
Elliptic Curve Cryptography: A Gentle Introduction – Part II - noobie
http://andrea.corbellini.name/2015/05/23/elliptic-curve-cryptography-finite-fields-and-discrete-logarithms
======
noobie
Part I: [https://andrea.corbellini.name/2015/05/17/elliptic-curve-
cry...](https://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-
a-gentle-introduction/)

Part I HN discussion:
[https://news.ycombinator.com/item?id=9560839](https://news.ycombinator.com/item?id=9560839)

------
dnautics
Hm. Very good intro to the topic.

One nitpick: Part I says "Thanks to the fact that we are in an abelian group,
we can write P + Q + R = 0 as P + Q = –R" I'm pretty sure abelianness is not
necessary. P + Q + R = 0 => P + Q + R + -R = 0 + -R => P + Q + 0 = -R => P + Q
= -R

~~~
peter2783
Yes, abelian is not necessary. "P + Q = - R" is not necessary commutative, it
is associative.

------
caf
_For our ECC algorithms, we want subgroups with a high order. So in general we
will choose an elliptic curve, calculate its order (N), choose a high divisor
as the subgroup order (n) and eventually find a suitable base point._

Why don't we just look for a curve and field which has prime order - then we
know that any point on the curve (except 0) is a generator of a subgroup with
the same large prime order as the curve itself?

~~~
mti
> Why don't we just look for a curve and field which has prime order

We very often do. These days, though, cofactors of 2, 3, 4 or perhaps 8 are
getting more common because people like to use curves with more
efficient/easier to implement arithmetic (such as Montgomery curves or Edwards
curves), and those curves always have nontrivial points of small order.

This doesn't really explain why older cryptographic standards mandating
Weierstrass curves allow cofactors greater than 1, admittedly. The reason is
probably that generating good elliptic curve parameters back then was very
time-consuming, and so it may have made sense to allow people to stop when
they hit a curve with almost-but-not-quite prime order.

Unrelatedly, a couple of errors in the OP:

* "in fact, these equations work in every field, finite or infinite (with the exception of \mathbb{F}_2 and \mathbb{F}_3, which are special cased)": all fields of characteristic 2 or 3 are special cases. There are many more than just those two, including infinite fields.

* "RSA’s discrete logarithm problem can be stated as follows: if we know a and b, what’s k such that b = a^k mod p?": RSA and discrete logs don't have much to do with each other. Perhaps you meant DSA? (not sure I would call the finite field DLP "DSA's DLP", though).

------
simonebrunozzi
Andrea, great work - as always. I really enjoyed your Part I too. I think it
would be useful to create a video series describing it, as a different way to
consume it - perhaps with a gentler learning curve.

------
ecesena
Congrats Andrea, keep on the great work!

If you'd like material for the case of fields of char 2 (aka binary fields) I
have plenty of that and I'm happy to share.

------
istvan__
Very informative, I really like the visuals, help a lot.

------
kjson
This is really awesome! Could part 4 be on the Schoof–Elkies–Atkin algorithm
or perhaps Hyperelliptic curves? That'd be super cool

------
ckozlowski
Thanks for this!

