5
$\begingroup$

I wanted to use https://github.com/AntonKueltz/fastecdsa library and the function parameters for creating curve are:

p, # (long): The value of p in the curve equation. a, # (long): The value of a in the curve equation. b, # (long): The value of b in the curve equation. q, # (long): The order of the base point of the curve. gx, # (long): The x coordinate of the base point of the curve. gy, # (long): The y coordinate of the base point of the curve.

The curve I need is this one: https://docs.starkware.co/starkex-docs-v2-deprecated/crypto/stark-curve It gives info about $p, a, b, gx, gy$. But not the $q$

How to infer the $q$ parameter?

Improve this question
$\endgroup$
0

1 Answer 1

Reset to default
4
$\begingroup$

Theoretical answer here

Practically, one can use SageMath to find it;

a = 1 b = 3141592653589793238462643383279502884197169399375105820974944592307816406665 p = 2^251 + 17*2^192 +1 E = EllipticCurve(GF(p), [0,0,0,a,b]) print(E) print(E.abelian_group()) card = E.cardinality() print("cardinality =",card) factor(card) G = E(874739451078007766457464989774322083649278607533249481151382481072868806602,152666792071518830868575557812948353041420400780739481342941381225525861407) print("Generator order q=", G.order())

This outputs

 Elliptic Curve defined by y^2 = x^3 + x + 3141592653589793238462643383279502884197169399375105820974944592307816406665 over Finite Field of size 3618502788666131213697322783095070105623107215331596699973092056135872020481 Additive abelian group isomorphic to Z/3618502788666131213697322783095070105526743751716087489154079457884512865583 embedded in Abelian group of points on Elliptic Curve defined by y^2 = x^3 + x + 3141592653589793238462643383279502884197169399375105820974944592307816406665 over Finite Field of size 3618502788666131213697322783095070105623107215331596699973092056135872020481 cardinality = 3618502788666131213697322783095070105526743751716087489154079457884512865583 Generator order q= 3618502788666131213697322783095070105526743751716087489154079457884512865583

Since the order of the curve is prime we have a prime curve, every element, except the identity, is a generator, therefore the order of the basepoint is equal to the order of the curve group.

Also, the cofactor $h$ is 1 since the curve order is prime. Cofactor is defined as the number of the $k$ rational points of the curve $h = \#E(k)/n $ divided by the order of the chosen base element $n$

I couldn't find any information about the magic number (nothing-up-in-my-sleeve). The reason for the choice of $G$ is not clear. Although it is psychological, one should provide it.

SageMath uses sea.gp which is a fast implementation of the SEA algorithm. This library is implemented in pari/GP. A good slide about sea.gp is The SEA algorithm in PARI/GP.

Improve this answer
$\endgroup$
1
  • $\begingroup$ How to do the same on a twisted Edward curve ? Because I suppose converting the curve and the point to the Wiestrass form would change the resulting order being computed right ? $\endgroup$ Commented Jul 7, 2024 at 9:13

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.