15.7 SUPERSINGULAR ELLIPTIC CURVES
The strength that cryptographic systems derive from elliptic curves depends on the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP) and factorization in an elliptic curve: given x = pq, find p and q. It is believed that factorization algorithms have exponential execution times.
Are there bad elliptic curves? More precisely, are there some elliptic curves in which the factorization problem is not as hard?
If the order q of 
p(a, b) were p or a divisor of pm − 1 for some m, then bad news. Menezes et al. [1991] give a subexponential algorithm for the supersingular elliptic curves.
The National Institute of Standards [NIST, 2000, NIST186-2] has given its Good Crypto seal of approval to several elliptic groups; in each example, the coordinates (Gx, Gy) of the base point P and its order r are given. One of these groups, designated by NIST as P192, is based on the 192-bit prime p = 2192 − 264 + 1.
Say you are not satisfied – well, then try P521:
There are elliptic curves over binary fields; for example
- K163 is generated by the polynomial p(x) = 1 + x3 + x6 + x7 + x163, and
- K571 is generated by the polynomial p(x) = 1 + x2 + ...
Get Computer Security and Cryptography now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
