New embedded S
Known Attacks against Elliptic Curve Cryptosystems
Download 1.14 Mb.
|
- Navigate this page:
- Baby-Step Giant-Step Algorithm
- Parallelized Pollards Rho Algorithm
- Pohlig-Hellman Algorithm
- Supersingular Elliptic Curves
- Prime-Field Anomalous Curves
- Curves Defined Over a Small Field
- Curves Defined Over
6.5.5Known Attacks against Elliptic Curve CryptosystemsHere we present some known attacks against elliptic curve cryptosystems. The scope is limited to algorithms solving the elliptic curve discrete logarithm problem (ECDLP), i. e. to determine  given a point  and a point  , and it does not consider attacks against particular elements of digital signature algorithms based on elliptic curves.
Hence, the best known attack against a single instance of the ECDLP is Pollard's rho algorithm and has an expected running time of However, there are certain elliptic curves with special vulnerabilities that can be exploited by the following algorithms. These algorithms may have shorter running times as those mentioned before; therefore elliptic curves with these vulnerabilities should be avoided.
Let us take a look how secure elliptic curve cryptography is in practice. Certicom challenge is one source that gives a notion about the security of ECC. The challenge is to compute the ECC private keys from a given list of ECC public keys and associated system parameters. The challenge consists of two levels:
Concrete recommendations based on the expected cost of the Certicom challenge have been presented. They predict which elliptic curve key sizes can be considered as secure until which year using a model that incorporates technological and cryptanalytical advances. Table presents their recommendations for future years. Table - Minimum key size for elliptic curve cryptosystems providing a sufficient level of security
Directory: images images -> Pelan pentaksiran kursus images -> Military callsign list as of dec 2010 images -> For Date: 02/01/2013 Friday Call Number Time Call Reason Action 13-768 0008 motor vehicle stop warning Issued images -> Creating Buy-In – Building Relationships images -> Deadline: Saturday, March 12th, 2016 images -> News items from Raising Our Voices images -> Last year four of the best Afrikaans Christian singers joined forces to tour Down Under with the production ‘Manne wat Glo’ images -> World-renowned vocal ensemble sweet honey in the rock images -> Peoples Voice Café History images -> Simon Mckeown Artist C. V. DaDaFest International Artist of the Year 2010 Download 1.14 Mb. Share with your friends:
|
until the result is equal to 
. 
steps, where 
points, and its running time is roughly 
steps and it requires only a negligible amount of storage.
processors, the expected running time is roughly 
, where 
, the parallelized version of Pollard's lambda method is faster than the parallelized Pollard's rho algorithm.
and the same base point 
as much work as it does to solve one instance.
, which is fully exponential.
can be reduced to the ordinary discrete logarithm problem (DLP) in the multiplicative group of some extension field 
for 
. The DLP is the underlying computationally hard mathematical problem for the DSA and one can solve it using the number field sieve algorithm, which has a subexponential running time. To ensure that the reduction algorithm does not apply to a particular curve, one only needs to check that 
for all small 
for which the DLP in 
when 
.
is equal to 
, the ECDLP can be solved efficiently. This attack can be avoided by verifying that the number of points on an elliptic curve is not equal to the cardinality of the underlying field.
, Pollard's rho algorithm for computing 
can be further sped up by a factor of 
. For example, if 
) can be sped up by a factor of 
.
, 
Composite: The Weil descent might be used to solve the ECDLP for elliptic curves defined over 
, the ECDLP can be solved faster than with Pollard's rho algorithm. Thus, elliptic curves over composite fields should not be used.