associativity ec

https://file.scirp.org/Html/1-5301366_80983.htm

 

https://brilliant.org/wiki/cubic-discriminant/

 

 

 

We can compute the discriminant of any power of a polynomial. For example, the quadratic discriminant is given by \Delta_2 = b^2 - 4acΔ2​=b2−4ac. But it gets more complicated for higher-degree polynomials.

The discriminant of a cubic polynomial ax^3 + bx^2 + cx + dax3+bx2+cx+d is given by

\Delta_3 = b^2 c^2 - 4ac^3 - 4b^3 d - 27a^2 d^2 + 18abcd.Δ3​=b2c2−4ac3−4b3d−27a2d2+18abcd.

If \Delta_3 > 0Δ3​>0, then the equation has three distinct real roots.
If \Delta_3 = 0Δ3​=0, then the equation has a repeated root and all its roots are real.
If \Delta_3 < 0Δ3​<0, then the equation has one real root and two non-real complex conjugate roots.

 

 

 

 

Discriminant, in mathematics, a parameter of an object or system calculated as an aid to its classification or solution. In the case of a quadratic equation ax² + bx + c = 0, the discriminant is b² − 4ac; for a cubic equation x³ + ax² + bx + c = 0, the discriminant is a²b² + 18abc − 4b³ − 4a³c − 27c². The roots of a quadratic or cubic equation with real coefficients are real and distinct if the discriminant is positive, are real with at least two equal if the discriminant is zero, and include a conjugate pair of complex roots if the discriminant is negative. A discriminant can be found for the general quadratic, or conic, equation ax² + bxy + cy² + dx + ey + f = 0; it indicates whether the conic represented is an ellipse, a hyperbola, or a parabola.

 

 

 

In this paper we revisit the addition of elliptic curves and give an algebraic proof to the associative law by use of MATHEMATICA. The existing proofs of the associative law are rather complicated and hard to understand for beginners. An ‘‘elementary” proof to it based on algebra has not been given as far as we know. Undergraduates or non-experts can master the addition of elliptic curves through this paper. After mastering it they should challenge the elliptic curve cryptography.

Keywords:

Elliptic Curve, Addition, Associative Law, MATHEMATICA, Elliptic Curve Cryptography

1. Introduction

Ciphering is essential for the security of internet. The RSA cryptography [1] [2] [3] is now commonly used. However, in the very near future the RSA cryptography will be replaced by the elliptic curve cryptography because of its efficiency; the RSA system is based on 2048 bits, while the elliptic system is based on 224 bits (2016, [4] ).

The target reader of this note is undergraduates or non-experts. Those who are interested in cryptography are strongly encouraged to master the theory of elliptic curve cryptography as soon as possible. For this purpose they must study an additional structure of elliptic curves. However, it is not so hard except for the associative law.

As far as we know an algebraic proof to it has not yet been given¹. Therefore, we give an ‘‘elementary” proof by use of MATHEMATICA for them.

2. Addition of Points of an Elliptic Curve

Let us start by recalling the definition of an elliptic curve [5] [6]

𝑦2=𝑥3+𝑎𝑥+𝑏y2=x3+ax+b(1)

where a and b are some real constants. In the following we consider only real category. The discriminant of the cubic equation

𝑥3+𝑎𝑥+𝑏=0x3+ax+b=0

is given by

𝐷=−4𝑎3−27𝑏2D=−4a3−27b2(2)

(see for example [5] ) and we assume 𝐷<0D<0 in the following, so the point crossing the real axis is just one.

For the graph of the elliptic curve (1)

𝐸={(𝑥,𝑦)∈𝑅2∣∣𝑦2=𝑥3+𝑎𝑥+𝑏}E={(x,y)∈R2 | y2=x3+ax+b}(3)

we want to introduce an addition, which is essential in the elliptic curve cryptography. For the purpose we must add the infinity point 𝑂=(∞,∞)O=(∞,∞) to (3). As a result, our space is not 𝐑2R2 but a two dimensional sphere 𝐑2∪𝑂=𝐒2R2∪O=S2 . Later it turns out that O is the identity element of the addition, see (10), (11). This justifies the notation O for the infinity point.

