The Ubiquity of Elliptic Curves

1
The Ubiquity of Elliptic Curves

• Joseph Silverman (Brown University)
• MAA Invited Address Expanded Version
• Baltimore January 18, 2003

2
Contents

• Introduction
• Geometry, Algebra, Analysis, and Beyond
• The Group Law on an Elliptic Curve
• Elliptic Curves and Complex Analysis
• Elliptic Curves and Number Theory (I)
• Elliptic Curves and Cryptography
• Elliptic Curves and Classical Physics
• Elliptic Curves and Topology
• Elliptic Curves and Modern Physics
• Elliptic Curves and Number Theory (II)
• References and Texts

- 2 -
3
Elliptic CurvesGeometry, Algebra, Analysis and
Beyond
4
What is an Elliptic Curve?

• An elliptic curve is a curve thats also
  naturally a group.
• The group law on an elliptic curve can be
  described
• Geometrically using intersection theory
• Algebraically using polynomial equations
• Analytically using complex analytic functions
• Elliptic curves appear in many diverse areas of
  mathematics, ranging from number theory to
  complex analysis, and from cryptography to
  mathematical physics.

- 4 -
5
The Equation of an Elliptic Curve
We also require that the polynomial f(x) has no
double roots. This ensures that the curve is
nonsingular.
- 5 -
6
A Typical Elliptic Curve E
E Y2 X3 5X 8
Surprising Fact We can use geometry to make the
points of an elliptic curve into a group.
- 6 -
7
The Group Law on anElliptic Curve
8
Adding Points P Q on E
- 8 -
9
Doubling a Point P on E
- 9 -
10
Vertical Lines and an Extra Point at Infinity
Add an extra point O at infinity. The point O
lies on every vertical line.
- 10 -
11
Properties of Addition on E

• Theorem The addition law on E has the following
  properties
• P O O P P for all P ? E.
• P (P) O for all P ? E.
• (P Q) R P (Q R) for all P,Q,R ? E.
• P Q Q P for all P,Q ? E.

In other words, the addition law makes the
points of E into a commutative group.
All of the group properties are trivial to check
except for the associative law (c). The
associative law can be verified by a lengthy
computation using explicit formulas, or by using
more advanced algebraic or analytic methods.
- 11 -
12
A Numerical Example
Using the tangent line construction, we find
that 2P P P (-7/4, -27/8).
Using the secant line construction, we find
that 3P P P P (553/121, -11950/1331)
Similarly, 4P (45313/11664,
8655103/1259712). As you can see, the coordinates
become complicated.
- 12 -
13
Algebraic Formulas for Addition on E
Suppose that we want to add the points P1
(x1,y1) and P2 (x2,y2) on the elliptic
curve E y2 x3 Ax B.
Quite a mess!!!!! But
Crucial Observation If A and B are in a field K
and if P1 and P2 have coordinates in K, then
P1 P2 and 2P1 have coordinates in K.
- 13 -
14
The Group of Points on E with Coordinates in a
Field K
The elementary observation on the previous slide
leads to an important result
Theorem (Poincaré, ?1900) Let K be a field and
suppose that an elliptic curve E is given by an
equation of the form y2 x3 A x B with
A,B ? K. Let E(K) be the set of points of E with
coordinates in K, E(K) (x,y) ? E x,y ? K
? O . Then E(K) is a subgroup of E.
- 14 -
15
What Does E(R) Look Like?
We have seen one example of E(R). It is also
possible for E(R) to have two connected
components.
Analytically, E(R) is isomorphic to the circle
group S1 or to two copies of the circle group S1
? Z/2 Z.
- 15 -
16
A Finite Field Numerical Example
The formulas giving the group law on E are valid
if the points have coordinates in any field, even
if the geometric pictures dont make sense. For
example, we can take points with coordinates in
Fp.
Using the addition formulas, we can compute in
E(F37) 2P (35,11) 3P (34,25) 4P (8,6)
5P (16,19) P Q (11,10) 3P 4Q
(31,28)
- 16 -
17
Elliptic Curves and Complex Analysis
OrHow the Elliptic Curve Acquired Its
Unfortunate Moniker
18
The Arc Length of an Ellipse
- 18 -
19
The Arc Length of an Ellipse
- 19 -
20
Elliptic Integrals and Elliptic Functions
- 20 -
21
Elliptic Functions and Elliptic Curves
The ?-function and its derivative satisfy an
algebraic relation
This equation looks familiar
?(z) and ?(z) are functions on a fundamental
parallelogram
- 21 -
22
The Complex Points on an Elliptic Curve
The ?-function gives a complex analytic
isomorphism
Parallelogram with opposite sides identified a
torus
- 22 -
23
Elliptic Curves andNumber Theory
Rational Points on Elliptic Curves
24
E(Q) The Group of Rational Points
A fundamental and ancient problem in number
theory is that of solving polynomial equations
using integers or rational numbers. The
description of E(Q) is a landmark in the modern
study of Diophantine equations.
Theorem (Mordell, 1922) Let E be an elliptic
curve given by an equation E y2 x3 A x B
with A,B ? Q. There is a finite set of
points P1,P2,,Pr so that every point P in E(Q)
can be obtained as a sum P n1P1 n2P2
nrPr with n1,,nr ? Z. In other words, E(Q)
is a finitely generated group.
- 24 -
25
E(Q) The Group of Rational Points
The elements of finite order in the group E(Q)
are quite well understood.
Theorem (Mazur, 1977) The group E(Q) contains at
most 16 points of finite order.
Conjecture The number of points needed to
generate E(Q) may be arbitrarily large.
- 25 -
26
E(Q) The Group of Rational Points
A fundamental and ancient problem in number
theory is that of solving polynomial equations
using integers or rational numbers. The
description of E(Q) is a landmark in the modern
study of Diophantine equations.
Theorem (Mordell, 1922) Let E be an elliptic
curve given by an equation E y2 x3 A x B
with A,B ? Q. Then the group of rational
points E(Q) is a finitely generated abelian
group. That is, there is an integer r and a
finite group ? such that E(Q) ? Zr ? ? .
- 26 -
27
E(Q) The Group of Rational Points
E(Q) ? Zr ? ?
The finite group ? is called the torsion subgroup
of E(Q).It is quite well understood.
Theorem (Mazur, 1977) The torsion subgroup of
E(Q) contains at most 16 points.
Conjecture The rank of E(Q) can be arbitrarily
large.
Current World Record There is an elliptic curve
with rank E(Q) ? 23.
- 27 -
28
E(Z) The Set of Integer Points
If P1 and P2 are points on E having integer
coordinates, then P1 P2 will have rational
coordinates, but there is no reason for it to
have integer coordinates. Indeed, the formulas
for P1 P2 are so complicated, it seems unlikely
that P1 P2 will have integer coordinates. Comple
menting Mordells finite generation theorem for
rational points is a famous finiteness result for
integer points.
Theorem (Siegel, 1928) An elliptic curve E y2
x3 A x B with A,B ? Z has only
finitely many points P (x,y) with integer
coordinates x,y ? Z.
- 28 -
29
E(Fp) The Group of Points Modulo p
Number theorists also like to solve polynomial
equations modulo p.
This is much easier than finding solutions in Q,
since there are only finitely many solutions in
the finite field Fp! One expects E(Fp) to have
approximately p1 points. A famous theorem of
Hasse (later vastly generalized by Weil and
Deligne) quantifies this expectation.
- 29 -
30
E(Fp) The Group of Points Modulo p
Number theorists also like to solve polynomial
equations modulo p.
This is much easier than finding solutions in Q,
since there are only finitely many solutions in
the finite field Fp! One expects E(Fp) to have
approximately p1 points. A famous theorem of
Hasse (later vastly generalized by Weil and
Deligne) quantifies this expectation.
- 30 -
31
Elliptic Curves andCryptography
32
The (Elliptic Curve) Discrete Log Problem
Let A be a group and let P and Q be known
elements of A.

• There are many cryptographic constructions based
  on the difficulty of solving the DLP in various
  finite groups.
• The first group used for this purpose
  (Diffie-Hellman 1976) was the multiplicative
  group Fp in a finite field.
• Koblitz and Miller (1985) independently suggested
  using the group E(Fp) of points modulo p on an
  elliptic curve.
• At this time, the best algorithms for solving the
  elliptic curve discrete logarithm problem (ECDLP)
  are much less efficient than the algorithms for
  solving DLP in Fp or for factoring large
  integers.

- 32 -
33
Elliptic Curve Diffie-Hellman Key Exchange
Public Knowledge A group E(Fp) and a point P of
order n.
BOB
ALICE
Choose secret 0 lt b lt n Choose
secret 0 lt a lt n
Compute QBob bP Compute
QAlice aP
Compute bQAlice
Compute aQBob
Bob and Alice have the shared value bQAlice abP
aQBob
Presumably(?) recovering abP from aP and bP
requires solving the elliptic curve discrete
logarithm problem.
- 33 -
34
Elliptic Curves andClassical Physics
35
The Elliptic Curve and the Pendulum
- 35 -
36
The Elliptic Curve and the Pendulum
This leads to a simple harmonic motion for the
pendulum.
- 36 -
37
How to Solve the Pendulum Equation
- 37 -
38
How to Solve the Pendulum Equation
An Elliptic Integral!!!
An Elliptic Curve!!!
Conclusion tan(q /2) Elliptic Function of t
- 38 -
39
Elliptic Curves andTopology
40
Cobordism and Genus
An important object in topology is the (complex
oriented) cobordism ring W.
- 40 -
41
What Makes a Genus Elliptic?
- 41 -
42
Elliptic Curves andModern Physics
43
Elliptic Curves and String Theory
In string theory, the notion of a point-like
particle is replaced by a curve-like string. As a
string moves through space-time, it traces out a
surface.
For example, a single string that moves around
and returns to its starting position will trace a
torus. So the path traced by a string looks like
an elliptic curve! In quantum theory, physicists
like to compute averages over all possible paths,
so when using strings, they need to compute
integrals over the space of all elliptic curves.
- 43 -
44
Elliptic Curves andNumber Theory
Fermats Last Theorem
45
Fermats Last Theorem and Fermat Curves
It is enough to prove the case that n 4
(already done by Fermat himself) and the case
that n p is an odd prime.
But Fermats curve is not an elliptic curve. So
how can elliptic curves be used to study Fermats
problem?
- 45 -
46
Elliptic Curves and Fermats Last Theorem
Frey suggested that Ea,b,c would be such a
strange curve, it shouldnt exist at all. More
precisely, Frey doubted that Ea,b,c could be
modular. Ribet verified Freys intuition by
proving that Ea,b,c is indeed not modular. Wiles
completed the proof of Fermats Last Theorem by
showing that (most) elliptic curves, in
particular elliptic curves like Ea,b,c, are
modular.
- 46 -
47
Elliptic Curves and Fermats Last Theorem
Ea,b,c y2 x (x ap) (x bp)
To Summarize Suppose that ap bp cp with
abc ? 0. Ribet proved that Ea,b,c is not
modular Wiles proved that Ea,b,c is
modular. Conclusion The equation ap bp cp
has no solutions.
- 47 -
48
Elliptic Curves and Modularity
There are many equivalent definitions, none of
them particularly intuitive. Heres one
E is modular if it is parameterized by modular
forms!
- 48 -
49
Conclusion
Elliptic Curves Are Everywhere
Don't Leave Home Without One!
- 49 -
50
References and Texts on Elliptic Curves
Apostol, T. Modular functions and Dirichlet
series in number theory, Graduate Texts in
Mathematics 41, Springer-Verlag, New York, 1976.
Blake, I. F. Seroussi, G. Smart, N. P.
Elliptic curves in cryptography. London
Mathematical Society Lecture Note Series, 265.
Cambridge University Press, Cambridge, 2000.
Cremona, J. E. Algorithms for modular elliptic
curves. Cambridge University Press, Cambridge,
1997. Knapp, A. Elliptic curves, Mathematical
Notes 40, Princeton University Press, Princeton,
NJ, 1992. Koblitz, N. Introduction to elliptic
curves and modular forms, Springer-Verlag, NY,
1984.
- 50 -
51
References and Texts on Elliptic Curves
Lang, S. Elliptic functions, Graduate Texts in
Mathematics 112, Springer-Verlag, NY, 1987. Lang,
S. Elliptic curves Diophantine analysis,
Springer-Verlag, Berlin, 1978. Silverman, Joseph
H. The arithmetic of elliptic curves. Graduate
Texts in Mathematics, 106. Springer-Verlag, New
York, 1986. Silverman, Joseph H. Advanced topics
in the arithmetic of elliptic curves. Graduate
Texts in Mathematics, 151. Springer-Verlag, New
York, 1994. Silverman, Joseph H. Tate, John.
Rational points on elliptic curves.
Under-graduate Texts in Mathematics.
Springer-Verlag, New York, 1992.
- 51 -
52
The Ubiquity ofElliptic Curves
Joseph Silverman (Brown University) MAA Invited
Address Expanded Version Baltimore January
18, 2003