Discovery of Elliptic Curve Cryptographic Private Key in O(n)
An algorithm is presented that, in the context of public-key use of Elliptic Curve Cryptography, allows discovery of the private key in worst case O(n).
💡 Research Summary
The paper under review claims to present an algorithm that can recover the private key d in an elliptic‑curve cryptography (ECC) system in worst‑case linear time O(n) given only the public parameters (the curve definition, the base point G, and the public key Q). At first glance the title sounds provocative, but a close reading reveals that the manuscript offers no concrete algorithm, no rigorous complexity analysis, and no proof that the proposed method works for any realistic ECC instance.
The authors begin with a historical preamble about secret‑keeping and then describe the standard ECC tuple (p, a, b, G, n, h) together with the private scalar d and the public point Q = d·G. They correctly state that the security of ECC rests on the difficulty of determining d from Q, i.e., the elliptic‑curve discrete logarithm problem (ECDLP). However, the paper immediately departs from established theory by asserting that the ECDLP can be “reduced to a difference equation” analogous to the recurrence that generates Fibonacci numbers. The authors then claim that, just as one can compute a Fibonacci number by brute force, one can compute d by iterating an unspecified operator x until the iteration reaches k = Q. No definition of x is provided, nor is any description of how the iteration proceeds, how many steps are required, or how the algorithm avoids the obvious O(d) brute‑force search that simply adds G repeatedly until the result equals Q.
Even if we interpret the vague description as the naïve “add G repeatedly and compare to Q”, the resulting algorithm runs in time proportional to the size of d (i.e., O(d) or O(2^ℓ) for an ℓ‑bit key). This is dramatically slower than the best known generic attacks on the ECDLP, such as Pollard’s rho or the baby‑step‑giant‑step method, which run in O(√n) time and space. The paper’s claim that the attack runs in O(n) is therefore not only inaccurate but also misleading: O(n) is a linear bound, whereas the true difficulty of the discrete logarithm problem is sub‑exponential for specially structured curves and exponential for generic curves.
The manuscript further argues that “half of the key pair is observable” and that ECC “could serve well as a symmetric‑key scheme but its value as a public‑key scheme is questionable”. This reflects a fundamental misunderstanding of public‑key cryptography. In ECC, the public key Q is deliberately made public; it does not reveal any “half” of the secret scalar beyond the fact that it is a point on the curve. The security claim that “discovering the private key is no more difficult than computing the public key” is simply false: computing Q from d requires a single scalar multiplication, while recovering d from Q is the ECDLP, which is believed to be hard for appropriately chosen curves.
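To make the cost asymmetry in the two paragraphs above concrete, here is an added example (not code from the reviewed paper or from this summary) that runs the naïve "add G until Q" search and baby-step giant-step side by side and counts group additions. The toy curve, its parameters and all function names are assumptions chosen for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of prime order
# n = 19. Constructed textbook-sized parameters, not taken from the reviewed paper.
from math import isqrt

P, A, G, N = 17, 2, (5, 1), 19
O = None  # point at infinity (group identity)

def add(p1, p2):
    """Elliptic-curve group law (chord and tangent); None is the identity."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add: computing Q = d*G costs O(log d) group operations."""
    acc = O
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def brute_force(q):
    """Add G until the running point equals Q. Returns (d, additions used)."""
    pt, d = G, 1
    while pt != q:
        pt, d = add(pt, G), d + 1
    return d, d - 1

def bsgs(q):
    """Baby-step giant-step. Returns (d, additions used), at most 2*ceil(sqrt(n))."""
    m = isqrt(N - 1) + 1
    table, pt = {}, O
    for j in range(m):                 # baby steps: store j*G
        table[pt] = j
        pt = add(pt, G)
    step, ops = mul(N - m, G), m       # step = -m*G because N*G = O
    for i in range(m):                 # giant steps: test Q - i*m*G
        if q in table:
            return (i * m + table[q]) % N, ops
        q, ops = add(q, step), ops + 1
    raise ValueError("Q is not a multiple of G")
```

On this 19-element group the gap is only a few additions; the counts grow as d and √n respectively, which is why curve sizes are chosen so that even the square-root methods are out of reach.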
The references cited are largely unrelated to ECC security. The authors quote textbooks on difference equations (Elaydi, Goldberg) and Wikipedia pages, but they never cite the seminal ECC papers (Miller 1985, Koblitz 1987) or the extensive body of cryptanalytic work on the ECDLP. Consequently, the paper lacks any connection to the current state of research, and its “novel” observation that ECC can be broken in linear time is unsupported.
In summary, the paper suffers from several critical deficiencies:
- Absence of a concrete algorithm – No pseudocode, no definition of the operator x, and no termination condition are given.
- Mathematical mis‑characterisation – The reduction of scalar multiplication to a simple difference equation is unfounded; the analogy with Fibonacci numbers does not hold in the group law of elliptic curves.
- Incorrect complexity claim – Stating O(n) as the worst‑case runtime contradicts known results; the naïve linear search would be O(d), which is astronomically larger than any feasible attack.
- Misunderstanding of public‑key semantics – The notion that “half the key pair is exposed” misrepresents the role of the public key in ECC.
- Lack of relevant literature – No engagement with the extensive cryptographic research on ECDLP, side‑channel attacks, or curve selection criteria.
Given these issues, the manuscript does not advance the field, nor does it present a credible threat to ECC. The claim that ECC private keys can be recovered in linear time is unsupported, and the paper should be regarded as a non‑contributory, possibly misleading, piece of work.