Pages:
Author

Topic: NSA and ECC - page 8. (Read 48818 times)

legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 18, 2013, 02:46:32 PM
#85
This is the reply I got form Dan Brown the current SECG chair:

Quote
Hi Burt,

Rob forwarded your email to me.

I am the current SECG chair, so I will try to provide a partial answer. I did not know that BitCoin is using secp256k1.  Indeed, I am surprised to see anybody use secp256k1 instead of secp256r1.  With my SECG chair hat on, I am pleased because this curve is a pure SECG curve, not a NIST curve (but see * below).

Minor aside: SECG updated SEC2 in 2010.  The curve secp256k1 is now in Section 2.4, which is smaller because SECG removed the very small curves.

I was not involved in the parameter selection for secp256k1, and may not have even been a Certicom employee at the time of secp256k1 parameter selection.  I am going to assume that you are mainly concerned about a potential backdoor, given the coincidence of your query with certain news coverage.  I will attempt to address this concern mainly by looking directly SEC2 document and parameters.

1. The defining Weierstrass coefficients (a,b) of the curve are (0,7).  The SEC2 document says, in Section 2.1, “The recommended parameters associated with a Koblitz curve were chosen by repeatedly selecting parameters admitting an efficiently computable endomorphism until a prime order curve was found”.  Furthermore, I see that the small values 0 and 7 are certainly nothing-up-my-sleeve values.  More precisely, they cannot be the result of a malicious exhaustive search of curve selection until the curve lands in a weak class.  So, the only risk is that the special class, with small coefficient and efficient endomorphism is somehow weak.  I am not aware of any such weakness. Indeed, I highly doubt such a weakness, at least in the ECDLP: it would constitute a major breakthrough in ECDLP.  Also, some ECC theorists have established the equivalence ECDLP between curves of the same order, via something called isogenies.  I am not expert in that area, but it may imply that mere fact that the curve coefficients are small is insufficient to constitute a weak class of ECDLP.

2. The defining field size p seems to be a 256-bit prime of the special form 2^256-s where s is small.  This form is for efficiency.  I am not sure why this particular value of s is chosen, because I expect that smaller s could be found.  Nevertheless, there does not seem to be too much wiggle room in this choice of s, because s itself also has a special form: s = 2^32 + t, where t < 1024.  I would not be surprised if s was the smallest value of this form, but I did not check.  In any case, there are no known weak classes of prime order field for elliptic curves. 

3. The base point G is something I cannot explain, but the general understanding, at the time and still now, is that the base point G cannot contain a backdoor in the main problem underlying ECC, namely ECDLP and ECDHP. Indeed, random self-reducibility applies to prove that the choice of G is irrelevant for most versions of these problems.  Some cryptographic schemes, including ECDSA, seem to depend mildly on some other problems, in which the choice of G may be more relevant.    In particular, the ECDSA verification of a signature (r,s) includes a check that r is not zero.  If this check is dropped, then there is a possibility that party who chose G can have chosen G in such that to make some signature (0,s) valid for a particular message m.  (For details and examples, see my chapter in Advances in Cryptology II, or my paper “Generic Groups, Collisiion Resistance, and ECDSA”, or my IACR eprint “The One-Up Problem for ECDSA”.)   I strongly doubt that G is malicious, because these properties were not widely known at the time, and the adversary seems to have little to gain, the verifier has to be faulty.

4. Rob Lambert and John Goyo were present at the time Certicom generated the secp256k1 parameters, but were not directly involved either.  John Goyo recalls that two former employees generated the domain parameters.  In particular, no external organization, including any that some now asperse with backdoor insertion, generated the parameters.  We will continue to investigate our records and archives. 

I hope that the four points above address your main concerns, despite them not fully answering your questions.  Feel free to request further clarification, but, unfortunately, I am not sure if we have maintained all the archives.

(*) With my SECG chair hat off now, I recognize some validity of the following argument: the NIST curves have received more scrutiny than the other SECG curves, because the prominence of NIST created a greater incentive to study these curves.  Putting my SECG chair back on, a mild counterargument to the latter argument is that: none of the known weak classes of curves resulted by targeting particular parameters. Rather they are results from basic research on ECC. 


Best regards,

Dan
hero member
Activity: 560
Merit: 517
September 15, 2013, 05:15:40 PM
#84
Quote
I believe the order #E(Fp) of our elliptic curve n is prime and is in fact their n.

I think this is also validated by the fact that h = 1.
To be specific, n in BurtW's quote is any prime number that divides the order of the elliptic group.  In our case, the order of the secp256k1 group is prime, which means n can only be the order of the elliptic group (convenient!).

