- Joppe W. Bos,
- J. Alex Halderman,
- Nadia Heninger,
- Jonathan Moore,
- Michael Naehrig &
- …
- Eric Wustrow
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8437)
Abstract
In this paper we perform a review of elliptic curve cryptography (ECC) as it is used in practice today in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems.
Joppe W. Bos—This work was conducted while this author was at Microsoft Research, Redmond, USA.
Jonathan Moore—Unaffiliated.
Notes
- 1.
This invalid curve attack on secp256k1 using fault injection has been mentioned before, for example by Paulo S.L.M. Barreto (@pbarreto): “In other words: given 13 faults and a good PC, one can break secp256k1 (and Bitcoin) in 1 min.”, October 21, 2013, 10:20 PM, Tweet.
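The standard defence against the invalid-curve attack referred to in this note is to validate every received public point before using it. The following is an added example, not code from the paper; it implements full public-key validation for secp256k1 (range check, on-curve check, and the order check from SP 800-56A) using the public SEC2 curve constants, and rejects a point that has been pushed off the curve.

```python
# Added example: full public-key validation for secp256k1 (SEC2 constants).
# A point that is not on y^2 = x^3 + 7 lives on some other curve, whose group
# may be weak; refusing it closes the invalid-curve attack mentioned in note 1.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a):
    return pow(a, P - 2, P)  # modular inverse, p is prime


def _add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * _inv(2 * y1) % P  # doubling (a == 0)
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def validate_public_key(q):
    """Return True only if q is a valid secp256k1 public point."""
    if q is None:
        return False  # the identity is never a valid public key
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False  # coordinates must be field elements
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False  # off the curve: never do arithmetic on such a point
    return _mul(N, q) is None  # order check; cheap insurance for cofactor 1
```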
Acknowledgments
We thank Jaap W. Bos for valuable discussions about the financial market, Andy Modell for support in TLS scanning, Sarah Meiklejohn for sharing her knowledge about Bitcoin, and Felipe Voloch for pointing out the existence of the private keys 1 and 2 in Bitcoin. We thank the Microsoft Security Vulnerability Research team for their help with responsibly disclosing the vulnerabilities we found to affected companies.
Author information
Authors and Affiliations
Microsoft Research, Redmond, USA
Michael Naehrig
University of Michigan, 2260 Hayward Street, Ann Arbor, MI, 48109, USA
J. Alex Halderman & Eric Wustrow
University of Pennsylvania, Philadelphia, USA
Nadia Heninger
NXP Semiconductors, Leuven, Belgium
Joppe W. Bos
Corresponding author
Correspondence to J. Alex Halderman.
Editor information
Editors and Affiliations
Carnegie Mellon University, Pittsburgh, Pennsylvania, USA
Nicolas Christin
University of Calgary, Calgary, Alberta, Canada
Reihaneh Safavi-Naini
Copyright information
© 2014 International Financial Cryptography Association
About this paper
Cite this paper
Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M., Wustrow, E. (2014). Elliptic Curve Cryptography in Practice. In: Christin, N., Safavi-Naini, R. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol 8437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45472-5_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-45471-8
Online ISBN: 978-3-662-45472-5