Paulo Barreto (pbarreto@nw.com.br)
Tue, 14 Jul 1998 22:06:32 -0300
At 20:28 1998.07.14 +0200, Anonymous wrote:
>Er, ECDLP != DLP. (that wasn't the whole reply :)
Uh, actually it depends on exactly what notation you are using. I think
what Mike had in mind was DLP as the *general* discrete logarithnm problem
(i.e. defined for any group), so that ECDLP is a particular instance of
DLP. The "classical" DLP is defined on the multiplicative group of GF(p),
and for historic reasons, there seems to be no standard shorthand for this
instance.
>point clear -- 25>18, and however unimportant an advantage that may be,
Shouldn't these figures be 22 and 13, respectively? Anyway, notice that
there are subexponential algorithms for solving the DLP over the
multiplicative groups of GF(p) and GF(2^m), while the ECDLP still resists
all efforts.
However, as a side (and negative) note, some instances of the general DLP
are quite easy to solve, e.g. over the *additive* group of GF(p). Hence
Anonymous's concerns have a sound basis.
>(Actually, I think a better option for a PGP-like application than either
>DH-alone or ECDH-alone would be a compound cryptosystem including algos
>based on many hard problems -- see my other post for more on that)
Unfortunately, there are too few options here. The last instance of a
knapsack cryptosystem is said to have been broken, as well as the
Ajtai-Dwork lattice cryptosystem (both results will be presented at
Crypto'98). ECDLP seems currently the *only* problem giving rise to a PK
cryptosystem for which no subexponential algorithm is known.
On the other hand, I do agree that having more than one option is wise and
desirable.
Best wishes,
Paulo Barreto.
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:23 ADT