Cryptocurrencies are a mean of executing online transactions. They use a variety of cryptographic techniques to secure and verify these transactions, which are functionally supported by the Blockchain platform. Blockchain is a continuously growing, distributed ledger of files that contains all transactions between users of cryptocurrencies in a verifiable and permanent manner. It consists of blocks that are connected and secured cryptographically. Cryptocurrencies use algorithms to produce pairs of public and private keys. These pairs, cryptographically merged with a message between the participants, are the building blocks of the relevant transactions. Bitcoin uses the ECDSA algorithm to produce the above-mentioned keys. The purpose of our work is to present some useful motifs for the domain parameters of base point (P) and the order (n) of the subgroup produced by it, while choosing the elliptic curve and the Galois field on which we formulate the algorithm, in order to obtain safer private keys. The results of the research are experimental due to the limited infrastructure, but explanatory for the purpose of our work. The resulting conclusions highlight the value of the proper selection of the structural parameters of these algorithms and possible alternatives to the curve, field and domain parameters that can be used.
The most important issue a cryptocurrency such as Bitcoin has to offer to its users is the ability to handle a large volume of transactions in a short period of time with security and verifiability.
Often the developer’s task with respect to the key generation algorithm is the right choice of the algorithm’s domain parameters that will provide a sufficient combination of the above properties. For the Bitcoin cryptocurrency, the elliptic curve secp256k1 defined by the standards for an efficient cryptographic group (SECG) is the one used by the ECDSA algorithm, as discussed further in [
For the purpose of the research, we focused exclusively on the security of the algorithm, which we applied for specific experimental data. The resulting conclusions concern the selection of appropriate domain parameters on the specific safe elliptical curves from the NSA survey conducted by the United States of America, best explained by [
In Bitcoin, on the Blockchain platform, the user’s digital addresses are the result of fragmentation of a public key part Q produced by the ECDSA algorithm [
• Collision resistance: Collision resistance: Concept in which a hash function H is resistant to collisions of input values if it is infeasible to lead to a common output value from different input values. Otherwise, for x , y with x ≠ y we arrive at H ( x ) = H ( y ) .
• Preimage resistance: For a predetermined output value y, it is infeasible to find the input value x that has it as output, i.e. it is difficult to find any preselected input value x, so that H ( x ) = y .
• Second preimage resistance: It is not possible for a different input value x ′ , with x ′ ≠ x , to arrive at a valid H ( x ) = H ( x ′ ) .
• Hiding: A hash function has the ability to be hidden if for a hidden value i, which is selected from a distribution with a high min-entropy, for a given value F ( i ∥ z ) it is impossible to find the value z.
Note that all addresses consist of letters and numbers, which are the output values of the Bitcoin-based hash function, with input values the corresponding parts of the public keys Q. The amount, the addresses of the contracted users and the dates of the transactions, as shown in
Elliptic curves are the first mathematical tool used to create the ECDSA algorithm, as discussed in [
Elliptic curve: A curve whose shape is given by the equation:
y 2 = x 3 + A x + B , with A , B ∈ ℤ
where the basic condition is the discriminant Δ = 4 ⋅ A 3 + 27 ⋅ B 2 ≠ 0
Its points are given by the set:
E = { ( x , y ) : y 2 = x 3 + A x + B } ∪ { O } , where O is the point at infinity.
Algebraic properties: For two points P 1 = ( x 1 , y 1 ) and P 2 = ( x 2 , y 2 ) on an elliptic curve of the form E : y 2 = x 3 + A x + B , the following properties, further explained by [
Apply
§ If P 1 ≠ P 2 with x 1 = x 2 , then P 1 + P 2 = 0 .
§ If P 1 = P 2 and y 1 = 0 , then P 1 + P 2 = 2 P 1 = 0 .
