Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

21.1 The Addition Law

An elliptic curve $E$ $E$ is the graph of an equation

\begin{matrix} E : & y^{2} = x^{3} + a x^{2} + b x + c, \end{matrix}

$\begin{matrix} E : & y^{2} = x^{3} + a x^{2} + b x + c, \end{matrix}$

where $a, b, c$ $a, b, c$ are in whatever is the appropriate set (rational numbers, real numbers, integers mod $p,$ $p,$ etc.). In other words, let $K$ $K$ be the rational numbers, the real numbers, or the integers mod a prime $p$ $p$ (or, for those who know what this means, any field of characteristic not 2; but see Section 21.4). Then we assume $a, b, c \in K$ $a, b, c \in K$ and take $E$ $E$ to be

{(x, y) ∣ x, y \in K, y^{2} = x^{3} + a x^{2} + b x + c} .

${(x, y) ∣ x, y \in K, y^{2} = x^{3} + a x^{2} + b x + c} .$

As will be discussed below, it is also convenient to include a point $(∞, ∞),$ $(∞, ∞),$ which often will be denoted simply by $∞ .$ $∞ .$

Let’s consider the case of real numbers first, since this case allows us to work with pictures. The graph $E$ $E$ has two possible forms, depending on whether the cubic polynomial has one real root or three real roots. For example, the graphs of $y^{2} = x (x + 1) (x - 1)$ $y^{2} = x (x + 1) (x - 1)$ and $y^{2} = x^{3} + 73$ $y^{2} = x^{3} + 73$ are the following:

A graph of y versus x shows two curves for the equation y superscript 2 equals x times left parenthesis x plus 1 right parenthesis times left parenthesis x minus 1 right parenthesis.

A graph of y versus x shows a curve for the equation y superscript 2 equals x superscript 3 plus 73.

The case of two components (for example, $y^{2} = x (x + 1) (x - 1)$ $y^{2} = x (x + 1) (x - 1)$ ) occurs when the cubic polynomial has three real roots. The case of one component (for example, $y^{2} = x^{3} + 73$ $y^{2} = x^{3} + 73$ ) occurs when the cubic polynomial has only one real root.

For technical reasons that will become clear later, we also include a “point at infinity,” denoted $∞,$ $∞,$ which is most easily regarded as sitting at the top of the $y -axis$ $y -axis$ . It can be treated rigorously in the context of projective geometry (see [Washington]), but this intuitive notion suffices for what we need. The bottom of the $y -axis$ $y -axis$ is identified with the top, so $∞$ $∞$ also sits at the bottom of the $y -axis$ $y -axis$ .

Now let’s look at elliptic curves mod $p,$ $p,$ where $p$ $p$ is a prime. For example, let $E$ $E$ be given by

\begin{matrix} y^{2} \equiv x^{3} + 2 x - 1 & (\mod 5) . \end{matrix}

$\begin{matrix} y^{2} \equiv x^{3} + 2 x - 1 & (\mod 5) . \end{matrix}$

We can list the points on $E$ $E$ by letting $x$ $x$ run through the values $0, 1, 2, 3, 4$ $0, 1, 2, 3, 4$ and solving for $y :$ $y :$

(0, 2), (0, 3), (2, 1), (2, 4), (4, 1), (4, 4), ∞ .

$(0, 2), (0, 3), (2, 1), (2, 4), (4, 1), (4, 4), ∞ .$

Note that we again include a point $∞ .$ $∞ .$

Elliptic curves mod $p$ $p$ are finite sets of points. It is these elliptic curves that are useful in cryptography.

Technical point: We assume that the cubic polynomial $x^{3} + a x^{2} + b x + c$ $x^{3} + a x^{2} + b x + c$ has no multiple roots. This means we exclude, for example, the graph of $y^{2} = (x - 1)^{2} (x + 2) .$ $y^{2} = (x - 1)^{2} (x + 2) .$ Such curves will be discussed in Subsection 21.3.1.

Technical point: For most situations, equations of the form $y^{2} = x^{3} + b x + c$ $y^{2} = x^{3} + b x + c$ suffice for elliptic curves. In fact, in situations where we can divide by 3, a change of variables changes an equation $y^{2} = x^{3} + a x^{2} + b x + c$ $y^{2} = x^{3} + a x^{2} + b x + c$ into an equation of the form $y^{2} = x^{3} + b^{'} x + c^{'} .$ $y^{2} = x^{3} + b^{'} x + c^{'} .$ See Exercise 1. However, sometimes it is necessary to consider elliptic curves given by equations of the form

y^{2} + a_{1} x y + a_{3} y = x^{3} + a_{2} x^{2} + a_{4} x + a_{6},

$y^{2} + a_{1} x y + a_{3} y = x^{3} + a_{2} x^{2} + a_{4} x + a_{6},$

where $a_{1}, \dots, a_{6}$ $a_{1}, \dots, a_{6}$ are constants. If we are working mod $p,$ $p,$ where $p > 3$ $p > 3$ is prime, or if we are working with real, rational, or complex numbers, then simple changes of variables transform the present equation into the form $y^{2} = x^{3} + b x + c .$ $y^{2} = x^{3} + b x + c .$ However, if we are working mod 2 or mod 3, or with a finite field of characteristic 2 or 3 (that is, $1 + 1 = 0$ $1 + 1 = 0$ or $1 + 1 + 1 = 0$ $1 + 1 + 1 = 0$ ), then we need to use the more general form. Elliptic curves over fields of characteristic 2 will be mentioned briefly in Section 21.4.

Historical point: Elliptic curves are not ellipses. They received their name from their relation to elliptic integrals such as

\begin{matrix} \int_{z_{1}}^{z_{2}} \frac{d x}{\sqrt{x^{3} + b x + c}} & and & \int_{z_{1}}^{z_{2}} \frac{x d x}{\sqrt{x^{3} + b x + c}} \end{matrix}

$\begin{matrix} \int_{z_{1}}^{z_{2}} \frac{d x}{\sqrt{x^{3} + b x + c}} & and & \int_{z_{1}}^{z_{2}} \frac{x d x}{\sqrt{x^{3} + b x + c}} \end{matrix}$

that arise in the computation of the arc length of ellipses.

The main reason elliptic curves are important is that we can use any two points on the curve to produce a third point on the curve. Given points $P_{1}$ $P_{1}$ and $P_{2}$ $P_{2}$ on $E,$ $E,$ we obtain a third point $P_{3}$ $P_{3}$ on $E$ $E$ as follows (see Figure 21.1): Draw the line $L$ $L$ through $P_{1}$ $P_{1}$ and $P_{2}$ $P_{2}$ (if $P_{1} = P_{2},$ $P_{1} = P_{2},$ take the tangent line to $E$ $E$ at $P_{1}$ $P_{1}$ ). The line $L$ $L$ intersects $E$ $E$ in a third point $Q .$ $Q .$ Reflect $Q$ $Q$ through the $x -axis$ $x -axis$ (i.e., change $y$ $y$ to $- y$ $- y$ ) to get $P_{3} .$ $P_{3} .$ Define a law of addition on $E$ $E$ by

P_{1} + P_{2} = P_{3} .

$P_{1} + P_{2} = P_{3} .$

A graph of y versus x shows adding points on an elliptic curve.

Figure 21.1 Full Alternative Text

Note that this is not the same as adding points in the plane.

Example

Suppose $E$ $E$ is defined by $y^{2} = x^{3} + 73 .$ $y^{2} = x^{3} + 73 .$ Let $P_{1} = (2, 9)$ $P_{1} = (2, 9)$ and $P_{2} = (3, 10) .$ $P_{2} = (3, 10) .$ The line $L$ $L$ through $P_{1}$ $P_{1}$ and $P_{2}$ $P_{2}$ is

y = x + 7.

$y = x + 7.$

Substituting into the equation for $E$ $E$ yields

(x + 7)^{2} = x^{3} + 73,

$(x + 7)^{2} = x^{3} + 73,$

which yields $x^{3} - x^{2} - 14 x + 24 = 0 .$ $x^{3} - x^{2} - 14 x + 24 = 0 .$ Since $L$ $L$ intersects $E$ $E$ in $P_{1}$ $P_{1}$ and $P_{2},$ $P_{2},$ we already know two roots, namely $x = 2$ $x = 2$ and $x = 3 .$ $x = 3 .$ Moreover, the sum of the three roots is minus the coefficient of $x^{2}$ $x^{2}$ (Exercise 1) and therefore equals 1. If $x$ $x$ is the third root, then

2 + 3 + x = 1,

$2 + 3 + x = 1,$

so the third point of intersection has $x = - 4 .$ $x = - 4 .$ Since $y = x + 7,$ $y = x + 7,$ we have $y = 3,$ $y = 3,$ and $Q = (- 4, 3) .$ $Q = (- 4, 3) .$ Reflect across the $x -axis$ $x -axis$ to obtain

(2, 0) + (3, 10) = P_{3} = (- 4, - 3) .

