The real magic of elliptic curve cryptography (ECC) isn’t that it’s "hard math," but that it lets you get the same security as RSA with vastly smaller keys.
Let’s see it in action. Imagine we have a very simple elliptic curve defined by the equation $y^2 = x^3 + ax + b$ over a finite field. For our example, let’s use a tiny field, say integers modulo 17. Our curve will be $y^2 \equiv x^3 + 2x + 3 \pmod{17}$.
We need a "base point" on this curve. Let’s pick $G = (5, 1)$.
Now, ECC’s core operation is "point addition." If you have two points $P$ and $Q$ on the curve, their sum $P+Q$ is another point on the curve. There’s a geometric interpretation: draw a line through $P$ and $Q$. This line will intersect the curve at a third point, let’s call it $R'$. Reflect $R'$ across the x-axis to get $R = P+Q$. For the special case where $P=Q$, you use the tangent line at $P$.
Let’s calculate $2G$. This is $G+G$, so we need the tangent line at $G=(5,1)$. The slope $m$ of the tangent line at a point $(x,y)$ on $y^2 = x^3 + ax + b$ is given by $m = \frac{3x^2 + a}{2y} \pmod{p}$. Here, $a=2$, $x=5$, $y=1$, and $p=17$.
$m = \frac{3(5^2) + 2}{2(1)} \pmod{17} = \frac{3(25) + 2}{2} \pmod{17} = \frac{75 + 2}{2} \pmod{17} = \frac{77}{2} \pmod{17}$.
$77 \equiv 9 \pmod{17}$. So, $m = \frac{9}{2} \pmod{17}$.
To find the inverse of 2 mod 17, we need a number $k$ such that $2k \equiv 1 \pmod{17}$. $2 \times 9 = 18 \equiv 1 \pmod{17}$. So, $2^{-1} \equiv 9 \pmod{17}$.
$m = 9 \times 9 \pmod{17} = 81 \pmod{17} = 13$. The slope is 13.
The formulas for point addition $P=(x_1, y_1)$ and $Q=(x_2, y_2)$ to get $R=(x_3, y_3)$ are:
If $P \neq Q$:
$m = \frac{y_2 - y_1}{x_2 - x_1} \pmod{p}$
$x_3 = m^2 - x_1 - x_2 \pmod{p}$
$y_3 = m(x_1 - x_3) - y_1 \pmod{p}$
If $P = Q$ (tangent line):
$m = \frac{3x_1^2 + a}{2y_1} \pmod{p}$
$x_3 = m^2 - 2x_1 \pmod{p}$
$y_3 = m(x_1 - x_3) - y_1 \pmod{p}$
Using the tangent case for $2G$ with $G=(5,1)$ and $m=13$:
$x_3 = 13^2 - 2(5) \pmod{17} = 169 - 10 \pmod{17} = 159 \pmod{17}$. $159 = 9 \times 17 + 6$, so $x_3 = 6$.
$y_3 = 13(5 - 6) - 1 \pmod{17} = 13(-1) - 1 \pmod{17} = -13 - 1 \pmod{17} = -14 \pmod{17} = 3$.
So, $2G = (6, 3)$.
The "hard problem" in ECC is the Elliptic Curve Discrete Logarithm Problem (ECDLP): given a base point $G$ and a public point $Q$, find an integer $k$ such that $Q = kG$. This is computationally infeasible for well-chosen curves and large fields, whereas finding $k$ if $Q=G^k$ (like in RSA) is easy.
This ability to compute $Q = kG$ efficiently (by repeated point doubling and addition, known as the "double-and-add" algorithm) but not the reverse is what enables ECC. For example, in Diffie-Hellman key exchange: Alice chooses a private key $a$, computes public key $A = aG$, and sends $A$ to Bob. Bob chooses private key $b$, computes $B = bG$, and sends $B$ to Alice. Alice computes $aB = a(bG) = (ab)G$, and Bob computes $bA = b(aG) = (ab)G$. They both arrive at the same shared secret point $(ab)G$. An eavesdropper sees $G$, $A$, and $B$, but cannot compute $ab$ because it’s hard to solve the ECDLP to find $a$ from $A$ or $b$ from $B$.
The security of ECC relies on the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP). Unlike factoring large numbers in RSA, there’s no known sub-exponential time algorithm for ECDLP on general elliptic curves. This means ECC can achieve the same security level with much smaller key sizes. For instance, a 256-bit ECC key offers comparable security to a 3072-bit RSA key. This efficiency is crucial for resource-constrained devices like smart cards and mobile phones, where computational power and bandwidth are limited.
What most people miss is how the "point at infinity" acts as the identity element in ECC group arithmetic. When a line through two points $P$ and $Q$ on the curve is also tangent to the curve at $P$ (meaning $Q$ is infinitesimally close to $P$), or if the line through $P$ and $Q$ is vertical, the third intersection point $R'$ is "at infinity." This "point at infinity," often denoted as $O$, is the additive identity such that $P + O = P$ for any point $P$. This is analogous to how 0 is the additive identity in regular arithmetic ($x+0=x$) and 1 is the multiplicative identity ($x \times 1 = x$). Without this point, the group structure wouldn’t be complete, and many operations, like finding the inverse of a point or handling vertical lines in addition, wouldn’t be well-defined.
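
The chord and tangent formulas, the identity $O$, double-and-add and the Diffie-Hellman exchange described above, as an added Python example that is not part of the original article (function names are illustrative). The doubling formulas never use $b$, and $G=(5,1)$ satisfies $y^2 \equiv x^3 + 2x + b \pmod{17}$ only for $b = 2$, so the code assumes $b = 2$ and rejects off-curve points before multiplying.

```python
# Toy short-Weierstrass arithmetic over F_p: not constant-time, teaching use only.
P_MOD, A = 17, 2          # field prime p and coefficient a from the article
B = 2                     # assumption: (5, 1) satisfies the curve equation only for b = 2
G = (5, 1)                # the article's base point
O = None                  # point at infinity, the additive identity

def on_curve(pt, b=B):
    """True if pt is O or satisfies y^2 = x^3 + A*x + b (mod P_MOD)."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P_MOD == 0

def add(p1, p2):
    """Group law covering O, vertical lines, doubling and ordinary addition."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O          # vertical line: P + (-P), or doubling a point with y = 0
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)   # tangent slope
    else:
        m = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)          # chord slope
    x3 = (m * m - x1 - x2) % P_MOD
    return (x3, (m * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add: k*pt for k >= 0, refusing points that are not on the curve."""
    if k < 0 or not on_curve(pt):
        raise ValueError("negative scalar or point not on the curve")
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def order(pt):
    """Smallest n > 0 with n*pt = O (brute force; fine for a 17-element field)."""
    n, q = 1, pt
    while q is not O:
        q, n = add(q, pt), n + 1
    return n
```

`mul(2, G)` reproduces the article's $2G = (6, 3)$, and `mul(3, mul(7, G))` equals `mul(7, mul(3, G))`, which is the shared Diffie-Hellman point for private keys 3 and 7. The modular inverse via `pow(x, -1, p)` needs Python 3.8 or later.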
The next step is understanding how to choose good elliptic curves and base points that make the ECDLP hard, which involves looking at specific curve parameters and their security properties.