The Cloudflare ECC introduction is well written and very accessible - however I notice that it omits a very crucial bit of explanation.
In the billards example it's stated that for a given player starting at point A:
"It is easy for him to hit the ball over and over following the rules described above."
arriving at some point B after some number of hits N. However, regarding some other player who knows point A and B
"they cannot determine the number of times the ball was struck to get there without running through the whole game again"
The question of course, is "Why not? Why can't the second player just start at point A and keep hitting the ball until it gets to point B, and count the hits?
The answer is that the first player does not run through the the sequence one hit at a time! Knowing N, you can take a mathematical shortcut from A to B. The simplest of these is known as "double and add" for elliptic curves. This is similar to the "square and multiply" method for fast exponentiation. The shortcut is the critical advantage, because it's the enormous computational complexity of running through the entire game without the shortcut that is the basis of ECC's security.
By my understanding, there's an inaccuracy in that article. It describes a one-way function, but calls it a trapdoor function. I thought that a one-way function is only a trapdoor function if there exists the possibility of reversing it with an extra piece of information. The wikipedia link[0] given seems to confirm that understanding:
A trapdoor function is a function that is easy
to compute in one direction, yet difficult to
compute in the opposite direction (finding its
inverse) without special information, called the
"trapdoor".
I know the article is trying to be informal, but that seems a simple thing to get right, and quite important. If I'm wrong I'd welcome being corrected.
>A function f from a set X to a set Y is called a one-way function if f(x) is “easy” to compute for all x \in X but for “essentially all” elements y \in Im(f) it is “computationally infeasible” to find any x \in X such that f(x) = y. [0]
>1.16 Definition
>A trapdoor one-way function is a one-way function f : X -> Y with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given y \in Im(f), an x \in X such that f(x) = y. [0]
[0]; Menezes, A.; Oorschot, P. van; Vanstone, S. (2001). Handbook of Applied Cryptography (5th ed.). CRC Press.
Choose p, q, and let n=pq
Note: phi(n) = (p-1)(q-1)
Choose e
Compute d such that de = 1 (mod phi(n))
The number d is your private key.
Given a message M, E(M) = M^e (mod n)
Given an encrypted message E, D = E^d (mod n).
Magically, D=M.
Now multiplying the numbers p and q is a one-way function, because there is no effective way to factor n (if p and q are chosen suitably.) The exponentiation M^e is a trap-door function because normally you can't undo it, but with any of the extra knowledge p, q, or d, then you can undo it.
There are nuances, and time and time again I meet people who think lots of things are the same when in fact they are different, and the differences matter.
A one-way function is not necessarily a trap-door function.
In this case many things are equivalent in the sense that one can easily be computed given another, but the details actually matter.
The point, though, is that there are on-way functions that do not have trap-doors and hence are not trap-door functions. The definition as given in the blog post seems to conflate the two, when in fact the difference is important. PKCs are often made by starting with a provably one-way function and trying to find a way of inserting a trap-door without weakening it.
(Sorry if this is a little incoherent, it's late here, and I need to do some stuff before going to bed, and I have an early start tomorrow.)
Perhaps a better example of a one-way function vs. a trap door is with symmetric cryptography? Let's look at two examples of a 2^128 -> 2^128 function f(n):
- The first 128 bits of SHA2(n). It should be computationally infeasible to find n from the output.
- AES128(n, k). It should be computationally infeasible to find n from the output, unless you know k.
No, because in elliptic curve Diffie-Hellman, the private key isn't used to invert anything, as opposed to RSA (a true example of a trapdoor), where it is.
Thanks for this. I was unclear on this point. So looking at the discrete log problem vs a trapdoor function:
Discrete log: for f(x) = y
- Easy: given f and x find y.
- Hard: given f and y find x.
Trapdoor: for f(x) = y
- Easy: given f and y find x, given a secret, e.g. (p-1)(q-1) in RSA.
- Hard: given f and y find x, without possesion of the secret.
Is that accurate, or have I misstated the essential difference somehow?
Well... it's used to invert the scalar multiplication and compute the discrete logarithm - with a notation similar to other comments:
Easy: given int n, point P -> compute Q = nP
Hard: given points P, Q (known to be nP for some n) -> compute n
This said, similarly as RSA vs factorization, DHP vs DLP (and other problems) are only assumed to be equivalent, meaning that one could find an easy way to break DH without computing the DLP.
While the equivalence between RSA and integer factorization is still an open question, the Rabin (exponent 2) trapdoor permutation is tightly equivalent to factoring.
Furthermore, for most groups the DHP is polynomially equivalent to the DLP. The requirement for this to be true is that there exists an elliptic curve with smooth order modulo the Diffie-Hellman group's order. Such smooth-order curves are hard to actually find for large groups, exponentially so (this is a fine example of the chasm between uniform and nonuniform reductions); but for elliptic curves groups used in practice, it is possible to find them. In other words, an easy way to break the DHP in smallish elliptic curve groups would lead to ECDLP solving with only polynomial overhead.
It is likely that some of the functions are trap door functions. That is basically what is the theory behind the random number generator that the NSA paid to have set as default in BSAFE library. https://en.wikipedia.org/wiki/Dual_EC_DRBG
I'd advise anyone trying to learn by implementing ECC to be careful using this article as an introduction. It's written as if you can follow along, but there are some omissions (see the comments section).
James D'Angelo has some good videos that go into some of the detail too