Here we note

𝑃=(𝑥,𝑦)∈𝐸⇒−𝑃=(𝑥,−𝑦)∈𝐸P=(x,y)∈E ⇒ −P=(x,−y)∈E(4)

where we have adopted the notation −𝑃−P for the mirror image of 𝑃P with respect to the real axis, see (11).

Let us introduce the addition in E. For two points 𝑃1,𝑃2∈𝐸P1,P2∈E we associate another point 𝑃3∈𝐸P3∈E . Consider the straight line passing through 𝑃1P1 and 𝑃2P2 . We set R the crossing point of the line and the elliptic curve.

A simple-minded candidate of the addition is

𝑃1⊕𝑃2=𝑅P1⊕P2=R

Unfortunately, this is not good because the associative law does not hold. Instead, we take the reflection point of R

𝑃1⊕𝑃2=−𝑅≡𝑃3.P1⊕P2=−R≡P3.(5)

This is correct as shown in the paper. See the following Figure 1.

Next, we want to express the addition above by use of the coordinate system. For the purpose we set

𝑃1=(𝑥1,𝑦1),𝑃2=(𝑥2,𝑦2)and𝑃3=(𝑥3,𝑦3).P1=(x1,y1), P2=(x2,y2)  and  P3=(x3,y3).

Formula The addition formula

(𝑥1,𝑦1)⊕(𝑥2,𝑦2)=(𝑥3,𝑦3)(x1,y1)⊕(x2,y2)=(x3,y3)

is given by

𝑥3=(𝑦2−𝑦1𝑥2−𝑥1)2−(𝑥1+𝑥2),x3=(y2−y1x2−x1)2−(x1+x2),

Figure 1. Addition 𝑃1≠𝑃2P1≠P2 .

𝑦3=−(𝑦2−𝑦1𝑥2−𝑥1)3+(𝑦2−𝑦1𝑥2−𝑥1)(2𝑥1+𝑥2)−𝑦1.y3=−(y2−y1x2−x1)3+(y2−y1x2−x1)(2x1+x2)−y1.(6)

Proof To give an elementary proof for undergraduates or non-experts is educational.

First of all we set the coordinate of the point 𝑅=(𝑥𝑟,𝑦𝑟)R=(xr,yr) and look for 𝑥𝑟xr and 𝑦𝑟yr . The straight line passing through 𝑃1P1 and 𝑃2P2 is given by

𝑦=𝑦2−𝑦1𝑥2−𝑥1(𝑥−𝑥1)+𝑦1.y=y2−y1x2−x1(x−x1)+y1.

By taking 𝑥−𝑥1x−x1 into consideration we have

𝑦2=𝑥3+𝑎𝑥+𝑏=(𝑥−𝑥1+𝑥1)3+𝑎(𝑥−𝑥1+𝑥1)+𝑏=(𝑥−𝑥1)3+3(𝑥−𝑥1)2𝑥1+3(𝑥−𝑥1)𝑥21+𝑎(𝑥−𝑥1)+𝑥31+𝑎𝑥1+𝑏=(𝑥−𝑥1)3+3(𝑥−𝑥1)2𝑥1+3(𝑥−𝑥1)𝑥21+𝑎(𝑥−𝑥1)+𝑦21.y2=x3+ax+b=(x−x1+x1)3+a(x−x1+x1)+b=(x−x1)3+3(x−x1)2x1+3(x−x1)x12+a(x−x1)+x13+ax1+b=(x−x1)3+3(x−x1)2x1+3(x−x1)x12+a(x−x1)+y12.

We substitute the straight line for the equation above

(𝑦2−𝑦1𝑥2−𝑥1)2(𝑥−𝑥1)2+2𝑦2−𝑦1𝑥2−𝑥1(𝑥−𝑥1)𝑦1+𝑦21=(𝑥−𝑥1)3+3(𝑥−𝑥1)2𝑥1+3(𝑥−𝑥1)𝑥21+𝑎(𝑥−𝑥1)+𝑦21.(y2−y1x2−x1)2(x−x1)2+2y2−y1x2−x1(x−x1)y1+y12=(x−x1)3+3(x−x1)2x1+3(x−x1)x12+a(x−x1)+y12.

