fermigier
2 days ago
This discovery was already commented on a few months ago:
https://news.ycombinator.com/item?id=41475177
As I wrote in the comments, I was the record holder, twice, in the 90s:
Fermigier, Stéfane - Un exemple de courbe elliptique définie sur Q de rang ≥19. (French) [An example of an elliptic curve defined over Q with rank ≥19] C. R. Acad. Sci. Paris Sér. I Math. 315 (1992), no. 6, 719–722.
Fermigier, Stéfane - Une courbe elliptique définie sur Q de rang ≥22. (French) [An elliptic curve defined over Q of rank ≥22] Acta Arith. 82 (1997), no. 4, 359–363.
UI_at_80x24
2 days ago
As a professional and expert I would love to hear your thoughts and opinions on the use of elliptic curve crypto with SSH. There was a concern (unsure of the validity) that NSA/NIST had compromised the algorithm used and ECC was unfit for 'secure' communication.
2048bit RSA has been deprecated since that declaration and while 4096bit is still viable, the smaller key-size of ed25519 is appealing.
41599799
a day ago
Ever since the Dual_EC_DRBG backdoor[1], trust in cryptographic algorithms set by NIST has been reduced.
In the case of ECC curves, the NIST curves rely on a number of highly specific but unexplained constants. More info about the safety and security of curves can be found at https://safecurves.cr.yp.to/
For now, Curve25519 is considered a good bet.
[1] https://en.wikipedia.org/wiki/NIST_SP_800-90A#Backdoor_in_Du...
CarpaDorada
a day ago
2048bit RSA is not deprecated...
AlotOfReading
a day ago
NIST has deprecated it for government use after 2030, just not today.
fsckboy
a day ago
well, deprecated does not mean it stops, just that it comes with warnings, so not 2030 either.
AlotOfReading
21 hours ago
It puts it in the same category as triple DES.
wslh
2 days ago
Just saw this, congratulations! Would you mind giving an ELI5 explanation for a wider audience?
lisper
2 days ago
[Not the OP but I think I understand it well enough to take a whack at an ELI5.]
Elliptic curves are a particular kind of cubic equation, exactly like the quadratic equations you studied in junior high algebra, except with one term being raised to the third power instead of just squared (and a few other conditions). It turns out that these equations have vastly more complicated behavior than quadratics and give rise to a whole host of problems that mathematicians are still working to solve. One of the interesting problems arises when you ask: what are the solutions to the equation if we restrict ourselves only to rational numbers? It turns out that rational solutions to elliptic curve equations can be grouped into families of solutions where each member of the family can be derived from other members by linear operations (addition and multiplication by a constant). The number of such families of solutions is called the rank of the equation. (Note: it's actually a little more complicated than that, but that's the gist of it. See [1] if you want the details.)
It is observed empirically (by solving lots of elliptic curve equations) that the rank tends to be small. Indeed, the elliptic curve that made the news did so because it has a rank of 29, the largest rank currently known. But no one knows if this is the biggest possible (almost certainly not) or if there is an upper bound on the possible rank of an elliptic curve. Solving that would win you a Fields medal.
(Note: there are results on the upper bound of the average rank of families of elliptic curves [2] but that is not the same as an absolute upper bound.)
---
[1] https://en.wikipedia.org/wiki/Rank_of_an_elliptic_curve
[2] https://en.wikipedia.org/wiki/Rank_of_an_elliptic_curve#Uppe...
jjice
2 days ago
This is a fantastic ELI5, thank you!
lisper
2 days ago
Thanks! I try hard to produce quality technical pedagogy, so you just made my day.
ElijahLynn
a day ago
Not exactly the 5 year old level though, "you studied in junior high algebra".
Thank you for sharing, and I'm still looking for ELI5 though, because I don't remember algebra class that well.
fsckboy
a day ago
>Solving that would win you a Fields medal
it would not win me a Fields medal: ageism, it's only for under 40s.
eddd-ddde
2 days ago
For the longest time I thought elliptic curves were quadratic curves.
Wouldn't it have been more accurate to name them elliptic surfaces?
lisper
2 days ago
The name derives from the fact that they originally arose in connection with trying to determine the arc length of an ellipse. See:
https://people.math.rochester.edu/faculty/doug/mypapers/wayn...
CarpaDorada
a day ago
They're curves (one-dimensional), not surfaces. An example of an elliptic curve is y^2 = x^3 + 1. The polynomial P(x,y) = x^3 + 1 - y^2 has degree 3. A surface is a two-dimensional geometric shape.
QuesnayJr
2 days ago
Just to be clear, an ellipse is a quadratic curve. Ellipses are not elliptic curves. (They are still curves, though, as long as you restrict to plugging in real numbers, not complex.) The terminology is unfortunate.
fermigier
2 days ago
Well, the basics, oversimplified, are this:
- In general, elliptic curves are solutions of P(x, y) = 0 where P is a polynomial of degree 3 in two variables. "Points" on the curve are solutions of this equation.
- If you intersect an elliptic curve with a straight line, you end up with a polynomial in one variable, of degree 3 (in general). Since a polynomial of degree 3 has 3 solutions (in the appropriate context), this means that if you have two points on the curve, and you draw a line through these two points, there is a third aligned with them which belongs to the curve. So we have an operation on the curve, which to every pair of points associates a third point. This can be explicitly calculated.
- It can be proven (again, by explicit calculation) that this operation is associative and commutative, and that there is a "zero" element, i.e. that this operation forms a "group".
Now we want to study these elliptic curves and their associated groups with one additional condition: that the points are rational, i.e. have coordinates that are rational numbers (a/b). For each curve with rational parameters (i.e. the coefficients of the polynomial are rational), we want to study the rational points of this curve.
For some elliptic curves, there is a finite number of points, so the associated group is a finite commutative group.
For other elliptic curves, however, there are infinitely many rational points, and mathematicians have wanted to classify their structure.
A foundational result in number theory known as the Mordell-Weil theorem states that the group of rational points on an elliptic curve over a number field (such as the rationals, ℚ) is finitely generated. In other words, although there may be infinitely many points, they can be expressed as a finite set of points (known as "generators") combined under the group operation. This structure forms what is called a "finitely generated abelian group", which can be decomposed into a direct sum of a finite subgroup (called the "torsion") and a free part of rank r, where r is called the "rank" of the elliptic curve.
This rank "r" essentially measures the "size" of the free part of the group and has deep implications in both theoretical and computational number theory. For example, if r=0, the group is finite, meaning that the set of rational points on the curve is limited to a finite collection. When r>0, there are infinitely many rational points, which can be generated by combining a finite number of points.
So the challenge is to find a curve with a large number of generators. All of these computations (for a given curve at least) are quite explicit, and can be carried out with a bignum library (the numbers tend to get quite large quickly). I used PARI/GP for my thesis.
Sniffnoy
2 days ago
> - If you intersect an elliptic curve with a straight line, you end up with a polynomial in one variable, of degree 3 (in general). Since a polynomial of degree 3 has 3 solutions (in the appropriate context), this means that if you have two points on the curve, and you draw a line through these two points, there is a third aligned with them which belongs to the curve. So we have an operation on the curve, which to every pair of points associates a third point. This can be explicitly calculated.
> - It can be proven (again, by explicit calculation) that this operation is associative and commutative, and that there is a "zero" element, i.e. that this operation forms a "group".
I feel like it's worth clarifying here that this operation is actually not the group operation, although the group operation is defined in terms of it.
oasisaimlessly
2 days ago
If you're going to contradict someone, be specific about it. What is your "the group operation" and how is this not it? A given mathematical object can have more than one group operation defined for it.
wbl
2 days ago
In this case there is a negation missing. If a line intersects three points we have A+B+C=0. To get the group law you have to negate a point.
intuitionist
a day ago
Of course for this to make sense you have to have a notion of 0, which is traditionally taken to be the point at infinity (so negation is negating the y-coordinate). It’s been a while since my algebraic geometry classes but IIRC this is just a useful convention.
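The two ingredients the thread has been circling, fermigier's "line through two points gives a third point" operation and the negation that wbl and intuitionist say turns it into the actual group law (with the point at infinity O as zero and negation as flipping the sign of y), are easy to make concrete with exact rational arithmetic. The following is an added example written for this thread, not code from any commenter and not PARI/GP; it uses Python's `fractions.Fraction` and short Weierstrass form y^2 = x^3 + a x + b. The curve y^2 = x^3 + 1 is the one CarpaDorada mentioned, and y^2 = x^3 - 2 with the point (3, 5) is a classical curve with infinitely many rational points, chosen here to show fermigier's remark that the numbers grow quickly. The function names (`third_point`, `add`, `mul`, `order`) are this example's own.

```python
"""Chord-and-tangent operation versus the group law on an elliptic curve over Q.

Curves are in short Weierstrass form y^2 = x^3 + a*x + b with rational a, b.
Points are (x, y) tuples of Fractions; the point at infinity O is None.
All arithmetic is exact (fractions.Fraction), so nothing is rounded.
"""
from fractions import Fraction as Fr

O = None  # point at infinity: the identity element of the group


class EllipticCurve:
    def __init__(self, a, b):
        self.a, self.b = Fr(a), Fr(b)
        if 4 * self.a ** 3 + 27 * self.b ** 2 == 0:
            raise ValueError("singular cubic, not an elliptic curve")

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return y * y == x ** 3 + self.a * x + self.b

    def neg(self, P):
        # -P is the reflection in the x-axis: the vertical line through P meets the curve at O
        return O if P is O else (P[0], -P[1])

    def third_point(self, P, Q):
        """Third intersection of the line through P and Q with the curve (tangent if P == Q).
        This is the 'line through two points' operation from the thread: symmetric, but it
        has no identity element and is not associative."""
        if P is O and Q is O:
            return O
        if P is O:
            return self.neg(Q)  # the line through O and Q is vertical
        if Q is O:
            return self.neg(P)
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2:
            if y1 != y2 or y1 == 0:
                return O  # vertical chord, or vertical tangent at a point with y = 0
            s = (3 * x1 * x1 + self.a) / (2 * y1)  # tangent slope
        else:
            s = (y2 - y1) / (x2 - x1)  # chord slope
        x3 = s * s - x1 - x2  # Vieta: the three x-coordinates on the line sum to s^2
        y3 = y1 + s * (x3 - x1)  # the point actually on the line; not yet reflected
        return (x3, y3)

    def add(self, P, Q):
        """Group law: P + Q = -(third point), so collinear A, B, C satisfy A + B + C = O."""
        return self.neg(self.third_point(P, Q))

    def mul(self, n, P):
        """n*P by double-and-add; negative n uses -P."""
        if n < 0:
            n, P = -n, self.neg(P)
        R = O
        while n:
            if n & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            n >>= 1
        return R


def collinear_sum_is_zero(E, A, B):
    """Let C be the third point on the line through A and B; check A + B + C = O."""
    C = E.third_point(A, B)
    return E.add(E.add(A, B), C) is O


def chord_is_associative(E, P, Q, R):
    c = E.third_point
    return c(c(P, Q), R) == c(P, c(Q, R))


def add_is_associative(E, P, Q, R):
    return E.add(E.add(P, Q), R) == E.add(P, E.add(Q, R))


def order(E, P, limit=20):
    """Smallest n <= limit with n*P = O, or None if P has order larger than limit."""
    for n in range(1, limit + 1):
        if E.mul(n, P) is O:
            return n
    return None


if __name__ == "__main__":
    # y^2 = x^3 + 1: the rational point (2, 3) generates a finite group of order 6
    E1 = EllipticCurve(0, 1)
    P, Q, R = (Fr(2), Fr(3)), (Fr(0), Fr(1)), (Fr(-1), Fr(0))
    print("order of (2,3):", order(E1, P))
    print("A+B+C = O for collinear points:", collinear_sum_is_zero(E1, P, Q))
    print("chord operation associative:", chord_is_associative(E1, P, Q, R))
    print("group law associative:", add_is_associative(E1, P, Q, R))
    # y^2 = x^3 - 2: (3, 5) has infinite order, and the coordinates of n*G blow up fast
    E2 = EllipticCurve(0, -2)
    G = (Fr(3), Fr(5))
    for n in range(1, 7):
        x = E2.mul(n, G)[0]
        print(f"{n}G: x has a {len(str(x.denominator))}-digit denominator")
```

Running the script shows the point Sniffnoy made: on y^2 = x^3 + 1 the bare chord operation fails associativity for the points (2,3), (0,1), (-1,0), while the negated version is associative, has O as identity, and makes the three collinear points sum to O. On y^2 = x^3 - 2 the multiples of (3,5) never return to O, and the denominators of their x-coordinates grow from one digit to hundreds within a few doublings, which is why a bignum library is needed for any serious rank computation.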
marton78
a day ago
This is a fantastic explanation, thank you very much!