Vin McLellan (vin@shore.net)
Tue, 14 Jul 1998 21:39:48 -0400
Anonymous wrote:
>> .... The whole problem is
>> relatively new and hasn't been studied much, so I wouldn't recommend
>> putting ECC in any "mission-critical" applications (by which I mean key
>> distribution) soon.
Paul Lambert <plambert@sprintmail.com> replied:
>Now, now ... you've been reading the mis-information from RSADSI's web site.
>Many of the anti-ECC quotes were not approved and are now very old. Why would
>RSADSI ever support an algorithm that is not RSA?
(Ah, Paul? Aren't you supposed to wave a flag or otherwise
acknowledge your own bias when you snipe at the opinions of guys like Bruce
Schneier, Mike Wiener of Entrust, Arjen Lenstra of Citibank, and Taher
ElGamal of Netscape?
You are, I presume, the Paul A. who is VP at Certicom, right?)
(To my mind, Sir, it does not invalidate the comments of
professionals when, as you suggest, their published comments are their own
technical judgements -- even when their quotes have not been "approved,"
vetted, shaded, and qualified by their respective PR and Marketing
managers.)
None of those quoted are lapdogs. None are likely to flip-flop on a
technical judgement -- not for employers, not for clients, and certainly
not for RSA. Each of those quoted gave their opinion freely; each granted
RSA permission to publish it. None, so far as I know, has disavowed the
comments attributed to them. (As for the quotes being "very old," I can
only suggest that time moves at a different pace the closer you are to
marketing;-)
Paul may brush aside comments from Rivest, Len Adleman, Bob
Silverman, and Claude Schnorr, since all have overt RSA affiliations (as do
I, in a minor league sort of way) but others may credit their judgements
even so. No lapdogs in that lineup either!
None of those quoted about ECC on the RSA website -- except for an
uncharacteristically acidic Len Adleman -- scorned or dismissed ECC. All the
rest called it relatively untested and unstudied, and recommended that it
not be used for mission critical apps where viable alternatives exist.
(RSA, I find, has now replaced their page of cautionary ECC Quotes
with something else, after having displayed the broadside for a year or so.
I, however, have an old file copy of the infamous Quotes which I'll send to
anyone who asks for it off-list. There is also another "very old" 1997 RSA
Labs' Technical Note -- by Matt Robshaw and Yiqun Lisa Yin, two of the
co-inventors of RC6 -- which makes a similar argument. See:
<http://www.rsa.com/rsalabs/ecc/html/elliptic_curve.html>)
Paul also wrote:
>Elliptic curve mathematics has been around for hundreds of years. Elliptic
>curve cryptography's been around since 1985. Many mission-critical
>applications are now using elliptic curve technologies based on extensive
>evaluation of the risks and alternatives.
RSA has its pitch. Certicom has its pitch. The List can parse the
logic and assumptions behind each. It took seven or eight years of often
obsessive cryptanalytic scrutiny of RSAPKC before attacks using quadratic
sieve factoring became practical; 16 years before the number field sieve
offered a much more effective attack on the discrete logarithm problem.
(Years alone don't tell the story, as many on this List can attest.
During much of the past two decades, chewing on RSAPKC was a grad school
addiction. For many years it was seen as the only viable PKC, and it was
wondrously accessible. By contrast, ECC is indubitably elegant, but few
find it simple. And today, grad students fascinated with crypto have
multiple obsessions in math, hardware, software, wetware. Not to mention
food and sex.)
Whatever the current market for ECC, surely it will be greater as
ECC is tested, tempered, and likely refined or qualified as it gains the
benefits from some commensurate investment of man-years by the
cryptanalytic community. The Certicom ECC Challenge is a good start. Fine
idea.
Certicom is a company of considerable talents (cryptographers as
well as marketeers;-) But just as your competitors have to deal with the
size advantages of 160-bit ECC (and patent claims of the sort Certicom has
just lodged against X9.42, IEEE 1363, and the IETF's S/MIME), Certicom has
to deal with the fact that competitors -- notably RSA -- hold some trust
advantage in the fact that their public key schemes have been subject to
intensive critical analysis for many more man-years than ECC.
It's an awkward Truth (because there is no way for a clever
youthful competitor to counter it directly), but such cryptanalytic
endurance remains meaningful to many.
Of course, that's another old opinion, and no one has approved my
statements, so Paul and others may dismiss it as a further illustration of
my admitted pro-RSA bias.
Suerte,
_Vin
-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + <vin@shore.net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548