Elliptic curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point $O$ . An elliptic curve is defined over a field $K$ and describes points in $K 2$ , the Cartesian product of $K$ with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions $(x, y)$ for:

y^{2}=x^{3}+ax+b

for some coefficients $a$ and $b$ in $K$ . The curve is required to be non-singular, which means that the curve has no cusps or self-intersections. (This is equivalent to the condition $4 a 3 + 27 b 2 \neq 0$ , that is, being square-free in $x$ .) It is always understood that the curve is really sitting in the projective plane, with the point $O$ being the unique point at infinity. Many sources define an elliptic curve to be simply a curve given by an equation of this form. (When the coefficient field has characteristic 2 or 3, the above equation is not quite general enough to include all non-singular cubic curves; see § Elliptic curves over a general field below.)

An elliptic curve is an abelian variety – that is, it has a group law defined algebraically, with respect to which it is an abelian group – and $O$ serves as the identity element.

If $y 2 = P (x)$ , where $P$ is any polynomial of degree three in $x$ with no repeated roots, the solution set is a nonsingular plane curve of genus one, an elliptic curve. If $P$ has degree four and is square-free this equation again describes a plane curve of genus one; however, it has no natural choice of identity element. More generally, any algebraic curve of genus one, for example the intersection of two quadric surfaces embedded in three-dimensional projective space, is called an elliptic curve, provided that it is equipped with a marked point to act as the identity.

Using the theory of elliptic functions, it can be shown that elliptic curves defined over the complex numbers correspond to embeddings of the torus into the complex projective plane. The torus is also an abelian group, and this correspondence is also a group isomorphism.

Elliptic curves are especially important in number theory, and constitute a major area of current research; for example, they were used in Andrew Wiles's proof of Fermat's Last Theorem. They also find applications in elliptic curve cryptography (ECC) and integer factorization.

An elliptic curve is not an ellipse in the sense of a projective conic, which has genus zero: see elliptic integral for the origin of the term. However, there is a natural representation of real elliptic curves with shape invariant $j \geq 1$ as ellipses in the hyperbolic plane $\mathbb {H} ^{2}$ . Specifically, the intersections of the Minkowski hyperboloid with quadric surfaces characterized by a certain constant-angle property produce the Steiner ellipses in $\mathbb {H} ^{2}$ (generated by orientation-preserving collineations). Further, the orthogonal trajectories of these ellipses comprise the elliptic curves with $j \leq 1$ , and any ellipse in $\mathbb {H} ^{2}$ described as a locus relative to two foci is uniquely the elliptic curve sum of two Steiner ellipses, obtained by adding the pairs of intersections on each orthogonal trajectory. Here, the vertex of the hyperboloid serves as the identity on each trajectory curve.

Topologically, a complex elliptic curve is a torus, while a complex ellipse is a sphere.

Elliptic curves over the real numbers

Graphs of curves $y 2 = x 3 - x$ and $y 2 = x 3 - x + 1$

Although the formal definition of an elliptic curve requires some background in algebraic geometry, it is possible to describe some features of elliptic curves over the real numbers using only introductory algebra and geometry.

In this context, an elliptic curve is a plane curve defined by an equation of the form

y^{2}=x^{3}+ax+b

after a linear change of variables ( $a$ and $b$ are real numbers). This type of equation is called a Weierstrass equation, and said to be in Weierstrass form, or Weierstrass normal form.

The definition of elliptic curve also requires that the curve be non-singular. Geometrically, this means that the graph has no cusps, self-intersections, or isolated points. Algebraically, this holds if and only if the discriminant, $\Delta$ , is not equal to zero.

\Delta =-16\left(4a^{3}+27b^{2}\right)\neq 0

The discriminant is zero when $a=-3k^{2},b=2k^{3}$ .

(Although the factor −16 is irrelevant to whether or not the curve is non-singular, this definition of the discriminant is useful in a more advanced study of elliptic curves.)

The real graph of a non-singular curve has two components if its discriminant is positive, and one component if it is negative. For example, in the graphs shown in figure to the right, the discriminant in the first case is 64, and in the second case is −368. Following the convention at Conic section#Discriminant, elliptic curves require that the discriminant is negative.

The group law

When working in the projective plane, the equation in homogeneous coordinates becomes

{\frac {Y^{2}}{Z^{2}}}={\frac {X^{3}}{Z^{3}}}+a{\frac {X}{Z}}+b.

This equation is not defined on the line at infinity, but we can multiply by $Z^{3}$ to get one that is:

ZY^{2}=X^{3}+aZ^{2}X+bZ^{3}.

This resulting equation is defined on the whole projective plane, and the curve it defines projects onto the elliptic curve of interest. To find its intersection with the line at infinity, we can just posit $Z=0$ . This implies $X^{3}=0$ , which in a field means $X=0$ . $Y$ on the other hand can take any value, and thus all triplets $(0,Y,0)$ satisfy the equation. In projective geometry this set is simply the point $O=[0:1:0]$ , which is thus the unique intersection of the curve with the line at infinity.

Since the curve is smooth, hence continuous, it can be shown that this point at infinity is the identity element of a group structure whose operation is geometrically described as follows:

Since the curve is symmetric about the $x$ axis, given any point $P$ , we can take $- P$ to be the point opposite it. We then have $-O=O$ , as $O$ lies on the $XZ$ plane, so that $-O$ is also the symmetrical of $O$ about the origin, and thus represents the same projective point.

If $P$ and $Q$ are two points on the curve, then we can uniquely describe a third point $P + Q$ in the following way. First, draw the line that intersects $P$ and $Q$ . This will generally intersect the cubic at a third point, $R$ . We then take $P + Q$ to be $- R$ , the point opposite $R$ .

This definition for addition works except in a few special cases related to the point at infinity and intersection multiplicity. The first is when one of the points is $O$ . Here, we define $P + O = P = O + P$ , making $O$ the identity of the group. If $P = Q$ , we only have one point, thus we cannot define the line between them. In this case, we use the tangent line to the curve at this point as our line. In most cases, the tangent will intersect a second point $R$ , and we can take its opposite. If $P$ and $Q$ are opposites of each other, we define $P + Q = O$ . Lastly, if $P$ is an inflection point (a point where the concavity of the curve changes), we take $R$ to be $P$ itself, and $P + P$ is simply the point opposite itself, i.e. itself.

Let $K$ be a field over which the curve is defined (that is, the coefficients of the defining equation or equations of the curve are in $K$ ) and denote the curve by $E$ . Then the $K$ -rational points of $E$ are the points on $E$ whose coordinates all lie in $K$ , including the point at infinity. The set of $K$ -rational points is denoted by $E (K)$ . $E (K)$ is a group, because properties of polynomial equations show that if $P$ is in $E (K)$ , then $- P$ is also in $E (K)$ , and if two of $P$ , $Q$ , $R$ are in $E (K)$ , then so is the third. Additionally, if $K$ is a subfield of $L$ , then $E (K)$ is a subgroup of $E (L)$ .

Algebraic interpretation

The above groups can be described algebraically as well as geometrically. Given the curve $y 2 = x 3 + bx + c$ over the field $K$ (whose characteristic we assume to be neither 2 nor 3), and points $P = (x P, y P)$ and $Q = (x Q, y Q)$ on the curve, assume first that $x P \neq x Q$ (case 1). Let $y = sx + d$ be the equation of the line that intersects $P$ and $Q$ , which has the following slope:

s={\frac {y_{P}-y_{Q}}{x_{P}-x_{Q}}}.

The line equation and the curve equation intersect at the points $x P$ , $x Q$ , and $x R$ , so the equations have identical $y$ values at these values.

(sx+d)^{2}=x^{3}+bx+c,

which is equivalent to

x^{3}-s^{2}x^{2}-2sdx+bx+c-d^{2}=0.

Since $x P$ , $x Q$ , and $x R$ are solutions, this equation has its roots at exactly the same $x$ values as

(x-x_{P})(x-x_{Q})(x-x_{R})=x^{3}+(-x_{P}-x_{Q}-x_{R})x^{2}+(x_{P}x_{Q}+x_{P}x_{R}+x_{Q}x_{R})x-x_{P}x_{Q}x_{R},

and because both equations are cubics, they must be the same polynomial up to a scalar. Then equating the coefficients of $x 2$ in both equations

-s^{2}=(-x_{P}-x_{Q}-x_{R})

and solving for the unknown $x R$ ,

x_{R}=s^{2}-x_{P}-x_{Q}.

$y R$ follows from the line equation

y_{R}=y_{P}-s(x_{P}-x_{R}),

and this is an element of $K$ , because $s$ is.

If $x P = x Q$ , then there are two options: if $y P = - y Q$ (case 3), including the case where $y P = y Q = 0$ (case 4), then the sum is defined as 0; thus, the inverse of each point on the curve is found by reflecting it across the $x$ axis.

If $y P = y Q \neq 0$ , then $Q = P$ and $R = (x R, y R) = -(P + P) = -2 P = -2 Q$ (case 2 using $P$ as $R$ ). The slope is given by the tangent to the curve at (x_P, y_P).

{\begin{aligned}s&={\frac {3{x_{P}}^{2}+b}{2y_{P}}},\\x_{R}&=s^{2}-2x_{P},\\y_{R}&=y_{P}-s(x_{P}-x_{R}).\end{aligned}}

A more general expression for $s$ that works in both case 1 and case 2 is

s={\frac {{x_{P}}^{2}+x_{P}x_{Q}+{x_{Q}}^{2}+b}{y_{P}+y_{Q}}},

where equality to $.mw-parser-output .sfrac{white-space:nowrap}.mw-parser-output .sfrac.tion,.mw-parser-output .sfrac .tion{display:inline-block;vertical-align:-0.5em;font-size:85%;text-align:center}.mw-parser-output .sfrac .num{display:block;line-height:1em;margin:0.0em 0.1em;border-bottom:1px solid}.mw-parser-output .sfrac .den{display:block;line-height:1em;margin:0.1em 0.1em}.mw-parser-output .sr-only{border:0;clip:rect(0,0,0,0);clip-path:polygon(0px 0px,0px 0px,0px 0px);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolute;width:1px}⁠yP − yQ/xP − xQ⁠$ relies on $P$ and $Q$ obeying $y 2 = x 3 + bx + c$ .

Non-Weierstrass curves

For the curve $y 2 = x 3 + ax 2 + bx + c$ (the general form of an elliptic curve with characteristic 3), the formulas are similar, with $s = ⁠ x P 2 + x P x Q + x Q 2 + ax P + ax Q + b / y P + y Q ⁠$ and $x R = s 2 - a - x P - x Q$ .

For a general cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identity $O$ . In the projective plane, each line will intersect a cubic at three points when accounting for multiplicity. For a point $P$ , $- P$ is defined as the unique third point on the line passing through $O$ and $P$ . Then, for any $P$ and $Q$ , $P + Q$ is defined as $- R$ where $R$ is the unique third point on the line containing $P$ and $Q$ .

For an example of the group law over a non-Weierstrass curve, see Hessian curves.

Elliptic curves over the rational numbers

A curve E defined over the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied to E. The explicit formulae show that the sum of two points P and Q with rational coordinates has again rational coordinates, since the line joining P and Q has rational coefficients. This way, one shows that the set of rational points of E forms a subgroup of the group of real points of E.

Integral points

This section is concerned with points P = (x, y) of E such that x is an integer.

For example, the equation y² = x³ + 17 has eight integral solutions with y > 0:

(x, y) = (−2, 3), (−1, 4), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), (5234, 378661).

