 Thank you. Thanks for having me. Thanks to the organizers for this being great for getting together such a great event for having me and being accommodating in various ways. So that's me. Yay in Bosta syndrome. I joined security quite late. I was doing a career in... I was going for a career in mathematics. I was originally going for a career in mathematics. I was a mathematician and I was dreaming to become, you know, to spend the rest of my life doing math. Now life doesn't always go the way you want it. And by accident I ended up in insecurity, which I haven't regretted a single day since. But at the same time, when I discovered that these objects, these elliptic curves that I used to use in... they used to study as a mathematician, do play a big role in security in elliptic curve cartography. It was very exciting. So I don't do this in my day job, but I do study... I do like talking about elliptic curve cartography. And thanks for having... yeah, I hope you'll enjoy it. And I should actually add two more disclaimers. The first disclaimer is that something went wrong with the slides I realized. So they're supposed to appear in steps and they now appear the final version every time. I hope that's okay. And the second somewhat related disclaimer that I need to add is that I'm feeling not particularly great this morning and that affects my brain in all sorts of ways. I'll try and be as coherent as possible, but apologies in advance when I'm not. So three other disclaimers that I had put on the slides. First is that I am not a cartographer and I shouldn't pretend to be one. I've studied elliptic curves well enough that I could implement the algorithms, but I would make mistakes. I would make catastrophic mistakes and I'm definitely not qualifying to study other people's algorithms. And the second disclaimer is that if you want to be someone who studies elliptic curve cartography, you really have to study the math. You really have to spend probably years studying the algebra, the geometry, the cryptography. And that's not something that I can do in 45 minutes. So I will really hope that after this talk you have some high-level idea of what's going on in elliptic curve cartography, which you may come across in various ways in your day job or in your free time. But I don't want to pretend that this is actually something that you can use in practice straight away. And finally, my goal is really to explain things, to help you understand very broadly what's going on. And I find that more important than to be correct and to include all edge cases. So there are various places where I just skip a corner and sometimes saying a few things that are technically wrong. And if some of you have studied elliptic curve cartography, you probably know this and I apologize. I don't think they're wrong in a crucial way, but technically not everything is correct. So this is what elliptic curve looks like. This is every introduction to elliptic curve starts with this formula of y squared equals x cubed plus a times x plus b and the prime number p. And that's always the prime number p because this is cryptography and that's always prime numbers. That's true. I also find this particularly unhelpful. This doesn't give you any insight. The only thing, the only part of this that I think is worth understanding is that there's a choice to a mate. In fact, there are three choices to be made. Different a, different b, and different b give different elliptic curves. And some curves are far more suitable for elliptic curve cartography than others. So every elliptic curve algorithm always starts by choose a curve e. This I think is helpful. This is a picture of an elliptic curve. Now you've probably seen this. If you have ever read anything about elliptic curve, they include a picture like this. Sometimes they include a different picture which has two parts. Like there's kind of a circle like this thing on the left and then just a simple curve to the right. There's no difference between one and two curves. Not in a way that is relevant here. I find this less confusing. But if you read an article that used the other picture, that's just as fine. There's nothing wrong there. Now on this curve are points. A great many points in general, though a finite number of points or use it later on. The fact that there are finite number of points is because it's prime number p. Everything is over mod p. And that makes computers able to deal with it, because computers can only deal with finite sets. So here's an important construction. We take two points on the left of the curve called a p and q. And we take the line through p and q. And as it turns out, this line has a unique third crossing point. That's a property of elliptic curves. That's generally true. And that's very helpful. And that's because of the x cubed in the formula. Anyway, there is always such a third point. That's what's relevant. Now, from this point, we can take the vertical line through this point. Alternatively, we can take the mirror image in the horizontal axis which I've drawn there. And this gives another point. And this point, I call p plus q. I cannot stress enough that this is not supposed to make sense. I'm not explaining how you add p and q. I'm just saying, here's a construction, taking a point p and a point q. And this construction gives a point, a third point that I call or that we call p plus q. And that's it. And that's a related construction. And that's not with a single point p. And I'm trying to add p to itself. Now, you can't really take the line through p and p, because there are many of them. But it turns out, you can take the unique line through p that is tangent to the curve that touches the curve. And this line again has another unique second point of crossing. And we can take again the vertical line through it or the mirror image and find another crossing point. And this I call p plus p. And actually, I call it two times p. Again, not supposed to make sense, I'm just defining something. And we can combine these things. So I can add p and two times p. So again, take the line, take the mirror image. We've got two times p plus p, which I call three times p, as you probably would have guessed. And you can go on like this. You can get four times p and five times p, and et cetera. And computers can calculate these things. And you'll notice that going from p, two times p, three times p goes all over the place of the curve. There's no structure. This all over the place-ness word I just made up, that's crucial to lip-to-curve photography. As we'll see in a second. OK. Everything works like you'd expect. So it's not supposed to make sense in this addition, but it turns out it's not completely stupid either, because this works like normal addition in many ways. So p plus q equals q plus p. That's something that you can see if you think back to the construction. Less obvious, but something that you can figure out yourself at home if you feel like it. If you add two points and then add a third point, it doesn't matter in which order you do it. So you can add p plus q and then add r, or you can add q plus r and then add p. It's the same. And the same with integer multiplication. So you take a point p, you multiply it with m, and then with n. And you get n, but you can also multiply n and m first and then multiply it with p, et cetera. All the rules that you expect work. And the points in the lip-to-curve call what mathematicians, or form what mathematicians call an ambillian group. Yeah, OK. There are a few places where my slides will be a bit funny because of the PDF issues. And it's my mistake. So I apologize for that. You're supposed to not look beyond the first line. Just pretend that's only the first line. And just pretend that the first line says, the goal is given a point p, calculate n times p for some n. And I use n as a hundred as an example. And it takes 99 steps. Don't cheat. It takes 99 steps. Trust me. I mean, two times p, three times p, four times p, it's five times p, et cetera. Ninety-nine steps to get a hundred times p. Actually, no. As you can see, computers can do it faster. But I combine, cleverly combining, doubling, and adding points. So from p, you go to two times p. This is doubling. You add p, three times p, and you double again and again and again. You get 24 times p. And then you add 25 times p by adding p, and then doubling twice, you get a hundred times p. So that's eight steps to go from p to a hundred times p. You can probably do it a little bit faster even. But that's the kind of order of things. Which means that if you do this, say six times in a row, you go from p to a trillion times p in 48 steps. So the kind of numbers you see in lithographic photography, they're usually of the form a trillion times a trillion, that, or the need of the form of the order of magnitude. Which would take about a hundred steps. So computer can do that in a fraction of a second. That's cool. Now, the opposite is not true. So if I give someone, if I give a computer a point n times p, and n times p is a point on the curve. So I'm not saying here's n and here's p. I'm saying here's a point, say q, and q is n times p, and here's p. Find n. And a computer can't do much else than just trying two times p, three times p, four times p, five times p, et cetera. Nothing significantly faster it can do. Which means that if my numbers are a trillion times a trillion big, then computer needs to do so many steps. And even for very large computers, at some point it's going to take millions of years. So this is called the discrete logarithm problem of elliptic curves. And that's the core of all elliptic curve cryptography. So probably the most important implementation, or at least the most well known implementation of elliptic curves, is the elliptic curve Diffie-Hellman key agreement protocol. So this cryptography, so we always have Alice and Bob. And Alice and Bob want to agree on a secret key over a public channel. And so Alice and Bob, you can think of it as Alice and Bob being here in this room, and they don't trust anyone else, but they want to find some kind of encryption key that they can use then, another algorithm to encrypt some messages. And I would agree in inverted commas, because they don't agree, they actually construct the curve as we'll see, the key as we'll see. So each has kind of half of the key, and together they make the full key. So we assume that Alice and Bob already know, and some are established, that they're talking to each other. There's no man in the middle, there's no Eve in the middle, or Mallory, who's pretending to be Bob and to be Alice. We assume they've already done that, and that's crucial, but there are ways to do that with certificates, for example. And it's helpful to think in practice that Alice is a web browser, and Bob is a web server. So first Alice and Bob agree on elliptic curve E and a point P on the curve. They do this publicly, they usually refer to some kind of standard where E and P are defined. Now Alice chooses a large random number A, trillion times a trillion, that sort of numbers, to keep that secret. Bob also chooses a large random number, lowercase B, also keeps that secret. Alice calculates A times P and sends this point to Bob. So Alice says, hey, Bob, here's a point A times P. And remember, anyone can see this, anyone knows P, anyone can see A times P, but thanks to this read, look, written problem, no one can actually find A. Likewise, Bob calculates B times P and sends this point B times P to Alice. And Alice then calculates, so Alice takes this B times P to the Bob center, keeps, uses her own secret number A, and calculates A times B times P. And Bob calculates B times A times P because Bob knows B, that's a secret number, and Alice sends them A times P. And as we've seen before, the order doesn't matter because that's how integer multiplication works. So this is the same point. So this point somehow converted to a number is, can be used as a secret key. This is used widely. This is how elliptic curve divvy helmet works. So here's a summary, because I'll refer to it a few times, so it's good to have a very general picture. Publicly known are a curve E and a point P on this curve, again referring to some standard. Alice uses a random number A, Bob a random number B, Alice sends A times P to Bob, Bob sends B times P to Alice, and the shared secret key is A times B times P, or B times A times P, which is the same. Sometimes you see not E, C, D, H, but E, C, D, H, E, which is the ephemeral version of elliptic curve divvy helmet, which means that Alice and Bob choose different A and B for each connection. So Alice and Bob can choose a fixed random number that they keep it to themselves, but they can also choose a different A and B in each connection. If they do that, that means they can't use A and B for authentication because I'll show you later, there's a signature algorithm where you can use your private key. They can't use it this way. The advantage of this is forward secrecy. Forward secrecy means that forward secrecy is best understood when something is not forward secret. So if Bob used the same B all the time for Alice, but for everyone else, Bob is a web server, so many connections, and someone knocks on Bob's door, uses a wrench, says, give me your number B, someone who has that number B can then decrypt any conversation they have seen in the past, because assuming they've recorded the A times B that Alice sent them, because they can multiply it with B that they now know and they can find the key, and they can decrypt everything else, which is not what you want. So this is why, despite the disadvantage, this is why elliptic curve divvy helmet is usually used in this ephemeral form. So let's see something in practice. You're not supposed to be able to read this, so don't worry. Many of you will recognize this. Hey, that's Wireshark. Yeah, so this is actually a Wireshark session of HTTPS connection between my laptop, this one here, and some random web server at nsac.io, which as it should use HTTPS. So my laptop says, okay, we're going to talk HTTPS, so let's agree on a cybersuite. And a cybersuite includes a number of algorithms, because in TLS there are actually a number of algorithms used for different things, but one of them is the key exchange algorithm. And my laptop, my fine fox, suggested 11 cybers, the first eight of which, the first eight most preferable ones, all in use elliptic curve divvy helmet and its ephemeral version. Okay, so server responds and says, okay, let's use this one, with the elliptic curve divvy helmet ephemeral, with rsa, as256, with the color quantum mode, and 3, 8, 4, 4 hashing, whatever that means. We care about elliptic curve divvy helmet. Now the client, my laptop, then send a certificate to, or checks a certificate to authenticate, that's not relevant here. This is again the server, the server says, okay, let's use a named curve, let's use a curve that's referred to in a standard, which I've implemented, and let's use the name curve, NIST curve, p256, that's a widely used curve that we'll actually see later. And my public key, which is my point, the b times p, has a length 65, 65 bytes, I told you by trillion times trillion, and probably more than that. And it looks like in hacks 0, 4, 9, 6, et cetera. And my browser then sends 8 times p, and from now on they can together, each of them can calculate the same encryption key, and I can't see what happens in my wire succession, because I haven't hacked my browser, so yeah, from then on everything is invisible. So this is how elliptic curve divvy helmet is widely used in practice. Okay, and crypto or key exchange is one important property, another important property of elliptic curve, sorry, another important use case of elliptic curve cryptography is digital signatures. And you've all seen digital signatures, and it shows, basically there are two ways digital signatures are used, one to authenticate an important piece of document, like okay, I've seen this document, I've had my signature, so I've seen it, I agree with it, but also, and for example, in an HTTPS, is to prove who you are, like okay, here's a random, some random data, I signed it with my key to show that it can only be me, not someone else. So I signed it with my private key, you can check, corresponds to my public key. I need a few definitions to explain this. So the first one is that I mentioned that on a curve, a curve has a finite number of points, which means in practice, if I start with p, and go two times p, and three times p, and four times p, just in theory, theoretically, you know, at some point I need to get back to p. And the order is the number of points you've met this way. So n times p is the last new point, and then n plus one times p is p again. So the order is the smallest n, but n plus one times p is p, it's the number of points in the loop. And that's actually easy to calculate, because, because mathematics, basically, you don't have to worry about really trying all the numbers, there are very easy ways, various easy ways to do this. Secondly, for the number k, and k is just a number, it's not a elliptic curve. I mean, I'll write k inverse to be the inverse of k in mod n, and this is order number. If you don't, if you're not familiar with these things, that's fine, don't worry about it, but it works like, like you, you expect one divided by k to work. The definition is that k times k inverse equals one mod n. So k times k inverse minus one is a, is a multiple of n. Anyway, don't, don't worry too much about it, it just works like an inverse. And finally, there are a number of cases here and later on where we need to turn p, the point, a point p into a number. The point p can be represented by a computer, and a computer can turn this into a number in a number of ways, different ways in different cases, but that's one of these details that I'll skip over. But I run, when I write p between vertical bars, pipes, like someone's called them, that's just p seen as an actual number, a number that you can add up, multiply, in the same way that you've known since primary school. Okay, so Alice has some data, and, and data is always assumed to be a large number m, and if data is larger, it's an even larger number than we hash it first. That's not very relevant here, but that always happens to your algorithms. We assume there is a large number m, and Alice wants to sign, so she wants to show, okay, I add at some point this number m, which is public, but I also had my private key, which only I know, and anyone can check my public key and then confirm that I have signed it, and no one else did. Okay, again, given our elliptic curve p and a point p of odd n on, on that curve, and Alice has a private key a, and the public key a times p, right, and p is public, p is known, but you can't calculate a, because it's a good problem. So the algorithm goes as follows. Alice uses a random number k between one and m, that's not particularly relevant, but a random large number. Alice then calculates k times the point p and sees it as a number, and she calls it r. She can do it easily, p is public, k is her random number, r doesn't give away anything about k, it just is a number. k times p is a point and we do it with a number. Then she can calculate m, which is the message, plus r times a, a is her secret number, divided by k, or times k inverse, and she calls it s. And I should make it clear, you know, she uses her a here, but the way it's used, the fact that k is unknown, means that someone who doesn't know k can't, in any way, can't find any information about a. Signature is then r, commas, the pair of numbers. What I always find counterintuitive, and I guess many find counterintuitive, that there isn't a unique signature. A different random number leads to a different, a different signature, a different pair of numbers, different r commas, and they're all fine. It matters that, what matters is that there are, out of the gazillion times gazillion possible signatures, there are only a trillion times a trillion possible right ones, which means that there's a probability of exactly zero that you ever, that the random combination is the right one. So, but there are multiple signatures and number k needs to be chosen randomly. Someone else, some Bob, tries to get this, this number, get this, this pair, can actually very easily confirm that this is, this is a value signature signed by Alice, based on the public k, a times p and these two numbers and the information about the curve that's public. I haven't written down how it works because it requires a few extra things out of the curve that are probably more confusing, but you can look it up. It's on Wikipedia, for example. Okay, so what if k isn't chosen randomly? What if Alice just misread the standard and thought, okay now I've got a nice random number k, I'll use it all the time. I mean saves me CPU power, I mean maybe Alice is, Alice is Sony or something. You know I think, hey I can save CPU power. I'll explain why Sony is relevant here in a sec. So, we get two signatures, two pairs of r and s, which are generated with the same k. And actually, if you look back how r is generated, r only depends on k and the point p, which is the same, which means that if k is the same, then r is the same in two signatures. So, only s is different. There is an s in an s prime because I use different messages. So, okay Alice signs two messages, m and m prime, this little accent is called the prime in math, and she signs them using the same random number. You can easily see that it's really primary school math. If you combine these two things, then m minus m prime, which are public, you know message are public, divided by s minus s prime, which again, there are signatures that are seen, that actually gives the number k, is reused number. And if you know k, then from the definition of s, you can easily solve a. So, if Alice only uses the same random number twice, you don't have to know which it is, but you can calculate the random number, you can calculate their private key, and everything else is disastrous from there. This was used in this way incorrectly by Sony in its PlayStation, I think people in 2013 it was, people were able to upload arbitrary code or something, which was normally is a signature check. Yeah, okay, if you know the private key, you can just sign it yourself. There's a slightly more subtle variant of this, which is if k is different, but not completely random, and actually in that case, takes a bit of time, but if ks are related, then you can still solve a Bitcoin wallet has made a mistake at some point. I think every crypto mistake ever has been made in Bitcoin wallets, probably the ones that we knew, we didn't know about. Let's see how we're doing for time. Okay, okay, I've mentioned random numbers a few times. Random numbers are very important in cryptography, elliptic cryptography is no exception. Computers unfortunately are not very good at randomness, that's kind of a feature of computers, they are predictable, I know it doesn't always feel like it when this morning I was doing something with my slides, but in general computers are predictable, they're very bad at random things, so they don't have enough randomness. They have some randomness, sometimes there's a random number generator device, like some using radioactive something, or you can measure how long it takes to store certain data on a hard drive, and then take the least significant numbers behind a decimal dot, and that also gives you some random numbers, but usually you don't have enough crew through randomness, so what a computer does is it uses a pseudo random number generator, which generate numbers that are random for all practical purposes, but are generated by an algorithm with a true random input, a true random seed. It works kind of like this in the picture, so you get through randomness, you input it in your algorithm, you get an internal state that's kept secret, and then based on that you output some random data, internal state fed back into the algorithm, and you get more data. I always imagine it's something like a machine that churns out random numbers while you turn some handle. Okay, one way to look at this grid-local problem, and I'm going to show you a random number generator to use elliptic curve cryptography, is that it looks that taking n, and then taking n times p, looks like a random operation, n times p taking the number, because it doesn't give away any information about n, so if you just see n times p that looks completely round, it's completely mangled up this number, you don't get any information about n, so this is, we can use this, so this is a very simple way, and ignore the red bit for a bit, so okay, there's a random c, they call it n zero, multiply with a fixed point p, p is given on a curve, and take the number, the vertical bar, the corresponding number, called n one, that's my output, so the green one is the internal state and the blue one is the output, get n two, etc. You can do this, this is easy, it can be done fast, you can't predict what's going on, unless you somehow see one of the outputs, say you somehow see n one, and that's not a bug, it's a feature in random number generators that sometimes the output is public, there are lots of ways in which random numbers are published in as part of an algorithm, like there's an algorithm that needs the server to send some random data, so we can assume that at some point someone has access to n one, that's a feature, but well if they do that, then they can kind of calculate n two by using the red thing, which is exactly the same as the arrow up there, I mean the vertical arrows, they don't do anything, just take the same number, so if you know the one output n one, then you know the whole internal state, you can predict all random numbers, so this doesn't work, thankfully we can vary a bit, because the problem here is, is that these vertical lines there, they're actually they're equal signs, you know, so you can go back, this is easily, but what if we use a second random number, sorry a second point on the curve q, and we multiply n one, sorry multiply this point q by n one first, then we get r one, this is an actual algorithm, so it generates 32 bytes numbers, actually throws away two bytes, the rest is the output, so this is where you can't go back, so if you see r one, if you see the 30 bytes of r one, you may be able to calculate the full output, but you can't go back, because that's the discrete logarithm problem, so okay you're stuck, seeing one output, which is a feature, doesn't give you any information about the elliptic, about the random number generator, about the internal state, so that's a good random number generator, yeah okay here, I just, I'm gonna explain things by hand, and I'll publish a slide later when I, when I fix them, so I apologize again for this, there's a fact, these points p and q are both on the curve, and there is actually, and that's some math there, there is a large number d, so the p equals d times q, okay cool, find that you can prove that there is such a number, but we also know from the discrete logarithm problem, you can't calculate the number, but imagine someone knows, someone knows this number d, someone has this number d, I don't know, maybe you're you're paragnostic and you see what number d is, okay, now is this someone first, and again I apologize for the mess, first they're able to calculate the whole output, not just r one, but the missing bit, the missing two bytes, it needs to check 65,000 points on whether one of them is a curve, and there's only one, and that's easy, computers can do it trivially, so we can assume the computer knows the whole output, not just 30 bytes, but the whole 32 bytes, and then they know r one, sorry, they know, yeah they know r one, they also know d, so they can take d times this number, which is, okay no sorry, I should say one more thing, so they know r one, so they know n one times q as a number, but actually find the corresponding point is also trivial, so okay, they know the point n one times q, see it doesn't give you n one, but they can multiply it with d, which they paragnostically know, so okay, d times n one times q, which is the same as n one times d times q, and n one times d times q is n one times p, so if you know this number d, you can go from r one to the next internal state to n two and to n three etc, so if you know d, then you've cracked this algorithm, so there's a ten million dollar question, and this would be nice if this appeared gradually, does anyone know d, and thankfully this is like all these algorithms there, they're public, you can look them up, it's a NIST algorithm, and NIST hopefully acknowledges and might boil and marry base from the National Security Agency for assistance in developing the recommendation, and I think that's a subtle way of saying they come up with these points p and q, and they chose the p and q in a way they knew d, so they basically, they choose a random point q on the curve, a random number d and another number p, and this is in the algorithm, and this is the famous dual EC DRBG backdoor to random number generator, dual refers to the two points ec, obviously it occurs, and DRBG is another way of saying pseudo-random number generator, it's the termistic random big generator, it's good to, there's a few things to say about this, firstly this has been used and there's a subtle reference here, RSA the maker of various crypto libraries, they use it as a default random number generator, allegedly after they got paid 10 million dollars by the NSA, which is probably a bad deal, secondly if you're not worried about the NSA, and you know you may be worried about the NSA, but in many cases individual cases you're not, and if you're using online banking, you know if the NSA wanted to they could just go to the bank and say what are you spending, what is this person spending your money on, so there's a lot of cases where we're not worried about the NSA, and in these cases this is a fine algorithm, it's completely secure, assuming NSA doesn't share this d with criminals, but okay it's fine, but actually for many other reasons it's a rubbish algorithm, it is slow, it's unnecessarily slow basically, there was no good reason to accept this, but the NSA using some money and some of its powers to do that, so there are two consequences of the RBC, which happened a few years ago, I think we can public in 2013 after Snowden leaked, people distrust any algorithm provided by the NSA, and I think that's wrong, not because I'm such a big fan of the NSA, but I think algorithms should be fine even if they're written by your arts enemy, you should just make sure that algorithm doesn't have backdoors, it's a bit like open source code, if you're supportive of open source software, you kind of expect you should be able to verify the software, you should trust the software regardless of who wrote it, I know it's a bit more complicated in practice, but yeah I think that just throwing away algorithms because the NSA designed them is not helpful, maybe makes people trust other parties more than they should, and NSA has some really good cryptographers, but what is a better trend is nothing of my sleep numbers, so numbers in elliptic curve cryptography in standards are often coming out of nowhere, so I printed a curve here, y squared equals x cubed minus 3x plus 41058 and then another 40 odd numbers, this is this curve P256 that we used, that I used to connect to an NSA.io, there's absolutely no reason to assume this is a backdoor, in fact we can be fair, everyone maybe except for extremely paranoid that people like Bruce Nyer, they all agree that this is not backdoor, but it's still bad practice, so people are moving now towards something called curve 25519 and this number refers to the prime number actually, but this number, this curve has parameters that you can explain, like why did I choose this parameters, I was looking for a number with these five properties and this is the smallest one that satisfies it, that's okay, that can't be backdoor, if everyone agrees these properties need to be satisfied and saying the smallest number that's not a backdoor, if you're saying well we're looking for these five properties and here's a very large number and trust this, you can check, then you should be wary, okay, almost done, do we have enough time still, okay, okay, there's a few attacks on elliptic curve calligraphy, this is one of the better known attacks on poor implementations, so ignore the blue and the red bit for a bit, this is again elliptic calligraphy helman, so it's a very long curve, E and a point P on the curve and then Alice and Bob choose random numbers A and B and they send A times B and B times B, but now we're in a situation where Bob is not using the ephemeral version, they're actually using a static V for all connections, which some algorithms, some implementations still do and there are, I think this advantage is outweigh the advantages, but in general I think this is, there are sometimes good reasons to do this, so Bob is a web server, talks to anyone and he's not suddenly not talking to some kind of Alice, but he's talking to Mallory and Mallory doesn't choose a random number A, Mallory chooses a point P of, sorry, a point Q of small order, say order five, which means that you go one times Q, two times Q, three times Q, four times Q, five times Q and then six times Q is Q again, so you keep going in circles, so there are only five possibilities for multiples of Q and he uses that and that's what she sends to Bob, Bob thinks this is some kind of A times P for some A, so Bob thinks okay, B times A times P, actually he's calculating B times Q and that's his, that he thinks that's the shared key, now there's two things to say about this, the first is this point is not even on the curve, there are, sometimes Bob, some poor implications that is don't check if a point sent to you by Alice or Mallory is on the curve and there are curves related to a fixed curve that don't give any problems, like if you do calculations you won't notice it, if you never check if a point is on the curve, the calculations work, you're just calculating it on a different curve without realizing, so the second thing to notice is that there are only few possibilities, only five in my example of B times Q which Bob is using as a private key, so Bob is encrypting some data with Mallory and Mallory can just check the five possibilities because she knows Q, she's sent Q to Bob and one of these five is correct, that doesn't give her B, but it gives her B mod five, she can find out whether B ends on a one over four or one over six or two or seven or three or eight, so she reduces the number of possibilities for B by a factor of five and she can continue this and know B is static, so you can choose another curve with another Q of order three and then seven and then eleven and she knows B mod a lot of prime numbers and there's something in a math called the Chinese remainder theorem which helps her find the original B, so if Bob doesn't check, doesn't check if points are on a curve you can attack it this way and it's actually used in practice, there's Java, I think Oracle library somewhere, there's quite a few libraries that don't check this, okay last thing, this is, so you know Diffie-Hellman, the curve Diffie-Hellman depends on the discrete localism problem, one way to see it you know this is all over the placeness, computers can't see structure when it's all over the placeness, but there is actually some structure, it's really just a circle, it just that it doesn't look like a circle because you go all the way over the curve and a trillion times, a trillion times, but there is some structure and quantum computers which are these new magical things that maybe we get at some point are able to see the structure, that's one way of feeling it and they can crack this algorithm relatively easily, so we need to find new algorithms if we're worried about quantum computers and people are already worried about this because sometimes government data is stored for a long time you know, if you store data for 30 years, you want to store it for 30 years, then you need to protect against computers that we have in 30 years, so people are already playing it, I don't know whether we'll get quantum computers, whether we'll get good ones ever and people are still not sure about that, but okay we may and there is a Diffie-Hellman variant that uses elliptic curve cryptography in a different way, so this is the general Diffie-Hellman and there's a standard version of Diffie-Hellman which is maybe one of the oldest public key algorithm so 40 years old, it's an elliptic curve Diffie-Hellman that we just thought, but in general there's a structure like an elliptic curve with integer multiplication in the way I defined it and a base element B a point and then okay this is A and B chosen randomly and A times B times B etc, so there's a more general algorithm, there is an elliptic curve variant that works post quantum computers, the structure here is the class of elliptic curves or a class of particular elliptic curve in fact for some irony it's a class of elliptic curves that are very unsuitable for normal elliptic curve cryptography but for some reason this class is very suitable for post quantum cryptography, integer multiplication is or multiplication is more than one curve into another curve and you can if you move from curve to another curve and then follow the same morphing and follow the same morphing you know if you get five times you multiply by five, I know I'm not explaining this really well, I'd almost say I mean yeah no I have to admit I do find this also confusing, I can follow the steps the algorithm which is again is on Wikipedia but that's that's about it but still this is morphing of curves into each other that's what you see in the base element is a fixed curve E, so what Alice and Bob do in this case is they morph E into two different curves which they kind of exchange and together they then combine this to get a new key which is their shared key curve is going to a number in some magical way and this this my number is shared the shared key okay that's almost done conclusion elliptic cryptography is hard and hard in inverted commas Chinese is hard if you don't if you never studied Chinese English is hard if you live in China never studied English but the cryptography like like a language requires years of studying and years of studying mathematics and it's easy to make mistakes and that's a weakness I think elliptic cryptography compared to say RSA algorithm it's just easier to make mistakes if people implement an algorithm understand them less well I understand them less well I find RSA easier less fun but it's easier we know how it's attacked I don't think the duality backdoor could have worked in some RSA like algorithm because it's easier to spot the reason why people still use elliptic cryptography despite this weakness and I can't emphasize enough this is a weakness this is not a strength you want your algorithms to be as well as possible you want you don't want an algorithm where three people in this room kind of understand what's going on you want to wonder everyone can just read it and follow it and check mistakes but okay yeah sometimes you need to compromise a bit elliptic curves there are enough people that understand it the keys you can use are a little shorter algorithms are faster that's just about worth it but don't go further than that and actually people are looking at ways to do post quantum elliptic curve cryptography in a way that I just explained super singular isogenese as they're called and and there was recently a paper by animal angley which is cryptographer from google and he actually pointed out that this very point this is a weakness that the fact that that this is a very hard algorithm it's a weakness it may have advantageous but actually maybe we can find an easier algorithm you slide the longer keys but maybe that's that's better um that's it I I hope it's somewhat understandable um that's my email address is my my twitter handle um yeah that there's probably some time for questions or or comments or anything I'm fine either way so