3

I am quite new to the study of elliptic curve cryptography and as such I might be asking something with a mundane solution, but I can't easily find such a solution online. My understanding of ECC is that you can generate a private key (some integer $k$), a starting point on the curve ($G$), and a curve equation, and then generate a public key through finding $kG$. My understanding is then that your computer would perform however many operations are required to find $kG$ (if $k$ was 16 then that would be four operations).

With this data, the starting point $G$, the curve equation, and the public key are made public. What I am wondering is why can't an attacker try to find out what the private key $k$ simply is, take the starting point and perform operations until they reach the public key and as such know what $k$ is? Is it based on the fact that the sender only needs 4 operations to calculate $kG$ whereas the attacker would need 16 operations (for the given example)?

mostlycryptic
James

1 Answer

5

To compute $kG$ you need $O(\log k)$ operations. (For every bit, double the result and additionally add $G$ if the bit is $1$.) As you mentioned in a comment, for around $k=1024$ you would need like $10$ operations to compute $kG$. But this example is way too small for practical use and the exponential effect does not really kick in yet. Normally, when the curve has order around $2^n$, $k$ would be of a similar magnitude as $2^n$.

So for curves with order $2^{256}$ish you need around $\log(2^{256})=256$ operations to compute $kG$ but $2^{256}$ to attack it. There is only a problem with absurdly small curves with order of maybe up to a few billion or trillion (like in your example).

Wai Ha Lee
jjj
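The gap described in the answer can be measured by counting group operations on both sides. The following is an added example, not part of the original question or answer; it assumes the curve secp256k1 and a constructed toy key of 12345, and the function names are illustrative.

```python
# Added example. Assumptions: curve secp256k1 (y^2 = x^3 + 7 over F_p) and a
# constructed toy key; None stands for the point at infinity.
p = 2**256 - 2**32 - 977
a, b = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):
    """One group operation: point addition, or doubling when P == Q."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P) = point at infinity
    if P == Q:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    return x3, (s * (x1 - x3) - y1) % p

def scalar_mult(k, P):
    """Double-and-add for k >= 1. Returns (kP, group operations used)."""
    R, ops = P, 0
    for bit in bin(k)[3:]:  # bits after the leading 1
        R, ops = add(R, R), ops + 1
        if bit == "1":
            R, ops = add(R, P), ops + 1
    return R, ops

def brute_force(Q, P):
    """The search from the question: add P until Q appears. Returns (k, ops)."""
    R, k = P, 1
    while R != Q:
        R, k = add(R, P), k + 1
    return k, k - 1

if __name__ == "__main__":
    secret = 12345  # constructed toy key, far too small for real use
    Q, ops = scalar_mult(secret, G)
    found, steps = brute_force(Q, G)
    print(f"k={secret}: owner used {ops} operations, search used {steps}")
    _, ops256 = scalar_mult(2**255 + 1, G)
    print(f"256-bit k: owner used {ops256} operations, search needs about k")
```

The owner's cost grows with the bit length of $k$, while the search cost grows with $k$ itself, so each extra key bit adds at most two operations for the owner and doubles the work of the search.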