As another example, Ljunggren's equation, a curve whose Weierstrass form is y² = x³ − 2x, has only four solutions with y ≥ 0 :

(x, y) = (0, 0), (−1, 1), (2, 2), (338, 6214).

The structure of rational points

Rational points can be constructed by the method of tangents and secants detailed above, starting with a finite number of rational points. More precisely the Mordell–Weil theorem states that the group E(Q) is a finitely generated (abelian) group. By the fundamental theorem of finitely generated abelian groups it is therefore a finite direct sum of copies of Z and finite cyclic groups.

The proof of the theorem involves two parts. The first part shows that for any integer m > 1, the quotient group E(Q)/mE(Q) is finite (this is the weak Mordell–Weil theorem). Second, introducing a height function h on the rational points E(Q) defined by h(P₀) = 0 and $h (P) = log max(| p |, | q |)$ if P (unequal to the point at infinity P₀) has as abscissa the rational number x = p/q (with coprime p and q). This height function h has the property that h(mP) grows roughly like the square of m. Moreover, only finitely many rational points with height smaller than any constant exist on E.

The proof of the theorem is thus a variant of the method of infinite descent and relies on the repeated application of Euclidean divisions on E: let P ∈ E(Q) be a rational point on the curve, writing P as the sum 2P₁ + Q₁ where Q₁ is a fixed representant of P in E(Q)/2E(Q), the height of P₁ is about ⁠1/4⁠ of the one of P (more generally, replacing 2 by any m > 1, and ⁠1/4⁠ by ⁠1/m²⁠). Redoing the same with P₁, that is to say P₁ = 2P₂ + Q₂, then P₂ = 2P₃ + Q₃, etc. finally expresses P as an integral linear combination of points Q_i and of points whose height is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height function P is thus expressed as an integral linear combination of a finite number of fixed points.

The theorem however doesn't provide a method to determine any representatives of E(Q)/mE(Q).

The rank of E(Q), that is the number of copies of Z in E(Q) or, equivalently, the number of independent points of infinite order, is called the rank of E. The Birch and Swinnerton-Dyer conjecture is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known. The elliptic curve with the currently largest exactly-known rank is

y² + xy + y = x³ − x² − 244537673336319601463803487168961769270757573821859853707x + 961710182053183034546222979258806817743270682028964434238957830989898438151121499931

It has rank 20, found by Noam Elkies and Zev Klagsbrun in 2020. Curves of rank higher than 20 have been known since 1994, with lower bounds on their ranks ranging from 21 to 29, but their exact ranks are not known and in particular it is not proven which of them have higher rank than the others or which is the true "current champion".

As for the groups constituting the torsion subgroup of E(Q), the following is known: the torsion subgroup of E(Q) is one of the 15 following groups (a theorem due to Barry Mazur): Z/NZ for N = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, or 12, or Z/2Z × Z/2NZ with N = 1, 2, 3, 4. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups over Q have the same torsion groups belong to a parametrized family.

The Birch and Swinnerton-Dyer conjecture

The Birch and Swinnerton-Dyer conjecture (BSD) is one of the Millennium problems of the Clay Mathematics Institute. The conjecture relies on analytic and arithmetic objects defined by the elliptic curve in question.

At the analytic side, an important ingredient is a function of a complex variable, L, the Hasse–Weil zeta function of E over Q. This function is a variant of the Riemann zeta function and Dirichlet L-functions. It is defined as an Euler product, with one factor for every prime number p.

For a curve E over Q given by a minimal equation

y^{2}+a_{1}xy+a_{3}y=x^{3}+a_{2}x^{2}+a_{4}x+a_{6}

with integral coefficients $a_{i}$ , reducing the coefficients modulo p defines an elliptic curve over the finite field F_p (except for a finite number of primes p, where the reduced curve has a singularity and thus fails to be elliptic, in which case E is said to be of bad reduction at p).

The zeta function of an elliptic curve over a finite field F_p is, in some sense, a generating function assembling the information of the number of points of E with values in the finite field extensions F_pⁿ of F_p. It is given by

Z(E(\mathbf {F} _{p}),T)=\exp \left(\sum _{n=1}^{\infty }\#\left[E({\mathbf {F} }_{p^{n}})\right]{\frac {T^{n}}{n}}\right)

The interior sum of the exponential resembles the development of the logarithm and, in fact, the so-defined zeta function is a rational function in T:

Z(E(\mathbf {F} _{p}),T)={\frac {1-a_{p}T+pT^{2}}{(1-T)(1-pT)}},

where the 'trace of Frobenius' term $a_{p}$ is defined to be the difference between the 'expected' number $p+1$ and the number of points on the elliptic curve $E$ over $\mathbb {F} _{p}$ , viz.

a_{p}=p+1-\#E(\mathbb {F} _{p})

or equivalently,

\#E(\mathbb {F} _{p})=p+1-a_{p}

.

We may define the same quantities and functions over an arbitrary finite field of characteristic $p$ , with $q=p^{n}$ replacing $p$ everywhere.

The L-function of E over Q is then defined by collecting this information together, for all primes p. It is defined by

L(E(\mathbf {Q} ),s)=\prod _{p\not \mid N}\left(1-a_{p}p^{-s}+p^{1-2s}\right)^{-1}\cdot \prod _{p\mid N}\left(1-a_{p}p^{-s}\right)^{-1}

where N is the conductor of E, i.e. the product of primes with bad reduction $(\Delta (E\mod p)=0$ ), in which case a_p is defined differently from the method above: see Silverman (1986) below.

For example $E:y^{2}=x^{3}+14x+19$ has bad reduction at 17, because $E\mod 17:y^{2}=x^{3}-3x+2$ has $\Delta =0$ .

