[cryptography] cryptanalysis of 923-bit ECC?

Jon Callas jon at callas.org
Fri Jun 22 17:07:07 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jun 22, 2012, at 11:20 AM, Samuel Neves wrote:

> 
> Not exactly. If the target is ~80-bit security, ~160-bit elliptic curves are still fine, even for pairing-based crypto. The failure there was the choice of the particular *field* and *curve parameters*. Namely, choosing both the characteristic (3) and the embedding degree (6) to be small left it open to faster attacks.

Yeah, but we're all supposed to retire 80-bit crypto.

I'm well aware of my own lackadaisicalness in this regard (to wit, the 1024-bit DSA key that this message is signed with). That doesn't make the point invalid, it only means that I am a sinner, too.

I'm interested in knowing what the equivalent values for uprating are, and the rationales for them.

If ~1000 bit pairing is equivalent to 80 bits, what's equivalent to 128?

	Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: iso-8859-1

wj8DBQFP5N6CsTedWZOD3gYRAlBZAKDf1Yl6Z9sw7HY2kZYSJos8QAaa8ACfYFEO
6UmICgYZia5H9rw2b9IVTM8=
=SUPa
-----END PGP SIGNATURE-----


