Errant Security

Once you get to a certain point in mathmatics education, you tend to just give up and hit the I believe button. At least, thats how it was for me in my first Signal Processing class as an undergrad. When Dr. Reza started solving diffrential equations in his head and explained Fourier Transforms on the board, I practically gave up.

Attempting to grasp those topics teaches you an important lesson of wrapping your head around complex mathmatical topics.The skills I learned struggling in that class and studying electrical engineering were invaluable.

Fast forward a few years and im typing away on slack when I should be paying attention to someone giving a powerpoint and my buddy Trey mentions something about “elliptic curves”. I recognized the name and placed it from all the CTF challenges i skipped and let trey do because even though i am fasicated by Crytography, i rather suck at it.

What he starts to do is explain it to me ELI5 style (i had to explain to him what ELI5 meanthowever so i felt somewhat redeemed). What he said about Eleptic Curve Cryptography (ECC) was

Thorn [10:02 AM] Basically if you mess with how math works, for examples what + means you can make your own math. So people decided to make their own math that would only work for numbers on an elliptic curve. It follows all the rules the “rings” need to follow so other mathematicians can replicate the special kind of math that is going on. They then used these special rules of math to make a function that is mathematically simple to calculate but difficult to reverse. It can be thought of like “bouncing a ball around an elliptic curve” if people know where the ball started and at what angle it was thrown, anyone can calculate the end result but getting the initial position from the end result is very difficult. They used that as their trapdoor function and built a cryptosystem off of it. :slightly_smiling_face:

lightningmar [10:02 AM] and why does it matter what is it used in and should people invest time in learning it thourghly

Thorn [10:03 AM] because the keys are significantly smaller than a RSA key. you get roughly 3-4 times the security. If they want.

That last part is crucial. The keys are significantly smaller. Maybe not all applications have to care about that but if you have ever used RSA PKI (public key infrasturcture) via SATCOM (think 2000ms latency) you will quickly learn how even a few packets back and forth can cripple applications. cough microsoft exchange signed emails cough.

Now yes, Elliptic Curve Cryptography is also a form PKI and the exact implementation is beyond the scope of this article, but the impact is all should understand. Something to try yourself is to see the diffrence in speeds of the algoithms (and yes before someone puts it in the comments I do realize there are multiple variations and this test is not conclusive.) The openssl library has a built in speed checker you can use.

[jules@alexaXPS ~]$ openssl speed rsa2048 ecdsap224

                           sign       verify     sign/s   verify/s
rsa 2048 bits              0.000660s  0.000030s  1514.7   33639.2
                           sign       verify     sign/s   verify/s
224 bit ecdsa (nistp224)   0.0001s    0.0002s    9300.9   4582.8

Some people will argue it is because more people understand how RSA works. The security of RSA resides in that factoring large numbers is incredibly complex. Mathmeticians have been studying the field for more than 2500 years ( by the greeks intially) and Diffie-Hellman key transport and digital signing schemes proposed by Rivest, Shamir and Adleman (RSA) since 1977. Elliptic curves came around slightly later in 1985.

It could also be that RSA had a few more years to become widespread before ECC was introduced, or the many political and finicial reasons and hurdles on widespread swiching to ECC.

In the end though, ECC is pretty cool and its important to know it exists.

TLDR: You have some crazy curve (y1 = x12+ ax + b) and have an equation on said curve that is easy to perfom (x1,y1) , (x2,y2) --> (x,y) but nearly impossible invert (x,y) --??--> (x1,y1), (x2,y2).