
Basic Intro to Elliptic Curve Cryptography (2019) - lanecwagner
https://qvault.io/2019/12/31/very-basic-intro-to-elliptic-curve-cryptography/
======
p0llard
Nigel Smart's _Cryptography Made Simple_ is a great book which covers elliptic
curve cryptography amongst many other topics; despite its name it's a very
technical book, but it's easily accessible to anyone with a
CS/EE/Maths/Physics degree.

You can grab a copy from SpringerLink for free at the moment here:
[https://link.springer.com/book/10.1007%2F978-3-319-21936-3](https://link.springer.com/book/10.1007%2F978-3-319-21936-3)

~~~
thr0w__4w4y
Agreed. Also Christof Paar's book [1] and 25-episode YouTube series [2] do an
excellent job of explaining not only elliptic curve cryptography, but also RSA
and a lot of other cryptography, including symmetric ciphers and cryptographic
hash functions.

The blog post seems to be essentially, "I read these good posts on Ars [3] and
F5 [4] [5] and here is my summary of my understanding of them". Nothing wrong
with that, but the post has some issues and doesn't add anything to the
sources cited IMO.

[1] [http://www.crypto-textbook.com/](http://www.crypto-textbook.com/) (ironic
that https isn't available?!?!)

[2]
[https://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg](https://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg)

[3] [https://arstechnica.com/information-technology/2013/10/a-rel...](https://arstechnica.com/information-technology/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

[4] [https://devcentral.f5.com/s/articles/real-cryptography-has-c...](https://devcentral.f5.com/s/articles/real-cryptography-has-curves-making-the-case-for-ecc-20832)

[5] [https://youtu.be/dCvB-mhkT0w](https://youtu.be/dCvB-mhkT0w)

------
lordgrenville
The Ars Technica article linked in the article is much better-written and more
comprehensive. [https://arstechnica.com/information-technology/2013/10/a-rel...](https://arstechnica.com/information-technology/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

Fun fact: elliptic curves (specifically the Taniyama–Shimura conjecture about
their relationship to modular forms) played a key role in Wiles' proof of
Fermat's Last Theorem, one of the most famous problems in mathematics.

~~~
nbardy
Yea. This article just hijacks all the graphics from the ars technica article
and makes it harder to read.

------
loup-vaillant
Those who seek to go a step further and actually implement elliptic curves
should see the ECC Hacks talk by djb and Tanja Lange:
[https://www.youtube.com/watch?v=vEt-D8xZmgE](https://www.youtube.com/watch?v=vEt-D8xZmgE)

A couple claims there are a little outdated (we now have better ways of
dealing with short Weierstraß curves), but the advice there is sound.

~~~
vmception
What class would one take to understand this?

I had a cryptography elective I wanted to take in undergrad but it was in the
wrong semester.

~~~
beefhash
If you want to get this stuff into your head reasonably fast, go implement a
curve. Then do it again, but in Rust (or C) and in constant-time. Then do it
again, but actually computationally efficiently (i.e. optimize the hell out of
a Rust or C implementation once it works). Choose a different curve each time.
Then go and cook your own curve for shits and giggles.

You may easily spend a year upwards on this, but by the time you're done,
you've basically run into every resource worth knowing about and are able to
decently reason about elliptic curves (but by no means are in a position to
write papers still).

~~~
tinganho
Basically, doing this now. I tried to implement x25519 in a highly optimized
way in cpp/c and I'm in my 8th month. I dug through countless articles and
learned a ton of abstract algebra. Though, I still feel like a beginner in
this field.

I've done a few hard projects in my career (compilers, and a graphic editor).
And I think implementing an elliptic curve in an optimized way, without a math
library, must be one of the hardest things in programming.

------
techman9
It looks like several of the images in this post are taken (without credit?)
from Cloudflare's primer? [https://blog.cloudflare.com/a-relatively-easy-to-understand-...](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

~~~
judge2020
Images (at least now) link to an ArsTechnica article [0] written by Nick
Sullivan, the same person who wrote said blog post (the article and CF's blog
post are the same thing, with ArsTechnica going up a day later).

[https://arstechnica.com/information-technology/2013/10/a-rel...](https://arstechnica.com/information-technology/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

------
seesawtron
Cool stuff. I wrote a similar post explaining and implementing RSA in python
on Colab[0]. I did NOT leave the math out because that was the most exciting
part that I enjoyed while studying RSA. Maybe you'd wanna make a similar
implementation for fun for ECC.

[0] [https://colab.research.google.com/drive/1ccyVKHHXFczk_3u5WoV...](https://colab.research.google.com/drive/1ccyVKHHXFczk_3u5WoV-3OGtyS-FJnO3?usp=sharing)

------
alecbenzer
I'm assuming that given a starting point A and a number of operations n,
there's a much faster way of computing the end point than just iterating n
times?

Otherwise, determining n given A and an end point would just be a matter of
iterating from A until you hit the end point and counting, right?

Also, how do you actually use the keys to encrypt/decrypt?

~~~
tialaramex
> Also, how do you actually use the keys to encrypt/decrypt?

One of the changes in modern cryptography compared to stuff from the 1990s is
that we rarely have cause to use public key _encryption_ at all.

A typical modern design uses a key agreement algorithm to choose a large
shared secret known to both parties which is then used to do encryption with
symmetric algorithms.

The elliptic curves show up in the key agreement algorithm and in a Digital
Signature scheme used after the encryption switches on to prove who you really
are, but we often don't use them to actually encrypt anything (and so likewise
we don't use them to decrypt anything either).

~~~
alecbenzer
Sure, fine, but even in RSA signing there's some message you transform with
one of the keys and then undo the transformation with the other key (the
transformation is encryption when the first key is the public key, and signing
when the first key is the private key). I just mean, given these EC keys, how
do you actually apply them to data?

~~~
tialaramex
I mean, firstly, no. What you're describing is what we call "Textbook RSA" and
that's a classroom exercise rather than a technology you should use in
practice - it's unsafe. Perhaps more importantly while you can (almost) do
this in RSA you really can't do it with something like Curve25519.

As a classroom exercise you can use RSA to encrypt the message "I like toast".
You turn "I like toast" into a big number. Using a public key you do the
(textbook) RSA operation and out comes a different big number. The recipient
uses the private key to get the first big number back - and it translates as
"I like toast". Nobody did that in real crypto systems, even in the 1990s, and
the way you'd do it as a classroom exercise is inherently unsafe, but you can
watch it being done and it's somewhat helpful in understanding RSA.

Nothing like that is usually done with elliptic curves.

Fortunately we didn't want to send a message like "I like toast" with public
key crypto anyway, we always actually want to agree symmetric cryptographic
keys.

And agreeing keys we can do with elliptic curves. Such as
[https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93...](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman)

What's the difference? The key agreement protocol doesn't let you choose the
message. Alice and Bob will definitely agree on some shared key at the end of
the protocol, but neither Alice nor Bob can choose what it is. For a key this
doesn't matter, indeed it's arguably desirable to use random keys nobody
actually picked, lots of things to like about that outcome.

Does that help?
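
The two points above, alecbenzer's question of whether n*A can be computed faster than n iterations and tialaramex's description of key agreement, as one added example that is not part of this thread: a toy curve over a small prime field with double-and-add scalar multiplication and an ECDH exchange in which both sides land on the same point that neither of them chose. The curve parameters, base point and secrets are constructed for illustration only.

```python
# Added example, not from the thread: toy curve y^2 = x^3 + A*x + B over F_P.
# All parameters are constructed for illustration; real systems use a standard
# curve (e.g. Curve25519) and a constant-time implementation.
P, A, B = 97, 2, 3
G = (3, 6)        # base point: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
INF = None        # point at infinity, the group identity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Chord-and-tangent group law in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                        # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(n, pt):
    """n*pt with O(log n) group operations (double-and-add)."""
    result = INF
    while n:
        if n & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        n >>= 1
    return result

def naive_mul(n, pt):
    result = INF          # n*pt by n repeated additions; only feasible for tiny n
    for _ in range(n):
        result = add(result, pt)
    return result

def ecdh(alice_secret, bob_secret):
    """Each party publishes secret*G; both derive own_secret * other_pub."""
    alice_pub, bob_pub = scalar_mul(alice_secret, G), scalar_mul(bob_secret, G)
    return scalar_mul(alice_secret, bob_pub), scalar_mul(bob_secret, alice_pub)
```

Recovering a secret from its public point means solving the discrete logarithm on the curve, which for a real-sized field has no shortcut comparable to double-and-add; on this 97-element toy it is of course trivial.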

~~~
alecbenzer
> I mean, firstly, no. What you're describing is what we call "Textbook RSA"
> and that's a classroom exercise rather than a technology you should use in
> practice - it's unsafe.

? I'm not talking about encrypting data with RSA, but how else do you perform
signing with RSA except by using the private key to transform some message
that can then be verified with the public key?

I see now the article's trying to describe elliptic curve Diffie-Hellman,
which makes much more sense (but makes the comparison to RSA in the article
confusing...)

------
denysvitali
On an unrelated note, DKIM's latest RFC includes ed25519-sha256 but nobody is
actually accepting a properly signed email using this signature algorithm.
Bummer

~~~
LeonM
That would be RFC8463 "A New Cryptographic Signature Method for DomainKeys
Identified Mail (DKIM)" [0]

The biggest improvement on using EC over RSA in DKIM is that the public key
will fit in a single DNS TXT rr.

The problem here is that email servers are often horribly outdated, so don't
expect widespread adoption of the new RFC anytime soon.

The suggested transition method would be to include both an EC and an RSA signature
in the email, and publish both keys under separate selectors. The receiver
should ignore the EC signature if it doesn't support it, and when it is
supported the receiver should _only_ use the EC signature. However, it
wouldn't surprise me if this is going to be poorly implemented and you'll end
up with the receiver validating both signatures, thus performing multiple DNS
lookups.

I'm planning on doing a write-up about support for RFC8463 in popular email
services.

Disclaimer: Founder of an email hardening service.

[0] [https://www.rfc-editor.org/rfc/rfc8463.html](https://www.rfc-editor.org/rfc/rfc8463.html)

~~~
denysvitali
I wanted to point out this thing because I'm in the middle of migrating my
mail server and wanted to improve the whole setup by using chasquid and a set
of dkim tools [1] that I've forked and improved to include ed25519-sha256.
Unfortunately pretty much nobody has implemented RFC8463 yet, and my DNS
provider doesn't allow me to use RSA 2048bit DKIM keys because they have a
stupid limit on the TXT field value :(

[1]:
[https://github.com/denysvitali/dkim](https://github.com/denysvitali/dkim)

~~~
LeonM
You shouldn't rely on only ed25519 for DKIM, always double-sign your email
with RSA as a fallback.

The problem with email will forever be that there are so many badly configured
email servers out there. Any new standard in email will always need
backwards compatibility ad infinitum.

In your case I'd recommend moving your DNS to another DNS provider. Just pick
any and go with that.

------
staycoolboy
Very cool. I would love an ELI5 why some curves are more or less secure than
others (e.g. p256r1 is the hot curve now, but why?)

~~~
john_alan
When you say p-256r1 are you talking about secp256r1 or Brainpool?

The security of a curve is defined by p, the prime field over which it is
defined, and a and b, the curve coefficients.

There exist attacks against curves in various ways: composite order attacks,
anomalous curves (where the curve order === field order).

~~~
staycoolboy
secp256r1

> There exists attacks against curves in various ways, composite order
> attacks, anomalous curves (where the curve order === field order).

This is where I need the ELI5 part. :) But I realize some things just require
hard work to understand... like ECC theory.

~~~
john_alan
Haha, well I guess.

To start you off:

Composite order attacks: things that are prime tend to be hard to attack. If
your curve doesn’t use prime stuff then you can take the factors of the thing
and attack it in little groups.

Anomalous curves: elliptic curves have a total number of points. We call that
the order. So does the “field” (kinda like a box) that the curve lives in. If
the number of elements in the field and the number of elements in the curve
are the same, you can kinda “lift” the curve out of its box and put it in
another box that’s easier to smash it in. :)
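
An added example, not part of this thread, that makes the two notions above concrete by brute-force counting the points on toy curves over F_p: one with a composite group order and one anomalous curve whose order equals p. The curves are constructed for illustration; brute-force counting is only feasible for tiny fields.

```python
# Added example (not from the thread): count points on y^2 = x^3 + ax + b
# over F_p and inspect the order. Curves used in the checks are constructed
# toys over F_5; real curves use ~256-bit p and Schoof-type counting.
def curve_order(p, a, b):
    """Number of points on the curve over F_p, including the point at infinity."""
    assert (4 * a ** 3 + 27 * b ** 2) % p != 0, "singular curve"
    roots = {}                                  # square -> list of its square roots
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    count = 1                                   # the point at infinity
    for x in range(p):
        count += len(roots.get((x ** 3 + a * x + b) % p, []))
    return count

def hasse_ok(p, order):
    """Hasse bound: |#E - (p + 1)| <= 2*sqrt(p)."""
    return abs(order - (p + 1)) <= 2 * p ** 0.5

def factor(n):
    """Prime factors of n in ascending order (trial division)."""
    fs, d = [], 2
    while d * d <= n:
        while n % d == 0:
            fs.append(d)
            n //= d
        d += 1
    return fs + [n] if n > 1 else fs

def is_anomalous(p, a, b):
    """Anomalous: group order equals the field size p."""
    return curve_order(p, a, b) == p
```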

~~~
staycoolboy
Thanks, this answer is helpful for focusing my search terms!

------
null0pointer
Jeremy Kun also has a good blog series on ECC. Although from memory it gets
pretty technical into pure maths pretty quickly.

[https://jeremykun.com/2014/02/08/introducing-elliptic-curves...](https://jeremykun.com/2014/02/08/introducing-elliptic-curves/)

------
svnpenn
I finally get it now. I feel like "public key" is a misnomer. It's really a
"public safe". You put something in the public safe and then it's locked. Then
only the person with the private key can unlock it.

~~~
nyolfen
I saw someone on twitter suggest that public keys should be called 'padlocks';
definitely a more intuitive way to think of them.

------
blackrock
How trustworthy is ECC? Considering it was developed in collaboration with the
NSA.

~~~
john_alan
ECC wasn’t developed by the NSA.

Elliptic curves have been studied in mathematics for 150 years. Elliptic curve
cryptography was introduced by Victor Miller and Neal Koblitz in 1985.

The NSA just released some compromised tech using curves.

------
anothermoron
I don't know much about Cryptography but this article made me want to ask
this:

In his example with Facebook and Trump, the original handshake to get
Facebook's public key isn't encrypted, isn't that a problem?

I may be totally not understanding this at all, but let's say when somebody
connects to Tor, if the original connection isn't encrypted and everybody knows
that I just connected to Tor, isn't that bad even though they can't tell what
I'm doing afterward?

~~~
ozim
I downvoted the other responder. Because Trump is using the public key to encrypt
the message. You can share your public key as much as you want and people will
be able to send you messages that only you (the owner of the private key) can decrypt.
There is no problem. That is normal use of a public key to send encrypted
messages to the owner of the private key.

You can do it also the other way around, encrypt data with private key and
only people who have your public key will be able to decrypt it. Which is a
bit less useful but it can confirm your identity. So they can be sure that you
sent the message.

------
sage3
I can't even escape US internal politics on a cryptography blog

~~~
JshWright
Yeah, maybe it's just the fact that things are particularly tense here at the
moment, but the choice of example definitely adds some extra baggage that
wasn't necessary. For me personally it interferes a bit with my ability to
simply read and enjoy the post.

~~~
irontoby
Just read the original Ars Technica article he "borrowed" all the images from.
It's a great article I've referred back to many times; it's better-written and
still easy to understand for those not familiar w/ the concepts.

The ECC-specific content begins on page 2.

[https://arstechnica.com/information-technology/2013/10/a-rel...](https://arstechnica.com/information-technology/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

