7 geometry and elliptic curvesndonalds/math180b/7elliptic.pdf7 geometry and elliptic curves to bring...
TRANSCRIPT
7 Geometry and Elliptic Curves
To bring the discussion of Fermat’s Last Theorem full-circle, we reference another of Fermat’s ‘marginnotes’ from his copy of Diophantus’ Arithmetica. In 1650 Fermat claimed that the equation y2 = x3− 2has only two solutions in integers; namely (x, y) = (3,±5). The first correct proof in writing camearound 150 years later.1 It is perhaps ironic that the proof of Fermat’s Last Theorem came via theconsideration of elliptic curves, of which y2 = x3 − 2 is an example. Here is a rough summary of thetimeline:
• (1955-57) Yutaka Taniyama and Goro Shimura conjecture that every elliptic curve over Q ismodular. Similarly to how conics can be parameterized using rational functions, this means thatsuch curves may be parameterized by modular functions.2
• (1984–1986) Gerhard Frey, Jean-Pierre Serre and Ken Ribet prove that if (a, b, c) is a non-trivialsolution to Fermat’s equation xp + yp = zp where p is an odd prime, then the Frey curve
y2 = x(x− ap)(x + bp)
is a non-modular elliptic curve.
• (1986–1994) Andrew Wiles (with assistance from Richard Taylor) proves that all semistable el-liptic curves are modular. Since the (hypothetical) Frey curves are semistable, this is enough toput Fermat firmly to bed. The full Taniyama–Shimura conjecture has now been proved, basedon the ideas of Wiles and Taylor, and is now known as the modularity theorem.
Wiles’ proof is far too difficult for us! In what follows, we discuss some of the beautiful structure ofelliptic curves and the way in which their study infuses number theory with geometry and algebra.In particular, we discuss the question of finding integer/rational points on elliptic curves, and someof the modularity patterns that arise when considering elliptic curves modulo primes: the existence ofthese patterns is equivalent to the modularity theorem.
Elliptic curves are more than merely interesting to those intent on proving 350-year-old conjectures.They form the basis of a widely-used cryptographic system superior in several ways to the famousRSA system, especially in situations where computing power is at a premium. Their structure alsodrives the particularly efficient Lenstra algorithm for factorizing integers.
Before doing any of this, we need to define an elliptic curve, and then to understand (some) of thecomponents of the definition: this will require a little work. . .
1Euler thought he had proved this earlier, but he implicitly assumed unique factorization in the ring Z[i√
2]: once this isestablished the result is straightforward: write x3 = (y+ i
√2)(y− i
√2), show that the two factors on the RHS are coprime,
whence each must be a perfect cube in Z[i√
2]; but if y + i√
2 = (a + ib√
2)3, then (a, b) = . . .2Non-examinable! A modular function f of level N is a meromorphic function (complex differentiable except at a discrete
set of poles) on the upper half-plane H = {x + iy : y > 0} such that, for all matrices( a b
c d)
in the modular group with N | c,we have
f(
az + bcz + d
)= f (z)
The modular group is the set of 2× 2 matrices with integer entries and determinant ad− bc = 1.
1
7.1 Algebraic Curves
Definition 7.1. A real (planar) algebraic curve C is the set of points (x, y) ∈ R2 satisfying some polyno-mial equation f (x, y) = 0. The degree of C is the degree of the polynomial f .A curve is irreducible if and only if its defining polynomial is irreducible:
f (x, y) = g(x, y)h(x, y) =⇒ g or h is constant
Irreducibility is often a pain to check directly, so we will typically avoid doing so.
Examples The irreducible degree-two curve defined by x2 + 2x + y2 − 3 = 0 is a circle of radius 2centered at the point (−1, 0).f (x, y) = (x2 + y2− 1)(y− x2) has two irreducible components of degree two: a circle and a parabola.
We can easily describe all irreducible algebraic curves of degrees 1 and 2.
Degree 1: All curves are irreducible f (x, y) = ax + by + c =⇒ C is a straight line.
Degree 2: Suppose that f (x.y) = ax2 + bxy + cy2 + dx + ey + g is quadratic, irreducible and con-tains at least two points3 in R2; then C is a conic. The sign of the discriminant ∆ = b2 − 4ac tellsus which of the standard conics we have. Using a change of variables amounting to rotationand translation, any conic can be put into one of the familiar canonical forms:
sgn(∆) + 0 −conic Hyperbola Parabola Ellipse
canonical form x2
p2 − y2
q2 = 1 y2 = 4kx x2
p2 +y2
q2 = 1
Example The curve defined by f (x, y) = 7x2 − 3xy− 2y2 + 2x + 2 is irreducible, has discriminant∆ = 9 + 14 > 0 and contains at least two points (e.g. (x, y) = (0,±1)): it is therefore a hyperbola.
3This caveat is important for conics. For example:
• The polynomial f (x, y) = x2 + y2 + 1 is irreducible over R, but defines an empty curve!
• The polynomial f (x, y) = (x− 3)2 + y2 is also irreducible over R, but the corresponding curve C in R2 contains onlyone point (3, 0).
We don’t want to think about these examples as being curves! To prevent things getting too technical, we shall simplyassume that any examples we see do not behave this way.
One way to get around this problem is by considering points (x, y) ∈ C2. The first example is still irreducible over C:the object in question is still called a ‘curve’ although its real ‘dimension’ is now two! If we are to write x = p + iq andy = r + is, and think about C2 ∼= R4, we see that
x2 + y2 + 1 = 0 ⇐⇒{
p2 − q2 + r2 − s2 + 1 = 0pq + rs = 0
The locus is therefore the intersection of two hypersurfaces in R4! Trying to make sense of these ‘complex curves’ isultimately necessary, but beyond this course.The second example is no longer irreducible over C: the curve defined by
f (x, y) = (x− 3)2 + y2 = (x− 3 + iy)(x− 3− iy)
is a pair of ‘straight lines’ in C2 which intersect at the only real point (3, 0) on both lines. Irreducibility therefore dependson the base field!
2
Cubic Curves
If f (x, y) has degree 3 and is irreducible, then C is a cubic curve. The canonical forms are shownbelow. The general cubic curve requires a more subtle change of co-ordinates than merely rota-tion/translation in order to be put in a canonical form; the details are not relevant to us since almostall examples we shall consider will already be in canonical form.
y
xα β γ
y
xα β
I: y2 = (x− α)(x− β)(x− γ) II: y2 = (x− α)(x− β)2
y
xα
y
xα
III: y2 = (x− α)3 IV: y2 = (x− α)(irred quadratic in x)
For example, with a simple factorization, Fermat’s curve y2 = x3 − 2 is in canonical form IV
y2 = (x− 21/3)([x + 2−2/3]2 + 3 · 2−4/3
)Singular Points
The second and third canonical forms have y2 = g(x) where g has a repeated root. The pointscorresponding to the repeated roots are singular points.
