[Cryptography] Why is ECC secure?

Tony Arcieri bascule at gmail.com
Sat May 30 21:16:29 EDT 2015


On Sat, May 30, 2015 at 11:08 AM, Ryan Carboni <ryacko at gmail.com> wrote:

> There have been attacks as a result of nonce reuse and poorly generated
> nonces for ECC.
>

True, if you're talking about ECDSA, but ECDSA sucks. Use EdDSA and this
isn't a problem.


> There may be as of yet unknown attacks against ECC private keys that are
> heavily used but with random nonces.
>

FUD!


> No such attacks for public key cryptosystems using prime factorization.
>

a.k.a. RSA signatures don't use a nonce

But RSA has failed spectacularly for lots and lots of reasons because it
has sharp edges that don't exist in ECC, like:

- Using a bad public exponent (e.g. 1):
http://www.cryptofails.com/post/70059600123/saltstack-rsa-e-d-1
- Failing to use padding, or using a weak padding mode (e.g. PKCS#1v1.5)
- Implementing RSA naively in a way that's vulnerable to trivial timing
attacks (e.g. failure to use random blinding)

Then there's the part where RSA is slow (especially on the server side for
things like TLS) and has ginormous keys.

The latter can be used for amplification attacks in contexts like DNSSEC.

tl;dr: RSA sucks. Stop using it.

-- 
Tony Arcieri
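The RSA sharp edges listed above (a bad public exponent such as e=1, and unpadded "textbook" RSA), worked through as an added Python example that is not from the original thread; the toy primes, the function names and the exponent-check rules are constructed for illustration only.

```python
from math import gcd

# Toy RSA parameters, constructed for illustration only (far too small to be secure).
P, Q = 61, 53
N = P * Q                  # 3233
PHI = (P - 1) * (Q - 1)    # 3120


def rsa_keypair(e: int):
    """Return (e, d, N) for the toy modulus; raises if e is not a valid exponent."""
    if gcd(e, PHI) != 1:
        raise ValueError("e must be coprime with phi(N)")
    d = pow(e, -1, PHI)    # modular inverse, Python 3.8+
    return e, d, N


def check_public_exponent(e: int) -> list:
    """Flag the 'sharp edge' public exponents the post warns about.
    Returns a list of findings; an empty list means the exponent looks sane."""
    findings = []
    if e == 1:
        findings.append("e=1: encryption is the identity map, ciphertext == plaintext")
    elif e % 2 == 0:
        findings.append("even e: can never be invertible mod phi(N)")
    elif e < 65537:
        findings.append(f"e={e} is small; e=65537 is the conventional choice")
    return findings


def textbook_rsa(m: int, exp: int) -> int:
    """Unpadded ('textbook') RSA: plain modular exponentiation, no padding."""
    return pow(m, exp, N)


def demo_e_is_one() -> bool:
    """With e=1 (and therefore d=1) the 'ciphertext' is the plaintext verbatim."""
    e, d, _ = rsa_keypair(1)
    m = 42
    return textbook_rsa(m, e) == m and d == 1


def demo_malleability() -> bool:
    """Without padding RSA is multiplicatively homomorphic: Enc(m) * Enc(2) is a
    valid Enc(2m), so a ciphertext can be altered without the key. Padding
    schemes such as OAEP/PSS remove this structure, which is why 'no padding'
    is a sharp edge."""
    e, d, _ = rsa_keypair(17)
    m = 42
    c = textbook_rsa(m, e)
    forged = (c * textbook_rsa(2, e)) % N
    return textbook_rsa(forged, d) == (2 * m) % N
```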