§ If P 1 ≠ P 2 and x 1 ≠ x 2 , then { λ = y 2 − y 1 x 2 − x 1 β = − λ x 1 + y 1 = y 1 x 2 − y 2 x 1 x 2 − x 1 ⇒ Point Addition.
§ If P 1 = P 2 with y 1 ≠ 0 , then { λ = 3 x 1 2 + A 2 y 1 β = − λ x 1 + y 1 = − x 3 + A x + 2 B 2 y ⇒ Point Doubling.
It is true from the foregoing that in general:
P 1 + P 2 = ( λ 2 − x 1 − x 2 , − λ 3 + λ ( x 1 + x 2 ) − β )
Schematic examples of the above are illustrated in
The second mathematical theory that supports ECDSA are the finite fields, commonly known as Galois fields, as mentioned in [
• Field: A set of numbers defining the operations of addition, multiplication, and consequently subtraction and division, which satisfy all the essential properties of these operations.
• Galois fields are all fields of form F p = { 0 , 1 , 2 , ⋯ , p − 1 } with p prime number. These fields have a finite number of elements. The results of all operations are divided by modulo p and are all prime field values.
For example, F 29 is { 0 , 1 , 2 , 3 , ⋯ , 28 } . Examples of numerical operations are:
§ Addition: 17 + 20 = 8, because 37 mod 29 = 8
§ Subtraction: 17 − 20 = 26, due to −3 mode 29 = 26
§ Multiplication: 17*20 = 21, because 340 mod 29 = 21
§ Division: 17 − 1 = 12, due to 17*12 mod 29 = 1
Some very basic properties of Galois fields useful for conducting research are:
1) Subfield-Field Expansion: For field F, we call K a subfield of F, when this is a field provided with the same operations as F, all elements of which belong to the original F. By analogy, F is an extension of subfield K.
2) Galois Field Base: Algebraically a finite field F p n can be a vector space of the F p subfield, where the vectors will be the elements of the first and gradual sizes the elements of the second (depending on the operation we perform). For B = { b 1 , b 2 , ⋯ , b n } a base and a ∈ F p n , a subfield element α can be unique as a = a 1 ⋅ b 1 + a 2 ⋅ b 2 + ⋯ + a n ⋅ b n with ( a 1 , a 2 , ⋯ , a n ) elements of the F p field.
3) Existence and Uniqueness: For every prime number p and positive integer n there is a finite field with p n elements, i.e. F p n . Any other finite field with the same number of elements is isomorphic to the previous one.
4) Subfield Criterion: For F q a finite field with q = p n elements, we have that any subfield of F q m has an order p m , where m is a positive divisor of n. Conversely, for m positive divisor of n, there is exactly one subfield F q m of F q with p m elements.
Note: The Galois fields are widely used in modern cryptography. Specifically in software applications, in the development of processors due to the field arithmetic and the creation of fast desktop multipliers. These are only a few of the improvements they have been brought by Galois fields.
The ECDSA algorithm is constructed from a specific elliptic curve (secp256k1) on a Galois field. The merge of the two previous theories is the Weierstrass equation, best explained by [
Weierstrass equation: For an arbitrary (finite) field we define the Weierstrass equation of the elliptic curve E on the field, i.e. E/F, which is of the form:
E : y 2 + a 1 ⋅ x y + a 3 ⋅ y = x 3 + a 2 ⋅ x 2 + a 4 ⋅ x + a 6 with ( x , y ) ∈ F .
where:
For α 1 , α 2 , α 3 , α 4 , α 6 ∈ F we have Δ ≠ 0 , where Δ is the discriminant of Ε.
In general, the above equation must be transformed into more friendly forms for use by any key pair generation algorithm. The following isomorphism is appropriate.
