Elliptic-curve cryptography (ECC) is an approach topublic-key cryptography based on thealgebraic structure ofelliptic curves overfinite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation infinite fields, such as the RSA cryptosystem and ElGamal cryptosystem.^[1]

Elliptic curves are applicable forkey agreement,digital signatures,pseudo-random generators and other tasks. Indirectly, they can be used forencryption by combining the key agreement with asymmetric encryption scheme. They are also used in severalinteger factorizationalgorithms that have applications in cryptography, such asLenstra elliptic-curve factorization.

The use of elliptic curves in cryptography was suggested independently byNeal Koblitz^[2] andVictor S. Miller^[3] in 1985. Elliptic curve cryptography algorithms entered wide use starting in 2004.

In 1999,NIST recommended fifteen elliptic curves. Specifically, FIPS 186-4^[4] has ten recommended finite fields:

• Fiveprime fields${\displaystyle {\mathbb{F}}_p}$ for certain primesp of sizes 192, 224, 256, 384, and 521 bits. For each of the prime fields, one elliptic curve is recommended.
• Fivebinary fields${\displaystyle {\mathbb{F}}_{2^m}}$ form equal 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and oneKoblitz curve was selected.

The NIST recommendation thus contains a total of five prime curves and ten binary curves. The curves were chosen for optimal security and implementation efficiency.^[5]

At theRSA Conference 2005, theNational Security Agency (NSA) announcedSuite B, which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.^[1]National Institute of Standards and Technology (NIST) has endorsed elliptic curve cryptography in itsSuite B set of recommended algorithms, specificallyelliptic-curve Diffie–Hellman (ECDH) for key exchange andElliptic Curve Digital Signature Algorithm (ECDSA) for digital signature. The NSA allows their use for protecting information classified up totop secret with 384-bit keys.^[6]

Recently,^[when?] a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as theWeil andTate pairings, have been introduced. Schemes based on these primitives provide efficientidentity-based encryption as well as pairing-based signatures,signcryption,key agreement, andproxy re-encryption.^{[citation needed]}

Elliptic curve cryptography is used successfully in numerous popular protocols, such asTransport Layer Security andBitcoin.

In 2013,The New York Times stated thatDual Elliptic Curve Deterministic Random Bit Generation (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence ofNSA, which had included a deliberate weakness in the algorithm and the recommended elliptic curve.^[7]RSA Security in September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG.^[8][9] In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic curves,^[10] suggesting a return to encryption based on non-elliptic-curve groups.

Additionally, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns aboutquantum computing attacks on ECC.^[11][12]

While the RSA patent expired in 2000, there may be patents in force covering certain aspects of ECC technology, including at least one ECC scheme (ECMQV). However,RSA Laboratories^[13] andDaniel J. Bernstein^[14] have argued that theUS government elliptic curve digital signature standard (ECDSA; NIST FIPS 186-3) and certain practical ECC-based key exchange schemes (including ECDH) can be implemented without infringing those patents.

For the purposes of this article, anelliptic curve is aplane curve over afinite field (rather than the real numbers) which consists of the points satisfying the equation

${\displaystyle y^2=x^3+ax+b,}$

along with a distinguishedpoint at infinity, denoted ∞. The coordinates here are to be chosen from a fixedfinite field ofcharacteristic not equal to 2 or 3, or the curve equation would be somewhat more complicated.

This set of points, together with thegroup operation of elliptic curves, is anabelian group, with the point at infinity as an identity element. The structure of the group is inherited from thedivisor group of the underlyingalgebraic variety:

${\displaystyle {\mathrm{Div}}^0(E)\to {\mathrm{Pic}}^0(E)\simeq E.}$

Public-key cryptography is based on theintractability of certain mathematicalproblems. Early public-key systems, such asRSA's 1983 patent, based their security on the assumption that it is difficult tofactor a large integer composed of two or more large prime factors which are far apart. For later elliptic-curve-based protocols, the base assumption is that finding thediscrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible (thecomputational Diffie–Hellman assumption): this is the "elliptic curve discrete logarithm problem" (ECDLP). The security of elliptic curve cryptography depends on the ability to compute apoint multiplication and the inability to compute the multiplicand given the original point and product point. The size of the elliptic curve, measured by the total number of discrete integer pairs satisfying the curve equation, determines the difficulty of the problem.

