The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To make a donation or to view additional materials from hundreds of MIT courses, visit MIT OpenCourseWare at ocw.mit.edu.

TADGE DRYJA: Today, I'm going to talk about signatures and all sorts of different signature kind of things. In the problem set, you're working with signatures, but you're working with hash-based signatures, which are not actually used in Bitcoin at all. But we'll talk about those. OK. So if you've gotten through the homework, there's Lamport signatures, right? These are hash-based signatures. And they use hash functions. So it's fairly straightforward. You can understand them. There's nothing super crazy going on. The code is fairly compact. So that's cool. What are some disadvantages of these Lamport signatures? Does anyone-- yeah?

AUDIENCE: You can only use it once.

TADGE DRYJA: Yeah. OK. So plus.
This is hashes. That's cool. One-time use. Other possible disadvantages of them relative to other systems, if you're aware. Another is they're kind of huge, kind of big, right? You can deal with it. But if you were looking in the forge, or that file with the signatures, it's like, what, 8K for a signature-- 8 kilobytes-- kind of big. Keys are 16 kilobytes-- kind of annoying. Private keys are also 16 kilobytes. So yes, sig 8K, 16K priv/pub key. So those are some disadvantages. So since I don't have slides, I'm gonna make this more fun and interactive. What are some solutions for these problems? So we can actually mitigate/solve both of these things to a pretty good extent. So how about the first one, one-time use? What would be a fairly obvious way to mitigate the one-time use problem? And don't think the answer is too stupid. It may be a fairly stupid answer, and it might work. So yeah?

AUDIENCE: Not actually revealing pieces of your private key? Instead, reveal something else.
TADGE DRYJA: There's probably some clever way. But that might be too clever. Something really simple for, OK, I can only use a key once. How can I use a "key," quote unquote, more than once? Yeah?

AUDIENCE: Make another one.

TADGE DRYJA: Yeah. You can make another key. So you could say, well, I've got this 16 kilobyte public key. Well, I'm going to make a 32 kilobyte public key. And it's just two public keys stuck together. And now, when I make a signature, I just put an extra bit in the front. And I say, well, this signature is using key 0 or this signature is using key 1, and it's got the whole signature after. And then you look through this 32 kilobyte public key, and you say, OK, well, it starts with a zero, so that means it's using the first key, the first subkey in this 32 byte public key block. And in this case, it's using one, so that means it's using the latter subkey. So that would work. That would let you use your public key twice, at the cost of doubling your public key size, which is not really great, right? And it's not very efficient.
But it does sort of work. OK. Any clever ways to do it more efficiently? Or wait. So OK, also, I'll give you sort of a hint. In this case, let's say this is pub sub 0 and pub sub 1, right? And then, your 32 byte pubkey is just them concatenated together, right-- pub0, pub1. What would happen to the private keys in this case, right? How would private keys work here? Same expansion of size, I guess. Can anyone think of a way to mitigate the expansion of size of private keys in this case? So the private keys are the preimages here, right? They lead into these public key blocks. So you could just say, OK, well, I have twice the size private key leading into twice the size public key. Could you do that more efficiently? Yeah?

AUDIENCE: Could you just hash the private key so that you have two hashes instead of one?

TADGE DRYJA: Yes. So let's say you have this 16k block, and you want this to turn into two public keys. So that's the basic good way to do it. And it sort of turns in like that.
How exactly-- what's the way you do that?

AUDIENCE: You can keep the same private key as before and just add something like zero or one to indicate--

TADGE DRYJA: Yeah. So this is a hash function, right? And so before, we just said, OK, hash of this is block 0, this is block 1, this is block 2. So the idea of pub-- let's see. Is this visible? This might be too small, right?

AUDIENCE: Yes.

TADGE DRYJA: Yes, OK. Let me make this bigger. Sorry. OK. So in these diagrams, you've got your private key right now. And it's in these big blocks. And there's 256 of them, but let's keep it small. And the idea is these are 32 byte blocks with random numbers in them. And then you hash it to get your public key. So we say, OK, pub2-- and this is public, this is private, and, let's say, secret-- pub2 is just the hash of secret2, right? But yeah. What we could do is we could sort of have two different hash functions.
And then a real simple way to make a whole bunch of different hash functions is we define, OK, well, hash0 is defined as the hash function of whatever your input x is concatenated with the number 0. And then hash1, we define as just x comma 1, and so on. And this is actually secure. You could do this. Any questions or possible objections?

AUDIENCE: I was thinking that if someone knew the hash function you're using, wouldn't they only define x because they know that it won't help with [INAUDIBLE] x. [INAUDIBLE]

TADGE DRYJA: Yes. Yes. So there's no real entropy or secrets in this 0 and 1. But it's purely riding on x, right? But the idea is, well, if I do this, and I say, OK, well, pub2 is the hash of secret2 concatenated with 0, yeah, if you know secret2, you can go back. Because 0 is obvious. But the idea is if you don't know secret2, the fact that you know the last byte of the hash input doesn't really help you. Because there's all this data that you don't know. And so you're not going to be able to find a preimage.
You're like, OK, I know the preimage to public2 ends with a 0 byte. What are the other 32 bytes that come before that? You still can't go back to make a preimage.

AUDIENCE: But it feels like there's some sort of-- what's the word-- you'd make a similar statement saying, oh, if the last byte is not important, then the second-to-last byte is not important, either, right?

TADGE DRYJA: So the attack is I've got pub2, which is a 32 byte hash output. I want to find what this thing is. Now, I do know what the last byte is, right? It's going to be, let's say, 33 bytes, and the last byte is a 0. And this is going to be some random numbers all the way back. So I have some insight into what the preimage is. I know the last byte is a 0. But that doesn't help because I don't know all the bytes before that. So I can't really do-- I can't sign because I need to be able to reveal all these things. And the way the hash function works, if it's a good hash function, the fact that you know some part of the preimage shouldn't give you insight into the other parts of the preimage.
Because it looks really random. And adding stuff to the end here shouldn't reveal anything. There are hash functions where this can be dangerous, and you can consider those like broken hash functions, where if I concatenate a lot of known data at the end, it might give me properties of the public key that I can find. [INAUDIBLE], as far as we know, it works fine. Most of the hash functions work fine this way. So yeah, you can do this. And then you can say, OK, well, I'm going to use hash function 0 to make pubkey 0, right? This is pubkey 0. And if I use hash function 1, I make pubkey 1. Now I have a 16 kilobyte-- let me erase this-- so now what I can do is I can say, OK, well, I have a 16 kilobyte secret key, private key, but I have a 32 kilobyte public key that I can use twice that has two subkeys, so I don't have to store as much of my private key data. So that's cool. That makes it quite a bit more efficient. Does anyone have an idea of how to get it even more efficient for private key storage? You can actually get it very efficient using this kind of idea. Any ideas?
Yeah. Well, you-- So some hints. This is pretty useful, right? The idea is, well, even if you know what the sort of suffix of all these things are, if you don't know x, you're not going to be able to find the preimage, right? So maybe add some more stuff here. Any idea? Oh, yeah?

AUDIENCE: Could you hash the index?

TADGE DRYJA: Right. Right. So instead of just saying 0 and 1, we can say here, well, why not just have one chunk? And there's one chunk, and it's got random number x. Well, this is hash x comma 0. This is hash x comma 1. This is hash x comma 2. OK. So yeah. So what you can do is you can-- this was before, right, where I said, OK, yeah, but this is basically how to do a 32 byte private key, where your private key is actually quite small, and you just derive all of the public keys by adding numbers at the end, concatenating them into your hash. And now you're like, OK, cool.
I have a 32 byte private key, and I can make enormous public keys from them, and it's still secure, right? Because I can add whatever number I want here. And I can do this a million times, and no one will be able to find the preimage, even though I'm giving you all these related hashes, right? It's x comma 0, x comma 1, x comma a million. I can give you millions of them. And each time I do it, it doesn't give you any insight into how to find what x is-- if it's a good hash function. So that's really powerful. And now I can say, OK, the private key problem is solved. I have O(1) growth in my private key. I can make as many public keys as I want; it never gets any bigger. Cool. Still have this problem with the public keys, though. Let's say I want to sign four times. OK. Well, I make a 64 kilobyte pubkey. Now I can sign four times. Great. But my public key size expands with the number of signatures I ever want to do.
Any ideas on how you could mitigate that or how you could still make a usable system, despite this fact? There are a couple of different techniques. Any ideas? OK. So one would be every time I sign, I also sign my next pubkey. You can do that. It's got some downsides, right? So the idea is I first publish one 16 kilobyte pubkey. And then I say, OK, when I sign, I'm going to sign my message. And concatenated to that message will be my next pubkey. And so I'm signing something and also indicating what my next public key will be that I sign with. Then I can still maintain a small private key and then keep signing. The problem is, in order for someone to verify, they're going to need to look at all of my previous signatures, right? So if I'm saying, hey, here's my 500th public key that I'm signing with, here's the message, you're going to have to go back and look at my entire history of signing, which is not great. OK. So other ideas of how to deal with large pubkeys? What's a way you could do this? So hints.
Is there any kind of data function we've seen here where it takes an arbitrary sized amount of data and outputs a fixed size? [LAUGHING] In fact, it's the only thing we've been talking about so far. So what would you do to make your public keys smaller?

AUDIENCE: Hash.

TADGE DRYJA: Hash them. Right. OK. So you say, well, yeah, 32 byte pubkey. Well, you just commit to the pubkey with the hash of the whole thing, right? And I say, well, I've got my 16 kilobyte pubkey. I just hash it, right? And now I have a 32 byte public key. And I've committed. That works, right? I've committed to my public key. However, when I sign, I need to provide the whole public key in order for you to verify. I need to provide this whole 16 original pubkey, original version pubkey, after when I sign. So now my signature goes from 8K to, what, 24K. So I haven't really made it more efficient, right, in that the total thing with public keys and signatures stays the same size-- actually, slightly larger.
But this is kind of a game. Because the public key, it might be like I'm showing it to you beforehand, and we're space-constrained there. And then, when I'm doing the signature, I have more space or time or something like that. So this is actually useful. And actually, this technique is used in Bitcoin and all different cryptocurrencies, where you can call this a pubkey hash-- pubkey hash, or they say PKH. And the main benefit is size, right? You could say, well, if I've got a really big pubkey, I can commit to it by sending to the hash of the pubkey. And then, when I later want to sign, I reveal the actual pubkey. You can do it that way. OK. So then this is pretty cool, right? We've now taken our system, which had fairly large-- 16 kilobyte-- private keys, turned them into 32 byte private keys. Great. And also, this is O(1)-- never expands. Awesome. We've taken a system with large, potentially huge-- 32 kilobyte, 64 kilobyte-- public keys. We've got it down to 32 bytes. Awesome.
OK. We've now made this thing much more efficient, much more useful. The problem-- the signatures are still big. They actually got a little bit bigger because they include the full public key in the signature. And let's say we had one of these things, where we make a bunch of public keys and commit to them at the outset. So you say, OK, I've got a 64 kilobyte pubkey. I can commit to the whole thing by hashing it. However, then, when I reveal and want to give you a signature, my signature is now whatever it'll be-- 72, right? The signature would be 72 kilobytes-- kind of huge. So I can add a bunch of keys, but I'm just sort of pushing the problem somewhere else-- into the signature, right? There's a better way to commit to many public keys. It's maybe not super obvious unless you've seen it before. But if you have, do you know what the better way to commit to many public keys is? Or you could come up with it on the spot, and it'd be like, wow, you should have gotten this stuff named after you. Any idea? OK.
So what you can do-- it's a little non-obvious-- you can make a tree, right? So the idea is instead of just saying, oh, I'm going to take all four of my big pubkeys, stick them all in a row, take the hash of that whole thing and publish that as my public hash, I'm going to have a little bit more complex design. And that design is a binary tree. OK. So the idea is here are my four public keys that take up 64K each. I can make these intermediate hashes. So I make a binary tree where I say, OK, this is the hash of the first two keys stuck together. This is the hash of the second two keys stuck together. The top is the hash of these two intermediate hashes stuck together. And then, this top is my root, which is equivalent to my pubkey hash. And so I can publish this, and it commits me to all four of my public keys. So it might not be obvious. Do you see any advantages that this could have over just concatenating all four of the keys and hashing it? Yes?

AUDIENCE: I'm confused.
Where is your private key in this?

TADGE DRYJA: The private key is down here, right? The private key is not shown. But I have a private key. It turns into these pubkeys. And we can use the technique here, where we just have, really, one 32 byte private key and create all the different chunks of all the public keys by concatenating different indices. Yes?

AUDIENCE: You can do [INAUDIBLE] systems and log n time instead of linear time.

TADGE DRYJA: Yeah, exactly. I can prove that, hey, this is public key 0, which is in here, this root hash, and I don't have to reveal all four in order to do it. So yeah. Did someone else have, probably, the same idea? Yeah, OK. OK. So how are we going to do that? You obviously know. Anyone else? Yeah.

AUDIENCE: So assuming you wanted the public key 0, you would publish that and 1, and also hash of 2, 3.

