Why can we not use the group $Z_p^*$ for cryptography?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












Sorry if this is a noob question, but for instance in ECDSA, we start by considering the field $mathbb F_p$, whose the elements also form a group under multiplication. Why don't we just use this group instead of the one that is generated by the solutions of an elliptic curve equation lying in this field? I.E. choose an element lying in this field $g$ and choose a random number $n$ as a private key, and let $g^n$ be the public key. Is is just because of the reduction in key size? It seems like a high price to pay for the additional structure imposed by the curve equation.






rsa dsa







share|improve this question









New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Are you specifically asking about DSA vs ECDSA?
    – mikeazo
    3 hours ago










  • Rather about ElGamal v.s. ECDSA, I think
    – Erik
    2 hours ago










  • I was almost sure we already had a question like "why use ECDSA instead of plain DSA?" lying around, but it looks like we don't. The closest thing I could find was this, which is not quite it.
    – Ilmari Karonen
    2 hours ago











  • ...although we do also have this general question with some pretty nice answers.
    – Ilmari Karonen
    2 hours ago














up vote
2
down vote

favorite












Sorry if this is a noob question, but for instance in ECDSA, we start by considering the field $mathbb F_p$, whose the elements also form a group under multiplication. Why don't we just use this group instead of the one that is generated by the solutions of an elliptic curve equation lying in this field? I.E. choose an element lying in this field $g$ and choose a random number $n$ as a private key, and let $g^n$ be the public key. Is is just because of the reduction in key size? It seems like a high price to pay for the additional structure imposed by the curve equation.






rsa dsa







share|improve this question









New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Are you specifically asking about DSA vs ECDSA?
    – mikeazo
    3 hours ago










  • Rather about ElGamal v.s. ECDSA, I think
    – Erik
    2 hours ago










  • I was almost sure we already had a question like "why use ECDSA instead of plain DSA?" lying around, but it looks like we don't. The closest thing I could find was this, which is not quite it.
    – Ilmari Karonen
    2 hours ago











  • ...although we do also have this general question with some pretty nice answers.
    – Ilmari Karonen
    2 hours ago












up vote
2
down vote

favorite









up vote
2
down vote

favorite











Sorry if this is a noob question, but for instance in ECDSA, we start by considering the field $mathbb F_p$, whose the elements also form a group under multiplication. Why don't we just use this group instead of the one that is generated by the solutions of an elliptic curve equation lying in this field? I.E. choose an element lying in this field $g$ and choose a random number $n$ as a private key, and let $g^n$ be the public key. Is is just because of the reduction in key size? It seems like a high price to pay for the additional structure imposed by the curve equation.






rsa dsa







share|improve this question









New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Sorry if this is a noob question, but for instance in ECDSA, we start by considering the field $mathbb F_p$, whose the elements also form a group under multiplication. Why don't we just use this group instead of the one that is generated by the solutions of an elliptic curve equation lying in this field? I.E. choose an element lying in this field $g$ and choose a random number $n$ as a private key, and let $g^n$ be the public key. Is is just because of the reduction in key size? It seems like a high price to pay for the additional structure imposed by the curve equation.






rsa dsa




rsa dsa






share|improve this question









New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 50 mins ago





















New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 3 hours ago









Erik

113




113




New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • Are you specifically asking about DSA vs ECDSA?
    – mikeazo
    3 hours ago










  • Rather about ElGamal v.s. ECDSA, I think
    – Erik
    2 hours ago










  • I was almost sure we already had a question like "why use ECDSA instead of plain DSA?" lying around, but it looks like we don't. The closest thing I could find was this, which is not quite it.
    – Ilmari Karonen
    2 hours ago











  • ...although we do also have this general question with some pretty nice answers.
    – Ilmari Karonen
    2 hours ago
















  • Are you specifically asking about DSA vs ECDSA?
    – mikeazo
    3 hours ago










  • Rather about ElGamal v.s. ECDSA, I think
    – Erik
    2 hours ago










  • I was almost sure we already had a question like "why use ECDSA instead of plain DSA?" lying around, but it looks like we don't. The closest thing I could find was this, which is not quite it.
    – Ilmari Karonen
    2 hours ago











  • ...although we do also have this general question with some pretty nice answers.
    – Ilmari Karonen
    2 hours ago















