<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Jun 10, 2015 at 9:13 PM, Bill Cox <span dir="ltr"><<a href="mailto:waywardgeek@gmail.com" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=waywardgeek@gmail.com&cc=&bcc=&su=&body=','_blank');return false;">waywardgeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Fri, May 29, 2015 at 5:21 PM, Tony Arcieri <span dir="ltr"><<a href="mailto:bascule@gmail.com" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=bascule@gmail.com&cc=&bcc=&su=&body=','_blank');return false;">bascule@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Fri, May 29, 2015 at 12:26 PM, Bill Cox <span dir="ltr"><<a href="mailto:waywardgeek@gmail.com" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=waywardgeek@gmail.com&cc=&bcc=&su=&body=','_blank');return false;">waywardgeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><span style="color:rgb(37,37,37);font-family:sans-serif;font-size:14px;line-height:8.96000003814697px">Why do we believe this is secure, other than the fact that in EEC's short life, no one has cracked it? Compared to DLP and integer factorization, I doubt many people have tried.</span></div></div></blockquote><div><br></div></span><div>For what it's worth, you can say the same thing about factorization. The only reason RSA is secure is because factoring large numbers is generally considered a hard problem.</div></div></div></div></blockquote><div><br></div></span><div>Is the following problem hard? I'm still trying to grok the basics of what make ECC hard to attack. The simplified system I'm trying to attack is just the unit circle, which is basically an Edwards Curve with d = 0. I think I might be able to find the discrete log on the circle if I could just map the (x, y) mod p point back to a rational point on the circle.</div></div></div></div></blockquote><div><br></div><div>I think the fundamental problem is you need to reason about things in terms of finite fields, and everything you've just described suggests you're thinking about a finite field of characteristic 0, a.k.a. your basic two dimensional plane.</div><div><br></div><div>Elliptic curve cryptography uses finite fields of (incomprehensibly) large characteristic.</div><div><br></div><div>When an elliptic curve is plotted across a finite field, it completely ceases to look like the curve you're probably thinking about:</div><div><br></div><div><a href="https://cdn.arstechnica.net/wp-content/uploads/2013/10/elliptic-curve-crypt-image01.gif">https://cdn.arstechnica.net/wp-content/uploads/2013/10/elliptic-curve-crypt-image01.gif</a><br></div><div><br></div><div>Kind of looks like stars ;)</div><div><br></div></div>-- <br><div class="gmail_signature">Tony Arcieri<br></div>
</div></div>