2

I am writing unit tests for an elliptic curve implementation (secp256r1 / prime256v1) and need to find a curve point with $y = 0$ to reach coverage for an edge case (special handling of curve points with $y = 0$ during point doubling).

The curve is defined as

$$ y^2 \equiv x^3 + ax + b \pmod p $$

with p, a and b being fixed constants

$$ p=115792089210356248762697446949407573530086143415290314195533631308867097853951 $$

$$ a=115792089210356248762697446949407573530086143415290314195533631308867097853948 \equiv -3 \pmod p $$

$$ b=41058363725152142129326129780047268409114441015993725554835256314039467401291 $$

and I must find

$$ x^3 + ax + b \equiv 0 \pmod p $$

I would appreciate your help. If you know a solution or a database (I think this is a common edge case for this named elliptic curve), please let me know :)

Best regards, Dustin

Dustin
  • 21
  • Nicely asked question – abcdefu Aug 10 '22 at 14:19
  • I doubt there is a method other than checking all values $x=0,\cdots,p-1.$ Even a simpler equation, $x^2+ax+b\equiv 0\pmod p$ doesn't have a simple formula - it amounts to finding a square root of $a^2-4b$ modulo $p,$ and I don't know any quick method for that other than squaring $0,1,\dots,\frac{p-1}2.$ – Thomas Andrews Aug 10 '22 at 14:28
  • We might have a rule for figuring out if such an $x$ exists, however. – Thomas Andrews Aug 10 '22 at 14:30
  • 2
    For example, if you compute $\gcd(x^p-x,{x^3+ax+b})$ and get a value other than $1,$ then there is such an $x.$ If the gcd is of the form $x+c,$ this will also give you the root, but the GCD might give $x^3+ax+b,$ if there are three distinct roots, or $x^2+cx+d,$ in which case there are two distinct roots with one repeated (and then you should be able to find a root.) – Thomas Andrews Aug 10 '22 at 14:38
  • 1
    Calculating the GCD might seem complicated, but we can solve the division of $x^p-x$ by $x^3+ax+b$ by calculating $x^p\bmod(x^3+ax+b)$ using repeated squaring, which takes $O(\log p)$ time. – Thomas Andrews Aug 10 '22 at 14:42
  • You can find the solution(s), if any with for example the Cantor-Zassenhaus algorithm. It is an extension of the method outlined in two comments by Thomas Andrews. In the annoying case of a cubic with three solutions, C-Z proceeds by (non-deterministically?) distinguishing roots $x$ such that $x-r$ is a quadratic residue modulo $p$. You simply select random $r$s until you get lucky (a single test value of $r$ gives you something with probability at least 50 per cent). See this older thread for links to more. I did a small case as an example. – Jyrki Lahtonen Aug 10 '22 at 15:43
  • FYI. There is https://neuromancer.sk/std/secg/secp256r1 for a good listing of the standard curves. In Cryptography, we divide the curves into prime and non-prime curves. Prime curves have prime order, so there are no order 2 elements ($y=0$). Non-prime curves can have order two elements like Curve25519. This is necessary for the Montgomery ladder... – kelalaka Aug 10 '22 at 19:22
  • Your real issue is the point of infinity and side-channel resistance. You may need to look at the Joye ladder for side channel implementation. – kelalaka Aug 10 '22 at 19:24
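As an added, runnable example (not code from the question or from any commenter), the following Python implements the root test described in Thomas Andrews' comments, computing $x^p \bmod (x^3+ax+b)$ by repeated squaring and then $\gcd(x^p - x,\, x^3+ax+b)$, together with the Cantor-Zassenhaus splitting step Jyrki Lahtonen mentions for the case where the gcd has degree two or three. The secp256r1 constants are the ones given in the question; the small cubics over $\mathbb F_{23}$ are constructed here purely to exercise the splitting path. Polynomials are plain coefficient lists, lowest degree first.

```python
import random

# secp256r1 (prime256v1) domain parameters, as given in the question
P256_P = 115792089210356248762697446949407573530086143415290314195533631308867097853951
P256_A = P256_P - 3
P256_B = 41058363725152142129326129780047268409114441015993725554835256314039467401291

# Polynomials over F_p are lists of coefficients, lowest degree first: [c0, c1, c2, ...].

def _trim(f):
    """Drop zero leading coefficients in place; the zero polynomial is []."""
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_divmod(f, m, p):
    """Quotient and remainder of f divided by the non-zero polynomial m over F_p."""
    f = _trim([c % p for c in f])
    m = _trim([c % p for c in m])
    inv_lead = pow(m[-1], -1, p)
    dm = len(m) - 1
    q = [0] * max(len(f) - dm, 0)
    while len(f) > dm:
        coef = f[-1] * inv_lead % p
        shift = len(f) - 1 - dm
        q[shift] = coef
        for i, mi in enumerate(m):
            f[shift + i] = (f[shift + i] - coef * mi) % p
        _trim(f)
    return _trim(q), f

def poly_mulmod(f, g, m, p):
    """f * g reduced modulo m over F_p."""
    prod = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                prod[i + j] = (prod[i + j] + fi * gj) % p
    return poly_divmod(prod, m, p)[1]

def poly_powmod(base, e, m, p):
    """base^e reduced modulo m over F_p by square-and-multiply (O(log e) steps)."""
    result = [1]
    base = poly_divmod(base, m, p)[1]
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, p)
        base = poly_mulmod(base, base, m, p)
        e >>= 1
    return result

def poly_sub(f, g, p):
    """f - g over F_p."""
    n = max(len(f), len(g))
    f = f + [0] * (n - len(f))
    g = g + [0] * (n - len(g))
    return _trim([(a - b) % p for a, b in zip(f, g)])

def poly_gcd(f, g, p):
    """Monic gcd over F_p by the Euclidean algorithm; gcd(0, 0) is []."""
    f = _trim([c % p for c in f])
    g = _trim([c % p for c in g])
    while g:
        f, g = g, poly_divmod(f, g, p)[1]
    if not f:
        return []
    inv = pow(f[-1], -1, p)
    return [c * inv % p for c in f]

def roots_mod_p(f, p, rng=None):
    """All distinct roots of f in F_p, p an odd prime.
    1. g = gcd(x^p - x, f) is the product of (x - r) over the distinct roots r,
       so deg g counts the roots; x^p mod f is computed by repeated squaring.
    2. If deg g > 1, split g Cantor-Zassenhaus style: for random r, the roots of
       gcd((x + r)^((p-1)/2) - 1, g) are those rho with rho + r a non-zero
       quadratic residue, which separates the roots with probability about 1/2.
    """
    rng = rng or random.Random(2022)  # fixed seed so runs are reproducible
    x = [0, 1]
    xp = poly_powmod(x, p, f, p)
    g = poly_gcd(poly_sub(xp, x, p), f, p)
    roots, stack = [], [g]
    while stack:
        h = stack.pop()
        if len(h) <= 1:          # constant: this factor has no roots
            continue
        if len(h) == 2:          # monic x + c: the root is -c
            roots.append((-h[0]) % p)
            continue
        while True:
            r = rng.randrange(p)
            t = poly_powmod([r, 1], (p - 1) // 2, h, p)
            d = poly_gcd(poly_sub(t, [1], p), h, p)
            if 1 < len(d) < len(h):  # proper factor found
                break
        stack.append(d)
        stack.append(poly_divmod(h, d, p)[0])
    return sorted(roots)

def points_with_y_zero(a, b, p):
    """x-coordinates of the affine points (x, 0) on y^2 = x^3 + a x + b over F_p."""
    return roots_mod_p([b, a, 0, 1], p)
```

`points_with_y_zero(P256_A, P256_B, P256_P)` returns an empty list, i.e. the gcd is $1$ and the cubic has no root in $\mathbb F_p$, which is what the answers below argue from the curve order. On the constructed curve $y^2 = x^3 + 16x + 6$ over $\mathbb F_{23}$, where $x^3+16x+6 = (x-1)(x-2)(x-20)$, the gcd is the whole cubic and the splitting step recovers all three roots.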

2 Answers

1

Mathematica does not find any solutions to the equation $x^3-3x+b=0$ in the field $\Bbb{F}_p$. This is just as well because the order of this curve $n$, see page 16 of the linked document, is an odd integer. When the cofactor $h=1$, the order of $G$ is the order of the curve. But for a curve in the short Weierstrass form, a point with $y=0$ would be of order two, implying that $2\mid n$ by Lagrange's theorem.

Jyrki Lahtonen
  • 133,153
  • Yes, this is the correct approach. The curve is prime and there are no order 2 elements that are found by setting $y=0$. One can visit Washington's book section 3.1 Torsion points for this. – kelalaka Aug 10 '22 at 19:10
0

If $P=(x,0)\in E$ for some $x$, then $-P=(x,-0) = (x,0) = P$, hence

$$P+P={\cal O}_E$$

The algorithm for adding points would first check whether you are trying to add $P$ to $-P$, and if so (which is the case for such specific $P$), return ${\cal O}_E$. Hence, the algorithm would never enter the usual computation of $2P$ that requires the computation of

$$\lambda = \dfrac{3x_P^2+a}{2y_P}$$

So when computing $\lambda$, the assertion `y != 0` holds, and you'll never succeed in covering the computation of $\lambda$ with $y=0$ (unless there is a bug elsewhere in the code).

emacs drives me nuts
  • 10,390
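An added illustration, not part of either answer, of why the $y = 0$ branch of the doubling formula is unreachable through a correct addition routine, and of the Lagrange argument in the first answer: the curve $y^2 = x^3 + 16x + 6$ over $\mathbb F_{23}$ is constructed for this example (it is not a standard curve) and has the order-two points $(1,0)$, $(2,0)$ and $(20,0)$, so its order is even; $y^2 = x^3 + 3x + 1$ over the same field has no such point and its order is odd. All functions are example code with brute-force helpers meant only for toy-sized fields.

```python
# Constructed toy curve over F_23 (not a standard curve): y^2 = x^3 + 16x + 6.
# x^3 + 16x + 6 = (x - 1)(x - 2)(x - 20) mod 23, so (1, 0), (2, 0), (20, 0) are on it.
TOY_P, TOY_A, TOY_B = 23, 16, 6

def on_curve(pt, a, b, p):
    """True for the point at infinity (None) or an affine point satisfying the equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def doubling_slope(pt, a, p):
    """lambda = (3x^2 + a) / (2y): the computation the question wants to cover."""
    x, y = pt
    if y % p == 0:
        raise ZeroDivisionError("doubling slope undefined when y == 0")
    return (3 * x * x + a) * pow(2 * y, -1, p) % p

def ec_add(pt1, pt2, a, p):
    """Affine addition on y^2 = x^3 + ax + b over F_p; None is the point at infinity O."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        # pt2 == -pt1. This branch also catches doubling a point with y == 0,
        # so doubling_slope is never reached with a zero denominator.
        return None
    if pt1 == pt2:
        lam = doubling_slope(pt1, a, p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_mul(k, pt, a, p):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt, a, p)
        pt = ec_add(pt, pt, a, p)
        k >>= 1
    return result

def point_order(pt, a, p, limit=10_000):
    """Smallest n >= 1 with n*pt == O, by repeated addition (toy sizes only)."""
    acc, n = pt, 1
    while acc is not None:
        acc = ec_add(acc, pt, a, p)
        n += 1
        if n > limit:
            raise ValueError("order not found within limit")
    return n

def curve_order(a, b, p):
    """#E(F_p) by brute force (toy sizes only): O plus, per x, the number of y with y^2 = RHS."""
    count = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs == 0:
            count += 1                            # exactly one point (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:      # quadratic residue: (x, y) and (x, -y)
            count += 2
    return count
```

`ec_add((1, 0), (1, 0), TOY_A, TOY_P)` returns `None` from the $P = -P$ check, and `point_order((1, 0), ...)` is $2$, so `curve_order(TOY_A, TOY_B, TOY_P)` is even; `curve_order(3, 1, 23)` is odd because that cubic has no root. The only way to call `doubling_slope` with $y = 0$ is to bypass `ec_add`, which is the "bug elsewhere in the code" case the answer mentions.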