Chapter status: 👷 in progress 👷

TODO:

Elliptic Curves

Generalities
Affine versus Projective Coordinates
- Projective Plan
- Elliptic Curves in Projective Coordinates

Generalities

Let $F$ be a field of characteristic $p > 3.$ ¹ Let $a, b \in F$ be two field elements such that $4 a^{3} + 27 b^{2} \neq = 0.$ An elliptic curve in short Weierstrass form over $F,$ denoted $E (F),$ is the set of all pairs $(x, y) \in F^{2}$ that satisfy the equation $y^{2} = x^{3} + a x + b$ together with a distinguished element denoted $O$ called the point at infinity: $E (F) = {(x, y) \in F^{2} ∣ y^{2} = x^{3} + a x + b} \cup {O} .$ This is the so-called affine representation of points of the elliptic curve. There is another family of representations called projective (more attractive from an algorithmic point of view) that we will discuss shortly.

Hasse's bound establishes that the number of points of $E (F),$ called the order of $E (F),$ is $∣ E (F) ∣ = ∣ F ∣ + 1 - t$ where $t$ is an integer (called the Frobenius trace or simply trace of the curve) satisfying $∣ t ∣ \leq 2 ∣ F ∣ .$

It is possible to equip $E (F)$ with a commutative group law for which the point at infinity $O$ is the identity element with the so-called chord-and-tangent rule. This group operation is denoted additively and called addition law. The inverse of a point $(x, y) \in E (F) ∖ {O}$ is the point $(x, - y) .$

From the addition law we can define scalar multiplication: for $m \in Z$ and $P \in E (F),$ the scalar multiplication of $P$ by $m,$ denoted $[m] P$ or $m P$ if there is no ambiguity, is given by $[m] P : = ⎩ ⎨ ⎧ O m times P + \dots + P - ([- m] P) if m = 0 if m > 0 if m < 0.$

The group structure of $E (F)$ is either cyclic or "almost" cyclic. Namely, a general theorem establishes that $E (F)$ has at most two invariant factors (see Theorem 5.6 for the definition of an invariant factor). In other words, $E (F)$ is isomorphic to either the cyclic group $Z_{n}$ or a direct product of cyclic groups $Z_{n_{1}} \times Z_{n_{2}}$ with $n_{1} ∣ n_{2} .$

Affine versus Projective Coordinates

Earlier we saw how to defined an elliptic curve using affine coordinates. This is not how elliptic curves are usually defined by mathematicians, who usually prefer to use projective geometry.

Projective Plan

Let $F$ be a finite field of order $q$ and let $F^{*} : = F ∖ {0} .$ The projective plan over $F,$ denoted $P^{2} (F),$ is the set of equivalence classes of $F^{3} ∖ {(0, 0, 0)}$ where two tuples $(x, y, z)$ and $(x^{'}, y^{'}, z^{'})$ are equivalent, denoted $(x, y, z) \sim (x^{'}, y^{'}, z^{'}),$ if there is a scalar $k \in F^{*}$ such that $(x^{'}, y^{'}, z^{'}) = (k x, k y, k z) .$ Such an equivalence class is called a projective point. A projective point contains $q - 1$ tuples $(x, y, z) \in F^{3} .$ The convention is to denote projective points with capital letters and colon separators, i.e., $(X : Y : Z)$ (or sometimes $[X : Y : Z])$ will denote the equivalence class ${(k X, kY, k Z) ∣ k \in F^{*}} .$

Equivalently, projective points can be seen as 1-dimensional subspaces ("lines") of the 3-dimensional vector space $V = F^{3}$ over $F .$ How many projective points are there? There are $q^{3} - 1$ non-zero vectors in $F^{3},$ but each of the $q - 1$ non-zero vectors in a subspace generates this subspace, hence the total number of 1-dimensional subspaces is $\frac{q ^{3} - 1}{q - 1} = q^{2} + q + 1.$

Another way to count the number of projective points is as follows:

there are $q^{2}$ projective points of the form $(X : Y : 1),$ $X, Y \in F;$
there are $q$ projective points of the form $(1 : Y : 0),$ $Y \in F;$
there is one projective point of the form $(0 : 1 : 0) .$

It is customary to identify the ordinary "affine" plane $F^{2} = {(x, y) ∣ x, y \in F}$ with the first type of projective points, meaning there is an injective map from $F^{2}$ to $P^{2} (F)$ given by $(x, y) \mapsto (x : y : 1) .$ The inverse of this map is $(X : Y : Z) \mapsto (X / Z, Y / Z) .$

The $q + 1$ points of the second and third types (sharing the property that $Z = 0)$ are called "points at infinity" and form the so-called "line at infinity".

