Should Elliptic Curve Cryptography Really be Deprecated? Connor - - PowerPoint PPT Presentation

Should Elliptic Curve Cryptography Really be Deprecated?

Connor Adsit cda8519@rit.edu May 13, 2016

Objectives

◮ Suite B Cryptography ◮ The controversial NSA statement ◮ A brief history of ECC (and the NSA’s involvement) ◮ Why would the NSA discourage ECC?

Suite B Cryptography

◮ Cryptographic algorithms that are endorsed by the NSA in

2005

◮ Protects information up to but not including TOP SECRET ◮ These algorithms are to be used until a Post Quantum

Cryptography (PQC) suite is developed AES ECDH ECDSA SHA DH* RSA* *Not part of the original suite

August 15, 2015

For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition. – National Security Agency

August 15, 2015

Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, which has made it clear that elliptic curve cryptography is not the long term solution many once hoped it would be. Thus, we have been obligated to update our strategy. – National Security Agency

Elliptic Curve Cryptography

Public key cryptography comes in two factions:

◮ Rivest-Shamir-Adleman (the first practical public-key

cryptosystem)

◮ Elliptic Curve Cryptography

◮ ECC was initially met with great skepticism (No Back Door)

Since the beginning, NSA had endorsed ECC

Snowden

Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG)

◮ PRNG based on elliptic curves ◮ Depends on Q = kP for independently random Q and P on

an elliptic curve

◮ Horribly inefficient, but had a “proof of security”

RSA Security received $10 million from the NSA to incorporate Dual EC DRBG into their libraries.

Snowden

What does this have to do with Edward Snowden?

Snowden

What does this have to do with Edward Snowden?

◮ In 2013, the New York Times reported that Snowden leaked

that the NSA put in a back-door to EC DRBG

◮ This means that anything the NSA could effectively decode

anything encrypted with RSA Snowden did not release any information that states that the NSA can easily decrypt ECC

Candidate Speculations

So, why would the NSA tell everyone to move away from ECC?

◮ RSA is not safe from the NSA ◮ NSA is distancing itself from ECC so that people will trust it

again

◮ Diversion tactics with Russia and China

Candidate Speculations

So, why would the NSA tell everyone to move away from ECC?

◮ RSA is not safe from the NSA ◮ NSA is distancing itself from ECC so that people will trust it

again

◮ Diversion tactics with Russia and China

However, the most worrisome is that ECC is not as strong as RSA

Is ECC weak compared to RSA?

Known weaknesses of certain curves:

◮ Discrete logarithms are easily computed for anomalous curves

(curves in Fp where p = #E and p is prime)

◮ Certain curves in prime fields can be lifted to a power of prime

field, which may be small enough to solve with Index Calculus

◮ Certin curves are in the same isogeny class as ones where it is

easy to find a discrete logarithm

Is ECC weak compared to RSA?

Pollard rho attacks on ECC – how do you step?

◮ Alternatively apply a well defined function f and negate ◮ Doubling

Is ECC weak compared to RSA?

For solving multiple instances of Pollard rho, parallelization is important:

◮ remember “distinguished points” while performing the walks ◮ requires much more storage than serial Pollard rho

It is possible to do precomputation to get a faster algorithm but it is very costly Certicom Challenge ECC2K-130 has not been compeleted (started 2009)

Is ECC weak compared to RSA?

The big takeaway:

◮ Currently, there are no practical ways to break ECC*

Is ECC weak compared to RSA?

The big takeaway:

◮ Currently, there are no practical ways to break ECC*

*Given smart curves

Questions?