On Mon, Sep 21, 2015 at 12:53:08PM -0700, Alice Wonder wrote:

On 09/21/2015 03:58 AM, Peter Fairbrother wrote:

...

...

secp112r1 : SECG/WTLS curve over a 112 bit prime field secp112r2 : SECG curve over a 112 bit prime field

Yes. Pwnable.

I did not ask the question but thank you for your answer. I was a math major back in the early 90s but never really went that way career wise, but with the weak DH parameter revelations this topic has suddenly become a lot more interesting to me, and clearly I have a lot to learn. It is nice to see answers like yours that I can at least somewhat comprehend without hours of research.

And I think that is part of the problem, while all programming involves some math, most of us do not have good enough of a grasp of cryptography to understand when we are doing something that can be broken or circumvented.

(CC'ing cypherpunks@cpunks.org for trolling reasons). Your argument raises the question about the soundness of the so called ``theory of many eyes''. libressl/openssl ship elliptic curves of low quality, and they can be detected by man documented command. The low quality of the curves can be checked by going to wikipedia's page about ECC dlog records. AFAICT they probably implemented backdoored RFC (don't know if they knew it is backdoored). This raises the question about more obscure features buried in, say, obscure macros, misleading comments, etc. No math knowledge required, but the low quality curves are weaker that the backdoored DSA via generic dlog attack, unless DSA allows much faster dlog in the small subgroup by exploiting the sub-exponential attack of dlog modulo $p$ (or some other attack).