AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC

CURVES

STEFAN FRIEDL

Abstract. We give an elementary proof of the group law for elliptic curves using
explicit formulas.

1. Introduction
In this short note we give an elementary proof of the well–known fact that the
addition of points on an elliptic curve defines a group structure. We only use explicit
and very well–known formulas for the coordinates of the addition of two points. Even
though the arguments in the proof are elementary, making this approach work requires
several intricate arguments and elaborate computer calculations. The approach of this
note was used by Laurent Théry [Th07] to give a formal proof of the group law for
elliptic curves in the formal proof management system Coq. Some of the ideas of our
approach were also used by Thomas Hales [Ha16] to give an elementary computational
proof of the group law for Edwards elliptic curves.
In the following K will denote an algebraically closed field with char(K) > 3. An
elliptic curve is defined as a pair (E, O) where E is a smooth algebraic curve of genus
one and O ∈ E a point. The following proposition tells us in particular that the
precise definition of an elliptic curve is irrelevant to us since we describe any elliptic
curve in an elementary way.
Proposition 1.1. [Si86, Prop. 3.1] Let E be an elliptic curve. Then there exist
a, b ∈ K with 4a3 + 27b2 ̸= 0 and an isomorphism of curves
ϕ : E → Ea,b := {[x : y : z] ∈ P(K)2 | zy 2 = x3 + axz 2 + bz 3 }
such that ϕ(O) = [0 : 1 : 0]. Conversely, for any a, b ∈ K with 4a3 + 27b2 ̸= 0 the
variety (Ea,b , [0 : 1 : 0]) is an elliptic curve.
Corollary 1.2. Let E be an elliptic curve. Then there exist a, b ∈ K with 4a3 +27b2 ̸=
0 and a bijection
ϕ : E → Ea,b
affine
:= {(x, y) ∈ K 2 |y 2 = x3 + ax + b} ∪ {O}
such that ϕ(O) = O.

Date: September 30, 2017.

1
2 STEFAN FRIEDL

In the following we will take the affine point of view, i.e. an elliptic curve E will
mean the set Ea,baffine
for some a, b ∈ K with 4a3 + 27b2 ̸= 0. The point O is called the
“point at infinity”. For points A, B, C, · · · ∈ E \ {O} we will write A = (xA , yA ), B =
(xB , yB ), C = (xC , yC ), . . . for the coordinates.
Definition. We define + : E × E → E, (A, B) 7→ A + B as follows.
(a) We set A + O = O + A := O for all A.
(b) If (xA , yA ) = (xB , −yB ), then A + B := O.
(c) If (xA , yA ) ̸= (xB , −yB ), then we define A + B := (xAB , yAB ) where
xAB := α(A, B)2 − xA − xB
(1)
yAB := −yA + α(A, B)(xA − xAB )
y −y 3x2 +a
with α(A, B) = xA −xB if xA ̸= xB and α(A, B) = 2yA if xA = xB .
A B B

Remark. This definition of the “addition” + can be described geometrically. More

precisely, if A, B ̸= O are two points on E with A ̸= B, then we first consider the
line g through A and B, it intersects the curve E in a third point C and we define
A + B := −C where −C is the reflection of C about the x-axis. Similarly, if A ̸= O
is a point on E, then A + A is defined by considering the tangent h to E at the point
A, it intersects the curve E in a third point C and we define A + A := −C.

elliptic1111111 2
= x3 − 4x + 4
curve E given by the equation y11111111
0000000 00000000
0000000
1111111 00000000
11111111
y1111111
0000000
0000000
1111111
1
0
y11111111
00000000
00000000
11111111
11
00
00
11
1
0 00
11

g C C
B A h
1
0 11
00
1
0 11
00
1
0

A1
0
1
0 0000
1111 11111
00000
0000
1111 00000
11111
0000
1111
0000
1111 00000
11111
0000x
1111 00000
11111
00000x
11111
0000
1111
0000
1111 11111
00000
0000
1111 00000
1111100000
11111

11
00
00
11 A+B 0
1
1
0
0
1
A+A

The following theorem is the main result of this paper.

