The Geometric Foundation
The algebraic formulas arise directly from the geometric construction. Let's derive them step by step.

Case 1: Adding Two Different Points P ≠ Q
Given: $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ on curve $y^2 = x^3 + ax + b$

Step 1: Find the line through P and Q
The slope of the line passing through points $P$ and $Q$ is: $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$ This is just the standard slope formula from basic geometry.

The equation of the line through $P$ and $Q$ is: $y - y_1 = \lambda(x - x_1)$ $y = \lambda x + (y_1 - \lambda x_1)$

Step 2: Find where this line intersects the elliptic curve
We substitute the line equation into the curve equation: $(\lambda x + (y_1 - \lambda x_1))^2 = x^3 + ax + b$
Expanding the left side: $\lambda^2 x^2 + 2\lambda(y_1 - \lambda x_1)x + (y_1 - \lambda x_1)^2 = x^3 + ax + b$
Rearranging to standard form: $x^3 - \lambda^2 x^2 + [a - 2\lambda(y_1 - \lambda x_1)]x + [b - (y_1 - \lambda x_1)^2] = 0$

Step 3: Use Vieta's formulas
This is a cubic equation in $x$. We know it has three roots: $x_1$, $x_2$, and $x_3$ (the x-coordinates of points $P$, $Q$, and the third intersection point).

From Vieta's formulas, for a cubic $x^3 + bx^2 + cx + d = 0$ with roots $r_1, r_2, r_3$: $r_1 + r_2 + r_3 = -b \text{ (coefficient of } x^2\text{)}$
In our case: $x_1 + x_2 + x_3 = \lambda^2$
Therefore: $x_3 = \lambda^2 - x_1 - x_2$

Step 4: Find y₃ using the line equation
Since $(x_3, y_3')$ lies on the line through $P$ and $Q$: $y_3' = \lambda x_3 + (y_1 - \lambda x_1) = \lambda(x_3 - x_1) + y_1$
But we want the reflection of this point across the x-axis, so: $y_3 = -y_3' = -[\lambda(x_3 - x_1) + y_1] = \lambda(x_1 - x_3) - y_1$

Case 2: Point Doubling (P = Q)
When $P = Q$, we can't use the slope formula above (it gives 0/0). Instead, we need the slope of the tangent line at point $P$.

Step 1: Find the tangent slope using implicit differentiation
Starting with the curve equation: $y^2 = x^3 + ax + b$
Differentiating both sides with respect to $x$: $2y \frac{dy}{dx} = 3x^2 + a$
Solving for the slope: $\frac{dy}{dx} = \frac{3x^2 + a}{2y}$
At point $P = (x_1, y_1)$: $\lambda = \frac{3x_1^2 + a}{2y_1}$

Step 2: Apply the same intersection analysis
The rest of the derivation follows the same pattern as Case 1:
• The tangent line equation is: $y = \lambda x + (y_1 - \lambda x_1)$
• Substituting into the curve equation gives a cubic with roots $x_1$ (with multiplicity 2) and $x_3$
• From Vieta's formulas: $x_1 + x_1 + x_3 = \lambda^2$, so $x_3 = \lambda^2 - 2x_1$
• The y-coordinate: $y_3 = \lambda(x_1 - x_3) - y_1$

Why the Reflection?
The geometric construction requires reflecting the third intersection point across the x-axis. This ensures that:
1. The result is still on the elliptic curve
2. The group operation is well-defined and associative
3. Every point has an inverse (its reflection across the x-axis)

Verification Example
Let's verify with the curve $y^2 = x^3 + 7$ and points $P = (1, 2\sqrt{2})$ and $Q = (4, 9)$:
• Slope: $\lambda = \frac{9 - 2\sqrt{2}}{4 - 1} = \frac{9 - 2\sqrt{2}}{3}$
• $x_3 = \lambda^2 - 1 - 4 = \lambda^2 - 5$
• $y_3 = \lambda(1 - x_3) - 2\sqrt{2}$

The beauty of these formulas is that they work consistently across all elliptic curves, turning the geometric group law into efficient algebraic operations suitable for computer implementation.

Setup: Elliptic Curve over F₁₇
Let's use the elliptic curve $y^2 = x^3 + 2x + 2$ over the finite field $\mathbb{F}_{17}$ (integers modulo 17).

Step 1: Finding Points on the Curve
We need to find all points $(x,y)$ such that $y^2 \equiv x^3 + 2x + 2 \pmod{17}$.

For $x = 5$: $y^2 \equiv 5^3 + 2(5) + 2 \equiv 125 + 10 + 2 \equiv 137 \equiv 1 \pmod{17}$
Since $1^2 = 1$ and $16^2 = 256 \equiv 1 \pmod{17}$, we get points $(5, 1)$ and $(5, 16)$.

Step 2: Point Addition Example
Let's add points $P = (5, 1)$ and $Q = (6, 3)$:

First, calculate the slope: $$\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{3 - 1}{6 - 5} = \frac{2}{1} = 2$$
Then calculate the new coordinates: $$x_3 = \lambda^2 - x_1 - x_2 = 2^2 - 5 - 6 = 4 - 11 = -7 \equiv 10 \pmod{17}$$ $$y_3 = \lambda(x_1 - x_3) - y_1 = 2(5 - 10) - 1 = 2(-5) - 1 = -11 \equiv 6 \pmod{17}$$
So $P + Q = (10, 6)$.

Step 3: Scalar Multiplication
Let's compute $2P = P + P$ where $P = (5, 1)$:

For point doubling, the slope is: $$\lambda = \frac{3x_1^2 + a}{2y_1} = \frac{3(5^2) + 2}{2(1)} = \frac{75 + 2}{2} = \frac{77}{2}$$
Since $77 \equiv 9 \pmod{17}$ and $2^{-1} \equiv 9 \pmod{17}$ (because $2 \times 9 = 18 \equiv 1 \pmod{17}$): $$\lambda = 9 \times 9 = 81 \equiv 13 \pmod{17}$$
Then: $$x_3 = 13^2 - 2(5) = 169 - 10 = 159 \equiv 6 \pmod{17}$$ $$y_3 = 13(5 - 6) - 1 = 13(-1) - 1 = -14 \equiv 3 \pmod{17}$$
So $2P = (6, 3)$.

The secp256k1 Curve Parameters
The secp256k1 curve is defined by $y^2 = x^3 + 7$ over the prime field $\mathbb{F}_p$ where:
$p = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$
(This is approximately $1.16 \times 10^{77}$, a 256-bit prime)

The base point G has coordinates:
$G_x = $ 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
$G_y = $ 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

ECDH Key Exchange Protocol
Alice's Actions:
1. Alice generates a random private key: $d_A = $ (256-bit random integer)
2. Alice computes her public key: $Q_A = d_A \cdot G$
3. Alice sends $Q_A$ to Bob

Bob's Actions:
1. Bob generates a random private key: $d_B = $ (256-bit random integer)
2. Bob computes his public key: $Q_B = d_B \cdot G$
3. Bob sends $Q_B$ to Alice

Shared Secret Computation
Alice computes: $S_A = d_A \cdot Q_B = d_A \cdot (d_B \cdot G) = d_A d_B \cdot G$
Bob computes: $S_B = d_B \cdot Q_A = d_B \cdot (d_A \cdot G) = d_B d_A \cdot G$

Since $d_A d_B = d_B d_A$, both parties arrive at the same shared secret point $S$.

Example with Smaller Numbers (for illustration)
Let's say Alice chooses $d_A = $ 123456 and Bob chooses $d_B = $ 654321.

Alice computes: $Q_A = 123456 \cdot G$ (this would be a specific point on the curve)
Bob computes: $Q_B = 654321 \cdot G$ (another specific point on the curve)

For the shared secret:
Alice: $S = 123456 \cdot Q_B = 123456 \cdot 654321 \cdot G$
Bob: $S = 654321 \cdot Q_A = 654321 \cdot 123456 \cdot G$

Both get the same point $S = 80779853376 \cdot G$.

Security Analysis
An eavesdropper (Eve) sees the public keys $Q_A$ and $Q_B$, but to compute the shared secret, she would need to solve the ECDLP to find either $d_A$ or $d_B$. With the 256-bit secp256k1 curve, this would require approximately $2^{128}$ operations, which is computationally infeasible with current technology.

ECDSA Key Generation
1. Choose a cryptographically secure elliptic curve (e.g., secp256k1)
2. Generate a random private key: $d$ (256-bit integer)
3. Compute public key: $Q = d \cdot G$ where G is the base point

ECDSA Signature Generation
To sign a message M:

1. Compute message hash: $h = \text{SHA-256}(M)$
2. Generate a random nonce: $k$ (this must be unique for each signature!)
3. Compute point: $(x_1, y_1) = k \cdot G$
4. Compute $r = x_1 \bmod n$ (where n is the order of G)
5. Compute $s = k^{-1}(h + rd) \bmod n$
6. The signature is the pair $(r, s)$

ECDSA Signature Verification
To verify signature $(r, s)$ on message M with public key Q:

1. Compute message hash: $h = \text{SHA-256}(M)$
2. Compute $w = s^{-1} \bmod n$
3. Compute $u_1 = hw \bmod n$ and $u_2 = rw \bmod n$
4. Compute point: $(x_1, y_1) = u_1 \cdot G + u_2 \cdot Q$
5. Verify that $r = x_1 \bmod n$

Why This Works
The verification works because:
$u_1 \cdot G + u_2 \cdot Q = (hw) \cdot G + (rw) \cdot (d \cdot G)$
$= w(h + rd) \cdot G = w \cdot s \cdot k \cdot G = k \cdot G$
(since $s = k^{-1}(h + rd)$, so $w \cdot s = k$)

Security Note
The random nonce $k$ must be unique for each signature and kept secret. Reusing $k$ or generating it predictably can lead to private key recovery, as famously happened with early PlayStation 3 signing keys and some Bitcoin implementations.