Breaking news:
the cryptography that we all know and use, such AES-128, SHA-1 and SHA-256, RSA/DH, and the most commonly used elliptic curve P-256 (a.k.a. secp256r1) are NO LONGER wholeheartedly supported by the NSA. In fact most of these, if not all, are not quite recommended anymore.
Until now and for the last 10+ years the NSA and the NIST urged everybody to use these things.
Now the NSA has a very different message:
- There will be a transition to new crypto algorithms coming very soon.
- For the time being all current algorithms are already UPGRADED: the NSA recommends now to use at least AES-256, SHA-384, RSA-3072, DH mod p 3072, and the elliptic curve P-384.
- These should be used only for now, in the ‘transition phase’. These cryptographic algorithms are NOT presented as long term solutions anymore!
- The security of elliptic curve cryptography takes a serious blow in a series of statements,
while RSA seems to come back as an acceptable solution for the time being. - Yes P-256 is no longer recommended, even though it is so massively used today (e.g. in 98% in SSL/TLS connections which use elliptic curves).
- Not to say some very dodgy very special elliptic curves such as used in Bitcoin, which should be avoided even a lot more!
- Even upgrading to P-384 today from maybe systems which use RSA or traditional discrete log mod p is NOT quite recommended anymore (the usage of elliptic curves was still increasing slowly and has not reached a very high level):
- the NSA states: “For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition”.
- Even more interesting: “For those vendors and partners that have already transitioned […] “elliptic curve cryptography is not the long term solution many once hoped it would be“. So that ECCs are going to disappear altogether and new forms of public key cryptography are going to become dominant.
This is absolutely incredible.- BTW: NSA does not admit however that better elliptic curves might exist outside of current NIST/NSA curves: “Where elliptic curve protocols are to be used, we prefer Suite B standards be used to the fullest extent possible as they have a long history of security evaluation and time tested implementation that newer proposals do not yet have”.
- Instead they make it very clear that “it is prudent to use larger key sizes in algorithms”, for example use the P-384 in the current transition period.
- In addition, even today, P-384 is NOT quite enough in high-security systems.
- More precisely the NSA states: “customers using layered commercial solutions to protect classified national security information with a long intelligence life should begin implementing a layer of quantum resistant protection. Such protection may be implemented today through the use of large symmetric keys and specific secure protocol standards.
For example, CSfC deployments involving an IKE/IPsec layer may use RFC 2409-conformant implementations of the IKE standard (IKEv1) together with large, high-entropy, pre-shared keys and the AES-256 encryption algorithm. RFC 2409 is the only version of the IKE standard that leverages symmetric pre-shared keys in a manner that may achieve quantum resistant confidentiality. Additionally, MACsec key agreement as specified in IEEE 802.1X-2010, and the RFC 4279 TLS specification provide further options for implementing quantum resistant security measures today.”
- More precisely the NSA states: “customers using layered commercial solutions to protect classified national security information with a long intelligence life should begin implementing a layer of quantum resistant protection. Such protection may be implemented today through the use of large symmetric keys and specific secure protocol standards.
- Overall the NSA promises to retire more or less all the cryptography that we know and they make it quite clear that the cryptography we are using today are NOT recommended anymore. Instead NEW crypto algorithms will be very soon standardized.
The official version is that all this is because of Quantum Computers…
There is however another explanation. It seems that someone finally got the message of the Catacrypt 2014 conference which took place in San Francisco on 29 Oct 2014.
UPDATES:
- Link to Catacrypt 2015 (30 Sept 2015).
- On explanations: We recall that Bruce Schneier has also said in Sept 2013 that he does no longer trust elliptic curves with magical constants and advised to move to discrete logs mod p, just after [reportedly] examining Snowden documents.
- A new paper on how to select elliptic curve parameters.
- On discrete logs in elliptic curves in general: this is no longer taken for granted, mostly based on NSA recent actions, less in actual crypto research.
- On future crypto: Wild speculation about what will be the NSA’s next move have started.
Very few alternative public schemes are known and their security does not inspire a lot of trust (the author of this blog has published some 20 papers on this topic, mostly breaking alternative public key schemes, and very few remain unbroken, for example HFEv- is not broken.).
Pingback: How Secure are NIST Elliptic Curves? | Financial Cryptography, Bitcoin, Crypto Currencies, Cryptanalysis
Pingback: Is Satoshi Nakamoto Back? | Financial Cryptography, Bitcoin, Crypto Currencies, Cryptanalysis
Pingback: Controversy Around Bitcoin Elliptic Curve | Financial Cryptography, Bitcoin, Crypto Currencies, Cryptanalysis