BlueHat v13 crypto talks - request for leaks ;)
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Dec 14 11:51:07 PST 2013
Tom Ritter <tom at ritter.vg> writes:
>ECC has other attributes that make it attractive too, so let's get the
>plumbing ready, so we can support a quick pivot away from RSA and over to ECC
>if we have to.
ECC however has the downside that it's incredibly brittle. For example
there's the scary tendency of DLP-based ops to leak the private key (or at
least key bits) if you get even the tiniest thing wrong. For example if you
follow DSA's:
k = G(t,KKEY) mod q
then you've leaked your x after a series of signatures, so you need to know
that you generate a larger-than-required value before reducing mod q. The
whole DLP family is just incredibly brittle, a problem that RSA doesn't have.
I'm much more comfortable with RSA, there are far fewer things that can go
wrong.
Peter.
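An added illustration, not part of Peter's post, of the nonce bias he describes: reducing a t-bit random value mod a t-bit q makes the residues below 2^t - q twice as likely as the rest, whereas drawing t+64 bits first (the FIPS 186-4 Appendix B.5.1 construction) makes the bias negligible. The order q = 173 is a constructed 8-bit toy prime chosen so the effect is visible in a few thousand samples; the function names are mine. Real DSA/ECDSA orders are 160 to 521 bits, and the arithmetic is identical.

```python
import random
import secrets
from fractions import Fraction

# Constructed toy subgroup order: 173 is an 8-bit prime (128 < 173 < 256),
# so 2^t - q = 83 and the doubled region covers almost half the residues.
Q = 173


def nonce_naive(q, rng=secrets.randbits):
    """The pattern the post warns about: k = G(t, KKEY) mod q with t = bitlen(q).

    r is uniform on [0, 2^t); residues below 2^t - q receive two preimages
    (r and r + q) and are therefore twice as likely as the others.
    """
    t = q.bit_length()
    return rng(t) % q


def nonce_extra_bits(q, extra=64, rng=secrets.randbits):
    """FIPS 186-4 Appendix B.5.1 style: draw t + 64 bits, reduce mod (q - 1), add 1.

    The surplus bits bound the modular bias at roughly 2^-64, and the +1
    keeps k in [1, q - 1].
    """
    t = q.bit_length()
    return (rng(t + extra) % (q - 1)) + 1


def preimage_counts(modulus, bits):
    """For r uniform on [0, 2^bits), count how many r land on each residue of r mod modulus.

    Returns (min_count, max_count): residues 0..rem-1 get one extra preimage.
    """
    full, rem = divmod(1 << bits, modulus)
    return (full, full) if rem == 0 else (full, full + 1)


def max_bias_ratio(modulus, bits):
    """Exact ratio between the most and least likely residue of (bits-bit value) mod modulus."""
    lo, hi = preimage_counts(modulus, bits)
    return Fraction(hi, lo)


def low_region_fraction(q, nonce_fn, samples=20000, seed=1):
    """Empirical P(k < 2^t - q), using a seeded RNG so the run is reproducible.

    Naive method: 2 * (2^t - q) / 2^t (about 0.65 for q = 173).
    Uniform k:    about (2^t - q) / q   (about 0.48 for q = 173).
    """
    rng = random.Random(seed).getrandbits
    rem = (1 << q.bit_length()) - q
    hits = sum(1 for _ in range(samples) if nonce_fn(q, rng=rng) < rem)
    return hits / samples


if __name__ == "__main__":
    t = Q.bit_length()
    print(f"naive  k = rand({t}) mod q        : worst-case ratio {max_bias_ratio(Q, t)}")
    print(f"FIPS   k = rand({t + 64}) mod (q-1) + 1: worst-case ratio "
          f"{float(max_bias_ratio(Q - 1, t + 64)):.20f}")
    print("fraction of k below 2^t - q:",
          "naive", low_region_fraction(Q, nonce_naive),
          "extra bits", low_region_fraction(Q, nonce_extra_bits))
```

The exact ratio from `max_bias_ratio` is the number a reviewer should check when auditing any "random mod q" step: a ratio of 2 means a full bit of bias per signature, which is what the biased-nonce attacks on DSA accumulate over many signatures, while the 64 extra bits push it to 1 + 2^-64. Deterministic nonces (RFC 6979) sidestep the issue differently and are the other usual remedy.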
More information about the cypherpunks mailing list