Setting the Record Straight on ECC
Recent articles appearing in The New York Times, Der Speigel, Canada's The Globe and Mail, Britain's The Guardian and a host of other media have suggested that the US National Security Agency (NSA) has successfully unraveled encryption standards and implementations, allowing the Agency to eavesdrop on internet communications. However, analysis by cooler heads suggests that strong encryption algorithms are not broken; rather, that the NSA may be taking advantage of known weakness in software and hardware that employ weak encryption methods.
For instance, in a September 6, 2013 article published in The Guardian, a security expert is cited as saying that conventional discrete-based systems such as Diffie-Hellman or RSA encryption and authentication algorithms, currently used to secure banking transactions and other Internet applications, should be preferred over elliptic curves.
As a cryptographer and a proponent of elliptic curve cryptography (ECC), I feel compelled to set the record straight.
Elliptic Curve Cryptography (ECC) is today the public-key system of choice worldwide, and provides the most security per bit of any known public-key algorithm. As such ECC is widely deployed in constrained Machine to Machine (M2M) applications such as Smart Energy, Near Field Communications, and Vehicle to Vehicle, and can certainly provide a high level of security efficiently in traditional environments once dominated by RSA.
I am not alone in my opinion on this matter. Indeed, in a direct contrast to the opinions put forward in the September 6th article, a recent presentation by Alex Stamos, CTO of the online security company Artemis, at the 2013 Black Hat Conference in Las Vegas called upon the security industry to move away from Diffie-Hellman/RSA to ECC. Stamos' call to action was reported upon in the MIT Technology Review:
“Stamos called on the security industry to think about how to move away from Diffie-Hellman and RSA, and specifically to use an alternative known as elliptic curve cryptography (ECC), which is significantly younger but relies on more intractable mathematical challenges to secure encrypted data.”
Simply and plainly put, the statements in the September 6, 2013 article that elliptic curve systems have constants that are influenced by the NSA are ludicrous.
The choices one has when constructing an elliptic curve are coefficients a and b and the generating element P. The coefficient b is selected verifibly at random. (See pages 176-178, Algorithm 4.17, Algorithm 4.18 and Algorithm 4. 19 in The Guide to Elliptic Curve Cryptography for more details on how this is done using a random seed (S) and the SHA-1.) The coefficient a has been selected by NIST to be small to increase efficiency.
NIST published a list of 15 curves that they recommended for U.S. Federal Government use. This list first appeared in print in July 1999. The publication describes how to construct the parameters of the curve. Researchers worldwide have had ample opportunity (over 14 years to date) to review and publish any results that they find. To insinuate otherwise is an insult to the cryptographic research community.
Cryptographers and developers worldwide have studied the security of ECC for almost thirty years, and ECC has been standardized in international bodies including IEEE, NFC Forum, ISO and ETSI.
To make bold claims that the NSA is able to manipulate the standards organizations is utterly misleading, and once again is insulting to the many experts who attend and participate in the drafting of these standards.
In summary, I find claims made by “security experts” in these articles unjustified, sensationalistic and irresponsible, and strongly advocate that these statements do a great disservice to the commercial cryptographic world.