[Cryptography] New attacks on discrete logs?

David Johnston dj at deadhat.com
Fri May 23 19:12:54 EDT 2014


On 5/22/2014 2:14 AM, Hanno Böck wrote:
>
> DSA, ElGamal, Diffie-Hellman, ECC-based crypto etc. are all still safe.
>
> So there are two things to learn from this research:
> a) If you invent a new cryptosystem, don't rely on discrete log
> hardness in finite fields of small characteristics.
> b) Maybe (but very very unlikely) these results can be extended to
> discrete logs in general. Then lots of crypto is screwed. But most
> people who know this stuff don't think there's any chance this can be
> extended to normal discrete logs.
>
>
However, I have to think about what crypto to adopt to put in mass-market 
chips; they take a long time to put into those chips, and those chips 
persist in the market for a long time. So I have to imagine the worst 
case that might occur in the next 6 or so years.

a) Was presented two weeks ago. I was there; it was the first 
presentation of the week, we were all jetlagged, and the response was 
rather muted compared to the breathless press articles. But it's one in 
a series of findings. They're digging a rich seam and I expect the bounds 
to be expanded.

What I see is a chipping away at some curves and the DLP in some 
classes of finite fields in some contexts. GF(2^n) is very popular due 
to its engineering simplicity. Extend that a few years and there is a 
risk that the attacks against the DLP might become more general and the 
small-characteristic limit might become less small. I don't consider (b) 
to be so very unlikely, or at least it's not something to bet billions 
of dollars of business on.

So that tells me:
1) If RSA is fine, use it.
2) If you do things in fields (EC etc.), use prime fields.
3) Be skeptical of new schemes. The world of small things is throwing up 
lots of these 'resource constrained' solutions.

From a 'crypto is fun' perspective, ECC and EDH are great. From a 
laying down silicon perspective, they're rather scary.
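A small configuration audit in the spirit of recommendation (2) above, added here as an example and not part of the original post or of any project: it takes an OpenSSL-style colon-separated curve list and flags the binary-field (characteristic-2) curves, offering a prime-field substitute for each. The classification relies on the real SECG (sect*/secp*), NIST (B-*/K-*/P-*), ANSI X9.62 (c2pnb*/c2tnb*/c2onb*) and OpenSSL (prime*v*) naming conventions; the colon-separated input format, the sample curve list and the field-size replacement heuristic are assumptions made for this example.

```python
import re

# Curve-name conventions used below are the real SECG / NIST / ANSI X9.62 / OpenSSL
# ones; the audit helper itself is constructed for this example.
#   SECG:  sect*  = binary field GF(2^m) ("t" for two),  secp* = prime field GF(p)
#   NIST:  B-*, K-* = binary-field curves,  P-* = prime-field curves
#   X9.62: c2pnb*/c2tnb*/c2onb* = characteristic-two curves
#   OpenSSL aliases: prime*v* (e.g. prime256v1 = P-256); brainpoolP* and
#   X25519/X448/Ed25519/Ed448 are all defined over prime fields.
BINARY_FIELD = [
    re.compile(r"^sect\d+[kr]\d$", re.I),
    re.compile(r"^[BK]-\d+$"),
    re.compile(r"^c2[pto]nb\d+[a-z]\d$", re.I),
]
PRIME_FIELD = [
    re.compile(r"^secp\d+[kr]\d$", re.I),
    re.compile(r"^P-\d+$"),
    re.compile(r"^prime\d+v\d$", re.I),
    re.compile(r"^brainpoolP\d+[rt]\d$", re.I),
    re.compile(r"^(X25519|X448|Ed25519|Ed448)$", re.I),
]

# Prime-field replacements offered for a binary-field curve, chosen by field size.
# Assumption for this example: pick the first candidate whose field is at least as
# large as the binary curve's field. This is a coarse size heuristic, not a
# security-level equivalence (Koblitz curves in particular give up a few bits).
PRIME_CANDIDATES = [("P-256", 256), ("P-384", 384), ("P-521", 521)]


def classify(name):
    """Return 'binary', 'prime' or 'unknown' for one curve name."""
    if any(p.match(name) for p in BINARY_FIELD):
        return "binary"
    if any(p.match(name) for p in PRIME_FIELD):
        return "prime"
    return "unknown"


def field_bits(name):
    """Extract the field size embedded in a binary-curve name (sect283k1 -> 283)."""
    m = re.search(r"\d{3,}", name)
    return int(m.group(0)) if m else None


def recommend_prime_curve(binary_name):
    """Smallest candidate prime-field curve with a field no smaller than the input's."""
    bits = field_bits(binary_name) or 0
    for cand, size in PRIME_CANDIDATES:
        if size >= bits:
            return cand
    return PRIME_CANDIDATES[-1][0]  # nothing large enough: offer the largest we have


def audit_curve_list(spec):
    """Audit an OpenSSL-style colon-separated curve list.

    Returns a dict with 'binary' (list of (name, replacement) pairs), 'prime'
    (names that already meet the prime-field recommendation) and 'unknown'
    (names the conventions above do not cover, left for manual review).
    """
    report = {"binary": [], "prime": [], "unknown": []}
    for name in filter(None, spec.split(":")):
        kind = classify(name)
        if kind == "binary":
            report["binary"].append((name, recommend_prime_curve(name)))
        else:
            report[kind].append(name)
    return report


def hardened_curve_list(spec):
    """Rewrite the list so every binary-field curve becomes a prime-field one,
    keeping the original order and dropping exact duplicate names."""
    out = []
    for name in filter(None, spec.split(":")):
        new = recommend_prime_curve(name) if classify(name) == "binary" else name
        if new not in out:
            out.append(new)
    return ":".join(out)


if __name__ == "__main__":
    # Constructed sample: a mixed curve list such as an OpenSSL 'Curves' directive.
    sample = "sect283k1:P-256:X25519:secp384r1:B-571:prime256v1:c2pnb163v1"
    for name, repl in audit_curve_list(sample)["binary"]:
        print(f"binary-field curve {name}: replace with {repl}")
    print("hardened:", hardened_curve_list(sample))
```

Unknown names are deliberately reported rather than silently accepted, since a name that matches none of the conventions is exactly the kind of 'new scheme' recommendation (3) says to look at twice.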
