Please post a sample application code to generate private and public key using EDCH calls of openssl package . I am struggling to get private key of 32 bytes .
Along any given named curve, y^2 = x^3 + 7 for example, not every point has both x and y being integers. Even if they are, how can we guarantee they still are after a number of iteration? When we choose a G, do we always choose a point with integers x and y? With a large integer private key n, do we expect nG to be a point of integers x and y?
Yes. Not all points are possible. Here is an example asecuritysite.com/ecc/ecc_points3 For G and any other point, the x- and y-values are always integers.
Nice. Few queries below How can we find the size of the keys using the curve name for example, secp128r1 is the curve what is the size of a private key ---As per my understanding the private key should be 128-bit key length what will be the size of the public key? what will be the size of the shared key?
The parameters are well published for all the known curves. No one uses secp128r1, as it has a key that is too small. 128-bit EC is not recommended, and we need at least 160-bit versions, and, if possible use 256-bit prime numbers. sepc256k1, Curve 25519 or P256 are a more normal curve, and have 256-bit prime numbers (and which define the size of the private key).
Hi Bill, thanks for this explanation. Its the first one that makes some sense to me but please elaborate on this G number (coordinate) because it seems to me that this is the key difference compared to straight forward Public/Private key exchange and it is not too clear in the video what is going on with this G in the process. Is it correct that this G is pre shared prior to the key exchange? Do I understand it correctly that the same G is part of the public keys on both sides? Also: I understood that a big ECDH advantage is smaller keys but who cares if a key that is exchanged is 256bytes to 1K bytes? these sizes are irrelevant with nowadays internet speeds.
G is a base point and is well known for the curve type. Here are some examples: asecuritysite.com/ecc/ecc_types G is known by both Bob and Alice in the exchange.
@@BillBuchanan Ok, after some full days of searching I just found out that the whole world is using the same G coordinate depending on the agreed key exchange in the Client Hello message. Why is no one mentioning this?
It is a extremely hard problem to find Db from Qb = Db G (mod p). The divide operation is normally done through the Euclidean method as we are using modulo of a prime [asecuritysite.com/encryption/inversemod] . Our numbers are within the field of p, so it is extrememly difficult to find the private key (Db). The prime for secp256k1 is: 00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:fe:ff:ff:fc:2f and which gives us exremely large calculations for finding Db. [asecuritysite.com/encryption/ecc]
addition is forever modulus calculation is forever / 2 for example no matter how big a number is, even % 2 = 0 and odd % 2 = 1 but form this you don't know the number like how many times 2 or how many times 2 and plus one at the end they all go around the dlog problem and give partial answers only since the answer is: impossible to compute unless a reference (backdoor) that is what I look for, the reference there is something on the elliptic curve which you cam compare if the given value is on or off and if it has odd or even private key
It is very confusing to leave out the critical part which makes this all work - "(mod p)", would love to see Bill modify this to explain why using modulus over the field p makes it easy to calculate 'going forward' but very very difficult to compute 'going backwards' (why it's so hard to compute Alice or Bob's private key despite all of the information being shared publicly.) It's the same magic found in 'regular' Diffie-Hellman. To be fair, it's covered later in the code walk through - but I suspect many people get lost before that because it's not mentioned.
Thanks Bill for the video for a good explanation. Watching all your videos. I'm new to cryptography. Now I study the digital signature between Bitcoins. Please explain this formula in more detail: X '= (X + H (X || C) * G) [with H a hash function, || concatenation, and G the secp256k1 generator point] How do I understand this formula is the same exchange of values for the authentication of the transaction between the buyer and the seller? Bill still has the question that if the sender puts an extra value in the "Transaction" and receives another "Signed transaction" completely different values of "RawTX". Does he violate the signature? A well-known example in the Bitcoin Blockchain. Many senders insert various encrypted values in "OP_RETURN". Can they, with these cunning manipulations, extract the recipient's private key?
Please post a sample application code to generate private and public key using EDCH calls of openssl package .
I am struggling to get private key of 32 bytes .
Along any given named curve, y^2 = x^3 + 7 for example, not every point has both x and y being integers. Even if they are, how can we guarantee they still are after a number of iteration? When we choose a G, do we always choose a point with integers x and y? With a large integer private key n, do we expect nG to be a point of integers x and y?