TADGE DRYJA: Right, yeah. And then you can prove up to the top. So I have little colors.
So the idea is the verifier who's verifying the signature, he already knows the root, right? Because you've pre-published that as your public key, as your public key root and your public key hash. And then that verifier is provided with public key 0 saying, hey, here's a signature. Here's the message. Here is public key 0. So you've got both of these things. Now, the prover needs to prove that public key 0 is contained within the root. And to do that, the only two things the prover needs to add is pub1-- OK, so the prover says, here's public key 1. That allows the verifier to compute this. And then the prover says, hey, here's hash 2, 3, which allows the verifier to compute the root and then check that it's equal. So yeah, you only need two extra hashes instead of all four. So it saves some space. It doesn't save that much space when you only have four. It saves a lot of space when you have 1,000, right? So you can add O(n) elements. And the root stays the same size. The root stays 32 bytes, regardless of how many leaf nodes you have.
476 00:21:56,000 --> 00:21:58,110 And you can prove an element with log n-- 477 00:21:58,110 --> 00:22:00,176 oh, those parentheses are wrong-- 478 00:22:00,176 --> 00:22:02,340 O(log n) intermediate hashes. 479 00:22:02,340 --> 00:22:06,510 So if you have 1,000 keys, your root stays 32 bytes, 480 00:22:06,510 --> 00:22:10,830 and your proofs are going to be not too, too big, right-- 481 00:22:10,830 --> 00:22:15,000 320 bytes of overhead, which is a bunch smaller 482 00:22:15,000 --> 00:22:17,550 than a signature, right? 483 00:22:17,550 --> 00:22:18,580 So this is really cool. 484 00:22:18,580 --> 00:22:21,450 And you can use this much more practically 485 00:22:21,450 --> 00:22:24,150 than the raw Lamport signatures that 486 00:22:24,150 --> 00:22:25,680 were in the first problem set. 487 00:22:25,680 --> 00:22:29,760 Because those, if you're just doing 488 00:22:29,760 --> 00:22:32,640 one key and one signature, it's about the same size. 489 00:22:32,640 --> 00:22:34,920 But this actually lets you use it multiple times, 490 00:22:34,920 --> 00:22:37,230 lets you store a much smaller private key, 491 00:22:37,230 --> 00:22:39,180 commit to much smaller public keys. 492 00:22:39,180 --> 00:22:40,740 It's a more usable system. 493 00:22:40,740 --> 00:22:46,072 The signatures, though, still are kind of huge, right? 494 00:22:46,072 --> 00:22:48,030 Your signatures are going to be a little over 8 495 00:22:48,030 --> 00:22:49,620 kilobytes, which is OK, right? 496 00:22:49,620 --> 00:22:51,690 Computers can deal with 8 kilobytes. 497 00:22:51,690 --> 00:22:55,230 That's called a Merkle tree made by Ralph Merkle 498 00:22:55,230 --> 00:22:58,680 in '76 or something. 499 00:22:58,680 --> 00:23:01,820 And it was originally made for exactly that purpose. 500 00:23:01,820 --> 00:23:04,900 Anyway, so these are called Merkle trees. 501 00:23:04,900 --> 00:23:07,120 Ralph Merkle. 502 00:23:07,120 --> 00:23:09,025 He doesn't really work on crypto now. 
503 00:23:09,025 --> 00:23:11,590 He works on biotech stuff now, I think. 504 00:23:11,590 --> 00:23:12,456 Anyway. 505 00:23:12,456 --> 00:23:14,013 But he's cool. 506 00:23:14,013 --> 00:23:15,930 And he gets, like, everything named after him. 507 00:23:15,930 --> 00:23:18,190 So you will see the word Merkle everywhere. 508 00:23:18,190 --> 00:23:21,160 And it's, you know, he invented something cool. 509 00:23:21,160 --> 00:23:21,873 Awesome. 510 00:23:21,873 --> 00:23:23,290 This is one of the kind of things, 511 00:23:23,290 --> 00:23:24,490 though, where it seems like, yeah, 512 00:23:24,490 --> 00:23:25,950 I might have been able to think of that, right? 513 00:23:25,950 --> 00:23:28,270 It's sort of a binary tree and hash functions. 514 00:23:28,270 --> 00:23:30,560 It's nothing that crazy. 515 00:23:30,560 --> 00:23:32,710 But so there's all sorts of Merkle trees. 516 00:23:32,710 --> 00:23:35,440 You can make a different thing. 517 00:23:35,440 --> 00:23:36,330 It's used in Bitcoin. 518 00:23:36,330 --> 00:23:39,520 It's used in a bunch of different cryptocurrencies. 519 00:23:39,520 --> 00:23:40,750 Oh, cool. 520 00:23:40,750 --> 00:23:46,060 It's a very powerful way to take a whole bunch 521 00:23:46,060 --> 00:23:48,770 of different things and commit to them in one small thing. 522 00:23:48,770 --> 00:23:49,270 OK. 523 00:23:49,270 --> 00:23:50,530 So this is very cool. 524 00:23:50,530 --> 00:23:52,360 But we can do better. 525 00:23:52,360 --> 00:23:54,820 And so the next things are things that I definitely 526 00:23:54,820 --> 00:23:58,180 would never have thought of because it's much more 527 00:23:58,180 --> 00:24:00,400 complex than just, like, hey, let's use a binary tree 528 00:24:00,400 --> 00:24:02,530 with hashes. 
529 00:24:02,530 --> 00:24:05,260 And I will mention RSA and then go 530 00:24:05,260 --> 00:24:10,510 into ECDSA and elliptic curve [INAUDIBLE] signatures, which 531 00:24:10,510 --> 00:24:15,012 do different things and are not based on just hash functions. 532 00:24:15,012 --> 00:24:16,720 So I'll talk about RSA for a few minutes, 533 00:24:16,720 --> 00:24:19,067 and then we'll have a little break, like intermission. 534 00:24:19,067 --> 00:24:20,900 And then we'll go into elliptic curve stuff. 535 00:24:20,900 --> 00:24:21,400 OK. 536 00:24:21,400 --> 00:24:23,260 So RSA was invented by locals. 537 00:24:23,260 --> 00:24:24,790 The R is Ron-- 538 00:24:24,790 --> 00:24:26,290 no, I think the R stands for Rivest, 539 00:24:26,290 --> 00:24:29,870 but Ron Rivest is at CSAIL, and he's still 540 00:24:29,870 --> 00:24:32,230 working on cool crypto stuff. 541 00:24:32,230 --> 00:24:34,960 It's not used in Bitcoin or any currency, actually-- 542 00:24:34,960 --> 00:24:38,560 well, any currently operating cryptocurrency. 543 00:24:38,560 --> 00:24:42,880 Because the signatures and keys are 544 00:24:42,880 --> 00:24:45,550 a bit larger than the later systems we'll see-- 545 00:24:45,550 --> 00:24:50,500 smaller than the hash-based things, but still a bit larger. 546 00:24:50,500 --> 00:24:52,420 Was used in Chaumian blinded cash. 547 00:24:52,420 --> 00:24:55,070 Because you can do blinded signatures, where you say, 548 00:24:55,070 --> 00:24:58,272 OK, I'm going to have you sign something for me, 549 00:24:58,272 --> 00:24:59,980 and then after you give me the signature, 550 00:24:59,980 --> 00:25:04,000 I can pull apart the signature. 551 00:25:04,000 --> 00:25:05,650 Because I'll have you sign something 552 00:25:05,650 --> 00:25:07,870 that you don't know what you're signing, right? 
553 00:25:07,870 --> 00:25:10,630 I'm going to mask this message and blind it 554 00:25:10,630 --> 00:25:12,550 so that you sign the message, and then I 555 00:25:12,550 --> 00:25:15,310 can get your signature on the real message 556 00:25:15,310 --> 00:25:17,080 without you knowing what you signed. 557 00:25:17,080 --> 00:25:19,540 So basically, the idea is, well, I actually 558 00:25:19,540 --> 00:25:26,230 have message prime equals message plus randomness. 559 00:25:26,230 --> 00:25:28,210 And I say, hey, can you sign m prime? 560 00:25:28,210 --> 00:25:28,990 And you say, OK. 561 00:25:28,990 --> 00:25:33,970 I produce a signature on m prime with my private key. 562 00:25:33,970 --> 00:25:36,370 And we'll call that s prime. 563 00:25:36,370 --> 00:25:41,420 And then what I can do is I can s equals s prime 564 00:25:41,420 --> 00:25:45,050 minus the randomness, or, really, some function 565 00:25:45,050 --> 00:25:46,520 of that randomness. 566 00:25:46,520 --> 00:25:48,240 And now I have a signature. 567 00:25:48,240 --> 00:25:51,530 And this is a valid signature on m. 568 00:25:51,530 --> 00:25:52,760 So that's kind of cool. 569 00:25:52,760 --> 00:25:54,802 It's like, hey, can you sign this message for me? 570 00:25:54,802 --> 00:25:57,670 And we're not going to tell you what you're signing. 571 00:25:57,670 --> 00:25:59,420 It seems sort of useless, like why would I 572 00:25:59,420 --> 00:26:01,430 sign something I have no idea what I'm signing? 573 00:26:01,430 --> 00:26:05,180 But it can be used in that Chaumian blinded cash. 574 00:26:05,180 --> 00:26:08,150 Because I then have a proof that, well, this bank didn't 575 00:26:08,150 --> 00:26:10,550 know what they were signing, but they signed this, 576 00:26:10,550 --> 00:26:13,550 and this is their signature, and they gave it to me. 577 00:26:13,550 --> 00:26:17,090 And I can use that as a thing to represent money. 578 00:26:17,090 --> 00:26:19,340 There's all sorts of cool things you can do with this. 
579 00:26:19,340 --> 00:26:24,890 The basic setup of RSA is make two prime numbers, p and q. 580 00:26:24,890 --> 00:26:28,880 And then compute n, which is the product p times q. 581 00:26:28,880 --> 00:26:31,400 So this seems fairly straightforward, right? 582 00:26:31,400 --> 00:26:32,660 It's not too hard. 583 00:26:32,660 --> 00:26:34,583 Everyone knows what prime numbers are. 584 00:26:34,583 --> 00:26:36,500 Now you have this composite number, p times q. 585 00:26:39,470 --> 00:26:43,040 How do I make a leading question for the next slide? 586 00:26:43,040 --> 00:26:46,532 Does this have any relation to things that we've looked at? 587 00:26:46,532 --> 00:26:48,740 This doesn't look at all like a hash function, right? 588 00:26:48,740 --> 00:26:51,080 But are there any properties similar to a hash function 589 00:26:51,080 --> 00:26:51,580 here? 590 00:26:54,230 --> 00:26:55,995 Yeah? 591 00:26:55,995 --> 00:26:57,620 AUDIENCE: It's hard to route the image. 592 00:26:57,620 --> 00:26:58,860 It's hard to [INAUDIBLE]. 593 00:26:58,860 --> 00:26:59,700 TADGE DRYJA: Yeah. 594 00:26:59,700 --> 00:27:02,570 It's a one-way function in that if I know p and q, 595 00:27:02,570 --> 00:27:04,610 I can compute n, right? 596 00:27:04,610 --> 00:27:08,810 But given n, I can't necessarily find p and q, right? 597 00:27:08,810 --> 00:27:10,760 If they're small, sure, I just check. 598 00:27:10,760 --> 00:27:14,150 And there's all sorts of algorithms to find factors. 599 00:27:14,150 --> 00:27:18,020 But if p and q are pretty big, like hundreds of bits long 600 00:27:18,020 --> 00:27:20,690 or thousands of bits long, finding n 601 00:27:20,690 --> 00:27:24,380 may be impractical, whereas if p and q are really long, 602 00:27:24,380 --> 00:27:27,170 finding the product of both of them will be very practical. 603 00:27:27,170 --> 00:27:31,950 Even if huge, multiplying two integers is really easy. 
604 00:27:31,950 --> 00:27:34,880 So this is a one-way function but not a hash function. 605 00:27:34,880 --> 00:27:38,540 And so a lot of these signature systems use one-way functions, 606 00:27:38,540 --> 00:27:41,810 but trickier one-way functions that aren't hash functions, 607 00:27:41,810 --> 00:27:45,810 and still have cool things that you can do. 608 00:27:45,810 --> 00:27:49,760 So I'm not going to go into RSA in super detail. 609 00:27:49,760 --> 00:27:51,917 I'm going to run through it really quick, 610 00:27:51,917 --> 00:27:53,750 and you'll be like, huh, how does that work? 611 00:27:53,750 --> 00:27:56,230 But if you think it's interesting, you can look it up 612 00:27:56,230 --> 00:27:57,980 and then maybe you go to CSAIL and ask Ron 613 00:27:57,980 --> 00:28:00,350 how it works, although maybe try to look it up first. 614 00:28:00,350 --> 00:28:02,100 He's probably explained it a lot of times. 615 00:28:04,880 --> 00:28:06,600 But it has different properties. 616 00:28:06,600 --> 00:28:09,050 So you could say, I'm going to use this p times 617 00:28:09,050 --> 00:28:12,440 q equals n as a hash function and make a Lamport signature 618 00:28:12,440 --> 00:28:16,850 out of it where my private key is a whole bunch of p and q 619 00:28:16,850 --> 00:28:20,000 pairs, and my public key is a whole bunch of n's, and I 620 00:28:20,000 --> 00:28:21,590 reveal them and stuff. 621 00:28:21,590 --> 00:28:22,460 You could do that. 622 00:28:22,460 --> 00:28:24,350 That would work. 623 00:28:24,350 --> 00:28:26,240 But you can do much more powerful things 624 00:28:26,240 --> 00:28:29,360 because of the mathematical properties of these things. 625 00:28:29,360 --> 00:28:32,590 So yeah, I'm just going to go through it really fast. 626 00:28:32,590 --> 00:28:35,480 But if you know anything, this is kind of cool. 627 00:28:35,480 --> 00:28:40,730 The idea is you can do a bunch of multiplication 628 00:28:40,730 --> 00:28:43,580 and exponential modulo n. 
