
I am watching cryptography classes because I want to understand the math behind bitcoin's algorithm. This is a hobby, but I am having a brainfart watching this part of the lecture:

The equations are:

$$ S_2 = AS_1 + B \mod m $$

$$ S_3 = AS_2 + B \mod m $$

He solved them and got:

$$ A = (S_2 - S_3)(S_1 - S_2)^{-1} \mod m $$

$$ B = S_2 - S_1(S_2 - S_3)(S_1 - S_2)^{-1} \mod m $$

I was able to solve for A and arrive at the same result, but not B. How did he arrive at the resulting equation for B? I can see that A was plugged into the first equation, but I wasn't able to get to the same result.

  • Subtract the 2nd equation from the first. – user2661923 Nov 22 '22 at 11:42
  • Please see this article on MathSE protocol. As onerous as the article may appear to you, it provides a defense mechanism against the MathSE forum being used as a do my homework forum. In particular, please see the Edit-Tools section of the article, and the portion of the article that discusses showing work. Homework problems are allowed, as long as the protocol is observed. – user2661923 Nov 22 '22 at 11:42
  • You have $s_1$ and $S_1$, also $s_2$ and $S_2$, $s_3$ and $S_3$. If these are meant to be the same, please edit so they actually are the same. It wouldn't hurt to look at the help pages on formatting mathematics so you get $s_2$ instead of s2, and so on. – Gerry Myerson Nov 22 '22 at 11:49
  • @user2661923 this is not homework, I am learning this stuff as a hobby because I want to understand the math behind bitcoin's algorithms. I was able to solve for A but not B. – Alexandre Borela Nov 22 '22 at 12:49
  • @GerryMyerson I corrected it, it was a typo. – Alexandre Borela Nov 22 '22 at 12:53
  • Note that $S_1 - S_2$ is invertible $\bmod m$ iff it is coprime to the modulus, so the solutions are not valid if this is not the case. – Bill Dubuque Nov 22 '22 at 13:02
  • You can use Cramer's Rule when the determinant is invertible $\bmod m$, e.g. see here, or do the same by (Gaussian) elimination. – Bill Dubuque Nov 22 '22 at 13:07
  • "this is not homework" : as I indicated, that is irrelevant. Please follow the instructions in the article, with all of your responses inserted directly into your posting, rather than in the comments. – user2661923 Nov 22 '22 at 14:39
  • From the first equation, you get $B=S_2-AS_1$ (OK, congruent, not equal – I'm being lazy). Now replace $A$ by the expression you got for it earlier. – Gerry Myerson Nov 22 '22 at 22:03
  • @GerryMyerson I see, it was my interpretation of the symbol that was incorrect, I should have used congruent, if you create an answer to this topic, I'll mark it as accepted. – Alexandre Borela Nov 22 '22 at 22:29

1 Answer


Subtracting the second congruence from the first, we get $$ S_3-S_2\equiv AS_2-AS_1\equiv A(S_2-S_1)\pmod m, $$ whence $A\equiv(S_3-S_2)(S_2-S_1)^{-1}\pmod m$ (provided $S_2-S_1$ is invertible, modulo $m$).

Then the first equation can be rewritten as $B\equiv S_2-AS_1\pmod m$, and substituting for $A$ the expression we just found earlier, $$ B\equiv S_2-S_1(S_3-S_2)(S_2-S_1)^{-1}\pmod m. $$

Gerry Myerson
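The derivation in this answer as code, added here as an example and not part of the question or answer: given three consecutive outputs of a generator $S_{i+1} = AS_i + B \bmod m$ with known modulus $m$, recover $A$ and $B$, checking the invertibility condition Bill Dubuque raised in the comments. This is also why a generator of this form must never be used to produce secrets. Function names and the sample parameters are constructed for this illustration.

```python
# Added example (not from the post): the derivation above as code.
# A linear congruential generator steps S_{i+1} = A*S_i + B (mod m);
# given three consecutive outputs and a known modulus m, recover A and B.
# Names (lcg_step, recover_lcg_params, ...) and sample values are constructed.

from math import gcd

def lcg_step(s, a, b, m):
    """One generator step: A*s + B mod m."""
    return (a * s + b) % m

def is_recoverable(s1, s2, m):
    """The solution is unique only when S2 - S1 is invertible mod m,
    i.e. gcd(S2 - S1, m) == 1 (the caveat from the comments)."""
    return gcd((s2 - s1) % m, m) == 1

def recover_lcg_params(s1, s2, s3, m):
    """Return (A, B) with s2 = A*s1 + B and s3 = A*s2 + B (mod m).

    Subtracting the two congruences: s3 - s2 = A*(s2 - s1) (mod m),
    so A = (s3 - s2)*(s2 - s1)^(-1); this equals the question's
    (S2 - S3)(S1 - S2)^(-1) since numerator and denominator both flip sign.
    Then B = s2 - A*s1 from the first congruence.
    """
    if not is_recoverable(s1, s2, m):
        raise ValueError("S2 - S1 not invertible mod m: A is not unique")
    inv = pow((s2 - s1) % m, -1, m)   # modular inverse (Python 3.8+)
    a = ((s3 - s2) * inv) % m
    b = (s2 - a * s1) % m
    return a, b

def check_params(outputs, a, b, m):
    """True if (A, B) reproduce every transition in the observed outputs."""
    return all(lcg_step(x, a, b, m) == y for x, y in zip(outputs, outputs[1:]))

if __name__ == "__main__":
    # Constructed sample: hidden parameters A=17, B=43, modulus 101, seed 5.
    m, a_true, b_true = 101, 17, 43
    outs = [5]
    for _ in range(4):
        outs.append(lcg_step(outs[-1], a_true, b_true, m))
    a, b = recover_lcg_params(*outs[:3], m)
    print(a, b, check_params(outs, a, b, m))   # 17 43 True
```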