[824] in cryptography@c2.net mail archive
Re: elliptic curve
daemon@ATHENA.MIT.EDU (Ulf Möller)
Wed May 14 21:59:04 1997
Date: Thu, 15 May 97 01:17 GMT+0200
From: 3umoelle@informatik.uni-hamburg.de (Ulf Möller)
To: smcdonal@iol.ie
In-Reply-To: <3.0.1.32.19970514070356.007cfe50@gpo.iol.ie>
Cc: cryptography@c2.net
>If anyone has any strong opinions on this, they'd be welcome. RSA devotes
>so much time on its website to pouring cold water on elliptic curve, but
>Certicom seems to feel it's onto a good thing. Now I hear that a guy from
>Mastercard wants to put elliptic curve into some SET 1.0 pilots this year
>in the U.S.
RSADSI correctly states that it is an open research problem whether
the discrete logarithm problem on a non-supersingular elliptic curve
can be reduced to the discrete logarithm problem in a finite field,
which would mean that elliptic curve cryptosystems would require key
sizes comparable to those of e.g. RSA.
However, other open problems are whether there are efficient factoring
algorithms, and whether or not breaking RSA is equivalent to
factoring. So, the security of both RSA and elliptic curve
cryptography relies solely on assumptions. It is my impression that
in evaluating these assumptions, RSADSI is guided more by commercial
interests than by scientific reasoning.
There have been substantial improvements to integer factoring since
the invention of RSA, and the recommended key size for RSA has
permanently increased -- a development that is likely to go on.
Elliptic curve cryptography was proposed in 1985. In 1990, it was
shown that for one (relatively small) set of special curves,
which are called supersingular, the discrete log problem can be
reduced to the discrete log problem in a finite field. For other
curves, the best known algorithms have exponential complexity.
For that reason most people agree that elliptic curve keys can be
substantially shorter than RSA keys for the same level of security.
That makes EC cryptography superior to RSA with regard to bandwidth and
memory consumption and (to some degree) speed. Clearly, those are
crucial points in an SET environment.
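
Added example, not part of the original message: the reduction for supersingular curves mentioned above moves the curve's discrete log into the field F_{p^k}, where k (the embedding degree) is the smallest exponent with r | p^k - 1 for a subgroup of prime order r. The check below computes k for two toy curves over F_17; the curve parameters are constructed for illustration and the function names are this example's own.

```python
# Embedding-degree check for toy curves y^2 = x^3 + a*x + b over F_p.
# Parameters are constructed for illustration; real curves use ~256-bit
# fields, where brute-force point counting is not feasible.

def curve_order(a, b, p):
    """Count points over F_p by brute force (toy sizes only)."""
    roots = [0] * p                      # roots[v] = number of y with y^2 == v
    for y in range(p):
        roots[y * y % p] += 1
    affine = sum(roots[(x * x * x + a * x + b) % p] for x in range(p))
    return affine + 1                    # plus the point at infinity

def largest_prime_factor(n):
    f, largest = 2, 1
    while f * f <= n:
        while n % f == 0:
            largest, n = f, n // f
        f += 1
    return n if n > 1 else largest

def embedding_degree(p, r):
    """Smallest k >= 1 with r | p^k - 1, i.e. the order of p modulo r."""
    if p % r == 0:
        raise ValueError("r divides p: no embedding degree exists")
    k, t = 1, p % r
    while t != 1:
        t = t * p % r
        k += 1
    return k

def analyse(a, b, p):
    n = curve_order(a, b, p)
    r = largest_prime_factor(n)
    return {
        "order": n,
        "r": r,
        "k": embedding_degree(p, r),
        # Over a prime field with p >= 5, supersingular means trace 0,
        # which is the same as order == p + 1.
        "supersingular": n == p + 1,
    }

if __name__ == "__main__":
    for name, (a, b) in {"y^2=x^3+1": (0, 1), "y^2=x^3+2x+2": (2, 2)}.items():
        print(name, analyse(a, b, 17))
```

For the supersingular curve the order is p + 1, so k = 2 for every odd prime factor r, however large p is. For a curve chosen without that structure k is typically about as large as r, which puts the target field F_{p^k} far out of reach at real parameter sizes.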