Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1 (Read 369 times)

DevilOper
member
Activity: 280
Merit: 26
Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1
April 27, 2018, 11:39:36 AM
#7
Quote from: Coin-1 on April 26, 2018, 09:02:37 PM
Yes, the Secp256k1 has a 128 bit strength, but I guess that it is not concerned to the reference you mentioned. Both of these elliptic curves has a 256 bit private key, but the attacker just can use the best known attacks that require around 2^128 work, such a way solve the elliptic curve discrete logarithm problem and then calculate the 256 bit private key from the public key which is the 256 bit X and 256 bit Y coordinates of the EC point.
Well, literally solving the DLP of course is not the same as a collisin finding but since there is no (yet known?) plain formula for it, and all known algorithms (Pollard's rho method, etc.) merely reduce the full-range brute force search to virtually the same kind of task as mentioned.
Quote
Thus, it seems that the elliptic curve Secp256k1 has no any advantage in comparing to the Curve25519. That is a Montgomery curve, it fits all security requirements and is much faster. I think that here is no any sane reason to use the Secp256k1 instead of the Curve25519 for the key agreement protocol Diffie-Hellman.
Neither [perceptible] disadvantage. In my opinion, it's just a matter of personal preference.

Unlike the DH key exchange for ECC. In fact, as I mentioned in my first reply, multiplying Alice's Public Key (a Point) by Bob's Private Key (scalar) means exactly the same as two EC points addition: Alice's and Bob's Public Keys. Thus, it is totally vulnerable to MITM attack.
Coin-1
legendary
Activity: 2422
Merit: 2166
Re: Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1
April 26, 2018, 09:02:37 PM
#6
Quote from: DevilOper on April 23, 2018, 07:02:45 PM
Nope, it's the same 128 bit collision resistance as above.
Yes, the Secp256k1 has a 128 bit strength, but I guess that it is not concerned to the reference you mentioned. Both of these elliptic curves has a 256 bit private key, but the attacker just can use the best known attacks that require around 2^128 work, such a way solve the elliptic curve discrete logarithm problem and then calculate the 256 bit private key from the public key which is the 256 bit X and 256 bit Y coordinates of the EC point.

Thus, it seems that the elliptic curve Secp256k1 has no any advantage in comparing to the Curve25519. That is a Montgomery curve, it fits all security requirements and is much faster. I think that here is no any sane reason to use the Secp256k1 instead of the Curve25519 for the key agreement protocol Diffie-Hellman.

Quote from: Anti-Cen on April 25, 2018, 02:57:38 PM
I just about get the ECPOINT and use secp256 myself but this Curve25519 sounds even better so would you work with me so that I can put a wrappers
around it so that I can give it a go please.
Curve25519 is a well known free elliptic curve. As far as I know, this curve is used by the secure messenger Tox, the crypto currency ZCash and many other projects. You can download the source code and see how the Curve25519 is implemented there.
Anti-Cen
member
Activity: 210
Merit: 26
High fees = low BTC price
Re: Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1
April 25, 2018, 02:57:38 PM
#5
Quote from: Coin-1 on April 23, 2018, 06:02:59 PM
The Curve25519 offers 128 bits of security and designed especially for use with ECDH. It is one of the fastest elliptic curves, fits all security requirements and is not covered by any known patents. The Secp256k1 has some weaknesses and is more slow, but it offers 256 bits of security. Which of the elliptic curves is more secure for using with Diffie–Hellman key agreement protocol: Curve25519 or Bitcoin's secp256k1?

I just about get the ECPOINT and use secp256 myself but this Curve25519 sounds even better so would you work with me so that I can put a wrappers
around it so that I can give it a go please.

