1995-11-26 - Re: Elliptic curves, current status?

Header Data

From: norm@netcom.com (Norman Hardy)
To: “James A. Donald” <jamesd@echeque.com>
Message Hash: 8f1aa3d73b2302e61c3861289290f99709ee2034596349a566fc65862ee9d6d6
Message ID: <acde968205021004b44c@DialupEudora>
Reply To: N/A
UTC Datetime: 1995-11-26 23:24:46 UTC
Raw Date: Mon, 27 Nov 1995 07:24:46 +0800

Raw message

From: norm@netcom.com (Norman Hardy)
Date: Mon, 27 Nov 1995 07:24:46 +0800
To: "James A. Donald" <jamesd@echeque.com>
Subject: Re: Elliptic curves, current status?
Message-ID: <acde968205021004b44c@DialupEudora>
MIME-Version: 1.0
Content-Type: text/plain


At 12:07 PM 11/25/95, James A. Donald wrote:

....
>Can someone tell me the true story?

Not with any assurance. I don't trust my own knowledge yet.
I think that the opinion is that the discrete log problem is harder
with elliptic curves than for prime modulus arithmetic for numbers
of a given size. That is why you can use fewer bits.
The inner loop in some elliptic curve systems is not multiply-add
(as is the case with number fields)
but other operations that are as efficient with gates but less
efficient with normal machine instructions.

There are probably an order of magnitude more people that
have studied and published about the problems of breaking
prime modulus crypto than elliptic curves. Perhaps progress
will be faster should elliptic curves be studied by more people.
There are a lot of tricks to speed up discrete logs in for prime
modulus schemes that don't seem to work for elliptic curves.

There are many parameters to an elliptic curve crypto system.
I haven't seen any taxonomy of which kinds are good and which
have been shown to be week. In contrast there seems to be a
consensus about how to pick primes for RSA or Diffie-Hellman.

I am certainly no expert. Perhaps this will prompt comments
from someone who can point to real information.







Thread