Koblitz Curves and Its Practical Uses in Bitcoin Security
Kristian Bjoernsen, krbjorn@umail.ucsb.edu
Bitcoin uses a specific Koblitz curve, secp256k1, defined by the Standards for Efficient Cryptography Group (SECG). The curve is defined over the finite field $\mathbb{F}_p$:

$y^2 = x^3 + ax + b$

B. Group Homomorphism of Koblitz Curves

Koblitz curves are defined over $GF(2^k)$, and this gives them the following advantageous property:

$P = (x, y) \in E \rightarrow Q = (x^2, y^2) \in E$

The computational advantage of Koblitz curves lies in the existence of the group homomorphism

$\tau : E(GF(q)) \rightarrow E(GF(q))$

based on the Frobenius map:

$\tau(x, y) = (x^2, y^2)$

C. Point multiplication of Koblitz curves

To show how this identity is beneficial to the computation of point multiplication for Koblitz curves, we write it in terms of the squaring map $\tau(x, y) = (x^2, y^2)$ and the point on the elliptic curve $P = (x, y)$:

Or for curves defined over the finite field $\mathbb{F}_p$: $\lceil \log_2 p \rceil \in \{192, 224, 256, 384, 521\}$.

Elliptic curve domain parameters over $\mathbb{F}_p$ with $\lceil \log_2 p \rceil = 2t$ supply approximately $t$ bits of security. This means that solving the discrete logarithm problem on elliptic curves of the bit sizes mentioned above will take approximately $2^t$ operations.

All the recommended elliptic curve parameters over $\mathbb{F}_p$ presented in SECG feature a special form of prime for their field order $p$. These primes make for especially efficient implementations in elliptic curve cryptosystems.

V. THE KOBLITZ CURVE secp256k1

The elliptic curve domain parameters over $\mathbb{F}_p$ associated with the Koblitz curve secp256k1 are specified by the sextuple $T = (p, a, b, G, n, h)$, where the finite field $\mathbb{F}_p$ is defined by [2]:

p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
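The following is an added example, not code from the paper: a toy Koblitz curve over GF(2^7) on which the properties used in Sections B and C can be checked directly, namely that the Frobenius map τ(x, y) = (x², y²) sends curve points to curve points, that it is a group homomorphism, and that it satisfies τ² − μτ + 2 = 0 with μ = (−1)^(1−a), the identity behind rewriting point multiplication in terms of τ. The field size m = 7, the reduction polynomial x^7 + x + 1 and the coefficient a = 1 are my own choices so that every point can be enumerated; the group-law formulas are the standard affine formulas for binary curves y² + xy = x³ + ax² + b.

```python
# Added example (not from the paper): Koblitz curve E_a: y^2 + xy = x^3 + a*x^2 + 1
# over GF(2^7).  Field elements are ints whose bits are polynomial coefficients.
M = 7                      # extension degree: GF(2^7)
POLY = (1 << 7) | 0b11     # reduction polynomial x^7 + x + 1 (irreducible over GF(2))
A = 1                      # Koblitz coefficient a in {0, 1}; b is fixed to 1
MU = 1 if A == 1 else -1   # trace of Frobenius over GF(2): mu = (-1)^(1-a)


def gf_mul(a, b):
    """Multiply two GF(2^M) elements modulo POLY (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:             # degree reached M: reduce
            a ^= POLY
    return r


def gf_inv(a):
    """Inverse by Fermat: a^(2^M - 2)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^M)")
    result, base, e = 1, a, (1 << M) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def on_curve(P):
    """None is the point at infinity; otherwise check y^2 + xy == x^3 + A*x^2 + 1."""
    if P is None:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ (x2 if A else 0) ^ 1


def neg(P):
    """-(x, y) = (x, x + y) on a binary curve."""
    return None if P is None else (P[0], P[0] ^ P[1])


def double(P):
    if P is None or P[0] == 0:     # (0, 1) is the 2-torsion point, so 2*(0, 1) = O
        return None
    x1, y1 = P
    lam = x1 ^ gf_mul(y1, gf_inv(x1))
    x3 = gf_mul(lam, lam) ^ lam ^ A
    return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))


def add(P, Q):
    """Affine group law; None is the identity element."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:                   # Q == P (double) or Q == -P (identity)
        return double(P) if y1 == y2 else None
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)


def tau(P):
    """Frobenius map tau(x, y) = (x^2, y^2); squaring is linear over GF(2), hence cheap."""
    return None if P is None else (gf_mul(P[0], P[0]), gf_mul(P[1], P[1]))


def all_points():
    """Brute-force enumeration of E_A(GF(2^M)), point at infinity included."""
    return [None] + [(x, y) for x in range(1 << M) for y in range(1 << M)
                     if on_curve((x, y))]


def frobenius_identities_hold():
    """tau maps E to E, is a homomorphism, and satisfies tau^2(P) + 2P == mu*tau(P)."""
    pts = all_points()
    for P in pts:
        if not on_curve(tau(P)):
            return False
        lhs = add(tau(tau(P)), double(P))
        rhs = tau(P) if MU == 1 else neg(tau(P))
        if lhs != rhs:
            return False
    for P in pts[::9]:             # a sample of pairs keeps the run short
        for Q in pts[::13]:
            if tau(add(P, Q)) != add(tau(P), tau(Q)):
                return False
    return True


if __name__ == "__main__":
    print("#E_%d(GF(2^%d)) =" % (A, M), len(all_points()))
    print("Frobenius identities hold:", frobenius_identities_hold())
```

Because τ²(P) + 2P = μτ(P) holds for every point, a doubling can be replaced by μτ(P) − τ²(P), i.e. two squarings and one point addition instead of a field inversion; repeating that substitution is what turns an integer scalar into the τ-adic expansion the paper refers to. The group order printed for a = 1, m = 7 equals 2^7 + 1 − V_7, where V_k = μV_{k−1} − 2V_{k−2} is the Frobenius trace recurrence.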
recorded on a public distributed ledger, the so-called block chain, available to everyone.

To create Bitcoins, users of the network offer computing power to the network to record and verify payments into the public ledger (block chain). This activity is called mining, and the transaction fees on the network, as well as newly created bitcoins, are distributed to the users who mine.

Bitcoin uses elliptic curves in its cryptosystem, and has implemented ECDSA as a way of verifying ownership and facilitating transactions on the network.

VII. ECDSA IN BITCOIN

ECDSA is an important algorithm used in the authorization of ownership and transfer of the Bitcoin cryptocurrency.

A. ECDSA Key Generation

Input: $G$ and $n$
Output: Public key $Q$ and private key $d$
1) Compute a random integer $d$ in the range $[1, n - 1]$
2) Compute $Q = dG$
3) Public key: $Q$, Private key: $d$

In Bitcoin, someone with the private key that corresponds to funds on the public ledger is the authorized owner of the funds and has the option to spend them. A private key in Bitcoin is a single unsigned 256-bit integer.

A public key can be either compressed or uncompressed. Compressed public keys are 33 bytes, consisting of a one-byte prefix, either 0x02 or 0x03, and a 256-bit integer called $x$.

B. ECDSA Signatures

Bitcoin also uses ECDSA signatures to manage ownership of funds on the public ledger. In essence, with the public key one can determine, through a mathematical operation on the signature, whether the signature was originally produced from the hash and the private key, without needing to know the private key. In Bitcoin, the signatures are 71, 72, or 73 bytes long.

VIII. BITCOIN AND secp256k1

Before Bitcoin's implementation of secp256k1 in its ECDSA algorithm, this specific curve was not widely used. Many of the early adopters of Bitcoin questioned the use of a seemingly simple elliptic curve, but it is now gaining popularity [4]. Users argue that the closest alternative to secp256k1, namely secp256r1, is the better choice. Other security software, such as OpenSSL, now supports the use of secp256k1 in its security protocols.

As described earlier, the parameters of secp256k1 were chosen in a predictable way, in contrast to the more popular NIST curves, which is believed to make it less likely that the creator of the curve inserted any form of backdoor into the curve.

IX. HOW SECURE IS secp256k1

Unlike pseudo-randomly chosen parameters for elliptic curves, Koblitz curve parameters are chosen in a predictable way. When using elliptic curve parameter standards such as the SECG curves, there are some concerns regarding the rigidity of the curves. SafeCurves (safecurves.cr.yp.to) is an internet resource that examines the current elliptic curve cryptography standards and the security of many different standard curves [5].

SafeCurves argues that attackers might have manipulated the choices of standard curves to be vulnerable to a secret attack that applies to a small fraction of curves. Rigidity is required to protect against such corner cases in curve vulnerability. [Rigidity is a feature of a curve-generation process, limiting the number of curves that can be generated by the process.] [5] Without rigidity, a curve creator could keep generating curves until a curve vulnerable to the secret attack is found.

The curve secp256k1 is classified by SafeCurves as a "somewhat rigid" curve, where the generation process of the curve is generally considered secure.

The current SECG chair, Dan Brown, addressed Bitcoin users on the online forum Bitcointalk.org regarding the use of secp256k1 in Bitcoin [6]. He explains that the Weierstrass coefficients $(a, b) = (0, 7)$ cannot be the result of a malicious exhaustive search over curve selections until the curve lands in a weak class. The rigidity of the curve stated above supports this claim [6].

The SECG chair has no good explanation for the base point $G$, but the general understanding is that the base point $G$ cannot contain a backdoor with respect to the ECDLP and ECDHP. The ECDSA signature check of $(r, s)$ involves checking whether $r$ is zero. If this check is for some reason dropped, there is a possibility of $G$ having been chosen in such a way that $(0, s)$ is valid for a particular signature. However, this is very unlikely [6].

X. secp256k1 VS secp256r1

The main difference between secp256k1 and secp256r1 is that secp256k1 is a Koblitz curve, while secp256r1 is a prime field curve. Koblitz curves are generally known to be a few bits weaker than prime field curves, but for 256-bit curves this has little impact.

secp256k1 is a pure SECG curve, while secp256r1 is a so-called NIST curve. NIST curves are more widely used and have received more scrutiny than other SECG curves. In particular, documents leaked by the NSA contractor and whistleblower Edward Snowden suggested that the NSA had used its influence over NIST to insert a backdoor into a random number generator used in elliptic curve cryptography standards [7].

Satoshi, the creator of Bitcoin, would have wanted to reduce the risk of there being a backdoor in the curve he would implement, and since NIST and NSA are very close, a pure SECG curve might have been preferred [8].
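The following is an added example, not code from the paper or from Bitcoin: a minimal pure-Python secp256k1 implementation that checks the domain parameters of Section V (including that p has the special form 2^256 − 2^32 − 977 behind the "special form of primes" remark), runs the key generation of Section VII.A together with the 33-byte compressed public-key encoding, and signs and verifies with the range check on r and s that Section IX says must not be dropped. Only p is quoted in the paper; the values of G and n below are the SEC 2 constants for secp256k1, and the code verifies them (G lies on the curve, nG = O). The message bytes and the fixed d and k used for reproducibility are constructed test values.

```python
# Added example (not the paper's code): secp256k1 parameter checks, ECDSA key
# generation, compressed public keys, and sign/verify with the (r, s) range check.
# Requires Python 3.8+ for pow(x, -1, m).
import hashlib
import secrets

# secp256k1 domain parameters T = (p, a, b, G, n, h); h = 1.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def p_has_special_form():
    """SECG 'special form' prime: p = 2^256 - 2^32 - 977, cheap to reduce modulo."""
    return p == 2**256 - 2**32 - 977


def on_curve(P):
    """None is the point at infinity; otherwise check y^2 = x^3 + ax + b (mod p)."""
    if P is None:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0


def add(P, Q):
    """Affine group law on y^2 = x^3 + ax + b over F_p; None is the identity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:                               # Q == -P
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p     # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p            # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def keygen(d=None):
    """Section VII.A: d random in [1, n-1], Q = dG.  d may be supplied for reproducibility."""
    if d is None:
        d = 1 + secrets.randbelow(n - 1)
    return d, mul(d, G)


def compress(Q):
    """33-byte compressed public key: prefix 0x02 (even y) or 0x03 (odd y), then x."""
    x, y = Q
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, msg, k=None):
    """ECDSA signature (r, s).  k must be a fresh secret per signature; a caller-supplied
    k is accepted only so this example is reproducible (reusing k leaks d)."""
    e = hash_to_int(msg)
    while True:
        kk = k if k is not None else 1 + secrets.randbelow(n - 1)
        r = mul(kk, G)[0] % n
        s = pow(kk, -1, n) * (e + r * d) % n
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("supplied k gives r == 0 or s == 0; choose another")


def verify(Q, msg, sig):
    """ECDSA verification.  The first check is the r/s range check of Section IX."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    e = hash_to_int(msg)
    w = pow(s, -1, n)
    R = add(mul(e * w % n, G), mul(r * w % n, Q))
    return R is not None and R[0] % n == r


if __name__ == "__main__":
    print("p = 2^256 - 2^32 - 977:", p_has_special_form())
    print("G on curve and nG = O:", on_curve(G) and mul(n, G) is None)
    d, Q = keygen()
    print("compressed public key:", compress(Q).hex())
    msg = b"constructed test message"          # constructed sample input
    print("signature verifies:", verify(Q, msg, sign(d, msg)))
```

The range check in `verify` rejects r = 0 outright, which is the safeguard Section IX discusses: without it, a signature (0, s) would be judged solely by whether the recovered point R has x-coordinate congruent to 0 mod n. Note that Bitcoin's 71- to 73-byte signatures are the DER encoding of this (r, s) pair plus a signature-hash type byte; that encoding is outside this example.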
XI. CONCLUSION

Koblitz curves allow for fast computation and complex multiplication through the use of $\tau$-adic expansion, and feature many advantageous characteristics when used in elliptic curve cryptosystems.

Bitcoin is a cryptocurrency that has implemented the Koblitz curve secp256k1 in its security algorithms. Beyond the advantageous characteristics of Koblitz curves, the choice of the specific curve secp256k1 was likely made with the expectation that it was the most secure option for preventing backdoors in the curve. secp256k1 is a pure SECG curve that is not part of the NIST standard, and this is probably one of the contributing reasons why this particular curve was implemented in Bitcoin.

In regards to security, it seems unlikely that a malicious backdoor has been inserted into the secp256k1 curve, as explained by the SECG chair, Dan Brown. Given the combination of transparency, rigidity and the widespread use of the curve, it seems unlikely that the curve is compromised.
REFERENCES

[1] N. Koblitz. CM curves with good cryptographic properties, Proc. Crypto '91, Springer-Verlag (1992).