Katana VentraIP

Elliptic-curve cryptography

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.[1]

Elliptic curves are applicable for key agreement, digital signatures, pseudo-random generators and other tasks. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme. They are also used in several integer factorization algorithms that have applications in cryptography, such as Lenstra elliptic-curve factorization.

Five for certain primes p of sizes 192, 224, 256, 384, and 521 bits. For each of the prime fields, one elliptic curve is recommended.

prime fields

Five for m equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one Koblitz curve was selected.

binary fields

The (ECDH) key agreement scheme is based on the Diffie–Hellman scheme,

Elliptic-curve Diffie–Hellman

The Elliptic Curve (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,

Integrated Encryption Scheme

The (ECDSA) is based on the Digital Signature Algorithm,

Elliptic Curve Digital Signature Algorithm

The deformation scheme using Harrison's p-adic Manhattan metric,

The (EdDSA) is based on Schnorr signature and uses twisted Edwards curves,

Edwards-curve Digital Signature Algorithm

The key agreement scheme is based on the MQV key agreement scheme,

ECMQV

The implicit certificate scheme.

ECQV

Security[edit]

Side-channel attacks[edit]

Unlike most other DLP systems (where it is possible to use the same procedure for squaring and multiplication), the EC addition is significantly different for doubling (P = Q) and general addition (PQ) depending on the coordinate system used. Consequently, it is important to counteract side-channel attacks (e.g., timing or simple/differential power analysis attacks) using, for example, fixed pattern window (a.k.a. comb) methods[33] (note that this does not increase computation time). Alternatively one can use an Edwards curve; this is a special family of elliptic curves for which doubling and addition can be done with the same operation.[34] Another concern for ECC-systems is the danger of fault attacks, especially when running on smart cards.[35]

Backdoors[edit]

Cryptographic experts have expressed concerns that the National Security Agency has inserted a kleptographic backdoor into at least one elliptic curve-based pseudo random generator.[36] Internal memos leaked by former NSA contractor Edward Snowden suggest that the NSA put a backdoor in the Dual EC DRBG standard.[37] One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of PRNG output.[38]


The SafeCurves project has been launched in order to catalog curves that are easy to implement securely and are designed in a fully publicly verifiable way to minimize the chance of a backdoor.[39]

Quantum computing attack[edit]

Shor's algorithm can be used to break elliptic curve cryptography by computing discrete logarithms on a hypothetical quantum computer. The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330 qubits and 126 billion Toffoli gates.[40] For the binary elliptic curve case, 906 qubits are necessary (to break 128 bits of security).[41] In comparison, using Shor's algorithm to break the RSA algorithm requires 4098 qubits and 5.2 trillion Toffoli gates for a 2048-bit RSA key, suggesting that ECC is an easier target for quantum computers than RSA. All of these figures vastly exceed any quantum computer that has ever been built, and estimates place the creation of such computers at a decade or more away.[42]


Supersingular Isogeny Diffie–Hellman Key Exchange claimed to provide a post-quantum secure form of elliptic curve cryptography by using isogenies to implement Diffie–Hellman key exchanges. This key exchange uses much of the same field arithmetic as existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems.[43] However, new classical attacks undermined the security of this protocol.[44]


In August 2015, the NSA announced that it planned to transition "in the not distant future" to a new cipher suite that is resistant to quantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."[11]

Invalid curve attack[edit]

When ECC is used in virtual machines, an attacker may use an invalid curve to get a complete PDH private key.[45]

Hessian curves

Edwards curves

Twisted curves

Twisted Hessian curves

Twisted Edwards curve

Doubling-oriented Doche–Icart–Kohel curve

Tripling-oriented Doche–Icart–Kohel curve

Jacobian curve

Montgomery curves

Alternative representations of elliptic curves include:

Jacques Vélu, Courbes elliptiques (...), Société Mathématique de France, 57, 1-152, Paris, 1978.

at Stanford University

Elliptic Curves

by Maike Massierer and the CrypTool team

Interactive introduction to elliptic curves and elliptic curve cryptography with Sage

Media related to Elliptic curve at Wikimedia Commons