Elliptic Curve And It's Applications

Introduction
What is Elliptic Curve
- The Group Law
Elliptic Curve's Applications
Short Weierstrass curves and their representations for fast computations

Introduction

Elliptic curves are a fascinating area of mathematics with profound implications in number theory and cryptography. They provide a rich structure that can be utilized in various applications, particularly in secure communication protocols. In this article, we will explore the fundamental properties of elliptic curves, their group law, and how these mathematical concepts form the basis for several cryptographic algorithms. By understanding elliptic curves, we can gain insight into the underlying principles that ensure the security and efficiency of modern cryptographic systems.

What is Elliptic Curve

An elliptic curve is the graph of an short Weierstrass equation
$y^{2} = x^{3} + A x + B$
where $A$ and $B$ are constants. Below is an example of such a curve.

The Group Law

GroupLaw

Adding Points on an Elliptic Curve
Start with two points
$P_{1} = (x_{1}, y_{1}), P_{2} = (x_{2}, y_{2})$
on an elliptic curve $E$ given by the equation $y^{2} = x^{3} + A x + B$ . Define a new point $P_{3}$ as follows. Draw the line $L$ through $P_{1}$ and $P_{2}$ . We'll see below that $L$ intersects $E$ in a third point $P_{3}^{'}$ . Reflect $P_{3}^{'}$ across the $x -$ axis (i.e., change the sign of the $y$ -coordinate) to obtain $P_{3}$ . We define
$P_{1} + P_{2} = P_{3}$
Examples below will show that shis is not the same as adding coordinates of the points. It might be better to denote this operation by $P_{1} + P_{2}$ , but we opt for the simpler notation since we will never be adding points by adding coordinates.
Assume first that $P_{1} \neq = P_{2}$ and that neither point is $\infty$ . Draw the line $L$ through $P_{1}$ and $P_{2}$ . Its slope is
$m = \frac{y _{2} - y _{1}}{x _{2} - x _{1}} .$
If $x_{1} = x_{2}$ , then $L$ is vertical. We'll treat this case later, so let's assume that $x_{1} \neq = x_{2}$ . The equation of $L$ is then
$y = m (x - x_{1}) + y_{1} .$
To find the intersection with $E$ , substitute to get
$(m (x - x_{1}) + y_{1})^{2} = x^{3} + A x + B .$
This can be rearranged to the form
$0 = x^{3} - m^{2} x^{2} + \dots .$
The three roots of this cubic correspond to the three points of intersection of $L$ with $E$ . Generally, solving a cubic is not easy, but in the present case we already know two of the roots, namely $x_{1}$ and $x_{2}$ , since $P_{1}$ and $P_{2}$ are points on both $L$ and $E$ . Therefore, we could factor the cubic to obtain the third value of x. But there is an easier way. If we have a cubic polynomial $x^{3} + a x^{2} + b x + c$ with roots $r, s, t$ , then
$x^{3} + a x^{2} + b x + c = (x - r) (x - s) (x - t) = x^{3} - (r + s + t) x^{2} + \dots .$ Therefore,
$r + s + t = - a .$
If we know two roots $r, s$ , then we can recover the third as $t = - a - r - s$ .
In our case, we obtain
$x = m^{2} - x_{1} - x_{2}$
and
$y = m (x - x_{1}) + y_{1} .$
Now, reflect across the $x -$ axis to obtain the point $P_{3} = x_{3}, y_{3}$ :
$x_{3} = m^{2} - x_{1} - x_{2}, y_{3} = m (x_{1} - x_{3}) - y_{1} .$
In the case that $x_{1} = x_{2}$ but $y_{1} \neq = y_{2}$ , the line through $P_{1}$ and $P_{2}$ is a vertical line, which therefore intersects E in $\infty$ . REflecting $\infty$ across the $x -$ axis yields the same point $\infty$ (this is why we put $\infty$ at both the top and the bottom of the $y -$ axis).Therefore, in this case $P_{1} + P_{2} = \infty$ .
Now consider the case where $P_{1} = P_{2} = (x_{1}, y_{1}) .$ When two points on a curve are very close to each other, the line through them approximates a tangent line. Therefore, when the two points coincide, we take the line $L$ through them to be the tangent line. Implicit differentiation allows us to find the slope $m$ of $L$ :
$2 y \frac{d y}{d x} = 3 x^{2} + A, so m = \frac{d y}{d x} = \frac{3 x _{1}^{2} + A}{2 y _{1}} .$
If $y_{1} = 0$ then the line is vertical and we set $P_{1} + P_{2} = \infty$ , as before. Therefore, assume that $y_{1} \neq = 0$ . The equation of $L$ is
$y = m (x - x_{1}) + y_{1},$
as before. We obtain the cubic equation
$0 = x^{3} - m^{2} x^{2} + \dots .$ This time, we know only one root, namely $x_{1}$ , but it is a double root since $L$ is tangent to $E$ at $P_{1}$ . Therefore, proceeding as before, we obtain
$x_{3} = m^{2} - 2 x_{1}, y_{3} = m (x_{1} - x_{3}) - y_{1} .$
Finally, suppose $P_{2} = \infty$ . The line through $P_{1}$ and $\infty$ is a vertical line that intersects $E$ in the point $P_{1}^{'}$ that is the reflection of $P_{1}$ across the $x -$ axis. When we reflect $P_{1}^{'}$ across the $x -$ axis to get $P_{3} = P_{1} + P_{2}$ , we are back at $P_{1}$ . Therefore
$P_{1} + \infty = P_{1}$
for all points $P_{1}$ on $E$ . Of course, we extend this to include $\infty + \infty = \infty$ .
Let's summarize the above discussion:

Let $E$ be an elliptic curve defined by $y^{2} = x^{3} + A x + B$ . let $P_{1} = (x_{1}, y_{1})$ and $P_{2} = (x_{2}, y_{2})$ be points on $E$ with $P_{1}, P_{2} \neq = \infty$ . Define $P_{1} + P_{2} = P_{3} = (x_{3}, y_{3})$ as follows:

If $x_{1} \neq = x_{2}$ , then $x_{3} = m^{2} - x_{1} - x_{2}, y_{3} = m (x_{1} - x_{3}) - y_{1},$ where $m = \frac{y _{2} - y _{1}}{x _{2} - x _{1}}$ .
If $x_{1} = x_{2}$ but $y_{1} \neq = y_{2}$ , then $P_{1} + P_{2} = \infty$ .
If $P_{1} = P_{2}$ and $y_{1} \neq = 0$ , then $x_{3} = m^{2} - 2 x_{1}, y_{3} = m (x_{1} - x_{3}) - y_{1}$ , where $m = \frac{3 x _{1}^{2} + A}{2 y _{1}}$ .
If $P_{1} = P_{2}$ and $y_{1} = 0$ , then $P_{1} + P_{2} = \infty$ .
Moreover, define
$P + \infty = P$
for all points $P$ on $E$ .

The addition of points on an elliptic curve $E$ satisfies the following properties:

(Commutativity) $P_{1} + P_{2} = P_{2} + P_{1}$ for all $P_{1}, P_{2}$ on $E$ .
(existence of identity) $P + \infty = P$ for all points $P$ on $E$ .
(existence of inverses) Given $P$ on $E$ , there exists $P^{'}$ on $E$ with $P + P^{'} = \infty$ . This point $P^{'}$ will usually be denoted $- P$ .
(associativity) $(P_{1} + P_{2}) + P_{3} = P_{1} + (P_{2} + P_{3})$ for all $P_{1}, P_{2}, P_{3}$ on $E$ . In other words, the points on $E$ form an additive abelian group with $\infty$ as the identity element.

In cryptography, work over $F_{p}$ instead of $R$ . We writh group operation additively $(G, +)$ . Fix a generator $G \in G$ of primer order $q$ . In practice, $(G, G)$ chosen from some standard(e.g. NIST).

ZK Book

Elliptic Curve And It's Applications

Introduction

What is Elliptic Curve

The Group Law

Elliptic Curve's Applications

What is discrete logarithm problem

ECDSA

Diffie-Hellman Key Exchange

Schnorr protocol

Short Weierstrass curves and their representations for fast computations