This article describes how elliptic curve addition works over real numbers.
Cryptography uses elliptic curves over finite fields, but elliptic curves are easier to conceptualize in a real Cartesian plane. This article is aimed at programmers and tries to strike a balance between getting too math heavy and too hand-wavy.
The set of points on an elliptic curve form a group under elliptic curve point addition.
Hopefully, if you’ve been following our group theory introduction, then you actually understood most of this, aside from what “point addition” is. But that’s the beauty of abstract algebra right? You don’t need to know what that is, and you still understand the above sentence.
Elliptic curves are a family of curves which have the formula
$$ y^2 = x^3 + ax + b $$
Depending on what value of a and b you pick, you’ll get a curve that looks like some of the following:
A point on an elliptic curve is an $(x, y)$ pair that satisfies $y² = x³ + ax + b$ for a given $a$ and $b$.
For example, the point $(3, 6)$ is in the curve $y² = x³ + 9$ because it $6² = 3³ + 9$. In group theoretic terms, $(3, 6)$ is a member of the set defined by $y² = x³ + 9$. Since we are dealing with real numbers, the set has infinite cardinality.
The idea here is we can take two points from this set, do a binary operator, and we will get another point that is also in the set. That is, it is an $(x, y)$ pair that also lies on the curve.
Instead of thinking about elliptic curves as a plot on a graph, think of them as an infinite set of points. Points are in the set if and only if they satisfy the elliptic curve equation.
Once we see these points as a set, looking at them as a group isn’t mysterious. We just take two points, and produce a third according to the rules of a group.
Specifically, to be a group, the set of points needs to have:
Although we don’t know how the binary operator works, we do know that it takes two $(x, y)$ points on the curve and returns another point on the curve. Because the operator is closed, we know that the point will in fact be a valid solution to the elliptic curve equation, not a point somewhere else.
We also know that this binary operator is associative (and commutative, per the section heading).
So given three points on the elliptic curve $A$, $B$, and $C$ (or $(x_a, y_a)$, $(x_b, y_b)$, and $(x_c, y_c)$ if you prefer), we know the following is true:
I’m using $⊕$, because we know this binary operator is not addition in any normal sense, but a binary operator (again, remember from set theory, a binary operator takes two elements in a set and returns another element in a set, how it does that is not central to the definition).
We also know that there has to be an identity element somewhere. That is, any $(x, y)$ point that falls on the curve is combined with the identity element, the output is the same $(x, y)$ point unchanged.
And because this is a group and not a monoid, every point needs to have an inverse such that $P ⊕ P⁻¹ = I$, where $I$ is the identity element.
Intuitively, we might think of $(0, 0)$ or $(1, 1)$ being the identity element, since something like that often is in other groups, but you can see in the plots above that those points generally do not land on the curve. Since they don’t belong to the set of points on $y² = x³ + ax + b$, they are not part of the group.
But recall from set theory that we can define binary operators however we like over sets arbitrarily defined. This allows us to add a special element that isn’t technically on the curve but by definition is the identity element.
I like to think of the identity element as “the point that is nowhere” because if you combine nowhere with any real point, nothing changes. Annoyingly, mathematicians call this point, the identity element “the point at infinity.”
Hey wait, isn’t this point supposed to satisfy $y² = x³ + ax + b$? Nowhere (or infinity) is not a valid value for $(x, y)$.
Ahh, but remember, we can define sets however we like! We define the set that makes up the elliptic curve as points on the elliptic curve and the nowhere point.
Because binary operators are just subsets of a cartesian product (a relation), and we can define the relation however we like. We can have as many hacky “if statements” in our arithmetic as we please and still follow the group laws.
Without loss of generality, let’s take the elliptic curve
$$ y² = x³ + 10 $$
To illustrate how lines intersect on elliptic curves, then let’s draw a nearly vertical line $y = 10x$
(It could be 1000x to make it more vertical, but we would get numerical instability as you will see later)
We get the following set of plots.
It turns out, even though it looks like the purple line ($y = 10x$) is rising faster than the blue curve ($y² = x³ + 10$), they will always eventually intersect.
If we zoom out far enough, we can see the intersection. This is true in general.
As long as x is not “perfectly vertical” if it crosses two points on the curve, it will always cross a third. Two of those points could be the same point if one of the points of intersection is a tangent point.