• In the second canonical form, the curve crosses itself at (β, 0): we call this a double point.
• In the third case, (α, 0) is known as a cusp, or triple point.
A better way of thinking about singular points is that the tangent line to the curve is not well-defined.At a double point we would have two tangent directions, whereas at a cusp, a traveller along thecurve is forced to stop and change direction.
3
In fact we can easily detect double and triple points on any cubic curve using the gradient∇ f =(
fxfy
):
it is easiest to make this a definition.
Definition 7.2. Let C be the algebraic curve defined by f (x, y) = 0. A point p on C is singular if∇ f (p) = 0 and non-singular otherwise. A curve C is non-singular if all of its points are non-singular.At a non-singular point p = (x0, y0) there is a well-defined (and unique) tangent line
fx(p)(x− x0) + fy(p)(y− y0) = 0
Lemma 7.3. According to the definition, only canonical forms I and IV are non-singular.
We leave the proof as an exercise. To match up these ideas, recall that the gradient ∇ f (p) pointsin the direction of greatest increase of the function f . A curve divides the plane into regions wheref (x, y) is positive or negative, so the gradient vector points perpendicular to the curve into the positiveregion. If the gradient were non-zero at either a double point or a cusp, we would necessarily havetwo possible choices for its direction: a contradiction.
Examples
1. Let C be defined by the polynomial f (x, y) = y2 − x3 + 4x + 8. Then
∇ f =
(−3x2 + 42y
)=
(00
)⇐⇒ x = ± 2√
3, y = 0
Neither of the points (± 2√3, 0) lie on the curve, whence C is non-singular. In fact, the curve is
in canonical form I:
y2 = (x + 1)(x + 2)(x− 3)
and is thus non-singular.
2. Let f (x, y) = x2 + xy2 + 2x + 1. Then
∇ f =
(2x + y2 + 2
2xy
)=
(00
)⇐⇒ (x, y) = (−1, 0)
Since f (−1, 0) = 0 it follows that the curve defined by f (x, y) = 0 has exactly one singularpoint. To decide whether this is a double point or a cusp is a little trickier: one could considerpoints on a tiny circle with radius ε centered at (−1, 0) via
(x, y) = (−1 + ε cos θ, ε sin θ)
Substituting this into f (x, y) = 0 one obtains
ε2 cos 2θ + ε3 cos θ sin2θ = 0
Since ε3 � ε2 we see that cos 2θ = 0, resulting infour nearby points corresponding to θ = ±π
4 ,± 3π4 .
We therefore have a double point.
−3
3
−15 −10 −5 x
y
It is perhaps surprising that our curve looks a little like the second canonical form, but with atwist: the point α lies at infinity. . .
4
7.2 Homogenization and the Projective Plane
It turns out that the theory of algebraic curves is much cleaner when one allows points at infinity.
Definition 7.4. The homogenization of an algebraic curve is the equation obtained by multiplyingterms by powers of a new variable until all terms have the same degree as the original curve. Ahomogenized curve is also called a projective curve.
Examples
1. The homogenization of the circle x2 + y2 = 3 is the projective curve X2 + Y2 = 3Z2.
2. The homogenization of the hyperbola x2 − y2 = 3 is the projective curve X2 −Y2 = 3Z2.
3. The homogenization of x2 + xy2 + 2x + 1 = 0 is X2Z + XY2 + 2XZ2 + Z3 = 0.
Definition 7.5. The real projective plane RP2 is defined via an equivalence relation on the set of non-zero points in R3:
RP2 = R3∗/∼ where (X, Y, Z) ∼ (A, B, C) ⇐⇒
( XYZ
)‖( A
BC
)Points in RP2 correspond to lines through the origin in R3. We denote points in RP2 using the stan-dard notation for equivalence classes [X, Y, Z] ∈ RP2: these are known as homogeneous co-ordinates.The set of points with Z = 0 is the ideal line: any point on it is an ideal point.
One can visualize RP2 as R2 together with all the ‘points at infinity’ on the ideal line. In particular:
• (x, y) ∈ R2 corresponds to the point [x, y, 1] ∈ RP2.
• [X, Y, Z] = [λX, λY, λZ] for any non-zero λ.
• The point [X, Y, Z] ∈ RP2 corresponds to either:
– (XZ , Y
Z ) ∈ R2, if Z 6= 0, or,
– The ideal point [X, Y, 0] thought of as a point at infinity in the direction(
XY
).
– Note that [0, 0, 0] is not a valid point in RP2!
Examples: take II
1. The projective curve X2 + Y2 = 3Z2 has no ideal points, since Z = 0 =⇒ X2 + Y2 = 0 =⇒X = Y = 0 does not produce a legitimate4 point in RP2.Also observe, for example, that in homogeneous co-ordinates we could write
[√
3,−3, 2] = [−1,√
3,− 2√3]
both corresponding to the point (√
32 ,− 3
2 ) ∈ R2 on the circle x2 + y2 = 3.
4If we were to work over the complex numbers however, the curve would contain two ideal points [1,±i, 0] ∈ CP2.
5
2. The projectivized hyperbola X2 − Y2 = 3Z2 has two ideal points [1,±1, 0], since Z = 0 =⇒X = ±Y. Pictorially this is the idea that the hyperbola ‘heads to infinity’ in directions parallelto the lines y = ±x: indeed these are the asymptotes of the hyperbola.
3. The projective curve X2Z + XY2 + 2XZ2 + Z3 = 0 has two ideal points: when Z = 0 we haveXY2 = 0, yielding [1, 0, 0] and [0, 1, 0]. In keeping with the graph, these suggest points at infinityin the horizontal and vertical directions.
−2
2
−2 2 x
y [1, 1, 0]
[1,−1, 0][1, 1, 0]
[1,−1, 0]
−3
3
−15 −10 −5 x
y[0, 1, 0]
[1, 0, 0]
In the following pictures, we’ve scaled distance so that the (dashed) ideal line can be visualised:5
1 2 4 8−1−2−4−8
12
48
−1−2
−4−8
1 2 4 8−1−2−4−8
12
48
−1−2
−4−8
As the magnitude√
x2 + y2 of a point in R2 increases to infinity, the scaled point approaches the unitcircle. Remember that opposite points on the ideal line are equivalent, so that [1, 1, 0] = [−1,−1, 0](the blue dots in the first picture). The dashed circular boundary is the ideal line Z = 0. Note in thesecond example that the curve appears to be tangent to the ideal line at [1, 0, 0]. Our next goal is to beable to check this algebraically. . .
