Cryptography Reference
In-Depth Information
The most interesting comparison is perhaps between a given ECDLP size, such
as the 256-bits considered in the table, and the size of the corresponding asymmetric
keys which, as we can see, is estimated to be much larger as was to be expected
from our previous discussion. We also see that, although there is a wide variation in
the year estimates, 256-bit elliptic curve cryptography is thought to offer adequate
security for the near future:
Table 11.1
Method
Elliptic curve
Asymmetric
Symmetric
Hash
Year
A. Lenstra
256
4440
128
256
2090
ECRYPT II
256
3248
128
256
2031-2040
NIST
256
3072
128
256
>
2030
SECG
256
3072
128
-
2040
FNISA
256
4096
128
256
>
2020
RFC3766
257
3707
136
-
-
In order to monitor the algorithmic advances against the ECDLP there is an
ongoing challenge sponsored by Certicom, a company that produces ECC software.
The Certicom ECC Challenge offers prizes ranging from $20
000 for
the solution of several ECDL problems over fields of size varying from 131 bits 7 to
359 bits; see [47] for details.
,
000 to $100
,
11.4 Elliptic Curve Schemes
Standard elliptic curve cryptography—as opposed to IB cryptography—is defined
over elliptic curve groups in a way similar to the standard DL-based public-key
cryptography. In some specific cases there may be the added technical difficulty of
having to represent a message as a point on an elliptic curve but this is generally
not the case, as the points are often used only to 'mask' other values. For example,
it is quite frequent that the elliptic curve group is used in a hybrid scheme where
a symmetric encryption scheme is the one that actually encrypts the messages. For
a simple method, due to Koblitz, of representing messages as points on an elliptic
curve by embedding them into the x -coordinate, we refer to [197, p. 174].
11.4.1 ECC Schemes and Their Domain Parameters
One of the EC encryption schemes that requires the representation of messages as
elliptic curve points is the plain version of Elgamal which was described on a generic
cyclic group G
=
g
in Sect. 8.5 . The EC version of Elgamal is the particular case
7 As of this writing, there is an ongoing effort, expected to be completed soon, to solve one of these
131-bit challenges using the rho method and massive parallelism, see [23] for the details.
 
 
Search WWH ::




Custom Search