The Ubiquity of Elliptic Curves
Joseph Silverman (Brown University)
MAA Invited Address – Expanded Version
Baltimore – January 18, 2003
Contents
• Introduction
• Geometry, Algebra, Analysis, and Beyond
• The Group Law on an Elliptic Curve
• Elliptic Curves and Complex Analysis
• Elliptic Curves and Number Theory (I)
• Elliptic Curves and Cryptography
• Elliptic Curves and Classical Physics
• Elliptic Curves and Topology
• Elliptic Curves and Modern Physics
• Elliptic Curves and Number Theory (II)
• References and Texts
Elliptic Curves
Geometry, Algebra, Analysis
and Beyond…
What is an Elliptic Curve?
• An elliptic curve is a curve that’s also naturally a group.
• The group law on an elliptic curve can be described:
• Geometrically using intersection theory
• Algebraically using polynomial equations
• Analytically using complex analytic functions
• Elliptic curves appear in many diverse areas of
mathematics, ranging from number theory to complex
analysis, and from cryptography to mathematical
physics.
The Equation of an Elliptic Curve
An Elliptic Curve is a curve given by an equation
E : y² = f(x) for a cubic or quartic polynomial f(x)
We also require that the polynomial f(x) has no double roots. This ensures that the curve is nonsingular.
After a change of variables, the equation takes the simpler form
E : y² = x³ + Ax + B
(in this form, "no double roots" is the condition 4A³ + 27B² ≠ 0).
Finally, for reasons to be explained shortly, we toss in an extra point O "at infinity," so E is really the set
E = { (x,y) : y² = x³ + Ax + B } ∪ { O }
A Typical Elliptic Curve E
E : Y² = X³ – 5X + 8
Surprising Fact: We can use geometry to make the points of an elliptic curve into a group.
The Group Law on an
Elliptic Curve
Adding Points P + Q on E
[Figure: the line through P and Q meets E in a third point R; the labeled points are P, Q, R and P+Q.]
Doubling a Point P on E
[Figure: the tangent line to E at P meets E in a third point R; the labeled points are P, R and 2*P.]
Vertical Lines and an Extra Point at Infinity
[Figure: a vertical line through P and Q = –P; vertical lines have no third intersection point.]
Add an extra point O "at infinity."
The point O lies on every vertical line.
Properties of "Addition" on E
Theorem: The addition law on E has the following properties:
a) P + O = O + P = P for all P ∈ E.
b) P + (–P) = O for all P ∈ E.
c) (P + Q) + R = P + (Q + R) for all P, Q, R ∈ E.
d) P + Q = Q + P for all P, Q ∈ E.
In other words, the addition law + makes the points of E into a commutative group.
All of the group properties are trivial to check except for the associative law (c). The associative law can be verified by a lengthy computation using explicit formulas, or by using more advanced algebraic or analytic methods.
A Numerical Example
E : Y² = X³ – 5X + 8
The point P = (1,2) is on the curve E.
Using the tangent line construction, we find that
2P = P + P = (–7/4, –27/8).
Using the secant line construction, we find that
3P = P + P + P = (553/121, –11950/1331).
Similarly,
4P = (45313/11664, 8655103/1259712).
As you can see, the coordinates become complicated.
Algebraic Formulas for Addition on E
Suppose that we want to add the points
P1 = (x1,y1) and P2 = (x2,y2)
on the elliptic curve
E : y² = x³ + Ax + B.
Let
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1} \quad\text{if } P_1 \neq P_2 \qquad\text{and}\qquad \lambda = \frac{3x_1^2 + A}{2y_1} \quad\text{if } P_1 = P_2.$$
Then
$$P_1 + P_2 = \left(\lambda^2 - x_1 - x_2,\ \ -\lambda^3 + \lambda(2x_1 + x_2) - y_1\right).$$
(If x1 = x2 but P1 ≠ P2, the line through them is vertical and P1 + P2 = O.)
Quite a mess!!!!! But…
Crucial Observation: If A and B are in a field K and if P1 and P2 have coordinates in K, then P1 + P2 and 2P1 have coordinates in K.
The Group of Points on E with Coordinates in a Field K
The elementary observation on the previous slide leads to an important result:
Theorem (Poincaré, 1900): Let K be a field and suppose that an elliptic curve E is given by an equation of the form
y² = x³ + Ax + B with A, B ∈ K.
Let E(K) be the set of points of E with coordinates in K,
E(K) = { (x,y) ∈ E : x, y ∈ K } ∪ { O }.
Then E(K) is a subgroup of E.
What Does E(R) Look Like?
We have seen one example of E(R). It is also possible for E(R) to have two connected components.
E : Y² = X³ – 9X
Analytically, E(R) is isomorphic to the circle group S¹ or to two copies of the circle group S¹ × Z/2Z.
A Finite Field Numerical Example
The formulas giving the group law on E are valid if the points have coordinates in any field, even if the geometric pictures don't make sense.
For example, we can take points with coordinates in F_p.
Example: The curve
E : Y² = X³ – 5X + 8 modulo 37
contains the points
P = (6,3) and Q = (9,10).
Using the addition formulas, we can compute in E(F₃₇):
2P = (35,11), 3P = (34,25), 4P = (8,6), 5P = (16,19), …
P + Q = (11,10)
3P + 4Q = (31,28) …
Elliptic Curves and
Complex Analysis
Or…How the Elliptic Curve Acquired
Its Unfortunate Moniker
The Arc Length of an Ellipse
The arc length of a (semi)circle x² + y² = a² is given by the familiar integral
$$\int_{-a}^{a} \frac{a}{\sqrt{a^2 - x^2}}\,dx$$
The arc length of a (semi)ellipse x²/a² + y²/b² = 1 is more complicated:
$$\int_{-a}^{a} \frac{\sqrt{a^2 - (1 - b^2/a^2)\,x^2}}{\sqrt{a^2 - x^2}}\,dx$$
The Arc Length of an Ellipse
Let k² = 1 – b²/a² and change variables x → ax. Then the arc length of an ellipse is
$$\text{Arc Length} = a\int_{-1}^{1} \frac{\sqrt{1 - k^2x^2}}{\sqrt{1 - x^2}}\,dx
= a\int_{-1}^{1} \frac{1 - k^2x^2}{\sqrt{(1 - x^2)(1 - k^2x^2)}}\,dx
= a\int_{-1}^{1} \frac{1 - k^2x^2}{y}\,dx$$
An Elliptic Curve! with y² = (1 – x²)(1 – k²x²) = quartic in x.
An elliptic integral is an integral ∫ R(x,y) dx, where R(x,y) is a rational function of the coordinates (x,y) on an "elliptic curve"
E : y² = f(x) = cubic or quartic in x.
Elliptic Integrals and Elliptic Functions
The circular integral
$$\int_0^{w} \frac{dx}{\sqrt{1 - x^2}}$$
is equal to sin⁻¹(w). Its inverse function w = sin(z) is periodic with period 2π.
The elliptic integral
$$\int^{w} \frac{dx}{\sqrt{x^3 + Ax + B}}$$
has an inverse w = ℘(z) with two independent complex periods ω₁ and ω₂:
℘(z + ω₁) = ℘(z + ω₂) = ℘(z) for all z ∈ C.
Doubly periodic functions are called elliptic functions.
Elliptic Functions and Elliptic Curves
The ℘-function and its derivative satisfy an algebraic relation
$$\wp'(z)^2 = \wp(z)^3 + A\,\wp(z) + B$$
This equation looks familiar…
The double periodicity of ℘(z) means that it is a function on the quotient space C/L, where L is the lattice
L = { n₁ω₁ + n₂ω₂ : n₁, n₂ ∈ Z }.
[Figure: the lattice L with a fundamental parallelogram whose vertices are 0, ω₁, ω₁ + ω₂ and ω₂.]
℘(z) and ℘′(z) are functions on a fundamental parallelogram.
The Complex Points on an Elliptic Curve
The ℘-function gives a complex analytic isomorphism
$$\mathbb{C}/L \xrightarrow{\ z \,\mapsto\, (\wp(z),\,\wp'(z))\ } E(\mathbb{C})$$
Parallelogram with opposite sides identified = a torus.
Thus the points of E with coordinates in the complex numbers C form a torus, that is, the surface of a donut.
[Figure: E(C) drawn as a torus.]
Elliptic Curves and
Number Theory
Rational Points on Elliptic Curves
E(Q) : The Group of Rational Points
A fundamental and ancient problem in number theory is that of solving polynomial equations using integers or rational numbers.
The description of E(Q) is a landmark in the modern study of Diophantine equations.
Theorem (Mordell, 1922): Let E be an elliptic curve given by an equation
E : y² = x³ + Ax + B with A, B ∈ Q.
There is a finite set of points P₁, P₂, …, P_r so that every point P in E(Q) can be obtained as a sum
P = n₁P₁ + n₂P₂ + … + n_rP_r with n₁, …, n_r ∈ Z.
In other words, E(Q) is a finitely generated group.
E(Q) : The Group of Rational Points
The elements of finite order in the group E(Q) are quite well understood.
Theorem (Mazur, 1977): The group E(Q) contains at most 16 points of finite order.
The minimal number of points needed to generate the group E(Q) is much more mysterious!
Conjecture: The number of points needed to generate E(Q) may be arbitrarily large.
Current World Record: There is an elliptic curve with
Number of generators for E(Q) ≥ 23.
E(F_p) : The Group of Points Modulo p
Number theorists also like to solve polynomial equations modulo p.
This is much easier than finding solutions in Q, since there are only finitely many solutions in the finite field F_p!
One expects E(F_p) to have approximately p + 1 points.
A famous theorem of Hasse (later vastly generalized by Weil and Deligne) quantifies this expectation.
Theorem (Hasse, 1933): An elliptic curve equation
E : y² ≡ x³ + Ax + B (modulo p)
has
p + 1 + ε
points in E(F_p) (the solutions (x,y) mod p together with the point O at infinity), where the error ε satisfies
|ε| ≤ 2√p.
Elliptic Curves and
Cryptography
The (Elliptic Curve) Discrete Log Problem
Let A be a group and let P and Q be known elements of A.
The Discrete Logarithm Problem (DLP) is to find an integer m satisfying
Q = P + P + … + P (m summands) = mP.
• There are many cryptographic constructions based on the difficulty of solving the DLP in various finite groups.
• The first group used for this purpose (Diffie-Hellman 1976) was the multiplicative group F_p^* in a finite field.
• Koblitz and Miller (1985) independently suggested using the group E(F_p) of points modulo p on an elliptic curve.
• At this time, the best algorithms for solving the elliptic curve discrete logarithm problem (ECDLP) are much less efficient than the algorithms for solving DLP in F_p^* or for factoring large integers.
Elliptic Curve Diffie-Hellman Key Exchange
Public Knowledge: A group E(F_p) and a point P of order n.
ALICE: Choose secret 0 < a < n. Compute Q_Alice = aP. Send Q_Alice to Bob. Compute aQ_Bob.
BOB: Choose secret 0 < b < n. Compute Q_Bob = bP. Send Q_Bob to Alice. Compute bQ_Alice.
Bob and Alice have the shared value bQ_Alice = abP = aQ_Bob.
Presumably(?) recovering abP from aP and bP requires solving the elliptic curve discrete logarithm problem.
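The addition formulas from "Algebraic Formulas for Addition on E", the rational and finite-field numerical examples, Hasse's bound, the ECDLP and the Diffie-Hellman exchange above, as one added Python example. It is not code from the talk: the class and function names (Curve, order_of, validate_public, ecdh, ecdlp_bruteforce) are this example's own, and the public-key validation step (received point on the curve, not O, and in the subgroup of order n) is standard engineering practice added here, not something the slides discuss. The same secant/tangent formulas are run over F_37 and, with exact fractions, over Q, which is the slides' "crucial observation" in code.

```python
# Added example, not code from the talk: the affine group law of the slides,
# double-and-add, a Hasse-bound check, brute-force ECDLP and ECDH on the slides'
# toy curve y^2 = x^3 - 5x + 8 over F_37.  All names here are this example's own.
from fractions import Fraction
import secrets

O = None  # the extra point "at infinity": the identity element of E


class Curve:
    """E : y^2 = x^3 + a*x + b over F_p (p an odd prime) or, if p is None, over Q."""

    def __init__(self, a, b, p=None):
        self.a, self.b, self.p = a, b, p
        if p is None:                                 # exact arithmetic in Q
            self.red, self.inv = Fraction, (lambda v: 1 / Fraction(v))
        else:                                         # arithmetic modulo p
            self.red, self.inv = (lambda v: v % p), (lambda v: pow(v % p, -1, p))
        if self.red(4 * a**3 + 27 * b**2) == 0:       # double root <=> singular
            raise ValueError("singular curve")

    def on_curve(self, P):
        return P is O or self.red(P[1] ** 2 - (P[0] ** 3 + self.a * P[0] + self.b)) == 0

    def neg(self, P):
        return O if P is O else (P[0], self.red(-P[1]))

    def add(self, P, Q):
        """P + Q by the secant/tangent formulas of the slides."""
        # Without this check a peer can feed a point on a weaker curve (invalid-curve attack).
        if not (self.on_curve(P) and self.on_curve(Q)):
            raise ValueError("point not on curve")
        if P is O or Q is O:
            return Q if P is O else P
        x1, y1 = P
        x2, y2 = Q
        if self.red(x1 - x2) == 0:
            if self.red(y1 + y2) == 0:
                return O                              # vertical line: P + (-P) = O
            lam = self.red((3 * x1 * x1 + self.a) * self.inv(2 * y1))  # tangent
        else:
            lam = self.red((y2 - y1) * self.inv(x2 - x1))              # secant
        x3 = self.red(lam * lam - x1 - x2)
        y3 = self.red(lam * (x1 - x3) - y1)           # = -lam^3 + lam(2x1 + x2) - y1
        return (x3, y3)

    def mul(self, n, P):
        """n*P (n >= 0) by double-and-add. Toy code: its timing depends on n."""
        R, Q = O, P
        while n:
            if n & 1:
                R = self.add(R, Q)
            Q, n = self.add(Q, Q), n >> 1
        return R

    def points(self):
        """All of E(F_p), including O, by brute force (small p only)."""
        pts = [O]
        for x in range(self.p):
            rhs = (x**3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if (y * y - rhs) % self.p == 0]
        return pts


def order_of(E, P):
    """Smallest n >= 1 with n*P = O, by stepping through the cyclic group <P>."""
    n, R = 1, P
    while R is not O:
        R, n = E.add(R, P), n + 1
    return n


def validate_public(E, Q, n):
    """Public-key validation: Q on E, Q != O, and Q in the subgroup of order n."""
    return Q is not O and E.on_curve(Q) and E.mul(n, Q) is O


def ecdh(E, P, n, a=None, b=None):
    """One exchange in <P>; returns (Alice's shared value, Bob's shared value)."""
    a = 1 + secrets.randbelow(n - 1) if a is None else a   # secret 0 < a < n
    b = 1 + secrets.randbelow(n - 1) if b is None else b   # secret 0 < b < n
    QA, QB = E.mul(a, P), E.mul(b, P)                     # the two public messages
    if not (validate_public(E, QB, n) and validate_public(E, QA, n)):
        raise ValueError("received public point rejected")
    return E.mul(a, QB), E.mul(b, QA)                     # both equal a*b*P


def ecdlp_bruteforce(E, P, Q, n):
    """Find m with m*P = Q by trying m = 0, 1, ..., n-1: O(n) steps, fine only for toys."""
    R = O
    for m in range(n):
        if R == Q:
            return m
        R = E.add(R, P)
    return None


if __name__ == "__main__":
    E, P, Q = Curve(-5, 8, 37), (6, 3), (9, 10)
    print([E.mul(k, P) for k in range(1, 6)], E.add(P, Q), len(E.points()))
    n = order_of(E, P)
    sA, sB = ecdh(E, P, n)
    print(n, sA, sA == sB, ecdlp_bruteforce(E, P, sA, n))
```

Running the script reproduces the slides' values 2P = (35,11), …, 5P = (16,19) and P + Q = (11,10), and the brute-force point count lands within 2√37 of 38 as Hasse's theorem requires. The discrete-log step succeeds only because the group has a few dozen elements; a deployed system uses a standardized curve with a prime of roughly 256 bits, for which stepping through the group is hopeless, and a constant-time scalar multiplication rather than the branch on each bit of n used here.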
Elliptic Curves and
Classical Physics
The Elliptic Curve and the Pendulum
In freshman physics, one assumes that θ is small and derives the formula
$$\frac{d^2\theta}{dt^2} = -k^2\,\theta$$
This leads to a simple harmonic motion for the pendulum.
But this formula is only a rough approximation. The actual differential equation for the pendulum is
$$\frac{d^2\theta}{dt^2} = -k^2\sin(\theta)$$
How to Solve the Pendulum Equation
$$\frac{d^2\theta}{dt^2}\,\frac{d\theta}{dt} = -k^2\sin(\theta)\,\frac{d\theta}{dt}
\quad\Longrightarrow\quad
\frac{1}{2}\left(\frac{d\theta}{dt}\right)^2 = -k^2\int \sin(\theta)\,d\theta = k^2\cos(\theta)\quad(\text{taking } C = 0)$$
$$\frac{d\theta}{\sqrt{\cos(\theta)}} = \sqrt{2}\,k\,dt$$
Now substitute x = tan(θ/2):
$$\frac{d\theta}{\sqrt{\cos(\theta)}} = \frac{2\,dx}{\sqrt{1 - x^4}} = \frac{2\,dx}{y}\quad\text{with } y^2 = 1 - x^4.$$
An Elliptic Integral!!! An Elliptic Curve!!!
Conclusion: tan(θ/2) = Elliptic Function of t
Elliptic Curves and
Topology
Cobordism and Genus
An important object in topology is the (complex oriented) cobordism ring Ω.
For our purposes, it is enough to know that Ω is a polynomial ring in infinitely many variables:
Ω = C[T₂, T₄, T₆, T₈, …].
(T₂ₙ is the cobordism class of projective space CPⁿ.)
A (complex) genus is a ring homomorphism
φ : Ω → C.
The genus φ is characterized by its logarithm
$$\log_\varphi(x) = x + \frac{\varphi(T_2)}{3}x^3 + \frac{\varphi(T_4)}{5}x^5 + \frac{\varphi(T_6)}{7}x^7 + \cdots \in \mathbb{C}[[x]]$$
What Makes a Genus Elliptic?
A genus is a ring homomorphism, so it satisfies
φ(U × V) = φ(U) φ(V).
Here U and V are (cobordism classes of) complex manifolds.
It is interesting to impose a stronger multiplicative property:
Let W → V be a fiber bundle with fiber U, i.e., W is a twisted product of U and V. Then we still require that
φ(W) = φ(U) φ(V).
Ochanine proved that the logarithm of φ is an elliptic integral!
$$\log_\varphi(x) = \int_0^{x} \frac{dx}{\sqrt{1 - 2ax^2 + bx^4}} = \int_0^{x} \frac{dx}{y}$$
A genus whose logarithm is an elliptic integral is called an Elliptic Genus.
Elliptic Curves and
Modern Physics
Elliptic Curves and String Theory
In string theory, the notion of a point-like particle is replaced
by a curve-like string.
As a string moves through space-time, it traces out a surface.
For example, a single string that moves around and returns to
its starting position will trace a torus.
So the path traced by a string looks like an elliptic curve!
In quantum theory, physicists like to compute averages over
all possible paths, so when using strings, they need to
compute integrals over the space of all elliptic curves.
Elliptic Curves and
Number Theory
Fermat’s Last Theorem
Fermat’s Last Theorem and Fermat Curves
Fermat's Last Theorem says that if n > 2, then the equation
aⁿ + bⁿ = cⁿ
has no solutions in nonzero integers a, b, c.
It is enough to prove the case that n = 4 (already done by Fermat himself) and the case that n = p is an odd prime.
If we let x = a/c and y = b/c, then solutions to Fermat's equation give rational points on the Fermat curve
xᵖ + yᵖ = 1.
But Fermat's curve is not an elliptic curve (for p ≥ 5 its genus is (p – 1)(p – 2)/2 > 1). So how can elliptic curves be used to study Fermat's problem?
Elliptic Curves and Fermat's Last Theorem
Gerhard Frey (and others) suggested using a hypothetical solution (a,b,c) of Fermat's equation to "manufacture" an elliptic curve
E_{a,b,c} : y² = x (x – aᵖ) (x + bᵖ).
Frey suggested that E_{a,b,c} would be such a strange curve, it shouldn't exist at all. More precisely, Frey doubted that E_{a,b,c} could be modular.
Ribet verified Frey's intuition by proving that E_{a,b,c} is indeed not modular.
Wiles completed the proof of Fermat's Last Theorem by showing that (most) elliptic curves, in particular elliptic curves like E_{a,b,c}, are modular.
Elliptic Curves and Fermat's Last Theorem
E_{a,b,c} : y² = x (x – aᵖ) (x + bᵖ)
To Summarize:
Suppose that aᵖ + bᵖ = cᵖ with abc ≠ 0.
Ribet proved that E_{a,b,c} is not modular.
Wiles proved that E_{a,b,c} is modular.
Conclusion: The equation aᵖ + bᵖ = cᵖ has no solutions.
But what does it mean for an elliptic curve E to be modular?
Elliptic Curves and Modularity
There are many equivalent definitions, none of them particularly intuitive. Here's one:
E is modular if it is parameterized by modular forms!
A modular form is a function f(t) with the property
$$f\!\left(\frac{at + b}{ct + d}\right) = (ct + d)^2\, f(t)
\quad\text{for all matrices } \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{Z}) \text{ satisfying } c \equiv 0 \pmod N.$$
The variable t represents the elliptic curve E_t whose lattice is
L_t = { n₁ + n₂t : n₁, n₂ ∈ Z }.
So just as in string theory, the space of all elliptic curves makes an unexpected appearance.
References and Texts on Elliptic Curves
Apostol, T. Modular functions and Dirichlet series in number theory, Graduate
Texts in Mathematics 41, Springer-Verlag, New York, 1976.
Blake, I. F.; Seroussi, G.; Smart, N. P. Elliptic curves in cryptography. London
Mathematical Society Lecture Note Series, 265. Cambridge University Press,
Cambridge, 2000.
Cremona, J. E. Algorithms for modular elliptic curves. Cambridge University
Press, Cambridge, 1997.
Knapp, A. Elliptic curves, Mathematical Notes 40, Princeton University Press,
Princeton, NJ, 1992.
Koblitz, N. Introduction to elliptic curves and modular forms, Springer-Verlag, NY,
1984.
References and Texts on Elliptic Curves
Lang, S. Elliptic functions, Graduate Texts in Mathematics 112, Springer-Verlag,
NY, 1987.
Lang, S. Elliptic curves: Diophantine analysis, Springer-Verlag, Berlin, 1978.
Silverman, Joseph H. The arithmetic of elliptic curves. Graduate Texts in
Mathematics, 106. Springer-Verlag, New York, 1986.
Silverman, Joseph H. Advanced topics in the arithmetic of elliptic curves.
Graduate Texts in Mathematics, 151. Springer-Verlag, New York, 1994.
Silverman, Joseph H.; Tate, John. Rational points on elliptic curves. Undergraduate Texts in Mathematics. Springer-Verlag, New York, 1992.