Bitcoin Forum
December 14, 2017, 01:01:25 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Did Satoshi foresee that secp256r1 was compromised?  (Read 4507 times)
drawingthesun
Legendary
*
Offline Offline

Activity: 1078


View Profile
September 12, 2013, 05:54:55 AM
 #1

It would be kind of genius if the reason Bitcoin does not use secp256r1 was because Satoshi knew about its possible weaknesses.

Weaknesses discussion: http://it.slashdot.org/story/13/09/11/1224252/are-the-nist-standard-elliptic-curves-back-doored?utm_source=rss1.0mainlinkanon&utm_medium=feed

Bruce Schneier no longer trusts the numbers used to create the curves. https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

And going back to this discussion about why secp256k1 was used instead of secp256r1 is it possible that Satoshi knew the secp256r1 was compromised?
https://bitcointalk.org/?topic=2699.0
1513213285
Hero Member
*
Offline Offline

Posts: 1513213285

View Profile Personal Message (Offline)

Ignore
1513213285
Reply with quote  #2

1513213285
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218


Michael, send me some coins before I hitman you


View Profile
September 12, 2013, 06:01:53 AM
 #2

I also discussed with satoshi, and he said that his employers at the NSA wanted him to create the first P2P currency with a back door in it. That back door happens to be in this specific elliptic curve. Government supercomputers searched for a random elliptic curve that contained a back door.

Just joking, but that's my conspiracy theory. Actually if there is no particular reason for this elliptic curve to be chosen, that is actually suspicious...
Shocked  Cheesy

We can't do anything but speculate, though. Earlier, it's said Satoshi picked it "just because."

Don't mix your coins someone said isn't legal
drawingthesun
Legendary
*
Offline Offline

Activity: 1078


View Profile
September 12, 2013, 06:03:25 AM
 #3

I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time.
https://bitcointalk.org/index.php?topic=2699.0

Yeah I saw that, but if he knew that secp256r1 was possibly compromised he might have wanted to divert the conversation and hide his real reason for using secp256k1. (He probably knew that if he started talking about how secp256r1 was compromised people would see him as a nut case and that could undermine bitcoin in the early years)
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2366



View Profile
September 12, 2013, 06:07:25 AM
 #4

It would be kind of genius if the reason Bitcoin does not use secp256r1 was because Satoshi knew about its possible weaknesses.
No need to assume that. Secp256k1 was sort of the obvious choice for Bitcoin because of the performance considerations. (Today you would have chosen Ed25519 instead)

Bitcoin will not be compromised
drawingthesun
Legendary
*
Offline Offline

Activity: 1078


View Profile
September 12, 2013, 06:13:42 AM
 #5

It would be kind of genius if the reason Bitcoin does not use secp256r1 was because Satoshi knew about its possible weaknesses.
No need to assume that. Secp256k1 was sort of the obvious choice for Bitcoin because of the performance considerations. (Today you would have chosen Ed25519 instead)

Oh ok. Do you reckon there is any need to switch bitcoin over to Ed25519 at the moment? Or do you trust the magic numbers in Secp256k1?
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2366



View Profile
September 12, 2013, 06:37:29 AM
 #6

Oh ok. Do you reckon there is any need to switch bitcoin over to Ed25519 at the moment? Or do you trust the magic numbers in Secp256k1?
If it's possible for any of these ECC systems to be intentionally insecure that would require some profound math which is unknown to the public. If we assume the existence of profound math which is unknown to the public, I do not see a reason to also assume Ed25519 is more secure.

Including it would be a significant burden (a fast ecc signature validation implementation is not simple code, and would not overlap with our existing code) which would carry its own risks.

Bitcoin will not be compromised
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526


View Profile
September 12, 2013, 11:36:44 AM
 #7

The curve we use has fewer (no?) places to hide magic NSA-selected numbers. At the moment the only reason to doubt it would be the general aura of distrust that now surrounds anything NIST does, which is insufficient by itself. The random curves look bad because even though nobody knows what kind of maths would allow them to be undermined, the way the selection process worked is deeply suspicious.
oleganza
Full Member
***
Offline Offline

Activity: 200


Software design and user experience.


View Profile WWW
September 12, 2013, 12:12:56 PM
 #8

It's kinda interesting how "trust" could be misleading. Same people who advocated switching to a "more deployed random curve" just 2.5 years ago (https://bitcointalk.org/index.php?topic=2699.0) now seriously distrust NIST parameters and prefer Koblitz curves for allowing less freedom in parameter choice.

Even if Satoshi didn't know anything in particular about backdoors in random parameters, he might have chosen a less suspicious curve.


Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526


View Profile
September 12, 2013, 12:20:43 PM
 #9

I think Satoshi was clearly not an expert cryptographer. His interest in ECC went as far as saying "this does digital signatures and takes less space than RSA". He may or may not have chosen secp256k1 because he saw mention of performance - if he did, then he didn't mention that when I explicitly asked him about it. Alternatively it could have been as simple as finding some example code somewhere on the net that happened to use that curve. He plugged it in, it worked, done.

As it happens, whatever the reason for selecting that curve, it's worked out pretty well for us all things considered. Of all the issues Bitcoin has, it turns out that ECC isn't one of them.
oleganza
Full Member
***
Offline Offline

Activity: 200


Software design and user experience.


View Profile WWW
September 12, 2013, 04:39:26 PM
 #10

I think Satoshi was clearly not an expert cryptographer. His interest in ECC went as far as saying "this does digital signatures and takes less space than RSA". He may or may not have chosen secp256k1 because he saw mention of performance - if he did, then he didn't mention that when I explicitly asked him about it. Alternatively it could have been as simple as finding some example code somewhere on the net that happened to use that curve. He plugged it in, it worked, done.