A short calculation gives

(𝑦2−𝑦1𝑥2−𝑥1)2(𝑥−𝑥1)+2𝑦2−𝑦1𝑥2−𝑥1𝑦1=(𝑥−𝑥1)2+3𝑥1(𝑥−𝑥1)+3𝑥21+𝑎(y2−y1x2−x1)2(x−x1)+2y2−y1x2−x1y1=(x−x1)2+3x1(x−x1)+3x12+a

and

(𝑥−𝑥1)2−{(𝑦2−𝑦1𝑥2−𝑥1)2−3𝑥1}(𝑥−𝑥1)+3𝑥21−2𝑦2−𝑦1𝑥2−𝑥1𝑦1+𝑎=0.(x−x1)2−{(y2−y1x2−x1)2−3x1}(x−x1)+3x12−2y2−y1x2−x1y1+a=0.

This is a quadratic equation and it is easy to solve

𝑥−𝑥1=12{(𝑦2−𝑦1𝑥2−𝑥1)2−3𝑥1±{(𝑦2−𝑦1𝑥2−𝑥1)2−3𝑥1}2−4(3𝑥21−2𝑦2−𝑦1𝑥2−𝑥1𝑦1+𝑎)‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾√}.x−x1=12{(y2−y1x2−x1)2−3x1±{(y2−y1x2−x1)2−3x1}2−4(3x12−2y2−y1x2−x1y1+a)}.

Here we set

(#)={(𝑦2−𝑦1𝑥2−𝑥1)2−3𝑥1}2−4(3𝑥21−2𝑦2−𝑦1𝑥2−𝑥1𝑦1+𝑎).(#)={(y2−y1x2−x1)2−3x1}2−4(3x12−2y2−y1x2−x1y1+a).

By expanding and arranging (#)(#) we have

(#)=(𝑦2−𝑦1𝑥2−𝑥1)4−6𝑥1(𝑦2−𝑦1𝑥2−𝑥1)2+8𝑦2−𝑦1𝑥2−𝑥1𝑦1−3𝑥21−4𝑎.(#)=(y2−y1x2−x1)4−6x1(y2−y1x2−x1)2+8y2−y1x2−x1y1−3x12−4a.

Some calculation (this is a key point) gives

(#)=(𝑦2−𝑦1𝑥2−𝑥1)4−6𝑥1(𝑦2−𝑦1𝑥2−𝑥1)2−4(𝑦2−𝑦1)2𝑥2−𝑥1+4(𝑦2−𝑦1)2𝑥2−𝑥1+8𝑦2−𝑦1𝑥2−𝑥1𝑦1−3𝑥21−4𝑎=(𝑦2−𝑦1𝑥2−𝑥1)4−{6𝑥1+4(𝑥2−𝑥1)}(𝑦2−𝑦1𝑥2−𝑥1)2+4(𝑦2−𝑦1){(𝑦2−𝑦1)+2𝑦1}𝑥2−𝑥1−3𝑥21−4𝑎=(𝑦2−𝑦1𝑥2−𝑥1)4−2(2𝑥2+𝑥1)(𝑦2−𝑦1𝑥2−𝑥1)2+4𝑦22−𝑦21𝑥2−𝑥1−3𝑥21−4𝑎(#)=(y2−y1x2−x1)4−6x1(y2−y1x2−x1)2−4(y2−y1)2x2−x1  +4(y2−y1)2x2−x1+8y2−y1x2−x1y1−3x12−4a=(y2−y1x2−x1)4​−{6x1+4(x2−x1)}(y2−y1x2−x1)2  +4(y2−y1){(y2−y1)+2y1}x2−x1−3x12−4a=(y2−y1x2−x1)4−2(2x2+x1)(y2−y1x2−x1)2+4y22−y12x2−x1−3x12−4a

