12

I am surely not an expert in the field, but I heard some people say that NIST P-256 somehow has backdoors. I don't know about the seriousness of this claim; maybe it's just a conspiracy theory.

If there is some truth to the hearsay, why is NIST P-256 still implemented? Almost everyone I asked said it's a bad idea to use P-256. If this is true:

  1. Why is it still in GPG (as of 2017)?
  2. Does it have any use (except legacy and compatibility)?
  3. Is it really broken to the point of being unsafe to use in a professional environment?
Patriot
Richard R. Matthews

2 Answers

24

Because P-256 is the most used elliptic curve and there are no certain reasons to believe it's insecure. It's the first standardized curve at the 128-bit security level (which is very popular).

The rumors about its backdoor came from 3 factors:

  • Snowden's revelations included a generic claim of the NSA trying to backdoor NIST standardized crypto
  • DualEC DRBG being a NIST standard actually backdoored by the NSA
  • Daniel J. Bernstein trying to push for his own curve25519

But there is no backdoor connection between DualEC DRBG and NIST curves and we have no idea about how to backdoor an elliptic curve. Bernstein and Lange built a site claiming P-256 is not safe. But it actually boils down to the fact that NIST curves, generated in the 90s, lack some of the fancy features of more modern elliptic curves, as the fancy techniques were not known at the time.

To address your questions directly:

  1. For compatibility reasons, since it's the most used elliptic curve.
  2. Yes of course, e.g. TLS.
  3. No, we believe it's secure.
Ruggero
7

Daniel J. Bernstein's Safe Curves page has most of the info you want. To summarize:

1) Because it is approved for use by the US government, and they require the use of approved curves when interacting with them. Other agencies have similar requirements.

2) Outside of such contracts, no.

3) Possibly not, but there are curves which are safer and more efficient. Thus, if you don't have to use it you shouldn't. It isn't broken, but it is brittle: there are several very subtle errors that can be made when implementing it which will cause a break.

SAI Peregrinus
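
The second answer calls P-256 "brittle" without naming a specific implementation error. One widely documented example is accepting a peer's public key without checking that the point lies on the curve. The following is an added example, not code from either answer or from GPG: a validator for uncompressed SEC1 P-256 public keys, with hypothetical function names and constructed sample inputs.

```python
# Added example: validate a received NIST P-256 public key before any ECDH/ECDSA use.
# Constants are the published P-256 domain parameters; all names are hypothetical.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # field prime
A = P - 3                                  # curve coefficient a = -3 mod p
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPoint(ValueError):
    """Raised when an encoded public key must not be used."""


def on_curve(x: int, y: int) -> bool:
    # Short Weierstrass equation: y^2 = x^3 + a*x + b (mod p)
    return (y * y - (x * x * x + A * x + B)) % P == 0


def encode(x: int, y: int) -> bytes:
    # SEC1 uncompressed form: 0x04 || X (32 bytes) || Y (32 bytes)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def parse_public_key(encoded: bytes) -> tuple:
    # The length/prefix check also rejects the point at infinity (encoded as b"\x00").
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise InvalidPoint("expected 65-byte uncompressed SEC1 point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    if x >= P or y >= P:
        raise InvalidPoint("coordinate is not reduced mod p")
    if not on_curve(x, y):
        raise InvalidPoint("point is not on P-256")
    # P-256 has cofactor 1, so an on-curve finite point is in the prime-order group.
    return x, y


def is_valid(encoded: bytes) -> bool:
    try:
        parse_public_key(encoded)
        return True
    except InvalidPoint:
        return False


# Constructed samples: the generator, an off-curve point, an unreduced coordinate.
GOOD = encode(GX, GY)
OFF_CURVE = encode(GX, (GY + 1) % P)
UNREDUCED = encode(P, GY)
```
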