Editing Elliptic-curve cryptography (section)
== History ==
The use of elliptic curves in cryptography was suggested independently by [[Neal Koblitz]]<ref>{{cite journal |first=N. |last=Koblitz |title=Elliptic curve cryptosystems |journal=Mathematics of Computation |volume=48 |issue=177 |year=1987 |pages=203–209 |doi= 10.2307/2007884|jstor=2007884 |doi-access=free }}</ref> and [[Victor S. Miller]]<ref>{{Cite book |first=V. |last=Miller |title=Advances in Cryptology — CRYPTO '85 Proceedings |chapter=Use of Elliptic Curves in Cryptography |volume=85 |pages=417–426 |doi=10.1007/3-540-39799-X_31 |series=Lecture Notes in Computer Science |date=1986 |isbn=978-3-540-16463-0 |s2cid=206617984 }}</ref> in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.

In 1999, NIST recommended fifteen elliptic curves. Specifically, FIPS 186-4<ref>{{Cite web|publisher= National Institute of Standards and Technology|date=2013-07-19|title=Digital Signature Standard (DSS)|doi=10.6028/NIST.FIPS.186-4|url=https://csrc.nist.gov/publications/detail/fips/186/4/final|language=en|doi-access=free}}</ref> has ten recommended finite fields:
* Five [[Finite Field|prime fields]] <math>\mathbb{F}_p</math> for certain primes ''p'' of sizes 192, 224, 256, 384, and {{Not a typo|521}} bits<!-- It may seem like a typographical error, but it is indeed 521 bits. -->. For each of the prime fields, one elliptic curve is recommended.
* Five [[Finite field|binary fields]] <math>\mathbb{F}_{2^m}</math> for ''m'' equal to 163, 233, 283, 409, and 571. For each of the binary fields, one elliptic curve and one [[Neal Koblitz|Koblitz]] curve were selected.
The NIST recommendation thus contains a total of five prime curves and ten binary curves.
The curves were chosen for optimal security and implementation efficiency.<ref>FIPS PUB 186-3, [http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf Digital Signature Standard (DSS)].</ref>

At the [[RSA Conference]] 2005, the [[National Security Agency]] (NSA) announced [[NSA Suite B|Suite B]], which exclusively uses ECC for digital signature generation and key exchange. The suite is intended to protect both classified and unclassified national security systems and information.<ref name=":0">{{cite web|url=http://www.nsa.gov/business/programs/elliptic_curve.shtml |title=The Case for Elliptic Curve Cryptography |work=NSA |url-status=dead |archive-url=https://web.archive.org/web/20090117023500/http://www.nsa.gov/business/programs/elliptic_curve.shtml |archive-date=2009-01-17 }}</ref> [[National Institute of Standards and Technology]] (NIST) has endorsed elliptic curve cryptography in its [[NSA Suite B|Suite B]] set of recommended algorithms, specifically [[elliptic-curve Diffie–Hellman]] (ECDH) for key exchange and [[Elliptic Curve Digital Signature Algorithm]] (ECDSA) for digital signature. The NSA allows their use for protecting information classified up to [[Classified information in the United States|top secret]] with 384-bit keys.<ref>{{cite web |url=http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml |title=Fact Sheet NSA Suite B Cryptography |work=U.S. National Security Agency |archive-url=https://web.archive.org/web/20090207005135/http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml |archive-date=2009-02-07}}</ref>

Recently,{{when|date=October 2022}} a large number of cryptographic primitives based on bilinear mappings on various elliptic curve groups, such as the [[Weil pairing|Weil]] and [[Tate pairing]]s, have been introduced.
Schemes based on these primitives provide efficient [[identity-based encryption]] as well as pairing-based signatures, [[signcryption]], [[key agreement]], and [[proxy re-encryption]].{{citation needed|date=April 2023}}

Elliptic curve cryptography is used successfully in numerous popular protocols, such as [[Transport Layer Security]] and [[Bitcoin]].

=== Security concerns ===
In 2013, ''[[The New York Times]]'' stated that [[Dual EC DRBG|Dual Elliptic Curve Deterministic Random Bit Generation]] (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of [[NSA]], which had included a deliberate weakness in the algorithm and the recommended elliptic curve.<ref>{{cite news |last1=Perlroth|first1=Nicole|last2=Larson|first2=Jeff|last3=Shane|first3=Scott |title=N.S.A. Able to Foil Basic Safeguards of Privacy on Web |url=https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html |archive-url=https://ghostarchive.org/archive/20220101/https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html |archive-date=2022-01-01 |url-access=limited |access-date=28 October 2018 |newspaper=New York Times |date=2013-09-05}}{{cbignore}}</ref> [[RSA Security]] in September 2013 issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG.<ref>Kim Zetter, [https://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/ RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm] ''[[Wired (magazine)|Wired]]'', 19 September 2013. "Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used."</ref><ref>{{cite web|url=http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-A+Rev+1+B+and+C|title=Search – CSRC|website=csrc.nist.gov}}</ref>

In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic curves,<ref>[[Bruce Schneier]] (5 September) "I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry." See [http://it.slashdot.org/firehose.pl?op=view&type=story&sid=13/09/11/1224252 Are the NIST Standard Elliptic Curves Back-doored?], ''[[Slashdot]]'', 11 September 2013.</ref> suggesting a return to encryption based on non-elliptic-curve groups.

{{further|#Quantum computing attack}}
Additionally, in August 2015, the NSA announced that it plans to replace Suite B with a new cipher suite due to concerns about [[quantum computing]] attacks on ECC.<ref name="nsaquantum" /><ref name=nsaQCfaq>[https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf Commercial National Security Algorithm Suite and Quantum Computing FAQ] U.S. National Security Agency, January 2016.</ref>

=== Patents ===
{{Main|ECC patents}}
While the RSA patent expired in 2000, there may be patents in force covering certain aspects of ECC technology, including at least one ECC scheme ([[ECMQV]]). However, [[RSA Security|RSA Laboratories]]<ref>{{cite web | author = RSA Laboratories | url = http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/are-elliptic-curve-cryptosystems-patented.htm | title = 6.3.4 Are elliptic curve cryptosystems patented? | archive-url = https://web.archive.org/web/20161101041810/http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/are-elliptic-curve-cryptosystems-patented.htm | archive-date = 2016-11-01}}</ref> and [[Daniel J. Bernstein]]<ref>{{cite web |first=D. J. |last=Bernstein |url=http://cr.yp.to/ecdh/patents.html |title=Irrelevant patents on elliptic-curve cryptography}}</ref> have argued that the [[Federal government of the United States|US government]] elliptic curve digital signature standard (ECDSA; NIST FIPS 186-3) and certain practical ECC-based key exchange schemes (including ECDH) can be implemented without infringing those patents.