ECC usage on X.

509 digital certificates

Erik Papa Quiroz
Departamento de Ciencias
Universidad Privada del Norte
Universidad Nacional Mayor de San Marcos
[email protected]

Alvaro Cuno, Wilber Ramos Lovón

Departamento de Ingenierı́a de Sistemas e Informática
Universidad Nacional de San Agustı́n de Arequipa
{acunopa,wramos}@unsa.edu.pe

Ever Cruzado
Estudios Generales
Universidad Nacional Mayor de San Marcos
[email protected]

Abstract
This paper presents a review of the adoption of elliptic curve cryp-
tography (ECC) algorithms in X.509 digital certificates. It was analyzed
the cases of Estonia, United Arab Emirates (UAE), Australia, Brazil, and
Egypt. Although all five countries have considered using ECC algorithms,
only two (Estonia and UAE) use them throughout their entire PKI hi-
erarchy (root, intermediates, and end-entity certificates). Our findings
complement those of Bos et al. [1], which in 2014 identified only Austria
as an adopter of ECC in end-entity X.509 digital certificates for electronic
signatures.

Keywords: ECC adoption, PKI, Electronic signatures.

1 Introduction
Prompted by the increasing need to implement secure electronic government
services, several countries around the world have legalized the use of qualified
electronic signatures [2], which have gained more considerable notoriety due
to the COVID-19 pandemic, since they allow to provide integrity and non-
repudiation to electronic documents in an online world. This process involves

1
the implementation and deployment of public key infrastructure (PKI) systems
to issue X.509 digital certificates, which generally use the RSA algorithm.
Although the use of algorithms based on elliptic curve cryptography (ECC)
has been encouraged since the 80s, their adoption has not been widespread,
particularly regarding PKI systems for electronic signatures. However, recently,
their popularity has steadily increased, particularly for use in applications such
as bitcoin (B), secure shell (SSH), and transport layer security (TLS) [1, 3].
Considering the ROCA vulnerabilities that was recently discovered in one of the
RSA algorithm implementations [4,5] and the increase in the processing capacity
of computers (which can compromise the security of the RSA algorithm), it is
crucial to know the current status of the adoption of ECC in X.509 digital
certificates.
In this context, this study seeks to answer the following question: What is the
current adoption status of ECC used on X.509 digital certificates for electronic
signatures? For this, the article was organized as follow. Section II introduces
the basic concepts used in this study. Then, Section III discusses two related
works reported in the literature. Section IV addresses the materials and method
used in this study. Finally, Sections V, VI, and VII report the results from our
study, discussion and conclusions, respectively.

2 Background
2.1 Elliptic Curve Cryptography
The use of ECC gained momentum in the 80s. Its security is based on the diffi-
culty of solving the discrete logarithm problem (elliptic curve discrete logarithm
problem), which is considered to be more complex than the integer factorization
problem used by the RSA algorithm. ECC offers substantial advantages over
RSA cryptography because it equals the RSA security levels using smaller keys.
However, a key reason that has prevented ECC from becoming more mainstream
is technical, because the technical decisions (e.g. curve, parameters of the curve,
etc.) required for ECC-based implementations are generally larger in scale than
those required for RSA algorithm.

2.2 Public Key Infrastructure

PKI system facilitates the issuance, distribution, storage, and revocation of
X.509 digital certificates. This infrastructure commonly includes standards,
processes, procedures, hardware, software, certification policies (CP), and cer-
tification practice statements (CPS) for use by the following entities:
• Scheme Operator (SO): Issues provisions to guarantee proper system
operations.
• Certification Authorities (CA): Issues, signs, and stores digital cer-
tificates.

2
 • Registration Authorities (RA): Serves as an interface between the CA
and digital certificate applicants to verify their identity.
• Validation Authorities (VA): Validates the current validity status of
digital certificates.
• End Entities (EE): They are the holders of the corresponding digital
certificates.
It is important to distinguish the difference between a PKI for electronic signa-
tures from a PKI for secure channels, whose priority is to issue SSL/TLS digital
certificates.

2.3 X.509 digital certificates

X.509 digital certificates are digital documents issued by trusted certification
authorities that link a public key to an entity (person, software, device, thing,
etc.). When these digital certificates are issued and used within the context of
a specific legal framework, they generate electronic signatures having the same
validity as handwritten signatures, thereby enabling two unknown entities to
securely exchange documents.

2.4 ECC recommendations

2.4.1 NIST
The NIST (National Institute of Standards and Technology) standardized the
use of ECC in electronic signatures in the United States in compliance with
standard FIPS 186. NIST recommends that the Federal Government of the
United States of America must use the following 15 elliptic curves of varying
security levels [6]:
• Curves over binary fields: K-163, B-163, K-233, B-233, K-283, B-283,
K-409, B-409, K-571, B-571.
• Curves over prime fields: P-192, P-224, P-256, P-384, P-521.

2.4.2 IETF RFC 5639

The standardized elliptic curves recommended by the ECC brainpool-working
group in the IETF RFC 56391 are as follows [7]:
• ID brainpoolP160r1 | ID brainpoolP160t1
• ID brainpoolP192r1 | ID brainpoolP192t1
• ID brainpoolP224r1 | ID brainpoolP224t1
• ID brainpoolP256r1 | ID brainpoolP256t1
1 RFC 5639 was published in 2010 (https://tools.ietf.org/html/rfc5639)

3
 • ID brainpoolP320r1 | ID brainpoolP320t1
• ID brainpoolP384r1 | ID brainpoolP384t1
• ID brainpoolP512r1 | ID brainpoolP512t1

2.4.3 European Union

According to the ETSI TS 119 312 [8], the following elliptic curves were adopted
by European Union member countries in 2016:
• FRP256v1 (ANSSI)
• BrainpoolP256r1, BrainpoolP384r1, BrainpoolP512r1.
• NIST P-256, NIST P-384, NIST P-521

2.4.4 Russian Federation

According to Alekseev et al. [9], the elliptic curves adopted by the Russian
Federation are as follows:
• id-tc26-gost-3410-12-512-paramSetA, short Weierstrass
• id-tc26-gost-3410-12-512-paramSetB, short Weierstrass

• id-tc26-gost-3410-12-256-paramSetA, twisted Edwards

• id-tc26-gost-3410-12-512-paramSetC, twisted Edwards

2.4.5 Safecurves
Researchers Bernstein and Lange from the SafeCurves initiative [10] assessed
the generation mechanisms for the existing elliptic curves and, in several of
them, observed defects that may render them vulnerable to certain collateral
attacks. Hence, they published a series of requirements for the classification of
elliptic curves based on their security level. These requirements are grouped
into three categories (i) parameters (field, equation, base), (ii) ECDLP security
(rho, transfer, disc, rigid), and (iii) ECC security (ladders, twist, complete, ind).
Moreover, based on these requirements, a security analysis generated the
following classification:
• Safe curves: M-221, E-222, Curve1174, Curve25519, E-382, M-383, Curve383187,
Curve41417, Ed448-Goldilocks, M-511, E-521.
• Unsafe curves: NIST P-224, BN(2,254), brainpoolP256t1, ANSSI FRP256v1,
NIST P-256, secp256k1, brainpoolP384t1, NIST P-384.

4
3 Related work
In 2014, Bos et al. [1] examined ECC deployment in some practical applications.
They assessed the use of ECC in Bitcoin (B), Secure shell (SSH), TLS, and the
Austrian e-ID card. While they concluded that ECC adoption had gained con-
siderable popularity, it was still far from being the dominant crypto scheme in
2013. Furthermore, they reported that ECC implementations exhibited vulner-
abilities (insufficient entropy, repeated public keys, repeated ephemeral nonces,
software bugs, etc.) similar to those of other cryptographic systems.
Another relevant research for this work is one by Valenta et al. [3], where it
is surveyed elliptic curve implementations for TLS. They estimated that 0.77%
HTTPS hosts, 0.04% SSH hosts, and 4.04% IKEv2 hosts supporting elliptic
curves do not perform curve validity checks as specified in elliptic curve stan-
dards. Furthermore, they determined that NIST P-256, P-384, P-521, and
Curve25519 are the most common curve preference for TLS.

