0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/323 Thanks! 1 00:00:09,270 --> 00:00:10,709 All right, sorry for the technical 2 00:00:10,710 --> 00:00:12,719 difficulties. For the actual useful part 3 00:00:12,720 --> 00:00:13,949 of the talk, I'll turn things over to 4 00:00:13,950 --> 00:00:15,839 Tanja here. Well, I'm Tanja. 5 00:00:15,840 --> 00:00:17,460 That's just in case it wasn't clear. 6 00:00:20,280 --> 00:00:22,229 So this is about crypto and some of 7 00:00:22,230 --> 00:00:23,230 the curves. So 8 00:00:24,570 --> 00:00:25,859 we hope this is a gentle enough 9 00:00:25,860 --> 00:00:27,429 introduction. If it's too boring, 10 00:00:27,430 --> 00:00:28,649 well, it's late in the evening. 11 00:00:28,650 --> 00:00:30,149 Take a short nap and wake up every once 12 00:00:30,150 --> 00:00:31,529 in a while to check whether it's still 13 00:00:31,530 --> 00:00:32,548 comprehensible. 14 00:00:32,549 --> 00:00:34,769 So why cryptography? 15 00:00:34,770 --> 00:00:36,839 So when you, when you go on the 16 00:00:36,840 --> 00:00:38,999 Internet for electronic payments, 17 00:00:39,000 --> 00:00:40,499 then, for instance, you see an SSL 18 00:00:40,500 --> 00:00:42,179 certificate. That's where crypto is in 19 00:00:42,180 --> 00:00:43,739 there. If you have an e-passport or 20 00:00:43,740 --> 00:00:45,959 identity card, that is using 21 00:00:45,960 --> 00:00:47,159 signatures. 22 00:00:47,160 --> 00:00:49,439 If you're using tools to 23 00:00:49,440 --> 00:00:51,569 send secret data, then you actually want 24 00:00:51,570 --> 00:00:52,859 to have encryption. 
25 00:00:52,860 --> 00:00:55,379 And so when you have a key exchange, 26 00:00:55,380 --> 00:00:57,479 then you use, say, RSA, or Diffie- 27 00:00:57,480 --> 00:00:59,669 Hellman or DH, and 28 00:00:59,670 --> 00:01:02,039 ECDSA and ECDH, and the 29 00:01:02,040 --> 00:01:04,289 EC in there is what this talk 30 00:01:04,290 --> 00:01:05,879 is about today. 31 00:01:05,880 --> 00:01:07,949 There's also a huge chunk of 32 00:01:07,950 --> 00:01:09,659 crypto, which is secret-key cryptography, 33 00:01:09,660 --> 00:01:11,039 which is really cool stuff. 34 00:01:11,040 --> 00:01:12,309 It's much, much faster than anything 35 00:01:12,310 --> 00:01:14,489 we're going to tell you about today. 36 00:01:14,490 --> 00:01:16,499 But it requires that the two parties who 37 00:01:16,500 --> 00:01:18,479 want to talk to each other already know 38 00:01:18,480 --> 00:01:20,459 each other, that they have done some key 39 00:01:20,460 --> 00:01:22,169 exchange. We're going to show you how to 40 00:01:22,170 --> 00:01:24,149 do the key exchange. And afterwards, the 41 00:01:24,150 --> 00:01:26,339 symmetric crypto, that's what's 42 00:01:26,340 --> 00:01:28,349 going to happen maybe next year. 43 00:01:29,650 --> 00:01:32,039 OK, so within 44 00:01:32,040 --> 00:01:34,109 public-key crypto, why would you want 45 00:01:34,110 --> 00:01:36,359 to use it, what has caused 46 00:01:36,360 --> 00:01:38,969 all sorts of people to be interested in it? 47 00:01:38,970 --> 00:01:41,279 The basic answer to that is an attack 48 00:01:41,280 --> 00:01:43,559 strategy called index calculus. 49 00:01:43,560 --> 00:01:45,179 Now, this is, if you want to factor 50 00:01:45,180 --> 00:01:47,489 somebody's RSA keys, if you want to break 51 00:01:47,490 --> 00:01:49,679 somebody's original non-elliptic Diffie- 52 00:01:49,680 --> 00:01:52,109 Hellman, then you use index calculus. 53 00:01:52,110 --> 00:01:53,609 It's all sorts of fancy math and 54 00:01:53,610 --> 00:01:55,019 algorithms that come into it. 
55 00:01:55,020 --> 00:01:57,149 And the bottom line is it keeps getting 56 00:01:57,150 --> 00:01:58,229 faster and faster. 57 00:01:58,230 --> 00:01:59,939 So we don't even know how fast it's going 58 00:01:59,940 --> 00:02:01,169 to end up being. Here's some of the 59 00:02:01,170 --> 00:02:03,149 history of when these algorithms were 60 00:02:03,150 --> 00:02:04,079 developed. 61 00:02:04,080 --> 00:02:06,029 Nineteen seventy-five was one of the 62 00:02:06,030 --> 00:02:08,099 first index calculus algorithms, 63 00:02:08,100 --> 00:02:09,839 CFRAC, for factoring big numbers. 64 00:02:09,840 --> 00:02:11,429 And then there were all sorts of events 65 00:02:11,430 --> 00:02:14,609 since: 1977, '82, 1994. 66 00:02:14,610 --> 00:02:16,589 You've heard about the Cryptopocalypse 67 00:02:16,590 --> 00:02:18,659 last year. And this is something where 68 00:02:18,660 --> 00:02:20,879 this is one of the newest advances 69 00:02:20,880 --> 00:02:21,869 in index calculus. 70 00:02:21,870 --> 00:02:23,729 That's not something that matters for 71 00:02:23,730 --> 00:02:25,889 breaking RSA, but it's just an example 72 00:02:25,890 --> 00:02:27,779 of how index calculus, this general 73 00:02:27,780 --> 00:02:29,639 strategy, is something that keeps getting 74 00:02:29,640 --> 00:02:31,859 more refined, more sophisticated and 75 00:02:31,860 --> 00:02:33,180 faster and faster. 76 00:02:36,080 --> 00:02:37,879 I mean, this is not the whole story. If 77 00:02:37,880 --> 00:02:39,319 you look at academic literature, there's 78 00:02:39,320 --> 00:02:40,889 also lots of improvements. 79 00:02:40,890 --> 00:02:42,769 I mean, we're happy if we can factor 80 00:02:42,770 --> 00:02:43,849 twice as fast. 81 00:02:43,850 --> 00:02:45,949 But these are the big steps when 82 00:02:45,950 --> 00:02:47,959 you look at the security of two typical 83 00:02:47,960 --> 00:02:49,009 sizes of RSA. 
84 00:02:49,010 --> 00:02:51,199 So this is RSA-1024, 85 00:02:51,200 --> 00:02:52,609 which you still see a lot on the 86 00:02:52,610 --> 00:02:55,069 Internet. And there's RSA-2048, 87 00:02:55,070 --> 00:02:57,179 which hopefully your bank is using. 88 00:02:57,180 --> 00:03:00,019 Then there's two rows of numbers, 89 00:03:00,020 --> 00:03:01,939 so, two columns of numbers, where you can 90 00:03:01,940 --> 00:03:04,429 see how much the security has decreased. 91 00:03:04,430 --> 00:03:06,679 So back in 1975, 92 00:03:06,680 --> 00:03:08,479 so the CFRAC algorithm would still take 93 00:03:08,480 --> 00:03:10,579 2^120 to do the 94 00:03:10,580 --> 00:03:13,039 same work that, well, many years later 95 00:03:13,040 --> 00:03:13,999 was the number field 96 00:03:14,000 --> 00:03:16,129 sieve, so in the '80s, would 97 00:03:16,130 --> 00:03:17,059 only take 2^80. 98 00:03:17,060 --> 00:03:19,279 So there's a big decrease from 2^120 99 00:03:19,280 --> 00:03:21,259 operations down to 2^80. 100 00:03:21,260 --> 00:03:23,449 And actually it's not just losing 40 101 00:03:23,450 --> 00:03:25,309 in the exponent, it's much bigger than 102 00:03:25,310 --> 00:03:27,369 that. It's something which takes 103 00:03:27,370 --> 00:03:29,809 2^170 down to 2^112. 104 00:03:29,810 --> 00:03:32,029 So it's not just a linear decrease, 105 00:03:32,030 --> 00:03:34,129 it's more than a linear decrease in the 106 00:03:34,130 --> 00:03:35,130 exponent. 107 00:03:35,870 --> 00:03:38,569 So in '85, 108 00:03:38,570 --> 00:03:40,909 when basically the 109 00:03:40,910 --> 00:03:43,159 number field sieve was, or the 110 00:03:43,160 --> 00:03:45,499 field sieve was, in work, Miller 111 00:03:45,500 --> 00:03:47,779 was proposing elliptic curves. 112 00:03:47,780 --> 00:03:49,849 So as a different, as an alternative 113 00:03:49,850 --> 00:03:52,249 to factorization-based methods. 
114 00:03:52,250 --> 00:03:54,499 So factorization or Diffie-Hellman 115 00:03:54,500 --> 00:03:55,699 would be broken by all of these 116 00:03:55,700 --> 00:03:56,629 algorithms. 117 00:03:56,630 --> 00:03:59,119 And then Miller says, well, 118 00:03:59,120 --> 00:04:00,529 I've looked at this new primitive, at 119 00:04:00,530 --> 00:04:02,809 elliptic curves, and 120 00:04:02,810 --> 00:04:05,179 it is extremely unlikely that an index 121 00:04:05,180 --> 00:04:07,069 calculus attack on the elliptic curve 122 00:04:07,070 --> 00:04:08,809 method would ever be able to work. 123 00:04:08,810 --> 00:04:11,089 So we can completely ignore 124 00:04:11,090 --> 00:04:13,339 all of these improvements, all of these 125 00:04:13,340 --> 00:04:15,469 methods that made 126 00:04:15,470 --> 00:04:17,719 factorization and finite field 127 00:04:17,720 --> 00:04:19,430 based Diffie-Hellman so much weaker. 128 00:04:20,690 --> 00:04:21,690 OK, so 129 00:04:22,910 --> 00:04:25,279 to get into elliptic curve cryptography, 130 00:04:25,280 --> 00:04:27,349 the gentle way to get into it 131 00:04:27,350 --> 00:04:29,959 is clock cryptography. 132 00:04:29,960 --> 00:04:32,499 Now this is a picture of the clock. 133 00:04:32,500 --> 00:04:34,069 Do you actually have a clock to show 134 00:04:34,070 --> 00:04:35,989 people, in case you're not used to what a 135 00:04:35,990 --> 00:04:37,609 clock used to look like? Some sort of 136 00:04:37,610 --> 00:04:38,539 circular thing. 137 00:04:38,540 --> 00:04:40,189 You know, if you think a clock is like 138 00:04:40,190 --> 00:04:41,839 showing, you know, some digits next to 139 00:04:41,840 --> 00:04:43,759 each other, this is what a clock used to 140 00:04:43,760 --> 00:04:45,439 look like. For most people, it's x 141 00:04:45,440 --> 00:04:47,419 squared plus y squared equals one. 142 00:04:47,420 --> 00:04:48,259 It's kind of broken. 
143 00:04:48,260 --> 00:04:49,260 That's why we let 144 00:04:51,050 --> 00:04:53,209 the elliptic curves 145 00:04:53,210 --> 00:04:54,439 that we're going to show you later in the 146 00:04:54,440 --> 00:04:56,959 talk, those do not include the clock. 147 00:04:56,960 --> 00:04:59,449 The clock, clock cryptography, is not an example 148 00:04:59,450 --> 00:05:01,789 of elliptic curve cryptography, but 149 00:05:01,790 --> 00:05:03,199 it's really, really close. 150 00:05:03,200 --> 00:05:04,429 So we're going to start with clock 151 00:05:04,430 --> 00:05:05,629 cryptography. And then once you're 152 00:05:05,630 --> 00:05:07,339 comfortable with that, then we'll make 153 00:05:07,340 --> 00:05:09,559 one little change and then that'll be 154 00:05:09,560 --> 00:05:11,629 elliptic curve cryptography. 155 00:05:11,630 --> 00:05:13,729 All right. So here, to prove that I 156 00:05:13,730 --> 00:05:15,019 passed kindergarten, 157 00:05:15,020 --> 00:05:16,579 here are some points on the clock. 158 00:05:16,580 --> 00:05:18,859 So that is the twelve o'clock, that's 159 00:05:18,860 --> 00:05:21,109 up there. Well, I also became 160 00:05:21,110 --> 00:05:22,819 a mathematician sometime afterwards. 161 00:05:22,820 --> 00:05:24,169 And mathematicians like to work with 162 00:05:24,170 --> 00:05:25,159 coordinates. 163 00:05:25,160 --> 00:05:26,899 So the twelve o'clock point has 164 00:05:28,220 --> 00:05:30,499 zero in the x direction and 165 00:05:30,500 --> 00:05:32,989 one in the y direction. 166 00:05:32,990 --> 00:05:35,299 I know the one because it should, is supposed 167 00:05:35,300 --> 00:05:36,919 to satisfy x squared plus y squared. 168 00:05:36,920 --> 00:05:39,019 So zero squared plus y squared 169 00:05:39,020 --> 00:05:41,419 is one, so y is one. 170 00:05:41,420 --> 00:05:42,889 But there's many more points. 171 00:05:42,890 --> 00:05:45,199 So there's also the six p.m. 172 00:05:45,200 --> 00:05:46,129 there. 
173 00:05:46,130 --> 00:05:48,289 It's when you start having breakfast, 174 00:05:48,290 --> 00:05:49,579 lunch. 175 00:05:49,580 --> 00:05:50,809 There's a three o'clock point. 176 00:05:50,810 --> 00:05:52,279 There is the nine p.m. 177 00:05:52,280 --> 00:05:53,719 point. There is, 178 00:05:53,720 --> 00:05:54,799 oh, what's that? 179 00:05:56,980 --> 00:05:58,689 I didn't learn that part in kindergarten, 180 00:05:58,690 --> 00:06:00,819 so it's, it's one half 181 00:06:00,820 --> 00:06:02,919 up. Well, then look, the one 182 00:06:02,920 --> 00:06:05,019 half goes over. That looks like 183 00:06:05,020 --> 00:06:07,989 the two o'clock point. Then 184 00:06:07,990 --> 00:06:09,970 this is kind of flipping the coordinates. 185 00:06:11,080 --> 00:06:12,669 So now x is one half. 186 00:06:12,670 --> 00:06:14,739 So we're somewhere over here and the 187 00:06:14,740 --> 00:06:15,729 negative. 188 00:06:15,730 --> 00:06:18,339 So there would be five o'clock, 189 00:06:18,340 --> 00:06:20,109 and more points and more points and more 190 00:06:20,110 --> 00:06:20,589 points. 191 00:06:20,590 --> 00:06:21,939 Wasn't this supposed to be gentle? 192 00:06:24,760 --> 00:06:25,760 It is gentle. 193 00:06:32,760 --> 00:06:35,099 OK, OK, so, hey, hey, there's some points 194 00:06:35,100 --> 00:06:37,169 you didn't say. Oh, I'm sorry. So 195 00:06:37,170 --> 00:06:39,209 what, I guess you want to tell you about 196 00:06:39,210 --> 00:06:40,589 more points like this? Three fifths, 197 00:06:40,590 --> 00:06:41,939 four fifths. I mean, there you really 198 00:06:41,940 --> 00:06:43,559 have to use some fancy math to see that 199 00:06:43,560 --> 00:06:45,569 one has three fifths squared plus four 200 00:06:45,570 --> 00:06:46,570 fifths squared is one. 201 00:06:47,640 --> 00:06:48,989 That is another point on the clock. 202 00:06:48,990 --> 00:06:51,029 And it's not obvious which o'clock it is. 
