If G is the same for everyone, why can’t you just reverse the operation (reflect, tangent) until you get to G? The number of times you did the operation is your private key. What am I missing?



Comments (41)

  • pwuille Reply

    To compute a public key *P* from private key *d*, you start with *G* (the generator, a well-known, fixed, constant point on the curve), and add it to itself *d* times.

    This can be reversed. Starting from *P*, keep subtracting *G* (= adding the x-axis-reflection of *G*) from it until you hit *G* itself. There is nothing wrong with this approach, except how long it takes.

    You see, private keys are numbers between *1* and *115792089237316195423570985008687907852837564279074904382605163141518161494336* inclusive. That’s a mind-bogglingly large number. For an average private key, your approach for finding the private key from the public key would on average take half of that number as the number of steps. Even if we could compute a billion such point subtractions per second, for every atom on earth, it’d still take longer than the age of the universe.

    Now you may wonder: why doesn’t it take that long to compute it in the forward direction from private key to public key? The crucial difference is that we can take shortcuts because we know how many additions we want to do.

    Say you want to compute *37G*. You may think that needs 36 additions (*G+G+G+G+…+G*), but there is a better way:

    * *G_2 = G+G*
    * *G_4 = G_2 + G_2*
    * *G_8 = G_4 + G_4*
    * *G_16 = G_8 + G_8*
    * *G_32 = G_16 + G_16*
    * *G_36 = G_32 + G_4*
    * *G_37 = G_36 + G*

    Only 7 additions to compute *G_37 = 37G*. A more in-depth explanation can be found on https://en.wikipedia.org/wiki/Exponentiation_by_squaring. It scales extremely well: it can compute *any* public key with at most 510 additions (roughly *2log(n)/log(2)* for an *n* bit private key). More advanced techniques exist that bring that number down to just 46 additions (using a few precomputed tables with multiples of *G*), which a modern CPU can do ~20000 times per second, on a single core.

    However, this approach just doesn’t work if you don’t know what number of times to add or subtract, so it doesn’t help attackers.

    As a follow-up, see https://www.reddit.com/r/Bitcoin/comments/z1smog/if_g_is_the_same_for_everyone_why_cant_you_just/ixfeum5/ for how these can be used for constructing signatures without revealing the private key.

    November 24, 2022 at 11:18 am
  • dont-listentome Reply

    The most important part you’re missing is that things look *completely* different if you take an elliptic curve over a finite field.

    The geometric interpretation works for a curve y^2 = x^3 +ax +b over R (the reals) where x and y are *real numbers*, but for ECC you have to do this over a finite field Fp where x, y are integer values. The values of x and y that satisfy the equation don’t form a nice continuous curve anymore, they are simply points in the plane. This means, lines aren’t actually lines, they are the set of points that satisfy the line equation: ax + by + c = 0 mod p.

    As such, the notion of tangent isn’t the good old tangent that you know from smooth continuous functions.

    November 24, 2022 at 11:18 am
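The two comments above, as an added example that is not part of the thread or any commenter's code: point addition done purely with integers mod p, the double-and-add shortcut counted for *37G*, and the step-by-step reverse walk counted for the same key. The constants are the standard secp256k1 parameters (only the key range appears in the thread); the function names are illustrative.

```python
# secp256k1 domain parameters (standard public constants, assumed here).
P = 2**256 - 2**32 - 977   # field prime: every coordinate is an integer mod P
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """y^2 = x^3 + 7 holds only modulo P; there is no continuous curve."""
    x, y = pt
    return (y * y - (x * x * x + 7)) % P == 0

def add(a, b):
    """Group law on affine points; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P)     # "tangent" slope, mod P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)    # "chord" slope, mod P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def multiply(d, pt=G):
    """Left-to-right double-and-add. Returns (d*pt, point additions used)."""
    acc, count = pt, 0
    for bit in bin(d)[3:]:                 # skip '0b' and the leading 1 bit
        acc, count = add(acc, acc), count + 1          # doubling
        if bit == "1":
            acc, count = add(acc, pt), count + 1       # conditional add
    return acc, count

def brute_force(target, limit):
    """The reverse walk: G, 2G, 3G, ... until target. Cost is linear in d."""
    acc = G
    for d in range(1, limit + 1):
        if acc == target:
            return d, d - 1                # key found, additions spent
        acc = add(acc, G)
    return None, limit

if __name__ == "__main__":
    pub, fwd = multiply(37)
    d, rev = brute_force(pub, 1000)
    print(f"37G: {fwd} additions forward, {rev} additions to recover d={d}")
    print(f"largest key N-1: {multiply(N - 1)[1]} additions forward")
```

Forward cost grows with the bit length of the key (at most 510 additions here), while the walk grows with the key's value, which is why it only finishes for toy keys like 37.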
  • wideportapotty Reply

    what book is this?

    November 24, 2022 at 11:18 am
  • iam_aryan007 Reply

    I missed the g spot again.

    November 24, 2022 at 11:18 am
  • Mr_P_Nissaurus Reply

    https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

    > It turns out that if you have two points, an initial point “dotted” with itself n times to arrive at a final point, finding out n when you only know the final point and the first point is hard.

    . . .

    > You can compute how much energy is needed to break a cryptographic algorithm, and compare that with how much water that energy could boil. This is a kind of cryptographic carbon footprint. By this measure, breaking a 228-bit RSA key requires less energy than it takes to boil a teaspoon of water. Comparatively, breaking a 228-bit elliptic curve key requires enough energy to boil all the water on earth.

    November 24, 2022 at 11:18 am
  • datageek9 Reply

    The example in the diagram only shows how it works for powers of 2, i.e. repeated doubling of G (2G, 4G, 8G, 16G etc). So if your private key k happens to be a power of 2 (and the attacker guessed that it was) then it can be trivially calculated from the public key kG. However, for any other number, getting from kG to G is computationally intractable. For example, if k is 13, then kG is equal to 8G + 4G + 1G. You can’t just follow the halving approach to get back to G.

    November 24, 2022 at 11:18 am
  • 99MushrooM99 Reply

    Somebody just shared something logical here…is the world ending?

    November 24, 2022 at 11:18 am
  • Themostepicguru Reply

    Finally, a cryptocurrency post that’s actually about…. *cryptography*

    November 24, 2022 at 11:18 am
  • TriumphantConch Reply

    I don’t know why I tried to read the picture and the top reply because I don’t even understand a single fucking thing about it lmao

    November 24, 2022 at 11:18 am
  • Klutzy-Pie-2510 Reply

    I know some of these words…

    November 24, 2022 at 11:18 am
  • rrreiner Reply

    You use the tangent of G to get to -2G and then mirror on the X-axis to get to 2G.

    How do you get now from 2G back to G?

    From 2G to -2G -> mirror the x-axis easy

    From -2G to G -> you need the tangent of G to get and go the invert way.

    But how do you get the Tangent of G when you just have the point -2G?

    You need to try every point on the function, build the tangent and check if it ends in -2G

    So it isn’t possible without trial and error

    November 24, 2022 at 11:18 am
  • IPretend2Engineer Reply

    MIT has a really good talk on this. You need to understand some complex concepts to really understand why it’s not possible.

    November 24, 2022 at 11:18 am
  • Thanis_in_Eve Reply

    Because by definition an asymmetric algorithm cannot be reversed.

    November 24, 2022 at 11:18 am
  • DreiDcut Reply

    I appreciate the deeper kind of content. More of this!

    November 24, 2022 at 11:18 am
  • Crazy_names Reply

    I thought I understood bitcoin. This is absolute gibberish to me.

    November 24, 2022 at 11:18 am
  • ItIsThyself Reply

    Well, if you can reflect and tangent, you can also multiply and divide. So you can divide the difference between G and your original point by the tangent of G, then multiply by the inverse of the tangent of G, then reflect. Hence, the number of operations is not sufficient to make it unique.

    Or in simple terms, the reason that you cannot invert the operations is because if you knew $G$ you could compute $A$ and $A$ is the public key.
    To see this, suppose $A = g^x$ and $G = g^y$ where $g$ is a generator. Then $G = A^y = (g^x)^y = g^{xy}$. So if you know $G$ you can compute $A = G^{1/y}$ and then you know the private key.

    November 24, 2022 at 11:18 am
  • cubcaptain Reply

    Nerds! Love you guys. Thanks for making everyone’s life easier by being so smart and sharing the knowledge in a useful way. What a time to be alive.

    November 24, 2022 at 11:18 am
  • itsMeeji Reply

    This just hurt my head 😅

    November 24, 2022 at 11:18 am
  • rguerraf Reply

    You can’t buy any BTC until you get this through your thick skull

    November 24, 2022 at 11:18 am
  • kirovreported Reply

    you can’t just take it and find the G-spot

    November 24, 2022 at 11:18 am
  • TheSagePhoenix Reply

    Your ass

    November 24, 2022 at 11:18 am
  • soufianka80 Reply

    Wen moon ?:)

    November 24, 2022 at 11:18 am
  • SnooBooks638 Reply

    What book is this please?

    November 24, 2022 at 11:18 am
  • MOSOISKING Reply

    What book is this?

    November 24, 2022 at 11:18 am
  • DjWhacked Reply

    Anyone else that read through but didn’t understand a thing from all the maths, but was interested as fuck and expecting somebody that would say: we’ve cracked Bitcoin ?

    November 24, 2022 at 11:18 am
  • gstrap07 Reply

    So you’re saying there’s a chance…

    November 24, 2022 at 11:18 am
  • 0x72p Reply

    What book is this?

    November 24, 2022 at 11:18 am
  • liamcollins333x Reply

    just know the guy answered the question is rich

    November 24, 2022 at 11:18 am
  • Beesters2005 Reply

    Ok now explain it to me like I’m a first grader.

    November 24, 2022 at 11:18 am
  • ultimaIV Reply

    Simple answer is because we don’t know how to do point division.

    November 24, 2022 at 11:18 am
  • rambumriott Reply

    Not to the depths of detail found in this post but I’ve always sort of wondered the same thing. I’m sure Bitcoin is secure mathematically but.. I wouldn’t be surprised to find out that quantum computing or something will rule BTC obsolete .

    November 24, 2022 at 11:18 am
  • Sherbear1993 Reply

    This math is beyond me. I just need to know how secure bitcoin is

    November 24, 2022 at 11:18 am
  • _doublejj Reply

    It hasn’t been even 15 years for BITCOIN .

    And we’re still learning Crypto every day.

    November 24, 2022 at 11:18 am
  • LocksmithAware4210 Reply

    So we taking DYOR seriously now?

    November 24, 2022 at 11:18 am
  • Gungable Reply

    Extremely interesting topic, thanks everyone!, I think I roughly get the explanations but I’m missing something here, how do you sign a message and use the public key to validate that signature is correct?

    November 24, 2022 at 11:18 am
  • lankymanx Reply

    Is it okay if i dont understand this? this is just way over my head…

    November 24, 2022 at 11:18 am
  • Cyberchort228 Reply

    I didn’t understand a damn thing

    November 24, 2022 at 11:18 am
  • InfiniteWarthog8953 Reply

    What is this book?

    November 24, 2022 at 11:18 am
  • ToughAd4618 Reply

    Here I am wondering what the gravitation constant has to do with bitcoin

    November 24, 2022 at 11:18 am
  • Life_Airline_6767 Reply

    Who cares

    November 24, 2022 at 11:18 am
  • Wish_33 Reply

    Could a quantum computer solve the issue of time by reversing G / qubits^2? Quantum theory allows for ₽ ≠ ž. Pair that with [-X^2] – [X^2], which brings us to when in nineteen ninety eight, the undertaker threw mankind off hell in a cell and plummeted sixteen feet through an announcers table.

    November 24, 2022 at 11:18 am
