mersenneforum.org > Math Stuff > Tales From the Crypt(o)

2015-11-09, 14:40   #12
R.D. Silverman

Quote:
Originally Posted by R.D. Silverman
Go to nsa.gov and access the Crypto Suite B web page (under their 'programs' sub-tree)
Here is the exact url

https://www.nsa.gov/ia/programs/suiteb_cryptography/

2015-11-09, 14:47   #13
R.D. Silverman

Quote:
Originally Posted by Dubslow
I have not heard. Can you please provide any number of links?

Edit: Murder is an overly strong term.
I did not use it. I said "deprecate".

Quote:
I had thought you meant ECC was broken and dead.
Where did I say that?

Quote:
Instead, what merely seems to be the case is that the NSA is only noting that ECC is not quantum-proof.
This is the reason they are giving. But I don't buy it.

(0) It has been known for some time that RSA, DSA, DH, ECDH, and ECDSA are all vulnerable
to QC. This is nothing new.

(1) The development of QC has been extremely slow and we are (at current pace) decades away from
building a QC large enough to break EC. So one must ask: Why the urgency?

(2) Why deprecate all but the P384 curve? If QC is the reason for deprecation, then this curve is
just as vulnerable as all the others. Why not introduce a 512-bit (or larger) curve and field?

(3) It is believed by some (moi aussi) that it is far more likely that someone found an improved classical
attack.
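Added worked example (editor's illustration, not code from any post in this thread) for points (1) to (3) above: a toy elliptic-curve Diffie-Hellman exchange followed by a generic baby-step giant-step recovery of the private scalar. The curve y^2 = x^3 + 2x + 3 over F_10007, the base point and the seed are constructed for the example and are not a standard curve or parameters. What it shows is that the best generic classical attack on the ECDLP costs about sqrt(n) group operations for a base point of order n, so a 384-bit or 512-bit curve buys classical margin; Shor's algorithm, by contrast, scales polynomially with the field size and treats all of these curves alike.

```python
"""Toy ECDH plus a generic baby-step giant-step ECDLP attack. Added example:
the curve y^2 = x^3 + 2x + 3 over F_10007 is constructed for illustration and
is not a standard curve. The generic attack costs about sqrt(n) group
operations, n = order of the base point, which is what a larger curve buys
classically and what Shor's algorithm ignores."""
import math
import random

P = 10007                # toy prime (constructed); P % 4 == 3 makes square roots easy
A, B = 2, 3              # y^2 = x^3 + A x + B; 4A^3 + 27B^2 != 0 mod P, so non-singular
INF = None               # point at infinity

def add(p1, p2):
    """Affine group law (textbook, not constant-time; fine for a toy)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                           # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiplication by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def order(pt):
    """Order of pt by repeated addition (only sensible on a toy curve)."""
    n, q = 1, pt
    while q is not INF:
        q = add(q, pt)
        n += 1
    return n

def find_generator(min_order=1000):
    """First point (x ascending, y != 0) whose order exceeds min_order."""
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)        # square root when rhs is a QR (P = 3 mod 4)
        if y and y * y % P == rhs:
            g = (x, y)
            n = order(g)
            if n > min_order:
                return g, n
    raise ValueError("no suitable base point on this toy curve")

def bsgs(G, Q, n):
    """Solve Q = d*G for d in [0, n) with ~2*sqrt(n) additions and sqrt(n) memory."""
    m = math.isqrt(n) + 1
    baby, table = INF, {}
    for j in range(m):                       # baby steps: j*G -> j
        table[baby] = j
        baby = add(baby, G)
    giant = mul(m, G)
    neg_giant = (giant[0], (-giant[1]) % P)
    gamma = Q
    for i in range(m):                       # giant steps: Q - i*m*G
        if gamma in table:
            return (i * m + table[gamma]) % n
        gamma = add(gamma, neg_giant)
    return None

def ecdh_and_attack(seed=1):
    """Run ECDH on the toy curve, then recover Alice's scalar from her public point."""
    G, n = find_generator()
    rng = random.Random(seed)                # seeded so the run is reproducible
    a, b = rng.randrange(1, n), rng.randrange(1, n)
    A_pub, B_pub = mul(a, G), mul(b, G)
    agree = mul(a, B_pub) == mul(b, A_pub)
    return {"n": n, "agree": agree, "secret": a, "recovered": bsgs(G, A_pub, n),
            "bsgs_work": 2 * math.isqrt(n) + 2}

if __name__ == "__main__":
    r = ecdh_and_attack()
    print(f"base point order n = {r['n']}, shared secrets agree: {r['agree']}")
    print(f"BSGS recovered a = {r['recovered']} (true a = {r['secret']}) "
          f"in about {r['bsgs_work']} group operations instead of {r['n']}")
```

The same sqrt(n) rule applied to real curves is the classical story behind point (2): about 2^128 operations against P-256 and 2^192 against P-384, so a 512-bit curve would push the generic bound to 2^256. None of that matters to Shor's algorithm, which is why the quantum explanation alone does not account for keeping one curve and dropping the rest.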

2015-11-09, 15:47   #14
Dubslow


Quote:
Originally Posted by R.D. Silverman
I did not use it. I said "deprecate"
From your OP:
Quote:
Originally Posted by R.D. Silverman
We need a forum where we can discuss such things as the recent NSA
murder of Elliptic Curve based cryptography.

Quote:
Originally Posted by R.D. Silverman
Where did I say that?
That's what I took "murder" to mean.

Quote:
Originally Posted by R.D. Silverman
This is the reason they are giving. But I don't buy it.

(0) It has been known for some time that RSA, DSA, DH, ECDH, and ECDSA are all vulnerable
to QC. This is nothing new.

(1) The development of QC has been extremely slow and we are (at current pace) decades away from
building a QC large enough to break EC. So one must ask: Why the urgency?

(2) Why deprecate all but the P384 curve? If QC is the reason for deprecation, then this curve is
just as vulnerable as all the others. Why not introduce a 512-bit (or larger) curve and field?

(3) It is believed by some (moi aussi) that it is far more likely that someone found an improved classical
attack.
Indeed, these are all points addressed in the PDF that Nick linked. I feel relatively apprised of the situation now.

2015-11-09, 15:54   #15
R.D. Silverman

Quote:
Originally Posted by Dubslow
From your OP:

That's what I took "murder" to mean.

Indeed, these are all points addressed in the PDF that Nick linked. I feel relatively apprised of the situation now.
Thanks for the feedback! Do you have an opinion on the subject?

Does anyone have a guess as to which algorithms the NSA will choose as replacements?
My money is on NTRU, or a variation.

The difficulty is that the possible candidates all lack the simplicity of the methods currently in
use. They tend to require finicky parameter choices and seem to lack mathematical 'elegance'.
Furthermore, none of them have been scrutinized to the same extent as the current
methods.
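Added worked example (editor's illustration, not code from any post in this thread) for the "finicky parameter choices" remark above: a toy NTRUEncrypt in the f = 1 + p*F form. N = 11, p = 3, q in {16, 32, 64}, the weight d = 2 (two +1 and two -1 coefficients per ternary polynomial), the seed and the trial count are all constructed for the example and are not a real NTRU parameter set. Decryption recovers m only while every coefficient of p*(r*g + F*m) + m stays inside (-q/2, q/2]; the block counts how often that fails as q shrinks and checks that each failure coincides exactly with a coefficient wrapping mod q. The polynomial-inverse routines (extended Euclid mod 2, then Newton lifting to mod 2^k) are written for this example, not taken from any NTRU implementation.

```python
"""Toy NTRUEncrypt (f = 1 + p*F variant) with deliberately tiny, constructed
parameters. Added example; N, q and the weights are NOT real NTRU parameters.
Decryption works only while every coefficient of p*(r*g + F*m) + m stays in
(-q/2, q/2]; shrinking q makes that fail, which is the parameter sensitivity."""
import random
from itertools import zip_longest

N, P3 = 11, 3            # ring Z[x]/(x^N - 1), small modulus p = 3 (constructed values)

def conv(a, b, mod=None):
    """Cyclic convolution = multiplication in Z[x]/(x^N - 1), optionally mod."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[(i + j) % N] += ai * bj
    return [x % mod for x in out] if mod else out

def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, b, pr):
    """Long division in Z_pr[x], pr prime, coefficients low -> high."""
    a, b = [x % pr for x in a], trim([x % pr for x in b])
    inv_lead = pow(b[-1], pr - 2, pr)
    quot = [0] * max(1, len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        c = a[i + len(b) - 1] * inv_lead % pr
        quot[i] = c
        for j, bj in enumerate(b):
            a[i + j] = (a[i + j] - c * bj) % pr
    return trim(quot), trim(a[:len(b) - 1] or [0])

def inv_mod_prime(f, pr):
    """Inverse of f in Z_pr[x]/(x^N - 1) via extended Euclid, or None."""
    r0, r1 = [(-1) % pr] + [0] * (N - 1) + [1], trim([x % pr for x in f])
    t0, t1 = [0], [1]                       # invariant: t_i * f == r_i mod (x^N - 1)
    while r1 != [0]:
        q, r = poly_divmod(r0, r1, pr)
        prod = [0] * (len(q) + len(t1) - 1)
        for i, qi in enumerate(q):
            for j, tj in enumerate(t1):
                prod[i + j] = (prod[i + j] + qi * tj) % pr
        r0, r1 = r1, r
        t0, t1 = t1, trim([(x - y) % pr for x, y in zip_longest(t0, prod, fillvalue=0)])
    if len(r0) != 1:
        return None                         # gcd has positive degree: no inverse
    c = pow(r0[0], pr - 2, pr)
    return [x * c % pr for x in t0] + [0] * (N - len(t0))

def inv_mod_2k(f, k):
    """Lift the mod-2 inverse to mod 2**k with Newton steps b <- b*(2 - f*b)."""
    b = inv_mod_prime(f, 2)
    if b is None:
        return None
    q = 1 << k
    for _ in range(k):                      # each step doubles the number of valid bits
        t = [(-x) % q for x in conv(f, b, q)]
        t[0] = (t[0] + 2) % q
        b = conv(b, t, q)
    return b

def ternary(rng, d):
    """Random polynomial with d coefficients +1, d coefficients -1, rest 0."""
    v = [1] * d + [-1] * d + [0] * (N - 2 * d)
    rng.shuffle(v)
    return v

def center(a, q):
    """Reduce each coefficient into (-q/2, q/2]."""
    return [x % q - q if x % q > q // 2 else x % q for x in a]

def keygen(rng, k, d=2):
    """Private f = 1 + p*F (so f == 1 mod p), public h = p*g*f^-1 mod q."""
    while True:
        F, g = ternary(rng, d), ternary(rng, d)
        f = [P3 * x for x in F]
        f[0] += 1
        f_q = inv_mod_2k(f, k)
        if f_q is not None:
            return (F, g, f), conv([P3 * x for x in f_q], g, 1 << k)

def encrypt(rng, h, m, k, d=2):
    """e = r*h + m mod q with a fresh ternary r; r is returned only for the check."""
    r = ternary(rng, d)
    return [(x + y) % (1 << k) for x, y in zip(conv(r, h, 1 << k), m)], r

def decrypt(f, e, k):
    a = center(conv(f, e, 1 << k), 1 << k)  # = p*(r*g + F*m) + m unless it wrapped
    return center(a, P3)                    # mod p, re-centred to {-1, 0, 1}

def trial(rng, k, d=2):
    """One keygen/encrypt/decrypt, plus an integer recomputation of the
    decryption intermediate to see whether it wrapped. Returns (ok, no_wrap)."""
    q = 1 << k
    (F, g, f), h = keygen(rng, k, d)
    m = [rng.choice((-1, 0, 1)) for _ in range(N)]
    e, r = encrypt(rng, h, m, k, d)
    a_true = [P3 * (x + y) + z for x, y, z in zip(conv(r, g), conv(F, m), m)]
    no_wrap = all(-q // 2 < x <= q // 2 for x in a_true)
    return decrypt(f, e, k) == m, no_wrap

def run(k, trials=200, seed=7):
    """Decryption failures for q = 2**k, and how many trials broke the
    'fails iff wrapped' relation (0 expected for k in 4..6 with d = 2)."""
    rng = random.Random(seed)
    fails = inconsistent = 0
    for _ in range(trials):
        ok, no_wrap = trial(rng, k)
        fails += not ok
        inconsistent += ok != no_wrap
    return fails, inconsistent

if __name__ == "__main__":
    for k in (4, 5, 6):
        print(f"q = {1 << k:3d}: {run(k)} (failures, inconsistent) over 200 trials")
```

With d = 2 every coefficient of p*(r*g + F*m) + m is bounded by 3*(4 + 4) + 1 = 25, so q = 64 can never fail, q = 32 fails occasionally and q = 16 fails often; the same random draws are used for each q, so the failure counts are monotone in q. That trade-off between q, N and the weights (plus the need for f to be invertible mod q, which the retry loop handles) is the kind of parameter fiddliness that has no counterpart in ECDH.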

2015-11-09, 16:30   #16
bsquared


Quote:
Originally Posted by R.D. Silverman
Thanks for the feedback! Do you have an opinion on the subject?

Does anyone have a guess as to which algorithms the NSA will choose as replacements?
My money is on NTRU, or a variation.

The difficulty is that the possible candidates all lack the simplicity of the methods currently in
use. They tend to require finicky parameter choices and seem to lack mathematical 'elegance'.
Furthermore, none of them have been scrutinized to the same extent as the current
methods.
What about SIDH? It would seem to retain the simplicity and elegance of DH and is (so far) not patent encumbered. But it is relatively new and relatively unscrutinized. I don't know much about the underlying mathematics and would be interested in your thoughts.

2015-11-09, 16:44   #17
jwaltos


Quote:
Originally Posted by R.D. Silverman
Does anyone have a guess as to which algorithms the NSA will choose as replacements?
Kaspersky labs and Schneier may have some unique insights.
I was a little disappointed in the paper since Menezes has a vested financial interest in ECC which was not disclosed.
Setec astronomy and polonium-210 aside, "cherish those who search for the truth but beware those who find it."

2015-11-09, 17:08   #18
R.D. Silverman


Quote:
Originally Posted by bsquared
What about SIDH? It would seem to retain the simplicity and elegance of DH and is (so far) not patent encumbered. But it is relatively new and relatively unscrutinized. I don't know much about the underlying mathematics and would be interested in your thoughts.
It is possible, but I think the community will be wary of anything involving supersingular curves,
given past history...

The computations are a lot more complex than simple ECDH and this may be a barrier to
implementation. Indeed, it has been suggested that the complexity of ECDH (relative to that
of ordinary DH) was a reason why it was not historically more widely used.

Note: I have not studied this protocol at all.

2015-11-09, 17:10   #19
R.D. Silverman


Quote:
Originally Posted by jwaltos
Kaspersky labs and Schneier may have some unique insights.
I was a little disappointed in the paper since Menezes has a vested financial interest in ECC which was not disclosed.
Setec astronomy and polonium-210 aside, "cherish those who search for the truth but beware those who find it."
Bruce didn't say much in his September newsletter....

Also, many of the Certicom patents on ECC have expired and the rest should expire
within about 2 more years.

I also do not believe that Alfred would act out of financial self-interest.
Furthermore, he is not pushing that ECDH/ECDSA should continue
to be used.

Last fiddled with by R.D. Silverman on 2015-11-09 at 17:13

2015-11-09, 17:11   #20
Dubslow


Quote:
Originally Posted by R.D. Silverman
Do you have an opinion on the subject?
I'm not particularly qualified to have an opinion, other than a deep rooted suspicion of the modern NSA.

2015-11-09, 17:34   #21
R.D. Silverman


Quote:
Originally Posted by Dubslow
I'm not particularly qualified to have an opinion, other than a deep rooted suspicion of the modern NSA.
Shared by many.

With respect to the current topic: what is it that you do not trust?

If indeed they have discovered a classic attack on EC, they can have very good
reasons for not disclosing it. For one thing, it would cause panic with respect to
who/how/where it is currently being used. It would render criminal attacks on
IPSEC possible. Can you imagine the consequences to IFT?

2015-11-09, 18:20   #22
chalsall


Quote:
Originally Posted by R.D. Silverman
Shared by many. ... If indeed they have discovered a classic attack on EC, they can have very good reasons for not disclosing it. For one thing, it would cause panic with respect to who/how/where it is currently being used. I [It] would render criminal attacks on IPSEC possible. Can you imagine the consequences to IFT?

This forum has received and complied with 0 (zero) government requests for information.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.