[Cryptography] Why is ECC secure?

Viktor Dukhovni cryptography at dukhovni.org
Sat Jun 13 09:41:03 EDT 2015 

On Wed, Jun 10, 2015 at 09:13:17PM -0700, Bill Cox wrote:

> Is the following problem hard?  I'm still trying to grok the basics of what
> make ECC hard to attack.  The simplified system I'm trying to attack is
> just the unit circle, which is basically an Edwards Curve with d = 0.  I
> think I might be able to find the discrete log on the circle if I could
> just map the (x, y) mod p point back to a rational point on the circle.

But d=0 is NOT an Edwards curve, the d=0 degeneracy makes it a very
different beast.

> For a given prime p, the given integer x, y point mod p satisfies
> 
>     (x, y) = s*G mod p
>
> where G is a generator point, and s is a secret value.  I'm trying to find
> s, which looks doable if I can map (x, y) back to a rational point on the
> circle, (l/n, m/n).

Since circle arithmetic is just multiplication of complex numbers
on the unit circle the relevant formula is:

	(a,b)*(c,d) = (ac - bd, ad + bc)

It is easy to verify that if norm((a,b)) = (a^2 + b^2) = 1 =
norm((c,d)), mod p or not, then also norm((a,b)*(c,d)) = 1.  The
inverse of any point (a,b) is (a,-b) and the identity is (1,0).

In this context, a useful mapping from the circle mod p to the
characteristic 0 (rational) circle needs to preserve the product,
(that is it needs to be a group homomorphism), otherwise the mapping
is of no use in mapping the DLP from (mod p) to the rationals.

Since there are only finitely mod p points, each point has a finite
order, i.e. (x,y)^n = 1 for for some n.  The same would have to be
true for any image of (x,y) under a homomorphism into the rational
circle.  However, there are only four rational points on the circle
with finite order:

	1, -1, i, -i

all other rational (p, q) with p^2 + q^2 = 1 have infinite order.
Otherwise, there'd be a primitive n^th root of unity for n > 2,
with rational real and imaginary parts, but all such numbers
have degree 2 over the rationals.

So the only viable homorphisms are into Z_4, and cannot be injective
for all but the smallest primes.

So this approach is a dead-end even for the circle, which is much
simpler than an actual Edwards curve with a non-zero "d".

-- 
	Viktor.

More information about the cryptography mailing list