You cannot divide in the normal way on an elliptic curve. Instead you have to use something called the multiplicative inverse.
To find the multiplicative inverse of a number on a elliptic curve, then you are looking for another number so that when the two are multiplied together modulo p, then the answer is 1.
For example, if we consider a curve modulo 17, then the multiplicative inverse of 2 would be 9, since 2*9 = 18, modulo 17 = 1. The multiplicative inverse of 5 would be 7, since 5*7 = 35, modulo 17 = 1.
So 1 / (x2 - x1) is finding the multiplicative inverse of (x2 - x1.) Once you've found the multiplicative inverse, then instead of doing (y2 - y1) divided by (x2 - x1), you instead do (y2 - y1) multiplied by the multiplicative inverse of (x2 - x1).
All of these operations will be modulo p.
Topic: Elliptic Curve Point Addition Question (Read 869 times)
If L = (y2 - y1) / (x2 - x1) what does 1 / (x2 - x1) mean?
It means that you take the result of x2 - x1 = xdiff, and then raise it to the (p-2)th power: xdiffp-2 mod p. (xdiffp-1 % p would be equal to 1, while xdiffp % p is simply xdiff) where p is the curve characteristic.
It's just a shorthand way of writing the above expression as division doesn't really exist in elliptic curves but modular inverses do.
I get this
Quote
It means that you take the result of x2 - x1 = xdiff
but I totally don't uderstand this
Quote
then raise it to the (p-2)th power: xdiffp-2 mod p. (xdiffp-1 % p would be equal to 1
I need this explained in the simplest possible terms please.
That's why I asked for a step by step breakdown (every step) would be much appreciated.
If L = (y2 - y1) / (x2 - x1) what does 1 / (x2 - x1) mean?
It means that you take the result of x2 - x1 = xdiff, and then raise it to the (p-2)th power: xdiffp-2 mod p. (xdiffp-1 % p would be equal to 1, while xdiffp % p is simply xdiff) where p is the curve characteristic.
It's just a shorthand way of writing the above expression as division doesn't really exist in elliptic curves but modular inverses do.
Code:
L = (y2 - y1) / (x2 - x1)
x3 = L^2 - x1 - x2
y3 = L(x1 - x3) - y1
y2 - y1 = 94553076844452666078538149424419144783741135675920254371088167625192913487275
x2 - x1 = 75694105346914480362575934586442506821074289349400393707630734405845016901087
1 / (x2 - x1) = 57109544797366026611537207709745816878454354988638946088653096565731074851657
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
L^2 = 85396884292048511216639145930585800795235676868516676403763378131573495159908
x3 = 22299113221787846994488776168920263850616409616156953345645360922861305118563
x1 - x3 = 87194808877201440358869426427379159064426064000963275369055864486481116123229
L(x1 - x3) = 114457103505967127914246148065726475976734011734324777350232007537745534737470
y3 = 4557556935953335244676085823642666982350217411134294760123069603436116216826
x3 = L^2 - x1 - x2
y3 = L(x1 - x3) - y1
y2 - y1 = 94553076844452666078538149424419144783741135675920254371088167625192913487275
x2 - x1 = 75694105346914480362575934586442506821074289349400393707630734405845016901087
1 / (x2 - x1) = 57109544797366026611537207709745816878454354988638946088653096565731074851657
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
L^2 = 85396884292048511216639145930585800795235676868516676403763378131573495159908
x3 = 22299113221787846994488776168920263850616409616156953345645360922861305118563
x1 - x3 = 87194808877201440358869426427379159064426064000963275369055864486481116123229
L(x1 - x3) = 114457103505967127914246148065726475976734011734324777350232007537745534737470
y3 = 4557556935953335244676085823642666982350217411134294760123069603436116216826
Thanks again for your help.
To get L, can you break this down further for me please?
Code:
1 / (x2 - x1) = 57109544797366026611537207709745816878454354988638946088653096565731074851657
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
If L = (y2 - y1) / (x2 - x1) what does 1 / (x2 - x1) mean?
I don't quite understand, sorry.
Thank you.
How did you get y2-y1 to equal that? When I did it it ends up being a negative number.
Also, where does modp come into it all?
You've answered your own question here.Also, where does modp come into it all?
