Interesting research and summary of security for different ECC: https://safecurves.cr.yp.to/ — Preceding unsigned comment added by 153.46.253.213 (talk) 14:18, 4 August 2023 (UTC)
From an earlier revision of the article:
For comparison, in 2001 some experts are suggesting these sizes for various public key systems for a security level appropriate to major business transactions that require secrecy:
RSA (based on difficulty of factorisation) 1024 bits.
DSA (based on difficulty of discrete log for integers modulo a prime) 1024 bits.
ECC (based on difficulty of discrete log for discrete ECC system) 200 bits.
I have removed this until it can be backed up firmly by a cite - instead, I have added external links to research papers in this field. -- The Anome
I refer you to What Wikipedia is not, item 9, and Most common Wikipedia faux pas "Deleting useful content". You have deleted some useful inline information and replaced it with external links. Bad idea. If you actually know anything about this subject and don't like my numbers, then change them, they are fairly fuzzy and there is no recognized reliable method for generating them. But don't delete them. You didn't even give a reason for deleting them. It is NOT necessary to give a cite for every single factlet on the whole of Wikipedia, and lack of a cite is NOT a good reason to delete content. I'll be back in a few days to revert the edit and maybe add some more discussion. -- Geronimo Jones
See www.nist.gov/encryption for a list of recommended elliptic curves. ANSI X9 requires a minimum of 80 bits of *symmetric key equivalent* security. This means use of SHA-1 with 160 bit output, use of RSA/DSA with 1024 bit keys and use of ECC with 160 bit keys. Don Johnson
The references of 256 bit ECC keys providing 128-bit security need citation. Bdamm (talk) 17:23, 13 August 2018 (UTC)
I'm sure as ECC becomes more common, lay-people will be looking for information about it. A lot of these people (like me) are rather put off by seeing mathematical functions in the introductory section. Could someone write a lay description of ECC that doesn't use mathematical symbols?
I think a simplified mathematical explanation is desperately needed. It should be possible to make an example that uses numbers small enough to fit on an 8 digit calculator and is more easily understood. How is key generation done? How do I use the keys to en/de-crypt something. I understand math, but I'm not a genius or have a PhD in it. How about explaining this in a way that a common person can understand it? Note that they did a fairly good job explaining RSA on that page, but have dropped the ball here. —Preceding unsigned comment added by 74.93.34.241 (talk) 13:38, 19 April 2010 (UTC)
+1 72.177.115.161 (talk) 06:58, 7 January 2012 (UTC)
Hello. In the introduction, the article states that elliptic curves used in cryptography are defined over prime or binary fields. However, mainly due to pairing-based cryptography, there has been interest in elliptic curves over ternary fields as well. augustojd 14:25, 2 April 2006 (UTC)
Removed from todo:
If a picture does not communicate any information there is no reason to include it (there is already such a picture in EC—there is no need to copy it to ECC). BTW, this talk page needs major clean up GBL 08:29, 18 April 2006 (UTC)
The link for factoring in "recent advances in factoring" points to the general factorization article; wouldn't the Integer factorization article be more appropriate in this case? lordspaz 16:21, 10 August 2006 (UTC)
Just to note...
> (Another factor is that ElGamal scheme is vulnerable to chosen-ciphertext attacks.) That's certainly not a real factor as e.g. plain RSA is vulnerable to chosen-ciphertext attacks as well. That's what the padding schemes are for (PKCS, OAEP, SAEP...).
> ...cryptography based on integer factorization (e.g., RSA) and finite-field cryptography (e.g., DSA). Well, both RSA and standard DSA are based on finite-field cryptography.
83.64.176.129 11:13, 27 August 2006 (UTC)
Actually, RSA is based on Rings, not finite-field - BrunoX 16:24, 29 November 2006 (UTC)
The introductory states that "... a user picks two large random primes as his private key, and publishes their product as his public key. The difficulty of factoring ensures that no one else can derive the private key (i.e., the two prime factors) from the public one within a reasonable amount of time." This is wrong. Consider the article RSA; in short, RSA generates two primes, p and q, but these are not the private key. The user then creates two exponents d and e, such that de = k(p-1)(q-1) for some k. (There are other restrictions on e, and I'm unsure if the two are really interchangeable.) Unless certain shortcuts are taken, both p and q are deleted at the end of the key generation process (though n = pq is retained).
In any case, this is a rather crucial distinction: in the system described in the article currently, the public key doesn't contain any information that the holder of the private key (assuming they somehow don't have the public key) doesn't already have, and so it doesn't make sense that it could be used to encrypt data that only they could decrypt.
I've rewritten it, but I'm not very happy with my layman's explanations of things. Future editors, please reference the actual operation of RSA before writing about it; there are a lot of misconceptions about cryptography out there. grendel|khan 21:09, 27 February 2008 (UTC)
In RSA, the private key has several equivalent forms, including (n,d) and (p,q). The previous version article was written using the latter in mind, which is fine. This emphasizes the dependence of RSA on integer factorization, while ignoring other details (such as the RSA problem being required to hard too).
With this new edit, the article now appears to suggest that p, one of the primes, is to be included in the public key. This would be wrong. Given n and p, one can recover q, and therefore determine the private key. From your talk page comment above, I gather that you meant e was the value to be made public, not p, but this was not made sufficiently clear in the article edit.
Either the current version should be clarified, or the article should be put back the way it was. DRLB (talk) 21:34, 27 February 2008 (UTC)
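The exchange above turns on which RSA values are public and which are private, and on the claim that (n, d) and (p, q) are equivalent forms of the private key. The following toy implementation is an added illustration, not text from the article or code from any project; it uses the constructed textbook parameters p = 61, q = 53, e = 17 and deliberately tiny numbers. It shows key generation, that the public key is (n, e), that one prime plus n immediately yields the other, and that the private exponent d is enough to recover the factorisation of n, which is why neither form of the private key may ever be published.

```python
# Toy RSA key handling (constructed example, textbook-sized parameters).
# Private key forms (n, d) and (p, q) are interchangeable: each can be
# derived from the other together with the public key (n, e).
from math import gcd


def keygen(p: int, q: int, e: int):
    """Return the public key (n, e) and the private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # e*d = 1 (mod phi), i.e. e*d = k*phi + 1 for some k
    return (n, e), d


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(n: int, d: int, c: int) -> int:
    return pow(c, d, n)


def q_from_p(n: int, p: int) -> int:
    """Given n and one prime factor, the other follows by a single division."""
    return n // p


def factor_from_d(n: int, e: int, d: int) -> set:
    """Recover {p, q} from (n, e, d).

    e*d - 1 is a multiple of phi(n), so for almost any g, repeatedly squaring
    g^r (with e*d - 1 = 2^t * r, r odd) passes through a square root of 1
    modulo n other than +-1; gcd(x - 1, n) then splits n.
    """
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        t += 1
        r //= 2
    for g in range(2, n - 1):
        common = gcd(g, n)
        if common != 1:  # lucky hit on a factor; negligible for real keys
            return {common, n // common}
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = x * x % n
            if y == 1:  # x is a non-trivial square root of 1 mod n
                p = gcd(x - 1, n)
                return {p, n // p}
            if y == n - 1:
                break  # this g only reaches the trivial root; try the next
            x = y
    raise RuntimeError("no factor found")


if __name__ == "__main__":
    pub, d = keygen(61, 53, 17)
    n = pub[0]
    print("public key (n, e):", pub, "private exponent d:", d)
    print("roundtrip of 65:", decrypt(n, d, encrypt(pub, 65)))
    print("q from n and p:", q_from_p(n, 61))
    print("factors recovered from d:", factor_from_d(n, pub[1], d))
```

The point for the article text: the two primes are consumed during key generation and are never part of the public key, and the private exponent d is exactly as sensitive as the primes themselves.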
I believe that Curve25519 can be considered a cipher in its own right, and have added a page for it; however, I lack the time to write a full article for it, so I have redirected it here for the time being (rather than provide a meaningless stub.) I am not sure whether a Curve25519 section in the ECC page makes more sense than its own page; I suspect that it is best handled in a dedicated page. But at least now there's something for it. NoDepositNoReturn (talk) 06:51, 14 June 2008 (UTC)
It's unhelpful to say that a set of points (x,y) forms a group, without giving some hint as to what the group operator is. How do (x1,y1) and (x2,y2) combine to form (x3,y3), also a solution? And why is the "point at infinity" (which point at infinity?) the identity element for this combination? 213.123.226.227
This article is written almost entirely from the mathematical POV. There are other important POVs which should be reflected here.
For example, what guides a design choice to incorporate ECC vs. alternatives? How does ECC compare to alternatives such as RSA? e.g. the key length is shorter, computational complexity on each side of an exchange, etc. —Preceding unsigned comment added by 192.118.32.80 (talk) 08:46, 13 December 2009 (UTC)
The link hxxp://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml in reference 3 is broken. –84.157.71.42 (talk) —Preceding undated comment added 19:32, 17 June 2010 (UTC).
The article currently states that "For cryptographic application the order of G [...] must be prime." This agrees with SP800-56A, but the only references I have seen that justify a restriction on the order only say that it should be large and divisible by a large prime. (E.g., Algebraic aspects of cryptography, Neal Koblitz.) Does anyone know of a reason why the order would have to be prime? Doctorhook (talk) 20:24, 22 December 2010 (UTC)
The first of the external links ([1]) shows a page with no substantial or interactive content to me? Gryllida 03:07, 21 November 2011 (UTC)
This is a link to a SAGE notebook. SAGE is an important open-source computer-algebra system. A notebook has to be run in your browser to use it -- when you just open it, without starting it, you see the source-code which may appear to be similar to TeX. To start the notebook just click "Evaluate". [BE] — Preceding unsigned comment added by BeEs1 (talk • contribs) 11:08, 1 December 2011 (UTC)
In reference to quantum computing attacks the article reads "Elliptic curve cryptography is vulnerable to a modified Shor's algorithm for solving the discrete logarithm problem on elliptic curves" with two citations ([1][2]). Looking through both of these citations, they both work over fields of prime order, with the latter paper explicitly stating that they did not consider fields of prime power order. If ECC over fields of prime power order is truly vulnerable to QC attacks, I think there should be a citation that references this. GromXXVII (talk) 22:20, 25 June 2012 (UTC)
((cite journal)) (broken citation template, missing |journal=). It is probably outdated though, though it might be useful for background info (?). Jimw338 (talk) 04:18, 12 September 2016 (UTC)
I just rewrote the whole section with an updated citation and what I hope is both clearer wording and a more NPOV. Tarcieri (talk) 18:40, 3 November 2017 (UTC)
I don't have the technical competence to write a section about this, but I think it is important to point out that there is serious speculation that the NSA inserted a backdoor into the NIST Special Publication 800-90 Dual_EC_DRBG elliptic curve pseudo random generator. If I understand the concern, it is basically that some defined constants in the standard are related to a second, unknown set of numbers, but whoever originally generated those constants does know those numbers. Cryptographic experts say that whoever knows those numbers can gain encryption keys given only 32 bytes of cyphertext.
The technical discussion of the issue is found in these sources:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 http://eprint.iacr.org/2007/048.pdf http://rump2007.cr.yp.to/15-shumow.pdf
And some analysis of the possibility that these concerns are founded, based on leaks from Edward Snowden, is found here:
http://arstechnica.com/security/2013/09/the-nsas-work-to-make-crypto-worse-and-better/ — Preceding unsigned comment added by 24.126.40.36 (talk) 17:29, 6 September 2013 (UTC)
#!/bin/DokReggar -talk 12:46, 3 January 2014 (UTC)
Just have to agree with people saying it should be mentioned if only to disambiguate the issue from this page. I too expected to see something about it and had to read the talk page to understand that not all ECC was compromised. Only a very small number of potential readers here know enough to make the distinction required; the vast majority simply think ECC->NSA->backdoored. It's just the reality of the situation. — Preceding unsigned comment added by 68.45.155.10 (talk) 15:42, 22 January 2015 (UTC)
The article states, under the heading "Domain Parameters," that
The order of an element G in an additive group is the smallest positive integer n such that , not ∞ (Gallian, Contemporary Abstract Algebra, ch. 4). This needs to be fixed.
John (talk) 15:37, 3 November 2014 (UTC)
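Several comments on this page ask the same things: what the group operation on the points actually is, how (x1, y1) and (x2, y2) combine, why the point at infinity is the identity, how the order of a point is defined, and whether a worked example with calculator-sized numbers is possible. The block below is an added illustration, not text from the article or code from any project. It uses the constructed toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1); this curve has exactly 19 points (a prime), so every point other than the identity has order 19. It implements the chord-and-tangent addition law, scalar multiplication, the order of a point as the smallest n with nG = O, and a tiny Diffie-Hellman exchange with that group. Real curves use 256-bit or larger primes; the small field here exists only to make the arithmetic checkable by hand.

```python
# Toy elliptic-curve group law over a small prime field (constructed example).
# A point is a tuple (x, y); None stands for the point at infinity O, which is
# the identity of the group. The inverse of (x, y) is (x, -y mod p).
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Curve:
    p: int  # prime field modulus
    a: int  # coefficient of x in y^2 = x^3 + a*x + b
    b: int

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent law: draw the line through P and Q (the tangent if
        P == Q), take its third intersection with the curve, reflect in x-axis."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = O; vertical line meets the curve "at infinity"
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)  # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)  # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Scalar multiplication kP = P + P + ... + P by double-and-add."""
        R: Point = None
        Q = P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def order_of(self, P: Point) -> int:
        """Smallest n >= 1 with nP = O (brute force; fine only for toy curves)."""
        n, Q = 1, P
        while Q is not None:
            Q = self.add(Q, P)
            n += 1
        return n

    def count_points(self) -> int:
        """#E(F_p) by exhaustive search, counting O as well."""
        return 1 + sum(
            1 for x in range(self.p) for y in range(self.p) if self.on_curve((x, y))
        )


def ecdh(curve: Curve, G: Point, a: int, b: int) -> Tuple[Point, Point]:
    """Each side keeps its scalar secret and publishes its multiple of G.
    Returns the two shared secrets, which must coincide: a(bG) == b(aG)."""
    A = curve.mul(a, G)  # Alice's public key
    B = curve.mul(b, G)  # Bob's public key
    return curve.mul(a, B), curve.mul(b, A)


TOY = Curve(p=17, a=2, b=2)  # constructed curve, not a standardised one
G: Point = (5, 1)

if __name__ == "__main__":
    print("G on curve:", TOY.on_curve(G))
    print("2G =", TOY.add(G, G), " 3G =", TOY.mul(3, G))
    print("order of G =", TOY.order_of(G), " #E(F_17) =", TOY.count_points())
    print("19G =", TOY.mul(19, G), " 20G =", TOY.mul(20, G))
    print("ECDH shared secrets:", ecdh(TOY, G, 7, 5))
```

Because the group order 19 is prime, G generates the whole group and the discrete-logarithm problem "find k given kG" is as hard as it gets for a group this size; with p = 17 that is trivially brute-forceable, which is exactly why the article's domain parameters require a large prime-order subgroup.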
Hello fellow Wikipedians,
I have just modified 2 external links on Elliptic curve cryptography. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at ((Sourcecheck))).
An editor has determined that the edit contains an error somewhere. Please follow the instructions below and mark the |checked= to true.
Archive link for anziamj.austms.org.au fails with 504 Gateway Timeout
Cheers.—InternetArchiveBot (Report bug) 20:15, 11 September 2016 (UTC)
Hello fellow Wikipedians,
I have just modified one external link on Elliptic curve cryptography. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at ((Sourcecheck))).
An editor has reviewed this edit and fixed any errors that were found.
Cheers.—InternetArchiveBot (Report bug) 02:32, 23 December 2016 (UTC)
Hello fellow Wikipedians,
I have just modified 2 external links on Elliptic-curve cryptography. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template ((source check)) (last update: 18 January 2022).
Cheers.—InternetArchiveBot (Report bug) 21:14, 19 September 2017 (UTC)
This article doesn't contain the algorithm for ECC like the RSA article does. — Preceding unsigned comment added by 198.52.160.180 (talk) 20:30, 6 December 2019 (UTC)
The first paragraph states that ECC is based on finite fields, as opposed to non-EC cryptography, which is based on plain Galois fields. However, the referenced article on finite fields explains that finite fields and Galois fields are one and the same. I suspect the intended meaning is that non-EC crypto is based on structures over finite fields which are not elliptic curves. If so, this is not clear from the text. I won't change the formulation myself, since I'm not an expert in the field. — Preceding unsigned comment added by VecLuci (talk • contribs) 04:13, 10 October 2018 (UTC)
"Five prime fields for certain primes p of sizes 192, 224, 256, 384, and ((Not a typo|521)) bits. For each of the prime fields, one elliptic curve is recommended."
Should there be a footnote about that 521 not being a typo? It really is 521 (see [2] among many, many sources) but it really looks like someone mis-typed "512". 76.216.220.191 (talk) 04:00, 28 December 2021 (UTC)