=(𝑦2−𝑦1𝑥2−𝑥1)4−2(2𝑥2+𝑥1)(𝑦2−𝑦1𝑥2−𝑥1)2+4(𝑥22+𝑥2𝑥1+𝑥21+𝑎)−3𝑥21−4𝑎=(𝑦2−𝑦1𝑥2−𝑥1)4−2(2𝑥2+𝑥1)(𝑦2−𝑦1𝑥2−𝑥1)2+4𝑥22+4𝑥2𝑥1+𝑥21=(𝑦2−𝑦1𝑥2−𝑥1)4−2(2𝑥2+𝑥1)(𝑦2−𝑦1𝑥2−𝑥1)2+(2𝑥2+𝑥1)2={(𝑦2−𝑦1𝑥2−𝑥1)2−2𝑥2−𝑥1}2=(y2−y1x2−x1)4−2(2x2+x1)(y2−y1x2−x1)2+4(x22+x2x1+x12+a)−3x12−4a=(y2−y1x2−x1)4−2(2x2+x1)(y2−y1x2−x1)2+4x22+4x2x1+x12=(y2−y1x2−x1)4−2(2x2+x1)(y2−y1x2−x1)2+(2x2+x1)2={(y2−y1x2−x1)2−2x2−x1}2

where in the process we have used the equation

𝑦22−𝑦21=(𝑥32+𝑎𝑥2+𝑏)−(𝑥31+𝑎𝑥1+𝑏)=(𝑥2−𝑥1)(𝑥22+𝑥2𝑥1+𝑥21+𝑎).y22−y12=(x23+ax2+b)−(x13+ax1+b)=(x2−x1)(x22+x2x1+x12+a).

Therefore

𝑥−𝑥1=12{(𝑦2−𝑦1𝑥2−𝑥1)2−3𝑥1+(𝑦2−𝑦1𝑥2−𝑥1)2−2𝑥2−𝑥1}=12{2(𝑦2−𝑦1𝑥2−𝑥1)2−4𝑥1−2𝑥2}=(𝑦2−𝑦1𝑥2−𝑥1)2−(2𝑥1+𝑥2)x−x1=12{(y2−y1x2−x1)2−3x1+(y2−y1x2−x1)2−2x2−x1}=12{2(y2−y1x2−x1)2−4x1−2x2}=(y2−y1x2−x1)2−(2x1+x2)

and we finally obtain

𝑥𝑟=(𝑦2−𝑦1𝑥2−𝑥1)2−(𝑥1+𝑥2),xr=(y2−y1x2−x1)2−(x1+x2),

which is symmetric in 1 and 2. Another solution is 𝑥=𝑥2x=x2 (check this).

This gives

𝑦𝑟=𝑦2−𝑦1𝑥2−𝑥1(𝑥𝑟−𝑥1)+𝑦1=𝑦2−𝑦1𝑥2−𝑥1{(𝑦2−𝑦1𝑥2−𝑥1)2−(2𝑥1+𝑥2)}+𝑦1=(𝑦2−𝑦1𝑥2−𝑥1)3−(𝑦2−𝑦1𝑥2−𝑥1)(2𝑥1+𝑥2)+𝑦1.yr=y2−y1x2−x1(xr−x1)+y1=y2−y1x2−x1{(y2−y1x2−x1)2−(2x1+x2)}+y1=(y2−y1x2−x1)3−(y2−y1x2−x1)(2x1+x2)+y1.

As a result we have

(𝑥3,𝑦3)=(𝑥𝑟,−𝑦𝑟)(x3,y3)=(xr,−yr)

and this gives the Formula (6).

Comment From the geometric definition of the addition (5) it is easy to see the commutativity

𝑃1⊕𝑃2=𝑃2⊕𝑃1.P1⊕P2=P2⊕P1.

However, it is not clear to see this from the Formula (6). Then, a small change of 𝑦3y3 in (6) gives

𝑦3=−(𝑦2−𝑦1𝑥2−𝑥1)3+(𝑦2−𝑦1𝑥2−𝑥1)(𝑥1+𝑥2)+𝑦2𝑥1−𝑦1𝑥2𝑥2−𝑥1,y3=−(y2−y1x2−x1)3+(y2−y1x2−x1)(x1+x2)+y2x1−y1x2x2−x1,(7)

which is anti-symmetric in 1 and 2. The commutativity is very clear. In our opinion this formula is best.

