Security

# Elliptic Curve Support

Evervault currently supports two elliptic curves. The first is the `secp256k1`

curve (also known as the bitcoin curve or the `koblitz`

curve) and the second is the `secp256r1`

curve (also known as the `NIST P256`

curve or the `prime256v1`

curve).

The main difference is that the `secp256k1`

curve is a Koblitz curve, while the `secp256r1`

curve is not. Koblitz curves are known to be a few bits weaker than other curves, but since we are talking about 256-bit curves, neither is broken in "5-10 years" unless there's a breakthrough.

The other difference is how the parameters have been chosen. For the secp256r1 curve they are supposedly from random numbers, however, it is impossible to prove that's really the case. See these slides from Bernstein and Lange for an easily understandable treatment.

The `secp256k1`

curve, on the other hand, has had its parameters chosen relatively rigidly.

It's also important to note that the `secp256k1`

curve is a pure SECG curve, while the `secp256r1`

curve is a so-called NIST curve. NIST curves are more widely used and have received more scrutiny than other SECG curves.

The bottom line is that both curves are secure and have no known weaknesses. We're providing our users with the choice so they can decide what's best for them. Our SDKs default to the `secp256k1`

curve but you can view our SDK references to learn how to configure the secp256r1 curve.

# References

- Houria et al. 2018, A comparison between the secp256r1 and the koblitz secp256k1 bitcoin curves, Indonesian Journal of Electrical Engineering and Computer Science, Vol 13, No 3, pp. 910-918.
- Dan J. Bernstein and Tanja Lange. Security dangers of the NIST curves. Invitedtalk, International State of the Art Cryptography Workshop, Athens, Greece, 2013.
- Dan J. Bernstein and Tanja Lange. Security dangers of the NIST curves. In K. Kurosawa, editor, Advances in Cryptology – Asiacrypt 2007, volume 4833 of Lecture Notes in Computer Science, pages 29–50. Springer, 2007.