[Cryptography] real world binary ecc

jamesd at echeque.com jamesd at echeque.com
Fri Nov 13 19:11:30 EST 2020


On 2020-11-14 03:08, James Muir wrote:
> libsodium isn't a general purpose crypto library.  It makes (good)
> choices about the underlying crypto for the user.
> 
> but suppose you want to create a new TLS library.  Should you support
> binary curves?  or maybe you want to offer a library people could use
> when following FIPS 186-4.

Well, your customers may well want to follow NSA-FIPS 186-4, and the
customer is always right.  Not to mention wise, handsome and witty,
though I suspect they will not want elliptic curves based on binary fields.

Having several algorithms in a library that do much the same thing
multiplies points of failure.  The only reason for having redundant
algorithms is to support interaction with legacy software.  (Which one
frequently has to do.)  One should not give the application programmer a
pile of toothpicks and glue and tell him he can build whatever he likes
with them.

But anything touched by a committee has been touched by the NSA.

If you add a cup of wine to a barrel of sewage, you have a barrel of sewage.

If you add a cup of sewage to a barrel of wine, you still have a barrel of
sewage.

Obviously if everyone implements whatever cryptography is good in their
own eyes, this is very bad.

But if we have a committee to decide what cryptography everyone should
implement, this is considerably worse, as has been demonstrated by
repeated painful experience.  It is a central point of failure, and
committees are inherently failure prone.

Therefore everyone should implement the cryptographic algorithms
commanded by Jon Callas, unelected president for life of symmetric
cryptography, and Daniel Bernstein, God King of asymmetric cryptography.