The secp256k1 curve which bitcoin uses is defined over the field p. So all calculations must be done modulo p. p is defined as:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1
115792089237316195423570985008687907853269984665640564039457584007908834671663
With the coordinates you have given above, y2 - y1 gives:
Code:
-21239012392863529345032835584268763069528848989720309668369416382715921184388
Take that number mod p, and you get:
Code:
94553076844452666078538149424419144783741135675920254371088167625192913487275
Quote
Code:
L = (y2 - y1) / (x2 - x1)
x3 = L^2 - x1 - x2
y3 = L(x1 - x3) - y1
y2 - y1 = 94553076844452666078538149424419144783741135675920254371088167625192913487275
x2 - x1 = 75694105346914480362575934586442506821074289349400393707630734405845016901087
1 / (x2 - x1) = 57109544797366026611537207709745816878454354988638946088653096565731074851657
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
L^2 = 85396884292048511216639145930585800795235676868516676403763378131573495159908
x3 = 22299113221787846994488776168920263850616409616156953345645360922861305118563
x1 - x3 = 87194808877201440358869426427379159064426064000963275369055864486481116123229
L(x1 - x3) = 114457103505967127914246148065726475976734011734324777350232007537745534737470
y3 = 4557556935953335244676085823642666982350217411134294760123069603436116216826
x3 = L^2 - x1 - x2
y3 = L(x1 - x3) - y1
y2 - y1 = 94553076844452666078538149424419144783741135675920254371088167625192913487275
x2 - x1 = 75694105346914480362575934586442506821074289349400393707630734405845016901087
1 / (x2 - x1) = 57109544797366026611537207709745816878454354988638946088653096565731074851657
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
L^2 = 85396884292048511216639145930585800795235676868516676403763378131573495159908
x3 = 22299113221787846994488776168920263850616409616156953345645360922861305118563
x1 - x3 = 87194808877201440358869426427379159064426064000963275369055864486481116123229
L(x1 - x3) = 114457103505967127914246148065726475976734011734324777350232007537745534737470
y3 = 4557556935953335244676085823642666982350217411134294760123069603436116216826
Thanks so much and please excuse my lack of math skills.
How did you get y2-y1 to equal that? When I did it it ends up being a negative number.
Also, where does modp come into it all?
Thanks again.
Thanks so much for everyone's input so far.
Could I ask if someone would be able to provide a manual step by step example of the point addition process using actual numbers?
Here are 2 random EC points to use from secp256k1.
Privkey: DBD5EBF749EDF69369B251A9434E9B782534294066797AEF1D25ED9B9672E821
x - 109493922098989287353358202596299422915042473617120228714701225409342421241792
y - 109899546570013792669570062242083808994383794323190482590108937934309418520644
+
Privkey: 9A309407E5266673F677C583BF1068615810AF4C1B90D5A8DBB335CC15D05959
x - 69395938208587572292363152174054021882846778300880058382874375807278603471216
y - 88660534177150263324537226657815045924854945333470172921739521551593497336256
I just need the (public key) point addition. No need to do anything with the private keys, they are just there for reference if needed.
I haven't seen this done anywhere (and I've looked a lot). This would be amazing to include in my project and for me to learn what this process actually looks like on paper.
Thanks so much in advance.
Could I ask if someone would be able to provide a manual step by step example of the point addition process using actual numbers?
Here are 2 random EC points to use from secp256k1.
Privkey: DBD5EBF749EDF69369B251A9434E9B782534294066797AEF1D25ED9B9672E821
x - 109493922098989287353358202596299422915042473617120228714701225409342421241792
y - 109899546570013792669570062242083808994383794323190482590108937934309418520644
+
Privkey: 9A309407E5266673F677C583BF1068615810AF4C1B90D5A8DBB335CC15D05959
x - 69395938208587572292363152174054021882846778300880058382874375807278603471216
y - 88660534177150263324537226657815045924854945333470172921739521551593497336256
I just need the (public key) point addition. No need to do anything with the private keys, they are just there for reference if needed.
I haven't seen this done anywhere (and I've looked a lot). This would be amazing to include in my project and for me to learn what this process actually looks like on paper.
Thanks so much in advance.
