Elliptic Curves: Facts,Conjectures and Applications

Gerhard FreyInstitute for Experimental Mathematics

University of Essene-mail: frey@iem.uni-due.de

ECC 2010Seattle

1

1 Prelude

Problems:

1. Kronecker’s Dream:Let K be a field. Construct all abelianextensions in an explicit way!

2. Number Theorist’s Challenge:Decide whether a number is a prime, ifnot, find prime factors, and do it quick-ly!

3. Diffie-Hellman’s Demand:Find a large finite group with fast ad-dition and hard Discrete Logarithm!

2

PART I. The Time before ECC

2 A Little History of Great Ideas,before 1985

• about 9×25 years ago C.F. Gauß startshis career and, during the next 10 years

– makes experiments and discovers theprime number theorem

– studies theoretically and practical-ly elliptic curves and functions (keyword: lemniscate) in the special caseof the arc length on the lemniscate

r2 = cos(2ϕ)

as elliptic integral∫ w

0

1√1 − r4

dr,

– defines and computes AGM.3

– defines the “INDEX” of elements infinite fields (we say today: DL)

– begins with the theory of functionfields over finite fields and states thefirst non-trivial example for the “Rie-mann hypothesis” ( nearly forgottenChapter VII of Disquisitiones Arith-meticae)

and does many other things, too.

• about 7 × 25 years ago C.G. Jacobicomputes tables for indices for numbers≤ 100 and primes < 1000

• about 5 × 25 years ago Kronecker hada Jugendtraum: realize abelian exten-sions of number fields by special valuesof transcendental functions and

4

• Frobenius proved a predecessor (densi-ty of primes with given decompositiontype) of Cebotarev’s density theorem(proved 1922)

• about 4×25 years ago Weber publishedthe third volume of ALGEBRA

5

• about 3 × 25 years ago

– E.Noether studied Pic(O), develo-ped ideal theory (commutative al-gebra) and her student Grete Herr-mann developed effective (computa-tional) ideal theory (theoretically)

– Deuring and Hasse studied ellipticcurves over finite fields and relationswith classical theory (CM-theory).As result Hasse proved the Riemannhypothesis for elliptic curves over fi-nite fields. This was “the begin ofMODERN ARITHMETIC GEOME-TRY”

6

– 2 × 25 years ago: kind of explosion!

– Grothendieck’s monumental work onArithmetic Geometry and in parti-cular about Galois Theory: Schemes,Fundamental groups, etale and rigidcohomology, motives, relation withL-functions....Collection: Dix Exposes sur la co-homologie des schemas

– Tate: Duality theorems

– Neron-Tate: Heights on abelian va-rieties

– Eichler-Shimura congruence Relati-on between modular forms, Galoisrepresentations (Eichler-Shimura con-gruence emerging) and elliptic cur-ves (abelian varieties)

7

• Birch and Swinnerton-Dyer: using theinsights from above, and massive com-puting with EDSAC computer state BSDfor elliptic curves ( Crelle’s Journal 1963,1965)which turned out to be amongst themost seminal mathematical publicati-ons of all times.More conjectures emerged, all relyingon the interplay of Galois Theory andanalytic L-series:

• Tate-Sato ConjectureAs precision, and a little later:

• The Lang-Trotter conjecture (1976)

Things culminated in the 70’s (we are lea-ving our 25-years slots).A high point was the Conference on Mo-dular Forms in Antwerp 1972.From now on arithmetic of modular forms,of Galois representations and of varietiesover global fields interacted strongly.

8

For example: Around this time the Con-jecture of Serre was stated in a vague form:Two dimensional odd representations overfinite fields are attached to modular forms.This conjecture generalizes the Taniyama-Shimura conjecture enormously.

9

A golden age of arithmetic geome-try could begin.

3 The Geometric Players

We want to come nearer to the tasks inthe prelude by using arithmetic pro-perties of geometric objects .We begin with the easiest geometric ob-jects: rational curves, i.e. curves that are(maybe after a finite field) isomorphic tothe projective line minus some points.

