Pages:
Author

Topic: secp256k1 (Read 29324 times)

sr. member
Activity: 280
Merit: 257
bluemeanie
December 16, 2013, 06:19:00 PM
#28


 The advantage to Koblitz curves is faster arithmetic.  I would imagine they are thought to be appropriate for bitcoin because of the number of ECDSA operations that are required.  When you use Koblitz curves, part of the equation can be dropped(the ax part as a=0 in secp256k1).

 -bm

 

Bitcoin uses elliptic curve cryptography for its keys and signatures, but the specific curve used is pretty unusual. It is called secp256k1, from a standard called SEC2, published by a group called SECG, http://www.secg.org/index.php?action=secg,docs_secg.

Taking the name secp256k1 apart, sec comes from the standard, p means that the curve coordinates are a prime field, 256 means the prime is 256 bits long, k means it is a variant on a so-called Koblitz curve, and 1 means it is the first (and only) curve of that type in the standard. This is all fine and common, except for the Koblitz part. Koblitz curves are a special kind of elliptic curves that have some internal structure that can be used to speed up calculations. Standards bodies have tended to shy away from Koblitz curves out of fear that this internal structure could someday be exploited to yield a new attack. Indeed certain Koblitz curves, but not secp256k1, lose a couple dozen bits of security to a known attack.

Most standards use what are called random curves when they are using prime fields. SEC2 also includes random curves, and the very next one after secp256k1 is called secp256r1. This curve, secp256r1, is widely standardized and used, including by the U.S. government, which calls it P-256.

I don't know the rationale behind using secp256k1. It has the potential for speed - I've seen estimates from 33% to 50% speedup - but the techniques are quite esoteric as it is not a conventional Koblitz curve, and I doubt that the OpenSSL implementation exploits this. I'm not losing much sleep over the theoretical possibility of an attack on secp256k1, but it is likely to be less widely implemented. I looked at BouncyCastle, a widely used Java crypto library, and they had commented out the code for secp256k1. Whereas secp256r1 (P-256) might well be a default curve for the native crypto keys in future OS's.

It wouldn't be a change to make lightly, but we might want to consider changing to this more widely used standard curve. We'd have to mark the new keys to distinguish them, and be prepared to handle both kinds of signatures.

One question is whether we would ever reach a point where clients could eliminate support for the old curve? Maybe just miners could retain support, and the fact that a transaction got into a block with some confirmations would be good enough evidence that it was valid.
hero member
Activity: 731
Merit: 503
Libertas a calumnia
December 16, 2013, 03:26:27 PM
#27
You mean you are uneasy that he chose the _only_ standardized curve at the time without unexplained parameters?
Can you please elaborate a bit more on the subject?
I reply to myself, found reading this other thread:
http://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters/10273#10273
hero member
Activity: 731
Merit: 503
Libertas a calumnia
December 16, 2013, 03:06:55 PM
#26
You mean you are uneasy that he chose the _only_ standardized curve at the time without unexplained parameters?
Shocked

Can you please elaborate a bit more on the subject?
I'm sincerely interested, thanks.
staff
Activity: 4284
Merit: 8808
December 16, 2013, 11:31:04 AM
#25
But I'm really not at ease knowing that every signature in a Bitcoin transaction is implemented using a very particular and unusual elliptic curve that has been selected for an unknown reason that his chooser is unwilling to elaborate on.
You mean you are uneasy that he chose the _only_ standardized curve at the time without unexplained parameters?
hero member
Activity: 731
Merit: 503
Libertas a calumnia
December 16, 2013, 08:04:20 AM
#24
I also discussed with satoshi, and he said that his employers at the NSA wanted him to create the first P2P currency with a back door in it. That back door happens to be in this specific elliptic curve. Government supercomputers searched for a random elliptic curve that contained a back door.

Just joking, but that's my conspiracy theory. Actually if there is no particular reason for this elliptic curve to be chosen, that is actually suspicious...
If I'm not mistaken, while at the time this was just a conspiracy theory, nowadays we know that something exactly of that kind happened and NSA pushed a cryptography standard exclusively because they had some kind of backdoor for it (some random and incomplete references: 1, 2, 3, 4, 5).

We also know that good cryptographic conventions requires to explain how arbitrary constants get chosen, expressly to rule out the possibility of using some particular algebraic field with known (to NSA or others) properties that can lead to advantages when implementing algorithms to break it.

