[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Ray Dillinger bear at sonic.net
Tue Jun 2 16:18:35 EDT 2020

On Fri, 2020-05-29 at 11:49 -0400, Paul Wouters wrote:
> On Tue, 26 May 2020, other.arkitech via cryptography wrote:

> > I wonder why not using the same secp256k1 used by Bitcoin. It is
> > bullet proof as it is publicly able to keep safe billions in
> > capitalization.
> > I wonder why this is not the cypher suite of choice today.

First of all, Paul is right - completely different problem set, 
trying to secure a completely different set of properties.  
You're going to need some hashing for integrity checks, but the 
main problem you're looking at for your intended app is key 
management.  The hashing here is a relative detail.

Short version: secp256k1 was a very peculiar selection driven 
by paranoia about potential backdoor'd keys. It was little 
studied and not noticeably tested in practice.  But at this point,
because of its use in Bitcoin, it has become extensively tested 
and rigorously studied.  There's no problem any more with moving 
toward standardizing it.

(Long version follows)
About secp256k1, Keep in mind that Hal & Satoshi (I persist in 
thinking they were not the same person) were very paranoid about
backdoors in well-known curves and unlikely to use one that had 
been heavily promoted, or one frequently used by large 
organizations or projects whose selection of it might, in the 
paranoid view, have been because of undue influence.  The 
thinking was that "The crowd is probably wrong" leading to 
semi-deliberate selection of something odd.

The same kind of thinking leads to a lot of insecure "homebrew 
crypto."  Homebrew Crypto almost always fails, so reasonable 
people tend to advise against it.  If you're not *absolutely* 
*sure* what you're doing and why, stepping off the beaten path 
in crypto implementation almost always lands your foot (and 
often more tender parts) in a trap.  

IIRC secp256k1 was initially selected by Satoshi, and had a few 
peculiar properties that convinced both Hal and himself it was 
desirable and safe. I didn't have the insight into properties of 
different keys to offer any useful feedback on it. The important 
property was either because its constants had been selected in a 
way more constrained than the heavily used curves (hence less 
likely to contain a backdoor), or because it's defined over a 
Galois field instead of a modular integer ring.  Or both.

But virtually nothing used it, and it hadn't got any very 
extensive study at that time.  Secp256k1 was at that time 
undeniably a very peculiar beast, and while it offered some 
reassurance against a backdoor risk, its relatively unstudied 
status was different kind of insecure-key risk.  Both risks were 
very small, but it would be hard to place odds on which was 

At this point however, largely BECAUSE of its use in Bitcoin, I 
can't consider it very peculiar anymore. On the contrary, it has 
become one of the best-studied and most extensively tested hashes 
in the world. 

Given the vast amount of completely futile effort that's been 
spent on finding any weaknesses, backdoors, or shortcuts in it, 
I'm convinced that any such things, if they exist at all, are 
demonstrably damned hard to find. I don't know of any other 
curve that has been so extensively tested or rigorously studied. 
There really isn't a problem with moving forward to making it 
a standard.


More information about the cryptography mailing list