[Cryptography] New attacks on discrete logs?
Bear
bear at sonic.net
Sat May 24 14:47:45 EDT 2014
On Sat, 2014-05-24 at 08:07 -0400, Jerry Leichter wrote:
> On May 23, 2014, at 5:03 PM, Bear <bear at sonic.net> wrote:
> > Would anyone like to clarify what exactly they mean by
> > "small" and "large" characteristic here? Please?
> Ah, time for some fun math I haven't thought about in years.
>
> A (commutative) group G is a bunch of elements with a binary operation . with the following properties:
>
Thanks Jerry, for that lesson on group theory. It was genuinely
helpful. It permits me, at least, to formulate the question in
a more specific way.

What I really wanted to know was how to adjust security
estimates for modular groups as a function of the bit length
of the prime factor of the modulus.

Using modular addition as the operation, modular groups in the
integers are, for reasons you explained, necessarily integers
modulo some number which has exactly one prime factor.

And if that factor is "small" this algorithmic advance makes
operations in those groups somewhat easier to reverse, and if
that factor is "large" this algorithmic advance does not make
operations in those groups significantly easier to reverse.

Because reversing group operations is provably at least as
hard as factoring (though in practice, at least as far as we
know how to do it now, much harder), I could conservatively
interpret "large" as meaning >4096 bits, or out of range of
current factoring technology, and "small" as <2048 bits.

But that's a very dire interpretation, and would effectively
destroy Elliptic Curve cryptosystems outright, which no one
so far is claiming that this advance does.

So what bit lengths (of the prime factor of the modulus) are
we talking about when we say "small" and "large" in this
context?

Bear