"Perry E. Metzger" <pe...@piermont.com> writes:

>I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>that you're thinking of?

It's not just randomness, it's problems with DLP-based crypto in general. For
example there's the scary tendency of DLP-based ops to leak the private key (or
at least key bits) if you get even the tiniest thing wrong. For example if you
follow DSA's:

  k = G(t,KKEY) mod q

then you've leaked your x after a series of signatures, so you need to know that
you generate a larger-than-required value before reducing mod q. The whole DLP
family is just incredibly brittle.

>RSA certainly appears to require vastly longer keys for the same level of
>assurance as ECC.

That's assuming that the threat is cryptanalysis rather than bypass. Why bother
breaking even 1024-bit RSA when you can bypass?

Peter.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
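The nonce-bias point above can be made concrete. The following is an added example, not code from the post or from any DSA implementation: it computes, exactly, how far "N random bits reduced mod an N-bit q" is from uniform, shows that taking 64 extra bits first (the FIPS 186-4 B.5.1 "extra random bits" method) pushes the bias down to about 2^-64, and measures both with Bleichenbacher's Fourier bias estimator on sampled nonces. Q160 is a constructed odd 160-bit modulus standing in for a DSA subgroup order (the reduction bias does not depend on q being prime); the function names are this example's own.

```python
"""Added example (not from the list post): why reducing an N-bit value mod an
N-bit q biases the DSA nonce k, and why taking extra bits first fixes it.
Q160 is a constructed odd 160-bit modulus standing in for a DSA subgroup order;
primality is irrelevant to the reduction bias demonstrated here."""
from fractions import Fraction
import cmath
import math
import random
import secrets

# Constructed 160-bit modulus with top bits 0b11: the worst case for the bias,
# since then a third of the residues are hit twice as often as the rest.
Q160 = (3 << 158) + 1


def residue_counts(q, nbits):
    """Uniform nbits-bit input reduced mod q: residues in [0, n_heavy) occur
    'heavy' times each, the remaining q - n_heavy residues occur 'light' times."""
    light, n_heavy = divmod(1 << nbits, q)
    return light + 1, light, n_heavy


def statistical_distance(q, nbits):
    """Exact statistical distance of (uniform nbits-bit value mod q) from the
    uniform distribution on [0, q), as a Fraction."""
    total = Fraction(1 << nbits)
    heavy, light, n_heavy = residue_counts(q, nbits)
    uniform = Fraction(1, q)
    return (n_heavy * abs(heavy / total - uniform)
            + (q - n_heavy) * abs(light / total - uniform)) / 2


def naive_nonce(q, rng):
    """The pattern the post warns about: q.bit_length() random bits reduced mod q."""
    return rng.getrandbits(q.bit_length()) % q


def fips186_nonce(q, rng):
    """FIPS 186-4 B.5.1 'extra random bits': draw 64 bits more than q needs,
    then reduce, so the residual bias is about 2**-64 instead of a constant."""
    c = rng.getrandbits(q.bit_length() + 64)
    return (c % (q - 1)) + 1


def fourier_bias(samples, q):
    """Bleichenbacher's bias estimator |mean(exp(2*pi*i*k/q))|: about 1/sqrt(n)
    for uniform k, a constant bounded away from zero when k is biased."""
    s = sum(cmath.exp(2j * math.pi * k / q) for k in samples)
    return abs(s) / len(samples)


def sample_bias(nonce_fn, q, n=20000, seed=None):
    """Fourier bias of n nonces produced by nonce_fn. seed=None uses the OS
    CSPRNG; a fixed seed (for a reproducible demonstration only) uses
    random.Random, which must never be used for real nonces."""
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    return fourier_bias([nonce_fn(q, rng) for _ in range(n)], q)


if __name__ == "__main__":
    for nbits in (160, 224):
        print(f"{nbits}-bit input mod 160-bit q: statistical distance "
              f"{float(statistical_distance(Q160, nbits)):.3g}")
    print("naive nonce bias   :", round(sample_bias(naive_nonce, Q160), 3))
    print("FIPS 186 nonce bias:", round(sample_bias(fips186_nonce, Q160), 3))
```

For Q160 the 160-bit reduction lands at a statistical distance of almost exactly 1/6 from uniform, and the sampled Fourier bias sits around 0.2, which is the kind of signal Bleichenbacher's lattice/FFT attack turns into the private key x given enough signatures; with 224 input bits the distance drops below 2^-64 and the sampled bias is indistinguishable from the 1/sqrt(n) noise floor.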