Notebook 06a: Elliptic Curves over the Reals

Module 06. Elliptic Curves

Motivating Question. In Modules 01 and 05 we built cryptography on the multiplicative group $\mathbb{Z}/p\mathbb{Z}^*$. That group works, but it has a weakness: sub-exponential attacks (index calculus) mean we need 2048-bit primes for adequate security. Is there a different group where the discrete log is even harder, so we can use shorter keys? The answer is yes, elliptic curves provide groups where the best known attacks are fully exponential, enabling 256-bit keys with security comparable to 3072-bit RSA.

Before we can use these curves for crypto, we must first understand what they look like. This notebook starts with curves over the real numbers $\mathbb{R}$, where we can draw pictures and build geometric intuition.

Prerequisites. You should be comfortable with:

• Groups and group operations (Module 01)

• Fields, especially $\mathbb{R}$ and finite fields $\mathbb{F}_p$ (Module 02)

• The discrete logarithm problem in $\mathbb{Z}/p\mathbb{Z}^*$ (Module 05)

Learning objectives. By the end of this notebook you will be able to:

1. Write the short Weierstrass equation $y^2 = x^3 + ax + b$ and explain each component.

2. Compute and interpret the discriminant $\Delta = -16(4a^3 + 27b^2)$.

3. Plot elliptic curves over $\mathbb{R}$ and describe how $a$ and $b$ affect the shape.

4. Identify the point at infinity $\mathcal{O}$ and the $x$-axis symmetry.

5. Distinguish singular from non-singular curves.

1. The Weierstrass Equation

An elliptic curve over a field $K$ (for now, $K = \mathbb{R}$) is the set of points $(x, y)$ satisfying

together with a special "point at infinity" $\mathcal{O}$ that we will discuss shortly.

This is called the short Weierstrass form. The constants $a, b \in K$ determine the curve's shape.

Not every choice of $(a, b)$ gives a valid elliptic curve, we need the curve to be non-singular (no cusps or self-intersections). This is guaranteed by the discriminant condition.

Observations:

• The curve is symmetric about the $x$-axis (if $(x, y)$ is on the curve, so is $(x, -y)$, since $(-y)^2 = y^2$).

• It has a smooth, connected shape, no sharp corners or crossings.

• The right "arm" extends to infinity as $x \to \infty$.

Checkpoint 1. Why is the curve symmetric about the $x$-axis? Look at the equation $y^2 = x^3 + ax + b$, what happens when you replace $y$ with $-y$?

2. The Discriminant: Singular vs Non-Singular

For the curve $y^2 = x^3 + ax + b$ to define an elliptic curve, we require the discriminant

When $\Delta = 0$, the cubic $x^3 + ax + b$ has a repeated root, and the curve develops a singularity, either a cusp (one repeated root of multiplicity 3) or a node (a double root). Singular curves do not form a group, so they are useless for cryptography.

Key observation: The cusp ($y^2 = x^3$) has a sharp point at the origin where the tangent is not well-defined. The node ($y^2 = x^3 - 3x + 2$) crosses itself at $(1, 0)$. Neither can be used for cryptography because the group law breaks down at the singular point.

Misconception alert. "Any cubic equation defines an elliptic curve." No! The curve must be non-singular ($\Delta \neq 0$). Also, the general cubic $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ can always be transformed to short Weierstrass form over fields with characteristic $\neq 2, 3$.

3. Exploring Different Shapes

By varying $a$ and $b$, the curve can take on quite different shapes. Let us build a gallery.

Patterns to notice:

• When $a < 0$, the curve can have two components: a closed "egg" on the left and an unbounded piece on the right (e.g., $y^2 = x^3 - x$).

• When $a \geq 0$ or $b$ is large enough, the curve typically has one connected component.

• The curve always extends to the right ($x \to +\infty$) because $x^3$ dominates.

• All curves are symmetric about the $x$-axis.

Checkpoint 2. The curve $y^2 = x^3 - x$ has two components. The cubic $x^3 - x = x(x-1)(x+1)$ has three real roots at $x = -1, 0, 1$. Between which pairs of roots is $x^3 - x \geq 0$ (needed for real $y$)?

4. The Point at Infinity $\mathcal{O}$

Every elliptic curve has a special point $\mathcal{O}$ called the point at infinity. You cannot see it on our plots, it lives "at the top and bottom of the plane simultaneously," in the projective closure of the curve.

