1

I was recently working with some ECC crypto and stumbled across the following phrase on the SafeCurves page:

The rational points of a complete Edwards curve are the pairs (x,y) of elements of F_p satisfying the equation; there is no extra "point at infinity".

Normally, if you have a point $G$ on a curve $E$ with order (of the point) $q$, multiplying $qG=0G=\mathcal O$ results in the point at infinity.

But apparently complete Edwards curves don't have said extra point.

So what happens in this case?

SEJPM
  • 45,967
  • 7
  • 99
  • 205
  • I consider this related to cryptography as ECC is a core discipline of cryptography and multiplying the order with the point is a common self-test for libraries. Furthermore wrong handling of this case may lead to implementation based (side-channel?) attacks. That being said, if there is consensus for migration, I think Math.SE would be the appropriate target. – SEJPM Dec 27 '15 at 19:38

1 Answers1

5

Actually multiplying an elliptic curve point $G$ by its order $q$ gets you to the neutral element of the group, i.e., the point $O$ such that $P+O=P$ for any point P.

In a generic elliptic curves this point is the point at infinity $O$. However on Edwards curves, this point is $(0,1)$, i.e., it can be represented by affine coordinates. This is also stated on wikipedia.

Therefore, multiplying a point by its order, on an Edwards curve, gets you the point $(0,1)$

This means that on Edwards curves: $P+(0,1)=P$ for any point $P$.

Ruggero
  • 7,054
  • 30
  • 40