 Elliptic curve cryptography

Elliptic curve cryptography (ECC) is an approach to publickey cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz^{[1]} and Victor S. Miller^{[2]} in 1985.
Elliptic curves are also used in several integer factorization algorithms that have applications in cryptography, such as Lenstra elliptic curve factorization.
Contents
Introduction
Publickey cryptography is based on the intractability of certain mathematical problems. Early publickey systems are secure assuming that it is difficult to factor a large integer composed of two or more large prime factors. For ellipticcurvebased protocols, it is assumed that finding the discrete logarithm of a random elliptic curve element with respect to a publiclyknown base point is infeasible. The size of the elliptic curve determines the difficulty of the problem. It is believed^{[by whom?]} that the same level of security afforded by an RSAbased system with a large modulus can be achieved with a much smaller elliptic curve group. Using a small group reduces storage and transmission requirements.
For current cryptographic purposes, an elliptic curve is a plane curve which consists of the points satisfying the equation
along with a distinguished point at infinity, denoted . (The coordinates here are to be chosen from a fixed finite field of characteristic not equal to 2 or 3, or the curve equation will be somewhat more complicated.) This set together with the group operation of the elliptic group theory form an Abelian group, with the point at infinity as identity element. The structure of the group is inherited from the divisor group of the underlying algebraic variety.
As for other popular public key cryptosystems, no mathematical proof of security has been published for ECC as of 2009^{[update]}. However, the U.S. National Security Agency has endorsed ECC by including schemes based on it in its Suite B set of recommended algorithms and allows their use for protecting information classified up to top secret with 384bit keys.^{[3]} While the RSA patent expired in 2000, there are patents in force covering certain aspects of ECC technology, though some^{[who?]} argue that the Federal elliptic curve digital signature standard (ECDSA; NIST FIPS 1863) and certain practical ECCbased key exchange schemes (including ECDH) can be implemented without infringing them.^{[4]}
Cryptographic premise
The entire security of ECC depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original and product points.
Cryptographic schemes
Several discrete logarithmbased protocols have been adapted to elliptic curves, replacing the group with an elliptic curve:
 the elliptic curve Diffie–Hellman key agreement scheme is based on the Diffie–Hellman scheme,
 the Elliptic Curve Integrated Encryption Scheme (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
 the Elliptic Curve Digital Signature Algorithm is based on the Digital Signature Algorithm,
 the ECMQV key agreement scheme is based on the MQV key agreement scheme.
 the ECQV implicit certificate scheme.
At the RSA Conference 2005, the National Security Agency (NSA) announced Suite B which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.^{[5]}
Recently, a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the Weil and Tate pairings, have been introduced. Schemes based on these primitives provide efficient identitybased encryption as well as pairingbased signatures, signcryption, key agreement, and proxy reencryption.
Implementation considerations
Although the details of each particular elliptic curve scheme are described in the article referenced above some common implementation considerations are discussed here.
Domain parameters
To use ECC all parties must agree on all the elements defining the elliptic curve, that is, the domain parameters of the scheme. The field is defined by p in the prime case and the pair of m and f in the binary case. The elliptic curve is defined by the constants a and b used in its defining equation. Finally, the cyclic subgroup is defined by its generator (aka. base point) G. For cryptographic application the order of G, that is the smallest nonnegative number n such that , is normally prime. Since n is the size of a subgroup of it follows from Lagrange's theorem that the number is an integer. In cryptographic applications this number h, called the cofactor, must be small () and, preferably, h = 1. Let us summarize: in the prime case the domain parameters are (p,a,b,G,n,h) and in the binary case they are (m,f,a,b,G,n,h).
Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters must be validated before use.
The generation of domain parameters is not usually done by each participant since this involves counting the number of points on a curve which is timeconsuming and troublesome to implement. As a result several standard bodies published domain parameters of elliptic curves for several common field sizes:
 NIST, Recommended Elliptic Curves for Government Use
 SECG, SEC 2: Recommended Elliptic Curve Domain Parameters
Test vectors are also available.^{[6]}
If one (despite the said above) wants to build one's own domain parameters one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:
 select a random curve and use a general pointcounting algorithm, for example, Schoof's algorithm or Schoof–Elkies–Atkin algorithm,
 select a random curve from a family which allows easy calculation of the number of points (e.g., Koblitz curves), or
 select the number of points and generate a curve with this number of points using complex multiplication technique.^{[7]}
Several classes of curves are weak and should be avoided:
 curves over with nonprime m are vulnerable to Weil descent attacks.^{[8]}^{[9]}
 curves such that n divides p^{B} − 1 (where p is the characteristic of the field – q for a prime field, or 2 for a binary field) for sufficiently small B are vulnerable to MOV attack^{[10]}^{[11]} which applies usual DLP in a small degree extension field of to solve ECDLP. The bound B should be chosen so that discrete logarithms in the field are at least as difficult to compute as discrete logs on the elliptic curve .^{[12]}
 curves such that are vulnerable to the attack that maps the points on the curve to the additive group of ^{[13]}^{[14]}^{[15]}
Key sizes
Since all the fastest known algorithms that allow to solve the ECDLP (babystep giantstep, Pollard's rho, etc.), need steps, it follows that the size of the underlying field shall be roughly twice the security parameter. For example, for 128bit security one needs a curve over , where . This can be contrasted with finitefield cryptography (e.g., DSA) which requires^{[16]} 3072bit public keys and 256bit private keys, and integer factorization cryptography (e.g., RSA) which requires 3072bit public and private keys.
