4

I know it should be impossible (or at least infeasibly hard) to extract an ECDSA Private Key from a given Public Key (discrete logarithm problem). But I'm not deep enough into ECC to find an answer to this question: is it possible/easier to find the private key if the corresponding public key is zero (like "0x000...000")? Of course the curve details (base point, finite field, etc.) are given too.

tripleee

2 Answers

4

Yes, actually it is rather trivial.

First we need to dive a little bit into how elliptic curves work. Take a finite field, usually $\mathbb F_p$ for some fixed prime $p$. We call the set of all pairs $(x,y)\in\mathbb F_p^2$ satisfying the equation $y^2\equiv x^3+ax+b\pmod p$ the elliptic curve $E_{a,b}(\mathbb F_p)$.

First we note that $(0,0)$ is on the curve if and only if $b=0$. However, for practically used curves this is not the case. So we can conclude that your request doesn't actually ask for the point which gets encoded to $(0,0)$ (because it isn't on any curve) but rather for the semantic point $0$ that fulfills the same role as the $0$ for the integers, the rationals, the reals, that is the role of the additive neutral element in a group. The encoding of $\mathcal O$ as all-0x00 bytes is confirmed in SEC 1 v2 section 2.3.3 (PDF).

Now we commonly write the points on an elliptic curve as a group, because we can add them, we can subtract them, they have a neutral element $\mathcal O$ ("the point at infinity") and addition is associative.

Now that we have made use of 3 of the 7 usual parameters for elliptic curves, let's look at the rest. Two parameters encode the base point, that is a point $G=(g_x,g_y)$ on the curve which is fixed and used as the reference element for all cryptographic operations. In fact the private key $d$ to your public key point $Q$ has to satisfy the relation $Q=[d]G$, that is addition of $G$, $d$-times with itself yields $Q$.

So now for the last two parameters. Remember when we talked about the curve being the set of all points? It turns out that we actually need to know how many there are. This is called the order of the curve and is usually not encoded in the domain parameters. However, the order $n$ of the base-point is encoded and that is precisely the integer such that $\mathcal O=[n]G$, so the "private key" to "0x0000...000" is actually directly encoded in the domain parameters.

To satisfy the curiosity you surely have: The last value encoded is the co-factor, that is the quotient of the curve's order and the base-point's order, we need this for some computations.

If you are now asking yourself, whether $n$ is the private key, then the answer is "no". It is the private key that is smaller or equal to $n$ and larger than $0$, however, any multiple of $n$ will work. That is $d'=2n$ will work just the same as $d''=3n$, because in this setting they designate the same as all scalar factors are reduced $\bmod n$ and $0\equiv n\equiv 2n\equiv 3n\equiv\ldots\pmod n$.

On a final note (as pointed out by @fgrieu in the comments): No sane implementation would accept $\mathcal O$ as a public key (section 3.2.2.1 of SEC 1 v2 (PDF)), because it would offer no security as discussed above. On key generation there's also the standard restriction that $0<d<n$, meaning no sane implementation would ever generate $\mathcal O$ as the public key (section 3.2.1 of SEC 1 v2 (PDF)).

SEJPM
2

fgrieu and SEJPM have answered the question completely for all elliptic curves in regard to the public key. There is an interesting edge case with ECDSA signatures which occurs when there exists a point whose x coordinate is equal to the order of the curve; in that case the parameter r of the r,s pair for the signature would also be 0 (mod n), n being the order of the curve. But as they already noted, no sane implementation would accept it. To get the ephemeral private key to that point you would need to solve the ECDLP.