2

I am using the Montgomery ladder with the Montgomery curve $by^2=x^3+ax^2+x$ in XZ coordinates, and I recovered the $X$ value using $X3=X1/Z1$, but I don't know how to recover the $Y$ coordinate.

For the double-and-add ladder I am using this:

      A = X2+Z2
      AA = A^2
      B = X2-Z2
      BB = B^2
      E = AA-BB
      C = X3+Z3
      D = X3-Z3
      DA = D*A
      CB = C*B
      X5 = Z1*(DA+CB)^2
      Z5 = X1*(DA-CB)^2
      X4 = AA*BB
      Z4 = E*(BB+a24*E)

I tried it this way:

      x3 = 2;
      % right-hand side of the curve equation divided by b, i.e. y^2 mod p
      y3 = mod(mod((x3.^3 + mod(a*x3.^2,p) + x3),p) * mod(modinvr(b,p),p),p);

      % brute-force search for the square roots of y3 modulo 23
      for y = 0:22
          x = mod(y^2, 23);
          if x == y3
              fprintf("y = %d\n", y); % here I got two values of y, 8 and 15
          end
      end

Here I got two values of y, 8 and 15. Both are correct points on the curve, but in my case I want to choose 8 because the affine scalar point is (2,8). I have another point on the curve, (2,15), but it is not my scalar point! So that's why I need to select 8 instead of 15.

fgrieu
Cisco Saeed

2 Answers

4

Although x25519 uses only the x-coordinate for the DH, for some protocols the $y$ coordinate is also required. So, if one wants to find the $y$ coordinate of $[n]P$, where $P=(x_1,y_1)$ is in affine coordinates, there is a paper for finding $y_n=Y_n/Z_n$ from $x_1,y_1$, and $x_n$.

Given the Montgomery curve $$M_{A,B}:By^2 = x^3 + Ax^2 +x$$ the result is simply:

$$y_n = \frac{(x_nx_1+1)(x_n+x_1+2A)-2A-(x_n-x_1)^2x_{n+1}}{2By_1}$$

Yes, it is $x_{n+1}$, and for that one needs to go for $[n+1]P$.

kelalaka
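The closed form from the answer above, run end to end with the ladder formulas from the question. This is an added example, not code from the question or the answers. The coefficients `A = 18`, `B = 2` over $\mathbb{F}_{23}$ are assumptions, constructed so that the question's point $(2, 8)$ lies on the curve, and all function names are hypothetical.

```python
# Added example: toy curve B*y^2 = x^3 + A*x^2 + x over F_23 (constructed parameters).
p, A, B = 23, 18, 2
A24 = (A + 2) * pow(4, -1, p) % p            # a24 = (a+2)/4 used by the doubling step

def xdbl(X2, Z2):
    """x-only doubling: (X4:Z4) = 2*(X2:Z2)."""
    AA, BB = (X2 + Z2) ** 2 % p, (X2 - Z2) ** 2 % p
    E = (AA - BB) % p
    return AA * BB % p, E * (BB + A24 * E) % p

def xadd(X2, Z2, X3, Z3, X1, Z1=1):
    """Differential addition: (X5:Z5) = (X2:Z2)+(X3:Z3), whose difference is (X1:Z1)."""
    DA, CB = (X3 - Z3) * (X2 + Z2) % p, (X3 + Z3) * (X2 - Z2) % p
    return Z1 * (DA + CB) ** 2 % p, X1 * (DA - CB) ** 2 % p

def ladder(n, x1):
    """Return ((Xn, Zn), (Xn+1, Zn+1)) for [n]P and [n+1]P using x only."""
    R0, R1 = (1, 0), (x1 % p, 1)             # R0 = infinity, R1 = P; R1 - R0 = P always
    for bit in bin(n)[2:]:
        if bit == "1":
            R0, R1 = xadd(*R0, *R1, x1), xdbl(*R1)
        else:
            R0, R1 = xdbl(*R0), xadd(*R0, *R1, x1)
    return R0, R1

def recover_point(n, x1, y1):
    """Affine [n](x1, y1), or None for the point at infinity. Requires y1 != 0."""
    (Xn, Zn), (Xm, Zm) = ladder(n, x1)
    if Zn == 0:
        return None
    xn = Xn * pow(Zn, -1, p) % p
    if Zm == 0:                              # [n+1]P is infinity, so [n]P = -P
        return xn, -y1 % p
    xm = Xm * pow(Zm, -1, p) % p             # x_{n+1}, the extra input the formula needs
    num = (xn * x1 + 1) * (xn + x1 + 2 * A) - 2 * A - (xn - x1) ** 2 * xm
    return xn, num * pow(2 * B * y1, -1, p) % p

def on_curve(pt):
    x, y = pt
    return (B * y * y - (x ** 3 + A * x * x + x)) % p == 0
```

On this toy curve $(2, 8)$ has order 7, so `recover_point(6, 2, 8)` returns $(2, 15)$: the second square root found in the question is $-P$, and the formula picks the correct sign without a square-root search.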
1

I also recommend seeing section 4.3 on Montgomery curves and their arithmetic by Craig Costello and Benjamin Smith. It cites the document from the answer above but also explains, has the algorithm and the closed form while giving some "history" on the recovery of y.

Alex Them