The hardest ECC scheme (publicly) broken to date had a 112bit key for the prime field case and a 109bit key for the binary field case. For the prime field case this was broken in July 2009 using a cluster of over 200 PlayStation 3 game consoles and could have been finished in 3.5 months using this cluster when running continuously (see ^{[17]}). For the binary field case, it was broken in April 2004 using 2600 computers for 17 months.^{[18]}
A current project is aiming at breaking the ECC2K130 challenge by Certicom, by using a wide range of different hardware : CPUs, GPUs, FPGA.^{[19]}
Projective coordinates
A close examination of the addition rules shows that in order to add two points one needs not only several additions and multiplications in but also an inversion operation. The inversion (for given find such that xy = 1) is one to two orders of magnitude slower^{[20]} than multiplication. Fortunately, points on a curve can be represented in different coordinate systems which do not require an inversion operation to add two points. Several such systems were proposed: in the projective system each point is represented by three coordinates (X,Y,Z) using the following relation: , ; in the Jacobian system a point is also represented with three coordinates (X,Y,Z), but a different relation is used: , ; in the López–Dahab system the relation is , ; in the modified Jacobian system the same relations are used but four coordinates are stored and used for calculations (X,Y,Z,aZ^{4}); and in the Chudnovsky Jacobian system five coordinates are used (X,Y,Z,Z^{2},Z^{3}). Note that there may be different naming conventions, for example, IEEE P13632000 standard uses "projective coordinates" to refer to what is commonly called Jacobian coordinates. An additional speedup is possible if mixed coordinates are used.^{[21]}
Fast reduction (NIST curves)
Reduction modulo p (which is needed for addition and multiplication) can be executed much faster if the prime p is a pseudoMersenne prime that is , for example, p = 2^{521} − 1 or p = 2^{256} − 2^{32} − 2^{9} − 2^{8} − 2^{7} − 2^{6} − 2^{4} − 1. Compared to Barrett reduction there can be an order of magnitude speedup.^{[22]} The speedup here is a practical rather than theoretical one, and derives from the fact that the moduli of numbers against numbers near powers of two can be performed efficiently by computers operating on binary numbers with bitwise operations.
The curves over with pseudoMersenne p are recommended by NIST. Yet another advantage of the NIST curves is the fact that they use a = −3 which improves addition in Jacobian coordinates.
NISTrecommended elliptic curves
NIST recommends fifteen elliptic curves. Specifically, FIPS 1863 has ten recommended finite fields:
 Five prime fields for certain primes p of sizes 192, 224, 256, 384, and 521 bits. For each of the prime fields, one elliptic curve is recommended.
 Five binary fields for m equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one Koblitz curve was selected.
The NIST recommendation thus contains a total of five prime curves and ten binary curves. The curves were chosen for optimal security and implementation efficiency.^{[23]}
Sidechannel attacks
Unlike DLP systems (where it is possible to use the same procedure for squaring and multiplication) the EC addition is significantly different for doubling (P = Q) and general addition () depending on the coordinate system used. Consequently, it is important to counteract side channel attacks (e.g., timing or simple/differential power analysis attacks) using, for example, fixed pattern window (aka. comb) methods^{[24]} (note that this does not increase the computation time). Another concern for ECCsystems is the danger of fault attacks, especially when running on smart cards.^{[25]}
Quantum computing attacks
Elliptic curve cryptography is vulnerable to a modified Shor's algorithm for solving the discrete logarithm problem on elliptic curves.^{[26]}^{[27]}
Patents
Main article: ECC patentsAt least one ECC scheme (ECMQV) and some implementation techniques are covered by patents.
