

A gentle introduction to elliptic-curve cryptography [video] - 0x006A
http://media.ccc.de/browse/congress/2014/31c3_-_6369_-_en_-_saal_1_-_201412272145_-_ecchacks_-_djb_-_tanja_lange.html#video

======
agwa
This video is excellent.

Slides:
[https://events.ccc.de/congress/2014/Fahrplan/system/attachme...](https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2502/original/20141227-twopage.pdf)

Sample code: [http://ecchacks.cr.yp.to/](http://ecchacks.cr.yp.to/)

~~~
yuhong
The first https uses CAcert. I'd suggest using http instead.

~~~
agwa
Thanks for pointing that out. TIL that my browser trusts the CAcert root,
which is not something I remember doing.

Too late to edit my comment. Here is a non-HTTPS link:
[http://events.ccc.de/congress/2014/Fahrplan/system/attachmen...](http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2502/original/20141227-twopage.pdf)

~~~
tedunangst
You may not be trusting the CAcert root, but just the ccc.de cert. I know I
added an exception for it, but not CAcert generally.

------
j2kun
I also wrote an introduction to ECC using Python. It's longer, less gentle,
more mathematical, and doesn't cover Edwards curves. But it ends with a
program allowing you to play EC's over any finite field, and implements and
explains some of the major protocols.

[http://jeremykun.com/2014/02/08/introducing-elliptic-curves/](http://jeremykun.com/2014/02/08/introducing-elliptic-curves/)

~~~
nullc
No disrespect to the extensive work you did there-- and this is a general
complaint about basically all the "ECC explained" I've seen on the web, but I
think that jumping into the mechanics of explaining at the blades-of-grass
level how to implement point arithmetic without ever giving a clear intuition
as to how a cyclic group with intractable discrete log is cryptographically
useful does the reader a disservice.

E.g. after reading one of these tutorials, they might be able to go and
_implement_ the cryptosystem, but they won't actually understand it except at
a "Chinese Room" level, and as a result it won't actually be safe for them to
implement any of it, since they'll be unlikely to ask the right questions.
E.g. they'd make the Sony mistake.

Yours goes a little further, and for that I must give it credit: Many just
explain the addition law and Russian peasants algorithm, throw out an equation
for ECDSA and call it a day. But if you do a revision, I'd encourage you to
rearrange and explain the cryptographic algorithms abstractly, and in depth,
first... before jumping into the mechanics of the machine implementation of a
particular group law.

~~~
j2kun
In writing them my main goal was to explain elliptic curves to my own
satisfaction (i.e. derive things and not shy away from projective space and
finite fields). To me they are interesting in their own right, as is realizing
them in code. I view the crypto as sort of a bonus. I do see your point that I
could have done everything with, say, multiplicative integers modulo a prime
and the core algorithms wouldn't change. I think I will redo that when I get
around to writing articles on abstract crypto (one-way functions, pseudorandom
generators, and the like).
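
The point made in the two comments above, as an added example that is not part of the thread or of either linked article: Diffie-Hellman written once against an abstract cyclic group, then run unchanged over integers modulo a prime and over a small elliptic curve. The parameters (p = 467 with generator 2; the curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19) and all names are assumptions chosen for illustration and are far too small for real use.

```python
# Added example: toy parameters only, trivially breakable by brute force.
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Group:
    """A cyclic group seen only through its operation, identity and generator."""
    op: Callable[[Any, Any], Any]
    identity: Any
    gen: Any

def power(g: Group, x, n: int):
    """Combine x with itself n times by double-and-add (Russian peasant method)."""
    acc = g.identity
    while n:
        if n & 1:
            acc = g.op(acc, x)
        x = g.op(x, x)
        n >>= 1
    return acc

def dh_shared(g: Group, a: int, b: int):
    """Diffie-Hellman using nothing but the abstract group interface."""
    pub_a, pub_b = power(g, g.gen, a), power(g, g.gen, b)  # exchanged in the clear
    key_a, key_b = power(g, pub_b, a), power(g, pub_a, b)  # computed privately
    return pub_a, pub_b, key_a, key_b

# Instantiation 1: multiplicative integers modulo the prime 467, generator 2.
zp = Group(op=lambda x, y: x * y % 467, identity=1, gen=2)

# Instantiation 2: y^2 = x^3 + 2x + 2 over F_17; None is the point at infinity.
P, A_COEF = 17, 2

def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:      # p2 == -p1, including y == 0 doubling
        return None
    if p1 == p2:                             # tangent slope for doubling
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:                                    # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

ec = Group(op=ec_add, identity=None, gen=(5, 1))
```

Only `ec_add` knows anything about curves; `power` and `dh_shared` are the same code for both groups, and an eavesdropper who sees the public values faces a discrete-log problem in whichever group was plugged in.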

------
pervycreeper
Particularly noteworthy is the part near the end regarding the selection
process for curves when standards are written, and the caginess of the
presenters in answering the audience question on the topic.

This is a good argument for software authors to really understand for
themselves at all levels what is going on with the cryptography/ packages they
are using.

~~~
orbifold
This has also bugged me in the case of other cryptographic algorithms, for
example SHA-1 has several magic input constants, whose choice is not obvious.
When casually reading through the original papers I could not find a clear
explanation of how those values were chosen. Pretty much everything in the
design seems fairly arbitrary and amendable to variation.

In physics there are multiple cases where you can do seemingly very hard
calculations, if you do it in the wrong coordinate system and neglect
symmetries that are present, that collapse to almost nothing (In the case of
elliptic curves that was the fact that the curve points chosen by NSA were
related by Q = P + e, where e was some point on the curve only known to the
NSA)

~~~
tptacek
Regarding the SHA-1 constants:

[http://crypto.stackexchange.com/questions/10829/why-initiali...](http://crypto.stackexchange.com/questions/10829/why-initialize-sha1-with-specific-buffer)

Your latter example seems to be about the Dual-EC RNG, which is not an ECC
encryption algorithm.

~~~
orbifold
Ah that is good to know. Yes the latter example was not exactly on point, just
meant as a general illustration of possible vulnerabilities.

------
jestinjoy1
I found this introductory explanation worth reading.
[http://crypto.stackexchange.com/questions/653/basic-explanat...](http://crypto.stackexchange.com/questions/653/basic-explanation-of-elliptic-curve-cryptography?rq=1)

