>>Kristin Lauter: Okay. So thank you all very much for coming, and welcome to everyone and to our distinguished guests and speakers. So happy to see such a great turnout here. I'd like to acknowledge the sponsorship, generous sponsorship, from the National Science Foundation, a grant that was submitted by Dan Bernstein that's allowed us to support many students to attend this conference, the generous sponsorship of Certicom to sponsor the dinner for the conference. We have received sponsorship from PIMS, Pacific Institute of Mathematical Sciences, to help support many people to come, and the generous support of Microsoft Research, which has been providing the facilities and much of the food for the conference.

So with that, I'd like to say obviously we're here to celebrate the 25th year anniversary of elliptic curve cryptography and many related and relevant elliptic curve algorithms.

So for that reason, we've doubled the length of the usual ECC conference, which is usually an annual conference which is 2.5 days. Instead we're having five days of talks.

And we've devoted the entire first day as a celebration of the 25th year anniversary.

So today we'll have talks commemorating the invention of elliptic curve cryptography, talks by Victor Miller and Neal Koblitz, co-inventors of ECC, talks by François Morain and Goldwasser, who are pioneers of the ECPP elliptic curve primality proving algorithm, René Schoof, who found the first polynomial time algorithm for counting points on an elliptic curve, and Gerhard Frey, famous for many contributions and attacks in elliptic curve and hyperelliptic curve cryptography, among which is the Frey curve, which played a starring role in the proof of Fermat's last theorem.

Later in the week we will have a talk about ECM, the elliptic curve factoring method, by Peter Montgomery who's also celebrating around this time roughly 25-year anniversary of Montgomery Multiplication, and we'll be speaking about new work on elliptic curve factoring method at the end of the conference.

So just for context, we're celebrating 25 years anniversary of elliptic curve cryptography.

Microsoft Research has only been around for almost 20 years. We're about to celebrate our 20-year anniversary next year, so we're really young compared to the elliptic curve progress. A few years ago 25th year anniversary of LLL was celebrated. RSA was roughly 35 years old, if I did my subtraction right. So today after a fantastic day of talks we'll have the reception and the [inaudible] session including honoring Scott Vanstone for his pioneering role in advocating for widespread adoption of ECC, and in the intervening 25 years we've seen ECC transition from being an abstract idea to being a practical and valuable technology which is currently deployed across the computer industry. So this is quite an accomplishment to celebrate. And ECC has expanded and been extended to include pairing-based cryptography which has also enabled many new cryptographic functionalities and become practical very quickly and hyperelliptic curve cryptography which holds out promise for the future. You can form your own opinion about how practical it is for the present.

So I welcome you to what I think will be a great week of talks and a very fun conference, and I'd like to start -- our first talk is going to be given by Gerhard Frey, professor from University of Essen, and he will talk about elliptic curves, facts, conjectures and applications.

Thank you.

[applause].

>>Gerhard Frey: Thank you very much, and I want to thank very, very much all the organizers which made it possible that I could come here. And of course it's great for me to see all the people again. I met you in the last 35 years and longer, and I was kind of active in ECC workshops from the beginning on, and I would think that Scott Vanstone is especially honored today, for without him this beautiful series of conferences would not exist.

And of course I'm very happy to see all the active actors of ECC and beyond ECC here, and so I am able to give talks, and many others who are new in the business will give talks, so I'm a little bit embarrassed. What should I tell you?

And one of the members of the program committees that gave an introductory talk. So in fact I will not give an introductory talk but a pre-introductory talk. Most of my talk will be from the time before '85. And not much -- not the major part will be applied cryptography, but nevertheless I think our family being here will feel at home in the kind of mathematics I want to present here, and if you're bored, there are next lecturers to come.

So there are problems we would like to solve. For instance, Kronecker's Jugendtraum.

Please give a recipe to generate all abelian varieties of a given number field by adjoining very explicit elements coming from transcendental functions, special values. Or today, beyond, Langlands said why do you restrict to abelian extensions? Look at all [inaudible] presentations of every dimension and try to find objects which finally give you this whole bunch of fields in an explicit way.

Number theory is daily life, but like to decide whether a given number is a prime number, or if not, what are the factors? And of course we know how to do it. It's an effective algorithm to try, but it should be fast.

