Rational Points on an Elliptic Curve Dr. Carmen Bruni University of - - PowerPoint PPT Presentation

Rational Points on an Elliptic Curve

• Dr. Carmen Bruni

University of Waterloo

November 11th, 2015 Lest We Forget

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Revisit the Congruent Number Problem

Congruent Number Problem Determine which positive integers N can be expressed as the area

• f a right angled triangle with side lengths all rational.

For example 6 is a congruent number since it is the area of the 3 − 4 − 5 right triangle.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Enter Elliptic Curves

The associated equations with the congruent number problem, namely x2 + y2 = z2 xy = 2N can be converted to an elliptic curve of the form Y 2 = X 3 − N2X. We also saw that we can reduce our problem to considering only squarefree numbers N.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Going Backwards

The belief now is that solving problems related to elliptic curves might be easier than the originally stated problem. The question now that occurs is can we go from an elliptic curve of the form y2 = x3 − N2x to a rational right triangle with area N?

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Key Theorem 1

Theorem 1. Let (x, y) be a point with rational coordinates on the elliptic curve y2 = x3 − N2x where N is a positive squarefree integer. Suppose that x satisfies three conditions:

1 x is the square of a rational number 2 x has an even denominator 3 x has a numerator that shares no common factor with N

Then there exists a right angle triangle with rational sides and area N, that is, N is congruent.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Key Theorem 2

Theorem 2. A number N is congruent if and only if the elliptic curve y2 = x3 − N2x has a rational point P = (x, y) distinct from (0, 0) and (±N, 0). Thus, determining congruent numbers can be reduced to finding rational points on elliptic curves!

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 1

Let (x, y) be a point with rational coordinates on the elliptic curve y2 = x3 − N2x where N is a positive squarefree integer where x is a rational square, has even denominator (in lowest terms) and has a numerator that shares no common factor with N. Our goal is to trace backwards the proof from last week. Let u = √x which is given to be rational. Set v = y

u giving

v2 = y2

u2 = x3−N2x x

= x2 − N2. Let d be the smallest integer such that du ∈ Z (namely the denominator of u in lowest terms). Note that d is even by assumption and that d4 is the denominator for u2 = x.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 1

Since v2 = x2 − N2 and N2 is an integer, then d4 is also the denominator of v2. Multiplying everything by d4 gives (d2v)2 = (d2x)2 − (d2N)2 . Since (d2v)2 = (d2x)2 − (d2N)2, the triple (d2v, d2x, d2N) forms a Pythagorean triple. Since the numerator of x shares no common factor with N, we have that this is a primitive triple and thus, by problem set 1, there exist integers a and b

• f opposite parity such that

d2N = 2ab d2v = a2 − b2 d2x = a2 + b2

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 1

Create the triangle with sides 2a/d, 2b/d and 2u. This satisfies the Pythagorean Theorem since (2a/d)2 + (2b/d)2 = 4a2/d2 + 4b2/d2 = 4/d2(a2 + b2) = 4/d2(d2x) = 4x = (2u)2 and it has area N since A = 1 2 · 2a d · 2b d = 2ab d2 = N.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Summary of Key Theorem 1

From the triple, d2N = 2ab d2v = a2 − b2 d2x = a2 + b2, we can add and subtract twice the first to the last equation to get d2(x + N) = a2 + 2ab + b2 = (a + b)2 d2(x − N) = a2 − 2ab + b2 = (a − b)2 Taking square roots yields d √ x + N = a + b d √ x − N = a − b (where above we’ve assumed that 0 < b < a). Adding and subtracting and dividing by 2. gives expressions for a and b, namely a = d/2( √ x + N + √ x − N) b = d/2( √ x + N − √ x − N)

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Example of Key Theorem 1

Let’s find the triangle for N = 7. On the elliptic curve y2 = x3 − 72x, we close our eyes and pray we can find a triple that consists of integers. After some trying we see that (x, y) = (25, 120) gives a solution. Adding the point to itself gives 2P = (x2P, −y2P) where (using the formulas from last time) m = 3x2 − 72 2y = 913 120 b = 120 − 25 913 120

• = −1685

24 x2P = m2 − 2x = 113569 14400 = 337 120 2 y2P = mx2P + b = −17631503 1728000 Hence 2P = (113569/14400, 17631503/1728000). Now, d is the denominator of √x2P = 337/120 and so d = 120.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Example of Key Theorem 1

Finding the a and b values gives... a = d/2( √ x + N + √ x − N) = 120/2(

• 113569/14400 + 7 +
• 113569/14400, −7)

= 288 and b = d/2( √ x + N − √ x − N) = 120/2(

• 113569/14400 + 7 −
• 113569/14400, −7)

= 175 This gives the triangle 2a d = 2 · 288 120 = 24 5 2b d = 2 · 175 120 = 35 12 2√x = 337 60 which indeed has area 7 and is a right angle triangle (the side lengths satisfy the Pythagorean Identity)

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 2

Theorem 3. A number N is congruent if and only if the elliptic curve y2 = x3 − N2x has a rational point P = (x, y) distinct from (0, 0) and (±N, 0). We have already seen that if N is congruent, then we can find a rational point on the elliptic curve. Now, suppose our elliptic curve has a rational point P = (x, y) where P is not one of (0, 0) and (±N, 0). Our goal will be to show that 2P satisfies the conditions of the previous theorem.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 2

Using the results of adding a point to itself from last time, we see that the x-coordinate of P + P on the elliptic curve y2 = x3 + Ax + B is given by 3x2 + A 2y 2 − 2x = 9x4 + 6Ax2 + A2 4y2 − 2x = 9x4 + 6Ax2 + A2 4(x3 + Ax + B) − 2x = 9x4 + 6Ax2 + A2 4(x3 + Ax + B) + −2x · 4(x3 + Ax + B) 4(x3 + Ax + B) = 9x4 + 6Ax2 + A2 4(x3 + Ax + B) + −8x4 − 8Ax2 − 8Bx 4(x3 + Ax + B) = x4 − 2Ax2 − 8Bx + A2 4(x3 + Ax + B)

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 2

Using the results of adding a point to itself from last time, we see that the x-coordinate of P + P on the elliptic curve y2 = x3 + Ax + B is given by 3x2 + A 2y 2 − 2x = x4 − 2Ax2 − 8Bx + A2 4(x3 + Ax + B) Specializing to when A = −N2 and B = 0 (that is, on the elliptic curve y2 = x3 − N2x) gives us the formula for the x-coordinate of P + P as x4 + 2N2x2 + N4 4(x3 − N2x) = (x2 + N2)2 (2y)2 . Notice that by our restriction on the rational point P, the denominator is nonzero and the numerator is nonzero.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 2

The x-coordinate of P + P, namely x4 + 2N2x2 + N4 4(x3 − N2x) = (x2 + N2)2 (2y)2 . satisfies that it is the square of a rational number. It is also true that the numerator shares no common factor with N. Suppose p divides x2 + N2 and p divides N for some prime p. Then p | x and hence p3 divides x3 − N2x = y2. Hence p3 divides y2. Thus, in the x-coordinate above, we can factor out a p2 in the numerator and cancel it with a p2 in the denominator. By repeating this, the numerator can be reduced so that it shares no common factor with N. So it suffices to show that the number has an even denominator.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 2

The x-coordinate of P + P, namely x4 + 2N2x2 + N4 4(x3 − N2x) = (x2 + N2)2 (2y)2 . immediately appears to have an even denominator but we need to be careful. What happens if the factor of 4 in the denominator cancels with the numerator? In what cases is this possible?

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 2

The x-coordinate of P + P, namely x4 + 2N2x2 + N4 4(x3 − N2x) = (x2 + N2)2 (2y)2 . Case 1: x and N are even. Then 2 divides both x and N which means that the numerator and N share a common factor. Applying the previous argument shows that we can reduce the fraction.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Proof of Key Theorem 2

The x-coordinate of P + P, namely x4 + 2N2x2 + N4 4(x3 − N2x) = (x2 + N2)2 (2y)2 . Case 2: x and N are odd. In this case, write x = 2a + 1 and N = 2b + 1. Plugging in and simplifying gives (x2 + N2)2 = 16(a2 + a + b2 + b)2 + 16(a2 + a + b2 + b) + 4 Hence 4 exactly divides the numerator. Since y2 = x3 − N2x, we have that y is even and so at least 16 divides the denominator. Hence the denominator is even. Thus, this point P satisfies the conditions of the previous theorem and so the number N is congruent.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Don Zagier

To compute a rational point on the elliptic curve y2 = x3 − 1572x, Zagier noted that if N − 5 is divisible by 8 for a prime N, then each of the factors x and x ± N in y2 = x3 − N2x must be of the form ±s2, ±2s2, ±ns2 or ±2ns2 where s is a rational number.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Don Zagier

Then, as an example, if x = −A2, x + n = B2 and x − n = C 2, simplifying gives us that we must solve C 2 − B2 = 2A2 C 2 − A2 = n Similarly to the techniques we used to find Pythagorean triples, it must hold that A = 2RS

M , B = R2−2S2 M

and C = R2+2S2

M

for suitable integers R, S, M. In this way the problem is reduced to the solvability of M2N = R4 + 4S4. For N = 5 this has a clear solution but for N = 157, we need to apply this idea a few more times to the equation N = U2 + 4V 2 and find a solution with UV a rational square. Then take U = R2/M and V = S2/M. The ideas here are difficult to flesh out but can be done which is what Zagier did. (Thanks to Carlos Beenakker!)

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Rational Points on Elliptic Curves

Given the previous discussion, we have become interested in the following problem: Problem How can we find a rational point on an elliptic curve of the form y2 = x3 + Ax + B? This is a complex problem!

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Points on Elliptic Curves over Zp

Given a complex problem, sometimes we try to simplify it! In some sense the problem is that the rational numbers are too

• big. What we’ll consider is dealing with points over a finite

field, in this case, Zp. We define the field Zp for a prime number p to be the set of integers and we state that two integers are equal in Zp provided they differ by a multiple of p. It will turn out over Zp that the group law will still hold. So for example, in Z7, 1 and 15 are the same number because they differ by 14 which is divisible by 7. We denote this by 1 ≡ 15 (mod 7) and in general by a ≡ b (mod p).

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Practice Z5

Which of the following numbers are equivalent to 1 in Z5?

1 1 2 2 3 6 4 17 5 −4 6 3200

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Practice Z5

Which of the following numbers are equivalent to 1 in Z5?

1 1 Equivalent since 5 divides 1 − 1 = 0 2 2 Not equivalent since 5 does not divide 2 − 1 = 1 3 6 Equivalent since 5 divides 6 − 1 = 5 4 17 Not equivalent since 5 does not divide 17 − 1 = 16 5 −4 Equivalent since 5 divides −4 − 1 = −5. 6 3200 Equivalent since 5 divides

3200−1 = (34)50−1 = 8150−1 = (81−1)(8149+8148+...+1) (Think: x − 1 is a factor of x50 − 1 so 81 − 1 = 80 is a factor

• f 8150 − 1 and 5 divides 80 so 5 divides 8150 − 1).
• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Practice Zp

When we think about numbers in Zp for a prime p, we can restrict ourselves to just looking at numbers between 0 and p − 1 inclusive since every number is equivalent to one of these numbers (this actually follows quickly from long division with remainders!) Hence, we sometimes write Zp = {0, 1, 2, ..., p − 1}.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Points on Elliptic Curves over Finite Fields

Now we can start to look at elliptic curves over different finite

• fields. Let’s look at the elliptic curve y2 = x3 − x.

In order to reduce this elliptic curve over a finite field, we need to avoid primes dividing the discriminant of the elliptic curve (see the problem sheet). In this case, the discriminant is 64 so we can look for points on finite fields over all Zp for odd primes. Over Z3, we can look at all the possible x values, namely x = 0, 1, 2. These give the equations y2 = 03 − 0 ≡ 0 (mod 3) y2 = 13 − 1 = 0 (mod 3) y2 = 23 − 2 = 6 ≡ 0 (mod 3) Hence, this elliptic curve when considered over Z3 has three points (0, 0), (1, 0), (2, 0) and one more point for the point at infinity.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Points on Elliptic Curves over Finite Fields

What about the elliptic curve y2 = x3 − x over Z5? Again we can look at all the possible x values, namely x = 0, 1, 2, 3, 4. These give the equations y2 = 03 − 0 = 0 y2 = 13 − 1 = 0 y2 = 23 − 2 = 6 ≡ 1 (mod 5) y2 = 33 − 3 = 24 ≡ 4 (mod 5) y2 = 43 − 4 = 60 ≡ 0 (mod 5) Thus, we want to know what solutions we have for y2 ≡ 0 (mod 5), y2 ≡ 1 (mod 5) and y2 ≡ 4 (mod 5).

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Points on Elliptic Curves over Finite Fields

We can compute the squares modulo 5 via x 1 2 3 4 x2 (mod 5) 1 4 4 1 Hence, this elliptic curve when considered over Z5 has seven points (0, 0), (1, 0), (2, 1), (2, 4), (3, 2), (3, 3), (4, 0) and one more point for the point at infinity.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

Your Turn!

What about the elliptic curve y2 = x3 − 4x over Z5 (If you’re quick, change 5 to 7 and 11 and see what happens)? Again we can look at all the possible x values, namely x = 0, 1, 2, 3, 4. These give the equations y2 = 03 − 4(0) = 0 y2 = 13 − 4(1) = −3 ≡ 2 (mod 5) y2 = 23 − 4(2) = 0 y2 = 33 − 4(3) = 15 ≡ 0 (mod 5) y2 = 43 − 4(4) = 48 ≡ 3 (mod 5) From the table before, we see that 2 and 3 are not squares in

• Z5. Hence the only points here are (0, 0), (2, 0), (3, 0) and

the point at infinity.

• Dr. Carmen Bruni

Rational Points on an Elliptic Curve

So what?

What can we do with these ideas? By taking the information at many primes, we can gain a lot

• f information about our elliptic curve.

Elliptic curves can be used to help factor numbers (Lenstra’s Algorithm). Elliptic Curves over finite fields form the basis for a cryptosystem in use today called Elliptic Curve Cryptography. They form a correspondence with certain types of modular forms which are another beautiful mathematical object with many applications. In the end you have a good foundation to pick up an introductory book on elliptic curves and start to study these

• bjects more deeply.
• Dr. Carmen Bruni

Rational Points on an Elliptic Curve