So adding -1G to x would subtract 1G from it if x is in +n, and adding -1G to x should add 1G to it if x is -n?
Or adding 1G to -x will subtract 1G from +x, and adding 1G to +x will subtract 1G from -x.
Isn't that the correct method to find out which x coordinate is -n or +n?
Topic: 🖤 (Read 248 times)
but we are not talking about +-N 
we are talking about weakness .
do you know secq256k1? (not secp256k1) and their parameters? check it out and think...
Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True
run in on https://sagecell.sagemath.org/
I checked that out and thought about it for a few minutes, I found it not interesting, other coins copy pasted bitcoin's curve with a bit of modification, what is special about it?we are talking about weakness .
do you know secq256k1? (not secp256k1) and their parameters?
check it out and think...Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True
run in on https://sagecell.sagemath.org/
Code:
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
q = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
# Secp256k1
P = GF(p)
aP = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bP = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secp256k1 = EllipticCurve(P, (aP, bP))
Secp256k1.set_order(q)
# Secq256k1
Q = GF(q)
aQ = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bQ = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secq256k1 = EllipticCurve(Q, (aQ, bQ))
Secq256k1.set_order(p)
print(
"Secp256k1 group order == Secq256k1 base field order:",
Secp256k1.order() == Secq256k1.base_field().cardinality()
)
print(
"Secp256k1 base field order == Secq256k1 group order:",
Secp256k1.base_field().cardinality() == Secq256k1.order()
)
q = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
# Secp256k1
P = GF(p)
aP = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bP = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secp256k1 = EllipticCurve(P, (aP, bP))
Secp256k1.set_order(q)
# Secq256k1
Q = GF(q)
aQ = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bQ = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secq256k1 = EllipticCurve(Q, (aQ, bQ))
Secq256k1.set_order(p)
print(
"Secp256k1 group order == Secq256k1 base field order:",
Secp256k1.order() == Secq256k1.base_field().cardinality()
)
print(
"Secp256k1 base field order == Secq256k1 group order:",
Secp256k1.base_field().cardinality() == Secq256k1.order()
)
As I said earlier, the one and only "weakness" of secp256k1 is the old known DLP, it's been there ever since the big bang! If you or anyone else like to worry for no reason, then good luck with it.
Imagine you have selected 1 atom inside of a planet in a galaxy billions of years apart from earth and deposited your bitcoins on it, and now you are worried someone might go there and grab that 1 atom! I'd better fire up my antimatter fueled spaceship to go after it.😂
So adding -1G to x would subtract 1G from it if x is in +n, and adding -1G to x should add 1G to it if x is -n?
Or adding 1G to -x will subtract 1G from +x, and adding 1G to +x will subtract 1G from -x.
Isn't that the correct method to find out which x coordinate is -n or +n?
Or adding 1G to -x will subtract 1G from +x, and adding 1G to +x will subtract 1G from -x.
Isn't that the correct method to find out which x coordinate is -n or +n?
no there is no way calaculate or correcting method for solving which x coordinate is -n or +n.
maybe only BSGS -> but you have 2**128 possibilities to verified.
but we are not talking about +-N
we are talking about weakness .
do you know secq256k1? (not secp256k1) and their parameters? check it out and think...
Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True
run in on https://sagecell.sagemath.org/
we are talking about weakness .
do you know secq256k1? (not secp256k1) and their parameters?
check it out and think...Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True
run in on https://sagecell.sagemath.org/
Code:
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
q = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
# Secp256k1
P = GF(p)
aP = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bP = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secp256k1 = EllipticCurve(P, (aP, bP))
Secp256k1.set_order(q)
# Secq256k1
Q = GF(q)
aQ = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bQ = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secq256k1 = EllipticCurve(Q, (aQ, bQ))
Secq256k1.set_order(p)
print(
"Secp256k1 group order == Secq256k1 base field order:",
Secp256k1.order() == Secq256k1.base_field().cardinality()
)
print(
"Secp256k1 base field order == Secq256k1 group order:",
Secp256k1.base_field().cardinality() == Secq256k1.order()
)
and what is a order of this point ? looks like order of point is mach less then curve order
ps not need talk what order of poiint = order of curve this is not throwcouse if add point with smaler order to point with bigger order result will be less then order of point with big order
Firstly: all weaknesses of the secp256k1 curve should be made public. If there are undisclosed information, it means that secp256k1 is being used against us.
Secondly, the hidden actual control over Bitcoin poses a threat to our funds. It's better to know than not to know.
I will compare it to stock market actions.
If a company's CEO knows that his company will fail, he conceals the information, people buy stocks, and they lose their life savings.
I believe that there should be a separate section on Bitcointalk for Bitcoin vulnerabilities, where all algorithms, solutions, and weaknesses of secp256k1 are disclosed and made available to everyone, not just a select few. From what I know, the biggest thieves are mathematicians and scientists.