203 00:06:51,030 --> 00:06:52,439 You have to really look at your watch to 204 00:06:52,440 --> 00:06:53,729 figure that out. Always bailing out of the 205 00:06:53,730 --> 00:06:54,539 tricky stuff. 206 00:06:54,540 --> 00:06:56,099 I'm sorry. Now you're bailing out of the 207 00:06:56,100 --> 00:06:57,929 tricky stuff. Bailing out of the tricky 208 00:06:57,930 --> 00:06:58,930 stuff. 209 00:07:01,170 --> 00:07:02,879 You mean, OK, OK, you really want me to 210 00:07:02,880 --> 00:07:04,239 do the square root of one half squared and 211 00:07:04,240 --> 00:07:06,719 one half? No, no, no, it's just 212 00:07:06,720 --> 00:07:08,339 I don't know where that point is, but I 213 00:07:08,340 --> 00:07:09,809 know it's on the clock. OK, you can 214 00:07:09,810 --> 00:07:11,369 figure out where the three fifths, four 215 00:07:11,370 --> 00:07:13,259 fifths point is in terms of time. 216 00:07:13,260 --> 00:07:15,539 You can make this a little more 217 00:07:15,540 --> 00:07:16,540 complicated 218 00:07:18,420 --> 00:07:20,219 by parametrizing the clock. 219 00:07:20,220 --> 00:07:22,319 So when people take points on 220 00:07:22,320 --> 00:07:23,909 the clock, they're thinking of time 221 00:07:23,910 --> 00:07:25,559 moving forward, like there's two o'clock, 222 00:07:25,560 --> 00:07:27,269 three o'clock, and you can add those and 223 00:07:27,270 --> 00:07:29,429 get five o'clock, two hours after three 224 00:07:29,430 --> 00:07:31,529 o'clock or three hours after two o'clock, 225 00:07:31,530 --> 00:07:32,649 and that's five o'clock. 226 00:07:32,650 --> 00:07:34,079 And here's a picture, which is something 227 00:07:34,080 --> 00:07:35,849 like maybe that's one thirty plus two 228 00:07:35,850 --> 00:07:37,859 o'clock is giving you three thirty, 229 00:07:37,860 --> 00:07:39,029 something like that. 
230 00:07:39,030 --> 00:07:41,609 So those are some points, P1, P2 and P3, 231 00:07:41,610 --> 00:07:43,709 on the clock, and you can add P1 and 232 00:07:43,710 --> 00:07:45,179 P2 to get P3. 233 00:07:45,180 --> 00:07:47,669 And here comes the really horrendous 234 00:07:47,670 --> 00:07:49,259 math part, which fortunately we're going 235 00:07:49,260 --> 00:07:51,089 to throw away in a moment, which is 236 00:07:51,090 --> 00:07:51,989 trigonometry. 237 00:07:51,990 --> 00:07:54,299 So if you want to do the 238 00:07:54,300 --> 00:07:56,999 point on the clock which 239 00:07:57,000 --> 00:07:59,459 has an angle of alpha, time 240 00:07:59,460 --> 00:08:01,439 of alpha starting from twelve o'clock, 241 00:08:01,440 --> 00:08:03,719 then that point is x equals sine 242 00:08:03,720 --> 00:08:05,849 of alpha, y equals cosine of alpha. 243 00:08:05,850 --> 00:08:07,649 And then if you remember, there were 244 00:08:07,650 --> 00:08:10,169 these horrendous trig formulas for sine 245 00:08:10,170 --> 00:08:12,359 of the sum of two angles and 246 00:08:12,360 --> 00:08:14,609 cosine of the sum of two angles, and 247 00:08:14,610 --> 00:08:16,979 sine of alpha one plus alpha two is 248 00:08:16,980 --> 00:08:19,049 sine of alpha one cosine of alpha two 249 00:08:19,050 --> 00:08:21,299 plus cosine of alpha one sine of alpha 250 00:08:21,300 --> 00:08:22,589 two. And there was something else like 251 00:08:22,590 --> 00:08:24,569 that for the, for the cosine. 252 00:08:24,570 --> 00:08:26,939 So you can add points on the clock 253 00:08:26,940 --> 00:08:29,339 using these sine and cosine formulas. 254 00:08:29,340 --> 00:08:31,049 Now, usually I convince people to come 255 00:08:31,050 --> 00:08:33,029 over to the crypto side by telling them, 256 00:08:33,030 --> 00:08:35,249 well, you can forget all of that 257 00:08:35,250 --> 00:08:36,989 non-discrete mathematics. 
258 00:08:36,990 --> 00:08:38,529 We like discrete mathematics, we're the 259 00:08:38,530 --> 00:08:39,509 discrete guys. 260 00:08:39,510 --> 00:08:41,579 So there won't be any sines and cosines 261 00:08:41,580 --> 00:08:42,599 wandering around. 262 00:08:42,600 --> 00:08:44,850 So, well, let's get rid of them. 263 00:08:45,990 --> 00:08:48,239 So we don't want to have 264 00:08:48,240 --> 00:08:49,919 sine, cosine. We actually would like to 265 00:08:49,920 --> 00:08:52,019 work with normal clock numbers. 266 00:08:54,060 --> 00:08:56,309 What I have over there with sine 267 00:08:56,310 --> 00:08:58,469 one, cosine two 268 00:08:58,470 --> 00:08:59,399 and so on, 269 00:08:59,400 --> 00:09:00,779 well, those are just my x and y 270 00:09:00,780 --> 00:09:02,879 coordinates. All I said here was that the 271 00:09:02,880 --> 00:09:04,949 x coordinate is the sine of 272 00:09:04,950 --> 00:09:07,199 alpha, the y coordinate is the cosine 273 00:09:07,200 --> 00:09:08,200 of alpha. 274 00:09:09,200 --> 00:09:11,149 So then in this whole mess here with the 275 00:09:11,150 --> 00:09:13,399 trigonometry formulas, I can just 276 00:09:13,400 --> 00:09:16,159 replace every sine of alpha 277 00:09:16,160 --> 00:09:18,139 by the corresponding x and every cosine 278 00:09:18,140 --> 00:09:19,880 of alpha by the corresponding y, 279 00:09:21,080 --> 00:09:23,209 which makes this much nicer, 280 00:09:23,210 --> 00:09:25,639 shorter, no trigonometry: 281 00:09:25,640 --> 00:09:26,779 addition formula. 282 00:09:26,780 --> 00:09:28,099 So, addition on the clock. 
283 00:09:28,100 --> 00:09:30,799 If somebody gives you two points x1, y1 284 00:09:30,800 --> 00:09:32,959 and x2, y2, then all you're going to do 285 00:09:32,960 --> 00:09:34,909 is you take the x coordinate of the first 286 00:09:34,910 --> 00:09:37,339 point and the y coordinate of the second point, 287 00:09:37,340 --> 00:09:39,619 multiply those, take the y coordinate 288 00:09:39,620 --> 00:09:40,969 of the first point, x coordinate of the 289 00:09:40,970 --> 00:09:43,039 second point, multiply those, and 290 00:09:43,040 --> 00:09:44,299 then add those together. 291 00:09:44,300 --> 00:09:45,980 That gives you the new x coordinate. 292 00:09:47,330 --> 00:09:47,879 y? 293 00:09:47,880 --> 00:09:49,969 Well, we went through the 294 00:09:49,970 --> 00:09:51,709 pain once and now we can just forget 295 00:09:51,710 --> 00:09:53,419 about where it came from. 296 00:09:53,420 --> 00:09:55,729 And then we do the same thing with the y 297 00:09:55,730 --> 00:09:57,529 coordinate, which is the product of the y 298 00:09:57,530 --> 00:09:59,179 coordinates minus the product of the x 299 00:09:59,180 --> 00:10:00,180 coordinates. 300 00:10:01,830 --> 00:10:04,199 OK, so here's some examples 301 00:10:04,200 --> 00:10:06,269 of clock addition. We still don't have the 302 00:10:06,270 --> 00:10:07,439 computer helping out here. 303 00:10:07,440 --> 00:10:09,239 So this is going to be some more painful 304 00:10:09,240 --> 00:10:11,189 arithmetic. Two o'clock plus five 305 00:10:11,190 --> 00:10:12,929 o'clock. We all remember, this is going to 306 00:10:12,930 --> 00:10:14,549 be on the test. Two o'clock was the 307 00:10:14,550 --> 00:10:16,529 square root of three quarters, one half, that 308 00:10:16,530 --> 00:10:17,849 she was talking about at the beginning. 309 00:10:17,850 --> 00:10:20,309 And five o'clock was one half and minus 310 00:10:20,310 --> 00:10:21,509 square root of three quarters. 
311 00:10:21,510 --> 00:10:23,429 And if you plug those into the formulas, 312 00:10:23,430 --> 00:10:25,529 they're, all right, I'll try this: x1 is 313 00:10:25,530 --> 00:10:27,479 square root of three quarters and y1 is 314 00:10:27,480 --> 00:10:29,579 one half, and x2 315 00:10:29,580 --> 00:10:31,859 is one half and y2 is minus square root 316 00:10:31,860 --> 00:10:34,109 of three quarters. If you do x1 times 317 00:10:34,110 --> 00:10:36,089 y2, that's the square root of three 318 00:10:36,090 --> 00:10:37,769 quarters times the minus square root of 319 00:10:37,770 --> 00:10:39,809 three quarters, which is minus three 320 00:10:39,810 --> 00:10:42,419 quarters. And then the y1 times x2, 321 00:10:42,420 --> 00:10:44,369 that's like one half times one half, 322 00:10:44,370 --> 00:10:45,959 which is one quarter. 323 00:10:45,960 --> 00:10:47,729 Add those together and it's something 324 00:10:47,730 --> 00:10:49,769 like minus one half, and you do a similar 325 00:10:49,770 --> 00:10:51,569 calculation, you get the second part of 326 00:10:51,570 --> 00:10:53,279 the result, and you realize that two 327 00:10:53,280 --> 00:10:54,689 o'clock plus five o'clock with these 328 00:10:54,690 --> 00:10:56,639 formulas is what you wanted it to be, 329 00:10:56,640 --> 00:10:58,169 namely seven o'clock. 330 00:10:58,170 --> 00:11:00,059 And similarly, you can do five o'clock 331 00:11:00,060 --> 00:11:01,979 plus nine o'clock, which I think I will 332 00:11:01,980 --> 00:11:03,719 skip. Maybe you would have liked to go 333 00:11:03,720 --> 00:11:05,429 through that one. But let's try another 334 00:11:05,430 --> 00:11:07,139 example. You can take three fifths, 335 00:11:07,140 --> 00:11:08,969 four fifths and add it to itself. 336 00:11:08,970 --> 00:11:11,129 That's what that two times three fifths, 337 00:11:11,130 --> 00:11:12,059 four fifths means. 338 00:11:12,060 --> 00:11:13,769 And three fifths, 
four fifths plus three 339 00:11:13,770 --> 00:11:14,939 fifths, four fifths. 340 00:11:14,940 --> 00:11:17,039 And you can just, well, plug those 341 00:11:17,040 --> 00:11:18,389 into the formulas, and you don't have to 342 00:11:18,390 --> 00:11:19,499 know which o'clock it is. 343 00:11:19,500 --> 00:11:21,119 You just get some answer out of that: 344 00:11:21,120 --> 00:11:22,979 twenty-four twenty-fifths and seven 345 00:11:22,980 --> 00:11:24,779 twenty-fifths. And you can keep adding 346 00:11:24,780 --> 00:11:26,939 more and more copies of this 347 00:11:26,940 --> 00:11:28,169 point to itself. 348 00:11:28,170 --> 00:11:29,519 Three times three fifths, 349 00:11:29,520 --> 00:11:31,199 four fifths. So that's the point 350 00:11:31,200 --> 00:11:32,939 plus itself plus itself again. 351 00:11:32,940 --> 00:11:34,499 And just plug it into the formulas and 352 00:11:34,500 --> 00:11:36,599 you get something with, 353 00:11:36,600 --> 00:11:38,879 well, more digits, and as you keep adding 354 00:11:38,880 --> 00:11:40,199 more and more copies you get more and 355 00:11:40,200 --> 00:11:42,359 more digits in the denominator there, the 356 00:11:42,360 --> 00:11:43,709 six twenty-five. And it keeps getting 357 00:11:43,710 --> 00:11:44,710 bigger. 358 00:11:45,150 --> 00:11:47,429 You can also try adding any point 359 00:11:47,430 --> 00:11:49,139 you want, without even knowing what it is, 360 00:11:49,140 --> 00:11:51,239 to twelve o'clock, twelve o'clock 361 00:11:51,240 --> 00:11:52,709 being zero comma one. 362 00:11:52,710 --> 00:11:54,269 And if you plug those into the formulas, 363 00:11:54,270 --> 00:11:56,039 you get twelve o'clock plus three o'clock 364 00:11:56,040 --> 00:11:57,689 is three o'clock, plus five o'clock, 365 00:11:57,690 --> 00:11:58,979 it's five o'clock. Twelve o'clock plus 366 00:11:58,980 --> 00:12:01,589 anything is that thing back again. 
367 00:12:01,590 --> 00:12:03,239 And that just pops right out of the 368 00:12:03,240 --> 00:12:05,759 general formula for adding two points. 369 00:12:05,760 --> 00:12:07,859 One last example of how you can 370 00:12:07,860 --> 00:12:09,479 work with this addition formula. 371 00:12:09,480 --> 00:12:11,579 If you take, say, ten o'clock plus 372 00:12:11,580 --> 00:12:13,469 two o'clock, that should be twelve 373 00:12:13,470 --> 00:12:15,689 o'clock, and, well, ten plus 374 00:12:15,690 --> 00:12:17,429 two is twelve. If you take anything 375 00:12:17,430 --> 00:12:19,199 that's sort of opposite, like that was 376 00:12:19,200 --> 00:12:21,149 ten and two, if you take nine and three 377 00:12:21,150 --> 00:12:23,039 or eleven and one and anything where it's 378 00:12:23,040 --> 00:12:25,049 the same height, same y coordinate, but 379 00:12:25,050 --> 00:12:26,969 the x's are negated, those will add 380 00:12:26,970 --> 00:12:29,039 together to get twelve o'clock, and you 381 00:12:29,040 --> 00:12:31,319 can just try plugging x1, y1 382 00:12:31,320 --> 00:12:33,269 and minus x1, y1 into the formula. 383 00:12:33,270 --> 00:12:34,259 Let's try that. 384 00:12:34,260 --> 00:12:36,359 If you say x2 is minus x1 385 00:12:36,360 --> 00:12:37,829 and y2 is y1, 386 00:12:37,830 --> 00:12:40,019 and you plug that into the formula, then 387 00:12:40,020 --> 00:12:42,689 you see the first coordinate, the first 388 00:12:42,690 --> 00:12:44,849 coordinate of the answer here is 389 00:12:44,850 --> 00:12:47,069 x1 times y2, y2 was y1, 390 00:12:47,070 --> 00:12:49,509 and then y1 times x2. 391 00:12:49,510 --> 00:12:51,120 Let's see, x2. 392 00:12:52,530 --> 00:12:53,999 Sorry, x2 is minus x1, 393 00:12:54,000 --> 00:12:56,099 so you get minus 394 00:12:56,100 --> 00:12:58,199 x1 y1 and x1 y1, which 395 00:12:58,200 --> 00:13:00,329 adds up to zero, which is 396 00:13:00,330 --> 00:13:01,979 what we wanted for twelve o'clock. 
