

The Factoring Cryptopocalypse - cperciva
http://www.daemonology.net/blog/2013-08-10-the-factoring-cryptopocalypse.html

======
iuguy
I think Colin's bang on here. Now is the time for cryptographers and software
developers to act to implement a mature alternative to RSA, but it's not the
point for your average joe to switch to an as yet relatively untested/unproven
ECC implementation.

For what it's worth, Tom Ritter recently posted his notes on de-anonymizing
alt.anonymous.messages[1], something widely believed to be very anonymous and
very secure. It's an interesting read and shows why you not only need the
crypto to be sound, but the implementation and _your own use of it_ to be
right too.

[1] - [http://ritter.vg/blog-deanonymizing_amm.html](http://ritter.vg/blog-deanonymizing_amm.html)

~~~
maaku
How is EC “relatively untested/unproven”? It's been in OpenSSL for ages (by
internet norms), is the subject of numerous national standards. It secures a
billion dollar bitcoin economy.

~~~
redthrowaway
He said it's not time for the average programmer to switch to a new and
untested ECC _implementation_, not that ECC itself is new and untested. By
the standards of any of the common RSA libraries out there, their ECC
counterparts _would_ be relatively untested given how much comparative use
each has seen.

------
tptacek
Out of curiosity: If you were to design Tarsnap from scratch in 2013, would
you still use RSA?

~~~
cperciva
I think so.

~~~
tptacek
Am I right to guess it's because you're more worried about what people get
wrong about ECC implementations in 2013, perhaps that we don't even really know
about in 2013, than about anything fundamental about ECC or RSA?

~~~
cperciva
Pretty much. RSA is the devil we know.

------
Mithrandir
Previous discussions on the presentation:

[https://news.ycombinator.com/item?id=6191171](https://news.ycombinator.com/item?id=6191171)

[https://news.ycombinator.com/item?id=6155502](https://news.ycombinator.com/item?id=6155502)

~~~
cperciva
Thanks, I missed the first discussion and was inspired to write only by the
second discussion.

------
kazagistar
For someone who is somewhat unfamiliar with cryptography, what is the obstacle
in creating cryptography that is provably secure: in other words, cryptography
that can be absolutely trusted within certain provided parameters?

~~~
bonzoesc
Usability. One time pads have been around forever, are provably secure, but a
pain in the ass.

Modern symmetric ciphers solve the "you need to securely exchange as much key
material as you wish to send data" using mathematical formulas to stretch key
material. Asymmetric ciphers use mathematical formulas to fix "you need a
secure way to exchange keys."

Unfortunately, the math can't be provably secure, only believed secure and
proved insecure.
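The one-time-pad trade-off bonzoesc describes, as an added Python example that is not from the thread: the pad must be as long as everything you ever send, every pad byte is spent exactly once and then wiped, and reusing a slice for two messages leaks the XOR of the two plaintexts. The class and function names (OneTimePad, demo, xor_bytes) and the sample messages are the example's own.

```python
import os


class OneTimePad:
    """A pad shared out-of-band; every byte is used exactly once, then wiped."""

    def __init__(self, pad):
        self._pad = bytearray(pad)   # mutable so spent bytes can be zeroed
        self._offset = 0             # position both parties advance in lockstep

    @property
    def remaining(self):
        return len(self._pad) - self._offset

    def _take(self, n):
        # The usability cost: once the pad is used up, nothing more can be sent.
        if n > self.remaining:
            raise ValueError(f"pad exhausted: need {n} bytes, {self.remaining} left")
        start, end = self._offset, self._offset + n
        chunk = bytes(self._pad[start:end])
        self._pad[start:end] = bytes(n)  # wipe: that key material is spent
        self._offset = end
        return chunk

    def apply(self, data):
        """XOR with the next len(data) pad bytes; encrypt and decrypt are the same op."""
        return bytes(d ^ k for d, k in zip(data, self._take(len(data))))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def demo(pad, messages):
    """Alice and Bob hold identical pads; each message burns its own slice."""
    alice, bob = OneTimePad(pad), OneTimePad(pad)
    return [bob.apply(alice.apply(m)) for m in messages]


if __name__ == "__main__":
    pad = os.urandom(64)  # constructed: 64 bytes of shared key, exchanged in person
    msgs = [b"attack at dawn", b"meet at the old mill"]
    assert demo(pad, msgs) == msgs
    # Why "one time": the same 14 pad bytes under two messages cancel out,
    # leaving plaintext XOR plaintext for anyone holding both ciphertexts.
    k = pad[:14]
    c1, c2 = xor_bytes(msgs[0], k), xor_bytes(msgs[1][:14], k)
    assert xor_bytes(c1, c2) == xor_bytes(msgs[0], msgs[1][:14])
```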

~~~
Herring
> _Usability. One time pads have been around forever, are provably secure, but
> a pain in the ass._

With cell phones so widespread, I wondered why someone doesn't write a one
time pad app. People could share gigabyte-sized pads via trusted wireless or a
cable if they prefer.

[http://softthere.com/projects/otp/](http://softthere.com/projects/otp/)

~~~
damarquis
The only reason to use one-time pads is an extraordinary level of paranoia. If
you are paranoid enough to need a one-time pad then it makes little sense for
you as a private citizen to trust that hardware you take into public places
hasn't been compromised. Manual creation and transmission of the encrypted
message is the only approach that makes sense.

If lots of people adopted one-time pads it might hinder NSA et al but this
would be akin to trying to convince people to wear masks whenever they are in
public to hinder monitoring with CCTV.

------
hnha
ECC means "Elliptic curve cryptography" here, it is not about something with
"ECC memory". I've been so confused with all the discussion so far because of
this. Dear masters of your domain, if there are acronyms that are not unique,
please try not to use them or at least introduce them!

~~~
moocowduckquack
Alternatively, when trying to follow a conversation in a domain specific
context, learn the terms.