10

4 Plane Cubic Curves of Genus 0:P1 with Holes

4.1 The Additive Group as Cubic

Y 2Z = X3.

is a plane projective curve with one singu-lar point (0, 0, 1) which is a cusp.

t 7→ (t−3, t−2, 1); t 6= 0; 0 7→ (0, 1, 0)

0 7→ (0, 1, 0)

is an isomorphism from Ga to Erega .

Exercise: Describe +!11

4.2 The Multiplicative Group as Cu-bic

Take

Em : Y 2Z + XY Z = X3,

a cubic with one node.

By

u 7→ (u

(1 − u)2,

u2

(1 − u)3) for u 6= 1; 1 7→ (0, 1, 0)

we get an isomorphism from Gm to Eregm .

Again: Describe multiplication geometri-cally!

12

4.3 Applications of Gm

The Jugendtraum became true over Q.

Theorem 1 (Kronecker-Weber)

Qab = Q(Gm(Qs)tor)

and hence is generated by values of exp.

Characters of GQ were studied successful-ly.One spectacular result:Kummer: Fermat’s Last Theorem is truefor regular primes (but there are infinitelymany non-regular primes).

13

Prime number tests as well as algorithmsfor factoring numbers were developed (using(Z/p)∗) but they are not as effective as de-sirable,and the computation of discrete logarithmsby index-calculus methods goes back atleast to 1922.Reasons for “Failure”:

• Using P one finds (essentially) only Ga

(which is good for Artin-Schreier-theoryin characteristic p > 0) and Gm asalgebraic-geometric objects.

• There are “too many” points on Gm,Q∗ is not finitely generated and con-tains free subgroups of large rank(“smooth”numbers).

14

5 Elliptic Curves

5.1 A Small Deformation Changesthe World

We change the projective curves definingGa and Gm a little bit:

Y 2Z = X3

7→Y 2Z = X3 + Z3

15

andY 2Z + XY Z = X3

7→Y 2Z + XY Z = X3 + Z3

The singular points have vanished. Theresult is a plane regular projective cubicE.We still can look at the geometric additionlaws

16

17

We note

• Composition makes sense for all pairsof points on the deformed curves.

• It is not difficult to give formulas forthe composition.

Fact: E is a connected projective al-gebraic group of dimension 1.

Definition 5.1 An elliptic curve E overa field K is a projective absolutely ir-reducible group scheme of dimension 1defined over K, i.e. E is an abelian va-riety of dimension 1 over K.

18

There are two big and obvious differencesto the cubics with singular points:Elliptic curves are projective and hencecompact (in many senses), and there are“many” non-isomorphic elliptic curves.In fact, the isomorphy class of E is, overKs, determined by an element jE ∈ K,the absolute invariant, and for every j ∈K there is an E with jE = j.Over K one needs in addition a (usual-ly quadratic) character to determine theclass of E. Every elliptic curve E can begiven as plane cubic with Weierstraß equa-tion

Y Z + a1XY Z + a3Y Z2 =

X3 + a2X2Z + a4XZ2 + a6Z

3.

If char(K) 6= 2 we can assume that a1 =0 = a3.If char(K) prime to 6 we can assume inaddition that a2 = 0.

19

We get the short Weierstraß form

Y 2Z = X3 + AXZ2 + BZ3.

Conversely

Y Z + a1XY Z + a3Y Z2 =

X3 + a2X2Z + a4XZ2 + a6Z

3

defines an elliptic curve iff it has no singu-lar points, i.e. there is no point on the cur-ve (over the separable closure Ks of K) atwhich all partial derivatives vanish simul-taneously, i.e. the discriminant ∆E 6= 0.If ∆E = 0 then the corresponding curveis (possibly after a quadratic extension ofK) projectively isomorphic to Ga or Gm.

20

5.2 Addition Laws

Following the geometric picture above (andusing Riemann-Roch theorem) it is an ea-sy Exercise to write down ADDITIONFORMULAS!