4 Materials and method

The following countries were selected for evaluation: Estonia (Europe), United
Arab Emirates (Asia), Egypt (Africa), Australia (Oceania), and Brazil (Amer-
ica). These countries were selected since our initial search for information in-
dicated that these countries were using ECC in their electronic signature PKI.
Because the information on the use or non-use of ECC in X.509 digital cer-
tificates is only available in non-scientific documents, it was not possible to
automate this search with academic search tools. Thus, the search was carried
out manually in the CP/CPS of just these five national CAs.

Table 1: PKI repositories by country

Estonia Certification Authority of the Estonian ID card
https://www.skidsolutions.eu/en/repository/
UAE UAE National PKI
https://ca.darkmatter.ae/UAE/index.html
Australia Gatekeeper Public Key Infrastructure Framework
https://www.dta.gov.au/our-projects/digital-
identity/gatekeeper-public-key-infrastructure-framework
Brazil Infraestrutura de Chaves Públicas Brasileira – ICP-
Brasil
https://www.iti.gov.br/repositorio
Egypt Egyptian Root Certificate Authority (Root CA)
https://www.itida.gov.eg/English/Pages/E-Signature.aspx

A national CA was identified for each selected country. This CA was then
used to collect their CP, CPS, and, where applicable, digital certificates for
the corresponding PKI hierarchy. Table 1 presents a list of the repositories of

5
Figure 1: Representation of certification hierarchies of Estonia, UAE, Australia,
and Brazil. Rectangles characterize X.509 certificates, and the arrows their
dependency in each hierarchy. We must highlight Estonia and UAE as those
countries that have implemented ECC throughout their entire PKI hierarchy.

the selected PKI hierarchies. Next, the inclusion and exclusion criteria were
established to define whether the PKI hierarchy uses ECC algorithms. The
inclusion criteria were as follows: (i) a pair of asymmetric keys were generated
using an elliptic curve algorithm, and (ii) the digital certificate was signed using
an elliptic curve algorithm. Both criteria were applied to all certificates in the
certification chain. However, a CA would be excluded from the analysis if the
CA issued ECC-based digital certificates for TLS/SSL only.

5 Results
Following we present the results of the analysis performed. Figure 1 denotes a
comparative summary.

5.1 Estonia
In September 2018, the Estonian government created a new certification hi-
erarchy under the “EE-GovCA2018” root. According to its CPS2 , this new
hierarchy supported the use of elliptic curve algorithms. In fact, both the root
and subordinate CAs of this hierarchy use ECC keys generated using the NIST
P-512 algorithm. Under the same hierarchy, the EE certificates issued to citizens
in their e-ID Card contain ECC keys generated using the NIST P-384 curve. All
2 See item “6.1.5 Key sizes” of the Certification Practice Statement, available here:

https://www.sk.ee/en/repository/CPS/

6
certificates in this new hierarchy are signed using the sha512ECDSA algorithm.
This new certification hierarchy was created as response against the potential
attack threat from Czech scientists [4], whereby it was possible to factorize, with
relatively little effort, “fast” generated RSA public keys.

5.2 United Arab Emirates

The United Arab Emirates uses two certification hierarchies, one of which, the
“UAE Global Root CA G3”, is ECC-based. According to its Certification Pol-
icy3 , this hierarchy supports elliptic curves with at least 256 bits of security.
All certificates in this hierarchy (root, intermediate, and EE) use 384-bit public
keys under the NIST P-384 curve and are signed using the sha384ECDSA al-
gorithm. These digital certificates are delivered to citizens in their national ID
cards, which are also smart cards (containing two X.509 digital certificates).

