
Given an elliptic curve with generator $G$, is it possible to generate a random point on the curve $Q = a \cdot G$ without knowing the secret value $a$ that generated it? Note that just using an $a$ to generate $Q$, and then "throwing away" $a$ (forgetting about it) isn't a valid solution. Also note that $Q$ should be uniformly distributed over all valid values (i.e. as if $a$ was chosen uniformly between 0 and $n-1$).

A toy application I have is about making some "fake" Diffie–Hellman secret exchanges, where 1 party can't get to the secret because they don't know their key $a$ (and weren't just trusted to "throw away" the value of $a$ after generating $Q$). This is all to ultimately enable "playing poker over the phone".

chausies

2 Answers


Pick a random $x$ value. Calculate $y^2 = x^3+ax+b \bmod p$. Then try to form $y$ by taking the square root $\bmod p$. If the square root fails then no $(x,y)$ pair exists on the curve. If the square root works, flip a coin; if tails form $y = p-y \bmod p$.

This is how public key compression works. Only the low bit of $y$ is saved. Form $y^2$, take the square root (which had better work). If the low bit of $y$ is wrong then form $y = p-y$.

Raoul722
Mike Kaye
  • In general, for elliptic curves used in cryptography, the generator $G$ does not generate all possible points on the curve. So you need to multiply your point by the cofactor, which you forgot to mention – Manish Adhikari Apr 01 '21 at 08:07
  • Also: the method uses "rejection sampling". It's hard to make a constant-time implementation of that, and some state that it might matter in the context (ask them why, not me; I've learned the hard way that when there's a requirement in a standard, the path of least resistance is to comply when possible, even if the rationale is unstated, lost, and the requirement demonstrably not useful in the situation at hand). – fgrieu Apr 01 '21 at 08:14

The procedure that Mike Kaye suggested works; the other method would be to select a random value, and then use a Hash-to-Curve method to translate that random value to a point; they have been designed so that the order of that generated point is unknown.

poncho
  • There's room for expanding the answer on Hash-to-Curve. I find it nontrivial to extract the method(s) from the linked draft RFC. Also, the RFC "first hashes the input byte string to produce a uniformly random byte string", which silently assumes the input varies and is not handpicked, something I haven't found stated nearby, thus I'm not taking for granted that the rest is airtight. – fgrieu Apr 01 '21 at 06:36
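The following is an added worked example (not code from any of the posters) that puts both answers and the cofactor comment together: Mike Kaye's rejection sampling on a random $x$ with a coin-flipped sign, the public-key decompression he describes, Manish Adhikari's cofactor multiplication so the result lies in $\langle G\rangle$, and, in the spirit of poncho's answer, a deterministic hash-to-point built by the naive try-and-increment method (it is not one of the constant-time maps in the IETF hash-to-curve specification, which is what poncho links to). The secp256k1 constants are the public standard parameters; the curve over $\mathbb{F}_{23}$, the function names, and the sample message are my own constructions for illustration. Only the $p \equiv 3 \pmod 4$ square root is implemented, which both curves satisfy.

```python
# Example code added to this page (not from any poster): rejection sampling on x as in
# Mike Kaye's answer, cofactor clearing as in Manish Adhikari's comment, and a naive
# try-and-increment hash-to-curve in the spirit of poncho's answer.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity

@dataclass(frozen=True)
class Curve:
    """y^2 = x^3 + a*x + b over F_p; G generates a subgroup of prime order n; h is the cofactor."""
    p: int
    a: int
    b: int
    G: Tuple[int, int]
    n: int
    h: int

# Public secp256k1 parameters (cofactor 1: every curve point is a*G for some a).
SECP256K1 = Curve(
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
    a=0, b=7,
    G=(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
    h=1)
# Constructed toy curve with 28 points = 4 * 7: G = (13, 16) has order 7, cofactor 4.
TOY = Curve(p=23, a=1, b=1, G=(13, 16), n=7, h=4)

def rhs(c, x):
    return (pow(x, 3, c.p) + c.a * x + c.b) % c.p

def on_curve(c, P):
    return P is None or (P[1] * P[1] - rhs(c, P[0])) % c.p == 0

def add(c, P, Q):
    """Affine point addition (textbook formulas, not constant time)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None  # P == -Q, which also covers doubling a point with y == 0
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def mul(c, k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k > 0:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R

def sqrt_mod(c, v):
    """Square root mod p for p = 3 (mod 4); None when v is a non-residue."""
    assert c.p % 4 == 3, "Tonelli-Shanks would be needed for other primes"
    r = pow(v, (c.p + 1) // 4, c.p)
    return r if r * r % c.p == v % c.p else None

def decompress(c, x, y_is_odd):
    """Public-key decompression as in the answer: rebuild y from x and its low bit."""
    y = sqrt_mod(c, rhs(c, x))
    if y is None:
        raise ValueError("no curve point has this x")
    return (x, c.p - y if bool(y & 1) != y_is_odd else y)

def random_point(c, rng=None):
    """Mike Kaye's method: random x, try the square root, coin-flip the sign (about half
    of all x are rejected).  The point is uniform over the affine points and nobody learns
    its discrete log; multiplying by the cofactor (Manish Adhikari's comment) puts it in <G>."""
    rng = rng or secrets.SystemRandom()
    while True:
        x = rng.randrange(c.p)
        y = sqrt_mod(c, rhs(c, x))
        if y is not None:
            if rng.getrandbits(1):
                y = (-y) % c.p
            return mul(c, c.h, (x, y))

def hash_to_point(c, msg, max_tries=256):
    """Naive try-and-increment hash-to-curve: x = SHA-256(msg || ctr) mod p until a point
    exists, sign bit taken from the hash, cofactor cleared.  Deterministic, so a fixed msg
    gives a fixed point with unknown discrete log.  NOT one of the constant-time maps of the
    IETF hash-to-curve specification that poncho refers to; illustration only."""
    for ctr in range(max_tries):
        d = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(d, "big") % c.p  # tiny modulo bias, negligible for secp256k1
        try:
            return mul(c, c.h, decompress(c, x, bool(d[0] >> 7)))
        except ValueError:
            continue
    raise RuntimeError("no point found; vanishingly unlikely for a sane curve")
```

The check that matters for the question is `mul(c, c.n, Q) is None`: on secp256k1 it holds for every curve point because the cofactor is 1, while on the toy curve the raw point `(0, 1)` fails it and only the cofactor-cleared point passes, which is exactly the omission the first comment points out. Sampling from `secrets.SystemRandom()` by default keeps the "forgotten" $a$ from ever existing; the loop is still variable-time, as the second comment notes.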