Theorem 1.3. (E, +) is an abelian group with neutral element O.
This theorem is of course well known. For example in [Si86] it is shown that the
above structure is isomorphic to the group structure of Pic0 (E), the Picard group of
E. In particular (E, +) forms a group. A more geometric argument for the statemant
that (E, +) defines a group is given in [Ku95, p. 87] or [Hu87]. Perhaps the most
elementary proof can be found for K = C using the Weierstrass function (cf. [La78]).
By the Lefschetz principle this shows the theorem for any algebraically closed field of
characteristic zero.
 AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC CURVES 3

We will give a completely elementary proof, just using the above explicit definition
of the group structure through formulas. It must have always been clear that such a
proof exists, but it turns out that this direct proof is more difficult than one might
have imagined initially. Many special cases have to be dealt with separately and some
are non–trivial. Furthermore it turns out that the explicit computations in the proof
are very hard. The verification of some identities took several hours on a modern
computer; this proof could not have been carried out before the 1980’s.

Added in proof. Here by a “modern computer” I mean a PC from 1998 with 16Mb
RAM.

Note. This elementary proof was part of my undergraduate thesis written in 1998 at
the University of Regensburg written under the supervision of Ernst Kunz. Several
years ago I posted this extract from my thesis on my webpage. Slightly to my own
surprise (and surely thanks to google) it has been cited on several occasions [Th07,
TH07, Ha16, Ru, Ru17].

Acknowledgment. I am grateful to Martin Kreuzer and Armin Röhrl for helping me

with the computer calculations. I am especially grateful to Ernst Kunz for suggesting
this problem to me. I also would like to use this opportunity to thank Ernst Kunz for
his support in the early stages of my mathematical career. Without his help I would
never have become a mathematician.

2. Proof of the associativity law for elliptic curves

In the following let E be a fixed elliptic curve. It is clear that “+” is commutative,
that O is a neutral element and that the inverse element for A = (xA , yA ) is given by
−A := (xA , −yA ). The only difficult part is to show that “+” is in fact associative.
This proof will require the remainder of this paper.

Throughout this section we will use the following facts which follow immediately
from the definition.
(1) For A = (xA , yA ) ∈ E \ {O} we have A + A = O if and only if y = 0.
(2) If A, B ∈ E \ {O} and xA = xB , then A = B or A = −B.
Except for three special cases the operation “+” is given by Formula (1). In
Section 2.1 we will show the associativity in three out of four cases in which addition
is given by either of the two formulas. This will be done using explicit calculations.
In Section 2.2 we will prove several lemmas, which we will use in Section 2.3 to
give the proof in the general case.

2.1. Proof for the generic cases. In this section we consider the cases in which
only Equation (1) is being used in the definitions of (A + B) + C and A + (B + C).
4 STEFAN FRIEDL

Lemma 2.1. Let A, B, C ∈ E \ {O}. If A ̸= ±B, B ̸= ±C, A + B ̸= ±C and

B + C ̸= ±A, then
(A + B) + C = A + (B + C).
Proof. Write (x1 , y1 ) := (A + B) + C and (x2 , y2 ) := A + (B + C). Let
y −y y +y −α(2x +x −α2 )
α := xB −xA , β := A xC +x +xA −αB
2 ,
B A A B C
y −y y +y −γ(2x +x −γ )2
γ := xB −xC , τ := A xB +x +xB −γC2 .
B C A B C

Using Equation (1) we get

x1 = β 2 + xA + xB − xC − α2 , y1 = −yC + β(2xC − xA − xB − β 2 + α2 ),
x2 = τ 2 + xB + xC − xA − γ 2 , y2 = −yA + τ (2xA − xB − xC − τ 2 + γ 2 ).
Setting
e := yB − xA ,
α βe := (yA + yC )(xB − xA )3 − αe((2xA + xB )(xB − xA )2 − α
e2 ),
e := yB − yC ,
γ τe := (yA + yB )(xB − xC )3 − γ
e((2xB + xC )(xB − xC )2 − γ
e2 ),
ηe := xB − xA , µe := xB − xC .
one can show that x1 = x2 is equivalent to