629 00:28:43,580 --> 00:28:47,810 And so because n is almost prime, 630 00:28:47,810 --> 00:28:49,640 there's some interesting properties, 631 00:28:49,640 --> 00:28:53,180 where if you know the factors of n, 632 00:28:53,180 --> 00:28:54,965 you have these shortcuts you can do. 633 00:28:54,965 --> 00:28:56,840 And someone who doesn't know the factors of n 634 00:28:56,840 --> 00:28:58,290 can't do these shortcuts. 635 00:28:58,290 --> 00:29:02,090 So you publish e, which is a constant-- this is sort 636 00:29:02,090 --> 00:29:04,490 of a parameter system. 637 00:29:04,490 --> 00:29:06,560 So RSA is used today all over the place. 638 00:29:06,560 --> 00:29:08,780 If your computer is open and you've 639 00:29:08,780 --> 00:29:10,670 been using the web in the last five seconds, 640 00:29:10,670 --> 00:29:14,030 your computer has performed RSA calculations. 641 00:29:14,030 --> 00:29:18,380 Every time you connect to a website, you're doing RSA. 642 00:29:18,380 --> 00:29:21,202 So generally, it's 65537. 643 00:29:21,202 --> 00:29:22,160 They just make this up. 644 00:29:22,160 --> 00:29:25,800 You could also use three-- some small number. 645 00:29:25,800 --> 00:29:28,670 And then d is a number that you can compute 646 00:29:28,670 --> 00:29:30,530 if you know what p and q are. 647 00:29:30,530 --> 00:29:34,040 So this is sort of the private key, right? 648 00:29:34,040 --> 00:29:36,740 p and q itself can be seen as the private key. 649 00:29:36,740 --> 00:29:39,080 But you can actually compute this d number 650 00:29:39,080 --> 00:29:43,100 and then discard p and q. 651 00:29:43,100 --> 00:29:45,320 And so this is how you compute d or whatever. 652 00:29:45,320 --> 00:29:49,490 But the idea is n is your public key, and d is your private key. 653 00:29:49,490 --> 00:29:52,430 e is always the same, and p and q, you can discard afterwards. 
654 00:29:52,430 --> 00:29:53,740 And then what you can do-- 655 00:29:53,740 --> 00:29:58,020 and not going to get into it-- but you can say, OK, 656 00:29:58,020 --> 00:30:00,590 my signature s is message, right-- 657 00:30:00,590 --> 00:30:03,065 I can take the hash and make a message m-- 658 00:30:03,065 --> 00:30:06,830 message to the d power modulo n. 659 00:30:06,830 --> 00:30:10,940 And if I verify, if I take that signature to the e power modulo 660 00:30:10,940 --> 00:30:13,040 n, it should equal m again, which 661 00:30:13,040 --> 00:30:16,760 is crazy and kind of awesome. 662 00:30:16,760 --> 00:30:18,530 Because the idea is to sign, OK, I 663 00:30:18,530 --> 00:30:20,660 just raised to the d power mod n. 664 00:30:20,660 --> 00:30:24,620 It's going to be some number on the same size as n, right? 665 00:30:24,620 --> 00:30:27,230 And then I give that to someone. 666 00:30:27,230 --> 00:30:32,750 They take that signature to the 65537 power modulo 667 00:30:32,750 --> 00:30:35,480 m again and see if m-- 668 00:30:35,480 --> 00:30:36,800 the message-- comes back out. 669 00:30:36,800 --> 00:30:39,260 And if it does, they know I signed, 670 00:30:39,260 --> 00:30:43,580 and I have the private key that corresponds to n. 671 00:30:43,580 --> 00:30:47,240 Now, the cool thing is I can use this any number of times. 672 00:30:47,240 --> 00:30:50,630 I can use the same thing a bazillion times 673 00:30:50,630 --> 00:30:54,890 with different m's, and that doesn't give any help 674 00:30:54,890 --> 00:30:58,520 on how to factor n or how to compute d. 675 00:30:58,520 --> 00:31:04,320 So this was late 70s, also, RSA, and one of the first, 676 00:31:04,320 --> 00:31:07,430 hey, we can do better than hash functions. 677 00:31:07,430 --> 00:31:11,060 It was developed at around the same time 678 00:31:11,060 --> 00:31:12,800 as hash-based signatures. 679 00:31:12,800 --> 00:31:15,830 All of these things were sort of coming out at the same time. 
680 00:31:15,830 --> 00:31:18,650 You can do lots of cool stuff because there's 681 00:31:18,650 --> 00:31:25,100 these properties where we can make m prime plus m 682 00:31:25,100 --> 00:31:29,070 and take the exponentiation of all that, and it still works. 683 00:31:29,070 --> 00:31:29,570 OK. 684 00:31:29,570 --> 00:31:30,487 So that's really cool. 685 00:31:30,487 --> 00:31:32,360 You can do lots of cool stuff. 686 00:31:32,360 --> 00:31:36,440 But this is also not used in Bitcoin. 687 00:31:36,440 --> 00:31:37,940 One of the things is the size. 688 00:31:37,940 --> 00:31:42,800 So key sizes are smaller than with Lamport signatures. 689 00:31:42,800 --> 00:31:48,277 And they're often about 2 kilobits, or 256 bytes, 690 00:31:48,277 --> 00:31:48,860 which is fine. 691 00:31:48,860 --> 00:31:51,900 And that's the same size as signatures. 692 00:31:51,900 --> 00:31:53,435 So if you use your web browser-- 693 00:31:56,200 --> 00:31:59,720 secure-- well, how secure? 694 00:31:59,720 --> 00:32:00,950 Certificate, valid. 695 00:32:00,950 --> 00:32:03,700 Oh, this browser might not show me. 696 00:32:03,700 --> 00:32:05,263 OK, never mind. 697 00:32:05,263 --> 00:32:06,680 AUDIENCE: In Firefox, it'll do it. 698 00:32:06,680 --> 00:32:08,970 TADGE DRYJA: In Firefox, it tells you more. 699 00:32:08,970 --> 00:32:09,470 OK. 700 00:32:09,470 --> 00:32:11,030 Well, anyway, anyway, anyway. 701 00:32:11,030 --> 00:32:16,250 But yeah, there's RSA keys in, basically, every certificate 702 00:32:16,250 --> 00:32:18,020 for web browsers and websites. 703 00:32:18,020 --> 00:32:21,060 And they're generally 2,048 bits long. 704 00:32:21,060 --> 00:32:23,840 That's seen as pretty secure. 705 00:32:23,840 --> 00:32:27,500 Even 1,024 bits has not been hacked. 706 00:32:27,500 --> 00:32:29,000 But people think it probably could 707 00:32:29,000 --> 00:32:31,720 be by a very motivated actor. 708 00:32:31,720 --> 00:32:34,550 So this is decent size. 
709 00:32:34,550 --> 00:32:37,133 One thing about RSA is that it's a little tricky to implement, 710 00:32:37,133 --> 00:32:37,633 right? 711 00:32:37,633 --> 00:32:39,440 There's a whole bunch of weird math there. 712 00:32:39,440 --> 00:32:41,540 It's not like the Lamport signatures, 713 00:32:41,540 --> 00:32:44,410 where it's like, OK, I have a hash function, use it, right? 714 00:32:44,410 --> 00:32:45,920 It's kind of hard to shoot yourself 715 00:32:45,920 --> 00:32:49,070 in the foot with the Lamport signature scheme. 716 00:32:49,070 --> 00:32:50,960 You can, right, but it's sort of obvious 717 00:32:50,960 --> 00:32:52,280 if you do, so if you're doing the homework 718 00:32:52,280 --> 00:32:54,322 and it just doesn't work at all, and you're like, 719 00:32:54,322 --> 00:32:57,680 oh, I was hashing twice, or, oh, I was reversing the order, 720 00:32:57,680 --> 00:33:02,300 or it just didn't work. 721 00:33:02,300 --> 00:33:05,150 But there's no subtle ways where, oh, I was off by one, 722 00:33:05,150 --> 00:33:07,190 and now it reveals all my private keys. 723 00:33:07,190 --> 00:33:11,270 That's hard to do, whereas in RSA, it's actually quite easy. 724 00:33:11,270 --> 00:33:14,090 If your p and q values, for example-- 725 00:33:14,090 --> 00:33:16,520 what's a really crazy gotcha-- 726 00:33:16,520 --> 00:33:21,410 if p or q minus 1-- so if p minus 1 or q minus 1-- 727 00:33:21,410 --> 00:33:24,320 is smooth-- essentially, a number that's highly composite 728 00:33:24,320 --> 00:33:26,330 has many small factors-- 729 00:33:26,330 --> 00:33:28,460 you can find someone's private key. 730 00:33:28,460 --> 00:33:29,590 You can factor it. 731 00:33:29,590 --> 00:33:31,850 So it's not just that p and q have to be prime. 732 00:33:31,850 --> 00:33:37,700 p minus 1 and q minus 1 have to be not too unprime. 733 00:33:37,700 --> 00:33:39,878 It can't be a power of two or something. 734 00:33:39,878 --> 00:33:41,420 Otherwise, you can lose your privacy. 
735 00:33:41,420 --> 00:33:46,700 So there's all sorts of crazy things that happen with RSA. 736 00:33:46,700 --> 00:33:49,640 Bitcoin and other coins use elliptic curve signatures, 737 00:33:49,640 --> 00:33:55,760 which I'll talk about next, that are sort of displacing RSA, 738 00:33:55,760 --> 00:33:56,700 in many cases. 739 00:33:56,700 --> 00:34:04,370 So it hasn't really taken off for web certificates 740 00:34:04,370 --> 00:34:07,220 but a lot of other types of encryption, signing, things 741 00:34:07,220 --> 00:34:07,760 like that. 742 00:34:07,760 --> 00:34:11,150 Cryptocurrencies are also one of the big uses of elliptic curve 743 00:34:11,150 --> 00:34:13,730 signatures because they're somewhat more 744 00:34:13,730 --> 00:34:16,670 powerful and somewhat smaller and really cool. 745 00:34:16,670 --> 00:34:20,090 And we will talk about those in three minutes. 746 00:34:20,090 --> 00:34:22,699 So intermission, three minutes. 747 00:34:22,699 --> 00:34:24,650 Stretch. 748 00:34:24,650 --> 00:34:25,949 Ask random questions. 749 00:34:25,949 --> 00:34:27,540 Talk to the neighbors. 750 00:34:27,540 --> 00:34:28,040 OK. 751 00:34:28,040 --> 00:34:32,659 So they're using these elliptic curves, 752 00:34:32,659 --> 00:34:34,790 which are curves of the form y squared 753 00:34:34,790 --> 00:34:38,150 plus x cubed plus some coefficient x squared 754 00:34:38,150 --> 00:34:41,239 plus some constant. 755 00:34:41,239 --> 00:34:43,670 And in the case of Bitcoin, it's very simple. 756 00:34:43,670 --> 00:34:46,960 It's y squared equals x cubed plus 7. 757 00:34:46,960 --> 00:34:49,340 And that's the curve Bitcoin uses. 758 00:34:49,340 --> 00:34:52,300 And this is what it looks like if you plot it. 759 00:34:52,300 --> 00:34:54,920 And that seems really simple. 760 00:34:54,920 --> 00:34:56,239 We can totally understand that. 761 00:34:56,239 --> 00:34:58,220 But it gets a little weird. 
762 00:34:58,220 --> 00:35:02,330 With elliptic curves, you have these points on the curves, 763 00:35:02,330 --> 00:35:02,870 right? 764 00:35:02,870 --> 00:35:06,530 And another property is if you draw a straight line that 765 00:35:06,530 --> 00:35:08,463 intersects this curve-- 766 00:35:08,463 --> 00:35:10,130 you could also draw a line which doesn't 767 00:35:10,130 --> 00:35:11,218 intersect at all, fine-- 768 00:35:11,218 --> 00:35:13,260 but if you draw a line that intersects the curve, 769 00:35:13,260 --> 00:35:16,575 it will intersect in three places. 770 00:35:16,575 --> 00:35:18,950 So if I draw a line here, it intersects these three dots. 771 00:35:18,950 --> 00:35:21,560 If I draw a line here, it intersects here, here, 772 00:35:21,560 --> 00:35:23,520 and then it'll intersect somewhere down here. 773 00:35:23,520 --> 00:35:26,690 It'll intersect in three places unless I take a tangent. 774 00:35:26,690 --> 00:35:28,430 If I draw, and I try to be like, oh, I'm 775 00:35:28,430 --> 00:35:30,230 going only intersect in two, well, I 776 00:35:30,230 --> 00:35:32,480 can take a tangent here, and it'll 777 00:35:32,480 --> 00:35:34,160 intersect in one more place. 778 00:35:34,160 --> 00:35:36,430 What we can do, though, is we can say, well, 779 00:35:36,430 --> 00:35:38,180 if you intersect at a tangent, that's kind 780 00:35:38,180 --> 00:35:40,893 of like intersecting twice. 781 00:35:40,893 --> 00:35:41,810 We can deal with that. 782 00:35:41,810 --> 00:35:43,637 AUDIENCE: What if you draw a vertical line? 783 00:35:43,637 --> 00:35:45,970 TADGE DRYJA: If you draw a vertical-- oh, yeah, vertical 784 00:35:45,970 --> 00:35:47,710 line, then there's a point at infinity, 785 00:35:47,710 --> 00:35:49,498 which shouldn't happen. 786 00:35:49,498 --> 00:35:51,070 AUDIENCE: But infinity is included-- 787 00:35:51,070 --> 00:35:51,385 TADGE DRYJA: Yeah. 788 00:35:51,385 --> 00:35:53,380 AUDIENCE: --in the set of points on the curve? 
789 00:35:53,380 --> 00:35:55,130 So it's like there's three points, anyway. 790 00:35:55,130 --> 00:35:56,290 TADGE DRYJA: Yeah. 791 00:35:56,290 --> 00:35:57,950 There's a point up there-- 792 00:35:57,950 --> 00:35:58,450 sort of. 793 00:36:01,150 --> 00:36:02,920 In the practice of signing and stuff, 794 00:36:02,920 --> 00:36:05,910 you probably shouldn't hit it. 795 00:36:05,910 --> 00:36:08,290 Yeah. 796 00:36:08,290 --> 00:36:12,310 But so what we do is we say, OK, well, three points in a line 797 00:36:12,310 --> 00:36:14,630 equals zero. 798 00:36:14,630 --> 00:36:18,590 And so if we take this point plus this point 799 00:36:18,590 --> 00:36:20,570 plus this point, that's zero. 800 00:36:20,570 --> 00:36:25,550 Another way to say that is P plus Q minus R equals 0, 801 00:36:25,550 --> 00:36:30,500 or P plus Q equals negative R. And another property is 802 00:36:30,500 --> 00:36:34,790 the negation of a point is just that same point 803 00:36:34,790 --> 00:36:37,160 with the y-coordinate flipped. 804 00:36:37,160 --> 00:36:40,160 So if this is negative R, we just 805 00:36:40,160 --> 00:36:42,380 go down to the bottom side of this, 806 00:36:42,380 --> 00:36:44,857 and this is positive R. Similarly, minus P 807 00:36:44,857 --> 00:36:45,440 would be here. 808 00:36:45,440 --> 00:36:47,000 Minus Q would be here. 809 00:36:47,000 --> 00:36:51,830 And if you had a point Z here, negative Z would be up here. 810 00:36:51,830 --> 00:36:53,570 This is how it's constructed. 811 00:36:53,570 --> 00:36:58,460 However, we don't actually use these nice curves. 812 00:36:58,460 --> 00:37:00,778 We chop them up in modulo something. 813 00:37:00,778 --> 00:37:01,278 Yeah? 814 00:37:01,278 --> 00:37:03,680 AUDIENCE: You have P plus Q equals negative R. Should it 815 00:37:03,680 --> 00:37:04,509 be positive R? 816 00:37:08,050 --> 00:37:10,420 TADGE DRYJA: No. 817 00:37:10,420 --> 00:37:11,590 In this case, R is up here. 818 00:37:11,590 --> 00:37:13,360 Right. 
