[Cryptography] Why is ECC secure?

Ryan Carboni ryacko at gmail.com
Sun May 31 04:43:17 EDT 2015


Okay, the difference between ECC and RSA is that RSA is so simple that it
can be incompetently implemented, and ECC is so complex that it can be
incompetently implemented.

> True, if you're talking about ECDSA, but ECDSA sucks. Use EdDSA and this
> isn't a problem.

Nonce reuse is still a problem.

> tl;dr: RSA sucks. Stop using it.

There is such a thing as SSL accelerators. ASICs aren't just for the NSA
and the EFF.


And it's the cost of security. If your threat model requires security
against agencies, ECC isn't sufficiently proven. No one has shown how the
NIST curves leak. Not even a weak attack.

2048-bit RSA will provide security for the indefinite future, even versus
TWIRL.

Considering that GOST was designed in the 80s, and the Slide Attack was
discovered a decade later, and DES was designed in the seventies and the
Differential Attack was discovered a decade and a half later, I won't be
confident in non-NSA designed ECC against cryptanalytic attack until 2020.

That and, how do you protect against attacks you don't understand? It is
quite an accomplishment for a blind man to become a fencing champion.