Elliptic Curve Cryptography is the foundation of a series of public-key cryptographic schemes, for example, signature schemes, encryption and key transport schemes, and key agreement schemes. In general, these schemes involve arithmetic operations on an elliptic curve over a finite field. Secp256k1 and secp256r1 are two commonly used curves. Hyperledger / Fabric developed by IBM is using secp256r1 while Bitcoin is using secp256k1. What is the difference between these two and why did Satoshi decide to use secp256k1 which is considered as a surprising choice at the time?
The difference between secp256k1 and secp256r1
The main difference between secp256k1 and secp256r1 is that secp256k1 is a Koblitz curve which is defined in a characteristic 2 finite field, while secp256r1 is a prime field curve. Please note, the prime field and the characteristic 2 finite field are only two types of finite fields used by the Standards for Efficient Cryptography Group. Secp256k1 curves are non-random while secp256r1 is pseudo-randomly structured. Although Koblitz curves are generally known to be a few bits weaker than prime field curves, when talking about 256-bit curves, it has little impact.
Secp256k1 is a pure SECG curve, while secp256r1 is a so-called NIST curve. NIST curves are more widely used and have received more scrutiny than other SECG curves. Ironically, this is generally believed as the reason why Satoshi did not use secp256r1. In particular, the leaked documents by the National Security Agency contractor and whistleblower Edward Showden suggested that the NSA had used its influence over NIST to insert a backdoor into a random number generator used in elliptic curve cryptography standards. Without knowing this, Satoshi would have wanted to reduce the risk of there being a backdoor in the curve he would implement, and since NIST and NSA are very close, a pure SECG curve might have been preferred.
Why is it possible that there is a backdoor in secp256r1?
First of all, let’s review how NIST curves are specified. Back in 1999, all Elliptic Curve Discrete Logarithm Problems attack techniques were surveyed. All curves breakable by these techniques were prohibited and Jerry Solinas at NSA specified the methods of generating random non-prohibited curves which lead to the NIST curves.
Ever since then, although some advances have been made to break non-prime-field ECC, the security for prime-field ECC remains unchanged. In NIST curves, p has been specified as 192 bits, 224 bits, 256 bits, 384 bits and 521 bits. These curves were chosen actually for efficiency not security. According to IEEE P1363 standard: “provide the fastest arithmetic on elliptic curves”. The conspiracy comes if NSA has searched many choices of the seed until finding a weak curve. Given the fact that the curve r1 is pseudo-randomized, thus such weak curves could be used under the attack. As the result, Satoshi decided to use a pre-defined pure Koblitz curve for Bitcoin, defined as:
P = 2^256-2^32-2^9-2^8-2^7-2^6-2^4-1
A = 0
B = 7
G = 02 79BE667E F9DCBBAC 55A06295 CE870B07
029BFCDB 2DCE28D9 59F2815B 16F81798
n =
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
h = 1