[1962] in cryptography@c2.net mail archive
Re: RSA Homepage on Eliptical Curves
daemon@ATHENA.MIT.EDU (Mike Rosing)
Sat Dec 13 19:11:11 1997
Date: Fri, 12 Dec 1997 21:25:40 -0600 (CST)
From: Mike Rosing <cryptech@Mcs.Net>
To: Alan Olsen <alan@clueserver.org>
cc: cryptography@c2.net
In-Reply-To: <199712120650.WAA06814@www.ctrl-alt-del.com>
On Thu, 11 Dec 1997, Alan Olsen wrote:
> The RSA homepage has an article on a weakness involving eliptical curves.
>
> Does anyone have any data on this? Is the break as bad as they make it?
>
> Unfortunatly, their web page does not have a whole lot of details beyond
> marketing-speak.
>
> Details would be helpful. (Or at lest interesting...)
It only applies to curves over GF(p) for p a prime and curves which have
coefficients with "Trace = 1". I'm not exactly sure what the latter
means, but it is easy enough to avoid by picking the correct coefficients
in equations of the curve.
It has absolutely nothing to do with GF(2^n) curves. At the elliptic
curve discreet log conference the guy from Japan who published the Trace=1
break (12 hours after the guys at HP :-) said it would only work over
GF(p). The math was way over my head, he used two different mappings to
make finding logs easy and said the mapings worked because of special
properties of the type of curve.
As far as anybody knows, Koblitz curves are still fully exponential to
solve. And those only work over GF(2^n).
The reason RSA won't tellyou much is because they could lose a lot of
money if people realize that elliptic curves are better, faster and
cheaper than what they offer :-)
Patience, persistence, truth,
Dr. mike