The primary benefit promised by elliptic curve cryptography over alternatives such as RSA is a smallerkey size, reducing storage and transmission requirements.^[1] For example, a 256-bit elliptic curve public key should providecomparable security to a 3072-bit RSA public key.

Severaldiscrete logarithm-based protocols have been adapted to elliptic curves, replacing the group${\displaystyle ({\mathbb{Z}}_p{)}^{\times }}$ with an elliptic curve:

• TheElliptic-curve Diffie–Hellman (ECDH) key agreement scheme is based on theDiffie–Hellman scheme,
• The Elliptic CurveIntegrated Encryption Scheme (ECIES), also known as Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme,
• TheElliptic Curve Digital Signature Algorithm (ECDSA) is based on theDigital Signature Algorithm,
• The deformation scheme using Harrison's p-adic Manhattan metric,
• TheEdwards-curve Digital Signature Algorithm (EdDSA) is based onSchnorr signature and usestwisted Edwards curves,
• TheECMQV key agreement scheme is based on theMQV key agreement scheme,
• TheECQV implicit certificate scheme.

Some common implementation considerations include:

To use ECC, all parties must agree on all the elements defining the elliptic curve, that is, thedomain parameters of the scheme. The size of the field used is typically either prime (and denoted as p) or is a power of two (${\displaystyle 2^m}$); the latter case is calledthe binary case, and this case necessitates the choice of an auxiliary curve denoted byf. Thus the field is defined byp in the prime case and the pair ofm andf in the binary case. The elliptic curve is defined by the constantsa andb used in its defining equation. Finally, the cyclic subgroup is defined by itsgenerator (a.k.a.base point)G. For cryptographic application, theorder ofG, that is the smallest positive numbern such that${\displaystyle nG=\mathcal{O}}$ (thepoint at infinity of the curve, and theidentity element), is normally prime. Sincen is the size of a subgroup of${\displaystyle E({\mathbb{F}}_p)}$ it follows fromLagrange's theorem that the number${\displaystyle h=\frac{1}{n}|E({\mathbb{F}}_p)|}$ is an integer. In cryptographic applications, this numberh, called thecofactor, must be small (${\displaystyle h\le 4}$) and, preferably,${\displaystyle h=1}$. To summarize: in the prime case, the domain parameters are${\displaystyle (p,a,b,G,n,h)}$; in the binary case, they are${\displaystyle (m,f,a,b,G,n,h)}$.

Unless there is an assurance that domain parameters were generated by a party trusted with respect to their use, the domain parametersmust be validated before use.

The generation of domain parameters is not usually done by each participant because this involves computingthe number of points on a curve which is time-consuming and troublesome to implement. As a result, several standard bodies published domain parameters of elliptic curves for several common field sizes. Such domain parameters are commonly known as "standard curves" or "named curves"; a named curve can be referenced either by name or by the uniqueobject identifier defined in the standard documents:

• NIST,Recommended Elliptic Curves for Government Use
• SECG,SEC 2: Recommended Elliptic Curve Domain Parameters
• ECC Brainpool (RFC 5639),ECC Brainpool Standard Curves and Curve GenerationArchived 2018-04-17 at theWayback Machine^[15][16]

SECG test vectors are also available.^[17] NIST has approved many SECG curves, so there is a significant overlap between the specifications published by NIST and SECG. EC domain parameters may be specified either by value or by name.

If, despite the preceding admonition, one decides to construct one's own domain parameters, one should select the underlying field and then use one of the following strategies to find a curve with appropriate (i.e., near prime) number of points using one of the following methods:

• Select a random curve and use a general point-counting algorithm, for example,Schoof's algorithm or theSchoof–Elkies–Atkin algorithm,
• Select a random curve from a family which allows easy calculation of the number of points (e.g.,Koblitz curves), or
• Select the number of points and generate a curve with this number of points using thecomplex multiplication technique.^[18]

Several classes of curves are weak and should be avoided:

• Curves over${\displaystyle {\mathbb{F}}_{2^m}}$ with non-primem are vulnerable toWeil descent attacks.^[19][20]
• Curves such thatn divides${\displaystyle p^B-1}$ (wherep is the characteristic of the field:q for a prime field, or${\displaystyle 2}$ for a binary field) for sufficiently smallB are vulnerable to Menezes–Okamoto–Vanstone (MOV) attack^[21][22] which applies usualdiscrete logarithm problem (DLP) in a small-degree extension field of${\displaystyle {\mathbb{F}}_p}$ to solve ECDLP. The boundB should be chosen so thatdiscrete logarithms in the field${\displaystyle {\mathbb{F}}_{p^B}}$ are at least as difficult to compute as discrete logs on the elliptic curve${\displaystyle E({\mathbb{F}}_q)}$.^[23]
• Curves such that${\displaystyle |E({\mathbb{F}}_q)|=q}$ are vulnerable to the attack that maps the points on the curve to the additive group of${\displaystyle {\mathbb{F}}_q}$.^[24][25][26]

Because all the fastest known algorithms that allow one to solve the ECDLP (baby-step giant-step,Pollard's rho, etc.), need${\displaystyle O(\sqrt{n})}$ steps, it follows that the size of the underlying field should be roughly twice the security parameter. For example, for 128-bit security one needs a curve over${\displaystyle {\mathbb{F}}_q}$, where${\displaystyle q\approx 2^{256}}$. This can be contrasted with finite-field cryptography (e.g.,DSA) which requires^[27] 3072-bit public keys and 256-bit private keys, and integer factorization cryptography (e.g.,RSA) which requires a 3072-bit value ofn, where the private key should be just as large. However, the public key may be smaller to accommodate efficient encryption, especially when processing power is limited.

The hardest ECC scheme (publicly) broken to date^[when?] had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case, this was broken in July 2009 using a cluster of over 200PlayStation 3 game consoles and could have been finished in 3.5 months using this cluster when running continuously.^[28] The binary field case was broken in April 2004 using 2600 computers over 17 months.^[29]

A current project is aiming at breaking the ECC2K-130 challenge byCerticom, by using a wide range of different hardware: CPUs, GPUs, FPGA.^[30]

A close examination of the addition rules shows that in order to add two points, one needs not only several additions and multiplications in${\displaystyle {\mathbb{F}}_q}$ but also aninversion operation. Theinversion (for given${\displaystyle x\in {\mathbb{F}}_q}$ find${\displaystyle y\in {\mathbb{F}}_q}$ such that${\displaystyle xy=1}$) is one to two orders of magnitude slower^[31] than multiplication. However, points on a curve can be represented in different coordinate systems which do not require aninversion operation to add two points. Several such systems were proposed: in theprojective system each point is represented by three coordinates${\displaystyle (X,Y,Z)}$ using the following relation:${\displaystyle x=\frac{X}{Z}}$,${\displaystyle y=\frac{Y}{Z}}$; in theJacobian system a point is also represented with three coordinates${\displaystyle (X,Y,Z)}$, but a different relation is used:${\displaystyle x=\frac{X}{Z^2}}$,${\displaystyle y=\frac{Y}{Z^3}}$; in theLópez–Dahab system the relation is${\displaystyle x=\frac{X}{Z}}$,${\displaystyle y=\frac{Y}{Z^2}}$; in themodified Jacobian system the same relations are used but four coordinates are stored and used for calculations${\displaystyle (X,Y,Z,a{Z}^4)}$; and in theChudnovsky Jacobian system five coordinates are used${\displaystyle (X,Y,Z,Z^2,Z^3)}$. Note that there may be different naming conventions, for example,IEEE P1363-2000 standard uses "projective coordinates" to refer to what is commonly called Jacobian coordinates. An additional speed-up is possible if mixed coordinates are used.^[32]

Reduction modulop (which is needed for addition and multiplication) can be executed much faster if the primep is apseudo-Mersenne prime (Solinas prime), that is${\displaystyle p\approx 2^d}$; for example,${\displaystyle p=2^{521}-1}$ (P-521) or${\displaystyle p=2^{256}-2^{32}-2^9-2^8-2^7-2^6-2^4-1.}$ (P-256) Compared toBarrett reduction, there can be an order of magnitude speed-up.^[33] The speed-up here is a practical rather than theoretical one, and derives from the fact that the moduli of numbers against numbers near powers of two can be performed efficiently by computers operating on binary numbers withbitwise operations.

The curves over${\displaystyle {\mathbb{F}}_p}$ with pseudo-Mersenne P-256 and P-384 are recommended by NIST. The NIST curves also usea = −3, which improves addition in Jacobian coordinates. However, this latter choice is suboptimal according to Bernstein and Lange, with other curves being likely more secure and run just as fast.^[34]

The use of pseudo-Mersennes is not one suboptimal decision: Bernstein's more preferred curves use similar forms such as${\displaystyle p=2^{255}-19}$ and${\displaystyle 2^{448}-2^{224}-1}$.^[34]

Unlike most otherDLP systems (where it is possible to use the same procedure for squaring and multiplication), the EC addition is significantly different for doubling (P =Q) and general addition (P ≠Q) depending on the coordinate system used. Consequently, it is important to counteractside-channel attacks (e.g., timing orsimple/differential power analysis attacks) using, for example, fixed pattern window (a.k.a. comb) methods^{[clarification needed][35]} (note that this does not increase computation time). Alternatively one can use anEdwards curve; this is a special family of elliptic curves for which doubling and addition can be done with the same operation.^[36] Another concern for ECC-systems is the danger offault attacks, especially when running onsmart cards.^[37]

Cryptographic experts have expressed concerns that theNational Security Agency has inserted akleptographic backdoor into at least one elliptic curve-based pseudo random generator.^[38] Internal memos leaked by former NSA contractorEdward Snowden suggest that the NSA put a backdoor in theDual EC DRBG standard.^[39] One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of PRNG output.^[40]

The SafeCurves project has been launched in order to catalog curves that are easy to implement securely and are designed in a fully publicly verifiable way to minimize the chance of a backdoor.^[41]

Shor's algorithm can be used to break elliptic curve cryptography by computing discrete logarithms on a hypotheticalquantum computer. The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330qubits and 126 billionToffoli gates.^[42] For the binary elliptic curve case, 906 qubits are necessary (to break 128 bits of security).^[43] In comparison, using Shor's algorithm to break theRSA algorithm requires 4098 qubits and 5.2 trillion Toffoli gates for a 2048-bit RSA key, suggesting that ECC is an easier target for quantum computers than RSA. All of these figures vastly exceed any quantum computer that has ever been built, and estimates place the creation of such computers at a decade or more away.^{[when?][citation needed][44]}

Supersingular Isogeny Diffie–Hellman Key Exchange claimed to provide apost-quantum secure form of elliptic curve cryptography by usingisogenies to implementDiffie–Hellman key exchanges. This key exchange uses much of the same field arithmetic as existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems.^[45] However, new classical attacks undermined the security of this protocol.^[46]

In August 2015, the NSA announced that it planned to transition "in the not distant future" to a new cipher suite that is resistant toquantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."^[11]

When ECC is used invirtual machines, an attacker may use an invalid curve to get a complete PDH private key.^[47]

Alternative representations of elliptic curves include:

• Hessian curves
• Edwards curves
• Twisted curves
• Twisted Hessian curves
• Twisted Edwards curve
• Doubling-oriented Doche–Icart–Kohel curve
• Tripling-oriented Doche–Icart–Kohel curve
• Jacobian curve
• Montgomery curves

• Jacques Vélu,Courbes elliptiques (...), Société Mathématique de France,57, 1-152, Paris, 1978.

• Elliptic Curves atStanford University
• Interactive introduction to elliptic curves and elliptic curve cryptography with Sage byMaike Massierer and theCrypTool team
• Media related toElliptic curve at Wikimedia Commons

• Elliptic curve cryptography
• Public-key cryptography
• Finite fields

• CS1 maint: archived copy as title
• Webarchive template wayback links
• Articles with short description
• Short description is different from Wikidata
• All articles with vague or ambiguous time
• Vague or ambiguous time from October 2022
• All articles with unsourced statements
• Articles with unsourced statements from April 2023
• Vague or ambiguous time from November 2022
• Wikipedia articles needing clarification from December 2011
• Vague or ambiguous time from May 2025
• Articles with unsourced statements from September 2020
• Commons link is locally defined