Formally, we work in projective coordinates $[X : Y : Z]$ where the affine point $(x, y)$ corresponds to $[x : y : 1]$, and the point at infinity is $\mathcal{O} = [0 : 1 : 0]$.

Why do we need $\mathcal{O}$? It serves as the identity element of the group:

Without $\mathcal{O}$, the set of curve points would not have an identity and could not form a group.

5. Points and the $x$-Axis Symmetry

For any point $P = (x_0, y_0)$ on the curve, the point $(x_0, -y_0)$ is also on the curve (since $(-y_0)^2 = y_0^2$). This "mirror" point is the inverse of $P$ in the group:

Geometrically: the line through $P$ and $-P$ is vertical, and it "meets the curve at infinity", which is $\mathcal{O}$.

Checkpoint 3. If a point $P = (x_0, 0)$ lies on the curve (i.e., $y_0 = 0$), what is $-P$? What does this tell you about such points in the group?

6. Finding Rational Points

Over $\mathbb{R}$, there are infinitely many points on any elliptic curve. But finding points with rational coordinates (both $x$ and $y$ in $\mathbb{Q}$) is a deep number-theoretic problem. Let us find some by hand and with SageMath.

Bridge from Module 05. In Module 05, our group elements were numbers in $\{1, 2, \ldots, p-1\}$ and the operation was multiplication mod $p$. On an elliptic curve, our group elements are points $(x, y)$ and the operation is a geometric "addition" rule (coming in notebook 06b). Different objects, same abstract structure: a finite cyclic group where the DLP is hard.

7. Why Curves, Not Lines or Conics?

You might wonder: why specifically cubic curves? Why not lines ($y = mx + b$) or conics ($x^2 + y^2 = 1$)?

• Lines have no interesting structure, a line meets another line in at most one point.

• Conics (degree 2) can be parameterised rationally, meaning you can write down all rational points with a formula. This makes the "discrete log" problem trivial.

• Cubics (degree 3) are the sweet spot: they have enough structure to define a group law (two points determine a third), but they cannot be rationally parameterised, which is what makes the DLP hard.

This is sometimes called the genus argument: elliptic curves have genus 1, which is exactly what gives them a group structure and computational hardness.

This "three-point" property is the key to defining the group law in the next notebook. Given two points $P$ and $Q$ on the curve, we draw a line through them, find the third intersection point $R$, and then reflect $R$ across the $x$-axis to get $P + Q$.

Crypto foreshadowing. The group law on elliptic curves enables the same cryptographic constructions as $\mathbb{Z}/p\mathbb{Z}^*$, Diffie-Hellman, ElGamal, digital signatures, but with much shorter keys. A 256-bit elliptic curve key provides roughly the same security as a 3072-bit RSA key. That is a factor of 12× savings in key size, which matters for constrained devices, bandwidth, and storage.

8. Exercises

Exercise 1 (Worked): Checking the Discriminant

Problem. Determine which of the following define valid elliptic curves:

• (a) $y^2 = x^3 + 2x + 3$

• (b) $y^2 = x^3 - 3x + 2$

• (c) $y^2 = x^3 + x + 1$

Solution. Compute $\Delta = -16(4a^3 + 27b^2)$ for each:

Curve (b) is singular because $x^3 - 3x + 2 = (x-1)^2(x+2)$ has a double root at $x = 1$.

Exercise 2 (Guided): Curve Shape Classification

Problem. For the curve $y^2 = x^3 + ax$ (with $b = 0$), determine:

1. For which values of $a$ is the curve non-singular?

2. For $a = -1$ and $a = 1$, how many connected components does the real curve have?

3. Plot both curves to confirm.

Hint: With $b = 0$, the discriminant simplifies to $\Delta = -16 \cdot 4a^3 = -64a^3$. When is this zero?

Exercise 3 (Independent): Point Negation

Problem.

1. On the curve $E: y^2 = x^3 + 1$ over $\mathbb{Q}$, find the point $P = (0, 1)$ and its inverse $-P$. Verify that $P + (-P) = \mathcal{O}$ using SageMath.

2. Find all points of the form $(x, 0)$ on this curve (i.e., points where $y = 0$). What is special about these points?

3. The point $(-1, 0)$ is on the curve. What is its order in the group? (Hint: compute $2 \cdot (-1, 0)$.)

Summary

We now know what elliptic curves look like over $\mathbb{R}$. In the next notebook, we will define the group law: how to "add" two points on the curve using the chord-and-tangent construction.

Next: 06b: Point Addition: The Geometry