1 / 48

The Ubiquity of Elliptic Curves

The Ubiquity of Elliptic Curves. Joseph Silverman (Brown University) MAA Invited Address – Expanded Version Baltimore – January 18, 2003. Contents. Introduction Geometry, Algebra, Analysis, and Beyond The Group Law on an Elliptic Curve Elliptic Curves and Complex Analysis

jennis
Télécharger la présentation

The Ubiquity of Elliptic Curves

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) MAA Invited Address – Expanded Version Baltimore – January 18, 2003

  2. Contents • Introduction • Geometry, Algebra, Analysis, and Beyond • The Group Law on an Elliptic Curve • Elliptic Curves and Complex Analysis • Elliptic Curves and Number Theory (I) • Elliptic Curves and Cryptography • Elliptic Curves and Classical Physics • Elliptic Curves and Topology • Elliptic Curves and Modern Physics • Elliptic Curves and Number Theory (II) • References and Texts - 2 -

  3. Elliptic CurvesGeometry, Algebra, Analysis and Beyond…

  4. What is an Elliptic Curve? • An elliptic curve is a curve that’s also naturally a group. • The group law on an elliptic curve can be described: • Geometrically using intersection theory • Algebraically using polynomial equations • Analytically using complex analytic functions • Elliptic curves appear in many diverse areas of mathematics, ranging from number theory to complex analysis, and from cryptography to mathematical physics. - 4 -

  5. An Elliptic Curve is a curve given by an equation E : y2 = f(x) for a cubic or quartic polynomial f(x) After a change of variables, the equation takes the simpler form E : y2 = x3 + A x + B Finally, for reasons to be explained shortly, we toss in an extra point O “at infinity,” so E is really the set E = { (x,y) : y2 = x3 + A x + B }  { O } The Equation of an Elliptic Curve We also require that the polynomial f(x) has no double roots. This ensures that the curve is nonsingular. - 5 -

  6. A Typical Elliptic Curve E E : Y2 = X3 – 5X + 8 Surprising Fact: We can use geometry to make the points of an elliptic curve into a group. - 6 -

  7. The Group Law on anElliptic Curve

  8. R Q P P+Q Adding Points P + Q on E - 8 -

  9. Tangent Line to E at P R P 2*P Doubling a Point P on E - 9 -

  10. O P Q Q = –P Vertical lines have no third intersection point Vertical Lines and an Extra Point at Infinity Add an extra point O “at infinity.” The point O lies on every vertical line. - 10 -

  11. Properties of “Addition” on E • Theorem: The addition law on E has the following properties: • P + O = O + P = P for all P  E. • P + (–P) = O for all P  E. • (P + Q) + R = P + (Q + R) for all P,Q,R  E. • P + Q = Q + P for all P,Q  E. In other words, the addition law + makes the points of E into a commutative group. All of the group properties are trivial to check except for the associative law (c). The associative law can be verified by a lengthy computation using explicit formulas, or by using more advanced algebraic or analytic methods. - 11 -

  12. E : Y2 = X3 – 5X + 8 The point P = (1,2) is on the curve E. A Numerical Example Using the tangent line construction, we find that 2P = P + P = (-7/4, -27/8). Using the secant line construction, we find that 3P = P + P + P = (553/121, -11950/1331) Similarly, 4P = (45313/11664, 8655103/1259712). As you can see, the coordinates become complicated. - 12 -

  13. Algebraic Formulas for Addition on E Suppose that we want to add the points P1 = (x1,y1) and P2 = (x2,y2) on the elliptic curve E : y2 = x3 + Ax + B. Quite a mess!!!!! But… Crucial Observation: If A and B are in a field K and if P1 and P2 have coordinates in K, then P1+ P2 and 2P1 have coordinates in K. - 13 -

  14. The Group of Points on E with Coordinates in a Field K The elementary observation on the previous slide leads to an important result: Theorem (Poincaré, 1900): Let K be a field and suppose that an elliptic curve E is given by an equation of the form y2 = x3 + A x + B with A,B  K. Let E(K) be the set of points of E with coordinates in K, E(K) = { (x,y)  E : x,y  K }  { O }. Then E(K) is a subgroup of E. - 14 -

  15. E : Y2 = X3 – 9X What Does E(R) Look Like? We have seen one example of E(R). It is also possible for E(R) to have two connected components. Analytically, E(R) is isomorphic to the circle group S1 or to two copies of the circle group S1Z/2 Z. - 15 -

  16. Example:The curve E : Y2 = X3 – 5X + 8 modulo 37contains the points P = (6,3) and Q = (9,10). A Finite Field Numerical Example The formulas giving the group law on E are valid if the points have coordinates in any field, even if the geometric pictures don’t make sense. For example, we can take points with coordinates in Fp. Using the addition formulas, we can compute in E(F37): 2P = (35,11) 3P = (34,25) 4P = (8,6) 5P = (16,19) … P + Q = (11,10) 3P + 4Q = (31,28) … - 16 -