Weierstrass isomorphism (mentioned in [
E 1 : y 2 + a 1 ⋅ x y + a 3 ⋅ y = x 3 + a 2 ⋅ x 2 + a 4 ⋅ x + a 6 E 2 : y 2 + a ′ 1 ⋅ x y + a ′ 3 ⋅ y = x 3 + a ′ 2 ⋅ x 2 + a ′ 4 ⋅ x + a ′ 6
The curves are called isomorphic on the field if there are u , r , s , t ∈ F , with u ≠ 0 , so for the transformation:
( x , y ) → ( u 2 ⋅ x + r , u 3 ⋅ y + u 2 ⋅ s ⋅ x + t )
Starting with E 1 , we end up in E 2 .
Basically, we use isomorphism:
( x , y ) → ( x − 3 a 1 2 − 12 a 2 36 , y − 3 a 1 ⋅ x 216 − a 1 3 + 4 a 1 ⋅ a 2 − 12 a 3 24 )
Which leads us to the known form of short Weierstrass elliptic curves over Galois field F p , p prime, with the formula:
y 2 = x 3 + a ⋅ x + b where 4 ⋅ a 3 + 27 ⋅ b 2 ( mod p ) ≠ 0 .
Riemann’s hypothesis for elliptic curves (mentioned in [
| # E ( F q n ) − 1 − q n | ≤ 2 ⋅ q n 2 , ∀ n ≥ 1.
By selecting n = 1 we have | # E ( F q ) − 1 − q | ≤ 2 ⋅ q , ∀ n ≥ 1 -Hasse theorem [
Note: The order of the field, i.e. the number of points of the elliptic curve on the Galois field is to be denoted by N. According to Hasse theorem, an easy first estimate of the order of the curve is calculated.
Using similar isomorphisms, we result from the generalized Weierstrass equation in two other very useful elliptical curve cryptographic forms (ECC).
Specifically:
• Montgomery equation: concerning elliptic curves on Galois F p fields of the form:
B ⋅ y 2 = x 3 + A ⋅ x 2 + x , where B ⋅ ( A 2 − 4 ) ( mod p ) ≠ 0
• Edwards equation: concerning elliptic curves over Galois F p fields of the form:
x 2 + y 2 = 1 + d ⋅ x 2 ⋅ y 2 , where d ⋅ ( 1 − d ) ( mod p ) ≠ 0
Note: It is possible, through proper transformation, to determine one form of elliptic curve equation from another. Specifically:
• For a Montgomery elliptic curve through transformation, ( x , y ) → ( B ⋅ u − A 3 , B ⋅ v ) we pass into a short Weierstrass form with the equation:
v 2 = u 3 + a ⋅ u + b , where a = 3 − A 2 3 ⋅ B 2 and b = 2 ⋅ A 3 − 9 ⋅ A 27 ⋅ B 3
• For an Edward elliptic curve through transformation ( x , y ) → ( u / v , ( u − 1 ) / ( u + 1 ) ) we pass into Montgomery with the following equation:
B ⋅ v 2 = u 3 + A ⋅ u 2 + u , where A = 2 ⋅ ( 1 + d ) 1 − d and B = 4 1 − d
Note: Generally, all elliptical equations on Galois F p , p > 3 fields can be in the form of a short Weierstrass equation.
Rational points (explained in detail in [
Elliptic Curve Cryptography (ECC) supports its safety in the difficulty of solving the discrete logarithmic elliptic curve problem (ECDLP). This means that the implementation of the ECDSA used to produce a key pair (𝑑, 𝑄) should support its functions in a robust pair of elliptic curve and Galois field, as explained in [
ECDLP (Short Weierstrass): We consider an elliptic curve E defined on a finite field F p , with characteristic p i.e.:
E : y 2 = x 3 + A ⋅ x + B , where A , B ∈ F p with restriction 4 ⋅ A 3 + 27 ⋅ B 2 ( mod p ) ≠ 0
For two points of E ( F p ) , let P, Q we look for the integer x , x ∈ ℕ for which:
Q = x ⋅ P
Complexity of Pohlig-Hellman―ECDSA (resilience, thoroughly explained by [
By parameterizing n = ∏ i p i e i we degrade Pohlig-Hellman into a Baby-giant step algorithm, which results in the complexity of the algorithm to increase to O ( ∑ i e i ( log n + p i ) )
Let an elliptic curve E be defined on a Galois field F p , whose order is the number # E ( F p ) = N . Based on the above, order N can be presented as the product of prime numbers, i.e. N = p 1 p 2 ⋯ p n which are the orders of subgroups produced by base points P. This makes it more difficult to solve ECDLP, which implies that the ECDSA algorithm is resilient to model-based attacks.
