[cryptography] cryptanalysis of 923-bit ECC?

Charles Morris cmorris at cs.odu.edu
Wed Jun 20 10:59:58 EDT 2012

On Wed, Jun 20, 2012 at 10:07 AM, James Muir <muir.james.a at gmail.com> wrote:
> On 12-06-19 08:51 PM, Jonathan Katz wrote:
>> Anyone know any technical details about this? From the news reports I've
>> seen, it's not even clear to me what, exactly, was broken.
>> http://www.pcworld.com/businesscenter/article/257902/researchers_set_new_cryptanalysis_world_record_for_pairingbased_cryptography.html
> There is more detail here:
>  http://www.nict.go.jp/en/press/2012/06/18en-1.html
> See the subsection "Target problem and the solution" about halfway down.
> The field was GF(3^97) and the curve was y^2=x^3-x+1.  The discrete log
> problem was created using the eta pairing and the constants \pi and e.

"NIST guidelines state that ECC keys should be twice the length of
equivalent strength symmetric key algorithms."
So according to NIST solving a 923b ECC is like brute-forcing a 461b
bit symmetric key (I assume in a perfect cipher?).

Of course there are weak keys in almost any system e.g. badly
implemented RSA picking p=q

I wonder if a weak-key scenario has occurred, or if this is a genuine
generalized mathematical advance?
Comments from ECC experts?

More information about the cryptography mailing list