[Cryptography] What to put in a new cryptography course

Ray Dillinger bear at sonic.net
Fri Jul 8 18:16:42 EDT 2016 


On 07/07/2016 02:45 PM, Ron Garret wrote:
> 
> On Jul 7, 2016, at 2:15 PM, Ray Dillinger <bear at sonic.net> wrote:
> 
>> I get the _mechanics_ of ECC as "geometry of lines tangent to curves in
>> modular coordinate systems"  but what makes a particular curve secure or
>> insecure in a particular modular coordinate system?
> 
> This seems like a good place to start:
> 
> https://safecurves.cr.yp.to/
> 


The site contains lots of assertions that curves with particular
properties are more secure than curves that don't have those
properties.  I've read it before. It is good practical advice
for selecting among known curves, and it is greatly appreciated
as a resource. However, it is yet another resource which
resolutely ignores the basic question I would want out of a
course on ECC and had intended to ask.

In fact evaluating the rationales given for most of the advice
would require that basic question to be answered first.

Having reread the whole site, I still have not discovered an
explanation of exactly how the mechanics of geometry on modular
coordinate systems are transformed in some cases into a specific
algebraic formula whose solution would require mathematical
operations believed to be Hard.  It seems to be treated as
something that everyone except maybe a few specialists is
simply expected to assume "because we say so."

What is the specific equation someone has to solve to break a
particular case of ECC, how exactly is that equation derived
from the geometry of particular curves on particular sets of
modular coordinates, and why do we believe that equation is
hard to solve?  IOW, don't just tell me how to pick parameters
believed secure; tell me enough to see exactly why parameters
satisfying those criteria lead to a hard case of that equation.

Lacking that understanding, I cannot evaluate the practical
advice given at the site about what kind of curves are and are
not recommended, nor know what forms and transformations and
special cases of the "Hard" equation that advice is intended
to promote or avoid.  I can only memorize the advice, as I
have already been doing, and continue to worry about what
potential attacks lurk in the gaps between the things I've
memorized.

				Bear






-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160708/d40196f6/attachment.sig>

More information about the cryptography mailing list