Embed Size (px)
Citation preview
Introduction to Elliptic Curves
What is an Elliptic Curve?
An Elliptic Curve is a curve given by an equation
E : y2 = f(x)
Where f(x) is a square-free (no double roots) cubic or a quartic polynomial
After a change of variables it takes a simpler form:
E : y2 = x3 + Ax + B 0274 23 BA
So y2 = x3 is not an elliptic curve but y2 = x3-1 is
Why is it called Elliptic?
Arc Length of an ellipse =
1
1 222
22
)1)(1(
1dx
xkx
xka
dx
xa
xabaa
a
22
2222 /1
Let k2 = 1 – b2/a2 and change variables x ax.
Then the arc length of an ellipse is
dxy
xka
1
1
221Length Arc
with y2 = (1 – x2) (1 – k2x2) = quartic in x
Graph of y2 = x3-5x+8
0
Elliptic curves can have separate components
E : Y2 = X3 – 9X
0
Addition of two Points P+Q
P+Q
R
Q
P
Doubling of Point P
P
2*P
RTangent Line to E at P
Point at Infinity
P
Q
O
Addition of Points on E
1. Commutativity. P1+P2 = P2+P1
2.Existence of identity. P + O = P
3. Existence of inverses. P + (-P) = O
4. Associativity. (P1+P2) + P3 = P1+(P2+P3)
Addition Formula
21 xx If
12
12
xx
yym
1
21
2
3
y
Axm
If 21 xx
212
3 xxmx
1313 )( yxxmy
Note that when P1, P2 have rational coordinates and A and B are rational, then P1+P2 and 2P also have rational coordinates
Suppose that we want to add the points
P1 = (x1,y1) and P2 = (x2,y2)
on the elliptic curve
E : y2 = x3 + Ax + B.
Important Result
Theorem (Poincaré, 1900): Suppose that an elliptic curve E is given by an equation of the form
y2 = x3 + A x + B with A,B rational numbers.
Let E(Q) be the set of points of E with rational coordinates,
E(Q) = { (x,y) E : x,y are rational numbers } { O }.
Then sums of points in E(Q) remain in E(Q).
The many uses of elliptic curves.
Really Complicated first…
Elliptic curves were used to prove Fermat’s Last Theorem
Ea,b,c : y2 = x (x – ap) (x + bp)
Suppose that ap + bp = cp with abc 0.
Ribet proved that Ea,b,c is not modular
Wiles proved that Ea,b,c is modular.
Conclusion: The equation ap + bp = cp has no solutions.
Elliptic Curves and String TheoryIn string theory, the notion of a point-like particle is replaced by a curve-like string.
As a string moves through space-time, it traces out a surface.
For example, a single string that moves around and returns to its starting position will trace a torus.
So the path traced by a string looks like an elliptic curve!
Points of E with coordinates in the complex numbers C form a torus, that is, the surface of a donut.
Congruent Number Problem
Which positive rational n can occur as areas of right triangles with rational sides?
Ex: 5 is a congruent number because it is the area of 20/3, 3/2, 41/6 triangle
This question appears in 900A.D. in Arab manuscripts
A theorem exists to test the numbers but it relies on an unproven conjecture.
Congruent Number Problem cont….
ynxa /)( 22 y
nxb
2
222 cba Suppose a, b and c satisfy nab
2
Then setb
canx
)(
2
2 )(2y
b
can
A Calculation shows that xnxy 232
A positive rational number n is congruent if and only if the elliptic curvehas a rational point with y not equal to 0
y
nxc
22 Conversely:
Congruent Number Problem cont…Continuing with n = 5 xxy 2532
We have Point (-4,6) on the curve
1728
62279
144
16812 yxisPfindWe
We can now find a, b and c
Factoring Using Elliptic CurvesEx: We want to factor 4453
)3,1()4453(mod21032 Pletxxy
Step 1. Generate an elliptic curve with point P mod n
Step 2. Compute BP for some integer B.
)4453(mod37136
13
2
1032
2
y
xfirstPcomputeLets
)4453(mod371161)4453,6gcd( 1 findtothatfacttheusedWe
32303)1(371323713),(2 2 xyxwithyxPthatfindwe
)3230,4332(2 isP
Factoring Continued..
Step 3. If step 2 fails because some slope does not exist mod n, the we
have found a factor of n.
PandPaddwePcomputeTo 23
4331
3227
14332
33230
isslopeThe
)4453(mod4331161)4453,4331gcd( 1 findnotcanweBut
445361, offactorthefoundhaveweHowever
Cryptography
Suppose that you are given two points P and Q in E(Fp).
The Elliptic Curve Discrete Logarithm Problem (ECDLP) is to find an integer m satisfying
Q = P + P + … + P = mP.
m summands
• If the prime p is large, it is very very difficult to find m.
• The extreme difficulty of the ECDLP yields highly efficient cryptosystems that are in widespread use protecting everything from your bank account to your government’s secrets.
Elliptic Curve Diffie-Hellman Key Exchange
Public Knowledge: A group E(Fp) and a point P of order n.
BOB ALICE
Choose secret 0 < b < n Choose secret 0 < a < n
Compute QBob = bP Compute QAlice = aP
Compute bQAlice Compute aQBob
Bob and Alice have the shared value bQAlice = abP = aQBob
Send QBob to Alice
to Bob Send QAlice
Can you solve this?
Suppose a collection of cannonballs is piled in a square pyramid with one ball on the top layer, four on the second layer, nine on the third layer, etc.. If the pile collapses, is it possible to rearrange the balls into a square array (how many layers)?
...)())()(( 23 xcbaxcxbxax
Hint:
32 PPFind
solutionstrivialarePandP 21
Solution
6
)12)(1(...321 2322
xxx
x
6
)12)(1(2
xxxy
)1,1()0,0( 21 PP
This is an elliptic curve
We know two points
The line through these points is y = x
6236
)12)(1( 232 xxxxxxx
02
1
2
3 23 xxx
Solution cont…
)2
1,
2
1(
2
310 3 isPthereforex
2332 xyisPandPthroughlineThe
6
)12)(1()23( 2
xxx
x
0...2
51 23 xx
2
511
2
1 x 24x 70y
22222 7024...321
References
Elliptic Curves Number Theory and Cryptography
Lawrence C. Washington http://www.math.vt.edu/people/brown/doc.html http://www.math.brown.edu/~jhs/
