[curves] Fwd: Crash Course on ECC poster

Mike Hamburg mike at shiftleft.org
Tue Jul 7 23:02:18 PDT 2015 

Nice poster, Tony!

An interesting variant of the "clock cryptography" is to imagine
Diffie-Hellman on the complex unit clock, as described in Bernstein and
Lange's intro.  I think it's a more intuitive analogy to ECC than powers
of the generator, and you don't necessarily need primitive roots.

So pick some amount of time -- 1/q of the day -- and Alice tells Bob
where the clock hands are pointing at a/q of the day, and Bob tells
Alice where they're pointing at b/q of the day.  They can both compute
where the hands are pointing at ab/q of the day, and that's the DH secret.

They express where the hands are pointing as (x,y), where x^2 + y^2 =
1.  The identity is (0,1) = midnight.  The formulas for adding times are
the same as multiplication of complex numbers, except x and y are
swapped because midnight is at the top: (x,y)+(X,Y) = (xY+Xy, yY-xX).

With real numbers this is a pain because of rounding errors.  It
actually works and is not trivially breakable if you do it mod a prime,
particularly a 3-mod-4 prime.  But it's susceptible to index calculus.

Then if you want you can say "... but on a warped clock ..." and get an
Edwards curve.  The Edwards curve has equation x^2 + y^2 = 1 + dx^2y^2. 
It has addition formulas ((xY+Xy)/(1+dxXyY), (yY-xX)/(1-dxXyY)),
limiting to the circle when d=0.  There's also sooort of a way to turn
it into the Weierstrass equation, but it's probably not worth doing.

Just my two cents.

Cheers,
-- Mike


On 07/07/2015 08:12 PM, Tony Arcieri wrote:
> I made this poster for the DEFCON Crypto and Privacy Village. It's
> intended for audiences of mixed ability levels:
>
> https://i.imgur.com/hwbSRHh.png
>
> Would appreciate technical feedback on it. If you'd like to suggest
> copy changes, please consider design constraints (i.e. available room
> on the page).
>
> Thanks!
>
> -- 
> Tony Arcieri
>
>
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20150707/5e8ae895/attachment.html>

More information about the Curves mailing list