Are there questions that just can't be answered?

10 replies 280 views
novaNewbie
Posts: 122 · Reputation: 14
#1May 3, 2024, 06:53 PM
So, how do we tackle this one? Does anyone actually know how the half of the secp256k1 generator came into being? I was chatting with someone about this, and they mentioned that no one really knows the answer. But I feel like if it was made by someone, there has to be an answer out there. Would love to hear your thoughts.
2 Reply Quote Share
Posts: 241 · Reputation: 32
#2May 3, 2024, 07:00 PM
No, because it was discussed for decades, and nobody shared the solution yet. For example: https://www.youtube.com/watch?v=NGLR2N4EK58 And the creator certainly knew it. But it happened in the 90s, and now, we don't even have the original source code, which was used to create secp256k1 in the first place. Also, the generator was not so important, because it was just given as an example. Different protocols and networks could use different generators. Edit: Let's say, that someone would really want to get the same x-value for all curves: secp160k1, secp192k1, secp224k1, and secp256k1. In that case, it could be done in a provably fair way, by just hashing something with SHA-1. And then, it could be used for all four curves: Then, we would have these generators: And they could even be doubled, if someone would need it: But for some reason, that magic value around 0x48ce563f89a0ed9414f5aa28ad0d96d6795f9c62 was used. Even one bigger value would work for all four curves: So, it is now simply unknown, why exactly these values were picked. Because as you can see, many others would work fine as well, if not better.
0 Reply Quote Share
Posts: 12 · Reputation: 142
#3May 4, 2024, 10:27 PM
Suppose I were a malicious curve designer, and suppose there existed some generator that enabled a backdoor. I would not choose that generator as the public standard generator. I would choose a generator that appears ordinary and secure, while privately using the special generator for my own computations. Since generators in the same cyclic group are related by a scalar multiple, I could translate results between the hidden generator and the official one through the corresponding scalar conversion. In other words, if a vulnerable generator exists, the official generator does not necessarily have to be that vulnerable generator. It could simply be a safe-looking representative of the same group, while the actual trapdoor relationship is used privately. For that reason, an unclear origin of the standard generator does not automatically imply that the generator itself is unsafe. A generator-based backdoor, if such a thing were possible, would not need to be visible directly in the published generator.
3 Reply Quote Share
Posts: 23 · Reputation: 34
#4May 5, 2024, 02:01 AM
@rdenkye, hi. Can you please kindly explain how could such a tricky (back-door) generator work?  A simple demonstration would suffice. All I can think right now, I already have, you CAN NOT use a broken and also wrong key to figure out the inner pin combination of a lock. In secp256k1, there is no such a thing as a weak generator. Whatever you go with, it would eventually mess you up when you hit a giant mountain of numbers we call N.
1 Reply Quote Share
Posts: 12 · Reputation: 142
#5May 5, 2024, 06:17 AM
I didn't say that. I was trying to explain that if anyone had doubts about the election, even the doubt itself was invalid.
1 Reply Quote Share
Posts: 244 · Reputation: 60
#6May 5, 2024, 10:28 AM
edit: The size of N doesn't really matter because in cryptography, no, we cannot blindly trust data, and this data is not verifiable. And this is why how G was created is important and subject to debate.
5 Reply Quote Share
Posts: 241 · Reputation: 32
#7May 5, 2024, 04:23 PM
There is no backdoor. It is all about knowing, how things were created. Another discussion about it: https://github.com/crocs-muni/DiSSECT/issues/8 See this topic: https://crypto.stackexchange.com/questions/60420/what-does-the-special-form-of-the-base-point-of-secp256k1-allow Basically, if you would use G.x = SHA-256("something") then that "something" can be used in some message, if a given protocol is designed in a broken way. But as long as you simply commit to the generator, and use SHA-256("something"||G), there is no backdoor anymore, so it can be easily fixed. Also, even today's Bitcoin blocks are not that strong, to produce SHA-256 of a header, which would be comparable to this small x-value. Which means, that in 90s, when secp256k1 was created, people definitely didn't have that much computing power. And even if that x-value would be an artifact of using SHA-1, then still: Bitcoin uses SHA-256, so it is very unlikely, that you can even attack some bad signature scheme, even if it would be created, and would not commit to the generator. And yet another thing is that the value is changed from the initial one, to something else. If you know, that SHA-1("34") is equal to 0xf1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59, but you use for example 0xf1f836cb4ea6efb2a0b1b99f41ad8b103eff4b5f, then all of your advantage is gone, because you can no longer produce a message, which would exactly hash to a proper value. And here, the initial 160-bit value was adjusted for different curves, so it is even less likely to be abused.
1 Reply Quote Share
novaNewbie
Posts: 122 · Reputation: 14
#8May 7, 2024, 11:42 AM
It also got me thinking if there will be risk of backdoors when deriving an elliptical curve generator point G using something like G.x =SHA 256(“some fixed string “), and if there is, how can it be possibly mitigated?
2 Reply Quote Share
Posts: 241 · Reputation: 32
#9May 7, 2024, 05:16 PM
You already have the answer to that in the linked things: So, again: if you use SHA-256("something") alone, then it could be unsafe. But if it would be SHA-256("something"||G), then it no longer matters, which generator would be there, as long as it would be constant. And the practically used value in secp256k1 has 166 bits, so it is too long for SHA-1, and too short for SHA-256, so it is extremely unlikely, that someone knows anything, where SHA-256 of that would be equal to exactly 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63. As I said, even today's miners cannot reach it that easily, and even if they could, then endianness would break it. In 90s, nobody had that much computing power, to generate such low hash. And if it was generated from SHA-1, RIPEMD-160, or anything else, then it doesn't matter, because Bitcoin uses SHA-256.
4 Reply Quote Share
Posts: 12 · Reputation: 142
#10May 7, 2024, 07:02 PM
If any generator is unsafe, then no generator is safe. This is a mathematical and concrete fact. Therefore, discussing generator selection is entirely due to a lack of sufficient information.
3 Reply Quote Share
Posts: 241 · Reputation: 32
#11May 7, 2024, 09:40 PM
Of course. But it doesn't change the fact, that it was picked in an unknown way. And the question was: "are there any questions with unknown answers", which are just cases like that. It is more about curiosity, related to the exact generation procedure, than to any weakness.
3 Reply Quote Share
?Reply
Sign in to reply to this topic

Related topics