|
Title: Duplicate y-coordinate scalars on secp256k1? Post by: rdenkye on September 11, 2025, 09:53:55 PM Are there two different known scalars on secp256k1 that give points with the same y-coordinate?
Title: Re: Duplicate y-coordinate scalars on secp256k1? Post by: stwenhao on September 12, 2025, 03:52:41 AM Of course.
Code: d=0x1 Code: d=satoshi Title: Re: Duplicate y-coordinate scalars on secp256k1? Post by: kTimesG on September 12, 2025, 11:03:00 PM Since all valid points on the curve are defined as
y**2 = x**3 + b (b = 7) this solves as three x roots for every possible y**2. Since y**2 has two solutions, we have 3*2 = six points sharing the same y**2. Simplifying and getting rid of the squaring, this means all curve points can be split in sets of 6, every set having the same min(y, -y). Now, let's assume you have some (x, y) of a point, without even knowing its scalar. You can directly compute all other 5 points, and their scalar multiples, without any expensive operations! In the scalar domain, solve for lambda**3 = 1 as the post above uses. This allows playing around with the scalars and verifying that the below math checks out OK! In the curve field (x, y) first solve for beta**3 = 1 like this: Because of Fermat we have a**(p-1) = 1 mod p for eny integer a and prime p. So beta**3 == 1 == a**(p-1) hence beta = a**((p-1)/3) (there are only ever two solutions for this no matter what value for a you pick). Due to another theorem, because we have beta**3 = 1 we then have beta**0 + beta**1 + beta**2 = 0 which gives all roots for beta, which are: beta**0 = 1 beta**1 = a**((p-1)/3) beta**2 = -beta**0 - beta**1 = -1 - beta So, fastest way to get all other 5 points from (x, y): (x, -y) (x * beta, y) (x * beta, -y) (x * beta**2, y) = (- (x + x*beta), y) (x * beta**2, -y) = (- (x + x*beta), -y) So, just one multiplication and a field additions / negations at most. Note that my point is that the multiplication with a precomputed beta**2 can be simplified with a simple addition and negation. Title: Re: Duplicate y-coordinate scalars on secp256k1? Post by: rdenkye on October 29, 2025, 02:58:41 AM If one of the 3 public keys with the same Y value is solved, can the other 2 also be solved?
Title: Re: Duplicate y-coordinate scalars on secp256k1? Post by: stwenhao on October 29, 2025, 05:36:06 AM Quote If one of the 3 public keys with the same Y value is solved, can the other 2 also be solved? If you have a single private key, then you will get all six.Code: key1=something |