|
Title: Same private key for 02 and 03 key with same X coord? Post by: luv2drnkbr on October 12, 2018, 01:12:12 PM In this reddit thread (https://www.reddit.com/r/crypto/comments/9mgb77/ed25519_public_key_sign/e7mokek/), somebody is claiming that a private key can be used to derive two different public keys which share the same X coordinate. i.e. the same private key can derive both an 02 key and an 03 key with the same X coord.
I was under the belief that was not true and that an 02 key is an entirely different key from an 03 key with the same X coordinate, and that a given private key will only ever correspond to either an 02 or an 03 public key. Is my understanding mistaken? Can a private key be associated with both a 02 and 03 key (that have the same X value)? Edit: Nevermind, it looks like he pointed me (https://www.reddit.com/r/crypto/comments/9mgb77/ed25519_public_key_sign/e7mtf86/) to where this was specified. Thank goodness, I'm not going crazy. Title: Re: Same private key for 02 and 03 key with same X coord? Post by: Coding Enthusiast on October 12, 2018, 03:04:21 PM There is only one public key for any private key (a 1-1 correspondence). This part:
"There are two possible y coordinates for any x of a given P The either of the two possibilities for y is encoded in some way in the compressed representation" from ietf.org link is explaining the process when you are calculating y from x and in that equation you are left with 2 results which you have to decide which one is the correct one. Not when you calculate public key (x and y coordinates) from a private key. In simple terms (simple math that is not modular) imagine you have the following formula: y2=x And I tell you x=4. You use your basic math to calculate y and come up with two values: +2 and -2 but you don't know which one is correct. But if I told you x=p4 and we agreed on a standard that when a number starts with 'p' that means the y value must be positive (n for negative) so you calculate y again and discard the negative number and say the point was (4,+2). Now in modular arithmetic things are the same. There still is only one valid point that corresponds with your private key. But because of the way Elliptic Curve looks, a vertical line crosses the curve on two points hence 2 y values. The standard for ECC based on SEC1 is that if y is even (yp mod 2 = 0) you start the octet string with 0216 and if y is odd (yp mod 2 = 1) then you start the octet string with 0316. (SEC1 page 10 part 2.3.3). The reddit comment is saying positive/negative instead of odd/even which was a mistake. The 02 and 03 are like the standard I explained above with (p and n). And 0416 means we are reporting x and y both. Reporting x and y is called uncompressed public key. Reporting x alone is called compressed public key. Example with private key = 1 private key hex: 0000000000000000000000000000000000000000000000000000000000000001 public key hex uncompressed (04|x coordinate|y coordinate): 0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 public key hex compressed (02/03|x coordinate): 0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 If you have only x (the compressed public key) and calculate y you will end up with 2 values: y = {32670510020758816978083085130507043184471273380659243275938904335757337482424} or y = {83121579216557378445487899878180864668798711284981320763518679672151497189239} but since the compressed public key had a "helper" in it (the first byte which was 2) it tells us that we should choose the even value of y which is the first one which was an even y. And 32670.... in hex is exactly 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8 |