Remark 5.1 We emphasize that the pre-sentation of elliptic curves by Weier-straß equations is only one of many pos-sibilities. It may be of theoretical or prac-tical importance to choose other presen-tations, such as

• intersections of two quadrics in P3

• Legendre normal form (needed: ra-tionality of points of order 2)

• Hessian form (rationality conditi-on for flex points)

• quartic plane projective curve withrational singularity: “Edwards Cur-ves”.

21

5.3 Torsion Structures

0 ≥ p = char(K) 6= ℓ ∈ P. K a fieldwith separable closure Ks, absolute Galoisgroup GK and algebraic closure K.

Definition 5.2 For n ∈ N define thegroup scheme of n-torsion points of Eby

E[n] = P ∈ E(K); n·P = O = ker(n·idE).

Facts 1 • If n = ps then E[ps] = (Z/ps)δ

with δ ∈ 0, 1.δ = 0: E supersingular, else ordinary.

• If n is prime to p then E[n] ⊂ E(Ks)and, as abelian group, E[n] is iso-morphic to Z/n × Z/n.

• For gcd(n, p) = 1 E[n] induces a 2-dimensional Galois representation ρE,nover the ring Z/n.

22

•Tℓ(E) := proj − limk∈NE[lk]

is the ℓ-adic Tate module of E.It is a free Zℓ-module of rank 2.GK acts on Tℓ(E) continuously withrespect to the pro finite topology andinduces the 2-dimensional ℓ-adic re-presentation ρE,ℓ. In a highbrow lan-guage: Tℓ(E) is the first ℓ-adic etalecohomology group of E and ρE,ℓ isthe attached ℓ-adic representation.

• Let EndK(E) be the ring of endo-morpisms of E, and EndK(E)0 :=EndK(E)

⊗

Q.EndK(E)0 is a skew field (since E isa simple abelian variety) and by theaction on Tℓ(E), it is embedded intoM (2, Qℓ).Hence it is either equal to Q or is aquadratic field or a quaternion field.

23

5.3.1 Comparison with Rational Cur-ves

For n prime to p then Gm[n] = µn =<ζn > is isomorphic as abelian group toZ/n. with ζn a primitive root of unity oforder n.GK acts on µn and induces a one-dimensionrepresentation, the cyclotomic character:

χn : GK → Z/n∗

σ 7→ kσ

withσ(ζn) = ζkσ

n .

cyclotomic character

Theorem 2

det(ρE,n) = χn.

24

Remark 5.2 Behind the theorem is theduality of abelian varieties and, appliedto torsion points, the Weil pairing.It follows that ρE,n is odd.

25

5.4 Level Structures and ModularCurves

Definition 5.3 Take n prime to p

α : E[n]∼=→ Z/n × Z/n

is a level-n-structure of E.

The moduli problem: “Classify isomor-phy classes (E,α) of elliptic curves E withlevel n-structure α” is represented by themodular curve X(n). Interesting subco-vers:Classify elliptic curves with a fixed pointof order n: X1(n), andClassify elliptic curves with a fixed cyclicsubgroup of order n: X0(n).

26

To be more precise:The moduli problem (E,α) is representa-ble by a fine moduli space over (to avo-id complications) Z[1/n, ζn] which is themodular curve X(n). (For experts: to getan irreducible curve one has to fix the de-terminant of α, e.g. take canonical level-n-structures.)This means: For algebras R over Z[1/n, ζn]theset X(n)(R) parameterizes the pairs of el-liptic curves with level-n-structures ratio-nal over R.Gl(2, Z/n) acts as group of automorphismson X(n).

27

To get subcovers take Γ as subgroup ofGl(2, Z/n) and define a new moduli pro-blem: Classify pairs (E, orbits of Γ)!Again we get a moduli space (which maybe coarse) by taking X(n)/U .Examples:

Γ1(n) =:= (

1 b0 d

)

with b ∈ Z/n, d ∈ Z/n∗and

Γ0(n)) := (

a b0 d

)

with ad ∈ Z/n∗, b ∈ Z/n.Γ1(n), n > 2 defines to the modular cur-ve X1(n), a fine moduli space for pairs(E,P ) with P a point (section) of ordern.Γ0(n) defines X0(n) which is a coarse mo-duli space for pairs (E,Cn), Cn ⊂ E[n]cyclic of order n.

