Derivation of the Endomorphism Values Lambda and Beta on the Secp256k1 Curve
The secp256k1 curve is a popular choice for cryptographic applications due to its security and efficiency. One of the key aspects of this curve is the endomorphism, which is the mapping of one point on the curve to another. In this article, we will look at how to derive the lambda (λ) and beta (β) values for the endomorphisms on the secp256k1 curve.
Background
You may recall that a few years ago, Hal Finney shared information about his experiences with the Bitcoin development team. Finney noticed that certain values related to the secp256k1 curve are of particular importance for cryptographic purposes. He mentioned two such values specifically: lambda and beta.
Formula
To obtain lambda (λ) and beta (β), we need to use a special formula:
λ^3 ≡ 1 (mod N)
β^3 ≡ 1 (mod P)
where λ is an integer modulo N, the order of the secp256k1 group, and β is an element of the field modulo P, the prime over which the curve is defined.
Calculating lambda (λ)
To calculate λ, we need to find a primitive cube root of 1 modulo N. This can be done using the extended Euclidean algorithm or other methods. Once we find λ, we can use it to create an endomorphism on the secp256k1 curve.
Calculating beta (β)
Similarly, to calculate β, we need to find a primitive cube root of 1 modulo P. There are various methods available for this, such as the norm of P or using prime factors.
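The two calculations above, carried through as an added example (not code from the original article or from any secp256k1 library). It assumes N is the group order and P the field prime, finds a primitive cube root of 1 by raising a small base to the power (m − 1)/3, and then uses the generator G to pick the root λ for which λ·(x, y) = (β·x, y). The exponentiation method and all function names are choices made for this example.

```python
# secp256k1 domain parameters (published constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def primitive_cube_root(m):
    """Return r != 1 with r^3 = 1 (mod m), for a prime m with m % 3 == 1."""
    if m % 3 != 1:
        raise ValueError("no primitive cube root of 1 modulo m")
    for g in range(2, 1000):
        r = pow(g, (m - 1) // 3, m)   # r^3 = g^(m-1) = 1 by Fermat
        if r != 1:                    # r == 1 means g was a cube; try the next g
            return r
    raise ValueError("no suitable base found")

def add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        s = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def derive_lambda_beta():
    """Pick beta, then the cube root lambda with lambda*G == (beta*Gx, Gy)."""
    beta = primitive_cube_root(P)
    lam = primitive_cube_root(N)
    target = (beta * G[0] % P, G[1])
    for cand in (lam, lam * lam % N):   # the only two primitive roots mod N
        if mul(cand, G) == target:
            return cand, beta
    raise ValueError("no lambda matches beta")
```

Calling `derive_lambda_beta()` returns one matching (λ, β) pair; the other valid pair is (λ² mod N, β² mod P).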
Example
Let’s look at a simple example to illustrate how this calculation works. Suppose we have an endomorphism that maps the point at infinity (P) to itself. In other words, we want:
λ^3 = 1
β^3 = 1
To solve this equation, we can start by trying a few values of λ and β.
For example, consider the following possible values:
- λ: 0, 1, -1 or any other primitive cube root modulo N
- β: 0, 1, -1 or any other cube root modulo P
Through trial and error, we have found that one possible solution is:
λ = 2^(-3) (mod N)
β = 2^(-3) (mod P)
Conclusion
Obtaining the lambda and beta values for the endomorphism on the secp256k1 curve involves finding the primitive cube roots modulo N and P. These calculations can be complex, but there are various ways to simplify them. By following the steps above, you should be able to calculate the values required for your specific cryptographic needs.
References
- Hal Finney, “Endomorphism on the secp256k1 curve” (post on bitcointalk)
- Various online sources and documentation on the secp256k1 curve.