For a proper answer, you should follow pbarreto on Twitter and ask him. He's a 
nice guy and *very* willing to talk about this. Mostly because he found the 
press release so misleading. 

But in any case, the answer to your question is: this is not a standard choice 
for a pairing friendly curve. It's a field of small characteristic, which makes 
it unusually vulnerable to these attacks. They could not use this attack 
against a similar MNT or BN curve.

My understanding is that a 256-bit BN curve gives 128-bit security.

Matt 

On Jun 20, 2012, at 5:12 PM, Jon Callas <j...@callas.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> On Jun 20, 2012, at 8:35 AM, Matthew Green wrote:
> 
>> I'm definitely /not/ an ECC expert, but this is a pairing-friendly curve, 
>> which means it's vulnerable to a type of attack where EC group elements can 
>> be mapped into a field (using a bilinear map), then attacked using an 
>> efficient field-based solver. (Coppersmith's).
>> 
>> NIST curves don't have this property. In fact, they're specifically chosen 
>> so that there's no efficiently-computable pairing.
>> 
>> Moreover, it seems that this particular pairing-friendly curve is 
>> particularly tractable. The attack they used has an estimated running time 
>> of 2^53 steps. While the 'steps' here aren't directly analogous to the 
>> operations you'd use to brute-force a symmetric cryptosystem, it gives a 
>> rough estimate of the symmetric-equivalent key size.
>> 
>> (Apologies to any real ECC experts whose work I've mangled here… :)
> 
> Thanks, anyway, as things seem to be detail-lite where I'm getting them.
> 
> Do we have anyone who can speak authoritatively on this? I am also not at all 
> an expert on pairing-friendly curves.
> 
> Is this merely a case where 973 bits is equivalent to ~60 bits symmetric? If 
> so, what's equivalent to AES-128 and 256? Is there something inherently weak 
> in pairing-friendly curves, like there are in p^n curves?
> 
> I have no idea what this result *means* and would love to know. 
> 
>    Jon
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 3.2.0 (Build 1672)
> Charset: windows-1252
> 
> wj8DBQFP4jy5sTedWZOD3gYRAoL9AJ9iVVSj1RY3SCLQCo8WJutsRq4IEwCfYUdZ
> xzcsltQaPQZELJ0joMs7UjU=
> =l3BW
> -----END PGP SIGNATURE-----
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
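
The mapping discussed in this thread sends points of an order-r curve group over F_q into the extension field F_{q^k}, where k (the embedding degree) is the smallest integer with r | q^k - 1. The sketch below is an added example, not code from any poster in the thread; it computes k for NIST P-256 and for a 254-bit Barreto-Naehrig parameter set (the BN parameter u is an assumption made here, since the thread names no specific curve).

```python
# Added example: embedding degree k = smallest k with r | q^k - 1.
# The pairing maps the order-r curve group into F_{q^k}, so k sets the
# size of the finite field in which the discrete log can be attacked.

def embedding_degree(q, r, bound=1000):
    """Return the smallest k <= bound with q^k == 1 (mod r), else None."""
    acc = 1
    for k in range(1, bound + 1):
        acc = acc * q % r
        if acc == 1:
            return k
    return None  # no pairing into a field of degree <= bound


def target_field_bits(q, k):
    """Bit length of q^k, the size of the pairing's target field."""
    return (q ** k).bit_length()


# NIST P-256: field prime and group order (FIPS 186 parameters).
P256_Q = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_R = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Barreto-Naehrig family: q and r are polynomials in a parameter u.
# Assumption: u below is the value used by the common 254-bit BN curve.
BN_U = 4965661367192848881
BN_Q = 36 * BN_U**4 + 36 * BN_U**3 + 24 * BN_U**2 + 6 * BN_U + 1
BN_R = 36 * BN_U**4 + 36 * BN_U**3 + 18 * BN_U**2 + 6 * BN_U + 1


def summarize():
    """Map curve name -> (bits of q, embedding degree, target field bits)."""
    rows = {}
    for name, q, r in (("P-256", P256_Q, P256_R), ("BN", BN_Q, BN_R)):
        k = embedding_degree(q, r)
        bits = target_field_bits(q, k) if k else None
        rows[name] = (q.bit_length(), k, bits)
    return rows


if __name__ == "__main__":
    for name, (qbits, k, fbits) in summarize().items():
        print(f"{name}: {qbits}-bit q, k={k}, target field bits={fbits}")
```

For P-256 no k up to the bound exists, so there is no small field to move the problem into; the BN set gives k = 12 and a target field of roughly 3000 bits.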