Everything you wanted to know about Elliptic Curve Cryptography – Fission (2024)

Enough with the talk! I just need to figure out what all these funky acronyms mean!

What is asymmetric cryptography?

How on earth does that work?

Sweet good thing someone figured that out. Now we can all kick back and relax knowing all of our information is secure!

Is there no hope for privacy?!

There's a new one-way function on the block: Elliptic Curve Cryptography. Now with 100% less prime factorization!

What's an elliptic curve?

Elliptic curves are cool looking curves that look like this:

And are graphed with equations that looks like this:

y^2 = x^3 + ax + b

Except decimals are a bit unruly so we only take the integers, and then take a modulus of the function (basically wrap the graph around the edges like an old game of snake), so the graph actually ends up looking something like this (note there's still a horizontal line of symmetry):

Alright, but what do these have to do with cryptography?

The basic procedure of ECC is this:

• Choose a curve and a point P on the curve (everyone uses the same point)
• Choose an arbitrary very large number N (this is your private key).
• Using point addition, add P to itself N times
• The x-coordinate of N*P is your public-key

Can you ground this in reality a bit?

Sure! Let's draw an analogy to adjusting a clock. Here are the same steps listed out but with a clock instead of an elliptic curve:

• Grab a clock sitting at exactly midnight and choose an arbitrary number of seconds P
• Choose a very large number N
• Move the clock forward P seconds N times (pretend you have really fast hands 😜)
• Give the clock to a friend and tell them how big each step was (P) then see if they can figure out how many times you moved it (N) to arrive at the current location

And how well does this whole thing work?

It turns out this is a much more robust one-way function than prime factorization. In fact, we can achieve the same security as a 3072-bit RSA key with a 256-bit ECC key. Not bad!

What if someone guesses the same number N that I chose?

There's a mind-blowingly large range of numbers to choose from. Each key is 256 bits so you have 2^256 = 10^77 options. To give you a scale of how big this is, there are:

• ~10^18 grains of sand on earth
• ~10^22 stars in the observable universe
• ~10^78 atoms in the observable universe

So guessing someone's private key would be approximately equivalent to guessing a random atom in the universe.

Doesn't it take a long time to calculate my public key?

How do these keys translate into cryptographic functions?

ECDH is a key sharing algorithm, most commonly used to send encrypted messages. ECDH works by multiplying your private key by another's public key to get a shared secret, then using that shared secret to perform symmetric encryption.

To illustrate why this works:

• Alice and Bob agree on a curve with starting point P
• Alice has a private key a and public key A = a * P
• Bob has a private key b and public key B = b * P
• a * B = a * b * P = b * A
• So a * b * P ends up being the shared secret

ECDSA is a signature algorithm, used to prove authenticity of some information. The algorithm is a bit trickier than ECDH.
Warning: lots of equations, feel free to skip to the takeways below.

• Alice and bob agree on a curve with starting point P
• Alice has a private key a and public key A = a * P
• Alice chooses a random k and point K = k * P
• Alice takes r which is just the x-value of K
• Alice hashes her message to produce hash H
• Alice calculates a value s = inv(k)*(H+ra)
• Alice sends her message to Bob along with the signature (r, s)
• Bob calculates H from the message
• Bob ensures that r = H*inv(s)*P + r*inv(s)*A
• If it does, the signature is valid!

If you skipped those equations or they don't quite click, the key takeaways are:

• Alice sends a random value r and a calculated value s that could only be calculated with a combination of the private key, the message hash, and the random value, but gives away no information about her private key.
• Bob can verify r and s by using just the message hash and Alice's public key
• You need a good source of randomness to use ECDSA. If you're randomness function is broken, repeated signatures can disclose your private key

Real quick, you mentioned symmetric encryption. How does that work?

Symmetric encryption uses just one key to encrypt and decrypt a message. Encrypted messages just look like random jumbles of letters and numbers that give no information about the underlying message unless you have the key to "unjumble" it. Most algorithms use a block cipher. This involves choosing a block size (say 64 bits), and encrypting the message in blocks of that size.

