# Elliptic Curve

Elliptic curves constructed over finite fields are another important cryptographic tool. We use elliptic curves because they provide a cryptographic group, i.e. a group in which the discrete logarithm problem (discussed below) is hard.

Even though elliptic curve groups permit only one binary operation (the so-called group law), the operation itself is computed within the underlying field, which by definition permits two operations (and their inverses).

In cryptography, Weierstrass form is the most common elliptic curve form. Weierstrass form always uses the equation $y^2 = x^3 + ax + b$.

When we choose an elliptic curve we should pay attention to the **[Elliptic Discriminant](https://mathworld.wolfram.com/EllipticDiscriminant.html)** condition, which is $4a^3 + 27b^2 \ne 0$. If this expression equals $0$, our elliptic curve has a singularity at a point.

If $a=0$ this singularity is a **cusp** singularity; a `cusp` is a point at which two branches of a curve meet such that the tangents of each branch are equal.

If $a\ne0$ the singularity is called an **ordinary double point (or node)**, in which case the singularity has two distinct tangent directions. This creates an ambiguity when we use the `tangent and chord` rule to calculate group addition. That is why we want to avoid elliptic curves with a singularity.

First, we find a field that has a prime modulus and is big enough to create hard discrete log problems for the cryptographic calculations. This field is called the base field $F_p$ and it is used to restrict the chosen elliptic curve. We define our elliptic curve over this field, and when we do so we should pick the elliptic curve that has the biggest group order for our field (the largest number of possible unique results) while not being incompatible with other requirements such as security.

One of the critical things to be careful about when picking our base field is that it should have a prime modulus.
This is needed because with a non-prime modulus some of our elements won't have a multiplicative inverse. For example, the set of integers modulo 4 is not a field: 2 has no multiplicative inverse (i.e. the equation $2 \cdot x \equiv 1 \pmod 4$ has no solutions).

The subgroup order $n$ is the smallest number such that adding a point $P$ to itself $n$ times (or multiplying it by $n$ using scalar multiplication) gives $0P$:

$0P, 1P, 2P, \dots, (n-1)P, nP = 0P$

### Fields in Elliptic Curves

A fundamental component of many cryptographic protocols is the algebraic structure known as a *field*. Fields are sets of objects (usually numbers) with two associated binary operators $+$ and $\times$ such that various field axioms hold. The real numbers $R$ are an example of a field with uncountably many elements.

### Groups

Groups are simpler and more limited than fields; they have only one binary operator, which is group addition.

A group in mathematics is a set for which we have defined a binary operation that we call "addition" and indicate with the symbol $+$. In order for the set to be a group, addition must be defined so that it respects the following five properties:

1. If $a$ and $b$ are members of the set, then $a + b$ must also be in the set.
2. $(a + b) + c = a + (b + c)$
3. There exists an identity element $0$: $a + 0 = 0 + a = a$
4. For every element there exists an inverse $z$, such that $a + z = 0$
5. $a + b = b + a$

### Groups in Elliptic Curves

**1.** The group addition law is simple. To add two points together:

1) Find the line that intersects both points P and Q.
2) Obtain the third point R that is also intersected by this line.
3) Then negate its y-coordinate.

**2.** The case where a point is being added to itself, called point doubling, requires special handling:

1) Find the line tangent to the point Q.
2) Find the single other point P that intersects this line.
3) Negate the y-coordinate of this point.

**3.
and 4.** Otherwise, in the event that a point is being "added" to its negation, the result is the point at infinity.

![point addition](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c1/ECClines.svg/600px-ECClines.svg.png)

The ability to add and double points naturally gives us a way to scale them by integers, called scalars. If the group order is a prime $q$, then the scalars can be considered as elements of a scalar field, $F_q$.

## Some Elliptic Curves

### Weierstrass

Weierstrass curves use the chord and tangent rule to do calculations. The formula for the Weierstrass equation is:

$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$

### Edwards

Edwards curves use neither chords nor tangents. They have their own characteristic construction method, similar to the unit circle's addition law. The formula for the Edwards curve is:

$x^2 + y^2 = 1 + dx^2y^2$

### Twisted-Edwards

Each twisted Edwards curve is a twist of an Edwards curve. The formula for the Twisted-Edwards curve is:

$E_{E_{a,d}}: ax^2 + y^2 = 1 + dx^2y^2$

### Montgomery

$by^2 = x^3 + ax^2 + x$

## Projective Space

Projective space is the space where the group elements of the elliptic curve are represented with `(x, y, z)` coordinates. To convert from projective space to affine space, both the `x` and `y` coordinates are divided by `z`, so the new coordinates in affine space will be `(x/z, y/z, z/z)`.

## Affine Space

Affine space is the space where the group elements of the elliptic curve are represented with `(x, y)` coordinates. When we convert an affine space representation to projective space, our point in affine space is represented as a line in projective space; that is why multiple projective space elements can return the same point in affine space.

## Elliptic Curves for the ECDSA and EDDSA

https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/

secp256k1 is chosen for ECDSA because of the performance of its operations inside binary field.

> "There is no specified reason why Bitcoin chose secp256k1 over another elliptic curve at the time of its inception, but we can speculate:"

> "The author was a pseudonymous contributor to the Metzdowd mailing list for cypherpunks, and probably didn’t trust the NIST curves. Since Ed25519 didn’t exist at the time, the only obvious choice for a hipster elliptic curve parameter selection was to rely on the SECG recommendations, which specify the NIST and Koblitz curves. If you cross the NIST curves off the list, only the Koblitz curves remained."

For EDDSA, usually Ed25519 or Ed448 is used. (See the article for why.)

Recently, the BabyJubJub curve was found (Bn254), which can also be used for EDDSA. The author (Barry Whitehat) provided the security analysis: https://eips.ethereum.org/EIPS/eip-2494

Bn254 has very good performance and a field of <256 bits, which makes it suitable to work with inside the EVM.
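
The singularity check, the chord-and-tangent group law with its special cases, the subgroup order and the projective-to-affine conversion described earlier on this page can be exercised on a toy curve. This is an added example, not code from the original page; the curve $y^2 = x^3 + 2x + 2$ over $F_{17}$, the point $(5, 1)$ and all function names are constructed for illustration and are far too small for real use.

```python
# Added example: toy parameters, constructed for illustration (not secure sizes).
P_MOD, A, B = 17, 2, 2          # curve y^2 = x^3 + 2x + 2 over the base field F_17
G = (5, 1)                      # a point on that curve
INF = None                      # point at infinity, the group identity

def is_singular(a, b, p):
    """True when 4a^3 + 27b^2 vanishes mod p (cusp or node: group law breaks)."""
    return (4 * a**3 + 27 * b**2) % p == 0

def on_curve(pt, a=A, b=B, p=P_MOD):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def add(p1, p2, a=A, p=P_MOD):
    """Chord-and-tangent addition covering identity, negation, doubling, chord."""
    if p1 is INF or p2 is INF:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                    # P + (-P) = point at infinity
    if p1 == p2:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)    # tangent slope (doubling)
    else:
        s = (y2 - y1) * pow((x2 - x1) % p, -1, p)     # chord slope
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)             # third point with y negated

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def order(pt):
    """Smallest n > 0 such that n*pt is the point at infinity."""
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

def to_affine(X, Y, Z, p=P_MOD):
    # Projective (X, Y, Z) -> affine (X/Z, Y/Z); "division" is a modular inverse.
    zi = pow(Z, -1, p)
    return (X * zi % p, Y * zi % p)
```

Every division in the group law is a modular inverse, which is why the modulus must be prime: `pow(2, -1, 4)` raises `ValueError` because 2 has no inverse modulo 4.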