Movatterモバイル変換

[0]ホーム

Jump to content

Elliptic curve

Edit links

From Wikipedia, the free encyclopedia

Algebraic curve in mathematics

Not to be confused withEllipse.

"Elliptic Equation" redirects here. For the type of partial differential equation, seeElliptic partial differential equation.

A catalog of elliptic curves. The region shown isx,y ∈ [−3,3].
(For(a,b) = (0, 0) the function is not smooth and therefore not an elliptic curve.)

Algebraic structure →Group theory
Group theory

Basic notions

Group homomorphisms
Subgroup Normal subgroup Group action
Quotient group (Semi-)direct product Direct sum Free product Wreath product
kernel image
simple finite infinite continuous multiplicative additive cyclic abelian dihedral nilpotent solvable
Glossary of group theory List of group theory topics

Finite groups

Dihedral group D_n
Quaternion group Q

Frobenius group

Schur multiplier

Classification of finite simple groups

cyclic
alternating
Lie type
sporadic

Integers ( $\mathbb {Z}$ )
Free group

Modular groups

PSL(2, $\mathbb {Z}$ )
SL(2, $\mathbb {Z}$ )

Topological andLie groups

General linear GL(n)

Special linear SL(n)

Orthogonal O(n)

Euclidean E(n)

Special orthogonal SO(n)

Unitary U(n)

Special unitary SU(n)

Symplectic Sp(n)

Infinite dimensional Lie group

O(∞)
SU(∞)
Sp(∞)

Algebraic groups

Linear algebraic group

Reductive group

Abelian variety

Elliptic curve

Inmathematics, anelliptic curve is asmooth,projective,algebraic curve ofgenus one, on which there is a specified pointO. An elliptic curve is defined over afieldK and describes points inK², theCartesian product ofK with itself. If the field'scharacteristic is different from 2 and 3, then the curve can be described as aplane algebraic curve which consists of solutions(x,y) for:

y^{2}=x^{3}+ax+b

for some coefficientsa andb inK. The curve is required to benon-singular, which means that the curve has nocusps orself-intersections. (This is equivalent to the condition4a³ + 27b² ≠ 0, that is, beingsquare-free inx.) It is always understood that the curve is really sitting in theprojective plane, with the pointO being the uniquepoint at infinity. Many sources define an elliptic curve to be simply a curve given by an equation of this form. (When thecoefficient field has characteristic 2 or 3, the above equation is not quite general enough to include all non-singularcubic curves; see§ Elliptic curves over a general field below.)

An elliptic curve is anabelian variety – that is, it has a group law defined algebraically, with respect to which it is anabelian group – andO serves as the identity element.

Ify² =P(x), whereP is any polynomial of degree three inx with no repeated roots, the solution set is a nonsingular plane curve ofgenus one, an elliptic curve. IfP has degree four and issquare-free this equation again describes a plane curve of genus one; however, it has no natural choice of identity element. More generally, any algebraic curve of genus one, for example the intersection of twoquadric surfaces embedded in three-dimensional projective space, is called an elliptic curve, provided that it is equipped with a marked point to act as the identity.

Using the theory ofelliptic functions, it can be shown that elliptic curves defined over thecomplex numbers correspond to embeddings of thetorus into thecomplex projective plane. The torus is also anabelian group, and this correspondence is also agroup isomorphism.

Elliptic curves are especially important innumber theory, and constitute a major area of current research; for example, they were used inAndrew Wiles's proof of Fermat's Last Theorem. They also find applications inelliptic curve cryptography (ECC) andinteger factorization.

An elliptic curve isnot anellipse in the sense of a projective conic, which has genus zero: seeelliptic integral for the origin of the term. However, there is a natural representation of real elliptic curves with shape invariantj ≥ 1 as ellipses in the hyperbolic plane $\mathbb {H} ^{2}$ . Specifically, the intersections of the Minkowski hyperboloid with quadric surfaces characterized by a certain constant-angle property produce the Steiner ellipses in $\mathbb {H} ^{2}$ (generated by orientation-preserving collineations). Further, the orthogonal trajectories of these ellipses comprise the elliptic curves withj ≤ 1, and any ellipse in $\mathbb {H} ^{2}$ described as a locus relative to two foci is uniquely the elliptic curve sum of two Steiner ellipses, obtained by adding the pairs of intersections on each orthogonal trajectory. Here, the vertex of the hyperboloid serves as the identity on each trajectory curve.^[1]

Topologically, a complex elliptic curve is atorus, while a complex ellipse is asphere.

Elliptic curves over the real numbers

[edit]

Graphs of curvesy² =x³ −x andy² =x³ −x + 1

Although the formal definition of an elliptic curve requires some background inalgebraic geometry, it is possible to describe some features of elliptic curves over thereal numbers using only introductoryalgebra andgeometry.

In this context, an elliptic curve is aplane curve defined by an equation of the form

y^{2}=x^{3}+ax+b

after a linear change of variables (a andb are real numbers). This type of equation is called a Weierstrass equation, and said to be in Weierstrass form, or Weierstrass normal form.

The definition of elliptic curve also requires that the curve benon-singular. Geometrically, this means that the graph has nocusps, self-intersections, orisolated points. Algebraically, this holds if and only if thediscriminant, $\Delta$ , is not equal to zero.

\Delta =-16\left(4a^{3}+27b^{2}\right)\neq 0

The discriminant is zero when $a=-3k^{2},b=2k^{3}$ .

(Although the factor −16 is irrelevant to whether or not the curve is non-singular, this definition of the discriminant is useful in a more advanced study of elliptic curves.)^[2]

The real graph of a non-singular curve hastwo components if its discriminant is positive, andone component if it is negative. For example, in the graphs shown in figure to the right, the discriminant in the first case is 64, and in the second case is −368. Following the convention atConic section#Discriminant,elliptic curves require that the discriminant is negative.

