Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: uminatsu on April 01, 2014, 05:12:00 PM



Title: How is the base point G chosen for secp256k1?
Post by: uminatsu on April 01, 2014, 05:12:00 PM
I did some research on Google but couldn't find an answer.

So secp256k1 has this seemingly random "base point" G:

G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8

Has anyone wondered why this point is chosen? Is it provably chosen at random, or based on some nothing-up-my-sleeve procedure?

Why not choose a point with a very small (say <10) x-coordinate?

The modular exponential Diffie-Hellman groups for IKE (http://tools.ietf.org/html/rfc3526) always choose the number "2" as the generator. Something similar can be done for ECC too.


Title: Re: How is the base point G chosen for secp256k1?
Post by: JoelKatz on April 01, 2014, 05:15:12 PM
The NSA picked it. There is no known way to gimmick the base point.


Title: Re: How is the base point G chosen for secp256k1?
Post by: uminatsu on April 01, 2014, 05:25:27 PM
The NSA picked it. There is no known way to gimmick the base point.

What if the picker of G actually started from a special point G' on the curve that has a very small x-coordinate, and picked a random 256-bit number n to arrive at G = n * G'? There's no way to disprove that someone has knowledge of this secret value "n".

I'm not exactly sure what advantage this secret knowledge has, except that the picker could create very short ECDSA signatures (he'll set "k" to the multiplicative inverse of "n", thus "r" will be the x-coordinate of G').
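
As an added check of the construction described in this post (example code, not from the thread or from any Bitcoin project): it picks the secp256k1 point G' with the smallest x-coordinate, derives G = n * G' for a constructed n, and shows that signing with k = n^-1 mod N gives r = x(k * G) = x(G'). The curve constants are the public secp256k1 parameters; the value of n and the helper names are assumptions of this example.

```python
import secrets

# Public secp256k1 parameters (field prime, group order, the published G).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:      # P + (-P) = infinity
        return None
    if p1 == p2:                             # doubling (a = 0 for this curve)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def smallest_x_point():
    """Curve point with the smallest x; P % 4 == 3 so a square root is one pow()."""
    for x in range(1, 100):
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return x, y
    raise ValueError("no small-x point in range")

def demo(n):
    """Hypothetical picker: G = n * G'. Returns (x(G'), r) for the nonce k = n^-1 mod N."""
    g_prime = smallest_x_point()
    g = ec_mul(n, g_prime)        # the generator the picker would publish
    k = pow(n, -1, N)             # nonce only the picker can derive
    r = ec_mul(k, g)[0]           # ECDSA r = x(k * G)
    return g_prime[0], r

if __name__ == "__main__":
    print(demo(secrets.randbelow(N - 1) + 1))
```

The two numbers printed are equal, which is the whole of the picker's advantage: the published G alone does not reveal n, and only the holder of n can produce such short-r signatures.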


Title: Re: How is the base point G chosen for secp256k1?
Post by: gmaxwell on April 01, 2014, 06:26:04 PM
The NSA picked it. There is no known way to gimmick the base point.
As far as anyone yet knows, our parameters were not selected by "The NSA". In any case, choice of the generator was discussed extensively. The most we could come up with is that perhaps someone could convince you that a particular pubkey was a 'nothing up my sleeve' pubkey when it really wasn't.