
Very Basic Intro to Elliptic Curve Cryptography - igoose1
https://qvault.io/2020/07/21/very-basic-intro-to-elliptic-curve-cryptography/
======
plopilop
Big mistake in the article: the discrete log is not a trapdoor function, as
far as we know, and elliptic curve crypto does not rely on trapdoors.

A trapdoor function is when you have a function hard to invert (for any x,
given y = f(x), find x), whose inversion becomes very easy once you know some
additional info. For instance in RSA, given c = m^e mod N, it is hard to find
m. Unless you know d such that e*d = 1 mod phi(N), then you can easily find m
by computing m = c^d mod N.

There is no known way of easily inverting exponentiation on finite groups.

To quote Wikipedia, "Functions related to the hardness of the discrete
logarithm problem [...] are not known to be trapdoor functions, because there
is no known "trapdoor" information about the group that enables the efficient
computation of discrete logarithms."

~~~
lanecwagner
Author here, thanks for bringing this up. I'll be looking into this and
updating the article

~~~
curyous
Doesn't elliptic curve crypto rely on trap doors because it uses finite
fields? The wrap around caused by the finite field is a trap door, isn't it?

------
quaker20
[https://fangpenlin.com/posts/2019/10/07/elliptic-curve-crypt...](https://fangpenlin.com/posts/2019/10/07/elliptic-curve-cryptography-explained/)

~~~
agazso
I found this to be a much better article than the original post. It also
explains how the elliptic curve Diffie-Hellman works.

Thanks!

------
thatsmee
> This is a great trapdoor function because if you know where the starting
> point (A) is and how many hops are required to get to the ending point (E),
> it is very easy to find the ending point. On the other hand, if all you know
> is where the starting point and ending point are, it is nearly impossible to
> find how many hops it took to get there.

> Public Key: Starting Point A, Ending Point E

> Private Key: Number of hops from A to E

So basically the number of hops is the secret. Couldn't I simply "brute force"
the hop count? Does this mean that a higher hop count is equal to a better
private key?

~~~
mratsim
You can't, this is called ECDLP (Elliptic Curve Discrete Logarithm Problem)
and is the cornerstone of elliptic curve cryptography security.

Currently the ECDLP problem can only be solved by Pollard Rho which requires
exponential time though recent advances by Barbulescu et al. on the Tower
Number Field Sieve significantly reduced the security of ECC in 2017 (by 10~30
bits, i.e. what was thought 128-bit secure i.e. 256-bit curve keys are now
somewhere between 100~115-bit secure).

Note that the DLP problem (Discrete Logarithm Problem) which is the
cornerstone of RSA security has significantly more efficient algorithms than Pollard
Rho as it can use techniques taken from integer factorization.

[https://en.wikipedia.org/wiki/Discrete_logarithm](https://en.wikipedia.org/wiki/Discrete_logarithm)

It is known however that asymmetric ECC can be broken by quantum computers in
polynomial (?) or polylogarithmic (?) time and so new
techniques, for example isogeny-based ECC, are being actively researched.
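
Added example (not part of the thread or the linked article): the "hops" asymmetry from the question above, on a constructed toy curve y^2 = x^3 + 3 over F_6053 with starting point G = (1, 2). The curve, the point and the function names are assumptions chosen for illustration; going forward costs a number of steps proportional to the bit length of the hop count, while hopping one point at a time costs about as many steps as the hop count itself.

```python
# Constructed toy curve (not from the thread): y^2 = x^3 + 3 over F_p, p = 6053.
# Because p % 3 == 2 the curve has exactly p + 1 = 6 * 1009 points, and
# G = (1, 2) has order >= 1009. Real curves use primes of about 256 bits.
P_MOD, A = 6053, 0
G = (1, 2)

def add(P, Q):
    """Group law on the curve; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P), or doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)      # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)   # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def scalar_mult(k, P):
    """Double-and-add: returns (k*P, group operations used)."""
    result, addend, ops = None, P, 0
    while k:
        if k & 1:
            result, ops = add(result, addend), ops + 1
        addend, ops = add(addend, addend), ops + 1
        k >>= 1
    return result, ops

def brute_force_hops(P, target):
    """Recover k from k*P by hopping one point at a time: returns (k, ops)."""
    current, ops = P, 0
    for k in range(1, P_MOD + 2):        # this group has only p + 1 elements
        if current == target:
            return k, ops
        current, ops = add(current, P), ops + 1
    return None, ops                     # target is not a multiple of P

if __name__ == "__main__":
    E, fwd = scalar_mult(1000, G)
    k, rev = brute_force_hops(G, E)
    print(f"forward: {fwd} ops; brute force found k={k} after {rev} ops")
    _, big = scalar_mult(2**255 + 12345, G)
    print(f"forward with a 256-bit hop count: {big} ops")
```

On this toy group the search finishes instantly because there are only 6054 points; with a 256-bit hop count on a real-size curve the forward direction still takes a few hundred operations, while one-at-a-time hopping would need on the order of 2^255.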

~~~
nmadden
The Tower Number Field Sieve is only applicable to pairing-based ECC though,
right? It doesn't impact the security of the curves used in most mainstream
crypto (Curve25519, NIST P-256 etc).

~~~
mratsim
Indeed, though if the authors are saying

> The number field sieve algorithm is still far from being fully understood,
> in particular for extension fields that are so important for pairing-based
> cryptography.

I won't say I understand it either. But it indeed seems to only be applicable
in towers of extension fields which are only used for pairing-based
cryptography.

