ECC vs RSA: Battle of the Crypto-Ninjas

James McGivern
ECC vs RSA:
Battle of the Crypto-Ninjas
Friday, 11 July 2014

About James

About James
Mathematician turned
Computer Scientist
Technical Evangelist
Lives in London
Talks fast
Likes cats
Hates Marmite

Objectives
the basics: terminology, concepts, etc
symmetric vs. asymmetric cryptography
RSA overview
theory of elliptic curves
elliptic curve cryptography (ECC)
RSA vs. ECC (performance, security, etc)
using ECC
ECC “in the wild”

Please Note
Aim: to provide enough basic information to
“springboard” your own forays into cryptography
No:
History lessons (but maybe a tangent or two)
Proofs - rigourous or otherwise
Key exchange protocols
I work for Cisco but all the views in this
presentation are mine and do not reﬂect the
views of Cisco.

Cryptography:
Refresh

All Hail Claude Shannon
Godfather of:
- Communication theory
- Information Theory
- Digital Computing & Digital Circuit Design
- Modern cryptography
Proved that the cryptographic one-time pad
is unbreakable
"the enemy knows the system"

Terminology
A plaintext document is encrypted with a
cipher to produce ciphertext
Decryption is the reverse of encryption
A cipher may utilise 1 or more keys

Cryptanalysis
Crypto-ninjas need to be constantly
vigilant for attack

Cryptanalysis can be classiﬁed by:

Computational resource requirements

Degree of information exposure

Degree of cryptosystem penetration

Degree of cryptosystem penetration
Do not underestimate: stupidity, spies,
traitors and other forms of social
engineering

Diffusion is a measure of the difference
between the statistical structure of the
plaintext and the ciphertext

Diffusion is a measure of the difference
between the statistical structure of the
plaintext and the ciphertext
Confusion is a measure of the complexity
of the relationship between the
ciphertext and the key(s)

Kerckhoff’s Principle
“A cryptosystem should be secure even if
everything about the system, except the
key, is public knowledge”

Warning! !
Even crypto-ninjas can’t herd cats

Cipher
Classical
Substitution Transposition
Rotor Machines
Modern
Symmetric
(public key)
Asymmetric
(private key)
Stream Block
A Cipher Class Diagram

http://xkcd.com/927

Cryptographic Standards
Created by “trusted” authorities, e.g. NIST
(US), ENISA (EU), CESG/HMG (UK)
Deﬁnes speciﬁc implementations of algorithms
& protocols, including:
key sizes
random number & seed generators
algorithm parameters
Allows in-depth cryptanalysis
Ensures support in hardware and software
applications

Symmetric
vs.
Asymmetric
Encryption

Alice Bob
Symmetric

Alice Bob
Asymmetric

Trapdoor Functions

The Mountains of
Complexity

Turing Machines
S - set of symbols
Q - set of states
q0 - the initial state, q0 Q
F - the set of ﬁnal states, F ⊆ Q
δ - the transition function

Decisions, Decisions, Decisions
Given some formal system, a decision
problem is a statement that is either true
or false. E.g.
Given any 2 integers x and y, is
(x/y) mod 2 = 0?
Is the real part of any non-trivial zero of
the Riemann zeta function 1/2?
Does a given algorithm return a value
within a ﬁnite amount of time?

P & NP
Decision problems in P can be solved in
polynomial time on a deterministic Turing
machine.
sorting lists, shortest path problem
A decision problem is in NP if a solution
can be veriﬁed in polynomial time on a
non-deterministic Turing machine.
multi-body collision detection

NP-Hard & NP-Complete
Not all problems in NP are equal!
NP-complete problems are “the hardest
problems in NP”
A decision problem D is NP-complete if:
1. D is in NP
2. Every problem in NP is reducible to D
in polynomial time
If only (2) is true then D is NP-hard

P versus NP

Is a fundamental part of HTTPS/SSL
Based on the Integer Factorisation
Problem
Believed to be in NP and co-NP but not
NP-complete
A factor is a number that divides evenly
into another number, e.g.
20 has factors { 1, 2, 5, 10 }

Primes, Co-Primes
A prime number is a natural number
greater than 1 with no positive divisors
except itself and 1
Two numbers p, q are co-prime iff the
greatest common divisor is 1, i.e
gcd(p,q) = 1
Examples:
gcd(15, 10) = 5
gcd(16, 10) = 2
gcd(17, 10) = 1

