[fermigier]

Well, the basics, oversimplified, are this:

- In general, elliptic curves are solutions of P(x, y) = 0 where P is a polynomial of degree 3 in two variables. "Points" on the curve are solutions of this equation.

- If you intersect an elliptic curve with a straight line, you end up with a polynomial in one variable, of degree 3 (in general). Since a polynomial of degree 3 has 3 solutions (in the appropriate context), this means that if you have two points on the curve, and you draw a line through these two points, there is a third aligned with them which belongs to the curve. So we have an operation on the curve, which to every pair of points associates a third point. This can be explicitly calculated.

- It can be proven (again, by explicit calculation) that this operation is associative and commutative, and that there is a "zero" element, i.e. that this operation forms a "group".

Now we want to study these elliptic curves and their associated groups with one additional condition: that the points are rational, i.e. have coordinates that are rational numbers (a/b). For each curve with rational parameters (i.e. the coefficients of the polynomial are rational), we want to study the rational points of this curve.

For some elliptic curves, there is a finite number of points, so the associated group is a finite commutative group.

For other elliptic curves, however, there are infinitely many rational points, and mathematicians have wanted to classify their structure.

A foundational result in number theory known as the Mordell-Weil theorem states that the group of rational points on an elliptic curve over a number field (such as the rationals, ℚ) is finitely generated. In other words, although there may be infinitely many points, they can be expressed as a finite set of points (known as "generators") combined under the group operation. This structure forms what is called a "finitely generated abelian group", which can be decomposed into a direct sum of a finite subgroup (called the "torsion") and a free part of rank r, where r is called the "rank" of the elliptic curve.

This rank "r" essentially measures the "size" of the free part of the group and has deep implications in both theoretical and computational number theory. For example, if r=0, the group is finite, meaning that the set of rational points on the curve is limited to a finite collection. When r>0, there are infinitely many rational points, which can be generated by combining a finite number of points.

So the challenge is to find a curve with a large number of generators. All of these computations (for a given curve at least) are quite explicit, and can be carried out with a bignum library (the numbers tend to get quite large quickly). I used PARI/GP for my thesis.

[Sniffnoy]

> - If you intersect an elliptic curve with a straight line, you end up with a polynomial in one variable, of degree 3 (in general). Since a polynomial of degree 3 has 3 solutions (in the appropriate context), this means that if you have two points on the curve, and you draw a line through these two points, there is a third aligned with them which belongs to the curve. So we have an operation on the curve, which to every pair of points associates a third point. This can be explicitly calculated.

> - It can be proven (again, by explicit calculation) that this operation is associative and commutative, and that there is a "zero" element, i.e. that this operation forms a "group".

I feel like it's worth clarifying here that this operation is actually not the group operation, although the group operation is defined in terms of it.

[oasisaimlessly]

If you going to contradict someone, be specific about it. What is your "the group operation" and how is this not it? A given mathematical object can have more than one group operation defined for it.

[wbl]

In this case there is a negation missing. If a line intersects three points we have A+B+C=0. To get the group law you have to negate a point.

[intuitionist]

Of course for this to make sense you have to have a notion of 0, which is traditionally taken to be the point at infinity (so negation is negating the y-coordinate). It’s been a while since my algebraic geometry classes but IIRC this is just a useful convention.

[Sniffnoy]

"The" group operation is the standard one for elliptic curves, that the article discusses. "The" here means "the one we're talking about" and also "the ones that mathematicians mean if they're not specifying otherwise". The vast majority of possible group structures on a given set are not particularly noteworthy and aren't under discussion.

I didn't bother specifying the correct one because I didn't think it was important enough to the point to be worth the effort to describe. But for completeness, if we use # to denote the operation described by fermigier above, then the group law a+b is given by a+b=(a#b)#O, where O here denotes the vertical point at infinity.

...and at this point we get into a whole can of worms, because that's right this whole time this was actually all taking place in the projective plane, not the affine plane, a complication the article didn't get into, meaning there's this hidden point you didn't know about. And actually we could have used any point as the basepoint and gotten a group law (although they all end up being isomorphic!), which is why technically an elliptic curve is (despite the name) defined to be not just a curve of genus 1, but rather a curve of genus 1 together with a choice of basepoint; the use of the vertical point at infinity as basepoint is just the default convention when you're doing things in this equational way rather than more abstractly, etc... and now you see why I didn't want to get into it.

Also, # isn't a group law because it doesn't satisfy the requirements of one. For instance, there's no identity (maybe barring some weird degenerate cases? I'm not an algebraic geometer so I'm not too familiar with the details here). For # to have an identity P, all of the curve's tangent lines would have to pass through P (and P would have to be an inflection point). Again, not an algebraic geometer but I think that's impossible! (It certainly isn't typical.) I also don't think # is associative but I don't really want to check that right now. Regardless it definitely is not typically a group structure.

[Sniffnoy]

Actually, one addition here: I said that there are lots of possible group laws on an elliptic curve, but IINM, the ones described here are the only ones that are algebraic (and as for what exactly that means, I'll definitely skip going into that because I would probably get it wrong :P ).

[marton78]

This is a fantastic explanation, thank you very much!