[147740] in cryptography@c2.net mail archive


[Cryptography] NIST should publish Suite A

daemon@ATHENA.MIT.EDU (ianG)
Sat Oct 19 09:34:12 2013

X-Original-To: cryptography@metzdowd.com
Date: Sat, 19 Oct 2013 16:25:38 +0300
From: ianG <iang@iang.org>
To: Cryptography Mailing List <cryptography@metzdowd.com>
In-Reply-To: <CAAS2fgRZCS9y9LOG62fG5NOyz_DA8bek5L-rWMrhXrAt4EKLUA@mail.gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

We now have a crisis of confidence in the cryptographic industry. 
Agreed?  The Snowden revelations have thrown the deck in the air, and 
while we have not seen all the cards land as yet, we can draw some 
points of agreement.

One point of agreement is that public key and Elliptic Curve 
Cryptography now has a cloud over it.  Just as one example, seen on 
OpenPGP list (archived therefore open for reposting) is discussion about 
using 1024 bit curves:

On 18/10/13 10:20 AM, Gregory Maxwell wrote:
> Jon Callas <jon at callas.org> wrote:
>> Why ever would you want a 1Kbit curve? Sure, arguably, but please make the argument. As it is, Curve3617 is more than one really needs. I'm genuinely interested.
> The fastest method for solving the discrete log problem in finite
> fields is index calculus. It is not known to be applicable to the
> elliptic curves we use for cryptography (or obviously we wouldn't be
> using them), modifications of the technique are applicable to
> super-singular curves / extension fields and where applicable they
> have sub-exponential scaling similar to the number field sieve for
> factoring. While it's not believed that there can exist a
> straightforward adaptation currently-believed strong curves, if one
> were to be discovered it would render any of the common sizes
> practically insecure.
> It would be terrible indeed to migrate to ECC only to end up with keys
> no more secure than 512 bit RSA.
> But by comparison to performance in other groups a of size to around
> 1024 bits but leave the crypto system secure in practice even if index
> calculus could be directly applied.
> (Sorry for delay in responding, but I spent a little while googling
> around to see if I was the only person thinking like this. I found a
> number of things, the most amusing an old post of Bruce Schneier's:
> "Realize, though, that someday -- next year, in ten years, in a
> century -- someone may figure out how to define smoothness, or
> something even more useful, in elliptic curves. If that happens, you
> will have to use the same key lengths as you would with conventional
> discrete logarithm algorithms, and there will be no reason to ever use
> elliptic curves. "
> https://www.schneier.com/crypto-gram-9911.html#EllipticCurvePublic-KeyCryptography
> )

The point here is not that the above argumentation is valid or 
otherwise, but that *the suspicion runs deep*.  How deep does the EC 
rabbit hole go?

The best I've seen so far is as found on this site 
http://safecurves.cr.yp.to/ which seems to say (my reading only) that 
the prior standards work on curves is suspect, but we can do a good job 
ourselves if we recalculate to best of ability (us meaning not me).

But we really don't know.  Meanwhile, as a side pointer as to how far 
the 'defaults' trap has taken us, here's another pointer [0]:

Android is using the combination of horribly broken RC4 and MD5 as the 
first default cipher on all SSL connections.  This impacts all apps that 
did not care enough to change the list of enabled ciphers (i.e. almost 
all existing apps). This post investigates why RC4-MD5 is the default 
cipher, and why it replaced better ciphers which were in use prior to 
the Android 2.3 release in December 2010.

If you're into Java or Android, and you love the JCE, this will leave a 
sinking pit in your stomach.  A herd of rabbits were stampeded deep down 
that hole...

I would suggest -- point of agreement? -- that we now have *a crisis of 
confidence in standards and crypto*.

If I was a standards organisation, or a player who was invested deeply 
in industry in some sense or other, I'd be also thinking about how to 
increase confidence.

There is one possibility to increase confidence dramatically:

      what's in Suite A?

If we knew what Suite A used for PK work, we would then be able to 
triangulate.  Although this is a claim based on absence of evidence, I 
predict that we'll be able to triangulate the question of ECC and settle 
the question of confidence.

Treason or revelation?  You pick. This revelation may even be so useful 
to industry (billion dollar losses?) that it might be a dominating 
interest over the normal unquestioning patriotic duty of following the 
say-so of those previously wiser heads in Fort Meade.

It might be cost-effective.  It might even be a 'fair cop'.



The cryptography mailing list
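The quoted ECC argument turns on the gap between generic attacks and index calculus. As an added illustration, not part of the original post, with $n$ the order of a curve's prime-order subgroup and $N$ a finite-field size or RSA modulus, the two standard cost estimates are

$$
T_{\rho}(n) \approx \sqrt{\pi n / 2}, \qquad
L_N[1/3, c] = \exp\!\big((c + o(1))\,(\ln N)^{1/3}\,(\ln \ln N)^{2/3}\big), \quad c = (64/9)^{1/3} \approx 1.923 .
$$

For $n \approx 2^{256}$ the generic (Pollard rho) bound gives on the order of $2^{128}$ group operations, i.e. a 128-bit security level from a 256-bit curve. Against an $L[1/3]$ attack such as the number field sieve, the same 128-bit level needs $N$ of roughly 3072 bits, which is why finite-field and RSA keys are so much longer. A curve keeps its size advantage only as long as no subexponential algorithm applies to it; if one did, key sizes would have to grow to finite-field proportions, which is exactly the Schneier point quoted above.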

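The Android item above describes a defaults trap: an app that never sets its enabled cipher suites inherits a list whose first entry is RC4-MD5. The check a defender wants is a way to see what is in that list and to derive a safer ordering from it. The following is an added example, not code from the original post, from Android or from the JCE: it parses JSSE-style suite names (`TLS_<kx>_WITH_<cipher>_<mac>`), flags the weak components (RC4, MD5, export, anonymous and NULL suites), reports whether the first suite is weak, and builds a hardened preference order that puts forward-secret AEAD suites first. The sample default list is constructed for illustration and only resembles the RC4-MD5-first ordering the quoted post describes; the ranking rules are this example's own.

```python
"""Classify a JSSE-style TLS cipher-suite list and derive a hardened order.

Added example, not code from the original post, Android or the JCE.
The suite names follow the JSSE naming convention; the sample list is
constructed and is not the real Android default list.
"""
import re
from dataclasses import dataclass

# Constructed sample: an enabled-suite list with RC4-MD5 in first position,
# the shape of the problem the quoted post describes.
SAMPLE_DEFAULT_ORDER = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
]

# <SSL|TLS>_<key exchange>_WITH_<cipher>_<mac>; the cipher part may itself
# contain underscores (AES_128_GCM), the MAC part never does.
_NAME_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # key exchange / authentication, e.g. ECDHE_RSA, RSA_EXPORT, DH_anon
    cipher: str  # bulk cipher, e.g. AES_128_GCM, RC4_128, NULL
    mac: str     # MAC / PRF hash, e.g. SHA256, MD5


def parse_suite(name: str) -> Suite:
    """Split a JSSE-style suite name into its components; raise on bad input."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised cipher suite name: {name!r}")
    return Suite(name, m.group("kx"), m.group("cipher"), m.group("mac"))


def weak_reasons(suite: Suite) -> list:
    """Return the reasons a suite should not be enabled (empty list = acceptable)."""
    reasons = []
    if "RC4" in suite.cipher:
        reasons.append("RC4")
    if suite.mac == "MD5":
        reasons.append("MD5")
    if "EXPORT" in suite.kx:
        reasons.append("export")
    if "anon" in suite.kx:
        reasons.append("anonymous")
    if suite.cipher.startswith("NULL"):
        reasons.append("no encryption")
    return reasons


def first_suite_is_weak(order: list) -> bool:
    """Detection check: is the first (most preferred) suite one we would reject?"""
    return bool(order) and bool(weak_reasons(parse_suite(order[0])))


def _rank(suite: Suite) -> tuple:
    """Sort key: forward secrecy, then AEAD, then key size (all descending)."""
    forward_secret = suite.kx.startswith(("ECDHE", "DHE"))
    aead = "GCM" in suite.cipher
    m = re.search(r"_(\d+)", suite.cipher)
    key_bits = int(m.group(1)) if m else (112 if "3DES" in suite.cipher else 0)
    return (-int(forward_secret), -int(aead), -key_bits)


def harden(order: list) -> list:
    """Drop weak suites and return the remaining names in a stronger preference order."""
    suites = [parse_suite(n) for n in order]
    kept = [s for s in suites if not weak_reasons(s)]
    return [s.name for s in sorted(kept, key=_rank)]


def report(order: list) -> dict:
    """Map each suite name to its list of weak reasons (empty for acceptable suites)."""
    return {n: weak_reasons(parse_suite(n)) for n in order}


if __name__ == "__main__":
    print("first suite weak:", first_suite_is_weak(SAMPLE_DEFAULT_ORDER))
    for name, reasons in report(SAMPLE_DEFAULT_ORDER).items():
        print(f"{name:45s} {', '.join(reasons) or 'ok'}")
    print("hardened order:", harden(SAMPLE_DEFAULT_ORDER))
```

On Android or any other JSSE platform the hardened list is what an app would pass to `setEnabledCipherSuites` on its socket or engine rather than relying on the inherited default; the `first_suite_is_weak` check is the one-line test that would have caught the RC4-MD5-first ordering the post describes.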