Curves other than secp256k1 #1139

lightbulb128 opened this issue on September 1, 2022
  1. lightbulb128 commented at 8:06 AM on September 1, 2022: none

    I wonder if I could change something so that the implementation is for the curve $y^2=x^3+5$ other than secp256k1 $y^2=x^3+7$. Is that possible?

  2. real-or-random commented at 9:14 AM on September 1, 2022: contributor

    You could change this line: https://github.com/bitcoin-core/secp256k1/blob/master/src/group_impl.h#L64

    But I'm pretty sure this alone won't work because $y^2 = x^3 + 5$ is not a prime-order curve, and our code probably relies on this heavily. Even if it works, the security would immediately degrade to about 93 bits due to the size of the involved prime factors.

    So the more general answer is that this is not a good idea if you want to do cryptography.

  3. jonasnick commented at 9:31 AM on September 1, 2022: contributor

    It's possible and used in the library tests to exhaustively run checks on all elements of a small subgroup. See https://github.com/bitcoin-core/secp256k1/blob/master/src/tests_exhaustive.c and https://github.com/bitcoin-core/secp256k1/blob/2f984ffc45eba89faa9e79da3d5d5bd50a6c1c3d/src/group_impl.h#L34.

    By the way, as far as I can tell y^2 = x^3 + 5 is not a secure curve. @real-or-random It may be sufficient if you have a prime order subgroup. The curves used in the exhaustive tests aren't prime order curves either.

  4. lightbulb128 commented at 10:07 AM on September 1, 2022: none

    Thanks for your help!

  5. real-or-random commented at 1:12 PM on September 1, 2022: contributor

    > @real-or-random It may be sufficient if you have a prime order subgroup. The curves used in the exhaustive tests aren't prime order curves either.

    Ok, true, our code can probably handle this, at least in the exhaustive tests: https://github.com/bitcoin-core/secp256k1/blob/485f608fa9e28f132f127df97136617645effe81/src/group_impl.h#L677-L696

    But I'm still not sure if I would bet that we handle it correctly really everywhere.

  6. sipa commented at 1:39 PM on September 1, 2022: contributor

    Maybe a better question is... @1286482110 why do you want such a curve? It's uninteresting for cryptography as far as I can tell, and if it's just for experimenting you don't need the testing/performance this library offers, and may be better off using a computer algebra system like Sage.

  7. lightbulb128 commented at 3:42 PM on September 1, 2022: none

    I was hoping to implement some funcs within SM9 cryptography standard, and some searching told me it is based upon the curve y^2=x^3+5, very much similar to the secp256k1 curve in the form.

  8. sipa commented at 4:12 PM on September 1, 2022: contributor

    @1286482110 A very brief search leads me to believe this SM9 standard is pairing-based, not just elliptic curve-based. If that's the case, it's very unlikely the code in libsecp256k1 will be useful.

  9. jonasnick closed this on Nov 7, 2022
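
The point made in comments 2 and 3, that changing only the constant b changes the group order and that discrete-log security follows the largest prime factor of that order, can be seen on a toy field. This is an added example, not code from the thread or from libsecp256k1; the field F_13 and all function names are assumptions chosen for illustration, and it does not reproduce the 93-bit figure, which needs the order over the real 256-bit field.

```python
import math

def curve_order(p, b):
    """Count points on y^2 = x^3 + b over F_p by brute force (toy p only)."""
    if p <= 3 or b % p == 0:
        raise ValueError("singular curve or unsupported characteristic")
    # roots[v] = number of y in F_p with y^2 == v
    roots = [0] * p
    for y in range(p):
        roots[y * y % p] += 1
    affine = sum(roots[(x * x * x + b) % p] for x in range(p))
    return affine + 1  # plus the point at infinity

def factorize(n):
    """Trial-division factorization, returned as {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def dlog_security_bits(order):
    """Generic discrete-log cost estimate. Pohlig-Hellman splits the problem
    per prime factor, and Pollard rho needs about sqrt(r) steps in a subgroup
    of prime order r, so only the largest prime factor of the order counts."""
    return 0.5 * math.log2(max(factorize(order)))

def report(p, b):
    """Summarize order, factorization and estimated security for one curve."""
    n = curve_order(p, b)
    f = factorize(n)
    return {"order": n, "factors": f, "prime_order": f == {n: 1},
            "security_bits": round(dlog_security_bits(n), 2)}

if __name__ == "__main__":
    P = 13  # constructed toy field; like secp256k1's prime, P % 3 == 1
    for b in (7, 5):
        print(f"y^2 = x^3 + {b} over F_{P}:", report(P, b))
```

Over F_13 the b = 7 curve has prime order while the b = 5 curve over the same field does not, which is the situation the thread describes at full size.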


This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-27 04:15 UTC