[Cryptography] Why is ECC secure?

Viktor Dukhovni cryptography at dukhovni.org
Tue Aug 18 14:15:23 EDT 2015


On Tue, Aug 18, 2015 at 08:36:58AM -0700, Bill Cox wrote:
> I think I'm finally getting the basics of why we like elliptic curve
> crypto.  Here's my attempt to explain it in regular English.
> 
> These are curves such that they fit into this form:
> 
>     a @ b = Finv(F(a) + F(b))
> 
> The @ is the group "addition" operator and the + is some group operation,
> likely addition or multiplication.  In the case of Edwards elliptic curves,
> F(a) is a line integral along a path on the unit sphere.
> 
> These would all be trivially broken except:
> 
> 1) F(a) is a transcendental function, with no modular arithmetic equivalent
> 2) Finv(F(a) + F(b)) is algebraic

I'm afraid this argument is largely misguided.  The security of
Elliptic curves rests on deeper mathematics than mere lack of a
birational equivalence to the circle group.

Such a birational equivalence, if it existed, would of course spell
trouble for EC, but lack thereof just precludes the carrying over
of geometric attacks from continuous to discrete curves.

Even though the Lie group isomorphism of "d < 0" real Edwards curves
to the circle group is no use mod p, we can't immediately jump to
the conclusion that DH on Elliptic curves mod p is adequately
strong.

> That's the only potential use for obscuring the original point that I can
> think of...

The reasoning (which I did not quote) is much too naive.  You'll
just have to trust experts (not me, I just know enough more to know that
I don't know enough) on the security of ECC.

-- 
	Viktor.
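
An added illustration (not part of the message above, and not code from either poster) of why an algebraic map from a curve to the circle group would "spell trouble": with d = 0 the Edwards equation is the circle x^2 + y^2 = 1, and mod p the map (x, y) -> y + i*x sends its group law to multiplication in F_p^*, so a discrete log on the circle is just a finite-field discrete log. The prime, the non-square d and the sample points are toy values constructed here; the same map failing for d != 0 shows only that this one shortcut is gone, which, as the message says, is not by itself evidence of strength.

```python
from itertools import islice

# Toy parameters, constructed for this illustration (far too small for real use).
P = 1009                                   # prime with P % 4 == 1, so sqrt(-1) exists
I = next(i for i in range(2, P) if i * i % P == P - 1)                # I*I = -1 mod P
D = next(d for d in range(2, P) if pow(d, (P - 1) // 2, P) == P - 1)  # non-square

def inv(a):
    return pow(a % P, P - 2, P)

def add(p1, p2, d):
    """Edwards addition on x^2 + y^2 = 1 + d*x^2*y^2 mod P; d = 0 is the circle."""
    (x1, y1), (x2, y2) = p1, p2
    t = d * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % P,
            (y1 * y2 - x1 * x2) * inv(1 - t) % P)

def on_curve(pt, d):
    x, y = pt
    return (x * x + y * y - 1 - d * x * x * y * y) % P == 0

def mul(k, pt, d):
    """Double-and-add scalar multiplication; (0, 1) is the neutral element."""
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt, d)
        pt, k = add(pt, pt, d), k >> 1
    return acc

def phi(pt):
    """(x, y) -> y + I*x, a map into the multiplicative group of F_P."""
    return (pt[1] + I * pt[0]) % P

def points(d, n=40):
    """First n curve points with x, y >= 2 (brute force, toy sizes only)."""
    gen = ((x, y) for x in range(2, P) for y in range(2, P) if on_curve((x, y), d))
    return list(islice(gen, n))

def phi_failures(d):
    """Count sample points G where phi(G + G) != phi(G)^2."""
    return sum(phi(add(g, g, d)) != pow(phi(g), 2, P) for g in points(d))

def circle_dlog_transfers(k):
    """On the circle (d = 0), k*G maps to phi(G)^k: the DLP moves into F_P^*."""
    g = points(0, 1)[0]
    return phi(mul(k, g, 0)) == pow(phi(g), k, P)

if __name__ == "__main__":
    print("circle DLP transfers to F_P^*:", circle_dlog_transfers(123))
    print("phi failures, circle:", phi_failures(0), " Edwards d=%d:" % D, phi_failures(D))
```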