The group law

[edit]

When working in theprojective plane, the equation inhomogeneous coordinates becomes

{\frac {Y^{2}}{Z^{2}}}={\frac {X^{3}}{Z^{3}}}+a{\frac {X}{Z}}+b.

This equation is not defined on theline at infinity, but we can multiply by $Z^{3}$ to get one that is:

ZY^{2}=X^{3}+aZ^{2}X+bZ^{3}.

This resulting equation is defined on the whole projective plane, and the curve it defines projects onto the elliptic curve of interest. To find its intersection with the line at infinity, we can just posit $Z=0$ . This implies $X^{3}=0$ , which in afield means $X=0$ . $Y {\displaystyle Y}$ on the other hand can take any value, and thus all triplets $(0,Y,0)$ satisfy the equation. In projective geometry this set is simply the point $O=[0:1:0]$ , which is thus the unique intersection of the curve with the line at infinity.

Since the curve is smooth, hencecontinuous, it can be shown that this point at infinity is the identity element of agroup structure whose operation is geometrically described as follows:

Since the curve is symmetric about thex axis, given any pointP, we can take−P to be the point opposite it. We then have $-O=O$ , as $O {\displaystyle O}$ lies on theXZ plane, so that $-O$ is also the symmetrical of $O {\displaystyle O}$ about the origin, and thus represents the same projective point.

IfP andQ are two points on the curve, then we can uniquely describe a third pointP +Q in the following way. First, draw the line that intersectsP andQ. This will generally intersect the cubic at a third point,R. We then takeP +Q to be−R, the point oppositeR.

This definition for addition works except in a few special cases related to the point at infinity and intersection multiplicity. The first is when one of the points isO. Here, we defineP +O =P =O +P, makingO the identity of the group. IfP =Q, we only have one point, thus we cannot define the line between them. In this case, we use the tangent line to the curve at this point as our line. In most cases, the tangent will intersect a second pointR, and we can take its opposite. IfP andQ are opposites of each other, we defineP +Q =O. Lastly, ifP is aninflection point (a point where the concavity of the curve changes), we takeR to beP itself, andP +P is simply the point opposite itself, i.e. itself.

LetK be a field over which the curve is defined (that is, the coefficients of the defining equation or equations of the curve are inK) and denote the curve byE. Then theK-rational points ofE are the points onE whose coordinates all lie inK, including the point at infinity. The set ofK-rational points is denoted byE(K).E(K) is a group, because properties of polynomial equations show that ifP is inE(K), then−P is also inE(K), and if two ofP,Q,R are inE(K), then so is the third. Additionally, ifK is a subfield ofL, thenE(K) is asubgroup ofE(L).

Algebraic interpretation

[edit]

The above groups can be described algebraically as well as geometrically. Given the curvey² =x³ +bx +c over the fieldK (whosecharacteristic we assume to be neither 2 nor 3), and pointsP = (x_P,y_P) andQ = (x_Q,y_Q) on the curve, assume first thatx_P ≠x_Q (case1). Lety =sx +d be the equation of the line that intersectsP andQ, which has the following slope:

s={\frac {y_{P}-y_{Q}}{x_{P}-x_{Q}}}.

The line equation and the curve equation intersect at the pointsx_P,x_Q, andx_R, so the equations have identicaly values at these values.

(sx+d)^{2}=x^{3}+bx+c,

which is equivalent to

x^{3}-s^{2}x^{2}-2sdx+bx+c-d^{2}=0.

Sincex_P,x_Q, andx_R are solutions, this equation has its roots at exactly the samex values as

(x-x_{P})(x-x_{Q})(x-x_{R})=x^{3}+(-x_{P}-x_{Q}-x_{R})x^{2}+(x_{P}x_{Q}+x_{P}x_{R}+x_{Q}x_{R})x-x_{P}x_{Q}x_{R},

and because both equations are cubics, they must be the same polynomial up to a scalar. Thenequating the coefficients ofx² in both equations

-s^{2}=(-x_{P}-x_{Q}-x_{R})

and solving for the unknownx_R,

x_{R}=s^{2}-x_{P}-x_{Q}.

y_R follows from the line equation

y_{R}=y_{P}-s(x_{P}-x_{R}),

and this is an element ofK, becauses is.

Ifx_P =x_Q, then there are two options: ify_P = −y_Q (case3), including the case wherey_P =y_Q = 0 (case4), then the sum is defined as 0; thus, the inverse of each point on the curve is found by reflecting it across thex axis.

Ify_P =y_Q ≠ 0, thenQ =P andR = (x_R,y_R) = −(P +P) = −2P = −2Q (case2 usingP asR). The slope is given by the tangent to the curve at (x_P,y_P).

{\begin{aligned}s&={\frac {3{x_{P}}^{2}+b}{2y_{P}}},\\x_{R}&=s^{2}-2x_{P},\\y_{R}&=y_{P}-s(x_{P}-x_{R}).\end{aligned}}

A more general expression for $s {\displaystyle s}$ that works in both case 1 and case 2 is

s={\frac {{x_{P}}^{2}+x_{P}x_{Q}+{x_{Q}}^{2}+b}{y_{P}+y_{Q}}},

where equality to⁠y_P −y_Q/x_P −x_Q⁠ relies onP andQ obeyingy² =x³ +bx +c.

Non-Weierstrass curves

[edit]

For the curvey² =x³ +ax² +bx +c (the general form of an elliptic curve withcharacteristic 3), the formulas are similar, withs =⁠x_P² +x_Px_Q +x_Q² +ax_P +ax_Q +b/y_P +y_Q⁠ andx_R =s² −a −x_P −x_Q.

