Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question about curve parameters #3

Open
OSoup opened this issue Jul 15, 2019 · 3 comments
Open

Question about curve parameters #3

OSoup opened this issue Jul 15, 2019 · 3 comments

Comments

@OSoup
Copy link

OSoup commented Jul 15, 2019

Hi,
I try to learn and I have to make some connections.
You have in the code below values:
P = 10177
A = 1
B = P-1
G = (1,1)
N = 10331

What should be the values in case of btc when I know the public key, K = (x,y) so I know x and y?
P=115792089237316195423570985008687907853269984665640564039457584007908834671663 ???
A = ???
B = P-1
G = (??,??)
N = ??

Thank you!
@marcvincenti
Copy link
Owner

Hello, Bitcoin use the Secp256k1 curve.

# Elliptic curve parameters (secp256k1)

P = 2**256 - 2**32 - 977
N = 115792089237316195423570985008687907852837564279074904382605163141518161494337
A = 0
B = 7
Gx = 55066263022277343669578718895168534326250603453777594175500187360389116729240
Gy = 32670510020758816978083085130507043184471273380659243275938904335757337482424
G = (Gx, Gy)

@mertgonul
Copy link

Added secp256k1 parameters and decreased "N" to lower one to test it but it is only searching can't find any result.

#!/usr/bin/env python

from bitcoin import change_curve, fast_add, fast_multiply, inv
import random

# define a 16-bits curve (not secure)
P = 2**256 - 2**32 - 977
N = 10331
A = 0
B = 7
Gx = 55066263022277343669578718895168534326250603453777594175500187360389116729240
Gy = 32670510020758816978083085130507043184471273380659243275938904335757337482424
G = (Gx, Gy)
change_curve(P, N, A, B, G[0], G[1])

# generate private and public key
k = random.randint(1, N)
Q = fast_multiply(G, k)
print("SEARCH - {0}".format(k))

# Pollard rho
def new_xab(x, a, b):
    S = x[0] % 3
    if S == 0:
        a = (a + 1) % N
        x = fast_add(x, G)
    elif S == 1:
        a = (a * 2) % N
        b = (b * 2) % N
        x = fast_add(x, x)
    elif S == 2:
        b = (b + 1) % N
        x = fast_add(x, Q)
    return x, a, b

x=X=(0,0); a=A=0; b=B=0;
for i in range(N):
    x, a, b = new_xab(x, a, b)
    X, A, B = new_xab(X, A, B)
    X, A, B = new_xab(X, A, B)
    if x == X:
        if b == B:
            print("NOT FOUND")
        else:
            k = ((a - A) * inv(B - b, N)) % N
            print("FOUND  - {0}".format(k))
        break

@marcvincenti
Copy link
Owner

@mertgonul N should be the order of the curve in Z_P. It means that you have to reduce P first (with P a prime number) and then you should calculate N such that N is the order of the curve (i.e. G x P = G).
To find N you can define some bounds with Hasse's theorem and try to determine with an algo of your choice (for P being not too big, you can use the bsgs algorithm).
If you don't want to code this all by yourself, i've started a script to help everyone generate testing curves, but it doesn't work every time, i need a PR or some help here.

@marcvincenti marcvincenti changed the title question Question about curve parameters Jul 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mertgonul @marcvincenti @OSoup