[curves] Fwd: Crash Course on ECC poster

Gregory Maxwell gmaxwell at gmail.com
Wed Jul 8 15:56:23 PDT 2015

On Wed, Jul 8, 2015 at 3:12 AM, Tony Arcieri <bascule at gmail.com> wrote:
> I made this poster for the DEFCON Crypto and Privacy Village. It's intended
> for audiences of mixed ability levels:
> https://i.imgur.com/hwbSRHh.png
> Would appreciate technical feedback on it. If you'd like to suggest copy
> changes, please consider design constraints (i.e. available room on the
> page).

Very nice poster;

Just an unsolicited opinion that won't help you with your poster...

There are many, many things on the internet which have focused on the
point addition formula. Which is certainly interesting (because it's
far from obvious that addition could work at all!) but it's my
experience that too much attention on the addition mechanics results in
people knowing a lot of things without having a lot of understanding.

A concrete result of this is 1,001 _really_ slow, timing attack
vulnerable, naive, incidentally insecure (e.g. bad RNGs), and
sometimes incorrect implementations of ECC in scripting language
du jour but very little work in doing interesting things algebraically
-- interesting optimizations, new protocols.. most of that is nowhere
to be found. Which is unfortunate, because you actually can often do
those things while the point arithmetic is a black box. I think
people might benefit more from some better understanding of how you
get rich and interesting cryptosystems out of such a simple construct
as an additively homomorphic cryptographic hash (one way of looking at
what a DL hard group gives you), even if it's at the expense of teaching
them about the chord-and-tangent addition, which hopefully 99.999% of
them will never need to implement. The
mechanical-knowledge-of-the-procedure is especially dangerous because
it gives people no intuition about what is likely to be safe vs unsafe.

Hairsplitting on Montgomery: Off-curve points are potentially
problematic, at least in contrived protocols if the curve is not also
twist secure. The x-only ladder lets you skip the sqrt needed to
recover y (hurray for speed!) but the sqrt would have also told you if
the point was on the curve. So I think really the security point
being made there is about twist-secure not about Montgomery. With
respect to the speed; performing a multiply x-only is possible for
other curves too and isn't unique to Montgomery (though perhaps
uniquely efficient there?)

It is also not correct that all curve equations can be converted into
all other ones (text under your curve forms headings). Rather any of
these can be converted to a Weierstrass equation, but -- for example --
Montgomery (at least as normally defined) can only be used when the
group has a cofactor which is divisible by 4.
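
The on-curve check that the message says the sqrt would have provided, as an added example that is not part of the original message. It uses Euler's criterion rather than a full square root, assumes Curve25519's well-known parameters as the Montgomery curve, and all function names are hypothetical.

```python
# Added example: classify an x-only Montgomery input as curve vs. twist.
# Assumption: Curve25519, y^2 = x^3 + A*x^2 + x over GF(P).
# Function and variable names are hypothetical.
P = 2**255 - 19
A = 486662


def rhs(x, p=P, a=A):
    """Right-hand side x^3 + A*x^2 + x of the Montgomery equation, mod p."""
    x %= p
    return (x * x * x + a * x * x + x) % p


def is_square(v, p=P):
    """Euler's criterion: v is a square mod p iff v^((p-1)/2) is 0 or 1."""
    return pow(v, (p - 1) // 2, p) in (0, 1)


def classify(x, p=P, a=A):
    """Return 'curve' if some y satisfies y^2 = rhs(x), else 'twist'.

    An x-only ladder never computes y, so it never learns this; a sqrt
    to recover y would fail exactly in the 'twist' case.
    """
    return "curve" if is_square(rhs(x, p, a), p) else "twist"


def accept_strict(x, p=P, a=A):
    """Validation a protocol on a non-twist-secure curve would need:
    reject non-canonical encodings and off-curve x before the ladder."""
    return 0 <= x < p and classify(x, p, a) == "curve"


if __name__ == "__main__":
    # Constructed sample inputs: the standard base point, and x = p - 1.
    for label, x in (("base point x=9", 9), ("x = p-1", P - 1)):
        print(f"{label}: {classify(x)}, strict accept: {accept_strict(x)}")
```

The check costs one modular exponentiation, roughly what the skipped sqrt would have cost, which is why twist security matters for a ladder that omits it.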