I disagree, since elliptic curve is just based on math and nothing more, there are already weaknesses such as DLP, there are other methods which are unknown to the public, the whole point of studying EC is to find out whether these weaknesses are easily exploitable or not.Secondly, the hidden actual control over Bitcoin poses a threat to our funds. It's better to know than not to know.
I will compare it to stock market actions.
If a company's CEO knows that his company will fail, he conceals the information, people buy stocks, and they lose their life savings.
I believe that there should be a separate section on Bitcointalk for Bitcoin vulnerabilities, where all algorithms, solutions, and weaknesses of secp256k1 are disclosed and made available to everyone, not just a select few. From what I know, the biggest thieves are mathematicians and scientists.
If you are worried about your funds, if anyone, as long as your funds are in a key with no exposed public key, you can relax for the next billion years, the only weakness I have found is DLP, which is not something new.
Imagine, having a dedicated board here to discuss vulnerabilities of secp256k1 curve! It would be like having a dedicated forum for all the hackers and looters to make their work easy for them.🤣
In my opinion, if there is no way to find out which X coordinate is -N or not, then we have no concern.
A hint, there is no way to find out.
@pooya87:
Am I offending you? I don't understand why you're saying that the scripts are stupid. Of course, everything in mathematics is manipulation. Searching for formulas based on appropriate assumptions. No one has said and will say that you can break the secp256k1 curve because there's nothing to break. Perhaps sha256, everything is transparent, the signature formula is transparent, there are no backdoors, but there is poor algorithm implementation by so-called developers. If my script works, what's the problem? There are plenty of bad transactions on the network that can be used to break a specific private key. So please don't insult others.
I have been studying the secp256k1 for the past 2 months, and tried at least 40-50 methods to figure out which one could be used to crack the target k by hand, not using automated existing tools.
Experts and mathematicians have been trying to crack elliptic curve cryptography ever since 1985 and they only have a handful of methods and haven't been able to make any meaningful progress. But good luck to you...other coins copy pasted bitcoin's curve with a bit of modification, what is special about it?
Actually other coins that copy the ECC part of bitcoin, are creating an exact copy without any modification. The changes they make is elsewhere like the address encoding and PoW (eg. LTC, Doge, ETH) or they just replace the curve itself (eg. NIST P-256 in NEO).What @ecdsa123 is doing has nothing to do with other coins though, they are just pointlessly manipulating the basics of the math behind the algorithm to sell a silly script to anybody who falls for it.
Without to be paranoiac, I think that finding a weakness on ECC such secp256k1 and stay anonymous in a "safe place" is near impossible in this hyper-connected world
After this discover, billions of dollars will be instantly at the fingertips of the researcher(s) and at the friends well informed (notice that the most probable issue is that the price of bitcoin will drop to zero).
NSA, Armed forces, governments,research consortium,mathematicians, big tech societies, will deploy all possible technicals and humans resources to obtain the study (and not only the legals ways
). just to insure that if secp256k1 is broken or partially broken means that the others curves (like the very close secp256r1 widely used) aren't compromised too.Today every secures communications (website certificate, https, banks,stock exchange, cryptocurrencies, army, administration... on internet use ECC.And a lot of our economy is based on the security of the communications.
The cake is simply too big...
When we talk about bitcoin, it would be a bad idea to publicly announce the weakness because it is open source and fixing it would be nearly impossible, publishing weaknesses about other curves, well that would just notify everyone in the world that there is a weakness, that would be a good thing.
Besides DLP already has a solution called kangaroo, I am trying to understand how it works because I never finished high school, therefore I don't understand the symbols, signs, mathematic terms used in the algorithm, lol.
Ps, militaries and governments use private curves with parameters unknown to the public, internet communications also work through hash functions, cryptocurrencies are the only targets of exploit if there is a weakness in their used curves.
~dig, the EC "researcher".
but we are not talking about +-N
we are talking about weakness .
do you know secq256k1? (not secp256k1) and their parameters? check it out and think...
Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True
run in on https://sagecell.sagemath.org/
we are talking about weakness .
do you know secq256k1? (not secp256k1) and their parameters?
check it out and think...Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True
run in on https://sagecell.sagemath.org/
Code:
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
q = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
# Secp256k1
P = GF(p)
aP = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bP = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secp256k1 = EllipticCurve(P, (aP, bP))
Secp256k1.set_order(q)
# Secq256k1
Q = GF(q)
aQ = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bQ = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secq256k1 = EllipticCurve(Q, (aQ, bQ))
Secq256k1.set_order(p)
print(
"Secp256k1 group order == Secq256k1 base field order:",
Secp256k1.order() == Secq256k1.base_field().cardinality()
)
print(
"Secp256k1 base field order == Secq256k1 group order:",
Secp256k1.base_field().cardinality() == Secq256k1.order()
)
Firstly: all weaknesses of the secp256k1 curve should be made public. If there are undisclosed information, it means that secp256k1 is being used against us.
