Very generally speaking: with ECC using Weierstrasser curves the secret key is a x-bit integer (say x=128 for example) that is usually generated randomly and the public key is a point on the curve that you get by multiplying a "generator point" with that secret key using elliptic curve point multiplication. Actually, it is only the x-coordinate of that point but that doesn't really matter. This all has to satisfy certain mathematical properties. Most importanly given a public key (remember, this is a point on the curve) it should not be possible to undo the multiplication to retrieve the secret key.
If you understand this it becomes obvious why it is strange that people seem to be able to know the private key of the all 0 public key. Getting to that point on the curve would either require undoing the multiplication or brute force, both of which are not feasible assuming that ECC is not broken.
Without going to deep: the explanation of this penomenon is that ed25519 uses a different curve model (not Weierstrasser curves) where this logic does not completely apply due to special cases.
An extra titbit for anybody who is interested in this: The Weierstrasser curve used by Bitcoin (secp256k1) has an interesting public key where the secret key is 1/2. What's so special about this (apart from the fact that the key is a nothing-up-my-sleeve number) is the x-coordinate of that public key has 162 leading 0-bits (out of 256). This can be used for saving Bitcoin transaction fees as they use the DER encoding to compress these leading 0 bits.*
Considering that it is highly unlikely that this is a coincidence it is believed that the designers of the secp256k1 curve chose the generator point based on that value. They looked at that point (1/2, P) and then they defined the generator point G as 2*P.
* NOTE: don't try this at home. If you're not clever about this you will lose all your Bitcoins.
It’s not strange at all. The “all zero public key” is the encoding of the zero element (identity element) of the group. Finding the private key corresponding to a public key A is finding the number a so that A = a*B. When A = 0, this is really easy: a = 0.
It's strange if you come from Weierstrasser curves and think of public keys as points on the curve, which I think is what most people start with. I was obviously oversimplifying heavily.
It's still a point on a curve here. It's just on a twisted Edwards curve (or in the case of Ristretto, on a Jacobi quartic curve), not on a Weierstrass curve, but it's the same idea.
When encoding the public key, you give only one coordinate and possibly also a sign bit, and the other person uses the curve equation to solve for the other coordinate. Just like with a Weierstrass curve y^2 = x^3 + ax + b, you can solve for y using only x, plus one bit to say whether to take the positive or negative square root.
Technically, the zero-string encodes the identity element (0,1) for Ristretto, but not for Ed25519 where it's the point (i,0) where i = sqrt(-1). (Not (1,0) as the StackExchange claims, unless I'm very much mistaken. For Ed448 instead I believe it encodes (-1,0).) However the points (i,0) or (-1,0) are basically a rotation of (0,1). So for some protocols it works out that you can use 0 as the private key and it will work anyway.
Part of the point of Ristretto is to eliminate this sort of "gotcha" where certain public keys are equivalent. The way around it is that you pick a certain one of the equivalent points to encode, in a canonical way, and the other options are not valid encodings. This also means you don't need a sign bit: one of the criteria for choosing which rotation is that the sign bit would be zero.
Thanks for putting in the effort to compose this explanation (assuming U did, and not simply asked GPT). But FYI, I did not find it helpful at all. Even after re-reading it twice.
Thanks for the feedback. It's certainly interesting to see that you did not find it helpful at all. I was oversimplifying so much that I felt uncomfortable about it because I feel like some aspects of my answer are just borderline wrong. I don't think I can make it even simpler. Explaining highly technical issues to people without any background in that field really is a tough skill that I apparently don't possess.
Also: I did not use ChatGPT. Proof: Any native english speaker can tell you that my answers do not come from a native speaker. I don't think ChatGPT can mimic that (yet). English not being your first language can have its virtues.
You can ask questions about crypto to real cryptographers on https://crypto.stackexchange.com. My layperson, 30 second understanding is:
- If you remember RSA, ECC replaces RSA because it has better performance.
- In ECC, public keys are points on a curve. There's two main types of EC curves:
- A Weierstrass curve looks like a pimple (classical ECC) - you'll see this in older crypto systems.
- An Edwards curve looks like a butthole - more popular these days, as it has less 'exceptional cases' on the curve which don't confirm to normal 'add two points together to get a third point' maths.
The question asks why the all 0 public key in SR25519 and ED25519 has a known private key and what users should be aware of when using these curves. The answer explains that this is due to the mathematical properties of the Edwards curve models used in these curves and suggests using hash-to-curve to generate unspendable funds instead of the all zero public key.
I think the ELI5 version is - if you are doing complex things with math, 0 and 1 probably have weird properties so you should avoid those numbers. If you're picking a key you should generally do it randomly as certain numbers may have special properties that are exploitable, but the chance of getting such a number by chance is basically zero.
It uses math and it uses 0. When you use 0 in math everything becomes 0 after you multiply it. The more you multiply the more 0 it becomes. I bet you have to multiply a lot in cryptography.
Math is about precision, so it's generally not a good idea to have something become "more 0" than actually needed. Especially in cryptography.
So here's my advice. If you multiplied too much by zero, you can make it less 0 by dividing a few times by zero. Then maths would be closer to the precise 0 that you were looking for in the first place.
If you understand this it becomes obvious why it is strange that people seem to be able to know the private key of the all 0 public key. Getting to that point on the curve would either require undoing the multiplication or brute force, both of which are not feasible assuming that ECC is not broken.
Without going to deep: the explanation of this penomenon is that ed25519 uses a different curve model (not Weierstrasser curves) where this logic does not completely apply due to special cases.