Score:2

What is the relationship between NIST and secp256k1?

While exploring secp256k1, I came across what seems like the official definition at https://www.secg.org/, specifically in https://www.secg.org/sec2-v2.pdf. In terms of authorship, the document only contains references to the Standards for Efficient Cryptography group and Certicom (acquired by Blackberry). However, many resources I come across mention "NIST curves" in the context of secp256k1.

I've searched https://www.nist.gov/publications for definitions of the curve, but wasn't successful. The document's only mention of NIST is as a reference to "National Institute of Standards and Technology. Recommended Elliptic Curves for Federal Government Use, Jul. 1999", which doesn't seem to be available at NIST anymore, but can be found here and seems to contain different curve definitions.

So what's the relationship between NIST and secp256k1? Is NIST the author of secp256k1? What's the relationship between SEC and NIST? Why does the bitcoinbook say that NIST established secp256k1?

> Bitcoin uses a specific elliptic curve and set of mathematical constants, as defined in a standard called +secp256k1+, established by the National Institute of Standards and Technology (NIST)

How does NIST fit into the story of secp256k1?

fgrieu
Could you quote some other of those «many resources (that) mention "NIST curves" in the context of secp256k1»? The one cited in the question seems isolated. I can't remember secp256k1 quoted as a NIST curve. Is this a confusion with secp256r1, which is in NIST's [FIPS 186-2](https://csrc.nist.gov/publications/detail/fips/186/2/archive/2000-01-27) and later?
aryzing
Other than the bitcoin book, I unfortunately don't recall the other resources.
Score:3

The NIST FIPS 186-4 digital signature standard (and earlier versions 186-2 and 186-3) recommended several elliptic curves suitable for Federal government use; specifically, Appendix D lists curves that also appear in the SECG SEC 2 document, but introduces different designators. Two of these curves predate both documents and come from the ANSI X9.62 document.* To be precise:

  • secp192r1 NIST P-192 (ANSI: prime192v1)
  • secp224r1 NIST P-224
  • secp256r1 NIST P-256 (ANSI: prime256v1)
  • secp384r1 NIST P-384
  • secp521r1 NIST P-521
  • sect163k1 NIST K-163
  • sect163r2 NIST B-163
  • sect233k1 NIST K-233
  • sect233r1 NIST B-233
  • sect283k1 NIST K-283
  • sect283r1 NIST B-283
  • sect409k1 NIST K-409
  • sect409r1 NIST B-409
  • sect571k1 NIST K-571
  • sect571r1 NIST B-571

The ANSI X9.62 document specified a procedure for the generation of curves which was followed in generating the curves above.

Other curves from the SEC2 document including the secp*k1, sect163r1, sect239k1 curves were not included in FIPS186-5. The SEC group was an industry research group and their document perhaps did not carry the same weight as NIST's endorsement. These curves saw wider adoption into Internet standards such as RFC 8422 which try to make the overlap clear. In informal usage the curves often became known as "NIST curves". This loose terminology now seems to have been inaccurately extended to all of the SEC2 curves.

Dave Thompson points out that as of three months ago FIPS 186-4 has been superseded by FIPS 186-5; he writes: "the curves are now moved to SP800-186 instead, and there B/K-163 and P-192 are reduced to 'legacy use', all remaining B/K are 'deprecated', the Bernstein 25519 and 448 curves (in Montgomery, Edwards and Weierstrass forms!) are added, and Appendix H 'allows' some brainpool curves and (relevant here) secp256k1 'for blockchain'"

(*) - The publication order as far as I can tell is ANSI X9.62 (1999), FIPS 186 (2000), SEC2 (2000) with the curves in Appendix 6 of FIPS 186 dated July 1999 (thanks fgrieu). However, these dates are sufficiently close together that contributions are likely hard to separate out. There was presumably discussion between the different groups.

dave_thompson_085
Your link is actually to FIPS186-4 which did include those curves (as did -3 and -2 but not earlier) but FIPS186-5, adopted 3 months ago, no longer does; the curves are now moved to SP800-186 instead, and there B/K-163 and P-192 are reduced to 'legacy use', all remaining B/K are 'deprecated', the Bernstein 25519 and 448 curves (in Montgomery, Edwards _and_ Weierstrass forms!) are added, and Appendix H 'allows' some brainpool curves and (relevant here) secp256k1 'for blockchain'.
Daniel S
@dave_thompson_085 Many thanks, I have added your comment to the main body.
fgrieu
FWIW: The first version of FIPS 186 with the NIST curves is [FIPS 186-2](https://csrc.nist.gov/publications/detail/fips/186/2/archive/2000-01-27), published Jan 2000. They are in [appendix 6](https://csrc.nist.gov/CSRC/media/Publications/fips/186/2/archive/2000-01-27/documents/fips186-2.pdf#page=27), dated July 1999.
Daniel S
@fgrieu Many thanks, I've edited the footnote.
Daniel S
@dave_thompson_085 Hang on. The motivation for using `secp256k1` is because of the reciprocal nature of the "`secq256k1`" curve. Standardising one without the other surely removes that use case.
dave_thompson_085
Daniel: where do you get that? I don't believe anyone even defined the 'q' curve before Ethereum, more than a decade after 'Satoshi' published Bitcoin, and AFAIK even today no one is using it for anything in/on Bitcoin. His(?) crypto choices seem to have been motivated mostly by what Microsoft CNG provided in Windows Vista.
Daniel S
You're right, I hadn't realised that interest in secp256k1 pre-dated the ZKP observation. The [Bitcoin wiki](https://en.bitcoin.it/wiki/Secp256k1) suggests that it is the "rigidity" of secp256k1 that was behind the choice. The wiki does distinguish the secp256k1 curve from "NIST curves".