All right, sorry for the technical difficulties. For the actual useful part of the talk I'll turn things over to Tanja here. Well, I'm Tanja. That's Dan, just in case it wasn't clear. So this is about crypto and some elliptic curves. We hope this is a gentle enough introduction; if it's too boring, well, it's late in the evening, take a short nap and wake up every once in a while to check whether it's still comprehensible.

So why cryptography? When you use crypto on the internet or for electronic payments, then for instance you see an SSL certificate; that's where crypto is in there. If you have an e-passport or an e-identity card, that is using signatures. If you're using TLS to send secret data, then you actually want to have encryption. And so when you have an SSL exchange, then you use, say, RSA or Diffie-Hellman or ECDH, and the ECDH and the ECDSA is what this talk is about today. There's also a huge clump of crypto which is secret-key cryptography, which is really, really cool stuff. It's much, much faster than anything we're gonna tell you about today, but it requires that the two parties who want to talk to each other already know each other, that they have done some key exchange. We're gonna show you how to do the key exchange, and afterwards the symmetric crypto, that's what's gonna happen maybe next year. Okay, so within public-key crypto, why would you want to use ECC?
What has caused all sorts of people to be interested in ECC? The basic answer to that is an attack strategy called index calculus. Now, if you want to factor somebody's RSA keys, if you want to break somebody's original non-elliptic Diffie-Hellman, then you use index calculus. It's all sorts of fancy math and algorithms that come into it, and the bottom line is it keeps getting faster and faster, so we don't even know how fast it's gonna end up being. Here's some of the history of when these algorithms were developed. 1975 was one of the first index calculus algorithms, CFRAC, for factoring big numbers, and then there were all sorts of advances: 1977, '82, '90, '94. You've heard about the cryptopocalypse last year, and this is one of the newest advances in index calculus. That's not something that matters for breaking RSA, but it's just an example of how index calculus, this general strategy, is something that keeps getting more refined, more sophisticated and faster and faster. I mean, this is not the whole story; if you look at the academic literature there's also lots of improvements. I mean, we're happy if you can factor twice as fast, but these are the big steps.

When you look at the security of two typical sizes of RSA, so there's RSA 1024, which you still see a lot on the internet, and there's RSA 2048, which hopefully your bank is using, then there's two rows of numbers, sorry, two columns of numbers, where you can see how much the security has decreased. So back in 1975 the CFRAC algorithm would still take two to the hundred and twenty to do the same work that, well, many years later with the number field sieve, so in the 80s, would only take two to the 80. So there's a big decrease from two to the hundred twenty operations down to 80, and actually it's not just losing 40 in the exponent, it's much bigger than that. It's something which takes hundred seventy down to hundred and twelve. So it's not just a linear decrease.
It's more than a linear decrease in the exponent. So in '85, when basically the number field sieve, or, the quadratic sieve was already out and the number field sieve was in the works, Miller was proposing elliptic curves as a different, as an alternative to factorization-based methods. So factorization or Diffie-Hellman would be broken by all of these algorithms, and then Miller says, well, I've looked at this new primitive, at elliptic curves, and it is extremely unlikely that an index calculus attack on the elliptic curve method will ever be able to work. So we can completely ignore all of these improvements, all of these methods that made factorization and finite-field-based Diffie-Hellman so much weaker.

Okay, so to get into elliptic curve cryptography, the gentle way to get into it is clock cryptography. Now, this is a picture of the clock. Do you actually have a clock to show people, in case you're not used to what a clock used to look like? Some sort of circular thing; you know, if you think a clock is like showing some digits next to each other, this is what a clock used to look like. For math people, it's x squared plus y squared equals one. It's kind of broken, that's why we're late. The elliptic curves that we're going to show you later in the talk, those do not include the clock. Clock cryptography is not an example of elliptic curve cryptography, but it's really, really close. So we're going to start with clock cryptography, and then once you're comfortable with that, then we'll make one little change and then that'll be elliptic curve cryptography.

All right, so here's, to prove that I passed kindergarten, here's some points on the clock. So there is the 12 o'clock, that's up there, I learned. Now I also became a mathematician sometime afterwards, and mathematicians like to work with coordinates. So the 12 o'clock point has zero in the x direction and one in the y direction. I know the one because it's supposed to satisfy x squared plus y squared.
So zero squared plus y squared is one, so y is one. But there's many more points. So there's also the 6 p.m.; there, it's when you start having breakfast, lunch. There's a 3 o'clock point. There is the 9 p.m. point. There is, oh, what's that? I didn't learn that part in kindergarten. So it's half up; if I then look up where the one half goes over, that looks like the two o'clock point. Then this is kind of flipping the coordinates, so now x is one half, so we're somewhere over here, and then negative, so that would be five o'clock, and more points and more points and more points. Wasn't this supposed to be gentle? Is this gentle? Okay, okay. So hey, hey, there's some points, but I didn't see, oh, I'm sorry. So yeah, what I guess you wanted to tell you about: more points like this three fifths, four fifths. I mean, that one you really have to use some fancy math to see that one has three fifths squared plus four fifths squared is one. That is another point on the clock, and it's not obvious which o'clock it is; you have to really look at your watch to figure that out. He's bailing out of the tricky stuff. I'm sorry. Now you're bailing out of the tricky stuff. Bailing out of the tricky stuff, you mean? Okay, okay. You really want me to do the square root of one half, square root of one half? No, no, it's just I don't know where that point is, but I know it's on the clock.
Okay, you can figure out where the three fifths, four fifths point is in terms of time. You can make this a little more complicated by parameterizing the clock. So when people take points on the clock, they're thinking of time moving forward, like there's two o'clock, three o'clock, and you can add those and get five o'clock: two hours after three o'clock or three hours after two o'clock, and that's five o'clock. And here's a picture which is something like, maybe that's 1:30 plus two o'clock giving you 3:30, something like that. So those are some points P1, P2 and P3 on the clock, and you can add P1 and P2 to get P3.

And here comes the really horrendous math part, which fortunately we're going to throw away in a moment, which is trigonometry. So if you want to do the point on the clock which has an angle of alpha, a time of alpha starting from 12 o'clock, then that point is x equals sine of alpha, y equals cosine alpha. And then if you remember, there were these horrendous trig formulas for sine of the sum of two angles and cosine of the sum of two angles, and sine of alpha one plus alpha two is, okay, sine of alpha one cosine of alpha two plus cosine of alpha one sine of alpha two, and there was something else like that for the cosine. So you can add points on the clock using these sine and cosine formulas. Now, usually when we convince people to come over to the crypto side, we tell them, well, you can forget all of those non-discrete mathematics; we like discrete mathematics, we're the discrete guys. So there won't be any sines and cosines wandering around. So, well, let's get rid of them. So we don't want to have sine, cosine.
We actually would like to work with normal clock numbers. What I have over there with the sine one, cosine two and so on, well, those are just my x and y coordinates. All I said here was that the x coordinate is the sine of alpha, the y coordinate is the cosine of alpha. So then in this whole mess here with the trigonometry formulas I can just replace every sine of alpha by the corresponding x and every cosine of alpha by the corresponding y, which makes this much nicer, shorter. No trigonometry addition formula. So addition on the clock: if somebody gives you two points x1, y1, x2, y2, then all you're gonna do is you take the x coordinate of the first point and the y coordinate of the second point, multiply those; take the y coordinate of the first point, x coordinate of the second point, multiply those; and then add those together. That gives you the new x coordinate. Why? Well, we went through the pain once and now we can just forget about where it came from. And then we do the same thing with the y coordinate, which is a product of y coordinates minus a product of the x coordinates.

Okay, so here's some examples of clock addition. We still don't have the computer helping out here, so this is going to be some more painful arithmetic. Two o'clock plus five o'clock. We all remember, this is going to be on the test: two o'clock was this square root of three quarters, one half that you were talking about at the beginning, and five o'clock was one half and minus square root of three quarters. And if you plug those into the formulas there, all right, I'll try this: x1 is square root of three quarters and y1 is one half, and x2 is one half and y2 is minus square root of three quarters. If you do x1 times y2, that's the square root of three quarters times the minus square root of three quarters, which is minus three quarters, and then the y1 x2, sounds like one half times one half, which is one quarter. Add those together and it's something like minus one half. And you do a similar calculation, you get the second part of the result, and you realize that two
o'clock plus five o'clock with these formulas is what you wanted it to be, namely seven o'clock. And similarly you can do five o'clock plus nine o'clock, which I think I will skip. Maybe you would have liked to go through that one, but let's try another example. You can take three-fifths, four-fifths and add it to itself. That's what that two times three-fifths, four-fifths means: it's three-fifths, four-fifths plus three-fifths, four-fifths, and you can just, well, plug those into the formulas, and you don't have to know which o'clock it is. You just get some answer out of that: twenty-four twenty-fifths and seven twenty-fifths. And you can keep adding more and more copies of this point to itself: three times three-fifths, four-fifths, so that's the point plus itself plus itself again, and just plug it into the formulas and you get something with, well, more digits. And as you keep adding more and more copies you get more and more digits in the denominators there, the 625, and it keeps getting bigger.

You can also try adding any point you want, without even knowing what it is, to 12 o'clock. 12 o'clock was 0 comma 1. If you plug those into the formulas you get 12 o'clock plus 3 o'clock is 3 o'clock, 12 o'clock plus 5 o'clock is 5 o'clock, 12 o'clock plus anything is that thing back again. And that just pops right out of the general formula for adding two points. One last example of how you can work with this addition formula: if you take, say, 10 o'clock plus 2 o'clock, that should be 12 o'clock, and well, 10 plus 2 is 12. If you take anything that's sort of opposite like that, that was 10 and 2; if you take 9 and 3 or 11 and 1, anything where it's the same height, same y-coordinate, but the x's are negatives, those will add together to get 12 o'clock. And you can just try plugging x1, y1 and minus x1, y1 into the formula.
Let's try that. If you say x2 is minus x1 and y2 is y1, and you plug that into the formula, then you see the first coordinate of the answer here is x1 times y2, was y1, and then y1 times x2; let's see, x2, sorry, x2 is minus x1, so you get minus x1 y1 and x1 y1, which adds up to zero, which is what we wanted for 12 o'clock. And then with a little more work, the second part here, y1 y2, that's y1 times y1, and then minus x1 x2, that's minus x1 times minus x1 is plus x1 squared, so y1 squared plus x1 squared, which equals one. So the second part of the answer is one. So just a little bit of playing around with additions and multiplications, and you can use this formula to add all sorts of points.

Okay, now let's make this even more discrete. Let's forget about the circle, which has infinitely many points; you can just take any real number and, in quotes, let's do this with a very small set of elements. Let's do clocks over finite fields. So I'm now just restricting myself to the numbers zero, one, till six. So that's what this F7 is there, and I will also want to add those numbers, I want to multiply those numbers. Now if I multiply those numbers, say two times five, this is bigger, that's ten, that's bigger than the set that I have available there. If I'm only allowing six as the largest number, then ten is not in the set, so then I will reduce, I will take the remainder mod seven. So we promised some Python snippets. So here is how we can, for instance, find all those elements. So I'll just run through all x between zero and seven, all y between zero and seven, and just check whether x times x plus y times y is one. If so, I print the tuple x, y, and then push return and you get those points. And those points now, for the picture, we didn't use zero till six; you would like to keep the symmetry. So here we used minus three till plus three, so minus three is over here, plus three is over here, minus three in the y direction, plus three in the y direction.
So this is the point zero, one, the same point that we had on the clock before. This is the one, zero, and this here then is the clock point as I see the finite-field clock to do. Okay.

If you want to use clock addition with the same clock addition function that you might have written, which we'll show you in a moment, to add points on the clock over the reals, then it's helpful if you can write plus and minus and times which automatically do this reduction mod seven. And well, in Python you can set up a plus and minus and times for an F7 type, an F7 class, which are separate from the usual plus, minus and times for integers. If you want to set this up, the first thing to do is, well, here's an F7 class which will read an integer x and initialize, construct an F7 element, which is that integer mod 7, stored in the .int component of this new instance. For instance, if you take F7 of 7 it'll compute 7 mod 7, and the remainder there is, what, quotient is one, remainder is zero, and put zero into self.int. And then this str and repr are maybe not the most professional ways of printing things; you might want to print out the fact that this is all mod 7. We're just printing the integer that you get: if you take 7 and initialize one of these things, 7 mod 7 gives you 0, and 10 mod 7, that was the example Tanja had a moment ago, that gives you a remainder of 3, and 20 mod 7, subtract a 7, subtract a 7 again, you get a 6. So you can put anything you want into this F7, any integer you want, you get that integer mod 7. And now we can add in some more functions to F7 instances. For instance, you can have an equality test. Python's default equality is pretty stupid, so you tell it: what I actually want equality to do is compare these .int parts of the F7 values. And then, okay, now this F7 type has been augmented with an equality, and you can see that F7 of 10 and F7 of 3 are equal to each other, F7 of 0 and F7 of 2 are not equal to each other. So you've got 0 through 6 expressing the
possibilities for the values of a variable with this type. And then here goes the addition, subtraction and multiplication. What you can see, let's look at the addition, that's the typical case: you take two, a and b, coming in, and then take the integer inside a, a 0 through 6 integer, the integer inside b, 0 through 6, add them together, get 0 through 12, and then put that back into the F7 constructor, and so now you've got 0 through 6 again. And there's some examples at the bottom of, well, 2 plus 5 is 0, 2 minus 5 is minus 3, which is 4. If you're programming in C, by the way, beware: the percent doesn't do the mod that we want mathematically. Python's percent does the right thing; in C it'll give you negative numbers. Percent in Python always gives you 0 through 6, or 0 through whatever number you took. And 2 times 5, that was that example again of 10, which mod 7 gives you 3.

Okay, so now we have seen a small clock where I could just draw all the elements, where I could just run through, well, 49 elements and try them. Now everything that Dan just showed with the Python setup, I can replace 7 by a larger number, say a million and three. That's also a prime. And now I would like to define an addition of curve points. So this is just what we did on the real clock before; now I'm gonna plug in elements modulo a million and three. So I take my points and I do the x1 y2, y1 x2 and so on, and I return the point. So let's take an example of this. So one of those many points: I plug in the x coordinate as a thousand, remember, it's a thousand modulo a million and three, and then I check, is there a y coordinate which fits with this? And now in this case, is it nice enough to work? Well, yeah, kind of: if I have a thousand, that gives me a million when I square it, and two gives me four, and that's just one larger than a million and three. So yep, that's a valid point. So I can now take this point and add it to itself. Just plug in P and P into the addition; that gives 4000, 7. I can add it to itself again.
I can add it again, again, again, till I get, say, six times the point. So six times a point means take the point plus the point plus the point; in the end I have six copies, add them together and I get this point. Now of course when you see this you go, wait a second, do I really need to do all these five additions? No. If I for instance had stopped at P3, that's three times the point, and then do the addition P3 plus P3, so that's three copies plus another three copies, that's also six copies. So these two things give me the same. So if I want to do this more professionally, here is how I would define the scalar multiplication.

Okay, so this is a recursive function for computing n times P. You have any clock point P and any scalar, any integer n that you want, any non-negative integer n; we're only going to work with non-negative integers here. And you take that n: if it's zero, then you return the 12 o'clock point; if it's one, you return the point P, one times P is P. And then, well, if n is even, then that n slash slash two; Python slightly changed its notation over the years, slash slash is the right way to take an integer, divide it by two, throw away the remainder. So that n slash slash two, if n is even, that's exactly n over two, and this recursively computes n over two times P, like three times P for instance if n equals six, and then does clock add of Q comma Q to double that n over two times P, getting nP. If n is odd, then that n over two is, well, n slash slash two means take away the remainder of one, you get n minus one divided by two, and then take that times P, double that, that gives you n minus one times P, add P to that; that is, if n mod two is non-zero, then you add P to Q. And finally you get n times P in all the different cases. And then we tried this for some six-digit number n which isn't shown here on the slide. It's secret.
It's secret, and it took something like 30 clock additions, not very many multiplications, to compute n times P. It was very fast, instantly comes out, and there's the answer: there's the x and y coordinates of n times P for whichever secret n it was. And now it's not so obvious how to figure out what the n is if you see this n times P. Then working backwards to the n: you know what P is, you know what n times P is, you know n is not too big, okay, it's only a million possibilities. This is not some really fancy computation, but it'll still take a moment to do. It's something where the computer will have to chug along through some computations. Well, maybe you can try to make that faster, but then we could try to make the numbers bigger. Instead of a million and three we could still do n times P when n is much bigger and the million and three is a much bigger prime. So there's a little challenge if you'd like to try figuring out what this n is. This is harder than sending an SMS to that phone number that doesn't work.

All right, now let's assume that we make this much, much harder. So we make it so hard that, if you like, you want to use it for crypto. So if somebody would like to standardize clock cryptography, then here's what you do: you start by standardizing a big prime p, so like big, not a million, like really big, like several thousand bits. And you also standardize a base point, so that means this P on the previous slide, the P where we say, well, we give you P, we give you n times P, we just don't give you n. So let's assume that somebody gives you a little p, which is the prime, and this base point big P, x and y coordinates which are on the clock. Then what Alice and Bob are doing if they want to communicate, so I would like to send something over to the Bob here, I'm Bob, then Alice picks, what I pick, my secret a, compute a times this base point. Now that's the computation you just saw on the previous slide.
It's still visible there. So that's just like logarithmic time in the size of a. And then I send this over to Dan. And now I guess I have to compute, I take my own big secret b, which I'm not going to tell anybody, and I do my computation of b times that same standard x comma y, and I send back my b times x comma y over to Alice. All right, so now I have his b times the base point, he has my a times the base point. Now I still remember what my a was; I take this a and the new point that he just sent me and plug this point into the scalar multiplication. So I'm doing the same steps, the same, well, add the point to itself and sometimes add the point to the point he sent me. So the same steps here, except for now this P is the point that he sent me, it's no longer the base point, and this way I compute a times b times P. Okay, now I get her a times x comma y, and I take my secret b and multiply by the a times x comma y, and I get my b times a times the point x comma y. And now we've got the same result. Now we've got, she's computed a b times x y, I've computed b a times x y, which is the same thing; they're both a times b multiples of x y, a times b copies of x y added together. And now we use this shared secret to encrypt data. All right, we also have a picture of this, just in case we don't make a good Alice and Bob. So here you see how the messages are flying. Now if you're the eavesdropper, you want to figure out what we've been doing. You can't see what I'm doing here.
You can't see what Dan is doing here. All you can see is what's sent here, and you know what the little p is and what the base point is. At least we wish so. Well, so there's some caveats. Warning one: don't use just any prime p, many choices of p are unsafe. Warning two: this is still the clock, and we said at the beginning clocks are not elliptic curves, and only elliptic curves are good. So actually the clocks are pretty much the same as doing, say, RSA or finite field when it comes to security. So if you want to match something which is RSA 3072 bits, then your clock needs to have, the prime of the clock needs to have 1536, so half as many bits as the RSA number. That's not actually what you wanted. And then, okay, third warning is timing attacks. A lot of you were at the talk earlier about Bleichenbacher attacks against SSL, where a lot of the information coming out of a server under attack or a client under attack is from timing. The attacker doesn't just look at the eavesdropping of a times x y and b times x y, the public keys. The attacker sees how long it took you to do computations. A lot of times the attacker can even see how long it took you for each individual operation that you were doing, because there's electromagnetic emissions or radio emissions or cache effects on virtual machines that affect other virtual machines running under the same hypervisor on the same physical hardware. And then you get to, as an attacker, see all sorts of fine-grained information about the time that Alice and Bob are taking. You don't exactly see this computation, but you see the physical effects of this computation. Just imagine Eve's ear is right here; she can hear, she can sense what the computations are doing. You can actually hear the audio buzz from your CPU if you put a good enough microphone next to it, and that depends on the computations.
It's doing, there's some real examples of timing attacks here. Two of the three examples that we selected are ECC examples; one of them is the Lucky 13 attack, which was not against ECC, another different kind of timing attack, just to give you the idea that timing attacks are really important. This is a big part of what's going wrong with real deployed crypto, beyond its unusability and other little problems. The fix for this particular problem of somebody seeing the timing is to always do computations in constant time. So no matter what your scalar is, you're not allowed to spend a different amount of time depending on that scalar. And if you just always follow this rule, that every secret you have, no secret timing of anything, then the attacker doesn't learn anything; all your timing is public. Of course, it's a bit of a hassle to do computations that way. You can always do it, but it slows things down quite a bit. All right. I mean, that's easier said than done, but let's go back to warning number two. Let's assume that a constant-time implementation takes care of warning number three. Let's go back to warning number two: clocks are not elliptic. And let's turn this circle, this clock, into an elliptic curve.

All right, so we take the circle and push inwards. Now mathematically what we're doing is we introduce one extra term: instead of having x squared plus y squared equals one, we say x squared plus y squared equals one minus 30 times x y squared. So this extra term here is the difference between a circle and an Edwards curve, or an elliptic curve. So this particular curve is called an Edwards curve, but it's an example of elliptic curves. Now if I want to add points now, then let's remember what it looked like on the circle. So on the circle I had the neutral element at the top; I keep that, so that was the adding anything to 12 o'clock doesn't change the value. That's still the same here. Now here was just adding P1, P2, getting P3 by these formulas. Now these won't generally work on the elliptic curve, on
the elliptic curve, because there is this minus 30 x square y square. We also need to introduce a little tweak down here, so there's now a denominator. If you take d equals zero, then, well, the formula changes to the circle, and also the addition formulas just change to the circle, because all this 30 here is zero, so it's just divided by one. So the circle comes out as a special case for this elliptic curve. But now we take a minus 30 and have a nice elliptic curve, and the addition formulas are not much worse, just a little extra term there.

Okay, you can take, if you want, any prime number p, 7, a million and three, something much bigger. You can take any non-square d, that's like that minus 30, any d that's not a square of anything modulo p; that's something you can check quickly. And then write down the curve x squared plus y squared equals 1 plus d x squared y squared. This is an elliptic curve, and it's just that extra little d. That's all the extra complication. If you felt like, okay, you understand clock cryptography, then the extra little complication is all you need for elliptic curve cryptography. There's the addition formula just translated from the math formulas a couple slides ago into Python. Looks very much the same as before, except the x3 and y3 have that d coming in as denominators. Now you might complain about this, saying wait a minute, when you divide, are you necessarily able to divide? What happens if you divide by zero? Maybe these formulas don't always work. And that's an important point. It's something which you have to watch out for: if you're dividing by something, then you're not allowed to divide by zero. But it turns out that the denominators there, the one plus d x1 x2 y1 y2 and the one minus d x1 x2 y1 y2, those are never equal to zero. These formulas are complete. They always work, which is what you expect.
I mean, you think formulas should always work. It's kind of annoying if there's exceptional cases, but well, in elliptic curve cryptography there's actually lots and lots of exceptional cases that people often worry about, and one of the reasons that we like this kind of elliptic curve is that there's no exceptional cases. The addition law is what we call complete. If you look at how the math part of the proof works, then it's important here that that d was not a square. But again, that's something you can easily check, and once you've settled on a d that's not a square, that everybody can use, then you will never have exceptions in the formulas. If you have your d being a square, then you can write down the same formulas and most of the time they work, but you have exceptional cases, and we're going to see lots and lots more about exceptional cases. And what's annoying about those is not just, well, it's hard to program; but if you make any mistakes, it's going to be hard to find those mistakes and test for those mistakes, and if an attacker thinks about it more and can give you some points that exploit those mistakes, this often breaks real ECC. So it's better to take a curve where the d is not a square, and then you don't have to worry about this at all. Okay, quick aside: over a finite field every second d is not a square, so this is not a big restriction, it's just removing half of the possibilities.

Divisions are also really slow. So when you implement those, you saw before in the Python script we didn't even include divisions; we do have them online, but it's like, well, it takes a while, it's unpleasant. It takes even longer if you're worried about constant-time implementations. So let's get rid of divisions. It's like: Doctor, my knee hurts, and you say, well, don't use it then. But the method here: we actually can avoid using divisions if you remember how you worked with fractions, a over b plus c over d. Then you keep them as fractions.
You just multiply the denominators and you cross-multiply the numerators and you can add. So we're going to do the same with our points. So we're going to introduce an extra coordinate, the z coordinate, which is just the denominator. So instead of storing x, y as a point, we now store x, y and z, where the x and y means the old x and y are x divided by z and y divided by z. Or you can be a little bit more adventurous and actually get somewhat better speed and also introduce an extra coordinate called t, which is x y divided by z. And if you're interested in how to do this efficiently and actually get computer-verified formulas, please visit the Explicit-Formulas Database on the link there to see how we actually do the additions then. Okay.

Let's now go back to how crypto looked, but let's replace the clock with an elliptic curve. Just makes that extra little complication in the formulas. There's also an extra choice to make, so it's not just a standardized prime p for everybody to use, but you also have to standardize this d, which is not a square, for everybody to use. This has to be a safe choice. Remember that warning number one, that there's lots of unsafe choices. There's all sorts of standard criteria that you have to check to make sure that these are safe choices of curves. We'll say a bit more about standards at the end of the talk. Then Alice, as before, has her secret key and multiplies that secret key by x comma y, and, oh, I'm skipping ahead of what this slide says. The slide says that Alice has also Bob's public key, b times x y, and this all sounds just like it was on the clock. Alice now takes the b times x y and then multiplies her a by that, gets a times b times x y, and then remembers that a times b times x y as a secret to use to encrypt and authenticate data. And more concretely, now that we've got elliptic curves, we don't have to worry about an index calculus breaking everything. We don't need to have thousands of bits. Here's some actual real sizes for elliptic curve
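The Edwards-curve arithmetic described above, as an added example in Python (not the speakers' own code): the curve x^2 + y^2 = 1 + d x^2 y^2 over F_p, the non-square check on d, the affine addition law whose d = 0 case is the clock, and the division-free projective (X : Y : Z) addition that keeps the denominator in z and cross-multiplies like fractions. p = 1000003 and the clock point (1000, 2) are from the talk; d = -1 (a non-square because p is 3 mod 4), the square-root routine and the x-coordinates searched for points are constructed for this example.

```python
p = 1000003  # the talk's prime; p % 4 == 3, which makes square roots easy below


def inv(a):
    """Field inverse by Fermat's little theorem: a^(p-2) mod p, for a != 0 mod p."""
    return pow(a % p, p - 2, p)


def is_square(a):
    """Euler's criterion: a nonzero a is a square mod p iff a^((p-1)/2) == 1."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod(a):
    """Square root of a square a when p = 3 (mod 4): a^((p+1)/4). Returns the smaller root."""
    r = pow(a % p, (p + 1) // 4, p)
    return min(r, p - r)


def curve_params_ok(d):
    """The talk's condition for a complete addition law: d must not be a square mod p
    (d = 0, the clock, is excluded too; it is not an elliptic curve)."""
    return d % p != 0 and not is_square(d)


def on_curve(P, d):
    x, y = P
    return (x * x + y * y - 1 - d * x * x * y * y) % p == 0


def find_point(x, d):
    """Solve y^2 = (1 - x^2) / (1 - d x^2) for y, as the talk does for x = 1000 on
    the clock. Returns None when no y exists for this x."""
    den = (1 - d * x * x) % p
    if den == 0:                      # cannot happen for non-square d
        return None
    rhs = (1 - x * x) * inv(den) % p
    if rhs == 0:
        return (x % p, 0)
    if not is_square(rhs):
        return None
    return (x % p, sqrt_mod(rhs))


def edwards_add(P1, P2, d):
    """Affine addition: the clock formulas with denominators 1 +/- d x1 x2 y1 y2.
    With d = 0 this is exactly clock addition."""
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + y1 * x2) * inv(1 + t) % p
    y3 = (y1 * y2 - x1 * x2) * inv(1 - t) % p
    return (x3, y3)


def to_projective(P):
    return (P[0], P[1], 1)


def to_affine(P):
    """(X : Y : Z) stands for (X/Z, Y/Z); the single division happens here, at the end."""
    X, Y, Z = P
    zi = inv(Z)
    return (X * zi % p, Y * zi % p)


def projective_add(P1, P2, d):
    """Division-free addition: with xi = Xi/Zi the two affine denominators become
    (Z1 Z2)^2 +/- d X1 X2 Y1 Y2, and their product is carried along as the new Z."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    A = Z1 * Z2 % p
    B = A * A % p
    C = X1 * X2 % p
    D = Y1 * Y2 % p
    E = d * C * D % p
    F = (B - E) % p                     # scaled denominator of y3
    G = (B + E) % p                     # scaled denominator of x3
    X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - D) % p   # (X1+Y1)(X2+Y2)-C-D = X1 Y2 + Y1 X2
    Y3 = A * G * (D - C) % p
    Z3 = F * G % p                      # nonzero for non-square d (completeness)
    return (X3, Y3, Z3)


def projective_matches_affine(P, d, k):
    """Add P to itself k times both ways; True when the division-free path agrees."""
    aff, proj = P, to_projective(P)
    for _ in range(k):
        aff = edwards_add(aff, P, d)
        proj = projective_add(proj, to_projective(P), d)
    return to_affine(proj) == aff


if __name__ == "__main__":
    d = -1                                       # constructed non-square d for this example
    print("d ok:", curve_params_ok(d), " clock d=0 ok:", curve_params_ok(0))
    P = find_point(3, d)                         # constructed x = 3; a y exists for it
    print("point:", P, "on curve:", on_curve(P, d))
    print("P + P affine:", edwards_add(P, P, d))
    print("projective agrees over 10 additions:", projective_matches_affine(P, d, 10))
    print("clock as d = 0:", find_point(1000, 0), edwards_add((1000, 2), (1000, 2), 0))
```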
cryptography including all the Secret key encryption and authentication the public key you can have a prime which is just 256 bits long and We'll say later that you can squish x and y into together just 256 bits And then that reduces Alice's public key a times x comma y Down to just 32 bytes that Alice is going to send along to Bob And then there's a little bit of extra stuff for a knots a random number So you don't end up encrypting the same message the same way every time you send it someone would be able to see that encryption repeating There's also an authenticator so that Bob can verify that the packet is correct and then Bob receives his packet Says oh, yeah, it's a packet from Alice There's Alice's public key if Bob didn't know the shared secret already Bob takes Bob's secret multiplies by the public key gets the same b times a times x comma y and then does secret key Cryptography verifies the packet coming in verifies the authenticator using the nonce and Alice's public key And at that point has verified that yes This is from Alice of course if Bob's never heard of Alice's public key before then doesn't know who that Alice is But he gets continuity between the different uses and then when you add in certificates or other public key infrastructure You actually know who you're talking to Everything happening here all of the public key and secret key stuff is so fast that we can afford to do this for every Single packet going through the internet Well at this moment we haven't actually told you yet what to use so here's a save example You shut up so this is a safe example, which then shouldn't advertise because it's his own But I can say it's a good example So if you take as your prime a big prime it has 255 bits. 
It's a very nice prime So computations mod to this prime are fast because it's it's very close to a power of two So when you do this mod this this percent operation there Reducing what this number is very fast and then D looks reasonably small and here you have an address curve Also, here's another address curve taking the same D But just putting a minus there and putting also a minus in front of the x squared is Another curve actually it's pretty much the same curve So for every x y that you had before on the first curve You now have a squared of minus one x y same y slightly different x So you just taking a little tweak. It's the first curve in disguise And actually we have lots of ways of writing elliptic curves So here's a whole list of different ways of writing curves So the first thing that we showed you so far the clock where you're squishing in the corners is an address curve if I now would like to have an extra term here like this minus one here I generally serve an a coefficient here, then I can put in Minus one for instance that is called a twisted address curve But then there's also some other things which you still find in the normal textbooks which are called wire stress curves They look like that and then there is Montgomery curves, which you can think of as a special case of Wire trust curves. They have a similar y square equals x cubed shape But there's some different slightly different terms here And when you have one of the curves you can go from one to the other and back for instance to go from a Montgomery curve to an address curve. There are the formulas Okay, what you'll typically find in standards for ECC for historical reasons Okay, stand back. That's gonna be horrible is wire stress curves. Now. Here's the addition law Here's how you add two points on a wire stress curve Oh, that isn't too bad. Alright, there's only six different cases. Let's go through them. 
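As an added worked example (not code from the talk or from the speakers' software), here is the safe example above in Python: the Edwards curve x^2 + y^2 = 1 + d x^2 y^2 over the field of 2^255 - 19 elements with d = 121665/121666, the textbook addition law, the same law in projective (X:Y:Z) coordinates so that the denominators are carried in Z instead of being inverted, the (sqrt(-1) x, y) tweak onto the second curve, the 32-byte compression of a point to y plus one bit of x, and the Diffie-Hellman exchange where Alice and Bob both arrive at a times b times the base point. The base point is found by a deterministic search and is an assumption of this example, not a standardized generator, and the scalars in the demo are arbitrary.

```python
# Added example: Edwards-curve arithmetic and Diffie-Hellman on the curve
# x^2 + y^2 = 1 + D x^2 y^2 over GF(P), P = 2^255 - 19, D = 121665/121666.
P = 2**255 - 19
D = 121665 * pow(121666, -1, P) % P   # non-square mod P: the addition law is complete
I = pow(2, (P - 1) // 4, P)           # sqrt(-1) mod P (P = 5 mod 8, so 2 is a non-square)


def on_curve(x, y, a=1, d=D):
    """a x^2 + y^2 = 1 + d x^2 y^2; a=-1, d=-D is the curve 'in disguise' from the slide."""
    return (a * x * x + y * y - 1 - d * x * x * y * y) % P == 0


def sqrt_mod_p(v):
    """Square root mod P for P = 5 mod 8, or None if v is a non-square."""
    v %= P
    x = pow(v, (P + 3) // 8, P)
    if (x * x - v) % P == 0:
        return x
    if (x * x + v) % P == 0:
        return x * I % P
    return None


def add_affine(p1, p2):
    """Textbook Edwards addition. No exceptional cases, because D is a non-square."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P,
            (y1 * y2 - x1 * x2) * pow(1 - t, -1, P) % P)


def add_proj(p1, p2):
    """Same law on (X:Y:Z) with x = X/Z, y = Y/Z: the denominators live in Z,
    so no field inversion is needed inside the scalar-multiplication loop."""
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    A = Z1 * Z2 % P
    B = A * A % P
    C = X1 * X2 % P
    Dd = Y1 * Y2 % P
    E = D * C * Dd % P
    F, G = (B - E) % P, (B + E) % P
    X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - Dd) % P
    Y3 = A * G * (Dd - C) % P
    return X3, Y3, F * G % P


def to_affine(p):
    X, Y, Z = p
    zinv = pow(Z, -1, P)
    return X * zinv % P, Y * zinv % P


def scalar_mult(k, p):
    """k * p by double-and-add; (0, 1) = (0:1:1) is the neutral element."""
    r, q = (0, 1, 1), (p[0], p[1], 1)
    for bit in bin(k)[2:]:
        r = add_proj(r, r)
        if bit == "1":
            r = add_proj(r, q)
    return to_affine(r)


def find_point(y=2):
    """Deterministic search for a curve point: x^2 = (1 - y^2) / (1 - D y^2).
    Assumption of this example; a real protocol uses a standardized base point."""
    while True:
        x = sqrt_mod_p((1 - y * y) * pow(1 - D * y * y, -1, P))
        if x is not None:
            return x, y
        y += 1


def encode(p):
    """The 32-byte form from the slide: 255 bits of y, plus the low bit of x on top."""
    x, y = p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decode(b):
    """Recover x from y; None if the 32 bytes do not describe a curve point."""
    n = int.from_bytes(b, "little")
    y, sign = n & ((1 << 255) - 1), n >> 255
    x = sqrt_mod_p((1 - y * y) * pow(1 - D * y * y, -1, P))
    if x is None:
        return None
    return ((P - x) % P if x & 1 != sign else x, y)


BASE = find_point()


def ecdh(a, b):
    """Alice keeps a and publishes a*BASE; Bob keeps b and publishes b*BASE.
    Each multiplies the other's decoded 32-byte key by their own secret."""
    pub_a, pub_b = encode(scalar_mult(a, BASE)), encode(scalar_mult(b, BASE))
    return scalar_mult(a, decode(pub_b)), scalar_mult(b, decode(pub_a))


if __name__ == "__main__":
    s_alice, s_bob = ecdh(0x1234567890abcdef1234567890abcdef, 0xfedcba0987654321fedcba0987654321)
    print("shared secrets agree:", s_alice == s_bob, "on curve:", on_curve(*s_alice))
```

The projective formulas are the ones the Explicit-Formulas Database lists for this curve shape; the only place an inversion happens is `to_affine`, once per scalar multiplication, which is the point of carrying Z.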
No, no, let's not go through them. This is: if you just take one piece of this, then it might seem like it works most of the time. The first formulas work most of the time, until you do something crazy like P plus P, and then it doesn't work. And then you have more and more exceptional cases, and some of these cases you don't even realize at first, and then you try writing code for this, and it just goes on and on, and then you try testing it and you're not sure you've gotten all the tests right. But okay, that's what you find in ECC standards.

All right, much nicer than Weierstrass: Montgomery curves, another of our favorite curves. So here you see the entire arithmetic, except that I didn't show you how I do the constant-time conditional swap here. So there's a conditional bit here which swaps the x2 with the x3. We can do this in constant time; it just replaces the instruction by something which says, well, it stays or it swaps. That's a whole addition on Montgomery. So for every bit you do these few steps, and you run through the 255 bits that are stated there. So that's another nice case of arithmetic. Note though that here we only use an x-coordinate. For the Edwards curve we had x and y, so there are some differences in what we're doing with them.

All right, so then, as announced, we're gonna talk about standards. So where do you get your standards from? How do you defend yourself against somebody who comes with a mathematician? Mathematicians are scary people that know all kinds of attacks, and if you want to see these attacks we have some URLs at the end. But we know those attacks, and all of those standards, a long list of them, basically agree on certain properties that you want your curve to have. What these standards guarantee you, if you pick one of those standards, is that the curve will be secure against the following attack: somebody sees the result of your computation, knows the base point, knows your public key, and is not able to figure out what your a or b was. So this is called the elliptic-curve discrete logarithm problem, and we have, well, papers over papers to study the hardness of this. So that's what we as mathematicians do: study how hard it is on a certain curve to break the elliptic-curve discrete log problem. One thing, for instance, you want is that when you add your point to itself many, many times, for a long, long time you get different points, until you get back to the same point, say after l times you're back. That is the order of the point; that should be a large number, and by large I mean like two to the 250 or something really large. And yeah, that's in all the standards. So that's one of the criteria. There are many more.

Okay, so let's see: you're an implementer. You take any of these standards, and again they all pretty much say the same thing, minor differences in details, but they all protect you, and you implement the standard. And you say, okay, we're in Germany, let's take the Brainpool curves, because that's what's used in the German passports. All right, so we take brainpoolP256t1. It tells you some big prime number, 256 bits long. It tells you a Weierstrass curve, y squared equals x cubed minus 3x plus something big, and then it tells you the base point (x, y) to use. And then you look at this and realize that all the nice formulas we were telling you about with no exceptional cases, like Edwards and Montgomery, those formulas don't work for this curve. If you have a curve compatible with the formulas, you standardize that curve; then every point you can add successfully and you just forget about all the exceptions. But you need a curve that works with those formulas, and unfortunately this curve doesn't work with Edwards and doesn't work with Montgomery. So you have to go back to that messy Weierstrass series of formulas. So okay, you're very careful. You do exactly what the formulas say, you figure out test cases for everything, you have correctly implemented the Weierstrass addition, all six cases, and you do everything constant time, so you're not going to leak any information to an attacker. And then you have something which is painfully slow, but you're confident about the security. Until the attacker comes along.

"Hey, let's communicate. Here's my point." Okay, I'll take my... I guess I'm Alice. Hi. I'm sorry, so now I'm Alice. I've got an a. I take my a times the point that she sent me, which is her public key; that's not the original (x, y), it's some different (x', y') that she sent, and I send back my a times that (x', y'). Then I've done this computation correctly, and I've now used the encryption and authentication mechanisms that somebody's told me to use, standard mechanisms, and I've encrypted some data and sent that through the network. I'm on the network. I see his AES-GCM encrypted message. Now what he doesn't know is that, no matter what his a is, there are not actually that many different points. I didn't give him a point on the Brainpool curve; I gave him a point on a much nicer curve. Look, it only has a 5 here. The Brainpool curve has something much, much bigger here. This is a friendly curve. Also, this point only has 4999 different copies, which means he's not actually computing what he thinks he's computing. Oops. Now the reason that this works is that in this whole mess of the Weierstrass curve formulas there's no a6. So no matter whether it's the a6 which is the huge number for the painful curve, or the 5 for the nice curve I gave him, it doesn't matter. He'll just use those formulas, and then the a gives me one of those 4999 different points, from which I learn a modulo 4999. Let's do this again. Oh, she's gonna send me another point. "Hi, Dan." He has another point. So I take that new (x', y'), I compute my a times that, I send back the something encrypted using that shared secret, and now she does the same kind of computation. She has secretly sent me a point that has small order, and I never noticed that it had small order. So now she's figured out my secret modulo some other number, and again and again and again. This happens 20 times, maybe, and then she uses the Chinese remainder theorem to figure out my whole secret a. Even getting a few of these leaks is enough information that it does a lot of damage to the security of the system, and well, if this happens 20 times, then I... well, I'm screwed.

So what do people normally say in response to this? They say: oh, didn't you notice the footnote in the standard that said when you have a point coming in you have to check whether it's on the curve, because somebody might have been trying this evil attack? So this is blaming the implementer, which is how we get secure systems: by blaming the implementer. That's good. If something's gone wrong with the system, then it's the implementer's fault for not checking. Don't even get me started on strcpy. You should have checked the length of your string. You were caught.
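As an added worked example (not the speakers' code, and scaled down to a toy 14-bit prime so it runs in seconds), here is the attack just described in Python. Alice's Weierstrass addition formulas never touch the curve's constant term b (the a6), so the attacker hands her points of small prime order on curves y^2 = x^3 - 3x + b' with b' of the attacker's choosing, reads a mod q from each reply, and combines the residues with the Chinese remainder theorem. The prime 10007, the honest curve's b = 1234 and Alice's secret 7351 are constructed for the demonstration; `victim_checked` is the on-curve check the footnote asks for. With full-size parameters only the point counting (brute force here) would have to be replaced; the rest of the attack is unchanged.

```python
# Added example: the invalid-curve attack on Weierstrass Diffie-Hellman, on a
# toy field. Prime, curve coefficients and the secret are constructed values.
import math

P = 10007       # toy prime; a real curve has ~256 bits, which only changes the numbers
A = P - 3       # y^2 = x^3 - 3x + B, the shape of brainpoolP256t1
B = 1234        # the honest curve; with A = -3 it is singular only for B = +-2
SECRET = 7351   # Alice's Diffie-Hellman secret a (constructed)

def ec_add(p1, p2):
    """Weierstrass addition on y^2 = x^3 + A x + b; None is the point at infinity.
    Note what is missing: b (the a6 from the slide) never appears."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                 # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)    # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, p):
    r = None
    for bit in bin(k)[2:]:
        r = ec_add(r, r)
        if bit == "1":
            r = ec_add(r, p)
    return r

def on_curve(p, b):
    x, y = p
    return (y * y - x * x * x - A * x - b) % P == 0

def victim_unchecked(peer_point):
    """Alice as in the talk: multiplies whatever point arrives by her secret."""
    return scalar_mult(SECRET, peer_point)

def victim_checked(peer_point):
    """The 'footnote in the standard': reject anything not on the honest curve."""
    if peer_point is None or not on_curve(peer_point, B):
        raise ValueError("peer point is not on the curve")
    return scalar_mult(SECRET, peer_point)

def curve_order(b):
    """Point count of y^2 = x^3 + A x + b via Legendre symbols (fine for a toy P)."""
    n = 1
    for x in range(P):
        rhs = (x * x * x + A * x + b) % P
        if rhs == 0:
            n += 1
        elif pow(rhs, (P - 1) // 2, P) == 1:
            n += 2
    return n

def point_of_order(q, b, n):
    """A point of prime order q on the curve with coefficient b and n points."""
    for x in range(P):
        rhs = (x * x * x + A * x + b) % P
        if pow(rhs, (P - 1) // 2, P) != 1:
            continue
        pt = scalar_mult(n // q, (x, pow(rhs, (P + 1) // 4, P)))   # P = 3 mod 4
        if pt is not None:
            return pt

def invalid_curve_points(bound):
    """Attacker's preparation: small-order points on curves y^2 = x^3 + A x + b'
    with b' != B, until the product of the orders exceeds bound."""
    found, product = [], 1
    for b in range(1, P):
        if product > bound:
            break
        if b == B or (4 * A ** 3 + 27 * b * b) % P == 0:
            continue
        n = curve_order(b)
        for q in (2, 3, 5, 7, 11, 13, 17, 19):
            if n % q == 0 and all(q != seen for _, seen in found):
                pt = point_of_order(q, b, n)
                if pt is not None:
                    found.append((pt, q))
                    product *= q
    return found

def crt(residues):
    x, m = 0, 1
    for r, q in residues:
        x += m * ((r - x) * pow(m, -1, q) % q)
        m *= q
    return x

def recover_secret(oracle, points):
    """Each reply a*Q with Q of order q reveals a mod q; CRT glues the residues."""
    residues = []
    for q_point, q in points:
        reply = oracle(q_point)
        k = next(k for k in range(q) if scalar_mult(k, q_point) == reply)
        residues.append((k, q))
    return crt(residues)

HASSE_BOUND = P + 3 + 2 * math.isqrt(P)   # every valid secret is below the group order

if __name__ == "__main__":
    pts = invalid_curve_points(HASSE_BOUND)
    print("orders used:", [q for _, q in pts])
    print("recovered secret:", recover_secret(victim_unchecked, pts) == SECRET)
```

Every point the attacker sends fails `on_curve(pt, B)`, so `victim_checked` stops the attack at the first exchange; `victim_unchecked` gives the whole secret away after a handful of them.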
Oh, I'm sorry, wrong talk. You should have checked that this point was on the curve. You should have checked it had the right order, another kind of attack like this. You should have, by the way, paid patent fees to Certicom. Okay, okay, let's not... just saying, I mean, if you do this you might get a phone call saying "we have a patent on point validation".

Yeah, so instead of blaming the implementer for not jumping through these hoops, why don't we get rid of the hoops? Why don't we design the crypto, why don't we design the curves, so that it's not actually possible for somebody to screw this up? We know how implementers think. We are implementers. We know what we do wrong, and it's not that creative; I mean, we keep making the same mistakes again and again and again. So let's actually protect against those mistakes and design a system that's robust against those. Which for ECC says: you take your (x, y) coming through the network. Don't allow an (x, y) to go through the network; just have an x, and then y, well, y squared equals something. You could, if you want to communicate y, send one bit that says whether it's plus or minus the square root of whatever y is the square root of. Or don't bother sending y at all; remember, those Montgomery formulas don't even need to look at the y. So if you just send along an x, then there are very few possibilities for the attacker to choose points to try to fool you the way that we were fooled a moment ago. There are a couple more of these rules, which the curve selector and the protocol designer can put in, which mean that you as an implementer have a much easier time. Like, the protocol designer can tell you to always multiply the scalars, the a and b, the secrets that you're using for Diffie-Hellman, always multiply those by what's called the cofactor of the curve. There's this base point that has order l, has l different multiples. There are going to be, say, four times l or eight times l points total on the curve. You're only seeing l of them, and to make up for that gap and avoid some other fancier attacks, you always multiply your secrets a and b by 8, and that completely protects you against these attacks. That's something that can be put into the protocol and tested. Similarly, the curve designer can always choose curves to be what are called twist-secure. There's still a little bit of wiggle room if somebody's sending you a compressed point, and this twist security says that, well, basically the wiggle room lets you choose between two different curves: there's this curve and then a sibling of the curve, what's called the twist of the curve, and the curve designer can make sure that both of those are secure. Both of those have these big primes; there's an l and a sibling l, and a small cofactor and another small cofactor. And if the curve designer chooses one of these twist-secure curves, then the attacker has no flexibility left to fool you; the attacker won't get any information about your secrets a and b.

Well, so then why is it not happening? Well, actually, it's kind of happening. So there is some motion to get the next generation of ECC standards out. Next generation meaning curves where you don't shoot yourself in the foot: when you try to implement them in the simplest way, the simplest implementation is also a secure implementation. It turns out usually when you move to something more secure it gets slower; in this case the bonus is it gets faster. Already in 2010, Adam Langley from Google was posting to the TLS mailing list saying, hey guys, elliptic-curve crypto has made some advances.
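As an added example (not from the talk and not Curve25519's reference code), here is the Montgomery ladder shown earlier, in Python, on Curve25519, v^2 = u^3 + 486662 u^2 + u over the field of 2^255 - 19 elements, together with the two rules from the last two paragraphs: the conditional swap written as a mask operation instead of a branch, the per-bit ladder step that only ever touches u, the secret clamped to a multiple of the cofactor 8, and a bare u as input, which may lie on the twist rather than on the curve. The scalars and the search for a twist u-coordinate are constructed for the example; `double_u` is the affine doubling formula, used only as an independent check of one ladder step.

```python
# Added example: x-only Montgomery-ladder scalar multiplication on Curve25519,
# v^2 = u^3 + 486662 u^2 + u over GF(2^255 - 19), with the constant-time
# conditional swap, cofactor clamping of the secret, and inputs on the twist.
P = 2**255 - 19
A = 486662
A24 = (A - 2) // 4                 # 121665, the constant used in the ladder step


def cswap(swap, a, b):
    """Swap a and b iff swap == 1, as a mask operation rather than a branch.
    This is the pattern a C implementation uses; Python's big ints are not
    themselves constant-time, so here it only illustrates the structure."""
    mask = -swap                   # 0 or all-ones
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def ladder(k, u):
    """u-coordinate of k * (u, v). v is never needed, so the peer sends only u."""
    x2, z2 = 1, 0                  # the point at infinity, as (X:Z)
    x3, z3 = u, 1                  # the input point
    swap = 0
    for t in range(254, -1, -1):   # one ladder step per bit, 255 bits
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = u * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # z2 == 0 (infinity) comes out as 0


def clamp(k):
    """Protocol-level rule from the talk: make the secret a multiple of the
    cofactor 8 (clear the three low bits). Fixing the top bit makes every
    secret take the same number of ladder steps."""
    k &= (1 << 255) - 1
    k &= ~7
    k |= 1 << 254
    return k


def x25519(secret, u):
    return ladder(clamp(secret), u)


def u_on_twist(start=2):
    """Smallest u >= start for which u^3 + A u^2 + u is a non-square, i.e. a
    u-coordinate that belongs to the twist rather than to the curve itself."""
    u = start
    while pow((u * u * u + A * u * u + u) % P, (P - 1) // 2, P) != P - 1:
        u += 1
    return u


def double_u(u):
    """Affine doubling, used as a check: u(2P) = (u^2 - 1)^2 / (4u(u^2 + A u + 1))."""
    num = (u * u - 1) ** 2
    den = 4 * u * (u * u + A * u + 1)
    return num * pow(den, P - 2, P) % P


if __name__ == "__main__":
    a = 0x1111111111111111111111111111111111111111111111111111111111111111
    b = 0x2222222222222222222222222222222222222222222222222222222222222222
    print("curve DH agrees:", x25519(a, x25519(b, 9)) == x25519(b, x25519(a, 9)))
    ut = u_on_twist()
    print("twist DH agrees:", x25519(a, x25519(b, ut)) == x25519(b, x25519(a, ut)))
    print("low-order inputs give:", x25519(a, 0), x25519(a, 1))
```

Because the secret is a multiple of 8, the low-order inputs u = 0 and u = 1 (orders 2 and 4 on this curve) always produce 0, whatever the secret is, so an attacker who sends them learns nothing; and since the ladder never inspects whether u is on the curve or its twist, the only remaining choice an attacker has is between those two groups, both of which this curve keeps large.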
Wouldn't it be nice to have Curve25519 as a named curve? Then not much happened. We did some work proposing good methods, or what we think are good methods, to generate curves. And, well, thanks to Snowden, since last September there's suddenly some motion coming into this from other people going, like, oops: given that the NIST curves have kind of lost their respectability, where we think, oh, maybe the NSA is not just the good guys, shouldn't we have another motion? Luckily, there are lots of other people saying, hey look, it's not because you're paranoid. We don't know whether the NIST curves are bad from a security point of view, but they're certainly not pleasant from the implementation point of view. We could be faster, we could be more secure. And so there are, well, a few quotations, and there's a draft. And then we made another curve, if somebody wants to have a really paranoid security level: 414 bits. And more curves; we have a SafeCurves page, blah blah blah, stuff. Finally, okay, CFRG is moving on. There was some NSA guy who was the co-chair of the CFRG. So CFRG is the Crypto Forum Research Group from the Internet Engineering Task Force. Except that this NSA co-chair will still be there to advise them, you know, tell them whom to listen to. Now the hope was that we could finish this on a happy note saying, oh, it's all good now. Hey, there is a happy note here: Microsoft has chosen curves. So, you know, once Microsoft stepped in, that's the end of the discussion. Embrace, extend, extinguish, stop arguing. Oh, sorry. Well, so the final slide would have been something nice, but at the moment it's just: the discussion continues. Thank you for your attention.

Thank you very much for your talk. We only have very, very few minutes for Q&A, so please quickly line up at the microphones. We have like three to four minutes, so be really quick, short questions only, don't ask about your thesis, just ask short questions. Okay, mic two, go.

Are you actually aware of any attacks or weaknesses in any of the NIST 186-2...?

Sorry, any weaknesses in... could you repeat?

Curves included in NIST 186-2.

Yeah, so for instance NIST P-224 is not twist-secure.

Anything else?

That's the only one that's known to be a problem. Look, all of these are... if you're willing to do the work of implementing very, very carefully, and you check for a point coming in being on the curve, having the right order, etc., etc., if you're willing to do a lot of work, have something that's slow and fragile, hard to test, hard to implement, then you can do something secure with the NIST elliptic curves. Then the steps forward that are part of modern ECC are: do something that's faster and easier to implement correctly, and that's something that, well, most people are happier with.

Thank you. Okay, internet, please.

Yeah, very short question: if you were the NSA, could you influence your own standard so that you could break it, and how would you do that?

Well, short answer: the nice thing about standards is that there are so many to choose from.

Is that the answer?

Okay, mic...

Which one? I mean, the long answer is: if I'm free to choose, say, the ANSSI, the French standard, there's no justification given whatsoever. I can feed you whatever curve I want.

Okay, this mic. I can't see the number because there are too many people.

How do you come up with the key length of 255 bits? And how do you know it's secure?

It's just the absence of something like index calculus. So the key length, yeah: the fact that index calculus doesn't apply is what allows ECC to get away with very small key sizes compared to RSA. And then something like 256 bits, that's coming from saying, well, the biggest computations that someone can do with current computer technology, or 10 years from now computer technology, using say a 65 megawatt power substation: the biggest computation they can do would still not break a 200-bit elliptic curve. So we feel very comfortable using 256. So for the attacks that we know how to do, all the numbers are at safecurves.cr.yp.to, so there you can see how many operations, 2 to the 200, you need to do for breaking a 414-bit curve.

Okay, we are unfortunately out of time, so please again thank our speakers.