Join Log in
Score:3
avatar Crypto

Can one find the GCD of two points on a curve?

ca flag
Colton

Mathematically is it possible to find the GCD of two points on a prime curve, one of them not being the order as you do in Extended Euclidean Algorithm?

159
0 + 0
poncho avatar
my flag
poncho
What would 'the GCD of two points on a prime curve' mean?
2
Reply
meshcollider avatar
gb flag
meshcollider
There is no such thing as "division" or "multiplication" of points on a curve, so there can also be no "greatest common divisor"
2
Reply
Score:3
fgrieu avatar Crypto
ng flag
fgrieu

TLDR: If we specialize a generator point $G$ of an Elliptic Curve group of prime order, we can consistently define the GCD of two points for that generator. But we can't efficiently find it for arbitrary points and a group of cryptographic interest, where the Discrete Logarithm Problem is hard.

Before finding something, we must know what it is. Hence poncho's sub-question:

What would 'the GCD of two points on a prime curve' mean?

GCD stands for Greatest Common Divisor. Thus we need to define three notions

  • What a "prime curve" is. In this, curve stands for Elliptic Curve. And prime is a property of either
    • the base finite field's order (that prime order is often noted $p$, and then the field is simply the integers modulo $p$);
    • the curve's order, that is how many elements in the finite group of points of the curve, including the neutral;
    • or the order of a subgroup of the curve (then often noted $n$, as we'll do).
  • The notion of "divisor" of a point of a prime elliptic curve, which we'll assume is a point of the elliptic curve with some property to be defined.
  • The notion of "greatest" among points of an elliptic curve.

We can define such things consistently! We posit that a "prime curve" is some subgroup of prime order $n$ of an elliptic curve (perhaps the whole curve, which can use a prime field; e.g. secp256k1, secp256r1), and $G$ a given point of the curve / an element of the group, other than the neutral. Now the set of $n$ integers in $[0,n)$ is isomorphic to the curve, by the trivial isomorphism $i\mapsto i\,G$ defined as usual: $0\,G$ is the group's neutral, $i\,G$ is $((i-1)\,G)+G$ for any $i\in[1,n)$ with $+$ the group's law.

We can define "divisor" and "greatest" on the set $[0,n)$. And we can define the GCD of two elements of that set (together with the somewhat arbitrary $\gcd(0,0)=0$ ). Then we can use this isomorphism to define the Greatest Common Divisor of two points of an Elliptic Curve Group of prime order provided with a generator point $G$.

In other words, I define the GCD of points $P$ and $Q$ as the point which matching private key (for generator $G$) is the GCD of the private keys matching $P$ and $Q$, with matching private key an integer in $[0,n)$.

If we can efficiently solve the Discrete Logarithm Problem in the group considered, then we can efficiently compute the GCD (we solve two DLP, compute the GCD of the integers, and get back to the curve).

Update: the converse is true to some degree. If we can efficiently compute the GCD of any two points $P$ and $Q$, then we can use that algorithm to efficiently compute the Discrete Logarithm $i$ of any $P$. Sketch: we select the first primes $r_j$ until $n<\prod r_j$, and for each $j$ we find $i\bmod r_j$ by asking for the GCD of $(P+k\,G,r_j\,G)$ which is either $G$ or $r_j\,G$, in the later case revealing that $i+k\equiv0\pmod{r_j}$. Then we find $i$ by the Chinese Remainder Theorem. Optimizations are possible to group a sizable number of queries into one. E.g. submits $(P+k\,G,30\,G)$ and tests if the result is $G$, $2\,G$, $3\,G$, $5\,G$, $6\,G$, $10\,G$, $15\,G$ or $30\,G$. Further reductions are possible by computing the discrete logarithm of the oracle's output using variants of Baby-Step/Giant-Step.

I don't know any application, in cryptography or otherwise.

0 + 0
meshcollider avatar
gb flag
meshcollider
So you interpret it as the GCD of the "secret keys"?
1
Reply
fgrieu avatar
ng flag
fgrieu
@meshcollider : in essence yes, and I stole your formulation in a revision of the answer, with a reword such that the GCD of points is a point.
1
Reply
poncho avatar
my flag
poncho
Two things: 1) such a definition of "GCD of two points" would be dependent on what $G$ is" (if we select a different $G$, the GCD of two points is different) 2) given a function that computes the GCD as specified, one can compute DLog's efficiently (hence it is no easier than the DLog problem)
1
Reply
fgrieu avatar
ng flag
fgrieu
@poncho: 1) yes, and I took care to state it with "provided with a generator point $G$" (tentative translation of _muni d'un générateur_, which would have the desired meaning in French, but I don't know if it's understandable in English). 2) Thanks, at first I did not knew. I updated the answer with a proof, but it's not tight: it requires that we can efficiently compute the GCD of any two points $P$ and $Q$. I wonder if this can be improved, and how.
0
Reply
Score:2
G. Stergiopoulos avatar Crypto
lu flag
G. Stergiopoulos

The short version is that you cannot define the GCD of points since that would require to first define an explicit notion of comparison of their ordered sequence, I.e. a way to test for $[k]P > [j]P , k>j$ and $P \in E$, where $E$ is the set of points defined by your elliptic curve and respective generator $P$.

Such an order comparison relates to the notion of distance between $[k]P$ and $[j]P$ inside the defined space. Concerning the distances in a finite field with p elements $F_p$ where $E$ is defined, unfortunately we are not able to compare distance in any way in $F_p$.

As Silverman has stated, there is a good way to define the distance between elements in $Z_p$ and $Q_p$, but there is not a good way to define the distance between elements of $F_p$, nor for points on elliptic curves whose coordinates are in $F_p$.

There is a natural map $E(Q_p) to  E(F_p)$ but unfortunately there is not really any good inverse map. Silverman discusses this in the following paper, in the context of trying to lift and then use the lift to solve the ECDLP.

Lifting and elliptic curve discrete logarithms, Selected Areas of Cryptography (SAC 2008), Lecture Notes in Computer Science 5381, Springer--Verlag, Berlin, 2009, 82-102.

0 + 0
kodlu avatar
sa flag
kodlu
does your answer contradict the other answer? please comment
0
Reply
G. Stergiopoulos avatar
lu flag
G. Stergiopoulos
Two things. First, I provide a clear answer to the original question as to why you cannot create a proper algorithm for the GCD, by explaining why/how you cannot transfer the Euclidean algorithm to the ellipctic curve group over a finite field due to lack of proper definition of distance. I believe that this is not provided by the first answer which elaborates on how an algorithm could be, but does not actually provide an answer if this can indeed happen or not. [continued]
1
Reply
G. Stergiopoulos avatar
lu flag
G. Stergiopoulos
[continued] Second, I argue that you cannot _define_ the GCD of two points as stated in previous answer since a definition needs to be rigorously exact based on specific sets/laws which I outline here: That is, since distance or ordered element comparison cannot be defined, then the previous answer is not a definition but a theory (albeit a thoughtful one).
0
Reply
kodlu avatar
sa flag
kodlu
thank you for your extensive comments
0
Reply
poncho avatar
my flag
poncho
Also, if we do have a way, given $[j]G$, $[k]G$, determine whether $j > k$, we can use that to efficiently compute discrete logs (using binary search) - hence, we hope that is a hard problem.
2
Reply
G. Stergiopoulos avatar
lu flag
G. Stergiopoulos
Correct @poncho. But I am pretty sure, as I explained in my answer, that (at least this problem) is definitely not solvable using known transformations.
0
Reply
fgrieu avatar
ng flag
fgrieu
I agree we can't define a distance, or divisor, hence GCD, on an elliptic curve _alone_. But we can if we add a generator point $G$ (implying it's a curve of prime order). The distance between $P$ and $Q$ on the curve is the smallest integer $d\in[0,\lfloor n/2\rfloor)$ such that $P=Q+d\,G$ or $Q=P+d\,G$. $P$ divides $Q$ with $P/Q=R$ iif exists $u,v,w\in[0,n)$ with $P=u\,G$, $Q=v\,G$, $R=w\,G$, $v\ne0$, and $u=v\,w$.
0
Reply
G. Stergiopoulos avatar
lu flag
G. Stergiopoulos
We cannot define distance even by using the generator as a reference point. Let me explain. What you are describing is a notion of distance on the _scalar_ multipliers, which is not the same as the distance of two points. The GCD of points on the curve requires the notion of comparison on the plane. Effectively, comparing the scalar is some sort of a transformation on this. But as I explain in my answer, at least up until know, distance measurements in complex or integer planes in finite fields is impossible and this is the real reason why your scalar comparison cannot define a GCD on curves
0
Reply
fgrieu avatar
ng flag
fgrieu
I don't see anything wrong with the definition I give in my answer, or in my previous (expanded) comment. [updated]: I agree this is _not_ a GCD on the curve, but a GCD on the curve taken with a specific generator. I agree there is no efficient way to compute this GCD, contrary to a normal GCD, unless the DLP is easy for the group considered. And I agree I see no application to the notion.
1
Reply
G. Stergiopoulos avatar
lu flag
G. Stergiopoulos
It’s not about your answer being wrong, your algorithmic approach is sound in theory. I answer as to *why* you cannot find a way to use your approach to actually create a working GCD, the underlying mathematical reason due to geometry limitations and what an expert in the field (Silverman) did in his search for this answer. Effectively, my mathematical argument is what Silverman said about distance. My second argument is that your answer is a theoretical algorithm and not a definition of GCD as explained in previous comment.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.