Editing Elliptic curve (section)

===Algebraic interpretation===

The above groups can be described algebraically as well as geometrically. Given the curve {{math|1=''y''<sup>2</sup> = ''x''<sup>3</sup> + ''bx'' + ''c''}} over the field {{mvar|K}} (whose [[Prime subfield|characteristic]] we assume to be neither 2 nor 3), and points {{math|1=''P'' = (''x<sub>P</sub>'', ''y<sub>P</sub>'')}} and {{math|1=''Q'' = (''x<sub>Q</sub>'', ''y<sub>Q</sub>'')}} on the curve, assume first that {{math|''x<sub>P</sub>'' ≠ ''x<sub>Q</sub>''}} (case ''1''). Let {{math|1=''y'' = ''sx'' + ''d''}} be the equation of the line that intersects {{mvar|P}} and {{mvar|Q}}, which has the following slope:
: <math>s = \frac{y_P - y_Q}{x_P - x_Q}.</math>

The line equation and the curve equation intersect at the points {{mvar|x<sub>P</sub>}}, {{mvar|x<sub>Q</sub>}}, and {{mvar|x<sub>R</sub>}}, so the equations have identical {{mvar|y}} values at these values.

: <math>(sx + d)^2 = x^3 + bx + c,</math>
which is equivalent to
: <math>x^3 - s^2 x^2 - 2sdx + bx + c - d^2 = 0.</math>

Since {{mvar|x<sub>P</sub>}}, {{mvar|x<sub>Q</sub>}}, and {{mvar|x<sub>R</sub>}} are solutions, this equation has its roots at exactly the same {{mvar|x}} values as
: <math>(x - x_P) (x - x_Q) (x - x_R) = x^3 + (-x_P - x_Q - x_R) x^2 + (x_P x_Q + x_P x_R + x_Q x_R) x - x_P x_Q x_R,</math>
and because both equations are cubics, they must be the same polynomial up to a scalar. Then [[equating the coefficients]] of {{math|''x''<sup>2</sup>}} in both equations
: <math>-s^2 = (-x_P - x_Q - x_R)</math>
and solving for the unknown {{mvar|x<sub>R</sub>}},
: <math>x_R = s^2 - x_P - x_Q.</math>

{{mvar|y<sub>R</sub>}} follows from the line equation
: <math>y_R = y_P - s(x_P - x_R),</math>
and this is an element of {{mvar|K}}, because {{mvar|s}} is.

If {{math|1=''x<sub>P</sub>'' = ''x<sub>Q</sub>''}}, then there are two options: if {{math|1=''y<sub>P</sub>'' = −''y<sub>Q</sub>''}} (case ''3''), including the case where {{math|1=''y<sub>P</sub>'' = ''y<sub>Q</sub>'' = 0}} (case ''4''), then the sum is defined as 0; thus, the inverse of each point on the curve is found by reflecting it across the {{mvar|x}}&nbsp;axis.

If {{math|1=''y<sub>P</sub>'' = ''y<sub>Q</sub>'' ≠ 0}}, then {{math|1=''Q'' = ''P''}} and {{math|1=''R'' = (''x''<sub>''R''</sub>, ''y''<sub>''R''</sub>) = −(''P'' + ''P'') = −2''P'' = −2''Q''}} (case ''2'' using {{mvar|P}} as {{mvar|R}}). The slope is given by the tangent to the curve at (''x''<sub>''P''</sub>, ''y''<sub>''P''</sub>).
<!-- As a reminder, R=-2P here, not 2P; it's the other point of intersection between the elliptic curve and the tangent line. The equation for y_R should be the same as above: y_R &= y_P - s(x_P - x_R). -->
: <math>\begin{align}
    s &= \frac{3{x_P}^2 + b}{2y_P}, \\
  x_R &= s^2 - 2x_P, \\
  y_R &= y_P - s(x_P - x_R).
\end{align}</math>

A more general expression for <math>s</math> that works in both case 1 and case 2 is
: <math>s = \frac{{x_P}^2 + x_P x_Q + {x_Q}^2 + b}{y_P + y_Q},</math>
where equality to {{math|1={{sfrac|''y<sub>P</sub>'' − ''y<sub>Q</sub>''|''x<sub>P</sub>'' − ''x<sub>Q</sub>''}}}} relies on {{mvar|P}} and {{mvar|Q}} obeying {{math|1=''y''<sup>2</sup> = ''x''<sup>3</sup> + ''bx'' + ''c''}}.

