Algorithms for solving special cases of ECDLP – Elliptic Curves
8.4.2 Algorithms for solving special cases of ECDLP
Because of their mathematical properties, some elliptic curves allow you to take shortcuts when solving ECDLP. In 1991, mathematicians Alfred Menezes, Scott Vanstone, and Tatsuaki Okamoto published an algorithm that reduces ECDLP to a DLP in the multiplicative group of a finite field. They showed that for…
Secure elliptic curves – the mathematical perspective – Elliptic Curves
8.4.3 Secure elliptic curves – the mathematical perspective
From the preceding discussion, it should be clear that not every elliptic curve is suitable for cryptography. An elliptic curve used for cryptographic purposes must be cryptographically strong, which is just another way of saying that the ECDLP instance for this curve must be computationally hard. In…
A potential backdoor in Dual_EC_DRBG – Elliptic Curves
8.4.4 A potential backdoor in Dual_EC_DRBG
Dual_EC_DRBG is a pseudorandom number generator based on elliptic curve cryptography. From 2006 to 2014, it was among the algorithms officially recommended by NIST in their Special Publication 800-90A Random Number Generation Using Deterministic Random Bit Generators. In 2014, NIST withdrew the algorithm based on substantial suspicion in the…
Secure elliptic curves: security engineering perspective – Elliptic Curves
8.4.5 Secure elliptic curves: security engineering perspective
As illustrated by the Dual_EC_DRBG example, the mathematical perspective on the security of elliptic curves is not sufficient. As cryptographers Dan Bernstein and Tanja Lange explain in their SafeCurves initiative [22], preventing backdoors in cryptographic mechanisms based on elliptic curves requires rigidity. Rigidity refers to a curve generation…
Curve secp256r1 – Elliptic Curves
8.5.1 Curve secp256r1
Digital Signature Standard FIPS-186 [128] specifies 15 elliptic curves that the National Institute of Standards and Technology (NIST) recommends for use by the US federal government. All 15 curves were generated using a method described in the IEEE 1363-2000 and the ANS X9.62 standards. Curve secp256r1 is one of the elliptic curves…
Curve secp521r1 – Elliptic Curves
8.5.3 Curve secp521r1
The third NIST curve included in the TLS 1.3 standard is curve secp521r1. It is also defined in FIPS-186, where it is referred to as curve P-521. P-521 is defined over the prime field 𝔽p with p = 2^521 − 1. Like P-256 and P-384, the curve P-521 is defined by the…
Curve 25519 – Elliptic Curves
8.5.4 Curve 25519
Curve 25519 is defined in RFC 7748, where it is referred to as curve25519. It was proposed in 2005 by the American-German cryptographer Dan Bernstein [24] and attracted interest from the wider cryptographic community after the discovery of a potential backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) algorithm…
Curve 448 – Elliptic Curves
8.5.5 Curve 448
Curve 448 is also defined in RFC 7748, where it is referred to as curve448. It was proposed in 2015 by the American computer scientist and cryptographer Mike Hamburg [79] for inclusion in TLS, in order to equip the TLS standard with a cryptographically strong curve alongside curve25519. curve448 is named after…
Elliptic curve Diffie-Hellman in TLS 1.3 – Elliptic Curves
8.5.6 Elliptic curve Diffie-Hellman in TLS 1.3
If Alice and Bob use the ECDH key agreement with elliptic curves secp256r1, secp384r1, or secp521r1, they follow the ECKAS-DH1 scheme defined in the IEEE 1363-2000 standard illustrated in Figure 8.5.6. When using the ECKAS-DH1 scheme, Alice and Bob first agree on the secret value derivation primitive. IEEE…
ECDH parameters in TLS 1.3 – Elliptic Curves
8.5.7 ECDH parameters in TLS 1.3
Both server Alice and client Bob encode their ECDH parameters in the KeyShare structure, in the key_exchange opaque field of a KeyShareEntry. When elliptic curves secp256r1, secp384r1, or secp521r1 are used, the key_exchange field stores the serialized value of the UncompressedPointRepresentation structure shown in Listing 8.3. Listing 8.3: Uncompressed…