Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2020-08-10 16:38:58 +0200

dan_fulea gravatar image

This could not be a comment, so it is an posted as answer.

In such a case it is best to also explain mathematically what is expected and why. So let us digest together.

The code defines a curve $E$ with equation $y^2=x^3+ax+b$ defined over the field with $p$ elements $F$, where

  • $p$ is the prime 2**224 * (2**32 - 1) + 2**192 + 2**96 - 1

  • $a$ is 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC and

  • $b$ is 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B.

The code also gives the order $N$ of $E(F)$.

It is $N=$0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 .

The curve also comes with a generator, that i will denote by $G$. The $N=$ord below is maybe a prime, at any rate ord * G is E(0). So i would expect that $(E(F),+)$ is isomorphic with the simpler group $(\Bbb Z/N,+)$, a map in one direction being simple, $k\to k*G$.

The following code initializes the data in the above notations in a manner that i understand.

p = 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
a = ZZ(0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC)
b = ZZ(0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B)

F = GF(p)
E = EllipticCurve(F, [a, b])

ord = ZZ(0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551)

G = E.point( ( ZZ( 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296 ),
               ZZ( 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5 ) )
R = Zmod(ord)

Now the framework of the OP becomes even harder to understand (and thus also understanding where is the question), since there are some undefined points like Point1 and Point and some expressions that do not make sense like Point1-1 and Point-3. (Furthermore it is a bad idea to try to reproduce an error using sample code involving a randomizer.)

Note: If we have a point like G on the curve E, then in order to take some multiple of it, say k=2020 times, is is enough to compute k*G. It is no need for taking E( k*G ) to make the code even less readable.

The OP introduces now several (random) integers $k$, and the corresponding points $kG$. Unfortunately these integers have complicated variable names, i will use mine. (Just place yourself in an other place to see how complicated it is to use unexplained variable notations to figure out a simple point...)

# we use now a fixed private key, k0, instead of the privkey. 
k0 = 2020
Q0 = k0 * G

# i have no idea what is a malicious generator, so i will use some special k, k1, instead of kprime...
k1 = R(1234567890)
k2 = 1/k1
Q02 = ZZ(k2) * Q    # so it is k2 * Q = k2 * k0 * G

Now where is the problem?

Please define all variables and try to explain in both mathematical and programatical worlds the issue. (Since the error can be in both of them.)

A final note: Asking a question is both work and effective communication. It is work, since the question should come maximally digested. (For instance, just try to reproduce the situation with small values for $p,a,b,N$. If the problem remains, then post it for these values. Then one can also mention the real framework where the problems shows, but not just copy+paste code from a file written for other purposes.) Always consider that the answer will be longer, and try to already cover with the question a fair share of the effort. The question is always a plus for the community, so write it so that it really lasts longer. This applies also in the case of the other post:

https://math.stackexchange.com/questions/3784440/how-to-modify-sage-code-for-findcalculate-exact-generator-of-curve

This could not be a comment, so it is an posted as an answer.

In such a case it is best to also explain mathematically what is expected and why. So let us digest together.

The code defines a curve $E$ with equation $y^2=x^3+ax+b$ defined over the field with $p$ elements $F$, where

  • $p$ is the prime 2**224 * (2**32 - 1) + 2**192 + 2**96 - 1

  • $a$ is 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC and

  • $b$ is 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B.

The code also gives the order $N$ of $E(F)$.

It is $N=$0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 .

The curve also comes with a generator, that i will denote by $G$. The $N=$ord below is maybe a prime, at any rate ord * G is E(0). So i would expect that $(E(F),+)$ is isomorphic with the simpler group $(\Bbb Z/N,+)$, a map in one direction being simple, $k\to k*G$.

The following code initializes the data in the above notations in a manner that i understand.

p = 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
a = ZZ(0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC)
b = ZZ(0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B)

F = GF(p)
E = EllipticCurve(F, [a, b])

ord = ZZ(0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551)

G = E.point( ( ZZ( 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296 ),
               ZZ( 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5 ) )
R = Zmod(ord)

Now the framework of the OP becomes even harder to understand (and thus also understanding where is the question), since there are some undefined points like Point1 and Point and some expressions that do not make sense like Point1-1 and Point-3. (Furthermore it is a bad idea to try to reproduce an error using sample code involving a randomizer.)

Note: If we have a point like G on the curve E, then in order to take some multiple of it, say k=2020 times, is is enough to compute k*G. It is no need for taking E( k*G ) to make the code even less readable.

The OP introduces now several (random) integers $k$, and the corresponding points $kG$. Unfortunately these integers have complicated variable names, i will use mine. (Just place yourself in an other place to see how complicated it is to use unexplained variable notations to figure out a simple point...)

# we use now a fixed private key, k0, instead of the privkey. 
k0 = 2020
Q0 = k0 * G

# i have no idea what is a malicious generator, so i will use some special k, k1, instead of kprime...
k1 = R(1234567890)
k2 = 1/k1
Q02 = ZZ(k2) * Q    # so it is k2 * Q = k2 * k0 * G

Now where is the problem?

Please define all variables and try to explain in both mathematical and programatical worlds the issue. (Since the error can be in both of them.)

A final note: Asking a question is both work and effective communication. It is work, since the question should come maximally digested. (For instance, just try to reproduce the situation with small values for $p,a,b,N$. If the problem remains, then post it for these values. Then one can also mention the real framework where the problems shows, but not just copy+paste code from a file written for other purposes.) Always consider that the answer will be longer, and try to already cover with the question a fair share of the effort. The question is always a plus for the community, so write it so that it really lasts longer. This applies also in the case of the other post:

https://math.stackexchange.com/questions/3784440/how-to-modify-sage-code-for-findcalculate-exact-generator-of-curve

https://math.stackexchange.com/questions/3784440/how-to-modify-sage-code-for-findcalculate-exact-generator-of-curve
Copyright Sage, 2010. Some rights reserved under creative commons license. Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.7.59