819 00:37:13,360 --> 00:37:14,920 In this case-- 820 00:37:14,920 --> 00:37:17,470 P. Wait, hold on. 821 00:37:17,470 --> 00:37:18,352 [INTERPOSING VOICES] 822 00:37:18,352 --> 00:37:19,310 TADGE DRYJA: Oh, shoot. 823 00:37:19,310 --> 00:37:19,810 Sorry. 824 00:37:19,810 --> 00:37:21,790 P plus Q equals R. Right. 825 00:37:21,790 --> 00:37:23,840 Sorry. 826 00:37:23,840 --> 00:37:24,340 OK. 827 00:37:24,340 --> 00:37:25,140 Never mind. 828 00:37:25,140 --> 00:37:26,180 Yeah. 829 00:37:26,180 --> 00:37:29,490 The picture is correct. 830 00:37:29,490 --> 00:37:35,002 But so basically, P plus Q equals R 831 00:37:35,002 --> 00:37:35,960 because R is down here. 832 00:37:35,960 --> 00:37:36,460 Sorry. 833 00:37:36,460 --> 00:37:37,600 Yeah, that's why. 834 00:37:37,600 --> 00:37:38,120 OK. 835 00:37:38,120 --> 00:37:40,550 This is R. This is negative R. So yeah, 836 00:37:40,550 --> 00:37:47,720 P plus Q equals R, not negative R. Sorry. 837 00:37:47,720 --> 00:37:50,750 When you want to multiply a point, you can. 838 00:37:50,750 --> 00:37:52,712 Because you can take a tangent, right? 839 00:37:52,712 --> 00:37:54,170 So you can add these points, right? 840 00:37:54,170 --> 00:37:57,050 You can say, OK, I want the sum of P and Q, 841 00:37:57,050 --> 00:37:58,500 which will be down here-- 842 00:37:58,500 --> 00:38:03,320 R. I want 2P, for example. 843 00:38:03,320 --> 00:38:05,870 Well, with 2P, I can take a tangent 844 00:38:05,870 --> 00:38:07,460 and then find where it intersects 845 00:38:07,460 --> 00:38:09,450 and then go down below the curve. 846 00:38:09,450 --> 00:38:13,100 So for example, if this is G, I say OK, well, G 847 00:38:13,100 --> 00:38:16,400 starts here, take the tangent, find where it intersects 848 00:38:16,400 --> 00:38:17,840 and then drop down. 849 00:38:17,840 --> 00:38:19,850 And this is 2G. 850 00:38:19,850 --> 00:38:22,865 So it's a simple way to say, well, 851 00:38:22,865 --> 00:38:23,990 I'm not really multiplying. 
852 00:38:23,990 --> 00:38:25,760 I'm just adding it to itself, which is 853 00:38:25,760 --> 00:38:27,613 sort of what multiplication is. 854 00:38:27,613 --> 00:38:29,030 And I can do this again and again. 855 00:38:29,030 --> 00:38:30,620 So I say, oh, I want 4G. 856 00:38:30,620 --> 00:38:33,700 I take the tangent at 2G, find the intersection here, 857 00:38:33,700 --> 00:38:34,370 drop down. 858 00:38:34,370 --> 00:38:34,870 OK. 859 00:38:34,870 --> 00:38:35,840 Here's 4G. 860 00:38:35,840 --> 00:38:38,030 Take the tangent here, it'll go-- 861 00:38:38,030 --> 00:38:41,630 I can keep doing that and get 2G, 4G, 8G. 862 00:38:41,630 --> 00:38:46,460 And if I want intermediate things, like, well, I want 3G, 863 00:38:46,460 --> 00:38:51,670 well, I draw a line between G and 2G, find the intersection, 864 00:38:51,670 --> 00:38:53,150 and find the sum. 865 00:38:53,150 --> 00:38:53,990 So yeah? 866 00:38:53,990 --> 00:38:54,490 Yes? 867 00:38:54,490 --> 00:38:57,370 AUDIENCE: When you find the intersection of that 868 00:38:57,370 --> 00:38:59,703 [INAUDIBLE] the intersection of the modulo of something, 869 00:38:59,703 --> 00:39:00,240 does it just-- 870 00:39:00,240 --> 00:39:01,240 TADGE DRYJA: Yeah, yeah. 871 00:39:01,240 --> 00:39:05,162 So the pictures look nice, in this case, right? 872 00:39:05,162 --> 00:39:06,620 It's like, hey, there's this curve. 873 00:39:06,620 --> 00:39:08,490 And it looks so simple. 874 00:39:08,490 --> 00:39:10,970 And we can graphically do it on graph paper. 875 00:39:10,970 --> 00:39:13,280 But when you're actually doing it on the computer, 876 00:39:13,280 --> 00:39:14,960 it looks more like this. 877 00:39:14,960 --> 00:39:18,890 Everything is modulo some giant prime number. 878 00:39:18,890 --> 00:39:20,300 You could still draw lines. 879 00:39:20,300 --> 00:39:24,560 It's just that the curve is now all these crazy-looking dots. 880 00:39:24,560 --> 00:39:28,850 And you still have that symmetry from the y-axis. 
881 00:39:28,850 --> 00:39:32,060 But the way the computer does it is all modulo a number. 882 00:39:32,060 --> 00:39:37,770 So it doesn't actually map to a nice curve. 883 00:39:37,770 --> 00:39:40,370 So the fun thing about when you're doing modulo 884 00:39:40,370 --> 00:39:43,892 is all the properties stay the same, right? 885 00:39:43,892 --> 00:39:45,350 With regular numbers, you can still 886 00:39:45,350 --> 00:39:47,660 do addition, multiplication, division 887 00:39:47,660 --> 00:39:51,500 all modulo some number, and it still all works, right? 888 00:39:51,500 --> 00:39:53,600 So same with this. 889 00:39:53,600 --> 00:39:57,800 You still have the same draw a line between P and Q, 890 00:39:57,800 --> 00:39:59,780 and you get to here. 891 00:39:59,780 --> 00:40:05,240 And then you flip over the y-axis, and now this is R. 892 00:40:05,240 --> 00:40:07,670 Similarly, you can take a tangent-- 893 00:40:07,670 --> 00:40:10,610 although a tangent is harder to visually see because there's 894 00:40:10,610 --> 00:40:12,950 no obvious curve here-- 895 00:40:12,950 --> 00:40:15,100 but the equations work the same. 896 00:40:15,100 --> 00:40:15,600 OK. 897 00:40:15,600 --> 00:40:20,860 So you don't need to know exactly why these things work 898 00:40:20,860 --> 00:40:21,360 or curves. 899 00:40:21,360 --> 00:40:24,540 But we're going to go through what you can do with these 900 00:40:24,540 --> 00:40:25,820 and what properties you have. 901 00:40:25,820 --> 00:40:26,320 OK. 902 00:40:26,320 --> 00:40:30,480 So we've defined these points on a curve 903 00:40:30,480 --> 00:40:31,860 and how this curve works. 904 00:40:31,860 --> 00:40:35,520 And then we also have regular old numbers, right? 905 00:40:35,520 --> 00:40:39,520 So what we'll do from now on is say, like a and b, 906 00:40:39,520 --> 00:40:41,760 our lowercase numbers, these are scalars. 907 00:40:41,760 --> 00:40:44,880 Scalars just means regular old numbers. 
908 00:40:44,880 --> 00:40:49,310 The uppercase A and B will refer to points on the curve, OK? 909 00:40:49,310 --> 00:40:52,080 So from now on, lowercase is regular number, 910 00:40:52,080 --> 00:40:54,150 uppercase is point on this curve, 911 00:40:54,150 --> 00:40:58,678 or point on this mashed-up thing that we still call a curve. 912 00:40:58,678 --> 00:40:59,510 OK. 913 00:40:59,510 --> 00:41:01,700 So I'll go through what operations we can do, 914 00:41:01,700 --> 00:41:05,090 and then we can see what use those have. 915 00:41:05,090 --> 00:41:07,190 So first, scalars. 916 00:41:07,190 --> 00:41:08,990 You can add, subtract, multiply, divide. 917 00:41:08,990 --> 00:41:10,490 You can do whatever you want, right? 918 00:41:10,490 --> 00:41:14,860 These are just regular numbers, like five or 17 or 22. 919 00:41:14,860 --> 00:41:17,090 Everything's OK, right? 920 00:41:17,090 --> 00:41:17,780 Easy. 921 00:41:17,780 --> 00:41:18,947 Everything here is integers. 922 00:41:18,947 --> 00:41:21,530 We're doing modulo some big prime number, 923 00:41:21,530 --> 00:41:24,598 so there's no decimal points. 924 00:41:24,598 --> 00:41:26,390 I think in this class, we'll probably never 925 00:41:26,390 --> 00:41:28,700 have to use floating point, which is great, 926 00:41:28,700 --> 00:41:32,360 because floating point always scares me. 927 00:41:32,360 --> 00:41:33,710 It's also uint. 928 00:41:33,710 --> 00:41:35,177 These are like unsigned integers. 929 00:41:35,177 --> 00:41:36,260 You can do it with signed. 930 00:41:36,260 --> 00:41:39,470 But since you're modulo some big number, 931 00:41:39,470 --> 00:41:42,380 it's like unsigned numbers that loop around. 932 00:41:42,380 --> 00:41:43,910 So it's really nice for computers. 933 00:41:43,910 --> 00:41:45,410 Computers deal very well with these things. 934 00:41:45,410 --> 00:41:47,030 Computers are good at floating point, as well. 
935 00:41:47,030 --> 00:41:48,680 But the thing is, in cryptography, 936 00:41:48,680 --> 00:41:51,520 a lot of times floating point ends up with error, right, 937 00:41:51,520 --> 00:41:54,950 where you're pretty close, but you've 938 00:41:54,950 --> 00:41:58,670 got some fixed amount of decimal places you can store. 939 00:41:58,670 --> 00:42:01,010 Your floating point goes out to some precision. 940 00:42:01,010 --> 00:42:02,480 And then error can accumulate. 941 00:42:02,480 --> 00:42:06,470 And in a lot of cryptography, you want zero error, right? 942 00:42:06,470 --> 00:42:09,500 Like in a hash function, it's pretty exact. 943 00:42:09,500 --> 00:42:12,140 So a lot of times, the cryptography, 944 00:42:12,140 --> 00:42:14,960 you use integers instead of floating point or rational 945 00:42:14,960 --> 00:42:16,110 numbers. 946 00:42:16,110 --> 00:42:16,610 OK. 947 00:42:16,610 --> 00:42:20,600 So with scalars, these are just regular integers, 948 00:42:20,600 --> 00:42:22,520 natural numbers even. 949 00:42:22,520 --> 00:42:23,480 You can do these. 950 00:42:23,480 --> 00:42:25,940 All the operations, you're familiar with. 951 00:42:25,940 --> 00:42:28,070 That's fairly straightforward. 952 00:42:28,070 --> 00:42:29,300 With points. 953 00:42:29,300 --> 00:42:32,960 So you can add and subtract the points, right? 954 00:42:32,960 --> 00:42:36,020 We showed how you do that visually. 955 00:42:36,020 --> 00:42:38,030 And then the equations for it, the computer 956 00:42:38,030 --> 00:42:39,810 can do that pretty quick. 957 00:42:39,810 --> 00:42:41,630 However, this is not defined. 958 00:42:41,630 --> 00:42:46,320 Multiplication and division with two points is undefined. 959 00:42:46,320 --> 00:42:49,042 It's just not clear how you do it. 960 00:42:49,042 --> 00:42:50,750 It's not something in this system, right? 961 00:42:50,750 --> 00:42:51,400 It's a group. 962 00:42:51,400 --> 00:42:53,210 You've got one operation. 
963 00:42:53,210 --> 00:42:55,052 You don't have this other one. 964 00:42:55,052 --> 00:42:56,510 So you can add and subtract points, 965 00:42:56,510 --> 00:42:58,430 but you can't multiply them. 966 00:42:58,430 --> 00:42:59,820 Any questions about this? 967 00:42:59,820 --> 00:43:03,010 This is pretty important. 968 00:43:03,010 --> 00:43:03,990 Make sense? 969 00:43:03,990 --> 00:43:04,490 Yes? 970 00:43:04,490 --> 00:43:08,100 AUDIENCE: In the previous case, when you were adding points, 971 00:43:08,100 --> 00:43:09,380 what is defined as addition? 972 00:43:09,380 --> 00:43:12,630 Are you adding only the y components? 973 00:43:12,630 --> 00:43:14,840 TADGE DRYJA: You use both the x and y-coordinates 974 00:43:14,840 --> 00:43:15,720 to add, right? 975 00:43:18,093 --> 00:43:19,760 So when you're doing it in the computer, 976 00:43:19,760 --> 00:43:21,135 you're saying, OK, well, what are 977 00:43:21,135 --> 00:43:22,665 the x- and y-coordinates of P? 978 00:43:22,665 --> 00:43:24,290 What are the x- and y-coordinates of Q? 979 00:43:27,980 --> 00:43:31,440 Find the slope here and where it intersects the axis. 980 00:43:31,440 --> 00:43:33,560 And then see where it'll intersect the curve 981 00:43:33,560 --> 00:43:34,615 at another point. 982 00:43:34,615 --> 00:43:38,290 AUDIENCE: Addition is literally defined as compute that point. 983 00:43:38,290 --> 00:43:41,400 It is not a function of adding the x- and y-coordinates. 984 00:43:41,400 --> 00:43:42,230 AUDIENCE: Gotcha. 985 00:43:42,230 --> 00:43:42,980 TADGE DRYJA: Yeah. 986 00:43:42,980 --> 00:43:45,380 Well, I mean-- yeah. 987 00:43:45,380 --> 00:43:47,900 But the equation would be-- 988 00:43:47,900 --> 00:43:50,150 since the computer doesn't actually look at the curve, 989 00:43:50,150 --> 00:43:51,140 you just say, OK. 990 00:43:51,140 --> 00:43:52,700 Find the Px- and y-coordinate. 991 00:43:52,700 --> 00:43:54,200 Find the Qx- and y-coordinate. 
