
From a Rubber Ball to Secure Transactions: A Fun Guide to Understanding Elliptic Curve Cryptography

A visual journey through the magic of ECC

What’s all this hype about Curves?

Elliptic Curve Cryptography (ECC) is one of the most powerful but least understood types of cryptography in wide use today. This guide aims to change that “least understood” part - and no, there’s no math involved!

As the name suggests, ECC is based on the mathematics of elliptic curves. And when I say it’s in “wide use”, I ain’t lying. ECC is used to secure everything from data centers to your 'https' connection.

It is also called "future-proof" cryptography. Unlike its predecessors (RSA, DH, etc.), ECC will be tough to break even if computing becomes way more advanced. Here's a refresher on how RSA works:

The RSA algorithm uses modular arithmetic to create two keys for the same lock: a public key and a private key. ECC does the same, but it uses a more advanced and secure form of modular maths (I will explain in a minute). Plus, the “size” of the key is much smaller in ECC than in RSA.

This is important because data storage & processing are expensive. For any cryptography solution to reach mass adoption, it needs to be inexpensive to deploy.

To match the level of security that a 256-bit key provides in ECC, RSA needs a 3072-bit key. Government agencies around the world use a 384-bit key to secure their top-level secrets. For the same level of security, RSA would need to generate a 7680-bit key.

What happens when you throw a rubber ball at a curved wall?

Imagine Alice and Bob are playing this game. There’s a curved wall in the room (see image) and a rubber ball at a point P on the wall.

The rules of the game are as follows:

  • The rubber ball can be pushed in any direction

  • Whenever it hits the wall, it will magically reappear on the vertically opposite end of the curve, and stay there until it’s pushed again

  • After being pushed n times, wherever the ball stops, that point will be equal to (n+1)P (This is a characteristic of the maths behind the elliptic curve). For example, the stopping point after the 1st push = 2P, after the 2nd push = 3P, and so on

To begin the game, Alice places the ball at a starting point P on the wall, and then, Bob wears a blindfold. Alice pushes the ball in a straight line toward Q. The rule is that whenever it hits a wall, it rebounds and emerges on the opposite side. So as soon as it hits Q, it will re-emerge on the opposite end, R, as shown below:

R = 2P

Then, Alice can choose to push it again in any direction, any number of times. After a certain number of pushes (n), Alice stops the ball.

Bob then removes his blindfold and sees the following:

To win the game, Bob has to correctly predict the total number of times the ball bounced off the walls before finally landing at T.

What do you think, reader: how will he do it?

He can try to place the ball at P again and throw it around to see if it lands at T. But this process is so random that it could take years and he still might not get to T. Starting from point P, the ball could've gone in any number of directions before ending at T. And that is the magic behind ECC!

Being able to generate a very large number of unique points on the curve is one of the key advantages of ECC. This allows for a high level of security, as it makes it difficult for hackers to predict or crack the encryption.

  • Starting point P is called the generator 

  • Endpoint T is the public key

  • The number of times the ball bounced around the wall (n) is the private key

As long as the ball bounces around a sufficiently large number of times, there's no way for anyone to find the private key using only the public key. Now if Bob wants to send a message to Alice, he can simply use her public key (T) to encrypt the message. Alice can then decrypt it using her private key (n).
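The game above, worked through in code as an added example that is not part of the original post: it uses the standard convention T = nP for the public key, and the toy curve y² = x³ + 2x + 2 over GF(17), the generator (5, 1) and the private key 13 are constructed values chosen so the numbers stay readable. On a curve this small Bob's guessing succeeds instantly; real curves have roughly 2^256 points, which is what makes the same walk infeasible.

```python
# Toy curve y^2 = x^3 + 2x + 2 over GF(17). Textbook-sized, NOT secure.
P_MOD, A = 17, 2
G = (5, 1)     # generator ("starting point P" in the game); its order is 19
INF = None     # point at infinity, the identity element of the group

def add(p, q):
    """Add two curve points (one 'bounce' in the game)."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p + (-p) = infinity
    if p == q:                                       # tangent slope (doubling)
        s = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:                                            # chord slope (addition)
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    s %= P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def mul(n, p):
    """Double-and-add: Alice computes n*p in about log2(n) steps."""
    result = INF
    while n:
        if n & 1:
            result = add(result, p)
        p = add(p, p)
        n >>= 1
    return result

def brute_force(target, g=G):
    """Bob's strategy: walk g, 2g, 3g, ... until the target is reached."""
    point, n = g, 1
    while point != target:
        point, n = add(point, g), n + 1
    return n

if __name__ == "__main__":
    private_key = 13                                 # constructed sample value
    public_key = mul(private_key, G)
    print("public key T =", public_key)
    print("recovered n  =", brute_force(public_key))
```

Alice's `mul` needs a number of steps proportional to the bit length of n, while Bob's `brute_force` needs up to n steps, and that gap is the one-way property the ball game illustrates.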

Final thoughts

The maths behind ECC is slightly complex, but it is basically an algorithmic version of the concept I described above. Some of you might be asking: "So is this it? Have we reached the pinnacle of cryptography?"

Close, but not exactly.

ECC is vulnerable to something called "side-channel attacks", but that is a topic for another day. Still, ECC remains an extremely secure method that can be performed much more quickly and with less computational power than traditional encryption methods.

I hope this post made ECC easier to understand for you.