On Tue, Mar 04, 2014 at 02:33:23PM -0600, Gunnar Wolf wrote:
> Umh, I feel I have to answer this message, but I clearly don't have
> enough information to do so in an authoritative way¹. AIUI, ECDSA has
> not been shown to be *stronger* than RSA ??? RSA works based on modulus
> operations, ECDSA on curve crypto. ECDSA keys can be smaller and
> achieve (again, AIUI) the same level of security. But nothing so far
> shows that RSA will be broken before or after ECDSA.

Let me add two aspects concerning ECDSA and RSA:

RSA relies on factorization of large numbers being hard. While it
certainly is hard, it may not be hard enough. The interesting question
is: How long does a signature operation take on a key strong enough to
defeat the current global computing power? Unfortunately this time
raises faster than our hardware becomes faster for RSA while it is a bit
better for ECDSA. At some point in the very far future it will be
infeasible to use RSA simply because your device will take ages to emit
a signature that is strong enough.

ECDSA is a DSA algorithm and therefore relies on the creation of secure
random numbers. It has this problem, that if you happen to choose the
same number for two signatures, your private key is broken. With RSA it
is harder to accidentally disclose your private key by using bad random
numbers for signatures. As far as I can tell a malicious random number
generator is part of our threat model now. Bernstein addresses this
issue in EdDSA.

Bottom line: I think it is a bit early to jump on ECDSA.

Hope this helps

Helmut


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140306124821.ga2...@alf.mars

Reply via email to