0

I aim to find the answer to what is $X$ on an EC over a finite field where $A + X = B$ and $A$ and $B$ are known. I’m currently learning with secp256k1 so the simplified equation for the curve is $y^2 = x^3 + 7$. I am trying to figure this out so I can write the formula in python.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
user92305
  • 9
  • 1
  • 1
    Welcome to crypto-SE! I edited the question to use consistent notation. You are working on the Elliptic Curve secp256k1, that is the set of $(x,y)\in{\mathbb F_p}^2$ (where $\mathbb F_p$ is a prime field) with $y^2=x^3+7$. Multiplication and addition here are in this field. $A$, $X$ and $B$ are in the curve (not the field), and the $+$ operation there is a group law (more complex than the law in the field). Since it's a group, there is a single solution $X$ to the equation $A+X=B$, and it can be computed. – fgrieu Jun 28 '21 at 06:01
  • Yeah I realized now I used some pretty stupid variables given the context of the question. I want to know if I have PublicKey1 + PublicKey2 = PublicKey3 and I know 1 and 3 can I calculate 2. If so what formula would I use. – user92305 Jun 28 '21 at 07:06

1 Answers1

1

Since an Elliptic Curve is a group, $A+X=B$ in this group can¹ be solved per $X=(-A)+B$, where $+$ is the group law and $-A$ is the opposite of $A$ in the group.

To compute $-A$, change $A=(x,y)$ to $-A=(x,p-y)$. The addition formulas are in Sec1 §2.2.1. If you get $A$ or $B$ in bytestring form (perhaps, compressed), use the conversion in Sec1 §2.3.4. The value of $p$ for secp256k1 is in Sec2 §2.4.

¹ Proof: $A$ is a member of the group, thus has an opposite $-A$. We add it on the left of both sides of $A+X=B$, yielding $(-A)+(A+X)=(-A)+B$. We use the group law's associativity to get $((-A)+A)+X=(-A)+B$. By definition of the opposite, $(-A)+A$ is the neutral $\mathcal O$, thus $\mathcal O+X=(-A)+B$. By definition of the neutral, $\mathcal O+X=X$, thus by replacement we get $A+X=B\implies X=(-A)+B$. Proving that $X=(-A)+B\implies A+X=B$ is just as easy, by adding $A$ on the left of both sides.

fgrieu
  • 140,762
  • 12
  • 307
  • 587