Is there a subgroup of order 2^n (for large n) of the prime field that secp256k1 is defined over?

Question

the curve secp256k1 is defined over the prime finite field F_p with p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1.

Is there any known cyclic subgroup of order 2^n of F_p?

Pieter Wuille · Accepted Answer · 2022-07-22T18:50:16.060

6

No, there cannot be.

There are two groups defined by the secp256k1 field, the addition group, and the group of multiplication of its non-zero elements.

Neither has a large 2ⁿ subgroup, because the order of a subgroup of a finite group must be a divisor of the order of that group.

The order of the additive group must divide the size of the field, namely p, the modulus itself, which is prime, and thus only has itself and the trivial group as subgroups.
The order of the multiplicative group of a field is one less than the size of the field, so p-1, which factors as 2 * 3 * 7 * 13441 * 205115282021455665897114700593932402728804164701536103180137503955397371. Thus, it only has C₂ (the cyclic group with two elements) as subgroup whose order is a power of two. Specifically, in the embedding in the secp256k1 multiplicative group, that subgroup consists of the elements 1 and p-1, and the multiplication between them.

edited Jul 22 '22 at 18:50

answered Jul 22 '22 at 17:55

Pieter Wuille

Ah yes. makes sense! thank you very much! – jet Jul 22 '22 at 21:14
1

@user108963: the answer is correct. The question is about the prime field of order p that secp256k1 is defined over, independent of other parameters of secp256k1 (like b=7, and the curve order n). If we change the question to make it about a subgroup of the elliptic curve group secp256k1, the answer remains NO, because the order of a subgroup divides the order of the group, which for secp256k1 is the prime n, thus any subgroup of secp256k1 has order 1 or n, and none of 1 or n is a large power of 2. – fgrieu Jan 31 '24 at 21:34
@fgrieu okey, that's true. – user108963 Jan 31 '24 at 21:38

1 Answers1