# [cryptography] cryptanalysis of 923-bit ECC?

Charles Morris cmorris at cs.odu.edu
Wed Jun 20 10:59:58 EDT 2012

On Wed, Jun 20, 2012 at 10:07 AM, James Muir <muir.james.a at gmail.com> wrote:
> On 12-06-19 08:51 PM, Jonathan Katz wrote:
>> seen, it's not even clear to me what, exactly, was broken.
>>
>>
>
> There is more detail here:
>
>  http://www.nict.go.jp/en/press/2012/06/18en-1.html
>
> See the subsection "Target problem and the solution" about halfway down.
>
> The field was GF(3^97) and the curve was y^2=x^3-x+1.  The discrete log
> problem was created using the eta pairing and the constants \pi and e.
>

"NIST guidelines state that ECC keys should be twice the length of
equivalent strength symmetric key algorithms."
So according to NIST solving a 923b ECC is like brute-forcing a 461b
bit symmetric key (I assume in a perfect cipher?).

Of course there are weak keys in almost any system e.g. badly
implemented RSA picking p=q

I wonder if a weak-key scenario has occurred, or if this is a genuine