|
garlonicon (OP)
|
 |
July 23, 2023, 10:44:45 AM |
|
Many people wonder, why we cannot multiply point by point in ECDSA. We can add points, subtract them, multiply point by some number, or divide it (by using inversion). The main reason for that, is this operation requires a hidden argument, that is often missed: the base point. Many times, people think about things like "halving a point" in a similar way, as how we can do that on integers in many programming languages: if we have 9/10, it gives us zero as the result. In ECDSA world, this is not the case. To better explore, how point by point multiplication could be defined, we can take an elliptic curve you can see in my avatar: "p=79,n=67,base=(1,18),bits=7". It is quite simple, every coordinate takes only one byte, and it can be fully explored, without applying any optimizations, and just by brute forcing everything. So, we start with our p=79. We can easily check if it is prime, and then find the nearest point, meeting famous equation: y^2=x^3+7. All numbers are small enough, so we can even easily create some 79x79 black bitmap, and set pixel color to white, if for a given (x,y) pair, our left and right side is equal modulo 79. We can even try this for some bigger values, then we could get a nice picture for our desktop background, similar to the stars on the sky at night. In this way, we can easily grab the nearest point, being (1,18) in this case. Also, we can count all dots, and note that we have 66 points, and the 67th value is just (0,0), point at infinity, which we can reach later, after trying to add the first, and the last point. So, let's start from the base point, and create the full list of points: d= 1, x= 1, y=18
d= 2, x=60, y=10
d= 3, x=15, y= 8
d= 4, x=49, y= 5
d= 5, x=42, y=54
d= 6, x=59, y=12
d= 7, x=61, y=10
d= 8, x=43, y=35
d= 9, x=37, y=69
d=10, x=26, y=19
d=11, x=18, y=54
d=12, x=12, y=47
d=13, x=39, y=47
d=14, x= 9, y= 5
d=15, x=63, y=63
d=16, x=19, y=25
d=17, x=75, y=41
d=18, x=21, y=74
d=19, x=68, y=63
d=20, x=29, y= 8
d=21, x= 6, y=12
d=22, x=45, y=19
d=23, x=35, y=71
d=24, x=66, y=41
d=25, x=28, y=32
d=26, x=17, y=41
d=27, x=14, y=67
d=28, x=74, y=35
d=29, x=23, y=18
d=30, x=55, y=61
d=31, x=41, y=35
d=32, x= 8, y=60
d=33, x=27, y=63
d=34, x=27, y=16
d=35, x= 8, y=19
d=36, x=41, y=44
d=37, x=55, y=18
d=38, x=23, y=61
d=39, x=74, y=44
d=40, x=14, y=12
d=41, x=17, y=38
d=42, x=28, y=47
d=43, x=66, y=38
d=44, x=35, y= 8
d=45, x=45, y=60
d=46, x= 6, y=67
d=47, x=29, y=71
d=48, x=68, y=16
d=49, x=21, y= 5
d=50, x=75, y=38
d=51, x=19, y=54
d=52, x=63, y=16
d=53, x= 9, y=74
d=54, x=39, y=32
d=55, x=12, y=32
d=56, x=18, y=25
d=57, x=26, y=60
d=58, x=37, y=10
d=59, x=43, y=44
d=60, x=61, y=69
d=61, x=59, y=67
d=62, x=42, y=25
d=63, x=49, y=74
d=64, x=15, y=71
d=65, x=60, y=69
d=66, x= 1, y=61
d=67, x= 0, y= 0
d=68, x= 1, y=18 After handling corner cases, we can convert any private key "d" to "(x,y)" pair, representing our public key, and make it rolling ad infinitum: (1,18)+(1,61)=(0,0)
(1,18)+(0,0)=(1,18) As we can see, we started from p=79, and y^2=x^3+7, nothing else. We reached n=67, and now we can be 100% sure that it is not just some result we picked. It is the only valid result, that makes things tick, and meets our criteria, being as close to secp256k1 as possible, and using smaller numbers to demonstrate things. By going into bigger numbers, we can get even more convinced, that "n" was not arbitrarily chosen: it was just calculated, by using very well optimized code. Now, we have everything we need to see, why we cannot multiply point by point. Let's write some multiplications with private keys, and then convert them to corresponding public keys: 2* 3= 6
5* 7=35
11*13=35 (mod 67)
(60,10)*(15, 8)=(59,12)
(42,54)*(61,10)=( 8,19)
(18,54)*(39,47)=( 8,19) And now, let's assume we want to use a different base point, for example (75,41), instead of (1,18). Let's generate the full list of points again, and see, how everything was suddenly changed: d= 1, x=75, y=41
d= 2, x=27, y=16
d= 3, x=19, y=54
d= 4, x= 1, y=18
d= 5, x=21, y=74
d= 6, x= 8, y=19
d= 7, x=63, y=16
d= 8, x=60, y=10
d= 9, x=68, y=63
d=10, x=41, y=44
d=11, x= 9, y=74
d=12, x=15, y= 8
d=13, x=29, y= 8
d=14, x=55, y=18
d=15, x=39, y=32
d=16, x=49, y= 5
d=17, x= 6, y=12
d=18, x=23, y=61
d=19, x=12, y=32
d=20, x=42, y=54
d=21, x=45, y=19
d=22, x=74, y=44
d=23, x=18, y=25
d=24, x=59, y=12
d=25, x=35, y=71
d=26, x=14, y=12
d=27, x=26, y=60
d=28, x=61, y=10
d=29, x=66, y=41
d=30, x=17, y=38
d=31, x=37, y=10
d=32, x=43, y=35
d=33, x=28, y=32
d=34, x=28, y=47
d=35, x=43, y=44
d=36, x=37, y=69
d=37, x=17, y=41
d=38, x=66, y=38
d=39, x=61, y=69
d=40, x=26, y=19
d=41, x=14, y=67
d=42, x=35, y= 8
d=43, x=59, y=67
d=44, x=18, y=54
d=45, x=74, y=35
d=46, x=45, y=60
d=47, x=42, y=25
d=48, x=12, y=47
d=49, x=23, y=18
d=50, x= 6, y=67
d=51, x=49, y=74
d=52, x=39, y=47
d=53, x=55, y=61
d=54, x=29, y=71
d=55, x=15, y=71
d=56, x= 9, y= 5
d=57, x=41, y=35
d=58, x=68, y=16
d=59, x=60, y=69
d=60, x=63, y=63
d=61, x= 8, y=60
d=62, x=21, y= 5
d=63, x= 1, y=61
d=64, x=19, y=25
d=65, x=27, y=63
d=66, x=75, y=38
d=67, x= 0, y= 0
d=68, x=75, y=41 Then, let's write the same multiplications again: 2* 3= 6
5* 7=35
11*13=35 (mod 67)
(27,16)*(19,54)=( 8,19)
(21,74)*(63,16)=(43,44)
( 9,74)*(29, 8)=(43,44) See? Everything is completely different. Everything was changed. We can even take our old points, and see, what private keys are hidden behind them, when we calculate it under our new base point: (60,10)*(15, 8)=(59,12)
(42,54)*(61,10)=( 8,19)
(18,54)*(39,47)=( 8,19)
8*12=24
20*28=6
44*52=6 See? Point by point multiplication leads to completely wrong results, if it is done directly, based on two points, without calculating things relatively to the base point. I hope this topic will help to better understand, why some operations cannot be done in ECDSA, and how implicit things like base point can change everything, if we forget to consider them in our calculations. |
