Bitcoin Forum
May 25, 2024, 11:43:00 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Quick elliptic curve security question
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Quick elliptic curve security question  (Read 1293 times)
Peter R (OP)
Legendary
*
Offline Offline

Activity: 1162
Merit: 1007



View Profile
March 08, 2015, 06:57:36 PM
Last edit: March 08, 2015, 07:10:26 PM by Peter R
 #1
Question for the experts out there:

Let

    Q1 = k1 * G

and
  
    Q2 = (k1 + n) * G.

If Q1, Q2, G, and n are known, is it still difficult to determine k1?

What about if

    Q2 = n * k1 * G?


Qi is a secp256k1 curve point (public key), ki is a private key, and G is the secp256k1 base point.
Run Bitcoin Unlimited (www.bitcoinunlimited.info)
Nikinger
Full Member
***
Offline Offline

Activity: 141
Merit: 100



View Profile
March 08, 2015, 08:05:41 PM
Last edit: March 08, 2015, 08:16:54 PM by Nikinger
 #2
Quote from: Peter R on March 08, 2015, 06:57:36 PM
If Q1, Q2, G, and n are known, is it still difficult to determine k1?
  • Yes, knowing Q1, Q2, G, n is not sufficient to calculate k1 easyly because there is no known fast method doing a point division.
  • Knowing Q1, Q2, G, k1 is not sufficient to calculate n easyly
  • Knowing Q1, n, G is sufficient to calculate Q2 easyly (Q2 = Q1 + G*n)

Quote from: Peter R on March 08, 2015, 06:57:36 PM
   Q2 = n * k1 * G?
If one of n, k1, G is not known, you can't recover it's value easyly because it would involve point division. If Q2 is unknown, you can calculate it easyly just by multiplying.
1EwKrY5Bn3T47r4tYqSv6mMQkUyu7hZckV
andytoshi
Full Member
***
Offline Offline

Activity: 179
Merit: 151

-


View Profile
March 08, 2015, 10:04:31 PM
 #3
Hey Peter,

k1 is indeed hidden. You can argue this by reduction ... suppose you had an algorithm A which given (G, (n + k)G, n, kG) could spit out k. Then if I wanted to solve a discrete log challenge (G, kG), I'd just choose my own n, compute (n + k)G as nG + kG, and give all these values to the algorithm A. It'd spit out k which is my answer.

I'm glossing over the distributions of secret values (all should be i.i.d. uniformly random over their domains) here.

You can also argue the reverse direction, which shows that your problem is exactly as hard as discrete log.

Edit: Given (G, nkG, n, kG) the same argument works. (Get a DL challenge kG, multiply by your own n, solve for k if it's really so simple, and you've solved DL.)

Andrew
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4186
Merit: 8426



View Profile WWW
March 09, 2015, 12:03:58 AM
 #4
Do take care that because your one more discrete log problem is secure doesn't mean that any larger system you embed it into is secure.
Peter R (OP)
Legendary
*
Offline Offline

Activity: 1162
Merit: 1007



View Profile
March 09, 2015, 04:27:41 PM
 #5
Thanks for the responses Andrew, Greg and Nikinger.  I was quite certain the answer was "yes, it's still secure" (e.g., I suppose this is why split-key vanity address generation works), but Andrew's reduction argument makes this rock solid.  
Run Bitcoin Unlimited (www.bitcoinunlimited.info)
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Quick elliptic curve security question
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!