Would the Equation $s⋅G=P1+e⋅P2$ Reveal Hidden Points $P1$ and $P2$ on an Elliptic Curve?
My apologies if this is not a valid question. I come from a computer science background, and this question came to mind while attempting to provide privacy protection for my use case.
Assume there are two points, $P1$ and $P2$, on an elliptic curve with generator $G$.
Given that the scalars $s$ and $e$, and the generator $G$, are public, while the points $P1$ and $P2$ are hidden,
Would the following equation reveal any information about $P1$ or $P2$?
$s⋅G=P1+e⋅P2$
Answer
- The questioner was satisfied with and accepted the answer, or
- The answer was evaluated as being 100% correct by the judge.
-
Many thanks! Your answer is actually very helpful. The points are indeed independently generated from uniformly random scalars x and y. Since you mentioned cryptography, allow me to ask a follow-up question ( I’ll increase the tip).
-
I am glad you found it helpful.
-
-
I am working on distributed verification of Schnorr’s identification protocol using multi-party computation to hide the clients’ public keys. The verification involves the equation: s* G = R + e * P, where s is the client signature, R is a random point and P is the client public key. Only P and R are private (secret-shared). The result of 𝑅 + 𝑒 * 𝑃 will be revealed, and the equality test will be performed in the clear. Based on your answer I can say that this should not reveal P, correct?
-
You are correct. The scenario you described does not reveal the private key P based on what you mentioned and under the conditions you described. The revealed value R+e⋅P and the subsequent equality test do not reveal information about P, provided if you have randomness of R and secure secret-sharing.
-
So, basically, you have a P which is secret-shared and not directly exposed. R is a random elliptic curve point, also secret-shared and not revealed directly. Only R+e⋅P is revealed, which is effectively a masked version of e.P. So, because R is random and independent of P, its presence ensures that the revealed R+e⋅P does not expose direct information about P.
-
Great! Last question، could you point me to approaches or resources that may help in writing a formal security analysis?
-
I did a quick Google search and this paper seem to be helpful for that: https://www.baigneres.net/downloads/2007_provable_security.pdf
-
-
Found a good one for you. This will help you: https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf
-
Thanks for the tip. Let me know if you have more questions.
- answered
- 265 views
- $20.00
Related Questions
- Prove that a reduced Gorenstein ring of Krull dimension 1 is not a complete intersection ring.
- Solve this problem using branch and bound algorithm.
- Set theory question
- Linearly independent vector subsets.
- Three questions on Vectors
- Attempting to make a formula/algorithm based on weighted averages to find how much equipment we need to maintain.
- If both $n$ and $\sqrt{n^2+204n}$ are positive integers, find the maximum value of $𝑛$.
- Prove that language L = {a^p ; p is prime} isn't regular using Myhill-Nerode theorem.