Why is a cyclic subgroup chosen in ECDSA?

2

1

There is one thing I have been wondering about for a long time and to which I did not find an answer after doing a web search, so I hope to find an answer here.

When we construct the elliptic curve over a prime field, why do we actually select a cyclic subgroup instead of taking the entire group of the elliptic curve?

On a side note, the thing that confuses me most about this choice: we know that the cyclic subgroup of prime order p is isomorphic to Z/pZ, and finding the isomorphism would mean solving the discrete log.

Switching to a cyclic group seems actually rather like making the problem easier in comparison to staying with the full elliptic curve.

Rene Pickhardt

Posted 2019-02-22T19:17:10.253

Reputation: 6 565

1 You may get better answers on Crypto.SE. - Nate Eldredge 2019-02-22T19:32:41.983

Ah, that is a good idea. I will repost it there if no answer comes in here (: - Rene Pickhardt 2019-02-22T19:50:23.290

Answers

2

The security of the discrete logarithm problem in a group is only as hard as that of the largest prime subgroup.

Because of this, there is no security gain from working in the larger group. However, it's worse. If you're working in the larger group, you must make sure not to accidentally end up in a (much smaller) subgroup when multiplying.

Pieter Wuille

Posted 2019-02-22T19:17:10.253

Reputation: 54 032

The first part of your answer I understand, and it makes sense. For the second part I have an add-on question: When choosing a random element in the large group, is there an obvious way to know if it lies in the largest subgroup or a smaller one? (Obviously I could use this element as a generator and start to compute powers to see the order of the subgroup it generates. But I guess that would only work fast in small groups, which are the insecure ones? Or is that exactly the reason?) - Rene Pickhardt 2019-02-22T20:07:20.923

1 In a finite group, every subgroup has a size that divides the supergroup's size. So it suffices to try multiplying your group element with every (n/p), where n is the supergroup's size, and p is every prime divisor of n, and checking you don't end up with 0 (the point at infinity). - Pieter Wuille 2019-02-22T20:12:22.080

I would still need to know the prime factors of n, but yeah, I see why it makes sense to just take a large (or the largest) cyclic subgroup. Thanks a lot! - Rene Pickhardt 2019-02-22T22:17:14.907

1 Finding the prime factors of a 256-bit number is trivial. - Pieter Wuille 2019-02-22T22:33:56.780

Oh, a small note: in elliptic curves, the largest prime subgroup is chosen to work with (which is always cyclic). However, there exist cyclic groups whose size is not a prime. In fact, a large portion of EC groups are cyclic, even the ones that are not prime. - Pieter Wuille 2019-02-23T12:37:18.793
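
The order check described in the comments above, worked on a toy curve. This is an added example, not code from the original posts: the curve y^2 = x^3 + x + 1 over F_23, the function names and the brute-force point enumeration are assumptions chosen so the whole group (order 28 = 4 * 7) can be inspected. It also shows the membership test for the largest prime subgroup, which is what a verifier applies to incoming points so that they cannot sit in a small subgroup.

```python
# Toy curve y^2 = x^3 + x + 1 over F_23 (constructed example, far too small for real use).
P_MOD, A, B = 23, 1, 1
INF = None  # point at infinity, the group identity ("0" in the comment above)

def add(p, q):
    """Affine point addition on the toy curve."""
    if p is INF: return q
    if q is INF: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # p + (-p); also covers doubling a point with y = 0
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, p):
    acc = INF                           # double-and-add scalar multiplication k*p
    while k:
        if k & 1: acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def prime_divisors(n):
    """Distinct prime divisors by trial division (fine for a toy n)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0: n //= d
        d += 1
    return out + ([n] if n > 1 else [])

# Brute-force enumeration of the group, only possible because the field is tiny.
POINTS = [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD)
                  if (y * y - x**3 - A * x - B) % P_MOD == 0]
N = len(POINTS)                         # group order n
Q = max(prime_divisors(N))              # order of the largest prime subgroup
H = N // Q                              # cofactor

def has_full_order(p):
    """Check from the comment: (n/q)*p != infinity for every prime q dividing n."""
    return all(mul(N // q, p) is not INF for q in prime_divisors(N))

def in_prime_subgroup(p):
    """Membership in the order-Q subgroup: Q*p is the point at infinity."""
    return mul(Q, p) is INF
```

On this curve (4, 0) is a valid curve point of order 2, so it passes an on-curve check but fails both `has_full_order` and `in_prime_subgroup`.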