[Cryptography] open questions in secure protocol design?

Tony Arcieri bascule at gmail.com
Fri May 29 21:49:53 EDT 2015


On Fri, May 29, 2015 at 6:24 PM, ianG <iang at iang.org> wrote:

>> Strongly disagree. I have a long-form comment on this as part of this
>> blog post (see "A Bitcoin Crypto Meltdown")
>>
>> http://tonyarcieri.com/the-death-of-bitcoin
>>
>
>
> Except, you changed the topic.  Coming back to the topic ... do you
> disagree that Bitcoin uses one alg for each function?  Oh wait, your post
> is about how you agree that it's only using one alg.
>
> Your real disagreement is that you don't like that it is using one alg,
> and predict it will therefore melt-down :)
>

Satoshi chose a bad curve. Nobody who knows anything about ECC would
suggest using secp256k1 over Curve25519. They should switch, if only
because that 1-bit backdoor is particularly scary, but they can't do that
easily because the Bitcoin protocol has nothing to signal that wallet keys
are anything but ECDSA with secp256k1.

> Actually, I suspect regardless of our views, Bitcoin is locked into the
> 1TCS for now.  Because if they add another algorithm, it is totally
> worthless until every client has got it.  Which to paraphrase Peter "will
> make them think."  And we will benefit from the experience.


I expect that Bitcoin and/or future pubkey-based decentralized transaction
consensus protocols will begin switching to Ed25519 soon. The interop
problem is a difficult one, and the reason why most sites continue to use
RSA certificates for TLS. But forward progress is possible. AES-GCM is
seeing widespread usage now where just a few years ago AES-CBC and RC4 were
the norm.

Given Bitcoin's lack of cipher agility, using Ed25519 instead of secp256k1
provides another checkmark on a gumball chart for any would-be Bitcoin
killer. Secure elliptic curve according to safecurves.cr.yp.to? Usurper:
check.

-- 
Tony Arcieri