Thanks for the compliment! It made my day!

Agreed. I scoured Internet all over today the whole day to find anything that gives me the basic understanding of ECDH, and this is the only one that made sense to me so far.

It's quite clear governments don't want people to understand cryptography, much less use it in my opinion. What screwed me up is that this is very different than RSA in that in RSA, the secret key is recovered, and in this, it's not. I'm doing some work with the libsodium library BTW - if anybody knows if their mailing list is still up, let me know. I've tried to sign onto it many times with no success.

Wow, thank you!

wrg

Not sure if it already has been mentioned but at 11:27 bob computer P with small a and b. This is impossible, right? As bob has no access to small a. It should be big A if I am correct.

@@fantaaa61 Sorry for the late reply ... You are correct, Bob does not know what small a (alpha) is. Bob only sees big A. I just show that big A = alpha*G to demonstrate that Bob and Alice are indeed computing the same thing since the point addition operation is commutative.

Agreed

Thanks Pawan, I really appreciate it.

Thanks!

Thanks, I’m glad it helped

Thanks!

did you impress your maths teacher 5 yeas ago?

😅😅😅

I still don't get it. How do you add two positive y coordinates together and end up with a negative y coordinate!?? WTH!

Thanks for watching

Thanks! Glad it helped!

Thanks!

You are correct. That correction was made, but unfortunately it doesn't show up on mobile devices.

@@robertpierce5142 Emmm, but if you are doing P+P, then obviously you fall in the first case, since x_p is always equal to x_p. So P+P is always infinity? Or the first rule only applies when P != Q?

@@lemague 1) P+Q=O if xp=xq and yp!=yq This is when the line connecting P and Q is parallel to the Y axis. In case both xp=xq and yp=yq, that implicates P=Q making P+Q=2P. 2P with xp=0 coincides with the Y axis and hence =O. 2) P+P=O if yp=0 The line representing 2P runs tangential to the curve at P. Only if P is located at the spot where the curve crosses the Y axis, then the tangential line is parallel to the Y axis.

Thanks for that explanation. You are exactly correct. The modular arithmetic is what trips a lot of people up on this.

@@robertpierce5142 OK, since you responded to me, how do you compute Q=kP at 5:58? It can't just be repeated addition, how does multiplication actually work in this? This is all theory, and I know there are a ton shortcuts with modular math. What are they? You can't be doing just repeated addition, because that would be trillions or trillions of operations and Eve can do the same thing, it would be insecure. ALSO - what makes a weak curve? It would be interesting to know a curve that is ENTIRELY unsuitable for cryptography. No offense, but this might be beyond your knowledge, but it's certainly beyond mine. It's so hard to get information about cryptography. Also, is the modulo number always prime? Is it CERTAIN to be prime, or just pretty likely to be prime? I know in RSA, you have a very good chance of the numbers being prime, but they aren't proven to be prime. I was always curious if RSA would completely break if the numbers went through the battery of tests to assure the number was prime, but it wasn't. I guess I should review the math in RSA again, I've never tested it with relatively small numbers.

I understand how scalar multiplication can be done now, although it took a few days. if Y = X+X+X and Z = X+X+X+X+X+X also Z = Y+Y Is that correct? If so, then multiplication is being done the same way a computer did multiplication back in the 1980s and I see how that can be translated to an elliptic curve although I cannot see how the order is of the curve at generator point G is determined.

@@robertpierce5142 Well, I was hoping for some free information, and didn't get it. That's fine, this tutorial did help, and it does seem that if: X = 2P and Y = 4P Z = 8P that Y also can be computed with 2X and Z can be computed as 2Y or 4X. If this is true, then I understand how numbers like 485728378320273X is computed with the distributive property where you calculate just powers of 2,4,8,16 etc, and then use those powers to do point addition until you get the result. The distributive property was used extensively in multiplication on early machines lacking an FPU or ALU.

