ch02.asciidoc

Elliptic Curves

In this chapter we’re going to learn about elliptic curves. In [chapter_elliptic_curve_cryptography], we will combine elliptic curves with finite fields to make elliptic curve cryptography.

Like finite fields, elliptic curves can look intimidating if you haven’t seen them before. But again, the actual math isn’t very difficult. Most of what you need to know about elliptic curves could have been taught to you after algebra. In this chapter, we’ll explore what these curves are and what we can do with them.

Definition

Elliptic curves are like many equations you’ve seen since pre-algebra. They have y on one side and x on the other, in some form. elliptic curves have a form like this:

• y² = x³ + ax + b

You’ve worked with other equations that look similar. For example, you probably learned the linear equation back in pre-algebra:

• y = mx + b

You may even remember that m here has the name slope and b is the y-intercept. You can also graph linear equations, as shown in Linear equation.

Figure 1. Linear equation

Similarly, you’re probably familiar with the quadratic equation and its graph (Quadratic equation):

• y = ax² + bx + c

And sometime around algebra, you did even higher orders of x—something called the cubic equation and its graph (Cubic equation):

• y = ax³ + bx² + cx + d

Figure 2. Quadratic equation

Figure 3. Cubic equation

An elliptic curve isn’t all that different:

• y² = x³ + ax + b

The only real difference between the elliptic curve and the cubic curve in Cubic equation is the y² term on the left side. This has the effect of making the graph symmetric over the x-axis, as shown in Continuous elliptic curve.

Figure 4. Continuous elliptic curve

The elliptic curve is also less steep than the cubic curve. Again, this is because of the y² term on the left side. At times, the curve may even be disjoint, as in Disjoint elliptic curve.

Figure 5. Disjoint elliptic curve

If it helps, an elliptic curve can be thought of as taking a cubic equation graph (Step 1: A cubic equation), flattening out the part above the x-axis (Step 2: Stretched cubic equation), and then mirroring that part below the x-axis (Step 3: Reflected over the x-axis).

Figure 6. Step 1: A cubic equation

Figure 7. Step 2: Stretched cubic equation

Figure 8. Step 3: Reflected over the x-axis

Specifically, the elliptic curve used in Bitcoin is called secp256k1 and it uses this particular equation:

• y² = x³ + 7

The canonical form is y² = x³ + ax + b, so the curve is defined by the constants a = 0, b = 7. It looks like secp256k1 curve.

Figure 9. secp256k1 curve

Coding Elliptic Curves in Python

For a variety of reasons that will be made clear later, we are not interested in the curve itself, but specific points on the curve. For example, in the curve y² = x³ + 5x + 7, we are interested in the coordinate (–1,1). We are thus going to define the class Point to be a point on a specific curve. The curve has the form y² = x³ + ax + b, so we can define the curve with just the two numbers a and b:

link:code-ch02/ecc.py[role=include]

1. We check here that the point is actually on the curve.

2. Points are equal if and only if they are on the same curve and have the same coordinates.

We can now create Point objects, and we will get an error if the point is not on the curve:

link:code-ch02/examples.py[role=include]

In other words, init will raise an exception when the point is not on the curve.

code-ch02/answers.py

code-ch02/answers.py

Point Addition

Elliptic curves are useful because of something called point addition. Point addition is where we can do an operation on two of the points on the curve and get a third point, also on the curve. This is called addition because the operation has a lot of the intuitions we associate with the mathematical operation of addition. For example, point addition is commutative. That is, adding point A to point B is the same as adding point B to point A.

The way we define point addition is as follows. It turns out that for every elliptic curve, a line will intersect it at either one point (Line intersects at only one point) or three points (Line intersects at three points), except in a couple of special cases.

Figure 10. Line intersects at only one point

Figure 11. Line intersects at three points

The two exceptions are when a line is exactly vertical (Line intersects at two points because it’s vertical) and when a line is tangent to the curve (Line intersects at two points because it’s tangent to the curve).

Figure 12. Line intersects at two points because it’s vertical

Figure 13. Line intersects at two points because it’s tangent to the curve

We will come back to these two cases later.

We can define point addition using the fact that lines intersect one or three times with the elliptic curve. Two points define a line, so since that line must intersect the curve one more time, that third point reflected over the x-axis is the result of the point addition.

So, for any two points P₁ = (x₁,y₁) and P₂ = (x₂,y₂), we get P₁ + P₂ as follows:

• Find the point intersecting the elliptic curve a third time by drawing a line through P₁ and P₂.