Given that our elliptic group is of prime order, we know a few things.  There are no subgroups.  It's cyclic.  It's abelian.  To the best of my knowledge, that also implies that we can pick any element of the group, except the identity element, to be our generator.  Which makes me wonder how secp256k1's generator was picked.  I don't yet know what restrictions one must apply to the generator.  I can only assume it doesn't matter ...

By the way, I ran a little experiment.  Given our finite field, and setting a to 0, 7 is the first (counting from 0) value for b that results in a prime order elliptic group.  I don't understand GLV well enough to know what restrictions it places on a and b, but if we have to pick a curve where a is 0, it seems like b being 7 would be a logical choice (again, given our finite field).
legendary
Activity: 1204
Merit: 1002
Gresham's Lawyer
September 15, 2013, 09:00:34 AM
#83
Hmm I wonder how many colours of coloured coin it takes to [something something] a blockchain? Wink Cheesy

(You only need four whatzits to build a DNA strand? Hmm....)

Think like the game "sprouts".

(And maybe read Peirs Anthony's "Macroscope" while you're at it.)

One point is a point, two is a line, three is a circle.

If the fourth is inside the circle, it is surrounded, no luck there.

If the fourth is outside the circle, how you gonna connect it to the other three without surrounding any of them?

-MarkM-


Congratulations to your child-self.
The personal implications of your avatar icon are suddenly more manifold.
Wink
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 15, 2013, 08:13:47 AM
#82
I believe the order #E(Fp) of our elliptic curve n is prime and is in fact their n.

I think this is also validated by the fact that h = 1.

But hey, I am just treading water here...

legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
September 15, 2013, 07:57:40 AM
#81
They say
Quote
the order #E(Fq) of the elliptic curve is divisible by a large prime number n (say n >= 2^160)
So their n (random prime number) isn't our n (order of the EC) (?)


With p=FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
and n=FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
Code:
p^1  - 1 % n = 000000000000000000000000000000014551231950b75fc4402da1722fc9baed
p^2  - 1 % n = 9d671cd581c69bc5e697f5e1d12ab7e0bd57efff7678bda14d8f2b05a6047402
p^3  - 1 % n = ac7a8c3d903db4f5506b3cd06358dbb83c0356f1426f6154796949ebcaf2c963
p^4  - 1 % n = 4a9039c8e0cf1d2e546bf94562b4cdd3f931a37f7210ea3d2448e17471c13846
p^5  - 1 % n = 13257c198a85197265443fa89aac96ccdac5495c438984dc734659a59cd53681
p^6  - 1 % n = 48e1ad01feb908300c9be1bd9d9d7afe6b7d929d4954c6e73f5b35d6d38c8ce7
p^7  - 1 % n = 98c10d11ce5ba0e56349034ff8f0078cefdbb6462b5fadb02b77e6f9b15e63a0
p^8  - 1 % n = d450873664cc63bee8debf0810f4d3885087441407bdebb24ea9c33ab125b3cc
p^9  - 1 % n = 3763ce8ef848dd69408119a522e171d9ad2132e2eb349967bebdea391b96d024
p^10 - 1 % n = 3e07117dea68ea380611113c0988e37608059d1e8315f2dc397457536359b05a
p^11 - 1 % n = 1c16652e13748ed710097fe21c21c0ee3cf4dddca456a0d0900601f2c136da93
p^12 - 1 % n = 0a95c2539eba1d41b55552516bf5a46a2417109fb45813aecc859ccab824fd91
p^13 - 1 % n = a12715798e6b78096c12e8e73a5e1550e4184561cafbb5dbfb34ffcacbbeba6c
p^14 - 1 % n = 637f4698784525945df4080fa4334351f3a8137f01d1b2118cfe4f00a79ff5eb
p^15 - 1 % n = 4adf22895fd4ced7120a9b5bd1bedb0358b25073a52879da089054cef992b7f0
p^16 - 1 % n = cc43712c43c1b51af2e29020520ae03abccd9f5c3ffdeb0c94a585ac91372278
p^17 - 1 % n = ec473f03332198fd61c411b184e81b7093423dd2a245fa278e111aac1c9c7af6
p^18 - 1 % n = 2abbbd0960d7884ac5648cfd88fd6a8485fea0af29300256d827369ccd72db9b
p^19 - 1 % n = 4ced2137a0dc99c48f9203c2dd9b423fd31d95998b29165efb48bf868170e857
p^20 - 1 % n = ac95279e81042a93568de45d91f29ccdd83acb8097ec611ba84fcace3e140ed1
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 15, 2013, 07:51:35 AM
#80
q = p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
September 15, 2013, 07:40:16 AM
#79
What is n?
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 15, 2013, 07:27:05 AM
#78
1) I believe that #E(Fq) of the elliptic curve is divisible by a large prime
number n (say n >= 2160) is true

