[curves] Climbing the elliptic learning curve (was: Re: Finalizing XEdDSA)

Ron Garret ron at flownet.com
Tue Nov 8 17:23:06 PST 2016


On Nov 8, 2016, at 4:00 PM, Trevor Perrin <trevp at trevp.net> wrote:

> On Mon, Nov 7, 2016 at 12:51 AM, Ben Smith <hyperelliptic at gmail.com> wrote:
>> 
>> Here's a rather longish explanation that might be helpful (I hope).
>> It's sort of a geometric complement to Mike's reply on curve shapes.
>> It should really be a link to a blog post, I suppose---but in the
>> absence of a blog, I'm posting it here.
>> 
>> What I'm aiming to do here is
>> * Connect the Edwards equation with a Weierstrass equation (actually a
>> Montgomery curve);
>> * Show how the usual magic birational map appears in a more natural way;
>> * Resolve Ron's apparent degree-3-vs-degree-4 incompatibility; and
>> * Explain how we can ignore the whole resolution-of-singularities
>> issue by simply never having singularities in the first place.
>> 
>> (If the geometric language goes over your head, don't worry; there
>> will be variables and equations the whole time to to show what I mean.
> 
> 
> Thanks to you and Mike, that's awesome!
> 
> I wonder what the easiest path is to *learn* the geometric language
> that you and Mike are using, to the point of following along here?
> 
> A lot of crypto-interested people can roughly understand RSA and DH,
> and would like to understand ECC, but get lost with terms like
> (skimming recent mails):
> 
> twist
> torsion
> homogenous
> isogenies
> birational
> singularities / nonsingular
> affine
> projective (plane, closure, line)
> genus
> embedding

order
cofactor
characteristic
trace of frobenius

Another thing that has been driving me nuts for years is Theorem 2.1 in the Curve25519 paper.  I understand what it *says* but I still don’t understand what it *means*.

rg



More information about the Curves mailing list