6 Elliptic curves

6 Elliptic curves

Elliptic curves are not ellipses. The name comes from the elliptic functions arising from the integrals used to calculate the arc length of ellipses. Elliptic curves can be parametrised by elliptic functions in a similar way as circles can be parametrised by sine and cosine.

Elliptic curves have the very special property that their points also have a natural commutative group structure. Elliptic curves have been studied intensively in number theory, they played a crucial part in Wiles’s proof of Fermat’s Last Theorem. Elliptic curves over finite fields have a great practical importance, too, their groups of points can be used for a public key cryptography algorithm similar to RSA, but as the group structure is more complicated, smaller primes can be used to achieve the same level of security.

Definition. An elliptic curve is non-singular projective algebraic variety E ⊂ P² defined by an irreducible homogeneous polynomial of degree 3 together with a distinguished point O ∈ E.

Definition. (Chord and tangent process) Let E be a non-singular curve of degree 3 in P² and fix O ∈ E. For A, B ∈ E define A + B ∈ E as follows:

let Q be the third intersection point of the line AB with E, and then A + B is the third intersection point of the line OQ with E.

O

B

A

Q Q=A+B

If A = B or O = Q, then the line AB or the line OQ is taken to be the tangent line at A or O, resp. If any line in this construction is tangent to E, the third intersection point is defined using intersection multiplicities.

The picture below shows the calculation of 2A. We take the tangent line at A, let Q be the third intersection point of this tangent line with E, and then 2A is the third intersection point of the line OQ with E.

O

A Q=2A Q

To calculate the negative of a point in this group structure, first take the tangent line at O and let M be its 3rd point of intersection with E. To find

−A, just take the line through A and M , its 3rd point of intersection with E is −A.

O

A

-A

M

Worked examples of calculations on elliptic curves can be found in the hand-

out https://personalpages.manchester.ac.uk/staff/gabor.megyesi/teaching/

MATH32062/Ellipticexample.pdf. Although elliptic curves are projective, calculations are usually carried out in affine coordinates.

If the affine equation has the special form y² = x³ + ax² + bx + c, the so-called Weierstraß form, then its projective closure has equation Y²Z = X³+ aX²Z + bxZ²+ Z³. The only point of intersection with the line Z = 0 is (0 : 1 : 0), often called simply the point at ∞. By convention, if the equation is in this form, O is taken to be (0 : 1 : 0) even if it is not mentioned explicitly.

If a, b, c ∈ R, then x³ + ax² + bx + c = 0 can have 1 or 3 real roots, in the first case the elliptic curve y² = x³ + ax²+ bx + c has one real component like the curve below on the left, in the second case the elliptic curve has two real components like the curve below on the right.

-2 -1 1 2 3 4 x

-4 -2 2 4 y

-2 -1 1 2 3 x

-4 -2 2 4 y

The lines passing through (0 : 1 : 0) are the lines parallel to the y-axis in affine terms. If the point Q in the addition process has co-ordinates (u, v), the line through O and Q is the line x = u, and since as the curve is symmetric about the x-axis, its 3rd intersection point with E is (u, −v) = A + B. The line Z = 0 and E have intersection multiplicity 3 at (0 : 1 : 0), therefore the point M in the construction of −A is also O, so if A = (s, t), then −A = (s, −t).

The calculations are much simpler if the equation is in Weierstraß form, one of our goals will be to transform elliptic curves into this form.

The diagrams below illustrate the addition of two points, doubling a point and taking the negative of a point on an elliptic curve in Weierstraß form.

B A Q

Q=A+B

-2 -1 1 2 3 4

x

-4 -2 2 4 y

A

Q Q=2A

-2 -1 1 2 3 4

x

-4 -2 2 4 y

A

-A

-2 -1 1 2 3 4

x

-4 -2 2 4 y

Theorem 6.1 The addition defined above makes the points of E into an abelian group with O as the identity element.

Proof. Let’s assume that K is algebraically closed, otherwise we can replace it by its algebraic closure.

It is obvious A + B = B + A for every A, B ∈ E, so the addition operation is commutative. It also follows directly from the addition procedure that O + A = A for every A ∈ E.

