Cryptography Reference
involving the KDF (called the hash Diffie-Hellman problem) is hard and that the
private-key encryption scheme and the MAC are also secure. There is another security
reduction that relies on a more standard variant of the Diffie-Hellman problem,
namely, the gap Diffie-Hellman problem which essentially is the problem of solving
the CDH problem given access to an oracle that solves the DDH problem. This proof,
however, requires another additional assumption, namely, that the KDF function is
a random oracle, and hence is a proof in the random oracle model. Yet another
security reduction for ECIES, due to Smart, trades off the assumptions on the KDF
function for the assumption that the elliptic group is modeled as a generic group:
it is, therefore, a proof in the 'generic group model'. A detailed discussion of these
proofs, written by A.W. Dent, can be found in Chap. III of [26].
11.5 Final Remarks on Elliptic Curve Cryptography
In this chapter we have given a brief account of the basics of ECC but there are many
other aspects that fall outside the scope of this topic. We have limited our specific
treatment to elliptic curves over prime fields of characteristic $> 3$ but ECC may also
be developed over other fields and, in particular, over binary fields of the form
$\mathbb{F}_{2^m}$,
where $m$ is a large positive integer. Not only is ECC being continuously developed
but also new cryptographically interesting discoveries on the mathematical theory
of elliptic curves are being made. A relevant example is the introduction by H.M.
Edwards, in 2007, of Edwards curves or Edwards coordinates. Edwards introduced a
new normal form for elliptic curves which is different from the Weierstrass equation
and has interesting cryptographic applications because it allows faster point addition
and scalar multiplication. A short introduction to Edwards coordinates is given in
[97, 2.6.3] and an account of some recent work on this subject by Bernstein and
Lange is given in the web page [24].
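
The Edwards normal form mentioned above, as an added example that is not taken from the book: it uses the form x^2 + y^2 = 1 + d*x^2*y^2 from Bernstein and Lange's work and shows that one addition formula covers doubling, the identity and inverses with no special cases. The field size P = 101 and constant D = 2 are toy parameters constructed for illustration, and all function names are this example's own.

```python
# Added illustration: Edwards-form point addition on a toy curve.
P = 101  # small prime field, constructed for illustration; not a secure size
D = 2    # curve constant (constructed); must be a non-square mod P

def is_square(a, p=P):
    """Euler's criterion: a is a nonzero square mod p iff a^((p-1)/2) == 1."""
    return pow(a % p, (p - 1) // 2, p) == 1

def on_curve(pt):
    """True if pt satisfies x^2 + y^2 = 1 + D*x^2*y^2 over F_P."""
    x, y = pt
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

IDENTITY = (0, 1)  # neutral element in Edwards form (an ordinary affine point)

def add(p1, p2):
    """Edwards addition law; the same formula also doubles and adds IDENTITY."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    # With D a non-square, 1 + t and 1 - t are never zero for curve points,
    # so there is no exceptional case to branch on.
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 - x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def neg(pt):
    """Inverse of (x, y) is (-x, y)."""
    return (-pt[0] % P, pt[1])

def scalar_mul(k, pt):
    """Double-and-add built only from the unified add()."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def all_points():
    """Brute-force enumeration of the group; feasible only for a toy field."""
    return [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]

if __name__ == "__main__":
    pts = all_points()
    print("group order:", len(pts))
    print("2 * (1, 0) =", scalar_mul(2, (1, 0)))
```

Compare this with the Weierstrass form, where doubling, adding a point to its inverse and the point at infinity each need separate handling.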
We have seen that one of the main advantages of elliptic curve cryptography
is that it requires smaller key sizes, which can be exploited either to obtain better
performance for a given security level or to obtain better security for a given key
size. There is also another important, more qualitative reason that we have only
mentioned in passing and gives ECC a special status because it allows things that
are very difficult to achieve in other cryptographic settings: the existence of bilinear
pairings on certain families of elliptic curves that allow the full development of
identity-based encryption.
Although some IBE schemes exist that do not rely on elliptic curves—such as
the Cocks IBE scheme described in Chap. 10—it is really in the context of pairing-
based cryptography—which, for now, is an exclusive feature of ECC—where these
schemes fully realize their enormous potential. Pairing-based IBE schemes, such as
the Boneh-Franklin IBE of Chap. 10, rely on the Weil and Tate pairings (and their
variants) on elliptic curves and on the fact that, for elliptic curves of low embedding
degree, these pairings can be efficiently computed. We refer to [26, 53, 81] for
in-depth treatments of pairing-based cryptography, as well as to [107], which is a
reference topic for identity-based cryptography.