Weierstrass Curve

Last updated 1 month ago

Definition

An elliptic curve over a field is commonly defined using the Weierstrass equation, which appears in multiple forms. The general Weierstrass form is:

$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$$

This equation defines a non-singular cubic curve, given certain conditions on the coefficients $a_1, a_2, a_3, a_4, a_6$ to ensure smoothness (i.e., the curve has no cusps or self-intersections).

However, when the field has characteristic not equal to 2 or 3, we can simplify this equation via a change of variables into a more convenient form, known as the Short Weierstrass Form:

$$y^2 = x^3 + ax + b$$

This is the form most commonly used in cryptography. In this case, the curve is uniquely determined by the values of $a$ and $b$, and the non-singularity condition becomes:

$$4a^3 + 27b^2 \ne 0$$

The set of points on an elliptic curve forms an additive abelian group, with a well-defined addition operation.

Addition (Short Weierstrass Form)

We define point addition geometrically through the relation:

$$P + Q + R = \mathcal{O}$$

Note that $\mathcal{O} = (0, 1, 0)$ refers to the point at infinity, or the identity point, as defined in projective form.

That is, three collinear points on an elliptic curve (in affine form) sum to the identity. Hence, the sum of two points is the reflection of the third point over the x-axis:

$$P + Q = -R$$

Calculating Point Additions

Let $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, and $-R = (x_R, y_R)$. The formulas depend on whether we are adding or doubling points.

Case 1. Adding: $P \ne Q \to P + Q = (x_P, y_P) + (x_Q, y_Q) = (x_R, y_R) = -R$

$$m = \frac{y_Q - y_P}{x_Q - x_P}, \quad x_R = m^2 - x_P - x_Q, \quad y_R = m(x_P - x_R) - y_P$$

Case 2. Doubling: $P = Q \to 2P = 2(x_P, y_P) = (x_P, y_P) + (x_P, y_P) = (x_R, y_R) = -R$

$$m = \frac{3x_P^2 + a}{2y_P}, \quad x_R = m^2 - 2x_P, \quad y_R = m(x_P - x_R) - y_P$$

Negation (Short Weierstrass Form)

The additive inverse of a point $P = (x, y)$ on a Short Weierstrass curve is:

$$-P = (x, -y)$$

Why?

The curve is symmetric about the x-axis, because the equation contains $y^2$ (even power), so flipping the sign of $y$ still satisfies the curve equation:

$$(-y)^2 = y^2 = x^3 + ax + b$$

So:

$$P + (-P) = \mathcal{O}$$

This makes point negation simple and geometric: just reflect the point across the x-axis.

Confirming Additive Abelian Group Properties

Closure: If $P$, $Q$ are on the curve, then $P + Q$ is also on the curve ✅

Associativity: $P + (Q + R) = (P + Q) + R$ ✅

Identity: $P + \mathcal{O} = P$ ✅

Inverse: $P + (-P) = \mathcal{O}$ ✅

Commutativity: $P + Q = Q + P$ ✅
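The adding, doubling and negation formulas above, and the five group properties, as an added worked example in Python; this code is not part of the original page or A41's material. The prime p = 97, the coefficients a = 2, b = 3 and the sample points (3, 6), (0, 10), (1, 43) are constructed toy values, far too small for any cryptographic use, and the function names are my own. The example also handles the one situation the affine formulas leave implicit, P + (-P), where the slope denominator is zero.

```python
# Added example (not from the original page or A41): affine point addition,
# doubling and negation on a short Weierstrass curve y^2 = x^3 + ax + b over a
# prime field F_p, following the Case 1 / Case 2 formulas above, plus a check
# of the abelian-group axioms on sample points.

P_MOD = 97       # constructed toy prime; far too small for real cryptography
A, B = 2, 3      # constructed coefficients: y^2 = x^3 + 2x + 3 over F_97
INF = None       # the point at infinity O, the group identity


def is_nonsingular(a: int, b: int, p: int) -> bool:
    """Non-singularity condition 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a**3 + 27 * b**2) % p != 0


def on_curve(pt, a: int = A, b: int = B, p: int = P_MOD) -> bool:
    """True if pt is O or an affine (x, y) satisfying the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0


def neg(pt, p: int = P_MOD):
    """-P = (x, -y): reflect across the x-axis; -O = O."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % p)


def add(P, Q, a: int = A, p: int = P_MOD):
    """P + Q in affine coordinates, handling O and P + (-P) explicitly."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    xp, yp = P
    xq, yq = Q
    # Same x and opposite y: the line through them is vertical, so P + Q = O.
    # This also covers doubling a point with y = 0, where 2y_P has no inverse.
    if xp == xq and (yp + yq) % p == 0:
        return INF
    if P == Q:
        # Case 2 (doubling): slope of the tangent line at P.
        m = (3 * xp * xp + a) * pow(2 * yp, -1, p) % p
    else:
        # Case 1 (adding): slope of the chord through P and Q.
        m = (yq - yp) * pow(xq - xp, -1, p) % p
    xr = (m * m - xp - xq) % p      # when doubling, xq == xp so this is m^2 - 2x_P
    yr = (m * (xp - xr) - yp) % p
    return (xr, yr)


def scalar_mul(k: int, P, a: int = A, p: int = P_MOD):
    """k * P by double-and-add, built only from add/neg above."""
    if k < 0:
        return scalar_mul(-k, neg(P, p), a, p)
    result, addend = INF, P
    while k:
        if k & 1:
            result = add(result, addend, a, p)
        addend = add(addend, addend, a, p)
        k >>= 1
    return result


def check_group_axioms(points, a: int = A, b: int = B, p: int = P_MOD) -> dict:
    """Check the five abelian-group properties on every pair/triple of points (plus O)."""
    pts = list(points) + [INF]
    return {
        "closure": all(on_curve(add(P, Q, a, p), a, b, p) for P in pts for Q in pts),
        "associativity": all(
            add(P, add(Q, R, a, p), a, p) == add(add(P, Q, a, p), R, a, p)
            for P in pts for Q in pts for R in pts
        ),
        "identity": all(add(P, INF, a, p) == P for P in pts),
        "inverse": all(add(P, neg(P, p), a, p) is INF for P in pts),
        "commutativity": all(add(P, Q, a, p) == add(Q, P, a, p) for P in pts for Q in pts),
    }


if __name__ == "__main__":
    P, Q = (3, 6), (0, 10)            # constructed points on the toy curve
    assert is_nonsingular(A, B, P_MOD) and on_curve(P) and on_curve(Q)
    print("P + Q =", add(P, Q))       # (85, 71)
    print("2P    =", add(P, P))       # (80, 10)
    print("P - P =", add(P, neg(P)))  # None, i.e. O
    print(check_group_axioms([P, Q, (1, 43)]))
```

The explicit test for $x_P = x_Q$ with $y_P = -y_Q$ is what an implementation of the formulas must add: both the chord slope (Case 1) and, for a point with $y_P = 0$, the tangent slope (Case 2) would otherwise divide by zero, and returning $\mathcal{O}$ there is exactly the inverse property from the list above.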

References

Elliptic curves: A gentle Intro
A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography

Written by Ashley Jeong of A41