New blogpost on SIDH, a key-exchange protocol based on supersingular isogenies.

Hope you enjoy! M x

# Tag: curves

## SIDH

## Elliptic Curves: The Basics

### Point at Infinity

### Making Points on an Elliptic Curve into a Group

### Consequence

## Intrinsic Geometry

### Curves, Curvature and Normals

### Intrinsic Geometry

## VIDEO: Space-Filling Curves


Working over the rationals (or more precisely any field with characteristic 0) an **elliptic curve** is a curve given by the equation

y^{2} = x^{3} + Ax + B

such that the discriminant, which is 4A^{3} + 27B^{2}, is non-zero. Equivalently, the polynomial on the right hand side has distinct roots, ensuring that the curve is non-singular. Though we restrict our attention to these non-singular curves we note that if the right hand side is a cubic polynomial, there are only two types of singular curves, corresponding to whether there is a double root (*node*) or triple root (*cusp*).

The point at infinity is an important point that **always** lies on an elliptic curve. For those who have studied algebraic geometry this is a familiar concept and comes from defining a projective closure of the equation defining the elliptic curve. However, informally it can be described as an idealised limiting point at the ‘end’ of each line.

Imagine a vertical straight line, which intersects the elliptic curve at most two times.

The point at infinity is the point at which the two ends of this vertical line ‘meet’.

The reason that elliptic curves are amazing objects is because we can use geometry to make the points on the curve a group. Therefore we can use tools from algebraic number theory to study them.

This is done using the *chord and tangent process*:

We denote the point at infinity on an elliptic curve E over **Q** as O_{E}. E meets each line in 3 points, counted with multiplicity. Given two points on E, say P and Q, let R be the third point of intersection of PQ and E. Then P ⊕ Q is the third point of intersection of O_{E}R (vertical line through R) and E.

If P = Q we take the tangent at P instead of the line PQ.

Then E with the group law on points defined above, denoted by (E, ⊕), is an abelian group:

- The fact that it is abelian is clear by construction.
- **Identity:** O_{E} – this is why the point at infinity is such an important point and exists on all elliptic curves.
- **Inverses:** Given a point P, let S be the point of intersection of the tangent at O_{E} and E. Then let Q be the intersection of PS and E. Then the inverse of P is defined to be Q. Note that if O_{E} is a point of inflection (point of multiplicity 3) then S = O_{E} in the above.
- **Associativity:** This is much harder to prove. It can be done by identifying (E, ⊕) with a subgroup of the Picard Group, which is related to something called *divisors*.

Divisors are a tool for keeping track of poles and zeroes. For example, suppose a function *g* has a zero at a point P of order 3, and a pole at another point Q of order 2, and a pole at O of order 1 (note the number of zeroes and poles are equal, as they must be for a function). Then using divisors, we can say all this concisely as follows:

**div g = 3P − 2Q − O**

More precisely, we can define a divisor D to be a ‘formal sum’ of points on E (meaning that we write a sum of points using a + symbol but no actual operation is defined), say

Then the **degree** of a divisor is the sum of the coefficients.

This set of divisors forms a group, Div(E), generated by the points on E. Immediately we can identify a subgroup of Div(E), namely the divisors of **degree zero** denoted Div^{0}(E).

We can also define an equivalence relation ~ on divisors: D_{1}, D_{2} ∈ Div(E) are **linearly equivalent**, written D_{1} ~ D_{2}, if there exists an *f* such that **div(f) = D_{1} – D_{2}**.

We can now introduce the **Picard Group**. It is a subgroup of Div(E), defined by quotienting out by this equivalence relation

A subgroup of the Picard group is given by

We’re now ready to go back to talking about elliptic curves. The point of this discussion is that we know (Pic_{0}(E), +) is a group which has the associative property. Furthermore, we can show that we have a bijection between (E, ⊕) and (Pic_{0}(E), +) that preserves the group structure i.e. we have an isomorphism of groups. So, using this isomorphism we can identify the two groups and deduce that (E, ⊕) is also associative.

Say we started looking at points defined over **Q** (denoted by E(**Q**)). A natural question is to ask how we know that the addition or inverses of these points remains in **Q**?

We defined the group law by looking at the intersections of lines and curves. So, working through the algebra, we can get explicit equations for the addition of points and inverses. For example if we have an elliptic curve E over **Q** and a point P = (x,y) in E(**Q**), then **-P = (x, -y)**.

These explicit equations are useful because they tell us that the points do indeed remain defined over **Q**. More precisely, we find that (E(**Q**), ⊕) is a subgroup of (E, ⊕):

- The identity O_{E} is in E(**Q**) by definition.
- (E(**Q**), ⊕) is closed under addition and has inverses by the explicit formulae.
- Associativity and commutativity are inherited from (E, ⊕).

Note: This in fact holds for any field K, not just **Q**, but we must be a bit more careful, as the elliptic curve may not be expressible in the nice form y^{2} = x^{3} + Ax + B so the formulae are a bit messier. The reason why this is important is that we often want to consider elliptic curves over *finite fields*, something I will explore in future posts.
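The explicit formulae mentioned above, carried out with exact rational arithmetic, as an added example that is not part of the original post. It uses the standard chord-and-tangent formulae for a curve of the form y^{2} = x^{3} + Ax + B; the `Curve` class and the sample curve y^{2} = x^{3} + 17 with its three points are assumptions chosen for illustration.

```python
from fractions import Fraction as F

O = None  # the point at infinity O_E, identity of the group

class Curve:
    """y^2 = x^3 + A*x + B over Q, using exact rational arithmetic."""
    def __init__(self, A, B):
        self.A, self.B = F(A), F(B)
        if 4 * self.A**3 + 27 * self.B**2 == 0:
            raise ValueError("singular curve: 4A^3 + 27B^2 = 0")

    def on_curve(self, P):
        if P is O:
            return True
        x, y = map(F, P)
        return y * y == x**3 + self.A * x + self.B

    def neg(self, P):
        # -P = (x, -y): reflection in the x-axis
        return O if P is O else (F(P[0]), -F(P[1]))

    def add(self, P, Q):
        if P is O:
            return Q
        if Q is O:
            return P
        x1, y1, x2, y2 = map(F, (*P, *Q))
        if x1 == x2 and y1 == -y2:
            return O  # vertical line through P and Q meets E again at O_E
        if x1 == x2:
            lam = (3 * x1 * x1 + self.A) / (2 * y1)  # P = Q: tangent slope
        else:
            lam = (y2 - y1) / (x2 - x1)              # chord slope
        x3 = lam * lam - x1 - x2       # x-coordinate of R, the third intersection
        y3 = lam * (x1 - x3) - y1      # reflect R in the x-axis to get P + Q
        return (x3, y3)

# Constructed sample: E: y^2 = x^3 + 17 with three rational points.
E = Curve(0, 17)
P, Q, R = (-2, 3), (-1, 4), (2, 5)

if __name__ == "__main__":
    print("P + Q =", E.add(P, Q))
    print("2P    =", E.add(P, P))
    print("(P+Q)+R == P+(Q+R):", E.add(E.add(P, Q), R) == E.add(P, E.add(Q, R)))
    print("P + (-P) is O_E:", E.add(P, E.neg(P)) is O)
```

Every intermediate value is a `Fraction`, so the sums visibly stay in E(**Q**); for instance Q ⊕ R has non-integer coordinates but still satisfies the curve equation exactly.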

M x

Today I wanted to discuss the geometry of curves and surfaces.

First let us consider a curve **r**(s) which is parameterised by s, the arc length.

Now, **t**(s) = is a unit tangent vector and so **t**^{2} = 1, thus **t**.**t** = 1. If we differentiate this, we get that **t**.**t**' = 0, which specifies a direction normal to the curve, provided **t**' is not equal to zero. This is because if the dot product of two vectors is zero, then those two vectors are perpendicular to each other.

Let us define **t**' = K**n**, where the unit vector **n**(s) is called the *principal normal* and K(s) is called the *curvature*. Note that we can always make K positive by choosing an appropriate direction for **n**.

Another interesting quantity is the *radius of curvature*, a, which is given by

a = 1/curvature

Now that we have **n** and **t** we can define a new vector **b** = **t** × **n**, which is orthonormal to both **t** and **n**. This is called the *binormal*. Using this, we can then examine the *torsion* of the curve, which is given by

T(s) = –**b**'.**n**

As the plane is rotated about **n** we can find a range

where and are the *principal curvatures*. Then

is called the *Gaussian curvature.*

Gauss’ *Theorema Egregium* (which literally translates to ‘Remarkable Theorem’!) says that K is **intrinsic** to the surface. This means that it can be expressed in terms of lengths, angles, etc. which are measured entirely on the surface!

For example, consider a geodesic triangle on a surface S.

Let θ1, θ2, θ3 be the interior angles. Then the *Gauss-Bonnet theorem* tells us that

which generalises the angle sum of a triangle to curved space.

Let us check this when S is a sphere of radius a, for which the geodesics are great circles. We can see that == 1/a, and so K = 1/a^{2}, a constant. As shown below, we have a family of geodesic triangles D with θ1 = α, θ2 = θ3 = π/2.

Since K is constant over S,

Then θ1 + θ2 + θ3 = π + α, agreeing with the prediction of the theorem.

M x

Numberphile has recently posted a video on Space-Filling Curves, a topic I made a post on a few weeks ago. I thought I would share this video as it would be a nice complement to that post!

M x