Implementations
Open source
 OpenSSL  C library with ECC functionality
 Crypto++  C++ library with ECC functionality
 Botan  a BSDlicensed cryptographic library written in C++
 OpenSSH: A free version of the SSH communication tools for remote connections
 NSS: Open source crypto libraries with ECC
 seccure: minimal footprint GPLed ECC tool with public key encryption and digital signatures
 SKS: very small open source tool for ECC (like a simplified PGP)
 eccGnuPG: An experimental patch to GnuPG
 Curve25519: A stateoftheart Diffie–Hellman function by Dan Bernstein
 NaCl: Networking and Cryptography library
 TinyECC: a software package providing ECC operations on TinyOS
 libecc: Open source ECC library
 Bouncy Castle: Open source crypto package for Java and C# that includes ECC
 Eiffel Encryption Library: Open source cryptography library for the Eiffel language
 RSA BSAFE(R) Share for Java Platform and Share for C/C++: Free binary toolkits
 Implementation of Elliptic Curve Cryptography on an 8bit microcontroller
Proprietary/commercial
 MIRACL: Multiprecision Integer and Rational Arithmetic C/C++ Library
 CNG API in Windows Vista and Windows Server 2008 with managed wrappers for CNG in .NET Framework 3.5
 Sun Java System Web Server 7.0 and later
 Java SE 6
 Java Card
 Security Builder Crypto
 Elliptic Curve Point Multiply and Verify Core
 RSA BSAFE(R) CryptoJ and CryptoC ME
Alternative representations of elliptic curves
 Hessian curves
 Edwards curves
 Twisted curves
 Twisted Hessian curves
 Twisted Edwards curve
 Doublingoriented Doche–Icart–Kohel curve
 Triplingoriented Doche–Icart–Kohel curve
 Jacobian curve
 Montgomery curve
See also
 DNSCurve
 ECC patents
 ECDH
 ECDSA
 ECMQV
 Publickey cryptography
 Quantum cryptography
 Pairingbased cryptography
 Homomorphic Signatures for Network Coding
 Universal Metering Interface (UMI) an open standard, originally created by Cambridge Consultants for use in Smart Metering devices/systems and home automation, which uses AES128 alongside ECC256 for various security purposes.
Notes
 ^ Koblitz, N. (1987). "Elliptic curve cryptosystems". Mathematics of Computation 48 (177): 203–209. JSTOR 2007884.
 ^ Miller, V. (1985). "Use of elliptic curves in cryptography". CRYPTO 85: 417–426. doi:10.1007/354039799X_31.
 ^ "Fact Sheet NSA Suite B Cryptography". U.S. National Security Agency. http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml.
 ^ Bernstein, D. J.. "Irrelevant patents on ellipticcurve cryptography". http://cr.yp.to/ecdh/patents.html.
 ^ "The Case for Elliptic Curve Cryptography". NSA. http://www.nsa.gov/business/programs/elliptic_curve.shtml.
 ^ http://www.secg.org/download/aid390/gec2.pdf
 ^ Lay, G.; Zimmer, H. (1994). "Constructing elliptic curves with given group order over large finite fields". Algorithmic Number Theory Symposium. Lecture Notes in Computer Science 877: 250–263. doi:10.1007/3540586911_64.
 ^ Galbraith, S. D.; Smart, N. P. (1999). "A cryptographic application of the Weil descent". Cryptography and Coding. Lecture Notes in Computer Science 1746: 799. doi:10.1007/3540466657_23.
 ^ Gaudry, P.; Hess, F.; Smart, N. P. (2000). "Constructive and destructive facets of Weil descent on elliptic curves". Hewlett Packard Laboratories Technical Report. http://www.hpl.hp.com/techreports/2000/HPL200010.pdf.
 ^ Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve logarithms to logarithms in a finite field". IEEE Transactions on Information Theory 39.
 ^ Hitt, L. (2006). "On an Improved Definition of Embedding Degree". IACR ePrint report. http://eprint.iacr.org/2006/415.
 ^ IEEE P1363, section A.12.1
 ^ Semaev, I. (1998). "Evaluation of discrete logarithm in a group of ptorsion points of an elliptic curve in characteristic p". Mathematics of Computation 67 (221): 353–356. doi:10.1090/S0025571898008874.
 ^ Smart, N. (1999). "The discrete logarithm problem on elliptic curves of trace one". Journal of Cryptology 12 (3): 193–196. doi:10.1007/s001459900052.
 ^ Satoh, T.; Araki, K. (1998). "Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves". Commentarii Mathematici Universitatis Sancti Pauli 47.
 ^ NIST, Recommendation for Key Management—Part 1: general, Special Publication 80057, August 2005.
