7

There function in libsecp256k1 that allows you to directly set the field element to 32 bytes of your choice. Does secp256k1 always return a valid group element for any 32 byte value?

secp256k1_fe_set_b32(&xpoint, bytes)

secp256k1_ge_set_xo_var(ge, &xpoint, 0)

Vojtěch Strnad
  • 5,623
  • 1
  • 8
  • 31
Penquin
  • 671
  • 3
  • 15

1 Answers1

9

The size of secp256k1's coordinate field is 2256 - 232 - 977.

That means there are only 232 + 977 (about 4 billion) possible 32-byte combinations that are not a valid coordinate.

Only slightly less than half (around 2255 - 1.17 * 2127) of those are the X coordinate of a point on the curve (in fact, for every valid X coordinate, there are either exactly 0 or exactly 2 points on the curve).

Pieter Wuille
  • 98,249
  • 9
  • 183
  • 287
  • Could you elaborate how you arrived at "around 2^255 - 1.17 * 2^127"? – drogos86 May 06 '22 at 10:19
  • I divided the curve order by two. You can find the curve order in the secp256k1 specification, or you can compute it using mathematical software like Sage. – Pieter Wuille May 06 '22 at 13:00
  • FWIW, that order (=equal to the number of points on the curve, including infinity) is 115792089237316195423570985008687907852837564279074904382605163141518161494337. – Pieter Wuille May 06 '22 at 13:27