As it happens, whatever the reason for selecting that curve, it's worked out pretty well for us all things considered. Of all the issues Bitcoin has, it turns out that ECC isn't one of them.

If he was not an expert cryptographer and secp256k1 was less used that r1, how did he end up with it? Random sample code would rather contain an "r" curve.

I think he was quite serious about Bitcoin and took enough time to think through many complex aspects of it (and implement!) that many Bitcoin enthusiasts still don't get. Even if he wasn't an "expert" by your standard, I doubt he plugged in ECC implementation from a random sample code. I think he had reasons for almost every decision he was making.




Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
Zangelbert Bingledack
Legendary
*
Offline Offline

Activity: 1036


View Profile
September 12, 2013, 08:55:44 PM
 #11

Given Satoshi's desire to stay anonymous, he wouldn't have wanted to out himself as a crypto expert, or any kind of expert - that would really narrow down the search field. His best move is to appear to be "just good enough" at everything and to make any choices informed by high-level expertise look like mere happenstance.
grau
Hero Member
*****
Offline Offline

Activity: 836


bits of proof


View Profile WWW
September 12, 2013, 09:05:45 PM
 #12

I think Satoshi was clearly not an expert cryptographer. His interest in ECC went as far as saying "this does digital signatures and takes less space than RSA". He may or may not have chosen secp256k1 because he saw mention of performance - if he did, then he didn't mention that when I explicitly asked him about it. Alternatively it could have been as simple as finding some example code somewhere on the net that happened to use that curve. He plugged it in, it worked, done.

It appears to me that he was creating a system he knew works in principle with tools he just stumbled upon, his choice of language, database, algorithms, constants, opcodes etc. seem to be arbitrary, sometimes lucky, sometimes poor.

I do no longer wonder of his particular decisions. As if he knew the system works if it has certain features, details are not relevant to bootstrap, and will be sorted out by others after him.
tyler durden
Newbie
*
Offline Offline

Activity: 4


View Profile
September 12, 2013, 09:34:59 PM
 #13

If it's possible for any of these ECC systems to be intentionally insecure that would require some profound math which is unknown to the public. If we assume the existence of profound math which is unknown to the public, I do not see a reason to also assume Ed25519 is more secure.

If we are to believe the Snowden documents then we must "assume the existence of profound math which is unknown to the public"

http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0

from the bullrun briefing sheet:

In recent years there has been an aggressive effort, lead by NSA, to make major improvements in defeating network security and privacy involving multiple sources and methods, all of which are extremely sensitive and fragile. These include: Computer Network Exploitation (CNE); collaboration with other Intelligence Agencies; investment in high-performance computers; and development of advanced mathematical techniques.
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2366



View Profile
September 12, 2013, 09:41:36 PM
 #14

If we are to believe the Snowden documents then we must "assume the existence of profound math which is unknown to the public"
You missed my point. I wasn't expressing any opinion on that fact. I was saying that if it is true the mystery math could apply equally (or more so) to other arbitrary choices that otherwise look good.  That generally "Foo could have ninja math" is a concerning risk but it's not generally one that tells us which of two otherwise very similar things is better.  (It might, however, suggest a stronger preference for symmetric cryptography, as that rests on math which is believed to be fundamentally more sound)

Bitcoin will not be compromised
markm
Legendary
*
Offline Offline

Activity: 2002



View Profile WWW
September 12, 2013, 10:21:25 PM
 #15

Ninja math! Hahah.

"I am going to count to three..." Wink

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Sukrim
Legendary
*
Offline Offline

Activity: 2212


View Profile
September 14, 2013, 07:54:36 AM
 #16

Well, he was working on a system that does at least a partial brute-force attack on secure hashes. Seeing some magic constants whose only protection is that a "random"(?) value is being hashed and the hash is being used instead of the value itself might at least look suspicious enough for someone.

I however also doubt that there was very much of a design choice - maybe he did read through docs and whatnot, but realistically he just wanted something to get the job of signature verification done. Afaik bitcoin uses openssl, so he saw 2 defined curves with the same parameters, maybe he checked at least, which one has better performance characteristics or security, so he would have ended up with the k-curve, or it was pure luck.

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2366



View Profile
September 14, 2013, 08:16:57 AM
 #17

or it was pure luck.
or it was satoshi who chose the NIST recommended parameters!

Bitcoin will not be compromised
Sukrim
Legendary
*
Offline Offline

Activity: 2212


View Profile
September 14, 2013, 08:24:27 AM
 #18

They are equally as likely based on a sound sample of a fart during a phone talk between George W. Bush and Putin, intercepted by NSA and encoded in this number or the phrase "Satoshi Nakamoto's mom" run through a key derivation function... Roll Eyes

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf
behindtext
Full Member
***
Offline Offline

Activity: 121


View Profile WWW
September 14, 2013, 10:23:21 PM
 #19

or it was pure luck.
or it was satoshi who chose the NIST recommended parameters!
if bitcoin was a product of USG agencies, you may indirectly be correct Smiley

spike420211
Sr. Member
****
Offline Offline

Activity: 380



View Profile
September 15, 2013, 11:22:07 PM
 #20

Quote
Oh ok. Do you reckon there is any need to switch bitcoin over to Ed25519 at the moment? Or do you trust the magic numbers in Secp256k1?
Would Ed22519 be allowed to implement without a major fork?
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!