I'm reading the spending section of BIP47:
Alice calculates a scalar shared secret using the x value of S: s = SHA256(Sx). If the value of s is not in the secp256k1 group, Alice MUST increment the index used to derive Bob's public key and try again.
Where S is a point on the elliptic curve and s is an integer to be used as a private key in subsequent sections.
My question is
s to be in a group of points?
I believe it simply means: if s, when interpreted as an integer, is larger or equal to the curve order, one needs to restart and increment. The probability for this happening is negligible, as the curve order for secp256k1 is very close to 2256.
For any curve over any field, algebraic geometers are interested in an associated group called the Picard group. It is a certain quotient of the free abelian group on points of the curve. It consists of formal sums of points on the curve modulo those formal sums that come from looking at the zeroes and poles of rational functions. It is a very important tool in the study of algebraic curves. Why is an elliptic curve a group?
The smaller p2pkh addresses in Bitcoin are derived from a larger public key. This key is made from a scalar private key, the public key is basically an x and y coordinate on the secp256k1 elliptic curve derived from the scalar private key. If the private key is not within the curve group you cannot derive a valid x and y coordinate aka public key from it.
In the case you presented s, the scalar shared secret, needs to be within the elliptic curve group because they are deriving a public key that someone could claim funds with from s.
Deeper explanation: What is the math behind Bitcoin's elliptic curve?
Edit: The scalar and the curve order are integers, their elements are points.
"If the private key is not within the curve group you cannot derive a valid x and y coordinate aka public key from it."
I understand that secp256k1 forms a group. But the elements of this group are a set of planar points: (x,y). The private key s is a scalar/integer. What I do not understand is that how could an integer be part of a set whose elements are not integers but rather a bunch of ordered pairs (x,y).
Q = G+G+…+G [k-times] = kG
Now secp256k1 is defined as
y² = x³+7 mod P
where P is
P = 2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1
In secp256k1, the base point is G(Gx,Gy), where
Gx = 550662...
Gy = 326705...
The addition of two points is defined as
P + Q = R
(xp, yp) + (xq, yq) = (xr, yr)
Which works out to be
xr = (yq - yp) / (xq - xp) - xp - xq
yr = ((yq - yp) / (xq - xp)) × (xp - xr) - yp
2 is not in the set {(1,2),(4,5),...}. How do I even check that? How do you compare an integer to a pair?
– Merri
Feb 07 '23 at 06:55
if s, when interpreted as an integer, is larger or equal to the curve order, one needs to restart and increment. So effectively the curve order is representable as an integer and s is interpreted as an integer, that means it can also be represented as a curve point as well.
– Poseidon
Feb 07 '23 at 15:25
mod nin case the integershappens to be greater thann? (nbeing the order of the group) – Merri Feb 07 '23 at 16:340...(2^256-N); the authors may have taken this from BIP32 which has a similar rule (which I'm the author of). In retrospect, this is dumb, because the number is so close to 2^256 that hitting a number in that range at all (much less resulting in an observable bias) only has a negligible probability. – Pieter Wuille Feb 07 '23 at 16:46sto the bitlength ofn(instead of comparing the numerical value). Do you have any comments on that?Impl 1 and, Impl 2
– Merri Feb 08 '23 at 05:13