Elliptic-Curve Generator Order, Private-Key Limits, and the Point at Infinity
A Bitcoin private key begins as a securely generated random integer k. Its public key is the elliptic-curve point:
K = kG
G is a fixed public generator point. The generator's order n tells us how many additions of G complete one full cycle:
nG = 𝒪
𝒪 is the identity element, called the point at infinity.
That one equation explains all of these Bitcoin rules:
valid private keys: 1 ≤ k < n
0G = 𝒪
nG = 𝒪
(n + 1)G = G
(k + n)G = kG
The details become much easier if we build the idea from small examples before using secp256k1's 256-bit numbers.
The Four Objects to Keep Separate
| Symbol | Meaning | Controls |
|---|---|---|
| p | Prime defining the coordinate field | Arithmetic on point coordinates x and y |
| G | Public generator point | Starting point for public-key multiplication |
| n | Order of G | Scalar cycle and valid private-key range |
| 𝒪 | Point at infinity | Identity element of the point group |
The most common confusion is treating p and n as the same limit. They are different numbers with different jobs.
Building Block 1: A Five-Position Clock
Start with ordinary addition modulo 5. Use 1 as the generator:
| Additions | Result modulo 5 |
|---|---|
| 0 × 1 | 0 |
| 1 × 1 | 1 |
| 2 × 1 | 2 |
| 3 × 1 | 3 |
| 4 × 1 | 4 |
| 5 × 1 | 0 |
| 6 × 1 | 1 |
After five additions, the sequence returns to zero. The generator 1 therefore has order 5 in this group:
5 × 1 = 0 mod 5
Adding another full cycle does not change the result:
(k + 5) × 1 = k × 1 mod 5
Elliptic-curve scalar multiplication uses the same cycle idea. Replace the number 1 with a point G, replace ordinary modular addition with elliptic-curve point addition, and replace zero with 𝒪.
Building Block 2: The Identity Point
Every group needs an identity element: a value that changes nothing when added.
For integers under addition, the identity is zero:
a + 0 = a
For elliptic-curve points, the identity is the point at infinity:
P + 𝒪 = P
𝒪 + P = P
The point at infinity is not a distant affine coordinate and it is not (0, 0). It is a special group value with no ordinary affine x,y coordinates.
| Representation | Common encoding of 𝒪 |
|---|---|
| Affine teaching code | null, None, or a dedicated identity object |
| Projective/Jacobian coordinates | A representation with Z = 0 |
| Serialized public keys | Normally rejected; infinity is not a valid Bitcoin public key |
Building Block 3: Inverse Points
Every finite point P has an inverse -P:
P + (-P) = 𝒪
On a short Weierstrass curve over a field modulo p, negation keeps x and reflects y:
P = (x, y)
-P = (x, -y mod p)
Geometrically, the points are vertical reflections of one another. When a point-addition line is vertical, the sum is defined as 𝒪.
If a curve contains a point with y = 0, that point equals its own inverse, so P + P = 𝒪. Such a point has order 2. Bitcoin's selected secp256k1 subgroup has prime order and cofactor 1, so it contains no non-identity order-2 point.
Building Block 4: A Small Elliptic-Curve Cycle
Use the toy curve:
y² = x³ + 7 mod 223
G = (47, 71)
This G has order 21. A few multiples show the complete boundary behavior:
| Scalar | Point |
|---|---|
| 0G | 𝒪 |
| 1G | (47, 71) |
| 2G | (36, 111) |
| 3G | (15, 137) |
| 19G | (36, 112) = -(2G) |
| 20G | (47, 152) = -G |
| 21G | 𝒪 |
| 22G | (47, 71) = G |
Notice the boundary:
(n - 1)G = -G
nG = 𝒪
(n + 1)G = G
This toy order is composite, which makes it good for visual teaching but different from secp256k1. The secp256k1 generator has a very large prime order.
What “Order of G” Means
The order of G is the smallest positive integer n for which:
nG = 𝒪
“Smallest” matters. If 21G = 𝒪, then 42G, 63G, and every other multiple of 21 also equal 𝒪. The order is still 21 because that is the first positive return to the identity.
The points generated by G form a cyclic subgroup:
<G> = {𝒪, G, 2G, 3G, ..., (n - 1)G}
Every scalar is interpreted modulo n during multiplication:
kG = (k mod n)G
Therefore:
(k + n)G
= kG + nG
= kG + 𝒪
= kG
The repetition is a normal property of every finite cyclic group. It is not a defect in elliptic-curve cryptography.
The Actual secp256k1 Constants
Bitcoin uses the curve:
y² = x³ + 7 mod p
Its field prime is:
p = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
In base 10:
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
The standard generator has coordinates:
Gx = 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
Gy = 483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
Its order is:
n = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
In base 10:
n = 115792089237316195423570985008687907852837564279074904382605163141518161494337
These values are close, but not equal:
p - n = 432420386565659656852420866390673177326
p Controls Coordinates
Point coordinates live in the finite field F_p. Curve equations, slopes, inverses, additions, and doublings reduce coordinate values modulo p:
x coordinate arithmetic mod p
y coordinate arithmetic mod p
That is why a negated point is written:
-(x, y) = (x, p - y) mod p
n Controls Scalars
Private keys and signature scalars operate in the scalar field modulo n:
scalar arithmetic mod n
public-key cycle length n
valid private key 1 ≤ k < n
So n, not p, is the private-key upper limit.
Why Zero and n Are Invalid Private Keys
The public key for private scalar k is K = kG.
If k = 0 or k = n, the public result is infinity:
0G = 𝒪
nG = 𝒪
Infinity is not a valid ordinary public key, so neither scalar is a valid Bitcoin private key. The valid range is exactly:
1, 2, 3, ..., n - 1
Values larger than n can produce familiar group points after reduction, but they are not accepted as canonical private keys:
| Input integer | Reduced scalar | Public result | Valid private key input? |
|---|---|---|---|
| 0 | 0 | 𝒪 | No |
| 1 | 1 | G | Yes |
| n - 1 | n - 1 | -G | Yes |
| n | 0 | 𝒪 | No |
| n + 1 | 1 | G | No |
| 2n + 7 | 7 | 7G | No |
The last two rows demonstrate group equivalence, not valid private-key serialization.
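The toy-curve table in Building Block 4 and the secp256k1 boundary table above can both be reproduced with one small implementation. This is an added example, not code from the original page; the function names are illustrative, None stands for 𝒪, and the arithmetic assumes a curve of the form y² = x³ + 7.

```python
# Added example: affine arithmetic on y^2 = x^3 + 7 over F_p (None = point at infinity).
# Teaching code only: double-and-add here is not constant-time.
TOY_P, TOY_G = 223, (47, 71)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b, p):
    """Point addition; handles the identity and the vertical-line case."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                    # P + (-P) = O
    if a == b:
        s = 3 * x1 * x1 * pow(2 * y1, -1, p) % p       # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p  # chord slope
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)

def neg(pt, p):
    return None if pt is None else (pt[0], -pt[1] % p)

def mul(k, pt, p):
    """Double-and-add: k copies of pt added together."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt, p)
        pt = add(pt, pt, p)
        k >>= 1
    return acc

def order(pt, p):
    """Smallest positive k with k*pt = O (brute force, toy curves only)."""
    k, acc = 1, pt
    while acc is not None:
        acc, k = add(acc, pt, p), k + 1
    return k

def is_valid_private_key(k):
    return 1 <= k < N   # range check on the unreduced integer

if __name__ == "__main__":
    print(order(TOY_G, TOY_P), mul(20, TOY_G, TOY_P), mul(N + 1, G, P) == G)
```

Note that `is_valid_private_key` checks the integer before any reduction, which is why n + 1 fails the check even though `mul(N + 1, G, P)` returns G.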
Why the secp256k1 Generator Covers the Whole Group
The cofactor is:
h = number of curve points / generator order
For secp256k1, h = 1. Therefore the curve group has n points including 𝒪, and the standard generator spans the full group.
Some other curves use a subgroup whose order is smaller than the full curve group. Protocols on those curves must handle subgroup membership carefully.
Even with cofactor 1, implementations must validate that an imported public key:
- has a valid SEC encoding;
- has coordinates in the field;
- satisfies the curve equation;
- is not the point at infinity.
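One way to implement the four checks listed above, as an added example that is not part of the original page. The function names are illustrative, and the parser is assumed to accept only the compressed (02/03) and uncompressed (04) SEC prefixes.

```python
# Added example: validate a SEC-encoded secp256k1 public key (names are illustrative).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

def parse_sec_pubkey(data: bytes):
    """Return the affine point (x, y) or raise ValueError."""
    if len(data) == 33 and data[0] in (2, 3):        # compressed: prefix + x
        x = int.from_bytes(data[1:], "big")
        if x >= P:
            raise ValueError("x is not a field element")
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)                # square root, valid since P % 4 == 3
        if y * y % P != rhs:
            raise ValueError("no curve point has this x")
        if (y & 1) != (data[0] & 1):                 # prefix selects the parity of y
            y = P - y
        return x, y
    if len(data) == 65 and data[0] == 4:             # uncompressed: prefix + x + y
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
        if x >= P or y >= P:
            raise ValueError("coordinate is not a field element")
        if (y * y - pow(x, 3, P) - 7) % P != 0:
            raise ValueError("point does not satisfy y^2 = x^3 + 7")
        return x, y
    # Everything else is rejected, including the one-byte 0x00 encoding of infinity.
    raise ValueError("not an accepted SEC public key encoding")

def is_valid_pubkey(data: bytes) -> bool:
    try:
        parse_sec_pubkey(data)
        return True
    except ValueError:
        return False
```

The coordinate pair (0, 0) fails the curve-equation check, which matches the page's point that 𝒪 is not (0, 0).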
How a Secure Random Number Becomes a Private Key
Conceptually, key generation chooses uniformly from:
{1, 2, ..., n - 1}
A robust implementation generally uses rejection sampling:
repeat:
    candidate = 32 bytes from a cryptographically secure random generator
    k = integer(candidate)
until 1 ≤ k < n
Do not use Math.random(), timestamps, human-chosen phrases, short PINs, or predictable counters. The private key is secure only when an attacker cannot guess the original scalar.
Because n is very close to 2^256, almost every uniformly random 256-bit candidate is valid. Rejection sampling still matters because it produces the exact required distribution without modulo bias.
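The rejection loop above in runnable form, together with an exhaustive count that makes modulo bias visible on toy parameters. This is an added example, not code from the original page; the function names, the injectable `rand_bytes` parameter, and the toy values (order 21, 5-bit candidates) are assumptions chosen for illustration.

```python
import secrets
from collections import Counter

# secp256k1 group order n, as given on this page.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def generate_private_key(rand_bytes=secrets.token_bytes, n=N, size=32):
    """Rejection sampling: draw `size` CSPRNG bytes until 1 <= k < n.
    `rand_bytes` is injectable only so the rejection path can be tested."""
    while True:
        k = int.from_bytes(rand_bytes(size), "big")
        if 1 <= k < n:
            return k

def key_counts(n, bits, reject):
    """Feed every `bits`-bit candidate exactly once and count the keys produced.
    reject=True  -> keep the candidate only when 1 <= c < n
    reject=False -> fold it into range with 1 + c % (n - 1) (the biased shortcut)"""
    counts = Counter()
    for c in range(1 << bits):
        if not reject:
            counts[1 + c % (n - 1)] += 1
        elif 1 <= c < n:
            counts[c] += 1
    return counts

if __name__ == "__main__":
    # Toy parameters (constructed): order 21 with 5-bit candidates.
    print("rejection:", sorted(key_counts(21, 5, True).items()))
    print("modulo:   ", sorted(key_counts(21, 5, False).items()))
```

With the toy parameters, rejection yields each key 1 through 20 exactly once, while the modulo shortcut yields keys 1 through 12 twice as often as keys 13 through 20.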
Hierarchical deterministic wallets generate many private keys from one seed. Those child keys are deterministic, but their security still begins with sufficient entropy in the original wallet seed.
What Actually Hides the Random Scalar
Given k, calculating K = kG is efficient. Given only G and K, recovering k is the elliptic-curve discrete logarithm problem.
The public key does not encrypt the private scalar. Scalar multiplication is computationally one-way with known classical algorithms:
easy: k and G -> K
hard: G and K -> k
The group has roughly 2^256 scalar positions. Generic attacks such as Pollard's rho take on the order of the square root of the group size, giving approximately 2^128 work.
The order being public does not reveal the private key. It defines the public cycle in which the hard discrete-log problem lives.
Public Keys, Hashes, and Addresses Come Later
Generator order belongs to the private-key-to-public-key step:
private scalar k
-> scalar multiplication K = kG
-> serialize public point K
-> hash serialized public key
-> encode a Bitcoin address
SHA-256, RIPEMD-160, Base58Check, Bech32, and network prefixes do not change the order of G. They operate after the public point has already been derived.
Common Mistakes
| Mistake | Correction |
|---|---|
| “n is the largest x or y coordinate.” | Coordinates are bounded by p; scalars cycle modulo n. |
| “The point at infinity is (0, 0).” | 𝒪 is a special identity with no affine coordinates. |
| “nG = 0 means the point has zero coordinates.” | It means the group result is the identity 𝒪. |
| “n + 1 is another encoding of private key 1.” | It gives the same group point after reduction but is outside the valid private-key range. |
| “Scalar multiplication multiplies x and y by k.” | It means repeated point addition, implemented efficiently with double-and-add methods. |
| “Any random-looking number is a safe key.” | It must come from a cryptographically secure, uniformly distributed source. |
| “A public-key hash controls the private-key limit.” | Generator order n determines the range before hashing. |
A Compact Mental Model
p: coordinate arithmetic wraps
n: scalar multiplication wraps
G: public starting point
𝒪: identity point
k: secret scalar, valid when 1 ≤ k < n
K: public point kG
Then the boundary cases become predictable:
0G = 𝒪
1G = G
(n - 1)G = -G
nG = 𝒪
(n + 1)G = G
(k + n)G = kG
That is what the generator's order means: it is the length of the point cycle, the modulus of scalar multiplication, and the reason Bitcoin private keys stop at n - 1.