We prefer orders n i ≡ p i to be large prime numbers.
Domain parameters of ECDSA
The domain parameters are the composite elements on which ECDSA is designed to produce the requested keys for trading. Although the users of the platform know their values, it is common for security reasons to list the hash function outputs with input values, the values of the domain parameters. Bitcoin’s ECDSA uses the elliptic curve secp256k1 with domain parameters T = ( p , a , b , G , n , h ) where:
§ p = 2 256 − 2 32 − 2 9 − 2 8 − 2 7 − 2 6 − 2 4 − 1 ,is the size of the Galois field F p .
§ The coefficients a = 0, b = 7 of the above curve.
§ The generation point G = 0279BE667E F9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B 16F81798, from which we produce the subset of the elliptic curve points in the field.
§ n = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141, the order of the base point G.
§ The cofactor h = 1.
The base point is the one from which the algorithm generates the subgroup of elliptic curve points applied to the Galois field. We prefer the order of the subgroup produced for security reasons to be a large prime number. If N is the order of the curve, then we look for the largest prime number n that divides the order of the curve. Simply selecting a base point with a non-prime subgroup n order makes the algorithm vulnerable to attacks because it is not adequately supported by the ECDLP.
The process of finding the order n is fulfilled by the procedure of elliptic curve scalar point multiplication, i.e. by solving the equation:
n ⋅ P ( mod p ) = 0 , where P is a point of E ( F p ) .
Cofactor h = N = # E ( F p ) n , with h ∈ ℕ is used to calculate the base point G by solving the equation:
n ⋅ ( h ⋅ P ) = n ⋅ G = 0 with G = h ⋅ P .
In the present work, we will unleash three model-based methods of attack, such as Brute force, Baby-giant step and Pollard's rho. The methods will violate the ECDSA algorithm to steal the private key d of the transaction, as explained by [
Brute force: Calculates the products x 1 ⋅ P , x 2 ⋅ P , x 3 ⋅ P , ⋯ for random values x 1 , x 2 , x 3 , ⋯ until x ⋅ P = Q is verified for some value. The length of time until the above verification, is O ( p ) . Clearly the most time-consuming method requiring a powerful computing system for comparable results over the next. The symbolism O is Landau’s big O notation.
Baby giant step: First, we transform the equality Q = x ⋅ P that we verify as:
Q − a ⋅ m ⋅ P = b ⋅ P
Reminder: Generally, any integer x , x ∈ ℤ can be written as a product of three arbitrary integers a , m , b ∈ ℤ , so that x = a ⋅ m + b .
So, in the next step two vector lists of the starting points P , Q of E ( F q ) are created with the previous coefficients ( x 1 , x 2 , x 3 , ⋯ ) i.e.:
Vector 1 : x 1 ⋅ P , x 2 ⋅ P , x 3 ⋅ P , ⋯ Vector 2 : Q − x 1 ⋅ P , Q − x 2 ⋅ P , Q − x 2 ⋅ P , ⋯
The process ends when a collision of the following form occurs:
x i ⋅ P = Q − x j ⋅ P , where i , j = 1 , 2 , 3 , ⋯
The expected execution time is O ( q ) and is clearly less than the equivalent of the exhaustive method (Brute force).
