What is the reasoning behind the choice of 2^256-2^32-977 for the prime on the secp256k1 curve?
In Bitcoin's elliptic curve (secp256k1), the prime
p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
the generator point
Gx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
Gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
and the order of the group generated by G
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
are predefined.
What is the reasoning behind this? Why are these values more secure or efficient than any other ones?
ecdsa sha256 secp256k1
asked Mar 17 at 23:35
Pedro Gonçalves
3 Answers
Secp256k1 was designed to be a 256-bit size elliptic curve without cofactor and admitting an efficient endomorphism for optimization purposes. The choices of the relevant parameters are derived from these criteria.
P is selected to allow a more efficient implementation on general purpose computers. See Solinas' paper on Generalized Mersenne Numbers. We don't know the exact search procedure Certicom used to select P, but it is the first prime you get if you search 2^256 - 2^32 - (1024 - x).
We know, however, that this may not be the exact procedure they would have needed because the presence of the endomorphism requires a cube root of unity. See this answer on crypto stack exchange. But they could have searched this way and got lucky.
The generator could be just any point on the curve and it is trivial to prove that the choice of generator is irrelevant to the security of any scheme that doesn't involve coercing values into curve points, and pretty narrowly relevant otherwise.
We haven't been able to uncover how G was selected, but I did discover that it is a value that was likely obtained by doubling a point with a very small (166 bit) x coordinate. The same value was used in several other ECC standards. (I wouldn't be surprised if it was the hash of someone's name or something silly like that, but it seems that this trivia might have followed Scott Vanstone to his grave).
Since the curve order is prime the order of G isn't a parameter so much as the result of the selection of the field and the curve equation. 'b' in the curve equation being 7 was almost certainly just because it was the first value that gives a secure curve. 'a' being 0 is a necessary condition for the endomorphism.
You might also find this old thread on bitcointalk interesting.
edited Mar 18 at 1:03
answered Mar 18 at 0:56
G. Maxwell
What do you mean by "admitting an efficient endomorphism"? I know the meaning of the word endomorphism. But where and how is it being used? I could open a separate question if that was necessary.
– Rene Pickhardt
Mar 18 at 6:51
@Rene Pickhardt: the optimization to use the efficiently-computable endomorphism to speed up elliptic curve computations is called the Gallant-Lambert-Vanstone method, but the details probably warrant their own question
– Pieter Wuille
2 days ago
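The parameter properties the answer above relies on can be checked directly. The Python below is an added example, not part of the original answer or of any Bitcoin library: it confirms that p is prime and equals 2^256 - 2^32 - 977, shows the division-free reduction that the special form of p allows, and finds a cube root of unity beta with its matching scalar lambda for the endomorphism. All function names are this example's own and the sample scalar is constructed.

```python
# Added example: checks on the secp256k1 constants quoted in the question.
# Function names are this example's own; the arithmetic is not constant time.
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
     0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
C = 2**32 + 977          # 2^256 is congruent to C modulo P

def is_probable_prime(m):
    """Miller-Rabin with fixed small-prime bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if m < 2:
        return False
    for q in bases:
        if m % q == 0:
            return m == q
    d, r = m - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def solinas_reduce(x):
    """x mod P without division: fold the high bits down using 2^256 = C."""
    while x >> 256:
        x = (x & (2**256 - 1)) + (x >> 256) * C
    return x - P if x >= P else x

def add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        s = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope, a = 0
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def cube_root_of_unity(m):
    """A root w != 1 of w^3 = 1 modulo a prime m with m % 3 == 1."""
    g = 2
    while pow(g, (m - 1) // 3, m) == 1:
        g += 1
    return pow(g, (m - 1) // 3, m)

def endomorphism_pair():
    """Find (beta, lam) with lam*(x, y) == (beta*x mod P, y) on the curve."""
    beta, lam = cube_root_of_unity(P), cube_root_of_unity(N)
    if mul(lam, G) != (beta * G[0] % P, G[1]):
        lam = lam * lam % N      # the other non-trivial cube root mod N
    return beta, lam

def check_parameters():
    """Evaluate each property the answer mentions; every value should be True."""
    beta, lam = endomorphism_pair()
    q = mul(0x1234567890abcdef, G)      # constructed sample point
    return {
        "p == 2^256 - 2^32 - 977": P == 2**256 - 2**32 - 977,
        "p is prime": is_probable_prime(P),
        "n is prime (cofactor 1)": is_probable_prime(N),
        "p % 3 == 1 (cube root of unity exists)": P % 3 == 1,
        "G is on y^2 = x^3 + 7": (G[1]**2 - G[0]**3 - 7) % P == 0,
        "n*G is the point at infinity": mul(N, G) is None,
        "lam*Q == (beta*Qx, Qy)": mul(lam, q) == (beta * q[0] % P, q[1]),
    }

if __name__ == "__main__":
    for name, ok in check_parameters().items():
        print(f"{name}: {ok}")
```

The map (x, y) -> (beta*x, y) stays on the curve only because a = 0: (beta*x)^3 + 7 = x^3 + 7, so one field multiplication replaces a full scalar multiplication by lambda.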
A very short layman's answer (not mathematically correct) is the normalization of the private key needs to be a very large prime number less than 2^256-1 to ensure the cyclic modulo operation does not easily repeat predictably to compute the associated public key. If someone was able to discover a larger prime number than p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1 and less than 2^256-1, such a number could have been used for cyclic normalization. Additionally, a good pseudo random number generator heuristic is to initially seed them with very large prime numbers.
answered Mar 18 at 2:37
skaht
That is probably for others here to answer but I will give it a shot.
We are looking for an elliptic curve which has a cyclic subgroup with a high order (but not higher than 2^256, as we want to work with 32-byte private keys and the private keys are the orders of the elements with respect to the generator point). This particular elliptic curve over that prime field seems to fulfill these properties.
The order of the subgroup basically defines the difficulty for the discrete logarithm. If the subgroup, for example, was of an order so small that one could store all group elements on a computer, one could just compute it and break any public key coming from that group.
As for the generator point, I believe this is an arbitrary choice. Since the group is cyclic (and afaik of prime order) any other element (unless the neutral one) could have served as the generator. However, we need to agree on a fixed generator point for ECDSA to have the same results every time we run the algorithms. Therefore one element was chosen.
I am not sure if there is more theory as to why this particular configuration seems preferable.
answered Mar 17 at 23:49
Rene Pickhardt
Tiny nit: an elliptic curve with a cyclic prime subgroup. Most elliptic curves are cyclic on their own, but most are of composite order.
– Pieter Wuille
Mar 18 at 4:49