28

So elliptic curves (resp. torsion structures)are intimately related to modular forms.Modular elliptic curves are subcovers ofX0(n): “Elliptic curves create elliptic cur-ves” (Taniyama-Shimura).

29

6 Galois Representations in Arith-metical Environments

6.1 Hierarchy of Fields

The number field K carries various topo-logies induced by equivalence classes (“pla-ces”) of valuations v. These valuations ex-tend the p-adic valuations and the abso-lute value on Q.For K = Q they correspond to P∪− log(|.|).The completion of K at v is the local fieldKv.If v is an extension of a p-adic valuati-on then the ring of integers OK of K iscontained in the valuation ring Ov, the re-sidue field is Fv =: Fq.For each v we choose an extension to Ks

again denoted by v.

30

Gv consists of elements of GK acting v-continuously and can be identified withGKv

.It has a canonical quotient group, the Ga-lois group of the maximal unramified ex-tension of Kv that is canonically isomor-phic to GFq

and topologically generatedby the lift of the Frobenius automorphismφq.Via these identification one can define (con-jugacy classes of) Frobenius elements σv ∈GK .

31

6.2 Local-Global Principle for Ga-lois Representations

Let ρ be a continuous presentation of GK .Let σ be an element of GK .By

χρ(σ)(T )

we denote the characteristic polynomialof ρ(σ).Example:For k = 2

χρ(σ)(T ) = T 2−Tr(ρ(σ))T + det(ρ(σ)).

Definition 6.1 ρ is semi-simple if ρ isdetermined (up to equivalence)by χρ(σ)(T ); σ ∈ GK.

32

6.2.1 Local-Global Law for Represen-tations

There is a powerful Local-Global-principleyielded by Cebotarev’s density theorem(1922) mentioned above as landmark.

Theorem 3 If ρ is semi-simple then ρis determined by

χρ(σl)(T ); l runs over almost all places of K.

33

7 Elliptic Curves in ArithmeticalEnvironments

We are interested in elliptic curves E overglobal fields K.For simplicity we assume that K is a num-ber field, and sometimes even that K =Q. We follow the hierarchy from aboveand embed K in C and Kv.

34

7.1 Elliptic Curves over C

Projective algebraic curves over C have acanonical complex structure which makesthem to compact Riemann surfaces andvice-versa.Elliptic curves are equal to their Jacobianvariety, and so we get a parameterisation

Cφ→ E(C)

byz 7→ (℘(z), ℘′(z))

where ℘ is the suitable normalized Weier-straß ℘-function.The kernel of φ is a lattice ΛE in C. Bynormalizing we can assume that

ΛE = Z + Zτ

with Im(τ > 0.

35

τ is determined modulo the action of Sl(2, Z)on the complex upper half plane and is theperiod of E.The absolute invariant jE is the evaluati-on of the modular function j at τ .Consequences:

• E[n] = 1/nΛE/ΛE∼= Z/n × Z/n

(this proves one of the facts from abovefor all fields of characteristic 0)

• The ring of endomorphisms End(E)of E is commutative (hence this holdsover all fields of characteristic 0).

• End(E) is either Z (generic case) or anorder in an imaginary quadratic field(CM case).

• In the CM case the invariant jE is analgebraic integer.

36

7.2 Elliptic curves over Kv

Now assume that Kv is a complete withrespect to a non-archimedean valuation vwith ring of integers Ov, maximal idealmv and finite residue field Fq. We call Kv

a local field.Let Ev be an elliptic curve over Kv.We can try to imitate methods used overC in the realm of rigid geometry.A first classical result (3× 25 years old) isdue to E. Lutz and states:The group E(Kv) contains a subgroup offinite index which is isomorphic to Ov.

