|
|
| Line 1: |
Line 1: |
| '''Elliptic curve cryptography (ECC)''' is an approach to [[public-key cryptography]] based on the algebraic structure of [[elliptic curve]]s over [[finite field]]s.
| | The initial popular kind are the lotions and ointments where we rub a drugs onto the outside of your rectum. It intends to treat the hemorrhoid by soothing the blood vessels. This relaxes the tissues thus that it no longer continues to bulge. Once the cells go down, the hemorrhoids may not flare up as much. This is great for a little temporary relief, but the hemorrhoid may usually flare up again whenever utilizing this method of primary treatment.<br><br>Another house [http://hemorrhoidtreatmentfix.com/hemorrhoid-symptoms hemorrhoids symptoms] is to consume healthy, perfectly balanced food. This might help keep you from becoming constipated and may aid we have a bowel movement. Create sure we eat a lot of fruits plus veggies. Also, add foods that contain lots of fiber inside them. An example of some foods with fiber are complete wheat breads, whole wheat pastas, plus oatmeal.<br><br>: one. The first approach to naturally treat hemorrhoids is with the stiz tub. The proper system to create a sitz bath is to add warm water to a little bath. Set several bath solutions to the water, once you've completed this. This can support you using the pain, swelling, plus distress. The shower solution could be got by you for an herb store that is inside your city.<br><br>However there are certain aspects which clearly state certain hemorrhoid natural remedies are more effective because they have no side effects, they have relaxing qualities, they heal the condition from inside and they additionally prevent the same from coming back.<br><br>Some of the all-natural elements are Horse Chestnut that stops the bleeding, Fluoride of Lime that repairs damaged anus tissue, Witch Hazel which relaxes the veins of the anus, St. Mary's Thistle which reduces the swelling and Krameria' Mapato which gives relief from pain. These ingredients are generally safe.<br><br>Witch Hazel, you can carry this with we and utilize it whenever we are out. Pour a small of it on a toilet paper plus employ it to wash oneself. Not just usually we be cleaner, and this really is important to heal the hemorrhoids, however, Witch Hazel may actively shrink the hemorrhoids.<br><br>When utilizing a sitz bathtub tub, you can employ unique soaps and lotions that is created to be employ with all the bath. This will enable treat different symptoms of the hemorrhoids, also. You are able to choose up any sitz tub at a localized wellness retailer or you are able to buy 1 online. |
| Elliptic curves are also used in several [[integer factorization]] [[algorithm]]s that have applications in cryptography, such as [[Lenstra elliptic curve factorization]].
| |
| | |
| The use of elliptic curves in cryptography was suggested independently by [[Neal Koblitz]]<ref>{{cite journal |first=N. |last=Koblitz |title=Elliptic curve cryptosystems |journal=Mathematics of Computation |volume=48 |issue=177 |year=1987 |pages=203–209 |doi= |jstor=2007884 }}</ref> and [[Victor S. Miller]]<ref>{{cite journal |first=V. |last=Miller |title=Use of elliptic curves in cryptography |journal=CRYPTO |volume=85 |year=1985 |issue= |pages=417–426 |doi=10.1007/3-540-39799-X_31 }}</ref> in 1985.
| |
| Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.
| |
| | |
| ==Introduction==
| |
| Public-key cryptography is based on the [[Intractability (complexity)#Intractability|intractability]] of certain mathematical problems. Early public-key systems are secure assuming that it is difficult to [[Integer factorization|factor]] a large integer composed of two or more large prime factors.
| |
| For elliptic-curve-based protocols, it is assumed that finding the [[discrete logarithm]] of a random elliptic curve element with respect to a publicly known base point is infeasible –this is the "elliptic curve discrete logarithm problem" or ECDLP. The entire security of ECC depends on the ability to compute a [[elliptic curve point multiplication|point multiplication]] and the inability to compute the multiplicand given the original and product points.
| |
| The size of the elliptic curve determines the difficulty of the problem.
| |
| | |
| The primary benefit promised by ECC is a smaller key size, reducing storage and transmission requirements, i.e. that an elliptic curve group could provide the same level of security afforded by an RSA-based system with a large modulus and correspondingly larger key – e.g., a 256-bit ECC public key should provide comparable security to a 3072-bit RSA public key (see ''[[#Key sizes|key sizes]]'' below).
| |
| | |
| For current cryptographic purposes, an ''elliptic curve'' is a [[plane curve]] which consists of the points satisfying the equation
| |
| | |
| : <math>y^2 = x^3 + ax + b, \, </math>
| |
| | |
| along with a distinguished [[point at infinity]], denoted ∞. (The coordinates here are to be chosen from a fixed [[finite field]] of [[Characteristic (algebra)#Case of fields|characteristic]] not equal to 2 or 3, or the curve equation will be somewhat more complicated.)
| |
| | |
| This set together with the [[Elliptic curve#The group law|group operation of the elliptic group theory]] form an [[Abelian group]], with the point at infinity as identity element. The structure of the group is inherited from the [[Divisor (algebraic geometry)|divisor group]] of the underlying [[algebraic variety]]. As for other popular public key cryptosystems, no mathematical proof of security has been published for ECC {{As of|2009|lc=on}}. | |
| | |
| The U.S. [[NIST|National Institute of Standards and Technology (NIST)]] has endorsed ECC by including schemes based on ECC in its [[NSA Suite B|Suite B]] set of recommended algorithms and allows their use for protecting information classified up to [[Classified information in the United States|top secret]] with 384-bit keys.{{year needed|date=September 2013}}<ref>{{cite web |url=http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml |title=Fact Sheet NSA Suite B Cryptography |work=U.S. National Security Agency }}</ref>
| |
| | |
| While the RSA patent expired in 2000, there are [[ECC patents|patents in force covering certain aspects of ECC technology]], though some (including [[RSA (security firm)|RSA Laboratories]]<ref>{{cite web |first=RSA Laboratories|url=http://www.rsa.com/rsalabs/node.asp?id=2325 |title=6.3.4 Are elliptic curve cryptosystems patented? }}</ref> and [[Daniel J. Bernstein]]<ref>{{cite web |first=D. J. |last=Bernstein |url=http://cr.yp.to/ecdh/patents.html |title=Irrelevant patents on elliptic-curve cryptography }}</ref>) argue that the Federal elliptic curve digital signature standard (ECDSA; NIST FIPS 186-3) and certain practical ECC-based key exchange schemes (including ECDH) can be implemented without infringing them.
| |
| | |
| ==Cryptographic schemes==
| |
| Several [[discrete logarithm]]-based protocols have been adapted to elliptic curves, replacing the group <math>(\mathbb{Z}_{p})^\times</math> with an elliptic curve:
| |
| * the [[elliptic curve Diffie–Hellman]] (ECDH) key agreement scheme is based on the [[Diffie–Hellman]] scheme,
| |
| * the Elliptic Curve [[Integrated Encryption Scheme]] (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
| |
| * the [[Elliptic Curve DSA|Elliptic Curve Digital Signature Algorithm]] (ECDSA) is based on the [[Digital Signature Algorithm]],
| |
| * the [[ECMQV]] key agreement scheme is based on the [[Menezes–Qu–Vanstone|MQV]] key agreement scheme.
| |
| * the [[Implicit certificate|ECQV]] implicit certificate scheme.
| |
| | |
| At the RSA Conference 2005, the [[National Security Agency]] (NSA) announced [[NSA Suite B|Suite B]] which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.<ref>{{cite web |url=http://www.nsa.gov/business/programs/elliptic_curve.shtml |title=The Case for Elliptic Curve Cryptography |work=NSA }}</ref>
| |
| | |
| Recently, a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the [[Weil pairing|Weil]] and [[Tate pairing]]s, have been introduced. Schemes based on these primitives provide efficient [[identity-based encryption]] as well as pairing-based signatures, [[signcryption]], [[key agreement]], and [[proxy re-encryption]].
| |
| | |
| ==Implementation considerations==
| |
| | |
| Although the details of each particular elliptic curve scheme are described in the article referenced above, some common implementation considerations are discussed here.