Code:
L = (y2 - y1) / (x2 - x1)
x3 = L^2 - x1 - x2
y3 = L(x1 - x3) - y1
y2 - y1 = 94553076844452666078538149424419144783741135675920254371088167625192913487275
x2 - x1 = 75694105346914480362575934586442506821074289349400393707630734405845016901087
1 / (x2 - x1) = 57109544797366026611537207709745816878454354988638946088653096565731074851657
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
L^2 = 85396884292048511216639145930585800795235676868516676403763378131573495159908
x3 = 22299113221787846994488776168920263850616409616156953345645360922861305118563
x1 - x3 = 87194808877201440358869426427379159064426064000963275369055864486481116123229
L(x1 - x3) = 114457103505967127914246148065726475976734011734324777350232007537745534737470
y3 = 4557556935953335244676085823642666982350217411134294760123069603436116216826
x3 = L^2 - x1 - x2
y3 = L(x1 - x3) - y1
y2 - y1 = 94553076844452666078538149424419144783741135675920254371088167625192913487275
x2 - x1 = 75694105346914480362575934586442506821074289349400393707630734405845016901087
1 / (x2 - x1) = 57109544797366026611537207709745816878454354988638946088653096565731074851657
L = 26260209610829739695182151635707675950033180086458470318530731088353219693361
L^2 = 85396884292048511216639145930585800795235676868516676403763378131573495159908
x3 = 22299113221787846994488776168920263850616409616156953345645360922861305118563
x1 - x3 = 87194808877201440358869426427379159064426064000963275369055864486481116123229
L(x1 - x3) = 114457103505967127914246148065726475976734011734324777350232007537745534737470
y3 = 4557556935953335244676085823642666982350217411134294760123069603436116216826
Could I ask if someone would be able to provide a manual step by step example of the point addition process using actual numbers?
You can use any of the open source ECC libraries and find their point addition method then open it in a debugger to call the method and "step through" the code to see what happens on each step. For example in c# using Visual Studio we simply place a break point on that line and then keep pressing F10 to see each step.
Thanks so much for everyone's input so far.
Could I ask if someone would be able to provide a manual step by step example of the point addition process using actual numbers?
Here are 2 random EC points to use from secp256k1.
Privkey: DBD5EBF749EDF69369B251A9434E9B782534294066797AEF1D25ED9B9672E821
x - 109493922098989287353358202596299422915042473617120228714701225409342421241792
y - 109899546570013792669570062242083808994383794323190482590108937934309418520644
+
Privkey: 9A309407E5266673F677C583BF1068615810AF4C1B90D5A8DBB335CC15D05959
x - 69395938208587572292363152174054021882846778300880058382874375807278603471216
y - 88660534177150263324537226657815045924854945333470172921739521551593497336256
I just need the (public key) point addition. No need to do anything with the private keys, they are just there for reference if needed.
I haven't seen this done anywhere (and I've looked a lot). This would be amazing to include in my project and for me to learn what this process actually looks like on paper.
Thanks so much in advance.
Could I ask if someone would be able to provide a manual step by step example of the point addition process using actual numbers?
Here are 2 random EC points to use from secp256k1.
Privkey: DBD5EBF749EDF69369B251A9434E9B782534294066797AEF1D25ED9B9672E821
x - 109493922098989287353358202596299422915042473617120228714701225409342421241792
y - 109899546570013792669570062242083808994383794323190482590108937934309418520644
+
Privkey: 9A309407E5266673F677C583BF1068615810AF4C1B90D5A8DBB335CC15D05959
x - 69395938208587572292363152174054021882846778300880058382874375807278603471216
y - 88660534177150263324537226657815045924854945333470172921739521551593497336256
I just need the (public key) point addition. No need to do anything with the private keys, they are just there for reference if needed.
I haven't seen this done anywhere (and I've looked a lot). This would be amazing to include in my project and for me to learn what this process actually looks like on paper.
Thanks so much in advance.
I am doing a school project about Bitcoin and more specifically point addition on the Elliptic Curve. I am very new to all this so please forgive my mistakes.
I have been reading that when adding points together the result can go "outside of the bounds before intersecting a third point" as in this image.
This is fascinating but also a little confusing and I would like to know more.
