[cryptography] cryptanalysis of 923-bit ECC?

Jon Callas jon at callas.org
Wed Jun 20 17:12:25 EDT 2012

Hash: SHA1

On Jun 20, 2012, at 8:35 AM, Matthew Green wrote:

> I'm definitely /not/ an ECC expert, but this is a pairing-friendly curve, which means it's vulnerable to a type of attack where EC group elements can be mapped into a field (using a bilinear map), then attacked using an efficient field-based solver. (Coppersmith's).
> NIST curves don't have this property. In fact, they're specifically chosen so that there's no efficiently-computable pairing.
> Moreover, it seems that this particular pairing-friendly curve is particularly tractable. The attack they used has an estimated running time of 2^53 steps. While the 'steps' here aren't directly analogous to the operations you'd use to brute-force a symmetric cryptosystem, it gives a rough estimate of the symmetric-equivalent key size.
> (Apologies to any real ECC experts whose work I've mangled here… :)

Thanks, anyway, as things seem to be detail-lite where I'm getting them.

Do we have anyone who can speak authoritatively on this? I am also not at all an expert on pairing-friendly curves.

Is this merely a case where 973 bits is equivalent to ~60 bits symmetric? If so, what's equivalent to AES-128 and 256? Is there something inherently weak in pairing-friendly curves, like there are in p^n curves?

I have no idea what this result *means* and would love to know. 


Version: PGP Universal 3.2.0 (Build 1672)
Charset: windows-1252


More information about the cryptography mailing list