Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology, Aomi, Koto-ku, Tokyo, Japan.
PLoS One. 2019 Feb 19;14(2):e0212310. doi: 10.1371/journal.pone.0212310. eCollection 2019.
Wang et al. proposed a method for obtaining elliptic curves with embedding degree 1 for securing critical infrastructures, and presented several elliptic curves generated by their method with torsion points of 160-bit and 189-bit orders. They also presented some experimental results and claimed that their implementation of an elliptic curve generated with their method is faster than an implementation for embedded devices presented by Bertoni et al. In this paper, we point out that the security and efficiency claims given by Wang et al. are flawed. Specifically, we show that it is possible to solve finite field discrete logarithm problems defined over their elliptic curves in practice. On the elliptic curves with torsion points of 160-bit order generated by Wang et al., their instances of the finite field discrete logarithm problem are solved in around 4 hours using a standard desktop PC. On the torsion points of 189-bit order, their instances are solved in around 10 days using two standard desktop PCs. The hardness of the finite field discrete logarithm problem is one of the most important bases of security; therefore, their elliptic curves should not be used for cryptographic purposes.
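The abstract's argument rests on the embedding degree: for a curve over F_p with a subgroup of prime order r, the smallest k with r dividing p^k - 1 gives the field F_{p^k} in which the related finite field discrete logarithm problem lives, so k = 1 leaves only a field of about the size of p. The following Python sketch is an added example, not code from the paper: it is a parameter-validation check that rejects such curves. The function names, the bound of 100 and the toy pair (23, 11) are assumptions made for illustration; the secp256k1 and NIST P-256 constants are the published field primes and group orders.

```python
# Added example: embedding-degree (MOV condition) check on curve parameters.
# p = field prime, r = prime order of the subgroup used for cryptography.

SECP256K1 = (2**256 - 2**32 - 977,
             0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)
NIST_P256 = (2**256 - 2**224 + 2**192 + 2**96 - 1,
             0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551)
TOY_K1 = (23, 11)  # constructed pair: 11 divides 23 - 1, so k = 1
TOY_K2 = (59, 5)   # constructed pair: 5 divides 59 + 1, so k = 2


def embedding_degree(p, r, bound=100):
    """Return the smallest k <= bound with p^k = 1 (mod r), else None."""
    if p % r == 0:
        raise ValueError("r divides p: not covered by this check")
    acc = 1
    for k in range(1, bound + 1):
        acc = (acc * p) % r  # acc == p^k mod r
        if acc == 1:
            return k
    return None


def target_field_bits(p, r, bound=100):
    """Bit size of F_{p^k} that the subgroup embeds into, or None."""
    k = embedding_degree(p, r, bound)
    return None if k is None else k * p.bit_length()


def passes_mov_check(p, r, bound=100):
    """True when no embedding degree k <= bound exists (assumed bound)."""
    return embedding_degree(p, r, bound) is None


if __name__ == "__main__":
    for name, (p, r) in [("secp256k1", SECP256K1), ("P-256", NIST_P256),
                         ("toy k=1", TOY_K1), ("toy k=2", TOY_K2)]:
        print(name, "k =", embedding_degree(p, r),
              "target bits =", target_field_bits(p, r),
              "accept =", passes_mov_check(p, r))
```

A curve with a 160-bit p and k = 1 would report a target field of only 160 bits, which is the situation the abstract describes.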