From 383278e70a73a98787b64bac2ead56fff254ad33 Mon Sep 17 00:00:00 2001 From: Tim Daly Date: Wed, 21 Jan 2015 08:21:59 -0500 Subject: src/input/bitcoin.input add additional information --- changelog | 2 + patch | 2 +- src/axiom-website/patches.html | 2 + src/input/bitcoin.input.pamphlet | 509 +++++++++++++++++++++++++++++++------- 4 files changed, 428 insertions(+), 87 deletions(-) diff --git a/changelog b/changelog index 6cbeb58..e6efdbd 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,5 @@ +20150121 tpd src/axiom-website/patches.html 20150121.01.tpd.patch +20150121 tpd src/input/bitcoin.input add additional information 20150119 tpd src/axiom-website/patches.html 20150119.02.tpd.patch 20150119 tpd src/input/bitcoin.input demonstrate finite fields and graphics 20150119 tpd src/axiom-website/patches.html 20150119.01.tpd.patch diff --git a/patch b/patch index 1eb3f1d..4c66917 100644 --- a/patch +++ b/patch @@ -1,2 +1,2 @@ -src/input/bitcoin.input demonstrate finite fields and graphics +src/input/bitcoin.input add additional information diff --git a/src/axiom-website/patches.html b/src/axiom-website/patches.html index a1be972..5efc192 100644 --- a/src/axiom-website/patches.html +++ b/src/axiom-website/patches.html @@ -4962,6 +4962,8 @@ src/axiom-website/download.html add Docker instructions
bug 7296: connect from VIEW2D is not graph specific
20150119.02.tpd.patch src/input/bitcoin.input demonstrate finite fields and graphics +20150121.01.tpd.patch +src/input/bitcoin.input add additional information
diff --git a/src/input/bitcoin.input.pamphlet b/src/input/bitcoin.input.pamphlet index ae0b8d7..b8b9c0d 100644 --- a/src/input/bitcoin.input.pamphlet +++ b/src/input/bitcoin.input.pamphlet @@ -77,7 +77,7 @@ precisely one other point on the curve. We can use these properties to define two operations: point addition and point doubling. -Point addition, P + Q = R, is defined as the reflection through the +{\bf Point addition}, P + Q = R, is defined as the reflection through the x-axis of the third intersecting point R’ on a line that includes P and Q. It's easiest to understand this using a diagram: @@ -98,7 +98,7 @@ makeViewport2D(bitcoin2) \end{chunk} -Similarly, point doubling, P + P = R is defined by finding the line +Similarly, {\bf point doubling}, P + P = R is defined by finding the line tangent to the point to be doubled, P, and taking reflection through the x-axis of the intersecting point R' on the curve to get R. Here's an example of what that would look like: @@ -201,6 +201,10 @@ makeViewport2D(bitcoin4) \end{chunk} +The secp256k1 curve $y^2=x^3+7$ is defined over the field +$Z_{x^256-2^32-977}$ so the coordinates would be 256-bit integers +modulo a large number. + It's now a set of points, in which all the x and y values are integers between 0 and 66. Note that the ``curve'' still retains its horizontal symmetry. @@ -305,9 +309,9 @@ look for the two points with first component of 47, which are A protocol such as Bitcoin selects a set of parameters for the elliptic curve and its finite field representation that is fixed for -all users of the protocol. The parameters include the equation used, -the prime modulo of the field, and a base point that falls on the -curve. The order of the base point, which is not independently +all users of the protocol. The parameters include the {\bf equation} used, +the {\bf prime modulo} of the field, and a {\bf base point} that falls on the +curve. The {\bf order} of the base point, which is not independently selected but is a function of the other parameters, can be thought of graphically as the number of times the point can be added