
Wed Apr 01 2026

Elliptic curves are symmetric over $y = p/2$

In secp256k1 over $\mathbb{R}^2$, the curve $y^2 = x^3 + 7$ forms an abelian group where point addition is defined as "draw a straight line through both points and take the inverse of the intersection (the third point)." The graph is symmetric along $y = 0$. There exists a point $P \in \mathbb{R}^2$ such that $P = P^{-1}$, namely $P = (\sqrt[3]{-7}, 0)$. This point won't lie on secp256k1 if it is taken over $(\mathbb{F}_p)^2$, so every point will have a distinct inverse in that case.

Plotting the curve over $(\mathbb{F}_p)^2$

We vary $x = 0, 1, 2, 3, \ldots, p-1$ and substitute each into $y^2 = x^3 + 7 \mod p$. So for each $x$ we get $y^2 = q_x \mod p$, where $q_x = x^3 + 7$.

If $q_x$ is a quadratic residue of $p$, then the point lies on the curve. We get two solutions: $(x, y)$ and $(x, p - y)$. If $y$ is even, then $p - y$ is odd. Similarly, if $y$ is a QR then $p - y$ is a QNR. If $q_x$ is a quadratic non-residue of $p$, then there is no solution.

[Figure: ec-curve-symmetry-f23]

The symmetry axis

The graph is symmetric along $y = p/2$ because $y$ and $p - y$ belong to the same $x$, since $y^2 \equiv (p - y)^2 \mod p$.

But wait. $p$ is odd, so $p/2$ does not belong to $\mathbb{Z}_p$. Should we compute $p \cdot 2^{-1} \mod p$ instead? That is always zero. But the EC curve is not symmetric over $y = 0 \mod p$.

Also, since $p$ is odd, the number of quadratic residues and non-residues are not equal. But the $y$-coordinate points on the EC curve seem to be symmetric over $y = p/2$ anyway.

So the symmetry is visual, not algebraic in $\mathbb{Z}_p$. When we plot the points on a standard integer grid, $y$ and $p - y$ are equidistant from $p/2$ by construction. The axis $y = p/2$ is a property of how we draw the graph, not a meaningful element of the field.

Quadratic residues in $\mathbb{Z}_p^*$

Exactly half of $\mathbb{Z}_p^*$ are quadratic residues, and they are the even powers of a generator $g$. A group can have different generator points, but the set of QRs can't be different. So the even powers of any $g$ result in the same set QR?
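The pairing of $y$ with $p - y$ and the generator question above can be checked by brute force on a toy field. This is an added example, not code from the original page: the prime 31 and every function name are assumptions chosen for illustration, and $p = 23$ is included to show that the absence of a $y = 0$ point depends on the prime.

```python
# Added example. P = 31 is a toy prime chosen here (an assumption); like the
# secp256k1 prime it satisfies p % 4 == 3 and p % 3 == 1.
P = 31

def is_qr(a, p=P):
    """Euler's criterion: a is a nonzero square mod p iff a^((p-1)/2) == 1."""
    return pow(a, (p - 1) // 2, p) == 1

def curve_points(p=P):
    """Affine points of y^2 = x^3 + 7 over F_p, by brute force over x and y."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - 7) % p == 0]

def self_inverse_points(p=P):
    """Points with y == 0, i.e. points equal to their own inverse."""
    return [(x, y) for x, y in curve_points(p) if y == 0]

def symmetry_report(p=P):
    pts = set(curve_points(p))
    return {
        # (x, y) on the curve implies (x, p - y) on the curve
        "mirrored": all((x, (p - y) % p) in pts for x, y in pts),
        # p is odd, so y and p - y differ in parity whenever y != 0
        "opposite_parity": all(y % 2 != (p - y) % 2 for _, y in pts if y),
        # exactly one of y, p - y is a QR; relies on -1 being a QNR (p % 4 == 3)
        "opposite_qr": all(is_qr(y, p) != is_qr(p - y, p) for _, y in pts if y),
    }

def qr_set(p=P):
    return {a for a in range(1, p) if is_qr(a, p)}

def generators(p=P):
    """Elements of Z_p^* whose powers hit all p - 1 nonzero residues."""
    return [g for g in range(2, p)
            if len({pow(g, k, p) for k in range(p - 1)}) == p - 1]

def even_powers(g, p=P):
    return {pow(g, k, p) for k in range(0, p - 1, 2)}

if __name__ == "__main__":
    print(len(curve_points()), "affine points; y = 0 points:", self_inverse_points())
    print(symmetry_report())
    print("p = 23 has a y = 0 point:", self_inverse_points(23))
    print("even powers of every generator equal the QR set:",
          all(even_powers(g) == qr_set() for g in generators()))
```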