(Pollard’s Attack): with this method, we search for discrete pairs ( a , A ) and ( b , B ) of modulo n integers to verify equality:
a ⋅ P + b ⋅ Q = A ⋅ P + B ⋅ Q , with a , b , A , B ∈ ℤ
Specifically we calculate the value
x = ( a − A ) ⋅ ( B − b ) − 1 mod n
Briefly
1) For a given point X ∈ 〈 P 〉 and integers ( c , d ) with X = c ⋅ P + d ⋅ Q , a random iteration function f : 〈 P 〉 → 〈 P 〉 is defined, which calculates X = f ( X ) and c ¯ , d ¯ ∈ [ 0 , n − 1 ] with X ¯ = c ¯ ⋅ P + d ¯ ⋅ Q .
2) Subsequently we define a random partition of 〈 P 〉 , the set { S 1 , S 2 , ⋯ , S L } in order the L sets to have an even approximate size. Typical values of L are 16 (2^{4}) and 32 (2^{5}).
3) For X = c ⋅ P + d ⋅ Q we have f ( X ) = X ¯ = c ¯ ⋅ P + d ¯ ⋅ Q where c ¯ = c + a j mod n and d ¯ = d + b j mod n .
Finally, each point X 0 ∈ 〈 P 〉 defines a sequence { X i } i ≥ 0 of points, where X i = f ( X i − 1 ) , i ≥ 1 . Because the 〈 P 〉 set is finite, we will definitely come to a collision. This means that there will be a small index w for which X w = X w + s , s ≥ 1 . In conclusion we have X i = X i − s , ∀ i ≥ w + s .
W is called “tail length”, while s is the “length of the circle”. A collision is expected after π ⋅ n / 2 values, while the tail and cycle lengths are respectively t ~ π ⋅ n / 8 and s ~ π ⋅ n / 8 . The algorithm used to find this collision is the Floyd Cycle Finding algorithm. We calculate point pairs ( X i , X 2 i ) for i = 1 , 2 , 3 , ⋯ and terminate the process when X i = X 2 i . There is a collision when for two points X i , X j ⇒ X i = X j for i ≠ j . The expected number of pairs to be compared is k ∈ [ w , w + s ] and for random iterated function f is 1.0308 ⋅ n .
Advantages of ECDSA:
1) With respect to earlier cryptographic tools such as RSA, DSA, elliptic curve algorithms offer greater security for a certain key size. This is also observed for small key sizes, which by definition are much more vulnerable than larger ones.
2) Time and memory space required to produce and distribute messages in the case of ECDSA is significantly smaller than in previous tools. In this way, the platform becomes accessible to more users and researchers.
3) From an economic point of view, systems based on elliptic curve algorithms are more cost-efficient than older algorithms in storage, cooling and energy.
Disadvantages of ECDSA:
1) Cryptographic tools are primarily free to access by all kinds of users, allowing the creation of tools for violating any kind of platform.
2) Encrypted information, authentic and digitally signed, can be difficult to access even for a legitimate user at critical decision time, especially when the platform is tampered with.
3) Cryptography by definition does not protect against the vulnerabilities and threats that result from bad design of systems, protocols and processes.
At this point, we present all the experimental results that emerged from the research. Specifically, we have implemented the ECDSA key pair generation algorithm for two Galois F 50101 and F 100153 fields with appropriate base points of our choice. We then launched three model-based attacks such as Brute force, Baby-giant step and Pollard rho to steal private keys used in transactions. By counting the time required to carry out the wrenching of the private key, we have arrived at significant practical conclusions.
Before the tables and diagrams are presented, we must mention the modifications to the algorithm and the assumptions made for the better conduct of the survey. Analytically:
• We modified the GitHub mini_ecdsa algorithm, as referenced in the relevant bibliography, designed to calculate the first 10 - 12 base points of order only prime number. Specifically, by finding one of the points of the elliptic curve on the Galois field, we examined the order of the subgroup we create when that point is used as a base point. If order n is prime number then we would consider it for study, otherwise we are going to be checked at the next points. This double check to find points increases waiting time in many hours per elliptic curve, but it serves the rest of the research to a large extent.
