[Cryptography] [FORGED] Re: ratcheting DH strengths over time
ianG
iang at iang.org
Sat Nov 21 06:38:10 EST 2015
On 16/11/2015 02:25 am, Peter Gutmann wrote:
> Tony Arcieri <bascule at gmail.com> writes:
>
>> There is no reason to use FFDH anymore save for legacy compatibility or a
>> catastrophic failure of ECC. Use ECDH instead.
>
> [Citation needed]
>
> (Specifically, one that doesn't simply defer to numerology).
This one specifically refers to numerology, but in an appropriate way,
with citations and shakedowns ;-)
http://blog.cr.yp.to/20151120-batchattacks.html
...
The third response produces a reasonable level of security: ECDHE, as
actually implemented, doesn't allow any small groups. Properly
implementing ECDHE with NIST P-256 isn't easy, but all of the critical
pitfalls here are eliminated by next-generation ECC. The performance of
NIST P-256 is already acceptable for many sites, and I expect the
performance of next-generation ECC to be acceptable for almost all sites.
One can mix and match responses: for example, use ECDHE with a
server-specific elliptic curve. But it's better to use ECDHE with a
larger shared curve. Compared to a server-specific curve, a larger
shared curve saves bandwidth; in most situations ends up saving CPU
time; and has larger benefits against all known attacks.
...
(by djb)
iang
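Added example, not from the thread or from djb's post: the small-subgroup validation an FFDH peer has to perform on an offered group and on the other side's public key, which is the class of check the quoted passage says ECDHE with a fixed named curve avoids structurally. The parameters are constructed toy values; a real deployment would use a standardised group such as those in RFC 7919.

```python
"""Small-subgroup checks for finite-field DH (FFDH) groups and peer keys.

Added example, not code from the thread or djb's post. Unlike ECDHE with a
named curve, FFDH lets the server offer any (p, g), so the client must
check the group and the peer key itself. Toy-sized constructed parameters.
"""


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases (deterministic for n < 3.1e23;
    use random bases for real moduli)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2^s with d odd
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False      # a is a witness: n is composite
    return True


def validate_group(p: int, g: int) -> bool:
    """Accept only a safe prime p = 2q+1 with g generating the order-q subgroup."""
    if not is_probable_prime(p):
        return False
    q = (p - 1) // 2
    if p != 2 * q + 1 or not is_probable_prime(q):
        return False          # (p-1)/2 composite: small subgroups exist
    return 1 < g < p - 1 and pow(g, q, p) == 1


def validate_peer_key(p: int, y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (key confinement)."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    # Constructed toy group: p = 23 = 2*11 + 1, g = 4 has order 11.
    print(validate_group(23, 4), validate_group(31, 3), validate_peer_key(23, 22))
```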