Oddbean new post about | logout
waxwing | 10 months ago (raw) | export | reply | flag +15 
 I like this detail from Dan Bernstein's 2014 takedown of ECDSA (I have to specify the year,  he's probably written like 10 others):

"DSA was "invented" by NSA's David Kravitz, according to a patent application filed secretly in July 1991. It was proposed as a standard by NIST the next month. NIST didn't admit NSA's role until after a lawsuit was filed by Computer Professionals for Social Responsibility. NIST memos state that the "reasons for the selection" of DSA are summarized in an NSA document; as far as I know, that document is still classified Top Secret."

http://blog.cr.yp.to/20140323-ecdsa.html
the axiom | 10 months ago (raw) | root | parent | reply | flag +1 
 Does this mean ECDSA might be compromised by the NSA somehow?
freeborn | ἐλεύθερος | 10 months ago (raw) | root | parent | reply | flag 
 That's the implication, from what I understand. Not an expert though.

Satoshi planned for this, actually -- for advances in cryptography -- specifically the key pair abstraction possible -- but no one has implemented it yet that I know of. I got this from Anatonoppulos (sp?).
Theory of Everything | 10 months ago (raw) | root | parent | reply | flag 
 Elliptical curve was replaced by RSA, That is 2048 bit. There is no perfect entropy, But 2048 bit is significantly more complex than 256 bit. It is possible to decrypt 256 bit by RSA 2048, But not RSA by Elliptical curve. Your encryption is safe from people without RSA encryption. This is the relevance of Multisig in Bitcoin wallets, That the time investment needs to outweigh the rewards, And you should never trust one service provider to protect you, Instead you need to mutually ensure your security through their competition.
the axiom | 10 months ago (raw) | root | parent | reply | flag 
 Are you an AI bot?
Theory of Everything | 10 months ago (raw) | root | parent | reply | flag 
 Based on my personal life? Yes. Based on being born 
No
waxwing | 10 months ago (raw) | root | parent | reply | flag 
 It's not a simple question ... blatant hack-ability is mostly not considered realistic. 2 decades of usage in the wild speaks to this. Is (EC)DSA a bit weaker than Schnorr theoretically? Yes. It has some quirks. My guess, if NSA were motivated to get this in, it was more "we'll crack a few systems here and there because this is hard to get right", but even that is a stretch. The biggest pitfalls in DSA are there in Schnorr too: bad nonce randomness. DSA has more weird special cases though, like "forgeries" that aren't real forgeries.

😄 I like this conspiracy theory: NSA paid Claus Schnorr to apply for an extremely aggressive patent so no one could use the stronger signature scheme.