[cryptography] cryptanalysis of 923-bit ECC?
bbrumley at gmail.com
Fri Jun 22 14:12:23 EDT 2012
I don't understand the last few posts here. In the paper linked to by
Table 3, towards the top. (I read that as 2^53 steps.)
So to me, the recent result is "we verified computationally that our
analysis is correct".
Maybe my brain is too simple.
On Fri, Jun 22, 2012 at 10:54 AM, Jon Callas <jon at callas.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Jun 22, 2012, at 2:01 AM, James A. Donald wrote:
>> On 2012-06-22 6:21 PM, James A. Donald wrote:
>>>> Is this merely a case where 973 bits is equivalent to ~60 bits symmetric?
>> As I, not an authority, understand this result, this result is not "oops, pairing based cryptography is broken"
>> It is "oops, pairing based cryptography requires elliptic curves over a slightly larger field than elliptic curve based cryptography does"
> Indeed. So kudos to the Fujitsu guys, and we make the curves bigger. Even 77 bits is really too small for serious work.
> Does anyone know what the ratio is for equivalences, either before or after?
> The usual rule of thumb is 2x bits for symmetric security equivalence on hashes and normal ECC, with integer public keys being 1024 maps to 80 symmetric, 2048 to 112, and 3K to 128.
> What creates the 953 -> 153 relation? Then of course there's the obvious 153 halved, but do we know at all how we'd compensate for the new result?
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.2.0 (Build 1672)
> Charset: us-ascii
> -----END PGP SIGNATURE-----
> cryptography mailing list
> cryptography at randombit.net
More information about the cryptography