11

I was looking into the predictions by some researchers that RSA and Diffie-Hellman may not be secure in the next few years due to advances in math and being able to calculate the discrete logarithm problem in new ways no longer making them "impossible" to solve backwards (Math Advances Raise the Prospect of an Internet Security Crisis). Would this cause problems with Elliptic Curves? I know they are based on different principles, but could continued advances in this area compromise ECC? Can we consider ECC a replacement if RSA and DH were compromised?

otus
  • 32,132
  • 5
  • 70
  • 165
Jesse
  • 415
  • 1
  • 5
  • 16

4 Answers4

20

A couple things:

  1. This article is two years old, so take its predictions with a grain of salt.
  2. In the two years that have elapsed, the predicted advances have not materialized, and there is little indication they will soon.

  3. The core of those arguments was Joux's 2013 result on the discrete logarithm problem in finite fields of small characteristic. Those methods do not directly apply to any standard cryptographic primitive like RSA or DH, and it is not known how to translate Joux's algorithm into an attack on these primitives. The underlying math is fundamentally different.

  4. It's important to be cautious and conservative when choosing cryptographic primitives, but people have been predicting the death of RSA and DH for many years, and they've lasted this long.

Again, it's not known how to translate Joux's methods into a general-purpose algorithm for the discrete log problem in any other group. Thus, while it's possible for his attack to work in elliptic curve groups, there simply isn't any indication that this is the case.

pg1989
  • 4,636
  • 23
  • 42
6

I just want to highlight:

  • The new advancement need to be realized and validated.
  • ECC and DH are quite similar although ECC discrete logarithm problem is harder. In other words, whatever effects the security of DH might not affect ECC with the same magnitude.
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
Nayef
  • 215
  • 1
  • 7
  • 1
    I think the second point is an important addition. Though you can imagine advances that would only apply to one, a generic enough algorithm could break both. – otus Nov 30 '15 at 17:48
  • You can implement DH with ECC instead of the multiplicative group of a finite field, but saying that DH and ECC are quite similar is a bit sloppy. – mwhs Nov 30 '15 at 18:01
  • @mwhs both of them are based on discrete log problem – Nayef Nov 30 '15 at 18:03
  • DH is a protocol and ECC is a cryptographic algorithm, that just not the same class of things. Maybe you mean that modular exponentiation in a multiplicative group of a finite field and group operations in ECC are similar? – mwhs Nov 30 '15 at 18:27
  • 1
    @mwhs, ECC is a general term for a whole bunch of algorithms, but many of them use DH (which isn't just a protocol, but a problem), like ECIES does. – otus Nov 30 '15 at 20:50
  • 2
    Both of them use discrete log, but in different groups with very, very different algebraic properties. It's like saying a car is quite similar to a fighter jet because they both use fossil fuels. – pg1989 Dec 01 '15 at 03:51
  • @otus you're mixing up a few things here. There is a clear distinction between DH (which is a protocol), the DH Problem (DHP), which is a security scheme, and the Decisional DH Assumption (DDH), which is a theoretical construct used to prove hardness/security. All of them abstract from the concrete algebraic structure used to implement DH, as long as the structure/group holds under the DDH. This is why you can't say that ECC and DH are quite similar. – mwhs Dec 01 '15 at 10:23
  • 1
    @mwhs I agree that the language is sloppy, but "DH" is commonly used to refer to other uses of a Diffie–Hellman function than just a key-exchange protocol. – otus Dec 01 '15 at 10:27
  • @mwhs DH was identified for some reasons as protocol although it is just another public key crypto algorithm. Being abstracted will help to make the picture clear. – Nayef Dec 01 '15 at 10:35
  • @Nayef the cryptographic algorithm that DH uses is the n-fold application of a group operation to a generator of a cyclic group with specific charateristics. The counterpart of this algorithm is the Discrete Log Problem (DLP) which poses the question, how many times the group operation has been applied to the generator. So you can't say that DH is a crypto algorithm, but you can say it uses a crypto algorithm. – mwhs Dec 01 '15 at 11:01
3

It can affect several classes of Elliptic curves. In particular, if this curves have pairings or any other way to translate the problem to a finite field (or extension finite field). The tricky part about ECC is that if you do not pick your Elliptic curve properly, you might end up with a weak implementation. Or, with an implementation in which the problem can be reduced to a finite field.

Jhordany
  • 49
  • 2
1

With math and computational advances, for protecting systems we should increase key size. We know that recommended key size for elliptic curves is approximately $2s$ bit, which $s$ is a desired security level.Today $s=80$, but with the advances of math, $s$ is increasing. $s=96$ is believed to provide protection until $2020$. For more detail you can see "Yearly report on algorithms and key sizes".

Meysam Ghahramani
  • 2,313
  • 1
  • 17
  • 31