Review of Cryptanalysis of Elliptic Curve Cryptography Drew Wicke Introduction One interesting crypto system is the elliptic curve

cryptosystems. In 2005, versions of Elliptic Curve Cryptography joined the NSAs Suite B cryptography which is used to secure unclassified information [9]. In order for a cipher to be part of this group, the National Institute for Standards and Technology must endorse it ensuring its usefulness to the US government [10]. The purpose of this paper is to explore the various attacks on elliptic curve cryptography. In so doing, I provide the reader with a better understanding of how to more securely implement the cipher. I first give a brief history and overview of elliptic curve cryptography. Then, I discuss various security issues with elliptic curve encryption. History Elliptic curve cryptography (ECC) was discovered independently by Victor S. Miller in 1986 and Neal Koblitz in 1987. Miller, in his paper entitled Use of Elliptic Curves in Cryptography, describes his idea [18]. Also, Neal Koblitz, in his 1987 paper Elliptic Curve Cryptosystems, published the same scheme [19].
Victor S. Miller (1947-) Neal Koblitz (1948-) [3]

The foundational mathematics that was needed to create ECC was laid by Diophantus who lived sometime around 250 AD. He published his equation for the elliptic curve in his book Arithmetica [2]. Diophantus also discovered elliptic curve point doubling [1]. However, We refer to these as Weierstra equations, in honor of Karl Weierstra, who studied them in the 1800s [3]. In order to better understand the attacks on ECC, a basic understanding of how the system works is needed. First, I show the mathematics of elliptic curves and then I explain how they are used in cryptography. Mathematics The security of public key cryptography is dependent upon the underlying mathematical concepts. For a public key system to be useful, public keys must be easily and quickly generated in order to encipher. However, the private key must be very difficult to discover from the public key. The two major mathematical concepts used in elliptical curve cryptography are elliptic curves and discrete logarithms. Elliptic curves are rich mathematical structures which have shown themselves to be remarkably useful in a range of applications including primality testing and integer factorization [22]. For purposes of cryptography, an elliptic curve E can be described by the Weierstrass equation where and . Note that . The variables a and b where p is a prime. The

must be elements of the finite field of integers

reason for using a finite field is because of the inexactness of real number representations on computers. Also, the variables a and b are constrained so that the equation will not contain multiple roots or singularities. The singularity of the curve is related to its smoothness. More specifically, a curve is singular if its slope at a point is not defined [20]. This constraint is made

so that elliptic curves can be used in cryptography. For if an elliptic curve is singular, it is isomorphic to either the multiplicative or the additive group over the underlying field itself, depending on the type of singularity therefore making it useless for cryptography [20]. We must also look at the elliptic curve discrete log problem, ECDLP. The difficulty of solving the elliptic curve discrete logarithm problem, ECDLP is the main reason that ECC is secure. The problem is that you are given two points P and B on an elliptic curve and must find an integer x such that xB = P which can also be written as . This problem is very similar to the discrete logarithm problem DLP. However, many authors claim that ECDLP is much more difficult than DLP. Certicom claims that this is because Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem [6]. Elliptic Curve Cryptography: Using the math of elliptic curves, I can describe how they are applied to public key cryptography. One method of encryption using elliptic curve cryptography is using DiffieHellman. The following are the steps to carry out the ECC version of Diffie-Hellman in order to securely agree on keys. 1. Alice and Bob first agree on an elliptic curve E mod p, for some prime p. 2. They then publicly agree on a point B on their shared curve E. 3. Alice selects a random private integer a used to compute aB, which she sends to Bob. 4. Bob selects a random private integer b used to compute bB, which he sends to Alice.

