Это видео недоступно.
Сожалеем об этом.
Lecture 16: Introduction to Elliptic Curves by Christof Paar
HTML-код
- Опубликовано: 29 янв 2014
- For slides, a problem set and more on learning cryptography, visit www.crypto-textbook.com
(Don't worry, I start in German but at minute 2:00 I am switiching to English for the remainder of the lecture :)
I have fixed delay audio in the lecture: ruclips.net/video/vIyywOLyA7Y/видео.html
thanks man, you are a life saver !!
Thanks man .. I suffered for 40 minutes and finally checked the comments :)
You realize how old these lectures are, when he describes blackberries as part of the "sexy new applications" 😂 Great lecture!
Thank you very much Christof Paar, you are the best Professor I have ever seen in my life!
Yes, that's really what I think of you. For me you are very smart, so pedagogical, so clear, so humble (necessary for any teaching) and so funny too!
I discovered this course in 2014 in Morocco when I started my studies on Cryptography at the University of Rabat, Morocco. I really enjoyed this course at that time, and I can't tell you how it helped me to understand these topics that seemed very complicated (unfortunately due to the lack of explanation by other professors). You made them very easy for me, like magic. Your method is really inspiring and I really appreciate it. And I know if I am now working in this field as a security analyst with a background in cryptography, it is somehow thanks to your wonderful courses!
After seven years, I still enjoy these courses and now I decided to go back to this elliptic curve course because I am interested in CHESS-2021 this year about white box cryptography based on elliptic curves.
Thanks again my best professor
Professor Christof Paar, i can't find the words to thank you
you are one of the best, today this morning it was easy for me to answer my final exam after watching the whole course
i really adore you Mr.Paar :)
my regards from Palestine :)
In case you want to sync the audio up using a chrome extension the delay is -7500 ms
you are a god
thank you so much oml
what is the extension name?
People like you make me believe again in the manking haha thanks
Thanks Professor. That is so helpful. Reading all this stuff from slides and books was so much painful. Your videos just made it so clear and simple .. Vielen Dank!
Awesome teacher! Awesome lectures! Thank you very much for posting these and I hope you will post the other crypto courses that you teach! I also really really apreciated the fact that he tried to be "a nice teacher" a derive the formulas (in all lectures) and not to throw them on the blackboard, as many of my university teachers did! Again...awesome course! Thanks a lot for making it available to the public!
Looking forward to look at the lectures of "Implementation of Cryptography" you teach in semester 5!
for anyone worried about the audio sync, install 'RUclips Audio/Video Sync extension' and set audio delay to -8026 ms.
-8100 is better for me
@@yihou6433 actually -6500 ms is better
-7950 is perfect
Prof. Paar: Great lecture. I am so inspired that I am going to start with lecture 1 (after lecture 17 - where you build the EC crypto system) and really learn about the crypto that I have been using as a programmer. Your English is excellent, and I am happy to say that I am picking up bits of German (important for mathematical heritage). Thank you for making these excellent lectures publicly available.
you are a very responsible and patient teacher! Thank you for sharing the video!
I haven't seen such kind of professor wordless jxt great man and i love the moment when u called nxt 60 second or so u awake
Best lecture on EC ever. Thanks loads.
1:59 english starts... :) I was worry..
Your actions in this video are lagging with your sound sir.so it's hectic to understand.While other videos are quite good and ur awesome professor
Today I learned ECC thoroughly thanks to Prof.Paar
6 days to the final so switching to x1.5 playback speed. Great course by the way!
If it enables me understand Prof. Christof Paar's lecture, I really do not mind taking extra efforts to learn German.
Prof., After listening to your lectures only, I understand the advanced topics in Cryptology like ECC, DH, DLP etc. Thanks and Regards. - Hannah.
Intro to Elliptic Curves 7:00
Group operation 36:00
Prof. Paar is a good teacher.
@48:55: In English, the equation of a line is usually denoted as "y = mx + b", where m is the slope and b in the y-intercept.