This product converges for Re(s) > 3/2 only. Hasse's conjecture affirms that the L-function admits an analytic continuation to the whole complex plane and satisfies a functional equation relating, for any s, L(E, s) to L(E, 2 − s). In 1999 this was shown to be a consequence of the proof of the Shimura–Taniyama–Weil conjecture, which asserts that every elliptic curve over Q is a modular curve, which implies that its L-function is the L-function of a modular form whose analytic continuation is known. One can therefore speak about the values of L(E, s) at any complex number s.

At s=1 (the conductor product can be discarded as it is finite), the L-function becomes

L(E(\mathbf {Q} ),1)=\prod _{p\not \mid N}\left(1-a_{p}p^{-1}+p^{-1}\right)^{-1}=\prod _{p\not \mid N}{\frac {p}{p-a_{p}+1}}=\prod _{p\not \mid N}{\frac {p}{\#E(\mathbb {F} _{p})}}

The Birch and Swinnerton-Dyer conjecture relates the arithmetic of the curve to the behaviour of this L-function at s = 1. It affirms that the vanishing order of the L-function at s = 1 equals the rank of E and predicts the leading term of the Laurent series of L(E, s) at that point in terms of several quantities attached to the elliptic curve.

Much like the Riemann hypothesis, the truth of the BSD conjecture would have multiple consequences, including the following two:

A congruent number is defined as an odd square-free integer n which is the area of a right triangle with rational side lengths. It is known that n is a congruent number if and only if the elliptic curve $y^{2}=x^{3}-n^{2}x$ has a rational point of infinite order; assuming BSD, this is equivalent to its L-function having a zero at s = 1. Tunnell has shown a related result: assuming BSD, n is a congruent number if and only if the number of triplets of integers (x, y, z) satisfying $2x^{2}+y^{2}+8z^{2}=n$ is twice the number of triples satisfying $2x^{2}+y^{2}+32z^{2}=n$ . The interest in this statement is that the condition is easy to check.
In a different direction, certain analytic methods allow for an estimation of the order of zero in the center of the critical strip for certain L-functions. Admitting BSD, these estimations correspond to information about the rank of families of the corresponding elliptic curves. For example: assuming the generalized Riemann hypothesis and BSD, the average rank of curves given by $y^{2}=x^{3}+ax+b$ is smaller than 2.

Elliptic curves over finite fields

Set of affine points of elliptic curve y² = x³ − x over finite field F₆₁.

Let K = F_q be the finite field with q elements and E an elliptic curve defined over K. While the precise number of rational points of an elliptic curve E over K is in general difficult to compute, Hasse's theorem on elliptic curves gives the following inequality:

|\#E(K)-(q+1)|\leq 2{\sqrt {q}}

In other words, the number of points on the curve grows proportionally to the number of elements in the field. This fact can be understood and proven with the help of some general theory; see local zeta function and étale cohomology for example.

Set of affine points of elliptic curve y² = x³ − x over finite field F₈₉.

The set of points E(F_q) is a finite abelian group. It is always cyclic or the product of two cyclic groups. For example, the curve defined by

y^{2}=x^{3}-x

over F₇₁ has 72 points (71 affine points including (0,0) and one point at infinity) over this field, whose group structure is given by Z/2Z × Z/36Z. The number of points on a specific curve can be computed with Schoof's algorithm.

Set of affine points of elliptic curve y² = x³ − x over finite field F₇₁.

Studying the curve over the field extensions of F_q is facilitated by the introduction of the local zeta function of E over F_q, defined by a generating series (also see above)

Z(E(K),T)=\exp \left(\sum _{n=1}^{\infty }\#\left[E(K_{n})\right]{T^{n} \over n}\right)

where the field K_n is the (unique up to isomorphism) extension of K = F_q of degree n (that is, $K_{n}=F_{q^{n}}$ ).

The zeta function is a rational function in T. To see this, consider the integer $a$ such that

\#E(K)=1-a+q

There is a complex number $\alpha$ such that

1-a+q=(1-\alpha )(1-{\bar {\alpha }})

where ${\bar {\alpha }}$ is the complex conjugate, and so we have

\alpha +{\bar {\alpha }}=a

\alpha {\bar {\alpha }}=q

We choose $\alpha$ so that its absolute value is ${\sqrt {q}}$ , that is $\alpha =q^{\frac {1}{2}}e^{i\theta },{\bar {\alpha }}=q^{\frac {1}{2}}e^{-i\theta }$ , and that $\cos \theta ={\frac {a}{2{\sqrt {q}}}}$ . Note that $|a|\leq 2{\sqrt {q}}$ .

$\alpha$ can then be used in the local zeta function as its values when raised to the various powers of $n$ can be said to reasonably approximate the behaviour of $a_{n}$ , in that

\#E(K_{n})=1-a_{n}+q^{n}

Using the Taylor series for the natural logarithm,

{\begin{alignedat}{2}Z(E(K),T)&=\exp \left(\sum _{n=1}^{\infty }\left(1-\alpha ^{n}-{\bar {\alpha }}^{n}+q^{n}\right){T^{n} \over n}\right)\\&=\exp \left(\sum _{n=1}^{\infty }{T^{n} \over n}-\sum _{n=1}^{\infty }\alpha ^{n}{T^{n} \over n}-\sum _{n=1}^{\infty }{\bar {\alpha }}^{n}{T^{n} \over n}+\sum _{n=1}^{\infty }q^{n}{T^{n} \over n}\right)\\&=\exp \left(-\ln(1-T)+\ln(1-\alpha T)+\ln(1-{\bar {\alpha }}T)-\ln(1-qT)\right)\\&=\exp \left(\ln {\frac {(1-\alpha T)(1-{\bar {\alpha }}T)}{(1-T)(1-qT)}}\right)\\&={\frac {(1-\alpha T)(1-{\bar {\alpha }}T)}{(1-T)(1-qT)}}\\\end{alignedat}}

Then $(1-\alpha T)(1-{\bar {\alpha }}T)=1-aT+qT^{2}$ , so finally

Z(E(K),T)={\frac {1-aT+qT^{2}}{(1-qT)(1-T)}}

For example, the zeta function of E : y² + y = x³ over the field F₂ is given by

{\frac {1+2T^{2}}{(1-T)(1-2T)}}

which follows from:

\left|E(\mathbf {F} _{2^{r}})\right|={\begin{cases}2^{r}+1&r{\text{ odd}}\\2^{r}+1-2(-2)^{\frac {r}{2}}&r{\text{ even}}\end{cases}}

as $q=2$ , then $|E|=2^{1}+1=3=1-a+2$ , so $a=0$ .

