Special vs Random Curves: Could the Conventional Wisdom Be Wrong?

The conventional wisdom in cryptography is that for greatest security one should choose parameters as randomly as possible. In particular, in elliptic and hyperelliptic curve cryptography this means making random choices of the coefficients of the defining equation. One can often achieve greater efficiency by working with special curves, but that should be done only if one is willing to risk a possible lowering of security. Namely, the extra structure that allows for greater efficiency could also some day lead to specialized attacks that would not apply to random curves.

This way of thinking is reasonable, and it is uncontroversial. However, some recent work opens up the possibility that it might sometimes be wrong.

This talk is based on a joint paper with Alfred Menezes and Ann Hibner Koblitz.

Speaker Details

Neal Koblitz received his Ph.D. in mathematics at Princeton in 1974, and since 1979 he has been at the University of Washington. He has been working in cryptography since 1985, when he and Victor Miller independently proposed elliptic curve cryptography. He has written six books, of which two are on cryptography and one (whose title “Random Curves” has nothing to do with the topic of the above talk) consists of autobiographical memoirs. In recent years he has been more successful at making enemies than friends, especially after publication of “The Uneasy Relationship Between Mathematics and Cryptography” in the AMS Notices last year.