# Elliptic curve cryptography

**Elliptic curve cryptography** (**ECC**) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security.^{[1]}

Elliptic curves are applicable for key agreement, digital signatures, pseudo-random generators and other tasks. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme. They are also used in several integer factorization algorithms based on elliptic curves that have applications in cryptography, such as Lenstra elliptic curve factorization.

## Contents

## Rationale

Public-key cryptography is based on the intractability of certain mathematical problems. Early public-key systems are secure assuming that it is difficult to factor a large integer composed of two or more large prime factors. For elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible: this is the "elliptic curve discrete logarithm problem" (ECDLP). The security of elliptic curve cryptography depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original and product points. The size of the elliptic curve determines the difficulty of the problem.

The primary benefit promised by elliptic curve cryptography is a smaller key size, reducing storage and transmission requirements, i.e. that an elliptic curve group could provide the same level of security afforded by an RSA-based system with a large modulus and correspondingly larger key: for example, a 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key.

The U.S. National Institute of Standards and Technology (NIST) has endorsed elliptic curve cryptography in its Suite B set of recommended algorithms, specifically elliptic curve Diffie–Hellman (ECDH) for key exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signature. The U.S. National Security Agency (NSA) allows their use for protecting information classified up to top secret with 384-bit keys.^{[2]} However, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns about quantum computing attacks on ECC.^{[3]}

While the RSA patent expired in 2000, there may be patents in force covering certain aspects of ECC technology. However some argue that the US government elliptic curve digital signature standard (ECDSA; NIST FIPS 186-3) and certain practical ECC-based key exchange schemes (including ECDH) can be implemented without infringing them, including RSA Laboratories^{[4]} and Daniel J. Bernstein^{[5]}

## History

The use of elliptic curves in cryptography was suggested independently by Neal Koblitz^{[6]} and Victor S. Miller^{[7]} in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.

## Theory

For current cryptographic purposes, an *elliptic curve* is a plane curve over a finite field (rather than the real numbers) which consists of the points satisfying the equation

- <math>y^2 = x^3 + ax + b, \, </math>

along with a distinguished point at infinity, denoted ∞. (The coordinates here are to be chosen from a fixed finite field of characteristic not equal to 2 or 3, or the curve equation will be somewhat more complicated.)

This set together with the group operation of elliptic curves is an Abelian group, with the point at infinity as identity element. The structure of the group is inherited from the divisor group of the underlying algebraic variety.

- <math>\mathrm{Div}^0 (E) \to \mathrm{Pic}^0 (E) \simeq E, \, </math>

## Cryptographic schemes

Several discrete logarithm-based protocols have been adapted to elliptic curves, replacing the group <math>(\mathbb{Z}_{p})^\times</math> with an elliptic curve:

- The elliptic curve Diffie–Hellman (ECDH) key agreement scheme is based on the Diffie–Hellman scheme,
- The Elliptic Curve Integrated Encryption Scheme (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
- The Elliptic Curve Digital Signature Algorithm (ECDSA) is based on the Digital Signature Algorithm,
- The deformation scheme using Harrison's p-adic Manhattan metric,
- The Edwards-curve Digital Signature Algorithm (EdDSA) is based on Schnorr signature and uses twisted Edwards curves,
- The ECMQV key agreement scheme is based on the MQV key agreement scheme,
- The ECQV implicit certificate scheme.

At the RSA Conference 2005, the National Security Agency (NSA) announced Suite B which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.^{[8]}

Recently, a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the Weil and Tate pairings, have been introduced. Schemes based on these primitives provide efficient identity-based encryption as well as pairing-based signatures, signcryption, key agreement, and proxy re-encryption.

## Implementation

Some common implementation considerations include:

### Domain parameters

To use ECC, all parties must agree on all the elements defining the elliptic curve, that is, the *domain parameters* of the scheme. The field is defined by *p* in the prime case and the pair of *m* and *f* in the binary case. The elliptic curve is defined by the constants *a* and *b* used in its defining equation. Finally, the cyclic subgroup is defined by its *generator* (a.k.a. *base point*) *G*. For cryptographic application the order of *G*, that is the smallest positive number *n* such that <math>n G = \infty</math>, is normally prime. Since *n* is the size of a subgroup of <math>E(\mathbb{F}_p)</math> it follows from Lagrange's theorem that the number <math>h = \frac{1}{n}|E(\mathbb{F}_p)|</math> is an integer. In cryptographic applications this number *h*, called the *cofactor*, must be small (<math>h \le 4</math>) and, preferably, <math>h = 1</math>. To summarize: in the prime case, the domain parameters are <math>(p,a,b,G,n,h)</math>; in the binary case, they are <math>(m,f,a,b,G,n,h)</math>.

Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters *must* be validated before use.

The generation of domain parameters is not usually done by each participant because this involves computing the number of points on a curve which is time-consuming and troublesome to implement. As a result, several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or by the unique object identifier defined in the standard documents:

- NIST, Recommended Elliptic Curves for Government Use
- SECG, SEC 2: Recommended Elliptic Curve Domain Parameters
- ECC Brainpool (RFC 5639), ECC Brainpool Standard Curves and Curve Generation

SECG test vectors are also available.^{[9]} NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be either specified by value or by name.

If one (despite the above) wants to construct one's own domain parameters, one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:

- Select a random curve and use a general point-counting algorithm, for example, Schoof's algorithm or Schoof–Elkies–Atkin algorithm,
- Select a random curve from a family which allows easy calculation of the number of points (e.g., Koblitz curves), or
- Select the number of points and generate a curve with this number of points using
*complex multiplication*technique.^{[10]}

Several classes of curves are weak and should be avoided:

- Curves over <math>\mathbb{F}_{2^m}</math> with non-prime
*m*are vulnerable to Weil descent attacks.^{[11]}^{[12]} - Curves such that
*n*divides <math>p^B-1</math> (where*p*is the characteristic of the field –*q*for a prime field, or <math>2</math> for a binary field) for sufficiently small*B*are vulnerable to Menezes–Okamoto–Vanstone (MOV) attack^{[13]}^{[14]}which applies usual Discrete Logarithm Problem (DLP) in a small degree extension field of <math>\mathbb{F}_p</math> to solve ECDLP. The bound*B*should be chosen so that discrete logarithms in the field <math>\mathbb{F}_{p^B}</math> are at least as difficult to compute as discrete logs on the elliptic curve <math>E(\mathbb{F}_q)</math>.^{[15]} - Curves such that <math>|E(\mathbb{F}_q)| = q</math> are vulnerable to the attack that maps the points on the curve to the additive group of <math>\mathbb{F}_q</math>
^{[16]}^{[17]}^{[18]}

### Key sizes

Because all the fastest known algorithms that allow one to solve the ECDLP (baby-step giant-step, Pollard's rho, etc.), need <math>O(\sqrt{n})</math> steps, it follows that the size of the underlying field should be roughly twice the security parameter. For example, for 128-bit security one needs a curve over <math>\mathbb{F}_q</math>, where <math>q \approx 2^{256}</math>. This can be contrasted with finite-field cryptography (e.g., DSA) which requires^{[19]} 3072-bit public keys and 256-bit private keys, and integer factorization cryptography (e.g., RSA) which requires a 3072-bit value of *n*, where the private key should be just as large. However the public key may be smaller to accommodate efficient encryption, especially when processing power is limited.

The hardest ECC scheme (publicly) broken to date had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case, this was broken in July 2009 using a cluster of over 200 PlayStation 3 game consoles and could have been finished in 3.5 months using this cluster when running continuously.^{[20]} The binary field case was broken in April 2004 using 2600 computers over 17 months.^{[21]}

A current project is aiming at breaking the ECC2K-130 challenge by Certicom, by using a wide range of different hardware: CPUs, GPUs, FPGA.^{[22]}

