[Cryptography] composing EC & RSA encryption?

ianG iang at iang.org
Sun Oct 25 08:42:27 EDT 2015


The recent "distancing" news from NSA concerning ECC and their view that 
QC is coming sooner [0] rather than later has somewhat upset things.

Before, we seemed comfortable with the trend to ECC as the future.  Now, 
it's not clear.

Yet bets have to be made - a protocol invented today should probably 
want to survive between 10 and 20 years if we draw from the OODA loop of 
good upgraders versus lazy laggards.  I'm at the moment wondering which 
way a new OpenPGP PK algorithm would go, which should preferably last 
even longer because of its traffic matter.



Is it possible / reasonable / practical to compose the two together into 
one algorithm?  And thus achieve some sort of agnostic defence against 
future developments that favour a break in one over the other?

An EC/RSA signing form is easy - just make one signature in RSA and one 
in EC, and we're done.  At least at a trivial level, this works, 
although I imagine it might be possible to do better - interesting work 
for a grad student perhaps.

But what about encryption?  Doing that in parallel makes it weaker; it 
would have to be done in serial.

If one encrypts using RSA and then EC, does that run into problems with 
"groups"?

Does the ordering matter?  If there is an easy break in EC would it 
matter much if it were the first or the second?

Or, do we copy the triple DES construction and do EC-RSA-EC?  Chosen 
that way because the EC part is faster...



As a side comment, it does rather seem that there will be pressure to 
preserve the key length as an option in PK protocols.  Which is IMHO 
unfortunate because it opens the door to weak keylengths in future 
downgrade attacks instead of an orderly length upgrade process to deal 
with the lazy laggards problem.  But that fight seems unwinnable for the 
moment.



iang


[0] a confirming commentary on NSA position is here:
https://twitter.com/amarchenkova/status/657250390035992576
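
The trivial EC/RSA signing form mentioned in the message (one RSA signature plus one EC signature over the same message), as an added Go example that is not part of the original post. RSA-PSS with a 2048-bit key, ECDSA on P-256, SHA-256 and all function names are assumptions chosen for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeys generates one constructed sample key of each kind (sizes are assumptions).
func NewKeys() (*rsa.PrivateKey, *ecdsa.PrivateKey, error) {
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ek, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return rk, ek, err
}

// Sign produces two independent signatures over the same SHA-256 digest.
func Sign(rk *rsa.PrivateKey, ek *ecdsa.PrivateKey, msg []byte) (rsaSig, ecSig []byte, err error) {
	d := sha256.Sum256(msg)
	rs, err := rsa.SignPSS(rand.Reader, rk, crypto.SHA256, d[:], nil)
	if err != nil {
		return nil, nil, err
	}
	es, err := ecdsa.SignASN1(rand.Reader, ek, d[:])
	return rs, es, err
}

// Verify accepts only when BOTH signatures check out. Accepting either one
// alone would leave the pair only as strong as the weaker algorithm.
func Verify(rp *rsa.PublicKey, ep *ecdsa.PublicKey, msg, rsaSig, ecSig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(rp, crypto.SHA256, d[:], rsaSig, nil) == nil && ecdsa.VerifyASN1(ep, d[:], ecSig)
}

func main() {
	rk, ek, err := NewKeys()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message")
	r, e, _ := Sign(rk, ek, msg) // on error both are nil and Verify rejects
	fmt.Println(Verify(&rk.PublicKey, &ek.PublicKey, msg, r, e), Verify(&rk.PublicKey, &ek.PublicKey, msg, r, nil))
}
```

Both signatures here share one hash function, so the composition only hedges between RSA and EC, not against a break of the hash.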

