Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
September 12, 2013, 06:01:53 AM
I also discussed with satoshi, and he said that his employers at the NSA wanted him to create the first P2P currency with a back door in it. That back door happens to be in this specific elliptic curve. Government supercomputers searched for a random elliptic curve that contained a back door.
Just joking, but that's my conspiracy theory. Actually if there is no particular reason for this elliptic curve to be chosen, that is actually suspicious...
We can't do anything but speculate, though. Earlier, it's said Satoshi picked it "just because."
drawingthesun (OP)
Legendary
Offline
Activity: 1176
Merit: 1015
September 12, 2013, 06:03:25 AM
Yeah I saw that, but if he knew that secp256r1 was possibly compromised he might have wanted to divert the conversation and hide his real reason for using secp256k1. (He probably knew that if he started talking about how secp256r1 was compromised people would see him as a nut case and that could undermine bitcoin in the early years)
gmaxwell
Moderator
Legendary
Offline
Activity: 4270
Merit: 8805
September 12, 2013, 06:07:25 AM
It would be kind of genius if the reason Bitcoin does not use secp256r1 was because Satoshi knew about its possible weaknesses.
No need to assume that. Secp256k1 was sort of the obvious choice for Bitcoin because of the performance considerations. (Today you would have chosen Ed25519 instead)
drawingthesun (OP)
Legendary
Offline
Activity: 1176
Merit: 1015
September 12, 2013, 06:13:42 AM
It would be kind of genius if the reason Bitcoin does not use secp256r1 was because Satoshi knew about its possible weaknesses.
No need to assume that. Secp256k1 was sort of the obvious choice for Bitcoin because of the performance considerations. (Today you would have chosen Ed25519 instead)
Oh ok. Do you reckon there is any need to switch bitcoin over to Ed25519 at the moment? Or do you trust the magic numbers in Secp256k1?
gmaxwell
Moderator
Legendary
Offline
Activity: 4270
Merit: 8805
September 12, 2013, 06:37:29 AM
Oh ok. Do you reckon there is any need to switch bitcoin over to Ed25519 at the moment? Or do you trust the magic numbers in Secp256k1?
If it's possible for any of these ECC systems to be intentionally insecure that would require some profound math which is unknown to the public. If we assume the existence of profound math which is unknown to the public, I do not see a reason to also assume Ed25519 is more secure. Including it would be a significant burden (a fast ecc signature validation implementation is not simple code, and would not overlap with our existing code) which would carry its own risks.
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
September 12, 2013, 11:36:44 AM
The curve we use has fewer (no?) places to hide magic NSA-selected numbers. At the moment the only reason to doubt it would be the general aura of distrust that now surrounds anything NIST does, which is insufficient by itself. The random curves look bad because even though nobody knows what kind of maths would allow them to be undermined, the way the selection process worked is deeply suspicious.
oleganza
Full Member
Offline
Activity: 200
Merit: 104
Software design and user experience.
September 12, 2013, 12:12:56 PM
It's kinda interesting how "trust" could be misleading. Same people who advocated switching to a "more deployed random curve" just 2.5 years ago (https://bitcointalk.org/index.php?topic=2699.0) now seriously distrust NIST parameters and prefer Koblitz curves for allowing less freedom in parameter choice. Even if Satoshi didn't know anything in particular about backdoors in random parameters, he might have chosen a less suspicious curve.
Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
September 12, 2013, 12:20:43 PM
I think Satoshi was clearly not an expert cryptographer. His interest in ECC went as far as saying "this does digital signatures and takes less space than RSA". He may or may not have chosen secp256k1 because he saw mention of performance - if he did, then he didn't mention that when I explicitly asked him about it. Alternatively it could have been as simple as finding some example code somewhere on the net that happened to use that curve. He plugged it in, it worked, done.
As it happens, whatever the reason for selecting that curve, it's worked out pretty well for us all things considered. Of all the issues Bitcoin has, it turns out that ECC isn't one of them.
oleganza
Full Member
Offline
Activity: 200
Merit: 104
Software design and user experience.
September 12, 2013, 04:39:26 PM
I think Satoshi was clearly not an expert cryptographer. His interest in ECC went as far as saying "this does digital signatures and takes less space than RSA". He may or may not have chosen secp256k1 because he saw mention of performance - if he did, then he didn't mention that when I explicitly asked him about it. Alternatively it could have been as simple as finding some example code somewhere on the net that happened to use that curve. He plugged it in, it worked, done.
As it happens, whatever the reason for selecting that curve, it's worked out pretty well for us all things considered. Of all the issues Bitcoin has, it turns out that ECC isn't one of them.
If he was not an expert cryptographer and secp256k1 was less used that r1, how did he end up with it? Random sample code would rather contain an "r" curve. I think he was quite serious about Bitcoin and took enough time to think through many complex aspects of it (and implement!) that many Bitcoin enthusiasts still don't get. Even if he wasn't an "expert" by your standard, I doubt he plugged in ECC implementation from a random sample code. I think he had reasons for almost every decision he was making.
Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
Zangelbert Bingledack
Legendary
Offline
Activity: 1036
Merit: 1000
September 12, 2013, 08:55:44 PM
Given Satoshi's desire to stay anonymous, he wouldn't have wanted to out himself as a crypto expert, or any kind of expert - that would really narrow down the search field. His best move is to appear to be "just good enough" at everything and to make any choices informed by high-level expertise look like mere happenstance.
grau
September 12, 2013, 09:05:45 PM
I think Satoshi was clearly not an expert cryptographer. His interest in ECC went as far as saying "this does digital signatures and takes less space than RSA". He may or may not have chosen secp256k1 because he saw mention of performance - if he did, then he didn't mention that when I explicitly asked him about it. Alternatively it could have been as simple as finding some example code somewhere on the net that happened to use that curve. He plugged it in, it worked, done.
It appears to me that he was creating a system he knew works in principle with tools he just stumbled upon; his choice of language, database, algorithms, constants, opcodes etc. seems to be arbitrary, sometimes lucky, sometimes poor. I no longer wonder about his particular decisions. As if he knew the system works if it has certain features, details are not relevant to bootstrap, and will be sorted out by others after him.
tyler durden
Newbie
Offline
Activity: 4
Merit: 0
September 12, 2013, 09:34:59 PM
If it's possible for any of these ECC systems to be intentionally insecure that would require some profound math which is unknown to the public. If we assume the existence of profound math which is unknown to the public, I do not see a reason to also assume Ed25519 is more secure.
If we are to believe the Snowden documents then we must "assume the existence of profound math which is unknown to the public".
http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0
From the Bullrun briefing sheet: In recent years there has been an aggressive effort, lead by NSA, to make major improvements in defeating network security and privacy involving multiple sources and methods, all of which are extremely sensitive and fragile. These include: Computer Network Exploitation (CNE); collaboration with other Intelligence Agencies; investment in high-performance computers; and development of advanced mathematical techniques.
gmaxwell
Moderator
Legendary
Offline
Activity: 4270
Merit: 8805
September 12, 2013, 09:41:36 PM
If we are to believe the Snowden documents then we must "assume the existence of profound math which is unknown to the public"
You missed my point. I wasn't expressing any opinion on that fact. I was saying that if it is true the mystery math could apply equally (or more so) to other arbitrary choices that otherwise look good. That generally "Foo could have ninja math" is a concerning risk but it's not generally one that tells us which of two otherwise very similar things is better. (It might, however, suggest a stronger preference for symmetric cryptography, as that rests on math which is believed to be fundamentally more sound)
markm
Legendary
Offline
Activity: 2996
Merit: 1121
September 12, 2013, 10:21:25 PM
Ninja math! Hahah. "I am going to count to three..." -MarkM-
Sukrim
Legendary
Offline
Activity: 2618
Merit: 1007
September 14, 2013, 07:54:36 AM
Well, he was working on a system that does at least a partial brute-force attack on secure hashes. Seeing some magic constants whose only protection is that a "random"(?) value is being hashed and the hash is being used instead of the value itself might at least look suspicious enough for someone.
I however also doubt that there was very much of a design choice - maybe he did read through docs and whatnot, but realistically he just wanted something to get the job of signature verification done. Afaik bitcoin uses openssl, so he saw 2 defined curves with the same parameters; maybe he at least checked which one has better performance characteristics or security, so he would have ended up with the k-curve, or it was pure luck.
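The "fewer places to hide magic numbers" point raised by Mike Hearn above, and Sukrim's description of constants "whose only protection is that a random value is being hashed", can be made concrete. The following is an added example (not code from this thread, from Bitcoin or from OpenSSL) that re-runs the SEC 1 / ANSI X9.62 "verifiably random" expansion on the published secp256r1 seed and checks the standard's relation r·b² ≡ a³ (mod p); it then shows that, given the seed and a, the curve coefficient b is pinned down to a square root, so the seed is the only free input. For contrast it checks secp256k1, whose a = 0 and b = 7 are not derived from any seed. The parameter values are the published SEC 2 / FIPS 186-2 constants; the function names are mine.

```python
import hashlib

# secp256r1 / NIST P-256 domain parameters as published in SEC 2 and FIPS 186-2.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3                      # a = -3 mod p
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("C49D360886E704936A6678E1139D26B7819F7E90")  # 160-bit SEED

# secp256k1 domain parameters as published in SEC 2: no seed at all.
K1_P = 2**256 - 2**32 - 977
K1_A = 0
K1_B = 7
K1_GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
K1_GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def x962_derive_r(seed: bytes, p: int) -> int:
    """ANSI X9.62 / SEC 1 expansion of SEED into the integer r for a prime field.

    With t = bitlen(p), s = floor((t-1)/160) and v = t - 160*s:
      W0  = rightmost v bits of SHA-1(SEED), leftmost bit of W0 cleared
      Wi  = SHA-1((SEED + i) mod 2^g)   for i = 1..s, g = bitlen(SEED)
      r   = W0 || W1 || ... || Ws
    For P-256: s = 1, v = 96, so r is 96 bits of one hash plus 160 bits of another.
    """
    g = len(seed) * 8
    t = p.bit_length()
    s = (t - 1) // 160
    v = t - 160 * s
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w0 = (h & ((1 << v) - 1)) & ~(1 << (v - 1))
    z = int.from_bytes(seed, "big")
    r = w0
    for i in range(1, s + 1):
        s_i = ((z + i) % (1 << g)).to_bytes(len(seed), "big")
        r = (r << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return r


def verify_random_curve(seed: bytes, p: int, a: int, b: int) -> bool:
    """The standard's published check: r * b^2 == a^3 (mod p)."""
    r = x962_derive_r(seed, p)
    return (r * b * b - a**3) % p == 0


def derive_b_candidates(seed: bytes, p: int, a: int):
    """Solve r * b^2 == a^3 (mod p) for b, given only SEED and a.

    Returns the set {b, p - b} of admissible coefficients, or None if a^3 / r is
    not a quadratic residue. Uses the p == 3 (mod 4) square root, which holds for
    the P-256 prime; other primes would need Tonelli-Shanks.
    """
    if p % 4 != 3:
        raise ValueError("this helper only handles p == 3 (mod 4)")
    r = x962_derive_r(seed, p)
    rhs = (pow(a, 3, p) * pow(r, -1, p)) % p      # b^2 must equal a^3 * r^-1
    root = pow(rhs, (p + 1) // 4, p)
    if (root * root) % p != rhs:
        return None
    return {root, p - root}


def point_on_curve(x: int, y: int, p: int, a: int, b: int) -> bool:
    """Check y^2 == x^3 + a*x + b (mod p) for a short Weierstrass curve."""
    return (y * y - (x**3 + a * x + b)) % p == 0


if __name__ == "__main__":
    print("secp256r1: seed expands to r =", hex(x962_derive_r(P256_SEED, P256_P)))
    print("secp256r1: r*b^2 == a^3 (mod p):", verify_random_curve(P256_SEED, P256_P, P256_A, P256_B))
    print("secp256r1: published b is one of the two roots:",
          P256_B in derive_b_candidates(P256_SEED, P256_P, P256_A))
    print("secp256k1: a, b =", K1_A, K1_B, "(fixed constants, no seed)")
    print("secp256k1: generator lies on y^2 = x^3 + 7:",
          point_on_curve(K1_GX, K1_GY, K1_P, K1_A, K1_B))
```

What this shows is exactly the asymmetry the thread is circling around: for secp256r1 the derivation from SEED to b is reproducible by anyone, but the 160-bit SEED itself is an unexplained constant, so the procedure proves nothing about how many seeds were tried before one was published. For secp256k1 there is no such step to audit; the coefficients are the smallest values that give a prime-order Koblitz curve, which is why the rigid choice is easier to trust even though neither curve has a known weakness.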
gmaxwell
Moderator
Legendary
Offline
Activity: 4270
Merit: 8805
September 14, 2013, 08:16:57 AM
or it was pure luck.
or it was satoshi who chose the NIST recommended parameters!
Sukrim
Legendary
Offline
Activity: 2618
Merit: 1007
September 14, 2013, 08:24:27 AM
They are equally as likely based on a sound sample of a fart during a phone talk between George W. Bush and Putin, intercepted by NSA and encoded in this number or the phrase "Satoshi Nakamoto's mom" run through a key derivation function...
behindtext
September 14, 2013, 10:23:21 PM
or it was pure luck.
or it was satoshi who chose the NIST recommended parameters!
if bitcoin was a product of USG agencies, you may indirectly be correct
spike420211
September 15, 2013, 11:22:07 PM
Oh ok. Do you reckon there is any need to switch bitcoin over to Ed25519 at the moment? Or do you trust the magic numbers in Secp256k1?
Would Ed25519 be allowed to implement without a major fork?