5Explicitly, we used the formula(
xy
)7→(
2π tan−1
√x2+y2
3
)(xy
).
6
Non-singular Projective Curves
We want to be able to describe the concept of non-singularity entirely in homogeneous co-ordinates.In particular, this will allow us to talk about whether any ideal points are non-singular.
Definition 7.6. A projective curve C̃ in RP2 defined by the homogeneous equation F(X, Y, Z) = 0 isnon-singular at [P] if and only if ∇F(P) 6= 0. In such a case, its tangent line at [P] has equation
∇F(P) ·( X
YZ
)= 0 or FX(P)X + FY(P)Y + FZ(P)Z = 0
This definition extends our previous notions of non-singularity and tangency.
Theorem 7.7. Let C be an algebraic curve in R2 and C̃ be its homogenization. Let p ∈ C correspond to thenon-ideal point [P] ∈ C̃. Then:
1. [P] is non-singular if and only if p is non-singular.
2. The homogenization of the tangent line at p is the tangent line at [P].
Instead of proving the theorem (have a go if you want to test yourself!), we work our examples usingboth definitions and compare. To summarize; a projective curve C̃ is non-singular if an only if C isnon-singular and C̃ is non-singular at all ideal points.
Examples: take III
1. We compare the methods for computing tangents for the hyperbola f (x, y) = x2 − y2 − 3 = 0and its homogenization F(X, Y, Z) = X2 −Y2 − 3Z2 = 0. First compute the gradients:
∇ f =
(2x−2y
)∇F =
2X−2Y−6Z
The first is zero only at the origin (x, y) = (0, 0): this isn’t on the curve, so the hyperbola isnon-singular. Similarly, ∇F is only zero when X = Y = Z = 0: but [0, 0, 0] is not a valid pointin RP2. Thus the homogenized curve is also non-singular, even at ideal points.Now we compute the tangent line at the point p = ( 7
4 ,− 14 ):
∇ f (p) =( 7
212
)=⇒ 7
2 (x− 74 ) +
12 (y + 1
4 ) = 0 =⇒ 7x + y = 12
We may take the corresponding point on the homogenized curve to be [P] = [7,−1, 4], whence
∇F(P) =
142−24
=⇒ 14X + 2Y− 24Z = 0 =⇒ 7X + Y = 12Z
The second version of the tangent line is plainly the homogenization of the first.We can even compute the tangent line at each of the ideal points [1,±1, 0]: since
∇F(1,±1, 0) =
2∓20
it follows that the curve is tangent to X − Y = 0 at [1, 1, 0] and to X + Y = 0 at [1,−1, 0]. Thisshould make sense from the picture: recall that the hyperbola has asymptotes y = ±x.
7
2. The projective curve C̃ defined by F(X, Y, Z) = X2Z + XY2 + 2XZ2 + Z3 = 0 has
∇F =
2XZ + Y2 + 2Z2
2XYX2 + 4XZ + 3Z2
It is easy to see that ∇F = 0 ⇐⇒ [X, Y, Z] = [−1, 0, 1] which is a point on C̃. It follows thatC̃ is non-singular except at the point [−1, 0, 1]. Compare this to the graph on page 4 where wesaw that C was non-singular except at the double point (−1, 0).We can also compute the tangent lines at the ideal points :
• At P = [1, 0, 0]: ∇F(P) =( 0
01
)gives the tangent line Z = 0. The curve is tangent to the
ideal line at P. This comports with the notion that our example is canonical form III indisguise, with α moved to the ideal line.
• At Q = [0, 1, 0]: ∇F(Q) =(
100
)gives the tangent line X = 0. Again this makes sense, as
the curve is asymptotic to the line x = 0.
7.3 Elliptic Curves
We can finally(!) define our objects of study.
Definition 7.8. An elliptic curve over Q is a non-singular projective cubic curve with rational coeffi-cients, containing at least one rational point.
Example The curve defined by xy2 + x2 − x3 + 2 = 0 is elliptic. We compute the gradient of itshomogenization F(X, Y, Z) = XY2 + X2Z− X3 + 2Z3:
∇F =
Y2 + 2XZ− 3X2
2XYX2 + 6Z2
It is easy to see that this is non-zero unless X = Y =Z = 0, which is not a legitimate point in RP2. The curveis non-singular everywhere and is therefore elliptic. Aplot of the curve in projective space is shown. The idealpoints and their tangent lines are as follows:
Point Tangent line Dehomogenized[0, 1, 0] X = 0 x = 0[1, 1, 0] −2X + 2Y + Z = 0 y = x− 1
2[1,−1, 0] −2X− 2Y + Z = 0 y = 1
2 − x
1 2 4 8−1−2−4−8
12
48
−1−2
−4−8
The tangent lines at the ideal points are dotted. Any of the ideal points could play the role of therequired rational point, as could the finite point (2, 1).
8
Canonical/Weierstrass forms and the Discriminant
We will normally work with elliptic curves in canonical form (y2 = g(x) where g is a cubic functionof x). Indeed we will most often work with elliptic curves in Weierstrass form
y2 = x3 + ax + b
It is an easy exercise (see homework) to see that a simple change of co-ordinates can put any canonicalform elliptic curve in Weierstrass form. It is also easy to check whether curves in canonical form areelliptic.
Theorem 7.9. Suppose g(x) = ax3 + bx2 + cx + d has rational coefficients. Then the cubic curve y2 = g(x)is elliptic if and only if g(x) = 0 has distinct roots. Moreover the curve is tangent to the ideal line at its uniqueideal point σ = [0, 1, 0].
We omit the proof which involves some tedious calculation.6 Essentially, canonical forms I and IVare elliptic.To further simplify matters, we introduce a useful quantity which can quickly detect when a canoni-cal form cubic curve is elliptic:
Definition 7.10. Suppose the zeros of the g(x) = ax3 + bx2 + cx + d are µ1, µ2, µ3 ∈ C. Then itsdiscriminant is
∆ = a4 ∏j<k
(µj − µk)2
Theorem 7.11. 1. ∆ = 0 ⇐⇒ the cubic has a repeated root.7
2. ∆ = (b2 − 4ac)(c2 − 4bd) + 2abcd− 27a2d2.
