
Given an elliptic curve $E$ over $\mathbb{Z}_q$. There is a subgroup $\langle G\rangle$ of $E$, and the order of $\langle G\rangle$ is $p$, where $p$ is a prime, and the discrete log problem on $\langle G\rangle$ is hard. Now we randomly sample a group element $G_0$ of $E$. Let $Q$ be the event that $G_0$ falls in $\langle G\rangle$. Can we say that the probability that $Q$ happens is negligible?

Eric_Qin

1 Answer

Yes, every finite group (including an elliptic curve over a finite field) either is a finite cyclic group or is the product (not sum) of at least two (not exactly two) finite cyclic groups, and in the latter case some (or even all) of those subgroups may be relatively small. But for crypto we only use a prime-order subgroup that is large enough to satisfy a specified security parameter, which in practice is set close to the size of the full group of the curve (and also close to the size of the underlying field, per Hasse's theorem). For example the widely-used X9/NIST/SECG curves over $\mathbb{F}_p$ were chosen to have prime order, so the only subgroup is the full group and any point chosen as G has that order; this is also stated as having cofactor 1. Bernstein et al.'s Curve25519 has a full group of order near $2^{255}$ and uses a subgroup of order near $2^{252}$, also stated as cofactor 8; this is not negligible.

If a cryptographic scheme (or implementation of one) that intends to use such a sufficiently-large but proper subgroup fails to ensure or verify that elements (for EC points) purported to be in the subgroup actually are, an attacker may be able to cause it to use values constrained to one of the small subgroups, and thereby gain an advantage; these are generically called small-subgroup attacks and you will find quite a few existing Qs and As about them. 25519 makes private keys a multiple of 8 to block this.

That's why your question makes sense for EC mathematics, but not for EC crypto as practiced.

dave_thompson_085
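Added example, not code from the question or from dave_thompson_085's answer: a pure-Python X25519 (the RFC 7748 Montgomery ladder with the real Curve25519 constants) that does two things the answer describes. First it samples constructed random points of $E(\mathbb{F}_p)$ and counts how many lie in the order-$\ell$ subgroup, which comes out near $1/8$, the cofactor, rather than negligible. Second it runs unclamped secrets against the order-4 point $u=1$ to show the small-subgroup leak (the low bit of the secret is visible in the output), and then the same secrets clamped to a multiple of 8, which sends every point of order dividing 8 to infinity. The constants, ladder and clamping follow RFC 7748; the helper names (`ladder`, `in_prime_order_subgroup`, `subgroup_fraction`, `low_order_leak`, `clamped_outputs`) and the sampling are mine for this demonstration, and the `if swap:` branch is not constant time.

```python
# Added example, not code from the question or the answer: pure-Python X25519
# (RFC 7748 Montgomery ladder with the real Curve25519 constants), used to
# measure how often a random point of E lands in the prime-order subgroup and
# to show the small-subgroup leak that scalar clamping removes.
import random

P = 2**255 - 19                                         # field prime
A24 = 121665                                            # (A - 2) / 4 with A = 486662
ELL = 2**252 + 27742317777372353535851937790883648493   # order of the base point
BASE_U = 9                                              # u-coordinate of the base point
# E(F_p) has order 8 * ELL (cofactor 8); since gcd(8, ELL) = 1 exactly ELL of
# its points have order dividing ELL, i.e. lie in the prime-order subgroup.


def ladder(k: int, u: int):
    """Projective (X, Z) of k*P for the point with u-coordinate u (RFC 7748 s.5).
    Z == 0 means the point at infinity. The `if swap:` branch is not
    constant time; a real implementation uses a constant-time cswap."""
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P                 # differential addition
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                        # doubling
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2, z2


def x25519(k: int, u: int) -> int:
    """Affine u of k*P; the point at infinity (Z == 0) comes out as 0, which is
    the all-zero output RFC 7748 section 6.1 tells implementations to check for."""
    x, z = ladder(k, u)
    return x * pow(z, P - 2, P) % P             # pow(0, P-2, P) == 0


def clamp(k: int) -> int:
    """RFC 7748 clamping: clear the low 3 bits (multiple of the cofactor 8),
    clear bit 255, set bit 254."""
    return (k & ~7 & ((1 << 255) - 1)) | (1 << 254)


def on_curve(u: int) -> bool:
    """True iff v^2 = u^3 + 486662 u^2 + u has a solution v in F_p (Euler's
    criterion); other u-values belong to the quadratic twist, a different group."""
    rhs = (u * u * u + 486662 * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def in_prime_order_subgroup(u: int) -> bool:
    """P (u on the curve, u != 0) lies in the order-ELL subgroup iff ELL*P = O.
    u == 0 is the order-2 point, which the x-only ladder cannot represent."""
    if u % P == 0:
        return False
    return ladder(ELL, u)[1] == 0


def subgroup_fraction(samples: int, seed: int = 1) -> float:
    """Fraction of constructed random points of E(F_p) that lie in the prime-order
    subgroup. One point in 8 does, so this comes out near 1/8: not negligible."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        u = rng.randrange(1, P)
        while not on_curve(u):                  # reject u-values on the twist
            u = rng.randrange(1, P)
        hits += in_prime_order_subgroup(u)
    return hits / samples


def low_order_leak(secrets):
    """Unclamped secrets against the order-4 point u = 1: output 1 for odd
    secrets, 0 for even ones, so the low bit of every secret leaks."""
    return [x25519(k, 1) for k in secrets]


def clamped_outputs(secrets):
    """The same secrets, clamped, against the points of order 2 or 4 (u = 0, 1, -1):
    a multiple of 8 sends each of them to infinity, so the output is always 0."""
    return [x25519(clamp(k), u) for k in secrets for u in (0, 1, P - 1)]


if __name__ == "__main__":
    print("fraction of random points in the prime-order subgroup:", subgroup_fraction(200))
    print("unclamped secrets 1..8 vs u=1:", low_order_leak(range(1, 9)))
    print("clamped secrets 1..8 vs low-order points:", clamped_outputs(range(1, 9)))
    print("ELL * base point is at infinity:", x25519(ELL, BASE_U) == 0)
```

The all-zero output is the same value a clamped secret produces against every low-order point, so a receiver that checks for it (and aborts) catches a peer who sends one of those points; the leak only exists when a scheme neither clamps nor checks, which is the gap the answer describes. The membership test `ELL*P == O` is the general way to verify a purported subgroup element on any cofactor-greater-than-1 curve; clamping is the cheaper Curve25519-specific shortcut.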