[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Jon Callas jon at callas.org
Thu Sep 5 22:19:12 EDT 2013


On Sep 5, 2013, at 7:01 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> "Perry E. Metzger" <perry at piermont.com> writes:
>> I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>> that you're thinking of?
> It's not just randomness, it's problems with DLP-based crypto in general.  For
> example there's the scary tendency of DLP-based ops to leak the private key
> (or at least key bits) if you get even the tiniest thing wrong.  For example
> if you follow DSA's:
>  k = G(t,KKEY) mod q
> then you've leaked your x after a series of signatures, so you need to know 
> that you generate a larger-than-required value before reducing mod q.  The
> whole DLP family is just incredibly brittle.

I don't disagree by any means, but I've been through brittleness with both discrete log and RSA, and it seems like only a month ago that people were screeching to get off RSA over to ECC to avert the "cryptocalypse." And that the ostensible reason was that there are new discrete log attacks -- which was just from Mars and I thought that that proved the people didn't know what they were talking about. Oh, wait, it *was* only a month ago! Silly me.

"Crypto experts issue a call to arms to avert the cryptopocalypse"


Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a finite field that's hard to understand. It all sucks.

>> RSA certainly appears to require vastly longer keys for the same level of
>> assurance as ECC.
> That's assuming that the threat is cryptanalysis rather than bypass.  Why
> bother breaking even 1024-bit RSA when you can bypass?

And now we're back to the hymnal you and I have been singing from. It ain't the crypto, it's the software.


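The nonce bias Gutmann describes above, as an added example that is not part of the original post or of any DSA implementation: a hash output of exactly N bits reduced mod an N-bit q makes the small residues [0, 2^N - q) reachable from two hash outputs each, so those k values occur roughly twice as often. Lattice (hidden-number-problem) attacks on DSA/ECDSA turn exactly that kind of top-bit bias over a series of signatures into the private key x; the example below does not implement that attack, it only measures the bias and shows the FIPS 186-4 B.2.1 remedy (draw N+64 bits, reduce mod q-1, add 1). The modulus q = 3*2^30 + 1 (a 32-bit prime), the key string standing in for KKEY, and the SHA-256-based stand-in for G(t, KKEY) are all assumptions chosen so the effect is large enough to see; real DSA uses a 160- to 256-bit q.

```python
import hashlib

# Assumed toy parameters (not from the original post): a 32-bit prime subgroup
# order, chosen so that 2**N - q is about q/3 and the bias is easy to observe.
Q = 3 * 2**30 + 1
N = Q.bit_length()              # 32
KKEY = b"constructed-example-KKEY"  # stand-in for the secret seed DSA calls KKEY
WRAP = 2**N - Q                 # residues in [0, WRAP) have two N-bit preimages mod Q


def G(t: int, key: bytes, nbits: int) -> int:
    """Stand-in for DSA's PRF G(t, KKEY): SHA-256 over key||t, truncated to nbits.
    Any well-behaved PRF shows the same effect; SHA-256 is only an assumption here."""
    digest = hashlib.sha256(key + t.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def k_naive(t: int) -> int:
    """k = G(t, KKEY) mod q with G producing exactly N bits: the biased construction."""
    return G(t, KKEY, N) % Q


def k_extra_bits(t: int) -> int:
    """FIPS 186-4 B.2.1 style: take N+64 bits before reducing, so the residual bias
    is on the order of 2**-64 instead of ~2**-1 on the top bit."""
    c = G(t, KKEY, N + 64)
    return (c % (Q - 1)) + 1    # always in [1, q-1]


def uniform_wrap_fraction() -> float:
    """Fraction of [0, q) that the wrap region occupies; a uniform k hits it this often."""
    return WRAP / Q


def fraction_in_wrap_region(gen, samples: int) -> float:
    """Empirical fraction of nonces from gen(t) that land in [0, 2**N - q).
    For the naive reduction this is about twice uniform_wrap_fraction()."""
    hits = sum(1 for t in range(samples) if gen(t) < WRAP)
    return hits / samples


if __name__ == "__main__":
    n = 20000
    print(f"uniform expectation : {uniform_wrap_fraction():.3f}")
    print(f"k = G(t) mod q      : {fraction_in_wrap_region(k_naive, n):.3f}")
    print(f"N+64 bits, then mod : {fraction_in_wrap_region(k_extra_bits, n):.3f}")
```

With this q the wrap region is about a third of [0, q), so a uniform nonce lands there about 33% of the time while the naive construction lands there about 50% of the time; the 64 extra bits bring the measured fraction back to the uniform value. The same check, with the real q and a large enough sample, is a cheap sanity test to run against any nonce generator before trusting it with signing keys.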

