 This is a mathematical mystery. Does this work? Yes, this works So this is something that I have been talking about a little bit with Travis Schull and Dan Schumow, so Street, so as you may notice from my shirt, I've been getting into blockchain recently in my way and As a side effect of a paper that I was working on recently We ended up looking for colliding ECDSA nonces in the Bitcoin blockchain And if you do this you notice that 99% of the repeated ECDSA nonces which gives you the private key are This value which happens to be n minus 1 over 2 where n is the order of the elliptic curve used for Bitcoin So this is an interesting thing what's going on so it turns out that the x-coordinate of This value times the generator of the curve which is the same as the x-coordinate of a half times the this point has 166 bits. It's this value instead of 256 bits So that's interesting This has been known to food sort of the Bitcoin crowd for some time and They're all like dude this magic valley decreases my transaction costs great Every time I give a talk to a room full of mathematicians about this they're like wait what? This this makes no sense like how is this how is this even happening? There's no way that this is this is random, but also this is not documented in like the specification for these curves So okay It turns out that if you look at a half times the generator the x-coordinate for the half times the generator For all of this family of curves the prime-order cobalt curves from sec to They have the same property So I mean okay for 160 bit curve you would expect to have 160 bit x-coordinate But the rest of them are all small and in fact they all share almost all of their bits in common so okay if you look at Sort of the the sec 2 standard that was produced by certicom This is all they say about the generation of these curves the recommended parameters associated with a cobalt curve Were chosen by repeatedly selecting parameters a binning and efficiently computable endomorphism until a prime-order curve was found Repeatedly selecting parameters. They don't specify like how they selected these parameters So you sort of the the natural Generation procedure that you would expect for this kind of curve is that you choose some prime modulus You choose some curve parameters and you check whether they have all the properties that you would want then you count some points And you hope for a prime-order curve and you sort of stop when you get a Prime-order group and then at that point you you search for a generator of this group and then you then then you publish in a standard so Okay, this 160 bit value that you find I mean we can hypothesize that this is a sha 1 hash of something You know if this is generated in 1999 then That's 160 bit hash function. So it seems natural Maybe the most in least for significant for bits have been changed since they're different in all of these points The other curve generators seem to be have been produced by changing the most in least to think for bits and appending some digits to the most new thing that's There's a mystery here, which is that you would expect to only need to try two values to get a valid point on the curve So why so many changes? Why are they appending so many digits? And then another unsolved mystery. Why did they double the point to get a generator? Because you know, you could have just published that like use the original hash hash value if it's a nothing on my sleeve value However, this property doesn't seem to be known to aid in computing of the curve discrete log in any way So there doesn't seem to be any advantage to having this kind of structure or either attackers or defenders so We have no idea if this is some kind of backdoor It doesn't seem to be but this does seem to be some kind of doc like undocumented artifact from the generation procedure That shed some light on how the generators were chosen, which is not documented in the spec So if you would like to contribute to our understanding Of this problem, did you work at sort of common in the 90s? It would be great to chat with you We have talked to Dan Brown and and he did not know that this had this property And Otherwise do you have any GPUs and can you help with Shaw when brute-forcing? So there's 256 possible values if we assume that the most at least significant four bits have possibly been changed I've been running John the Ripper, but I don't have really have GPUs and my cluster is down right now So I don't have that many CPUs either so if you if you have if you would like to run things and then that would be exciting too we might Hypothesize that this has been there's some ASCII seed, but we don't know Thank you