===Non-Weierstrass curves===

For the curve {{math|1=''y''<sup>2</sup> = ''x''<sup>3</sup> + ''ax''<sup>2</sup>  + ''bx'' + ''c''}} (the general form of an elliptic curve with [[Prime subfield|characteristic]] 3), the formulas are similar, with {{math|1=''s'' = {{sfrac|''x<sub>P</sub>''<sup>2</sup> + ''x<sub>P</sub>'' ''x<sub>Q</sub>'' + ''x<sub>Q</sub>''<sup>2</sup> + ''ax<sub>P</sub>'' + ''ax<sub>Q</sub>'' + ''b''|''y<sub>P</sub>'' + ''y<sub>Q</sub>''}}}} and {{math|1=''x<sub>R</sub>'' = ''s''<sup>2</sup> − ''a'' − ''x<sub>P</sub>'' − ''x<sub>Q</sub>''}}.

For a general cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identity {{mvar|O}}. In the projective plane, each line will intersect a cubic at three points when accounting for multiplicity. For a point {{mvar|P}}, {{math|−''P''}} is defined as the unique third point on the line passing through {{mvar|O}} and {{mvar|P}}. Then, for any {{mvar|P}} and {{mvar|Q}}, {{math|''P'' + ''Q''}} is defined as {{math|−''R''}} where {{mvar|R}} is the unique third point on the line containing {{mvar|P}} and {{mvar|Q}}.

For an example of the group law over a non-Weierstrass curve, see [[Hessian_form_of_an_elliptic_curve#Group_law|Hessian curves]].

==Elliptic curves over the rational numbers==
A curve ''E'' defined over the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied to ''E''. The explicit formulae show that the sum of two points ''P'' and ''Q'' with rational coordinates has again rational coordinates, since the line joining ''P'' and ''Q'' has rational coefficients.<!--Il en est de même pour le symétrique par rapport à l'axe des abscisses d'un point à coordonnées rationnelles.--> This way, one shows that the set of rational points of ''E'' forms a subgroup of the group of real points of ''E''.

===Integral points===
This section is concerned with points ''P'' = (''x'', ''y'') of ''E'' such that ''x'' is an integer.

For example, the equation ''y''<sup>2</sup> = ''x''<sup>3</sup> + 17 has eight integral solutions with ''y''&nbsp;> 0:<ref>T. Nagell, ''L'analyse indéterminée de degré supérieur'', Mémorial des sciences mathématiques 39, Paris, Gauthier-Villars, 1929, pp. 56–59.</ref><ref>OEIS: https://oeis.org/A029728</ref>
:(''x'', ''y'') = (−2, 3), (−1, 4), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), ({{val|5234}}, {{val|378661}}).

As another example, [[Stella octangula number|Ljunggren's equation]], a curve whose Weierstrass form is ''y''<sup>2</sup> = ''x''<sup>3</sup> − 2''x'', has only four solutions with ''y''&nbsp;≥ 0 :<ref>{{citation |hdl=10871/8323 |first=Samir |last=Siksek |type=Ph.D. thesis |publisher=University of Exeter |year=1995 |title=Descents on Curves of Genus 1 |pages=16–17 |postscript=. }}</ref>
:(''x'', ''y'') = (0, 0), (−1, 1), (2, 2), (338, {{val|6214}}).

===The structure of rational points===
Rational points can be constructed by the method of tangents and secants detailed [[#The group law|above]], starting with a ''finite'' number of rational points. More precisely<ref>{{Harvard citations|author=Silverman|year=1986|nb=yes|loc=Theorem 4.1}}</ref> the [[Mordell–Weil theorem]] states that the group ''E''('''Q''') is a [[finitely generated group|finitely generated]] (abelian) group. By the [[fundamental theorem of finitely generated abelian groups]] it is therefore a finite direct sum of copies of '''Z''' and finite cyclic groups.

The proof of the theorem<ref>{{Harvard citations|author=Silverman|year=1986|nb=yes|loc=pp. 199–205}}</ref> involves two parts. The first part shows that for any integer ''m''&nbsp;>&nbsp;1, the [[quotient group]] ''E''('''Q''')/''mE''('''Q''') is finite (this is the weak Mordell–Weil theorem). Second, introducing a [[height function]] ''h'' on the rational points ''E''('''Q''') defined by ''h''(''P''<sub>0</sub>) = 0 and {{math|''h''(''P'') {{=}} log max({{pipe}}''p''{{pipe}}, {{pipe}}''q''{{pipe}})}} if ''P'' (unequal to the point at infinity ''P''<sub>0</sub>) has as [[abscissa]] the rational number ''x'' = ''p''/''q'' (with [[coprime]] ''p'' and ''q''). This height function ''h'' has the property that ''h''(''mP'') grows roughly like the square of ''m''. Moreover, only finitely many rational points with height smaller than any constant exist on ''E''.

The proof of the theorem is thus a variant of the method of [[infinite descent]]<ref>See also {{cite journal
| last1=Cassels | first1=J. W. S. | authorlink1=J. W. S. Cassels
| title=Mordell's Finite Basis Theorem Revisited
| date=1986
| journal=[[Mathematical Proceedings of the Cambridge Philosophical Society]]
| volume=100
| issue=1
| pages=31–41
| doi=10.1017/S0305004100065841| bibcode=1986MPCPS.100...31C }} and the comment of A. Weil on the genesis of his work: A. Weil, ''Collected Papers'', vol. 1, 520–521.</ref> and relies on the repeated application of [[Euclidean algorithm|Euclidean division]]s on ''E'': let ''P'' ∈ ''E''('''Q''') be a rational point on the curve, writing ''P'' as the sum 2''P''<sub>1</sub> + ''Q''<sub>1</sub> where ''Q''<sub>1</sub> is a fixed representant of ''P'' in ''E''('''Q''')/2''E''('''Q'''), the height of ''P''<sub>1</sub> is about {{sfrac|1|4}} of the one of ''P'' (more generally, replacing 2 by any ''m'' > 1, and {{sfrac|1|4}} by {{sfrac|1|''m''<sup>2</sup>}}). Redoing the same with ''P''<sub>1</sub>, that is to say ''P''<sub>1</sub> = 2''P''<sub>2</sub> + ''Q''<sub>2</sub>, then ''P''<sub>2</sub> = 2''P''<sub>3</sub> + ''Q''<sub>3</sub>, etc. finally expresses ''P'' as an integral linear combination of points ''Q<sub>i</sub>'' and of points whose height is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height function ''P'' is thus expressed as an integral linear combination of a finite number of fixed points. 

The theorem however doesn't provide a method to determine any representatives of ''E''('''Q''')/''mE''('''Q''').

The [[Rank of an abelian group|rank]] of ''E''('''Q'''), that is the number of copies of '''Z''' in ''E''('''Q''') or, equivalently, the number of independent points of infinite order, is called the ''rank'' of ''E''. The [[Birch and Swinnerton-Dyer conjecture]] is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known. The elliptic curve with the currently largest exactly-known rank is
:''y''<sup>2</sup> + ''xy'' + ''y'' = ''x''<sup>3</sup> − ''x''<sup>2</sup> − {{gaps|244|537|673|336|319|601|463|803|487|168|961|769|270|757|573|821|859|853|707}}''x'' + {{gaps|961|710|182|053|183|034|546|222|979|258|806|817|743|270|682|028|964|434|238|957|830|989|898|438|151|121|499|931}}

It has rank 20, found by [[Noam Elkies]] and Zev Klagsbrun in 2020. Curves of rank higher than 20 have been known since 1994, with lower bounds on their ranks ranging from 21 to 29, but their exact ranks are not known and in particular it is not proven which of them have higher rank than the others or which is the true "current champion".<ref>{{cite web|url=http://web.math.pmf.unizg.hr/~duje/tors/rankhist.html|title=History of elliptic curves rank records|last=Dujella|first=Andrej|author-link=Andrej Dujella|publisher = University of Zagreb}}</ref>

