The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) MAA Invited Address Baltimore – January 18, 2003

Contents Introduction Elliptic Curves – Geometry, Algebra, and Analysis Elliptic Curves and Number Theory Elliptic Curves and Physics Elliptic Curves and Topology Elliptic Curves and Factorization Elliptic Curves and Cryptography Elliptic Curves and Fermat’s Last Theorem References and Further Reading - 2 -

Elliptic Curves Geometry, Algebra, Analysis and Beyond…

An elliptic curve is a curve that’s also naturally a group. The group law on an elliptic curve can be described: Geometricallyusing intersection theory Algebraicallyusing polynomial equations Analyticallyusing complex analytic functions Elliptic curves appear in many diverse areas of mathematics, ranging from number theory to complex analysis, and from cryptography to mathematical physics. What is an Elliptic Curve? - 4 -

The Equation of an Elliptic Curve An Elliptic Curve is a curve given by an equation E : y 2 = f(x) for a cubic or quartic polynomial f(x) We also require that the polynomial f(x) has no double roots. This ensures that the curve is nonsingular After a change of variables, the equation takes the simpler form E : y 2 = x 3 + A x + B Finally, for reasons to be explained shortly, we toss in an extra point O “at infinity,” so E is really the set E = { (x,y) : y 2 = x 3 + A x + B }  { O }

A Typical Elliptic Curve E E : Y 2 = X 3 – 5X Surprising Fact: We can use geometry to make the points of an elliptic curve into a group.

The Group Law on an Elliptic Curve

Adding Points P + Q on E P Q P+Q R - 8 -

Doubling a Point P on E P 2*P R Tangent Line to E at P - 9 -

Vertical Lines and an Extra Point at Infinity Vertical lines have no third intersection point Q Add an extra point O “at infinity.” The point O lies on every vertical line. O PQ = –P

Properties of “Addition” on E Theorem: The addition law on E has the following properties: a)P + O = O + P = Pfor all P  E. b)P + (–P) = O for all P  E. c)(P + Q) + R = P + (Q + R)for all P,Q,R  E. d)P + Q = Q + Pfor all P,Q  E. In other words, the addition law + makes the points of E into a commutative group. All of the group properties are trivial to check except for the associative law (c). The associative law can be verified by a lengthy computation using explicit formulas, or by using more advanced algebraic or analytic methods

Algebraic Formulas for Addition on E Suppose that we want to add the points P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ) on the elliptic curve E : y 2 = x 3 + Ax + B Quite a mess!!!!! But… Crucial Observation: If A and B are in a field K and if P 1 and P 2 have coordinates in K, then P 1 + P 2 and 2P 1 have coordinates in K.

The Group of Points on E with Coordinates in a Field K The elementary observation on the previous slide leads to an important result: Theorem (Poincaré,  1900): Let K be a field and suppose that an elliptic curve E is given by an equation of the form y 2 = x 3 + A x + B with A,B  K. Let E(K) be the set of points of E with coordinates in K, E(K) = { (x,y)  E : x,y  K }  { O }. Then E(K) is a subgroup of E

Elliptic Curves and Complex Analysis Or…How the Elliptic Curve Acquired Its Unfortunate Moniker

The Arc Length of an Ellipse The arc length of a (semi)circle -aa x 2 +y 2 =a 2 is given by the familiar integral is more complicated The arc length of a (semi)ellipse x 2 /a 2 + y 2 /b 2 = 1 -a b a

An Elliptic Curve! The Arc Length of an Ellipse Let k 2 = 1 – b 2 /a 2 and change variables x  ax. Then the arc length of an ellipse is with y 2 = (1 – x 2 ) (1 – k 2 x 2 ) = quartic in x. An elliptic integral is an integral, where R(x,y) is a rational function of the coordinates (x,y) on an “elliptic curve” E : y 2 = f(x) = cubic or quartic in x.

Elliptic Integrals and Elliptic Functions Doubly periodic functions are called elliptic functions. Its inverse function w = sin(z) is periodic with period 2 . The circular integral is equal to sin -1 (w). The elliptic integral has an inverse w =  (z) with two independent complex periods  1 and  2.  (z +  1 ) =  (z +  2 ) =  (z) for all z  C.

Elliptic Functions and Elliptic Curves This equation looks familiar The  -function and its derivative satisfy an algebraic relation The double periodicity of  (z) means that it is a function on the quotient space C /L, where L is the lattice L = { n 1  1 + n 2  2 : n 1,n 2  Z }. 11 22  1 +  2 L  (z) and  ’(z) are functions on a fundamental parallelogram

The Complex Points on an Elliptic Curve E( C ) = The  -function gives a complex analytic isomorphism Thus the points of E with coordinates in the complex numbers C form a torus, that is, the surface of a donut. E( C ) Parallelogram with opposite sides identified = a torus

Elliptic Curves and Number Theory Rational Points on Elliptic Curves

E( Q ) : The Group of Rational Points A fundamental and ancient problem in number theory is that of solving polynomial equations using integers or rational numbers. The description of E( Q ) is a landmark in the modern study of Diophantine equations. Theorem (Mordell, 1922): Let E be an elliptic curve given by an equation E : y 2 = x 3 + A x + B with A,B  Q. There is a finite set of points P 1,P 2,…,P r so that every point P in E( Q ) can be obtained as a sum P = n 1 P 1 + n 2 P 2 + … + n r P r with n 1,…,n r  Z. In other words, E( Q ) is a finitely generated group

E( Q ) : The Group of Rational Points The elements of finite order in the group E( Q ) are quite well understood Theorem (Mazur, 1977): The group E( Q ) contains at most 16 points of finite order. Conjecture: The number of points needed to generate E( Q ) may be arbitrarily large. The minimal number of points needed to generate the group E( Q ) is much more mysterious! Current World Record: There is an elliptic curve with Number of generators for E( Q )  23.

E( Q ) : The Group of Rational Points A fundamental and ancient problem in number theory is that of solving polynomial equations using integers or rational numbers. The description of E( Q ) is a landmark in the modern study of Diophantine equations. Theorem (Mordell, 1922): Let E be an elliptic curve given by an equation E : y 2 = x 3 + A x + B with A,B  Q. Then the group of rational points E( Q ) is a finitely generated abelian group. That is, there is an integer r and a finite group  such that E( Q )  Z r  

E( Q ) : The Group of Rational Points The finite group  is called the torsion subgroup of E( Q ). It is quite well understood E( Q )  Z r   Theorem (Mazur, 1977): The torsion subgroup of E( Q ) contains at most 16 points. Conjecture: The rank of E( Q ) can be arbitrarily large. Current World Record: There is an elliptic curve with rank E( Q )  23. The integer r is called the rank of E( Q ). It is much more mysterious!

E( Z ) : The Group of Integer Points If P 1 and P 2 are points on E having integer coordinates, then P 1 + P 2 will have rational coordinates, but there is no reason for it to have integer coordinates. Indeed, the formulas for P 1 + P 2 are so complicated, it seems unlikely that P 1 + P 2 will have integer coordinates. Complementing Mordell’s finite generation theorem for rational points is a famous finiteness result for integer points Theorem (Siegel, 1928): An elliptic curve E : y 2 = x 3 + A x + B with A,B  Z has only finitely many points P = (x,y) with integer coordinates x,y  Z.

E( F p ) : The Group of Points Modulo p Number theorists also like to solve polynomial equations modulo p Theorem (Hasse, 1922): An elliptic curve equation E : y 2  x 3 + A x + B (modulo p) has p+1+  solutions (x,y) mod p, where the error  satisfies This is much easier than finding solutions in Q, since there are only finitely many solutions in the finite field F p ! One expects E( F p ) to have approximately p+1 points. A famous theorem of Hasse (later vastly generalized by Weil and Deligne) quantifies this expectation.

E( F p ) : The Group of Points Modulo p Number theorists also like to solve polynomial equations modulo p Theorem (Hasse, 1922): An elliptic curve E : y 2 = x 3 + A x + B with A,B  F p has p+1+  points P = (x,y) with coordinates x,y  F p, where the error  satisfies This is much easier than finding solutions in Q, since there are only finitely many solutions in the finite field F p ! One expects E( F p ) to have approximately p+1 points. A famous theorem of Hasse (later vastly generalized by Weil and Deligne) quantifies this expectation.

Elliptic Curves and Cryptography

The (Elliptic Curve) Discrete Log Problem Let A be a group and let P and Q be known elements of A There are many cryptographic constructions based on the difficulty of solving the DLP in various finite groups. The first group used for this purpose (Diffie-Hellman 1976) was the multiplicative group F p * in a finite field. Koblitz and Miller (1985) independently suggested using the group E( F p ) of points modulo p on an elliptic curve. At this time, the best algorithms for solving the elliptic curve discrete logarithm problem (ECDLP) are much less efficient than the algorithms for solving DLP in F p * or for factoring large integers. The Discrete Logarithm Problem (DLP) is to find an integer m satisfying Q = P + P + … + P = mP. m summands

Elliptic Curve Diffie-Hellman Key Exchange Public Knowledge: A group E( F p ) and a point P of order n. BOB ALICE Choose secret 0 < b < n Choose secret 0 < a < n Compute Q Bob = bP Compute Q Alice = aP Compute bQ Alice Compute aQ Bob Bob and Alice have the shared value bQ Alice = abP = aQ Bob Presumably(?) recovering abP from aP and bP requires solving the elliptic curve discrete logarithm problem. Send Q Bob to Alice to Bob Send Q Alice

Elliptic Curves and Classical Physics

The Elliptic Curve and the Pendulum

The Elliptic Curve and the Pendulum This leads to a simple harmonic motion for the pendulum. In freshman physics, one assumes that  is small and derives the formula But this formula is only a rough approximation. The actual differential equation for the pendulum is

How to Solve the Pendulum Equation

How to Solve the Pendulum Equation Conclusion: tan(  /2) = Elliptic Function of t An Elliptic Curve!!! An Elliptic Integral!!!

Elliptic Curves and Topology

Cobordism and Genus For our purposes, it is enough to know that  is a polynomial ring in infinitely many variables:  = C [T 2, T 4, T 6, T 8, …]. (T 2n is the cobordism class of projective space CP n.) An important object in topology is the (complex oriented) cobordism ring . The genus  is characterized by its logarithm A (complex) genus is a ring homomorphism  :   C.

What Makes a Genus Elliptic? A genus is a ring homomorphism, so it satisfies  (U x V) =  (U)  (V). Here U and V are (cobordism classes) of complex manifolds. Let W  V be a fiber bundle with fiber U, i.e., W is a twisted product of U and V. Then we still require that  (W) =  (U)  (V). Ochanine proved that the logarithm of  is an elliptic integral! A genus whose logarithm is an elliptic integral is called an Elliptic Genus. It is interesting to impose a stronger multiplicative property:

Elliptic Curves and Modern Physics

Elliptic Curves and String Theory In string theory, the notion of a point-like particle is replaced by a curve-like string. As a string moves through space-time, it traces out a surface. For example, a single string that moves around and returns to its starting position will trace a torus. So the path traced by a string looks like an elliptic curve! In quantum theory, physicists like to compute averages over all possible paths, so when using strings, they need to compute integrals over the space of all elliptic curves.

Elliptic Curves and Number Theory Fermat’s Last Theorem

Fermat’s Last Theorem and Fermat Curves Fermat’s Last Theorem says that if n > 2, then the equation a n + b n = c n has no solutions in nonzero integers a,b,c. It is enough to prove the case that n = 4 (already done by Fermat himself) and the case that n = p is an odd prime. If we let x = a/c and y = b/c, then solutions to Fermat’s equation give rational points on the Fermat curve x p + y p = 1. But Fermat’s curve is not an elliptic curve. So how can elliptic curves be used to study Fermat’s problem?

Elliptic Curves and Fermat’s Last Theorem Frey suggested that E a,b,c would be such a strange curve, it shouldn’t exist at all. More precisely, Frey doubted that E a,b,c could be modular. Ribet verified Frey’s intuition by proving that E a,b,c is indeed not modular. Wiles completed the proof of Fermat’s Last Theorem by showing that (most) elliptic curves, in particular elliptic curves like E a,b,c, are modular. Gerhard Frey (and others) suggested using an hypothetical solution (a,b,c) of Fermat’s equation to “manufacture” an elliptic curve E a,b,c : y 2 = x (x – a p ) (x + b p ).

Elliptic Curves and Fermat’s Last Theorem To Summarize: Suppose that a p + b p = c p with abc  0. Ribet proved that E a,b,c is not modular Wiles proved that E a,b,c is modular. Conclusion: The equation a p + b p = c p has no solutions. E a,b,c : y 2 = x (x – a p ) (x + b p ) But what does it mean for an elliptic curve E to be modular?

The variable  represents the elliptic curve E  whose lattice is L  = {n 1 +n 2  : n 1,n 2  Z }. So just as in string theory, the space of all elliptic curves makes an unexpected appearance. Elliptic Curves and Modularity E is modular if it is parameterized by modular forms! There are many equivalent definitions, none of them particularly intuitive. Here’s one: A modular form is a function f(  ) with the property

Conclusion

The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) MAA Invited Address Baltimore – January 18, 2003

References and Suggested Reading (1) Blake, I. F.; Seroussi, G.; Smart, N. P. Elliptic curves in cryptography. London Mathematical Society Lecture Note Series, 265. Cambridge University Press, Cambridge, [A good introduction to the subject.] Certicom tutorials and white papers. [Certicom is a company that markets products using elliptic curve cryptography.] Cremona, J. E. Algorithms for modular elliptic curves. Cambridge University Press, Cambridge, [Extensive coverage of mathematical algorithms for elliptic curves.]

References and Suggested Reading (2) Silverman, Joseph H. The arithmetic of elliptic curves. Graduate Texts in Mathematics, 106. Springer-Verlag, New York, [The number theory of elliptic curves at a level suitable for advanced graduate students.] Silverman, Joseph H. Advanced topics in the arithmetic of elliptic curves. Graduate Texts in Mathematics, 151. Springer-Verlag, New York, [A continuation to GTM 106 with additional topics.] Silverman, Joseph H.; Tate, John. Rational points on elliptic curves. Undergraduate Texts in Mathematics. Springer-Verlag, New York, [An introduction to the number theoretic properties of elliptic curves at an advanced undergraduate level.]

A Numerical Example Using the tangent line construction, we find that 2P = P + P = (-7/4, -27/8). Using the secant line construction, we find that 3P = P + P + P = (553/121, /1331) Similarly, 4P = (45313/11664, / ). As you can see, the coordinates become complicated. E : Y 2 = X 3 – 5X + 8 The point P = (1,2) is on the curve E

A Finite Field Numerical Example The formulas giving the group law on E are valid if the points have coordinates in any field, even if the geometric pictures don’t make sense. For example, we can take points with coordinates in F p. Example:The curve E : Y 2 = X 3 – 5X + 8 modulo 37 contains the points P = (6,3) and Q = (9,10). Using the addition formulas, we can compute in E( F 37 ): 2P = (35,11) 3P = (34,25) 4P = (8,6) 5P = (16,19) … P + Q = (11,10) 3P + 4Q = (31,28) …

What Does E(K) Look Like? There is no single answer, it depends on the field K. Analytically, E( R ) is isomorphic to the circle group S 1 or to two copies of the circle group S 1  Z /2 Z. For K = R, we have seen an example of E( R ). It is also possible for E( R ) to have two connected components. (K = R ) E : Y 2 = X 3 – 9X

Factorization Using Elliptic Curves

Using Elliptic Curves for Factorization Hendrik Lenstra observed that one can replace the multi- plicative group ( Z /p Z ) * with an elliptic curve group E( F p ). Then there is a good chance that during the computation of LCM[1,2,…,L] * S (modulo N), some inverse (x 2 – x 1 ) –1 mod N will not exist, yielding GCD(x 2 –x 1,N) = p More precisely, choose an elliptic curve and point mod N: E : Y 2 = X 3 + AX + B, A,B  Z /N Z, S  E( Z /N Z ). Suppose that there is a prime p dividing N for which the number of points in E( F p ) is L-smooth:

Properties of Lenstra’s Algorithm The advantage of Lenstra’s Elliptic Curve Algorithm over Pollard’s p–1 Algorithm is the introduction of many finite groups E( F p ) of many different orders. Let p be the smallest prime dividing N. Then the expected running time of Lenstra’s algorithm is The theoretical running time of Lenstra’s Algorithm can be calculated using a reasonable assumption about the distribution of L-smooth numbers in short intervals: The fact that the running time depends on the smallest prime divisor of N makes Lenstra’s algorithm especially good for “random” numbers, but it is slower than sieve methods for “RSA-type” numbers N = pq.