3. If a cubic has integer coefficients then ∆ is an integer.
The first of these is obvious from the definition. The second is extremely tedious to prove, afterwhich the third is obvious! It is useful to note the following expressions for monic and Weierstrassform cubics:
x3 + ax2 + bx + c =⇒ ∆ = (a2 − 4b)(b2 − 4ac) + 2abc− 27c2
x3 + ax + b =⇒ ∆ = −4a3 − 27b2
Unless you work with cubics regularly, only the last expression is worth remembering! For thepresent, only one thing is important:
Corollary 7.12. A cubic curve y2 = g(x) with rational coefficients is elliptic if and only if ∆ 6= 0.
We can therefore check ellipticity without factorizing g.
6Start by writing the homogenized curve as F(X, Y, Z) = Y2Z − a3∏
k=1(X − µkZ), where µ1, µ2, µ3 are the roots of g.
Compute the gradient of F and check that non-singularity is equivalent to the µk being distinct. . .7If the coefficients of g are real, it can also be seen that ∆ > 0 ⇐⇒ the cubic has three real roots. . .
9
Examples
1. The curve y2 = x3 − 2x + 1 is elliptic since ∆ = −4 · (−2)3 − 27 = 5 is non-zero. Since ∆ > 0,this has canonical form I.
2. The curve y2 = x3 − 34 x + 1
4 is not elliptic since ∆ = −4 · (− 34 )
3 − 27 · (− 14 )
2 = 0. Indeedthis can be factored as (x− 1
2 )2(x + 1) with the repeated root clear. This has canonical form II.
Renditions in projective space of this and the previous example are below.
2 4 8−2−4−8
2
48
−2
−4−8
2 4 8−2−4−8
2
48
−2
−4−8
3. The elliptic curve y2 = (x + 7)(x2 + 1) = (x + 7)(x + i)(x− i) has
∆ = (−7− i)2(−7 + i)2(i + i)2 = −10000
A rendering in projective space is below.
−12
−8
−4
4
8
12
−8 −4 4 2 4 8 16−2−4−8−16
24
816
−2−4
−8−16
In all three examples, the tangency at σ is clearly visible. We shall return to the discriminant later.
10
Addition on Elliptic Curves
We haven’t yet mentioned the property that makes elliptic curves truly special: they have the struc-ture of an abelian group, whence the property is often referred to as ’addition’. The marked rationalpoint σ is what plays the role of the identity element (or ‘zero’). We construct this group for generalelliptic curves.
1. Let p, q be points on an elliptic curve C̃ with marked rational point σ.
2. Construct the line ` joining p and q. If q = p we let ` be the tangent line at p.
3. The set of intersections ` ∩ C̃ contains three points8 (up to multiplicity). Two of the points arep, q, the other we call p ∗ q. If there are only two intersections, one is a point of tangency; if thereis only one intersection, then p ∗ p = p.
4. Repeat the exercise with p ∗ q and σ: define
p + q := (p ∗ q) ∗ σ
If p = q we write 2p = p + p, etc.
This is particularly nice if C̃ is in canonical form: since σ = [0, 1, 0], the line through p ∗ q and σ isvertical; since C̃ is symmetric in the x-axis, we see that p + q is simply the vertical reflection of p ∗ q.The example below should clarify things.
Example Let C̃ be the elliptic curve defined by
y2 = (x + 7)(x2 + 1)
This contains the points p = (1, 4) and q = (3, 10). Theline joining these has equation
y− 4 =10− 43− 1
(x− 1) =⇒ y = 3x + 1
Substituting this into the equation for the curve, we ob-tain
(3x + 1)2 = x3 + 7x2 + x + 7
=⇒ x3 − 2x2 − 5x + 6 = 0 (∗)=⇒ (x− 1)(x− 3)(x + 2) = 0
It follows that p ∗ q = (−2,−5). By symmetry, we havep + q = (−2, 5).
−12
−8
−4
4
8
12
−8 −4 4
p
q
p ∗ q
p + q
8This is guaranteed to happen in projective space by a result known as Bezout’s Theorem.
11
Computing the x-coordinate of p ∗ q (and thus p + q) is easier than you think. We already know thatx = 1 and x = 3 are roots of (∗), whence factorization is straightforward. More generally:
Lemma 7.13. The sum of the roots (including multiplicity) of the cubic equation ax3 + bx2 + cx + d = 0 isx0 + x1 + x2 = − b
a .
Proof. Multiply out a(x− x0)(x− x1)(x− x2) = 0. . .
Applying this to our example, let x0, x1, x2 be the x co-ordinates of p, q, p ∗ q respectively. Then
x2 = −x0 − x1 −ba= −1− 3 + 2 = −2
In particular, one need only expand (∗) as far as the x2 term to be able to compute the third root!
We continue the example.
• The function f (x, y) = y2− x3− 7x2− x− 7 has gradient
∇ f =
(−3x2 − 14x− 12y
)At p = (1, 4) this is ∇ f (p) =
( −188
)which yields the
tangent line
−18(x− 1) + 8(y− 4) = 0 =⇒ y =14(9x + 7)
Substituting into the cubic, we obtain−12
−8
−4
4
8
12
−8 −4 4
pr
p ∗ p
2p
σ = 2r
8116
x2 + · · · = x3 + 7x2 + · · · =⇒ xp + xp + xp∗p =8116− 7 = −31
16
=⇒ xp∗p = −3116− 1− 1 = −63
16
Substituting into the equation for the tangent line, we obtain yp∗p = − 45564 Therefore
2p = (p ∗ p) ∗ σ =
(−63
16,
45564
)• Let r = (−7, 0). The tangent line at r is vertical: the third intersection of the tangent line with
the curve is at the ideal point, r ∗ r = σ. Moreover, the curve is tangent to the ideal line Z = 0 atthe ideal point, whence σ ∗ σ is the intersection of Z = 0 with C̃: clearly this is σ itself, whence
2r = σ ∗ σ = σ
Here are two further easy examples: check the computations yourself:
1. y2 = x3 − x + 1. If p = (1, 1), then 2p = (−1, 1), 3p = (0,−1), 4p = (3,−5), 5p = (5, 11),6p = ( 1
4 , 78 ).
2. Let y2 = x3 + 17. Let p = (−1, 4), q = (2, 5). Then p + q = (− 89 ,− 109
27 ) and 2p = ( 13764 ,− 2651
512 ).
12
Theorem 7.14. The points on an elliptic curve C̃ form an abelian group under + where the marked point σ isthe identity.
Proof (Sketch). Closure The algorithm on the previous page shows that p ∗ q and thus p + q alwaysexist.
Commutativity The roles of p, q are symmetric in the definition of p ∗ q, whence p + q = q + p.
Associativity Proving associativity requires a little more study of algebraic curves and is a lot ofwork.9 We’ll let the picture below suffice as an example.
Identity The point p + σ = (p ∗ σ) ∗ σ lies on the intersection of C̃ and the line ` joining p ∗ σ andσ. However, the points p, p ∗ σ and σ are the three intersections of ` and C̃, whence p + σ = p.This shows that σ is the identity element.
Inverse Finally, suppose C̃ is in canonical form. It should be clear that the inverse of −p is thereflection of p in the x-axis.10 Otherwise said, −p = p ∗ σ.
p
q
r
p ∗ q
p + qq ∗ r
q + r
(p + q) ∗ r = p ∗ (q + r)
p + q + r
9If you’re interested look up the Cayley–Bacharach Theorem. In fact the whole result can be extended to general cubiccurves: the set of non-singular points forms a group.
10More generally, there is exactly one element τ ∈ C̃ for which τ ∗ σ = σ: this is the third intersection of the tangent lineat σ with C̃. For any p ∈ C̃, we have p + (−p) = σ ⇐⇒ p ∗ (−p) = τ ⇐⇒ −p = p ∗ τ.
13
7.4 Rational Points on Elliptic Curves
A standard problem when given an elliptic curve is to find all the rational points lying on it. Theremay be very few, or infinitely many. For example:
1. Fermat’s curve x3 + y3 = 1 famously contains only two finite rational points p = (1, 0) andq = (0, 1). Together with the unique ideal point σ = [1,−1, 0], these form a group isomorphicto Z3: it is nice exercise to check that q = 2p and σ = 3p, etc.
2. The curve y2 = x3 + 17 can be shown to contain infinitely many rational points. Indeed thepoint p = (−1, 4) generates an infinite sequence of distinct rational points p, 2p, 3p, 4p, 5p, . . .
Our examples should suggest the following, which indeed follows immediately from Lemma 7.13and Theorem 7.14.
Corollary 7.15. If p, q are rational points on an elliptic curve, so also is p + q. Indeed the set of rational pointsC̃Q forms an abelian group under +.
For a curve y2 = g(x) = ax3 + bx2 + cx + d in canonical form we can be explicit. If p = (x0, y1) andq = (x1, y1) have rational co-ordinates, then the line joining them has equation
y = m(x− x0) + y0
where m is rational.11 Substituting into the equation for C, we obtain cubic in x:
ax3 + (b−m2)x2 + linear terms = 0
from which the rational co-ordinates of p + q can easily be found
x2 =m2 − b
a− x0 − x1, y2 = − (m(x2 − x0) + y0)
Formulæ such as these can easily be iterated by computer.
The first key result regarding C̃Q was proved in the 1920’s.
Theorem 7.16 (Mordell). C̃Q is finitely generated. Otherwise said;
• All rational points on an elliptic curve can be produced from a finite set of rational points using only theoperation +.
• C̃Q∼= T ×Zr where T (the torsion subgroup) is a finite abelian group and r ∈ N0 is the rank of
elliptic curve.
Note that being in the torsion subgroup means that a point has finite order: ∃m ∈N such that mp = σ.The proof of Mordell’s Theorem is too difficult for us; it relies on being able to measure the ‘size’ ofa rational point on C. Once this has been suitably defined, a descent argument can be performedshowing how rational points may be produced from those with smaller size.
As we’ll see below, computation of the torsion subgroup is often easy. Finding the rank of an ellipticcurve is very difficult and is the topic of much research. For example, it is conjectured that roughlyhalf of elliptic curves have rank zero, half have rank 1, and a relatively tiny number have rank ≥ 2.
11Indeed m =y1−y0x1−x0
when p 6= q and m =g′(x0)
2y0when p = q. This last is rational since the coefficients of g are rational!
We omit the discussion if the line through p, q is vertical, in which case p + q = σ is taken to be rational.
14
Example The curve x3 + y3 = 1 has C̃Q = {σ, (1, 0), (0, 1)}. It has rank zero and torsion T ∼= Z3.
Our next result how few possibilities there are for the torsion group.
Theorem 7.17 (Mazur 1977/8). Let C̃ be an elliptic curve containing a rational point of finite order k. Then1 ≤ k ≤ 10 or k = 12. Moreover, the torsion subgroup of CQ is isomorphic to one of the following:
• Zn where n ∈ {1, 2, . . . 10, 12}.• Z2 ×Z2n with 1 ≤ n ≤ 4.
It is often quite easy to find the torsion, at least for elliptic curves in canonical form.
Theorem 7.18 (Nagell–Lutz (1935/7)). Suppose P = (x, y) is a rational point of finite order on the ellipticcurve y2 = g(x) = x3 + ax2 + bx + c, where a, b, c ∈ Z. Then x, y ∈ Z and either y = 0 or y2 | ∆ where ∆is the discriminant (Definition 7.10).
Here is the process for finding the torsion.
• Compute ∆ and find all integers y = 0 or satisfying y2 | ∆.
• If there exists an integer x satisfying p = (x, y) ∈ C, keep the point and compute 2p, 3p, etc.
• If np = (x, y) ever has x, y 6∈ Z or y2 - ∆, stop: p does not have finite order.12
• If np = σ for some n, then p has finite order. By Mazur’s Theorem, n ≤ 8 so you don’t have tolook far.
Before giving the proof, here are several examples. We also state the rank of each curve.
Examples
1. The curve y2 = x3 + 1 has discriminant ∆ = −27. Since3 is the only prime dividing ∆, we see that for p = (x, y)a rational point of finite order, y = 0,±1,±3 are our onlyoptions. These all yield points on the curve:
p = (−1, 0), ±q = (0,±1), ±r = (2,±3)
With f (x, y) = y2 − x3 − 1, compute the tangent line at r:
∇ f (r) =(−12
6
)=⇒ −2(x− 2) + (y− 3) = 0
Substituting into the cubic yields
x3 − 4x2 + linear = 0 =⇒ xr + xr + xr∗r = 4
from which 2r = (0, 1) = q. It can be seen that p, q, r haveorders 2, 3 and 6 respectively. All the possible additionsshould be clear in the picture. Together with σ, the torsionis isomorphic to Z6 ∼= Z2 ×Z3.This example has rank zero: there are no other rationalpoints on the curve! Try checking this explicitly yourself. . .
−2
2
y
1 2x
p
q
−q
r
−r
12If p has finite order n, then np = σ. But then n(kp) = k(np) = kσ = σ, whence any element kp must also have finiteorder. . .
