2

Simple question, what are the limitations of ECC, both in terms of application and how secure it is?

I heard that the NSA were able to read emails a few years back due to a backdoor they had discovered on a particular NIST elliptic curve. Is this something we can continue to expect, and what other potential drawbacks exist?

Ali

1 Answer

4

This is a rather open-ended question, but I'll try to answer:

Limitations:

  • most ECDSA implementations require a secure random generator - if the same random value is reused (for different plaintext) then the private key parameter can simply be calculated;
  • ECDSA requires a hash function and cannot be (easily?) used for signatures with message recovery (then again, the signatures are generally much smaller than e.g. RSA in the first place);
  • ECC doesn't provide a direct method of encryption, instead EC-IES is commonly used - which means that a key pair generation has to be performed and that the public key must be sent along with the ciphertext;
  • ECC is much more efficient than RSA for signature generation and decryption, but it's still much slower than symmetric algorithms;
  • ECC requires some agreement on which type of curve and curve parameters to use;
  • support for ECC - especially more modern curves - is lacking from many libraries.

Security:

  • the fact that the calculations can be performed on relatively small integers (compared to e.g. DH/DSA or RSA) makes the algorithm rather efficient but it may also help quantum cryptanalysis;
  • many curves - such as the most used curves by NIST over prime fields - require additional verification of the public key to be performed;
  • RSA is much easier to understand than ECC (and a better understanding aids the security of protocols and implementations);
  • RSA is still much better researched, e.g. with regards to side channel attacks.
Maarten Bodewes
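The public key verification mentioned in the Security list above, sketched for NIST P-256 as an added example that is not part of the original answer. The function names are hypothetical, and the input is assumed to be a SEC1 uncompressed point (0x04 || X || Y); the curve constants are the published P-256 parameters.

```python
# Added example: validating a received NIST P-256 public key before use.
# P-256 has cofactor 1, so a point that is on the curve and is not the
# point at infinity is already in the correct prime-order group.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime
A = P - 3                                          # curve coefficient a = -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPublicKey(ValueError):
    """Raised when an encoded point fails validation."""


def parse_and_validate_p256(encoded: bytes):
    """Return (x, y) for a valid uncompressed P-256 point, else raise."""
    # The point at infinity is encoded as the single byte 0x00, so the
    # length check also rejects it. Compressed points (0x02/0x03) are
    # out of scope for this sketch and rejected as well.
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise InvalidPublicKey("expected 65-byte uncompressed SEC1 point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    # Coordinates must be canonical field elements in [0, p-1].
    if x >= P or y >= P:
        raise InvalidPublicKey("coordinate not reduced modulo p")
    # Curve equation y^2 = x^3 + ax + b (mod p). Skipping this check lets
    # a peer supply a point on a different, weaker curve.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPublicKey("point is not on the curve")
    return x, y


def is_valid_p256_key(encoded: bytes) -> bool:
    try:
        parse_and_validate_p256(encoded)
        return True
    except InvalidPublicKey:
        return False


def encode_point(x: int, y: int) -> bytes:
    """Constructed test helper: SEC1 uncompressed encoding."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
```
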