Review of Cryptanalysis of Elliptic Curve Cryptography
Drew Wicke
Introduction
One interesting cryptosystem is the elliptic curve cryptosystem. In 2005, versions of Elliptic Curve Cryptography joined the NSA's Suite B cryptography, which is used to secure unclassified information [9]. In order for a cipher to be part of this group, the National Institute of Standards and Technology must endorse it, ensuring its usefulness to the US government [10].
The purpose of this paper is to explore the various attacks on elliptic curve cryptography.
In so doing, I provide the reader with a better understanding of how to more securely implement
the cipher. I first give a brief history and overview of elliptic curve cryptography. Then, I
discuss various security issues with elliptic curve encryption.
History
Elliptic curve cryptography (ECC) was discovered independently by Victor S. Miller in 1986 and Neal Koblitz in 1987. Miller, in his paper entitled Use of Elliptic Curves in Cryptography, describes his idea [18]. Neal Koblitz, in his 1987 paper Elliptic Curve Cryptosystems, published the same scheme [19].
[Figure: portraits of Victor S. Miller (1947-) and Neal Koblitz (1948-) [3]]
The foundational mathematics needed to create ECC was laid down by Diophantus, who lived sometime around 250 AD. He published his equation for the elliptic curve in his book Arithmetica [2]. Diophantus also discovered elliptic curve point doubling [1]. However, "We refer to these as Weierstraß equations, in honor of Karl Weierstraß, who studied them in the 1800s" [3].
In order to better understand the attacks on ECC, a basic understanding of how the
system works is needed. First, I show the mathematics of elliptic curves and then I explain how
they are used in cryptography.
Mathematics
The security of public key cryptography depends on the underlying mathematical concepts. For a public key system to be useful, public keys must be generated easily and quickly in order to encipher. However, the private key must be very difficult to recover from the public key. The two major mathematical concepts used in elliptic curve cryptography are elliptic curves and discrete logarithms.
“Elliptic curves are rich mathematical structures which have shown themselves to be
remarkably useful in a range of applications including primality testing and integer factorization”
[22]. For purposes of cryptography, an elliptic curve E can be described by the Weierstrass equation where and . The variables a and b must be elements of the finite field of integers . Note that where p is a prime. A finite field is used because real numbers cannot be represented exactly on computers. Also, the parameters a and b are constrained so that the equation has no multiple roots or singularities. The "singularity of the curve is related to its smoothness. More specifically, a curve is singular if its slope at a point is not defined" [20]. This constraint is imposed so that the curve can be used in cryptography, for if an elliptic curve is singular, it is "isomorphic to either the multiplicative or the additive group over the underlying field itself, depending on the type of singularity", making it useless for cryptography [20]. We must also look at the elliptic curve discrete log problem, ECDLP.
The difficulty of solving the elliptic curve discrete logarithm problem (ECDLP) is the main reason that ECC is secure. The problem is: given two points P and B on an elliptic curve, find an integer x such that xB = P, which can also be written as
. This problem is very similar to the discrete logarithm problem DLP. However, many
authors claim that ECDLP is much more difficult than DLP. Certicom claims that this is because
“Unlike the ordinary discrete logarithm problem and the integer factorization problem, no
subexponential-time algorithm is known for the elliptic curve discrete logarithm problem” [6].
Elliptic Curve Cryptography
Using the mathematics of elliptic curves, I can describe how they are applied to public key cryptography. One method of using elliptic curve cryptography is the ECC version of Diffie-Hellman. The following are the steps to carry out the ECC version of Diffie-Hellman in order to securely agree on keys.
1. Alice and Bob first agree on an elliptic curve E mod p, for some prime p.
2. They then publicly agree on a point B on their shared curve E.
3. Alice selects a random private integer a used to compute aB, which she sends to Bob.
4. Bob selects a random private integer b used to compute bB, which he sends to Alice.
5. Finally, both Alice and Bob are now able to compute abB. From this the x coordinate
can be adapted to act as their secret key for a symmetric system.
Once the key has been agreed upon, Alice and Bob can send encrypted messages by
using Koblitz’s “method of pairing characters and points” [3].
Attacks on ECC
Now that we have refreshed our understanding of how ECC works, I explore the current methods of attacking ECC. There are two main ways to attack ECC: brute force, and statistical analysis of the implementation. There are also known attacks when the user picks a weak curve [21]. However, I do not discuss that attack because it is known to be easily prevented. I first show the brute force methods of solving the ECDLP and show how they are computationally infeasible on current computers. Then, I explore how certain characteristics of electronic devices can lead to breaking ECC.
At the core of ECC lies the extreme difficulty of solving the Elliptic Curve Discrete Logarithm Problem. This extreme difficulty lies in the fact that the ECDLP is in NP. "It should be noted that there is no mathematical proof that the ECDLP is intractable" [15]. For, if there were, it would show that P does not equal NP. Pohlig-Hellman and Pollard-Rho are two of many methods for solving the ECDLP. After explaining how these methods attack the ECDLP, I mention how quantum computers can solve the ECDLP.
Pohlig-Hellman is a well known attack that takes advantage of the fact that solving the
ECDLP can be reduced to solving discrete logarithms in prime order subgroups [15]. This
method utilizes the Chinese Remainder Theorem in order to solve for x in . Formally,
Pohlig-Hellman can be described by computing for values of i s.t. . In
the inequality r is the number of values in the prime factorization of p. Also, p is the power of
the base B in the discrete log. Then, by using the Chinese Remainder theorem, a unique solution
for x is obtained [15].
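The reduction just described, worked as an added Python example that is not from the paper or from [15]. The group is given only by a multiplication callback and its identity, so the same code applies to an elliptic curve group with point addition as the operation and O as the identity; the demonstration group here, the multiplicative group modulo a small prime, and the generators 3 mod 31 and 2 mod 37 are constructed stand-ins chosen because their orders 30 = 2·3·5 and 36 = 2²·3² are smooth.

```python
# Added example (not from the paper): Pohlig-Hellman for a cyclic group given
# only by a multiplication callback and its identity, so the same code applies
# to an elliptic curve group (mul = point addition, identity = O).  The demo
# group, the multiplicative group mod a small prime, is a constructed stand-in.
def factor(n):
    """Prime factorization of n by trial division: {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def group_pow(g, e, mul, identity):
    """g^e by square-and-multiply using only the group operation."""
    result = identity
    for bit in bin(e)[2:]:
        result = mul(result, result)
        if bit == "1":
            result = mul(result, g)
    return result


def dlog_prime_order(g, h, q, mul, identity):
    """Brute-force x in [0, q) with g^x = h, for g of small prime order q.
    (In practice this step is baby-step giant-step or Pollard's rho.)"""
    cur = identity
    for x in range(q):
        if cur == h:
            return x
        cur = mul(cur, g)
    raise ValueError("h is not in the subgroup generated by g")


def crt(residues):
    """Combine (r_i, m_i) pairs with pairwise coprime m_i into x mod prod(m_i)."""
    x, m = 0, 1
    for r, mod in residues:
        x += m * (((r - x) * pow(m, -1, mod)) % mod)
        m *= mod
    return x


def pohlig_hellman(g, h, n, mul, identity):
    """Return x with g^x = h, where g has order n.

    The problem is reduced to one discrete log per prime-power factor q^e of n,
    each solved digit by digit in a subgroup of prime order q, then recombined
    with the Chinese Remainder Theorem.  If n is prime the loop runs once and
    nothing is gained, which is why base points of large prime order resist it."""
    residues = []
    for q, e in factor(n).items():
        qe = q ** e
        g_q = group_pow(g, n // qe, mul, identity)           # has order q^e
        h_q = group_pow(h, n // qe, mul, identity)
        gamma = group_pow(g_q, q ** (e - 1), mul, identity)  # has order q
        x_q = 0                                              # x mod q^e, digit by digit
        for k in range(e):
            shifted = mul(h_q, group_pow(g_q, qe - x_q, mul, identity))  # h_q * g_q^(-x_q)
            h_k = group_pow(shifted, q ** (e - 1 - k), mul, identity)
            x_q += dlog_prime_order(gamma, h_k, q, mul, identity) * q ** k
        residues.append((x_q, qe))
    return crt(residues)


def solve_mod_p(g, h, p):
    """Discrete log in the multiplicative group mod prime p, g a generator."""
    return pohlig_hellman(g, h, p - 1, lambda a, b: a * b % p, 1)


if __name__ == "__main__":
    # constructed instances: 3 generates (Z/31)^*, order 30 = 2*3*5;
    # 2 generates (Z/37)^*, order 36 = 2^2 * 3^2 (exercises the digit lifting)
    print(solve_mod_p(3, pow(3, 17, 31), 31))   # 17
    print(solve_mod_p(2, pow(2, 25, 37), 37))   # 25
```

The cost is dominated by the largest prime factor of the group order, not by the order itself, which is the reason standards require the base point to have prime order (or a tiny cofactor) and why the curve's point count is checked before a curve is accepted.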
The next attack considered is the Pollard-Rho algorithm which also has an exponential
runtime since again we must solve the discrete log problem. However, it is widely held that the
best brute force method of computing the ECDLP is Pollard’s Rho algorithm. This attack has a
few advantages. For example, this method can be easily parallelized and is easily implemented
[15]. Also, this algorithm is very flexible in solving various DLP over different fields [15].
The main formula behind Pollard-Rho is the fact that .
Noting the fact that x is the x in and n is the prime order of the field. The algorithm
runs by randomly picking values for c and d and recording them as well as the result of cB +dP.
The algorithm continues to pick values for c and d until the value of cB + dP is repeated.
Therefore, giving the values for c’, c’’, d’ and d’’ and thus x solving the problem. An example is
given in the appendix of this attack.
Quantum attacks can solve the ECDLP in polynomial time rather than the exponential time it takes on standard computers [8, 14]. Shor's algorithm is a quantum attack on the ECDLP; it was explained in [14] and improved in [8]. However, at this point, quantum algorithms are not much of a concern because quantum computing is not available at this time.
The fact that the ECDLP is so difficult to solve is the main reason for the following indirect types of attacks. Rather than trying to solve the hard ECDLP, researchers find points at which ECC can be broken without needing to solve the ECDLP to read an encrypted message. That is, they do not attack the mathematics but the predictability of the algorithm. These methods "can exploit the power consumption of ECC devices to retrieve secret keys" [12]. Two main types of side-channel attacks (SCAs) perform power analysis: Simple Power Analysis and Differential Power Analysis.
[Figure from [23]]
First, I consider Simple Power Analysis, or SPA. This attack requires access to the cryptographic device that is performing the ECC operations in order to obtain the private key. Essentially, it takes advantage of the fact that a microprocessor carries out, in hardware, the instructions the software has specified. Therefore, by measuring the current drawn by the device over time and combining this with knowledge of how the device works, the different parts of the ECC algorithm can be identified. For example, one way to perform point multiplication is by "using the standard square-and-multiply (or double-and-add) exponentiation method" [13]. With this method the algorithm performs certain operations, such as addition and doubling, based on the value of each bit in the key. "Hence, it is easy to translate from a sequence of adds and doubles obtained through a side channel into a sequence of bits which reveals the secret key" [13].
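The leak quoted from [13], and the standard "double-and-add-always" fix for it, as an added Python example that is not from the paper or from [13]. The group operation is abstracted into add/double callbacks so the same code runs over a curve's point addition; the stand-in used here, the integers modulo a constructed prime under addition, keeps the block self-contained, and the recorded D/A trace depends only on the key bits, not on the group.

```python
# Added example (not from the paper): the operation sequence of double-and-add
# leaks the scalar bit by bit, and "double-and-add-always" removes that leak by
# making every key produce the same sequence.  add/dbl are callbacks so the code
# works unchanged over a curve's point_add; the constructed stand-in group is
# the integers mod Q under addition.  The trace depends only on the key bits.
Q = 1_000_003                            # constructed stand-in group modulus


def stand_in_add(u, v):
    return (u + v) % Q


def stand_in_dbl(u):
    return (2 * u) % Q


def double_and_add(k, base, add=stand_in_add, dbl=stand_in_dbl, identity=0):
    """Left-to-right double-and-add.  Returns (k*base, trace), where trace is
    the D/A operation sequence an SPA measurement of the power line would show."""
    result, trace = identity, []
    for bit in bin(k)[2:]:
        result = dbl(result)
        trace.append("D")
        if bit == "1":                   # key-dependent branch: this is the leak
            result = add(result, base)
            trace.append("A")
    return result, "".join(trace)


def key_from_trace(trace):
    """Reconstruct the scalar from a leaked trace: 'DA' is a 1 bit, a lone 'D' a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i:i + 2] == "DA":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def double_and_add_always(k, base, nbits, add=stand_in_add, dbl=stand_in_dbl, identity=0):
    """Same result, but an addition is performed in every iteration and a fixed
    number of iterations is run, so the trace is 'DA' * nbits for every key.
    This only equalises the operation sequence; it does not by itself defeat
    DPA-style statistical attacks, which need further countermeasures."""
    result, trace = identity, []
    for i in range(nbits - 1, -1, -1):
        result = dbl(result)
        trace.append("D")
        candidate = add(result, base)    # computed whether or not it is kept
        trace.append("A")
        if (k >> i) & 1:
            result = candidate
    return result, "".join(trace)


if __name__ == "__main__":
    secret = 0b101101                    # constructed 6-bit "key"
    value, trace = double_and_add(secret, 7)
    print(trace, "-> recovered", key_from_trace(trace), "==", secret)
    same = double_and_add_always(secret, 7, 8)[1] == double_and_add_always(1, 7, 8)[1]
    print("double-and-add-always traces identical for different keys:", same)
```

Note that `double_and_add_always` also fixes the number of iterations to `nbits`, because the length of the plain trace already reveals the bit length of the scalar; a real implementation would additionally avoid the data-dependent assignment by selecting between `result` and `candidate` in constant time.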
A more advanced version of SPA is Differential Power Analysis, or DPA. This way of attacking ECC is done "by collecting power consumption traces and averaging over a series of acquisitions" [11]. The larger body of data allows the attacker to use statistical analysis and other methods to obtain the key.
Conclusion
As this paper shows, elliptic curve cryptography can be attacked in various ways. However, the attacks require either a supercomputer and a long time, or a high degree of mathematical and engineering expertise, to carry out. I believe this is why ECC was selected to be part of the NSA's Suite B cryptography. Also, elliptic curves make more efficient use of bits on computer systems, making them faster and more useful for embedded systems. I believe that ECC is a good choice for securing data as long as measures are taken to prevent the attacks mentioned in this paper.
References / Further Reading
[1] E Brown & B Myers: Elliptic Curves from Mordell to Diophantus and Back The
Mathematical Association of America Monthly 109, August–September 2002, 639-649.
[2] Thomas L. Heath, Diophantus of Alexandria, Cambridge University Press, New York, 1910.
[3] Craig Bauer, Cryptology in Context section 2.14, 2011. Unpublished manuscript.
[4] H.W. Lenstra, Jr. Factoring integers with elliptic curves. Annals of Mathematics, 126: 649-673, 1987.
[5] A. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993.
[6] D. Johnson and A. Menezes, “The elliptic curve digital signature algorithm (ECDSA)”,
Technical report CORR 99-34, Dept. of C&O, University of Waterloo, 1999.
[7] Elliptic Curve Groups and the Discrete Logarithm Problem,
http://www.certicom.com/index.php/
-50-elliptic-curve-groups-and-the-discrete-logarithm-problem
[8] Cheung, D., D. Maslov, J. Mathew, and D. Pradhan, 2008, On the design and optimization of
a quantum polynomial-time attack on elliptic curve cryptography, Proceedings of the 3rd
Workshop on Theory of Quantum Computation, Communication, and Cryptography, volume
5106 of Lecture Notes in Computer Science, pp. 96–104.
[9] Elliptic Curve Cryptography (ECC), http://www.certicom.com/index.php/ecc
[10] NSA Suite B Cryptography, http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
[11] Marc Joye, Pascal Paillier, and Berry Schoenmakers. On Second-Order Differential Power
Analysis. In Cryptographic Hardware and Embedded Systems - Proceedings of CHES 2005.
Springer, 2005.
[12] F. Zhang and Z. J. Shi, “An efficient window-based countermeasure to power analysis of
ECC algorithms,” in Proc. IEEE Int. Conf. Information Technology New Generations, pp. 120-
126, 2008.
[13] C.Walter. Simple power analysis of unified code for ecc double and add. In M. Joye and J.
J. Quisquater, editors, Cryptographic Hardware and Embedded Systems - CHES 04, volume
3156 of Lecture Notes in Computer Science, pages 191- 204, 2004.
[14] J. Proos and C. Zalka. Shor's discrete logarithm quantum algorithm for elliptic curves. Quantum Information and Computation, 3:317–344, 2003.
[15] D. Hankerson, A. J. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography.
Springer-Verlag, 2004.
[16] N. Gura et al., “Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs”, CHES
2004, Aug. 2004.
[17] V. Gupta et al., “Speeding up Secure Web Transactions Using Elliptic Curve
Cryptography”, NDSS 2004, Feb. 2004.
[18] V. S. Miller, "Use of elliptic curves in cryptography", Advances in Cryptology - CRYPTO '85 (LNCS 218), pp. 417-426, 1986.
[19] N. Koblitz, "Elliptic curve cryptosystems", Mathematics of Computation 48, pp. 203-209, 1987.
[20] Avi Kak, “Lecture 14: Elliptic Curve Cryptography and Digital
Rights Management” http://cobweb.ecn.purdue.edu/~kak/compsec/NewLectures/Lecture14.pdf
[21] Peter Novotney, “Weak Curves In Elliptic Curve Cryptography”,
modular.math.washington.edu/edu/2010/414/projects/novotney.pdf
[22] M. J. B. Robshaw and Yiqun Lisa Yin, "Overview of Elliptic Curve Cryptosystems." http://www.rsa.com/rsalabs/node.asp?id=2013
[23] "Security Measures for Mobile Devices" http://www.hitachi.com/rd/yrl/people/mof/index04.html
General Links
http://www.certicom.com/index.php/ecc-tutorial - good tutorial on ECC
http://www.deviceforge.com/articles/AT4234154468.html - compares ECC to other ciphers
http://labs.oracle.com/projects/crypto/ - list of research papers on ECC
http://www.dkrypt.com/home/ecc - an implementation tutorial on ECC
http://www.rsa.com/rsalabs/node.asp?id=2013 – interesting overview of ECC
http://saluc.engr.uconn.edu/refs/sidechannel/index.html - list of references on Side Channel Attacks
Appendix
Point Addition
The negative of the point is the point . If P and Z are
distinct points such that P is not -Q, then P + Q = R where
Note that s is the slope of the line through P and Q.
Point Doubling
Provided that is not 0,
2P = R where
Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the
line through P and Q.
The above was taken from:
http://www.certicom.com/index.php/32-arithmetic-in-an-elliptic-curve-group-over-fp.
The following example of Pollard's rho algorithm was taken from [15] to better show how the attack works.
The algorithm mentioned in the above example is given below [15].
Please note that example and algorithm were taken from [15].
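The point addition and doubling formulas of this appendix, the five ECDH steps from the Elliptic Curve Cryptography section, and the Pollard rho collision c'B + d'P = c''B + d''P from the Attacks section, worked together as one added Python example that is not from the paper, from [15], or from the Certicom page cited above. The curve y² = x³ + x + 1 over F_23, the generator G = (3, 10) and the base point B = 4G of prime order 7 are a constructed toy instance; the rho walk uses a three-way partition of the points by x-coordinate and Floyd's cycle finding, which is the memory-free form of the attack that [15] describes after the table-based version the paper summarises.

```python
# Added example (not from the paper or from [15]): affine Weierstrass arithmetic
# over F_p following the appendix formulas, double-and-add scalar multiplication,
# the paper's five-step ECDH exchange, and Pollard's rho for the ECDLP in the
# paper's notation: walk R = cB + dP until a collision c'B + d'P = c''B + d''P.
# The curve y^2 = x^3 + x + 1 over F_23 is a constructed toy instance; real
# deployments use ~256-bit primes and base points of large prime order.
import random

P_MOD, A, B_COEF = 23, 1, 1      # constructed toy curve parameters
INF = None                       # point at infinity O, the group identity

def on_curve(pt):
    """Check y^2 = x^3 + a*x + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B_COEF)) % P_MOD == 0

def point_add(p1, p2):
    """Chord-and-tangent addition: the appendix formulas with slope s."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                        # P + (-P) = O
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)    # tangent slope (doubling)
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD)           # chord slope
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """k*pt by double-and-add, scanning k from its most significant bit."""
    result = INF
    for bit in bin(k)[2:]:
        result = point_add(result, result)
        if bit == "1":
            result = point_add(result, pt)
    return result

def point_order(pt):
    """Smallest n > 0 with n*pt = O (brute force; fine for a toy curve)."""
    n, cur = 1, pt
    while cur is not INF:
        cur = point_add(cur, pt)
        n += 1
    return n

def ecdh(base, a, b):
    """Steps 3-5 of the paper's ECDH: Alice sends aB, Bob sends bB, both form abB
    and take its x-coordinate as the symmetric key."""
    alice_shared = scalar_mult(a, scalar_mult(b, base))  # Alice: a * (bB)
    bob_shared = scalar_mult(b, scalar_mult(a, base))    # Bob:   b * (aB)
    assert alice_shared == bob_shared
    return alice_shared[0]

def pollard_rho(base, target, n, rng=random):
    """Find x with x*base = target, where base has prime order n.

    From a collision c'B + d'P = c''B + d''P follows (c' - c'')B = (d'' - d')P,
    so x = (c' - c'') / (d'' - d') mod n.  The walk is deterministic and Floyd's
    cycle finding detects the repeat without storing every visited point."""
    def step(r, c, d):
        part = 0 if r is INF else r[0] % 3               # pseudo-random partition
        if part == 0:
            return point_add(r, target), c, (d + 1) % n  # R + P
        if part == 1:
            return point_add(r, r), 2 * c % n, 2 * d % n # 2R
        return point_add(r, base), (c + 1) % n, d        # R + B

    for _ in range(100):                                 # retry degenerate collisions
        c, d = rng.randrange(n), rng.randrange(n)
        tortoise = (point_add(scalar_mult(c, base), scalar_mult(d, target)), c, d)
        hare = step(*step(*tortoise))
        while tortoise[0] != hare[0]:
            tortoise = step(*tortoise)
            hare = step(*step(*hare))
        (_, c1, d1), (_, c2, d2) = tortoise, hare
        if (d2 - d1) % n:
            return (c1 - c2) * pow((d2 - d1) % n, -1, n) % n
    raise RuntimeError("no usable collision found")

if __name__ == "__main__":
    G = (3, 10)                                          # generator of the 28-point group
    B = scalar_mult(4, G)                                # base point of prime order 7
    n = point_order(B)
    print("2G =", scalar_mult(2, G), "| B =", B, "of order", n)
    print("ECDH key (x-coordinate):", ecdh(B, 3, 5))
    print("Pollard rho recovers x =", pollard_rho(B, scalar_mult(5, B), n))
```

On this curve the rho walk collides after a handful of steps; on a curve whose base point has a 256-bit prime order the same walk needs on the order of 2^128 steps, which is the "computationally infeasible" figure the Attacks section relies on. The `scalar_mult` here is the plain double-and-add whose operation sequence the SPA discussion shows to be observable, so a deployed implementation would replace it with a constant-sequence variant.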