The Security of Fixed versus Random Elliptic Curves in Cryptography

摘要

This paper examines the cryptographic security of fixed versus random elliptic curves over the field GF(p). Its basic assumption is that a large precomputation to aid in breaking the elliptic curve discrete logarithm problem (ECDLP) can be made for a fixed curve. We take this into account when examining curve security as well as considering a variation of Pollard's rho method where computations from solutions of previous ECDLPs can be used to solve subsequent ECDLPs on the same curve. We present a lower bound on the expected time to solve such ECDLPs using this method, as well as an approximation of the expected time remaining to solve an ECDLP when a given size of precomputation is available. We conclude that adding 5 bits to the size of a fixed curve to avoid general software attacks and an extra 6 bits to avoid attacks on special moduli and a parameters provides an equivalent level of security.