Topic: NSA and ECC - page 6. (Read 48727 times)

An explanation on G would be nice to have, yes.  As for p, someone would need to dig into the implementation of optimized reduction algorithms to explain why t being less than 1024 is helpful.  I've implemented a secp256k1 specific reduction algorithm before (link to source), but it's been awhile and I didn't take the time to intuitively understand exactly which Mersenne-like primes make the method work effectively.  Nor do I understand why they chose the smallest p, and not the largest.  Perhaps that particular p allowed a small (a,b) for the curve?  I recall there being better (less code required) Mersenne-like primes to choose.

Super math geeks, what do you expect? Hopefully the more cryptography enters into the public eye, cryptographers will be more apt to write papers that are digestible by a wider audience. Is it possible to simply avoid getting into the situations described by the paper? Or would doing so effectively reduce the security by the same amount?

Thanks. That's a decent and quite convincing explanation of why they chose B to be 7, though don't you feel like doing someone's else job here by explaining it to us?

I guess we can narrow down our investigation to the G point and the P (since we still don't seem to know what is so great about 1024 aka 2^10).

Well, you put in the work to check p for us, so here's my contribution:

secp256k1_parameter_proof.py

This requires sagemath, and can be executed by running "sage -python secp256k1_parameter_proof.py"  Here is my output:


I built the test to not only show that b = 7 results in the first prime order, given a = 0, but also that a = 0 and b = 7 is the first result when searching all combinations of a and b < 7.  So, if one was looking for a curve, and didn't know about GLV, (0,7) would still be a reasonable choice.

You need a six dimensions math library.

For curves of particular structure there are simple formulas, but the general case is hard. Fancy math packages just have functions to implement fancy techniques.

There is an overview of techniques in section 5 here: http://cdn.intechopen.com/pdfs/29703/InTech-Elliptic_curve_cryptography_and_point_counting_algorithms.pdf

I've seen this paper before.

It's "quite efficient", at least relative to recovering the key the exponential time way by computing the discrete log of the public key, under their assumptions that you've signed messages with either a pair of very small (or large) K values, or a single message with a permitted combination large and small K and signature. The definition of small/large depends which of their cases you're concerned with, but picking one at random, requires (K1 * K2) < (order^(1/2))/6^(3/4).  So e.g. <2^61. The probability of picking a single 256 bit K less than 2^61 is 1e-59. So the probability is negligible even if you sign many times (and I think there were additional constraints as well— it certainly would have been nice if the authors had given concrete figures rather than requiring the readers to fuddle through the math themselves…). (Though I suppose if you want to be extra paranoid you can use this kind of thing as yet another argument for not reusing keys, at if we didn't already have enough). (And even in this case, it's not clear to me that the solution is actually tractable, just exponentially better than the DLP solving way)

Ahh, thanks, missed that one.

Right - that should do

I'm just going blind here, trying to find a hole, though still hoping that there isn't any.

Maybe this needs its own thread, but there are a lot of crypto-smart people in this thread who will see it and it needs some discussion I think:

"Some Lattice Attacks on DSA and ECDSA" http://eprint.iacr.org/2009/363.pdf

Abstract: In this paper, using the LLL reduction method and computing the
integral points of two classes of conics, we develop attacks on DSA and
ECDSA in case where the secret and the ephemeral key and their modular
inverse are quite small or quite large.


I wasn't able to find any papers or discussion referencing it. The authors conclude that the attacks can be "quite efficient".

I can answer the question about the prime numbers.  If you set the certainty high enough you can be certain.  For example above in this thread the call test.isProbablePrime(1024) is made.  This is asking to test if the number is prime within a certainty of 1 - 0.5¹⁰²⁴

When I try to calculate this number on my calculator I get 1.00

So pretty darn certain.

0.5¹⁰²⁴ = 5.562684646268e-309

pardon me the lame question, but what is the actual formula to calculate the order (N), from the A & B?
can I calc it myself, using a python shell, or do I need a six dimensions math library?

moreover, from what I understand, it isn't really possible to check whether 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 is a real prime number, is it?
AFAIK, the algos we know only allow us to check whether such a big numbers are prime with a certain probability, but we can never be totally sure about their primness, since checking for that would have taken ages - right?

ask and you shall...

It is technically the smallest prime, since it is the largest t (and t is subtracted).

I don't know where 1024 comes from.  Maybe there is something in the internals of large multipliers. 

The 2^32 is presumably linked to 32 bit words in the multipliers.


That is past my expertise, but a check should be made that b < 7 wouldn't have given a prime order.

Thanks for explaining.

I am not going to pretend that I am working on this stuff in detail, since honestly I have no freaking idea what all these XY vs XYZ calculations do, nor I'd dare to question your expertise in this field.
But still I didn't get it, from your explanation, why it is 1024 and not e.g. 512 or 2048?

Not really, the reasons here are well understood by anyone working on this stuff in detail.

The number is a generalized mersenne prime. The reason for this is that our we are doing calculations in this field so when we multiply we must take the result mod p where p is the size of the field. If p is a freely chosen prime to compute the mod we must divide which is hideously complex. Instead, if P has special form, we can break the larger value at the word level into small fragments and compute the mod p as some sum of them with negations. The performance impact is enormous.

