Twists of elliptic curves

Last updated October 22, 2024

In the mathematical field of algebraic geometry, an elliptic curve E over a field K has an associated quadratic twist, that is another elliptic curve which is isomorphic to E over an algebraic closure of K. In particular, an isomorphism between elliptic curves is an isogeny of degree 1, that is an invertible isogeny. Some curves have higher order twists such as cubic and quartic twists. The curve and its twists have the same j-invariant.

Quadratic twist

First assume $K$ is a field of characteristic different from 2. Let $E$ be an elliptic curve over $K$ of the form:

y^{2}=x^{3}+a_{2}x^{2}+a_{4}x+a_{6}.\,

Given $d\neq 0$ not a square in $K$ , the quadratic twist of $E$ is the curve $E^{d}$ , defined by the equation:

dy^{2}=x^{3}+a_{2}x^{2}+a_{4}x+a_{6}.\,

or equivalently

y^{2}=x^{3}+da_{2}x^{2}+d^{2}a_{4}x+d^{3}a_{6}.\,

The two elliptic curves $E$ and $E^{d}$ are not isomorphic over $K$ , but rather over the field extension $K({\sqrt {d}})$ . Qualitatively speaking, the arithmetic of a curve and its quadratic twist can look very different in the field $K$ , while the complex analysis of the curves is the same; and so a family of curves related by twisting becomes a useful setting in which to study the arithmetic properties of elliptic curves.^[5]

Twists can also be defined when the base field $K$ is of characteristic 2. Let $E$ be an elliptic curve over $K$ of the form:

y^{2}+a_{1}xy+a_{3}y=x^{3}+a_{2}x^{2}+a_{4}x+a_{6}.\,

Given $d\in K$ such that $X^{2}+X+d$ is an irreducible polynomial over $K$ , the quadratic twist of $E$ is the curve $E^{d}$ , defined by the equation:

y^{2}+a_{1}xy+a_{3}y=x^{3}+(a_{2}+da_{1}^{2})x^{2}+a_{4}x+a_{6}+da_{3}^{2}.\,

The two elliptic curves $E$ and $E^{d}$ are not isomorphic over $K$ , but over the field extension $K[X]/(X^{2}+X+d)$ .

Quadratic twist over finite fields

If $K$ is a finite field with $q$ elements, then for all $x$ there exist a $y$ such that the point $(x,y)$ belongs to $E$ or $E^{d}$ (or possibly both). In fact, if $(x,y)$ is on just one of the curves, there is exactly one other $y'$ on that same curve (which can happen if the characteristic is not $2$ ).

As a consequence, $|E(K)|+|E^{d}(K)|=2q+2$ or equivalently $t_{E^{d}}=-t_{E}$ , where $t_{E}$ is the trace of the Frobenius endomorphism of the curve.

Quartic twist

It is possible to "twist" elliptic curves with j-invariant equal to 1728 by quartic characters;^[6] twisting a curve $E$ by a quartic twist, one obtains precisely four curves: one is isomorphic to $E$ , one is its quadratic twist, and only the other two are really new. Also in this case, twisted curves are isomorphic over the field extension given by the twist degree.

Cubic twist

Analogously to the quartic twist case, an elliptic curve over $K$ with j-invariant equal to zero can be twisted by cubic characters. The curves obtained are isomorphic to the starting curve over the field extension given by the twist degree.

Generalization

Twists can be defined for other smooth projective curves as well. Let $K$ be a field and $C$ be curve over that field, i.e., a projective variety of dimension 1 over $K$ that is irreducible and geometrically connected. Then a twist $C'$ of $C$ is another smooth projective curve for which there exists a ${\bar {K}}$ -isomorphism between $C'$ and $C$ , where the field ${\bar {K}}$ is the algebraic closure of $K$ .^[4]

Examples

Related Research Articles

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

<span class="mw-page-title-main">Elliptic curve</span> Algebraic curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point $O$ . An elliptic curve is defined over a field $K$ and describes points in $K 2$ , the Cartesian product of $K$ with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions $(x, y)$ for:

The Lenstra elliptic-curve factorization or the elliptic-curve factorization method (ECM) is a fast, sub-exponential running time, algorithm for integer factorization, which employs elliptic curves. For general-purpose factoring, ECM is the third-fastest known factoring method. The second-fastest is the multiple polynomial quadratic sieve, and the fastest is the general number field sieve. The Lenstra elliptic-curve factorization is named after Hendrik Lenstra.