Next, we must define the addition 𝑃⊕𝑃P⊕P of the same point P. The definition is usually performed by differential. By noting

lim2→1𝑦2−𝑦1𝑥2−𝑥1=𝑦′1lim2→1y2−y1x2−x1=y′1

the differential of 𝑦2=𝑥3+𝑎𝑥+𝑏y2=x3+ax+b at (𝑥1,𝑦1)(x1,y1) gives

2𝑦1𝑦′1=3𝑥21+𝑎⇒𝑦′1=3𝑥21+𝑎2𝑦1.2y1y′1=3x12+a ⇒ y′1=3x12+a2y1.

If we set for 𝑃(𝑥,𝑦)P(x,y)

𝑃⊕𝑃=𝑃3or(𝑥,𝑦)⊕(𝑥,𝑦)=(𝑥3,𝑦3)P⊕P=P3   or   (x,y)⊕(x,y)=(x3,y3)(8)

then we obtain

𝑥3=(3𝑥2+𝑎2𝑦)2−2𝑥,x3=(3x2+a2y)2−2x,

𝑦3=−(3𝑥2+𝑎2𝑦)3+(3𝑥2+𝑎2𝑦)3𝑥−𝑦y3=−(3x2+a2y)3+(3x2+a2y)3x−y(9)

by applying the argument above to (6). See the following Figure 2.

There are tasks left behind. Our tasks are to show

𝑃⊕𝑂=𝑂⊕𝑃=𝑃P⊕O=O⊕P=P(10)

and

𝑃⊕(−𝑃)=(−𝑃)⊕𝑃=𝑂.P⊕(−P)=(−P)⊕P=O.(11)

Exercise Consider a proof with the geometric method.

Last, we must prove the associative law

(𝑃1⊕𝑃2)⊕𝑃3=𝑃1⊕(𝑃2⊕𝑃3),(P1⊕P2)⊕P3=P1⊕(P2⊕P3),(12)

which is very hard for undergraduates (hard even for experts).

The geometric method usually goes like Figure 3 ( 𝑃1=𝑃P1=P , 𝑃2=𝑄P2=Q and 𝑃3=𝑅P3=R in this figure)

Figure 2. Addition P₁ = P₂ = P.

Figure 3. Associativity (𝑃⊕𝑄)⊕𝑅=𝑃⊕(𝑄⊕𝑅)(P⊕Q)⊕R=P⊕(Q⊕R) .

However, this is not a proof but a circumstantial evidence. Therefore, we give an algebraic proof by use of MATHEMATICA².

For the purpose let us calculate the difference

(𝑃1⊕𝑃2)⊕𝑃3−𝑃1⊕(𝑃2⊕𝑃3)(P1⊕P2)⊕P3−P1⊕(P2⊕P3)(13)

by MATHEMATICA. In the following program we set

(𝑃1⊕𝑃2)⊕𝑃3−𝑃1⊕(𝑃2⊕𝑃3)=(𝐶𝐶−𝐹𝐹,𝐷𝐷−𝐺𝐺).(P1⊕P2)⊕P3−P1⊕(P2⊕P3)=(CC−FF,DD−GG).(14)

and use the Formula (7) because of its high symmetry. Associativity holds when the right hand side vanishes.

Beginning of MATHEMATICA

Readers must input and execute the following program in standard form of MATHEMATICA.

We set

𝑠=(𝑦2−𝑦1𝑥2−𝑥1)2−(𝑥1+𝑥2);s=(y2−y1x2−x1)2−(x1+x2);

𝑡=−(𝑦2−𝑦1𝑥2−𝑥1)3+(𝑦2−𝑦1𝑥2−𝑥1)(𝑥1+𝑥2)+Det[(𝑥1𝑦1𝑥2𝑦2)]𝑥2−𝑥1;t=−(y2−y1x2−x1)3+(y2−y1x2−x1)(x1+x2)+Det[(x1x2y1y2)]x2−x1;

and

𝐶𝐶=(𝑦3−𝑡𝑥3−𝑠)2−(𝑠+𝑥3);CC=(y3−tx3−s)2−(s+x3);

