[Cryptography] [FORGED] Re: Why is ECC secure?

Tony Arcieri bascule at gmail.com
Sun May 31 12:55:46 EDT 2015


On Sun, May 31, 2015 at 5:52 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>
wrote:

> Tony Arcieri <bascule at gmail.com> writes:
>
> >But RSA has failed spectacularly for lots and lots of reasons because it has
> >sharp edges that don't exist in ECC
>
> That's mostly just bad implementation issues


Yes, but these are implementation issues which come up quite frequently in
practice and where I can point to specific examples of crypto tools that
have been broken because of them.


> It's the DLP-based cryptosystems that are the really brittle ones,
> starting with their scary propensity to leak bits of, or in some cases
> all of, the private key if you get the slightest thing wrong.


Show me one real-world example of a Montgomery ladder-based ECC system
leaking a private key because of a usage mistake.


> Heck, even in normal operation with nothing done wrong, you can still
> leak bits of private data (I'm thinking of the recent discussion about
> the appropriate choice of DH primes on the TLS list, where you end up
> leaking a bit of the private data for each DH exchange).
>

Lumping ECC together with classical finite field-based DH is a category
fallacy. They have different characteristics, so comparing them this way is
apples to oranges.

-- 
Tony Arcieri