The following is a quotation from my cryptography course:
Recent results on the discrete logarithm raise big concerns on the security of elliptic curves over a binary field.
What are these results? Also, is characteristic three safe?
Asked
Active
Viewed 1,408 times
11
yyyyyyy
- 12,261
- 4
- 48
- 68
user1868607
- 1,243
- 12
- 29
1 Answers
2
There is no known subexponential-cost algorithm for computing discrete logs in elliptic curves over fields of small characteristic—barring standard generic algorithms on groups of smooth order, transfers to $\operatorname{GF}(2^n)$, etc.—but there seems to be exploitable structure that just hasn't been worked out yet. The most recent survey seems to be from 2015:
See in particular §10.2, ‘A subexponential algorithm for elliptic curves over $\mathbb F_{2^n}$?’, p. 18.
Squeamish Ossifrage
- 49,816
- 3
- 122
- 230