A backdoored curve could be easily generated using the algorithm used to generate the NIST curves. https://bada55.cr.yp.to/vr.html The algorithm that generates a backdoored curve is very simple: Suppose the NSA (the author of the curves) knows a way to solve ECDLP in polynominal time for some rare (one in 2^32) curves. In this case, they simply keep generating the curves until they will find one that is weak to their algorithm for solving ECDLP. The computations required only take two days on a cluster of 41 GTX 780 GPUs, and was feasible to do with a cluster of specialized hardware in 1999, when the curves were generated. Neither RSA nor Curve25519 are vulnerable to similar attacks. On Mon, May 28, 2018 at 1:36 AM, Damien Miller <djm@xxxxxxxxxxx> wrote: > On Mon, 28 May 2018, Yegor Ievlev wrote: > >> Can we prefer RSA to ECDSA? For example: >> HostKeyAlgorithms >> ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 > > not without a good reason _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