Secondly, the hidden actual control over Bitcoin poses a threat to our funds. It's better to know than not to know.
I will compare it to stock market actions.
If a company's CEO knows that his company will fail, he conceals the information, people buy stocks, and they lose their life savings.
I believe that there should be a separate section on Bitcointalk for Bitcoin vulnerabilities, where all algorithms, solutions, and weaknesses of secp256k1 are disclosed and made available to everyone, not just a select few. From what I know, the biggest thieves are mathematicians and scientists.
Secondly, the hidden actual control over Bitcoin poses a threat to our funds. It's better to know than not to know.
I will compare it to stock market actions.
If a company's CEO knows that his company will fail, he conceals the information, people buy stocks, and they lose their life savings.
I believe that there should be a separate section on Bitcointalk for Bitcoin vulnerabilities, where all algorithms, solutions, and weaknesses of secp256k1 are disclosed and made available to everyone, not just a select few. From what I know, the biggest thieves are mathematicians and scientists.
Hi there again with more trouble and questions, I'd appreciate the time you'd spend to respond.
Is it possible to determine which X coordinate of our k is -N or is -k inverse without obviously looking at the k ?
Is it possible to determine which X coordinate of our k is -N or is -k inverse without obviously looking at the k ?
No there is no knowed way to guess any information of private key (your k) with any information of public key (your X coordinate), even little.
Every actual attack (Lattice Attack etc...) oblige the attacker to know a part of the private part. and it is not an attack on the elliptic curve cryptography itself but on bad way to use signature.
ECC (and every asymmetric cryptography like RSA) is based on the assumption that the derivation of a private key in a public key "seems" perfectly randomly distributed.
Just for fun i tried a lot a cryptanalysis technical (statistics on huge amount of keys, pattern identification, deep learning ...) to find a bias in the distribution of key and believe me :
secp256k1 (curve used by bitcoin) seems really safe
I have been studying the secp256k1 for the past 2 months, and tried at least 40-50 methods to figure out which one could be used to crack the target k by hand, not using automated existing tools.
What actually is bothering me is a lack of a safe environment to publish study results without worrying about other people exploiting them! Though I'm in the learning phase, no breakthroughs yet!😉
Well, I'm not interested in signatures and related stuff, the entire elliptic curve system revolves around public keys, so that is the only entry point for me to try all I got and find the best solution. "If there are no known method to correctly guess the position of any X coordinate of k, then finding a way should be a goal.
I have been studying the secp256k1 for the past 2 months, and tried at least 40-50 methods to figure out which one could be used to crack the target k by hand, not using automated existing tools.
What actually is bothering me is a lack of a safe environment to publish study results without worrying about other people exploiting them! Though I'm in the learning phase, no breakthroughs yet!😉
Without to be paranoiac, I think that finding a weakness on ECC such secp256k1 and stay anonymous in a "safe place" is near impossible in this hyper-connected world
After this discover, billions of dollars will be instantly at the fingertips of the researcher(s) and at the friends well informed (notice that the most probable issue is that the price of bitcoin will drop to zero).
NSA, Armed forces, governments,research consortium,mathematicians, big tech societies, will deploy all possible technicals and humans resources to obtain the study (and not only the legals ways
). just to insure that if secp256k1 is broken or partially broken means that the others curves (like the very close secp256r1 widely used) aren't compromised too.Today every secures communications (website certificate, https, banks,stock exchange, cryptocurrencies, army, administration... on internet use ECC.And a lot of our economy is based on the security of the communications.
The cake is simply too big...
Hi there again with more trouble and questions, I'd appreciate the time you'd spend to respond.
Is it possible to determine which X coordinate of our k is -N or is -k inverse without obviously looking at the k ?
Is it possible to determine which X coordinate of our k is -N or is -k inverse without obviously looking at the k ?
No there is no knowed way to guess any information of private key (your k) with any information of public key (your X coordinate), even little.
Every actual attack (Lattice Attack etc...) oblige the attacker to know a part of the private part. and it is not an attack on the elliptic curve cryptography itself but on bad way to use signature.
ECC (and every asymmetric cryptography like RSA) is based on the assumption that the derivation of a private key in a public key "seems" perfectly randomly distributed.
Just for fun i tried a lot a cryptanalysis technical (statistics on huge amount of keys, pattern identification, deep learning ...) to find a bias in the distribution of key and believe me :
secp256k1 (curve used by bitcoin) seems really safe
No, if you have a signature, you have only r-value. You don't know upfront if it is public key with "02" or "03" prefix. Also, you don't know if k-value is in upper or lower half (you don't know that for any public key, because it is always relative to the base point). But currently, if you want to make a standard transaction, then s-value of your signature has to be in a lower half, and then, based on the whole signature, you can check if it has "02" or "03" prefix for R-value.
Jump to: