Elliptic curve is worth billions
A Bitcoin public key is created by applying elliptic-curve cryptography to the private key. One can easily create a public key from the private key, but it is impossible to go in the reverse direction. Unless, of course, Bitcoin’s elliptic curve is compromised.
Many crypto experts have noticed that Bitcoin’s choice of the secp256k1 elliptic curve was unusual for its time, as it was not yet well researched. Cointelegraph asked one of the world’s leading cryptographers, Tatsuaki Okamoto, about this unusual choice. Okamoto currently serves as director of the Cryptography & Information Security Lab at NTT Research.
Efficiency or vulnerability?
According to Okamoto, there are two alternative explanations for this choice: Either Satoshi picked it because it offers greater efficiency or because it may have offered a secret backdoor. Of course, Okamoto underlined that these are just two logical hypotheses, as he has no way of knowing what Satoshi was thinking at the time:
“(1) The Koblitz curve is specially designed for faster scalar multiplications. Hence the (signing, verifying and key generation) operations on Secp256k1 are faster than those on Secp256r1. (2) Although the Secp256r1 curve was announced to be randomly selected, there could still exist some suspicion that some backdoor might be secretly set up in the curve parameters. In contrast, the Koblitz curve parameters are mathematically determined, and there is little possibility for setting such a backdoor.”
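As an added illustration (not part of the article and not Bitcoin's own code), the Python sketch below derives a public key from a private key by scalar multiplication and puts the two curves' parameters side by side: secp256k1 uses a = 0 and b = 7, while secp256r1's b is a 256-bit constant generated from a published seed. The function names are assumptions made for this example, and the arithmetic is not constant-time, so it is for study only.

```python
from collections import namedtuple
# Short-Weierstrass curve y^2 = x^3 + a*x + b over GF(p); base point G has order n.
Curve = namedtuple("Curve", "name p a b G n")
# secp256k1 (Koblitz curve): a = 0 and b = 7 are small, fixed integers.
SECP256K1 = Curve("secp256k1", 2**256 - 2**32 - 977, 0, 7,
    (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)
# secp256r1 (NIST P-256): b is a 256-bit constant generated from a published seed.
SECP256R1 = Curve("secp256r1", 2**256 - 2**224 + 2**192 + 2**96 - 1, -3,
    0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
    0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551)

def on_curve(c, P):
    """True if P (None = point at infinity) satisfies the curve equation."""
    if P is None:
        return True
    x, y = P
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0

def add(c, P, Q):
    """Affine point addition. Not constant-time: for study, never for real keys."""
    if P is None or Q is None:
        return P or Q                                  # infinity is the identity
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                                    # P + (-P) = infinity
    if P == Q:
        m = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p)  # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, c.p)           # chord slope
    x3 = (m * m - x1 - x2) % c.p
    return (x3, (m * (x1 - x3) - y1) % c.p)

def mul(c, k, P):  # double-and-add scalar multiplication k*P
    R = None
    while k:
        if k & 1:
            R = add(c, R, P)
        P, k = add(c, P, P), k >> 1
    return R

def public_key(c, d):
    """Private scalar d -> public point d*G; the reverse is the discrete-log problem."""
    if not 1 <= d < c.n:
        raise ValueError("private key must be in [1, n-1]")
    return mul(c, d, c.G)
```

Computing `public_key(SECP256K1, d)` takes a few hundred point operations, whereas recovering `d` from the resulting point requires solving the elliptic-curve discrete logarithm problem on that curve.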
Okamoto is impressed with the way the Bitcoin creator was able to combine several cryptographic techniques — such as hash chains, Merkle trees and elliptic curves — to create the world's first decentralized currency:
“I think it is a revolutionary invention, the first decentralized currency, and its core technology blockchain, is giving a great impact on our society.”
Bitcoin Core developer agrees
Bitcoin Core developer Wladimir van der Laan told Cointelegraph that he does not know why Satoshi chose this particular curve. He also noted that if someone has discovered a vulnerability, they have not stepped forward to announce it:
“I have no idea why Satoshi chose this particular curve, they have provided no rationale anywhere (it seems, in hindsight, to have been a fairly good choice though).”
Even if Secp256r1 has a vulnerability, no one has stepped forward yet to announce their discovery. On the other hand, keeping this discovery to themselves could yield a multi-billion dollar reward.