The group law on elliptic curves

Similar documents
Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

CORRESPONDENCE BETWEEN ELLIPTIC CURVES IN EDWARDS-BERNSTEIN AND WEIERSTRASS FORMS

School of Mathematics

AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC CURVES

Quadratic points on modular curves

Algebraic structures I

NOTES ON FINITE FIELDS

Homework 6 Solution. Math 113 Summer 2016.

Elliptic Curves and Public Key Cryptography (3rd VDS Summer School) Discussion/Problem Session I

Topics in Number Theory: Elliptic Curves

Chapter 3. Rings. The basic commutative rings in mathematics are the integers Z, the. Examples

LECTURE 7, WEDNESDAY

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

The Group Structure of Elliptic Curves Defined over Finite Fields

ABSTRACT ALGEBRA MODULUS SPRING 2006 by Jutta Hausen, University of Houston

Group Law for elliptic Curves

Polynomials, Ideals, and Gröbner Bases

1. multiplication is commutative and associative;

(1) A frac = b : a, b A, b 0. We can define addition and multiplication of fractions as we normally would. a b + c d

Elliptic curves over Q p

THE JOHNS HOPKINS UNIVERSITY Faculty of Arts and Sciences FINAL EXAM - FALL SESSION ADVANCED ALGEBRA I.

6]. (10) (i) Determine the units in the rings Z[i] and Z[ 10]. If n is a squarefree

1. Factorization Divisibility in Z.

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra

LECTURE 2 FRANZ LEMMERMEYER

Math 797W Homework 4

Elliptic Curves and Public Key Cryptography

Public-key Cryptography: Theory and Practice

Modern Number Theory: Rank of Elliptic Curves

Institutionen för matematik, KTH.

Yuriy Drozd. Intriduction to Algebraic Geometry. Kaiserslautern 1998/99

Formal groups. Peter Bruin 2 March 2006

Algebra Review. Instructor: Laszlo Babai Notes by Vincent Lucarelli and the instructor. June 15, 2001

Elliptic Curves Spring 2017 Lecture #5 02/22/2017

Algebraic Varieties. Chapter Algebraic Varieties

AN INTRODUCTION TO ARITHMETIC AND RIEMANN SURFACE. We describe points on the unit circle with coordinate satisfying

Continuing the pre/review of the simple (!?) case...

Exercises for algebraic curves

Mathematics 222a Quiz 2 CODE 111 November 21, 2002

Elliptic Curves: An Introduction

Modern Computer Algebra

Discrete Logarithms. Let s begin by recalling the definitions and a theorem. Let m be a given modulus. Then the finite set

CHAPTER 14. Ideals and Factor Rings

Math 581 Problem Set 7 Solutions

12 Hilbert polynomials

Introduction to Arithmetic Geometry

12. Hilbert Polynomials and Bézout s Theorem

Solutions 13 Paul Garrett garrett/

Math 210B: Algebra, Homework 4

Models of Elliptic Curves

Math 429/581 (Advanced) Group Theory. Summary of Definitions, Examples, and Theorems by Stefan Gille

ADVANCED TOPICS IN ALGEBRAIC GEOMETRY

Profinite Groups. Hendrik Lenstra. 1. Introduction

TEST CODE: PMB SYLLABUS

Course 2316 Sample Paper 1

Part 1. For any A-module, let M[x] denote the set of all polynomials in x with coefficients in M, that is to say expressions of the form

Math 120 HW 9 Solutions

Honors Algebra 4, MATH 371 Winter 2010 Assignment 4 Due Wednesday, February 17 at 08:35

Algebra Exam Fall Alexander J. Wertheim Last Updated: October 26, Groups Problem Problem Problem 3...

To hand in: (a) Prove that a group G is abelian (= commutative) if and only if (xy) 2 = x 2 y 2 for all x, y G.

5 Group theory. 5.1 Binary operations

ENTRY GROUP THEORY. [ENTRY GROUP THEORY] Authors: started Mark Lezama: October 2003 Literature: Algebra by Michael Artin, Mathworld.

Math 121 Homework 5: Notes on Selected Problems

Foundations of Cryptography

THE EULER CHARACTERISTIC OF A LIE GROUP

MATHEMATICS COMPREHENSIVE EXAM: IN-CLASS COMPONENT

Just like the ring of Gaussian integers, the ring of Eisenstein integers is a Unique Factorization Domain.

1. Let r, s, t, v be the homogeneous relations defined on the set M = {2, 3, 4, 5, 6} by

Handout - Algebra Review

LECTURE 10, MONDAY MARCH 15, 2004

Honors Algebra 4, MATH 371 Winter 2010 Assignment 3 Due Friday, February 5 at 08:35

1 Structures 2. 2 Framework of Riemann surfaces Basic configuration Holomorphic functions... 3

Commutative Algebra. Andreas Gathmann. Class Notes TU Kaiserslautern 2013/14

1 First Theme: Sums of Squares

φ(xy) = (xy) n = x n y n = φ(x)φ(y)

D-MATH Algebra I HS18 Prof. Rahul Pandharipande. Solution 6. Unique Factorization Domains

Introduction to Algebraic Geometry. Franz Lemmermeyer

Module MA3411: Abstract Algebra Galois Theory Michaelmas Term 2013

A Generalization of Wilson s Theorem

Elliptic Curves with 2-torsion contained in the 3-torsion field

MATH 403 MIDTERM ANSWERS WINTER 2007

Gaussian integers. 1 = a 2 + b 2 = c 2 + d 2.

Points of Ninth Order on Cubic Curves

APPM 3310 Problem Set 4 Solutions

Chapter 3. Introducing Groups

HOME ASSIGNMENT: ELLIPTIC CURVES OVER FINITE FIELDS

CSIR - Algebra Problems

Dip. Matem. & Fisica. Notations. Università Roma Tre. Fields of characteristics 0. 1 Z is the ring of integers. 2 Q is the field of rational numbers

THE MORDELL-WEIL THEOREM FOR Q

Introduction to Algebraic Geometry. Jilong Tong

Graded modules over generalized Weyl algebras

Algorithmic Number Theory in Function Fields

Arithmetic Progressions Over Quadratic Fields

1 Fields and vector spaces

MT5836 Galois Theory MRQ

Math Midterm Solutions

Algebra homework 6 Homomorphisms, isomorphisms

Math 611 Homework 6. Paul Hacking. November 19, All rings are assumed to be commutative with 1.

Chapter 1. Complex Numbers. Dr. Pulak Sahoo

Transcription:

Mathematisch Instituut Universiteit Leiden

Elliptic curves The theory of elliptic curves is a showpiece of modern mathematics. Elliptic curves play a key role both in the proof of Fermat s Last Theorem and in the construction of the best cryptographic schemes available. Undergraduates have good reasons to wish to know more about elliptic curves. What can we teach them?

The first non-trivial theorem Let k be a field. An elliptic curve over k is a smooth curve defined by an equation of the form y 2 z + a 1 xyz + a 3 yz 2 = x 3 + a 2 x 2 z + a 4 xz 2 + a 6 z 3 with all a i k. Fact. The set of points in the projective plane over k that satisfy the equation has a natural addition law that turns it into an abelian group. To be done: 1: Turn the Fact into a Theorem: define everything! 2: Prove the Theorem.

What I shall do 1: I will briefly recall the algebraic definitions of the geometric terms to be used. A good reference: Ideals, varieties and algorithms, by Cox, Little, & O Shea. I will define the addition law. 2: I will outline a proof that we do get an abelian group. The proof depends on basic properties of commutative rings. I shall use a ring that has a formal resemblance to the ring Z[i] of Gaussian integers. Promise: all details I omit are indeed details.

Zero sets of polynomials Let k be a field with algebraic closure k, and n Z 0. Projective n-space over k is P n (k) = (k n+1 \{0})/k. For F k[x 0,..., X n ] non-zero and homogeneous, put Z(F ) = {(x 0 :... : x n ) P n ( k) : F (x 0,..., x n ) = 0}. It is a hypersurface of degree deg F in P n ( k), defined over k. If n = 1, then Z(F ) consists of deg F points, counting multiplicities: Z(F ) = {P 1,..., P deg F }. The bold-faced braces indicate that this is a set with multiplicities.

Plane curves Now let n = 2, and write X, Y, Z for X 0, X 1, X 2. A hypersurface in P 2 ( k) is called a plane curve, and if the degree is 1 it is called a line: L = Z(aX + by + cz) with a, b, c not all 0. One may identify a line L with P 1 ( k). If ax + by + cz does not divide F, then L Z(F ) will be identified with a hypersurface of degree deg F in P 1 ( k), so it consists of deg F points: L Z(F ) = {P 1,..., P deg F }.

Non-singular points Let F k[x, Y, Z] be non-zero and homogeneous, with partial derivatives F X, F Y, F Z. We call a point P = (x : y : z) Z(F ) non-singular if not all of a = F X (x, y, z), b = F Y (x, y, z) c = F Z (x, y, z) are zero. In that case L = Z(aX + by + cz) is the unique tangent line to Z(F ) through P, in the sense that P is a point of L Z(F ) of multiplicity at least 2. The curve Z(F ) is called smooth if all P Z(F ) are non-singular.

Weierstrass curves Let k be a field. We call a polynomial W of the form Y 2 Z + a 1 XY Z + a 3 Y Z 2 X 3 a 2 X 2 Z a 4 XZ 2 a 6 Z 3 with all a i k a Weierstrass polynomial over k. The plane curve Z(W ) of degree 3 is called a Weierstrass curve over k. It is an elliptic curve if it is smooth. Let E = Z(W ) be a Weierstrass curve over k. Write E(k) = E P n (k), E(k) ns = {non-singular points on E(k)}. Note: O = (0 : 1 : 0) E(k) ns.

The chord and tangent process Let E be a Weierstrass curve over a field k. Theorem. Let L be a line in P 2 ( k) with L E = {P, Q, R}. Suppose that P and Q belong to E(k) ns. Then so does R. Put P + Q = S if there are lines L and M in P 2 ( k) such that L E = {P, Q, R} and M E = {O, R, S}. This is a well-defined operation on E(k) ns! Theorem. The operation + makes E(k) ns into an abelian group with neutral element O.

Two examples Put k = F 2 = Z/2Z, and let E 1 and E 2 be the Weierstrass curves over k defined by W 1 = Y 2 Z + XY Z X 3 X 2 Z, W 2 = Y 2 Z + XY Z X 3 XZ 2. Then E 1 (k) and E 2 (k) both consist of the four points (0 : 1 : 0), (0 : 0 : 1), (1 : 0 : 1), (1 : 1 : 1). The point (0 : 0 : 1) is singular on E 1 and non-singular on E 2, and the other points are non-singular on both. The group E 1 (k) ns consists of three collinear points, and is cyclic of order 3. The group E 2 (k) ns is cyclic of order 4.

Infinite and finite points Generally, O = (0 : 1 : 0) is the only point on E(k) with z = 0. It is non-singular, with tangent line Z(Z), and Z(Z) E(k) = {O, O, O}. A finite point (x : y : 1) is on E(k) if and only if w = Y 2 + a 1 XY + a 3 Y X 3 a 2 X 2 a 4 X a 6 vanishes in (x, y). The point (0 : 0 : 1) is a singular point on E(k) if and only if w is in the k[x, Y ]-ideal (X 2, XY, Y 2 ) = (X, Y ) 2. Likewise, (x : y : 1) is a singular point on E(k) if and only if w (X x, Y y) 2.

The hero of the story We write A = k[x, Y ]/(w), which is a commutative ring containing k. Each finite (x : y : 1) E(k) gives a ring homomorphism ϕ: A k with X x, Y y, and an ideal m = ker ϕ. The set E(k)\{O} is in bijection with the set of A-ideals m with dim k (A/m) = 1. The set E(k) ns \{O} is in bijection with the set of A-ideals m with dim k (A/m) = dim k (m/m 2 ) = 1. Hence E(k) ns is in bijection with the set of A-ideals m with dim k (A/m) = dim k (m/m 2 ) 1.

Euclidean rings The ring Z comes with the function Z Z 0, n n. It satisfies nm = n m, n = #(Z/nZ) (for n 0). For a field k, the polynomial ring k[x] comes with the function deg : k[x]\{0} Z 0. It satisfies deg(fg) = deg f + deg g, deg f = dim k (k[x]/(f)) because 1, X,..., X (deg f) 1 yield a k-basis for k[x]/(f).

Gaussian integers The ring of Gaussian integers is Z[i] = {a + bi : a, b Z}. It has a ring automorphism defined by a + bi = a bi, and a norm map Z[i] Z sending α = a + bi to αᾱ = a 2 + b 2. The norm map makes Z[i] into a Euclidean ring.

The counting norm Theorem. One has #Z[i]/αZ[i] = αᾱ for α 0. Proof. Put N(α) = #Z[i]/αZ[i]. One has: N(α) = N(ᾱ) because #Z[i]/αZ[i] = #Z[i]/ᾱZ[i]. N(m) = m 2 for m Z\{0} because Z[i]/mZ[i] = Z/mZ Z/mZ as groups. N(αβ) = N(α)N(β) because of the exact sequence β 0 Z[i]/αZ[i] Z[i]/αβZ[i] Z[i]/βZ[i] 0. Now N(α) 2 = N(α)N(ᾱ) = N(αᾱ) = (αᾱ) 2, done!

An analogous ring One has Z[i] = Z[Y ]/(Y 2 + 1), Z[i] = Z Zi, i 2 = 1. With w = Y 2 + a 1 XY + a 3 Y X 3 a 2 X 2 a 4 X a 6 we defined A = k[x, Y ]/(w). Write w = Y 2 uy v with u, v k[x]. Then if Y denotes the coset Y + (w), one has A = k[x][y ]/(Y 2 uy v) = k[x] k[x]y, Y 2 = v + uy, deg u 1, deg v = 3.

The counting norm again Analogously to Y 2 + 1 = (Y i)(y ī), one has Y 2 uy v = (Y Y)(Y Ȳ), where Ȳ = u Y. This gives rise to a ring automorphism : A A, f + gy = f + gȳ (f, g k[x]) and to a norm map A k[x] sending α = f + gy A to αᾱ = f 2 + fgu g 2 v k[x]. Theorem. One has dim k (A/αA) = deg(αᾱ) for α 0. This is proved exactly as for Z[i]!

The degree of the norm For α = f + gy A one has deg(αᾱ) = deg(f 2 +fgu g 2 v) = max{2 deg f, 3+2 deg g}. It follows that A is a domain. Also: Theorem. The elements e 0, e 2, e 3, e 4,... of A defined by e 2j = X j, e 3+2j = X j Y (j 0) form a basis of A over k, and for α = i 1 c ie i A (with c i k not all zero), one has deg(αᾱ) = max{i : c i 0}. The absence of e 1 implies that A is not Euclidean.

Poor man s Riemann Roch Theorem. For each ideal a of A there is a unique principal ideal αa a such that dim k (a/αa) 1. Outline of proof. First show that dim k (A/a) = m (say) is finite if a 0. The m + 1 elements e 0, e 2,..., e m+1 become linearly dependent in A/a, so some non-zero α = 1 i m+1 c ie i is in a, and then dim k (A/αA) = max{i : c i 0} m + 1. This proves existence. One proves uniqueness similarly. One can deduce: A is a PID if and only if E(k) = {O}.

The Picard group The Picard group Pic B of a domain B is the set of equivalence classes [a] of invertible ideals a B, with multiplication [a][b] = [ab]. It is abelian. Here a is invertible if ab = αb for some ideal b and some non-zero α B. Two invertible ideals a, b are equivalent if there are non-zero α, β B with βa = αb. We shall show that E(k) ns is a group by exhibiting a bijection E(k) ns = Pic A.

Putting things together Reminder: E(k) ns is in bijection with the set S of A-ideals m with dim k (A/m) = dim k (m/m 2 ) 1. We make S (and hence E(k) ns ) into a group by proving that m [m] defines a bijection S Pic A. Ingredients of the proof: a technical lemma showing that an A-ideal m with dim k (A/m) = 1 is in S if and only if m is invertible; poor man s Riemann Roch, which shows that for any [a] Pic A there is a unique m S with [a][m] = 1.

The technical lemma Lemma. Let m = (α, β) be a maximal ideal of a domain B. Then: m is invertible dim B/m (m/m 2 ) = 1. : use that a am gives a bijection {ideals a between B and m} {ideals between m and m 2 }. : if (say) m = αb + m 2 then β αb + m 2 = (α, β 2 ), so there is γ B with β γβ 2 mod αb, and then n = (α, 1 γβ) satisfies mn = αb.

Summary of the group law To add P, Q in the group E(k) ns : find the corresponding A-ideals m, n S; compute the ideal product mn = a in A; determine the unique l S such that al is principal; find the point in E(k) ns corresponding to l S. That is P + Q! Since all proofs are completely explicit, one verifies without trouble that P + Q can equivalently be obtained by the chord and tangent process.

Tableau de la troupe (1) Euclid of Alexandria, Greek mathematician, 300 BC. Pierre de Fermat, French mathematician, 1601 1665. Carl Friedrich Gauss, German mathematician, 1777 1855. Niels Henrik Abel, Norwegian mathematician, 1802 1829. Karl Weierstrass, German mathematician, 1815 1897. Bernhard Riemann, German mathematician, 1826 1866.

Tableau de la troupe (2) Gustav Roch, German mathematician, 1839 1866. Émile Picard, French mathematician, 1856 1941. David Cox, American mathematician, 1948. John Little, American mathematician, 1956. Donal O Shea, Canadian mathematician, 1952.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback