# secp256k1

NIIBE Yutaka gniibe at fsij.org
Fri Jan 10 01:42:31 CET 2014

On 2014-01-09 at 20:22 +0100, Werner Koch wrote:
> On Thu,  9 Jan 2014 13:59, gniibe at fsij.org said:
> > Can I add secp256k1 curve?  OID is 1.3.132.0.10.
>
> AFAIK, the Koblitz curves are still patented.  I may be wrong, though.
>
> In general binary curves are considered potentially weak or at least very
> fragile.  Thus the suggestion for new applications is not to use them.
>
> However, if you really like to experiment with them, you may add this
> curve.

I had also thought that it was one of the Koblitz curves, as defined:

http://www.springerreference.com/docs/html/chapterdbid/317770.html

That is, Anomalous Binary Curves.

But, the curve, secp256k1, is the curve over primary field.  In the
document of SEC 2: Recommended Elliptic Curve Domain Parameters, it
says (page 4):

Parameters associated with a Koblitz curve admit especially
efficient implementation.  The name Koblitz curve is best-known
when used to describe binary anomalous curves over F_{2^m} which have
a, b \in {0, 1} [9].  Here it is generalized to refer also to curves
over F_p which possess an efficiently computable endomorphism
[7].

The reference here is:
[7] R. Gallant. Faster elliptic curve cryptography using efficient
endomorphisms. Presentation at ECC '99, 1999.

It's http://cacr.uwaterloo.ca/conferences/1999/ecc99/gallant.ps

This optimization technique is now called the Gallant, Lambert and
Vanstone method (or GLV method for short).

Gallant, Lambert and Vanstone: Faster Point Multiplication on Elliptic
Curves with Efficient Endomorphisms:
http://www.iacr.org/archive/crypto2001/21390189.pdf

I don't know whether this technique is patented or not.

At the start, I don't have an idea to implement this technique, but I
am going to just define the curve by adding its domain parameters.
--
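
The "efficiently computable endomorphism" in the SEC 2 passage quoted above can be checked directly on secp256k1. The following is an added example, not part of the original message or of any project's code: it uses the published secp256k1 domain parameters, derives the two cube roots of unity instead of hard-coding them, and uses textbook affine arithmetic that is not constant time; the helper names are hypothetical.

```python
# secp256k1 domain parameters from SEC 2: y^2 = x^3 + 7 over F_p, group order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P)
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Plain double-and-add (variable time, for checking only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def cube_root_of_unity(q):
    """A nontrivial cube root of 1 modulo the prime q (requires q = 1 mod 3)."""
    g = 2
    while pow(g, (q - 1) // 3, q) == 1:
        g += 1
    return pow(g, (q - 1) // 3, q)

def phi(pt, beta):
    """The endomorphism (x, y) -> (beta * x, y): one field multiplication."""
    return (beta * pt[0] % P, pt[1])

def matching_lambda(beta):
    """The scalar lam with phi(Q) = lam * Q for every Q in the group."""
    lam = cube_root_of_unity(N)
    return next(c for c in (lam, lam * lam % N) if mul(c, G) == phi(G, beta))

BETA = cube_root_of_unity(P)      # cube root of unity in F_p
LAMBDA = matching_lambda(BETA)    # corresponding cube root of unity mod N
```

The GLV method builds on this identity: a scalar k is split as k1 + k2*LAMBDA with k1 and k2 of roughly half the bit length, so k*Q becomes k1*Q + k2*phi(Q), and phi costs only one multiplication in F_p.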