to itself until its slope is infinite, or a vertical line. The base point is @@ -318,29 +322,101 @@ order. In fact, all practical applications of ECDSA use enormous values. The security of the algorithm relies on these values being large, and therefore impractical to brute force or reverse engineer. -In the case of Bitcoin: +In the case of Bitcoin, from the standard we can find the constants used. + +The elliptic curve domain parameters over $F_p$ associated with a +Koblitz curve secp256k1 are specified by the sextuple +\begin{verbatim} + T = (p,a,b,G,n,h) +\end{verbatim} + +The bitcoin finite field $F_p$ is defined by the prime modulo $p$ +\begin{verbatim} + p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1 = + p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F +\end{verbatim} +\begin{chunk} +2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1 + +toint("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F") - _ +115792089237316195423570985008687907853269984665640564039457584007908834671663 +\end{chunk} + +An elliptic curve has the equation $y^2 = x^2 +ax + b$ \begin{verbatim} - Elliptic curve equation: y2 = x3 + 7 + a = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + b = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000007 +\end{verbatim} +so the bitcoin elliptic curve equation is $y^2 = x^3 + 7$ - Prime modulo = 2256 – 232 – 29 – 28 – 27 – 26 – 24 - 1 = FFFFFFFF - FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F +The base point G is +\begin{verbatim} + G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B + 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 + 9C47D08F FB10D4B8 +\end{verbatim} +\begin{chunk} +toint("0479BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F8179848_ +3ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8")-_ +6000746936161145159580807630710398194806667503591148342868840061480003460960_ +169061252790327998144653833156263603576192256683705628067124438257434856474_ +7448 - Base point = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB - 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 - FD17B448 A6855419 9C47D08F FB10D4B8 +\end{chunk} - Order = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B - BFD25E8C D0364141 +and the order $n$ of G and the cofactor are: +\begin{verbatim} + n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 + h = 01 \end{verbatim} +\begin{chunk} +toint("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141") -_ +115792089237316195423570985008687907852837564279074904382605163141518161494337 + +\end{chunk} -Who chose these numbers, and why? A great deal of research, and a fair -amount of intrigue, surrounds the selection of appropriate -parameters. After all, a large, seemingly random number could hide a -backdoor method of reconstructing the private key. In brief, this -particular realization goes by the name of secp256k1 and is part of a -family of elliptic curve solutions over finite fields proposed for use -in cryptography. +An optimized C library is available on github\cite{7}. + +Who chose these numbers, and why? A great deal of research\cite{3}, +and a fair amount of intrigue\cite{4}, surrounds the selection of +appropriate parameters. After all, a large, seemingly random number +could hide a backdoor method of reconstructing the private key. In +brief, this particular realization goes by the name of secp256k1\cite{5} and +is part of a family of elliptic curve solutions over finite fields +proposed for use in cryptography. According to the bitcoin wiki this +curve was constructed in a special non-random way which allows for +especially efficient computation. It is claimed to be 30 percent faster +than other curves if the implementation is sufficiently optimized. + +More importantly, the curve constants were selected in a predictable way +to significantly reduce the possibility that the curve's creator +inserted any sort of backdoor. Whether the published elliptic curves +have a backdoor is not known. Such a thing is possible and has already +been done with RSA.\cite{6} + +An NSA-backed NIST elliptic curve has a potential problem. From the +paper by Shumow and ferguson\cite{9} we quote Bruce Schneier\cite{10} +\begin{quote} +But today there's an even bigger stink brewing around Dual\_EC\_DRBG. +In an informal presentation\cite{10} at the CRYPTO 2007 conference +in August, Dan Shumow and Niels Ferguson showed that the algorithm +contains a weakness that can only be described as a backdoor. + +This is how it works: There are a bunch of constants -- fixed numbers -- +in the standard used to define the algorithm's elliptic curve. These +constants are listed in Appendix A of the NIST publication, but nowhere +is it explained where they came rom. + +What Shumow and Ferguson showed is that these numbers have a +relationship with a second, secret set of numbers that can act as a +kind of skeleton key. If you know the secret numbers, you can predict +the output of the random-number generator after collecting just 32 +bytes of its output. To put that in real terms, you only need to +monitor one TLS internet encryption connection in order to crask the +security of that protocol. If you know the secret numbers, you can +completely break any instantiation of Dual\_\_DRBG. +\end{quote} \section{Private Keys and Public Keys} @@ -363,19 +439,19 @@ public key on the graph, but there are some equations that accomplish the same thing in the context of finite fields. Point addition of p + q to find r is defined component-wise as follows: -\begin{verbatim} - c = (qy - py) / (qx - px) - rx = c2 - px - qx - ry = c (px - rx) - py -\end{verbatim} +\[\begin{array}{rcl} +c &=& (q_y - p_y) / (q_x - p_x)\\ +r_x &=& c^2 - p_x - q_x\\ +r_y &=& c (p_x - r_x) - p_y +\end{array}\] And point doubling of p to find r is as follows: -\begin{verbatim} - c = (3px2 + a) / 2py - rx = c2 - 2px - ry = c (px - rx) - py -\end{verbatim} +\[\begin{array}{rcl} +c &=& (3p_{x^2} + a) / 2p_y\\ +r_x &=& c^2 - 2p_x\\ +r_y &=& c (p_x - r_x) - p_y +\end{array}\] In practice, computation of the public key is broken down into a number of point doubling and point addition operations starting from @@ -385,32 +461,26 @@ Let's run a back of the envelope example using small numbers, to get an intuition about how the keys are constructed and used in signing and verifying. The parameters we will use are: -\begin{verbatim} - Equation: y2 = x3 + 7 (which is to say, a = 0 and b = 7) - Prime Modulo: 67 - Base Point: (2, 22) - Order: 79 - Private key: 2 -\end{verbatim} +Equation: $y^2 = x^3 + 7$ (which is to say, $a = 0$ and $b = 7$)\\ +Prime Modulo: 67\\ +Base Point: (2, 22)\\ +Order: 79\\ +Private key: 2 First, let's find the public key. Since we have selected the simplest possible private key with value = 2, it will require only a single point doubling operation from the base point. The calculation looks like this: -\begin{verbatim} - c = (3 * 22 + 0) / (2 * 22) mod 67 - c = (3 * 4) / (44) mod 67 - c = 12 / 44 mod 67 -\end{verbatim} +\[\begin{array}{rcl} +c &=& (3 * 2^2 + 0) / (2 * 22) mod 67\\ +c &=& (3 * 4) / (44) mod 67\\ +c &=& 12 / 44 mod 67 +\end{array}\] Here we have to pause for a bit of sleight-of-hand: how do we perform division in the context of a finite field, where the result