Talk:Elliptic curve cryptography
|
Missing image Key-crypto-sideways.png WikiProject on Cryptography | This article is part of WikiProject Cryptography, an attempt to build a comprehensive and detailed guide to cryptography in the Wikipedia. If you would like to participate, you can choose to edit the article attached to this page, or visit the project page, where you can join the project and see a list of open tasks. |
Pending tasks for [[Template:Articlespace:Elliptic curve cryptography]]: (https://academickids.com:443/encyclopedia/index.php?title=Talk:Elliptic_curve_cryptography&action=purge) | edit (https://academickids.com:443/encyclopedia/index.php?title=Talk:Elliptic_curve_cryptography/to_do&action=edit) - watch (https://academickids.com:443/encyclopedia/index.php?title=Talk:Elliptic_curve_cryptography/to_do&action=watch) - purge (https://academickids.com:443/encyclopedia/index.php?title=Talk:Elliptic_curve_cryptography&action=purge) | |
---|---|---|
Mathematical description needed
Somebody should describe what ECC mathematically is in details. Better link to GPL'd ECC code should be added. Currently it points to quite big package. Taw
From an earlier revision of the article:
For comparison, in 2001 some experts are suggesting these sizes for various public key systems for a security level appropriate to major business transactions that require secrecy:
RSA (based on difficulty of factorisation) 1024 bits.
DSA (based on difficulty of discrete log for integers modulo a prime) 1024 bits.
ECC (based on difficulty of discrete log for discrete ECC system) 200 bits.
I have removed this until it can be backed up firmly by a cite - instead, I have added external links to research papers in this field. -- The Anome
I refer you to What Wikipedia is not, item 9, and Most common Wikipedia faux pas "Deleting useful content". You have deleted some useful inline information and replaced it with external links. Bad idea. If you actually know anything about this subject and don't like my numbers, then change them, they are fairly fuzzy and there is no recognized reliable method for generating them. But don't delete them. You didn't even give a reason for deleting them. It is NOT necessary to give a cite for every single factlet on the whole of Wikipedia, and lack of a cite is NOT a good reason to delete content. I'll be back in a few days to revert the edit and maybe add some more discussion. -- Geronimo Jones
See www.nist.gov/encryption for a list of recommended elliptic curves. ANSI X9 requires a minimum of 80 bits of *symmetric key equivalent* security. THis means use of SHA-1 with 160 bit output, use of RSA/DSA with 1024 bit keys and use of ECC with 160 bit keys. Don Johnson
Question:
- NIST and ANSI X9 have set minimum keysize requirements of 1024 bits for RSA and DSA and 160 bits for ECC. NIST has published a list of recommended elliptic curves for protection of 5 different symmetric keysizes (80, 112, 128, 192, 256). Near the beginning of 2003, an elliptic curve cyphertext was broken by brute force at a key length of 109 bits. It would appear, if the break is generally applicable to elliptic curve algorithms, that the NIST lower key lengths are somewhat optimistic, if not foolhardy.
The symmetric keysizes from NIST are not the keysizes for ECC, are they? (As ECC is not symmetric.) Apparently, ECC is used to encrypt a symmetric key of these lengths, correct? Now, the thing that was broken in 2003, was that an ECC of key length 109? If so, then the 109 has nothing to do with the 5 symmetric key lengths from NIST. AxelBoldt 01:09 Feb 16, 2003 (UTC)
- You are correct Axel. The key lengths noted above appear to be example symmetric key lengths for SKIPJACK and AES block ciphers; the NIST then compared these to equivalent public/private key lengths for ECC and RSA as shown at [1] (http://www.certicom.com/resources/news/news_100200.html); the 80 bit key length corresponds to a comparable security provided by an asymmetric 163 bit ECC key over a binary field, or 192 bits over a prime field. A pdf document from NIST regarding this is available at [2] (http://csrc.nist.gov/CryptoToolkit/dss/ecdsa/NISTReCur.pdf).
- Thus, the breakage of a 109 bit ECC key, which would correspond to a symmetric keylength of around 55 bits, doesn't seem to be particularly damaging to these recommendations. The 109-bit ECC key was broken using over 10,000 PCs running 24-7 for 549 days (see certicom's press release [3] (http://www.certicom.com/about/pr/02/021106_ecc_winner.html)); an amount of time and computer power which was roughly predicted by Certicom when they issued the challenge. Certicom estimates that the 163 bit ECC would require 10^8 times the calculations as the 109 bit version to crack; I think the paragraph in the article should be amended. Chas zzz brown 02:02 Feb 17, 2003 (UTC)
I made the above noted changes to the article; also I pulled out these references to symmetric key length calculations:
- Selecting Cryptographic Key Sizes (http://citeseer.nj.nec.com/lenstra99selecting.html) Arjen K. Lenstra, Eric R. Verheul, 1999
- Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security (http://www.counterpane.com/keylength.html) M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Weiner, 1996
since ECC is an asymmetric algorithm; maybe they should be incorporated into the block cipher pages (amongst others). Chas zzz brown 23:29 Feb 17, 2003 (UTC)
The following sentences need revision, they are goofy:
Note that given integers j and k, j*(k*P) = (j*k)*P = k*(j*P). The elliptic curve discrete logarithm problem (ECDLP) is then to determine the integer k, given points P and Q, and given that k*P = Q.
Copyvio explanation of MQV
I've moved this here: (it was nabbed from Slashdot).
- Menezes-Qu-Vanstone key agreement is essentially a varation/extension of Diffie-Hellman using a combination of a "static" and "ephemeral" public keys to compute the shared secret. The extra wrinkles in the procedure eliminate the possibility of a couple of subtle man in the middle attacks that can be made against EC Diffie-Hellman for certain parameters.
— Matt Crypto 14:36, 9 Mar 2005 (UTC)
- I've now created a stub article for MQV / ECMQV. — Matt Crypto 15:18, 9 Mar 2005 (UTC)