As for the groups constituting the [[torsion subgroup]] of ''E''('''Q'''), the following is known:<ref>{{Harvard citations|author=Silverman|year=1986|nb=yes|loc=Theorem 7.5}}</ref> the torsion subgroup of ''E''('''Q''') is one of the 15 following groups ([[Mazur's torsion theorem|a theorem]] due to [[Barry Mazur]]): '''Z'''/''N'''''Z''' for ''N'' = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, or 12, or '''Z'''/2'''Z''' × '''Z'''/2''N'''''Z''' with ''N'' = 1, 2, 3, 4. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups over '''Q''' have the same torsion groups belong to a parametrized family.<ref>{{Harvard citations|author=Silverman|year=1986|nb=yes|loc=Remark 7.8 in Ch. VIII}}</ref>

===The Birch and Swinnerton-Dyer conjecture===
{{Main|Birch and Swinnerton-Dyer conjecture}}
The ''Birch and Swinnerton-Dyer conjecture'' (BSD) is one of the [[Millennium problem]]s of the [[Clay Mathematics Institute]]. The conjecture relies on analytic and arithmetic objects defined by the elliptic curve in question.

At the analytic side, an important ingredient is a function of a complex variable, ''L'', the [[Hasse–Weil zeta function]] of ''E'' over '''Q'''. This function is a variant of the [[Riemann zeta function]] and [[Dirichlet L-function]]s. It is defined as an [[Euler product]], with one factor for every [[prime number]] ''p''.

For a curve ''E'' over '''Q''' given by a minimal equation
:<math>y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6</math>

with integral coefficients <math>a_i</math>, reducing the coefficients [[Modular arithmetic|modulo]] ''p'' defines an elliptic curve over the [[finite field]] '''F'''<sub>''p''</sub> (except for a finite number of primes ''p'', where the reduced curve has a [[Mathematical singularity|singularity]] and thus fails to be elliptic, in which case ''E'' is said to be of [[bad reduction]] at ''p'').

The zeta function of an elliptic curve over a finite field '''F'''<sub>''p''</sub> is, in some sense, a [[generating function]] assembling the information of the number of points of ''E'' with values in the finite [[field extension]]s '''F'''<sub>''p<sup>n</sup>''</sub> of '''F'''<sub>''p''</sub>. It is given by<ref>The definition is formal, the exponential of this [[power series]] without constant term denotes the usual development.</ref>
:<math>Z(E(\mathbf{F}_p), T) = \exp\left(\sum_{n=1}^\infty \# \left[E({\mathbf F}_{p^n})\right]\frac{T^n}{n}\right)</math>

The interior sum of the exponential resembles the development of the [[logarithm]] and, in fact, the so-defined zeta function is a [[rational function]] in ''T'':
:<math>Z(E(\mathbf{F}_p), T) = \frac{1 - a_pT + pT^2}{(1 - T)(1 - pT)},</math>
where the 'trace of Frobenius' term<ref>see for example {{cite web |title=An Introduction to the Theory of Elliptic Curves |first=Joseph H. |last=Silverman |date=2006 |work=Summer School on Computational Number Theory and Applications to Cryptography |publisher=University of Wyoming |url=https://www.math.brown.edu/~jhs/Presentations/WyomingEllipticCurve.pdf }}</ref> <math>a_p</math> is defined to be the difference between the 'expected' number <math>p+1</math> and the number of points on the elliptic curve <math>E</math> over <math>\mathbb{F}_p</math>, viz.
:<math>
a_p = p + 1 - \#E(\mathbb{F}_p)
</math>

or equivalently,

:<math>
\#E(\mathbb{F}_p) = p + 1 - a_p
</math>.

We may define the same quantities and functions over an arbitrary finite field of characteristic <math>p</math>, with <math>q = p^n</math> replacing <math>p</math> everywhere.