In mathematics, particularly in algebraic geometry, complex analysis and algebraic number theory, an abelian variety is a projective algebraic variety that is also an algebraic group, i.e., has a group law that can be defined by regular functions. Abelian varieties are at the same time among the most studied objects in algebraic geometry and indispensable tools for research on other topics in algebraic geometry and number theory.

In mathematics, an affine algebraic plane curve is the zero set of a polynomial in two variables. A projective algebraic plane curve is the zero set in a projective plane of a homogeneous polynomial in three variables. An affine algebraic plane curve can be completed in a projective algebraic plane curve by homogenizing its defining polynomial. Conversely, a projective algebraic plane curve of homogeneous equation $h (x, y, t) = 0$ can be restricted to the affine algebraic plane curve of equation $h (x, y, 1) = 0$ . These two operations are each inverse to the other; therefore, the phrase algebraic plane curve is often used without specifying explicitly whether it is the affine or the projective case that is considered.

<span class="mw-page-title-main">Birational geometry</span> Field of algebraic geometry

In mathematics, birational geometry is a field of algebraic geometry in which the goal is to determine when two algebraic varieties are isomorphic outside lower-dimensional subsets. This amounts to studying mappings that are given by rational functions rather than polynomials; the map may fail to be defined where the rational functions have poles.

<i>j</i>-invariant Modular function in mathematics

In mathematics, Felix Klein's $j$ -invariant or $j$ function, regarded as a function of a complex variable $τ$ , is a modular function of weight zero for special linear group $SL(2, Z)$ defined on the upper half-plane of complex numbers. It is the unique such function that is holomorphic away from a simple pole at the cusp such that

In algebraic geometry, a hyperelliptic curve is an algebraic curve of genus g > 1, given by an equation of the form $where f (x) is a polynomial of degree n = 2 g + 1 > 4 or n = 2 g + 2 > 4 with n distinct roots, and h (x) is a polynomial of degree < g + 2 (if the characteristic of the ground field is not 2, one can take h (x) = 0).$

In mathematics, an algebraic torus, where a one dimensional torus is typically denoted by $,, or, is a type of commutative affine algebraic group commonly found in projective algebraic geometry and toric geometry. Higher dimensional algebraic tori can be modelled as a product of algebraic groups . These groups were named by analogy with the theory of tori in Lie group theory. For example, over the complex numbers the algebraic torus is isomorphic to the group scheme, which is the scheme theoretic analogue of the Lie group . In fact, any -action on a complex vector space can be pulled back to a -action from the inclusion as real manifolds.$

In mathematics, complex multiplication (CM) is the theory of elliptic curves E that have an endomorphism ring larger than the integers. Put another way, it contains the theory of elliptic functions with extra symmetries, such as are visible when the period lattice is the Gaussian integer lattice or Eisenstein integer lattice.

In algebraic geometry, a Kummer quartic surface, first studied by Ernst Kummer, is an irreducible nodal surface of degree 4 in with the maximal possible number of 16 double points. Any such surface is the Kummer variety of the Jacobian variety of a smooth hyperelliptic curve of genus 2; i.e. a quotient of the Jacobian by the Kummer involution x ↦ −x. The Kummer involution has 16 fixed points: the 16 2-torsion point of the Jacobian, and they are the 16 singular points of the quartic surface. Resolving the 16 double points of the quotient of a torus by the Kummer involution gives a K3 surface with 16 disjoint rational curves; these K3 surfaces are also sometimes called Kummer surfaces.

In mathematics, an algebraic surface is an algebraic variety of dimension two. In the case of geometry over the field of complex numbers, an algebraic surface has complex dimension two and so of dimension four as a smooth manifold.

In mathematics, the canonical bundle of a non-singular algebraic variety $of dimension over a field is the line bundle, which is the n th exterior power of the cotangent bundle on .$

In mathematics, a rational variety is an algebraic variety, over a given field K, which is birationally equivalent to a projective space of some dimension over K. This means that its function field is isomorphic to

In algebraic geometry, supersingular elliptic curves form a certain class of elliptic curves over a field of characteristic p > 0 with unusually large endomorphism rings. Elliptic curves over such fields which are not supersingular are called ordinary and these two classes of elliptic curves behave fundamentally differently in many aspects. Hasse (1936) discovered supersingular elliptic curves during his work on the Riemann hypothesis for elliptic curves by observing that positive characteristic elliptic curves could have endomorphism rings of unusually large rank 4, and Deuring (1941) developed their basic theory.

In mathematics, the Enriques–Kodaira classification groups compact complex surfaces into ten classes, each parametrized by a moduli space. For most of the classes the moduli spaces are well understood, but for the class of surfaces of general type the moduli spaces seem too complicated to describe explicitly, though some components are known.

In number theory, the classical modular curve is an irreducible plane algebraic curve given by an equation

Supersingular isogeny Diffie–Hellman key exchange is an insecure proposal for a post-quantum cryptographic algorithm to establish a secret key between two parties over an untrusted communications channel. It is analogous to the Diffie–Hellman key exchange, but is based on walks in a supersingular isogeny graph and was designed to resist cryptanalytic attack by an adversary in possession of a quantum computer. Before it was broken, SIDH boasted one of the smallest key sizes of all post-quantum key exchanges; with compression, SIDH used 2688-bit public keys at a 128-bit quantum security level. SIDH also distinguishes itself from similar systems such as NTRU and Ring-LWE by supporting perfect forward secrecy, a property that prevents compromised long-term keys from compromising the confidentiality of old communication sessions. These properties seemed to make SIDH a natural candidate to replace Diffie–Hellman (DHE) and elliptic curve Diffie–Hellman (ECDHE), which are widely used in Internet communication. However, SIDH is vulnerable to a devastating key-recovery attack published in July 2022 and is therefore insecure. The attack does not require a quantum computer.

In mathematics, the supersingular isogeny graphs are a class of expander graphs that arise in computational number theory and have been applied in elliptic-curve cryptography. Their vertices represent supersingular elliptic curves over finite fields and their edges represent isogenies between curves.

Andrew Victor Sutherland is an American mathematician and Principal Research Scientist at the Massachusetts Institute of Technology. His research focuses on computational aspects of number theory and arithmetic geometry. He is known for his contributions to several projects involving large scale computations, including the Polymath project on bounded gaps between primes, the L-functions and Modular Forms Database, the sums of three cubes project, and the computation and classification of Sato-Tate distributions.

