I created smaller secp256k1 just for testing

stwenhao

member

Activity: 86

Merit: 100

The smallest valid example I can come up with:

Curve p=7, n=13, y^2=x^3+3, generator=(1,2)
Server to execute code: https://sagecell.sagemath.org/

Code:

p=7
n=13
K=GF(p)
a=K(0)
b=K(3)
E=EllipticCurve(K,(a,b))
G=E(1,2)
E.set_order(n)
d=1
P=d*G
while d    print(d,P[0],P[1])
    d+=1
    P=d*G

Table of private and public keys:

Code:

+----+---+---+
|  d | x | y |
+----+---+---+
|  1 | 1 | 2 |
|  2 | 6 | 3 |
|  3 | 2 | 2 |
|  4 | 4 | 5 |
|  5 | 3 | 3 |
|  6 | 5 | 3 |
|  7 | 5 | 4 |
|  8 | 3 | 4 |
|  9 | 4 | 2 |
| 10 | 2 | 5 |
| 11 | 6 | 4 |
| 12 | 1 | 5 |
+----+---+---+

And then, everything can be rotated just like in a clock, with additional 13th point at infinity.

Later, you can try to go into bigger and bigger curves, and get for example everything below 100:

Code:

p=5
while p<100:
    n_values=[]
    b_value=1
    while len(n_values)<6:
        K=GF(p)
        a=K(0)
        b=K(b_value)
        E=EllipticCurve(K,(a,b))
        n=E.order()
        if n == p+1:
            n_values.append(n)
            n_values.append(n)
            n_values.append(n)
            n_values.append(n)
            n_values.append(n)
            n_values.append(n)
        else:
            if n not in n_values:
                n_values.append(n)
            b_value+=1
    if n_values[0] != p+1:
        print(p,n_values)
    p=next_prime(p)

It is just slightly modified example from vjudeu's code: https://github.com/vjudeu/curves1000/wiki/Six-n%E2%80%90values-when-changing-b%E2%80%90value

As you can probably see, you can get these results:

Code:

7 [12, 9, 13, 3, 7, 4]
13 [12, 19, 9, 21, 16, 7]
19 [12, 13, 21, 27, 28, 19]
31 [36, 43, 39, 21, 25, 28]
37 [48, 49, 39, 37, 28, 27]
43 [36, 52, 49, 39, 31, 57]
61 [48, 61, 75, 63, 76, 49]
67 [84, 73, 52, 57, 63, 79]
73 [84, 81, 57, 91, 64, 67]
79 [84, 63, 97, 93, 67, 76]
97 [84, 117, 93, 79, 103, 112]

Another similar topic, which may be useful: https://bitcointalksearch.org/topic/smaller-elliptic-curves-y2-x37-based-on-secp256k1-5459153

Here, Garlo Nicon was trying just y^2=x^3+7, and checked only values, where p-value and n-value can be swapped, but as it is not the case in secp192k1 and secp224k1, and works only for secp160k1 and secp256k1, then probably other b-values should be considered as well.

jovica888

jr. member

Activity: 49

Merit: 11

@dexizer7799
Thank you but I think this is an example for different type of curve... I do not know I did not understand the content of that link

for small secp256k1 I found that if you do addition of all X values for all points and do mod p you get 0

So if P=97 I get n=79

if I do the addition of all valid points Gx+2Gx+3Gx+4Gx....+78Gx Where Generator point is P (1,69) then I get
3880 mod 97 = 0

Maybe this can be usefull

dexizer7799

newbie

Activity: 30

Merit: 0

Hola! You can check this one https://amnesia.sh/ctf/2024/03/14/htb-arranged.html

iceland2k14

jr. member

Activity: 37

Merit: 68

secp256k1 curve is

Code:

y² = x³ + 7

With the help of cuberoot of Unity, we can say that each value of Y there will be 3 values of X. (Endomorphism Points)
In a similar way For each X there will be 2 values of Y. (symmetry Points)

The relationships between them are well known and already used in various tools for faster scanning (example VanitySearch from JLP).
In a very simple way if you have a Pubkey points (x, y) you can get in total 6 pubkeys easily through

Code:

6 Pubkeys = [x,y]  [x*beta%p, y]  [x*beta2%p, y] [x,p-y]  [x*beta%p, p-y]  [x*beta2%p, p-y]

These points are related with the Generator through Privatekeys like this

Code:

6 Pvkeys = pvk, pvk*lmda%N, pvk*lmda2%N, N-pvk, N-pvk*lmda%N, N-pvk*lmda2%N

Here the secp256k1 constants are

Code:

p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Constants Based on Cube root of 1
beta = 0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee
beta2 = 0x851695d49a83f8ef919bb86153cbcb16630fb68aed0a766a3ec693d68e6afa40      # beta*beta
lmda = 0x5363ad4cc05c30e0a5261c028812645a122e22ea20816678df02967c1b23bd72
lmda2 = 0xac9c52b33fa3cf1f5ad9e3fd77ed9ba4a880b9fc8ec739c2e0cfc810b51283ce      # lmda*lmda

AlexanderCurl

newbie

Activity: 5

Merit: 168

Quite impressive!!!
I was doing the same things when i started learning secp256k1 curve.
I do not know if that info can be used to some advantage but there is one good saying: "If one does not know how to do it DOES NOT MEAN THAT IT CANNOT BE DONE!!!"

jovica888

jr. member

Activity: 49

Merit: 11

So I am learning about everything and so there is a chance that this post can be lame/noob or something like that

I created a smaller secp256k1, p=43 n=31
I took point G(2, 31) for the generator point and I got the list of all valid points

Code:

G=(2,31)
2G=(7,36)
3G=(35,22)
4G=(21,25)
5G=(12,31)
6G=(29,12)
7G=(25,25)
8G=(32,3)
9G=(20,3)
10G=(42,36)
11G=(40,18)
12G=(37,7)
13G=(13,22)
14G=(34,3)
15G=(38,22)
16G=(38,21)
17G=(34,40)
18G=(13,21)
19G=(37,36)
20G=(40,25)
21G=(42,7)
22G=(20,40)
23G=(32,40)
24G=(25,18)
25G=(29,31)
26G=(12,12)
27G=(21,18)
28G=(35,21)
29G=(7,7)
30G=(2,12)

I printed this and I put it on my wall so when I work (I work from home) sometimes I look into this paper and I tried to find something interesting (interesting for me

)

so this is what I found and also those rules can be applied on regular secp256k1 that Bitcoin is using...

Every Y has 3 different X values... When you calculate G of those points you always get n=31
so G=(2,31) + 5G=(12,31) + 25G=(29,31) = 31G, also for all other points 2G=(7,36) + 10G=(42,36) + 19G=(37,36) = 31G
If you change generator points those positions will remain the same so for n=31 you will always get the same Y on the same sets of points 1 5 25, 2 10 19... there are 10 sets of this points

There are negative points set with 1 5 25 and 6 26 30 (6 26 30 starting from the "end" to start" basically) When you do positive set + negative set of points those point will always return 93G or 3n

I found that if you do for one set of point X1 + X2 +X3 you sometimes get 2P and sometimes get only P I do not know why...

so on original curve where y is 483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
you have 3 X
first   x: c994b69768832bcbff5e9ab39ae8d1d3763bbf1e531bed98fe51de5ee84f50fb
second   x: 79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
third   x: bcace2e99da01887ab0102b696902325872844067f15e98da7bba04400b88fcb

If you do X1 + X2 + X3 in this case you will get 2P in some other cases I found that I only get 1P
Y 4218f20ae6c646b363db68605822fb14264ca8d2587fdd6fbc750d587e76a7ee

first   x: 1
second   x: 7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee
third   x: 851695d49a83f8ef919bb86153cbcb16630fb68aed0a766a3ec693d68e6afa40
In this case you get only P when you do X1 + X2 + X3

I found that for symmetrical points if you do Y1+Y2 you always get P
b7c52588d95c3b9aa25b0403f1eef75702e84bb7597aabe663b82f6f04ef2777 + 79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 = p
.
.
.

Is there and useful way that we can use those points if we can calculate their G positions? I am testing bigger and bigger curves and always looking for n that number of points mod 6 = 0 (+ infinity point)
p = 937 n = 973
1G 235G 737G

So I am trying to make a connection between 1st and 2nd point for any p and any n....
If I know 1st and 2nd point I can easily calculate 3rd = n - 1st - 2nd
then I can calculate the position of other 3 points that has different Y but same 3 X

If we know the relations between those points maybe we can scan keys faster or see some periodical groups I do not know

Topic: I created smaller secp256k1 just for testing (Read 170 times)