Elliptic Curve Cryptography
What is elliptic curve cryptography?
Elliptic curve cryptography, or ECC, is a powerful approach to cryptography and an alternative to the well-known RSA. It is an approach to public key encryption that uses the mathematics behind elliptic curves to generate security between key pairs. ECC has been slowly gaining in popularity over the past few years due to its ability to provide the same level of security as RSA with a much smaller key size.
The resources available to crack encryption keys continue to expand, meaning the size of keys must continue to grow in order to remain secure. This can prove to be a burden to certain devices, particularly mobile devices, that do not have as much available computational power. Elliptic curve cryptography helps to solve that problem.
How does elliptic curve cryptography work?
An elliptic curve can simply be illustrated as a set of points defined by the following equation:
$y^2 = x^3 + ax + b$
The values given to a and b determine the shape of the curve. Elliptic curve cryptography uses these curves over finite fields to create a secret that only the private key holder is able to unlock. The larger the key size, the larger the curve, and the harder the problem is to solve.
A basic example of how this form of cryptography works is demonstrated in the following.
Based on the values given to points a and b, an elliptic curve is drawn. A line can then be drawn through these points until it reaches a third intersection point on the curve, which we can call point c. At this stage, when the line reaches its third intersection point, we can reflect that point onto the other side of the x-axis.
Continuing from point c, we can then draw a line from point a through point c, which intersects another part of the curve at point d. This point is also reflected to the other side of the x-axis, and this process continues until an end point is defined.
Each intersection point is defined in terms of a "dot". In the example below, the intersection points would be described as:
- A dot A = B
- A dot B = C
- A dot C = D
- A dot D = E
The number of intersection points is unknown to those without the private key, which makes it very difficult to work out how many times the equation was "dotted".
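The "dot" chain above can be run on a toy curve. This Python sketch is an added example, not code from the original article: the curve y^2 = x^3 + 2x + 2 over the integers modulo 17, the starting point (5, 1) and all function names are assumptions chosen for illustration, and the parameters are far too small for real use. It shows that the key holder reaches the end point in a few steps, while anyone else has to retrace the chain one "dot" at a time.

```python
# Toy curve y^2 = x^3 + ax + b over the integers mod P. Constructed parameters,
# far too small for real use (real curves use primes of roughly 256 bits).
P, A_COEF, B_COEF = 17, 2, 2
INF = None  # point at infinity, the identity element

def on_curve(pt):
    return pt is INF or (pt[1]**2 - pt[0]**3 - A_COEF*pt[0] - B_COEF) % P == 0

def dot(p1, p2):
    """The article's "dot": draw the line, find the third point, reflect it."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # vertical line: no third point on the curve
    if p1 == p2:
        slope = (3*x1*x1 + A_COEF) * pow((2*y1) % P, -1, P) % P  # tangent
    else:
        slope = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P        # chord
    x3 = (slope*slope - x1 - x2) % P
    return (x3, (slope*(x1 - x3) - y1) % P)  # y is already the reflected value

def chain(point, steps):
    """A, A dot A = B, A dot B = C, ... as in the list above."""
    out = [point]
    for _ in range(steps):
        out.append(dot(point, out[-1]))
    return out

def dot_n_times(point, n):
    """Key holder's shortcut (double-and-add): about log2(n) dots."""
    result, addend = INF, point
    while n:
        if n & 1:
            result = dot(result, addend)
        addend = dot(addend, addend)
        n >>= 1
    return result

def recover_count(point, target, limit):
    """Everyone else: walk the chain one dot at a time until it matches."""
    acc = INF
    for n in range(1, limit + 1):
        acc = dot(acc, point)
        if acc == target:
            return n
    return None

if __name__ == "__main__":
    a = (5, 1)
    print(chain(a, 4))                               # A, B, C, D, E
    print(recover_count(a, dot_n_times(a, 13), 19))  # private count recovered
```

On this 19-point curve the walk in `recover_count` finishes instantly; on a 256-bit curve the same walk is infeasible, which is what keeps the count private.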
ECC vs RSA
The difference in key size needed to yield the same amount of security between RSA and ECC is quite substantial. As can be seen in the comparison table below, the level of security achieved by a 256-bit elliptic curve cryptography key requires an RSA key of 3072 bits. It has been noted by the NSA that the encryption of a top-secret document by elliptic curve cryptography requires a key length of 384 bits. An RSA key of the same length would deliver nowhere near the same level of security.
|RSA Key Length (bit)||ECC Key Length (bit)|
Why is ECC important?
As noted in the previous section, size is a major factor in the importance of elliptic curve cryptography. For keys of the same size, solving an elliptic curve discrete logarithm is significantly harder than factoring, which is the problem RSA's security relies on.
To put things into perspective, according to a Universal Security study, breaking a 228-bit RSA key would take less energy than what is needed to boil a teaspoon of water. Alternatively, breaking a 228-bit ECC key would require more energy than it would take to boil all the water on earth.
Therefore, the ability to significantly reduce the size of these keys can be very useful for devices which have less computational power.
Operating system and browser compatibility
According to GlobalSign, elliptic curve cryptography can be used on most of today's modern browsers and operating systems. The list below shows which operating system and browser versions are known to be compatible with ECC.
|Operating System||Minimum Version Required|
|Apple OS X||OS X 10.6|
|Microsoft Windows||Windows Vista|
|Red Hat Enterprise Linux||6.5|
|Browser||Minimum Version Required|
|Microsoft Internet Explorer||7|
Some organizations are already using this form of cryptography, although it currently isn't as widespread and popularized as RSA. Some companies, such as entrust.com, are offering ECC demo certificates that allow you to test and devise a rollout plan for when they become more prevalent.
Although elliptic curve cryptography hasn't yet reached the masses in terms of adoption, it has been said to be the next generation of cryptography. Its ability to provide the same security as RSA while remaining much smaller in size makes ECC an attractive alternative. As technology advances and computers become more powerful, the size of RSA keys will be forced to increase as the act of cracking an RSA key becomes easier. This is sub-optimal for any device, since a larger RSA key requires more resources, and it is exactly what ECC sets out to rectify.