Date post: 03-Apr-2020

Review of Cryptanalysis of Elliptic Curve Cryptography

Drew Wicke

Introduction

One interesting cryptosystem is the elliptic curve cryptosystem. In 2005, versions of Elliptic Curve Cryptography joined the NSA’s Suite B cryptography, which is used to secure unclassified information [9]. In order for a cipher to be part of this group, the National Institute of Standards and Technology must endorse it, ensuring its usefulness to the US government [10].

The purpose of this paper is to explore the various attacks on elliptic curve cryptography. In so doing, I provide the reader with a better understanding of how to more securely implement the cipher. I first give a brief history and overview of elliptic curve cryptography. Then, I discuss various security issues with elliptic curve encryption.

History

Elliptic curve cryptography (ECC) was discovered independently by Victor S. Miller in 1986 and Neal Koblitz in 1987. Miller, in his paper entitled Use of Elliptic Curves in Cryptography, describes his idea [18]. Also, Neal Koblitz, in his 1987 paper Elliptic Curve Cryptosystems, published the same scheme [19].

Victor S. Miller (1947-) Neal Koblitz (1948-) [3]


The foundational mathematics that was needed to create ECC was laid by Diophantus who lived sometime around 250 AD. He published his equation for the elliptic curve in his book Arithmetica [2]. Diophantus also discovered elliptic curve point doubling [1]. However, “We refer to these as Weierstraß equations, in honor of Karl Weierstraß, who studied them in the 1800s” [3].

In order to better understand the attacks on ECC, a basic understanding of how the system works is needed. First, I show the mathematics of elliptic curves and then I explain how they are used in cryptography.

Mathematics

The security of public key cryptography is dependent upon the underlying mathematical concepts. For a public key system to be useful, public keys must be easily and quickly generated in order to encipher. However, the private key must be very difficult to discover from the public key. The two major mathematical concepts used in elliptic curve cryptography are elliptic curves and discrete logarithms.

“Elliptic curves are rich mathematical structures which have shown themselves to be remarkably useful in a range of applications including primality testing and integer factorization” [22]. For purposes of cryptography, an elliptic curve E can be described by the Weierstrass equation where and . The variables a and b must be elements of the finite field of integers . Note that where p is a prime. A finite field is used because of the inexactness of real number representations on computers. Also, the variables a and b are constrained so that the equation will not contain multiple roots or singularities. The “singularity of the curve is related to its smoothness. More specifically, a curve is singular if its slope at a point is not defined” [20]. This constraint is made so that elliptic curves can be used in cryptography. For if an elliptic curve is singular, it is “isomorphic to either the multiplicative or the additive group over the underlying field itself, depending on the type of singularity” therefore making it useless for cryptography [20]. We must also look at the elliptic curve discrete log problem, ECDLP.

The difficulty of solving the elliptic curve discrete logarithm problem (ECDLP) is the main reason that ECC is secure. The problem is that you are given two points P and B on an elliptic curve and must find an integer x such that xB = P which can also be written as . This problem is very similar to the discrete logarithm problem (DLP). However, many authors claim that ECDLP is much more difficult than DLP. Certicom claims that this is because “Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem” [6].

Elliptic Curve Cryptography:

Using the math of elliptic curves, I can describe how they are applied to public key cryptography. One method of encryption using elliptic curve cryptography is using Diffie-Hellman. The following are the steps to carry out the ECC version of Diffie-Hellman in order to securely agree on keys.

1. Alice and Bob first agree on an elliptic curve E mod p, for some prime p.
2. They then publicly agree on a point B on their shared curve E.
3. Alice selects a random private integer a used to compute aB, which she sends to Bob.
4. Bob selects a random private integer b used to compute bB, which he sends to Alice.
5. Finally, both Alice and Bob are now able to compute abB. From this the x coordinate can be adapted to act as their secret key for a symmetric system.

Once the key has been agreed upon, Alice and Bob can send encrypted messages by using Koblitz’s “method of pairing characters and points” [3].

Attacks on ECC

Now that we have refreshed our understanding of how ECC works, I explore the current methods of attacking ECC. There are two main ways to attack ECC: brute force and statistical analysis of the source. There are also known attacks when the user picks a weak curve [21]. However, I do not discuss this attack because it is known to be easily prevented. I first show the brute force methods of solving the ECDLP and show how it is computationally infeasible on current computers. Then, I explore how certain characteristics of electronic devices can lead to breaking ECC.

At the core of ECC lies the extreme difficulty in solving the Elliptic Curve Discrete Logarithm Problem. The extreme difficulty is in the fact that the ECDLP is in NP. “It should be noted that there is no mathematical proof that the ECDLP is intractable” [15]. For if there were, then it would be shown that P does not equal NP. Pohlig-Hellman and Pollard-Rho are two of many methods for solving the ECDLP. After explaining how these methods attack the ECDLP, I mention how quantum computers can solve the ECDLP.

Pohlig-Hellman is a well-known attack that takes advantage of the fact that solving the ECDLP can be reduced to solving discrete logarithms in prime order subgroups [15]. This method utilizes the Chinese Remainder Theorem in order to solve for x in . Formally, Pohlig-Hellman can be described by computing for values of i s.t. . In the inequality r is the number of values in the prime factorization of p. Also, p is the power of the base B in the discrete log. Then, by using the Chinese Remainder Theorem, a unique solution for x is obtained [15].

The next attack considered is the Pollard-Rho algorithm, which also has an exponential runtime since again we must solve the discrete log problem. However, it is widely held that the best brute force method of computing the ECDLP is Pollard’s Rho algorithm. This attack has a few advantages. For example, this method can be easily parallelized and is easily implemented [15]. Also, this algorithm is very flexible in solving various DLP over different fields [15]. The main formula behind Pollard-Rho is the fact that . Noting the fact that x is the x in and n is the prime order of the field. The algorithm runs by randomly picking values for c and d and recording them as well as the result of cB + dP. The algorithm continues to pick values for c and d until the value of cB + dP is repeated. This gives the values for c’, c’’, d’ and d’’ and thus x, solving the problem. An example of this attack is given in the appendix.
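The Diffie-Hellman steps above and the collision search just described can be run end to end on a toy curve. This is an added example, not code from the paper or from [15]; the curve y^2 = x^3 + x + 44 over F_229, the base point (5, 116), the private integers 57 and 101 and all function names are constructed for illustration, and the group is deliberately small enough that the search finishes in a few dozen draws.

```python
import math, random

# Constructed toy parameters (far too small for real use):
# curve y^2 = x^3 + A*x + 44 over F_p, with public base point B.
p, A = 229, 1
B = (5, 116)
O = None  # point at infinity, the group identity

def ec_add(P, Q):
    """Add two curve points (covers identity, inverse and doubling cases)."""
    if P is O or Q is O:
        return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # P + (-P)
    if P == Q:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    """Scalar multiple kP by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def point_order(P):
    """Smallest n > 0 with nP = O, by brute force (toy sizes only)."""
    n, R = 1, P
    while R is not O:
        R, n = ec_add(R, P), n + 1
    return n

def ecdh(a, b):
    """Steps 3-5: returns aB, bB and the key point each side derives."""
    aB, bB = ec_mul(a, B), ec_mul(b, B)
    return aB, bB, ec_mul(a, bB), ec_mul(b, aB)

def rho_collision(P, n, rng):
    """Recover x with xB = P from a repeated value of cB + dP."""
    seen = {}
    while True:
        c, d = rng.randrange(n), rng.randrange(n)
        R = ec_add(ec_mul(c, B), ec_mul(d, P))
        if R in seen and math.gcd(seen[R][1] - d, n) == 1:
            c1, d1 = seen[R]
            # cB + dP = c1*B + d1*P  =>  x = (c - c1) / (d1 - d) mod n
            return (c - c1) * pow(d1 - d, -1, n) % n
        seen[R] = (c, d)

if __name__ == "__main__":
    n = point_order(B)
    aB, bB, k_alice, k_bob = ecdh(57, 101)
    print("order", n, "keys agree:", k_alice == k_bob,
          "a from aB:", rho_collision(aB, n, random.Random(1)))
```

The number of draws before a repeat grows with the square root of the group order, which is why the order of the base point, not the secrecy of the curve, is what a deployment has to size correctly.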

Quantum attacks can solve the ECDLP in polynomial time rather than the exponential time it takes on standard computers [8 and 14]. Shor’s algorithm is a quantum attack on the ECDLP and was explained in [14] and an improvement was made in [8]. However, at this point, quantum computer algorithms are not too much of a concern due to the fact that quantum computing is not available at this time.

The fact that ECDLP is so difficult to solve is the main reason for the following indirect types of attacks. Rather than trying to solve the hard ECDLP, researchers find points at which ECC can be broken without needing to solve the ECDLP to read an encrypted message. That is, they do not attack the math, but the predictability of the algorithm. These methods “can exploit the power consumption of ECC devices to retrieve secret keys” [12]. There are two main types of attacks that are considered Side-Channel Attacks (SCAs) that perform power analysis. They are Simple Power Analysis and Differential Power Analysis.

[23]

First, I consider Simple Power Analysis, or SPA. This attack requires access to the cryptographic device that is performing the ECC operations in order to obtain the private key. Essentially, this attack takes advantage of the fact that all microprocessors are carrying out the instructions in hardware that the software has specified. Therefore, by measuring the current flowing through the wires of the device over time, and with knowledge of how the device works, the different parts of the ECC algorithm can be identified. For example, one way to perform point multiplication is by “using the standard square-and-multiply (or double-and-add) exponentiation method” [13]. When using this method the algorithm performs certain operations such as addition and doubling based on the value of each bit in the key. “Hence, it is easy to translate from a sequence of adds and doubles obtained through a side channel into a sequence of bits which reveals the secret key” [13].
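The leak quoted above, and what a key-independent operation sequence looks like, can be shown on simulated operation traces. This is an added example, not code from the paper or from [13]: the trace is a constructed list of 'D' (double) and 'A' (add) labels rather than a power measurement, integers mod n stand in for curve points, and the Montgomery ladder is a well-known countermeasure that the paper itself does not discuss.

```python
def double_and_add(k, P, n, trace):
    """Left-to-right double-and-add; logs 'D' per doubling, 'A' per addition."""
    R = 0
    for bit in bin(k)[2:]:
        R = (2 * R) % n
        trace.append("D")
        if bit == "1":          # the addition happens only for 1 bits
            R = (R + P) % n
            trace.append("A")
    return R

def montgomery_ladder(k, P, n, trace):
    """Ladder: exactly one addition and one doubling per bit, whatever its value."""
    R0, R1 = 0, P               # invariant: R1 - R0 == P
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = (R0 + R1) % n, (2 * R1) % n
        else:
            R0, R1 = (2 * R0) % n, (R0 + R1) % n
        trace += ["A", "D"]     # same operation pair in both branches
    return R0

def bits_from_trace(trace):
    """Each 'D' opens a new key bit; an 'A' right after it marks that bit as 1."""
    bits = []
    for op in trace:
        if op == "D":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)

if __name__ == "__main__":
    k, P, n = 0b1011001110001, 5, 1009   # constructed sample key and group
    leaky, uniform = [], []
    double_and_add(k, P, n, leaky)
    montgomery_ladder(k, P, n, uniform)
    print("".join(leaky), "->", bin(bits_from_trace(leaky)))
    print("".join(uniform), "(same for every key of this length)")
```

A uniform add/double sequence only closes this one channel; the data-dependent leakage that DPA averages out needs separate countermeasures such as the one surveyed in [12].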


A more advanced version of SPA is Differential Power Analysis or DPA. This mode of attacking ECC is done “by collecting power consumption traces and averaging over a series of acquisitions” [11]. The additional data allows the attacker to use statistical analysis and other methods to obtain the key.

Conclusion

As the paper shows, elliptic curve cryptography can be attacked in various ways. However, they require a supercomputer and a long time or a high degree of mathematical and engineering experience to implement. I believe this is why ECC was selected to be part of the NSA’s Suite B cryptography. Also, elliptic curves provide a more efficient use of bits on computer systems making them faster and more useful for embedded systems. I believe that ECC is a good choice for securing data as long as measures are taken to prevent the attacks mentioned in this paper.


References / Further Reading

[1] E. Brown & B. Myers: Elliptic Curves from Mordell to Diophantus and Back, The Mathematical Association of America Monthly 109, August–September 2002, 639-649.

[2] Thomas L. Heath, Diophantus of Alexandria, Cambridge University Press, New York, 1910.

[3] Craig Bauer, Cryptology in Context section 2.14, 2011. Unpublished manuscript.

[4] H.W. Lenstra, Jr. Factoring integers with elliptic curves. Annals of Mathematics, 126: 649-673, 1987.

[5] A. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993.

[6] D. Johnson and A. Menezes, “The elliptic curve digital signature algorithm (ECDSA)”, Technical report CORR 99-34, Dept. of C&O, University of Waterloo, 1999.

[7] Elliptic Curve groups and the Discrete Logarithm Problem, http://www.certicom.com/index.php/-50-elliptic-curve-groups-and-the-discrete-logarithm-problem

[8] Cheung, D., D. Maslov, J. Mathew, and D. Pradhan, 2008, On the design and optimization of a quantum polynomial-time attack on elliptic curve cryptography, Proceedings of the 3rd Workshop on Theory of Quantum Computation, Communication, and Cryptography, volume 5106 of Lecture Notes in Computer Science, pp. 96–104.

[9] Elliptic Curve Cryptography (ECC), http://www.certicom.com/index.php/ecc

[10] NSA Suite B Cryptography, http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

[11] Marc Joye, Pascal Paillier, and Berry Schoenmakers. On Second-Order Differential Power Analysis. In Cryptographic Hardware and Embedded Systems - Proceedings of CHES 2005. Springer, 2005.

[12] F. Zhang and Z. J. Shi, “An efficient window-based countermeasure to power analysis of ECC algorithms,” in Proc. IEEE Int. Conf. Information Technology New Generations, pp. 120-126, 2008.

[13] C. Walter. Simple power analysis of unified code for ECC double and add. In M. Joye and J. J. Quisquater, editors, Cryptographic Hardware and Embedded Systems - CHES 04, volume 3156 of Lecture Notes in Computer Science, pages 191-204, 2004.

[14] J. Proos and C. Zalka. Shor’s discrete logarithm quantum algorithm for elliptic curves. Quantum Information and Computation, 3:317–344, 2003.

[15] D. Hankerson, A. J. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2004.

[16] N. Gura et al., “Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs”, CHES 2004, Aug. 2004.

[17] V. Gupta et al., “Speeding up Secure Web Transactions Using Elliptic Curve Cryptography”, NDSS 2004, Feb. 2004.

[18] V. S. Miller, “Use of elliptic curves in cryptography”, Advances in Cryptology - CRYPTO '85 (LNCS 218), pp. 417-426, 1986.

[19] N. Koblitz, “Elliptic curve cryptosystems”, Mathematics of Computation 48, pp. 203-209, 1987.

[20] Avi Kak, “Lecture 14: Elliptic Curve Cryptography and Digital Rights Management”, http://cobweb.ecn.purdue.edu/~kak/compsec/NewLectures/Lecture14.pdf

[21] Peter Novotney, “Weak Curves In Elliptic Curve Cryptography”, modular.math.washington.edu/edu/2010/414/projects/novotney.pdf

[22] M.J.B. Robshaw, Ph.D. and Yiqun Lisa Yin, Ph.D., “Overview of Elliptic Curve Cryptosystems”, http://www.rsa.com/rsalabs/node.asp?id=2013

[23] “Security Measures for Mobile Devices”, http://www.hitachi.com/rd/yrl/people/mof/index04.html

General Links

http://www.certicom.com/index.php/ecc-tutorial - good tutorial on ECC

http://www.deviceforge.com/articles/AT4234154468.html - compares ECC to other ciphers

http://labs.oracle.com/projects/crypto/ - list of research papers on ECC

http://www.dkrypt.com/home/ecc - an implementation tutorial on ECC

http://www.rsa.com/rsalabs/node.asp?id=2013 – interesting overview of ECC

http://saluc.engr.uconn.edu/refs/sidechannel/index.html - list of references on Side Channel Attacks


Appendix

Point Addition

The negative of the point is the point . If P and Q are distinct points such that P is not –Q, then P + Q = R where

Note that s is the slope of the line through P and Q.

Point Doubling

Provided that is not 0,

2P = R where

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the line through P and Q.

The above was taken from:

http://www.certicom.com/index.php/32-arithmetic-in-an-elliptic-curve-group-over-fp.


The following example of Pollard’s rho algorithm was taken from [15] to better show how the attack works.


The algorithm that is mentioned in the above example is below [15].

Please note that example and algorithm were taken from [15].