2) I believe that #E(Fq) != q is true [#E(Fp) != p in our case]

3) n does not divide qi - 1 for all 1 <= i <= 20

We would need to write a small program to verify the last one.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 15, 2013, 07:02:07 AM
#77
From the referenced paper I would expect our curve to at least satisfy these criteria:

Quote
5 Security Considerations

Elliptic curves having effciently-computable endomorphisms should be regarded
as "special" elliptic curves. Using "special" instances of cryptographic schemes
is sometimes done for effciency reasons (for example the use of low encryption-
exponent RSA, or the use of small subgroups hidden in a larger group as with
DSA). However in any instance of a cryptographic scheme, there is always the
chance that an attack will be forthcoming that applies to the special instance
and signifcantly weakens the security. Such is the case here as well.

When selecting an elliptic curve E over Fq for cryptographic use, one must
ensure that the order #E(Fq) of the elliptic curve is divisible by a large prime
number n (say n >= 2160) in order to prevent the Pohlig-Hellman [22] and Pol-
lard's rho [23, 21] attacks. In addition, one must ensure that #E(Fq) != q in
order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that n
does not divide qi - 1 for all 1 <= i <= 20 in order to prevent the Weil pairing [16]
and Tate pairing attacks [8]. Given a curve satisfying these conditions, there is
no attack known that signifcantly reduces the time required to compute elliptic
curve discrete logarithms. Many such curves having effcient endomorphisms ex-
ist and hence appear suitable for cryptographic use. One attack on the elliptic
curve discrete logarithm problem on such curves is along the lines of [9] and [34].
The application of such ideas does not reduce the time to compute a logarithm
by more than a small factor.

The number of curves for which this technique applies seems to be reasonably
large. For instance, one of the Examples 3, 4, 5 and 6 provide a candidate for
most primes p.

legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 15, 2013, 06:18:38 AM
#76
Here is Jerry's response:

Quote
Hello Burt,

  I have looked at the SECG standard you pointed to.  The secp256k1 curve is not one of the NIST curves, and I'm afraid I had nothing to do with it.  It uses the technology described in the Crypto 2001 paper by Gallant, Lambert, and Vanstone (https://www.iacr.org/archive/crypto2001/21390189.pdf).  Since the authors were all affiliated with Certicom, and Certicom was the main partner in the SECG consortium, I'm guessing the Certicom folks came up with that curve.  I would suggest getting in touch with one of them for more info on where the particular parameters came from.

Regards,

-- Jerry S.
I have emailed all three authors.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
September 13, 2013, 10:50:07 PM
#75
It would be cool if the engineers of the agency will mine altcoins for fun! Tongue

Would be even cooler if they just fucked off and died and left the rest of us alone to do the right thing .... just saying.
sr. member
Activity: 364
Merit: 253
September 13, 2013, 10:18:54 AM
#74
It would be cool if the engineers of the agency will mine altcoins for fun! Tongue
staff
Activity: 4284
Merit: 8808
September 12, 2013, 02:17:27 PM
#73
Presumably, since it was government work,  it should be possible to FOIA any records they have relating to the procedures they used to generate those ECC parameters.

If no secret information was used to select them, e.g. strengthening or weakening the selection there should be no reason for the result to be classified.

If we don't get a response with a casual request we could try the FOIA route. Might be fun.

(As an aside: I think that there is weak evidence that they didn't use the selection to strengthen the curves as there are criteria by which these curves are considered weaker (see the Brainpool curves RFC for the extra criteria they used))
legendary
Activity: 2053
Merit: 1356
aka tonikt
September 12, 2013, 02:12:46 PM
#72

This might be Mr Solinas' email address: [email protected]

We could ask him if how the curves were generated is reproducible.


Maybe better ask first if the generation methodology is classified.
Done.

Waiting for a response.

Thank you for this.
I'm betting they won't say.
Who's in? Smiley
legendary
Activity: 1204
Merit: 1002
Gresham's Lawyer
September 12, 2013, 02:02:56 PM
#71

This might be Mr Solinas' email address: [email protected]

We could ask him if how the curves were generated is reproducible.


Maybe better ask first if the generation methodology is classified.
Done.

Waiting for a response.

Thank you for this.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 12, 2013, 11:47:22 AM
#70
While everyone is gathered here I have a quick easy question.  I always assumed that the private keys came from the finite field defined by the parameter p specified here (and secg of course):

https://en.bitcoin.it/wiki/Secp256k1 

However, this wiki page states that the valid private keys are specified by the parameter n:

https://en.bitcoin.it/wiki/Private_key#Range_of_valid_private_keys

Either I need to be fixed (ouch!) or the wiki needs to be fixed.

