The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) MAA Invited Address Baltimore – January 18, 2003

Post on 20-Dec-2015


Elliptic Curves: Geometry, Algebra, Analysis and Beyond…

• An elliptic curve is a curve that’s also naturally a group.

• The group law on an elliptic curve can be described:

  • Geometrically using intersection theory
  • Algebraically using polynomial equations
  • Analytically using complex analytic functions

• Elliptic curves appear in many diverse areas of mathematics, ranging from number theory to complex analysis, and from cryptography to mathematical physics.

What is an Elliptic Curve?

The Equation of an Elliptic Curve

An Elliptic Curve is a curve given by an equation

$E : y^2 = f(x)$ for a cubic or quartic polynomial $f(x)$

We also require that the polynomial f(x) has no double roots. This ensures that the curve is nonsingular.

After a change of variables, the equation takes the simpler form

$E : y^2 = x^3 + Ax + B$

Finally, for reasons to be explained shortly, we toss in an extra point O “at infinity,” so E is really the set

$E = \{ (x,y) : y^2 = x^3 + Ax + B \} \cup \{ O \}$

A Typical Elliptic Curve E

$E : Y^2 = X^3 - 5X + 8$

Surprising Fact: We can use geometry to make the points of an elliptic curve into a group.

The Group Law on an Elliptic Curve

Adding Points P + Q on E

[Figure: the curve E with the points P, Q, R and P+Q marked]

Doubling a Point P on E

[Figure: the tangent line to E at P, with the points P, R and 2*P marked]

Vertical Lines and an Extra Point at Infinity

Vertical lines have no third intersection point.

Add an extra point O “at infinity.” The point O lies on every vertical line.

[Figure: a vertical line through P and Q = –P, with the point O marked]

Properties of “Addition” on E

Theorem: The addition law on E has the following properties:

a) $P + O = O + P = P$ for all $P \in E$.

b) $P + (-P) = O$ for all $P \in E$.

c) $(P + Q) + R = P + (Q + R)$ for all $P, Q, R \in E$.

d) $P + Q = Q + P$ for all $P, Q \in E$.

In other words, the addition law + makes the points of E into a commutative group.

All of the group properties are trivial to check except for the associative law (c). The associative law can be verified by a lengthy computation using explicit formulas, or by using more advanced algebraic or analytic methods.

Algebraic Formulas for Addition on E

Suppose that we want to add the points

$P_1 = (x_1,y_1)$ and $P_2 = (x_2,y_2)$

on the elliptic curve

$E : y^2 = x^3 + Ax + B$.

Let

$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P_1 \ne P_2, \\[1ex] \dfrac{3x_1^2 + A}{2y_1} & \text{if } P_1 = P_2. \end{cases}$$

Then

$$P_1 + P_2 = \left(\lambda^2 - x_1 - x_2,\ -\lambda^3 + 2\lambda x_1 + \lambda x_2 - y_1\right).$$

Quite a mess!!!!! But…

Crucial Observation: If A and B are in a field K and if $P_1$ and $P_2$ have coordinates in K, then $P_1 + P_2$ and $2P_1$ have coordinates in K.

The Group of Points on E with Coordinates in a Field K

The elementary observation on the previous slide leads to an important result:

Theorem (Poincaré, 1900): Let K be a field and suppose that an elliptic curve E is given by an equation of the form

$y^2 = x^3 + Ax + B$ with $A, B \in K$.

Let E(K) be the set of points of E with coordinates in K,

$E(K) = \{ (x,y) \in E : x, y \in K \} \cup \{ O \}$.

Then E(K) is a subgroup of E.

Elliptic Curves and Complex Analysis

Or…How the Elliptic Curve Acquired Its Unfortunate Moniker

The Arc Length of an Ellipse

The arc length of a (semi)circle $x^2 + y^2 = a^2$ is given by the familiar integral

$$\int_{-a}^{a} \frac{a\,dx}{\sqrt{a^2 - x^2}}$$

The arc length of a (semi)ellipse $x^2/a^2 + y^2/b^2 = 1$ is more complicated

$$\int_{-a}^{a} \sqrt{\frac{a^2 - (1 - b^2/a^2)\,x^2}{a^2 - x^2}}\;dx$$

[Figures: a semicircle over the interval from -a to a; a semi-ellipse over the interval from -a to a with height b]

Let $k^2 = 1 - b^2/a^2$ and change variables $x \to ax$. Then the arc length of an ellipse is

$$\text{Arc Length} = a\int_{-1}^{1} \sqrt{\frac{1 - k^2x^2}{1 - x^2}}\;dx = a\int_{-1}^{1} \frac{1 - k^2x^2}{\sqrt{(1 - x^2)(1 - k^2x^2)}}\;dx = a\int_{-1}^{1} \frac{1 - k^2x^2}{y}\;dx$$

with $y^2 = (1 - x^2)(1 - k^2x^2)$ = quartic in x.

An Elliptic Curve!

An elliptic integral is an integral $\int R(x,y)\,dx$, where R(x,y) is a rational function of the coordinates (x,y) on an “elliptic curve”

$E : y^2 = f(x)$ = cubic or quartic in x.

Elliptic Integrals and Elliptic Functions

The circular integral $\int_0^w \frac{dx}{\sqrt{1 - x^2}}$ is equal to $\sin^{-1}(w)$.

Its inverse function w = sin(z) is periodic with period $2\pi$.

The elliptic integral $\int^{w} \frac{dx}{\sqrt{x^3 + Ax + B}}$ has an inverse $w = \wp(z)$ with two independent complex periods $\omega_1$ and $\omega_2$.

$\wp(z + \omega_1) = \wp(z + \omega_2) = \wp(z)$ for all $z \in C$.

Doubly periodic functions are called elliptic functions.

Elliptic Functions and Elliptic Curves

The $\wp$-function and its derivative satisfy an algebraic relation

$$\wp'(z)^2 = \wp(z)^3 + A\,\wp(z) + B$$

This equation looks familiar

The double periodicity of $\wp(z)$ means that it is a function on the quotient space C/L, where L is the lattice

$L = \{ n_1\omega_1 + n_2\omega_2 : n_1, n_2 \in Z \}$.

[Figure: the lattice L with the points $\omega_1$, $\omega_2$ and $\omega_1 + \omega_2$ marked]

$\wp(z)$ and $\wp'(z)$ are functions on a fundamental parallelogram

The Complex Points on an Elliptic Curve

The $\wp$-function gives a complex analytic isomorphism

$$C/L \to E(C), \qquad z \mapsto (\wp(z), \wp'(z))$$

Thus the points of E with coordinates in the complex numbers C form a torus, that is, the surface of a donut.

[Figure: E(C) = parallelogram with opposite sides identified = a torus]

Elliptic Curves and Number Theory

Rational Points on Elliptic Curves

E(Q) : The Group of Rational Points

A fundamental and ancient problem in number theory is that of solving polynomial equations using integers or rational numbers.

The description of E(Q) is a landmark in the modern study of Diophantine equations.

Theorem (Mordell, 1922): Let E be an elliptic curve given by an equation

$E : y^2 = x^3 + Ax + B$ with $A, B \in Q$.

There is a finite set of points $P_1, P_2, \dots, P_r$ so that every point P in E(Q) can be obtained as a sum

$P = n_1P_1 + n_2P_2 + \dots + n_rP_r$ with $n_1, \dots, n_r \in Z$.

In other words, E(Q) is a finitely generated group.

E(Q) : The Group of Rational Points

The elements of finite order in the group E(Q) are quite well understood.


Theorem (Mazur, 1977): The group E(Q) contains at most 16 points of finite order.

Conjecture: The number of points needed to generate E(Q) may be arbitrarily large.

The minimal number of points needed to generate the group E(Q) is much more mysterious!

Current World Record: There is an elliptic curve with

Number of generators for E(Q) 23.

$E(F_p)$ : The Group of Points Modulo p

Number theorists also like to solve polynomial equations modulo p.

This is much easier than finding solutions in Q, since there are only finitely many solutions in the finite field $F_p$!

One expects $E(F_p)$ to have approximately p+1 points.

A famous theorem of Hasse (later vastly generalized by Weil and Deligne) quantifies this expectation.

Theorem (Hasse, 1922): An elliptic curve equation

$E : y^2 \equiv x^3 + Ax + B \pmod{p}$

has $p + 1 + \varepsilon$ solutions (x,y) mod p, where the error $\varepsilon$ satisfies

$|\varepsilon| \le 2\sqrt{p}$.

Elliptic Curves and Cryptography

The (Elliptic Curve) Discrete Log Problem

Let A be a group and let P and Q be known elements of A.

The Discrete Logarithm Problem (DLP) is to find an integer m satisfying

Q = P + P + … + P (m summands) = mP.

• There are many cryptographic constructions based on the difficulty of solving the DLP in various finite groups.

• The first group used for this purpose (Diffie-Hellman 1976) was the multiplicative group $F_p^*$ in a finite field.

• Koblitz and Miller (1985) independently suggested using the group $E(F_p)$ of points modulo p on an elliptic curve.

• At this time, the best algorithms for solving the elliptic curve discrete logarithm problem (ECDLP) are much less efficient than the algorithms for solving DLP in $F_p^*$ or for factoring large integers.

Elliptic Curve Diffie-Hellman Key Exchange

Public Knowledge: A group $E(F_p)$ and a point P of order n.

BOB                              ALICE
Choose secret 0 < b < n          Choose secret 0 < a < n
Compute Q_Bob = bP               Compute Q_Alice = aP
Send Q_Bob to Alice              Send Q_Alice to Bob
Compute bQ_Alice                 Compute aQ_Bob

Bob and Alice have the shared value bQ_Alice = abP = aQ_Bob

Presumably(?) recovering abP from aP and bP requires solving the elliptic curve discrete logarithm problem.
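Added example (not part of the talk): the chord-and-tangent addition law and the key exchange above, run on the page's curve y^2 = x^3 - 5x + 8 reduced modulo an assumed toy prime p = 37 with the assumed base point P = (1, 2). The function names and the on-curve check on received points are choices made for this example; the brute-force point count is there so the result can be compared with Hasse's theorem.

```python
import secrets

p, A, B = 37, -5, 8   # toy prime (constructed); A, B from the page's typical curve
O = None              # the extra point "at infinity"
P = (1, 2)            # base point (assumed): 2^2 = 1 - 5 + 8

def on_curve(Q):
    return Q is O or (Q[1] ** 2 - (Q[0] ** 3 + A * Q[0] + B)) % p == 0

def add(P1, P2):
    """Chord-and-tangent addition with all arithmetic done mod p."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                   # vertical line: P2 = -P1
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p)   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p)        # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(m, Q):
    """mQ = Q + ... + Q (m summands), computed by double-and-add."""
    R = O
    while m:
        if m & 1:
            R = add(R, Q)
        Q, m = add(Q, Q), m >> 1
    return R

def order(Q):
    """Smallest n > 0 with nQ = O (brute force, feasible only for toy p)."""
    n, R = 1, Q
    while R is not O:
        R, n = add(R, Q), n + 1
    return n

def count_points():
    """Number of points of E(F_p), including O, by trying every (x, y)."""
    return 1 + sum(on_curve((x, y)) for x in range(p) for y in range(p))

def ecdh():
    n = order(P)
    a, b = (secrets.randbelow(n - 1) + 1 for _ in range(2))   # 0 < a, b < n
    q_alice, q_bob = mul(a, P), mul(b, P)
    # each side checks that the received point lies on E before using it
    assert on_curve(q_alice) and on_curve(q_bob)
    return mul(b, q_alice), mul(a, q_bob)   # Bob's value, Alice's value
```

A 37-element field only illustrates the arithmetic: at this size the secret can be found by trying every multiple of P, which is why deployed systems use standardized curves over primes of roughly 256 bits.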

Elliptic Curves and Classical Physics

The Elliptic Curve and the Pendulum

In freshman physics, one assumes that $\theta$ is small and derives the formula

$$\frac{d^2\theta}{dt^2} = -k^2\theta$$

This leads to a simple harmonic motion for the pendulum.

But this formula is only a rough approximation. The actual differential equation for the pendulum is

$$\frac{d^2\theta}{dt^2} = -k^2\sin(\theta)$$

How to Solve the Pendulum Equation

$$\frac{d^2\theta}{dt^2} = -k^2\sin(\theta)$$

$$\frac{d^2\theta}{dt^2}\,d\theta = -k^2\sin(\theta)\,d\theta$$

$$\frac{1}{2}\,d\!\left(\frac{d\theta}{dt}\right)^{2} = -k^2\sin(\theta)\,d\theta$$

$$\frac{1}{2}\left(\frac{d\theta}{dt}\right)^{2} = k^2\cos(\theta) \quad (\text{taking } C = 0)$$

$$\frac{d\theta}{\sqrt{\cos(\theta)}} = \sqrt{2}\,k\,dt$$

Now substitute $x = \tan(\theta/2)$.

$$\frac{d\theta}{\sqrt{\cos(\theta)}} = \frac{2\,dx}{\sqrt{1 - x^4}} = \frac{2\,dx}{y} \quad \text{with } y^2 = 1 - x^4.$$

An Elliptic Integral!!!

An Elliptic Curve!!!

Conclusion: $\tan(\theta/2)$ = Elliptic Function of t

Elliptic Curves and Topology

Cobordism and Genus

An important object in topology is the (complex oriented) cobordism ring $\Omega$.

For our purposes, it is enough to know that $\Omega$ is a polynomial ring in infinitely many variables:

$\Omega = C[T_2, T_4, T_6, T_8, \dots]$.

($T_{2n}$ is the cobordism class of projective space $CP^n$.)

A (complex) genus is a ring homomorphism

$\varphi : \Omega \to C$.

The genus $\varphi$ is characterized by its logarithm

$$\log_\varphi(x) = x + \frac{\varphi(T_2)}{3}x^3 + \frac{\varphi(T_4)}{5}x^5 + \frac{\varphi(T_6)}{7}x^7 + \dots \in C[[x]]$$

What Makes a Genus Elliptic?

A genus $\varphi$ is a ring homomorphism, so it satisfies

$\varphi(U \times V) = \varphi(U)\,\varphi(V)$.

Here U and V are (cobordism classes) of complex manifolds.

It is interesting to impose a stronger multiplicative property:

Let $W \to V$ be a fiber bundle with fiber U, i.e., W is a twisted product of U and V. Then we still require that

$\varphi(W) = \varphi(U)\,\varphi(V)$.

Ochanine proved that the logarithm of $\varphi$ is an elliptic integral!

$$\log_\varphi(x) = \int \frac{dx}{\sqrt{1 - 2ax^2 + bx^4}} = \int \frac{dx}{y}$$

A genus whose logarithm is an elliptic integral is called an Elliptic Genus.

Elliptic Curves and Modern Physics

Elliptic Curves and String Theory

In string theory, the notion of a point-like particle is replaced by a curve-like string.

As a string moves through space-time, it traces out a surface.

For example, a single string that moves around and returns to its starting position will trace a torus.

So the path traced by a string looks like an elliptic curve!

In quantum theory, physicists like to compute averages over all possible paths, so when using strings, they need to compute integrals over the space of all elliptic curves.

Elliptic Curves and Number Theory

Fermat’s Last Theorem

Fermat’s Last Theorem and Fermat Curves

Fermat’s Last Theorem says that if n > 2, then the equation

$a^n + b^n = c^n$

has no solutions in nonzero integers a,b,c.

It is enough to prove the case that n = 4 (already done by Fermat himself) and the case that n = p is an odd prime.

If we let x = a/c and y = b/c, then solutions to Fermat’s equation give rational points on the Fermat curve

$x^p + y^p = 1$.

But Fermat’s curve is not an elliptic curve. So how can elliptic curves be used to study Fermat’s problem?

Elliptic Curves and Fermat’s Last Theorem

Gerhard Frey (and others) suggested using a hypothetical solution (a,b,c) of Fermat’s equation to “manufacture” an elliptic curve

$E_{a,b,c} : y^2 = x\,(x - a^p)\,(x + b^p)$.

Frey suggested that $E_{a,b,c}$ would be such a strange curve, it shouldn’t exist at all. More precisely, Frey doubted that $E_{a,b,c}$ could be modular.

Ribet verified Frey’s intuition by proving that $E_{a,b,c}$ is indeed not modular.

Wiles completed the proof of Fermat’s Last Theorem by showing that (most) elliptic curves, in particular elliptic curves like $E_{a,b,c}$, are modular.

Elliptic Curves and Fermat’s Last Theorem

To Summarize:

Suppose that $a^p + b^p = c^p$ with $abc \ne 0$.

$E_{a,b,c} : y^2 = x\,(x - a^p)\,(x + b^p)$

Ribet proved that $E_{a,b,c}$ is not modular.

Wiles proved that $E_{a,b,c}$ is modular.

Conclusion: The equation $a^p + b^p = c^p$ has no solutions.

But what does it mean for an elliptic curve E to be modular?

Elliptic Curves and Modularity

E is modular if it is parameterized by modular forms!

There are many equivalent definitions, none of them particularly intuitive. Here’s one:

A modular form is a function $f(\tau)$ with the property

$$f\!\left(\frac{a\tau + b}{c\tau + d}\right) = (c\tau + d)^2 f(\tau) \quad \text{for all matrices } \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(Z) \text{ satisfying } c \equiv 0 \pmod{N}.$$

The variable $\tau$ represents the elliptic curve E whose lattice is $L = \{ n_1 + n_2\tau : n_1, n_2 \in Z \}$.

So just as in string theory, the space of all elliptic curves makes an unexpected appearance.

Conclusion
