Deriving the Lambda and Beta Values of Endomorphism on the Secp256k1 Curve
The secp256k1 curve is a popular choice for cryptographic applications due to its security and efficiency. One of the key aspects of this curve is endomorphism, which refers to the mapping from one point on the curve to another. In this article, we will examine how to derive the lambda (λ) and beta (β) values for endomorphisms on the secp256k1 curve.
Background
You may recall that a few years ago, Hal Finney shared some information about his experience working with the Bitcoin development team. According to Finney, he noticed that certain values associated with the secp256k1 curve were particularly important for cryptographic purposes. Specifically, he mentioned lambda and beta as two such values.
The formula
To derive lambda (λ) and beta (β), we need to use a special formula:
λ^3 (mod N) = 1
β^3 (mod P) = 1
where λ and β are the values of the secp256k1 curve, and N and P are the norm and prime factors of the infinite point (P) for endomorphisms.
Calculating lambda (λ)
To calculate λ, we need to find a primitive cube root modulo N. We can do this using the extended Euclidean algorithm or other methods. Once we have found λ, we can use it to construct an endomorphism on the secp256k1 curve.
Calculating beta (β)
Similarly, to calculate β, we need to find a primitive cube root modulo P. There are also several methods available, such as the norm or prime factors of P.
Example
Let’s look at a simple example to illustrate how the calculations work. Suppose we have an endomorphism that maps a point at infinity (P) onto itself. In other words, we want:
λ^3 = 1
β^3 = 1
To solve this equation, we can first try out some values of λ and β.
For example, consider the following possible values:
- For λ: 0, 1, -1 or any other primitive cube root modulo N
- For β: 0, 1, -1 or any other primitive cube root modulo P
Through trial and error, we find that one possible solution is:
λ = 2^(-3) (mod N)
β = 2^(-3) (mod P)
Conclusion
Deriving the values of lambda and beta for endomorphisms on the secp256k1 curve involves finding the primitive cube roots modulo N and P. These calculations can be complicated, but there are various methods available to simplify them. By following these steps, you should be able to calculate the necessary values for your specific cryptographic needs.
References
- Hal Finney, “The Endomorphism on the secp256k1 Curve” (bitcointalk post)
- Various online sources and documentation for the secp256k1 curve.