London Mathematical Society Student Texts 24. Lectures on Elliptic Curves. J.W.S. Cassels, Department of Pure Mathematics and Mathematical Statistics, University of Cambridge. The right of the University of Cambridge to print and sell all manner of books was granted by Henry VIII in 1534. The University has printed and published continuously since 1584. CAMBRIDGE UNIVERSITY PRESS: Cambridge, New York, Port Chester, Melbourne, Sydney.

LONDON MATHEMATICAL SOCIETY STUDENT TEXTS. Managing editor: Dr C.M. Series, Mathematics Institute, University of Warwick, Coventry CV4 7AL, United Kingdom.
1 Introduction to combinators and λ-calculus, J.R. HINDLEY & J.P. SELDIN
2 Building models by games, WILFRID HODGES
3 Local fields, J.W.S. CASSELS
4 An introduction to twistor theory, S.A. HUGGETT & K.P. TOD
5 Introduction to general relativity, L.P. HUGHSTON & K.P. TOD
6 Lectures on stochastic analysis: diffusion theory, DANIEL W. STROOCK
7 The theory of evolution and dynamical systems, J. HOFBAUER & K. SIGMUND
8 Summing and nuclear norms in Banach space theory, G.J.O. JAMESON
9 Automorphisms of surfaces after Nielsen and Thurston, A. CASSON & S. BLEILER
10 Nonstandard analysis and its applications, N. CUTLAND (ed)
11 Spacetime and singularities, G. NABER
12 Undergraduate algebraic geometry, MILES REID
13 An introduction to Hankel operators, J.R. PARTINGTON
14 Combinatorial group theory: a topological approach, DANIEL E. COHEN
15 Presentations of groups, D.L. JOHNSON
16 An introduction to noncommutative Noetherian rings, K.R. GOODEARL & R.B. WARFIELD, JR.
17 Aspects of quantum field theory in curved spacetime, S.A. FULLING
18 Braids and coverings: selected topics, VAGN LUNDSGAARD HANSEN
19 Steps in commutative algebra, R.Y. SHARP
20 Communication theory, C.M. GOLDIE & R.G.E. PINCH
21 Representations of finite groups of Lie type, FRANCOIS DIGNE & JEAN MICHEL
22 Designs, graphs, codes, and their links, P.J. CAMERON & J.H. VAN LINT
24 Lectures on elliptic curves, J.W.S. CASSELS
Published by the Press Syndicate of the University of Cambridge, The Pitt Building, Trumpington Street, Cambridge CB2 1RP; 40 West 20th Street, New York, NY 10011-4211, USA; 10 Stamford Road, Oakleigh, Melbourne 3166, Australia. © Cambridge University Press 1991. First published 1991. Printed in Great Britain at the University Press, Cambridge. Library of Congress cataloging in publication data available. A catalogue record for this book is available from the British Library. ISBN 0 521 41517 9 hardback. ISBN 0 521 42530 1 paperback.
Contents
0 Introduction, 1
1 Curves of genus 0. Introduction, 3
2 p-adic numbers, 6
3 The local-global principle for conics, 13
4 Geometry of numbers, 17
5 Local-global principle. Conclusion of proof, 20
6 Cubic curves, 23
7 Non-singular cubics. The group law, 27
8 Elliptic curves. Canonical form, 32
9 Degenerate laws, 39
10 Reduction, 42
11 The p-adic case, 46
12 Global torsion, 50
13 Finite basis theorem. Strategy and comments, 54
14 A 2-isogeny, 58
15 The weak finite basis theorem, 66
16 Remedial mathematics. Resultants, 75
17 Heights. Finite basis theorem, 78
18 Local-global for genus 1, 85
19 Elements of Galois cohomology, 89
20 Construction of the jacobian, 92
21 Some abstract nonsense, 98
22 Principal homogeneous spaces and Galois cohomology, 104
23 The Tate-Shafarevich group, 108
24 The endomorphism group, 114
25 Points over finite fields, 118
26 Factorizing using elliptic curves, 124
Formulary, 130
Further Reading, 135
Index, 136
0 Introduction

Diophantine equations, that is to say equations whose solution is to be found in integers, or, alternatively, in rationals, have fascinated man from the earliest times: a Babylonian clay tablet dated to between 1600 and 1900 B.C. lists 15 solutions of the "Pythagorean" equation $X^2 + Y^2 = Z^2$. Diophantos himself lived in Alexandria in the 3rd Century A.D. We shall meet some of his ideas. His work was continued by Hypatia, the only female mathematician of antiquity whose name has come down to us. (She was cruelly done to death by the Christians: their leader was canonized.) Another mathematician whose ideas continue to play a key role is Fermat (1601-1665). For a fuller historical account in a modern context, see A. Weil, Number theory: an approach through history from Hammurabi to Legendre (Birkhäuser, 1983). [For Hypatia, see Gibbon, Decline and Fall.]

In this course we concentrate attention on rational solutions of Diophantine equations. The study of integral solutions requires further considerations, which we shall not touch on.

It is now clear that an appropriate language to discuss many aspects of Diophantine equations is that of algebraic geometry: not so much the classical algebraic geometry, which works over the complex numbers, but a version working over a general ground field such as the field $\mathbb{Q}$ of rationals and often called "Diophantine geometry". Some of the arguments and results of classical geometry go over to Diophantine geometry unchanged, for some the conclusions are more limited, and for others we

2 Lectures on Elliptic Curves

must make further hypotheses which are automatically satisfied in the classical theory.

Diophantine equations can be interpreted as questions about the existence of points on algebraic varieties. Here we will be concerned only with curves. Geometers classify curves by a non-negative integer, the genus. The Diophantine theory of curves of genus 0 is well understood. For curves of genus 1, there is a rich body of well-established theory and an equally rich corpus of conjecture which is currently beginning to succumb to intensive research. The Diophantine theory of curves of genus $> 1$ is in a rudimentary state (despite Faltings' Theorem).

The main subject of this course is some of the basic Diophantine theory of curves of genus 1. To set the scene, we start with an account of genus 0. Here the situation is dominated by the local-global principle (Hasse principle). This relates behaviour over the rational field $\mathbb{Q}$ to that over its local completions, the $p$-adic fields $\mathbb{Q}_p$, where things are simpler. A unifying theme for curves of genus 1 is the extent to which local (i.e. $p$-adic) behaviour determines rational behaviour. This material generalizes smoothly to algebraic number fields but we have restricted attention to the rationals in the belief that new concepts are easiest acquired in the simplest contexts.

The final three sections mark a change of goal. Two of them introduce the more sophisticated theory over finite fields, culminating in the estimates for the number of points known as the "Riemann hypothesis for function fields" (of genus 1). The very last section indicates how these ideas are used in the modern technology for factorizing large integers.

Prerequisites. In this course the prerequisites have been reduced to a minimum. We have spoken above about curves of genus 0 and 1, but the focus will be on concrete classes of curves such as conics and plane cubics. The $p$-adic numbers are introduced from scratch.
A knowledge of algebraic number theory is not required, provided that the reader is prepared to take one statement on trust. Algebraic number theory is, however, indispensable for many applications, as we shall indicate in optional passages. We do require the rudiments of Galois theory: indeed one of the interests will be its application in novel contexts.
1 Curves of genus 0. Introduction

We shall say that a point is rational, or defined over $\mathbb{Q}$, if its co-ordinates are rational. A curve is said to be defined over $\mathbb{Q}$ if it is given by an equation or equations with coefficients in $\mathbb{Q}$. [Unfortunately the term "rational curve" was pre-empted by the geometers as a synonym for "curve of genus 0".] More generally we shall say that we are working over $\mathbb{Q}$, or that the ground field is $\mathbb{Q}$, if all the coefficients of the algebraic expressions involved are in $\mathbb{Q}$.

Sometimes elementary geometric arguments continue to be valid when we work over $\mathbb{Q}$. For example, consider a cubic curve such as
$$C:\quad X^2 - Y^2 = (X - 2Y)(X^2 + Y^2),$$
which has a double point at the origin. A line through the origin meets the curve in one further point, so giving
a description of all the points on the curve. More precisely, consider the line $X = sY$ for given $s$. This meets the curve where
$$Y^2(s^2 - 1) = Y^3(s - 2)(s^2 + 1),$$
and so in the point $(x, y)$ where
$$x = \frac{s(s^2 - 1)}{(s - 2)(s^2 + 1)},\qquad y = \frac{s^2 - 1}{(s - 2)(s^2 + 1)}.$$
Conversely, given $(x, y)$ on the curve, it is of the above form with $s = x/y$. We say that $C$ is birationally equivalent to the line [given by a single variable and no equation]. In this case the birational equivalence is defined over $\mathbb{Q}$ [i.e. the rational functions expressing the equivalence have coefficients in $\mathbb{Q}$. Note the unfortunate clash in the double meaning of the term "rational"].

In general there is a $1-1$ correspondence between the rational points on the one curve and those on the other, the correspondence being given by the birational correspondence. There are, however, exceptions. For example $s = 2$ does not correspond to any point $(x, y)$ and $s = \pm 1$ both correspond to $(x, y) = (0, 0)$. If we had had $X^2 - 2Y^2$ instead of $X^2 - Y^2$ on the left hand side, then $(x, y) = (0, 0)$ would not correspond to any rational value of $s$ (it would need $s^2 = 2$). It is not difficult to see however that if two curves are birationally equivalent over $\mathbb{Q}$ there are only finitely many rational points on the one which do not correspond to rational points on the other. To study the rational points on a curve, it is thus sufficient to consider it up to a birational equivalence defined over $\mathbb{Q}$.

A classical theorem working over the complex field $\mathbb{C}$ states that every curve of genus 0 is birationally equivalent to the line: we could treat this as a definition of "genus 0". When the ground field is $\mathbb{Q}$, this theorem no longer holds. Instead we have the

Fact. A curve of genus 0 defined over $\mathbb{Q}$ is birationally equivalent over $\mathbb{Q}$ either to the line or to a conic.

This reduces the Diophantine study of curves of genus 0 to that of conics.

Theorem 1. A conic defined over $\mathbb{Q}$ is birationally equivalent over $\mathbb{Q}$ to the line if and only if it has a rational point.
Proof. The "only if" part is trivial. Suppose then that there is a rational point. After a change of co-ordinates we may take it to be the origin, so that the equation of the conic is
$$F_1(X, Y) + F_2(X, Y) = 0,$$
where $F_j$ is homogeneous in $X, Y$ of degree $j$. The birational equivalence with the line follows by putting $X = sY$, as in the cubic case discussed earlier.

The Diophantine theory of curves of genus 0 is thus reduced to deciding when a conic defined over $\mathbb{Q}$ has a rational point. It is certainly easy to write down conics without rational points. For a change, let us use homogeneous co-ordinates. There is no rational point on
$$X^2 + Y^2 + Z^2 = 0,$$
since clearly there are no real points. Again, there are no rational points on
$$X^2 + Y^2 - 3Z^2 = 0. \qquad (*)$$
For suppose $(x, y, z)$ were such a rational point. By homogeneity, we may suppose that $x, y, z$ are integers without common divisor. Now $(*)$ implies $x^2 + y^2 \equiv 0 \pmod 3$ and so, the only squares mod 3 being 0 and 1, $x \equiv y \equiv 0 \pmod 3$. Then $(*)$ gives $3z^2 \equiv 0 \pmod 9$, so $z \equiv 0 \pmod 3$, and $x, y, z$ have the common factor 3: a contradiction.

For our purposes, it is convenient, and ultimately indispensable, to express the last argument in a different way. We shall introduce the fields $\mathbb{Q}_p$ of $p$-adic numbers, where $p$ is a prime (here $p = 3$); and what we have just done can be expressed as proving that there are no points on $(*)$ defined over $\mathbb{Q}_3$.
2 p-adic numbers

Most of the familiar properties of the ordinary absolute value on the real or complex fields are consequences of the following three:
(i) $|r| \ge 0$, with equality precisely for $r = 0$.
(ii) $|rs| = |r|\,|s|$.
(iii) $|r + s| \le |r| + |s|$.
A real-valued function $|\cdot|$ on a field $k$ is said to be a valuation if it satisfies (i), (ii), (iii). Since $(-1)^2 = 1$, properties (i)-(iii) imply that $|-1| = 1$, $|-r| = |r|$ (all $r$).

The rational field $\mathbb{Q}$ has other valuations than the absolute value. Let $p$ be a fixed prime. Any rational $r \ne 0$ can be put in the shape
$$r = p^{\rho}\,u/v,\qquad \rho \in \mathbb{Z},\ u, v \in \mathbb{Z},\ p \nmid u,\ p \nmid v.$$
We define $|r|_p = p^{-\rho}$ and $|0|_p = 0$. This definition clearly satisfies (i), (ii) above. Let
$$s = p^{\sigma}\,m/n,\qquad m, n \in \mathbb{Z},\ p \nmid m,\ p \nmid n,$$
where without loss of generality $\sigma \ge \rho$, i.e. $|s|_p \le |r|_p$.
Then
$$r + s = p^{\rho}\,(un + p^{\sigma - \rho} m v)/vn.$$
Here $p \nmid vn$. The numerator $un + p^{\sigma - \rho} m v$ is an integer, but, at least for $\rho = \sigma$, it may be divisible by $p$. Hence $|r + s|_p \le p^{-\rho}$, that is
$$(\mathrm{iii}^*)\qquad |r + s|_p \le \max\{|r|_p, |s|_p\}.$$
Clearly (iii*) implies (iii), so $|\cdot|_p$ is a valuation. We call it the $p$-adic valuation. The inequality (iii*) is called the ultrametric inequality, since (iii), the triangle inequality, expresses the fact that $|r - s|$ is a metric. A valuation which satisfies the ultrametric inequality is said to be non-archimedean.

We can transfer familiar terminology from the ordinary absolute value to the $p$-adic case. For example, we say that a sequence $\{a_n\}$, $n = 1, 2, \dots$ is a fundamental sequence if for any $\varepsilon > 0$ there is an $n_0(\varepsilon)$ such that $|a_m - a_n|_p < \varepsilon$ whenever $m, n > n_0(\varepsilon)$. The sequence $\{a_n\}$ converges to $b$ if $|a_n - b|_p < \varepsilon$ (all $n > n_0(\varepsilon)$).

For example let $p = 5$ and consider the sequence
$$\{a_n\}:\quad 3,\ 33,\ 333,\ 3333,\ \dots$$
(so $a_n$ is written with $n$ decimal digits 3). Then $a_m \equiv a_n \pmod{5^n}$ $(m > n)$, i.e. $|a_m - a_n|_5 \le 5^{-n}$ $(m > n)$. Hence $\{a_n\}$ is a fundamental sequence. Indeed it is a convergent sequence, since $3a_n = 99\ldots 9 = 10^n - 1 \equiv -1 \pmod{5^n}$, i.e. $|3a_n + 1|_5 \le 5^{-n}$, and so $a_n \to -1/3$ 5-adically.
As the above example shows, the main difficulties with the $p$-adic valuation are psychological: something is $p$-adically small if it is divisible by a high power of $p$.

Not every $p$-adic fundamental sequence is convergent. Let us take $p = 5$ again. Then we construct a sequence of $a_n \in \mathbb{Z}$ such that
$$a_n^2 + 1 \equiv 0 \pmod{5^n}\qquad\text{and}\qquad a_{n+1} \equiv a_n \pmod{5^n}.$$
We start with $a_1 = 2$. Suppose that we already have $a_n$ for some $n$ and put $a_{n+1} = a_n + b\,5^n$, where $b \in \mathbb{Z}$ is to be determined. We require
$$(a_n + b\,5^n)^2 + 1 \equiv 0 \pmod{5^{n+1}},$$
that is
$$2a_n b + c \equiv 0 \pmod 5, \qquad (*)$$
where we already have $c = (a_n^2 + 1)/5^n \in \mathbb{Z}$. Clearly $5 \nmid a_n$ and so we can solve the congruence $(*)$ for the unknown $b$.

The sequence $\{a_n\}$ just constructed is a 5-adic fundamental sequence since $|a_m - a_n|_5 \le 5^{-n}$ $(m > n)$. Suppose, if possible, that $a_n$ tends 5-adically to some $e \in \mathbb{Q}$. Then $a_n^2 + 1 \to e^2 + 1$. On the other hand, by our construction, $a_n^2 + 1 \to 0$. Hence $e^2 + 1 = 0$; a contradiction.

Just as the real numbers are constructed by completing the rationals with respect to the ordinary absolute value, so the rationals can be completed with respect to $|\cdot|_p$ to give the field $\mathbb{Q}_p$ of $p$-adic numbers. In fact the process can be simplified because $|\cdot|_p$ is non-archimedean. For the reader who is unfamiliar with this way of constructing the reals, we sketch a construction of $\mathbb{Q}_p$ at the end of this section.

We say that a field $K$ is complete with respect to a valuation $|\cdot|$ if every fundamental sequence is convergent. A field $K$ with valuation $\|\cdot\|$ is said to be the completion of the field $k$ with valuation $|\cdot|$ if there is an injection
$$\lambda: k \to K$$
which preserves the valuation: $\|\lambda a\| = |a|$ $(a \in k)$ and such that
(i) $K$ is complete with respect to $\|\cdot\|$;
(ii) $K$ is the closure of $\lambda k$ with respect to the topology induced by $\|\cdot\|$ ($K$ is not "too large").
The completion always exists and is unique (up to a unique isomorphism). We henceforth identify $k$ with $\lambda k$ and $|\cdot|$ with $\|\cdot\|$, so regard $k$ as a subfield of $K$.

We now discuss the structure of the $p$-adic field $\mathbb{Q}_p$ with its valuation $|\cdot|_p$. We note that
$$|a + b|_p = |a|_p\qquad\text{if}\qquad |b|_p < |a|_p.$$
For by (iii*) $|a + b|_p \le |a|_p$ and, since $a = (a + b) + (-b)$, we have a contradiction if $|a + b|_p < |a|_p$. It follows that the set of values taken by $|\cdot|_p$ on $\mathbb{Q}_p$ is precisely the same as the set for $\mathbb{Q}$. Indeed if $\alpha \in \mathbb{Q}_p$, $\alpha \ne 0$ then by (ii) of the definition of the completion, there is an $a \in \mathbb{Q}$ with $|a - \alpha|_p < |\alpha|_p$, so $|a|_p = |\alpha|_p$.

The set of $\alpha \in \mathbb{Q}_p$ with $|\alpha|_p \le 1$ is called the set of $p$-adic integers $\mathbb{Z}_p$. Because $|\cdot|_p$ is non-archimedean, $\mathbb{Z}_p$ is a ring:
$$|\alpha|_p \le 1,\ |\beta|_p \le 1 \implies |\alpha\beta|_p \le 1,\ |\alpha + \beta|_p \le 1.$$
A rational number $b$ is in $\mathbb{Z}_p$ precisely when it has the form $b = u/v$, where $u, v \in \mathbb{Z}$, $p \nmid v$. The numbers $\varepsilon \in \mathbb{Q}_p$ with $|\varepsilon|_p = 1$ are the $p$-adic units. From what was said about the values taken by $|\cdot|_p$ on $\mathbb{Q}_p$, every $\beta \ne 0$ in $\mathbb{Q}_p$ is of the shape $\beta = p^n \varepsilon$, where $n \in \mathbb{Z}$ and $\varepsilon$ is a unit. The units are just the elements $\varepsilon$ of $\mathbb{Q}_p$ such that $\varepsilon \in \mathbb{Z}_p$, $\varepsilon^{-1} \in \mathbb{Z}_p$.

As we have already noted, elementary analysis continues to hold in $\mathbb{Q}_p$, but can be simpler, as the following lemma shows.

Lemma 1. In $\mathbb{Q}_p$ the series $\sum \beta_n$ converges if and only if $\beta_n \to 0$.

Proof. By saying that the sum converges, we mean, of course, that the partial sums tend to a limit. That convergence implies $\beta_n \to 0$ is true even in real analysis. To
prove the opposite implication, we note that
$$\Bigl|\sum_{n=0}^{N} \beta_n - \sum_{n=0}^{M} \beta_n\Bigr|_p = \Bigl|\sum_{n=M+1}^{N} \beta_n\Bigr|_p \le \max_{M < n \le N} |\beta_n|_p$$
by an obvious extension of the ultrametric inequality (iii*) to several summands. Hence the sequence of partial sums is a fundamental sequence, so tending to a limit by the completeness of $\mathbb{Q}_p$.

We are now in a position to give an explicit description of $\mathbb{Z}_p$. We write
$$A = \{0, 1, \dots, p - 1\}.$$

Lemma 2. The elements of $\mathbb{Z}_p$ are precisely the sums
$$\alpha = \sum_{n=0}^{\infty} a_n p^n,$$
where $a_n \in A$ (all $n$).

Proof. By the preceding lemma, the infinite sum converges, and its value is clearly in $\mathbb{Z}_p$. Now let $\alpha \in \mathbb{Z}_p$ be given. There is a $b \in \mathbb{Q}$ such that $|b - \alpha|_p < 1$, and it is easy to prove that there is precisely one $a_0 \in A$ such that $|a_0 - b|_p < 1$. Then $\alpha = a_0 + p\alpha_1$ where $|\alpha_1|_p \le 1$, i.e. $\alpha_1 \in \mathbb{Z}_p$. Proceeding inductively, we get
$$\alpha = a_0 + a_1 p + \dots + a_N p^N + p^{N+1}\alpha_{N+1}$$
with $\alpha_{N+1} \in \mathbb{Z}_p$.

For the final result we must distinguish between $p = 2$ and $p \ne 2$.

Lemma 3 ($p \ne 2$). Let $\alpha \in \mathbb{Q}_p$ be a unit. A necessary and sufficient condition that $\alpha = \beta^2$ for some $\beta \in \mathbb{Q}_p$ is that there is some $\gamma \in \mathbb{Q}_p$ with $|\alpha - \gamma^2|_p < 1$.

Proof. Necessity is obvious. We have already in effect given a proof in the special case $p = 5$, $\alpha = -1$. That in the general case is similar: one
constructs inductively $\beta_1 = \gamma, \beta_2, \beta_3, \dots$ such that
$$|\beta_n^2 - \alpha|_p \le p^{-n},\qquad |\beta_{n+1} - \beta_n|_p \le p^{-n}.$$
If we already have $\beta_n$, we take $\beta_{n+1} = \beta_n + \delta$, so
$$\beta_{n+1}^2 = \beta_n^2 + 2\beta_n\delta + \delta^2,$$
and it is enough to take $\delta = (\alpha - \beta_n^2)/2\beta_n$.

This lemma ceases to hold for $p = 2$ (consider $\alpha = 5$, $\gamma = 1$: then $|\alpha - \gamma^2|_2 < 1$, but 5 is not a square in $\mathbb{Q}_2$ by the next lemma). We have

Lemma 4 ($p = 2$). Let $\alpha \in \mathbb{Q}_2$ be a unit. A necessary and sufficient condition that $\alpha = \beta^2$ for some $\beta \in \mathbb{Q}_2$ is that $|\alpha - 1|_2 \le 2^{-3}$.

Proof. Here again, the necessity is obvious. For sufficiency we construct a sequence $\beta_1 = 1, \beta_2, \beta_3, \dots$ as in the previous proof. The details are left to the reader.

We conclude this section by the promised sketch of the construction of $\mathbb{Q}_p$. Denote by $\mathfrak{S}$ the set of fundamental sequences $\{a_n\}$ for $|\cdot|_p$, where $a_n \in \mathbb{Q}$. Then $\mathfrak{S}$ is a ring under componentwise addition and multiplication:
$$\{a_n\} + \{b_n\} = \{a_n + b_n\},\qquad \{a_n\}\{b_n\} = \{a_n b_n\}.$$
A sequence $\{a_n\}$ is a null sequence if $a_n \to 0$ ($p$-adically). The set $\mathfrak{N}$ of null sequences is clearly an ideal in $\mathfrak{S}$. Let $\{a_n\} \in \mathfrak{S}$ but $\{a_n\} \notin \mathfrak{N}$. Then it is easy to see that there is at least one $N$ such that $|a_N - a_n|_p < |a_N|_p$ for all $n > N$. Then $|a_n|_p = |a_N|_p$ for all $n > N$. We write $|\{a_n\}|_p = |a_N|_p$. If $a_n \ne 0$ for all $n$, it is now easy to deduce that $\{a_n^{-1}\} \in \mathfrak{S}$.

We show that $\mathfrak{N}$ is a maximal ideal in $\mathfrak{S}$. For, if not, let $\mathfrak{M}$ be a strictly bigger ideal than $\mathfrak{N}$. It must contain an $\{a_n\} \notin \mathfrak{N}$. Then only finitely many of the $a_n$ can be 0, and replacing them by (say) 1 merely adds an element of $\mathfrak{N}$. Hence we can suppose that $a_n \ne 0$ for all $n$. Then $\{a_n^{-1}\} \in \mathfrak{S}$, and so $\{a_n^{-1}\}\{a_n\} = \{1\} \in \mathfrak{M}$. Hence we should have $\mathfrak{M} = \mathfrak{S}$, a contradiction. We conclude that $\mathfrak{N}$ is maximal, and thus $\mathfrak{S}/\mathfrak{N}$ is a field. The field $\mathbb{Q}$ is mapped into $\mathfrak{S}/\mathfrak{N}$ by $r \to \{r\} \in \mathfrak{S}$. The function $|\{a_n\}|_p$ on $\mathfrak{S}$ induces a function on $\mathfrak{S}/\mathfrak{N}$ which is easily seen to be a valuation and to coincide with $|\cdot|_p$ on the image of $\mathbb{Q}$.
Finally, it is not difficult to check that $\mathfrak{S}/\mathfrak{N}$ is itself complete by a diagonal argument on a sequence of elements of $\mathfrak{S}$.

§2. Exercises

1. For each of the sets of $p, m, r$ given, either find an $x \in \mathbb{Z}$ such that $|r - x|_p \le p^{-m}$, or show that no such $x$ exists.
(i) $p = 257$, $r = 1/2$, $m = 1$; (ii) $p = 3$, $r = 7/8$, $m = 2$; (iii) $p = 3$, $r = 7/8$, $m = 7$; (iv) $p = 3$, $r = 5/6$, $m = 9$; (v) $p = 5$, $r = 1/4$, $m = 4$.

2. Construct further examples along the lines of Exercise 1 until the whole business seems trivial.

3. For given $p, m, r$ either find an $x \in \mathbb{Z}$ such that $|r - x^2|_p \le p^{-m}$ or show that no such $x$ exists.
(i) $p = 5$, $r = -1$, $m = 4$; (ii) $p = 5$, $r = 10$, $m = 3$; (iii) $p = 13$, $r = -4$, $m = 3$; (iv) $p = 2$, $r = -7$, $m = 6$; (v) $p = 7$, $r = -14$, $m = 4$; (vi) $p = 7$, $r = 6$, $m = 3$; (vii) $p = 7$, $r = 1/2$, $m = 3$.

4. As Exercise 2.

5. Let $p > 0$ be prime, $p \equiv 2 \pmod 3$. For any integer $a$, $p \nmid a$, show that there is an $x \in \mathbb{Z}_p$ with $x^3 = a$.
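The constructions of this section (the valuation $|\cdot|_p$, the digit expansion of Lemma 2, the digit-by-digit square root of $-1$ in $\mathbb{Z}_5$ from p. 8, and the square criteria of Lemmas 3 and 4) are mechanical enough to be run. The following Python is an added worked example, not code from the book: it generalises the p. 8 construction to any integer unit modulo any odd prime, adds the $p = 2$ step that Lemma 4 leaves to the reader, and the functions `integer_approx` and `lift_sqrt` answer Exercises 1 and 3 directly. The function names and the choice of the smallest square root mod $p$ as starting value are my own.

```python
"""p-adic arithmetic of section 2, worked in Python (added example).

Reconstruction of the text's constructions, not the book's own code:
  vp / abs_p        the p-adic valuation and |r|_p
  p_adic_digits     the expansion of Lemma 2, for rationals in Z_p
  integer_approx    an integer x with |r - x|_p <= p^-m (Exercise 1)
  lift_sqrt         the digit-by-digit square root of p. 8, generalised
                    to any integer unit alpha and odd p, plus the p = 2 step
  is_square_in_Qp   Lemmas 3 and 4 for a non-zero rational
Inputs may be ints, Fractions or strings such as "7/8".
"""
from fractions import Fraction


def vp(r, p):
    """rho with r = p^rho u/v, p not dividing u, v (r != 0)."""
    r = Fraction(r)
    if r == 0:
        raise ValueError("v_p(0) is +infinity")
    num, den, rho = abs(r.numerator), r.denominator, 0
    while num % p == 0:
        num //= p
        rho += 1
    while den % p == 0:
        den //= p
        rho -= 1
    return rho


def abs_p(r, p):
    """|r|_p = p^(-v_p(r)) as a Fraction, with |0|_p = 0."""
    r = Fraction(r)
    return Fraction(0) if r == 0 else Fraction(1, p) ** vp(r, p)


def p_adic_digits(r, p, n):
    """First n digits a_0..a_{n-1} in A = {0..p-1} of r = sum a_k p^k (Lemma 2).
    r must lie in Z_p, i.e. have denominator prime to p."""
    r = Fraction(r)
    if r.denominator % p == 0:
        raise ValueError("r is not a p-adic integer")
    digits = []
    for _ in range(n):
        # the unique a in A with |r - a|_p < 1: reduce r mod p by inverting the denominator
        a = (r.numerator * pow(r.denominator, -1, p)) % p
        digits.append(a)
        r = (r - a) / p            # p divides the numerator of r - a, so r stays in Z_p
    return digits


def integer_approx(r, p, m):
    """Integer x with |r - x|_p <= p^-m, or None when r is not in Z_p
    (then |r - x|_p = |r|_p > 1 for every integer x)."""
    try:
        digits = p_adic_digits(r, p, m)
    except ValueError:
        return None
    return sum(a * p**k for k, a in enumerate(digits))


def lift_sqrt(alpha, p, n):
    """Integer x with x^2 == alpha (mod p^n) for an integer unit alpha, or None.
    Odd p: x_{k+1} = x_k + b p^k with 2 x_k b + c == 0 (mod p), c = (x_k^2 - alpha)/p^k,
    exactly the recursion of p. 8.  p = 2: 2 x_k is no longer a unit, so the step is
    x_{k+1} = x_k + b 2^(k-1), which only works from k = 3 on; hence Lemma 4's
    condition alpha == 1 (mod 8) rather than (mod 2)."""
    if alpha % p == 0:
        raise ValueError("alpha must be a p-adic unit")
    if p == 2:
        if alpha % 2 ** min(n, 3) != 1:
            return None
        x = 1
        for k in range(3, n):                       # x^2 == alpha (mod 2^k) -> (mod 2^(k+1))
            c = (x * x - alpha) // 2**k
            x += (c % 2) << (k - 1)
        return x
    x = next((r for r in range(p) if (r * r - alpha) % p == 0), None)
    if x is None:
        return None                                 # not a square mod p: not a square in Q_p
    for k in range(1, n):
        c = (x * x - alpha) // p**k
        b = (-c * pow(2 * x, -1, p)) % p
        x += b * p**k
    return x


def is_square_in_Qp(alpha, p):
    """Lemmas 3 and 4: alpha = p^n eps is a square in Q_p iff n is even and the unit
    eps is a square, i.e. a quadratic residue mod p (odd p) or == 1 (mod 8) (p = 2)."""
    alpha = Fraction(alpha)
    if alpha == 0:
        return True
    n = vp(alpha, p)
    if n % 2:
        return False
    eps = alpha / Fraction(p) ** n
    modulus = 8 if p == 2 else p
    e = (eps.numerator * pow(eps.denominator, -1, modulus)) % modulus
    return e == 1 if p == 2 else pow(e, (p - 1) // 2, p) == 1


if __name__ == "__main__":
    print("5-adic digits of -1/3:", p_adic_digits("-1/3", 5, 6))
    print("a_4 with a_4^2 + 1 == 0 (mod 5^4):", lift_sqrt(-1, 5, 4))
    print("-7 a square in Q_2:", is_square_in_Qp(-7, 2), " 5 a square in Q_2:", is_square_in_Qp(5, 2))
```

Note that `lift_sqrt(-1, 5, 4)` reproduces the sequence $a_1 = 2, a_2 = 7, a_3 = 57, a_4 = 182$ that the recursion of p. 8 generates, and that `is_square_in_Qp` decides Exercise 3 before any lifting is attempted.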
3 The local-global principle for conics

We have seen that the theory of curves of genus 0 over $\mathbb{Q}$ turns on deciding whether a given conic has a rational point. We use homogeneous co-ordinates. A conic $C$ defined over $\mathbb{Q}$ is given by an equation
$$F(\mathbf{X}) = \sum_{i,j} f_{ij} X_i X_j = 0,$$
where $\mathbf{X} = (X_1, X_2, X_3)$, $f_{ij} = f_{ji} \in \mathbb{Q}$ and the quadratic form $F$ (recall a form is a homogeneous polynomial) is nonsingular, i.e. $\det(f_{ij}) \ne 0$.

In our initial discussion we noted that, apart from reality considerations, we could disprove the existence of rational points by congruence considerations. These we now replace by reference to $p$-adic numbers. A criterion for the existence of a rational point on a conic was given by Legendre. It was left to Hasse to give it the following succinct formulation.

Theorem 1. A necessary and sufficient condition for the existence of a rational point on a conic $C$ defined over $\mathbb{Q}$ is that there is a point defined over the real field $\mathbb{R}$ and over $\mathbb{Q}_p$ for every prime $p$.

Necessity is trivial. We shall prove sufficiency, but it will require some time and preparation. First we introduce some conventional terminology.
The real field $\mathbb{R}$ is somewhat analogous to the $\mathbb{Q}_p$ and is conventionally denoted by $\mathbb{Q}_\infty$. When we write $\mathbb{Q}_p$ we will not include $p = \infty$ unless we explicitly say so. The fields $\mathbb{Q}_p$ (including $p = \infty$) are called the localizations of $\mathbb{Q}$. In contrast, $\mathbb{Q}$ is called the global field. We say that something is true "everywhere locally" if it is true for all $\mathbb{Q}_p$ (including $\infty$). In this lingo the theorem becomes "A necessary and sufficient condition for the existence of a global point on a conic is that there should be a point everywhere locally".

The local-global theorem for conics implies a local-global theorem for curves of genus 0 but some care must be taken in the formulation ["point" must be interpreted as "place"]. We do not pursue this further.

In the rest of this section we transform the theorem into a shape better suited for attack.¹ A transformation
$$T:\quad X_i = \sum_j t_{ij} Y_j,$$
with $t_{ij} \in \mathbb{Q}$, $\det(t_{ij}) \ne 0$ takes the quadratic form $F(\mathbf{X})$ into a quadratic form $G(\mathbf{Y})$, say. Then $T$ takes points defined over $\mathbb{Q}$ on $F(\mathbf{X}) = 0$ into points defined over $\mathbb{Q}$ on $G(\mathbf{Y}) = 0$ and, similarly, the inverse $T^{-1}$ takes points on $G(\mathbf{Y}) = 0$ to points on $F(\mathbf{X}) = 0$. Likewise for points defined over $\mathbb{Q}_p$ for each $p$ (including $\infty$). Hence the theorem holds for $F(\mathbf{X}) = 0$ if and only if it holds for $G(\mathbf{Y}) = 0$.

By suitable choice of transformation $T$ we thus need consider only "diagonal" forms
$$F(\mathbf{X}) = f_1 X_1^2 + f_2 X_2^2 + f_3 X_3^2.$$
By substitutions $X_j \to t_j X_j$ ($t_j \in \mathbb{Q}$) we may suppose without loss of generality that the $f_j$ are square-free integers. If $f_1, f_2, f_3$ have a prime factor $p$ in common, we replace $F(\mathbf{X})$ by $p^{-1} F(\mathbf{X})$. If two of the $f_j$, say $f_1, f_2$, have a prime $p$ in common but $p \nmid f_3$, we replace $X_3$ by $pX_3$ and then divide $F$ by $p$. Both of these

¹ The details of the proof of Theorem 1 will not be required for the treatment of elliptic curves. The reader who is interested only in the latter should omit the rest of this § and also omit §§4, 5.
transformations reduce the absolute value of the integer $f_1 f_2 f_3$. After a finite number of steps we are reduced to the case when $f_1 f_2 f_3$ is square-free. We have thus proved the

Metalemma 1. To prove the Theorem, it is enough to prove it for conics
$$F(\mathbf{X}) = f_1 X_1^2 + f_2 X_2^2 + f_3 X_3^2 = 0,$$
where $f_j \in \mathbb{Z}$ and $f_1 f_2 f_3$ is square-free.

The next stage is to draw conclusions from the hypothesis that a conic as described in the Metalemma has points everywhere locally. There is a point defined over $\mathbb{Q}_p$ when there is a vector $\mathbf{a} = (a_1, a_2, a_3) \ne (0, 0, 0)$ with $a_j \in \mathbb{Q}_p$ such that $F(\mathbf{a}) = 0$. By multiplying the $a_j$ by an element of $\mathbb{Q}_p$ we may suppose without loss of generality that
$$\max_j |a_j|_p = 1. \qquad (*)$$
For our later purposes we have to consider several cases.

First case, $p \ne 2$, $p \mid f_1 f_2 f_3$. Without loss of generality $p \mid f_1$, so $p \nmid f_2$, $p \nmid f_3$. Then $|f_1 a_1^2|_p < 1$. Suppose, if possible, that $|a_2|_p < 1$. Then
$$|f_3 a_3^2|_p = |f_1 a_1^2 + f_2 a_2^2|_p < 1$$
and $|a_3|_p < 1$. Now
$$|f_1 a_1^2|_p = |f_2 a_2^2 + f_3 a_3^2|_p \le p^{-2}$$
and so $|a_1|_p < 1$ since $f_1$ is square-free. This contradicts the normalization $(*)$, and so $|a_2|_p = |a_3|_p = 1$. But now $|f_2 a_2^2 + f_3 a_3^2|_p < 1$. On dividing by the unit $a_2^2$, we deduce that there is some $r_p \in \mathbb{Z}$ such that
$$f_2 + r_p^2 f_3 \equiv 0 \pmod p.$$

Second case, $p = 2$, $2 \nmid f_1 f_2 f_3$. It is easy to see that precisely two of the $a_j$ are units, say $a_2$ and $a_3$. Now $a^2 \equiv 1$ or $0 \pmod 4$ for $a \in \mathbb{Z}_2$; and so
$$f_2 + f_3 \equiv 0 \pmod 4.$$

Third case, $p = 2$, $2 \mid f_1 f_2 f_3$, say $2 \mid f_1$. Now $|a_2|_2 = |a_3|_2 = 1$. Now $a^2 \equiv 1 \pmod 8$ for $a \in \mathbb{Z}_2$, $2 \nmid a$; and so
$$f_2 + f_3 \equiv 0 \pmod 8\qquad\text{or}\qquad f_1 + f_2 + f_3 \equiv 0 \pmod 8$$
according as $|a_1|_2 < 1$ or $|a_1|_2 = 1$.

In the next two sections, we show that the conditions just derived are sufficient to ensure the existence of a global point on $F(\mathbf{X}) = 0$.

§3. Exercises

1. (i) Let $p > 2$ be prime and let $b, c \in \mathbb{Z}$, $p \nmid b$. Show that $bx^2 + c$ takes precisely $\frac12(p + 1)$ distinct values mod $p$ for $x \in \mathbb{Z}$.
(ii) Suppose that, further, $a \in \mathbb{Z}$, $p \nmid a$. Show that there are $x, y \in \mathbb{Z}$ such that $bx^2 + c \equiv ay^2 \pmod p$.

2. Let $a, b, c \in \mathbb{Z}_p$, $|a|_p = |b|_p = |c|_p = 1$ where $p$ is prime, $p > 2$. Show that there are $x, y \in \mathbb{Z}_p$ such that $bx^2 + c = ay^2$.

3. Let $p > 2$ be prime, $a_{ij} \in \mathbb{Z}$ ($1 \le i, j \le 3$), $a_{ij} = a_{ji}$ and let $d = \det(a_{ij})$. Suppose that $p \nmid d$. Show that there are $x_1, x_2, x_3 \in \mathbb{Z}$, not all divisible by $p$, such that $\sum a_{ij} x_i x_j \equiv 0 \pmod p$.

4. Let $a, b, c \in \mathbb{Z}$, $2 \nmid abc$. Show that a necessary and sufficient condition that the only solution in $\mathbb{Q}_2$ of $ax^2 + by^2 + cz^2 = 0$ is the trivial one is that $a \equiv b \equiv c \pmod 4$.

5. For each of the following sets of $a, b, c$ find the set of primes $p$ (including $\infty$) for which the only solution of $ax^2 + by^2 + cz^2 = 0$ in $\mathbb{Q}_p$ is the trivial one:
(i) $(a, b, c) = (1, 1, -2)$; (ii) $(a, b, c) = (1, 1, -3)$; (iii) $(a, b, c) = (1, 1, 1)$; (iv) $(a, b, c) = (14, -15, 33)$.

6. Do you observe anything about the parity of the number $N$ of primes (including $\infty$) for which there is insolubility? If not, construct similar exercises and solve them until the penny drops.

7. (i) Prove your observation in (6) in the special case $a = 1$, $b = -r$, $c = -s$, where $r, s$ are distinct primes $> 2$. [Hint. Quadratic reciprocity.]
(ii) [Difficult.] Prove your observation for all $a, b, c \in \mathbb{Z}$.
4 Geometry of numbers

At this stage we require a tool from the Geometry of Numbers, which we shall develop from scratch.

A generalization of the pigeon-hole principle (Schubfachprinzip) says that if we have $N$ things to file in $H$ holes and $N > mH$ for an integer $m$, then at least one of the holes will contain $\ge m + 1$ things. We start with a continuous analogue.

Let $\mathbb{R}^n$ denote the vector space of real $n$-tuples $\mathbf{r} = (r_1, \dots, r_n)$. It contains the group $\mathbb{Z}^n$ of $\mathbf{r}$ for which $r_j \in \mathbb{Z}$ (all $j$). By the volume $V(\mathcal{S})$ of a set $\mathcal{S} \subset \mathbb{R}^n$ we shall mean its Lebesgue measure, but in the applications we will be concerned only with very simple-minded $\mathcal{S}$.

Lemma 1. Let $m > 0$ be an integer and let $\mathcal{S} \subset \mathbb{R}^n$ with $V(\mathcal{S}) > m$. Then there are $m + 1$ distinct points $\mathbf{s}_0, \dots, \mathbf{s}_m$ of $\mathcal{S}$ such that $\mathbf{s}_i - \mathbf{s}_j \in \mathbb{Z}^n$ $(0 \le i, j \le m)$.

Proof. Let $\mathcal{W} \subset \mathbb{R}^n$ be the "unit cube" of points $\mathbf{w}$ with $0 \le w_j < 1$ $(1 \le j \le n)$. Then every $\mathbf{x} \in \mathbb{R}^n$ is uniquely of the shape $\mathbf{x} = \mathbf{w} + \mathbf{z}$, where $\mathbf{z} \in \mathbb{Z}^n$. Let $\psi(\mathbf{x})$ be the characteristic function of $\mathcal{S}$ ($= 1$ if $\mathbf{x} \in \mathcal{S}$,
$= 0$ otherwise). Then
$$m < V(\mathcal{S}) = \int \psi(\mathbf{x})\,d\mathbf{x} = \int_{\mathcal{W}} \Bigl(\sum_{\mathbf{z} \in \mathbb{Z}^n} \psi(\mathbf{w} + \mathbf{z})\Bigr)\,d\mathbf{w}.$$
Since $V(\mathcal{W}) = 1$, there must be some $\mathbf{w}_0 \in \mathcal{W}$ such that
$$\sum_{\mathbf{z} \in \mathbb{Z}^n} \psi(\mathbf{w}_0 + \mathbf{z}) > m,$$
so $\ge m + 1$. We may now take for the $\mathbf{s}_j$ the $\mathbf{w}_0 + \mathbf{z}$ for which $\psi(\mathbf{w}_0 + \mathbf{z}) > 0$.

The set $\mathcal{S}$ is said to be symmetric (about the origin) if $-\mathbf{x} \in \mathcal{S}$ whenever $\mathbf{x} \in \mathcal{S}$. It is convex if whenever $\mathbf{x}, \mathbf{y} \in \mathcal{S}$, then the whole line-segment
$$\lambda\mathbf{x} + (1 - \lambda)\mathbf{y} \in \mathcal{S}\qquad (0 \le \lambda \le 1)$$
joining them is in $\mathcal{S}$. In particular, the mid-point $\frac12(\mathbf{x} + \mathbf{y})$ is in $\mathcal{S}$.

Theorem 1. Let $\Lambda$ be a subgroup of $\mathbb{Z}^n$ of index $m$. Let $\mathcal{C} \subset \mathbb{R}^n$ be a symmetric convex set of volume $V(\mathcal{C}) > 2^n m$. Then $\mathcal{C}$ and $\Lambda$ have a common point other than $\mathbf{0} = (0, \dots, 0)$.

Proof. Let $\mathcal{S} = \frac12\mathcal{C}$ be the set of points $\frac12\mathbf{c}$, $\mathbf{c} \in \mathcal{C}$. Then
$$V(\tfrac12\mathcal{C}) = 2^{-n} V(\mathcal{C}) > m.$$
By Lemma 1, there are $m + 1$ distinct points $\mathbf{c}_0, \dots, \mathbf{c}_m \in \mathcal{C}$ such that
$$\tfrac12\mathbf{c}_i - \tfrac12\mathbf{c}_j \in \mathbb{Z}^n\qquad (0 \le i, j \le m).$$
There are $m + 1$ points
$$\tfrac12\mathbf{c}_i - \tfrac12\mathbf{c}_0\qquad (0 \le i \le m)$$
and $m$ cosets of $\mathbb{Z}^n$ modulo $\Lambda$. By the pigeon hole principle, two must be in the same coset, that is there are $i, j$ with $i \ne j$ such that
$$\tfrac12\mathbf{c}_i - \tfrac12\mathbf{c}_j \in \Lambda.$$
Now $-\mathbf{c}_j \in \mathcal{C}$ by symmetry; and so
$$\tfrac12\mathbf{c}_i - \tfrac12\mathbf{c}_j = \tfrac12\mathbf{c}_i + \tfrac12(-\mathbf{c}_j) \in \mathcal{C}$$
by convexity.
Note. Lemma 1 and Theorem 1 with $m = 1$ are due to Blichfeldt and Minkowski respectively. The generalizations to $m > 1$ are by van der Corput.

As a foretaste of the flavour of the application in the next section, we give

Lemma 2. Let $N$ be a positive integer. Suppose that there is an $l \in \mathbb{Z}$ such that $l^2 \equiv -1 \pmod N$. Then $N = u^2 + v^2$ for some $u, v \in \mathbb{Z}$.

Proof. We take $n = 2$ and denote the co-ordinates by $x, y$. For $\mathcal{C}$ we take the open disc $x^2 + y^2 < 2N$ of volume (= area) $V(\mathcal{C}) = 2\pi N > 2^2 N$. The subgroup $\Lambda$ of $\mathbb{Z}^2$ is given by $x, y \in \mathbb{Z}$, $y \equiv lx \pmod N$. It is clearly of index $N$. Hence by the Theorem there is $(0, 0) \ne (u, v) \in \Lambda \cap \mathcal{C}$. Then $0 < u^2 + v^2 < 2N$ and
$$u^2 + v^2 \equiv u^2(1 + l^2) \equiv 0 \pmod N.$$
Hence $u^2 + v^2 = N$, as required.

We note, in passing, that the condition of the lemma is certainly satisfied for primes $p$ with $p \equiv 1 \pmod 4$.

§4. Exercises

1. Let $m \in \mathbb{Z}$, $m > 1$ and suppose that there is some $f \in \mathbb{Z}$ such that $f^2 + f + 1 \equiv 0 \pmod m$. Show that $m = u^2 + uv + v^2$ for some $u, v \in \mathbb{Z}$.

2. Find a prime $p > 0$ for which there is an $f \in \mathbb{Z}$ such that $1 + 5f^2 \equiv 0 \pmod p$ but $p$ is not of the shape $u^2 + 5v^2$ ($u, v \in \mathbb{Z}$).
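The proof of Lemma 2 is constructive: it says the lattice $\Lambda = \{(x, y) : y \equiv lx \pmod N\}$ meets the disc $x^2 + y^2 < 2N$ in a non-zero point, and any such point represents $N$. The Python below, an added example and not the book's code, walks exactly that intersection, and since the same argument with the form $u^2 + uv + v^2$ and the ellipse $u^2 + uv + v^2 < 2N$ (area $4\pi N/\sqrt 3 > 4N$) proves Exercise 1, the search takes the form as a parameter. The helper `sqrt_minus_one`, which supplies $l$ for a prime $p \equiv 1 \pmod 4$ via Euler's criterion, and all function names are my additions.

```python
"""Lemma 2 of section 4 (and Exercise 1) as a lattice search (added example).

For u = 1, 2, ... the search looks at the residue class v == l*u (mod N).
Any lattice point of the region has |v| < 2 sqrt(N), and the representative
v0 of the class nearest to zero satisfies |v0| <= N/2, so for N >= 2 only
v0 and v0 +- N can lie in the region; those three are tested.  u = 0 is
skipped because it forces v == 0 (mod N) and hence q(0, v) >= N^2 >= 2N.
"""
from math import isqrt


def minkowski_rep(N, l, q):
    """(u, v) with v == l*u (mod N) and 0 < q(u, v) < 2N.  When l is a root of
    the relevant congruence, q(u, v) == 0 (mod N) forces q(u, v) == N; if that
    fails, l was not a root and a ValueError is raised."""
    if N < 2:
        raise ValueError("N must be at least 2")
    for u in range(1, 2 * isqrt(N) + 3):            # covers |u| < 2 sqrt(N)
        v0 = (l * u) % N
        if v0 > N // 2:
            v0 -= N                                  # representative nearest zero
        for v in (v0, v0 - N, v0 + N):
            val = q(u, v)
            if 0 < val < 2 * N:
                if val != N:
                    raise ValueError("q(u, v) is not 0 mod N: l is not a root")
                return u, v
    raise ValueError("no lattice point in the region: l is not a root")


def two_squares(N, l):
    """N = u^2 + v^2 from l with l^2 == -1 (mod N): Lemma 2."""
    return minkowski_rep(N, l, lambda x, y: x * x + y * y)


def hexagonal_rep(m, f):
    """m = u^2 + uv + v^2 from f with f^2 + f + 1 == 0 (mod m): section 4, Exercise 1."""
    return minkowski_rep(m, f, lambda x, y: x * x + x * y + y * y)


def sqrt_minus_one(p):
    """l with l^2 == -1 (mod p) for a prime p == 1 (mod 4): if a is a quadratic
    non-residue then a^((p-1)/4) works, by Euler's criterion (my addition)."""
    if p % 4 != 1:
        raise ValueError("need p == 1 (mod 4)")
    for a in range(2, p):
        if pow(a, (p - 1) // 2, p) == p - 1:         # non-residue
            return pow(a, (p - 1) // 4, p)
    raise ValueError("no non-residue found: p is not prime")


if __name__ == "__main__":
    print("13 = u^2 + v^2 with (u, v) =", two_squares(13, 5))   # 5^2 = 25 == -1 (mod 13)
    p = 10009                                                   # a prime == 1 (mod 4)
    print(p, "=", "u^2 + v^2 with (u, v) =", two_squares(p, sqrt_minus_one(p)))
    print("7 = u^2 + uv + v^2 with (u, v) =", hexagonal_rep(7, 2))   # 2^2 + 2 + 1 = 7
```

The search costs $O(\sqrt N)$ steps, which is not how one would compute the representation at scale (Cornacchia's algorithm does it with a Euclidean reduction of $l$ against $N$), but it follows the proof step for step and exhibits the lattice point whose existence Theorem 1 asserts.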
5 Local-global principle. Conclusion of proof

We now complete the proof of the local-global principle for conics using the theorem of the last section. We recall that we had reduced the proof to that for
$$f_1 X_1^2 + f_2 X_2^2 + f_3 X_3^2 = 0,$$
where $f_1, f_2, f_3 \in \mathbb{Z}$ and $f_1 f_2 f_3$ is square-free. We assume that there are points everywhere locally and we showed that this implied certain congruences to primes $p$ dividing $2 f_1 f_2 f_3$.

We first define a subgroup $\Lambda$ of $\mathbb{Z}^3$ by imposing congruence conditions on the components of $\mathbf{x} = (x_1, x_2, x_3)$.

First case, $p \ne 2$, $p \mid f_1 f_2 f_3$, say $p \mid f_1$. We saw (end of §3) that then there is an $r_p \in \mathbb{Z}$ such that $f_2 + r_p^2 f_3 \equiv 0 \pmod p$. We impose the condition
$$x_3 \equiv r_p x_2 \pmod p.$$
Then
$$F(\mathbf{x}) = f_1 x_1^2 + f_2 x_2^2 + f_3 x_3^2 \equiv (f_2 + r_p^2 f_3)\,x_2^2 \equiv 0 \pmod p.$$

Second case, $p = 2$, $2 \nmid f_1 f_2 f_3$. Then without loss of generality
$$f_2 + f_3 \equiv 0 \pmod 4.$$
We impose the conditions
$$x_1 \equiv 0 \pmod 2,\qquad x_2 \equiv x_3 \pmod 2,$$
which imply $F(\mathbf{x}) \equiv 0 \pmod 4$.

Third case, $p = 2$, $2 \mid f_1 f_2 f_3$, say $2 \mid f_1$. Then
$$s^2 f_1 + f_2 + f_3 \equiv 0 \pmod 8,$$
where $s = 0$ or $1$. We impose the conditions
$$x_2 \equiv x_3 \pmod 4,\qquad x_1 \equiv s x_3 \pmod 2,$$
which imply $F(\mathbf{x}) \equiv 0 \pmod 8$.

To sum up. The group $\Lambda$ is of index $m$ (say) $= 4|f_1 f_2 f_3|$ in $\mathbb{Z}^3$, where throughout this section $|\ |$ is the ordinary absolute value. Further,
$$F(\mathbf{x}) \equiv 0 \pmod{4|f_1 f_2 f_3|}\qquad\text{for } \mathbf{x} \in \Lambda.$$
We apply the theorem of the previous section to $\Lambda$ and the convex symmetric set
$$\mathcal{C}:\quad |f_1|\,x_1^2 + |f_2|\,x_2^2 + |f_3|\,x_3^2 < 4|f_1 f_2 f_3|.$$
School geometry shows that
$$V(\mathcal{C}) = (\pi/3)\cdot 2^3 \cdot 4|f_1 f_2 f_3| > 2^3 \cdot 4|f_1 f_2 f_3| = 2^3 m$$
(the ellipsoid has semi-axes $(4|f_1 f_2 f_3|/|f_j|)^{1/2}$, whose product is $8|f_1 f_2 f_3|$, and volume $\frac43\pi$ times that product). Hence there is an $\mathbf{x} \ne \mathbf{0}$ in $\Lambda \cap \mathcal{C}$. For this $\mathbf{x}$ we have
$$F(\mathbf{x}) \equiv 0 \pmod{4|f_1 f_2 f_3|},\qquad |F(\mathbf{x})| \le |f_1|\,x_1^2 + |f_2|\,x_2^2 + |f_3|\,x_3^2 < 4|f_1 f_2 f_3|;$$
so $F(\mathbf{x}) = 0$, as required.

We conclude with some remarks.
Remark 1. We have not merely shown that there is a solution of $F(\mathbf{x}) = 0$, but we have found that there is one in a certain ellipsoid. This facilitates the search in explicitly given cases.

Remark 2. We have made no use of the condition of solubility in $\mathbb{Q}_p$ for $p \nmid 2 f_1 f_2 f_3$. In fact this condition tells us nothing [cf. §3, Exercises 2, 3]. It is left to the reader to check that for any $f_1, f_2, f_3$ and $p$ with $p \nmid 2 f_1 f_2 f_3$ there is always a point defined over $\mathbb{Q}_p$ on $f_1 X_1^2 + f_2 X_2^2 + f_3 X_3^2 = 0$.

Remark 3. We have also nowhere used that there is local solubility for $\mathbb{Q}_\infty = \mathbb{R}$. Hence solubility at $\infty$ is implied by solubility at all the $\mathbb{Q}_p$ ($p \ne \infty$). This phenomenon is connected with quadratic reciprocity. In fact for any conic over $\mathbb{Q}$, the number of $p$ (including $\infty$) for which there is not a point over $\mathbb{Q}_p$ is always even [cf. §3, Exercises 6, 7]. See a book on quadratic forms (such as the author's).

§5. Exercises

1. Let $F(X, Y, Z) = 5X^2 + 3Y^2 + 8Z^2 + 6(YZ + ZX + XY)$. Find rational integers $x, y, z$ not all divisible by 13, such that $F(x, y, z) \equiv 0 \pmod{13^2}$. [Hint. cf. Hensel's Lemma 2 of §10.]

2. Let $F(X, Y, Z) = 7X^2 + 3Y^2 - 2Z^2 + 4YZ + 6ZX + 2XY$. Find rational integers $x, y, z$ not all divisible by 17 such that $F(x, y, z) \equiv 0 \pmod{17^3}$.
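Sections 3 to 5 together give an algorithm: reduce a diagonal conic as in the Metalemma, test the congruences of §3 at the primes dividing $2 f_1 f_2 f_3$ and the sign condition at $\infty$ (by Remark 2 no other prime can obstruct), and if nothing fails search the ellipsoid of §5, which is guaranteed to contain a solution (Remark 1). The Python below is an added example, not the book's code. It returns the set of obstructing places, so Exercise 6 of §3 can be checked mechanically, and a primitive integer point when there is one. Sufficiency of the local conditions is not proved on these pages: at an odd $p \mid f_1$ the condition $f_2 + r^2 f_3 \equiv 0 \pmod p$ lifts by Lemma 3 of §2, and at $p = 2$ the conditions of the second and third cases lift by Lemma 4 (the second case is Exercise 4 of §3); the code assumes those facts. The function names and the use of 0 to denote the real place are my own conventions.

```python
"""Legendre's criterion for f1 X1^2 + f2 X2^2 + f3 X3^2 = 0 over Q (added example).

reduce_conic       Metalemma 1: square-free, pairwise coprime coefficients,
                   with the diagonal change of variables recorded so that a
                   point on the reduced conic maps back to the original one
local_obstructions the places (0 = infinity) where only the trivial solution exists
rational_point     a primitive integer solution, found inside the ellipsoid of
                   section 5, or None when some local obstruction exists
"""
from fractions import Fraction
from math import gcd, isqrt


def prime_factors(n):
    """Distinct primes dividing |n| (trial division; fine for book-sized coefficients)."""
    n, ps, d = abs(n), [], 2
    while d * d <= n:
        if n % d == 0:
            ps.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        ps.append(n)
    return ps


def squarefree_part(n):
    """(s, t) with n = s t^2 and s square-free (sign stays in s)."""
    t = 1
    for p in prime_factors(n):
        while n % (p * p) == 0:
            n //= p * p
            t *= p
    return n, t


def reduce_conic(f):
    """Returns (g, scale): g is square-free and pairwise coprime, and a point y on
    sum g_j Y_j^2 = 0 gives the point x_j = scale_j * y_j on sum f_j X_j^2 = 0."""
    g, scale = list(f), [Fraction(1)] * 3
    for j in range(3):
        s, t = squarefree_part(g[j])
        g[j], scale[j] = s, scale[j] / t          # f_j X_j^2 = s_j (t_j X_j)^2
    while True:
        d = gcd(gcd(g[0], g[1]), g[2])
        if d > 1:                                  # common prime factors: divide the form
            g = [x // d for x in g]
            continue
        for i, j, k in ((0, 1, 2), (0, 2, 1), (1, 2, 0)):
            d = gcd(g[i], g[j])
            if d > 1:                              # X_k -> d X_k, then divide by d
                g[i], g[j], g[k] = g[i] // d, g[j] // d, g[k] * d
                scale[k] *= d
                break
        else:
            return g, scale


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p."""
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)


def local_obstructions(f1, f2, f3):
    """Places at which the conic has only the trivial solution (0 stands for oo)."""
    g, _ = reduce_conic((f1, f2, f3))
    bad = set()
    if (g[0] > 0 and g[1] > 0 and g[2] > 0) or (g[0] < 0 and g[1] < 0 and g[2] < 0):
        bad.add(0)                                 # all of one sign: no real point
    N = abs(g[0] * g[1] * g[2])
    for p in prime_factors(N):
        i = next(j for j in range(3) if g[j] % p == 0)
        a, b = (g[j] for j in range(3) if j != i)  # the two coefficients prime to p
        if p == 2:                                 # section 3, third case
            if (a + b) % 8 != 0 and (g[i] + a + b) % 8 != 0:
                bad.add(2)
        elif legendre(-a * b, p) != 1:             # first case: f_a + r^2 f_b == 0 (mod p)
            bad.add(p)
    if N % 2 == 1 and g[0] % 4 == g[1] % 4 == g[2] % 4:
        bad.add(2)                                 # second case, cf. section 3, Exercise 4
    return bad


def rational_point(f1, f2, f3):
    """Primitive integer point on f1 X1^2 + f2 X2^2 + f3 X3^2 = 0, or None."""
    if local_obstructions(f1, f2, f3):
        return None
    g, scale = reduce_conic((f1, f2, f3))
    bound = 4 * abs(g[0] * g[1] * g[2])             # section 5: a solution lies in
    bx, by = isqrt(bound // abs(g[0])), isqrt(bound // abs(g[1]))   # |g0|x^2+|g1|y^2+|g2|z^2 < bound
    for x in range(bx + 1):
        for y in range(-by, by + 1):
            rest = -(g[0] * x * x + g[1] * y * y)
            if rest % g[2] != 0 or rest // g[2] < 0:
                continue
            z = isqrt(rest // g[2])
            if z * z == rest // g[2] and (x, y, z) != (0, 0, 0):
                pt = [scale[j] * c for j, c in enumerate((x, y, z))]
                den = 1
                for c in pt:                       # clear denominators, then make primitive
                    den = den * c.denominator // gcd(den, c.denominator)
                ints = [int(c * den) for c in pt]
                d = gcd(gcd(ints[0], ints[1]), ints[2])
                return tuple(c // d for c in ints)
    raise AssertionError("section 5 guarantees a point inside the ellipsoid")


if __name__ == "__main__":
    for f in [(1, 1, -2), (1, 1, -3), (1, 1, 1), (14, -15, 33)]:   # section 3, Exercise 5
        print(f, "obstructions:", local_obstructions(*f), "point:", rational_point(*f))
```

For $(14, -15, 33)$ the reduction gives $42X_1^2 - 5X_2^2 + 11X_3^2$, and the obstructions come out as $\{5, 7\}$; in every case the number of obstructing places is even, which is Remark 3.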
6 Cubic curves
In this section we consider curves given by $C: F(X) = F(X_1, X_2, X_3) = 0$, where $F$ is a homogeneous cubic form. The case of interest is when the ground field is the rationals $\mathbb{Q}$, but our initial remarks apply to any ground field. A point $x$ on $C$ is said to be singular when $\frac{\partial F}{\partial X_j}(x) = 0$ ($j = 1, 2, 3$). If we choose co-ordinates so that $x = (0,0,1)$, this is equivalent to $F$ not containing terms in $X_3^3$, $X_jX_3^2$. A singular point counts with multiplicity at least 2 as an intersection with a line. More precisely, if $a, b$ are two points on the line, the general point on it is $\lambda a + \mu b$, where the numbers $\lambda, \mu$ are not both 0. The intersections with $C$ are given by $F(\lambda a + \mu b) = 0$, (*) a homogeneous cubic in $\lambda, \mu$. What is claimed is that if one of the intersections is a singular point of $C$ then the corresponding ratio $\lambda : \mu$ occurs as a multiple root of (*). An easy way to check this is to take $b = x$.
Suppose that $C$ has two distinct singular points $x, y$. The line joining them cuts $C$ at both $x, y$ with multiplicity $\ge 2$. This can happen only if $F(\lambda x + \mu y)$ vanishes identically, i.e. if $C$ contains the whole line. If we suppose, as we shall, that $C$ is irreducible (i.e. that $F$ does not factorize), this cannot happen. An irreducible cubic curve has at most one singular point.
Now take the ground field to be $\mathbb{Q}$. If there is a singular point over the algebraic closure $\bar{\mathbb{Q}}$, there is at most one. By Galois theory² it must be defined over $\mathbb{Q}$. Hence, as we have already seen in §1, $C$ is birationally equivalent over $\mathbb{Q}$ to the line. From now on we restrict attention to non-singular cubic curves, i.e. those which have no singular points over $\bar{\mathbb{Q}}$.
Let $a, b$ be rational points on $C$. The line joining them meets $C$ in a third point, in general distinct: it is also rational since it is given by a cubic equation, two of whose roots are rational. This process was used already by Diophantos to find new unobvious points from known obvious ones. The variant in which one takes the third point of intersection with the curve of the tangent at a rational point was, according to Weil, first noted by Newton. An older generation of mathematicians refer to these as the "chord and tangent processes". In general, starting from one rational point $a$ on $C$ one obtains infinitely many by the chord and tangent processes. If this is not the case, $a$ is said to be exceptional. For example we have
Lemma 1. Let $a \ge 1$ be a cube-free integer and let $C: X^3 + Y^3 - aZ^3 = 0$. The point $(1,-1,0)$ is exceptional. For $a = 1$ the points $(0,1,1)$, $(1,0,1)$ are also exceptional. For $a = 2$ the point $(1,1,1)$ is exceptional. No other rational point is exceptional.
Proof. We first show that the given points are indeed exceptional. The tangent at $(1,-1,0)$ is $X + Y = 0$, which meets $C$ only at $(1,-1,0)$. The other cases for $a = 1$ are similar.
The tangent at $(1,1,1)$ for $a = 2$ is $X + Y - 2Z = 0$, which meets $C$ again only at $(1,-1,0)$. Let $x = (x, y, z)$ be a rational point other than those named. We may
² For the cognoscenti. If the ground field is not perfect, the conclusion does not necessarily hold. See Note at end of §9.
suppose that $x, y, z$ are integers without common factor. The equation for $C$ implies that then $x, y, z$ are coprime in pairs. Let $x_1 = (x_1, y_1, z_1)$ be the third point of intersection of the tangent at $x$, where again $x_1, y_1, z_1$ are integers without common factor. It may be verified³ that $x_1 : y_1 : z_1 = x(x^3 + 2y^3) : -y(2x^3 + y^3) : z(x^3 - y^3)$. Let $d$ be the greatest common divisor of the three terms on the right hand side. If a prime $p$ divides both $x$ and $d$ it must also divide $y$, a contradiction. Hence $d$ divides $x^3 + 2y^3$ and $2x^3 + y^3$. It thus divides $3x^3$ and $3y^3$, so $d = 1$ or $3$. Hence $z_1 = \pm z(x^3 - y^3)$ or $z_1 = \pm z(x^3 - y^3)/3$. In either case, it is readily verified that $|z_1| > |z|$ except for the $x$ listed in the enunciation. By repeating the tangent process we thus get a sequence of points $x, x_1, x_2, \dots$ with $|z| < |z_1| < |z_2| < \dots$. Hence the $x_j$ are distinct, and $x$ is not exceptional.
§6. Exercises
1. (i) Show that the cubic curve $Y^2Z = X^3 + AXZ^2 + BZ^3$ is non-singular provided that $4A^3 + 27B^2 \ne 0$. (ii) If $4A^3 + 27B^2 = 0$, find a singularity and decide whether it is a cusp or a double point with distinct tangents.
2. (i) Let $F(X) = a_1X_1^3 + a_2X_2^3 + a_3X_3^3 + dX_1X_2X_3$, where $a_1a_2a_3 \ne 0$. Show that $F(X) = 0$ is non-singular provided that $27a_1a_2a_3 + d^3 \ne 0$. (ii) If $a_1 = a_2 = a_3 = 1$, $d = -3$, show that any point $(x_1, x_2, x_3)$ with $x_1^3 = x_2^3 = x_3^3 = x_1x_2x_3 = 1$ is a singularity.
³ This is essentially a special case of elegant formulae of Desboves for the chord and tangent processes. See Exercises and Formulary.
(iii) How does the result of (ii) square with the result proved in the text that a cubic curve has at most one singularity?
3. Let $F(X)$ be as in the previous question and suppose that $F(X) = 0$ is non-singular. (i) Let $F(x) = 0$. Show that the third intersection $t$ of the tangent at $x$ is given by $t_j = x_j(a_{j+1}x_{j+1}^3 - a_{j+2}x_{j+2}^3)$ ($j = 1, 2, 3$), where the suffixes are taken mod 3. (ii) Let $x, y$ be distinct points on $F(X) = 0$. Show that the third intersection $z$ of the line joining them is given by $z_j = x_j^2 y_{j+1}y_{j+2} - y_j^2 x_{j+1}x_{j+2}$. [Formulae of Desboves].
4. Starting with the solution $(2, -1, -1)$ of $X^3 + Y^3 + 7Z^3 = 0$, find 10 distinct solutions.
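As an added worked example (not part of Cassels' text), the following Python implements Desboves' tangent and chord formulae from Exercise 3 for the curve $a_1X_1^3 + a_2X_2^3 + a_3X_3^3 + dX_1X_2X_3 = 0$ and uses them to carry out Exercise 4: iterating the tangent process from $(2,-1,-1)$ on $X^3 + Y^3 + 7Z^3 = 0$. The function names and the gcd-and-sign normalisation of projective points are this example's own choices. The orbit routine also detects the finite orbit of an exceptional point in the sense of Lemma 1, which the text illustrates for $(1,1,1)$ on $X^3 + Y^3 - 2Z^3 = 0$.

```python
from math import gcd


def cubic_value(coeffs, pt):
    """F(x) = a1*x1^3 + a2*x2^3 + a3*x3^3 + d*x1*x2*x3 for coeffs = (a1, a2, a3, d)."""
    a1, a2, a3, d = coeffs
    x1, x2, x3 = pt
    return a1 * x1**3 + a2 * x2**3 + a3 * x3**3 + d * x1 * x2 * x3


def normalize(pt):
    """Projective normal form: divide out the gcd and make the first nonzero entry positive."""
    g = gcd(gcd(pt[0], pt[1]), pt[2])
    if g == 0:
        raise ValueError("the zero vector is not a projective point")
    pt = tuple(c // g for c in pt)
    lead = next(c for c in pt if c != 0)
    return pt if lead > 0 else tuple(-c for c in pt)


def tangent_third_point(coeffs, x):
    """Desboves' tangent formula: t_j = x_j (a_{j+1} x_{j+1}^3 - a_{j+2} x_{j+2}^3), suffixes mod 3."""
    a = coeffs[:3]
    t = tuple(x[j] * (a[(j + 1) % 3] * x[(j + 1) % 3]**3 - a[(j + 2) % 3] * x[(j + 2) % 3]**3)
              for j in range(3))
    return normalize(t)


def chord_third_point(x, y):
    """Desboves' chord formula: z_j = x_j^2 y_{j+1} y_{j+2} - y_j^2 x_{j+1} x_{j+2}."""
    z = tuple(x[j]**2 * y[(j + 1) % 3] * y[(j + 2) % 3] - y[j]**2 * x[(j + 1) % 3] * x[(j + 2) % 3]
              for j in range(3))
    return normalize(z)


def tangent_orbit(coeffs, start, max_points):
    """Repeat the tangent process from `start`; stop at a repeated point or after max_points points.
    Each new point is checked to lie on the curve.  A short orbit that closes up is the behaviour
    Lemma 1 calls exceptional (for the curves it covers)."""
    pts = [normalize(start)]
    seen = {pts[0]}
    while len(pts) < max_points:
        nxt = tangent_third_point(coeffs, pts[-1])
        if cubic_value(coeffs, nxt) != 0:
            raise ArithmeticError("Desboves' formula produced a point off the curve")
        if nxt in seen:
            break
        pts.append(nxt)
        seen.add(nxt)
    return pts


if __name__ == "__main__":
    FERMAT7 = (1, 1, 7, 0)                       # X^3 + Y^3 + 7 Z^3, Exercise 4
    for i, pt in enumerate(tangent_orbit(FERMAT7, (2, -1, -1), 10)):
        # the coordinates grow four-fold in length at every step, so only the early ones are printed in full
        print(i, pt if pt[2].bit_length() < 4000 else "z has %d bits" % pt[2].bit_length())
    print(tangent_orbit((1, 1, -2, 0), (1, 1, 1), 10))   # the exceptional point of Lemma 1, a = 2
```

The ten points of Exercise 4 are pairwise distinct because, exactly as in the proof of Lemma 1, the last coordinate grows at every step; the chord formula is included so that the two Desboves formulae can be checked against each other (the chord through a point and its tangential third point returns the original point).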
7 Non-singular cubics. The group law
Let $C$ be a non-singular cubic curve and let $o$ be a rational point on $C$. We show that the set of rational points on $C$ has a natural structure of commutative group with $o$ as neutral element ("zero"). Here the ground field is arbitrary, the curve $C$ is defined over it, and by rational point we mean point defined over the ground field. The group law is defined as follows. Let $a, b$ be rational points. Let $d$ be the third point of intersection with $C$ of the line through $a, b$. Let $e$ be the third point of intersection of the line through $o, d$. Then we write $a + b = e$. The construction has to be interpreted appropriately if two or more of the points involved coincide. For example if $b = a$ we take the tangent at $a$.
We have to show that this operation gives a structure of commutative group. Clearly $a + b = b + a$ and $o + a = a$ for all $a$. Next we construct the inverse. Let the third intersection of the tangent at $o$ be $k$. Let $a^-$ be the third intersection of the line through $a$ and $k$. Then by definition $a + a^- = o$. The crunch is to show that $+$ is associative: $(a + b) + c = a + (b + c)$. We give two proofs; the first geometric, the second more fundamental. Let $a, b, c$ be given. Consider the diagram
[Diagram: the points $a, b, c, d, e, f, o, u, v, w$ and the lines $r, s, t, l, m, n$.]
Here $r, s, t, l, m, n$ are the names of lines and the remaining symbols
are points on $C$. All except $f, w$ are intersections of two of the lines. The whole figure is determined once $a, b, c$ and $o$ are given. We have $(a + b) = e$, and so $(a + b) + c$ is the third intersection of the line through $o, f$. Similarly $a + (b + c)$ is the third intersection of the line through $o, w$. To prove associativity, we thus have to show that $f, w$ are not as shown but coincide with the unlabelled intersection of the lines $r, m$. We now recall a geometrical
Lemma 1. Let $x_1, \dots, x_8$ be 8 points of the plane in general position⁴. Then there is a 9th point $y$ such that every cubic curve through $x_1, \dots, x_8$ also passes through $y$.
We briefly recall the proof of the lemma. A cubic form $F(X)$, $X = (X_1, X_2, X_3)$ has 10 coefficients. An equation $F(x) = 0$ imposes a linear condition on the coefficients. Passing through $x_1, \dots, x_8$ imposes 8 conditions. Hence if $F_1(X), F_2(X)$ are linearly independent forms through the 8 points, any other $F$ is of the shape $F(X) = \lambda F_1(X) + \mu F_2(X)$. Now $F_1 = 0$, $F_2 = 0$ have 9 points in common; and clearly $F = 0$ passes through them all.
Now to the application of the Lemma. Let an equation for the line $l$ be $l(X) = 0$ etc. and consider the two (reducible) cubics $F_1(X) = l(X)m(X)n(X) = 0$, $F_2(X) = r(X)s(X)t(X) = 0$. Our nonsingular cubic $C$ passes through 8 of the points of intersection of $F_1 = 0$, $F_2 = 0$ and so by the Lemma must pass through the 9th. Hence $f = w$, as required.
We now present a second proof of the associativity of the relation for points which is more basic. A linear form $l(X)$ (say) does not give a meaningful function on the curve $C$ because the co-ordinates $X$ are homogeneous. On the other hand, if $t(X)$ is another linear form, then the quotient $g(X) = l(X)/t(X)$ does give something meaningful. In the situation just discussed, the line
⁴ This is the geometer's way of saying "such that the proffered proof works".
In this case, what is needed is that the $x_j$ give linearly independent conditions on the coefficients of $F$: so no 4 on a line and no 7 on a conic.
$l(X) = 0$ passes through $a, b, d$ and $t(X) = 0$ through $d, o, e$, all being points on $C$. The function $g(X)$ thus has a zero at $a, b$ and a pole at $o, e$. At the point $d$ there is neither a zero nor a pole, as the zeros of the linear forms cancel out. There is the notion of the order of a pole or zero at a nonsingular point of an algebraic curve which generalizes in an obvious way the notion of the order of a zero or pole of a rational function of a single variable. In our case, $g(X)$ clearly has simple poles at $a, b$ and simple zeros at $o, e$. The equation $e = a + b$ is equivalent to the existence of such a function. Similarly, the equation $x = (a + b) + c$ is equivalent to the existence of a function with simple poles at $a, b, c$, a double zero at $o$ and a simple zero at $x$. The equation $(a + b) + c = a + (b + c)$ is now obvious.
This point of view shows that the group law is unchanged under birational equivalence, since it depends only on the function field of the curve. The geometer would say that $a + b = c$ precisely when the divisor $\{a, b\}$ is linearly equivalent to the divisor $\{o, c\}$.
We conclude with an informal explanation of what is meant by saying that a nonsingular cubic curve is of genus 1. Let $r \ge 2$ and let $x_1, \dots, x_r, y_1, \dots, y_{r-1}$ be points on $C$, for simplicity all distinct. By manipulating linear forms in $X$, as we did in the construction of $g(X)$, one can construct a function $h(X)$ on the curve whose only poles are simple poles at $x_1, \dots, x_r$ and which has zeros at $y_1, \dots, y_{r-1}$. Then $h(X)$ has one further zero, which is completely determined. Contrast the position on the line. Let $c_1, \dots, c_r, d_1, \dots, d_r$ be any $2r$ distinct numbers. Then the function $\prod_j (X - d_j) / \prod_j (X - c_j)$ has simple zeros at the $d_j$, simple poles at the $c_j$ and no further zeros or poles (even at infinity). The genus of a curve is a measure of the freedom in imposing the zeros and poles of a function.
The precise statement, which we shall not need, is slightly complicated and is called the Riemann-Roch Theorem.
§7. Exercises
1. Let $o, a$ be rational points on the nonsingular cubic $C$. Construct the point $-a$ with respect to the group law for which $o$ is the neutral element.
2. Let $o, o_1$ be rational points on the nonsingular cubic $C$. Show how the group law for which $o_1$ is the neutral element can be expressed in terms of that for which $o$ is the neutral element.
3. Let $o, a$ be rational points on the nonsingular cubic $C$ and suppose that $3a = o$ with respect to the group law based on $o$. Let $b = 2a$. Show that each side of the triangle $o, a, b$ meets the tangent to $C$ at the opposite vertex at a point of $C$. Take $o, a, b$ as the triangle of reference and express this condition in terms of the coefficients of the cubic form determining $C$.
4. Let $C$ be the curve $X^3 + Y^3 - XZ^2 - YZ^2 + 7XYZ = 0$ and let $x = (x, y, z)$ be a point on $C$ defined over some $\mathbb{Q}_p$. Show that $y/x \to -1$ as $x \to (0, 0, 1)$ (with respect to the $p$-adic topology).
5. In this question everything is defined over $\mathbb{Q}_p$ for some $p$. Let $a$ be a nonsingular point on the cubic curve $F(X, Y, Z) = 0$ and let $t(X) = 0$ be the tangent. Let $l(X) = 0$, $m(X) = 0$ be lines through $a$ distinct from the tangent. Show that there are $d, e, f$ such that $dl(X) + em(X) + ft(X) = 0$ (identically) with $d \ne 0$, $e \ne 0$. Show that $m(x)/l(x) \to -d/e$ as $x \to a$.
8 Elliptic curves. Canonical Form
We are concerned with algebraic curves defined up to a birational equivalence over the ground field. For genus 0 we saw that every curve is equivalent to a conic (or line). For genus 1 no such reduction to a special form or forms is possible. The situation changes when we are also given a point on the curve which is defined over the ground field (a "rational point"). It is convenient to have a special name for this situation: an elliptic curve is a curve of genus 1 together with the specification of a rational point on it.
As canonical form we take $C: Y^2 = X^3 + AX + B$ or, in homogeneous co-ordinates, $Y^2Z = X^3 + AXZ^2 + BZ^3$. The right hand side does not have multiple roots provided that $4A^3 + 27B^2 \ne 0$. The specified rational point $o$ is the point $(X, Y, Z) = (0, 1, 0)$ at infinity. Since the line at infinity is an inflexional tangent at $o$, the group law on $C$ is especially simple: $-(x, y) = (x, -y)$ and $a + b + c = o$ precisely when $a, b, c$ are collinear. We shall find this choice of canonical form particularly convenient when the ground field is $\mathbb{Q}$. When the ground field is of characteristic 2 or 3, we can no longer use $C$ as a canonical form but must use $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$.
However this is quite peripheral to our purposes and we leave it to the reader, if she wishes, to deal with these cases. As we have not formally defined curves of genus 1, we will not give a formal proof that elliptic curves are birationally equivalent to the canonical form. In compensation we will give detailed algorithms for converting certain kinds of elliptic curves to that form. These could well be omitted at first reading.
Fact (characteristic $\ne 2, 3$). Any elliptic curve is birationally equivalent over the ground field to the canonical form for some $A, B$. More precisely the curve $D$ is equivalent to $C$ and the equivalence takes the specified rational point $O$ on $D$ into the point at infinity on $C$.
Proof for the Cognoscenti. By the Riemann-Roch theorem, the set of functions on the curve with at worst a pole of order 2 at $O$ has dimension 2. Let a basis be $1, \xi$. Similarly the set of functions with at worst a triple pole at $O$ is of dimension 3, with basis say $1, \xi, \eta$. Then the functions $1, \xi, \eta, \xi^2, \xi\eta, \xi^3, \eta^2$ all have at worst a pole of order 6. By the Riemann-Roch Theorem, there must be a linear relation between the 7 listed functions. The relation must involve both $\xi^3$ and $\eta^2$. A transformation $\xi \to c_1\xi + c_2$, $\eta \to c_3\eta + c_4\xi + c_5$ reduces the relation to $\eta^2 = \xi^3 + A\xi + B$ for some $A, B$.
Note for the Cognoscenti. The reason why there is no canonical form, or finite family of canonical forms, for curves of genus 1 is that $2(g - 1) = 0$ for $g = 1$. For every other genus we can use the divisor of the differential of a function defined over the ground field to give a birational map. For example, for genus 2, there is always equivalence with some curve $Y^2 = $ sextic in $X$.
Particular cases. The above proof does not, in any case, usually provide a practical algorithm. We discuss some special cases. Note that it is
enough to transform the curve into the shape $C$. For if it takes $O$ into $a$, we can make the translation $x \to x - a$ on $C$.
(i) Cubic curve $D$. Rational point $O$ has inflexional tangent. Here a linear transformation of co-ordinates is enough, taking $O$ to $o$ and the tangent to the line at infinity. For example $D: X^3 + Y^3 + dZ^3 = 0$, $O = (1, -1, 0)$. Put $X = U + V$, $Y = U - V$. Then $6UV^2 = -2U^3 - dZ^3$, so $Y_1^2 Z_1 = X_1^3 - 2^4 3^3 d^2 Z_1^3$, where $X_1 = -6dZ$, $Y_1 = 6^2 dV$, $Z_1 = U$.
(ii) Cubic curve $D$. Rational point $O$ not on inflexional tangent⁵. The tangent at $O$ meets $D$ again at a rational point $P$, say. We may take an affine system of co-ordinates with $P$ as origin and with the tangent as $Y$-axis.
⁵ The argument is due to Nagell: Sur les propriétés arithmétiques des cubiques planes du premier genre. Acta Math. 52 (1928-9), 92-106. Older geometrical techniques (adjoint curves etc.) had shown that every elliptic curve is birationally equivalent to a cubic, but he was the first to show that it can be reduced to the canonical form.
Then the curve $D$ is given by $F(X, Y) = 0$, where $F(X, Y) = F_1(X, Y) + F_2(X, Y) + F_3(X, Y)$, with $F_j$ homogeneous of degree $j$. The $Y$-axis meets the curve at $(0, y)$, where $0 = yF_1(0,1) + y^2F_2(0,1) + y^3F_3(0,1)$. Since the $Y$-axis is a tangent, we have a double root: $F_2(0,1)^2 - 4F_1(0,1)F_3(0,1) = 0$. (*) Now consider the intersection of the curve with $Y = tX$. Then $0 = xF_1(1,t) + x^2F_2(1,t) + x^3F_3(1,t)$. Discarding the solution $x = 0$, we have $s^2 = F_2(1,t)^2 - 4F_1(1,t)F_3(1,t) = G(t)$ (say), where $s = 2F_3(1,t)x + F_2(1,t)$. Now $G(t)$ is a cubic by (*); and we achieve the canonical form by a linear transformation on $s, t$.
(iii) Curve $D$ is $Y^2 = $ quartic in $X$ with rational point. Let the rational point be $(a, b)$. By the transformation $X \to 1/(X - a)$, $Y \to Y/(X - a)^2$ we may suppose that the rational point is at infinity: $Y^2 = f_0 + f_1X + f_2X^2 + f_3X^3 + f_4X^4$, where $f_4$ is a square. On dividing by $f_4$, we have without loss of generality $f_4 = 1$. We can write the right hand side as $G(X)^2 + H(X)$, where $G(X) = X^2 + g_1X + g_0$, $H(X) = h_1X + h_0$, and the $g_j, h_j$ are easily given in terms of the $f_j$. The equation of the curve is now $(Y + G(X))(Y - G(X)) = H(X)$. Put $Y + G(X) = T$,
$Y - G(X) = H(X)/T$ and $2G(X) = T - H(X)/T$. Multiply by $T^2$ and put $TX = S$. We get $2S^2 + 2g_1TS + 2g_0T^2 = T^3 - h_1S - h_0T$. This is readily brought to the canonical form.
(iv) Intersection of two quadric surfaces with a rational point. We use homogeneous co-ordinates $X, Y, Z, T$ and may suppose that the common rational point is $(0, 0, 0, 1)$. The two quadric forms are thus of the shape $Q_1 = TL + R$, $Q_2 = TM + S$, where $L, M$ are linear in $X, Y, Z$ and $R, S$ are quadratic. Suppose, first, that $L$ and $M$ are linearly dependent. Then without loss of generality $M = 0$. The intersection is $S(X, Y, Z) = 0$, $T = -R(X, Y, Z)/L(X, Y, Z)$, which is of genus 0. Otherwise, eliminating $T$, we have $C(X, Y, Z) = LS - RM = 0$, where $C$ is a homogeneous cubic. It has the rational point $L(X, Y, Z) = M(X, Y, Z) = 0$. Hence we are reduced to an earlier case.
§8. Exercises
1. Transform the following curves to canonical form: (i) $X^3 + Y^3 + dZ^3 = 0$ (ii) $X^3 + Y^3 + Z^3 - 3mXYZ = 0$ (iii) $Y^2 - kT^2 = X^2$, $Y^2 + kT^2 = Z^2$ (iv) X2X2 - X,X2 - X-LX2 + A'2X3 = 0
2. [Difficult]. Show that the group law on $X^2 = Y^2 - T^2$, $Z^2 = Y^2 + T^2$
with $(1, 1, 1, 0)$ as neutral element is given by $x_3 = x_1 + x_2$, where X3 = Xit-lVlZ-l - 1^^222, $y_3 = y_2t_2z_1x_1 - y_1t_1z_2x_2$, $z_3 = z_2t_2x_1y_1 - z_1t_1x_2y_2$, t3 = t2T2 - /2т2 - A/2 - A,2 - /А2 - t2r2 S3 — t-2xl llx2 — ‘'2У1 41У2 — l2z1.
3. (i) Find all the points defined over the field $\mathbb{F}_5$ of 5 elements on each of $Y^2Z = X^3 + XZ^2$, $Y^2Z = X^3 + 2XZ^2$, $Y^2Z = X^3 + Z^3$. Check in each case that they form a group under the group law, with $(0, 1, 0)$ as neutral element. (ii) As (i) but with other $\mathbb{F}_p$ and other curves $Y^2Z = X^3 + AXZ^2 + BZ^3$. Find an example where the group is not cyclic. Can you find an example where the group requires more than 2 generators?
4. In the curves considered below, the point at infinity is taken as neutral element for the group law. (i) Let $Y^2 = (X - a)(X^2 + aX + b)$ be an elliptic curve. Show that the transformation $x \to x + (a, 0)$ induces a fractional-linear transformation $T: x \to (t_{11}x + t_{12})/(t_{21}x + t_{22})$. Check that $T^2: x \to x$. (ii) Consider $Y^2 = (X - a_1)(X - a_2)(X - a_3)$ and let $T_1, T_2, T_3$ be as in (i) with $a = a_j$ ($j = 1, 2, 3$). Show that $T_1, T_2, T_3$ commute and that $T_1T_2T_3: x \to x$. (iii) Let $T_j$ be the $2 \times 2$ matrix of coefficients $\begin{pmatrix} t_{11} & t_{12} \\ t_{21} & t_{22} \end{pmatrix}$ with $a = a_j$ ($j = 1, 2, 3$). Show that $T_1T_2 + T_2T_1 = 0$. (iv) Find the fixed points of $T_1$ and show that they are interchanged by $T_2$.
5. Find a necessary and sufficient condition that a line $Y = lX + m$
should be an inflexional tangent to $Y^2 = X^3 + AX + B$. Hence find a general formula for the curves in canonical form having a rational point of order 3.
6. Find a necessary and sufficient condition that a line $Y = lX + m$ should be an inflexional tangent to $Y^2 = X(X^2 + aX + b)$. Hence find a general formula for curves in canonical form having a point of order 6.
7. Let $F(X, Y, Z) = X^2Y + XZ^2 + 2Y^3 + Z^3$. Find a birational transformation defined over $\mathbb{Q}$ taking the curve $F = 0$ into canonical form with the point $(1, 0, 0)$ going to the point at infinity.
8. Find a birational transformation defined over $\mathbb{Q}$ taking $X_1^2 - 2X_2^2 + X_3^2 = 0$, $X_2^2 - 2X_3^2 + X_4^2 = 0$ into canonical form, with $(1, 1, 1, 1)$ going to the point at infinity.
9. Invent similar exercises to the two preceding, and solve them.
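The following Python is an added example, not code from the book: it implements the group law of §7 on the canonical form $Y^2 = X^3 + AX + B$ over a prime field $\mathbb{F}_p$ with $o = (0,1,0)$, using the chord-and-tangent formulae that follow from $-(x,y) = (x,-y)$ and "collinear means the sum is $o$". It then does Exercise 3(i) by machine: it lists the points over $\mathbb{F}_5$, checks the group axioms by exhaustive enumeration (associativity is the part the text proves with the nine-point lemma), and reports the invariant factors, which shows that $Y^2Z = X^3 + XZ^2$ over $\mathbb{F}_5$ is not cyclic. The class and function names are the example's own.

```python
class CurveFp:
    """Y^2 = X^3 + A X + B over F_p, p an odd prime; the neutral element o = (0, 1, 0) is encoded as None."""

    def __init__(self, A, B, p):
        if (4 * A ** 3 + 27 * B ** 2) % p == 0:
            raise ValueError("4A^3 + 27B^2 = 0 mod p: the curve is singular")
        self.A, self.B, self.p = A % p, B % p, p

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.A * x + self.B)) % self.p == 0

    def neg(self, P):
        """-(x, y) = (x, -y): the line at infinity is an inflexional tangent at o."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """a + b + c = o when a, b, c are collinear: take the third intersection and negate it."""
        p, A = self.p, self.A
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                           # Q = -P: the line is vertical
        if P == Q:
            lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p      # slope of the tangent
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p             # slope of the chord
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def points(self):
        """All points over F_p, o first."""
        return [None] + [(x, y) for x in range(self.p) for y in range(self.p) if self.on_curve((x, y))]

    def order(self, P):
        n, R = 1, P
        while R is not None:
            R, n = self.add(R, P), n + 1
        return n

    def structure(self):
        """Invariant factors: (N,) if cyclic, else (N/e, e) with e the exponent (the group has rank <= 2)."""
        pts = self.points()
        N, e = len(pts), max(self.order(P) for P in pts)
        return (N,) if e == N else (N // e, e)


def check_group_axioms(curve):
    """Exhaustive check of closure, neutral element, inverses, commutativity and associativity."""
    pts = curve.points()
    for P in pts:
        if curve.add(P, None) != P or curve.add(P, curve.neg(P)) is not None:
            return False
        for Q in pts:
            S = curve.add(P, Q)
            if not curve.on_curve(S) or S != curve.add(Q, P):
                return False
            for R in pts:
                if curve.add(S, R) != curve.add(P, curve.add(Q, R)):
                    return False
    return True


if __name__ == "__main__":
    for A, B in ((1, 0), (2, 0), (0, 1)):                 # the three curves of Exercise 3(i) over F_5
        E = CurveFp(A, B, 5)
        print(E.points(), E.structure(), check_group_axioms(E))
```

Over $\mathbb{F}_5$ the curve $Y^2 = X^3 + X$ has only the three points with $Y = 0$ besides $o$, so every element has order 2 and the group is $\mathbb{Z}/2 \times \mathbb{Z}/2$; the same code answers the "not cyclic" part of Exercise 3(ii) for any other small $p$, and the exhaustive associativity check is feasible for $p$ up to a few dozen.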
9 Degenerate laws
In this section we consider the curve $C: Y^2 = X^3 + AX + B$ (1) when $4A^3 + 27B^2 = 0$. (2) There is then precisely one singular point. We recall that if (2) does not hold, there is a group law on the curve given by⁶ $a + b + c = 0$ whenever $a, b, c$ are the intersection of a line with $C$. We show that this continues to give a group law on the nonsingular points in the degenerate case (2), and we find out what it is. There are two cases, the second with two subcases.
First case. Cusp. Suppose $A = B = 0$, so $C: Y^2Z = X^3$ with a singular point at the origin. Any line not passing through the origin can be written $Z = lX + mY$. It meets $C$ where $X^3 - Y^2(lX + mY) = 0$.
⁶ We write indifferently $0$ or $o$ for the neutral element of the group law.
If the three points of intersection are $(x_j, y_j, z_j)$ ($j = 1, 2, 3$), it follows that $u_1 + u_2 + u_3 = 0$, where $u_j = x_j/y_j$. We therefore have the additive group, the zero being the point $(0, 1, 0)$ at infinity.
Second case⁷. Double point. (Characteristic $\ne 2$). If not both $A, B$ vanish, then, after a transformation $X \to X + $ constant, we have $C: Y^2Z = X^2(X + CZ)$ ($C \ne 0$), i.e. $(Y^2 - CX^2)Z = X^3$. Suppose, first, that $C = \gamma^2$ is a square. Put $U = Y + \gamma X$, $V = Y - \gamma X$, so $C$ is given by $8\gamma^3 UVZ = (U - V)^3$. Any line not passing through the origin can be written $Z = lU + mV$. It meets $C$ where $(U - V)^3 - 8\gamma^3 UV(lU + mV) = 0$. If the points of intersection are $(u_j, v_j, z_j)$ ($j = 1, 2, 3$), then $\left(\frac{u_1}{v_1}\right)\left(\frac{u_2}{v_2}\right)\left(\frac{u_3}{v_3}\right) = 1$. We have the multiplicative group.
Now suppose that $C$ is not a square. Adjoin $\gamma$ to the ground field, where $\gamma^2 = C$. For a point $(x, y, z)$ on $C$, put $\frac{y + \gamma x}{y - \gamma x} = r + s\gamma$ (say), where $r^2 - s^2C = 1$. (*) We now have a "twisted" multiplication law on (*). Compare the multiplication of the complex numbers $x + iy$ with $x^2 + y^2 = 1$.
⁷ We shall not require the details about this case in later work.
Note for the Cognoscenti. In characteristic 2 the curve $C: Y^2Z = X^3 + AXZ^2 + BZ^3$ is always singular. Write the equation as $(Y^2 - BZ^2)Z = X(X^2 + AZ^2)$. Over a finite (or, more generally, a perfect) field, we have $B = \beta^2$, $A = \alpha^2$ for some $\alpha, \beta$. Then the curve is $(Y + \beta Z)^2Z = X(X + \alpha Z)^2$, which is clearly singular. If the ground field is not perfect, we may have an example of a singularity defined over an inseparable extension, compare footnote in §6.
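Added example (not from the text): the degenerate group laws of this section checked by enumeration over $\mathbb{F}_p$. For $Y^2 = X^2(X + C)$ the map $(x, y) \mapsto (y + \gamma x)/(y - \gamma x)$ is written as $r + s\gamma$ with $r^2 - Cs^2 = 1$, which covers both the square case (where the image is $\mathbb{F}_p^*$, of order $p - 1$) and the non-square case (the twisted law (*), of order $p + 1$); for the cusp $Y^2 = X^3$ the map is $u = x/y$. The code verifies that each map turns the chord-and-tangent law on the nonsingular points into the claimed multiplication or addition, and that the point counts are $p - 1$, $p + 1$ and $p$. The addition formulae for $y^2 = x^3 + Cx^2$ are the usual Weierstrass ones with $a_2 = C$; the function names and the sample prime $p = 7$ are the example's own choices.

```python
def nonsingular_points(C, p):
    """Affine nonsingular points of y^2 = x^2 (x + C) over F_p; C = 0 gives the cusp y^2 = x^3.
    The origin is the singular point and the only point with x = 0, so x runs over 1..p-1."""
    return [(x, y) for x in range(1, p) for y in range(p) if (y * y - x * x * (x + C)) % p == 0]


def add(P, Q, C, p):
    """Chord-and-tangent law on y^2 = x^3 + C x^2 with o = None at infinity and -(x, y) = (x, -y)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + 2 * C * x1) * pow(2 * y1, -1, p) % p   # tangent
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p                    # chord
    x3 = (lam * lam - C - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def node_image(P, C, p):
    """(y + g x)/(y - g x) with g^2 = C, written as r + s g where r^2 - C s^2 = 1; o maps to 1.
    Well defined on the nonsingular points because y^2 - C x^2 = x^3 != 0 there."""
    if P is None:
        return (1, 0)
    x, y = P
    inv = pow((y * y - C * x * x) % p, -1, p)
    return ((y * y + C * x * x) * inv % p, 2 * x * y * inv % p)


def twisted_mul(a, b, C, p):
    """(r1 + s1 g)(r2 + s2 g) with g^2 = C: the multiplication on the set (*) of the text."""
    return ((a[0] * b[0] + C * a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)


def cusp_image(P, p):
    """u = x/y on y^2 = x^3, with u(o) = 0."""
    return 0 if P is None else P[0] * pow(P[1], -1, p) % p


def check_node_law(C, p):
    """Every image has norm 1 and the map respects the group law: the 'double point' case."""
    pts = nonsingular_points(C, p) + [None]
    for P in pts:
        r, s = node_image(P, C, p)
        if (r * r - C * s * s) % p != 1:
            return False
        for Q in pts:
            lhs = node_image(add(P, Q, C, p), C, p)
            if lhs != twisted_mul(node_image(P, C, p), node_image(Q, C, p), C, p):
                return False
    return True


def check_cusp_law(p):
    """u(P + Q) = u(P) + u(Q): the 'cusp' case gives the additive group of F_p."""
    pts = nonsingular_points(0, p) + [None]
    return all(cusp_image(add(P, Q, 0, p), p) == (cusp_image(P, p) + cusp_image(Q, p)) % p
               for P in pts for Q in pts)


if __name__ == "__main__":
    p = 7                              # sample prime: 2 is a square mod 7 (3^2 = 2), 3 is not
    for C in (2, 3, 0):
        total = len(nonsingular_points(C, p)) + 1
        print("C =", C, "points:", total, "law verified:", check_node_law(C, p) if C else check_cusp_law(p))
```

Running it prints $6 = p - 1$, $8 = p + 1$ and $7 = p$ points respectively, each with the law verified; the discrepancy between the three orders is the reason the degenerate cases have to be separated in the next two sections.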
10 Reduction
The philosophy is to approach the rational field $\mathbb{Q}$ through the local fields $\mathbb{Q}_p$ and, similarly, to approach the $\mathbb{Q}_p$ through the finite fields $\mathbb{F}_p$ by reduction modulo $p$. We do no more than is required for the applications.
The mod $p$ map $\mathbb{Z}_p \to \mathbb{F}_p$ is denoted by a bar $a \to \bar a$. This is extended to the corresponding 2-dimensional projective planes $\mathcal{P}, \bar{\mathcal{P}}$ as follows. Let $(a_1, a_2, a_3)$ be projective co-ordinates of a point $a$ of $\mathcal{P}$. By multiplying $a_1, a_2, a_3$ by the same element of $\mathbb{Q}_p$, we have without loss of generality $\max\{|a_1|, |a_2|, |a_3|\} = 1$, where $|\ | = |\ |_p$. Then $(\bar a_1, \bar a_2, \bar a_3)$ are the co-ordinates of a well-defined point $\bar a$ of $\bar{\mathcal{P}}$. In a similar way, we define the reduction $\bar l$ of a line $l: l_1X_1 + l_2X_2 + l_3X_3 = 0$. If the point $a$ lies on the line $l$, then clearly $\bar a$ lies on $\bar l$.
We need only the least sophisticated of the many ways of reducing a cubic curve $C: F(X) = 0$ defined over $\mathbb{Q}_p$. Here $F(X) = \sum f_{ijk}X_iX_jX_k \in \mathbb{Q}_p[X]$, where the $f_{ijk} \in \mathbb{Q}_p$ are not all 0 and without loss of generality $\max |f_{ijk}| = 1$.
Then $\bar F(X) = \sum \bar f_{ijk}X_iX_jX_k \in \mathbb{F}_p[X]$ is not the zero polynomial, and defines the reduced curve $\bar C: \bar F(X) = 0$ over $\mathbb{F}_p$. It may, of course, be reducible⁸. If a point $a$ lies on $C$, then clearly $\bar a$ lies on $\bar C$. There is a weak converse.
Lemma 1. Let $\bar b$ be a nonsingular point of $\bar C$. Then there is an $a$ on $C$ such that $\bar a = \bar b$.
Note. The notation $\bar b$ is intended to denote a point defined over $\mathbb{F}_p$ not necessarily derived from a $b$. We say that $\bar b$ lifts to $a$. It is easy to see by examples that a singular point on $\bar C$ may or may not lift to a point of $C$ (cf. Exercises).
We construct $a$ by successive approximation à la Newton. The generic term for such constructions in $p$-adic analysis is Hensel's Lemma.
Lemma 2. Let $G(T) \in \mathbb{Z}_p[T]$ and let $t_0 \in \mathbb{Z}_p$ be such that $|G(t_0)| < 1$, $|G'(t_0)| = 1$, where $G'$ is the formal derivative of $G$. Then there is a $t \in \mathbb{Z}_p$ such that $G(t) = 0$, $|t - t_0| \le |G(t_0)|$.
Assuming the truth of Hensel's Lemma for the moment, we complete the proof of the Lemma. Since $\bar b$ is nonsingular on $\bar C$, we may suppose that $\frac{\partial \bar F}{\partial X_1}(\bar b) \ne 0$. Pick any $b_j \in \mathbb{Z}_p$ such that $\bar b = (\bar b_1, \dots, \bar b_n)$. Then the conditions of Hensel's Lemma apply to $G(T) = F(T, b_2, \dots, b_n)$, $t_0 = b_1$. Put $a = (t, b_2, \dots, b_n)$, where $t$ is provided by Hensel. Clearly $F(a) = 0$, $\bar a = \bar b$, so $a$ does what is required.
It remains to prove Hensel's Lemma. Let $U$ be an indeterminate.
⁸ In the sense that $\bar F(X)$ factorizes. There is an unfortunate clash of meanings between "reduced" (mod $p$) and "reducible".
Then $G(T + U) = G(T) + UG_1(T) + U^2G_2(T) + \cdots$, where $G_j \in \mathbb{Z}_p[T]$ and $G_1 = G'$. Now define $u = -G(t_0)/G'(t_0)$, so $G(t_0 + u) = u^2G_2(t_0) + u^3G_3(t_0) + \cdots$. Hence $|G(t_1)| \le |G(t_0)|^2$, where $t_1 = t_0 + u$. Clearly $|G'(t_1)| = |G'(t_0)| = 1$. We may therefore iterate the process and get a fundamental sequence $t_j$ ($j \ge 0$). The limit $t$ clearly does what is required.
We shall also need information about the behaviour of the intersection of a line and a cubic curve under reduction. From what we have already proved, if $l$ meets $C$ in $a$, then $\bar l$ meets $\bar C$ in $\bar a$. But suppose that $l$ meets $C$ in $a, b$ with $a \ne b$: if $\bar a = \bar b$, can we be sure that it has multiplicity $\ge 2$ in the intersection? The following lemma confirms expectations.
Lemma 3. Suppose that the line $l$ meets the cubic curve $C$ in $a, b, c$, multiple points of intersection being given with their multiplicities. Then either (I) the entire line $\bar l$ is in $\bar C$ or (II) $\bar l$ meets $\bar C$ in $\bar a, \bar b, \bar c$, multiple points occurring with the correct multiplicities.
Proof. We have without loss of generality $l_3 = 1 = \max(|l_1|, |l_2|, |l_3|)$. Consider $G(X_1, X_2) = F(X_1, X_2, -l_1X_1 - l_2X_2) \in \mathbb{Z}_p[X_1, X_2]$. Its reduction is $\bar G(X_1, X_2) = \bar F(X_1, X_2, -\bar l_1X_1 - \bar l_2X_2)$.
If $\bar G(X_1, X_2) = 0$, we have case (I) of the Lemma, so we may suppose that $\bar G(X_1, X_2) \ne 0$. We normalize the coefficients of $a, b, c$ so that $\max(|a_1|, |a_2|, |a_3|) = 1$. Since $l(a) = 0$, it follows that $(\bar a_1, \bar a_2) \ne (0, 0)$ etc. By hypothesis, there is some $\lambda \in \mathbb{Q}_p$ such that $G(X_1, X_2) = \lambda(a_2X_1 - a_1X_2)(b_2X_1 - b_1X_2)(c_2X_1 - c_1X_2) = \lambda H(X_1, X_2)$. Now $\bar H(X_1, X_2) = (\bar a_2X_1 - \bar a_1X_2)(\bar b_2X_1 - \bar b_1X_2)(\bar c_2X_1 - \bar c_1X_2) \ne 0$. Hence $\bar G, \bar H$ differ only by a scalar multiple, which is what we needed to prove.
§10. Exercises
1. (i) Let $C$ be the curve $Y^2 = X^3 + p$ over $\mathbb{Q}_p$. Show that the point $(0, 0)$ on the mod $p$ curve does not lift to a point of $C$. (ii) Find an example of an elliptic curve $C$ over $\mathbb{Q}_p$ such that the mod $p$ curve has a cusp which is the reduction of a point on $C$.
2. Find examples of curves $C$ over $\mathbb{Q}_p$ such that the mod $p$ curve has a double point with distinct tangents which (i) lifts, (ii) does not lift, to
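An added Python example (not the book's code) of Lemma 2 and its use in Lemma 1, working modulo $p^k$ with ordinary integers as a stand-in for $\mathbb{Z}_p$. `hensel_lift` performs the Newton step $u = -G(t_0)/G'(t_0)$ and records $v_p(G(t_j))$ at each iterate so that the quadratic convergence $|G(t_1)| \le |G(t_0)|^2$ can be seen; `lift_point` applies it to a nonsingular point of the reduced curve $Y^2 = X^3 + AX + B$; `singular_point_lifts` checks Exercise 1(i) for $Y^2 = X^3 + p$ by brute force modulo $p^2$. It also returns to Exercise 1 of §5 (whose hint points to this lemma), lifting a zero of that ternary form from mod 13 to mod $13^2$. The function names, the coefficient-list representation of polynomials and the sample curves $Y^2 = X^3 + 2$ over $\mathbb{Q}_7$ and $Y^2 = X^3 + 1$ over $\mathbb{Q}_5$ are the example's own choices.

```python
def poly_eval(coeffs, t):
    """coeffs[i] is the coefficient of T^i."""
    return sum(c * t ** i for i, c in enumerate(coeffs))


def poly_deriv(coeffs):
    """The formal derivative G'."""
    return [i * c for i, c in enumerate(coeffs)][1:]


def val(n, p, cap):
    """p-adic valuation of the integer n, reported as `cap` once n = 0 mod p^cap (so n = 0 is safe)."""
    v = 0
    while v < cap and n % p == 0:
        n, v = n // p, v + 1
    return v


def hensel_lift(coeffs, t0, p, k):
    """Lemma 2 modulo p^k: from G(t0) = 0 mod p with G'(t0) a unit, return t = t0 mod p with
    G(t) = 0 mod p^k, together with the list of valuations v_p(G(t_j)) of the Newton iterates."""
    G, Gd = coeffs, poly_deriv(coeffs)
    if poly_eval(G, t0) % p != 0 or poly_eval(Gd, t0) % p == 0:
        raise ValueError("Hensel's hypotheses |G(t0)| < 1, |G'(t0)| = 1 fail")
    m = p ** k
    t = t0 % m
    history = [val(poly_eval(G, t), p, k)]
    while history[-1] < k:
        # t_{j+1} = t_j + u with u = -G(t_j)/G'(t_j); G'(t_j) stays a unit, so it is invertible mod p^k
        t = (t - poly_eval(G, t) * pow(poly_eval(Gd, t), -1, m)) % m
        history.append(val(poly_eval(G, t), p, k))
    return t, history


def lift_point(A, B, xb, yb, p, k):
    """Lemma 1 for Y^2 = X^3 + A X + B: lift a nonsingular point (xb, yb) of the mod-p curve to mod p^k.
    If 2*yb is a unit we solve for Y with G(T) = T^2 - (x^3 + A x + B); otherwise nonsingularity means
    3 x^2 + A is a unit and we solve for X with G(T) = T^3 + A T + B - y^2."""
    if (yb * yb - (xb ** 3 + A * xb + B)) % p != 0:
        raise ValueError("not a point of the reduced curve")
    if (2 * yb) % p != 0:
        y, _ = hensel_lift([-(xb ** 3 + A * xb + B), 0, 1], yb, p, k)
        return (xb % p ** k, y)
    if (3 * xb * xb + A) % p == 0:
        raise ValueError("singular point of the reduced curve: Lemma 1 does not apply")
    x, _ = hensel_lift([B - yb * yb, A, 0, 1], xb, p, k)
    return (x, yb % p ** k)


def singular_point_lifts(p):
    """Exercise 1(i): is there (x, y) with x = y = 0 mod p and y^2 = x^3 + p mod p^2?  Brute force."""
    m = p * p
    return any(((p * j) ** 2 - (p * i) ** 3 - p) % m == 0 for i in range(p) for j in range(p))


def ternary_form(x, y, z):
    """The form of §5, Exercise 1."""
    return 5 * x * x + 3 * y * y + 8 * z * z + 6 * (y * z + z * x + x * y)


def lift_ternary_zero(p, k):
    """§5, Exercise 1 by Hensel: find a zero mod p at which dF/dX = 10x + 6(y + z) is a unit, then lift x
    modulo p^k keeping y, z fixed.  Since y = z = 0 would force x = 0, the result is not all divisible by p."""
    for y in range(p):
        for z in range(p):
            for x in range(p):
                if ternary_form(x, y, z) % p == 0 and (10 * x + 6 * (y + z)) % p != 0:
                    G = [3 * y * y + 8 * z * z + 6 * y * z, 6 * (y + z), 5]   # F(T, y, z) as a polynomial in T
                    xk, _ = hensel_lift(G, x, p, k)
                    return (xk, y, z)
    return None


if __name__ == "__main__":
    print(hensel_lift([-29, 0, 1], 1, 7, 3))   # a square root of 29 in Z_7 modulo 7^3: (260, [1, 2, 3])
    print(lift_point(0, 2, 3, 1, 7, 3))        # the point (3, 1) mod 7 on Y^2 = X^3 + 2 lifted to (3, 260)
    print(singular_point_lifts(5), lift_ternary_zero(13, 2))
```

The valuation list shows the doubling promised by the proof: $v_7(G(t_0)) = 1$, then $2$, then at least $3$, at which point the iteration has reached the requested precision.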
11 The p-adic case
Let $C: Y^2 = X^3 + AX + B$ be an elliptic curve defined over $\mathbb{Q}_p$, so $4A^3 + 27B^2 \ne 0$ and, without loss of generality, $A, B \in \mathbb{Z}_p$. In this section we study the group $\mathfrak{G}$ of points on $C$ defined over $\mathbb{Q}_p$. Our tool will be the theory of reduction developed in the preceding section. For this, we write $C$ homogeneously $C: Y^2Z = X^3 + AXZ^2 + BZ^3$. The reduced curve $\bar C: Y^2Z = X^3 + \bar AXZ^2 + \bar BZ^3$ over $\mathbb{F}_p$ may be singular but (with an eye to Lemma 3 of §10) we note that $\bar C$ does not contain a line. Let $\bar{\mathfrak{G}}$ denote the set of points on $\bar C$ defined over $\mathbb{F}_p$ and let $\bar{\mathfrak{G}}^{(0)} \subset \bar{\mathfrak{G}}$ be the non-singular points. Write $\mathfrak{G}^{(0)} \subset \mathfrak{G}$ for the set of points which reduce mod $p$ to $\bar{\mathfrak{G}}^{(0)}$. The map $\mathfrak{G}^{(0)} \to \bar{\mathfrak{G}}^{(0)}$ is surjective by Lemma 1 of §10. How does the group structure behave? Let $a, b, c \in \mathfrak{G}$ with $a + b + c = o$.
This holds if and only if $a, b, c$ are the intersection of $C$ with a line $l$. Then the reductions $\bar a, \bar b, \bar c$ are the intersections of $\bar C$ with $\bar l$. On $\bar C$ we have defined a group law only for the non-singular points. If $\bar a, \bar b, \bar c \in \bar{\mathfrak{G}}^{(0)}$, then $\bar a + \bar b + \bar c = \bar o$. To sum up so far, we have a subgroup $\mathfrak{G}^{(0)}$ of $\mathfrak{G}$ such that there is a group homomorphism $\mathfrak{G}^{(0)} \to \bar{\mathfrak{G}}^{(0)}$ onto $\bar{\mathfrak{G}}^{(0)}$. The kernel of this homomorphism is the set of points which map into $\bar o$, that is, in inhomogeneous co-ordinates, $o$ itself together with the $(x, y) \in \mathfrak{G}$ with $x \notin \mathbb{Z}_p$, $y \notin \mathbb{Z}_p$. This is called the kernel of the reduction.
Next, we look at the structure of the kernel of reduction. If $(x, y) \in \mathfrak{G}$, $x, y \notin \mathbb{Z}_p$, then clearly $|y|^2 = |x|^3$ and so $|x| = p^{2n}$, $|y| = p^{3n}$ for some $n \ge 1$. We call $n$ the level of $(x, y)$. For $(x, y)$ not in the kernel of reduction the level is 0, by definition. The level of $o$ is $\infty$. Now for integer $N \ge 1$ make the transformation $X_N = p^{2N}X$, $Y_N = p^{3N}Y$, $Z_N = Z$, so the equation of $C$ becomes $C_N: Y_N^2Z_N = X_N^3 + p^{4N}AX_NZ_N^2 + p^{6N}BZ_N^3$. We may use the new co-ordinates for a reduction mod $p$: the reduced curve is $\bar C_N: Y_N^2Z_N = X_N^3$. We can now transfer what was done earlier to the new situation. A point $(x, y)$ maps into the singular point $(0, 0)$ of $\bar C_N$ if its level is $< N$. It is in the kernel of reduction for $C_N$ if its level is $> N$. Finally, the group of the non-singular points on the $\bar C_N$ defined over $\mathbb{F}_p$ is the additive group of $\mathbb{F}_p$. They are in the image of $\mathfrak{G}$, as before. For $N \ge 1$ define $\mathfrak{G}^{(N)}$ to be the set of points of $\mathfrak{G}$ of level $\ge N$. We have proved
Lemma 1. The $\mathfrak{G}^{(N)}$ are groups and $\mathfrak{G} \supset \mathfrak{G}^{(0)} \supset \mathfrak{G}^{(1)} \supset \cdots \supset \mathfrak{G}^{(N)} \supset \cdots$. The quotient groups $\mathfrak{G}^{(N)}/\mathfrak{G}^{(N+1)}$ for $N \ge 1$ are cyclic of order $p$. The quotient $\mathfrak{G}^{(0)}/\mathfrak{G}^{(1)}$ is isomorphic to the group of nonsingular points on $\bar C$. Further, $\bigcap_N \mathfrak{G}^{(N)} = \{o\}$.
The sequence of groups is called the $p$-adic filtration.
Corollary. Let $x = (x, y) \in \mathfrak{G}$ be of finite order prime to $p$. Then $x, y \in \mathbb{Z}_p$.
Proof. Otherwise $x$ is of some level $n \ge 1$. Then $x \in \mathfrak{G}^{(n)}$, $x \notin \mathfrak{G}^{(n+1)}$ and so maps into a non-zero element of $\mathfrak{G}^{(n)}/\mathfrak{G}^{(n+1)}$. But this is of order $p$.
Our next aim is to free the statement in the Corollary from the requirement that the order is prime to $p$. The homomorphism of $\mathfrak{G}^{(N)}/\mathfrak{G}^{(N+1)}$ to the additive group mod $p$ is given by $(x, y) \to p^{-N}x/y \bmod p$. For $x \in \mathfrak{G}^{(1)}$ we introduce $u(x)$ defined by $u(x) = x/y$ ($x = (x, y)$), $u(o) = 0$. Note that $|u(x)| = p^{-n}$, where $n$ is the level of $x$.
Lemma 2. Let $x_1, x_2 \in \mathfrak{G}^{(1)}$. Then $|u(x_1 + x_2) - u(x_1) - u(x_2)| \le \max\{|u(x_1)|^5, |u(x_2)|^5\}$.
Proof. We may suppose that none of $x_1, x_2, x_1 + x_2$ is $o$. Without loss of generality $|u(x_1)| \ge |u(x_2)|$. Define $N$ to be the level of $x_1$. We use the co-ordinates and the curve $C_N$ introduced above. Since neither $x_1$ nor $x_2$ maps into the singularity $(0, 0)$ of $\bar C_N$, the line joining them has the shape $Z_N = lX_N + mY_N$, where $|l| \le 1$, $|m| \le 1$. This meets $C$ where $0 = -Y_N^2(lX_N + mY_N) + X_N^3 + p^{4N}AX_N(lX_N + mY_N)^2 + p^{6N}B(lX_N + mY_N)^3 = c_3X_N^3 + c_2X_N^2Y_N + c_1X_NY_N^2 + c_0Y_N^3$ (*)
(say). Here $c_3 = 1 + p^{4N}Al^2 + p^{6N}Bl^3$, $c_2 = 2p^{4N}lmA + 3p^{6N}l^2mB$, so $|c_3| = 1$, $|c_2| \le p^{-4N}$. The roots $X_N/Y_N$ of (*) are $-p^{-N}u(x_1 + x_2)$, $p^{-N}u(x_1)$ and $p^{-N}u(x_2)$. Since the sum of the roots is $-c_2/c_3$, the result follows.
Corollary 1. $|u(sx)| = |s|\,|u(x)|$ for all $x \in \mathfrak{G}^{(1)}$ and all integers $s \ge 1$.
Proof. By induction, for $s > 0$ we have $|u(sx) - su(x)| \le |u(x)|^5$. This proves the result for $p \nmid s$ and for $s = p$. Now use induction on the power of $p$ in $s$.
Corollary 2. $\mathfrak{G}^{(1)}$ is torsion-free.
Corollary 3. Suppose that $p \ne 2$, $|4A^3 + 27B^2| = 1$. Then the torsion subgroup of $\mathfrak{G}$ is isomorphic to a subgroup of $\bar{\mathfrak{G}}$.
Proof. For $\mathfrak{G} = \mathfrak{G}^{(0)}$; and so $\bar{\mathfrak{G}} = \mathfrak{G}/\mathfrak{G}^{(1)}$, where $\mathfrak{G}^{(1)}$ is torsion free.
Note for the Cognoscenti. This all generalizes to algebraic extensions of $\mathbb{Q}_p$. The proof that torsion points of order prime to $p$ have integral co-ordinates continues to hold, but that for points of $p$-power order may break down if there is ramification. There is a power-series in $u = u(x)$ which gives a parametrization of the group $\mathfrak{G}^{(N)}$ for large enough $N$. This was originally shown by transferring the formulae from the complex variable case. A modern approach is by formal groups and formal logarithms, see, for example, Silverman's book.
12 Global torsion

Let $C: Y^2 = X^3 + AX + B$ be an elliptic curve over $\mathbb Q$, so $4A^3 + 27B^2 \ne 0$ and without loss of generality $A, B \in \mathbb Z$.

Theorem 1. The group of rational points on $C$ of finite order is finite. If $(x,y) \ne \mathbf o$ is of finite order, then $x, y \in \mathbb Z$ and $y = 0$ or $y^2 \mid (4A^3 + 27B^2)$.

Proof. Let $\mathfrak G$ be the group of points on $C$ defined over $\mathbb Q$ and let $\mathfrak G_p$ be the group for $\mathbb Q_p$, where $p$ runs through the primes. Let $(x,y) \ne \mathbf o$ be torsion. Since $\mathfrak G \subset \mathfrak G_p$ we have $x \in \mathbb Z_p$, $y \in \mathbb Z_p$ for all $p$, and so $x \in \mathbb Z$, $y \in \mathbb Z$. Now let $p$ be any prime with $p \ne 2$, $p \nmid (4A^3 + 27B^2)$. Then by the last Corollary of §11, the torsion group of $\mathfrak G$ is isomorphic to a subgroup of the group of points over $\mathbb F_p = \mathbb Z \bmod p$. Hence the torsion group is finite. By looking at different $p$, one can in general restrict the order of
the torsion group severely. But the following argument makes it easy to find the torsion points themselves. If $2(x,y) = \mathbf o$, then $y = 0$. Otherwise, $2(x,y) = (x_2, y_2)$ (say) is also torsion, so $x_2, y_2 \in \mathbb Z$. Now taking the tangent at $(x,y)$, we have (cf. Formulary)
$$x_2 + 2x = \left(\frac{3x^2 + A}{2y}\right)^2 = \frac{(3x^2 + A)^2}{4(x^3 + Ax + B)},$$
and so $y^2 = x^3 + Ax + B$ divides $(3x^2 + A)^2$. But now,
$$(3X^2 + 4A)(3X^2 + A)^2 \equiv 4A^3 + 27B^2 \pmod{X^3 + AX + B} \qquad (*)$$
in $\mathbb Z[X, A, B]$, as is readily verified. Hence $y^2 \mid (4A^3 + 27B^2)$, as required. [For more on identity $(*)$, see §16].

Note. There are stronger statements about the torsion of $C$ when $AB = 0$, see Exercises. Mazur has determined all possible forms of the torsion group. It is one of
$$\mathbb Z/n\mathbb Z \quad (1 \le n \le 10 \text{ or } n = 12) \qquad \text{or} \qquad \mathbb Z/2\mathbb Z \times \mathbb Z/2n\mathbb Z \quad (1 \le n \le 4);$$
all of which occur.

§12. Exercises

1. Find the torsion groups over $\mathbb Q$ of the following elliptic curves:
(i) $Y^2 = X^3 + 1$
(ii) $Y^2 = X^3 - 43X + 166$
(iii) $Y^2 = X^3 - 219X + 1654$
(iv) $Y^2 = X(X - 1)(X + 2)$
(v) $Y^2 = X(X + 1)(X + 4)$
(vi) $X^3 + Y^3 + Z^3 - 15XYZ = 0$
(vii) $Y^2 = X(X + 81)(X + 256)$
(viii) X2X2 - XjX2 - XjX2 + X2X3 = 0
[Note: not a random sample!]
2. Fill in the details of the sketched proof of the following theorem$^9$ [or find a better one!].

Theorem. Let $A \in \mathbb Z$ be 4-th power free. Then all the torsion points on $C: Y^2 = X(X^2 + A)$ are given by (I), (II), (III) below:
(I) $(0,0)$ of order 2.
(II) If $A = 4$, the points $(2, \pm 4)$ of order 4.
(III) If $A = -C^2$, $C \in \mathbb Z$, the points $(\pm C, 0)$ of order 2.

Sketch proof.
(i) If $(x,y) = 2(a,b)$, then $x = (a^2 - A)^2/4b^2$.
(ii) The points of order 2 are as stated.
(iii) $(0,0) = 2(a,b)$ for some $(a,b)$ precisely when $A = 4$. The $(\pm C, 0)$ are never of the form $2(a,b)$.
From now on, let $(a,b)$ be a point of odd order.
(iv) $a = \square$.
(v) If $d = \gcd(a, A)$ then $a = da_1$, $A = dA_1$, $b = db_1$ where $b_1^2 = a_1(da_1^2 + A_1)$.
(vi) There exist $f, g, h$ such that $\gcd(f, g) = 1$ and $a_1 = \pm f^2$, $da_1^2 + A_1 = \pm g^2$, $b_1 = fg$, $d = \pm h^2$.
(vii) $a^2 - A = 2h^4f^4 \mp h^2g^2$, $b = h^2fg$.
(viii) $a^2 - A \equiv 0 \pmod{2b}$.
(ix) Hence $f \equiv 1$, $g \equiv 0 \ (2)$, $h \equiv 0 \ (2)$. [Hint. First show that $f \mid g$.]
(x) Hence $2^4 \mid A$.
(xi) Contradiction!

3. Fill in the sketched proof of the following theorem$^{10}$ [or find a better].

Theorem. Let $B \in \mathbb Z$ be 6-th power free and let $C: Y^2 = X^3 + B$. All the torsion points are given by the following.
(I) If $B = C^2$, the points $(0, \pm C)$ of order 3.
(II) If $B = D^3$, the points $(-D, 0)$ of order 2.

9 cf. T. Nagell. Solution de quelques problèmes dans la théorie arithmétique des cubiques planes du premier genre. Skrifter utg. av det Norske Vidensk.-Akad. i Oslo, Mat.-naturv. kl. 1935, No 1, 1-25.
10 The result is due to R. Fueter: Ueber kubische diophantische Gleichungen. Comm. Math. Helv. 2 (1930), 68-89; but the argument suggested is based loosely on L.J. Mordell. The infinity of rational solutions of $y^2 = x^3 + k$. J. London Math. Soc. 41 (1966), 523-525.
(III) If $B = 1$, the points $(2, \pm 3)$ of order 6.
(IV) If $B = -432 = -2^4 \cdot 3^3$, the points $(12, \pm 36)$ of order 3.

Sketch proof.
(i) If $(x,y) = 2(a,b)$, $b \ne 0$, then $x = (w - 2)a$, $w = 9a^3/4b^2$.
(ii) The elements of 2-power order are as stated.
(iii) Elements $(0,b)$ are of order 3.
From now on, let $(a,b)$ be of odd order with $a \ne 0$. The strategy is to show that $w \in \mathbb Z$. The cases with $w = 1, 2, 3$ are then easily dealt with. Otherwise, $|x|_\infty > |a|_\infty$ and so on repeated duplication $|a|_\infty \to \infty$, a contradiction. We sketch a proof that $w \in \mathbb Z$.
(iv) If $p \mid B$, $p \nmid a$ then $p \nmid x$.
(v) If $p \mid B$, $p \nmid x$ then $p \nmid a$. [Hint. Consider repeated duplication.]
(vi) If $3^l \,\|\, b$, $3^m \,\|\, a$ then $l = 0, 1$ or $l = 2$, $m \ge 1$. [Hint. If $l = 3$ deduce that either $3 \nmid x$ or $3^6 \mid B$.]
(vii) Hence $w \in \mathbb Z_3$.
(viii) $w \in \mathbb Z_2$.
(ix) $w \in \mathbb Z_q$ for $q \mid B$, $q \ne 2, 3$.
(x) Hence $w \in \mathbb Z$.

4. Show that $X^3 + Y^3 + dZ^3 = 0$ is birationally equivalent to $Y^2 = X^3 - 2^4 \cdot 3^3 \cdot d^2$. If $d > 0$, $d \in \mathbb Z$ is cube free, deduce from the preceding exercise that the only cases of torsion are
$d = 1$, $(1, 0, -1)$ and $(0, 1, -1)$ of order 3;
$d = 2$, $(1, 1, -1)$ of order 2.
Compare with results of §6 on exceptional points.

5. Let $s \in \mathbb Q$. Show that if there is one $k \in \mathbb Q$ such that $X^3 + sX + k = 0$ has 3 rational roots, then there are infinitely many. [Hint. Let $u$ be a rational root. Find the condition, in terms of $s, u, k$, that the two remaining roots are rational.]

6. Let $k \in \mathbb Q$, $k \ne 0$. Show that if there are two $s \in \mathbb Q$ such that $X^3 + sX + k = 0$ has 3 rational roots, then there are infinitely many.
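The Nagell–Lutz search of this section (Theorem 1 and the tangent argument after it), together with the reduction-mod-$p$ bound of §11, Corollary 3, carried out in Python as an added example; this is not code from the book, the function names are mine, and the point $\mathbf o$ is represented by `None`. Run on exercise 1(i) and 1(ii), it lists the torsion points and their orders:

```python
from fractions import Fraction
from math import gcd, isqrt

# Added example, not from the book: integer-coefficient curve Y^2 = X^3 + A X + B,
# affine points as pairs of Fractions, the point o at infinity as None.

def add(A, B, P, Q):
    """Chord-and-tangent addition (the formulas of the Formulary)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 + y2 == 0:          # Q = -P; this covers the 2-division points y = 0
            return None
        lam = Fraction(3 * x1 * x1 + A, 2 * y1)   # slope of the tangent at P
    else:
        lam = Fraction(y2 - y1, x2 - x1)          # slope of the chord PQ
    x3 = lam * lam - x1 - x2
    y3 = lam * (x1 - x3) - y1
    return (x3, y3)

def order(A, B, P, limit=12):
    """Order of P when it is at most `limit` (Mazur: torsion orders are <= 12), else None."""
    Q = P
    for n in range(1, limit + 1):
        if Q is None:
            return n
        Q = add(A, B, Q, P)
    return None

def integer_roots(A, c):
    """Integer solutions of x^3 + A x + c = 0: a root divides c, or c = 0."""
    if c == 0:
        roots = {0}
        if A <= 0 and isqrt(-A) ** 2 == -A:   # the other roots satisfy x^2 = -A
            roots |= {isqrt(-A), -isqrt(-A)}
        return sorted(roots)
    cands = set()
    for d in range(1, isqrt(abs(c)) + 1):
        if c % d == 0:
            cands |= {d, -d, abs(c) // d, -(abs(c) // d)}
    return sorted(x for x in cands if x ** 3 + A * x + c == 0)

def torsion_points(A, B):
    """Theorem 1 of section 12: a torsion point (x, y) != o has x, y in Z and
    y = 0 or y^2 | 4A^3 + 27B^2, so only finitely many candidates need testing."""
    D = 4 * A ** 3 + 27 * B ** 2
    if D == 0:
        raise ValueError("4A^3 + 27B^2 = 0: not an elliptic curve")
    points = [None]                                  # o has order 1
    ys = [0] + [y for y in range(1, isqrt(abs(D)) + 1) if D % (y * y) == 0]
    for y in ys:
        for x in integer_roots(A, B - y * y):        # candidates with y^2 = x^3 + A x + B
            for yy in ({0} if y == 0 else {y, -y}):
                P = (Fraction(x), Fraction(yy))
                if order(A, B, P) is not None:       # keep only points of finite order
                    points.append(P)
    return points

def count_points_mod_p(A, B, p):
    """#C(F_p) including o. For p != 2, p not dividing 4A^3 + 27B^2, the torsion
    group injects into C(F_p) (section 11, Corollary 3)."""
    square_count = {}
    for y in range(p):
        square_count[y * y % p] = square_count.get(y * y % p, 0) + 1
    return 1 + sum(square_count.get((x ** 3 + A * x + B) % p, 0) for x in range(p))

def torsion_order_bound(A, B, primes):
    """gcd of #C(F_p) over the good primes supplied: the torsion order divides it."""
    D = 4 * A ** 3 + 27 * B ** 2
    g = 0
    for p in primes:
        if p != 2 and D % p != 0:
            g = gcd(g, count_points_mod_p(A, B, p))
    return g

if __name__ == "__main__":
    for A, B in [(0, 1), (-43, 166)]:               # exercise 1 (i) and (ii)
        T = torsion_points(A, B)
        print(f"Y^2 = X^3 + {A}X + {B}: {len(T)} torsion points, orders",
              [order(A, B, P) for P in T], "bound", torsion_order_bound(A, B, [5, 7, 11, 13]))
```

For $Y^2 = X^3 + 1$ the search returns the six points $\mathbf o$, $(-1,0)$, $(0,\pm 1)$, $(2,\pm 3)$ and the counts mod 5 and mod 7 already force the order to divide 6; for $Y^2 = X^3 - 43X + 166$ all six affine candidates that survive have order 7.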
13 Finite Basis Theorem. Strategy and comments

The objective of the next few sections is the following.

Theorem 1. The group $\mathfrak G$ of rational points on an elliptic curve defined over $\mathbb Q$ is finitely generated.

The theorem is due to Mordell and it was generalized to number fields by Weil. It is usually referred to as the Mordell (or Mordell-Weil) Finite Basis Theorem. For example$^{11}$, when $C$ is $Y^2 = X(X^2 + 877)$ the group $\mathfrak G$ is generated by $(0,0)$ of order 2 and $(u/v, r/s)$ of infinite order, where
u = 37 5494 5281 2716 2193 1055 0406 9942 0927 9234 6201,
v = 6215 9877 7687 1505 4254 6322 0780 6972 3804 4100,
r = 256 2562 6798 8926 8093 8877 6834 0455 1308 9648 6691 5320 4356 6034 6478 6949,
s = 4900 7802 3219 7875 8895 9802 9339 9592 8925 0960 6161 6470 7799 7926 1000.

The proof of Theorem 1 subdivides into two parts requiring different ideas and techniques.

11 A. Bremner, J.W.S. Cassels: On the equation $Y^2 = X(X^2 + p)$. Math. Comp. 42 (1984), 257-264.
(i) The "weak finiteness theorem" that $\mathfrak G/2\mathfrak G$ is finite. The proof depends on the construction of a map of $\mathfrak G/2\mathfrak G$ into a finite group. The proof is in some ways easier if $\mathfrak G$ has a point of order 2 and we do this first. For this we need to know about isogenies. It is rather remarkable that the proof of the weak theorem is not constructive - that is, it does not give an infallible procedure, even in principle, for determining $\mathfrak G/2\mathfrak G$. Even today no algorithm is known.

(ii) The second part of the proof of the finite basis theorem is a "descent". Suppose that we have a set of representatives $\mathbf b_1, \dots, \mathbf b_r$ of the classes of $\mathfrak G/2\mathfrak G$. Let $\mathbf a$ be any point. Then there is some $s$, $1 \le s \le r$, such that $\mathbf a - \mathbf b_s \in 2\mathfrak G$, i.e.
$$\mathbf a = \mathbf b_s + 2\mathbf c, \qquad \mathbf c \in \mathfrak G. \qquad (*)$$
The height measures the size of the numbers involved in a point of $\mathfrak G$. For example if $\mathbf x = (x,y)$ and $x = u/v$ with $u, v \in \mathbb Z$ in its lowest terms, we can take $h(\mathbf x) = \max(|u|, |v|)$ (absolute values). Now it follows from $(*)$ that $h(\mathbf c) < h(\mathbf a)$; at least if $h(\mathbf a)$ is greater than some $H_0$. It follows that $\mathfrak G$ is generated by the $\mathbf b_s$ and the finitely many $\mathbf a$ with $h(\mathbf a) \le H_0$.

We conclude this section by giving one of Fermat's own descent arguments. He wished to show that there are no integer solutions of
$$X^4 + Y^4 = Z^4, \qquad X \ne 0,\ Y \ne 0.$$
This is a curve of genus 3 (not that Fermat knew about the genus), but he remarked that it is enough to disprove
$$X^4 + Y^4 = Z^2, \qquad X \ne 0,\ Y \ne 0. \qquad (*)$$
On writing $(*)$ in the shape $(Z/Y^2)^2 = 1 + (X/Y)^4$ one sees that we have an elliptic curve, though not given in canonical form. However, following Fermat, we consider integer solutions of $(*)$. If $(*)$ has an integral solution, we take one $(x,y,z)$ for which $\max(|x|,|y|)$ is $> 0$ and as small as possible ($|\ |$ is the absolute value). Then $x, y, z$ have no common factor, and indeed are coprime in pairs. Since $x^4 \equiv 1 \bmod 4$ if $x$ is odd, one of $x, y$ must be odd and the other even. We
suppose that $2 \mid x$, $2 \nmid y$, $2 \nmid z$. Write $(*)$ in the shape
$$(z + y^2)(z - y^2) = x^4.$$
Since $z, y$ are both odd, the two factors on the left are divisible by 2 but only one is divisible by 4. Hence (taking $z > 0$) we have two possibilities, where $u, v \in \mathbb Z$:

First Case: $z + y^2 = 8u^4$, $z - y^2 = 2v^4$.
Second Case: $z + y^2 = 2u^4$, $z - y^2 = 8v^4$.

The first case gives $y^2 = 4u^4 - v^4$, which is impossible mod 4. Hence we have the second case: $y^2 = u^4 - 4v^4$. Now $(u^2 + y)(u^2 - y) = 4v^4$, and so
$$u^2 + y = 2r^4, \qquad u^2 - y = 2s^4$$
for some $r, s \in \mathbb Z$. Hence $r^4 + s^4 = u^2$. This is another solution of $(*)$. Further, $x^4 = 16u^4v^4 = 16u^4r^4s^4$. Hence $rs \ne 0$ and $\max(|r|,|s|) < |x| \le \max(|x|,|y|)$. This contradicts the assumed minimality of the original solution, and so we have a contradiction.

Note that $(r, s, u) \to (x, y, z)$ is multiplication by 2. Thus Fermat's descent is essentially a converse of Diophantos' ascent. Note also that multiplication by 2 has been divided into two steps via another curve $X^4 - 4Y^4 = Z^2$. This is the phenomenon of isogeny, which we explore in the next section.

§13. Exercises

1. Let $C: Y^2 = X^3 + AX + B$ be defined over $\mathbb Q$. Let $\mathbb Q(\sqrt d)$ be
a quadratic extension of $\mathbb Q$ and let the non-trivial automorphism be denoted by $(')$. Let $\mathbf x$ be a point of $C$ defined over $\mathbb Q(\sqrt d)$. Show that $\mathbf x + \mathbf x'$ is defined over $\mathbb Q$ and that $\mathbf x - \mathbf x' = (u, v)$ where $u$ and $v/\sqrt d$ are in $\mathbb Q$. Deduce that the group of points on $C$ defined over $\mathbb Q(\sqrt d)$ may be determined once the groups over $\mathbb Q$ on $C$ and $dY^2 = X^3 + AX + B$ are known.

2. This question assumes knowledge of the arithmetic of $\mathbb Q(\rho)$ where $\rho^3 = 1$, $\rho \ne 1$. Fill in the details of the sketched proof of the

Theorem. Let $d = q_1q_2$ where $q_1 > 0$, $q_2 > 0$ are rational primes with $q_1 \equiv 2 \ (9)$, $q_2 \equiv 5 \ (9)$. Then the only rational point on $C: X_1^3 + X_2^3 + dX_3^3 = 0$ is $(1, -1, 0)$.

Sketch proof.
(i) It is enough to prove that the only points on $C$ defined over $\mathbb Q(\rho)$ are those with $X_3 = 0$.
(ii) If $\mathbf x = (x_1, x_2, x_3)$ is defined over $\mathbb Q(\rho)$ and on the curve, without loss of generality $x_1, x_2, x_3$ are coprime in pairs in $\mathbb Z[\rho]$.
(iii) $(x_1 + x_2)(\rho x_1 + \rho^{-1}x_2)(\rho^{-1}x_1 + \rho x_2) = -q_1q_2x_3^3$. There are $a_1, a_2, a_3, \xi_1, \xi_2, \xi_3 \in \mathbb Z[\rho]$ such that either
$$x_1 + x_2 = a_1\xi_1^3, \quad \rho x_1 + \rho^{-1}x_2 = a_2\xi_2^3, \quad \rho^{-1}x_1 + \rho x_2 = a_3\xi_3^3, \quad a_1a_2a_3 = d,$$
or
$$x_1 + x_2 = \lambda a_1\xi_1^3, \quad \rho x_1 + \rho^{-1}x_2 = \lambda a_2\xi_2^3, \quad \rho^{-1}x_1 + \rho x_2 = \lambda a_3\xi_3^3, \quad a_1a_2a_3 = d,$$
where $\lambda = \rho - \rho^{-1}$ $[= \sqrt{-3}]$.
(iv) $a_1\xi_1^3 + a_2\xi_2^3 + a_3\xi_3^3 = 0$, $a_1a_2a_3 = d$.
(v) Any rational $q_1$-adic unit is congruent to a cube mod $q_1$, but $\rho$ is not congruent to a cube. And similarly for $q_2$.
(vi) After multiplying $a_1, a_2, a_3$ all by $\rho$, or by $\rho^2$, if necessary, we may suppose that $\{a_1, a_2, a_3\}$ is a permutation of $\{\pm 1, \pm 1, \pm q_1q_2\}$ or $\{\pm 1, \pm q_1, \pm q_2\}$.
(vii) The equation $\xi_1^3 + q_1\xi_2^3 + q_2\xi_3^3 = 0$ is impossible mod 9 [and indeed mod $\lambda^3$].
(viii) If $\{a_1, a_2, a_3\}$ is a permutation of $\{\pm 1, \pm 1, \pm d\}$, then $|\xi_1\xi_2\xi_3|_\infty < |x_1x_2x_3|_\infty$.
14 A 2-isogeny

An isogeny is a map $C \to D$ of elliptic curves defined over the ground field and taking the specified rational point $\mathbf o_C$ on $C$ into that on $D$. Clearly the kernel of the isogeny, i.e. the set of points mapped into $\mathbf o_D$, is a finite group and is defined over the ground field as a whole.

In this section we consider the case when $C$ has a rational point of order 2. It is convenient to modify our canonical form to
$$C: Y^2 = X(X^2 + aX + b),$$
the point of order 2 being $(0,0)$. The function on the right hand side may not have a double root, so $b \ne 0$, $a^2 - 4b \ne 0$. We take $\mathbb Q$ to be the ground field.

Let $\mathbf x = (x, y)$ be a generic point of $C$; that is, $x$ is transcendental and $y$ is defined by $y^2 = x(x^2 + ax + b)$. The field $\mathbb Q(x, y)$ is known as the function field of $C$ over $\mathbb Q$. Let $\mathbf x_1 = \mathbf x + (0,0)$. The transformation $\mathbf x \to \mathbf x_1$ is an automorphism of $\mathbb Q(x, y)$ of order 2. We will find the fixed field.
The line through $(0,0)$ and $(x, y)$ is $X = tx$, $Y = ty$, which meets $C$ in $(0,0)$, $\mathbf x$ and $-\mathbf x_1 = (x_1, -y_1)$. We get
$$x_1 = b/x, \qquad y_1 = -by/x^2.$$
One invariant under $\mathbf x \to \mathbf x_1$ is clearly $t^2$, which is
$$t^2 = (y/x)^2 = \frac{x^2 + ax + b}{x} = \lambda \quad \text{(say)} \qquad [= x + x_1 + a].$$
Another is $y + y_1 = \mu$ (say). To find an algebraic relation between $\lambda, \mu$ we compute
$$\mu^2 = y^2(1 - b/x^2)^2 = \frac{x^2 + ax + b}{x}\,(x^2 - 2b + b^2/x^2).$$
Here the first factor is just $\lambda$. The second is
$$(x + b/x)^2 - 4b = (\lambda - a)^2 - 4b = \lambda^2 - 2a\lambda + (a^2 - 4b).$$
Hence
$$\mu^2 = \lambda(\lambda^2 - 2a\lambda + (a^2 - 4b)).$$
Conversely, we can express $x, y$ in terms of $\lambda, \mu$ and $\lambda^{1/2} = y/x$, since
$$\lambda^{-1/2}\mu = x - b/x, \qquad \lambda = x + (b/x) + a.$$
Hence
$$x = \tfrac12(\lambda + \lambda^{-1/2}\mu - a), \qquad y = \lambda^{1/2}x. \qquad (*)$$
The field extension $\mathbb Q(x, y)/\mathbb Q(\lambda, \mu)$ is of degree 2 and so by Galois theory $\mathbb Q(\lambda, \mu)$ is the complete field of invariants. The point $(\lambda, \mu)$ is a generic point of
$$D: Y^2 = X(X^2 - 2aX + (a^2 - 4b)).$$
The map $\phi: C \to D$ given by $\mathbf x = (x, y) \to \boldsymbol\lambda = (\lambda, \mu)$
preserves the group law$^{12}$. For let $\mathbf a, \mathbf b$ be points on $C$ and let $f \in \mathbb Q(\mathbf x)$ be a function with simple poles at $\mathbf a, \mathbf b$ and simple zeros at $\mathbf o$, $\mathbf a + \mathbf b$. Let $f_1$ be the conjugate under $\mathbf x \to \mathbf x_1$. Then $ff_1 \in \mathbb Q(\boldsymbol\lambda)$: as a function of $\boldsymbol\lambda$ it clearly has simple poles at $\phi(\mathbf a)$, $\phi(\mathbf b)$ and simple zeros at $\phi(\mathbf o) = \mathbf o$ and $\phi(\mathbf a + \mathbf b)$. Hence $\phi(\mathbf a + \mathbf b) = \phi(\mathbf a) + \phi(\mathbf b)$.

The equation for $D$ has the same general shape as that for $C$. On repeating the process with $\lambda$ and $\mu$, we get $\rho, \sigma$ with
$$\sigma^2 = \rho(\rho^2 + 4a\rho + 16b);$$
and so $\xi = \rho/4$, $\eta = \sigma/8$ is a generic point of $C$ again. The points mapping into $(\lambda, \mu) = (0,0)$ are just the 2-division points other than $(0,0)$. Hence the kernel of the map $(x, y) \to (\xi, \eta)$ is just the 2-division points and $\mathbf o$. So the map must be multiplication by $\pm 2$.

We now consider the effect of the isogeny $\phi: C \to D$ on rational points. Denote the rational points on $C$, $D$ by $\mathfrak G$, $\mathfrak D$ respectively. We denote the multiplicative group of nonzero elements of $\mathbb Q$ by $\mathbb Q^*$.

Lemma 1. Let $(u, v) \in \mathfrak D$. Then $(u, v) \in \phi\mathfrak G$ precisely when either $u \in (\mathbb Q^*)^2$ or $u = 0$, $a^2 - 4b \in (\mathbb Q^*)^2$.

Proof. For $u \ne 0$, this follows by specializing $\lambda \to u$, $\mu \to v$ in $(*)$. The point $(\lambda, \mu) = (0,0)$ comes from the points $(\alpha, 0)$ where $\alpha^2 + a\alpha + b = 0$; and $\alpha \in \mathbb Q$ if and only if $a^2 - 4b \in (\mathbb Q^*)^2$.

This suggests the map $g: \mathfrak D \to \mathbb Q^*/(\mathbb Q^*)^2$ given by
$$g((u, v)) = u(\mathbb Q^*)^2 \quad (u \ne 0), \qquad g((0, 0)) = (a^2 - 4b)(\mathbb Q^*)^2, \qquad g(\mathbf o) = (\mathbb Q^*)^2.$$

12 The argument is quite general for isogenies of any degree. Note that $ff_1$ is the norm of $f$ for the extension $\mathbb Q(\mathbf x)/\mathbb Q(\boldsymbol\lambda)$, cf. §24, Lemma 1.
We note that the equation $v^2 = u(u^2 - 2au + a^2 - 4b)$ implies that
$$g((u, v)) = (u^2 - 2au + a^2 - 4b)(\mathbb Q^*)^2$$
whenever the right hand side is defined.

Lemma 2. The map $g: \mathfrak D \to \mathbb Q^*/(\mathbb Q^*)^2$ is a group homomorphism.

Proof. Write the equation of $D$ as
$$D: V^2 = U(U^2 + a_1U + b_1).$$
Let $\mathbf u_j = (u_j, v_j)$ $(j = 1, 2, 3) \in \mathfrak D$ with $\mathbf u_1 + \mathbf u_2 + \mathbf u_3 = \mathbf o$, so they are the intersection of $D$ with a line $V = lU + m$. Substituting in the equation for $D$, we have
$$U(U^2 + a_1U + b_1) - (lU + m)^2 = (U - u_1)(U - u_2)(U - u_3).$$
Hence $u_1u_2u_3 = m^2$. This implies that $g(\mathbf u_1)g(\mathbf u_2)g(\mathbf u_3) = (\mathbb Q^*)^2$ except, possibly, when one of the $\mathbf u_j$ is $(0,0)$. The verification in this case is left to the reader.

Lemma 3. The image of $g: \mathfrak D \to \mathbb Q^*/(\mathbb Q^*)^2$ is finite.

Proof. Without loss of generality $a_1 \in \mathbb Z$, $b_1 \in \mathbb Z$. An element of $\mathbb Q^*/(\mathbb Q^*)^2$ may be written $r(\mathbb Q^*)^2$, where $r \in \mathbb Z$, square free.
We show that $r(\mathbb Q^*)^2$ is in the image of $g$ only when $r \mid b_1$. Suppose that $g((u, v)) = r(\mathbb Q^*)^2$. Then there are $s, t \in \mathbb Q$ such that $v = rst$, $u = rt^2$. Put $t = l/m$, where $l, m \in \mathbb Z$, $\gcd(l, m) = 1$. Then, on eliminating $u$,
$$r^2l^4 + a_1rl^2m^2 + b_1m^4 = rn^2, \qquad \text{where } n = m^2s \in \mathbb Z.$$
Suppose that there is a prime $p$ with $p \mid r$, $p \nmid b_1$. Then $p \mid m$, so $p^2 \mid rn^2$ and hence $p \mid n$ because $r$ is square-free. Then $p^3 \mid r^2l^4$, so $p \mid l$, contrary to $\gcd(l, m) = 1$.

Putting the three lemmas together, we get the

Theorem 1. $\mathfrak D/\phi\mathfrak G$ is finite.

Corollary. $\mathfrak G/2\mathfrak G$ is finite.

Proof. Consider the exact triangle $\mathfrak G \to \mathfrak D \to \mathfrak G$, the two maps composing to multiplication by 2, where $\mathfrak D/\phi\mathfrak G$ and $\mathfrak G/\phi\mathfrak D$ are both finite.

By considering in detail the equations arising in the Lemma 3, we can get more information about $\mathfrak G/2\mathfrak G$; e.g. by looking at the equations locally. There is, however, no local-global theorem and indeed even today there is no algorithm for deciding whether or not there is a solution. We shall come back to these questions in a later section. So one should not conclude from the fact that we can determine $\mathfrak G/2\mathfrak G$ in the examples that one can always do so.
We first enunciate more precisely what was proved.

Lemma 4. The group $\mathfrak D/\phi\mathfrak G$ is isomorphic to the group of $q(\mathbb Q^*)^2$ in $\mathbb Q^*/(\mathbb Q^*)^2$ where
(i) $q \in \mathbb Z$ is square-free and $q \mid b_1$;
(ii) the equation
$$ql^4 + a_1l^2m^2 + (b_1/q)m^4 = n^2$$
has a solution in $l, m, n \in \mathbb Z$ not all 0.
Further, the point $(0,0)$ of $\mathfrak D$ corresponds to $q =$ the square-free kernel of $b_1$.

Example 1.
$$C: Y^2 = X(X^2 - X + 6), \qquad D: Y^2 = X(X^2 + 2X - 23).$$
For $\mathfrak D/\phi\mathfrak G$ we have $q \mid (-23)$. Since $-23$ corresponds to $(0,0)$, we need look at only one of $q = +23$, $q = -1$, say the latter. The equation of Lemma 4 is
$$-l^4 + 2l^2m^2 + 23m^4 = n^2, \quad \text{i.e.} \quad -(l^2 - m^2)^2 + 24m^4 = n^2,$$
which is impossible in $\mathbb Q_3$. Hence $\mathfrak D/\phi\mathfrak G$ is generated by $(0,0)$.

For $\mathfrak G/\phi\mathfrak D$ we have $q \mid 6$, so $q = -1$ or $q = \pm 2, \pm 3, \pm 6$. Since the form $X^2 - X + 6$ is definite, we must have $q > 0$. Hence $q = 2, 3$ or $6$; and $6$ belongs to $(0,0)$. Thus it is enough to look at one of $2, 3$, say $2$. The equation is
$$2l^4 - l^2m^2 + 3m^4 = n^2,$$
which is seen to have the solution $(l, m, n) = (1, 1, 2)$. This corresponds to $(x, y) = (2, 4)$. It follows that $\mathfrak G/\phi\mathfrak D$ is generated by $(0,0)$ and $(2,4)$. To find generators for $\mathfrak G/2\mathfrak G$ we need to look at the effect of $\phi$ on the generators of $\mathfrak D/\phi\mathfrak G$. In this case $\phi(0,0) = \mathbf o$, so $\mathfrak G/2\mathfrak G$ is also generated by $(0,0)$ and $(2,4)$.

Second example. This is related to Fermat's equation $u^4 + v^4 = w^4$. Then
$$y = v^2w/u^3, \qquad x = w^2/u^2$$
satisfy $C: Y^2 = X(X^2 - 1)$, so $D: Y^2 = X(X^2 + 4)$. For $\mathfrak D/\phi\mathfrak G$ we have $q \mid 4$, so $q = -1, \pm 2$. Since $X^2 + 4$ is definite, we need $q > 0$, so only $q = 2$ needs to be looked at. The relevant equation is $2l^4 + 2m^4 = n^2$, which has the solution $(l, m, n) = (1, 1, 2)$, giving $(X, Y) = (2, 4)$ as the generator of $\mathfrak D/\phi\mathfrak G$. The point $(0,0)$ is in $\phi\mathfrak G$. For $\mathfrak G/\phi\mathfrak D$ we have $q \mid (-1)$. Since $-1$ belongs to $(0,0)$, there is nothing to do. Then $\mathfrak G/\phi\mathfrak D$ is generated by $(0,0)$ and $\mathfrak G/2\mathfrak G$ is generated by $(0,0)$ and $\phi(2,4) = (1,0)$.

§14. Exercises

1. Find (i) a set of generators for $\mathfrak G/2\mathfrak G$, where $\mathfrak G$ is the group of rational points and (ii) the 2-power torsion, for the following curves
$Y^2 = X(X^2 + 3X + 5)$
$Y^2 = X(X^2 - 4X + 15)$
$Y^2 = X(X^2 + 4X - 6)$
$Y^2 = X(X^2 - X + 6)$
$Y^2 = X(X^2 + 2X + 9)$
$Y^2 = X(X^2 - 2X + 9)$

2. Invent similar questions to 1 and solve them. [Note. You cannot expect to determine $\mathfrak G/2\mathfrak G$ in every case, but you can majorize its order. It might be helpful to write a Mickey Mouse program to look for points with small co-ordinates.]

3. Let $C: Y^2 = X(X^2 + aX + b)$, $D: Y^2 = X(X^2 + a_1X + b_1)$ with $a_1 = -2a$, $b_1 = a^2 - 4b$.
(i) Show that the odd torsion groups are isomorphic.
(ii) Assuming the finite basis theorem, show that the ranks [= number of generators of infinite order] are the same.
(iii) Give an example to show that the orders of the groups of 2-power torsion need not be the same. Determine what the possibilities are.

4. (i) Construct an elliptic curve with a torsion element of order 8.
(ii) Show that no torsion element can have order 16.
(iii) Determine all abstract groups of 2-power order which can be isomorphic to the 2-power torsion of an elliptic curve. Give elliptic curves in the possible cases and give a proof of impossibility for the others.

5. (Another kind of isogeny). Let $C: Y^2 = X^3 + B$ be defined over $\mathbb Q$ and let $\beta^2 = B$, $\beta \notin \mathbb Q$.
(i) Show that $(0, \pm\beta)$ are inflexions and that $2(0, \beta) = (0, -\beta)$.
(ii) Let $\mathbf x = (x, y)$ be generic and put $\mathbf x_1 = \mathbf x + (0, \beta)$, $\mathbf x_2 = \mathbf x + (0, -\beta)$. Show that $\xi = x + x_1 + x_2$, $\eta = y + y_1 + y_2$ are functions of $(x, y)$ defined over $\mathbb Q$ and that
$$D: \eta^2 = \xi^3 - 27B.$$
(iii) Show that the repetition of the above map is (essentially) multiplication by 3.
(iv) Denote by $\mathfrak G$, $\mathfrak D$ the groups of rational points on $C$, $D$ respectively. Denote by $\mathbb Q(\beta)^*$ the multiplicative group of non zero elements of $\mathbb Q(\beta)$. If $(x, y) \in \mathfrak G$ and $y + \beta \in \{\mathbb Q(\beta)^*\}^3$ show that $\mathbf x$ is in the image of $\mathfrak D$ under $D \to C$. [Hint. Put $y + \beta = (u + v\beta)^3$ and equate the coefficients of $\beta$.]
(v) Show that $(x, y) \to (y + \beta)\{\mathbb Q(\beta)^*\}^3$ is a homomorphism whose kernel is the image of $\mathfrak D$.
(vi) (Requires algebraic number theory). Show that the image of the homomorphism in (v) is finite [Hint. cf. §16].
(vii) Deduce that $\mathfrak G/3\mathfrak G$ is finite.
15 The weak finite basis theorem

In this section we show that $\mathfrak G/2\mathfrak G$ is finite, where $\mathfrak G$ is the group of rational points on the elliptic curve $Y^2 = F(X)$, where
$$F(X) = X^3 + AX + B, \qquad 4A^3 + 27B^2 \ne 0.$$
The argument has similarities with that in the previous section, where we made the additional assumption that $F(X)$ has a rational root. Here we treat in a uniform manner the cases when $F(X)$ has 3 rational roots, one rational root, no rational root.

We work with the commutative ring $\mathbb Q[\Theta] = \mathbb Q[T]/F(T)$, where $T$ is a variable and $\Theta$ is the image of $T$. Then $\mathbb Q[\Theta]$ is the direct sum of as many fields as $F(T)$ has irreducible factors$^{13}$. There is a norm map $\mathrm{Norm}: \mathbb Q[\Theta] \to \mathbb Q$ defined as follows. Let $\alpha \in \mathbb Q[\Theta]$. The map $\xi \to \alpha\xi$ $(\xi \in \mathbb Q[\Theta])$

13 The preceding section has proved the weak finite basis theorem when $F(T)$ has a rational root, so it would be enough to consider the case when $\mathbb Q[\Theta]$ is a field. This brings some minor simplifications to the proof.
takes $\mathbb Q[\Theta]$ into itself. If $\mathbb Q[\Theta]$ is regarded as a 3-dimensional vector space over $\mathbb Q$, the map is linear and its determinant is defined to be $\mathrm{Norm}(\alpha)$. Clearly $\mathrm{Norm}(\alpha\beta) = \mathrm{Norm}(\alpha)\mathrm{Norm}(\beta)$; and $\alpha$ is invertible (i.e. has an inverse) precisely when $\mathrm{Norm}(\alpha) \ne 0$. It is readily checked that
$$\mathrm{Norm}(a - \Theta) = F(a) \qquad (a \in \mathbb Q).$$
Denote by $\mathbb Q[\Theta]^*$ the multiplicative group of invertible elements of $\mathbb Q[\Theta]$. We shall work with the group $M \subset \mathbb Q[\Theta]^*/(\mathbb Q[\Theta]^*)^2$ consisting of the $\alpha(\mathbb Q[\Theta]^*)^2$ for which $\mathrm{Norm}\,\alpha \in (\mathbb Q^*)^2$.

There is a map $\mu: \mathfrak G \to M$ defined as follows.
(i) $\mu(\mathbf o) = 1 \cdot (\mathbb Q[\Theta]^*)^2$;
(ii) if $\mathbf a = (a, b) \in \mathfrak G$, $b \ne 0$, then $\mu(\mathbf a) = (a - \Theta)(\mathbb Q[\Theta]^*)^2$;
(iii) if$^{14}$ $\mathbf a = (a, 0)$, then $F(a) = 0$, so one of the summands in the expression of $\mathbb Q[\Theta]$ as a sum of fields is a copy of $\mathbb Q$ arising from the map $\Theta \to a$. Hence this component of $a - \Theta$ is $0$. We replace (patch) this component with any element of $\mathbb Q^*$ such that the norm of the new element of $\mathbb Q[\Theta]$ is in $(\mathbb Q^*)^2$.

Lemma 1. The map $\mu$ is a group homomorphism.

Proof. Let $\mathbf a_j = (a_j, b_j)$ $(j = 1, 2, 3)$ be elements of $\mathfrak G$ with $\mathbf a_1 + \mathbf a_2 + \mathbf a_3 = \mathbf o$, so that they lie on a line $Y = lX + m$, $l, m \in \mathbb Q$. Then
$$F(X) - (lX + m)^2 = (X - a_1)(X - a_2)(X - a_3).$$
Replace $X$ by $\Theta$:
$$(a_1 - \Theta)(a_2 - \Theta)(a_3 - \Theta) = (l\Theta + m)^2.$$

14 cf. preceding footnote.
If all the $b_j \ne 0$, then the $a_j - \Theta$ are invertible and we are done. It remains to deal with the case when $F(T)$ is reducible and at least one of the roots is among the $a_j$. If only one of the roots, $e$ (say), of $F(T)$ is among the $a_j$, then $\mathbb Q[\Theta]$ is a direct sum $K_1 \oplus K_2$ or $K_1 \oplus K_2 \oplus K_3$ of fields, where $K_1$ is the copy of $\mathbb Q$ given by $\Theta \to e$. The given proof shows that the Lemma holds for the components in $K_j$ $(j \ne 1)$. Since we have patched things so that the norms are always a square, the Lemma must hold for the $K_1$-components as well.

The remaining case is when all the $b_j$ are $0$ and the $a_j$ are the roots of $F(T)$. Then $\mathbb Q[\Theta]$ is the direct sum of three copies $K_j$ of $\mathbb Q$ by $\Theta \to a_j$ $(j = 1, 2, 3)$. The components of $\Theta - a_1$ in $K_2$, $K_3$ are $a_2 - a_1$, $a_3 - a_1$ respectively. Hence the patch for the zero component of $\Theta - a_1$ in $K_1$ is $(a_2 - a_1)(a_3 - a_1)(\mathbb Q^*)^2$. Now the truth of the Lemma follows by direct calculation.

Lemma 2. The kernel of $\mu$ is $2\mathfrak G$.

Proof. Since $M$ has exponent 2, the kernel certainly contains $2\mathfrak G$. We have to show it is no bigger. Suppose that $\mu(\mathbf a) = (\mathbb Q[\Theta]^*)^2$, $\mathbf a = (a, b)$. Then$^{15}$
$$a - \Theta = (p_2\Theta^2 + p_1\Theta + p_0)^2$$
for some $p_0, p_1, p_2 \in \mathbb Q$. Further, $p_2 \ne 0$, since $\Theta$ does not satisfy any equation of degree $< 3$. We can find $s_0, s_1, r_0, r_1 \in \mathbb Q$ such that
$$(s_1\Theta + s_0)(p_2\Theta^2 + p_1\Theta + p_0) = r_1\Theta + r_0,$$
since the vanishing of the $\Theta^2$-component on the right hand side is a linear condition on $s_0, s_1$. If $s_1 = 0$, $s_0 \ne 0$, we would have $p_2 = 0$. Hence, without loss of generality, $s_1 = -1$. Now
$$(s_0 - \Theta)^2(a - \Theta) = (r_1\Theta + r_0)^2.$$

15 A moment's consideration shows that this statement remains true when $b = 0$, though then $p_2\Theta^2 + p_1\Theta + p_0$ is not invertible.
On replacing $\Theta$ by an indeterminate $X$, we have
$$(r_1X + r_0)^2 - (s_0 - X)^2(a - X) = F(X),$$
since the coefficient of $X^3$ is $1$. Hence the line $Y = r_1X + r_0$ meets $Y^2 = F(X)$ in $(a, \pm b)$ and $(s_0, t)$ (twice) for some $t$. It follows that $(a, b) \in 2\mathfrak G$, as required.

Theorem 1. $\mathfrak G/2\mathfrak G$ is finite.

Proof. It is enough to show that the image of $\mu: \mathfrak G \to M$ is finite. We may suppose without loss of generality that $A, B \in \mathbb Z$. Let $\mathbf x = (x, y) \in \mathfrak G$. Then $y^2 = F(x)$ implies that
$$x =r/t^2, \qquad y = s/t^3,$$
where $r, s, t \in \mathbb Z$, $\gcd(r, t) = \gcd(s, t) = 1$, and
$$s^2 = r^3 + Art^4 + Bt^6.$$
To illustrate ideas, suppose for now that the roots $e_1, e_2, e_3$ of $F(X)$ are rational, and so in $\mathbb Z$. Then
$$s^2 = (r - e_1t^2)(r - e_2t^2)(r - e_3t^2). \qquad (*)$$
Now $\gcd\{(r - e_1t^2), (r - e_2t^2)\}$ divides $(e_1 - e_2)t^2$ and $(e_1 - e_2)r$, so divides $(e_1 - e_2)$; and similarly for the other pairs of factors. Hence and by $(*)$
$$r - e_jt^2 = d_jv_j^2,$$
where $d_j$ is square free, $d_j \mid (e_1 - e_2)(e_2 - e_3)(e_3 - e_1)$, and $d_1d_2d_3 = $ square. There are thus only finitely many sets $\{d_1, d_2, d_3\}$; which proves the theorem in this case.
Before leaving this special case, we note that $(v_1, v_2, v_3, t)$ lies on the curve given redundantly by
$$\mathcal D: \quad (e_1 - e_2)t^2 = d_2v_2^2 - d_1v_1^2, \qquad (e_2 - e_3)t^2 = d_3v_3^2 - d_2v_2^2, \qquad (e_3 - e_1)t^2 = d_1v_1^2 - d_3v_3^2.$$
We may therefore get further information about $\mathfrak G/2\mathfrak G$ by looking whether there is a rational point on $\mathcal D$. In particular, one may be able to show that there is not a rational point by local considerations.

Now consider the general case. Denote the roots of $F(X)$ by $\varepsilon_j \in \bar{\mathbb Q}$ $(j = 1, 2, 3)$. We work$^{16}$ in $K = \mathbb Q(\varepsilon_1, \varepsilon_2, \varepsilon_3)$. As in the rational case, the ideal $[r - \varepsilon_1t^2, r - \varepsilon_2t^2]$ divides $\varepsilon_1 - \varepsilon_2$. Hence each principal ideal $[r - \varepsilon_jt^2]$ is a square up to one of a finite number of ideal factors. The finiteness of the class-number and the finite generation of units now imply that
$$r - \varepsilon_jt^2 = \delta_j\lambda_j^2,$$
where $\delta_j, \lambda_j \in \mathbb Q(\varepsilon_j)$ and $\{\delta_1, \delta_2, \delta_3\}$ is from a finite set. This clearly shows that the image of $\mu$ is finite and so completes the proof of the Theorem.

We now find a curve $\mathcal D$ with properties analogous to those of the $\mathcal D$ constructed above in the case when the roots are rational. We have shown that if $(x, y) \in \mathfrak G$, then
$$x - \Theta = \delta\lambda^2,$$
where $\delta, \lambda \in \mathbb Q[\Theta]$ and $\delta$ is one of a finite set. Write
$$\lambda = v_0 + v_1\Theta + v_2\Theta^2 \qquad (v_j \in \mathbb Q).$$
Then the right hand side becomes
$$H_0(\mathbf v) + H_1(\mathbf v)\Theta + H_2(\mathbf v)\Theta^2,$$
where $H_j(\mathbf v) \in \mathbb Q[\mathbf v]$ is a quadratic form depending on $\delta$. Hence there is a rational point $(\mathbf v, t)$ on
$$\mathcal D: \quad H_2(\mathbf v) = 0, \qquad H_1(\mathbf v) = -t^2.$$

16 This is the only place where the use of algebraic number theory is unavoidable. If she does not know the theory, the reader should take it on trust that it is very like the rational case. But see next footnote.
Again, we can get further information on $\mathfrak G/2\mathfrak G$ by examining whether there is a point on $\mathcal D$ everywhere locally. If not, then $\delta$ cannot occur. If there is, we can make a further useful transformation. If $\mathcal D$ has a point everywhere locally, there is always a point everywhere locally on the conic $H_2(\mathbf v) = 0$. There is a point on $H_2(\mathbf v) = 0$ globally by Theorem 1 of §3, and so (see exercises)
$$H_2(\mathbf v) = hL^2 - MN$$
identically, for some $h \in \mathbb Q$ and some linear forms $L(\mathbf v), M(\mathbf v), N(\mathbf v) \in \mathbb Q[\mathbf v]$. Hence the rational points on $H_2(\mathbf v) = 0$ can be parametrized in terms of $r, s$ (say) by
$$v_j = V_j(r, s) \qquad (j = 1, 2, 3)$$
where the $V_j(r, s) \in \mathbb Q[r, s]$ are quadratic forms. It follows that $\mathcal D$ is birationally equivalent to
$$\mathcal D': \quad t^2 = G(r, s),$$
where $G$ is a quartic form. It would be possible to describe the possible equivalence classes of quartic forms $G$ in terms of its invariants instead of the detour through algebraic number theory$^{17}$. In fact this is what Birch and Swinnerton-Dyer did in their historic computations. [B.J. Birch and H.P.F. Swinnerton-Dyer. Notes on elliptic curves I, II. J. reine angew. Math. 212 (1963), 7-25; 218 (1965), 79-108].

We conclude this section by looking at a couple of examples.

First Example. $Y^2 = X(X^2 - 1)$. We considered this already as an example of isogenies. Let $(r/t^2, s/t^3)$ be on the curve, so
$$r(r + t^2)(r - t^2) = s^2.$$
The greatest common divisor of $(r \pm t^2)$ is $1$ or $2$; that of $r$ and $r + t^2$ or $r - t^2$ is $1$. Further, $r + t^2 > r > r - t^2$.

17 This line of argument proves the finiteness of $\mathfrak G/2\mathfrak G$ without algebraic number theory at the expense of a fairly substantial study of binary quartic forms.
Hence if
$$r + t^2 = d_1v_1^2, \qquad r = d_2v_2^2, \qquad r - t^2 = d_3v_3^2$$
with the $d_j$ square free, the only possibilities are
$$(d_1, d_2, d_3) = (1, 1, 1),\ (2, 1, 2),\ (1, -1, -1),\ (2, -1, -2).$$
These are all realized by the points of order 2. Hence $\mathfrak G/2\mathfrak G$ is generated by them.

Second example. Most applications require algebraic number theory. We give one such application, to which we will want to refer later. The curve
$$X^3 + Y^3 + 60Z^3 = 0$$
is birationally equivalent to
$$Y^2 = X^3 - 3^3(30)^2.$$
We shall work in $\mathbb Q(\delta)$ where $\delta^3 = 30$. This has class number $h = 3$ and fundamental unit$^{18}$
$$\eta = 1 + 9\delta - 3\delta^2.$$
The roots of $F(X) = X^3 - 3^3(30)^2$ are $3\delta^2$, $3\rho\delta^2$, $3\rho^2\delta^2$, where $\rho^3 = 1$. In our usual notation, if $(r/t^2, s/t^3) \in \mathfrak G$, a prime common ideal divisor of any two of
$$r - 3\delta^2t^2, \qquad r - 3\rho\delta^2t^2, \qquad r - 3\rho^2\delta^2t^2$$
must divide $2 \cdot 3 \cdot 5$. Since $2, 3, 5$ ramify completely, $r - 3\delta^2t^2$ must be a perfect ideal square. In the real embedding, clearly $r - 3\delta^2t^2 > 0$, and so either
$$r - 3\delta^2t^2 = \alpha^2 \qquad \text{or} \qquad r - 3\delta^2t^2 = \eta\alpha^2$$
for some $\alpha \in \mathbb Q(\delta)$. We disprove the second alternative. Put $\alpha = u + v\delta + w\delta^2$. Equating coefficients of powers of $\delta$ in
$$r - 3\delta^2t^2 = \eta\alpha^2,$$

18 As it can be mildly troublesome to check that a unit is fundamental, all we actually use is that $\eta > 0$ in the real embedding and $\eta$ is not a square. The last fact follows by looking at $\eta$ modulo $[2 - \delta, 11]$.
we get
$$0 = 9u^2 + 2uv - 90v^2 - 180uw + 540vw + 30w^2,$$
$$-3t^2 = -3u^2 + 18uv + v^2 + 2uw - 180vw + 270w^2.$$
On putting
$$u = -28e + 90f, \qquad v = -9e + 29f, \qquad w = g - 3e + 9f,$$
in the first equation, it becomes
$$0 = 30g^2 - 4ef.$$
Hence there are $m, n$ such that
$$e : f : g = m^2 : 30n^2 : 2mn.$$
On substituting in the second equation, we get for some $l$:
$$-3l^2 = 3m^4 - 112m^3n + 1620m^2n^2 - 10800mn^3 + 27900n^4.$$
But this is impossible in $\mathbb Q_2$. (Consider $|n|_2 < |m|_2$ and $|n|_2 \ge |m|_2$ separately). Hence $\mathfrak G/2\mathfrak G$ is the trivial group.

§15. Exercises

1. Determine the 2-power torsion and sets of representatives of $\mathfrak G/2\mathfrak G$ for $Y^2 = F(X)$ in the following cases.
(i) $F(X) = X(X - 3)(X + 4)$
(ii) $F(X) = X(X - 1)(X + 3)$
(iii) $F(X) = X(X + 1)(X - 14)$
(iv) etc.
(v) etc.

2. (i) Give the general form of an elliptic curve with a rational point of order 4. [Hint: use isogenies.]
(ii) Show that an elliptic curve cannot have two independent rational points of order 4, i.e. points $\mathbf a, \mathbf b$ such that $4\mathbf a = 4\mathbf b = \mathbf o$, $2\mathbf a \ne 2\mathbf b$, $2\mathbf a \ne \mathbf o$, $2\mathbf b \ne \mathbf o$.

3. Make more explicit the algorithms of the text for the case of rational roots. More precisely, let
$$F(X) = (X - e_1)(X - e_2)(X - e_3)$$
where $e_j \in \mathbb Q$ and let $\sigma_j: \Theta \to e_j$ $(j = 1, 2, 3)$ be the homomorphisms of $\mathbb Q[\Theta]$ into $\mathbb Q$.
(i) For given $t_1, t_2, t_3 \in \mathbb Q$, find an explicit $\Lambda = l_0 + l_1\Theta + l_2\Theta^2$ $(l_j \in \mathbb Q)$ with $\sigma_j(\Lambda) = t_j$ $(j = 1, 2, 3)$. Show that $\Lambda$ is unique.
(ii) Let $x \in \mathbb Q$ be such that $x - e_j = t_j^2$ $(j = 1, 2, 3)$. Show that the $\Lambda$ constructed in (i) satisfies $\Lambda^2 = x - \Theta$.
(iii) Find in terms of the $t_j, e_j$ the $s_0 \in \mathbb Q$ such that $(s_0 - \Theta)\Lambda = r_0 + r_1\Theta$ (say) has no terms in $\Theta^2$.
(iv) Show that $(x, t_1t_2t_3) = 2(s_0, ?)$ for some $? \in \mathbb Q$.
(v) On replacing $t_j$ by $\pm t_j$ (independent signs) show that one gets in general further $\mathbf x_i \in \mathfrak G$ with $2\mathbf x_i = \mathbf x$. What is the relation between the different $\mathbf x_i$?
(vi) Using the above with $F(X) = X(X - 3)(X + 5)$ and $\mathbf x = (4, 6)$, find all the $\mathbf x_i$ with $2\mathbf x_i = \mathbf x$.

4. [Fermat, Euler]. By transforming it to canonical form, or otherwise, show that the only rational points $(x_1, x_2, x_3, x_4)$ on the curve
$$X_1^2 - 2X_2^2 + X_3^2 = 0, \qquad X_2^2 - 2X_3^2 + X_4^2 = 0$$
are those with $x_1^2 = x_2^2 = x_3^2 = x_4^2$. If $n_1 < n_2 < n_3 < n_4$ are integers in arithmetic progression, deduce that they cannot all be perfect squares.
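The rational-roots case of the proof of Theorem 1, the curve $\mathcal D$ written redundantly after it, and the First Example, worked in Python as an added example; this is not code from the book, and the function names are mine. It enumerates the finitely many candidate triples $(d_1, d_2, d_3)$, searches $\mathcal D$ for small points, recovers the rational point each solution yields, and applies the kind of local test the text mentions (no primitive solution mod $16$), which is the explicit form of the algorithm that Exercise 3 asks for:

```python
from fractions import Fraction
from math import isqrt

# Added example, not from the book. Y^2 = F(X) = (X - e1)(X - e2)(X - e3) with distinct
# integers e_j. The descent data of a rational point (r/t^2, s/t^3) is the triple of
# square-free d_j with r - e_j t^2 = d_j v_j^2, and D is the pair of equations
#   (e1 - e2) t^2 = d2 v2^2 - d1 v1^2,   (e2 - e3) t^2 = d3 v3^2 - d2 v2^2.

def squarefree_part(n):
    """Square-free d with n = d * (square), carrying the sign of n (n != 0)."""
    d, n, p = (1 if n > 0 else -1), abs(n), 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e % 2:
            d *= p
        p += 1
    return d * n

def candidate_triples(e):
    """All (d1, d2, d3): d_j square-free, d_j | (e1-e2)(e2-e3)(e3-e1), d1 d2 d3 a square."""
    e1, e2, e3 = e
    prod = abs((e1 - e2) * (e2 - e3) * (e3 - e1))
    ds = set()
    for k in range(1, prod + 1):
        if prod % k == 0:
            ds |= {squarefree_part(k), -squarefree_part(k)}
    return sorted((x, y, z) for x in ds for y in ds for z in ds if squarefree_part(x * y * z) == 1)

def mu(e, P):
    """The map mu of section 15 on the three rational components: (x, y) -> the classes
    of x - e_j mod squares; the zero component of a 2-division point is patched by the
    product of the other two differences so that the product of the classes is a square."""
    if P is None:
        return (1, 1, 1)
    x = Fraction(P[0])
    r, den = x.numerator, x.denominator           # x = r/t^2 with den = t^2
    if isqrt(den) ** 2 != den:
        raise ValueError("x must have a square denominator")
    classes = []
    for j in range(3):
        val = r - e[j] * den
        if val == 0:
            k, l = [i for i in range(3) if i != j]
            val = (e[j] - e[k]) * (e[j] - e[l])
        classes.append(squarefree_part(val))
    return tuple(classes)

def solve_on_D(e, d, bound):
    """A non-zero (v1, v2, v3, t) on D with entries in [0, bound], or None if there is
    none that small (which does not prove that d fails to occur)."""
    e1, e2, e3 = e
    d1, d2, d3 = d
    for t in range(bound + 1):
        for v1 in range(bound + 1):
            for v2 in range(bound + 1):
                if (e1 - e2) * t * t != d2 * v2 * v2 - d1 * v1 * v1:
                    continue
                for v3 in range(bound + 1):
                    if (v1, v2, v3, t) != (0, 0, 0, 0) and \
                            (e2 - e3) * t * t == d3 * v3 * v3 - d2 * v2 * v2:
                        return (v1, v2, v3, t)
    return None

def point_from_solution(e, d, sol):
    """x = e1 + d1 v1^2/t^2, y = sqrt(d1 d2 d3) v1 v2 v3 / t^3; t = 0 is the point o (None)."""
    v1, v2, v3, t = sol
    if t == 0:
        return None
    d1, d2, d3 = d
    return (e[0] + Fraction(d1 * v1 * v1, t * t),
            Fraction(isqrt(d1 * d2 * d3) * v1 * v2 * v3, t ** 3))

def no_primitive_solution_mod(e, d, m):
    """Local obstruction at the prime p of m = p^k: True if D has no solution mod m with
    (v1, v2, v3, t) not all divisible by p; such a d cannot occur."""
    e1, e2, e3 = e
    d1, d2, d3 = d
    p = next(q for q in range(2, m + 1) if m % q == 0)
    for t in range(m):
        for v1 in range(m):
            for v2 in range(m):
                if ((e1 - e2) * t * t - d2 * v2 * v2 + d1 * v1 * v1) % m:
                    continue
                for v3 in range(m):
                    if any(z % p for z in (v1, v2, v3, t)) and \
                            ((e2 - e3) * t * t - d3 * v3 * v3 + d2 * v2 * v2) % m == 0:
                        return False
    return True

def descent(e, bound):
    """{d: point found on D}: len(result) <= |G/2G| = 2^(rank+2) <= number of candidates
    that survive the local tests."""
    out = {}
    for d in candidate_triples(e):
        sol = solve_on_D(e, d, bound)
        if sol is not None:
            out[d] = point_from_solution(e, d, sol)
    return out

if __name__ == "__main__":
    e = (-1, 0, 1)                                   # First Example: Y^2 = X(X^2 - 1)
    found = descent(e, 6)
    for d, P in found.items():
        print(d, P, mu(e, P))
    survivors = [d for d in candidate_triples(e) if not no_primitive_solution_mod(e, d, 16)]
    print(len(candidate_triples(e)), "candidates,", len(survivors), "survive mod 16,", len(found), "realized")
```

For $Y^2 = X(X^2 - 1)$ the divisibility conditions alone leave sixteen candidate triples; the search realizes exactly the four listed above, all by points of order 2, and the mod-16 test is a mechanical version of the gcd argument of the text (it discards, for instance, $(2, 2, 1)$).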
16 Remedial mathematics. Resultants.

As they are often not included nowadays in undergraduate courses, we give here some basic facts about resultants and discriminants. The ground field is arbitrary.

Let
$$F(X) = f_nX^n + f_{n-1}X^{n-1} + \dots + f_0, \qquad G(X) = g_mX^m + g_{m-1}X^{m-1} + \dots + g_0$$
be polynomials. The polynomials
$$F(X),\ XF(X),\ \dots,\ X^{m-1}F(X),\ G(X),\ XG(X),\ \dots,\ X^{n-1}G(X) \qquad (*)$$
can be regarded as $m + n$ linear forms in the $m + n$ variables $X^{m+n-1}, \dots, X, 1$ (the "forgetful functor"). The determinant $R(F, G)$ is the resultant of $F, G$. It is defined only up to sign. By eliminating $X^{m+n-1}, \dots, X$ determinantally, we express $R(F, G)$ as a linear combination of the rows $(*)$, that is
$$A(X)F(X) + B(X)G(X) = R(F, G), \qquad (1)$$
where $A(X)$, $B(X)$ have degrees $\le m - 1$, $\le n - 1$ respectively. If
$F, G$ have coefficients in a ring, say $\mathbf{Z}$, then $R(F, G) \in \mathbf{Z}$ and $A(X), B(X) \in \mathbf{Z}[X]$.

If $F(X), G(X)$ have a common zero $x$ (in the algebraic closure), then (1) implies that $R(F, G) = 0$. Conversely, suppose that $R(F, G) = 0$. Then the (*) are linearly dependent, and so there are $A(X), B(X)$ of degrees $\le m - 1$, $\le n - 1$, not both zero (footnote 19), such that
$$A(X)F(X) + B(X)G(X) = 0.$$
If we suppose that $F(X), G(X)$ have precise degrees $n, m$ (i.e. $f_n \ne 0$, $g_m \ne 0$), it follows that $F(X), G(X)$ have a common factor, and so a common zero in the algebraic closure.

If $f_n = g_m = 0$, then clearly $R(F, G) = 0$. If $f_n \ne 0$ but $g_m = 0$, then clearly $R(F, G) = f_nR(F, G^*)$, where $G^* = g_{m-1}X^{m-1} + \dots + g_0$. Hence the elegant formulation is that the homogeneous forms
$$f_nX^n + f_{n-1}X^{n-1}U + \dots + f_0U^n, \qquad g_mX^m + \dots + g_0U^m$$
have a common zero $(x, u) \ne (0, 0)$ in the algebraic closure if and only if $R(F, G) = 0$.

Revert to the inhomogeneous polynomials and let
$$F(X) = f_n\prod_j (X - \theta_j), \qquad G(X) = g_m\prod_k (X - \phi_k).$$
If $f_n, g_m, \theta_1, \dots, \theta_n, \phi_1, \dots, \phi_m$ are taken as variables, $R(F, G)$ is a polynomial in them. It vanishes when any $\theta_j$ is equal to any $\phi_k$. Hence and from considerations of degree,
$$R(F, G) = \pm f_n^m g_m^n \prod_{j,k}(\theta_j - \phi_k) = \pm f_n^m \prod_j G(\theta_j).$$

Footnote 19. The particular $A(X), B(X)$ given by the determinantal elimination which gave (1) may, of course, both be 0.
Let $H = H(X)$ be a further polynomial. Then it readily follows that
$$R(F, GH) = \pm R(F, G)R(F, H).$$
Further, if $G_1, G_2$ have the same degree $m$ and $G_1 - G_2$ is divisible by $F$, we have $R(F, G_1) = \pm R(F, G_2)$.

Finally, we put $G = F'$, the (formal) derivative. Since
$$F'(\theta_j) = f_n\prod_{k \ne j}(\theta_j - \theta_k)$$
we have
$$R(F, F') = \pm f_n^{2n-1}\prod_{j < k}(\theta_j - \theta_k)^2.$$
The function on the right side with $+$ is the discriminant $D(F)$. It vanishes precisely when $F$ has a multiple root. For example, when $F(X) = X^3 + AX + B$, we have $D = 4A^3 + 27B^2$, and (1) gives
$$(6AX^2 - 9BX + 4A^2)(3X^2 + A) - (18AX - 27B)(X^3 + AX + B) = 4A^3 + 27B^2.$$

§16. Exercises

1. Let $F(X) \in \mathbf{Z}_p[X]$ have discriminant $D$ and let $a \in \mathbf{Z}_p$. If $|F(a)|_p < |D|_p$, show that $|F'(a)|_p \ge |D|_p$.
17 Heights. Finite Basis Theorem.

We are now in a position to introduce the notion of height, and so to complete the proof of the Finite Basis Theorem.

Let $\mathbf{u} = (u_0, \dots, u_n)$ be a point of projective $n$-dimensional space over $\mathbf{Q}$. As the co-ordinates are homogeneous, we may suppose without loss of generality that
$$u_j \in \mathbf{Z}, \qquad \gcd(u_0, \dots, u_n) = 1. \qquad (1)$$
The height $H(\mathbf{u})$ of $\mathbf{u}$ is defined to be
$$H(\mathbf{u}) = \max_j |u_j|$$
with the above normalization. In this section $|\cdot| = |\cdot|_\infty$ is the absolute value.

We shall mainly but not exclusively be concerned with the projective line. We identify $x \in \mathbf{Q}$ with the point $(x, 1)$ on the line, and so write
$$H(x) = \max\{|u_0|, |u_1|\}$$
if $x = u_0/u_1$ with $u_0, u_1 \in \mathbf{Z}$ as a fraction in its lowest terms.

Lemma 1. (i) Let $D(U_0, U_1), E(U_0, U_1) \in \mathbf{Q}[U_0, U_1]$ be forms of the same degree $n$. Let $\mathbf{u} = (u_0, u_1)$ be a point on the rational projective line, and suppose that $D(\mathbf{u}), E(\mathbf{u})$ do not both vanish. Then
$$H(D(\mathbf{u}), E(\mathbf{u})) \le cH(\mathbf{u})^n,$$
where $c$ is independent of $\mathbf{u}$.
(ii) Suppose, further, that the resultant of $D, E$ is not 0. Then there is a $\gamma > 0$, independent of $\mathbf{u}$, such that
$$H(D(\mathbf{u}), E(\mathbf{u})) \ge \gamma H(\mathbf{u})^n.$$

Note. The additional hypothesis in (ii) is equivalent to supposing that $D, E$ do not have a common zero over the algebraic closure $\bar{\mathbf{Q}}$.

Proof. By homogeneity, we may suppose that $D(U_0, U_1), E(U_0, U_1) \in \mathbf{Z}[U_0, U_1]$ and that $\mathbf{u} = (u_0, u_1)$ is normalized by (1). Clearly
$$|D(\mathbf{u})|, |E(\mathbf{u})| \le c\{\max(|u_0|, |u_1|)\}^n$$
for some $c$. In general $D(\mathbf{u}), E(\mathbf{u})$ will have a common factor, but in any case this implies the conclusion of (i).

Now suppose that the hypotheses of (ii) hold and let $R$ be the resultant. Then there are homogeneous forms $L_j(U_0, U_1), M_j(U_0, U_1) \in \mathbf{Z}[U_0, U_1]$ ($j = 0, 1$) such that
$$L_jD + M_jE = RU_j^{2n-1} \qquad (j = 0, 1). \qquad (*)$$
On substituting $\mathbf{u}$ for $\mathbf{U}$ we deduce that $\gcd\{D(\mathbf{u}), E(\mathbf{u})\} \mid R$. Further, as in the proof of (i), there is a $c'$ such that
$$|L_j(\mathbf{u})|, |M_j(\mathbf{u})| \le c'\{\max(|u_0|, |u_1|)\}^{n-1} \qquad (j = 0, 1).$$
On substituting in (*) (with $\mathbf{u}$ for $\mathbf{U}$), we obtain the conclusion of (ii) with $\gamma = |R|/2c'$.

Now let $\mathbf{u}, \mathbf{v}$ be two points on the projective line and let
$$\mathbf{w} = (u_0v_0,\ u_0v_1 + u_1v_0,\ u_1v_1) = (w_0, w_1, w_2) \quad \text{(say)}.$$

Lemma 2.
$$\frac{1}{2} \le \frac{H(\mathbf{w})}{H(\mathbf{u})H(\mathbf{v})} \le 2.$$

Proof. Let $\mathbf{u}, \mathbf{v}$ be normalized by (1). Then the right hand inequality is immediate. It is readily verified that $w_0, w_1, w_2$ have no common factor, so it will be enough to show that
$$\max(|w_0|, |w_1|, |w_2|) \ge \tfrac{1}{2}\{\max(|u_0|, |u_1|)\}\{\max(|v_0|, |v_1|)\},$$
which is a simple exercise left to the reader.

Back to the elliptic curve
$$C : Y^2 = X^3 + AX + B$$
with $A, B \in \mathbf{Z}$, $4A^3 + 27B^2 \ne 0$. It is convenient (and conventional) to define the height $H(\mathbf{x})$ of a rational point $\mathbf{x} = (x, y)$ on $C$ to be the height $H(x)$ of its $X$-co-ordinate. In other words, if $\mathbf{x} = (x, y, z)$ in homogeneous co-ordinates, we have
$$H(\mathbf{x}) = H(x, z) \quad (\mathbf{x} \ne \mathbf{o}), \qquad H(\mathbf{o}) = 1.$$

Lemma 3. There are constants $c_1, \gamma_1 > 0$ depending only on $C$ such that
$$\gamma_1H(\mathbf{x})^4 \le H(2\mathbf{x}) \le c_1H(\mathbf{x})^4.$$

Proof. Writing $\mathbf{x} = (x, y)$, $2\mathbf{x} = (x_2, y_2)$, we have (cf. Formulary)
$$x_2 = D(x)/E(x),$$
where
$$D(x) = (3x^2 + A)^2 - 8x(x^3 + Ax + B), \qquad E(x) = 4(x^3 + Ax + B).$$
Now the resultant of $3x^2 + A$ and $x^3 + Ax + B$ is $4A^3 + 27B^2 \ne 0$, and the formulae of the previous section show that the resultant $R$ of $D(x), E(x)$ is a power of 4 times $(4A^3 + 27B^2)^2$. Hence the conditions of both parts of Lemma 1 apply with $x = u_0/u_1$ and $n = 4$; and the result follows (footnote 20).

Lemma 4. Let $\mathbf{x}_1, \mathbf{x}_2 \in \mathfrak{G}$. Then
$$H(\mathbf{x}_1 + \mathbf{x}_2)H(\mathbf{x}_1 - \mathbf{x}_2) \le c_2H(\mathbf{x}_1)^2H(\mathbf{x}_2)^2,$$
where $c_2$ depends only on $C$.

Proof. Write $\mathbf{x}_1 + \mathbf{x}_2 = \mathbf{x}_3$, $\mathbf{x}_1 - \mathbf{x}_2 = \mathbf{x}_4$

Footnote 20. In fact in the proof of Lemma 1(ii) in this case one may take $4A^3 + 27B^2$ instead of $R$ since a factor $4A^3 + 27B^2$ cancels from the $L_j, M_j$. Compare the formula (*) at the end of §12. Detailed formulae are in Silverman's book.
and $\mathbf{x}_j = (x_j, y_j)$ as usual. Then (cf. Formulary)
$$(1,\ x_3 + x_4,\ x_3x_4) = (W_0, W_1, W_2)$$
as elements of the projective plane, where
$$W_0 = (x_2 - x_1)^2, \qquad W_1 = 2(x_1x_2 + A)(x_1 + x_2) + 4B, \qquad W_2 = x_1^2x_2^2 - 2Ax_1x_2 - 4B(x_1 + x_2) + A^2.$$
On writing $x_1, x_2$ as quotients of integers and homogenizing, it is readily seen that
$$H(W_0, W_1, W_2) \le c_3H(x_1)^2H(x_2)^2$$
for some $c_3$. On the other hand,
$$H(W_0, W_1, W_2) = H(1, x_3 + x_4, x_3x_4) \ge \tfrac{1}{2}H(x_3)H(x_4)$$
by Lemma 2. The truth of the lemma follows with $c_2 = 2c_3$.

Corollary.
$$\min(H(\mathbf{x}_1 + \mathbf{x}_2), H(\mathbf{x}_1 - \mathbf{x}_2)) \le c_4H(\mathbf{x}_1)H(\mathbf{x}_2)$$
with $c_4 = c_2^{1/2}$.

In another direction we have

Lemma 5. Let $A$ be given. There are only finitely many $\mathbf{x} \in \mathfrak{G}$ with $H(\mathbf{x}) \le A$.

Proof. For $\mathbf{x} = (x, y)$ with $H(\mathbf{x}) \le A$; that is $x = u_0/u_1$ with $u_0, u_1 \in \mathbf{Z}$ and $|u_0|, |u_1| \le A$.

We are now in a position to prove the

Finite Basis Theorem. The group $\mathfrak{G}$ of rational points is finitely generated.

Proof. By the "weak" theorem (§15, Theorem 1), $\mathfrak{G}/2\mathfrak{G}$ is finite. Let $\mathbf{b}_1, \dots, \mathbf{b}_s \in \mathfrak{G}$ be representatives of the classes of $\mathfrak{G}$ modulo $2\mathfrak{G}$. Now let $\mathbf{a} \in \mathfrak{G}$. There is some $j$ such that $\mathbf{a} \pm \mathbf{b}_j \in 2\mathfrak{G}$ for both choices of sign. By Lemma 4, Corollary, there is one choice of sign such that
$$H(\mathbf{a} \pm \mathbf{b}_j) \le c_4H(\mathbf{a})H(\mathbf{b}_j).$$
Now $\mathbf{a} \pm \mathbf{b}_j = 2\mathbf{c}$, $\mathbf{c} \in \mathfrak{G}$, and so
$$H(\mathbf{a} \pm \mathbf{b}_j) \ge \gamma_1H(\mathbf{c})^4$$
by Lemma 3. Putting everything together, we have
$$H(\mathbf{c})^4 \le \gamma_1^{-1}c_4H(\mathbf{a})H(\mathbf{b}_j) \le \kappa H(\mathbf{a}),$$
where
$$\kappa = \gamma_1^{-1}c_4\max_j H(\mathbf{b}_j).$$
Hence either $H(\mathbf{c}) \le \tfrac{1}{2}H(\mathbf{a})$ or $H(\mathbf{a}) \le (16\kappa)^{1/3} = A$ (say). It follows readily that $\mathfrak{G}$ is generated by the $\mathbf{b}_j$ and the $\mathbf{a}$ with $H(\mathbf{a}) \le A$. But the latter are finite in number by Lemma 5.

We conclude this section with a brief review of the properties of heights.

The inequality in Lemma 4 is supplemented by one in the other direction:
$$H(\mathbf{x}_1 + \mathbf{x}_2)H(\mathbf{x}_1 - \mathbf{x}_2) \ge \gamma_2H(\mathbf{x}_1)^2H(\mathbf{x}_2)^2, \qquad (*)$$
where $\gamma_2 > 0$. Indeed the $W_0, W_1, W_2$ of the proof of Lemma 4, considered as functions of indeterminates $x_1, x_2$, have no common zero in the algebraic closure: for $W_0 = 0$ implies $x_2 = x_1$ and then $W_1, W_2$ become the functions $D, E$ used in the proof of Lemma 3. Now (*) follows from an appropriate generalization of Lemma 1. Note that Lemma 3 is now just the case $\mathbf{x}_2 = \mathbf{x}_1$ of the extended Lemma 4.

We now move over to the logarithmic height $h(\mathbf{x}) = \log H(\mathbf{x})$, so that the extended Lemma 4 gives
$$|h(\mathbf{x}_1 + \mathbf{x}_2) + h(\mathbf{x}_1 - \mathbf{x}_2) - 2h(\mathbf{x}_1) - 2h(\mathbf{x}_2)| \le c$$
for some constant $c$. In particular,
$$|h(2\mathbf{x}) - 4h(\mathbf{x})| \le c.$$
It follows that
$$\hat h(\mathbf{x}) = \lim_{n \to \infty} h(2^n\mathbf{x})/4^n$$
exists, and satisfies
$$\hat h(\mathbf{x}_1 + \mathbf{x}_2) + \hat h(\mathbf{x}_1 - \mathbf{x}_2) = 2\hat h(\mathbf{x}_1) + 2\hat h(\mathbf{x}_2).$$
It is now an undergraduate exercise (cf. Exercises) to deduce that
$$\hat h(\mathbf{x}_1 + \mathbf{x}_2) - \hat h(\mathbf{x}_1) - \hat h(\mathbf{x}_2)$$
is bilinear in $\mathbf{x}_1, \mathbf{x}_2$; and so that $\hat h(\mathbf{x})$ is a quadratic form on $\mathfrak{G}$. The function $\hat h(\mathbf{x})$ is called the canonical height (footnote 21). In particular, $\hat h(n\mathbf{x}) = n^2\hat h(\mathbf{x})$, so $\hat h(\mathbf{x}) = 0$ if $\mathbf{x}$ is torsion: the converse holds by Lemma 5 and since $\hat h(\mathbf{x}) - h(\mathbf{x})$ is bounded.

§17. Exercises

1. (i) Let $a \in \mathbf{Q}$, $a \ne 0$. Show that $|a|_p = 1$ except for at most finitely many primes $p$ and that
$$\prod_{p \text{ incl. } \infty} |a|_p = 1.$$
(ii) Let $u_0, \dots, u_n \in \mathbf{Q}$, not all 0. Show that $\max_j |u_j|_p = 1$ except for at most finitely many $p$ and that
$$\prod_{p \text{ incl. } \infty} \max_j |u_j|_p = H(\mathbf{u})$$
is the height of the point $\mathbf{u} = (u_0, \dots, u_n)$ in projective space.

2. (Required in text.) Let $f(x)$ be a function defined for $x$ in a group $\mathfrak{M}$ and taking values in a field of characteristic $\ne 2$. Suppose that
$$f(x + y) + f(x - y) = 2f(x) + 2f(y)$$
for all $x, y \in \mathfrak{M}$. Show that $f(x) = B(x, x)$, where $B(x, y)$ is a symmetric bilinear form. [Hint. Take $B(x, y) = \tfrac{1}{2}\{f(x + y) - f(x) - f(y)\}$. One has to show that $B(x + z, y) = B(x, y) + B(z, y)$, i.e. that
$$f(x + y + z) + f(x) + f(y) + f(z) = f(y + z) + f(x + z) + f(x + y).$$

Footnote 21. There are different definitions of the canonical height. They differ by a constant factor.
One opening gambit is to observe that $(x + y + z) + z = (x + z) + (y + z)$.]

3. Let $C : Y^2 = X^3 + AX + B$ and suppose that $\mathbf{x}_1, \mathbf{x}_2$ are independent generic points. Let $\mathbf{x}_3 = \mathbf{x}_1 + \mathbf{x}_2$, $\mathbf{x}_4 = \mathbf{x}_1 - \mathbf{x}_2$. Show that
$$(x_1 - x_2)^2(x_1 + x_2 + x_3) = (y_1 - y_2)^2, \qquad (x_1 - x_2)^2(x_1 + x_2 + x_4) = (y_1 + y_2)^2.$$
Deduce that $x_1 + x_2 + x_3$, $x_1 + x_2 + x_4$ are roots of an equation
$$(x_1 - x_2)^2T^2 + uT + v = 0,$$
where $u, v$ are polynomials in $x_1, x_2$. Deduce that a similar result holds for $x_3, x_4$.

4. (Required in text.) Let $G(\mathbf{X}) \in \mathbf{Q}[\mathbf{X}]$ be a nonsingular quadratic form in $\mathbf{X} = (X, Y, Z)$ and suppose that there is an $\mathbf{x} = (x, y, z) \ne (0, 0, 0)$ such that $G(\mathbf{x}) = 0$. Show that there are linear forms $L(\mathbf{X}), M(\mathbf{X}), N(\mathbf{X}) \in \mathbf{Q}[\mathbf{X}]$ and a $d \in \mathbf{Q}^*$ such that
$$G(\mathbf{X}) = L(\mathbf{X})M(\mathbf{X}) + dN(\mathbf{X})^2.$$
[Hints. (i) Without loss of generality $\mathbf{x} = (1, 0, 0)$. (ii) After a linear transformation on $Y, Z$, we may suppose $G(\mathbf{X}) = XY + $ form in $Y, Z$. (iii) Complete the square with respect to $Z$.]

5. Let $\hat h$ be the canonical height on some curve $C$ and suppose that there are representatives of all classes of $\mathfrak{G}/2\mathfrak{G}$ in $\hat h(\mathbf{x}) \le t$ for some $t$. Show that $\mathfrak{G}$ is generated by the $\mathbf{a} \in \mathfrak{G}$ with $\hat h(\mathbf{a}) \le t$.
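The following Python is an added illustration of §17 (it is not from the book): it computes the naive height $H(x)$ of the section, checks the duplication formula $x_2 = D(x)/E(x)$ from the proof of Lemma 3 against chord-and-tangent doubling, and tabulates the quotients $h(2^n\mathbf{x})/4^n$ whose limit defines the canonical height. The curve $Y^2 = X^3 + 17$ and its point $(-2, 3)$ are my own constructed example, not one treated in the text.

```python
from fractions import Fraction
from math import log

# Constructed example: Y^2 = X^3 + A X + B with A = 0, B = 17, and the rational point (-2, 3).
A, B = 0, 17
P = (Fraction(-2), Fraction(3))

def on_curve(pt):
    x, y = pt
    return y * y == x ** 3 + A * x + B

def naive_height(x):
    """H(x) = max(|u0|, |u1|) for x = u0/u1 in lowest terms (Fraction normalizes this)."""
    return max(abs(x.numerator), abs(x.denominator))

def double_point(pt):
    """Chord-and-tangent doubling on Y^2 = X^3 + AX + B; pt must not have y = 0."""
    x, y = pt
    lam = (3 * x * x + A) / (2 * y)
    x2 = lam * lam - 2 * x
    y2 = lam * (x - x2) - y
    return (x2, y2)

def duplication_x(x):
    """X-co-ordinate of 2x via D(x)/E(x), the forms used in the proof of Lemma 3."""
    D = (3 * x * x + A) ** 2 - 8 * x * (x ** 3 + A * x + B)
    E = 4 * (x ** 3 + A * x + B)
    return D / E

def height_sequence(pt, steps):
    """[(H(2^n pt), h(2^n pt)/4^n)] for n = 0..steps; the second entries converge to
    the canonical height by the limit formula at the end of §17."""
    out, Q = [], pt
    for n in range(steps + 1):
        H = naive_height(Q[0])
        out.append((H, log(H) / 4 ** n))
        Q = double_point(Q)
    return out

if __name__ == "__main__":
    for n, (H, q) in enumerate(height_sequence(P, 4)):
        print(f"n={n}: H(2^n P) = {H}, h/4^n = {q:.6f}")
```

Running it shows $H(\mathbf{P}) = 2$, $H(2\mathbf{P}) = 8$, $H(4\mathbf{P}) = 752$, and the duplication formula reproduces the same $X$-co-ordinates as the tangent construction; Lemma 3's bound $H(2\mathbf{x}) \le c_1H(\mathbf{x})^4$ is visible in the growth of the heights.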
18 Local-global for genus 1

Our attention now moves from elliptic curves to curves of genus 1 in general. In this section we give a couple of examples to show that there is no local-global principle for rational points on curves of genus 1. Subsequently, we shall give a structure to the "obstruction" to a local-global principle, namely the Tate-Shafarevich group.

The two examples we shall discuss are
$$3X^3 + 4Y^3 + 5Z^3 = 0, \qquad (1)$$
due to Selmer, and
$$X^4 - 17 = 2Y^2, \qquad (2)$$
due (independently) to Lind and Reichardt.

The techniques we have developed so far enable us to disprove the existence of rational points. We have not, however, developed techniques to show that there are solutions everywhere locally. This is because we have left a fairly highbrow discussion of curves of genus 1 over finite fields until the end (§25). The reader may, of course, verify for any given $p$ that there is a point defined over $\mathbf{Q}_p$, but this can never disprove the existence of some $p > 10^{10}$ (say) such that (1) or (2) has no solution in $\mathbf{Q}_p$. We shall assume without present proof that a curve of genus 1 over a finite field $\mathbf{F}_p$ always has a point defined over $\mathbf{F}_p$ (§25, Theorem 2). If, therefore, a curve such as (1) or (2) reduced mod $p$ is still of genus 1, then there is a point mod $p$ which can, by Lemma 1 of §10, be lifted to a point defined over $\mathbf{Q}_p$.
Assuming this (footnote 22), the only $\mathbf{Q}_p$ to be considered for (1) are $p = 2, 3, 5$ and the only ones for (2) are $p = 2, 17$. It may confidently be left to the reader to confirm that there are points for these $p$.

The disproof of rational points on (1) uses

Lemma 1. Let $a, b, c$ be distinct integers $\ge 1$ and suppose that $d = abc$ is cube free. Suppose that there are $u, v, w \in \mathbf{Z}$ not all 0 such that
$$au^3 + bv^3 + cw^3 = 0.$$
Then there are $x, y, z \in \mathbf{Z}$ with $z \ne 0$ such that
$$x^3 + y^3 + dz^3 = 0.$$

Proof. Let $\rho^3 = 1$, $\rho \ne 1$ and put
$$\xi = au^3 + \rho bv^3 + \rho^2cw^3, \qquad \eta = au^3 + \rho^2bv^3 + \rho cw^3.$$
Then
$$\xi + \eta = 3au^3, \qquad \rho\xi + \rho^2\eta = 3cw^3, \qquad \rho^2\xi + \rho\eta = 3bv^3$$
and so
$$\xi^3 + \eta^3 + d\zeta^3 = 0, \qquad \zeta = -3uvw.$$
Now the two points $(\xi, \rho\eta, \zeta)$, $(\eta, \rho^2\xi, \zeta)$ are conjugate over $\mathbf{Q}$. Hence the line joining them meets $X^3 + Y^3 + dZ^3 = 0$ in a point defined over $\mathbf{Q}$ and distinct from $(1, -1, 0)$.

Lemma 2. The only point defined over $\mathbf{Q}$ on
$$X^3 + Y^3 + 60Z^3 = 0$$
is $(1, -1, 0)$.

Proof. There is no torsion, e.g. by the discussion of exceptional points on cubic curves (§6, Lemma 1). The curve is birationally equivalent over $\mathbf{Q}$ to
$$Y^2 = X^3 - 2^4 \cdot 3^3 \cdot 60^2,$$

Footnote 22. For the specific curves (1), (2) the number of points mod $p$ may be computed (or estimated) by other fairly elementary means, e.g. by the use of finite Fourier analysis.
for which $\mathfrak{G}/2\mathfrak{G}$ is trivial by the proof at the end of the section on the weak theorem (§15, Second example). It follows from the Finite Basis Theorem that $\mathfrak{G}$ is trivial.

Theorem 1. There are no rational points on (1).

Proof. The last two lemmas.

The preceding proof used the theory of algebraic numbers. The next proof works entirely in the rationals.

Theorem 2. There are no rational points on (2).

Proof. If not, suppose $(x, y)$ is on (2). Let $x = a/c$ as a fraction in its lowest terms. Then
$$a^4 - 17c^4 = 2b^2, \qquad \gcd(a, c) = \gcd(b, c) = \gcd(a, b) = 1.$$
Putting $A = a^2$, $C = c^2$ we have
$$A^2 - 17C^2 = 2b^2.$$
This equation is soluble everywhere locally, so globally, and in fact $5^2 - 17 \cdot 1^2 = 2 \cdot 2^2$. Now
$$(5A + 17C + 4b)(5A + 17C - 4b) = 17(A + 5C)^2.$$
If there is a common odd prime divisor of the two factors on the left hand side, it divides $5A + 17C$ and $A + 5C$, so divides $8A$ and $8C$: a contradiction. The two factors on the left hand side have the same sign, which for $A = a^2$, $C = c^2$ must be positive. Hence for integers $u, v$ there is one of two possibilities:

First Case:
$$5a^2 + 17c^2 \pm 4b = 17u^2, \qquad 5a^2 + 17c^2 \mp 4b = v^2, \qquad a^2 + 5c^2 = uv.$$

Second Case:
$$5a^2 + 17c^2 \pm 4b = 34u^2, \qquad 5a^2 + 17c^2 \mp 4b = 2v^2, \qquad a^2 + 5c^2 = 2uv.$$

In the first case
$$10a^2 + 34c^2 = 17u^2 + v^2, \qquad a^2 + 5c^2 = uv.$$
We show that this is impossible in $\mathbf{Q}_{17}$. Write $|\cdot| = |\cdot|_{17}$. By homogeneity $\max(|a|, |c|, |u|, |v|) = 1$. Since 10 is a quadratic non-residue mod 17, we have $|a| < 1$, $|v| < 1$. The second equation gives $|c| < 1$. Finally, the first equation gives $|u| < 1$. Contradiction.

The second case gives
$$5a^2 + 17c^2 = 17u^2 + v^2, \qquad a^2 + 5c^2 = 2uv.$$
The proof that this is impossible in $\mathbf{Q}_{17}$ is similar.

§18. Exercises

1. [Uses algebraic number theory.] Supply the details of the following alternative proof of Theorem 2.
(i) The field $\mathbf{Q}(\sqrt{17})$ has class number 1. A basis of integers is $1, \tfrac{1}{2}(1 + \sqrt{17})$. A fundamental unit is $4 + \sqrt{17}$ of norm $-1$. The prime 2 splits into $(5 \pm \sqrt{17})/2$.
(ii) Suppose $a^4 - 17c^4 = 2b^2$ with $a, b, c \in \mathbf{Z}$, $\gcd(a, c) = 1$. Then $a, c$ are odd and
$$\frac{a^2 \pm c^2\sqrt{17}}{2}$$
are coprime.
(iii)
$$\frac{a^2 + c^2\sqrt{17}}{2} = \left(\frac{5 \pm \sqrt{17}}{2}\right)\eta\mu^2 \qquad (*)$$
for some unit $\eta$ and some integer $\mu$.
(iv) $\eta > 0$ in both real embeddings. Hence $\eta$ is a square and so can be absorbed in $\mu^2$.
(v) Put $\eta = 1$, $\mu = (u + v\sqrt{17})/2$ in (*) and equate terms independent of $\sqrt{17}$. Then
$$4a^2 = 5(u^2 + 17v^2) \pm 34uv,$$
which is impossible in $\mathbf{Q}_3$ (and in $\mathbf{Q}_{17}$).
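The 17-adic step in the proof of Theorem 2 is a finite computation, and the following Python (an added example, not from the book) carries it out for both cases: it confirms that 10 (and 5, which plays the same role in the second case) is a quadratic non-residue mod 17, enumerates every solution of the two-equation system mod 17 to show that $a, c, v$ are forced to vanish, and then performs the last step of the argument, that the surviving term $17u^2$ must itself vanish mod $17^2$. The function names (`solutions_mod`, `forced_zero_mod`, `u_forced_zero`) are mine.

```python
from itertools import product

def squares_mod(p):
    return {x * x % p for x in range(p)}

def is_quadratic_nonresidue(a, p):
    return a % p not in squares_mod(p)

# The two systems the proof of Theorem 2 reduces the first and second case to;
# each lambda returns the two left-minus-right differences.
SYSTEMS = {
    1: lambda a, c, u, v: (10 * a * a + 34 * c * c - 17 * u * u - v * v, a * a + 5 * c * c - u * v),
    2: lambda a, c, u, v: (5 * a * a + 17 * c * c - 17 * u * u - v * v, a * a + 5 * c * c - 2 * u * v),
}

def solutions_mod(case, p):
    """All (a, c, u, v) mod p satisfying both equations of the given case mod p."""
    eqs = SYSTEMS[case]
    return [t for t in product(range(p), repeat=4) if all(e % p == 0 for e in eqs(*t))]

def forced_zero_mod(case, p):
    """Names of the variables that are ≡ 0 (mod p) in every solution mod p.
    In the text's language these are the variables with |.|_p < 1."""
    names = ("a", "c", "u", "v")
    sols = solutions_mod(case, p)
    return {names[i] for i in range(4) if all(s[i] == 0 for s in sols)}

def u_forced_zero(p=17):
    """Final step: once p divides a, c and v, every other term of the first equation
    is divisible by p^2, so the equation reads p*u^2 ≡ 0 (mod p^2); this checks that
    no u with p ∤ u survives, i.e. |u|_p < 1 as well."""
    return all((p * u * u) % (p * p) != 0 for u in range(1, p))

def no_primitive_solution(case, p=17):
    """True when the descent forces every solution to have all four variables
    divisible by p, contradicting max(|a|,|c|,|u|,|v|)_p = 1."""
    return forced_zero_mod(case, p) == {"a", "c", "v"} and u_forced_zero(p)
```

Both cases give the same picture: the only residues mod 17 satisfying the system are $(0, 0, u, 0)$, and the remaining equation $17u^2 \equiv 0 \pmod{17^2}$ then kills $u$ too, which is the contradiction with the normalization $\max(|a|, |c|, |u|, |v|)_{17} = 1$.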
19 Elements of Galois cohomology

In the next section we have occasion to consider two curves which are both defined over $\mathbf{Q}$ and which are birationally equivalent over $\bar{\mathbf{Q}}$. Here we consider a simpler case and then set up some general machinery.

The conic
$$\mathcal{A} : X_1^2 + X_2^2 = 3$$
has no rational point and so is not equivalent over $\mathbf{Q}$ to the line (co-ordinate $Y$, no equation). They are, however, equivalent over $\mathbf{Q}(\sqrt{3})$, for example by the equations
$$Y = (X_1 - \sqrt{3})/X_2, \qquad X_1 = \frac{\sqrt{3}(1 - Y^2)}{Y^2 + 1}, \qquad X_2 = \frac{-2\sqrt{3}\,Y}{Y^2 + 1}.$$
Let $y$ be transcendental, so $x_1, x_2$ is a generic point of $\mathcal{A}$. The Galois group $\mathrm{Gal}(\mathbf{Q}(\sqrt{3})/\mathbf{Q})$ can be made to act in two different ways on $\mathbf{Q}(\sqrt{3}, y) = \mathbf{Q}(\sqrt{3}, x_1, x_2)$. We can either make it act trivially on $y$ or we can make it act trivially on $(x_1, x_2)$. In the first case, the non-trivial element of the Galois group induces the automorphism $x_1 \to -x_1$, $x_2 \to -x_2$ of $\mathcal{A}$. In the second case, it induces the automorphism $y \to -1/y$ of the line.
In the example, we have used the birational equivalence to identify the two function fields. In the general theory it is better to make it explicit.

Let $\mathcal{A}, \mathcal{B}$ be two curves defined over $\mathbf{Q}$ and let
$$\phi : \mathcal{A} \to \mathcal{B}$$
be a birational equivalence defined over $\bar{\mathbf{Q}}$. Let $\sigma \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$. We can let $\sigma$ act on the coefficients in $\phi$ and so obtain another birational equivalence $\sigma\phi : \mathcal{A} \to \mathcal{B}$. Then
$$\theta_\sigma \ (\text{say}) = (\sigma\phi)\phi^{-1} : \mathcal{B} \to \mathcal{B}$$
is a birational automorphism defined over $\bar{\mathbf{Q}}$. We can act on $\theta_\sigma$ by $\tau \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$. Then
$$\tau\theta_\sigma = (\tau\sigma\phi)(\tau\phi)^{-1} = [(\tau\sigma\phi)\phi^{-1}][\phi(\tau\phi)^{-1}] = \theta_{\tau\sigma}\theta_\tau^{-1}.$$
Hence
$$\theta_{\tau\sigma} = (\tau\theta_\sigma)\theta_\tau.$$
This is the cocycle identity (footnote 23) and $\{\theta_\sigma\}$ is a cocycle.

Let there be another birational equivalence $\phi' : \mathcal{A} \to \mathcal{B}$ defined over $\bar{\mathbf{Q}}$, so $\phi' = \omega\phi$ for some automorphism $\omega : \mathcal{B} \to \mathcal{B}$. Then
$$\theta'_\sigma \ (\text{say}) = (\sigma\phi')(\phi')^{-1} = (\sigma\omega)(\sigma\phi)\phi^{-1}\omega^{-1} = (\sigma\omega)\theta_\sigma\omega^{-1}.$$
The two cocycles $\{\theta_\sigma\}$ and $\{\theta'_\sigma\}$ are said to be cobounding. If $\phi$ is defined over $\mathbf{Q}$, we have a coboundary. In this case $\mathcal{A}, \mathcal{B}$ are birationally equivalent over $\mathbf{Q}$; but we have chosen to use a different equivalence.

Footnote 23. We owe the rococo terminology to the topologists.
Given $\mathcal{B}$ and the cocycle $\{\theta_\sigma\}$, we can reconstruct $\mathcal{A}$ (up to a birational equivalence defined over $\mathbf{Q}$). For let $\mathbf{x}$ be a generic point of $\mathcal{B}$. We define an action $\bar\sigma$ of the $\sigma \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$ on $\bar{\mathbf{Q}}(\mathbf{x})$ as follows: $\bar\sigma$ acts on $\bar{\mathbf{Q}}$ by $\sigma$, and
$$\bar\sigma\mathbf{x} = \theta_\sigma\mathbf{x}.$$
Then for $\tau \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$ we have
$$\bar\tau(\bar\sigma\mathbf{x}) = (\tau\theta_\sigma)(\bar\tau\mathbf{x}) = (\tau\theta_\sigma)\theta_\tau\mathbf{x} = \theta_{\tau\sigma}\mathbf{x}.$$
Thus $\overline{(\tau\sigma)} = \bar\tau\bar\sigma$. The fixed field of the $\bar\sigma$ is a function field over $\mathbf{Q}$, and so gives $\mathcal{A}$ up to birational equivalence over $\mathbf{Q}$.

§19. Exercises

1. Let $\sigma$ run through $\mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$. Find a cocycle $\{\theta_\sigma\}$ of birational automorphisms which twist the line into $X_1^2 + X_2^2 = n$, where $n$ is any given element of $\mathbf{Q}^*$. When $n = 5$ give an explicit representation of your cocycle as a coboundary. Is your cocycle a coboundary when $n = 3$?
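The conic example at the start of §19 can be checked by hand, but the two Galois actions are easy to confuse, so here is an added Python illustration (my own code, not the book's) that models $\mathbf{Q}(\sqrt{3})$ exactly and verifies, for a rational value of $y$, that the parametrization lands on $X_1^2 + X_2^2 = 3$, that conjugating $\sqrt{3}$ with $y$ fixed gives $(x_1, x_2) \to (-x_1, -x_2)$, and that conjugating the formula for $Y$ with $(x_1, x_2)$ fixed gives $y \to -1/y$. The class `Q3` and the helper names are assumptions of this example.

```python
from fractions import Fraction

class Q3:
    """Element a + b*sqrt(3) of Q(sqrt 3) with rational a, b (exact arithmetic)."""
    def __init__(self, a, b=0):
        self.a, self.b = Fraction(a), Fraction(b)
    def conj(self):
        """The non-trivial element of Gal(Q(sqrt3)/Q): sqrt3 -> -sqrt3."""
        return Q3(self.a, -self.b)
    def __add__(s, o): return Q3(s.a + o.a, s.b + o.b)
    def __sub__(s, o): return Q3(s.a - o.a, s.b - o.b)
    def __neg__(s): return Q3(-s.a, -s.b)
    def __mul__(s, o): return Q3(s.a * o.a + 3 * s.b * o.b, s.a * o.b + s.b * o.a)
    def inverse(s):
        norm = s.a * s.a - 3 * s.b * s.b   # nonzero for s != 0 since sqrt3 is irrational
        return Q3(s.a / norm, -s.b / norm)
    def __truediv__(s, o): return s * o.inverse()
    def __eq__(s, o): return (s.a, s.b) == (o.a, o.b)
    def __repr__(s): return f"({s.a} + {s.b}*sqrt3)"

SQRT3 = Q3(0, 1)
ONE = Q3(1)

def line_to_conic(y):
    """(x1, x2) = (sqrt3 (1 - y^2)/(y^2 + 1), -2 sqrt3 y/(y^2 + 1))."""
    y2 = y * y
    den = y2 + ONE
    return (SQRT3 * (ONE - y2) / den, -(Q3(2) * SQRT3 * y) / den)

def conic_to_line(x1, x2):
    """y = (x1 - sqrt3)/x2."""
    return (x1 - SQRT3) / x2

def on_conic(x1, x2):
    return x1 * x1 + x2 * x2 == Q3(3)

def galois_actions(y):
    """For rational y returns (point lies on the conic,
    first action sends (x1, x2) to (-x1, -x2),
    second action sends y to -1/y)."""
    x1, x2 = line_to_conic(y)
    first = (x1.conj(), x2.conj()) == (-x1, -x2)     # act on sqrt3, y fixed
    second = (x1 + SQRT3) / x2 == -ONE / y           # act on sqrt3 in the formula for Y, (x1, x2) fixed
    return on_conic(x1, x2), first, second
```

For $y = 1/2$ the point is $(\tfrac{3}{5}\sqrt{3}, -\tfrac{4}{5}\sqrt{3})$, and both actions behave as the text states; the second action shows directly why $\mathcal{A}$ cannot be a twist by a coboundary over $\mathbf{Q}$ of anything with a rational point, since the automorphism $y \to -1/y$ has no rational fixed point.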
20 Construction of the jacobian

Let $\mathcal{D}$ be a curve of genus 1 defined over $\mathbf{Q}$. In this section we construct an elliptic curve $C$, also defined over $\mathbf{Q}$, which is closely related to it. This relationship will be exploited in subsequent sections.

We must initially consider birational equivalences between elliptic curves. We work at first over a general field. Let
$$C_j : Y^2 = X^3 + A_jX + B_j \qquad (j = 1, 2)$$
and let
$$\phi : C_1 \to C_2$$
be a birational correspondence. By considering $\phi(\mathbf{x}) - \phi(\mathbf{o}_1)$ instead of $\phi(\mathbf{x})$, we may suppose without loss of generality that $\phi(\mathbf{o}_1) = \mathbf{o}_2$, where $\mathbf{o}_j$ is the point at infinity on $C_j$. The correspondence must take functions with poles of order 1 into such functions. Hence
$$\phi(X) = aX + b$$
for some $a, b$. Similarly
$$\phi(Y) = cY + dX + e.$$
The form of the equations for $C_j$ imply that $d = e = 0$, $b = 0$, $a^3 = c^2$ and so
$$a = s^2, \qquad c = s^3$$
for some $s$. Hence
$$A_2 = s^4A_1, \qquad B_2 = s^6B_1. \qquad (1)$$
In particular, $A_1^3/B_1^2 = A_2^3/B_2^2$ is invariant under birational equivalence. It is conventional to work with the birational invariant
$$j = 1728 \cdot \frac{4A^3}{4A^3 + 27B^2}$$
of $C : Y^2 = X^3 + AX + B$. The notation $j$ is standard. The constant $1728 = 12^3$ is suggested by the complex variable theory. Note that every elliptic curve gives a finite value of $j$: it is the degenerate curves that send $j$ to infinity.

Lemma 1. Two elliptic curves in canonical form which are birationally equivalent are related by (1) for some $s$. In particular, they have the same $j$-invariant. Further, $s$ is in any field over which the curves and the equivalence are defined.

Corollary. Any birational equivalence of the elliptic curve $C : Y^2 = X^3 + AX + B$ taking $\mathbf{o}$ into $\mathbf{o}$ is of the form $Y \to s^3Y$, $X \to s^2X$. If $AB \ne 0$, then $s^2 = 1$. If $B = 0$, then $s^4 = 1$ and if $A = 0$, then $s^6 = 1$.

Proof. Clear from (1) with $C = C_1 = C_2$.

Let us return to the main topic of the section. Let $\mathcal{D}$ be a curve of genus 1 defined over $\mathbf{Q}$. In general it will not have a rational point and, if it has, we may not be able to find one: but there is no difficulty in finding a point defined over $\bar{\mathbf{Q}}$. Hence there is a birational correspondence
$$\phi : \mathcal{D} \to C$$
defined over $\bar{\mathbf{Q}}$, where $C$ is in canonical form but defined over $\bar{\mathbf{Q}}$. Let $\sigma \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$. We can act on the birational correspondence with $\sigma$ and obtain
$$\sigma\phi : \mathcal{D} \to \sigma C,$$
where
$$\sigma C : Y^2 = X^3 + (\sigma A)X + \sigma B.$$
Now $C$ and $\sigma C$ are birationally equivalent over $\bar{\mathbf{Q}}$ by $(\sigma\phi)\phi^{-1}$. Hence $j(\sigma C) = j(C)$, that is, $j(C) \in \mathbf{Q}$ or equivalently $A^3/B^2 \in \mathbf{Q}$ if $AB \ne 0$. Hence by a transformation $X \to t^2X$, $Y \to t^3Y$ ($t \in \bar{\mathbf{Q}}$) we may suppose without loss of generality that $C$ is defined over $\mathbf{Q}$. Of course in general $\phi$ is defined only over $\bar{\mathbf{Q}}$.

Now $\theta_\sigma = (\sigma\phi)\phi^{-1}$ is an automorphism of $C$. Suppose, first, that $AB \ne 0$. Then by Lemma 1, Corollary, the automorphism of $C$ must be
$$\theta_\sigma : \mathbf{x} \to \varepsilon_\sigma\mathbf{x} + \mathbf{a}_\sigma$$
for some point $\mathbf{a}_\sigma$ defined over $\bar{\mathbf{Q}}$ and $\varepsilon_\sigma = \pm 1$. We are in the position discussed in the previous section, so
$$\theta_{\tau\sigma} = (\tau\theta_\sigma)\theta_\tau.$$
In particular, since $\varepsilon_\sigma \in \mathbf{Q}$, we have $\varepsilon_{\tau\sigma} = \varepsilon_\sigma\varepsilon_\tau$, so $\varepsilon_\sigma$ is a group character. We would like to ensure that $\varepsilon_\sigma$ is always 1. If not, there is some $d \in \mathbf{Q}$ such that $\sigma(\sqrt{d}) = \varepsilon_\sigma\sqrt{d}$. The transformation $X \to dX$, $Y \to d\sqrt{d}\,Y$ gives a new $C$ defined over $\mathbf{Q}$: and with this we do indeed have $\varepsilon_\sigma = 1$ always.

If $AB = 0$, the same conclusion holds but the argument is a little deeper (footnote 24). Suppose that $B = 0$, so $\varepsilon^4 = 1$, where we define $\mathbf{x} \to \varepsilon\mathbf{x}$ by $X \to \varepsilon^2X$, $Y \to \varepsilon^3Y$. Now $\mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$ acts on $\varepsilon_\sigma$, and
$$\varepsilon_{\tau\sigma} = (\tau\varepsilon_\sigma)\varepsilon_\tau.$$

Footnote 24. And may be omitted at first reading.
By "Hilbert 90" (see Exercises) there is a $\delta \in \bar{\mathbf{Q}}$ with $\delta^4 \in \mathbf{Q}$ such that $\sigma\delta = \varepsilon_\sigma\delta$. We can now modify $C$, as before, so that $\varepsilon_\sigma = 1$ identically on the new $C$. Similarly for $A = 0$.

Thus in every case we have found a $C$ defined over $\mathbf{Q}$ and a birational equivalence $\phi : \mathcal{D} \to C$ defined over $\bar{\mathbf{Q}}$ such that
$$(\sigma\phi)\phi^{-1} = \theta_\sigma : \mathbf{x} \to \mathbf{x} + \mathbf{a}_\sigma$$
for all $\sigma \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$. To sum up, we have proved:

Theorem 1. Let $\mathcal{D}$ be a curve of genus 1 defined over $\mathbf{Q}$. There is an elliptic curve $C$ defined over $\mathbf{Q}$ and a birational equivalence $\phi : \mathcal{D} \to C$ defined over $\bar{\mathbf{Q}}$ such that, for every $\sigma \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$, the map
$$\theta_\sigma = (\sigma\phi)\phi^{-1} : C \to C$$
is of the form
$$\theta_\sigma : \mathbf{x} \to \mathbf{x} + \mathbf{a}_\sigma$$
for some $\mathbf{a}_\sigma \in \bar{\mathfrak{G}}$. Further, $C$ is unique up to birational equivalence over $\mathbf{Q}$.

The elliptic curve $C$ is the jacobian of $\mathcal{D}$.

Before exploring this situation further, we require some new machinery, introduced in the next section.

§20. Exercises

1. Construct the jacobian of
(i) $Y^2 = aX^4 + bX^2 + c$ ($a, c \in \mathbf{Q}^*$, $b \in \mathbf{Q}$, $b^2 - 4ac \ne 0$).
(ii) $aX^3 + bY^3 + cZ^3 = 0$ ($a, b, c \in \mathbf{Q}^*$).
(iii) $aX^3 + bY^3 + cZ^3 + mXYZ = 0$ ($a, b, c, m \in \mathbf{Q}^*$).
(iv) $Y^2 = aX^4 + bX^3 + cX^2 + dX + e$.

2. Let $\mathcal{D}$ be the curve of genus 1 given by the redundant equations
$$(e_2 - e_1)t^2 = d_1v_1^2 - d_2v_2^2, \qquad (e_3 - e_2)t^2 = d_2v_2^2 - d_3v_3^2, \qquad (e_1 - e_3)t^2 = d_3v_3^2 - d_1v_1^2,$$
where $e_1, e_2, e_3$ are distinct and $d_j \in \mathbf{Q}^*$, $d_1d_2d_3 = 1$. Show that there is a point of $\mathcal{D}$ defined over $K = \mathbf{Q}(d_1^{1/2}, d_2^{1/2})$ and hence find a map $\phi : \mathcal{D} \to C$ defined over $K$ into
$$C : Y^2 = (X - e_1)(X - e_2)(X - e_3).$$
Show that the cocycle $(\sigma\phi)\phi^{-1} = \theta_\sigma : C \to C$ for $\sigma \in \mathrm{Gal}(K/\mathbf{Q})$ is of the type $\mathbf{x} \to \mathbf{x} + \mathbf{a}_\sigma$ where $2\mathbf{a}_\sigma = \mathbf{o}$. Deduce that $C$ is the jacobian of $\mathcal{D}$.

3. In this exercise the ground field is $\mathbf{Q}(\rho)$, where $\rho^3 = 1$, $\rho \ne 1$. Let $a, b, c \in \mathbf{Q}(\rho)$, and let
$$\mathcal{D} : aU^3 + bV^3 + cW^3 = 0, \qquad C : X^3 + Y^3 + abcZ^3 = 0.$$
Put $K = \mathbf{Q}(\rho, a^{1/3}, b^{1/3})$ and let $\phi : \mathcal{D} \to C$ be given by
$$X = a^{1/3}U, \qquad Y = b^{1/3}V, \qquad Z = a^{-1/3}b^{-1/3}W.$$
Show that the corresponding $\theta_\sigma$ is
$$\theta_\sigma : \mathbf{x} \to \mathbf{x}, \ \text{or}\ \mathbf{x} + (\rho, -\rho^2, 0)\ \text{or}\ \mathbf{x} + (\rho^2, -\rho, 0).$$
Deduce that $C$ is the jacobian of $\mathcal{D}$.

The remaining exercises fill in the proof that (in the notation of the text) one can arrange to have $\varepsilon_\sigma = 1$ when $AB = 0$.

4. Let $K/k$ be a finite normal (separable) extension of fields of degree $n$. Let $\alpha_1, \dots, \alpha_n$ be a basis of $K/k$ and let $\sigma_1, \dots, \sigma_n$ be the elements of the Galois group. Show that $\det[\sigma_i\alpha_j] \ne 0$. [Hint. $K = k(\beta)$ for some $\beta$. Note. In what is still the finest introduction to Galois theory (Galois Theory. Notre Dame Mathematical Lectures 2, 1942. Second edn., 1948.) E. Artin proves this at the onset by an induction argument.]

5. Let $K/k$ be a finite normal (separable) extension. For $\sigma \in \mathrm{Gal}(K/k)$ let $\theta_\sigma \in K^*$ be given satisfying the cocycle identity
$$\theta_{\tau\sigma} = (\tau\theta_\sigma)\theta_\tau.$$
Show that $\{\theta_\sigma\}$ is a coboundary, i.e. that
$$\theta_\sigma = (\sigma\gamma)\gamma^{-1} \qquad (\text{all } \sigma),$$
for some $\gamma \in K^*$. [Hint. Let $\lambda \in K$. Show that $\gamma = \sum_\sigma \theta_\sigma(\sigma\lambda)$ does what is required provided that $\gamma \ne 0$. Use Lemma 2 to show that $\lambda$ can be so chosen. Note. This result is usually known as Hilbert 90 because it is Satz 90 in Hilbert's Zahlbericht, his report on algebraic number theory to the German Mathematical Society at the end of the last century.]

6. Let $n > 1$ be an integer. For $\sigma \in \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q})$ let $\varepsilon_\sigma$ be an $n$th root of 1 and suppose that $\{\varepsilon_\sigma\}$ is a cocycle. Show that there is a $\delta \in \bar{\mathbf{Q}}$ such that $\varepsilon_\sigma = \sigma\delta/\delta$ and $\delta^n \in \mathbf{Q}$.
21 Some abstract nonsense (footnote 25)

Let $\Gamma$ be a finite group which acts on an abelian group $A$ (written additively). The action is written $\sigma a$ ($\sigma \in \Gamma$, $a \in A$). A cocycle is a map $\Gamma \to A$, say $\sigma \to a_\sigma$, which satisfies the cocycle identity
$$\tau a_\sigma = a_{\tau\sigma} - a_\tau \qquad (\sigma, \tau \in \Gamma).$$
Note that for $\tau = 1$ (the identity of $\Gamma$) this implies $a_1 = 0$.

If $b \in A$, then it is easy to see that
$$a_\sigma = \sigma b - b$$
is a cocycle. Cocycles of this type are called coboundaries.

Cocycles form a group under elementwise addition
$$\{a_\sigma\} + \{b_\sigma\} = \{a_\sigma + b_\sigma\}.$$
The coboundaries are a subgroup. The quotient group is
$$H^1(\Gamma, A),$$

Footnote 25. This is a self-contained account of what is needed from the cohomology of groups and commutative Galois cohomology. For how it fits into a wider picture, see, for example, Chapters IV and V of J.W.S. Cassels and A. Fröhlich (Editors) Algebraic number theory, Academic Press (1967). The treatment here is suggested by that in C. Chevalley Class field theory, Nagoya (1954).
the first cohomology group.

Now $\Gamma$ acts on the whole situation ("transfer of structure"). $\Gamma$ acts on itself by inner automorphisms. So $\tau$ acts on the map (cocycle) $\{a_\sigma\} : \sigma \to a_\sigma$ to give
$$\tau\{a_\sigma\} : \tau\sigma\tau^{-1} \to \tau a_\sigma = a_{\tau\sigma} - a_\tau.$$
Or, writing $\sigma$ for $\tau\sigma\tau^{-1}$,
$$\tau\{a_\sigma\} : \sigma \to a_{\sigma\tau} - a_\tau.$$
This is a cocycle, as it has to be; and indeed
$$\tau\{a_\sigma\} - \{a_\sigma\} : \sigma \to a_{\sigma\tau} - a_\tau - a_\sigma = \sigma a_\tau - a_\tau$$
is a coboundary. Hence

Lemma 0. $\Gamma$ acts trivially on $H^1(\Gamma, A)$.

Lemma 1. Every element of $H^1(\Gamma, A)$ is of finite order dividing $\sharp\Gamma$ (footnote 26).

Proof. Let the element be represented by the cocycle $\{a_\sigma\}$. Then, from what we have seen, it is also represented by the cocycle $\tau\{a_\sigma\} = \{a_{\sigma\tau} - a_\tau\}$. But now
$$\sum_\tau \tau\{a_\sigma\} = \Big\{\sum_\tau a_{\sigma\tau} - \sum_\tau a_\tau\Big\} = \{0\}.$$
[Recall that $a_1 = 0$.]

Lemma 2. Let $m \in \mathbf{Z}$, $m > 1$. Denote by $A_m \subset A$ the set of elements of order dividing $m$. Suppose that every element of $A$ is divisible by $m$ in $A$. Then every element of $H^1(\Gamma, A)$ of order $m$ is representable by a cocycle $\{d_\sigma\}$, $d_\sigma \in A_m$.

Proof. Let the given element of $H^1(\Gamma, A)$ be represented by $\{a_\sigma\}$. By hypothesis, $\{ma_\sigma\}$ is a coboundary, say
$$ma_\sigma = \sigma b - b \qquad (b \in A).$$
Under the hypotheses of the Lemma, $b = mc$, $c \in A$ so
$$ma_\sigma = m\sigma c - mc$$

Footnote 26. We use $\sharp$ for the cardinality of a set.
that is
$$m(a_\sigma - \sigma c + c) = 0.$$
Hence the element of $H^1$ is represented by
$$\sigma \to a_\sigma - \sigma c + c \in A_m,$$
as required.

Denote by $A^\Gamma$ the set of elements of $A$ fixed by $\Gamma$:
$$a \in A^\Gamma \iff \sigma a = a \quad (\text{all } \sigma \in \Gamma).$$

Lemma 3. Notation and hypotheses as in previous Lemma. Then $A^\Gamma/mA^\Gamma$ is canonically isomorphic to a subgroup of $H^1(\Gamma, A_m)$.

Proof. Let $a \in A^\Gamma$. By hypothesis $a = mb$, $b \in A$. On applying $\sigma \in \Gamma$, we have $a = \sigma a = m\sigma b$, and so
$$md_\sigma = 0, \qquad d_\sigma = \sigma b - b.$$
Hence $\{d_\sigma\}$ is a cocycle with values in $A_m$ (indeed it becomes a coboundary in $A$). For given $a$, any other choice of $b$ is of the type $b + c$, $c \in A_m$. Hence the element of $H^1(\Gamma, A_m)$ given by $\{d_\sigma\}$ is uniquely determined by $a$.

If $a \in mA^\Gamma$, we may take $b \in A^\Gamma$, so $d_\sigma = 0$ for all $\sigma$, and the image in $H^1(\Gamma, A_m)$ is 0. Conversely suppose that the cocycle constructed above is a coboundary, so
$$d_\sigma = \sigma e - e \qquad \forall\sigma \in \Gamma, \text{ some } e \in A_m.$$
Then $\sigma(b - e) = b - e$ (all $\sigma \in \Gamma$): and so $b - e \in A^\Gamma$, $m(b - e) = a$.

We can put the last two lemmas together. We repeat the hypothesis.

Theorem. Suppose that $m > 1$ is an integer and that every element of $A$ is divisible by $m$. Then the sequence
$$0 \to A^\Gamma/mA^\Gamma \to H^1(\Gamma, A_m) \to [H^1(\Gamma, A)]_m \to 0$$
is exact, where $[\dots]_m$ denotes the group of elements of order dividing $m$, and the third map is induced by $A_m \to A$.

Proof. After Lemmas 2, 3 we need only prove exactness at $H^1(\Gamma, A_m)$, i.e. that the image of
$$A^\Gamma/mA^\Gamma \to H^1(\Gamma, A_m)$$
is exactly the kernel of
$$H^1(\Gamma, A_m) \to [H^1(\Gamma, A)]_m.$$
Consider first an element of the image, given (say) by the cocycle $\{d_\sigma\}$. By hypothesis, $d_\sigma = \sigma b - b$, $b \in A$ and so $\{d_\sigma\}$ considered as taking values in $A$, is a coboundary. Thus Image $\subset$ Kernel.

Now let the cocycle represented by $\{d_\sigma\}$ be in the kernel, i.e. $\{d_\sigma\}$ is a coboundary for $A$:
$$d_\sigma = \sigma b - b, \qquad \text{some } b \in A.$$
Then
$$\sigma(mb) - mb = md_\sigma = 0 \qquad (\text{all } \sigma)$$
and so $mb \in A^\Gamma$. Hence Kernel $\subset$ Image.

Galois cohomology. Let $k$ be a field and $\bar k$ its separable closure (= algebraic closure in characteristic 0, the case of interest). Put $\Gamma = \mathrm{Gal}(\bar k/k)$. We say that the action $a \to \sigma a$ ($\sigma \in \Gamma$, $a \in A$) of $\Gamma$ on the abelian group $A$ is continuous if:

For every $a \in A$ there is an extension $K$ of $k$ of finite degree $[K : k] < \infty$ (depending on $a$) such that $\sigma a = a$ (all $\sigma \in \mathrm{Gal}(\bar k/K) \subset \mathrm{Gal}(\bar k/k)$).

Note 1. An example is: $k = \mathbf{Q}$, $C$ a curve $Y^2 = X^3 + AX + B$ defined over $\mathbf{Q}$, $A = \bar{\mathfrak{G}}$.

Note 2. If $A$ has any natural topology, this is disregarded. For us the word "continuous" is just a term of art. The action is continuous in the usual sense if $\Gamma$ is given an appropriate topology and $A$ the discrete topology.

A continuous cocycle is a map $\sigma \to a_\sigma$ ($\sigma \in \Gamma$, $a_\sigma \in A$) which
(i) satisfies the cocycle identity $\tau a_\sigma = a_{\tau\sigma} - a_\tau$ ($\sigma, \tau \in \Gamma$);
(ii) is continuous in the sense that there is a normal extension $K/k$ of
finite degree $[K : k] < \infty$ such that $a_\sigma$ depends only on the action of $\sigma$ on $K$. [Of course $K$ may depend on $\{a_\sigma\}$.] In particular, $a_\tau = 0$ (all $\tau \in \mathrm{Gal}(\bar k/K)$), so
$$\tau a_\sigma = a_{\tau\sigma} - a_\tau = a_\sigma - 0 \qquad (\text{all } \tau \in \mathrm{Gal}(\bar k/K))$$
and hence $a_\sigma$ is fixed by $\mathrm{Gal}(\bar k/K)$ (all $\sigma$ in $\mathrm{Gal}(\bar k/k)$).

If $\{a_\sigma\}$, $\{b_\sigma\}$ are continuous cocycles, then clearly $\{a_\sigma + b_\sigma\}$ is continuous. A coboundary $\{\sigma c - c\}$, $c \in A$ is automatically continuous, by our hypothesis that $\Gamma$ acts continuously on $A$.

Definition. $H^1(\Gamma, A)$ is the group of continuous cocycles modulo coboundaries.

By following the proofs of the $\Gamma$ finite case it is straightforward to prove

Theorem 1. $H^1(\Gamma, A)$ is torsion (i.e. every element has finite order).

Theorem 2. Let $m > 1$ be an integer and suppose that every element of $A$ is divisible by $m$. Then the sequence
$$0 \to A^\Gamma/mA^\Gamma \to H^1(\Gamma, A_m) \to [H^1(\Gamma, A)]_m \to 0$$
is exact where (as in the previous section)
(i) $A^\Gamma$ is the set of $a \in A$ fixed by $\Gamma$.
(ii) $A_m$ is the set of elements of $A$ of order dividing $m$.
(iii) $[H^1(\Gamma, A)]_m$ is the set of elements of $H^1(\Gamma, A)$ of order dividing $m$.

Appendix (footnote 27). Localization

Let $p$ be a fixed prime. Choose a fixed embedding $\lambda : \bar{\mathbf{Q}} \to \bar{\mathbf{Q}}_p$. Write

Footnote 27. May be omitted at first reading. As will be explained, the result obtained here is obvious from another point of view in the context of the course.
$$\Gamma = \mathrm{Gal}(\bar{\mathbf{Q}}/\mathbf{Q}), \qquad \Gamma_p = \mathrm{Gal}(\bar{\mathbf{Q}}_p/\mathbf{Q}_p);$$
so $\lambda$ induces an embedding
$$\lambda^* : \Gamma_p \to \Gamma.$$
Let $A$ be a continuous $\Gamma$-module. Then it is via $\lambda^*$ a continuous $\Gamma_p$-module. Let $\{a_\sigma\}$, $\sigma \in \Gamma$ be a continuous cocycle. By restricting $\sigma$ to $\Gamma_p$, we have a continuous $\Gamma_p$ cocycle. Hence we have a group homomorphism
$$\lambda_! : H^1(\Gamma, A) \to H^1(\Gamma_p, A)$$
[localization: a special case of the "restriction map"].

Ostensibly $\lambda_!$ depends on the embedding $\lambda$, but we show that it does not. Any embedding $\lambda'$ of $\bar{\mathbf{Q}} \hookrightarrow \bar{\mathbf{Q}}_p$ is of the shape $\lambda' = \lambda\rho$, where $\rho$ is an automorphism of $\bar{\mathbf{Q}}/\mathbf{Q}$. By the analogue of Lemma 0 of the "Finite $\Gamma$" section, $\rho$ acts trivially on $H^1(\Gamma, A)$, and so $\lambda'_! = \lambda_!$. Thus the map
$$H^1(\Gamma, A) \to H^1(\Gamma_p, A)$$
is canonical.

In the context of the course, we have an elliptic curve $Y^2 = X^3 + AX + B$ defined over $\mathbf{Q}$. Let $\bar{\mathfrak{G}}$, $\bar{\mathfrak{G}}_p$ be the points defined over $\bar{\mathbf{Q}}$, $\bar{\mathbf{Q}}_p$ respectively. We are concerned with the map
$$H^1(\Gamma, \bar{\mathfrak{G}}) \to H^1(\Gamma_p, \bar{\mathfrak{G}}_p),$$
which may be regarded as
$$H^1(\Gamma, \bar{\mathfrak{G}}) \to H^1(\Gamma_p, \bar{\mathfrak{G}}) \to H^1(\Gamma_p, \bar{\mathfrak{G}}_p),$$
the second induced by the embedding $\bar{\mathfrak{G}} \to \bar{\mathfrak{G}}_p$.

Later we interpret an element of $H^1(\Gamma, \bar{\mathfrak{G}})$ as a curve $\mathcal{D}$ defined over $\mathbf{Q}$ together with a choice of structure as a principal homogeneous space. A curve $\mathcal{D}$ defined over $\mathbf{Q}$ is certainly defined over $\mathbf{Q}_p$. With its structure of principal homogeneous space it thus corresponds to an element of $H^1(\Gamma_p, \bar{\mathfrak{G}}_p)$. The resulting map $H^1(\Gamma, \bar{\mathfrak{G}}) \to H^1(\Gamma_p, \bar{\mathfrak{G}}_p)$ is precisely the one constructed above.
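To make the finite-$\Gamma$ part of §21 concrete, here is an added Python example (mine, not the book's) that computes $H^1(\Gamma, A)$ directly from the definitions for $A = \mathbf{Z}/n$ with $\Gamma$ a group of units acting by multiplication: it enumerates all cocycles, forms the coboundaries $\sigma b - b$, takes the quotient, implements the transfer-of-structure map $\tau\{a_\sigma\} : \sigma \to a_{\sigma\tau} - a_\tau$, and checks Lemma 0 (trivial action on $H^1$) and Lemma 1 ($\sharp\Gamma$ kills every class). The representation of $\Gamma$ as a list of residues closed under multiplication mod $n$ is an assumption of this example.

```python
from itertools import product

# Γ is a list of residues mod n, closed under multiplication, with 1 first;
# σ ∈ Γ acts on A = Z/n by a -> σ·a mod n. A cocycle is a dict σ -> a_σ.

def is_cocycle(a, gamma, n):
    """The text's cocycle identity τ a_σ = a_{τσ} - a_τ for all σ, τ in Γ."""
    return all((tau * a[sigma] - a[(tau * sigma) % n] + a[tau]) % n == 0
               for sigma in gamma for tau in gamma)

def cocycles(gamma, n):
    found = []
    for vals in product(range(n), repeat=len(gamma)):
        a = dict(zip(gamma, vals))
        if is_cocycle(a, gamma, n):
            found.append(a)
    return found

def coboundaries(gamma, n):
    """Value tuples (in the order of gamma) of the cocycles σ -> σb - b."""
    return {tuple((sigma * b - b) % n for sigma in gamma) for b in range(n)}

def h1_order(gamma, n):
    """|H^1(Γ, Z/n)| = |cocycles| / |coboundaries|, the quotient group's order."""
    return len(cocycles(gamma, n)) // len(coboundaries(gamma, n))

def conjugate(a, tau, gamma, n):
    """τ{a_σ} : σ -> a_{στ} - a_τ, the transfer-of-structure action on cocycles."""
    return {sigma: (a[(sigma * tau) % n] - a[tau]) % n for sigma in gamma}

def lemma0_holds(gamma, n):
    """Γ acts trivially on H^1: τ{a} - {a} is a coboundary for every cocycle a and τ."""
    cbs = coboundaries(gamma, n)
    return all(tuple((conjugate(a, tau, gamma, n)[s] - a[s]) % n for s in gamma) in cbs
               for a in cocycles(gamma, n) for tau in gamma)

def lemma1_holds(gamma, n):
    """Every class has order dividing |Γ|: |Γ|·{a} is a coboundary."""
    cbs = coboundaries(gamma, n)
    return all(tuple((len(gamma) * a[s]) % n for s in gamma) in cbs
               for a in cocycles(gamma, n))

if __name__ == "__main__":
    # Γ = {1, -1} acting on Z/4 by sign: 4 cocycles, 2 coboundaries, H^1 of order 2.
    print(h1_order([1, 3], 4), lemma0_holds([1, 3], 4), lemma1_holds([1, 3], 4))
```

For $\Gamma = \{1, -1\}$ on $\mathbf{Z}/4$ the cocycles are $a_1 = 0$, $a_{-1}$ arbitrary, the coboundaries are $a_{-1} \in \{0, 2\}$, so $H^1$ has order 2, consistent with Lemma 1; for $\Gamma = \{1, 5\}$ on $\mathbf{Z}/8$ the cocycle condition $6a_5 \equiv 0$ and the coboundaries $4b$ coincide, so $H^1$ is trivial.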
22 Principal homogeneous spaces and Galois cohomology

Let $\mathcal D$ be a curve of genus 1 defined over $\mathbf Q$. We have seen (§20, Theorem 1) that there is an elliptic curve
$$C : Y^2 = X^3 + AX + B$$
defined over $\mathbf Q$ and a birational equivalence $\phi : \mathcal D \to C$ defined over $\bar{\mathbf Q}$. Further, for any $\sigma \in \mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$ the map $(\sigma\phi)\phi^{-1} : C \to C$ is of the type $\mathbf x \to \mathbf x + \mathbf a_\sigma$, where $\mathbf a_\sigma \in \mathfrak G$. The elliptic curve $C$ is unique up to a transformation $X \to s^2 X$, $Y \to s^3 Y$, $s \in \mathbf Q^*$. Of course $\phi$ and the $\mathbf a_\sigma$ are far from being unique. $C$ is the jacobian of $\mathcal D$.

We have to discuss how far the elements of the above situation are arbitrary. We note first that (by the previous discussion) the $\mathbf a_\sigma$ satisfy the cocycle identity
$$\mathbf a_{\tau\sigma} = \tau\mathbf a_\sigma + \mathbf a_\tau.$$
Now the $\mathbf a_\sigma$ are in the commutative group $\mathfrak G$, and we may invoke the machinery of §21.
On replacing the map $\phi$ by $\psi\phi$, where $\psi : C \to C$, $\mathbf x \to \mathbf x + \mathbf b$ ($\mathbf b \in \mathfrak G$), we replace $\{\mathbf a_\sigma\}$ by
$$\mathbf a_\sigma + (\sigma\mathbf b - \mathbf b),$$
where $\sigma\mathbf b - \mathbf b$ is a coboundary. In the commutative case, the coboundaries are a subgroup of the cocycles and so $\{\mathbf a_\sigma\}$ determines an element of the quotient group
$$\text{cocycles}/\text{coboundaries} = H^1(\Gamma, \mathfrak G)$$
- the first cohomology group, where $\Gamma = \mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$.

We now look at the information which an element of $H^1(\Gamma, \mathfrak G)$ gives us about $\mathcal D$. In the first place, we certainly can construct a curve $\mathcal D$ and a birational equivalence $\phi$ by our general machinery. To remind: let $\mathbf x$ be a generic point of $C$. There is an action $\bar\sigma$ of $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$ on $\bar{\mathbf Q}(\mathbf x)$ given by
(i) $\bar\sigma$ acts like $\sigma$ on $\bar{\mathbf Q}$
(ii) $\bar\sigma\mathbf x = \mathbf x + \mathbf a_\sigma$.
Then the fixed field is the function field of a curve $\mathcal D$ defined over $\mathbf Q$ and $\phi$, defined over $\bar{\mathbf Q}$, is given by the identification of the two function fields over $\bar{\mathbf Q}$.

The map $\phi$ gives $\mathcal D$ a structure of principal homogeneous space over $C$ in the following sense. Let $\boldsymbol\xi_1, \boldsymbol\xi_2$ be independent generic points on $\mathcal D$, which we treat as fixed under $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$. Put
$$\Delta(\boldsymbol\xi_1, \boldsymbol\xi_2) = \phi(\boldsymbol\xi_1) - \phi(\boldsymbol\xi_2).$$
Then
$$\sigma\Delta(\boldsymbol\xi_1, \boldsymbol\xi_2) = (\phi(\boldsymbol\xi_1) + \mathbf a_\sigma) - (\phi(\boldsymbol\xi_2) + \mathbf a_\sigma) = \Delta(\boldsymbol\xi_1, \boldsymbol\xi_2).$$
That is, the algebraic map from two copies of $\mathcal D$ to $C$ given by $\Delta$ is defined over $\mathbf Q$. Clearly
$$\Delta(\boldsymbol\xi_1, \boldsymbol\xi_2) + \Delta(\boldsymbol\xi_2, \boldsymbol\xi_3) = \Delta(\boldsymbol\xi_1, \boldsymbol\xi_3).$$
Hence the cocycle $\{\mathbf a_\sigma\}$, or the corresponding element of $H^1(\Gamma, \mathfrak G)$, determines the pair $(\mathcal D, \Delta)$. The cocycle $\{-\mathbf a_\sigma\}$ determines the pair $(\mathcal D, -\Delta)$. Thus to get a group structure we must consider not just the curves $\mathcal D$ with given jacobian, but the pairs $(\mathcal D, \Delta)$ where $\Delta$ is a structure of principal homogeneous space.

The above account overlooks one tricky point. An element of $H^1(\Gamma, \mathfrak G)$ determines the function field of $\mathcal D$, and so determines $\mathcal D$ only up to
birational equivalence defined over $\mathbf Q$. Now it can happen that there is a birational automorphism of $\mathcal D$ defined over $\mathbf Q$ which interchanges $\Delta$ and $-\Delta$ (!). A trivial example is when $C$ is regarded as its own jacobian. Consider two maps
$$\phi_j : (\mathcal D =)\, C \to C, \qquad (j = 1, 2)$$
where $\phi_1$ is $\mathbf x \to \mathbf x$ and $\phi_2$ is $\mathbf x \to -\mathbf x$. In both cases the cocycle is identically 0. In the first case, $\Delta_1(\mathbf x_1, \mathbf x_2) = \mathbf x_1 - \mathbf x_2$; and in the second $\Delta_2(\mathbf x_1, \mathbf x_2) = \mathbf x_2 - \mathbf x_1$. The two are taken into one another by the automorphism $\mathbf x \to -\mathbf x$ of $C = \mathcal D$.

In the example just above, we have the trivial element of $H^1(\Gamma, \mathfrak G)$. There is the same phenomenon for elements of order 2 (and only for them) [Exercise for reader!]. To deal with this difficulty, we shall identify two structures of principal homogeneous space which are birationally equivalent. With this convention each element of $H^1(\Gamma, \mathfrak G)$ defines a unique principal homogeneous space.

Conversely, a structure of principal homogeneous space determines the element of $H^1(\Gamma, \mathfrak G)$. Consider the map $\phi : \mathcal D \to C$. By our initial construction, the corresponding cocycle is
$$\mathbf a_\sigma = \sigma(\phi(\boldsymbol\xi)) - \phi(\boldsymbol\xi),$$
where $\boldsymbol\xi$ is a generic point of $\mathcal D$ fixed under Galois. Now let $\boldsymbol\alpha$ be any algebraic point on $\mathcal D$ (i.e. defined over $\bar{\mathbf Q}$). Then
$$\sigma(\phi(\boldsymbol\alpha)) = (\sigma\phi)(\sigma\boldsymbol\alpha) = \phi(\sigma\boldsymbol\alpha) + \mathbf a_\sigma,$$
since $\sigma$ acts both on $\boldsymbol\alpha$ and on the coefficients of the map $\phi$. Hence
$$\Delta(\boldsymbol\alpha, \sigma\boldsymbol\alpha) = \phi(\boldsymbol\alpha) - \phi(\sigma\boldsymbol\alpha) = \phi(\boldsymbol\alpha) - \sigma(\phi(\boldsymbol\alpha)) + \mathbf a_\sigma.$$
Thus $\{\Delta(\boldsymbol\alpha, \sigma\boldsymbol\alpha)\}_\sigma$ is a cocycle, and differs from $\{\mathbf a_\sigma\}_\sigma$ by a coboundary.

To sum up:

Theorem. There is a canonical isomorphism between principal homogeneous spaces $(\mathcal D, \Delta)$ (up to birational equivalence over $\mathbf Q$) and elements of $H^1(\Gamma, \mathfrak G)$. The element corresponding to $(\mathcal D, \Delta)$ is given by the cocycle $\{\Delta(\boldsymbol\alpha, \sigma\boldsymbol\alpha)\}_\sigma$, where $\boldsymbol\alpha$ is any algebraic point on $\mathcal D$.

Note 1. Principal homogeneous spaces were introduced by Weil. He defined their group structure directly, not by reference to $H^1(\Gamma, \mathfrak G)$.
Note 2. For the cognoscenti. The "jacobian" defined here is a refinement of the classical notion defined over the complex numbers. Recall that a divisor $\mathfrak a$ on $\mathcal D$ is a map from the algebraic points $\boldsymbol\alpha$ on $\mathcal D$ to $\mathbf Z$ which is 0 for all except at most finitely many $\boldsymbol\alpha$. It is defined over $\mathbf Q$ if it is invariant (in an obvious sense) under $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$. The degree is $\sum n_{\boldsymbol\alpha}$, where $\mathfrak a$ is $\boldsymbol\alpha \to n_{\boldsymbol\alpha}$. Suppose that $\mathfrak a$ is of degree 0. The jacobian map is the map from $\mathfrak a$ to
$$\mathrm{Jac}(\mathfrak a) = \sum n_{\boldsymbol\alpha}\phi(\boldsymbol\alpha) \in \mathfrak G,$$
the summation being that on $C$. The divisor $\mathfrak a$ is in the kernel of the map precisely when the $\phi(\boldsymbol\alpha)$ with their multiplicities are the poles and zeros of a function on $C$. Identifying $\mathcal D$ and $C$ via $\phi$, this is the same as saying that $\mathfrak a$ is the divisor of a function on $\mathcal D$ [a principal divisor]. If $\mathfrak a$ is defined over $\mathbf Q$, then $\mathrm{Jac}(\mathfrak a)$ is defined over $\mathbf Q$, as follows easily from the formula for $\sigma\phi(\boldsymbol\alpha)$. Hence we have a group monomorphism from
$$\frac{\text{Divisors of degree 0 on } \mathcal D \text{ defined over } \mathbf Q}{\text{Principal such divisors}}$$
into the group of points of $C$ defined over $\mathbf Q$.

A final point. If the divisor $\mathfrak a$ of degree 0 is defined over $\mathbf Q$ and is principal, then it is the divisor of a function on $\mathcal D$ defined over $\mathbf Q$. For suppose that $f$ is a function with divisor $\mathfrak a$ defined over $\bar{\mathbf Q}$. Let $\sigma \in \mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$. Then $\mathfrak a$ is also the divisor of $\sigma f$ and so $\sigma f/f \in \bar{\mathbf Q}^*$. It is readily checked that $\sigma \to \sigma f/f$ is a cocycle with values in $\bar{\mathbf Q}^*$; and so is a coboundary by Hilbert 90 [§20, Exercise 5]. Hence $\sigma f/f = \sigma\lambda/\lambda$ for some $\lambda \in \bar{\mathbf Q}^*$ and all $\sigma$. Then $\lambda^{-1}f$ is fixed under Galois, i.e. defined over $\mathbf Q$, and has divisor $\mathfrak a$, as required. [Of course this remark is general, and applies to curves of any genus.]

§22. Exercises

1. If $\boldsymbol\xi$, $\mathbf x$ are generic points of $\mathcal D$, $C$ respectively, fixed under Galois, show that the function
$$\Lambda(\boldsymbol\xi, \mathbf x) = \phi^{-1}(\phi(\boldsymbol\xi) + \mathbf x)$$
is defined over $\mathbf Q$ and investigate its properties.
23 The Tate-Shafarevich group

We put together the results of the two previous sections. As before, let
$$C : Y^2 = X^3 + AX + B$$
be an elliptic curve defined over $\mathbf Q$. The groups of points defined over $\mathbf Q$, $\bar{\mathbf Q}$ respectively are $\mathfrak E$, $\mathfrak G$; and $\Gamma$ is $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$.

We have seen that the first cohomology group $H^1(\Gamma, \mathfrak G)$ is canonically isomorphic to the group of equivalence classes of $\{\mathcal D, \Delta\}$ where $\mathcal D$ is a curve of genus 1 and $\Delta$ is a structure of principal homogeneous space on it. This group is often referred to as the Weil-Châtelet group and denoted by $WC = WC(C)$.

Let $m > 1$ be an integer. The group $\mathfrak G$ is divisible by $m$ since finding a $\mathbf b$ such that $m\mathbf b = \mathbf a \in \mathfrak G$ is just a matter of solving some algebraic equations. The exact sequence of the previous section is now
$$0 \to \mathfrak E/m\mathfrak E \to H^1(\Gamma, A_m) \to [H^1(\Gamma, \mathfrak G)]_m \to 0,$$
where $A_m \subset \mathfrak G$ is the group of elements of $\mathfrak G$ of order $m$ and the $[\ldots]_m$ denotes the subgroup of elements of order dividing $m$.

We now have an approach to the weak Mordell-Weil theorem. We would like to find the elements of $H^1(\Gamma, A_m)$ which are the images of $\mathfrak E/m\mathfrak E$. By the exactness of the sequence these are precisely the kernel of the map
$$H^1(\Gamma, A_m) \to H^1(\Gamma, \mathfrak G) = WC(C).$$
Being in the kernel means that the image is a trivial principal homogeneous space $\{\mathcal D, \Delta\}$; i.e. that there is a point on $\mathcal D$ defined over $\mathbf Q$. For $m = 2$ we are back in the situation discussed in the proof of
the Weak Mordell-Weil Theorem. There we displayed the curve $\mathcal D$ in the image $\{\mathcal D, \Delta\}$ of an element of $H^1(\Gamma, A_2)$[28] as the intersection of two quartic surfaces. As we have already emphasised, there is even now no algorithm for deciding whether or not there is a rational point on $\mathcal D$. There is, however, no difficulty in deciding whether or not there is a point on $\mathcal D$ everywhere locally. As we shall see in a moment, the elements of $WC$ for which there is a point on $\mathcal D$ everywhere locally form a subgroup. It is known as the Tate-Shafarevich group and is usually denoted[29] by the Russian letter Ш ("sha").

To show that Ш is a subgroup we must discuss localization. For any prime $p$ (including $\infty$) we use a suffix $p$ to denote an object defined over $\mathbf Q_p$ instead of over $\mathbf Q$. There is an obvious map
$$j_p : WC \to WC_p$$
which takes the equivalence class of a principal homogeneous space $(\mathcal D, \Delta)$ defined over $\mathbf Q$ into the class of the same $\{\mathcal D, \Delta\}$ considered over $\mathbf Q_p$. The non-cohomological description of the composition of principal homogeneous spaces works entirely over the ground field: thus it shows immediately that the localization $j_p$ respects the group law; but we have not explained that description. From the cohomological point of view, we have a map induced by the inclusion $\mathfrak G \subset \mathfrak G_p$. This situation was discussed at the end of §21, where it was shown that $j_p$ is a group homomorphism and is independent of the choice of inclusion $\bar{\mathbf Q} \subset \bar{\mathbf Q}_p$.

Clearly Ш is the intersection of the kernels of all the localization maps $j_p$ (including $p = \infty$). For given $m$, denote by $S_m$ the group of elements of $H^1(\Gamma, A_m)$ which map into Ш $\subset H^1(\Gamma, \mathfrak G)$. It is called the $m$th Selmer group. Now we have the exact sequence
$$0 \to \mathfrak E/m\mathfrak E \to S_m \to [\text{Ш}]_m \to 0.$$
For $m = 2$, which we encountered in the proof of the weak Mordell-Weil Theorem, we saw that $S_2$ is finite and effectively constructible. It can be shown by a more sophisticated version of the same argument that the same things hold for $S_m$ and general $m$, though now the effective constructibility tends to be not very practical.

[28] The author apologizes for the clash between $\Delta$ denoting a structure of principal homogeneous space and the group of elements of order 2 in $\mathfrak G$.
[29] This is the author's most lasting contribution to the subject. The original notation was TS, which, Tate tells me, was intended to continue the lavatorial allusion of WC. The Americanism "tough shit" indicates the part that is difficult to eliminate.

To sum up. The Selmer group is knowable. It majorizes $\mathfrak E/m\mathfrak E$ and the "error" is given by Ш, which can be called the obstruction to the local-global principle for curves of genus 1 with the given jacobian $C$.

This is as far as we shall go in this direction with the theory. We conclude with background comments.

Before all this theory was invented, Selmer embarked on a massive programme to find the Mordell-Weil groups of elliptic curves, especially those of the type
$$C : X^3 + Y^3 + dZ^3 = 0,$$
where $d \in \mathbf Z$. He used descent arguments to bound the Mordell-Weil rank. Also, by a direct search, he found rational points on $C$ and so bounded the Mordell-Weil rank from below. Most often the upper and the lower estimates for the rank coincided, but when there was a discrepancy the difference was always even. Moreover, estimates for the rank derived from different types of descent (e.g. majorization of $\mathfrak E/2\mathfrak E$ and $\mathfrak E/3\mathfrak E$) always differed, if at all, by an even integer.

After the group Ш was discovered by Tate and Shafarevich, it was natural to look for the explanation of this phenomenon in the structure of Ш. It turns out that there is a skew-symmetric form on Ш whose kernel is the group of infinitely-divisible elements of Ш. It always looked improbable that there are infinitely-divisible elements and by now there is much evidence (but no proof) that they do not exist. If there are no infinitely divisible elements, the existence of the skew-symmetric form shows that the order of $[\text{Ш}]_m$ is a square. This explains Selmer's observation.

There is not merely a local-global principle for curves of genus 0, but it has a quantitative formulation (and also, more generally, for linear algebraic groups. The modern formulation is in terms of the "Tamagawa number").
On the basis of massive calculations (this time on a computer) Birch and Swinnerton-Dyer proposed what can be regarded as a quantitative local-global theorem for elliptic curves. In their formula there is a number, not otherwise accounted for. In all their calculations the mysterious number turned out to be an integer and indeed a perfect square. It was natural to interpret this integer as the order of Ш (supposed
finite), and, once made, this identification was supported on other grounds. The Birch-Swinnerton-Dyer conjectures were widely generalized and further evidence for their plausibility was adduced. It is only in the last few years that progress has been made with their proof. Until the very recent work of Rubin and Kolyvagin there was not even a single elliptic curve for which Ш had been proved to be finite.

§23. Exercises

1. Let $m, n$ be integers, $m \mid n$. Show that there is a group homomorphism $\lambda$ such that
(diagram)
commutes. Hence show that there are $\mu$, $\nu$ such that

$0 \to \mathfrak E/n\mathfrak E \to H^1(\Gamma, A_n) \to [WC]_n \to 0$
$\;\;\;\;\;\;\;\downarrow\mu \;\;\;\;\;\;\;\;\;\;\;\;\;\;\downarrow\lambda \;\;\;\;\;\;\;\;\;\;\;\;\downarrow\nu$
$0 \to \mathfrak E/m\mathfrak E \to H^1(\Gamma, A_m) \to [WC]_m \to 0$

is exact and commutative. Describe $\mu$, $\nu$ explicitly.
24 The endomorphism ring

In this section, the ground field $k$ is any field, possibly of characteristic $p \neq 2, 3$. [This last restriction solely because of our choice of canonical form.] The main objective is the application to the estimation of the number of points over finite fields, but we do a little more, to set things in context.

Let
$$C : Y^2 = X^3 + AX + B$$
be an elliptic curve defined over $k$. An endomorphism of $C$ (over $k$) is a rational map $\phi : C \to C$ defined over $k$, for which $\phi(\mathbf o) = \mathbf o$. One endomorphism is the constant endomorphism which maps $C$ entirely onto $\mathbf o$. Otherwise, if $\mathbf x$ is a generic point of $C$, then so is $\boldsymbol\xi = \phi(\mathbf x)$ and $k(\mathbf x)/k(\boldsymbol\xi)$ is an algebraic extension. We define the degree of $\phi$ to be
$$d(\phi) = [k(\mathbf x) : k(\boldsymbol\xi)].$$
By convention, the degree of the constant endomorphism is 0.

The first lemma shows that $\phi$ respects the group structure of $C$. It is not really needed for what follows, but it helps to set ideas. In the application to finite fields, the conclusion will be obvious.
Lemma 1. Let $\mathbf a, \mathbf b$ be points of $C$. Then $\phi(\mathbf a + \mathbf b) = \phi(\mathbf a) + \phi(\mathbf b)$.

Sketch proof. By extending the ground field if necessary, we may suppose that $\mathbf a, \mathbf b$ are defined over $k$. If $\phi$ is the constant endomorphism, there is nothing to prove. Otherwise, let $\mathbf x$ be a generic point, $\boldsymbol\xi = \phi(\mathbf x)$. By the definition of the group law, there is a $\Lambda = \Lambda(\mathbf x) \in k(\mathbf x)$ whose only zeros are simple zeros at $\mathbf a, \mathbf b$ and whose only poles are simple poles at $\mathbf o$, $\mathbf a + \mathbf b$. Let
$$\Lambda' = \Lambda'(\boldsymbol\xi) = \mathrm{Norm}_{k(\mathbf x)/k(\boldsymbol\xi)}\Lambda.$$
Then the zeros of $\Lambda'$ are just simple zeros at $\phi(\mathbf a)$, $\phi(\mathbf b)$ and the poles of $\Lambda'$ are just simple poles at $\phi(\mathbf a + \mathbf b)$ and at $\mathbf o = \phi(\mathbf o)$.

Note. cf. §14, Lemma 1. The proof above follows that in Silverman, Theorem 4.8 (p. 75), where it is proved for isogenies and the treatment is fuller. For the corresponding result for abelian varieties of any dimension, see D. Mumford, Abelian Varieties (Oxford, 1970), p. 43, Corollary 3 or H.P.F. Swinnerton-Dyer, Analytic theory of abelian varieties (Cambridge, 1974), Theorem 32 or S. Lang, Abelian varieties (New York and London, 1959), Chapter II, Theorem 4.

All we shall need is the

Corollary. Let $\mathbf x = (x, y)$, $\boldsymbol\xi = (\xi, \eta)$ be as above. Then $\xi \in k(x)$, and
$$[k(x) : k(\xi)] = [k(\mathbf x) : k(\boldsymbol\xi)] = d(\phi).$$

Proof. For $\phi(-\mathbf x) = -\phi(\mathbf x) = -\boldsymbol\xi$.

For any two endomorphisms $\phi, \psi$, we define the sum $\phi + \psi$ and the product $\phi\psi$ by
$$(\phi + \psi)(\mathbf x) = \phi(\mathbf x) + \psi(\mathbf x), \qquad (\phi\psi)(\mathbf x) = \phi(\psi(\mathbf x)),$$
where $\mathbf x$ is a generic point. It is readily verified that this gives the set of endomorphisms the structure of a (not necessarily commutative) ring.
Lemma 2. $d(\phi\psi) = d(\phi)d(\psi)$.

Proof. Clear.

Lemma 3. $d(\phi + \psi) + d(\phi - \psi) = 2d(\phi) + 2d(\psi)$.

Proof. Let $\mathbf x = (x, y)$ be a generic point, and put
$$\phi(\mathbf x) = \boldsymbol\zeta_1, \quad \psi(\mathbf x) = \boldsymbol\zeta_2, \quad (\phi + \psi)(\mathbf x) = \boldsymbol\zeta_3, \quad (\phi - \psi)(\mathbf x) = \boldsymbol\zeta_4,$$
so $\boldsymbol\zeta_3 = \boldsymbol\zeta_1 + \boldsymbol\zeta_2$, $\boldsymbol\zeta_4 = \boldsymbol\zeta_1 - \boldsymbol\zeta_2$. Then $\zeta_j \in k(x)$, $(j = 1, 2, 3, 4)$ where $\boldsymbol\zeta_j = (\zeta_j, \eta_j)$. We argue as in the corresponding results for heights (§17, Lemma 4). The degree of an element of $k(x)$ corresponds to the height of an element of $\mathbf Q$. As $k(x)$ has no archimedean valuations trivial on $k$, the results are more precise. By the formula for sum and difference, we have
$$1 : \zeta_3 + \zeta_4 : \zeta_3\zeta_4 = (\zeta_1 - \zeta_2)^2 : 2(\zeta_1\zeta_2 + A)(\zeta_1 + \zeta_2) + 4B : \zeta_1^2\zeta_2^2 - 2A\zeta_1\zeta_2 - 4B(\zeta_1 + \zeta_2) + A^2.$$
A similar argument to that for heights[30] gives
$$\deg(\zeta_3) + \deg(\zeta_4) = 2\deg(\zeta_1) + 2\deg(\zeta_2),$$
where "deg" is the degree as a rational function of $x$ (= maximum of the degrees of numerator and denominator). This result now follows from Lemma 1, Corollary.

[30] cf. also (*) of §17
Corollary. There are $r, s, t \in \mathbf Z$, depending on $\phi, \psi$, such that
$$d(m\phi + n\psi) = rm^2 + smn + tn^2$$
for all $m, n \in \mathbf Z$. Further, $r \geq 0$, $t \geq 0$, $s^2 \leq 4rt$.

Proof. The first part follows exactly as for heights.[31] For the second, $d(\cdot) \geq 0$ by definition, so the quadratic form in $m, n$ is positive semi-definite or definite.

The rest of this section is not needed for the application to finite fields.

By abuse of notation we denote the constant endomorphism by 0 and the identity endomorphism $\phi(\mathbf x) = \mathbf x$ by 1.

Lemma 4. Every endomorphism $\phi$ satisfies a quadratic equation
$$\phi^2 - s\phi + t = 0,$$
where $s, t \in \mathbf Z$.

Proof. By the preceding Lemma,
$$d(m + n\phi) = m^2 + smn + tn^2$$
for some $s, t \in \mathbf Z$ and for all $m, n \in \mathbf Z$. Let $l \in \mathbf Z$. Then
$$d(\phi + l) = d(\phi - s - l) = l^2 + sl + t.$$
Hence by Lemma 2
$$d\big((\phi + l)(\phi - s - l)\big) = (l^2 + sl + t)^2. \qquad (*)$$
But
$$(\phi + l)(\phi - s - l) = \phi^2 - s\phi - l(s + l). \qquad (**)$$
Hence and by Lemma 3, Corollary, with $\phi^2 - s\phi$, 1 for $\phi$, $\psi$, we have
$$d(\phi^2 - s\phi + n) = (-n + t)^2$$
for all $n \in \mathbf Z$. In particular, $d(\phi^2 - s\phi + t) = 0$. But the only endomorphism of degree 0 is the constant endomorphism 0.

[31] cf. §17, Exercise 2.
Note. As was shown by Deuring, the endomorphism ring is isomorphic to one of:
(i) $\mathbf Z$,
(ii) a ring of integers in an imaginary quadratic field,
(iii) a ring of integers in a generalized quaternion skew field.
The last case can occur only in characteristic $p \neq 0$, and the skew field is very special.

§24 Exercises

1. Suppose that the ground field contains an element $i$ with $i^2 = -1$ and that its characteristic is not 2. Let $C$ be $Y^2 = X^3 + AX$ for some $A \neq 0$. Show that $\varepsilon : Y \to iY$, $X \to -X$ is an endomorphism. Construct the endomorphism $1 + \varepsilon$ and check that $(1 + \varepsilon)^2 = 2\varepsilon$ as endomorphisms.

2. Suppose that the characteristic of the ground field is not 2 or 3 and that it contains $\rho$ with $\rho^3 = 1$, $\rho \neq 1$. Let $C$ be $Y^2 = X^3 + B$ for some $B \neq 0$. Show that $\lambda : X \to \rho X$, $Y \to Y$ is an endomorphism. Construct the endomorphism $\lambda - \lambda^2$ and show that $(\lambda - \lambda^2)^2 = -3$ as endomorphisms.

3. Suppose that the characteristic of the ground field is not 2. For $a \neq 0$ determine the $b$ such that the isogenous curves
$$C : Y^2 = X(X^2 + aX + b), \qquad C_1 : Y^2 = X(X^2 - 2aX + a^2 - 4b)$$
are birationally equivalent over the algebraic closure. Show that they are equivalent over the ground field provided that $-2$ is a square in it. Denote the isogeny, considered as an endomorphism of $C$, by $\mu$. Show that $\mu^2 = -2$ as endomorphisms.

4. Let $\phi : C \to C$ be an endomorphism and suppose that
$$\phi^2 - s\phi + t = 0, \qquad s, t \in \mathbf Z.$$
For positive integer $m$ show that $\psi = \phi^m$ satisfies
$$\psi^2 - s_m\psi + t_m = 0,$$
where $s_m, t_m \in \mathbf Z$ are defined as follows. Let $\alpha, \beta \in \bar{\mathbf Q}$ be the roots of $T^2 - sT + t = 0$. Then
$$s_m = \alpha^m + \beta^m, \qquad t_m = \alpha^m\beta^m.$$

5. (i) Let $\phi$ be an endomorphism and define $\phi'$ by $\phi' = \phi$ if $\phi \in \mathbf Z$; otherwise $\phi' = s - \phi$, where $\phi^2 - s\phi + t = 0$. Show that $\phi\phi' = \phi'\phi = d(\phi)$.
(ii) Let $\mathbf x$ be a generic point and let $\mathbf y_j$ be the points of $C$ defined over $\bar k(\mathbf x)$ ($k$ = ground field) such that $\phi(\mathbf y_j) = \mathbf x$ (with appropriate multiplicities if $\phi$ is inseparable). Show that $\phi'(\mathbf x) = \sum \mathbf y_j$ (addition on $C$).
(iii) If $\psi$ is another endomorphism, show that $(\phi\psi)' = \psi'\phi'$ and $(\phi + \psi)' = \phi' + \psi'$.
25 Points over finite fields

We denote by $\mathbf F_q$ the field of $q$ elements and denote its characteristic by $p$, so $q$ is a power of $p$. Our objective is the

Theorem 1. Let $C : Y^2 = X^3 + AX + B$ be an elliptic curve over a finite field $\mathbf F_q$. The number $N$ of points of $C$ defined over $\mathbf F_q$ satisfies
$$|N - (q + 1)| \leq 2q^{1/2}.$$

We shall give the main idea of a proof but will have to be impressionist on one of the ingredients. Because of our canonical form, we shall assume that $p \neq 2, 3$. Note that $N$ includes the point $\mathbf o$ "at infinity". At the end of the section we shall indicate the proof of a couple of other results.

Let $\mathbf x = (x, y)$ be a generic point. We show that $\phi(\mathbf x) = (x^q, y^q)$ is also on the curve. Indeed, since we are in characteristic $p \mid q$,
$$(y^q)^2 = (x^3 + Ax + B)^q = (x^q)^3 + A^qx^q + B^q = (x^q)^3 + Ax^q + B,$$
as $A^q = A$, $B^q = B$. This is the Frobenius endomorphism.

Now let $\mathbf u = (u, v)$ be a point defined over the algebraic closure $\bar{\mathbf F}_p$. Then
$$\phi(\mathbf u) = (u^q, v^q),$$
so $\mathbf u$ is defined over $\mathbf F_q$ precisely when it is a fixed point of $\phi$ or, what is the same thing, when $(\phi - 1)\mathbf u = \mathbf o$, where 1 is the identity endomorphism and $\phi - 1$ is defined in terms of the endomorphism ring.

In the notation of the previous section, clearly $d(\phi) = q$ and so by §24, Lemma 3, Corollary
$$d(\phi - 1) = q - s + 1$$
where $s^2 \leq 4q$, $|s| \leq 2q^{1/2}$.

We have seen that a point defined over $\bar{\mathbf F}_q$ is actually defined over $\mathbf F_q$ precisely when it is in the kernel of $\phi - 1$. But the degree of an endomorphism is equal to the number of algebraic points in the kernel, each counted with its multiplicity. If therefore we can show that the points of the kernel of $\phi - 1$ have multiplicity 1, we are done. It is here that we have to leave a lacuna. One argument, which can be made precise, is to observe that $dx^q/dx = qx^{q-1} = 0$ in characteristic $p$, and so the differential of the map $\phi - 1$ is the same as that of the map $-1$, and hence never 0.

Note. The result is due to Hasse by essentially the same proof. It is often referred to as the "Riemann hypothesis for function fields" (of genus 1) because of an analogy with Riemann's notorious unproved conjecture about the zeros of the usual ("Riemann") zeta function. It was generalized to curves of any genus by Weil and to algebraic varieties by Deligne. The analysis of the action of the Frobenius map $\phi$ is still a central theme of modern arithmetic geometry.

Theorem 2. Let $\mathcal D$ be a curve of genus 1 defined over $\mathbf F_q$. Then it has a point defined over $\mathbf F_q$.

Proof. We developed the theory of the jacobian in characteristic 0, but it holds for general characteristics. Let $C$ be the jacobian of $\mathcal D$ and let $\mathfrak G$ be the group of points on $C$ defined over $\bar{\mathbf F}_q$. It is enough to show that $H^1(\Gamma, \mathfrak G)$ is trivial, where $\Gamma = \mathrm{Gal}(\bar{\mathbf F}_q/\mathbf F_q)$.
The group $\Gamma$ is generated[32] by the Frobenius automorphism $\gamma$ (say): $a \to a^q$. We have to show that any cocycle $\{\mathbf a_\sigma\}$ is trivial. It is enough to show that $\mathbf a_\gamma = \gamma\mathbf b - \mathbf b$ for some $\mathbf b \in \mathfrak G$. Now $\gamma\mathbf b - \mathbf b = (\phi - 1)\mathbf b$ where $\phi$ is the "geometrical" Frobenius, and $\phi - 1$ is not the constant endomorphism. For any $\mathbf c \in \mathfrak G$ we can thus solve $(\phi - 1)\mathbf b = \mathbf c$ for $\mathbf b$, since we are working in the algebraically closed field. In particular, this holds for $\mathbf c = \mathbf a_\gamma$. The cocycle identity gives inductively that
$$\mathbf a_\sigma = \sigma\mathbf b - \mathbf b, \qquad \sigma = \gamma, \gamma^2, \gamma^3, \ldots$$
and we are done.

Note. For a broad generalization, see S. Lang, Algebraic groups over finite fields. Amer. J. Math. 78 (1956), 535-563.

The Theorem is due to F.K. Schmidt and the idea behind his proof is amusing. He used analytic means to estimate the number of points defined over the extension fields $\mathbf F_{q^n}$. In particular, he showed that the number is $> 0$ for all large enough $n$. Let $\mathbf b_1, \ldots, \mathbf b_n$ be $n$ conjugate points defined over $\mathbf F_{q^n}$ and $\mathbf c_1, \ldots, \mathbf c_{n+1}$ be similar conjugates defined over $\mathbf F_{q^{n+1}}$. Then by Riemann-Roch there is a function whose poles are simple poles at the $\mathbf c_j$ and which has simple zeros at the $\mathbf b_j$. It has one further zero; which must be defined over $\mathbf F_q$.

Theorem 3. Let $\lambda : C_1 \to C_2$ be an isogeny of elliptic curves, everything defined over $\mathbf F_q$. Then $N_1 = N_2$, where $N_j$ is the number of points on $C_j$ defined over $\mathbf F_q$.

Note. An isogeny is defined to be a rational map onto such that $\lambda(\mathbf o_1) = \mathbf o_2$. Lemma 1 of the preceding section extends to isogenies, which gives compatibility with the usage earlier in the course.

Proof. Let $\phi_j$ be the Frobenius on $C_j$. Clearly the diagram

[32] "topologically", that is the group generated by $\gamma$ is everywhere dense in the galois topology.
    C_1  --λ-->  C_2
     |φ_1         |φ_2
    C_1  --λ-->  C_2

is commutative, and hence so is

    C_1  --λ-->  C_2
     |φ_1 - 1     |φ_2 - 1
    C_1  --λ-->  C_2

It follows that the degrees $d(\phi_1 - 1)$, $d(\phi_2 - 1)$ are equal. But (proof of Theorem 1), this is just $N_1 = N_2$.

Example. The numbers of solutions of
$$y^2 \equiv x(x^2 + ax + b) \pmod p$$
and
$$y^2 \equiv x(x^2 - 2ax + a^2 - 4b) \pmod p$$
are equal, where $a, b$ are integers and $p$ is any prime with $2b(a^2 - 4b) \not\equiv 0 \pmod p$.

§25. Exercises

1. Let $p$ be prime, $p \equiv 2$ (3). Show that the number of points on the elliptic curve $Y^2 = X^3 + B$ defined over $\mathbf F_p$ is $p + 1$. [Hint. Given $Y$, solve for $X$.]

2. Let $p$ be prime, $p \equiv 3$ (4). Show that the number of points on the elliptic curve $Y^2 = X(X^2 + A)$ defined over $\mathbf F_p$ is $p + 1$. [Hint. Consider $\pm X$ together.]
3. Let $C$ be an elliptic curve defined over $\mathbf F_p$ and let $N(n)$ be the number of points defined over $\mathbf F_q$, where $q = p^n$. Show that there are $\alpha, \beta \in \bar{\mathbf Q}$ such that $\alpha\beta = p$ and
$$N(n) = p^n + 1 - \alpha^n - \beta^n.$$
Hence show that all the $N(n)$ are determined by the value of $N(1)$. Hence determine $N(2)$ for $Y^2 = X^3 + X + 1$, with $p = 3$. [Hint. §24, Exercise 4.]

4. [Preparation for next exercises.] Let $\mathfrak A \supset \mathbf Z$ be a commutative ring without divisors of 0 [an integral domain]. Suppose that every $\lambda \in \mathfrak A$ satisfies an equation $\lambda^2 + a\lambda + b = 0$ ($a, b \in \mathbf Z$, depending on $\lambda$). Show that either $\mathfrak A = \mathbf Z$ or $\mathfrak A = \mathbf Z[\alpha]$ for some single element $\alpha \in \mathfrak A$.

5. Let $p \equiv 1$ (4) be prime and $C : Y^2 = X(X^2 + A)$ an elliptic curve defined over $\mathbf F_p$. Let $\theta \in \mathbf F_p$, $\theta^2 = -1$. Show that $\varepsilon : Y \to \theta Y$, $X \to -X$ is an endomorphism of $C$, and that $\varepsilon^2 + 1 = 0$. Let $\phi$ be the Frobenius. Show that $\phi\varepsilon = \varepsilon\phi$ and deduce that $\phi = u + v\varepsilon$ for some $u, v \in \mathbf Z$ with $u^2 + v^2 = p$. Show, further, that the number $N$ of points on $C$ defined over $\mathbf F_p$ is $N = p + 1 - 2u$. Evaluate for some $A$ and $p$ and check that $u$ (say) $= \tfrac12(p + 1 - N) \in \mathbf Z$ and satisfies $u^2 + v^2 = p$ for some $v \in \mathbf Z$.

6. Let $p \equiv 1$ (3) and let $C : Y^2 = X^3 + B$ be an elliptic curve defined over $\mathbf F_p$. Let $\theta \in \mathbf F_p$, $\theta^3 = 1$, $\theta \neq 1$. Show that $\lambda : Y \to Y$, $X \to \theta X$ is an endomorphism of $C$ and that $\lambda^2 + \lambda + 1 = 0$.
Show that the Frobenius $\phi$ satisfies $\phi\lambda = \lambda\phi$. Now continue as in the previous Exercise.

7. Let $C : Y^2 = X(X^2 + 4CX + 2C^2)$ be an elliptic curve defined over $\mathbf F_p$, where $p$ is prime and $-2$ is a quadratic residue. Show that the number $N$ of points is of the shape $N = p + 1 - 2u$, where $u \in \mathbf Z$ and there is a $v \in \mathbf Z$ such that $u^2 + 2v^2 = p$. [Hint. §24, Exercise 3.]
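The following added example (not from the book) checks the three point-counting statements of this section numerically: the Hasse bound of Theorem 1, the equal counts for the isogenous pair of the Example after Theorem 3, and the recurrence $N(n) = p^n + 1 - \alpha^n - \beta^n$ of Exercise 3 (with $\alpha^n + \beta^n$ computed from $s = p + 1 - N(1)$ and $\alpha\beta = p$, then compared against a brute-force count over $\mathbf F_{p^2}$). The curves and primes used are constructed test values; the curve $y^2 = x(x^2 + x + 1)$ over $\mathbf F_7$ is not one the text discusses.

```python
"""Point counts on Y^2 = f(X) over F_p and F_{p^2}; added example, not the book's code."""
from collections import Counter


def legendre(a, p):
    """Euler's criterion: 0 if p | a, +1 if a is a nonzero square mod p, -1 otherwise."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def poly_eval(coeffs, x, p):
    """coeffs[i] is the coefficient of X^i; evaluate by Horner's rule mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def count_points(coeffs, p):
    """N = number of F_p-points of Y^2 = f(X), including the point o at infinity.

    For each x there are 1 + legendre(f(x), p) values of y: 2, 1 or 0.
    """
    return 1 + sum(1 + legendre(poly_eval(coeffs, x, p), p) for x in range(p))


def hasse_bound_holds(N, p):
    """Theorem 1: s = p + 1 - N is the trace of Frobenius and s^2 <= 4p."""
    s = p + 1 - N
    return s * s <= 4 * p


def isogenous_pair_counts(a, b, p):
    """Counts for y^2 = x(x^2 + ax + b) and y^2 = x(x^2 - 2ax + a^2 - 4b) (the Example).

    The Example requires 2b(a^2 - 4b) != 0 mod p, so that both curves are elliptic.
    """
    assert (2 * b * (a * a - 4 * b)) % p != 0
    return (count_points([0, b, a, 1], p),
            count_points([0, a * a - 4 * b, -2 * a, 1], p))


def count_points_from_trace(N1, p, n):
    """Exercise 3: N(n) = p^n + 1 - (alpha^n + beta^n), alpha + beta = s, alpha*beta = p.

    alpha^n + beta^n obeys s_n = s*s_{n-1} - p*s_{n-2} with s_0 = 2, s_1 = s, so N(1)
    determines every N(n) without ever leaving the integers.
    """
    s1 = p + 1 - N1
    s_prev, s_cur = 2, s1
    for _ in range(n - 1):
        s_prev, s_cur = s_cur, s1 * s_cur - p * s_prev
    return p ** n + 1 - s_cur


def count_points_ext2(coeffs, p):
    """Brute-force count over F_{p^2} = F_p(w), w^2 = d with d a quadratic non-residue.

    Elements are pairs (a, b) meaning a + b*w. Used only to cross-check Exercise 3.
    """
    d = next(t for t in range(2, p) if legendre(t, p) == -1)

    def mul(u, v):
        return ((u[0] * v[0] + d * u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)

    def f(x):  # Horner's rule in F_{p^2}; the coefficients lie in F_p
        acc = (0, 0)
        for c in reversed(coeffs):
            acc = mul(acc, x)
            acc = ((acc[0] + c) % p, acc[1])
        return acc

    elems = [(a, b) for a in range(p) for b in range(p)]
    squares = Counter(mul(y, y) for y in elems)  # value -> number of square roots
    return 1 + sum(squares[f(x)] for x in elems)


if __name__ == "__main__":
    # Constructed check: y^2 = x(x^2 + x + 1) over F_7 (a = b = 1).
    p, a, b = 7, 1, 1
    n1, n2 = isogenous_pair_counts(a, b, p)
    print("N for the isogenous pair over F_7:", n1, n2)          # equal, as the Example says
    print("Hasse bound holds:", hasse_bound_holds(n1, p))
    print("N(2) from N(1):", count_points_from_trace(n1, p, 2),
          "brute force over F_49:", count_points_ext2([0, b, a, 1], p))
```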
26 Factorizing using elliptic curves

The problem of finding a factor of a given large integer has fascinated mathematicians through the ages. Recently the question has assumed practical, and indeed political, significance with the use of the products of large primes in cryptology. It is usually (but not always) easy to prove that a given composite integer $n$ is composite, e.g. if there is an $a > 1$ with $a^{n-1} \not\equiv 1 \bmod n$. But finding an actual nontrivial factor is a completely other matter!

For the logician, of course, the problem of factorizing an integer $n$ is constructive. All one has to do is to test all integers $m \leq n^{1/2}$ for divisibility. When, say, $n$ has 100 decimal digits, this could take longer than the age of the universe. What are needed are practical methods.

Recently H.W. Lenstra Jr. has shown that elliptic curves provide powerful methods for this problem. We will sketch one of his attacks.

Lenstra's method is suggested by Pollard's "$p - 1$ method". Let $n$ be a large integer with an unknown prime factor $p$. Let $a$ be an integer and consider
$$m = \gcd(a^k - 1, n)$$
for some integer $k$. If $(p - 1) \mid k$ then $p \mid m$. Unless we are unlucky, not all the other primes $q \mid n$ will divide $m$; and so $m$ would be a nontrivial factor of $n$. One does not evaluate $a^k$, of course, but works modulo $n$. There is an algorithm which works in $O(\log k)$ steps (cf. Exercises). Evaluating the gcd is cheap, using Euclid's algorithm.

Pollard's method is particularly effective if $n$ is divisible by a prime
$p$ for which all the prime factors of $p - 1$ are comparatively small. The accepted recipe is to take $k$ of the shape[33]
$$k = k(b) = \prod_q q^{e(q)},$$
where $q$ runs through the primes and $q^{e(q)}$ is the largest power of $q$ which is $\leq b$. Here $b$ is chosen suitably, in a way which will be described later. The chances of success with this method of Pollard's appear to be best when the smallest prime factor $p$ of $n$ is substantially smaller than $n^{1/2}$. But even then, we may be out of luck if $p - 1$ has some largish prime factors. One can try to find a value of $a$ whose exponent mod $p$ is substantially smaller than $p - 1$, but that is not very promising.

Lenstra observed that Pollard's method depends on the fact that the residue classes mod $p$ have a group structure, and that elliptic curves provide other groups which can be used for the same purpose.

Let
$$C : Y^2Z = X^3 + AXZ^2 + BZ^3$$
be an elliptic curve and let $(x, y, z)$ with $x, y, z \in \mathbf Z$ be a point on it. Let
$$k(x, y, z) = (x_k, y_k, z_k),$$
where $k > 1$ is an integer and $x_k, y_k, z_k \in \mathbf Z$. Now let $p$ be a prime, and suppose that $C \bmod p$ (in an obvious sense) is an elliptic curve over $\mathbf Z \bmod p$. The mod $p$ points form a group whose order $N = N_p = N_p(A, B)$ satisfies
$$|N - (p + 1)| \leq 2\sqrt p.$$
If $N \mid k$, the point $(x_k, y_k, z_k) \bmod p$ is the "point at infinity", that is
$$p \mid z_k.$$
Given $A, B, x, y, z$, values of $(x_k, y_k, z_k)$ can be computed in $O(\log k)$ steps involving addition, multiplication, subtraction. Since we are using homogeneous co-ordinates, there is no need to divide. The resulting values of $x_k, y_k, z_k$ may have a common factor, but this does not disturb the conclusion that $N_p \mid k$ implies $p \mid z_k$.

Now let $n$ be the large integer to be factorized and let $k = k(b)$ for some suitable $b$, as before. Then we can evaluate $x_k, y_k, z_k \bmod n$ in $O(\log k)$ steps of addition, multiplication, subtraction modulo $n$. The

[33] That is, $k$ is the lcm of the integers $\leq b$.
unknown prime divisor $p$ of $n$ will divide $z_k \bmod n$ provided that $N_p \mid k$; and then $p$ divides $m = \gcd(n, z_k)$. If $z_k \equiv 0 \pmod n$, we are out of luck. Otherwise $m$ will be a nontrivial divisor of $n$: which is what we want. It can, of course, happen that $m = 1$, if $N_p \nmid k$ for all $p \mid n$. If this happens, we select other values of $A, B, x, y, z$ (and, possibly, $k$) and try, try, try again.[34]

The above account leaves a couple of questions unanswered.

(i) How do we choose the initial curve $C$ and the point $(x, y, z)$? Since all the calculations are mod $n$, it is enough to find $A, B, x, y, z \in \mathbf Z$ such that
$$y^2z \equiv x^3 + Axz^2 + Bz^3 \bmod n.$$
An obvious way is to put $z = 1$, choose $A, x, y$ at random and use the equation to determine $B$. Since we naturally suppose that we started off by checking that $n$ has no small divisors, the chance that $C$ is not an elliptic curve for any $p \mid n$ is negligible. In any case, there is no harm in running through the algorithm: at worst we will draw a blank. Alternatively, one can compute $l = \gcd(n, 4A^3 + 27B^2)$. If $l = 1$, we are OK. If $1 < l < n$, we have a non-trivial factor of $n$, which is what we want. If $l = n$, which is highly unlikely, we abort the run and choose fresh $A, B, x, y, z$.

(ii) What is the optimal choice of $b$ in $k = k(b)$? It turns out that this depends on the smallest prime divisor $p$ of $n$: which is, of course, unknown. We argue heuristically. Let $1 < s < t$, where $t$ is an integer. We say that $t$ is $s$-smooth if every prime divisor $q$ of $t$ is less than $s$. It is known that the number of integers $t \leq T$, for given $T$, which are $T^{1/u}$-smooth is very roughly $u^{-u}T$. Put
$$L = L(T) = \exp\big(\sqrt{\log T \log\log T}\big)$$
and let $0 < a < \infty$. On putting $T^{1/u} = L^a$, we deduce that the number of $t \leq T$ which are $L^a$-smooth is roughly $L^{-1/2a}T$. We shall paraphrase

[34] For the distribution of $N_p$ over curves, see B.J. Birch: How the number of points of an elliptic curve over a fixed prime varies. J. London Math. Soc. 43 (1968), 57-60.
this to the statement that the probability $P$ that a random integer $t$ in the neighbourhood of $T$ is $L^a$-smooth is $P = L^{-1/2a}$. We shall choose the best value of $a$ later.

Let $p$ be the unknown smallest prime factor of $n$. Put $L = L(p)$. We have seen that the order $N_p = N_p(A, B)$ of the points mod $p$ on $C$ is approximately $p$. Assuming that $N_p$ behaves reasonably randomly as $A, B$ vary, the probability $P$ that $N_p$ is $L^a$-smooth is $P = L^{-1/2a}$. Take $b = L^a$, $k = k(b)$. Then all the prime factors of $N_p$ divide $k$. The practitioners of the mystery of factorization assume that it is highly probable that indeed $N_p \mid k$, which we suppose. The number of steps in one run of the algorithm is $O(\log k)$, which is very roughly $b = L^a$.

To sum up. The amount of work in a run of the algorithm is about $L^a$. The probability of success in a single run is about $L^{-1/2a}$. Hence the expected work to find a nontrivial factor is about
$$L^{a + 1/2a}.$$
This is minimized at $a = 1/\sqrt2$, which is therefore the optimal choice.

The above estimates depend on the size of the unknown least prime factor $p$ of $n$. The worst case scenario is when $p$ is nearly $n^{1/2}$. However, one expects the Lenstra algorithm to be most effective when the smallest prime factor is much smaller. Thus it works better on "naturally occurring" integers $n$ than on the integers $n$ used in some cryptosystems, which are the product of two nearly equal primes. If nothing is known a priori about the primes in $n$, a good strategy is to start with a comparatively small $b$ and to increase it gradually if necessary.

We have chosen a version of the Lenstra algorithm which is easy to describe, rather than one which minimizes computation time. In practice, further devices and stratagems are brought into play. We do not go into this here, but conclude with a variant in the spirit of the course.

In the variant, one considers the elliptic curve
$$C : CY^2 = X^3 + AX + B$$
for some $C \neq 0$, where we now take the inhomogeneous form.
Recall that if $(x_1, y_1)$ and $(x_2, y_2)$ are points on the curve and
$$(x_3, y_3) = (x_1, y_1) + (x_2, y_2), \qquad (x_4, y_4) = (x_1, y_1) - (x_2, y_2),$$
then $x_3, x_4$ are the roots of a quadratic equation whose coefficients are polynomial in $x_1, x_2, A, B$ (but not $C$). If now $k$ is a positive integer and if, to change the notation, $(x, y)$ is a rational point on $C$ and $(x_k, y_k) = k(x, y)$, then the classical algorithm for computing $g^k$ can be modified to give an algorithm to compute $x_k$ in $O(\log k)$ steps (cf. Exercises). Now write $X = U/V$ and work homogeneously. If $x = u/v$, then $x_k = u_k/v_k$, where $u_k, v_k$ are obtained from $u, v$ by $O(\log k)$ additions, subtractions and multiplications, but no divisions.

Now, as before, let $n$ be the number to be factorized and $p$ an unknown prime divisor. Suppose that $A, B, u, v \in \mathbb{Z}$ and work mod $n$. Then, as before, if $N_p \mid k$ then $p \mid v_k$ and we can expect that $\gcd(v_k, n)$ is a non-trivial divisor of $n$. In this version of the algorithm we may choose $A, B, u, v$ entirely arbitrarily. Put $x = u/v$, $y = 1$. Then, unless we are strikingly unlucky, the point $(x, y)$ lies on $C$ for some $C \in \mathbb{Q}^*$ which need not be evaluated, as it is never needed.

Elliptic curves are used also in primality testing and in other unexpected ways: for example, finding square roots modulo a large prime. See A.K. Lenstra and H.W. Lenstra Jr., Algorithms in number theory. Chapter 12 (pp. 673-715) of: Handbook of theoretical computer science, vol. A (ed. J. van Leeuwen), Elsevier, 1990.

§26. Exercises

1. [Motivation for next question.] Let $G$ be an abelian group and $n$ a positive integer. For $g \in G$ show that the following algorithm computes $g^n$ in $O(\log n)$ operations.
(i) $N = n$, $Y = 1 \in G$, $Z = g$
(ii) IF $N = 0$, GOTO END
(iii) $M = [N/2]$, $E = N - 2M$
(iv) IF $E = 1$ THEN $Y = YZ$
(v) $N = M$, $Z = Z^2$
(vi) GOTO (ii)
END [$Y = g^n$].

2. Let $C:\ Y^2 = X^3 + AX + B$ be an elliptic curve. For positive odd integer $n$ and $\mathbf{a} = (a, b)$ on $C$, check that the following algorithm computes $u$, where $n\mathbf{a} = (u, v)$, in $O(\log n)$ steps. We recall that there is a rational function $d(x)$ such that if $\mathbf{x} = (x, y)$ then $2\mathbf{x} = (d(x), ?)$ for some $?$. Further, there is a quadratic $q(T) = q(T; x_1, x_2)$ whose coefficients are rational in $x_1, x_2$ and whose roots are $x_3, x_4$ if $\mathbf{x}_3 = \mathbf{x}_1 + \mathbf{x}_2$, $\mathbf{x}_4 = \mathbf{x}_1 - \mathbf{x}_2$.
(i) $N = [n/2]$, $X = a$, $Y = a$, $Z = a$
(ii) IF $N = 0$, GOTO END
(iii) $M = [N/2]$, $E = N - 2M$
(iv) $Z = d(Z)$
(v) IF $E = 1$ GOTO (viii)
(vi) [Check that $X$ is a root of $q(T; Y, Z)$.] $Y$ IS THE OTHER ROOT OF $q(T; Y, Z)$
(vii) GOTO (ix)
(viii) [Check that $Y$ is a root of $q(T; X, Z)$.] $X$ IS THE OTHER ROOT OF $q(T; X, Z)$
(ix) $N = M$
(x) GOTO (ii)
END [$X = u$, where $n(a, b) = (u, v)$.]
[Since $n$ is odd, its lowest bit is already accounted for by the initial $X = a$, which is why the loop starts from $N = [n/2]$. After step (iv) of the $j$-th pass, $Z$ is the $x$-coordinate of $2^j\mathbf{a}$, $X$ that of $S\mathbf{a}$, where $S$ consists of the bits of $n$ below $2^j$, and $Y$ that of $(S - 2^j)\mathbf{a}$; initially $S = 1$ and $Y$ is the $x$-coordinate of $-\mathbf{a}$, which is $a$. The bracketed checks then hold because the roots of $q(T; X, Z)$ are the $x$-coordinates of $(S \pm 2^j)\mathbf{a}$ and those of $q(T; Y, Z)$ are the $x$-coordinates of $S\mathbf{a}$ and $(S - 2^{j+1})\mathbf{a}$.]

3. Suppose that $(a, b)$ lies on $C^*:\ EY^2 = X^3 + AX + B$ for some $E \neq 0$. Let $n(a, b) = (u, v)$ on $C^*$. Show that $u$ is given by the algorithm in (2). [i.e. the algorithm is independent of $E$.]
Formulary

Desboves' Formulae.[35] These are for
$$a_1 X_1^3 + a_2 X_2^3 + a_3 X_3^3 + d\, X_1 X_2 X_3 = 0.$$
This is nonsingular if $27 a_1 a_2 a_3 + d^3 \neq 0$. The residual intersection $\mathbf{t}$ of the tangent at $\mathbf{x}$ is
$$t_j = x_j\,(a_{j+1} x_{j+1}^3 - a_{j+2} x_{j+2}^3) \qquad (j \text{ taken mod } 3).$$
The third intersection $\mathbf{z}$ of the line joining $\mathbf{x}, \mathbf{y}$ is
$$z_j = x_j^2\, y_{j+1} y_{j+2} - y_j^2\, x_{j+1} x_{j+2} \qquad (j \bmod 3).$$

[35] A. Desboves. Résolution en nombres entiers et sous sa forme la plus générale, de l'équation cubique, homogène, à trois inconnues. Nouv. Ann. de la Math., Sér. III, vol. 5 (1886), 545-579.

Canonical curve. $Y^2 = X^3 + AX + B$. If $\mathbf{x} = (x, y)$, then $-\mathbf{x} = (x, -y)$.

Addition formula. Let $\mathbf{x}_1 = (x_1, y_1)$, $\mathbf{x}_2 = (x_2, y_2)$, and $\mathbf{x} = \mathbf{x}_1 + \mathbf{x}_2$, $\mathbf{x} = (x, y)$. If $\mathbf{x}_2 = -\mathbf{x}_1$, we have $\mathbf{x} = \mathbf{o}$. If $\mathbf{x}_2 = \mathbf{x}_1$, we apply the duplication formula, given below. Otherwise, we may suppose that $x_1 \neq x_2$. The line joining $\mathbf{x}_1, \mathbf{x}_2$ is $Y = lX + m$, where
$$l = \frac{y_1 - y_2}{x_1 - x_2}, \qquad m = \frac{x_1 y_2 - x_2 y_1}{x_1 - x_2}.$$
This line cuts the curve in $\mathbf{x}_1, \mathbf{x}_2$ and $-(\mathbf{x}_1 + \mathbf{x}_2) = -\mathbf{x} = (x, -y)$. The roots of $X^3 + AX + B - (lX + m)^2$ are $x_1, x_2$ and $x$. Hence $x = l^2 - x_1 - x_2$; and so
$$(x_1 - x_2)^2\, x = x_1^2 x_2 + x_1 x_2^2 - 2 y_1 y_2 + A(x_1 + x_2) + 2B.$$
Further, $y = -lx - m$; and so
$$(x_1 - x_2)^3\, y = W_1 y_2 - W_2 y_1,$$
where
$$W_1 = x_1^3 + 3 x_1^2 x_2 + A(3x_1 + x_2) + 4B, \qquad W_2 = x_2^3 + 3 x_1 x_2^2 + A(x_1 + 3x_2) + 4B \ (\text{symmetric}).$$

Duplication formula. Here we consider $(x_2, y_2) = \mathbf{x}_2 = 2\mathbf{x} = 2(x, y)$. If $y = 0$ we have $\mathbf{x}_2 = \mathbf{o}$. Hence we may suppose $y \neq 0$. We need the tangent $Y = lX + m$ at $\mathbf{x}$. Since formal differentiation on the curve gives
$$2Y \frac{dY}{dX} = 3X^2 + A,$$
we have
$$l = \frac{3x^2 + A}{2y}.$$
Hence (as for the addition formula)
$$x_2 = l^2 - 2x = \frac{(3x^2 + A)^2 - 8xy^2}{4y^2},$$
i.e.
$$x_2 = \frac{x^4 - 2Ax^2 - 8Bx + A^2}{4(x^3 + Ax + B)}.$$
To find $y_2$ we need the value
$$m = \frac{-x^3 + Ax + 2B}{2y},$$
which is determined by $y = lx + m$. Now $y_2 = -lx_2 - m$; which gives
$$(2y)^3\, y_2 = x^6 + 5Ax^4 + 20Bx^3 - 5A^2x^2 - 4ABx - A^3 - 8B^2.$$

Formulae in X only. Let $\mathbf{x}_1 = (x_1, y_1)$, $\mathbf{x}_2 = (x_2, y_2)$ with $x_1 \neq x_2$. Let
$$\mathbf{x}_3 = \mathbf{x}_1 + \mathbf{x}_2 = (x_3, y_3), \qquad \mathbf{x}_4 = \mathbf{x}_1 - \mathbf{x}_2 = (x_4, y_4).$$
Then
$$(x_1 - x_2)^2 (x_3 + x_4) = 2(x_1 x_2 + A)(x_1 + x_2) + 4B,$$
$$(x_1 - x_2)^2\, x_3 x_4 = x_1^2 x_2^2 - 2A x_1 x_2 - 4B(x_1 + x_2) + A^2.$$
This follows from the expression for $x$ in the addition formula. The value of $x_3$ is $x$ as given and that of $x_4$ is obtained from it merely by changing the sign of $y_1 y_2$. Hence the formula for $x_3 + x_4$ is immediate. That for $x_3 x_4$ comes by substituting for $y_1 y_2$ in the product and cancelling $(x_1 - x_2)^2$. [Alternatively, cf. §17, Exercise 3.]
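As an added example (not code from the book), the following Python puts the duplication formula and the formula for $x_3 + x_4$ above into the homogeneous form $X = U/V$ with no divisions, runs an $O(\log k)$ ladder on them (the same idea as Exercise 2 of §26, but scanning the bits of $k$ from the top and keeping the pair $x(m\mathbf{P}), x((m+1)\mathbf{P})$, whose difference is always $x(\mathbf{P})$), and then carries out the variant of the Lenstra algorithm at the end of §26: multiply $x = u/v$ by $k = k(b)$ mod $n$ and take $\gcd(v_k, n)$. Two things are assumptions of this example rather than statements of the page: $k(b)$ is taken to be the product of all prime powers $q^e \le b$, and the gcd is taken after each prime rather than once at the end (equivalent when the run succeeds, but it catches a hit before the point $\mathbf{o}$ is fed back into formulae that assume finite points). The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ with the point $(3, 6)$ of order 5, and the composite $1009 \cdot 1013$, are constructed test inputs.

```python
"""x-only arithmetic on Y^2 = X^3 + AX + B with X = U/V (no divisions), an
O(log k) ladder on it, and the stage of the Lenstra variant that uses it.
Added example; not code from the book. k(b) is taken here to be the product
of all prime powers q^e <= b (an assumption: the page does not spell k(b) out).
Needs Python 3.8+ for pow(v, -1, p)."""
import math


def primes_up_to(b):
    """Primes <= b by a plain sieve."""
    flags = bytearray([1]) * (b + 1)
    out = []
    for q in range(2, b + 1):
        if flags[q]:
            out.append(q)
            for j in range(q * q, b + 1, q):
                flags[j] = 0
    return out


def x_dbl(U, V, A, B, n):
    """x(2P) from x(P) = U/V: the duplication formula
    x2 = (x^4 - 2Ax^2 - 8Bx + A^2) / (4(x^3 + Ax + B)) made homogeneous."""
    U2 = (U**4 - 2*A*U*U*V*V - 8*B*U*V**3 + A*A*V**4) % n
    V2 = (4 * V * (U**3 + A*U*V*V + B*V**3)) % n
    return U2, V2


def x_diffadd(U1, V1, U2, V2, U4, V4, A, B, n):
    """x(P+Q) from x(P) = U1/V1, x(Q) = U2/V2 and x(P-Q) = U4/V4, using
    (x1 - x2)^2 (x3 + x4) = 2(x1 x2 + A)(x1 + x2) + 4B  (Formulae in X only).
    If x1 == x2 (in the ladder below: only when P + Q = o) the result has
    V3 = 0, which is how o is represented."""
    N = (2 * (U1*U2 + A*V1*V2) * (U1*V2 + U2*V1) + 4*B*V1*V1*V2*V2) % n
    D = (U1*V2 - U2*V1) ** 2 % n
    return (N*V4 - U4*D) % n, (D*V4) % n


def x_mul(k, U, V, A, B, n):
    """x(kP) for k >= 1: keep (x(mP), x((m+1)P)), whose difference is always
    x(P), and scan the bits of k from the top. O(log k) steps, no divisions."""
    R0, R1 = (U, V), x_dbl(U, V, A, B, n)
    for bit in bin(k)[3:]:
        if bit == '0':
            R1 = x_diffadd(*R0, *R1, U, V, A, B, n)   # (2m+1)P
            R0 = x_dbl(*R0, A, B, n)                   # 2mP
        else:
            R0 = x_diffadd(*R0, *R1, U, V, A, B, n)   # (2m+1)P
            R1 = x_dbl(*R1, A, B, n)                   # (2m+2)P
    return R0


def x_affine(U, V, p):
    """U/V mod a prime p, or None when V = 0 mod p (the point o)."""
    if V % p == 0:
        return None
    return U * pow(V, -1, p) % p


def stage1_curve(n, b, A, B, U, V):
    """One run on one curve: multiply x = U/V by every prime power q^e <= b
    (altogether, multiplication by k(b)), checking gcd(V, n) after each
    prime so that a hit is seen before o is fed back into the formulas.
    Returns a factor d with 1 < d < n, or None (blank, or gcd = n)."""
    for q in primes_up_to(b):
        qe = q
        while qe <= b:
            U, V = x_mul(q, U, V, A, B, n)
            d = math.gcd(V, n)
            if d != 1:
                return d if d < n else None
            qe *= q
    return None


def ecm_stage1(n, b, curves=60):
    """n odd with no small factors (as the text assumes). Try the curves
    Y^2 = X^3 + AX + 1, A = 1, 2, ..., with the fixed start x = 2/1: as in the
    text, (2, 1) lies on C Y^2 = X^3 + AX + 1 for some C that is never needed.
    Returns (d, A) with d a nontrivial factor, or None."""
    for A in range(1, curves + 1):
        d = stage1_curve(n, b, A, 1, 2, 1)
        if d is not None:
            return d, A
    return None


if __name__ == "__main__":
    # constructed check: y^2 = x^3 + 2x + 3 over F_97, where (3, 6) has order 5
    for k in range(1, 6):
        print(k, x_affine(*x_mul(k, 3, 1, 2, 3, 97), 97))
    print(ecm_stage1(1009 * 1013, 40))
```

For the $\mathbb{F}_{97}$ point, $x(2\mathbf{P}) = x(3\mathbf{P}) = 80$ and $x(4\mathbf{P}) = 3 = x(\mathbf{P})$, while $x(5\mathbf{P})$ comes back with $V \equiv 0$, i.e. $\mathbf{o}$; on $n = 1009 \cdot 1013$ the first curve whose group order mod one of the primes divides $k(40)$ yields that prime from the gcd, and a curve on which both primes are hit at once (gcd $= n$) is simply skipped, as the text prescribes.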
Formulary 133 Multiplication36. Let (Хт,Ут) = m(JX,Y) where m G Z. Then „ _ Хфт ~ Фт-1Фт+1 A M 12 ’ Фт Y — m %Фт’ where Фо = 0, Ф1 = 1, ф2 = 2У, = 3W4 + 6AA2 + 12-BX - A2, ф4 = 4У(Х6 + 5АХ4 + 20ВХ3 - 5А2Х2 - 4АВХ - 8В2 - А3), ф2п+1 = Ф^фп+2 - Ф^+1Фп-1, УФ2п = Фп{Фп-1Фп+2 - ф2п+1фп-2}- This is an exercise on the fact that a function is defined up to multi- plicative constant by its zero and poles. We determine the constants by looking at the behaviour at о using the local uniformiser t = X/Y. фт is defined by (i) it has a simple zero at all a о with ma = 0. (a defined over Q). (ii) it behaves like mt~m +1 at o. More precisely (I) if m is odd, there are |(m2 — 1) pairs (ay ±bj) of m-division pairs and Фт = m JJ(W “ aj)- (II) If m is even, the three 2-division points are m-division points, and there are |(m2 —4) pairs (а,,±Ьу), bj 0. Then фт = mY ]J(X - aj). Now for all m, even or odd, we have Xm~rn“2t-2, Ут~т~3Г3 36 cf. II. Weber, Algebra Ш, §58; but we have adjusted the sign of ‘фгп so that the leading term is always positive.
134 Lectures on Elliptic Curves at o, and Ф2тхт has no poles except at o. Further, Xm — X vanishes at a only if (m + l)a = о or (m — l)a = o. Hence X — Xm — — х 1фт, (*) where the constant is right since both sides behave like (m2 — l)/m2t2 at o. This gives the formula for Xm. That for Ym follows immediately from the specification of the poles and zeros. It remains to give the recurrence relation. For integers I, m we have Xj = Xm precisely when either (I + m)(X, У) = о or (I — ттг)(Х, У) = o. Hence Xl - Xm = фт+1фт-1/ф2ф2т‘ the constant being determined by the behaviour at o. But X, - Xm = (X - Xm) - (X - X() Hence by (*) ф2фт+хФт-1 ~ ф2тф1+1ф{-1 — Фт-$-1фт — 1- Put I = 7i, m = n + 1, so фт-1 = 1 and Фгп+l = ФпФп+2 ~ Фп+1Фп-1 Put I = n — 1, m = n + 1 so ф,п-1 = фз = Y. Then i Ф?п = Фп{Фп — хФп+2 ~ Фп+1 Фп —1 }
Further Reading

Cassels, J.W.S. Diophantine equations with special reference to elliptic curves, J. London Math. Soc. 41 (1966), 193-291.
Husemoller, D. Elliptic curves, Springer, 1987.
Koblitz, N. Introduction to elliptic curves and modular forms, Springer, 1984.
Lang, S. Fundamentals of diophantine geometry, Springer, 1983. [The first edition is less complete but more coherent: Diophantine geometry, Interscience, 1962.]
Serre, J.-P. Lectures on the Mordell-Weil theorem, Vieweg, 1989. [Notes of a course given in 1980-81.]
Silverman, J.H. The arithmetic of elliptic curves, Springer, 1986.
Tate, J. The arithmetic of elliptic curves, Invent. Math. 23 (1974), 179-206.
INDEX

birationally equivalent 4
Birch 71, 110, 126(fn)
Blichfeldt 19
Bremner 55(fn)
canonical form 32 et seq
canonical height 83
Chatelet 108
chord and tangent processes 24
coboundary 90
cobounding 90
cocycle 90, 98
cocycle identity 90, 98
cocycle (continuous) 101
cohomology (Galois) 89 et seq
cohomology group 98 et seq
complete, completion 8
continuous (action), (cocycle) 101
convex (pointset) 18
cubic curves 23 et seq
defined over 3
degenerate (laws) 39 et seq
Deligne 121
Desboves 25(fn), 26, 130
Deuring 116
Diophantine geometry 1
Diophantos 1, 24
discriminant 77
elliptic curve 32
endomorphism 112 et seq
everywhere locally 14
exceptional (point) 24
Fermat 1, 55, 63
filtration (p-adic) 48
finite basis theorem 54 et seq
finite basis theorem (weak) 55
forgetful functor 75
form 13
Frobenius endomorphism 118
Fueter 52(fn)
function field 58
fundamental sequence 7
Galois cohomology 89 et seq, 101 et seq
general position 29
generic point 58
genus 30
genus 0 4 et seq
genus 1 30, 32
globally 14
group law 27 et seq
H^1 99
Hasse 119
Hasse principle: see local-global principle
height 55, 78 et seq
height (canonical) 83
height (logarithmic) 82
Hensel 43
'Hilbert 90' 95, 97
homogeneous spaces: see principal homogeneous space
Hypatia 1
integer (p-adic) 9
invertible 67
irreducible (curve); see also reducible 24
isogeny 58
jacobian (of curve of genus 1) 92 et seq, 95, 107
j-invariant 93
kernel of reduction 47
Kolyvagin 111
Lang 120
Lenstra 124, 128
level (of point in p-adic case) 47
lift 43
Lind 85
locally 14
local-global principle 2, 13 et seq, 85 et seq
localization 14, 103
logarithmic height 82
Mazur 51
Minkowski 19
Mordell 19
Mordell Theorem, Mordell-Weil Theorem: see finite basis theorem
multiplicity 23, 44
Nagell 34(fn), 52(fn)
neutral element (of group) 27
Newton 24, 43
nonsense 98 et seq
non-archimedean 7
non-singular 24
norm (map) 66
patch 67
pole 30
Pollard 124
principal homogeneous spaces 104 et seq
p-adic filtration 48
p-adic integers 9
p-adic numbers 6
p-adic units 9
p-adic valuation 7
rational curve (= curve of genus 0) 3
rational (point etc.) 3
reducible (curve): see also irreducible 43(fn)
reduction mod p 42 et seq
Reichardt 85
resultant 75 et seq
"Riemann hypothesis for function fields" 2, 119
Riemann-Roch theorem 30
Rubin 111
Schmidt 120
Selmer 87, 110
Shafarevich 85
singular (point) 23
Swinnerton-Dyer 71, 110
symmetric (pointset) 18
Tamagawa number 110
Tate 85, 109(fn)
Tate-Shafarevich group 85, 109 et seq
torsion 102
triangle inequality 7
ultrametric inequality 7
unit (p-adic) 9
valuation 6
valuation (p-adic) 7
van der Corput 19
weak finite basis theorem 55, 66 et seq
Weil 1, 54, 108, 119
Weil-Chatelet group 108
17 Heights. Finite Basis Theorem.

We are now in a position to introduce the notion of height, and so to complete the proof of the Finite Basis Theorem. Let $\mathbf{u} = (u_0, \dots, u_n)$ be a point of projective $n$-dimensional space over $\mathbb{Q}$. As the co-ordinates are homogeneous, we may suppose without loss of generality that
$$u_j \in \mathbb{Z}, \qquad \gcd(u_0, \dots, u_n) = 1. \qquad (1)$$
The height $H(\mathbf{u})$ of $\mathbf{u}$ is defined to be
$$H(\mathbf{u}) = \max_j |u_j|$$
with the above normalization. In this section $|\ | = |\ |_\infty$ is the ordinary absolute value. We shall mainly but not exclusively be concerned with the projective line. We identify $x \in \mathbb{Q}$ with the point $(x, 1)$ on the line, and so write
$$H(x) = \max\{|u_0|, |u_1|\} \qquad \text{if } x = u_0/u_1 \text{ with } u_0, u_1 \in \mathbb{Z} \text{ as a fraction in its lowest terms.}$$

Lemma 1. (i) Let $D(U_0, U_1), E(U_0, U_1) \in \mathbb{Q}[U_0, U_1]$ be forms of the same degree $n$. Let $\mathbf{u} = (u_0, u_1)$ be a point on the rational projective line, and suppose that $D(\mathbf{u}), E(\mathbf{u})$ do not both vanish. Then
$$H(D(\mathbf{u}), E(\mathbf{u})) \le c\, H(\mathbf{u})^n,$$
where $c$ is independent of $\mathbf{u}$.
(ii) Suppose, further, that the resultant of $D, E$ is not 0. Then there is a $\gamma > 0$, independent of $\mathbf{u}$, such that
$$H(D(\mathbf{u}), E(\mathbf{u})) \ge \gamma\, H(\mathbf{u})^n.$$

Note. The additional hypothesis in (ii) is equivalent to supposing that $D, E$ do not have a common zero over the algebraic closure $\bar{\mathbb{Q}}$.

Proof. By homogeneity, we may suppose that $D, E \in \mathbb{Z}[U_0, U_1]$ and that $\mathbf{u} = (u_0, u_1)$ is normalized by (1). Clearly
$$|D(\mathbf{u})|,\ |E(\mathbf{u})| \le c\,\{\max(|u_0|, |u_1|)\}^n$$
for some $c$. In general $D(\mathbf{u}), E(\mathbf{u})$ will have a common factor, but in any case this implies the conclusion of (i).

Now suppose that the hypotheses of (ii) hold and let $R$ be the resultant. Then there are homogeneous forms $L_j(U_0, U_1), M_j(U_0, U_1) \in \mathbb{Z}[U_0, U_1]$ $(j = 0, 1)$, of degree $n - 1$, such that
$$L_j D + M_j E = R\, U_j^{2n-1} \qquad (j = 0, 1). \qquad (*)$$
On substituting $\mathbf{u}$ for $\mathbf{U}$ we deduce that $\gcd\{D(\mathbf{u}), E(\mathbf{u})\} \mid R$. Further, as in the proof of (i), there is a $c'$ such that
$$|L_j(\mathbf{u})|,\ |M_j(\mathbf{u})| \le c'\,\{\max(|u_0|, |u_1|)\}^{n-1} \qquad (j = 0, 1).$$
On substituting in $(*)$ (with $\mathbf{u}$ for $\mathbf{U}$), we obtain the conclusion of (ii) with $\gamma = |R|/2c'$.

Now let $\mathbf{u}, \mathbf{v}$ be two points on the projective line and let
$$\mathbf{w} = (u_0 v_0,\ u_0 v_1 + u_1 v_0,\ u_1 v_1) = (w_0, w_1, w_2) \quad \text{(say)}.$$

Lemma 2.
$$\frac12 \le \frac{H(\mathbf{w})}{H(\mathbf{u})\,H(\mathbf{v})} \le 2.$$

Proof. Let $\mathbf{u}, \mathbf{v}$ be normalized by (1). Then the right hand inequality is immediate. It is readily verified that $w_0, w_1, w_2$ have no common factor, so it will be enough to show that
$$\max(|w_0|, |w_1|, |w_2|) \ge \tfrac12\,\{\max(|u_0|, |u_1|)\}\{\max(|v_0|, |v_1|)\};$$