2

Consider the curve on $\mathbb R^2$ with equation $y^2=x^3+b$, for some fixed real $b>0$. It forms an elliptic curve group $(E,+)$ under point addition. There exists an isomorphism to that group from the group formed by the interval $[0,1)$ under addition$\pmod 1$. And we can reduce to a single such isomorhism $f$, among two, by adding the condition that $f(1/4)$ has a positive $y$ coordinate.

Is there a name for that rather canonical isomorphism $f$, or a variant, e.g. from $[0,2\pi)$ rather than $[0,1)\,$? What's an efficient way to compute $f$, or $f^{-1}$?

That's illustrated below for $b=2^{-12}$, with the images by $f$ of $\{0.1,0.2,\ldots,0.9\}\subset[0,1)$ shown. $f(0)$ is the point at infinity, that is the neutral for point addition.

y^2=x^3+2^{-12}

Examples of the isomorphism $f$ a work:

  • we geometrically add the point $P=f(0.3)$ and the point $Q=f(0.8)$, by drawing the line $(P,Q)$, noticing that it intersects the curve at point $R=f(0.9)$, which symmetric is point $R'=f(0.1)$, therefore $P+Q=R'$ and indeed $0.3+0.8\equiv0.1\pmod 1$.
  • we geometrically double the point $P=f(0.9)$ by drawing the tangent to the curve at $P$, noticing that it intersects the curve at point $R=f(0.2)$, which symmetric is point $R'=f(0.8)$, therefore $P+P=R'$ and indeed $0.9+0.9\equiv0.8\pmod 1$.

Note: I have determined $f(1/10)=(0.3529269345486749\ldots, 0.2102470200494472\ldots)$ by numerically solving the equation corresponding to $10\times f(1/10)=f(0)$ with the scalar multiplication made using point doubling and addition, and keeping the solution with the largest $x$ and $y$. The other points follow.

Update: I found no generic name, but devised a mildly workable way to evaluate $f$

  • precompute the first $k$ terms of the $u_i$ defined by $$\begin{align}u_1&=-1\\ v_i&=\sqrt{{u_i}^2-u_i+1}+u_i\\ u_{i+1}&=\sqrt{(2\,v_i-1)\,(u_i+1)}+v_i\end{align}$$ which first terms $u_1$ are -1, 0.732051…, 3.60592…, 14.4667…, 57.8693…, 231.477…, 925.910…, 3703.64…, 14814.6…, 59258.2…
  • It holds that the $x$ coordinate of $f(2^{-i})$ is $u_i\,b^{1/3}$, and the (non-negative) $y$ coordinate follows from the curve's equation.
  • This allows evaluating $f(t)$ for any $t$ with $2^k\,t$ an integer.
fgrieu
  • 1,758
  • An elliptic curve over the complex numbers is isomorphic to a 2-torus $S^1 \times S^1$ and then the real points are the subgroup fixed by however complex conjugation acts on this. One possibility is that the fixed points of complex conjugation are a single copy of $S^1$. – Qiaochu Yuan Sep 18 '20 at 20:27
  • 1
    The only proof I know that such an isomorphism exists is basically given by explicitly constructing it. Is there a reason you don't want to use that construction? –  Sep 19 '20 at 19:34
  • @TokenToucan: I'm exploring the connections between Elliptic Curve groups over finite fields (such as secp256k1) and the EC group over reals with the same equation. I noticed we can use $f$ to construct an isomorphism $g$ between the first group and a finite subgroup of the later group, as illustrated there. We have the same membership and addition formulas for both groups. But sadly, that similarity does not seem to make the isomorphism $g$ computable, which would have important applications. – fgrieu Sep 21 '20 at 06:52
  • 1
    The isomorphism $f$ is pretty much explicit (see Silverman AEC vol 2, section V.2). Also, the isomorphism from points over a finite field to $\mathbb R$ is probably a consequence of the fact that, for $p$ a prime of good reduction, the reduction-mod-$p$ map is injective on prime-to-$p$ torsion, plus some coincidence that leads to the torsion being real (when in general it could be complex and not real) –  Sep 21 '20 at 07:13
  • 1
    But on further thought, it won’t help you much with the DLP of your other question. The problem is that once you start working over the reals with power series and so on, you’re very likely going to lose a lot of algebraic information. To reduce the torsion points mod $p$, you need to understand them as algebraic integers, eg to know their minimal polynomials, and these isomorphisms are just power series, which don’t look or feel really algebraic. Of course, the DLP is supposed to be hard :) –  Sep 21 '20 at 07:34
  • @TokenToucan: I found Silverman's AEC ed 2, but that has a single volume, and it's section V.2 is about "The Weil Conjectures". What's the title of the section you have kindly pointed me to? – fgrieu Sep 21 '20 at 07:50
  • 1
    Sorry I forget that it isn’t literally two volumes. This book V.2: https://www.springer.com/gp/book/9780387943251 –  Sep 21 '20 at 08:39

0 Answers0