0

I am learning ECC, I am confused a bit how it works for now. To my understanding, G is the starting point, k is how many times you apply the dot operation. And Q is the public key, which is the final point after you apply k times dot operations, like this

Q = kG

And then Q is the public key, and k is the private key. We assume it's really hard to find k given Q and G are known. The thing I don't understand (or I misunderstood) is, if the creator of this pair of key, can calculate k times of G to get Q easily in a reasonable amount of time, why can't attacker do the same? I can start from 1 dot operation, then 2 dot operations .... and eventually, I will hit a point that's the same as Q, and because the creator already did this in a reasonable amount of time, so I guess I can do it too (as they need to do k times of operation for thing like Diffie–Hellman)? And if k is super huge, doesn't it take the creator to take a super long time to generate and use it for key exchange? But I don't think it will be that easy, otherwise, it will be useless, just not sure which part I missed.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
Fang-Pen Lin
  • 103
  • 3
  • 3
    "k is how many times you apply the dot operation ". *NO!* k is much too big to perform anything k times. Adding G to itself repeatedly, one less than k times, would yield Q. But the holder of k uses shortcuts. – fgrieu Sep 04 '19 at 17:44
  • got it, I see, the part I missed is that there is a short cut, double and add method to quickly get to kG. – Fang-Pen Lin Sep 05 '19 at 01:19
  • Or more simply https://crypto.stackexchange.com/questions/58373/how-to-calculate-a-private-key-from-public-key-on-elliptic-curve and https://crypto.stackexchange.com/questions/61103/why-is-it-impossible-to-find-the-private-key-from-the-public-key – dave_thompson_085 Sep 05 '19 at 01:56

1 Answers1

3

The creator of the key pair can do it efficiently because he has to calculate $kG$ for only one value of $k$. The cost would be something like $\log(k)$ elliptic curve operations. It's very small.

What you propose is to compute $1G$, $2G$, until you reach $kG$. Since $k$ is a big number (something like $2^{256}$, it is very big), then you have to do $2^{256}$ times more operations than the creator. It is very big.

  • thanks you so much, also thanks to @fgrieu, the missing part is that I didn't know there's a faster way to calculate kG. Since at very, I thought the dot operation is just something you can do one by one, but it turns out they are actually a field, where you can do double and add to get a crazy huge number easily. – Fang-Pen Lin Sep 05 '19 at 01:21