Anonymous (nobody@replay.com)
Tue, 14 Jul 1998 04:49:02 +0200
If this message seems to lack context, you didn't read Paul Lambert's
Re: Elliptical Curve Encryption.

I was well aware of RSADSI's motives for knocking ECC when I read their
page on it, and freely admit, through the sociopsychological wonders
anonymity allows, to having been partially misled nonetheless.

However, anonymity hasn't cured me of all my stubbornness -- I still
wouldn't trust an EC algorithm alone for my key distribution. Although I
had a somewhat exaggerated idea of the disparity between the amounts of
study of ECDLP and DLP cryptosystems, the truth is still that DH _has_
been around longer than ECDH, and there simply aren't that many advantages
of replacing Diffie-Hellman with the EC variant in a PGP-like
key-distribution application (I know that there are many keydist
applications where having greater speed and shorter widgets to toss around
is more significant, and in those cases I'd certainly consider it).

I'd really like to see it "chained" in PGP-like applications with an IFP
or DLP cryptosystem, possibly with other less-common cryptosystems (NTRU,
Chor-Rivest, Miklos-Ajtai) so that the resulting cryptosystem is provably
as hard to crack as the hardest of the ones in the "chain," thus providing
at the cost of speed and widget size any security benefit that the other
cryptosystems provide with no security risk whatsoever.

Right now, most crypto programs put all their eggs in one basket. With
shared-key crypto, the trouble required to chain algorithms in a
provably-effective manner is not worth the security gain (few shared-key
systems of good repute have been practically broken, at least in public),
but with public-key crypto, it is (less data expansion, less increase in
entropy requirements, and more risk, in my opinion, of a break).

I guess I shouldn't say that unless I'm prepared to code, but, oh well,
too late. :)
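
The "chain" idea in the message above, sketched as an added example that is not part of the original post: the session key is XOR-split into one share per cryptosystem and each share is wrapped under a different public key, so an attacker must break every system to recover the key. The XOR-splitting construction, the function names and the two toy hashed-ElGamal groups (stand-ins for unrelated cryptosystems, with moduli far too small for real use) are assumptions of this sketch.

```python
import hashlib
import secrets

# Toy stand-ins for two unrelated public-key systems: hashed ElGamal in two
# different prime fields (Mersenne primes, chosen only to keep this short).
GROUPS = {"dlp_a": (2**127 - 1, 3), "dlp_b": (2**89 - 1, 3)}

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen(name):
    p, g = GROUPS[name]
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)

def _pad(name, shared, n):
    # Derive an n-byte one-time pad from the DH shared value.
    return hashlib.shake_256(f"{name}:{shared}".encode()).digest(n)

def wrap(name, pub, share):
    p, g = GROUPS[name]
    k = secrets.randbelow(p - 2) + 1  # fresh ephemeral exponent per message
    return pow(g, k, p), xor(share, _pad(name, pow(pub, k, p), len(share)))

def unwrap(name, priv, ct):
    p, _ = GROUPS[name]
    eph, body = ct
    return xor(body, _pad(name, pow(eph, priv, p), len(body)))

def split(key, n):
    # n-1 uniformly random shares plus one that XORs back to the key:
    # any n-1 of the shares are independent of the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor(last, s)
    return shares + [last]

def chain_encrypt(pubs, key):
    names = sorted(pubs)
    shares = split(key, len(names))
    return {n: wrap(n, pubs[n], s) for n, s in zip(names, shares)}

def chain_decrypt(privs, cts):
    key = bytes(len(next(iter(cts.values()))[1]))  # all-zero accumulator
    for name, ct in cts.items():
        key = xor(key, unwrap(name, privs[name], ct))
    return key
```

The cost the message mentions is visible here: the ciphertext carries one ephemeral value and one wrapped share per cryptosystem in the chain.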
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:20 ADT