[Cryptography] composing EC & RSA encryption?
ianG
iang at iang.org
Sun Oct 25 08:42:27 EDT 2015
The recent "distancing" news from NSA concerning ECC and their view that
QC is coming sooner [0] rather than later has somewhat upset things.
Before, we seemed comfortable with the trend to ECC as the future. Now,
it's not clear.

Yet bets have to be made - a protocol invented today should probably
want to survive between 10 and 20 years if we draw from the OODA loop of
good upgraders versus lazy laggards. I'm at the moment wondering which
way a new OpenPGP PK algorithm would go, which should preferably last
even longer because of its traffic matter.

Is it possible / reasonable / practical to compose the two together into
one algorithm? And thus achieve some sort of agnostic defence against
future developments that favour a break in one over the other?

An EC/RSA signing form is easy - just make one signature in RSA and one
in EC, and we're done. At least at a trivial level, this works,
although I imagine it might be possible to do better - interesting work
for a grad student perhaps.

But what about encryption? Doing that in parallel makes it weaker, it
would have to be done in serial.

If one encrypts using RSA and then EC, does that run into problems with
"groups"?

Does the ordering matter? If there is an easy break in EC would it
matter much if it were the first or the second?

Or, do we copy the triple DES construction and do EC-RSA-EC? Chosen
that way because the EC part is faster...

As a side comment, it does rather seem that there will be pressure to
preserve the key length as an option in PK protocols. Which is IMHO
unfortunate because it opens the door to weak keylengths in future
downgrade attacks instead of an orderly length upgrade process to deal
with the lazy laggards problem. But that fight seems unwinnable for the
moment.

iang

[0] a confirming commentary on NSA position is here:
https://twitter.com/amarchenkova/status/657250390035992576
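
The dual-signature form mentioned in the post (one RSA signature plus one EC signature, both required at verification), as an added example that is not part of the original message. It uses the Go standard library; RSA-PSS with a 2048-bit key, ECDSA over P-256 and SHA-256 are assumptions chosen here, and `DualKey`, `DualSig`, `NewDualKey` and `Verify` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type DualKey struct { // DualKey and DualSig are hypothetical names for this example
	RSA *rsa.PrivateKey
	EC  *ecdsa.PrivateKey
}
type DualSig struct{ RSA, EC []byte }

func NewDualKey() (*DualKey, error) {
	r, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	e, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &DualKey{r, e}, err
}

// Sign makes one RSA-PSS and one ECDSA signature over the same SHA-256 digest (the hash is a shared dependency).
func (k *DualKey) Sign(msg []byte) (DualSig, error) {
	h := sha256.Sum256(msg)
	rs, err := rsa.SignPSS(rand.Reader, k.RSA, crypto.SHA256, h[:], nil)
	if err != nil {
		return DualSig{}, err
	}
	es, err := ecdsa.SignASN1(rand.Reader, k.EC, h[:])
	return DualSig{rs, es}, err
}

// Verify accepts only when BOTH signatures verify, so a missing or invalid half is a rejection, never a fallback.
func Verify(rp *rsa.PublicKey, ep *ecdsa.PublicKey, msg []byte, s DualSig) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(rp, crypto.SHA256, h[:], s.RSA, nil) == nil && ecdsa.VerifyASN1(ep, h[:], s.EC)
}

func main() {
	k, _ := NewDualKey()
	msg := []byte("constructed sample message")
	s, _ := k.Sign(msg)
	fmt.Println("accepted:", Verify(&k.RSA.PublicKey, &k.EC.PublicKey, msg, s))
}
```

The AND in `Verify` is what carries the composition: a verifier that accepts either half alone is only as strong as the weaker scheme.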