992 00:43:54,200 --> 00:43:57,410 Find the slope, and then find where it intersects, 993 00:43:57,410 --> 00:44:03,800 and then compute for that for R. 994 00:44:03,800 --> 00:44:04,300 OK. 995 00:44:04,300 --> 00:44:05,770 So yeah. 996 00:44:05,770 --> 00:44:06,970 You can add and subtract. 997 00:44:06,970 --> 00:44:09,760 You cannot multiply and divide these points. 998 00:44:09,760 --> 00:44:10,420 Sounds good? 999 00:44:10,420 --> 00:44:11,670 Any other questions? 1000 00:44:11,670 --> 00:44:12,325 Yes? 1001 00:44:12,325 --> 00:44:13,700 AUDIENCE: How would you subtract? 1002 00:44:13,700 --> 00:44:14,990 TADGE DRYJA: Ah. 1003 00:44:14,990 --> 00:44:18,920 You just go down, right? 1004 00:44:18,920 --> 00:44:22,880 So if I want P minus Q, I should say P plus negative Q. 1005 00:44:22,880 --> 00:44:26,030 And negative Q is just right here, right down on the axis. 1006 00:44:26,030 --> 00:44:27,980 So I say, OK, I want P minus Q. I go here. 1007 00:44:27,980 --> 00:44:28,730 Find it. 1008 00:44:28,730 --> 00:44:31,920 It's going to be up there somewhere. 1009 00:44:31,920 --> 00:44:32,420 So yeah. 1010 00:44:32,420 --> 00:44:37,050 You just add the negative of the number. 1011 00:44:37,050 --> 00:44:40,470 I guess that's another thing. 1012 00:44:40,470 --> 00:44:43,320 Minus B-- negative B-- is also an operation I can do. 1013 00:44:43,320 --> 00:44:47,608 I can negate something, which lets me do subtraction. 1014 00:44:47,608 --> 00:44:49,650 AUDIENCE: For those of you with math backgrounds, 1015 00:44:49,650 --> 00:44:51,530 this is defining a group operation 1016 00:44:51,530 --> 00:44:54,337 on the field of natural numbers, modulo-- 1017 00:44:54,337 --> 00:44:55,670 TADGE DRYJA: Which is a big one. 1018 00:44:55,670 --> 00:44:56,950 AUDIENCE: --and using this elliptic curve. 1019 00:44:56,950 --> 00:44:59,340 So this is A. And the only thing that's defined 1020 00:44:59,340 --> 00:45:01,640 is addition and subtraction and not multiplication. 
1021 00:45:01,640 --> 00:45:03,090 TADGE DRYJA: Right. 1022 00:45:03,090 --> 00:45:04,920 You can do the same group operations 1023 00:45:04,920 --> 00:45:06,420 without using elliptic curves. 1024 00:45:06,420 --> 00:45:08,910 And so you can just do exponential modulo 1025 00:45:08,910 --> 00:45:10,440 big prime number. 1026 00:45:10,440 --> 00:45:11,940 I'm going to use curves because it's 1027 00:45:11,940 --> 00:45:15,600 what is used in all the actual systems. 1028 00:45:15,600 --> 00:45:19,380 But you can sort of forget about the curve after this, right? 1029 00:45:19,380 --> 00:45:25,140 You can say, well, look, we just have these uppercase variables 1030 00:45:25,140 --> 00:45:26,460 and these lowercase variables. 1031 00:45:26,460 --> 00:45:29,070 And the fact that it's on a curve, we can sort of abstract 1032 00:45:29,070 --> 00:45:31,650 away and just know that we have these different types, 1033 00:45:31,650 --> 00:45:32,460 essentially. 1034 00:45:32,460 --> 00:45:34,110 And when you're in the computer, you're just like, 1035 00:45:34,110 --> 00:45:35,100 yeah, that's a point. 1036 00:45:35,100 --> 00:45:35,970 That's a scalar. 1037 00:45:35,970 --> 00:45:37,670 Here are the operations I can do, 1038 00:45:37,670 --> 00:45:39,820 and I just run the functions. 1039 00:45:39,820 --> 00:45:40,320 OK. 1040 00:45:40,320 --> 00:45:46,080 So the next part, when you mix scalars and points, 1041 00:45:46,080 --> 00:45:48,000 so mixed operations. 1042 00:45:48,000 --> 00:45:54,480 You cannot add a point and an integer or subtract a point 1043 00:45:54,480 --> 00:45:55,380 and an integer. 1044 00:45:55,380 --> 00:45:56,490 That's not defined, right? 1045 00:45:56,490 --> 00:46:00,300 You say, OK, here's this point p minus 7. 1046 00:46:00,300 --> 00:46:02,130 Well, does that mean move the x-axis? 1047 00:46:02,130 --> 00:46:03,840 Does that mean move the y? 1048 00:46:03,840 --> 00:46:05,320 It's not defined. 
1049 00:46:05,320 --> 00:46:07,410 However, you can do this, right? 1050 00:46:07,410 --> 00:46:10,020 You can multiply and divide. 1051 00:46:10,020 --> 00:46:13,530 So you can say, well, A times 2, well, 1052 00:46:13,530 --> 00:46:14,700 you take the tangent, right? 1053 00:46:14,700 --> 00:46:19,080 It's just A plus A. Or A times 7, is we just break it down as 1054 00:46:19,080 --> 00:46:21,720 A plus A plus A plus A 17 times. 1055 00:46:21,720 --> 00:46:23,580 We can also divide, which is a little weird 1056 00:46:23,580 --> 00:46:27,600 because we have to find the inverse of B 1057 00:46:27,600 --> 00:46:29,640 and then multiply by that-- 1058 00:46:29,640 --> 00:46:33,825 the multiplicative inverse of B modulo the order. 1059 00:46:33,825 --> 00:46:35,958 But anyway, you can do these. 1060 00:46:35,958 --> 00:46:37,500 This is a little trickier because you 1061 00:46:37,500 --> 00:46:39,810 have to compute what, like, B to the negative 1 is 1062 00:46:39,810 --> 00:46:40,920 and multiply by that. 1063 00:46:40,920 --> 00:46:41,760 You can do it. 1064 00:46:41,760 --> 00:46:45,468 So you can do these things where you have points times scalars. 1065 00:46:45,468 --> 00:46:46,260 But you cannot add. 1066 00:46:46,260 --> 00:46:46,440 Yeah? 1067 00:46:46,440 --> 00:46:48,110 AUDIENCE: So 2A is basically joining 1068 00:46:48,110 --> 00:46:50,480 the tangent to A, [INAUDIBLE] beginning. 1069 00:46:50,480 --> 00:46:51,300 TADGE DRYJA: Yep. 1070 00:46:51,300 --> 00:46:54,060 So that was here. 1071 00:46:54,060 --> 00:46:55,800 If this is G, this is 2G. 1072 00:46:55,800 --> 00:47:00,140 Find the tangent, find the intersection, and then negate. 1073 00:47:00,140 --> 00:47:00,640 OK. 1074 00:47:00,640 --> 00:47:03,260 So you can do that. 1075 00:47:03,260 --> 00:47:03,760 That's cool. 1076 00:47:03,760 --> 00:47:06,220 You cannot do that. 1077 00:47:06,220 --> 00:47:06,720 OK. 1078 00:47:06,720 --> 00:47:10,540 So roster of operations we can do. 
1079 00:47:10,540 --> 00:47:11,690 This is it. 1080 00:47:11,690 --> 00:47:13,600 And this is sort of, if you think of that, 1081 00:47:13,600 --> 00:47:15,410 you can do all these cool things. 1082 00:47:15,410 --> 00:47:17,260 It's sort of amazing, all the crazy things 1083 00:47:17,260 --> 00:47:19,690 you can do with just these operations, right? 1084 00:47:19,690 --> 00:47:22,010 With regular numbers, you can do whatever you want. 1085 00:47:22,010 --> 00:47:23,380 That's obvious. 1086 00:47:23,380 --> 00:47:26,260 And with these points, you can add and subtract them. 1087 00:47:26,260 --> 00:47:29,380 And when you mix, you can multiply and divide. 1088 00:47:29,380 --> 00:47:30,590 And that's it. 1089 00:47:30,590 --> 00:47:31,090 OK. 1090 00:47:31,090 --> 00:47:34,330 Any questions so far? 1091 00:47:34,330 --> 00:47:37,275 You don't have to worry too much about the curves and all 1092 00:47:37,275 --> 00:47:38,380 of the math and stuff. 1093 00:47:38,380 --> 00:47:41,105 But you just sort of say, OK, here's my toolbox. 1094 00:47:41,105 --> 00:47:41,980 Here's what I can do. 1095 00:47:44,950 --> 00:47:45,450 OK. 1096 00:47:45,450 --> 00:47:46,033 Any questions? 1097 00:47:46,033 --> 00:47:47,370 Good? 1098 00:47:47,370 --> 00:47:52,750 So now what we can do is we can define a one-way function 1099 00:47:52,750 --> 00:47:55,990 sort of like a hash function, sort of like multiplying 1100 00:47:55,990 --> 00:47:59,260 p times q to get n. 1101 00:47:59,260 --> 00:48:01,390 What we will need, in addition to this, 1102 00:48:01,390 --> 00:48:05,170 is everyone pick some point on the curve, and we call it G. 1103 00:48:05,170 --> 00:48:06,130 And it's random. 1104 00:48:06,130 --> 00:48:08,770 And we want it to be somewhat verifiably random. 1105 00:48:08,770 --> 00:48:12,220 We just all have to agree on a point. 1106 00:48:12,220 --> 00:48:15,760 And we'll call this the generator point. 
1107 00:48:15,760 --> 00:48:20,290 Another property is that, since it's all modulo, this number, 1108 00:48:20,290 --> 00:48:23,950 if B is too big, you'll wrap around, right, 1109 00:48:23,950 --> 00:48:26,380 because it's all modulo, this n. 1110 00:48:26,380 --> 00:48:28,690 So it's called a generator point because-- 1111 00:48:28,690 --> 00:48:30,550 and every point on the curve can be one-- 1112 00:48:30,550 --> 00:48:33,790 if you keep, say, 2G, 3G, 4G, 5G, 1113 00:48:33,790 --> 00:48:37,360 eventually, you'll get back to G, right? 1114 00:48:37,360 --> 00:48:40,840 It's all finite. 1115 00:48:40,840 --> 00:48:44,080 OK so does anyone have an idea, OK, 1116 00:48:44,080 --> 00:48:48,070 how would we make some cool one-way function 1117 00:48:48,070 --> 00:48:49,960 given these operations and the fact 1118 00:48:49,960 --> 00:48:53,250 that we have an agreed-upon point? 1119 00:48:53,250 --> 00:48:55,140 It's not super obvious, but it's actually 1120 00:48:55,140 --> 00:48:56,850 fairly straightforward. 1121 00:48:56,850 --> 00:48:58,302 Once you see it, you're like, oh. 1122 00:49:01,020 --> 00:49:01,530 Any ideas? 1123 00:49:01,530 --> 00:49:01,710 Yeah. 1124 00:49:01,710 --> 00:49:03,285 AUDIENCE: So you take your point G, 1125 00:49:03,285 --> 00:49:05,935 and you multiply it by some scalar, 1126 00:49:05,935 --> 00:49:09,550 and you publish where the point is [INAUDIBLE] scalars. 1127 00:49:09,550 --> 00:49:11,260 TADGE DRYJA: Yep, yep. 1128 00:49:11,260 --> 00:49:11,760 OK. 1129 00:49:11,760 --> 00:49:13,630 So your private key-- 1130 00:49:13,630 --> 00:49:15,720 let's say private key, lowercase a, 1131 00:49:15,720 --> 00:49:18,930 it's just some 256 bit random number, scalar, 1132 00:49:18,930 --> 00:49:23,490 exactly the same as 32 bytes like in a lamport signature. 1133 00:49:23,490 --> 00:49:26,340 And your public key is just a times G. 1134 00:49:26,340 --> 00:49:30,810 And your public key is now a point on a curve. 
1135 00:49:30,810 --> 00:49:32,280 We're going to call it uppercase A. 1136 00:49:32,280 --> 00:49:35,340 And you have a 32 byte x-coordinate, right-- 1137 00:49:35,340 --> 00:49:38,540 because the x dimension is 256 bits-- 1138 00:49:38,540 --> 00:49:39,930 32 byte y-coordinate. 1139 00:49:39,930 --> 00:49:41,250 So it's 64 bytes-- 1140 00:49:41,250 --> 00:49:42,150 pretty small. 1141 00:49:42,150 --> 00:49:45,420 Anyone have another quick optimization 1142 00:49:45,420 --> 00:49:47,520 on how you could reduce this? 1143 00:49:47,520 --> 00:49:50,430 So there's a lot of optimization going on 1144 00:49:50,430 --> 00:49:52,410 in all these different cryptocurrency systems. 1145 00:49:52,410 --> 00:49:53,827 Because they don't scale too well. 1146 00:49:53,827 --> 00:49:58,592 But any idea of how to get that down? 1147 00:49:58,592 --> 00:50:00,232 AUDIENCE: Can you hash it? 1148 00:50:00,232 --> 00:50:01,190 TADGE DRYJA: You could. 1149 00:50:01,190 --> 00:50:02,065 So you could hash it. 1150 00:50:02,065 --> 00:50:05,460 You'd make it into 32 bytes. 1151 00:50:05,460 --> 00:50:08,888 There's a more useful way. 1152 00:50:08,888 --> 00:50:11,430 But if you hash it, you still have to reveal it later, right? 1153 00:50:11,430 --> 00:50:14,190 So it helps, making a pubkey hash. 1154 00:50:14,190 --> 00:50:16,640 And that's what Bitcoin did initially 1155 00:50:16,640 --> 00:50:19,980 is you'd have the 64 byte public keys. 1156 00:50:19,980 --> 00:50:22,320 And then you'd send to the hash of them. 1157 00:50:22,320 --> 00:50:25,500 There's a nicer way. 1158 00:50:25,500 --> 00:50:26,470 Any ideas? 1159 00:50:26,470 --> 00:50:26,970 OK. 1160 00:50:26,970 --> 00:50:31,770 So the thing is it's symmetric, right? 1161 00:50:31,770 --> 00:50:36,630 So the curve is symmetric about the x-axis. 1162 00:50:39,490 --> 00:50:40,750 Any ideas? 1163 00:50:40,750 --> 00:50:41,380 yes. 
1164 00:50:41,380 --> 00:50:43,880 AUDIENCE: Could you just code one of the x- or y-coordinates 1165 00:50:43,880 --> 00:50:44,948 and say which side? 1166 00:50:44,948 --> 00:50:45,740 TADGE DRYJA: Right. 1167 00:50:45,740 --> 00:50:49,643 So you take the x-coordinate and encode that. 1168 00:50:49,643 --> 00:50:50,810 And then just that one bit-- 1169 00:50:50,810 --> 00:50:51,790 4-- it's on the top. 1170 00:50:51,790 --> 00:50:53,030 It's on the bottom. 1171 00:50:53,030 --> 00:50:56,210 And then let them figure out exactly where it is, right? 1172 00:50:56,210 --> 00:50:58,760 So you can encode the x-coordinate only and 1 bit 1173 00:50:58,760 --> 00:51:01,370 for y, and then you're down to 33 bytes. 1174 00:51:01,370 --> 00:51:03,830 It's a little annoying because the 33 bytes, well, 1175 00:51:03,830 --> 00:51:06,160 one of those bytes is going to be empty. 1176 00:51:06,160 --> 00:51:08,780 It's just going to have one bit in it for up or down. 1177 00:51:08,780 --> 00:51:10,200 But whatever. 1178 00:51:10,200 --> 00:51:13,200 So you can do that, and that's also really cool. 1179 00:51:13,200 --> 00:51:14,060 OK. 1180 00:51:14,060 --> 00:51:17,210 Any questions so far? 1181 00:51:17,210 --> 00:51:21,310 AUDIENCE: Could you encode a [INAUDIBLE] and same 1182 00:51:21,310 --> 00:51:22,252 up and down? 1183 00:51:22,252 --> 00:51:24,136 Could you just encode an [INAUDIBLE]?? 1184 00:51:24,136 --> 00:51:25,550 TADGE DRYJA: Huh. 1185 00:51:25,550 --> 00:51:26,720 Probably. 1186 00:51:26,720 --> 00:51:29,750 But I don't think it would be smaller. 1187 00:51:29,750 --> 00:51:31,910 I think you'd have to probably have the same size 1188 00:51:31,910 --> 00:51:33,577 if you use some other coordinate system. 1189 00:51:36,110 --> 00:51:37,790 Hm. 1190 00:51:37,790 --> 00:51:39,907 Yeah, you could encode a slope-- 1191 00:51:39,907 --> 00:51:41,240 AUDIENCE: Yeah, the [INAUDIBLE]. 
