Introduction to Elliptic Curves - York University
Transcript of Introduction to Elliptic Curves - York University
What is an Elliptic Curve?
An Elliptic Curve is a curve given by an equation
E : y2 = f(x)
Where f(x) is a square-free (no double roots) cubic or a quarticpolynomial
After a change of variables it takes a simpler form:
E : y2 = x3 + Ax + B 0274 23 ≠+ BA
So y2 = x3 is not an elliptic curve but y2 = x3-1 is
Why is it called Elliptic?
Arc Length of an ellipse =
∫− −−
−1
1 222
22
)1)(1(1 dx
xkxxka
( ) dxxa
xabaa
a∫− −−−
22
2222 /1
Let k2 = 1 – b2/a2 and change variables x ax.
Then the arc length of an ellipse is
dxy
xka∫−−
=1
1
221Length Arc
with y2 = (1 – x2) (1 – k2x2) = quartic in x
Addition of Points on E
1. Commutativity. P1+P2 = P2+P1
2.Existence of identity. P + O = P
3. Existence of inverses. P + (-P) = O
4. Associativity. (P1+P2) + P3 = P1+(P2+P3)
Addition FormulaSuppose that we want to add the points
P1 = (x1,y1) and P2 = (x2,y2) on the elliptic curve
E : y2 = x3 + Ax + B.
21 xx ≠ 21 xx =IfIf
12
12
xxyym
−−
=1
21
23
yAxm +
=
212
3 xxmx −−=
1313 )( yxxmy −−=
Note that when P1, P2 have rational coordinates and A and B are rational, then P1+P2 and 2P also have rational coordinates
Important Result
Theorem (Poincaré, ≈1900): Suppose that an elliptic curve E is given by an equation of the form
y2 = x3 + A x + B with A,B rational numbers.
Let E(Q) be the set of points of E with rational coordinates,
E(Q) = { (x,y) ∈ E : x,y are rational numbers } ∪ { O }.
Then sums of points in E(Q) remain in E(Q).
Really Complicated first…
Elliptic curves were used to prove Fermat’s Last Theorem
Ea,b,c : y2 = x (x – ap) (x + bp)
Suppose that ap + bp = cp with abc ≠ 0.
Ribet proved that Ea,b,c is not modular
Wiles proved that Ea,b,c is modular.
Conclusion: The equation ap + bp = cp has no solutions.
Elliptic Curves and String TheoryIn string theory, the notion of a point-like particle is replaced by a curve-like string.
As a string moves through space-time, it traces out a surface.
For example, a single string that moves around and returns to its starting position will trace a torus.
So the path traced by a string looks like an elliptic curve!Points of E with coordinates in the complex numbers C form a torus, that is, the surface of a donut.
Congruent Number Problem
Which positive rational n can occur as areas of right triangles with rational sides?
Ex: 5 is a congruent number because it is the area of 20/3, 3/2, 41/6 triangle
This question appears in 900A.D. in Arab manuscripts
A theorem exists to test the numbers but it relies on an unproven conjecture.
Congruent Number Problem cont….
nab=
2222 cba =+Suppose a, b and c satisfy
bcanx )( +
=2
2 )(2yb
can +=Then set
xnxy 232 −=A Calculation shows that
ynxb 2
=y
nxc22 +
=ynxa /)( 22−=Conversely:
A positive rational number n is congruent if and only if the elliptic curvehas a rational point with y not equal to 0
Congruent Number Problem cont…xxy 2532 −=Continuing with n = 5
We have Point (-4,6) on the curve
172862279
14416812 ==− yxisPfindWe
We can now find a, b and c
Factoring Using Elliptic Curves
Ex: We want to factor 4453
Step 1. Generate an elliptic curve with point P mod n
)3,1()4453(mod21032 =−+= PletxxyStep 2. Compute BP for some integer B.
)4453(mod37136
132
10322
≡=+y
xfirstPcomputeLets
)4453(mod371161)4453,6gcd( 1 ≡= −findtothatfacttheusedWe
32303)1(371323713),(2 2 ≡−−−≡−≡= xyxwithyxPthatfindwe
)3230,4332(2 isP
Factoring Continued..
Step 3. If step 2 fails because some slope does not exist mod n, the we have found a factor of n.
PandPaddwePcomputeTo 23
43313227
1433233230=
−−isslopeThe
)4453(mod4331161)4453,4331gcd( 1−≠= findnotcanweBut
445361, offactorthefoundhaveweHowever
CryptographySuppose that you are given two points P and Q in E(Fp).
The Elliptic Curve Discrete Logarithm Problem (ECDLP) is to find an integer m satisfying
Q = P + P + … + P = mP.
m summands
• If the prime p is large, it is very very difficult to find m.• The extreme difficulty of the ECDLP yields highly
efficient cryptosystems that are in widespread use protecting everything from your bank account to your government’s secrets.
Elliptic Curve Diffie-Hellman Key ExchangePublic Knowledge: A group E(Fp) and a point P of order n.
BOB ALICE
Choose secret 0 < b < n Choose secret 0 < a < n
Compute QBob = bP Compute QAlice = aP
Send QBob to Alice
to Bob Send QAlice
Compute bQAlice Compute aQBob
Bob and Alice have the shared value bQAlice = abP = aQBob
Can you solve this?
Suppose a collection of cannonballs is piled in a square pyramidwith one ball on the top layer, four on the second layer, nine on the third layer, etc.. If the pile collapses, is it possible to rearrange the balls into a square array (how many layers)?
...)())()(( 23 +++−=−−− xcbaxcxbxax32 PPFind +
solutionstrivialarePandP 21Hint:
Solution
6)12)(1(...321 2322 ++
=++++xxxx
6)12)(1(2 ++
=xxxy This is an elliptic curve
)1,1()0,0( 21 PPWe know two points
The line through these points is y = x
6236)12)(1( 23
2 xxxxxxx ++=++
=
021
23 23 =+− xxx
Solution cont…
)21,
21(
2310 3 −=++ isPthereforex
2332 −= xyisPandPthroughlineThe
6)12)(1()23( 2 ++
=−xxxx
0...2
51 23 =+− xx
2511
21
=++ x 24=x 70=y
22222 7024...321 =++++
References
Elliptic Curves Number Theory and CryptographyLawrence C. Washington
http://www.math.vt.edu/people/brown/doc.htmlhttp://www.math.brown.edu/~jhs/