(βe2 (xB − xC )2 + (((2xA − 2xC )(xB − xC )2 + γe2 )(xB − xA )2 − α

e2 (xB − xC )2 )
((xA + xB + xC )(xB − xA )2 − α e2 )2 )((xA + xB + xC )(xB − xA )2 − γe2 )2
−e
τ 2 ((xA + xB + xC )(xB − xA )2 − α
e2 )2 (xB − xA )2 = 0

and y1 = y2 is equivalent to

(yA − yC )((xA + xB + xC )e
η2 − αe2 )3 ((xA + xB + xC )e µ2 − γe2 )3 ηe3 µ
e3
e
+β(((2xC − xA − xB )e e2 )((xA + xB + xC )e
η2 + α η 2 − ηe2 )2 − βe2 )
µ2 − γ
((xA + xB + xC )e e2 )3 µe3
−e
τ (((2xA − xB − xC )e e2 )((xA + xB + xC )e
µ2 + γ η2 − γ
e2 )2 − τe2 )
η2 − α
((xA + xB + xC )e e2 )3 ηe3 = 0.

By abuse of notation we now consider the equations over the polynomial ring
P := Z[xA , xB , xC , yA , yB , yC , a, b].
It suffices to show that the equalities hold in P/I where
I := (yA2 − x3A − axA − b, yB2 − x3B − axB − b, yC2 − x3C − axC − b).
This is equivalent to showing that both left hand sides lie in I. This was shown using
the commutative algebra package ‘CoCoA’ [CoCoA]. 
In a very similar way one can show the following two lemmas.
 AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC CURVES 5

Lemma 2.2. If A, B ̸= O, A ̸= −A, A ̸= ±B, A + A ̸= ±B and A + B ̸= ±A, then

(A + A) + B = A + (A + B).
Lemma 2.3. If A ̸= O, A ̸= −A, A + A ̸= −(A + A), (A + A) + A ̸= ±A and
A + A ̸= ±A, then
(A + A) + (A + A) = A + (A + (A + A)).
The next step would be to show that under the above restrictions, we have
(A + B) + (A + B) = A + (B + (A + B)).
We will show this without reverting to explicit computations in the proof of Theo-
rem 2.13.

2.2. Proof of basic properties.

Lemma 2.4. For A, B ∈ E we have
−A − B = −(A + B).
Proof. The cases A = O, B = O and A = −B are trivial. In the other cases the
lemma follows from an easy calculation using Equation (1). 
Lemma 2.5. Let A, B ∈ E. If A + B = A − B and A ̸= −A, then B = −B.
Proof. The cases A = O respectively B = O are trivial. If A = ±B, then B = −B
follows easily from the uniqueness of the inverse element. So assume that A, B ̸=
O, A ̸= ±B. Using Equation (1) we get
( ) ( )
yB − yA 2 −yB − yA 2
− xA − xB = − xA − xB .
xB − xA xB − xA
This simplifies to −2yA yB = 2yA yB . Since A ̸= −A it follows that yA ̸= 0. We get
yB = 0 since char(K) > 3, hence B = −B. 
Lemma 2.6 (Uniqueness of the neutral element). Let A, B ∈ E. If A + B = A, then
B = O.
Proof. The cases A = O and A = −B are trivial. Now assume that A ̸= O, A ̸= −B.
Assume that B ̸= O. Write (xC , yC ) := A + B = A = (xA , yA ). It follows from
Formula (1) that
yA = yC = −yA + α(P, Q) (xA − xC ) = −yA
| {z }
=0

i.e. yA = 0, therefore A = −A. It follows that

A + B = A = −A = −A − B = A − B.
6 STEFAN FRIEDL

According to Lemma 2.5 this means that B = −B, i.e. yB = 0. In particular A ̸= B,

