0

As far as I understand, secp256k1 is defined over the group p with

p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

I don't really understand how out-of-bounds values are handled, in particular with the homomorphism of the commitments. Assume I commit to the value 5, which would be $G + G + G + G + G$, and then commit to the value p + 5, which would be $(p+5)G$. Will those be the same commitment?

Based on this assumption I have implemented the following JavaScript code (using the elliptic library):

```javascript
it('Test mult property of commitments', () => {
    const T1 = ec.g.mul(secp256k1.p + 5n);
    const T2 = ec.g.mul(Maths.mod(secp256k1.p + 5n, secp256k1.p));
    const T3 = ec.g.mul(5n);
    assert(T1.eq(T2));
    assert(T2.eq(T3));
});
```

In this example, T2 and T3 are the same, but T1 is different, so it seems like my assumption is incorrect. Does this mean I can commit to values greater than p?

2 Answers

3

You are confusing the prime $p$ over which the curve is defined (the coordinates of the points are all defined mod $p$) with the prime $q$ which is the curve cardinality and is also prime.

We have $qG = G + \ldots + G = \infty$ the neutral element (like $0$ with the addition with numbers).

Taking your example, you have: $T_1 = (p+5)G$ and $T_2 = 5G$. Of course it is not the same since $p + 5 \not\equiv 5 \bmod q$.

You will find the value $q$ somewhere in the parameters of the curve and if you replace $p$ with $q$, the equality will hold.

2

According to Recommended Elliptic Curve Domain Parameters, the Koblitz curve secp256k1 is defined by $T = (p, a, b, G, n, h)$:

  • $p$ defines the finite field $\mathbb{F}_p$,

    $p=2^{256} - 2^{32} - 2^{9} - 2^8 - 2^7 - 2^6 - 2^4 - 1$ or in hex

    FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

  • The curve $E: y^2 = x^3 + ax + b$ over $\mathbb{F}_p$ is defined by:

  • a = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

  • b = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000007
  • Base point $G$ in compressed form 0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798

    and in uncompressed form 04079BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

  • The order $n$ of $G$, i.e. $[n]G = \mathcal{O}$, where $\mathcal{O}$ is the point at infinity, or the identity element in the additive elliptic curve group.

    FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C

  • The cofactor $h$ is 01

When you add an element according to the group law, if one of the coordinates exceeds $p$, take it mod $p$.

For the scalar, you can use $\bmod n$:

$$[x]G = [x \bmod n]G$$

In your case, we can see it in this way, too.

$$[n+5]G = [5]G + [n]G = [5]G + \mathcal{O} = [5]G $$

kelalaka
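Both answers can be checked without any library. The following is an added example, not code from the question or from either answer: a small BigInt implementation of secp256k1 arithmetic showing that scalars wrap modulo the group order (called $q$ in the first answer and $n$ in the second) and not modulo $p$. The helper names (`mod`, `inv`, `add`, `mul`, `eq`, `demo`) are made up for this sketch, and `N` is the full group order from SEC 2.

```javascript
// secp256k1 domain parameters (SEC 2). P is the field prime, N the order of G.
const P = 2n ** 256n - 2n ** 32n - 977n;
const N = BigInt('0x' + 'FFFFFFFF'.repeat(3) + 'FFFFFFFE' + 'BAAEDCE6AF48A03BBFD25E8CD0364141');
const G = {
  x: 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
  y: 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n,
};
const INF = null; // point at infinity (identity element)

const mod = (a, m) => ((a % m) + m) % m;

// Modular inverse in F_P via Fermat's little theorem: a^(P-2) mod P.
function inv(a) {
  let r = 1n, b = mod(a, P), e = P - 2n;
  for (; e > 0n; e >>= 1n, b = (b * b) % P) if (e & 1n) r = (r * b) % P;
  return r;
}

// Affine point addition on y^2 = x^3 + 7 (a = 0); coordinates are reduced mod P.
function add(A, B) {
  if (A === INF) return B;
  if (B === INF) return A;
  if (A.x === B.x && mod(A.y + B.y, P) === 0n) return INF; // A + (-A)
  const s = A.x === B.x
    ? mod(3n * A.x * A.x * inv(2n * A.y), P) // tangent slope (doubling)
    : mod((B.y - A.y) * inv(B.x - A.x), P);  // chord slope
  const x = mod(s * s - A.x - B.x, P);
  return { x, y: mod(s * (A.x - x) - A.y, P) };
}

// Double-and-add WITHOUT reducing k first, so any wrap-around comes from the group itself.
function mul(k, Q = G) {
  let R = INF;
  for (; k > 0n; k >>= 1n, Q = add(Q, Q)) if (k & 1n) R = add(R, Q);
  return R;
}

const eq = (A, B) => (A === INF || B === INF) ? A === B : (A.x === B.x && A.y === B.y);

// The comparisons from the question, plus the ones the answers predict.
function demo() {
  return {
    pPlus5: eq(mul(P + 5n), mul(5n)),              // false: P is not the group order
    nPlus5: eq(mul(N + 5n), mul(5n)),              // true: [N+5]G = [5]G + [N]G = [5]G
    nTimesG: mul(N) === INF,                       // true: [N]G is the identity
    reduced: eq(mul(P + 5n), mul(mod(P + 5n, N))), // true: scalars reduce mod N
  };
}
console.log(demo());
```

For commitments this means a value $v$ and $v + n$ map to the same point, so committed values are only distinguishable within the range $[0, n)$.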