# What Is an Elliptic Curve?

Elliptic curves are a class of curves that satisfy certain mathematical criteria. Specifically, a planar curve is elliptic if it is smooth and takes the commonly used "Weierstrass form" of

$$
y^2=x^3+A x+B
$$

where

$$
4 A^3+27 B^2 \neq 0
$$

You'll often see these curves depicted as planar slices of what might otherwise be a 3D plot.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig01.gif" style="width:50%"></p>
<center> Fig. $\quad$ On the left, in transparent red, is the 3-dimensional contour plot of $y^2=x^3-3 x+z$. The orange plane that intersects the 3D contour plot is shown on the right. The curve is "elliptic" everywhere except at the saddle point, where the curve transitions from a closed curve to an open curve. </center>
<br><br/>

You might notice that "elliptic curves" do not look like geometric ellipses. That is because "elliptic curves" take their name from a larger class of equations that describe these curves and the ellipses you came to know in school.

$$
a y^2+b y=c x^3+d x^2+e x+f \quad\{a, b, c, d, e, f\} \in \mathbb{R}
$$

The general form of the elliptic curve equation


# Elliptic Curve Addition Operations

Elliptic curves have a few necessary peculiarities when it comes to addition. The line through two points on the curve $(P, Q)$ will intersect the curve at a third point. When that point is reflected across the horizontal axis, it becomes the point $R$. So $P \oplus Q=R$.

>Note: The character $\oplus$ is used as a mathematical point addition operator, not the binary XOR operator.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig02.webp" style="width:50%"></p>
<center> Fig. $\quad$ In the graphs above, the two example points $P+Q=R$. </center>
<br><br/>

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig03.gif" style="width:50%"></p>
<center> Fig. $\quad$  </center>
<br><br/>

The line that connects $\mathrm{P}$ and $\mathrm{Q}$ intersects the curve at a third point, and when that point is reflected across the horizontal axis, it becomes the point $\mathrm{R}$.

This reflection is necessary for the cases where $\mathrm{P}$ and $\mathrm{Q}$ are the same point on the curve $(\mathrm{P}=\mathrm{Q})$. In those cases, the generated line is tangent to the curve by definition. Without the reflection, it would not be possible to add $\mathrm{P}$ to itself multiple times, since $\mathrm{P} \oplus \mathrm{P}$ $(2 \mathrm{P})$ would generate the same point as $\mathrm{P} \oplus \mathrm{P} \oplus \mathrm{P}$ $(3 \mathrm{P})$, $4 \mathrm{P}$, $\mathrm{nP}$, etc.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig04.webp" style="width:50%"></p>
<center> Fig. $\quad$ Left: A point that is added to itself $(2 P)$ generates a tangent line that intercepts the curve at a new point that, when reflected across the horizontal axis, becomes the point $R$. Right: The line through two points $(P, Q)$ that lie on the curve will intercept the curve at a third point that, when reflected across the horizontal axis, becomes point $R$. </center>
<br><br/>

This, of course, wouldn't be an ideal mathematical condition. By reflecting below the line, $\mathrm{P} \oplus \mathrm{P}=\mathrm{R}$, and the point $\mathrm{P} \oplus \mathrm{R}=\mathrm{P} \oplus \mathrm{P} \oplus \mathrm{P}=3 \mathrm{P}$ ends up generating a new point $(-\mathrm{S})$ somewhere else on the curve. That new point, when added to $\mathrm{P}$, then generates a new point, and so on. Without the reflection, none of this would happen. The following graphic shows the result of successive addition of $\mathrm{P}$ to itself $(\mathrm{P} \oplus \mathrm{P}, \mathrm{P} \oplus 2 \mathrm{P}, \mathrm{P} \oplus 3 \mathrm{P}, \mathrm{P} \oplus 4 \mathrm{P}$, etc.).


<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig05.gif" style="width:50%"></p>
<center> Fig. $\quad$ This animation shows the results of $P \oplus P \oplus P \oplus P \oplus P$. Each frame shows the results of $P \oplus Q=R$ (until the animation cycles), with the first frame being $P \oplus P$, and each successive frame using the result of the last frame, $R$, as the new point $Q$ that is added to the stationary point $P$. Each point "$Q$" begins the frame where "$R$" ended the previous frame (until it recycles at $2 P$). </center>
<br><br/>

The idea behind all of this is that one point on the curve added to itself multiple times will generate other points on the curve. Any two points can be used to identify a third point on the curve. An exception is made for a point $\mathrm{P}$ with $\mathrm{y}=0$, where the tangent line is vertical and goes to infinity.
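The chord-and-tangent rule described in this section can be checked with exact rational arithmetic. The Python below is an added example, not code from the original article; the curve $y^2=x^3-3x+3$ (the figure's family with $z=3$), the sample point $(1,1)$ and all function names are choices made for this example.

```python
from fractions import Fraction as F

A, B = F(-3), F(3)        # y^2 = x^3 - 3x + 3 (z = 3 is this example's choice)
INF = None                # point at infinity, the identity for addition
P = (F(1), F(1))          # constructed sample point: 1^2 = 1 - 3 + 3

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return y * y == x**3 + A * x + B

def third_intersection(p, q):
    """Third point where the chord through p, q (tangent if p == q) meets the curve."""
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 != y2 or y1 == 0):
        return INF        # vertical line: no third finite point
    if p == q:
        lam = (3 * x1 * x1 + A) / (2 * y1)    # tangent slope dy/dx
    else:
        lam = (y2 - y1) / (x2 - x1)           # chord slope
    x3 = lam * lam - x1 - x2                  # the three roots sum to lam^2
    return (x3, y1 + lam * (x3 - x1))

def add(p, q):
    """Point addition: the third intersection reflected across the x-axis."""
    if p is INF:
        return q
    if q is INF:
        return p
    r = third_intersection(p, q)
    return INF if r is INF else (r[0], -r[1])

def multiples(p, n):
    """[1P, 2P, ..., nP], adding p to the running result at each step."""
    out, acc = [], INF
    for _ in range(n):
        acc = add(acc, p)
        out.append(acc)
    return out

if __name__ == "__main__":
    for k, (x, y) in enumerate(multiples(P, 5), start=1):
        print(f"{k}P = ({x}, {y})  on curve: {on_curve((x, y))}")
```

Because the coordinates are exact fractions, `on_curve` holds with equality for every multiple rather than only up to floating-point error.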

# Finding Integer Points on the Curve

To use these curves in cryptography, we have to limit their range. After all, it simply isn't practical to have numbers near infinity on a 16/32/64-bit microcontroller. So the vertical and horizontal range is capped at a very large prime number, $p$. The modulus operator is used to keep the results within that range. Then, all integer solutions to the equation that describes the curve are found.

In this example, I'll use the prime number 281 and the equation

$$
y^2=x^3-3 x
$$

Rearranging and introducing the modulus operator leaves the following equation:

$$
\left(y^2-x^3+3 x\right)(\bmod 281)=0
$$

In this equation, $x$ and $y$ are integers with values between 0 and 281. When the left side of the equation is computed, divided by 281, and there is no remainder, the point is added to the list below.

Then it is a matter of substituting all integer values of $x$ and $y$ between 0 and 281 into the equation and seeing if the equation is true or not. While the equation can be evaluated by hand, the process is best suited to a computer program.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig06.webp" style="width:50%"></p>
<center> Fig. $\quad$ The points that satisfy the equation shown above are color-coded for use in a diagram that is shown below. The colors are based on their $y$-value distance from $281 / 2$, which is half of the modulus. Note that each x value has only two $y$ values, and the $y$ values are equidistant from the midpoint of the modulus. The colors are introduced simply to aid in pattern recognition in later diagrams. </center>
<br><br/>

When these points are plotted on cartesian coordinates, certain symmetries become apparent.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig07.webp" style="width:50%"></p>
<center> Fig. $\quad$ The graph above plots the previously determined points. Note that each $x$ value has two $y$ values that are equally spaced away from the vertical center. </center>
<br><br/>
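The brute-force search described above, as an added Python example that is not part of the original article: it tests every pair with $0 \le x, y < 281$ (281 itself wraps to 0) and then checks the mirror symmetry noted in the figure captions. The function names are this example's own, and the Hasse bound is a standard sanity check on the point count that the article does not mention.

```python
P_MOD, A, B = 281, -3, 0      # y^2 = x^3 - 3x over the integers mod 281

def is_smooth(a=A, b=B, p=P_MOD):
    """Non-singularity condition 4A^3 + 27B^2 != 0, taken mod p."""
    return (4 * a**3 + 27 * b**2) % p != 0

def curve_points(a=A, b=B, p=P_MOD):
    """Substitute every (x, y) pair and keep those with zero remainder."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - a * x - b) % p == 0]

def ys_by_x(points):
    """Group the y values found for each x."""
    table = {}
    for x, y in points:
        table.setdefault(x, []).append(y)
    return table

def symmetric(points, p=P_MOD):
    """Each x has either the single value y = 0 or a mirrored pair y, p - y."""
    for ys in ys_by_x(points).values():
        if not (ys == [0] or (len(ys) == 2 and sum(ys) == p)):
            return False
    return True

def within_hasse_bound(points, p=P_MOD):
    """Hasse: |N - (p + 1)| <= 2*sqrt(p), where N includes the point at infinity."""
    n = len(points) + 1
    return (n - (p + 1)) ** 2 <= 4 * p

if __name__ == "__main__":
    pts = curve_points()
    print("smooth:", is_smooth(), " affine points:", len(pts))
    print("mirror symmetry holds:", symmetric(pts))
    print("Hasse bound holds:", within_hasse_bound(pts))
    # Points named in the article's worked example
    for pt in [(187, 89), (235, 204), (272, 215), (272, 66)]:
        print(pt, "on curve:", pt in pts)
```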

But a planar graph isn't really the best way to visualize the numbers. When we use the modulus operator, the graph wraps around itself in both the $x$ and $y$ directions once it hits 281: 281 is equivalent to 0, 282 is equivalent to 1, 290 is equivalent to 9, etc. If the graph wrapped in only one direction, we could represent it as a cylinder. But it wraps in both, and mathematicians tend to imagine those situations with a torus.

Datapoints mapped onto the surface of the torus are shown in the following picture, with colored lines provided to help determine orientation.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig08.webp" style="width:50%"></p>
<center> Fig. $\quad$ </center>
<br><br/>

The torus is created such that the vertical midpoint of the graph corresponds to the outer radius of the torus, and the top and bottom of the graph correspond to the inner radius of the torus. In this graphic, the color coding should allow you to see how the points are mapped onto the torus. For example, the clump of points near $(50,150)$ is visible on the near side of the torus on the viewer's left. Dotted lines are added to assist viewers in determining orientation.

A line of constant slope that travels along the surface of the torus is shown below. This line passes through two randomly selected data-points.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig09.webp" style="width:50%"></p>
<center> Fig. $\quad$ </center>
<br><br/>

To add two points on the graph, draw a line from the first selected point $\mathbf{P}=(187,89)$ to the second selected point $\mathbf{Q}=(235,204)$, and extend the line until it intersects another point on the graph $-\mathbf{R}=(272,215)$, extending it across the plot boundaries if necessary.

Once you intercept a data-point, reflect the point vertically across the middle of the graph (an orange dotted line that represents $y=281 / 2$) to find the new point on the graph $(272,66)$. Therefore $(187,89) \oplus(235,204)=(272,66)$.

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig10.webp" style="width:50%"></p>
<center> Fig. $\quad$ </center>
<br><br/>

This is equivalent to what we did earlier. Two points are selected, and a line is drawn between them until it intercepts the third point. Since we calculated the points, we know that they all lie on the graph, and satisfy the equation

$$
\left(y^2-x^3+3 x\right)(\bmod 281)=0
$$

<br><br/>
<p align="center"><img src="ECC___[images]/Curve_Cryptography_fig11.webp" style="width:50%"></p>
<center> Fig. $\quad$  </center>
<br><br/>

# Putting It All Together: The Diffie-Hellman Elliptic Curve Key Exchange

...