Are you specifically asking about DSA vs ECDSA?
– mikeazo
3 hours ago




Are you specifically asking about DSA vs ECDSA?
– mikeazo
3 hours ago












Rather about ElGamal v.s. ECDSA, I think
– Erik
2 hours ago




Rather about ElGamal v.s. ECDSA, I think
– Erik
2 hours ago












I was almost sure we already had a question like "why use ECDSA instead of plain DSA?" lying around, but it looks like we don't. The closest thing I could find was this, which is not quite it.
– Ilmari Karonen
2 hours ago





I was almost sure we already had a question like "why use ECDSA instead of plain DSA?" lying around, but it looks like we don't. The closest thing I could find was this, which is not quite it.
– Ilmari Karonen
2 hours ago













...although we do also have this general question with some pretty nice answers.
– Ilmari Karonen
2 hours ago




...although we do also have this general question with some pretty nice answers.
– Ilmari Karonen
2 hours ago










1 Answer
1






active

oldest

votes

















up vote
5
down vote













You can use the multiplicative group $mathbbZ_p^*$, provided you use a key long enough to be secure.



Diffie-Hellman key exchange, DSA and the ElGamal cryptosystem were originally defined based on the hardness of the Discrete Logarithm Problem (DLP) over finite fields.



The challenge is that since then several methods have been found to reduce the complexity of the DLP (e.g. number field sieve, Pohlig-Hellman algorithm, Pollard's Rho algorithm). Consequently for these algorithms to be secure today it is necessary to use long (>3072 bits) prime fields. Additionally, since the scaling of hardness is sub-exponential in p, doubling the hardness of the problem requires that p is increased by much more than 2 (so secure key lengths will grow near-exponentially over time).



The advantage of using cryptography over elliptic curve groups is that you end up with smaller key lengths and ciphertexts for equivalent hardness (e.g. 256-bit ECC versus 3072 bit) and it scales better (so doubling the complexity means adding a single bit instead of adding many bits).






share|improve this answer






















  • @fgrieu, thanks... I assumed the multiplicative group but good to be explicit.
    – jadb
    1 hour ago










Your Answer




StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






Erik is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62436%2fwhy-can-we-not-use-the-group-z-p-for-cryptography%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
5
down vote













You can use the multiplicative group $mathbbZ_p^*$, provided you use a key long enough to be secure.



Diffie-Hellman key exchange, DSA and the ElGamal cryptosystem were originally defined based on the hardness of the Discrete Logarithm Problem (DLP) over finite fields.



The challenge is that since then several methods have been found to reduce the complexity of the DLP (e.g. number field sieve, Pohlig-Hellman algorithm, Pollard's Rho algorithm). Consequently for these algorithms to be secure today it is necessary to use long (>3072 bits) prime fields. Additionally, since the scaling of hardness is sub-exponential in p, doubling the hardness of the problem requires that p is increased by much more than 2 (so secure key lengths will grow near-exponentially over time).



The advantage of using cryptography over elliptic curve groups is that you end up with smaller key lengths and ciphertexts for equivalent hardness (e.g. 256-bit ECC versus 3072 bit) and it scales better (so doubling the complexity means adding a single bit instead of adding many bits).






share|improve this answer






















  • @fgrieu, thanks... I assumed the multiplicative group but good to be explicit.
    – jadb
    1 hour ago














up vote
5
down vote













You can use the multiplicative group $mathbbZ_p^*$, provided you use a key long enough to be secure.



Diffie-Hellman key exchange, DSA and the ElGamal cryptosystem were originally defined based on the hardness of the Discrete Logarithm Problem (DLP) over finite fields.



The challenge is that since then several methods have been found to reduce the complexity of the DLP (e.g. number field sieve, Pohlig-Hellman algorithm, Pollard's Rho algorithm). Consequently for these algorithms to be secure today it is necessary to use long (>3072 bits) prime fields. Additionally, since the scaling of hardness is sub-exponential in p, doubling the hardness of the problem requires that p is increased by much more than 2 (so secure key lengths will grow near-exponentially over time).



The advantage of using cryptography over elliptic curve groups is that you end up with smaller key lengths and ciphertexts for equivalent hardness (e.g. 256-bit ECC versus 3072 bit) and it scales better (so doubling the complexity means adding a single bit instead of adding many bits).






share|improve this answer






















  • @fgrieu, thanks... I assumed the multiplicative group but good to be explicit.
    – jadb
    1 hour ago












up vote
5
down vote










up vote
5
down vote









You can use the multiplicative group $mathbbZ_p^*$, provided you use a key long enough to be secure.



Diffie-Hellman key exchange, DSA and the ElGamal cryptosystem were originally defined based on the hardness of the Discrete Logarithm Problem (DLP) over finite fields.



