Cringely ...or- long-lasting encryption - motivation for ECC?

Amir Herzberg amir at beesites.co.il
Wed Feb 6 10:34:42 EST 2002


Eric Rescorla [ER] replied to Eugene Leitl [EL]:
...
> > EL:
> > Personally, I no longer trust RSA for long term security.
> >
> > This is public-key crypto, not symmetric, so a break of your RSA key
> > means that all your encrypted traffic becomes readable rather than
> > just one message.  E.g., if a few years ago you used 512-bit RSA to
> > encrypt a will that was not to be read by anybody until you die,
> > that's tough because it could be read today.  Doesn't matter that you
> > moved to 768 bits and then 1024 in the meantime.
> If you care about Perfect Forward Secrecy, you shouldn't be using
> RSA at all. You should be using DH with a fresh key for each
> exchange. The probability that in the next 50 years your key will
> be compromised in some other way than factoring is sufficiently
> high to motivate this tactic. (In my view, it's vastly higher
> than that of your key being broken by factoring).

Correct... and furthermore - this only dealt with transmitting the
encrypted (and signed?) will, presumably to a trusted lawyer (or other
trusted party). I would also be more concerned about the risk that the
lawyer/party will be corrupted (by software or otherwise...) within the
50 years. Again the solution has nothing to do with ECC vs. RSA...

This is a bit beside the original debate, but let me quickly recall the
three main techniques I know of for protecting such long-lasting secret
data:

-- Tamper-resistant hardware
-- Splitting the data (or a strong symmetric key with which the data is
encrypted) among several secure storage units (secret sharing)
-- The same, but proactively re-hashing the shares periodically, so that
an attacker must collect all shares during the same period (proactive
secret sharing).

Regards,

Amir Herzberg
See http://amir.beesites.co.il/book.html for lectures and draft-chapters
from `secure communication and commerce using cryptography`; feedback
welcome!
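As an added illustration of the last two techniques in the list above (this is example code written for this page, not code from the original post or its author), here is a minimal Shamir (t, n) secret sharing over a prime field with one proactive refresh round. It assumes the prime P = 2^255 - 19 and, for simplicity, computes the refresh sub-shares in one place rather than having each share holder deal them over private channels.

```python
# Added example: Shamir (t, n) secret sharing plus one proactive refresh.
# After a refresh the secret is unchanged, but old and new shares do not
# interpolate together, so an attacker must gather t shares in ONE period.
import secrets

P = 2**255 - 19  # prime field modulus (assumption); a 128/256-bit key fits below it


def _eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, t, n):
    """Deal n shares (x, y) of `secret`; any t of them reconstruct it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def refresh(shares, t):
    """One proactive round: each holder deals a random degree-(t-1) polynomial
    with constant term 0; every holder adds the sub-shares it receives.
    (Simplification: sub-shares are computed here rather than exchanged.)"""
    n = len(shares)
    deltas = [[0] + [secrets.randbelow(P) for _ in range(t - 1)] for _ in range(n)]
    return [(x, (y + sum(_eval(d, x) for d in deltas)) % P) for x, y in shares]


def demo(secret=0x00112233445566778899AABBCCDDEEFF, t=3, n=5):
    """Constructed key value; returns which share combinations recover it."""
    old = split(secret, t, n)
    new = refresh(old, t)
    return {
        "old_ok": reconstruct(old[:t]) == secret,          # t shares, one period
        "new_ok": reconstruct(new[1:1 + t]) == secret,     # t shares, next period
        "mixed_ok": reconstruct(old[:2] + new[2:3]) == secret,  # across periods
    }
```

Fewer than t shares, or t shares collected across two refresh periods, give no information about the key; in a real deployment the refresh would run on the tamper-resistant storage units over authenticated channels.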