397 00:13:01,980 --> 00:13:03,329 And then with a little more work, the 398 00:13:03,330 --> 00:13:05,549 second part here, y1 y2, 399 00:13:05,550 --> 00:13:07,799 that's y1 times y1, 400 00:13:07,800 --> 00:13:10,469 and then minus x1 x2, that's 401 00:13:10,470 --> 00:13:12,599 minus x1 times minus x1, 402 00:13:12,600 --> 00:13:14,669 which is plus x1 squared. 403 00:13:14,670 --> 00:13:17,039 So y1 squared plus x1 squared, 404 00:13:17,040 --> 00:13:18,839 which equals one. 405 00:13:18,840 --> 00:13:21,149 So the second part of the answer is one. 406 00:13:21,150 --> 00:13:22,619 So just a little bit of playing around 407 00:13:22,620 --> 00:13:24,119 with additions and multiplications and 408 00:13:24,120 --> 00:13:26,309 you can use this formula to add all 409 00:13:26,310 --> 00:13:27,759 sorts of points. 410 00:13:27,760 --> 00:13:29,859 OK, now let's make this even more 411 00:13:29,860 --> 00:13:32,249 discrete. Let's forget about, like, 412 00:13:32,250 --> 00:13:34,049 the circle, which has infinitely many 413 00:13:34,050 --> 00:13:36,179 points. You can just take any real 414 00:13:36,180 --> 00:13:38,069 number and just take square roots. 415 00:13:38,070 --> 00:13:40,199 Let's do this with a very small set of 416 00:13:40,200 --> 00:13:42,749 elements. Let's do clocks over 417 00:13:42,750 --> 00:13:44,309 finite fields. 418 00:13:44,310 --> 00:13:46,589 So I'm now just restricting myself 419 00:13:46,590 --> 00:13:48,929 to the numbers zero, one, two, ..., six. 420 00:13:50,000 --> 00:13:52,309 So that's what this F7 421 00:13:52,310 --> 00:13:54,409 is there, and I will 422 00:13:54,410 --> 00:13:56,359 also want to add those numbers, I want to 423 00:13:56,360 --> 00:13:57,909 multiply those numbers. 424 00:13:57,910 --> 00:14:00,109 Now, if I multiply those numbers, say two 425 00:14:00,110 --> 00:14:01,709 times five, this is bigger. 426 00:14:01,710 --> 00:14:03,769 That's 10. 
That's bigger than the set 427 00:14:03,770 --> 00:14:06,109 that we have available there. 428 00:14:06,110 --> 00:14:07,909 If we're only allowing six as the largest 429 00:14:07,910 --> 00:14:09,949 number, then 10 is not in the set. 430 00:14:09,950 --> 00:14:12,049 So then I will reduce, I will take the 431 00:14:12,050 --> 00:14:14,629 remainder modulo seven. 432 00:14:14,630 --> 00:14:16,649 So we promised some Python snippets. 433 00:14:18,170 --> 00:14:20,329 So here is how we can, for instance, find 434 00:14:20,330 --> 00:14:21,319 all those elements. 435 00:14:21,320 --> 00:14:23,629 So I'll just run through all x 436 00:14:23,630 --> 00:14:25,909 between zero and seven, all y between 437 00:14:25,910 --> 00:14:28,189 zero and seven, and just check whether 438 00:14:28,190 --> 00:14:30,589 x times x plus y times y 439 00:14:30,590 --> 00:14:31,590 is one. 440 00:14:32,240 --> 00:14:35,299 If so, I print the tuple x, y, 441 00:14:35,300 --> 00:14:37,339 and then push return and you get those 442 00:14:37,340 --> 00:14:39,109 points and those points. 443 00:14:39,110 --> 00:14:41,629 Now for the picture we didn't use 444 00:14:41,630 --> 00:14:44,539 zero to six, we would like to keep the symmetry. 445 00:14:44,540 --> 00:14:47,029 So here we used minus 446 00:14:47,030 --> 00:14:47,989 three to plus three. 447 00:14:47,990 --> 00:14:50,059 So minus three is over here, plus 448 00:14:50,060 --> 00:14:52,249 three is over here, minus three in the y 449 00:14:52,250 --> 00:14:53,689 direction, plus three in the y 450 00:14:53,690 --> 00:14:55,999 direction. So this is the point zero, one, 451 00:14:56,000 --> 00:14:57,439 the same point that we had on the clock 452 00:14:57,440 --> 00:14:58,519 before. 453 00:14:58,520 --> 00:15:00,439 This is the one, zero. 454 00:15:00,440 --> 00:15:02,929 And this here then is the clock 455 00:15:02,930 --> 00:15:05,359 point, I see, the finite field clock 456 00:15:05,360 --> 00:15:06,360 point two, two. 
457 00:15:08,940 --> 00:15:11,309 OK, if you want to use clock 458 00:15:11,310 --> 00:15:13,379 addition with the same clock 459 00:15:13,380 --> 00:15:14,909 addition function that you might have 460 00:15:14,910 --> 00:15:16,859 written, which we'll show you in a moment, 461 00:15:16,860 --> 00:15:19,139 to add points on the clock over 462 00:15:19,140 --> 00:15:21,209 the reals, then it's 463 00:15:21,210 --> 00:15:23,489 helpful if you can write plus and minus 464 00:15:23,490 --> 00:15:25,409 and times which automatically do this 465 00:15:25,410 --> 00:15:27,839 reduction mod seven. And 466 00:15:27,840 --> 00:15:29,549 in Python, you can set up a plus and 467 00:15:29,550 --> 00:15:31,679 minus and times for an F7 type, 468 00:15:31,680 --> 00:15:33,509 an F7 class, which are separate 469 00:15:33,510 --> 00:15:35,559 from the usual plus, minus and times 470 00:15:35,560 --> 00:15:37,439 for integers. If you want to set this up, 471 00:15:37,440 --> 00:15:39,179 first thing to do is, well, here's an F7 472 00:15:39,180 --> 00:15:41,399 class which will read an 473 00:15:41,400 --> 00:15:43,799 integer x and initialize, 474 00:15:43,800 --> 00:15:46,079 construct an F7 element, which 475 00:15:46,080 --> 00:15:48,239 is that integer mod seven, stored 476 00:15:48,240 --> 00:15:50,879 in the component of this 477 00:15:50,880 --> 00:15:51,839 new instance. 478 00:15:51,840 --> 00:15:54,299 For instance, if you take F7 of 479 00:15:54,300 --> 00:15:56,709 seven, it'll compute seven mod 480 00:15:56,710 --> 00:15:58,859 seven, and 481 00:15:58,860 --> 00:16:00,749 the remainder there, the quotient is one, 482 00:16:00,750 --> 00:16:02,909 remainder of zero, and put zero 483 00:16:02,910 --> 00:16:03,929 into self.int. 484 00:16:03,930 --> 00:16:05,759 Then this __str__ and __repr__, maybe not the 485 00:16:05,760 --> 00:16:07,319 most professional ways of printing 486 00:16:07,320 --> 00:16:08,639 things. 
You might want to print something 487 00:16:08,640 --> 00:16:10,559 like print out the fact that this is F 488 00:16:10,560 --> 00:16:12,419 seven. We're just printing the integer 489 00:16:12,420 --> 00:16:14,579 that you get if you take seven and 490 00:16:14,580 --> 00:16:16,289 initialize one of these things: seven 491 00:16:16,290 --> 00:16:18,509 mod seven, zero, and ten mod seven. 492 00:16:18,510 --> 00:16:20,069 That was the example you had a moment 493 00:16:20,070 --> 00:16:22,019 ago. That gives you a remainder of three, 494 00:16:22,020 --> 00:16:23,489 and twenty mod seven. 495 00:16:23,490 --> 00:16:25,409 Subtract a seven, subtract seven again. 496 00:16:25,410 --> 00:16:27,479 You get a six. So you can put in anything 497 00:16:27,480 --> 00:16:28,919 you want into this F seven. 498 00:16:28,920 --> 00:16:30,389 Any integer you want, you get that 499 00:16:30,390 --> 00:16:32,909 integer mod seven. And now 500 00:16:32,910 --> 00:16:36,239 we can add in some more functions 501 00:16:36,240 --> 00:16:38,519 to F seven instances. 502 00:16:38,520 --> 00:16:40,469 For instance, you can have an equality 503 00:16:40,470 --> 00:16:41,939 test. Python's default 504 00:16:41,940 --> 00:16:43,409 equality is pretty stupid. 505 00:16:43,410 --> 00:16:45,089 So you tell it: what I actually want 506 00:16:45,090 --> 00:16:47,549 equality to do is compare the 507 00:16:47,550 --> 00:16:49,709 int parts of 508 00:16:49,710 --> 00:16:51,839 the F seven values 509 00:16:51,840 --> 00:16:54,239 and then, OK, now this F seven type 510 00:16:54,240 --> 00:16:56,009 has been augmented with an equality and 511 00:16:56,010 --> 00:16:57,839 you can see that F seven of ten and F 512 00:16:57,840 --> 00:16:59,909 seven of three are equal to each other, F 513 00:16:59,910 --> 00:17:01,859 seven of zero and F seven of two are not 514 00:17:01,860 --> 00:17:02,819 equal to each other. 
515 00:17:02,820 --> 00:17:04,889 So we've got zero through six expressing 516 00:17:04,890 --> 00:17:07,379 the possibilities for the values 517 00:17:07,380 --> 00:17:09,509 of a variable with this type. 518 00:17:09,510 --> 00:17:11,818 And then here goes the 519 00:17:11,819 --> 00:17:14,459 addition, subtraction and multiplication. 520 00:17:14,460 --> 00:17:15,719 What you can see, let's look at the 521 00:17:15,720 --> 00:17:17,699 addition. That's the typical case. You 522 00:17:17,700 --> 00:17:19,889 take two, A and B, coming in 523 00:17:19,890 --> 00:17:22,139 and then take the integer 524 00:17:22,140 --> 00:17:24,449 inside A, zero through six, integer inside 525 00:17:24,450 --> 00:17:26,608 B, zero through six, add them together, get 526 00:17:26,609 --> 00:17:28,199 zero through twelve and then put that 527 00:17:28,200 --> 00:17:30,209 back into the F7 constructor. 528 00:17:30,210 --> 00:17:31,949 And so now you've got zero through six 529 00:17:31,950 --> 00:17:33,809 again. And there are some examples at the 530 00:17:33,810 --> 00:17:36,149 bottom of, well, two plus five is zero, 531 00:17:36,150 --> 00:17:38,729 two minus five is minus three, 532 00:17:38,730 --> 00:17:41,159 which is four. If you're programming 533 00:17:41,160 --> 00:17:42,929 in C, by the way, beware the percent 534 00:17:42,930 --> 00:17:44,639 doesn't do the mod that we want 535 00:17:44,640 --> 00:17:46,709 mathematically. Python's percent does the 536 00:17:46,710 --> 00:17:48,479 right thing, in C it'll give you negative 537 00:17:48,480 --> 00:17:50,579 numbers. Percent in Python always gives 538 00:17:50,580 --> 00:17:52,619 you zero through six, or zero through 539 00:17:52,620 --> 00:17:53,729 whatever number you took, 540 00:17:55,110 --> 00:17:56,069 and two times five. 541 00:17:56,070 --> 00:17:57,869 That was that example again of ten which 542 00:17:57,870 --> 00:17:59,279 mod seven gives you three. 
543 00:18:01,930 --> 00:18:04,449 OK, so now we have seen a small clock 544 00:18:04,450 --> 00:18:06,309 with just all the elements we could just 545 00:18:06,310 --> 00:18:08,289 run through, well, forty-nine elements, and 546 00:18:08,290 --> 00:18:09,879 try them. Now, 547 00:18:09,880 --> 00:18:11,409 everything that Dan just showed with the 548 00:18:11,410 --> 00:18:13,839 Python setup, I can replace the 549 00:18:13,840 --> 00:18:16,539 seven by a larger number, a million and three. 550 00:18:16,540 --> 00:18:18,069 That's also a prime. 551 00:18:18,070 --> 00:18:19,929 And now I would like to define the 552 00:18:19,930 --> 00:18:21,489 addition of curve points. 553 00:18:21,490 --> 00:18:24,609 So this is just what we did on the 554 00:18:24,610 --> 00:18:26,229 real clock before. 555 00:18:26,230 --> 00:18:28,359 Now I'm going to plug in elements 556 00:18:28,360 --> 00:18:30,129 mod a million and three. 557 00:18:30,130 --> 00:18:32,709 So I take my point and I 558 00:18:32,710 --> 00:18:35,259 do the x1 y2 plus y1 559 00:18:35,260 --> 00:18:37,509 x2 and so on, and then I return 560 00:18:37,510 --> 00:18:38,679 the point. 561 00:18:38,680 --> 00:18:40,749 So let's take an example of 562 00:18:40,750 --> 00:18:42,909 this. So one of those 563 00:18:42,910 --> 00:18:44,829 many points I plug in, the X is a 564 00:18:44,830 --> 00:18:46,899 thousand, remember, it's mod a 565 00:18:46,900 --> 00:18:48,999 million and three, 566 00:18:49,000 --> 00:18:51,429 and then I check is there a y coordinate 567 00:18:51,430 --> 00:18:52,359 which fits with this. 568 00:18:52,360 --> 00:18:54,279 And now in this case, nice enough, two 569 00:18:54,280 --> 00:18:55,629 works. 570 00:18:55,630 --> 00:18:57,579 Well yeah, kind of. 
571 00:18:57,580 --> 00:18:59,799 So if I have a thousand that gives me 572 00:18:59,800 --> 00:19:02,139 a million when I square it, and two 573 00:19:02,140 --> 00:19:04,449 gives me four and that's just one 574 00:19:04,450 --> 00:19:05,799 larger than a million and three. 575 00:19:05,800 --> 00:19:07,779 So that's a valid point. 576 00:19:07,780 --> 00:19:10,089 So I can now take this point 577 00:19:10,090 --> 00:19:12,219 and add it to itself. 578 00:19:13,330 --> 00:19:15,699 Just plug it into the addition, that gives 579 00:19:15,700 --> 00:19:17,799 four thousand, seven. I can add it to 580 00:19:17,800 --> 00:19:19,899 itself again, I can add it again, 581 00:19:19,900 --> 00:19:22,239 again, again till I get to say six times 582 00:19:22,240 --> 00:19:22,869 the point. 583 00:19:22,870 --> 00:19:25,029 So six times a point means take 584 00:19:25,030 --> 00:19:27,429 the point plus the point plus the point. 585 00:19:27,430 --> 00:19:29,649 In the end, I have six copies, 586 00:19:29,650 --> 00:19:32,529 add them together and I get this point. 587 00:19:32,530 --> 00:19:33,899 Now, of course, when you see this you're 588 00:19:33,900 --> 00:19:35,589 like, oh, wait a second, do I really need 589 00:19:35,590 --> 00:19:37,259 to do all these five additions? 590 00:19:38,470 --> 00:19:40,659 No. If I, for instance, had stopped 591 00:19:40,660 --> 00:19:42,789 at P three, 592 00:19:42,790 --> 00:19:44,889 that's three times the point, and 593 00:19:44,890 --> 00:19:47,079 then do the addition P three plus 594 00:19:47,080 --> 00:19:49,299 P three. So that's three copies plus 595 00:19:49,300 --> 00:19:50,319 another three copies. 596 00:19:50,320 --> 00:19:51,909 That's also six copies. 597 00:19:51,910 --> 00:19:53,979 So these two things give me the same. 598 00:19:56,150 --> 00:19:58,159 So if I want to do this, well, 599 00:19:58,160 --> 00:20:00,139 professionally, here is how I would 600 00:20:00,140 --> 00:20:01,969 define the scalar multiplication. 
601 00:20:01,970 --> 00:20:04,759 OK, so this is a recursive function 602 00:20:04,760 --> 00:20:07,549 for computing n times P. 603 00:20:07,550 --> 00:20:10,009 You have any point P and any scalar, 604 00:20:10,010 --> 00:20:11,809 any integer n that you want, a 605 00:20:11,810 --> 00:20:13,999 non-negative integer. And we're only 606 00:20:14,000 --> 00:20:15,379 going to work with non-negative 607 00:20:15,380 --> 00:20:17,299 integers here. And you take that n. 608 00:20:17,300 --> 00:20:19,489 If it's zero, then you return the 12 609 00:20:19,490 --> 00:20:20,089 o'clock point. 610 00:20:20,090 --> 00:20:22,279 If it's one, you return the point, one 611 00:20:22,280 --> 00:20:24,499 times P is P, and then, well, 612 00:20:24,500 --> 00:20:26,749 if n is even 613 00:20:26,750 --> 00:20:29,059 then that n//2, 614 00:20:29,060 --> 00:20:31,039 Python, slightly changing its notation 615 00:20:31,040 --> 00:20:33,439 over the years, has a right way to take 616 00:20:33,440 --> 00:20:35,689 an integer, divide it by two, throw away 617 00:20:35,690 --> 00:20:37,969 the remainder, so that if n 618 00:20:37,970 --> 00:20:39,769 is even that's exactly n over 619 00:20:39,770 --> 00:20:41,989 two, and this recursively computes 620 00:20:41,990 --> 00:20:44,209 n over two times P, like three times P 621 00:20:44,210 --> 00:20:45,889 for instance if n equals six. 622 00:20:45,890 --> 00:20:48,169 And then does clock add of Q, 623 00:20:48,170 --> 00:20:50,419 Q, to double that n over two times 624 00:20:50,420 --> 00:20:51,679 P, getting nP. 625 00:20:51,680 --> 00:20:53,839 If n is odd then that n 626 00:20:53,840 --> 00:20:56,179 over two is, well, n//2 627 00:20:56,180 --> 00:20:58,279 means take away the remainder of 628 00:20:58,280 --> 00:21:00,769 one, you get n minus one divided by two, 629 00:21:00,770 --> 00:21:02,989 and then take that times P, double 630 00:21:02,990 --> 00:21:04,639 that. 
