|
Title: How was the order of secp256k1 calculated? Post by: mynonce on November 23, 2021, 11:58:15 PM We know that the prime of secp256k1 (p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F) was chosen.
But how was the order (n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141) calculated? Title: Re: How was the order of secp256k1 calculated? Post by: gmaxwell on November 24, 2021, 08:13:35 AM https://en.wikipedia.org/wiki/Schoof%27s_algorithm
Title: Re: How was the order of secp256k1 calculated? Post by: mynonce on November 24, 2021, 06:26:39 PM https://en.wikipedia.org/wiki/Schoof%27s_algorithm Thanks. Very interesting. 'In 1985, Schoof discovered an algorithm which enabled him to count points on elliptic curves over finite fields in polynomial time. This was important for the use of elliptic curves in cryptography ...' Without his discovery in 1985 we wouldn't have Bitcoin. Title: Re: How was the order of secp256k1 calculated? Post by: gmaxwell on December 09, 2021, 06:58:11 AM If Schoof's algorithm hadn't been discovered, Bitcoin would have just used different cryptography like RSA.
... or maybe it would use elliptic curves like RSA by users selecting a random group and using the hardness of finding its order for security. ... only to have it broken when Schoof's algorithm is discovered. :) Title: Re: How was the order of secp256k1 calculated? Post by: mynonce on December 09, 2021, 10:58:17 AM If Schoof's algorithm hadn't been discovered, Bitcoin would have just used different cryptography like RSA. ... or maybe it would use elliptic curves like RSA by users selecting a random group and using the hardness of finding its order for security. ... only to have it broken when Schoof's algorithm is discovered. :) It is also very interesting that Satoshi used secp256k1 and not the common secp256r1, isn't it? Title: Re: How was the order of secp256k1 calculated? Post by: n0nce on December 09, 2021, 12:27:23 PM It is also very interesting that Satoshi used secp256k1 and not the common secp256r1, isn't it? Yeah; it was discussed a few times on this forum. You find it all through the search function.Here's a quote from Mike Hearn: I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time. However it sounds like there's no real consensus that the k1 curve is really a terrible thing and indeed it may even be helpful in future as ECDSA verification is the primary CPU bottleneck for running a network node. So if Koblitz curves do indeed perform better we might end up grateful for that in future ... And gmaxwell: But I'm really not at ease knowing that every signature in a Bitcoin transaction is implemented using a very particular and unusual elliptic curve that has been selected for an unknown reason that his chooser is unwilling to elaborate on. You mean you are uneasy that he chose the _only_ standardized curve at the time without unexplained parameters?A full topic on this: why did bitcoin choose secp256k1 over secp256r1? (https://bitcointalk.org/index.php?topic=151120.0) StackExchange answer: Should we trust the NIST-recommended ECC parameters? (https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters/10273#10273) Also; OT but lol your username is confusing me :D Title: Re: How was the order of secp256k1 calculated? Post by: mynonce on December 11, 2021, 01:32:08 AM A full topic on this: Thanks.why did bitcoin choose secp256k1 over secp256r1? (https://bitcointalk.org/index.php?topic=151120.0) StackExchange answer: Should we trust the NIST-recommended ECC parameters? (https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters/10273#10273) Also; OT but lol your username is confusing me :D myn0nce :D Title: Re: How was the order of secp256k1 calculated? Post by: mynonce on December 14, 2021, 11:36:59 PM It is also very interesting that Satoshi used secp256k1 and not the common secp256r1, isn't it? Yeah; it was discussed a few times on this forum. You find it all through the search function.'Many crypto experts have noticed that Bitcoin’s choice of secp256k1 elliptic curve was unusual for its time, as it was not yet well researched. ... Cointelegraph asked one of the world’s leading cryptographers, Tatsuaki Okamoto, about this unusual choice. Okamoto currently serves as director of the Cryptography & Information Security Lab at NTT Research. According to Okamoto, there are two alternative explanations for this choice: Either Satoshi picked because it offers greater efficiency or because it may have offered a secret backdoor.' https://cointelegraph.com/news/this-researcher-says-bitcoins-elliptic-curve-could-have-a-secret-backdoor (https://cointelegraph.com/news/this-researcher-says-bitcoins-elliptic-curve-could-have-a-secret-backdoor) 'Laszlo Hanyecz, who worked closely with Satsohi in 2010, told Cointelegraph that he was befuddled by Satoshi’s choice of the elliptic curve secp256k1. The use of this curve, at the time, was unusual. ... At some point, Hanyecz sent Satoshi an email asking him why he picked this particular curve, Satoshi explained to Hanyecz that he had had some experts helping him: “‘I had a bunch of people look at it and they told me this was good.’ And he didn't really elaborate on it, but he said he had experts look at it.” It is not clear exactly when Satoshi sought this outside help, but prior to launching Bitcoin.' https://cointelegraph.com/news/satoshi-nakamoto-had-outside-cryptography-help-says-early-bitcoin-dev (https://cointelegraph.com/news/satoshi-nakamoto-had-outside-cryptography-help-says-early-bitcoin-dev) I had a bunch of people look at it and they told me this was good. ??? |