And finally now this is 1976, I think, Diffie-Hellman's demand, please give a discrete log system, which means give us a cyclic group in which you can present elements in a compact way, do addition in a very compact way and fast way, but the inverse, the discrete log, is not feasible in [inaudible] time.

These are challenges, and we are far away from having solutions for these, but there is some progress.

So let me go in the big first part to history. And every good history in number theory should begin with Gauss. And this is 9 times 25 years ago when he invented his first theorems, but then it goes on and on of course. And you all know his achievements.

We would not be in the state in which we are without his ground-breaking work.

But maybe it's not so well known that he is the first one who does arithmetic geometry.

He really is looking for function fields over finite fields and gives the first non-trivial example of Riemann hypothesis, which is in chapter 7 of [inaudible] which is not so well known, and there's a very nice article of [inaudible] about this chapter.

Then we have Jacobi, and 7 times 25 years ago. By the way, Gauss already introduced the name [inaudible] for the power you need to go from one root of [inaudible]. And Jacobi was fascinated and did algorithmic work. He gave a table of indexes for primes smaller than thousand and all numbers between 1 and 100.

5 times 25 years ago, at least it is plus/minus one year, Kronecker stated his Jugendtraum. I already have mentioned this. And then at the same time period Frobenius proved what is usually needed about the density theorem of Cebotarev which came quite later, but not so late, 1922.

About 3 times 25 years ago the big, big work of Emmy Noether was. I think this was kind of a beginning of a systematic study of ideals -- classes, ideals and so on in Noetherian rings. And it is interesting that a student of hers, Grete Hermann, studied with things from an algorithmic point of view and proved that arithmetic in [inaudible] can be done effectively.

Okay. Now, 50 years ago we have an explosion. Of course, one has to mention Grothendieck introducing schemes, introducing homology, and given it's a totally new side of what arithmetic geometry should be, unifying number theory and geometry.

Tate stated his duality theorems. Published. That's something [inaudible] about him.

Néron and Tate developed the theory of heights, and especially [inaudible], but a height is a geometric concept. It's done by [inaudible] theory locally, and when you put down together the local contributions, you get a global height. And it's not so easy to give an exact date, Eichler and Shimura developed this very, very fundamental concept that Hecke operators, which have to do with [inaudible] another object have to do with [inaudible] theory. The traces correspond to traces of [inaudible] elements. The Eichler-Shimura congruence gives you really the connection between number theory and the analytic theory of modular forms.

Birch and Swinnerton-Dyer published -- I think '63-'65 -- very, very keen speculations based on maybe the first massive computations on a computer. And they say that the arithmetic of elliptic curve over [inaudible] over number fields can be described analogously to class groups of number fields, but not analogously [inaudible], new things coming up. And out came the very, very ground-breaking conjecture of Birch and Swinnerton-Dyer which is now one of the most seminal concepts in arithmetic geometry, generalized wider and wider. Today we speak about special values of [inaudible] attached to [inaudible] which should have an arithmetic meaning.

Then Tate-Sato Conjecture came up, independently discovered by Tate and by Sato [inaudible], and a refinement, kind of refinement, was given by Lang and Trotter. This is not in the grid of 25 years. It is a little bit later.

Anyway, we had now all the ingredients to enter into a golden age, I would say, of mathematics, but some people say of arithmetic geometry. Depends on the point of view.

And number theory did not vanish, but number theory was integrated many, many times and very fruitfully by looking at geometric objects and trying to combine both concepts.

It is not true that you just do geometry and then number theorems pop out or you do number theory and then you get geometric things, but both sides have to do together.

And because of Grothendieck we are used to look at these things in a unified way.

So what is a geometric plane, the simplest one? It's a cubic with a cusp. And looking at this transformation, you see easily that you have an isomorphism between the usual additive line, affine line, with usual addition and the points on the cubic curve which is projective, but one point is not regular and you have to take it away.

So if you do not go to this one point, you have addition law. Just try to find it out, but it's addition law. You know addition in the field. Try to find what is addition on this cubic.

