52 Things: Number 12: What is the elliptic curve group law?

52 Things: Number 12: What is the elliptic curve group law?

52件事：数字12：什么是椭圆曲线群定律？

 

 

This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. We continue the Mathematical Background section by introducing the Elliptic Curve Group Law...
这是一系列博客文章中的最新一篇，旨在解决“每个博士生都应该知道的52件事”做密码学：这是一组问题，旨在让博士生在第一年结束时了解他们应该知道什么。我们继续数学背景部分，介绍椭圆曲线群定律。。。

 

The Elliptic Curve group law is a method by which a binary operation is defined on the set of rational points of an elliptic curve to form a group. Now, lets go through what that actually means, and what it's used for. Thanks to Dr Dan Page for providing the group law diagram.
椭圆曲线群定律是一种在椭圆曲线的有理点集上定义二元运算以形成群的方法。现在，让我们来了解一下这实际上意味着什么，以及它的用途。感谢Dan Page博士提供的群律图。

 

An Elliptic Curve and its rational points
椭圆曲线及其有理点

An Elliptic Curve is a cubic equation in two variables over some mathematical field. They can be written in various forms, but over most fields ¹ can be written in short Weierstrass form:
椭圆曲线是一个数学域上的二元三次方程。它们可以用各种形式书写，但在大多数字段 ¹ 上可以用短的Weierstrass形式书写：

E:y2=x3+ax+b

For now we will assume that we are working in the field of real numbers, and ignore any complications that come from using finite fields. With some simple requirements on a,b (specifically, that 27b2≠−4a3) this is an elliptic curve.
现在，我们将假设我们在实数领域工作，而忽略使用有限域带来的任何复杂情况。对于 a,b （特别是 27b2≠−4a3 ）的一些简单要求，这是一条椭圆曲线。

 

The set of points that will be elements of our group are going to be the rational points of the elliptic curve. This is simply the collection of points (x,y) that satisfy the curve equation where both x,y are rational. So, that's the set of (x,y)∈Q where y2=x3+x+b.  For reasons that will become clear, we also include a point at infinity ².
作为我们群元素的点集将是椭圆曲线的有理点。这只是满足曲线方程的点 (x,y) 的集合，其中两个点 x,y 都是有理的。这就是#2的集合，其中#3。出于将变得清楚的原因，我们还包括无穷远处的一个点#4。

Adding a Group Law to an elliptic curve
向椭圆曲线添加群定律

The simplest way to describe the relation we're going to add to the set of rational points is with a diagram:
描述我们要添加到有理点集的关系的最简单方法是使用图表：

Elliptic Curve (blue) with two points (P,Q) and their sum (P+Q) plotted, along with construction lines (red)
绘制有两点（P，Q）及其和（P+Q）的椭圆曲线（蓝色），以及构造线（红色）

So, to add together P and Q, we draw a line through P and Q, and make T=(Tx,Ty) the third point this line intersects the curve. Then, P+Q=(Tx,−Ty). To add a point to itself, we take the tangent at that point. Now, the surprising fact is that this operation defines a group, with the point at infinity the neutral element.
所以，把 P 和 Q 加在一起，我们画一条穿过#2和#3的线，把#4作为这条线与曲线相交的第三点。然后， P+Q=(Tx,−Ty) 。为了给自己添加一个点，我们取该点的切线。现在，令人惊讶的事实是，这个运算定义了一个群，无穷远处的点是中性元素。

Most of the requirements of being a group are easy to see geometrically³. For example, it is easy to find the inverse of an element. In the diagram above (P+Q)+T=0, because the line from T to (P+Q) has it's third intersection at infinity, and so (P+Q)=−T. In fact, for any elliptic curve in short Weierstrass form, to negate a point we simply change the sign of it's y-coordinate.
作为一个群体的大多数要求在几何上很容易看出 ³ 。例如，很容易找到元素的逆。在 (P+Q)+T=0 上面的图中，因为从#2到#3的线在无穷大处有第三个交点，所以#4也是。事实上，对于任何短Weierstrass形式的椭圆曲线，为了否定一个点，我们只需改变它的y坐标的符号。

 

Is that all there is to it?
就这些吗？

Pretty much yes. The same method holds to over finite fields, although in this case it tends to be simpler to think of the group's operation as being an algebraic construct rather than geometrical, since Elliptic Curves over finite fields do not have such an intuitive structure.  Also, we don't need to view curves in short Weierstrass form, since there are many different coordinate schemes and equations that represent the same curve. Indeed, some choices of curve and coordinate system assist us in doing certain types of computation.
差不多是的。同样的方法适用于有限域上，尽管在这种情况下，将群的运算视为代数结构而非几何结构往往更简单，因为有限域上的椭圆曲线没有这样直观的结构。此外，我们不需要查看短Weierstrass形式的曲线，因为有许多不同的坐标方案和方程表示相同的曲线。事实上，曲线和坐标系的一些选择有助于我们进行某些类型的计算。

 

What's that got to do with Cryptography?
这和密码学有什么关系？

It turns out that over certain finite fields the Elliptic Curve Group has several nice properties for cryptographers. There are a surprisingly large number of curve and field pairs where it's not too costly to do group computations⁴, but for which the various discrete log or DH problems (see last week's blog) are hard. Moreover, compared to using large multiplicative groups (eg RSA groups) the variables computed with are much smaller. Putting all these together, elliptic curves allow cryptographers to efficiently calculate ciphertexts that are much smaller than those created by alternative means without reducing security.
结果表明，在某些有限域上，椭圆曲线群对于密码学家来说有几个很好的性质。令人惊讶的是，有大量的曲线和字段对，它们进行分组计算 ⁴ 并不太昂贵，但对于它们来说，各种离散的对数或DH问题（见上周的博客）很难解决。此外，与使用大型乘法组（如RSA组）相比，使用计算的变量要小得多。将所有这些放在一起，椭圆曲线使密码学家能够有效地计算比其他方法创建的密文小得多的密文，而不会降低安全性。

 

 

 

---

 

1. Specifically, fields of characteristic not equal to 2,3. That is, fields where 2≠0 and 3≠0. Unfortunately, this obviously means that the results we discuss won't hold in binary fields, but that is rather beyond the scope of this talk.
   具体来说，特征场不等于2,3。即 2≠0 和 3≠0 所在的字段。不幸的是，这显然意味着我们讨论的结果在二进制字段中不成立，但这远远超出了本文的范围。
2. Justification for this comes from considering the elliptic curve as a curve in projective space, but for now it suffices that such a point exists.
   这一点的理由来自于将椭圆曲线视为投影空间中的一条曲线，但就目前而言，这样一个点的存在就足够了。
3. Associativity is by far the most complicated to show. This diagram on wikipedia explains the concept behind the proof, although the details are rather involved.
   联想性是迄今为止最复杂的表现。维基百科上的这张图解释了证据背后的概念，尽管细节相当复杂。
4. Even as I write this, I'm sure someone will question the validity of this claim, but it is true that compared to many groups that one could construct in which the required problems are sufficiently hard, point arithmetic on an elliptic curve is comparatively tractable.
   即使在我写这篇文章的时候，我相信有人会质疑这一说法的有效性，但确实，与人们可以构建的许多组相比，在这些组中所需的问题足够困难，椭圆曲线上的点算术相对来说是容易处理的。