𝐷𝐷=−(𝑦3−𝑡𝑥3−𝑠)3+(𝑦3−𝑡𝑥3−𝑠)(𝑠+𝑥3)+Det[(𝑠𝑡𝑥3𝑦3)]𝑥3−𝑠;DD=−(y3−tx3−s)3+(y3−tx3−s)(s+x3)+Det[(sx3ty3)]x3−s;

and also set

𝑢=(𝑦3−𝑦2𝑥3−𝑥2)2−(𝑥2+𝑥3);u=(y3−y2x3−x2)2−(x2+x3);

𝑣=−(𝑦3−𝑦2𝑥3−𝑥2)3+(𝑦3−𝑦2𝑥3−𝑥2)(𝑥2+𝑥3)+Det[(𝑥2𝑦2𝑥3𝑦3)]𝑥3−𝑥2;v=−(y3−y2x3−x2)3+(y3−y2x3−x2)(x2+x3)+Det[(x2x3y2y3)]x3−x2;

and

𝐹𝐹=(𝑣−𝑦1𝑢−𝑥1)2−(𝑥1+𝑢);FF=(v−y1u−x1)2−(x1+u);

𝐺𝐺=−(𝑣−𝑦1𝑢−𝑥1)3+(𝑣−𝑦1𝑢−𝑥1)(𝑥1+𝑢)+Det[(𝑥1𝑦1𝑢𝑣)]𝑢−𝑥1.GG=−(v−y1u−x1)3+(v−y1u−x1)(x1+u)+Det[(x1uy1v)]u−x1.

Moreover, we set

𝑃=(𝑦1−𝑦2)2−(𝑥1−𝑥2)2(𝑥1+𝑥2+𝑥3);P=(y1−y2)2−(x1−x2)2(x1+x2+x3);

𝑄=(𝑦2−𝑦3)2−(𝑥2−𝑥3)2(𝑥1+𝑥2+𝑥3);Q=(y2−y3)2−(x2−x3)2(x1+x2+x3);

𝑅=(𝑥2−𝑥3)𝑦21+(𝑥3−𝑥1)𝑦22+(𝑥1−𝑥2)𝑦23+(𝑥1−𝑥2)(𝑥2−𝑥3)(𝑥3−𝑥1)(𝑥1+𝑥2+𝑥3).R=(x2−x3)y12+(x3−x1)y22+(x1−x2)y32  +(x1−x2)(x2−x3)(x3−x1)(x1+x2+x3).

Here, 𝑃2P2 ( 𝑄2Q2 ) appears in the denominator of 𝐶𝐶CC ( 𝐹𝐹FF ) and 𝑃3P3 ( 𝑄3Q3 ) in the denominator of 𝐷𝐷DD (GG). The homogeneous polynomials P and Q are invariant under the permutation of 1,2,31,2,3 , whereas R changes sign.

For

𝐴𝐴=𝑃2𝑄2(𝐶𝐶−𝐹𝐹)𝑅;𝐵𝐵=𝑃3𝑄3(𝐷𝐷−𝐺𝐺)𝑅;AA=P2Q2(CC−FF)R; BB=P3Q3(DD−GG)R;

execute the following

Factor[𝐴𝐴]Factor[AA]

Factor[𝐵𝐵]Factor[BB]

Ending of MATHEMATICA

It takes about several seconds for a standard present day PC before MATHEMATICA outputs two huge homogeneous polynomials in 𝑥1x1 , 𝑥2x2 , 𝑥3x3 , 𝑦1y1 , 𝑦2y2 and 𝑦3y3 of integer coefficients. The “degrees” of 𝐴𝐴AA and 𝐵𝐵BB are 9 and 31/2, respectively, when “degree” 1 is assigned to 𝑥1x1 , 𝑥2x2 , 𝑥3x3 and 3/2 for 𝑦1y1 , 𝑦2y2 and 𝑦3y3 , see the curve Equation (1). In other words, 𝐴𝐴AA and 𝐵𝐵BB are universal polynomials of elliptic curves which are independent of the parameters a and b. More than 10 pages are required to write down the outputs. As we will see their explicit forms are irrelevant for the discussion of the associativity, we do not display them here. These polynomials have many interesting features.