Ive learnt it as y = mx + c
Great lecture Prof. It is highly inspiring.
Excellent lecture, thanks!
Free advice:
Download the clip
Delay the audio by 0.1s using vlc
continue watching
Well, I was holding well throughout all of these lectures, but while trying to understand O (point in infinity), with proving property 3 and, 4 my head finally exploded. Now I'm cleaning my floor of confetti, popcorn and some brain nuggets.
Good Course and Good Teacher
Copy the URL and play it in VLC media player. It will solve the audio lag problem automatically.
means the definition of generator for EC is when the order plus itself until it find point of infinity?
Great lecture professor, It might help to refer to the inverse of P as P' to avoid the confusion of the signs. Also perhaps referring to the group operation as addition causes some confusion, since it is really just an arbitrarily defined operation. One question I had, is the geometric interpretation in R the source of the definition of the group operation, or was the group operation defined in Zp and the geometric interpretation in R just emerged from that?
why didn't you show how to find points on the elliptic curve using perfect squares.of x in mod p.
It would be great if you can add a lecture on ECDSA after the ECC lecture
Prof. Paar, Excellent videos....
Do you also have videos of your 5th semester class "Implementation of Cryptography" which you mentioned about in this video lecture? That will be a great continuation to the classes in this series.
Thanks again, for your outreach to help us all learn and understand.
+Sathyamurthi Sadhasivan Unfortunately, I do not have videos from my course "Implementation of Cryptographic Schemes". However, the lecture notes for the course, which are similar in style to our book Understanding
Cryptography, are available here: emsec.rub.de/teaching/literature/
regards, christof
good lecture, in english we use y = mx + b for equation for line
As a German (Bavaria), we used y = mx + t for lines :D
@@XozZzo As a Spanish we use y=mx+n XD
Please disregard my previous questions, I found the reasoning I was looking for.
You are really amazing...
Excellent lecture. the audio sync was a little distracting
I downloaded it in mp4 format from an online tool and the audio offset disappeared without doing anything else!
If not, just open it with VLC and adjust the audio delay with the first chalk stroke on the board ;)
@@ravard4336 Thanks for your suggestion!
The content is perfect, but there is a delay in voice, to avoid this, one may open the video on another tab and play it 6-7 seconds after. Keep its voice open and the main one's closed, by doing that it will sound like real time.
Sir y do v take the mirror image after addition?
Everyone in the comments section is learning for their exams and I am learning for starting into Blockchain. I just want to know if this much cryptography is needed in blockchain I mean should I go more advance?
rez
Thank you Professor for this great lecture on EC and wish you a happy new year as well. I have a question though. In @1:18:25 it's mentioned that P = (5, 1) is generator for E and that |E| = 19. My question is how could one determine the cardinality of such a group (i.e. Elliptic Curve) and the generators of the group as well since we are dealing here with points (i.e. a pair of integers) and not only integers?
For such toy examples, just keep additing P to itself using the point addition or point doubling formulae and check when you reach the neutral element, i.e., the point at infinity.That means you compute:
2P = ...
3P = ...
Before each computation i * P + P you check whether i*P is equal to -P. If so, i*P + P = O (point at infinity) and the group cardinality is i+1.
In practice, however, the curve is almost always given together with the cardinality of the group that is being used.
regards, christof
Thank you Sir for your reply. I still can not see though how could one figure out the generator element P = (5, 1) or any other primitive element of such a group G(E, +). I will be so pleased to have an answer for this particular question.
Thanks Professor,
One question on the same topic - How we assumed (5,1) is the generator.If we had chosen some other pair as "P" and if we had hit (i*p +p =0) when i = 10. why we don't conclude p is the generator and the cardinality of the group is 11
This (and the next video) is a nice introduction to Eliptic Curves.
Unfortunately, some important details are skipped.
Most importantly:
1) Why is the defined group operation associative?
2) How to do encryption/decryption with it?
(Or do we never do encryption/decryption with it because it's cheaper to do key exchange and then use AES?)
