# Elliptic Curves

Elliptic curves are interesting for number theory and algebraic geometry, but for cryptography they are used only as a source of complicated representations of finite Abelian groups in which the discrete logarithm problem is difficult.

The idea is to determine a distinguished element $o$ belonging to some collection $P$, and a set $E$ of triples $(p,q,r)$ belonging to $P$ so that $p+q+r=o$ defines an Abelian group. It is not hard to see that these triples need to satisfy a few properties:
1. $(o,o,o)\in E$
2. $(p,q,r)\in E$ implies $(p,r,q)\in E$
3. $(p,q,r)\in E$ implies $(q,p,r)\in E$
4. For each $p,q\in P$ there is a unique $r$ such that $(p,q,r)\in E$.

These almost determine a group.
* $-p$ is the unique element so that $(p,o,-p)\in E$.
* $o$ is the unit.
* $p+q = -r$ when $(p,q,r)\in E$.

The only problem is that $+$ might not be associative. To ensure that, $E$ must also satisfy the following complicated condition.
5. $(p,q,r), (r,s,t), (t,-q,u), (u,-s,v)\in E$ implies $p=v$.

**Exercise:** Prove that for any set $P$ and any collection of triples $E\subseteq P^3$,
if $E$ satisfies the conditions 1 to 5, then $E$ determines an Abelian group that satisfies
$p+q+r=o$ if and only if $(p,q,r)\in E$.


## Curves

In a general field $K$, a _curve_ is the set of roots of a polynomial in two variables.

Curves are not very curvy in a finite field, but that doesn't stop us.

For example, in $\mathbb{Z}_{31}$ the unit circle $x^2+y^2 = 1$ is:

In [23]:

```python
p = 31          # the field Z_p
radius = 1
circle = set()
for x in range(p):
    for y in range(p):
        if (x**2 + y**2) % p == radius:
            circle.add((x, y))
print(circle)

# Plot the points, with the y axis pointing up.
for y in range(p):
    s = ""
    for x in range(p):
        if (x, p-1-y) in circle:
            s += " *"
        else:
            s += "  "
    print(s)
```

```
{(1, 2), (7, 0), (9, 1), (10, 2), (2, 1), (0, 7), (2, 10), (9, 10), (1, 9), (0, 4), (10, 9), (4, 0)}
     *             *  
   *                 *
                      
 *                    
                      
                      
 *                    
                      
   *                 *
     *             *  
         *     *      
```


The _projective plane_ over $K$ consists of all lines in $K^3$ that pass through $0$, where a _line_ is a set of points $\{(at, bt, ct) : t \in K\}$ with $(a,b,c)\neq(0,0,0)$.

Let's figure out what the plane is in $\mathbb Z_{11}$.

In [28]:

```python
p = 11
P_K = {}
# For every triple (a,b,c), the line through 0 that it spans.
for a in range(p):
    for b in range(p):
        for c in range(p):
            P_K[(a,b,c)] = set(((a*t)%p, (b*t)%p, (c*t)%p) for t in range(p))
```

In [29]:

```python
P_K[(9,7,5)]
```

```
{(0, 0, 0),
 (1, 2, 3),
 (2, 4, 6),
 (3, 6, 9),
 (4, 8, 1),
 (5, 10, 4),
 (6, 1, 7),
 (7, 3, 10),
 (8, 5, 2),
 (9, 7, 5),
 (10, 9, 8)}
```

So there are lots of duplicates: every nonzero triple on this line spans the same line.

How do we know if $(x_1,y_1,z_1)$ and $(x_2,y_2,z_2)$ are collinear with $(0,0,0)$?

* $(a,b,c)$ is collinear with $(a/c,b/c,1)$ when $c \neq 0$.
* $(a,b,0)$ is collinear with $(a/b,1,0)$ when $b\neq 0$.
* $(a,0,0)$ is collinear with $(1,0,0)$ when $a\neq 0$.

So we can either take the projective plane to consist of collinearity equivalence classes of triples $(x,y,z) \neq (0,0,0)$, or of the triples $(x,y,1)$, $(x,1,0)$ and $(1,0,0)$, or of abstract "points" and "lines" that satisfy various axioms.

To distinguish between 3d Cartesian coordinates $(x,y,z)$ and the corresponding point in the projective plane, one writes $[x:y:z]$. That is,
$[x:y:z] = \{(\lambda x,\lambda y,\lambda z)\ :\ \lambda \in K\}$.
$[x:y:z]$ is called the _homogeneous coordinates_ of a projective point.

__Important:__ A projective point $[x:y:z]$ must define a line in $K^3$, so $[0:0:0]$ is not the homogeneous coordinates of a point.

For any point $[x:y:z]$, projectivity says exactly that $[\lambda x: \lambda y:\lambda z] = [x:y:z]$ for any non-zero $\lambda\in K$.
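As an added example (not one of the notebook's own cells), here is the projective plane over $\mathbb Z_{11}$ built from the three normal forms listed above, together with a brute-force check that the normal form agrees with the line-through-$0$ definition used in the `P_K` cell; the field size is the only parameter and is chosen to match that cell.

```python
# Added example: the projective plane over Z_p as collinear classes, using the normal
# forms (a/c, b/c, 1), (a/b, 1, 0) and (1, 0, 0) from the notes.
p = 11  # constructed parameter, the same field as the P_K cell

def line_through_origin(a, b, c):
    """The line {(at, bt, ct) : t in K} in K^3, exactly as the P_K cell computes it."""
    return {((a * t) % p, (b * t) % p, (c * t) % p) for t in range(p)}

def normalize(a, b, c):
    """Canonical representative of [a:b:c]; (0,0,0) is rejected because it is not a point."""
    a, b, c = a % p, b % p, c % p
    if c:
        inv = pow(c, -1, p)
        return (a * inv % p, b * inv % p, 1)
    if b:
        return (a * pow(b, -1, p) % p, 1, 0)
    if a:
        return (1, 0, 0)
    raise ValueError("[0:0:0] is not the homogeneous coordinates of a point")

def nonzero_triples():
    return [(a, b, c) for a in range(p) for b in range(p) for c in range(p)
            if (a, b, c) != (0, 0, 0)]

def projective_plane():
    """The distinct points [x:y:z]; there are p^2 + p + 1 of them."""
    return {normalize(*t) for t in nonzero_triples()}

def same_point(u, v):
    """Two nonzero triples name the same point iff they span the same line through 0."""
    return line_through_origin(*u) == line_through_origin(*v)

def check_normalization():
    """Each normal-form class is exactly one line through 0 with the origin removed."""
    classes = {}
    for t in nonzero_triples():
        classes.setdefault(normalize(*t), set()).add(t)
    return all(cls == line_through_origin(*rep) - {(0, 0, 0)}
               for rep, cls in classes.items())
```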

I will write $p,q,r$ for points in the projective plane.

## Projective curves

A _curve_ in the projective plane is the set of roots of a homogeneous polynomial:

$$0 = \sum_{i+j+k=d} a_{ijk} x^iy^jz^k.$$

Note that each term has the same degree. The roots $(x,y,z)$ of this polynomial are the homogeneous coordinates of the projective curve.

Notice that if $0=P(x,y,z)$ then $0=P(\lambda x,\lambda y, \lambda z)$ for any homogeneous polynomial $P$.

So we can write $0=P(p)$ meaningfully when $p$ is a projective point,
and the set $\{p {\ :\ } 0=P(p)\}$ legitimately deserves to be called a _projective curve_.


# Two curves of special interest
Two classes of curves are particularly interesting for cryptography.

$$y^2 = x^3 + ax + b$$
and
$$y^2 + xy = x^3 + ax + b$$

More general curves could be used in principle, but there are both theoretical and practical reasons to use these. 

* Historically, cubics $x^3 + ax +b$ were the first to have a _cubic_ formula discovered (by Cardano). Analogous to the quadratic formula, this yields a description of all the complex roots, and a test for multiplicity of roots. Namely, if $4a^3 + 27b^2 \neq 0$, then this cubic polynomial has three distinct complex roots. This is key to defining a group on the roots of the projective curve.
* Cardano's formula also yields an easy way to calculate roots of the curves obtained by transforming the given curve with an affine transformation. And these, too, are key to defining a group.

The reason we can't always use the simpler curve is that it is not well-behaved when $K$ has characteristic $2$ or $3$. In that case either $4a^3 = 0$ or $27b^2=0$, and that's bad. Roughly, the resulting group would have special structure that would reduce the search space for the discrete logarithm problem. 

So the two types of curves are used as follows:
* In fields $GF(p)$ for prime $p>3$, the simpler form is used: $y^2 = x^3+ax + b$.
* In fields $GF(2^n)$, the more complicated form is used: $y^2 + xy = x^3 + ax + b$.
In any case, non-singularity is important, so $a$ and $b$ have to be chosen so that $4a^3 + 27b^2 \neq 0$.



## Solutions

We can homogenize both kinds of curve as

$$y^2z = x^3 + axz^2 + bz^3$$
and
$$y^2z + xyz = x^3 + axz^2 + bz^3$$
where $4a^3 + 27b^2 \neq 0$.

Then in terms of _homogeneous_ coordinates
* When $z\neq 0$, $[x:y:z] = [x/z:y/z:1]$ lies on the projective curve iff $(x/z, y/z)$ solves the original equation,
* $[x:y:0]$ lies on the curve iff $x=0$

So the curves defined here have just two kinds of points: 
* normal solutions: $z\neq 0$ and $(x,y)$ solves the equation,
* one "point at infinity" $[0:y:0]$.

Note: Strictly speaking, geometrically, the "point at infinity" is not special, even though it looks to be. A change of coordinates (multiplication of coordinates by an invertible $3\times 3$ matrix) will preserve the general properties of the curve, but will "move" the point at infinity.
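As an added example (not from the notes), the two kinds of points can be checked by brute force over every nonzero triple $(x,y,z)$ of the homogenized equation $y^2z = x^3 + axz^2 + bz^3$ over $\mathbb Z_{13}$; the curve $y^2 = x^3 + x + 1$ is a constructed choice with $4a^3 + 27b^2 \neq 0$.

```python
# Added example: classify the roots of y^2 z = x^3 + a x z^2 + b z^3 over Z_p into
# "normal" solutions (z != 0) and the single point at infinity [0:1:0].
p, a, b = 13, 1, 1   # constructed curve; 4a^3 + 27b^2 = 31 = 5 (mod 13), nonzero

def homogeneous_roots():
    """All nonzero (x, y, z) with y^2 z = x^3 + a x z^2 + b z^3 in Z_p."""
    return [(x, y, z) for x in range(p) for y in range(p) for z in range(p)
            if (x, y, z) != (0, 0, 0)
            and (y * y * z - (x ** 3 + a * x * z * z + b * z ** 3)) % p == 0]

def classify():
    """Split the roots: affine points (x/z, y/z) for z != 0, and the raw z = 0 roots."""
    affine, infinite = set(), set()
    for x, y, z in homogeneous_roots():
        if z:
            inv = pow(z, -1, p)
            affine.add((x * inv % p, y * inv % p))
        else:
            infinite.add((x, y, z))
    return affine, infinite

def check_classification():
    affine, infinite = classify()
    # z = 0 forces x = 0, so every root at infinity is a multiple of (0, 1, 0):
    # they all name the one projective point [0:1:0].
    one_point_at_infinity = infinite == {(0, y, 0) for y in range(1, p)}
    # the z != 0 roots are exactly the solutions of the original (affine) equation
    affine_ok = affine == {(x, y) for x in range(p) for y in range(p)
                           if (y * y - (x ** 3 + a * x + b)) % p == 0}
    return one_point_at_infinity and affine_ok
```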

## Collinearity

We will need to understand what it means for three projective points to be "collinear". In Cartesian planar geometry, two points $(x_p,y_p)$, $(x_q,y_q)$ determine a line (actually an affine curve) described by solutions of 
$$(x - x_p)(y_q-y_p) = (x_q-x_p)(y-y_p).$$
The homogenized version of this is
$$(x-zx_p)(y_q-y_p)= (y-zy_p)(x_q-x_p).$$
So the projective line passing through $[x_p:y_p:1]$ and $[x_q:y_q:1]$ consists of the coordinates $[x:y:z]$ satisfying this equation.

In case $z=0$, this is
$$x(y_q-y_p) = y(x_q-x_p)$$
In case $z=1$, the equation is the usual collinearity condition in Euclidean terms.


## Back to our curves

Our curves exhibit some symmetries that can be exploited to determine a group.
The idea is that a distinguished point $o$ on the curve and a certain system of collinear triples $(p,q,r)$ capture symmetries of the curve under affine transformations, so that 
a group arises by declaring $o$ to be the unit, and requiring $p+q+r = o$ whenever $(p,q,r)$ is a triple in our system.

Geometrically, the choice of $o$ does not matter. But we already know that the projective curve defined by $y^2=x^3+ax+ b$ has a "point at infinity" $[0:1:0]$. We use that as our distinguished element $o$.

To find the system of triples, for each $p\neq q$ on the curve, we find another point $r$ on the curve so that $(p,q,r)$ are collinear. All such triples are part of the system. We cannot guarantee that $r$ is distinct, but if it equals $p$ or $q$, then the way it is constructed means that it is essentially a "double root".

In addition, for each $p\neq o$, we find $q$ so that $(p,q,p)$ is one of our triples. 
We add the triples $(p,p,q)$ to the system. 

So for each $p\neq o$, $(p,r,o)$ is one of our triples. We declare $-p=r$. 
And whenever $(p,q,r)$ is a triple, we declare $p+q = -r$. 


### The simpler case



Suppose $p=[x_p:y_p:z_p]$ and $q=[x_q:y_q:z_q]$ are distinct roots of (the homogenized version of)
$$y^2 = x^3 + ax + b.$$
Remember, for $p$ this means that either $z_p\neq 0$ and $(x_p,y_p)$ solve the equation exactly, or $p=[0:y_p:0]$ for any non-zero $y_p$.

We look for another root that is collinear with $p$ and $q$. Because the defining polynomial is of degree 3, there can be at most one other root on that line.

There are a few cases to consider.

* If $p=[0:y_p:0]$, then $q\neq[0:1:0]$, so $q$ must have coordinates $[x_q:y_q:1]$
where $y_q^2 = x_q^3 + ax_q + b$. Clearly, $[x_q:-y_q:1]$ is also a root, and it lies on the line through $p$ and $q$, which is the "vertical" line $x = x_q z$.
In other words $p=[0:y_p:0]$, $q=[x_q:y_q:1]$ and $r=[x_q:-y_q:1]$ are collinear roots.
Note that these are distinct unless $y_q=0$.
If $y_q=0$, then $q$ must actually satisfy
$$0=x_q^3 + ax_q +b.$$
But in that case, there is no other point on the curve that is collinear with $[x_q:0:1]$ and $[0:1:0]$. (Check this for yourself.)

* If $p=[x_p:y_p:1]$ and $q=[x_q:y_q:1]$ and $x_p=x_q$, then $y_p^2 = y_q^2$. 
Since $p\neq q$, this means $y_p=-y_q$, and the third collinear root must be $[0:1:0]$.

* If $p=[x_p:y_p:1]$ and $q=[x_q:y_q:1]$ and $x_p\neq x_q$, let
$$\lambda = \frac{y_q-y_p}{x_q-x_p}$$
$$x_r = \lambda^2 - (x_p+ x_q)$$
$$y_r = \lambda(x_r-x_p)+y_p$$
Then $r = [x_r:y_r:1]$ is collinear with $p$ and $q$ and lies on the curve. (Check this for yourself.)

* It is possible that in the last case $r$ duplicates one of the two. For example, $r=q$.
But then it turns out that there are also no other collinear points on the curve. (Again, check.) Moreover, $r$ and $p$ are then related by the following formulas:
$$\lambda = \frac{3x_r^2 + a}{2y_r}$$
$$x_p = \lambda^2 - 2x_r$$
$$y_p = \lambda(x_p-x_r) + y_r.$$
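As an added example (not the notes' own code), the whole construction of this section over $\mathbb Z_{13}$ on the constructed curve $y^2 = x^3 + x + 1$: `third_collinear` follows the cases above (point at infinity, $x_p = x_q$, chord, tangent), `add` implements the rule $p+q=-r$, and `check_group` verifies by brute force that the result is an Abelian group, including the associativity that condition 5 of the first section demands.

```python
# Added example: chord-and-tangent construction on y^2 = x^3 + a x + b over Z_p.
# Affine points [x:y:1] are tuples (x, y); O stands for the point at infinity [0:1:0].
p, a, b = 13, 1, 1   # constructed curve; 4a^3 + 27b^2 = 31 = 5 (mod 13), nonzero
O = None

def on_curve(P):
    return P is O or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def points():
    return [O] + [(x, y) for x in range(p) for y in range(p) if on_curve((x, y))]

def third_collinear(P, Q):
    """The remaining root r on the line through P and Q (the tangent when P == Q)."""
    if P is O:                                   # vertical line x = x_q z through O and Q
        return O if Q is O else (Q[0], -Q[1] % p)
    if Q is O:
        return (P[0], -P[1] % p)
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:          # q = -p; also covers the y_p = 0 tangent
        return O
    if P == Q:                                   # tangent slope (3x^2 + a) / 2y
        lam = (3 * xp * xp + a) * pow(2 * yp % p, -1, p) % p
    else:                                        # chord slope (y_q - y_p) / (x_q - x_p)
        lam = (yq - yp) * pow((xq - xp) % p, -1, p) % p
    xr = (lam * lam - xp - xq) % p
    yr = (lam * (xr - xp) + yp) % p              # r is on the line; p + q is its mirror image
    return (xr, yr)

def neg(P):
    return O if P is O else (P[0], -P[1] % p)

def add(P, Q):
    return neg(third_collinear(P, Q))            # the rule p + q = -r from the notes

def on_line(P, Q, R):
    """Homogenized collinearity test for distinct affine P, Q and any R (R = O is (0,1,0))."""
    (xp, yp), (xq, yq) = P, Q
    x, y, z = (0, 1, 0) if R is O else (R[0], R[1], 1)
    return ((x - z * xp) * (yq - yp) - (y - z * yp) * (xq - xp)) % p == 0

def check_group():
    """Closure, collinearity of every chord triple, unit, inverses and associativity."""
    E = points()
    for P in E:
        if add(P, O) != P or add(P, neg(P)) is not O:
            return False
        for Q in E:
            R = third_collinear(P, Q)
            if not on_curve(R) or (O not in (P, Q) and P != Q and not on_line(P, Q, R)):
                return False
            if any(add(add(P, Q), S) != add(P, add(Q, S)) for S in E):
                return False
    return True
```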