The first step in the calculation of A + (−A) is to draw the line through them and to find the third intersection point of this line with E. By the construction of −A, this third intersection point is M (see the diagram on p. 76). The second step is to take the line OM and find its third intersection point with E. The line OM is tangent to E at O, this is how M was defined, therefore the “third” intersection point is O, thus A + (−A) = O.

Let A, B, C ∈ E. The diagram below shows the calculation of (A + B) + C and A + (B + C), except for the last step. S is the 3rd intersection point of the line C ¯Q with E, so (A + B) + C is the 3rd intersection point of the line OS with E. S⁰ is the 3rd intersection point of the line A ¯R with E, so A + (B + C) is the 3rd intersection point of the line OS⁰ with E. Therefore in order to prove the equality (A + B) + C = A + (B + C) it is sufficient to show that S = S⁰. Let’s assume that O, A, B, C, Q, ¯Q, R, ¯R are all distinct and they are not equal to S or S⁰.

O

A B C

Q Q=A+B

R

R=B+C

S=S'

Let L₁ = 0 be the equation of the line ABQ, let L₂ = 0 be the equation of the line OR ¯R and let L₃ = 0 be the equation of the line C ¯QS. Let F = V(hL₁L₂L₃i), it is the union of the green lines in the diagram.

Let M₁ = 0 be the equation of the line BCR, let M₂ = 0 be the equation of the line OQ ¯Q and let M₃ = 0 be the equation of the line A ¯RS⁰. Let G = V(hM1M2M3i), it is the union of the red lines in the diagram. Both F and G are cubic curves.

E ∩ F ⊇ {O, A, B, C, Q, ¯Q, R, ¯R, S}. As E is irreducible, it has no common component with F , therefore the intersection must consist of exactly these 9 points by B´ezout’s Theorem (Theorem 5.1). Then by Theorem 5.3, any cubic curve that passes through O, A, B, C, Q, ¯Q, R, ¯R also passes through S.

Similarly, E ∩ G = {O, A, B, C, Q, ¯Q, R, ¯R, S⁰}. Since G contains O, A, B, C, Q, ¯Q, R, and ¯R, as we noted above it must also contain S. Since S is different from the other 8 points, this implies S = S⁰ as required.

Now let’s consider the assumption that O, A, B, C, Q, ¯Q, R, ¯R are all distinct and they are not equal to S or S⁰. This implies A 6= O, then given A, the points O, A, B, Q and ¯Q will be all distinct for all but finitely many choices of B. Similarly, for given A and B, the points O, A, B, C, Q, ¯Q, R, ¯R will be all distinct and not equal to S or S⁰ for all but finitely many choices of C. Therefore (A + B) + C = A + (B + C) holds for (A, B, C) in a non-empty subset of E × E × E. Over R or C we can use continuity to prove (A + B) + C = A + (B + C) for all A, B and C. Over

any field, we can make E × E × E into a variety (this is not as simple as in the affine case because P^m× Pⁿ 6∼= P^m+n, E × E × E will be a projective variety in P²⁶), and then we have two morphisms Φ₁, Φ₂ : E × E × E → E, Φ₁(A, B, C) = (A + B) + C, Φ₂(A, B, C) = A + (B + C), which agree outside a proper subvariety of E × E × E → E. As E × E × E → E is irreducible, this implies Φ₁(A, B, C) = Φ₂(A, B, C) for all A, B, C.

We noted earlier that if the equation of the elliptic curve is of the form Y²Z = X³ + aX²Z + bxZ² + Z³, then the line Z = 0 only intersects the curve at (0 : 1 : 0), so by B´ezout’s Theorem, the intersection multiplicity at that point must be 3. This implies that the tangent line to the elliptic curve at (0 : 1 : 0) is the line Z = 0 and furthermore, that (0 : 1 : 0) is a special point, since in general a curve and the tangent line to it at a point only have intersection multiplicity 2.

Definition A non-singular point P of a plane curve C (affine or projective) is called an inflection point if and only if the tangent line to C at P has intersection multiplicity at least 3 with C at P .

Warning: Inflection points are preserved under affine equivalence (also under projective equivalence, which will be defined in the next chapter), but not necessarily under more general isomorphisms of varieties.

Proposition 6.2 Let E be a non-singular curve of degree 3 in P²and assume that O ∈ E is an inflection point.

(i) A point P 6= O has order 2 in the group structure on E if and only if the tangent line at P passes through O.

(ii) A point P 6= O has order 3 in the group structure on E if and only if it is an inflection point.

Proof. (i) 2P = O is equivalent to P = −P . As O is an inflection point,

−P is simply the 3rd intersection point of the line OP with E as shown on the diagram below on the left. It is equal to P if and only if the line OP is tangent to E at P .

(ii) 3P = O is equivalent to P = −2P . Let Q be the 3rd intersection point of E with the tangent line to E at P . Then 2P = ¯Q is the 3rd intersection point of the line OQ with E as shown on the diagram above on the right. By the method of calculating the negative of a point, Q = − ¯Q = −2P . P = −2P if and only if P = Q, i. e., if and only if P is an inflection point.

O

P

-P

O

P

Q=-2P Q=2P

In particular, (i) implies that if the equation of the curve is in the form y² = x³+ ax²+ bx + c, the points of order 2 are the points where the tangent line is parallel to the y-axis, which are the points whose y co-ordinate 0 and whose x co-ordinate is one of the roots of x³+ ax²+ bx + c.

Example: Find the points of order 2 on the elliptic curve with affine equation y² = x³− 2x − 4 over C.

The points of order 2 are the points of the form (α, 0), where α is a root x³− 2x − 4. x³− 2x − 4 = (x − 2)(x²+ 2x + 2), so the roots are 2 and −1 ± i, hence the points of order 2 are (2, 0), (−1 + i, 0) and (−1 − i, 0).

It follows from part (ii) of the above proposition that the 3rd point of inter- section of a line through two inflection points of an elliptic curve is also an inflection point.

Definition. Let f (x, y) ∈ K[x, y]. The Hessian of f , named after the German mathematician Ludwig Otto Hesse, is the determinant

f_xx f_xy f_x f_xy f_yy f_y f_x f_y 0       ,

where f_x denotes the partial derivative of f with respect to x, etc.

Let F (X, Y, Z) ∈ K[X, Y, Z] be a homogeneous polynomial. The Hessian of F is the determinant

FXX FXY FXZ

F_XY F_{Y Y} F_{Y Z} F_XZ F_{Y Z} F_ZZ       .

Proposition 6.3 Let C be a curve in A² or in P², defined by an irreducible polynomial f (x, y) ∈ K[x, y] or by an irreducible homogeneous polynomial

F (X, Y, Z) ∈ K[X, Y, Z]. Let H be the Hessian of f or F and let D be the curve H = 0. In the affine case the inflection points of C are the elements of C ∩ D which are non-singular points of C, in the projective case the same holds under the additional assumption that if the field K has finite characteristic, the characteristic does not divide deg F − 1.

Proof. In the affine case the slope of the tangent line to the curve f (x, y) = 0 is −f_x/f_y by implicit differentiation. Inflection points are critical points of

−f_x/f_y on C, which occur where the gradients of −f_x/f_y and f are parallel, including the possibility that the former is (0, 0).

∇(−fx/fy) = f_xxf_y− f_xyf_x

f_x² ,f_xyf_y − f_yyf_x f_x²

 , so the condition for parallelarity with ∇f = (f_x, f_y) is

f_x(f_xyf_y − f_yyf_x) − f_y(f_xxf_y − f_xyf_x) = 0.

The expression on the left-hand side is exactly the Hessian of f . A point of C is singular if and only if f_x = f_y = 0 at that point, if this holds, then H = 0 at that point automatically, but if fx, fy are not both 0, i. e., the point is non-singular, then the above equation implies that ∇(−f_x/f_y) is a scalar multiple of ∇f , so the slope of the tangent line has a critical point there and the point is an inflection point.

In the projective case let f ∈ K[x, y], f (x, y) = F (x, y, 1) be the deho- mogenisation of F with respect to Z, then F (X, Y, Z) = Z^df (X/Z, Y /Z), where d = deg F . By using the chain rule and the product rule, we can express the partial derivatives of F in terms of those of f and after some calculation it turns out that

F_XX F_XY F_XZ F_XY F_{Y Y} F_{Y Z} FXZ FY Z FZZ

= (d−1)²Z^3(d−2)      

f_xx f_xy f_x f_xy f_yy f_y fx fy 0      

+ d

d − 1(f_xxf_yy−(f_xy)²)f

! .

