Elliptic-curve cryptography


Elliptic-curve cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in finite fields, such as the RSA cryptosystem and ElGamal cryptosystem.
Elliptic curves are applicable for key agreement, digital signatures, pseudo-random generators and other tasks. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme. They are also used in several integer factorization algorithms that have applications in cryptography, such as Lenstra elliptic-curve factorization.

History

The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography algorithms entered wide use starting in 2004.
In 1999, NIST recommended fifteen elliptic curves. Specifically, FIPS 186-4 has ten recommended finite fields:
  • Five prime fields for certain primes p of sizes 192, 224, 256, 384, and bits. For each of the prime fields, one elliptic curve is recommended.
  • Five binary fields for m equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one Koblitz curve was selected.
The NIST recommendation thus contains a total of five prime curves and ten binary curves. The curves were chosen for optimal security and implementation efficiency.
At the RSA Conference 2005, the National Security Agency announced Suite B, which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information. National Institute of Standards and Technology has endorsed elliptic curve cryptography in its Suite B set of recommended algorithms, specifically elliptic-curve Diffie–Hellman for key exchange and Elliptic Curve Digital Signature Algorithm for digital signature. The NSA allows their use for protecting information classified up to top secret with 384-bit keys.
Recently, a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the Weil and Tate pairings, have been introduced. Schemes based on these primitives provide efficient identity-based encryption as well as pairing-based signatures, signcryption, key agreement, and proxy re-encryption.
Elliptic curve cryptography is used successfully in numerous popular protocols, such as Transport Layer Security and Bitcoin.

Security concerns

In 2013, The New York Times stated that Dual Elliptic Curve Deterministic Random Bit Generation had been included as a NIST national standard due to the influence of NSA, which had included a deliberate weakness in the algorithm and the recommended elliptic curve. RSA Security in September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG. In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic curves, suggesting a return to encryption based on non-elliptic-curve groups.
Additionally, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns about quantum computing attacks on ECC.

Patents

While the RSA patent expired in 2000, there may be patents in force covering certain aspects of ECC technology, including at least one ECC scheme. However, RSA Laboratories and Daniel J. Bernstein have argued that the US government elliptic curve digital signature standard and certain practical ECC-based key exchange schemes can be implemented without infringing those patents.

Elliptic curve theory

For the purposes of this article, an elliptic curve is a plane curve over a finite field which consists of the points satisfying the equation
along with a distinguished point at infinity, denoted ∞. The coordinates here are to be chosen from a fixed finite field of characteristic not equal to 2 or 3, or the curve equation would be somewhat more complicated.
This set of points, together with the group operation of elliptic curves, is an abelian group, with the point at infinity as an identity element. The structure of the group is inherited from the divisor group of the underlying algebraic variety:

Application to cryptography

is based on the intractability of certain mathematical problems. Early public-key systems, such as RSA's 1983 patent, based their security on the assumption that it is difficult to factor a large integer composed of two or more large prime factors which are far apart. For later elliptic-curve-based protocols, the base assumption is that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible : this is the "elliptic curve discrete logarithm problem". The security of elliptic curve cryptography depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original point and product point. The size of the elliptic curve, measured by the total number of discrete integer pairs satisfying the curve equation, determines the difficulty of the problem.
The primary benefit promised by elliptic curve cryptography over alternatives such as RSA is a smaller key size, reducing storage and transmission requirements. For example, a 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key.

Cryptographic schemes

Several discrete logarithm-based protocols have been adapted to elliptic curves, replacing the group with an elliptic curve:
Some common implementation considerations include:

Domain parameters

To use ECC, all parties must agree on all the elements defining the elliptic curve, that is, the domain parameters of the scheme. The size of the field used is typically either prime or is a power of two ; the latter case is called the binary case, and this case necessitates the choice of an auxiliary curve denoted by f. Thus the field is defined by p in the prime case and the pair of m and f in the binary case. The elliptic curve is defined by the constants a and b used in its defining equation. Finally, the cyclic subgroup is defined by its generator G. For cryptographic application, the order of G, that is the smallest positive number n such that , is normally prime. Since n is the size of a subgroup of it follows from Lagrange's theorem that the number is an integer. In cryptographic applications, this number h, called the cofactor, must be small and, preferably,. To summarize: in the prime case, the domain parameters are ; in the binary case, they are.
Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters must be validated before use.
The generation of domain parameters is not usually done by each participant because this involves computing the number of points on a curve which is time-consuming and troublesome to implement. As a result, several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or by the unique object identifier defined in the standard documents:
  • NIST,
  • SECG,
  • ECC Brainpool,
SECG test vectors are also available. NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be specified either by value or by name.
If, despite the preceding admonition, one decides to construct one's own domain parameters, one should select the underlying field and then use one of the following strategies to find a curve with appropriate number of points using one of the following methods:
  • Select a random curve and use a general point-counting algorithm, for example, Schoof's algorithm or the Schoof–Elkies–Atkin algorithm,
  • Select a random curve from a family which allows easy calculation of the number of points, or
  • Select the number of points and generate a curve with this number of points using the complex multiplication technique.
Several classes of curves are weak and should be avoided:
  • Curves over with non-prime m are vulnerable to Weil descent attacks.
  • Curves such that n divides for sufficiently small B are vulnerable to Menezes–Okamoto–Vanstone attack which applies usual discrete logarithm problem in a small-degree extension field of to solve ECDLP. The bound B should be chosen so that discrete logarithms in the field are at least as difficult to compute as discrete logs on the elliptic curve.
  • Curves such that are vulnerable to the attack that maps the points on the curve to the additive group of.

    Key sizes

Because all the fastest known algorithms that allow one to solve the ECDLP, need steps, it follows that the size of the underlying field should be roughly twice the security parameter. For example, for 128-bit security one needs a curve over, where. This can be contrasted with finite-field cryptography which requires 3072-bit public keys and 256-bit private keys, and integer factorization cryptography which requires a 3072-bit value of n, where the private key should be just as large. However, the public key may be smaller to accommodate efficient encryption, especially when processing power is limited.
The hardest ECC scheme broken to date had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case, this was broken in July 2009 using a cluster of over 200 PlayStation 3 game consoles and could have been finished in 3.5 months using this cluster when running continuously. The binary field case was broken in April 2004 using 2600 computers over 17 months.
A current project is aiming at breaking the ECC2K-130 challenge by Certicom, by using a wide range of different hardware: CPUs, GPUs, FPGA.