[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Perry E. Metzger perry at piermont.com
Thu Sep 5 21:02:00 EDT 2013


On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> "Perry E. Metzger" <perry at piermont.com> writes:
> 
> >I would like to open the floor to *informed speculation* about
> >BULLRUN.
> 
> Not informed since I don't work for them, but a connect-the-dots:
> 
> 1. ECDSA/ECDH (and DLP algorithms in general) are incredibly
> brittle unless you get everything absolutely perfectly right.

I'm aware of the randomness issues for ECDSA, but what's the issue
with ECDH that you're thinking of?

> 2. The NSA has been pushing awfully hard to get everyone to switch
> to ECDSA/ECDH.

Yes, and 24 hours ago I would have said that was because they
themselves depended on the use of commercial products with such
algorithms available (as in Suite B.) Now I'm less sure.

> Wasn't Suite B promulgated in the 2005-2006 period?

Yes, though it doesn't sound like Suite B is what the article
meant when discussing standards.

> Peter (who chooses RSA over ECC any time, follow a few basic rules
> and you're safe with RSA while ECC is vulnerable to all manner of
> attacks, including many yet to be discovered).

Many people out there seem to claim the opposite of course. The
current situation doesn't give us a definitive way to resolve such an
argument.

RSA certainly appears to require vastly longer keys for the same
level of assurance as ECC.

-- 
Perry E. Metzger		perry at piermont.com