### Projective coordinates

A close examination of the addition rules shows that in order to add two points, one needs not only several additions and multiplications in <math>\mathbb{F}_q</math> but also an inversion operation. The inversion (for given <math>x \in \mathbb{F}_q</math> find <math>y \in \mathbb{F}_q</math> such that <math>x y = 1</math>) is one to two orders of magnitude slower^{[23]} than multiplication. Fortunately, points on a curve can be represented in different coordinate systems which do not require an inversion operation to add two points. Several such systems were proposed: in the *projective* system each point is represented by three coordinates <math>(X,Y,Z)</math> using the following relation: <math>x = \frac{X}{Z}</math>, <math>y = \frac{Y}{Z}</math>; in the *Jacobian system* a point is also represented with three coordinates <math>(X,Y,Z)</math>, but a different relation is used: <math>x = \frac{X}{Z^2}</math>, <math>y = \frac{Y}{Z^3}</math>; in the *López–Dahab system* the relation is <math>x = \frac{X}{Z}</math>, <math>y = \frac{Y}{Z^2}</math>; in the *modified Jacobian* system the same relations are used but four coordinates are stored and used for calculations <math>(X,Y,Z,aZ^4)</math>; and in the *Chudnovsky Jacobian* system five coordinates are used <math>(X,Y,Z,Z^2,Z^3)</math>. Note that there may be different naming conventions, for example, IEEE P1363-2000 standard uses "projective coordinates" to refer to what is commonly called Jacobian coordinates. An additional speed-up is possible if mixed coordinates are used.^{[24]}

### Fast reduction (NIST curves)

Reduction modulo *p* (which is needed for addition and multiplication) can be executed much faster if the prime *p* is a pseudo-Mersenne prime, that is <math>p \approx 2^d</math>; for example, <math>p = 2^{521} - 1</math> or <math>p = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1.</math> Compared to Barrett reduction, there can be an order of magnitude speed-up.^{[25]} The speed-up here is a practical rather than theoretical one, and derives from the fact that the moduli of numbers against numbers near powers of two can be performed efficiently by computers operating on binary numbers with bitwise operations.

The curves over <math>\mathbb{F}_p</math> with pseudo-Mersenne *p* are recommended by NIST. Yet another advantage of the NIST curves is that they use *a* = −3, which improves addition in Jacobian coordinates.

According to Bernstein and Lange, many of the efficiency-related decisions in NIST FIPS 186-2 are sub-optimal. Other curves are more secure and run just as fast.^{[26]}

## Applications

Elliptic curves are applicable for encryption, digital signatures, pseudo-random generators and other tasks. They are also used in several integer factorization algorithms that have applications in cryptography, such as Lenstra elliptic curve factorization.

In 1999, NIST recommended 15 elliptic curves.^{[citation needed]} Specifically, FIPS 186-3 has 10 recommended finite fields:

- Five prime fields <math>\mathbb{F}_p</math> for certain primes
*p*of sizes 192, 224, 256, 384, and 521^{[27]}bits. For each of the prime fields, one elliptic curve is recommended. - Five binary fields <math>\mathbb{F}_{2^m}</math> for
*m*equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one Koblitz curve was selected.

The NIST recommendation thus contains a total of 5 prime curves and 10 binary curves. The curves were ostensibly chosen for optimal security and implementation efficiency.^{[28]}

In 2013, the *New York Times* stated that Dual Elliptic Curve Deterministic Random Bit Generation (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of NSA, which had included a deliberate weakness in the algorithm and the recommended elliptic curve. RSA Security in September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG.^{[29]}^{[30]} In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic curves,^{[31]} suggesting a return to encryption based on non-elliptic-curve groups.

## Security

### Side-channel attacks

Unlike most other DLP systems (where it is possible to use the same procedure for squaring and multiplication), the EC addition is significantly different for doubling (*P* = *Q*) and general addition (*P* ≠ *Q*) depending on the coordinate system used. Consequently, it is important to counteract side channel attacks (e.g., timing or simple/differential power analysis attacks) using, for example, fixed pattern window (a.k.a. comb) methodsTemplate:Clarify^{[32]} (note that this does not increase computation time). Alternatively one can use an Edwards curve; this is a special family of elliptic curves for which doubling and addition can be done with the same operation.^{[33]} Another concern for ECC-systems is the danger of fault attacks, especially when running on smart cards.^{[34]}

### Backdoors

Cryptographic experts have expressed concerns that the National Security Agency has inserted a kleptographic backdoor into at least one elliptic curve-based pseudo random generator.^{[35]} Internal memos leaked by former NSA contractor, Edward Snowden, suggest that the NSA put a backdoor in the Dual_EC_DRBG standard.^{[36]} One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of ciphertext.^{[37]}