For a general cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identityO. In the projective plane, each line will intersect a cubic at three points when accounting for multiplicity. For a pointP,−P is defined as the unique third point on the line passing throughO andP. Then, for anyP andQ,P +Q is defined as−R whereR is the unique third point on the line containingP andQ.

For an example of the group law over a non-Weierstrass curve, seeHessian curves.

Elliptic curves over the rational numbers

[edit]

A curveE defined over the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied toE. The explicit formulae show that the sum of two pointsP andQ with rational coordinates has again rational coordinates, since the line joiningP andQ has rational coefficients. This way, one shows that the set of rational points ofE forms a subgroup of the group of real points ofE.

Integral points

[edit]

This section is concerned with pointsP = (x,y) ofE such thatx is an integer.

For example, the equationy² =x³ + 17 has eight integral solutions withy > 0:^[3]^[4]

(x,y) = (−2, 3), (−1, 4), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), (5234,378661).

As another example,Ljunggren's equation, a curve whose Weierstrass form isy² =x³ − 2x, has only four solutions withy ≥ 0 :^[5]

(x,y) = (0, 0), (−1, 1), (2, 2), (338,6214).

The structure of rational points

[edit]

Rational points can be constructed by the method of tangents and secants detailedabove, starting with afinite number of rational points. More precisely^[6] theMordell–Weil theorem states that the groupE(Q) is afinitely generated (abelian) group. By thefundamental theorem of finitely generated abelian groups it is therefore a finite direct sum of copies ofZ and finite cyclic groups.

The proof of the theorem^[7] involves two parts. The first part shows that for any integerm > 1, thequotient groupE(Q)/mE(Q) is finite (this is the weak Mordell–Weil theorem). Second, introducing aheight functionh on the rational pointsE(Q) defined byh(P₀) = 0 andh(P) = log max(|p|, |q|) ifP (unequal to the point at infinityP₀) has asabscissa the rational numberx =p/q (withcoprimep andq). This height functionh has the property thath(mP) grows roughly like the square ofm. Moreover, only finitely many rational points with height smaller than any constant exist onE.

The proof of the theorem is thus a variant of the method ofinfinite descent^[8] and relies on the repeated application ofEuclidean divisions onE: letP ∈E(Q) be a rational point on the curve, writingP as the sum 2P₁ +Q₁ whereQ₁ is a fixed representant ofP inE(Q)/2E(Q), the height ofP₁ is about⁠1/4⁠ of the one ofP (more generally, replacing 2 by anym > 1, and⁠1/4⁠ by⁠1/m²⁠). Redoing the same withP₁, that is to sayP₁ = 2P₂ +Q₂, thenP₂ = 2P₃ +Q₃, etc. finally expressesP as an integral linear combination of pointsQ_i and of points whose height is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height functionP is thus expressed as an integral linear combination of a finite number of fixed points.

The theorem however doesn't provide a method to determine any representatives ofE(Q)/mE(Q).

Therank ofE(Q), that is the number of copies ofZ inE(Q) or, equivalently, the number of independent points of infinite order, is called therank ofE. TheBirch and Swinnerton-Dyer conjecture is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known. The elliptic curve with the currently largest exactly-known rank is

y² +xy +y =x³ −x² −244537673336319601463803487168961769270757573821859853707x +961710182053183034546222979258806817743270682028964434238957830989898438151121499931

It has rank 20, found byNoam Elkies and Zev Klagsbrun in 2020. Curves of rank higher than 20 have been known since 1994, with lower bounds on their ranks ranging from 21 to 29, but their exact ranks are not known and in particular it is not proven which of them have higher rank than the others or which is the true "current champion".^[9]

As for the groups constituting thetorsion subgroup ofE(Q), the following is known:^[10] the torsion subgroup ofE(Q) is one of the 15 following groups (a theorem due toBarry Mazur):Z/NZ forN = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, or 12, orZ/2Z ×Z/2NZ withN = 1, 2, 3, 4. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups overQ have the same torsion groups belong to a parametrized family.^[11]

The Birch and Swinnerton-Dyer conjecture

[edit]

Main article:Birch and Swinnerton-Dyer conjecture

TheBirch and Swinnerton-Dyer conjecture (BSD) is one of theMillennium problems of theClay Mathematics Institute. The conjecture relies on analytic and arithmetic objects defined by the elliptic curve in question.

At the analytic side, an important ingredient is a function of a complex variable,L, theHasse–Weil zeta function ofE overQ. This function is a variant of theRiemann zeta function andDirichlet L-functions. It is defined as anEuler product, with one factor for everyprime numberp.

For a curveE overQ given by a minimal equation

y^{2}+a_{1}xy+a_{3}y=x^{3}+a_{2}x^{2}+a_{4}x+a_{6}

with integral coefficients $a_{i}$ , reducing the coefficientsmodulop defines an elliptic curve over thefinite fieldF_p (except for a finite number of primesp, where the reduced curve has asingularity and thus fails to be elliptic, in which caseE is said to be ofbad reduction atp).

The zeta function of an elliptic curve over a finite fieldF_p is, in some sense, agenerating function assembling the information of the number of points ofE with values in the finitefield extensionsF_pⁿ ofF_p. It is given by^[12]

Z(E(\mathbf {F} _{p}),T)=\exp \left(\sum _{n=1}^{\infty }\#\left[E({\mathbf {F} }_{p^{n}})\right]{\frac {T^{n}}{n}}\right)

The interior sum of the exponential resembles the development of thelogarithm and, in fact, the so-defined zeta function is arational function inT:

Z(E(\mathbf {F} _{p}),T)={\frac {1-a_{p}T+pT^{2}}{(1-T)(1-pT)}},

where the 'trace of Frobenius' term^[13] $a_{p}$ is defined to be the difference between the 'expected' number $p+1$ and the number of points on the elliptic curve $E {\displaystyle E}$ over $\mathbb {F} _{p}$ , viz.

a_{p}=p+1-\#E(\mathbb {F} _{p})

or equivalently,

\#E(\mathbb {F} _{p})=p+1-a_{p}

We may define the same quantities and functions over an arbitrary finite field of characteristic $p {\displaystyle p}$ , with $q=p^{n}$ replacing $p {\displaystyle p}$ everywhere.

