There is a newer family of asymmetric key ciphers called elliptic curve cryptography (ECC). The best-known elliptic curve method for digital signatures is ECDSA (Elliptic Curve Digital Signature Algorithm). Its mathematical foundation is considerably more complex than that of the RSA algorithm: the operations are based on so-called elliptic curve point operations. An elliptic curve is the set of (x, y) number pairs (points) that satisfy the equation y² = x³ + ax + b. The (x, y) coordinates and the (a, b) parameters are not chosen from the real numbers but typically from a finite field of prime order (e.g. the integers modulo a prime p) or from a finite field of order 2ⁿ (2 to the power of n). So in the case of ECDSA digital signatures, both signature creation and verification consist of considerably more complicated operations than with RSA, but on the other hand it does not require such large keys. For example, a 256-bit ECC key provides cryptographic strength comparable to a 3072-bit RSA key.
The security of elliptic curve cryptographic algorithms is based on the mathematical problem called the elliptic curve discrete logarithm problem (ECDLP). According to cryptographers, it is a problem of similar difficulty to factorization. Given this, the security that ECC provides with short keys makes it extremely attractive for modern applications.
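The point operations and the ECDSA signing and verification steps described above, as an added worked example that is not part of the Microsec article: a toy ECDSA over the constructed textbook curve y² = x³ + 2x + 2 modulo 17 (generator G = (5, 1), group order 19), with the private key d and nonce k chosen for illustration. Real deployments use standardized curves of at least 256 bits and a vetted library; this code exists only to show the arithmetic.

```python
"""Toy ECDSA over y^2 = x^3 + a*x + b (mod p). Constructed teaching curve, not a real library."""
import hashlib
import secrets

# Constructed curve parameters (assumption for illustration): y^2 = x^3 + 2x + 2 over F_17.
P, A, B = 17, 2, 2
G = (5, 1)   # generator point
N = 19       # prime order of G, so every non-infinity point is a multiple of G

def on_curve(pt):
    """True if pt satisfies the curve equation; None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def count_points():
    """Brute-force #E including infinity; only feasible on a toy curve like this one."""
    return 1 + sum(1 for x in range(P) for y in range(P) if on_curve((x, y)))

def point_add(p1, p2):
    """Elliptic curve group law (addition and doubling) using modular inverses."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add: k*pt. Easy to compute; inverting it is the ECDLP."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k=None):
    """ECDSA signing; k is the per-signature nonce (random unless given for a demo)."""
    e = hash_to_int(msg)
    while True:
        k = k or (1 + secrets.randbelow(N - 1))
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return (r, s)
        k = None                                     # degenerate nonce, draw a new one

def verify(Q, msg, sig):
    """ECDSA verification with the public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N) or Q is None or not on_curve(Q):
        return False
    e, w = hash_to_int(msg), pow(s, -1, N)
    pt = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, Q))
    return pt is not None and pt[0] % N == r
```

Requires Python 3.8+ for the three-argument `pow` modular inverse.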
According to the latest "SOGIS Agreed Cryptographic Mechanisms" recommendation, the most widespread 2048-bit RSA keys can be used until the end of 2024, that is, they are only considered secure for about the next 5 years. For longer periods, RSA keys longer than 3000 bits are proposed, which are currently supported by only a few smart cards and service providers. In contrast, the ECC algorithm with a key of at least 256 bits is considered secure and is recommended without a deadline by the SOG-IS document.
Elliptic curve cryptography is already in use in Hungary, for example to protect the communication between the chips of EU passports containing biometric identifiers (fingerprints) and the corresponding readers. In addition, citizens can also use the ECDSA algorithm to create signatures with the Hungarian e-ID card's electronic signature function.
At the end of 2017, Microsec established an entirely new certification authority hierarchy based on elliptic curves, which, following the conformity assessment, has been authorized by the supervisory bodies to issue qualified and non-qualified certificates. Microsec is thus the first certificate authority in Hungary that can provide its customers with electronic signature tools and certificates based on either the RSA or the ECC algorithm.
Author: Kornél RÉTI
© 2019 Microsec ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41