If anyone knows nice but also detailed/in-depth explanation of the subject, it would be highly appreciated!
Here are brief replies to your questions:
1) Showing associativity for elliptic curves is quite involved. You can find resources online, e.g. www.uni-regensburg.de/Fakultaeten/nat_Fak_I/friedl/papers/elliptic_2017.pdf
2) One can encrypt with ECC. There are various schemes, most of them are variants of Elgamal encryption. BUT, as you said, it is rarely used in practice because symmetric cryptography (AES; 3DES, ...) are about 100-1000 times faster.
regards, christof
@@introductiontocryptography4223
Thanks for the info and the link!
Checked the paper. Yeah, longer than I suspected.
I'll have to return to it a bit later, when I can dedicate some time.
> symmetric cryptography (AES; 3DES, ...) are about 100-1000 times faster
Wow, I knew it's faster, but I didn't know it's that much faster!
In English, at least American English, we use y = mx + b for the line equation. Where m and b comes from, I haven't the slighted idea.
Can any of my UK brethren chime in if this is shared with the King's math?
great lecture! do you know by any chance any basic reference for "Elliptic curves on the complex numbers C"? instead of Z_p
Thank you very much
You probably have to use one of the mathematical texts on elliptic curves. Two standard books are the one by Neal Koblitz and Joe Silverman's, both published by Springer. Again, both are quite heavy on math but otherwise recommended. regards, christof
Thank you Prof. Paar.
I am trying to find a deeper explanation for the exclusion of "4a cubed + 27b squared mod p = 0". I thought perhaps the curve might intersect itself or otherwise create an ambiguity but I was unsuccessful in finding a consistent definable problem. Can you point me to a reference? I have your textbook in kindle format and the search function fails me.
"I'm awake ! I'm awake!"
Alice
The requirement for the group construction to work is that the curve doesn't have singularities like sharp corners or self-intersections (imagine trying to make sense of the group operation on those!). Now it turns out, this requirement is equivalent to the discriminant of the curve being non-zero. That seemingly arbitrary polynomial is the discriminant of the polynomial defining the elliptical curve. It's nice to use this fact to quickly check if our choice of parameters will work or not.
@@ChumX100 thank you.
It would be nice if you add subtitles for German speaking part than all of understand what is the professor saying in his native tongue
It's something to the effect of "wake up and pay attention now because it's going to be a bitch to learn this by yourself". Source: am german
i have nearly watched the whole course
he rarely speaks in German
he often speaks in german whenever he wants to ask the students to be silent :D
Mr Paar Thank you for your lectures they very useful and I just wanted to know what year students in that your teaching
Rajae Hamma Thanks for your interest. I am mainly teaching to 1st year students in our B.Sc. program "Bachelor in IT Security". There are also a few M.Sc. students.
Professor - at 1.14.30 - How does (2) -1 become 9 ? (2 inverse becomes 9)
The inverse of 2 with respect to mod 17 is 9 since 2 * 9 = 1 mod 17 hence 9 is the inverse of 2.
Why do we need the group to be cyclic? The subgroup generated by a base element that we choose to be part of the public key is always cyclic.
+Road Kamelot You need a cyclic group for constructing a discrete logarithm problem. Please have a look at Lectures 13 and 14 of this series. Regards, christof
Anyway we could get a fixed version so the audio is in sync?
professor, how P+Q=R?
Thanks alot.
i am good at english but i don't understand german and i wonder what he says when you start to speak german :?
Hello Professor,
In this lecture, while calculating "s" in case of doubling (P+P), wats a?
Is it a constant or to be calculated?
"a" is the coefficient in the equation of the elliptic curve itself:
y^2 = x^3 + a x + b mod p
cheers, christof
The voice matching algorithm messed up a little.
ruclips.net/video/vIyywOLyA7Y/видео.html
What happens when P not = Q but x1=x2 so that slope s is not defined?
Well, if you pick x1=x2, then you get a straight line.
