"Perry E. Metzger" <pe...@piermont.com> writes:

>I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>that you're thinking of?

It's not just randomness, it's problems with DLP-based crypto in general.  For
example there's the scary tendency of DLP-based ops to leak the private key
(or at least key bits) if you get even the tiniest thing wrong.  For example
if you follow DSA's:

  k = G(t,KKEY) mod q

then you've leaked your x after a series of signatures, so you need to know 
that you generate a large-than-required value before reducing mod q.  The 
whole DLP family is just incredibly brittle.

>RSA certainly appears to require vastly longer keys for the same level of
>assurance as ECC.

That's assuming that the threat is cryptanalysis rather than bypass.  Why
bother breaking even 1024-bit RSA when you can bypass?

The cryptography mailing list

Reply via email to