Bitcoin Forum
April 23, 2024, 01:11:47 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > How is the base point G chosen for secp256k1?
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: How is the base point G chosen for secp256k1?  (Read 1052 times)
uminatsu (OP)
Newbie
*
Offline Offline

Activity: 55
Merit: 0


View Profile
April 01, 2014, 05:12:00 PM
 #1
I did some research on Google but couldn't find an answer.

So secp256k1 has this seemingly random "base point" G:

G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8

Has anyone wondered why this point is chosen? Is it provably chosen at random, or based on some nothing-up-my-sleeve procedure?

Why not choose a point with a very small (say <10) x-coordinate?

The modular exponential Diffie-Hellman groups for IKE (http://tools.ietf.org/html/rfc3526) always choose the number "2" as the generator. Something similar can be done for ECC too.
Transactions must be included in a block to be properly completed. When you send a transaction, it is broadcast to miners. Miners can then optionally include it in their next blocks. Miners will be more inclined to include your transaction if it has a higher transaction fee.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
April 01, 2014, 05:15:12 PM
 #2
The NSA picked it. There is no known way to gimmick the base point.
I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
uminatsu (OP)
Newbie
*
Offline Offline

Activity: 55
Merit: 0


View Profile
April 01, 2014, 05:25:27 PM
 #3
Quote from: JoelKatz on April 01, 2014, 05:15:12 PM
The NSA picked it. There is no known way to gimmick the base point.

What if the picker of G actually started from a special point G' on the curve that has very small x-coordinates, and pick a random 256-bit number n to arrive at G = n * G'. There's no way to disprove that someone has the knowledge of this secret value "n".

I'm not exactly sure what advantage this secret knowledge has, except the picker could create very short ECDSA signatures (he'll set "k" to the multiplicative inverse of "n" thus "r" will be the x-coordinate of G').
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4158
Merit: 8382



View Profile WWW
April 01, 2014, 06:26:04 PM
 #4
Quote from: JoelKatz on April 01, 2014, 05:15:12 PM
The NSA picked it. There is no known way to gimmick the base point.
As far as anyone yet knows our parameters were not selected by "The NSA".  In any case, choice of the generator was discussed extensively. The most we could come up with is that perhaps someone could convince you that a particular pubkey was a 'nothing up my sleeve' pubkey when it really wasn't.
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > How is the base point G chosen for secp256k1?
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!