because otherwise we would get B = A = A + B = A + A = A − A = O. According
to Formula (1) we get
( )2
y −y
xA = xC = B A − xA − xB = −xA − xB
xB − xA
since yA = yB = 0. Therefore xA and xB = −xA − xA are zeros of the polynomial
P := X 3 + aX + b. It follows that x0 = −xA − xB = xA is the third zero since the
second highest coefficient of P is zero. In particular xA is a zero of degree 2. This
leads to a contradiction, since we assumed that the discriminant 4a3 + 27b2 of the
polynomial X 3 + aX + b is non–zero, i.e. the polynomial has distinct zeros. 
Lemma 2.7. Let A ∈ E. If A ̸= −A and A + A ̸= −A, then (A + A) − A = A.
Proof. The cases A = O and A + A = O are trivial. The general case follows from an
easy computation using Equation (1). 
Lemma 2.8. Let A, B ∈ E. If A + B = −A, then B = −A − A.
Proof. The cases A = O, B = O, A = B, A = −B are trivial. If A = −A, then
−A + B = −A. Using Lemma 2.6 it follows that B = O. Hence B = O = A − A =
−A − A. Now assume that A ̸= ±B and A ̸= −A, A, B ̸= O. From −A = A + B it
follows that ( )
yA − yB 2
xA = − xA − xB
xA − xB
which is equivalent to 2yA yB = yA2 + axB + b − 2x3A + 3x2A xB . Squaring both sides we
get
4x3B yA2 − x2B (3x2A + a)2 + xB (2a2 xA + 6x5A − 12bx2A ) − (yA2 − b)2 + 4ax4A + 8bx3A = 0
which in turn is equivalent to
( (( ) ))
3x2A + a 2
xB − − 2xA (xB − xA )2 = 0.
2yA
Since we excluded the case xA = xB we get
( 2 )
3xA + a 2
xB = − 2xA
2yA
i.e. B = A+A or B = −(A+A) = −A−A. If A+A = −A, then B = ±(A+A) = ±A.
Hence A + A ̸= −A. By Lemma 2.7 it follows that B = −A − A is a solution for the
equation A + B = −A. If B = A + A is also a solution, then
A + B = A + (A + A) = −A = A − (A + A) = A − B.
Since A ̸= −A it follows from Lemma 2.5, that B = −B. Therefore we obtain that
B = −B = −A − A. 
e ∈ E. If A + B = A + B,
Lemma 2.9 (Cancelation rule). Let A, B, B e then B = B.
e
 AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC CURVES 7

Proof. If A = O, then immediately B = B. e The cases B = O and A + B = O

follow immediately from the uniqueness of the neutral element (Lemma 2.6) and the
uniqueness of the inverse element. If A + B = A + B e = −A, then using 2.8 we see
that B = −A − A and B e = −A − A.
We therefore can assume that A, B, B e ̸= O and A + B = A + B
e ̸= O, A + B ̸= −A.
Writing A + B = A + B e =: (xC , yC ) we get

xC = α(A, B)2 − xA − xB e 2 − xA − x
= α(A, B) eB
e A − xC ).
yC = −yA + α(A, B)(xA − xC ) = −yA + α(A, B)(x
From A+B ̸= ±A it follows that xA ̸= xC , from the second equation we get α(A, B) =
e Using the first equation we get xB = x
α(A, B). e or B = B.
eB , i.e. B = −B, e We
consider the following two cases:
(1) If A = −A, then B, B e ̸= −A = A, hence
yB − yA e = yeB − yA .
= α(A, B) = α(A, B)
xB − xA eB − xA
x

Since xB = x e
eB we get yB = yeB , therefore B = B.
(2) If A ̸= −A, then assume that B = −B. e It follows that A+B = A+ B
e = A−B.
By Lemma 2.5 B = −B, since A ̸= −A. Therefore B = B. e 
Lemma 2.10. For any A, B ∈ E we have
(A + B) − B = A.
Proof. The cases A = O, B = O respectively A = −B are trivial. The case A = B
follows from Lemma 2.7. If A+B = −B and A ̸= −B, then we obtain from Lemma 2.8
that A = −B − B, hence (A + B) − B = −B − B = A.
Now assume that A, B ̸= O, A ̸= ±B, A + B ̸= −B. This case follows from an
explicit computation using Equation (1). 
Corollary 2.11. Let A, B, C ∈ E. If A + B = C, then A = C − B.
Proof. From Lemma 2.10 we get A + B = A + (C − A), the corollary now follows
from Lemma 2.9. 

2.3. Completion of the proof.

Lemma 2.12. Let A, B, C ∈ E. Assume that
(1) (A + B) ̸= C and A ̸= (B + C), or
(2) A = B, or B = C, or A = C, or
(3) O ∈ {A, B, C, A + B, B + C, (A + B) + C, A + (B + C)},
then
(A + B) + C = A + (B + C).
8 STEFAN FRIEDL

Proof. The cases A = O, B = O, C = O and A = C are trivial. The cases A = −B

and C = −B follow immediately from Lemma 2.10. If A + B = −C, then by
Lemma 2.10
(A + B) + C = O = A − A = A + (B + (−B − A)) = A + (B + C).
The case B + C = −A works the same way. We thus established part (3) of the
lemma.
We can therefore assume that A, B, C ̸= O, A ̸= C, B ̸= −A, −C, A + B ̸= −C
and B + C ̸= −A.
If A = B, then we have to show that (A + A) + C = A + (A + C). This follows
from Lemmas 2.2 (C ̸= A + A) and 2.3 (C = A + A). The case B = C again works
the same way. This shows part (2) of the lemma.
The remaining cases of part (1) now follow immediately from Lemma 2.1. 
Theorem 2.13. Let A, B, C ∈ E(K). Then
(A + B) + C = A + (B + C)
Proof. By Lemma 2.12. we only have to prove the theorem for A, B, C with A+B = C
or B +C = A. Clearly it is enough to consider only the case A+B = C. We therefore
have to show that
(A + B) + (A + B) = A + (B + (A + B)).
By Lemma 2.12 we can assume that A, B, C, A+B, B+C, (A+B)+C, A+(B+C) ̸= O
and that A, B, C are pairwise different.
If (A + B) + (A + B) = −A, then A + B = (−B − A) − A by Corollary 2.11.
Furthermore (−B − A) − A = −B + (−A − A) by the second part of Lemma 2.12,
hence A + B = −B + (−A − A). We get
A + (B + (A + B)) = A + (B + (−B + (−A − A))) = A + (−A − A) =
= −A = (A + B) + (A + B).
If (A + B) + (A + B) ̸= −A, then ((A + B) + (A + B)) − A = (A + B) + ((A + B) − A)
by the second part of Lemma 2.12. Hence
((A + B) + (A + B)) − A = (A + B) + ((A + B) − A) = (A + B) + B =
= (A + (B + (A + B))) − A.
From Lemma 2.9 it follows, that (A + B) + (A + B) = A + (B + (A + B)). 
References
[CoCoA] http://cocoa.dima.unige.it/
[Ha16] T. Hales, The Group Law for Edwards Curves, Preprint, arXiv:1610.05278 (2016)
[Hu87] D. Husemoller, Elliptic curves, Graduate Texts in Mathematics, 111. Springer-Verlag, New
York (1987)
[Ku95] E. Kunz, Ebene algebraische Kurven, Der Regensburger Trichter, Band 23, Regensburg
(1995)
 AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC CURVES 9

[La78] S. Lang, Elliptic curves: Diophantine analysis, Grundlehren der Mathematischen Wis-
senschaften, 231. Springer-Verlag, Berlin-New York (1978)
[Ru] D. Rusinoff, A Computationally Surveyable Proof of the Curve25519 Group Axioms
http://www.russinoff.com/papers/group.pdf
[Ru17] D. Rusinoff, A Computationally Surveyable Proof of the Group Properties of an Elliptic
Curve, preprint, arXiv:1705.01226 (2017)
[Si86] J. H. Silverman, The Arithmetic of Elliptic Curves, Springer Verlag, Berlin–Heidelberg–New
York (1986)
[Th07] L. Théry, Proving the group law for elliptic curves formally, INRIA Rapport technique n.
0311, available from
http://hal.inria.fr/inria-00129237/en/
[TH07] L. Théry and G. Hanrot, Primality proving with elliptic curves, Schneider, Klaus (ed.)
et al., Theorem proving in higher order logics. 20th international conference, TPHOLs 2007,
Kaiserslautern, Germany, September 10-13, 2007. Proceedings. Berlin: Springer (ISBN 978-3-
540-74590-7/pbk). Lecture Notes in Computer Science 4732, 319-333 (2007).

Fakultät für Mathematik, Universität Regensburg, 93040 Regensburg, Germany

E-mail address: [email protected]