0

We are working on some detailed estimates for the time required for a quantum computer to break ECC, and are using secp256k1 as an example. This question does not seem to be directly addressed in standard cryptography literature. What is the probability when selecting a random point on the curve that the selected point could be a valid public key (e.g. n*G, for any n and G is the base point)?

In other words, which of the following apply: (A) essentially all points on the curve are potentially a valid public key (e.g. ~>99%), (B) only about half of all point on the curve are potentially valid public keys, or (C) some smaller fraction of points are potentially valid public keys?

If you could provide reasoning or a citation, that would be helpful. If the answer depends on the curve, assume secp256k1.

PKI Security Analyzer
  • 29
  • 2
  • **EXACTLY 100%** not counting the point-at-infinity which is not on the curve though in the curve subgroup. secp256k1 (like all the X9/SECG GF(p) curves) was chosen to have cofactor 1, so the subgroup generated by G is the full group (and 0 is excluded as a privatekey). For other curves (notably the GF(2^m) ones) it depends on the cofactor. But this is not programming or development, and is offtopic for StackOverflow; crypto.stackexchange.com would be suitable. – dave_thompson_085 Apr 22 '22 at 04:06
  • Great, and that fully and clearly explains it! The fact that 100% of points on the curve can be public keys (at least with cofactor 1) turns out to also simplify the calculations for estimating a break of ECC using Shor's algorithm (or potentially another). – PKI Security Analyzer Apr 22 '22 at 04:41

0 Answers0