ECC Curve Selection

1
ECCCurve Selection

• By
• Edward Yin
• CS 265 Project
• Spring 2005

2
Why ECC?

• Key Size, Speed, and Scalability
• NIST guidelines for equivalent strengths

Bits of Security Symmetric key algs. Hash algs. Discrete Logs (DSA, DH, MQV) RSA Elliptic Curves
80 SHA-1 L 1024 N 160 k 1024 f 160
112 TDES L 2048 N 224 k 2048 f 224
128 AES-128 SHA-256 L 3072 N 256 k 3072 f 256
192 AES-192 SHA-384 L 7680 N 384 k 7680 f 384
256 AES-256 SHA-512 L 15360 N 512 k 15360 f 512
3
ECC Basics

• Prime GF(p)
• Y2 X3 aX b with 4a3 27b2 ? 0
• Binary GF(2m)
• Y2 XY X3 aX2 b with b ? 0
• An elliptic curve means points on the curve
  plus the point at infinity.
• Private integer k
• Public a, b, point P, point QkP

4
Discrete Logs

• Discrete Log Problem (DLP)
• Given p, g, and y, find x such thatgx y (mod
  p).
• ECDLP
• Given P, Q, find k such that kP Q.
• Diffie-Hellman Problem (DHP)
• Given p, g, ga, gb, find gab (mod p).
• ECDHP
• Given P, sP, tP, find stP.

5
DLP and ECDLP
Regular DL (e.g. Diffie-Hellman) ECC with prime field ECC with binary field
Field GF(p) GF(p) GF(2m)
Field representation 0,1,,p-1 0,1,,p-1 Polynomial basis or normal basis
Field order (size) p p 2m
Group elements GF(p) E(GF(p)) curve E over GF(p) E(GF(2m)) curve E over GF(2m)
Basic operation Multiplication in GF(p) Addition of points on E Addition of points on E
Base element Generator g Base point P Base point P
Main operation Exponentiation Scalar multiplication Scalar multiplication
Group order (size) p-1 p1-2p1/2 E(GF(p)) p12p1/2 2m1-2m/21 E(GF(2m)) 2m12m/21
6
Known Attacks

• Best general attack is the Pollard rho method,
  taking O(n1/2) curve additions, where n is the
  order of the base point P (smallest positive
  integer such that nP 0).
• Shortcuts
• The Pohlig-Hellman algorithm reduces the size of
  the problem.
• ECDLP reduced to ECDLP modulo each prime factor
  of n
• ECDLP for anomalous curves in a prime field is
  solvable in polynomial time.
• Prime-field-anomalous if group order field
  order n
• ECDLP for some curves (e.g. supersingular curves)
  is solvable in subexponential time
• MOV reduction possible if (field order)k 1 (mod
  n) for some k

7
Avoiding Weak Curves

1. E(GF(q)) hn with large prime n, small h and
   nP0.
2. E(GF(q)) ? q.
3. The order n of point P should not divide qk-1
   for all 1 k C, C20 in practice.

8
Approaches to Curve Selection

• Choose the group order first
• Use the Complex Multiplication method (CM)
• Construct curve from another known curve
• Choose a random curve
• Count points with Schoofs algorithm or the
  Schoof-Elkies-Atkin (SEA) algorithm
• Use a published curve
• Algorithms see e.g. IEEE P1363 Annex A.
• Implementation see e.g. MIRACL at
  http//indigo.ie/mscott/