White PaperElliptic Curve Cryptography Introduction Today, it is difficult to open a newspaper, watch a television programme or even have a conversation without some mention of the Internet, e-commerce, WAP and m-commerce. Despite all the hype, many people are still reluctant to use all this wonderful technology to perform transacti ons over the Internet. Why? There appear to be many complex sociologi cal reasons for this apparent reluctance to get “on-line”, but one reason commonly stated in surveys is the perceived lack of security of the Internet. In this Paper: Introduction 1 The RSA 1 Cryptosystem Elliptic Curve 3 CryptographyProblems & 4 Issues Conclusions 6References 7Security purists would say that the Internet is insecure, but the truth is that it is probably a lot more secure than many other systems that we use everyday. Indeed, you are far more likely to have your credit card copied in a restaurant than to have your credit card numberintercepted in cyberspace. Nonetheless, the percepti on is there. Cryptographic technology already exists to protect data during transmission over the Internet. For example, many applications support digital signatures and encryption, using extremely powerful algorithms (e.g. the Secure Electronic Transaction (SET) protocol, supported by Visa and MasterCard). Furthermore, the regulatory fr amework to support the legality and use of digital signatures is slow ly coming into being. The United Kingdom El ectronic Commerce Bill, essentially giving the same legal status to digital signatures as already enjoyed by written signatures, came into force earlier t his year (2000). Many other countries have similar l aws on their statute books. The de-facto cryptographic algorithm for digital signatures and for encryption of symmetric keys (for distribution purposes) is the Rivest, Shamir & Adleman (RSA) public key scheme (Ref.1). Although RSA is highly secu re and widely used, there are some potential proble ms with its use. The purpose of this paper is to describe an alternative technol ogy, based on mathematical objects known as elliptic curves, which can in some circumstances provide significant benefits over the use of RSA (or so it is believed!). The RSA Cryptosystem We begin with a brief review of the RS A scheme. It is based on the hard mathematical problem of integer factorisation, i.e. given a number that is the product of two large prime numbers, factorise the number to find the primes. RSA Key generation Given the “public exponent” e, generate two large prime numbers p and q, such that (p-1) and e have no common divisor greater than 1 and (q-1) and e have no prime divisor greaterthan 1. Let n = pq, the product of p and q. Solve (for d) the equation ed ≡ 1 mod (p-1)(q-1). The public key is the pair of numbers {n,e} and the private key is the pair {n,d}.
Today, it is difficult to open a newspaper, watch a television programme or even have aconversation without some mention of the Internet, e-commerce, WAP and m-commerce.Despite all the hype, many people are still reluctant to use all this wonderful technology toperform transactions over the Internet. Why? There appear to be many complex sociological
reasons for this apparent reluctance to get “on-line”, but one reason commonly stated insurveys is the perceived lack of security of the Internet.
In this Paper:
Introduction 1
The RSA 1Cryptosystem
Elliptic Curve 3Cryptography
Problems & 4Issues
Conclusions 6
References 7
Security purists would say that the Internet is insecure, but the truth is that it is probably a lotmore secure than many other systems that we use everyday. Indeed, you are far more likelyto have your credit card copied in a restaurant than to have your credit card number intercepted in cyberspace. Nonetheless, the perception is there.
Cryptographic technology already exists to protect data during transmission over the Internet.For example, many applications support digital signatures and encryption, using extremelypowerful algorithms (e.g. the Secure Electronic Transaction (SET) protocol, supported byVisa and MasterCard). Furthermore, the regulatory framework to support the legality and useof digital signatures is slowly coming into being. The United Kingdom Electronic Commerce
Bill, essentially giving the same legal status to digital signatures as already enjoyed by writtensignatures, came into force earlier this year (2000). Many other countries have similar lawson their statute books.
