Score:1

Verify that x, y coordinates given as hex string are valid points on an Elliptic Curve


Given the following information:

"curve": "P-256",

"qx": "729C51D177EBE2079A0FB7B0B3C2145159CF81EC61960E642A1744719AA9F913",

"qy": "8C36BCF51475016E614F8C7E0CB1B37C7EA65B4ECCF809852C9B2D0E438710BD"

The above coordinates are supposedly valid as per the test vector expected results:

"testPassed": true

I need to determine if the above public key coordinates are valid points on the curve or not. I have tried converting the coordinates in Python into ints with:

>>> x = int("7C96DFF02F55B876A2A885A920E9FB5E30C6E1A4061A62517FD5C936A16AD363", 16)
>>> y = int("301ABC6B82DF5B6B6D3E8D56D7660D83A6E4F55E321BD2E57A5AC4A6A683374E", 16)

And then plugged those integer values into both of the following formulas:

y^2 = X^3 + 7 (secp256k1)

y^2 = x^3 - 3x + b where b is 41058363725152142129326129780047268409114441015993725554835256314039467401291

In neither case did the formula indicate that the values were valid.

Would anybody happen to know how I could go about validating these coordinates?

poncho
For P256; it's the $y^2 \equiv x^3 - 3x + b \pmod p$ formula. Did you remember to do the $\bmod p$ part?
factor2
Ah, I definitely had the formula wrong because I did leave out the mod p component. How can I get that component out of the x, y coordinates?
poncho
If you know that you're checking a P256 curve, that gives you the $p$ value.
factor2
Okay, I still end up getting the wrong value. After conversion, I get the following x and y values:

x = 56353365848849265321159620645865428036014544177922197398856507648435978687331
y = 21758255182490996347272889474463336439598185139152900800520689763795259832142

This gives me a (y^2) % 256 = 196 and a (x^3 - 3x + b) % 256 = 93. Is my constant b value wrong perhaps?
factor2
And with the first equation I get (x^3 + 7) % 256 = 66.
Ievgeni
Why are you doing %256? You're supposed to do %$p$.
factor2
Oh I assumed from the above comment that I was being dumb and that the p value would be the value of the curve (i.e. 256). I guess I was still being dumb. Could I get a link to the documentation that shows the p value?
kelalaka
@poncho the problem is this: the curve is not correct. It should be secp256r1. The current point is not on the curve secp256k1; it is on the curve secp256r1.
kelalaka
Now I can call this a dupe of this: [Verify that a point belongs to secp256r1](https://crypto.stackexchange.com/a/90154/18298)
factor2
Thank you Kelalaka, I did not realize I was on the wrong curve. Much appreciated
factor2
A brief glance looks like yes, it will. I haven't been able to test it as I got pulled into a meeting. Won't get back to it for another hour or so. I will mark it when I get back on it
factor2
Well, that was faster than expected. Yup, works with the secp256r1 curve
Score:0

As you wrote, you're supposed to check that $y^2 = x^3 + ax + b \bmod p$.

According to this source.

$$p = 2^{256}-2^{224}+2^{192}+2^{96}-1$$

Notice that the $256$ refers to the bit size of $p$, and not to $p$ itself.

factor2
A commenter above pointed out that I am on the wrong curve, but I want to thank you for the link to that documentation, good knowledge for me to read through in general
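
The check this thread converges on, written out as an added example (it is not code from the question or from any answer): reduce both sides modulo the field prime $p$ of the named curve, after confirming the coordinates are in range. The names `CURVES` and `is_on_curve` are hypothetical, and the secp256k1 prime and the P-256 base point are the standard published constants, not values from this page.

```python
# Added example: on-curve check for public-key coordinates given as hex strings.
CURVES = {
    # NIST P-256 (secp256r1): y^2 = x^3 - 3x + b (mod p)
    "P-256": {
        "p": 2**256 - 2**224 + 2**192 + 2**96 - 1,
        "a": -3,
        "b": 41058363725152142129326129780047268409114441015993725554835256314039467401291,
    },
    # secp256k1: y^2 = x^3 + 7 (mod p); standard prime, not given on the page
    "secp256k1": {"p": 2**256 - 2**32 - 977, "a": 0, "b": 7},
}


def is_on_curve(curve: str, qx_hex: str, qy_hex: str) -> bool:
    """Return True if (qx, qy) is an affine point on the named curve."""
    params = CURVES[curve]
    p, a, b = params["p"], params["a"], params["b"]
    try:
        x, y = int(qx_hex, 16), int(qy_hex, 16)
    except ValueError:
        return False  # not a hex string
    # Coordinates must be reduced field elements: 0 <= x, y < p.
    if not (0 <= x < p and 0 <= y < p):
        return False
    # Reduce modulo the field prime p, not modulo the bit size 256.
    return (y * y - (x * x * x + a * x + b)) % p == 0


# Standard P-256 base point G, used here as a known-good input.
P256_GX = "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
P256_GY = "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"

if __name__ == "__main__":
    # The two coordinate pairs that appear in the question.
    pairs = {
        "test vector": ("729C51D177EBE2079A0FB7B0B3C2145159CF81EC61960E642A1744719AA9F913",
                        "8C36BCF51475016E614F8C7E0CB1B37C7EA65B4ECCF809852C9B2D0E438710BD"),
        "python session": ("7C96DFF02F55B876A2A885A920E9FB5E30C6E1A4061A62517FD5C936A16AD363",
                           "301ABC6B82DF5B6B6D3E8D56D7660D83A6E4F55E321BD2E57A5AC4A6A683374E"),
    }
    for name, (qx, qy) in pairs.items():
        for curve in CURVES:
            print(f"{name:15s} {curve:10s} on curve: {is_on_curve(curve, qx, qy)}")
```

Both curves named in the thread have cofactor 1, so for them the range check plus the curve equation is the whole affine-point check; no separate subgroup test is needed.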