Difference between revisions of "Secp256k1"
Timmattison (talk | contribs) m (Fixed broken link to SEC PDF. I'm not happy about where it is coming from now but at least it is a link that works.) |
m (Update SEC 2 link to the official site, which is back up again) |
||
Line 1: | Line 1: | ||
[[File:Secp256k1.png|thumb |This is a graph of secp256k1's elliptic curve ''y<sup>2</sup> = x<sup>3</sup> + 7'' over the real numbers. Note that because secp256k1 is actually defined over the field Z<sub>p</sub>, its graph will in reality look like random scattered points, not anything like this.]] | [[File:Secp256k1.png|thumb |This is a graph of secp256k1's elliptic curve ''y<sup>2</sup> = x<sup>3</sup> + 7'' over the real numbers. Note that because secp256k1 is actually defined over the field Z<sub>p</sub>, its graph will in reality look like random scattered points, not anything like this.]] | ||
− | '''secp256k1''' refers to the parameters of the [[ECDSA]] curve used in Bitcoin, and is defined in ''Standards for Efficient Cryptography (SEC)'' (Certicom Research, http:// | + | '''secp256k1''' refers to the parameters of the [[ECDSA]] curve used in Bitcoin, and is defined in ''Standards for Efficient Cryptography (SEC)'' (Certicom Research, http://www.secg.org/sec2-v2.pdf). |
secp256k1 was almost never used before Bitcoin became popular, but it is now gaining in popularity due to its several nice properties. Most commonly-used curves have a random structure, but secp256k1 was constructed in a special non-random way which allows for especially efficient computation. As a result, it is often more than 30% faster than other curves if the implementation is sufficiently optimized. Also, unlike the popular NIST curves, secp256k1's constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve. | secp256k1 was almost never used before Bitcoin became popular, but it is now gaining in popularity due to its several nice properties. Most commonly-used curves have a random structure, but secp256k1 was constructed in a special non-random way which allows for especially efficient computation. As a result, it is often more than 30% faster than other curves if the implementation is sufficiently optimized. Also, unlike the popular NIST curves, secp256k1's constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve. |
Revision as of 02:43, 30 March 2015
secp256k1 refers to the parameters of the ECDSA curve used in Bitcoin, and is defined in Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-v2.pdf).
secp256k1 was almost never used before Bitcoin became popular, but it is now gaining in popularity due to its several nice properties. Most commonly-used curves have a random structure, but secp256k1 was constructed in a special non-random way which allows for especially efficient computation. As a result, it is often more than 30% faster than other curves if the implementation is sufficiently optimized. Also, unlike the popular NIST curves, secp256k1's constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve.
Technical details
As excerpted from Standards:
The elliptic curve domain parameters over F_{p} associated with a Koblitz curve secp256k1 are specified by the sextuple T = (p,a,b,G,n,h) where the finite field F_{p} is defined by:
- p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
- = 2^{256} - 2^{32} - 2^{9} - 2^{8} - 2^{7} - 2^{6} - 2^{4} - 1
The curve E: y^{2} = x^{3}+ax+b over F_{p} is defined by:
- a = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
- b = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000007
The base point G in compressed form is:
- G = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
and in uncompressed form is:
- G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
Finally the order n of G and the cofactor are:
- n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
- h = 01