
As to why they are trending ...

With recent(ish) leaks about what the NSA is doing in terms of breaking widely-available crypto, the question has arisen about what weaknesses might exist in current classical techniques. RSA and DHMW have been around for a long time, and much is known about specific weaknesses. Some primes need to be avoided; for example, in DHMW one should avoid primes P where (P-1)/2 has lots of small factors.

But all the elliptic curve cryptography is comparatively new, and weaknesses are still being found. It's plausible that there are simple things to avoid when choosing an elliptic curve, and so perhaps we should just use the elliptic curves recommended to us by security experts.

But after Snowden, etc., people are becoming wary of trusting experts, so they want to know more about the implications of their choices, and what options they might have. This is an ongoing issue, and now, as people are starting to understand the mechanics of implementing systems that use elliptic curves instead of just Z_p, articles are being written aimed at non-security-community people.

And so articles appear that are readable and relevant.

Just my $0.02
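The point in the comment above about DH primes P where (P-1)/2 has many small factors, as an added Python example that is not from this thread: it reports whether a modulus is a safe prime, lists the small factors of p-1 (each of which gives a small-order subgroup an implementation has to worry about), checks that the generator lies in the prime-order subgroup, and applies the subgroup-membership check a receiver should run on a peer's public value. The moduli 23, 31 and 2311 are constructed toy values chosen to be hand-checkable, not real-world groups.

```python
# Added example, not code from the thread. Toy moduli are constructed for
# illustration; real DH groups are 2048 bits or more.
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test with trial division first."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness of compositeness found
    return True


def small_factors(n, bound=1000):
    """Trial-divide n by integers up to bound; return the small prime factors found."""
    factors = []
    d = 2
    while d <= bound and d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if 1 < n <= bound:
        factors.append(n)  # leftover cofactor is itself a small prime
    return factors


def assess_group(p, g):
    """Describe how a DH group (p, g) fares against small-subgroup problems."""
    q = (p - 1) // 2
    p_prime = is_probable_prime(p)
    return {
        "p_is_prime": p_prime,
        # Safe prime: (p-1)/2 is prime, so the only subgroup orders are 1, 2, q, 2q.
        "safe_prime": p_prime and is_probable_prime(q),
        # Every small factor of p-1 corresponds to a small-order subgroup.
        "small_factors_of_p_minus_1": small_factors(p - 1),
        # g generates the order-q subgroup iff g^q == 1 and g != 1.
        "generator_in_prime_order_subgroup": g != 1 and pow(g, q, p) == 1,
    }


def validate_peer_public(y, p):
    """Accept a peer's public value only if it lies in the order-q subgroup of a safe-prime group."""
    q = (p - 1) // 2
    if not 2 <= y <= p - 2:  # rejects 0, 1 and p-1, which have order 1 or 2
        return False
    return pow(y, q, p) == 1


if __name__ == "__main__":
    # p = 23 is a safe prime (q = 11); p = 31 is not (30/2 = 15);
    # p = 2311 is prime but p-1 = 2*3*5*7*11 is smooth.
    for p, g in [(23, 2), (31, 3), (2311, 2)]:
        print(p, g, assess_group(p, g))
    print("peer value 5 mod 23 accepted?", validate_peer_public(5, 23))
```

The `validate_peer_public` check is what stops a peer from handing you a value of small order and learning your secret modulo that order from the shared key; for a safe prime it costs one exponentiation, and the `assess_group` output tells you in advance how many such subgroups a given modulus would otherwise expose.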



I'm going to push back a little on "new" and "weaknesses still being found". The underlying theory of curves and their hardness has been pretty stable for a while --- since well before 2000, I think. More progress has been made against conventional multiplicative group Diffie-Hellman than against curves.

The complicating factor isn't the curve problems themselves, but rather implementation details, some of them particular to specific curves.


That's a reasonable point and I agree with you, but I think you've read into my comment something that's not there. I said:

>> But all the elliptic curve cryptography is comparatively new, and weaknesses are still being found.

It's the elliptic curve cryptography that's comparatively new, and the weaknesses are being found in the full crypto package. That includes, and in many cases is primarily in, the implementation.

So actually I think you're not pushing back, I think you're clarifying exactly what I said.

Of course, I may yet have misunderstood you, so feel free to add more. You certainly know more about this than I do, and I'm happy to learn (or have it clarified further).


Sure! I think we agree.

The whole field of misuse-resistant cryptography is very new, relative to the field as a whole. We didn't even have a usage model of cryptography that was sound until the late 1990s, when the connection was made between authentication and indistinguishability. It's only in the last few years that we've begun to prioritize constructions that make implementation bugs harder to blunder into.

Which is a long way of saying, that's true, but also still an issue relevant to RSA and DH and DSA.

I think the primary reason we read a lot about elliptic curves today is that the field has, at least to the extent that it's not directly promoting post-quantum algorithms, pretty much coalesced around curves as the best modern way to implement asymmetric cryptography.


> More progress has been made against conventional multiplicative group Diffie-Hellman than against curves.

How is "none" more than "none"?


It isn't, but that's got nothing to do with my argument.