So if the second point Q = (x2, -y1), then you get the inverse of P, i.e. -P.
If Q is not -P, then the point by definition of your chosen elliptic curve, won't be on the curve.
Good question, had to think this through too.
Thank you very much for your very helpful lecture.
I'm just wondering, when you talk about the identity property of EC group, why didn't you consider that the mirror point is -P : P + 0 = P ==> P + (-P) = 0.
such that if P = (x, y), then -P = (x, -y)
Similarly, when add two points P (x1, y1) and Q (x2, y2), the result we get, by extending the line, before taking the mirror is presumably - (P+Q) ; (x3, -y3)!
Then, the line between P and -P is the vertical line which does not intersect with EC at a third point, thus we say the third point is infinity, which is part of the parallelism definition in the first place :)
Ibrahim Hejab
Yes, it is perfectly fine to explain it this way! I sometimes do this way too in my lecture. Thanks for your input, Christof
Introduction to Cryptography by Christof Paar
Thank you for your reply and concern. By the way, your book "Understanding Cryptography" and the lectures in this channel, made it super easy for me to understand cryptography.
Audio isn't in sync for you too?.
Audio is out of sync for me too
@@grover- ruclips.net/video/vIyywOLyA7Y/видео.html
guys, what's the name of the text book he use in this class? Any download or amazon link will be helpful!
The book is "Understanding Cryptography" and it is closely linked to the material in the videos. You find a link to Amazon on the companion web page: www.crypto-textbook.com
Regards, Christof
Introduction to Cryptography by Christof Paar Thank you sir!
There are two points on every elliptic curve that have no other intersection points. Its tangent never intersects the curve again. They are where the curve changes from convex to concave. At these points, does (P + P) = P ?? Or are these points never part of the group? Is this the equivalent of a cycle with order one?
Alice
how to calculate 101(2, 2) ??
Doubling the (2,2) six times and then adding 64(2,2) + 32(2,2) + 4(2,2) + (2,2) seems like the most efficient method
1:12:26 Example 9.4: isn't the point P=(5,1) NOT on the curve y^2=x^3+2x+2(mod17) ? To do 'point doubling', shouldn't the point be on the curve?
The point (5,1) is on the curve. To see this, insert the x coordinate in the elliptic curve equation:
y = x^3 + 2 x + 2 mod 17
5^3 + 2*5 + 2 mod 17
125 + 10 + 2 mod 17
137 mod 17
8 * 17 + 1 mod 17
1 mod 17
As you can see, the y coordinate that belongs to x=5 is in fact 1. Hence,
(x=5, y = 1) is a point on the curve. cheers, christof
@@introductiontocryptography4223 but isn't the function y^2 = x^3 + 2 x + 2 ?
So it would look like this?:
y^2 = x^3 + 2x + 2 mod(17)
y^2 = 5^3 + 2*5 + 2 mod(17)
y^2 = 137 mod(17)
y = √137 mod(17) (note: √137 < 17)
www.desmos.com/calculator/ilrmxnucrw
Best Regards,
Sorry, I forgot to write y^2 on the left hand side of my calculation above. Correct is:
y^2 = x^3 + 2 x + 2 mod 17
= 5^3 + 2*5 + 2 mod 17
= 125 + 10 + 2 mod 17
= 137 mod 17 8 * 17 + 1 mod 17
y^2 = 1 mod 17
This equation is fulfilled for y=1 since 1^2 = 1 mod 17.
I would not recommend to compute the square root. Computing square roots in finite fields (this is what you have if you do arithmetic modulo a prime number) needs a special algorithm. For our purpose here, it is sufficient to square y and to check whether the results is equal to the right side of the equation, cf. above. cheers, christof
@@Gem-gi7km
encrüption?
Professor, I want to learn this theory where can I start
I'm not a professor, but do you mean number theory (which is the general concept of all this)?
I suggest studying maths, but you can try to read books on number theory as well (if you're like super motivated) :D
Why choose your own P and Q for EC? Why not let the NSA do all the hard work and choose P and Q for you?
