
Elliptic Curves - CarolineW
https://math.mit.edu/classes/18.783/2015/lectures.html
======
ice109
the profusion of posted slides on the internet is a detriment to researchers
everywhere. so many times i've googled something technical (CS, math,
engineering) and what percolates to the top are lecture slides, which are
almost useless for actual in depth learning.

edit: spoke too soon - only the first link is slides.

~~~
stablemap
I believe mathematicians will continue to favor boards. Sitting in the
audience I greatly prefer this; however, such lectures have less chance of
being posted at all.

For this topic we are lucky to have Silverman's book [1], which everyone seems
to like.

[1]
[https://www.math.brown.edu/~jhs/AECHome.html](https://www.math.brown.edu/~jhs/AECHome.html)

~~~
ice109
can you explain to me why an elliptic curve over C is a quotient manifold
(like the torus on page 7 of the first set of slides)?

~~~
stablemap
I would expect him to spell this out in lectures 15 and 16. It does take work.
What is surprising is that despite their all looking the same -- certainly
they are the same as real manifolds -- there are tons of elliptic curves. The
difference is in the complex analytic structure.

~~~
williamstein
They (the space of complex points on any elliptic curve over C) are the same
(homeomorphic) as topological spaces. However, they are not the same as
complex analytic manifolds, which is a stronger condition (requiring an
analytic isomorphism, not just a topological one).

~~~
stablemap
I should have said real manifolds; I thought that was what the parent comment
had in mind but the brevity wasn't worth it.

Of course, I've learned a lot about these things from your writings.

------
lukejduncan
I've seen a few links to resources on elliptic curves on HN, but I don't
understand their importance or why they're trending with folks here.

Can someone give me some context?

~~~
ColinWright
Ignoring many important details ...

Many algorithms for crypto and similar can be phrased elegantly and abstractly
not in terms of the actual numbers, but in terms of what are called
"Groups"[0].

A group is a set of things, and a binary operation that satisfies certain
rules.

At first glance a group appears to be pointless abstract nonsense, but most of
the properties of numbers that we use in, say, RSA, or Diffie-Hellman-Merkle-
Williamson, or in factoring via Pollard P-1, use the fact that the numbers we
are using are an example of a group.

The groups being used are usually:

* For DHMW, the integers modulo a large prime, or

* For RSA, the integers that are co-prime to the product of two large primes.

In each case the operation is multiplication modulo something.

So then we can ask if the same algorithms work if we use a different group
instead, and whether the result will have better or worse characteristics. The
answers to that are (1) yes, the algorithms work in other groups, and (2) it
depends on the particular group or groups used.

So given an elliptic curve, it turns out that the points can form a group if
we define a particular operation[1]. Then it turns out that the rational
points form a group. Then we can convert that to work modulo a prime, and we
end up with a finite group.

And that's exactly what we need to use some of our algorithms.

The question of whether this group is better depends, and is too long to fit
in a single HN comment, but the main point is that there are many possible
elliptic curves to choose from, and many possible primes to use, and so we
have more choice. That alone makes it worth considering.

But the answer turns out to be yes, some of the algorithms have better
characteristics on these new groups. For example, using elliptic curves we can
use smaller keys for RSA or DHMW, and the elliptic curve version of Pollard
P-1 is now the third fastest known factoring algorithm, and probably fastest
over a certain range of sizes.

I would be happy to answer any questions, either here or by email.

[0]
[https://en.wikipedia.org/wiki/Group_(mathematics)](https://en.wikipedia.org/wiki/Group_\(mathematics\))

[1] And augment the points, and avoid certain pathological curves
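
The point made above, that the same algorithm runs unchanged in any group and that curve points modulo a prime form one, as an added worked example (not code from the thread or from the linked course). It implements the chord-and-tangent group law on a short Weierstrass curve over F_p, verifies the group axioms exhaustively on a tiny curve, and runs one generic Diffie-Hellman routine twice: once in the integers modulo a prime and once in the curve group. All parameters are constructed toy values; the curve y^2 = x^3 + 2x + 3 over F_97 and the point (3, 6) are assumed here only for illustration.

```python
# Added example: one Diffie-Hellman routine, two groups. All moduli, curves
# and scalars are tiny constructed values, not anything used in practice.


def mul_mod(p):
    """Group of non-zero integers modulo the prime p under multiplication.
    Returns (identity, operation) so it can be plugged into the generic code."""
    return 1, (lambda a, b: (a * b) % p)


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p (p an odd prime).
    Points are (x, y) tuples; None stands for the point at infinity, which is
    the group identity (the "augmented" point the footnote above refers to)."""

    def __init__(self, p, a, b):
        # Reject the pathological (singular) curves the footnote warns about.
        if (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("singular curve: discriminant is zero mod p")
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition; this is the 'particular operation'."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None  # P + (-P) = O, also covers doubling a point with y = 0
        if P == Q:  # tangent slope
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:       # chord slope
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def points(self):
        """Every point on the curve by brute force (only sensible for tiny p)."""
        pts = [None]
        for x in range(self.p):
            rhs = (x**3 + self.a * x + self.b) % self.p
            pts.extend((x, y) for y in range(self.p) if (y * y) % self.p == rhs)
        return pts


def check_group_axioms(curve):
    """Exhaustively verify closure, identity, inverses and associativity over
    all points of a tiny curve. True means the points really form a group."""
    pts = curve.points()
    for P in pts:
        if curve.add(P, None) != P or curve.add(P, curve.neg(P)) is not None:
            return False
        for Q in pts:
            if curve.add(P, Q) not in pts:
                return False
            for R in pts:
                if curve.add(curve.add(P, Q), R) != curve.add(P, curve.add(Q, R)):
                    return False
    return True


def power(op, identity, g, n):
    """Generic square-and-multiply: g combined with itself n times using op.
    In Z_p^* this is modular exponentiation; on a curve it is scalar multiplication."""
    result, base = identity, g
    while n:
        if n & 1:
            result = op(result, base)
        base = op(base, base)
        n >>= 1
    return result


def diffie_hellman(op, identity, g, a, b):
    """Run DH with private scalars a and b in whatever group (op, identity) is.
    Returns (A, B, shared_as_computed_by_a, shared_as_computed_by_b)."""
    A = power(op, identity, g, a)
    B = power(op, identity, g, b)
    return A, B, power(op, identity, B, a), power(op, identity, A, b)


if __name__ == "__main__":
    identity, op = mul_mod(23)
    print("Z_23^*:", diffie_hellman(op, identity, 5, 6, 15))
    c = Curve(97, 2, 3)
    print("axioms hold on y^2=x^3+x+6 over F_11:", check_group_axioms(Curve(11, 1, 6)))
    print("curve over F_97:", diffie_hellman(c.add, None, (3, 6), 131, 137))
```

Nothing in `power` or `diffie_hellman` knows which group it is running in; swapping `mul_mod(23)` for `Curve(97, 2, 3).add` with `None` as identity is the whole change. The toy parameters make the discrete logarithm trivial by brute force, which is exactly why real deployments use primes and curves of a few hundred bits.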

~~~
ColinWright
As to why they are trending ...

With recent(ish) leaks about what the NSA is doing in terms of breaking
widely-available crypto, the question has arisen about what weaknesses might
exist in current classical techniques. RSA and DHMW have been around for a
long time, and much is known about specific weaknesses. Some primes need to be
avoided, for example in DHMW one should avoid primes P where (P-1)/2 has lots
of small factors.

But all the elliptic curve cryptography is comparatively new, and weaknesses
are still being found. It's plausible that there are simple things to avoid
when choosing an elliptic curve, and so perhaps we should just use the
elliptic curves recommended to us by security experts.

But after Snowden, _etc.,_ people are becoming wary of trusting experts, so
they want to know more about the implications of their choices, and what
options they might have. This is an ongoing issue, and now, as people are
starting to understand the mechanics of implementing systems that use elliptic
curves instead of just Z_p, articles are being written aimed at the non-
security-community people.

And so articles appear that are readable and relevant.

Just my $0.02
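
The "(P-1)/2 has lots of small factors" advice above, turned into a parameter check, as an added example (not code from the thread). It factors (p-1)/2 by trial division and reports whether p is a safe prime, i.e. (p-1)/2 is itself prime, or whether the group order is smooth. The primes used are constructed toy values; for real 2048-bit moduli trial division is hopeless and a proper primality test and a trusted, published parameter set are the sensible check.

```python
# Added example: classify a Diffie-Hellman modulus by how (p-1)/2 factors.
# Toy sizes only; the trial-division factoring below is for illustration.


def factor(n):
    """Trial-division factorization of n, returned as a sorted list of primes."""
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1 if d == 2 else 2  # after 2, only try odd divisors
    if n > 1:
        factors.append(n)
    return factors


def is_prime(n):
    return n > 1 and factor(n) == [n]


def classify_dh_prime(p):
    """Describe the factorization of q = (p-1)/2 for an odd prime p.
    'safe_prime' is True when q is prime, the case the advice above prefers;
    a long list of tiny factors is the smooth case it says to avoid."""
    if p % 2 == 0 or not is_prime(p):
        raise ValueError("p must be an odd prime")
    q = (p - 1) // 2
    qf = factor(q)
    return {
        "p": p,
        "q": q,
        "q_factors": qf,
        "largest_factor_bits": max(qf).bit_length(),
        "safe_prime": len(qf) == 1,
    }


if __name__ == "__main__":
    for p in (23, 1009, 2039, 65537):  # constructed sample moduli
        r = classify_dh_prime(p)
        verdict = "safe prime" if r["safe_prime"] else "smooth (p-1)/2, avoid"
        print(f"p={p}: (p-1)/2={r['q']} = {r['q_factors']} -> {verdict}")
```

The check says nothing about whether the prime is large enough; it only flags the specific structural weakness the comment names.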

~~~
tptacek
I'm going to push back a little on "new" and "weaknesses still being found".
The underlying theory of curves and their hardness has been pretty stable for
a while --- since well before 2000, I think. More progress has been made
against conventional multiplicative group Diffie-Hellman than has against
curves.

The complicating factor isn't the curve problems themselves, but rather
_implementation details_, some of them particular to specific curves.

~~~
ColinWright
That's a reasonable point and I agree with you, but I think you've read into
my comment something that's not there. I said:

>> _But all the elliptic curve cryptography is comparatively new, and
weaknesses are still being found._

It's the elliptic curve _cryptography_ that's comparatively new, and the
weaknesses are being found in the _full crypto package._ That includes, and in
many cases is primarily in, the implementation.

So actually I think you're not pushing back, I think you're clarifying exactly
what I said.

Of course, I may yet have misunderstood you, so feel free to add more. You
certainly know more about this than I do, and I'm happy to learn (or have it
clarified further).

~~~
tptacek
Sure! I think we agree.

The whole field of misuse-resistant cryptography is very new, relative to the
field as a whole. We didn't even have a usage model of cryptography that was
sound until the later 1990s, when the connection was made between
authentication and indistinguishability. It's only in the last few years that
we've begun to prioritize constructions that make implementation bugs harder
to blunder into.

Which is a long way of saying, that's true, but also still an issue relevant
to RSA and DH and DSA.

I think the primary reason we read a lot about elliptic curves today is that
the field has, at least to the extent that it's not directly promoting post-
quantum algorithms, pretty much coalesced around curves as the best modern way
to implement asymmetric cryptography.

