So True!! I wish all my proffs were like Mike!! Everything he says makes instant sense!

Yeah as soon as I see him on thumbnail I watch that. I don't know what it is but his talks is more like inviting to think and get excited together than teaching to someone without knowledge: I don't know most of what he talked about but somehow I feel like I got the ticket to be included in enjoying excitement of some sort

Anybody who knows things can explain them

Why do you say you “STILL have respect for Mike” ?? Did other people _lose_ respect for him or something??

@@MrSkinkarde No you stuttering red faced gimp, that's not so.

You can defeat most of the backdoors they put in by picking your own random numbers. In ECC, the private key is just the random number. You can start with a random number given by the library, do an sha256sumk on this with the time of the system in milliseconds, grab another random number from the system, then sha256sum those two numbers together. That's pretty unpredictable. People are HONESTLY afraid to "pick their own random number" and they SHOULD BE. But remember F (random_number) = another random number and if the function F is a hash, it's not reversible. You can take random numbers and add your own (perhaps not at all secure) numbers as well to operating on a potentially compromised random number, which isn't really random.

??

You could even see the NSA badge portrays an eagle actually holding the key.

@@lingmui3255 lol

...there is one

Murphy warned us.

Mister Potatohead !

IIRC it's on the order of "[number of atoms in the universe] SQUARED". (Correct me if I'm wrong though.)

+Keiji Ikari A quick Google suggests that current estimates for the number of atoms in the *observable* universe (which is much larger than the amount of universe we can see, mind) is on the order of 10^80, or about 1000 fold larger than 2^256.

Getting quite close (in relative terms) isn't actually that hard. Every 10 bits is about three magnitudes. 256/10*3 = 76.80. Actual result 1.15e77 or 77.06 if you take the log of it. That's being off by a factor of less than two. Now being able to pronounce that number is something very different though ;) .

Ah, oops... I remembered the "80" part of "10^80", but assumed it was 2^80 and "rounded up" to 2^128... I also recall someone saying there were enough UUIDs, or IPv6 addresses (which are 128 bits, minus a few for special things) for every atom in the (observable) universe, but that clearly must be a mix up as well...

It's not just about calculating 2^256. Not all points on the curve are valid.

True dat

false.

😄 Well spotted.

ok?

P and Q were specified by the NSA and its the NSA that was throwing its weight around to get this standard implemented in commercial cryptographic libraries, you don't even need to guess here.

NSA is really sneaky. Sometimes, it ain’t (ECC or PRISM) too sneaky, but things like the hdd malware were really evil

It appears that it was exploitable. Google portsmash, an attack described in the last few days which deals with eliptic curves.

@@johanlarsson9805 Ohhh, now that video makes a whole lot more sense. Computerphile did not specify how an attacker would be able to reverse a key from just sniffing the operations running in a CPU, but if the objective is to figure out how many times a point was moved in an elliptic curve, this would be a way to do it

ok?

They're a spy agency. *It's their job* to do stuff like this.

i think you missed a joke there

@@RonJohn63 actually its HALF their job. Their other job is to ensure the communication security of the United States... a bit of a conflict isn't it?

@@OutdoorsWithChad I'm pretty sure "ensure the communication security of the United States" was tacked on a *lot* later.

That is graphic

Appendix C?

true randomness can only be acheived via nuclear decay or even just listening to the most common truly random thing most of us have heard; radio/tv static.

@@storm37000 True randomness can only be achieved via Quantum Mechanics (specifically, Heisenberg's Principle of Uncertainity)

@@themanofiron785 some might argue that even quantum mechanics isn't truly random (but for whatever it's needed for it's probably random enough)

@@hayden.A0 In that case you should probably define random.

@@themanofiron785 I'm no expert on this matter so I really shouldn't be defining anything, but, based on what I understand it's like this: any closed system cannot be truly random, and since the universe is a closed system it itself cannot be truly random. Obviously even if that's accurate the amount of "variables" that exist in the universe make it pretty much infeasible to replicate any given state, but again I'm no expert so I may just have some facts mixed up or I'm just completely wrong.

all the ecdsa/P-xxx algorithms are inherently flawed, lookup secure-secure-shell which is a guide on how to choose secure algorithms for SSH. The much more secure/robust algorithm called curve/ed25519 is what is recommended.

@@recodebrain792 you know thisisn't reddit right

@@v1Broadcaster HAHA

Or, more accurately, they SHOULDN'T.

false.

As far as I can tell, that's usually how it goes. But security isn't always the top priority, sometimes speed is. So it's a balancing act... Except in this case, where 1000 times slower and there possibly (definitely) being a backdoor was ok :') I don't think the community at large uses stuff like this tho, although I guess companies might?

Elliptic curves have one big advantage. You can get along with verry little memory and at least i don't know a common side channel attack. Which makes them great for embedded stuff like machines. The potential back door on the other hand is nothing great as machines usually run for a view decades.

I mean the NSA were very probably paying them to put it through, right?

@@Ping727 No probably, they did.

@@andymerrett 😆😆😆😆

??

Get in the van.

Black car more like predator drone

more like big black van

BBC is coming for you in 3…2…1

??

SSL certificates. So whenever you visit an online shop or "secure" website, you'll see the certificate, usually next to the address. If it says ECS or something similar, the NSA know what you're doing.

BIG Dave Every company based in the USA needs to give any detail that they detain if queried. Google, Facebook, Amazon, Apple, etc. Not only do they exploit your data, they give it to PRISM, a gigantic mass surveillance organization that is managed by the USA, and it is a known fact they collect data that passes by the Internet, so yeah, ECS is like their golden boy. They collect encrypted data, but they can’t use it. Now imagine they use ECS, the NSA would have access to all data. Better off using Axolotl

With "this standard" you mean the RNG function talked about in this video? Pretty much none. As it was either not used in the first place anyway or has been withdrawn for some years now. Especially what "BIG Dave" says is completely wrong, SSL does not use Dual_EC_DRBG.

whuzzzup As mentioned in the video, it actually was used in the real world by companies paid by the NSA. For example, it was used by default in stuff produced by RSA, inc., which notably included many security fobs.

You can always connect to a quantum random number generator ;) Only... is your connection secure? Hmm.. chicken, meet egg.

There never will be. Even with all the computation power in the world, 2^256 possibilities is way to many to brute force.

There are groups going through the effort of brute forcing the 2^96 possibilities of private keys to crack open bitcoin addresses. Maybe, if we make a great leap in computational power, some day we could start a cloud computing project to find e. Maybe...

@@tigerresearch2665 Two words: "Quantum Computing".

Robert Thompson Chinese Government wants to : *_bake that quantum cake_*

Wouldn't it raise just as many red flags if they were willing to let developers pick their own P and Q and certify whatever they chose? They'd be giving the green flag for developers to put their own back doors in. The real problem isn't that there could be a backdoor built into these P and Q values. The real problem is that ANY p and q values are suspect regardless of who picked them. And before anyone says "just use another rng to generate them", that doesn't work either, because that assumes that you can believe the person who says that they generated them from another rng. Sure maybe YOU would choose honest values with no back door, then again maybe the NIST did as well. You want to choose your own so that you know they didn't put a back door in. Maybe they want you to use theirs so that they know that you didn't put a back door in. Who can be trusted? Honestly, the fact that this type of back door CAN exist, effectively makes the entire process fundamentally flawed.

phiefer3 aha thanks for the clear explanation.

+phiefer3 If the whole idea is that Q must not be divisible by P, why not derive them from twin primes? The main issue here is that NIST didn't explain HOW they got these numbers.

