On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> "Perry E. Metzger" <pe...@piermont.com> writes:
>
> >I would like to open the floor to *informed speculation* about
> >BULLRUN.
>
> Not informed since I don't work for them, but a connect-the-dots:
>
> 1. ECDSA/ECDH (and DLP algorithms in general) are incredibly
> brittle unless you get everything absolutely perfectly right.

I'm aware of the randomness issues for ECDSA, but what's the issue
with ECDH that you're thinking of?

> 2. The NSA has been pushing awfully hard to get everyone to switch
> to ECDSA/ECDH.

Yes, and 24 hours ago I would have said that was because they
themselves depended on the use of commercial products with such
algorithms available (as in Suite B.) Now I'm less sure.

> Wasn't Suite B promulgated in the 2005-2006 period?

Yes, though it doesn't sound like Suite B is what the article meant
when discussing standards.

> Peter (who chooses RSA over ECC any time, follow a few basic rules
> and you're safe with RSA while ECC is vulnerable to all manner of
> attacks, including many yet to be discovered).

Many people out there seem to claim the opposite of course. The
current situation doesn't give us a definitive way to resolve such an
argument. RSA certainly appears to require vastly longer keys for the
same level of assurance as ECC.

-- 
Perry E. Metzger pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography