Re: newbie need help (ECC and wireless)

"Peter Pearson" <ppearson@xxxxxxxxxxxxxxx> wrote in message
On Mon, 15 Jan 2007 07:13:52 GMT, Joseph Ashwood <ashwood@xxxxxxx> wrote:
"Ray" <ryan1219@xxxxxxxxx> wrote in message
Hi all:
I am not sure if I post in the right place, please inform me if you
know a better place to go.
I am new to encryptography. I review some paper on encryptography and
it seems that ECC is the most suitable
public key algorithm to be implemented on wireless devices. (smaller
and faster compared to RSA)

But I am wondering why it is not widely uesed in commercial

For products it all comes down to business decisions. RSA is the most
recognised name in asymmetric cryptography, and as such is the safest
business decision. As for "best" I will grant that ECC is faster and
smaller, but for situations that require dependable long term security I
admit I often recommend RSA simply because the problem is better
making it more dependable long term.

But note that NSA's "Suite B", promulgated "to protect
national security systems and information", uses ECC, not
RSA. In fact, public-key cryptographic standards with which
one might reasonably expect NSA to have been involved (e.g.,
DSA) have generally blessed discrete-log-based algorithms
rather than factorization-based algorithms like RSA.

There is a fairly simple reason for that, it has been proven that iDLP is at
least as hard as IFP (through a proof by reduction, there are several
available), since we believe that RSA reduces to IFP and DH reduces to iDLP,
it follows that DH is at least as secure as RSA, and so DH-based solutions
are better than RSA-based solutions where both exist. It is also worth
noting that the NSA appears to only examine things for what we would
consider relatively short term secrets (5-10 years), anything stronger and
for their usage model a few Marines is cheaper. When I say long term
dependability I'm talking about planning for 50 years of use, and over that
term I feel we can more dependably predict the path of IFP than ecDLP, and
over that term is appears that IFP and iDLP will be the same problem, but it
is often easier to solve and/or prove a solution to a problem using RSA than

For things where it only needs to be secure for 10 years, and is implemented
by programmers that understand what they are doing (RSA is easier to
describe than ECDH), ECC makes sense. For longer terms than 10 years I think
going conservative becomes extremely critical, and RSA/DH-based solutions
have superior security reliability, even if they are slower, bulkier,
clumsier, etc-ier.

The NSA Suite B page, at

also discusses the patent situation, which I think Joe
correctly identifies as a source of (probably inappropriate)

Regardless, that page makes a good reference on what should be used in many
situations, although I really don't understand why they require 192 or 256
bits AES but don't allow SHA-512 (it's not speed SHA-384 is the same the
same speed and is allowed).


Relevant Pages

  • Re: Public Key Encryption: The Weakest Link
    ... we'll call this the RSA number because they are the most likely ... going that close to the line with ECC, and you'll find that in anything I ... 256-bit ECC key should cover a 128-bit symm, I'd still recommend 512 though ... NTRU, I honestly haven't kept up on it, the constraints I work in very often ...
  • Re: 128bit RSA public key - time to break?
    ... > RSA key? ... a 128bit ECC key? ... les accusations de malhonneteté sont fondées sur des arguments ... cf. tous les posts d'Alain Beyrand sur le fonctionnement du comité. ...
  • Re: Elliptic Curve Cryptography algorithm for key exchange
    ... With 1024 bit RSA considered standard industry strength, ... CryptoAPI does not support ECC. ... >> May I conclude from your answer that Microsoft CryptoAPI ...
  • Re: Breaking RSA & Securing RSA
    ... > than RSA. ... Maybe you're wrong on saying that RSA-like cryptosystems are not RSA. ... RSA is potentiation in a finite ring, which is the direct sum of multiple ... So RSA-like ECC is in fact RSA over ECC. ...
  • Re: newbie need help (ECC and wireless)
    ... Joseph Ashwood wrote: ... least as hard as IFP (through a proof by reduction, ... available), since we believe that RSA reduces to IFP and DH reduces to iDLP, ... it follows that DH is at least as secure as RSA, ...