Tom Ritter <tom@ritter.vg> writes:
ECC has other attributes that make it attractive too, so let's get the plumbing ready, so we can support a quick pivot away from RSA and over to ECC if we have to.
ECC however has the downside that it's incredibly brittle. For example there's the scary tendency of DLP-based ops to leak the private key (or at least key bits) if you get even the tiniest thing wrong. For example if you follow DSA's:

  k = G(t,KKEY) mod q

then you've leaked your x after a series of signatures, so you need to know that you generate a larger-than-required value before reducing mod q. The whole DLP family is just incredibly brittle, a problem that RSA doesn't have. I'm much more comfortable with RSA, there are far fewer things that can go wrong.

Peter.
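The bias behind the `k = G(t,KKEY) mod q` remark can be computed exactly. The following is an added example, not part of the original message: it measures how far a uniform N-bit value reduced mod q is from uniform, and draws k from 64 extra bits as in the FIPS 186-4 "extra random bits" method. The 160-bit `Q` is a constructed value (primality does not affect the bias), and `secrets.randbits` stands in for the generator G.

```python
import secrets
from fractions import Fraction


def mod_bias(nbits: int, q: int) -> Fraction:
    """Exact statistical distance from uniform of (uniform nbits-bit value) mod q."""
    total = 1 << nbits
    # 'extra' residues are hit lo+1 times, the remaining q-extra are hit lo times.
    lo, extra = divmod(total, q)
    uniform = Fraction(1, q)
    p_hi = Fraction(lo + 1, total)
    p_lo = Fraction(lo, total)
    return (extra * abs(p_hi - uniform) + (q - extra) * abs(p_lo - uniform)) / 2


def gen_k(q: int, extra_bits: int = 64) -> int:
    """Per-signature secret k in [1, q-1], reduced from a larger-than-required value.

    Assumption: secrets.randbits is used as the random source in place of G.
    """
    c = secrets.randbits(q.bit_length() + extra_bits)
    return c % (q - 1) + 1


# Constructed 160-bit modulus for illustration only (not a real DSA parameter).
Q = (1 << 159) + (1 << 158) + 1

if __name__ == "__main__":
    same_size = mod_bias(Q.bit_length(), Q)        # 160 bits reduced mod a 160-bit q
    widened = mod_bias(Q.bit_length() + 64, Q)     # 224 bits reduced mod the same q
    print(f"160-bit value mod q: distance from uniform = {float(same_size):.4f}")
    print(f"224-bit value mod q: distance from uniform = {float(widened):.3e}")
    print(f"sample k: {gen_k(Q):#x}")
```

With a same-width input, the low residues are twice as likely as the high ones for this `Q`, which is the kind of skew in k that accumulates across signatures; 64 extra bits push the distance below 2^-64.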