
I understand that given solutions for solving a discrete logarithm problem are on the order of (2/2), ergo, 256-bit private keys based on 25519 or secp256k1 have an effective bit strength of 128 bits.

I was wondering if anyone could explain how one can know the largest size private key supported by a curve. Is it to do with the curve's prime field? I'm just trying to learn a bit more about ECC.

As people slowly look at RSA 3072+ as archaic and not strong enough, I wonder how long before 128-bit strength ECC goes the same way.

Do we have any non-NIST (NSA backdoored :) ) curves which support 512-bit private keys (yielding 256-bit security)?

Thanks, John

Woodstock
  • First, the NIST curves themselves are most likely not backdoored (we have a question about this on this site), so P-521 should do. Second, have a look at Curve448 ("Goldilocks"). – SEJPM May 10 '19 at 12:37
  • @SEJPM thanks! I was being a little facetious regarding the NSA. Can I ask you how I can tell the largest key supported by a curve? What's the property of a curve that dictates this? – Woodstock May 10 '19 at 13:06
  • The curve order (which is closely related to the size of the underlying field / prime) – SEJPM May 10 '19 at 13:07
  • Even better than the kludgey semirigid ‘verifiably random’ short Weierstrass curve P-521 is the nice rigid Edwards curve E-521 found simultaneously by three independent research groups. But yes, you should use edwards448 instead. See https://crypto.stackexchange.com/a/51352 for discussion of the relation of the size of the coordinate field, the order of the curve group, and the cost of attacks, as well as a few other relevant security criteria. – Squeamish Ossifrage May 10 '19 at 14:37
  • That said: there is no particular reason to doubt a 128-bit security level today; the main predictable threats beyond unpredictable breakthroughs in cryptanalysis are the possibility of large quantum computers, which would devastate elliptic curve cryptography and RSA, and operational or implementation errors like not doing cryptography at all because it's too inconvenient or costly. You are probably better off just using X25519/Ed25519 for key agreement/signature, or secp256k1, because there are widely available high-quality low-cost implementations. – Squeamish Ossifrage May 10 '19 at 14:40
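
The point made in the comments, that the curve order bounds the useful private key size, shown as an added example that is not part of the original thread: on secp256k1 a 512-bit scalar yields the same public key as its reduction modulo the group order, so the extra bits add no security. The helper names (`add`, `mul`, `security_bits`, `demo`) and the sample key are constructed for this illustration; the domain parameters are the published secp256k1 constants.

```python
import hashlib

# secp256k1 domain parameters (public constants from SEC 2).
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(p1, p2):
    """Add two affine points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 is the negative of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def security_bits(order):
    """Generic discrete-log attacks cost about sqrt(order) group operations."""
    return order.bit_length() // 2

# Constructed sample: a fixed 512-bit scalar used as an oversized "private key".
BIG_KEY = int.from_bytes(hashlib.sha512(b"constructed sample key").digest(), "big") | (1 << 511)

def demo():
    """Return (public keys match, bit length of the reduced key, security level)."""
    reduced = BIG_KEY % N
    return mul(BIG_KEY, G) == mul(reduced, G), reduced.bit_length(), security_bits(N)

if __name__ == "__main__":
    print(demo())
```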

0 Answers