1192 00:51:41,240 --> 00:51:42,865 TADGE DRYJA: And you say it intersects, 1193 00:51:42,865 --> 00:51:44,960 and it's at the slope, and which side of the axis? 1194 00:51:44,960 --> 00:51:46,700 AUDIENCE: Yeah, and if it crosses multiple times, 1195 00:51:46,700 --> 00:51:47,450 which one of the-- 1196 00:51:47,450 --> 00:51:48,350 TADGE DRYJA: You probably could. 1197 00:51:48,350 --> 00:51:50,170 I think you would end up the same size. 1198 00:51:50,170 --> 00:51:50,715 But yeah. 1199 00:51:50,715 --> 00:51:52,340 But it might be faster for some things. 1200 00:51:52,340 --> 00:51:54,710 There's all sorts of different encodings. 1201 00:51:54,710 --> 00:51:57,990 AUDIENCE: I guarantee that you have an integer in the end. 1202 00:51:57,990 --> 00:51:58,795 TADGE DRYJA: Yeah. 1203 00:51:58,795 --> 00:52:00,170 So you might not be on the curve. 1204 00:52:00,170 --> 00:52:01,640 But there's a similar problem here 1205 00:52:01,640 --> 00:52:03,320 where it might not be on the curve. 1206 00:52:03,320 --> 00:52:06,360 You can encode a point that's also off the curve. 1207 00:52:06,360 --> 00:52:08,930 And so when you actually get a public key, 1208 00:52:08,930 --> 00:52:11,515 like over the wire in these systems, 1209 00:52:11,515 --> 00:52:12,890 the first thing you usually do is 1210 00:52:12,890 --> 00:52:14,432 make sure this is a valid public key, 1211 00:52:14,432 --> 00:52:16,217 and it's actually on the curve. 1212 00:52:16,217 --> 00:52:18,050 Because there's a lot of points that aren't. 1213 00:52:18,050 --> 00:52:20,690 And sometimes you can screw around with the code that way. 1214 00:52:20,690 --> 00:52:20,820 Yeah? 1215 00:52:20,820 --> 00:52:23,240 AUDIENCE: Can you define the scalar multiplication again? 1216 00:52:23,240 --> 00:52:24,010 How does it go? 1217 00:52:24,010 --> 00:52:24,677 TADGE DRYJA: OK. 
1218 00:52:24,677 --> 00:52:29,120 So scalar multiplication-- a times G is, basically, 1219 00:52:29,120 --> 00:52:32,960 break it out as G plus G plus G plus G plus G a times. 1220 00:52:32,960 --> 00:52:36,890 And G plus G is find the tangent of G 1221 00:52:36,890 --> 00:52:39,980 and then find the intersection, right? 1222 00:52:39,980 --> 00:52:44,870 So this is G. This is 2G, right-- tangent, intersect, 1223 00:52:44,870 --> 00:52:46,940 and then the negation. 1224 00:52:46,940 --> 00:52:50,810 And so you just do that a bazillion times. 1225 00:52:50,810 --> 00:52:53,900 However, since you can find 2G and then you 1226 00:52:53,900 --> 00:52:57,320 can double 2G to get 4G and double 4G to get 8G, 1227 00:52:57,320 --> 00:53:00,140 you can come up with powers of 2 of G 1228 00:53:00,140 --> 00:53:02,240 and then add those powers of 2 to do 1229 00:53:02,240 --> 00:53:06,650 a much more efficient addition so that you can practically 1230 00:53:06,650 --> 00:53:07,570 make-- 1231 00:53:07,570 --> 00:53:12,890 because little a is going to be some huge decimal 50-digit 1232 00:53:12,890 --> 00:53:14,290 number or whatever. 1233 00:53:14,290 --> 00:53:17,450 So you're going to have to do this two, four, six, 1234 00:53:17,450 --> 00:53:20,820 eight binary expansion and then add them all up. 1235 00:53:20,820 --> 00:53:22,220 OK. 1236 00:53:22,220 --> 00:53:24,570 Yeah? 1237 00:53:24,570 --> 00:53:29,860 AUDIENCE: You're chucking everything into some grain size 1238 00:53:29,860 --> 00:53:30,800 to get these. 1239 00:53:30,800 --> 00:53:32,642 You're [INAUDIBLE] a continuous curve. 1240 00:53:32,642 --> 00:53:33,350 TADGE DRYJA: Yes. 1241 00:53:33,350 --> 00:53:37,630 AUDIENCE: It feels like if you have 306 bits in the original, 1242 00:53:37,630 --> 00:53:40,810 you shouldn't be able to get all the way down to 32 bits, right? 1243 00:53:40,810 --> 00:53:42,830 Because you just want to make sure that you-- 1244 00:53:42,830 --> 00:53:43,707 TADGE DRYJA: This? 
1245 00:53:43,707 --> 00:53:44,332 AUDIENCE: Yeah. 1246 00:53:46,580 --> 00:53:49,150 If you removed a byte of precision, 1247 00:53:49,150 --> 00:53:52,640 would you actually be losing any power? 1248 00:53:52,640 --> 00:53:55,580 TADGE DRYJA: What you can do a little-- what you can do 1249 00:53:55,580 --> 00:53:58,520 is you can just say, look, I'm only 1250 00:53:58,520 --> 00:54:06,140 going to allow public keys that are on the top, positive y 1251 00:54:06,140 --> 00:54:07,070 component. 1252 00:54:07,070 --> 00:54:09,545 And everything else is disallowed. 1253 00:54:09,545 --> 00:54:11,420 You could have that as a rule of your system, 1254 00:54:11,420 --> 00:54:14,810 and then you can get rid of the y bit. 1255 00:54:14,810 --> 00:54:19,430 But the thing is the y-coordinate 1256 00:54:19,430 --> 00:54:23,103 does affect some of the things like signatures, things 1257 00:54:23,103 --> 00:54:24,020 that you'll later use. 1258 00:54:24,020 --> 00:54:28,580 So you can just say, OK, look, implicitly y bit is positive. 1259 00:54:28,580 --> 00:54:32,240 And you lose 1 bit of security. 1260 00:54:32,240 --> 00:54:34,250 Because there is a difference between 1261 00:54:34,250 --> 00:54:37,742 the positive and negative thing if you're doing signing. 1262 00:54:37,742 --> 00:54:38,460 But yeah. 1263 00:54:38,460 --> 00:54:40,950 And so some systems do do that. 1264 00:54:40,950 --> 00:54:42,340 And it makes things easier. 1265 00:54:42,340 --> 00:54:44,180 There's some signing systems that do that. 1266 00:54:44,180 --> 00:54:44,680 OK. 1267 00:54:44,680 --> 00:54:46,990 I'm going to go to the next part. 1268 00:54:50,690 --> 00:54:52,610 ECDSA is used in bitcoin. 1269 00:54:52,610 --> 00:54:56,010 I'm actually not going to explain it. 1270 00:54:56,010 --> 00:54:58,400 It's a worse signature system. 1271 00:54:58,400 --> 00:55:02,420 So the reason why this was used was the better system 1272 00:55:02,420 --> 00:55:04,490 was patented. 
1273 00:55:04,490 --> 00:55:11,180 And so there's a clearer, more obvious, cleaner, more powerful 1274 00:55:11,180 --> 00:55:14,240 signature system that was patented by this German guy, 1275 00:55:14,240 --> 00:55:15,170 Claus Schnorr. 1276 00:55:15,170 --> 00:55:17,660 And so no one used it, or maybe a few people used it. 1277 00:55:17,660 --> 00:55:21,860 But in general, with open source things and web standards, 1278 00:55:21,860 --> 00:55:25,590 patents are really hard to work with. 1279 00:55:25,590 --> 00:55:27,140 And so all the cryptographers said, 1280 00:55:27,140 --> 00:55:29,360 well, we'll make this other system 1281 00:55:29,360 --> 00:55:32,540 that's different enough that it doesn't infringe on the patent. 1282 00:55:32,540 --> 00:55:36,200 And it's kind of ugly. 1283 00:55:36,200 --> 00:55:38,720 It does work as a signature scheme. 1284 00:55:38,720 --> 00:55:40,760 But actually, I'm going to explain 1285 00:55:40,760 --> 00:55:46,100 the Schnorr signatures, which make a lot more sense, 1286 00:55:46,100 --> 00:55:48,410 are easier to understand and manipulate, 1287 00:55:48,410 --> 00:55:50,840 and the patent has expired, so we can all use it. 1288 00:55:50,840 --> 00:55:53,780 And it will probably be going into Bitcoin. 1289 00:55:53,780 --> 00:55:56,490 And some cryptocurrencies use Schnorr signatures. 1290 00:55:56,490 --> 00:56:02,180 I think Monero uses a Schnorr-like signature. 1291 00:56:02,180 --> 00:56:05,480 But Bitcoin will probably be putting it 1292 00:56:05,480 --> 00:56:08,130 into Bitcoin in the next year or so. 1293 00:56:08,130 --> 00:56:10,220 So all these things will be much more applicable, 1294 00:56:10,220 --> 00:56:11,310 and you can use them. 1295 00:56:11,310 --> 00:56:12,185 And there's code out. 1296 00:56:12,185 --> 00:56:13,620 You can use them now. 1297 00:56:13,620 --> 00:56:14,120 OK. 1298 00:56:14,120 --> 00:56:14,410 Yeah. 1299 00:56:14,410 --> 00:56:15,008 Sorry. 
1300 00:56:15,008 --> 00:56:16,800 Patent has expired-- free to use the better 1301 00:56:16,800 --> 00:56:18,350 algo that must not be named. 1302 00:56:18,350 --> 00:56:20,352 So yeah. 1303 00:56:20,352 --> 00:56:22,310 People don't call it Schnorr signature as much. 1304 00:56:22,310 --> 00:56:24,800 Because it's like, well, this is the guy who prevented us 1305 00:56:24,800 --> 00:56:28,900 from using this for 20 years. 1306 00:56:28,900 --> 00:56:31,300 And there's modifications to it. 1307 00:56:31,300 --> 00:56:31,800 OK. 1308 00:56:31,800 --> 00:56:36,350 So the elliptic curve signature, for lack of a better name. 1309 00:56:36,350 --> 00:56:38,360 This is something of a simplification. 1310 00:56:38,360 --> 00:56:41,000 And there's reading about how you can really 1311 00:56:41,000 --> 00:56:41,907 do it the right way. 1312 00:56:41,907 --> 00:56:43,490 But this does give you the right idea. 1313 00:56:43,490 --> 00:56:48,170 And for a single signer, this is secure, and it works. 1314 00:56:48,170 --> 00:56:51,050 But later things, you might want to actually add other stuff. 1315 00:56:51,050 --> 00:56:54,360 So the idea is you've got your message m, right? 1316 00:56:54,360 --> 00:56:56,570 Same as in lamport, same as in RSA, you've 1317 00:56:56,570 --> 00:56:59,620 got a message m and a private key lowercase a. 1318 00:56:59,620 --> 00:57:03,755 And your public key is a times G, like we said. 1319 00:57:03,755 --> 00:57:05,630 And then, when you want to sign, you actually 1320 00:57:05,630 --> 00:57:10,490 make a one-time use key pair for the signature only. 1321 00:57:10,490 --> 00:57:12,530 And they usually call that k. 1322 00:57:12,530 --> 00:57:15,650 And k is a new random number. 1323 00:57:15,650 --> 00:57:17,150 It's the private key. 1324 00:57:17,150 --> 00:57:20,308 And you're going to multiply it by G. 1325 00:57:20,308 --> 00:57:22,100 And they call this R. 
I don't know why they 1326 00:57:22,100 --> 00:57:25,460 use these letters, but anyway. 1327 00:57:25,460 --> 00:57:30,680 K times G is R. R is the other public key you're using just 1328 00:57:30,680 --> 00:57:33,720 for this signature. 1329 00:57:33,720 --> 00:57:37,170 And then the signature itself is quite straightforward. 1330 00:57:37,170 --> 00:57:40,590 As the signer, you compute s, which is k-- 1331 00:57:40,590 --> 00:57:42,750 this new private key you just made up-- 1332 00:57:42,750 --> 00:57:47,160 minus the hash of your message concatenated with R, 1333 00:57:47,160 --> 00:57:49,990 this public key-- so you encode the public key in 33 bytes, 1334 00:57:49,990 --> 00:57:50,910 stick it in there-- 1335 00:57:50,910 --> 00:57:55,650 multiplied by a, your normal private key. 1336 00:57:55,650 --> 00:57:57,990 And then your signature is the pair-- 1337 00:57:57,990 --> 00:58:00,990 the R point and the s scalar. 1338 00:58:00,990 --> 00:58:03,390 This is a little bit of a bunch to process. 1339 00:58:03,390 --> 00:58:06,150 But it's actually not too bad, right? 1340 00:58:06,150 --> 00:58:07,110 This is a scalar-- 1341 00:58:07,110 --> 00:58:08,490 32 bytes-- that you made up. 1342 00:58:08,490 --> 00:58:14,400 The hash, this is a message, also going to be however long. 1343 00:58:14,400 --> 00:58:15,348 This is 33 bytes. 1344 00:58:15,348 --> 00:58:16,890 You concatenate them together-- hash. 1345 00:58:16,890 --> 00:58:20,550 You end up with another 32 byte scalar. 1346 00:58:20,550 --> 00:58:23,320 You multiply those two scalars. 1347 00:58:23,320 --> 00:58:26,760 So actually, the only elliptic curve operation 1348 00:58:26,760 --> 00:58:29,160 here is calculating what R is. 1349 00:58:29,160 --> 00:58:30,810 When you're actually calculating s, 1350 00:58:30,810 --> 00:58:33,840 this is all just scalar, so it's very fast. 
