[Cryptography] PRISM-Proofing and PRISM-Hardening

Jerry Leichter leichter at lrw.com
Tue Sep 17 19:05:48 EDT 2013


On Sep 17, 2013, at 5:31 PM, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
> ...And indeed the FUD around the NIST EC curves is rather unfortunate.
> Is secp256r1 better or worse than 1024-bit EDH?
Given our state of knowledge both of the mathematics, and of games NSA has been playing, I don't believe anyone can give a meaningful answer to that question.  There's a second, related question:  How are attacks on the two systems correlated?  If one falls, do we need to lower our estimate of the strength of the other?  In the case of an attack using a practical quantum computer, "very strongly correlated"; in the case of improvements along the lines of current integer factoring algorithms, "not very strongly correlated".  Over all, one has to make guesses.  I'd put them as "somewhat correlated".

                                                        -- Jerry



More information about the cryptography mailing list