Secure elliptic curves – the mathematical perspective – Elliptic Curves
8.4.3 Secure elliptic curves – the mathematical perspective
From the preceding discussion, it should be clear that not every elliptic curve is suitable for cryptography. An elliptic curve used for cryptographic purposes must be cryptographically strong, which is just another way of saying that the ECDLP instance for this curve must be computationally hard.
In their Technical Guideline 03111: Elliptic Curve Cryptography [42], the German Federal Office for Information Security define the following four criteria an elliptic curve must fulfill for the ECDLP to be computationally hard:
- The order n of the base point G is a sufficiently large prime number (as of today, it must be at least 224 bits)
- The order n must be different from prime p used to define the finite field 𝔽p to avoid the elliptic curve being anomalous
- The specific ECDLP instance must not be reducible to the DLP in a multiplicative group 𝔽pr for a small integer r (in other words, it must hold that p≠1 (mod n) for all 1 ≤ r ≤ 104)
- The class number of the principal order belonging to the endomorphism ring of the curve should be at least 200
As we will see later in this chapter, all elliptic curves supported by the TLS 1.3 standard meet the above criteria and so – from the mathematical point of view – can be considered to be cryptographically strong. This means the prime numbers involved and therefore the key lengths required for elliptic curves can be chosen much smaller than for RSA or Diffie-Hellman over 𝔽p∗ (see [126]):
| Security Strength in Bits | Block Cipher | Length of RSA Modulus n | Length of prime p in DH over 𝔽p∗ | Order of public base point G in ECDH |
| ≤ 80 | 2-Key 3DES | 1024 | 1024 | 160-223 |
| 112 | 3-Key 3DES | 2048 | 2048 | 224-255 |
| 128 | AES-128 | 3072 | 3072 | 256-383 |
| 192 | AES-192 | 7680 | 7680 | 384-511 |
| 256 | AES-256 | 15360 | 15360 | ≥ 512 |
Table 8.1: Equivalent key lengths of symmetric and asymmmetric algorithms