The audio and video are several seconds out of synch for me. Anyone else?
ruclips.net/video/vIyywOLyA7Y/видео.html
Is it me or is the audio wildly out of sync?
Looks like audio encrypted with ECC whole video with RSA
Deep mistery
Ich schaue es mir noch einmal an, denn ellpitische Kurven sind viel interessanter als ich dachte. Es gibt nämlich ein Faktorisierungsverfahren auf Basis der elliptischen Kurven, das offenbar fast niemand verstanden hat.
Es hat fast niemand verstanden. Wer es verstanden hat, erkennt sofort, dass der Geheimdienst RSA schon immer knacken konnte.
Warum wird RSA immer noch verwendet?
Es gibt keinen Grund, außer Hintertüren für den Gehemdienst zu schaffen.
Sound and video is not synchronised
ruclips.net/video/vIyywOLyA7Y/видео.html
7:13
13:00
From this picoCTF 2014 problem:
Cryptosystem:
Elliptic Curve: y^2 ≡ x^3 + ax + b mod n
a = 0
b = 268892790095131465246420
n = 928669833265826932708591
Encryption: C = e * M mod n
Decryption: M = d * C mod n
e = 141597355687225811174313
d = 87441340171043308346177
C = (236857987845294655469221, 12418605208975891779391)
For this particular Elliptic Curve based cryptosystem, e is the encryption key and d is the decryption key. The original base-point C is reached as a result of e * d * C mod n, so I'm guessing that "e" and "d" have to be related in some way. If they are, how are the integers "e" and "d" related, and how do I generate two such integers that are related in this manner?
+Tom Lasky I am not aware of this problem. However, C = e * M mod n is NOT an ECC operation. Perhaps there is a misunderstanding of the problem?? Please check out ehsandev.com/pico2014/cryptography/ecc.html. regards, christof
+Introduction to Cryptography by Christof Paar Thank you for your help. It turns out that e and d were modular multiplicative inverses, and when multiplied together and divided by the cardinality of the curve, yielded a remainder of 1.
nice work sir., can u please send me the matlab code for elliptical curve cryptography....it will be very useful for my project....thank you
fix it
18P + P = 19P = Identity. so 18P is the inverse of P?, But the co-ordinates of 18P is different from -P
Good question. Please note that the inverse of a point P=(x,y) is defined as:
-P = (x, -y)
The tricky part: "-y" is defined with respect to modulo p arithmetic. Let's look at the example in the video:
P=(5,1)
18P=(5,16)
We have to check wethere 16 is really -1 WRT mod 17 arithmetic. This is actually the case since:
1 + 16 = 0 mod 17
hope this helps. regards, christof
@@introductiontocryptography4223 Got it!, Thanks a lot sir!
enjoy the homework lol
Bitcoin brought me here.
y^2 = x^3 -x modulo p, (p+1)/4 ist eine Primzahl, mindestens 160 Bits.
Mit G' = 4 * G haben wir eine Untergruppe deren Ordnung eine Primzahl ist.
Es gibt praktisch unendlich viele Primzahlen p mit diesen Eigenschaften, die wir wählen können.
Perfekt - besser geht es nicht!
Mehr brauchen wir nicht. Wir drehen uns nur im Kreis, wenn wir nach weiteren Verfahren suchen, denn es kann keine besseren geben. Es gibt ja auch bereits genügend Primzahlen p, die wir wählen können.
Standardkurven? Blödsinn - brauchen wir nicht. Je weniger der Hacker weiss, um so besser.
"What the heck"
Prof. in advanced cryptography talks about security... and then he uses Windows XP.
this is done in 2011
>title and tags in English
>video in german
Don't worry, only the first two minutes are in German, after that I switch to English :)
Introduction to Cryptography by Christof Paar thank you! I was a bit confused lol
iS HE SPEAKING GERMAN?
sorry, my mistake, I am switching to English at 2:00 min
Viel Erfolg beim Lernen :)