must -always be an integer? We have to multiply by the inverse, which space -does not permit us to define here (we refer you to here and here if -interested). In the case at hand, you will have to trust us for the -moment that: - +always be an integer? We have to multiply by the inverse. \begin{verbatim} -1 44 = 32 @@ -437,7 +507,8 @@ inv(12*32)::FIN \end{chunk} \begin{verbatim} - rx = (49^2 - 2 * 2) mod 67 + 2 + rx = (49 - 2 * 2) mod 67 rx = (2401 - 4) mod 67 rx = 2397 mod 67 rx = 52 @@ -559,7 +630,7 @@ addition and point doubling. s = (z + r * d) / k mod n s = (17 + 62 * 2) / 3 mod 79 s = (17 + 124) / 3 mod 79 - s = 141 / 3 mod 79 + s = 141 / 3 mod 79 s = 47 mod 79 s = 47 \end{verbatim} @@ -573,7 +644,8 @@ before, we have hidden some gory details by computing it elsewhere): s = (17 + 62 * 2) / 3 mod 79 s = (17 + 124) / 3 mod 79 s = 141 / 3 mod 79 - s = 141 * 3-1 mod 79 + -1 + s = 141 * 3 mod 79 s = 141 * 53 mod 79 s = 7473 mod 79 s = 47 @@ -594,12 +666,12 @@ With Q being the public key and the other variables defined as before, the steps for verifying a signature are as follows: \begin{enumerate} -\item Verify that r and s are between 1 and n - 1. -\item Calculate w = s-1 mod n -\item Calculate u = z * w mod n -\item Calculate v = r * w mod n -\item Calculate the point (x, y) = uG + vQ -\item Verify that r = x mod n. The signature is invalid if it is not. +\item Verify that $r$ and $s$ are between $1$ and $n - 1$. +\item Calculate $w = s^{-1} mod n$ +\item Calculate $u = z * w mod n$ +\item Calculate $v = r * w mod n$ +\item Calculate the point $(x, y) = uG + vQ$ +\item Verify that $r = x mod n$. The signature is invalid if it is not. \end{enumerate} Why do these steps work? We are skipping the proof, but you can read @@ -624,8 +696,10 @@ variables, once again: 2. Calculate w: \begin{verbatim} - w = s-1 mod n - w = 47-1 mod 79 + -1 + w = s mod n + -1 + w = 47 mod 79 w = 37 \end{verbatim} @@ -715,43 +789,306 @@ Clearly step 5 is the bulk of the work. For the final step, Our signature is valid! -\section{Conclusion} - -For those of you who saw all the equations and skipped to the bottom, -what have we just learned? +\section{Bitcoin addresses} -We have developed some intuition about the deep mathematical -relationship that exists between public and private keys. We have seen -how even in the simplest examples the math behind signatures and -verification quickly gets complicated, and we can appreciate the -enormous complexity which must be involved when the parameters -involved are 256-bit numbers. We have seen how the clever application -of the simplest mathematical procedures can create the one-way ``trap -door'' functions necessary to preserve the information asymmetry which -defines ownership of a bitcoin. And we have newfound confidence in the -robustness of the system, provided that we carefully safeguard the -knowledge of our private keys. +Bitcoin does not just check the keys. A bitcoin address is not a public +key. It is the hash of a public key. The relationship is\cite{11} -In other words, this is why it is commonly said that Bitcoin is -``backed by math.'' +\begin{verbatim} -If you hung in through the complicated bits, we hope it gave you the -confidence to take the next step and try out the math on your own (a -modular arithmetic calculator makes the finite field math much -easier). We found that going through the steps of signing and -verifying data by hand provides a deeper understanding of the -cryptography that enables Bitcoin's unique form of ownership. +private key = + c4bbcb1fbec99d65b59d85c8cb62ee2db963f0fe106f483d9afa73bd4e39a8a + | + Key Conversion + (one