5.3 Australia
Since 1999, the Commonwealth Government has developed and maintained the
Gatekeeper Public Key Infrastructure (PKI) Framework. The Gatekeeper PKI
Framework [11] includes a suite of policies, standards and procedures that govern
the use of digital certificates in Government for the authentication of agencies
and their customers.
The Gatekeeper Competent Authority has granted accreditation to six CAs
(DigiCert, Department of Defense, Medicare, Verizon Australian Taxation Office
and Property Exchange Australia Limited), however, despite having enabled
the use of elliptic curves algorithms P-256, P-384 and P-521 (see number 11.5.5
in [11]), none of CAs still use them.

5.4 Brazil
Brazil created its PKI (called ICP-Brazil) in 2001. The ICP-Brazil comprises a
single root CA (both for the private and public sectors) and is overseen by the
National Institute of Information Technology (ITI)4 . This agency also grants
credentials to other intermediate CAs, which issue digital certificates to users
and clients as long as they are approved by RAs.
Through its only root CA5 , the ICP-Brazil manages a total of twelve certi-
fication hierarchies6 , with four, v3, v4, v6, and v7, being ECC-based. However,
v3 and v4 hierarchies, which used NIST Suite B and Brainpool-512 curves,
respectively, were revoked in 2014 without issuing a single certificate. The
root certificates issued by the v6 and v7 hierarchies in December 2018 used the
Ed448-Goldilocks (448 bits) and E-521 (521 bits) curves, respectively. Although
3 See item “6.1.5 Key sizes” of the CP, available here:
https://ca.darkmatter.ae/CPS/UAE CP V1.1.pdf
4 https://www.iti.gov.br/
5 http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
6 https://www.iti.gov.br/repositorio/84-repositorio/143-repositorio-ac-raiz

7
these certificates had already been published in the ICP-Brazil repository7 , as
of January 2020, none of the first-level CAs had requested an intermediate-level
certificate under these hierarchies. Therefore, no EE certificate had been issued
either. However, according to Regulatory Instruction No. 14 dated 09/11/2018,
the ITI has delimited the scope of ICP-Brazil in terms of using elliptic curves
as follows:
• Certification Entities can use: ECC-Brainpool of 512 bits (RFC 5639),
Ed448-Goldilocks of 448 bits (RFC 8032), o E-521 of 521 bits.
• End Entities can use: ECC-Brainpool of 256 bits (RFC 5639), Curve25519
of 256 bits (RFC 8032), Ed448-Goldilocks of 448 bits (RFC 8032), o E-521
of 521 bits.

5.5 Egypt
The E-Signature Egyptian Law, issued in 2004, established the Information
Technology Industry Development Agency (ITIDA), support Egypt’s e-commerce
industry by securing the Internet as a legally viable medium for online activi-
ties. For that, ITIDA operates the Egyptian Root CA and licenses e-signature
services providers. However, although its CPS clearly specifies that its root CA
only issues 2048-bit RSA keys, it also indicates that when the PSCs submit
a signed certificate request in PKCS#10 format, any request signed using the
ECDSA algorithm will be supported.

6 Discussion
Estonia and the UAE have implemented elliptic curves throughout their entire
PKI hierarchy and are currently issuing ID cards to their citizens containing
X.509 end-user certificates under these hierarchies. Within their regulatory
framework, Australia and Brazil have considered ECC; however, none have is-
sued this type of digital certificate to end-users. The Egyptian Root CA has
only defined in its CPS that any request signed using the ECDSA algorithm
will be supported.
Estonia, the UAE, and Australia have adopted NIST curves (P-256, P-
384, and P-521), and Brazil instead favored Ed-521, Ed-448, Brainpool-512,
Brainpool-256, and Curve25519 curves. Nevertheless, we must emphasize that
the P-256, P-384, and Brainpool-256 curves have been classified as unsafe be-
cause Bernstein and Lange identified theoretical risks [10]. Although the curves
Ed-521, Ed-448, and Curve25519 chosen by Brazil satisfy the security require-
ments, their availability is not necessarily guaranteed in cryptographic devices
currently available on the market.
Threats to validity. One limitation of this work is its external validity. Al-
though our assessment included one country per continent, this does not neces-
sarily constitute a representative sample of all countries across the globe. Before
7 https://www.iti.gov.br/repositorio

