Quote from: kmfkewm on September 08, 2013, 06:13 am

> Quote from: SelfSovereignty on September 08, 2013, 02:41 am
>
> > Wait, wait... I'm really fucking confused now. We're *not* supposed to use elliptic curve cryptography? But... but I... but... wtf is going on?
>
> Right now expert cryptographers seem to hold conflicting opinions. Some are saying we need to switch to ECC right away, because they take the NSA revelations to mean that the NSA might be able to crack low bit strength RSA and DH (i.e. the leak says that ten years ago the NSA had a breakthrough allowing them to crack many forms of cryptography). Others are saying we need to stay far away from it. Personally I prefer ECC by a lot, but if it is broken, well, obviously it is no good. ECC has been the traditional wisdom up until very recently, with pretty nearly everybody suggesting it be switched to from RSA and DH. But with the NSA revelations, some people are getting cold feet in regard to the ECC algorithms, because the NSA has been their biggest supporter and has been trying to get everybody to switch to them for some years now (i.e. the leak says that the NSA is trying to get people to use encryption that they can break). So use ECC if you think the NSA revelations mean RSA and DH are screwed, and use high bit strength RSA and DH if you think the NSA revelations mean ECC is screwed. Right now the experts are split.
>
> ECC is pretty new. I think the mathematics behind ECC is relatively new, only being formalized a bit over a hundred years ago, whereas the mathematics behind RSA goes back several thousand years. On the other hand, most people thought ECC was much stronger than RSA bit-for-bit. I really cannot say which I would use. I think ECC has much nicer properties and I would much rather use ECC than RSA or DH, provided it is secure.
>
> Honestly though, I would probably have to lean more toward RSA or DH with really high bit strength, because not many people are worried the NSA can break those, but some people are worried they can break ECC in general and the others are worried they can break low bit strength RSA/DH.

Very curious. GPG also supposedly has had support for ECC algorithms in the development version for a year or two now, I believe -- yet it isn't in the general release. In fact, even after downloading and compiling the development version in question I decided not to use it, because it has a big warning saying "do not use this version if you need strong security," or something to that effect (honestly I don't recall exactly, but that's close enough). The source of the development version is also quite a bit smaller in size than the general release's source (at least the versions I compared were), which seemed odd to me too.

Initially I wondered if they weren't releasing it because somebody from the NSA paid them a visit or something, but now I'm wondering if it's the other way around... I see Schneier's point about constants that could be easily influenced. I think I agree with him, too. If anyone's curious, apparently in 2007 this (may or may not have) actually happened: http://rump2007.cr.yp.to/15-shumow.pdf

If you aren't comfortable with a PDF, it's just a brief few pages -- back of a napkin kind of thing -- detailing the mathematics and attack on a specific implementation of an elliptic curve pseudorandom number generator that had a constant which was never derived or explained, and that allowed the entire system to be broken with as few as 32 bytes of the private key being known, or some such thing. Frankly the math is a level higher than I'm readily able to understand, but I believe that's accurate.
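The attack in the linked Shumow/Ferguson slides is small enough to reproduce end to end, so here is an added toy reconstruction of it in Python. It is not code from the post above, from the slides, or from any standard; every parameter in it is a hypothetical stand-in chosen for this page: a curve over GF(233) instead of NIST P-256, 8-bit outputs with 2 bits dropped instead of 256-bit outputs with 16 bits dropped, and a backdoor scalar `E` that we pick ourselves and then use to derive the "unexplained" constant `Q` so that `E*Q == P`. The names `pick_curve`, `dual_ec_step`, `outputs_from_state`, `generate` and `attack` are this example's own. The point it demonstrates: whoever knows `E` needs only one output block of the generator (plus a brute force over the dropped bits) to recover the internal state and predict every later output.

```python
# Toy reconstruction of the Dual_EC_DRBG "unexplained constant" attack from the
# Shumow/Ferguson 2007 rump-session slides.  Added example for this page, not code from
# the post or from any standard.  Everything here is a hypothetical toy: a curve over
# GF(233) instead of NIST P-256, 8-bit outputs with 2 bits truncated instead of 256-bit
# outputs with 16 bits truncated, and a backdoor scalar E that we choose ourselves.
P_MOD, A = 233, 1                # field prime and coefficient a of y^2 = x^3 + a*x + b (toy values)
FIELD_BITS, TRUNC_BITS = 8, 2    # x fits in 8 bits; the generator drops the top 2 of them
INF = None                       # point at infinity


def symbol(a):
    """Legendre symbol of a mod P_MOD: 1 residue, -1 non-residue, 0 for zero."""
    l = pow(a % P_MOD, (P_MOD - 1) // 2, P_MOD)
    return 0 if l == 0 else 1 if l == 1 else -1


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def pick_curve():
    """Choose b so the curve is non-singular, has prime order N > P_MOD and no point at
    x = 0: then every state s in [1, N-1] satisfies s*P != INF and the toy never hits the
    degenerate cases a real-size generator never meets in practice."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0 or symbol(b) != -1:
            continue
        n = 1 + sum(1 + symbol(x ** 3 + A * x + b) for x in range(P_MOD))  # point count
        if is_prime(n) and n > P_MOD:
            return b, n
    raise RuntimeError("no suitable toy curve")


B, N = pick_curve()


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P_MOD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                       # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return acc


def lift_x(x):
    """A point (x, y) on the curve with this x, or None if x is not an x-coordinate."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return next(((x, y) for y in range(P_MOD) if y * y % P_MOD == rhs), None)


P = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt)   # the published P constant
E = 7                                   # backdoor scalar, known only to whoever chose Q
Q = ec_mul(pow(E, -1, N), P)            # the "unexplained" Q constant, built so that E*Q == P


def truncate(x):
    return x & ((1 << (FIELD_BITS - TRUNC_BITS)) - 1)


def dual_ec_step(state, P, Q):
    """One iteration: s' = x(s*P), output = truncate(x(s'*Q)).  Returns (s', output)."""
    new_state = ec_mul(state, P)[0]
    return new_state, truncate(ec_mul(new_state, Q)[0])


def outputs_from_state(state, count, P, Q):
    """The outputs the generator emits once its internal state equals `state`."""
    outputs, s = [truncate(ec_mul(state, Q)[0])], state
    while len(outputs) < count:
        s, out = dual_ec_step(s, P, Q)
        outputs.append(out)
    return outputs


def generate(seed, count, P, Q):
    """The honest generator: `count` outputs from a secret seed in [1, N-1]."""
    return outputs_from_state(ec_mul(seed, P)[0], count, P, Q)


def attack(observed, e, P, Q, predict=3):
    """From ONE truncated output and the backdoor scalar e (e*Q == P), recover the next
    internal state and predict the following `predict` outputs.  Returns one predicted
    sequence per guess of the dropped bits that lands on the curve (at most 2**TRUNC_BITS)."""
    predictions = []
    for high in range(1 << TRUNC_BITS):
        x = observed | (high << (FIELD_BITS - TRUNC_BITS))
        point = lift_x(x) if x < P_MOD else None    # either y works: x(e*(-R)) == x(e*R)
        if point is None:
            continue                                # not on the curve: wrong guess, discard
        # R = s'*Q, so e*R = s'*(e*Q) = s'*P, and x(s'*P) is exactly the generator's next state
        predictions.append(outputs_from_state(ec_mul(e, point)[0], predict, P, Q))
    return predictions
```

Run it with `actual = generate(42, 4, P, Q)` and `attack(actual[0], E, P, Q)`: the attacker, seeing only `actual[0]`, returns a handful of candidate sequences (one per guess of the dropped bits that happens to be an x-coordinate on the curve), and one of them is exactly `actual[1:]`. Without `E` the same observer would have to solve a discrete logarithm to get from `R = s'*Q` to `s'*P`; with it the whole job is one scalar multiplication per guess, which is why a `Q` whose provenance nobody can explain is the thing to look for in this kind of design.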