On Tue, Mar 04, 2014 at 02:33:23PM -0600, Gunnar Wolf wrote: > Umh, I feel I have to answer this message, but I clearly don't have > enough information to do so in an authoritative way¹. AIUI, ECDSA has > not been shown to be *stronger* than RSA ??? RSA works based on modulus > operations, ECDSA on curve crypto. ECDSA keys can be smaller and > achieve (again, AIUI) the same level of security. But nothing so far > shows that RSA will be broken before or after ECDSA.
Let me add two aspects concerning ECDSA and RSA: RSA relies on factorization of large numbers being hard. While it certainly is hard, it may not be hard enough. The interesting question is: How long does a signature operation take on a key strong enough to defeat the current global computing power? Unfortunately this time raises faster than our hardware becomes faster for RSA while it is a bit better for ECDSA. At some point in the very far future it will be infeasible to use RSA simply because your device will take ages to emit a signature that is strong enough. ECDSA is a DSA algorithm and therefore relies on the creation of secure random numbers. It has this problem, that if you happen to choose the same number for two signatures, your private key is broken. With RSA it is harder to accidentally disclose your private key by using bad random numbers for signatures. As far as I can tell a malicious random number generator is part of our threat model now. Bernstein addresses this issue in EdDSA. Bottom line: I think it is a bit early to jump on ECDSA. Hope this helps Helmut -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140306124821.ga2...@alf.mars