 ^ http://lacal.epfl.ch/page81774.html
 ^ "Certicom Announces Elliptic Curve Cryptography Challenge Winner". Certicom. April 27, 2004. http://www.certicom.com/index.php/2004pressreleases/362004pressreleases/300solutionrequiredteamofmathematicians2600computersand17months.
 ^ http://www.eccchallenge.info/
 ^ Hitchcock, Y.; Dawson, E.; Clark, A.; Montague, P. (2002). "Implementing an efficient elliptic curve cryptosystem over GF(p) on a smart card". ANZIAM Journal 44. http://anziamj.austms.org.au/V44/CTAC2001/Hitc/Hitc.pdf.
 ^ Cohen, H.; Miyaji, A.; Ono, T. (1998). "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates". Advances in Cryptology – AsiaCrypt '98. Lecture Notes in Computer Science 1514: 51–65. doi:10.1007/3540496491_6.
 ^ Brown, M.; Hankerson, D.; Lopez, J.; Menezes, A. (2001). "Software Implementation of the NIST Elliptic Curves Over Prime Fields". Topics in Cryptology – CTRSA 2001. Lecture Notes in Computer Science 2020: 250–265. doi:10.1007/3540453539_19.
 ^ FIPS PUB 1863, Digital Signature Standard (DSS).
 ^ Hedabou, M.; Pinel, P.; Beneteau, L. (2004). A comb method to render ECC resistant against Side Channel Attacks. http://eprint.iacr.org/2004/342.pdf.
 ^ See, for example, Biehl, Ingrid; Meyer, Bernd; Müller, Volker (2000). "Differential Fault Attacks on Elliptic Curve Cryptosystems". Advances in Cryptology – CRYPTO 2000. Lecture Notes in Computer Science 1880: 131–146. doi:10.1007/3540445986_8.
 ^ Eicher, Jodie; Opoku, Yaw (July 29, 1997). Using the Quantum Computer to Break Elliptic Curve Cryptosystems.
 ^ Proos, John; Zalka, Christof (2003). "Shor's Discrete Logarithm Quantum Algorithm for Elliptic Curves". Quantum Information and Computing 3 (4): 317–344. arXiv:quantph/0301141. Bibcode 2003quant.ph..1141P.
References
 Standards for Efficient Cryptography Group (SECG), SEC 1: Elliptic Curve Cryptography, Version 1.0, September 20, 2000.
 D. Hankerson, A. Menezes, and S.A. Vanstone, Guide to Elliptic Curve Cryptography, SpringerVerlag, 2004.
 I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, London Mathematical Society 265, Cambridge University Press, 1999.
 I. Blake, G. Seroussi, and N. Smart, editors, Advances in Elliptic Curve Cryptography, London Mathematical Society 317, Cambridge University Press, 2005.
 L. Washington, Elliptic Curves: Number Theory and Cryptography, Chapman & Hall / CRC, 2003.
 The Case for Elliptic Curve Cryptography, National Security Agency
 Online Elliptic Curve Cryptography Tutorial, Certicom Corp.
 K. Malhotra, S. Gardner, and R. Patz, Implementation of EllipticCurve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007 Page(s):239–244
 Saikat Basu, A New Parallel WindowBased Implementation of the Elliptic Curve Point Multiplication in MultiCore Architectures, International Journal of Network Security, Vol. 13, No. 3, 2011, Page(s):234241
 Christof Paar, Jan Pelzl, "Elliptic Curve Cryptosystems", Chapter 9 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers elliptic curve cryptography), Springer, 2009.
External links
Publickey cryptography Algorithms Benaloh · Blum–Goldwasser · Cayley–Purser · CEILIDH · Cramer–Shoup · Damgård–Jurik · DH · DSA · EPOC · ECDH · ECDSA · EKE · ElGamal (encryption · signature scheme) · GMR · Goldwasser–Micali · HFE · IES · Lamport · McEliece · Merkle–Hellman · MQV · Naccache–Stern · NTRUEncrypt · NTRUSign · Paillier · Rabin · RSA · Okamoto–Uchiyama · Schnorr · Schmidt–Samoa · SPEKE · SRP · STS · Threepass protocol · XTR
Theory Discrete logarithm · Elliptic curve cryptography · RSA problem
Standardization ANS X9F1 · CRYPTREC · IEEE P1363 · NESSIE · NSA Suite B
Topics Digital signature · OAEP · Fingerprint · PKI · Web of trust · Key size
Cryptography Categories: Cryptography
 Asymmetrickey cryptosystems
 Finite fields
Wikimedia Foundation. 2010.