
Curves other than secp256k1

Open lightbulb128 opened this issue 1 year ago • 7 comments

I wonder if I could change something so that the implementation is for the curve $y^2=x^3+5$ other than secp256k1 $y^2=x^3+7$. Is that possible?

lightbulb128 Sep 01 '22 08:09

You could change this line: https://github.com/bitcoin-core/secp256k1/blob/master/src/group_impl.h#L64

But I'm pretty sure this alone won't work because $y^2 = x^3 + 5$ is not a prime-order curve, and our code probably relies on this heavily. Even if it works, the security would immediately degrade to about 93 bits due to the size of the involved prime factors.

So the more general answer is that this is not a good idea if you want to do cryptography.

real-or-random Sep 01 '22 09:09

It's possible and used in the library tests to exhaustively run checks on all elements of a small subgroup. See https://github.com/bitcoin-core/secp256k1/blob/master/src/tests_exhaustive.c and https://github.com/bitcoin-core/secp256k1/blob/2f984ffc45eba89faa9e79da3d5d5bd50a6c1c3d/src/group_impl.h#L34.

By the way, as far as I can tell y^2 + x^3 + 5 is not a secure curve.

@real-or-random It may be sufficient if you have a prime order subgroup. The curves used in the exhaustive tests aren't prime order curves either.

jonasnick Sep 01 '22 09:09
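
The prime-order point raised in the replies above, as an added example that is not part of the thread or of libsecp256k1: over constructed toy primes (13 and 211, both congruent to 1 mod 3 like secp256k1's field prime), it counts the points of $y^2 = x^3 + b$ and shows how changing only b changes the group order and its largest prime factor. All function names are hypothetical.

```python
# Added illustration on toy fields; nothing here is libsecp256k1 code.
def group_order(b, p):
    """Order of y^2 = x^3 + b over F_p, by brute force (+1 for infinity)."""
    n_roots = {}
    for y in range(p):
        n_roots[y * y % p] = n_roots.get(y * y % p, 0) + 1
    return 1 + sum(n_roots.get((x**3 + b) % p, 0) for x in range(p))

def largest_prime_factor(n):
    """Discrete logs in a group of order n are only as hard as in its
    largest prime-order subgroup, so this factor bounds the security."""
    f, largest = 2, 1
    while f * f <= n:
        while n % f == 0:
            largest, n = f, n // f
        f += 1
    return n if n > 1 else largest

def add(A, B, p):
    """Affine addition for a = 0 curves; None is infinity. b is not used."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A, p):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, A, p)
        A, k = add(A, A, p), k >> 1
    return R

def orders_by_b(p):
    """Map each group order to the list of b values that produce it."""
    out = {}
    for b in range(1, p):
        out.setdefault(group_order(b, p), []).append(b)
    return out

if __name__ == "__main__":
    for p in (13, 211):  # constructed toy primes, p % 3 == 1
        for b in (7, 5):
            n = group_order(b, p)
            print(f"p={p} b={b}: order {n}, largest prime factor {largest_prime_factor(n)}")
```

Over F_13, b = 7 gives a group of prime order 7, while b = 5 gives order 16 = 2^4, which contains points of order 2 such as (2, 0).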

Thanks for your help!

lightbulb128 Sep 01 '22 10:09

> @real-or-random It may be sufficient if you have a prime order subgroup. The curves used in the exhaustive tests aren't prime order curves either.

Ok true our code can probably handle this, at least in the exhaustive tests: https://github.com/bitcoin-core/secp256k1/blob/485f608fa9e28f132f127df97136617645effe81/src/group_impl.h#L677-L696

But I'm still not sure if I would bet that we handle it correctly really everywhere.

real-or-random Sep 01 '22 13:09

Maybe a better question is... @1286482110 why do you want such a curve? It's uninteresting for cryptography as far as I can tell, and if it's just for experimenting you don't need the testing/performance this library offers, and may be better off using a computer algebra system like Sage.

sipa Sep 01 '22 13:09

I was hoping to implement some funcs within the SM9 cryptography standard, and some searching told me it is based upon the curve y^2=x^3+5, very much similar to the secp256k1 curve in the form.

lightbulb128 Sep 01 '22 15:09

@1286482110 A very brief search leads me to believe this SM9 standard is pairing-based, not just elliptic curve-based. If that's the case, it's very unlikely the code in libsecp256k1 will be useful.

sipa Sep 01 '22 16:09