References

↑ Bos, Joppe W.; Halderman, J. Alex; Heninger, Nadia; Moore, Jonathan; Naehrig, Michael; Wustrow, Eric (2014). "Elliptic Curve Cryptography in Practice". In Christin, Nicolas; Safavi-Naini, Reihaneh (eds.). Financial Cryptography and Data Security. Lecture Notes in Computer Science. Vol. 8437. Berlin, Heidelberg: Springer. pp. 157–175. doi:10.1007/978-3-662-45472-5_11. ISBN 978-3-662-45471-8 . Retrieved 2022-04-10.
↑ Mazur, B.; Rubin, K. (September 2010). "Ranks of twists of elliptic curves and Hilbert's tenth problem". Inventiones Mathematicae. 181 (3): 541–575. arXiv: 0904.3709 . Bibcode:2010InMat.181..541M. doi:10.1007/s00222-010-0252-0. ISSN 0020-9910. S2CID 3394387.
↑ Poonen, Bjorn; Schaefer, Edward F.; Stoll, Michael (2007-03-15). "Twists of X(7) and primitive solutions to x²+y³=z⁷". Duke Mathematical Journal. 137 (1). arXiv: math/0508174 . doi:10.1215/S0012-7094-07-13714-1. ISSN 0012-7094. S2CID 2326034.
1 2 Lombardo, Davide; Lorenzo García, Elisa (February 2019). "Computing twists of hyperelliptic curves". Journal of Algebra. 519: 474–490. arXiv: 1611.04856 . Bibcode:2016arXiv161104856L. doi:10.1016/j.jalgebra.2018.08.035. S2CID 119143097.
↑ Rubin, Karl; Silverberg, Alice (2002-07-08). "Ranks of elliptic curves". Bulletin of the American Mathematical Society. 39 (4): 455–474. doi: 10.1090/S0273-0979-02-00952-7 . ISSN 0273-0979. MR 1920278.
↑ Gouvêa, F.; Mazur, B. (1991). "The square-free sieve and the rank of elliptic curves" (PDF). Journal of the American Mathematical Society. 4 (1): 1–23. doi:10.1090/S0894-0347-1991-1080648-7. JSTOR 2939253.

P. Stevenhagen (2008). Elliptic Curves (PDF). Universiteit Leiden.
C. L. Stewart and J. Top (October 1995). "On Ranks of Twists of Elliptic Curves and Power-Free Values of Binary Forms". Journal of the American Mathematical Society. 8 (4): 943–973. doi: 10.1090/S0894-0347-1995-1290234-5 . JSTOR 2152834.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Bos, Joppe W.; Halderman, J. Alex; Heninger, Nadia; Moore, Jonathan; Naehrig, Michael; Wustrow, Eric (2014). "Elliptic Curve Cryptography in Practice". In Christin, Nicolas; Safavi-Naini, Reihaneh (eds.). Financial Cryptography and Data Security. Lecture Notes in Computer Science. Vol. 8437. Berlin, Heidelberg: Springer. pp. 157–175. doi:10.1007/978-3-662-45472-5_11. ISBN 978-3-662-45471-8 . Retrieved 2022-04-10.

[2] Mazur, B.; Rubin, K. (September 2010). "Ranks of twists of elliptic curves and Hilbert's tenth problem". Inventiones Mathematicae. 181 (3): 541–575. arXiv: 0904.3709 . Bibcode:2010InMat.181..541M. doi:10.1007/s00222-010-0252-0. ISSN 0020-9910. S2CID 3394387.

[3] Poonen, Bjorn; Schaefer, Edward F.; Stoll, Michael (2007-03-15). "Twists of X(7) and primitive solutions to x²+y³=z⁷". Duke Mathematical Journal. 137 (1). arXiv: math/0508174 . doi:10.1215/S0012-7094-07-13714-1. ISSN 0012-7094. S2CID 2326034.

[LLG2019-4] 1 2 Lombardo, Davide; Lorenzo García, Elisa (February 2019). "Computing twists of hyperelliptic curves". Journal of Algebra. 519: 474–490. arXiv: 1611.04856 . Bibcode:2016arXiv161104856L. doi:10.1016/j.jalgebra.2018.08.035. S2CID 119143097.

[5] Rubin, Karl; Silverberg, Alice (2002-07-08). "Ranks of elliptic curves". Bulletin of the American Mathematical Society. 39 (4): 455–474. doi: 10.1090/S0273-0979-02-00952-7 . ISSN 0273-0979. MR 1920278.

[6] Gouvêa, F.; Mazur, B. (1991). "The square-free sieve and the rank of elliptic curves" (PDF). Journal of the American Mathematical Society. 4 (1): 1–23. doi:10.1090/S0894-0347-1991-1080648-7. JSTOR 2939253.

[1]

[2]

[3]

[4]

[5]

[6]