
> A random person on the internet advising which curve to use can be insecure as well.

First, the advice does not come from "a random person".

* The recommendation of Curve25519 is originally concluded by its author after evaluating all available elliptic-curve standards under a set of well-defined, objective criteria. The research is published here [0].

* It's not a one-man claim. This conclusion has been peer-reviewed by many leading researchers and institutions in the past 10 years. There has been an enormous amount of discussion in various communities, including cryptographic developers working on community projects, like OpenBSD [1], OpenSSH [2], Tor [3], industry leaders such as Apple [4], Google [5], Microsoft [6], CloudFlare [7], as well as Internet institutions such as IETF [7]; now it's officially part of TLSv1.3.

Nearly everyone agreed the security claims by Curve25519 are valid and it offers many desirable properties compared to previous standards.

> And even if it's a secure choice now it may not be in a few years.

The theoretical security margin is comparable to any other 256-bit ECC encryption, yet it offers a more conservative and robust design against known attacks than other curves, including a good complex-multiplication field discriminant D against potential speedups to Rho Method, immunity against invalid-curve attack, indistinguishability from uniform random strings, and allowing easier, more robust implementations of constant-time (anti side-channel) addition and multiplication.

In other words, in theoretical cryptography, there is no known, computationally-feasible way to attack it. Perhaps in the future someone could find a way, but ECC has been thoroughly analyzed in the past 20 years and it's reasonable to believe a major weakness is very unlikely. "You cannot be sure that it cannot be attacked in the future" is not valid logic in applied cryptography. The valid logic is "You only choose something with a high-level of confidence".

Currently, the only way to attack is using a quantum computer, but when they come, all the public-key algorithms deployed on the Internet are vulnerable without exception (it has been claimed that ECC needs fewer qubits to crack than RSA; that's true. But when quantum computers are large enough to attack ECC, attacking RSA is only a matter of time in the short-term. Giving up ECC entirely today and facing all the potential problems of RSA with long keys for 10-20 years, just to buy a few years of time from quantum attackers is a very questionable sacrifice). Therefore, the research on Post-Quantum Cryptography has already started [8], with possible candidates like McEliece and NTRU. They are expected to replace the current standard in the next decade.

> which I don't even know what that is

WE DO NOT CELEBRATE IGNORANCE.

References:

[0] https://safecurves.cr.yp.to/

[1] http://www.openbsd.org/papers/bsdcan-signify.html

[2] https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-08

[3] https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt?...

[4] https://www.apple.com/business/docs/iOS_Security_Guide.pdf

[5] https://www.chromestatus.com/feature/5682529109540864

[6] https://www.microsoft.com/en-us/research/wp-content/uploads/...

[7] https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

[8] https://en.wikipedia.org/wiki/Post-quantum_cryptography




What I have learned about crypto is that there are people that understand it well. And those people are not random strangers, they are security experts.

And even then if you found good solid well supported security advice from reputable sources but they are 10 years old... You are still insecure.

Therefore modern up-to-date information from reputable sources is the only true way to stay secure. It's a running battle, not a static one.

I feel you have assumed I meant something entirely different.



