Seriously, stop using RSA: comments

74 points by upofadown about 3 years ago

9 comments

tptacek about 3 years ago
The author of this article has misunderstood the piece it's responding to, and doesn't appear to be familiar with the literature. For instance, this response is dubious about the security implications of primality testing bugs, claiming that Prime & Prejudice --- famously relevant to RSA --- had no apparent connection to it (presumably they read the abstract and not the study itself, which repeatedly mentions RSA). It just goes on like this.

This is part of a pattern with this author. They're extremely attached to PGP. PGP uses RSA. Therefore: RSA must be fine. Recurrence of the same pattern: PGP doesn't use authenticated encryption. Therefore, authenticated encryption must not be important, or maybe it's even a negative. There's another example somewhere in the comments here about forward secrecy being overrated. (I can cite, but you should just take my word for it that these takes have been shared here).

It's frustrating, because the pattern isn't super clear in isolation (though this response actually mentions PGP as the impetus for the response) and, if you don't work in the field, it might not be clear how far these takes stray from cryptographic engineering orthodoxy. It's also frustrating because in general, we're not supposed to write things like this on HN --- a list of floridly bad previous comments from this author would be way over the line --- so one has to sort of tiptoe around the edges of the guidelines to find a way to describe what's going on here.

Anyways, caveat lector.

Hats off for describing Boneh's fault attack paper as "completely theoretical", though! Bold!
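tptacek's point that primality-testing bugs are security-relevant can be illustrated with a short Go program. The block below is an added example, not code from the thread or from any library it mentions. It contrasts a Miller-Rabin test that only ever uses fixed bases (the weakness Prime & Prejudice demonstrates against real libraries) with Go's standard-library test, using 2047 = 23 * 89, the smallest strong pseudoprime to base 2. The helper names and the base lists are this example's own choices.

```go
package main

import (
	"fmt"
	"math/big"
)

// fixedBaseMillerRabin runs Miller-Rabin with only the caller-supplied bases.
// A library that always tests the same small bases follows this pattern, and
// Prime & Prejudice (Albrecht et al., 2018) shows that composites can be built
// to pass exactly those bases. This helper was written for this example; it is
// not code from any library discussed in the thread.
func fixedBaseMillerRabin(n *big.Int, bases []int64) bool {
	one := big.NewInt(1)
	two := big.NewInt(2)
	if n.Cmp(two) < 0 {
		return false
	}
	if n.Bit(0) == 0 {
		return n.Cmp(two) == 0 // 2 is the only even prime
	}
	// Write n-1 = d * 2^r with d odd.
	nMinus1 := new(big.Int).Sub(n, one)
	d := new(big.Int).Set(nMinus1)
	r := 0
	for d.Bit(0) == 0 {
		d.Rsh(d, 1)
		r++
	}
	for _, b := range bases {
		a := big.NewInt(b)
		if a.Cmp(two) < 0 || a.Cmp(nMinus1) >= 0 {
			continue // bases outside [2, n-2] give no information
		}
		x := new(big.Int).Exp(a, d, n)
		if x.Cmp(one) == 0 || x.Cmp(nMinus1) == 0 {
			continue // this base says "probably prime"
		}
		witness := true
		for i := 1; i < r; i++ {
			x.Mul(x, x).Mod(x, n)
			if x.Cmp(nMinus1) == 0 {
				witness = false
				break
			}
		}
		if witness {
			return false // a proves n composite
		}
	}
	return true
}

// randomisedProbablyPrime uses the standard library, which combines
// Miller-Rabin with pseudorandomly chosen bases and a Baillie-PSW test, so a
// composite cannot be tailored to a known base list.
func randomisedProbablyPrime(n *big.Int) bool {
	return n.ProbablyPrime(20)
}

func main() {
	// 2047 = 23 * 89 is the smallest strong pseudoprime to base 2: it passes a
	// base-2-only test but is rejected as soon as another base or the
	// standard-library test is used.
	n := big.NewInt(2047)
	fmt.Println("base {2} only:    ", fixedBaseMillerRabin(n, []int64{2}))
	fmt.Println("bases {2,3}:      ", fixedBaseMillerRabin(n, []int64{2, 3}))
	fmt.Println("ProbablyPrime(20):", randomisedProbablyPrime(n))
}
```

The defensive lesson is the second function: a primality check that a key-generation routine relies on should use randomised bases (or a test like Baillie-PSW) rather than a fixed list, and code review should flag any hand-rolled test with hard-coded bases.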
jchw about 3 years ago
I’m a bit miffed after just a couple paragraphs. My reading of the original article was that the issue of people feeling tempted to implement RSA was just exacerbating the problem of how difficult it is to implement RSA securely.

I am not a cryptographer. I’d be rather cautious about implementing my own cryptography at all, less with my own code implementing the primitives. That said, Trail of Bits makes a compelling argument, that, in my reading, RSA is harder to get right in subtle ways, whereas ECC is just hard to grok period. A bad RSA implementation leads to weak cryptography, but a bad ECC implementation often leads to something that doesn’t work at all.

This, alongside other benefits of ECC like smaller key sizes for similar cryptographic security, faster and simpler key generation, more idiot-tolerant properties, etc. makes ECC an obvious choice even disregarding if you can implement RSA. It’s just that people like to choose RSA because they feel like they understand it, but the truth is they only understand the surface-level basics. (To be fair, me too. Though I feel I also can grok some surface-level basics of some ECC-based algorithms, too.)

Feel free to flame me for not reading the article entirely; I definitely earned it. But that opener made me not want to, sorry.
mc4ndr3 about 3 years ago
Simplicity in algorithm affords more capacity for studying implementation. Bugs are easier to find, even through very simple, automated fuzzing procedures, let alone formal verification.

Bugs scale in frequency according to total source line count. Don't expect professionals to write perfect code, especially as complexity grows.

Simplicity of algorithm is critical for peer review of the implementation, as the pool of reviewers is incredibly small. It's one thing to prefer community-vetted implementations, but the implementation cannot be blindly trusted by everyone--that would involve the logical fallacy of an appeal to authority.
klabb3 about 3 years ago
One reason I like ECC (Curve25519 in particular) is speed and size of generated keys and signatures. It is a lot easier to compose crypto with business logic when you can basically assume instantaneous key gen (RSA takes a non-deterministic amount of ~seconds) as well as 32-byte signatures that are practical even for short messages (as opposed to 256-512 bytes).
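klabb3's point about key-generation time and output sizes can be checked against Go's standard library. The block below is an added example, not part of the thread: it generates an Ed25519 key and an RSA-2048 key, signs a constructed message with each, verifies the result, and reports the public-key and signature sizes (Ed25519: 32-byte public key, 64-byte signature; RSA-2048: 256 bytes for both, the modulus size) alongside key-generation time. The struct and function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// sizes records what a signature scheme costs on the wire and at key generation.
type sizes struct {
	PublicKeyBytes int
	SignatureBytes int
	KeyGen         time.Duration
}

// measureEd25519 generates a key, signs msg, verifies the signature and
// reports the byte sizes of the public key and the signature.
func measureEd25519(msg []byte) (sizes, error) {
	start := time.Now()
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return sizes{}, err
	}
	gen := time.Since(start)
	sig := ed25519.Sign(priv, msg)
	if !ed25519.Verify(pub, msg, sig) {
		return sizes{}, fmt.Errorf("ed25519: signature did not verify")
	}
	return sizes{len(pub), len(sig), gen}, nil
}

// measureRSA does the same for RSA-PSS over SHA-256 with a modulus of the
// given bit length. The public-key size reported is the modulus size, which
// is also the signature size.
func measureRSA(bits int, msg []byte) (sizes, error) {
	start := time.Now()
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return sizes{}, err
	}
	gen := time.Since(start)
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return sizes{}, err
	}
	if err := rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil); err != nil {
		return sizes{}, err
	}
	return sizes{priv.PublicKey.Size(), len(sig), gen}, nil
}

func main() {
	msg := []byte("constructed sample message for the size comparison") // constructed input
	ed, err := measureEd25519(msg)
	if err != nil {
		panic(err)
	}
	r, err := measureRSA(2048, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Ed25519:  pub %d B, sig %d B, keygen %v\n", ed.PublicKeyBytes, ed.SignatureBytes, ed.KeyGen)
	fmt.Printf("RSA-2048: pub %d B, sig %d B, keygen %v\n", r.PublicKeyBytes, r.SignatureBytes, r.KeyGen)
}
```

The key-generation timing is the part that varies by machine; the sizes do not, which is why protocol designers can budget for them up front.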
dang about 3 years ago
Recent and related:

Seriously, Stop Using RSA (2019) - https://news.ycombinator.com/item?id=30879442 - April 2022 (101 comments)
upofadown about 3 years ago
I guess this could use a bit of context (author here). This is part of a series of PGP advocacy articles [1]. There was a post of "Seriously, stop using RSA" on here yesterday that prompted me to look at my article again. A better article was possible so I rewrote it and posted it.

So, yes, this is very focused and partisan by design. There is a larger discussion about RSA that I chose to ignore.

[1] https://articles.59.ca/doku.php?id=pgpfan:index
oh_my_goodness about 3 years ago
Either most of this is not really a response to the article, or I'm really misunderstanding something here.

(The article may be good or bad, I don't know.)
oneplane about 3 years ago
Should both articles have been about implementing RSA rather than using it?
eternityforest about 3 years ago
What kind of maniac would implement a crypto algorithm in production themselves, unless their last name is something like Schneier or Bernstein?