-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Jun 20, 2012, at 8:35 AM, Matthew Green wrote:
> I'm definitely /not/ an ECC expert, but this is a pairing-friendly curve,
> which means it's vulnerable to a type of attack where EC group elements can
> be mapped into a field (using a bilinear map), then attacked using an
> efficient field-based solver. (Coppersmith's).
>
> NIST curves don't have this property. In fact, they're specifically chosen so
> that there's no efficiently-computable pairing.
>
> Moreover, it seems that this particular pairing-friendly curve is
> particularly tractable. The attack they used has an estimated running time of
> 2^53 steps. While the 'steps' here aren't directly analogous to the
> operations you'd use to brute-force a symmetric cryptosystem, it gives a
> rough estimate of the symmetric-equivalent key size.
>
> (Apologies to any real ECC experts whose work I've mangled hereā¦ :)
Thanks, anyway, as things seem to be detail-lite where I'm getting them.
Do we have anyone who can speak authoritatively on this? I am also not at all
an expert on pairing-friendly curves.
Is this merely a case where 973 bits is equivalent to ~60 bits symmetric? If
so, what's equivalent to AES-128 and 256? Is there something inherently weak in
pairing-friendly curves, like there are in p^n curves?
I have no idea what this result *means* and would love to know.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: windows-1252
wj8DBQFP4jy5sTedWZOD3gYRAoL9AJ9iVVSj1RY3SCLQCo8WJutsRq4IEwCfYUdZ
xzcsltQaPQZELJ0joMs7UjU=
=l3BW
-----END PGP SIGNATURE-----
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