Taking two points away, you come to a node. You take two points away, and when you [inaudible] it again in a node with two different tangent lines when you get is y²z + xyz = x³. You have a parameterization of any element u going to this thing, special definition for a point 1. Here you have problem with 1, but then you say, okay, this is infinity. So a .0.1. And by this method you get an isomorphism between the multiplicative group as a scheme and the regular points of this projective cubic. Again, write down the addition laws.

This is now part of geometry which lies behind the multiplicative group of fields, and with this quite a lot of results were obtained already. For instance, the Jugendtraum of Kronecker over the rational numbers. You can realize every abelian extension of rational numbers Q by adjoining roots of unity and with our [inaudible] of the exponential functions, e to the power πix at rational numbers. Okay?

Characters were studied successfully, and as a spectacular result of this theory Kummer established the criterion that the Fermat's last theorem is true for exponents which are regular primes. Unfortunately, there are infinitely many non-regular primes, and I do not know the state of the art. I think one knows what should be the part of the regular ones, but one cannot prove it until now.

So we get results by this very easy multiplicative theory, but not everything that we want.

Factoring of numbers and prime number tests used the multiplicative group of finite fields, and this is very -- they're very nice [inaudible] but they are not as good as we would like to have it.

And, finally, Diffie-Hellman's question could be answered in a not so bad way. But already 1922, I think this was not -- people were not about this in '76 [inaudible] gives an index calculus algorithm, and this index calculus algorithm makes it clear that with security the [inaudible] of a discrete log in a multiplicative group is exponential without all the constants which we know today. But in principle, we have already this algorithm in 1922.

Why do we not get all what we want? One thing is if we use our affine curve in P^1, one finds essentially only two curves. Namely, the one with a cusp, the additive group, which is good in characteristic p but nearly worthless in characteristic zero, and the multiplicative group. And there are twists, so you get tori which are not split [inaudible].

Secondly, if you look at the multiplicative group, then the number of points is very, very rich. Look at the multiplicative group of Q. It's an exercise in the first class of number theory, I think, to prove that Q -- Q* is a Z-module not finitely generated. It's a very, very big group.

But it has lots and lots of finitely generated free subgroups. Take any set of primes and take the numbers which are powers of this set of primes and you have a free Z-module, and this leads to the concept of smooth numbers. So there are many, many subgroups which consist of smooth numbers.

A small deformation changes the world. What are you doing? Just write, instead of y²z = x³, right, y² + xy. Now, here plus y²z = x³ + z³. Plot the function, and what you see is singularity vanishes. You have now a cubic without singularity.

Or take the other example. Just write, instead of y²z + xyz = x³, again, this one additional term, z³. And, again, you see the singular point vanishes.

So you make a small deformation of your cubic with a singular point and of course then you get something without a singularity. So you get a cubic without a singularity.

But remember that we had addition on the cubic with singularity. Now, it is very easy and I think everyone believes it that if you change a little bit and do the same changed addition, you get again a [inaudible]. And in fact you just have solved now all the exercises. You solved the addition law where all this, taking two points, taking the line through the two points, you have a third intersection. Maybe you have to -- and then the sum of these three points you get is equal to one neutral element. And you do just the same on the elliptic curve, and what you did is addition law.

Now, this is a strange introduction of addition law and elliptic curve. Usually one does it conversely beginning with an elliptic curve and shows that this is an addition law and [inaudible] some generations, and of course one of the generations of addition law is the same.

Anyway, we have this addition law, and we have one [inaudible]. These elliptic curves are now projective to where we can do addition in the projective. Projective always means compact area.

And there are many non-isomorphic elliptic curves. We just want one deformations.

You can make many deformations, and you always get curves.

In fact, if you want to classify elliptic curves -- you all know this -- you just need one number where absolute j invariant Ga to classify the isomorphism class of elliptic curve of algebraically-closed fields, and if you are over a non-algebraically-closed field, you have to take an additional character, usually a quadratic one, but this character.

And the converse is true, too. I think with [inaudible] observation of [inaudible], but given any j, you find an elliptic curve of j invariant, and then you find all the other twist companions by twisting.

It is kind of strange that the abstract concept of elliptic curves is a late one. Maybe [inaudible] was the first one who really did this in earnest in the 1910, -20, and Hasse did it in earnest in combination with [inaudible] and such people, and so we have now this theorem.

