Review of Cryptanalysis of Elliptic Curve Cryptography
Drew Wicke
Introduction
One interesting cryptosystem is the elliptic curve cryptosystem. In 2005, versions of
Elliptic Curve Cryptography joined the NSA’s Suite B cryptography, which is used to secure
unclassified information [9]. In order for a cipher to be part of this group, the National Institute
of Standards and Technology must endorse it, ensuring its usefulness to the US government [10].
The purpose of this paper is to explore the various attacks on elliptic curve cryptography.
In so doing, I provide the reader with a better understanding of how to more securely implement
the cipher. I first give a brief history and overview of elliptic curve cryptography. Then, I
discuss various security issues with elliptic curve encryption.
History
Elliptic curve cryptography (ECC) was discovered independently by Victor S. Miller in
1986 and Neal Koblitz in 1987. Miller, in his paper entitled Use of Elliptic Curves in
Cryptography, describes his idea [18]. Also, Neal Koblitz, in his 1987 paper Elliptic Curve
Cryptosystems, published the same scheme [19].
[Photographs: Victor S. Miller (1947-) and Neal Koblitz (1948-)] [3]
The foundational mathematics that was needed to create ECC was laid by Diophantus,
who lived sometime around 250 AD. He published his equation for the elliptic curve in his book
Arithmetica [2]. Diophantus also discovered elliptic curve point doubling [1]. However, “We
refer to these as Weierstraß equations, in honor of Karl Weierstraß, who studied them in the
1800s” [3].
In order to better understand the attacks on ECC, a basic understanding of how the
system works is needed. First, I show the mathematics of elliptic curves and then I explain how
they are used in cryptography.
Mathematics
The security of public key cryptography depends on the underlying mathematical
concepts. For a public key system to be useful, public keys must be easily and quickly generated
in order to encipher. However, the private key must be very difficult to discover from the public
key. The two major mathematical concepts used in elliptic curve cryptography are elliptic
curves and discrete logarithms.
“Elliptic curves are rich mathematical structures which have shown themselves to be
remarkably useful in a range of applications including primality testing and integer factorization”
[22]. For purposes of cryptography, an elliptic curve E can be described by the Weierstrass
equation where and . The variables a and b
must be elements of the finite field of integers . Note that where p is a prime. The
A finite field is used because real numbers cannot be represented exactly on
computers. Also, the variables a and b are constrained so that the equation will not have
multiple roots or singularities. The “singularity of the curve is related to its smoothness. More
specifically, a curve is singular if its slope at a point is not defined” [20]. This constraint is
required for elliptic curves to be usable in cryptography: if an elliptic curve is singular, it is
“isomorphic to either the multiplicative or the additive group over the underlying field itself,
depending on the type of singularity”, which makes it useless for cryptography [20]. We
must also look at the elliptic curve discrete log problem, ECDLP.
The difficulty of solving the elliptic curve discrete logarithm problem (ECDLP) is the
main reason that ECC is secure. The problem is that you are given two points P and B on an
elliptic curve and must find an integer x such that xB = P, which can also be written as
. This problem is very similar to the discrete logarithm problem (DLP). However, many
authors claim that the ECDLP is much more difficult than the DLP. Certicom claims that this is because
“Unlike the ordinary discrete logarithm problem and the integer factorization problem, no
subexponential-time algorithm is known for the elliptic curve discrete logarithm problem” [6].
Elliptic Curve Cryptography
Using the mathematics of elliptic curves, I can describe how they are applied to public key
cryptography. One way to apply elliptic curve cryptography is an elliptic curve version of Diffie-
Hellman key agreement. The following are the steps to carry out the ECC version of Diffie-Hellman in order to
securely agree on keys.
1. Alice and Bob first agree on an elliptic curve E mod p, for some prime p.
2. They then publicly agree on a point B on their shared curve E.
3. Alice selects a random private integer a used to compute aB, which she sends to Bob.
4. Bob selects a random private integer b used to compute bB, which he sends to Alice.
5. Finally, both Alice and Bob are now able to compute abB. From this the x coordinate
can be adapted to act as their secret key for a symmetric system.
Once the key has been agreed upon, Alice and Bob can send encrypted messages by
using Koblitz’s “method of pairing characters and points” [3].
Attacks on ECC
Now that we have refreshed our understanding of how ECC works, I explore the current
methods of attacking ECC. There are two main ways to attack ECC: brute force and statistical
analysis of the device performing the computation. There are also known attacks when the user picks a weak curve [21].
However, I do not discuss this attack because it is known to be easily prevented. I first show the
brute force methods of solving the ECDLP and show how they are computationally infeasible on
current computers. Then, I explore how certain characteristics of electronic devices can lead to
breaking ECC.
At the core of ECC lies the extreme difficulty of solving the Elliptic Curve Discrete
Logarithm Problem. The extreme difficulty lies in the fact that the ECDLP is in NP. “It should be
noted that there is no mathematical proof that the ECDLP is intractable” [15]. For, if there were,
it would show that P does not equal NP. Pohlig-Hellman and Pollard-Rho are two of
many methods for solving the ECDLP. After explaining how these methods attack the ECDLP, I
mention how quantum computers can solve the ECDLP.
Pohlig-Hellman is a well known attack that takes advantage of the fact that solving the
ECDLP can be reduced to solving discrete logarithms in prime order subgroups [15]. This
method utilizes the Chinese Remainder Theorem in order to solve for x in . Formally,
Pohlig-Hellman can be described by computing for values of i s.t. . In
the inequality r is the number of values in the prime factorization of p. Also, p is the power of
the base B in the discrete log. Then, by using the Chinese Remainder theorem, a unique solution
for x is obtained [15].
The next attack considered is the Pollard-Rho algorithm, which also has an exponential
runtime since again we must solve the discrete log problem. However, it is widely held that the
best brute force method of computing the ECDLP is Pollard’s Rho algorithm. This attack has a
few advantages: it can be easily parallelized and is easily implemented
[15], and it is very flexible in solving various DLPs over different fields [15].
The main formula behind Pollard-Rho is the fact that .
Noting the fact that x is the x in and n is the prime order of the field. The algorithm
runs by randomly picking values for c and d, recording them along with the result of cB + dP,
and continuing to pick values for c and d until a value of cB + dP is repeated.
This collision yields the values c’, c’’, d’ and d’’, from which x is obtained, solving the problem. An example of
this attack is given in the appendix.
Quantum attacks can solve the ECDLP in polynomial time rather than the exponential
time it takes on standard computers [8, 14]. Shor’s algorithm is a quantum attack on the
ECDLP; it was explained in [14] and an improvement was made in [8]. However, at this point,
quantum algorithms are not a practical concern because quantum
computing is not available at this time.
The fact that the ECDLP is so difficult to solve is the main reason for the following indirect
types of attacks. Rather than trying to solve the hard ECDLP, researchers find points at which
ECC can be broken without needing to solve the ECDLP to read an encrypted message. That is,
they do not attack the mathematics, but the predictability of the implementation. These methods “can exploit
the power consumption of ECC devices to retrieve secret keys” [12]. There are two main types
of Side-Channel Attacks (SCAs) that perform power analysis. They
are Simple Power Analysis and Differential Power Analysis.
First, I consider Simple Power Analysis, or SPA. This attack requires access to the
cryptographic device that is performing the ECC operations in order to obtain the private key.
Essentially, this attack takes advantage of the fact that the microprocessor carries out in
hardware exactly the instructions that the software has specified. Therefore, by measuring the current
flowing through the wires of the device over time, combined with knowledge of how the device works, the
different parts of the ECC algorithm can be identified. For example, one way to perform point
multiplication is by “using the standard square-and-multiply (or double-and-add) exponentiation
method” [13]. When using this method the algorithm performs certain operations, such as
addition and doubling, based on the value of each bit in the key. “Hence, it is easy to translate
from a sequence of adds and doubles obtained through a side channel into a sequence of bits
which reveals the secret key” [13].
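The following is an added example, not code from the paper: it carries out the Diffie-Hellman steps listed earlier on a constructed toy curve, and makes the double-and-add leak described in the quotation concrete by recording the sequence of adds and doubles (the bits are recovered from that trace alone), next to a Montgomery ladder whose sequence does not depend on the key. The curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) and the function names are my own choices; the trace stands in for what a power measurement would reveal.

```python
# Added example (not the paper's code): toy ECDH plus an op-trace view of the SPA leak.
P_MOD = 17      # constructed toy field prime, far too small for real use
A_COEF = 2      # curve y^2 = x^3 + 2x + 2 over F_17 (b = 2), group order 19
G = (5, 1)      # base point B of the paper; None stands for the point at infinity

def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)      # Fermat inverse, P_MOD prime

def add(P, Q):
    """Affine chord-and-tangent addition; doubling when P == Q."""
    if P is None or Q is None: return P or Q      # O + Q = Q, P + O = P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                # P + (-P) = infinity
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def double_and_add(k, P):
    """k*P for k >= 1 plus its op trace: a 'D' per bit, an 'A' only for 1-bits."""
    R, ops = P, []
    for bit in bin(k)[3:]:                         # bits after the leading 1
        R = add(R, R); ops.append("D")
        if bit == "1":
            R = add(R, P); ops.append("A")
    return R, ops

def bits_from_trace(ops):
    """What an SPA observer recovers from the D/A sequence alone."""
    bits = "1"
    for op in ops:
        bits = bits + "0" if op == "D" else bits[:-1] + "1"
    return int(bits, 2)

def ladder(k, P):
    """Montgomery ladder: one add and one double per bit, so the trace is key-independent."""
    R0, R1, ops = None, P, []
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = add(R0, R1), add(R1, R1)
        else:
            R1, R0 = add(R0, R1), add(R0, R0)
        ops.append("AD")
    return R0, ops

def ecdh(a, b):
    """Steps 3-5 of the paper: Alice sends aB, Bob sends bB, both derive abB."""
    a_pub, b_pub = double_and_add(a, G)[0], double_and_add(b, G)[0]
    alice, bob = double_and_add(a, b_pub)[0], double_and_add(b, a_pub)[0]
    assert alice == bob
    return alice[0]                                # x coordinate seeds the symmetric key
```

With a = 3 and b = 7 the shared point is 21G = 2G = (6, 3), so both sides derive 6; the trace of double_and_add(7, G) is D, A, D, A, which bits_from_trace turns straight back into 7, whereas ladder(4, G) and ladder(7, G) produce the same trace.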
A more advanced version of SPA is Differential Power Analysis, or DPA. This mode of
attacking ECC is done “by collecting power consumption traces and averaging over a series of
acquisitions” [11]. The larger data set allows the attacker to use statistical analysis and other
methods to obtain the key.
Conclusion
As the paper shows, elliptic curve cryptography can be attacked in various ways.
However, these attacks require either a supercomputer and a long time, or a high degree of mathematical and
engineering experience to implement. I believe this is why ECC was selected to be part of the
NSA’s Suite B cryptography. Also, elliptic curves provide a more efficient use of bits on
computer systems, making them faster and more useful for embedded systems. I believe that
ECC is a good choice for securing data as long as measures are taken to prevent the attacks
mentioned in this paper.
References / Further Reading
[1] E. Brown and B. Myers, Elliptic Curves from Mordell to Diophantus and Back, The
Mathematical Association of America Monthly 109, August–September 2002, 639-649.
[2] Thomas L. Heath, Diophantus of Alexandria, Cambridge University Press, New York, 1910.