

New algorithm shakes up cryptography - jonbaer
http://www.sciencedaily.com/releases/2014/05/140515163739.htm

======
djmdjm
This actually came out about half-way through last year. It's a good attack on
DLP-based cryptosystems, like ECDSA and ECDA, when they use small-characteristic
fields.

Most EC crypto in use uses large-characteristic prime curve fields (often
abbreviated as GFp) and is unaffected by these attacks.

Small-characteristic GF2^m curve fields seem a little more popular in
embedded hardware, but I don't know any details. Relatively little software
uses GF2^m curve fields either, though a notable exception is Bitcoin (I have
no idea what this result meant for them).

Notably, the EC used in SSH and common SSL deployments uses GFp keys and isn't
affected by this result. It does make one wonder whether the DLP will fall
more generally - it is only believed to be "hard" and AFAIK there is no proof
that it is.

~~~
olalonde
> This actually came out about half-way through last year.

What do you mean? I don't doubt you are right but the article doesn't seem to
mention that anywhere.

~~~
koios
He's referring to the previous work of Joux, such as this:
[https://eprint.iacr.org/2013/095.pdf](https://eprint.iacr.org/2013/095.pdf).

"Today's" result is an improvement over that and previous works. So what we
know is that attacks on curves over GF_{2^m} are getting better.

------
pbsd
There's some confusion going on here. This algorithm:

- Has nothing to do with elliptic curves.

- Has virtually zero repercussions in any real-world cryptosystem.

- Is a mostly theoretical refinement of the 'cryptopocalypse' Joux algorithm,
which only affects some special kinds of fields (namely small characteristic).

- Is only being reported again now because the paper has just been presented
at Eurocrypt.

Here are some previous threads on the subject:
[https://news.ycombinator.com/item?id=6240434](https://news.ycombinator.com/item?id=6240434)

~~~
djmdjm
AFAIK the relation to EC is that pairing-based cryptography is a popular
(among academics at least) user of GF2m elliptic curves.

~~~
tptacek
We're getting way past my comfort level, but the impact of the recent DLP
attacks on pairing curves is because they involve mapping the curve problem
into a multiplicative finite field, right? The DLP attacks themselves don't
directly impact the ECDLP.

------
yzzxy
The journal article in question (PDF):

[http://eprint.iacr.org/2013/400.pdf](http://eprint.iacr.org/2013/400.pdf)

------
rwinn
So what does this mean exactly?

> it is likely to have repercussions especially on the cryptographic
> applications of smart cards, RFID chips (2), etc.

It will be easier to bruteforce RSA/DSA?

~~~
nhaehnle
For the time being, it only applies to elliptic curves. However, the curves in
actual use are over fields of large characteristic, so this result does not
break them.

Obviously, any advance in understanding the discrete logarithm problem may be
a step forward in breaking elliptic curves, but as far as I know, this is not
a reason to change anything for the time being - at least for
non-cryptographers.

------
Sami_Lehtinen
New crypto is scary and unproven, until it's not.
[https://www.schneier.com/crypto-gram-9902.html#snakeoil](https://www.schneier.com/crypto-gram-9902.html#snakeoil)

------
general_failure
Gotta love these researchers who put their painstaking work in publications
and papers rather than patents.

~~~
ddebernardy
Alternative interpretation: Gotta love how European research funded by
taxpayer euros enters the public domain — as it should.

Fwiw, on this side of the pond some are somewhat bemused by how e.g. US big
pharma firms are allowed to patent research results that were funded by
taxpayer dollars.

------
nwh
Question to someone capable of understanding the paper; how screwed is ECDSA?

~~~
zarvox
Not terribly, at first glance. Crypto generally uses fields with no subfields
and large characteristic, whereas these attacks seem to generally be limited
to fields with subfields and small characteristic.

It's interesting work, but not immediately alarming.
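The two structural properties zarvox names (small characteristic, and a field with intermediate subfields) are easy to check for any curve a deployment actually uses. The following is an added example written for this thread, not code from the linked paper or from any of the commenters. The P-256, secp256k1, sect283k1 and sect163k1 base-field parameters are the published constants; the 16-bit "small characteristic" threshold and the GF(2^12) entry are assumptions constructed for illustration. The check only asks whether a field has the shape these attacks need; it says nothing about an actual break.

```python
"""Classify elliptic-curve base fields by characteristic and subfield structure.

Added example for this thread; not from the linked paper. The named curve
field parameters are the published ones; the GF(2^12) entry is constructed
to show what a composite extension degree looks like.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BaseField:
    name: str
    characteristic: int    # p for a prime field GF(p); 2 for a binary field GF(2^m)
    extension_degree: int  # 1 for GF(p); m for GF(2^m)

    @property
    def order(self) -> int:
        return self.characteristic ** self.extension_degree


# Assumption of this example: a characteristic that fits in 16 bits is treated
# as "small" in the sense relevant to Joux-style index calculus. Prime-field
# curves in common use have a ~256-bit characteristic, far above this.
SMALL_CHARACTERISTIC_BITS = 16


def intermediate_subfield_degrees(m: int) -> List[int]:
    """Degrees d with 1 < d < m and d | m.

    GF(q^d) is a subfield of GF(q^m) exactly when d divides m, so a prime
    extension degree leaves only the prime field and the field itself.
    """
    return [d for d in range(2, m) if m % d == 0]


def classify(f: BaseField) -> Dict[str, object]:
    """Report the two properties discussed in the thread for one base field."""
    small = f.characteristic.bit_length() <= SMALL_CHARACTERISTIC_BITS
    subfields = intermediate_subfield_degrees(f.extension_degree)
    return {
        "name": f.name,
        "small_characteristic": small,
        "intermediate_subfields": subfields,
        # Both properties must hold before the small-characteristic DLP
        # improvements are even structurally applicable to the field.
        "structurally_in_scope": small and bool(subfields),
    }


# Published base-field parameters (well-known constants, not taken from the page):
P256 = BaseField("P-256 (secp256r1)", 2**256 - 2**224 + 2**192 + 2**96 - 1, 1)
SECP256K1 = BaseField("secp256k1", 2**256 - 2**32 - 977, 1)
SECT283K1 = BaseField("sect283k1 (NIST K-283)", 2, 283)
SECT163K1 = BaseField("sect163k1 (NIST K-163)", 2, 163)
# Constructed for illustration only: a binary field with composite degree.
GF2_12_CONSTRUCTED = BaseField("GF(2^12) (constructed example)", 2, 12)

CURVE_FIELDS = [P256, SECP256K1, SECT283K1, SECT163K1, GF2_12_CONSTRUCTED]


def report(fields=CURVE_FIELDS) -> List[Dict[str, object]]:
    """Classify every field in the inventory."""
    return [classify(f) for f in fields]


if __name__ == "__main__":
    for row in report():
        print(f"{row['name']:32} small_char={str(row['small_characteristic']):5} "
              f"subfield_degrees={row['intermediate_subfields']} "
              f"in_scope={row['structurally_in_scope']}")
```

Running it shows why the standardized binary curves are not obviously in scope either: their extension degrees (163, 283) are prime, so GF(2^m) has no intermediate subfield, while the constructed GF(2^12) exposes subfields of degree 2, 3, 4 and 6.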

------
broolstoryco
What are the implications for Bitcoin?

~~~
qnr
None

~~~
flyfishcxy
see

