BlueHat v13 crypto talks - request for leaks ;)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 14 11:51:07 PST 2013


Tom Ritter <tom at ritter.vg> writes:

>ECC has other attributes that make it attractive too, so let's get the
>plumbing ready, so we can support a quick pivot away from RSA and over to ECC
>if we have to.

ECC however has the downside that it's incredibly brittle.  For example
there's the scary tendency of DLP-based ops to leak the private key (or at
least key bits) if you get even the tiniest thing wrong.  For example if you
follow DSA's:

  k = G(t,KKEY) mod q

then you've leaked your x after a series of signatures, so you need to know 
that you generate a larger-than-required value before reducing mod q.  The 
whole DLP family is just incredibly brittle, a problem that RSA doesn't have. 
I'm much more comfortable with RSA; there are far fewer things that can go 
wrong.

Peter.
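As an added example (not part of Peter's post, nor code from any standard or library): the skew that reducing a just-wide-enough random value mod q introduces into a DSA nonce, computed exactly and measured empirically, next to the two nonce generators FIPS 186-4 Appendix B.2 specifies. The 16-bit q is a constructed toy value, not a real DSA parameter.

```python
"""Added example, not from the thread: how far a DSA nonce k drifts from
uniform when a just-wide-enough random value is reduced mod q, beside the
two generators of FIPS 186-4 Appendix B.2.  q below is a constructed toy."""
import random
from fractions import Fraction

def naive_nonce(q, randbits):
    """The pattern the post warns about: k = G(t) mod q with t = bitlen(q).
    Residues below 2**t mod q are reachable from two t-bit draws, so they
    are twice as likely as the rest; that skew is what leaks key bits."""
    return randbits(q.bit_length()) % q   # also allows the invalid k = 0

def fips_extra_bits_nonce(q, randbits):
    """FIPS 186-4 B.2.1: draw 64 bits more than needed before reducing,
    leaving a skew of roughly 2**-64, then map into [1, q-1]."""
    return (randbits(q.bit_length() + 64) % (q - 1)) + 1

def rejection_nonce(q, randbits):
    """FIPS 186-4 B.2.2: retry until the draw is in range; exactly uniform."""
    while True:
        c = randbits(q.bit_length())
        if c <= q - 2:
            return c + 1

def reduction_distance(t, q):
    """Exact statistical (total variation) distance between
    (uniform t-bit value mod q) and the uniform distribution on [0, q)."""
    m, r = divmod(1 << t, q)              # 2**t == m*q + r
    hi, lo, u = Fraction(m + 1, 1 << t), Fraction(m, 1 << t), Fraction(1, q)
    return (r * abs(hi - u) + (q - r) * abs(lo - u)) / 2

def fraction_below(gen, q, bound, samples, seed=1):
    """Empirical check for any nonce generator: how often k < bound.
    A uniform k in [1, q-1] gives about bound/q; seeded so it is repeatable."""
    rb = random.Random(seed).getrandbits
    return sum(gen(q, rb) < bound for _ in range(samples)) / samples

if __name__ == "__main__":
    q = 43691                             # 16-bit toy q; 2**16 mod q == 21845
    n = q.bit_length()
    print("naive      TVD:", float(reduction_distance(n, q)))            # ~1/6
    print("extra bits TVD:", float(reduction_distance(n + 64, q - 1)))   # ~2**-66
    print("naive     P[k<21845]:", fraction_below(naive_nonce, q, 21845, 20000))
    print("rejection P[k<21845]:", fraction_below(rejection_nonce, q, 21845, 20000))
```

With this q the naive generator lands below 21845 two thirds of the time where a uniform k would do so half the time; the same functions apply unchanged to a real 160- or 256-bit q.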