The “if we intersect two points” is important. If we shift our purple line over to the left so it doesn’t cross the “U-turn” of the elliptic curve, then it will only cross at one point
Another way of understanding it:
If a straight line crosses an elliptic curve at exactly two points, and neither of the intersection points are tangent intersections, then it must be perfectly vertical.
You could work out an algebraic proof from the formulas above, but I think the geometric argument is more intuitive.
I recommend you stop here and draw some elliptic curves and lines and convince yourself of this visually.
Our exception for vertical lines actually causes inverse and identity elements to fall into place beautifully.
The inverse of an elliptic curve point is the negative of the y value of the pair. That is, the inverse of $(x, y)$ is $(x, -y)$ and vice versa. Drawing a line through such points creates a perfectly vertical line.
The identity element is the “point at infinity” we alluded to earlier is simply the point “way up there” when we draw a vertical line.
The fact that elliptic curve points are a group under our “2 points always result in a 3rd except for the identity” makes its commutative nature obvious.
When we pick two points, there is only one other third point. You can’t get four intersections in an elliptic curve. Since we only have one possible solution, then it is clear that $A ⊕ B = B ⊕ A$.
We glossed over a very important detail in the last section, because it really deserves a section on its own.
In it’s current form, it has a bug if we add two points where the intersection happens in the middle.
Using our definitions above, the following must be true
$$ \begin{align*} A ⊕ B &= C \\ A ⊕ C &= B \\ B ⊕ C &= A \end{align*} $$
With a little algebra, we’ll derive a contradiction
$$ \begin{align*} (B ⊕ C) ⊕ B &= C \\ B ⊕ C &= \mathsf{inv}(B) ⊕ C \\ B &= \mathsf{inv}(B) \end{align*} $$
This says $B$ is equal to it’s inverse. But $B$ is not the identity element (which is the only element that can be the inverse of itself), so we have a contradiction.
Thankfully, there is a way to rescue this. Just define point addition to be the third point flipped over the y axis. Again, we are allowed to do this because binary operators can be defined however we like, we just care that our definitions satisfy the group laws.
So the correct way to add elliptic curve points is represented graphically below
Using some algebra, and given two points
$$ \begin{align*} P₁ &= (x₁, y₁) \\ P₂ &= (x₂, y₂) \end{align*} $$
One can derive how to compute $P₃ = (x₃, y₃)$ where $P₃ = P₁ ⊕ P₂$ using the following formula.
$$ \begin{align*} \lambda &= \frac{y₂ – y₁}{x₂ – x₁} \\ x₃ &= \lambda² – x₁ – x₂ \\ y₃ &= \lambda(x₃ – x₁) – y₁ \end{align*} $$
Because we have a closed form equation, we can prove algebraically that $T⊕U = U⊕T$ given points $T$ and $U$.
We do it as follows
$$\begin{align*} P &= T ⊕ U \\ Q &= U ⊕ T \\ P &= Q \end{align*}$$
var('y_t', 'y_u', 'x_t', 'x_u')
lambda_p = (y_u - y_t)/(x_u - x_t)
x_p = lambda_p^2 - x_t - x_u
y_p = (lambda_p*(x_t - x_p) - y_t)
lambda_q = (y_t - y_u)/(x_t - x_u)
x_q = lambda_q^2 - x_u - x_t
y_q = (lambda_q*(x_u - x_q) - y_u)
Here is a screenshot of running the above code in Jupyter notebook and pretty printing the output. The computer algebra system needs a bit of coaxing, but we can clearly see x_q == x_p and y_q == y_p.
$P = Q$ for all $(x_t, y_t)$ and $(x_u, y_u)$ values. We get a division by zero error if $x_t = x_u$, but this means they are the same point and that is obviously commutative.
We can use similar techniques to demonstrate associativity, but unfortunately this is extremely messy so we refer the interested reader to another proof of associativity.
Let’s see that elliptic curves meet the group property.
A binary operator must accept every possible pair from the set. What if the pair is the same element, i.e. A ⊕ A?
Let’s think of this in limit terms. Adding a point to itself is like bringing two points infinitesimally close to each other until they become the same point. When this convergence happens, the slope of the line will lie tangent to the curve.
So adding a point to itself is simply taking the derivative at that point, getting the intersection, then flipping the $y$ axis.
The following image graphically demonstrates $A ⊕ A = 2A$.
What if we wanted to compute $1000A$ instead of $2A$? It would seem this is an $\mathcal{O}(n)$ operation, but it isn’t.