The de-facto cryptographic algorithm for digital signatures and for encryption of symmetrickeys (for distribution purposes) is the Rivest, Shamir & Adleman (RSA) public key scheme(Ref.1). Although RSA is highly secure and widely used, there are some potential problemswith its use. The purpose of this paper is to describe an alternative technology, based onmathematical objects known as elliptic curves, which can in some circumstances providesignificant benefits over the use of RSA (or so it is believed!).
The RSA Cryptosystem
We begin with a brief review of the RSA scheme. It is based on the hard mathematicalproblem of integer factorisation, i.e. given a number that is the product of two large primenumbers, factorise the number to find the primes.
RSA Key generation
Given the “public exponent” e, generate two large prime numbers p and q, such that (p-1)and e have no common divisor greater than 1 and (q-1) and e have no prime divisor greater than 1. Let n = pq, the product of p and q.
Solve (for d) the equation ed ≡ 1 mod (p-1)(q-1).The public key is the pair of numbers {n,e} and the private key is the pair {n,d}.
Encryption uses a public key, so that the ciphertext corresponding to plaintext m is c = me
(mod n).Decryption uses the corresponding private key, so m = c
d(mod n).
RSA Digital Signatures
In simple terms, signature generation is equivalent to decryption and signature verification isthe same as encryption.
Remarks
The security of RSA is thought to be equivalent to the difficulty of factorising the modulus, n.The size of an RSA key is usually measured in terms of the number of bits in the modulus. Ingeneral, the larger the key the higher the security level.A 512 bit RSA key was recently “cracked” (i.e. factorised), albeit using massive amounts of computer power. Nowadays it is recommended that much larger key sizes are used; newsystems frequently use keys that are 1024 bits or more.The Carte Bancaire system recently cracked by a French engineer was using a 320 bitmodulus.
RSA Problems
RSA is a highly secure algorithm and (provided keys are generated properly) the only knownway to attack it is to perform a “brute-force” attack on the modulus. This attack can be easilydefeated by simply increasing the key size. However, this approach can lead to a number of problems:
Increased processing time – as a rough guide, decryption time increases 8-fold as key sizesdouble.Increased key storage requirement – RSA key storage (private keys and public keycertificates) require significant amounts of memory for storage.
Furthermore,
Key generation is complex and time consuming – times increase significantly as key sizesincrease. Memory constrained devices cannot easily generate RSA keys and so may needto have keys generated by another system. However, this means that the non-repudiationservice may not be achievable.
The problems given above are not necessarily significant for a Personal Computer (for example), but they are potentially major problems for devices with limited memory capacityand processing power, such as smart cards or mobile phones. Consequently, in some casesalternative algorithms for generating digital signatures and encrypting symmetric keys aredesirable.
A number of alternative algorithms already exist, for example the Digital Signature Algorithm(DSA, Ref.2) for signatures and Diffie-Hellman (Ref.3) for key exchange. These algorithmsare based on a different hard mathematical problem, namely the Discrete LogarithmProblem
1. Unfortunately, in order to achieve levels of security comparable with RSA, these
algorithms require similar key sizes and so do not really solve the problem.What is really needed is a public key algorithm that achieves high levels of security, yet usesrelatively short keys. Algorithms based on mathematical objects known as elliptic curvesoffer some interesting possibilities.
Elliptic Curve Cryptography
We begin with a brief (and hopefully relatively non-mathematical) discussion about ellipticcurves. For simplicity, we will concentrate on the “odd case”. There is also an “even case”,similar to the odd case, that has some advantages, but it is rather more complicated todescribe. We will return to the even case later.
What is an Elliptic Curve?
An elliptic curve is a mathematical equation:
y2
= x3
+ ax + b,
where all calculations are performed modulo p, and 4a3
+ 27b2 ≠ 0, modulo p, for some odd
prime p.
This is the “odd” case. As mentioned earlier, the “even” case is similar, with calculationsperformed in the finite field GF(2
m), for some integer m.
