How Secure are NIST Elliptic Curves?

A recent paper from September 2015 revisits a simple [well-known] attack in which a government agency manipulates elliptic curves under the assumption that there exists (a secret) method such that a certain proportion (say 1 in a million of 1 in a thousand) of curves are weak and breakable.

No convincing method to create a weak curve is known and this paper is speculative fiction.

This comes in an atmosphere of increasing incertitudes around more or less all elliptic curves which are no longer recommended by the NSA as long term solutions. For the short/medium term then NSA also re-iterates that the suite B curves remain the safest choice with an upgrade from P-256 to P-384, this is because these curves are those which have been more extensively studied. Interestingly they do not [not anymore] recommend people who would use RSA to upgrade to ECCs, see our summary here.

Added in 2016: Here is how to generate a curve such that manipulation is much harder(!).




Leave a Reply

Your email address will not be published. Required fields are marked *