## If G is the same for everyone, why can’t you just reverse the operation (reflect, tangent) until you get to G? The number of times you did the operation is your private key. What am I missing?

If G is the same for everyone, why can’t you just reverse the operation (reflect, tangent) until you get to G? The number of times you did the operation is your private key. What am I missing?

## Comments (41)

pwuille: To compute a public key *P* from private key *d*, you start with *G* (the generator, a well-known, fixed, constant point on the curve), and add it to itself *d* times.

This can be reversed. Starting from *P*, keep subtracting *G* (= adding the x-axis-reflection of *G*) from it until you hit *G* itself. There is nothing wrong with this approach, except how long it takes.

You see, private keys are numbers between *1* and *115792089237316195423570985008687907852837564279074904382605163141518161494336* inclusive. That’s a mind-bogglingly large number. For an average private key, your approach for finding the private key from the public key would on average take half of that number as the number of steps. Even if we could compute a billion such point subtractions per second, for every atom on earth, it’d still take longer than the age of the universe.

Now you may wonder: why doesn’t it take that long to compute it in the forward direction from private key to public key? The crucial difference is that we can take shortcuts because we know how many additions we want to do.

Say you want to compute *37G*. You may think that needs 36 additions (*G+G+G+G+…+G*), but there is a better way:

* *G_2 = G+G*

* *G_4 = G_2 + G_2*

* *G_8 = G_4 + G_4*

* *G_16 = G_8 + G_8*

* *G_32 = G_16 + G_16*

* *G_36 = G_32 + G_4*

* *G_37 = G_36 + G*

Only 7 additions to compute *G_37 = 37G*. A more in-depth explanation can be found on https://en.wikipedia.org/wiki/Exponentiation_by_squaring. It scales extremely well: it can compute *any* public key with at most 510 additions (roughly *2log(n)/log(2)* for an *n* bit private key). More advanced techniques exist that bring that number down to just 46 additions (using a few precomputed tables with multiples of *G*), which a modern CPU can do ~20000 times per second, on a single core.

However, this approach just doesn’t work if you don’t know what number of times to add or subtract, so it doesn’t help attackers.

As a follow-up, see https://www.reddit.com/r/Bitcoin/comments/z1smog/if_g_is_the_same_for_everyone_why_cant_you_just/ixfeum5/ for how these can be used for constructing signatures without revealing the private key.
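The asymmetry described in the comment above, as an added example that is not part of the original thread: double-and-add on secp256k1 reaches *37G* in 7 additions and any key in at most 510, while the subtract-*G* walk needs about *d* steps. The constants are the standard public secp256k1 parameters; the function names are this example's own, and the plain affine arithmetic is for illustration only (it is not constant-time).

```python
# secp256k1 domain parameters (public constants): y^2 = x^3 + 7 over F_p
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def neg(pt):
    """Reflect across the x-axis: (x, y) -> (x, -y mod p)."""
    return INF if pt is INF else (pt[0], -pt[1] % P_FIELD)

def add(p1, p2):
    """Group law; 'tangent' and 'chord' are modular formulas, not geometry."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF                                   # P + (-P)
    if p1 == p2:                                     # tangent slope (a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1 % P_FIELD, -1, P_FIELD) % P_FIELD
    else:                                            # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def scalar_mult(d, pt=G):
    """Double-and-add, left to right. Returns (d*pt, number of point additions)."""
    acc, count = pt, 0
    for bit in bin(d)[3:]:                           # bits after the leading 1
        acc, count = add(acc, acc), count + 1        # doubling
        if bit == "1":
            acc, count = add(acc, pt), count + 1     # conditional add
    return acc, count

def brute_force(pub, max_steps):
    """Subtract G until G is reached. Returns d, or None if max_steps runs out."""
    cur, minus_g = pub, neg(G)
    for steps in range(max_steps + 1):
        if cur == G:
            return steps + 1
        cur = add(cur, minus_g)
    return None

if __name__ == "__main__":
    pub, adds = scalar_mult(37)
    print("37G:", adds, "additions; brute force recovers d =", brute_force(pub, 1000))
    pub, adds = scalar_mult(N - 1)                   # largest valid private key
    print("(N-1)G:", adds, "additions; brute force, 10^4 steps:", brute_force(pub, 10**4))
```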

dont-listentome: The most important part you’re missing is that things look *completely* different if you take an elliptic curve over a finite field.

The geometric interpretation works for a curve y^2 = x^3 +ax +b over R (the reals) where x and y are *real numbers*, but for ECC you have to do this over a finite field Fp where x, y are integer values. The values of x and y that satisfy the equation don’t form a nice continuous curve anymore, they are simply points in the plane. This means, lines aren’t actually lines, they are the set of points that satisfy the line equation: ax + by + c = 0 mod p.

As such, the notion of tangent isn’t the good old tangent that you know from smooth continuous functions.

wideportapotty: what book is this?

iam_aryan007: I missed the g spot again.

Mr_P_Nissaurus: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

> It turns out that if you have two points, an initial point “dotted” with itself n times to arrive at a final point, finding out n when you only know the final point and the first point is hard.

. . .

> You can compute how much energy is needed to break a cryptographic algorithm, and compare that with how much water that energy could boil. This is a kind of cryptographic carbon footprint. By this measure, breaking a 228-bit RSA key requires less energy than it takes to boil a teaspoon of water. Comparatively, breaking a 228-bit elliptic curve key requires enough energy to boil all the water on earth.

datageek9: The example in the diagram only shows how it works for powers of 2, i.e. repeated doubling of G (2G, 4G, 8G, 16G etc). So if your private key k happens to be a power of 2 (and the attacker guessed that it was) then it can be trivially calculated from the public key kG. However for any other number, getting from kG to G is computationally intractable. For example if k is 13, then kG is equal to 8G + 4G + 1G. You can’t just follow the halving approach to get back to G.

99MushrooM99: Somebody just shared something logical here…is the world ending?

Themostepicguru: Finally, a cryptocurrency post that’s actually about…. *cryptography*

TriumphantConch: I don’t know why I tried to read the picture and the top reply because I don’t even understand a single fucking thing about it lmao

Klutzy-Pie-2510: I know some of these words…

rrreiner: You use the tangent of G to get to -2G and then mirror on the X-axis to get to 2G.

How do you get now from 2G back to G?

From 2G to -2G -> mirror the x-axis easy

From -2G to G -> you need the tangent of G to get and go the invert way.

But how do you get the Tangent of G when you just have the point -2G?

You need to try every point on the function, build the tangent and check if it ends in -2G

So it isn’t possible without trial and error

IPretend2Engineer: MIT has a really good talk on this. You need to understand some complex concepts to really understand why it’s not possible.

Thanis_in_Eve: Because by definition an asymmetric algorithm cannot be reversed.

DreiDcut: I appreciate the deeper kind of content. More of this!

Crazy_names: I thought I understood bitcoin. This is absolute gibberish to me.

ItIsThyself: Well, if you can reflect and tangent, you can also multiply and divide. So you can divide the difference between G and your original point by the tangent of G, then multiply by the inverse of the tangent of G, then reflect. Hence, the number of operations is not sufficient to make it unique.

Or in simple terms, the reason that you cannot invert the operations is because if you knew $G$ you could compute $A$ and $A$ is the public key.

To see this, suppose $A = g^x$ and $G = g^y$ where $g$ is a generator. Then $G = A^y = (g^x)^y = g^{xy}$. So if you know $G$ you can compute $A = G^{1/y}$ and then you know the private key.

cubcaptain: Nerds! Love you guys. Thanks for making everyone’s life easier by being so smart and sharing the knowledge in a useful way. What a time to be alive.

itsMeeji: This just hurt my head 😅

rguerraf: You can’t buy any BTC until you get this through your thick skull

kirovreported: you can’t just take it and find the G-spot

TheSagePhoenix: Your ass

soufianka80: Wen moon ?:)

SnooBooks638: What book is this please?

MOSOISKING: What book is this?

DjWhacked: Anyone else that read through but didn’t understand a thing from all the maths, but was interested as fuck and expecting somebody that would say: we’ve cracked Bitcoin?

gstrap07: So you’re saying there’s a chance…

0x72p: What book is this?

liamcollins333x: just know the guy answered the question is rich

Beesters2005: Ok now explain it to me like I’m a first grader.

ultimaIV: Simple answer is because we don’t know how to do point division.

rambumriott: Not to the depths of detail found in this post but I’ve always sort of wondered the same thing. I’m sure Bitcoin is secure mathematically but.. I wouldn’t be surprised to find out that quantum computing or something will rule BTC obsolete.

Sherbear1993: This math is beyond me. I just need to know how secure bitcoin is

_doublejj: It hasn’t been even 15 years for BITCOIN.

And we’re still learning Crypto every day.

LocksmithAware4210: So we taking DYOR seriously now?

Gungable: Extremely interesting topic, thanks everyone!, I think I roughly get the explanations but I’m missing something here, how do you sign a message and use the public key to validate that signature is correct?

lankymanx: Is it okay if I don’t understand this? This is just way over my head…

Cyberchort228: I didn’t understand a damn thing

InfiniteWarthog8953: What is this book?

ToughAd4618: Here I am wondering what the gravitation constant has to do with bitcoin

Life_Airline_6767: Who cares

Wish_33: Could a quantum computer solve the issue of time by reversing G / qubits^2? Quantum theory allows for ₽ ≠ ž. Pair that with [-X^2] – [X^2], which brings us to when in nineteen ninety eight, the undertaker threw mankind off hell in a cell and plummeted sixteen feet through an announcers table.