Cryptography Reference
In-Depth Information
as pointed out earlier, the tangent line at
∞
intersects the curve only at
∞
(and intersects to order 3 at
). It follows that if two of the entries in a row
or column of the above table of intersections are equal to
∞
, then so is the
third, and the line intersects the curve to order 3. Therefore, this hypothesis
is satisfied.
It is also possible to treat directly the cases where some of the intersection
points
P, Q, R,±
(
P
+
Q
)
, ±
(
Q
+
R
)are
∞
. In the cases where at least one of
P, Q, R
is
∞
, associativity is trivial.
If
P
+
Q
=
∞
,then(
P
+
Q
)+
R
=
∞
+
R
=
R
. On the other hand,
the sum
Q
+
R
is computed by first drawing the line
L
through
Q
and
R
,
which intersects
E
in
−
(
Q
+
R
). Since
P
+
Q
=
∞
, the reflection of
Q
across
the
x
-axis is
P
. Therefore, the reflection
L
of
L
passes through
P
,
−R
,and
Q
+
R
.Thesum
P
+(
Q
+
R
) is found by drawing the line through
P
and
Q
+
R
,whichis
L
. We have just observed that the third point of intersection
of
L
with
E
is
−R
. Reflecting yields
P
+(
Q
+
R
)=
R
, so associativity holds
in this case.
Similarly, associativity holds when
Q
+
R
=
∞
.
Finally, we need to consider what happens if some line
i
equals some line
m
j
, since then Theorem 2.6 does not apply.
First, observe that if
P, Q, R
are collinear, then associativity is easily verified
directly.
Second, suppose that
P, Q, Q
+
R
are collinear. Then
P
+(
Q
+
R
)=
∞
−
Q
.
Also,
P
+
Q
=
(
Q
+
R
)+
R
. The second
equation of the following shows that associativity holds in this case.
−
(
Q
+
R
), so (
P
+
Q
)+
R
=
−
LEMMA 2.11
Let
P
1
,P
2
be pointsonane liptic curve. T hen
(
P
1
+
P
2
)
−
P
2
=
P
1
and
−
(
P
1
+
P
2
)+
P
2
=
−
P
1
.
PROOF
The two relations are reflections of each other, so it su
ces to
prove the second one. The line
L
through
P
1
and
P
2
intersects the elliptic
curve in
−
(
P
1
+
P
2
). Regarding
L
as the line through
−
(
P
1
+
P
2
)and
P
2
yields
−
(
P
1
+
P
2
)+
P
2
=
−
P
1
, as claimed.
Suppose that
i
=
m
j
for some
i, j
. We consider the various cases. By the
above discussion, we may assume that all points in the table of intersections
are finite, except for
and possibly
X
. Note that each
i
and each
m
j
meets
E
in three points (counting multiplicity), one of which is
P
ij
. If the two lines
coincide, then the other two points must coincide in some order.
∞
1.
1
=
m
1
:Then
P, Q, R
are collinear, and associativity follows.
2.
1
=
m
2
: In this case,
P, Q,∞
are collinear, so
P
+
Q
=
∞
; associativity
follows by the direct calculation made above.
Search WWH ::
Custom Search