TheL-function ofE overQ is then defined by collecting this information together, for all primesp. It is defined by

L(E(\mathbf {Q} ),s)=\prod _{p\not \mid N}\left(1-a_{p}p^{-s}+p^{1-2s}\right)^{-1}\cdot \prod _{p\mid N}\left(1-a_{p}p^{-s}\right)^{-1}

whereN is theconductor ofE, i.e. the product of primes with bad reduction $(\Delta (E\mod p)=0$ ),^[14] in which casea_p is defined differently from the method above: see Silverman (1986) below.

For example $E:y^{2}=x^{3}+14x+19$ has bad reduction at 17, because $E\mod 17:y^{2}=x^{3}-3x+2$ has $\Delta =0$ .

This productconverges for Re(s) > 3/2 only. Hasse's conjecture affirms that theL-function admits ananalytic continuation to the whole complex plane and satisfies afunctional equation relating, for anys,L(E,s) toL(E, 2 −s). In 1999 this was shown to be a consequence of the proof of the Shimura–Taniyama–Weil conjecture, which asserts that every elliptic curve overQ is amodular curve, which implies that itsL-function is theL-function of amodular form whose analytic continuation is known. One can therefore speak about the values ofL(E,s) at any complex numbers.

Ats = 1 (the conductor product can be discarded as it is finite), theL-function becomes

L(E(\mathbf {Q} ),1)=\prod _{p\not \mid N}\left(1-a_{p}p^{-1}+p^{-1}\right)^{-1}=\prod _{p\not \mid N}{\frac {p}{p-a_{p}+1}}=\prod _{p\not \mid N}{\frac {p}{\#E(\mathbb {F} _{p})}}

TheBirch and Swinnerton-Dyer conjecture relates the arithmetic of the curve to the behaviour of thisL-function ats = 1. It affirms that the vanishing order of theL-function ats = 1 equals the rank ofE and predicts the leading term of the Laurent series ofL(E,s) at that point in terms of several quantities attached to the elliptic curve.

Much like theRiemann hypothesis, the truth of the BSD conjecture would have multiple consequences, including the following two:

Acongruent number is defined as an oddsquare-free integern which is the area of a right triangle with rational side lengths. It is known thatn is a congruent number if and only if the elliptic curve $y^{2}=x^{3}-n^{2}x$ has a rational point of infinite order; assuming BSD, this is equivalent to itsL-function having a zero ats = 1.Tunnell has shown a related result: assuming BSD,n is a congruent number if and only if the number of triplets of integers (x,y,z) satisfying $2x^{2}+y^{2}+8z^{2}=n$ is twice the number of triples satisfying $2x^{2}+y^{2}+32z^{2}=n$ . The interest in this statement is that the condition is easy to check.^[15]
In a different direction, certain analytic methods allow for an estimation of the order of zero in the center of thecritical strip for certainL-functions. Admitting BSD, these estimations correspond to information about the rank of families of the corresponding elliptic curves. For example: assuming thegeneralized Riemann hypothesis and BSD, the average rank of curves given by $y^{2}=x^{3}+ax+b$ is smaller than 2.^[16]

Elliptic curves over finite fields

[edit]

Further information:Arithmetic of abelian varieties

Set of affine points of elliptic curvey² =x³ −x over finite fieldF₆₁.

LetK =F_q be thefinite field withq elements andE an elliptic curve defined overK. While the precisenumber of rational points of an elliptic curveE overK is in general difficult to compute,Hasse's theorem on elliptic curves gives the following inequality:

|\#E(K)-(q+1)|\leq 2{\sqrt {q}}

In other words, the number of points on the curve grows proportionally to the number of elements in the field. This fact can be understood and proven with the help of some general theory; seelocal zeta function andétale cohomology for example.

Set of affine points of elliptic curvey² =x³ −x over finite fieldF₈₉.

The set of pointsE(F_q) is a finite abelian group. It is always cyclic or the product of two cyclic groups. For example,^[17] the curve defined by

y^{2}=x^{3}-x

overF₇₁ has 72 points (71affine points including (0,0) and onepoint at infinity) over this field, whose group structure is given byZ/2Z ×Z/36Z. The number of points on a specific curve can be computed withSchoof's algorithm.

Set of affine points of elliptic curvey² =x³ −x over finite fieldF₇₁.

Studying the curve over thefield extensions ofF_q is facilitated by the introduction of the local zeta function ofE overF_q, defined by a generating series (also see above)

Z(E(K),T)=\exp \left(\sum _{n=1}^{\infty }\#\left[E(K_{n})\right]{T^{n} \over n}\right)

where the fieldK_n is the (unique up to isomorphism) extension ofK =F_q of degreen (that is, $K_{n}=F_{q^{n}}$ ).

The zeta function is a rational function inT. To see this, consider the integer $a {\displaystyle a}$ such that

\#E(K)=1-a+q

There is a complex number $\alpha$ such that

1-a+q=(1-\alpha )(1-{\bar {\alpha }})

where ${\bar {\alpha }}$ is thecomplex conjugate, and so we have

\alpha +{\bar {\alpha }}=a

\alpha {\bar {\alpha }}=q

We choose $\alpha$ so that itsabsolute value is ${\sqrt {q}}$ , that is $\alpha =q^{\frac {1}{2}}e^{i\theta },{\bar {\alpha }}=q^{\frac {1}{2}}e^{-i\theta }$ , and that $\cos \theta ={\frac {a}{2{\sqrt {q}}}}$ . Note that $|a|\leq 2{\sqrt {q}}$ .

