Identity Element of an Elliptic Curve in Cryptography


The Group for Elliptic Curve Cryptography doesn't actually seem to have an identity element. You have just randomly defined an element at Infinity as an identity element and said that any other element when added to that element is the same element.

Let us say I have a set & an operator which satisfies all other properties of a group except for the identity element property. Can I convert it into a group by creating my own definition of a new element & saying that it is an identity element?

Doesn't this make the whole definition of a Group & the properties it must satisfy meaningless? I could just create my own definitions & create my own imaginary definitions just so it satisfies the property which it otherwise doesn't.


There are 2 best solutions below

1
On

Well, it depends whether you define the elliptic curve over the affine or projective space.

In the projective plane, the group has the point at infinity, usually written $O=(0:1:0)$, as unit element. All other points of the curve lie in the affine plane given by points of the form $(1:a:b)$, where $a,b$ are elements of the underlying field.

If you define the elliptic curve over the affine space in the first place, there is no point at infinity which amounts to the unit element.

Then the theory is like that of a semigroup which can always be extended to a monoid by adding a unit element. Just an extension that always works and brings not much more insight.

0
On

We can think of the point at infinity as an extra point created so that the curve works out as a group, but that's unsatisfactory: the point at infinity has no place in the geometric picture, and in the algebraic construction we magically add one with no coordinates.

$$E := \{ (x, y) \in k^2 \mid y^2 = x^3 - x + 1 \} \cup \{\mathcal O\}$$

An Elliptic Curve cannot be easily understood without the projective plane.

The projective plane is the set $\mathbb{P}^2(k)$ of all nonzero triples $(x,y,z)$ in $k^3$ modulo the equivalence relation $(x,y,z) \sim (\lambda x,\lambda y,\lambda z)$.

With this definition, we can define a projective point $(x:y:z)$ as the equivalence class of $(x,y,z)$.

Now, can we turn these points into affine points?

Points of the form $(x:y:1)$ are called the affine points. They form an affine plane (Euclidean plane) $\mathbb{A}^2(k)$ that is embedded in $\mathbb{P}^2(k)$. This is a natural embedding. One can define some other embedding too that can change the point at infinity.

What are not mapped into $\mathbb{A}^2(k)$ are the points of the form $(x:y:0)$, and they are called points at infinity.

These points include $(x:y:0)$ and $(1:0:0)$, and they form the line at infinity, which is a copy of $\mathbb{P}^1(k)$ embedded in $\mathbb{P}^2(k)$.

The group needs an identity element, and the group law works perfectly with the simple law

$$\texttt{Three points on a line sum to zero, which is the point at infinity.}$$

  • In the short Weierstrass form $y^2 = x^3 + Ax + B$ the point at infinity is $O = (0:1:0)$. Reason: consider its homogeneous equation $E : y^2 z = x^3 + Axz^2 + Bz^3$. This point is the unique point on the line $z=0$ at infinity (if $z=0$ then $x=0$, then we get $(0:y:0)$ and scale it with $1/y$). Note that by definition $(0:0:0)$ is not a projective plane.

  • Identity element of Edwards curves? It is $(0,1)$. They can still embed into the projective plane. That is very useful in cryptography. Can you define the identity element as any element up to isomorphism!
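The projective picture from the answers can be checked numerically. The following is an added example, not part of either answer: it takes the curve $y^2 = x^3 - x + 1$ over the toy field $\mathbb{F}_{103}$ (the prime and all function names are assumptions chosen for illustration) and shows that $(0:1:0)$ is the only curve point with $z=0$, that it lies on every vertical line through $P$ and $-P$, and that it acts as the identity under chord-and-tangent addition.

```python
# Added example. Constructed parameters: y^2 = x^3 - x + 1 (the answer's
# curve) over the toy field F_103; far too small for real cryptography.
p, A, B = 103, -1, 1
O = (0, 1, 0)  # the point at infinity (0:1:0)

def on_curve(P):
    """Homogeneous equation y^2 z = x^3 + A x z^2 + B z^3 over F_p."""
    x, y, z = P
    return (y*y*z - (x**3 + A*x*z*z + B*z**3)) % p == 0

def normalize(P):
    """Canonical representative of the class (x:y:z)."""
    x, y, z = (c % p for c in P)
    if (x, y, z) == (0, 0, 0):
        raise ValueError("(0:0:0) is not a projective point")
    inv = pow(z or y or x, -1, p)  # scale by the last nonzero coordinate
    return (x*inv % p, y*inv % p, z*inv % p)

def curve_points():
    """Every projective point of the curve: affine (x:y:1) plus z = 0."""
    cands = [(x, y, 1) for x in range(p) for y in range(p)]
    cands += [(x, 1, 0) for x in range(p)] + [(1, 0, 0)]
    return [P for P in cands if on_curve(P)]

def vertical_line(x0):
    """Curve points on the projective line x = x0 * z."""
    return [P for P in curve_points() if (P[0] - x0*P[2]) % p == 0]

def add(P, Q):
    """Chord-and-tangent addition with O = (0:1:0) as the identity."""
    P, Q = normalize(P), normalize(Q)
    if P == O:
        return Q
    if Q == O:
        return P
    (x1, y1, _), (x2, y2, _) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # vertical line: its third intersection is (0:1:0)
    if P == Q:
        m = (3*x1*x1 + A) * pow(2*y1 % p, -1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p  # chord slope
    x3 = (m*m - x1 - x2) % p
    return (x3, (m*(x1 - x3) - y1) % p, 1)

if __name__ == "__main__":
    print([P for P in curve_points() if P[2] == 0])  # points with z = 0
    print(vertical_line(0))                          # P, -P and O
```

The line $y = z$ meets this curve at $(0:1:1)$, $(1:1:1)$ and $(-1:1:1)$, so adding those three points gives $(0:1:0)$, which is the "three points on a line sum to zero" rule in coordinates.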