• The Galois fields we studied are objectively very small than those used in key-generation algorithms. The reason is the limited infrastructure. It is noticeable that the wait for double check increases exponentially, when the size of the Galois field increases. The results, however, are similar and expected.
• From the above points, we have chosen as base points those for which the largest possible subgroup n order has been obtained. It is known that the larger the n order is, the greater the security in minor attacks, that we are not studying in this research. In addition, it was observed that for larger n order larger private keys are emerging, which is very important for research.
• Despite the elasticity of the base point selection algorithm, we remain “loyal” to the ECDLP problem on which the ECDSA algorithm is based, i.e. the base point selection that gives as an order n prime number.
• In applying the algorithm, we additionally chose elliptic curves with Edward equations, which we transformed into short Weierstrass. The reason is that the mini_ecdsa algorithm, best explained in [
y 2 = x 3 + a ⋅ x 2 + b ⋅ x + c defined on F p , p prime number.
The above equation is an intermediate form of Short Weierstrass and Montgomery.
In particular, the equations of the above form are:
Having properly transformed the elliptic curves, which are displayed in
Curve | Equation |
---|---|
secp256k1 | y 2 = x 3 + x + 7 |
Curve25519 | y 2 = x 3 + 486662 x 2 + x |
Curve383187 | y 2 = x 3 + 229969 x 2 + x |
M-221 | y 2 = x 3 + 117050 x 2 + x |
M-551 | y 2 = x 3 + 530438 x 2 + x |
Anomalous | y 2 = x 3 + 1.535 e 62 ⋅ x + 7.444 e 60 |
BN(2,254) | y 2 = x 3 + 2 |
BrainpollP256t1 | y 2 = x 3 − 3 x + 4.621 e 76 |
Curve1174 | y 2 = x 3 − 28489 x + 1926947 |
E-222 | y 2 = x 3 + 13333333333 x |
E-382 | y 2 = x 3 − 94211737 x + 352268124782 |
E-521 | y 2 = x 3 + 14833242554 x + 6219980097646 |
Ed448-Goldilocks | y 2 = x 3 − 318383 x + 692424 |
M-383 | y 2 = x 3 + 2065150 x 2 + x |
NIST P-224 | y 2 = x 3 − 3 x + 1.896 e 67 |
Galois Field F_{50101} | |||||||
---|---|---|---|---|---|---|---|
Method (Time in sec) | |||||||
Curve | Base Point P | Order n | Private Key d | Point P | Brute Force | Baby-Giant Step | Pollard’s rho |
secp256k1 | (99, 11,436) | 137 | 52 | (35,925, 39,101) | 0.008 | 0.001 | 0.002 |
Curve25519 | (1288, 23,396) | 181 | 156 | (48,651, 17,578) | 0.225 | 0.004 | 0.005 |
Curve383187 | (88, 17,366) | 1049 | 988 | (12,662, 41,418) | 0.023 | 0.01 | 0.006 |
M-221 | (15, 14,998) | 12,547 | 11123 | (2847, 24,111) | 4.239 | 0.068 | 0.032 |
M-551 | (4, 3728) | 3119 | 1440 | (33,896, 38,549) | 0.289 | 0.011 | 0.008 |
Anomalous | (378, 6853) | 211 | 104 | (49,646, 42,661) | 0.014 | 0.002 | 0.004 |
BN(2,254) | (61, 4601) | 1021 | 319 | (16,955, 40,535) | 0.237 | 0.006 | 0.004 |
BrainpollP256t1 | (16, 25,549) | 25,057 | 23719 | (5992, 11700) | 9.736 | 0.085 | 0.022 |
Curve1174 | (26, 44,099) | 4549 | 4345 | (929, 5479) | 1.864 | 0.04 | 0.026 |
E-222 | (184, 13,447) | 701 | 552 | (45,080, 196) | 0.096 | 0.006 | 0.005 |
E-382 | (16, 2607) | 4999 | 4913 | (20,242, 13,648) | 1.25 | 0.027 | 0.009 |
E-521 | (280, 28,472) | 991 | 831 | (18,354, 4898) | 0.158 | 0.008 | 0.005 |
Ed448-Goldilocks | (694, 9865) | 499 | 99 | (911, 12,900) | 0.012 | 0.002 | 0.006 |
M-383 | (76, 7159) | 349 | 252 | (46,426, 38,837) | 0.036 | 0.004 | 0.004 |
NIST P-224 | (78, 4999) | 1931 | 1703 | (10,585, 26,862) | 0.356 | 0.012 | 0.004 |
Remarks:
1) For all curves defined on the field, the private key is stolen in a very short time. Fact expected due to the small size of the Galois field and the limited base point options.
