anonymousking123

An approach idea. Take an arbitrary x value (the one that is looked for, and find the point, that caused that value when inserted into the formula. In Mathematica that would be: Solve[(x*x - 1)^2/(4*x*(x*x + 486662*x + 1)) == THEVALUETOLOOKFOR, Modulus -> 2^255 - 19] Then go back the whole chain, unti you reach x=9. This can sometimes be tricky, that is why you probably have to think about it further.

Well, this is the point, let us say you have the following parameters: a = 486662 modulus = 2^255 - 19 Then you are right, to look for new_x=10 cannot be obtained by the formula, that means there is no "point doubling possible" that will result in new_x = 10 from any starting point. But you can use montgomery point addition to add x=9 to the desired new_10 = 10, but this point can be maybe obtained by looking for different points than newx_10, which then (added by montgomery rules) will result in new_x = 10. This is the essential task here.

pm sent so take that as a yes and as far as anyone else can make out of this, were looking to prevent this vulnerability we found somewhere from happening so anyone with any advice would and could be potentially rewarded if they'd like as a prize!

The 'p' in (mod p) is 2^255 - 19 and I'm not searching for 10 but rather some arbitrarily large number such as83402281777707715381485212681368749158073214888176003645002923212220704930559

thats wrong it is not correct If you have a generator element b of an additive group of order N, and you know it takes x repeated doubling operations (squaring operations in the context of a multiplicative group) on this element in order to reach q then you have effectively solved [multiplicative group notation]: q = b2x for x. What we really want to do is crack the discrete logarithm, which means finding x in the context of: q = bx So the question becomes: if we can solve the first equation can we solve the second? The answer is yes. The reason is that the exponent of b is itself an element of it's own multiplicative group ℤN× of which 2 is a generator since N is prime (at least in the context of Curve25519 or secp256k1). So if you find x that satisfies: q = b2x then you can use your solution to solve the discrete log easy peasy lemon squeezy.: logb(q) = 2x mod N

could be easily done, by actually using the x-coordinate only. Right now the Montgomery Curve 25519 is transformed to Kolbitz Representation with full (x,y) instead of only the (x) coordinate. Also, addition is not made using montgomery-steps but by simple mathematic arithmetic. Should be doable.

so do you have any idea how to solve this issue?

Problem Description: Being a some constant, further assume that we are in a factor ring (basically all operations modulo some sumber p). Note, that the division below is a multiplication by the modular inverse. You always have to start with x=9. Consider the following recursive formula: Code: new_x = (x²-1)² / (4*x*(x²+a*x+1)) How often do you have to perform this operation to get a specific x (basically getting the new_x and feeding it back into the formula to get another new_x, and so on)? Note: You can start multiple such chains beginning at x=9, and add the resulting x values using the addition algorithm from http://en.wikipedia.org/wiki/Montgomery_curve (Montgomery arithmetic section). Note, that the x value, is the value you get at the end of such calculation-chain, and the z value is always 1. The answer: The formula must work in all cases, and be computationally feasible (let us say calculable in less than 24 hours). NOTES: For the record, this is the posted solution: Code: <script> var equation= "(x²-1)² / (4*x*(x²+a*x+1))"; var a=0; var b=10; while(a<b) { var equation = equation.replace("x", "(x²-1)² / (4*x*(x²+a*x+1))"); a=a+1; } document.write(equation); </script> Where b is the specific new_x you are looking for so for new_x=10 (((((((((((x²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1))²-1)² / (4*x*(x²+a*x+1)) where x=9 By no means the formula evaluates to 10, when I insert 9. Also, additionally to that, the division must be a multiplication with the modular inverse modulo p (just as a hint for future tries). @MODS: Also, this has nothing to do with homework, this to solve a complex problem with some suspect code ive been writing and i need a science formula or math formula expert and it needs to be correct *-ring[edit] In mathematics, a *-ring is a ring with a map * : A → A that is an antiautomorphism and an involution. More precisely, * is required to satisfy the following properties:[1] (x + y)* = x* + y* (x y)* = y* x* 1* = 1 (x*)* = x for all x, y in A.

so that would be the correct response then?

the first person to post such formula in private. The formula must work in all cases, and be comutationally feasible

problem solved