Corollary 1 The subgroup of torsion ele-ments in E(Kv) is finite.In particular: If K is a field of finitetype then E(K)tor is finite.

37

But one can do much better.Our knowledge about schemes (from ∼60′s) allows to extend E to a group sche-me E over Ov, and the special fiber Ev is agroup scheme over Fv, and there is a ho-momorphism, the reduction map, whichmaps E(Kv) surjectively to Ev(Fv).The kernel of the reduction map is a pro-p-group where p = char(Fv). It it containsonly torsion points of p-power order.We can do this in a best possible way toget the Neron model.We allow unramified quadratic extensionsand get :The connected component of Ev is either

1. an elliptic curve

2. Gm

3. Ga

38

In the first case we say that E has goodreduction modulo v.In the second case we say that E has mul-tiplicative reduction.In both cases we call E semi-stable atv. An important theoretical and practicalcriterion is due to Neron-Ogg-Shafarevich:

Theorem 4 E has good reduction mo-dulo v iff for all n prime to p the ad-junction of points of order n is unrami-fied.

39

7.3 Elliptic Curves over Finite Fields

Motivated by reduction theory we investi-gate elliptic curves E over finite fields Fq.Of course, E(Fq,s) consists only of torsionpoints.The Frobenius automorphism φq genera-tes GFq

topologically and hence it deter-mines ρE,ℓ.At the same time φq induces an endomor-phism of E by raising coordinates to q-thpowers.It is not very difficult to see that the cha-racteristic polynomial of this endomorphism(applied to Tate-modules of E) is the sa-me as the one of ρE,ℓ for all ℓ, and so itis a polynomial in Z[T ].

40

Definition 7.1 The characteristic po-lynomial of φq is

χq,E(T ) = T 2 − trace(φq)T + q

with trace(φq) the trace of the Frobeni-us endomorphism (taken from the acti-on on any Tate-module of E.

Corollary 2

|E(Fq)| = q + 1 − trace(φq)

The reason for this corollary is that E(Fq)is the kernel of the separable endomor-phism φq − idE.

Corollary 3 (Tate)The isogeny class of E over Fq is de-termined by trace(φq).

41

7.4 Information by Lifting

It is a very common feature of numbertheory that one tries to get informationabout global objects like solutions of equa-tions by looking tat the problem moduloprimes.Here we will see that the inverse way workssometimes,too.

42

7.4.1 From Finite Fields to Local Fields

The key ingredient is Hensel’s Lemma invarious forms.

Proposition 1 (ℓ-adic lifting)Let Kv be a local field with residue fieldFq.Let E be an elliptic curve over Fq and

E an elliptic curve over Kv whose re-duction modulo v is E. Take ℓ prime top.Then ρE,ℓ = ρE,ℓ.

This result is not totally satisfying sincethere are many curves E satisfying thecondition, and the lifting refers to the Fro-benius automorphism in the Galois groupand not to the lifting of the Frobenius en-domorphism of E.

43

But this is possible under one restriction:E is not supersingular!

7.4.2 From Finite Fields to GlobalFields: The Work of Deuring

In a beautiful paper (Die Typen der Mul-tiplikatorenringe von Elliptischen Kur-ven) M. Deuring classified the endomor-phism rings of elliptic curves over finitefields and established a bridge to curveswith complex multiplication in number fields.

Theorem 5 Let E be an elliptic curveover Fq.

• If E is supersingular then End(E)is an order in the quaternion algebrawhich is ramified exactly at p and ∞.

44

• If E/Fqis an ordinary elliptic cur-

ve then End(E) 6= Z and, given avaluation v on Qs with residue fieldof characteristic p, there is (up totwists) exactly one elliptic curve Edefined over a number field K with

End(E) = End(E)

and the reduction modulo v restric-ted to K is equal to E/Fq

.

It follows that E has complex multi-plication and so End(E) is an orderin an imaginary quadratic field.

45

Definition 7.2 E is the canonical liftof E

Corollary 4 (“Riemann Hypothesis”) LetE be an ordinary elliptic curve over Fq.Then the splitting field of χq,E(T ) =

T 2−trace(φq)T+q is imaginary quadra-tic, and hence (|E(Fq)|−q−1))2−4q =

trace(φq)2 − 4q < 0.

Hence

||E(Fq)| − q − 1)| < 2√

q.

(For supersingular E one gets the sameinequality immediately).

46

8 Elliptic Curves over Global Fields:Global meets Local

8.1 Torsion points

Let E be an elliptic curve over a numberfield. and define Kn := K(E[n])It is obvious that Kn/K is Galois withGalois group Gn ⊂ Gl(2, Z/n).From above we know that ζn ∈ Kn) andthat G(Kn)/K(ζn) ⊂ Sl(2, Z/n).We distinguish two cases:1.) End(E) is an order in Q(

√−d), d ∈

N.Kronecker’s Dream becomes true for ima-ginary quadratic fields:Q(

√−d)ab = Q(

√−d)(jE,

⋃

n E[n]).2.) End(E) = Z.

Theorem 6 (Serre)For almost all ℓ we have Gℓ = Gl(2, Z/ℓ).

47

8.2 The Group of Rational Points

From local theory follows:

• E(K)tor is finite (and easily estimatedand computed)

• For all n ∈ N the group E(K)/nE(K)is finite (consequence of Theorem ofHermite-Minkowski)

To get more we need a new ingredient: theNeron - Tate height hE. This is a positivedefinite quadratic form on E(K)

⊗

R.It is defined locally in a rather explicitway and can be computed effectively.Putting local heights together one gets theglobal height. Roughly, it is the height ofthe X-coordinate of points.Example: If K = Q and P = (a/b, y)then h(P ) ≈ log(max(|a|, |b|)).

48

Theorem 7 (Mordell-Weil)E(K) is a finitely generated Z-module,and E(K)

⊗

R is an Euclidian space.Its dimension is the rank rE of E.

Consequence:Choose an affine Weierstraß equation forE.For a given finite set S of places of K the-re are only finitely many points in E(K)with X - coordinates integral outside of S.Conjecture (Lang) The height of pointson elliptic curves over K is bounded frombelow by C · height(∆E).This is proved (Silverman) for many cur-ves.We conclude that there are no infinite sub-groups of “smooth” elements, and sets ofpoints with small height tend to be linear-ly independent.Problem: Compute rE

49

8.3 The L-series of E

Above we have seen that the characteri-stic polynomial of Frobenius elements atplaces v of K count points on Fv and de-termine the reduction of E up to isogeny.Bringing all this information together (andhaving Cebotarev in mind) we can hope toget insight into the arithmetic of E.

50

8.4 The Isogeny Theorem and Mor-dell’s Conjecture

Faltings proved: The ℓ-adic representa-tion attached to Tate-modules of abelianvarieties is semi-simple (1982). HenceE (A) is isogenous to E′ (A′) (i.e. there isa surjective morphism with finite kernel)iff for ℓ and for almost all places l ∈ ΣKthe characteristic polynomials of the Fro-benius automorphisms at l are equal.Effective variant: One can take as repre-sentation space the points of order n (forn large enough). As consequence Faltingscould prove that on curves of genus > 1there are only finitely many K-rationalpoints (Mordell’s conjecture).

51

8.5 The Conjecture of Taniyama-Hasse

One of the most fruitful principles of arith-metic geometry is the linking of Galoistheory with analytic functions.Of course the inspiring examples are theL-series of global fields, and key words areEichler-Shimura congruences and Langlands’programme.In our context we are interested in the L-series of elliptic curves and define them,for simplicity, for K = Q.

52

Definition 8.1 Let E be an elliptic cur-ve over Q with (minimal) discriminant∆E.

LE(s) :=∏

p|∆E

(1 − a−sp )−1

·∏

p prime to ∆E

(1−trace(φp)p−s+p1−s)−1

where , for p|∆E we have: ap = 0 if Ehas additive reduction, ap = 1 if p hassplit multiplicative reduction, and elseap = −1.

Conjecture 1 (Hasse (?) and Ta-niyama): LE(s) has an analytic con-tinuation to C and satisfies a functionalequation.

This was proved by Deuring for CM-curves,and by Shimura for modular elliptic cur-ves.

53

8.6 The Conjecture of Birch andSwinnerton-Dyer

The motivation of this conjecture is theanalytic formula for class numbers.Behind the formulation lie extensive com-putations (1960) and keen and ingeniousintuition.Again we formulate the conjecture onlyover Q.

Conjecture 2 (BSD)We assume that the Hasse-Taniyamaconjecture is true for E/Q.Then

L(rE)E (1)

rE!=

#Sha(E)ΩERE∏

p|∆Ecp

(#E(Q)tor)2.

54

In the formula we have some harmless fac-tors: ΩE is the real period of E, cpare the Tamagawa numbers determinedby the Neron model of E, and #E(Q)toris easily computed (Mazur’s theorem).A difficult factor is RE defined as volu-me of the lattice E(Q)

⊗

R in the Eucli-dean space endowed with the Neron-Tateheight.It is important to get at least bounds forit in order to make the formula useable.It corresponds to the regulator of numberfields attached to a system of fundamentalunits.Totally mysterious is Sha(E), the Tate-Shafarevich group of E. It has no coun-terpart in the Gm-world. It measures thefailure of the Hasse-principle for curves ofgenus 1 with Jacobian E.It is conjectured that it is finite (obviouslypart of BSD).

55

If we stay in the time before 1985 the on-ly theoretical big result is due to Coatesand Wiles (1976) for elliptic curves withCM: If LE(1) 6= 0 then E(Q) is finite.The influence of BSD is immense. It hasbeen vastly generalized, and the arithme-tic interpretation of special values of L-series attached to geometric objects likemotives is a central theme in arithmeticgeometry.

56

8.7 The Distribution of Eigenvaluesof Frobenius Endomorphisms

The Question:Given a “random” elliptic curve over Fq,what can we say about the structure ofE(Fq)?We know the size of |E(Fq)|: It is about qwith an error of size 2

√q, because it must

lie in the “Hasse interval”.But what is the exact order?Is the group cyclic?Is the order a prime number or, contrary,a smooth number?A first step to answer such questions is toask for probabilities.There are two possible approaches: Eitherfix Fq and vary the curve or choose a cur-ve, let us say, over Q,vary the reductionplace p and study the reduction E(p) ofE.

57

For fixed Fq Deuring’s work is again veryuseful: He relates the number of ellipticcurves with given order with class num-bers of binary quadratic forms, and thereis a highly developed theory about thissubject.For fixed E/Q we have one special case:E has CM.Then the Frobenius endomorphism is anelement in an order of an imaginary qua-dratic field with norm p, and analytic num-ber theory has results about the distribu-tion of traces of these elements.

58

But what happens if E has no CM (andthis is the generic case).We know that trace(φp) = 2

√pcos(θp)

and so the eigenvalues of φp are equal to√p · eiθp and

√p · e−iθp

Conjecture 3 (Tate,Sato)θp is equally distributed in [0, π] with

respect to the measure µ = 2/πsin2(θ)dθ.

59

Another typical question is: Given a non-torsion point P of E(Q).

How often is E(p)(Fq) =< P (p) >. This isan analogue of conjectures of Artin aboutprimitive roots in Z/p. More generally ta-ke a number A and ask “how often” wehave trace(φp) = A?

Conjecture 4 (Lang-Trotter)

|p ≤ T ; ap = A| ∼ cA,E(2/π)√

T/ log(T )

with a constant cA,E which is not zero ifthere is no congruence obstruction (forinstance, if E(Q) has a point of order2 then almost all ap are divisible by 2.)

60

PART II The Time after ECCIn 1985 everything was ready for a goldenage for arithmetic geometry.But at the same time there was a greatimpacton the algorithmic side, and num-ber theory had its first really deep app-lication to engineering. For this two newideas were responsible: Use elliptic curvesfor factoring and for Discrete Logarithms!Names of initiators of these fascinatingideas are dropped in the programme ofthis conference:

• Hendrik Lenstra about integer factori-zation using elliptic curves

• Victor Miller and Neal Koblitz aboutECC

• Shafi Goldwasser and Joe Kilian aboutprimality proving using elliptic curves

• Oliver Atkin and Francois Morain aboutprimality proving using elliptic curves

61

To show how mighty the available machi-nery is we begin with highlights from theo-ry.

9 Big Theorems

We begin with the most spectacular newresult.During the last five years the proof of Ser-re’s conjecture was established which is abig step towards Langlands’ programmeand extends the Jugendtraum.There are many names to mention but letme restrict myself to Wintenberger, Kha-re, Kisin, Taylor, Wiles, Diamond, Con-rad,...:

62

Theorem 8 Let Fq be a finite field.Let

ρ : GQ → GL(2, Fq)

be a continuous, absolutely irreducible,twodimensional, odd repre sentation withSerre conductor Nρ and Serre weightkρ. Then ρ is modular (with nebenty-pe) of level Nρ and weight kρ.

Consequences:

Theorem 9 The L-series of irreducibletwo-dimensional odd complex represen-tations ρ are holomorphic.

Already proved before:

Theorem 10 Every elliptic curve overQ is modular.

FLT is just a footnote to this result!

Previous conditional results on elliptic cur-ves are now true in general:

63

• Gross-Zagier:If LE(s) has a zero of or-der 1 at s = 1 then it has positive rank.

• Kolyvagin (1990): If LE(1) 6= 0 thenrE = 0, and if LE(s) has a first-orderzero at s = 1 then rE = 1.

• Rubin (1991) showed for CM curves de-fined over the CM field: If LE(1) 6= 0then the p-part of the Tate-Shafarevichgroup had the predicted order for allprimes p > 7.

Finally: The Tate-Sato conjecture was pro-ved (announced 2010) at least for ellipticcurves over Q by Barnet-Lamb, Geragh-ty, Harris and Taylor. (by proving that acertain L-series is holomorphic).

64

10 Cryptography

What has this to do with ECC?Surely ECC will not need all the deeptheory used for the proof of Serre’s con-jecture. But it uses astonishingly much,and the rest is for building up confidence!For Neil Koblitz and Victor Miller the exi-sting theory was a strong motivation tosuggest elliptic curves as source for DL sy-stems. One reason must have been that anindex calculus attack like the one in theGm-world was impossible because of thetheory, here: the properties of the height.I refer to the “Golden Shield”-Lecture ofKoblitz at ECC 2000 and the analysis ofthe Xedni-attack he did in the paper withJacobson, Silverman, Stein and Teske.(Cf. the remarkable new result in the pa-per of Rosen and Silverman: Even Heeg-ner points are independent!)

65

To make the approach practical one hasto overcome difficulties. Most importantis the fast construction of instances.Encouraging statistical statements (partlyheuristic or conjectural but partly provennow) were mentioned above.Koblitz himself used Deuring’s work toshow that both smooth numbers and pri-me numbers occur sufficiently often as or-ders of E(Fq).

The next step is to count points.The available theory was CM, and till to-day it is very efficient.But next came a much more general ap-proach using etale cohomology (Schoof)and modular curves (isogenies) leading tothe very efficient Schoof-Elkies-Atkin - Al-gorithm.

66

The next wave (15 year later) was the in-troduction of p-adic lifting (Satoh: cano-nical lifting making Deuring effective, Me-stre: AGM),p-adic analysis (Kedlaya: making Dwork,Monski-Washnitzer effective)and p-adic deformation (Lauder).

Some members of the big family of ellipticcurves were excluded, many contributionsto efficiency and security were added, andalways reported during ECC conferences.

But the general picture is remarkably sta-ble....

67

11 Apology

What I missed: More about p-adic coho-mologyDuality Theory: Tate pairing et al...

Not miss to say: Thanks for Listening!

68