So my questions are:
1. Is it possible to know when the point addition process has gone outside of the field?
And
2. Is there a way (like a Python script or something) that I could use to add 2 points and it would tell me if the result went outside of the field?
I know that the result of the addition is still a valid point on the curve, but I would love to know if it passed out of bounds first.
This would be fantastic for my project to show others how this works.
I hope that made sense and thanks in advance for your help.
I have been reading that when adding points together the result can go "outside of the bounds before intersecting a third point" as in this image.
This is fascinating but also a little confusing and I would like to know more.
So my questions are:
1. Is it possible to know when the point addition process has gone outside of the field?
And
2. Is there a way (like a Python script or something) that I could use to add 2 points and it would tell me if the result went outside of the field?
I know that the result of the addition is still a valid point on the curve, but I would love to know if it passed out of bounds first.
This would be fantastic for my project to show others how this works.
I hope that made sense and thanks in advance for your help.
The math involves different kinds of objects and so the meaning which is understood as "add" is different. When we say add two numbers in a finite field, which is what you have to do for this to work, we really mean add like integers and then divide by the special modulus value and keep the remainder.
So take the clock and consider neither the minute nor day but only the hour. 7+7 is considered 2 rather than 14. So they're right. You cannot get above 12. But 7+7 is 14 (in normal addition). So I think you want to know whether you can determine when the you get different results. In the case of the clock, you overflow at 12. Now not only is addition different but so is division, multiplication and subtraction.
[1] You can calculate the slope the normal way, find the other point on the graph and you'll get some rational number for the slope and the x and y for the new point may not even be integers. If they are not both integers, this means you would have to follow the slope outside of the field size and wrap around (perhaps many times) in order to get to the field bounded answer.
Follow the instructions of how to calculate a sum of points (now the points have yet another different meaning for add). Start with say y^2=x^3-x+7. Figure out two integer points with trial and error. The desmos graph will give you some points to try. Plug in numbers that look like they are in integer spots. Do your point addition as if they are all real numbers. Post your third point here. You'll most probably get some non-integer value.
Use a small modulus like 1999 or 113. Do this the modulus way and you'll get integers smaller than 113. How to do division modulus 113 is something you should search for yourself also. Go search for finite fields.
Can we agree to provide numbers here in hexa-decimal?
I can not follow the last bill.
Could you write something?
I can not follow the last bill.
Could you write something?
1)876742496012344784179985348367087362
*57896044618658097711785492504343953926418782139537452191302581570759080747168=50759922668204382934134837660716306466228361205929188691171789049422319851611495761608191356750899783486890090816
2)5075992266820438293413483766071630646622836120592918869117178904942231985161149 5761608191356750899783486890090816:115792089237316195423570985008687907852837564279074904382605163141518161494336=438371248006172392089992674183543681
3)438371248006172392089992674183543681
pub key 04811cfaa321171426ac4fc20a3a43f8ab4e9579923fafab4630039d7bb4daa2637f7e8c86ecb69 05e449804b7a85731343618f5a92582e3a7713e038a980d1544
*57896044618658097711785492504343953926418782139537452191302581570759080747168=50759922668204382934134837660716306466228361205929188691171789049422319851611495761608191356750899783486890090816
2)5075992266820438293413483766071630646622836120592918869117178904942231985161149 5761608191356750899783486890090816:115792089237316195423570985008687907852837564279074904382605163141518161494336=438371248006172392089992674183543681
3)438371248006172392089992674183543681
pub key 04811cfaa321171426ac4fc20a3a43f8ab4e9579923fafab4630039d7bb4daa2637f7e8c86ecb69 05e449804b7a85731343618f5a92582e3a7713e038a980d1544
Thank you for using the Calculator and feedback. :-) How did you calculate it? Is there an alternate SECP256K1 Calculator with which I could compare the result?
Distributive rule
a*c + b*c = (a+b)*c
a =
From your example
b =
b is added as a new auxiliary variable.
c =
From your example
a*c =
b*c =
a*c+b*c =
(a+b) =
(a+b)*c =
I think it's right.
Because the distributive law proves it.
Is there anyone who keeps it wrong or that it can confirm the result?
