
Elliptic Curve Cryptography: a gentle introduction - onestone
http://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/
======
jgrahamc
For a slightly less mathematical introduction:
[https://blog.cloudflare.com/a-relatively-easy-to-understand-...](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

~~~
ColinWright
By my understanding, there's an inaccuracy in that article. It describes a
one-way function, but calls it a trapdoor function. I thought that a one-way
function is only a trapdoor function if there exists the possibility of
reversing it with an extra piece of information. The Wikipedia link[0] given
seems to confirm that understanding:

    
    
        A trapdoor function is a function that is easy
        to compute in one direction, yet difficult to
        compute in the opposite direction (finding its
        inverse) without special information, called the
        "trapdoor".
    

I know the article is trying to be informal, but that seems a simple thing to
get right, and quite important. If I'm wrong I'd welcome being corrected.

[0]
[http://en.wikipedia.org/wiki/Trapdoor_function](http://en.wikipedia.org/wiki/Trapdoor_function)

~~~
Retr0spectrum
Wouldn't the "special information" be the private key in this case?

~~~
agwa
No, because in elliptic curve Diffie-Hellman, the private key isn't used to
invert anything, as opposed to RSA (a true example of a trapdoor), where it
is.

~~~
ecesena
Well... it's used to invert the scalar multiplication and compute the discrete
logarithm - with a notation similar to other comments:

    
    
      Easy: given int n, point P -> compute Q = nP
    
      Hard: given points P, Q (known to be nP for some n) -> compute n
    

This said, similarly as RSA vs factorization, DHP vs DLP (and other problems)
are only assumed to be equivalent, meaning that one could find an easy way to
break DH without computing the DLP.

~~~
pbsd
While the equivalence between RSA and integer factorization is still an open
question, the Rabin (exponent 2) trapdoor permutation is tightly equivalent to
factoring.

Furthermore, for most groups the DHP is polynomially equivalent to the DLP.
The requirement for this to be true is that there _exists_ an elliptic curve
with smooth order modulo the Diffie-Hellman group's order. Such smooth-order
curves are hard to actually _find_ for large groups, exponentially so (this is
a fine example of the chasm between uniform and nonuniform reductions); but
for elliptic curve groups used in practice, it is possible to find them. In
other words, an easy way to break the DHP in smallish elliptic curve groups
would lead to ECDLP solving with only polynomial overhead.
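
An added example, not part of any comment in this thread: the easy and hard directions from the exchange above on a toy curve, with ECDH beside a textbook RSA round trip to show where a private value does and does not invert the function. The curve y^2 = x^3 + 2x + 3 over F_10007, the base point (3, 6), the function names, and the RSA numbers (n = 3233, e = 17, d = 2753) are assumptions constructed for illustration and far too small for real use.

```python
# Constructed toy parameters (assumptions, far too small for real use).
P_MOD, A, B = 10007, 2, 3   # curve y^2 = x^3 + 2x + 3 over F_10007
G = (3, 6)                  # on the curve: 6^2 = 3^3 + 2*3 + 3 = 36
INF = None                  # point at infinity, the group identity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF          # P + (-P) = identity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(n, pt):
    """Easy direction: Q = nP by double-and-add."""
    acc = INF
    while n:
        if n & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        n >>= 1
    return acc

def brute_force_dlog(q, base):
    """Hard direction: recover n from Q = nP by trying every multiple."""
    acc, n = base, 1
    while acc != q:         # loops forever if q is not a multiple of base
        acc, n = add(acc, base), n + 1
    return n

def ecdh_shared(my_private, their_public):
    return scalar_mult(my_private, their_public)  # multiply only, no inversion

def rsa_roundtrip(m, n=3233, e=17, d=2753):
    """Contrast: the RSA private exponent d inverts m -> m^e mod n."""
    return pow(pow(m, e, n), d, n)
```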

------
aw3c2
Also check out
[https://events.ccc.de/congress/2014/Fahrplan/events/6369.htm...](https://events.ccc.de/congress/2014/Fahrplan/events/6369.html)

Video of the talk:
[http://media.ccc.de/browse/congress/2014/31c3_-_6369_-_en_-_...](http://media.ccc.de/browse/congress/2014/31c3_-_6369_-_en_-_saal_1_-_201412272145_-_ecchacks_-_djb_-_tanja_lange.html#video)

~~~
ufo
Really liked this version. All the time I was wondering when they would
transition from the "toy" clock curve that is easy to understand to the
complicated y^3 curves that are mentioned in the OP but it turns out that the
easy to understand curve was just as good all along and much easier to
implement correctly.

------
valgaze
If you want to experiment with the graph try adjusting the a/b parameters
here:
[https://www.desmos.com/calculator/3ugvl6yz4i](https://www.desmos.com/calculator/3ugvl6yz4i)

------
willchang
There is no design trend more inimical to the function of the web than gray on
white text. If only it stopped at gray values of #444444, which is bad enough
on old displays or in bright ambient light. The text on this site is #7f8d8c —
more white than black — and the strokes on the letters in the equations are
quite fine. Yes, it looks nice and clean to have so little black on the page,
but the tradeoff is that I have to squint to read it.

~~~
freework
I can't help but to point out the irony of a post complaining about grey text,
being... in grey text (referring to the downvotes)

------
S4M
It's not gonna be the most constructive comment, but I would like to thank the
author for writing this article and the poster for submitting it. I worked a
bit during my undergraduate studies on the Elliptic Curve method to factor
products of large prime numbers, and found it interesting, and sometimes wish
I could learn more about that.

------
ndesaulniers
> Those of you who know what public-key cryptography

For those of you that don't, might I suggest my:
[https://nickdesaulniers.github.io/blog/2015/02/22/public-key...](https://nickdesaulniers.github.io/blog/2015/02/22/public-key-crypto-code-example/)

~~~
chris_wot
You are awesome. Thank you!

------
tagawa
For those who prefer audio/video, this was also covered in Security Now
episode 374: [http://twit.tv/show/security-now/374](http://twit.tv/show/security-now/374)

------
chris_wot
Can someone help me out here: I'm a bit rusty on my set builder notation... Is
the following correct?

The set of natural numbers isn't a group because a group is a set partially
defined by { ∀a∃b | a + b = 0 } - or in other words for every element a in the
group there exists an element b in the group such that a + b = 0; or to put it
yet another way, every element a has an element b that is its arithmetic
inverse. As the set of natural numbers are only positive, you can't satisfy
this condition.

~~~
haversoe
A group is a set equipped with a binary operator that obeys a few rules. One
of the rules is the existence of inverses. If the operator is addition, then
your description is correct. That is, every element x of the underlying set
has an additive inverse x^-1 also in the set such that x + x^-1 = 0.
Obviously, zero needs to be in the set as well and in some constructions of
the natural numbers it is not.

~~~
chris_wot
Thank you!

------
ufo
Needs javascript to read... sigh.

~~~
PhantomGremlin
No it doesn't. At least not with Firefox. Just use

    
    
       View --> Page Style --> No Style
    

But as for the other complaint elsewhere in the comments, about light gray
text, unfortunately Firefox can't help with that. Normally such misguided text
is countered with

    
    
       Preferences --> Content --> Colors --> override ...
    

but in this case the gray is unfortunately in _images_ and not text.

And it gets even worse for the light gray text. OS X Accessibility has a
setting to "Enhance Contrast". But in this case the gray is closer to white
than to black, so all that "enhancing" does is make the text even lighter!

Sigh.

------
tsmarsh
When I was in college there was a distinct worry about elliptic curves vs rsa.
My professors were intuitively worried that discrete logs over elliptic curves
may well have a simple solution, unlike factorization which has millennia of
research proving that it is hard. They were worried enough that I just assumed
that GCHQ had already cracked it. Is that still a worry?

~~~
pbsd
Such worries have mostly faded by now, though you will see some conservative
people still preferring RSA. Keep in mind that the _computational_ study of
integer factorization only started seriously in the 70s with CFRAC, making the
"millennia" argument somewhat moot.

There is a fascinating article by (among others) Neal Koblitz, one of the
inventors of elliptic curve cryptography, which describes the history and
development of ECC through the 80s, 90s, and 00s, and some of the worries that
developed:
[https://eprint.iacr.org/2008/390](https://eprint.iacr.org/2008/390).

------
master-lincoln
I don't like how 0 is used as three different symbols in the beginning: the
number, the point of infinity and the identity element. I know 0 is a common
symbol for each of the three cases respectively but in the same context it
feels rather confusing. Is that a common thing to do?

~~~
jordigh
Yes, it's a very common thing to use the same symbol to mean different things
in mathematics.