The [[Hasse–Weil zeta function#Example:_elliptic_curve_over_Q|L-function]] of ''E'' over '''Q''' is then defined by collecting this information together, for all primes ''p''. It is defined by

:<math>L(E(\mathbf{Q}), s) = \prod_{p\not\mid N} \left(1 - a_p p^{-s} + p^{1 - 2s}\right)^{-1} \cdot \prod_{p\mid N} \left(1 - a_p p^{-s}\right)^{-1}</math>

where ''N'' is the [[Conductor_of_an_elliptic_curve|conductor]] of ''E'', i.e. the product of primes with bad reduction <math>(\Delta (E\mod p)=0</math>),<ref>{{cite web | url=https://www.lmfdb.org/knowledge/show/ec.bad_reduction | title=LMFDB - Bad reduction of an elliptic curve at a prime (Reviewed) }}</ref> in which case ''a<sub>p</sub>'' is defined differently from the method above: see Silverman (1986) below.

For example <math>E:y^2=x^3+14x+19</math> has bad reduction at 17, because <math>E\mod17:y^2=x^3-3x+2</math> has <math>\Delta=0</math>.

This product [[absolute convergence|converges]] for Re(''s'') > 3/2 only. Hasse's conjecture affirms that the ''L''-function admits an [[analytic continuation]] to the whole complex plane and satisfies a [[functional equation]] relating, for any ''s'', ''L''(''E'', ''s'') to ''L''(''E'', 2 − ''s''). In 1999 this was shown to be a consequence of the proof of the Shimura–Taniyama–Weil conjecture, which asserts that every elliptic curve over ''Q'' is a [[modular curve]], which implies that its ''L''-function is the ''L''-function of a [[modular form]] whose analytic continuation is known. One can therefore speak about the values of ''L''(''E'', ''s'') at any complex number ''s''.

At ''s'' = 1 (the conductor product can be discarded as it is finite), the ''L''-function becomes

:<math>L(E(\mathbf{Q}), 1) = \prod_{p\not\mid N} \left(1 - a_p p^{-1} + p^{-1}\right)^{-1} = \prod_{p\not\mid N} \frac{p}{p - a_p + 1} = \prod_{p\not\mid N}\frac{p}{\#E(\mathbb{F}_p)}</math>

The ''Birch and Swinnerton-Dyer conjecture'' relates the arithmetic of the curve to the behaviour of this ''L''-function at ''s''&nbsp;= 1. It affirms that the vanishing order of the ''L''-function at ''s''&nbsp;= 1 equals the rank of ''E'' and predicts the leading term of the Laurent series of ''L''(''E'', ''s'') at that point in terms of several quantities attached to the elliptic curve.

Much like the [[Riemann hypothesis]], the truth of the BSD conjecture would have multiple consequences, including the following two:
* A [[congruent number]] is defined as an odd [[square-free integer]] ''n'' which is the area of a right triangle with rational side lengths. It is known that ''n'' is a congruent number if and only if the elliptic curve <math>y^2 = x^3 - n^2x</math> has a rational point of infinite order; assuming BSD, this is equivalent to its ''L''-function having a zero at ''s''&nbsp;= 1. [[Tunnell's theorem|Tunnell]] has shown a related result: assuming BSD, ''n'' is a congruent number if and only if the number of triplets of integers (''x'', ''y'', ''z'') satisfying <math>2x^2 + y^2 + 8z^2 = n</math> is twice the number of triples satisfying <math>2x^2 + y^2 + 32z^2 = n</math>. The interest in this statement is that the condition is easy to check.<ref>{{Harvard citations|author=Koblitz|year=1993|nb=yes}}</ref>
*In a different direction, certain analytic methods allow for an estimation of the order of zero in the center of the [[critical strip]] for certain ''L''-functions. Admitting BSD, these estimations correspond to information about the rank of families of the corresponding elliptic curves. For example: assuming the [[generalized Riemann hypothesis]] and BSD, the average rank of curves given by <math>y^2=x^3+ax+b</math> is smaller than 2.<ref>{{cite journal |first=D. R. |last=Heath-Brown |title=The Average Analytic Rank of Elliptic Curves |journal=Duke Mathematical Journal |volume=122 |issue=3 |pages=591–623 |year=2004 |doi=10.1215/S0012-7094-04-12235-3 |arxiv=math/0305114 |s2cid=15216987 }}</ref>

==Elliptic curves over finite fields==
{{Further|Arithmetic of abelian varieties}}

[[File:Elliptic curve on Z61.svg|thumb|right|upright=1.2|Set of affine points of elliptic curve ''y''<sup>2</sup> = ''x''<sup>3</sup> − ''x'' over finite field '''F'''<sub>61</sub>.]]

Let ''K'' = '''F'''<sub>''q''</sub> be the [[finite field]] with ''q'' elements and ''E'' an elliptic curve defined over ''K''. While the precise [[Counting points on elliptic curves|number of rational points of an elliptic curve]] ''E'' over ''K'' is in general difficult to compute, [[Hasse's theorem on elliptic curves]] gives the following inequality:
:<math>|\# E(K) - (q + 1)| \le 2\sqrt{q}</math>

In other words, the number of points on the curve grows proportionally to the number of elements in the field. This fact can be understood and proven with the help of some general theory; see [[local zeta function]] and [[étale cohomology#An_application_to_curves|étale cohomology]] for example.

[[File:Elliptic curve on Z89.svg|thumb|upright=1.2|Set of affine points of elliptic curve ''y''<sup>2</sup> = ''x''<sup>3</sup> − ''x'' over finite field '''F'''<sub>89</sub>.]]

The set of points ''E''('''F'''<sub>''q''</sub>) is a finite abelian group. It is always cyclic or the product of two cyclic groups. For example,<ref>See {{Harvard citations|last=Koblitz|year=1994|nb=yes|loc=p. 158}}</ref> the curve defined by
:<math>y^2 = x^3 - x</math>

over '''F'''<sub>71</sub> has 72 points (71 [[Affine space#Affine coordinates|affine points]] including (0,0) and one [[point at infinity]]) over this field, whose group structure is given by '''Z'''/2'''Z''' × '''Z'''/36'''Z'''. The number of points on a specific curve can be computed with [[Schoof's algorithm]].

[[File:Elliptic curve on Z71.svg|thumb|right|upright=1.5|Set of affine points of elliptic curve ''y''<sup>2</sup> = ''x''<sup>3</sup> − ''x'' over finite field '''F'''<sub>71</sub>.]]

Studying the curve over the [[field extension]]s of '''F'''<sub>''q''</sub> is facilitated by the introduction of the local zeta function of ''E'' over '''F'''<sub>''q''</sub>, defined by a generating series (also see above)
:<math>Z(E(K), T) = \exp \left(\sum_{n=1}^{\infty} \# \left[E(K_n)\right] {T^n\over n} \right)</math>

where the field ''K<sub>n</sub>'' is the (unique up to isomorphism) extension of ''K'' = '''F'''<sub>''q''</sub> of degree ''n'' (that is,  <math>K_n=F_{q^n}</math>).

The zeta function is a rational function in ''T''. To see this, consider the integer <math>a</math> such that

:<math>\#E(K) = 1 - a + q</math>

There is a complex number <math>\alpha</math> such that

:<math> 1 - a + q = (1 - \alpha)(1 - \bar\alpha)</math>

where <math>\bar\alpha</math> is the [[complex conjugate]], and so we have

:<math>\alpha+\bar\alpha = a</math>
:<math>\alpha\bar\alpha = q</math>

We choose <math>\alpha</math> so that its [[absolute value]] is <math>\sqrt{q}</math>, that is <math>\alpha = q^{\frac12}e^{i\theta}, \bar\alpha = q^{\frac12}e^{-i\theta}</math>, and that <math>\cos \theta=\frac{a}{2\sqrt q}</math>. Note that <math>|a|\le2\sqrt{q}</math>.

<math>\alpha</math> can then be used in the local zeta function as its values when raised to the various powers of ''n'' can be said to reasonably approximate the behaviour of <math>a_n</math>, in that

:<math>\#E(K_n) = 1 - a_n + q^n</math>

Using the [[List_of_logarithmic_identities#Series_representation|Taylor series for the natural logarithm]],

:<math>
\begin{alignat}{2} 
Z(E(K),T) & = \exp \left(\sum_{n=1}^{\infty}  \left(1 - \alpha^n - \bar\alpha^n + q^n\right){T^n\over n} \right) \\ 
& = \exp \left(\sum_{n=1}^{\infty} {T^n\over n} - \sum_{n=1}^{\infty}\alpha^n{T^n\over n} - \sum_{n=1}^{\infty}\bar\alpha^n{T^n\over n} + \sum_{n=1}^{\infty}q^n{T^n\over n} \right) \\ 
& = \exp \left(-\ln(1-T) + \ln(1-\alpha T) + \ln(1-\bar\alpha T) - \ln(1-qT) \right) \\ 
& = \exp \left(\ln\frac{(1-\alpha T)(1-\bar\alpha T)}{(1-T)(1-qT)} \right) \\ 
& =\frac{(1-\alpha T)(1-\bar\alpha T)}{(1-T)(1-qT)} \\ 
\end{alignat}
</math>

Then <math>(1 - \alpha T)(1 - \bar\alpha T)  = 1 - aT + qT^2</math>, so finally

:<math>Z(E(K), T) = \frac{1 - aT + qT^2}{(1 - qT)(1 - T)}</math>

For example,<ref>{{Harvard citations|last=Koblitz|year=1994|nb=yes|loc=p. 160}}</ref> the zeta function of ''E'' : ''y''<sup>2</sup> + ''y'' = ''x''<sup>3</sup> over the field '''F'''<sub>2</sub> is given by
:<math>\frac{1 + 2T^2}{(1 - T)(1 - 2T)}</math>

which follows from:
:<math> \left| E(\mathbf{F}_{2^r}) \right| = \begin{cases} 2^r + 1 & r \text{ odd} \\ 2^r + 1 - 2(-2)^{\frac{r}{2}} & r \text{ even} \end{cases} </math>

as <math>q=2</math>, then <math>|E|=2^1+1=3=1-a+2</math>, so <math>a=0</math>.

The [[functional equation]] is

:<math>Z \left(E(K), \frac{1}{qT} \right) = \frac{1 - a\frac{1}{qT} + q\left(\frac{1}{qT}\right)^2}{(1 - q\frac{1}{qT})(1 - \frac{1}{qT})}= \frac{q^2T^2 - aqT + q}{(qT - q)(qT - 1)} = Z(E(K), T)</math>

As we are only interested in the behaviour of <math>a_n</math>, we can use a reduced zeta function

:<math>Z(a, T) = \exp \left(\sum_{n=1}^{\infty} -a_n {T^n\over n} \right)</math>

:<math>Z(a, T) = \exp \left(\sum_{n=1}^{\infty} -\alpha^n {T^n\over n} - \bar\alpha^n {T^n\over n} \right)</math>

and so

:<math>Z(a, T) = \exp \left(\ln(1-\alpha T) + \ln(1-\bar\alpha T)\right)</math>

which leads directly to the local L-functions

:<math>L(E(K), T) = 1 - aT + qT^2</math>

The [[Sato–Tate conjecture]] is a statement about how the error term <math>2\sqrt{q}</math> in Hasse's theorem varies with the different primes ''q'', if an elliptic curve E over '''Q''' is reduced modulo q. It was proven (for almost all such curves) in 2006 due to the results of Taylor, Harris and Shepherd-Barron,<ref>{{cite journal |first1=M. |last1=Harris |first2=N. |last2=Shepherd-Barron |first3=R. |last3=Taylor |title=A family of Calabi–Yau varieties and potential automorphy |journal=[[Annals of Mathematics]] |volume=171 |issue=2 |pages=779–813|year=2010 |doi=10.4007/annals.2010.171.779 |doi-access=free }}</ref> and says that the error terms are equidistributed.

Elliptic curves over finite fields are notably applied in [[cryptography]] and for the [[factorization]] of large integers. These algorithms often make use of the group structure on the points of ''E''. Algorithms that are applicable to general groups, for example the group of invertible elements in finite fields, '''F'''*<sub>''q''</sub>, can thus be applied to the group of points on an elliptic curve. For example, the [[discrete logarithm]] is such an algorithm. The interest in this is that choosing an elliptic curve allows for more flexibility than choosing ''q'' (and thus the group of units in '''F'''<sub>''q''</sub>). Also, the group structure of elliptic curves is generally more complicated.