The functional equation is

Z\left(E(K),{\frac {1}{qT}}\right)={\frac {1-a{\frac {1}{qT}}+q\left({\frac {1}{qT}}\right)^{2}}{(1-q{\frac {1}{qT}})(1-{\frac {1}{qT}})}}={\frac {q^{2}T^{2}-aqT+q}{(qT-q)(qT-1)}}=Z(E(K),T)

As we are only interested in the behaviour of $a_{n}$ , we can use a reduced zeta function

Z(a,T)=\exp \left(\sum _{n=1}^{\infty }-a_{n}{T^{n} \over n}\right)

Z(a,T)=\exp \left(\sum _{n=1}^{\infty }-\alpha ^{n}{T^{n} \over n}-{\bar {\alpha }}^{n}{T^{n} \over n}\right)

and so

Z(a,T)=\exp \left(\ln(1-\alpha T)+\ln(1-{\bar {\alpha }}T)\right)

which leads directly to the local L-functions

L(E(K),T)=1-aT+qT^{2}

The Sato–Tate conjecture is a statement about how the error term $2{\sqrt {q}}$ in Hasse's theorem varies with the different primes q, if an elliptic curve E over Q is reduced modulo q. It was proven (for almost all such curves) in 2006 due to the results of Taylor, Harris and Shepherd-Barron, and says that the error terms are equidistributed.

Elliptic curves over finite fields are notably applied in cryptography and for the factorization of large integers. These algorithms often make use of the group structure on the points of E. Algorithms that are applicable to general groups, for example the group of invertible elements in finite fields, F*_q, can thus be applied to the group of points on an elliptic curve. For example, the discrete logarithm is such an algorithm. The interest in this is that choosing an elliptic curve allows for more flexibility than choosing q (and thus the group of units in F_q). Also, the group structure of elliptic curves is generally more complicated.

Elliptic curves over a general field

Elliptic curves can be defined over any field K; the formal definition of an elliptic curve is a non-singular projective algebraic curve over K with genus 1 and endowed with a distinguished point defined over K.

If the characteristic of K is neither 2 nor 3, then every elliptic curve over K can be written in the form

y^{2}=x^{3}-px-q

after a linear change of variables. Here p and q are elements of K such that the right hand side polynomial x³ − px − q does not have any double roots. If the characteristic is 2 or 3, then more terms need to be kept: in characteristic 3, the most general equation is of the form

y^{2}=4x^{3}+b_{2}x^{2}+2b_{4}x+b_{6}

for arbitrary constants b₂, b₄, b₆ such that the polynomial on the right-hand side has distinct roots (the notation is chosen for historical reasons). In characteristic 2, even this much is not possible, and the most general equation is

y^{2}+a_{1}xy+a_{3}y=x^{3}+a_{2}x^{2}+a_{4}x+a_{6}

provided that the variety it defines is non-singular. If characteristic were not an obstruction, each equation would reduce to the previous ones by a suitable linear change of variables.

One typically takes the curve to be the set of all points (x,y) which satisfy the above equation and such that both x and y are elements of the algebraic closure of K. Points of the curve whose coordinates both belong to K are called K-rational points.

Many of the preceding results remain valid when the field of definition of E is a number field K, that is to say, a finite field extension of Q. In particular, the group E(K) of K-rational points of an elliptic curve E defined over K is finitely generated, which generalizes the Mordell–Weil theorem above. A theorem due to Loïc Merel shows that for a given integer d, there are (up to isomorphism) only finitely many groups that can occur as the torsion groups of E(K) for an elliptic curve defined over a number field K of degree d. More precisely, there is a number B(d) such that for any elliptic curve E defined over a number field K of degree d, any torsion point of E(K) is of order less than B(d). The theorem is effective: for d > 1, if a torsion point is of order p, with p prime, then

p<d^{3d^{2}}

As for the integral points, Siegel's theorem generalizes to the following: Let E be an elliptic curve defined over a number field K, x and y the Weierstrass coordinates. Then there are only finitely many points of E(K) whose x-coordinate is in the ring of integers O_K.

The properties of the Hasse–Weil zeta function and the Birch and Swinnerton-Dyer conjecture can also be extended to this more general situation.

Elliptic curves over the complex numbers

An elliptic curve over the complex numbers is obtained as a quotient of the complex plane by a lattice $Λ$ , here spanned by two fundamental periods $ω 1$ and $ω 2$ . The four-torsion is also shown, corresponding to the lattice $⁠ 1 / 4 ⁠ Λ$ containing $Λ$ .