15
2. The curve y2 = x3 + 4 has discriminant ∆ = −27 · 42. Tofind all points (x, y) of finite order we need only considery = 0,±1,±2,±3,±4,±6,±12. The only integer pointswith such y are ±p = (0,±2). Now we check their or-der. With f (x, y) = y2 − x3 − 4, we find the tangent lineat p = (0, 2):
∇ f (p) =(
04
)=⇒ 4(y− 2) = 0
which is the horizontal line y = 2. Substituting in the equa-tion y2 = x3 + 4 yields x3 = 0, whence p ∗ p = p and2p = −p = (0,−2). Since p and 2p are vertically aligned,we have 3p = 2p + p = σ. Thus p and −p have order three:together with σ, the torsion is isomorphic to Z3.The rank is again zero, whence there are only three rationalpoints on the curve.
−1
1
y
−1 1x
p
−p
3. The converse to Nagell–Lutz is false: there could be points(x, y) on C with x, y ∈ Z and y2 | ∆, but where (x, y) hasinfinite order. Example 1 on page 12 provides such.
If y2 = x3 − x + 1 then ∆ = −23. To find all rational pointsof finite order it suffices to check the points where y = ±1.Taking p = (1, 1) we obtain, 2p = (−1, 1), 3p = (0,−1),4p = (3,−5). Since (−5)2 - ∆, we see that 4p does not havefinite order, and so neither does p.
Repeating the exercise with (1,−1) simply switches the signof all y co-ordinates. The curve is therefore torsion-free: T ={σ} is trivial.
It is much harder to show that the rank of this curve is 1:indeed p = (1, 1) is a generator, whence µ : Z→ C̃Q : m 7→mp is an isomorphism.
−2
−4
4
2
y
−2 2x
p2p
3p
4p
−p−2p
−3p
−4p
4. The curve y2 = x3 + 17 is torsion-free and has rank two: p = (−2, 3) and q = (−1, 4) aregenerators, whence µ : Z2 → C̃Q : (m, n) 7→ mp+ nq is an isomorphism. Check the claim aboutbeing torsion-free yourself.
5. Consider the elliptic curve y2 = 12 x3 + 1
4 . To apply Nagell–Lutz we first have to put this in thecorrect form. Multiplying by 16, we obtain
16y2 = 8x3 + 4 =⇒ (4y)2 = (2x)3 + 4 =⇒ v2 = u3 + 4
where (u, v) = (2x, 4y). Clearly the rational points on the two curves correspond. Moreover,the transformation is linear, so straight lines map to straight lines and nothing about the groupoperation is altered. It follows that the curve has rank zero and that the torsion is simply thetranslation of that of y2 = x3 + 4, namely
T = {σ, (0, 12 ), (0,− 1
2 )}
16
Alternative versions of Nagell–Lutz are available for elliptic curves in other standard forms. If youwant to see more examples of specific elliptic curves and play with examples, you can find thousandson the website http://www.lmfdb.org/EllipticCurve/Q/ with explanations of terminology13 Forinstance, try typing [0, 0, 0,−1, 1] or [0, 0, 0, 0, 17] into the search box. . .
Sketch Proof of Nagell–Lutz. 1. The difficult part is showing that any rational point of finite orderis an integer point. This is somewhat involved. Once the difficult part is out of the way. . .
2. Suppose that p = (x, y) is a point on C. It is easy to check that 2p has x co-ordinate
x4 − 2bx2 − 8cx + b2 − 4ac4(x3 + ax2 + bx + c)
=:h(x)
4g(x)=
h(x)4y2
This involves no more than computing the tangent line and the sum of the roots of a cubic.
3. We can find polynomials G(x), H(x) ∈ Z[x] for which
∆ = G(x)g(x) + H(x)h(x)
Indeed G(x) = 3x3 − ax2 − 5bx + 2ab− 27c and H(x) = −3x2 − 2ax + a2 − 4b are such.
4. If y 6= 0 and p has finite order, then 2p also has finite order whence both have integer co-ordinates. It follows from part 2 that
4y2 | h(x) =⇒ y2 | h(x)
Since y2 = g(x), part 3 says that y2 | ∆.
7.5 Algebraic Curves Modulo p
Compared to finding integer points on an algebraic curve over Q,finding points on a curve modulo p is relatively easy. The firstdifficulty with is really what is meant by a curve.
As a simple example, we consider the ‘curve’ 2x + 3y ≡ 1mod 11. This can be plotted relatively easily: the red dashed lineindicates that the left and right edges of the picture are identified(since x = 11 ≡ 0 mod 11), similarly with the blue dashed line.The ‘curve’ is really just a collection of points: 11 points to be pre-cise. In fact this is a theorem.
0
2
4
6
8
10y
0 2 4 6 8 10x
Theorem 7.19. Let p be prime and consider the linear algebraic curve ax + by ≡ c mod p. Supposing thatthe line is non-degenerate (a, b not both zero modulo p), then the line contains exactly p points.14
13For technical reasons involving the primes 2 and 3, their canonical forms are sometimes a little different to ours, andtheir discriminant is ours multiplied by 16.
14If a ≡ b ≡ 0 mod p, then the line does not really exist for it has equation 0 ≡ c mod p. This either has no solutions(if c 6≡ 0) or p2 solutions (if c ≡ 0). It is also essential that the modulus be prime: for instance 2x + 4y ≡ 2 mod 10 has 20solutions, while 2x + 4y ≡ 1 mod 10 has none.
17
Proof. If b 6≡ 0 mod p, then gcd(b, p) = 1 whence b has an inverse modulo p. But then
y ≡ b−1(c− ax) mod p
Thus for every x ∈ Zp there is exactly one y ∈ Zp such that (x, y) lies on the line.If b ≡ 0 mod p, then, by assumption a 6≡ 0. Then x ≡ a−1c and y can be anything. We obtain a‘vertical’ line of p points.
Quadratic Curves Something similar holds, though things are not as clear-cut. For example, ify ≡ x2 + 7x− 3 mod p, then every x yields precisely one y; again there are exactly p solution pairs.
What about another quadratic curve: y2 − 5x2 ≡ 1 mod p. Here are the solutions for the first fewprimes: we use the notation Np for the number of solutions, and ap = p− Np for the defect.
p Solutions (x, y) Np ap2 (1, 0), (0, 1) 2 03 (0, 1), (0, 2), (1, 0), (2, 0) 4 −15 (x, 1), (x, 4), ∀x 10 −57 (±2, 0), (0,±1), (3,±2), (4,±2) 8 −111 10 113 14 −117 18 −119 18 123 24 −129 28 131 30 137 38 −141 40 1997 998 −1
0
10
20
30
40y
0 10 20 30 40x
Points on y2 − 5x2 ≡ 1 mod 41There seems to be a pattern, once we get past p = 5. . .
Theorem 7.20. If p 6= 2, 5 is prime, then the curve y2 − 5x2 ≡ 1 modulo p has Np points, where
Np =
{p− 1 if p ≡ ±1 mod 5p + 1 if p ≡ ±2 mod 5
(equivalently ap =
{1 if p ≡ ±1 mod 5−1 if p ≡ ±2 mod 5
)The approach is very similar to how you’ve previously found rational points on quadratics: startwith a base point and draw lines with ‘rational’ gradient. . .
Proof. Assume p 6= 2, 5. The point (0, 1) always lies on the curve; we take this as a base point. Let(a, b) be another point on the curve. The ‘line’ joining these points has equation
a(y− 1) ≡ (b− 1)x mod p
If a 6≡ 0, this becomes
y ≡ a−1(b− 1)x + 1 ≡ mx + 1 mod p, where m ∈ Zp
If a ≡ 0, then we obtain a ‘vertical’ line whose other intersection with the curve is at the point(0, p− 1). Including (1, 0) we therefore have at most p + 2 points on the curve.
18
Now reverse the argument. Intersect the ‘line’ y ≡ mx + 1 with the curve. We obtain
0 ≡ (m2 − 5)x2 + 2mx + 1− 1 ≡ x[(m2 − 5)x + 2m
]mod p
Clearly x ≡ 0 corresponds to the base point (0, 1). The other solution yields a new point on thecurve:15
(x, y) ≡(
2m5−m2 ,
5 + m2
5−m2
)mod p
Thus every m ∈ Zp gives a valid new point on the curve except in two cases:
• m = 0 ⇐⇒ (x, y) ≡ (0, 1). The line can be interpreted as being tangent16 to the curve at (0, 1).This reduces our count to p + 1 points.
• If m2 ≡ 5 mod p, then we cannot find (5− m2)−1 and so cannot compute a new point. Thisequation has a solution (indeed two solutions ±m) if and only if 5 is a quadratic residue modulop. By quadratic reciprocity(
5p
)=( p
5
)=
{1 if p ≡ ±1 mod 5−1 if p ≡ ±2 mod 5
If 5 is a quadratic residue modulo p, we have two fewer points, reducing our count to p− 1.
Bad primes: What goes wrong with p = 2 and p = 5? The rough idea of the proof was that pointson a curve modulo p correspond to lines with gradient m ∈ Zp through a given point. This analysisfails if the curve is singular17 modulo p: for instance,
y2 − 5x2 ≡ 1 mod 2 =⇒ (x + y + 1)2 ≡ 0 mod 2
y2 − 5x2 ≡ 1 mod 5 =⇒ (y + 1)(y− 1) ≡ 0 mod 5
In both cases the reduced curve factorizes into ‘lines’ in Zp ×Zp. When p = 2, the reduced curveis merely a single straight line. When p = 5, the reduced curve is a pair of distinct lines: the linethrough (0, 1) with gradient m = 0 intersects the curve in five points!
15We write 2m5−m2 for 2m(5−m2)−1 modulo p, etc.
16Indeed if f (x, y) = y2 − 5x2 − 1, then we can find the ‘tangent line’ via the usual method:
∇ f |(0,1) =
(02
)=⇒ 2(y− 1) ≡ 0 mod p
17To detect this using the standard notion of singularity, we need to work in projective space. Homogenizing the hyper-bola, we obtain F(X, Y, Z) = Y2 − 5X2 − Z2, which has gradient
∇F =
−10X2Y−2Z
This is zero modulo p in precisely two situations (recall we need at least one of X, Y, Z to be non-zero for a legitimateprojective point!):
• If p = 2, then all points on the curve are singular.• If p = 5, then the ideal point [1, 0, 0] is a singular point on the curve!
The same sort of thing can be seen to happen for essentially any quadratic curve: modulo ‘good’ primes p, there willalways be p + 1 points (including ideal points) on the curve.
19
Elliptic curves and reductions modulo p
We can play the same game with elliptic curves: we’ll do this just for elliptic curves in monic canoni-cal form y2 = g(x) = x3 + ax2 + bx + c.
Definition 7.21. A prime p is a prime of bad reduction if y2 ≡ g(x) is singular modulo p. We take thisto mean that the curve contains at least one point Q = (x0, y0) ∈ Zp ×Zp where
∇ f (Q) =
(−g′(x0)2y0
)≡(
00
)mod p
Otherwise said, a prime p is a good prime for an elliptic curve C over Q if C is also an elliptic curveover the finite field18 Zp.
Theorem 7.22. For an elliptic curve in monic canonical form y2 = g(x), we have that p is a bad prime if andonly if p = 2 or p | ∆.
Proof (sketch). Suppose y2 = x3 + ax + b is in Weierstrass form. Writing f (x, y) = y2 − g(x) as usual,we have ∇ f as above. If p = 2, then Q is singular if and only if g′(x0) ≡ −3x2
0 − a ≡ x20 − a ≡ 0
mod 2. It is easy to check that the point Q = (a, g(a)) is a singular point on the curve.
For the rest of the proof assume p ≥ 3 is prime. It can easily be checked that19
∆ = −4a3 − 27b2 = (18ax− 27b)g(x) + (−18ax2 + 9bx− 4a2)g′(x) (∗)If Q = (x0, y0) is such that∇ f (Q) ≡ 0 mod p, then we we instantly have p | g′(x0) and p | 2y0 =⇒p | y0. But then p | g(x0), whence (∗) tells us that p | ∆.
Conversely, we can also easily check that
4a3g(x) = (2ax + 3b)2(ax− 3b)− ∆(ax + b)
If p | ∆ and p - a, then g(x) ≡ (4a3)−1(2ax + 3b)2(ax− 3b) mod p. But then g(x) ≡ 0 has a repeatedroot x0 ≡ −(2a)−1(3b) whence g′(x0) ≡ 0 also. It follows that the point (x0, 0) is singular modulo p.
If p | ∆ and p | a, then g(x) ≡ x3 + b with ∆ ≡ −27b3. It follows that p = 3 or p | b. Indeed we seethat
∇ f ≡(−3x2
2y
)mod p
If p = 3, then the point (−b, 0) is a singular point on the curve. If p > 3 and p | b, then the point(0, 0) is singular.
