[curves] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

Gregory Maxwell gmaxwell at gmail.com
Fri Oct 23 16:33:08 PDT 2015


On Fri, Oct 23, 2015 at 11:08 PM, Ray Dillinger <bear at sonic.net> wrote:
[snip]
> Which IMO leaves non-technical reasons.  It could be a subterfuge
> to try to hinder crypto adoption, or to get that focused analytical
> attention on ECC, or an attempt to get people to stop using something
> they don't know how to break. Heck, it could even be a legitimate
> attempt to protect the security of the nation's infrastructure; you
> just never know with these guys.

The timing was interestingly related to increased
adoption/standardization of 25519-based cryptosystems and helpfully
suggests a larger curve... which could be a nicely indirect way of
saying don't use _some_ particular curve at a smaller size.

But it's a zero-information observation; even if it were true, it
might mean that the alternative which was being indirectly discouraged
was known to be weak, or known to be strong.

The "if the NIST curves are rigged all ECC is broken" doesn't quite
apply to this, as there are numerous special characteristics
production curves are selected for that make them at least somewhat
unlike random curves. (E.g. prime shape or cofactor or ...).

I don't quite buy the argument that if there were some very large
class of random curves that were weak that we'd stop using ECC
entirely. Selection of multiplicative groups for DH -- we use
"safe" primes to avoid weakness, for ECC we do not use supersingular
curves, etc. Primes with structure 1 mod 3 and a curve with
j-invariant zero give rise to the efficient endomorphism that gives a
mild speedup in rho attacks; maybe it turns out that (say) primes
congruent to 1 mod 4 allow some actual attack, and if that were
discovered and well understood, the world would just stop using those
curves, exclude those primes in parameter searches (as many others are
already excluded), and probably continue using ECC.  The fact that we
already exclude large classes of curves to avoid weakness should be a
decisive argument on this point; an exception might be if the weak
class were computationally hard to distinguish even understanding the
weakness.
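
[Added example, not part of the original message or of any project's code.] A sketch of the kind of parameter-search filter the last paragraph describes: it rejects supersingular curves, notes the p = 1 mod 3 / j = 0 endomorphism case, and accepts extra exclusion rules for classes found weak later. The `Curve` type, the function names, the toy curves and the "p = 1 mod 4" rule (the message's own hypothetical, not a known attack) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Curve:
    """y^2 = x^3 + a*x + b over F_p (p > 3 prime); order = #E(F_p)."""
    name: str
    p: int
    a: int
    b: int
    order: int

def count_points(p, a, b):
    """Brute-force #E(F_p) via Euler's criterion; only for tiny toy primes."""
    total = 1  # point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        total += 1 if rhs == 0 else 2 * (pow(rhs, (p - 1) // 2, p) == 1)
    return total

def is_supersingular(c):
    # For p > 3, E/F_p is supersingular iff the trace p + 1 - #E is zero.
    return c.p + 1 - c.order == 0

def has_efficient_endomorphism(c):
    # The case the message cites: p = 1 (mod 3) and j = 0, i.e. a = 0 (mod p).
    return c.p % 3 == 1 and c.a % c.p == 0

def screen(c, extra_rules=()):
    """Return (rejected, notes); extra_rules are (label, predicate) pairs for
    weak classes discovered later, applied like the existing exclusions."""
    notes = ["reject: supersingular"] if is_supersingular(c) else []
    notes += ["reject: " + label for label, pred in extra_rules if pred(c)]
    if has_efficient_endomorphism(c):
        notes.append("note: efficient endomorphism, mild rho speedup")
    return any(n.startswith("reject") for n in notes), notes

# The message's "(say)" class: a hypothetical rule, not a known attack.
HYPOTHETICAL = [("p = 1 mod 4 (hypothetical)", lambda c: c.p % 4 == 1)]

SECP256K1 = Curve("secp256k1", 2**256 - 2**32 - 977, 0, 7,
    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)
# Constructed toy curves; their orders are counted, not taken from any standard.
TOY_SS = Curve("toy y^2=x^3+1 / F_11", 11, 0, 1, count_points(11, 0, 1))
TOY_13 = Curve("toy y^2=x^3+3 / F_13", 13, 0, 3, count_points(13, 0, 3))

if __name__ == "__main__":
    for curve in (SECP256K1, TOY_SS, TOY_13):
        print(curve.name, screen(curve, HYPOTHETICAL))
```

secp256k1 passes with only the endomorphism note, the F_11 toy is rejected as supersingular, and the F_13 toy is rejected only once the hypothetical rule is supplied.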

