-2

In ECDSA, let $G$ be the base point and $P$ a public key with the corresponding private key $k$. $G_2$ is another base point, and $k_2$ is another private key. $P$ and all variables except $k$ are known.

Consider the following system of equations:

$$\begin{align}[k]\,G &= P\\ [k_2]\,G_2 &= P\end{align}$$

Givens:

  • $G = (G_x,G_y)$ (Constant)

  • $P = (P_x,P_y)$

  • $k_2 = 11$

  • $G_2 =({G_2}_x,{G_2}_y)$

Question: what is the symbolic solution for calculating $k$ from $k_2$, $G_2$ and maybe $P$?

kelalaka
Donald
  • 1
    I’m voting to close this question because it seems unrelated to cryptography. – Maeher Aug 12 '20 at 01:01
  • The question is not necessarily clear. One possible symbolic solution is $[k] = P/G$. (i.e. $k$ is the discrete log of $P$ relative to base $G$ if we were writing this multiplicatively.) I'm assuming that's not the one you're looking for. I guess you mean one that can be efficiently evaluated? What is $n$? If $n$ is an unknown random number, then there's no information whatsoever in $j_2,k_2$. For any pair $j_2,k_2$ there exists an $n$ such that the equation holds. – Maeher Aug 12 '20 at 13:23
  • If $j_2$ is another point then the second equation is still problematic since we cannot multiply points. I think you are still in the context of ChainOfFools/CurveBall Attack, that actually I wrote it for you. – kelalaka Aug 12 '20 at 15:25

1 Answer

2

I'm answering the question with the equations as they stand in Rev 18. I'll assume $G$ and its order $n$ are known (that's not stated).

What is the symbolic solution for calculating $k$ from $k_2$, $G_2$ and maybe $P\,$?

If the point multiplications in the question are on a secure curve, and no relation is known between $G$ and $G_2$, then we can't find $k$ as asked. That would be solving a discrete logarithm problem. There is nothing in the question suggesting an insecure curve.


However, we can compute a $G_2$ so that $P$ is a valid private key for known public key $k_2$, and that could enable an attack if a target can be convinced that a certificate for public key $P$ intended for generator $G$ really is for generator $G_2$.

The idea is to choose $G_2=[i]\,P$ for some appropriate integer $i$, selected so that the desired $[k_2]\,G_2=P$ holds. That goes:

  • Replacing $G_2$ in $[k_2]\,G_2=P$ with its value from $G_2=[i]\,P$, we get $[k_2]\,([i]\,P)=P$
  • Change that to $[k_2\,i]\,P=P$ (that follows from definition of point multiplication as repeated addition, and associativity of point addition: adding $i$ copies of $P$, then $k_2$ copies of the outcome, yields the same thing as adding $k_2\,i$ copies of $P$)
  • It holds $[-1]\,P=-P$ (where the second $-$ is the opposite for point addition on the curve).
  • We add the two equations and get $([k_2\,i]\,P)+([-1]\,P)=P+(-P)$ (where $+$ is point addition on the curve)
  • We apply distributivity of scalar multiplication w.r.t. point addition, and that $P+(-P)=\infty$ by definition of the identity element for point addition, and get $([k_2\,i-1]\,P)=\infty$
  • By definition of the order $n_P$ of point $P$ on the curve, that's equivalent to $k_2\,i-1\equiv0\pmod{n_P}$.
  • Since $[k]\,G=P$ for some (unknown) $k$, $n_P$ must divide the order $n$ of point $G$ on the curve (in practice $n$ is a known prime number, thus $n_P=n\,$).
  • It is thus enough to choose $i$ such that $k_2\,i-1\equiv0\pmod n$, that is $i\equiv{k_2}^{-1}\pmod n\,$.

Wrapping up: we compute $i={k_2}^{-1}\bmod n\,$, then compute $G_2=[i]\,P$ by point multiplication. Again, $n$ is the order of $G$ on the Elliptic Curve considered, and generally given with the definition of the curve. Integer $i$ is the multiplicative inverse of $k_2$ modulo $n\,$, and can be computed using the extended Euclidean algorithm. In Python 3.8 and later, that can be computed as `i = pow(k2,-1,n)`.


Note: if we had the choice of $k_2$, we could more simply choose $k_2=1$ and $G_2=P\,$; or alternatively $k_2=(n-1)/2$ and $G_2=P+P\,$.

fgrieu
  • This is exactly the CurveBall, ycombinator has already a sage code that probably you already know. So, what is your actual problem? Can't you use the code? – kelalaka Aug 12 '20 at 21:43
  • 1
    @Donald The $k_2$ is kprime and a random element on the base field. Then `Gprime = ZZ(kprimeinv) * Q` (your $G_2$) is calculated with this. https://news.ycombinator.com/item?id=22059900 – kelalaka Aug 12 '20 at 22:56
  • Kelalaka, please read my answer again, I need a k, not k_2 !!! – Donald Aug 12 '20 at 23:08
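The relation derived in the answer, $G_2=[{k_2}^{-1} \bmod n]\,P$, checked numerically together with the generator comparison a verifier needs when curve parameters are supplied explicitly. This is an added example, not code from the post or its comments; the toy curve, the stand-in private key `k = 5` and all function names are assumptions made for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1) of prime order n = 19
# (assumed textbook parameters, not from the post). None is the point at infinity.
p, a, n = 17, 2, 19
G = (5, 1)

def add(A, B):
    """Affine point addition on the toy curve."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # A + (-A) = infinity
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication [k]A."""
    R = None
    while k > 0:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def forged_generator(P, k2):
    """G2 = [k2^-1 mod n] P, as derived in the answer."""
    return mul(pow(k2, -1, n), P)

def key_matches(pub, priv, gen):
    """True if [priv]gen == pub: all a naive verifier would check."""
    return mul(priv, gen) == pub

def generator_is_standard(gen):
    """Check a verifier needs when parameters are supplied explicitly."""
    return gen == G

k = 5                      # constructed stand-in for the unknown private key
P = mul(k, G)              # public key under the standard generator
K2 = 11                    # k_2 from the question
G2 = forged_generator(P, K2)
print("G2 =", G2, "| [k2]G2 == P:", key_matches(P, K2, G2),
      "| standard generator:", generator_is_standard(G2))
```

The pair $(k_2, G_2)$ satisfies the key equation without $k$ ever being used to build it, so only the comparison of the supplied generator against the curve's standard $G$ separates it from the legitimate key.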