[Cryptography] IETF discussion on new ECC curves.
Jerry Leichter
leichter at lrw.com
Sat Aug 2 07:25:42 EDT 2014
On Aug 1, 2014, at 5:26 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> E-480 is not just slightly less secure than E-512, the work factor is
> reduced by 2^16, that's 65,536 times less security than we asked for.
> And the so-called 'Goldilocks curve' is twice as fast but the E-512 is
> 4 billion times harder to break....
I haven't dug into all the technical issues here, but I can't buy these assertions. A change in work factor of 2^16 when you change the number of bits in the key by 16 makes sense only for searches equivalent to brute force.
All of these numbers are way beyond any possible brute force search. (No, not just based on existing technologies, but based on any technology consistent with what we know about physics.) Answering that, sure, brute force isn't relevant, but that for *any* attack, more bits is always harder, ignores the important question of *how much* harder. Your assertions assume exponential scaling in the number of bits. That means attacks equivalent to brute force - so just as impractical as brute force at these sizes, regardless of the details.
-- Jerry
More information about the cryptography
mailing list