1351 00:58:33,840 --> 00:58:36,090 So in terms of practical computer stuff, 1352 00:58:36,090 --> 00:58:39,720 doing these operations is a little bit on the slow side. 1353 00:58:39,720 --> 00:58:42,270 Because you're doing those point additions quite a number 1354 00:58:42,270 --> 00:58:44,160 of times. 1355 00:58:44,160 --> 00:58:47,430 So a decent code, a decent CPU, can 1356 00:58:47,430 --> 00:58:53,100 do on the order of thousands of these types of operations 1357 00:58:53,100 --> 00:58:56,610 per second, which is decent. 1358 00:58:56,610 --> 00:58:59,190 You can do a decent amount, but it is kind of slow. 1359 00:58:59,190 --> 00:59:01,770 And it's considerably slower than hash functions. 1360 00:59:01,770 --> 00:59:04,770 You can do a million iterations of a hash function per second 1361 00:59:04,770 --> 00:59:07,350 on a core, or you can do, maybe, 1,000 or 2,000 1362 00:59:07,350 --> 00:59:11,980 of this kind of thing, so still pretty fast but slower. 1363 00:59:11,980 --> 00:59:16,585 And so this signing procedure, this takes a bit of time. 1364 00:59:16,585 --> 00:59:18,210 This takes, actually, very little time. 1365 00:59:18,210 --> 00:59:23,100 Because you're just subtracting and multiplying 32 byte scalar 1366 00:59:23,100 --> 00:59:25,810 integers, which is much faster. 1367 00:59:25,810 --> 00:59:26,310 OK. 1368 00:59:26,310 --> 00:59:29,300 So does this make sense? 1369 00:59:29,300 --> 00:59:31,750 We'll go a little bit of how you can't forge this. 1370 00:59:31,750 --> 00:59:32,250 OK. 1371 00:59:32,250 --> 00:59:32,750 Sorry. 1372 00:59:32,750 --> 00:59:33,680 So first verification. 1373 00:59:33,680 --> 00:59:34,280 Sorry. 1374 00:59:34,280 --> 00:59:39,140 So how would you, if anyone knows or can think, 1375 00:59:39,140 --> 00:59:43,010 how would you verify this, right? 
1376 00:59:43,010 --> 00:59:44,460 I know their public key-- 1377 00:59:44,460 --> 00:59:47,420 capital A, which is little a times G-- 1378 00:59:47,420 --> 00:59:49,340 and then they're giving me a message m, 1379 00:59:49,340 --> 00:59:51,800 and they're giving me a signature, which is R and s. 1380 00:59:51,800 --> 00:59:53,900 And they've computed it this way. 1381 00:59:53,900 --> 00:59:57,020 I can't verify this equation myself 1382 00:59:57,020 --> 00:59:58,610 because I don't know what k is. 1383 00:59:58,610 --> 01:00:00,560 I don't know what little a is, right? 1384 01:00:00,560 --> 01:00:09,470 I'm just given R, s, m, and big A. So how would I verify this? 1385 01:00:09,470 --> 01:00:13,510 AUDIENCE: Can I, for example, take the hash of the message, 1386 01:00:13,510 --> 01:00:21,124 use R, and then try random a's and that-- 1387 01:00:21,124 --> 01:00:22,250 on, sorry. 1388 01:00:22,250 --> 01:00:23,000 TADGE DRYJA: Yeah. 1389 01:00:23,000 --> 01:00:24,350 Do you have one? 1390 01:00:24,350 --> 01:00:26,850 AUDIENCE: So trying random is probably [INAUDIBLE] because-- 1391 01:00:26,850 --> 01:00:27,685 TADGE DRYJA: There's a lot, yeah. 1392 01:00:27,685 --> 01:00:28,893 AUDIENCE: --there's too many. 1393 01:00:28,893 --> 01:00:30,550 The old one that you don't know it. 1394 01:00:30,550 --> 01:00:33,910 But I think one more thing you could do is take little s 1395 01:00:33,910 --> 01:00:35,872 and multiply it by big G. 1396 01:00:35,872 --> 01:00:36,580 TADGE DRYJA: Yes. 1397 01:00:36,580 --> 01:00:37,650 AUDIENCE: And then do some-- 1398 01:00:37,650 --> 01:00:38,430 TADGE DRYJA: Yeah. 1399 01:00:38,430 --> 01:00:41,320 So the basic idea-- yeah, you're right. 1400 01:00:41,320 --> 01:00:43,630 Multiply this side by G. Then you also 1401 01:00:43,630 --> 01:00:46,330 have to multiply the other side by G, right? 
1402 01:00:46,330 --> 01:00:50,170 So you say, OK, well, as the verifier-- 1403 01:00:50,170 --> 01:00:51,732 I've got R, I've got s-- 1404 01:00:51,732 --> 01:00:53,590 I multiply s by G, and now I have 1405 01:00:53,590 --> 01:00:57,800 to multiply this side by G. And what'll that look like? 1406 01:00:57,800 --> 01:00:59,764 Well, what's k times G? 1407 01:00:59,764 --> 01:01:00,264 AUDIENCE: R. 1408 01:01:00,264 --> 01:01:03,490 TADGE DRYJA: R. What's little a times G? 1409 01:01:03,490 --> 01:01:07,140 Big A. So yeah. 1410 01:01:07,140 --> 01:01:09,090 I want to verify. 1411 01:01:09,090 --> 01:01:11,490 I want to verify that this equation was used, 1412 01:01:11,490 --> 01:01:15,120 right-- s equals k minus this hash times little a. 1413 01:01:15,120 --> 01:01:17,490 Multiply both sides by G, I get s times G 1414 01:01:17,490 --> 01:01:21,660 equals k times G minus the hash thing times little a times 1415 01:01:21,660 --> 01:01:26,070 G. This is big A. This is R. 1416 01:01:26,070 --> 01:01:29,490 Hey, now I know everything here as the verifier, right? 1417 01:01:29,490 --> 01:01:30,552 I know what s times G is. 1418 01:01:30,552 --> 01:01:31,260 I know what R is. 1419 01:01:31,260 --> 01:01:32,490 I know what big A is. 1420 01:01:32,490 --> 01:01:35,593 I know what's going into this hash function. 1421 01:01:35,593 --> 01:01:36,510 And so I just say, OK. 1422 01:01:36,510 --> 01:01:44,130 Well, I rearrange it a little, and I say, is R equal to this? 1423 01:01:44,130 --> 01:01:46,350 And if it is, that's a good signature. 1424 01:01:46,350 --> 01:01:50,620 If it's not, it's not a good signature. 1425 01:01:50,620 --> 01:01:51,900 Any questions about this? 1426 01:01:51,900 --> 01:01:56,850 Does this make sense, mostly? 1427 01:01:59,850 --> 01:02:04,620 So for the verification, it's a bit more CPU-intense, right? 1428 01:02:04,620 --> 01:02:06,030 You're given a scalar. 1429 01:02:06,030 --> 01:02:13,270 You multiply by G.
You also have to multiply A-- 1430 01:02:13,270 --> 01:02:14,720 this is actually more costly-- 1431 01:02:14,720 --> 01:02:16,870 you have to multiply A by this hash. 1432 01:02:16,870 --> 01:02:18,370 The reason that's more costly-- it's 1433 01:02:18,370 --> 01:02:20,660 still a scalar times a point. 1434 01:02:20,660 --> 01:02:25,060 The thing is, since G is used for multiplying a lot, 1435 01:02:25,060 --> 01:02:29,710 you precompute all sorts of coefficients times G, 1436 01:02:29,710 --> 01:02:34,590 and you store them in RAM or in your CPU somewhere. 1437 01:02:34,590 --> 01:02:36,370 So multiplying by G is a little bit faster 1438 01:02:36,370 --> 01:02:38,620 because you do it a lot, you can precompute a lot, 1439 01:02:38,620 --> 01:02:41,170 whereas multiplying by A is different each time for all 1440 01:02:41,170 --> 01:02:42,610 the different signatures. 1441 01:02:42,610 --> 01:02:45,340 So this is a little bit slower, in general. 1442 01:02:45,340 --> 01:02:48,190 So it takes a little bit more CPU time 1443 01:02:48,190 --> 01:02:51,820 to verify a signature than to create one, 1444 01:02:51,820 --> 01:02:53,660 something like twice as much. 1445 01:02:53,660 --> 01:02:55,690 But still, you can do this pretty fast. 1446 01:02:55,690 --> 01:02:59,000 On a modern computer, you can do thousands of these a second. 1447 01:02:59,000 --> 01:02:59,500 OK. 1448 01:02:59,500 --> 01:03:01,180 Any questions so far? 1449 01:03:01,180 --> 01:03:05,800 I'll go a little bit into why this is not forgeable, right? 1450 01:03:05,800 --> 01:03:09,220 So I want to forge a signature. 1451 01:03:09,220 --> 01:03:14,980 Well, I don't know little a. 1452 01:03:14,980 --> 01:03:18,430 But why don't I make up a k and compute s and R? 1453 01:03:18,430 --> 01:03:20,470 But I need a, right? 1454 01:03:20,470 --> 01:03:23,140 So I'm going to say, OK, this is the equation I want.
1455 01:03:23,140 --> 01:03:28,120 I'll just make up my own k and make up my own k, s, 1456 01:03:28,120 --> 01:03:31,000 that'll satisfy this. 1457 01:03:31,000 --> 01:03:33,670 Without a, I really can't make a valid s, right? 1458 01:03:33,670 --> 01:03:34,945 I can make something up here. 1459 01:03:38,410 --> 01:03:42,400 But I can't compute it because I don't know here, right? 1460 01:03:42,400 --> 01:03:45,260 I can try to grind through hash functions, but it won't work. 1461 01:03:45,260 --> 01:03:48,040 The basic problem is if I make up an s 1462 01:03:48,040 --> 01:03:50,860 and solve for R, right-- 1463 01:03:50,860 --> 01:03:52,780 I can say, well, I know what R is-- 1464 01:03:52,780 --> 01:03:56,413 but the thing is R is in the hash function, as well. 1465 01:03:56,413 --> 01:03:58,330 It's the one-wayness of the hash function that 1466 01:03:58,330 --> 01:04:01,142 actually breaks this, right? 1467 01:04:01,142 --> 01:04:03,100 So I could say, well, let me solve for R. Well, 1468 01:04:03,100 --> 01:04:10,710 R is the hash of m and R times a plus s times G. 1469 01:04:10,710 --> 01:04:13,980 If I can come up with a valid R here, I can do this. 1470 01:04:13,980 --> 01:04:19,650 The problem is R is defined by the hash of R in this case. 1471 01:04:19,650 --> 01:04:22,630 I can't compute this, and I can't cancel this out, right? 1472 01:04:22,630 --> 01:04:25,920 So you can see just like, OK, I need to solve for R. Well, 1473 01:04:25,920 --> 01:04:27,450 but it's already in here. 1474 01:04:27,450 --> 01:04:28,440 I'm stuck. 1475 01:04:28,440 --> 01:04:32,480 If I don't know k, I can't come up with a signature, either. 1476 01:04:37,110 --> 01:04:37,610 OK. 1477 01:04:37,610 --> 01:04:40,940 There is one footgun with EC signatures. 1478 01:04:40,940 --> 01:04:46,160 If you use the same R value for different signatures 1479 01:04:46,160 --> 01:04:50,130 with the same pubkey, you reveal your private key. 
1480 01:04:50,130 --> 01:04:53,420 So k has to be random and new every time. 1481 01:04:56,515 --> 01:04:57,890 If you look through the equation, 1482 01:04:57,890 --> 01:04:59,705 you'll see how you can solve-- 1483 01:04:59,705 --> 01:05:05,150 if you have two of the same k's with different s's-- 1484 01:05:05,150 --> 01:05:06,770 you can solve for k. 1485 01:05:06,770 --> 01:05:11,910 And then, once you solve for k given 1486 01:05:11,910 --> 01:05:15,030 this, if you know what k is, you can 1487 01:05:15,030 --> 01:05:17,400 find what little a is, right, as a verifier. 1488 01:05:17,400 --> 01:05:19,680 You can say, well, you gave me s. 1489 01:05:19,680 --> 01:05:21,090 That's part of the signature. 1490 01:05:21,090 --> 01:05:23,760 I know this whole coefficient. 1491 01:05:23,760 --> 01:05:27,410 If I know k, I can solve for little a by dividing this out. 1492 01:05:27,410 --> 01:05:29,220 So always use a new k value. 1493 01:05:29,220 --> 01:05:31,980 There have been many cases where people don't. 1494 01:05:31,980 --> 01:05:37,020 Probably the most famous one is PlayStation 3 used ECDSA. 1495 01:05:37,020 --> 01:05:40,470 And they used a fixed k value for signing all their code. 1496 01:05:40,470 --> 01:05:43,320 And that allowed people to calculate their private keys 1497 01:05:43,320 --> 01:05:45,870 and then run pirated games. 1498 01:05:45,870 --> 01:05:47,400 That was actually the first time I 1499 01:05:47,400 --> 01:05:49,594 learned about elliptic curve signatures, 1500 01:05:49,594 --> 01:05:53,670 in 2010 or something. 1501 01:05:53,670 --> 01:05:55,800 So actually, there's interesting tutorials 1502 01:05:55,800 --> 01:05:58,830 written by the hackers who broke PlayStation 3 about how 1503 01:05:58,830 --> 01:05:59,590 this works. 1504 01:05:59,590 --> 01:06:02,500 And that's when I first read about it. 1505 01:06:02,500 --> 01:06:03,000 OK. 1506 01:06:03,000 --> 01:06:06,370 We're almost out of time.
1507 01:06:06,370 --> 01:06:10,090 Any questions about this stuff so far? 1508 01:06:10,090 --> 01:06:11,340 OK. 1509 01:06:11,340 --> 01:06:15,787 So this is a signature algorithm. 1510 01:06:15,787 --> 01:06:16,620 It's like, OK, fine. 1511 01:06:16,620 --> 01:06:17,130 This works. 1512 01:06:17,130 --> 01:06:20,460 I can sign, same as lamport signatures, same as RSA. 1513 01:06:20,460 --> 01:06:22,530 What's really nice about the elliptic curve stuff 1514 01:06:22,530 --> 01:06:26,580 is you can do more than just signatures. 1515 01:06:26,580 --> 01:06:28,890 There's all sorts of fun things you can do. 1516 01:06:28,890 --> 01:06:31,380 And it seems like a fairly unexplored area 1517 01:06:31,380 --> 01:06:34,440 in that I've found fun things that you 1518 01:06:34,440 --> 01:06:36,690 can do that I guess are novel. 1519 01:06:36,690 --> 01:06:38,610 And I'm not an expert on this at all. 1520 01:06:38,610 --> 01:06:40,800 It's just that it's a fairly new area of research 1521 01:06:40,800 --> 01:06:43,920 in how to do cool bitcoiny cryptocurrency 1522 01:06:43,920 --> 01:06:46,290 things with these curves and points and stuff. 1523 01:06:46,290 --> 01:06:51,900 So I'll go through a couple fun things you can do. 1524 01:06:51,900 --> 01:06:53,080 Fun with points. 1525 01:06:53,080 --> 01:06:53,580 OK. 1526 01:06:53,580 --> 01:06:55,650 So I'm not using an asterisk. 1527 01:06:55,650 --> 01:06:59,880 Just b times G. So let's say Alice 1528 01:06:59,880 --> 01:07:04,620 has a public key A. Bob has a public key B, right, 1529 01:07:04,620 --> 01:07:09,300 which is little a times G or little b times G. Well, 1530 01:07:09,300 --> 01:07:10,470 this is weird. 
