Point addition, the chord-tangent construction, and the group structure on a cubic
An elliptic curve is a smooth projective curve of genus 1 with a distinguished point O, typically written in Weierstrass form as y² = x³ + ax + b. Despite this simple equation, elliptic curves carry an extraordinarily rich structure: they are simultaneously algebraic varieties, compact Riemann surfaces (complex tori), and abelian groups.
The group law arises from a geometric construction: given two points P and Q on the curve, draw the line through them, find the third intersection point R with the curve (guaranteed by Bézout's theorem), and reflect across the x-axis to get P + Q. This "chord-tangent" construction makes the set of points on an elliptic curve into an abelian group, with deep applications to number theory, cryptography, and the proof of Fermat's Last Theorem.
Click on the curve to place points P and Q, then click "Compute P + Q" to watch the chord-tangent construction step by step: draw the secant line, find the third intersection R, and reflect to get P + Q.
Click on the curve to place P and Q, then click "Compute P + Q" to animate the chord-tangent construction.
Drag the a and b sliders to morph the elliptic curve in real time. The right panel shows the parameter space with the discriminant locus Δ = 0 (red curve). When you cross this boundary, the curve develops a singularity and the group law breaks down.
The short Weierstrass form y² = x³ + ax + b defines an elliptic curve when the discriminant Δ = -16(4a³ + 27b²) is nonzero. The condition Δ ≠ 0 ensures the curve is smooth — no cusps or self-intersections. When Δ = 0, the cubic has a repeated root and the curve degenerates to a nodal or cuspidal cubic.
The j-invariant j = -1728(4a)³/Δ classifies elliptic curves up to isomorphism over an algebraically closed field: two curves are isomorphic if and only if they have the same j-invariant. Every value j ∈ k is realized by some elliptic curve. Special values — j = 0 and j = 1728 — correspond to curves with extra automorphisms (complex multiplication by cube roots or fourth roots of unity).
To add P and Q: draw the line L through them (or the tangent line if P = Q). By Bézout's theorem, L meets the cubic curve in exactly three points (counted with multiplicity): P, Q, and a third point R. Then P + Q is defined as the reflection of R across the x-axis, i.e., if R = (x0, y0), then P + Q = (x0, -y0).
The identity element O is the point at infinity [0 : 1 : 0]. The inverse of P = (x, y) is -P = (x, -y). Associativity — the hardest axiom to verify — can be proved algebraically or via the theory of divisors on curves. Over finite fields Fp, the group E(Fp) is finite, and the difficulty of the discrete logarithm problem on these groups is the basis of elliptic curve cryptography (ECC).
Over a finite field 𝔽p, an elliptic curve has only finitely many points. Each glowing dot is a solution (x, y) to y² ≡ x³ + ax + b (mod p). The group order is bounded by Hasse's theorem: |p + 1 - |E|| ≤ 2√p. These finite groups are the foundation of elliptic curve cryptography.