
Elliptic Curves

Ruben du Burck

July 13, 2017

Bachelorproject

Supervisor: dr. Mingmin Shen


Korteweg-de Vries Instituut voor Wiskunde


Abstract

An elliptic curve is the set of solutions to some equation of the form $y^2 = x^3 + px + q$. Interestingly, we can turn this set into a group by defining a group operation $P + Q$ as follows: we draw a line through the points $P$ and $Q$. This line intersects the curve in a third point, and because the curve is symmetric about the $x$-axis, we can mirror this point over the $x$-axis to find the point $P + Q$. This alone does not make the set into a group. We also need to define a formal point $O_E$, our unit, "at infinity". Furthermore, if we add a point to itself, so $P + P$, we take not the line through $P$ and $P$ but the tangent line at $P$ to find another point on the curve.

[Figure: the points $P$, $Q$ and $P + Q$ on an elliptic curve, with $x$ and $y$ axes running from $-2$ to $2$.]

This definition is unsatisfying to say the least. It seems quite contrived for one, and requires a formal point that does not naturally seem to be in the set we start with. However, it turns out we can recover the same group law in a very natural way from the Riemann-Roch theorem. In this paper we will explore the world of elliptic curves from this angle, starting with a statement of the Riemann-Roch theorem, showing how the group law arises from this theorem and finishing with a small exposé on elliptic curve cryptography.

Title: Elliptic Curves

Authors: Ruben du Burck, rubenduburck@gmail.com, 10814590 Supervisor: dr. Mingmin Shen

Date: July 13, 2017

Korteweg-de Vries Instituut voor Wiskunde Universiteit van Amsterdam

Science Park 904, 1098 XH Amsterdam http://www.science.uva.nl/math


Contents

1 Introduction

2 Preliminaries

2.1 Rational Functions

2.2 Divisors and Degrees

2.3 L(D) or the Riemann-Roch Space of D

2.4 Differentials

2.4.1 The Local Case

2.4.2 The Global Case

2.5 The Riemann-Roch Theorem

3 Geometry

3.1 Local Picture

3.2 Maps Between Curves

3.3 Genus of C

3.3.1 Riemann-Hurwitz Formula

3.3.2 Pullback of a rational differential

4 The Group Law

4.1 Application of the Riemann-Roch Theorem

5 Cryptography

5.1 The Discrete Logarithm Problem

5.2 Why Elliptic Curves?


1 Introduction

One's first introduction to elliptic curves can be quite underwhelming. The geometric definition of the group law works, of course, but can feel quite contrived, and the reason for studying these objects is not at all apparent. This paper serves as a pleasant reintroduction. Let us start by exposing the reader to the geometry of the group law on an elliptic curve in the plane.

Definition 1.1. Let $\{(x, y) \mid y^2 = x^3 + px + q\}$ be the set of solutions to some equation $y^2 = x^3 + px + q$, where $p$ and $q$ are integers such that $-16(4p^3 + 27q^2) \neq 0$ (that is, the curve is non-singular). Then we turn this set into a group by adding a formal point $O_E$ "at infinity", the unit element, and defining the group law on $E = \{(x, y) \mid y^2 = x^3 + px + q\} \cup \{O_E\}$ as follows. Let $P, Q \in E$.

1. $P + O_E = P$ for all $P \in E$,

2. $P + Q$ is the point on $E$ found by intersecting the line through $P$ and $Q$ with our curve, and mirroring the point found over the $x$-axis,

3. $P + P$ is the point found by the same recipe, but using the tangent line at $P$.

Figure 1.1: The Group Law. (a) Illustration of rule 2: the points $P$, $Q$ and $P + Q$. (b) Illustration of rule 3: the points $R$ and $R + R$. (Both panels show the curve with $x$ and $y$ axes running from $-2$ to $2$.)

Clearly this way of defining the group law on elliptic curves is not very natural. We would like to see that this definition arises in a more natural way and indeed we will. To understand how this happens we first need to work towards a statement of a theorem that is very valuable when studying algebraic curves, namely the Riemann-Roch theorem.
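To make Definition 1.1 concrete, here is an added example (my own code, not from the thesis) that carries out the chord-and-tangent law over the small prime field $\mathbb{F}_{31}$ instead of over the reals. The curve $y^2 = x^3 + 2x + 3$, the prime and the sample points are constructed for this example. Over a finite field every coordinate is exact, so the three rules can be implemented literally and the group axioms (closure, unit, inverses, associativity) checked by brute force over every point of the curve; this is also the setting in which the curve is used for cryptography in chapter 5.

```python
# Added example (not from the thesis): the chord-and-tangent group law of
# Definition 1.1 over a prime field F_p. The prime, the curve coefficients and
# the sample points are constructed for this illustration.

P_MOD = 31          # constructed prime; we work in F_31
A, B = 2, 3         # constructed curve y^2 = x^3 + 2x + 3 over F_31
INF = None          # the formal point O_E "at infinity"


def is_nonsingular(p, a, b):
    """The condition -16(4a^3 + 27b^2) != 0 from Definition 1.1, read in F_p."""
    return (-16 * (4 * a**3 + 27 * b**2)) % p != 0


def on_curve(pt, p=P_MOD, a=A, b=B):
    """True if pt is O_E or an affine solution of y^2 = x^3 + ax + b over F_p."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0


def neg(P, p=P_MOD):
    """Mirror image over the x-axis: the inverse of P under the group law."""
    return INF if P is INF else (P[0], (-P[1]) % p)


def add(P, Q, p=P_MOD, a=A):
    """Rule 1 (unit), rule 2 (chord) and rule 3 (tangent) of Definition 1.1."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        # Q is the mirror image of P: the line through them is vertical and
        # meets the curve a third time only at O_E.
        return INF
    if P == Q:
        # rule 3: slope of the tangent, from implicit differentiation of the equation
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        # rule 2: slope of the chord through P and Q
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    # third intersection point of the line with the cubic, then mirror over the x-axis
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def all_points(p=P_MOD, a=A, b=B):
    """Every affine solution in F_p x F_p plus O_E (brute force; fine for tiny p)."""
    pts = [INF]
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        for y in range(p):
            if (y * y) % p == rhs:
                pts.append((x, y))
    return pts


def check_group_axioms(p=P_MOD, a=A, b=B):
    """Check closure, unit, inverses and associativity over all points; return #E."""
    pts = all_points(p, a, b)
    for P in pts:
        assert on_curve(P, p, a, b)
        assert add(P, INF, p, a) == P and add(P, neg(P, p), p, a) is INF
    for P in pts:
        for Q in pts:
            assert on_curve(add(P, Q, p, a), p, a, b)
            for R in pts:
                assert add(add(P, Q, p, a), R, p, a) == add(P, add(Q, R, p, a), p, a)
    return len(pts)


if __name__ == "__main__":
    print("nonsingular:", is_nonsingular(P_MOD, A, B))
    print("(3,6) + (5,13) =", add((3, 6), (5, 13)))
    print("(3,6) + (3,6)  =", add((3, 6), (3, 6)))
    print("group order:", check_group_axioms())
```

The brute-force associativity check is the point of the example: the chord-and-tangent recipe gives no hint that $(P + Q) + R = P + (Q + R)$, which is exactly the "contrived" feeling the text describes and which the Riemann-Roch approach later explains.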


2 Preliminaries

All of the theory we will be using is based around the definition of an algebraic curve.

Definition 2.1 (Algebraic Curve). An algebraic curve $C$ is a set of solutions of dimension one to some polynomial equation over a field $k$.

Example 2.2 (Elliptic Curve). An elliptic curve is an example of an algebraic curve. Namely, an elliptic curve $E$ is defined as the set of solutions to some polynomial equation of the form

$$y^2 + axy + by = cx^3 + dx^2 + ex + f$$

where $a, b, c, d, e, f \in k$, together with a point denoted $O_E$ "at infinity". If our field is not of characteristic 2 or 3, we can simplify this to the form $y^2 = x^3 + px + q$ for some $p, q \in k$.

In the example above, the set of solutions to our polynomial equation only becomes a group after we add the formal point “at infinity”. Preferably we would avoid having to add elements in order for our definition to work. In fact, we will see that if we move to the projective space we get this point for free.

Definition 2.3 (Projective Space). The projective $n$-space over a field $k$, denoted $\mathbb{P}^n_k$, is defined as $(k^{n+1} \setminus \{0\})/\!\sim$ where $(x_0, x_1, \dots, x_n) \sim (y_0, y_1, \dots, y_n) \iff (x_0, x_1, \dots, x_n) = a \cdot (y_0, y_1, \dots, y_n)$ for some $0 \neq a \in k$. We will denote elements of the projective space as $[X_0 : X_1 : \cdots : X_n]$, emphasizing that these are equivalence classes.

Now generally some polynomial $f$ in $k[x_0, x_1, \dots, x_n]$ will not be well defined over the projective space. The reason is that in projective space we require that $f(ax_0, \dots, ax_n) = b \, f(x_0, \dots, x_n)$ for some $b \in k$ (depending on $a$) and every nonzero $a \in k$, so that whether $f$ vanishes does not depend on the representative chosen. In other words, we require our polynomial $f$ to be homogeneous.

Example 2.4. Let $E$ be some elliptic curve over $\mathbb{R}$ defined by an equation of the form $y^2 = x^3 + px + q$. Clearly this polynomial is not homogeneous, so this equation does not define a curve in $\mathbb{P}^2_{\mathbb{R}}$. However, we can make it into a homogeneous polynomial in three variables by appropriately adding powers of a third variable $Z$, like so:

$$y^2 = x^3 + px + q \quad\longrightarrow\quad Y^2 Z = X^3 + pXZ^2 + qZ^3.$$

We now have a homogeneous polynomial in three variables, which is therefore well defined for elements $[Z : X : Y] \in \mathbb{P}^2_{\mathbb{R}}$.

Now note that we can partition $\mathbb{P}^2_{\mathbb{R}}$ as $\{[1 : X : Y] \mid X, Y \in \mathbb{R}\} \cup \{[0 : 1 : t] \mid t \in \mathbb{R}\} \cup \{[0 : 0 : 1]\}$. Let us observe what happens in each of these cases. If our element is of the form $[1 : X : Y]$, we simply get back the polynomial we started out with, so this is the set of solutions to the polynomial defining our elliptic curve. If we have an element of the form $[0 : 1 : t]$ we require that $0 = 1$, which doesn't happen, so this set is empty. Lastly we have the element $[0 : 0 : 1]$, which is a solution and defines the element "infinity" of $E$ in $\mathbb{P}^2_{\mathbb{R}}$.

This example shows that we do not need to add any formal point at infinity when we move to the projective space. In fact, we will see a lot of theory working more smoothly in the projective space.
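As an added illustration (my own code, not from the thesis), the partition argument of Example 2.4 can be checked exhaustively if we replace $\mathbb{R}$ by a small finite field, where $\mathbb{P}^2$ has only $p^2 + p + 1$ points. The curve $y^2 = x^3 + x + 6$ over $\mathbb{F}_{11}$ and all function names below are constructed for this example; points are written $[Z : X : Y]$ as on the page.

```python
# Added example (not from the thesis): Example 2.4 over F_11 instead of R.
# Points of P^2 are written (z, x, y) for [Z : X : Y]; the curve is constructed.

P_MOD = 11
A, B = 1, 6   # constructed curve y^2 = x^3 + x + 6 over F_11


def homogeneous_form(z, x, y, p=P_MOD, a=A, b=B):
    """Y^2 Z - (X^3 + a X Z^2 + b Z^3) mod p: zero exactly on the projective curve."""
    return (y * y * z - (x**3 + a * x * z * z + b * z**3)) % p


def normalize(z, x, y, p=P_MOD):
    """Canonical representative of [Z : X : Y]: first nonzero coordinate scaled to 1."""
    for c in (z, x, y):
        if c % p:
            inv = pow(c, -1, p)
            return (z * inv % p, x * inv % p, y * inv % p)
    raise ValueError("(0, 0, 0) is not a projective point")


def projective_plane(p=P_MOD):
    """All points of P^2 over F_p as canonical representatives."""
    seen = set()
    for z in range(p):
        for x in range(p):
            for y in range(p):
                if (z, x, y) != (0, 0, 0):
                    seen.add(normalize(z, x, y, p))
    return sorted(seen)


def is_well_defined(p=P_MOD):
    """Homogeneity: scaling a representative by c multiplies the form by c^3,
    so 'is a solution' does not depend on the representative chosen."""
    for (z, x, y) in projective_plane(p):
        base = homogeneous_form(z, x, y, p)
        for c in range(1, p):
            if homogeneous_form(c * z, c * x, c * y, p) != (c**3 * base) % p:
                return False
    return True


def curve_points(p=P_MOD):
    """Every point of P^2(F_p) on which the homogeneous form vanishes."""
    return [pt for pt in projective_plane(p) if homogeneous_form(*pt, p) == 0]


def points_at_infinity(p=P_MOD):
    """The partition argument: solutions with Z = 0 should be exactly [0 : 0 : 1]."""
    return [pt for pt in curve_points(p) if pt[0] == 0]


def affine_points(p=P_MOD):
    """Solutions with Z = 1, i.e. the (x, y) solving the original affine equation."""
    return [(x, y) for (z, x, y) in curve_points(p) if z == 1]


if __name__ == "__main__":
    print("points of P^2(F_11):", len(projective_plane()))
    print("well defined:", is_well_defined())
    print("points at infinity:", points_at_infinity())
    print("affine points:", affine_points())
```

Running it shows the three pieces of the partition directly: the $[1 : X : Y]$ piece contributes the affine solutions, the $[0 : 1 : t]$ piece contributes nothing, and $[0 : 0 : 1]$ is the single extra point, so no formal point has to be added by hand.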

2.1 Rational Functions

We start with the idea of a rational function defined over an algebraic curve C, and something called the local ring. Let us start with an example.

Example 2.5. An important example is the rational functions on $\mathbb{P}^n_k$,

$$\operatorname{Rat}(\mathbb{P}^n_k) = \left\{ \frac{F}{G} \;\middle|\; F, G \text{ homogeneous polynomials},\ \deg F = \deg G,\ G \not\equiv 0 \right\}.$$

Definition 2.6. We define the rational functions on $C$, denoted $\operatorname{Rat}(C)$, as the restriction of functions on $\mathbb{P}^n_k$ to $C$.

Note that from example 2.5 we can conclude that, since rational functions on $C$ are restrictions of rational functions on $\mathbb{P}^n_k$ to $C$, the functions in $\operatorname{Rat}(C)$ can also be described as fractions of homogeneous polynomials.

Definition 2.7. Let $P \in C$. The local ring of $C$ at $P$ is defined as

$$\mathcal{O}_{C,P} := \{ f \in \operatorname{Rat}(C) \mid P \text{ is not a pole of } f \}.$$

It is easy to check that this object indeed carries the structure of a ring. Furthermore, this local ring contains a unique maximal ideal

$$\mathfrak{m}_P := \{ f \in \mathcal{O}_{C,P} \mid f(P) = 0 \}.$$

In other words, this maximal ideal consists of all rational functions on $C$ for which $P$ is a zero and not a pole. The maximality of this ideal will be proved later.


Lemma 2.8. $\operatorname{Rat}(C) = \operatorname{Frac}(\mathcal{O}_{C,P})$.

Proof. Let $f \in \operatorname{Rat}(C)$. If $f(P) \neq \infty$ then we are done, so let $f(P) = \infty$. Then $\frac{1}{f}(P) = 0$ and therefore $\frac{1}{f} \in \mathcal{O}_{C,P}$, so $f \in \operatorname{Frac}(\mathcal{O}_{C,P})$. The converse follows trivially, since any element in $\operatorname{Frac}(\mathcal{O}_{C,P})$ is of the form $\frac{f}{g}$ where both $f$ and $g$ are elements of $\mathcal{O}_{C,P}$.

Definition 2.9. We say $C$ is smooth at $P$ if $\mathfrak{m}_P = (t_P)$, where $t_P$ is some function with a simple zero at $P$.

This $t_P$ is called the local parameter. This local parameter will become very important, and will be described in full detail later.

Lemma 2.10. Any nonzero $f \in \mathcal{O}_{C,P}$ can be written as $f = t_P^e \cdot g$ where $g \in \mathcal{O}_{C,P} \setminus \mathfrak{m}_P$.

Proof. If $f(P) \neq 0$ we are done, so suppose $f(P) = 0$. Then $f \in \mathfrak{m}_P = (t_P)$, and so $f = t_P \cdot f_1$ for some $f_1 \in \mathcal{O}_{C,P}$. Now we can repeat this process for $f_1$ if $f_1(P) = 0$, and find some $f_2$ such that $f_1 = t_P \cdot f_2$. However, because $\bigcap_{n \geq 0} (t_P^n) = (0)$, this process must terminate.

2.2 Divisors and Degrees

A divisor is a formal sum over the elements P of C. Divisors will play an important role in our story. First some more definitions.

Definition 2.11. We define the valuation of $f = t_P^e \cdot g$ at $P$ as

$$v_P(f) = e.$$

This number in some sense tells us with what order $f$ vanishes at $P$. We note the following properties of $v_P$, which can easily be checked to be true.

Lemma 2.12. Some properties of $v_P : \operatorname{Rat}(C) \to \mathbb{Z}$.

1. $v_P(fg) = v_P(f) + v_P(g)$,

2. $v_P(1/f) = -v_P(f)$,

3. $v_P(f + g) \geq \min\{v_P(f), v_P(g)\}$.

Definition 2.13 (Divisor Group). A divisor $D$ is a sum

$$D = \sum_{P \in C} n_P P$$

where $n_P \in \mathbb{Z}$. The set of these forms a group called the divisor group of $C$, denoted $\operatorname{Div}(C)$.


Definition 2.14 (Divisor of a function). Given a function $f \in \operatorname{Rat}(C) \setminus \{0\}$ we define

$$\operatorname{div}(f) = \sum_{P \in C} v_P(f) P.$$

An important note to make is that although the summation runs through all elements of $C$, the resulting sum is finite. Namely, $f$ is a fraction of homogeneous polynomials of finite degree, so $f$ has only a finite number of zeros and poles. Moreover, note that

$$\mathcal{O}_{C,P} = \{ f \in \operatorname{Rat}(C) \mid v_P(f) \geq 0 \} \quad \text{and} \quad \mathfrak{m}_P = \{ f \in \operatorname{Rat}(C) \mid v_P(f) \geq 1 \}.$$

Thus $\mathcal{O}_{C,P}/\mathfrak{m}_P = \{ [f] \mid f \in \operatorname{Rat}(C),\ v_P(f) = 0 \}$.

Lemma 2.15. $\mathcal{O}_{C,P}/\mathfrak{m}_P \simeq k$.

Proof. We define explicitly an isomorphism

$$\Phi : \mathcal{O}_{C,P}/\mathfrak{m}_P \to k : [f] \mapsto f(P).$$

One can check that indeed $\Phi$ is a homomorphism. Moreover, if $f(P) = 0$ then $f \in \mathfrak{m}_P$ and therefore $[f] = [0]$ in $\mathcal{O}_{C,P}/\mathfrak{m}_P$. This shows that $\ker(\Phi) = \{[0]\}$, so $\Phi$ is injective. Furthermore, every constant function $c \in k$ is an element of $\mathcal{O}_{C,P} \setminus \mathfrak{m}_P$ and therefore $\Phi$ is surjective.

Corollary 2.16. The ideal $\mathfrak{m}_P$ is maximal.

Definition 2.17 (Principal Divisor). We define the principal divisors of $C$ as

$$\operatorname{Pdiv}(C) = \{ \operatorname{div}(f) \mid f \in \operatorname{Rat}(C) \setminus \{0\} \} \subset \operatorname{Div}(C).$$

Essentially the principal divisor group is the subgroup of $\operatorname{Div}(C)$ that is the image of the map

$$\operatorname{div} : \operatorname{Rat}(C) \setminus \{0\} \to \operatorname{Div}(C).$$

Another important definition for later is the divisor class group.

Definition 2.18 (Divisor Class Group). We define the divisor class group of $C$ as

$$\operatorname{Cl}(C) = \operatorname{Div}(C) / \operatorname{Pdiv}(C).$$

We now define the degree of a divisor.

Definition 2.19 (Degree of a Divisor). We define the degree of a divisor $D = \sum_{P \in C} n_P P$ as

$$\deg(D) = \sum_{P \in C} n_P.$$


Lemma 2.20. For any $f \in \operatorname{Rat}(C) \setminus \{0\}$ we have $\deg \operatorname{div}(f) = 0$.

Proof. We know $f = \frac{F}{G}$ for some $F, G$ homogeneous polynomials of the same degree. Let $P_1, P_2, \dots, P_n$ be the roots of $F$ and $Q_1, Q_2, \dots, Q_n$ the roots of $G$. Then

$$\deg \operatorname{div}(f) = \sum_{P \in C} v_P(f) = \sum_{i=1}^{n} v_{P_i}(f) + \sum_{j=1}^{n} v_{Q_j}(f) = \deg F \deg C - \deg G \deg C = 0$$

because $\deg F = \deg G$, and with a little help from Bézout's theorem.

Corollary 2.21. We have a well-defined map $\deg : \operatorname{Cl}(C) \to \mathbb{Z}$.

High time for an example.

Example 2.22. Suppose $C = \mathbb{P}^1_k$. Similar to before we can partition $C$ as $\{[1 : X_1] \mid X_1 \in k\} \cup \{[0 : 1]\}$. There is an obvious isomorphism from $C \setminus \{[0 : 1]\}$ to $k$ through $[X_0 : X_1] \mapsto \frac{X_1}{X_0}$. Consider now $t = \frac{X_1}{X_0}$ and $s = \frac{1}{t}$, both rational functions on $C$. $t$ has a pole at $[0 : 1]$ and vanishes at $[1 : 0]$, so

$$\operatorname{div}(t) = (0) - (\infty).$$

For $s$ the situation is reversed, and so

$$\operatorname{div}(s) = (\infty) - (0).$$

Now let us direct our attention to the functions $f_a = t - a$, where $a \in k$. Then

$$\operatorname{div}(f_a) = (a) - (\infty).$$

Now the claim is that $\operatorname{Cl}(C) \simeq \mathbb{Z}$. To show this, note that for $P = [1 : a]$ we have $\operatorname{div}(f_a) = (P) - (\infty) \sim 0$, and so $(P) \sim (\infty)$ for any $P \in C$. This means that if we have some $D \in \operatorname{Div}(C)$, then

$$D = \sum_{P \in C} n_P P \equiv \Big( \sum_{P \in C} n_P \Big) (\infty)$$

in $\operatorname{Cl}(C)$. Clearly we have a single generator for $\operatorname{Cl}(C)$, namely $(\infty)$, and therefore the degree map gives us an isomorphism from $\operatorname{Cl}(C)$ to $\mathbb{Z}$. In conclusion, on $\mathbb{P}^1_k$ our class group $\operatorname{Cl}(\mathbb{P}^1_k)$ is equal to $\mathbb{Z}(\infty)$.

2.3 L(D) or the Riemann-Roch Space of D

We say a divisor $D$ is effective, notation $D \geq 0$, if $D = \sum_{P \in C} n_P P$ and $n_P \geq 0$ for all $P \in C$.

Definition 2.23. For a divisor $D \in \operatorname{Div}(C)$ we define

$$L(D) := \{ f \in \operatorname{Rat}(C) \mid f = 0 \text{ or } \operatorname{div}(f) + D \geq 0 \},$$

sometimes called the Riemann-Roch space.

Definition 2.24. $\ell(D) := \dim_k L(D)$.

We will now prove some important facts before getting to the meat of this section.

Lemma 2.25. Let $D$ be a divisor such that $\ell(D)$ is finite. Then $\ell(D + P) \leq \ell(D) + 1$ for any $P \in C$.

Proof. Let $D = \sum_{Q \neq P} n_Q Q + n_P P$ be the divisor in question. Then for any $f \in L(D + P)$ we have $\operatorname{div}(f) + D + P \geq 0$ and therefore $v_P(f) + n_P + 1 \geq 0$. So $v_P(f) + n_P \geq -1$. Furthermore, if $f \notin L(D)$ then there is some $Q \in C$ such that $v_Q(f) + n_Q < 0$. For $f \in L(D + P)$, this happens only when $Q = P$. Therefore, either $L(D + P) = L(D)$, or there is some $f \in L(D + P)$, $f \notin L(D)$, for which $v_P(f) = -n_P - 1$.

Now we have $f = t^{-(n_P + 1)} f_0$ for some $f_0$ with no poles or zeroes at $P$, meaning $t^{n_P + 1} f$ has no poles or zeroes at $P$ (i.e. is in $\mathcal{O}_{C,P} \setminus \mathfrak{m}_P$). Since we know that $\mathcal{O}_{C,P}/\mathfrak{m}_P \cong k$ from lemma 2.15, we know $t^{n_P + 1} f = a + \varphi t$ for some $a \in k$, $\varphi \in \mathcal{O}_{C,P}$. If $g \in L(D + P)$ and $v_P(g) = -(n_P + 1)$ as well, we can similarly write $t^{n_P + 1} g = b + \psi t$ for some $b \in k$, $\psi \in \mathcal{O}_{C,P}$. From this it follows that

$$f = a t^{-(n_P + 1)} + \varphi t^{-n_P}, \qquad g = b t^{-(n_P + 1)} + \psi t^{-n_P},$$

and therefore

$$g - \tfrac{b}{a} f = \big( \psi - \tfrac{b}{a} \varphi \big) t^{-n_P}.$$

If we take the valuation of this expression at $P$, we get

$$v_P\big( g - \tfrac{b}{a} f \big) = v_P\big( \psi - \tfrac{b}{a} \varphi \big) + v_P\big( t^{-n_P} \big) \geq -n_P,$$

which means that $g - \frac{b}{a} f \in L(D)$. It follows that in $L(D + P)/L(D)$ we have $g - \frac{b}{a} f = 0$, so $f$ and $g$ are linearly dependent there. This holds for any two elements of $L(D + P)$ outside $L(D)$, and therefore $\dim_k L(D + P)/L(D) = 1$ in this case. We conclude that $\ell(D + P) \leq \ell(D) + 1$.

Corollary 2.26. For any divisor $D$ of $C$, either $\ell(D) \leq \deg D + 1$ or $\ell(D) = 0$.

Proof. We will provide a proof by induction. To do this we must first reduce our options for the degree of $D$ a bit.

First we claim that if $\deg D < 0$ then $\ell(D) = 0$. Let $\deg D < 0$ and suppose we have some $f \in L(D)$ that is nonzero. We write $D = \sum_{P \in C} n_P P$, where $\sum_{P \in C} n_P < 0$ from the definition of the degree. Then $v_P(f) \geq -n_P$ for all $P \in C$ since $\operatorname{div}(f) + D$ is effective. Hence

$$0 = \sum_{P \in C} v_P(f) \geq - \sum_{P \in C} n_P = -\deg D > 0,$$

a contradiction.


Now for the rest of the proof, suppose $\deg D \geq 0$. If $\deg D = 0$, then define $D_P = D - P$ for any $P \in C$. Note that $\deg D_P = -1$, and therefore $\ell(D_P) = 0$. Therefore,

$$\ell(D) = \ell(D_P + P) \overset{\text{lem. 2.25}}{\leq} \ell(D_P) + 1 = 1.$$

This is our base case. Our induction hypothesis will be that for any divisor $E \in \operatorname{Div}(C)$ with degree $n \geq 0$ the inequality $\ell(E) \leq n + 1$ holds. Suppose now $D$ is a divisor of degree $n + 1$. We use $D_P = D - P$ as before to find that

$$\ell(D) = \ell(D_P + P) \overset{\text{lem. 2.25}}{\leq} \ell(D_P) + 1 \overset{\text{IH}}{\leq} n + 1 + 1 = \deg D + 1.$$

This finishes the proof.

Now we have all we need to begin studying some properties of $L(D)$.

Lemma 2.27. $L(D)$ has the following properties.

1. $L(D)$ is a vector space with $\ell(D) = \dim L(D) < \infty$,

2. $D_1 \sim D_2 \in \operatorname{Cl}(C) \implies L(D_1) \cong L(D_2)$,

3. $L(D) \neq \{0\} \iff D \sim D'$ where $D' \geq 0$,

4. $L(0) = \{\text{constant functions on } k\}$,

5. $\deg D < 0 \implies L(D) = \{0\}$.

Proof. Let $f, g \in L(D)$.

1. Let $\lambda \in k \setminus \{0\}$, then $\operatorname{div}(\lambda f) = \operatorname{div}(f)$, so $\lambda f \in L(D)$. Furthermore, we know $v_P(f + g) \geq \min\{v_P(f), v_P(g)\}$ and therefore

$$\operatorname{div}(f + g) = \sum_{P \in C} v_P(f + g) P \geq \sum_{P \in C} \min\{v_P(f), v_P(g)\} P \geq \sum_{P \in C} (-n_P) P = -D,$$

so $f + g \in L(D)$, and therefore $L(D)$ is a vector space. Furthermore, because $\deg D < \infty$ by definition we can use corollary 2.26 to show that $\ell(D) < \infty$ for any $D \in \operatorname{Div}(C)$.

2. If $D_1 \sim D_2$, then $D_1 = D_2 + \operatorname{div}(f)$ for some $f \in \operatorname{Rat}(C)$. Let $f_1 \in L(D_1)$, then

$$\operatorname{div}(f \cdot f_1) + D_2 = \operatorname{div}(f) + \operatorname{div}(f_1) + D_2 = \operatorname{div}(f_1) + D_1 \geq 0,$$

so $f \cdot f_1 \in L(D_2)$. Note that multiplication by $f$ gives an isomorphism between $L(D_1)$ and $L(D_2)$.

3. If $L(D) \neq \{0\}$, then there is some $0 \neq f \in L(D)$ such that $\operatorname{div}(f) + D \geq 0$. Then $D \sim \operatorname{div}(f) + D \geq 0$. Conversely, let $D \sim D' \geq 0$, then $D' = \operatorname{div}(f) + D$ for some $0 \neq f \in \operatorname{Rat}(C)$, so we have $\operatorname{div}(f) + D \geq 0$, and therefore $L(D) \neq \{0\}$.


4. Proven in corollary 2.26, which gives $\ell(0) \leq 1$, while the constant functions already lie in $L(0)$.

5. Suppose $D \in \operatorname{Div}(C)$ with $\deg D < 0$, and suppose there is some $f \in L(D)$ that is not zero. Then $\operatorname{div}(f) + D \geq 0$. Using the degree map we find

$$\deg(\operatorname{div}(f) + D) = \deg D \geq 0,$$

which is a contradiction, leaving us no choice but to conclude that the statement holds.

Let us have a look at an example to make this somewhat abstract definition of L(D) more concrete.

Example 2.28. We have seen that on $\mathbb{P}^1_k$ our class group looks like $\mathbb{Z}(\infty)$. We have also seen that $L(D) \cong L(D')$ if $D \sim D'$. Then for every divisor $D$ we have $L(D) \cong L(n(\infty))$ for some $n \in \mathbb{Z}$. Now we distinguish three general cases.

• $n < 0$: Then $\deg n(\infty) < 0$, so $L(n(\infty)) = \{0\}$.

• $n = 0$: Then $L(n(\infty)) = L(0) = \{\text{constant functions}\} \simeq k$.

• $n > 0$: In this case any $f \in L(n(\infty))$ will have no poles on $C \setminus \{[0 : 1]\}$. Furthermore, we know we can write

$$f = \frac{F}{G} = \frac{F / X_0^d}{G / X_0^d}$$

with $F, G$ homogeneous polynomials of degree $d$. Now we can write

$$\frac{F}{X_0^d} = \frac{\sum_{i=0}^{d} a_i X_0^i X_1^{d-i}}{X_0^d} = \sum_{i=0}^{d} a_i \Big( \frac{X_1}{X_0} \Big)^{d-i} = \sum_{i=0}^{d} a_i t^{d-i}.$$

Moreover, $f$ has no poles on $C \setminus \{[0 : 1]\}$, so $G / X_0^d \neq 0$ there, meaning it must be constant. Therefore, after a correction to the coefficients $a_i$ we can write $f = \sum_{i=0}^{d} a_i t^{d-i}$. Now for $(\infty)$ we have local parameter $s = \frac{1}{t}$. Then

$$f = t^d \sum_{i=0}^{d} a_i t^{-i} = s^{-d} \sum_{i=0}^{d} a_i s^{i}$$

and therefore $v_{(\infty)}(f) = -d$.

Now if $f \in L(n(\infty))$ and $\deg f = d > n$, then the coefficient of $(\infty)$ in

$$\operatorname{div}(f) + n(\infty)$$

is $v_{(\infty)}(f) + n = -d + n < 0$, which is a contradiction. We conclude that $L(n(\infty)) = \{ f \mid \deg f \leq n \}$, where $\deg f$ is the degree of $f$ as a polynomial in $t$. In summary,

$$L(n(\infty)) = \begin{cases} k & \text{if } n = 0, \\ \{0\} & \text{if } n < 0, \\ \{ f \mid \deg f \leq n \} & \text{if } n > 0. \end{cases}$$
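The following added example (my own code, not part of the thesis) carries out the computations of Examples 2.22 and 2.28 on $\mathbb{P}^1$ over $\mathbb{F}_7$: the divisor of a rational function $f = F/G$ from its valuations at the finite points $[1 : a]$ and at $(\infty)$, the check $\deg \operatorname{div}(f) = 0$ of Lemma 2.20, and the membership test $\operatorname{div}(f) + n(\infty) \geq 0$ for $L(n(\infty))$. The prime and the polynomials are constructed. One caveat the thesis does not need: it works over an algebraically closed field, whereas over $\mathbb{F}_7$ the finite points only see roots in $\mathbb{F}_7$, so $\deg \operatorname{div}(f) = 0$ is only visible when $F$ and $G$ split into linear factors; the helper `splits_completely` checks for that.

```python
# Added example (not from the thesis): divisors of rational functions on P^1
# over F_p. A polynomial is a list of coefficients, constant term first; the
# finite points of P^1 are the a in F_p (the point [1 : a]) and 'inf' is [0 : 1].
# The prime and all sample polynomials are constructed for this illustration.

P_MOD = 7


def trim(poly, p=P_MOD):
    """Reduce coefficients mod p and drop leading zeros."""
    poly = [c % p for c in poly]
    while poly and poly[-1] == 0:
        poly.pop()
    return poly


def degree(poly, p=P_MOD):
    """Degree of a polynomial (the zero polynomial gets -1)."""
    return len(trim(poly, p)) - 1


def divide_by_linear(poly, a, p=P_MOD):
    """Synthetic division of poly by (t - a); returns (quotient, remainder)."""
    poly = trim(poly, p)
    quotient = [0] * (len(poly) - 1)
    carry = 0
    for i in range(len(poly) - 1, -1, -1):
        carry = (poly[i] + carry * a) % p
        if i > 0:
            quotient[i - 1] = carry
    return quotient, carry   # at i == 0 the carry is poly(a), the remainder


def valuation_at(poly, a, p=P_MOD):
    """v_a(poly): how many times (t - a) divides poly (Definition 2.11)."""
    poly = trim(poly, p)
    if not poly:
        raise ValueError("the valuation of the zero polynomial is undefined")
    v = 0
    while poly:
        quotient, remainder = divide_by_linear(poly, a, p)
        if remainder != 0:
            break
        v += 1
        poly = quotient
    return v


def divisor_of(F, G, p=P_MOD):
    """div(f) for f = F/G as {point: v_point(f)}, zero entries omitted.
    At infinity the local parameter is s = 1/t, so v_inf(f) = deg G - deg F,
    matching v_(inf)(f) = -d for a polynomial of degree d in Example 2.28."""
    div = {}
    for a in range(p):
        v = valuation_at(F, a, p) - valuation_at(G, a, p)
        if v:
            div[a] = v
    v_inf = degree(G, p) - degree(F, p)
    if v_inf:
        div['inf'] = v_inf
    return div


def degree_of_divisor(div):
    """deg D = sum of the coefficients n_P (Definition 2.19)."""
    return sum(div.values())


def splits_completely(poly, p=P_MOD):
    """True when poly factors into linear factors over F_p, i.e. when the finite
    points a in F_p account for all of its zeros."""
    return sum(valuation_at(poly, a, p) for a in range(p)) == degree(poly, p)


def in_riemann_roch_space(F, G, n, p=P_MOD):
    """Is f = F/G in L(n(inf)), i.e. is div(f) + n(inf) effective?"""
    div = divisor_of(F, G, p)
    div['inf'] = div.get('inf', 0) + n
    return all(v >= 0 for v in div.values())


if __name__ == "__main__":
    # f = (t^2 - 1) / t over F_7: zeros at 1 and 6, poles at 0 and infinity
    print("div((t^2-1)/t) =", divisor_of([6, 0, 1], [0, 1]))
    print("degree:", degree_of_divisor(divisor_of([6, 0, 1], [0, 1])))
    print("t^3 + 1 in L(3(inf))?", in_riemann_roch_space([1, 0, 0, 1], [1], 3))
    print("t^3 + 1 in L(2(inf))?", in_riemann_roch_space([1, 0, 0, 1], [1], 2))
```

The last two lines reproduce the $n > 0$ case of Example 2.28: a polynomial of degree $d$ in $t$ lies in $L(n(\infty))$ exactly when $d \leq n$, because its only pole is at $(\infty)$ with order $d$.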


2.4 Differentials

A differential has a clear geometric meaning in the conventional setting, but what is the meaning of a differential in a general field? Let us forget for a second everything that went before and start building this thing from scratch.

2.4.1 The Local Case

Definition 2.29 (Kähler Differential). Let $A$ be a $k$-algebra over some base field $k$. We define a $k$-derivation $D : A \to M$ with values in an $A$-module $M$ as a map such that for every $c \in k$ and $a, b \in A$ we have

1. $D(c) = 0$,

2. $D(a + b) = D(a) + D(b)$,

3. $D(ab) = aD(b) + bD(a)$.

Example 2.30. Let $f \in \mathbb{R}[X]$ be a polynomial with real coefficients. Then the derivative $d : x^n \mapsto n x^{n-1}$ clearly satisfies each of these properties, the third of which is what is known as the 'Leibniz rule'.

Theorem 2.31. There exists an $A$-module $\Omega^1_{A/k}$ and a derivation $d : A \to \Omega^1_{A/k}$ such that for every derivation $D : A \to M$ there is a unique $A$-linear map $\varphi : \Omega^1_{A/k} \to M$ such that the following diagram commutes, i.e. $D = \varphi \circ d$:

$$A \xrightarrow{\ d\ } \Omega^1_{A/k} \xrightarrow{\ \varphi\ } M, \qquad D : A \to M.$$

Proof. We can construct this object to fit our needs. We start with the free $A$-module on the symbols $\{d(f) \mid f \in A\}$, where $d(f)$ is just a symbol attached to $f$. Now define $\Omega^1_{A/k}$ to be the quotient of this free $A$-module by the relations 1) to 3) from definition 2.29.

The universal property follows again by construction. Let $D$ be some other derivation from $A$ to $M$. Then sending $d(f)$ to $D(f)$ assures that elements of the form $d(fg) - f\,d(g) - g\,d(f)$ get sent to $D(fg) - f D(g) - g D(f) = 0$, so the relations stay intact.

Lemma 2.32. $\Omega^1_{\mathcal{O}_{C,P}/k}$ is the free $\mathcal{O}_{C,P}$-module of rank one generated by $d(t_P)$.

Proof. Let $f \in \mathcal{O}_{C,P}$. We know $f$ does not have a pole at $P$, so we can define $a_0 = f(P)$. Then $f = a_0 + t_P f_1$, with $f_1 \in \mathcal{O}_{C,P}$. Now we can repeat this procedure as many times as we would like. Therefore,

$$f = a_0 + a_1 t_P + a_2 t_P^2 + \cdots + a_n t_P^n + t_P^{n+1} f_{n+1}, \qquad a_i \in k,\ f_{n+1} \in \mathcal{O}_{C,P}.$$

Note that this process does not generally terminate! Now write $M = \Omega^1_{\mathcal{O}_{C,P}/k}$ and let $D = d : \mathcal{O}_{C,P} \to M$ be the universal derivation. Then

$$\begin{aligned}
D(f) &= D(a_0) + D(a_1 t_P) + D(a_2 t_P^2) + \cdots + D(a_n t_P^n) + D(t_P^{n+1} f_{n+1}) \\
&= 0 + a_1 D(t_P) + a_2 D(t_P^2) + \cdots + a_n D(t_P^n) + f_{n+1} D(t_P^{n+1}) + t_P^{n+1} D(f_{n+1}) \\
&= a_1 D(t_P) + 2 a_2 t_P D(t_P) + \cdots + n a_n t_P^{n-1} D(t_P) + (n+1) f_{n+1} t_P^{n} D(t_P) + t_P^{n+1} D(f_{n+1}).
\end{aligned}$$

The goal now is to show that $M = \mathcal{O}_{C,P} \cdot D(t_P)$. Let $M_0 := \mathcal{O}_{C,P} \cdot D(t_P)$. Then $D(f) \equiv t_P^{n+1} D(f_{n+1})$ modulo $M_0$, so the class of $D(f)$ lies in $t_P^{n+1}(M/M_0)$. Furthermore, $t_P^{n+1}(M/M_0) \subset M/M_0$ for arbitrary $n \in \mathbb{N}$. Of course $D(f_{n+1}) \in M$ by definition, so $D(f) \in t_P^{n+1}(M/M_0)$ for every $n$ and therefore

$$D(f) \in \bigcap_{n=0}^{\infty} t_P^{n+1}(M/M_0) =: N.$$

Observe that $t_P N = N$, so because $N$ is finitely generated we can find some $v = (v_1, v_2, \dots, v_r)$ such that $e = (e_1, e_2, \dots, e_r) = t_P v = t_P A e$, where $e$ is the vector such that $N = \operatorname{span}\{e_1, e_2, \dots, e_r\}$ and $A$ is some matrix such that $Ae = v$. Then $(I - t_P A)e = 0$, and $\det(I - t_P A) \equiv \det(I) = 1 \bmod (t_P)$. So $(I - t_P A)$ is invertible, meaning $e = 0$, so $N = 0$. This shows that $M = M_0$, or in other words $D(t_P)$ generates this $\mathcal{O}_{C,P}$-module.

Definition 2.33. From lemma 2.32 we know that for every $f \in \mathcal{O}_{C,P}$ we have some $f' \in \mathcal{O}_{C,P}$ such that $d(f) = f' \, d(t_P)$. We define the derivative of $f$ with respect to $t_P$ as this $f'$.

Example 2.34. Let $C = \mathbb{P}^1_k$, $P = (0) = [1 : 0]$. Remember that we defined our local ring at $P$ as $\mathcal{O}_{C,P} = \{ \frac{f}{g} \in k(t_P) \mid g(P) \neq 0 \}$, where $t_P = \frac{X_1}{X_0}$ (see example 2.5). As we have seen, $\Omega^1_{C,P} = \mathcal{O}_{C,P} \cdot dt_P$. This means there is a map

$$d : \mathcal{O}_{C,P} \to \mathcal{O}_{C,P} \cdot dt_P : \frac{f}{g} \mapsto \frac{f'g - g'f}{g^2} \, dt_P,$$

or what is commonly known as the quotient rule.

2.4.2 The Global Case

Thus far we have only considered the differential on a local ring at a point $P$. Suppose now we want to compare the differentials at two points $P$ and $Q$. Clearly $\operatorname{Frac}(\mathcal{O}_{C,P}) = \operatorname{Rat}(C) = \operatorname{Frac}(\mathcal{O}_{C,Q})$. Let $t_Q \in \mathcal{O}_{C,Q} \subset \operatorname{Rat}(C)$ be the local parameter. Then $t_Q = \frac{f}{g}$ for some $f, g \in \mathcal{O}_{C,P}$. Then

$$dt_Q = d\Big(\frac{f}{g}\Big) = \frac{f'g - g'f}{g^2} \, dt_P.$$

The mapping $\frac{f}{g} \mapsto \frac{f'g - g'f}{g^2}$ gives us an isomorphism between $\operatorname{Rat}(C) \cdot dt_Q$ and $\operatorname{Rat}(C) \cdot dt_P$ by sending $h \, dt_Q$ to $h \frac{f'g - g'f}{g^2} \, dt_P$. If this fraction were zero, then $\frac{f}{g}$ would be a constant, meaning $dt_Q = 0$, which is absurd. So because $f'g - g'f$ cannot be zero, and neither can $g^2$, this element must be invertible and so this map is indeed an isomorphism.

Definition 2.35. A rational differential on $C$ is an element $\omega \in \operatorname{Rat}(C) \cdot dt_P$.

We are already familiar with $v_P(f)$, the valuation of $f$ at $P$. We will make a very similar definition, called the order of $\omega$ at $P$, and denoted $\operatorname{ord}_P(\omega)$.

Definition 2.36. We define the order of $\omega$ at $P$ as $\operatorname{ord}_P(\omega) := v_P(f)$ where $\omega = f \, dt_P$.

We make the very important note that although $\omega$ carries a factor $dt_P$, this definition does not depend on $t_P$ at all. To see that this is true, consider $t_P, t'_P$ two local parameters at $P$. Then $t'_P = \varphi t_P$ for some $\varphi \in \mathcal{O}_{C,P}$ that does not vanish at $P$. Then

$$dt'_P = t_P \, d\varphi + \varphi \, dt_P = t_P \varphi' \, dt_P + \varphi \, dt_P = (t_P \varphi' + \varphi) \, dt_P.$$

The factor $t_P \varphi' + \varphi$ is an element of $\mathcal{O}_{C,P} \setminus \mathfrak{m}_P$, because $(t_P \varphi' + \varphi)(P) = t_P(P) \varphi'(P) + \varphi(P) = \varphi(P) \neq 0$. We conclude that if $\omega = f \, dt_P = g \, dt'_P = g (t_P \varphi' + \varphi) \, dt_P$, then

$$v_P(f) = v_P(g) + v_P(t_P \varphi' + \varphi) = v_P(g),$$

so indeed the order of vanishing at $P$ does not depend on the choice of local parameter!

Definition 2.37. We define the divisor of a rational differential as

$$\operatorname{div}(\omega) := \sum_{P \in C} \operatorname{ord}_P(\omega) P.$$

If $\omega, \tau$ are rational differentials, then $\omega = f \tau$ for some $f \in \operatorname{Rat}(C) \setminus \{0\}$. Therefore, $\operatorname{div}(\omega) = \operatorname{div}(\tau) + \operatorname{div}(f)$. We see that the divisors of two rational differentials differ only by some principal divisor, meaning that the divisors of rational differentials all belong to the same equivalence class in $\operatorname{Cl}(C)$. Finally, we can make the following important definition.

Definition 2.38. Let $\omega$ be some rational differential. We define the canonical class as follows:

$$K_C := [\operatorname{div}(\omega)] \in \operatorname{Cl}(C).$$

2.5 The Riemann Roch Theorem

Finally, we have all the definitions to understand the statement of the Riemann-Roch theorem.

Theorem 2.39. Let $C$ be an algebraic curve and $K_C$ its canonical divisor. There is an integer $g$ such that for every divisor $D \in \operatorname{Div}(C)$

$$\ell(D) - \ell(K_C - D) = \deg D - g + 1.$$


We see that the Riemann-Roch theorem shows us that the genus of a curve $C$ and the dimension of the Riemann-Roch spaces of divisors are connected in an algebraic way. In fact, if we take $D$ to be $0$, the statement becomes $\ell(0) - \ell(K_C) = -g + 1$, and from lemma 2.27 we know $\ell(0) = \dim L(0) = 1$, proving the following corollary.

Corollary 2.40. $\ell(K_C) = g$.

Using this fact and plugging in $D = K_C$ we get another important corollary.

Corollary 2.41. $\deg K_C = 2g - 2$.

In particular this tells us that for a curve of genus 1 the canonical divisor class vanishes. This will be important as elliptic curves turn out to be of genus 1. In the next chapter we will again show these statements to be true but with a more geometric approach.


3 Geometry

Let us make an effort to understand the geometry of elliptic curves. Let $C \subset \mathbb{P}^n_{\mathbb{C}}$ be a complete algebraic curve. What we would like is to get some geometric intuition as to how this curve looks in $\mathbb{P}^n_{\mathbb{C}}$.

[Figure 3.1: projection from a point $Q$ of a curve $C_0 \subset \mathbb{P}^n_{\mathbb{C}}$ onto a curve $C_1 \subset \mathbb{P}^{n-1}_{\mathbb{C}}$, sending $P$ to $\bar P$; the figure also marks points $S$, $S_1$, $S_2$.]

Let $P \in U$ for some open neighborhood $U$ of $P$ in $C$. We will show that there is some curve $\bar C \subset \mathbb{P}^2_{\mathbb{C}}$ and a $\bar P \in \bar U$, some open neighborhood of $\bar P$ in $\bar C$, such that $U \simeq \bar U$ and $P \mapsto \bar P$. The picture to keep in mind for this is that of a projection from a curve $C_0$ to $C_1$ in the projective space one dimension lower, by choosing an appropriate point $Q$ and projecting from there. The point $Q$ should be chosen with care, because it is possible to induce singularities. Let $C_0$ be some curve in $\mathbb{P}^n_k$. Given $P_1, P_2$ two points on $C_0$, one can imagine the line through $P_1$ and $P_2$ defines a linear subspace. Varying $P_1$ and $P_2$ and taking the union of all these lines carves out a three dimensional subspace in $\mathbb{P}^n_k$. After all, any point in this subspace can be identified by three coordinates: $P_1$, $P_2$, and the position on the line between $P_1$ and $P_2$. Therefore, if $n > 3$ and we choose $Q$ outside the subspace spanned by all lines between two points on $C_0$, then the projection from $Q$ onto $\mathbb{P}^{n-1}_k$ is an isomorphism, since no new singularities will be introduced.

When $n = 3$ this no longer holds. However, locally for $P$ on $C_0$ we can still choose $Q$ such that the projection is an isomorphism on some open neighborhood around $P$. In other words, for $n > 3$ we have a global isomorphism and for $n = 3$ we have a local isomorphism.

3.1 Local Picture

We have seen that locally we can project an open neighborhood of a point down to a projective plane; we will now make this specific for $C$ a smooth complete curve over $\mathbb{C}$. In this case, as we will see, locally $C$ carries the structure of $\mathbb{C}$.

Let $P \in C$. We have seen that for open $U$ around $P$ we have an isomorphism with $\bar U$ containing $\bar P$ in $\mathbb{P}^2_{\mathbb{C}}$. Now if $\bar P$ is well chosen, then we can assume that $x_0 \neq 0$. In that case, we can define a map

$$[x_0 : x_1 : x_2] \mapsto \Big( \frac{x_1}{x_0}, \frac{x_2}{x_0} \Big)$$

which gives us an isomorphism between $\{[x_0 : x_1 : x_2] \in \mathbb{P}^2_{\mathbb{C}} \mid x_0 \neq 0\}$ and $\mathbb{C}^2$. This allows us to interpret an open neighborhood of $P$ in $C$ as a set of points $\{(x, y) \in \mathbb{C}^2 \mid f(x, y) = 0\}$ for some $f$. If we have chosen $P$ in such a way that $C$ is smooth at $P$, then either $\frac{\partial f}{\partial x}(P) \neq 0$ or $\frac{\partial f}{\partial y}(P) \neq 0$. We will, without loss of generality, assume the second case to be true. Now we have the following theorem.

Theorem 3.1 (Implicit Function Theorem). Let $f(x, y)$ be a holomorphic function. Assume $f(x_0, y_0) = 0$ and $\frac{\partial f}{\partial y}(x_0, y_0) \neq 0$. Then there is some radius $\delta > 0$ and a holomorphic $\varphi$ on $|x - x_0| < \delta$ with $\varphi(x_0) = y_0$ and $f(x, \varphi(x)) = 0$. In other words, $y = \varphi(x)$ is a solution for $f$.

Using this theorem we see that locally we can express $P = (x_P, y_P) \in C$ as $(x_P, \varphi(x_P))$ for some $\varphi$ depending on $x$.

Now remember that we have the local ring $\mathcal{O}_{C,P}$, in which we have a local parameter $t_P$, which is a function that vanishes with exactly order one at $P$. We now prove the following lemma.

Lemma 3.2. Let $C$ be a smooth complete curve over $\mathbb{C}$ and $P$ some point on $C$. The local parameter $t_P$ provides a local biholomorphism from some open neighborhood $U \subset C$ of $P$ to a disk $U_0 \subset \mathbb{C}$ around the origin.

Proof. First we will show that this statement is independent of the choice of local parameter. Namely, if we have $t_P, \tilde t_P$ local parameters, then clearly $\tilde t_P = g t_P$ for some $g \in \mathcal{O}_{C,P} \setminus \mathfrak{m}_P$ by definition of the local parameter. We know $g = \sum_{i=0}^{\infty} a_i t_P^i$ as a power series, with $a_0 \neq 0$. Now let $\tilde g(z) = (a_0 + a_1 z + a_2 z^2 + \dots) z$. Then $\tilde g'(0) = a_0 \neq 0$, so $\tilde g$ is locally invertible by theorem 3.1 and therefore a biholomorphism. Moreover, $\tilde g \circ t_P = \tilde t_P$. This shows that proving the statement for any local parameter will prove it for all local parameters.


[Figure 3.2: Implicit Function Theorem. The curve $C$ near $P$, the point $x_P$ in a disk in $\mathbb{C}$, and its image $\varphi(x_P)$.]

Now suppose $P = (x_0, y_0)$ and take $t_P = X - x_0$. We will show this is a local parameter. Clearly $t_P$ is a rational function without poles which is zero at $P$, so $t_P \in \mathfrak{m}_P$. Now our local ring is included in the local ring of holomorphic functions. That is, any rational function is holomorphic. Symbolically we have $t_P \in \mathcal{O}_{C,P} \subset \mathcal{O}^{\mathrm{hol}}_{C,P} \simeq \mathcal{O}^{\mathrm{hol}}_{\mathbb{C},0}$, where the isomorphism is the induced isomorphism

$$t_P^* : \mathcal{O}^{\mathrm{hol}}_{\mathbb{C},0} \to \mathcal{O}^{\mathrm{hol}}_{C,P} : f \mapsto f \circ t_P.$$

Now we know $\mathfrak{m}^{\mathrm{hol}}_{\mathbb{C},0} = (z)$ as an ideal in $\mathcal{O}^{\mathrm{hol}}_{\mathbb{C},0}$. The induced isomorphism sends $z$ to

$$t_P^*(z) = z \circ t_P = t_P.$$

Now it remains to show that $t_P$ has a simple zero. To see this, note that $\mathfrak{m}_P = (t)$ for some local parameter $t$. Then $t_P = t^e h$ for some $h \in \mathcal{O}_{C,P} \setminus \mathfrak{m}_P$. Also we can map $t_P$ to $z \in \mathcal{O}^{\mathrm{hol}}_{\mathbb{C},0}$ through some isomorphism $\phi : \mathcal{O}_{C,P} \to \mathcal{O}^{\mathrm{hol}}_{\mathbb{C},0}$ as seen above symbolically. Then $z = \phi(t_P) = \phi(t)^e \phi(h)$. Clearly $z$ has a simple zero at zero, and $h$ is not zero at $P$, so $\phi(h)$ is not zero at zero. Therefore, $e = 1$, and $t_P$ has a simple zero at $P$. This means $t_P$ is a local parameter, and it is clear that $t_P$ provides a local biholomorphism through theorem 3.1 (see figure 3.2), so the statement is proven.

In conclusion, we have found an isomorphism between a neighborhood U of P and a disc U0 in C.

3.2 Maps Between Curves

We start this section off with a definition.


Definition 3.3. A morphism of curves $f : C_1 \subset \mathbb{P}^N_{\mathbb{C}} \to C_2 \subset \mathbb{P}^M_{\mathbb{C}}$ is defined by sending $P = [x_0 : x_1 : \cdots : x_N]$ to $f(P) = [F_0(P) : F_1(P) : \cdots : F_M(P)]$, where each $F_i$ is a homogeneous polynomial of the same degree in $(x_0, x_1, \dots, x_N)$.

We will have a short discussion about what these morphisms do locally. As we know, we have the local ring $\mathcal{O}_{C,P}$ depending on $P$ in our curve. Now let $f : C_1 \to C_2$ be a morphism of curves. This then induces a morphism between local rings as follows. Let $P_1 \in C_1$, $f(P_1) = P_2 \in C_2$. Then we get

$$f^* : \mathcal{O}_{C_2,P_2} \to \mathcal{O}_{C_1,P_1} : \varphi \mapsto f^*\varphi = \varphi \circ f.$$

Clearly this is well defined, since $f^*\varphi(P_1) = \varphi(f(P_1)) = \varphi(P_2)$ does not have a pole at $P_1$. Moreover, the morphism $f$ also induces a map from $\mathfrak{m}_{P_2}$ to $\mathfrak{m}_{P_1}$. After all, we know $\mathfrak{m}_{P_2} = (t_{P_2})$, and $f^* t_{P_2}$ is in $\mathcal{O}_{C_1,P_1}$, which means $f^* t_{P_2} = t_{P_1}^e g$ for some $g \in \mathcal{O}_{C_1,P_1} \setminus \mathfrak{m}_{P_1}$. This $e$ will be important, so we make the following note.

Definition 3.4. We call this e the ramification index of f at P1.

3.3 Genus of C

Earlier when we stated the Riemann-Roch theorem we introduced something called the genus of an algebraic curve $C$ without further elaborating on it. In topology, the genus of an orientable surface counts the number of holes. The same will apply here. The genus of $C$ will be the number of holes in the corresponding compact oriented surface. To study the genus without getting too far off topic we introduce the following definition.

Definition 3.5 (Triangulation). For any compact surface we can make a triangulation, meaning we subdivide the surface into many triangles. For any such triangulation $T$ we define

$$E(T) := \#\mathrm{vertices}(T) - \#\mathrm{edges}(T) + \#\mathrm{triangles}(T).$$

Lemma 3.6. Let $T$ and $T'$ be triangulations of the same compact surface, then $E(T) = E(T')$.

Proof. First we introduce the idea of a refinement of a triangulation. If we have a triangulation $T$, we can make it finer by adding a vertex inside one of the triangles, and connecting the vertex with three new edges to the three corners of that triangle to create three new triangles. Note that we get $+1$ vertex, $+3$ edges and $+2$ triangles when we do this, so $E(T)$ stays the same. Another way to get a refinement is to add a vertex on an edge between two triangles, and connect this vertex to the only remaining vertex it can be connected to in both triangles touching this edge. Again $E(T)$ remains invariant. A last way is to bisect a triangle that touches the boundary of the surface (if a boundary exists). Again $E(T)$ remains unchanged. Now any two triangulations can be superimposed, after which we add edges and vertices until we again have a triangulation. Note that by superimposing, we can make any vertex from $T'$ land either in the interior or on an edge of a triangle of $T$, making this adding of edges a refinement of either $T$ or $T'$, and since refinement leaves $E(T)$ and $E(T')$ intact we get that $E(T) = E(T')$.


(Figure: (a) the unramified case, (b) the ramified case, with $f$ sending the points $P_i$ to $Q_i$.)

Theorem 3.7. For a triangulation T we have E(T ) = 2 − 2g.

Proof. This can be shown by induction. To prove the base case, we provide a triangulation $T$ of the sphere, the simplest one looking like a tetrahedron. One can check that indeed $E(T) = 4 - 6 + 4 = 2$, so the statement holds. Now suppose the statement holds for a surface of genus $n$. To make from this surface a surface of genus $n + 1$, we must create another hole. We can do this by taking two triangles on the surface and connecting them via a cylinder. This means we remove 2 triangles, and add however many triangles, edges and vertices a cylinder consists of, minus the top and bottom triangles, edges and vertices. One can check that this number equals $(6 - 12 + 8) - 2 - 6 + 6 = 0$, so all we count is the removal of the two triangles, which means that after punching a new hole our Euler number is $2 - 2n - 2 = 2 - 2(n + 1)$, which proves the claim.

3.3.1 Riemann-Hurwitz Formula

Suppose we have some morphism $f : C_1 \to C_2$. Then we know every point $P$ on $C_1$ has a ramification index $e$. Furthermore, it turns out there are finitely many points $P_1, P_2, \dots, P_n$ with a ramification index $e > 1$. These points of course then have finitely many images $Q_i = f(P_i)$ in $C_2$, some of which may coincide.

Now take $T_2$ to be a triangulation of $C_2$ such that all of these $Q_i$ are vertices of $T_2$, and assume $T_2$ is fine enough to make the definition $T_1 = f^{-1}(T_2)$. Now we distinguish two situations for a triangle $\Delta_2$ in $T_2$.

• $Q_i$ is not a vertex of $\Delta_2$. In this case, every point on this triangle is unramified, meaning all points have ramification index 1. If we now look at the inverse image $\Delta_1 := f^{-1}(\Delta_2)$ of $\Delta_2$, this $\Delta_1$ looks like a big stack of triangular pancakes, the number of which we will call the degree of $f$, $\deg f$.

• $Q_i$ is a vertex of $\Delta_2$. We will without loss of generality assume that only one vertex of $\Delta_2$ satisfies this condition. If not, we simply make $T_2$ finer until it can be so. Now $\Delta_1$ again looks like a big stack of pancakes, but exactly $e_i$ of these pancakes are connected at a vertex at $P_i$, where $e_i$ is the ramification index of $P_i$. This can be visualized as a stack of pancakes and a flower with $e_i$ triangular petals meeting at $P_i$.

What we want to do is compute $E(T_1)$ in terms of $E(T_2)$. We will proceed by counting the triangles, edges and vertices.

• triangles: Note what we have stated before. $\Delta_1$ looks like a big stack of pancakes, of which we have exactly $\deg f$. Then for every triangle in $T_2$, we have $\deg f$ triangles in $T_1$. So $\#\mathrm{triangles}(T_1) = \deg f \cdot \#\mathrm{triangles}(T_2)$.

• edges: Similarly, and with the same argument, $\#\mathrm{edges}(T_1) = \deg f \cdot \#\mathrm{edges}(T_2)$.

• vertices: Now we need to proceed with some care. We have remarked that for every triangle in $T_2$ we have $\deg f$ of them in $T_1$. However, we have also stated that $e_i$ of these are connected at a vertex, effectively removing $e_i - 1$ vertices. This means for the number of vertices we get $\#\mathrm{vertices}(T_1) = \deg f \cdot \#\mathrm{vertices}(T_2) - \sum_{i=1}^{n} (e_i - 1)$.

Using all this, we arrive at the conclusion that
$$2 - 2g_{C_1} = \deg f \cdot (2 - 2g_{C_2}) - \sum_{i=1}^{n} (e_i - 1),$$
where $g_{C_1}, g_{C_2}$ denote the genus of $C_1$, $C_2$ respectively. This means that we can relate the genus of one curve with that of another through a morphism between curves!
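As an added illustration (not part of the thesis), the formula can be checked on the map that will matter in Section 4. Let $E : y^2 = x^3 + px + q$ be a nonsingular cubic over $\mathbb{C}$, so that $x^3 + px + q$ has three distinct roots, and let $f : E \to \mathbb{P}^1$ be $(x, y) \mapsto x$, $O_E \mapsto \infty$. Over a generic $c \in \mathbb{P}^1$ the fibre consists of the two points $(c, \pm\sqrt{c^3 + pc + q})$, so $\deg f = 2$. The fibre collapses to a single point with $e_P = 2$ exactly over the three roots of $x^3 + px + q$ (where $y = 0$) and over $\infty$ (the point $O_E$), so $\sum_P (e_P - 1) = 4$ and

$$2 - 2g_E = \deg f \cdot (2 - 2g_{\mathbb{P}^1}) - \sum_{P \in E} (e_P - 1) = 2 \cdot (2 - 0) - 4 = 0,$$

which gives $g_E = 1$, the genus required of an elliptic curve in Definition 4.1.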

3.3.2 Pullback of a rational differential

Let $f : \tilde{C} \to C$ be a map between complete curves. Let $\omega$ be a rational differential on $C$. Let $P \in \tilde{C}$ and define $Q := f(P)$. Locally around $Q$ we can write
$$\omega = \varphi \, dt_Q$$
for some rational function $\varphi$. We now define $f^*\omega$ such that locally at $P$ we have $f^*\omega = f^*\varphi \, d(f^*t_Q)$.

Recall that we can write $f^*t_Q = t_P^{e_P} g$ for some $g \in \mathcal{O}_{\tilde{C},P} \setminus \mathfrak{m}_P$. Therefore,
$$d(f^*t_Q) = d(t_P^{e_P} g) = e_P t_P^{e_P - 1} g \, dt_P + t_P^{e_P} g' \, dt_P = t_P^{e_P - 1}\big(e_P g + t_P g'\big) \, dt_P,$$
of which the term $e_P g + t_P g'$ does not vanish at $P$, so is an element in $\mathcal{O}_{\tilde{C},P} \setminus \mathfrak{m}_P$. Let us denote this term as $\tilde{g}$ so that we can write
$$f^*\omega = f^*\varphi \, t_P^{e_P - 1} \tilde{g} \, dt_P.$$

Lemma 3.8. The above is a rational differential on $\tilde{C}$.

Proof. To prove this we need to show that whatever local parameter we choose, f∗ω does not change. To see this, note that we have the following diagram.

(Commutative diagram: the horizontal arrows are $f^*$, from $\mathrm{Rat}(C) \cdot dt_{P'}$, $\Omega^1_{\mathrm{Rat}(C)}$ and $\mathrm{Rat}(C) \cdot dt_P$ to $\mathrm{Rat}(\tilde{C}) \cdot dt_{Q'}$, $\Omega^1_{\mathrm{Rat}(\tilde{C})}$ and $\mathrm{Rat}(\tilde{C}) \cdot dt_Q$ respectively; the vertical arrows are the isomorphisms $\varphi$.)

Here ϕ is the isomorphism as described in section 2.4.2.

Now we can think about what the divisor of such a pullback looks like. Let us start calculating and see where we get stuck.

$$\operatorname{div}(f^*\omega) = \sum_{P \in \tilde{C}} v_P\big(f^*\varphi \, t_P^{e_P - 1} \tilde{g} \, dt_P\big) P = \sum_{P \in \tilde{C}} \big( v_P(f^*\varphi) + v_P(t_P^{e_P - 1}) + v_P(\tilde{g}) \big) P = \sum_{P \in \tilde{C}} \big( v_P(f^*\varphi) + (e_P - 1) + 0 \big) P$$

So far so good, but what does $v_P(f^*\varphi)$ mean? Let us recall that we can write $f^*t_Q = t_P^{e_P} g$, for some well chosen variables, but also that $\varphi$ is a rational function, so $\varphi = t_Q^a \cdot h$ for some $h$ that does not vanish. Then clearly
$$f^*\varphi = f^*t_Q^a \cdot f^*h = t_P^{e_P \cdot a} g^a f^*h$$
where the first equality follows from the definition of the pullback, and the second comes from the identity mentioned earlier. Note that $h$ was chosen such that it does not vanish at $Q$, and therefore $f^*h = h \circ f$ does not vanish at $P$. Then we can calculate the valuation, which looks like
$$v_P(f^*\varphi) = v_P(t_P^{e_P \cdot a} g^a f^*h) = v_P(t_P^{e_P \cdot a}) = e_P a = e_P v_P(\varphi).$$

Definition 3.9 (Pullback of a Point). For given $f$ we define the pullback
$$f^*Q := \sum_{P \mapsto Q} e_P P$$
where the sum runs over all $P$ mapped to $Q$ through $f$.

Something interesting happens in this definition. Namely, this definition extends to a map $f^* : \mathrm{Div}(C) \to \mathrm{Div}(\tilde{C})$ by letting the map factor through the sum of a divisor. This then gives us for $\varphi \in \mathrm{Rat}_C$ that
$$\operatorname{div}(f^*\varphi) = \sum_{P \in \tilde{C}} v_P(f^*\varphi) P = \sum_{P \in \tilde{C}} v_Q(\varphi) e_P P = \sum_{Q \in C} \sum_{P \mapsto Q} v_Q(\varphi) e_P P = \sum_{Q \in C} v_Q(\varphi) f^*Q = f^*\Big(\sum_{Q \in C} v_Q(\varphi) Q\Big) = f^*\operatorname{div}(\varphi)$$

We conclude that we have commutativity! This of course induces a map $f^* : \mathrm{Cl}(C) \to \mathrm{Cl}(\tilde{C})$.

We now return to where we got stuck in our calculation earlier.
$$\begin{aligned}
\operatorname{div}(f^*\omega) &= \sum_{P \in \tilde{C}} \big( v_P(f^*\varphi) + (e_P - 1) \big) P \\
&= \sum_{P \in \tilde{C}} e_P v_Q(\varphi_Q) P + \sum_{P \in \tilde{C}} (e_P - 1) P \\
&= \sum_{Q \in C} \sum_{P \mapsto Q} v_Q(\varphi_Q) e_P P + \sum_{P \in \tilde{C}} (e_P - 1) P \\
&= \sum_{Q \in C} v_Q(\varphi_Q) f^*Q + \sum_{P \in \tilde{C}} (e_P - 1) P \\
&= f^*\Big( \sum_{Q \in C} v_Q(\varphi_Q) Q \Big) + \sum_{P \in \tilde{C}} (e_P - 1) P \\
&= f^*(\operatorname{div}(\omega)) + \sum_{P \in \tilde{C}} (e_P - 1) P
\end{aligned}$$
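As an added check of this formula (not in the thesis), take $f : \mathbb{P}^1 \to \mathbb{P}^1$, $z \mapsto z^2$, which has degree 2 and is ramified with $e = 2$ at $0$ and at $\infty$, and take $\omega = dz$, whose divisor is $\operatorname{div}(\omega) = -2(\infty)$. Directly, $f^*\omega = d(z^2) = 2z\,dz$ vanishes to order 1 at $0$, and at $\infty$ with local parameter $w = 1/z$ we get $2z\,dz = -2w^{-3}\,dw$, so

$$\operatorname{div}(f^*\omega) = (0) - 3(\infty).$$

The formula gives the same: since $f^*(\infty) = 2(\infty)$,

$$f^*(\operatorname{div}(\omega)) + \sum_{P} (e_P - 1) P = -4(\infty) + (0) + (\infty) = (0) - 3(\infty),$$

and on degrees $-2 = 2 \cdot (-2) + 2$.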

Lemma 3.10. $\deg(f^*D) = \deg(f) \deg(D)$.

Proof. We arrive at this fact by direct calculation, using that $\sum_{P \mapsto Q} e_P = \deg f$ for every $Q$ (the pancakes over $Q$ counted with multiplicity).
$$\deg(f^*D) = \deg\Big( \sum_{Q \in C} n_Q f^*Q \Big) = \deg\Big( \sum_{Q \in C} n_Q \sum_{P \mapsto Q} e_P P \Big) = \sum_{Q \in C} n_Q \sum_{P \mapsto Q} e_P = \deg(D) \deg(f)$$

Lemma 3.11.
$$\deg \operatorname{div}(f^*\omega) = \deg f \cdot \deg \operatorname{div}(\omega) + \sum_{P \in \tilde{C}} (e_P - 1)$$

Proof. This follows from lemma 3.10 and the calculation that went on before.

Proposition 1. $\deg K_C = 2g - 2$.

Proof. First note that if the proposition holds for $C$, then it also holds for $\tilde{C}$. This can be seen by using the Riemann-Hurwitz formula. Namely,
$$2 - 2g_{\tilde{C}} = \deg f \cdot (2 - 2g_C) - \sum_{P \in \tilde{C}} (e_P - 1)$$
holds if and only if
$$\deg K_{\tilde{C}} = \deg f \cdot \deg K_C + \sum_{P \in \tilde{C}} (e_P - 1)$$
which holds because of lemma 3.11. Next note that every curve $C$ admits a morphism $f : C \to \mathbb{P}^1$ by simply sending $P$ to $[1 : f(P)]$. This is clearly well defined when $P$ is not a pole of $f$, and in the case that it is, we have an equivalence $[1 : f(P)] \sim [\frac{1}{f(P)} : 1]$, which means that $P$ gets sent to $[0 : 1] = (\infty)$. Now we simply observe that the proposition holds for $\mathbb{P}^1$, as this space is homeomorphic to $\mathbb{C} \cup \{\infty\}$, which has genus 0 (no holes).

This means that we can take local parameter $t_P = \frac{x_1}{x_0} - P$ when $P$ is not infinity and $t_\infty = \frac{x_0}{x_1}$ when it is, and $\omega = dt_P$ a rational differential. Then
$$\operatorname{div}(\omega) = \sum_{P \in \mathbb{P}^1} v_P(\omega) P = v_\infty\Big( d\Big( \frac{1}{t_\infty} \Big) \Big)(\infty) = v_\infty\Big( -\frac{1}{t_\infty^2} \, dt_\infty \Big)(\infty) = -2(\infty)$$

Of course we already knew this, but it is a good thing to have some geometric intuition to go with the algebra.


4 The Group Law

Let us start with the definition of an elliptic curve.

Definition 4.1. A curve $E$ over a field $k$ is an elliptic curve if

1. $E$ is of genus 1,

2. $E$ has a point $O$ that is defined over $k$.

Proposition 2. For such a curve we have KC = 0.

Proof. We have seen that $\ell(K_C) = 1$, and $\deg(K_C) = 0$. Then there is some rational function $f \in \mathrm{Rat}_C$ such that $K_C + \operatorname{div}(f) \geq 0$. We know that $\deg(K_C + \operatorname{div}(f)) = 0$, which then implies that $K_C + \operatorname{div}(f)$ must be zero itself. Moreover, we know that $\ell(D) = \ell(D')$ if $[D]$ and $[D']$ are equivalent in $\mathrm{Cl}(C)$, so $K_C = [0]$ in $\mathrm{Cl}(C)$ and thus $K_C = 0$.

4.1 Application of the Riemann-Roch Theorem

Let us look at what happens to `(D) when D = n · [O].

1. $\ell(0) = 1$: We have seen what happens in this case.

2. $\ell([O]) = 1$: Same as above. $L([O]) \simeq k$.

3. $\ell(2[O]) = 2$: $L(2[O]) \simeq k \oplus kx$.

4. $\ell(3[O]) = 3$: $L(3[O]) \simeq k \oplus kx \oplus ky$.

5. $\ell(4[O]) = 4$: $L(4[O]) \simeq k \oplus kx \oplus ky \oplus kx^2$.

6. $\ell(5[O]) = 5$: $L(5[O]) \simeq k \oplus kx \oplus ky \oplus kx^2 \oplus kxy$.

7. $\ell(6[O]) = 6$: Here is where it gets interesting. Now we have that both $x^3$ and $y^2$ are elements in $L(6[O])$. We can not just extend the set like we did before however, because that would create something seven dimensional, while we have calculated the dimension over $k$ should be six. This means there must be some linear relationship between elements that can be expressed as

If this expression looks familiar, that was the intention. This looks like a classic elliptic curve. This linear relationship means we have a map

$$E \to \mathbb{P}^2, \qquad P \mapsto [1 : x : y], \quad O \mapsto [0 : 0 : 1].$$

Moreover, if $\operatorname{char}(k) \neq 2$, then we can write the expression above as
$$\Big( y + \frac{ax + b}{2} \Big)^2 = f(x)$$
where $f$ is some degree 3 function over $x$. This translates to a function $y^2 = f(x)$ as we're used to seeing for elliptic curves. If $\operatorname{char}(k) \neq 3$ then we can even reduce this to
$$y^2 = x^3 + px + q.$$

Let us move towards a definition of the group law on $E$. To this end, we define a map $\varphi : E \to \mathrm{Cl}^0(E) = \mathrm{Div}^0(E)/\mathrm{PDiv}(E)$, $P \mapsto [P - O_E]$, where the $0$ denotes the degree zero divisors.

Lemma 4.2. ϕ is a bijection of sets.

Proof. First we show $\varphi$ is surjective. Let $D \in \mathrm{Div}^0(E)$ be some degree zero divisor. Then $D' := D + O_E$ is a degree one divisor. Now we apply the Riemann-Roch theorem to see that $\ell(D') = \deg(D')$. This means there is some rational function $f$ such that $D' + \operatorname{div}(f) \geq 0$. This $D' + \operatorname{div}(f)$ is of degree one, so $D' + \operatorname{div}(f) = P$ for some $P \in E$. Thus $D' \sim P$ in $\mathrm{Cl}(E)$, which means $D + O_E \sim P$, or $D \sim P - O_E$, so $\varphi$ is surjective.

For injectivity, let $P, Q \in E$ such that $\varphi(P) = \varphi(Q)$. Then $P - O_E \sim Q - O_E$, or $P - Q \sim 0$, which means $P$ and $Q$ differ by some principal divisor, or $P - Q = \operatorname{div}(f)$. Thus $P = Q + \operatorname{div}(f)$ for some $f \in \mathrm{Rat}(E)$. Now $f$ will be an element in $L(Q)$, which as we have seen earlier is the set of constant functions, the divisors of which are all zero. We conclude that $P = Q$.

So we have ϕ a bijection of sets, but Cl0(E) is a group. This means that we should have some induced group structure on E through ϕ.

Lemma 4.3. Let $L$ be a line in $\mathbb{P}^2_{\mathbb{C}}$. The class of $L|_E$ in $\mathrm{Cl}(E)$ is constant.

Proof. Let $L_1, L_2$ be two lines in $\mathbb{P}^2_{\mathbb{C}}$. Let $L_1 = a_0 X_0 + a_1 X_1 + a_2 X_2$, $L_2 = b_0 X_0 + b_1 X_1 + b_2 X_2$. Now take $f = \frac{L_1}{L_2}\big|_E$, which is a rational function on $E$. Let us look at the divisor of this $f$. We get $\operatorname{div}(f) = L_1|_E - L_2|_E$. In other words, $L_1|_E$ and $L_2|_E$ differ by a principal divisor, so $L_1|_E \sim L_2|_E$ in $\mathrm{Cl}(E)$.


Example 4.4. Let $E$ be some elliptic curve, $P, Q$ points on $E$, and $L_1$ a line through $P$ and $Q$. Then we have another point on $L_1 \cap E$ by Bezout's Theorem. We denote this point $R'$. Now we have a second line, denoted $L_2$, through $R'$ and $O_E$ which also crosses $E$ in a third point we will denote $R$. In $\mathrm{Cl}(E)$ these lines are equivalent, so
$$P + Q + R' \sim O_E + R' + R.$$

(Figure: the curve $E$ with the points $P$, $Q$, $R'$, $R$, $O_E$ and the lines $L_1$ through $P, Q, R'$ and $L_2$ through $R', O_E, R$.)

We can remove the $R'$ from both sides, and subtract $O_E$ twice on both sides to arrive at
$$P - O_E + Q - O_E \sim R - O_E,$$
or
$$\varphi(P) + \varphi(Q) = \varphi(R).$$

Indeed, from this example it becomes apparent from where the group law stems. That is, given P and Q in E, we have ϕ(P ) and ϕ(Q) in Cl0(E) which is a group, and therefore ϕ(P ) + ϕ(Q) is well defined. Because ϕ provides a bijection of sets we can define P + Q as exactly that element such that ϕ(P + Q) = ϕ(P ) + ϕ(Q). This induces a group law on E which, as shown in the example, is exactly the group law on elliptic curves.


5 Cryptography

One useful application of elliptic curves is in cryptography. To understand elliptic curve cryptography one must first understand the following problem.

5.1 The Discrete Logarithm Problem

Let $a, b$ be non-zero elements of some group $G$ and $p$ a prime element. Suppose we have
$$a^k \equiv b \pmod p, \quad k \in \mathbb{Z}.$$
Find $k$.

Of course we have shown that an elliptic curve is a group so this discrete logarithm problem persists in the case of elliptic curves. In general, this problem is hard to solve, and for a well chosen elliptic curve, finite field and prime element p it even becomes computationally infeasible to solve. In this case we will say the discrete logarithm problem is hard.

The general idea of encryption will be shown through an example, namely the Massey-Omura encryption scheme. Many different methods of encryption have been found, each with their strengths and weaknesses. This particular encryption scheme is not widely used, but lends itself very well to examples. In the following example, Alice and Bob are two persons who want to exchange data over an insecure channel, and Eve is an eavesdropper who is listening in and receives any message Bob or Alice would receive.

Example 5.1 (Massey-Omura). The scheme consists of the following steps.

1. Alice and Bob agree on the following data

 • An elliptic curve $E$,

 • a finite field $\mathbb{F}_q$ such that the discrete logarithm problem is hard in $E(\mathbb{F}_q)$,

 • $N = \#E(\mathbb{F}_q)$.

2. Alice represents her message as a point $M \in E$. [a]

3. Alice chooses an integer $m_A$ such that $\gcd(m_A, N) = 1$ that she will keep to

4. Bob does the same thing, he chooses a secret integer $m_B$ and sends $m_B m_A M$ back to Alice.

5. Alice computes $m_A^{-1} \in \mathbb{Z}/N\mathbb{Z}$ and sends $m_A^{-1} m_B m_A M = m_B M$ back to Bob. [b]

6. Finally, Bob calculates $m_B^{-1}$ and decrypts the message.

[a] See the appendix for a method by Koblitz.

[b] This turns out to be a computationally easy problem.

The example above can be intuitively understood by imagining the message being kept in a box that can be locked. Alice puts her lock on the box and sends it to Bob. Bob then puts his lock on the box and sends it back. Alice receives the box and removes her lock, then sends it back again and finally Bob is able to remove his lock and open the box. Note that nowhere in this process does Eve, the person listening in, have enough information to decrypt the message (open the box). Let us take a closer look at this side of the encryption process. Eve is listening in and gathers the information $m_A M$, $m_B m_A M$, $m_B M$. Eve also knows what elliptic curve over which finite field is being used, and can calculate $N$. The problem then becomes to find $M$ when we know any of the formerly mentioned multiples of $M$. We want to find the inverse of either $m_A$ or $m_B$ without knowing $m_A$ or $m_B$ explicitly, which because of our choice of elliptic curve and finite field is a computationally infeasible problem.
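As an added example (not code from the thesis), the following implements the chord-and-tangent group law of Section 4 on a curve over a small prime field and then runs the three passes of Example 5.1 on it. The curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$, the message point and the secrets $m_A, m_B$ are constructed toy values; the point $O_E$ is represented by None, and $N = \#E(\mathbb{F}_{23})$ is found by brute force. The last function shows Eve's side of the exchange described above: with the group this small she can recover $M$ by trying every scalar, which is exactly the computation that choosing a large field is meant to make infeasible.

```python
# Added example, not code from the thesis: the chord-and-tangent group law on
# E: y^2 = x^3 + a*x + b over a prime field F_p (the point at infinity O_E is
# represented by None), the three-pass Massey-Omura exchange of Example 5.1,
# and the eavesdropper's view of it. All parameters are constructed toy values.
from math import gcd
from typing import Optional, Tuple

P_MOD = 23              # constructed: the field F_23
A_COEF, B_COEF = 1, 1   # constructed: E: y^2 = x^3 + x + 1 over F_23

Point = Optional[Tuple[int, int]]   # None stands for O_E


def is_on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def neg(pt: Point) -> Point:
    """Mirror over the x-axis: -(x, y) = (x, -y); -O_E = O_E."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p1: Point, p2: Point) -> Point:
    """P + Q: chord through P and Q (or the tangent at P when P = Q), third
    intersection point mirrored over the x-axis; O_E is the unit."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None   # vertical line: P + (-P) = O_E
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)              # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """k*P by double-and-add."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def count_points() -> int:
    """N = #E(F_p), counted by brute force (only sensible for a toy field)."""
    return 1 + sum(is_on_curve((x, y)) for x in range(P_MOD) for y in range(P_MOD))


def group_axioms_hold(p: Point, q: Point, r: Point) -> bool:
    """Spot-check commutativity, associativity, the unit and inverses."""
    return (add(p, q) == add(q, p)
            and add(add(p, q), r) == add(p, add(q, r))
            and add(p, None) == p
            and add(p, neg(p)) is None)


def massey_omura(m: Point, m_a: int, m_b: int) -> Tuple[Point, Point, Point, Point]:
    """Steps 3-6 of Example 5.1: returns the three transmitted points and what
    Bob finally recovers (which must equal m)."""
    n = count_points()
    assert gcd(m_a, n) == 1 and gcd(m_b, n) == 1, "secrets must be units mod N"
    c1 = mul(m_a, m)                       # Alice -> Bob:  m_A M
    c2 = mul(m_b, c1)                      # Bob -> Alice:  m_B m_A M
    c3 = mul(pow(m_a, -1, n), c2)          # Alice -> Bob:  m_A^{-1} m_B m_A M = m_B M
    recovered = mul(pow(m_b, -1, n), c3)   # Bob:           m_B^{-1} m_B M = M
    return c1, c2, c3, recovered


def eve_brute_force(n: int, c1: Point, c2: Point, c3: Point) -> Point:
    """Eve's problem: from m_A M, m_B m_A M and m_B M recover M. On a toy curve
    she can try every scalar k with k*c1 == c2 (the discrete logarithm) and
    then strip Bob's lock; a large N is what makes this scan infeasible."""
    for k in range(1, n):
        if gcd(k, n) == 1 and mul(k, c1) == c2:
            return mul(pow(k, -1, n), c3)
    return None


if __name__ == "__main__":
    n = count_points()
    message = (3, 10)   # constructed message point on E
    c1, c2, c3, got = massey_omura(message, 5, 9)
    print(f"#E(F_{P_MOD}) = {n}; transmitted {c1}, {c2}, {c3}; Bob recovers {got}")
    print("Eve, scanning all", n, "scalars, recovers", eve_brute_force(n, c1, c2, c3))
```

Running the file prints the three transmitted points and shows both Bob and Eve ending with the message point: the exchange is correct, and on a 28-element group the discrete logarithm costs Eve at most 28 scalar multiplications. The same code with a cryptographically sized field would leave Bob's step unchanged while making Eve's scan hopeless, which is the point of the field choice in step 1.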

5.2 Why Elliptic Curves?

One might have noticed that the discrete logarithm problem is not exclusive to elliptic curves. In fact, it is a general problem that occurs in any group. Likewise the example above does not require our chosen group to be an elliptic curve. In fact, one can replace the elliptic curve with one’s favorite group G and the example still works (although a different method for representing one’s message as an element g ∈ G will have to be conceived of). In conclusion, cryptography works with or without elliptic curves, so why bother with elliptic curves?

The reason is efficiency. In an ideal world where storage space and transmission and calculation times are not an issue, one could take any group and simply increase the encryption key in size until the desired level of security is achieved. In the real world however, storage space and transmission and calculation times are an issue. For example, you do not want to have to wait long every time you use your bank card to pay at a store. Speed is an issue, and therefore calculation times should be minimized and security optimized simultaneously. ECC (Elliptic curve cryptography) is the cutting edge in this respect. A key size of 313 bits in an ECC scheme provides the same level of security as a 4096-bit RSA [1] key would. That is, elliptic curves provide the same security while being over ten times more compact. However, there are also disadvantages. The above is in the context of conventional computer systems and the advance of quantum computing has laid bare a vulnerability in ECC. It has been shown that although ECC is more secure than RSA in protecting against conventional attacks it is less secure in the quantum setting.

“The work of Proos and Zalka show how a quantum computer for breaking 2048-bit RSA requires roughly 4096 qubits, while a quantum computer to break the equivalently secure 224-bit Elliptic Curve Cryptography requires between 1300 and 1600 qubits.” [2]

The combination of less security in a quantum setting, the financial costs of adapting to a new system of encryption and the discomfort of having to understand this new system for engineers may be what has held back the use of ECC as a viable alternative for RSA and other conventional cryptography systems.

[1] First letters of the names Rivest, Shamir and Adleman, 1978. Data from the book Elliptic Curves in Cryptography.


6 Conclusion

Our goal for this paper was to provide a more natural definition of the group law on elliptic curves than the widely used geometric one. For this the Riemann-Roch theorem is vital and so a first objective was to understand this theorem, and the plethora of definitions that precede it. Once we had a basic understanding of this theorem and we achieved a better understanding of the inner workings of algebraic curves, we could restrict our curves to the very specific case of the elliptic curve, which we defined as a non-singular curve with at least one point defined over the underlying field. In this case something peculiar happened. The Riemann-Roch spaces that belonged to the points $O_E, 2O_E, \dots, 5O_E$ could all be described by adding powers of some symbol $x$ or $y$, but the Riemann-Roch space belonging to $6O_E$ revealed a linear relation between the symbols $x, x^2, x^3, xy, x^2y, y, y^2$, from which we retrieve the definition of an elliptic curve as the set of solutions to some equation of the form $y^2 = x^3 + px + q$. A nice bonus as well is that the point $O_E$ naturally functions as the unit for our group, so we need not add any formal points to make our group law work. The group law itself could then be recovered from the group law on the class group, and the bijection of sets that is $P \mapsto [P - O_E]$. This provides a much more satisfactory definition of the group law on


Popular Summary

The easiest way to introduce oneself to elliptic curves is through a picture. Consider the curve of the equation y2 = x3− x (figure 6.1(a)). What is special about this curve is that it is also a group, meaning we can ‘add two points on the curve together’ through what is called the ‘group law’. The way this works is as illustrated in figure 6.1(b). If we want to add two points P and Q on our curve together, we find P + Q by drawing a line through P and Q, and flipping the third point that intersects this line over the x-axis.

Figure 6.1: elliptic curves. (a) the curve $y^2 = x^3 - x$; (b) the group law: the line through $P$ and $Q$, its third intersection point with the curve, and the mirrored point $P + Q$.

This works because through ‘Bezout’s Theorem’ we know that two curves intersect each other exactly as many times as is the product of their degrees. In this case, the degree of a line is one and the degree of our elliptic curve is three, so there should always be three points on our line. Now some details have been omitted. For example, think about how one would add a point to itself. That is, where is $P + P$? A group also needs a unit element. That is, an element $O_E$ such that $P + O_E = P$. Where could we find this element? [1]

Although this group law is very interesting in itself, no mathematician would call this elegant. However, the group law arises naturally in a much more beautiful way through the Riemann-Roch theorem. Exactly how this happens is shown in this paper.


Bibliography

Joseph H. Silverman, John Tate, Rational Points on Elliptic Curves, Springer-Verlag, New York, 1992

Joseph H. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, New York, 2009

R. Hartshorne, Algebraic Geometry, Springer-Verlag, New York, 1977

John Proos, Christof Zalka, Shor’s discrete logarithm quantum algorithm for elliptic curves, https://arxiv.org/abs/quant-ph/0301141

Lawrence C. Washington, Elliptic Curves: Number Theory and Cryptography, CRC Press, 2003


Appendix

Theorem 6.1 (Bezout’s Theorem). Let $C_1$ and $C_2$ be algebraic curves with no common components. Then
$$\sum_{P \in C_1 \cap C_2} I(C_1 \cap C_2, P) = \deg C_1 \cdot \deg C_2$$
where $I$ is the intersection index.

Proof. A proof can be found in the book Algebraic Geometry by R. Hartshorne (See bibliography), section I, 7.8.
