Although the headers and quoting have gotten munged, this appears to be a reply to my message.
Eugene Leitl <[EMAIL PROTECTED]> writes: > -- Eugen* Leitl <a href="http://leitl.org";>leitl</a> > ______________________________________________________________ > ICBMTO: N48 04'14.8'' E11 36'41.2'' http://www.leitl.org > 57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3 > > ---------- Forwarded message ---------- > Date: Tue, 5 Feb 2002 11:10:49 +0100 (CET) > From: Robert Harley <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: Cringely Gives KnowNow Some Unbelievable Free Press... > > Eugene Leitl wrote: > >If you want to see EC used you need to describe a specific algorithm > >which has the following three properties: > > > >(1) widely agreed to be unencumbered, [...] > > No problem. Use a random secure curve over a binary field with a > polynomial basis (or over a random prime field). Do it in software > using standard text-book algorithms. Use a protocol that is > in the clear such as plain Diffie-Hellman key exchange. And this is how fast? > EL: > >(2) significantly better than RSA (this generally means faster) > > This seems a little bit simplistic... Whatever way you cut it, RSA > will beat ECC on public key ops (encryption, signature verification...) > whereas ECC will beat RSA on private key ones (decryption, signing...) > > The speed argument can be compelling or not depending on what you want > to do. It's the only real argument that ECC's got going for it. RSA can be made arbitrarily fast by making it arbitrarily slow. > EL: > >Until someone does that, the cost of information in choosing an EC > >algorithm is simply too high to justify replacing RSA in most > >applications. > > Personally, I no longer trust RSA for long term security. > > This is public-key crypto, not symmetric, so a break of your RSA key > means that all your encrypted traffic becomes readable rather than > just one message. E.g., if a few years ago you used 512-bit RSA to > encrypt a will that was not to be read by anybody until you die, > that's tough because it could be read today. Doesn't matter that you > moved to 768 bits and then 1024 in the meantime. If you care about Perfect Forward Secrecy, you shouldn't be using RSA at all. You should be using DH with a fresh key for each exchange. The probability that in the next 50 years your key will be compromised in some other way than factoring is sufficiently high to motivate this tactic. (In my view, it's vastly higher than that of your key being broken by factoring). This message actually makes my point quite nicely. I frequently see long detailed arguments by ECC proponents about how wonderful ECC is and how it should replace RSA. This is one such argument. That's not what's needed. For ECC to take off, someone will have to actually write it into protocols. This requires someone to identify a specific ECC algorithm that meets the properties that I laid out, and document those properties with literature citations, performance numbers, securtiy estimates, etc. That's what's needed before the COMSEC people will feel comfortable adding ECC to their systems. Until someone's willing to step up to the plate on that, we're not going to see ECC deployment in standard protocols. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