way) + | +public key = V + 0478d430274f8c5ec1321338151e9274c676a008bdf8638d07c0b6be9ab35c71 + a1518063243acd4dfe96b66e3f2ec8013c8e072cd09b3834a19f81f659cc3455 + | + SHA256 + | + V + RIPEMD-160 + | + V + c4c5d791fcb4654a1ef5e03fe0ad3d9c598f9827 + | + +--- SHA256 x2 ------> 4abb81a + | | + +-- concatenate --------+ + | + Base 58 + | + V + bitcoin address = 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T +\end{verbatim} -*** +A bitcoin transaction contains the spender's public key and a signature +made with the spender's private key. The hash of the public key can +be checked (the spender's "address") and the signature can be checked +with the public key. + +\subsection{Base68 encoding} +The bitcoin base58 encoding\cite{12} + +\begin{tabular}{|c|c|c|c|c|c|c|c|} +Value&Char &Value&Char &Value&Char &Value&Char \\ + 0 & 1 & 1 & 2 & 3 & 3 & 3 & 4\\ + 4 & 5 & 5 & 6 & 6 & 7 & 7 & 8\\ + 8 & 9 & 9 & A & 10 & B & 11 & C\\ + 12 & D & 13 & E & 14 & F & 15 & G\\ + 16 & H & 17 & J & 18 & K & 19 & L\\ + 20 & M & 21 & N & 22 & P & 23 & Q\\ + 24 & R & 25 & S & 26 & T & 27 & U\\ + 28 & V & 29 & W & 30 & X & 31 & Y\\ + 32 & Z & 33 & a & 34 & b & 35 & c\\ + 36 & d & 37 & e & 38 & f & 39 & g\\ + 40 & h & 41 & i & 42 & j & 43 & k\\ + 44 & m & 45 & n & 46 & o & 47 & p\\ + 48 & q & 49 & r & 50 & s & 51 & t\\ + 52 & u & 53 & v & 54 & w & 55 & x\\ + 56 & y & 57 & z +\end{tabular} + +\section{Test Vectors} +Bitcoin test examples.\cite{8} +\begin{verbatim} +Curve: secp256k1 +------------- +k = 1 +x = 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 +y = 483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 + +k = 2 +x = C6047F9441ED7D6D3045406E95C07CD85C778E4B8CEF3CA7ABAC09B95C709EE5 +y = 1AE168FEA63DC339A3C58419466CEAEEF7F632653266D0E1236431A950CFE52A + +k = 3 +x = F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9 +y = 388F7B0F632DE8140FE337E62A37F3566500A99934C2231B6CB9FD7584B8E672 + +k = 4 +x = E493DBF1C10D80F3581E4904930B1404CC6C13900EE0758474FA94ABE8C4CD13 +y = 51ED993EA0D455B75642E2098EA51448D967AE33BFBDFE40CFE97BDC47739922 + +k = 5 +x = 2F8BDE4D1A07209355B4A7250A5C5128E88B84BDDC619AB7CBA8D569B240EFE4 +y = D8AC222636E5E3D6D4DBA9DDA6C9C426F788271BAB0D6840DCA87D3AA6AC62D6 + +k = 6 +x = FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A1460297556 +y = AE12777AACFBB620F3BE96017F45C560DE80F0F6518FE4A03C870C36B075F297 + +k = 7 +x = 5CBDF0646E5DB4EAA398F365F2EA7A0E3D419B7E0330E39CE92BDDEDCAC4F9BC +y = 6AEBCA40BA255960A3178D6D861A54DBA813D0B813FDE7B5A5082628087264DA + +k = 8 +x = 2F01E5E15CCA351DAFF3843FB70F3C2F0A1BDD05E5AF888A67784EF3E10A2A01 +y = 5C4DA8A741539949293D082A132D13B4C2E213D6BA5B7617B5DA2CB76CBDE904 + +k = 9 +x = ACD484E2F0C7F65309AD178A9F559ABDE09796974C57E714C35F110DFC27CCBE +y = CC338921B0A7D9FD64380971763B61E9ADD888A4375F8E0F05CC262AC64F9C37 + +k = 10 +x = A0434D9E47F3C86235477C7B1AE6AE5D3442D49B1943C2B752A68E2A47E247C7 +y = 893ABA425419BC27A3B6C7E693A24C696F794C2ED877A1593CBEE53B037368D7 + +k = 11 +x = 774AE7F858A9411E5EF4246B70C65AAC5649980BE5C17891BBEC17895DA008CB +y = D984A032EB6B5E190243DD56D7B7B365372DB1E2DFF9D6A8301D74C9C953C61B + +k = 12 +x = D01115D548E7561B15C38F004D734633687CF4419620095BC5B0F47070AFE85A +y = A9F34FFDC815E0D7A8B64537E17BD81579238C5DD9A86D526B051B13F4062327 + +k = 13 +x = F28773C2D975288BC7D1D205C3748651B075FBC6610E58CDDEEDDF8F19405AA8 +y = 0AB0902E8D880A89758212EB65CDAF473A1A06DA521FA91F29B5CB52DB03ED81 + +k = 14 +x = 499FDF9E895E719CFD64E67F07D38E3226AA7B63678949E6E49B241A60E823E4 +y = CAC2F6C4B54E855190F044E4A7B3D464464279C27A3F95BCC65F40D403A13F5B + +k = 15 +x = D7924D4F7D43EA965A465AE3095FF41131E5946F3C85F79E44ADBCF8E27E080E +y = 