Bitcoin curve is secure. The values [0,7] are extremely well chosen. There is a weakness in some curves that was not known when the parameters were chosen, but I guess bitcoin got lucky (yet again).
While researching how can it be possible that they succeeded in choosing so good parameters, (when they could not have known) I was reading how the parameters for bitcoin curve were selected from this old thread:
https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
And it seems that the curve equation y2=x3+ax+b (a=0 and b=7) was selected, by first selecting an "easy" value for P, which will make some calculations faster.
P=2256-232-29-28-27-26-24-1 or
P=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
And then searching for the smallest value for b, (while keeping a=0), that would make the resulting curve have a prime order.
So the value b=7 was not even consciously chosen, as it was a result of just choosing an "easy" value for P. They could have selected another "easy" value for P and then b could have been something else.
And that is where bitcoin got lucky, because if b would have been 5 or 9 (or one of several possibilities) there would have been a weakness in the curve that would have made it a lot easier to break the encryption. I do not know if it would be possible to actually break it even then, but it would be 1/1000 times easier nevertheless.
This just shows that we always need a bit of luck, whatever we do.
PS: can you guess what is the weakness if b=5 or 9 or one of several other values? My lips are sealed
While researching how can it be possible that they succeeded in choosing so good parameters, (when they could not have known) I was reading how the parameters for bitcoin curve were selected from this old thread:
https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
And it seems that the curve equation y2=x3+ax+b (a=0 and b=7) was selected, by first selecting an "easy" value for P, which will make some calculations faster.
P=2256-232-29-28-27-26-24-1 or
P=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
And then searching for the smallest value for b, (while keeping a=0), that would make the resulting curve have a prime order.
So the value b=7 was not even consciously chosen, as it was a result of just choosing an "easy" value for P. They could have selected another "easy" value for P and then b could have been something else.
And that is where bitcoin got lucky, because if b would have been 5 or 9 (or one of several possibilities) there would have been a weakness in the curve that would have made it a lot easier to break the encryption. I do not know if it would be possible to actually break it even then, but it would be 1/1000 times easier nevertheless.
This just shows that we always need a bit of luck, whatever we do.
PS: can you guess what is the weakness if b=5 or 9 or one of several other values? My lips are sealed