A proof for elliptic curves not in Weierstrass form is a bit messier: the main difference is that thepolynomial expressions for ∆ and 4a3g(x) are uglier. . .
Just as with conics, the entire discussion regarding joining points on a curve modulo p works per-fectly. The group structure is also preserved, provided we stay away from bad primes. Just as withconics, we can ask about the number of points Np on an elliptic curve modulo p, and its defectap = p− Np. There are many patterns here, though they are typically much more complicated thanthose for conics.
18I.e. C modulo p is non-singular and has at least one point in projective PZp: the ideal point σ = [0, 1, 0] will do the job!19This follows from the Euclidean algorithm in the ring Z[x].
20
Example 1
Consider the curve
y2 = x3 + 1 = (x + 1)(x2 − x + 1)
modulo p. This has discriminant
∆ = −27 · 13 = −27
whence the only bad primes are p = 2 and 3. By the above discussions, the point (1, 0) is a singularpoint modulo 2, while we can factorize
y2 ≡ (x + 1)3 mod 3
yielding the singular point (1, 0). Here are the numbers of points on the curve modulo p and theirdefects for several small primes:
p Solutions (x, y) Np ap2 (0, 1), (1, 0) 2 03 (0,±1), (2, 0) 3 05 (0,±1), (2,±2), (4, 0) 5 07 11 −411 11 013 11 217 17 019 27 823 23 029 0 031 35 −437 47 −1041 41 0
0
10
20
30
40y
0 10 20 30 40x
Points on y2 ≡ x3 + 1 mod 41
Perhaps the most obvious pattern in these data is that ap = 0 unless p ≡ 1 modulo 6. Proving this istricky although it is related to the following amazing fact: if we define the expression
q∞
∏n=1
(1− q6n)4 = q− 4q7 + 2q13 + 8q19 − 5q25 − 4q31 − 10q37 + · · ·
we see that the defect ap is precisely the pth coefficient of this series.
The fact that any pattern exists at all in the list of defects is somewhat amazing. If you have currentlyhave any inkling why, or why such a bizarre power series expression should have anything to dowith the original elliptic curve, then your mathematical intuition must be of genius calibre!
21
Example 2
The curve
y2 = x3 − x = x(x− 1)(x + 1)
modulo p. This has discriminant
∆ = −4(−1)3 = 4
whence the only bad prime is p = 2. Indeed (1, 0) is a singular point modulo 2. Here are the numbersof points on the curve modulo p and their defects for several small primes:
p Solutions (x, y) Np ap2 (0, 0), (1, 0) 2 03 (0, 0), (1, 0), (2, 0) 3 05 (0, 0), (±1, 0), (2,±2), (3,±2) 7 −27 (0, 0), (±1, 0), (4,±2), (5,±1) 7 011 11 013 7 617 15 219 19 023 23 029 39 −1031 31 037 39 −241 31 10
0
10
20
30
40y
0 10 20 30 40x
Points on y2 ≡ x3 − x mod 41
This time it appears that ap = 0 unless p ≡ 1 modulo 4. We can again find a series which encodes thep-defects as its prime coefficients.
q∞
∏n=1
(1− q4n)2(1− q8n)2 = q− 2q5 − 3q9 + 6q13 + 2q17 − q25 − 10q29 − 2q37 + 10q41 + · · ·
One can play this game for any elliptic curve, although finding such a compact way of writing theseries as an infinite product is not always possible. Since the elliptic curve determines only the primecoefficients ap, we need a general method for constructing the entire series: here it is. . .
22
The Modularity Theorem
1. For an elliptic curve in ‘minimal Weierstrass form’20 compute the discriminant ∆ and the p-defects ap for each prime.
2. Whenever n is not prime, define the rest of the sequence an by:a1 = 1 if n = 1apk = (ap)k if p is a prime dividing ∆apk+1 = apak
p − papk−1 if p is a prime and p - ∆amn = aman if gcd(m, n) = 1
3. Define a Fourier series over the complex numbers
f (z) =∞
∑n=1
anqn where q = e2πiz
The Modularity Theorem states that this series is a modular form, meaning that it transforms in aspecial way under the action of a particular subgroup of the modular group. Specifically: thereexists a positive integer N | ∆ such that for all complex numbers z = x + iy with y > 0, and for alla, b, c, d ∈ Z such that ad− bc = 1 and N | c we have
f(
az + bcz + d
)= (cz + d)2 f (z)
This is equivalent to the condition given in the introduction and is what Andrew Wiles proved for allsemistable elliptic curves (curves whose reductions modulo bad primes only have double points andnot cusps), which in turn was enough to establish Fermat’s Theorem.
20Every elliptic curve over Q is ‘birationally equivalent’ to some curve of the form y2 + αxy + βy = x3 + γx2 + δx + εfor which a suitably defined discriminant is minimal. Every elliptic curve of the form y2 = x3 + ax2 + bx + c consideredin these notes is already minimal. The correct discriminant for these curves is 16 times ours, thus forcing 2 | ∆ for anycanonical form elliptic curve.
23
Application: Elliptic Curve Cryptography
Alice wishes to send a secret message to Bob. They start by agreeing on an elliptic curve C, a primeq and a point P on the curve. The prime should be ‘good’ for C so that the curve is still non-singularmodulo q. In practice this is public information: software implementing the algorithm will oftenselect a suitable curve from a publically available database such as that maintained by NIST.21
1. Bob chooses an integer b and computes the point B = bP modulo q. Bob keeps b secret.
2. Bob sends the integer B to Alice (B is public).
3. Alice selects a message to encode, say a point M ∈ C, and a random integer k. She computes
A1 = kP A2 = M + kB
and sends these points to Bob.
4. Bob computes
A2 − bA1 = M + kB− bkP = M + k(B− bP) = M
to recover the message M.
This is the ElGamal cryptosystem. The security of a cryptosystem is generally based on the fact thattwo calculations/processes have very different levels of difficulty: in this case,
• It is relatively quick to compute addition on elliptic curves: thus the encoded message A1 = kP,etc., can be computed easily and quickly by a computer.
• It is very hard, given the points P and B, to efficiently compute Bob’s secret key b, withoutwhich the message cannot be decoded.
The second problem is known as the elliptic curve discrete logarithm problem, and is believed to beharder to solve (in terms of computing time) than the standard discrete logarithm problem.22 Thisfact allows one to obtain a similar level of security using key sizes which are significantly smallerthan those used for RSA, with an appreciable increase in computing speed.
21For instance, see page 89 of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf22The ‘standard’ DLP is: given P, B ∈ Zq satisfying B ≡ Pb, compute b.
24