[841] in cryptography@c2.net mail archive
RE: elliptic curve
daemon@ATHENA.MIT.EDU (Hoffman, Mort)
Thu May 15 14:38:48 1997
Date: Thu, 15 May 1997 14:27:52 -0400
From: "Hoffman, Mort" <Mort.Hoffman@GSC.GTE.Com>
To: "'smcdonal@iol.ie'" <smcdonal@iol.ie>, "'Bill Frantz'" <frantz@netcom.com>
Cc: "'cryptography@c2.net'" <cryptography@c2.net>
Actually, for many applications the issue is getting the certificate
there at all, and the hash won't do that. The critical advantage that
elliptic has in some applications is that it sharply reduces certificate
size, and certificates tend to run in packs.
Mort Hoffman
>----------
>From: Bill Frantz[SMTP:frantz@netcom.com]
>Sent: Thursday, May 15, 1997 12:24 PM
>To: A. Padgett Peterson P.E. Information Security; smcdonal@iol.ie
>Cc: cryptography@c2.net
>Subject: RE: elliptic curve
>
>At 7:46 PM -0700 5/14/97, A. Padgett Peterson P.E. Information Security
>wrote:
>>>Just wondering if anyone had any thoughts about elliptic curve & whether it
>>>really blows RSA away -- I'm a tech writer (passing familiarity w/
>>>encryption technologies) doing a quick news piece for an Irish Internet
>>>magazine.
>>
>>Would not say it "blows RSA away" any more than a Metro blows a London bus
>>away - both will get you to the same place, the big difference is "where
>>do you park it ?".
>
>IMHO, the advantages of elliptic curves over RSA are more in the political
>layer than in the technical. The technical situation is:
>
>RSA: Vulnerable to improvements in factoring. Well studied (comparatively).
>
>Elliptic curves: Not vulnerable to factoring attacks. Have some nice
>properties that RSA doesn't such as no meaningful concept of "near" which
>may (or may not) reduce the available attacks. Not as well studied as RSA.
>
>Bottom line: What worries you the most?
>
>
>The political layer is much clearer:
>
>RSA: Not encumbered by intellectual property (IP) restrictions outside the
>USA. Inside the USA, you have to deal with RSADSI (even if you have a
>license. Ref: PGP Inc.) RSADSI has a reputation of being extremely
>difficult to do business with.
>
>Elliptic curves: While elliptic curves in general aren't patented, three
>specific forms, which can be computed in merely slow timeframes, are. One
>of the most attractive (IMHO) of these patents is held by Apple Computer.
>(They acquired it from Next when they payed many millions of dollars to
>have Next do a hostile takeover.) With three patent holders, the chances
>of at least one of them being reasonable is better. If none of them are
>reasonable, you can still look for you own elliptic curve outside the ones
>they have patented.
>
>>
>>Above is not as flip as it sounds when certificates are going to be vying
>>for
>>space in smart cards since a certificate must be at least as long as the key
>>used to protect it. With smart cards typically in the 8k range, this means
>>possibly 8 1024 bit certificates. If you use 256 bit EC keys, well, you
>>can store more, possibly as many as 32.
>
>Certificates do not need to hold the full public key they are certifying if
>that key is available from another (untrusted) source. A secure hash is
>enough. See the SPKI work for an example.
>
>
>-------------------------------------------------------------------------
>Bill Frantz | God could make the world | Periwinkle -- Consulting
>(408)356-8506 | in six days because he did | 16345 Englewood Ave.
>frantz@netcom.com | not have an installed base.| Los Gatos, CA 95032, USA
>
>
>