8
we can generalize our results, it will be necessary to include more countries from
around the world in our sample.

7 Conclusion
As determined by Bos et al. [1] and Valenta et al. [3], ECC is widely used in
applications, such as Bitcoin, SSH, and TLS. However, it does not happen the
same with the X.509 digital certificates used in electronic signature applications,
wherein the RSA algorithm still prevails. Of the five countries analyzed, only
Estonia and the United Arab Emirates implemented ECC throughout their
entire PKI hierarchy (root, intermediate, and end-entity certificates). Brazil has
only implemented ECC in the root certificate, and Australia and Egypt have
not yet; they have only approved ECC at the documentary level. These findings
complement the work of Bos et al. [1] published in 2014, who determined only
Austria as a user of ECC for the issuing end-entity X.509 digital certificates.

References
[1] J. W. Bos, J. A. Halderman, N. Heninger, J. Moore, M. Naehrig, and
E. Wustrow, “Elliptic curve cryptography in practice,” in International
Conference on Financial Cryptography and Data Security, pp. 157–175,
Springer, 2014.
[2] A. systems Inc., “Global guide to electronic signature
law: Country by country of law and enforceability.”
https://acrobat.adobe.com/content/dam/doc-cloud/en/pdfs/document-
cloud-global-guide-electronic-signature-law-ue.pdf, accessed march 2017.

[3] L. Valenta, N. Sullivan, A. Sanso, and N. Heninger, “In search of curveswap:

Measuring elliptic curve implementations in the wild,” in 2018 IEEE Euro-
pean Symposium on Security and Privacy (EuroS&P), pp. 384–398, IEEE,
2018.
[4] M. Nemec, M. Sys, P. Svenda, D. Klinec, and V. Matyas, “The return of
coppersmith’s attack: Practical factorization of widely used rsa moduli,”
in Proceedings of the 2017 ACM SIGSAC Conference on Computer and
Communications Security, pp. 1631–1648, 2017.
[5] B. Produit, “Optimization of the ROCA (CVE-2017-15361) Attack,” Mas-
ter’s thesis, UNIVERSITY OF TARTU, Institute of Computer Science,
Estonia, 2019.
[6] P. FIPS, “186-4: Federal information processing standards publication.
digital signature standard (dss),” Information Technology Laboratory, Na-
tional Institute of Standards and Technology (NIST), Gaithersburg, MD,
pp. 20899–8900, 2013.

9
 [7] M. Lochter and J. Merkle, “RFC 5639-Elliptic Curve Cryptography (ECC)
Brainpool Standard-Curves and Curve Generation,” Federal Office for In-
formation Security of the German Federal Republic, secunet Security Net-
works, IETF, 2010.
[8] T. ETSI, “119 312 v1. 2.1 (2017-05) electronic signature and infrastructures
(esi),” Cryptographic Suites, 2017.
[9] E. K. Alekseev, V. Nikolaev, and S. V. Smyshlyaev, “On the security
properties of russian standardized elliptic curves,” Mathematical Aspects
of Cryptography, vol. 9, no. 3, pp. 5–32, 2018.

[10] D. J. Bernstein and T. Lange, “Safecurves: choosing safe curves for elliptic-
curve cryptography.” https://safecurves.cr.yp.to, accessed march 2020.
[11] G. C. Authority, “Gatekeeper Public Key Infrastructure Framework,” tech.
rep., Digital Transformation Office, 2015.

10