So, each time an arbitrary constant is chosen without explaining how and why, a good cryptographer has reason to believe that something fishy is going on.

Someone says that Satoshi is the nickname of an NSA working group and I really don't care if this is true or not because the code is open source and everyone can verify whether the code and the protocol are sound.

But I'm really not at ease knowing that every signature in a Bitcoin transaction is implemented using a very particular and unusual elliptic curve that has been selected for an unknown reason that his chooser is unwilling to elaborate on.
kjj
legendary
Activity: 1302
Merit: 1026
August 24, 2012, 08:12:44 AM
#23
Hal posted some example code for it, a while ago. I don't remember if it was implemented.

Found it!

here
legendary
Activity: 1526
Merit: 1134
August 24, 2012, 07:37:36 AM
#22
Hal posted some example code for it, a while ago. I don't remember if it was implemented.
donator
Activity: 1218
Merit: 1079
Gerald Davis
August 23, 2012, 05:07:36 PM
#21
How many hundreds of transactions per second is your smartcard going to process? 
hero member
Activity: 815
Merit: 1000
August 23, 2012, 04:43:49 PM
#20
For what bitcoin does, I don't think the complexity is worth a 30% to 50% gain in speed.
Thanks a bunch.

I'm researching this to develop a btc smart card which is more limited. If it's easy to do it it may be worth it...
kjj
legendary
Activity: 1302
Merit: 1026
August 23, 2012, 02:48:25 PM
#19
Google "GLV method".  I didn't see any source code, but several academic papers and slide decks about it.

To use it, you need to be able to precompute a multiple of a point (which is a property of the curve used), then you can factor a future multiplication on that curve into two multiplications each with half as many bits.  For what bitcoin does, I don't think the complexity is worth a 30% to 50% gain in speed.
hero member
Activity: 815
Merit: 1000
August 23, 2012, 12:53:31 PM
#18
Don't know if anyone knows this, but how do you take advantage of the speedup built into the koblitz curve?

Is it automatic?
You do something special?

Is the BTC client already using the speedup opportunity?
Even if it's not, could someone point me to the source code location of said algorithm?

Thanks in advance and sry for bumping.
Activity: -
Merit: -
January 13, 2011, 09:10:43 PM
#17
I looked at BouncyCastle, a widely used Java crypto library, and they had commented out the code for secp256k1.

The current version of BouncyCastle (version 1.45 at the time I'm writing this) has secp256k1 available as far as I can tell.

org.bouncycastle.asn1.sec.SECNamedCurves.getNames()  will give you a list of some named curves (including "secp256k1").

org.bouncycastle.asn1.sec.SECNamedCurves.getByName("secp256k1")  will give you an org.bouncycastle.asn1.x9.X9ECParameters object

Here's an example of what I get in Clojure:
Code:
user> (enumeration-seq (org.bouncycastle.asn1.sec.SECNamedCurves/getNames))
("sect233r1" "secp112r2" "secp112r1" "secp256k1" "sect113r2" "secp521r1" "sect113r1" "sect409r1" "secp192r1" "sect193r2" "sect131r2" "sect193r1" "sect131r1" "secp160k1" "sect571r1" "sect283k1" "secp384r1" "sect163k1" "secp256r1" "secp128r2" "secp128r1" "secp224k1" "sect233k1" "secp160r2" "secp160r1" "sect409k1" "sect283r1" "sect163r2" "sect163r1" "secp192k1" "secp224r1" "sect239k1" "sect571k1")
user> (org.bouncycastle.asn1.sec.SECNamedCurves/getByName "secp256k1")
#
newbie
Activity: 43
Merit: 0
January 12, 2011, 12:35:34 PM
#16
I also discussed with satoshi, and he said that his employers at the NSA wanted him to create the first P2P currency with a back door in it. That back door happens to be in this specific elliptic curve. Government supercomputers searched for a random elliptic curve that contained a back door.

Just joking, but that's my conspiracy theory. Actually if there is no particular reason for this elliptic curve to be chosen, that is actually suspicious...
sr. member
Activity: 416
Merit: 277
January 11, 2011, 10:03:21 PM
#15
Becoming fully generic would mean encoding curve parameters into  ... where?
One plausible option for a future bitcoin-like system is to allow a selection from a numbered range of pre-selected curves. Smaller transactions or balances could use smaller keysizes if necessary.

this is why we cannot embed messages into transactions.
You can still embed messages into transactions see https://bitcointalksearch.org/topic/m.32288

ByteCoin
legendary
Activity: 1526
Merit: 1134
January 11, 2011, 05:31:40 PM
#14
I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time.

However it sounds like there's no real consensus that the k1 curve is really a terrible thing and indeed it may even be helpful in future as ECDSA verification is the primary CPU bottleneck for running a network node. So if Koblitz curves do indeed perform better we might end up grateful for that in future ...
Activity: -
Merit: -
January 10, 2011, 10:17:30 AM
#13
I am not the cryptographer that all of you appear to be but, to me, this discussion raises a disturbing point.  You all appear to be saying that the encryption algorithm for Bitcoin generation and future security is changeable at this time.  How is that?  I thought this was all some open source program and client that was all put "out there" in P2P space with no central authority.  The fact that this person Satoshi (the inventor?) has the power to change the encryption method at will, does that not mean that he is a central authority, not unlike a bank, that can alter how the rest of the 75% 21 million coins are minted? 

Satoshi is the creator and main developer of Bitcoin.  He can make changes to the software, creating a new version, and allow others to download this new updated version...it's everyone else's choice as an individual whether they will download the new version and use it, use an older version, use someone else's version of bitcoin, write their own version, or not use bitcoin anymore.  Satoshi can't just modify the code on anyone else's machine.  He has no control over the software running on anyone else's machines, but is merely the most popular provider of Bitcoin software.  Since his software is currently used by the majority of Bitcoin users, it effectively defines the Bitcoin protocol standard, which means that Satoshi currently defines the protocol standard.  But this is not a technical issue, but rather a social one.  If some other implementation of bitcoin gains in popularity, it can lead to either someone else setting the protocol standards, or a fork in the block chain.  If there are two or more alternative bitcoin implementations out there, and none of them have a majority of the users, then it can still lead to forks of the block chain unless the developers of the different implementations continue to agree on a standard.  Those that don't agree with the standard and fork the block chain will most likely lose users as a forked block chain will be less secure as well as incompatible with the other chain(s), which is not in the interest of many users.

So currently, Satoshi has a significant social influence on the bitcoin protocol, but he does not have control over the network or anyone's software.  The apparent "centralization" is merely a voluntary/anarchistic social one, that will remain only as long as enough users agree with or will tolerate Satoshi's decisions.  If he makes a choice that most users won't like, bitcoin will either collapse or (more likely) the block chain will be forked and not implement the unwanted changes.  Satoshi's influence is not brought about by force, and is therefore not comparable to that of a government created/protected central bank that can change the monetary system at a whim without the peoples' say.
full member
Activity: 143
Merit: 100
January 10, 2011, 09:47:40 AM
#12
I guess I'd follow whomever releases the client, whether I knew it contained changes or not.  Most would.
legendary
Activity: 1106
Merit: 1004
January 10, 2011, 09:42:49 AM
#11
Anyone could perform such change. It's open source.

If you make a fundamental change, you'll probably end up forking the project. Some might follow you, some will remain using the previous branch.
full member
Activity: 143
Merit: 100
January 10, 2011, 09:28:50 AM
#10
I am not the cryptographer that all of you appear to be but, to me, this discussion raises a disturbing point.  You all appear to be saying that the encryption algorithm for Bitcoin generation and future security is changeable at this time.  How is that?  I thought this was all some open source program and client that was all put "out there" in P2P space with no central authority.  The fact that this person Satoshi (the inventor?) has the power to change the encryption method at will, does that not mean that he is a central authority, not unlike a bank, that can alter how the rest of the 75% 21 million coins are minted? 
legendary
Activity: 1526
Merit: 1134
January 10, 2011, 05:35:03 AM
#9
I believe the key factor in the choice of curve, size and indeed ECC itself was the size of the block chain - which is ultimately based on a set of educated guesses. The key.h file has a list of signature sizes at the top along with a comment that the script system can encode signatures of up to 75 bytes with a single size opcode. It's hard to know if that's the reason or not but it seems likely.

Becoming fully generic would mean encoding curve parameters into  ... where? Addresses? Scripts and thus the block chain? All of those would make transactions much much larger and reduce the scalability of the network as a result. We know Satoshi cares a lot about block chain size, this is why we cannot embed messages into transactions.

/mike
Pages:
Jump to: