Elliptic curve

Template:Short description Template:Distinguish Template:Redirect

Template:Group theory sidebar

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point Template:Mvar. An elliptic curve is defined over a field Template:Mvar and describes points in Template:Math, the Cartesian product of Template:Mvar with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions Template:Math for:

<math>y^2 = x^3 + ax + b</math>

for some coefficients Template:Mvar and Template:Mvar in Template:Mvar. The curve is required to be non-singular, which means that the curve has no cusps or self-intersections. (This is equivalent to the condition Template:Math, that is, being square-free in Template:Mvar.) It is always understood that the curve is really sitting in the projective plane, with the point Template:Mvar being the unique point at infinity. Many sources define an elliptic curve to be simply a curve given by an equation of this form. (When the coefficient field has characteristic 2 or 3, the above equation is not quite general enough to include all non-singular cubic curves; see Template:Section link below.)

An elliptic curve is an abelian variety – that is, it has a group law defined algebraically, with respect to which it is an abelian group – and Template:Mvar serves as the identity element.

If Template:Math, where Template:Mvar is any polynomial of degree three in Template:Mvar with no repeated roots, the solution set is a nonsingular plane curve of genus one, an elliptic curve. If Template:Mvar has degree four and is square-free this equation again describes a plane curve of genus one; however, it has no natural choice of identity element. More generally, any algebraic curve of genus one, for example the intersection of two quadric surfaces embedded in three-dimensional projective space, is called an elliptic curve, provided that it is equipped with a marked point to act as the identity.

Using the theory of elliptic functions, it can be shown that elliptic curves defined over the complex numbers correspond to embeddings of the torus into the complex projective plane. The torus is also an abelian group, and this correspondence is also a group isomorphism.

Elliptic curves are especially important in number theory, and constitute a major area of current research; for example, they were used in Andrew Wiles's proof of Fermat's Last Theorem. They also find applications in elliptic curve cryptography (ECC) and integer factorization.

An elliptic curve is not an ellipse in the sense of a projective conic, which has genus zero: see elliptic integral for the origin of the term. However, there is a natural representation of real elliptic curves with shape invariant Template:Math as ellipses in the hyperbolic plane <math>\mathbb{H}^2</math>. Specifically, the intersections of the Minkowski hyperboloid with quadric surfaces characterized by a certain constant-angle property produce the Steiner ellipses in <math>\mathbb{H}^2</math> (generated by orientation-preserving collineations). Further, the orthogonal trajectories of these ellipses comprise the elliptic curves with Template:Math, and any ellipse in <math>\mathbb{H}^2</math> described as a locus relative to two foci is uniquely the elliptic curve sum of two Steiner ellipses, obtained by adding the pairs of intersections on each orthogonal trajectory. Here, the vertex of the hyperboloid serves as the identity on each trajectory curve.<ref>Template:Cite journal</ref>

Topologically, a complex elliptic curve is a torus, while a complex ellipse is a sphere.

Elliptic curves over the real numbersEdit

Although the formal definition of an elliptic curve requires some background in algebraic geometry, it is possible to describe some features of elliptic curves over the real numbers using only introductory algebra and geometry.

In this context, an elliptic curve is a plane curve defined by an equation of the form

<math>y^2 = x^3 + ax + b</math>

after a linear change of variables (Template:Mvar and Template:Mvar are real numbers). This type of equation is called a Weierstrass equation, and said to be in Weierstrass form, or Weierstrass normal form.

The definition of elliptic curve also requires that the curve be non-singular. Geometrically, this means that the graph has no cusps, self-intersections, or isolated points. Algebraically, this holds if and only if the discriminant, <math>\Delta</math>, is not equal to zero.

<math>\Delta = -16\left(4a^3 + 27b^2\right) \neq 0</math>

The discriminant is zero when <math>a=-3k^2, b=2k^3</math>.

(Although the factor −16 is irrelevant to whether or not the curve is non-singular, this definition of the discriminant is useful in a more advanced study of elliptic curves.)<ref>Template:Harvard citations</ref>

The real graph of a non-singular curve has two components if its discriminant is positive, and one component if it is negative. For example, in the graphs shown in figure to the right, the discriminant in the first case is 64, and in the second case is −368. Following the convention at Conic section#Discriminant, elliptic curves require that the discriminant is negative.

The group lawEdit

When working in the projective plane, the equation in homogeneous coordinates becomes

<math>\frac{Y^2}{Z^2} = \frac{X^3}{Z^3} + a\frac{X}{Z} + b.</math>

This equation is not defined on the line at infinity, but we can multiply by <math>Z^3</math> to get one that is:

<math>ZY^2 = X^3 + aZ^2X + bZ^3.</math>

This resulting equation is defined on the whole projective plane, and the curve it defines projects onto the elliptic curve of interest. To find its intersection with the line at infinity, we can just posit <math>Z = 0</math>. This implies <math>X^3 = 0</math>, which in a field means <math>X = 0</math>. <math>Y</math> on the other hand can take any value, and thus all triplets <math>(0,Y,0)</math> satisfy the equation. In projective geometry this set is simply the point <math>O = [0:1:0]</math>, which is thus the unique intersection of the curve with the line at infinity.

Since the curve is smooth, hence continuous, it can be shown that this point at infinity is the identity element of a group structure whose operation is geometrically described as follows:

Since the curve is symmetric about the Template:Mvar axis, given any point Template:Mvar, we can take Template:Math to be the point opposite it. We then have <math>-O = O</math>, as <math>O</math> lies on the Template:Mvar plane, so that <math>-O</math> is also the symmetrical of <math>O</math> about the origin, and thus represents the same projective point.

If Template:Mvar and Template:Mvar are two points on the curve, then we can uniquely describe a third point Template:Math in the following way. First, draw the line that intersects Template:Mvar and Template:Mvar. This will generally intersect the cubic at a third point, Template:Mvar. We then take Template:Math to be Template:Math, the point opposite Template:Mvar.

This definition for addition works except in a few special cases related to the point at infinity and intersection multiplicity. The first is when one of the points is Template:Mvar. Here, we define Template:Math, making Template:Mvar the identity of the group. If Template:Math, we only have one point, thus we cannot define the line between them. In this case, we use the tangent line to the curve at this point as our line. In most cases, the tangent will intersect a second point Template:Mvar, and we can take its opposite. If Template:Mvar and Template:Mvar are opposites of each other, we define Template:Math. Lastly, if Template:Mvar is an inflection point (a point where the concavity of the curve changes), we take Template:Mvar to be Template:Mvar itself, and Template:Math is simply the point opposite itself, i.e. itself.

Let Template:Mvar be a field over which the curve is defined (that is, the coefficients of the defining equation or equations of the curve are in Template:Mvar) and denote the curve by Template:Mvar. Then the Template:Mvar-rational points of Template:Mvar are the points on Template:Mvar whose coordinates all lie in Template:Mvar, including the point at infinity. The set of Template:Mvar-rational points is denoted by Template:Math. Template:Math is a group, because properties of polynomial equations show that if Template:Mvar is in Template:Math, then Template:Math is also in Template:Math, and if two of Template:Mvar, Template:Mvar, Template:Mvar are in Template:Math, then so is the third. Additionally, if Template:Mvar is a subfield of Template:Mvar, then Template:Math is a subgroup of Template:Math.

Algebraic interpretationEdit

The above groups can be described algebraically as well as geometrically. Given the curve Template:Math over the field Template:Mvar (whose characteristic we assume to be neither 2 nor 3), and points Template:Math and Template:Math on the curve, assume first that Template:Math (case 1). Let Template:Math be the equation of the line that intersects Template:Mvar and Template:Mvar, which has the following slope:

<math>s = \frac{y_P - y_Q}{x_P - x_Q}.</math>

The line equation and the curve equation intersect at the points Template:Mvar, Template:Mvar, and Template:Mvar, so the equations have identical Template:Mvar values at these values.

<math>(sx + d)^2 = x^3 + bx + c,</math>

which is equivalent to

<math>x^3 - s^2 x^2 - 2sdx + bx + c - d^2 = 0.</math>

Since Template:Mvar, Template:Mvar, and Template:Mvar are solutions, this equation has its roots at exactly the same Template:Mvar values as

<math>(x - x_P) (x - x_Q) (x - x_R) = x^3 + (-x_P - x_Q - x_R) x^2 + (x_P x_Q + x_P x_R + x_Q x_R) x - x_P x_Q x_R,</math>

and because both equations are cubics, they must be the same polynomial up to a scalar. Then equating the coefficients of Template:Math in both equations

<math>-s^2 = (-x_P - x_Q - x_R)</math>

and solving for the unknown Template:Mvar,

<math>x_R = s^2 - x_P - x_Q.</math>

Template:Mvar follows from the line equation

<math>y_R = y_P - s(x_P - x_R),</math>

and this is an element of Template:Mvar, because Template:Mvar is.

If Template:Math, then there are two options: if Template:Math (case 3), including the case where Template:Math (case 4), then the sum is defined as 0; thus, the inverse of each point on the curve is found by reflecting it across the Template:Mvar axis.

If Template:Math, then Template:Math and Template:Math (case 2 using Template:Mvar as Template:Mvar). The slope is given by the tangent to the curve at (x_P, y_P).

<math>\begin{align}

   s &= \frac{3{x_P}^2 + b}{2y_P}, \\
 x_R &= s^2 - 2x_P, \\
 y_R &= y_P - s(x_P - x_R).

\end{align}</math>

A more general expression for <math>s</math> that works in both case 1 and case 2 is

<math>s = \frac{{x_P}^2 + x_P x_Q + {x_Q}^2 + b}{y_P + y_Q},</math>

where equality to Template:Math relies on Template:Mvar and Template:Mvar obeying Template:Math.

Non-Weierstrass curves

For the curve Template:Math (the general form of an elliptic curve with characteristic 3), the formulas are similar, with Template:Math and Template:Math.

For a general cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identity Template:Mvar. In the projective plane, each line will intersect a cubic at three points when accounting for multiplicity. For a point Template:Mvar, Template:Math is defined as the unique third point on the line passing through Template:Mvar and Template:Mvar. Then, for any Template:Mvar and Template:Mvar, Template:Math is defined as Template:Math where Template:Mvar is the unique third point on the line containing Template:Mvar and Template:Mvar.

For an example of the group law over a non-Weierstrass curve, see Hessian curves.

Elliptic curves over the rational numbers

A curve E defined over the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied to E. The explicit formulae show that the sum of two points P and Q with rational coordinates has again rational coordinates, since the line joining P and Q has rational coefficients. This way, one shows that the set of rational points of E forms a subgroup of the group of real points of E.

Integral points

This section is concerned with points P = (x, y) of E such that x is an integer.

For example, the equation y² = x³ + 17 has eight integral solutions with y > 0:<ref>T. Nagell, L'analyse indéterminée de degré supérieur, Mémorial des sciences mathématiques 39, Paris, Gauthier-Villars, 1929, pp. 56–59.</ref><ref>OEIS: https://oeis.org/A029728</ref>

(x, y) = (−2, 3), (−1, 4), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), (Template:Val, Template:Val).

As another example, Ljunggren's equation, a curve whose Weierstrass form is y² = x³ − 2x, has only four solutions with y ≥ 0 :<ref>Template:Citation</ref>

(x, y) = (0, 0), (−1, 1), (2, 2), (338, Template:Val).

The structure of rational points

Rational points can be constructed by the method of tangents and secants detailed above, starting with a finite number of rational points. More precisely<ref>Template:Harvard citations</ref> the Mordell–Weil theorem states that the group E(Q) is a finitely generated (abelian) group. By the fundamental theorem of finitely generated abelian groups it is therefore a finite direct sum of copies of Z and finite cyclic groups.

The proof of the theorem<ref>Template:Harvard citations</ref> involves two parts. The first part shows that for any integer m > 1, the quotient group E(Q)/mE(Q) is finite (this is the weak Mordell–Weil theorem). Second, introducing a height function h on the rational points E(Q) defined by h(P₀) = 0 and Template:Math if P (unequal to the point at infinity P₀) has as abscissa the rational number x = p/q (with coprime p and q). This height function h has the property that h(mP) grows roughly like the square of m. Moreover, only finitely many rational points with height smaller than any constant exist on E.

The proof of the theorem is thus a variant of the method of infinite descent<ref>See also Template:Cite journal and the comment of A. Weil on the genesis of his work: A. Weil, Collected Papers, vol. 1, 520–521.</ref> and relies on the repeated application of Euclidean divisions on E: let P ∈ E(Q) be a rational point on the curve, writing P as the sum 2P₁ + Q₁ where Q₁ is a fixed representant of P in E(Q)/2E(Q), the height of P₁ is about Template:Sfrac of the one of P (more generally, replacing 2 by any m > 1, and Template:Sfrac by Template:Sfrac). Redoing the same with P₁, that is to say P₁ = 2P₂ + Q₂, then P₂ = 2P₃ + Q₃, etc. finally expresses P as an integral linear combination of points Q_i and of points whose height is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height function P is thus expressed as an integral linear combination of a finite number of fixed points.

The theorem however doesn't provide a method to determine any representatives of E(Q)/mE(Q).

The rank of E(Q), that is the number of copies of Z in E(Q) or, equivalently, the number of independent points of infinite order, is called the rank of E. The Birch and Swinnerton-Dyer conjecture is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known. The elliptic curve with the currently largest exactly-known rank is

y² + xy + y = x³ − x² − Template:Gapsx + Template:Gaps

It has rank 20, found by Noam Elkies and Zev Klagsbrun in 2020. Curves of rank higher than 20 have been known since 1994, with lower bounds on their ranks ranging from 21 to 29, but their exact ranks are not known and in particular it is not proven which of them have higher rank than the others or which is the true "current champion".<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

As for the groups constituting the torsion subgroup of E(Q), the following is known:<ref>Template:Harvard citations</ref> the torsion subgroup of E(Q) is one of the 15 following groups (a theorem due to Barry Mazur): Z/NZ for N = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, or 12, or Z/2Z × Z/2NZ with N = 1, 2, 3, 4. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups over Q have the same torsion groups belong to a parametrized family.<ref>Template:Harvard citations</ref>

The Birch and Swinnerton-Dyer conjecture

{{#invoke:Labelled list hatnote|labelledList|Main article|Main articles|Main page|Main pages}} The Birch and Swinnerton-Dyer conjecture (BSD) is one of the Millennium problems of the Clay Mathematics Institute. The conjecture relies on analytic and arithmetic objects defined by the elliptic curve in question.

At the analytic side, an important ingredient is a function of a complex variable, L, the Hasse–Weil zeta function of E over Q. This function is a variant of the Riemann zeta function and Dirichlet L-functions. It is defined as an Euler product, with one factor for every prime number p.

For a curve E over Q given by a minimal equation

<math>y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6</math>

with integral coefficients <math>a_i</math>, reducing the coefficients modulo p defines an elliptic curve over the finite field F_p (except for a finite number of primes p, where the reduced curve has a singularity and thus fails to be elliptic, in which case E is said to be of bad reduction at p).

The zeta function of an elliptic curve over a finite field F_p is, in some sense, a generating function assembling the information of the number of points of E with values in the finite field extensions F_pⁿ of F_p. It is given by<ref>The definition is formal, the exponential of this power series without constant term denotes the usual development.</ref>

<math>Z(E(\mathbf{F}_p), T) = \exp\left(\sum_{n=1}^\infty \# \left[E({\mathbf F}_{p^n})\right]\frac{T^n}{n}\right)</math>

The interior sum of the exponential resembles the development of the logarithm and, in fact, the so-defined zeta function is a rational function in T:

<math>Z(E(\mathbf{F}_p), T) = \frac{1 - a_pT + pT^2}{(1 - T)(1 - pT)},</math>

where the 'trace of Frobenius' term<ref>see for example {{#invoke:citation/CS1|citation |CitationClass=web }}</ref> <math>a_p</math> is defined to be the difference between the 'expected' number <math>p+1</math> and the number of points on the elliptic curve <math>E</math> over <math>\mathbb{F}_p</math>, viz.

<math>

a_p = p + 1 - \#E(\mathbb{F}_p) </math>

or equivalently,

<math>

\#E(\mathbb{F}_p) = p + 1 - a_p </math>.

We may define the same quantities and functions over an arbitrary finite field of characteristic <math>p</math>, with <math>q = p^n</math> replacing <math>p</math> everywhere.

The L-function of E over Q is then defined by collecting this information together, for all primes p. It is defined by

<math>L(E(\mathbf{Q}), s) = \prod_{p\not\mid N} \left(1 - a_p p^{-s} + p^{1 - 2s}\right)^{-1} \cdot \prod_{p\mid N} \left(1 - a_p p^{-s}\right)^{-1}</math>

where N is the conductor of E, i.e. the product of primes with bad reduction <math>(\Delta (E\mod p)=0</math>),<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> in which case a_p is defined differently from the method above: see Silverman (1986) below.

For example <math>E:y^2=x^3+14x+19</math> has bad reduction at 17, because <math>E\mod17:y^2=x^3-3x+2</math> has <math>\Delta=0</math>.

This product converges for Re(s) > 3/2 only. Hasse's conjecture affirms that the L-function admits an analytic continuation to the whole complex plane and satisfies a functional equation relating, for any s, L(E, s) to L(E, 2 − s). In 1999 this was shown to be a consequence of the proof of the Shimura–Taniyama–Weil conjecture, which asserts that every elliptic curve over Q is a modular curve, which implies that its L-function is the L-function of a modular form whose analytic continuation is known. One can therefore speak about the values of L(E, s) at any complex number s.

At s = 1 (the conductor product can be discarded as it is finite), the L-function becomes

<math>L(E(\mathbf{Q}), 1) = \prod_{p\not\mid N} \left(1 - a_p p^{-1} + p^{-1}\right)^{-1} = \prod_{p\not\mid N} \frac{p}{p - a_p + 1} = \prod_{p\not\mid N}\frac{p}{\#E(\mathbb{F}_p)}</math>

The Birch and Swinnerton-Dyer conjecture relates the arithmetic of the curve to the behaviour of this L-function at s = 1. It affirms that the vanishing order of the L-function at s = 1 equals the rank of E and predicts the leading term of the Laurent series of L(E, s) at that point in terms of several quantities attached to the elliptic curve.

Much like the Riemann hypothesis, the truth of the BSD conjecture would have multiple consequences, including the following two:

• A congruent number is defined as an odd square-free integer n which is the area of a right triangle with rational side lengths. It is known that n is a congruent number if and only if the elliptic curve <math>y^2 = x^3 - n^2x</math> has a rational point of infinite order; assuming BSD, this is equivalent to its L-function having a zero at s = 1. Tunnell has shown a related result: assuming BSD, n is a congruent number if and only if the number of triplets of integers (x, y, z) satisfying <math>2x^2 + y^2 + 8z^2 = n</math> is twice the number of triples satisfying <math>2x^2 + y^2 + 32z^2 = n</math>. The interest in this statement is that the condition is easy to check.<ref>Template:Harvard citations</ref>
• In a different direction, certain analytic methods allow for an estimation of the order of zero in the center of the critical strip for certain L-functions. Admitting BSD, these estimations correspond to information about the rank of families of the corresponding elliptic curves. For example: assuming the generalized Riemann hypothesis and BSD, the average rank of curves given by <math>y^2=x^3+ax+b</math> is smaller than 2.<ref>Template:Cite journal</ref>

Elliptic curves over finite fields

Template:Further

Let K = F_q be the finite field with q elements and E an elliptic curve defined over K. While the precise number of rational points of an elliptic curve E over K is in general difficult to compute, Hasse's theorem on elliptic curves gives the following inequality:

<math>|\# E(K) - (q + 1)| \le 2\sqrt{q}</math>

In other words, the number of points on the curve grows proportionally to the number of elements in the field. This fact can be understood and proven with the help of some general theory; see local zeta function and étale cohomology for example.

The set of points E(F_q) is a finite abelian group. It is always cyclic or the product of two cyclic groups. For example,<ref>See Template:Harvard citations</ref> the curve defined by

<math>y^2 = x^3 - x</math>

over F₇₁ has 72 points (71 affine points including (0,0) and one point at infinity) over this field, whose group structure is given by Z/2Z × Z/36Z. The number of points on a specific curve can be computed with Schoof's algorithm.

Studying the curve over the field extensions of F_q is facilitated by the introduction of the local zeta function of E over F_q, defined by a generating series (also see above)

<math>Z(E(K), T) = \exp \left(\sum_{n=1}^{\infty} \# \left[E(K_n)\right] {T^n\over n} \right)</math>

where the field K_n is the (unique up to isomorphism) extension of K = F_q of degree n (that is, <math>K_n=F_{q^n}</math>).

The zeta function is a rational function in T. To see this, consider the integer <math>a</math> such that

<math>\#E(K) = 1 - a + q</math>

There is a complex number <math>\alpha</math> such that

<math> 1 - a + q = (1 - \alpha)(1 - \bar\alpha)</math>

where <math>\bar\alpha</math> is the complex conjugate, and so we have

<math>\alpha+\bar\alpha = a</math>

<math>\alpha\bar\alpha = q</math>

We choose <math>\alpha</math> so that its absolute value is <math>\sqrt{q}</math>, that is <math>\alpha = q^{\frac12}e^{i\theta}, \bar\alpha = q^{\frac12}e^{-i\theta}</math>, and that <math>\cos \theta=\frac{a}{2\sqrt q}</math>. Note that <math>|a|\le2\sqrt{q}</math>.

<math>\alpha</math> can then be used in the local zeta function as its values when raised to the various powers of n can be said to reasonably approximate the behaviour of <math>a_n</math>, in that

<math>\#E(K_n) = 1 - a_n + q^n</math>

Using the Taylor series for the natural logarithm,

<math>

\begin{alignat}{2} Z(E(K),T) & = \exp \left(\sum_{n=1}^{\infty} \left(1 - \alpha^n - \bar\alpha^n + q^n\right){T^n\over n} \right) \\ & = \exp \left(\sum_{n=1}^{\infty} {T^n\over n} - \sum_{n=1}^{\infty}\alpha^n{T^n\over n} - \sum_{n=1}^{\infty}\bar\alpha^n{T^n\over n} + \sum_{n=1}^{\infty}q^n{T^n\over n} \right) \\ & = \exp \left(-\ln(1-T) + \ln(1-\alpha T) + \ln(1-\bar\alpha T) - \ln(1-qT) \right) \\ & = \exp \left(\ln\frac{(1-\alpha T)(1-\bar\alpha T)}{(1-T)(1-qT)} \right) \\ & =\frac{(1-\alpha T)(1-\bar\alpha T)}{(1-T)(1-qT)} \\ \end{alignat} </math>

Then <math>(1 - \alpha T)(1 - \bar\alpha T) = 1 - aT + qT^2</math>, so finally

<math>Z(E(K), T) = \frac{1 - aT + qT^2}{(1 - qT)(1 - T)}</math>

For example,<ref>Template:Harvard citations</ref> the zeta function of E : y² + y = x³ over the field F₂ is given by

<math>\frac{1 + 2T^2}{(1 - T)(1 - 2T)}</math>

which follows from:

<math> \left| E(\mathbf{F}_{2^r}) \right| = \begin{cases} 2^r + 1 & r \text{ odd} \\ 2^r + 1 - 2(-2)^{\frac{r}{2}} & r \text{ even} \end{cases} </math>

as <math>q=2</math>, then <math>|E|=2^1+1=3=1-a+2</math>, so <math>a=0</math>.

The functional equation is

<math>Z \left(E(K), \frac{1}{qT} \right) = \frac{1 - a\frac{1}{qT} + q\left(\frac{1}{qT}\right)^2}{(1 - q\frac{1}{qT})(1 - \frac{1}{qT})}= \frac{q^2T^2 - aqT + q}{(qT - q)(qT - 1)} = Z(E(K), T)</math>

As we are only interested in the behaviour of <math>a_n</math>, we can use a reduced zeta function

<math>Z(a, T) = \exp \left(\sum_{n=1}^{\infty} -a_n {T^n\over n} \right)</math>

<math>Z(a, T) = \exp \left(\sum_{n=1}^{\infty} -\alpha^n {T^n\over n} - \bar\alpha^n {T^n\over n} \right)</math>

and so

<math>Z(a, T) = \exp \left(\ln(1-\alpha T) + \ln(1-\bar\alpha T)\right)</math>

which leads directly to the local L-functions

<math>L(E(K), T) = 1 - aT + qT^2</math>

The Sato–Tate conjecture is a statement about how the error term <math>2\sqrt{q}</math> in Hasse's theorem varies with the different primes q, if an elliptic curve E over Q is reduced modulo q. It was proven (for almost all such curves) in 2006 due to the results of Taylor, Harris and Shepherd-Barron,<ref>Template:Cite journal</ref> and says that the error terms are equidistributed.

Elliptic curves over finite fields are notably applied in cryptography and for the factorization of large integers. These algorithms often make use of the group structure on the points of E. Algorithms that are applicable to general groups, for example the group of invertible elements in finite fields, F*_q, can thus be applied to the group of points on an elliptic curve. For example, the discrete logarithm is such an algorithm. The interest in this is that choosing an elliptic curve allows for more flexibility than choosing q (and thus the group of units in F_q). Also, the group structure of elliptic curves is generally more complicated.

Elliptic curves over a general fieldEdit

Elliptic curves can be defined over any field K; the formal definition of an elliptic curve is a non-singular projective algebraic curve over K with genus 1 and endowed with a distinguished point defined over K.

If the characteristic of K is neither 2 nor 3, then every elliptic curve over K can be written in the form

<math>y^2 = x^3 - px - q</math>

after a linear change of variables. Here p and q are elements of K such that the right hand side polynomial x³ − px − q does not have any double roots. If the characteristic is 2 or 3, then more terms need to be kept: in characteristic 3, the most general equation is of the form

<math>y^2 = 4x^3 + b_2 x^2 + 2b_4 x + b_6</math>

for arbitrary constants b₂, b₄, b₆ such that the polynomial on the right-hand side has distinct roots (the notation is chosen for historical reasons). In characteristic 2, even this much is not possible, and the most general equation is

<math>y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6</math>

provided that the variety it defines is non-singular. If characteristic were not an obstruction, each equation would reduce to the previous ones by a suitable linear change of variables.

One typically takes the curve to be the set of all points (x,y) which satisfy the above equation and such that both x and y are elements of the algebraic closure of K. Points of the curve whose coordinates both belong to K are called K-rational points.

Many of the preceding results remain valid when the field of definition of E is a number field K, that is to say, a finite field extension of Q. In particular, the group E(K) of K-rational points of an elliptic curve E defined over K is finitely generated, which generalizes the Mordell–Weil theorem above. A theorem due to Loïc Merel shows that for a given integer d, there are (up to isomorphism) only finitely many groups that can occur as the torsion groups of E(K) for an elliptic curve defined over a number field K of degree d. More precisely,<ref>Template:Cite journal</ref> there is a number B(d) such that for any elliptic curve E defined over a number field K of degree d, any torsion point of E(K) is of order less than B(d). The theorem is effective: for d > 1, if a torsion point is of order p, with p prime, then

<math>p < d^{3d^2}</math>

As for the integral points, Siegel's theorem generalizes to the following: Let E be an elliptic curve defined over a number field K, x and y the Weierstrass coordinates. Then there are only finitely many points of E(K) whose x-coordinate is in the ring of integers O_K.

The properties of the Hasse–Weil zeta function and the Birch and Swinnerton-Dyer conjecture can also be extended to this more general situation.

Elliptic curves over the complex numbersEdit

Template:Further

The formulation of elliptic curves as the embedding of a torus in the complex projective plane follows naturally from a curious property of Weierstrass's elliptic functions. These functions and their first derivative are related by the formula

<math>\wp'(z)^2 = 4\wp(z)^3 -g_2\wp(z) - g_3</math>

Here, Template:Math and Template:Math are constants; Template:Math is the Weierstrass elliptic function and Template:Math its derivative. It should be clear that this relation is in the form of an elliptic curve (over the complex numbers). The Weierstrass functions are doubly periodic; that is, they are periodic with respect to a lattice Template:Math; in essence, the Weierstrass functions are naturally defined on a torus Template:Math. This torus may be embedded in the complex projective plane by means of the map

<math>z \mapsto \left[1 : \wp(z) : \tfrac12\wp'(z)\right]</math>

This map is a group isomorphism of the torus (considered with its natural group structure) with the chord-and-tangent group law on the cubic curve which is the image of this map. It is also an isomorphism of Riemann surfaces from the torus to the cubic curve, so topologically, an elliptic curve is a torus. If the lattice Template:Math is related by multiplication by a non-zero complex number Template:Mvar to a lattice Template:Math, then the corresponding curves are isomorphic. Isomorphism classes of elliptic curves are specified by the [[j-invariant|Template:Mvar-invariant]].

The isomorphism classes can be understood in a simpler way as well. The constants Template:Math and Template:Math, called the modular invariants, are uniquely determined by the lattice, that is, by the structure of the torus. However, all real polynomials factorize completely into linear factors over the complex numbers, since the field of complex numbers is the algebraic closure of the reals. So, the elliptic curve may be written as

<math>y^2 = x(x - 1)(x - \lambda)</math>

One finds that

<math>\begin{align}

g_2' &= \frac{\sqrt[3]4}{3} \left(\lambda^2 - \lambda + 1\right) \\[4pt] g_3' &= \frac{1}{27} (\lambda + 1)\left(2\lambda^2 - 5\lambda + 2\right) \end{align}</math>

and

<math>j(\tau) = 1728\frac{{g_2'}^3}{{g_2'}^3 - 27{g_3'}^2} = 256\frac{ \left(\lambda^2 - \lambda + 1\right)^3}{\lambda^2\left(\lambda - 1\right)^2}</math>

with [[J-invariant|Template:Mvar-invariant]] Template:Math and Template:Math is sometimes called the modular lambda function. For example, let Template:Math, then Template:Math which implies Template:Math, Template:Math, and therefore Template:Math of the formula above are all algebraic numbers if Template:Mvar involves an imaginary quadratic field. In fact, it yields the integer Template:Math.

In contrast, the modular discriminant

<math>\Delta(\tau) = g_2(\tau)^3 - 27g_3(\tau)^2 = (2\pi)^{12}\,\eta^{24}(\tau)</math>

is generally a transcendental number. In particular, the value of the Dedekind eta function Template:Math is

<math>\eta(2i)=\frac{\Gamma \left(\frac14\right)}{2^\frac{11}{8} \pi^\frac34}</math>

Note that the uniformization theorem implies that every compact Riemann surface of genus one can be represented as a torus. This also allows an easy understanding of the torsion points on an elliptic curve: if the lattice Template:Math is spanned by the fundamental periods Template:Math and Template:Math, then the Template:Mvar-torsion points are the (equivalence classes of) points of the form

<math> \frac{a}{n} \omega_1 + \frac{b}{n} \omega_2</math>

for integers Template:Mvar and Template:Mvar in the range Template:Math.

If

<math>E : y^2=4(x-e_1)(x-e_2)(x-e_3)</math>

is an elliptic curve over the complex numbers and

<math>a_0=\sqrt{e_1-e_3}, \qquad b_0=\sqrt{e_1-e_2}, \qquad c_0=\sqrt{e_2-e_3},</math>

then a pair of fundamental periods of Template:Mvar can be calculated very rapidly by

<math>\omega_1=\frac{\pi}{\operatorname{M}(a_0,b_0)}, \qquad \omega_2=\frac{\pi}{\operatorname{M}(c_0,ib_0)}</math>

Template:Math is the arithmetic–geometric mean of Template:Mvar and Template:Mvar. At each step of the arithmetic–geometric mean iteration, the signs of Template:Mvar arising from the ambiguity of geometric mean iterations are chosen such that Template:Math where Template:Mvar and Template:Mvar denote the individual arithmetic mean and geometric mean iterations of Template:Mvar and Template:Mvar, respectively. When Template:Math, there is an additional condition that Template:Math.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Over the complex numbers, every elliptic curve has nine inflection points. Every line through two of these points also passes through a third inflection point; the nine points and 12 lines formed in this way form a realization of the Hesse configuration.

The dual isogenyEdit

Given an isogeny

<math> f : E \to E'</math>

of elliptic curves of degree <math>n</math>, the dual isogeny is an isogeny

<math>\hat{f} : E' \to E</math>

of the same degree such that

<math>f \circ \hat{f} = [n].</math>

Here <math>[n]</math> denotes the multiplication-by-<math>n</math> isogeny <math>e \mapsto ne</math> which has degree <math>n^2.</math>

Construction of the dual isogenyEdit

Often only the existence of a dual isogeny is needed, but it can be explicitly given as the composition

<math>E' \to \operatorname{Div}^0(E') \to \operatorname{Div}^0(E) \to E,</math>

where <math>\operatorname{Div}^0</math> is the group of divisors of degree 0. To do this, we need maps <math>E \to \operatorname{Div}^0(E)</math> given by <math>P \to P - O</math> where <math>O</math> is the neutral point of <math>E</math> and <math>\operatorname{Div}^0(E) \to E</math> given by <math>\sum n_P P \to \sum n_P P.</math>

To see that <math>f \circ \hat{f} = [n]</math>, note that the original isogeny <math>f</math> can be written as a composite

<math>E \to \operatorname{Div}^0(E) \to \operatorname{Div}^0(E') \to E',</math>

and that since <math>f</math> is finite of degree <math>n</math>, <math>f_* f^*</math> is multiplication by <math>n</math> on <math>\operatorname{Div}^0(E').</math>

Alternatively, we can use the smaller Picard group <math>\operatorname{Pic}^0</math>, a quotient of <math>\operatorname{Div}^0.</math> The map <math>E \to \operatorname{Div}^0(E)</math> descends to an isomorphism, <math>E \to \operatorname{Pic}^0(E).</math> The dual isogeny is

<math>E' \to \operatorname{Pic}^0(E') \to \operatorname{Pic}^0(E) \to E.</math>

Note that the relation <math>f \circ \hat{f} = [n]</math> also implies the conjugate relation <math>\hat{f} \circ f = [n].</math> Indeed, let <math>\phi = \hat{f} \circ f.</math> Then <math>\phi \circ \hat{f} = \hat{f} \circ [n] = [n] \circ \hat{f}.</math> But <math>\hat{f}</math> is surjective, so we must have <math>\phi = [n].</math>

Algorithms that use elliptic curvesEdit

Elliptic curves over finite fields are used in some cryptographic applications as well as for integer factorization. Typically, the general idea in these applications is that a known algorithm which makes use of certain finite groups is rewritten to use the groups of rational points of elliptic curves. For more see also:

• Elliptic curve cryptography
  • Elliptic-curve Diffie–Hellman key exchange (ECDH)
  • Supersingular isogeny key exchange
  • Elliptic curve digital signature algorithm (ECDSA)
  • EdDSA digital signature algorithm
  • Dual EC DRBG random number generator
• Lenstra elliptic-curve factorization
• Elliptic curve primality proving

Alternative representations of elliptic curvesEdit

• Hessian curve
• Edwards curve
• Twisted curve
• Twisted Hessian curve
• Twisted Edwards curve
• Doubling-oriented Doche–Icart–Kohel curve
• Tripling-oriented Doche–Icart–Kohel curve
• Jacobian curve
• Montgomery curve

See alsoEdit

• Arithmetic dynamics
• Elliptic algebra
• Elliptic surface
• Comparison of computer algebra systems
• Isogeny
• j-line
• Level structure (algebraic geometry)
• Modularity theorem
• Moduli stack of elliptic curves
• Nagell–Lutz theorem
• Riemann–Hurwitz formula
• Wiles's proof of Fermat's Last Theorem

NotesEdit

Template:Reflist

ReferencesEdit

Serge Lang, in the introduction to the book cited below, stated that "It is possible to write endlessly on elliptic curves. (This is not a threat.)" The following short list is thus at best a guide to the vast expository literature available on the theoretical, algorithmic, and cryptographic aspects of elliptic curves.

• Template:Cite book
• Template:Cite journal, winner of the MAA writing prize the George Pólya Award
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Hardy and Wright Chapter XXV
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite book
• Template:Cite journal
• Template:Cite book

External linksEdit

Template:Sister project Template:Sister project

• LMFDB: Database of Elliptic Curves over Q
• Template:Springer
• {{#invoke:Template wrapper|{{#if:|list|wrap}}|_template=cite web

|_exclude=urlname, _debug, id |url = https://mathworld.wolfram.com/{{#if:EllipticCurve%7CEllipticCurve.html}} |title = Elliptic Curves |author = Weisstein, Eric W. |website = MathWorld |access-date = |ref = Template:SfnRef }}

• The Arithmetic of elliptic curves from PlanetMath
• Interactive elliptic curve over R and over Zp – web application that requires HTML5 capable browser.

Template:Algebraic curves navbox

{{#if: | This article incorporates material from the following PlanetMath articles, which are licensed under the Creative Commons Attribution/Share-Alike License: {{#if: | Isogeny | {{#if: 3206 | Isogeny | [{{{sourceurl}}} Isogeny] }} }}, {{#if: | {{{title2}}} | {{#if: | {{{title2}}} | [{{{sourceurl2}}} {{{title2}}}] }} }}{{#if: | , {{#if: | {{{title3}}} | {{#if: | {{{title3}}} | [{{{sourceurl3}}} {{{title3}}}] }} }} }}{{#if: | , {{#if: | {{{title4}}} | {{#if: | {{{title4}}} | [{{{sourceurl4}}} {{{title4}}}] }} }} }}{{#if: | , {{#if: | {{{title5}}} | {{#if: | {{{title5}}} | [{{{sourceurl5}}} {{{title5}}}] }} }} }}{{#if: | , {{#if: | {{{title6}}} | {{#if: | {{{title6}}} | [{{{sourceurl6}}} {{{title6}}}] }} }} }}{{#if: | , {{#if: | {{{title7}}} | {{#if: | {{{title7}}} | [{{{sourceurl7}}} {{{title7}}}] }} }} }}{{#if: | , {{#if: | {{{title8}}} | {{#if: | {{{title8}}} | [{{{sourceurl8}}} {{{title8}}}] }} }} }}{{#if: | , {{#if: | {{{title9}}} | {{#if: | {{{title9}}} | [{{{sourceurl9}}} {{{title9}}}] }} }} }}. | This article incorporates material from {{#if: | Isogeny | Isogeny}} on PlanetMath, which is licensed under the Creative Commons Attribution/Share-Alike License. }}

Template:Authority control