This is just an extension of how it's easier to compute x%16, which can be computed as x&15, then it is to compute x%13.

The reason to use largest prime is just to have the largest field size for one admitting the optimization.

The same reasonable sounding criteria has been used to select primes for many different curves, so it's unlikely that a bad prime was selected and then a complicated explanation was found. The explanation gives a real performance improvement, makes sense, and then was used many times to pick many numbers.

Likewise the efficient endomorphism selection of the a and curve formula permits using the GLV method to speed up point multiplies. This optimization is used by Pieter's libsecp256k1 to make ECDSA verification on x86_64 something like 6x faster than OpenSSL for our curve.

Maybe it turns out that these selections for performance also turn out to select for some weakness. No one knows what unknown math will bring. But the performance benefits are not small, so you don't have to hypothize some rigged process to explain this stuff. (And certainly ECDSA performance is very important to our applications.)  As a side effect, this eliminates all random parameters, save the generator. So thats a great relief for anyone concerned that our parameters were mysterious and could have been rigged via non-public selection.

I have no blinking idea where the generator comes from, but also can't come up with _any_ way it could be an attack even if I assume that our curve has a weakness of every form which I've heard of for discrete log on an abelian variety. The generator is generally irrelevant. You might be able to pick one which permits faster multiplication under some specific multiplication scheme, but I asked Pieter about that and he seemed to believe that it would take a exponentially hard search, so was unlikely to be very useful... I've only bothered expending time thinking about it because I can't figure out why, due to the irrelevance of its specific value, they didn't pick one with a more compact binary representation, and because its the only parameter thats unexplained though it is the only one which there is no real reason to care about.

This isn't to say that the curve selection couldn't be better: Ed25519 is still somewhat faster than Pieter's code. Our parameters pick a curve who's quadratic twist is not of prime order, which means that some optimizations (e.g. the ones used in Ed25519) are not available, and it also means that a single bit error during a multiply (e.g. for doing ECDH) could basically leak the private key. (Basically an off by one in the x coordinate instead gives a value on the twist, and because the twist's order is factorable, the discrete log problem can be solved on it with complexity related to its largest factor, which is only about 2^50). But the ideas behind making curves for high performance which are better in these respects all came after these parameters were selected.

What?

There is no true random. Only exponential.

With regard to the selection of a and b, from Dan:

I did not know the answer to Dan's question so I asked gmaxwell and he responded to Dan, through me, with:

Therefore we know that a=0 on purpose and b=7 is the smallest value that works given a=0.

Explained - yes.
Justified - no. At least not according to my understanding of what "science" is.

To be more specific:

But why 1024? What does 1024 have to do with the EC math?
Why the largest prime for t<1024, not e.g. the smallest prime for t>1024?
This explanation, instead of answering questions, only creates more.

I'd like to know "the specifics" though.
For you they aren't suspicious because they are small - but maybe B is suspicious exactly because it is small? Or maybe it is suspicious because it leads to a specific N that is suspicious...

Don't get me wrong - it's not that I believe in B being suspicious, but before we know exactly why it is 7, we cannot exclude any possibility, can we?


If you believe that the curve is not weak to any attacks, then what are you doing in this topic? In such case it should not concern you.

But if you believe that the curve might be weak to some attacks that are not publicly known, though they are known to someone, then the statements you are making are kind of weird, since whether such weaknesses exist is exactly what we are trying to figure out here, while you are throwing your "no worries" conclusion on us.

If there is a weakness that depends on the constants (which is the thesis from the OP), the best way to find it goes through questioning the values.

They've already been explained in this thread.  In summary:

The first constant we care about is p; TierNolan already explained that one.  It's the largestsmallest prime that satisfies: p = 2^256 - 2^32 - t where t < 1024

From that we can explain b.  If we're searching for the smallest combination of a and b that results in a prime order elliptic curve, a = 0 and b = 7 is the first one.  I don't know the specifics on why a and b should be small (probably GLV optimization), but they aren't suspicious regardless.

N is just the order of the elliptic curve; no explanation needed.

The last piece of the puzzle is the choice for G.  Since the order of the elliptic curve is prime, we can pick any point on the curve (except infinity), and get a group with the same order (i.e. there are no subgroups).  Why SECG picked the particular G they did is unexplained.  However, there is no reason to believe any G is weaker or stronger than any other G (against a compliant ECDSA verifier).  I would guess that either G is totally random, or it has sentimental meaning to the author(s).

Since the curve is not weak to any publicly known attacks, and the constants are not suspicious, then what else are we looking for with regards to secp256k1?

Thanks Burt for digging into it.

I don't know about others, but personally I only care about SECP256k1, and specifically about these five constants:

How the above values were chosen/calculated/generated?
What process a person shall follow to get to the same values?

If we know the process of calculating these values, I guess we should be able to draw our own conclusions on whether it was an honest one, or rather a backdoor driven.
B and N were rather chosen intentionally not randomly - but also here I would like to hear a fair explanation (a scientific justification) on why this values and not some others.