椭圆曲线加法

椭圆曲线在$\mathbb{R}$上的加法

$K$为$\mathbb{R}$，$K$的特征不为$2,3$时： $y^2=x^3+a_4x+a_6$ $\Delta=-16\left(4a_4^3+27a_6^2\right)\neq0$

求逆运算$-P=\left(x_1,-y_1\right)$

• $P\left(x_1,y_1\right)\neq Q\left(x_2,y_2\right)$，$P,Q$不互逆

  \left\{\begin{array}{**lr**} x_3=\lambda^2-x_1-x_2\\ y_3=\lambda\left(x_1-x_3\right)-y_1\\ \lambda=\left(y_2-y_1\right)/\left(x_2-x_1\right) \end{array} \right.

• $P\left(x_1,y_1\right)=Q\left(x_2,y_2\right)=2P\left(x_1,y_1\right)$

  \left\{\begin{array}{**lr**} x_3=\lambda^2-2x_1\\ y_3=\lambda\left(x_1-x_3\right)-y_1\\ \lambda=\left(3x_1^2+a_4\right)/\left(2y_1\right) \end{array} \right.

椭圆曲线在$F_p$上的加法

$K$为$F_p$，$p$为大于$3$的素数，$K$的特征不为$2,3$时： $y^2=x^3+a_4x+a_6\left(\mod p\right)$ $\Delta=-16\left(4a_4^3+27a_6^2\right)\neq0\left(\mod p\right)$

求逆运算$-P=\left(x_1,p-y_1\right)$

• $P\left(x_1,y_1\right)\neq Q\left(x_2,y_2\right)$，$P,Q$不互逆

  \left\{\begin{array}{**lr**} x_3=\lambda^2-x_1-x_2\left(\mod p\right)\\ y_3=\lambda\left(x_1-x_3\right)-y_1\left(\mod p\right)\\ \lambda=\left(y_2-y_1\right)\cdot{\left(x_2-x_1\right)}^{-1}\left(\mod p\right)\end{array} \right.

• $P\left(x_1,y_1\right)=Q\left(x_2,y_2\right)=2P\left(x_1,y_1\right)$

  \left\{\begin{array}{**lr**} x_3=\lambda^2-2x_1\left(\mod p\right)\\ y_3=\lambda\left(x_1-x_3\right)-y_1\left(\mod p\right)\\ \lambda=\left(3x_1^2+a_4\right)\cdot{\left(2y_1\right)}^{-1}\left(\mod p\right)\end{array} \right.

• $F_p$上$E$的阶为\#\left(E\left(F_p\right)\right)=p+1+\sum_\limits{x=0}^{p-1}{\left(\frac{x^3+a_4x+a_6}{p}\right)}，括号为勒让德符号
• 当循环群$E$的阶$n$是足够大的素数时，这个循环群中的离散对数问题是困难的

椭圆曲线在$F_{2^n}$上的加法

$K$为$F_{2^n}$，$K$的特征为$2$时： $y^2+xy=x^3+a_2x^2+a_6$ $\Delta=a_6\neq0$ 求逆运算$-P=\left(x_1,x_1+y_1\right)$

• $P\left(x_1,y_1\right)\neq Q\left(x_2,y_2\right)$，$P,Q$不互逆

  \left\{\begin{array}{**lr**} x_3=\lambda^2+\lambda+x_1+x_2+a_2\\ y_3=\lambda\left(x_1+x_3\right)+x_3+y_1\\ \lambda=\left(y_2+y_1\right)/\left(x_2+x_1\right) \end{array} \right.

• $P\left(x_1,y_1\right)=Q\left(x_2,y_2\right)=2P\left(x_1,y_1\right)$

  \left\{\begin{array}{**lr**} x_3=\lambda^2+\lambda+a_2\\ y_3=x_1^2+\left(\lambda+1\right)x_3\\ \lambda=\left(x_1^2+y_1\right)/\left(x_1\right) \end{array} \right.