We mentioned symmetric encryption when talking about ECDH. When people say "asymmetrically encrypted", they actually mean "symmetrically encrypted with a secret that is shared asymmetrically".

A few examples of algorithms are AES, Salsa20, or Triplesec (which is actually just a combo of the first two for extra security).

Okay, I generally understand how this works, but how do people decide on a curve and a point P?

A bunch of different ways, sometimes they're chosen for a specific reason, sometimes they're algorithmically determined. Different curves have different properties. Checkout Safe Curves for an analysis of different curves.

Can "faulty" curves give backdoors?

What's this "Edwards Curve" I keep hearing about?

Most Elliptic curves are Montgomery Curves. Edwards Curves were described by mathematician Harold Edwards and popularized by cryptographer Daniel Bernstein. They have a different structure that allows for a faster signature algorithm. This signature algorithm, when performed on an Edwards curve, is called EdDSA. This algorithm runs in constant time, meaning it's faster and leaks less information

Can Edwards Curves do key sharing?

Edwards curves are specifically used for signatures. There is not a related Diffie-Hellman key sharing algorithm.

So if I want to use both ECDH & EdDSA, I need two key pairs?

Not exactly. Let's take the most common Edwards curve Ed25519. This curve is related to Montgomery curve Curve25519. In fact Ed25519 is a twist of Curve25519. A "twist" basically means that the curves are mappable to one another. What this means is that you can use the same private key to generate a public key on both curves and then transform those public keys between one another without any knowledge of the private key. Specifically, with these equations.

(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))

where (u, v) is the Curve25519 point and (x, y) is the Ed25519 point

You can read a more in-depth post about that Here.

What cryptography algorithms do protocols like Bitcoin, Ethereum, and IPFS use?

Bitcoin uses secp256k1 for completely arbitrary reasons
Etherem uses secp256k1 for interop with Bitcoin
IPFS uses Ed25519 and RSA.

Okay so what do you recommend?

We're using Ed25519 & Curve25519. We chose these because:

• They are well-recognized as safe curves
• They are one of the more commonly used curves, so we have easier interop
• They allow us to use EdDSA for signatures
• We're fairly certain that they don't have any backdoors in them

This is sweet! Why doesn't everyone have a private key??

We ask ourselves the same question everyday. The main reason is: it's a pain. Keys look scary (6A576D5A7134743777217A25432A462D4A614...). And if you lose a key, you're forever screwed. There's no "recovery by email" available.

What are people doing about this?

We need to fix the UX of public keys. Remove the scary hexadecimal strings and provide more painless recovery.

A few options are

• Replication: Share the same key across multiple devices. If you drop your phone in a lake, you can recover your key with your laptop
• Shamir Secret Sharing: This involves splitting a key up into separate "shares". Each share reveals nothing about the key, but by combining the shares back together, you can recover the private key. This leads to interesting solutions like social recovery or zero-knowledge key recovery which we implemented as a Proof of Concept.
• Secure Hardware Enclaves: Many phones and computers that are coming out these days have Secure Hardware Enclaves. These use both hardware and software to provide very strong security gurantees
• Hardware Secure Modules (HSMs): These are similar to Secure Hardware Enclaves, but larger and hold more information. Physical modules exist, and you can also rent space from cloud providers such as AWS. Less security-minded users might be interested in backing up their keys with a "trusted custodian" (this still ends up being quite a bit safer than the internet's current security model).

How are you using private keys?

Here at Fission, we wanted to get private keys into the hands of our users as quickly as possible. We just rolled out our new authentication scheme which uses private keys to power our command line tool: Fission Live. Give it a go and let us know what you think! We have other big projects coming down the pipeline soon that will use this public key infrastructure to power some really neat features: a global encrypted filesystem, cryptographically verifiable claims, and more!