0

I must perform calculate of substract two points:

Let $G$ be the generator point and;

$P_1 =[1]G = (x_1,y_1)$

$P_2 = [2]G = (x_2,y_2)$,

When I will subtract $P_1 - P_2$ -> I will move Point to N-1 with negative $y_1$ of $P_1$

second: Let $G$ be the generator point and;

$P_5 =[5]G = (x_1,y_1)$

$P_2 = [2]G = (x_2,y_2)$,

$P_3 = [3]G = (x_3,y_3)$,

When I will subtract $P_2 - P_5$ -> I will take result $P_3$ with negative $y_3$ of $P_3$

it looks like $P_2 - P_5$ it "similiar" to integer 2 minus integer 5 = we get minus 3 - and in this example -3 it is N-3 .

How to check that substract points cross the order of curve n? without checking y is negative?
how to check that substract point is crossed by Point of Infinity and order of the curve?

Ps. N = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 order of curve -> maximum points.

Ironic
  • 11
  • 3

1 Answers1

1

How to check that substract points cross the order of curve n?

You cant'; or at least, we hope you can't.

If you could, you could use that method to compute discrete logs.

Here is one approach; suppose you had a method that, given the points $[a]G$ and $[b]G$, would return you $[a-b]G$ and also informed you whether it "crossed the order of curve n", that is, if $a < b$. Then, what you could do, given the point $[x]G$, you could use this method on the points $[x]G$ and $[\lfloor n/2 \rfloor]G$; that method would tell you if $x < \lfloor n/2 \rfloor$. If it turned out (for example) if $x$ happened to be larger, you could repeat this with $[x]G$ and $[\lfloor 3n/5 \rfloor]G$; and continue to do binary searching until you have recovered the value of $x$.

That means that you've just recovered the discrete log of $xG$ with only circa $\log_2(n)$ calls to your method; we certainly hope that we can't do that.

BTW: why do you care if "the points cross the order of curve n"?

poncho
  • 154,064
  • 12
  • 239
  • 382