
The curve I am using is secp256r1. Its formula is

$y^2 = x^3 + a\cdot x + b$

$a$ = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc (115792089210356248762697446949407573530086143415290314195533631308867097853948)

$b$ = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b (41058363725152142129326129780047268409114441015993725554835256314039467401291)

And I am checking the base point $G$:

$G_x$ = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296 (48439561293906451759052585252797914202762949526041747995844080717082404635286)

$G_y$ = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5 (36134250956749795798585127919587881956611106672985015071877198253568414405109)

Calculating left side $y^2$ gives me:

1305684092205373533040221077691077339148521389884908815529498583727542773586739078600732747106020956683600164371063053787771205051084393085089418365301881

Calculating right side $x^3 + a\cdot x + b$ gives:

113658155427813365024510503555061841058107074695539734801914243855899581676106121216742031186749037217068373713699401633275460693094202620308271598867055040123401752346577561684789671973397929725392419990583281258891711488349384075

Left and right sides are not equal.

What am I doing wrong in my calculations?

Renard
  • Does this answer your question? "Verify that a point belongs to secp256r1". Exactly the same reason. – kelalaka Mar 29 '22 at 19:17
  • @kelalaka, yes, if I perform the mod with p on both sides they are equal. It works with the base point and other constant points on the curve. But I have a problem with points calculated with scalar multiplication. I asked the question in another thread. Now I am digging into my implementation of the scalar multiplication operation to identify what is wrong. – Renard Mar 30 '22 at 03:27

1 Answer


What am I doing wrong in my calculations?

The actual equation may be expressed as:

$$y^2 \equiv x^3 + ax + b \pmod p$$

where $p$ is the characteristic of the field that P256 uses. When working in this field, we usually understand that we're in $GF(p)$ and not $\mathbb{Z}$ (and so we don't need to write out the modulus), however it is important that we realize that it's there.

Why don't you reduce each side modulo $p$ and see if it then works?

When I work with P256 computations, I typically use a subsystem that does the modular reduction at each step (addition, multiplication); in that case, it just doesn't come up.

poncho
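The check the answer describes, carried through in code as an added example (this is not code from the question or the answer). It compares both sides of the curve equation over the integers, as the question did, and then modulo $p$, and it also implements a minimal affine double-and-add scalar multiplication that reduces every intermediate value, which is the kind of implementation the comments mention going wrong. The constants are the published NIST P-256 values; the function names (`on_curve`, `point_add`, `scalar_mult`, `negate`) are my own. `None` stands for the point at infinity.

```python
# Added example: check the secp256r1 curve equation over the integers and
# modulo p, then exercise a small affine scalar multiplication and confirm
# that its outputs stay on the curve.  Curve parameters are the published
# NIST P-256 values.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc  # = p - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G
G = (GX, GY)


def curve_sides(x, y):
    """Return (lhs, rhs) of y^2 = x^3 + ax + b computed over the integers."""
    return y * y, x ** 3 + A * x + B


def on_curve_unreduced(pt):
    """The comparison made in the question: both sides as plain integers.
    This is False for G, because the equation only holds modulo p."""
    lhs, rhs = curve_sides(*pt)
    return lhs == rhs


def on_curve(pt):
    """The correct check: the difference of the two sides is a multiple of p.
    The point at infinity (None) is on the curve by convention."""
    if pt is None:
        return True
    lhs, rhs = curve_sides(*pt)
    return (lhs - rhs) % P == 0


def point_add(p1, p2):
    """Affine addition, covering identity, doubling and Q + (-Q)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p2 == -p1: the sum is the point at infinity
        # doubling: lambda = (3x^2 + a) / (2y) mod p
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        # general addition: lambda = (y2 - y1) / (x2 - x1) mod p
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Left-to-right double-and-add.  Every coordinate is reduced mod p
    inside point_add, so no unreduced integer ever leaves this function."""
    if k < 0:
        raise ValueError("k must be non-negative")
    result = None
    for bit in bin(k)[2:]:
        result = point_add(result, result)
        if bit == "1":
            result = point_add(result, pt)
    return result


def negate(pt):
    """-Q = (x, -y mod p)."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P)


if __name__ == "__main__":
    print("G on curve without reduction:", on_curve_unreduced(G))  # False
    print("G on curve mod p:", on_curve(G))                          # True
    for k in (2, 3, 12345, N - 1):
        print(f"{k}*G on curve mod p:", on_curve(scalar_mult(k, G)))
    print("N*G is the point at infinity:", scalar_mult(N, G) is None)
```

Two things worth noting. First, `on_curve` tests `(lhs - rhs) % P == 0` rather than `lhs % P == rhs % P`; both are equivalent here, but the first form also works if a caller passes negative intermediate values. Second, the group-order checks (`(N-1)*G == -G`, `N*G` is infinity) are a cheap sanity test for a hand-written scalar multiplication: an implementation that forgets a reduction or mishandles the doubling case will typically fail them, and any output of `scalar_mult` that is not on the curve means the point arithmetic is broken, not the curve check.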