Therefore the intersection points of C and D which do not lie on the line Z = 0 correspond to the intersection points of the affine curve f = 0 and the curve defined by the Hessian of f , so if they are non-singular points of C, they are inflection points. The definition of the Hessian for homogeneous polynomials is symmetric in X, Y and Z, therefore we can also use this argument with X and Y to deduce that all elements of C ∩ D are inflection points of C if they are non-singular points of C.

The diagram below shows a cubic curve (blue, thicker), its Hessian (red, thinner), the inflection points, and the tangent lines to the original cubic curve at the inflection points.

There are some special phenomena for cubic curves, which do not happen for curves of higher degree. The tangent lines are also tangent to the Hessian curve, and it is also true that the inflection points of the Hessian curve are the same as those of the original curve, although this cannot be seen in this diagram.

As the projective Hessian has degree 3(d − 2), the number of inflection points is at most 3d(d − 2) and for general curves over an algebraically closed field this number is achieved. If d = 3, the number of inflection points is 9 (if the characteristic of the field is not 3). If the coefficients of the elliptic curve E are real, then at least one inflection point has to be real, since non-real complex solutions come in conjugate pairs. In fact, an elliptic curve over R always has 3 real inflection points.

Example: Find the real inflection points of the curve y² = x³+ 4x²+ 3x − 1.

Let f (x, y) = x³+ 4x²+ 3x − 1 − y². Its Hessian is

H =      

6x + 8 0 3x²+ 8x + 3

0 −2 −2y

3x² + 8x + 3 −2y 0      

= 2(3x²+ 8x + 3)² − 4y²(6x + 8).

To find the solutions f = H = 0, we consider

H − 4(6x + 8)f = 2(3x² + 8x + 3)²− 4(6x + 8)(x³+ 4x²+ 3x − 1)

= −6x⁴− 32x³− 36x²+ 24x + 50,

which only involves x. x = 1 is a root, the corresponding values of y are y = ±√

7. These are the real inflection points, together with the point at infinity, (0 : 1 : 0). −6x⁴− 32x³− 36x²+ 24x + 50 = 0 has another real root x ≈ −3.473, but the corresponding values of y are imaginary.

The diagram below show this elliptic curve, its Hessian curve, the two inflec- tion points and the tangent lines there.

-3 -2 -1 1 2

x

-4 -2 2 4 y

Since if O is an inflection point, then the inflection points are exactly the points P satisfying 3P = 0, so over an algebraically closed field of character- istic other than 3, there are 9 such points. From Proposition 6.2 (i) and the remarks after the proof it follows that if the equation of the elliptic curve is in Weierstraß form and the field K is algebraically closed, then then there are 4 points satisfying 2P = O, O itself and the 3 points of order 2.

These are special cases of a more general phenomenon. The number of points P on an elliptic curve such that nP = O is n² if the field K is algebraically closed and its characteristic does not divide n, in particular this holds over C. If the characteristic of K is a prime p, then the number of points such that p^kP = 0 may be p^k or just 1, in the latter case the curve is called supersingular (not related to the definition of singular points, the elliptic curve is always a non-singular variety).

Examples:

1. Let K be an algebraically closed field of characteristic 2. The elliptic curve defined by the affine equation y²+ y = x³+ ax²+ bx + c and O = (0 : 1 : 0) is supersingular for any a, b, c ∈ K. It has no point of order 2, because any line passing through O has affine equation x = α for some α ∈ K.

y²+ y = α³+ aα²+ bα + c has two distinct solutions for any α ∈ K, they are of the form β, β + 1 for some β ∈ K, so the line x = α is never tangent to the curve y²+ y = y²+ y = x³+ ax²+ bx + c.

2. Let K be an algebraically closed field of characteristic 3. The elliptic

curve defined by the affine equation y² = x³ + bx + c and O = (0 : 1 : 0) is supersingular for any b ∈ K \ {0}, c ∈ K. In this case the Hessian turns out to be 2b², a non-0 constant, so there are no inflection points other than O = (0 : 1 : 0) and there are no points of order 3.

Theorem 6.4 If K is algebraically closed and its characteristic is not 2 or 3, any non-singular cubic curve in P² can be transformed to one with an equation of the form Y²Z = X³ + pXZ²+ qZ³ (y² = x³ + px + q in affine form) by a linear change of co-ordinates.

Proof. Step 1. Choose an inflection point of E and then change co-ordinates so that the inflection point has homogeneous co-ordinates (0 : 1 : 0) and the tangent line at the inflection point is Z = 0. (This determines the new Z co- ordinate up to scalar factor, X can be any degree 1 homogeneous polynomial which is 0 at the inflection point and which is not a scalar multiple of Z and Y can be any degree 1 homogeneous polynomial which is not 0 at the inflection point, so there is a lot of choice here.)

This step eliminates the Y³, XY² and X²Y terms from the equation. After this step the equation can be converted to affine form and the remaining steps can be carried out in affine form, if preferred.

Step 2. Write the equation with the terms containing Y on one side and the other terms, only containing X and Z on the other side. Let α and β be the coefficients of Y²Z and X³, resp. Multiply the whole equation by β²/α³ and then use βX/α and βY /α as new variables, this will make the coefficients of Y²Z and X³ equal to 1. (In the affine form the equation will look like y²+ a₁xy + a₃y = x³+ a₂x²+ a₄x + a₆, this is often called a Weierstraß form, too.)

Step 3. Complete the square with respect to Y to eliminate XY Z and Y Z² terms (xy and y in the affine form). (This is where we need that the characteristic is not 2.)

Step 4. Complete the cube with respect to X to eliminate the X²Z term (x² in the affine form). (This is where we need that the characteristic is not 3.)

A worked example of this procedure form can be found at https://personalpages.

manchester.ac.uk/staff/gabor.megyesi/teaching/MATH32062/Ellipticequation.

pdf.

As we noted previously, a cubic curve defined by an equation with real coef- ficients always has real inflection points, so the 1st step can be carried out over R and we obtain an equation with p, q real. However, if the coefficients

are rational, there is no guarantee that there exists an inflection point with rational coefficients, so p, q may not be rational.

Remark. p and q are not unique, we can multiply the equation y² = x³+px+q by α⁶ for some α ∈ K \ {0} and then we can rewrite it as (α³y)² = (α²x)³+ (α⁴p)(α²x) + α⁶q, so the parameters α⁴p and α⁶q determine an isomorphic curve.

Definition. The j-invariant of the curve y² = x³+px+q is j = 1728 4p³ 4p³+ 27q². The rest of this chapter is not examinable.

Another common form of the equation of the elliptic curve is the Legendre form y² = x(x − 1)(x − λ), where λ 6= 0, 1. j can be expressed in terms of λ as

j = 256(λ²− λ + 1)³

λ²(λ − 1)² . (*)

λ is not uniquely defined, depending on which two roots of the cubic are chosen to be mapped to 0 and 1, it can take 6 values, λ, 1 − λ, 1/λ, 1/(1 − λ), λ/(λ − 1) and (λ − 1)/λ, but they all give the same value of j.

It is not clear from either of these definitions that j is really an invariant of the curve E, since there are choices in various steps of the process of transforming the equation to the Weierstraß or Legendre form, but it is true.

It requires some more sophisticated tools to show that any isomorphism of two cubic curves in P² is obtained by a linear change of co-ordinates.

Theorem 6.5 j is indeed an invariant of the elliptic curve, i. e., all possible Weierstraß and Legendre forms of the same curve give the same value for j.

If the field K is algebraically closed, two elliptic curves over K are isomorphic if and only if they have the same j-invariant.

Non-singular cubic curves with different j invariant are not just not isomor- phic, but they are not birationally equivalent either. Non-singular cubic curves are not rational, i. e., they are not birationally equivalent to P¹. The study of points with rational co-ordinates is a very active area of number theoretical research. Mordell’s Theorem states that the group of rational points is isomorphic to T × Z^r, where T is a finite group and r ≥ 0 is a non-negative integer, called the rank of the elliptic curve. Mazur’s Theorem states that the group T has at most 16 elements. It is not known whether r can be arbitrarily large, but there exists an example with r ≥ 28.