# Exploring Elliptic Curves

In normal plane geometry, an *elliptic curve* is the set of points (x, y) that satisfy the equation

    y² = x³ + ax + b
   
where *a* and *b* are real numbers that define the curve, plus a "point at infinity" 𝓞 that is included to address certain special cases that will be discussed below.

Here are example of a couple of elliptic curves over the real numbers:

![Elliptic curves from WikiMedia commons](https://upload.wikimedia.org/wikipedia/commons/thumb/d/d0/ECClines-3.svg/800px-ECClines-3.svg.png "Elliptic Curves over the real numbers")

**Elliptic curves aren't ellipses. Ellipses aren't elliptic curves.**

The study of elliptic curves evolved over a long time from the study of the lengths of paths in ellipses, but that history doesn't help understanding what we are doing with elliptic curves today.

# Points on an Elliptic Curve May Form a Group

If the curve has no singularities, then an operation (that we'll call addition)
can be defined geometrically. The curve will be non-singular if and only if:

    4a³ + 27b² ≠ 0.

We define the identity element to be "infinity", denoted by 𝓞. So, for any point **P**, we have **P** + 𝓞 = **P**, 𝓞 + **P** = **P**, and **P** + **-P** = 𝓞.

Elliptic curves are obviously symmetric about the x-axis (that y² term), so if **P** = (x, y) is on the curve, so is its reflection (x, -y). We define the reflection of a point across the x axis as **-P**, the arithmetic inverse of the point **P**, so **P** + **-P** = 𝓞 = **-P** + **P**.

Given two points **P** and **Q** on the curve, draw a line connecting them. If the curve is non-singular, this line will intersect the curve in at most one more point **R**. We define **P** + **Q** to be **-R**.

*(Why? Bear with us. This approach leads the points on the curve to form a group over this operation.)*

There are cases where we can't use this geometric approach for addition. For example, we can't use it to add **P** and **-P**, because the line through them is vertical. But as we've already seen, that sum must be the identity element 𝓞.


Finally, we can't add a point to itself (double it) with this geometric approach, because the single point doesn't determine a line. Instead we take a tangent to the curve, which will intersect the curve in at most a single point **R**. That point's inverse **-R** is defined as **P** + **P**. And if the tangent is vertical (so never intersects the curve at another point)? Then **P** + **P** is defined to be 𝓞.

The points on an elliptic curve together with this operation form a group.

# Group Refresher

Some quick background. A **group** is a set **S** combined with an operator ***op*** such that:

- the set is closed over the operator, that is, **e** ***op*** **f** is another element **g** of the set
- there is an identity element **i** such that **i** ***op*** **e** = **e** = **e** ***op*** **i** for every element **e** in **S**
- every element **e** has an inverse; that is, another element **f** such that **e** ***op*** **f** = **i** = **f** ***op*** **e**
- the operation is associative: (**e** ***op*** **f**) ***op*** **g** = **e** ***op*** (**f** ***op*** **g**)

Note that the operation does not have to obey the commutive law (**e** ***op*** **f** == **f** ***op*** **e**), though if it does, it is called an _abelian_ group.

You'll see that the integers with addition form a group, as do positive real numbers with multiplication. Groups show up in all kinds of places, and abstracting them out this way helps study their common properties.

#### *(What's purple and commutes? An abelian grape.)*

# Formulas for Computing Sums

We've defined the additive operation in terms of geometry, but analytic geometry can give us formulas that achieve the same result. Warning: the formulas are not obvious, but they can be derived with straightforward high school algebra. We won't do that here, though.

Why bother with these formulas? Because in the next step we will move from elliptic curves over real numbers to ones over integers modulo a prime number. At that point, the geometric pictures don't help, but the formulas will still retain the same properties that make points on the curve form a group. So here goes:

Let

**P** = (x₁, y₁)

**Q** = (x₂, y₂) 
    
be points on the elliptic curve defined by 

    y² = x³ + ax + b where 4a³ + 27b² ≠ 0.
   
Then calculate **R** = (x₃, y₃) = **P** + **Q** as follows:

## Case 1: **P** or **Q** is 𝓞

In that case, **P** + **Q** is whichever one of **P** or **Q** is not 𝓞 (or 𝓞 if both are 𝓞).

## Case 2: **P** + **Q** where **P** = **-Q**

That is, x₁ = x₂ and y₁ = -y₂. Or where **P** and **Q** are both 𝓞.

Then, by definition, their sum is 𝓞 (which does not have a representation as (x, y).


## Case 3: **P** + **Q** where **P** ≠ **-Q**

That is, x₁ ≠ x₂.

Then calculate the slope **s** of the line between **P** and **Q**:

    s = (y₂ - y₁)/(x₂ - x₁)
    
And you'll eventually get to:

    x₃ = s² - x₁ - x₂
   
and

    y₃ = -y₁ + s(x₁ - x₃)
    
## Case 4: **P** + **P** (doubling **P**)

Per case 2, if y₁ = y₂ = 0, then **P** is its own inverse, and added to itself is 𝓞.

Otherwise, calculate

    s = (3x₁² + a)/(2y₁)
    
Then

    x₃ = s² - 2x₁
    
and

    y₃ = -y₁ + s(x₁ - x₃)


# Moving Away from Real Numbers

Now we're going to use the exact same formulas on ordered pairs (x, y) where x and y are integers between 0 and *p*-1, for any odd prime *p*. Do all the arithmetic modulo *p*, and the points on the resulting curves form a group under the addition operator as defined above.

We will explore these curves with some simple examples and Python.

# *p* = 37, *a* = 1, *b* = 1

Then 4a³ + 27b² = 4\*1³ + 27\*1³ = 31, and 31 ≠ 0 modulo 37, so the points satisfying the equation form a group under addition.

## Brute force determining curve points

We will just try every possible ordered pair to see which ones satisfy the equation.

In [1]:
def isOnCurve(point, prime, parameters):
    (x, y) = point
    (a, b) = parameters
    
    # Does y² = x³ + ax + b modulo prime p?
    
    leftHandSide = y * y
    rightHandSize = x * x * x + a * x + b
    
    return (leftHandSide - rightHandSize) % prime == 0

In [2]:
points = []

a = 1
b = 1
prime = 37

for x in range(prime):
    for y in range(prime):
        if isOnCurve((x, y), prime, (a, b)):
            points.append((x, y))

In [3]:
points

[(0, 1),
 (0, 36),
 (1, 15),
 (1, 22),
 (2, 14),
 (2, 23),
 (6, 1),
 (6, 36),
 (8, 15),
 (8, 22),
 (9, 6),
 (9, 31),
 (10, 7),
 (10, 30),
 (11, 14),
 (11, 23),
 (13, 18),
 (13, 19),
 (14, 13),
 (14, 24),
 (17, 11),
 (17, 26),
 (19, 16),
 (19, 21),
 (21, 12),
 (21, 25),
 (24, 14),
 (24, 23),
 (25, 0),
 (26, 18),
 (26, 19),
 (27, 8),
 (27, 29),
 (28, 15),
 (28, 22),
 (29, 6),
 (29, 31),
 (30, 13),
 (30, 24),
 (31, 1),
 (31, 36),
 (33, 9),
 (33, 28),
 (35, 18),
 (35, 19),
 (36, 6),
 (36, 31)]

Notice that, for every x-coordinate, there are two points, and their y-coordinates are inverses of each other. Consider (27, 8) and (27, 29). 8 + 29 = 37 = 0 (mod 37).

In [4]:
len(points)

47

In [5]:
# Let's let "𝓞" stand for 𝓞
points.append("𝓞")

We will define an addition method using the formulas from above, but there's a problem: the formulas use division and we're supposed to stick to integers between 0 and p-1. But realize that division is just multiplication by the multiplicative inverse (reciprocal). Every non-zero number n between 1 and p-1 has a reciprocal r modulo p, that is, an integer r such that n * r = 1 (mod p).

We define a method to calculate this is the most inefficient way possible: brute force.

In [12]:
def reciprocal(n, prime):
    for r in range(prime):
        if (n * r) % prime == 1:
            return r
    raise StandardError("%s has no inverse modulo %s" % (n, prime))

In [23]:
def add(P, Q, prime, parameters):
    if P == "𝓞":
        return Q
    if Q == "𝓞":
        return P
    
    (x1, y1) = P
    (x2, y2) = Q
    (a, b) = parameters
    
    if (x1 == x2) and (y1 + y2) % prime == 0: # Points are inverses of each other
        return "𝓞"
    
    if (x1 == x2) and (y1 == y2): # P = Q, so doubling
        s = (3 * x1 * x1 + a) * reciprocal(2 * y1, prime)
        x3 = s * s - 2 * x1
        y3 = -y1 + s * (x1 - x3)
        return (x3 % prime, y3 % prime)
    
    s = (y2 - y1) * reciprocal(x2 - x1, prime)
    x3 = s * s - x1 - x2
    y3 = -y1 + s * (x1 - x3)
    return (x3 % prime, y3 % prime)

In [24]:
sum = add ((36,6), (30,13), 37, (1, 1))
sum

(33, 9)

## Test that addition is closed

In [26]:
for P in points:
    for Q in points:
        R = add(P, Q, 37, (1, 1))
        if R not in points:
            print "Not closed: %s + %s = %s" % (P, Q, R)
print "All checked."

All checked.
