The Group Structure of Elliptic Curves Defined over Finite Fields

Transcription

1 The Group Structure of Elliptic Curves Defined over Finite Fields A Senior Project submitted to The Division of Science, Mathematics, and Computing of Bard College by Andrija Peruničić Annandale-on-Hudson, New York April 30, 2008

2 Abstract An elliptic curve defined over a field k is the set of solutions to the polynomial equation y 2 = x 3 + ax + b where a and b lie in k. There exists a well defined addition of points on each elliptic curve. In fact, points on an elliptic curve form an abelian group under this operation. Typically, coordinates of our solutions lie in the closure of the field k over which the curve is defined. However, we can allow the coordinates of our points to lie only in a particular extension of k. The addition operation is well defined on this set as well, and thus we can associate a group to every extension k of the base field k. For an elliptic curve E, denote this group by E(k ). Now it makes sense to ask the following question. For an elliptic curve E defined over a finite field F p of characteristic p, to what extent does E(F p ) determine E(F p 2), where F p 2 is a degree two extension of F p? This project tackles exactly this question.

3 Contents Abstract 1 Acknowledgments 4 1 Introduction 5 2 Preliminaries Algebraic Geometry Projective Geometry Geometry of Elliptic Curves Definition of an Elliptic Curve The Group Structure of Elliptic Curves Elliptic Curves Defined over Finite Fields Behavior of Elliptic Curves Under Field Extensions Statement of the Problem The Supersingular Case The a p = 1 Case The a p = 1 Case Further Research A Connection of Elliptic Curves to Ellipses 49

4 List of Figures Elliptic curves y 2 = x 3 x and y 2 = x 3 x + 1 graphed over the real numbers Adding two points on an elliptic curve The addition law (P + Q) and a point of inflection (P + P = O) Inverse of a point P

5 Acknowledgments I am particularly grateful to John Cullinan for introducing me to a lot of interesting mathematics and being such a great adviser! I would also like to thank the other two members of my board, Lauren Rose and Matthew Deady, for supporting me and my project. Finally, I owe a large debt of graditude to Heidi Choi for her patience and love.

6 1 Introduction The study of Diophantine equations deals with finding integer or rational number solutions to polynomial equations. This area of number theory is named after one of the great ancient Greek mathematicians, Diophantus of Alexandria, who solved many such problems. The simplest Diophantine equation is a polynomial equation in one variable: a n x n + a n 1 x n a 1 x + a 0 = 0. These equations are easily solved by Gauss lemma which states that if p/q is a rational solution written in lowest terms, then q divides a n and p divides a 0. By trying each of the possible solutions, we can quickly assemble all of the actual ones. The situation changes greatly when we look at Diophantine equations in two variables, that is, polynomial equations of the form f(x, y) = 0. The set of real solutions to such an equation forms a curve in the Euclidean plane. The simplest curve arising from a polynomial equation in two variables is that of a line, and it

7 1. INTRODUCTION 6 is given by a degree 1 polynomial of the form ax + by = c. There are always infinitely many rational solutions, there are no integer solutions if gcd(a, b) doesn t divide c, and there are infinitely many integer solutions otherwise. So, linear equations are also easy. The next family of curves are conic sections, given by various degree 2 polynomials. It turns out, if there is one rational solution, then there are infinitely many. This can be shown using simple geometry (see [7, Chapter 1]) so the situation isn t yet all that bad. The first interesting family of curves is given by degree 3 polynomial equations of the form y 2 = x 3 + ax 2 + bx + c. We call these curves elliptic curves, which are so named because they arise when computing the arclength of an ellipse (see Appendix A). For examples of elliptic curves graphed over the real numbers see Figure The integer and rational solutions to these equations are still not completely understood. For example, it is known that there are only finitely many integer solutions and there is an explicit upper bound, but it is too large to be practical. Also, all of the (possibly infinitely many) rational solutions may be found by starting with a known set of solutions, and getting new ones by adding two solutions on the elliptic curve. This is done by finding the third intersection point of the line connecting the original two solutions and the elliptic curve as in Figure However, there is no method to find the initial generating set of rational solutions: we have to guess. So, studying integer or rational solutions to the simplest family of cubic equations really is non-trivial. In fact, proofs of the results mentioned in the previous paragraph are often very difficult and require techniques from area of mathematics as diverse as geometry, number theory

8 1. INTRODUCTION 7 Figure Elliptic curves y 2 = x 3 x and y 2 = x 3 x+1 graphed over the real numbers Figure Adding two points on an elliptic curve

9 1. INTRODUCTION 8 and algebra. Geometry enters because we can consider the solutions of our cubic equations as curves and because we get new solutions by intersecting various lines with our curve. Number theory is present in the fact that we are looking for integer and rational solutions. Algebra, however, has a more subtle role and provides us with a fundamentally important tool in studying elliptic curves. Polynomials are algebraic objects, but the connection of elliptic curves to algebra is less obvious. We have mentioned that by finding the intersection of the elliptic curve and the line connecting two rational points on the curve we can find a third rational point of intersection, which is guaranteed to exist by Bézout s theorem (cf. Theorem 3.2.2). This process, slightly modified, gives us an abelian group of points on the elliptic curve! Thus, we can use group theory to study rational solutions on elliptic curves. In fact, the proofs of the results mentioned above rely heavily on this fact. However, there is nothing special about rational solutions. We can generalize our definition of the elliptic curve and work over any field. Definition An elliptic curve E defined over a field k is the set of k solutions to the polynomial equation y 2 = x 3 + ax 2 + bx + c where a, b, c k. Instead of looking only at solutions (or points) with coordinates in the closure of the field k over which the curve is defined, we can restrict our attention to those points with coordinates that lie only in a particular extension of k. The addition operation is well defined on this set as well, and thus we can associate a group to every extension k of the base field k. For an elliptic curve E, denote this group by E(k ). In this project, we consider curves defined over finite fields of characteristic p, denoted F p. We are interested in the set of points with coordinates in the degree two extension

10 1. INTRODUCTION 9 of F p, denoted F p 2. More specifically, we are interested in the group structure of E(F p 2). Because we want to be able to easily determine this group, we ask the following question. Given E(F p ), to what extent is E(F p 2) determined? In general, this question has proven to be very difficult. However, we have successfully solved the problem for certain special cases of curves, classified based on the number of points on them. A considerable amount of background theory is necessary to properly understand elliptic curves and the associated groups. The reader should be familiar with basic group and field theory, including basics of finite fields. See [3] for an excellent introduction to these subjects. In Chapter 2 we introduce the necessary background to define elliptic curves. In the first section we define affine varieties, ideals and some associated concepts. We do this since we will eventually define elliptic curves as varieties arising from ideals generated by equations in the form of the one from Definition In the second section we provide the connection between affine and projective varieties since elliptic curves live in projective space, if only just. In Chapter 3 we use the first two sections to provide a general definition of elliptic curves, simplify it and show how to associate a group to an elliptic curve. In the last section, we state some useful results about elliptic curves over finite fields. In Chapter 4 we finally formally state the central problem of this project and present the main results.

11 2 Preliminaries 2.1 Algebraic Geometry In this section we provide an introduction to the algebraic geometry needed to define and understand elliptic curves. We begin with a definition of the space in which we are working. Definition Let k be a field. Affine n-space (over k) is the set of all n-tuples of elements of k, denoted A n k or simply An. For example, if k = R, then A n (k) = R n. We can start building up the definition of an affine variety. Let k [x] = k [x 1,..., x n ] be the ring in n variables over k and let T be any subset of k [x]. Definition The zero set of T or an (affine) algebraic set is a subset of A n of the following form Z(T ) = {P A n : f(p ) = 0 for all f T }.

12 2. PRELIMINARIES 11 We know that T generates an ideal a of k [x] and that this ideal has a finite set of generators f 1,..., f m, since k [x] is a Noetherian ring (see [2, Theorem 2.5.4], for instance). Therefore, Z(T ) = Z(a) is the set of common zeros of the polynomials f 1,..., f m. We can also go the other way. Definition Let Z be an algebraic set. The ideal of Z is given by I(Z) = {f k [x] : f(p ) = 0 for all P Z}. We want to explore the relationship between algebraic sets and their ideals. Shortly, we will prove a theorem telling us when the variety-ideal correspondence is bijective. Example Suppose we are working over the polynomial ring C [x, y] and let f = x 2 + y 2 = (x + iy)(x iy). Then Z(f) = Z(x + iy) Z(x iy) (see [2, Lemma 1.2.2]). Definition A prime ideal is an ideal I such that if ab I, either a I or b I. Since multiplication corresponds to union in passing from ideals to varieties, the previous example suggests that we are only interested in irreducible polynomials, and more generally prime ideals, as generators of our algebraic sets. The following definitions and theorem show our intuition to be correct. Definition An algebraic set is irreducible if it cannot be expressed as a union of other algebraic sets. Consider V (xz, yz) as a subset of R 3. This variety is the union of the xy-plane and the z-axis. Intuitively, it is natural to think of the line and the plane as more fundamental than V (xz, yz). We formalize this notion. Definition An irreducible affine algebraic set V is called an (affine) variety.

13 2. PRELIMINARIES 12 Theorem (Hilbert s Nullstellensatz). There is an injective, inclusion-reversing correspondence between algebraic sets in A n and radical ideals (i.e., ideals I in which f m I implies f I) in k [x], given by V I(Z) and p Z(a). An algebraic set V is a variety if and only if its ideal I(V ) is prime. Proof. See either [4, Chapter 1] or [2, Chapter 4.2]. This theorem allows us to uniquely identify varieties, and later curves, with their generating prime ideals. Furthermore, we intuitively see a curve as being one dimensional, and a surface as two dimensional even if it is curved in three dimensional affine space for instance. We now develop the notion of the dimension of a variety. We start with an example. Example Consider the ideal I = yz, xz, xyz k[x, y, z] and let H x be the plane defined by x = 0 with H y and H z defined similarly. Let H xy be the line defined by x = y = 0. Then V (I) = V (xz) V (xz) V (xyz) = (H y H z ) (H x H z ) (H x H y H z ) = H z H xy consists of the xy-plane H z together with the z-axis x = y = 0. As subspaces of k 3, these two have dimensions 2 and 1, respectively, and we take the bigger of the two as the dimension of V. In other words, dim(v ) = 2. Since a variety V (I) of a monomial ideal I k [x] is a finite union of vector subspaces of k n by [2, Proposition 9.1.1], we can generalize the process from the previous example and define the dimension of V as the dimension of the largest of the subspaces that compose

14 2. PRELIMINARIES 13 it. A crucial result due to Hilbert states that the dimension of a variety of a monomial ideal can be characterized by the growth of the number of monomials of certain degree not in I(V ), as their degree increases (see [2, Theorem 9.2.6]). We are able to fully generalize this notion to any ideal in k [x] using the following definition. Definition Let V be a variety and R = k [x]. We define the affine coordinate ring of V to be k [V ] = R I(V ). The coordinate ring k[v ] of polynomial functions f : V k is so called since every polynomial function on V is a k-linear combination of products of the coordinate functions x i : V k whose value at a point P V is the ith coordinate of P. To see how k[v ] relates to the dimension of V, let I s be all polynomials of I of total degree s. Both k [x] and I(V ) can be seen as infinite dimensional vector spaces over k. On the other hand, since there are only finitely many monomials for each s (see [2, Theorem 9.2.4]), restricting an ideal to polynomials of degree s gives us a finite dimensional vector space over k. Consider the injective linear map α s : k [x] s /I(V ) s k [x] /I(V ) = k[v ] defined by α s ([f]) = [f] for each s 0. This map allows us to say that k [x] s /I(V ) s is a finite dimensional piece of k[v ] that approximates it more closely as s gets larger (see [2, Proposition 9.3.1] for a proof that a quotient of finite dimensional vector spaces is finite dimensional). Following Hilbert s result for monomial ideals, we want the dimension of V to measure how fast these finite dimensional approximations of k[v ] are growing, since our intuition about the quotient R/I of a polynomial ring R by an ideal I R tells us that it composes of exactly those polynomials of R not in I. Therefore, dim(v ) conveys information about the size of k[v ], and vice-versa.

15 2. PRELIMINARIES 14 To find the size of k[v ], we notice that since I(V ) is a prime ideal, k[v ] is an integral domain and we make the following definition. Definition The quotient field of k[v ], denoted k(v ) is called the function field of V. In particular k(v ) = {[f]/[g]: f, g k [x], g I(V )}, where [f] denotes the equivalence class of f. Similarly k [V ] and k(v ) are defined by replacing k with k. Since k(v ) is the smallest field containing k[v ], we can gauge the size of k[v ] through k(v ) and define the dimension of a variety of an ideal by looking at the size of k(v ). We use the transcendence degree of k(v ) to accomplish this task. Definition The elements φ 1,..., φ r k[v ] are algebraically independent over k if there is no nonzero polynomial p of r variables with coefficients in k such that p(φ 1,..., φ r ) = 0 in k[v ]. Definition Let K be a field extension of k. Then K has transcendence degree d over k provided that d is the largest number of elements of K that are algebraically independent over k. Definition The dimension of V, denoted by dim(v ), is the transendence degree of k(v ) over k. For a more detailed description of dimension of a variety, see [2, Chapter 9]. We will return to dimension when showing that an elliptic curve has degree 1 as a variety. In addition to its dimension, when working with a geometric object we want to determine how smooth it is. We do this using the usual Jacobian criterion for the existence of a tangent plane from vector calculus.

16 2. PRELIMINARIES 15 Definition Let V be a variety, and f 1,..., f m k[x 1,..., x n ] be a set of generators for I(V ). Then V is non-singular (or smooth) at P V if the Jacobian matrix f 1 f 1 x n x f m x 1... f m x n evaluated at P has rank n dim(v ). Example Suppose that V is generated by a single polynomial equation f k[x 1,..., x 1 ]. Then dim(v ) = n 1 and P is a singular point if and only if the Jacobian matrix evaluated at P has rank not equal to one. Hence, it has to have rank of zero, which is true only if f x 1 =... = f x n = 0, where each partial defivative is evaluated at P. We want to define elliptic curves as certain affine varieties of dimension one. In order to be able to associate a group to an elliptic curve, we need the concept of points at infinity. For this purpose we need to introduce projective space. 2.2 Projective Geometry Historically, projective space arose through the process of adding points at infinity to affine space. Points at infinity are added to affine space in order to have every pair of lines, including parallel ones, intersect at one point. Thus, points at infinity can be seen as a set of directions in affine space corresponding to the directions of different classes of parallel lines. Throughout this section we will denote k [x 0,..., x n ] by k [x] giving this notation double meaning, but this will not cause ambiguity as the use of k [x] will be clear from context.

17 2. PRELIMINARIES 16 Definition Projective n-space (over k), denoted P n (or P n (k)) is the set of all (n + 1)-tuples (x 0,..., x n ) A n+1 k such that not all x i are zero, under the equivalence relation given by (x 0,..., x n ) (y 0,..., y n ) if there exists a t k with x i = ty i for all i. An equivalence class is denoted [x 0,..., x n ]. In projective space, we are naturally interested in polynomials f such that if f(a 0,..., a n ) = 0 then f(ta 0,..., ta n ) = 0 for all t k, or in other words, the polynomials f that have a zero on the entire equivalence class [a 0,..., a n ]. Definition A polynomial f k [x] is homogeneous of degree d if f(λx 0,..., λx n ) = λ d f(x 0,..., x n ). Further, an ideal I k [x] is a homogeneous ideal if it is generated by homogeneous polynomials. One can easily verify that all monomials of a homogeneous polynomial are of the same degree. Using homogeneous polynomials, we can define projective algebraic sets, varieties and their ideals as we have similarly done in affine space. Definition A (projective) algebraic set is a subset of P n of the following form V I = {P P n : f(p ) = 0 for all f I where I is a homogeneous ideal}. The (homogeneous) ideal of a projective algebraic set V I is the ideal I(V I ) k [x] such that I(V I ) = {f k [x] : f is homogeneous and f(p ) = 0 for all P V I }. A projective algebraic set V is called a (projective) variety if its homogeneous ideal I(V ) is a prime ideal in k [x].

18 2. PRELIMINARIES 17 It is not hard to see that P n contains many copies of A n. For each 0 i n, there is an inclusion φ i : A n P n (2.2.1) (x 1,..., x n ) [x 1,..., x i, 1, x i+1,..., x n ]. We can also project from A n into P n. Let U i be the complement of the hyperplane x i = 0 in P n, U i = {P = [x 0,..., x n ] P n : x i 0}. (2.2.2) Then there is a natural bijection φ 1 i : U i A n [x 0,..., x n ] ( x0 x i,..., x i 1 x i, x i+1 x i,..., x ) n. x i (2.2.3) We see that the maps φ i and φ 1 i are inverses: ( φ 1 i x0 [x 0,..., x n ],..., x i 1 x i [ φ i x0,..., x i 1 x i, x i+1,..., x ) n x i x i x i, 1, x i+1,..., x ] n = [x 0,..., x n ], x i x i x i where the last equality follows because we are using homogeneous coordinates. Next, we show that this bijection gives us means of going between varieties in projective and affine space, losing track only of points on the hyperplane x i = 0, which we will handle separately. Lemma Let V be a projective algebraic set with homogeneous ideal I(V ) k [x]. Then V A n = φ 1 i (V U i ) is an affine algebraic set with ideal I(V A n ) where U i and φ 1 i are as defined in Equations (2.2.2) and (2.2.3). Proof. From the definitions of V and U i we have V U i = {P P n : x i 0 and f(p ) = 0 for all f I(V )} and consequently ( V A n = φ 1 a0 i (V U i ) = {,..., a i 1 a i a i, 1, a i+1 a i,..., a ) n : [a 0,..., a n ] V }. a i

19 2. PRELIMINARIES 18 Next, assume that f k [x] is a homogeneous polynomial of degree d and collect monomials having the same power of x i : f = d x j i f j j=0 = x d i = x d i d f j j=0 x j i d j=0 f j ( x 0 x i,..., x n x i ) = x d i f( x 0 x i,..., x i 1 x i, 1, x i+1 x i, x n x i ). Denote f( x 0 x i,..., x i 1 x i, 1, x i+1 x i, xn x i ) by f (y 0,..., y i 1, 1, y i+1,..., y n ), identifying x j x i with y j. If a = [a 0,..., a n ] is a zero of f, then a = ( a 0 a i,..., a i 1 since 0 = f(a) = a d i f (a ). a i, 1, a i+1 a i,..., an a i ) is a zero of f Define I = {f : f = I(V )}. Clearly, I is an ideal and the affine variety it defines is precisely V A n. We see that in addition to giving us a way to pass from projective to affine varieties, Lemma in its proof also gives us a way to pass from polynomials (and consequently ideas) in projective space to their counterparts in affine space. This process is called dehomogenization. Definition Let V be a projective algebraic set with homogeneous ideal I(V ) k [x]. Then V A n = φ 1 i (V U i ) is an affine algebraic set with ideal I(V A n ) k [x] given by I(V A n ) = {f (x 0,..., x i 1, 1, x i+1,..., x n ): f(x 0,..., x n ) I(V )}. The process of replacing f(x 0,..., x n ) with f (x 0,..., x i 1, 1, x i+1,..., x n ) is called dehomogenization of f with respect to x i.

20 2. PRELIMINARIES 19 Note that the polynomial f is in n variables. Example Let f(x, y, z) = y 2 z x 3 + z 3 k [x]. Then f (x, y) = y 2 x is the dehomogenization of f with respect to z. We now give the counterpart to Lemma that allows us to project varieties from affine to projective space. Definition Let V be an affine algebraic set with ideal I(V ). Then the set V obtained from V via the map V A n φ i P n is called the projective closure of V. Lemma Let V be an affine algebraic set with ideal I(V ). Then the projective closure of V, denoted V, is a projective algebraic set. Proof. From the definition of projective closure, V = {[a 1,..., a i 1, 1, a i,..., a n ]: (a 1,..., a n ) V }. Let f k[x 1,..., x n ] be a polynomial of degree d and write f by collecting all monomials having common degree. Denote each such homogeneous component of f by f j, so that f = f f d. Then define f k[x 1,..., x i 1, y, x i,..., x n ] so that f = y d f 0 + y d 1 f f d = y d d j=1 = y d d j=1 f j y j f j ( x 1 y,..., x n y ) = y d f( x 1 y,..., x n y ).

21 2. PRELIMINARIES 20 Clearly, f is homogeneous and if a = (a 1,..., a n ) is a zero of f, then a = [a 1,..., a i 1, 1, a i,..., a n ] is a zero of f. Define I = {f : f I(V )}. Clearly, I is an ideal and the affine variety it defines is precisely V. Similarly as before, we see that the proof of Lemma reveals how to project polynomials (and ideals) from affine to projective space. This process is called homogenization. Definition For any f(x) k [x], let f (x) = f (x 0,..., x n ) = x d i f ( x0 x i,..., x i 1 x i, x i+1 x i,..., x ) n, x i where d = deg(f) is the smallest integer for which f is a polynomial. We say that f is the homogenization of f with respect to x i. Example Let f(x 1, x 2 ) = a ij x i 1 xj 2. Then the homogenization of f with respect to x 3 is given by f (x 1, x 2, x 3 ) = i,j a ij x i 1x j 2 xd i j 3, where d = deg(f). With Lemmas and and Definitions and we have a way to pass varieties and ideals from projective to affine space and vice-versa. Because we can choose the coordinate x i with respect to which we homogenize and dehomogenize, we simply set i = n. As we have remarked above, however, we lose track of points on the hyperplane x n = 0. We give these points a name. Definition The points in the set O = {[x 0,..., x n 1, 0] P n : at least one x i 0} are called points at infinity of P n. Clearly, O = P n 1 and since P n = U n O and U n = A n by φ, then P n = A n O or equivalently P n = A n P n 1. Furthermore, an equivalence class [a 0,..., a n ] of P n

22 2. PRELIMINARIES 21 corresponds to a line through the origin in A n+1 and since we can identify all parallel lines with a unique line through the origin, we can also identify equivalence classes of P n with directions in A n+1. But since O = P n 1, we identify O with directions in A n. Intuitively, this means that parallel lines intersect at a unique point at infinity corresponding to their direction. Technically, this means that we can finally establish a bijection between P n and A n P n 1. Theorem There is a bijective correspondence P n A n P n 1 given by { φ 1 n ([x 0,..., x n ]) A n, if x n 0; [x 0,..., x n ] [x 0,..., x n 1 ] P n 1, if x n = 0, in one direction, and in the other by (x 0,..., x n 1 ) A n φ n (x 0,..., x n 1 ), [x 0,..., x n 1 ] P n 1 [x 0,..., x n 1, 0]. Proof. The theorem follows directly from Lemmas and as well as the remarks following Definition Now that we can pass between affine space and projective space, we can extend our definition of smooth affine varieties to projective ones. Definition A projective variety V is non-singular (or smooth) if all embeddings V A n of V are non-singular as an affine varieties. We end this section with an intuitive example of the bijection stated in Theorem Example For our purposes, we are interested in P 2 = A n P 1. Suppose the field we are working over is R. We verify that it makes sense to call P 1 the set of directions in R 2. Every line in R 2 is parallel to a unique line through the origin which is given by an equation of the form ax = by,

23 2. PRELIMINARIES 22 where a, b R are not both zero. In fact, the points (a, b) and (A, B) are on the same line if and only if there exists a non-zero t such that A = ta and B = tb, which means that both points belong to the same equivalence class in P 1, namely [a, b]. Denote an equivalence class in P 2 by [x, y, z]. The bijection φ : P 2 A 2 P 1 is given by [x, y, z] with the other direction given by { ( x z, y z ) A2 if z 0; [x, y] P 1 if z = 0, [x, y, 1] (x, y) A 2, [x, y, 0] [x, y] P 2. With this we conclude all the preliminaries necessary to define elliptic curves.

24 3 Geometry of Elliptic Curves 3.1 Definition of an Elliptic Curve We are finally ready to define our main object of study. Definition An elliptic curve E defined over a field k, denoted E/k is the smooth projective variety of the homogeneous ideal generated by a Weierstrass equation of the form Y 2 Z + a 1 XY Z + a 3 Y Z 2 = X 3 + a 2 X 2 Z + a 4 XZ 2 + a 6 Z 3 where a 1, a 2, a 3, a 4, a 6 k. Our first lemma shows that each elliptic curve intersects the line at infinity at exactly one point. Later on, this point will serve as the identity in the group associated with each elliptic curve. Lemma Let E/k be an elliptic curve. Then E O = [0, 1, 0]. Proof. From our definition of O, we see that Z = 0 in the polynomial equation from Definition Using this in the equation gives us 0 = X 3 and thus X = 0 as well. Since

25 3. GEOMETRY OF ELLIPTIC CURVES 24 there is no constraint on Y and we are working in projective space (with homogeneous coordinates), we conclude that the only point at infinity intersecting E is [0, 1, 0]. We will slightly abuse notation and call this point O, after the set of points at infinity defined previously. Lemma provides us with a more intuitive way of thinking about elliptic curves as affine curves with an added point at infinity. Using non-homogeneous coordinates x = X/Z and y = Y/Z, the affine part of E/k is given by E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6. (3.1.1) We can simplify our view of elliptic curves even further if the characteristic of the field k over which the curve is defined is different than 2 or 3. Lemma Let E/k be an elliptic curve and let char(k) 2, 3. Then the variety from Definition is identical to the variety given by E : y 2 = x 3 + ax + b where b 2 = a a 2, b 4 = 2a 4 + a 1 a 3, b 6 = a a 6, as well as b 8 = a 2 1a 6 + 4a 2 a 6 a 1 a 3 a 4 + a 2 a 2 3 a 2 4, c 4 = b b 4, c 6 = b b 2 b 4 216b 6, finally give us a = 27c 4 and b = 54c 6.

26 3. GEOMETRY OF ELLIPTIC CURVES 25 Proof. Since char(k) 2 we can complete the square in Equation (3.1.1) by replacing y with y 2 = 4x 3 + b 2 x 2 + 2b 4 x + b 6. This produces E : y 2 = 4x 3 + b 2 x 2 + 2b 4 x + b 6. We can also eliminate the x 2 term by replacing x and y by (x 3b 2 )/36 and y/108, respectively. Note that we need char(k) 2, 3 and that the equation for our elliptic curve simplifies to E : y 2 = x 3 27c 4 x 54c 6, which is as stated in the theorem with a simple renaming of the coefficients. We will be working with elliptic curves defined over finite fields of characteristic p. Sometimes, these curves can be attained by reduction (modulo p) of the coefficients of a curve defined over a field of characteristic 0 such as Q. We are not guaranteed that a curve obtained in this way will stay smooth. Before we give a theorem that provides a simple condition under which a cubic curve is singular, we examine two types of singularities that can occur. If P is a singular point on a cubic curve E/k given by a Weierstrass equaiton f(x, y), then f = f = 0 x y (0,0) (0,0) and the Taylor expansion of f(x, y) at (x 0, y 0 ) is given by f(x, y) f(x 0, y 0 ) = λ 1 (x x 0 ) 2 + λ 2 (x x 0 )(y y 0 ) + λ 3 (y y 0 ) (x x 0 ) 3 (3.1.2) = [(y y 0 ) α(x x 0 )][(y y 0 ) β(x x 0 )] (x x 0 ) 3 for some λ i in k and α, β k. Example The cubic curve given by the equation f : y 2 = x 3 has a singular point at the origin since f = 3x 2 = 0 x (0,0) (0,0)

27 3. GEOMETRY OF ELLIPTIC CURVES 26 and f = 2y = 0. y (0,0) (0,0) We see that α = β = 0 as defined in Equation (3.1.2). This type of singularity is called a cusp. Example The curve given by g : y 2 = x 3 + x 2 also has the origin as a singular point as differentiation can show. Writing g as (y x)(y + x) x 3 = 0 gives us α = 1 and β = 1 as defined in Equation (3.1.2). This type of singularity is called a node. Definition With notation of Equation (3.1.2), the singular point P is a node if α β, in which case the tangent lines at P are defined by y y 0 = β(x x 0 ) and y y 0 = α(x x 0 ). If α = β then P is a cusp and there is a unique tangent line at P defined by y y 0 = α(x x 0 ). The following quantity is of fundamental importance in recognizing singular curves. Definition The quantity = b 2 b 8 8b b b 2 b 4 b 6 associated with a Weierstrass equation is called the discriminant associated with that curve. For an cubic curve given by the simplified equation f : y 2 = x 3 + ax + b the discriminant is given by = 16(4a b 2 ).

28 3. GEOMETRY OF ELLIPTIC CURVES 27 Example The curves given by f and g in Examples and have the discriminant = 0. This is true in general! Theorem The curve given by a Weierstrass equation can be classified as follows. (i) It is non-singular if and only if 0. (ii) It has a node if and only if = 0 and c 4 0. (iii) It has a cusp if and only if = c 4 = 0. Proof. See [6, Proposition 3.1.4]. In addition to the statement of the theorem, the proof cited above also shows that the point at infinity O is never singular. To see this, consider the curve in P 2 with a homogeneous equation f(x, Y, Z): Y 2 Z X 3 axz 2 bz 3 = 0 and the point O = [0, 1, 0]. Since f/ Z(O) = 1 0, we see that O is a non-singular point on E. In addition, an elliptic curve can have at most one singular point. In the proof we learn that a singular point P = (x 0, y 0 ) has a double root x 0 of f(x) where the elliptic curve is given by E : y 2 = f(x). Since f(x) is cubic, it cannot have two double roots. 3.2 The Group Structure of Elliptic Curves There is a well defined addition of points on an elliptic curve. In fact, points on an elliptic curve form a group under this operation. Thus, we can associate a group to each elliptic curve and study properties of the curve through the algebraic structure of the associated

29 3. GEOMETRY OF ELLIPTIC CURVES 28 group. In order to define addition of points on an elliptic curve we need the fact that a line intersects an elliptic curve exactly three times. Definition A projective line is a projective variety defined by a homogeneous polynomial of degree 1. Of course, we can intuitively think of the line as belonging in affine space in the usual way with an extra point at infinity. Theorem (Bézout s Theorem). Let L P 2 be a projective line and V P 2 be a projective variety defined by a homogeneous polynomial f(x, y, z) of degree 3. Then #V L = 3. Proof. As stated here, this theorem is actually a special case of Bézout s theorem. For the proof see [2, Theorem 8.7.8], or see [7, A.4] for a more elementary treatment. Since we are working in projective space, the point at infinity O of an elliptic curve could be a point of intersection. However, the theory developed previously allows us to consider our line and elliptic curve as subsets of the affine plane with an additional point at infinity. In this scenario, lines passing through O are vertical (see Figure 3.2.1). In addition, the three points of intersection of the line L and an elliptic curve E don t have to be distinct. That is, we count intersections with multiplicity: an inflection point (which can only be O) has multiplicity 3, a point tangent to the curve has multiplicity 2 (Figure 3.2.1) and all other points have multiplicity one. Over certain fields we don t have an appropriate picture for the group law, but we will give explicit formulas and these can be verified algebraically. We can now describe the addition law of points on an elliptic curve E. Let P, Q E, L be the line connecting P and Q (tangent line to E if P = Q), and R the third point of intersection of L with E. Let L be the line connecting R and O. Then P Q is the point

30 3. GEOMETRY OF ELLIPTIC CURVES 29 Figure The addition law (P + Q) and a point of inflection (P + P = O) such that L intersects E at R, O and P Q. See Figure for an illustration of this rule. Proposition An elliptic curve E endowed with the operation described above forms an abelian group. (a) If a line L intersects E at the (not necessarily distinct) points P, Q, R, then (P Q) R = O. (b) P O = P for all P E. (c) Let P E. There is a point of E, denoted P, such that P ( P ) = O. (d) Let P, Q, R E. Then (P Q) R = P (Q R). (e) P Q = Q P for all P, Q E.

31 3. GEOMETRY OF ELLIPTIC CURVES 30 Proof. See [6, Proposition 3.2.2]. The proof can be verified using Figure 3.2.1, as well as through direct computation with the formulas given below. Throughout the rest of the project we will simply use + and instead of and, respectively. We now derive explicit formulas for the group operations, directly following [6, Section 3.2]. Suppose that E is given by a simplified Weierstrass equation E(x, y): y 2 = x 3 + ax + b and let P = (x 0, y 0 ) E. We first compute the coordinates of P. Let L be the line going through P and O. By Proposition (a) and (b) O = (P + O) + ( P ) = P + ( P ), so the third point of intersection is P. Since O = [0, 1, 0], the line L is given by L: x x 0 = 0. Substituting this into the equation for E, we see that the quadratic polynomial E(x 0, y): y 2 x 3 0 ax 0 b = 0 has roots y 0 and y 0, where P = (x 0, y 0 ). Writing out E(x 0, y) = (y y 0 )(y y 0) = y 2 (y 0 + y 0)y + y 0 y and comparing coefficients for y gives y 0 = y 0 which means that P = (x 0, y 0 ). We see that P is just the reflection of P around the x-axis, or the third point of intersection of the line passing through P and O and our elliptic curve (see Figure 3.2.2). Next we derive a formula for the addition law. Let P 1 = (x 1, y 1 ) and P 2 = (x 2, y 2 ) be points of E. If x 1 = x 2 and y 1 = y 2, then P + ( P ) = O. Otherwise the line L through

32 3. GEOMETRY OF ELLIPTIC CURVES 31 Figure Inverse of a point P P 1 and P 2 (tangent line to E if P 1 = P 2 ) has an equation of the form L: y = λx + ν where λ = y 2 y 1 x 2 x 1 and ν = y 1 λx 1 = y 2 λx 2. To get the third point of intersection P 3 = (x 3, y 3 ) we substitute λx + ν for y into E(x, y) to get E(x, λx + ν): (λx + ν) 2 = x 3 + ax + b. Since the roots of E(x, λx + ν) are x 1, x 2, x 3 it follows that x 3 λ 2 x 2 + (a 2λν)x + (b ν) = (x x 1 )(x x 2 )(x x 3 ). By equating coefficients we find that λ 2 = x 1 + x 2 + x 3. Thus, x 3 = λ 2 x 1 x 2 and y 3 = λx 3 + ν. By the addition law stated above, we want P 1 + P 2 to be the third point of intersection of the line passing through P 3 and O. We have already shown this point to be P 3 = (x 3, y 3 )

33 3. GEOMETRY OF ELLIPTIC CURVES 32 while computing the inverse of an arbitrary point on the elliptic curve. Let y 3 = y 3. Then P 3 = P 1 + P 2 = (x 3, y 3 ). We summarize our results. Theorem (Group Law Algorithm). Let E be an elliptic curve given by a Weierstrass equation E : y 2 = x 3 + ax + b. (a) Let P = (x 0, y 0 ) E. Then P 0 = (x 0, y 0 ). Now let P 1 + P 2 = P 3 with P i = (x i, y i ) E. (b) If x 1 = x 2 and y 1 = y 2, then P 1 + P 2 = O. Otherwise, let λ = y 2 y 1 x 2 x 1, ν = y 1x 2 y 2 x 1 x 2 x 1 if x 1 x 2 ; λ = a 2y, ν = x3 1 + ax 1 + 2b 2y 1 if x 1 = x 2. (Then y = λx + ν is the line through P 1 and P 2, or tangent to E if P 1 = P 2.) (c) P 3 = X 1 + X 2 is given by x 3 = λ 2 x 1 x 2 y 3 = λx 3 ν. (d) As special cases of (c), we have the duplication formula for P = (x 0, y 0 ) E, x(p + P ) = x4 0 2ax2 0 8bx 0 + a 2 4x ax b

34 3. GEOMETRY OF ELLIPTIC CURVES 33 Proof. The proof follows from simple manipulation of the expressions derived in the discussion preceding the theorem. Example Let E be defined over R by y 2 = x Let P 1 = ( 1, 4) and P 2 = (2, 5). To compute P 1 + P 2 we first find the line through the two points, y = 1 3 x so λ = 1 3 and ν = 133. Next we have x 3 = λ 2 x 1 x 2 = 8 9 and y 3 = λx 3 + ν = , and finally P 1 + P 2 = (x 3, y 3 ) = ( 8 9, ). To compute P 1 + P 1 = 2P 1 we can use the duplication formula given above, or simply compute the slope of the line tangent to P 1 by implicit differentiation of y 2 = f(x), λ = dy dx = f (x) 2y. Now we have λ = f ( 1) 8 = 3 8 and by following the same steps we used to compute P 1 + P 2, we also compute 2P 1 = ( , ). We have been implicitly assuming that the coordinates of points on an elliptic curve E defined over k lie in the closure k of k. However, we can allow the coordinates of points on E to lie only in a particular extension k of k and still have a well defined addition law on this set. Theorem Let E : y 2 = x 3 + ax + b be an elliptic curve defined over k, and let k be any field extension of k. Then E(k ) = {(x, y) k 2 : y 2 = x 3 + ax + b} {O} is a subgroup of E. In fact, E(k ) E(k ), for any extension k of k.

35 3. GEOMETRY OF ELLIPTIC CURVES 34 Proof. The proof is as in [6, Proposition 3.2.2(f)]. Let P, Q E. If P and Q have coordinates in k, then the equation of the line connecting them has coefficients in k. If further E is defined over k, then the third point of intersection will have coordinates given by a rational combination of the coefficients of the line and of E, so will be in k. We are now ready to present the results about elliptic curves defined over finite fields that will be useful in our research. 3.3 Elliptic Curves Defined over Finite Fields Let E be an elliptic curve and let F q be the finite field of q = p n elements, where p is a prime and n is a positive integer. There are some basic results concerning the group structure of elliptic curves over finite fields. In general, E(F q ) is a finite abelian group, but there are still many possibilities for what group it could be because it is a subset of P 2 (F q ) and since there are many abelian groups of order less than or equal to #P 2 (F q ) = q 2 + q + 1. One of the basic results is on the order of the group. Theorem Let E be an elliptic curve defined over a finite field of q = p n elements. Then #E(F q ) = 1 + q a q, where a q is an integer in the range 2 q a q 2 q. Proof. See [6, Section 5.2]. The following lemma allows us to compute the order of E(F p 2) as a function of p and a p, thus eliminating the need to know a p 2. Lemma Let E be an elliptic curve defined over F p with a p as given in Theorem Then, #E(F p 2) = (1 + p + a p )(1 + p a p ).

36 3. GEOMETRY OF ELLIPTIC CURVES 35 Proof. From the discussion following [6, Proposition 5.2.3], we know that there exist some complex conjugates α, β C of q such that q = (αβ) n and a q = α n + β n. From here we compute (α + β) 2 = 2αβ + α 2 + β 2 which is equivalent to a 2 p = 2p + a p 2 so that a p 2 = a 2 p 2p. By Theorem 3.3.1, #E(F q ) = 1 q + a q which gives us the desired result with q = p 2 : #E(F p 2) = 1 + (αβ) 2 (α 2 + β 2 ) = 1 + p 2 + 2p a 2 p = (1 + p + a p )(1 + p a p ). We can classify the group structure of elliptic curves based on their order. Theorem Let F q be a finite field with q = p n elements. Then one of the following conditions is satisfied: (i) (a q, q) = 1, (ii) a q = 0, n odd or p 1(4), (iii) a q = ± q, n even or p 1(3), (iv) a q = ±2 q, n even,

37 3. GEOMETRY OF ELLIPTIC CURVES 36 (v) a q = ± 2q, n odd and p = 2, (vi) a q = ± 3q, n odd and p = 3. Proof. See [9]. Note that we have allowed for p = 2, 3 and that all elliptic curves belong to one of the six types. Types (ii) through (vi) are known as the supersingular elliptic curves. Supersingular curves are not singular, because then they wouldn t be elliptic curves at all. Their group structure has been determined. Theorem The possible group structures for curves in cases (ii) through (vi) from Theorem are (ii) Z/2 Z/(q + 1)/2 or cyclic if q 3(4), cyclic otherwise, (iii) Cyclic, (iv) (Z/( q ± 1)) 2, (v) Cyclic, (vi) Cyclic. Proof. See [5]. Finally, curves of type (i) satisfy a q 0 (p) and the group structure of these nonsupersingular curves is restricted by the following result due to Voloch. Let V l (N) be the l-adic valuation of N, i.e., the largest integer k such that l k N. Theorem (Voloch s Theorem). The possible group structures for a non-supersingular elliptic curve E defined over a finite field are E(F q ) = Z/p vp(n) l N l p (Z/l r l Z/l s l ) where each l is prime, N = #E(F q ), r l + s l = V l (N), and min(r l, s l ) V l (q 1).

38 3. GEOMETRY OF ELLIPTIC CURVES 37 Proof. See [8]. Notice that this is very restrictive, and that not every finite abelian group can occur as the group of F q -rational points of an elliptic curve. However, Voloch s result in general gives multiple possible group structures, the number of which depends on min(r l, s l ) for the curve in question. We give one final result about the structure of points of an elliptic curve E having order m. Theorem Let E be an elliptic curve defined over a finite field and let E[m] denote the set of points of E having order m. Then E[m] = (Z/mZ) (Z/mZ). Proof. See [6, Corollary 3.6.4].

39 4 Behavior of Elliptic Curves Under Field Extensions Throughout this project, we will consider elliptic curves E given by a Weierstrass equation in the particularly simplified form of Lemma 3.1.3: E : y 2 = x 3 + ax + b. This means that we omit curves defined over fields of characteristic 2 or 3 from consideration, since their inclusion in the project would greatly complicate our equations and since the central problem of this project is easily solved by direct computation for such small fields. Let E be an elliptic curve defined over a finite field F p, where p 2, 3. In this chapter we prove that E(F p 2) is completely determined by E(F p ) for supersingular curves and curves with a p = 1. For curves with a p = 1, we give the necessary conditions and a method to determine E(F p 2) given E(F p ). 4.1 Statement of the Problem Let E be an elliptic curve defined over the finite field F p. The question we are trying to answer is the following. Given E(F p ), to what extent does the group structure change

40 4. BEHAVIOR OF ELLIPTIC CURVES UNDER FIELD EXTENSIONS 39 upon a degree two extension of the base field F p? In particular, to what extent does E(F p ) determine E(F p 2)? We are interested in the answer because if E(F p 2) is determined by E(F p ), in order to find the bigger group we only need to compute E(F p ). Even when E(F p 2) is not completely determined, it is useful to know to what extent it depends on E(F p ) since we might be able to reduce the amount of work necessary to find E(F p 2). 4.2 The Supersingular Case Since Theorem allows for fields of characteristic 2 and 3 we lift this restriction and allow for such fields when working with supersingular curves. Theorem Let E be a supersingular elliptic curve defined over F p. Then E(F p 2) is uniquely determined by E(F p ). Proof. By Theorem 3.3.3, we have five cases to consider. Let q = p 2. Suppose that a p = 0 so that our curve is of type (ii) as in Theorem Using Lemma we know that a q = (a p ) 2 2p = 2p = 2 q. Since we are considering q = p 2, the power of p is even and the a q term characterizes our group structure to be (Z/(p ± 1)) 2 by Theorem Suppose that our curve is of type (iii) in Theorem This means that a p = ± p and that p 1 (3). Computing as above, a q = p = q with q an even power of p. By Theorem 3.3.4, we conclude that E(F p 2) is cyclic. Suppose that our curve is of type (iv) in Theorem Then a p = ±2 p and as before we compute a q = 2 q with n even. Again, the group structure of E(F p 2) is determined to be (Z/(p ± 1)) 2. Suppose that our curve is of type (v) in Theorem Then we have a p = ± 2p and p = 2. Now, a q = 0 and note that 2 1 (4) is satisfied. It follows that the group structure of E(F p 2) is given by Theorem 3.3.4, case (ii).

41 4. BEHAVIOR OF ELLIPTIC CURVES UNDER FIELD EXTENSIONS 40 Finally, suppose that our curve is of type (vi) in Theorem Hence a p = ± 3p and a q = q with 3 1 (3) and the group structure of E(F p 2) is cyclic. With this, we have determined the group structure of E(F p 2) completely, knowing only the order of E(F p ) for all possible supersingular curves over F p. By generalizing the process from the proof of Lemma one can compute #E(F q ) as a function of p and a p for any q = p n. It is reasonable to conjecture that raising a p to various powers in the resulting polynomials wouldn t change the way our proof of Theorem works and that in fact E(F p ) determines E(F q ) for all q = p n! Conjecture Let E be a supersingular elliptic curve defined over F p and let q = p n. Then E(F q ) is uniquely determined by E(F p ) for all positive integers n. 4.3 The a p = 1 Case Proposition Let E be an elliptic curve defined over F p. If a p = 1, then E(F p 2) is uniquely determined by E(F p ). Proof. Suppose that a p = 1. Note that by Theorem #E(F p ) = p + 2 and by Lemma #E(F p 2) = p(p + 2). This means that E(F p 2) = Z/p E(F p ) since the groups are abelian and E(F p ) E(F p 2). This completes the proof! The a p = 1 case is thus very simple. Note that we didn t have to use Voloch s structure theorem (Theorem 3.3.5) for this proof at all. In fact, all we needed was the fact that a p = 1, that is, the number of points in the group. Voloch s Theorem alone couldn t solve this problem since it in general gives many possible groups for a particular curve. For the a p = 1 case, however, we will use it to narrow the group choices down enough to be able to solve our problem!

42 4. BEHAVIOR OF ELLIPTIC CURVES UNDER FIELD EXTENSIONS 41 Example Let E be an elliptic curve defined over F 13 given by y 2 = x 3 + 2x + 2. It is easy to count the number of points on E, and this gives us a 13 = 1. By Theorem 3.3.1, N 1 = #E(F p ) = p + 2 so in this case N 1 = 15. For all primes l (p + 2) the group E(F p ) is determined by the equations r l + s l = V l (p + 2) and min {r l, s l } V l (p 1) by Voloch s result. Computing the possible groups for E(F p 2) gives us a similar set of equations. In particular, note that #E(F p 2) = p(p + 2) by Lemma Then, for any prime l N 2 it is necessarily true that l p + 2. This means that the group structure of E(F p 2) is also determined by the equations r l + s l = V l (p + 2) and min {r l, s l } V l ((p 1)(p + 1)) = V l (p 1) as used in Voloch s result. The only reason we know that r l and s l are guaranteed to be the same for both groups is because of Proposition Computing the coefficients for the curve in question, however, gives only one possible group structure. Since #E(F p ) = 15, the possible values for l are 3 and 5. In both cases, r l + s l = 1 and so r 3 = r 5 = 1 while s 3 = s 5 = 0. Hence, E(F p ) = Z/3 Z/5 and consequently E(F p 2) = Z/13 Z/ The a p = 1 Case In this section, Theorem gives the necessary conditions to determine E(F p 2) given E(F p ). First we prove two lemmas.

43 4. BEHAVIOR OF ELLIPTIC CURVES UNDER FIELD EXTENSIONS 42 Lemma Let E be an elliptic curve defined over F p and suppose that a p = 1. Then the possible structure of E(F p 2) is E(F p 2) = Z/p Z/l Vl(p+2) l p,3 { Z/3 t, if min (r 3, s 3 ) = 0; Z/3 Z/3 t 1, if min (r 3, s 3 ) = 1, where r 3 and s 3 are as defined in Theorem and t = V 3 (p + 2). Proof. By Theorem and Lemma we see that #E(F p ) = p and #E(F p 2) = p(p + 2). Since p is prime, this forces E(F p ) = Z/p. We can now use Voloch s result (Theorem 3.3.5) to help us determine the structure of E(F p 2). We know that: E(F p 2) = Z/p l p (Z/l r l Z/l s l ) (4.4.1) where each l is a prime and N = #E(F q ). The theorem also states that we can limit the possibilities for r l and s l because r l + s l = V l (N) = V l (p(p + 2)) and more crucially min (r l, s l ) V l (q 1) = V l ((p 1)(p + 1)). We are only interested in the cases when V l (N) 0. So we can suppose that l N and so V l (p(p + 2)) 0. Since p is prime, V l (N) = V l (p + 2). If l 3 then l (p 1), (p + 1) and because V l (AB) = V l (A) + V l (B) (which is easy to verify and is one of the axioms for a valuation) then V l ((p + 1)(p 1)) = 0 and so min (r l, s l ) = 0. Without loss of generality, take r l = 0. Since r l +s l = V l (p+2) we have s l = V l (p+2). The l-term for l 3 therefore looks like Z/l Vl(p+2). (4.4.2)