6

79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 seems very random to me. I see how this point is on the curve, but how exactly was this specific point chosen to be the base point? Could other base points have worked?

lurf jurv
  • 2,704
  • 4
  • 22
  • 28
  • 1
    Does this answer your question? [How is the generator point G chosen in the secp256k1 curve used in Bitcoin?](https://bitcoin.stackexchange.com/questions/113116/how-is-the-generator-point-g-chosen-in-the-secp256k1-curve-used-in-bitcoin) – Pieter Wuille May 16 '22 at 17:26

1 Answers1

6

Since the secp256k1 curve order is prime, every point on the curve except the point at infinity is a generator.

Nothing is known about how the designers of the curve chose this specific generator.

However, there is one tell-tale sign that hints about its construction. When the chosen generator G is multiplied by 1/2 (i.e. multiplied by the multiplicative inverse of 2 modulo the curve order), the resulting X coordinate is an exceptionally low number. This very likely means that G was created by picking that X, finding a corresponding Y on the curve, and then doubling the resulting point.

Pieter Wuille
  • 98,249
  • 9
  • 183
  • 287
  • Can you share this low number X? – k06a Jan 23 '18 at 09:12
  • 1
    G/2 = (0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63, 0xc0c686408d517dfd67c2367651380d00d126e4229631fd03f8ff35eef1a61e3c). – Pieter Wuille Jan 23 '18 at 15:01
  • Is there a reason why it needs to be random and large like this? It seems like y^2=x^3+7 is a nice "nothing up my sleeve" curve, but I can't say the same about this base point. Is security compromised in any way if the X coordinate of the base point was chosen to be a tiny number like 3 or 7? – lurf jurv Jan 28 '19 at 19:48
  • 1
    @lurfjurv To the best of my knowledge, the choice of the generator is not relevant to the security of ECDSA. – Pieter Wuille Jan 28 '19 at 19:55
  • 3
    I see, so the choice is irrelevant. Is this not suspicious then? Why not pick a trivially small number for x to remove any concern that this base point has some fatal flaw or backdoor? – lurf jurv Jan 29 '19 at 21:28
  • @lurfjurv You'll have to ask the people who designed secp256k1 and wrote it up as a standard, I'm afraid. Other elliptic curve standards sometimes use non-random-looking base points. – Pieter Wuille Apr 17 '22 at 14:24
  • Pieter, to get a exceptionally low number, could you share the exact math ? I found a couple of different values of "curve order" and none of them are giving the exceptionally low number. – ramshi Apr 17 '22 at 14:01
  • secp256k1's curve order is 2^256 - 432420386565659656852420866394968145599. The multiplicative inverse of 2 modulo the curve order is 2^255 - 216210193282829828426210433197484072799. So multiplying a point with that number is the reverse operation of doubling a point. If you do that with the generator point, you obtain a point with X coordinate 86918276961810349294276103416548851884759982251107 (a 166-bit number, which is extremely small; most X coordinates are 256-bit numbers). – Pieter Wuille Apr 17 '22 at 14:28
  • 1
    Not only secp256k1, but also the generators of secp160k1, secp192k1, secp224k1 were created using this scheme. And even more interestingly the x coordinate of these G/2 points all look very similar. See: https://bitcoin.stackexchange.com/a/113495/109728 And here a gist with a Sage script to calculate these values: https://gist.github.com/johnzweng/863f412689ee383cc41ac7c709ca662c – Johannes Zweng Apr 28 '22 at 16:05