On Sep 5, 2013, at 7:01 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> "Perry E. Metzger" <pe...@piermont.com> writes:
>
>> I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>> that you're thinking of?
>
> It's not just randomness, it's problems with DLP-based crypto in general. For
> example there's the scary tendency of DLP-based ops to leak the private key
> (or at least key bits) if you get even the tiniest thing wrong. For example
> if you follow DSA's:
>
> k = G(t,KKEY) mod q
>
> then you've leaked your x after a series of signatures, so you need to know
> that you generate a larger-than-required value before reducing mod q. The
> whole DLP family is just incredibly brittle.

I don't disagree by any means, but I've been through brittleness with both discrete log and RSA, and it seems like only a month ago that people were screeching to get off RSA over to ECC to avert the "cryptocalypse." And that the ostensible reason was that there are new discrete log attacks -- which was just from Mars and I thought that that proved the people didn't know what they were talking about.

Oh, wait, it *was* only a month ago! Silly me.

"Crypto experts issue a call to arms to avert the cryptopocalypse"
http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/

Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a finite field that's hard to understand. It all sucks.

>> RSA certainly appears to require vastly longer keys for the same level of
>> assurance as ECC.
>
> That's assuming that the threat is cryptanalysis rather than bypass. Why
> bother breaking even 1024-bit RSA when you can bypass?

And now we're back to the hymnal you and I have been singing from. It ain't the crypto, it's the software.
Jon

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
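The quoted remark about DSA's `k = G(t,KKEY) mod q` is the technical core of the exchange. The Python below is an added illustration, not code from Jon, Peter, or the list: it computes, in closed form, how far a nonce obtained by reducing a q-sized value mod q is from uniform, and shows that drawing 64 surplus bits before reducing (the construction FIPS 186-4 Appendix B.2.1 uses) pushes the skew below 2^-64. `DEMO_Q` is a constructed 160-bit modulus chosen so that the skew is large, not a real DSA parameter, and all function names are mine. The same calculation also explains why the naive reduction happens to be nearly harmless for curve orders that sit just below a power of two, while being badly skewed for an arbitrary DSA q.

```python
"""Nonce skew in DSA/ECDSA-style signatures: the naive reduction vs. the fix.

A per-signature secret k must be uniform on [1, q-1]. If t is a uniform
value on [0, 2^N) with N = bitlen(q), then t mod q is NOT uniform: every
residue below d = 2^N mod q can be reached from one extra input. That
structured skew, accumulated over many signatures, is what lets x leak.
Drawing N+64 bits first makes the skew at most about 2^-64.
"""
import secrets
from fractions import Fraction

# Constructed demo modulus, ~0.75 * 2^160, picked to maximise the skew.
# It is NOT a real DSA q (not even checked for primality).
DEMO_Q = (1 << 159) + (1 << 158) + 1


def residue_counts(nbits: int, q: int) -> list:
    """Exact number of inputs t in [0, 2^nbits) with t mod q == r, for each
    residue r. Enumerates all q residues, so only use it for toy q."""
    total = 1 << nbits
    return [(total - 1 - r) // q + 1 for r in range(q)]


def max_min_ratio(nbits: int, q: int) -> Fraction:
    """Probability of the most likely residue (always r = 0) divided by that
    of the least likely one (r = q-1). Closed form, fine for 256-bit q."""
    total = 1 << nbits
    most = (total - 1) // q + 1
    least = (total - q) // q + 1
    return Fraction(most, least)


def skew_from_uniform(nbits: int, q: int) -> Fraction:
    """Statistical (total-variation) distance between (t mod q) for uniform
    t on [0, 2^nbits) and the uniform distribution on [0, q).

    Residues below d = 2^nbits mod q occur base+1 times, the rest base times;
    the distance is the total positive deviation from 1/q."""
    total = 1 << nbits
    base, d = divmod(total, q)
    return d * (Fraction(base + 1, total) - Fraction(1, q))


def naive_nonce(q: int) -> int:
    """The pattern warned about in the thread: a value no wider than q,
    reduced mod q. Small residues are over-represented, and 0 is possible."""
    return secrets.randbits(q.bit_length()) % q


def fips_nonce(q: int) -> int:
    """FIPS 186-4 B.2.1 style: bitlen(q)+64 random bits, then mapped into
    [1, q-1]. The 64 surplus bits bound the skew by roughly 2^-64."""
    c = secrets.randbits(q.bit_length() + 64)
    return (c % (q - 1)) + 1


def main() -> None:
    print("toy q=11, 4-bit draws  counts:", residue_counts(4, 11))
    print("toy q=11, 4-bit draws  skew :", skew_from_uniform(4, 11))
    print("toy q=11, 68-bit draws skew :", float(skew_from_uniform(68, 11)))
    print("demo q, 160-bit draws  skew :", float(skew_from_uniform(160, DEMO_Q)))
    print("demo q, 224-bit draws  skew :", float(skew_from_uniform(224, DEMO_Q)))
    print("sample FIPS-style nonce     :", hex(fips_nonce(DEMO_Q)))


if __name__ == "__main__":
    main()
```

For the demo modulus the naive reduction lands about 1/6 away from uniform in statistical distance, while 64 surplus bits bring it under 2^-64. RFC 6979's deterministic derivation of k from the private key and message is the other widely used way to avoid both this skew and the bad-RNG failure mode.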