It is possible to define projective lines in a similar way to projective points: projective lines are 2-dimensional subspaces of $F^{3}$ (with vector $(0, 0, 0)$ removed). There are also $q^{2} + q + 1$ projective lines in $P^{2} (F),$ which is quite natural since any 1-dimensional subspace of $F^{3}$ defines a unique 2-dimensional subspace via its orthogonal complement. A projective point "lies on" a projective line if it is included (in the set-theoretical sense) in the projective line. From this definition, it follows that (i) given any two projective points, there is exactly one projective line containing both of them, and (ii) given any two projective lines, there is exactly one projective point lying on both of them (meaning there are no parallel lines). Properties (i) and (ii) are in fact the axiomatic definition of a projective plan. Each projective line contains $q^{2} - 1$ vectors $(x, y, z) \in F^{3} ∖ {(0, 0, 0)},$ and is the disjoint union of $q + 1$ projective points. In particular, the $q + 1$ projective points of the second and third type are indeed on the same projective line corresponding to the 2-dimensional subspace orthogonal to vector $(0, 0, 1) .$

Elliptic Curves in Projective Coordinates

To obtain the equation defining an elliptic curve in projective coordinates, we substitute $X / Z$ to $x$ and $Y / Z$ to $y$ in the affine short Weierstrass equation $y^{2} = x^{3} + a x + b (11.1)$ and multiply by $Z^{3}$ to clear the denominators. This way, we obtain the projective short Weierstrass equation: $Y^{2} Z = X^{3} + a X Z^{2} + b Z^{3} . (11.2)$

It is easy to see that a projective point $(X : Y : Z)$ with $Z \neq = 0$ satisfies (11.2) if and only if the corresponding affine point $(x, y)$ with $x = X / Z$ and $y = Y / Z$ satisfies (11.1). Moreover, a projective point $(X : Y : Z)$ on the line at infinity ( $Z = 0)$ satisfies (11.2) if and only $X = 0,$ meaning the only of the $q + 1$ projective points at infinity satisfying (11.2) is $(0 : 1 : 0) .$ This is the "curve point at infinity", the identity element of the group law, that we denoted $O$ when we defined the elliptic curve in affine coordinates.

Hence, one of the main advantages of projective coordinates over affine ones is that it unifies ordinary points and the point at infinity $O,$ which now has a projective representation as any other point, namely $(0 : 1 : 0) .$

Another advantage is that computing the group law is more efficient because it does not require to perform modular division (which is only required to perform projective-to-affine conversion). A ballpark estimation is that a modular inversion is 20 to 100 times more costly than a modular multiplication depending on the platform and the implementation.

The projective coordinates obtained with the substitution $x \leftarrow X / Z,$ $y \leftarrow Y / Z$ is just one possibility among others, called homogeneous projective coordinates because the resulting projective equation (11.2) for the curve is homogeneous, meaning all terms have the same total degree, 3 here. An very common alternative are Jacobian coordinates defined by the substitution $x \leftarrow X / Z^{2}, y \leftarrow Y / Z^{3} .$ The resulting projective equation is $Y^{2} = X^{3} + a X Z^{4} + b Z^{6} .$ Projective points in Jacobian coordinates are defined by the equivalence relation $(x, y, z) \sim (x^{'}, y,^{'}, z^{'}) if \exists k \in F^{*}, (x^{'}, y^{'}, z^{'}) = (k^{2} x, k^{3} y, k z) .$ The point at infinity ( $Z = 0)$ is the equivalence class $(1 : 1 : 0) = {(k^{2}, k^{3}, 0) : k \in F^{*}} .$

See http://www.hyperelliptic.org/EFD/ for a list of various other possible coordinates systems.

1: It is possible to define elliptic curves over fields of characteristic 2 or 3 but equations are more complicated.

Crypto Book (Work in Progress)

Elliptic Curves

Contents

Generalities

Affine versus Projective Coordinates

Projective Plan

Elliptic Curves in Projective Coordinates