From the program we have

𝐶𝐶−𝐹𝐹=𝐴𝐴𝑃2𝑄2𝑅,𝐷𝐷−𝐺𝐺=𝐵𝐵𝑃3𝑄3𝑅.CC−FF=AAP2Q2R, DD−GG=BBP3Q3R.(15)

It is very interesting and important that both have a common factor R. Note that we have not imposed the equations

⎧⎩⎨⎪⎪𝑦21=𝑥31+𝑎𝑥1+𝑏𝑦22=𝑥32+𝑎𝑥2+𝑏𝑦23=𝑥33+𝑎𝑥3+𝑏{y12=x13+ax1+by22=x23+ax2+by32=x33+ax3+b(16)

up to this point.

Last, we show

𝑅=0R=0(17)

under the condition (16), which finishes the proof of associativity (14).

Here, let us give an educational proof for undergraduates. We treat the following determinant :

𝑋=∣∣∣∣∣1𝑥1𝑦211𝑥2𝑦221𝑥3𝑦23∣∣∣∣∣X=|111x1x2x3y12y22y32|(18)

Direct calculation gives

𝑋=𝑥2𝑦23+𝑥3𝑦21+𝑥1𝑦22−𝑥2𝑦21−𝑥1𝑦23−𝑥3𝑦22=−{(𝑥2−𝑥3)𝑦21+(𝑥3−𝑥1)𝑦22+(𝑥1−𝑥2)𝑦23}.X=x2y32+x3y12+x1y22−x2y12−x1y32−x3y22=−{(x2−x3)y12+(x3−x1)y22+(x1−x2)y32}.(19)

On the other hand, from (16) we have

𝑋=∣∣∣∣∣1𝑥1𝑥31+𝑎𝑥1+𝑏1𝑥2𝑥32+𝑎𝑥2+𝑏1𝑥3𝑥33+𝑎𝑥3+𝑏∣∣∣∣∣=∣∣∣∣∣1𝑥1𝑥31+𝑎𝑥11𝑥2𝑥32+𝑎𝑥21𝑥3𝑥33+𝑎𝑥3∣∣∣∣∣=∣∣∣∣∣1𝑥1𝑥311𝑥2𝑥321𝑥3𝑥33∣∣∣∣∣X=|111x1x2x3x13+ax1+bx23+ax2+bx33+ax3+b|=|111x1x2x3x13+ax1x23+ax2x33+ax3|=|111x1x2x3x13x23x33|

by some fundamental operations.

Moreover, we have

𝑋=∣∣∣∣∣1𝑥1𝑥310𝑥2−𝑥1𝑥32−𝑥310𝑥3−𝑥1𝑥33−𝑥31∣∣∣∣∣=(𝑥2−𝑥1)(𝑥3−𝑥1)∣∣∣∣∣1𝑥1𝑥3101𝑥22+𝑥2𝑥1+𝑥2101𝑥23+𝑥3𝑥1+𝑥21∣∣∣∣∣=(𝑥2−𝑥1)(𝑥3−𝑥1)∣∣∣∣∣1𝑥1𝑥3101𝑥22+𝑥2𝑥1+𝑥2100(𝑥3−𝑥2)(𝑥3+𝑥2+𝑥1)∣∣∣∣∣=(𝑥2−𝑥1)(𝑥3−𝑥1)(𝑥3−𝑥2)(𝑥3+𝑥2+𝑥1)=(𝑥1−𝑥2)(𝑥2−𝑥3)(𝑥3−𝑥1)(𝑥1+𝑥2+𝑥3)X=|100x1x2−x1x3−x1x13x23−x13x33−x13|=(x2−x1)(x3−x1)|100x111x13x22+x2x1+x12x32+x3x1+x12|=(x2−x1)(x3−x1)|100x110x13x22+x2x1+x12(x3−x2)(x3+x2+x1)|=(x2−x1)(x3−x1)(x3−x2)(x3+x2+x1)=(x1−x2)(x2−x3)(x3−x1)(x1+x2+x3)(20)

by some fundamental operations. As a result, we obtain

𝑅=(𝑥2−𝑥3)𝑦21+(𝑥3−𝑥1)𝑦22+(𝑥1−𝑥2)𝑦23+(𝑥1−𝑥2)(𝑥2−𝑥3)(𝑥3−𝑥1)(𝑥1+𝑥2+𝑥3)=−𝑋+𝑋=0R=(x2−x3)y12+(x3−x1)y22+(x1−x2)y32  +(x1−x2)(x2−x3)(x3−x1)(x1+x2+x3)=−X+X=0

by (19) and (20).

