"Meanwhile, RSA and simple prime-field DL crypto are the subject of serious progress, while whole avenues of attacks seem to be precluded for the ECDL problem."
When last I checked, the 20-year-old GNFS algorithm was the most efficient way to attack RSA. Yes, this is faster than the best known attacks on ECDLP, but ECDLP attacks are still subexponential. Nothing has changed in the past ten years about the complexity class of ECDLP (it is still both in NP and in coNP).
Really, the future of cryptography is not elliptic curves, it is systems based on lattices, hidden linear codes, and hard learning problems (these are all related). You can do some interesting things with ECC, but there are far more interesting lattice cryptosystems being developed by researchers.
"ECC is increasingly common in commercial systems. Who's asserting patents against those systems?"
Really though, Dan Bernstein is not a lawyer, and I would not trust his analysis if I had a business to run. Even if he is right, that does not change the fact that ECC deployment is lagging because of fears about patent suits. The NSA's response to concerns about patents was to get a special license, specifically for government uses of ECC; they did nothing at all to encourage ECC deployment elsewhere, and they did not demonstrate that such deployment was a priority.
I've never seen anyone use McEliece, NTRU, &c commercially. Unlike ECC, these schemes aren't on the horizon for TLS.
ECC goes back to Lenstra and Koblitz in the mid-80's. I'm not wading into the validity of the patents the way DJB does, just saying, we're coming to the end of their lifespan.
"ECC is increasingly common in commercial systems. Who's asserting patents against those systems?"
Certicom filed this famous lawsuit:
http://www.certicom.com/index.php/2007-press-releases/20-cer...