# Elliptic Curves


In a general field $K$, a _curve_ is the set of roots of a polynomial in two variables.

Curves are not very curvy in a finite field, but that doesn't stop us.

For example, in $\mathbb{Z}_{31}$, the points of the unit circle $x^2+y^2 = 1$ can be enumerated as follows:

In [10]:
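# Collect every (x, y) in Z_31 x Z_31 that lies on x^2 + y^2 = 1.
circle = set()
for x in range(31):
    for y in range(31):
        if (x**2 + y**2) % 31 == 1:
            circle.add((x, y))
print(circle)

# Plot the points on a 31x31 grid, with y = 30 on the top row.
for y in range(31):
    s = ""
    for x in range(31):
        if (x, 30 - y) in circle:
            s += " *"
        else:
            s += "  "
    print(s)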

{(11, 2), (4, 27), (20, 29), (24, 13), (10, 26), (24, 18), (30, 0), (4, 4), (13, 7), (21, 5), (26, 21), (21, 26), (13, 24), (18, 24), (2, 20), (7, 18), (29, 11), (27, 4), (5, 21), (0, 30), (1, 0), (0, 1), (10, 5), (5, 10), (27, 27), (20, 2), (29, 20), (7, 13), (2, 11), (11, 29), (18, 7), (26, 10)}
 *                                                            
                       *                 *                    
                                                              
         *                                             *      
                     *                     *                  
                                                              
                           *         *                        
                                                              
                                                              
           *                                         *        
     *                                                     *  
        

The _projective plane_ over $K$ consists of all lines in $K^3$ that pass through $0$,
where a _line_ is a set of points $\{(at, bt, ct) : t \in K\}$.

Let's figure out what the plane is in $\mathbb Z_{11}$.

In [12]:
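# For each direction (a, b, c), store the points (at, bt, ct) of the line through 0 in Z_11^3.
P_K = {}
for a in range(11):
    for b in range(11):
        for c in range(11):
            P_K[(a, b, c)] = set(((a*t) % 11, (b*t) % 11, (c*t) % 11) for t in range(11))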

In [20]:
P_K[(0,2,3)]

{(0, 0, 0),
 (0, 1, 7),
 (0, 2, 3),
 (0, 3, 10),
 (0, 4, 6),
 (0, 5, 2),
 (0, 6, 9),
 (0, 7, 5),
 (0, 8, 1),
 (0, 9, 8),
 (0, 10, 4)}

So there are lots of duplicates. How do we know if $(x_1,y_1,z_1)$ and $(x_2,y_2,z_2)$ are colinear with $(0,0,0)$?

* $(a,b,c)$ is colinear with $(a/c,b/c,1)$ when $c \neq 0$.
* $(a,b,0)$ is colinear with $(a/b,1,0)$ when $b\neq 0$.
* $(a,0,0)$ is colinear with $(1,0,0)$ when $a \neq 0$.

So we can either take the projective plane to consist of colinear equivalence classes of triples $(x,y,z)$, or as triples $(x,y,1)$, $(x,1,0)$ and $(1,0,0)$.

Coordinates $(x,y,z)$ modulo colinearity are called _homogeneous_ coordinates.

I will write $p,q,r$ for points in the projective plane.

## Projective curves

A curve in the projective plane is a curve for a homogeneous polynomial:

$$0 = \sum_{i+j+k=d} a_{ijk} x^iy^kz^j.$$

Note that each term has the same degree. The roots $p=(x,y,z)$ of this polynomial are the homogeneous coordinates of the projective curve.

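Notice that $(x,y,z) = (\lambda x,\lambda y, \lambda z)$ as homogeneous coordinates, and if $0=P(x,y,z)$ then $0=P(\lambda x,\lambda y, \lambda z)$ for any homogeneous polynomial $P$ of degree $d$, since $P(\lambda x,\lambda y, \lambda z) = \lambda^d P(x,y,z)$.
So $\{p : 0=P(p)\}$ is meaningfully a _curve_.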

If $d=3$ (called genus 1, for other reasons), the curve will intersect any projective line (roots of a homogeneous linear polynomial $0=ax+by+cz$) in at most three points.

Consider the polynomial $y^2 = x^3 + ax + b$, homogenized as
$$y^2z = x^3 + axz^2 + bz^3$$
Then in terms of normalized coordinates:

* $(x,y,1)$ solves iff $y^2 = x^3 + ax + b$,
* $(x,1,0)$ solves iff $x=0$,
* $(1,0,0)$ does not solve.

So the curve defined here has just two kinds of solutions: "normal" solutions
and one "point at infinity" $(0,1,0)$.


Suppose $$y_p^2 = x_p^3 + ax_p + b$$
and
$$y_q^2 = x_q^3 + ax_q + b.$$
Then the pairs that are colinear with $(x_p,y_p)$ and $(x_q,y_q)$ satisfy
$$(x- x_q)(y_p - y_q) = (y-y_q)(x_p-x_q).$$

So $y = \lambda x + c$ where $\lambda = (y_p-y_q)/(x_p-x_q)$
and $c = y_q - \lambda x_q.$

We need to find a pair $r=(x_r,y_r)$ that is colinear with $p$ and $q$, distinct from $p$ and $q$, and that lies on the curve: 
$y_r^2 = x_r^3 + ax_r + b.$

So substituting, we just need to find $x_r$ satisfying
$$(\lambda x_r + c)^2 = x_r^3 + ax_r + b.$$

That is $$\lambda^2x_r^2 + 2\lambda x_r c + c^2 = x_r^3 + ax_r + b.$$
Or
$$0 = x_r^3 -\lambda^2x_r^2 + (a-2\lambda c)x_r + b - c^2.$$
$$0 = x_r^3 -\lambda^2x_r^2 + (a-2\lambda (y_q-\lambda x_q))x_r + b - (y_q - \lambda x_q)^2.$$
$$0 = x_r^3 -\lambda^2x_r^2 + (a-2\lambda y_q+2\lambda^2 x_q)x_r + b - y_q^2 + 2y_q\lambda x_q - \lambda^2 x_q^2.$$

If the coefficients are in $GF(2^k)$, then all of the $2$ multiples cancel, so
$$0 = x_r^3 -\lambda^2x_r^2 + ax_r + b - y_q^2 - \lambda^2 x_q^2.$$

Let $x_r = \lambda^2 - x_q - x_p$ and $y_r = \lambda(x_q - x_r) - y_q$.
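
The chord construction above, checked numerically over $\mathbb{Z}_{31}$. This is an added example, not part of the original notebook; the curve parameters $a=2$, $b=3$, the function names, and Python 3.8+ (for `pow(x, -1, P)`) are assumptions. It confirms that $x_p$, $x_q$ and $x_r$ are the three roots of the cubic, that $(x_r, y_r)$ lies on the curve, and that $(x_r, -y_r)$ is the third point on the line through $p$ and $q$.

```python
# Added example: chord construction on y^2 = x^3 + A*x + B over Z_P.
# P, A, B are constructed sample parameters, not values from the page.
P, A, B = 31, 2, 3

def on_curve(pt):
    """True when affine (x, y) satisfies y^2 = x^3 + A*x + B mod P."""
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0

def affine_points():
    """All affine solutions, by brute force as in the circle example."""
    return sorted((x, y) for x in range(P) for y in range(P) if on_curve((x, y)))

def chord(p, q):
    """Line y = lam*x + c through p and q, plus the point r from
    x_r = lam^2 - x_q - x_p and y_r = lam*(x_q - x_r) - y_q."""
    (xp, yp), (xq, yq) = p, q
    if not (on_curve(p) and on_curve(q)):
        raise ValueError("input point is not on the curve")
    if (xp - xq) % P == 0:
        raise ValueError("x_p == x_q: lambda is undefined for this pair")
    lam = (yp - yq) * pow(xp - xq, -1, P) % P  # division = modular inverse
    c = (yq - lam * xq) % P
    xr = (lam * lam - xq - xp) % P
    yr = (lam * (xq - xr) - yq) % P
    return lam, c, (xr, yr)

def cubic(x, lam, c):
    """x^3 - lam^2 x^2 + (A - 2 lam c) x + B - c^2 mod P."""
    return (x**3 - lam * lam * x * x + (A - 2 * lam * c) * x + B - c * c) % P

def check_all_chords():
    """Verify the formulas for every pair with distinct x; return pair count."""
    pts, checked = affine_points(), 0
    for p in pts:
        for q in pts:
            if p[0] == q[0]:
                continue
            lam, c, (xr, yr) = chord(p, q)
            assert on_curve((xr, yr))                 # r is on the curve
            assert (lam * xr + c + yr) % P == 0       # (x_r, -y_r) is on the line
            assert cubic(p[0], lam, c) == cubic(q[0], lam, c) == cubic(xr, lam, c) == 0
            checked += 1
    return checked

if __name__ == "__main__":
    print(chord((3, 6), (5, 13)))  # (19, 11, (12, 9))
    print(check_all_chords(), "pairs checked")
```

Pairs with $x_p = x_q$ are rejected because $\lambda$ divides by $x_p - x_q$; rejecting inputs that are not on the curve keeps the formulas from being applied to points of some other curve.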

