Elliptic Curve Cryptography – a small chink in the armor

Elliptic Curve Cryptography (ECC) was the shining star… the Holy Grail of crypto.  It needs little processing time to calculate keys and little memory to store information.  It is fast and works well on mobile devices.  The key material itself is small.  And it is strong.  Or at least it was.  Researchers at the École Polytechnique Fédérale (EPFL) in Lausanne, Switzerland, cracked 112-bit encryption based on elliptic curves (ECCp-112).

The PlayStation 3 cluster at the École Polytechnique Fédérale used in breaking 112-bit Elliptic Curve Cryptography

Elliptic curve cryptography is based on the Discrete Logarithm Problem (DLP), a so-called NP-hard problem that rests on the ease of calculating the next value of a curve over a finite field.  Essentially, it’s easy to calculate the next value, but very hard to find the previous one.  ECC is a type of public key crypto, and the DLP it is based on is the same mathematical issue used in RSA cryptography.
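The easy-forward, hard-backward asymmetry described above, as an added example that is not part of the original post: on a toy curve, double-and-add computes a public point in a number of group operations proportional to the bit length of the secret, while exhaustive search for that secret walks the multiples of the base point one at a time. The curve parameters P, A and B, the base point G and the scalar d are all constructed for this illustration.

```python
# Toy curve y^2 = x^3 + A*x + B over F_P. Constructed parameters, far too
# small for real use; they only make the cost asymmetry visible.
P, A, B = 10007, 2, 3

def add(p1, p2):
    """Add two curve points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p2 is the inverse of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def find_point():
    """Return the first point with y != 0 (square root works as P % 4 == 3)."""
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y and y * y % P == rhs:
            return x, y

def scalar_mult(k, pt):
    """Easy direction: double-and-add. Returns (k*pt, group operations used)."""
    result, ops = None, 0
    while k:
        if k & 1:
            result, ops = add(result, pt), ops + 1
        pt, ops, k = add(pt, pt), ops + 1, k >> 1
    return result, ops

def brute_force_log(G, Q):
    """Hard direction: step through G, 2G, 3G, ... until Q appears."""
    acc, k = None, 0
    while acc != Q:
        acc, k = add(acc, G), k + 1
        if acc is None:
            raise ValueError("Q is not a multiple of G")
    return k

G = find_point()                          # constructed base point

if __name__ == "__main__":
    d = 7919                              # constructed private scalar
    Q, ops = scalar_mult(d, G)            # public point
    print(f"forward: {ops} group operations")
    print(f"reverse: {brute_force_log(G, Q)} group operations")
```

Each extra bit in the secret adds at most two operations to the forward direction, but doubles the range the exhaustive search may have to cover.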

While this is a so-called brute force attack, where a computer tries all 2^60 key combinations to break the encryption, it still demonstrates that the processing power to perform this sort of attack is available, and not that far from accessible.  The researchers used a bank of 200 PlayStation 3s over one year, but estimate the computations would have taken only 3 months with the optimizations they made throughout the experiment.  As Moore’s Law dictates that computing power doubles every 18 months, cryptographic methods must keep pace.  The weakest ECC standard currently used is 160 bits, which is 1 million times stronger in terms of complexity than that broken by the Swiss researchers.  By 2010, the National Institute of Standards and Technology, the governing body for cryptography, will replace the 160-bit version with a higher-strength, 224-bit version.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

  • Information Security (Foundations: II.C) including: Encryption (data-at-rest) and Threats & Vulnerabilities
