
Imagine a situation where there are many high-value public keys around, using the same Elliptic Curve group, say $k$ in the millions of public keys¹. Can an adversary reasonably find one of the matching private keys at much lower cost than finding the private key for a particular one?

What's the best feasible² method? What's its cost relative to the best known feasible method for one key (that is, I believe, distributed Pollard's rho with distinguished points), as a function of $k$ and perhaps the Elliptic Curve group order $n$?


¹ Imagine Bitcoin with secp224k1, and the corresponding Ponzi had similar market value.

² Assuming known existing technologies, including supercomputers, GPUs, FPGAs, ASICs, but not quantum computers usable for cryptanalysis.

fgrieu

1 Answer

> Can an adversary reasonably find one of the matching private keys at much lower cost than finding the private key for a particular one?

No, and that's provable (and is independent of the technology employed).

Suppose that we had a black box that could take $k$ different public keys $a_1G, a_2G, ..., a_kG$, and recover $a_i$ (for some $i$) in $o(\sqrt{n})$ time.

Then, here is how we could use that black box to, given one public key $aG$, recover the private key $a$ in $o(\sqrt{n})$ time. We would:

  • Select $k$ random values $r_1, r_2, ..., r_k$, and compute the sequence $r_1(aG), r_2(aG), ..., r_k(aG)$, which (by defining $b_i = r_i a$) can be viewed as $b_1G, b_2G, ..., b_kG$

  • Give the sequence $b_1G, b_2G, ..., b_kG$ to the black box, which will recover $b_i$

  • We compute $a = r_i^{-1}b_i$, and thus recover the key.

The steps in addition to the invocation of the black box take $O(k)$ time, which can be ignored for reasonably sized $k$.

Note that the sequence $b_1G, b_2G, ..., b_kG$ is uniformly distributed, and hence even if the black box is probabilistic, it'll still allow us to recover the private key.

poncho
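The reduction in the answer, as an added runnable illustration (not code from the question or the answer): the "black box" is a brute-force stand-in for any one-of-$k$ solver, the curve, base point and the names `find_one_of_many` / `solve_single` are constructed for this example, and the group is toy-sized so everything runs in milliseconds.

```python
import random
from math import gcd
# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97), base point G = (0, 10). It only makes
# the reduction executable; it is toy-sized and unrelated to secp224k1.
P, A, B, G, INF = 97, 2, 3, (0, 10), None   # INF is the point at infinity

def ec_add(p1, p2):  # affine addition; covers doubling and Q + (-Q) = INF
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def order_of(pt):  # order n of pt by stepping through its multiples (toy group only)
    n, q = 1, pt
    while q is not INF:
        q, n = ec_add(q, pt), n + 1
    return n
N = order_of(G)
UNITS = [r for r in range(1, N) if gcd(r, N) == 1]   # scalars invertible mod n

def find_one_of_many(pubkeys):
    """The answer's black box: given b_1 G, ..., b_k G, return (i, b_i) for some i (brute force here)."""
    lookup = {pk: i for i, pk in enumerate(pubkeys)}
    q = INF
    for m in range(1, N + 1):
        q = ec_add(q, G)                     # q = m*G
        if q in lookup:
            return lookup[q], m
    raise ValueError("no target is a multiple of G")

def solve_single(target, k):
    """Recover a from aG with only the k-target box, as the answer describes: turn the one
    target into k targets r_i*(aG) = (r_i a)G, learn some b_i = r_i a, then undo r_i."""
    rs = random.choices(UNITS, k=k)
    batch = [ec_mul(r, target) for r in rs]  # the O(k) overhead of the reduction
    i, b_i = find_one_of_many(batch)
    return pow(rs[i], -1, N) * b_i % N       # a = r_i^{-1} b_i mod n
```

Whatever `find_one_of_many` costs, `solve_single` costs that plus $k$ scalar multiplications, which is the whole content of the argument: a cheap one-of-$k$ solver would be a cheap single-key solver.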