Elliptic curves in action

After a slow start, elliptic curve based algorithms are gaining popularity, and the pace of adoption is accelerating. ECC is now used in a wide variety of applications: the US government uses it to protect internal communications, the Tor project uses it to help assure anonymity, it is the mechanism used to prove ownership of bitcoins, it provides signatures in Apple's iMessage service, it is used to encrypt DNS information with DNSCurve, and it is the preferred method for authentication for secure Web browsing over SSL/TLS. A growing number of sites use ECC to provide perfect forward secrecy, which is essential for online privacy. First generation cryptographic algorithms like RSA and Diffie-Hellman are still the norm in most arenas, but ECC is quickly becoming the go-to solution for privacy and security online.

If you are accessing an HTTPS version of the Cloudflare blog from a recent enough version of Chrome or Firefox, your browser is using ECC. You can check this yourself. In Chrome, you can click on the lock in the address bar and go to the connection tab to see which cryptographic algorithms were used in establishing the secure connection. Clicking on the lock in Chrome 30 should show the following image.

The relevant portions of the text to this discussion involve ECDHE_RSA. ECDHE stands for Elliptic Curve Diffie Hellman Ephemeral, and it is a key exchange mechanism based on elliptic curves. This algorithm is used by websites to provide perfect forward secrecy in SSL. The RSA component means that RSA is used to prove the identity of the server.

Sites that use RSA use it because their SSL certificate is bound to an RSA key pair. Modern browsers also support certificates based on elliptic curves. If a site's SSL certificate was an elliptic curve certificate, this part of the page would state ECDHE_ECDSA. The proof of the identity of the server would be done using ECDSA, the Elliptic Curve Digital Signature Algorithm.

Here's a sample ECC curve for ECDHE (This is the same curve used by Google.com):

max: 115792089210356248762697446949407573530086143415290314195533631308867097853951

curve: y2 = x3 + ax + b

a = 115792089210356248762697446949407573530086143415290314195533631308867097853948

b = 41058363725152142129326129780047268409114441015993725554835256314039467401291

The performance improvement of ECDSA over RSA is dramatic. Even with an older version of OpenSSL that does not have assembly-optimized elliptic curve code, an ECDSA signature with a 256-bit key is over 20 times faster than an RSA signature with a 2,048-bit key.

On a MacBook Pro with OpenSSL 0.9.8, the "speed" benchmark returns:

Doing 256 bit sign ecdsa's for 10s: 42874 256 bit ECDSA signs in 9.99s

Doing 2048 bit private rsa's for 10s: 1864 2048 bit private RSA's in 9.99s

That's 23 times as many signatures using ECDSA as RSA.

Using ECC saves time, power, and computational resources for both the server and the browser, helping us make the Web both faster and more secure.

The downside

It's not all roses in the world of elliptic curves. There have been some questions and uncertainties that have held them back from being fully embraced by everyone in the industry.

One point that has been in the news recently is the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). This is a random number generator standardized by the National Institute of Standards and Technology (NIST) and promoted by the NSA. Dual_EC_DRBG generates random-looking numbers using the mathematics of elliptic curves. The algorithm itself involves taking points on a curve and repeatedly performing an elliptic curve "dot" operation. After publication, it was reported that it could have been designed with a backdoor, meaning that the sequence of numbers returned could be fully predicted by someone with the right secret number. Recently, the company RSA recalled several of its products because this random number generator was set as the default PRNG for its line of security products. Whether or not this random number generator was written with a backdoor or not does not change the strength of the elliptic curve technology itself, but it does raise questions about the standardization process for elliptic curves. It's also part of the reason that attention should be spent ensuring that your system is using adequately random numbers.

Some of the more skeptical cryptographers in the world now have a general distrust for NIST itself and the standards it has published that were supported by the NSA. Almost all of the widely implemented elliptic curves fall into this category. There are no known attacks on these special curves, chosen for their efficient arithmetic, but bad curves do exist and some feel it is better to be safe than sorry. There has been progress in developing curves with efficient arithmetic outside of NIST, including curve 25519 created by Daniel Bernstein (djb) and more recently computed curves by Paulo Baretto and collaborators. But widespread adoption of these curves is several years away. Until these non-traditional curves are implemented by browsers, they won't be able to be used for securing cryptographic transport on the Web.

Another uncertainty about ECC is related to patents. There are over 130 patents that cover specific uses of elliptic curves owned by BlackBerry (through its 2009 acquisition of Certicom). Many of these patents were licensed for use by private organizations and even the NSA. This has given some developers pause over whether their implementations of ECC infringe upon this patent portfolio. In 2007, Certicom filed suit against Sony for some uses of elliptic curves, but that lawsuit was dismissed in 2009. There are now many implementations of ECC that are thought to not infringe upon these patents and are in wide use.

The ECDSA digital signature has a drawback compared to RSA in that it requires a good source of entropy. Without proper randomness, the private key could be revealed. A flaw in the random number generator on Android allowed hackers to find the ECDSA private key used to protect the Bitcoin wallets of several people in early 2013. Sony's PlayStation implementation of ECDSA had a similar vulnerability. A good source of random numbers is needed on the machine making the signatures. Dual_EC_DRBG is not recommended.

Looking ahead

Even with the above cautions, the advantages of ECC over traditional RSA are widely accepted. Many experts are concerned that the mathematical algorithms behind RSA and Diffie-Hellman could be broken within as little as five years. With the clock ticking that fast, ECC may be left as the only reasonable alternative.