5. Finally, both Alice and Bob are now able to compute abB. From this the x coordinate can be adapted to act as their secret key for a symmetric system. Once the key has been agreed upon, Alice and Bob can send encrypted messages by using Koblitzs method of pairing characters and points [3]. Attacks on ECC Now that we have refreshed our understanding of how ECC works, I explore the current methods of attacking ECC. There are two main ways to attack ECC brute, force and statistical analysis of the source. There are also known attacks when the user picks a weak curve [21]. However, I do not discuss this attack because it is known to be easily prevented. I first show the brute force methods of solving the ECDLP and show how it is computationally infeasible on current computers. Then, I explore how certain characteristics of electronic devices can lead to breaking ECC. At the core of ECC lies the extreme difficulty in solving the Elliptic Curve Discrete Logarithm Problem. The extreme difficulty is in the fact that the ECDLP is in NP. It should be noted that there is no mathematical proof that the ECDLP is intractable [15]. For, if there was then it would be shown that P does not equal NP. Pohlig-Hellman and Pollard-Rho are two of many methods for solving the ECDLP. After explaining how these methods attack the ECDLP, I mention how quantum computers can solve the ECDLP. Pohlig-Hellman is a well known attack that takes advantage of the fact that solving the ECDLP can be reduced to solving discrete logarithms in prime order subgroups [15]. This method utilizes the Chinese Remainder Theorem in order to solve for x in Pohlig-Hellman can be described by computing for values of i s.t. . Formally, . In

the inequality r is the number of values in the prime factorization of p. Also, p is the power of the base B in the discrete log. Then, by using the Chinese Remainder theorem, a unique solution for x is obtained [15]. The next attack considered is the Pollard-Rho algorithm which also has an exponential runtime since again we must solve the discrete log problem. However, it is widely held that the best brute force method of computing the ECDLP is Pollards Rho algorithm. This attack has a few advantages. For example, this method can be easily parallelized and is easily implemented [15]. Also, this algorithm is very flexible in solving various DLP over different fields [15]. The main formula behind Pollard-Rho is the fact that Noting the fact that x is the x in .

and n is the prime order of the field. The algorithm

runs by randomly picking values for c and d and recording them as well as the result of cB +dP. The algorithm continues to pick values for c and d until the value of cB + dP is repeated. Therefore, giving the values for c, c, d and d and thus x solving the problem. An example is given in the appendix of this attack. Quantum attacks can solve the ECDLP in polynomial time rather than the exponential time it takes on standard computers [8 and 14]. Shors algorithm is a quantum attack on the ECDLP and was explained in [14] and an improvement was made in [8]. However, at this point, quantum computer algorithms are not too much of a concern due to the fact that quantum computing is not available at this time. The fact that ECDLP is so difficult to solve is the main reason for the following indirect types of attacks. Rather than trying to solve the hard ECDLP, researchers find points at which ECC can be broken without needing to solve the ECDLP to read an encrypted message. This is, they do not attack the math, but the predictability of the algorithm. These methods can exploit

the power consumption of ECC devices to retrieve secret keys [12]. There are two main types of attacks that are considered Side-Channel-Attacks or SCAs that perform power analysis. They are Simple Power Analysis and Differential Power Analysis.

[23] First, I consider the Simple Power Analysis or SPA. This attack requires access to the cryptographic device that is performing the ECC operations in order to obtain the private key. Essentially, this attack takes advantage of the fact that all microprocessors are carrying out the instructions in hardware that the software has specified. Therefore, by measuring the current flowing through the wires of the device over time and knowledge of how the device works, the different parts of the ECC algorithm can be identified. For example, one way to perform point multiplication is by using the standard square-and-multiply (or double-and-add) exponentiation method [13]. When using this method the algorithm performs certain operations such as addition and doubling based on the value of each bit in the key. Hence, it is easy to translate from a sequence of adds and doubles obtained through a side channel into a sequence of bits which reveals the secret key [13].

A more advanced version of SPA is Differential Power Analysis or DPA. This mode of attacking ECC is done by collecting power consumption traces and averaging over a series of acquisitions [11]. With more data it allows for the attacker to use statistical analysis and other methods to obtain the key. Conclusion As the paper shows, elliptic curve cryptography can be attacked in various ways. However, they require a supercomputer and a long time or a high degree of mathematical and engineering experience to implement. I believe this is why ECC was selected to be part of the NSAs Suite B cryptography. Also, elliptic curves provide a more efficient use of bits on computer systems making them faster and more useful for embedded systems. I believe that ECC is a good choice for securing data as long as measures are taken to prevent the attacks mentioned in this paper.

