Why Did Satoshi Decide to Use Secp256k1 Instead of Secp256r1?

by g42gregory on 10/9/2021, 9:05 PM with 98 comments
  • by janmo on 10/9/2021, 11:05 PM

    The article basically says that Satoshi went for secp256k1 because for secp256r1 the constants were defined by the NIST under the possible influence of the NSA.

    I don't think it is a good argument, I invite every one to take a look at the DES S-Box constants. Many people believed that those were backdoor constants that the NSA planted into the algorithm as there was no explanation on how and why they were chosen. Many years later it turned out that they were picked carefully to protect against differential-linear attacks. An attack only the NSA knew back then. So they gave out safe S-Box constants, and all those who distrusted them and picked random/other S-Boxes were actually screwed, this is really ironic.

    https://en.wikipedia.org/wiki/S-box

  • by nullc on 10/9/2021, 10:23 PM

    Garbage spam page. This shouldn't be on HN. There is a common trend for people to take highly technical subjects do a tiny amount of research and then spam up some page (often full of plagiarism) in order to add bulk to their sites. This is especially common in the "defi / ico" fraud ecosystem.

    In this case the article is so poorly researched that even though it says fairly little it manages to make outright false claims about basic facts, e.g. "secp256k1 is a Koblitz curve which is defined in a characteristic 2 finite field, while secp256r1 is a prime field curve"-- which is false, secp256k1 uses a prime field.

  • by 0des on 10/9/2021, 9:17 PM

    Well, for one, iirc Secp256r1 was pseudo random and can be seen glowing in broad daylight.

  • by darthvoldemort on 10/9/2021, 10:35 PM

    I wonder if you could track down who Satoshi is based on someone's search queries about Secp256k1 specifically

  • by sentinel on 10/9/2021, 10:11 PM

    Any recommendations for courses or books that give a 101 intro all the way to understanding these curves and why / how they are used?

    I'd like to get a grasp on this from first principles. Thank you!

  • by AlexCoventry on 10/9/2021, 9:45 PM

    > secp256k1 is a Koblitz curve which is defined in a characteristic 2 finite field,

    Secp256k1's base field size is a 256-bit prime. What does he mean?

  • by forty on 10/10/2021, 8:21 AM

    If you are interested in comparing curves, here is the djb page on the topic https://safecurves.cr.yp.to/index.html

  • by woliveirajr on 10/9/2021, 9:26 PM

    > These curves were chosen actually for efficiency not security

    Isn't this enough?

  • by tromp on 10/10/2021, 11:58 AM

    I wonder if anything is known about the choice of base point, which in compressed form is:

        G = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
    Is this choice beneficial for efficiency? If the choice of G doesn't matter, why not choose it as having the smallest possible x coordinate?

    Many applications use a second generator H, which must be an unknown multiple of G. This is achieved by defining it as essentially SHA256(G).

  • by egberts1 on 10/10/2021, 12:49 AM

    k for konstant?

  • by pluc on 10/9/2021, 9:21 PM

    please refer to him as The Enlightened One