[838] in cryptography@c2.net mail archive


RE: elliptic curve

daemon@ATHENA.MIT.EDU (Bill Frantz)
Thu May 15 13:37:55 1997

In-Reply-To: <970514224611.206206af@hobbes.orl.mmc.com>
Date: Thu, 15 May 1997 09:24:06 -0700
To: "A. Padgett Peterson P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>,
        smcdonal@iol.ie
From: Bill Frantz <frantz@netcom.com>
Cc: cryptography@c2.net

At 7:46 PM -0700 5/14/97, A. Padgett Peterson P.E. Information Security wrote:
>>Just wondering if anyone had any thoughts about elliptic curve & whether it
>>really blows RSA away -- I'm a tech writer (passing familiarity w/
>>encryption technologies) doing a quick news piece for an Irish Internet
>>magazine.
>
>Would not say it "blows RSA away" any more than a Metro blows a London bus
>away - both will get you to the same place, the big difference is "where
>do you park it ?".

IMHO, the advantages of elliptic curves over RSA are more in the political
layer than in the technical.  The technical situation is:

RSA: Vulnerable to improvements in factoring.  Well studied (comparatively).

Elliptic curves: Not vulnerable to factoring attacks.  Have some nice
properties that RSA doesn't such as no meaningful concept of "near" which
may (or may not) reduce the available attacks.  Not as well studied as RSA.

Bottom line: What worries you the most?


The political layer is much clearer:

RSA: Not encumbered by intellectual property (IP) restrictions outside the
USA.  Inside the USA, you have to deal with RSADSI (even if you have a
license.  Ref: PGP Inc.)  RSADSI has a reputation of being extremely
difficult to do business with.

Elliptic curves: While elliptic curves in general aren't patented, three
specific forms, which can be computed in merely slow timeframes, are.  One
of the most attractive (IMHO) of these patents is held by Apple Computer.
(They acquired it from Next when they paid many millions of dollars to
have Next do a hostile takeover.)  With three patent holders, the chances
of at least one of them being reasonable are better.  If none of them are
reasonable, you can still look for your own elliptic curve outside the ones
they have patented.

>
>Above is not as flip as it sounds when certificates are going to be vying for
>space in smart cards since a certificate must be at least as long as the key
>used to protect it. With smart cards typically in the 8k range, this means
>possibly 8 1024 bit certificates. If you use 256 bit EC keys, well, you
>can store more, possibly as many as 32.

Certificates do not need to hold the full public key they are certifying if
that key is available from another (untrusted) source.  A secure hash is
enough.  See the SPKI work for an example.


-------------------------------------------------------------------------
Bill Frantz       | God could make the world   | Periwinkle -- Consulting
(408)356-8506     | in six days because he did | 16345 Englewood Ave.
frantz@netcom.com | not have an installed base.| Los Gatos, CA 95032, USA
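
Added example, not part of the original message: a sketch of the point above that a certificate can carry only a secure hash of the key, with the key itself fetched from an untrusted source and checked against that hash. The names, the dict-based certificate layout, the use of SHA-256 and the constructed 128-byte key blobs are assumptions of this example, and the issuer's signature over the certificate is assumed to have been verified already.

```python
import hashlib
import hmac


def fake_public_key(label: str, size: int = 128) -> bytes:
    """Constructed stand-in for a 1024-bit (128-byte) public key: opaque bytes."""
    return hashlib.shake_256(label.encode()).digest(size)


def make_compact_cert(subject: str, public_key: bytes) -> dict:
    """Certificate body that stores a digest of the key instead of the key.

    Hypothetical layout; a real certificate would also carry validity,
    issuer and a signature over these fields.
    """
    return {"subject": subject, "key_hash": hashlib.sha256(public_key).digest()}


def resolve_key(cert: dict, untrusted_store: dict) -> bytes:
    """Fetch the subject's key from an untrusted store and accept it only if
    its digest matches the hash bound into the certificate."""
    candidate = untrusted_store.get(cert["subject"])
    if candidate is None:
        raise LookupError("no key published for " + cert["subject"])
    digest = hashlib.sha256(candidate).digest()
    if not hmac.compare_digest(digest, cert["key_hash"]):
        raise ValueError("published key does not match certificate hash")
    return candidate


if __name__ == "__main__":
    alice_key = fake_public_key("alice")
    cert = make_compact_cert("alice", alice_key)
    print("key bytes:", len(alice_key), "bytes stored in cert:", len(cert["key_hash"]))

    # Honest directory: the key is accepted.
    print("honest store ok:", resolve_key(cert, {"alice": alice_key}) == alice_key)

    # Directory that substitutes another key: the hash check rejects it.
    try:
        resolve_key(cert, {"alice": fake_public_key("mallory")})
    except ValueError as err:
        print("substituted key rejected:", err)
```

The store needs no integrity protection of its own because any substituted key fails the digest comparison; what the store can still do is withhold the key, which shows up as the lookup error.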