$(2, 0) + (3, 10) = P_{3} = (- 4, - 3) .$

Now suppose we want to add $P_{3}$ $P_{3}$ to itself. The slope of the tangent line to $E$ $E$ at $P_{3}$ $P_{3}$ is obtained by implicitly differentiating the equation for $E :$ $E :$

2 y d y = 3 x^{2} d x, so \frac{d y}{d x} = \frac{3 x^{2}}{2 y} = - 8,

$2 y d y = 3 x^{2} d x, so \frac{d y}{d x} = \frac{3 x^{2}}{2 y} = - 8,$

where we have substituted $(x, y) = (- 4, - 3)$ $(x, y) = (- 4, - 3)$ from $P_{3} .$ $P_{3} .$ In this case, the line $L$ $L$ is $y = - 8 (x + 4) - 3 .$ $y = - 8 (x + 4) - 3 .$ Substituting into the equation for $E$ $E$ yields

(- 8 (x + 4) - 3)^{2} = x^{3} + 73,

$(- 8 (x + 4) - 3)^{2} = x^{3} + 73,$

hence $x^{3} - (- 8)^{2} x^{2} + \dots = 0 .$ $x^{3} - (- 8)^{2} x^{2} + \dots = 0 .$ The sum of the three roots is 64 (= minus the coefficient of $x^{2}$ $x^{2}$ ). Because the line $L$ $L$ is tangent to $E,$ $E,$ it follows that $x = - 4$ $x = - 4$ is a double root. Therefore,

(- 4) + (- 4) + x = 64,

$(- 4) + (- 4) + x = 64,$

so the third root is $x = 72 .$ $x = 72 .$ The corresponding value of $y$ $y$ (use the equation of $L$ $L$ ) is $- 611 .$ $- 611 .$ Changing $y$ $y$ to $- y$ $- y$ yields

P_{3} + P_{3} = (72, 611) .

$P_{3} + P_{3} = (72, 611) .$

What happens if we try to compute $P + ∞$ $P + ∞$ ? We make the convention that the lines through $∞$ $∞$ are vertical. Therefore, the line through $P = (x, y)$ $P = (x, y)$ and $∞$ $∞$ intersects $E$ $E$ in $P$ $P$ and also in $(x, - y) .$ $(x, - y) .$ When we reflect $(x, - y)$ $(x, - y)$ across the $x -axis$ $x -axis$ , we get back $P = (x, y) .$ $P = (x, y) .$ Therefore,

P + ∞ = P .

$P + ∞ = P .$

We can also subtract points. First, observe that the line through $(x, y)$ $(x, y)$ and $(x, - y)$ $(x, - y)$ is vertical, so the third point of intersection with $E$ $E$ is $∞ .$ $∞ .$ The reflection across the $x -axis$ $x -axis$ is still $∞$ $∞$ (that’s what we meant when we said $∞$ $∞$ sits at the top and at the bottom of the $y -axis$ $y -axis$ ). Therefore,

(x, y) + (x, - y) = ∞ .

$(x, y) + (x, - y) = ∞ .$

Since $∞$ $∞$ plays the role of an additive identity (in the same way that 0 is the identity for addition with integers), we define

- (x, y) = (x, - y) .

$- (x, y) = (x, - y) .$

To subtract points $P - Q,$ $P - Q,$ simply add $P$ $P$ and $- Q .$ $- Q .$

Another way to express the addition law is to say that

\begin{matrix} P + Q + R = ∞ & \Leftrightarrow & P, Q, R are collinear . \end{matrix}

$\begin{matrix} P + Q + R = ∞ & \Leftrightarrow & P, Q, R are collinear . \end{matrix}$

(See Exercise 17.)

