undefined | Better HN

0 pointsexe341y ago0 comments

does the move to elliptic crypto suggest that the people in the know expect prime factorisation to be broken soon?

0 comments

If anything, ECC is probably easier to break with qc. Shor's algorithm works "better" for discrete logarithms than for prime factorisation. "Better" as in requiring a smaller quantum computer. Still way beyond what is available today.

The reason for switching to ECC is speed and key size. The NSA recommends 3096bit rsa keys for 128 aes, but only 256 bit ecc keys for the same security against traditional attacks.

They also went ahead and recommended 348bit keys for ecc, but I don't know if something like that is widely used anywhere. Curve448 is nice but slow. Curve41417 is fast but largely unused.

Jach1y ago

Since no one mentioned, a major reason to prefer elliptic curves is that you can get equivalent security for much smaller key sizes.

kevin_thibedeau1y ago

I had to implement key generation on an embedded device @ 180MHz. RSA2048 would take upwards of five minutes if you didn't get lucky finding primes early on. Stronger ECC would be done within a second.

tommiegannert1y ago

And the key consituents don't have to be prime. That use of heuristics has always scared me a bit.

dspillett1y ago

Nit-pic: the key constituents only need to be co-prime rather than absolutely prime, though in practise this makes little or no difference.

1 more reply

eddd-ddde1y ago

I remember when I generated my first EC key and added it to an SSH client. I was so surprised by the size of the key I spent some time researching if I had made a mistake.

Honestly impressive.

exe34OP1y ago

nice thank you!

staunton1y ago

It's to do with "if we ever have big/good quantum computers, prime factorization is doable" and with "let's use the new shiny things".

On a related note, someone might discover some elliptic curve math tomorrow and your CPU can break all that stuff just as well...

exe34OP1y ago

so with my cynic hat on, maybe a bunch of people already have that and that's why we're being moved off the hard stuff.

staunton1y ago

The NSA had the option to do something like that when they (via NIST) standardized DES.

They chose to standardize a version that's secure against attacks that only they knew at the time, shorten the key length so they can still brute-force it if they really need to, and successfully kept the attack secret until researchers at a foreign university independently discovered it decades later.

1 more reply

temporary_name1y ago

https://en.wikipedia.org/wiki/Shor%27s_algorithm

As soon as quantum computers have enough qbits prime factorisation can be done very quickly. Not sure the timeline on that as there are a lot of challenges in the technology and it is hideously expensive, but a lot of the move away from RSA to elliptic curves is driven by readiness for quantum computing.

https://en.wikipedia.org/wiki/Post-quantum_cryptography

kamov1y ago

Elliptic curve cryptography can be broken by Shor's algorithm as well

https://arxiv.org/pdf/1706.06752

upofadown1y ago

... and easier than with RSA. Not that it would make a significant difference.

fragmede1y ago

sgt101 posted a good comment about this a couple months back: https://news.ycombinator.com/item?id=40187560

tl;dr: not in our lifetime.

shakow1y ago

Smaller key sizes and faster at a given level of security, PQ-safe (at least as far as we publically know).

j / k navigate · click thread line to collapse

0 comments

bjoli1y ago

The reason for switching to ECC is speed and key size. The NSA recommends 3096bit rsa keys for 128 aes, but only 256 bit ecc keys for the same security against traditional attacks.

They also went ahead and recommended 348bit keys for ecc, but I don't know if something like that is widely used anywhere. Curve448 is nice but slow. Curve41417 is fast but largely unused.

Jach1y ago

Since no one mentioned, a major reason to prefer elliptic curves is that you can get equivalent security for much smaller key sizes.

kevin_thibedeau1y ago

tommiegannert1y ago

And the key consituents don't have to be prime. That use of heuristics has always scared me a bit.

dspillett1y ago

Nit-pic: the key constituents only need to be co-prime rather than absolutely prime, though in practise this makes little or no difference.

1 more reply

eddd-ddde1y ago

I remember when I generated my first EC key and added it to an SSH client. I was so surprised by the size of the key I spent some time researching if I had made a mistake.

Honestly impressive.

exe34OP1y ago

nice thank you!

staunton1y ago

It's to do with "if we ever have big/good quantum computers, prime factorization is doable" and with "let's use the new shiny things".

On a related note, someone might discover some elliptic curve math tomorrow and your CPU can break all that stuff just as well...

exe34OP1y ago

so with my cynic hat on, maybe a bunch of people already have that and that's why we're being moved off the hard stuff.

staunton1y ago

The NSA had the option to do something like that when they (via NIST) standardized DES.

1 more reply

temporary_name1y ago

https://en.wikipedia.org/wiki/Shor%27s_algorithm

https://en.wikipedia.org/wiki/Post-quantum_cryptography

kamov1y ago

Elliptic curve cryptography can be broken by Shor's algorithm as well

https://arxiv.org/pdf/1706.06752

upofadown1y ago

... and easier than with RSA. Not that it would make a significant difference.

fragmede1y ago

sgt101 posted a good comment about this a couple months back: https://news.ycombinator.com/item?id=40187560

tl;dr: not in our lifetime.

shakow1y ago

Smaller key sizes and faster at a given level of security, PQ-safe (at least as far as we publically know).

j / k navigate · click thread line to collapse