Elliptic Curves and the Probability of Prime Torsion Zoe Daunt Northeastern University Saturday, January 23rd, 2021 NCUWM: Brought to you by Elliptic Curves Zoe Daunt Northeastern University Saturday, January 23rd, 2021 Projective Spaces Let k be an algebraically closed field. Definition: For n 2 Z; ≥ 0, we define projective n-space as the quotient of kn+1 − f0g by the equivalence relation ∼ , where a ∼ b () 9λ 2 kx such that b = λa n+1 n Notation: Let q : k − f0g ! P be the quotient map which n+1 takes (a0; :::; an) in k − f0g to (a0 : ::: : an) Examples: 0 1 i. P = (k − f0g)= ∼= f(1)g, a 1-point set 1 2 ii. P = f(a0; a1) 2 k :(a0; a1) 6= (0; 0)g= ∼= f(a : 1): a 2 1 kg t f(1 : 0)g = A t f1g n iii. P = f(a0 : ::: : an−1 : 1): a0; :::; an−1 2 kg t f(a0 : ::: : an−1 : n n n−1 0): 0 6= (a0; :::; an−1 2 k g = A t P Projective Spaces 1 1 P = f(a : 1): a 2 kg t f(1 : 0)g = A t f1g 1 1 P = A t f1g Projective Space The Projective Plane is the set of triples [a0; a1; a2] with a0; a1; a2 not all zero with the following equivalence relation ∼: 0 0 0 0 0 0 [a0; a1; a2] ∼ [a0; a1; a2] if a0 = λa0; a1 = λa1; a2 = λa2 for some λ 6= 0. 2 2 Algebraic definition of P Geometric definition of P f[a0;a1;a2]:a0;a1;a2 not all zerog 2 1 ∼ $ A [ P 8 a0 a1 2 <( ; ) 2 A if a2 6= 0 [a0; a1; a2] ! a2 a2 1 :[a0; a1] 2 P if a2 = 0 2 [x,y,1] (x,y) 2 A 1 [A; B; 0] [A; B]2 P Joseph H. Silverman, John T. Tate, Rational Points on Elliptic Curves, Springer, 2015. Projective Spaces 2 2 1 P = A t P , which is our line at 1 Plane Cubics and Elliptic Curves 2 A cubic plane curve in the projective plane P (k) is defined by the set of solutions to the following equation ax3 + bx2y + cxy 2 + dy 3 + ex2 + fxy + gy 2 + hx + iy + j = 0 where a, b, c,..., i, and j 2 k An elliptic curve E has the form E : y 2 = x3 + Ax + B with A; B 2 k An elliptic curve is a smooth projective curve of genus 1 with a distinguished point. Elliptic Curves If a curve E is of the form E : F (x; y) = 0 It’s rational points are denoted by E(Fp) = f(x; y): x; y 2 Fp and F (x; y) = 0g Examples From Bezout’s theorem, every line in the projective plane intersects an elliptic curve in three points, counting multiplicity. Group Law on Elliptic Curves I Identity: the point (0 : 1 : 0) at infinity I Inverse: the inverse of point P = (x : y : z) is the point −P = (x : −y : z) I Commutativity: A + B = B + A I Associativity: A + (B + C) = (A + B) + C Isogenies An isogeny φ : E1 ! E2 of elliptic curves defined over k is a non-constant rational map that sends the distinguished point of E1 to the distinguished point of E2. Examples 1. The negation map φ1:P ! -P, where (x : y : z) 7! (x : -y : z) 2. The multiplication-by-n map, [n]: E ! E P 7! n · P 3. The frobenius endomorphism: Let Fp be a finite field of prime order p, the Frobenius endomorphism π : Fp ! Fp is the map x 7! xp Structure of Torsion Subgroups Let E=k be an elliptic curve of characteristic p > 0, p prime. E[n] is the n-torsion subgroup of E consisting of all points P in E(k) such that nP = 0, i.e. the kernel of [n]. E[n] = fP 2 E(k): nP = 0g E(k)[n] = fP 2 E(k): nP = 0g Probability of `-torsion Goal: Determine the probability that a random elliptic curve E=Fp has an Fp point of prime order `, where p is either a fixed prime much larger than `, or a prime varying over some large interval. Probability of `-torsion Goal: Determine the probability that a random elliptic curve E=Fp has an Fp point of prime order `, where p is either a fixed prime much larger than `, or a prime varying over some large interval. I "Random Elliptic Curve E=Fp": Random A and B for y 2 = x3 + Ax + B I An Fp-point is a point on E=Fp with coordinates in Fp I An Fp point, say P, of order ` is an `-torsion point (` · P = 0) with coordinates in Fp. Probability of `-torsion: STEP 3 For a fixed p, we need to consider two cases: when p ≡ 1 mod` and when p 6≡ 1 mod`. From part a, we know that there are 2 `(` − 1) matrices in GL2(F`) with determinant p mod`. For p ≡ 1 mod`, There are `2 possibilities, and thus `2 Prfixed≡1 = `(`2−1) For p 6≡ 1 mod`, There are `2 + ` possibilities, and thus `2+l Prfixed6≡1 = `(`2−1) Probability of `-torsion: STEP 3 For varying p, we use the probabilities we just found for fixed p and incorporate the probabilities of the occurrence of each p mod`. We assumed each value of p mod` occurs equally often, so the probability that p ≡ 1 mod` is 1 Pr(p ≡ 1) = `−1 And the probability that p 6≡ 1 mod` is `−2 Pr(p 6≡ 1) = `−1 Therefore our total probability of `-torsion for varying p is `2 1 `2+l `−2 Pr(`-torsion) = `(`2−1) ∗ ( `−1 ) + `(`2−1) ∗ ( `−1 ) Probability of `-torsion: STEP 3 Combinatorial Formula `2 1 `2+l `−2 `2−2 f (`) = `(`2−1) ∗ ( `−1 ) + `(`2−1) ∗ ( `−1 ) = `3−`2−`+1 7 f (3) = 16 23 f (5) = 96 47 f (7) = 288 Sage Script Public Key Cryptography Probability of `-torsion: Applications ***Public Key Cryptography*** The Discrete Logarithm Problem: Let G be a group and let g 2 G be an element of finite order n. Given a power h of g, the discrete logarithm problem is to find an exponent x 2 Z=(n) with g x = h. Probability of `-torsion: Applications The Elliptic Curve Discrete Logarithm Problem: Let E be an elliptic curve defined over Fp. Given P; Q 2 E(Fp), find an integer x such that xP = Q. Probability of `-torsion: Applications.