Ethereum: How do you derive the lambda and beta values for endomorphism on the secp256k1 curve?

Derivation of Lambda and Beta Values ​​for Endomorphism on the Secp256k1 Curve

The secp256k1 curve is a popular choice for cryptographic applications due to its security and efficiency. One of the most important aspects of this curve is endomorphism, which refers to the mapping from one point to another on the curve. In this article, we will look at how to derive lambda (λ) and beta (β) values ​​for endomorphisms on the secp256k1 curve.

Background

You may recall that Hal Finney shared some information about his experiences with Bitcoin’s development team a few years ago. According to Finney, he noticed that certain values ​​related to the secp256k1 curve were particularly important for cryptographic purposes. In particular, he mentioned lambda and beta as two such values.

The Formula

To derive lambda (λ) and beta (β), we need to use a specific formula:

λ^3 (mod N) = 1

β^3 (mod P) = 1

where λ and β are the values ​​on the secp256k1 curve and N and P are the norm and prime factors of the point at infinity (P) for endomorphisms.

Calculating lambda (λ)

To calculate λ, we need to find a primitive cube root modulo N. This can be done using the extended Euclidean algorithm or other methods. Once we find λ, we can use it to construct an endomorphism on the secp256k1 curve.

Calculating beta (β)

To calculate β, we need to find a primitive cube root modulo P. Again, there are various methods available for this, such as using the norm or prime factors of P.

Example

Let’s look at a simple example to illustrate how these calculations work. Suppose we have an endomorphism that maps the point at infinity (P) to itself. In other words, we want:

λ^3 = 1

β^3 = 1

To solve this equation, we can first try out some values ​​for λ and β.

For example, consider the following possible values:

• For λ: 0, 1, -1, or any other primitive cube root modulo N

• For β: 0, 1, -1, or any other primitive cube root modulo P

By trial and error, we find a possible solution:

λ = 2^(-3) (mod N)

β = 2^(-3) (mod P)

Conclusion

To derive lambda and beta values ​​for endomorphisms on the secp256k1 curve, primitive cube roots modulo N and P must be found. These calculations can be complex, but there are several methods to simplify them. By following these steps, you should be able to calculate the required values ​​for your specific cryptographic needs.

References

• Hal Finney, “The Endomorphism on the secp256k1 Curve” (Bitcointalk post)

• Various online resources and documentation for the secp256k1 curve.