Previous slide Next slide Toggle fullscreen Open presenter view
Elliptic curves 101
This is very brief overview. There are better, and more complete introductions out there
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Elliptic Curves
y 2 = x 3 + a x + b m o d p y^2 = x^3 + ax + b \mod p
y 2 = x 3 + a x + b mod p
Described by this function
But x, y are integers
And x, y are between 0 and some prime number p
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
The key properties
Addition (and multiplication by a scalar) is 'easy'
Division (undoing the multiplication) is 'hard'
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Addition
Geometrically, P + Q + R = 0 P + Q + R = 0 P + Q + R = 0 P, Q, R all lie on the same "line" (mod p ).
Thus addition looks like: P + Q = − R P + Q = -R P + Q = − R
-R is R reflected around the line y = p / 2 y = p / 2 y = p /2
P + P P + P P + P p )
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Scalar Multiplication
Define scalar multiplication as
n P = P + P + . . . + P ⏟ n times nP = \underbrace{P + P + ... + P} _{n\text{ times}}
n P = n times P + P + ... + P
This can be calculated in O ( log n ) O(\log n) O ( log n ) double and add
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Multiplication properties
These elliptic curves have the associative property:
n P + m P = ( n + m ) P nP + mP = (n+m)P
n P + m P = ( n + m ) P
but they are also cyclic , meaning for some value n , the results of the multiplication start repeating:
k P = ( k m o d n ) P kP = (k \mod n)P
k P = ( k mod n ) P
P is called the base point or generator of the curve.n is the order of the cyclic subgroup of the curve generated by P .In ECC, P is chosen so that n is large
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Discrete logarithm problem
If we know P and Q , and Q = k P m o d p Q = kP \mod p Q = k P mod p k ?
i.e. k = Q / P k = Q/P k = Q / P
No known 'easy' algorithm (i.e. runs in polynomial time)
need to do divide by trial and error (choose k , check, repeat)
for large k , this takes too long to be feasible
This is the basis of all ECC cryptography
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Rules of cryptography (mod 3)
Never roll your own crypto
Never roll your own crypto
Don't. Roll. Your. Own. Crypto.
because you will shoot yourself in the foot
Exceptions:
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Elliptic Curve Cryptography (ECC)
Private key a random integer d ∈ [ 1 , n − 1 ] d \in [1, n-1] d ∈ [ 1 , n − 1 ] n the order of the sub-group.Public key P = k G P = kG P = k G G is base point, or generator of the group
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Encryption with Elliptic Curve Diffie-Hellman (ECDH)
DH is a method for two parties to securely exchange keys .
Alice
Bob
Create key pair P a = k a . G P_a = k_a.G P a = k a . G
Create key pair P b = k b . G P_b = k_b.G P b = k b . G
Sends Bob P a P_a P a
Sends Alice P b P_b P b
Calc P s = k a . H b = k a . k b . G P_s = k_a.H_b = k_a.k_b.G P s = k a . H b = k a . k b . G
Calc P s = k b . H a = k a . k b . G P_s = k_b.H_a = k_a.k_b.G P s = k b . H a = k a . k b . G
P s P_s P s
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Signing and verifying messages
Alice wants to sign a message, m , that Bob (or anyone else) can verify with her public key, P a P_a P a
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
EdDSA algorithm
Signing
Alice has her public and private keys P a = k a G P_a = k_aG P a = k a G
Calculate a temporary key from random nonce j : R = r G R = rG R = r G
Calc e = Hash ( R ∣ ∣ m ) e = \text{Hash}(R || m) e = Hash ( R ∣∣ m )
Calc s = r + e k a s = r + ek_a s = r + e k a
Send m , R and s to Bob
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
EdDSA Verification
Bob has s , R , m , and P a P_a P a
He doesn't know k a k_a k a r .
s . G = ( r + e k a ) G = r G + e k a G = R + e P a s.G = (r + ek_a)G
= rG + ek_aG
= R + eP_a
s . G = ( r + e k a ) G = r G + e k a G = R + e P a
So Bob calculates s.G and e, and compares it to R + e P a R+ eP_a R + e P a
© Tari Labs, 2018-2021. (License : CC BY-NC-SA 4.0)
Note: Disclaimer. This is a rough guide for engineers wanting to get their hands wet with the nuts and bolts
of the cryptographic math behind blockchain security. Therefore I may be loosy goosy with some terminology
and most of the concepts oversimplified, so excuse that. However, if there are any _egregious_ errors in this
presentation, please [open an issue](https://github.com/tari-labs/tari-university/issues) on github.
Note: You can forget about all this technical detail. It's just included here for completeness.
note: Now that the abstract algebra stuff is largely out of the way, we can do some cryptography!
note: This should make sense now based on all the preliminary discussion. _k_ is kept secret, _kG_ is relatively
easy to calculate, giving you a public key, but finding _k_ from _kG_ involves solving the discrete logarithm problem.
note:
- When creating their keys, Alice and Bob use the same curve parameters: same curve, _G_ etc.
- When they exchange public keys, it can be over an insecure channel
note: This is a simplified algorithm. There are a few details ommitted,
like always using modular arithmetic at limits on the choice of nonce.