• Reflect the resulting point over the x-axis.

Visually, it looks like Point addition.

Figure 14. Point addition

We first draw a line through the two points we’re adding (A and B). The third intersection point is C. We then reflect that point over the x-axis, which puts us at the A + B point in Point addition.

One of the properties that we are going to use is that point addition is not easily predictable. We can calculate point addition easily enough with a formula, but intuitively, the result of point addition can be almost anywhere given two points on the curve. Going back to Point addition, A + B is to the right of both points, A + C would be somewhere between A and C on the x-axis, and B + C would be to the left of both points. In mathematics parlance, point addition is nonlinear.

Math of Point Addition

Point addition satisfies certain properties that we associate with addition, such as:

• Identity

• Commutativity

• Associativity

• Invertibility

Identity here means that there’s a zero. That is, there exists some point I that, when added to a point A, results in A:

• I + A = A

We’ll call this point the point at infinity (reasons for this will become clear in a moment).

This is related to invertibility. For some point A, there’s some other point –A that results in the identity point. That is:

• A + (–A) = I

Visually, these points are opposite one another over the x-axis on the curve (see Vertical line intersection).

Figure 15. Vertical line intersection

This is why we call this point the point at infinity. We have one extra point in the elliptic curve, which makes the vertical line intersect the curve a third time.

Commutativity means that A + B = B + A. This is obvious since the line going through A and B will intersect the curve a third time in the same place, no matter the order.

Associativity means that (A + B) + C = A + (B + C). This isn’t obvious and is the reason for flipping over the x-axis. This is shown in Figures #a_b_c_case_1 and #a_b_c_case_2.

You can see that in both (A + B) + C and A + (B + C), the final point is the same. In other words, we have good reason to believe that (A + B) + C = A + (B + C). While this doesn’t prove the associativity of point addition, the visual should at least give you the intuition that this is true.

Figure 16. (A + B) + C

Figure 17. A + (B + C)

To code point addition, we’re going to split it up into three steps:

1. Where the points are in a vertical line or using the identity point

2. Where the points are not in a vertical line, but are different

3. Where the two points are the same

Coding Point Addition

We first handle the identity point, or point at infinity. Since we can’t easily use infinity in Python, we’ll use the None value instead. What we want is this to work:

link:code-ch02/examples.py[role=include]

To make this work, we have to do two things. First, we have to adjust the init method slightly so it doesn’t check that the curve equation is satisfied when we have the point at infinity. Second, we have to overload the addition operator or add as we did with the FieldElement class:

class Point:

    def __init__(self, x, y, a, b):
        self.a = a
        self.b = b
        self.x = x
        self.y = y
link:code-ch02/ecc.py[role=include]
        if self.y**2 != self.x**3 + a * x + b:
            raise ValueError('({}, {}) is not on the curve'.format(x, y))

link:code-ch02/ecc.py[role=include]

1. The x coordinate and y coordinate being None is how we signify the point at infinity. Note that the next if statement will fail if we don’t return here.

2. We overload the + operator here.

3. self.x being None means that self is the point at infinity, or the additive identity. Thus, we return other.

4. other.x being None means that other is the point at infinity, or the additive identity. Thus, we return self.

code-ch02/answers.py

Point Addition for When x₁≠x₂

Now that we’ve covered the vertical line, let’s examine when the points are different. When we have points where the `x’s differ, we can add using a fairly simple formula. To help with intuition, we’ll first find the slope created by the two points. We can figure this out using a formula from pre-algebra:

• P₁ = (x₁,y₁), P₂ = (x₂,y₂), P₃ = (x₃,y₃)
• P₁ + P₂ = P₃
• s = (y₂ – y₁)/(x₂ – x₁)

This is the slope, and we can use the slope to calculate x₃. Once we know x₃, we can calculate y₃. P₃ can be derived using this formula:

• x₃ = s² – x₁ – x₂
• y₃ = s(x₁ – x₃) – y₁

Remember that y₃ is the reflection over the x-axis.

Deriving the Point Addition Formula

Supposing:

• P₁ = (x₁,y₁), P₂ = (x₂,y₂), P₃ = (x₃,y₃)
• P₁ + P₂ = P₃

We want to know what P₃ is.

