 |
September 12, 2025, 11:03:00 PM
Last edit: September 13, 2025, 08:20:08 AM by kTimesG Merited by Halab (2), hugeblack (1), stwenhao (1) |
|
Since all valid points on the curve are defined as
y**2 = x**3 + b (b = 7)
this solves as three x roots for every possible y**2.
Since y**2 has two solutions, we have 3*2 = six points sharing the same y**2.
Simplifying and getting rid of the squaring, this means all curve points can be split in sets of 6, every set having the same min(y, -y).
Now, let's assume you have some (x, y) of a point, without even knowing its scalar. You can directly compute all other 5 points, and their scalar multiples, without any expensive operations!
In the scalar domain, solve for lambda**3 = 1 as the post above uses. This allows playing around with the scalars and verifying that the below math checks out OK!
In the curve field (x, y) first solve for beta**3 = 1 like this:
Because of Fermat we have a**(p-1) = 1 mod p for eny integer a and prime p.
So beta**3 == 1 == a**(p-1) hence beta = a**((p-1)/3) (there are only ever two solutions for this no matter what value for a you pick).
Due to another theorem, because we have beta**3 = 1 we then have beta**0 + beta**1 + beta**2 = 0 which gives all roots for beta, which are:
beta**0 = 1
beta**1 = a**((p-1)/3)
beta**2 = -beta**0 - beta**1 = -1 - beta
So, fastest way to get all other 5 points from (x, y):
(x, -y)
(x * beta, y)
(x * beta, -y)
(x * beta**2, y) = (- (x + x*beta), y)
(x * beta**2, -y) = (- (x + x*beta), -y)
So, just one multiplication and a field additions / negations at most.
Note that my point is that the multiplication with a precomputed beta**2 can be simplified with a simple addition and negation.
|