$\alpha$ can then be used in the local zeta function as its values when raised to the various powers ofn can be said to reasonably approximate the behaviour of $a_{n}$ , in that

\#E(K_{n})=1-a_{n}+q^{n}

Using theTaylor series for the natural logarithm,

{\begin{alignedat}{2}Z(E(K),T)&=\exp \left(\sum _{n=1}^{\infty }\left(1-\alpha ^{n}-{\bar {\alpha }}^{n}+q^{n}\right){T^{n} \over n}\right)\\&=\exp \left(\sum _{n=1}^{\infty }{T^{n} \over n}-\sum _{n=1}^{\infty }\alpha ^{n}{T^{n} \over n}-\sum _{n=1}^{\infty }{\bar {\alpha }}^{n}{T^{n} \over n}+\sum _{n=1}^{\infty }q^{n}{T^{n} \over n}\right)\\&=\exp \left(-\ln(1-T)+\ln(1-\alpha T)+\ln(1-{\bar {\alpha }}T)-\ln(1-qT)\right)\\&=\exp \left(\ln {\frac {(1-\alpha T)(1-{\bar {\alpha }}T)}{(1-T)(1-qT)}}\right)\\&={\frac {(1-\alpha T)(1-{\bar {\alpha }}T)}{(1-T)(1-qT)}}\\\end{alignedat}}

Then $(1-\alpha T)(1-{\bar {\alpha }}T)=1-aT+qT^{2}$ , so finally

Z(E(K),T)={\frac {1-aT+qT^{2}}{(1-qT)(1-T)}}

For example,^[18] the zeta function ofE :y² +y =x³ over the fieldF₂ is given by

{\frac {1+2T^{2}}{(1-T)(1-2T)}}

which follows from:

\left|E(\mathbf {F} _{2^{r}})\right|={\begin{cases}2^{r}+1&r{\text{ odd}}\\2^{r}+1-2(-2)^{\frac {r}{2}}&r{\text{ even}}\end{cases}}

as $q=2$ , then $|E|=2^{1}+1=3=1-a+2$ , so $a=0$ .

Thefunctional equation is

Z\left(E(K),{\frac {1}{qT}}\right)={\frac {1-a{\frac {1}{qT}}+q\left({\frac {1}{qT}}\right)^{2}}{(1-q{\frac {1}{qT}})(1-{\frac {1}{qT}})}}={\frac {q^{2}T^{2}-aqT+q}{(qT-q)(qT-1)}}=Z(E(K),T)

As we are only interested in the behaviour of $a_{n}$ , we can use a reduced zeta function

Z(a,T)=\exp \left(\sum _{n=1}^{\infty }-a_{n}{T^{n} \over n}\right)

Z(a,T)=\exp \left(\sum _{n=1}^{\infty }-\alpha ^{n}{T^{n} \over n}-{\bar {\alpha }}^{n}{T^{n} \over n}\right)

and so

Z(a,T)=\exp \left(\ln(1-\alpha T)+\ln(1-{\bar {\alpha }}T)\right)

which leads directly to the local L-functions

L(E(K),T)=1-aT+qT^{2}

TheSato–Tate conjecture is a statement about how the error term $2{\sqrt {q}}$ in Hasse's theorem varies with the different primesq, if an elliptic curve E overQ is reduced modulo q. It was proven (for almost all such curves) in 2006 due to the results of Taylor, Harris and Shepherd-Barron,^[19] and says that the error terms are equidistributed.

Elliptic curves over finite fields are notably applied incryptography and for thefactorization of large integers. These algorithms often make use of the group structure on the points ofE. Algorithms that are applicable to general groups, for example the group of invertible elements in finite fields,F*_q, can thus be applied to the group of points on an elliptic curve. For example, thediscrete logarithm is such an algorithm. The interest in this is that choosing an elliptic curve allows for more flexibility than choosingq (and thus the group of units inF_q). Also, the group structure of elliptic curves is generally more complicated.

Elliptic curves over a general field

[edit]

Elliptic curves can be defined over anyfieldK; the formal definition of an elliptic curve is a non-singular projective algebraic curve overK withgenus 1 and endowed with a distinguished point defined overK.

If thecharacteristic ofK is neither 2 nor 3, then every elliptic curve overK can be written in the form

y^{2}=x^{3}-px-q

after a linear change of variables. Herep andq are elements ofK such that the right hand side polynomialx³ −px −q does not have any double roots. If the characteristic is 2 or 3, then more terms need to be kept: in characteristic 3, the most general equation is of the form

y^{2}=4x^{3}+b_{2}x^{2}+2b_{4}x+b_{6}

for arbitrary constantsb₂,b₄,b₆ such that the polynomial on the right-hand side has distinct roots (the notation is chosen for historical reasons). In characteristic 2, even this much is not possible, and the most general equation is

y^{2}+a_{1}xy+a_{3}y=x^{3}+a_{2}x^{2}+a_{4}x+a_{6}

provided that the variety it defines is non-singular. If characteristic were not an obstruction, each equation would reduce to the previous ones by a suitable linear change of variables.

One typically takes the curve to be the set of all points (x,y) which satisfy the above equation and such that bothx andy are elements of thealgebraic closure ofK. Points of the curve whose coordinates both belong toK are calledK-rational points.