Distributive rule
a*c + b*c = (a+b)*c
a =
Code:
f196d3200d66872e9573cab8117b3943f482fc2d4ac53be85b34ffad9e8d640c
6bd66e5ca7201d9d22717b1b70719955ca94e864bcedaba2c28d3d0083b5c167
b =
Code:
d39da1d0d1e5bcc80c4b4bf28701d4b611d412a9c353b1aaae763e9c79fa7440
eace7dbd056c7387a5e722618a1e1ca5847c8ae5f34dbdd055c3c2e82c7c8df9
c =
Code:
7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
a*c =
Code:
811cfaa321171426ac4fc20a3a43f8ab4e9579923fafab4630039d7bb4daa263
8081737913496fa1bb67fb4857a8cecbc9e70a56da7d1c588ec1fc7467f2e6eb
b*c =
Code:
db0480ae98d0e58c33d3cc688903ff97e969294205c803cbc335e205925015c7
f5929b8c91e93238e97d49015c75dc167b78fa5b4cb3ca940109ec7678268f06
a*c+b*c =
Code:
c06505b3654507829b89e29cf23aaac01d63475e557aaf5bc459b9695ca43534
fb204d5b4fadabbadfcace89bf83e2bb55716c35baa07e513b2d451ef1cf0b4
(a+b) =
Code:
b3e33118e17710de40d779d3bf42fdd25fdd45c7c380cf321e07998af5452079
80b110cb68c2cb8cec778213c4a651671f422fb07441da842149faa46a7fb47e
(a+b)*c =
Code:
c06505b3654507829b89e29cf23aaac01d63475e557aaf5bc459b9695ca43534
fb204d5b4fadabbadfcace89bf83e2bb55716c35baa07e513b2d451ef1cf0b4
I think it's right.
Because the distributive law proves it.
Is there anyone who keeps it wrong or that it can confirm the result?
Your calculator is not counting correctly! Check x = f196d3200d66872e9573cab8117b3943f482fc2d4ac53be85b34ffad9e8d640c
y = 6bd66e5ca7201d9d22717b1b70719955ca94e864bcedaba2c28d3d0083b5c167
I multiply by scalar 7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
And I cry x = 811cfaa321171426ac4fc20a3a43f8ab4e9579923fafab4630039d7bb4daa263
y = 8081737913496fa1bb67fb4857a8cecbc9e70a56da7d1c588ec1fc7467f2e6eb
This is the wrong result. Should be x = 811cfaa321171426ac4fc20a3a43f8ab4e9579923fafab4630039d7bb4daa263
y = 7f7e8c86ecb6905e449804b7a85731343618f5a92582e3a7713e038a980d1544
y = 6bd66e5ca7201d9d22717b1b70719955ca94e864bcedaba2c28d3d0083b5c167
I multiply by scalar 7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
And I cry x = 811cfaa321171426ac4fc20a3a43f8ab4e9579923fafab4630039d7bb4daa263
y = 8081737913496fa1bb67fb4857a8cecbc9e70a56da7d1c588ec1fc7467f2e6eb
This is the wrong result. Should be x = 811cfaa321171426ac4fc20a3a43f8ab4e9579923fafab4630039d7bb4daa263
y = 7f7e8c86ecb6905e449804b7a85731343618f5a92582e3a7713e038a980d1544
Quote
I also have a tool for you, which may be able to use it.
This allows you to carry out all possible bills on the SECP256K1 curve.
https://github.com/MrMaxweII/Secp256k1-Calculator
Thank you.
Does anyone know of a website or app where I can input the EC points and it will visually show the addition on a graph of the curve/field?
This would greatly help with my school presentation.
Thanks.
This would greatly help with my school presentation.
Thanks.
I also have a tool for you, which may be able to use it.
This allows you to carry out all possible bills on the SECP256K1 curve.
https://github.com/MrMaxweII/Secp256k1-Calculator
Quote
Thanks so much. I was looking at this on Desmos. It looks like a very useful tool.
I want something for the finite field where I can input actual secp256k1 points.
Does anyone know of a website or app where I can input the EC points and it will visually show the addition on a graph of the curve/field?
This would greatly help with my school presentation.
Thanks.
you can try to use this tool - https://www.desmos.com/calculator/ialhd71we3This would greatly help with my school presentation.