Let’s start with the fact that the line goes through P₁ and P₂, and has this formula:

• s = (y₂ – y₁)/(x₂ – x₁)
• y = s(x – x₁) + y₁

The second formula is the equation of the line that intersects at both P₁ and P₂. Using this formula and plugging it into the elliptic curve equation, we get:

• y² = x³ + ax + b
• y² = (s(x – x₁) + y₁)² = x³ + ax + b

Gathering all the terms, we have this polynomial equation:

• x³ – s²x² + (a + 2s²x₁ – 2sy₁)x + b – s²x₁² + 2sx₁y₁ – y₁² = 0

We also know that x₁, x₂, and x₃ are solutions to this equation, thus:

• (x – x₁)(x – x₂)(x – x₃) = 0
• x³ – (x₁ + x₂ + x₃)x² + (x₁x₂ + x₁x₃ + x₂x₃)x – x₁x₂x₃ = 0

From earlier, we know that:

• x³ – s²x² + (a + 2s²x₁ – 2sy~1~)x + b – s²x₁² + 2sx₁y₁ – y₁² = 0

There’s a result from what’s called Vieta’s formula, which states that the coefficients have to equal each other if the roots are the same. The first coefficient that’s interesting is the coefficient in front of x²:

• –s² = –(x₁ + x₂ + x₃)

We can use this to derive the formula for x₃:

• x₃ = s² – x₁ – x₂

We can plug this into the formula for the line above:

• y = s(x – x₁) + y₁

But we have to reflect over the x-axis, so the right side has to be negated:

• y₃ = –(s(x₃ – x₁) + y₁) = s(x₁ – x₃) – y₁

QED.

code-ch02/answers.py

Coding Point Addition for When x₁≠x₂

We now code this into our library. That means we have to adjust the add method to handle the case where x₁≠x₂. We have the formulas:

• s = (y₂ – y₁)/(x₂ – x₁)
• x₃ = s² – x₁ – x₂
• y₃ = s(x₁ – x₃) – y₁

At the end of the method, we return an instance of the class Point using self.class to make subclassing easier.

code-ch02/answers.py

Point Addition for When P₁ = P₂

When the x coordinates are the same and the y coordinate is different, we have the situation where the points are opposite each other over the x-axis. We know that this means:

• P₁ = –P₂ or P₁ + P₂ = I

We’ve already handled this in Exercise 3.

What happens when P₁ = P₂? Visually, we have to calculate the line that’s tangent to the curve at P₁ and find the point at which the line intersects the curve. The situation looks like Line that’s tangent to the curve, as we saw before.

Figure 18. Line that’s tangent to the curve

Once again, we’ll find the slope of the tangent point:

• P₁ = (x₁,y₁), P₃ = (x₃,y₃)
• P₁ + P₁ = P₃
• s = (3x₁² + a)/(2y₁)

The rest of the formula goes through as before, except x₁ = x₂, so we can combine them:

• x₃ = s² – 2x₁
• y₃ = s(x₁ – x₃) – y₁

Note

Deriving the Slope Tangent to the Curve We can derive the slope of the tangent line using some slightly more advanced math: calculus. We know that the slope at a given point is: dy/dx To get this, we need to take the derivative of both sides of the elliptic curve equation: y2 = x3 + ax + b Taking the derivative of both sides, we get: 2y dy = (3x2 + a) dx Solving for dy/dx, we get: dy/dx = (3x2 + a)/(2y) That’s how we arrive at the slope formula. The rest of the results from the point addition formula derivation hold.

code-ch02/answers.py

Coding Point Addition for When P₁ = P₂

We adjust the add method to account for this particular case. We have the formulas, and now we implement them:

• s = (3x₁² + a)/(2y₁)
• x₃ = s² – 2x₁
• y₃ = s(x₁ – x₃) – y₁

code-ch02/answers.py

Coding One More Exception

There is one more exception, and this involves the case where the tangent line is vertical (Vertical and tangent to the curve).

Figure 19. Vertical and tangent to the curve

This can only happen if P₁ = P₂ and the y coordinate is 0, in which case the slope calculation will end up with a 0 in the denominator.

We handle this with a special case:

class Point:
    ...
    def __add__(self, other):
    	...
	if self == other and self.y == 0 * self.x:  # (1)
	    return self.__class__(None, None, self.a, self.b)

1. If the two points are equal and the y coordinate is 0, we return the point at infinity.

Conclusion

We’ve covered what elliptic curves are, how they work, and how to do point addition. We’ll now combine the concepts from the first two chapters to learn elliptic curve cryptography in [chapter_elliptic_curve_cryptography].