a multiple zero $x_0$ of the cubic polynomial $x^3 + ax + b$ in an algebraic closure of $F$. Thus, in this algebraic closure this polynomial is a product of linear factors as follows:
$$x^3 + ax + b = (x - x_0)^2 (x - x_1).$$
Expanding the polynomial on the right and equating the coefficients of both expressions we obtain that the coefficient of the term of degree 2 is $-2x_0 - x_1 = 0$, i.e., $x_1 = -2x_0$. The coefficient of the term of degree 1 is then $a = x_0^2 + 2x_0x_1 = x_0^2 - 4x_0^2 = -3x_0^2$, which implies that, with the preceding notations, $F_x(x_0, 0) = 0$.
The point $(x_0, 0)$ also satisfies that $F(x_0, 0) = 0$ and $F_y(x_0, 0) = 0$, so that $(x_0, 0)$ is a singular point of $E$, completing the proof of the implication.
For the converse implication suppose now, also by contradiction, that $P = (x_0, y_0)$ is a singular point of the curve. The singularity of $P$ is then equivalent to the following identities:
$$F(x_0, y_0) = x_0^3 + ax_0 + b - y_0^2 = 0 \quad (P \text{ is on the curve}),$$
$$F_x(x_0, y_0) = 0 \Leftrightarrow 3x_0^2 + a = 0 \Leftrightarrow x_0^2 = -a/3,$$
$$F_y(x_0, y_0) = 0 \Leftrightarrow -2y_0 = 0 \Leftrightarrow y_0 = 0.$$
If $a = 0$ we see that $b = 0$ and hence $\Delta = 0$ too; otherwise, combining these identities we obtain:
$$x_0(x_0^2 + a) + b = x_0(2a/3) + b = 0 \Rightarrow x_0^2 = \frac{9b^2}{4a^2} = -\frac{a}{3},$$
from which it follows that $27b^2 + 4a^3 = 0$, completing the proof.
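The following Python sketch is an added example, not code from the book. It turns the proof into a parameter check for curves over a prime field with p > 3 and compares the singular point the proof predicts with an exhaustive search. The function names are hypothetical and the small sample parameters are constructed; the last call uses the published secp256k1 values a = 0, b = 7.

```python
# Added example: y^2 = x^3 + a*x + b over F_p (p > 3), F(x, y) = x^3 + a*x + b - y^2.

def delta(a, b, p):
    """4a^3 + 27b^2 mod p; zero exactly when the curve is singular."""
    return (4 * pow(a, 3, p) + 27 * pow(b, 2, p)) % p

def is_singular_at(a, b, p, x0, y0):
    """Check the three identities F = F_x = F_y = 0 at (x0, y0)."""
    F = (pow(x0, 3, p) + a * x0 + b - y0 * y0) % p
    Fx = (3 * x0 * x0 + a) % p
    Fy = (-2 * y0) % p
    return F == 0 and Fx == 0 and Fy == 0

def singular_point(a, b, p):
    """Return the singular point predicted by the proof, or None if delta != 0."""
    if delta(a, b, p) != 0:
        return None
    if a % p == 0:
        return (0, 0)                      # a = 0 forces b = 0, so x0 = 0
    # Solving x0*(2a/3) + b = 0 for x0 gives x0 = -3b/(2a); y0 = 0.
    x0 = (-3 * b * pow(2 * a, -1, p)) % p  # modular inverse needs Python 3.8+
    return (x0, 0)

def brute_force(a, b, p):
    """All singular points in F_p x F_p by exhaustive search (small p only)."""
    return [(x, y) for x in range(p) for y in range(p)
            if is_singular_at(a, b, p, x, y)]

def check_curve_params(a, b, p):
    """Reject parameters that do not define an elliptic curve."""
    if p <= 3:
        raise ValueError("this form of the test assumes characteristic > 3")
    if delta(a, b, p) == 0:
        raise ValueError(f"singular curve, singular point {singular_point(a, b, p)}")
    return True

def agrees_everywhere(p):
    """Compare the formula with exhaustive search for every (a, b) in F_p^2."""
    for a in range(p):
        for b in range(p):
            sp = singular_point(a, b, p)
            if brute_force(a, b, p) != ([] if sp is None else [sp]):
                return False
    return True

if __name__ == "__main__":
    print(singular_point(10, 2, 13))   # x^3 - 3x + 2 = (x - 1)^2 (x + 2) mod 13
    print(agrees_everywhere(11))
    print(check_curve_params(0, 7, 2**256 - 2**32 - 977))  # secp256k1
```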
11.1.2 The Group Structure on an Elliptic Curve
We are going to define the group structure on the set of points of an elliptic curve $E(K)$. The group operation will be denoted additively and hence, given points $P, Q \in E(K)$, we want to define $P + Q \in E(K)$. The rough idea is to consider the unique line determined by $P$ and $Q$ and take the sum of these points to be equal to the reflection in the $x$-axis of the third point at which this line intersects the curve.
In order to see why this makes sense, consider first the case in which $P \neq Q$. Then there is a unique line $L_{PQ}$ that contains both; in case one of them is the point at infinity $O$ the line $L_{OP}$ is just the vertical line through $P$. It is easy to see that the line $L_{PQ}$ intersects the curve at one more point, say $R$. Indeed, if the line is not vertical, we eliminate the variable $y$ in the system formed by the equations of the curve and the line, and we obtain a cubic equation that has two roots in $K$. Hence the remaining root must also belong to $K$ since it corresponds to the linear factor