| |
| | |
| ===Domain parameters===
| |
| | |
| To use ECC all parties must agree on all the elements defining the elliptic curve, that is, the ''domain parameters'' of the scheme. The field is defined by ''p'' in the prime case and the pair of ''m'' and ''f''<!--m and f are no longer defined before this in this article--> in the binary case. The elliptic curve is defined by the constants ''a'' and ''b'' used in its defining equation. Finally, the cyclic subgroup is defined by its ''generator'' (aka. ''base point'') ''G''. For cryptographic application the [[order (group theory)|order]] of ''G'', that is the smallest non-negative number ''n'' such that <math>n G = \infty</math>, is normally prime. Since ''n'' is the size of a subgroup of <math>E(\mathbb{F}_p)</math> it follows from [[Lagrange's theorem (group theory)|Lagrange's theorem]] that the number <math>h = \frac{|E(\mathbb{F}_p)|}{n}</math> is an integer. In cryptographic applications this number ''h'', called the ''cofactor'', must be small (<math>h \le 4</math>) and, preferably, <math>h = 1</math>. Let us summarize: in the prime case the domain parameters are <math>(p,a,b,G,n,h)</math> and in the binary case they are <math>(m,f,a,b,G,n,h)</math>.
| |
| | |
| Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parameters ''must'' be validated before use.<!--TBD: validation procedure-->
| |
| | |
| The generation of domain parameters is not usually done by each participant since this involves [[counting points on elliptic curves|counting the number of points on a curve]] which is time-consuming and troublesome to implement. As a result several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or by the unique [[object identifier]] defined in the standard documents:
| |
| * NIST, [http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf Recommended Elliptic Curves for Government Use]
| |
| * SECG, [http://www.secg.org/download/aid-386/sec2_final.pdf SEC 2: Recommended Elliptic Curve Domain Parameters]
| |
| * ECC Brainpool, [http://www.ecc-brainpool.org/download/Domain-parameters.pdf ECC Brainpool Standard Curves and Curve Generation]
| |
| SECG test vectors are also available.<ref>http://www.secg.org/download/aid-390/gec2.pdf</ref> NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be either specified by value or by name.
| |
| | |
| If one (despite the above) wants to construct one's own domain parameters, one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:
| |
| * select a random curve and use a general point-counting algorithm, for example, [[Schoof's algorithm]] or [[Schoof–Elkies–Atkin algorithm]],
| |
| * select a random curve from a family which allows easy calculation of the number of points (e.g., Koblitz curves), or
| |
| * select the number of points and generate a curve with this number of points using ''complex multiplication'' technique.<ref>{{cite journal |first=G. |last=Lay |first2=H. |last2=Zimmer |title=Constructing elliptic curves with given group order over large finite fields |work=Algorithmic Number Theory Symposium |year=1994 |series=Lecture Notes in Computer Science |volume=877 |issue= |pages=250–263 |doi=10.1007/3-540-58691-1_64 }}</ref>
| |
| | |
| Several classes of curves are weak and should be avoided:
| |
| * curves over <math>\mathbb{F}_{2^m}</math> with non-prime ''m'' are vulnerable to [[Weil descent]] attacks.<ref>{{cite journal |first=S. D. |last=Galbraith |first2=N. P. |last2=Smart |title=A cryptographic application of the Weil descent |work=Cryptography and Coding |year=1999 |series=Lecture Notes in Computer Science |volume=1746 |pages=799 |doi=10.1007/3-540-46665-7_23 }}</ref><ref>{{cite web |first=P. |last=Gaudry |first2=F. |last2=Hess |first3=N. P. |last3=Smart |url=http://www.hpl.hp.com/techreports/2000/HPL-2000-10.pdf |title=Constructive and destructive facets of Weil descent on elliptic curves |work=Hewlett Packard Laboratories Technical Report |year=2000 }}</ref>
| |
| * curves such that ''n'' divides <math>p^B-1</math> (where ''p'' is the characteristic of the field – ''q'' for a prime field, or <math>2</math> for a binary field) for sufficiently small ''B'' are vulnerable to Menezes-Okamoto-Vanstone (MOV) attack<ref>{{cite journal |first=A. |last=Menezes |first2=T. |last2=Okamoto |first3=S. A. |last3=Vanstone |title=Reducing elliptic curve logarithms to logarithms in a finite field |work=IEEE Transactions on Information Theory |volume=39 |year=1993 }}</ref><ref>{{cite journal |first=L. |last=Hitt |url=http://eprint.iacr.org/2006/415 |title=On an Improved Definition of Embedding Degree |work=IACR ePrint report |year=2006 |volume=415 }}</ref> which applies usual Discrete Logarithm Problem (DLP) in a small degree extension field of <math>\mathbb{F}_p</math> to solve ECDLP. The bound ''B'' should be chosen so that discrete logarithms in the field <math>\mathbb{F}_{p^B}</math> are at least as difficult to compute as discrete logs on the elliptic curve <math>E(\mathbb{F}_q)</math>.<ref>IEEE [http://grouper.ieee.org/groups/1363/P1363/index.html P1363], section A.12.1</ref>
| |
| * curves such that <math>|E(\mathbb{F}_q)| = q</math> are vulnerable to the attack that maps the points on the curve to the additive group of <math>\mathbb{F}_q</math><ref>{{cite journal |first=I. |last=Semaev |title=Evaluation of discrete logarithm in a group of ''p''-torsion points of an elliptic curve in characteristic ''p'' |journal=Mathematics of Computation |volume=67 |issue=221 |year=1998 |pages=353–356 |doi=10.1090/S0025-5718-98-00887-4 }}</ref><ref>{{cite journal |first=N. |last=Smart |title=The discrete logarithm problem on elliptic curves of trace one |journal=Journal of Cryptology |volume=12 |year=1999 |issue=3 |pages=193–196 |doi=10.1007/s001459900052 }}</ref><ref>{{cite journal |first=T. |last=Satoh |first2=K. |last2=Araki |title=Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves |journal=Commentarii Mathematici Universitatis Sancti Pauli |volume=47 |year=1998 }}</ref>
| |
| | |
| ===Key sizes===
| |
| | |
| {{see also|Discrete logarithm records#Elliptic curves}}
| |
| | |
| Since all the fastest known algorithms that allow one to solve the ECDLP ([[baby-step giant-step]], [[Pollard's rho algorithm for logarithms|Pollard's rho]], etc.), need <math>O(\sqrt{n})</math> steps, it follows that the size of the underlying field should be roughly twice the security parameter. For example, for 128-bit security one needs a curve over <math>\mathbb{F}_q</math>, where <math>q \approx 2^{256}</math>. This can be contrasted with finite-field cryptography (e.g., [[Digital Signature Algorithm|DSA]]) which requires<ref>NIST, [http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf Recommendation for Key Management—Part 1: general], Special Publication 800-57, August 2005.</ref> 3072-bit public keys and 256-bit private keys, and integer factorization cryptography (e.g., [[RSA (algorithm)|RSA]]) which requires 3072-bit public and private keys.
| |
| | |
| The hardest ECC scheme (publicly) broken to date had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case this was broken in July 2009 using a cluster of over 200 [[PlayStation 3]] game consoles and could have been finished in 3.5 months using this cluster when running continuously (see <ref>http://lacal.epfl.ch/page81774.html</ref>). For the binary field case, it was broken in April 2004 using 2600 computers for 17 months.<ref>{{cite web |url=http://www.certicom.com/index.php/2004-press-releases/36-2004-press-releases/300-solution-required-team-of-mathematicians-2600-computers-and-17-months- |title=Certicom Announces Elliptic Curve Cryptography Challenge Winner |work=Certicom |date=April 27, 2004 }}</ref>
| |
| | |
| A current project is aiming at breaking the ECC2K-130 challenge by Certicom, by using a wide range of different hardware: CPUs, GPUs, FPGA.<ref>http://www.ecc-challenge.info/</ref>
| |
| | |
| ===Projective coordinates===
| |
| | |
