Bitcoin Forum
Pages: « 1 [2]  All
Author Topic: why did bitcoin choose secp256k1 over secp256r1?  (Read 19374 times)
neoKushan (Newbie)
January 28, 2014, 04:11:14 PM, #21
Merited by vapourminer (1)

Quote:
Thanks to Snowden & Bruce Schneier, we now know the answer. secp256r1 has an NSA backdoor - see http://www.linuxadvocates.com/2013/09/is-openssls-cryptography-broken.html

Quote:
So - while a backdoor is not really a "honeypot" this is the best answer:
* NIST has made an intentionally poor suggestion to use secp256r1, so it acts as a honeypot. They have found that Koblitz curves are actually more secure than the random ones.

* Satoshi had information which led him/them to believe that secp256r1 was indeed a honeypot and that secp256k1 was the better choice for real security

Quote:
Something I find rather disconcerting about bitcoin is a lack of justification/explanation for some of the design decisions, in particular the choice of doing 256-bit ECDSA keypairs over secp256k1 vs secp256r1 (a.k.a. P-256) for wallets...

Can anyone provide a justification for using secp256k1 over secp256r1 besides "that's just the way it is" or "so it was written in the great book"?

Quote:
Since 2007 there is evidence that the supposedly random constants in secp256r1 may have been manipulated by the NSA to provide a backdoor.  See http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115.  Presumably Satoshi was aware of this.  The Koblitz curves cannot have been so "cooked"; see http://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters/10273#10273.


I know this is a somewhat old thread, but as this comes up as a top answer when searching for secp256r1, I feel some of the above points need to be clarified.

Firstly, people are comparing secp256r1 to Dual_EC_DRBG as if they're interchangeable (and some even seem to think that they're the same thing). They're not. They're two completely different algorithms that serve completely different purposes. Dual_EC_DRBG has been suspicious from the second it was published and plenty of people from the security industry have warned against using it. I believe someone recently was able to demonstrate a proof of concept of breaking the encryption when using their own curve parameters. The issue is that the specification gives a default curve that doesn't indicate where those parameters came from - it should be random.

However, secp256r1 has no such proof. There is a theoretical issue with it, though - its curve parameters are taken from a SHA1 hash (unlike Dual_EC_DRBG) of a seed value. It's very, very difficult to reverse a hash like that, which is what the NSA will have to have done in order to "trap" the algorithm. It's still theoretical and relies on them having undisclosed exploits that we're unaware of (unlike Dual_EC_DRBG which doesn't) - certainly a possibility and if you value your privacy, don't use it, but it's not quite as obvious as Dual_EC_DRBG. That doesn't make it "safe" per se, but then again it requires a much bigger leap for the NSA to have compromised. There hasn't been a "leak" (from Snowden or otherwise) that I am aware of that indicates that secp256r1 is a honeypot, but there has for Dual_EC_DRBG.

By all means, if you're sceptical then don't use secp256r1, but let's not confuse it with a completely different algorithm.
gmaxwell (Moderator, Legendary, expert)
January 28, 2014, 04:32:48 PM, #22

No one here was claiming that and if they were they would have been promptly corrected.  That the selection power in the 'random' parameter procedure would have required unknown attacks is something that has been pointed out before.  If you're going to bump an old thread, please at least refrain from insulting everyone in the subforum.
hashman (Legendary)
January 28, 2014, 09:38:38 PM, #23

More discussion please, thanks contributors.

I'm too lazy to give you the link in this forum, but I believe satoshi was asked directly and his response was:  "It was lying around".
davispuh (Newbie)
February 28, 2014, 07:15:03 AM, #24

based on this site http://safecurves.cr.yp.to/ secp256r1 (P-256) is not safe, but neither is secp256k1. Of course, it's debatable how trustable this claim is.

Curve25519 is said to be safe and there's also some other new ones assumed to be safe.
kjj (Legendary)
February 28, 2014, 12:00:18 PM, #25

Quote from: davispuh on February 28, 2014, 07:15:03 AM
based on this site http://safecurves.cr.yp.to/ secp256r1 (P-256) is not safe, but neither is secp256k1. Of course, it's debatable how trustable this claim is.

Curve25519 is said to be safe and there's also some other new ones assumed to be safe.

If you search this board for that URL, you'll find at least one thread, maybe more.  The short version is that djb has a huge ego.  The long version is that the things he dislikes about secp256k1 don't matter, or at the very least, don't matter to us.

Come-from-Beyond (Legendary)
March 07, 2014, 08:19:06 AM, #26

Quote from: kjj on February 28, 2014, 12:00:18 PM
The short version is that djb has a huge ego.

Hm. It's the 2nd time today that you use a personal insult as a counter-argument. "Bitcoin Foundation - Lifetime Member" under your avatar explains the behavior though...
ripper234 (Ron Gross, Legendary)
September 04, 2014, 10:27:28 AM, #27

I took the question to crypto.stackexchange.

http://crypto.stackexchange.com/questions/18965/is-secp256r1-more-secure-than-secp256k1

gmaxwell (Moderator, Legendary, expert)
September 04, 2014, 10:39:33 AM, #28

Why would you do that (and bump this old thread) except for pure trolling purposes?  Considering the fact that secp256r1 has unexplainable mystery parameters I can't imagine anyone outside of the NSA promoting it.
ripper234 (Ron Gross, Legendary)
September 04, 2014, 11:57:02 AM, #29

Quote from: gmaxwell on September 04, 2014, 10:39:33 AM
Why would you do that (and bump this old thread) except for pure trolling purposes?  Considering that fact that secp256r1 has unexplainable mystery parameters I can't imagine anyone outside of the NSA promoting it.

Because I haven't been able to piece together that the issue brought in this thread was fully resolved (maybe I missed something / read too quickly), and wanted to expose the matter at hand to more eyes.

Since then I also posted to reddit and via it found this other bitcointalk thread that sheds more light on the matter.

No trolling intended I assure you.

BurtW (Legendary)
September 04, 2014, 12:20:55 PM, #30

I believe that the ECC/NSA thread you referenced did eventually nail down every parameter used to create secp256k1 and answers most if not all concerns.

gmaxwell (Moderator, Legendary, expert)
September 04, 2014, 04:46:36 PM, #31

Quote from: BurtW on September 04, 2014, 12:20:55 PM
I believe that the ECC/NSA thread you referenced did eventually nail down every parameter used to create secp256k1 and answers most if not all concerns.

Yes, there is a python script that produces every parameter for secp256k1 from first principles, except the generator— and both myself and D. J. Bernstein have given the proof that in-advance choice of the generator is harmless outside of restricted conditions that aren't relevant to normal Bitcoin usage.
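An added example, written for this page and not the script gmaxwell refers to nor code from the thread: it rebuilds the secp256k1 field prime from its formula 2^256 - 2^32 - 977, checks p and the group order n for primality, and checks that the SEC 2 generator lies on y^2 = x^3 + 7 and has order n. The generator can only be verified this way, not derived, which is the caveat in the post above; the cofactor h = 1 is not checked.

```python
# Added example, not the thread's script: SEC 2 secp256k1 constants re-checked.
import random
P = 2**256 - 2**32 - 977          # field prime from its "first principles" formula
P_SEC2 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7                       # curve equation y^2 = x^3 + 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def is_probable_prime(m, rounds=16):   # Miller-Rabin with random bases, m > 3
    d, r = m - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False               # a witness of compositeness was found
    return True

def on_curve(pt):                      # y^2 == x^3 + a*x + b over GF(P)
    return (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def ec_add(p1, p2):                    # affine group law; None = point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                    # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                     # double-and-add; not constant-time, checks only
    acc = None
    while k:
        acc, pt, k = (ec_add(acc, pt) if k & 1 else acc), ec_add(pt, pt), k >> 1
    return acc

def secp256k1_checks():                # which "first principles" properties hold
    return {"p_matches_formula": P == P_SEC2, "p_prime": is_probable_prime(P),
            "n_prime": is_probable_prime(N), "G_on_curve": on_curve(G),
            "G_has_order_n": ec_mul(N, G) is None}
```

Every check should come back True; a point off the curve or a scalar other than a multiple of n makes the corresponding check fail, which is how a practitioner would catch a mistyped constant.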