@@robertpierce5142 You won't likely see this, but I think I will do a write up on this now that I (think) I completely understand this. Now I'm wondering if you do NOT do modulo math during the process, until the very end, of the calculation, if you'll come up with the same result as if you did modulo math at each step. I have the distinct feeling that there is effort to prevent people from easily understanding how this precisely works. If people better understood how this worked, they would be free from libraries, and I know from experience many of them have been infiltrated by the NSA. For example I know the NSA bribed a company to weaken the the random number generation in their library, I think it was BSAFE, but I'm not positive that was the corporation. Their "random numbers" for private keys weren't really random. I'm working in NaCL (LibSodium), and I can control the random number generation with that. OpenSSH is a mess by the way, basic errors like buffer overflows. It's difficult not to imagine the "errors" are intentional, but they are unfixable in that the code is so convoluted and just simply terrible, no offense to the original authors, I think it's adulterated. It's overly complex, which isn't surprising with OLD code, but, my goodness, it's insanely complex and when working with security, you have to be very careful and knowledgeable, and I'm not there yet. Side channel attacks are interesting, but not realistic unless somebody has direct access to your device. You know how the NSA actually breaks into MOST devices? How they "crack" encryption? They install malware through back doors and just grab data directly. They don't actually crack the encryption at all. They just illegally break into your computer without a warrant with the cooperation of corporations that provide backdoors. Welcome of East Germany circa 1985, with modern technology.

+Tim-J.Swan That's why we need a signature from trustable authority to prove their identities.

+nimo1993, alternatively, social media (or perhaps personnel records e.g. in an enterprise) as a platform to host identity assertions. Have you heard of this concept of "social crypto"?

public/private key cryptography is not about solving the "man in the middle" (MITM) attack, which is the one you are describing. To solve this, you will need anyway to "trust" e third "entity", which provides certificates that are installed already in your browsers, to solve this kind of problem.

All "textbook" Diffie Hellman constructions are vulnerable to Man in the Middle attacks. Does anybody know of a good source explaining how Diffie Hellman is done in practice? I really like to learn.

Diffie Hellman alone will never be secure against a active adversary performing a Man in the Middle attack. As a key exchange algorithm, it is intended to bootstrap confidentiality given that the messages already have integrity. To secure a communication channel against MITM attacks the messages in the key exchange protocol are usually signed with the private key of the person sending the message using a digital signature algorithm. This way, anybody with Alice's public key can be sure that Alice not the adversary generated that message. Distributing these public keys is the role of the PKI and that is where the trusted third parties come in. In short, the missing theoretical piece of the puzzle worth to learn about is how a digital signature algorithm works. If you are really want to know the dirty secrets behind implementation, you should turn to the TLS protocol and how it is actually implemented.

Hello there!

I have a doubt at minute 11:07. Bob computes P = Beta*Alfa*G, but Alfa is Alice private key. P shouldnt be P = Beta*A*G? and the same for P = B * Alfa * G?

Thank you

+Haji Akhundov Thanks! That sounds like a fun (but challenging) project.

challenging indeed

_Lets just take it from the bottom. First you need to know what a group is._ A group is a set of elements with *one* operation (usually denoted # (operation that is similar to or is adding) or * (operation that is similar to or is multiplying)) The set have to fulfill these 4 requirements under the operation. 1. *There have to excist an identity e so that e*a = a.* Example multiplicative identity is 1 and additive identity is 0 since a*1=a and a+0=a. 2. *Every element have to have an inverse aˉ¹ so that a*aˉ¹=e.* Example multiplicative inverse of 2 is 1/2 and additive inverse of 2 is -2. 3. *The set have to be closed under the operation.* if the set is whole numbers then when you add two whole numbers you get a new whole number so it's a group. Multiplication is not a group on the set of whole numbers since the inverses are fractions. 4. *The set have to be assosiative under the operation which means (a*b)*c=a*(b*c)* A field is a special kind of ring, and a ring is a set with two operations (R, +, *) with the following requirements. 1. *The set is an abelian group under the + operation.* Abelian means a*b = b*a. 2. *The set is assosiative and have a multiplicative identity.* 3. *The set is left and right distributive under multiplication.* a*(b+c)=ab+ac and (a+b)*c=ac+bc For a field every non-zero element have to have a multiplicative inverse and multiplication have to be commutative too. A finite field is a field with a finite number of elements. Lets see if the elliptic curve operations define a field Group 1 axiom: The identity have to be "point at infinity" O, since if you do P+O the line would go straight up to O and come straight down to P again, so P+O=P. Difficult to show algebraically, but I think it must be so. Group 2 axiom: The inverse of P is -P Group 3 axiom: Since O is included in the set you will eigther end up on the elliptic curve or at O, thus it's closed. However I'm not sure where you have P+Q where P=(x_P, y_P) and Q=(x_Q, y_Q) where y_P = y_Q, but x_P is not equal to x_Q. Does that go to O too? Group 4 axiom: My gut feeling tells me (P+Q)+R=(P+Q)+R Abelian: just draw an elliptic curve and do the operation P+Q and Q+P and you'll see tha P+Q=Q+P Ring 1 axiom: see above Ring 2 axiom: Multiplicative identity is 1, assosiativity is more of a challenge. Ring 3 axiom: This is challenging too. Sorry for the lazyness of not calculating it. I mainly wrote this post to understand ECC my self.

