[147200] in cryptography@c2.net mail archive
Re: [Cryptography] PRISM-Proofing and PRISM-Hardening
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Tue Sep 17 19:33:59 2013
X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <20130917213121.GO29796@mournblade.imrryr.org>
Date: Tue, 17 Sep 2013 19:05:48 -0400
To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sep 17, 2013, at 5:31 PM, Viktor Dukhovni <cryptography@dukhovni.org> wrote:
> ...And indeed the FUD around the NIST EC curves is rather unfortunate.
> Is secp256r1 better or worse than 1024-bit EDH?
Given our state of knowledge both of the mathematics, and of games NSA has been playing, I don't believe anyone can give a meaningful answer to that question. There's a second, related question: How are attacks on the two systems correlated? If one falls, do we need to lower our estimate of the strength of the other? In the case of an attack using a practical quantum computer, "very strongly correlated"; in the case of improvements along the lines of current integer factoring algorithms, "not very strongly correlated". Over all, one has to make guesses. I'd put them as "somewhat correlated".
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
