Flying Nobita

❯

❯

❯

secp256k1 and secp256r1

secp256k1 and secp256r1

Apr 16, 20251 min read

secp256k1

used in Bitcoin
- all points on the curve are valid Bitcoin public keys
chosen for Bitcoin over secp256r1 since it’s a Koblitz curve (known to be a few bits weaker than other curves)
- has properties that make it possible to implement the group operation more efficiently
- parameters are chosen as $a = 0, b = 7$ , and not chosen at “random” which can provide a backdoor
the strength of a 256-bit secp256k1 private key has the strength of 128 bits of encryption when the associated public key is exposed
used for ECDSA Signature

secp256r1

a.k.a. NIST P-256
recommended by NIST until 2015, when it said quantum computing could render this curve insecure and recommended P-384 instead
a non-Koblitz curve
“r”: stands for random, as the parameters for the curves are meant to be chosen at random
- but some people believe the “random” parameters chosen actually allow for a backdoor
$a = FFFFFFFF 00000001000000000000000000000000 FFFFFFFFFFFFFFFFFFFFFFFC$ , $b = 5 A C 635 D 8 AA 3 A 93 E 7 B 3 EBB D 55769886 BC 651 D 06 B 0 CC 53 B 0 F 63 BCE 3 C 3 E 27 D 2604 B$
RIP-7212 - Proposal to add secp256r1 precompile contract for signature verification

Recent writing

Boolean Hypercube
Apr 25, 2025
Discrete Logarithm Problem (DLP)
Apr 21, 2025
KZG
Apr 21, 2025
BLS12-381
Apr 17, 2025
BN254
Apr 17, 2025

secp256k1
secp256r1

Backlinks

ECDSA Signature
Elliptic Curves - Overview

X
Farcaster
GitHub
RSS