The SafeCurves project has been launched in order to catalog curves that are easy to securely implement and are designed in a fully publicly verifiable way to minimize the chance of a backdoor.^{[38]}

### Quantum computing attacks

In contrast with its current standing over RSA, elliptic curve cryptography is expected to be more vulnerable to an attack based on Shor's algorithm.^{[39]} In theory, making a practical attack feasible many years before an attack on an equivalently secure RSA scheme is possible.^{[40]} This is because smaller elliptic curve keys are needed to match the classical security of RSA. The work of Proos and Zalka show how a quantum computer for breaking 2048-bit RSA requires roughly 4096 qubits, while a quantum computer to break the equivalently secure 224-bit Elliptic Curve Cryptography requires between 1300 and 1600 qubits.

To avoid quantum computing concerns, an elliptic curve-based alternative to Elliptic Curve Diffie Hellman which is not susceptible to Shor's attack is the Supersingular Isogeny Diffie–Hellman Key Exchange of De Feo, Jao and Plut. It uses elliptic curve isogenies to create a drop-in replacement for the quantum attackable Diffie–Hellman and Elliptic curve Diffie–Hellman key exchanges. This key exchange uses the same elliptic curve computational primitives of existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems.^{[41]}

In August, 2015, NSA announced that it planned to transition "in the not distant future" to a new cipher suite that is resistant to quantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."^{[3]}

## Patents

At least one ECC scheme (ECMQV) and some implementation techniques are covered by patents.

## Alternative representations

Alternative representations of elliptic curves include:

- Hessian curves
- Edwards curves
- Twisted curves
- Twisted Hessian curves
- Twisted Edwards curve
- Doubling-oriented Doche–Icart–Kohel curve
- Tripling-oriented Doche–Icart–Kohel curve
- Jacobian curve
- Montgomery curve

## See also

- Cryptocurrency
- Curve25519
- DNSCurve
- ECC patents
- ECDH
- Elliptic Curve Digital Signature Algorithm
- ECMQV
- Elliptic curve point multiplication
- Homomorphic Signatures for Network Coding
- Pairing-based cryptography
- Public-key cryptography
- Quantum cryptography

## Notes

## References

- Standards for Efficient Cryptography Group (SECG), SEC 1: Elliptic Curve Cryptography, Version 1.0, September 20, 2000. (archived as if Nov 11, 2014)
- D. Hankerson, A. Menezes, and S.A. Vanstone,
*Guide to Elliptic Curve Cryptography*, Springer-Verlag, 2004. - I. Blake, G. Seroussi, and N. Smart,
*Elliptic Curves in Cryptography*, London Mathematical Society 265, Cambridge University Press, 1999. - I. Blake, G. Seroussi, and N. Smart, editors,
*Advances in Elliptic Curve Cryptography*, London Mathematical Society 317, Cambridge University Press, 2005. - L. Washington,
*Elliptic Curves: Number Theory and Cryptography*, Chapman & Hall / CRC, 2003. - The Case for Elliptic Curve Cryptography, National Security Agency (archived January 17, 2009)
- Online Elliptic Curve Cryptography Tutorial, Certicom Corp. (archived here as of March 3, 2016)
- K. Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007 Page(s):239–244
- Saikat Basu, A New Parallel Window-Based Implementation of the Elliptic Curve Point Multiplication in Multi-Core Architectures, International Journal of Network Security, Vol. 13, No. 3, 2011, Page(s):234–241 (archived here as of March 4, 2016)
- Christof Paar, Jan Pelzl, "Elliptic Curve Cryptosystems", Chapter 9 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers elliptic curve cryptography), Springer, 2009. (archived here as of April 20, 2016)
- Luca De Feo, David Jao, Jerome Plut, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, Springer 2011. (archived here as of May 7, 2012)

## External links

{{#invoke:Side box|main}}

- Certicom ECC Tutorial
- a relatively easy to understand primer on elliptic curve cryptography
- Elliptic curves and their implementation by Adam Langley (OpenSSL dev).
- Interactive introduction to elliptic curves and elliptic curve cryptography with Sage by Maike Massierer and the CrypTool team
- How did the NSA hack our e-mails? explained by Mathematician Edward Frenkel
- How to design an elliptic-curve signature system by Daniel J. Bernstein