And so we have many, many isomorphic classes of elliptic curves. Roughly speaking, as many as elements in the field Kr. And then addition law -- first of all, presentation of a curve can be given. This is a result using Riemann-Roch by a very specific way of cubic curves, namely, by Weierstrass equation, and sometime if you are not in characteristic 2 or 3, you even can make these three coefficients zero when you have a short Weierstrass equation.

And conversely, having such projective plane curve, you only have to make sure that it has no singularities when you have an elliptic curve. This means, by definition, a curve of genus 1 defined over a field K with a rational point [inaudible] function field language with a prime divisor of degree 1. And then you use Riemann-Roch and you come to an equation like that.

And what happens, if you have a discriminant equal to zero, that means singular points, then there can be at most -- there can be at most one singular point, at least after maybe a quadratic extension you find it, and with this then you come back to the Ga of additive group and the multiplicative group.

So they just occur as the generations and [inaudible].

Addition laws. Again, an exercise. I gave it geometrically. Write it down and you all know this, so I have not to go into this detail.

These are simple formulas. But nevertheless, now, this is because of cryptography maybe, you want to have this addition as efficient as possible. So, first of all, you transform and transform until you have a very efficient addition law for Weierstrass equation. But when you see maybe other curves are much better, for instance, taking Legendre normal form or intersections of two quadratics, which is, from a theoretical point of view, sometimes very useful, or take the Hessian forms, you did some conditions on points of order 3, or taking Edwards curves. And these are now quadratics.

So we go up with the exponent, but then we have [inaudible] we have a singular point.

The big advantage is that as long as the singular point -- it corresponds to two points, and if these two points are not rational you can be sure that the remaining affine part has an addition law in the affine part. That's a big advantage.

Having now elliptic curves, we come to the key. Namely, we look at points of order n.

The points E[n]. And one knows about the structure. If n is a power of a characteristic of the fields, then the point of order p power s are either only trivial or Z/p^s, and the 2 cases are distinguished between to say A is supersingular or A is ordinary.

But if n is prime to the characteristic of a field, then we know that this group scheme is isomorphic as an abelian group to Z/n cross Z/n, but it has a Galois action on it. And this means that we have a Galois representation, rho E[n] induced by the action of a Galois group over point of order n. And a little bit more general, go to the projective limit and you get a Tate module of elliptic curve, and this is a free Z_l-module of rank 2. You have a continuous action of a Galois group of Q with respect to a profinite topology, and you get a very, very important 2-dimensional l-adic representation rho E,l.

If we want to see this from a highbrow point of view is we introduce l-adic homology and we let the Galois group operate on the first Z_l cohomology of our elliptic curve.

And of course this is just a special case of a general case of abelian varieties. But I am speaking about elliptic curves, so an expert should do an entertaining thing and always think about abelian varieties instead of elliptic curves.

Okay. This has already very nice consequences. Namely, we can describe the ring of endomorphisms of elliptic curves if [inaudible]. Well, this is a skew field since we have a simple abelian variety, and it lies in [inaudible] to zed l because of the dimension of the module. And so we get that this is either Q or a quadratic field or a quaternion field.

There are no other possibilities for endomorphisms of elliptic curves [inaudible] with Q.

Has this to do something with rational curves? Yes, it has. Come back to Gm, look at the Galois representation used by the action of a Galois group of roots of unity, you get a cyclotomic character, and this cyclotomic character is a determinant of representation we get from elliptic curves. And behind this is already the duality of abelian varieties or elliptic curves, and restricted to torsion points, it's for Weil pairing, which tells us that this is true, especially we have that this representation is an odd representation. So if we look at a complex conjugation and take representation, look at the determinant when it's minus 1.

Come to this later maybe.

Here it is. Having these points of order n, we can [inaudible] structures. We just take a trivialization of our scheme, we map it to Z/n cross Z/n. So we forget the Galois structure, we just go the abelian group structure. And when we have a modular problem, there are many such isomorphisms. Please classify them together with elliptic curve. It's a modular problem, and it is representable, and it is even affine modular problem, and it's even defined over Z when we curve the -- [inaudible] n will not be connected, but if you want to have it connected you add n root of unity and then you get the modular X of n classifying elliptic curves together with specific isomorphism to Z/n cross Z/n.

