Any idea what else might it be?

Regards,

Georgi

What I didn’t say but perhaps should have is that it’s thought the NSA possesses computing capacity capable of solving the discrete log problem for prime groups of up to 1024 bits which is why the recommended key length for RSA is now 2048 bits. However, the elliptic curve group generated by G is monocyclic, so it’s actually isomorphic to GF(n/h) and for a 256 bit elliptic curve, n/h is also 256 bits, which is well within the capacity of the NSA to solve. So the real fear is not that the NIST curves may be compromised in any way but that the NSA may possess a simple functional mapping from E(GF(p)) to GF(n/h). If that turns out to be true they can always recover your private key for a modest investment in computing resources because they’ve got a way of running the EC calculations on a simple 256 bit prime group which they’re known to be able to solve.

]]>In fact, it can be demonstrated mathematically that trying to compute n is equivalent to the discrete logarithm problem….

but as the linked Wikipedia article says

Popular choices for the group G in discrete logarithm cryptography are […] cyclic subgroups of elliptic curves over finite fields….

so in fact reversing multiplication in the group of an elliptic curve is not just equivalent to the discrete log problem, it is the discrete log problem in a certain class of finite group. As is pointed out in this post, there are elliptic curves where an adversary may have information that makes the discrete log problem unexpectedly easy, but the adversary is still solving the discrete log problem.

]]>The build environment is the standard Intel board support one.

]]>