[146622] in cryptography@c2.net mail archive


Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Sep 5 22:07:08 2013

X-Original-To: cryptography@metzdowd.com
Date: Fri, 06 Sep 2013 14:01:31 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: perry@piermont.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <20130905210200.29b36032@jabberwock.cb.piermont.com>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

"Perry E. Metzger" <perry@piermont.com> writes:

>I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>that you're thinking of?

It's not just randomness, it's problems with DLP-based crypto in general.  For
example there's the scary tendency of DLP-based ops to leak the private key
(or at least key bits) if you get even the tiniest thing wrong.  For example
if you follow DSA's:

  k = G(t,KKEY) mod q

then you've leaked your x after a series of signatures, so you need to know
that you generate a larger-than-required value before reducing mod q.  The
whole DLP family is just incredibly brittle.

>RSA certainly appears to require vastly longer keys for the same level of
>assurance as ECC.

That's assuming that the threat is cryptanalysis rather than bypass.  Why
bother breaking even 1024-bit RSA when you can bypass?

Peter.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
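Added illustration, not part of Gutmann's message or of the list archive: it computes exactly how far k = (uniform t-bit value) mod q departs from uniform when t equals the bit length of q, which is the leak he alludes to for the original DSA k = G(t,KKEY) mod q construction, and contrasts it with drawing extra bits before reducing, the approach FIPS 186-4 Appendix B.2.1 takes with 64 extra bits. The moduli used below are constructed for the demonstration (the 160-bit one is deliberately shaped to make the bias visible and is not a DSA prime); the names reduction_bias and derive_nonce are chosen here, not taken from any standard or library.

```python
from fractions import Fraction
import secrets


def reduction_bias(t_bits: int, q: int) -> Fraction:
    """Exact total-variation distance between the distribution of (X mod q),
    X uniform over [0, 2**t_bits), and the uniform distribution on Z_q.

    Counting argument: N = 2**t_bits = m*q + rem, so residues 0..rem-1 each
    receive m+1 preimages and the remaining q-rem residues receive m.
    Summing |p_r - 1/q| over all residues and halving gives rem*(q-rem)/(q*N).
    A result of 0 means the reduction is perfectly uniform.
    """
    if t_bits < 1 or q < 2:
        raise ValueError("need t_bits >= 1 and q >= 2")
    n = 1 << t_bits
    rem = n % q
    return Fraction(rem * (q - rem), q * n)


def derive_nonce(q: int, extra_bits: int, rng=secrets.randbits) -> int:
    """Derive a per-signature secret k in [1, q-1] from a random value of
    bitlen(q) + extra_bits bits, using the FIPS 186-4 B.2.1 pattern
    k = (c mod (q-1)) + 1.  extra_bits=0 reproduces the brittle
    'reduce a same-size value' pattern; 64 is what the standard requires.
    `rng` is injectable only so the behaviour can be checked deterministically.
    """
    c = rng(q.bit_length() + extra_bits)
    return (c % (q - 1)) + 1


def bias_for_modulus(q: int) -> dict:
    """Bias of the reduced value for the two generation strategies."""
    base = q.bit_length()
    return {
        "same_size": reduction_bias(base, q),
        "plus_64_bits": reduction_bias(base + 64, q),
    }


if __name__ == "__main__":
    # Constructed moduli (not real DSA primes): a small one for a hand-checkable
    # figure and a 160-bit one shaped so that 2**160 mod q is large, which is
    # where reducing a 160-bit output straight into Z_q goes badly wrong.
    small_q = 1019
    wide_q = 3 * (1 << 158) + 1
    for q in (small_q, wide_q):
        b = bias_for_modulus(q)
        print(f"q with {q.bit_length()} bits:")
        print(f"  same-size reduction : {float(b['same_size']):.3e}")
        print(f"  +64 bits then reduce: {float(b['plus_64_bits']):.3e}")
    k = derive_nonce(wide_q, 64)
    assert 1 <= k < wide_q
    print("sample k lies in [1, q-1]:", 1 <= k < wide_q)
```

The figure to watch is the same-size row: for a modulus whose leading bits sit well below the next power of two the distance from uniform is a constant, not a negligible quantity, and a keyed check of this kind (compute `reduction_bias(q.bit_length(), q)` for the group order actually in use) is a cheap way to confirm that a signing implementation is not reducing a same-width hash or PRNG output directly into Z_q.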