Okay. There are subcovers. Look at orbits of level structures. First one is X1 of n.

There you want to have an elliptic curve together with a specific point of order n, take this as first vector in a base and let the other one vary and when you get presentations 1, 0, star, star, and this gives you the curve X1 of n, and if you do not want to have a fixed point but just [inaudible] generated by this fixed point, you get X0 of n classifying elliptic curves together with [inaudible] which are cyclic and have a kernel which is equal to a specific group of order n.

So we have modular forms, and so elliptic curves create modular forms and create X_0(n), X_1(n). On the other side we can look at elliptic curves which are quotients of these curves. It happens sometimes. And so elliptic curves create elliptic curves, and this is the conjecture of Taniyama-Shimura [inaudible].

I have introduced some concepts of Galois theory. You know over number fields we have hierarchy. We begin with a global field. When we have many valuations they give topologies. We look at the completions of our field with respect to these topologies, we get a local field, p-adic field or the real numbers or the complex numbers.

And if we are in the p-adic case, we can look at the ring of integers, valuation ring, and we can look at the quotient modulo the maximal ideal and we come to the finite field.

And the specific thing is that in Galois theory we have analogous hierarchy. You have a very big and complicated Galois group of a number field. A Galois group of Q is one of the most complicated objects we can think of.

Then you go to the Galois group of the local field. How you get it, you just take your valuation, you take one extension to be determined but you will not care to the separate [inaudible], you take all automorphisms of your field K which are continuous with respect to the topology you get which leaves you a subgroup, and with this Galois group of the local field. Now, this has nice structure. In particular, there is a big quotient corresponding to the maximal unramified extension of this local field. This Galois group is generated by one element topologically, and this element corresponds in a canonical way to a Frobenius automorphism of your finite field.

So you have the notion of Frobenius automorphisms in the Galois group of a number field by doing all these identifications and take care of the fact that Frobenius is determined only up to conjugation because of the choice of your extension for the valuation. And this is one of the key points which relates Galois theory with number theory.

We have a local-global principle attached to an element in our Galois group of characteristic polynomial. For instance, for dimension 2 representation, it's clear that you have this one, and then define representation is simple if it is determined up to equivalence by the set of all characteristic polynomials. You'll know if you have a finite group and the group order is prime to [inaudible] you are looking to define a representation, you have the theorem of [inaudible] which tells that you always have a simple representation.

In general, this may not be true. Anyway, assume that you have such one. Then Cebotarev's density theorem tells you that this representation is determined just by looking at all the images of almost all the Frobenius elements you have.

So it's a local-global principle. If you know how the local groups act on your object, you know the whole action of the Galois group.

What are elliptic curves doing in this environment? Now number theorists are interested in elliptic curves over global fields. But global fields are embedded in the local fields.

A typical local field is the complex numbers, over complex numbers, and this is historically where elliptic curves come from. We know elliptic curve has an analytic structure. It is additive group C divided out by a two-dimensional lattice. Over that you have normalization, you have the Weierstrass functions, and normalization [inaudible] lattice, you look at is of this form [inaudible] in the upper half plane when you have function j, a modular function, and if you take j of tau then you just get j of elliptic curve you begin with.

So you see again what is the structure of points of order n. But here, this is not so trivial. It's trivial in our context, but we get immediately that s3 of endomorphisms of elliptic curves with fields of characteristic zero, we always have only commutative rings because it's all over complex numbers and every field can be embedded into the complex numbers if [inaudible]. Standard business.

And you get that usually this ring of endomorphism is equal to zed, just n times the identities or what you have as endomorphisms, but sometimes you get special values of the j invariant at tau when this tau lives in an imaginary quadratic field and you have complex multiplication, and you have that j is an algebraic integer, and I think we will have a talk about this theory which binds [inaudible] theory with elliptic curves.

Now let's go to [inaudible] valuation. You get p-adic fields. There you can try to imitate the analytic theory. Sometimes this works very well, you come to a [inaudible] curve, but all the time you get the following. If you go near enough in the topology you have to a zero point then you always have kind of p functions. And you get a theorem of Lutz proved three times 25 years ago, namely, that you always have a subgroup of finite index of this group of rational points on E which is isomorphic to O_v.

