Elliptic curve cryptographic systems

Remark 3 To resist generic attacks on the discrete logarithm problem, elliptic curve cryptosystems are implemented in the prime order cyclic subgroup of maximal cardinality n inside E(Fq). For representing group elements with the minimum number of bits, it is desirable that the curve order itself be prime. Except for special cases (see Section 1.3 and [59, 61, 65]), only generic attacks are known on the elliptic curve discrete logarithm problem (ECDLP), with a running time on the order of √ n. A security level of m bits, corresponding to a symmetric-key cryptosystem with 2m keys, thus requires an order n of 2m bits. Extrapolating the theoretical subexponential complexity for factoring or the DLP in finite fields allows to derive heuristic security estimates for the corresponding public key cryptosystems. Several studies have been carried out in the literature, taking added heuristics on technological progress into account, see [36]. They are summarized in the following table; the figures for the factorization based RSA system essentially