vjudeu (OP)
Recently, I was quite surprised, when I saw that there are six different n-values, matching different b-values in secp256k1:

+-----+---------------------------------------------------------------------+
|  b  |                                  n                                  |
+-----+---------------------------------------------------------------------+
| 0x1 |  0xfffffffffffffffffffffffffffffffe06f23032560e83e138ea6fc857fb4794 |
| 0x2 | 0x1000000000000000000000000000000014551231950b75fc4402da1712fc9b71f |
| 0x3 |  0xffffffffffffffffffffffffffffffff4c43534ba6c5e3a57918113a87c50283 |
| 0x4 | 0x100000000000000000000000000000000b3bcacb4593a1c5a86e7eec3783af5dd |
| 0x6 | 0x100000000000000000000000000000001f90dcfcda9f17c1ec7159035a804b0cc |
| 0x7 |  0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
+-----+---------------------------------------------------------------------+

They are repeating over and over again, as b-value is incremented. However, it also seems they can be connected in pairs, each giving the same sum:

+-----+---------------------------------------------------------------------+
|  b  |                                  n                                  |
+-----+---------------------------------------------------------------------+
| 0x1 |  0xfffffffffffffffffffffffffffffffe06f23032560e83e138ea6fc857fb4794 |
| 0x6 | 0x100000000000000000000000000000001f90dcfcda9f17c1ec7159035a804b0cc |
| sum | 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff860 |
+-----+---------------------------------------------------------------------+
| 0x2 | 0x1000000000000000000000000000000014551231950b75fc4402da1712fc9b71f |
| 0x7 |  0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
| sum | 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff860 |
+-----+---------------------------------------------------------------------+
| 0x3 |  0xffffffffffffffffffffffffffffffff4c43534ba6c5e3a57918113a87c50283 |
| 0x4 | 0x100000000000000000000000000000000b3bcacb4593a1c5a86e7eec3783af5dd |
| sum | 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff860 |
+-----+---------------------------------------------------------------------+

The question is: does it mean that there is some kind of connection between y^2=x^3+7, and for example y^2=x^3+2? Or maybe there is another connection, where points on curves with identical p-value and n-value can be mapped? Does it mean, that if we have b=0x7, where there are "n" points, and for example b=0xc curve also has the same amount of points, then does it mean we can map them 1:1?
|
I've moved on to other things.
|
satashi_nokamato
March 21, 2024, 11:32:18 PM

If there are any 2 points on different curves mapping with each other then there will be no cryptography. Imagine if you could identify only 1 point from one curve on another curve, then due to different n values you could solve any key. To understand this better you could divide any scalar mod n on 2 curves and compare the results.
After that you'll realize why it can break crypto systems if that ever happened.
|
herecomesjohnny
March 23, 2024, 03:38:03 PM

One possible explanation for this phenomenon could be related to the modular arithmetic used in elliptic curve cryptography. Since all operations (addition, multiplication, etc.) are performed modulo a prime number p
|
iceland2k14
March 23, 2024, 05:33:11 PM

> Recently, I was quite surprised, when I saw that there are six different n-values, matching different b-values in secp256k1:
>
> +-----+---------------------------------------------------------------------+
> |  b  |                                  n                                  |
> +-----+---------------------------------------------------------------------+
> | 0x7 |  0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
> +-----+---------------------------------------------------------------------+
>
> The question is: does it mean that there is some kind of connection between y^2=x^3+7, and for example y^2=x^3+2? Or maybe there is another connection, where points on curves with identical p-value and n-value can be mapped? Does it mean, that if we have b=0x7, where there are "n" points, and for example b=0xc curve also has the same amount of points, then does it mean we can map them 1:1?

Not very sure about the 1:1 mapping although, previously I saw when b = 0x0, it leads to a very simplified loop which allowed to map from Pubkey to Privatekey. However I could not find any way to map b = 0x7 curve pubkey into a b = 0x0 curve pubkey.
|
cassondracoffee
March 24, 2024, 06:20:56 AM

> Recently, I was quite surprised, when I saw that there are six different n-values, matching different b-values in secp256k1:
>
> +-----+---------------------------------------------------------------------+
> |  b  |                                  n                                  |
> +-----+---------------------------------------------------------------------+
> | 0x1 |  0xfffffffffffffffffffffffffffffffe06f23032560e83e138ea6fc857fb4794 |
> | 0x2 | 0x1000000000000000000000000000000014551231950b75fc4402da1712fc9b71f |
> | 0x3 |  0xffffffffffffffffffffffffffffffff4c43534ba6c5e3a57918113a87c50283 |
> | 0x4 | 0x100000000000000000000000000000000b3bcacb4593a1c5a86e7eec3783af5dd |
> | 0x6 | 0x100000000000000000000000000000001f90dcfcda9f17c1ec7159035a804b0cc |
> | 0x7 |  0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
> +-----+---------------------------------------------------------------------+

How come from this n value? Where do you get this n value?

edit: What is the base value. Those 1 to 7 values come from N
|
eugenekhashin
January 02, 2025, 09:44:09 AM Last edit: January 04, 2025, 10:41:20 AM by Mr. Big

> The question is: does it mean that there is some kind of connection between y^2=x^3+7, and for example y^2=x^3+2? Or maybe there is another connection, where points on curves with identical p-value and n-value can be mapped? Does it mean, that if we have b=0x7, where there are "n" points, and for example b=0xc curve also has the same amount of points, then does it mean we can map them 1:1?

Yes, you can map points on curves with the same cardinality (e.g. a6: 7, 12, 20, 23, 26, 37, etc.) - they are 100% isomorphic. Also there is no known connection (at least for me) between points on curves with different cardinalities (e.g. a6: 7 and 2).

You may also have a look at Jacobian coordinates of points and this bijection might become more clear for you: you're getting the same point using the same X and Y, but changing third Z coordinate. By saying the "same point" I mean the point which might be projected to any isomorphic plane. Note, that not all the possible Z values might be projected to initial curve (with Z=1).
|
j2002ba2
January 02, 2025, 02:47:38 PM

> The question is: does it mean that there is some kind of connection between y^2=x^3+7, and for example y^2=x^3+2? Or maybe there is another connection, where points on curves with identical p-value and n-value can be mapped? Does it mean, that if we have b=0x7, where there are "n" points, and for example b=0xc curve also has the same amount of points, then does it mean we can map them 1:1?

For y^2=x^3+d (mod p), and d being non-zero integer, the group falls into one of these different sets:

1: 2x 2 * 3 * 20412485227 * 83380711482738671590122559 * 5669387787833452836421905244327672652059
2: 3x 3 * 13^2 * 3319 * 22639 * 1013176677300131846900870239606035638738100997248092069256697437031
3: 109903 * 12977017 * 383229727 * 211853322379233867315890044223858703031485253961775684523
4: 3 * 199 * 18979 * 5128356331187950431517 * 1992751017769525324118900703535975744264170999967
6: 14x 2 * 7 * 10903 * 5290657 * 10833080827 * 22921299619447 * 41245443549316649091297836755593555342121
7: 115792089237316195423570985008687907852837564279074904382605163141518161494337

Here ' x' is the torsion group - then the group is noncyclic (as a whole).

One can move between different d by multiplying the whole equation by k^6, and getting the new coordinates with the new d (the usual isomorphism):

y^2 = x^3 + d
k^6*y^2 = k^6*x^3 + k^6*d
(k^3*y)^2 = (k^2*x)^3 + k^6*d

Trying to move between these six groups doesn't work - either k^3 and/or k^2 are outside the usual group of numbers mod p. If one thinks a bit it is obvious. Groups have different number of points, so - when trying to map - every point from one group corresponds to all the points in another.

So, only thing needing in order to jump to an isomorphic equation is taking sixth root of some number a (mod p).

a^p = a
a^(p+1) = a^2
a^((p+1)/4) = a^(1/2)
a^(p+2) = a^3
a^((p+2)/9) = a^(1/3)
(a^((p+1)/4))^((p+2)/9) = a^(1/6) = k

One should then check if this root exists, i.e. if k^6=a
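
The k^6 isomorphism and the sixth-root existence check described in the post above, as an added Python example that is not part of the original thread. It uses the p, n and G values quoted in the thread; the function names and the target b = 7 * 2^6 = 448 are constructed for illustration.

```python
# Added illustration. P, N and G are the secp256k1 values quoted in the thread;
# all function names and the target b = 448 are constructed for this example.
P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
     0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)


def on_curve(pt, b):
    """True if pt satisfies y^2 = x^3 + b (mod P); None is infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - b) % P == 0


def sixth_root(a):
    """k with k^6 == a (mod P) via the exponents from the post, else None."""
    # Relies on P % 4 == 3 and P % 9 == 7, which both hold for this prime.
    a %= P
    s = pow(a, (P + 1) // 4, P)   # a^(1/2) if a is a square
    k = pow(s, (P + 2) // 9, P)   # s^(1/3) if s is a cube
    return k if pow(k, 6, P) == a else None   # the existence check


def isomorphism(b_from, b_to):
    """k mapping y^2=x^3+b_from onto y^2=x^3+b_to, or None if none exists."""
    return sixth_root(b_to * pow(b_from, -1, P))


def map_point(pt, k):
    """(x, y) -> (k^2*x, k^3*y), the usual isomorphism."""
    if pt is None:
        return None
    x, y = pt
    return (pow(k, 2, P) * x % P, pow(k, 3, P) * y % P)


def add(p1, p2):
    """Affine addition for a = 0; b never appears in these formulas."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def demo():
    b_new = 7 * 2**6 % P              # 448: constructed so a root must exist
    k = isomorphism(7, b_new)
    g_new = map_point(G, k)
    return {
        "G on b=7": on_curve(G, 7),
        "mapped G on b=448": on_curve(g_new, b_new),
        "mapped G on b=7": on_curve(g_new, 7),     # fails point validation
        "map(5G) == 5*map(G)": map_point(mul(5, G), k) == mul(5, g_new),
        "n * mapped G is infinity": mul(N, g_new) is None,
        "k for b=2": isomorphism(7, 2),
        "k for b=12": isomorphism(7, 12),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For b=2 the result is None because 2/7 is not even a square mod p, which matches the different n-values in the first post's table. The b=12 line prints a k only if 12/7 has a sixth root, so it checks the thread's statement that b=7 and b=12 share the same n.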
|
dexizer7799
January 02, 2025, 03:06:02 PM Last edit: January 04, 2025, 10:36:48 AM by Mr. Big

> > The question is: does it mean that there is some kind of connection between y^2=x^3+7, and for example y^2=x^3+2? Or maybe there is another connection, where points on curves with identical p-value and n-value can be mapped? Does it mean, that if we have b=0x7, where there are "n" points, and for example b=0xc curve also has the same amount of points, then does it mean we can map them 1:1?
>
> For y^2=x^3+d (mod p), and d being non-zero integer, the group falls into one of these different sets:
>
> 1: 2x 2 * 3 * 20412485227 * 83380711482738671590122559 * 5669387787833452836421905244327672652059
> 2: 3x 3 * 13^2 * 3319 * 22639 * 1013176677300131846900870239606035638738100997248092069256697437031
> 3: 109903 * 12977017 * 383229727 * 211853322379233867315890044223858703031485253961775684523
> 4: 3 * 199 * 18979 * 5128356331187950431517 * 1992751017769525324118900703535975744264170999967
> 6: 14x 2 * 7 * 10903 * 5290657 * 10833080827 * 22921299619447 * 41245443549316649091297836755593555342121
> 7: 115792089237316195423570985008687907852837564279074904382605163141518161494337
>
> Here ' x' is the torsion group - then the group is noncyclic (as a whole).
>
> One can move between different d by multiplying the whole equation by k^6, and getting the new coordinates with the new d (the usual isomorphism):
>
> y^2 = x^3 + d
> k^6*y^2 = k^6*x^3 + k^6*d
> (k^3*y)^2 = (k^2*x)^3 + k^6*d
>
> Trying to move between these six groups doesn't work - either k^3 and/or k^2 are outside the usual group of numbers mod p. If one thinks a bit it is obvious. Groups have different number of points, so - when trying to map - every point from one group corresponds to all the points in another.
>
> So, only thing needing in order to jump to an isomorphic equation is taking sixth root of some number a (mod p).
>
> a^p = a
> a^(p+1) = a^2
> a^((p+1)/4) = a^(1/2)
> a^(p+2) = a^3
> a^((p+2)/9) = a^(1/3)
> (a^((p+1)/4))^((p+2)/9) = a^(1/6) = k
>
> One should then check if this root exists, i.e. if k^6=a

I know that if you will look in this example https://ask.sagemath.org/question/78809/convert-secp256k1-g-point-to-twist-sextic-curve/ you will see that we can map to another curve Secp256K1 but we cannot do invalid curve attack with mapped points because we got infinity point.

We can convert even to (p ^ 2) for secp256k1 but this is useless because we cannot do twist/subgroup/invalid curve attack.
|
eugenekhashin
January 03, 2025, 01:25:04 PM

> We can convert even to (p ^ 2) for secp256k1 but this is useless because we cannot do twist/subgroup/invalid curve attack.

Could you please explain what do you mean by p^2 exactly?
|
dexizer7799
January 03, 2025, 01:38:57 PM Last edit: January 04, 2025, 10:36:00 AM by Mr. Big

> > We can convert even to (p ^ 2) for secp256k1 but this is useless because we cannot do twist/subgroup/invalid curve attack.
>
> Could you please explain what do you mean by p^2 exactly?

Yes we can increase p parameter of secp256k1 to do invalid/twist attack but we got infinity point and if you will factorize that prime you will see all factored primes

    p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f ** 2
    K = GF(p)
    a = K(0x0000000000000000000000000000000000000000000000000000000000000000)
    b = K(0x0000000000000000000000000000000000000000000000000000000000000007)
    E = EllipticCurve(K, (a, b))
    G = E(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
    E.set_order(0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 * 0x1)

This is very easy to do but we cannot do attack because we got infinity zero points if we can do birational mapping for two or more curves using main curve secp256k1 we can easily compute private key of public key.
|
eugenekhashin
January 03, 2025, 02:12:43 PM

>     p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f ** 2
>     K = GF(p)
>     a = K(0x0000000000000000000000000000000000000000000000000000000000000000)
>     b = K(0x0000000000000000000000000000000000000000000000000000000000000007)
>     E = EllipticCurve(K, (a, b))
>     G = E(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
>     E.set_order(0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 * 0x1)

Are you sure this works? I'm getting the error:

    ---------------------------------------------------------------------------
    ValueError Traceback (most recent call last)
    Cell In [685], line 19
    17 E = EllipticCurve(K, (a, b))
    18 G = E(Integer(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798), Integer(0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
    ---> 19 E.set_order(Integer(0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141) * Integer(0x1))

    File /private/var/tmp/sage-9.8-current/local/var/lib/sage/venv-python3.11.1/lib/python3.11/site-packages/sage/schemes/elliptic_curves/ell_finite_field.py:1302, in EllipticCurve_finite_field.set_order(self, value, check, num_checks)
    1300 a,b = Hasse_bounds(q,1)
    1301 if not a <= value <= b:
    -> 1302 raise ValueError('Value %s illegal (not an integer in the Hasse range)' % value)
    1303 # Is value*random == identity?
    1304 for i in range(num_checks):

    ValueError: Value 115792089237316195423570985008687907852837564279074904382605163141518161494337 illegal (not an integer in the Hasse range)

Also I'm not quite sure this makes any sense when you're trying to define the cardinality, especially trying to set the same cardinality of the initial curve.
|
dexizer7799
January 03, 2025, 03:02:37 PM Last edit: January 04, 2025, 10:35:28 AM by Mr. Big

> >     p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f ** 2
> >     K = GF(p)
> >     a = K(0x0000000000000000000000000000000000000000000000000000000000000000)
> >     b = K(0x0000000000000000000000000000000000000000000000000000000000000007)
> >     E = EllipticCurve(K, (a, b))
> >     G = E(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
> >     E.set_order(0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 * 0x1)
>
> Are you sure this works? I'm getting the error:
>
>     ---------------------------------------------------------------------------
>     ValueError Traceback (most recent call last)
>     Cell In [685], line 19
>     17 E = EllipticCurve(K, (a, b))
>     18 G = E(Integer(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798), Integer(0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
>     ---> 19 E.set_order(Integer(0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141) * Integer(0x1))
>
>     File /private/var/tmp/sage-9.8-current/local/var/lib/sage/venv-python3.11.1/lib/python3.11/site-packages/sage/schemes/elliptic_curves/ell_finite_field.py:1302, in EllipticCurve_finite_field.set_order(self, value, check, num_checks)
>     1300 a,b = Hasse_bounds(q,1)
>     1301 if not a <= value <= b:
>     -> 1302 raise ValueError('Value %s illegal (not an integer in the Hasse range)' % value)
>     1303 # Is value*random == identity?
>     1304 for i in range(num_checks):
>
>     ValueError: Value 115792089237316195423570985008687907852837564279074904382605163141518161494337 illegal (not an integer in the Hasse range)
>
> Also I'm not quite sure this makes any sense when you're trying to define the cardinality, especially trying to set the same cardinality of the initial curve.

Oh sorry I wrote it by phone you can check this code

    p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f ** 2
    K = GF(p)
    a = K(0x0000000000000000000000000000000000000000000000000000000000000000)
    b = K(0x0000000000000000000000000000000000000000000000000000000000000007)
    E = EllipticCurve(K, (a, b))
    G = E(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
    print(E.order())

We can also change order number in sagemath but it will be useless because we cannot do attack but yes we will have factors.
|
mjojo
January 30, 2025, 03:30:43 AM

Anyone here to discuss changing the N order in secp256k1?
|
dexizer7799
January 30, 2025, 10:21:28 AM

> Anyone here to discuss changing the N order in secp256k1?

I think only mapping coordinates from original curve to twist and private key order must be same.
|
jovica888
February 02, 2025, 08:46:05 PM

>     p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f ** 2

I tried this P and I basically get like P * regular curves (I am not sure how to explain) So the structure and order of points are the same nothing changes

    p_prime = (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ** 2

    K = GF(p_prime)
    a = K(0)
    b = K(7)
    E = EllipticCurve(K, (a, b))

    G = E(
        K(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798),
        K(0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
    )

    private_key_hex = "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364144"
    k = int(private_key_hex, 16)
    P = k * G

    print(f"Private key: {private_key_hex}")
    print(f"X = {hex(int(P[0]))}")
    print(f"Y = {hex(int(P[1]))}")

so for Private key 3 and private key fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364144 I get the same point

    Private key: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364144
    X = 0xf9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9
    Y = 0x388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672

    Private key: 3
    X = 0xf9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9
    Y = 0x388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672

Maybe I am doing something wrong
|
dexizer7799
February 03, 2025, 02:31:10 PM

> >     p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f ** 2
>
> I tried this P and I basically get like P * regular curves (I am not sure how to explain) So the structure and order of points are the same nothing changes
>
>     p_prime = (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ** 2
>
>     K = GF(p_prime)
>     a = K(0)
>     b = K(7)
>     E = EllipticCurve(K, (a, b))
>
>     G = E(
>         K(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798),
>         K(0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
>     )
>
>     private_key_hex = "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364144"
>     k = int(private_key_hex, 16)
>     P = k * G
>
>     print(f"Private key: {private_key_hex}")
>     print(f"X = {hex(int(P[0]))}")
>     print(f"Y = {hex(int(P[1]))}")
>
> so for Private key 3 and private key fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364144 I get the same point
>
>     Private key: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364144
>     X = 0xf9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9
>     Y = 0x388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672
>
>     Private key: 3
>     X = 0xf9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9
>     Y = 0x388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672
>
> Maybe I am doing something wrong

Yes your code is right I know that. But unfortunately we cannot do invalid curve attack in these parameters I think only with mapping between curves.
|
magick
February 03, 2025, 04:08:43 PM

> Recently, I was quite surprised, when I saw that there are six different n-values, matching different b-values in secp256k1:
>
> +-----+---------------------------------------------------------------------+
> |  b  |                                  n                                  |
> +-----+---------------------------------------------------------------------+
> | 0x1 |  0xfffffffffffffffffffffffffffffffe06f23032560e83e138ea6fc857fb4794 |
> | 0x2 | 0x1000000000000000000000000000000014551231950b75fc4402da1712fc9b71f |
> | 0x3 |  0xffffffffffffffffffffffffffffffff4c43534ba6c5e3a57918113a87c50283 |
> | 0x4 | 0x100000000000000000000000000000000b3bcacb4593a1c5a86e7eec3783af5dd |
> | 0x6 | 0x100000000000000000000000000000001f90dcfcda9f17c1ec7159035a804b0cc |
> | 0x7 |  0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
> +-----+---------------------------------------------------------------------+
>
> They are repeating over and over again, as b-value is incremented. However, it also seems they can be connected in pairs, each giving the same sum:
>
> +-----+---------------------------------------------------------------------+
> |  b  |                                  n                                  |
> +-----+---------------------------------------------------------------------+
> | 0x1 |  0xfffffffffffffffffffffffffffffffe06f23032560e83e138ea6fc857fb4794 |
> | 0x6 | 0x100000000000000000000000000000001f90dcfcda9f17c1ec7159035a804b0cc |
> | sum | 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff860 |
> +-----+---------------------------------------------------------------------+
> | 0x2 | 0x1000000000000000000000000000000014551231950b75fc4402da1712fc9b71f |
> | 0x7 |  0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
> | sum | 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff860 |
> +-----+---------------------------------------------------------------------+
> | 0x3 |  0xffffffffffffffffffffffffffffffff4c43534ba6c5e3a57918113a87c50283 |
> | 0x4 | 0x100000000000000000000000000000000b3bcacb4593a1c5a86e7eec3783af5dd |
> | sum | 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff860 |
> +-----+---------------------------------------------------------------------+
>
> The question is: does it mean that there is some kind of connection between y^2=x^3+7, and for example y^2=x^3+2? Or maybe there is another connection, where points on curves with identical p-value and n-value can be mapped? Does it mean, that if we have b=0x7, where there are "n" points, and for example b=0xc curve also has the same amount of points, then does it mean we can map them 1:1?

According to Hasse's Theorem: the number of points N on an elliptic curve over a finite field Fp <where p is prime> conforms to the following formula:

|N - (p + 1)| ≤ 2√p

This means that the number of points N is typically close to p+1, with some wiggle room depending on the size of p indicated by the 2√p term.

Because of this theorem if two elliptic curves have the same number of points they may share certain properties. However, just because they have the same number of points doesn’t mean there’s a 1:1 correspondence between all of their points. We can only potentially create such a mapping for some subsets of points and this doesn’t apply to all points on the curves.
|
gmaxwell
February 06, 2025, 12:06:15 AM

Fun fact: there are optimizations in libsecp256k1 that take advantage of the isomorphic groups, by essentially skipping parts of the calculations resulting in "invalid" results that move onto these isomorphic curves in a predictable way, then ultimately project them back onto the proper curve. https://github.com/bitcoin-core/secp256k1/pull/210