The correct number is n as G^(n+1) = G
Bummer.  I have been quoting the wrong number for almost two years now.  I sure wish someone had corrected me at some point.  Embarassing.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
September 12, 2013, 11:17:05 AM
#69
While everyone is gathered here I have a quick easy question.  I always assumed that the private keys came from the finite field defined by the parameter p specified here (and secg of course):

https://en.bitcoin.it/wiki/Secp256k1 

However, this wiki page states that the valid private keys are specified by the parameter n:

https://en.bitcoin.it/wiki/Private_key#Range_of_valid_private_keys

Either I need to be fixed (ouch!) or the wiki needs to be fixed.

The correct number is n as G^(n+1) = G
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
September 12, 2013, 11:10:40 AM
#68
While everyone is gathered here I have a quick easy question.  I always assumed that the private keys came from the finite field defined by the parameter p specified here (and secg of course):

https://en.bitcoin.it/wiki/Secp256k1  

However, this wiki page states that the valid private keys are specified by the parameter n:

https://en.bitcoin.it/wiki/Private_key#Range_of_valid_private_keys

Either I need to be fixed (ouch!) or the wiki needs to be fixed.
hero member
Activity: 798
Merit: 1000
September 12, 2013, 12:15:27 AM
#67
Using ECDSA that way, even if ECDSA is broken, would only be weak for the 10 minutes or so before a transaction gets into a block.  Can we reasonably foresee a break in ECDSA so profound that it can be performed in under 10 minutes?

It depends on how ECDSA is broken. It also depends on how ECDSA is used. While using pubkeys only once is "recommended", it is certainly not a requirement, and it is not possible to predict how ECDSA will be used by the bitcoin protocol in the future. But if discrete logarithm problem over elliptic curves stops being "hard", only the pubkeys are necessary, and they will probably be broken at break-neck speed. If it is a weakness with the signatures revealing information (much more likely), it will take time, but reused pubkeys are at serious risk.


Quote
I would say the size of the signatures would be one reason.  The inability to re-use them being another.

Well Merkle-Lamport constructions are probably what is of interest. On the bright side, the pubkey is only n bits where n is the security level.

However, there is research into merkle + one-time sig schemes with smaller signatures.

"On the Security of the Winternitz One-Time Signature Scheme" by Buchmann et al shows signature sizes of about 800 bytes for 129-bit effective security level at a Winternitz parameter of 16 (increasing it raises the difficulty of creating signatures, but makes the signatures smaller and weaker, I don't know the exact tradeoffs). 800 bytes is well within reason for a QC-resistant signature algo (although it might have to be more depending on how many qubits are available to crack hash algos). It is still a significant hurdle though for world-wide use, and will obviously increase the costs of running the network significantly.
staff
Activity: 4284
Merit: 8808
September 12, 2013, 12:12:12 AM
#66
Quote
How large are Lamport signatures with security equal to 256 bit ECDSA?
256-bit ECDSA has a security strength of 128-bits under classical computing.  Under Lamport, that would require signatures of length 128 * 128 bits, which is 2 KB.  The public keys would be 4 KB. (Source)

To have an estimated security strength of 128-bits under quantum computing, Lamport signatures would be 256 * 256, which is 8KB. (Source)
In Bitcoin the public key would be part of the signature, when both are sent together there are several 'compression' schemes you can apply which allow you to avoid specify unneeded parts of the keys (since both are tree structured), you can do something which has 256 bits of QC security in about 11kbytes.  This also benefits reducing the size of the public key to a single hash— addresses would be no longer (or only somewhat longer, for 256 bit ones) than the addresses we use today.

There is no severe reuse issue, for a very minor increase in size you use a merkle signature scheme, where you have a tree of lamport keys. This significantly reduces the reuse problem. In the context of Bitcoin some reuse would also not be completely fatal.

You could very nearly implement lamport signatures in our existing script with no special functionality at all, we're basically only missing code to push the raw data-to-be-signed onto the stack... though doing it that way wouldn't get you public key compression.

I'm not sure if we should implement such things prophylacticly: It would be great to have an already deployed answer to "OMG WHAT ABOUT QCs?!" or "OMG WHAT IF NSA ECDSA?!"... but I suspect a lot of people who would ask such things aren't really looking for answers.  Our common infrastructure is also very sensitive to size— my "structure it so you can forget old signatures" is a major security model change which might have severe economic consequences in the long run... and additional block-chain bloat absolutely would have consequences. So ::shrugs::.
Pages:
Jump to: