On Sep 5, 2013, at 7:01 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> "Perry E. Metzger" <pe...@piermont.com> writes:
>> I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>> that you're thinking of?
> It's not just randomness, it's problems with DLP-based crypto in general.  For
> example there's the scary tendency of DLP-based ops to leak the private key
> (or at least key bits) if you get even the tiniest thing wrong.  For example
> if you follow DSA's:
>  k = G(t,KKEY) mod q
> then you've leaked your x after a series of signatures, so you need to know
> that you generate a larger-than-required value before reducing mod q.  The
> whole DLP family is just incredibly brittle.

I don't disagree by any means, but I've been through brittleness with both 
discrete log and RSA, and it seems like only a month ago that people were 
screeching to get off RSA over to ECC to avert the "cryptocalypse." And that 
the ostensible reason was that there are new discrete log attacks -- which was 
just from Mars and I thought that that proved the people didn't know what they 
were talking about. Oh, wait, it *was* only a month ago! Silly me.

"Crypto experts issue a call to arms to avert the cryptopocalypse"


Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a 
finite field that's hard to understand. It all sucks.

>> RSA certainly appears to require vastly longer keys for the same level of
>> assurance as ECC.
> That's assuming that the threat is cryptanalysis rather than bypass.  Why
> bother breaking even 1024-bit RSA when you can bypass?

And now we're back to the hymnal you and I have been singing from. It ain't the 
crypto, it's the software.


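A toy-scale illustration of the point Peter makes above about k = G(t,KKEY) mod q, added here as example code rather than anything either poster wrote. It assumes a constructed 16-bit prime q (not a real DSA group) so the effect is visible in a few thousand samples, and it measures only the nonce bias that Bleichenbacher's attack exploits; the lattice/statistical key-recovery step that turns that bias into bits of x is not implemented here.

```python
"""Modular bias in DSA nonces: k = G(t, KKEY) mod q versus generating extra bits.

Toy-sized demonstration: q is 16 bits, so the bias is large enough to see
with a few thousand samples. Real DSA/ECDSA groups use 160- to 521-bit q,
but the effect is identical in kind.
"""
import cmath
import math
import random

# Constructed toy parameters (assumption: not a real DSA group).
Q = 49157                 # a 16-bit prime, so t = bitlen(q) = 16
EXTRA_BITS = 64           # FIPS 186-4 B.2.1 generates t + 64 bits before reducing


def biased_nonce(q: int, rng: random.Random) -> int:
    """FIPS 186-2 style nonce: a t-bit value reduced mod q.

    Every residue in [0, 2**t - q) has two preimages under 'mod q' and every
    other residue has one, so the low residues are twice as likely.
    """
    return rng.getrandbits(q.bit_length()) % q


def fips186_4_nonce(q: int, rng: random.Random) -> int:
    """FIPS 186-4 B.2.1: take t+64 bits, reduce mod (q-1), add 1 -> k in [1, q-1].

    The 64 surplus bits push the remaining bias below 2**-64, far under the
    statistical noise of any feasible number of signatures.
    """
    c = rng.getrandbits(q.bit_length() + EXTRA_BITS)
    return (c % (q - 1)) + 1


def modular_bias(nonces, q: int) -> float:
    """Bleichenbacher's bias measure: |(1/N) * sum exp(2*pi*i*k/q)|.

    Near 0 for uniform nonces (up to ~1/sqrt(N) sampling noise), larger the
    more the nonces cluster; this is the quantity his attack on DSA amplifies
    across many signatures to pull out bits of x.
    """
    acc = sum(cmath.exp(2j * math.pi * k / q) for k in nonces)
    return abs(acc) / len(nonces)


def exact_bias_of_mod_reduction(q: int) -> float:
    """Bias of 'uniform t-bit value mod q', computed exactly over all 2**t inputs.

    Only the 2**t - q wrapped values contribute, since each full period of q
    sums to zero.
    """
    t = q.bit_length()
    acc = sum(cmath.exp(2j * math.pi * (c % q) / q) for c in range(1 << t))
    return abs(acc) / (1 << t)


def compare(n: int = 20000, seed: int = 1) -> dict:
    """Draw n nonces each way from a seeded RNG and report the biases."""
    rng = random.Random(seed)
    biased = [biased_nonce(Q, rng) for _ in range(n)]
    fixed = [fips186_4_nonce(Q, rng) for _ in range(n)]
    return {
        "biased_sampled": modular_bias(biased, Q),
        "fixed_sampled": modular_bias(fixed, Q),
        "biased_exact": exact_bias_of_mod_reduction(Q),
        "noise_floor": 1 / math.sqrt(n),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>15}: {value:.4f}")
```

With this q the bare mod-q reduction has a bias of about 0.21 (the exact value equals |sin(pi*m/q)/sin(pi/q)| / 2**t with m = 2**t - q), while the t+64-bit construction sits at the 1/sqrt(N) noise floor. For a real 160-bit q the per-signature bias is far smaller, which is exactly why the leak shows up only "after a series of signatures": the attack sums the same phase term over many of them until the bias stands out from the noise.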

The cryptography mailing list