This tells you that the structure of points on elliptic curves over local fields is kind of very, very easy. For instance, you get that you have only finitely many rational torsion points. And so if you have a field of finite type over its [inaudible] field, then you get immediately that the torsion part of the rational part of elliptic curve is finite.

But you can do better. You choose now very specific models, the Néron model, instead of taking any equation. This is adapted to the situation over the ring of integers of your valuation v. And then you have a classification. You get a group scheme over O_v, which means you get a group scheme over the finite field, the [inaudible] field, and you can classify it. And if you look at it, it may not be connected, but if it is connected -- but it has a connected component. And this is, again, on elliptic curve you have good reduction, the multiplicative curve, at least after quadratic extension, you have multiplicative reduction or split multiplicative reduction or the additive curve. Nothing else happens.

And looking at these conditions and the description of a model, you get a very, very nice criterion of Néron, Ogg and Shafarevich. An elliptic curve has good reduction if and only if the adjunction of all points of order n where n has nothing to do with the characteristic of [inaudible] field is unramified.

Elliptic curves over finite fields. If you have it over -- if you have this reduction theory, you are now curious what happens over a finite field. There, of course, you have only torsion points. We have a Frobenius automorphism as element in the Galois group.

Now it [inaudible] an endomorphism on the elliptic curve, and it is not very difficult to see that the characteristic polynomial of this endomorphism applied to Tate modules is the same for all l, and it's a polynomial over Z. This is not a deep theorem.

So we have this characteristic polynomial. We know about the determinant, so we have a q there, and because this is specifically what [inaudible] characteristic does, it powers by q. And we have this important trace of π_q, and you see the trace of π_q determines everything.

As a corollary, you get that you can compute the number of points on your elliptic curve over finite field F_q if you know the trace by this simple formula [inaudible] but this endomorphism π_q minus identity is separable, and so the number you have here with this of this kernel of this map is the degree, and you can compute the degree and basically the algebra to get it.

And not trivial is the result of Tate, namely, that the isogeny class of an elliptic curve over finite field is determined by the trace over Frobenius.

Now let's go slowly back to the global picture. We used the number theory to have a global problem go to a localization and to reduction and try to get information about the local -- the global piece by looking at the local pieces.

Here we go once in a different direction. We try to get information by lifting. A key ingredient is, of course, Hensel's Lemma, and it says that the points of order L if L that is nothing to do with the characteristic of your ground field, of your residue field, they are the same as Galois modules over the local field and over the finite field. So you get the same representation.

But it is not totally satisfying because there is no uniqueness. You'll find many, many elliptic curves [inaudible] which go to E. Just a congruence modulo the maximal ideal has to be satisfied. And we lift the automorphism of the Galois group as Frobenius element and not the endomorphism of elliptic curve. A big difference.

And lifting the endomorphism is, for obvious reason, not always possible because if we have supersingular elliptic curves, we have non-commutative endomorphisms, this is part of the work of Deuring in this very, very beautiful and ground-breaking paper [inaudible]. And, of course, we know that the endomorphisms are commutative in characteristic zero, so we never can lift the endomorphism of supersingular elliptic curves totally. But if we have an ordinary elliptic curve, then Deuring proved that there is exactly one [inaudible] twist elliptic curve until they're defined over a number field with this reduction E and with the same ring of endomorphisms. So especially the Frobenius endomorphism from the finite field lives in that ring of endomorphisms, and we have [inaudible] has to be a curve with complex multiplication because this Frobenius is not exact.

So we know about the ring of endomorphisms there. We know that this Frobenius corresponds to an integer in an order of an imaginary quadratic field. And so we know that the trace discriminant of our characteristic polynomial has to be negative because we get an imaginary quadratic field. And so we have proof of the Riemann hypothesis for elliptic curves, namely, the number of points minus the number of points on the projective space is bounded by two times square root of q, and this defines the famous Hasse interval. So this is, you see, if you have the lifting theorem of Deuring, the Riemann hypothesis for elliptic curves is a triviality.

Now let's go back to the global case. Look at the field obtained by adjoining the points of order n of the elliptic curve. Of course, by reaction -- by representation here we know the Galois group of this field is contained in the 2 by 2 matrices with entries over Z mod n. We know that the [inaudible] of unity have to be inside of K, and that if you go over this field adjoining n-th roots of unity and take the Galois group of this one, we are in a special linear group.

Now we have to distinguish two cases. First we are in the complex multiplication case, and then, and this is classically Kronecker and [inaudible], so 1900-something, already another case of Kronecker's dream becomes true: for [inaudible] quadratic fields you get all abelian extensions by adjoining such g's and torsion points of the corresponding elliptic curves in a very explicit way. [inaudible] theory in an explicit way over imaginary quadratic fields.

Well, the general case is when the endomorphism ring is equal to Z, and then we have the famous theorem of Serre, namely, for almost all numbers l the image is as big as possible, namely, GL_2(Z mod l) in the prime case, and then you see if you go up to l power n you always get the full linear group.

So we have now a method to create extension fields of the number field K in an explicit way by adjoining torsion points. And because of the criterion of Neron [inaudible] we have control over ramification.

Look at the group of rational points. We know already torsion elements form a finite group. And using the Hermite-Minkowski theorem, which says that for a given degree there are only finitely many extensions of a number field which are unramified outside a given finite set, we get immediately that if you look at the group of rational points modulo n times the rational points, for every number n we get a finite group.

Okay. But we want more. And for this we need a new ingredient, the Neron-Tate height I mentioned in the very beginning. It is a positive definite quadratic form if we kill torsion by [inaudible] with R. It is defined locally, so it's a local geometric object. This is [inaudible]. And it is defined in an explicit way, this is due to Tate, and one can compute it.

And the nice thing is one can even do it in a poor man's manner, namely, essentially you have to compute the height of the coordinate of your elliptic curve. And if you are over Q and you have a point P = a divided by b and some y, and a and b have no common divisors, then the height is exactly the maximum of R. Log is missing.

Excuse me. Log of its maximum. So the height is a logarithmic object, and I forgot to put in here log.

Okay. Excuse me.

And having this, the properties, it follows that E(K) is a finitely generated Z-module, and if I cancel this R it's a Euclidean space with respect to the quadratic form Neron-Tate height. And the ring is called R_E. The problem is to compute R_E.

Consequence: for a given finite set of places there are only identify finitely -- choose a [inaudible] equation. Look at the points. Look at these points where the x coordinate has denominators only in this finite set. Then you only get finitely many such points. It's the [inaudible] theorem. So you do not have smooth points. Given a finite set, you have only finitely many points which have this smoothness condition. No smooth points. And even more, a conjecture of Lang, another one I do not mention, is that the height of the points is not too small. It's bounded from below. And in fact [inaudible] Silverman proved as far as a conjecture smoothness for [inaudible] a lot of elliptic curves.

So it follows, I said already, no finite set of smooth elements, and points with small height tend to be linearly independent because there's a bound from below for the height [inaudible]. You cannot combine small points with [inaudible].

Okay. Now let's come again to representation theory. L-series. We have the local information, and we can count with this local information the points modulo evaluations.

We want to bring these together. And we just write down -- yeah, we sample this.

First of all, I should say here [inaudible] has proved [inaudible] simple. It's a deep, deep theorem.

It follows that two elliptic curves or abelian varieties are isogenous if their Frobenius elements coincide at enough places. It's an effect of [inaudible]. And as a consequence you get modules [inaudible] Mordell's conjecture.

Okay. This shows you how deep it is. Now let's look at what Hasse and Taniyama did.

In fact, Taniyama. Maybe Hasse. We want to link Galois theory with analytic functions.

Inspiring is the theory of L-series of classical theory, of L-series of global fields, and here we use the Eichler-Shimura congruence and the Langlands program. Let me state the things only for Q to be explicit, for my time is not infinite.

We just write down good primes. No reason written down characteristic polynomials of a Frobenius and for bad primes we define special definitions depending on the type of reduction. Very easy recipe.

Conjecture, maybe Hasse. It's not clear to me. I did not find anyplace -- I can tell a story afterwards if you want -- and Taniyama. This function [inaudible] is easily converging on the half plane with [inaudible]. This has an analytic continuation to the whole plane and satisfies a functional equation. It was proved by Deuring for his CM-curves and by Shimura for modular elliptic curves coming from X_0.

