Xjyuk

Set-theoretical foundations of Mathematics with only bounded quantifiers

Is there a minimum number of transactions in a block?

Why don't electron-positron collisions release infinite energy?

What typically incentivizes a professor to change jobs to a lower ranking university?

What makes Graph invariants so useful/important?

What do you call something that goes against the spirit of the law, but is legal when interpreting the law to the letter?

Can an x86 CPU running in real mode be considered to be basically an 8086 CPU?

Is it possible to make sharp wind that can cut stuff from afar?

Why is this code 6.5x slower with optimizations enabled?

How to report a triplet of septets in NMR tabulation?

Shell script can be run only with sh command

I probably found a bug with the sudo apt install function

I see my dog run

XeLaTeX and pdfLaTeX ignore hyphenation

Example of a relative pronoun

Do airline pilots ever risk not hearing communication directed to them specifically, from traffic controllers?

How do we improve the relationship with a client software team that performs poorly and is becoming less collaborative?

What do you call a Matrix-like slowdown and camera movement effect?

How to add power-LED to my small amplifier?

DOS, create pipe for stdin/stdout of command.com(or 4dos.com) in C or Batch?

I’m planning on buying a laser printer but concerned about the life cycle of toner in the machine

Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws)

Could a US political party gain complete control over the government by removing checks & balances?

Draw simple lines in Inkscape

Can you tell me why doing scalar multiplication of a point on a Elliptic curve over a finite field gets to a point at infinity?

What is the relationship between p (prime), n (order) and h (cofactor) of an elliptic curve?What is the point at infinity on secp256k1 and how to calculate it?Modulus for elliptic curve point multiplicationGraphically representing points on Elliptic Curve over finite fieldElliptic curve group over a prime finite field $F_p$Scalar Multiplication for Elliptic CurveUsage of parameter “b” of an elliptic curve over GF(p)Elliptic curve scalar point multiplicationElliptic curve point multiplication — who is wrong?Understanding elliptic curve point addition over a finite fieldPoint-at-infinity in the scalar multiplicationelliptic curve infinity point implementation returns exception

2

1

$begingroup$

I am reading Programming Bitcoin. The author said:

Another property of scalar multiplication is that at a certain multiple, we get to the point at infinity (remember, the point at infinity is the additive identity or $0$). If we imagine a point $G$ and scalar-multiply until we get the point at infinity.

He doesn't explain why. So I don't understand why. I would like you to give me a plain explanation, without a serious mathematical proof, if that could be possible.

elliptic-curves cryptocurrency

share|improve this question

edited 9 hours ago

Maarten Bodewes♦

55.7k679196

asked 18 hours ago

inherithandleinherithandle

1111

New contributor

inherithandle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  If you're interested in elliptic curve cryptography, you should maybe just get a book on elliptic curve cryptography in which the basic concepts of groups, elliptic curves, scalar multiplication, and the point at infinity will appear in the first act. If you're interested in cryptocurrency applications, you probably don't need to worry about elliptic curves in detail, and can just use higher-level ideas like signatures.
  $endgroup$
  – Squeamish Ossifrage
  3 mins ago
  

  
  
  
  

add a comment | 

2

1

$begingroup$

I am reading Programming Bitcoin. The author said:

Another property of scalar multiplication is that at a certain multiple, we get to the point at infinity (remember, the point at infinity is the additive identity or $0$). If we imagine a point $G$ and scalar-multiply until we get the point at infinity.

He doesn't explain why. So I don't understand why. I would like you to give me a plain explanation, without a serious mathematical proof, if that could be possible.

elliptic-curves cryptocurrency

share|improve this question

edited 9 hours ago

Maarten Bodewes♦

55.7k679196

asked 18 hours ago

inherithandleinherithandle

1111

New contributor

inherithandle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  If you're interested in elliptic curve cryptography, you should maybe just get a book on elliptic curve cryptography in which the basic concepts of groups, elliptic curves, scalar multiplication, and the point at infinity will appear in the first act. If you're interested in cryptocurrency applications, you probably don't need to worry about elliptic curves in detail, and can just use higher-level ideas like signatures.
  $endgroup$
  – Squeamish Ossifrage
  3 mins ago
  

  
  
  
  

add a comment | 

$begingroup$

I am reading Programming Bitcoin. The author said:

Another property of scalar multiplication is that at a certain multiple, we get to the point at infinity (remember, the point at infinity is the additive identity or $0$). If we imagine a point $G$ and scalar-multiply until we get the point at infinity.

He doesn't explain why. So I don't understand why. I would like you to give me a plain explanation, without a serious mathematical proof, if that could be possible.

elliptic-curves cryptocurrency

share|improve this question

edited 9 hours ago

Maarten Bodewes♦

55.7k679196

asked 18 hours ago

inherithandleinherithandle

1111

New contributor

inherithandle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

share|improve this question

edited 9 hours ago

Maarten Bodewes♦

55.7k679196

asked 18 hours ago

inherithandleinherithandle

1111

New contributor

inherithandle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 9 hours ago

Maarten Bodewes♦

55.7k679196

asked 18 hours ago

inherithandleinherithandle

1111

New contributor

inherithandle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

edited 9 hours ago

Maarten Bodewes♦

55.7k679196

edited 9 hours ago

Maarten Bodewes♦

55.7k679196

asked 18 hours ago

inherithandleinherithandle

1111

New contributor

inherithandle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 18 hours ago

inherithandleinherithandle

1111

1 Answer
1

active

oldest

votes

3

$begingroup$

The points on the Elliptic Curves are forming an additive group with the identity $mathcalO$, the point at infinity.

