Elliptic Curve Back Door – Computerphile

July 22, 2019


Yeah, we talked about elliptic curves and how we can use them as a sort of drop-in replacement for the mathematics in things like Diffie-Hellman key exchange and the Digital Signature Algorithm and so on. There's another interesting story that people are asking me to talk about, which is the story of the Dual EC DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator, which is a pseudo-random generator for generating random numbers.

Most of the time when you do programming, you don't need something that's truly random, right? If you're writing a computer game and you need the AI to act in a kind of unpredictable way, a normal general mathematical random number generator, that just moves some bits around and produces numbers between a minimum and a maximum, should be fine. For cryptography that is not the case. For cryptography, what you need is to not be able to predict anything to do with what it's going to output; it needs to be as random as you can get, and of course the problem with computers is they aren't random. They don't operate in a random way. So if I produce any mathematical function or any logic circuit that produces something that looks random, the problem is it isn't actually random.

What a normal operating system will do is combine an actual source of randomness, so for example the decay of a radioactive isotope, or my mouse clicks, which are kind of random, or my typing, the pace of which is a bit odd, and it'll combine that actual randomness with something that produces a very long stream of random bits for use by applications on a machine like this. These are called cryptographic random number generators. We're not talking about the actual randomness today; we're talking about the generators for generating these random bits. But they're used all the time: if you perform a handshake on the Internet, you're going to be generating a random number used once, you're going to be generating the private part of a Diffie-Hellman key exchange, and so on. So these need to be unpredictable. If I can predict your private Diffie-Hellman key, then I can just get straight in on your conversation. That's not a good thing.

The way a random number generator like this normally works is a bit like this. So we have some kind of state, which we'll call s, and that's the current internals for our random number generator, and that is a secret. Now, this is seeded based on real random data, so for example the keyboard taps or the hard disk latency and things like this on a computer. Now what we do: I ask this random number generator to generate some random bits for me, and it passes this state through a function G, which is a one-way function like a hash function, and this produces some seemingly random bits, which I can use in my application for something secure. Now, if I ask it to produce G of s again, it's going to be the same thing; the hash is always the same. So what happens is, at this point, we pass s through another function, f of s, and it comes back down here to be s plus 1, and so the state gets updated. This is in general what a random number generator will do. So we seed the random number generator with something actually random, and we keep doing that whenever we can, but it doesn't happen all the time, and then we can update the state and we can generate random bits as required. Now, usually these are different functions, but often hash functions are what we use; the reason is because it has to be one way.

What we absolutely want to make sure is that I can't work out, as an attacker, what this state is, because if I can, I can predict the next random value you're going to generate. That could be your password that you're generating on your password manager. So I've seen this output; this is something you sent in the clear, let's say a random number or something, I've seen it. Can I calculate what the state is? Well, no, because to do that I have to reverse this one-way function, this hash function. So I can't do it. I'm stuck here. That's the idea.

Now, in the early two-thousands, the National Institute of Standards and Technology in the US published a list of four new random number generators, the idea being that these would be adopted by the kind of key players who are actually building these libraries, like OpenSSL. So most of these were kind of standard, like what I'm showing you here; one of them was based on elliptic curves and was a little bit unusual, and so it kind of piqued everyone's interest, and when I say piqued, I mean suspicion at the time. This was called the Dual Elliptic Curve DRBG, which I'm going to call Dual EC from now on, otherwise I'm going to get very tongue-tied. It works very much like this, using elliptic curves.

Just to remind you, when we talked about elliptic curves, an elliptic curve looks a bit like this, and it has a formula of the type y² = x³ + ax + b. The idea is that this can be used to perform a one-way function like our hash. If we have a point P here on our curve, we can produce a multiple of P, let's say here, which is aP, and if I give you that, you can't tell me what a was, right? That would be solving the elliptic curve discrete log problem: very, very difficult. Right, that's all we really need to know about the mathematics for this particular one. So we could replace these two one-way functions with these elliptic curve functions, this point addition, and kind of get the same kind of structure going. And the nice thing about it, if it worked, would be that this is kind of mathematically provable in some sense, because we know how difficult this problem is; we don't know for sure what the difficulty of this hash function is, because no one's broken it yet, right? We all thought SHA-1 was unbreakable, and then what happened? All right.

So how does Dual EC work? So we have our two random points on our curve, right, P and Q. It doesn't matter where they are for this example; they're just points on the curve, so those each have an x and a y coordinate. We have a state for our random number generator, s. That is not a point on the curve; it's just a number. So what we do: we want to use s to generate some random bits, but then we also need to update the state, and the state has to remain secret, remember. So the first thing we do is we calculate sP. All right, so we're moving P around the curve s times, and that gives us our r. r is just the x coordinate of this; so this is going to be a point on the curve, we take the x coordinate, and that's our number. Now, r is sort of an intermediate variable; we're going to use it to generate our random bits. So we calculate rQ, and we take the x value, so (rQ)_x in some sense, and we scrap the first 16 bits of that: we take the least significant bits of that, from 16 to the end. I'm using sort of Python notation. What sort of size in bits is that number? They're going to be approximately 256 bits, because they're modulo a 256-bit prime on this particular curve. Now, this has been our random number. Right, so far so good; we've got some random bits out. We then pass r through P again, so we compute rP, and that produces our new s, by taking just the x coordinate again.

So what we've got is the exact same framework that I showed you at the beginning. We've got a state; we update the state by moving it around the elliptic curve a bit and taking just the x coordinate, but we also can output some bits. In principle, this is not a terrible idea for a random number generator, except that actually this is much slower than a normal hash-based one, by about a thousand times, right, which, for someone who really cares about security, maybe they would be able to accept. But in fact there are some other bigger problems with this that mean that the thousand times is really the good part of the deal, in some sense.

Remember that the whole point of this is that if I get this in the clear, I can't reverse it to find this internal state. The reason I can't do that is because, first of all, I don't know what rQ was, and even if I did, I can't go backwards through this to find r and then go this way, right? So we can't reverse that, because that is a one-way function, remember, just because of the elliptic curve problem. If I was an attacker, how might I attack this? Well, the first thing to notice is that 16 bits is not actually very many. So I can brute force through the possible rQ's quite quickly: 2 to the 16 operations, 65,000 operations; even on a laptop that's not going to take very long. So I go through and I find all the possible x's for this random data, and only some of them are going to adhere properly to that elliptic curve formula, where we can find an actual y that goes with them. All right? So let's say we go from 65,000 to 10. We have 10 candidates. That's a real problem. So we've found that rQ; that alone wouldn't actually be much of a problem. So then the question becomes, can we reverse this discrete log problem and find our way into this state, which would be a huge issue? And the answer is: if these two are random, no, we can't do that. All right, if P and Q are truly random, we have to brute force it. We have to start with r = 1: doesn't work; r = 2: doesn't work. And how many of those are there? 256 bits' worth, which is not... Yeah, it gets a bit more complicated, in that not all points are valid on the curve and so on, but it's a lot of them.

Now, what if there was a secret mathematical relationship between them? Would that change anything? What if P was actually equal to some multiple of Q, like this? Now, it would be very difficult to prove that, because if we can't solve that problem, we'd have to find that e by brute force and go, "oh, there is a relationship between the two, brilliant." Right, we don't know. But the problem was that when this standard came out, it was implied that the NSA were the ones that generated these points, and they did not explain how they did it. You remember the video on nothing-up-my-sleeve numbers: "let's pick a number at random, I don't know, 24," and then did some trick with it; you think, well, that's great, but clearly 24 wasn't random. There's something up the sleeve. We're not sure about it.

If this is true, if there's a secret e which we can multiply by Q to get to P, then here's what happens. We have rQ, because we've derived it from the bits here. All right, we can calculate e, our secret e, times rQ; it's associative, so it's actually r times eQ. eQ is P, so we've got rP, which is this, and we've calculated the internal state. Right, this should be impossible: to go backwards from here to get to here. It's trivial if we know this secret e. Right, which is kind of worrying.

What's more interesting about this, it's not so much the mathematical backdoor that could exist, it's whether it exists. No one knows. And what happened when this NIST standard was announced? So when it was announced, cryptographers said, well, first of all, this is not enough bits you're cutting off here, right? There's a slight bias in the output. We don't like it. It doesn't look random enough. That's a problem. It's a thousand times slower. That's a problem. All right, NIST didn't worry too much about this. They said it's fine, we're going to put it in. Then in 2007, Dan Shumow and Niels Ferguson from Microsoft did a short talk explaining that this backdoor could exist. You know, that should have killed this off straight away, but the problem was that it was an agreed standard, and it was starting to be implemented in some of these libraries. And that's deeply concerning. We don't know whether this exists; hypothetically it could, all right, but no one can find this e, so how can we know? But then the Snowden leaks came along, and it looks even more suspicious: money was changing hands between the NSA and companies to have them install this as their standard for random number generation. That's deeply suspicious, and so the strong opinion, I should say the consensus, of the cryptographic community is that this is indeed a backdoor. Someone knows that e, but it isn't me, and we don't know for sure, but it's a really interesting issue, because there could be a backdoor, but there might not.

Now, of course, when you're using this you can generate your own P and Q, and then it hasn't got a backdoor, well, unless you put it in yourself. But the interesting thing was, in the NIST standard they said you have to use this P and Q; if you don't, we won't give you FIPS accreditation for being extra secure, which is also suspicious. So it's a really interesting read, if you read the history of this. People were coming up with problems; they were publishing papers saying that's not right, and they were being ignored, and the standard was put through anyway, which is, you know, very interesting.
...mathematics to do with lines and the tangent of this curve. It's actually not very complicated. The point is, what we're doing, by multiplying G by both numbers, or adding it to itself, this point addition, is moving around this curve.
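The construction described in the video, as an added example that is not part of the original video or of any real Dual EC implementation: a toy-scale model over the constructed curve y² = x³ + 2x + 2 mod 17 (prime order 19, generator G = (5, 1)), with 2 high bits dropped from each output instead of the standard's 16. The function names (dual_ec_step, state_candidates, confirm, demo), the hidden scalar e = 3 and the seed 5 are all assumptions made for this example. It shows the point the video makes: with honestly random P and Q the truncated output tells you nothing about the state, but when P = eQ, anyone holding e turns the 2^TRUNC_BITS candidate x-coordinates into the next internal state with a single scalar multiplication, which is why unexplained constants in a standard matter and why generating your own points, as the video suggests, removes the issue.

```python
# Added example (not from the video): toy-scale model of the Dual EC DRBG
# structure over the constructed curve y^2 = x^3 + 2x + 2 mod 17, which has
# prime order 19 with generator G = (5, 1). Everything here is toy-sized.

P_MOD = 17          # field prime (constructed; the real curve is ~256 bits)
A, B = 2, 2         # curve coefficients (constructed)
G = (5, 1)          # generator of the order-19 group
TRUNC_BITS = 2      # toy stand-in for the 16 high bits Dual EC discards
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS   # 3 output bits per step


def inv(v):
    """Modular inverse in F_p (p prime)."""
    return pow(v % P_MOD, P_MOD - 2, P_MOD)


def on_curve(pt):
    if pt is None:                     # None is the point at infinity
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition; None is the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                    # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD          # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = None, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def xcoord(pt):
    if pt is None:
        raise ValueError("hit the point at infinity; scalar too large for toy curve")
    return pt[0]


def dual_ec_step(s, P, Q):
    """One step: r = x(sP); output = low bits of x(rQ); new state = x(rP)."""
    r = xcoord(mul(s, P))
    out = xcoord(mul(r, Q)) & ((1 << OUT_BITS) - 1)
    s_next = xcoord(mul(r, P))
    return out, s_next


def sqrt_mod(n):
    """All y with y^2 = n mod p (brute force; fine at toy size)."""
    return [y for y in range(P_MOD) if (y * y - n) % P_MOD == 0]


def state_candidates(out, Q, e):
    """What one truncated output reveals to whoever knows e with P = e*Q.

    Enumerate the 2^TRUNC_BITS possible full x-coordinates, keep those that lie
    on the curve, lift each to a point R = rQ, and compute e*R = r*(eQ) = rP,
    whose x-coordinate is the generator's next state.
    """
    cands = set()
    for x in range(out, P_MOD, 1 << OUT_BITS):
        for y in sqrt_mod(x ** 3 + A * x + B):
            cands.add(xcoord(mul(e, (x, y))))
    return cands


def confirm(cands, next_out, P, Q):
    """Keep only candidate states whose predicted next output matches."""
    return {s for s in cands if dual_ec_step(s, P, Q)[0] == next_out}


# Constructed parameters: Q is the generator and P = e*Q with hidden e = 3.
E_SECRET = 3
Q_PT = G
P_PT = mul(E_SECRET, Q_PT)             # (10, 6)


def demo(seed=5, steps=3):
    """Run the toy generator, then recover its state from outputs plus e."""
    outputs, s = [], seed
    for _ in range(steps):
        out, s = dual_ec_step(s, P_PT, Q_PT)
        outputs.append(out)
    cands = state_candidates(outputs[0], Q_PT, E_SECRET)
    cands = confirm(cands, outputs[1], P_PT, Q_PT)
    return outputs, cands


if __name__ == "__main__":
    outs, recovered = demo()
    print("outputs:", outs, "state after step 1 recovered as:", recovered)
```

The curve is so small that the generator cycles after two steps (state 5 to 7 and back), which is fine for illustrating the algebra but is also a reminder that nothing about the toy sizes carries over to the real P-256 parameters: there the 65,536 candidate x-coordinates and the 256-bit state are what make e the only practical way in, exactly as the video describes.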

100 Comments

  • Reply finlay February 16, 2018 at 5:43 am

    This man is my hero

  • Reply Valle Marx February 16, 2018 at 6:47 am

    "Computers don't operate in a random way."
    Ever used Windows?

  • Reply PixelPhobiac February 16, 2018 at 8:31 am

    That's why Bitcoin is using a non-standard"nothing-up-the-sleeve" elliptic curve

  • Reply Griswold27 February 16, 2018 at 9:30 am

    ya, our government isn't known for wanting to let people have their privacy, same as our corps. I try not to be paranoid but I will still take the time to learn cyber security so I can implement it myself

  • Reply Cmdr Benkai February 16, 2018 at 9:49 am

    Socially engineered hacking works because Humans are lazy.

  • Reply Joe Chief February 16, 2018 at 9:58 am

    Can you guys cover the new deeplearning based face swap thing? After watching your video on generative adversarial networks I'm curious what combination of networks was used to make faceswapping work…

  • Reply Jivan Pal February 16, 2018 at 10:29 am

    Is this comparable to the potential for a backdoor in the prime256v1 / P-256 / SECP256R1 / [insert alternative name here] elliptic curve? Are the technical details different? Part of me thinks you already did a video on that, actually…

  • Reply Anthony Salvatore February 16, 2018 at 1:55 pm

    El is the ruler of this MATRIX of the computer cube of Saturn

  • Reply Geo February 16, 2018 at 2:55 pm

    As an end user what can I do to make sure none of my devices and programs are using dual ec drbg?

  • Reply Wanders Gion February 16, 2018 at 3:33 pm

    NIST were also the ones tasked with explaining the structural collapse of the World Trade Center buildings for the 9/11 Commission Report.

  • Reply KX36 February 16, 2018 at 6:42 pm

    Might just be a case of Hanlon's razor…

  • Reply Jay Wilkins February 16, 2018 at 6:46 pm

    Being slow can be an advantage. It makes brute force attacks harder.

  • Reply Martin Ninov February 16, 2018 at 7:53 pm

    It's too dodgy to be a coincidence.

  • Reply Samuel Vidal February 16, 2018 at 9:19 pm

    2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 a looooot

  • Reply Colin Taylor February 16, 2018 at 10:26 pm

    9:42

  • Reply Chris Craven February 16, 2018 at 10:29 pm

    Best quote I heard was 'Random number generation is too important to be left to chance'

  • Reply Edward Doernberg February 17, 2018 at 4:21 am

    ok, I clearly missed something about the nature of P and Q.
    if you know e such that P=eQ you have a back door. and the standard P and Q are known.

    why can't you solve e=P/Q

  • Reply mkaatr February 17, 2018 at 4:41 am

    When I was in college our security teacher could not explain most of the things well. I find these videos very educational and interesting. Thanks for explaining these 😆😆😆

  • Reply highkari February 17, 2018 at 6:08 am

    Epic! Thank you for the video.

  • Reply Koen Th February 17, 2018 at 10:50 am

    I notice you are writing on the chain paper that was used much for line printers 2 or 3 decades ago. Is this still used today, or did you have tons of the stuff left over from those days? (I remember using those as a music score!)

  • Reply Naté Slough February 17, 2018 at 3:18 pm

    Do a video on 0x5F3759DF.

  • Reply Bananenbrot February 17, 2018 at 5:02 pm

    Great idea: why symbols like the one from the Indian telugu language can break an app on Apple devices. And why this bug happens all the time.

  • Reply tomaten salat February 17, 2018 at 7:04 pm

    So, who is actually using this method with the given value?

  • Reply Dan D February 17, 2018 at 7:20 pm

    ahh p = np, the million dollar question…

  • Reply elraviv February 17, 2018 at 10:03 pm

    A very important point you forgot, NIST Removed that Algorithm from the list of Random Number Generator back in 21-Apr-2014, so it is not used anymore.

  • Reply macronencer February 18, 2018 at 1:12 pm

    The concept of multiplying a point on the curve by some number to get another point on the curve wasn't fully explained here, and seems incoherent to me. How would one do that?

  • Reply staindk February 18, 2018 at 2:15 pm

    Dr Pound's hand gestures in this video are so… man this sounds weird… but they're so nice to watch hahaha

  • Reply Alex Holker February 18, 2018 at 5:41 pm

    In other words: if there may or may not be a backdoor, but the NSA is showing an awful lot of interest in the alleyway behind the building, there's probably a backdoor.

  • Reply Krzysztof Szumny February 19, 2018 at 6:31 am

    Guys, could you consider putting your stuff on Steemit or on DTube? Both services are based on the decentralized blockchain Steem. It would be great to have you there 🙂

  • Reply Eben Cowley February 19, 2018 at 6:39 am

    So is there a way to ensure that our systems don't use elliptic curve cryptography? Or would that require that everyone we exchange information with also not use it?

  • Reply David Parry February 19, 2018 at 12:37 pm

    Maybe… this was an 'obvious attempt' to divert attention from a genuinely clever backdoor in another security system in the same round of releases.
    'Burying the Bad News' is an old security services trick, after all…

  • Reply Draugo February 19, 2018 at 5:08 pm

    "Here, you must use this key and lock I provide, otherwise we won't agree that your house is safe. By the way we made this key and lock but we promise we didn't make a copy of this key"… right, doesn't sound suspicious at all.

  • Reply freeman account February 20, 2018 at 2:00 am

    Dr P, watch out for the men in black, they don't like snitches.

  • Reply Jimme Reashu February 20, 2018 at 7:54 am

    One thing I didn't understand: If there is a recommendation for P and Q, how can it be hard to find their quotient? Why does it even need to be "found"?

  • Reply Cruzer February 20, 2018 at 1:01 pm

    Get your tinfoil hats boys!

  • Reply Firaro February 21, 2018 at 2:12 am

    Why is it hard to check if one is a multiple of the other? Is it because it is modular arithmetic?

  • Reply Kenichi Mori February 21, 2018 at 10:04 am

    Point Proof

  • Reply Chris Contact February 22, 2018 at 7:43 am

    The interesting thing would be if say the NSA got gaming vendors to push it on lotteries. Forget the mob running numbers, how about the NSA? At least somebody has the winning numbers.

  • Reply Jan Michael Vincent February 22, 2018 at 1:24 pm

    Dr Pound ❤️❤️❤️❤️

  • Reply MrWicked505 February 28, 2018 at 11:16 pm

    Can you explain how the symbol in the iPhone works the one where it crashes the messenger and any app that had keyboard use.

  • Reply Samy Lemzaoui March 1, 2018 at 2:02 pm

    I really wanted to keep on watching this video but I can't stand how he replaces all the "th" sounds (like in "the") by "v" sounds …

  • Reply Simona de André March 6, 2018 at 3:32 am

    I have been watching Dr Pound's videos for quite a while now on this channel and I must say I love the way in which he explains things. Please convince this man to also explain other things like political stuff or so! I know he might not be an expert in those fields, but I feel like computer scientists might have a super logical take on things. (And I just love his voice. <3)

  • Reply kori228 March 6, 2018 at 8:55 pm

    lol Dual EC turns into Julie C in the subs.

  • Reply Ioo Ooi March 7, 2018 at 12:51 am

    At an angle looks like he has fancy moustache.

  • Reply Odd-Ramon H.Steen March 12, 2018 at 10:36 pm

    Great video, great channel! I don't understand half of the things described (wish I had a bigger interest in mathematics as a kid) but somehow I can follow the principles mentioned. Thanks, and keep posting!

  • Reply joe1987uk March 20, 2018 at 8:05 pm

    Hi Dr Pound. Can you do a video on Hellman tables and time-memory trade-offs, please?

  • Reply oldcowbb March 22, 2018 at 8:41 pm

    the subtitles say "ah" every time he says "R"

  • Reply Bechir Mihoub April 1, 2018 at 1:48 pm

    no chicks lol

  • Reply Mats Eriksson April 4, 2018 at 10:34 am

    0:50 "The problem with computers is they aren't random. They don't operate in a random way."
    WHAT???
    The problem with MY computer is that is it IS random.
    It does all kinds of stuff I can't predict all the time!

  • Reply Michael Zumpano April 14, 2018 at 6:38 pm

    Dr. Pound, could you please do a video on security tokens? I trust your videos to get the details right. Most of the videos on security tokens discuss selling features or legal basis. I’m interested in understanding the mechanics and limitations of the model. Sort of like what you did with these excellent videos on elliptic encryption.

  • Reply crashnburn1987 April 21, 2018 at 1:54 pm

    So I guess you could say the NSA should really watch its Ps and Qs…

  • Reply Bryan W April 23, 2018 at 3:53 am

    if i tell you the answer to e, can you guarantee my safety?

  • Reply Sebastian J May 8, 2018 at 6:48 pm

    Wow, dot printer paper still exists.. 😛

  • Reply David Gordon May 11, 2018 at 10:26 pm

    No videos from Mike for a while now??

  • Reply Bernd P May 16, 2018 at 12:46 pm

    since computers take counters, regular clock speeds and therefore time-dependent states into account it is actually difficult to guarantee absolute randomness for parameters. Of course if a random generator seems to be deterministic in any way (dependent calculation times for specific bit lengths is enough – timing attacks) it is to be discarded.

  • Reply James Palmer May 24, 2018 at 11:40 pm

    What's this used in?

  • Reply SoCalFreelance June 10, 2018 at 3:48 am

    Interesting that elliptic curve is also used in bitcoin which many suspect is also a product of No Such Agency (i.e. 1996 white paper)

  • Reply Rob Fielding June 12, 2018 at 6:38 pm

    When I worked at NFR Security, we had a co-worker Jason Wright (immortalized in the Wikipedia page on IPSEC). He was an OpenBSD-associated dev that wrote our ethernet drivers. He was publicly accused of inserting code into OpenBSD to weaken its random number generator on behalf of the FBI. We came in that morning, and he had to make a public statement about how it was a nonsense accusation. All his commits to OpenBSD were given strong scrutiny. I think there were minor bugs found in the commit, but no clear evidence that he managed to break random number generation in OpenBSD.

  • Reply Karl Muster June 15, 2018 at 5:23 am

    The answer is 42.

  • Reply Black Hermit June 22, 2018 at 12:18 am

    I like dodgy elliptic curves! Please make your offer.

  • Reply Willow Cardinal June 24, 2018 at 7:44 am

    I know a few ladies with curvy back doors lol

  • Reply LexVale July 7, 2018 at 10:16 am

    I learn so much from your channel. thanks for just being here 😀

  • Reply johan Larsson July 13, 2018 at 10:14 am

    Conspiracy theories…. This one sounds plausible

  • Reply John von Horn July 15, 2018 at 9:23 pm

    The NSA is minding its P's and Q's

  • Reply Rahul Samanta August 1, 2018 at 12:04 pm

    The best teacher in cryptography. Can we have more Dr. Pound videos please? 😁🙂

  • Reply sdf wer September 7, 2018 at 11:33 am

    NIST: we did not find any evidence of 'e' in our design process
    Mike: did you look?
    NIST: um well no not really

  • Reply Hassan Selim September 13, 2018 at 11:00 pm

    I read somewhere that Bitcoin uses different P & Q in its elliptic curve calculations, which would be interesting!

  • Reply Dan Reznik September 27, 2018 at 8:56 pm

    so the implication is that the back door might have been a deliberate action on the part of NIST to selectively spy on folks?

  • Reply Bruce Houdini November 6, 2018 at 4:39 pm

    Clean up your office.

  • Reply Johan Larsson November 6, 2018 at 10:28 pm

    Well, you were right.
    PortSmash:
    "In a paper scheduled for release soon, researchers document how they were able to exploit the newly discovered leak to recover an elliptic curve private key from a server running an OpenSSL-powered TLS server. The attack, which was carried out on servers running Intel Skylake and Kaby Lake chips and Ubuntu, worked by sending one logical core a steady stream of instructions and carefully measuring the time it took for them to get executed."

  • Reply HMan November 8, 2018 at 3:35 am

    In the realm of IT security "There could be a backdoor" means exactly the same thing as "There definitely is a backdoor".

  • Reply raedon 707 November 12, 2018 at 2:24 am

    34 dislikes are random.. 😐

  • Reply HOLD FAST November 12, 2018 at 6:00 pm

    Mike has the exciting charisma of Jeremy Clarkson with James May's intellect.

  • Reply kwastek November 14, 2018 at 9:51 am

    Really, anyone surprised NIST pushes standards they hid backdoors in?

  • Reply Warwagon November 19, 2018 at 4:43 pm

    Mike should be doing all the videos, he's fantastic.

  • Reply masoud ghashghaei November 28, 2018 at 4:37 pm

    i love the way they advertised the energizer battery !

  • Reply vcokltfre November 29, 2018 at 4:04 pm

    Cloudflare has its own way of making random numbers… Lava lamps

  • Reply vcokltfre November 29, 2018 at 4:29 pm

    Basically, "If you don't use this, that may have a backdoor, and instead use your own to make it more secure, we'll say you're less secure…" Well that makes sense…

  • Reply HalloFrogie December 21, 2018 at 10:26 am

    Why do Britons say "poblem" instead of "problem"?

  • Reply jessie tessie January 12, 2019 at 7:39 am

    use SHA-256 PRNG instead!

  • Reply avatar098 January 31, 2019 at 8:23 pm

    All of a sudden, PuTTY's generator for RSA keys makes sense.

  • Reply Nathan E Harvey February 7, 2019 at 7:25 am

    Doesn’t bitcoin use elliptic curve? Does that mean the NSA might be able to calculate everyone’s private keys?

  • Reply Mr Booshit February 16, 2019 at 7:43 pm

    this hurts my head.

  • Reply Jack Sparrow February 20, 2019 at 4:37 pm

    these Computerphile guys are so smart. they can become professors.

  • Reply Iori Tatsuguchi March 9, 2019 at 2:40 pm

    Oh wow I'm becoming a conspiracy theorist after a decade of hiatus.

  • Reply luke lucky March 13, 2019 at 11:53 pm

    What about the Bernstein curves? Do you think these also have a "back-door"? (f.i. curve25519 and ed25519)

  • Reply randomguy8196 March 17, 2019 at 8:11 am

    Interesting.

  • Reply YoniMek April 9, 2019 at 10:22 am

    Why are computers not fitted with a true random generator (tapping into some quantum event)?

  • Reply Robert Prescott April 10, 2019 at 8:55 pm

    This has a hint of conspiracy… 🤔🤔🤔

  • Reply David Szabries April 18, 2019 at 5:28 pm

    your vids are worth gold!

  • Reply Niklas Paulsson April 23, 2019 at 6:42 am

    Given that the numbers chosen for the s-boxes in DES were deliberately weak to allow for an easy backdoor, we probably shouldn't trust any more numbers from NIST.

    Fool me once, shame on you, fool me twice – shame on me!

  • Reply dlbiggins April 23, 2019 at 5:43 pm

    "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."

    John Von Neumann

  • Reply plain reflex April 23, 2019 at 8:38 pm

    Why is the state updated with "rP" and not just with "r". Imo this would solve the backdoor problem

  • Reply matte espo April 25, 2019 at 11:07 am

    I know e, it's 2.71 😎😎😎

  • Reply Matthias Liszt May 1, 2019 at 7:52 pm

    So, always use your own random numbers … I bought some icosahedrons, dodecahedrons etc. for that.

  • Reply B Bowling May 12, 2019 at 11:40 pm

    Excellent video Dr. Pound. You have a great way of explaining things at just the right level of detail. Making notes on 132 column tractor feed paper is just an added bonus! Keep up the great work.

  • Reply Toadal Chaos May 22, 2019 at 6:43 am

    "We all thought SHA1 was unbreakable, and then what happened"
    Best nerd quote of the year.

  • Reply Luky0805 June 15, 2019 at 6:45 am

    11:55 so you say it's even on my computer?

  • Reply jan harald June 19, 2019 at 2:57 pm

    /me wondered about if other curves such as Curve25519 might have been similarly affected,

    thankfully not AND the bad one's not in use anymore, afaik…

  • Reply Jeffrey Black June 29, 2019 at 4:24 am

    I wouldn't call SHA-1 broken, just not complex enough for people motivated enough to break it.
    Sure there are vulnerabilities which make it easier to find a collision, but it still takes a lot of computing power to do so.
    SHA-256 could also be "broken" if people were motivated enough.