You should go back and watch the original video on elliptic curves. When they say "multiple", they're not talking about simply multiplying or dividing a number by another number, they're talking about jumping being able to move some number of times from one point and end up at another point. (ie if you start at Q and then move e times you end up at P). And the video makes a little bit of a mistake when he says "if" they're a multiple, because the way elliptic curves work, there's almost definitely some number of jumps that can be made from any point on the curve that will land you on any other given point on the curve. In other words, there WILL be some e such that P=eQ. Now calculating the e of a given pair of points is prohibitively difficult, and would be pretty secure, but choosing points for a given e would be extremely simple. (as mentioned in this and the other video, elliptic curves are similar to hash functions in this way, it's simple to start at some point Q, pick a very large e and then calculate a P to create your back door, but doing it backwards to find the e of a pair of points is much much more difficult).

> Why would the NIST tell developers to use a specific P and Q and not generate their own? Because the NSA told them to. Simple as that.

It seems ECC is really secure. Of cause there is no proof, but it looks unlikely that this curves can be cracked somehow.

🤣

LoL

Predictably random.

Or any sort of GUI or x-server on Linux

??

You dont have that many atoms in universe squared.

With the normal computers we have right now? So many, that "never" is the best answer.

whuzzzup No I didn't say with the computer we have right now.

if your bank account is secured by this algorithm, then you're betting all of it

In principle, any (valid) point on the curve can be reached from any other (valid) point -- that's actually a somewhat important property or you risk your state update getting into a short (and therefore easily breakable) loop across only a small subset of the entire space. So yes, there absolutely _is_ an e. Its just a question of who (if anyone) knows what that specific e is. If they really wanted to make it secure, they'd be using two different curves rather than two points on the same curve so that rP has absolutely no relation to rQ (though that might just be pushing the problem up a level and show that the given a's and b's aren't related in some subtle way between the two curves.)

It probably is easy to solve in that way, but then of course when the NSA goes to pull some conversations from someone's "encrypted" chat logs and it doesn't work, a Cisco CEO wouldn't get that new yacht they've had their eye on all summer.

"I have a cunning plan!" prof. Baldrick at Dodgy University

Dr. Quack, Medical doctor

That's about as dodgy as research from Ball State. Bollocks!

Blackadder strikes again made brats @ twitter are furious and immediately proves him to be correct.

false.

So, it looks very likely that the NSA did really install a backdoor.

Technically you could probably edit an open source browser like chromium to not use it. However there really isnt any need, this standard has now been abandoned and elliptic curve cryptography is fine to use

@@JadeNeoma thanks for the info lol i forget i ever asked this

Its not proven _impossible_ on a classical computer. The general consensus is that it is impossible (short of brute force, which of course can solve any key finding problem given enough time.. but when multiple ages of the universe is not enough time, that's not really an issue worth considering.) On a quantum computer however, its not only theoretically possible but we know how to do it (Shor's algorithm.) I'm not sure that we have discovered any functions that are suitable for classic cryptography that (provably) can't be broken by a quantum computer. I don't think we have.. though I'm also pretty sure we haven't yet proven that such a function can't exist and is just waiting for us to find it. Discovering a cryptographically strong (and fast enough to be practical) classical function that can also be provably unbreakable by a quantum computer would lead to a significant overhaul of the computer security industry, and would remove the need for quantum cryptography (which is a very hard problem.. not because of the math, but because _everyone_ would need a quantum computer to do their cryptography and that's just not going to be practical in the foreseeable future.)

that's the standard discrete log problem (using integer factorization), not the elliptic curve discrete log problem, which as far as i know doesnt have a theoretical quantum algorithm associated with it.

And that is true for all elliptic curves with a prime larger than 2 ^ 160.

If the order of the curve is not a prime, we allways con find a subgroup with prime order. It is all we need.

The whole elliptic curve encryption seems like a bad idea in the first place, for the reason you state. Which is probably why NIST chose it?

@blucat4 The NIST wanted us to use only standard curves which are well known. So we should not know, that such curves are not required at all.

@@franzscheerer Can you tell me, is SHA-256 totally secure? (I'm new to this but I love it. :-)

Hardware implementation and ensuring the noise pool cannot be tainted. There are dedicated randomness modules you can use, but typically hard drive seek times, user mouse input and all sorts of unpredictable events are used to generate noise.

Choose RSA-4096 + AES-256 when given the choice. If not given a choice, consider the platform insecure.