Because of associativity, we can write $1000A$ as
$$1000A = 512A ⊕ 256A ⊕ 128A ⊕ 64A ⊕ 32A ⊕ 8A$$
$512A$ (and the other terms) can be computed quickly because 512 is just $A$ doubled 9 times.
So rather than doing 1000 operations, we can do it in 14 (9 to compute 512, caching the intermediate results, then 5 additions).
This is actually an important property when we get to cryptography:
We can efficiently multiply an elliptic curve point by a large integer efficiently.
It isn’t too hard to derive the formula for point addition using simple algebra. When we intersect two points, we know the slope and the points that it crossed through, so we can calculate the point of intersection.
I’d rather not do that here because I don’t want to get lost in a bunch of symbolic manipulation.
The whole power of group theory is that we don’t care what that symbolic manipulation looks like. We know that if we do our binary operator on two points, we’ll get another point in our set, and our set follows the group laws.
If you think about it that way, elliptic curves are much easier to understand.
Rather than trying to understand elliptic curves in isolation from the ground up, we study a bunch of other algebraic groups, then transfer that knowledge and intuition to elliptic curves.
Rational numbers under addition are a group. Integers modulo a prime are a group under multiplication. Matrices of non-zero determinant under multiplication are a group.
You do the binary operator, and you get another item in the set. The group has an identity element, and each element has an inverse. Associative law holds. With all that in mind, you shouldn’t care what the operator ⊕ is doing behind the scenes.
In my opinion, if you try to understand elliptic curves math in isolation from first principles of group theory, you’re doing it the hard way. It’s far easier to understand it in the context of its relatives.
That makes for a smoother learning experience.
Let $P$ be an elliptic curve point. What happens we do something like this?
$$(a + b)P + cP = aP + (a + c)P$$
At first, it may seem weird that we can do that, because if we try to visualize what is happening with the elliptic curve, we will surely get lost.
Remember, what looks like multiplication above is really just a point getting added with itself repeatedly, so this is what actually happens under the hood when looking at it as a group
$$\underbrace{(a + b)P + cP}_{((a + b + c)P)} = \underbrace{aP + (b + c)P}_{(a + b + c)P}$$
$$ \begin{align*} (a + b + c)P &= (a + b + c)P \\ (aP + bP) + cP &= aP + (bP + cP) \\ (a + b)P + cP& = aP (b + c)P \end{align*} $$
Scalar “multiplication” isn’t “distributive” the way we would think about normal algebra. It’s just shorthand for rearranging the order in which we add P to itself.
Under the hood, we just added $P$ to itself $(a + b + c)$ times. The order we do it in doesn’t matter because of associativity.
So when you see manipulation like that, our group didn’t suddenly gain a multiplication binary operator, it’s just misleading shorthand.
If we were to do elliptic curves over real numbers for a real application, they would be very numerically unstable because the intersection point could require a lot of decimal places to compute.
So in reality, we do everything with modular arithmetic.
But we lose none of the intuition we’ve gained above by doing this.
This material is from our zero knowledge course, see there to learn more.
Originally Published September 1, 2023
The intuition behind elliptic curve digital signatures (ECDSA) This article explains how the ECDSA (Elliptic Curve Digital Signature Algorithm) works as well as why it works. We will incrementally “rediscover” the algorithm from first principles in this tutorial. Prerequisites We assume prior knowledge of Elliptic Curve Arithmetic Elliptic Curve Arithmetic in Finite Fields Digital Signature […]
Trusted Setup A trusted setup is a mechanism ZK-SNARKs use to evaluate a polynomial at a secret value. Observe that a polynomial $f(x)$ can be evaluated by computing the inner product of the coefficients with successive powers of $x$: For example, if $f(x)=3x^3+2x^2+5x+10$, then the coefficients are $[3,2,5,10]$ and we can compute the polynomial as […]
The Schwartz-Zippel Lemma and its application to Zero Knowledge Proofs Nearly all ZK-Proof algorithms rely on the Schwartz-Zippel Lemma to achieve succintness. The Schwartz-Zippel Lemma states that if we are given two polynomials $p(x)$ and $q(x)$ with degrees $d_p$ and $d_q$ respectively, and if $p(x) \neq q(x)$, then the number of points where $p(x)$ and […]
Building a Zero Knowledge Proof from an R1CS Given an arithmetic circuit encoded as a Rank 1 Constraint System, it is possible to create a ZK-proof of having a witness, albeit not a succinct one. This article describes how to accomplish that. A zero knowledge proof for an R1CS is accomplished by converting the witness […]