Bitcoin Stack Exchange
Bitcoin Stack Exchange

Questions tagged [secp256k1]

This tag should be used for anything related to the secp256k1 algorithm used for Bitcoin's public key cryptography.

secp256k1 refers to the parameters of the elliptic curve used in Bitcoin's public-key cryptography, and is defined in Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-v2.pdf).

132 questions
78
votes
3 answers

What does the curve used in Bitcoin, secp256k1, look like?

I'm reading up on ECC curves and on many of them I see an illustration that looks like this What does the comparable curve in Bitcoin look like, or are all curves generally the same?
makerofthings7
  • 12,656
  • 11
  • 60
  • 129
17
votes
3 answers

Why is it not possible to get the private key out of the public key?

From how I understand it, the equation for the public key is defined as so: K = k * G With K being the public key, k the private key and G the generator point. Is G a constant? (as far as I read, it is a constant.) If it is, how is it not…
Purple Gang
  • 285
  • 2
  • 6
10
votes
2 answers

How is the generator point G chosen in the secp256k1 curve used in Bitcoin?

The generator point G in the secp256k1 curve used in Bitcoin is a known constant: Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 Gy = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 How was this point…
RocketNuts
  • 1,031
  • 1
  • 9
  • 22
9
votes
2 answers

Why doesn't basepoint G of Secp256K1 seem to be on the Elliptic Curve?

From what I understood are these the coordinates of basepoint G of Secp256K1 on the Elliptic Curve, in hexadecimal and decimal format. Hexadecimal Gx = (79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798) Gy = (483ADA77…
Harald1970
  • 99
  • 3
9
votes
2 answers

BIP32 recommends a 256 bit seed. Why do most Bitcoin wallets only use a 128 bit seed?

According to BIP32's "Master key generation" section, "256 bits is advised". See https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Master_key_generation Why did BIP32 consider 256 bits to be the recommended seed size, and why did the…
knaccc
  • 143
  • 1
  • 6
8
votes
3 answers

What is the reasoning behind the choice of 2^256-2^32-977 for the prime on the secp256k1 curve?

In Bitcoin's elliptic curve (secp256k1), the prime p = 2^256 - 2^32 - 2^9 -2^8 - 2^7 - 2^6 - 2^4 - 1 the generator point Gx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 Gy =…
Pedro
  • 385
  • 2
  • 9
8
votes
1 answer

Why was the Schnorr code removed from Bitcoin Core?

I was looking for the Schnorr implementation in Bitcoin Core and was surprised to see that it was removed on Nov 2016 (commit e06e878fd7dcc99825025fa99aedb86bc7d5c29f). Why was the source code completely removed from Bitcoin Core? Was it moved to…
Consy
  • 221
  • 1
  • 5
8
votes
1 answer

Is libsecp256k1 faster than OpenSSL?

Bitcoin Core is eventually going to replace OpenSSL with libsecp256k1 for all ECDSA operations. As I understand it, this is motivated by wanting consensus-critical rules to not depend on OpenSSL. Is libsecp256k1 signature verification also faster…
Nick ODell
  • 29,184
  • 11
  • 69
  • 129
8
votes
0 answers

How does this field multiplication in libsecp256k1 work?

I'm looking at libsecp256k1's codebase, for learning reasons (doubt I can contribute with anything useful there). While looking at the field implementation, the implementation of secp256k1_fe_mul_inner in both 10x26 and 5x52 is a little strange to…
Davidson Souza
  • 906
  • 3
  • 10
7
votes
1 answer

Schnorr batch validation speed statistics

In this question What are the advantages of Schnorr vs ECDSA? I see in the Pieter Wuille's answer the following comment about Schnorr signature batch validation: "Improving verification speed, by supporting batch validation of all signatures in a…
Daniel S
  • 71
  • 2
7
votes
1 answer

Is there a point on the secp256k1 curve for any given X coordinate?

There function in libsecp256k1 that allows you to directly set the field element to 32 bytes of your choice. Does secp256k1 always return a valid group element for any 32 byte value? secp256k1_fe_set_b32(&xpoint, bytes) secp256k1_ge_set_xo_var(ge,…
Penquin
  • 671
  • 3
  • 15
7
votes
1 answer

Where and how is secp256k1 used within Bitcoin?

Bitcoin is unique that is uses secp256k1 to secure it's transactions; and any cryptographic attack against this algorithm is probably going to be percieved as an attack against the bitcoin network. Where is this algorithm used and in what manner is…
makerofthings7
  • 12,656
  • 11
  • 60
  • 129
7
votes
3 answers

How do you derive the lambda and beta values for endomorphism on the secp256k1 curve?

You can see a little background about this on this bitcointalk post by the late Hal Finney. Beta and lambda are the values on the secp256k1 curve where: λ^3 (mod N) = 1 β^3 (mod P) = 1 As seen here, in hex, N and P are: N = FFFFFFFF FFFFFFFF…
Jimmy Song
  • 7,709
  • 16
  • 35
6
votes
1 answer

How were the secp256k1 base point coordinates decided?

79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 seems very random to me. I see how this point is on the curve, but how exactly was this specific point chosen to be the…
lurf jurv
  • 2,704
  • 4
  • 22
  • 28
6
votes
1 answer

C secp256k1: What do prefixes 0x06 and 0x07 in an uncompressed public key signify?

In the eckey_impl.h header file, the implementation of secp256k1_eckey_pubkey_parse checks if the first byte of a 65-byte public key is 0x04, 0x06 or 0x07. Where can I find documentation regarding the 0x06 and 0x07 prefixes? static int…
sarva
  • 85
  • 5
1
2 3
8 9