581E2872A86C72A683842EC228CC6DEFEA40AF2BD896D3A5C504DC9FF6A26B58 + +k = 16 +x = E60FCE93B59E9EC53011AABC21C23E97B2A31369B87A5AE9C44EE89E2A6DEC0A +y = F7E3507399E595929DB99F34F57937101296891E44D23F0BE1F32CCE69616821 + +k = 17 +x = DEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34 +y = 4211AB0694635168E997B0EAD2A93DAECED1F4A04A95C0F6CFB199F69E56EB77 + +k = 18 +x = 5601570CB47F238D2B0286DB4A990FA0F3BA28D1A319F5E7CF55C2A2444DA7CC +y = C136C1DC0CBEB930E9E298043589351D81D8E0BC736AE2A1F5192E5E8B061D58 + +k = 19 +x = 2B4EA0A797A443D293EF5CFF444F4979F06ACFEBD7E86D277475656138385B6C +y = 85E89BC037945D93B343083B5A1C86131A01F60C50269763B570C854E5C09B7A + +k = 20 +x = 4CE119C96E2FA357200B559B2F7DD5A5F02D5290AFF74B03F3E471B273211C97 +y = 12BA26DCB10EC1625DA61FA10A844C676162948271D96967450288EE9233DC3A + +k = 112233445566778899 +x = A90CC3D3F3E146DAADFC74CA1372207CB4B725AE708CEF713A98EDD73D99EF29 +y = 5A79D6B289610C68BC3B47F3D72F9788A26A06868B4D8E433E1E2AD76FB7DC76 + +k = 112233445566778899112233445566778899 +x = E5A2636BCFD412EBF36EC45B19BFB68A1BC5F8632E678132B885F7DF99C5E9B3 +y = 736C1CE161AE27B405CAFD2A7520370153C2C861AC51D6C1D5985D9606B45F39 + +k = 2894802230932904885589274625217197696320939106976872609565129078 + 5379540373584 +x = A6B594B38FB3E77C6EDF78161FADE2041F4E09FD8497DB776E546C41567FEB3C +y = 71444009192228730CD8237A490FEBA2AFE3D27D7CC1136BC97E439D13330D55 + +k = 5789604461865809771178549250434395392641878213953745219130258157 + 0759080747168 +x = 00000000000000000000003B78CE563F89A0ED9414F5AA28AD0D96D6795F9C63 +y = 3F3979BF72AE8202983DC989AEC7F2FF2ED91BDD69CE02FC0700CA100E59DDF3 + +k = 86844066927987146567678238756515930889628173209306178286953872356 + 138621120752 +x = E24CE4BEEE294AA6350FAA67512B99D388693AE4E7F53D19882A6EA169FC1CE1 +y = 8B71E83545FC2B5872589F99D948C03108D36797C4DE363EBD3FF6A9E1A95B10 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494317 +x = 4CE119C96E2FA357200B559B2F7DD5A5F02D5290AFF74B03F3E471B273211C97 +y = ED45D9234EF13E9DA259E05EF57BB3989E9D6B7D8E269698BAFD77106DCC1FF5 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494318 +x = 2B4EA0A797A443D293EF5CFF444F4979F06ACFEBD7E86D277475656138385B6C +y = 7A17643FC86BA26C4CBCF7C4A5E379ECE5FE09F3AFD9689C4A8F37AA1A3F60B5 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494319 +x = 5601570CB47F238D2B0286DB4A990FA0F3BA28D1A319F5E7CF55C2A2444DA7CC +y = 3EC93E23F34146CF161D67FBCA76CAE27E271F438C951D5E0AE6D1A074F9DED7 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494320 +x = DEFDEA4CDB677750A420FEE807EACF21EB9898AE79B9768766E4FAA04A2D4A34 +y = BDEE54F96B9CAE9716684F152D56C251312E0B5FB56A3F09304E660861A910B8 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494321 +x = E60FCE93B59E9EC53011AABC21C23E97B2A31369B87A5AE9C44EE89E2A6DEC0A +y = 081CAF8C661A6A6D624660CB0A86C8EFED6976E1BB2DC0F41E0CD330969E940E + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494322 +x = D7924D4F7D43EA965A465AE3095FF41131E5946F3C85F79E44ADBCF8E27E080E +y = A7E1D78D57938D597C7BD13DD733921015BF50D427692C5A3AFB235F095D90D7 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494323 +x = 499FDF9E895E719CFD64E67F07D38E3226AA7B63678949E6E49B241A60E823E4 +y = 353D093B4AB17AAE6F0FBB1B584C2B9BB9BD863D85C06A4339A0BF2AFC5EBCD4 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494324 +x = F28773C2D975288BC7D1D205C3748651B075FBC6610E58CDDEEDDF8F19405AA8 +y = F54F6FD17277F5768A7DED149A3250B8C5E5F925ADE056E0D64A34AC24FC0EAE + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494325 +x = D01115D548E7561B15C38F004D734633687CF4419620095BC5B0F47070AFE85A +y = 560CB00237EA1F285749BAC81E8427EA86DC73A2265792AD94FAE4EB0BF9D908 