- ↑ Commercial National Security Algorithm Suite and Quantum Computing FAQ U.S. National Security Agency, January 2016
- ↑ "Fact Sheet NSA Suite B Cryptography".
*U.S. National Security Agency*. Archived from the original on 2009-02-07. https://web.archive.org/web/20090207005135/http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml. - ↑
^{3.0}^{3.1}https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml - ↑ RSA Laboratories. "6.3.4 Are elliptic curve cryptosystems patented?". http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/are-elliptic-curve-cryptosystems-patented.htm. Retrieved 15 December 2014.
- ↑ Bernstein, D. J.. "Irrelevant patents on elliptic-curve cryptography". http://cr.yp.to/ecdh/patents.html.
- ↑ Template:Cite journal
- ↑ Template:Cite journal
- ↑ "The Case for Elliptic Curve Cryptography".
*NSA*. Archived from the original on 2009-01-17. https://web.archive.org/web/20090117023500/http://www.nsa.gov/business/programs/elliptic_curve.shtml. - ↑ http://www.secg.org/download/aid-390/gec2.pdf
- ↑ Template:Cite journal
- ↑ Template:Cite journal
- ↑ Gaudry, P.; Hess, F.; Smart, N. P. (2000). "Constructive and destructive facets of Weil descent on elliptic curves".
*Hewlett Packard Laboratories Technical Report*. http://www.hpl.hp.com/techreports/2000/HPL-2000-10.pdf. - ↑ Template:Cite journal
- ↑ Template:Cite journal
- ↑ IEEE P1363, section A.12.1
- ↑ Template:Cite journal
- ↑ Template:Cite journal
- ↑ Template:Cite journal
- ↑ NIST, Recommendation for Key Management—Part 1: general, Special Publication 800-57, August 2005.
- ↑ http://lacal.epfl.ch/page81774.html
- ↑ "Certicom Announces Elliptic Curve Cryptography Challenge Winner".
*Certicom*. April 27, 2004. Archived from the original on 2011-07-19. https://web.archive.org/web/20110719233751/https://www.certicom.com/index.php/2004-press-releases/36-2004-press-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months-. - ↑ http://www.ecc-challenge.info/
- ↑ Template:Cite journal
- ↑ Template:Cite journal
- ↑ Template:Cite journal
- ↑ Daniel J. Bernstein; Tanja Lange. "SafeCurves: choosing safe curves for elliptic-curve cryptography". https://safecurves.cr.yp.to/. Retrieved 1 December 2013.
- ↑ The sequence may seem suggestive of a typographic error. Nevertheless, the last value is 521 and not 512 bits.
- ↑ FIPS PUB 186-3, Digital Signature Standard (DSS).
- ↑ Kim Zetter, RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
*Wired*, 19 September 2013. "Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used." - ↑ "Due to the debate around the Dual EC DRBG standard highlighted recently by the National Institute of Standards and Technology (NIST), NIST re-opened for public comment its SP 800-90 standard which covers Pseudo-random Number Generators (PRNG)." csrc.nist.gov
- ↑ Bruce Schneier (5 September) "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." See Are the NIST Standard Elliptic Curves Back-doored?,
*Slashdot*, 11 September 2013. - ↑ Template:Cite journal
- ↑ http://blog.cr.yp.to/20140323-ecdsa.html
- ↑ See, for example, Template:Cite journal
- ↑ https://www.schneier.com/essay-198.html
- ↑ "Government Announces Steps to Restore Confidence on Encryption Standards". http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/. Retrieved 2015-11-06.
- ↑ http://rump2007.cr.yp.to/15-shumow.pdf
- ↑ Bernstein, Daniel J.; Lange, Tanja. "SafeCurves: choosing safe curves for elliptic-curve cryptography". http://safecurves.cr.yp.to/.
- ↑ Template:Cite book
- ↑ Template:Cite journal
- ↑ De Feo, Luca; Jao, Plut. "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies".
*Cryptology ePrint Archive, Report 2011/506*. IACR. Archived from the original on 2011. https://eprint.iacr.org. Retrieved 3 May 2014.