Lecture 17: Elliptic Curve Cryptography (ECC) by Christof Paar

This lecture and lecture 16 are the best explanation for ECC I have found on the internet. Thank you so much for putting this online!

cherokeelol

Thank you very much Christof Paar, you are the best Professor I have ever seen in my life!
Yes, that's really what I think of you. For me you are very smart, so pedagogical, so clear, so humble (necessary for any teaching) and so funny too!
I discovered this course in 2014 in Morocco when I started my studies on Cryptography at the University of Rabat, Morocco. I really enjoyed this course at that time, and I can't tell you how it helped me to understand these topics that seemed very complicated (unfortunately due to the lack of explanation by other professors). You made them very easy for me, like magic. Your method is really inspiring and I really appreciate it. And I know if I am now working in this field as a security analyst with a background in cryptography, it is somehow thanks to your wonderful courses!
After seven years, I still enjoy these courses and now I decided to go back to this elliptic curve course because I am interested in CHESS-2021 this year about white box cryptography based on elliptic curves.
Thanks again my best professor!

zedmed

Nails it again. There should be an entire series Prof Parr explains Math for unruly Germans

eliatkinson

"I am not going to continue until an answer" at 06:40 minutes was the best part. Thanks professor

Adivasilover

What a wonderful lecturer. Much love from the states.

williamkimball

Dear Professor
As far as I understood, the ECDLP describes that the attacker not knowing d would have to keep adding up p with itself (1p, 2p, 3p, ... Ep) until he has found the point and the curve he is looking for (brute-force), which is not feasible, because there are too many points so it would take too long for the attacker. I know that you spoke of an attack which is faster (square-root of p) but let's leave that aside for the realm of this question. The contradiction with this explanation is that you also explained that Alice calculates the PubKey the exact same way (adding up p for a times). As such, Alice would have to deal with the exact same difficulty as the attacker, which makes this cryptosystem useless. Then, at the end of the Video, you explain that Alice can actually use a more efficient algorithm because she knows d. Namely she'd use the double-and-add algorithm. The attacker can obviously not do this, because knowing d is necessary for applying this algorithm. Is it because of this advantage for Alice, that it becomes feasible for her to calculate the PubKey in little time while it would take hundreds of years for the attacker to do so? Besten Dank für Ihre Hilfe, aber vorallem fürs Teilen Ihres exzellenten Unterrichts!

wohnungt

0:10 Lecture info
0:20 Lecture program
2:10 ECDLP
54:16 ECDH

Yuri-btwl

Dear Prof. Paar,

Great Lecture, always enjoys your detailed and meta-knowledge explanation.

I have one question on the "hardness of ECDLP", could you please persuade me why is it so difficult to compute the # of hops in a publicly known standard EC?

I was thinking, if the cardinality of the NIST EC is known, then there may be a database recording every points/elements in the group, right?

And then given the starting point and ending point, why isn't the problem as easy as item query in a database?

Appreciate your time!

alexxiong

Hello Profesor Paar, I'm a huge fan of you and your lectures, which are conveyed in a very understandable way.
At first I started watching your lectures (from the begining) as a supplementry information for Cryptography course that I take now, but very soon they became my 1st source for Cryptography learning.
Ich danke dir sehr (Hope I wrote it right :-))

I have two questions regarding the EC private (secret) key, and EC public key:
1. Alice anb Bob should (randomally) choose a and b (respectievly) from the range of {2, 3, ..., #E-1}, but as you explained in your lecture #E cannot be exactly computed, and it is roughly considered to be in the range of p+1 - 2*sqrt(p) <= #E <= p+1 + 2*sqrt(p). So my question is can the numbers a and b be chosen from the range {2, 3, ..., p+1 - 2*sqrt(p)}?
My concern, is because there's a possibility that the neutral element can fall in the range {p+1 - 2*sqrt(p), ..., #E -1} and actually the computation will cycle again (for some more steps) from the initial given point, and it would turn out that Alice or Bob are actually using too small private keys (or maybe my concern is wrong)?
2. You stated that one of the computed points (Xab, Yab) can be used as the public key. My question is why not use them both (for example XOR them)? and then use a hash function to extract the needed symetric key (128bit, 192bit, etc.)? I mean that by adding a XOR operation we add some confusion to the crypto system, aren't we?

yossigohar

At 5:30, Prof. Paar writes the EC as E: y^2 = x^3 + 2x + 12 mod 17. His comments confirm that formulation of E.
At 7:00, Prof. Paar states that P=(5, 1) is a primitive element of the EC.
I tried to work this out to make sure I really understood what EC were all about, and found that my understanding may be mistaken.
Either that, Prof. Paar made a transcription error somewhere. I am pretty certain the latter is the case, and the EC should have been written E: y^2 = x^3 + 2x + 2 mod 17.
If my understanding is correct, (5, 1) is indeed a primitive element of my corrected equation.
PS: At about 15:30 Prof. Paar is advised of the discrepancy. Spent about an hour questioning whether I understood EC. It wasn't waste of time because now I'm fairly sure that I get the concept.

jimbob

Generator point can be represented as an x integer and 1 bit for y. Y can be determined as one lying on a curve and this one y bit determines "upper" or "lower" part of solution. So we can "compress" point representation and operate only on x(int) + 1 y bit point representation AND save some memory space. And finally all points lying on a curve can be represented like this.

Coldwind

The board content is not visible clearly professor

karthikeyanS

In Lecture 17, I was totally and completely lost until he corrected the equation @15:30. I was lost but now I'm found.

hipsterkennyrogers

Why do they call this a discrete logarithm problem? It is multiplying P by d to get dP. It looks more of a discrete division in an elliptic group to me. I agree that it look a lot like the DLP we saw before. Is that the reason?

mojtabakomeili

Thank you sir. This is a very good lecture.

SimpleExplanation-hlzv

I am still looking into this topic :)
In Lecture 16, at the end there was a theorem: "The points on an elliptic curve, including the point at infinity have cyclic subgroups. Under certain conditions all points on an EC form a cyclic group." What are these certain conditions or is there a good book regarding this?

Also, when we are talking about #E, is this the number of points of the elliptic curve or the number of elements of the cyclic group, since we stated above that not alway ALL points of the EC form a cyclic group, these two values should be different or not?

Kind regards, Katharina

Mamacoka

Hi Professor Paar,
I have been studying asymmetric cryptography since last fall. I am struggling with how to build an ECC cryptosystem and encrypt a string of integers (that were originally a message).
Do you have any advice on how to approach this?

KLaRue

Dear Prof. Paar, thank you for the nice lecture. A small typo in your book on page-212 last paragraph (that) is two time. I am sorry if it is the old version of the book.

ubadify

Many thanks for this, a very thorough explanation! I'm trying to get my head around the random choice of the private key. {2, 3, ..., E-1 }, that's fine. But if you pick 2 by mistake then I suppose the ec discrete log problem happens to be trivial in this case? On the other hand if we restrict the choice of d to say 0.5E - E-1 then we are shrinking the search space for an attacker, but forcing them to take at least a certain amount of steps. Do we just hope that #E is so large that the choice of accidentally weakening the key with a small Kpr is infinitesimally small?

mppound

As the discrete logarithm problem produce same results when no squared reaches the point when its square in modNo-1 so do this happens in ecc to

funfest.