What is an elliptic curve? (2019)

(johndcook.com)

102 points | by tzury 7 hours ago

6 comments

  • soVeryTired 4 hours ago
    Anyone have a good explanation for why elliptic curves have a 'natural' group law? I've seen the definition of the group law in R before, where you draw a line through two points, find the third point, and mirror-image. I feel like there's something deeper going on though.

    As far as I've seen, the group law is what makes elliptic curves special. Are they the _only_ flavour of curve that has a nice geometric group law? (let's say aside from really simple cases like lines through the origin, where you can just port over the additive group from R)

    • daynthelife 2 hours ago
      I find a lot of motivation from topology. If you plot a smooth degree d curve over the complex numbers, it forms a surface of degree g=(d-1)(d-2)/2. In the case of a cubic, we get genus 1, i.e. a torus. Now tori admit a very natural group action, namely addition in (R/Z)^2. And sure enough, if you pick the right homeomorphism, this corresponds to the group action given by the elliptical curve.

      Of course, the homeomorphism to (R/Z)^2 does not respect the geometry (it is not conformal). If we want the map to preserve angles, we need our fundamental domain to be a parallelogram instead of a rigid square. The shape of the parallelogram depends on the coefficients of the cubic, and the isomorphism is uniquely defined up to choice of a base point O (mapping to the identity element; for elliptic curves, this is normally taken to be the point at infinity). You still get a group law on the parallelogram from vector addition in the same way, and this pulls back to the precise group action on the elliptic curve.

      The real magic is that the resulting group law is algebraic, meaning that a*b can be written as an algebraic function of a and b. This means you can do the same arithmetic over any field, not just the complex numbers, and still get a group action.

    • aleph_minus_one 3 hours ago
      > Anyone have a good explanation for why elliptic curves have a 'natural' group law? [...] As far as I've seen, the group law is what makes elliptic curves special. Are they the _only_ flavour of curve that has a nice geometric group law?

      I asked the same question to a professor who works in topics related to algebraic geometry. His answer was very simple: it's because elliptic curves form Abelian varieties

      > https://en.wikipedia.org/wiki/Abelian_variety

      i.e. a projective variety that is also an algebraic group

      > https://en.wikipedia.org/wiki/Algebraic_group

      Being an algebraic group means that the group law on the variety can be defined by regular functions.

      Basically, he told me to read good textbooks about abelian varieties if one is interested in this topic.

      > Are they the _only_ flavour of curve that has a nice geometric group law?

      The Jacobian of a hyperelliptic curve (which generalizes elliptic curves) also forms an abelian variety. Its use in cryptography is named "hyperelliptic curve cryptography":

      > https://en.wikipedia.org/wiki/Hyperelliptic_curve_cryptograp...

    • less_less 2 hours ago
      Another answer to this: https://en.wikipedia.org/wiki/Cayley–Bacharach_theorem

      A second special case of this theorem is Pascal's theorem, which says (roughly) that a variant of the elliptic curve group law also works on the union of a conic C and a line L (this union, like an elliptic curve, is cubic), where the group elements are on the conic. One point O on the conic is marked as the identity. To add points A+B, you draw a line AB between them, intersect that with the fixed line L in a point C, draw a second line CO back through the marked identity point, and intersect again with the conic in D:=A+B. This procedure obviously commutes and satisfies the identity law, and according to Pascal's theorem it associates.

      Under a projective transformation, if the conic and line don't intersect, you can send the line to infinity and the conic to the units in (IIRC) a quadratic extension of F (e.g. the complex unit circle, if -1 isn't square in F). Since the group structure is defined by intersections of lines and conics, projective transformations don't change it. So the group is isomorphic to the group of units in an extension of F. If they do intersect ... not sure, but I would guess it instead becomes the multiplicative group in F itself.

      The multiplicative group of F can be used for cryptography (this is classic Diffie-Hellman), as can the group of units in an extension field (this is LUCDIF, or in the 6th-degree case it's called XTR). These methods are slightly simpler than elliptic curves, but there are subexponential "index calculus" attacks against them, just like the ones against the original Diffie-Hellman. The attack on extension fields got a lot stronger with Joux's 2013 improvements. Since no such attack is known against properly chosen elliptic curves, those are used instead.
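
The conic-and-line construction described in the comment above, as an added example that is not part of the thread. It assumes the conic x^2 + y^2 = z^2 over F_19, the line at infinity as L and O = (1, 0), all chosen here for illustration, and compares the geometric sum with multiplication of norm-1 elements x + iy in F_19(i).

```python
# Added example: conic-and-line group law over F_p, in projective coordinates.
# Assumed setup (not from the thread): conic x^2 + y^2 = z^2, line L: z = 0.
P = 19            # constructed small prime with P % 4 == 3, so L misses the conic
O = (1, 0, 1)     # marked identity point on the conic
L = (0, 0, 1)     # coefficients of the fixed line z = 0

def cross(u, v):
    """Line through two points, or the meeting point of two lines."""
    return ((u[1]*v[2] - u[2]*v[1]) % P,
            (u[2]*v[0] - u[0]*v[2]) % P,
            (u[0]*v[1] - u[1]*v[0]) % P)

def bil(u, v):
    """Bilinear form of the conic; bil(u, u) == 0 iff u lies on it."""
    return (u[0]*v[0] + u[1]*v[1] - u[2]*v[2]) % P

def add(a, b):
    """A + B: line AB meets L in C, line CO meets the conic again in D."""
    line = cross(a, b) if a != b else (a[0], a[1], -a[2] % P)  # tangent if A == B
    c = cross(line, L)
    qc, boc = bil(c, c), bil(O, c)
    # Points on line CO are O + t*C; the root other than t = 0 gives D.
    d = tuple((qc * o - 2 * boc * ci) % P for o, ci in zip(O, c))
    inv = pow(d[2], -1, P)             # d[2] == qc != 0 because C is off the conic
    return tuple(x * inv % P for x in d)

def cmul(a, b):
    """Product of norm-1 elements x + i*y in F_p(i), with i^2 = -1."""
    return ((a[0]*b[0] - a[1]*b[1]) % P, (a[0]*b[1] + a[1]*b[0]) % P, 1)

def conic_points():
    """All points (x, y, 1) with x^2 + y^2 = 1 over F_p."""
    return [(x, y, 1) for x in range(P) for y in range(P)
            if (x*x + y*y - 1) % P == 0]

def check():
    """Return (group order, geometric sum == cmul everywhere, associative)."""
    pts = conic_points()
    same = all(add(a, b) == cmul(a, b) for a in pts for b in pts)
    assoc = all(add(add(a, b), c) == add(a, add(b, c))
                for a in pts for b in pts for c in pts)
    return len(pts), same, assoc

if __name__ == "__main__":
    print(check())
```

The group found this way has P + 1 elements, so its discrete-log problem lives in the quadratic extension field rather than on an elliptic curve.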

  • zkmon 6 hours ago
    I prefer a more generic form:

    (y-a)(y-b) = (x-c)(x-d)(x-k)

    By varying terms on both sides or making a term as a constant, you get generalizations for conics etc.

  • Rakshath_1 4 hours ago
    Nice explanation of elliptic curves, especially the emphasis on how the underlying field changes what the curve actually is. The transition from intuitive equations to the formal definition (smooth, projective genus one) is very well done and the Curve1174 example helps clarify why not all elliptic curves look like Weierstrass forms.

  • jasonjmcghee 4 hours ago
    If folks have ever seen “ed25519” - say when generating an ssh key, and wondered what it meant and how that tiny thing could still be secure

    https://en.wikipedia.org/wiki/EdDSA

  • commandersaki 6 hours ago
    Dr Cook has been smashing out some excellent very digestible math content lately.

    Edit: Just realised this was posted in 2019.

  • Momade 5 hours ago
    Ola