
The set of rational points of an elliptic curve $E$ forms a group under addition. This addition is slightly different from the common notion of addition. Before presenting the new notion of addition operation, we will provide some geometric intuition.

Consider two rational points of the equation, say $P, Q$. Consider the line $r$ passing through $P$ and $Q$.

Since $E$ is a cubic curve, $r$ intersects $E$ in a third point, say $R = (x_3, y_3)$. Consider now the line $r'$ through $R$ and $O$; then $r'$ intersects $E$ in a third point that we call $R'$, and we define $P + Q = R'$. The following image exemplifies this notion.

Figure 3.1: Addition on elliptic curves. $y^2 = x^3 - 3x + 5$.

Let us now consider the case of summing a point with itself, i.e. calculating $2P$. To this end we consider $t$, the tangent to the curve $E$ at the point $P$. If $t$ intersects $E$ in another point $R = (x_2, y_2)$, then $2P = (x_2, -y_2)$. If $t$ does not intersect $E$ in any other point, then we say that $2P = O$. This notion of doubling a point will be fundamental to define a cryptographic system based on elliptic curves. One can find an example of doubling a point in Figure 3.2.

Finally, let us consider the case where we have points $R, P \in E$ and the line $r$ that intersects $R$, $P$ and $O$. In this case, the point $R + O = R$. Similarly, for this case we say that $P + R = O$. One can find an example of point inversion in Figure 3.3.

We will define this geometric interpretation precisely in the next definition. It is worth mentioning that, since any long Weierstrass equation $E$ has degree 3, any line crossing $E$ intersects it in at most 3 points.

Definition 3.9. Let $E$ be an elliptic curve over $K$ and $P_1, P_2 \in E(K)$. The line through $P_1$ and $P_2$ intersects the elliptic curve in a third point $P_3'$. We consider the line through $P_3'$ and $O$. This line intersects $E$ in a third point $P_3$, then we define:

$$P_1 + P_2 = P_3.$$

This definition yields the following proposition.

Figure 3.2: Point doubling on elliptic curves. $y^2 = x^3 - 3x + 5$.

Figure 3.3: Point inversion on elliptic curves. $y^2 = x^3 - 3x + 5$.

Proposition 3.10. Let $E$ be an elliptic curve over $K$ and $E(K)$ the set of rational points of $E$. Then $E(K)$ is closed under the addition defined above.

Proof. Take $P_1, P_2 \in E(K)$. Take $r$ to be the line crossing $E$ at $P_1$ and $P_2$. If $r$ intersects no other point in $E$ then $P_1 + P_2 = O$. Otherwise $r$ intersects $E$ in a third point $P_3$ which is obviously in $E(K)$. Consider now $r'$, the line passing through $P_3$ and $O$. This line crosses $E$ in a third point $P_3' \in E(K)$ and we set $P_1 + P_2 = P_3'$.

We can prove something stronger than closure under addition: the set of rational points is a group. We prove this result in the next theorem.

Theorem 3.11. Let $E$ be an elliptic curve over a field $K$. Then $E(K)$ is an additive abelian group with $O$ being the identity element.

Proof. In order to prove this theorem we must prove that $E(K)$ is closed under addition, that it has an identity element, that there exists an inverse for each element in the group, and that the sum is commutative and associative. We will prove each item separately.

1. (Closed under addition) We saw this property in Proposition 3.10.

2. (Identity element) The identity is $\mathrm{id} = O$ by definition.

3. (Existence of inverse) For each element $P \in E$ consider the line intersecting $P$ and $O$. This line intersects a third point $R \in E$, then the sum $P + R = O$ and we can conclude that $R$ is the inverse of $P$.

4. (The sum is commutative) If $P_1 = P_2$ then there is nothing to prove. Otherwise, let us consider the line that passes through $P_1$ and $P_2$. This line also passes through the point $-(P_1 + P_2)$, as we have seen in the previous item, but this is the same as $-(P_2 + P_1)$, which implies that $P_1 + P_2 = P_2 + P_1$.

5. (The sum is associative) We want to prove that for $P_1, P_2, P_3 \in E(K)$ we have that,

$$(P_1 + P_2) + P_3 = P_1 + (P_2 + P_3).$$

This is the same as saying,

$$-((P_1 + P_2) + P_3) = -(P_1 + (P_2 + P_3)).$$

To prove the equality we will define the following lines:

• $L_1$: Line through $P_1$ and $P_2$. This line intersects the curve in a third point $-(P_1 + P_2)$.

• $L_2$: Line through $P_3$ and $P_1 + P_2$. This line intersects the curve in a third point $-((P_1 + P_2) + P_3)$.

• $L_3$: Line through $(P_2 + P_3)$ and $O$. This line intersects the curve in a third point $-(P_2 + P_3)$.

• $L_1'$: Line through $P_3$ and $P_2$. This line intersects the curve in a third point $-(P_2 + P_3)$.

• $L_2'$: Line through $P_1$ and $(P_2 + P_3)$. This line intersects the curve in a third point $-(P_1 + (P_2 + P_3))$.

• $L_3'$: Line through $P_1 + P_2$ and $O$. This line intersects the curve in a third point $-(P_1 + P_2)$.

Then we define the cubic curves,

$$C = L_1 \cup L_2 \cup L_3, \qquad C' = L_1' \cup L_2' \cup L_3'.$$

The curves $C$ and $E$ have no common components (because $C$ is the union of three lines). Bézout's theorem tells us that if we have two plane curves $A, B$ with no common components, then they have at most $\deg(A) \cdot \deg(B)$ points in common. Applying Bézout's theorem, we know that the 9 points that $E$ and $C$ have in common are precisely:

$$O,\ P_1,\ P_2,\ P_3,\ (P_1 + P_2),\ -(P_1 + P_2),\ (P_2 + P_3),\ -(P_2 + P_3),\ -((P_1 + P_2) + P_3).$$

The curve $C'$ passes through the first 8 of the common points of $C$ and $E$. Therefore $C'$ also passes through the 9th common point. On the other hand, applying Bézout's theorem again for $C'$ and $E$ we get the following common points:

$$O,\ P_1,\ P_2,\ P_3,\ (P_1 + P_2),\ -(P_1 + P_2),\ (P_2 + P_3),\ -(P_2 + P_3),\ -(P_1 + (P_2 + P_3)).$$

Hence,

$$-((P_1 + P_2) + P_3) = -(P_1 + (P_2 + P_3)).$$

The next theorem expresses the sum of points in the group of rational points through algebraic formulas.

Theorem 3.12. Let $E$ be an elliptic curve over a field $K$. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be rational points of $E$. Then we have the following formulas:

1. The inverse of $P_1$, denoted by $-P_1$, is defined as:

$$-P_1 = (x_1, -y_1 - a_1 x_1 - a_3).$$

2. If $P_1 = -P_2$, then:

$$P_1 + P_2 = O.$$

3. Let $P_1 \neq -P_2$ and $x_1 \neq x_2$, then we consider the following constants:

• $\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$.

• $\mu = \dfrac{y_1 x_2 - y_2 x_1}{x_2 - x_1} = y_1 - \lambda x_1$.

4. If $P_1 \neq -P_2$ and $x_1 = x_2$, then we consider the following constants:

• $\lambda = \dfrac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3}$.

• $\mu = \dfrac{-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1}{2y_1 + a_1 x_1 + a_3}$.

Using the constants presented in 3 and 4 and denoting

$$P_3 = (x_3, y_3) = P_1 + P_2 \neq O,$$

we have that $x_3, y_3$ are defined as follows:

• $x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2$.

• $y_3 = -(\lambda + a_1) x_3 - \mu - a_3$.

Proof. Consider the elliptic curve $E$ given by the following equation:

$$E : f(X, Y) = Y^2 + a_1 XY + a_3 Y - X^3 - a_2 X^2 - a_4 X - a_6.$$

1. Consider the point $P = (x_1, y_1) \in E(K)$ and the line $L : X = x_1$. $P_1$ and $O$ lie on $L$. Let us now consider the point $P' = (x_1', y_1')$ to be the intersection point of $E$ and $L$. We will compute $P'$.

$$\begin{aligned}
f(x_1, Y) &= Y^2 + (a_1 x_1 + a_3) Y - (x_1^3 + a_2 x_1^2 + a_4 x_1 + a_6) \\
&= (Y - y_1)(Y - y_1') \\
&= Y^2 + (-y_1 - y_1') Y + y_1 y_1'.
\end{aligned}$$

Comparing coefficients, we see that

$$y_1' = -y_1 - a_1 x_1 - a_3.$$

The third intersection point of $L$ with $E$ is therefore

$$P_1' = (x_1, -y_1 - a_1 x_1 - a_3).$$

2. Follows from 1.

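3. Consider the line $L$ through $P_1$ and $P_2$,

$$L : \frac{Y - y_1}{X - x_1} = \frac{y_2 - y_1}{x_2 - x_1}.$$

Therefore we have,

$$L : Y = \frac{y_2 - y_1}{x_2 - x_1} X + \frac{y_2 - y_1}{x_2 - x_1}(-x_1) + y_1 = \lambda X + \mu.$$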

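4. We assume that $P_1 \neq -P_2$ and $x_1 = x_2$, which means that $P_1 = P_2$. The tangent at $P_1$ is given by:

$$L : f_X(x_1, y_1)(X - x_1) + f_Y(x_1, y_1)(Y - y_1) = 0,$$

with partial derivatives:

$$f_X(x_1, y_1) = -(3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1), \qquad f_Y(x_1, y_1) = 2y_1 + a_1 x_1 + a_3.$$

The assumption $P_1 \neq -P_2$ implies that $f_Y(x_1, y_1) \neq 0$. Therefore we write:

$$\begin{aligned}
L : Y &= \frac{-f_X(x_1, y_1)}{f_Y(x_1, y_1)} (X - x_1) + y_1 \\
&= \frac{-f_X(x_1, y_1)}{f_Y(x_1, y_1)} X + \frac{x_1 f_X(x_1, y_1) + y_1 f_Y(x_1, y_1)}{f_Y(x_1, y_1)} \\
&= \lambda X + \mu.
\end{aligned}$$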

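Using the results obtained in items 3 and 4 we can conclude the proof of the theorem. The third intersection point of the line $L$ with $E$ is a point $P_3' = (x_3', y_3')$. We now compute this point:

$$\begin{aligned}
f(X, \lambda X + \mu) &= (\lambda X + \mu)^2 + a_1 X (\lambda X + \mu) + a_3 (\lambda X + \mu) - X^3 - a_2 X^2 - a_4 X - a_6 \\
&= -X^3 + (\lambda^2 + a_1 \lambda - a_2) X^2 + (2\lambda\mu + a_1 \mu + a_3 \lambda - a_4) X + (\mu^2 + a_3 \mu - a_6) \\
&= -(X - x_1)(X - x_2)(X - x_3') \\
&= -X^3 + (x_1 + x_2 + x_3') X^2 + (-x_1 x_2 - x_1 x_3' - x_2 x_3') X + x_1 x_2 x_3'.
\end{aligned}$$

Comparing coefficients, we see that

$$x_3' = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2.$$

Since $P_3'$ is a point of $L$, one has

$$y_3' = \lambda x_3' + \mu.$$

The point $P_3 = (x_3, y_3) = P_1 + P_2$ is $-P_3'$. According to item 1, it has the coordinates:

$$\begin{aligned}
x_3 &= x_3' = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2, \\
y_3 &= -y_3' - a_1 x_3' - a_3 = -(\lambda + a_1) x_3 - \mu - a_3.
\end{aligned}$$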

To end this section we define the multiplication of a rational point by an integer.

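Definition 3.13. Let $E$ be an elliptic curve over a field $K$, $m \in \mathbb{Z}$ and $P \in E(K)$. We define $mP$ as follows:

$$mP = \begin{cases}
\displaystyle\sum_{j=1}^{m} P & \text{if } m > 0, \\
O & \text{if } m = 0, \\
\displaystyle\sum_{j=1}^{-m} (-P) & \text{if } m < 0.
\end{cases}$$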

This notion will be fundamental to define a cryptographic scheme over elliptic curves.
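The formulas of Theorem 3.12 and the scalar multiple of Definition 3.13, written out over a small prime field as an added example (not part of the original text). The field F_11, the coefficient tuple layout `c = (a1, a2, a3, a4, a6)`, the helper names and the second sample curve are assumptions made here; the first curve is the one from the figures reduced mod 11, and the code is not constant-time, so it serves only to check the formulas.

```python
O = None  # point at infinity (identity); affine points are (x, y) reduced mod p

def on_curve(P, c, p):
    """True if P satisfies f(X, Y) = 0 for c = (a1, a2, a3, a4, a6)."""
    if P is O:
        return True
    (x, y), (a1, a2, a3, a4, a6) = P, c
    return (y*y + a1*x*y + a3*y - x**3 - a2*x*x - a4*x - a6) % p == 0

def neg(P, c, p):
    """Item 1: -P1 = (x1, -y1 - a1*x1 - a3)."""
    if P is O:
        return O
    return (P[0], (-P[1] - c[0]*P[0] - c[2]) % p)

def add(P1, P2, c, p):
    if P1 is O or P2 is O:                 # O is the identity element
        return P2 if P1 is O else P1
    if P1 == neg(P2, c, p):                # item 2: P1 = -P2
        return O
    (x1, y1), (x2, y2), (a1, a2, a3, a4, a6) = P1, P2, c
    if x1 != x2:                           # item 3: chord through P1 and P2
        inv = pow(x2 - x1, -1, p)
        lam, mu = (y2 - y1) * inv % p, (y1*x2 - y2*x1) * inv % p
    else:                                  # item 4: tangent at P1 = P2
        inv = pow(2*y1 + a1*x1 + a3, -1, p)
        lam = (3*x1*x1 + 2*a2*x1 + a4 - a1*y1) * inv % p
        mu = (-x1**3 + a4*x1 + 2*a6 - a3*y1) * inv % p
    x3 = (lam*lam + a1*lam - a2 - x1 - x2) % p
    return (x3, (-(lam + a1)*x3 - mu - a3) % p)

def mul(m, P, c, p):
    """Definition 3.13, computed by double-and-add (same result, by associativity)."""
    if m < 0:
        m, P = -m, neg(P, c, p)
    R = O
    while m:
        if m & 1:
            R = add(R, P, c, p)
        P, m = add(P, P, c, p), m >> 1
    return R

def points(c, p):
    """All of E(F_p) by brute force; only sensible for tiny p."""
    return [O] + [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), c, p)]

FIG = (0, 0, 0, -3, 5)   # y^2 = x^3 - 3x + 5 (curve of the figures), taken mod 11
GEN = (1, 0, 1, -1, 0)   # constructed sample with a1, a3 != 0, nonsingular mod 11
```

Enumerating `points(FIG, 11)` and checking closure, commutativity and associativity over every pair and triple exercises Proposition 3.10 and Theorem 3.11 directly.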
