Elliptic Curve Cryptography in Practice

In this paper we perform a review of elliptic curve cryptography (ECC) as it is used in practice today in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems.

[1]  Elaine B. Barker,et al.  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography , 2007 .

[2]  Nigel P. Smart,et al.  Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[3]  Ramarathnam Venkatesan,et al.  Bits Security of the Elliptic Curve Diffie-Hellman Secret Keys , 2008, CRYPTO.

[4]  Igor E. Shparlinski,et al.  On the Unpredictability of Bits of the Elliptic Curve Diffie--Hellman Scheme , 2001, CRYPTO.

[5]  Hovav Shacham,et al.  When private keys are public: results from the 2008 Debian OpenSSL vulnerability , 2009, IMC '09.

[6]  Scott A. Vanstone,et al.  Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms , 2001, CRYPTO.

[7]  Elaine B. Barker,et al.  SP 800-56A. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) , 2007 .

[8]  P. Cochat,et al.  Et al , 2008, Archives de pediatrie : organe officiel de la Societe francaise de pediatrie.

[9]  Jeremy Clark,et al.  CommitCoin: Carbon Dating Commitments with Bitcoin - (Short Paper) , 2012, Financial Cryptography.

[10]  Iwan M. Duursma,et al.  Speeding up the Discrete Log Computation on Curves with Automorphisms , 1999, ASIACRYPT.

[11]  Daniel J. Bernstein,et al.  Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[12]  J. Pollard,et al.  Monte Carlo methods for index computation () , 1978 .

[13]  Adi Shamir,et al.  Quantitative Analysis of the Full Bitcoin Transaction Graph , 2013, Financial Cryptography.

[14]  Arjen K. Lenstra,et al.  Public Keys , 2012, CRYPTO.

[15]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[16]  Risto M. Hakala,et al.  Cache-Timing Template Attacks , 2009, ASIACRYPT.

[17]  Douglas Stebila,et al.  Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer , 2009, RFC.

[18]  Thomas Pornin Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) , 2013, RFC.

[19]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[20]  Denis Réal,et al.  Fault Attack on Elliptic Curve Montgomery Ladder Implementation , 2008, 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography.

[21]  Bernd Meyer,et al.  Differential Fault Attacks on Elliptic Curve Cryptosystems , 2000, CRYPTO.

[22]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[23]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[24]  Marc Joye,et al.  Weierstraß Elliptic Curves and Side-Channel Attacks , 2002, Public Key Cryptography.

[25]  Tanja Lange,et al.  Factoring RSA keys from certified smart cards: Coppersmith in the wild , 2013, IACR Cryptol. ePrint Arch..

[26]  Margo I. Seltzer,et al.  Berkeley DB , 1999, USENIX Annual Technical Conference, FREENIX Track.

[27]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[28]  Elaine Shi,et al.  Bitter to Better - How to Make Bitcoin a Better Currency , 2012, Financial Cryptography.

[29]  Fergal Reid,et al.  An Analysis of Anonymity in the Bitcoin System , 2011, PASSAT 2011.

[30]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[31]  J. Solinas CORR 99-39 Generalized Mersenne Numbers , 1999 .

[32]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[33]  Vitaly Shmatikov,et al.  The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.

[34]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Public Key Cryptography.

[35]  Eric Wustrow,et al.  Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.

[36]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[37]  Bodo Möller,et al.  Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) , 2006, RFC.

[38]  Jörg Schwenk,et al.  Randomly Failed! The State of Randomness in Current Java Implementations , 2013, CT-RSA.

[39]  Frederik Vercauteren,et al.  Practical Realisation and Elimination of an ECC-Related Software Bug Attack , 2012, CT-RSA.

[40]  Bart Preneel,et al.  RIPEMD-160: A Strengthened Version of RIPEMD , 1996, FSE.

[41]  Matthew Green,et al.  Zerocoin: Anonymous Distributed E-Cash from Bitcoin , 2013, 2013 IEEE Symposium on Security and Privacy.