1. 20
  1.  

    1. 7

      Thank you! I basically never watch videos, so I’m glad I clicked into the comments here and saw your link. :-)

      > Developers could theoretically build an ECC implementation with terrible parameters and fail to check for things like invalid curve points, but they tend to not do this. A likely explanation is that the math behind ECC is so complicated that very few people feel confident enough to actually implement it. In other words, it intimidates people into using libraries built by cryptographers who know what they’re doing. RSA on the other hand is so simple that it can be (poorly) implemented in an hour.

      Yyyyyyep. I implemented RSA as a teenager. It was way too easy. Deceptively easy. And my implementation didn’t use any padding, so it would have been vulnerable.

    2. 5

      > Developers could theoretically build an ECC implementation with terrible parameters and fail to check for things like invalid curve points, but they tend to not do this.

      This might be less protective than the author seems to believe, in light of the grievous CAPI bug that was patched this week. That doesn’t invalidate the author’s commentary about the footguns RSA leaves lying around, but it makes the argument that they’re absent from ECC much less persuasive.

      1. 1

        But wasn’t the crypt32.dll bug simply that that implementation didn’t check all 4 parameters of an ECC curve, not that ECC is inherently flawed?

        1. 5

          As I understand it, yes. But the author was arguing that we’re better off with ECC because it’s more difficult to misuse in a way that will harm our systems. I’m saying that, while it might well prove more difficult to misuse, that doesn’t seem to have protected some very smart crypto people from doing so. And I’m betting they’re not the only ones.

          Put differently, we know about more footguns in RSA. I’d argue that says more about how many people have been using it and for how long than it says about the relative safety of systems built around either primitive.

          1. 2

            Thanks, having read up a bit more I agree with you.

      2. 2

        I can’t get past the first 30 seconds, sorry.
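
The thread mentions a from-scratch RSA implementation with no padding. The following is an added example, not code from any commenter or from the linked material, showing two properties of unpadded ("textbook") RSA that padding schemes such as OAEP exist to remove. The primes, messages and function names are constructed for illustration.

```python
from typing import List, Optional

# Constructed toy parameters: two Mersenne primes, far too small for real keys.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod n, with no padding and no randomness."""
    if not 0 <= m < N:
        raise ValueError("message out of range for this modulus")
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """Textbook RSA decryption: m = c^d mod n."""
    return pow(c, D, N)


def encode(text: str) -> int:
    """Interpret a short string as a big-endian integer."""
    return int.from_bytes(text.encode(), "big")


def matching_candidate(ciphertext: int, candidates: List[str]) -> Optional[str]:
    """Property 1, determinism: equal plaintexts give equal ciphertexts, so
    anyone with the public key can re-encrypt candidate messages and compare."""
    for guess in candidates:
        if encrypt(encode(guess)) == ciphertext:
            return guess
    return None


def scale_ciphertext(ciphertext: int, factor: int) -> int:
    """Property 2, malleability: multiplying by factor^e mod n turns the
    hidden plaintext m into factor*m mod n, using only the public key."""
    return (ciphertext * pow(factor, E, N)) % N


if __name__ == "__main__":
    c = encrypt(encode("approve"))
    print("low-entropy message identified:", matching_candidate(c, ["deny", "approve"]))
    print("1000 became:", decrypt(scale_ciphertext(encrypt(1000), 2)))
```

Randomized padding makes repeated encryptions of the same message differ and makes modified ciphertexts fail to decrypt, which is why vetted libraries apply it by default.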