The mathematical property that makes elliptic curves useful for cryptography is simply that if we take two (distinct) points on the curve, then the chord joining them intercepts the curve ina third point (because we have a cubic curve). If we then reflect that point in the x-axis weget another point on the curve (since the curve is symmetric about the x-axis). This allows usto define a form of arithmetic on the curve. If we denote the two original points by P and Qthen we will denote the final (reflected) point by P+Q. It turns out that this “addition” satisfiesall the usual algebraic properties that we associate with integers, provided we define a singleadditional point “the point at infinity”, which plays the role of 0 in the integers.
P
Q
P+Q
1 The Discrete Logarithm Problem (DLP) can be most easily summarised as “given a prime number, p,
a base element, g, and the value of gx (mod p), find x”. The problem can be generalised to any finite
In other words, we can define a form of arithmetic on the points of an elliptic curve (plus thepoint at infinity) that lends itself to normal algebraic manipulation. In mathematical terms, wecan define a finite additive abelian group on the points of the curve, with the zero being thepoint at infinity. In particular, if we let the points P and Q coincide, we can define P+P,naturally denoted 2P. Extending this idea, we can define kP, for any integer k, and hence
define the order of P, being the smallest integer k such that kP = Φ, where Φ denotes thepoint at infinity.
We are now in a position to define the “Elliptic Curve Discrete Logarithm Problem”, (ECDLP)which is the reason we are considering these systems:
“Given a “base point” P and the point kP, lying on the curve, find the value of k”
It is believed that, for suitable elliptic curves and base points, this is a really, really hardproblem! From a cryptographic point of view, we are in a position to define newcryptographic systems based on elliptic curves. In particular, any standard system that relieson the discrete logarithm problem has a direct analogy based on the ECDLP. For example,Elliptic Curve DSA (ECDSA) has already been standardised (ANSI X9.62 – Ref.4). Diffie-Hellman key exchange can be easily implemented in an elliptic curve framework.
Security of Elliptic Curve Cryptosystems
Because of the apparent difficulty of the ECDLP, highly secure systems can be designed thatrequire much smaller key sizes than (say) RSA or DSA in order to achieve comparable levelsof security. The following table gives approximate parameter sizes for comparable strengthelliptic curve systems and RSA. This is based on current best techniques for solving theECDLP and factorising large integers.
Elliptic curve system (order of base point P)
RSA (length of modulus n)
106 bits 512 bits
132 bits 768 bits
160 bits 1024 bits
224 bits 2048 bits
Consequently, using elliptic curves we can define highly secure systems that use muchsmaller keys compared with equivalent “traditional” systems, such as RSA or DSA. Inparticular, such systems require relatively modest computing capability and memory – ideal,for example, for a smart card or mobile phone!
Although everything in the elliptic curve garden appears to be very rosy, there are someproblems and issues that are inhibiting the widespread adoption of elliptic curvecryptographic systems.
Some Problems and Issues with Elliptic CurveSystems
Security
The main issue is that the true difficulty of the ECDLP is not fully understood. Recentresearch has shown that some elliptic curves that were believed suitable for elliptic curvecryptography are in fact not appropriate. For example, if the order of the base point P isequal to the prime p then it turns out that the ECDLP can be solved efficiently (see, for example, Ref.5). Such curves are so-called “anomalous” curves.
Research continues in this area, but potential users are understandably wary and many areadopting a “wait and see” approach.
When defining an elliptic curve system, a curve and a base point (P) are required. Note thatthese elements are not secret (and may be the same for all system users). For a given curveand base point, it is trivial to generate public and private keys for users (the private key issimply a random integer k and the public key is the point kP on the curve). However, it is anextremely difficult problem to generate a suitable curve and base point in the first place.
The main problem is how to count the number of points on the curve. Having done this, it isthen necessary to select a suitable base point P, which must have a large order to ensure thedifficulty of the ECDLP. But the order of P must divide the number of points on the curve(remember that the points on the curve, together with the point at infinity form a finite group).So, having found the number of points on the curve, it is quite likely that a suitable base pointcannot be found. There are a variety of other restrictions that must be satisfied whengenerating curves, see for example Ref.6.
