Nails it again. There should be an entire series Prof Parr explains Math for unruly Germans

Thank you very much Christof Paar, you are the best Professor I have ever seen in my life! Yes, that's really what I think of you. For me you are very smart, so pedagogical, so clear, so humble (necessary for any teaching) and so funny too! I discovered this course in 2014 in Morocco when I started my studies on Cryptography at the University of Rabat, Morocco. I really enjoyed this course at that time, and I can't tell you how it helped me to understand these topics that seemed very complicated (unfortunately due to the lack of explanation by other professors). You made them very easy for me, like magic. Your method is really inspiring and I really appreciate it. And I know if I am now working in this field as a security analyst with a background in cryptography, it is somehow thanks to your wonderful courses! After seven years, I still enjoy these courses and now I decided to go back to this elliptic curve course because I am interested in CHESS-2021 this year about white box cryptography based on elliptic curves. Thanks again my best professor!

This lecture and lecture 16 are the best explanation for ECC I have found on the internet. Thank you so much for putting this online!

Generator point can be represented as an x integer and 1 bit for y. Y can be determined as one lying on a curve and this one y bit determines "upper" or "lower" part of solution. So we can "compress" point representation and operate only on x(int) + 1 y bit point representation AND save some memory space. And finally all points lying on a curve can be represented like this.

Great lecture, as always

Dear Prof. Paar, Great Lecture, always enjoys your detailed and meta-knowledge explanation. I have one question on the "hardness of ECDLP", could you please persuade me why is it so difficult to compute the # of hops in a publicly known standard EC? I was thinking, if the cardinality of the NIST EC is known, then there may be a database recording every points/elements in the group,right? And then given the starting point and ending point, why isn't the problem as easy as item query in a database? Appreciate your time!

The board content is not visible clearly professor

As the discrete logarithm problem produce same results when no squared reaches the point when its square in modNo-1 so do this happens in ecc to

Hahaha. "Back to sleep" -> subscribed!

Why do they call this a discrete logarithm problem? It is multiplying P by d to get dP. It looks more of a discrete division in an elliptic group to me. I agree that it look a lot like the DLP we saw before. Is that the reason?

Very nice lecture. One comment at ~ 1:06:43. The proof uses P = (XB, YB). Think P = (x, y) must be the same for both Alice and Bob. This sounded like different Ps.

Dear Prof. Paar, thank you for the nice lecture. A small typo in your book on page-212 last paragraph (that) is two time. I am sorry if it is the old version of the book.

EC Discrete Logarithm Problem 2:00 EC DH 54:20

I really really love this lecture! One question though, at 21:27 why is 3P in this quadrant? Shouldn't it be mirrored and therefore be below the y-axis?

Given d = 173 and generator point p (5,1). How do I calculate the resulting point T?

Does best known algorithm requires square root of d steps for solving ECDH.where d is the cardinality of the set.

hasses schranke? - ich kenn nur pommes schranke. xD

Dear Professor As far as I understood, the ECDLP describes that the attacker not knowing d would have to keep adding up p with itself (1p, 2p, 3p, ... Ep) until he has found the point and the curve he is looking for (brute-force), which is not feasible, because there are too many points so it would take too long for the attacker. I know that you spoke of an attack which is faster (square-root of p) but let's leave that aside for the realm of this question. The contradiction with this explanation is that you also explained that Alice calculates the PubKey the exact same way (adding up p for a times). As such, Alice would have to deal with the exact same difficulty as the attacker, which makes this cryptosystem useless. Then, at the end of the Video, you explain that Alice can actually use a more efficient algorithm because she knows d. Namely she'd use the double-and-add algorithm. The attacker can obviously not do this, because knowing d is necessary for applying this algorithm. Is it because of this advantage for Alice, that it becomes feasible for her to calculate the PubKey in little time while it would take hundreds of years for the attacker to do so? Besten Dank für Ihre Hilfe, aber vorallem fürs Teilen Ihres exzellenten Unterrichts!

0:10 Lecture info 0:20 Lecture program 2:10 ECDLP 54:16 ECDH

Hello Profesor Paar, I'm a huge fan of you and your lectures, which are conveyed in a very understandable way. At first I started watching your lectures (from the begining) as a supplementry information for Cryptography course that I take now, but very soon they became my 1st source for Cryptography learning. Ich danke dir sehr (Hope I wrote it right :-)) I have two questions regarding the EC private (secret) key, and EC public key: 1. Alice anb Bob should (randomally) choose a and b (respectievly) from the range of {2, 3, ... , #E-1}, but as you explained in your lecture #E cannot be exactly computed, and it is roughly considered to be in the range of p+1 - 2*sqrt(p)

"I am not going to continue until an answer" at 06:40 minutes was the best part. Thanks professor

At 5:30, Prof. Paar writes the EC as E: y^2 = x^3 + 2x + 12 mod 17. His comments confirm that formulation of E. At 7:00, Prof. Paar states that P=(5,1) is a primitive element of the EC. I tried to work this out to make sure I really understood what EC were all about, and found that my understanding may be mistaken. Either that, Prof. Paar made a transcription error somewhere. I am pretty certain the latter is the case, and the EC should have been written E: y^2 = x^3 + 2x + 2 mod 17. If my understanding is correct, (5,1) is indeed a primitive element of my corrected equation. PS: At about 15:30 Prof. Paar is advised of the discrepancy. Spent about an hour questioning whether I understood EC. It wasn't waste of time because now I'm fairly sure that I get the concept.

how come the students sleep. this lecturer is awesome.

well...I generate a random number, which is also my PrivKey. My PubKey is n*P. But how I can generate that PubKey without brute force ?

What a wonderful lecturer. Much love from the states.

Why do the groups (the curves) have to be cyclic? Wouldn't it be enough to have an element that generates ALMOST the whole group so when you calculate with that element you would still have a cyclic behaviour but with a bit less elements?

Best crypto course on the web but here is my question. I see the math but conceptually I don't see why the order of the group isn't equal to (mod p) which subtracting zero it is in standard DH if I am not mistaken

Actually, finding the order of an elliptic curve group is NOT computationally hard. See this: en.wikipedia.org/wiki/Schoof%E2%80%93Elkies%E2%80%93Atkin_algorithm

In Lecture 17, I was totally and completely lost until he corrected the equation @15:30. I was lost but now I'm found.

sir, do you have video lecture about DSA and undeniable signature???? and thanks in advance....

Hi Professor Paar, I have been studying asymmetric cryptography since last fall. I am struggling with how to build an ECC cryptosystem and encrypt a string of integers (that were originally a message). Do you have any advice on how to approach this?

Cyclic Groups make great state machines in EE and CS. Yes!?

Any programming explanation of these lessons. Or any resources to learn programming for these lecture. Any helps

I am still looking into this topic :) In Lecture 16, at the end there was a theorem: "The points on an elliptic curve, including the point at infinity have cyclic subgroups. Under certain conditions all points on an EC form a cyclic group." What are these certain conditions or is there a good book regarding this? Also, when we are talking about #E, is this the number of points of the elliptic curve or the number of elements of the cyclic group, since we stated above that not alway ALL points of the EC form a cyclic group, these two values should be different or not? Kind regards, Katharina

FYI: Man sagt im Englischen (Amerikanischen) nicht "one way function" sondern eher "trapdoor function". Interessantes Thema. Thanks. ---- FYI: You better say "trapdoor function" in english than "one way function". Interesting topic. Thanks.

Many thanks for this, a very thorough explanation! I'm trying to get my head around the random choice of the private key. {2, 3, ..., E-1 }, that's fine. But if you pick 2 by mistake then I suppose the ec discrete log problem happens to be trivial in this case? On the other hand if we restrict the choice of d to say 0.5E - E-1 then we are shrinking the search space for an attacker, but forcing them to take at least a certain amount of steps. Do we just hope that #E is so large that the choice of accidentally weakening the key with a small Kpr is infinitesimally small?

How individual points of elliptic curve can be represented with about 1 + log2 p bits ?

when you highlight parts of the textbook, its unclear

Thank you

Sir, Please explain s value? 2p, value 6,3? 3p=2p+p=10,6? why p is selected as 17 ?also take a message encrypt it and decrypt using elliptic curve cryptography

Professor Paar, Your videos are excellent. Thank you for sharing. I have a quick question on Double-and-ADD algorithm. If a number n is ranging between 2 power 20 ... 2 power 30 then it has approximately 20...30 bits based on the fact that the number of bits is logH (H being the exponent) to the base 2. Do the number of point additions and doublings for an average multiplication follow the same rules as S-a-M? Meaning does Add take - 0.5t and Double = t where t=20 or 30 based on the range chosen above? Assuming one group operation takes about 1 sec may be. Then 1 D-a-d operation would take 1.5t where t is total number of bits multiplied by time for one group operation. So for the case of t=30 bits. Total operations is 1.5*30 = 45 at the rate of 1 sec so it takes in total 45 sec for one D-a-D operation?

Thank you sir. This is a very good lecture.

I'm wondering about some demonstration: "If we consider a point A on an elliptic curve mod(p), there exists an integer n that verifies: n*P=0 (point at infinity)" Do you know where I can find the demonstration? thank you,

Ok, one more question :) Can you maybe recommend a book, youtube video, podcast or really anything that discusses lattice-based cryptography, especially Ring learning with errors key exchange for engineers/IT-students (M.Sc. level)? Its just that I find your lecture incredible helpful and I struggle finding similar helpfull material on these topics. :)

Does anyone know the book mr Christof is referring to during this lecture?

Oh jiggly puff...!!

++

Great

Dear Professor, I try to solve problem 9.5 related to elliptic curves. I just want to make sure I did it correctly. For alpha=(0,3) my points are: 2P=(2,4), 3P=(0,4), 4P=neutral element. So order of alpha=4 right? and I can say alpha is primitive because at 3P=(0,4) the x coordinate is equal to x coordinate of alpha and y coordinate is additive inverse of 3 ( which will be -3). Is this right?

First, thank you for this amazing lecture and the series in general. I assume the "mod p" at 58:40 is referring to a different p than the "primitive element p=(x,y)"? The fact that both variables have the same name confused me a bit. Cheers!