What is Elliptic Curve Cryptography (ECC)?

An efficient encryption technique often used for the exchange of private keys and digital signatures.

Overview

What it is: Elliptic Curve Cryptography (ECC) is a variety of asymmetric cryptography (see below). Asymmetric cryptography has various applications, but it is most often used in digital communication to establish secure channels by way of secure passkeys. Although ECC is less prevalent than the most common asymmetric method, RSA, it’s arguably more effective.

What it does: In asymmetric cryptography, two parties begin with different private keys, but, through complex mathematical operations, mix those private keys with a publicly shared key to arrive at a final shared value. This value can then be used as the passkey for mutually secure information transfer. In ECC, the publicly shared value is a point on a curve, and the private value is the mathematical variable that was used to select that point. This mechanism is chosen because it is extremely difficult (to the point of requiring prohibitive levels of computing power) to derive the private value from the publicly shared information.

Why it matters: Asymmetric cryptography techniques are the backbone of commonplace cryptography that keeps information secure. For example, every time a phone connects to a server, asymmetric cryptography is used to enable further security measures. ECC is, in some ways, more effective than the most commonly used protocol, RSA; it can achieve greater security with smaller private keys. RSA is the standard largely because it hit the market first, and because it is easier to implement. Nonetheless, ECC is still used frequently.

What to do about it: ECC is an established technology; there’s probably nothing to do about it, specifically, unless you’re a security researcher. If you’re a large enterprise designing a custom implementation of ECC, note that ECC is more difficult to implement correctly than RSA, the usual standard; be vigilant.

Advantages

  • Extremely secure if properly implemented
  • Requires smaller private keys than similar methods

Drawbacks

  • Implementation can be error-prone
  • In the future, theoretically vulnerable to quantum threats

Vulnerabilities

In January of 2020, it was revealed that Windows 10 contained a security bug stemming from poor implementation of ECC; essentially, it allowed attackers to fake the security certificates that ECC can produce. Meanwhile, it’s been speculated that ECC will become vulnerable to attacks from quantum computers. While this is currently a theoretical possibility, quantum-resistant varieties of ECC are being developed.