The upshot of this is that curve generation is definitely a non-trivial task. Users can use“standard” curves (see, for example, Ref.4), use special curve generation software (such asthe Thales e-Security “Elliptic Curve Generation Bureau”) or spend a great deal of time andeffort generating their own curves.
Incompatible Systems
The “odd” and “even” elliptic curve implementations are similar, but sufficiently different toensure that an “odd” system will be incompatible with an “even” system. Furthermore, withinthe even case there are a number of ways to represent curves and base points and a user with a system appropriate for one representation may not be able to communicatesuccessfully with a user with a different representation.
This is different to the case of RSA, where (in theory) all implementations are compatible.
Ignoring issues of compatibility, there are good reasons to use “even” elliptic curve systems,mainly to do with speed of processing, but here again users need to be wary. A number of
experts in this area believe that the ECDLP may be easier to solve for the even case than theodd case, although it must be admitted that the evidence for such assertions is a little flimsy.
Royalties and Patents
The issue of royalties and patents relevant to elliptic curve cryptosystems is somewhatunclear. There are a number of patents in this area, mainly applicable to the even case.
Processing
We have already mentioned that because elliptic curve systems use small key sizes then lesscomputing power is required than (say) RSA. How does this translate into speed of processing? The following table provides comparative figures for RSA and ECDSA (oddcase) signature generation and verification, where both algorithms were implemented usingtwo parallel Motorola 56303 Digital Signal Processors (66 MHz). Note that the RSA signatureverify figures assume the use of a public exponent e = 65537.
Clearly, different implementations will yield different timings, but the pattern is clear. As keysizes increase, signature generation for ECDSA becomes significantly faster thancomparable RSA systems. This difference would be magnified even further if only a singleprocessor were available. On the other hand, signature verification using ECDSA is muchslower than for RSA and again this difference would be even greater if only a singleprocessor were available. Note that ECDSA processing could be improved somewhat if theeven case were implemented.
The time taken for signature verification when using (say) ECDSA may have an adverseimpact on system performance. Many systems have a large number of remote devicescommunicating with a central server. The time taken by the remote device to generate asignature may not be important (several seconds may be acceptable), but the server must beable to validate signatures quickly. RSA based systems (even using large keys) may bemore applicable in some circumstances than elliptic curve systems.
Conclusions
Elliptic curve systems are increasingly seen as an alternative to RSA, rather than areplacement. There are potential advantages, especially when used in devices with limitedprocessing capability and/or memory. Typical applications include:
m-commerce (e.g. WAP mobile phone, hand-held devices)smart card systems (e.g. EMV)e-commerce and banking applications (e.g. SET)internet based applications (e.g. SSL)
There are, however, some problems and issues that are inhibiting the widespread adoption of elliptic curve systems. These include:
the real security of such systems is still not well understooddifficulty of generating suitable curvesincompatibility of implementationsroyalties and patentsrelatively slow signature verification
So, what can be concluded from the above discussion? Elliptic curve systems certainlyappear to provide a viable alternative to RSA – they don’t solve all problems and, indeed,they introduce a few problems of their own. Clearly time will tell, but it does look as thoughsuch systems are here to stay!
R.L.Rivest, A.Shamir & L.M.Adleman, “A method for obtaining digital signatures and publickey cryptosystems”, Communications of the ACM, 21 (1978), 120-126.FIPS 186, “Digital Signature Standard”, 1994.W.Diffie & M.E.Hellman, “New directions in cryptography”, IEEE Transactions on Information
Theory, 22 (1976), 644-654.ANSI X9.62, “Public key cryptography for the financial services industry – the elliptic curvedigital signature algorithm (ECDSA)”, 1999.N.P.Smart, “The discrete logarithm problem on elliptic curves of trace one", Journal of Cryptology, Volume 12 (1999), Number 3, 193-196.A.Menezes, T.Okamoto & S.Vanstone, “Reducing elliptic curve logarithms to logarithms in afinite field”, IEEE Transactions on Information Theory, 39 (1993), 1639-1646.
