4

I've looked around and couldn't find a direct answer. As a general rule, I've read from various sources (here here, and here) that the strength of an elliptical curve key is half of the size of the prime field. I.e. for a 256-bit prime field (like a secp256r1 curve) the we have 128 bits of security and for a 384-bit prime field the symmetrical equivalent strength is 192 bits.

Why is this the case? As I understand it, an $n$-bit symmetric key has $2^n$ bits of security, and an ECC public key is some point $P$ such that $P=k \cdot G (\text{ mod }p)$ where $k$ is the private key and $p$ is the modulus prime field.

secp256r1 has a 256 bit prime field who's prime is a Mersenne prime. So what's going on? Do we use only half the field or...?

THG
  • 183
  • 7

1 Answers1

5

This is essentially because the best known generic algorithms for discrete logarithm, e.g., baby step giant step, have complexity $$O(\sqrt{G})=O(2^{n/2})$$ where $n$ is the number of bits to represent the elements of the elliptic curve group $G$.

If the elliptic curve group is carefully chosen, that is. So, avoid anomalous curves, for example.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
kodlu
  • 25,146
  • 2
  • 30
  • 63