As shown in the paper the elementary proof of the associative law of the points of an elliptic curve is not easy. However, it is not necessarily a bad thing for the encryption system.

In this section we reproved the following

Theorem The system {𝐸,⊕}{E,⊕} becomes an additive (abelian) group.

3. Concluding Remarks

We conclude the paper by making some comments on the elliptic curve cryptography [7] [8] .

Let p be a huge prime number and 𝐅𝑝Fp be the finite field

𝐅𝑝={0,1,2,⋯,𝑝−1},Fp={0,1,2,⋯,p−1},

see for example [5] .

Our target is an elliptic curve on 𝐅𝑝Fp

𝐸𝑝={(𝑥,𝑦)∣∣𝑦2=𝑥3+𝑎𝑥+𝑏(mod𝑝)}.Ep={(x,y) |y2=x3+ax+b (modp)}.

For this case 𝐸𝑝Ep becomes a finite set. We assume that 𝑃P and 𝑄∈𝐸𝑝Q∈Ep satisfy the relation

𝑄=𝑛⊕𝑃(mod𝑝)Q=n⊕P ( modp)

where

𝑛⊕𝑃=𝑃⊕𝑃⊕⋯⊕𝑃(𝑛-times).n⊕P=P⊕P⊕⋯⊕P (n- times).

Problem For given P and Q is it possible to find n in polynomial time?

This is called the discrete logarithm problem and it is known as a very hard one to solve [9] . The security of the elliptic curve cryptography (which is worth studying for undergraduates or non-experts) is based on this hard problem.

Acknowledgements

We wishes to thank Ryu Sasaki for useful suggestions and comments.

Cite this paper

Fujii, K. and Oike, H. (2017) An Algebraic Proof of the Associative Law of Elliptic Curves. Advances in Pure Mathematics, 7, 649-659. https://doi.org/10.4236/apm.2017.712040

References

1. 1. Diffie, W. and Hellman, M. (1976) New Directions in Cryptography. IEEE Transactions on Information Theory, 22, 644-654. https://doi.org/10.1109/TIT.1976.1055638   [Citation Time(s):1]

1. 2. Rivest, R.L., Shamir, A. and Adleman, L. (1978) A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21, 120-126. https://doi.org/10.1145/359340.359342   [Citation Time(s):1]

1. 3. ELGamal, T. (1985) A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31, 469-472.https://doi.org/10.1109/TIT.1985.1057074   [Citation Time(s):1]

1. 4. Nakanishi, T. (2017) Mechanisms of Modern Cryptography. Kyoritsu Smart Selection 12, Kyoritsu Shuppan.   [Citation Time(s):1]

1. 5. Silverman, J.H. (2006) A Friendly Introduction to NUMBER THEORY. 3rd Edition, Pearson Education, London.   [Citation Time(s):3]

1. 6. Silverman, J.H. and Tate, J. (1992) Rational Points on Elliptic Curves. Springer-Verlag, Berlin. https://doi.org/10.1007/978-1-4757-4252-7   [Citation Time(s):1]

1. 7. Koblitz, N. (1987) Elliptic Curve Cryptosystems. Mathematics of Computation, 48, 203-209. https://doi.org/10.1090/S0025-5718-1987-0866109-5   [Citation Time(s):1]

1. 8. Fujii, K. (2014-2016) Public-Key Cryptography and Its Decoding by Quantum Computation (in Japanese). Lecture Note at Yokohama City University, Yokohama, 39.   [Citation Time(s):1]

1. 9. Shor, P.W. (1999) Polynomial—Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Review, 41, 303-332.https://doi.org/10.1137/S0036144598347011   [Citation Time(s):1]

NOTES

¹We don’t admit usual geometric proofs in standard textbooks of elliptic curves.

²We expect that undergraduates in the world can use MATHEMATICA or MAPLE, etc.