1531 01:07:10,470 --> 01:07:12,970 Little a times big B-- 1532 01:07:12,970 --> 01:07:16,290 Alice's private key multiplied by Bob's public key-- 1533 01:07:16,290 --> 01:07:18,480 you can do that, right?-- 1534 01:07:18,480 --> 01:07:21,850 is equal to Bob's private key times Alice's public 1535 01:07:21,850 --> 01:07:23,590 key, right? 1536 01:07:23,590 --> 01:07:24,310 It's commutative. 1537 01:07:24,310 --> 01:07:25,860 The multiplication is commutative. 1538 01:07:25,860 --> 01:07:27,030 That's weird, right? 1539 01:07:27,030 --> 01:07:30,468 It's just a times G times b, which is the same-- 1540 01:07:30,468 --> 01:07:32,010 or it doesn't matter the order-- it's 1541 01:07:32,010 --> 01:07:36,360 the same as b times G times a, which is the same as a times 1542 01:07:36,360 --> 01:07:40,320 b times G. And let's call that C. C-- this 1543 01:07:40,320 --> 01:07:42,950 is called a Diffie-Hellman key exchange point. 1544 01:07:42,950 --> 01:07:47,550 Diffie and Hellman are two also late-'70s PhD students who came 1545 01:07:47,550 --> 01:07:49,470 up with all this cool stuff. 1546 01:07:49,470 --> 01:07:50,908 No, wait. 1547 01:07:50,908 --> 01:07:51,950 Diffie was a PhD student. 1548 01:07:51,950 --> 01:07:52,950 Hellman was his advisor? 1549 01:07:52,950 --> 01:07:53,970 I don't remember. 1550 01:07:53,970 --> 01:07:57,540 Anyway, they came up with this idea. 1551 01:07:57,540 --> 01:07:59,340 And this is a shared point. 1552 01:07:59,340 --> 01:08:02,450 What would this be useful for? 1553 01:08:02,450 --> 01:08:04,070 It's actually super useful. 1554 01:08:04,070 --> 01:08:05,485 Can you think of like, oh, OK. 1555 01:08:05,485 --> 01:08:06,110 We can do this. 1556 01:08:06,110 --> 01:08:09,170 We can compute C. Why would we want to do that? 1557 01:08:09,170 --> 01:08:11,446 Any applications you can think of? 1558 01:08:11,446 --> 01:08:12,402 Yeah? 
1559 01:08:12,402 --> 01:08:15,270 AUDIENCE: Trying to share keys with people without both 1560 01:08:15,270 --> 01:08:17,182 of them knowing who they are and evaluating 1561 01:08:17,182 --> 01:08:18,664 the other set of keys. 1562 01:08:18,664 --> 01:08:19,414 TADGE DRYJA: Yeah. 1563 01:08:19,414 --> 01:08:21,979 It's really cool to share keys. 1564 01:08:21,979 --> 01:08:25,609 So this is also done if you have a web browser. 1565 01:08:25,609 --> 01:08:28,460 I think it's all elliptic curve Diffie-Hellman now, mostly. 1566 01:08:28,460 --> 01:08:30,740 But if you have a web browser and you go to a website, 1567 01:08:30,740 --> 01:08:35,300 this is happening, basically, for every HTTPS request. 1568 01:08:35,300 --> 01:08:37,550 Because you can use C as a sort of 1569 01:08:37,550 --> 01:08:41,750 shared key and encrypt things with it. 1570 01:08:41,750 --> 01:08:45,620 The idea is big A can be public. 1571 01:08:45,620 --> 01:08:48,529 Big B can be public. 1572 01:08:48,529 --> 01:08:50,330 Point C will not be public. 1573 01:08:50,330 --> 01:08:52,130 The only way to compute it is to know 1574 01:08:52,130 --> 01:08:54,979 either Alice's private key-- little a-- 1575 01:08:54,979 --> 01:08:58,790 or Bob's private key, little b. 1576 01:08:58,790 --> 01:09:02,270 Even though you can see the public keys, 1577 01:09:02,270 --> 01:09:06,470 you can't compute C from just the public keys, right? 1578 01:09:06,470 --> 01:09:12,229 Because big A times big B, that's not defined. 1579 01:09:12,229 --> 01:09:13,910 You can't multiply the points. 1580 01:09:13,910 --> 01:09:16,670 You have to multiply the point by a scalar. 1581 01:09:16,670 --> 01:09:18,260 And since you don't know the scalars 1582 01:09:18,260 --> 01:09:20,450 from viewing this exchange, you can't 1583 01:09:20,450 --> 01:09:23,810 compute C. But Alice and Bob can both compute C. 1584 01:09:23,810 --> 01:09:25,710 So this is really useful. 1585 01:09:25,710 --> 01:09:30,229 You can compute C. 
You can use it for encryption. 1586 01:09:30,229 --> 01:09:33,319 You can use it to prove you are who you say you are. 1587 01:09:33,319 --> 01:09:36,200 You can use it as an interactive verification 1588 01:09:36,200 --> 01:09:38,300 where you say, OK, I'm Bob. 1589 01:09:38,300 --> 01:09:41,680 I'm going to make a random point. 1590 01:09:41,680 --> 01:09:42,930 I'm going to give that to you. 1591 01:09:42,930 --> 01:09:46,680 Prove you know your private key-- little a-- 1592 01:09:46,680 --> 01:09:50,439 by telling me what C is, right? 1593 01:09:50,439 --> 01:09:54,880 So I can make a random key here, give it to you. 1594 01:09:54,880 --> 01:09:58,340 You return C. I verify that that's the right C. And I say, 1595 01:09:58,340 --> 01:10:00,460 OK, well you must know little a. 1596 01:10:00,460 --> 01:10:03,100 You haven't shown me a little a, but you've 1597 01:10:03,100 --> 01:10:05,260 proven that you know it, so proof of knowledge 1598 01:10:05,260 --> 01:10:06,680 of the private key. 1599 01:10:06,680 --> 01:10:11,000 So you can use that for logins instead of passwords. 1600 01:10:11,000 --> 01:10:13,280 And it's much simpler than a signature. 1601 01:10:13,280 --> 01:10:16,180 So that's really cool. 1602 01:10:16,180 --> 01:10:17,920 All sorts of things you can do with that. 1603 01:10:17,920 --> 01:10:19,990 The last part, you can have fun with points. 1604 01:10:19,990 --> 01:10:22,690 And I use this in my software. 1605 01:10:22,690 --> 01:10:25,090 So you say, OK, well, there's a public key A. 1606 01:10:25,090 --> 01:10:27,430 There's a public key B. And we'll 1607 01:10:27,430 --> 01:10:32,590 define D as the sum of these two public keys. 1608 01:10:32,590 --> 01:10:35,110 The thing is if you're summing these two public keys, 1609 01:10:35,110 --> 01:10:36,820 it's commutative, and it is the same 1610 01:10:36,820 --> 01:10:41,890 as saying the sum of the two private keys times G, right?
1611 01:10:41,890 --> 01:10:45,910 a times G plus b times G is the same as a plus 1612 01:10:45,910 --> 01:10:50,650 b times G, which is another really cool property. 1613 01:10:50,650 --> 01:10:54,310 So what if I compute this public key D, 1614 01:10:54,310 --> 01:10:59,410 and I say I want a signature from public key D? 1615 01:10:59,410 --> 01:11:00,130 You can. 1616 01:11:00,130 --> 01:11:01,900 And so the private key, little d, 1617 01:11:01,900 --> 01:11:07,060 which can sign for this, is just little a plus little b. 1618 01:11:07,060 --> 01:11:09,192 So you can make a combined key. 1619 01:11:09,192 --> 01:11:10,150 And then either party-- 1620 01:11:10,150 --> 01:11:14,260 Alice has little a, Bob has a little b-- 1621 01:11:14,260 --> 01:11:16,000 and they could reveal it to each other 1622 01:11:16,000 --> 01:11:19,750 and allow the other person to make a signature with D later. 1623 01:11:24,400 --> 01:11:27,010 I use this in the Lightning Network software I've had, 1624 01:11:27,010 --> 01:11:30,670 where, basically, you say, look, we'll compute D, 1625 01:11:30,670 --> 01:11:36,150 and I can give you the private key, right? 1626 01:11:36,150 --> 01:11:36,750 I'm Bob. 1627 01:11:36,750 --> 01:11:39,330 And I say, OK, here's point b. 1628 01:11:39,330 --> 01:11:40,270 Here's point a. 1629 01:11:40,270 --> 01:11:41,700 We add them together. 1630 01:11:41,700 --> 01:11:45,030 And then, Alice, if I give you my private key, now 1631 01:11:45,030 --> 01:11:47,550 you can sign, but I can't, right? 1632 01:11:47,550 --> 01:11:50,610 So I'll give you the private key to D 1633 01:11:50,610 --> 01:11:52,170 from some information I have. 1634 01:11:52,170 --> 01:11:54,030 Or you could give me the private key to D 1635 01:11:54,030 --> 01:11:56,370 by sharing little a with me.
1636 01:11:56,370 --> 01:11:58,020 So this is another useful thing where 1637 01:11:58,020 --> 01:12:00,150 you can have something where both parties know 1638 01:12:00,150 --> 01:12:03,120 that neither party can sign unless they give them 1639 01:12:03,120 --> 01:12:05,110 something. 1640 01:12:05,110 --> 01:12:09,450 And you can use that for bitcoin addresses, things like that. 1641 01:12:09,450 --> 01:12:11,610 Before you even get to signatures, 1642 01:12:11,610 --> 01:12:13,000 you can share keys and stuff. 1643 01:12:13,000 --> 01:12:15,390 There's all sorts of super fun things 1644 01:12:15,390 --> 01:12:18,690 you can do with these points and curves and systems. 1645 01:12:18,690 --> 01:12:22,860 Multisignatures-- I put a link to a PDF file 1646 01:12:22,860 --> 01:12:26,760 that's very recent and kind of overkill and over my head, 1647 01:12:26,760 --> 01:12:28,530 as well. 1648 01:12:28,530 --> 01:12:31,600 But you can do signatures where you aggregate the signatures. 1649 01:12:31,600 --> 01:12:32,100 But 1650 01:12:32,100 --> 01:12:34,333 There's ways to say, OK, well, I'm 1651 01:12:34,333 --> 01:12:36,000 going to add all these R points, and I'm 1652 01:12:36,000 --> 01:12:37,333 going to add all these s points. 1653 01:12:37,333 --> 01:12:39,900 And I can have signatures that are 1654 01:12:39,900 --> 01:12:41,820 from a bunch of different people that 1655 01:12:41,820 --> 01:12:44,940 collapse into the same size as a single signature. 1656 01:12:44,940 --> 01:12:47,490 And I can verify that they're all signing the same thing 1657 01:12:47,490 --> 01:12:49,860 or, possibly, that they're all signing different things. 1658 01:12:49,860 --> 01:12:52,410 So I have 10 different signatures 1659 01:12:52,410 --> 01:12:55,260 from different people signing different messages. 1660 01:12:55,260 --> 01:12:57,220 But I can add up all the s values. 1661 01:12:57,220 --> 01:12:58,440 I have to keep the R values. 
1662 01:12:58,440 --> 01:13:01,710 But now these 10 signatures, instead of being 64 bytes 1663 01:13:01,710 --> 01:13:03,840 each are more like 32 bytes each. 1664 01:13:03,840 --> 01:13:07,360 And there's one extra 32 byte value for all of them. 1665 01:13:07,360 --> 01:13:08,970 So there's a lot of really cool ways 1666 01:13:08,970 --> 01:13:12,330 you can combine things, make things smaller, 1667 01:13:12,330 --> 01:13:14,920 make things really versatile, where we can share keys, 1668 01:13:14,920 --> 01:13:17,250 things like that, which you can't 1669 01:13:17,250 --> 01:13:20,670 do with hash-based signatures, hash functions. 1670 01:13:20,670 --> 01:13:22,170 And so it's really fun. 1671 01:13:22,170 --> 01:13:24,240 One worry is that if quantum computers ever 1672 01:13:24,240 --> 01:13:26,850 become really a thing, all this stuff stops working. 1673 01:13:26,850 --> 01:13:29,070 All the elliptic curve stuff doesn't work anymore. 1674 01:13:29,070 --> 01:13:31,950 You can figure out what people's private keys are, 1675 01:13:31,950 --> 01:13:34,320 whereas hash stuff, hash things like lamport signatures, 1676 01:13:34,320 --> 01:13:36,060 still work. 1677 01:13:36,060 --> 01:13:38,460 So there's some talk of hey, we should 1678 01:13:38,460 --> 01:13:42,360 prepare for if that ever happens and make efficient, effective 1679 01:13:42,360 --> 01:13:44,520 hash-based signatures and use them 1680 01:13:44,520 --> 01:13:46,608 in something like Bitcoin or Ethereum. 1681 01:13:46,608 --> 01:13:48,900 People haven't yet because the overhead is really high. 1682 01:13:48,900 --> 01:13:50,940 It's really big. 1683 01:13:50,940 --> 01:13:52,710 The real thing is all these fun things 1684 01:13:52,710 --> 01:13:55,270 might disappear in the next 10, 20 years. 1685 01:13:55,270 --> 01:13:55,770 Who knows? 1686 01:13:55,770 --> 01:13:56,880 But there's lots of cool stuff. 1687 01:13:56,880 --> 01:13:57,880 What do we do with this?
1688 01:13:57,880 --> 01:13:59,760 So we're not going to do anything yet 1689 01:13:59,760 --> 01:14:01,350 in terms of problem sets. 1690 01:14:01,350 --> 01:14:03,540 It's a little hard to program it directly. 1691 01:14:03,540 --> 01:14:04,730 But there's libraries. 1692 01:14:04,730 --> 01:14:06,355 And the libraries have fairly easy use, 1693 01:14:06,355 --> 01:14:08,980 where it's multiply by G is a function, 1694 01:14:08,980 --> 01:14:11,140 and multiply by this point is a function. 1695 01:14:11,140 --> 01:14:13,140 So this is groundwork for cool stuff you can do. 1696 01:14:13,140 --> 01:14:15,420 And it's really nice because it's a new area. 1697 01:14:15,420 --> 01:14:18,570 And I'm not an expert on this, but I've come up with stuff 1698 01:14:18,570 --> 01:14:20,640 that people have cited me on. 1699 01:14:20,640 --> 01:14:23,350 And they're like, yeah, I guess no one thought of that before. 1700 01:14:23,350 --> 01:14:25,240 There's a lot of things. 1701 01:14:25,240 --> 01:14:26,760 There's one very recent one called 1702 01:14:26,760 --> 01:14:28,453 Taproot, where it's one line. 1703 01:14:28,453 --> 01:14:29,370 You're like, oh, yeah. 1704 01:14:29,370 --> 01:14:30,750 That works. 1705 01:14:30,750 --> 01:14:33,930 And it's just these sort of elliptic curve operations. 1706 01:14:33,930 --> 01:14:35,220 It's like, yeah, that works. 1707 01:14:35,220 --> 01:14:36,352 That's really useful. 1708 01:14:36,352 --> 01:14:37,560 How did no one think of that? 1709 01:14:37,560 --> 01:14:38,370 It's one line. 1710 01:14:38,370 --> 01:14:39,180 Wow. 1711 01:14:39,180 --> 01:14:40,320 So there's just not a ton of people 1712 01:14:40,320 --> 01:14:41,570 working on this kind of stuff. 1713 01:14:41,570 --> 01:14:43,490 And so it's kind of fun.