[Cryptography] Opening Discussion: Speculation on "BULLRUN"
Perry E. Metzger
perry at piermont.com
Thu Sep 5 21:02:00 EDT 2013
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> "Perry E. Metzger" <perry at piermont.com> writes:
>
> >I would like to open the floor to *informed speculation* about
> >BULLRUN.
>
> Not informed since I don't work for them, but a connect-the-dots:
>
> 1. ECDSA/ECDH (and DLP algorithms in general) are incredibly
> brittle unless you get everything absolutely perfectly right.
I'm aware of the randomness issues for ECDSA, but what's the issue
with ECDH that you're thinking of?
> 2. The NSA has been pushing awfully hard to get everyone to switch
> to ECDSA/ECDH.
Yes, and 24 hours ago I would have said that was because they
themselves depended on the use of commercial products with such
algorithms available (as in Suite B.) Now I'm less sure.
> Wasn't Suite B promulgated in the 2005-2006 period?
Yes, though it doesn't sound like Suite B is what the article
meant when discussing standards.
> Peter (who chooses RSA over ECC any time, follow a few basic rules
> and you're safe with RSA while ECC is vulnerable to all manner of
> attacks, including many yet to be discovered).
Many people out there seem to claim the opposite of course. The
current situation doesn't give us a definitive way to resolve such an
argument.
RSA certainly appears to require vastly longer keys for the same
level of assurance as ECC.
--
Perry E. Metzger perry at piermont.com