The formulation of elliptic curves as the embedding of a torus in the complex projective plane follows naturally from a curious property of Weierstrass's elliptic functions. These functions and their first derivative are related by the formula

\wp '(z)^{2}=4\wp (z)^{3}-g_{2}\wp (z)-g_{3}

Here, $g 2$ and $g 3$ are constants; $℘(z)$ is the Weierstrass elliptic function and $℘' (z)$ its derivative. It should be clear that this relation is in the form of an elliptic curve (over the complex numbers). The Weierstrass functions are doubly periodic; that is, they are periodic with respect to a lattice $Λ$ ; in essence, the Weierstrass functions are naturally defined on a torus $T = C /Λ$ . This torus may be embedded in the complex projective plane by means of the map

z\mapsto \left[1:\wp (z):{\tfrac {1}{2}}\wp '(z)\right]

This map is a group isomorphism of the torus (considered with its natural group structure) with the chord-and-tangent group law on the cubic curve which is the image of this map. It is also an isomorphism of Riemann surfaces from the torus to the cubic curve, so topologically, an elliptic curve is a torus. If the lattice $Λ$ is related by multiplication by a non-zero complex number $c$ to a lattice $c Λ$ , then the corresponding curves are isomorphic. Isomorphism classes of elliptic curves are specified by the $j$ -invariant.

The isomorphism classes can be understood in a simpler way as well. The constants $g 2$ and $g 3$ , called the modular invariants, are uniquely determined by the lattice, that is, by the structure of the torus. However, all real polynomials factorize completely into linear factors over the complex numbers, since the field of complex numbers is the algebraic closure of the reals. So, the elliptic curve may be written as

y^{2}=x(x-1)(x-\lambda )

One finds that

{\begin{aligned}g_{2}'&={\frac {\sqrt[{3}]{4}}{3}}\left(\lambda ^{2}-\lambda +1\right)\\[4pt]g_{3}'&={\frac {1}{27}}(\lambda +1)\left(2\lambda ^{2}-5\lambda +2\right)\end{aligned}}

and

j(\tau )=1728{\frac {{g_{2}'}^{3}}{{g_{2}'}^{3}-27{g_{3}'}^{2}}}=256{\frac {\left(\lambda ^{2}-\lambda +1\right)^{3}}{\lambda ^{2}\left(\lambda -1\right)^{2}}}

with $j$ -invariant $j (τ)$ and $λ (τ)$ is sometimes called the modular lambda function. For example, let $τ = 2 i$ , then $λ (2 i) = (-1 + \sqrt 2) 4$ which implies $g' 2$ , $g' 3$ , and therefore $g' 23 - 27 g' 32$ of the formula above are all algebraic numbers if $τ$ involves an imaginary quadratic field. In fact, it yields the integer $j (2 i) = 66 3 = 287496$ .

In contrast, the modular discriminant

\Delta (\tau )=g_{2}(\tau )^{3}-27g_{3}(\tau )^{2}=(2\pi )^{12}\,\eta ^{24}(\tau )

is generally a transcendental number. In particular, the value of the Dedekind eta function $η (2 i)$ is

\eta (2i)={\frac {\Gamma \left({\frac {1}{4}}\right)}{2^{\frac {11}{8}}\pi ^{\frac {3}{4}}}}

Note that the uniformization theorem implies that every compact Riemann surface of genus one can be represented as a torus. This also allows an easy understanding of the torsion points on an elliptic curve: if the lattice $Λ$ is spanned by the fundamental periods $ω 1$ and $ω 2$ , then the $n$ -torsion points are the (equivalence classes of) points of the form

{\frac {a}{n}}\omega _{1}+{\frac {b}{n}}\omega _{2}

for integers $a$ and $b$ in the range $0 \leq (a, b) < n$ .

If

E:y^{2}=4(x-e_{1})(x-e_{2})(x-e_{3})

is an elliptic curve over the complex numbers and

a_{0}={\sqrt {e_{1}-e_{3}}},\qquad b_{0}={\sqrt {e_{1}-e_{2}}},\qquad c_{0}={\sqrt {e_{2}-e_{3}}},

then a pair of fundamental periods of $E$ can be calculated very rapidly by

\omega _{1}={\frac {\pi }{\operatorname {M} (a_{0},b_{0})}},\qquad \omega _{2}={\frac {\pi }{\operatorname {M} (c_{0},ib_{0})}}

$M(w, z)$ is the arithmetic–geometric mean of $w$ and $z$ . At each step of the arithmetic–geometric mean iteration, the signs of $z n$ arising from the ambiguity of geometric mean iterations are chosen such that $| w n - z n | \leq | w n + z n |$ where $w n$ and $z n$ denote the individual arithmetic mean and geometric mean iterations of $w$ and $z$ , respectively. When $| w n - z n | = | w n + z n |$ , there is an additional condition that $Im (⁠ z n / w n ⁠) > 0$ .

Over the complex numbers, every elliptic curve has nine inflection points. Every line through two of these points also passes through a third inflection point; the nine points and 12 lines formed in this way form a realization of the Hesse configuration.

The dual isogeny

Given an isogeny

f:E\to E'

of elliptic curves of degree $n$ , the dual isogeny is an isogeny

{\hat {f}}:E'\to E

of the same degree such that

f\circ {\hat {f}}=[n].

Here $[n]$ denotes the multiplication-by- $n$ isogeny $e\mapsto ne$ which has degree $n^{2}.$

Construction of the dual isogeny

Often only the existence of a dual isogeny is needed, but it can be explicitly given as the composition

E'\to \operatorname {Div} ^{0}(E')\to \operatorname {Div} ^{0}(E)\to E,

where $\operatorname {Div} ^{0}$ is the group of divisors of degree 0. To do this, we need maps $E\to \operatorname {Div} ^{0}(E)$ given by $P\to P-O$ where $O$ is the neutral point of $E$ and $\operatorname {Div} ^{0}(E)\to E$ given by $\sum n_{P}P\to \sum n_{P}P.$

To see that $f\circ {\hat {f}}=[n]$ , note that the original isogeny $f$ can be written as a composite

E\to \operatorname {Div} ^{0}(E)\to \operatorname {Div} ^{0}(E')\to E',

and that since $f$ is finite of degree $n$ , $f_{*}f^{*}$ is multiplication by $n$ on $\operatorname {Div} ^{0}(E').$

Alternatively, we can use the smaller Picard group $\operatorname {Pic} ^{0}$ , a quotient of $\operatorname {Div} ^{0}.$ The map $E\to \operatorname {Div} ^{0}(E)$ descends to an isomorphism, $E\to \operatorname {Pic} ^{0}(E).$ The dual isogeny is

E'\to \operatorname {Pic} ^{0}(E')\to \operatorname {Pic} ^{0}(E)\to E.

