3

Take secp256r1 as an example; the parameters of the curve are

p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

From my limited math knowledge, we can calculate that there is a point (or, to be precise, two points) on the curve such that the x coordinate is 0.

$$y^2=x^3+ax + b \mod p$$

Let $x=0$, then $y^2 = b \mod p$. We get $y=46263761741508638697010950048709651021688891777877937875096931459006746039284$

However, I don't know if this is a point that G could generate. I read that in some implementations a zero x coordinate will be treated as the infinity point. I did some research but did not find an explanation of this. From the perspective of an algorithm library, should we reject a public key with a zero x coordinate (but non-zero y coordinate)? From the perspective of a user, should I re-generate a private key if I have found that the x coordinate of my public key is 0? (Or will it never happen, so I don't have to worry?)

Extended question: A similar question can be asked for the y coordinate: there might be a point on the curve whose y coordinate is zero. Although I don't know how to calculate the actual coordinate, I think it should be considered a valid public key. Correct me if I am wrong though.

Jin.J

2 Answers

4

> I don't know if this is a point that $G$ could generate.

Yes it is.

As stated in the question, this point satisfies the equation of secp256r1. That defines a group of prime order $n$ (given in the linked reference). That is, there are $n$ elements in the group formed by the point at infinity $\mathcal O$ and all the $(x,y)$ pairs verifying the equation in the base finite field, here $\mathbb F_p$. In yet other words, the co-factor $h=1$. Therefore any point on the curve is a member of the group generated by any member of the group other than $\mathcal O$, including $G$.

> Could a EC public key have zero coordinate?

As we have seen, $x=0$ is possible in the case at hand.

$y=0$ is impossible. An algebraic proof that there is no solution to $x^3+ax+b=0$ in the finite field $\mathbb F_p$ can be made by considering the values of $a$, $b$ and $p$ (see comment), but below is an argument that only uses $4a^3+27b^2\not\equiv0\pmod p$ and that the curve is of large prime order $n$.

  • For any point on the curve other than $\mathcal O$, if $(x,y)$ satisfies the curve's equation, then $(x,-y)$ also satisfies the curve's equation. It's a different point (since $p$ is odd).

  • Therefore there is an even number of points with $y\ne0$, therefore an odd number of points counting $\mathcal O$.

  • We know that the group order $n$, that is the number of points including $\mathcal O$, is a large prime, thus odd. Thus the number of points with $y=0$ is even.

  • Since $x^3+ax+b=0$ is a polynomial of the third degree, it has 0, 1, 2, or 3 distinct solutions, and of these only 0 or 2 are even.

  • If $x^3+ax+b=0$ had 2 distinct solutions $u$ and $v$, we could rewrite the polynomial $x^3+ax+b\,$ as $\,(x-u)^2\times (x-v)$. Developing that we get $$x^3-(2u+v)x^2+u(u+2v)x-u^2v$$

  • Identical polynomials have identical coefficients, thus $0=2u+v$, $a=u(u+2v)$, $b=-u^2v$, thus by substitution of $v$ by $-2u$ we get $a=-3u^2$ and $b=2u^3$, thus $4a^3+27b^2=0$, which does not hold. Therefore $x^3+ax+b=0$ does not have 2 solutions. Therefore it has 0 solutions.


The above considerations apply to curves over a prime field with cofactor $h=1$.

For curves of cryptographic interest with a subgroup of large prime order $n$ having generator $G$:

  • If the cofactor $h>1$, then in order to check that a point $P$ verifying the curve's equation can be generated by $G$, we need to check that $[n]P=\mathcal O$ (the point at infinity).
  • It's not universal that there is a point on the curve (excluding $\mathcal O$) with either of its coordinates equal to $0$. If there is such a point $P$, it's tempting to use $[h]P$ (or some lower multiple of $P$) as $G$. I see no reason not to do so, at least until we get into side-channel resistance.
fgrieu
-1

To test if a point is in the group generated by the default generator point $G$ for P-256 (or P-384, P-521 and similar curves), multiply the point by $n$, the order of the group generated by $G$, and see if it's the point at infinity.

More info:

DannyNiu
  • Why would you do that instead of checking if the point satisfies the curve equation? Multiplying by the group order makes sense if there is a cofactor > 1, but for curves of prime order, I don't see the point. – Mehdi Tibouchi Oct 10 '23 at 04:10
  • @MehdiTibouchi checking the equation only tells us if it's on the curve, but it doesn't tell us if it's in the group. OP asked about this for the P-series curves, so I answered it accordingly. What's more, I've linked to SEC#1 section on validating public key, which OP could use for further investigation. – DannyNiu Oct 10 '23 at 05:11
  • For a prime order curve (of which all the P-series curves are examples), being on the curve and being in the group are equivalent. – Mehdi Tibouchi Oct 10 '23 at 05:13
  • I don't believe that this always ensures that the alleged point is on the curve. If you get a $(x, y)$ pair, that implies that it's on some curve (unless that curve turns out to be degenerate; not sure what would happen in that case); that curve will be of some order. However, alternative curves might also be of order $n$, and a point on such a curve will pass your test (even if it's not the curve you're thinking about). – poncho Oct 10 '23 at 20:23