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494326 +x = 774AE7F858A9411E5EF4246B70C65AAC5649980BE5C17891BBEC17895DA008CB +y = 267B5FCD1494A1E6FDBC22A928484C9AC8D24E1D20062957CFE28B3536AC3614 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494327 +x = A0434D9E47F3C86235477C7B1AE6AE5D3442D49B1943C2B752A68E2A47E247C7 +y = 76C545BDABE643D85C4938196C5DB3969086B3D127885EA6C3411AC3FC8C9358 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494328 +x = ACD484E2F0C7F65309AD178A9F559ABDE09796974C57E714C35F110DFC27CCBE +y = 33CC76DE4F5826029BC7F68E89C49E165227775BC8A071F0FA33D9D439B05FF8 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494329 +x = 2F01E5E15CCA351DAFF3843FB70F3C2F0A1BDD05E5AF888A67784EF3E10A2A01 +y = A3B25758BEAC66B6D6C2F7D5ECD2EC4B3D1DEC2945A489E84A25D3479342132B + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494330 +x = 5CBDF0646E5DB4EAA398F365F2EA7A0E3D419B7E0330E39CE92BDDEDCAC4F9BC +y = 951435BF45DAA69F5CE8729279E5AB2457EC2F47EC02184A5AF7D9D6F78D9755 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494331 +x = FFF97BD5755EEEA420453A14355235D382F6472F8568A18B2F057A1460297556 +y = 51ED8885530449DF0C4169FE80BA3A9F217F0F09AE701B5FC378F3C84F8A0998 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494332 +x = 2F8BDE4D1A07209355B4A7250A5C5128E88B84BDDC619AB7CBA8D569B240EFE4 +y = 2753DDD9C91A1C292B24562259363BD90877D8E454F297BF235782C459539959 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494333 +x = E493DBF1C10D80F3581E4904930B1404CC6C13900EE0758474FA94ABE8C4CD13 +y = AE1266C15F2BAA48A9BD1DF6715AEBB7269851CC404201BF30168422B88C630D + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494334 +x = F9308A019258C31049344F85F89D5229B531C845836F99B08601F113BCE036F9 +y = C77084F09CD217EBF01CC819D5C80CA99AFF5666CB3DDCE4934602897B4715BD + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494335 +x = C6047F9441ED7D6D3045406E95C07CD85C778E4B8CEF3CA7ABAC09B95C709EE5 +y = E51E970159C23CC65C3A7BE6B99315110809CD9ACD992F1EDC9BCE55AF301705 + +k = 1157920892373161954235709850086879078528375642790749043826051631 + 41518161494336 +x = 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 +y = B7C52588D95C3B9AA25B0403F1EEF75702E84BB7597AABE663B82F6F04EF2777 +\end{verbatim} -Special thanks to Steven Phelps for help with this article -3 months ago \begin{thebibliography}{99} \bibitem[1]{1} -\verb|http://blog.chain.com/post/95218566791/the-math-behind-bitcoin| +\verb|blog.chain.com/post/95218566791/the-math-behind-bitcoin| \bibitem[2]{2} \verb|arstechnica.com/gaming/2010/12/ps3-hacked-through-poor-implementation| \verb|-of-cryptography| +\bibitem[3]{3} +\verb|perso-univ-rennes1.fr/sylvain.duquesne/master/standards/sec2_final.pdf| +\bibitem[4]{4} +\verb|it.slashdot.org/story/13/09/11/1224252/are-the-nist-standard-elliptic-curves-back-doored| +\bibitem[5]{5} +\verb|en.bitcoin.it/wiki/Secp256k1| +\bibitem[6]{6} +\verb|kukuruku.co/hub/infosec/backdoor-in-a-public-rsa-key| +\bibitem[7]{7} +\verb|github.com/bitcoin/secp256k1| +\bibitem[8]{8} +\verb|crypto.stackexchange.com/questions/784/are-there-any-secp256k1-| +\verb|ecdsa-test-examples-available| +\bibitem[9]{9} Shumow, Dan; Ferguson, Niels ``On the Possibility of a +Back Door in the NIST SP800-90 Dual Ec Prng'' +\verb|rump2007.cr.yp.to/15-shumow.pdf| +\bibitem[10]{10} Schneier, Bruce +\verb|www.schneier.com/blog/archives/2007/11/the_strange_sto.html| +\bibitem[11]{11} +\verb|coinmagazine.com/7781/satoshis-genius-unexpected-ways-in-which-| +\verb|bitcoin-dodged-some-cryptographic-bullet| +\bibitem[12]{12} +\verb|en.bitcoin.it/wiki/Base58Check_encoding| \end{thebibliography} \end{document} -- 1.7.5.4