Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

Eric Rescorla ekr at rtfm.com
Mon Jan 28 20:56:02 EST 2002


"Enzo Michelangeli" <em at who.net> writes:

> ----- Original Message -----
> From: "Eric Rescorla" <ekr at rtfm.com>
> To: "Eugene Leitl" <Eugene.Leitl at lrz.uni-muenchen.de>
> Sent: Monday, 28 January, 2002 6:33 AM
> 
> [...]
> > If you want to see EC used you need to describe a specific algorithm
> > which has the following three properties:
> >
> > (1) widely agreed to be unencumbered, particularly by the big players.
> >     [extra points if you're willing to indemnify]
> > (2) significantly better than RSA (this generally means faster)
> > (3) has seen a significant amount of analysis so that we can have
> > some reasonable confidence it's secure.
> >
> > Until someone does that, the cost of information in choosing an
> > EC algorithm is simply too high to justify replacing RSA in
> > most applications.
> 
> Well, a nice characteristic that RSA doesn't have is the ability to use a
> hash of the passphrase as the secret key, which avoids the need for a secret
> keyring and the associated vulnerability to dictionary attacks. See e.g. the
> Pegwit application, which, in its version 9
I don't know exactly what Pegwit does, but most of these schemes
are still vulnerable to dictionary attacks by trying arbitrary
passphrases and seeing if they generate the correct public key.
It's of course slower since the test operation is slower.

And of course you can do the same sort of thing with RSA by using the
passphrase as the seed for the PRNG. This is quite practical on
modern machines where RSA key generation is extremely fast.
(And practical even on slow machines if you use Schiller's trick
of remembering a "hint").

-Ekr

-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/
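The two points Rescorla makes above, in runnable form: a passphrase-derived key (EC secret scalar = hash of the passphrase, or an RSA key generated from a PRNG seeded with the passphrase) still falls to a dictionary attack that regenerates the public key from each guess, and the "hint" trick can make RSA regeneration cheap. This is an added example, not code from Pegwit or from either poster. The curve (secp256k1), the toy HMAC-SHA256 counter-mode PRNG, the 512-bit RSA modulus, the sample wordlist and the reading of the "hint" as the per-prime count of rejected candidates are all my assumptions; Pegwit's actual curve and PRNG are not described on this page.

```python
# Added example (not Pegwit's or the posters' code). Curve and PRNG are my
# choices: secp256k1 for EC, an HMAC-SHA256 counter generator for the PRNG.
import hashlib
import hmac
import math

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (toy: not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_keypair(passphrase):
    """Pegwit-style: secret d = H(passphrase), public Q = d*G, no keyring."""
    d = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big") % N
    return ec_mul(d, G), d

def drbg(seed):
    """Toy deterministic PRNG: HMAC-SHA256 in counter mode (my choice)."""
    ctr = 0
    while True:
        yield hmac.new(seed, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)

def is_probable_prime(n):
    """Trial division, then Miller-Rabin with fixed bases (enough for a toy)."""
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(gen, bits, skip=0):
    """Next prime in the stream. Every candidate consumes exactly two blocks,
    so `skip` lets a regeneration jump past candidates known to be composite."""
    rejected = 0
    while True:
        cand = int.from_bytes(next(gen) + next(gen), "big") >> (512 - bits)
        cand |= (1 << (bits - 1)) | 1            # full length, odd
        if rejected >= skip and is_probable_prime(cand):
            return cand, rejected
        rejected += 1

def rsa_keypair(passphrase, bits=512, hint=(0, 0)):
    """RSA key from a passphrase-seeded PRNG. `hint` = rejected-candidate
    counts; my reading of the "remember a hint" trick, not Schiller's spec."""
    gen = drbg(hashlib.sha256(passphrase.encode()).digest())
    e = 65537
    while True:
        p, sp = gen_prime(gen, bits // 2, hint[0])
        q, sq = gen_prime(gen, bits // 2, hint[1])
        hint = (0, 0)                            # only the first try is hinted
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1)), (sp, sq)

def dictionary_attack(derive, public_key, guesses):
    """Rescorla's attack: regenerate the public key from each guess and
    compare. Needs only the victim's public key, not a stolen keyring."""
    for guess in guesses:
        if derive(guess)[0] == public_key:
            return guess
    return None

if __name__ == "__main__":
    WORDLIST = ["password", "letmein", "swordfish"]   # constructed sample
    for derive in (ec_keypair, rsa_keypair):
        pub = derive("swordfish")[0]
        print(derive.__name__, "recovered:", dictionary_attack(derive, pub, WORDLIST))
```

The attacker's cost per guess is exactly one key derivation, which is the "slower test operation" in the reply: a scalar multiplication for the EC scheme, a full prime search for RSA. Publishing the hint does not help the attacker much, since a wrong passphrase seeds a different candidate stream and the hinted offsets are then meaningless, but it lets the legitimate user skip the primality testing of every rejected candidate on regeneration.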



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