Many of the preceding results remain valid when the field of definition ofE is anumber fieldK, that is to say, a finitefield extension ofQ. In particular, the groupE(K) ofK-rational points of an elliptic curveE defined overK is finitely generated, which generalizes the Mordell–Weil theorem above. A theorem due toLoïc Merel shows that for a given integerd, there are (up to isomorphism) only finitely many groups that can occur as the torsion groups ofE(K) for an elliptic curve defined over a number fieldK ofdegreed. More precisely,^[20] there is a numberB(d) such that for any elliptic curveE defined over a number fieldK of degreed, any torsion point ofE(K) is oforder less thanB(d). The theorem is effective: ford > 1, if a torsion point is of orderp, withp prime, then

p<d^{3d^{2}}

As for the integral points, Siegel's theorem generalizes to the following: LetE be an elliptic curve defined over a number fieldK,x andy the Weierstrass coordinates. Then there are only finitely many points ofE(K) whosex-coordinate is in thering of integersO_K.

The properties of the Hasse–Weil zeta function and the Birch and Swinnerton-Dyer conjecture can also be extended to this more general situation.

Elliptic curves over the complex numbers

[edit]

Further information:Complex multiplication

An elliptic curve over the complex numbers is obtained as a quotient of the complex plane by a latticeΛ, here spanned by two fundamental periodsω₁ andω₂. The four-torsion is also shown, corresponding to the lattice⁠1/4⁠Λ containingΛ.

The formulation of elliptic curves as the embedding of atorus in thecomplex projective plane follows naturally from a curious property ofWeierstrass's elliptic functions. These functions and their first derivative are related by the formula

\wp '(z)^{2}=4\wp (z)^{3}-g_{2}\wp (z)-g_{3}

Here,g₂ andg₃ are constants;℘(z) is theWeierstrass elliptic function and℘′(z) its derivative. It should be clear that this relation is in the form of an elliptic curve (over thecomplex numbers). The Weierstrass functions are doubly periodic; that is, they areperiodic with respect to alatticeΛ; in essence, the Weierstrass functions are naturally defined on a torusT =C/Λ. This torus may be embedded in the complex projective plane by means of the map

z\mapsto \left[1:\wp (z):{\tfrac {1}{2}}\wp '(z)\right]

This map is agroup isomorphism of the torus (considered with its natural group structure) with the chord-and-tangent group law on the cubic curve which is the image of this map. It is also an isomorphism ofRiemann surfaces from the torus to the cubic curve, so topologically, an elliptic curve is a torus. If the latticeΛ is related by multiplication by a non-zero complex numberc to a latticecΛ, then the corresponding curves are isomorphic. Isomorphism classes of elliptic curves are specified by thej-invariant.

The isomorphism classes can be understood in a simpler way as well. The constantsg₂ andg₃, called themodular invariants, are uniquely determined by the lattice, that is, by the structure of the torus. However, all real polynomials factorize completely into linear factors over the complex numbers, since the field of complex numbers is thealgebraic closure of the reals. So, the elliptic curve may be written as

y^{2}=x(x-1)(x-\lambda )

One finds that

{\begin{aligned}g_{2}'&={\frac {\sqrt[{3}]{4}}{3}}\left(\lambda ^{2}-\lambda +1\right)\\[4pt]g_{3}'&={\frac {1}{27}}(\lambda +1)\left(2\lambda ^{2}-5\lambda +2\right)\end{aligned}}

and

j(\tau )=1728{\frac {{g_{2}'}^{3}}{{g_{2}'}^{3}-27{g_{3}'}^{2}}}=256{\frac {\left(\lambda ^{2}-\lambda +1\right)^{3}}{\lambda ^{2}\left(\lambda -1\right)^{2}}}

withj-invariantj(τ) andλ(τ) is sometimes called themodular lambda function. For example, letτ = 2i, thenλ(2i) = (−1 +√2)⁴ which impliesg′₂,g′₃, and thereforeg′₂³
− 27g′₃²
of the formula above are allalgebraic numbers ifτ involves animaginary quadratic field. In fact, it yields the integerj(2i) = 66³ =287496.

In contrast, themodular discriminant

\Delta (\tau )=g_{2}(\tau )^{3}-27g_{3}(\tau )^{2}=(2\pi )^{12}\,\eta ^{24}(\tau )

is generally atranscendental number. In particular, the value of theDedekind eta functionη(2i) is

\eta (2i)={\frac {\Gamma \left({\frac {1}{4}}\right)}{2^{\frac {11}{8}}\pi ^{\frac {3}{4}}}}

Note that theuniformization theorem implies that everycompact Riemann surface of genus one can be represented as a torus. This also allows an easy understanding of thetorsion points on an elliptic curve: if the latticeΛ is spanned by the fundamental periodsω₁ andω₂, then then-torsion points are the (equivalence classes of) points of the form

{\frac {a}{n}}\omega _{1}+{\frac {b}{n}}\omega _{2}

for integersa andb in the range0 ≤ (a,b) <n.

E:y^{2}=4(x-e_{1})(x-e_{2})(x-e_{3})

is an elliptic curve over the complex numbers and

a_{0}={\sqrt {e_{1}-e_{3}}},\qquad b_{0}={\sqrt {e_{1}-e_{2}}},\qquad c_{0}={\sqrt {e_{2}-e_{3}}},

then a pair of fundamental periods ofE can be calculated very rapidly by

\omega _{1}={\frac {\pi }{\operatorname {M} (a_{0},b_{0})}},\qquad \omega _{2}={\frac {\pi }{\operatorname {M} (c_{0},ib_{0})}}

M(w,z) is thearithmetic–geometric mean ofw andz. At each step of the arithmetic–geometric mean iteration, the signs ofz_n arising from the ambiguity of geometric mean iterations are chosen such that|w_n −z_n| ≤ |w_n +z_n| wherew_n andz_n denote the individual arithmetic mean and geometric mean iterations ofw andz, respectively. When|w_n −z_n| = |w_n +z_n|, there is an additional condition thatIm(⁠z_n/w_n⁠) > 0.^[21]

Over the complex numbers, every elliptic curve has nineinflection points. Every line through two of these points also passes through a third inflection point; the nine points and 12 lines formed in this way form a realization of theHesse configuration.

