[Cryptography] [FORGED] Re: Why is ECC secure?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun May 31 08:52:08 EDT 2015


Tony Arcieri <bascule at gmail.com> writes:

>But RSA has failed spectacularly for lots and lots of reasons because it has
>sharp edges that don't exist in ECC

Those are mostly just bad implementation issues, at which point you may as well
call using fixed pre-generated keys shared across tens of thousands of systems
and publishing your server.pem in webroot as RSA weaknesses as well.  It's the
DLP-based cryptosystems that are the really brittle ones, starting with their
scary propensity to leak bits of, or in some cases all of, the private key if
you get the slightest thing wrong.  Heck, even in normal operation with
nothing done wrong, you can still leak bits of private data (I'm thinking of
the recent discussion about the appropriate choice of DH primes on the TLS
list, where you end up leaking a bit of the private data for each DH
exchange).

(Another thing about this is that we've had 30 years of RSA use to try and
iron out the bugs, while ECC is just starting to take off.  Given an
intrinsically brittle algorithm and not too much experience so far in finding
all the ways you can get things wrong, I expect to see lots more ECC failures
in the upcoming years).

>tl;dr: RSA sucks. Stop using it.

I would have said the same thing for DLP-based PKCs.

Peter.
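
An added illustration of the two DLP failure modes described above; this is
editor-supplied example code, not part of Peter's message or of the thread.
The first part is the per-exchange leak he refers to: with a safe prime
p = 2q+1 and g = 2, if p is 3 mod 8 then 2 is a quadratic non-residue and the
Legendre symbol of the public value g^x mod p equals (-1)^x, so every DH
exchange hands an eavesdropper the low bit of the exponent; with p equal to
7 mod 8 (the shape of the RFC 7919 groups) or with g = 4 nothing leaks.  The
second part shows the "all of the private key" case in its best-known form,
a DSA nonce reused across two signatures; that is a well-known instance of the
brittleness he describes, not something the message itself names.  Group
sizes, seeds and the two hash values are constructed toy values, and the
function names are the example's own.

```python
"""Two ways DLP-based systems leak private data when a detail is wrong.

Added example for this thread, not code from the original message.  Group
sizes are tiny so the arithmetic is visible; real parameters are 2048+ bits.
"""
import math
import random


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion: 1 for a QR, -1 for a non-residue."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def safe_prime(bits, residue_mod_8, rng):
    """Random safe prime p = 2q + 1 of about `bits` bits with p % 8 == residue_mod_8."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if p % 8 == residue_mod_8 and is_prime(q) and is_prime(p):
            return p


# --- Leak 1: one bit of the DH exponent per exchange -------------------------
def exponent_parity_leak(p, g, x):
    """What an eavesdropper learns about x from the public value y = g^x mod p.

    The Legendre symbol is multiplicative, so (y/p) = (g/p)^x.  If g is a
    non-residue (g = 2 with p = 3 mod 8), (y/p) = (-1)^x and y reveals x mod 2.
    If g is a QR, every y is a QR and the symbol carries no information.
    """
    if legendre(g, p) != -1:
        return None
    y = pow(g, x, p)
    return 0 if legendre(y, p) == 1 else 1


def demo_parity_leak(seed=1, trials=16):
    rng = random.Random(seed)
    p_bad = safe_prime(20, 3, rng)   # 2 is a non-residue: generates the whole group of order 2q
    p_good = safe_prime(20, 7, rng)  # 2 is a QR: generates the order-q subgroup
    xs = [rng.randrange(1, p_bad - 1) for _ in range(trials)]
    return {
        "p_bad": p_bad,
        "p_good": p_good,
        "bad_prime_leaks_parity": all(exponent_parity_leak(p_bad, 2, x) == x % 2 for x in xs),
        "good_prime_leaks_nothing": all(exponent_parity_leak(p_good, 2, x) is None for x in xs),
        # g = 4 = 2^2 is a QR modulo any prime, so squaring the generator also closes the leak
        "squared_generator_leaks_nothing": all(exponent_parity_leak(p_bad, 4, x) is None for x in xs),
    }


# --- Leak 2: the whole DSA key from one repeated nonce ------------------------
def dsa_group(rng, qbits=16):
    """Toy DSA-style group: primes q and p = k*q + 1, and g of order q."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_prime(q):
            continue
        for k in range(2, 1 << 12, 2):
            p = k * q + 1
            if is_prime(p):
                g = pow(2, k, p)  # 2^((p-1)/q) has order q unless it equals 1
                if g != 1:
                    return p, q, g


def dsa_sign(p, q, g, x, h, k):
    """Textbook DSA signature of hash value h under private key x with nonce k."""
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h + x * r) % q
    return r, s


def recover_from_nonce_reuse(q, h1, sig1, h2, sig2):
    """Two signatures made with the same k share r; solve for k, then for x."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: the nonces differ, nothing to recover")
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q   # s1 - s2 = k^-1 (h1 - h2)
    x = (s1 * k - h1) * pow(r1, -1, q) % q           # s1 k = h1 + x r1
    return k, x


def demo_nonce_reuse(seed=1):
    rng = random.Random(seed)
    p, q, g = dsa_group(rng)
    x = rng.randrange(1, q)   # long-term private key
    k = rng.randrange(1, q)   # nonce, wrongly reused for both signatures below
    h1 = rng.randrange(1, q)  # constructed stand-ins for two distinct message hashes
    h2 = rng.randrange(1, q)
    while h2 == h1:
        h2 = rng.randrange(1, q)
    sig1 = dsa_sign(p, q, g, x, h1, k)
    sig2 = dsa_sign(p, q, g, x, h2, k)
    k_rec, x_rec = recover_from_nonce_reuse(q, h1, sig1, h2, sig2)
    return {"x": x, "x_recovered": x_rec, "k": k, "k_recovered": k_rec}


if __name__ == "__main__":
    print(demo_parity_leak())
    print(demo_nonce_reuse())
```

The parity leak is a property of the parameters, not of any implementation
bug, which is what makes it a good match for the "nothing done wrong" case in
the message: the fix is to pick p so that the generator lands in the order-q
subgroup, or to square the generator.  The nonce-reuse recovery needs nothing
but the two public signatures and the group order q.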

