secp256k1
Curves other than secp256k1
I wonder if I could change something so that the implementation is for the curve $y^2=x^3+5$ other than secp256k1 $y^2=x^3+7$. Is that possible?
You could change this line: https://github.com/bitcoin-core/secp256k1/blob/master/src/group_impl.h#L64
But I'm pretty sure this alone won't work because $y^2 = x^3 + 5$ is not a prime-order curve, and our code probably relies on this heavily. Even if it works, the security would immediately degrade to about 93 bits due to the size of the involved prime factors.
So the more general answer is that this is not a good idea if you want to do cryptography.
It's possible and used in the library tests to exhaustively run checks on all elements of a small subgroup. See https://github.com/bitcoin-core/secp256k1/blob/master/src/tests_exhaustive.c and https://github.com/bitcoin-core/secp256k1/blob/2f984ffc45eba89faa9e79da3d5d5bd50a6c1c3d/src/group_impl.h#L34.
By the way, as far as I can tell y^2 + x^3 + 5 is not a secure curve.
@real-or-random It may be sufficient if you have a prime order subgroup. The curves used in the exhaustive tests aren't prime order curves either.
Thanks for your help!
> @real-or-random It may be sufficient if you have a prime order subgroup. The curves used in the exhaustive tests aren't prime order curves either.
Ok true our code can probably handle this, at least in the exhaustive tests: https://github.com/bitcoin-core/secp256k1/blob/485f608fa9e28f132f127df97136617645effe81/src/group_impl.h#L677-L696
But I'm still not sure if I would bet that we handle it correctly really everywhere.
Maybe a better question is... @1286482110 why do you want such a curve? It's uninteresting for cryptography as far as I can tell, and if it's just for experimenting you don't need the testing/performance this library offers, and may be better off using a computer algebra system like Sage.
I was hoping to implement some funcs within the SM9 cryptography standard, and some searching told me it is based upon the curve y^2=x^3+5, very much similar to the secp256k1 curve in the form.
@1286482110 A very brief search leads me to believe this SM9 standard is pairing-based, not just elliptic curve-based. If that's the case, it's very unlikely the code in libsecp256k1 will be useful.
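An added example, not part of the thread and not libsecp256k1 code: it enumerates y^2 = x^3 + b over a toy field to show how changing only the constant b changes the group order, and why the largest prime factor of that order is what matters. The field F_13 and all function names are assumptions chosen for illustration; nothing here computes the order of the real curve over secp256k1's field.

```python
# Toy field F_13, constructed for this example (not secp256k1's field prime).
P = 13

def curve_points(b, p=P):
    """Affine points of y^2 = x^3 + b over F_p; infinity is represented as None."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in roots.get((x**3 + b) % p, [])]

def add(A, B, p=P):
    """Affine group law for short Weierstrass curves with a = 0."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P), including doubling a point with y = 0
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def point_order(pt, p=P):
    """Smallest n > 0 with n*pt = infinity, by repeated addition (toy sizes only)."""
    n, acc = 1, pt
    while acc is not None:
        acc = add(acc, pt, p)
        n += 1
    return n

def largest_prime_factor(n):
    f, best = 2, 1
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best

def analyse(b, p=P):
    """Group order, its largest prime factor, and the set of point orders."""
    pts = curve_points(b, p)
    order = len(pts) + 1  # +1 for the point at infinity
    return {"order": order, "largest_prime_factor": largest_prime_factor(order),
            "point_orders": sorted({point_order(q, p) for q in pts})}

if __name__ == "__main__":
    for b in (7, 5):
        print(b, analyse(b))
```

Over this toy field, b = 7 gives a group of prime order 7, while b = 5 gives order 16 in which no point has order above 4, so the discrete-log problem collapses to tiny subgroups.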