Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13, 2016
Objectives ◮ Suite B Cryptography ◮ The controversial NSA statement ◮ A brief history of ECC (and the NSA’s involvement) ◮ Why would the NSA discourage ECC?
Suite B Cryptography ◮ Cryptographic algorithms that are endorsed by the NSA in 2005 ◮ Protects information up to but not including TOP SECRET ◮ These algorithms are to be used until a Post Quantum Cryptography (PQC) suite is developed AES ECDH ECDSA SHA DH* RSA* *Not part of the original suite
August 15, 2015 For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition. – National Security Agency
August 15, 2015 Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, which has made it clear that elliptic curve cryptography is not the long term solution many once hoped it would be. Thus, we have been obligated to update our strategy. – National Security Agency
Elliptic Curve Cryptography Public key cryptography comes in two factions: ◮ Rivest-Shamir-Adleman (the first practical public-key cryptosystem) ◮ Elliptic Curve Cryptography ◮ ECC was initially met with great skepticism (No Back Door) Since the beginning, NSA had endorsed ECC
Snowden Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) ◮ PRNG based on elliptic curves ◮ Depends on Q = kP for independently random Q and P on an elliptic curve ◮ Horribly inefficient, but had a “proof of security” RSA Security received $10 million from the NSA to incorporate Dual EC DRBG into their libraries.
Snowden What does this have to do with Edward Snowden?
Snowden What does this have to do with Edward Snowden? ◮ In 2013, the New York Times reported that Snowden leaked that the NSA put in a back-door to EC DRBG ◮ This means that anything the NSA could effectively decode anything encrypted with RSA Snowden did not release any information that states that the NSA can easily decrypt ECC
Candidate Speculations So, why would the NSA tell everyone to move away from ECC? ◮ RSA is not safe from the NSA ◮ NSA is distancing itself from ECC so that people will trust it again ◮ Diversion tactics with Russia and China
Candidate Speculations So, why would the NSA tell everyone to move away from ECC? ◮ RSA is not safe from the NSA ◮ NSA is distancing itself from ECC so that people will trust it again ◮ Diversion tactics with Russia and China However, the most worrisome is that ECC is not as strong as RSA
Is ECC weak compared to RSA? Known weaknesses of certain curves: ◮ Discrete logarithms are easily computed for anomalous curves (curves in F p where p = # E and p is prime) ◮ Certain curves in prime fields can be lifted to a power of prime field, which may be small enough to solve with Index Calculus ◮ Certin curves are in the same isogeny class as ones where it is easy to find a discrete logarithm
Is ECC weak compared to RSA? Pollard rho attacks on ECC – how do you step? ◮ Alternatively apply a well defined function f and negate ◮ Doubling
Is ECC weak compared to RSA? For solving multiple instances of Pollard rho, parallelization is important: ◮ remember “distinguished points” while performing the walks ◮ requires much more storage than serial Pollard rho It is possible to do precomputation to get a faster algorithm but it is very costly Certicom Challenge ECC2K-130 has not been compeleted (started 2009)
Is ECC weak compared to RSA? The big takeaway: ◮ Currently, there are no practical ways to break ECC*
Is ECC weak compared to RSA? The big takeaway: ◮ Currently, there are no practical ways to break ECC* *Given smart curves
Questions?
Recommend
More recommend
