Using Elliptic Curves

Size: px

Start display at page:

Download "Using Elliptic Curves"

Nelson Grant
5 years ago
Views:

1 Using Elliptic Curves Keith Conrad May 17, 2014

3 Proving Compositeness In practice it is easy to prove a positive integer N is composite without knowing any nontrivial factor. The most common way is by a counterexample to Fermat s Little Congruence: a N 1 1 mod N for some 1 < a < N = N is composite. There is an a for any composite N, but might take a while to find one, e.g., if N = there is no such a < Suppose an N is proved composite (by Fermat, Solovay Strassen, Miller Rabin, etc.). How can we find a nontrivial factor of N? Example. Set N = F 5 = = , the fifth Fermat number. Since 3 N mod N, it s composite. Euler famously discovered the prime factorization N = We will get this by Lenstra s elliptic curve factorization algorithm.

4 Euler s Method (1732) Let p be an unknown prime factor of N = Then mod N mod p, so 2 mod p has order 64, and thus 64 divides (Z/pZ) = p 1, so p 1 mod 64. In fact p 1 mod 128: since p 1 mod 8, by quadratic reciprocity 2 mod p is a square, say 2 r 2 mod p. Then r 64 1 mod p, so r mod p has order 128 and thus 128 (p 1), so p 1 mod 128. The first few integers > 1 that are 1 mod 128 are 129, 257, 385, 513, 641, 769, 897. Easily 129, 385, 513, and 897 are composite (why?). We see p 257 since 2 8 = mod mod 257. The second prime to try is 641, and it divides N.

5 Pollard s p 1 method (1974) To find a prime factor p of a number N that we know (or believe) is composite, seek a and k such that a k 1 mod N and (p 1) k. Then gcd(a k 1, N) is divisible by p and is probably not N. Pick bound B and let M be divisible by all prime powers up to B, e.g., lcm(2,..., B) or B!. If N has a prime factor p such that all prime-power factors of p 1 are less than B, then (p 1) M, so (a, N) = 1 a M 1 mod p, and thus p (a M 1). Thus computing (a M 1, N) should reveal a nontrivial factor of N. Example. For N = try B = 10, so M = = Letting a = 2, 3, 4, 5,... and computing (a M 1, N), it is 1 until a = 13, when ( , N) = 641: success! This worked since = 640 = has all prime factors less than B and 13 mod 641 has order 20, which is a factor of M. If a s aren t making (a M 1, N) > 1 after a reasonable number of steps then increase B, recompute M, and start again.

6 Lenstra s Elliptic Curve Method (1987) In the p 1 method (Z/NZ) is a proxy for (Z/pZ) where p N, and seek 1 < (a M 1, N) < N for fixed M and random a. Success depends on p 1, for some p N, having small prime factors. If no p N is like that, the p 1 method won t be practical. Lenstra s idea: for each p there s only one group (Z/pZ) but many elliptic curves mod p, all with roughly p points: Hasse s theorem says p p < E(Z/pZ) < p p. Even if p 1 doesn t have all small prime factors, a number t near p 1 might. An E mod p with E(Z/pZ) = t could be used in place of (Z/pZ), with a k replaced by [k](p). Instead of E(Z/pZ) we use an elliptic curve mod N : solutions to y 2 x 3 + ax + b mod N.

7 Lenstra s Elliptic Curve Method (1987) Treating N as if it were prime, we ll add points on E : y 2 = x 3 + ax + b mod N as if it were smooth: (N, 6) = 1 and (N, 4a b 2 ) = 1. For (x 1, y 1 ) and (x 2, y 2 ) on E(Z/NZ), set ( (y2 ) y 2 ( ) ) 1 y2 y 1 (x 3, y 3 ) := x 1 x 2, (x 1 x 3 ) y 1 x 2 x 1 x 2 x 1 if x 1 x 2 mod N and ( (3x ) 2 2 ( ) ) (x 3, y 3 ) := 1 + a 3x 2 2x 1, 1 + a (x 1 x 3 ) y 1 2y 1 2y 1 if x 1 x 2 mod N and y 1 y 2 0 mod N. If we can t invert x 2 x 1 mod N or 2y 1 mod N, then (x 2 x 1, N) or (2y 1, N) is greater than 1, which will be a factor of N that is likely to be nontrivial: if the math breaks down, we probably win!