The dual isogeny

[edit]

Given anisogeny

f:E\to E'

of elliptic curves of degree $n {\displaystyle n}$ , thedual isogeny is an isogeny

{\hat {f}}:E'\to E

of the same degree such that

f\circ {\hat {f}}=[n].

Here $[n]$ denotes the multiplication-by- $n {\displaystyle n}$ isogeny $e\mapsto ne$ which has degree $n^{2}.$

Construction of the dual isogeny

[edit]

Often only the existence of a dual isogeny is needed, but it can be explicitly given as the composition

E'\to \operatorname {Div} ^{0}(E')\to \operatorname {Div} ^{0}(E)\to E,

where $\operatorname {Div} ^{0}$ is the group ofdivisors of degree 0. To do this, we need maps $E\to \operatorname {Div} ^{0}(E)$ given by $P\to P-O$ where $O {\displaystyle O}$ is the neutral point of $E {\displaystyle E}$ and $\operatorname {Div} ^{0}(E)\to E$ given by $\sum n_{P}P\to \sum n_{P}P.$

To see that $f\circ {\hat {f}}=[n]$ , note that the original isogeny $f {\displaystyle f}$ can be written as a composite

E\to \operatorname {Div} ^{0}(E)\to \operatorname {Div} ^{0}(E')\to E',

and that since $f {\displaystyle f}$ isfinite of degree $n {\displaystyle n}$ , $f_{*}f^{*}$ is multiplication by $n {\displaystyle n}$ on $\operatorname {Div} ^{0}(E').$

Alternatively, we can use the smallerPicard group $\operatorname {Pic} ^{0}$ , aquotient of $\operatorname {Div} ^{0}.$ The map $E\to \operatorname {Div} ^{0}(E)$ descends to anisomorphism, $E\to \operatorname {Pic} ^{0}(E).$ The dual isogeny is

E'\to \operatorname {Pic} ^{0}(E')\to \operatorname {Pic} ^{0}(E)\to E.

Note that the relation $f\circ {\hat {f}}=[n]$ also implies the conjugate relation ${\hat {f}}\circ f=[n].$ Indeed, let $\phi ={\hat {f}}\circ f.$ Then $\phi \circ {\hat {f}}={\hat {f}}\circ [n]=[n]\circ {\hat {f}}.$ But ${\hat {f}}$ issurjective, so we must have $\phi =[n].$

Algorithms that use elliptic curves

[edit]

Elliptic curves over finite fields are used in somecryptographic applications as well as forinteger factorization. Typically, the general idea in these applications is that a knownalgorithm which makes use of certain finite groups is rewritten to use the groups of rational points of elliptic curves. For more see also:

Elliptic curve cryptography
- Elliptic-curve Diffie–Hellman key exchange (ECDH)
- Supersingular isogeny key exchange
- Elliptic curve digital signature algorithm (ECDSA)
- EdDSA digital signature algorithm
- Dual EC DRBG random number generator
Lenstra elliptic-curve factorization
Elliptic curve primality proving

Alternative representations of elliptic curves

[edit]

Notes

[edit]

^Sarli, J. (2012). "Conics in the hyperbolic plane intrinsic to the collineation group".J. Geom.103:131–148.doi:10.1007/s00022-012-0115-5.S2CID 119588289.
^Silverman 1986, III.1 Weierstrass Equations (p.45)
^T. Nagell,L'analyse indéterminée de degré supérieur, Mémorial des sciences mathématiques 39, Paris, Gauthier-Villars, 1929, pp. 56–59.
^OEIS:https://oeis.org/A029728
^Siksek, Samir (1995),Descents on Curves of Genus 1 (Ph.D. thesis), University of Exeter, pp. 16–17,hdl:10871/8323.
^Silverman 1986, Theorem 4.1
^Silverman 1986, pp. 199–205
^See alsoCassels, J. W. S. (1986). "Mordell's Finite Basis Theorem Revisited".Mathematical Proceedings of the Cambridge Philosophical Society.100 (1):31–41.Bibcode:1986MPCPS.100...31C.doi:10.1017/S0305004100065841. and the comment of A. Weil on the genesis of his work: A. Weil,Collected Papers, vol. 1, 520–521.
^Dujella, Andrej."History of elliptic curves rank records". University of Zagreb.
^Silverman 1986, Theorem 7.5
^Silverman 1986, Remark 7.8 in Ch. VIII
^The definition is formal, the exponential of thispower series without constant term denotes the usual development.
^see for exampleSilverman, Joseph H. (2006)."An Introduction to the Theory of Elliptic Curves"(PDF).Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming.
^"LMFDB - Bad reduction of an elliptic curve at a prime (Reviewed)".
^Koblitz 1993
^Heath-Brown, D. R. (2004). "The Average Analytic Rank of Elliptic Curves".Duke Mathematical Journal.122 (3):591–623.arXiv:math/0305114.doi:10.1215/S0012-7094-04-12235-3.S2CID 15216987.
^See Koblitz 1994, p. 158
^Koblitz 1994, p. 160
^Harris, M.; Shepherd-Barron, N.; Taylor, R. (2010)."A family of Calabi–Yau varieties and potential automorphy".Annals of Mathematics.171 (2):779–813.doi:10.4007/annals.2010.171.779.
^Merel, L. (1996). "Bornes pour la torsion des courbes elliptiques sur les corps de nombres".Inventiones Mathematicae (in French).124 (1–3):437–449.Bibcode:1996InMat.124..437M.doi:10.1007/s002220050059.S2CID 3590991.Zbl 0936.11037.
^Wing Tat Chow, Rudolf (2018)."The Arithmetic-Geometric Mean and Periods of Curves of Genus 1 and 2"(PDF).White Rose eTheses Online. p. 12.

References

[edit]

Serge Lang, in the introduction to the book cited below, stated that "It is possible to write endlessly on elliptic curves. (This is not a threat.)" The following short list is thus at best a guide to the vast expository literature available on the theoretical, algorithmic, and cryptographic aspects of elliptic curves.

Ian Blake; Gadiel Seroussi;Nigel Smart (2000).Elliptic Curves in Cryptography. LMS Lecture Notes. Cambridge University Press.ISBN 0-521-65374-6.
Brown, Ezra (2000). "Three Fermat Trails to Elliptic Curves".The College Mathematics Journal.31 (3):162–172.doi:10.1080/07468342.2000.11974137.S2CID 5591395., winner of the MAA writing prize theGeorge Pólya Award
Richard Crandall;Carl Pomerance (2001). "Chapter 7: Elliptic Curve Arithmetic".Prime Numbers: A Computational Perspective (1st ed.). Springer-Verlag. pp. 285–352.ISBN 0-387-94777-9.
Cremona, John (1997).Algorithms for Modular Elliptic Curves (2nd ed.). Cambridge University Press.ISBN 0-521-59820-6.
Darrel Hankerson,Alfred Menezes andScott Vanstone (2004).Guide to Elliptic Curve Cryptography.Springer.ISBN 0-387-95273-X.
Hardy, G. H.;Wright, E. M. (2008) [1938].An Introduction to the Theory of Numbers. Revised byD. R. Heath-Brown andJ. H. Silverman. Foreword byAndrew Wiles. (6th ed.). Oxford:Oxford University Press.ISBN 978-0-19-921986-5.MR 2445243.Zbl 1159.11001. Chapter XXV
Hellegouarch, Yves (2001).Invitation aux mathématiques de Fermat-Wiles. Paris: Dunod.ISBN 978-2-10-005508-1.
Husemöller, Dale (2004).Elliptic Curves.Graduate Texts in Mathematics. Vol. 111 (2nd ed.). Springer.ISBN 0-387-95490-2.
Kenneth Ireland;Michael I. Rosen (1998). "Chapters 18 and 19".A Classical Introduction to Modern Number Theory. Graduate Texts in Mathematics. Vol. 84 (2nd revised ed.). Springer.ISBN 0-387-97329-X.
Knapp, Anthony W. (2018) [1992].Elliptic Curves. Mathematical Notes. Vol. 40. Princeton University Press.ISBN 9780691186900.
Koblitz, Neal (1993).Introduction to Elliptic Curves and Modular Forms. Graduate Texts in Mathematics. Vol. 97 (2nd ed.). Springer-Verlag.ISBN 0-387-97966-2.
Koblitz, Neal (1994). "Chapter 6".A Course in Number Theory and Cryptography. Graduate Texts in Mathematics. Vol. 114 (2nd ed.). Springer-Verlag.ISBN 0-387-94293-9.
Serge Lang (1978).Elliptic curves: Diophantine analysis. Grundlehren der mathematischen Wissenschaften. Vol. 231. Springer-Verlag.ISBN 3-540-08489-4.
Henry McKean;Victor Moll (1999).Elliptic curves: function theory, geometry and arithmetic. Cambridge University Press.ISBN 0-521-65817-9.
Ivan Niven; Herbert S. Zuckerman;Hugh Montgomery (1991)."Section 5.7".An introduction to the theory of numbers (5th ed.). John Wiley.ISBN 0-471-54600-3.
Silverman, Joseph H. (1986).The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Vol. 106. Springer-Verlag.ISBN 0-387-96203-4.
Joseph H. Silverman (1994).Advanced Topics in the Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Vol. 151. Springer-Verlag.ISBN 0-387-94328-5.
Joseph H. Silverman;John Tate (1992).Rational Points on Elliptic Curves. Springer-Verlag.ISBN 0-387-97825-9.
John Tate (1974). "The arithmetic of elliptic curves".Inventiones Mathematicae.23 (3–4):179–206.Bibcode:1974InMat..23..179T.doi:10.1007/BF01389745.S2CID 120008651.
Lawrence Washington (2003).Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC.ISBN 1-58488-365-0.

External links

[edit]

Wikimedia Commons has media related toElliptic curve.

Wikiquote has quotations related toElliptic curve.

LMFDB: Database of Elliptic Curves over Q
"Elliptic curve",Encyclopedia of Mathematics,EMS Press, 2001 [1994]
Weisstein, Eric W."Elliptic Curves".MathWorld.
The Arithmetic of elliptic curves from PlanetMath
Interactive elliptic curve over R andover Zp – web application that requires HTML5 capable browser.

Topics inalgebraic curves

Rational curves

Elliptic curves

Analytic theory	Elliptic function Elliptic integral Fundamental pair of periods Modular form
Arithmetic theory	Counting points on elliptic curves Division polynomials Hasse's theorem on elliptic curves Mazur's torsion theorem Modular elliptic curve Modularity theorem Mordell–Weil theorem Nagell–Lutz theorem Supersingular elliptic curve Schoof's algorithm Schoof–Elkies–Atkin algorithm
Applications	Elliptic curve cryptography Elliptic curve primality

Higher genus

Plane curves

Riemann surfaces

Constructions

Structure of curves

Divisors on curves	Abel–Jacobi map Brill–Noether theory Clifford's theorem on special divisors Gonality of an algebraic curve Jacobian variety Riemann–Roch theorem Weierstrass point Weil reciprocity law
Moduli	ELSV formula Gromov–Witten invariant Hodge bundle Moduli of algebraic curves Stable curve
Morphisms	Hasse–Witt matrix Riemann–Hurwitz formula Prym variety Weber's theorem (Algebraic curves)
Singularities	A_k singularity Acnode Crunode Cusp Delta invariant Tacnode
Vector bundles	Birkhoff–Grothendieck theorem Stable vector bundle Vector bundles on algebraic curves