NIIBE Yutaka gniibe at
Fri Jan 10 01:42:31 CET 2014

On 2014-01-09 at 20:22 +0100, Werner Koch wrote:
> On Thu,  9 Jan 2014 13:59, gniibe at said:
> > Can I add secp256k1 curve?  OID is
> AFAIK, the Koblitz curves are still patented.  I maybe wrong, though.
> In general binary curves are considered potetial weak or at least very
> fragile.  Thus the suggestion for new applications is not to use them.
> However, if you really like to experiment with them, you may add this
> curve.

I had also thought that it were one of Koblitz curves, as defined: 

That is, Anomalous Binary Curves.

But, the curve, secp256k1, is the curve over primary field.  In the
document of SEC 2: Recommended Elliptic Curve Domain Parameters, it
says (page 4):

    Parameters associated with a Koblitz curve admit especially
    efficient implementation.  The name Koblitz curve is best-known
    when used to describe binary anomalous curves over F 2^m which have
    a, b \in {0, 1} [9].  Here it is generalized to refer also to curves
    over p which possess an efficiently computable endomorphism

The reference here is:
[7] R. Gallant. Faster elliptic curve cryptography using efficient
endomorphisms. Presentation at ECC '99, 1999.


This optimization technique is now called Gallant, Lambert and
Vanstone method (or GLV method in short).

Gallant, Lambert and Vanstone: Faster Point Multiplication on Elliptic
Curves with Efficient Endomorphisms:

I don't know this technique is patented or not.

At the start, I don't have an idea to implement this technique, but, I
am going to just define the curve by adding its domain parameter.

More information about the Gcrypt-devel mailing list