8 Lenstra s Elliptic Curve Method (1987) How to find a point on a random elliptic curve mod N? Do not pick the equation first: choose pick P = (x 0, y 0 ), then a mod N, and set b : y 2 0 (x ax 0) mod N, so (x 0, y 0 ) satisfies y 2 x 3 + ax + b mod N. Example: Set P = (0, 1). For any a, set b = 1 2 (0 3 + a 0) = 1, so P lies on y 2 x 3 + ax + 1 mod N. Example: If P = (1, 1), for any a set b = 1 2 (1 3 + a 1) = a, so P lies on y 2 x 3 + ax a mod N. We will use the first example to factor N = by an elliptic analogue of the p 1 method.

9 Factoring with Elliptic Curves: Attempt #1 Set N = For a = 1, 2,..., make multiples of P = (0, 1) on E a : y 2 x 3 + ax + 1 mod N. The number k! is divisible by all prime powers up to k. Compute [k!](p) mod N for k = 1, 2,... and check if math breaks down. If it does, we get a factor of N greater than 1 (likely not N itself). Try E 1 : y 2 x 3 + x + 1 mod N and P = (0, 1). k! [k!](p) mod N 2 ( , ) 6 ( , ) 24 ( , ) 120 ( , ) We can compute [k!](p) by repeated doubling when possible: [24](P) = [4]([6](P)), [120](P) = [4]([24](P)) + [24](P). This is taking too long ; let s check another elliptic curve mod N.

10 Factoring with Elliptic Curves: Attempt #2 Try E 2 : y 2 x 3 + 2x + 1 mod N and again P = (0, 1). k! [k!](p) mod N 2 (1, ) 6 ( , ) 24 ( , ) To find [120](P) = [4]([24](P)) + [24](P) = [96](P) + [24](P), we first double [24](P) twice to get [4]([24](P)) = [96](P) ( , ) mod N. Adding [96](P) and [24](P) requires inverting the difference of x-coordinates: x 2 x 1 = mod N. But (x 2 x 1, N) = 641: we ve found a nontrivial factor of N.

11 What is going on? For N = , adding on E(Z/NZ) is adding on E(Z/641Z) and E(Z/ Z) at the same time. For P = (0, 1) on E 2 : y 2 = x 3 + 2x + 1, we have E 2 (Z/641Z) = 660 = , E 2 (Z/ Z) = with P mod 641 of order 30 and P mod of order How preparing for [120](P) = [24](P) + [96](P) looks mod primes: n [n](p) mod 641 [n](p) mod (272, 579) ( , ) 96 (272, 62) ( , ) Adding [24](P) = (x 1, y 1 ) and [96](P) = (x 2, y 2 ) needs inverse of x 2 x 1, but x 2 x 1 0 mod 641 and x 2 x 1 0 mod That is why we found (x 2 x 1, N) = 641. Why was E 1 : y 2 = x 3 + x + 1 not as useful? The order of P on E 1 (Z/641Z) is We d need [101!](P) to factor N.

12 A Problem in Art

13 Escher s Print Gallery In 2000, Lenstra saw this 1956 Escher work in an airline magazine. The picture suggests a spiral symmetry around the center and Lenstra wondered: how to correctly fill in the hole?

14 Escher s Print Gallery Lenstra saw that the empty central hole should be filled in by a self-replicating process that is a twisted analogue of a classical self-replicating process in ordinary geometry.

Escher s Print Gallery This repeating pattern is called

company Droste (left) uses it in their packaging.

painting, but the image from the Einem chocolate

15 Escher s Print Gallery This repeating pattern is called the Droste effect, because the popular Dutch chocolate company Droste (left) uses it in their packaging. They claim it goes back to 1900, inspired by the middle painting, but the image from the Einem chocolate company on the right from 1897 looks like a more plausible source.

Multiplicative Model for Elliptic Curves To continue Escher s twisting pattern into the central region, Lenstra realized he should use a multiplicatively periodic function.

16 Multiplicative Model for Elliptic Curves To continue Escher s twisting pattern into the central region, Lenstra realized he should use a multiplicatively periodic function. Traditionally, E(C) = C/L with L = Z + Zτ, τ R. The complex exponential map exp: C C induces an isomorphism C/(Z + Zτ) C /q Z, q = e 2πiτ. The group C /q Z is Tate s model for complex elliptic curves.

17 Filling in the hole in Print Gallery With help from Bart de Smit and others, Lenstra filled the hole:

18 Filling in the hole in Print Gallery With help from Bart de Smit and others, Lenstra filled the hole:

19 A Field Embedding Question

20 Field Embedding For sets, X Y and Y X implies card(x ) = card(y ). For vector spaces, V W and W V imples V = W. What about for fields: if K L and L K, is K = L? Consider isogenous elliptic curves over Q: ϕ: E E, ϕ: E E. These lead to embeddings of function fields Q(E ) Q(E) and Q(E) Q(E ). Check Q(E) = Q(E ) with j-invariants. Example. E : y 2 = x 3 + x 2 + x and E : Y 2 = X 3 2X 2 3X. There are isogenies ( y 2 (x, y) x 2, y(1 x 2 ) ( ) Y 2 x 2, (X, Y ) 4X 2, Y (3 + X 2 ) ) 8X 2, and j(e) = 2048/3, j(e ) = 35152/9. Thus the fields Q(x, x 3 + x 2 + x), Q(X, X 3 2X 2 3X ) embed into each other but are not isomorphic (unequal j-values).

21 The Class Number Problem

22 Class Numbers In a number field K, with integers O K, an ideal class is a set of nonzero ideals in O K that are equal up to scaling: I = γj for a γ K. There are finitely many ideal classes, their number being the class number h(k), which is 1 if and only if O K is a UFD. Example. Every nonzero ideal in Z[ 5] is a scalar multiple of (1) or (2, 1 + 5): h(q( 5)) = 2. Class numbers of quadratic fields, going back to Gauss: d h(q( d)) h(q( d)) Application 1. If p doesn t divide h(q(ζ p )) then Kummer settled Fermat s Last Theorem for x p + y p = z p ; h(q(ζ p )) = 1 p 19. Application 2. Action of SL 2 (O K ) on P 1 (K) by linear-fractional transformations (( c a d b )[x, y] = [ax + by, cx + dy]) has h(k) orbits.

23 Class Number Formula Let K be an imaginary quadratic field. The ζ-function of K factors into the Riemann zeta-function times a Dirichlet L-function: ζ K (s) := J (0) 1 O K /J s = ζ(s)l(s, χ) = n 1 1 n s n 1 χ(n) n s for a quadratic Dirichlet character χ that s odd (χ( 1) = 1), and Dirichlet s analytic class number formula for K says L(1, χ) = n 1 χ(n) n = 2πh(K) µ(k) disc(k), where µ(k) is roots of unity in K and disc(k) is the discriminant. This links class numbers of imaginary quadratic fields to the value of an L-function at s = 1. Example. For K = Q(i), L(s, χ) = 1 1/3 s + 1/5 s 1/7 s +. Then L(1, χ) = π/4 by calculus, and (2πh)/(4 4) = (π/4)h, so h = 1: an analytic proof that Z[i] is a UFD.

24 Class Number Problem Gauss s tables suggest finitely many imaginary quadratic fields have any particular class number. Setting h d = h(q( d)) for squarefree d > 0, the conjecture is that h d as d. 1918: Hecke showed if L(s, χ) satisfies the Generalized Riemann Hypothesis (GRH) for all odd quadratic χ then h d > c d/ log d for some positive constant c. 1934: Heilbronn showed if L(s, χ) violates GRH for some odd quadratic χ, then h d as d. Combining these, h d as d, but not effectively. Note: Heilbronn s idea (now called the Deuring Heilbronn phenomenon) was to use a violation of GRH for one L(s, χ) to get a lower bound on L(1, χ) for other χ. 1934: Heilbronn and Linfoot showed there are at most 10 imaginary quadratic fields with class number 1. Nine were known. Nobody expected there to be a tenth. (Note: Their paper is curious today for referring to fields as corpora.)

25 Class Number Problem More progress: 1935: Siegel showed that for all ε > 0 there s c ε > 0 such that h d > c ε d 1/2 ε for all d, but c ε can t be explicitly determined. 1952/ : Heegner and then Baker and Stark settled the class number 1 problem: 9 fields. 1971: Baker & Stark settle class number 2 problem: 18 fields. 1976: Goldfeld showed h d c ε (log d) 1 ε with computable c ε, provided there is an elliptic curve E /Q whose L-function L(E, s) = good p 1 1 a p /p s + p/p 2s bad p 1 1 a p /p s = n 1 vanishes to order at least 3 at s = 1 (makes exponent on log d at least 1 ε). Proof uses a Heilbronn-like idea: high-order zero of L(E, s) at s = 1 leads to a lower bound on L(1, χ) for odd quadratic χ. a n n s

26 Class Number Problem Therefore one elliptic curve E /Q whose L-function vanishes to order at least 3 at s = 1 would, in principle, computably settle the class number problem for imaginary quadratic fields. How to find it? Birch and Swinnerton-Dyer Conjecture. For any E /Q, ord s=1 L(E, s) = rank(e(q)). So any E /Q with E(Q) = Z 3 (torsion) is a candidate for L(E, s) having a third-order zero at s = 1: want L(E, 1) = 0, L (E, 1) = 0, L (E, 1) = 0, L (E, 1) 0. Example: E : y 2 = x 3 112x has E(Q) = Z 3, generated by ( 8, 28), ( 4, 28), (0, 20). A computer could prove L (E, 1) 0 numerically, but it s less clear how to prove lower derivatives are 0: being is not a proof. There is a functional equation L(E, 2 s) = ±(fudge)l(e, s), so if ± = 1 then L(E, 1) = 0 and L (E, 1) = 0. The Gross Zagier formula can prove L (E, 1) = 0 in specific examples.

27 Class Number One We expect infinitely many real quadratic fields have class number 1, but it is not yet proved there there are even infinitely many number fields with class number 1. Here s a concrete proposal: Conjecture (Weber). For all n, Q(cos(2π/2 n )) has h = 1. Evidence. Fukuda and Komatsu (2009) showed none of these class numbers have a prime factor less than 10 7, and later increased this bound to 10 8 (2010) and then to 10 9 (2011). It s true for n 8 (case n = 8 posted on arxiv on 5/5/2014). These fields fill the Z 2 -extension of Q. Morisawa (2009) showed no number field in the Z 3 -extension of Q has class number divisible by a prime less than Coates (2010) asked if every number field in the Z p -extension of Q has class number 1 for every prime p. A future task for Iwasawa theory of elliptic curves?

28 References K. Conrad, Applying Quotient Groups to an Unsolved Problem in Art, grouptheory/cstarqz.pdf. T. Fukuda and K. Komatsu, Weber s Class Number Problem, fukuda-komatsu.pdf. D. Goldfeld, The Class Numbers of Quadratic Fields and the Conjecture of Birch and Swinnerton-Dyer, Annali della Scuola Normale Superiore de Pisa, Classe die Scienze 3 (1976), H. Lenstra, Factoring Integers with Elliptic Curves, Annals of Mathematics 126 (1987), W. Trappe, L. C. Washington, Introduction to Cryptography and Coding Theory, Prentice-Hall, See Chapter 15. Escher and the Droste Effect (explanation and animations):

The Arithmetic of Elliptic Curves

The Arithmetic of Elliptic Curves Sungkon Chang The Anne and Sigmund Hudson Mathematics and Computing Luncheon Colloquium Series OUTLINE Elliptic Curves as Diophantine Equations Group Laws and Mordell-Weil