| A close examination of the addition rules shows that in order to add two points one needs not only several additions and multiplications in <math>\mathbb{F}_q</math> but also an inversion operation. The inversion (for given <math>x \in \mathbb{F}_q</math> find <math>y \in \mathbb{F}_q</math> such that <math>x y = 1</math>) is one to two orders of magnitude slower<ref>{{cite journal |first=Y. |last=Hitchcock |first2=E. |last2=Dawson |first3=A. |last3=Clark |first4=P. |last4=Montague |url=http://anziamj.austms.org.au/V44/CTAC2001/Hitc/Hitc.pdf |title=Implementing an efficient elliptic curve cryptosystem over GF(p) on a smart card |year=2002 |journal=ANZIAM Journal |volume=44 }}</ref> than multiplication. Fortunately, points on a curve can be represented in different coordinate systems which do not require an inversion operation to add two points. Several such systems were proposed: in the ''projective'' system each point is represented by three coordinates <math>(X,Y,Z)</math> using the following relation: <math>x = \frac{X}{Z}</math>, <math>y = \frac{Y}{Z}</math>; in the ''Jacobian system'' a point is also represented with three coordinates <math>(X,Y,Z)</math>, but a different relation is used: <math>x = \frac{X}{Z^2}</math>, <math>y = \frac{Y}{Z^3}</math>; in the ''López–Dahab system'' the relation is <math>x = \frac{X}{Z}</math>, <math>y = \frac{Y}{Z^2}</math>; in the ''modified Jacobian'' system the same relations are used but four coordinates are stored and used for calculations <math>(X,Y,Z,aZ^4)</math>; and in the ''Chudnovsky Jacobian'' system five coordinates are used <math>(X,Y,Z,Z^2,Z^3)</math>. Note that there may be different naming conventions, for example, [[IEEE P1363]]-2000 standard uses "projective coordinates" to refer to what is commonly called Jacobian coordinates.<!--TBD: insert formulas--> An additional speed-up is possible if mixed coordinates are used.<ref>{{cite journal |first=H. |last=Cohen |first2=A. |last2=Miyaji |first3=T. |last3=Ono |title=Efficient Elliptic Curve Exponentiation Using Mixed Coordinates |journal=Advances in Cryptology – AsiaCrypt '98 |year=1998 |series=Lecture Notes in Computer Science |volume=1514 |pages=51–65 |doi=10.1007/3-540-49649-1_6 }}</ref>
| |
| | |
| ===Fast reduction (NIST curves)===
| |
| | |
| Reduction modulo ''p'' (which is needed for addition and multiplication) can be executed much faster if the prime ''p'' is a pseudo-[[Mersenne prime]] that is <math>p \approx 2^d</math>, for example, <math>p = 2^{521} - 1</math> or <math>p = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1.</math> Compared to [[Barrett reduction]] there can be an order of magnitude speedup.<ref>{{cite journal |first=M. |last=Brown |first2=D. |last2=Hankerson |first3=J. |last3=Lopez |first4=A. |last4=Menezes |title=Software Implementation of the NIST Elliptic Curves Over Prime Fields |journal=Topics in Cryptology – CT-RSA 2001 |series=Lecture Notes in Computer Science |year=2001 |volume=2020 |pages=250–265 |doi=10.1007/3-540-45353-9_19 }}</ref> The speedup here is a practical rather than theoretical one, and derives from the fact that the moduli of numbers against numbers near powers of two can be performed efficiently by computers operating on binary numbers with [[bitwise operation]]s.
| |
| | |
| The curves over <math>\mathbb{F}_p</math> with pseudo-Mersenne ''p'' are recommended by NIST. Yet another advantage of the NIST curves is the fact that they use ''a'' = −3 which improves addition in Jacobian coordinates.
| |
| | |
| Many of the efficiency-related decisions in NIST FIPS 186-2 are sub-optimal.
| |
| Other curves are more secure and run just as fast.<ref>
| |
| Daniel J. Bernstein and Tanja Lange.
| |
| "SafeCurves: choosing safe curves for elliptic-curve cryptography."
| |
| http://safecurves.cr.yp.to
| |
| accessed 1 December 2013.
| |
| </ref>
| |
| | |
| ===NIST-recommended elliptic curves===
| |
| | |
| NIST recommended{{year needed|date=September 2013}} fifteen elliptic curves. Specifically, FIPS 186-3 has ten recommended finite fields:
| |
| * Five prime fields <math>\mathbb{F}_p</math> for certain primes ''p'' of sizes 192, 224, 256, 384, and 521<ref>The sequence may seem suggestive of a typographic error. Nevertheless, the last value is 521 and not 512 bits.</ref> bits. For each of the prime fields, one elliptic curve is recommended.
| |
| * Five binary fields <math>\mathbb{F}_{2^m}</math> for ''m'' equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one [[Neal Koblitz|Koblitz]] curve was selected.
| |
| | |
| The NIST recommendation thus contains a total of five prime curves and ten binary curves. The curves were ostensibly chosen for optimal security and implementation efficiency.<ref>FIPS PUB 186-3, [http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf Digital Signature Standard (DSS)].</ref>
| |
| | |
| In 2013, the ''[[New York Times]]'' revealed that [[Dual_EC_DRBG|Dual Elliptic Curve Deterministic Random Bit Generation]] (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of [[NSA]], which had included a deliberate weakness in the algorithm and the recommended elliptic curve.
| |
| [[RSA Security]] in September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG.<ref>Kim Zetter, [http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/ RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm] ''[[Wired (magazine)|Wired]]'', 19 September 2013.
| |
| | |
| "Due to the debate around the Dual EC DRBG standard highlighted recently by the National Institute of Standards and Technology (NIST), NIST re-opened for public comment its SP 800-90 standard which covers Pseudo-random Number Generators (PRNG)."
| |
| | |
| [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-A%20Rev%201%20B%20and%20C csrc.nist.gov]
| |
| | |
| “Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.”
| |
| </ref> | |
| In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic curves, suggesting a return to encryption based on the discrete logarithms.<ref>
| |
| [[Bruce Schneier]] (5 September) "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."
| |
| See [http://it.slashdot.org/firehose.pl?op=view&type=story&sid=13/09/11/1224252 Are the NIST Standard Elliptic Curves Back-doored?], ''[[Slashdot]]'', 11 September 2013.</ref>
| |
| | |
| ===Side-channel attacks===
| |
| | |
| Unlike [[Discrete Logarithm|DLP]] systems (where it is possible to use the same procedure for squaring and multiplication) the EC addition is significantly different for doubling (<math>P = Q</math>) and general addition (<math>P \ne Q</math>) depending on the coordinate system used. Consequently, it is important to counteract [[side channel attack]]s (e.g., timing or [[Power analysis|simple/differential power analysis attacks]]) using, for example, fixed pattern window (aka. comb) methods{{clarify|date=December 2011}}<ref>{{cite journal |first=M. |last=Hedabou |first2=P. |last2=Pinel |first3=L. |last3=Beneteau |url=http://eprint.iacr.org/2004/342.pdf |title=A comb method to render ECC resistant against Side Channel Attacks |year=2004 }}</ref> (note that this does not increase the computation time). Another concern for ECC-systems is the danger of [[Differential fault analysis|fault attacks]], especially when running on [[smart card]]s.<ref>See, for example, {{cite journal |title=Differential Fault Attacks on Elliptic Curve Cryptosystems |first=Ingrid |last=Biehl |first2=Bernd |last2=Meyer |first3=Volker |last3=Müller |journal=Advances in Cryptology – CRYPTO 2000 |series=Lecture Notes in Computer Science |volume=1880 |year=2000 |pages=131–146 |doi=10.1007/3-540-44598-6_8 }}</ref>
| |
| | |
| Cryptographic experts have also expressed concerns that the National Security Agency has inserted a backdoor into at least one elliptic curve-based pseudo random generator.<ref>http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115</ref> One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of ciphertext.<ref>http://rump2007.cr.yp.to/15-shumow.pdf</ref>
| |
| | |
| ===Quantum computing attacks===
| |
| | |
| Elliptic curve cryptography is vulnerable to a modified [[Shor's algorithm]] for solving the discrete logarithm problem on elliptic curves.<ref>{{cite book
| |
| |last= Nielsen
| |
| |first= Michael A.
| |
| |coauthors= Chuang, Isaac L.
| |
| |title= Quantum Computation and Quantum Information
| |
| |page=202
| |
| }}</ref>
| |
| | |
| ===Patents===
| |
| {{main|ECC patents}}
| |
| At least one ECC scheme ([[ECMQV]]) and some implementation techniques are covered by patents.
