[Cryptography] Opening Discussion: Speculation on "BULLRUN"
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Sep 5 22:01:31 EDT 2013
"Perry E. Metzger" <perry at piermont.com> writes:
>I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>that you're thinking of?
It's not just randomness, it's problems with DLP-based crypto in general. For
example there's the scary tendency of DLP-based ops to leak the private key
(or at least key bits) if you get even the tiniest thing wrong. For example
if you follow DSA's:
k = G(t,KKEY) mod q
then you've leaked your x after a series of signatures, so you need to know
that you generate a larger-than-required value before reducing mod q. The
whole DLP family is just incredibly brittle.
>RSA certainly appears to require vastly longer keys for the same level of
>assurance as ECC.
That's assuming that the threat is cryptanalysis rather than bypass. Why
bother breaking even 1024-bit RSA when you can bypass?
Peter.
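The nonce-generation flaw Peter describes (reducing a t-bit value mod q with t equal to the bit length of q) beside the FIPS 186-4 "extra random bits" fix, as an added Python example that is not part of the original post. The group order Q is a constructed 16-bit toy value chosen so the modular bias is visible; the code measures that bias rather than the key recovery it enables.

```python
from fractions import Fraction
import random
import secrets

# Constructed toy group order, for illustration only: q = 43691 is a 16-bit
# prime, so 2**16 mod q = 21845 and the reduction bias is easy to see.
# Real DSA/ECDSA orders are 160-521 bits, but the arithmetic is identical.
Q = 43691
T = Q.bit_length()          # the "t" in k = G(t, KKEY) mod q

def biased_nonce(q: int, rnd=secrets.randbits) -> int:
    """Old-style DSA nonce: reduce a t-bit value mod q with t == bitlen(q).
    Unless q is a power of two, residues below 2**t mod q occur twice as
    often as the rest; that skew is what leaks key bits over many signatures."""
    return rnd(q.bit_length()) % q

def fips186_4_nonce(q: int, rnd=secrets.randbits) -> int:
    """FIPS 186-4 B.2.1 'extra random bits': draw bitlen(q) + 64 bits, reduce
    mod (q - 1) and add 1. The 64 surplus bits shrink the bias to about 2**-64
    and the +1 keeps k in [1, q-1]."""
    c = rnd(q.bit_length() + 64)
    return (c % (q - 1)) + 1

def max_bias(bits: int, modulus: int) -> Fraction:
    """Exact worst-case ratio P[k = v] / (1/modulus) when a uniform `bits`-bit
    value is reduced mod `modulus`. 1 means perfectly uniform."""
    hi = -(-(1 << bits) // modulus)          # ceil(2**bits / modulus)
    return Fraction(hi * modulus, 1 << bits)

def overrepresented_fraction(nonce_fn, q: int, n: int, seed: int) -> float:
    """Share of n nonces that land in [0, 2**T mod q), the over-represented
    range. Uniform: about 21845/43691 ~ 0.50. Biased: about 2/3. The seeded
    PRNG is only for a reproducible demo; real nonces must use secrets.randbits."""
    rnd = random.Random(seed).getrandbits
    low = (1 << T) % q
    hits = sum(1 for _ in range(n) if nonce_fn(q, rnd) < low)
    return hits / n

if __name__ == "__main__":
    print("bias, t-bit reduction:   ", float(max_bias(T, Q)))
    print("bias, t+64-bit reduction:", float(max_bias(T + 64, Q - 1)))
    print("over-represented share, old:", overrepresented_fraction(biased_nonce, Q, 20000, 1))
    print("over-represented share, new:", overrepresented_fraction(fips186_4_nonce, Q, 20000, 1))
```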