A Las Vegas algorithm to solve the elliptic curve discrete logarithm problem [pdf]

Interesting, but no more.<p>The commonly used curve P-256 has the prime order 115792089210356248762697446949407573529996955224135760342422259061068512044369.<p>From the paper &quot;The largest group of elliptic group of prime order that we tested is 129159847, in which a discrete logarithm problem was solved.&quot;.

This algorithm is slower than existing approaches (Pollard&#x27;s rho); the ridiculously small &quot;largest group&quot; that the author considered can be easily tackled in a split second with even inefficient general algorithms such as Shank&#x27;s. It&#x27;s surprising that such a boring non-result made it to the front page of HN.

I think in general the technique of introducing some slack in the form of partitions and then constraining those using some property of the specific problem space, in this case linear relations of whether those points lie on some curve, is very strong and has general applicability. Sort of like branch and bound. It&#x27;s nice to see that this author started with a general idea that wasn&#x27;t that fast, and then used a lot of clever details to improve the implementation of that same idea over a number of years.

What is the estimated complexity of this attack? It is not clear to me how to use the probability of success formula for an arbitrary keysize.

Uh, wait a second. Is Elliptic Curve Diffie Hellman broken now? Does this work on curves used in TLS?

We don&#x27;t have to (and shouldn&#x27;t, IMO) American-ize &quot;Monte Carlo&quot;<p>Edit: TIL that they are different. (Thanks for the explanations below! esp: gmfawcett and 1001101)