Jump to content

Talk:Elliptic-curve cryptography

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Gene.arboit (talk | contribs) at 01:36, 5 October 2005 (Victor Miller). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

WikiProject iconCryptography: Computer science Unassessed
WikiProject iconThis article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
???This article has not yet received a rating on Wikipedia's content assessment scale.
???This article has not yet received a rating on the importance scale.
Taskforce icon
This article is supported by WikiProject Computer science.

Template:CryptographyReader

Mathematical description needed

Somebody should describe what ECC mathematically is in details. Better link to GPL'd ECC code should be added. Currently it points to quite big package. Taw


From an earlier revision of the article:

For comparison, in 2001 some experts are suggesting these sizes for various public key systems for a security level appropriate to major business transactions that require secrecy:

RSA (based on difficulty of factorisation) 1024 bits.

DSA (based on difficulty of discrete log for integers modulo a prime) 1024 bits.

ECC (based on difficulty of discrete log for discrete ECC system) 200 bits.

I have removed this until it can be backed up firmly by a cite - instead, I have added external links to research papers in this field. -- The Anome


I refer you to What Wikipedia is not, item 9, and Most common Wikipedia faux pas "Deleting useful content". You have deleted some useful inline information and replaced it with external links. Bad idea. If you actually know anything about this subject and don't like my numbers, then change them, they are fairly fuzzy and there is no recognized reliable method for generating them. But don't delete them. You didn't even give a reason for deleting them. It is NOT necessary to give a cite for every single factlet on the whole of Wikipedia, and lack of a cite is NOT a good reason to delete content. I'll be back in a few days to revert the edit and maybe add some more discussion. -- Geronimo Jones

See www.nist.gov/encryption for a list of recommended elliptic curves. ANSI X9 requires a minimum of 80 bits of *symmetric key equivalent* security. THis means use of SHA-1 with 160 bit output, use of RSA/DSA with 1024 bit keys and use of ECC with 160 bit keys. Don Johnson


Question:

NIST and ANSI X9 have set minimum keysize requirements of 1024 bits for RSA and DSA and 160 bits for ECC. NIST has published a list of recommended elliptic curves for protection of 5 different symmetric keysizes (80, 112, 128, 192, 256). Near the beginning of 2003, an elliptic curve cyphertext was broken by brute force at a key length of 109 bits. It would appear, if the break is generally applicable to elliptic curve algorithms, that the NIST lower key lengths are somewhat optimistic, if not foolhardy.

The symmetric keysizes from NIST are not the keysizes for ECC, are they? (As ECC is not symmetric.) Apparently, ECC is used to encrypt a symmetric key of these lengths, correct? Now, the thing that was broken in 2003, was that an ECC of key length 109? If so, then the 109 has nothing to do with the 5 symmetric key lengths from NIST. AxelBoldt 01:09 Feb 16, 2003 (UTC)

You are correct Axel. The key lengths noted above appear to be example symmetric key lengths for SKIPJACK and AES block ciphers; the NIST then compared these to equivalent public/private key lengths for ECC and RSA as shown at [1]; the 80 bit key length corresponds to a comparable security provided by an asymmetric 163 bit ECC key over a binary field, or 192 bits over a prime field. A pdf document from NIST regarding this is available at [2].
Thus, the breakage of a 109 bit ECC key, which would correspond to a symmetric keylength of around 55 bits, doesn't seem to be particularly damaging to these recommendations. The 109-bit ECC key was broken using over 10,000 PCs running 24-7 for 549 days (see certicom's press release [3]); an amount of time and computer power which was roughly predicted by Certicom when they issued the challenge. Certicom estimates that the 163 bit ECC would require 10^8 times the calculations as the 109 bit version to crack; I think the paragraph in the article should be amended. Chas zzz brown 02:02 Feb 17, 2003 (UTC)

I made the above noted changes to the article; also I pulled out these references to symmetric key length calculations:

since ECC is an asymmetric algorithm; maybe they should be incorporated into the block cipher pages (amongst others). Chas zzz brown 23:29 Feb 17, 2003 (UTC)


The following sentences need revision, they are goofy:

Note that given integers j and k, j*(k*P) = (j*k)*P = k*(j*P). The elliptic curve discrete logarithm problem (ECDLP) is then to determine the integer k, given points P and Q, and given that k*P = Q.

Copyvio explanation of MQV

I've moved this here: (it was nabbed from Slashdot).

Menezes-Qu-Vanstone key agreement is essentially a varation/extension of Diffie-Hellman using a combination of a "static" and "ephemeral" public keys to compute the shared secret. The extra wrinkles in the procedure eliminate the possibility of a couple of subtle man in the middle attacks that can be made against EC Diffie-Hellman for certain parameters.

— Matt Crypto 14:36, 9 Mar 2005 (UTC)

I've now created a stub article for MQV / ECMQV. — Matt Crypto 15:18, 9 Mar 2005 (UTC)

Victor Miller

Hi. The link Victor Miller in the first paragraph points to somebody else. From Google, there seems to have been a number of people with this name. From [4] and [5], I believe that we are talking about Victor S. Miller who works at CCR and signs emails as follows:

Victor S. Miller     | " ... Meanwhile, those of us who can compute can hardly
victor@ccr-p.ida.org | be expected to keep writing papers saying 'I can do the 
CCR, Princeton, NJ   | following useless calculation in 2 seconds', and indeed
    08540 USA        | what editor would publish them?"  -- Oliver Atkin

... should Victor S. Miller or Victor Miller (mathematician) be created ? Thanks. Gene.arboit 01:36, 5 October 2005 (UTC)[reply]