5
4
79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 seems very random to me. I see how this point is on the curve, but how exactly was this specific point chosen to be the base point? Could other base points have worked?
5
Since the secp256k1 curve order is prime, every point on the curve except the point at infinity is a generator.
Nothing is known about how the designers of the curve chose this specific generator.
However, there is one tell-tale sign that hints about its construction. When the chosen generator G is multiplied by 1/2 (i.e. multiplied by the multiplicative inverse of 2 modulo the curve order), the resulting X coordinate is an exceptionally low number. This very likely means that G was created by picking that X, finding a corresponding Y on the curve, and then doubling the resulting point.
Can you share this low number X? – k06a – 2018-01-23T09:12:08.167
1G/2 = (0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63, 0xc0c686408d517dfd67c2367651380d00d126e4229631fd03f8ff35eef1a61e3c). – Pieter Wuille – 2018-01-23T15:01:11.593
Is there a reason why it needs to be random and large like this? It seems like y^2=x^3+7 is a nice "nothing up my sleeve" curve, but I can't say the same about this base point. Is security compromised in any way if the X coordinate of the base point was chosen to be a tiny number like 3 or 7? – lurf jurv – 2019-01-28T19:48:29.687
1@lurfjurv To the best of my knowledge, the choice of the generator is not relevant to the security of ECDSA. – Pieter Wuille – 2019-01-28T19:55:05.703
I see, so the choice is irrelevant. Is this not suspicious then? Why not pick a trivially small number for x to remove any concern that this base point has some fatal flaw or backdoor? – lurf jurv – 2019-01-29T21:28:29.880