Author

Topic: How is the base point G chosen for secp256k1? (Read 1074 times)

staff
Activity: 4284
Merit: 8808
The NSA picked it. There is no known way to gimmick the base point.
As far as anyone yet knows our parameters were not selected by "The NSA".  In any case, choice of the generator was discussed extensively. The most we could come up with is that perhaps someone could convince you that a particular pubkey was a 'nothing up my sleeve' pubkey when it really wasn't.
jr. member
Activity: 55
Merit: 2
The NSA picked it. There is no known way to gimmick the base point.

What if the picker of G actually started from a special point G' on the curve that has very small x-coordinates, and pick a random 256-bit number n to arrive at G = n * G'. There's no way to disprove that someone has the knowledge of this secret value "n".

I'm not exactly sure what advantage this secret knowledge has, except the picker could create very short ECDSA signatures (he'll set "k" to the multiplicative inverse of "n" thus "r" will be the x-coordinate of G').
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
The NSA picked it. There is no known way to gimmick the base point.
jr. member
Activity: 55
Merit: 2
I did some research on Google but couldn't find an answer.

So secp256k1 has this seemingly random "base point" G:

G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8

Has anyone wondered why this point is chosen? Is it provably chosen at random, or based on some nothing-up-my-sleeve procedure?

Why not choose a point with a very small (say <10) x-coordinate?

The modular exponential Diffie-Hellman groups for IKE (http://tools.ietf.org/html/rfc3526) always choose the number "2" as the generator. Something similar can be done for ECC too.
Jump to: