
White Paper

Elliptic Curve Cryptography

Introduction
In this Paper: Introduction; The RSA Cryptosystem; Elliptic Curve Cryptography; Problems & Issues; Conclusions; References

Today, it is difficult to open a newspaper, watch a television programme or even have a conversation without some mention of the Internet, e-commerce, WAP and m-commerce. Despite all the hype, many people are still reluctant to use all this wonderful technology to perform transactions over the Internet. Why? There appear to be many complex sociological reasons for this apparent reluctance to get on-line, but one reason commonly stated in surveys is the perceived lack of security of the Internet. Security purists would say that the Internet is insecure, but the truth is that it is probably a lot more secure than many other systems that we use every day. Indeed, you are far more likely to have your credit card copied in a restaurant than to have your credit card number intercepted in cyberspace. Nonetheless, the perception is there.

Cryptographic technology already exists to protect data during transmission over the Internet. For example, many applications support digital signatures and encryption, using extremely powerful algorithms (e.g. the Secure Electronic Transaction (SET) protocol, supported by Visa and MasterCard). Furthermore, the regulatory framework to support the legality and use of digital signatures is slowly coming into being. The United Kingdom Electronic Commerce Bill, essentially giving the same legal status to digital signatures as already enjoyed by written signatures, came into force earlier this year (2000). Many other countries have similar laws on their statute books.

The de facto cryptographic algorithm for digital signatures and for encryption of symmetric keys (for distribution purposes) is the Rivest, Shamir & Adleman (RSA) public key scheme (Ref.1). Although RSA is highly secure and widely used, there are some potential problems with its use.
The purpose of this paper is to describe an alternative technology, based on mathematical objects known as elliptic curves, which can in some circumstances provide significant benefits over the use of RSA (or so it is believed!).

The RSA Cryptosystem


We begin with a brief review of the RSA scheme. It is based on the hard mathematical problem of integer factorisation, i.e. given a number that is the product of two large prime numbers, factorise the number to find the primes.

RSA Key Generation
Given the public exponent e, generate two large prime numbers p and q, such that (p-1) and e have no common divisor greater than 1 and (q-1) and e have no common divisor greater than 1. Let n = pq, the product of p and q. Solve (for d) the equation $ed \equiv 1 \pmod{(p-1)(q-1)}$. The public key is the pair of numbers {n,e} and the private key is the pair {n,d}.

RSA Encryption and Decryption
Encryption uses a public key, so that the ciphertext corresponding to plaintext m is $c = m^e \pmod{n}$. Decryption uses the corresponding private key, so $m = c^d \pmod{n}$.

RSA Digital Signatures
In simple terms, signature generation is equivalent to decryption and signature verification is the same as encryption.

Remarks
The security of RSA is thought to be equivalent to the difficulty of factorising the modulus, n. The size of an RSA key is usually measured in terms of the number of bits in the modulus. In general, the larger the key the higher the security level. A 512 bit RSA key was recently cracked (i.e. factorised), albeit using massive amounts of computer power. Nowadays it is recommended that much larger key sizes are used; new systems frequently use keys that are 1024 bits or more. The Carte Bancaire system recently cracked by a French engineer was using a 320 bit modulus.

RSA Problems
RSA is a highly secure algorithm and (provided keys are generated properly) the only known way to attack it is to perform a brute-force attack on the modulus. This attack can be easily defeated by simply increasing the key size. However, this approach can lead to a number of problems:
- Increased processing time: as a rough guide, decryption time increases 8-fold as key sizes double.
- Increased key storage requirement: RSA key storage (private keys and public key certificates) requires significant amounts of memory.

Furthermore:
- Key generation is complex and time consuming: times increase significantly as key sizes increase.
- Memory constrained devices cannot easily generate RSA keys and so may need to have keys generated by another system. However, this means that the non-repudiation service may not be achievable.
The problems given above are not necessarily significant for a Personal Computer (for example), but they are potentially major problems for devices with limited memory capacity and processing power, such as smart cards or mobile phones. Consequently, in some cases alternative algorithms for generating digital signatures and encrypting symmetric keys are desirable.
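The key generation, encryption and signature operations reviewed in this section can be traced end to end with toy numbers. The following is an added example, not code from the original paper: it implements the unpadded scheme exactly as described above, the function names are illustrative, and the primes are far too small for real use.

```python
from math import gcd

def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    return n >= 2 and all(n % i for i in range(2, int(n**0.5) + 1))

def next_suitable_prime(start, e):
    """Smallest prime p >= start such that p-1 and e have no common divisor > 1."""
    p = start
    while not (is_prime(p) and gcd(p - 1, e) == 1):
        p += 1
    return p

def rsa_keygen(e, p_start, q_start):
    """Return (public, private) = ({n, e}, {n, d}) as pairs of integers."""
    p = next_suitable_prime(p_start, e)
    q = next_suitable_prime(q_start, e)
    if q == p:
        q = next_suitable_prime(p + 1, e)
    n = p * q
    # Solve ed = 1 mod (p-1)(q-1); the inverse exists only because of the gcd condition.
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def encrypt(public, m):
    n, e = public
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def sign(private, m):
    """Signature generation is the same operation as decryption."""
    return decrypt(private, m)

def verify(public, m, s):
    """Signature verification is the same operation as encryption."""
    return encrypt(public, s) == m
```

With e = 3, the primes 7 and 13 are skipped because 6 and 12 share the divisor 3 with e, so key generation settles on p = 11 and q = 17.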

RSA Alternatives
A number of alternative algorithms already exist, for example the Digital Signature Algorithm (DSA, Ref.2) for signatures and Diffie-Hellman (Ref.3) for key exchange. These algorithms are based on a different hard mathematical problem, namely the Discrete Logarithm Problem (see footnote 1). Unfortunately, in order to achieve levels of security comparable with RSA, these algorithms require similar key sizes and so do not really solve the problem. What is really needed is a public key algorithm that achieves high levels of security, yet uses relatively short keys. Algorithms based on mathematical objects known as elliptic curves offer some interesting possibilities.

Elliptic Curve Cryptography


We begin with a brief (and hopefully relatively non-mathematical) discussion about elliptic curves. For simplicity, we will concentrate on the odd case. There is also an even case, similar to the odd case, that has some advantages, but it is rather more complicated to describe. We will return to the even case later.

What is an Elliptic Curve?
An elliptic curve is a mathematical equation: $y^2 = x^3 + ax + b$, where all calculations are performed modulo p, and $4a^3 + 27b^2 \neq 0$ modulo p, for some odd prime p. This is the odd case. As mentioned earlier, the even case is similar, with calculations performed in the finite field $GF(2^m)$, for some integer m.

The mathematical property that makes elliptic curves useful for cryptography is simply that if we take two (distinct) points on the curve, then the chord joining them intercepts the curve in a third point (because we have a cubic curve). If we then reflect that point in the x-axis we get another point on the curve (since the curve is symmetric about the x-axis). This allows us to define a form of arithmetic on the curve. If we denote the two original points by P and Q then we will denote the final (reflected) point by P+Q. It turns out that this addition satisfies all the usual algebraic properties that we associate with integers, provided we define a single additional point, the point at infinity, which plays the role of 0 in the integers.

[Figure: an elliptic curve showing the points P and Q and the reflected point P+Q]

Footnote 1: The Discrete Logarithm Problem (DLP) can be most easily summarised as: given a prime number, p, a base element, g, and the value of $g^x \pmod{p}$, find x. The problem can be generalised to any finite field.

In other words, we can define a form of arithmetic on the points of an elliptic curve (plus the point at infinity) that lends itself to normal algebraic manipulation. In mathematical terms, we can define a finite additive abelian group on the points of the curve, with the zero being the point at infinity. In particular, if we let the points P and Q coincide, we can define P+P, naturally denoted 2P. Extending this idea, we can define kP, for any integer k, and hence define the order of P, being the smallest integer k such that kP is the point at infinity.

We are now in a position to define the Elliptic Curve Discrete Logarithm Problem (ECDLP), which is the reason we are considering these systems:

Given a base point P and the point kP, lying on the curve, find the value of k.

It is believed that, for suitable elliptic curves and base points, this is a really, really hard problem! From a cryptographic point of view, we are in a position to define new cryptographic systems based on elliptic curves. In particular, any standard system that relies on the discrete logarithm problem has a direct analogy based on the ECDLP. For example, Elliptic Curve DSA (ECDSA) has already been standardised (ANSI X9.62, Ref.4). Diffie-Hellman key exchange can be easily implemented in an elliptic curve framework.

Security of Elliptic Curve Cryptosystems
Because of the apparent difficulty of the ECDLP, highly secure systems can be designed that require much smaller key sizes than (say) RSA or DSA in order to achieve comparable levels of security. The following table gives approximate parameter sizes for comparable strength elliptic curve systems and RSA. This is based on current best techniques for solving the ECDLP and factorising large integers.

Elliptic curve system          RSA
(order of base point P)        (length of modulus n)
106 bits                       512 bits
132 bits                       768 bits
160 bits                       1024 bits
224 bits                       2048 bits

Consequently, using elliptic curves we can define highly secure systems that use much smaller keys compared with equivalent traditional systems, such as RSA or DSA. In particular, such systems require relatively modest computing capability and memory: ideal, for example, for a smart card or mobile phone! Although everything in the elliptic curve garden appears to be very rosy, there are some problems and issues that are inhibiting the widespread adoption of elliptic curve cryptographic systems.
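The group arithmetic described in this section (chord-and-reflect addition, kP, the order of P and the ECDLP) can be followed on a toy curve. This is an added example, not code from the original paper: the curve, base point and function names are chosen here for illustration, and the exhaustive ECDLP search succeeds only because the group has 19 elements.

```python
import secrets

# Toy curve (constructed, far too small for real use): y^2 = x^3 + 2x + 2 over GF(17), P = (5, 1).
P_MOD, A, B = 17, 2, 2
BASE, INF = (5, 1), None  # INF is the point at infinity, the zero of the group

def add(p1, p2):
    """Chord-and-reflect addition (tangent when the two points coincide)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # vertical line through P and -P
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """kP by double-and-add."""
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

def order(pt):
    """Smallest k >= 1 for which kP is the point at infinity."""
    k, q = 1, pt
    while q is not INF:
        q, k = add(q, pt), k + 1
    return k

def solve_ecdlp(pt, target):
    """Exhaustive search for k with kP == target; feasible only for a tiny order."""
    q = INF
    for k in range(order(pt)):
        if q == target:
            return k
        q = add(q, pt)
    return None

def keypair():
    """Private key: random k in [1, order-1]; public key: the point kP."""
    k = 1 + secrets.randbelow(order(BASE) - 1)
    return k, mul(k, BASE)
```

Two parties who exchange public points and each multiply the other's point by their own private k arrive at the same point, which is the elliptic curve form of Diffie-Hellman mentioned above.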

Some Problems and Issues with Elliptic Curve Systems


Security
The main issue is that the true difficulty of the ECDLP is not fully understood. Recent research has shown that some elliptic curves that were believed suitable for elliptic curve cryptography are in fact not appropriate. For example, if the order of the base point P is equal to the prime p then it turns out that the ECDLP can be solved efficiently (see, for example, Ref.5). Such curves are so-called anomalous curves. Research continues in this area, but potential users are understandably wary and many are adopting a wait and see approach.

Curve Generation
When defining an elliptic curve system, a curve and a base point (P) are required. Note that these elements are not secret (and may be the same for all system users). For a given curve and base point, it is trivial to generate public and private keys for users (the private key is simply a random integer k and the public key is the point kP on the curve). However, it is an extremely difficult problem to generate a suitable curve and base point in the first place.

The main problem is how to count the number of points on the curve. Having done this, it is then necessary to select a suitable base point P, which must have a large order to ensure the difficulty of the ECDLP. But the order of P must divide the number of points on the curve (remember that the points on the curve, together with the point at infinity, form a finite group). So, having found the number of points on the curve, it is quite likely that a suitable base point cannot be found. There are a variety of other restrictions that must be satisfied when generating curves; see, for example, Ref.6.

The upshot of this is that curve generation is definitely a non-trivial task. Users can use standard curves (see, for example, Ref.4), use special curve generation software (such as the Thales e-Security Elliptic Curve Generation Bureau) or spend a great deal of time and effort generating their own curves.

Incompatible Systems
The odd and even elliptic curve implementations are similar, but sufficiently different to ensure that an odd system will be incompatible with an even system. Furthermore, within the even case there are a number of ways to represent curves and base points and a user with a system appropriate for one representation may not be able to communicate successfully with a user with a different representation. This is different to the case of RSA, where (in theory) all implementations are compatible.
Ignoring issues of compatibility, there are good reasons to use even elliptic curve systems, mainly to do with speed of processing, but here again users need to be wary. A number of experts in this area believe that the ECDLP may be easier to solve for the even case than the odd case, although it must be admitted that the evidence for such assertions is a little flimsy.

Royalties and Patents
The issue of royalties and patents relevant to elliptic curve cryptosystems is somewhat unclear. There are a number of patents in this area, mainly applicable to the even case.

Processing
We have already mentioned that because elliptic curve systems use small key sizes then less computing power is required than (say) RSA. How does this translate into speed of processing? The following table provides comparative figures for RSA and ECDSA (odd case) signature generation and verification, where both algorithms were implemented using two parallel Motorola 56303 Digital Signal Processors (66 MHz). Note that the RSA signature verify figures assume the use of a public exponent e = 65537.

                      Signature Generate    Signature Verify
RSA (1024 bits)       25 ms                 < 2 ms
ECDSA (160 bits)      32 ms                 33 ms
RSA (2048 bits)       120 ms                5 ms
ECDSA (216 bits)      68 ms                 70 ms

Clearly, different implementations will yield different timings, but the pattern is clear. As key sizes increase, signature generation for ECDSA becomes significantly faster than comparable RSA systems. This difference would be magnified even further if only a single processor were available. On the other hand, signature verification using ECDSA is much slower than for RSA and again this difference would be even greater if only a single processor were available. Note that ECDSA processing could be improved somewhat if the even case were implemented. The time taken for signature verification when using (say) ECDSA may have an adverse impact on system performance. Many systems have a large number of remote devices communicating with a central server. The time taken by the remote device to generate a signature may not be important (several seconds may be acceptable), but the server must be able to validate signatures quickly. RSA based systems (even using large keys) may be more applicable in some circumstances than elliptic curve systems.
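The checks described under Security and Curve Generation above (count the points, find the largest base-point order that divides the count, reject anomalous curves) can be expressed directly for toy primes. This is an added example, not code from the original paper or from any curve generation product: the function names and the max_cofactor threshold are assumptions made here, the point count is a naive O(p) sum usable only for tiny p, and the further restrictions of Ref.6 are not checked.

```python
def legendre(n, p):
    """Euler's criterion: 1 if n is a nonzero square mod p, -1 if not, 0 if n = 0 mod p."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1

def count_points(a, b, p):
    """Points on y^2 = x^3 + ax + b over GF(p), including the point at infinity."""
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))

def largest_prime_factor(n):
    f, largest = 2, 1
    while f * f <= n:
        while n % f == 0:
            largest, n = f, n // f
        f += 1
    return n if n > 1 else largest

def vet_curve(a, b, p, max_cofactor=4):
    """Return (N, r, problems): point count, best possible base-point order, reasons to reject."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        return None, None, ["singular: 4a^3 + 27b^2 = 0 mod p"]
    n_points = count_points(a, b, p)
    # The order of any base point divides N, so the best choice is N's largest prime factor.
    r = largest_prime_factor(n_points)
    problems = []
    if r == p:
        problems.append("anomalous: base point order equals p (Ref.5)")
    if n_points // r > max_cofactor:
        problems.append("no base point of large order: N is a product of small factors")
    return n_points, r, problems

def survey(p, max_cofactor=4):
    """(accepted, total) over every coefficient pair (a, b) for the prime p."""
    accepted = sum(not vet_curve(a, b, p, max_cofactor)[2]
                   for a in range(p) for b in range(p))
    return accepted, p * p
```

On these constructed inputs, y^2 = x^3 + 2x + 2 over GF(17) has 19 points and passes, y^2 = x^3 + x + 1 over GF(17) has 18 points and is rejected because the largest available base-point order is 3, and y^2 = x^3 + 3x + 2 over GF(5) has exactly 5 points and is rejected as anomalous.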

Conclusions
Elliptic curve systems are increasingly seen as an alternative to RSA, rather than a replacement. There are potential advantages, especially when used in devices with limited processing capability and/or memory. Typical applications include:
- m-commerce (e.g. WAP mobile phone, hand-held devices)
- smart card systems (e.g. EMV)
- e-commerce and banking applications (e.g. SET)
- internet based applications (e.g. SSL)

There are, however, some problems and issues that are inhibiting the widespread adoption of elliptic curve systems. These include:
- the real security of such systems is still not well understood
- difficulty of generating suitable curves
- incompatibility of implementations
- royalties and patents
- relatively slow signature verification

So, what can be concluded from the above discussion? Elliptic curve systems certainly appear to provide a viable alternative to RSA, but they don't solve all problems and, indeed, they introduce a few problems of their own. Clearly time will tell, but it does look as though such systems are here to stay!

References
1. R.L. Rivest, A. Shamir & L.M. Adleman, "A method for obtaining digital signatures and public key cryptosystems", Communications of the ACM, 21 (1978), 120-126.
2. FIPS 186, Digital Signature Standard, 1994.
3. W. Diffie & M.E. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, 22 (1976), 644-654.
4. ANSI X9.62, Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA), 1999.
5. N.P. Smart, "The discrete logarithm problem on elliptic curves of trace one", Journal of Cryptology, Volume 12 (1999), Number 3, 193-196.
6. A. Menezes, T. Okamoto & S. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field", IEEE Transactions on Information Theory, 39 (1993), 1639-1646.