That gives you n minus one times 631 00:21:04,640 --> 00:21:05,809 P. And then, 632 00:21:05,810 --> 00:21:07,939 that's that, if n mod two 633 00:21:07,940 --> 00:21:10,099 is non-zero then you add P to Q. 634 00:21:10,100 --> 00:21:12,169 And finally you get n times P in all 635 00:21:12,170 --> 00:21:13,519 the different cases. 636 00:21:13,520 --> 00:21:15,709 And then we tried this for some six 637 00:21:15,710 --> 00:21:17,809 digit number n which isn't shown here on 638 00:21:17,810 --> 00:21:20,299 the slide. It's secret, it's secret. 639 00:21:20,300 --> 00:21:23,089 And it took something like 30 640 00:21:23,090 --> 00:21:24,949 clock additions, not very many 641 00:21:24,950 --> 00:21:26,119 multiplications, to compute 642 00:21:26,120 --> 00:21:28,009 n times P. It was very fast, instantly 643 00:21:28,010 --> 00:21:29,719 comes out. And there's the answer. 644 00:21:29,720 --> 00:21:31,699 There's the X and Y coordinates of n 645 00:21:31,700 --> 00:21:33,949 times P for whichever 646 00:21:33,950 --> 00:21:35,179 secret n it was. 647 00:21:35,180 --> 00:21:37,309 And now it's not 648 00:21:37,310 --> 00:21:38,989 so obvious how to figure out what the n 649 00:21:38,990 --> 00:21:40,939 is. If you see this n times P, then 650 00:21:40,940 --> 00:21:42,439 working backwards to the n, you know 651 00:21:42,440 --> 00:21:45,109 what P is, you know what n times P is, 652 00:21:45,110 --> 00:21:47,329 and n is not too big, OK, it's only a million 653 00:21:47,330 --> 00:21:49,189 possibilities. This is not some really 654 00:21:49,190 --> 00:21:51,259 fancy computation, but it's still, it'll 655 00:21:51,260 --> 00:21:53,419 take a moment to do it. 
656 00:21:53,420 --> 00:21:54,949 It's something where the computer will 657 00:21:54,950 --> 00:21:55,999 have to chug along through some 658 00:21:56,000 --> 00:21:57,739 computations and, well, maybe you can try 659 00:21:57,740 --> 00:21:59,479 to make that faster, but then we could 660 00:21:59,480 --> 00:22:01,069 try to make the numbers bigger. Instead of 661 00:22:01,070 --> 00:22:02,869 a million and three, we could still do n 662 00:22:02,870 --> 00:22:05,179 times P when n is much bigger and the 663 00:22:05,180 --> 00:22:06,469 million and three is a much bigger 664 00:22:06,470 --> 00:22:07,429 prime. 665 00:22:07,430 --> 00:22:08,689 So there's a little challenge if you'd 666 00:22:08,690 --> 00:22:11,169 like to try figuring out what this is, 667 00:22:11,170 --> 00:22:12,829 this is harder than sending an 668 00:22:12,830 --> 00:22:14,179 SMS to that phone number that 669 00:22:14,180 --> 00:22:15,180 doesn't work. 670 00:22:17,750 --> 00:22:19,639 All right. Now, let's assume that we make 671 00:22:19,640 --> 00:22:20,989 this much, much harder. 672 00:22:20,990 --> 00:22:22,639 So we make it so hard that we feel like 673 00:22:22,640 --> 00:22:24,529 we want to use it for crypto. 674 00:22:24,530 --> 00:22:26,419 So if somebody would like to standardize 675 00:22:26,420 --> 00:22:27,919 clock cryptography, then here's what you 676 00:22:27,920 --> 00:22:30,139 do, is you start by standardizing a 677 00:22:30,140 --> 00:22:31,219 big prime. 678 00:22:31,220 --> 00:22:33,559 So like big, not a million, like 679 00:22:33,560 --> 00:22:35,749 really big, like several thousand 680 00:22:35,750 --> 00:22:36,889 bits. 681 00:22:36,890 --> 00:22:38,749 And you also standardize a base point. 
682 00:22:38,750 --> 00:22:40,549 So that means this P on the previous 683 00:22:40,550 --> 00:22:42,559 slide, the P where we say, well, we give 684 00:22:42,560 --> 00:22:44,659 you P, we give you n times P, we just 685 00:22:44,660 --> 00:22:46,219 don't give you n. 686 00:22:46,220 --> 00:22:47,629 So let's assume that somebody gives you a 687 00:22:47,630 --> 00:22:49,819 little p, which is the prime, and this 688 00:22:49,820 --> 00:22:51,979 base point big P, X and Y 689 00:22:51,980 --> 00:22:53,660 coordinates which are on the clock. 690 00:22:54,740 --> 00:22:56,209 Then what Alice and Bob are doing is they 691 00:22:56,210 --> 00:22:57,289 want to communicate. 692 00:22:57,290 --> 00:22:59,359 So I would like to send something over to 693 00:22:59,360 --> 00:23:00,769 Dan here. 694 00:23:00,770 --> 00:23:01,770 I'm Bob. 695 00:23:02,450 --> 00:23:03,769 Then Alice picks, 696 00:23:03,770 --> 00:23:06,289 well, I pick my secret a, compute 697 00:23:06,290 --> 00:23:08,419 a times the base point. 698 00:23:08,420 --> 00:23:09,859 Now that's a computation you just saw on 699 00:23:09,860 --> 00:23:11,539 the previous slide. It's still 700 00:23:11,540 --> 00:23:12,229 visible there. 701 00:23:12,230 --> 00:23:14,419 So that's just like logarithmic 702 00:23:14,420 --> 00:23:15,539 time in the size 703 00:23:16,700 --> 00:23:19,009 of a, and then I send this over 704 00:23:19,010 --> 00:23:20,929 to him, and now I guess I have to 705 00:23:20,930 --> 00:23:21,409 compute. 706 00:23:21,410 --> 00:23:23,389 I take my own big secret, which I'm not 707 00:23:23,390 --> 00:23:24,799 going to tell anybody, and I do my 708 00:23:24,800 --> 00:23:27,289 computation of b times that same standard 709 00:23:27,290 --> 00:23:29,839 X, Y and I send back my b times 710 00:23:29,840 --> 00:23:31,459 X comma Y over to Alice. 711 00:23:31,460 --> 00:23:31,939 All right. 
712 00:23:31,940 --> 00:23:34,189 So now I have his b times 713 00:23:34,190 --> 00:23:36,439 the base point. He has my a times the base 714 00:23:36,440 --> 00:23:39,649 point. Now I still remember what my a is. 715 00:23:39,650 --> 00:23:42,139 I take this a and 716 00:23:42,140 --> 00:23:44,719 the new point that he just sent me 717 00:23:44,720 --> 00:23:47,629 and plug this point into the multiplication. 718 00:23:47,630 --> 00:23:49,309 So I'm doing the same steps, the same, 719 00:23:49,310 --> 00:23:51,499 well, add the point to itself 720 00:23:51,500 --> 00:23:53,719 and sometimes add the point to 721 00:23:53,720 --> 00:23:54,649 the point you sent me. 722 00:23:54,650 --> 00:23:56,839 So the same steps here except for 723 00:23:56,840 --> 00:23:59,089 now this is the point that you sent me, 724 00:23:59,090 --> 00:24:01,459 it's no longer the base point. 725 00:24:01,460 --> 00:24:03,619 And this way I compute a times b 726 00:24:03,620 --> 00:24:04,620 times P. 727 00:24:05,790 --> 00:24:08,069 OK, now I get her a times X, comma 728 00:24:08,070 --> 00:24:10,239 Y, and I take my secret b and multiply 729 00:24:10,240 --> 00:24:12,299 by the a times X, Y 730 00:24:12,300 --> 00:24:14,699 and I get my b times a times 731 00:24:14,700 --> 00:24:16,009 the point X comma Y, 732 00:24:17,520 --> 00:24:19,799 and now we've got the same result. 733 00:24:19,800 --> 00:24:22,079 Now we've got, she's computed a b 734 00:24:22,080 --> 00:24:24,239 times X, Y, I've computed b a times X, 735 00:24:24,240 --> 00:24:25,439 Y, which is the same thing. 736 00:24:25,440 --> 00:24:27,689 They're both a times b multiples of 737 00:24:27,690 --> 00:24:29,999 X, Y, a times b copies 738 00:24:30,000 --> 00:24:31,409 of X, Y added together. 739 00:24:31,410 --> 00:24:33,329 And now we use the shared secret to encrypt 740 00:24:33,330 --> 00:24:34,379 data. 741 00:24:34,380 --> 00:24:35,789 All right. 
We also have a picture of this, 742 00:24:35,790 --> 00:24:37,469 just in case it wasn't clear who is 743 00:24:37,470 --> 00:24:39,179 involved. So you see how the messages are 744 00:24:39,180 --> 00:24:39,839 flying. 745 00:24:39,840 --> 00:24:41,999 Now, if you're the eavesdropper, 746 00:24:42,000 --> 00:24:43,289 you want to figure out what we've been 747 00:24:43,290 --> 00:24:44,820 doing, you can't see 748 00:24:46,070 --> 00:24:47,809 what I'm doing here, you can't see what Dan 749 00:24:47,810 --> 00:24:49,909 is doing here, all you can see is what is 750 00:24:49,910 --> 00:24:51,979 sent here and you know what 751 00:24:51,980 --> 00:24:53,749 the little p is and what the base point 752 00:24:53,750 --> 00:24:54,750 is. 753 00:24:56,290 --> 00:24:58,629 At least we wish so. Well, 754 00:24:58,630 --> 00:24:59,799 so there are some caveats. 755 00:25:01,320 --> 00:25:03,579 Don't use just any p. 756 00:25:03,580 --> 00:25:05,499 Many choices of p are unsafe. 757 00:25:06,520 --> 00:25:07,520 Warning two. 758 00:25:09,720 --> 00:25:11,579 This is still the clock, and we said at 759 00:25:11,580 --> 00:25:12,989 the beginning, clocks are not elliptic 760 00:25:12,990 --> 00:25:14,609 curves, only elliptic curves are. 761 00:25:14,610 --> 00:25:16,439 So actually the clocks are pretty much 762 00:25:16,440 --> 00:25:18,359 the same as doing, say, RSA 763 00:25:18,360 --> 00:25:19,709 or finite field DH when it comes to 764 00:25:19,710 --> 00:25:20,909 security. 765 00:25:20,910 --> 00:25:22,559 So if you want to match something which 766 00:25:22,560 --> 00:25:24,269 is RSA at three thousand seventy two 767 00:25:24,270 --> 00:25:26,429 bits, then your clock needs to, 768 00:25:26,430 --> 00:25:28,589 the prime of the clock 769 00:25:28,590 --> 00:25:30,119 needs to have fifteen hundred 770 00:25:30,120 --> 00:25:32,279 thirty six. So half as many bits as 771 00:25:32,280 --> 00:25:33,389 the RSA number. 
772 00:25:33,390 --> 00:25:35,220 That's not actually what you wanted. 773 00:25:36,420 --> 00:25:37,420 And then. 774 00:25:39,290 --> 00:25:41,659 OK, third warning is timing 775 00:25:41,660 --> 00:25:43,879 attacks. A lot of you were at 776 00:25:43,880 --> 00:25:46,099 the talk earlier about, well, about the 777 00:25:46,100 --> 00:25:48,679 attacks against SSL, where 778 00:25:48,680 --> 00:25:50,689 a lot of the information coming out of a 779 00:25:50,690 --> 00:25:53,029 server under attack or a client 780 00:25:53,030 --> 00:25:55,459 under attack is from timing. 781 00:25:55,460 --> 00:25:57,259 The attacker doesn't just look at the 782 00:25:57,260 --> 00:25:59,389 eavesdropping of a times X, Y and b 783 00:25:59,390 --> 00:26:00,019 times X, Y. 784 00:26:00,020 --> 00:26:02,359 The public sees, the attacker sees how 785 00:26:02,360 --> 00:26:04,519 long it took you to do computations. 786 00:26:04,520 --> 00:26:07,339 A lot of times the attacker can even see 787 00:26:07,340 --> 00:26:09,469 how long it took you for each individual 788 00:26:09,470 --> 00:26:11,359 operation that you were doing, because 789 00:26:11,360 --> 00:26:13,099 there are electromagnetic emissions or 790 00:26:13,100 --> 00:26:15,679 radio emissions or cache effects 791 00:26:15,680 --> 00:26:17,929 on virtual machines that 792 00:26:17,930 --> 00:26:19,789 affect other virtual machines running 793 00:26:19,790 --> 00:26:21,769 under the same hypervisor on the same 794 00:26:21,770 --> 00:26:22,669 physical hardware. 795 00:26:22,670 --> 00:26:25,309 And then you get to, as an attacker, 796 00:26:25,310 --> 00:26:27,769 see all sorts of fine-grained information 797 00:26:27,770 --> 00:26:30,109 about the time that Alice and Bob are taking. 798 00:26:30,110 --> 00:26:32,899 You don't exactly see this computation, 799 00:26:32,900 --> 00:26:34,609 but you see the physical effects of this 800 00:26:34,610 --> 00:26:36,719 computation. 
Just imagine if Eve 801 00:26:36,720 --> 00:26:38,029 is right here. 802 00:26:38,030 --> 00:26:40,819 She can hear, she can sense 803 00:26:40,820 --> 00:26:42,559 what the computations are doing. 804 00:26:42,560 --> 00:26:44,749 You can actually hear the audio buzz 805 00:26:44,750 --> 00:26:46,549 from your CPU if you put a good enough 806 00:26:46,550 --> 00:26:47,629 microphone next to it. 807 00:26:47,630 --> 00:26:49,309 And that depends on the computations it's 808 00:26:49,310 --> 00:26:51,199 doing. There's some real examples of 809 00:26:51,200 --> 00:26:52,699 timing attacks here. 810 00:26:52,700 --> 00:26:54,169 Two of the three examples that we 811 00:26:54,170 --> 00:26:55,909 selected are cache examples. 812 00:26:55,910 --> 00:26:58,159 One of them is the Lucky 13 attack, 813 00:26:58,160 --> 00:27:00,319 which was not cache, another, 814 00:27:00,320 --> 00:27:01,619 different kind of timing attack. 815 00:27:01,620 --> 00:27:03,229 Just to give you the idea that timing 816 00:27:03,230 --> 00:27:04,349 attacks are really important. 817 00:27:04,350 --> 00:27:06,079 This is a big part of what's going wrong 818 00:27:06,080 --> 00:27:08,269 with real deployed crypto, beyond 819 00:27:08,270 --> 00:27:09,709 its unusability and other little 820 00:27:09,710 --> 00:27:10,710 problems. 821 00:27:12,320 --> 00:27:14,389 The fix for this particular 822 00:27:14,390 --> 00:27:16,399 problem, you have somebody seeing the 823 00:27:16,400 --> 00:27:18,949 timing, is to always 824 00:27:18,950 --> 00:27:21,829 do computations in constant time. 825 00:27:21,830 --> 00:27:23,929 So no matter what your scalar is, you're 826 00:27:23,930 --> 00:27:25,879 not allowed to spend a different amount 827 00:27:25,880 --> 00:27:27,859 of time depending on that scalar. 
828 00:27:27,860 --> 00:27:29,689 And if you just always follow this rule 829 00:27:29,690 --> 00:27:32,299 that for every secret you have, no secret 830 00:27:32,300 --> 00:27:34,639 timing of anything, then the attacker 831 00:27:34,640 --> 00:27:36,079 doesn't learn anything. All your timing 832 00:27:36,080 --> 00:27:37,159 is public. 833 00:27:37,160 --> 00:27:38,839 Of course, it's a bit of a hassle to do 834 00:27:38,840 --> 00:27:40,069 computations that way. 835 00:27:40,070 --> 00:27:41,839 You can always do it, but it slows things 836 00:27:41,840 --> 00:27:43,399 down quite a bit. 837 00:27:43,400 --> 00:27:44,899 All right. I mean, that's easier said 838 00:27:44,900 --> 00:27:46,430 than done, but let's 839 00:27:48,430 --> 00:27:50,499 go back to warning number two. Let's assume 840 00:27:50,500 --> 00:27:52,629 that constant-time computation takes care of 841 00:27:52,630 --> 00:27:54,509 warning number three. Let's go back to warning 842 00:27:54,510 --> 00:27:57,009 number two: clocks are not elliptic. 843 00:27:57,010 --> 00:27:59,649 And let's turn this circle, this clock, 844 00:27:59,650 --> 00:28:00,680 into an elliptic curve. 845 00:28:02,230 --> 00:28:04,539 All right, so we take the circle and 846 00:28:04,540 --> 00:28:06,669 push inwards. Now, mathematically, 847 00:28:06,670 --> 00:28:08,439 what we're doing is we introduce one 848 00:28:08,440 --> 00:28:10,179 extra term. Instead of having X squared 849 00:28:10,180 --> 00:28:11,440 plus Y squared equals one, 850 00:28:12,970 --> 00:28:15,129 we say X squared plus Y squared 851 00:28:15,130 --> 00:28:17,469 equals one minus 30 times 852 00:28:17,470 --> 00:28:19,209 X squared Y squared. 853 00:28:19,210 --> 00:28:21,130 So this extra term here. 854 00:28:22,670 --> 00:28:25,129 It's the difference between a circle 855 00:28:25,130 --> 00:28:27,349 and an Edwards curve or 856 00:28:27,350 --> 00:28:28,489 an elliptic curve. 
857 00:28:28,490 --> 00:28:29,929 So this particular curve is called an 858 00:28:29,930 --> 00:28:32,179 Edwards curve, but it's an example 859 00:28:32,180 --> 00:28:33,919 of elliptic curves. 860 00:28:33,920 --> 00:28:36,469 Now, if I want to add points now, 861 00:28:36,470 --> 00:28:38,479 then let's remember what it looked like 862 00:28:38,480 --> 00:28:39,480 on the circle. 863 00:28:41,130 --> 00:28:42,719 So on the circle, I have the neutral element 864 00:28:42,720 --> 00:28:44,429 at the top. I keep that. 865 00:28:44,430 --> 00:28:46,679 So that was, adding anything to 12 866 00:28:46,680 --> 00:28:48,779 o'clock doesn't change the value. 867 00:28:48,780 --> 00:28:50,579 That's still the same here. 868 00:28:50,580 --> 00:28:52,739 Now, here was just adding P1, 869 00:28:52,740 --> 00:28:55,559 P2 getting P3 by these 870 00:28:55,560 --> 00:28:56,879 formulas. 871 00:28:56,880 --> 00:28:59,069 Now, this won't generally work 872 00:28:59,070 --> 00:29:01,469 on the elliptic curve, 873 00:29:01,470 --> 00:29:03,629 on the elliptic curve because there is this 874 00:29:03,630 --> 00:29:05,819 minus 30 x squared y squared. 875 00:29:05,820 --> 00:29:07,979 We also need to introduce a little tweak 876 00:29:07,980 --> 00:29:10,529 down here. So there's now a denominator. 877 00:29:10,530 --> 00:29:11,910 If you take d equals zero, 878 00:29:14,260 --> 00:29:16,599 then, well, the formula changes 879 00:29:16,600 --> 00:29:18,669 to the circle and also the 880 00:29:18,670 --> 00:29:20,799 addition formulas just change to the circle 881 00:29:20,800 --> 00:29:23,439 because all this 30 here is zero. 882 00:29:23,440 --> 00:29:25,419 So let's just divide by one. 883 00:29:25,420 --> 00:29:27,909 So the circle comes out as a special case 884 00:29:27,910 --> 00:29:29,439 of this elliptic curve. 
885 00:29:29,440 --> 00:29:31,509 But now we take minus 30 and 886 00:29:31,510 --> 00:29:33,099 have a nice little curve and the 887 00:29:33,100 --> 00:29:35,170 addition formulas are not much worse, 888 00:29:36,370 --> 00:29:38,190 just a little extra term there. 889 00:29:40,690 --> 00:29:43,509 OK, you can take, if you want, any 890 00:29:43,510 --> 00:29:45,729 prime number p, seven, a 891 00:29:45,730 --> 00:29:48,099 million and three, something much bigger, 892 00:29:48,100 --> 00:29:50,329 you can take any non- 893 00:29:50,330 --> 00:29:52,529 square d, that's 894 00:29:52,530 --> 00:29:54,969 like that minus 30, any d 895 00:29:54,970 --> 00:29:57,249 that's not a square of anything 896 00:29:57,250 --> 00:29:58,659 modulo p. 897 00:29:58,660 --> 00:30:00,609 That's something you can check quickly, 898 00:30:00,610 --> 00:30:02,469 and then write down the curve 899 00:30:02,470 --> 00:30:04,689 X squared plus Y squared equals one plus 900 00:30:04,690 --> 00:30:06,639 d X squared Y squared. 901 00:30:06,640 --> 00:30:08,919 This is an elliptic curve 902 00:30:08,920 --> 00:30:10,989 and it's just that extra little d, that's 903 00:30:10,990 --> 00:30:12,159 all the extra complication. 904 00:30:12,160 --> 00:30:14,049 If you felt like, OK, you understand clock 905 00:30:14,050 --> 00:30:16,269 cryptography, then the extra little 906 00:30:16,270 --> 00:30:19,149 complication is all you need for 907 00:30:19,150 --> 00:30:20,709 elliptic curve cryptography. 908 00:30:20,710 --> 00:30:22,509 There's the addition formula just 909 00:30:22,510 --> 00:30:24,579 translated from the math formulas 910 00:30:24,580 --> 00:30:26,709 a couple of slides ago into Python. Looks 911 00:30:26,710 --> 00:30:28,329 very much the same as before, except the 912 00:30:28,330 --> 00:30:30,429 x3 and y3 have that d coming 913 00:30:30,430 --> 00:30:33,249 in at the denominators. 
914 00:30:33,250 --> 00:30:35,559 Now you might complain about this saying, 915 00:30:35,560 --> 00:30:37,899 wait a minute, when you divide, are 916 00:30:37,900 --> 00:30:39,939 you necessarily able to divide? 917 00:30:39,940 --> 00:30:41,799 What happens if you divide by zero? 918 00:30:41,800 --> 00:30:43,510 Maybe these formulas don't always work. 919 00:30:44,560 --> 00:30:46,539 And that's an important point. 920 00:30:46,540 --> 00:30:48,009 It's something which you have to watch 921 00:30:48,010 --> 00:30:49,659 out for. If you're dividing by something, 922 00:30:49,660 --> 00:30:50,889 then you're not allowed to divide by 923 00:30:50,890 --> 00:30:51,890 zero. 924 00:30:52,860 --> 00:30:55,499 But it turns out that 925 00:30:55,500 --> 00:30:57,659 the denominators there, the one plus 926 00:30:57,660 --> 00:30:59,579 d x1 x2 y1 y2 and the one 927 00:30:59,580 --> 00:31:02,039 minus d x1 x2 y1 y2, 928 00:31:02,040 --> 00:31:03,719 those are never equal to zero. 929 00:31:04,800 --> 00:31:06,209 These formulas are complete. 930 00:31:06,210 --> 00:31:07,529 They always work, which is what you 931 00:31:07,530 --> 00:31:09,089 expect. I mean, you think formulas should 932 00:31:09,090 --> 00:31:10,619 always work. It's kind of annoying if 933 00:31:10,620 --> 00:31:11,939 there's exceptional cases. 934 00:31:11,940 --> 00:31:14,309 But, well, in 935 00:31:14,310 --> 00:31:16,169 elliptic curve cryptography, there's 936 00:31:16,170 --> 00:31:17,819 actually lots and lots of exceptional 937 00:31:17,820 --> 00:31:19,829 cases that people often worry about. 938 00:31:19,830 --> 00:31:21,899 And one of the reasons that we like 939 00:31:21,900 --> 00:31:24,029 this kind of elliptic curve is that 940 00:31:24,030 --> 00:31:26,189 there's no exceptional cases. 941 00:31:26,190 --> 00:31:28,019 The addition laws are what we call complete. 
942 00:31:29,190 --> 00:31:31,649 If you look at how the 943 00:31:31,650 --> 00:31:33,839 math part of the proof works, then it's 944 00:31:33,840 --> 00:31:35,579 important here that that d was not a 945 00:31:35,580 --> 00:31:37,139 square. But again, that's something you 946 00:31:37,140 --> 00:31:38,039 can easily check. 947 00:31:38,040 --> 00:31:40,139 And once you've settled on a d that's 948 00:31:40,140 --> 00:31:42,479 not square that everybody can use, then 949 00:31:42,480 --> 00:31:44,459 you will never have exceptions in 950 00:31:44,460 --> 00:31:46,109 the formulas. 951 00:31:46,110 --> 00:31:48,419 If you have your d being 952 00:31:48,420 --> 00:31:50,639 square, then you 953 00:31:50,640 --> 00:31:52,469 can write down the same formulas and most 954 00:31:52,470 --> 00:31:54,269 of the time they work, but you have 955 00:31:54,270 --> 00:31:56,219 exceptional cases, and we're going to see 956 00:31:56,220 --> 00:31:58,289 lots and lots more about exceptional 957 00:31:58,290 --> 00:32:00,389 cases. And what's annoying 958 00:32:00,390 --> 00:32:02,009 about those is not just, well, it's hard 959 00:32:02,010 --> 00:32:04,469 to program, but if you make any mistakes, 960 00:32:04,470 --> 00:32:06,119 it's going to be hard to find those 961 00:32:06,120 --> 00:32:07,679 mistakes and test for those mistakes. 962 00:32:07,680 --> 00:32:09,749 And if an attacker thinks about it more 963 00:32:09,750 --> 00:32:11,549 and can give you some points that exploit 964 00:32:11,550 --> 00:32:14,039 those mistakes, this often breaks 965 00:32:14,040 --> 00:32:15,539 real ECC. 966 00:32:15,540 --> 00:32:17,459 So it's better to take a curve where the 967 00:32:17,460 --> 00:32:19,289 d is not square and then you don't have 968 00:32:19,290 --> 00:32:20,699 to worry about this at all. 
969 00:32:20,700 --> 00:32:22,799 OK, quick aside, with our finite 970 00:32:22,800 --> 00:32:24,989 field every second d is not 971 00:32:24,990 --> 00:32:26,639 a square, so it's not a big restriction, 972 00:32:26,640 --> 00:32:28,739 it's just removing half of the 973 00:32:28,740 --> 00:32:29,740 possible d. 974 00:32:31,380 --> 00:32:32,660 Divisions are also very slow. 975 00:32:33,870 --> 00:32:35,549 So when you implement those you 976 00:32:35,550 --> 00:32:37,409 saw before in the Python snippets, you 977 00:32:37,410 --> 00:32:39,959 didn't even include divisions. 978 00:32:39,960 --> 00:32:41,819 We do have them online, but it's like, 979 00:32:41,820 --> 00:32:42,869 well, it takes a while. 980 00:32:42,870 --> 00:32:43,919 It's unpleasant. 981 00:32:43,920 --> 00:32:45,659 It takes even longer if you're worried 982 00:32:45,660 --> 00:32:46,889 about constant-time computation. 983 00:32:46,890 --> 00:32:49,139 So let's get rid of divisions. 984 00:32:49,140 --> 00:32:50,879 It's like, doctor, doctor, my knee hurts, 985 00:32:50,880 --> 00:32:52,499 and you say, well, don't use them. 986 00:32:52,500 --> 00:32:54,809 But the math here, we actually 987 00:32:54,810 --> 00:32:57,269 can avoid using divisions. 988 00:32:57,270 --> 00:32:58,829 If you remember how you worked with 989 00:32:58,830 --> 00:33:00,929 fractions, a over b plus c over 990 00:33:00,930 --> 00:33:03,359 d, then you keep them as fractions. 991 00:33:03,360 --> 00:33:05,369 You just multiply the denominators and you 992 00:33:05,370 --> 00:33:06,989 cross-multiply the numerators and you can 993 00:33:06,990 --> 00:33:07,990 add. 994 00:33:08,610 --> 00:33:10,799 So we can do the same with our points, 995 00:33:10,800 --> 00:33:12,779 so we're going to introduce an extra 996 00:33:12,780 --> 00:33:15,329 coordinate, the Z coordinate, 997 00:33:15,330 --> 00:33:17,279 this is just the denominator. 
998 00:33:17,280 --> 00:33:19,499 So instead of storing (X, Y) as a point, 999 00:33:19,500 --> 00:33:21,329 we now store X, Y and Z, 1000 00:33:23,120 --> 00:33:25,789 where the X and Y means 1001 00:33:25,790 --> 00:33:28,279 the old x and y are X divided by 1002 00:33:28,280 --> 00:33:30,349 Z, Y divided by Z, or 1003 00:33:30,350 --> 00:33:31,999 you can be a little bit more adventurous 1004 00:33:32,000 --> 00:33:34,069 and actually get somewhat 1005 00:33:34,070 --> 00:33:35,959 better speed and also introduce an extra 1006 00:33:35,960 --> 00:33:38,119 coordinate called T, which is X Y 1007 00:33:38,120 --> 00:33:39,079 divided by Z. 1008 00:33:39,080 --> 00:33:40,279 And if you're interested in how to do 1009 00:33:40,280 --> 00:33:42,139 this efficiently and actually get 1010 00:33:42,140 --> 00:33:44,299 computer-verified formulas for this, please visit 1011 00:33:44,300 --> 00:33:46,369 the Explicit-Formulas Database at the 1012 00:33:46,370 --> 00:33:48,529 link there to see how we actually do 1013 00:33:48,530 --> 00:33:49,530 that then. 1014 00:33:50,840 --> 00:33:51,840 OK. 1015 00:33:53,350 --> 00:33:55,659 Let's now go back to how crypto 1016 00:33:55,660 --> 00:33:57,939 looked, but let's replace the clock with 1017 00:33:57,940 --> 00:34:00,069 an elliptic curve. That just makes that 1018 00:34:00,070 --> 00:34:01,329 extra little complication in the 1019 00:34:01,330 --> 00:34:03,399 formulas. There's also an extra choice to 1020 00:34:03,400 --> 00:34:05,539 make. So it's not just standardizing 1021 00:34:05,540 --> 00:34:07,959 a prime for everybody to use, but 1022 00:34:07,960 --> 00:34:09,908 you also have to standardize this d, 1023 00:34:09,909 --> 00:34:11,678 which is not a square, for everybody to 1024 00:34:11,679 --> 00:34:14,149 use. This has to be a safe choice. 1025 00:34:14,150 --> 00:34:15,609 Remember that warning, number one, that 1026 00:34:15,610 --> 00:34:17,259 there's lots of unsafe choices.
1027 00:34:17,260 --> 00:34:18,879 There's all sorts of standard criteria 1028 00:34:18,880 --> 00:34:20,499 that you have to check to make sure that 1029 00:34:20,500 --> 00:34:22,309 these are safe choices of curves. 1030 00:34:22,310 --> 00:34:24,158 We'll say a bit more about standards at 1031 00:34:24,159 --> 00:34:25,439 the end of the talk. 1032 00:34:25,440 --> 00:34:27,579 And then Alice, as before, has 1033 00:34:27,580 --> 00:34:29,888 her secret key a and 1034 00:34:29,889 --> 00:34:31,600 multiplies that secret key by 1035 00:34:33,340 --> 00:34:35,468 (x, y) and, oh, 1036 00:34:35,469 --> 00:34:36,879 I'm skipping ahead of what this slide 1037 00:34:36,880 --> 00:34:37,359 says. 1038 00:34:37,360 --> 00:34:39,579 The slide says that Alice also has 1039 00:34:39,580 --> 00:34:41,799 Bob's public key b times (x, 1040 00:34:41,800 --> 00:34:43,988 y), and this all sounds just like 1041 00:34:43,989 --> 00:34:45,009 it was on the clock. 1042 00:34:45,010 --> 00:34:47,649 Alice now takes the b times (x, y) 1043 00:34:47,650 --> 00:34:50,198 and then multiplies 1044 00:34:50,199 --> 00:34:52,329 by her a. That gets a times b times (x, 1045 00:34:52,330 --> 00:34:53,739 y) and then. 1046 00:34:54,750 --> 00:34:57,029 Remember that a times b times (x, y) is 1047 00:34:57,030 --> 00:34:58,409 a secret to use to encrypt and 1048 00:34:58,410 --> 00:35:01,109 authenticate data, and more concretely, 1049 00:35:01,110 --> 00:35:02,669 now that we've got elliptic curves, we 1050 00:35:02,670 --> 00:35:04,889 don't have to worry about an index 1051 00:35:04,890 --> 00:35:06,329 calculus breaking everything. 1052 00:35:06,330 --> 00:35:08,209 We don't need to have thousands of bits. 1053 00:35:08,210 --> 00:35:10,529 Here's some actual real sizes for 1054 00:35:10,530 --> 00:35:12,419 elliptic curve cryptography, including 1055 00:35:12,420 --> 00:35:14,399 all the secret key encryption and 1056 00:35:14,400 --> 00:35:15,449 authentication.
1057 00:35:15,450 --> 00:35:16,529 The public key. 1058 00:35:16,530 --> 00:35:18,659 You can have a prime which is just 1059 00:35:18,660 --> 00:35:21,749 two hundred fifty six bits long, and 1060 00:35:21,750 --> 00:35:23,939 we'll say later that you can squish x 1061 00:35:23,940 --> 00:35:26,369 and y together into just 256 1062 00:35:26,370 --> 00:35:28,529 bits, and then that reduces 1063 00:35:28,530 --> 00:35:30,599 Alice's public key a times 1064 00:35:30,600 --> 00:35:32,969 (x, y) down to just 1065 00:35:32,970 --> 00:35:34,979 thirty two bytes that Alice is going to 1066 00:35:34,980 --> 00:35:36,239 send along to Bob. 1067 00:35:36,240 --> 00:35:37,739 And then there's a little bit of extra 1068 00:35:37,740 --> 00:35:39,959 stuff for a nonce, a random number, 1069 00:35:39,960 --> 00:35:42,089 so you don't end up encrypting the same 1070 00:35:42,090 --> 00:35:43,919 message the same way every time you send 1071 00:35:43,920 --> 00:35:45,749 it; someone would be able to see that 1072 00:35:45,750 --> 00:35:47,579 encryption repeating. 1073 00:35:47,580 --> 00:35:49,559 There's also an authenticator so that Bob 1074 00:35:49,560 --> 00:35:51,869 can verify that the packet is 1075 00:35:51,870 --> 00:35:53,079 correct. 1076 00:35:53,080 --> 00:35:55,149 And then Bob receives 1077 00:35:55,150 --> 00:35:57,269 this packet, says, oh 1078 00:35:57,270 --> 00:35:58,379 yeah, it's a packet from Alice. 1079 00:35:58,380 --> 00:35:59,729 There's Alice's public key. 1080 00:35:59,730 --> 00:36:01,979 If Bob didn't know the shared secret 1081 00:36:01,980 --> 00:36:03,599 already, Bob takes Bob's secret, 1082 00:36:03,600 --> 00:36:05,039 multiplies by the public key.
1083 00:36:05,040 --> 00:36:07,469 He gets the same b times a times (x, 1084 00:36:07,470 --> 00:36:10,079 y) and then does secret key cryptography, 1085 00:36:10,080 --> 00:36:12,569 verifies the packet coming in, verifies 1086 00:36:12,570 --> 00:36:14,879 the authenticator using the nonce and 1087 00:36:14,880 --> 00:36:17,159 Alice's public key and at that point has 1088 00:36:17,160 --> 00:36:19,619 verified that, yes, this is from Alice. 1089 00:36:19,620 --> 00:36:21,119 Of course, if Bob's never heard of 1090 00:36:21,120 --> 00:36:22,889 Alice's public key before, then he doesn't 1091 00:36:22,890 --> 00:36:23,969 know who that Alice is. 1092 00:36:23,970 --> 00:36:25,739 But he gets continuity between the 1093 00:36:25,740 --> 00:36:27,299 different uses. And then when you add in 1094 00:36:27,300 --> 00:36:29,069 certificates or other public key 1095 00:36:29,070 --> 00:36:30,839 infrastructure, you actually know who 1096 00:36:30,840 --> 00:36:32,399 you're talking to. 1097 00:36:32,400 --> 00:36:34,259 Everything happening here, all of the 1098 00:36:34,260 --> 00:36:36,329 public key and secret key stuff, is 1099 00:36:36,330 --> 00:36:38,399 so fast that we can afford to do this 1100 00:36:38,400 --> 00:36:40,439 for every single packet going through the 1101 00:36:40,440 --> 00:36:41,440 Internet. 1102 00:36:41,910 --> 00:36:43,889 Well, at this moment, we haven't actually 1103 00:36:43,890 --> 00:36:45,419 told you yet what to use. 1104 00:36:45,420 --> 00:36:47,399 So here's a safe example. 1105 00:36:49,380 --> 00:36:50,399 You shut up. 1106 00:36:50,400 --> 00:36:52,139 So this is a safe example, which he 1107 00:36:52,140 --> 00:36:54,539 shouldn't advertise because it's his own, 1108 00:36:54,540 --> 00:36:56,069 but I can say it's a good example. 1109 00:36:56,070 --> 00:36:58,469 So if you take as your prime this big one, 1110 00:36:58,470 --> 00:37:00,299 it has 255 bits.
1111 00:37:00,300 --> 00:37:02,789 It's a very nice prime; all computations 1112 00:37:02,790 --> 00:37:05,009 modulo this prime are fast because it's 1113 00:37:05,010 --> 00:37:06,839 very close to a power of two. 1114 00:37:06,840 --> 00:37:09,139 So when you do this mod 1115 00:37:09,140 --> 00:37:11,399 this prime operation, the 1116 00:37:11,400 --> 00:37:13,739 reducing modulo this number is very fast, 1117 00:37:13,740 --> 00:37:15,809 and then d looks reasonably 1118 00:37:15,810 --> 00:37:17,639 small. And here you have an Edwards 1119 00:37:17,640 --> 00:37:18,640 curve. 1120 00:37:19,790 --> 00:37:22,159 Also, he is not taking the same 1121 00:37:22,160 --> 00:37:24,439 d, but putting a minus there 1122 00:37:24,440 --> 00:37:26,119 and putting also a minus in front of the x 1123 00:37:26,120 --> 00:37:28,219 squared. This is 1124 00:37:28,220 --> 00:37:30,679 another curve. Actually, it's pretty much 1125 00:37:30,680 --> 00:37:31,789 the same curve. 1126 00:37:31,790 --> 00:37:34,069 So for every (x, y) that you had before 1127 00:37:34,070 --> 00:37:36,559 on the first curve, you now have (square 1128 00:37:36,560 --> 00:37:38,659 root of minus one times x, 1129 00:37:38,660 --> 00:37:40,879 y): same y, slightly different 1130 00:37:40,880 --> 00:37:43,129 x. So you're just taking a little 1131 00:37:43,130 --> 00:37:44,929 tweak. It's the first curve in disguise. 1132 00:37:46,190 --> 00:37:48,289 And actually we have lots of ways 1133 00:37:48,290 --> 00:37:49,579 of writing elliptic curves. 1134 00:37:49,580 --> 00:37:51,949 So here's a whole list of different 1135 00:37:51,950 --> 00:37:52,939 ways of writing curves. 1136 00:37:52,940 --> 00:37:54,979 So the first thing that we showed you, 1137 00:37:54,980 --> 00:37:57,019 so with d, the clock where you're squishing 1138 00:37:57,020 --> 00:37:59,089 in the corners, is 1139 00:37:59,090 --> 00:38:00,799 an Edwards curve.
1140 00:38:00,800 --> 00:38:03,019 If I now would like to have an extra term 1141 00:38:03,020 --> 00:38:05,209 here like this minus one here, I 1142 00:38:05,210 --> 00:38:07,579 generally reserve an a coefficient here. 1143 00:38:07,580 --> 00:38:08,719 Then I can put in 1144 00:38:09,800 --> 00:38:11,749 minus one, for instance; that is called a 1145 00:38:11,750 --> 00:38:12,899 twisted Edwards curve. 1146 00:38:12,900 --> 00:38:14,569 But then there's also some other things 1147 00:38:14,570 --> 00:38:15,889 which you still find in the normal 1148 00:38:15,890 --> 00:38:17,419 textbooks, which are called Weierstrass 1149 00:38:17,420 --> 00:38:19,129 curves. They look like that. 1150 00:38:19,130 --> 00:38:20,629 And then there is Montgomery curves, 1151 00:38:20,630 --> 00:38:23,119 which you can think of as a special case 1152 00:38:23,120 --> 00:38:24,499 of Weierstrass curves. 1153 00:38:24,500 --> 00:38:26,359 They have a similar y squared equals 1154 00:38:26,360 --> 00:38:28,789 x cubed shape, but there are some 1155 00:38:28,790 --> 00:38:30,769 slightly different terms here. 1156 00:38:30,770 --> 00:38:32,569 And when you have one of the curves, you 1157 00:38:32,570 --> 00:38:34,849 can go from one to the other and back; 1158 00:38:34,850 --> 00:38:37,189 for instance, to go from a Montgomery 1159 00:38:37,190 --> 00:38:38,539 curve to an Edwards curve, 1160 00:38:38,540 --> 00:38:39,540 there are other formulas. 1161 00:38:40,760 --> 00:38:43,069 OK, what you'll typically 1162 00:38:43,070 --> 00:38:46,249 find in standards for ECC, 1163 00:38:46,250 --> 00:38:47,689 for historical reasons, 1164 00:38:47,690 --> 00:38:48,799 OK, stand back, that's going to be 1165 00:38:48,800 --> 00:38:51,199 horrible, is Weierstrass 1166 00:38:51,200 --> 00:38:53,299 curves. Now here's the addition 1167 00:38:53,300 --> 00:38:55,369 law. Here's how you add two points 1168 00:38:55,370 --> 00:38:56,600 on a Weierstrass curve.
1169 00:39:01,870 --> 00:39:03,219 Oh, that isn't too bad. 1170 00:39:03,220 --> 00:39:04,569 All right, there's only six different 1171 00:39:04,570 --> 00:39:06,009 cases, let's go through them. 1172 00:39:06,010 --> 00:39:07,359 No, no, let's not go through them. 1173 00:39:07,360 --> 00:39:09,729 This is, if 1174 00:39:09,730 --> 00:39:11,619 you just take one piece of this, then it 1175 00:39:11,620 --> 00:39:12,969 might seem like it works most of the 1176 00:39:12,970 --> 00:39:14,949 time. The first formulas work most of the 1177 00:39:14,950 --> 00:39:17,079 time until you do something crazy like P 1178 00:39:17,080 --> 00:39:18,579 plus P and then it doesn't work. 1179 00:39:18,580 --> 00:39:19,809 And then you have more and more 1180 00:39:19,810 --> 00:39:20,859 exceptional cases. 1181 00:39:20,860 --> 00:39:22,449 And some of these cases you don't even 1182 00:39:22,450 --> 00:39:23,379 realize at first. 1183 00:39:23,380 --> 00:39:25,389 And then you try writing code for this 1184 00:39:25,390 --> 00:39:27,159 and it just goes on and on, and then 1185 00:39:27,160 --> 00:39:28,929 you try testing it and you're not sure 1186 00:39:28,930 --> 00:39:30,069 you've gotten all the tests right. 1187 00:39:30,070 --> 00:39:32,529 But OK, that's what you find 1188 00:39:32,530 --> 00:39:34,269 in standards. 1189 00:39:36,170 --> 00:39:37,129 All right. 1190 00:39:37,130 --> 00:39:39,079 Much nicer than Weierstrass: Montgomery 1191 00:39:39,080 --> 00:39:40,909 curves, it's another of our favorite 1192 00:39:40,910 --> 00:39:43,099 curves. So here you see 1193 00:39:43,100 --> 00:39:44,779 the entire arithmetic, except for I 1194 00:39:44,780 --> 00:39:47,299 didn't show you how I will do the 1195 00:39:47,300 --> 00:39:49,579 constant-time conditional swap 1196 00:39:49,580 --> 00:39:49,729 here. 1197 00:39:49,730 --> 00:39:51,319 So there is a conditional bit here which 1198 00:39:51,320 --> 00:39:53,270 swaps the X2 with the X3.
1199 00:39:54,530 --> 00:39:57,049 We can do this in constant time; it just 1200 00:39:57,050 --> 00:39:58,609 replaces the instruction by something which 1201 00:39:58,610 --> 00:40:00,410 says it stays or it swaps. 1202 00:40:02,050 --> 00:40:04,239 That's a whole addition on Montgomery, so 1203 00:40:04,240 --> 00:40:06,339 for every bit you do these 1204 00:40:06,340 --> 00:40:09,009 few steps and you run through the 255 1205 00:40:09,010 --> 00:40:10,659 bits that are stated there. 1206 00:40:10,660 --> 00:40:12,699 So that's another nice case of 1207 00:40:12,700 --> 00:40:14,799 arithmetic. Note 1208 00:40:14,800 --> 00:40:16,869 that here we only use an 1209 00:40:16,870 --> 00:40:19,089 x coordinate; for the Edwards 1210 00:40:19,090 --> 00:40:20,229 curve we had x and y. 1211 00:40:20,230 --> 00:40:22,029 So there are some differences in what 1212 00:40:22,030 --> 00:40:23,030 we're doing with them. 1213 00:40:24,760 --> 00:40:26,229 All right, so then as announced we're going 1214 00:40:26,230 --> 00:40:27,579 to talk about standards. 1215 00:40:27,580 --> 00:40:29,889 So where do you get your standards from, 1216 00:40:29,890 --> 00:40:31,689 so how do you defend yourself against 1217 00:40:31,690 --> 00:40:33,280 somebody who comes with a mathematician? 1218 00:40:35,950 --> 00:40:37,419 Mathematicians, so people that know all 1219 00:40:37,420 --> 00:40:38,919 kinds of attacks, and if you want to see 1220 00:40:38,920 --> 00:40:40,449 these attacks, we have some URLs at the 1221 00:40:40,450 --> 00:40:42,999 end, but we know those attacks, 1222 00:40:43,000 --> 00:40:45,729 and all of those standards, 1223 00:40:45,730 --> 00:40:48,069 long list of things, basically agree 1224 00:40:48,070 --> 00:40:49,669 on certain properties that you want, 1225 00:40:49,670 --> 00:40:50,670 you have to have. 1226 00:40:51,850 --> 00:40:53,619 What these standards guarantee you:
1227 00:40:53,620 --> 00:40:55,869 if you pick one of those standards, 1228 00:40:55,870 --> 00:40:56,809 then it will, 1229 00:40:56,810 --> 00:40:58,959 the curve will be secure 1230 00:40:58,960 --> 00:40:59,919 against the following attacks. 1231 00:40:59,920 --> 00:41:01,479 Somebody sees the result of your 1232 00:41:01,480 --> 00:41:03,999 computation, knows the base point, 1233 00:41:04,000 --> 00:41:06,189 knows your public key, and is 1234 00:41:06,190 --> 00:41:08,259 not able to figure out what your a 1235 00:41:08,260 --> 00:41:09,699 or b was. 1236 00:41:09,700 --> 00:41:10,869 So this is called the elliptic curve 1237 00:41:10,870 --> 00:41:12,339 discrete logarithm problem. 1238 00:41:12,340 --> 00:41:14,589 And we have piles of papers 1239 00:41:14,590 --> 00:41:16,419 over papers to study the hardness of 1240 00:41:16,420 --> 00:41:16,899 this. 1241 00:41:16,900 --> 00:41:18,489 So that's what we as mathematicians do, 1242 00:41:18,490 --> 00:41:20,889 study how hard it is on a certain curve 1243 00:41:20,890 --> 00:41:22,629 to break that elliptic curve discrete log. 1244 00:41:22,630 --> 00:41:24,159 For one thing, 1245 00:41:24,160 --> 00:41:26,529 you want that your point, 1246 00:41:26,530 --> 00:41:28,359 when you add it to itself many, many 1247 00:41:28,360 --> 00:41:29,649 times, that 1248 00:41:30,700 --> 00:41:32,469 for a long, long, long time you get 1249 00:41:32,470 --> 00:41:33,470 different points, 1250 00:41:34,580 --> 00:41:36,679 until you get back to the same point, 1251 00:41:36,680 --> 00:41:39,109 say, after l times you're back. 1252 00:41:39,110 --> 00:41:40,909 That is the order of the point; that 1253 00:41:40,910 --> 00:41:42,289 should be l. Now, 1254 00:41:42,290 --> 00:41:43,999 I mean, like 2 to the 250 or 1255 00:41:44,000 --> 00:41:45,170 something really large. 1256 00:41:46,490 --> 00:41:47,849 And yet they're all the script.
1257 00:41:47,850 --> 00:41:48,929 So that's one of the criteria. 1258 00:41:48,930 --> 00:41:49,930 There's many more. 1259 00:41:51,620 --> 00:41:53,029 OK, so let's see. 1260 00:41:53,030 --> 00:41:54,019 You're an implementer. 1261 00:41:54,020 --> 00:41:55,999 You take any of these standards and, 1262 00:41:56,000 --> 00:41:57,499 again, they all pretty much say the same 1263 00:41:57,500 --> 00:41:59,479 thing. Minor differences in details, but 1264 00:41:59,480 --> 00:42:01,819 they all protect you, and you 1265 00:42:01,820 --> 00:42:04,249 implement the standard and you say, OK, 1266 00:42:04,250 --> 00:42:06,079 we're in Germany, let's take the Brainpool 1267 00:42:06,080 --> 00:42:07,759 curves, because that's what's used in 1268 00:42:07,760 --> 00:42:09,199 the German passports. 1269 00:42:09,200 --> 00:42:10,909 All right. So we take brainpool 1270 00:42:10,910 --> 00:42:12,079 P256t1. 1271 00:42:12,080 --> 00:42:14,149 It tells you some big prime number, 1272 00:42:14,150 --> 00:42:15,469 256 bits long. 1273 00:42:15,470 --> 00:42:17,539 It tells you a very strong curve, 1274 00:42:17,540 --> 00:42:19,399 y squared equals x cubed minus three x 1275 00:42:19,400 --> 00:42:20,989 plus something big. 1276 00:42:20,990 --> 00:42:23,039 And then it tells you the base point (x, 1277 00:42:23,040 --> 00:42:25,099 y) to use. And then you look 1278 00:42:25,100 --> 00:42:27,499 at this and realize all the nice formulas 1279 00:42:27,500 --> 00:42:29,239 we were telling you, with no exceptional 1280 00:42:29,240 --> 00:42:31,609 cases, like Edwards and Montgomery, 1281 00:42:31,610 --> 00:42:34,429 those formulas don't work for 1282 00:42:34,430 --> 00:42:35,689 this curve.
1283 00:42:35,690 --> 00:42:37,699 If you have a curve compatible with the 1284 00:42:37,700 --> 00:42:39,739 formulas, you standardize that curve, 1285 00:42:39,740 --> 00:42:42,259 then every point you can add successfully 1286 00:42:42,260 --> 00:42:43,519 and you just forget about all the 1287 00:42:43,520 --> 00:42:45,199 exceptions. But you need a curve that 1288 00:42:45,200 --> 00:42:46,459 works with those formulas. 1289 00:42:46,460 --> 00:42:48,589 And unfortunately, this 1290 00:42:48,590 --> 00:42:50,209 curve doesn't work with Edwards and 1291 00:42:50,210 --> 00:42:51,529 doesn't work with Montgomery. 1292 00:42:51,530 --> 00:42:54,199 So you have to go back to that messy 1293 00:42:54,200 --> 00:42:55,929 Weierstrass series of formulas. 1294 00:42:55,930 --> 00:42:57,679 So, OK, you're very careful. 1295 00:42:57,680 --> 00:42:59,929 You do exactly what the formulas say. 1296 00:42:59,930 --> 00:43:01,939 You figure out test cases for everything. 1297 00:43:01,940 --> 00:43:04,209 You have correctly implemented the Weierstrass 1298 00:43:04,210 --> 00:43:06,559 addition, all six cases, and 1299 00:43:06,560 --> 00:43:08,959 you do everything 1300 00:43:08,960 --> 00:43:09,889 constant time, 1301 00:43:09,890 --> 00:43:11,809 so not going to leak any information to 1302 00:43:11,810 --> 00:43:12,919 an attacker. 1303 00:43:12,920 --> 00:43:15,049 And then you have something 1304 00:43:15,050 --> 00:43:17,329 which is painfully slow, 1305 00:43:17,330 --> 00:43:20,779 but you're confident about the security, 1306 00:43:20,780 --> 00:43:23,239 until the attacker 1307 00:43:23,240 --> 00:43:24,240 comes along. 1308 00:43:25,040 --> 00:43:26,359 Hey, let's do Diffie-Hellman. 1309 00:43:26,360 --> 00:43:27,529 Here's my point. 1310 00:43:27,530 --> 00:43:30,109 OK, I'll take my, 1311 00:43:30,110 --> 00:43:31,639 I guess I'm Alice, I... 1312 00:43:34,530 --> 00:43:36,179 I'm sorry.
So now I'm Alice, I've got an 1313 00:43:36,180 --> 00:43:38,969 a. I take my a times the 1314 00:43:38,970 --> 00:43:40,589 point that she sent me, which is her 1315 00:43:40,590 --> 00:43:42,779 public key, and 1316 00:43:42,780 --> 00:43:44,099 that's not the original (x, y); it's some 1317 00:43:44,100 --> 00:43:45,809 different (x', y') that she sent. 1318 00:43:45,810 --> 00:43:48,149 And I send back my a times that 1319 00:43:48,150 --> 00:43:50,549 (x', y'), and 1320 00:43:50,550 --> 00:43:52,769 then I've done this computation 1321 00:43:52,770 --> 00:43:53,609 correctly. 1322 00:43:53,610 --> 00:43:56,219 And then I've now 1323 00:43:56,220 --> 00:43:58,349 used the encryption and 1324 00:43:58,350 --> 00:44:00,119 authentication mechanisms that somebody 1325 00:44:00,120 --> 00:44:02,069 told me to use, standard mechanisms, 1326 00:44:02,070 --> 00:44:04,229 and I've encrypted some data and sent 1327 00:44:04,230 --> 00:44:05,230 that through the network. 1328 00:44:06,780 --> 00:44:07,949 I'm on the network. 1329 00:44:07,950 --> 00:44:10,259 I see his, his message, the encrypted 1330 00:44:10,260 --> 00:44:13,109 message. Now what he doesn't know 1331 00:44:13,110 --> 00:44:15,269 is that no matter what his a 1332 00:44:15,270 --> 00:44:16,270 is, 1333 00:44:16,790 --> 00:44:18,919 there are not actually that many different 1334 00:44:18,920 --> 00:44:20,629 points. I didn't give him a point on the 1335 00:44:20,630 --> 00:44:22,729 Brainpool curve, I gave him a point on a 1336 00:44:22,730 --> 00:44:24,439 much nicer curve. Look, it only has a 1337 00:44:24,440 --> 00:44:25,729 five here. 1338 00:44:25,730 --> 00:44:27,049 The Brainpool curve has something much, 1339 00:44:27,050 --> 00:44:28,439 much bigger. This is a friendly curve. 1340 00:44:29,450 --> 00:44:32,269 Also, this point only has four thousand 1341 00:44:32,270 --> 00:44:34,519 ninety nine different multiples, 1342 00:44:34,520 --> 00:44:35,520 which means...
1343 00:44:36,570 --> 00:44:38,069 He's not actually computing what he 1344 00:44:38,070 --> 00:44:39,800 thinks he's computing, oops. 1345 00:44:41,130 --> 00:44:42,959 Now, the reason that this works is that 1346 00:44:42,960 --> 00:44:45,569 in this whole mess of the Weierstrass curve formulas, 1347 00:44:45,570 --> 00:44:47,250 there's no a6. 1348 00:44:49,250 --> 00:44:51,319 So no matter whether the a6 1349 00:44:51,320 --> 00:44:52,759 is the huge number for the Brainpool curve 1350 00:44:52,760 --> 00:44:54,949 or the five, which is the nice curve 1351 00:44:54,950 --> 00:44:56,629 I gave him, it doesn't matter. 1352 00:44:56,630 --> 00:44:58,070 He'll just use those formulas. 1353 00:44:59,510 --> 00:45:00,510 And then 1354 00:45:01,610 --> 00:45:03,769 the a times the point gives me one 1355 00:45:03,770 --> 00:45:05,989 of those 4099 different points, 1356 00:45:05,990 --> 00:45:08,239 from which I learn a modulo 1357 00:45:08,240 --> 00:45:09,630 4099. 1358 00:45:10,670 --> 00:45:11,670 Let's do this again. 1359 00:45:12,800 --> 00:45:14,839 She's going to send me another point. 1360 00:45:14,840 --> 00:45:16,099 Hi. Here is another point. 1361 00:45:16,100 --> 00:45:18,079 So I take that new (x'', y''). 1362 00:45:18,080 --> 00:45:20,249 I compute my a times that, I send back 1363 00:45:20,250 --> 00:45:22,459 something encrypted using 1364 00:45:22,460 --> 00:45:23,600 that shared secret. 1365 00:45:24,770 --> 00:45:27,139 And now she does 1366 00:45:27,140 --> 00:45:29,029 the same kind of computation. 1367 00:45:29,030 --> 00:45:30,959 She has secretly sent me a point that has 1368 00:45:30,960 --> 00:45:32,899 small order and I never noticed that it 1369 00:45:32,900 --> 00:45:34,789 had small order. So now she's figured out my 1370 00:45:34,790 --> 00:45:36,919 secret modulo some other 1371 00:45:36,920 --> 00:45:37,669 number. 1372 00:45:37,670 --> 00:45:38,569 And again. 1373 00:45:38,570 --> 00:45:39,649 And again and again.
1374 00:45:39,650 --> 00:45:41,509 And this happens 20 times maybe. 1375 00:45:41,510 --> 00:45:43,819 And then she uses the Chinese 1376 00:45:43,820 --> 00:45:45,589 remainder theorem to figure out my 1377 00:45:45,590 --> 00:45:46,609 whole secret. 1378 00:45:46,610 --> 00:45:48,589 Even getting a few of these leaks is 1379 00:45:48,590 --> 00:45:50,659 enough information that it does a 1380 00:45:50,660 --> 00:45:52,159 lot of damage to the security of the 1381 00:45:52,160 --> 00:45:54,049 system. And, well, if this happens 20 1382 00:45:54,050 --> 00:45:55,050 times, then, 1383 00:45:56,210 --> 00:45:58,459 well, I'm screwed. 1384 00:45:58,460 --> 00:46:00,829 So what do people normally say 1385 00:46:00,830 --> 00:46:01,849 in response to this? 1386 00:46:01,850 --> 00:46:03,829 They say, oh, didn't you notice the 1387 00:46:03,830 --> 00:46:06,109 footnote in the standard that said when 1388 00:46:06,110 --> 00:46:08,149 you have a point coming in, you have to 1389 00:46:08,150 --> 00:46:10,399 check whether it's on the curve, because 1390 00:46:10,400 --> 00:46:12,169 somebody might have been trying this evil 1391 00:46:12,170 --> 00:46:14,299 attack. So this is blaming the 1392 00:46:14,300 --> 00:46:16,699 implementor, which is how we get secure 1393 00:46:16,700 --> 00:46:18,589 systems, by blaming the implementor. 1394 00:46:18,590 --> 00:46:19,069 That's good. 1395 00:46:19,070 --> 00:46:20,809 If something's gone wrong with the 1396 00:46:20,810 --> 00:46:23,119 system, then it's the implementor's fault 1397 00:46:23,120 --> 00:46:24,229 for not checking. 1398 00:46:26,810 --> 00:46:28,909 Don't even get me started on 1399 00:46:28,910 --> 00:46:31,039 strcpy, you should have checked 1400 00:46:31,040 --> 00:46:33,229 the length of your string, you were, oh, 1401 00:46:33,230 --> 00:46:34,219 I'm sorry, wrong talk. 1402 00:46:34,220 --> 00:46:36,319 You should have checked that this point 1403 00:46:36,320 --> 00:46:37,309 was on the curve.
1404 00:46:37,310 --> 00:46:38,719 You should have checked it had the right 1405 00:46:38,720 --> 00:46:40,819 order. Another kind of attack like 1406 00:46:40,820 --> 00:46:42,889 this. You should have, by the way, paid 1407 00:46:42,890 --> 00:46:45,419 patent fees to Certicom. 1408 00:46:45,420 --> 00:46:47,479 OK, OK, let's not say, 1409 00:46:47,480 --> 00:46:49,339 I mean, if you do this, you might get a 1410 00:46:49,340 --> 00:46:51,739 phone call saying we have a patent 1411 00:46:51,740 --> 00:46:52,789 on point validation. 1412 00:46:55,970 --> 00:46:58,279 Yeah. So instead of blaming 1413 00:46:58,280 --> 00:47:00,559 the implementor for not jumping through 1414 00:47:00,560 --> 00:47:02,029 these hoops, why don't we get rid of the 1415 00:47:02,030 --> 00:47:04,399 hoops? Why don't we design the crypto, 1416 00:47:04,400 --> 00:47:07,009 why don't we design the curves so that 1417 00:47:07,010 --> 00:47:09,109 it's not actually possible for 1418 00:47:09,110 --> 00:47:10,549 somebody to screw this up? 1419 00:47:10,550 --> 00:47:12,979 We know how implementors 1420 00:47:12,980 --> 00:47:14,869 think; we are implementors. 1421 00:47:14,870 --> 00:47:16,159 We know what we do wrong. 1422 00:47:16,160 --> 00:47:18,439 And it's not that creative. 1423 00:47:18,440 --> 00:47:19,999 I mean, we keep making the same mistakes 1424 00:47:20,000 --> 00:47:21,079 again and again and again. 1425 00:47:21,080 --> 00:47:23,029 So let's actually protect against those 1426 00:47:23,030 --> 00:47:24,949 mistakes and design a system that's 1427 00:47:24,950 --> 00:47:27,889 robust against those, which for ECC 1428 00:47:27,890 --> 00:47:30,109 says you take your (x, 1429 00:47:30,110 --> 00:47:31,849 y) coming through the network. 1430 00:47:31,850 --> 00:47:33,919 Don't allow an (x, y) to go through 1431 00:47:33,920 --> 00:47:36,140 the network. Just have an x.
1432 00:47:37,200 --> 00:47:39,389 And then y, well, y 1433 00:47:39,390 --> 00:47:41,189 squared equals something. You could, if you 1434 00:47:41,190 --> 00:47:43,499 want to communicate y, you can send one 1435 00:47:43,500 --> 00:47:45,299 bit that says whether it's plus or minus 1436 00:47:45,300 --> 00:47:47,249 the square root of whatever y is the 1437 00:47:47,250 --> 00:47:49,619 square root of, or don't 1438 00:47:49,620 --> 00:47:50,909 bother sending y at all. 1439 00:47:50,910 --> 00:47:52,499 Remember, those Montgomery formulas 1440 00:47:52,500 --> 00:47:54,449 don't even need to look at the y. 1441 00:47:54,450 --> 00:47:56,999 So if you just send along an x, 1442 00:47:57,000 --> 00:47:59,099 then there's very few possibilities 1443 00:47:59,100 --> 00:48:01,619 for the attacker to 1444 00:48:01,620 --> 00:48:03,989 choose points to try 1445 00:48:03,990 --> 00:48:05,819 to fool you the way that we were fooled a 1446 00:48:05,820 --> 00:48:06,899 moment ago. 1447 00:48:06,900 --> 00:48:09,149 There's a couple more of these rules 1448 00:48:09,150 --> 00:48:11,669 which the curve selector 1449 00:48:11,670 --> 00:48:13,799 and the protocol designer can put in, 1450 00:48:13,800 --> 00:48:16,469 which mean that you as an implementer 1451 00:48:16,470 --> 00:48:18,569 have a much easier time. Like the 1452 00:48:18,570 --> 00:48:20,669 protocol designer can tell you to 1453 00:48:20,670 --> 00:48:22,979 always multiply the 1454 00:48:22,980 --> 00:48:25,109 scalars, the a and b, the secrets that 1455 00:48:25,110 --> 00:48:27,209 you're using for Diffie-Hellman, always 1456 00:48:27,210 --> 00:48:29,159 multiply those by what's called the 1457 00:48:29,160 --> 00:48:30,899 cofactor of the curve. 1458 00:48:30,900 --> 00:48:33,299 There's this base point that has order l, 1459 00:48:33,300 --> 00:48:34,619 has l different multiples.
1460 00:48:34,620 --> 00:48:36,899 There's going to be, say, four times l 1461 00:48:36,900 --> 00:48:38,789 or eight times l points total on the 1462 00:48:38,790 --> 00:48:40,349 curve. You're only seeing l of them. 1463 00:48:40,350 --> 00:48:42,299 And to make up for that gap and avoid 1464 00:48:42,300 --> 00:48:44,729 some other fancier attacks, you always 1465 00:48:44,730 --> 00:48:47,459 multiply your secrets a and b by eight, 1466 00:48:47,460 --> 00:48:49,379 and that completely protects you against 1467 00:48:49,380 --> 00:48:50,489 these attacks. And that's something that 1468 00:48:50,490 --> 00:48:52,829 can be put into the protocol and tested. 1469 00:48:52,830 --> 00:48:55,379 And similarly, 1470 00:48:55,380 --> 00:48:57,479 the curve designer can always 1471 00:48:57,480 --> 00:48:59,219 choose curves to be what are called 1472 00:48:59,220 --> 00:49:00,749 twist-secure. 1473 00:49:00,750 --> 00:49:02,609 There's still a little bit of wiggle room 1474 00:49:02,610 --> 00:49:03,989 if somebody's sending you a compressed 1475 00:49:03,990 --> 00:49:06,179 point. And this twist security 1476 00:49:06,180 --> 00:49:08,459 says that, well, basically 1477 00:49:08,460 --> 00:49:10,229 the wiggle room lets you choose between 1478 00:49:10,230 --> 00:49:11,459 two different curves. 1479 00:49:11,460 --> 00:49:13,619 There's this curve and then a sibling of 1480 00:49:13,620 --> 00:49:15,569 the curve, what's called the twist of the 1481 00:49:15,570 --> 00:49:17,729 curve, and the curve designer 1482 00:49:17,730 --> 00:49:19,949 can make sure that both of those are 1483 00:49:19,950 --> 00:49:20,849 secure. 1484 00:49:20,850 --> 00:49:22,619 Both of those have these big primes. 1485 00:49:22,620 --> 00:49:24,959 There's an l and a sibling l, and 1486 00:49:24,960 --> 00:49:27,179 a cofactor, small cofactor, and another 1487 00:49:27,180 --> 00:49:28,229 small cofactor.
1488 00:49:28,230 --> 00:49:30,179 And if the curve designer chooses one of 1489 00:49:30,180 --> 00:49:32,429 these twist-secure curves, then the 1490 00:49:32,430 --> 00:49:34,529 attacker has no flexibility left to 1491 00:49:34,530 --> 00:49:36,299 fool you. The attacker won't get any 1492 00:49:36,300 --> 00:49:38,009 information about your secrets 1493 00:49:38,010 --> 00:49:40,319 a and b. Well, so then 1494 00:49:40,320 --> 00:49:41,699 why is this not happening? 1495 00:49:41,700 --> 00:49:43,619 Well, actually, it's kind of happening. 1496 00:49:43,620 --> 00:49:45,809 So there is some motion to get like 1497 00:49:45,810 --> 00:49:47,699 the next generation of ECC standards. 1498 00:49:47,700 --> 00:49:50,039 So next generation, meaning curves 1499 00:49:50,040 --> 00:49:51,479 where we don't shoot ourselves in the foot 1500 00:49:51,480 --> 00:49:52,949 when you try to implement them in the 1501 00:49:52,950 --> 00:49:54,779 simplest way, where the simplest 1502 00:49:54,780 --> 00:49:56,609 implementation is also a secure 1503 00:49:56,610 --> 00:49:57,610 implementation. 1504 00:49:58,500 --> 00:49:59,699 Turns out usually when you go to 1505 00:49:59,700 --> 00:50:01,709 something more secure, it gets slower. 1506 00:50:01,710 --> 00:50:03,329 In this case, the bonus is it gets 1507 00:50:03,330 --> 00:50:04,799 faster. 1508 00:50:04,800 --> 00:50:06,899 So in 2010, Adam Langley from Google 1509 00:50:06,900 --> 00:50:08,699 was posting to the TLS mailing list 1510 00:50:08,700 --> 00:50:11,339 saying, hey guys, academic 1511 00:50:11,340 --> 00:50:12,959 crypto has made some advances. 1512 00:50:12,960 --> 00:50:15,269 Wouldn't it be nice to have, like, 1513 00:50:15,270 --> 00:50:18,089 Curve25519, as he named the curve. 1514 00:50:18,090 --> 00:50:19,170 Then not much happened.
1515 00:50:20,280 --> 00:50:22,799 We did some work proposing 1516 00:50:22,800 --> 00:50:24,959 good methods, too, we 1517 00:50:24,960 --> 00:50:26,549 think it's good methods, to generate 1518 00:50:26,550 --> 00:50:29,189 curves and, well, 1519 00:50:29,190 --> 00:50:31,679 thanks to Snowden last September, 1520 00:50:31,680 --> 00:50:33,809 there's suddenly motion coming into this 1521 00:50:33,810 --> 00:50:36,089 from other people going like, given 1522 00:50:36,090 --> 00:50:38,249 that the discursive kind of their 1523 00:50:38,250 --> 00:50:40,499 respectability, where we think, oh, maybe 1524 00:50:40,500 --> 00:50:42,359 the NSA is not just the good guys, 1525 00:50:42,360 --> 00:50:44,099 shouldn't we have enough emotion? 1526 00:50:44,100 --> 00:50:45,479 Luckily, there's lots of other people 1527 00:50:45,480 --> 00:50:46,829 saying, hey, look, it's not because 1528 00:50:46,830 --> 00:50:48,419 you're paranoid. We don't know whether 1529 00:50:48,420 --> 00:50:50,549 the NIST curves are bad from a security point 1530 00:50:50,550 --> 00:50:52,109 of view, but they're certainly not 1531 00:50:52,110 --> 00:50:53,819 pleasant from an implementation point of 1532 00:50:53,820 --> 00:50:55,949 view. We could be faster. 1533 00:50:55,950 --> 00:50:57,419 We could be more secure. 1534 00:50:57,420 --> 00:50:59,489 And so there's, well, a few 1535 00:50:59,490 --> 00:51:01,919 quotations and there's a draft 1536 00:51:01,920 --> 00:51:03,839 and then we made another curve, 1537 00:51:03,840 --> 00:51:05,339 if somebody wants to have a really 1538 00:51:05,340 --> 00:51:07,469 paranoid security level, 41417. 1539 00:51:07,470 --> 00:51:09,599 But if. 1540 00:51:09,600 --> 00:51:10,600 Yeah. 1541 00:51:11,040 --> 00:51:13,349 And what if it's mockers. 1542 00:51:14,550 --> 00:51:16,739 We have a SafeCurves page, bla bla bla bla 1543 00:51:16,740 --> 00:51:18,449 bla stuff, finally. 1544 00:51:18,450 --> 00:51:20,909 OK, so, moving on.
1545 00:51:20,910 --> 00:51:23,009 There was some, and it's 1546 00:51:23,010 --> 00:51:24,809 a guy who was the leader of CFRG. 1547 00:51:24,810 --> 00:51:26,579 CFRG is the Crypto Forum Research 1548 00:51:26,580 --> 00:51:28,469 Group from the Internet Engineering Task 1549 00:51:28,470 --> 00:51:29,470 Force. 1550 00:51:29,880 --> 00:51:32,039 Except for these and 1551 00:51:32,040 --> 00:51:34,019 as a culture will still be there to 1552 00:51:34,020 --> 00:51:36,299 advise them, you know, tell them whom 1553 00:51:36,300 --> 00:51:37,439 to listen to. 1554 00:51:37,440 --> 00:51:38,969 Now the hope was that we could finish 1555 00:51:38,970 --> 00:51:41,039 this on a happy note, saying it's 1556 00:51:41,040 --> 00:51:42,059 all good now. 1557 00:51:42,060 --> 00:51:44,159 It's, hey, there's a happy 1558 00:51:44,160 --> 00:51:46,439 note here. Microsoft has chosen curves. 1559 00:51:46,440 --> 00:51:48,629 So once Microsoft stepped in, 1560 00:51:48,630 --> 00:51:49,739 that's the end of the discussion. 1561 00:51:51,720 --> 00:51:54,149 Embrace, extend, extinguish, stop 1562 00:51:54,150 --> 00:51:55,320 arguing. Oh, sorry. 1563 00:51:57,120 --> 00:51:59,219 Well, so the final slide would have 1564 00:51:59,220 --> 00:52:00,599 been something nice. But at the moment 1565 00:52:00,600 --> 00:52:03,119 it's just: the discussion continues. 1566 00:52:03,120 --> 00:52:04,120 Thank you for your attention. 1567 00:52:17,830 --> 00:52:18,969 Thank you very much. 1568 00:52:18,970 --> 00:52:21,039 OK, we only 1569 00:52:21,040 --> 00:52:23,709 have very, very few minutes for Q&A, 1570 00:52:23,710 --> 00:52:25,389 so please quickly line up at the 1571 00:52:25,390 --> 00:52:27,129 microphones. We have like three to four 1572 00:52:27,130 --> 00:52:29,379 minutes, so be really quick, short 1573 00:52:29,380 --> 00:52:31,299 questions only, don't ask about your 1574 00:52:31,300 --> 00:52:33,690 thesis. Just ask questions.
1575 00:52:34,780 --> 00:52:37,209 OK, mic two, go. 1576 00:52:37,210 --> 00:52:39,759 Are you actually aware of any attacks 1577 00:52:39,760 --> 00:52:41,889 or weaknesses in any of the NIST 1578 00:52:41,890 --> 00:52:43,389 186-2 curves, 1579 00:52:44,410 --> 00:52:45,849 sorry. Any weaknesses in. 1580 00:52:45,850 --> 00:52:48,279 Could you repeat? Curves included in this 1581 00:52:48,280 --> 00:52:49,869 one, 186-2. 1582 00:52:49,870 --> 00:52:51,999 Yeah. So for instance NIST 1583 00:52:52,000 --> 00:52:53,979 P-224 is not twist-secure. 1584 00:52:57,140 --> 00:52:59,269 Anything else, or is that the only 1585 00:52:59,270 --> 00:53:01,219 one that's known to be a problem? 1586 00:53:01,220 --> 00:53:03,589 Look, all of these are, if you're willing 1587 00:53:03,590 --> 00:53:05,539 to do the work of implementing very, very 1588 00:53:05,540 --> 00:53:07,939 carefully and you check for 1589 00:53:07,940 --> 00:53:10,039 a point coming in being on the curve, 1590 00:53:10,040 --> 00:53:11,299 having the right order, et cetera, et 1591 00:53:11,300 --> 00:53:12,739 cetera, if you're willing to do a lot of 1592 00:53:12,740 --> 00:53:15,019 work, have something that's slow 1593 00:53:15,020 --> 00:53:17,029 and fragile, hard to test, hard to 1594 00:53:17,030 --> 00:53:19,159 implement, then you can do something 1595 00:53:19,160 --> 00:53:21,319 secure with the NIST elliptic curves. 1596 00:53:21,320 --> 00:53:23,449 Then the steps forward that are 1597 00:53:23,450 --> 00:53:25,639 part of modern curves 1598 00:53:25,640 --> 00:53:27,859 do something that's faster and 1599 00:53:27,860 --> 00:53:29,689 easier to implement correctly. 1600 00:53:29,690 --> 00:53:31,219 And that's something that, well, most 1601 00:53:31,220 --> 00:53:32,389 people are happier with. 1602 00:53:32,390 --> 00:53:33,469 Thank you. 1603 00:53:33,470 --> 00:53:35,270 OK, Internet, please. 1604 00:53:36,490 --> 00:53:38,479 Yeah, very short question.
1605 00:53:38,480 --> 00:53:40,939 If you were the NSA, could you influence 1606 00:53:40,940 --> 00:53:42,949 your own standard so that you could break 1607 00:53:42,950 --> 00:53:44,119 it? And how would you do that? 1608 00:53:47,030 --> 00:53:48,919 Well, short answer, the nice thing about 1609 00:53:48,920 --> 00:53:50,689 standards is that there's so many to 1610 00:53:50,690 --> 00:53:51,690 choose from. 1611 00:53:57,700 --> 00:53:58,700 Is that the answer? 1612 00:53:59,800 --> 00:54:01,909 OK, mic, which one? 1613 00:54:01,910 --> 00:54:04,089 I mean, three answers, if I'm 1614 00:54:04,090 --> 00:54:06,729 free to choose, say, the ANSSI, 1615 00:54:06,730 --> 00:54:08,319 the French standard, there's no 1616 00:54:08,320 --> 00:54:10,129 justification given whatsoever. 1617 00:54:10,130 --> 00:54:12,159 I can feed you whatever I want. 1618 00:54:15,030 --> 00:54:16,919 OK, this mic, I can't see the number 1619 00:54:16,920 --> 00:54:19,169 because there's too many people, how 1620 00:54:19,170 --> 00:54:21,629 do you come up with the key length of 1621 00:54:21,630 --> 00:54:23,839 256 bits and how do you know it's secure? 1622 00:54:23,840 --> 00:54:25,919 It's just the absence of something 1623 00:54:25,920 --> 00:54:27,989 like index calculus.
1624 00:54:27,990 --> 00:54:30,209 So the key to the fact 1625 00:54:30,210 --> 00:54:32,309 that index calculus doesn't apply 1626 00:54:32,310 --> 00:54:34,439 is what allows you to get away with 1627 00:54:34,440 --> 00:54:36,589 very small key sizes compared to 1628 00:54:36,590 --> 00:54:38,669 RSA. And then something like two 1629 00:54:38,670 --> 00:54:41,069 fifty six bits, that's coming from saying, 1630 00:54:41,070 --> 00:54:42,929 well, the biggest computations that 1631 00:54:42,930 --> 00:54:44,969 someone can do with current computer 1632 00:54:44,970 --> 00:54:46,979 technology, ten years from now computer 1633 00:54:46,980 --> 00:54:49,409 technology, using say a sixty 1634 00:54:49,410 --> 00:54:51,719 five megawatt power substation, that 1635 00:54:51,720 --> 00:54:53,729 biggest computation they can do would 1636 00:54:53,730 --> 00:54:55,289 still not break a two hundred bit 1637 00:54:55,290 --> 00:54:57,029 elliptic curve. So we feel very 1638 00:54:57,030 --> 00:54:59,189 comfortable using two fifty six. 1639 00:54:59,190 --> 00:55:01,349 So for the, for 1640 00:55:01,350 --> 00:55:03,689 the attacks that we know how to do, all 1641 00:55:03,690 --> 00:55:05,479 the numbers, I'd say of course that's 1642 00:55:05,480 --> 00:55:07,409 theodolite PTO. 1643 00:55:07,410 --> 00:55:09,479 So there you can see like how many 1644 00:55:09,480 --> 00:55:11,769 operations to do the 200, you need to do 1645 00:55:11,770 --> 00:55:13,829 for breaking a full 1646 00:55:13,830 --> 00:55:14,900 41417. But Kolff. 1647 00:55:16,780 --> 00:55:19,019 OK, we are unfortunately out of time. 1648 00:55:19,020 --> 00:55:20,969 So please again thank our speakers.