Why is the non-singularity condition $4a^3 + 27b^2 \neq 0 \mod p$ required for elliptic curves?
If $4a^3 + 27b^2 \equiv 0 \mod p$, the curve has a singular point (a cusp or self-intersection) where point addition breaks down — the group structure is lost, and the discrete log problem becomes easy.
* Only the smooth (non-singular) curve on the left has a well-defined tangent everywhere, so only it supports the group law; the node and cusp break point doubling. *
What happens at a singularity:
- The curve has a point where it "crosses itself" or forms a sharp cusp
- At this point, there is no unique tangent line → point doubling is undefined
- The group law fails → no valid cryptographic group
Why it makes crypto weak:
- On a singular curve, the discrete logarithm problem can be reduced to easier problems
- For a node (self-intersection): ECDLP reduces to the classical DLP in $\mathbb{F}_p^*$ → subexponential attacks apply
- For a cusp: ECDLP reduces to arithmetic in $\mathbb{F}_p$ → polynomial-time solvable!
- Either way, the security advantage of elliptic curves is completely destroyed
Checking the condition:
- $y^2 = x^3 + ax + b$ with discriminant $\Delta = -16(4a^3 + 27b^2)$
- If $\Delta = 0$: singular → never use this curve
- If $\Delta \neq 0$: non-singular → valid for cryptography
Example: $y^2 = x^3$ (where $a = 0, b = 0$): $4 \cdot 0 + 27 \cdot 0 = 0$ → singular (cusp at origin). This curve must not be used.
Tip: All standardized curves (NIST P-256, Curve25519, brainpool curves) have been verified to satisfy this condition. You'd only encounter this issue when generating custom curves.
Go deeper:
Elliptic curve — Wikipedia — the non-singularity condition and the discriminant $\Delta = -16(4a^3+27b^2)$.
Singular point of a curve — Wikipedia — how cusps and nodes (crunodes) are classified.