At 12:00 PM 3/26/2016, Warren D Smith wrote:
Message: 4
Date: Sat, 26 Mar 2016 09:57:12 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: [math-fun] Why elliptic curve superior to RSA
The problem with fixing a curve is that with enough memory, someone can do some pretty elaborate precomputation.
--Au contraire. With RSA, you fix your private primes p & q, then publish p*q. Somebody can precompute the hell out of that.
With EC, pick a curve, once and for all, publish it, and I don't care what precomputation anybody does on it, no matter how large, provided its results are concisely stated. And the entire world can examine this curve to be sure it seems good.
https://weakdh.org/

"Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve--the most efficient algorithm for breaking a Diffie-Hellman connection--is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

"We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that *a nation-state can break a 1024-bit prime.* Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break."
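
An added illustration, not part of the email thread or of weakdh.org: baby-step giant-step stands in here for the number field sieve (a far simpler algorithm with the same two-phase shape) to show one-time work that depends only on the fixed group being reused against every fresh key exchange. The 20-bit prime `P`, the base `G`, and all class and function names are assumptions constructed for this example.

```python
from math import isqrt

# Constructed toy parameters: a 20-bit prime and base, far too small for real use.
P = 1000003
G = 2


class FixedGroupTable:
    """Baby-step table built once for a fixed (p, g) and reused for every target."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = isqrt(p - 1) + 1            # m*m >= p-1, an upper bound on g's order
        self.table = {}
        value = 1
        for j in range(self.m):              # one-time cost: m multiplications
            self.table.setdefault(value, j)  # keep the smallest j for each g^j
            value = value * g % p
        self.step = pow(g, -self.m, p)       # g^(-m) mod p, also target-independent
        self.precompute_mults = self.m

    def solve(self, h):
        """Return (x, mults) with g^x == h (mod p); x is None if no such x exists."""
        gamma = h % self.p
        for i in range(self.m):              # per-target cost: i multiplications
            j = self.table.get(gamma)
            if j is not None:
                return i * self.m + j, i
            gamma = gamma * self.step % self.p
        return None, self.m


def recover_exponents(table, publics):
    """Solve each observed public value against the same precomputed table."""
    return [table.solve(h) for h in publics]


if __name__ == "__main__":
    table = FixedGroupTable(P, G)
    # Constructed "per-connection" secrets: fresh each time, same group each time.
    publics = [pow(G, s, P) for s in (12345, 999999, 7)]
    print("one-time multiplications:", table.precompute_mults)
    for h, (x, mults) in zip(publics, recover_exponents(table, publics)):
        print(f"public={h} exponent={x} per-target multiplications={mults}")
```

Fresh exponents per connection do not change the table; only a larger or different group forces the one-time phase to be redone.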