2) Some curves like Curve1174 and Ed448-Goldilocks show much longer resistance against the Brute force method. However, all curves succumb almost immediately to Baby-giant step and Pollard’s rho attacks. The reason is their search model and quick verification of the corresponding ECDLP solution.
3) The higher the n order of the subgroup of the base point P, the larger the d private key created. For the public key Q this is not observed. In all cases where a large private d key is observed, the times for all the model-based methods are comparatively much longer than for other elliptic curves for which the subgroup order n gives small-sized private keys.
4) The theory of the complexity of the Pohlig-Hellman algorithm is verified as to the difficulty of solving the ECDLP problem for large orders n of subgroups, and therefore the ECDSA algorithm’s durability.
Correspondingly, for the Galois Field F_{100153} the results of the survey are displayed in
Corresponding observations with field results F_{50101} also arise here. By comparing the tables, we also observe:
1) For elliptic curves such as secp256k1 and Curve1174 when doubling the Galois field there is a longer tolerance for the Brute force method only. The other smarter methods used to steal the private key consume almost equal times.
Galois Field F_{100153} | |||||||
---|---|---|---|---|---|---|---|
Method (Time in sec) | |||||||
Curve | Base Point P | Order n | Private Key d | Public Key Q | Brute Force | Baby-Giant Step | Pollard’s rho |
secp256k1 | (149, 62,878) | 1933 | 1360 | (4678, 2942) | 0.446 | 0.013 | 0.009 |
Curve25519 | (2318, 11,352) | 179 | 102 | (69,082, 18,748) | 0.022 | 0.003 | 0.003 |
Curve383187 | (1258, 2668) | 733 | 701 | (79,043, 21,484) | 0.17 | 0.008 | 0.006 |
M-221 | (1843, 70,129) | 107 | 100 | (64,009, 10,304) | 0.013 | 0.002 | 0.003 |
M-551 | (2115, 86,231) | 271 | 101 | (44,889, 47,472) | 0.021 | 0.003 | 0.005 |
Anomalous | (2995, 96,951) | 43 | 40 | (61381, 17502) | 0.004 | 0.001 | 0.001 |
BN(2, 254) | (240, 321) | 1231 | 994 | (57435, 36387) | 0.294 | 0.008 | 0.004 |
BrainpollP256t1 | (2368, 5807) | 83 | 61 | (46,066, 25,833) | 0.004 | 0.001 | 0.001 |
Curve1174 | (8, 93683) | 99551 | 96542 | (15,179, 6830) | 66.859 | 0.231 | 0.086 |
E-222 | (3, 98740) | 1229 | 781 | (77,951, 68,281) | 0.274 | 0.013 | 0.01 |
E-382 | (785, 3790) | 148 | 148 | (65,000, 4657) | 0.029 | 0.004 | 0.006 |
E-521 | (858, 16,707) | 893 | 760 | (82,041, 45,996) | 0.186 | 0.009 | 0.005 |
Ed448-Goldilocks | (6, 85,750) | 50021 | 35057 | (77,073, 78,269) | 12.331 | 0.105 | 0.031 |
M-383 | (22, 72,669) | 6229 | 6161 | (60,238, 81,175) | 1.678 | 0.033 | 0.009 |
NIST P-224 | (3079, 50,355) | 229 | 174 | (25,906, 3547) | 0.024 | 0.003 | 0.002 |
2) On the contrary, for curves such as BrainpollP256t1 and M-221, doubling the field made them more vulnerable even to the Brute force method. For the other two methods, we observe as expected very short times.
At the diagram level, the times for all the model-based methods for the elliptical curves Curve1174, M-221, NIST P-224, secp256k1 are displayed in Graph 1.
Likewise the diagram level and the time tolerance for all the model-based methods for the elliptical curves Brainpoll256t1 and Anomalous are displayed in Graph 2.
Important Note: You may wonder why search for candidate base points P takes many hours, while model-based attacks squeeze the private key d in much shorter times. It is sufficient to consider that the equations of the elliptic curves we chose are very large, which delays the finding of E ( F p ) points starting from a absolutely random point search in combination with the integer division defined in the Galois field. In addition, the order n check performed at each such point further delays the whole process. On the contrary, solving the Q = d ⋅ P equation of the ECDLP for calculating d takes place much faster, since the public keys Q and the base point P are known to all users of any platform.
Study of d private keys
The private key d is clearly the most important building block of a transaction taking place at Bitcoin. For this reason, it is the target of potential hackers who,
Graph 1. Tolerance of secp256k1, NIST P-224, M-221 and Curve1174 against all model based attacks on both Galois fields.
use one of the above-mentioned model-based methods of attack or their variants, seek to steal it within a reasonable period of time. Ownership of a user’s account is determined by who knows the private key, i.e. it controls the account. For this reason, users should never disclose or make public their private keys, because their theft has irreversible consequences. The ECDSA algorithm, which takes into account the developer-defined structural parameters, is responsible for creating the private keys and, consequently, for the security of the system.
Below we study cases of making private keys from the algorithm for some elliptic curves from those we studied in the Galois field F 100153 . By maintaining specific domain parameters, such as the base point P and the order n of the subgroup, we have studied the impact on the production of private keys. Note that
Graph 2. Tolerance of BrainpollP256t1 and Anomalous against all model based attacks on the Galois fields.
these results are the outcome of great search in all above-mentioned elliptic curves. The following were chosen because of their representative image for the purpose of the survey, but this did not mean that there were no alternatives.
Note: Usually for the same domain parameters, the ECDSA algorithm allows code-level creation of many private keys that serve the same needs with the same efficiency. This is most common for huge Galois fields.
In the first phase, we defined the E elliptic curve M-383 according to the formula:
E : y 2 = x 3 + 2065150 ⋅ x 2 + x with x ∈ ℝ ,
In the finite Galois field mentioned, maintaining the base point P ( 22 , 72669 ) stable, for which a subgroup of points of the curve with order n = 6229 is created, a value which is objectively large prime number in relation to the field. Below in
We notice that with the creation of three different key pairs ( Q , d ) , as the size of the private key increases, the algorithm’s “resistance” to model-based attacks increases, with the exception of Pollard rho. Corresponding picture is observed in all elliptic curves of the survey.
Diagramically, the stealing times are plotted per model-based method in Graph 3.
Conclusion: From an algorithm perspective, it is possible to improve the security of a user’s account by generating a large-sized private key. This security involves model-based methods such as Brute force and the Baby-giant step and variations thereof. Pollard rho does not appear to be affected to some extent. Finally, the size of the public key does not affect the results at all.
Two further elliptic curves, Curve1174 and BrainpollP256t1, were then studied. Their equations are:
y 2 = x 3 − 28486 ⋅ x + 1926947 & y 2 ≅ x 3 − 3 ⋅ x + 4.621 ⋅ 10 76 , x ∈ ℝ