Instead, let’s break it down in a way that even your grandma could understand!
So what exactly are these “subgroups” and why do they matter? Well, imagine if you will, an elliptic curve (EC) as a fancy dance floor where the points on the curve represent the dancers. Now, let’s say we want to create a secret code using this EC dance floor. To do that, we need to choose some special points on the curve and assign them specific values these are called “subgroups”.
But here’s the catch: not all subgroups are created equal! Some have orders (the number of points in the group) that make them more secure than others. For example, a subgroup with an order of 18 might seem like it would be pretty strong… but as we’ll soon see, it’s actually quite weak.
Let’s take a look at some real-world examples to help illustrate this concept. First up is the “p1707” curve (which you can find in our downloads folder), where 3 * G’ = _**infinity**_ and the obtained subgroup order is **3**:
# This script is used to demonstrate the weakness of the "p1707" curve by showing that 3 * G' = infinity and the obtained subgroup order is only 3.
# Define the curve "p1707" with the equation y^2 = x^3 + 0x + 7 (mod 17)
curve: "p1707" => y^2 = x^3 + 0x + 7 (mod 17)
# Calculate the points on the curve by multiplying the generator point G' by different values
# Note: G' is the base point on the curve and is used to generate all other points
# 0 * G' = (None, None) => This is the identity point on the curve, represented by "None" for both x and y coordinates
0 * G' = (None, None)
# 1 * G' = (5, 9) => This is the first point on the curve, obtained by multiplying G' by 1
1 * G' = (5, 9)
# 2 * G' = (5, 8) => This is the second point on the curve, obtained by multiplying G' by 2
2 * G' = (5, 8)
# 3 * G' = (None, None) => This is the third point on the curve, obtained by multiplying G' by 3
# However, since 3 * G' = infinity, the coordinates are represented by "None" for both x and y
3 * G' = (None, None)
# 4 * G' = (5, 9) => This is the fourth point on the curve, obtained by multiplying G' by 4
4 * G' = (5, 9)
# 5 * G' = (5, 8) => This is the fifth point on the curve, obtained by multiplying G' by 5
5 * G' = (5, 8)
# 6 * G' = (None, None) => This is the sixth point on the curve, obtained by multiplying G' by 6
# However, since 6 * G' = infinity, the coordinates are represented by "None" for both x and y
6 * G' = (None, None)
# ... => This pattern continues, with every third point on the curve being infinity and the other points repeating in a cycle of (5, 9) and (5, 8)
...
As you can see, the third point in this subgroup is _**infinity**_, which means that it doesn’t actually exist on our dance floor. This might seem like a problem at first glance, but it turns out to be quite useful for cryptography! By using these “pointless” points as part of our secret code, we can make it much harder for anyone to crack.
But here’s the thing: not all subgroups are created equal when it comes to their orders. In fact, some (like the one with an order of 18) might actually be quite weak! This is because they have a relatively small number of points, which makes them easier for attackers to brute-force.
So what’s the solution? Well, as cryptographers, it’s our job to design these EC curves and subgroups in such a way that they are both secure and practical for real-world use cases. And while we might not always get it right on the first try (as evidenced by the “p1707” curve), we can learn from our mistakes and improve over time!
In fact, there’s already a well-established crypto standard called ECC that uses these concepts to provide secure communication for devices like smartphones and laptops. And while it might not be as flashy or exciting as some of the other technologies out there (like quantum computing), it’s definitely worth paying attention to if you care about keeping your data safe!
And while we might not be able to dance like the pros on this fancy EC dance floor, at least we can use our knowledge to keep our secrets safe from prying eyes!