~6n qubits and 360n^3 operations to break ECC-n. For n
= 256, you need around 1536 qubits, whereas you need _at least_ 3072 for
RSA-3072.

This suggests a criterion to reject P-256: it needs fewer than 2048 qubits to
break. P-384 is above this threshold, at around 2.5k qubits. Hey, it's as good
speculation as any.

~~~
api
Does this mean that barring a quantum-hard alternative we could get
_effectively_ quantum-hard crypto by using crazy key sizes like RSA-131072 or
ECC-4096?

~~~
pbsd
Yes, though it would be quite impractical. See for example
[http://cr.yp.to/talks/2010.05.28/slides.pdf](http://cr.yp.to/talks/2010.05.28/slides.pdf)

~~~
Tomte
"Key almost fits on a hard drive" :-)

------
zmanian
It seems likely in a post-quantum computing world, we will have signatures and
key exchange protocols at least good enough for software signing and secure
communications.

But ECC has many ancillary properties for constructing homomorphic and zero
knowledge proof based systems that don't have a post-quantum equivalent.

~~~
JoachimSchipper
Lattice cryptography - although I wouldn't want to rely on it in 2015 - is
quite flexible and does support such advanced systems. Also, homomorphic
encryption and zero-knowledge proofs are almost entirely unused (and, due to
the enormous overhead of FHE in particular, unusable) in practice. We'll deal.

------
yuhong
Still it is pretty interesting that NIST P-224 has weaknesses that the other
ones don't. I wonder why?

------
api
Is NIST P-256 the same curve that Bitcoin uses?

[https://en.bitcoin.it/wiki/Secp256k1](https://en.bitcoin.it/wiki/Secp256k1)

Edit: NO, but it's a relative and has a similar background.

Bitcoin is an interesting player here because it's in effect the largest bug
bounty in history. If someone could crack it, they could _slowly_ manipulate
its price and bleed money out of the Bitcoin ecosystem to the tune of
(conservatively) tens of millions of dollars before someone noticed that
something more than a Bitcoin price crash was occurring. I'd assume that
anyone sophisticated enough to actually break Bitcoin would also be
sophisticated enough to use that break to do this by e.g. cracking wallets and
slowly draining them or creating price-manipulating transactions.

So I'd expect any leakage of an ECC break that was actually practical to use
in the real world (as opposed to an 'academic' break) to show up in the form
of an enigmatic draining of the Bitcoin piggy bank.

~~~
lisper
> they could slowly manipulate its price

How? The only way you can drive the price of bitcoin (relative to some other
currency) is to buy or sell it for that currency. You can't manipulate the
price simply by moving bitcoins around.

What you could do, of course, is drive the price down by making it known that
BTC had been cracked. You could probably even do this so that it played out
over a period of days before people were really convinced it was cracked and
the whole ecosystem collapsed. But it's hard to see how anyone could profit
off this. AFAIK there's no way to short bitcoin.