Note that the relation $f\circ {\hat {f}}=[n]$ also implies the conjugate relation ${\hat {f}}\circ f=[n].$ Indeed, let $\phi ={\hat {f}}\circ f.$ Then $\phi \circ {\hat {f}}={\hat {f}}\circ [n]=[n]\circ {\hat {f}}.$ But ${\hat {f}}$ is surjective, so we must have $\phi =[n].$

Algorithms that use elliptic curves

Elliptic curves over finite fields are used in some cryptographic applications as well as for integer factorization. Typically, the general idea in these applications is that a known algorithm which makes use of certain finite groups is rewritten to use the groups of rational points of elliptic curves. For more see also:

Elliptic curve cryptography
- Elliptic-curve Diffie–Hellman key exchange (ECDH)
- Supersingular isogeny key exchange
- Elliptic curve digital signature algorithm (ECDSA)
- EdDSA digital signature algorithm
- Dual EC DRBG random number generator
Lenstra elliptic-curve factorization
Elliptic curve primality proving

Alternative representations of elliptic curves

Hessian curve
Edwards curve
Twisted curve
Twisted Hessian curve
Twisted Edwards curve
Doubling-oriented Doche–Icart–Kohel curve
Tripling-oriented Doche–Icart–Kohel curve
Jacobian curve
Montgomery curve

Notes

Sarli, J. (2012). "Conics in the hyperbolic plane intrinsic to the collineation group". J. Geom. 103: 131–148. doi:10.1007/s00022-012-0115-5. S2CID 119588289.
Silverman 1986, III.1 Weierstrass Equations (p.45)
T. Nagell, L'analyse indéterminée de degré supérieur, Mémorial des sciences mathématiques 39, Paris, Gauthier-Villars, 1929, pp. 56–59.
OEIS: https://oeis.org/A029728
Siksek, Samir (1995), Descents on Curves of Genus 1 (Ph.D. thesis), University of Exeter, pp. 16–17, hdl:10871/8323.
Silverman 1986, Theorem 4.1
Silverman 1986, pp. 199–205
See also Cassels, J. W. S. (1986). "Mordell's Finite Basis Theorem Revisited". Mathematical Proceedings of the Cambridge Philosophical Society. 100 (1): 31–41. Bibcode:1986MPCPS.100...31C. doi:10.1017/S0305004100065841. and the comment of A. Weil on the genesis of his work: A. Weil, Collected Papers, vol. 1, 520–521.
Dujella, Andrej. "History of elliptic curves rank records". University of Zagreb.
Silverman 1986, Theorem 7.5
Silverman 1986, Remark 7.8 in Ch. VIII
The definition is formal, the exponential of this power series without constant term denotes the usual development.
see for example Silverman, Joseph H. (2006). "An Introduction to the Theory of Elliptic Curves" (PDF). Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming.
"LMFDB - Bad reduction of an elliptic curve at a prime (Reviewed)".
Koblitz 1993
Heath-Brown, D. R. (2004). "The Average Analytic Rank of Elliptic Curves". Duke Mathematical Journal. 122 (3): 591–623. arXiv:math/0305114. doi:10.1215/S0012-7094-04-12235-3. S2CID 15216987.
See Koblitz 1994, p. 158
Koblitz 1994, p. 160
Harris, M.; Shepherd-Barron, N.; Taylor, R. (2010). "A family of Calabi–Yau varieties and potential automorphy". Annals of Mathematics. 171 (2): 779–813. doi:10.4007/annals.2010.171.779.
Merel, L. (1996). "Bornes pour la torsion des courbes elliptiques sur les corps de nombres". Inventiones Mathematicae (in French). 124 (1–3): 437–449. Bibcode:1996InMat.124..437M. doi:10.1007/s002220050059. S2CID 3590991. Zbl 0936.11037.
Wing Tat Chow, Rudolf (2018). "The Arithmetic-Geometric Mean and Periods of Curves of Genus 1 and 2" (PDF). White Rose eTheses Online. p. 12.

References

Serge Lang, in the introduction to the book cited below, stated that "It is possible to write endlessly on elliptic curves. (This is not a threat.)" The following short list is thus at best a guide to the vast expository literature available on the theoretical, algorithmic, and cryptographic aspects of elliptic curves.

