Security

Elliptic Curve Support

Evervault currently supports two elliptic curves. The first is the secp256k1 curve (also known as the Bitcoin curve or the Koblitz curve) and the second is the secp256r1 curve (also known as the NIST P-256 curve or the prime256v1 curve).

The main difference is that the secp256k1 curve is a Koblitz curve, while the secp256r1 curve is not. Koblitz curves are known to be a few bits weaker than other curves, but since we are talking about 256-bit curves, neither is expected to be broken in the next "5-10 years" unless there's a breakthrough.

The other difference is how the parameters have been chosen. For the secp256r1 curve, they are supposedly derived from random numbers; however, it is impossible to prove that's really the case. See these slides from Bernstein and Lange for an easily understandable treatment.

The secp256k1 curve, on the other hand, has had its parameters chosen relatively rigidly.

It's also important to note that the secp256k1 curve is a pure SECG curve, while the secp256r1 curve is a so-called NIST curve. NIST curves are more widely used and have received more scrutiny than other SECG curves.

The bottom line is that both curves are secure and have no known weaknesses. We're providing our users with the choice so they can decide what's best for them. Our SDKs default to the secp256k1 curve, but you can view our SDK references to learn how to configure the secp256r1 curve.
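The parameter difference described above can be seen directly in the curve equations, and it also means keys from one curve are not valid on the other. The following is an added example, not Evervault SDK code: the function names are hypothetical, the constants are the published SEC 2 domain parameters, and the sample keys are constructed from each curve's base point.

```python
# Added example, not Evervault SDK code. Helper names are hypothetical.
# Domain parameters are the published SEC 2 values for each curve.
CURVES = {
    "secp256k1": {  # Koblitz form y^2 = x^3 + 7: small, rigid coefficients
        "p": 2**256 - 2**32 - 977, "a": 0, "b": 7,
        "G": (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
              0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    },
    "secp256r1": {  # y^2 = x^3 - 3x + b, where b is a large opaque constant
        "p": 2**256 - 2**224 + 2**192 + 2**96 - 1, "a": -3,
        "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        "G": (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
              0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
    },
}

def on_curve(name, x, y):
    """True if (x, y) satisfies y^2 = x^3 + ax + b (mod p) for the named curve."""
    c = CURVES[name]
    p = c["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False  # coordinates must be reduced field elements
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % p == 0

def sec1_uncompressed(x, y):
    """Encode a point as an uncompressed SEC1 public key: 0x04 || X || Y."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def identify_curve(pubkey):
    """Return the names of the supported curves this public key lies on."""
    if len(pubkey) != 65 or pubkey[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed SEC1 point")
    x = int.from_bytes(pubkey[1:33], "big")
    y = int.from_bytes(pubkey[33:], "big")
    return [name for name in CURVES if on_curve(name, x, y)]

def sample_key(name):
    """Constructed sample: the base point G is the public key for private key 1."""
    return sec1_uncompressed(*CURVES[name]["G"])

if __name__ == "__main__":
    for name in CURVES:
        print(name, "sample key lies on:", identify_curve(sample_key(name)))
    # A key with one altered byte is on neither curve and should be rejected.
    altered = sample_key("secp256r1")[:-1] + b"\x00"
    print("altered key lies on:", identify_curve(altered))
```

A receiver that checks an incoming public key against the curve it was configured for rejects both altered keys and keys generated for the other curve.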

References

  • Houria et al. 2018, A comparison between the secp256r1 and the koblitz secp256k1 bitcoin curves, Indonesian Journal of Electrical Engineering and Computer Science, Vol 13, No 3, pp. 910-918.
  • Dan J. Bernstein and Tanja Lange. Security dangers of the NIST curves. Invited talk, International State of the Art Cryptography Workshop, Athens, Greece, 2013.
  • Dan J. Bernstein and Tanja Lange. Security dangers of the NIST curves. In K. Kurosawa, editor, Advances in Cryptology – Asiacrypt 2007, volume 4833 of Lecture Notes in Computer Science, pages 29–50. Springer, 2007.