I often see in papers (e.g. this one) that for an elliptic curve with generator point $G$ and order $n$ the private key $d$ can take on any integer value in the range $[1, n)$. When $d = 1$ the corresponding public key $Q = dG$ is of course then just the generator point $G$. Why is this allowed? I understand that the chances that $d = 1$ for a sufficient size curve are basically non-existant, but doesn't $d = 1$ break the hardness assumption that elliptic curve schemes are based on (i.e. if I see $Q = G$ I can immediately infer $d$ without having to compute a discrete log over an elliptic curve).
Asked
Active
Viewed 1,521 times
1 Answers
21
By the same argument, they would have to forbid $d = 1234$; after all, an attacker can trivially compute the value of $1234 G$; and if they see it, then they can immediately infer $d$ without having to complete a discrete log over an elliptic curve. Of course, this logic would forbid all possible values of $d$...
The issue is that if the attacker gets lucky and guesses $d$, he wins (and there's nothing special about $d=1$ in this). However, he is quite unlikely to get lucky (and again, there's nothing special about $d=1$ in this either).
poncho
- 154,064
- 12
- 239
- 382