Tagged: standard Toggle Comment Threads | Keyboard Shortcuts
Several important things about ECC and some standards on GF(p) or GF(2^m) from this document :
What is excluded from an NSA sublicense?
The ﬁeld is restricted to GF(p) where p is a prime number greater than 2^255.
If you wish to use smaller ﬁeld size or the binary ﬁeld GF(2^m) in your products, then these products would be excluded from the sublicense.
Why the GF(p) ﬁeld size?
GF(p) was chosen because it has been well studied over the last 20 years. For national security applications, the NSA would like to see key sizes of at least 256 bits which is why they specify that p is a prime number greater than 2^255.
Why did the NSA not license the binary ﬁeld GF(2^m)?
The binary ﬁeld has been well studied over the last 20 years as well and is perfectly secure; however we believe the NSA wanted to limit the implementation choices. The NSA’s stated goal is to foster interoperability amongst secure communications equipment used across various government organizations. By limiting the implementation choices, this interoperability is easier to achieve.
What is Suite B?
The NSA announced Suite B at the RSA Conference February 2005. Suite B has two different levels of security, one for classiﬁed information and one for sensitive but unclassiﬁed information. The algorithms are as follows:
Why has the NSA deﬁned a Suite B?
We believe Suite B was deﬁned to take advantage of the cryptographic strength of ECC, and to narrow the choices in crypto algorithms. One of the goals is to facilitate sharing of information securely between government organizations which can only be accomplished by setting clear cryptographic standards for systems.
We believe another of the goals is to address the issue of homogeneous cryptographic strengths for symmetric and asymmetric algorithms. For example AES at 128 bits should be paired with ECC at 256 bits and SHA at 256 bits in order to have the whole system at one cryptographic level. Today there are no such rules, and as a result, there are widespread poor cryptographic practices such as using RSA 1024 to exchange keys for AES 128.
Why does the NSA like ECC?
ECC is the only proven pubic key technology that scales in a practical way over time. As computing power increases, it becomes easier to break all cryptosystems so cryptographic keys must increase in size to maintain their strength. The NIST chart below demonstrates this clearly. As you can see, in order to match the AES key strength at 256 bits, you would need to use RSA keys of size 15360 bits. Keys at this size are unusable. With ECC you can use a key size of 512 bits to offer equivalent security.
Why has the US Government endorsed ECC for both classiﬁed and sensitive but unclassiﬁed?
We believe the NSA is trying to promote the notion of sharing information securely between Government departments at all levels of communication for Homeland Security. This was a key point in the presentation by Mr. Daniel G. Wolf, the National Security Agency’s Director of Information Assurance, at the 14th Annual RSA Conference in 2005. Setting clearly deﬁned cryptographic standards & protocols are crucial for interoperability and making the sharing of information securely a reality.
Is the US alone in selecting ECC?
No. The NESSIE project (New European Schemes for Signatures, Integrity and Encryption) (2000-2003) did extensive evaluation on crypto algorithms. For more information, visit: https://www.cosic.esat.kuleuven.ac.be/nessie/ They recommend ECDSA as a signature scheme and published a chart of key size recommendations that proposes even larger keys than the one above for RSA algorithms.
In addition, in 2001, the Government of Japan formed the CRYPTREC Evaluation Committee which is composed of eminent Japanese cryptographers. They have aggressively evaluated various cryptographic techniques to recommend the optimum cryptographic techniques necessary for the security of future e-Government systems. They recommend a number of ECC-based protocols including ECDSA and ECDH. http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html
Is ECC found in standards?
Yes. ECC is found in many standards. Here is a brief list.