Marsh Ray <[email protected]> writes:

>On 12/30/2010 05:41 AM, Peter Gutmann wrote:
>> [...] I've always regarded DLP
>> algorithms (all DLP algorithms, including the ECDLP ones) as far riskier than
>> RSA because there are so many things you can get wrong, many of them outside
>> your direct control, while with RSA as long as you check your padding properly
>> you're pretty much done.
>> [...]
>> - Most of them used crypto, and AFAICT in none of them was the crypto directly
>> broken (Shamir's Law, crypto is bypassed not attacked).
>
>Wouldn't you have to consider this a "crypto break" then? At least to the
>extent you regard EC as "risky crypto"?
Not in this case, because it wasn't really an attack on the cryptosystem. To
look at it another way, no matter what key size you'd have used for your crypto
(32-bit ECC all the way up to P521), it wouldn't have made any difference, so
the attack was independent of the crypto strength.

I guess we'd really need a taxonomy of attack types. I'd say something that uses
mathematics, independent of the implementation, is an attack on the
cryptosystem, and anything else, e.g. taking advantage of bad coding, is an
end-run around the cryptosystem, because no matter what you do with the
cryptosystem itself, the bypass-attack still works. (This definition is probably
open to an awful lot of debate :-).

Peter.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
