[cryptography] NSA's position in the dominance stakes
marsh at extendedsubset.com
Mon Nov 15 22:36:58 EST 2010
On 11/15/2010 06:38 PM, Jon Callas wrote:
> No matter how you slice it, we want to move away from RSA to EC by
> 2050-2060. (Yes, yes, quantum, blah, lattice, blah, Lamport blah.)
> The only question is when.
Maybe when the patents expire.
It would kind of suck for NIST to try force adoption of something with a
patent thicket around it.
For one thing, open source projects wouldn't go along with it.
It's not a case like HDTV where the FCC can mandate that transmissions
of the perfectly usable existing signal must cease. (My only TV
continues to get its signal from the cable company, but I no longer have
the capability to receive over-the-air broadcasts.)
So it'd probably end up with US government procurements being outside
the mainstream market and paying more to do so in the process. Situation
Encryption and signing could easily end up like the current zoo of audio
and video formats. It's simply not possible to build systems that
interchange data with widely used AV formats without a set of license
agreements (or accepting some open-ended liability). The best rates are
probably per-unit. Which presumes the project now has "paying customers"
and you have some way of counting "units". Which for software projects
means...well, a more complicated design to say the least.
Seems to me like that's exactly the kind of situation NIST should be
working to prevent.
One might say "oh but they license it at no charge" or come up with some
other reason why it's not actually the way it looks. But that would be
missing the point.
I'm a software developer, and once in a blue moon the occasion comes
around where some crypto-related algorithm needs to be selected. Having
heard about this:
There is simply no way that I could even consider recommending some
piece of patented math. Certainly not in place of a gold standard like
RSA which has many open an interoperable implementations. (Unless the
legal agreements were somehow part of the product's design in order to
limit its potential for interoperability, which is not unheard of, but
seems a bit unlikely.)
In fact, my perception is that because of how the patent lottery
triple-bonus damage category works, it's probably better for my current
and future employers (and my value by extension) that I know as little
about it as possible!
All I know is that it is said that one can do asymmetric crypto with
elliptic curves using keys a bit shorter than RSA, but that those who do
so sometimes end up paying ++$M. From my perspective, this is
effectively equivalent to the algorithm having a rather severe form of
Thus ECC just does not seem technically relevant to me at this time.
> I think NIST is smart enough to know that
> if they wait until 2040, it's going to take until 2100.
At some future time the math may become free to compute. If it's still
viewed as the best solution by a noticeable margin one might expect the
market to adopt it. At least those who specify their own crypto.
On the other hand, something better might come along by then. Or maybe
people using future systems just don't notice the overhead of RSA enough
to make it worth switching.
More information about the cryptography