Re: [Cfrg] Security proofs v DH backdoors

Hanno Böck <> Mon, 31 October 2016 09:58 UTC

Date: Mon, 31 Oct 2016 10:58:51 +0100
From: Hanno Böck <>
To: Peter Gutmann <>
Message-ID: <20161031105851.1a725d3f@pc1>
Cc: CFRG <>

On Mon, 31 Oct 2016 09:39:02 +0000
Peter Gutmann <> wrote:

> >You bring up an example that has nothing to do with ECC. The PS3
> >issue is a well known problem of both classic / finite field DSA and
> >ECDSA. How is that an argument for the brittleness of ECC?  
> Because a faulty RNG won't kill RSA?

But a faulty modular exponentiation will.

Just one last thing: Look at the subject of this mail - this discussion
started when I asked whether it's worth trying to fix DH or if it'd be
better to switch to modern ECC for key exchanges. Now you're making it
a discussion whether ECDSA or RSA is better. (FWIW I would never
recommend replacing RSA with ECDSA, despite all the potential hazards
with RSA.) You're constantly shifting the discussion to other topics
trying to make your point that ECC is brittle by including unrelated

This will be my last mail in this thread, I don't find this discussion
helpful in this way.

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42