Thanks.
Does anyone know of a website or app where I can input the EC points and it will visually show the addition on a graph of the curve/field?
This would greatly help with my school presentation.
Thanks.
This would greatly help with my school presentation.
Thanks.
Ok, lots of people telling you it can't be done, and saying that it would break ECDSA, but not a lot of explanation about why or how to think about that.
Let's look at it this way....
I assume when you say "around the clock" what you really mean is that you've come back through the base point G, or rather that the point you've generated is equal to G plus something greater than the order of the curve.
Here lies the problem. If you can look at a point (a public key) and know that you had to add G more than a set number of times to get there, then you could calculate the private key from the point:
Was it greater than half the order? No? Ok, how about greater than a fourth of the order? Yes? Ok, how about greater than three-eighths of the order? Yes? Ok, how about greater than seven-sixteenths of the order... and so on until you narrowed in on the exact value of the private key.
There is no way to look at 2 points, and determine which one has the greater private key.
Points are added by calculating the line that passes between both of them, and then calculating where else that line intersects the curve. If you knew the private keys for those two points to start with, then you could figure out if the sum of the two private keys was greater than the order of the curve, but if you don't know the private keys, then you don't have any way of finding out what all the points are for all the private keys that you skipped over when you added the points together. As such, there's no way to know if any of those points were G. Again, if you could know that some given private key existed "in between" the private keys of 2 given points, then you could use that information to quickly and easily narrow in on the private key of any given point.
Does this help you understand why your question isn't going to have an answer? You are thinking about private keys, and how if the private key exceeds the order of the curve then it "wraps around" giving the same results as the new private key minus the order of the curve, but you aren't asking about private keys. You're asking about public keys. Since there is no way to calculate the private key from the public key, there's no way to know what the relationship is between the private keys for 2 given public keys. Which is greater? How far apart are they? You either need to know the private keys to start with, or you need to calculate every point in between to see if any of them are G.
Now, if you want to do your demonstration by picking 2 private keys, and then calculate the public keys from them... That's a different story. In that case, you already KNOW both the private keys. If the sum of those two integers is larger than the order of the curve, then you've wrapped around, if it isn't, then you haven't. That's a simple calculation, and doesn't need a script.
Let's look at it this way....
I assume when you say "around the clock" what you really mean is that you've come back through the base point G, or rather that the point you've generated is equal to G plus something greater than the order of the curve.
Here lies the problem. If you can look at a point (a public key) and know that you had to add G more than a set number of times to get there, then you could calculate the private key from the point:
Was it greater than half the order? No? Ok, how about greater than a fourth of the order? Yes? Ok, how about greater than three-eighths of the order? Yes? Ok, how about greater than seven-sixteenths of the order... and so on until you narrowed in on the exact value of the private key.
There is no way to look at 2 points, and determine which one has the greater private key.
Points are added by calculating the line that passes between both of them, and then calculating where else that line intersects the curve. If you knew the private keys for those two points to start with, then you could figure out if the sum of the two private keys was greater than the order of the curve, but if you don't know the private keys, then you don't have any way of finding out what all the points are for all the private keys that you skipped over when you added the points together. As such, there's no way to know if any of those points were G. Again, if you could know that some given private key existed "in between" the private keys of 2 given points, then you could use that information to quickly and easily narrow in on the private key of any given point.
Does this help you understand why your question isn't going to have an answer? You are thinking about private keys, and how if the private key exceeds the order of the curve then it "wraps around" giving the same results as the new private key minus the order of the curve, but you aren't asking about private keys. You're asking about public keys. Since there is no way to calculate the private key from the public key, there's no way to know what the relationship is between the private keys for 2 given public keys. Which is greater? How far apart are they? You either need to know the private keys to start with, or you need to calculate every point in between to see if any of them are G.
Now, if you want to do your demonstration by picking 2 private keys, and then calculate the public keys from them... That's a different story. In that case, you already KNOW both the private keys. If the sum of those two integers is larger than the order of the curve, then you've wrapped around, if it isn't, then you haven't. That's a simple calculation, and doesn't need a script.
Thank you Danny.
The time and care you have taken to explain this is very much appreciated.
Jump to: