The Ubiquity of

Elliptic Curves

Joseph Silverman (Brown University)

MAA Invited Address Expanded Version
Baltimore January 18, 2003
 Contents
Introduction
Geometry, Algebra, Analysis, and Beyond
The Group Law on an Elliptic Curve
Elliptic Curves and Complex Analysis
Elliptic Curves and Number Theory (I)
Elliptic Curves and Cryptography
Elliptic Curves and Classical Physics
Elliptic Curves and Topology
Elliptic Curves and Modern Physics
Elliptic Curves and Number Theory (II)
References and Texts

-2-
 Elliptic Curves
Geometry, Algebra, Analysis
and Beyond
 What is an Elliptic Curve?
An elliptic curve is a curve thats also naturally a group.
The group law on an elliptic curve can be described:
Geometrically using intersection theory
Algebraically using polynomial equations
Analytically using complex analytic functions
Elliptic curves appear in many diverse areas of
mathematics, ranging from number theory to complex
analysis, and from cryptography to mathematical
physics.

-4-
 The Equation of an Elliptic Curve
An Elliptic Curve is a curve given by an equation

E : y2 = f(x) for a cubic or quartic polynomial f(x)

We also require that the polynomial f(x) has no double

roots. This ensures that the curve is nonsingular.
After a change of variables, the equation takes the
simpler form
E : y2 = x3 + A x + B

Finally, for reasons to be explained shortly, we toss in

an extra point O at infinity, so E is really the set
E = { (x,y) : y2 = x3 + A x + B } { O }

-5-
 A Typical Elliptic Curve E

E : Y2 = X3 5X + 8

Surprising Fact: We can use geometry to make the

points of an elliptic curve into a group.

-6-
The Group Law on an
Elliptic Curve
Adding Points P + Q on E

P+Q

-8-
 Doubling a Point P on E

Tangent Line to E at P R

2*P

-9-
Vertical Lines and an Extra Point at Infinity
O

Add an extra point O at infinity.

The point O lies on every vertical line.

Q = P

Vertical lines have no

third intersection point
- 10 -
 Properties of Addition on E
Theorem: The addition law on E has the following
properties:
a) P + O = O + P = P for all P E.
b) P + (P) = O for all P E.
c) (P + Q) + R = P + (Q + R) for all P,Q,R E.
d) P + Q = Q + P for all P,Q E.
In other words, the addition law + makes the points of E
into a commutative group.
All of the group properties are trivial to check except for
the associative law (c). The associative law can be
verified by a lengthy computation using explicit
formulas, or by using more advanced algebraic or
analytic methods.
- 11 -
 A Numerical Example

E : Y2 = X3 5X + 8
The point P = (1,2) is on the curve E.

Using the tangent line construction, we find that

2P = P + P = (-7/4, -27/8).

Using the secant line construction, we find that

3P = P + P + P = (553/121, -11950/1331)

Similarly, 4P = (45313/11664, 8655103/1259712).

As you can see, the coordinates become complicated.
- 12 -
 Algebraic Formulas for Addition on E
Suppose that we want to add the points
P1 = (x1,y1) and P2 = (x2,y2)
on the elliptic curve
E : y2 = x3 + Ax + B.

y 2 y1 3 x12 A
Let if P1 P2 and if P1 P2 .
x2 x1 2y 1

Then P1 P2 (2 x1 x2 , 3 2x1 x2 y1 ).
Quite a mess!!!!! But
Crucial Observation: If A and B are in a field K and
if P1 and P2 have coordinates in K,
then P1+ P2 and 2P1 have coordinates in K.
- 13 -
 The Group of Points on E with
Coordinates in a Field K
The elementary observation on the previous slide
leads to an important result:

Theorem (Poincar, 1900): Let K be a field and

suppose that an elliptic curve E is given by an equation
of the form
y2 = x3 + A x + B with A,B K.
Let E(K) be the set of points of E with coordinates in K,
E(K) = { (x,y) E : x,y K } { O }.
Then E(K) is a subgroup of E.

- 14 -
 What Does E(R) Look Like?
We have seen one example of E(R). It is also possible for
E(R) to have two connected components.

E : Y2 = X3 9X

Analytically, E(R) is isomorphic to the circle group S1 or to

two copies of the circle group S1 Z/2 Z.
- 15 -
 A Finite Field Numerical Example
The formulas giving the group law on E are valid if the
points have coordinates in any field, even if the
geometric pictures dont make sense.
For example, we can take points with coordinates in Fp.

Example:The curve
E : Y2 = X3 5X + 8 modulo 37
contains the points
P = (6,3) and Q = (9,10).
Using the addition formulas, we can compute in E(F37):
2P = (35,11) 3P = (34,25) 4P = (8,6) 5P = (16,19)
P + Q = (11,10) 3P + 4Q = (31,28)
- 16 -
 Elliptic Curves and
Complex Analysis

OrHow the Elliptic Curve Acquired

Its Unfortunate Moniker
 The Arc Length of an Ellipse
The arc length of a (semi)circle is given by the familiar integral
x2+y2=a2 a a dx
-a a

a
a2 x 2

The arc length of a (semi)ellipse is more complicated

x2/a2 + y2/b2 = 1
b a a2 1 b2 / a2 x 2
-a a

a a x
2 2
dx

- 18 -
 The Arc Length of an Ellipse
Let k2 = 1 b2/a2 and change variables x ax. Then the
arc length of an ellipse is

1 k x
2 2 1 1 k 2 x 2
a
1
a dx dx
1 1 x 2 1
(1 x )(1 k x )
2 2 2

1 k x
1
2 2
An Elliptic Curve!
Arc Length a dx
1 y
with y2 = (1 x2) (1 k2x2) = quartic in x.

An elliptic integral is an integral R( x, y ) dx , where R(x,y) is

a rational function of the coordinates (x,y) on an elliptic curve
E : y2 = f(x) = cubic or quartic in x. - 19 -
 Elliptic Integrals and Elliptic Functions
w dx
The circular integral 0
1 x 2
is equal to sin-1(w).

Its inverse function w = sin(z) is periodic with period 2.

w dx
The elliptic integral
x Ax B3
has an inverse

w = (z) with two independent complex periods 1 and 2.

(z + 1) = (z + 2) = (z) for all z C.

Doubly periodic functions are called elliptic functions.

- 20 -
 Elliptic Functions and Elliptic Curves
The -function and its derivative satisfy an algebraic
relation
(z) (z) A(z) B
2 3

This equation looks familiar

The double periodicity of (z) means that it is a function
on the quotient space C/L, where L is the lattice
L = { n11 + n22 : n1,n2 Z }.

1+ 2
1 L
2

(z) and (z) are functions on a fundamental parallelogram

- 21 -
The Complex Points on an Elliptic Curve
The -function gives a complex analytic isomorphism

C (z),(z)
E(C)
L
Parallelogram with opposite
sides identified = a torus

Thus the points of E with coordinates in the complex

numbers C form a torus, that is, the surface of a donut.

E(C) =

- 22 -
 Elliptic Curves and
Number Theory

Rational Points on Elliptic Curves

 E(Q) : The Group of Rational Points
A fundamental and ancient problem in number theory is
that of solving polynomial equations using integers or
rational numbers.
The description of E(Q) is a landmark in the modern
study of Diophantine equations.
Theorem (Mordell, 1922): Let E be an elliptic curve given
by an equation
E : y2 = x3 + A x + B with A,B Q.
There is a finite set of points P1,P2,,Pr so that every
point P in E(Q) can be obtained as a sum
P = n1P1 + n2P2 + + nrPr with n1,,nr Z.
In other words, E(Q) is a finitely generated group.
- 24 -
 E(Q) : The Group of Rational Points
The elements of finite order in the group E(Q) are quite
well understood.
Theorem (Mazur, 1977): The group E(Q) contains at
most 16 points of finite order.

The minimal number of points needed to generate the

group E(Q) is much more mysterious!

Conjecture: The number of points needed to generate

E(Q) may be arbitrarily large.

Current World Record: There is an elliptic curve with

Number of generators for E(Q) 23.

- 25 -
 E(Fp) : The Group of Points Modulo p
Number theorists also like to solve polynomial equations
modulo p.
This is much easier than finding solutions in Q, since
there are only finitely many solutions in the finite field Fp!
One expects E(Fp) to have approximately p+1 points.
A famous theorem of Hasse (later vastly generalized by
Weil and Deligne) quantifies this expectation.
Theorem (Hasse, 1922): An elliptic curve equation
E : y2 x3 + A x + B (modulo p)
has p+1+
solutions (x,y) mod p, where the error satisfies
2 p.
- 29 -
Elliptic Curves and
Cryptography
The (Elliptic Curve) Discrete Log Problem
Let A be a group and let P and Q be known elements of A.
The Discrete Logarithm Problem (DLP) is to find an
integer m satisfying m summands
Q = P + P + + P = mP.
There are many cryptographic constructions based on
the difficulty of solving the DLP in various finite groups.
The first group used for this purpose (Diffie-Hellman
1976) was the multiplicative group Fp* in a finite field.
Koblitz and Miller (1985) independently suggested using
the group E(Fp) of points modulo p on an elliptic curve.
At this time, the best algorithms for solving the elliptic
curve discrete logarithm problem (ECDLP) are much
less efficient than the algorithms for solving DLP in Fp*
or for factoring large integers.
- 32 -
Elliptic Curve Diffie-Hellman Key Exchange
Public Knowledge: A group E(Fp) and a point P of order n.
BOB ALICE

Choose secret 0 < b < n Choose secret 0 < a < n

Compute QBob = bP Compute QAlice = aP

Send QBob to Alice

to Bob Send QAlice
Compute bQAlice Compute aQBob
Bob and Alice have the shared value bQAlice = abP = aQBob

Presumably(?) recovering abP from aP and bP requires

solving the elliptic curve discrete logarithm problem.
- 33 -
Elliptic Curves and
Classical Physics
The Elliptic Curve and the Pendulum

- 35 -
 The Elliptic Curve and the Pendulum

In freshman physics, one assumes

that is small and derives the

formula
d
2

2
k
2

dt
This leads to a simple harmonic
motion for the pendulum.

But this formula is only a rough approximation. The

actual differential equation for the pendulum is
d2
2
k 2
sin( )
dt - 36 -
 How to Solve the Pendulum Equation
d2
2
d k 22
sin( ) d
dt
1 1 d
2

d k 2
sin())d (taking C 0)
cos(
2 2 dt
d
2k dt Now substitute x tan .
cos( ) 2
d dx dx
2 2 with y 1 x .
2 4

cos( ) 1 x 4 y

- 37 -
 How to Solve the Pendulum Equation

An Elliptic Integral!!!
An Elliptic Curve!!!

d dx dx
2 2 with y 1 x .
2 4

cos( ) 1 x 4 y

Conclusion: tan( /2) = Elliptic Function of t

- 38 -
Elliptic Curves and
Topology
 Cobordism and Genus
An important object in topology is the (complex oriented)
cobordism ring W.
For our purposes, it is enough to know that W is a polynomial
ring in infinitely many variables:
W= C[T2, T4, T6, T8, ].
(T2n is the cobordism class of projective space CPn.)

A (complex) genus is a ring homomorphism

: W C.

The genus is characterized by its logarithm

(T2 ) 3 (T4 ) 5 (T6 ) 7
log ( x ) x x x x C[[ x ]]
3 5 7
- 40 -
 What Makes a Genus Elliptic?
A genus is a ring homomorphism, so it satisfies
(U x V) = (U) (V).
Here U and V are (cobordism classes) of complex manifolds.
It is interesting to impose a stronger multiplicative property:
Let W V be a fiber bundle with fiber U, i.e., W is a twisted
product of U and V. Then we still require that
(W) = (U) (V).
Ochanine proved that the logarithm of is an elliptic integral!

log x
dx dx

1 2ax bx
2 4 y
A genus whose logarithm is an elliptic integral is called an
Elliptic Genus.
- 41 -
Elliptic Curves and
Modern Physics
 Elliptic Curves and String Theory
In string theory, the notion of a point-like particle is replaced
by a curve-like string.
As a string moves through space-time, it traces out a surface.

For example, a single string that moves around and returns to

its starting position will trace a torus.
So the path traced by a string looks like an elliptic curve!
In quantum theory, physicists like to compute averages over
all possible paths, so when using strings, they need to
compute integrals over the space of all elliptic curves.
- 43 -
Elliptic Curves and
Number Theory

Fermats Last Theorem

Fermats Last Theorem and Fermat Curves
Fermats Last Theorem says that if n > 2, then the equation
an + bn = cn
has no solutions in nonzero integers a,b,c.
It is enough to prove the case that n = 4 (already done by
Fermat himself) and the case that n = p is an odd prime.
If we let x = a/c and y = b/c, then solutions to Fermats
equation give rational points on the Fermat curve
xp + yp = 1.

But Fermats curve is not an elliptic curve. So how can

elliptic curves be used to study Fermats problem?

- 45 -
Elliptic Curves and Fermats Last Theorem
Gerhard Frey (and others) suggested using an hypothetical
solution (a,b,c) of Fermats equation to manufacture an
elliptic curve
Ea,b,c : y2 = x (x ap) (x + bp).

Frey suggested that Ea,b,c would be such a strange curve, it

shouldnt exist at all. More precisely, Frey doubted that Ea,b,c
could be modular.
Ribet verified Freys intuition by proving that Ea,b,c is indeed
not modular.
Wiles completed the proof of Fermats Last Theorem by
showing that (most) elliptic curves, in particular elliptic
curves like Ea,b,c, are modular.
- 46 -
Elliptic Curves and Fermats Last Theorem
Ea,b,c : y2 = x (x ap) (x + bp)
To Summarize:
Suppose that ap + bp = cp with abc 0.
Ribet proved that Ea,b,c is not modular
Wiles proved that Ea,b,c is modular.
Conclusion: The equation ap + bp = cp has no solutions.

But what does it mean

for an elliptic curve E to
be modular?

- 47 -
 Elliptic Curves and Modularity
There are many equivalent definitions, none of them
particularly intuitive. Heres one:
E is modular if it is parameterized by modular forms!
A modular form is a function f(t) with the property
at b
(ct d ) f (t )
2
f
ct d
a b
for all matrices SL2 (Z ) satisfying c 0 (mod N ).
c d

The variable t represents the elliptic curve Et whose lattice

is Lt = {n1+n2t : n1,n2 Z}.
So just as in string theory, the space of all elliptic curves
makes an unexpected appearance.
- 48 -
Conclusion

- 49 -
 References and Texts on Elliptic Curves

Apostol, T. Modular functions and Dirichlet series in number theory, Graduate

Texts in Mathematics 41, Springer-Verlag, New York, 1976.
Blake, I. F.; Seroussi, G.; Smart, N. P. Elliptic curves in cryptography. London
Mathematical Society Lecture Note Series, 265. Cambridge University Press,
Cambridge, 2000.
Cremona, J. E. Algorithms for modular elliptic curves. Cambridge University
Press, Cambridge, 1997.
Knapp, A. Elliptic curves, Mathematical Notes 40, Princeton University Press,
Princeton, NJ, 1992.
Koblitz, N. Introduction to elliptic curves and modular forms, Springer-Verlag, NY,
1984.

- 50 -
 References and Texts on Elliptic Curves

Lang, S. Elliptic functions, Graduate Texts in Mathematics 112, Springer-Verlag,

NY, 1987.
Lang, S. Elliptic curves: Diophantine analysis, Springer-Verlag, Berlin, 1978.
Silverman, Joseph H. The arithmetic of elliptic curves. Graduate Texts in
Mathematics, 106. Springer-Verlag, New York, 1986.
Silverman, Joseph H. Advanced topics in the arithmetic of elliptic curves.
Graduate Texts in Mathematics, 151. Springer-Verlag, New York, 1994.
Silverman, Joseph H.; Tate, John. Rational points on elliptic curves. Under-
graduate Texts in Mathematics. Springer-Verlag, New York, 1992.

- 51 -
The Ubiquity of
Elliptic Curves

Joseph Silverman (Brown University)

MAA Invited Address Expanded Version
Baltimore January 18, 2003