
I'm exploring a hypothetical scenario for educational and cryptographic understanding. This question assumes an impossible or currently unknown shortcut, and I'm not suggesting this is actually feasible. My goal is to understand whether such a shortcut would compromise the security of the secp256k1 elliptic curve.

Curve context:

I'm referring to the elliptic curve secp256k1, used in Bitcoin and Ethereum, defined over a finite field by:

$y^2 = x^3 + 7 \mod p$

Let:

  • $G$ be the generator point.
  • $2G = G + G$
  • $4G = 2G + 2G$
  • Each point $P = (x, y)$

The hypothetical assumption:

Assume that it were possible to compute the y-coordinate of $4G$ (denoted as $4G(y)$) given only the y-coordinate of $2G$ ($2G(y)$), without knowing the corresponding x-coordinate. I understand this is not possible under current mathematics, but I'm assuming it just for the sake of analysis.

My questions:

  1. Would such a function (let's call it f) that maps $2G(y) → 4G(y)$ compromise the security of the elliptic curve (specifically secp256k1)?

  2. Could this hypothetical function be used to weaken or break the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP)?

  3. How might an attacker use this ability to compromise cryptographic systems based on secp256k1 (e.g., ECDSA, Schnorr signatures, ECDH)?

My understanding so far:

  • Scalar multiplication on an elliptic curve (e.g., computing $kG$) is only supposed to be possible through full knowledge of the point $(x, y)$ and the use of the group law.

  • If one could compute $4G(y)$ from just $2G(y)$, this implies some predictability or shortcut in scalar multiplication, even from partial point information.

This could potentially break assumptions about the irreversibility of scalar multiplication, which ECDLP-based security relies on.

In theory, if this shortcut generalized, it could be used to reduce the complexity of solving for $k$ given $kG$.

I'm asking:

  • If it were feasible to compute $4G(y)$ from $2G(y)$

  • Would that break ECC security?

  • And how might that leak be exploited by an attacker?

Mr.

2 Answers


If it were possible to perform point doubling using only Y-coordinate on secp256k1, would that compromise the curve?

No. And the if condition in this conditional statement is true.

Indeed it is possible to compute with certainty the Y coordinate $y'$ of $2P$ from the Y coordinate $y$ of any $P$ on secp256k1, without requiring the X coordinate of $P$.

Follow this procedure:

  1. Compute $x=(y^2-a)^{(p+2)/9}\bmod p$ with $a=7$ and $p=2^{256}-2^{32}-977$
  2. Compute $\lambda=(2y)^{-1}\,3x^2\bmod p$ and $y'=(3x-\lambda^2)\lambda-y\bmod p$

Rationale: It holds $p\bmod 9=7$. Thus in step 1, the exponent $(p+2)/9$ is $3^{-1}\bmod((p-1)/3)$. Therefore if $y$ indeed is the Y coordinate of some point $P=(x_0,y)$ on the curve, then $y^2-7\equiv{x_0}^3\equiv x^3\pmod p$, thus point $(x,y)$ is on the curve, with $x\equiv r^j x_0\pmod p$ for some integer $j\in\{0,1,2\}$ and $r=2^{(p-1)/3}\bmod p$ a non-trivial root of unity, that is $r^3\bmod p=1$.
The formulas of step 2 are those for point doubling on a short Weierstrass curve with $a=0$, and the X coordinate of the result eliminated. Changing $x$ to $r^jx$ leaves $y'$ unchanged.

More generally, on secp256k1, we can compute the Y (resp. X) coordinate of $kP$ knowing only the Y (resp. X) coordinate of $P$ and integer $k\not\equiv 0\pmod n$, where prime $n$ is the curve's order.

Is it possible to compute $4G(y)$ from $2G(y)$ ?

Yes. Use the above procedure with
$y=$ 0x1AE168FEA63DC339A3C58419466CEAEEF7F632653266D0E1236431A950CFE52A yielding
$x=$ 0xC360A6D0B34CE6DF4135EE7D59F87B33D2FAD8CCE43837EF3E995B6ED89250E1
$\lambda=$ 0xACA8855949319D3D84469736C789DF49EED159F1B1815919A4AB7B73F5186E5C
$y'=$ 0x51ED993EA0D455B75642E2098EA51448D967AE33BFBDFE40CFE97BDC47739922
Note: the above $x$ is not the X coordinate of $2G$, but $y'$ is the Y coordinate of $4G$ nevertheless.

Would that break ECC security?

No. The previous fact has been standing since the origins of secp256k1. It's easy to establish, and I doubt this is the first time this is discussed. Thus the security of secp256k1 was studied with that fact standing, and known or at least at arm's reach.

How might that leak be exploited by an attacker?

I don't see that this property is a leak, or that it can be exploited.

fgrieu

Assume that it were possible to compute the y-coordinate of $4G$ (denoted as $4G(y)$) given only the y-coordinate of $2G$ ($2G(y)$), without knowing the corresponding x-coordinate. I understand this is not possible under current mathematics, but I'm assuming it just for the sake of analysis.

Yes, it is possible.

If you have the $y$ coordinate of $2G$, all you need to do is find the $x$ coordinate. Now, because $p \equiv 1 \pmod 3$ for the secp256k1 curve, the equation $y^2 = x^3 + 7 \pmod p$ has in general three solutions for $x$ (for those $y$ coordinates where one solution exists), and so there are three possible points for $2G$, namely $(x_0, y), (x_1, y), (x_2, y)$.

For each of these points, you can double them to compute $4G$, ending up with three possible points for $4G$. Now, it happens that all three points share the same $y$ coordinate, and so the $y$ coordinate can be uniquely determined. This is true because the curve is a Koblitz curve ($a=0$); I do not believe that it is true for Weierstrass curves in general.

Would that break ECC security?

One would hope not. As I've shown, the computation from $2G(y)$ to $4G(y)$ is quite practical, and so any such weakness would apply.

poncho
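The following is an added worked example, not code from either answer. It implements fgrieu's two-step procedure (cube root via the exponent $(p+2)/9$, then the $a=0$ doubling formula with the resulting X coordinate eliminated) and checks poncho's observation that all three X candidates for a given Y double to a point with the same Y. It also implements the "more generally" remark: the Y coordinate of $kP$ from the Y coordinate of $P$ alone, by picking any one of the three X candidates and running an ordinary scalar multiplication. The curve constants are the public secp256k1 domain parameters; the affine group law, `mul`, `x_candidates`, `double_y_only` and `mul_y_only` are names chosen here. The check against a full-coordinate computation of $2G$ and $4G$ is what a practitioner should run before trusting a Y-only shortcut, and the `ValueError` branch rejects a $y$ that is not on the curve at all.

```python
"""Y-only point doubling and scalar multiplication on secp256k1 (added example)."""

# Public secp256k1 domain parameters: y^2 = x^3 + 7 over GF(p), with p = 7 (mod 9).
P = 2**256 - 2**32 - 977
B = 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)

assert (P + 2) % 9 == 0  # the cube-root exponent (p+2)/9 only makes sense because p = 7 (mod 9)


def inv(a):
    """Modular inverse in GF(p) (Python 3.8+)."""
    return pow(a, -1, P)


def add(p1, p2):
    """Affine group law on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # P + (-P)
        lam = 3 * x1 * x1 * inv(2 * y1) % P  # doubling tangent slope, a = 0
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Plain double-and-add (not constant-time; reference computation only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def x_candidates(y):
    """All x with (x, y) on the curve: one cube root of y^2 - 7 times each cube root of unity."""
    c = (y * y - B) % P
    x = pow(c, (P + 2) // 9, P)          # step 1 of the answer: cube root when c is a cube
    if pow(x, 3, P) != c:
        raise ValueError("y is not the Y coordinate of any secp256k1 point")
    # Non-trivial cube root of unity r: g^((p-1)/3) for the first non-cube g.
    r = next(pow(g, (P - 1) // 3, P) for g in range(2, P) if pow(g, (P - 1) // 3, P) != 1)
    return [x, x * r % P, x * r * r % P]


def double_y_only(y):
    """Y coordinate of 2Q from the Y coordinate of Q alone (step 2 of the answer)."""
    x = x_candidates(y)[0]               # any of the three candidates gives the same y'
    lam = 3 * x * x * inv(2 * y) % P
    return ((3 * x - lam * lam) * lam - y) % P


def candidates_double_to_same_y(y):
    """poncho's observation: all three candidate points for a given y double to the same y."""
    ys = {add((x, y), (x, y))[1] for x in x_candidates(y)}
    return len(ys) == 1


def mul_y_only(k, y):
    """Y coordinate of kQ from the Y coordinate of Q alone, for k not a multiple of the order."""
    x = x_candidates(y)[0]
    return mul(k, (x, y))[1]


if __name__ == "__main__":
    y2 = mul(2, G)[1]                    # 2G(y) computed the ordinary way, from full coordinates
    print("4G(y) from 2G(y) only:", hex(double_y_only(y2)))
    print("matches full computation:", double_y_only(y2) == mul(4, G)[1])
```

Running the script reproduces the answer's worked value for $4G(y)$; `double_y_only` never learns the true X coordinate of $2G$, yet the result agrees with the full-coordinate computation, which is exactly the point of the accepted answer: the property holds, and it holds for every point and every scalar, so it was part of the curve all along.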