Contents A Number theory and algebraic geometry

2

B Elliptic curves

2

1 Rational points on elliptic curves (Mordell’s Theorem)

5

2 Fermat’s Last Theorem and Frey curves

5

3 Elliptic functions and elliptic curves over C

5

4 Moduli space of elliptic curves over C

6

5 Modular forms

7

6 Elliptic curve cryptography

7

The following two problems can be seen as motivation to study elliptic curves. Are there 3 consecutive integers/rationals whose product is a perfect square? Are there 3 integers/rationals differing by 5, whose product is a perfect square?

Points in C1 = {(x, y) ∈ Q2 : y 2 = x(x + 1)(x + 2)}

3 (0, 0), (−1, 0), (−2, 0)

and 2

2

C2 = {(x, y) ∈ Q : y = x(x + 5)(x + 10)}

3 (0, 0), (−5, 0), (−10, 0)

Answer: C1 contains no further points. C2 contains infinitely many!

In how many ways can n > 0 be written as the sum of four squares?

The function f (z) =

X

r4 (n)e2πinz

n≥1 4

where r4 (n) = #{(a, b, c, d) ∈ Z : n = a4 + b4 + c4 + d4 }, is a modular form of weight 2 for Γ0 (4). Answer: r4 (n) equals the n-th coefficient of the Fourier expansion of f (z).

1

A

Number theory and algebraic geometry

We start by introducing some necessary concepts in number theory and algebraic geometry. Throughout the course K will denote a field (usually K = Q, R, C, Fp or Fpk ) and K[x1 , . . . , xn ] the polynomial ring in n variables over K. Assume that a collection of polynomials f1 , . . . , fm ∈ K[x1 , . . . , xn ] generates an ideal I ⊂ K[x1 , . . . , xn ]. An algebraic set is a set of the form VI := {(a1 , . . . , an ) ∈ K n : f1 (a1 , . . . , an ) = . . . = fm (a1 , . . . , an ) = 0} . An algebraic set is an algebraic variety if I is a prime ideal, that is if whenever f · g ∈ I for some f, g ∈ K[x1 , . . . , xn ], then either f ∈ I or g ∈ I. If K ⊂ L is a field extension and E = VI for some ideal I ⊂ K[x1 , . . . , xn ], we write E(L) = {(a1 , . . . , an ) ∈ Ln : f (a1 , . . . , an ) = 0 , ∀f ∈ I}. Note that E(K) ⊂ E(L). Example: V(f ) for f (x, y) = y 2 − x(x + 1)(x + 2) ∈ Q[x, y] is an algebraic variety V(g) for g(x, y) = y 2 − x(x + 5)(x + 10) ∈ Q[x, y] is an algebraic variety V(h) for h(x, y) = xy is an algebraic set but not an algebraic variety

Figure 1: V(f ) and V(h) seen as curves over R. Let I be a prime ideal and V = VI . We denote by K[V ] = K[x1 , . . . , xn ]/I the coordinate ring of V and by K(V ) its fraction field. The dimension dim(V ) of V is defined as the transcendence degree of K(V ) over K. We are interested in smooth algebraic varieties, that is varieties V(f1 ,...,fm ) such that the matrix (∂fi /∂xj (P )) has rank n − dim(V ) for every P ∈ V (see Figure 2).

B

Elliptic curves

Let K be a field of characteristic char K 6= 2, 3. An elliptic curve over K is a smooth cubic curve E (that is, a smooth curve given by a polynomial f (x, y) ∈ K[x, y] of degree 3), with at least a K-rational point (that is, a point with coordinates x, y ∈ K). Note that this point may be a point at infinity. By a change of coordinates, one can always assume that E is given by an equation E :

y 2 = x3 + Ax + B ,

2

A, B ∈ K ,

(1)

Figure 2: Two non-smooth curves. called the Weierstraß form of E. The algebraic curve given by such an equation is smooth if and only if its discriminant ∆E = −16(4A3 + 27B 2 ) is not zero in K. Whenever K is algebraically closed, one can also write E in Legendre normal form (this will be relevant when we study elliptic curves over C): E :

y 2 = x(x − 1)(x − λ) ,

λ∈K.

Figure 3: The elliptic curve y 2 = x3 − 3x + 3 over the fields C, R and F101 . Let E(K) be an elliptic curve over K in Weierstraß form as in equation (1). By adding a point O at infinity (equivalently, by considering E(K) as the affine part of a projective curve) one can define a group structure on E(K) in a geometric way. Let P, Q ∈ E(K) and consider the line ` through these two points (if Q = P , then ` is the tangent line to E(K) at P ). Note that, if P = (xP , yP ) and Q = (xQ , yQ ) are different, then ` is given by y − yP =

yQ − yP (x − xP ) , xQ − xP

(2)

which is a linear equation on (x, y) with coefficients in K. Therefore there exists a third point of intersection R0 of E(K) and ` with coordinates in K. In fact, plugging the value of y from (2) into the equation (1) of the elliptic curve, we get a polynomial of degree 3 in x. Since we already know two roots of this polynomial, namely x = xP and x = xQ , we can divide by (x − xP )(x − xQ ) and find a third solution xR0 . Substituting now x = xR0 into (2) gives us y = yR0 . We then define the sum of P and Q as P ⊕ Q = R := (xR0 , −yR0 ), that is the reflection of R0 along the real line y = 0 (see Figure 4 for a graphic version). One potential problem arises if we try to add the points P = (xP , yP ) and (xP , −yP ). Then the line ` passing through them is x = xP and it does not intersect E in further points. 3

Figure 4: The sum operation on E : y 2 = x3 − 10x + 4 for E(R) and E(F19 ). We denote (xP , −yP ) by P and in this case we define the sum P ⊕ ( P ) as the point O at infinity. It turns out that the operation thus defined turns (E(K), ⊕) into an abelian group, with O as neutral element and inverse given by P 7→ P . Whenever it is clear, we will use the signs + and − instead of ⊕ and . Similarly, for any P ∈ E(K) and n ∈ N we will write n

nP = P + .^ . . +P . Note that there can be torsion (or finite order ) points, that is points P ∈ E for which there exists n ∈ N such that nP = O (see Figure 5).

Figure 5: The point P = (2, 3) on E : y 2 = x3 + 1 has order 6, that is 6P = P + 5P = O.

4

1

Rational points on elliptic curves (Mordell’s Theorem)

The study of the structure of the group of rational points E(Q) of an elliptic curve is one of the main objectives of the subject. The principal result in this directions is given by Mordell’s Theorem. Theorem (Mordell, 1922). The group E(Q) is a finitely generated abelian group, that is there exist P1 , . . . , Pn ∈ E(Q) such that for each Q ∈ E(Q) Q = a1 P1 + . . . + an Pn , In particular we can write

for some ai ∈ Z.

E(Q) ∼ = E(Q)tor ⊕ ZrE ,

where E(Q)tor is the torsion part and rE ∈ N is called the rank of E. The proof of this fact uses some properties of the height function H : E(Q) → Q, (x, y) 7→ max{|x|, |y|}, and a key lemma (often called weak Mordell ) stating that E(Q)/2E(Q) is finite. Mordell’s Theorem can be generalized to elliptic curves E(K) (and even abelian varieties A(K)) over number fields K (Mordell-Weil Theorem).

2

Fermat’s Last Theorem and Frey curves

Fermat first formulated (without proof) his famous Last Theorem in 1637, in the margin of a copy of the “Arithmetica” of Diophantus. Theorem (Wiles, 1994). Let n ≥ 3. There exists no three positive integers a, b, c > 0 such that an + bn = cn . The conjecture remained unproved until 1994, when Andrew Wiles proved a special case of the modularity theorem (Taniyama-Shimura-Weil conjecture) that implied Fermat’s Last Theorem. The relationship between the Theorem and elliptic curves goes as follows. First, it is easy to prove that it is enough to prove the Theorem for n = 4 and n = p odd prime (the case n = 4 was actually already proved by Fermat). Now, given a solution (a, b, c) of Fermat’s equation ap + bp = cp we could construct the Frey elliptic curve Ea,b,c : y 2 = x(x − ap )(x + bp ) . Therefore, proving Fermat’s Last Theorem amounts to showing that no such curve can exist. In 1984, Gerhard Frey stated that this curve could not be modular, a fact finally proved later by Serre and Ribet. This would contradict the Taniyama-Shimura-Weil conjecture, which claimed that every elliptic curve over Q is modular, and therefore a proof of this conjecture would make impossible the existence of such a curve, implying in particular Fermat’s Last Theorem.

3

Elliptic functions and elliptic curves over C

Given two (non-real multiples of each other) complex numbers ω1 , ω2 ∈ C× , an elliptic function relative to the periods (ω1 , ω2 ) is a meromorphic function f : C → C ∪ {∞} such that f (z + ω1 ) = f (z) = f (z + ω2 ) for all z ∈ C. Note that this implies that the function f is well defined on C/Λ, where Λ = hω1 , ω2 iZ is the lattice (Z-module) generated by ω1 and ω2 5

in C (see Figure 6). It is also immediate that the derivative f 0 (z) of an elliptic function is again an elliptic function for the same periods and that the set of elliptic functions for given periods forms a field.

Figure 6: Lattice generated by ω1 = 3 + i and ω2 = 2 + 4i. Elliptic functions take the same values at z and at its translates z + aω1 + bω2 , for a, b ∈ Z. For any choice of periods (ω1 , ω2 ) one can explicitly write down an elliptic function ℘(z) called the Weierstraß elliptic function. This function has the two remarkable properties that it satisfies the first-order differential equation ℘0 (z) = 4℘3 (z) − g2 ℘(z) − g3 , for complex numbers g2 := g2 (Λ), g2 := g3 (Λ) depending on Λ, and that the field C (℘, ℘0 ) is precisely the field of elliptic functions relative to the periods (ω1 , ω2 ). One can then create a morphism C/Λ z

→ E(C) : y 2 = 4x3 − g2 x − g3 7→ (℘(z), ℘0 (z))

which turns out to be an isomorphism. In particular, this allows us to see the complex elliptic curve E(C) = {(x, y) ∈ C2 : y 2 = 4x3 − g2 x − g3 } as a torus C/Λ. Conversely, for every complex elliptic curve E one can make a change of coordinates so that E : y 2 = 4x3 − Ax − B, for some A, B ∈ C, and find a lattice Λ = hω1 , ω2 iZ satisfying A = g2 (Λ) and B = g3 (Λ) so that, in particular, E ∼ = C/Λ.

4

Moduli space of elliptic curves over C

The next plan is to consider the space M1,1 of all (isomorphism classes of) elliptic curves over C and give it some structure. To each elliptic curve E one can associate the corresponding lattice Λ ⊂ C which, after rotating and rescaling, can be assumed to be generated by elements Λ = h1, τ iZ , for some τ ∈ H := {z ∈ C : Im z > 0}. However this choice is not unique. The group SL(2, Z) of 2 × 2 integral matrices with determinant 1 acts naturally on the upper half-space H by M¨ obius transformations az + b a b , for γ = ∈ SL(2, Z) , γ(z) = c d cz + d and two lattices Λ = h1, τ iZ and Λ0 = h1, τ 0 iZ turn out to define isomorphic elliptic curves if and only if τ and τ 0 are related by an element γ of SL(2, Z), that is τ 0 = γ(τ ).

6

In particular, one can identify the space M1,1 with the quotient space Y (1) = H/ SL(2, Z). This space, which is called the modular curve, can be seen topologically as a sphere without one point via the j-invariant, a function j : H → C invariant under the action of SL(2, Z). The modular group SL(2, Z) is a very important group in number theory. It can be generated by the two matrices 1 1 0 −1 T = and S = . 0 1 1 0

5

Modular forms

As we saw in the previous talk, the space H/ SL(2, Z) parametrises all possible elliptic curves over C. Modular forms (and modular functions) are functions in H which are almost well defined on the quotient. More precisely, let k ∈ Z be an integer. A modular form of weight k (for SL(2, Z)) is a holomorphic function f : H → C which is bounded at infinity and such that f (z + 1) = f (z) and f (−1/z) = z k f (z). Note that T (z) = z + 1 and S(z) = −1/z. In particular, the second condition implies that a b k f (γ(z)) = (cz + d) f (z) , for all γ = ∈ SL(2, Z) . c d It is easy to see that non-zero modular forms have necessarily even weight 2k. Among them, Eisenstein series G2k are especially important. They are defined by the following formula X 1 . G2k (z) = (mz + n)2k m,n∈Z (m,n)6=(0,0)

The vector space M2kLof modular forms of weight 2k turns out to be finite dimensional. ∞ In fact, the graded ring k=0 M2k is generated by G4 and G6 .

6

Elliptic curve cryptography

Elliptic curve cryptography is a public-key cryptographic system that uses the group structure of elliptic curves over finite fields. Public-key cryptography is based on the use of two keys: a public key which is known to everyone, and a private key which is known only to the owner. The encoding uses functions whose inverse is hard to compute unless the private key is known. Usually, the stability of the system relies on two factors: the unsolvability of the inverse problem and the secure interchange of private keys through unsafe channels. An example of a hard-to-invert function is the exponential function in finite fields. Given a finite field Fq , its (multiplicative) group of units F× q is known to be a cyclic group, hence generated by an element g: 0 2 q−2 F× }. q = {1 = g , g, g , . . . , g × Now, fixed a generator g of F× q and given an element h ∈ Fq , the discrete logarithm problem x is the problem of finding an exponent x ∈ Z such that g = h. The hardness of the discrete logarithm problem can be used to create a cryptographic system. This problem uses only the abelian structure of the group F× q . One can therefore generalise it to any abelian group, such as an elliptic curve E(Fq ) over a finite field: for a fixed point P ∈ E of large (prime) order p and a given point Q ∈ E, the discrete logarithm problem is the problem of finding (if there exists) a coefficient m ∈ Z such that mP = Q ∈ E.

7