[cryptography] [Cryptography] RSA is dead.

D. J. Bernstein djb at cr.yp.to
Mon Dec 23 11:13:40 EST 2013

Peter Gutmann writes (on the moderated cryptography at metzdowd.com list):
> Any sufficiently capable developer of crypto software should be
> competent enough to backdoor their own source code in such a way that
> it can't be detected by an audit.

Some of us have been working on an auditable crypto library:


The original, nicely indented, version is 809 lines, 16621 bytes. The
Python script to print tweetnacl.h is 1811 bytes. The accompanying paper
(to be posted soon) says "Of course, compilers also need to be audited
(or to produce proofs of correct translations), as do other critical
system components"---but there's progress on that too. In general it
seems that Peter's fatalist view consists entirely of "nobody has done
this yet" rather than "it's impossible".

TweetNaCl's speed doesn't match the asm in NaCl, but if you can tolerate
OpenSSL's 4.2 million cycles for RSA-2048 decryption then you should be
able to tolerate TweetNaCl's 2.5 million cycles for Curve25519.

