
For an elliptic curve with the corresponding elliptic curve group of order $2k$, where $2k$ is any even integer, the inverse of $2$ does not exist so that point halving is not defined on the elliptic curve group: Two points that differ by $kG$, where $G$ is some suitable generator point, multiplied by $2$ always give the same result.

This Q & A on the site offers a very detailed explanation.

I have the following questions:

  1. Is the difference a 2-torsion point, as I suspect?
  2. Is there a way to cancel this term and compute the half of a given point in some other way (without using a multiplicative inverse which is missing)?
  3. Is there in general a way to tell such two points apart?

Any ideas would be appreciated.

Hey

2 Answers


I'm not sure I understand what you are asking, but I think understanding the group structure will help you.

Let's take as example $y^2 = x^3 -3x + 6$ over $GF(17)$

This curve has $14 (=2*7)$ points:

  • The point at infinity
  • The point of order $2$
  • $6$ points in the prime order subgroup of order $7$
  • $6$ points of order $14$

For a total of $1+1+6+6=14$. The last set of points, of order $14$, is made by adding the point of order $2$ to all points of the prime order subgroup. Let's call $P[0], P[1], ..., P[5]$ the points of the prime order subgroup and $T$ the point of order $2$, then the $5$ points of order $14$ are:

$P[0] + T, P[1] + T, ..., P[5] + T$

Now, intuitively, you can't halve $T$, as its subgroup is $\{T,O\}$. There is no point that multiplied by $2$, will give you $T$.

So you also can't halve the points $P[i] + T$, as there is $T$ in there, so no point multiplied by $2$ will give you $P[i] + T$.

Instead, you can halve the points in the prime order subgroup by multiplying them by $2^{-1} \mod 7= 4$, but this is not the only solution!

In fact, the points $P[i] + T$ when multiplied by $2$ give you $2P[i] + 2T = 2P[i] + O = 2P[i]$, so $4P[i]+T$ and $4P[i]$ are two distinct solutions to the halving of $P[i]$ in the curve.

Ruggero

The question considers an elliptic curve group over a finite field $\mathbb F$, with that group of even order $2k$, and a generator $G$. It remarks that $2$ has no inverse modulo $2k$. And that if points $P,Q$ are such that $Q=kG+P$, then $2Q=2(kG+P)=(2kG)+2P=\mathcal O+2P=2P$. Notice that $2kG=\mathcal O$ follows from the group order being $2k$.

  1. Is the difference a 2-torsion point, as I suspect?

Yes, if $Q=kG+P$, then $R=Q-P$ is a 2-torsion point. That $R$ is a 2-torsion point by my definition means that $R\ne\mathcal O$ and $2R=\mathcal O$, the latter following from $2R=2(Q-P)=2(kG+P-P)=2kG=\mathcal O$.

  2. Is there a way to cancel this term and compute the half of a given point in some other way (without using a multiplicative inverse which is missing)?

In that elliptic curve group, "the half of a given point" $P$ is not a well-defined point $H$. That's the set, possibly empty, of the point(s) $H$ on the elliptic curve such that $2H=P$. If $H$ belongs to that set, then so does $H'=H+kG$, since we'll have $2H'=2(H+kG)=2H+2kG=2H+\mathcal O=2H=P$. And we can't have $H=H'$, for this would imply $kG=\mathcal O$, contradicting the hypothesis that $G$ is a generator of a group of order $2k$.

If we are given a point $P=uG$ with $u$ given or somewhat found from $P$, then the set of $H$ is the set of $H=vG$ with $2v\equiv u\pmod{2k}$ (Note: $G$ being a generator implies $u$ exists, and $v$ exists if $H$ exists). The equation $2v\equiv u\pmod{2k}$ is in the ring of integers modulo $2k$. It has a solution if and only if $u$ is even, and then has exactly two distinct solutions in that ring: $u/2$ and $u/2+k$. There are thus exactly two solutions for $H$, which are $(u/2)G$ and $(u/2+k)G$. And yes, the difference between these two solutions is $kG$, a 2-torsion point per question 1.

If we are given $P$ but do not want to make the (possibly impossibly hard) work of finding $u$: we can test if there is a solution $H$ to $2H=P$ by checking $kP=\mathcal O$. That condition is necessary, because if $H$ exists it holds $kP=k(2H)=(2k)H=\mathcal O$. It's sufficient (argument: it implies the order $u$ of $P$ is even). When $k$ is odd, a solution is $((k+1)/2)P$, and easily verified: $2H=2((k+1)/2)P=(k+1)P=kP+P=\mathcal O+P=P$. The other solution is $((3k+1)/2)P$. I'm still struggling with even $k$.

  3. Is there in general a way to tell such two points apart?

If we know only that $P$ was obtained by doubling $H$, there's no way to tell which of the two solutions is the original $H$. It's possible to define a criterion to choose a particular one, like if $P=uG$, we choose $H=((u/2)\bmod k)G$. Or prefer $\mathcal O$ when $P=0$, and the solution with the lexicographically smallest representation in uncompressed coordinates otherwise.

fgrieu
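The curve Ruggero picked and the halving test from fgrieu's answer, carried through as an added example (my code, not from either answer). It assumes only what the page gives: $y^2 = x^3 - 3x + 6$ over $GF(17)$ with group order $14 = 2 \cdot 7$, so $k = 7$, and $T$ the single point of order $2$.

```python
# Added example (not from either answer): brute-force arithmetic on the curve
# y^2 = x^3 - 3x + 6 over GF(17); its group has order 14 = 2*7, so k = 7.
P_MOD, A, B = 17, -3, 6
O = None  # the point at infinity

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def add(p, q):
    """Affine chord-and-tangent addition; field inverses via pow(., -1, p)."""
    if p is O or q is O:
        return q if p is O else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P + (-P); also doubling the point with y = 0
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(n, pt):
    """Left-to-right double-and-add; mul(0, pt) is O."""
    acc = O
    for bit in bin(n)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def points():
    """All 14 group elements, found by exhaustive search (p is tiny)."""
    return [O] + [(x, y) for x in range(P_MOD) for y in range(P_MOD)
                  if on_curve((x, y))]

def two_torsion():
    """The unique T != O with 2T = O; it equals kG for every generator G."""
    return next(q for q in points() if q is not O and add(q, q) is O)

def halves(pt, k=7):
    """Every H with 2H = pt, or [] if none. kP == O is fgrieu's halvability
    test; for odd k one half is ((k+1)/2)P and the other is H + kG = H + T.
    ((3k+1)/2)P is not the other one: kP == O collapses it onto ((k+1)/2)P."""
    if mul(k, pt) is not O:
        return []
    h = mul((k + 1) // 2, pt)
    return [h, add(h, two_torsion())]
```

Running `halves` over every point shows exactly $7$ of the $14$ elements (the order-$7$ subgroup plus $\mathcal O$) have halves, each with two of them differing by $T$, matching both answers.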