secp256k1 - A tale of two elliptic curves

A few days ago I blogged about the elliptic curve secp256k1 and its use in Bitcoin. This curve has a sibling, secp256r1. Note the “r” in the penultimate position rather than a “k”. Both are defined in SEC 2: Recommended Elliptic Curve Domain Parameters. Both are elliptic curves over a prime field Z_p, where p is a 256-bit prime (a different prime for each curve).

The “k” in secp256k1 stands for Koblitz and the “r” in secp256r1 stands for random. A Koblitz elliptic curve has some special properties that make it possible to implement the group operation more efficiently. It is believed that there is a small security trade-off, in that more “randomly” selected parameters are thought to be more secure. However, some people suspect that the random coefficients may have been selected to provide a back door.

Both elliptic curves are of the form y² = x³ + ax + b. In the Koblitz curve, we have

a = 0
b = 7

and in the random case we have

a = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFC
b = 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B

You can find the rest of the elliptic curve parameters in the SEC 2 report. For some help understanding what the parameters mean and how to decode them, see my earlier post.
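To make the two parameter sets concrete, here is an added example (not code from the original post) that decodes the SEC 2 hex notation quoted above, checks that each curve is non-singular, verifies that the standard generator point lies on each curve, and doubles that point with the affine formula for y² = x³ + ax + b. The a and b values are those shown above; the primes p and the generator coordinates are the published SEC 2 / FIPS 186-4 constants, not values from this page. The dictionary names, `sec_hex`, and the helper functions are my own choices.

```python
# Added example: secp256k1 vs secp256r1 (NIST P-256) over the prime field Z_p.
# a and b come from the text above; p and G are the published SEC 2 constants.

def sec_hex(s: str) -> int:
    """Parse a SEC 2-style hex string written as space-separated 32-bit words."""
    return int(s.replace(" ", ""), 16)

# secp256k1 ("k" = Koblitz): a = 0, b = 7, p = 2^256 - 2^32 - 977
SECP256K1 = {
    "p": 2**256 - 2**32 - 977,
    "a": 0,
    "b": 7,
    "Gx": sec_hex("79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798"),
    "Gy": sec_hex("483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8"),
}

# secp256r1 / NIST P-256 ("r" = random): p = 2^256 - 2^224 + 2^192 + 2^96 - 1
SECP256R1 = {
    "p": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "a": sec_hex("FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFC"),
    "b": sec_hex("5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B"),
    "Gx": sec_hex("6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296"),
    "Gy": sec_hex("4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5"),
}

def is_nonsingular(c: dict) -> bool:
    """A short Weierstrass curve is non-singular iff 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * c["a"] ** 3 + 27 * c["b"] ** 2) % c["p"] != 0

def on_curve(c: dict, x: int, y: int) -> bool:
    """Check y^2 == x^3 + a*x + b (mod p)."""
    return (y * y - (x ** 3 + c["a"] * x + c["b"])) % c["p"] == 0

def a_is_p_minus_3(c: dict) -> bool:
    """P-256 picks a = p - 3 (i.e. a = -3), a common choice that speeds up
    projective doubling; secp256k1 instead picks a = 0."""
    return c["a"] % c["p"] == c["p"] - 3

def double_point(c: dict, x: int, y: int) -> tuple[int, int]:
    """Affine doubling on y^2 = x^3 + ax + b: slope (3x^2 + a) / (2y).
    With a = 0 (the Koblitz case) the '+ a' term simply disappears."""
    p = c["p"]
    slope = (3 * x * x + c["a"]) * pow(2 * y, -1, p) % p
    x3 = (slope * slope - 2 * x) % p
    y3 = (slope * (x - x3) - y) % p
    return x3, y3

if __name__ == "__main__":
    for name, c in (("secp256k1", SECP256K1), ("secp256r1", SECP256R1)):
        print(name, "non-singular:", is_nonsingular(c),
              "G on curve:", on_curve(c, c["Gx"], c["Gy"]),
              "a == -3:", a_is_p_minus_3(c))
```

Running the script prints a line per curve; both generators check out, and only P-256 has a = -3. The `pow(2*y, -1, p)` modular inverse requires Python 3.8 or later.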

The NSA recommends the random curve for government use. It is also known as NIST P-256. Or rather, it did recommend P-256 as part of its Suite B of cryptography recommendations. In August 2015 the NSA announced its concern that in the future, quantum computing could render the Suite B methods insecure. As far as we know, quantum computing at scale is years, maybe decades, away. But it takes a long time to develop quality encryption methods, and so the NSA and NIST are urging people to think ahead. (Update: The NSA recommends P-384 until post-quantum methods mature.)

In the previous post, we covered the math behind the addition law for elliptic curves over the Galois field GF(p), the prime field. Now we cover the math behind elliptic curves over the Galois field GF(2ⁿ), the binary field. In the literature, elliptic curves over GF(2ⁿ) are more common than those over GF(p) because they adapt well to hardware implementations. This type of curve is also called a Koblitz curve.

Cryptography Basics From Scratch In Python

Elliptic Curves over GF(2ⁿ)

Algebraically, an elliptic curve over a binary field is represented in the following form:

y² + xy = x³ + ax² + b, (b ≠ 0)

Negative Point

Suppose that P(x, y) is a point on the curve. The negative of the point P(x, y) is -P = (x, -(x + y)), and -P is still on the curve.

[Figure ecc_5: the points P(m, t) and Q(m, n) share the same x-coordinate]

Put P(m, t) and Q(m, n) into the equation y² + xy = x³ + ax² + b:

t² + mt = m³ + am² + b

n² + mn = m³ + am² + b

Subtract the 2nd equation from the 1st:

t² – n² + mt – mn = 0

t² + mt – n² – mn = 0

t² + mt – n(n + m) = 0

According to the sum and product of the roots rule, the equation can be factored as:

(t – n)(t + n + m) = 0

t1 = n

t2 = –n – m = –(n + m)

We already know that t1 = n is on the curve, at the point Q(m, n). So t2 = –(n + m) is still on the curve. That proves the negative point for elliptic curves over GF(2ⁿ).

Proof of the Addition Law

[Figure ecc_6: the line through P(x1, y1) and Q(x2, y2) meets the curve a third time at -R]

The red line satisfies the equation y = ßx + µ. The slope formula gives ß:

ß = (y1 – y2)/(x1 – x2) [Eq. 1]

Let's combine the curve equation (y² + xy = x³ + ax² + b) with the line equation (y = ßx + µ):

(ßx + µ)² + x(ßx + µ) = x³ + ax² + b

ß²x² + µ² + 2ßµx + ßx² + µx = x³ + ax² + b

x³ + (a – ß² – ß)x² – (2ßµ + µ)x + (b – µ²) = 0

As mentioned in the previous post, by the relation between the coefficients and the roots of a polynomial, the sum of the roots (x1, x2, x3) has to equal the negative of the coefficient of x², which is (a – ß² – ß).

–(a – ß² – ß) = x1 + x2 + x3

x3 = ß² + ß – x1 – x2 – a [Eq. 2]

We already know that P(x1, y1) is on the line:

y1 = ßx1 + µ

µ = y1 – ßx1

Also, the point -R(x3, -(x3 + y3)) has to lie on the line y = ßx + µ:

-(x3 + y3) = ßx3 + µ

Substitute the µ obtained above:

-(x3 + y3) = ßx3 + y1 – ßx1

-x3 – y3 = ßx3 + y1 – ßx1

y3 = ßx1 – x3 – ßx3 – y1

y3 = ß(x1 – x3) – x3 – y1 [Eq. 3]

To sum up, the addition of two points P(x1, y1) and Q(x2, y2) on an elliptic curve of the form y² + xy = x³ + ax² + b is another point on the curve, labeled R(x3, y3), which can be computed by the following formulas.

P(x1, y1) + Q(x2, y2) = R(x3, y3)

ß = (y1 – y2)/(x1 – x2)

x3 = ß² + ß – x1 – x2 – a

y3 = ß(x1 – x3) – x3 – y1

Doubling a point

Similarly, doubling a point on an elliptic curve follows these principles.

[Figure ecc_7: the tangent line at P(x1, y1) meets the curve again at -2P]

The red line is tangent to the elliptic curve at the point labeled P(x1, y1). The slope of the tangent line is equal to the derivative of the elliptic curve function at the point P(x1, y1).

(y² + xy)′ = (x³ + ax² + b)′

2y·dy + y·dx + x·dy = 3x²·dx + 2ax·dx

2y·dy + x·dy = 3x²·dx + 2ax·dx – y·dx

dy(2y + x) = dx(3x² + 2ax – y)

ß = dy/dx = (3x² + 2ax – y)/(2y + x)

We know that the pair (x1, y1) is on the line. Let's put the pair into the slope formula:

ß = (3(x1)² + 2a·x1 – y1)/(2y1 + x1)

Doubling a point on an elliptic curve over GF(2ⁿ) can be computed by the following formulas.

P(x1, y1) + P(x1, y1) = 2P(x2, y2)

ß = (3(x1)² + 2a·x1 – y1)/(2y1 + x1)

x2 = ß² + ß – 2x1 – a

y2 = ß(x1 – x2) – x2 – y1
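The following is an added example (not code from the original post) that implements the addition law and the doubling law above on a small binary curve. In a field of characteristic 2, subtraction is the same as addition and every coefficient that is a multiple of 2 vanishes, so the formulas reduce to ß = (y1 + y2)/(x1 + x2), x3 = ß² + ß + x1 + x2 + a, y3 = ß(x1 + x3) + x3 + y1 for addition and ß = x1 + y1/x1 for doubling, with the same x3 and y3 expressions (x1 + x2 is then zero). Field elements of GF(2ᵐ) are stored as integers whose bits are polynomial coefficients. The field GF(2⁴) with reduction polynomial z⁴ + z + 1, the curve coefficients `A` and `B`, and all function names are constructed for this illustration and are not from the text.

```python
# Added example: arithmetic on y^2 + xy = x^3 + A*x^2 + B over GF(2^M),
# using the addition and doubling formulas from the text with the
# characteristic-2 simplifications (subtraction == XOR, 2*anything == 0).

M = 4                 # constructed: a tiny field so every point can be enumerated
REDUCTION = 0b10011   # constructed: z^4 + z + 1, irreducible over GF(2)
A, B = 0b1000, 0b0001 # constructed curve coefficients; B != 0 keeps the curve non-singular
INF = None            # the point at infinity (group identity)

def gf_add(u: int, v: int) -> int:
    """Addition in GF(2^M) is coefficient-wise XOR (and equals subtraction)."""
    return u ^ v

def gf_mul(u: int, v: int) -> int:
    """Shift-and-XOR multiply, reducing modulo the reduction polynomial as we go."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if (u >> M) & 1:          # degree reached M: subtract (XOR) the modulus
            u ^= REDUCTION
    return r

def gf_pow(u: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r

def gf_inv(u: int) -> int:
    """u^(2^M - 2) == u^-1 in GF(2^M) (Fermat); zero has no inverse."""
    if u == 0:
        raise ZeroDivisionError("zero has no inverse in GF(2^M)")
    return gf_pow(u, 2**M - 2)

def on_curve(P) -> bool:
    """Check y^2 + xy == x^3 + A*x^2 + B."""
    if P is INF:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    lhs = gf_add(gf_mul(y, y), gf_mul(x, y))
    rhs = gf_add(gf_add(gf_mul(x2, x), gf_mul(A, x2)), B)
    return lhs == rhs

def neg(P):
    """-P = (x, -(x + y)) from the text; in characteristic 2 that is (x, x + y)."""
    if P is INF:
        return INF
    x, y = P
    return (x, gf_add(x, y))

def add(P, Q):
    """P + Q using ß, x3, y3 from the text, with the char-2 simplifications."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        # Same x: either Q == -P, or P == Q. When x1 == 0, -P == P, so 2P == INF.
        if y1 != y2 or x1 == 0:
            return INF
        s = gf_add(x1, gf_mul(y1, gf_inv(x1)))               # doubling slope x1 + y1/x1
    else:
        s = gf_mul(gf_add(y1, y2), gf_inv(gf_add(x1, x2)))   # chord slope (y1+y2)/(x1+x2)
    # x3 = ß^2 + ß + x1 + x2 + a  (for doubling x1 + x2 == 0, giving ß^2 + ß + a)
    x3 = gf_add(gf_add(gf_add(gf_add(gf_mul(s, s), s), x1), x2), A)
    # y3 = ß(x1 + x3) + x3 + y1
    y3 = gf_add(gf_add(gf_mul(s, gf_add(x1, x3)), x3), y1)
    return (x3, y3)

def mul(k: int, P):
    """Double-and-add scalar multiplication."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def all_points():
    """Brute-force the whole group, which is feasible only because M is tiny."""
    pts = [INF]
    for x in range(2**M):
        for y in range(2**M):
            if on_curve((x, y)):
                pts.append((x, y))
    return pts

if __name__ == "__main__":
    pts = all_points()
    print("group order:", len(pts))
    P, Q = pts[1], pts[2]
    print("P + Q =", add(P, Q), "on curve:", on_curve(add(P, Q)))
```

Because the group is fully enumerated, the script can check the properties a correct implementation must have: every sum lands on the curve, P + (-P) is the point at infinity, the point count lies within the Hasse bound 2ᴹ + 1 ± 2·2^(M/2), and multiplying any point by the group order gives the identity. Those are the checks worth keeping around when you port the formulas to a real field size.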

As mentioned before, this type of elliptic curve is mostly used in cryptographic hardware implementations because of its speed and adaptability.

Bitcoin chose to use the less popular Koblitz curve for the reasons mentioned above, namely efficiency and concerns over a possible back door in the random curve. Before Bitcoin, secp256k1 was not widely used.