Yes. Not all points are possible. Here is an example asecuritysite.com/ecc/ecc_points3 For G and any other point, the x- and y-values are always integers.
Nice. Few queries below
How can we find the size of the keys using the curve name
for example, secp128r1 is the curve
what is the size of a private key ---As per my understanding the private key should be 128-bit key length
what will be the size of the public key?
what will be the size of the shared key?
The parameters are well published for all the known curves. No one uses secp128r1, as it has a key that is too small. 128-bit EC is not recommended, and we need at least 160-bit versions, and, if possible use 256-bit prime numbers. sepc256k1, Curve 25519 or P256 are a more normal curve, and have 256-bit prime numbers (and which define the size of the private key).
Hi Bill, thanks for this explanation. Its the first one that makes some sense to me but please elaborate on this G number (coordinate) because it seems to me that this is the key difference compared to straight forward Public/Private key exchange and it is not too clear in the video what is going on with this G in the process. Is it correct that this G is pre shared prior to the key exchange? Do I understand it correctly that the same G is part of the public keys on both sides?
Also: I understood that a big ECDH advantage is smaller keys but who cares if a key that is exchanged is 256bytes to 1K bytes? these sizes are irrelevant with nowadays internet speeds.
G is a base point and is well known for the curve type. Here are some examples: asecuritysite.com/ecc/ecc_types
G is known by both Bob and Alice in the exchange.
@@BillBuchanan Ok, after some full days of searching I just found out that the whole world is using the same G coordinate depending on the agreed key exchange in the Client Hello message. Why is no one mentioning this?
@@anthonynolan186 well known means it is publicly known = whole world knows it. So he actually said that
If G is the same on both sides, and Qb=Db*G, then Alice can compute Db by Db=Qb/G, and know Bob's private key. I'm probably missing something?
It is a extremely hard problem to find Db from Qb = Db G (mod p). The divide operation is normally done through the Euclidean method as we are using modulo of a prime [asecuritysite.com/encryption/inversemod] . Our numbers are within the field of p, so it is extrememly difficult to find the private key (Db). The prime for secp256k1 is: 00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:fe:ff:ff:fc:2f and which gives us exremely large calculations for finding Db. [asecuritysite.com/encryption/ecc]
Is there a way to know if a private key is odd or even?
Perform (mod 2) on y axis point
@@BillBuchanan low range is possible but how do we deal with the big ranges?
addition is forever
modulus calculation is forever / 2
for example no matter how big a number is, even % 2 = 0 and odd % 2 = 1
but form this you don't know the number
like how many times 2 or how many times 2 and plus one at the end
they all go around the dlog problem and give partial answers only
since the answer is: impossible to compute unless a reference (backdoor)
that is what I look for, the reference
there is something on the elliptic curve which you cam compare if the given value is on or off and if it has odd or even private key
@@exodus8213 Numbers are always Big Integers such as with Python
@@BillBuchanan is there any way to solve this?
hi , i have this key but i dont know how to generate it to get all my keys , can you help me ? thank you
It is very confusing to leave out the critical part which makes this all work - "(mod p)", would love to see Bill modify this to explain why using modulus over the field p makes it easy to calculate 'going forward' but very very difficult to compute 'going backwards' (why it's so hard to compute Alice or Bob's private key despite all of the information being shared publicly.) It's the same magic found in 'regular' Diffie-Hellman. To be fair, it's covered later in the code walk through - but I suspect many people get lost before that because it's not mentioned.
I do love listening to Bill describe things though, I especially like watching him work through ECDSA and EdDSA in real time.
Thanks Bill for the video for a good explanation. Watching all your videos. I'm new to cryptography.
Now I study the digital signature between Bitcoins.
Please explain this formula in more detail:
X '= (X + H (X || C) * G)
[with H a hash function, || concatenation, and G the secp256k1 generator point]
How do I understand this formula is the same exchange of values for the authentication of the transaction between the buyer and the seller?
Bill still has the question that if the sender puts an extra value in the "Transaction" and receives another "Signed transaction"
completely different values of "RawTX". Does he violate the signature? A well-known example in the Bitcoin Blockchain. Many senders insert various encrypted values in "OP_RETURN".
Can they, with these cunning manipulations, extract the recipient's private key?
Good one . Well explained.
Would like to understand more on how curve.g was shared to Bob. Apart from public key, how curve.g was shared to Bob.
When we communicate we send G and N to Bob, or they are well known values.