From matthewdgreen@gmail.com Fri Jul 6 02:33:41 2018
From: Matthew Green
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: [cryptography] cryptanalysis of 923-bit ECC?
Date: Fri, 06 Jul 2018 02:33:41 +0000
Message-ID: <172289101055.3849117.18255923424149927063.generated@mail.pglaf.org>

I'm definitely /not/ an ECC expert, but this is a pairing-friendly curve, which means it's vulnerable to a type of attack where EC group elements can be mapped into a field (using a bilinear map), then attacked using an efficient field-based solver. (Coppersmith's).

NIST curves don't have this property. In fact, they're specifically chosen so that there's no efficiently-computable pairing.

Moreover, it seems that this particular pairing-friendly curve is particularly tractable. The attack they used has an estimated running time of 2^53 steps. While the 'steps' here aren't directly analogous to the operations you'd use to brute-force a symmetric cryptosystem, it gives a rough estimate of the symmetric-equivalent key size.

(Apologies to any real ECC experts whose work I've mangled here :)

Matt

On Jun 20, 2012, at 10:59 AM, Charles Morris wrote:

> "NIST guidelines state that ECC keys should be twice the length of
> equivalent strength symmetric key algorithms."
> So according to NIST solving a 923b ECC is like brute-forcing a 461b
> bit symmetric key (I assume in a perfect cipher?).
>
> Of course there are weak keys in almost any system e.g. badly
> implemented RSA picking p=q
>
> I wonder if a weak-key scenario has occurred, or if this is a genuine
> generalized mathematical advance?
> Comments from ECC experts?
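The property discussed in the message above can be checked numerically. The following is an added example, not part of the original message or thread: it computes the embedding degree k (the smallest k such that the subgroup order r divides q^k - 1), which determines how large the field is that a pairing maps curve points into. Assumptions: the P-256 constants are the published NIST parameters, the toy curve y^2 = x^3 + x over F_59 is constructed for illustration, and the search bound of 100 is a choice made here.

```python
# Added example: embedding-degree check for a curve subgroup of prime order r
# over F_q. A small k means the curve DLP transfers, via a pairing, to a DLP
# in the field F_{q^k}, where field-based solvers apply.

# Published NIST P-256 field prime and group order.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def embedding_degree(q, r, max_k=100):
    """Return the smallest k <= max_k with q^k == 1 (mod r), else None."""
    acc = 1
    for k in range(1, max_k + 1):
        acc = acc * q % r
        if acc == 1:
            return k
    return None


def count_points(p, a, b):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b (toy sizes only)."""
    roots = {}  # value -> number of y in F_p with y^2 == value
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    affine = sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))
    return affine + 1  # +1 for the point at infinity


def toy_supersingular():
    """Constructed toy case: y^2 = x^3 + x over F_59 (59 % 4 == 3)."""
    p = 59
    order = count_points(p, 1, 0)   # supersingular, so order == p + 1
    r = 5                           # prime factor of the group order
    return p, order, r, embedding_degree(p, r)


if __name__ == "__main__":
    p, order, r, k = toy_supersingular()
    print(f"toy curve: p={p}, #E={order}, r={r}, embedding degree={k}")
    k256 = embedding_degree(P256_P, P256_N)
    print("P-256 embedding degree <= 100:", k256)
```

A result of `None` for P-256 means no pairing into a field of degree 100 or less exists, so the transfer to a field discrete-log problem gives no advantage; the toy curve's degree of 2 shows the opposite case.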