Documentation: GLV lattice constants are Eisenstein integer factors of group order #1798

issue Justsomebuddy openend this issue on January 10, 2026
  1. Justsomebuddy commented at 7:23 pm on January 10, 2026: contributor

    Summary

    The GLV decomposition in scalar_impl.h uses constants a1, b1, a2, b2 that form the reduced lattice basis. These constants have a beautiful number-theoretic interpretation that is currently undocumented: they are exactly the Eisenstein integer factors of the group order n.

    Background

    The code already notes:

    0Let l = -1/2 + i*sqrt(3)/2, the complex root of X^2 + X + 1.

    What isn’t mentioned is that Z[l] is classically known as the Eisenstein integers Z[ω], studied by Gotthold Eisenstein in 1844. This ring has unique factorization, and primes p ≡ 1 (mod 3) split as p = π·π̄ = a² + ab + b².

    The Connection

    The secp256k1 group order n factors in Z[ω] as:

    0n = N(π) = π · π̄   where   π = a - bω

    Using the standard Eisenstein norm N(x + yω) = x² - xy + y², we have:

    0N(a - bω) = a² - a(-b) + (-b)² = a² + ab + b² = n

    where:

    0a = 303414439467246543595250775667605759171   (128 bits)
1b = 64502973549206556628585045361533709077    (126 bits)

    The GLV basis constants are exactly these Eisenstein factors:

    Constant Value Eisenstein factor
    a1 0x3086d221a7d46bcde86c90e49284eb15 b
    -b1 0xe4437ed6010e88286f547fa90abfe4c3 a
    a2 0x114ca50f7a8e2f3f657c1108d9d44cfd8 a + b
    b2 0x3086d221a7d46bcde86c90e49284eb15 b

    Verification (SageMath)

     0n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
 1a = 303414439467246543595250775667605759171
 2b = 64502973549206556628585045361533709077
 3
 4# Verify norm formula
 5assert a^2 + a*b + b^2 == n  # ✓
 6
 7# Verify in Eisenstein ring
 8K.<w> = NumberField(x^2 + x + 1)
 9pi = a - b*w  # Note: π = a - bω
10assert pi.norm() == n  # ✓
11
12# GLV constants from libsecp256k1
13a1 = 0x3086d221a7d46bcde86c90e49284eb15
14b1_neg = 0xe4437ed6010e88286f547fa90abfe4c3
15
16assert a1 == b      # ✓
17assert b1_neg == a  # ✓

    Why This Matters

    1. Independent verification: The constants can be verified through Eisenstein factorization, not just derived from Frobenius trace
    2. Educational value: Connects modern ECC optimization to classical algebraic number theory (1844)
    3. Mathematical elegance: The GLV lattice is literally the kernel of the ring homomorphism Z[ω] → Z_n

    Suggested Documentation Addition

    Add to the existing comment in scalar_impl.h:

    0/*
1 * Note: Z[l] is classically known as the ring of Eisenstein integers Z[ω],
2 * studied by Gotthold Eisenstein (1844). The group order n factors in this
3 * ring as n = N(π) where π = a - b*l is an Eisenstein prime with norm
4 * N(a - b*l) = a² + ab + b². The lattice basis vectors {a1 + b1*l, a2 + b2*l}
5 * correspond exactly to these factors: a1 = b, -b1 = a, a2 = a + b, b2 = b.
6 *
7 * This provides an independent verification path for the constants through
8 * classical algebraic number theory.
9 */

    References

    • Eisenstein, G. (1844). “Beweis der allgemeinsten Reciprocitätsgesetze”
    • Gallant, R., Lambert, R., Vanstone, S. (2001). “Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms”
    • Cox, D. “Primes of the Form x² + ny²” — Chapter on Eisenstein integers

    This observation connects two mathematical traditions that developed independently: 19th-century algebraic number theory and 21st-century elliptic curve cryptography.

  2. real-or-random commented at 2:08 pm on January 13, 2026: contributor

    This is certainly interesting, but I’m not convinced that this is a meaningful insight to readers of our code. If anything, I believe we could verify this fact in https://github.com/bitcoin-core/secp256k1/blob/master/sage/gen_split_lambda_constants.sage instead of changing the C comments.

    Can I ask you whether an LLM was used when creating this issue? If so, how?

  3. Justsomebuddy commented at 9:21 am on January 14, 2026: contributor

    Re: practical value — I’d argue theory matters. First came the word, then the number, then cryptography. Gauss and Eisenstein didn’t know their 1844 work on Z[ω] would end up in Bitcoin’s scalar multiplication 180 years later. Documentation of such connections has educational value, even if it doesn’t change the code behavior.

    That said, your suggestion about sage/gen_split_lambda_constants.sage makes sense. Here’s a standalone verification:

     0#!/usr/bin/env sage
 1"""
 2Eisenstein integer structure verification for secp256k1.
 3Demonstrates that GLV constants arise from Z[ω] factorization of group order.
 4
 5References:
 6- Gallant, Lambert, Vanstone (2001): "Faster Point Multiplication on Elliptic Curves"
 7- Eisenstein (1844): "Beweis der allgemeinsten Reciprocitätsgesetze"
 8"""
 9
10n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
11LAMBDA = 0x5363ad4cc05c30e0a5261c028812645a122e22ea20816678df02967c1b23bd72
12
13# Eisenstein factors (from Cornacchia or direct search)
14a = 303414439467246543595250775667605759171
15b = 64502973549206556628585045361533709077
16
17# 1. Norm equation: n = a² + ab + b²
18assert a**2 + a*b + b**2 == n
19
20# 2. In Z[ω]: π = a - bω is an Eisenstein prime with N(π) = n  
21K.<omega> = NumberField(x^2 + x + 1)
22pi = a - b*omega
23assert pi.norm() == n
24
25# 3. GLV eigenvalue: λ = b/a (mod n)
26assert (b * inverse_mod(a, n)) % n == LAMBDA
27
28# 4. Verify λ is primitive cube root of unity
29assert (LAMBDA**2 + LAMBDA + 1) % n == 0
30
31print("All verified.")

    The key insight: λ = b/a mod n where (a, b) are Eisenstein factors satisfying n = a² + ab + b². This connects the “magic constants” in scalar_impl.h to 19th century algebraic number theory.

    Re: LLM — I use a custom software stack with agents for research. This is part of a personal philosophical investigation into Semaev’s summation polynomials and j=0 curve structure. The math is independently verified in SageMath regardless of how it was explored.

  4. Justsomebuddy referenced this in commit d096bfbffe on Jan 14, 2026
  5. real-or-random added the label meta/development on Jan 14, 2026
  6. real-or-random commented at 1:29 pm on January 14, 2026: contributor

    Related and potentially interesting stuff if someone wants to dive deeper:

    • https://eprint.iacr.org/2024/1906.pdf: Faster EC mults?!
    • https://eprint.iacr.org/2025/933.pdf: With a second “GLV-like” endomorphism, you can decompose the scalar in an EC mult in 4 integers of size ~64 bits (instead of just 2 of size ~128 bits). This paper talks only about verifying EC mult within arithmetic circuits and not about simply computing them on “ordinary” computers. Perhaps the decomposition itself is too expensive to hope for a speed-up in ordinary EC mults? Any comments appreciated here. @Liam-Eagen
  7. real-or-random closed this on Jan 21, 2026
  8. fanquake referenced this in commit 471e3a130d on Jan 21, 2026


Justsomebuddy real-or-random

Labels
meta/development

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-27 08:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me