| |
| | |
| ==Alternative representations of elliptic curves==
| |
| * [[Hessian curves]]
| |
| * [[Edwards curves]]
| |
| * [[Twisted curves]]
| |
| * [[Twisted Hessian curves]]
| |
| * [[Twisted Edwards curve]]
| |
| * [[Doubling-oriented Doche–Icart–Kohel curve]]
| |
| * [[Tripling-oriented Doche–Icart–Kohel curve]]
| |
| * [[Jacobian curve]]
| |
| * [[Montgomery curve]]
| |
| | |
| ==See also==
| |
| * [[DNSCurve]]
| |
| * [[ECC patents]]
| |
| * [[ECDH]]
| |
| * [[ECDSA]]
| |
| * [[ECMQV]]
| |
| * [[Curve25519]]
| |
| * [[Public-key cryptography]]
| |
| * [[Quantum cryptography]]
| |
| * [[Pairing-based cryptography]]
| |
| * [[Homomorphic Signatures for Network Coding]]
| |
| * [[Elliptic curve point multiplication|Elliptic Curve Point Multiplication]]
| |
| | |
| ==Notes==
| |
| {{reflist|30em}}
| |
| | |
| ==References==
| |
| * [[SECG|Standards for Efficient Cryptography Group (SECG)]], [http://www.secg.org/download/aid-385/sec1_final.pdf SEC 1: Elliptic Curve Cryptography], Version 1.0, September 20, 2000.
| |
| * D. Hankerson, A. Menezes, and S.A. Vanstone, ''Guide to Elliptic Curve Cryptography'', Springer-Verlag, 2004.
| |
| * I. Blake, G. Seroussi, and N. Smart, ''Elliptic Curves in Cryptography'', London Mathematical Society 265, Cambridge University Press, 1999.
| |
| * I. Blake, G. Seroussi, and N. Smart, editors, ''Advances in Elliptic Curve Cryptography'', London Mathematical Society 317, Cambridge University Press, 2005.
| |
| * L. Washington, ''Elliptic Curves: Number Theory and Cryptography'', Chapman & Hall / CRC, 2003.
| |
| * [http://www.nsa.gov/business/programs/elliptic_curve.shtml The Case for Elliptic Curve Cryptography], National Security Agency
| |
| * [http://www.certicom.com/index.php/ecc-tutorial Online Elliptic Curve Cryptography Tutorial], Certicom Corp.
| |
| * K. Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007 Page(s):239–244
| |
| * Saikat Basu, [http://ijns.femto.com.tw/download_paper.jsp?PaperID=IJNS-2010-07-24-3&PaperName=ijns-v13-n3/ijns-2011-v13-n3-p234-241.pdf A New Parallel Window-Based Implementation of the Elliptic Curve Point Multiplication in Multi-Core Architectures], International Journal of Network Security, Vol. 13, No. 3, 2011, Page(s):234-241
| |
| * Christof Paar, Jan Pelzl, [http://wiki.crypto.rub.de/Buch/movies.php "Elliptic Curve Cryptosystems"], Chapter 9 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers elliptic curve cryptography), Springer, 2009.
| |
| | |
| ==External links==
| |
| {{commons|Elliptic curve|Elliptic curve}}
| |
| * [http://www.certicom.com/index.php/ecc-tutorial Certicom ECC Tutorial]
| |
| * [http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/ a relatively easy to understand primer on elliptic curve cryptography]
| |
| * [http://www.imperialviolet.org/2010/12/04/ecc.html Elliptic curves and their implementation] by Adam Langley (OpenSSL dev).
| |
| * [http://sagenb.org/home/pub/1126/ Interactive introduction to elliptic curves and elliptic curve cryptography with SAGE]
| |
| * [http://www.infoworld.com/t/encryption/how-the-nsa-was-able-snoop-our-email-233508 How the NSA Was Able to Snoop Our Email] explained by Mathematician [[Edward Frenkel]]
| |
| | |
| {{Cryptography navbox | public-key}}
| |
| | |
| {{DEFAULTSORT:Elliptic Curve Cryptography}}
| |
| [[Category:Elliptic curve cryptography]]
| |
| [[Category:Public-key cryptography]]
| |
| [[Category:Finite fields]]
| |