The scalar multiplication $k P$ this actually means adding $P$, $k$-times itself

$$kP=underbraceP+P+cdots+P_text$k$ times.$$

Bitcoin uses Secp256k1 which has characteristic $p$ and it is defined over the prime field $mathbbZ_p$ with the curve equation $y^2=x^3-7$.

Point addition in $mathbbZ_p$ has an interesting property since the number of elements is finite if you add a point $P$ itself many times eventually you will get the identity $mathcalO$.

$$underbraceP+P+cdots+P_text$t$ times = mathcalO$$

The smallest $t$ will be the order of the subgroup generated by the $P$. For security, we want this order huge.

Note 1: a point $P$ may not generate the whole group but it generates a cyclic subgroup.

Note 2: As pointed by SqueamishOssifrage, The Smart showed that if the order of the curve and order of the base field are same then the discrete logarithm on this curves runs in linear time.

share|improve this answer

edited 8 hours ago

answered 16 hours ago

kelalakakelalaka

8,75532351

$endgroup$

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  The order of the scalar ring is not the characteristic or order of the coordinate field. The orders are related, but are not the same except in cases that are trivially breakable as Nigel Smart showed.
  $endgroup$
  – Squeamish Ossifrage
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  @SqueamishOssifrage thanks and for the links.
  $endgroup$
  – kelalaka
  8 hours ago
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

inherithandle is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68593%2fcan-you-tell-me-why-doing-scalar-multiplication-of-a-point-on-a-elliptic-curve-o%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

3

$begingroup$

The points on the Elliptic Curves are forming an additive group with the identity $mathcalO$, the point at infinity.

The scalar multiplication $k P$ this actually means adding $P$, $k$-times itself

$$kP=underbraceP+P+cdots+P_text$k$ times.$$

Bitcoin uses Secp256k1 which has characteristic $p$ and it is defined over the prime field $mathbbZ_p$ with the curve equation $y^2=x^3-7$.

Point addition in $mathbbZ_p$ has an interesting property since the number of elements is finite if you add a point $P$ itself many times eventually you will get the identity $mathcalO$.

$$underbraceP+P+cdots+P_text$t$ times = mathcalO$$

The smallest $t$ will be the order of the subgroup generated by the $P$. For security, we want this order huge.

Note 1: a point $P$ may not generate the whole group but it generates a cyclic subgroup.

Note 2: As pointed by SqueamishOssifrage, The Smart showed that if the order of the curve and order of the base field are same then the discrete logarithm on this curves runs in linear time.

share|improve this answer

edited 8 hours ago

answered 16 hours ago

kelalakakelalaka

8,75532351

$endgroup$

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  The order of the scalar ring is not the characteristic or order of the coordinate field. The orders are related, but are not the same except in cases that are trivially breakable as Nigel Smart showed.
  $endgroup$
  – Squeamish Ossifrage
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  @SqueamishOssifrage thanks and for the links.
  $endgroup$
  – kelalaka
  8 hours ago
  
  

  
  
  
  

add a comment | 

3

$begingroup$

The points on the Elliptic Curves are forming an additive group with the identity $mathcalO$, the point at infinity.

The scalar multiplication $k P$ this actually means adding $P$, $k$-times itself

$$kP=underbraceP+P+cdots+P_text$k$ times.$$

Bitcoin uses Secp256k1 which has characteristic $p$ and it is defined over the prime field $mathbbZ_p$ with the curve equation $y^2=x^3-7$.

Point addition in $mathbbZ_p$ has an interesting property since the number of elements is finite if you add a point $P$ itself many times eventually you will get the identity $mathcalO$.

$$underbraceP+P+cdots+P_text$t$ times = mathcalO$$

The smallest $t$ will be the order of the subgroup generated by the $P$. For security, we want this order huge.

Note 1: a point $P$ may not generate the whole group but it generates a cyclic subgroup.

Note 2: As pointed by SqueamishOssifrage, The Smart showed that if the order of the curve and order of the base field are same then the discrete logarithm on this curves runs in linear time.

share|improve this answer

edited 8 hours ago

answered 16 hours ago

kelalakakelalaka

8,75532351

$endgroup$

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  The order of the scalar ring is not the characteristic or order of the coordinate field. The orders are related, but are not the same except in cases that are trivially breakable as Nigel Smart showed.
  $endgroup$
  – Squeamish Ossifrage
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  @SqueamishOssifrage thanks and for the links.
  $endgroup$
  – kelalaka
  8 hours ago
  
  

  
  
  
  

add a comment | 

$begingroup$

The points on the Elliptic Curves are forming an additive group with the identity $mathcalO$, the point at infinity.

The scalar multiplication $k P$ this actually means adding $P$, $k$-times itself

$$kP=underbraceP+P+cdots+P_text$k$ times.$$

Bitcoin uses Secp256k1 which has characteristic $p$ and it is defined over the prime field $mathbbZ_p$ with the curve equation $y^2=x^3-7$.

Point addition in $mathbbZ_p$ has an interesting property since the number of elements is finite if you add a point $P$ itself many times eventually you will get the identity $mathcalO$.

$$underbraceP+P+cdots+P_text$t$ times = mathcalO$$

The smallest $t$ will be the order of the subgroup generated by the $P$. For security, we want this order huge.

Note 1: a point $P$ may not generate the whole group but it generates a cyclic subgroup.

Note 2: As pointed by SqueamishOssifrage, The Smart showed that if the order of the curve and order of the base field are same then the discrete logarithm on this curves runs in linear time.

share|improve this answer

edited 8 hours ago

answered 16 hours ago

kelalakakelalaka

8,75532351

$endgroup$

share|improve this answer

edited 8 hours ago

answered 16 hours ago

kelalakakelalaka

8,75532351

answered 16 hours ago

kelalakakelalaka

8,75532351

answered 16 hours ago

kelalakakelalaka

8,75532351