5

I have been reading about recommendations on the correct use of crypto as a developer and I read at least two references to the obsolescence (so to say) of ECDSA.

  1. https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded

  2. https://crypto.stackexchange.com/a/58382/63254

Is that it? Is ECDSA really obsolete/deprecated ?

e-sushi
  • 17,891
  • 12
  • 83
  • 229
Tonatihu Sánchez
  • 53
  • 4

1 Answers1

6

Of course not. As long as it is used and - preferably - unbroken, the algorithm is still out there. Actually, it is used a lot in the smart card world and ECDSA certificates are still out there as well. Not all crypto libraries will probably support the newer curves either.

ECDSA is still secure when it is being used correctly. Sure, it is harder to secure but if it is used correctly then nothing short of a quantum computer can break it. It also has quite a few curves defined for it, so there are plenty of (stronger) key sizes allowed.

As far as I know, no standard defining ECDSA or build upon ECDSA has been redacted or withdrawn. You would expect that to happen if it would be considered obsolete / deprecated. If it is the best choice for new protocols is of course up to the designers - I'd probably prefer EdDSA for now.

And if MD5, RC4 and DES / two-key triple DES have taught us anything, it is that algorithms are being used even after they are broken and / or withdrawn. Unfortunately.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • 1
    Specifically, the references linked in the question allude to the the facts that 1) ECDSA is prone to catastrophic failure (leak of private key) when the RNG used by the signer hiccups. 2) More elegant math is possible with EdDSA, leading to faster implementations, especially if we want them to be constant-time for demonstrable security against timing attacks. However reports of ECDSA's unsuitability for practical purposes, and/or lack of security proof, are greatly exaggerated! – fgrieu Nov 07 '18 at 05:51
  • 1
    NSA's 'Suite B' requirement, which was one driver for use of ECDSA and ECDH, was partially withdrawn in 2015 in favor of some unknown post-quantum scheme(s) to be figured out later. Sometime. Probably. – dave_thompson_085 Nov 08 '18 at 04:14
  • 1
    Yeah, I think the word is "eventually". Hey, Duke Nukem forever came out in the end as well. Joking aside: better take some time instead of rushing crypto standards. – Maarten Bodewes Nov 08 '18 at 04:20