Ian Blake; Gadiel Seroussi; Nigel Smart (2000). Elliptic Curves in Cryptography. LMS Lecture Notes. Cambridge University Press. ISBN 0-521-65374-6.
Brown, Ezra (2000). "Three Fermat Trails to Elliptic Curves". The College Mathematics Journal. 31 (3): 162–172. doi:10.1080/07468342.2000.11974137. S2CID 5591395., winner of the MAA writing prize the George Pólya Award
Richard Crandall; Carl Pomerance (2001). "Chapter 7: Elliptic Curve Arithmetic". Prime Numbers: A Computational Perspective (1st ed.). Springer-Verlag. pp. 285–352. ISBN 0-387-94777-9.
Cremona, John (1997). Algorithms for Modular Elliptic Curves (2nd ed.). Cambridge University Press. ISBN 0-521-59820-6.
Darrel Hankerson, Alfred Menezes and Scott Vanstone (2004). Guide to Elliptic Curve Cryptography. Springer. ISBN 0-387-95273-X.
Hardy, G. H.; Wright, E. M. (2008) [1938]. An Introduction to the Theory of Numbers. Revised by D. R. Heath-Brown and J. H. Silverman. Foreword by Andrew Wiles. (6th ed.). Oxford: Oxford University Press. ISBN 978-0-19-921986-5. MR 2445243. Zbl 1159.11001. Chapter XXV
Hellegouarch, Yves (2001). Invitation aux mathématiques de Fermat-Wiles. Paris: Dunod. ISBN 978-2-10-005508-1.
Husemöller, Dale (2004). Elliptic Curves. Graduate Texts in Mathematics. Vol. 111 (2nd ed.). Springer. ISBN 0-387-95490-2.
Kenneth Ireland; Michael I. Rosen (1998). "Chapters 18 and 19". A Classical Introduction to Modern Number Theory. Graduate Texts in Mathematics. Vol. 84 (2nd revised ed.). Springer. ISBN 0-387-97329-X.
Knapp, Anthony W. (2018) [1992]. Elliptic Curves. Mathematical Notes. Vol. 40. Princeton University Press. ISBN 9780691186900.
Koblitz, Neal (1993). Introduction to Elliptic Curves and Modular Forms. Graduate Texts in Mathematics. Vol. 97 (2nd ed.). Springer-Verlag. ISBN 0-387-97966-2.
Koblitz, Neal (1994). "Chapter 6". A Course in Number Theory and Cryptography. Graduate Texts in Mathematics. Vol. 114 (2nd ed.). Springer-Verlag. ISBN 0-387-94293-9.
Serge Lang (1978). Elliptic curves: Diophantine analysis. Grundlehren der mathematischen Wissenschaften. Vol. 231. Springer-Verlag. ISBN 3-540-08489-4.
Henry McKean; Victor Moll (1999). Elliptic curves: function theory, geometry and arithmetic. Cambridge University Press. ISBN 0-521-65817-9.
Ivan Niven; Herbert S. Zuckerman; Hugh Montgomery (1991). "Section 5.7". An introduction to the theory of numbers (5th ed.). John Wiley. ISBN 0-471-54600-3.
Silverman, Joseph H. (1986). The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Vol. 106. Springer-Verlag. ISBN 0-387-96203-4.
Joseph H. Silverman (1994). Advanced Topics in the Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Vol. 151. Springer-Verlag. ISBN 0-387-94328-5.
Joseph H. Silverman; John Tate (1992). Rational Points on Elliptic Curves. Springer-Verlag. ISBN 0-387-97825-9.
John Tate (1974). "The arithmetic of elliptic curves". Inventiones Mathematicae. 23 (3–4): 179–206. Bibcode:1974InMat..23..179T. doi:10.1007/BF01389745. S2CID 120008651.
Lawrence Washington (2003). Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC. ISBN 1-58488-365-0.

External links

LMFDB: Database of Elliptic Curves over Q
"Elliptic curve", Encyclopedia of Mathematics, EMS Press, 2001 [1994]
Weisstein, Eric W. "Elliptic Curves". MathWorld.
The Arithmetic of elliptic curves from PlanetMath
Interactive elliptic curve over R and over Zp – web application that requires HTML5 capable browser.

This article incorporates material from Isogeny on PlanetMath, which is licensed under the Creative Commons Attribution/Share-Alike License.

[1] Sarli, J. (2012). "Conics in the hyperbolic plane intrinsic to the collineation group". J. Geom. 103: 131–148. doi:10.1007/s00022-012-0115-5. S2CID 119588289.

[2] Silverman 1986, III.1 Weierstrass Equations (p.45)

[3] T. Nagell, L'analyse indéterminée de degré supérieur, Mémorial des sciences mathématiques 39, Paris, Gauthier-Villars, 1929, pp. 56–59.

[4] OEIS: https://oeis.org/A029728

[5] Siksek, Samir (1995), Descents on Curves of Genus 1 (Ph.D. thesis), University of Exeter, pp. 16–17, hdl:10871/8323.

[6] Silverman 1986, Theorem 4.1

[7] Silverman 1986, pp. 199–205

[8] See also Cassels, J. W. S. (1986). "Mordell's Finite Basis Theorem Revisited". Mathematical Proceedings of the Cambridge Philosophical Society. 100 (1): 31–41. Bibcode:1986MPCPS.100...31C. doi:10.1017/S0305004100065841. and the comment of A. Weil on the genesis of his work: A. Weil, Collected Papers, vol. 1, 520–521.

[9] Dujella, Andrej. "History of elliptic curves rank records". University of Zagreb.

[10] Silverman 1986, Theorem 7.5

[11] Silverman 1986, Remark 7.8 in Ch. VIII

[12] The definition is formal, the exponential of this power series without constant term denotes the usual development.

[13] see for example Silverman, Joseph H. (2006). "An Introduction to the Theory of Elliptic Curves" (PDF). Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming.

[14] "LMFDB - Bad reduction of an elliptic curve at a prime (Reviewed)".

[15] Koblitz 1993

[16] Heath-Brown, D. R. (2004). "The Average Analytic Rank of Elliptic Curves". Duke Mathematical Journal. 122 (3): 591–623. arXiv:math/0305114. doi:10.1215/S0012-7094-04-12235-3. S2CID 15216987.

[17] See Koblitz 1994, p. 158

[18] Koblitz 1994, p. 160

[19] Harris, M.; Shepherd-Barron, N.; Taylor, R. (2010). "A family of Calabi–Yau varieties and potential automorphy". Annals of Mathematics. 171 (2): 779–813. doi:10.4007/annals.2010.171.779.

[20] Merel, L. (1996). "Bornes pour la torsion des courbes elliptiques sur les corps de nombres". Inventiones Mathematicae (in French). 124 (1–3): 437–449. Bibcode:1996InMat.124..437M. doi:10.1007/s002220050059. S2CID 3590991. Zbl 0936.11037.

[21] Wing Tat Chow, Rudolf (2018). "The Arithmetic-Geometric Mean and Periods of Curves of Genus 1 and 2" (PDF). White Rose eTheses Online. p. 12.