[146607] in cryptography@c2.net mail archive
Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Sep 5 21:02:30 2013
Date: Thu, 5 Sep 2013 21:02:00 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-Reply-To: <E1VHjgK-00075S-Ld@login01.fos.auckland.ac.nz>
Cc: cryptography@metzdowd.com
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:
> "Perry E. Metzger" <perry@piermont.com> writes:
>
> >I would like to open the floor to *informed speculation* about
> >BULLRUN.
>
> Not informed since I don't work for them, but a connect-the-dots:
>
> 1. ECDSA/ECDH (and DLP algorithms in general) are incredibly
> brittle unless you get everything absolutely perfectly right.

I'm aware of the randomness issues for ECDSA, but what's the issue
with ECDH that you're thinking of?

> 2. The NSA has been pushing awfully hard to get everyone to switch
> to ECDSA/ECDH.

Yes, and 24 hours ago I would have said that was because they
themselves depended on the use of commercial products with such
algorithms available (as in Suite B.) Now I'm less sure.

> Wasn't Suite B promulgated in the 2005-2006 period?

Yes, though it doesn't sound like Suite B is what the article
meant when discussing standards.

> Peter (who chooses RSA over ECC any time, follow a few basic rules
> and you're safe with RSA while ECC is vulnerable to all manner of
> attacks, including many yet to be discovered).

Many people out there seem to claim the opposite of course. The
current situation doesn't give us a definitive way to resolve such an
argument.

RSA certainly appears to require vastly longer keys for the same
level of assurance as ECC.

--
Perry E. Metzger perry@piermont.com