if you can knock up some code in say C++ or skin out the maths and flow then maybe I can use it.
DevilOper
member
Activity: 280
Merit: 26
Re: Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1
April 23, 2018, 07:02:45 PM
#4
Quote from: Coin-1 on April 23, 2018, 06:02:59 PM
The LADDER is a computing the curve point nP given an integer n and a curve point P. This is a bottleneck in Diffie–Hellman: n is Alice's secret key, P is Bob's public key, some hash of nP is the secret key shared between Alice and Bob.
Nope (Actually I do not see any correlation of all you just wrote down with the [Montgomery] ladder).
Ladder security requirement under the given link context is about constant-time scalar multiplication method known as Montgomery ladder (or non-costant in case of secp256k1).
As I said, there are some other constant-time algorithms especially designed for secp256k1.
Quote
The Curve25519 offers 128 bits of security and designed especially for use with ECDH.
128 bit collision resistance is a result of the well-known probability theory birthday paradox and has nothing to do with all those requirements.
Quote
It is one of the fastest elliptic curves
And basically that's it.
Since there is no known [common] attack method other then brute force - faster in practice means weaker.
Quote
The Secp256k1 ... offers 256 bits of security
Nope, it's the same 128 bit collision resistance as above.
Quote
Which of the elliptic curves is more secure for using with Diffie–Hellman key agreement protocol: Curve25519 or Bitcoin's secp256k1?
As of today, either.
Coin-1
legendary
Activity: 2422
Merit: 2166
Re: Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1
April 23, 2018, 06:02:59 PM
#3
Quote from: DevilOper on April 23, 2018, 05:49:19 AM
Depends on what is enough.
Apparently, it is secure unless practically proven otherwise.
Not fitting the requirements does not essentially mean a security breach, it means a weakness, so the question is how feasible is to exploit it. For instance, the ladder is basically considerable for side-channel attacks but there are some other algorithms for preventing it.
The LADDER is a computing the curve point nP given an integer n and a curve point P. This is a bottleneck in Diffie–Hellman: n is Alice's secret key, P is Bob's public key, some hash of nP is the secret key shared between Alice and Bob.

The Curve25519 offers 128 bits of security and designed especially for use with ECDH. It is one of the fastest elliptic curves, fits all security requirements and is not covered by any known patents. The Secp256k1 has some weaknesses and is more slow, but it offers 256 bits of security. Which of the elliptic curves is more secure for using with Diffie–Hellman key agreement protocol: Curve25519 or Bitcoin's secp256k1?
DevilOper
member
Activity: 280
Merit: 26
Re: Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1
April 23, 2018, 05:49:19 AM
#2
Quote from: Coin-1 on April 22, 2018, 03:10:33 PM
the private key of the first person multiplied by the public key of the second person is equal to the private key of the second person multiplied by the public key of the first person
In other words, it's just a result of two EC poits (PubKey A and PubKey B) addition.
Quote
Bitcoin's elliptic curve Secp256k1 doesn't support the DISC parameter of ECDLP security, the LADDER, the COMPLETE and the IND parameters of ECC security. Are these requirements important for ECDH? Is the key agreement protocol Diffie-Hellman using Bitcoin's elliptic curve Secp256k1 enough secure?
Depends on what is enough.
Apparently, it is secure unless practically proven otherwise.
Not fitting the requirements does not essentially mean a security breach, it means a weakness, so the question is how feasible is to exploit it. For instance, the ladder is basically considerable for side-channel attacks but there are some other algorithms for preventing it.
Coin-1
legendary
Activity: 2422
Merit: 2166
Re: Key agreement protocol Diffie-Hellman using Bitcoin's secp256k1
April 22, 2018, 03:10:33 PM
#1
Elliptic curve Diffie–Hellman is a key agreement protocol. The idea of ECDH is based on that the domain parameter G is predefined before the generating a key pair, therefore two persons can establish a shared secret using the following equation:

the private key of the first person multiplied by the public key of the second person is equal to the private key of the second person multiplied by the public key of the first person

The shared secret is the X coordinate of the computed point which can be hashed and used as a password of the symmetric key cipher.


The mostly common elliptic curve used in ECDH is the Curve25519. It supports all basic parameter requirements, all ECDLP security requirements and all ECC security requirements beyond ECDLP security.

Bitcoin's elliptic curve Secp256k1 doesn't support the DISC parameter of ECDLP security, the LADDER, the COMPLETE and the IND parameters of ECC security. Are these requirements important for ECDH? Is the key agreement protocol Diffie-Hellman using Bitcoin's elliptic curve Secp256k1 enough secure?
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: