Elliptic Curve Cryptography in Practice

  • Joppe W. Bos
  • J. Alex Halderman
  • Nadia Heninger
  • Jonathan Moore
  • Michael Naehrig
  • Eric Wustrow
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8437)


In this paper we perform a review of elliptic curve cryptography (ECC) as it is used in practice today in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems.


Elliptic Curve Smart Card Elliptic Curf Elliptic Curve Cryptography Transport Layer Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We thank Jaap W. Bos for valuable discussions about the financial market, Andy Modell for support in TLS scanning, Sarah Meiklejohn for sharing her knowledge about Bitcoin, and Felipe Voloch for pointing out the existence of the private keys \(1\) and \(2\) in Bitcoin. We thank the Microsoft Security Vulnerability Research team for their help with responsibly disclosing the vulnerabilities we found to affected companies.


  1. 1.
    Barber, S., Boyen, X., Shi, E., Uzun, E.: Bitter to better — How to make bitcoin a better currency. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 399–414. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. 2.
    Bernstein, D.J.: A software implementation of NIST P-224 (2001).
  3. 3.
    Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Bernstein, D.J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J., Lange, T.: Safecurves: Choosing safe curves for elliptic-curve cryptography (2013). Accessed 31 Oct 2013
  6. 6.
    Bernstein, D.J., Lange, T., (eds.) eBACS: ECRYPT Benchmarking of Cryptographic Systems (2013).
  7. 7.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
  9. 9.
    Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., Moeller, B.: Elliptic curve cryptography (ECC) cipher suites for transport layer security (TLS). RFC 4492 (2006)Google Scholar
  10. 10.
    Boneh, D., Shparlinski, I.E.: On the unpredictability of bits of the elliptic curve Diffie–Hellman scheme. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 201. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Brier, E., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 335–345. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Brumley, B.B., Barbosa, M., Page, D., Vercauteren, F.: Practical realisation and elimination of an ECC-related software bug attack. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 171–186. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  13. 13.
    Brumley, B.B., Hakala, R.M.: Cache-timing template attacks. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 667–684. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    “Bushing”, Cantero, H.M., Boessenkool, S., Peter, S.: PS3 epic fail (2010).
  15. 15.
    Certicom Research. Standards for efficient cryptography 2: Recommended elliptic curve domain parameters. Standard SEC2, Certicom (2000)Google Scholar
  16. 16.
    Certicom Research. Standards for efficient cryptography 1: Elliptic curve cryptography. Standard SEC1, Certicom (2009)Google Scholar
  17. 17.
    Clark, J., Essex, A.: CommitCoin: Carbon dating commitments with bitcoin. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 390–398. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  18. 18.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Berin (2002)CrossRefGoogle Scholar
  19. 19.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  20. 20.
    DigitalOcean: Avoid duplicate SSH host keys (2013).
  21. 21.
    Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A strengthened version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  22. 22.
    Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: Fast Internet-wide scanning and its security applications. In: USENIX Security Symposium, August 2013Google Scholar
  23. 23.
    Duursma, I.M., Gaudry, P., Morain, F.: Speeding up the discrete log computation on curves with automorphisms. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 103–121. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  24. 24.
    Fouque, P., Lercier, R., Real, D., Valette, F.: Fault attack on elliptic curve Montgomery ladder implementation. In: FDTC, pp. 92–98 (2008)Google Scholar
  25. 25.
    Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  26. 26.
    Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: Validating SSL certificates in non-browser software. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM Conference on Computer and Communications Security, pp. 38–49. ACM, New York (2012)Google Scholar
  27. 27.
    Gilson, D.: issues refunds to Bitcoin theft victims, August 2013.
  28. 28.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: USENIX Security Symposium, August 2012Google Scholar
  29. 29.
    Hollosi, A., Karlinger, G., Rössler, T., Centner, M., et al.: Die österreichische bürgerkarte (2008).
  30. 30.
    Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Cryptogr. 23(3), 283–290 (2001)CrossRefzbMATHMathSciNetGoogle Scholar
  31. 31.
    Jetchev, D., Venkatesan, R.: Bits security of the elliptic curve Diffie–Hellman secret keys. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 75–92. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  32. 32.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  33. 33.
    Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  34. 34.
    Lenstra, A.K., Verheul, E.R.: Selecting cryptographic key sizes. J. Cryptol. 14(4), 255–293 (2001)zbMATHMathSciNetGoogle Scholar
  35. 35.
    Michaelis, K., Meyer, C., Schwenk, J.: Randomly failed! The state of randomness in current Java implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 129–144. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  36. 36.
    Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: Anonymous distributed E-Cash from Bitcoin. In: IEEE Symposium on Security and Privacy, pp. 397–411. IEEE Computer Society (2013)Google Scholar
  37. 37.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  38. 38.
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2009).
  39. 39.
    Olson, M.A., Bostic, K., Seltzer, M.I.: Berkeley DB. In: USENIX Annual Technical Conference, FREENIX Track, pp. 183–191. USENIX (1999)Google Scholar
  40. 40.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: The case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  41. 41.
    Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32(143), 918–924 (1978)zbMATHMathSciNetGoogle Scholar
  42. 42.
    Pornin, T.: Deterministic usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). RFC 6979 (2013)Google Scholar
  43. 43.
    Reid, F., Harrigan, M.: An analysis of anonymity in the bitcoin system. In: SocialCom/PASSAT, pp. 1318–1326. IEEE (2011)Google Scholar
  44. 44.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978)CrossRefzbMATHMathSciNetGoogle Scholar
  45. 45.
    Ron, D., Shamir, A.: Quantitative analysis of the full bitcoin transaction graph. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 6–24. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  46. 46.
    Solinas, J.A.: Generalized Mersenne numbers. Technical Report CORR 99–39, Centre for Applied Cryptographic Research, University of Waterloo (1999)Google Scholar
  47. 47.
    Stebila, D., Green, J.: Elliptic curve algorithm integration in the secure shell transport layer. RFC 5656 (2009)Google Scholar
  48. 48.
    U.S. Department of Commerce/National Institute of Standards and Technology. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. Special Publication 800–56A (2007).
  49. 49.
    U.S. Department of Commerce/National Institute of Standards and Technology. Secure Hash Standard (SHS). FIPS-180-4 (2012).
  50. 50.
    U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-4 (2013).
  51. 51.
    Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In: Feldmann, A., Mathy, L. (eds.) Internet Measurement Conference, pp. 15–27. ACM, New York (2009)Google Scholar

Copyright information

© International Financial Cryptography Association 2014

Authors and Affiliations

  • Joppe W. Bos
    • 4
  • J. Alex Halderman
    • 2
  • Nadia Heninger
    • 3
  • Jonathan Moore
  • Michael Naehrig
    • 1
  • Eric Wustrow
    • 2
  1. 1.Microsoft ResearchRedmondUSA
  2. 2.University of MichiganAnn ArborUSA
  3. 3.University of PennsylvaniaPhiladelphiaUSA
  4. 4.NXP SemiconductorsLeuvenBelgium

Personalised recommendations