Topic: secp256k1 (Read 29235 times)

Bitcoin uses elliptic curve cryptography for its keys and signatures, but the specific curve used is pretty unusual. It is called secp256k1, from a standard called SEC2, published by a group called SECG, http://www.secg.org/index.php?action=secg,docs_secg.

Taking the name secp256k1 apart, sec comes from the standard, p means that the curve coordinates are a prime field, 256 means the prime is 256 bits long, k means it is a variant on a so-called Koblitz curve, and 1 means it is the first (and only) curve of that type in the standard. This is all fine and common, except for the Koblitz part. Koblitz curves are a special kind of elliptic curves that have some internal structure that can be used to speed up calculations. Standards bodies have tended to shy away from Koblitz curves out of fear that this internal structure could someday be exploited to yield a new attack. Indeed certain Koblitz curves, but not secp256k1, lose a couple dozen bits of security to a known attack.

Most standards use what are called random curves when they are using prime fields. SEC2 also includes random curves, and the very next one after secp256k1 is called secp256r1. This curve, secp256r1, is widely standardized and used, including by the U.S. government, which calls it P-256.

I don't know the rationale behind using secp256k1. It has the potential for speed - I've seen estimates from 33% to 50% speedup - but the techniques are quite esoteric as it is not a conventional Koblitz curve, and I doubt that the OpenSSL implementation exploits this. I'm not losing much sleep over the theoretical possibility of an attack on secp256k1, but it is likely to be less widely implemented. I looked at BouncyCastle, a widely used Java crypto library, and they had commented out the code for secp256k1. Whereas secp256r1 (P-256) might well be a default curve for the native crypto keys in future OS's.

It wouldn't be a change to make lightly, but we might want to consider changing to this more widely used standard curve. We'd have to mark the new keys to distinguish them, and be prepared to handle both kinds of signatures.

One question is whether we would ever reach a point where clients could eliminate support for the old curve? Maybe just miners could retain support, and the fact that a transaction got into a block with some confirmations would be good enough evidence that it was valid.

Can you please elaborate a bit more on the subject?

You mean you are uneasy that he chose the _only_ standardized curve at the time without unexplained parameters?

But I'm really not at ease knowing that every signature in a Bitcoin transaction is implemented using a very particular and unusual elliptic curve that has been selected for an unknown reason that his chooser is unwilling to elaborate on.

I also discussed with satoshi, and he said that his employers at the NSA wanted him to create the first P2P currency with a back door in it. That back door happens to be in this specific elliptic curve. Government supercomputers searched for a random elliptic curve that contained a back door.

Just joking, but that's my conspiracy theory. Actually if there is no particular reason for this elliptic curve to be chosen, that is actually suspicious...

Hal posted some example code for it, a while ago. I don't remember if it was implemented.

For what bitcoin does, I don't think the complexity is worth a 30% to 50% gain in speed.

I looked at BouncyCastle, a widely used Java crypto library, and they had commented out the code for secp256k1.

user> (enumeration-seq (org.bouncycastle.asn1.sec.SECNamedCurves/getNames))
("sect233r1" "secp112r2" "secp112r1" "secp256k1" "sect113r2" "secp521r1" "sect113r1" "sect409r1" "secp192r1" "sect193r2" "sect131r2" "sect193r1" "sect131r1" "secp160k1" "sect571r1" "sect283k1" "secp384r1" "sect163k1" "secp256r1" "secp128r2" "secp128r1" "secp224k1" "sect233k1" "secp160r2" "secp160r1" "sect409k1" "sect283r1" "sect163r2" "sect163r1" "secp192k1" "secp224r1" "sect239k1" "sect571k1")
user> (org.bouncycastle.asn1.sec.SECNamedCurves/getByName "secp256k1")
#

Becoming fully generic would mean encoding curve parameters into  ... where?

this is why we cannot embed messages into transactions.

I am not the cryptographer that all of you appear to be but, to me, this discussion raises a disturbing point.  You all appear to be saying that the encryption algorithm for Bitcoin generation and future security is changeable at this time.  How is that?  I thought this was all some open source program and client that was all put "out there" in P2P space with no central authority.  The fact that this person Satoshi (the inventor?) has the power to change the encryption method at will, does that not mean that he is a central authority, not unlike a bank, that can alter how the rest of the 75% 21 million coins are minted?