Now finally we are ready to formulate the conjecture of Birch and Swinnerton-Dyer. I think Professor Birch can tell you better, but I have a feeling the Galois number formula was somewhere behind.

>>: [inaudible].

>>Gerhard Frey: The conjecture is: look at this analytic function. So first assume it is an analytic function. Secondly, take that R is a derivative, normalized. Then the value at 1 is very explicitly given by an expression which has easy parts, namely, the torsion part, then this other number of connected components [inaudible] more or less. This is the period where [inaudible]. Here this is already more complicated. We have Euclidean space behind, and you take the volume of this, this is a regulator as in the case of number theory, and this here is a mysterious group, a [inaudible] group. It is really something new. In the multiplicative group you have no [inaudible] group, you have the Hasse principle. And this measures the difference between the truth of the Hasse -- how the Hasse principle is not satisfied. It should be a finite group. And we know in a lot of cases it is a finite group, but believe in this conjecture when it is a finite group. Define the [inaudible] group by this formula.

Okay. If you want to compute, then the regulator is hard to compute if you need good bounds from below. I spoke about the [inaudible] group already. Can go to the next slide.

If we stay before 1985, then we have only one big theoretical result, due to Coates and Wiles. Namely, for curves with CM and the value of the L-series not equal to zero at 1, we have finiteness of the number of points. I have already spoken about the importance of this conjecture. It's the central theme in arithmetic geometry nowadays.

Next conjecture. We have now that the L-series is important. In the L-series we have the traces. How are they distributed if I go over various p? This has to do with regression. What [inaudible] expect as exact order. We know the value is in an interval. What is the exact order? Is this order a prime number or is it a smooth number? Both are important for cryptography or for factoring numbers.

And if you have complex multiplication, we have already theory of Deuring. We have that we are inside of a ring of integers of imaginary quadratic field with Frobenius element and we have analytic number theory which answers our questions.

But what if [inaudible] in the general case? When we look for the distribution, because of the Riemann hypothesis we know that we can write the trace as 2 times square root p times a [inaudible]. Now we look at this angle theta p and the conjecture is it is equally distributed with respect to a special measure.

Okay. Another question is can we see more? Given the number which satisfies some conditions, is it true that we can count the number of p's such that the trace is exactly to this number. And Lang-Trotter says yes, we can, with a constant to be computed times square root t divided by log t which gives you distribution.

Okay. A lot of conjectures until '85. Now, what comes past '85? A lot of theory. But a very new ingredient. It was seen by these people mentioned in the announcement of the conference already that these elliptic curves are eager beavers if you want to factor a number or if you want to give discrete logarithms and for prime number theorems.

Okay.

So it becomes important to get explicit results. But first let me show what are the big theorems in theory.

The biggest one is that Serre's conjecture is proved now. It means the following.

Assume that you have any two-dimensional representation of a Galois group of Q going to a finite field which is irreducible in [inaudible]. Then it is modular of a given level and a given weight. Consequence is [inaudible] conjecture for irreducible two-dimensional or complex representation is true. Every elliptic curve is modular, which is Taniyama's conjecture. And as a footnote, you get [inaudible] last theorem. So this is really down, down, down in proof of [inaudible].

Then there are results which are conditionally -- for modular curves they are not true [inaudible] and finally [inaudible] was proved in, I think, nearly totally 2010.

What has this to do with cryptography? We do not need all the deep theory, but we need astonishingly much of it. And the rest of the theory is to build up our confidence.

We are in an area which is well understood which is deep, and no one is allowed to come to [inaudible].

Okay. I think that we should tell you from Neal Koblitz and Victor Miller one strong motivation to suggest elliptic curves as a source for DL was that there is no index calculus attack modelled after the one with the multiplicative group because we have the golden shield of heights. Look at the nice lectures and slides of [inaudible] 2000. And the [inaudible] of Silverman was analyzed in this paper to be not effective.

So this was the motivation. But when you have to construct fast construction, we have these distribution theorems, and they tell us if we take a random curve, we have a good chance to get a strong curve. But to do it really, one has to count points. This is the next wave of application of arithmetic geometry. First was CM. Until today, very efficient. But then came a [inaudible] homology by [inaudible] using modular curve isogenies to ...