Integer Factorisation Problem
The fundamental theorem of arithmetic,
proves every positive integer has a unique
prime decomposition:
n = Σ pq
Where n, p, q are integers and p are
prime numbers
Examples:
15 = 5 * 3 20 = 5 * 22

Totatives & Euler’s Totients
A number t is a totative of n iff
0 < t < n and gcd(t,n) = 1
Euler’s totient function of a number n is
given by φ(n) = |T(n)|, where T(n) is the
set of all totatives of n
Example: if n = 9, then
T(n) = {1, 2, 4, 5, 7, 8}
φ(9) = |T(9)| = 6

RSA Key Generation
Choose two prime number p and q
Compute n = pq
Compute φ(n) = φ(p) φ(q) = (p - 1)/(q - 1)
Chose an integer e s.t.
1 < e < φ(n) & gcd(e, φ(n)) = 1
Compute d = 1 / e(mod F(n))
Public Key = (e, n)
Private Key = (e, d)

Encryption
Given a message M convert to an integer
m s.t. 0 < m < n using a padding protocol,
the ciphertext c is generated by:
c = me (mod n)
Decryption
Given a ciphertext c compute
m = cd (mod n)
and recover M by reversing the padding
protocol on m

Caution! !
Picking the prime numbers is hard
If p or q are too small or too close to
each other it greatly decreases the
security
If p-1 or q-1 only has small prime factors
n can be factored in polynomial time

Theory-based Attacks
Trial division
Euler’s algorithm
Fermat’s algorithm
Wheel factorisation
Quadratic sieve
General number ﬁeld sieve
Pollard’s ρ algorithm
Shor’s algorithm

Practical Attacks
Man-in-the-Middle:
BEAST - faulty cipher attack
CRIME & BREACH - secure cookie
compression attack
Side-Channel:
Lucky13 - padding attack
Bug:
Heartbleed - buffer overﬂow

A Detour through
the Garden of
Mathematics

Abstract Algebra
An algebraic structure is composed of one
or more sets with one or more n-ary
functions deﬁned on them.
Underpins a great deal of modern
sciences: codes, symmetries, dynamical
systems
A beautiful example of mathematics at
work

NOTA BENE! !
Mathematics is a precise language, the
notation less so
Different branches of maths use the same
symbol to mean different things
There are some “rules” which if you don’t know
can be confusing
In abstract algebra we use + and • which are
not always numeric addition and multiplication
Mathematicians are lazy: a • b = ab

A group G is a pair G(S, •) where S is a set
and • a binary operator that satisﬁes:
Closed: ∀ a, b S then a • b S
Associative: ∀ a, b, c S then
(a • b) • c = a • (b • c)
Identity element: e S s.t ∀ a S
e • a = a • e = a
Inverse element: ∀ a S, b S s.t
a • b = b • a = e
Groups
E
E

A group G(S, •) is an abelian group (or
commutative group) if it also satisﬁes the
commutativity condition:
∀ a, b S then a • b = b • a
Abelian Groups

A ring R is a tuple R(S,+,•) if it satisﬁes
the 8 ring axioms:
1-4 (S,+) is an abelian group
5-6 (S,•) is a monoid
7-8 distributivity
If the • operator is commutative then R is
a commutative ring
Rings

A field F is a tuple F(S,+,•) where F(S,+)
and F(S,•) are abelian groups, and the
distributivity property is satisfied, i.e.
∀ a, b, c S then:
a • (b + c) = (a • b) + (a • c)
(a + b) • c = (a • c) + (b • c)
Every field is a ring but not every ring a
field
Fields

Mathematics of
Elliptic Curves

Foreword
Elliptic curves have (almost) nothing to do
with ellipses, so put ellipses and conic
sections out of your thoughts

An elliptic curve E defined over a field k
is a curve given by the equation
y2 = x3 + Ax + B
where the discriminant
∆ = 4A3 + 27B2
must be non-zero and A, B, x, y in k.
We define E(k), together with the point at
infinity Θ, as the set of all points on E
over k.

An elliptic curve is given by the
Weierstrass equation:
y2 + Axy + By = x3 + Cx2 + Dx + E
where
A, B, C, D, E, x, y in k
But we generally consider the cases
where A, B, C are zero => ∆ = 0
Lies Lies Lies

Elliptic Curves Over Prime Fields
An elliptic curve E deﬁned over Zp is given
by the equation
y2 = x3 + Ax + B mod p
∆ = 4A3 + 27B2 mod p
where p is a prime number, and Zp is the
set of integers {0, ..., p-1} with modulo p
arithmetic

Adding Points on a Curve
Given two points P and Q on a elliptic curve,
how can we produce a 3rd point R = P + Q,
also on the curve?
1. If P ≠ Q, draw a line between P and Q
extending it until it intersects the curve;
If P = Q extend the tangent at P instead.
This intersection point is -(P + Q), or -R
2. Draw a line from the intersection parallel
to the y-axis until it intersects the curve
again at R = P + Q

P
Q
Case 0: Line between P
& Q not parallel to y-
axis

P
Q
-R
axis

P
Q
-R
R
axis

P
Case 1: P = Q

P
-R
Case 1: P = Q

P
-R
R
Case 1: P = Q

P
Q
Case 2: Q = -P, line
between P & Q parallel
to y-axis

P
Q
Case 2: Q = -P, line
between P & Q parallel
to y-axis
R = Θ

The set of all points on E over k, E(k), form
a group (E(k), +) under the point addition
operator.
Recall, a group has the properties:
P + Θ = Θ + P = P [Identity element]
P + (-P) = Θ [Inverse element]
P + (Q + R) = (P + Q) + R [Associative]
P + Q E(k) [Closed]
for all P, Q, R E(k)
Point Addition

Point Multiplication
Multiplication of a point by a scalar integer
is deﬁned by
n • P = P + P + ... + P
Examples:
2P = P + P
-3P = -3(P) = (-P) + (-P) + (-P)
0P = Θ
Point multiplication is more efﬁcient than
general point addition.

Elliptic Curve
Cryptography

Elliptic curve cryptography uses elliptic
curves over finite fields
A prime curve is defined over Zp
A binary curve is defined over GF(2m)
Hardware implementations of binary curve
systems are both small & fast
Prime curves are typically used in
software implementations

Discrete Logarithm Problem
Problem: find k where xk = y where x, y
in some group G
Note that xk = x • x • ... • x (k times)
If G is the set of points on an elliptic
curve we define the elliptic discrete
logarithm problem (ECDLP) as:
given P, Q G find k where Q = k • P

ECDLP Complexity
The elliptic curve discrete logarithm
problem is in NP and co-NP and not
thought to be in NP-complete or NP-hard
As key size increases performance of
implementations decreases

Domain Parameters
p: The prime number which defines the field in which
the curve operates, Fp. All point operations are taken
modulo p.
a, b: The two coefficients which define the curve.
These are integers.
G: The generator or base point. A distinct point of
the curve which resembles the "start" of the curve.
n: The order of the curve generator point G.
h: The cofactor of the curve. It is the quotient of
the number of curve-points, or #E(Fp), divided by n.

Key Generation
Generating a keypair for ECC is trivial. The private key
is a random integer dA, such that
0 < dA < n
Then we generate the public key QA using scalar point
multiplication of the private key with the generator
point G:
QA = dA • G
Note that the public and private key are not equally
exchangeable (like in RSA, where both are integers):
the private key dA is a integer, but the public key QA is
a point on the curve.

Encryption
First choose a random number r so that
0 < r < n
Then, calculate the “session” point R by multiplying r with the
generator point of the curve:
R = r . G
We also generate a secret using the public key of the
recipient:
S = r . QA
Now, R is publicly transmitted with the message and from the
point S a symmetric key is derived with which the message is
encrypted, e.g using AES.

Decryption
Given an encrypted message and session
key R, how do you recover S to decrypt
the message?
S = dA . R
= dA . (r . G)
= r . (dA . G)
= r . QA

ECC security correlates to:
Domain parameter generation and
validation (poor curve choice)
Small key sizes
Even small differences in parameters
can signifcantly change the security
Caution! !

Theory-Based Attacks
Brute-force O(2n/2)
Baby-step giant-step O(√n)
Function ﬁeld sieves O(√n)
Pollard’s ρ algorithm for logarithms O(~0.8√n)
Shor’s algorithm for logarithms O((log n)3)

Practical Attacks
Side channel attacks (passive)
Differential power analysis
Timing attacks
Zero-value point attacks
Fault analysis attacks (active)
Safe error analysis
Invalid point & invalid curve analysis

RSA vs. ECC

Security
ECC is not “more secure” than RSA
They both utilise similar mathematical
problems
These problems are not NP-complete or
NP-hard
As (quantum) computers become more
powerful both ECC and RSA are in trouble

Performance
1. Shorter keys are as strong as long keys for
RSA (in general 256-bit ECC is equivalent to
3072-bit RSA)
2. Low on CPU consumption.
3. Low on memory usage.
4. (2) & (3) => lower energy
5. Fast key generation
6. Processing ECC SSL certiﬁcates x2 faster

Pairing
Pairing allows for a 3-party key exchange
and cryptography system
Useful for example in ﬁnancial
transactions: buyer, seller, & bank
Active area of research, especially in
identity-based encryption (IBE), primarily
using elliptic curves

ECC “in the Wild”

ECC & Java
JCA
• java.security
• javax.security deprecated
JCE
• Oracle JCE + policies
Legion of the Bouncycastle

Standardised ECC
NIST curve P-256 [Safe]
y2 = x3- 3x + K
modulo p = 2224 - 296 + 1
where K = 18958286285566608000408668544493926415504680968679321075787234672564
SECp256k1 [Unsafe]
y2 = x3 + 7
modulo p = 2256 - 232 - 977
http://safecurves.cr.yp.to/

Curve25519
Is a high-speed Difﬁe-Hellman function
growing in popularity and as the “default
setting”
Uses the curve given by
y2 = x3 + 486662x2 + x
over the prime ﬁeld given by 2255 − 19, and
the base point x = 9
Supported apps: http://ianix.com/pub/
curve25519-deployment.htmlFriday, 11 July 2014

The NSA & ECC
Attack method: tampered with Dual
EC_DRBG (a CSPRNG), which is part of
the NIST SP 800-90A standard, to
introduce a “backdoor”
Attack summary: the CSPRNG did not
generate random points P & Q on the
curve meaning an attacker can recover
the keys relatively easily from ciphertext

The Pirate Bay & ECC
Bit-torrent is a peer-2-peer ﬁle transfer
protocol co-ordinated by centralised
trackers
Recently IPOs have sought IP and domain
name blockades against index sites
August 2013 PirateBrowser launched
Coming soon: P2P darknet where
authenticated index site DNS entries are
mapped to their ECC public key

The Now
RSA is still secure but consider using
bigger keys soon
ECC support is nearly universal (OS,
browser, switches/routers/etc)
ECC is growing because of faster
performance not “better” security
Attacks in the wild generally focus on
implementations not the mathematical
theory

The Future
ECC is a stepping stone technology
Advances in mathematics, computing power
and models threaten the security of ECC
and RSA
Lattice Cryptography will be the next
generation of non-quantum cryptosystems
Research in to NP-intermediate and the
rest of the complexity landscape

Thank you

Resouces
• Lance Fortnow “The Status of the P Versus NP
Problem” http://cacm.acm.org/magazines/
2009/9/38904-the-status-of-the-p-versus-np-
problem
• P. de Sautoy, “Music of the Primes”
• https://blogs.rsa.com/secure-crypto-lucky-
thirteen-attack/
• Bos, Joppe W., Marcelo E. Kaihara, and Peter L.
Montgomery. "Pollard rho on the PlayStation 3."
Workshop record of SHARCS. Vol. 9. 2009.

Resouces
• Joye, Marc, and Michael Tunstall. Fault Analysis in
Cryptography. Springer, 2012
• Matthew Green “The Many Flaws of
Dual_EC_DRBG”, http://
blog.cryptographyengineering.com/2013/09/the-
many-ﬂaws-of-dualecdrbg.html

ECC vs RSA: Battle of the Crypto-Ninjas

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to ECC vs RSA: Battle of the Crypto-Ninjas

Similar to ECC vs RSA: Battle of the Crypto-Ninjas (18)

Recently uploaded

Recently uploaded (20)

ECC vs RSA: Battle of the Crypto-Ninjas