Comments: CryptoKids, education or propaganda, ECC, speed or agenda capture?

>> What is of more worry is the continued policy of organised
>> and paid-for propaganda by western governments through all
>> sorts of channels, domestic and foreign. This in my view
>> is unacceptable. In a democratic nation, the people decide
>> such questions and vote. In a dictatorship, the dictator
>> decides and imposes by means of control of the media.

In the US the following is quite common. Local government bureaucrats and politicians want to do something for which voter approval (eg for a bond issue) is required. The voters obstinantly and repeatedly vote it down. The government then hires a political science research firm (paid for with tax revenue) to conduct surveys etc. to figure out what lies need to be told to get the voters to vote "yes" and then hire a PR firm (paid with tax revenue) to roll out the recommended campaign.

It is futile to call it unacceptable. They do it and get away with it. Furthermore, this (thru whatever pretense necessary) will always happen in any democracy.


Posted by CCS at June 5, 2006 02:22 AM

Increasing crypto key size is to security what turning lights off is to energy conservation. It's a very simple and visible act, and thus signals that you care about security (or energy conservation, respectively), but doesn't actually contribute much directly to the goal.

Posted by nick at June 5, 2006 02:29 PM

I do not agree with the assertion that ECC is much faster than RSA. It is actually not.

The modern way of doing RSA is using multiprime RSA, where the equivalent strength of 168-bit ECC keys would be a modulus with 6 192-bit prime factors. For encryption, since you only need to encrypt 80-bit symmetric keys, you can use the "RSA for paranoids" approach and pad it to a value smaller than the smallest prime factor (let's say to 184 bits). Then you can do encryption by taking four squares in 1152-bit modulus and decryption by doing a single exponentiation in a 192 bit modulus. Quite competitive with 160-bit ECC.

For digital signatures, it is true that ECC generally beats multiprime RSA on speed and signature size, but it has a covert channel just like traditional ElGamal-based signature schemes, which is fine with automatic applications but can be a problem when digital signatures are used for legal purposes.

The big problem with RSA is the excessive cost of key generation. On a regular, cheap cellphone, it takes about an hour to generate a secure RSA key (maybe we can speed it up by a factor of 10, but even that seems quite a challenge on one hand and not even nearly enough for user convenience on the other hand). Even if it has to be done only once in a lifetime of the mobile device, making sign-up time an hour will drive many users away.

DH key generation takes about a minute, ECC key generation would take about 10 seconds. DSS signatures are of the same size as EC-DSS signatures and take the same amount of time to compute (provided that the expensive exponentiation is pre-computed). Verification takes about the same time as key generation.

On general purpose computers (notebooks and workstations) none of this matters. Everything (except for RSA key generation, which takes about 10 seconds) happens faster than one can say "elliptic curve".

Posted by Daniel Nagy at June 8, 2006 02:30 PM

Afterthoughts. On-the-margin hardware does matter. Far more people have cellphones than computers and they are not getting any faster over time (you can always trade speed for battery life and batterly life is valued higher by the market). Cellphones, as the experimental data from my previous post shows, are not quite well equipped for public key crypto.
In other bad news, multiprime RSA is also patent-encumbered: it's a Compaq patent, AFAIK. It expires soon, and it is probably safe to ignore even at this point, but still...
I am increasingly confident that my partially PGP-compatible cellular project will stick to traditional D-H in a Schnorr group for encryption and DSA for signatures. All public key operations are doable within a minute and most can be done in the background while the user is typing the message. Signature verification will be done upon request, not automagically; once signatures are verifiable, there is no need to actually verify all of them.

Posted by Daniel Nagy at June 8, 2006 04:33 PM

Posted by Daniel Nagy at June 9, 2006 03:57 PM

Posted by Daniel Nagy at June 9, 2006 03:57 PM
Post a comment

Remember personal info?

Hit Preview to see your comment.
MT::App::Comments=HASH(0x55a3c137e308) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/ line 125.