[Cryptography] On the Impending Crypto Monoculture

Phillip Hallam-Baker phill at hallambaker.com
Sat Mar 26 12:30:20 EDT 2016


On Fri, Mar 25, 2016 at 4:08 PM, Stephen Farrell
<stephen.farrell at cs.tcd.ie> wrote:
>
>
> On 25/03/16 08:51, Brian Gladman wrote:
>> So I can understand the IETF
>> motivation for wanting to 'start again and do it better this time'. But
>> I don't see their argument for throwing out primitives such as AES that
>> are now very widely supported and have proved to be effective in real
>> use.
>
> The IETF is not doing that.
>
> Peter's essay is misleading.
>
> We are not heading for a monoculture.
>
> AES, HMAC, RSA, ECDH and ECDSA are not going away for
> sure.
>
> It is true that the set of new algorithms being considered
> recently is DJB-dominated. (Password hashing is not his.)

We ended up with a different construction for Curve25519 crypto and
Curve448 in fact.

Remember that you don't get stronger crypto protocols by adding
stronger algorithms. You get stronger crypto by taking out the weak
ones.

Right now, about 70% of the crypto algorithms commonly deployed are
junk and we have a lot of pointless variation in variants between
protocols. In particular the EC curves situation is a mess. We had too
many choices and no idea which were backdoored or not. And no,
Brainpool didn't solve that.

I would like us to get to the point where we have two algorithms for
each primitive that are implemented for every active IETF protocol.
These are a current algorithm and a backup in case of problems.

I am not so happy with the ChaCha and Poly choices. I would prefer
that we had a competition to choose a backup symmetric algorithm.

Right now RSA is still the default algorithm and the Elliptic Curve
algorithms are going to be backups. I suspect that will remain the
situation for quite a while, possibly until we start getting quantum
resistant algorithms we can use.
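The "one current algorithm plus one backup per primitive, and nothing else negotiable" policy described above can be made concrete in code. The following is an added illustration, not code from the thread or from any IETF protocol. It uses only the Python standard library, so the primitive shown is a MAC (HMAC over a hash) standing in for the cipher and curve choices the message is about; the algorithm names, the `APPROVED_MACS` list and the `exchange` helper are all assumptions made for the example. The point it demonstrates is that negotiation runs over the intersection of the peer's offer and the approved list in the server's preference order, so a peer that offers only unapproved algorithms is refused rather than downgraded.

```python
"""Algorithm agility with a current and a backup algorithm per primitive.

Added example (not from the mailing-list post). Standard library only:
HMAC over a hash stands in for the symmetric/EC choices in the thread.
"""
import hashlib
import hmac

# Assumed policy: exactly two approved algorithms for the MAC primitive,
# listed in preference order (current first, backup second). Anything
# not in this tuple is treated as removed and can never be negotiated.
APPROVED_MACS = ("hmac-sha256", "hmac-sha512")

# Hash constructor per approved name; deliberately no entries for
# weak constructions such as hmac-md5, so they cannot be selected.
_HASHES = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def negotiate_mac(offered, approved=APPROVED_MACS):
    """Pick the first approved algorithm (server preference order) that
    the peer also offers. Returns None when there is no overlap, so a
    peer offering only unapproved names fails closed instead of getting
    a downgrade."""
    offered_set = set(offered)
    for alg in approved:
        if alg in offered_set:
            return alg
    return None


def mac(alg, key, message):
    """Compute a tag with an approved algorithm only."""
    if alg not in _HASHES:
        raise ValueError(f"refusing unapproved MAC algorithm {alg!r}")
    return hmac.new(key, message, _HASHES[alg]).digest()


def verify(alg, key, message, tag):
    """Constant-time tag comparison."""
    return hmac.compare_digest(mac(alg, key, message), tag)


def exchange(client_offer, key, message):
    """One simplified round: server negotiates, client tags, server
    verifies. Returns (chosen_algorithm, verified)."""
    alg = negotiate_mac(client_offer)
    if alg is None:
        return None, False
    tag = mac(alg, key, message)      # client side
    return alg, verify(alg, key, message, tag)  # server side


if __name__ == "__main__":
    key = b"\x00" * 32                 # constructed demo key, not secret
    msg = b"constructed sample message"
    for offer in (["hmac-md5", "hmac-sha256"],   # weak + current
                  ["hmac-sha512"],               # backup only
                  ["hmac-md5", "hmac-sha1"]):    # junk only: refused
        print(offer, "->", exchange(offer, key, msg))
```

Note that adding a third "just in case" algorithm to `APPROVED_MACS` would widen the negotiation surface rather than strengthen it; the protection comes from the short approved list and the fail-closed `None` path, which is the message's point about removing weak algorithms rather than adding strong ones.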

