Prime Numbers

7.1 Elliptic curve fundamentals 321
Definition 7.1.1. A nonsingular cubic curve (7.2) with coefficients in a
field F and with at least one point with coordinates in F (that are not
all zero) is said to be an elliptic curve over F . If the characteristic of F
is not 2 or 3, then the equations (7.4) and (7.5) also define elliptic curves
over F , provided that 4a 3 +27b 2 = 0 in the case of equation (7.4) and
4A 3 +27B 2 − 18ABC − A 2 C 2 +4BC 3 = 0 in the case of equation (7.5).
In these two cases, we denote by E(F ) the set of points with coordinates in
F that satisfy the equation together with the point at infinity, denoted by O.
So, in the case of (7.4),
E(F )= (x, y) ∈ F × F : y 2 = x 3 + ax + b ∪{O},
and similarly for a curve defined by equation (7.5).
Note that we are concentrating on fields of characteristic not equal to 2
or 3. For fields such as F2m the modified equation (7.11) of Exercise 7.1 must
be used (see, for example, [Koblitz 1994] for a clear exposition of this).
We use the form (7.5) because it is sometimes computationally useful
in, for example, cryptography and factoring studies. Since the form (7.4)
corresponds to the special case of (7.5) with C = 0, it should be sufficient
to give any formulae for the form (7.5), allowing the reader to immediately
convert to a formula for the form (7.4) in case the quadratic term in x is
missing. However, it is important to note that equation (7.5) is overspecified
because of an extra parameter. So in a word, the Weierstrass form (7.4) is
completely general for curves over the fields in question, but sometimes our
parameterization (7.5) is computationally convenient.
The following parameter classes will be of special practical importance:
(1) C = 0, giving immediately the Weierstrass form y 2 = x 3 + Ax + B. This
parameterization is the standard form for much theoretical work on elliptic
curves.
(2) A = 1, B = 0, so curves are based on y 2 = x 3 + Cx 2 + x. This
parameterization has particular value in factorization implementations
[Montgomery 1987], [Brent et al. 2000], and admits of arithmetic
enhancements in practice.
(3) C =0,A= 0, so the cubic is y 2 = x 3 + B. This form has value in finding
particular curves of specified order (the number elements of the set E, as
we shall see), and also allows practical arithmetic enhancements.
(4) C =0, B = 0, so the cubic is y 2 = x 3 + Ax, with advantages as in (3).
The tremendous power of elliptic curves becomes available when we define
a certain group operation, under which E(F ) becomes, in fact, an abelian
group:
Definition 7.1.2. Let E(F ) be an elliptic curve defined by (7.5) over a field
F of characteristic not equal to 2 or 3. Denoting two arbitrary curve points
by P1 =(x1,y1),P2 =(x2,y2) (not necessarily distinct), and denoting by O