[xurukefi]

Very generally speaking: with ECC using Weierstrasser curves the secret key is a x-bit integer (say x=128 for example) that is usually generated randomly and the public key is a point on the curve that you get by multiplying a "generator point" with that secret key using elliptic curve point multiplication. Actually, it is only the x-coordinate of that point but that doesn't really matter. This all has to satisfy certain mathematical properties. Most importanly given a public key (remember, this is a point on the curve) it should not be possible to undo the multiplication to retrieve the secret key.

If you understand this it becomes obvious why it is strange that people seem to be able to know the private key of the all 0 public key. Getting to that point on the curve would either require undoing the multiplication or brute force, both of which are not feasible assuming that ECC is not broken.

Without going to deep: the explanation of this penomenon is that ed25519 uses a different curve model (not Weierstrasser curves) where this logic does not completely apply due to special cases.

[xurukefi]

An extra titbit for anybody who is interested in this: The Weierstrasser curve used by Bitcoin (secp256k1) has an interesting public key where the secret key is 1/2. What's so special about this (apart from the fact that the key is a nothing-up-my-sleeve number) is the x-coordinate of that public key has 162 leading 0-bits (out of 256). This can be used for saving Bitcoin transaction fees as they use the DER encoding to compress these leading 0 bits.*

Considering that it is highly unlikely that this is a coincidence it is believed that the designers of the secp256k1 curve chose the generator point based on that value. They looked at that point (1/2, P) and then they defined the generator point G as 2*P.

* NOTE: don't try this at home. If you're not clever about this you will lose all your Bitcoins.

[kebman]

Would that be a way to leverage fees in trades?

[hdevalence]

It’s not strange at all. The “all zero public key” is the encoding of the zero element (identity element) of the group. Finding the private key corresponding to a public key A is finding the number a so that A = a*B. When A = 0, this is really easy: a = 0.

[xurukefi]

It's strange if you come from Weierstrasser curves and think of public keys as points on the curve, which I think is what most people start with. I was obviously oversimplifying heavily.

[less_less]

It's still a point on a curve here. It's just on a twisted Edwards curve (or in the case of Ristretto, on a Jacobi quartic curve), not on a Weierstrass curve, but it's the same idea.

When encoding the public key, you give only one coordinate and possibly also a sign bit, and the other person uses the curve equation to solve for the other coordinate. Just like with a Weierstrass curve y^2 = x^3 + ax + b, you can solve for y using only x, plus one bit to say whether to take the positive or negative square root.

Technically, the zero-string encodes the identity element (0,1) for Ristretto, but not for Ed25519 where it's the point (i,0) where i = sqrt(-1). (Not (1,0) as the StackExchange claims, unless I'm very much mistaken. For Ed448 instead I believe it encodes (-1,0).) However the points (i,0) or (-1,0) are basically a rotation of (0,1). So for some protocols it works out that you can use 0 as the private key and it will work anyway.

Part of the point of Ristretto is to eliminate this sort of "gotcha" where certain public keys are equivalent. The way around it is that you pick a certain one of the equivalent points to encode, in a canonical way, and the other options are not valid encodings. This also means you don't need a sign bit: one of the criteria for choosing which rotation is that the sign bit would be zero.

[tptacek]

It's "Weierstrass". I don't believe they're describing a different model of public keys. The private key in all of these schemes is a scalar.

[cvs268]

Thanks for putting in the effort to compose this explanation (assuming U did, and not simply asked GPT). But FYI, I did not find it helpful at all. Even after re-reading it twice.

Bawolff's concise ELI5 comment helped though.

[xurukefi]

Thanks for the feedback. It's certainly interesting to see that you did not find it helpful at all. I was oversimplifying so much that I felt uncomfortable about it because I feel like some aspects of my answer are just borderline wrong. I don't think I can make it even simpler. Explaining highly technical issues to people without any background in that field really is a tough skill that I apparently don't possess.

Also: I did not use ChatGPT. Proof: Any native english speaker can tell you that my answers do not come from a native speaker. I don't think ChatGPT can mimic that (yet). English not being your first language can have its virtues.

[cvs268]

> I was oversimplifying so much that I felt uncomfortable about it because I feel like some aspects of my answer are just borderline wrong

Hmmm... true true. Simplifications are likely to miss the nuances involved.