The challenge is that since then several methods have been found to reduce the complexity of the DLP (e.g. number field sieve, Pohlig-Hellman algorithm, Pollard's Rho algorithm). Consequently for these algorithms to be secure today it is necessary to use long (>3072 bits) prime fields. Additionally, since the scaling of hardness is sub-exponential in p, doubling the hardness of the problem requires that p is increased by much more than 2 (so secure key lengths will grow near-exponentially over time).



The advantage of using cryptography over elliptic curve groups is that you end up with smaller key lengths and ciphertexts for equivalent hardness (e.g. 256-bit ECC versus 3072 bit) and it scales better (so doubling the complexity means adding a single bit instead of adding many bits).






share|improve this answer














You can use the multiplicative group $mathbbZ_p^*$, provided you use a key long enough to be secure.



Diffie-Hellman key exchange, DSA and the ElGamal cryptosystem were originally defined based on the hardness of the Discrete Logarithm Problem (DLP) over finite fields.



The challenge is that since then several methods have been found to reduce the complexity of the DLP (e.g. number field sieve, Pohlig-Hellman algorithm, Pollard's Rho algorithm). Consequently for these algorithms to be secure today it is necessary to use long (>3072 bits) prime fields. Additionally, since the scaling of hardness is sub-exponential in p, doubling the hardness of the problem requires that p is increased by much more than 2 (so secure key lengths will grow near-exponentially over time).



The advantage of using cryptography over elliptic curve groups is that you end up with smaller key lengths and ciphertexts for equivalent hardness (e.g. 256-bit ECC versus 3072 bit) and it scales better (so doubling the complexity means adding a single bit instead of adding many bits).







share|improve this answer














share|improve this answer



share|improve this answer








edited 11 mins ago









Ella Rose

13.5k33372




13.5k33372










answered 2 hours ago









jadb

3507




3507











  • @fgrieu, thanks... I assumed the multiplicative group but good to be explicit.
    – jadb
    1 hour ago
















  • @fgrieu, thanks... I assumed the multiplicative group but good to be explicit.
    – jadb
    1 hour ago















@fgrieu, thanks... I assumed the multiplicative group but good to be explicit.
– jadb
1 hour ago




@fgrieu, thanks... I assumed the multiplicative group but good to be explicit.
– jadb
1 hour ago










Erik is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















Erik is a new contributor. Be nice, and check out our Code of Conduct.












Erik is a new contributor. Be nice, and check out our Code of Conduct.











Erik is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62436%2fwhy-can-we-not-use-the-group-z-p-for-cryptography%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

What does second last employer means? [closed]

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote -3 down vote favorite Say, for example I have worked in the following companies, Company A => 2010 - 2011 Company B => 2011 - 2012 Company C => 2012 - Till Date Company D => Have offer Now assume Company D is asking to submit documents from my second last employer. So from the list of companies given, which company would be qualified as second last employer? software-industry employer share | improve this question asked Aug 10 '14 at 5:16 Rajaprabhu Aravindasamy 559 1 6 13 closed as off-topic by Jim G., jmort253 ♦ Aug 11 '14 at 1:58 This question appears to be off-topic. The users who voted to close gave this specific reason: "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address...
Read more

List of Gilmore Girls characters

Image
The season three cast—(Back row): Lane, Michel, Paris, Emily, Richard, Sookie, Miss Patty, Kirk; Front row: Jess, Luke, Lorelai, Rory, Dean This is a list of characters for the comedy-drama television series Gilmore Girls . Contents 1 Main characters 1.1 Lorelai Gilmore 1.2 Rory Gilmore 1.3 Sookie St. James 1.4 Lane Kim 1.5 Michel Gerard 1.6 Luke Danes 1.7 Emily Gilmore 1.8 Richard Gilmore 1.9 Paris Geller 1.10 Dean Forester 1.11 Jess Mariano 1.12 Kirk Gleason 1.13 Jason Stiles 1.14 Logan Huntzberger 2 Major recurring characters 2.1 Christopher Hayden 2.2 Jackson Belleville 2.3 Mrs. Kim 2.4 Tristin DuGray 2.5 Max Medina 2.6 Taylor Doose 2.7 Dave Rygalski 2.8 Marty 3 Recurring characters 3.1 Stars Hollow 3.2 Chilton 3.3 Yale 3.4 Other 4 Notable guest stars 5 Unseen characters 6 Notes 7 References Main characters Actor Character Appearances Season 1 Season 2 Season 3 Season 4 Season 5 Season 6 Season 7 A Year in the Life Lauren Graham Lorelai Gilmore...
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of ...
Read more