TL;DR A field requires: Associativity of addition and multiplication: a + (b + c) = (a + b) + c and a · (b · c) = (a · b) · c. Commutativity of addition and multiplication: a + b = b + a and a · b = b · a. Additive and multiplicative identity: there exist two different elements 0 and 1 in F such that a + 0 = a and a · 1 = a. Additive inverses: for every a in F, there exists an element in F, denoted −a, called additive inverse of a, such that a + (−a) = 0. Multiplicative inverses: for every a ≠ 0 in F, there exists an element in F, denoted by aˉ¹ or 1/a, called the multiplicative inverse of a, such that a · aˉ¹ = 1. Distributivity of multiplication over addition: a · (b + c) = (a · b) + (a · c) . Since it is a finite field it have a finite amount of elements. Look at 1:08, bigger field means more elements and more secure encrytion

+Multihuntr0 Ha ha ... you are right! I hadn't caught that until now!

I wouldn't really call it a typo. In the audio I call it out correctly, and in the graphic I am trying to demonstrate that A = alpha*G. You are correct, Bob never sees alpha, he just sees alpha*G. In hindsight I probably should have written it as P = beta * A = beta * alpha * G.

OK, thanks Yes typo is not the right word. It just jumps out at me when I see Bob with "alpha". Also, I prefer to call this a key "agreement" or key "establishment" technique as it clarifies that the main objective of this protocol is to arrive at a common shared secret. The public keys that happen to be exchanged are simply part of the protocol and not the desired end result. It also aligns with the NIST definitions. I realize that sounds a bit nit-picky but helps keep everyone straight about the end-goal. Thanks again for an excellent tutorial!

I was confused by P+P=0 when 2P is not 0 and kQ is Q + Q + Q... by k times. I was trying to ask a question, but after seeing your comment, I expanded the description and it said it was an error.

nitesh jain Thanks for watching. I completely agree with you. I made this video as part of a project for a number theory class at Ga Tech. There was a cap on how long the video could be. Therefore I cut it off where I did. But I would have liked to go more into the geometry and group structure of the curve and how to derive the group operations based off that geometry.

Just a quick question: Was this video presentation a final project for the class? Or was it just one of many assignments?

I would have liked to do that, but I didn’t have the time. I also needed to keep the video as short as possible. It was discussed briefly somewhere in the comments.

The point at infinity does act as the identity, but no I am not saying that the point at infinity can be used as a key. The point at infinity is basically what happens when your point addition formula breaks down, i.e. divide by zero. So we have two things here, the algebraic structure, which is the Elliptic curve and the group operations and then we have the crypto scheme built on top of that algebraic structure. The algebraic structure requires an identity element in order to satisfy the definition of a group. The 'point at infinity' satisfies the requirements for an identity element, i.e. x*identity_element == x. Go to 15:23 in the video, pick a point and then multiply it by the point at infinity, i.e. 19G. For example 4G*19G == 4G when you apply the group operations. Now for the crypto scheme, I am not personally sure what you do if someone chooses the point at infinity as a private key or they compute it as the public key. But I am willing to bet that situation is not allowed, i.e. that point is not allowed to be those keys in the crypto scheme. However the point at infinity is very much required for the underlying algebra.

Eve can do what you described. That is the brute force attack. I did not explain this in the video, but there are methods to calculate points on the curve without having to add every point up. If I were to do this video over again I would have added a section explaining this.

That's what I was thinking of

@@robertpierce5142 Is there a way to know the order and cofactor of G without computing every point on G like is done in the video? I assume for real curves used this has never been done due to the number points, otherwise you could just build a rainbow table... or is the order computed by guessing, and you use the formula you mention thats not in the video to verify (n-1)G is a point, and nG is infinity?

The solution is that we can take any point of your previous resulting points and add it to its self, which makes a tangent line that would cross the third point. That would make a confusion instead of iterating regularly

Yeah. This is exactly the point and ruins the whole show. As far as what's told in this video nothing stops Eve from doing the same group addition operation alpha many times until it yields A. Of course Eve doesn't know Alpha initially but she knows how to count. How is this brute force since Alice has done exactly the same thing to obtain A in the first place.

Good question. Yes your concern is the brute force attack. What the video doesn't go into is that there are shortcuts where you can "jump" to your point on the curve without having to calculate all of the previous steps. I've been out of this world for a while, but what I remember is that one approach is to break things down into powers of 2. Example to get to 33G you would calculate G+G = 2G -> 2(2G) = 4G -> 2(4G) = 8G -> 2(8G) = 16G -> 2(16G) = 32G -> 32G +G = 33G. So 6 steps.

@@robertpierce5142 oh okay, thanks for the reply that makes a lot of sense, and also great video! :)))

Eve can absolutely do what you are describing. This would be the brute force attack. For sake of example I chose a curve with a small order (number of elements). In the real world though the order of the groups that are used in these schemes are much, much larger. So large that given the computing power we have today Eve would need more time than the current age of the universe to check every element.

I would say because he's talking about an elliptic curve, not an elliptic function (which has eccentricity)? So, as you may already see, an elliptic curve is not an ellipse.

First this is something I should have addressed in the video, but I failed to. One method I am aware of is the fast modular exponentiation (using powers of two) which is exactly what you have demonstrated in your comment. What I disagree with is the claim that 3833 would require 3832 additions. We can write 3833 as 2^11 + 2^10 +2^9 + 2^7 +2^6 +2^5 +2^4 + 2^3 +2^0 = 2048 + 1024 + 512 + 128 + 64 + 32 + 16 + 8 + 1. This is 9 calculations

Good question. I am not sure exactly. It's been a while. But it has to do with the discriminate of the curve and it being non-singular.

+JcJohn Clarke Check out slide 27 at www.math.brown.edu/~jhs/Presentations/WyomingEllipticCurve.pdf

+JcJohn Clarke Basically you have two points on the curve. You draw a line through those two points. You want to find the x-coordinate of the third point of intersection on the curve. You take the equation of the line passing through the points and substitute that into the curve equation. You then set the curve equation equal to zero. You know there are three solutions to this equation (the two known points and the third unknown point). You factor out these solutions and solve for the missing third.

Its not really a mistake. Alice gets B so she computes alpha*B which algebraically is just alpha*(beta*G). Same for Bob. You are correct, they never exchange private keys. They exchange a private key multiplied by G (A or B respectively). But the commutative property tell us that this process exchanges a private key that has been "scrambled" from multiplication by G. The video just showed you algebraically what is going on under the hood.

alpha*G and beta*G are often written parenthetical for clarity, to indicate that the product is known but the factors are unknown.

Yeah the order (n) of curves used in practice are MUCH higher. Here is a curve used in bitcoin: en.bitcoin.it/wiki/Secp256k1. Here is the order of that curve (in decimal, in the link the order is given in hex): 115,792,089,237,316,195,423,570,985,008,687,907,852,837,564,279,074,904,382,605,163,141,518,161,494,337. This is 78 digits. The number of atoms estimated to be in the visible universe is around 10^78 to 10^82. As you can see the order for that curve is massive. This drives home the point that just b/c you are "choosing something from a set you know", which is true, doesn't mean that it is at all feasible to iterate over that set.

In short Bob doesn't know that A is made up of 3G when he receives A from Alice. All that Bob knows is that A is made up of some unknown multiple of G, let's call it k. Here k is Alice's secret key. So Bob receives A = kG from Alice. Likewise Alice receives B = qG (where q is just some unknown integer to Alice but is Bob's secret key). But when Bob multiplies A by his secret key q then Bob does know he has q*k*G. When Alice multiplies B times her secret key she knows she has k*q*G. And since the group is commutative they know that q*k*G = k*q*G. They have performed a key exchange.

"If my bruteforcing asuumption is wrong then how do Bob and Alice know A is 3G and B is 9G?" --- It is a wrong assumption. What you describe is the brute force attack and it would work for Eve as well. And this is why we choose very large group sizes such that the brute force attack effectiveness becomes practically zero. Bob and Alice utilize the commutative nature of point addition and the fact that they and only they know their own secret keys.

@@robertpierce5142 Ah yes now I realize where I misunderstood. When I first saw 9A=9(3G) I thought Bob knew that A=3G, but he only needs to calculate directly from A without knowing A=3G right? Same for Alice. Thanks for your response man!

Yes you could try alpha = 1,2,3.... until you find A. That is the brute force attack. In practice this approach becomes effectively impossible since the order of the curves used in the real world are extremely large, and the amount of time it would take to find the solution would be absurdly long.

Ok I googled me some Diffie Hellman and now I get the goal is to establish a common private key for some other code unspecified.

@@whatyouwantyouare Hey Joseph ... yeah you are right, this protocol only establishes the key exchange process and doesn't address what we actually do with that key to encrypt messages. I am not an expert by any means, but I think most of the time they use one of the coordinates and throw the other one away. That number is then used in some other encryption protocol