We're aware of those arguments but don't find them convincing enough to
switch early.
On Mon, 28 May 2018, Yegor Ievlev wrote:
> A backdoored curve could be easily generated using the algorithm used
> to generate the NIST curves.
> https://bada55.cr.yp.to/vr.html
>
> The algorithm that generates a backdoored curve is very simple:
> Suppose the NSA (the author of the curves) knows a way to solve ECDLP
> in polynominal time for some rare (one in 2^32) curves. In this case,
> they simply keep generating the curves until they will find one that
> is weak to their algorithm for solving ECDLP. The computations
> required only take two days on a cluster of 41 GTX 780 GPUs, and was
> feasible to do with a cluster of specialized hardware in 1999, when
> the curves were generated.
>
> Neither RSA nor Curve25519 are vulnerable to similar attacks.
>
> On Mon, May 28, 2018 at 1:36 AM, Damien Miller <djm at mindrot.org>
wrote:
> > On Mon, 28 May 2018, Yegor Ievlev wrote:
> >
> >> Can we prefer RSA to ECDSA? For example:
> >> HostKeyAlgorithms
> >>
ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
> >
> > not without a good reason
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>