[Cryptography] Opening Discussion: Speculation on "BULLRUN"
Jon Callas
jon at callas.org
Thu Sep 5 22:19:12 EDT 2013
On Sep 5, 2013, at 7:01 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> "Perry E. Metzger" <perry at piermont.com> writes:
>
>> I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>> that you're thinking of?
>
> It's not just randomness, it's problems with DLP-based crypto in general. For
> example there's the scary tendency of DLP-based ops to leak the private key
> (or at least key bits) if you get even the tiniest thing wrong. For example
> if you follow DSA's:
>
> k = G(t,KKEY) mod q
>
> then you've leaked your x after a series of signatures, so you need to know
> that you generate a larger-than-required value before reducing mod q. The
> whole DLP family is just incredibly brittle.
I don't disagree by any means, but I've been through brittleness with both discrete log and RSA, and it seems like only a month ago that people were screeching to get off RSA over to ECC to avert the "cryptocalypse." And that the ostensible reason was that there are new discrete log attacks -- which was just from Mars and I thought that that proved the people didn't know what they were talking about. Oh, wait, it *was* only a month ago! Silly me.
"Crypto experts issue a call to arms to avert the cryptopocalypse"
http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/
Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a finite field that's hard to understand. It all sucks.
>
>> RSA certainly appears to require vastly longer keys for the same level of
>> assurance as ECC.
>
> That's assuming that the threat is cryptanalysis rather than bypass. Why
> bother breaking even 1024-bit RSA when you can bypass?
And now we're back to the hymnal you and I have been singing from. It ain't the crypto, it's the software.
Jon
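The nonce bias Gutmann describes above, worked through as an added example that is not part of this thread or of any DSA implementation: with t = bitlen(q), reducing a uniform t-bit value mod q gives the small residues two preimages and the large ones only one, so they are exactly twice as likely; generating 64 spare bits first makes the spread negligible. The hash-based G is a toy stand-in (an assumption, not the FIPS 186 G function) and the q values are constructed.

```python
# Added illustration of the k = G(t, KKEY) mod q bias: residues below
# (2**t mod q) have two t-bit preimages, the rest only one.  Generating
# 64 spare bits before the reduction shrinks the bias to about q / 2**t.
from fractions import Fraction
import hashlib


def preimage_count(k: int, q: int, t: int) -> int:
    """Number of t-bit integers v (0 <= v < 2**t) with v % q == k."""
    return (2**t - 1 - k) // q + 1


def nonce_bias(q: int, extra_bits: int) -> Fraction:
    """Probability ratio of the most likely k (k = 0) to the least likely
    k (k = q - 1) when k = (uniform t-bit value) mod q with
    t = bitlen(q) + extra_bits.  1 means uniform; for odd q and
    extra_bits = 0 it is exactly 2."""
    t = q.bit_length() + extra_bits
    return Fraction(preimage_count(0, q, t), preimage_count(q - 1, q, t))


def derive_k(kkey: bytes, counter: int, q: int, extra_bits: int) -> int:
    """Toy stand-in for G(t, KKEY) (an assumption, not the FIPS 186 G):
    SHA-256 over KKEY and a counter, keep the top t bits, reduce mod q."""
    t = q.bit_length() + extra_bits
    digest = b""
    block = 0
    while len(digest) * 8 < t:
        msg = kkey + counter.to_bytes(8, "big") + bytes([block])
        digest += hashlib.sha256(msg).digest()
        block += 1
    v = int.from_bytes(digest, "big") >> (len(digest) * 8 - t)
    return v % q


def low_residue_fraction(kkey: bytes, q: int, extra_bits: int, samples: int) -> float:
    """Fraction of derived nonces falling in [0, 2**bitlen(q) - q), the range
    that is over-represented when no spare bits are generated.  Uniform k
    would give roughly (2**bitlen(q) - q) / q."""
    cutoff = 2 ** q.bit_length() - q
    hits = sum(derive_k(kkey, i, q, extra_bits) < cutoff for i in range(samples))
    return hits / samples


if __name__ == "__main__":
    q = 11  # constructed toy modulus; cutoff is 16 - 11 = 5, uniform share 5/11
    print("bias, no spare bits :", nonce_bias(q, 0))        # 2
    print("bias, 64 spare bits :", float(nonce_bias(q, 64)))  # ~1.0
    print("low residues, t     :", low_residue_fraction(b"KKEY", q, 0, 3000))   # ~0.625
    print("low residues, t + 64:", low_residue_fraction(b"KKEY", q, 64, 3000))  # ~0.455
```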