[cryptography] NSA's position in the dominance stakes

Marsh Ray marsh at extendedsubset.com
Mon Nov 15 22:36:58 EST 2010

On 11/15/2010 06:38 PM, Jon Callas wrote:
> No matter how you slice it, we want to move away from RSA to EC by
> 2050-2060. (Yes, yes, quantum, blah, lattice, blah, Lamport blah.)
> The only question is when.

Maybe when the patents expire.

It would kind of suck for NIST to try to force adoption of something with a 
patent thicket around it.

For one thing, open source projects wouldn't go along with it.

It's not a case like HDTV where the FCC can mandate that transmissions 
of the perfectly usable existing signal must cease. (My only TV 
continues to get its signal from the cable company, but I no longer have 
the capability to receive over-the-air broadcasts.)

So it'd probably end up with US government procurements being outside 
the mainstream market and paying more to do so in the process. Situation 

Encryption and signing could easily end up like the current zoo of audio 
and video formats. It's simply not possible to build systems that 
interchange data with widely used AV formats without a set of license 
agreements (or accepting some open-ended liability). The best rates are 
probably per-unit. Which presumes the project now has "paying customers" 
and you have some way of counting "units". Which for software projects 
means...well, a more complicated design to say the least.

Seems to me like that's exactly the kind of situation NIST should be 
working to prevent.

One might say "oh but they license it at no charge" or come up with some 
other reason why it's not actually the way it looks. But that would be 
missing the point.

I'm a software developer, and once in a blue moon the occasion comes 
around where some crypto-related algorithm needs to be selected. Having 
heard about this:
There is simply no way that I could even consider recommending some 
piece of patented math. Certainly not in place of a gold standard like 
RSA which has many open and interoperable implementations. (Unless the 
legal agreements were somehow part of the product's design in order to 
limit its potential for interoperability, which is not unheard of, but 
seems a bit unlikely.)

In fact, my perception is that because of how the patent lottery 
triple-bonus damage category works, it's probably better for my current 
and future employers (and my value by extension) that I know as little 
about it as possible!

All I know is that it is said that one can do asymmetric crypto with 
elliptic curves using keys a bit shorter than RSA, but that those who do 
so sometimes end up paying ++$M. From my perspective, this is 
effectively equivalent to the algorithm having a rather severe form of 
security vulnerability.

Thus ECC just does not seem technically relevant to me at this time.

> I think NIST is smart enough to know that
> if they wait until 2040, it's going to take until 2100.

At some future time the math may become free to compute. If it's still 
viewed as the best solution by a noticeable margin one might expect the 
market to adopt it. At least those who specify their own crypto.

On the other hand, something better might come along by then. Or maybe 
people using future systems just don't notice the overhead of RSA enough 
to make it worth switching.

- Marsh
