Cryptography Reference
$= P_{22}$.

Finally, suppose $P_{23} = P_{32}$. Then $P_{23}$ lies on $\ell_2, \ell_3, m_2, m_3$. This forces $P_{22} = P_{32}$, which we have just shown is impossible.
Therefore, all possibilities lead to contradictions. It follows that $(x, y, z)$ must be identically 0. Therefore $D = 0$, so

$$C = \alpha \ell_1 \ell_2 \ell_3 + \beta m_1 m_2 m_3.$$

Similarly, $P_{23}$

Since $\ell_3$ and $m_3$ vanish at $P_{33}$, we have $C(P_{33}) = 0$, as desired. This completes the proof of Theorem 2.6.
REMARK 2.10

Note that we proved the stronger result that

$$C = \alpha \ell_1 \ell_2 \ell_3 + \beta m_1 m_2 m_3$$

for some constants $\alpha, \beta$. Since there are 10 coefficients in an arbitrary homogeneous cubic polynomial in three variables and we have required that $C$ vanish at eight points (when the $P_{ij}$ are distinct), it is not surprising that the set of possible polynomials is a two-parameter family. When the $P_{ij}$ are not distinct, the tangency conditions add enough restrictions that we still obtain a two-parameter family.
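We can now prove the associativity of addition for an elliptic curve. Let $P, Q, R$ be points on $E$. Define the lines

$$\ell_1 = \overline{PQ}, \quad \ell_2 = \overline{\infty, Q+R}, \quad \ell_3 = \overline{R, P+Q}$$

$$m_1 = \overline{QR}, \quad m_2 = \overline{\infty, P+Q}, \quad m_3 = \overline{P, Q+R}.$$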
We have the following intersections:

$$\begin{array}{c|ccc}
 & \ell_1 & \ell_2 & \ell_3 \\ \hline
m_1 & Q & -(Q+R) & R \\
m_2 & -(P+Q) & \infty & P+Q \\
m_3 & P & Q+R & X
\end{array}$$
Assume for the moment that the hypotheses of the theorem are satisfied. Then all the points in the table, including $X$, lie on $E$. The line $\ell_3$ has three points of intersection with $E$, namely $R$, $P+Q$, and $X$. By the definition of addition, $X = -((P+Q)+R)$. Similarly, $m_3$ intersects $C$ in 3 points, which means that $X = -(P+(Q+R))$. Therefore, after reflecting across the $x$-axis, we obtain $(P+Q)+R = P+(Q+R)$, as desired.
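As an added illustration (not part of the original text), the intersection table can be checked numerically on a constructed toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$; the curve parameters and all function names are assumptions made for this example. Each column ($\ell_j$) and each row ($m_i$) of the table must consist of collinear points, and the $m_3$ row passing the test with $X$ taken from $\ell_3$ is the associativity statement.

```python
# Added example: toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed parameters).
p, a, b = 97, 2, 3
INF = None  # the point at infinity

def neg(P):
    return INF if P is INF else (P[0], -P[1] % p)

def add(P, Q):
    """Chord-and-tangent addition on E(F_p)."""
    if P is INF: return Q
    if Q is INF: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                         # vertical line: Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def collinear(A, B, C):
    """True when the 3x3 determinant of homogeneous coordinates is 0 mod p."""
    h = lambda T: (0, 1, 0) if T is INF else (T[0], T[1], 1)
    (a1, a2, a3), (b1, b2, b3), (c1, c2, c3) = h(A), h(B), h(C)
    det = a1*(b2*c3 - b3*c2) - a2*(b1*c3 - b3*c1) + a3*(b1*c2 - b2*c1)
    return det % p == 0

def points():
    """All affine points of the toy curve."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - a * x - b) % p == 0]

def table(P, Q, R):
    """Rows are m_1, m_2, m_3; columns are l_1, l_2, l_3. X is read off l_3."""
    X = neg(add(add(P, Q), R))
    return [[Q,              neg(add(Q, R)), R],
            [neg(add(P, Q)), INF,            add(P, Q)],
            [P,              add(Q, R),      X]]

def table_is_consistent(P, Q, R):
    T = table(P, Q, R)
    rows = all(collinear(*row) for row in T)
    cols = all(collinear(T[0][j], T[1][j], T[2][j]) for j in range(3))
    # m_3 row: P, Q+R and X (taken from l_3) lie on one line, as associativity requires
    return rows and cols

if __name__ == "__main__":
    pts = points()[:12]
    print(all(table_is_consistent(P, Q, R) for P in pts for Q in pts for R in pts))
```

The determinant test is only informative when the three points on a line are distinct; coincident points correspond to the tangency cases, where the orders of intersection have to be checked separately.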
It remains to verify the hypotheses of the theorem, namely that the orders of intersection are correct and that the lines $\ell_i$ are distinct from the lines $m_j$.

First we want to dispense with cases where $\infty$ occurs. The problem is that we treated $\infty$ as a special case in the definition of the group law. However,