Talk:Elliptic-curve cryptography: Difference between revisions

{{WikiProject Cryptographybanner shell|class=C|importance1=High}}
{{WikiProject Cryptography |importance=High}}
{{CryptographyReader}}
{{WikiProject Numismatics |importance=low }}
{{maths rating|class=Start|priority=Mid|field=discrete}}
{{WikiProject Cryptocurrency|importance=mid}}
{{todo|4}}
{{WikiProject Mathematics|priority=Mid }}
}}
{{annual readership|scale=log}}
 
==Security analysis of ECC==
Interesting research and summary of security for different ECC: https://safecurves.cr.yp.to/ <!-- Template:Unsigned IP --><small class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[Special:Contributions/153.46.253.213|153.46.253.213]] ([[User talk:153.46.253.213#top|talk]]) 14:18, 4 August 2023 (UTC)</small> <!--Autosigned by SineBot-->
 
==Cite required==
 
See www.nist.gov/encryption for a list of recommended elliptic curves. ANSI X9 requires a minimum of 80 bits of *symmetric key equivalent* security. This means use of SHA-1 with 160 bit output, use of RSA/DSA with 1024 bit keys and use of ECC with 160 bit keys. Don Johnson
 
The references of 256 bit ECC keys providing 128-bit security need citation.
[[User:Bdamm|Bdamm]] ([[User talk:Bdamm|talk]]) 17:23, 13 August 2018 (UTC)
 
== Non-mathematical description needed ==
I believe that [[Curve25519]] can be considered a cipher in its own right, and have added a page for it; however, I lack the time to write a full article for it, so I have redirected it here for the time being (rather than provide a meaningless stub.) I am not sure whether a Curve25519 section in the ECC page makes more sense than its own page; I suspect that it is best handled in a dedicated page. But at least now there's something for it. [[User:NoDepositNoReturn|NoDepositNoReturn]] ([[User talk:NoDepositNoReturn|talk]]) 06:51, 14 June 2008 (UTC)
 
:Looking at Bernstein's article "Curve25519: new Diffie-Hellman speed records", I see that the domain he uses is y<sup>2</sup> = x<sup>3</sup> + '''a'''x<sup>2</sup> + x, which is different from the one presented on this page. Being a non-expert in elliptic curve cryptography, I would like to know if this makes a significant difference? If I take this page by the word, curve25519 is not performing elliptic cryptography. <small><span class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[User:134.158.16.169|134.158.16.169]] ([[User talk:134.158.16.169|talk]] • [[Special:Contributions/134.158.16.169|contribs]]) 15:36, 25 March 2010‎</span></small><!-- Template:Unsigned -->
 
::That is a [[Montgomery curve]]. If you look at that article, there is a section on how to convert it into the Weierstrass form used by this article. --[[User:CesarB|cesarb]] ([[User talk:CesarB|talk]]) 15:40, 12 October 2013 (UTC)
 
== A Set forms a Group? ==
In reference to quantum computing attacks the article reads "Elliptic curve cryptography is vulnerable to a modified Shor's algorithm for solving the discrete logarithm problem on elliptic curves" with two citations (<ref>{{cite journal |title=Using the Quantum Computer to Break Elliptic Curve Cryptosystems |first=Jodie |last=Eicher |first2=Yaw |last2=Opoku |date=July 29, 1997 }}</ref><ref>{{cite journal |title=Shor's Discrete Logarithm Quantum Algorithm for Elliptic Curves |first=John |last=Proos |first2=Christof |last2=Zalka |year=2003 |journal=Quantum Information and Computing |volume=3 |issue=4 |pages=317–344 |doi= |arxiv=quant-ph/0301141 |bibcode=2003quant.ph..1141P }}</ref>). Looking through both of these citations, they both work over fields of prime order, with the latter paper explicitly stating that they did not consider fields of prime power order. If ECC over fields of prime power order is truly vulnerable to QC attacks, I think there should be a citation that references this. [[User:GromXXVII|GromXXVII]] ([[User talk:GromXXVII|talk]]) 22:20, 25 June 2012 (UTC)
:Good catch! I updated the reference. If you need more information or have any other ideas, please share. [[User:Skippydo|Skippydo]] ([[User talk:Skippydo|talk]]) 01:58, 26 June 2012 (UTC)
::I found a copy of the first 1997 Eicher reference if it is still of use: (cite tag: {{cite journal |title=Using the Quantum Computer to Break Elliptic Curve Cryptosystems |first=Jodie |last=Eicher |first2=Yaw |last2=Opoku |date=July 29, 1997 |url=http://www.mathcs.richmond.edu/~jad/summerwork/ellipticcurvequantum.pdf |archiveurl=http://web.archive.org/web/20030509012110/http://www.mathcs.richmond.edu/~jad/summerwork/ellipticcurvequantum.pdf |archivedate=2003-05-09 |dead-url=no}}). It is probably outdated, though it might be useful for background info (?). [[User:Jimw338|Jimw338]] ([[User talk:Jimw338|talk]]) 04:18, 12 September 2016 (UTC)
 
I just rewrote the whole section with an updated citation and what I hope is both clearer wording and a more NPOV. [[User:Tarcieri|Tarcieri]] ([[User talk:Tarcieri|talk]]) 18:40, 3 November 2017 (UTC)
 
{{reflist-talk}}
 
== Possible NSA backdoor ==
 
:Wrong place here. Go to the [[Dual_EC_DRBG]] article. Besides this is about a specific random number generator. It's about a possible weakness on the practicality of the technique based on geometrical identity of elliptic curves, I think. Something like finding a twin to get the answer. [[User:Mightyname|Mightyname]] ([[User talk:Mightyname|talk]]) 20:39, 6 September 2013 (UTC)
 
::I think it might be appropriate to mention it in the section about '''NIST-recommended elliptic curves'''. <br> I think there are good sources in the Slashdot summary: http://it.slashdot.org/firehose.pl?op=view&type=story&sid=13/09/11/1224252 <br> [[User:Yakatz|Yakatz]] ([[User talk:Yakatz|talk]]) 15:35, 11 September 2013 (UTC)
 
:::considering the gravity of the scandal, there should obviously be a paragraph dedicated to it here. Details can still go to [[Dual_EC_DRBG]], but the topic needs to be given [[WP:SS]] treatment on this page, because this page is the first people will come to when they read about the "NSA ECC backdoor". --[[User:Dbachmann|dab]] <small>[[User_talk:Dbachmann|(𒁳)]]</small> 10:10, 21 September 2013 (UTC)
 
::::I think this is quite out of topic and should be removed. Even though there are links between random number generation and cryptography, Dual_EC_DRBG is a random number generator, based on elliptic curves (the mathematical objects). This article should be about the cryptographic primitives. <code>&#35;!/bin/[[User:DokReggar|DokReggar]] [[User_talk:DokReggar|-talk]]</code> 12:46, 3 January 2014 (UTC)
 
::::I strongly disagree. There is no such thing as an NSA ECC backdoor (that we know of), there is an NSA Dual_EC_DRBG backdoor. Furthermore, the fact that elliptic curves were used as the construct for this RNG is a mere detail; the NSA could have just as easily based this upon modular exponentiation in integer fields. Elliptic curves just ''happen'' to be used by this backdoored construct, but this coincidence is only of interest in other articles. It is irrelevant here, especially when positioned among ''actual implementation issues specific to elliptic curve cryptography''. Please remove it here. <small><span class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[User:130.89.106.70|130.89.106.70]] ([[User talk:130.89.106.70|talk]] • [[Special:Contributions/130.89.106.70|contribs]]) 15:22, 17 March 2014 (UTC)</span></small><!-- Template:Unsigned -->
 
:::::You should clearly read the text a little more closely. The fact that quotable sources are making comments about the possible untrustworthiness of the NSA-recommended elliptic curves, and hence on their use in ECC, is relevant in the section. —[[User_talk:Quondum|''Quondum'']] 18:09, 17 March 2014 (UTC)
 
Just have to agree with people saying it should be mentioned if only to disambiguate the issue from this page. I too expected to see something about it and had to read the talk page to understand that not all ECC was compromised. Only a very small number of potential readers here know enough to make the distinction required; the vast majority simply think ECC->NSA->backdoored. It's just the reality of the situation. <small class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[Special:Contributions/68.45.155.10|68.45.155.10]] ([[User talk:68.45.155.10|talk]]) 15:42, 22 January 2015 (UTC)</small><!-- Template:Unsigned IP --> <!--Autosigned by SineBot-->
 
== Group Order ==
 
The article states, under the heading "Domain Parameters," that
: For cryptographic application the [[order (group theory)|order]] of ''G'', that is the smallest positive number ''n'' such that <math>n G = \infty</math>, is normally prime.
 
The ''order'' of an element ''G'' in an additive group is the smallest positive integer ''n'' such that <math>nG = 0</math>, not &infin; (Gallian, ''Contemporary Abstract Algebra'', ch. 4). This needs to be fixed.
 
[[User:John Palkovic|John]] ([[User talk:John Palkovic|talk]]) 15:37, 3 November 2014 (UTC)
 
:: I believe either is accurate -- it's equal to the identity element of the group (denoted 0 (zero), O (uppercase o), or e), which is a [[point at infinity]], specifically [0:1:0]. I suspect this is what the original author was trying to convey.... [[User:Gurnec|gurnec]] ([[User talk:Gurnec|talk]]) 21:33, 15 January 2015 (UTC)
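The two threads above (the Curve25519 question under "Non-mathematical description needed" and this "Group Order" thread) are both settled by the same computation, so here is an added worked example; it is not text or code from the article or from any editor here. It takes the Curve25519 Montgomery curve v<sup>2</sup> = u<sup>3</sup> + 486662u<sup>2</sup> + u over p = 2<sup>255</sup> − 19 (constants and base point u = 9 assumed from RFC 7748, base-point order ''l'' = 2<sup>252</sup> + 27742317777372353535851937790883648493 from the same source), maps it to the short Weierstrass form the article uses with the substitution x = u + A/3, and then checks with plain affine Weierstrass arithmetic that [''l'']G is the identity, i.e. the point at infinity, while [''l'' − 1]G = −G. The point-at-infinity representation (`INF = None`) is this example's own convention.

```python
# Added example, not from the Wikipedia article or its talk page.
# Constants assumed from RFC 7748 (Curve25519): p, A, base point u = 9,
# and the prime order l of the base point.
P = 2**255 - 19
A = 486662
BASE_U = 9
ORDER = 2**252 + 27742317777372353535851937790883648493

INF = None  # point at infinity = group identity (this example's convention)


def sqrt_mod_p(a):
    """Square root of a modulo p for p = 5 (mod 8); None if a is a non-residue."""
    a %= P
    x = pow(a, (P + 3) // 8, P)
    if (x * x - a) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    return x if (x * x - a) % P == 0 else None


def montgomery_to_weierstrass(mont_a):
    """(a, b) of y^2 = x^3 + a x + b from v^2 = u^3 + A u^2 + u (Montgomery B = 1)
    under the substitution x = u + A/3, y = v."""
    inv3 = pow(3, -1, P)
    a = (1 - mont_a * mont_a * inv3) % P
    b = (2 * pow(mont_a, 3, P) * pow(27, -1, P) - mont_a * inv3) % P
    return a, b


def ec_add(p1, p2, a):
    """Affine chord-and-tangent addition on y^2 = x^3 + a x + b over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # Q + (-Q) = identity (also covers doubling a point with y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt, a):
    """Double-and-add scalar multiplication [k]pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend, a)
        addend = ec_add(addend, addend, a)
        k >>= 1
    return result


def on_curve(pt, a, b):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % P == 0


def base_point_weierstrass():
    """Lift u = 9 to a Montgomery point (u, v), then map it to Weierstrass (x, y)."""
    v = sqrt_mod_p(BASE_U**3 + A * BASE_U**2 + BASE_U)
    x = (BASE_U + A * pow(3, -1, P)) % P
    return (x, v)


def check_order():
    """Return (G lies on the converted curve, [l]G == INF, [l-1]G == -G)."""
    a, b = montgomery_to_weierstrass(A)
    g = base_point_weierstrass()
    neg_g = (g[0], (-g[1]) % P)
    return (on_curve(g, a, b),
            ec_mul(ORDER, g, a) is INF,
            ec_mul(ORDER - 1, g, a) == neg_g)


if __name__ == "__main__":
    print(check_order())  # (True, True, True)
```

Because ''l'' is prime and G is not the identity, [''l'']G = O already shows that ''l'' is the exact order of G, which is the "order of G" in the sense of the Domain Parameters section; the point at infinity and the additive identity 0 are the same element, as gurnec says.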
 
== External links modified ==
 
Hello fellow Wikipedians,
 
I have just modified {{plural:2|one external link|2 external links}} on [[Elliptic curve cryptography]]. Please take a moment to review [https://en.wikipedia.org/w/index.php?diff=prev&oldid=738924504 my edit]. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit [[User:Cyberpower678/FaQs#InternetArchiveBot|this simple FaQ]] for additional information. I made the following changes:
*Added archive https://web.archive.org/web/20110719233751/https://www.certicom.com/index.php/2004-press-releases/36-2004-press-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months- to http://www.certicom.com/index.php/2004-press-releases/36-2004-press-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months-
*Added archive https://web.archive.org/web/20060327202009/https://anziamj.austms.org.au:80/V44/CTAC2001/Hitc/Hitc.pdf to http://anziamj.austms.org.au/V44/CTAC2001/Hitc/Hitc.pdf
 
When you have finished reviewing my changes, please set the ''checked'' parameter below to '''true''' or '''failed''' to let others know (documentation at {{tlx|Sourcecheck}}).
 
{{sourcecheck|checked=failed}}
Archive link for anziamj.austms.org.au fails with 504 Gateway Timeout
 
Cheers.—[[User:InternetArchiveBot|'''<span style="color:darkgrey;font-family:monospace">InternetArchiveBot</span>''']] <span style="color:green;font-family:Rockwell">([[User talk:InternetArchiveBot|Report bug]])</span> 20:15, 11 September 2016 (UTC)
 
== External links modified ==
 
Hello fellow Wikipedians,
 
I have just modified {{plural:1|one external link|1 external links}} on [[Elliptic curve cryptography]]. Please take a moment to review [https://en.wikipedia.org/w/index.php?diff=prev&oldid=756267458 my edit]. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit [[User:Cyberpower678/FaQs#InternetArchiveBot|this simple FaQ]] for additional information. I made the following changes:
*Added archive https://web.archive.org/web/20090117023500/http://www.nsa.gov/business/programs/elliptic_curve.shtml to http://www.nsa.gov/business/programs/elliptic_curve.shtml
 
When you have finished reviewing my changes, please set the ''checked'' parameter below to '''true''' or '''failed''' to let others know (documentation at {{tlx|Sourcecheck}}).
 
{{sourcecheck|checked=true}}
 
Cheers.—[[User:InternetArchiveBot|'''<span style="color:darkgrey;font-family:monospace">InternetArchiveBot</span>''']] <span style="color:green;font-family:Rockwell">([[User talk:InternetArchiveBot|Report bug]])</span> 02:32, 23 December 2016 (UTC)
 
== External links modified ==
 
Hello fellow Wikipedians,
 
I have just modified 2 external links on [[Elliptic-curve cryptography]]. Please take a moment to review [https://en.wikipedia.org/w/index.php?diff=prev&oldid=801469098 my edit]. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit [[User:Cyberpower678/FaQs#InternetArchiveBot|this simple FaQ]] for additional information. I made the following changes:
*Added archive https://web.archive.org/web/20140503190338/http://eprint.iacr.org/2011/506 to https://eprint.iacr.org/2011/506
*Added archive https://archive.is/20121208212741/http://wiki.crypto.rub.de/Buch/movies.php to http://wiki.crypto.rub.de/Buch/movies.php
 
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
 
{{sourcecheck|checked=false|needhelp=}}
 
Cheers.—[[User:InternetArchiveBot|'''<span style="color:darkgrey;font-family:monospace">InternetArchiveBot</span>''']] <span style="color:green;font-family:Rockwell">([[User talk:InternetArchiveBot|Report bug]])</span> 21:14, 19 September 2017 (UTC)
 
 
==Algorithm needed==
This article doesn't contain the algorithm for ECC like the RSA article does. <!-- Template:Unsigned IP --><small class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[Special:Contributions/198.52.160.180|198.52.160.180]] ([[User talk:198.52.160.180#top|talk]]) 20:30, 6 December 2019 (UTC)</small> <!--Autosigned by SineBot-->
 
== The first paragraph seems self-contradictory ==
 
The first paragraph states that ECC is based on finite fields, as opposed to non-EC cryptography, which is based on plain Galois fields. However, the referenced article on [[Finite field|finite fields]] explains that finite fields and Galois fields are one and the same. I suspect the intended meaning is that non-EC crypto is based on structures over finite fields which are not elliptic curves. If so, this is not clear from the text. I won't change the formulation myself, since I'm not an expert in the field. <!-- Template:Unsigned --><small class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[User:VecLuci|VecLuci]] ([[User talk:VecLuci#top|talk]] • [[Special:Contributions/VecLuci|contribs]]) 04:13, 10 October 2018 (UTC)</small> <!--Autosigned by SineBot-->
 
== Not a typo. 521, not 512. ==
 
 
"Five prime fields <math>\mathbb{F}_p</math> for certain primes ''p'' of sizes 192, 224, 256, 384, and <nowiki>{{Not a typo|521}}</nowiki> bits. For each of the prime fields, one elliptic curve is recommended."
 
Should there be a footnote about that 521 not being a typo? It really is 521 (see [https://crypto.stackexchange.com/questions/62083/why-would-diffie-hellman-group-21-be-521-bits-rather-than-512] among many, many sources) but it really looks like someone mis-typed "512". [[Special:Contributions/76.216.220.191|76.216.220.191]] ([[User talk:76.216.220.191|talk]]) 04:00, 28 December 2021 (UTC)
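Added worked example (not from the article or from the commenter above) showing why the number is 521: the P-521 field prime is assumed here, from FIPS 186 / SEC 2, to be the Mersenne prime 2<sup>521</sup> − 1, and 521 is the largest Mersenne-prime exponent below 607. A 512-bit Mersenne number cannot be prime at all, since 2<sup>256</sup> − 1 divides 2<sup>512</sup> − 1. The Lucas-Lehmer test below decides primality of 2<sup>p</sup> − 1 for odd prime p and is used to list every Mersenne exponent up to 521.

```python
# Added example, not from the Wikipedia article or its talk page.
# Assumption (FIPS 186 / SEC 2): the NIST P-521 prime is 2^521 - 1.


def is_small_prime(n):
    """Trial division; only ever called on exponents of a few hundred."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def lucas_lehmer(p):
    """True iff the Mersenne number 2^p - 1 is prime, for odd prime p."""
    m = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % m
    return s == 0


def mersenne_exponents_up_to(limit):
    """Odd primes p <= limit for which 2^p - 1 is prime."""
    return [p for p in range(3, limit + 1, 2)
            if is_small_prime(p) and lucas_lehmer(p)]


def p521_is_mersenne_prime():
    """Return (bit length of the P-521 prime, whether 2^521 - 1 is prime)."""
    prime = (1 << 521) - 1
    return prime.bit_length(), lucas_lehmer(521)


def m512_is_composite():
    """2^512 - 1 factors as (2^256 - 1)(2^256 + 1), so it is never a candidate."""
    return ((1 << 512) - 1) % ((1 << 256) - 1) == 0


if __name__ == "__main__":
    print(mersenne_exponents_up_to(521))   # [3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521]
    print(p521_is_mersenne_prime())        # (521, True)
    print(m512_is_composite())             # True
```

The special form 2<sup>521</sup> − 1 is also why reduction modulo the P-521 prime is a cheap shift-and-add, which is the practical reason the curve was defined at that odd-looking size.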