For computations, we can ignore the geometrical interpretation and work only with formulas, which are as follows:

Addition Law

Let $E$ $E$ be given by $y^{2} = x^{3} + b x + c$ $y^{2} = x^{3} + b x + c$ and let

\begin{matrix} P_{1} = (x_{1}, y_{1}), & P_{2} = (x_{2}, y_{2}) . \end{matrix}

$\begin{matrix} P_{1} = (x_{1}, y_{1}), & P_{2} = (x_{2}, y_{2}) . \end{matrix}$

Then

P_{1} + P_{2} = P_{3} = (x_{3}, y_{3}),

$P_{1} + P_{2} = P_{3} = (x_{3}, y_{3}),$

where

\begin{array}{rcl} x_{3} & = & m^{2} - x_{1} - x_{2} \\ y_{3} & = & m (x_{1} - x_{3}) - y_{1} \end{array}

$\begin{array}{rcl} x_{3} & = & m^{2} - x_{1} - x_{2} \\ y_{3} & = & m (x_{1} - x_{3}) - y_{1} \end{array}$

and

m = \{\begin{array}{cc} (y_{2} - y_{1}) / (x_{2} - x_{1}) & i f P_{1} \neq P_{2} \\ (3 x_{1}^{2} + b) / (2 y_{1}) & i f P_{1} = P_{2} . \end{array}

$m = \{\begin{array}{cc} (y_{2} - y_{1}) / (x_{2} - x_{1}) & i f P_{1} \neq P_{2} \\ (3 x_{1}^{2} + b) / (2 y_{1}) & i f P_{1} = P_{2} . \end{array}$

If the slope $m$ $m$ is infinite, then $P_{3} = ∞ .$ $P_{3} = ∞ .$ There is one additional law: $∞ + P = P$ $∞ + P = P$ for all points $P .$ $P .$

It can be shown that the addition law is associative:

(P + Q) + R = P + (Q + R) .

$(P + Q) + R = P + (Q + R) .$

It is also commutative:

P + Q = Q + P .

$P + Q = Q + P .$

When adding several points, it therefore doesn’t matter in what order the points are added nor how they are grouped together. In technical terms, we have found that the points of $E$ $E$ form an abelian group. The point $∞$ $∞$ is the identity element of this group.

If $k$ $k$ is a positive integer and $P$ $P$ is a point on an elliptic curve, we can define

\begin{matrix} k P = P + P + \dots + P & (k summands) . \end{matrix}

$\begin{matrix} k P = P + P + \dots + P & (k summands) . \end{matrix}$

We can extend this to negative $k .$ $k .$ For example, $(- 3) P = 3 (- P) = (- P) + (- P) + (- P),$ $(- 3) P = 3 (- P) = (- P) + (- P) + (- P),$ where $- P$ $- P$ is the reflection of $P$ $P$ across the $x -axis$ $x -axis$ . The associative law means that we can group the summands in any way we choose when computing a multiple of a point. For example, suppose we want to compute $100 P .$ $100 P .$ We do the additive version of successive squaring that was used in modular exponentiation:

\begin{array}{l} 2 p & = P + P \\ 4 P & = 2 P + 2 P \\ 8 P & = 4 P + 4 P \\ 16 P & = 8 P + 8 P \\ 32 P & = 16 P + 16 P \\ 64 P & = 32 P + 32 P \\ 100 P & = 64 P + 32 P + 4 P . \end{array}

$\begin{array}{l} 2 p & = P + P \\ 4 P & = 2 P + 2 P \\ 8 P & = 4 P + 4 P \\ 16 P & = 8 P + 8 P \\ 32 P & = 16 P + 16 P \\ 64 P & = 32 P + 32 P \\ 100 P & = 64 P + 32 P + 4 P . \end{array}$

The associative law means, for example, that $4 P$ $4 P$ can be computed as $2 P + 2 P = (P + P) + (P + P) .$ $2 P + 2 P = (P + P) + (P + P) .$ It also could have been computed in what might seem to be a more natural way as $((P + P) + P) + P,$ $((P + P) + P) + P,$ but this is slower because it requires three additions instead of two.

For more examples, see Examples 41–44 in the Computer Appendices.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for
21.1 The Addition Law

21.1 The Addition Law

Figure 21.1 Adding Points on an Elliptic Curve

Example

Addition Law

Table of Contents for 21.1 The Addition Law

Create new playlist

Sign In

Sign Up

Table of Contents for
21.1 The Addition Law