  17. Elliptic Curves and Complex Analysis Or…How the Elliptic Curve Acquired Its Unfortunate Moniker

  18. The arc length of a (semi)circle is given by the familiar integral x2+y2=a2 -a a b The arc length of a (semi)ellipse is more complicated -a a x2/a2 + y2/b2 = 1 The Arc Length of an Ellipse - 18 -

  19. Let k2 = 1 – b2/a2 and change variables x ax. Then the arc length of an ellipse is An Elliptic Curve! with y2 = (1 – x2) (1 – k2x2) = quartic in x. An elliptic integral is an integral , where R(x,y) is a rational function of the coordinates (x,y) on an “elliptic curve”E : y2 = f(x) = cubic or quartic in x. The Arc Length of an Ellipse - 19 -

  20. The circular integral is equal to sin-1(w). Its inverse function w = sin(z) is periodic with period 2. The elliptic integral has an inverse w = (z) with two independent complex periods 1 and 2. (z + 1) = (z + 2) = (z) for all z  C. Doubly periodic functions are called elliptic functions. Elliptic Integrals and Elliptic Functions - 20 -

  21. The double periodicity of (z) means that it is a function on the quotient space C/L, where L is the lattice L = { n1w1 + n2w2 : n1,n2Z }. 1+ 2 1 2 L Elliptic Functions and Elliptic Curves The -function and its derivative satisfy an algebraic relation This equation looks familiar (z) and ’(z) are functions on a fundamental parallelogram - 21 -

  22. E(C) E(C) = Thus the points of E with coordinates in the complex numbers C form a torus, that is, the surface of a donut. The Complex Points on an Elliptic Curve The -function gives a complex analytic isomorphism Parallelogram with opposite sides identified = a torus - 22 -

  23. Elliptic Curves andNumber Theory Rational Points on Elliptic Curves

  24. E(Q) : The Group of Rational Points A fundamental and ancient problem in number theory is that of solving polynomial equations using integers or rational numbers. The description of E(Q) is a landmark in the modern study of Diophantine equations. Theorem (Mordell, 1922): Let E be an elliptic curve given by an equation E : y2 = x3 + A x + B with A,B Q. There is a finite set of points P1,P2,…,Prso that every point P in E(Q) can be obtained as a sum P = n1P1 + n2P2 + … + nrPrwith n1,…,nrZ. In other words, E(Q) is a finitely generated group. - 24 -

  25. The minimal number of points needed to generate the group E(Q) is much more mysterious! Current World Record: There is an elliptic curve with Number of generators for E(Q)  23. E(Q) : The Group of Rational Points The elements of finite order in the groupE(Q) are quite well understood. Theorem (Mazur, 1977): The group E(Q) contains at most 16 points of finite order. Conjecture: The number of points needed to generate E(Q) may be arbitrarily large. - 25 -

  26. Theorem (Hasse, 1922): An elliptic curve equation E : y2 x3 + A x + B (modulo p) has p+1+ solutions (x,y) mod p, where the error  satisfies E(Fp) : The Group of Points Modulo p Number theorists also like to solve polynomial equations modulo p. This is much easier than finding solutions in Q, since there are only finitely many solutions in the finite field Fp! One expects E(Fp) to have approximately p+1 points. A famous theorem of Hasse (later vastly generalized by Weil and Deligne) quantifies this expectation. - 29 -

  27. Elliptic Curves andCryptography

  28. The Discrete Logarithm Problem (DLP) is to find an integer m satisfying Q = P + P + … + P = mP. m summands The (Elliptic Curve) Discrete Log Problem Let A be a group and let P and Q be known elements of A. • There are many cryptographic constructions based on the difficulty of solving the DLP in various finite groups. • The first group used for this purpose (Diffie-Hellman 1976) was the multiplicative group Fp* in a finite field. • Koblitz and Miller (1985) independently suggested using the group E(Fp) of points modulo p on an elliptic curve. • At this time, the best algorithms for solving the elliptic curve discrete logarithm problem (ECDLP) are much less efficient than the algorithms for solving DLP in Fp* or for factoring large integers. - 32 -

  29. Send QBobto Alice to Bob Send QAlice Elliptic Curve Diffie-Hellman Key Exchange Public Knowledge: A group E(Fp) and a point P of order n. BOB ALICE Choose secret 0 < b < n Choose secret 0 < a < n Compute QBob = bP Compute QAlice = aP Compute bQAlice Compute aQBob Bob and Alice have the shared value bQAlice = abP = aQBob Presumably(?) recovering abP from aP and bP requires solving the elliptic curve discrete logarithm problem. - 33 -

  30. Elliptic Curves andClassical Physics

  31. The Elliptic Curve and the Pendulum - 35 -

  32. In freshman physics, one assumes that q is small and derives the formula But this formula is only a rough approximation. The actual differential equation for the pendulum is The Elliptic Curve and the Pendulum This leads to a simple harmonic motion for the pendulum. - 36 -

  33. How to Solve the Pendulum Equation - 37 -

  34. How to Solve the Pendulum Equation An Elliptic Integral!!! An Elliptic Curve!!! Conclusion: tan(q /2) = Elliptic Function of t - 38 -

  35. Elliptic Curves andTopology

  36. For our purposes, it is enough to know that W is a polynomial ring in infinitely many variables: • = C[T2, T4, T6, T8, …]. (T2n is the cobordism class of projective space CPn.) A (complex) genus is a ring homomorphism F : W C. The genus F is characterized by its logarithm Cobordism and Genus An important object in topology is the (complex oriented) cobordism ringW. - 40 -

  37. A genus is a ring homomorphism, so it satisfies F(UxV) = F(U) F(V). Here U and V are (cobordism classes) of complex manifolds. It is interesting to impose a stronger multiplicative property: Let W V be a fiber bundle with fiber U, i.e., W is a twisted product of U and V. Then we still require that F(W) = F(U) F(V). Ochanine proved that the logarithm of F is an elliptic integral! A genus whose logarithm is an elliptic integral is called an Elliptic Genus. What Makes a Genus Elliptic? - 41 -

  38. Elliptic Curves andModern Physics

  39. Elliptic Curves and String Theory In string theory, the notion of a point-like particle is replaced by a curve-like string. As a string moves through space-time, it traces out a surface. For example, a single string that moves around and returns to its starting position will trace a torus. So the path traced by a string looks like an elliptic curve! In quantum theory, physicists like to compute averages over all possible paths, so when using strings, they need to compute integrals over the space of all elliptic curves. - 43 -

  40. Elliptic Curves andNumber Theory Fermat’s Last Theorem

  41. Fermat’s Last Theorem says that if n > 2, then the equation an + bn = cn has no solutions in nonzero integers a,b,c. If we let x = a/c and y = b/c, then solutions to Fermat’s equation give rational points on the Fermat curve xp + yp = 1. Fermat’s Last Theorem and Fermat Curves It is enough to prove the case that n = 4 (already done by Fermat himself) and the case that n = p is an odd prime. But Fermat’s curve is not an elliptic curve. So how can elliptic curves be used to study Fermat’s problem? - 45 -

  42. Gerhard Frey (and others) suggested using an hypothetical solution (a,b,c) of Fermat’s equation to “manufacture” an elliptic curve Ea,b,c : y2 = x (x – ap) (x + bp). Elliptic Curves and Fermat’s Last Theorem Frey suggested that Ea,b,c would be such a strange curve, it shouldn’t exist at all. More precisely, Frey doubted that Ea,b,c could be modular. Ribet verified Frey’s intuition by proving that Ea,b,c is indeed not modular. Wiles completed the proof of Fermat’s Last Theorem by showing that (most) elliptic curves, in particular elliptic curves like Ea,b,c, are modular. - 46 -

  43. But what does it mean for an elliptic curve E to be modular? Elliptic Curves and Fermat’s Last Theorem Ea,b,c : y2 = x (x – ap) (x + bp) To Summarize: Suppose that ap + bp = cp with abc 0. Ribet proved that Ea,b,cisnot modular Wiles proved that Ea,b,cis modular. Conclusion: The equation ap + bp = cp has no solutions. - 47 -

  44. A modular form is a function f(t) with the property The variable t represents the elliptic curve Et whose lattice is Lt = {n1+n2t : n1,n2Z}. So just as in string theory, the space of all elliptic curves makes an unexpected appearance. Elliptic Curves and Modularity There are many equivalent definitions, none of them particularly intuitive. Here’s one: E is modular if it is parameterized by modular forms! - 48 -

  45. Conclusion Elliptic Curves Are Everywhere Don't Leave Home Without One! - 49 -

  46. References and Texts on Elliptic Curves Apostol, T. Modular functions and Dirichlet series in number theory, Graduate Texts in Mathematics 41, Springer-Verlag, New York, 1976. Blake, I. F.; Seroussi, G.; Smart, N. P. Elliptic curves in cryptography. London Mathematical Society Lecture Note Series, 265. Cambridge University Press, Cambridge, 2000. Cremona, J. E. Algorithms for modular elliptic curves. Cambridge University Press, Cambridge, 1997. Knapp, A. Elliptic curves, Mathematical Notes 40, Princeton University Press, Princeton, NJ, 1992. Koblitz, N. Introduction to elliptic curves and modular forms, Springer-Verlag, NY, 1984. - 50 -

  47. References and Texts on Elliptic Curves Lang, S. Elliptic functions, Graduate Texts in Mathematics 112, Springer-Verlag, NY, 1987. Lang, S. Elliptic curves: Diophantine analysis, Springer-Verlag, Berlin, 1978. Silverman, Joseph H. The arithmetic of elliptic curves. Graduate Texts in Mathematics, 106. Springer-Verlag, New York, 1986. Silverman, Joseph H. Advanced topics in the arithmetic of elliptic curves. Graduate Texts in Mathematics, 151. Springer-Verlag, New York, 1994. Silverman, Joseph H.; Tate, John. Rational points on elliptic curves. Under-graduate Texts in Mathematics. Springer-Verlag, New York, 1992. - 51 -

  48. The Ubiquity ofElliptic Curves Joseph Silverman (Brown University) MAA Invited Address – Expanded Version Baltimore – January 18, 2003

More Related