
Simple question: given a randomly selected point $P$ belonging to a given Edwards curve defined over a prime field, do two scalars $S1$, $S2$ exist such that:

  • $packed(S1\cdot P)= packed(S2\cdot P)$ (where packed means keeping only $x$ and dropping the $y$ coordinate, but remember this is an Edwards curve, where the negation of a point is $(−x,y)$)
  • $S1 \ne S2$
  • Both $S1$, $S2$ are <targetcurve.Suborder (the largest prime factor of the composite curve's order, or the curve order if that order is prime, which also appears to be the order of any randomly sampled point)
  • if $S1$ and/or $S2$ are $<0$, then either S1+=targetcurve.Suborder and/or S2+=targetcurve.Suborder, which of course is akin to saying they can't be negative.

If yes, is it possible to compute such an integer pair using an easier method than solving the elliptic curve's discrete logarithm?

user2284570

2 Answers


do two scalars $S1$, $S2$ exist such that

  1. $packed(S1\cdot P)= packed(S2\cdot P)$

$S1 = S2$ is equivalent to the statement that $S1 - S2$ is an integer multiple of the order of $P$.

  1. $S1 \ne S2$

If that multiple is not zero, this criteria is met.

Both $S1$ $S2$ are >targetcurve.Suborder

I'm not exactly sure what you mean by that, but arbitrarily large $S1, S2$ exist, so it appears to say "yes"

If yes, is it possible to compute such an integer pair using an easier method than solving the elliptic curve's discrete logarithm?

Not only possible, but easy:

  • Select an arbitrary integer $S1$ that meets your criteria 3

  • Select an arbitrary positive integer $n$ and set $S2 = S1 + nq$ (where $q$ is the order of $P$ - if you don't know that, you can safely use the order of the curve)

And you are done...


Now, with the corrected condition (3), and assuming that the scalars cannot be negative, then it is impossible to have $S1\cdot P = S2 \cdot P$ if $S1 \ne S2$, and $0 < S1, S2 < q$ (where $q$ is the order of $P$).

On the other hand, that's not what you asked for; you asked for $packed(S1\cdot P) = packed(S2\cdot P)$

So, is it possible to have the $packed$ process encode two different points into the same value?

It may be. The most obvious case for this is if $packed$ depends only on the $x$ coordinate of the point. In this case, we have $packed(S1 \cdot P) = packed( (q-S1) \cdot P)$, even though (obviously) $S1 \cdot P \ne (q-S1) \cdot P$.

If this is the case, then producing such a pair $S1, S2$ is easy.

On the other hand, if $packed$ uniquely identifies the encoded point, then what you're asking for is impossible - there will not be any such $S1, S2$ pairs.

kelalaka

poncho

Consider an Edwards curve with equation $x^2+y^2=1+d\,x^2y^2$ in the field $\mathbb F_p$, with prime $p\bmod 4=1$, integer $d$ with $d^{(p-1)/2}\bmod p=p-1$. The group law is $$\bigl(x_1,y_1\bigr)+\bigl(x_2,y_2\bigr)=\bigl((x_1y_2+y_1x_2)/(1+d\,x_1x_2y_1y_2),(y_1y_2-x_1x_2)/(1-d\,x_1x_2y_1y_2)\bigr)$$ We note scalar multiplication $k\cdot P=\underbrace{P+P+\cdots+P}_{k\text{ terms}}$.

The order (number of elements) of that curve can be uniquely written as $h\,n$ with $n$ its largest prime factor. $n$ is the question's "targetcurve.Suborder". The cofactor $h$ is a multiple of $4$, and $n$ is odd. For curves commonly used in cryptography, $h\in\{4,8\}$ and $n\gg h$.

The only element of order $1$ is the group's unit $\mathcal O=(0,1)$. The only element of order $2$ is $(0,-1)$. The only two elements of order $4$ are $(\pm1,0)$. There are $n-1$ elements of order $n$. The opposite of $(x,y)$ is $-(x,y)=(-x,y)$. Define the reflect of $(x,y)$ as $\overline{(x,y)}=(x,-y)$. For all $U$ on the curve, $\overline U$ is on the curve, $\overline{\overline U}=U$, and $U+\overline U=(0,-1)$.


The question asks if, given a random point $P$ on the curve, there exist distinct integers $s_1$ and $s_2$ in $[0,n)$ such that $s_1\cdot P$ and $s_2\cdot P$ have the same $x$ coordinate, that is, they are equal and/or one is the reflect of the other. And if so, it asks if we can compute $s_1$ and $s_2$.

That depends on $P$, and more precisely on the order $j$ of $P$, that is the smallest integer $j>0$ with $j\cdot P=\mathcal O$. In practice we can efficiently compute $j$ given the coordinates of $P$, because $j$ divides $h\,n$, leaving few choices.

  1. If $j=n$, then no. That's when $P$ happens to be in the subgroup of order $n$ and is not the unit. This is with probability $(1-1/n)/h$, nearly 25% or 12.5% for curves of interest. Proof by contradiction:

    • If $s_1\cdot P$ and $s_2\cdot P$ were equal, we'd have $(s_2-s_1)\cdot P=\mathcal O$, thus $(s_2-s_1)\bmod n=0$ since $P$ has order $n$, contradicting "distinct integers $s_1$ and $s_2$ in $[0,n)$".
    • If $s_1\cdot P$ was the reflect of $s_2\cdot P$, we'd have $s_1\cdot P+s_2\cdot P=(0,-1)$, thus $(s_1+s_2)\cdot P=(0,-1)$, thus the order of $(0,-1)$ would divide the order of $P$, thus $2$ would divide $n$, a contradiction with $n$ being an odd prime.
  2. If $j=2n$, then yes: any $s_1\in[1,n)$ and $s_2=n-s_1$ will do. That's when $\overline P$ has order $n$. This is with the same probability as above. Proof: $s_1\in[1,n)$ and $s_2=n-s_1$ implies $s_1\ne s_2$ and $s_1,s_2\in[0,n)$, and $s_2\cdot P=(n-s_1)P=n\cdot P-s_1\cdot P=(-1,0)-(s_1\cdot P)$, that is $s_2\cdot P=\overline{s_1\cdot P}$. Hence all requirements are met.

  3. If $j<n$, then yes: any $s_1\in[0,n-j)$ and $s_2=s_1+j$ will do. Argument: we'll have $s_1\cdot P=s_2\cdot P$. Other solutions with $s_2\cdot P=\overline{s_1\cdot P}$ are also possible.

  4. There are other cases, e.g. $j=4n$. I believe the answer is no, at least for $h\in\{4,8\}$ and $n>2h$. Tentative proof:

    • The condition for $s_1\cdot P=s_2\cdot P$ is $s_1\equiv s_2\pmod j$, and that's incompatible with the other constraints on $s_1$ and $s_2$.
    • The condition for $\overline{s_1\cdot P}=s_2\cdot P$ is perhaps $s_1+s_2\equiv j/2\pmod j$, and that's incompatible with the other constraints on $s_1$ and $s_2$.
fgrieu
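As an added example (not from the question or either answer), the case analysis above, together with poncho's point that $x$-only packing cannot tell a point from its reflect, checked by brute force on a constructed toy curve $x^2+y^2=1+7x^2y^2$ over $\mathbb F_{17}$ (so $p\bmod 4=1$ and $d=7$ is a non-square; the curve has $20=4\cdot5$ points, $h=4$, $n=5$). All function names are my own; `predicted_pair` encodes cases 1 to 4 and `brute_pair` searches every $s\in[0,n)$ so the two can be compared for every point of the curve.

```python
P_MOD, D = 17, 7      # constructed toy curve over F_17; d = 7 is a non-square mod 17
O = (0, 1)            # neutral element
def inv(a): return pow(a, -1, P_MOD)

def on_curve(pt):
    x, y = pt
    return (x*x + y*y - 1 - D*x*x*y*y) % P_MOD == 0

def add(p1, p2):      # the Edwards group law quoted in the answer
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P_MOD
    return ((x1*y2 + y1*x2) * inv((1 + t) % P_MOD) % P_MOD,
            (y1*y2 - x1*x2) * inv((1 - t) % P_MOD) % P_MOD)

def mul(k, pt):       # naive k.P by repeated addition; fine for a 20-point curve
    r = O
    for _ in range(k):
        r = add(r, pt)
    return r

def order(pt):        # smallest j > 0 with j.P = O
    j, q = 1, pt
    while q != O:
        q, j = add(q, pt), j + 1
    return j

def packed(pt): return pt[0]   # the question's packing: keep x, drop y

def curve_points():
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def suborder(m):      # largest prime factor n of the curve order h*n
    return max(f for f in range(2, m + 1) if m % f == 0 and all(f % g for g in range(2, f)))

def predicted_pair(pt, n):   # the answer's cases 1-4; None means "no such pair"
    j = order(pt)
    if j == 2 * n:
        return (1, n - 1)    # case 2: s2.P is the reflect of s1.P
    if j < n:
        return (0, j)        # case 3: s2.P equals s1.P
    return None              # case 1 (j = n, proved) and case 4 (j = 4n, conjectured)

def brute_pair(pt, n):       # exhaustive check over all s in [0, n)
    seen = {}
    for s in range(n):
        x = packed(mul(s, pt))
        if x in seen:
            return (seen[x], s)
        seen[x] = s
    return None
```

Running `predicted_pair` and `brute_pair` over all 20 points agrees in every case, including the eight points of order $4n=20$ for which the answer only conjectures "no".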