Yes, it’s a consequence of the Edwards curve models used, but secp256k1 is a short Weierstrass curve.

Ed25519 has the identity (0,1) in Affine coordinates, meaning (0,1) + (0,1) = (0,1) in Ed25519. It little endian encodes as [1u8, 0u8, ..., 0u8], not all zeros.

In fact [0u8; 32] decodes as (1,0) because -1 is a square in F_q with q = 2^255-19, since q is divisible by 4. It follows (1,0) lies on the curve. It’s not in the distinguished prime order subgroup, but (1,0) + (1,0) = (0,1) in Ed25519, so (1,0) still acts like the identity in sane Ed25519 protocols. See page 6 of Ed25519 paper.

Ristretto decompresses [0u8; 32] as the identity. It’s arguably somewhat by chance, except Mike Hamberg avoided crazy constants in the Jacobi quartic encoding, so zero stuck around from Ed25519.

If you want unspendable funds then choose a point via hash-to-curve, which also lets you encode an undependable reason, and control who knows they’re unspendable.

let mut hash = sha2::Shake256::default();
let unspendable_address = RistrettoPoint::from_hash(hash).compress()

Appears dalek never released a hash-to-curve for ed25519, but they’ve one in master that’s usable for this:

Read More