References / Further Reading [1] E Brown & B Myers: Elliptic Curves from Mordell to Diophantus and Back The Mathematical Association of America Monthly 109, AugustSeptember 2002, 639-649. [2] Thomas L. Heath, Diophantus of Alexandria, Cambridge University Press, New York, 1910. [3] Craig Bauer, Cryptology in Context section 2.14, 2011. Unpublished manuscript. [4] H.W. Lenstra, Jr. Factoring integers with elliptic curves. Annuals of Mathematics, 126: 649673, 1987. [5] A. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993. [6] D. Johnson and A. Menezes, The elliptic curve digital signature algorithm (ECDSA), Technical report CORR 99-34, Dept. of C&O, University of Waterloo, 1999. [7] Elliptic Curve groupts and the Discrete Logarithm Problem, http://www.certicom.com/index.php/ -50-elliptic-curve-groups-and-the-discrete-logarithm-problem [8] Cheung, D., D. Maslov, J. Mathew, and D. Pradhan, 2008, On the design and optimization of a quantum polynomial-time attack on elliptic curve cryptography, Proceedings of the 3rd Workshop on Theory of Quantum Computation, Communication, and Cryptography, volume 5106 of Lecture Notes in Computer Science, pp. 96104. [9] Elliptic Curve Cryptography (ECC), http://www.certicom.com/index.php/ecc [10] NSA Suite B Cryptography,http://www.nsa.gov/ia/programs/suiteb_cryptography/ index.shtml

[11] Marc Joye, Pascal Paillier, and Berry Schoenmakers. On Second-Order Differential Power Analysis. In Cryptographic Hardware and Embedded Systems - Proceedings of CHES 2005. Springer, 2005. [12] F. Zhang and Z. J. Shi, An efficient window-based countermeasure to power analysis of ECC algorithms, in Proc. IEEE Int. Conf. Information Technology New Generations, pp. 120126, 2008. [13] C.Walter. Simple power analysis of unified code for ecc double and add. In M. Joye and J. J. Quisquater, editors, Cryptographic Hardware and Embedded Systems - CHES 04, volume 3156 of Lecture Notes in Computer Science, pages 191- 204, 2004. [14] J. PROOS AND C. ZALKA. Shors discrete logarithm quantum algorithm for elliptic curves. Quantum Information and Computation, 3:317344, 2003. [15] D. Hankerson, A. J. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2004. [16] N. Gura et al., Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs, CHES 2004, Aug. 2004. [17] V. Gupta et al., Speeding up Secure Web Transactions Using Elliptic Curve Cryptography, NDSS 2004, Feb. 2004. [18] V.S.Miller, Use of elliptic curves in cryptography", Advances in CryptologyCRYPTO'85(LNCS 218), pp.417-426, 1986. [19] N.Koblitz, Elliptic curve cryptosystems", Mathematics of Computation 48, pp.203-

209, 1987. [20] Avi Kak, Lecture 14: Elliptic Curve Cryptography and Digital Rights Management http://cobweb.ecn.purdue.edu/~kak/compsec/NewLectures/Lecture14.pdf [21] Peter Novotney, Weak Curves In Elliptic Curve Cryptography, modular.math.washington.edu/edu/2010/414/projects/novotney.pdf [22] M.J.B. Robshaw, Ph.D. and Yiqun Lisa Yin, Ph.D Overview of Elliptic Curve Cryptosystems. http://www.rsa.com/rsalabs/node.asp?id=2013 [23] Security Measures for Mobile Devices http://www.hitachi.com/rd/yrl/people/mof/ index04.html General Links http://www.certicom.com/index.php/ecc-tutorial - good tutorial on ECC http://www.deviceforge.com/articles/AT4234154468.html - compares ECC to other ciphers http://labs.oracle.com/projects/crypto/ - list of research papers on ECC http://www.dkrypt.com/home/ecc - an implementation tutorial on ECC http://www.rsa.com/rsalabs/node.asp?id=2013 interesting overview of ECC http://saluc.engr.uconn.edu/refs/sidechannel/index.html - list of references on Side Chanel Attacks

Appendix Point Addition The negative of the point is the point . If P and Z are

distinct points such that P is not Q, then P + Q = R where

Note that s is the slope of the line through P and Q. Point Doubling Provided that 2P = R where is not 0,

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the line through P and Q. The above was taken from: http://www.certicom.com/index.php/32-arithmetic-in-an-elliptic-curve-group-over-fp.

The following example is of Pollards rho algorithm which was taken from [15] to better show how the attack works.

The algorithm that is mentioned in above example is below [15].

Please note that example and algorithm were taken from [15].