London Mathematical Society Student Texts 24

Lectures on Elliptic Curves

J.W.S. Cassels
Department of Pure Mathematics and Mathematical Statistics, University of Cambridge
The right of the University of Cambridge to print and sell all manner of books was granted by Henry VIII in 1534. The University has printed and published continuously since 1584.
CAMBRIDGE UNIVERSITY PRESS Cambridge New York Port Chester Melbourne
Sydney
Published by the Press Syndicate of the University of Cambridge The Pitt Building, Trumpington Street, Cambridge CB2 1RP 40 West 20th Street, New York, NY 10011-4211, USA 10 Stamford Road, Oakleigh, Melbourne 3166, Australia © Cambridge University Press 1991 First published 1991 Printed in Great Britain at the University Press, Cambridge
Library of Congress cataloging in publication data available A catalogue record for this book is available from the British Library
ISBN 0 521 41517 9 hardback
ISBN 0 521 42530 1 paperback
Contents

0  Introduction  1
1  Curves of genus 0. Introduction  3
2  p-adic numbers  6
3  The local-global principle for conics  13
4  Geometry of numbers  17
5  Local-global principle. Conclusion of proof  20
6  Cubic curves  23
7  Non-singular cubics. The group law  27
8  Elliptic curves. Canonical form  32
9  Degenerate laws  39
10  Reduction  42
11  The p-adic case  46
12  Global torsion  50
13  Finite basis theorem. Strategy and comments  54
14  A 2-isogeny  58
15  The weak finite basis theorem  66
16  Remedial mathematics. Resultants  75
17  Heights. Finite basis theorem  78
18  Local-global for genus 1  85
19  Elements of Galois cohomology  89
20  Construction of the jacobian  92
21  Some abstract nonsense  98
22  Principal homogeneous spaces and Galois cohomology  104
23  The Tate-Shafarevich group  108
24  The endomorphism group  114
25  Points over finite fields  118
26  Factorizing using elliptic curves  124
Formulary  130
Further Reading  135
Index  136
0 Introduction
Diophantine equations, that is to say equations whose solution is to be found in integers, or, alternatively, in rationals, have fascinated man from the earliest times: a Babylonian clay tablet dated to between 1600 and 1900 B.C. lists 15 solutions of the "Pythagorean" equation $x^2 + y^2 = z^2$.
Diophantos himself lived in Alexandria in the 3rd Century A.D. We shall meet some of his ideas. His work was continued by Hypatia, the only female mathematician of antiquity whose name has come down to us. (She was cruelly done to death by the Christians: their leader was canonized.) Another mathematician whose ideas continue to play a key role is Fermat (1601-1665). For a fuller historical account in a modern context, see A. Weil, Number theory: an approach through history from Hammurabi to Legendre (Birkhäuser, 1983). [For Hypatia, see Gibbon, Decline and Fall.]
In this course we concentrate attention on rational solutions of Diophantine equations. The study of integral solutions requires further considerations, which we shall not touch on. It is now clear that an appropriate language to discuss many aspects of Diophantine equations is that of algebraic geometry: not so much the classical algebraic geometry, which works over the complex numbers, but a version working over a general ground field such as the field Q of rationals and often called "Diophantine geometry". Some of the arguments and results of classical geometry go over to Diophantine geometry unchanged, for some the conclusions are more limited, and for others we must make further hypotheses which are automatically satisfied in the classical theory.

Diophantine equations can be interpreted as questions about the existence of points on algebraic varieties. Here we will be concerned only with curves. Geometers classify curves by a non-negative integer, the genus. The Diophantine theory of curves of genus 0 is well understood. For curves of genus 1, there is a rich body of well-established theory and an equally rich corpus of conjecture which is currently beginning to succumb to intensive research. The Diophantine theory of curves of genus > 1 is in a rudimentary state (despite Faltings' Theorem).

The main subject of this course is some of the basic Diophantine theory of curves of genus 1. To set the scene, we start with an account of genus 0. Here the situation is dominated by the local-global principle (Hasse principle). This relates behaviour over the rational field Q to that over its local completions, the p-adic fields $\mathbb{Q}_p$, where things are simpler. A unifying theme for curves of genus 1 is the extent to which local (i.e. p-adic) behaviour determines rational behaviour. This material generalizes smoothly to algebraic number fields but we have restricted attention to the rationals in the belief that new concepts are easiest acquired in the simplest contexts.

The final three sections mark a change of goal. Two of them introduce the more sophisticated theory over finite fields, culminating in the estimates for the number of points known as the "Riemann hypothesis for function fields" (of genus 1). The very last section indicates how these ideas are used in the modern technology for factorizing large integers.

Prerequisites.
In this course the prerequisites have been reduced to a minimum. We have spoken above about curves of genus 0 and 1 , but the focus will be on concrete classes of curves such as conics and plane cubics. The p-adic numbers are introduced from scratch. A knowledge of algebraic number theory is not required, provided that the reader is prepared to take one statement on trust. Algebraic number theory is, however, indispensable for many applications, as we shall indicate in optional passages. We do require the rudiments of Galois theory: indeed one of the interests will be its application in novel contexts.
1 Curves of genus 0. Introduction
We shall say that a point is rational, or defined over Q, if its co-ordinates are rational. A curve is said to be defined over Q if it is given by an equation or equations with coefficients in Q. [Unfortunately the term "rational curve" was preempted by the geometers as a synonym for "curve of genus 0".] More generally we shall say that we are working over Q, or that the ground field is Q, if all the coefficients of the algebraic expressions involved are in Q. Sometimes elementary geometric arguments continue to be valid when we work over Q. For example, consider a cubic curve such as

C : $X^2 - Y^2 = (X - 2Y)(X^2 + Y^2)$,
which has a double point at the origin.
A line through the origin meets the curve in one further point, so giving a description of all the points on the curve. More precisely, consider the line $X = sY$ for given s. This meets the curve where $Y^2(s^2 - 1) = Y^3(s - 2)(s^2 + 1)$, and so in the point (x, y) where

$x = \dfrac{s(s^2 - 1)}{(s - 2)(s^2 + 1)}$, $y = \dfrac{s^2 - 1}{(s - 2)(s^2 + 1)}$.

Conversely, given (x, y) on the curve, it is of the above form with $s = x/y$. We say that C is birationally equivalent to the line [given by a single variable and no equation]. In this case the birational equivalence is defined over Q [i.e. the rational functions expressing the equivalence have coefficients in Q. Note the unfortunate clash in the double meaning of the term "rational"]. In general there is a 1-1 correspondence between the rational points on the one curve and those on the other, the correspondence being given by the birational correspondence. There are, however, exceptions. For example s = 2 does not correspond to any point (x, y) and s = ±1 both correspond to (x, y) = (0, 0). If we had had $X^2 - 2Y^2$ instead of $X^2 - Y^2$ on the left hand side, then (x, y) = (0, 0) would not correspond to any rational value of s. It is not difficult to see however that if two curves are birationally equivalent over Q there are only finitely many rational points on the one which do not correspond to rational points on the other. To study the rational points on a curve, it is thus sufficient to consider it up to a birational equivalence defined over Q.

A classical theorem working over the complex field C states that every curve of genus 0 is birationally equivalent to the line: we could treat this as a definition of "genus 0". When the ground field is Q, this theorem no longer holds. Instead we have the

Fact. A curve of genus 0 defined over Q is birationally equivalent over Q either to the line or to a conic.

This reduces the Diophantine study of curves of genus 0 to that of conics.

Theorem 1. A conic defined over Q is birationally equivalent to the line if and only if it has a rational point.
Proof. The "only if" part is trivial. Suppose then that there is a rational point. After a change of co-ordinates we may take it to be the origin, so that the equation of the conic is $F_1(X, Y) + F_2(X, Y) = 0$, where $F_j$ is homogeneous in X, Y of degree j. The birational equivalence with the line follows by putting X = sY, as in the cubic case discussed earlier.

The Diophantine theory of curves of genus 0 is thus reduced to deciding when a conic defined over Q has a rational point. It is certainly easy to write down conics without rational points. For a change, let us use homogeneous co-ordinates. There is no rational point on $x^2 + y^2 + z^2 = 0$, since clearly there are no real points. Again, there are no rational points on (*). For suppose (x, y, z) were such a rational point. By homogeneity, we may suppose that x, y, z are integers without common divisor. Now (*) implies $x^2 + y^2 \equiv 0 \pmod 3$ and so $x \equiv y \equiv 0 \pmod 3$. Then (*) gives $z \equiv 0 \pmod 3$, so x, y, z have the common factor 3: a contradiction. For our purposes, it is convenient, and ultimately indispensable, to express the last argument in a different way. We shall introduce the fields $\mathbb{Q}_p$ of p-adic numbers, where p is a prime (here p = 3); and what we have just done can be expressed as proving that there are no points on (*) defined over $\mathbb{Q}_3$.
2 p-adic numbers
Most of the familiar properties of the ordinary absolute value on the real or complex fields are consequences of the following three:

(i) $|r| \ge 0$, with equality precisely for r = 0.
(ii) $|rs| = |r|\,|s|$.
(iii) $|r + s| \le |r| + |s|$.

A real-valued function $|\cdot|$ on a field k is said to be a valuation if it satisfies (i), (ii), (iii). Since $(-1)^2 = 1$, properties (i)-(iii) imply that $|-1| = 1$, $|-r| = |r|$ (all r). The rational field Q has other valuations than the absolute value. Let p be a fixed prime. Any rational $r \ne 0$ can be put in the shape $r = p^{\rho} u/v$, $\rho \in \mathbb{Z}$, $u, v \in \mathbb{Z}$, $p \nmid u$, $p \nmid v$. We define

$|r|_p = p^{-\rho}$ and $|0|_p = 0$.

This definition clearly satisfies (i), (ii) above. Let $m, n \in \mathbb{Z}$, $p \nmid m$, $p \nmid n$, $s = p^{\sigma} m/n$, so $|s|_p = p^{-\sigma}$, where without loss of generality $\sigma \ge \rho$, i.e. $|s|_p \le |r|_p$. Then

$r + s = p^{\rho}(un + p^{\sigma - \rho} mv)/vn$.

Here $p \nmid vn$. The numerator $un + p^{\sigma - \rho} mv$ is an integer, but, at least for $\rho = \sigma$, it may be divisible by p. Hence $|r + s|_p \le p^{-\rho}$, that is

(iii*) $|r + s|_p \le \max\{|r|_p, |s|_p\}$.

Clearly (iii*) implies (iii), so $|\cdot|_p$ is a valuation. We call it the p-adic valuation. The inequality (iii*) is called the ultrametric inequality, since (iii), the triangle inequality, expresses the fact that $|r - s|$ is a metric. A valuation which satisfies the ultrametric inequality is said to be non-archimedean.
We can transfer familiar terminology from the ordinary absolute value to the p-adic case. For example, we say that a sequence $\{a_n\}$, n = 1, 2, ... is a fundamental sequence if for any $\epsilon > 0$ there is an $n_0(\epsilon)$ such that $|a_m - a_n|_p < \epsilon$ whenever $m, n \ge n_0(\epsilon)$. The sequence $\{a_n\}$ converges to b if $|a_n - b|_p < \epsilon$ (all $n \ge n_0(\epsilon)$). For example let p = 5 and consider the sequence $\{a_n\}$: 3, 33, 333, 3333, ... Then

$a_m - a_n = 10^n a_{m-n}$ $(m > n)$, i.e. $|a_m - a_n|_5 \le 5^{-n}$ $(m \ge n)$.

Hence $\{a_n\}$ is a fundamental sequence. Indeed it is a convergent sequence, since $3a_n + 1 = 10^n$, i.e. $|3a_n + 1|_5 = 5^{-n}$, and so $a_n \to -1/3$ 5-adically.

As the above example shows, the main difficulties with the p-adic valuation are psychological: something is p-adically small if it is divisible by a high power of p. Not every p-adic fundamental sequence is convergent. Let us take p = 5 again. Then we construct a sequence of $a_n \in \mathbb{Z}$ such that

$a_n^2 + 1 \equiv 0 \pmod{5^n}$ and $a_{n+1} \equiv a_n \pmod{5^n}$.

We start with $a_1 = 2$. Suppose that we already have $a_n$ for some n and put $a_{n+1} = a_n + b\,5^n$, where $b \in \mathbb{Z}$ is to be determined. We require $(a_n + b\,5^n)^2 + 1 \equiv 0 \pmod{5^{n+1}}$, that is

(*) $c + 2a_n b \equiv 0 \pmod 5$,

where we already have $c = (a_n^2 + 1)/5^n \in \mathbb{Z}$. Clearly $5 \nmid a_n$ and so we can solve the congruence (*) for the unknown b. The sequence $\{a_n\}$ just constructed is a 5-adic fundamental sequence since $|a_m - a_n|_5 \le 5^{-n}$ $(m \ge n)$. Suppose, if possible, that $a_n$ tends 5-adically to some $e \in \mathbb{Q}$. Then $a_n^2 + 1 \to e^2 + 1$. On the other hand, by our construction, $a_n^2 + 1 \to 0$. Hence $e^2 + 1 = 0$; a contradiction.

Just as the real numbers are constructed by completing the rationals with respect to the ordinary absolute value, so the rationals can be completed with respect to $|\cdot|_p$ to give the field $\mathbb{Q}_p$ of p-adic numbers. In fact the process can be simplified because $|\cdot|_p$ is non-archimedean. For the reader who is unfamiliar with this way of constructing the reals, we sketch a construction of $\mathbb{Q}_p$ at the end of this section. We say that a field K is complete with respect to a valuation $|\cdot|$ if every fundamental sequence is convergent. A field K with valuation $\|\cdot\|$ is said to be the completion of the field k with valuation $|\cdot|$ if there is an injection $\lambda : k \to K$
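The two 5-adic sequences above, as an added Python example (mine, not the book's): `abs_p` is the valuation $|\cdot|_p$ defined in this section, `lift_sqrt_minus_one` carries out the construction $a_{n+1} = a_n + b\,5^n$ with b solving (*), and the remaining functions check that the sequence is fundamental, that $a_n^2 + 1 \to 0$, and that 3, 33, 333, ... tends to $-1/3$. All function names are my own; the search for $a_1$ assumes that $-1$ is a square modulo p, as it is for p = 5.

```python
from fractions import Fraction

def vp(r, p):
    """The exponent rho in r = p^rho * u/v with p dividing neither u nor v (r != 0)."""
    r = Fraction(r)
    if r == 0:
        raise ValueError("0 has no finite p-adic valuation")
    num, den, rho = r.numerator, r.denominator, 0
    while num % p == 0:
        num //= p
        rho += 1
    while den % p == 0:
        den //= p
        rho -= 1
    return rho

def abs_p(r, p):
    """The p-adic absolute value |r|_p = p^(-rho), with |0|_p = 0."""
    r = Fraction(r)
    return Fraction(0) if r == 0 else Fraction(1, p) ** vp(r, p)

def ultrametric_holds(r, s, p):
    """Check (iii*): |r + s|_p <= max(|r|_p, |s|_p)."""
    return abs_p(r + s, p) <= max(abs_p(r, p), abs_p(s, p))

def lift_sqrt_minus_one(p, n_terms):
    """Return a_1, ..., a_n with a_k^2 + 1 = 0 (mod p^k) and a_{k+1} = a_k (mod p^k).

    As in the text: a_{k+1} = a_k + b p^k, where b solves c + 2 a_k b = 0 (mod p)
    and c = (a_k^2 + 1) / p^k.  Requires -1 to be a square mod p (true for p = 5).
    """
    a = next((a for a in range(1, p) if (a * a + 1) % p == 0), None)
    if a is None:
        raise ValueError(f"-1 is not a square modulo {p}")
    seq = [a]
    for k in range(1, n_terms):
        c = (a * a + 1) // p**k            # an integer because a^2 + 1 = 0 (mod p^k)
        b = (-c * pow(2 * a, -1, p)) % p   # p does not divide a, so 2a is invertible mod p
        a += b * p**k
        seq.append(a)
    return seq

def is_fundamental(seq, p):
    """|a_m - a_n|_p <= p^(-n) for all m >= n (indices as in the text, starting at 1)."""
    return all(abs_p(seq[m] - seq[n], p) <= Fraction(1, p**(n + 1))
               for n in range(len(seq)) for m in range(n, len(seq)))

def squares_plus_one_tend_to_zero(seq, p):
    """|a_n^2 + 1|_p = p^(-n): a rational limit e would need e^2 + 1 = 0, impossible in Q."""
    return all(abs_p(a * a + 1, p) == Fraction(1, p**(n + 1)) for n, a in enumerate(seq))

def converges_to_minus_one_third(n_terms):
    """The example 3, 33, 333, ...: |a_n + 1/3|_5 = 5^(-n), so a_n -> -1/3 5-adically."""
    return all(abs_p(int("3" * n) + Fraction(1, 3), 5) * 5**n == 1
               for n in range(1, n_terms + 1))

if __name__ == "__main__":
    seq = lift_sqrt_minus_one(5, 6)
    print(seq)                                         # [2, 7, 57, 182, 2057, 14557]
    print(is_fundamental(seq, 5), squares_plus_one_tend_to_zero(seq, 5))
    print(converges_to_minus_one_third(8))
```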
which preserves the valuation: $\|\lambda a\| = |a|$ ($a \in k$), and such that (i) K is complete with respect to $\|\cdot\|$, (ii) K is the closure of $\lambda k$ with respect to the topology induced by $\|\cdot\|$ (K is not "too large"). The completion always exists and is unique (up to a unique isomorphism). We henceforth identify k with $\lambda k$ and $|\cdot|$ with $\|\cdot\|$, so regard k as a subfield of K.

We now discuss the structure of the p-adic field $\mathbb{Q}_p$ with its valuation $|\cdot|_p$. We note that if $|b|_p < |a|_p$ then $|a + b|_p = |a|_p$. For by (iii*) $|a + b|_p \le |a|_p$ and, since $a = (a + b) + (-b)$, we have a contradiction if $|a + b|_p < |a|_p$. It follows that the set of values taken by $|\cdot|_p$ on $\mathbb{Q}_p$ is precisely the same as the set for Q. Indeed if $\alpha \in \mathbb{Q}_p$, $\alpha \ne 0$ then by (ii) of the definition of the completion, there is an $a \in \mathbb{Q}$ with $|a - \alpha|_p < |\alpha|_p$, so $|\alpha|_p = |a|_p$. The set of $\alpha \in \mathbb{Q}_p$ with $|\alpha|_p \le 1$ is called the set of p-adic integers $\mathbb{Z}_p$. Because $|\cdot|_p$ is non-archimedean, $\mathbb{Z}_p$ is a ring: $|\alpha|_p, |\beta|_p \le 1 \Rightarrow |\alpha\beta|_p \le 1$, $|\alpha + \beta|_p \le 1$. A rational number b is in $\mathbb{Z}_p$ precisely when it has the form b = u/v, where $u, v \in \mathbb{Z}$, $p \nmid v$. The numbers $\epsilon \in \mathbb{Q}_p$ with $|\epsilon|_p = 1$ are the p-adic units. From what was said about the values taken by $|\cdot|_p$ on $\mathbb{Q}_p$, every $\beta \ne 0$ in $\mathbb{Q}_p$ is of the shape $\beta = p^n \epsilon$, where $n \in \mathbb{Z}$ and $\epsilon$ is a unit. The units are just the elements $\epsilon$ of $\mathbb{Q}_p$ such that $\epsilon \in \mathbb{Z}_p$, $\epsilon^{-1} \in \mathbb{Z}_p$. As we have already noted, elementary analysis continues to hold in $\mathbb{Q}_p$, but can be simpler, as the following lemma shows.

Lemma 1. In $\mathbb{Q}_p$ the series $\sum \beta_n$ converges if and only if $\beta_n \to 0$.

Proof. By saying that the sum converges, we mean, of course, that the partial sums $\sum_0^N \beta_n$ tend to a limit. That convergence implies $\beta_n \to 0$ is true even in real analysis. To
prove the opposite implication, we note that

$\left| \sum_0^N \beta_n - \sum_0^M \beta_n \right|_p = \left| \sum_{M+1}^N \beta_n \right|_p \le \max_{M < n \le N} |\beta_n|_p$

… $\ge m + 1$. We may now take for the $s_j$ the $w_0 + z$ for which $\psi(w_0 + z) > 0$.
The set S is said to be symmetric (about the origin) if $-x \in S$ whenever $x \in S$. It is convex if whenever $x, y \in S$, then the whole line segment $\lambda x + (1 - \lambda) y$ $(0 \le \lambda \le 1)$ joining them is in S. In particular, the mid-point $\frac12(x + y)$ is in S.

Theorem 1. Let $\Lambda$ be a subgroup of $\mathbb{Z}^n$ of index m. Let $C \subset \mathbb{R}^n$ be a symmetric convex set of volume

$V(C) > 2^n m$.

Then C and $\Lambda$ have a common point other than $0 = (0, \ldots, 0)$.

Proof. Let $S = \frac12 C$ be the set of points $\frac12 c$, $c \in C$. Then

$V(\tfrac12 C) = 2^{-n} V(C) > m$.

By Lemma 1, there are m + 1 distinct points $c_0, \ldots, c_m \in C$ such that

$\tfrac12 c_i - \tfrac12 c_j \in \mathbb{Z}^n$ $(0 \le i, j \le m)$.

There are m + 1 points

$\tfrac12 c_i - \tfrac12 c_0$ $(0 \le i \le m)$

and m cosets of $\mathbb{Z}^n$ modulo $\Lambda$. By the pigeon hole principle, two must be in the same coset, that is there are i, j with $i \ne j$ such that

$\tfrac12 c_i - \tfrac12 c_j \in \Lambda$.

Now $-c_j \in C$ by symmetry; and so

$\tfrac12 c_i - \tfrac12 c_j = \tfrac12 c_i + \tfrac12 (-c_j) \in C$

by convexity.

Note. Lemma 1 and Theorem 1 with m = 1 are due to Blichfeldt and Minkowski respectively. The generalizations to m > 1 are by van der Corput.
As a foretaste of the flavour of the application in the next section, we give

Lemma 2. Let N be a positive integer. Suppose that there is an $l \in \mathbb{Z}$ such that $l^2 \equiv -1 \pmod N$. Then $N = u^2 + v^2$ for some $u, v \in \mathbb{Z}$.

Proof. We take n = 2 and denote the co-ordinates by x, y. For C we take the open disc $x^2 + y^2 < 2N$ of volume (= area)

$V(C) = 2\pi N > 2^2 N$.

The subgroup $\Lambda$ of $\mathbb{Z}^2$ is given by $x, y \in \mathbb{Z}$, $y \equiv lx \pmod N$. It is clearly of index N. Hence by the Theorem there is $(0, 0) \ne (u, v) \in \Lambda \cap C$. Then $0 < u^2 + v^2 < 2N$ and $u^2 + v^2 \equiv u^2(1 + l^2) \equiv 0 \pmod N$. Hence $u^2 + v^2 = N$, as required.

We note, in passing, that the condition of the lemma is certainly satisfied for primes p with $p \equiv 1 \pmod 4$.
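The lattice $\Lambda$ in the proof of Lemma 2 can be searched directly; the following Python example is added here and is not from the book. It builds the basis (1, l), (0, N) of $\Lambda$, finds a shortest nonzero vector by Lagrange-Gauss reduction (my choice of method, which the text does not use), and checks that this vector satisfies $u^2 + v^2 = N$ as the argument above predicts; function names are mine.

```python
def sqrt_minus_one_mod(N):
    """Smallest l with l^2 = -1 (mod N), or None; brute force is fine for small N."""
    for l in range(N):
        if (l * l + 1) % N == 0:
            return l
    return None

def gauss_reduce(b1, b2):
    """Lagrange-Gauss reduction of a basis of a 2-dimensional lattice (exact integers).

    Returns a shortest nonzero vector of the lattice spanned by b1, b2.
    """
    def dot(u, v):
        return u[0] * v[0] + u[1] * v[1]
    while True:
        if dot(b1, b1) > dot(b2, b2):
            b1, b2 = b2, b1
        # mu = nearest integer to <b1,b2>/<b1,b1>, computed without floating point
        mu = (2 * dot(b1, b2) + dot(b1, b1)) // (2 * dot(b1, b1))
        if mu == 0:
            return b1          # |<b1,b2>| <= |b1|^2/2 and |b1| <= |b2|: b1 is shortest
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])

def two_squares(N):
    """Write N = u^2 + v^2 via the lattice of Lemma 2; None if l^2 = -1 (mod N) has no solution."""
    l = sqrt_minus_one_mod(N)
    if l is None:
        return None
    # Λ = {(x, y) in Z^2 : y = l x (mod N)} has basis (1, l), (0, N) and index N.
    u, v = gauss_reduce((1, l), (0, N))
    # Every nonzero (x, y) in Λ has x^2 + y^2 = x^2 (1 + l^2) = 0 (mod N), and the
    # theorem puts one of them in the disc x^2 + y^2 < 2N.  The shortest vector is
    # therefore also in that disc, so its norm is exactly N.
    assert u * u + v * v == N
    return abs(u), abs(v)

if __name__ == "__main__":
    for N in (5, 13, 25, 65, 1000009):
        print(N, two_squares(N))
```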
§4. Exercises

1. Let $m \in \mathbb{Z}$, m > 1 and suppose that there is some $l \in \mathbb{Z}$ such that $l^2 + l + 1 \equiv 0 \pmod m$. Show that $m = u^2 + uv + v^2$ for some $u, v \in \mathbb{Z}$.

2. Find a prime p > 0 for which there is an $l \in \mathbb{Z}$ such that $1 + 5l^2 \equiv 0 \pmod p$ but p is not of the shape $u^2 + 5v^2$ ($u, v \in \mathbb{Z}$).
5 Local-global principle. Conclusion of proof
We now complete the proof of the local-global principle for conics using the theorem of the last section. We recall that we had reduced the proof to that for

$f_1 X_1^2 + f_2 X_2^2 + f_3 X_3^2 = 0$

where $f_1, f_2, f_3 \in \mathbb{Z}$ and $f_1 f_2 f_3$ is square free. We assume that there are points everywhere locally and we showed that this implied certain congruences to primes p dividing $2 f_1 f_2 f_3$. We first define a subgroup $\Lambda$ of $\mathbb{Z}^3$ by imposing congruence conditions on the components of $x = (x_1, x_2, x_3)$.

First case. $p \ne 2$, $p \mid f_1 f_2 f_3$, say $p \mid f_1$. We saw (end of §3) that then there is an $r_p \in \mathbb{Z}$ such that $f_2 + r_p^2 f_3 \equiv 0 \pmod p$. We impose the condition

$x_3 \equiv r_p x_2 \pmod p$.

Then

$F(x) = f_1 x_1^2 + f_2 x_2^2 + f_3 x_3^2 \equiv (f_2 + r_p^2 f_3) x_2^2 \equiv 0 \pmod p$.

Second case. $p = 2$, $2 \nmid f_1 f_2 f_3$. Then without loss of generality $f_2 + f_3 \equiv 0 \pmod 4$. We impose the conditions

$x_1 \equiv 0 \pmod 2$, $x_2 \equiv x_3 \pmod 2$,

which imply $F(x) \equiv 0 \pmod 4$.

Third case. $p = 2$, $2 \mid f_1 f_2 f_3$, say $2 \mid f_1$. Then

$s^2 f_1 + f_2 + f_3 \equiv 0 \pmod 8$, where s = 0 or 1.

We impose the conditions

$x_2 \equiv x_3 \pmod 4$, $x_1 \equiv s x_3 \pmod 2$,

which imply $F(x) \equiv 0 \pmod 8$.

To sum up. The group $\Lambda$ is of index m (say) $= 4|f_1 f_2 f_3|$ in $\mathbb{Z}^3$, where throughout this section $|\cdot|$ is the absolute value. Further, $F(x) \equiv 0 \pmod m$ for $x \in \Lambda$. We apply the theorem of the previous section to $\Lambda$ and the convex symmetric set C:

$|f_1| x_1^2 + |f_2| x_2^2 + |f_3| x_3^2 < 4|f_1 f_2 f_3|$.

School geometry shows that

$V(C) = (\pi/3) \cdot 2^3 \cdot |4 f_1 f_2 f_3| > 2^3 |4 f_1 f_2 f_3| = 2^3 m$.

Hence there is an $x \ne 0$ in $\Lambda \cap C$. For this x we have $F(x) \equiv 0 \pmod{4|f_1 f_2 f_3|}$ and $|F(x)| \le |f_1| x_1^2 + |f_2| x_2^2 + |f_3| x_3^2 < 4|f_1 f_2 f_3|$; so F(x) = 0, as required. We conclude with some remarks.
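The proof just given is constructive, and the following Python example (added here, not from the book) runs it as an algorithm: it derives the congruences of the three cases from $f_1, f_2, f_3$, enumerates the integer points of the ellipsoid C, and returns the first one lying in $\Lambda$, which by the argument above must be a zero of F. The function names are mine; factorisation and the search for $r_p$ are by brute force, so it is meant for small coefficients only.

```python
from itertools import product
from math import isqrt

def prime_factors(n):
    """Distinct prime factors of a nonzero integer by trial division (small |n| only)."""
    n, ps, p = abs(n), [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        ps.append(n)
    return ps

def lattice_conditions(f):
    """Congruences defining the subgroup Λ of Z^3, as predicates on x = (x1, x2, x3).

    Returns None as soon as a required r_p or s does not exist, i.e. when the conic
    f1 X1^2 + f2 X2^2 + f3 X3^2 = 0 is not soluble over that Q_p.
    """
    prod = f[0] * f[1] * f[2]
    conds = []
    for p in prime_factors(prod):
        if p == 2:
            continue
        # First case: p odd, p | f_i.  Need f_j + r^2 f_k = 0 (mod p); impose x_k = r x_j (mod p).
        i = next(i for i in range(3) if f[i] % p == 0)
        j, k = (i + 1) % 3, (i + 2) % 3
        r = next((r for r in range(p) if (f[j] + r * r * f[k]) % p == 0), None)
        if r is None:
            return None
        conds.append(lambda x, j=j, k=k, r=r, p=p: (x[k] - r * x[j]) % p == 0)
    if prod % 2:
        # Second case: 2 does not divide f1 f2 f3.  Need f_j + f_k = 0 (mod 4) for some
        # pair; impose x_i = 0 (mod 2), x_j = x_k (mod 2).
        i = next((i for i in range(3) if (f[(i + 1) % 3] + f[(i + 2) % 3]) % 4 == 0), None)
        if i is None:
            return None
        j, k = (i + 1) % 3, (i + 2) % 3
        conds.append(lambda x, i=i, j=j, k=k: x[i] % 2 == 0 and (x[j] - x[k]) % 2 == 0)
    else:
        # Third case: 2 | f_i.  Need s in {0, 1} with s^2 f_i + f_j + f_k = 0 (mod 8);
        # impose x_j = x_k (mod 4), x_i = s x_k (mod 2).
        i = next(i for i in range(3) if f[i] % 2 == 0)
        j, k = (i + 1) % 3, (i + 2) % 3
        s = next((s for s in (0, 1) if (s * s * f[i] + f[j] + f[k]) % 8 == 0), None)
        if s is None:
            return None
        conds.append(lambda x, i=i, j=j, k=k, s=s:
                     (x[j] - x[k]) % 4 == 0 and (x[i] - s * x[k]) % 2 == 0)
    return conds

def conic_zero(f):
    """A nonzero integer zero of F(x) = f1 x1^2 + f2 x2^2 + f3 x3^2, found in Λ inside the
    ellipsoid |f1| x1^2 + |f2| x2^2 + |f3| x3^2 < 4 |f1 f2 f3|; None if a local condition fails."""
    assert all(fi != 0 for fi in f)
    prod = f[0] * f[1] * f[2]
    assert all(prod % (p * p) != 0 for p in prime_factors(prod)), "f1 f2 f3 must be square-free"
    conds = lattice_conditions(f)
    if conds is None:
        return None
    F = lambda x: sum(fi * xi * xi for fi, xi in zip(f, x))
    m = 4 * abs(prod)                    # index of Λ, and the bound defining C
    ranges = [range(-isqrt(m // abs(fi)), isqrt(m // abs(fi)) + 1) for fi in f]
    for x in product(*ranges):
        if x == (0, 0, 0) or sum(abs(fi) * xi * xi for fi, xi in zip(f, x)) >= m:
            continue                     # not in C
        if not all(c(x) for c in conds):
            continue                     # not in Λ
        # x is in Λ ∩ C: F(x) = 0 (mod m) and |F(x)| < m, hence F(x) = 0.
        assert F(x) % m == 0 and F(x) == 0
        return x
    raise AssertionError("the theorem of §4 guarantees a point of Λ ∩ C")

if __name__ == "__main__":
    print(conic_zero((3, 5, -2)), conic_zero((1, 1, -3)))   # e.g. (-2, -2, 4) and None
```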
Remark 1. We have not merely shown that there is a solution of F(x) = 0, but we have found that there is one in a certain ellipsoid. This facilitates the search in explicitly given cases.

Remark 2. We have made no use of the condition of solubility in $\mathbb{Q}_p$ for $p \nmid 2 f_1 f_2 f_3$. In fact this condition tells us nothing [cf. §3, Exercises 2, 3]. It is left to the reader to check that for any $f_1, f_2, f_3$ and p with $p \nmid 2 f_1 f_2 f_3$ there is always a point defined over $\mathbb{Q}_p$ on $f_1 X_1^2 + f_2 X_2^2 + f_3 X_3^2 = 0$.

Remark 3. We have also nowhere used that there is local solubility for $\mathbb{Q}_\infty = \mathbb{R}$. Hence solubility at $\mathbb{Q}_\infty$ is implied by solubility at all the $\mathbb{Q}_p$ ($p \ne \infty$). This phenomenon is connected with quadratic reciprocity. In fact for any conic over Q, the number of p (including ∞) for which there is not a point over $\mathbb{Q}_p$ is always even [cf. §3, Exercises 6, 7]. See a book on quadratic forms (such as the author's).

§5. Exercises

1. Let $F(X, Y, Z) = 5X^2 + 3Y^2 + 8Z^2 + 6(YZ + ZX + XY)$. Find rational integers x, y, z not all divisible by 13, such that $F(x, y, z) \equiv 0 \pmod{13^2}$. [Hint. cf. Hensel's Lemma 2 of §10.]

2. Let $F(X, Y, Z) = 7X^2 + 3Y^2 - 2Z^2 + 4YZ + 6ZX + 2XY$. Find rational integers x, y, z not all divisible by 17 such that $F(x, y, z) \equiv 0 \pmod{17^3}$.
6 Cubic curves
In this section we consider curves C given by F(X) = 0, where F is a homogeneous cubic form. The case of interest is when the ground field is the rationals Q, but our initial remarks apply to any ground field. A point x on C is said to be singular when $\partial F/\partial X_j (x) = 0$ (j = 1, 2, 3). If we choose co-ordinates so that x = (0, 0, 1), this is equivalent to F not containing terms in $X_3^3, X_1 X_3^2, X_2 X_3^2$. A singular point counts with multiplicity at least 2 as an intersection with a line. More precisely, if a, b are two points on the line, the general point on it is $\lambda a + \mu b$, where the numbers $\lambda, \mu$ are not both 0. The intersections with C are given by

(*) $F(\lambda a + \mu b) = 0$,

a homogeneous cubic in $\lambda, \mu$. What is claimed is that if one of the intersections is a singular point of C then the corresponding ratio $\lambda : \mu$ occurs as a multiple root of (*). An easy way to check this is to take b = x.

Suppose that C has two distinct singular points x, y. The line joining them cuts C at both x, y with multiplicity ≥ 2. This can happen only if $F(\lambda x + \mu y)$ vanishes identically, i.e. if C contains the whole line. If we suppose, as we shall, that C is irreducible (i.e. that F does not factorize), this cannot happen. An irreducible cubic curve has at most one singular point.

Now take the ground field to be Q. If there is a singular point over the algebraic closure $\bar{\mathbb{Q}}$, there is at most one. By Galois theory² it must be defined over Q. Hence, as we have already seen in §1, C is birationally equivalent over Q to the line. From now on we restrict attention to non-singular cubic curves, i.e. those which have no singular points over $\bar{\mathbb{Q}}$.

Let a, b be rational points on C. The line joining them meets C in a third point, in general distinct: it is also rational since it is given by a cubic equation, two of whose roots are rational. This process was used already by Diophantos to find new unobvious points from known obvious ones. The variant in which one takes the third point of intersection with the curve of the tangent at a rational point was, according to Weil, first noted by Newton. An older generation of mathematicians refer to these as the "chord and tangent processes". In general, starting from one rational point a on C one obtains infinitely many by the chord and tangent processes. If this is not the case, a is said to be exceptional. For example we have

Lemma 1. Let $a \ge 1$ be a cube-free integer and let

C : $X^3 + Y^3 - aZ^3 = 0$.

The point (1, −1, 0) is exceptional. For a = 1 the points (0, 1, 1), (1, 0, 1) are also exceptional. For a = 2 the point (1, 1, 1) is exceptional. No other rational point is exceptional.

Proof. We first show that the given points are indeed exceptional. The tangent at (1, −1, 0) is X + Y = 0, which meets C only at (1, −1, 0). The other cases for a = 1 are similar. The tangent at (1, 1, 1) for a = 2 is X + Y − 2Z = 0, which meets C again only at (1, −1, 0). Let x = (x, y, z) be a rational point other than those named. We may

² For the cognoscenti. If the ground field is not perfect, the conclusion does not necessarily hold. See Note at end of §9.
suppose that x, y, z are integers without common factor. The equation for C implies that then x, y, z are coprime in pairs. Let $x_1 = (x_1, y_1, z_1)$ be the third point of intersection, where again $x_1, y_1, z_1$ are integers without common factor. It may be verified³ that

$x_1 : y_1 : z_1 = x(x^3 + 2y^3) : -y(2x^3 + y^3) : z(x^3 - y^3)$.

Let d be the greatest common divisor of the three terms on the right hand side. If a prime p divides both x and d it must also divide y, a contradiction. Hence d divides $x^3 + 2y^3$ and $2x^3 + y^3$. It thus divides $3x^3$ and $3y^3$, so d = 1 or 3. Hence

$z_1 = \pm z(x^3 - y^3)$ or $z_1 = \pm z(x^3 - y^3)/3$.

In either case, it is readily verified that $|z_1| > |z|$ except for the x listed in the enunciation. By repeating the tangent process we thus get a sequence of points $x, x_1, x_2, \ldots$ with $|z| < |z_1| < |z_2| < \cdots$. Hence the $x_j$ are distinct, and x is not exceptional.

³ This is essentially a special case of elegant formulae of Desboves for the chord and tangent processes. See Exercises and Formulary.

§6. Exercises

1. (i) Show that the cubic curve $Y^2 Z = X^3 + AXZ^2 + BZ^3$ is non-singular provided that $4A^3 + 27B^2 \ne 0$.
(ii) If $4A^3 + 27B^2 = 0$, find a singularity and decide whether it is a cusp or a double point with distinct tangents.

2. (i) Let $F(x) = a_1 x_1^3 + a_2 x_2^3 + a_3 x_3^3 + d\,x_1 x_2 x_3$, where $a_1 a_2 a_3 \ne 0$. Show that F(x) = 0 is non-singular provided that $27 a_1 a_2 a_3 + d^3 \ne 0$.
(ii) If $a_1 = a_2 = a_3 = 1$, d = −3, show that any point $(x_1, x_2, x_3)$ with $x_1^3 = x_2^3 = x_3^3 = x_1 x_2 x_3 = 1$ is a singularity.
(iii) How does the result of (ii) square with the result proved in the text that a cubic curve has at most one singularity?

3. Let F(x) be as in the previous question and suppose that F(x) = 0 is non-singular.
(i) Let F(x) = 0. Show that the third intersection t of the tangent at x is given by $t_j = x_j (a_{j+1} x_{j+1}^3 - a_{j+2} x_{j+2}^3)$ (j = 1, 2, 3), where the suffixes are taken mod 3.
(ii) Let x, y be distinct points on F(X) = 0. Show that the third intersection z of the line joining them is given by $z_j = x_j^2 y_{j+1} y_{j+2} - y_j^2 x_{j+1} x_{j+2}$. [Formulae of Desboves].

4. Starting with the solution (2, −1, −1) of $X^3 + Y^3 + 7Z^3 = 0$, find 10 distinct solutions.
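Desboves' formulae of Exercise 3 and the tangent process of Lemma 1, as an added Python example (mine, not the book's). It applies the formulae to the form $F = a_1 x_1^3 + a_2 x_2^3 + a_3 x_3^3 + d\,x_1 x_2 x_3$ of Exercise 2, reduces each result to a primitive triple, and runs the tangent process of Exercise 4 from (2, −1, −1) on $X^3 + Y^3 + 7Z^3 = 0$, stopping early when the process closes up at an exceptional point; function names are my own.

```python
from math import gcd

def cubic_value(F, x):
    """F(x) = a1 x1^3 + a2 x2^3 + a3 x3^3 + d x1 x2 x3 for F = (a1, a2, a3, d)."""
    a1, a2, a3, d = F
    x1, x2, x3 = x
    return a1 * x1**3 + a2 * x2**3 + a3 * x3**3 + d * x1 * x2 * x3

def primitive(x):
    """Scale a projective integer triple to coprime entries, first nonzero entry positive."""
    g = gcd(gcd(x[0], x[1]), x[2])
    if g == 0:
        raise ValueError("the zero triple is not a projective point")
    x = tuple(c // g for c in x)
    return x if next(c for c in x if c) > 0 else tuple(-c for c in x)

def tangent_point(F, x):
    """Third intersection of the tangent at x:  t_j = x_j (a_{j+1} x_{j+1}^3 - a_{j+2} x_{j+2}^3)."""
    a = F[:3]
    t = tuple(x[j] * (a[(j + 1) % 3] * x[(j + 1) % 3]**3 - a[(j + 2) % 3] * x[(j + 2) % 3]**3)
              for j in range(3))
    return primitive(t)

def chord_point(F, x, y):
    """Third intersection of the line through x and y:
    z_j = x_j^2 y_{j+1} y_{j+2} - y_j^2 x_{j+1} x_{j+2}."""
    z = tuple(x[j]**2 * y[(j + 1) % 3] * y[(j + 2) % 3] - y[j]**2 * x[(j + 1) % 3] * x[(j + 2) % 3]
              for j in range(3))
    return primitive(z)

def tangent_orbit(F, x, count):
    """Repeat the tangent process from x until `count` distinct points are found, or until it
    returns to an earlier point (then x is exceptional in the sense of Lemma 1)."""
    x = primitive(x)
    pts = [x]
    while len(pts) < count:
        x = tangent_point(F, x)
        if cubic_value(F, x) != 0:
            raise ArithmeticError("Desboves' formula left the curve")
        if x in pts:
            break
        pts.append(x)
    return pts

if __name__ == "__main__":
    F7 = (1, 1, 7, 0)                      # X^3 + Y^3 + 7 Z^3 = 0, Exercise 4
    for p in tangent_orbit(F7, (2, -1, -1), 10):
        print(p if len(str(p)) < 60 else f"{len(str(abs(p[2])))}-digit z co-ordinate")
    print(tangent_orbit((1, 1, -2, 0), (1, 1, 1), 5))    # closes up: (1, 1, 1) is exceptional
```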
7 Non-singular cubics. The group law
Let C be a non-singular cubic curve and let o be a rational point on C. We show that the set of rational points on C has a natural structure of commutative group with o as neutral element ("zero"). Here the ground field is arbitrary, the curve C is defined over it, and by rational point we mean point defined over the ground field. The group law is defined as follows. Let a, b be rational points. Let d be the third point of intersection with C of the line through a, b. Let e be the third point of intersection of the line through o, d. Then we write a + b = e.

The construction has to be interpreted appropriately if two or more of the points involved coincide. For example if b = a we take the tangent at a.
We have to show that this operation "+" gives a structure of commutative group. Clearly a + b = b + a and a + o = a for all a. Next we construct the inverse. Let the third intersection of the tangent at o be k. Let $a^-$ be the third intersection of the line through a and k. Then by definition $a + a^- = o$.

The crunch is to show that + is associative: (a + b) + c = a + (b + c).
We give two proofs; the first geometric, the second more fundamental. Let a, b, c be given. Consider the diagram

[Figure: the lines r, s, t, l, m, n and the points a, b, c, d, e, f, o, u, v, w on C.]

Here r, s, t, l, m, n are the names of lines and the remaining symbols are points on C. All except f, w are intersections of two of the lines. The whole figure is determined once a, b, c and o are given. We have (a + b) = e, and so (a + b) + c is the third intersection of the line through o, f. Similarly a + (b + c) is the third intersection of the line through o, w. To prove associativity, we thus have to show that f, w are not as shown but coincide with the unlabelled intersection of the lines r, m. We now recall a geometrical
Lemma 1. Let $x_1, \ldots, x_8$ be 8 points of the plane in general position⁴. Then there is a 9th point y such that every cubic curve through $x_1, \ldots, x_8$ also passes through y.

We briefly recall the proof of the lemma. A cubic form F(X), $X = (X_1, X_2, X_3)$, has 10 coefficients. An equation F(x) = 0 imposes a linear condition on the coefficients. Passing through $x_1, \ldots, x_8$ imposes 8 conditions. Hence if $F_1(X)$, $F_2(X)$ are linearly independent forms through the 8 points, any other F is of the shape

$F(X) = \lambda F_1(X) + \mu F_2(X)$.

Now $F_1 = 0$, $F_2 = 0$ have 9 points in common; and clearly F = 0 passes through them all.

Now to the application of the Lemma. Let an equation for the line l be l(X) = 0 etc. and consider the two (reducible) cubics

$F_1(X) = l(X)\,m(X)\,n(X) = 0$,
$F_2(X) = r(X)\,s(X)\,t(X) = 0$.

Our nonsingular cubic C passes through 8 of the points of intersection of $F_1 = 0$, $F_2 = 0$ and so by the Lemma must pass through the 9th. Hence f = w, as required.

We now present a second proof of the associativity of the relation "+" for points which is more basic. A linear form l(X) (say) does not give a meaningful function on the curve C because the co-ordinates X are homogeneous. On the other hand, if t(X) is another linear form, then the quotient

$g(X) = l(X)/t(X)$

does give something meaningful. In the situation just discussed, the line

⁴ This is the geometer's way of saying "such that the proffered proof works". In this case, what is needed is that the $x_j$ give linearly independent conditions on the coefficients of F: so no 4 on a line and no 7 on a conic.
l(X) = 0 passes through a, b, d and t(X) = 0 through d, o, e, all being points on C. The function g(X) thus has zeros at a, b and poles at o, e. At the point d there is neither a zero nor a pole, as the zeros of the linear forms cancel out. There is the notion of the order of a pole or zero at a nonsingular point of an algebraic curve which generalizes in an obvious way the notion of the order of a zero or pole of a rational function of a single variable. In our case, g(X) clearly has simple poles at a, b and simple zeros at o, e. The equation e = a + b is equivalent to the existence of such a function. Similarly, the equation

x = (a + b) + c

is equivalent to the existence of a function with simple poles at a, b, c, a double zero at o and a simple zero at x. The equation

(a + b) + c = a + (b + c)

is now obvious.

This point of view shows that the group law is unchanged under birational equivalence, since it depends only on the function field of the curve. The geometer would say that a + b = c precisely when the divisor {a, b} is linearly equivalent to the divisor {o, c}.

We conclude with an informal explanation of what is meant by saying that a nonsingular cubic curve is of genus 1. Let $r \ge 2$ and let $x_1, \ldots, x_r, y_1, \ldots, y_{r-1}$ be points on C, for simplicity all distinct. By manipulating linear forms in X, as we did in the construction of g(X), one can construct a function h(X) on the curve whose only poles are simple poles at $x_1, \ldots, x_r$ and which has zeros at $y_1, \ldots, y_{r-1}$. Then h(X) has one further zero, which is completely determined. Contrast the position on the line. Let $c_1, \ldots, c_r, d_1, \ldots, d_r$ be any 2r distinct numbers. Then the function

$\prod_j (T - d_j) \Big/ \prod_j (T - c_j)$

has simple zeros at the $d_j$, simple poles at the $c_j$ and no further zeros or poles (even at infinity). The genus of a curve is a measure of the freedom in imposing the zeros and poles of a function. The precise statement, which we shall not need, is slightly complicated and is called the Riemann-Roch Theorem.
§7. Exercises

1. Let o, a be rational points on the nonsingular cubic C. Construct the point −a with respect to the group law for which o is the neutral element.

2. Let o, $o_1$ be rational points on the nonsingular cubic C. Show how the group law for which $o_1$ is the neutral element can be expressed in terms of that for which o is the neutral element.

3. Let o, a be rational points on the nonsingular cubic C and suppose that 3a = o with respect to the group law based on o. Let b = 2a. Show that each side of the triangle o, a, b meets the tangent to C at the opposite vertex at a point of C. Take o, a, b as the triangle of reference and express this condition in terms of the coefficients of the cubic form determining C.

4. Let C be the curve $X^3 + Y^3 - XZ^2 - YZ^2 + 7XYZ = 0$ and let x = (x, y, z) be a point on C defined over some $\mathbb{Q}_p$. Show that $y/x \to -1$ as $x \to (0, 0, 1)$ (with respect to the p-adic topology).

5. In this question everything is defined over $\mathbb{Q}_p$ for some p. Let a be a nonsingular point on the cubic curve F(X, Y, Z) = 0 and let t(X) = 0 be the tangent. Let l(X) = 0, m(X) = 0 be lines through a distinct from the tangent. Show that there are d, e, f such that $d\,l(X) + e\,m(X) + f\,t(X) = 0$ (identically) with $d \ne 0$, $e \ne 0$. Show that $m(x)/l(x) \to -d/e$ as $x \to a$.
8 Elliptic curves. Canonical Form

We are concerned with algebraic curves defined up to a birational equivalence over the ground field. For genus 0 we saw that every curve is equivalent to a conic (or line). For genus 1 no such reduction to a special form or forms is possible. The situation changes when we are also given a point on the curve which is defined over the ground field (a "rational point"). It is convenient to have a special name for this situation: an elliptic curve is a curve of genus 1 together with the specification of a rational point on it.

As canonical form we take
C : $Y^2 = X^3 + AX + B$
or, in homogeneous co-ordinates,
$Y^2 Z = X^3 + AXZ^2 + BZ^3$.
The right hand side does not have multiple roots provided that $4A^3 + 27B^2 \ne 0$. The specified rational point o is the point (X, Y, Z) = (0, 1, 0) at infinity. Since the line at infinity is an inflexional tangent at o, the group law on C is especially simple:
$-(x, y) = (x, -y)$
and a + b + c = o precisely when a, b, c are collinear. We shall find this choice of canonical form particularly convenient when the ground field is Q. When the ground field is of characteristic 2 or 3, we can no longer use C as a canonical form but must use
$Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6$.
However this is quite peripheral to our purposes and we leave it to the reader, if she wishes, to deal with these cases.

As we have not formally defined curves of genus 1, we will not give a formal proof that elliptic curves are birationally equivalent to the canonical form. In compensation we will give detailed algorithms for converting certain kinds of elliptic curves to that form. These could well be omitted at first reading.

Fact. (characteristic ≠ 2, 3). Any elliptic curve is birationally equivalent over the ground field to the canonical form for some A, B. More precisely the curve is equivalent to C and the equivalence takes the specified rational point 0 on it into the point at infinity on C.

Proof for the Cognoscenti. By the Riemann-Roch theorem, the set of functions on the curve with at worst a pole of order 2 at 0 has dimension 2. Let a basis be 1, ξ. Similarly the set of functions with at worst a triple pole at 0 is of dimension 3, with basis say 1, ξ, η. Then the functions
$\eta^2,\ \eta\xi,\ \eta,\ \xi^3,\ \xi^2,\ \xi,\ 1$
all have at worst a pole of order 6. By the Riemann-Roch Theorem, there must be a linear relation between the 7 listed functions. The relation must involve both $\xi^3$ and $\eta^2$. A transformation
$\xi \to c_1 \xi + c_2$, $\eta \to c_3 \eta + c_4 \xi + c_5$
reduces the relation to
$\eta^2 = \xi^3 + A\xi + B$
for some A, B.

Note for the Cognoscenti. The reason why there is no canonical form, or finite family of canonical forms, for curves of genus 1 is that 2(g − 1) = 0 for g = 1. For every other genus we can use the divisor of the differential of a function defined over the ground field to give a birational map. For example, for genus 2, there is always equivalence with some curve $Y^2 = $ sextic in X.

Particular cases. The above proof does not, in any case, usually provide a practical algorithm. We discuss some special cases. Note that it is enough to transform the curve into the shape C. For if it takes 0 into a, we can make the translation x → x − a on C.

(i) Cubic curve D. Rational point 0 has inflexional tangent. Here a linear transformation of co-ordinates is enough, taking 0 to o and the tangent to be the line at infinity. For example 0 = (1, −1, 0). Put Y = U − V.
Then so where X I = - 6 dZ
,
(ii) Cubic curve D. Rational point 0 not on inflexional tangent⁵. The tangent at 0 meets D again at a rational point P, say. We may take an affine system of co-ordinates with P as origin and with the tangent as Y-axis. Then the curve D is given by F(X, Y) = 0, where
$F(X, Y) = F_1(X, Y) + F_2(X, Y) + F_3(X, Y)$,
with $F_j$ homogeneous of degree j. The Y-axis meets the curve at (0, y), where
$0 = yF_1(0, 1) + y^2 F_2(0, 1) + y^3 F_3(0, 1)$.
Since the Y-axis is a tangent, we have a double root:
$F_2(0, 1)^2 - 4F_1(0, 1)F_3(0, 1) = 0$. (*)
Now consider the intersection of the curve with Y = tX. Then
$0 = xF_1(1, t) + x^2 F_2(1, t) + x^3 F_3(1, t)$.
Discarding the solution x = 0, we have
$s^2 = F_2(1, t)^2 - 4F_1(1, t)F_3(1, t) = G(t)$ (say),
where
$s = 2F_3(1, t)\,x + F_2(1, t)$.
Now G(t) is a cubic by (*); and we achieve the canonical form by a linear transformation on s, t.

⁵ The argument is due to Nagell: Sur les propriétés arithmétiques des cubiques planes du premier genre. Acta Math. 52 (1928-9), 92-106. Older geometrical techniques (adjoint curves etc.) had shown that every elliptic curve is birationally equivalent to a cubic, but he was the first to show that it can be reduced to the canonical form.

(iii) Curve D is Y² = Quartic in X with rational point. Let the rational point be (a, b). By a transformation
$X \to \frac{1}{X - a}$, $Y \to \frac{Y}{(X - a)^2}$,
we may suppose that the rational point is at infinity:
$Y^2 = f_0 + f_1 X + f_2 X^2 + f_3 X^3 + f_4 X^4$,
where $f_4$ is a square. On dividing by $f_4$, we have without loss of generality $f_4 = 1$. We can write the right hand side as
$G(X)^2 + H(X)$,
where
$G(X) = X^2 + g_1 X + g_0$, $H(X) = h_1 X + h_0$,
and the $g_j$, $h_j$ are easily given in terms of the $f_i$. The equation of the curve is now
$(Y + G(X))(Y - G(X)) = H(X)$.
Put Y + G(X) = T, so
$Y - G(X) = \frac{H(X)}{T}$
and
$2G(X) = T - \frac{H(X)}{T}$.
Multiply by $T^2$ and put TX = S. We get
$2S^2 + 2g_1 TS + 2g_0 T^2 = T^3 - h_1 S - h_0 T$.
This is readily brought to the canonical form.
(iv) Intersection of two quadric surfaces with a rational point. We use homogeneous co-ordinates X, Y, Z, T and may suppose that the common rational point is (0, 0, 0, 1). The two quadric forms are thus of the shape

where L, M are linear in X, Y, Z and R, S are quadratic. Suppose, first, that L and M are linearly dependent. Then without loss of generality M = 0. The intersection is
S(X, Y, Z) = 0, T = R(X, Y, Z)/L(X, Y, Z);
which is of genus 0. Otherwise, eliminating T, we have
$C(X, Y, Z) = LS - RM = 0$,
where C is a homogeneous cubic. It has the rational point
L(X, Y, Z) = M(X, Y, Z) = 0.
Hence we are reduced to an earlier case.

§8. Exercises

1. Transform the following curves to canonical form:
(i) $X^3 + Y^3 + dZ^3 = 0$
(ii) $X^3 + Y^3 + Z^3 - 3mXYZ = 0$
(iii) $Y^2 - kT^2 = X^2$, $Y^2 + kT^2 = Z^2$
(iv) X�X2 − X1X� − X1X� + X�X3 = 0

2. [Difficult]. Show that the group law on
$Z^2 = Y^2 + T^2$, $X^2 = Y^2 - T^2$,
with (1, 1, 1, 0) as neutral element is given by $x_3 = x_1 + x_2$, where
$x_3 = x_2 t_2 y_1 z_1 - x_1 t_1 y_2 z_2$
$y_3 = y_2 t_2 z_1 x_1 - y_1 t_1 z_2 x_2$
$z_3 = z_2 t_2 x_1 y_1 - z_1 t_1 x_2 y_2$
$t_3 = t_2^2 x_1^2 - t_1^2 x_2^2 = t_2^2 y_1^2 - t_1^2 y_2^2 = t_2^2 z_1^2 - t_1^2 z_2^2$.

3. (i) Find all the points defined over the field $\mathbf{F}_5$ of 5 elements on each of
$Y^2 Z = X^3 + XZ^2$, $Y^2 Z = X^3 + 2XZ^2$, $Y^2 Z = X^3 + Z^3$.
Check in each case that they form a group under the group law, with (0, 1, 0) as neutral element. (ii) As (i) but with other $\mathbf{F}_p$ and other curves $Y^2 Z = X^3 + AXZ^2 + BZ^3$. Find an example where the group is not cyclic. Can you find an example where the group requires more than 2 generators?

4. In the curves considered below, the point at infinity is taken as neutral element for the group law. (i) Let $Y^2 = (X - \alpha)(X^2 + aX + b)$ be an elliptic curve. Show that the transformation x → x + (α, 0) induces a fractional-linear transformation
$T : x \to (t_{11} x + t_{12})/(t_{21} x + t_{22})$.
Check that $T^2 : x \to x$. (ii) Consider $Y^2 = (X - \alpha_1)(X - \alpha_2)(X - \alpha_3)$ and let $T_1, T_2, T_3$ be as in (i) with $\alpha = \alpha_j$ (j = 1, 2, 3). Show that $T_1, T_2, T_3$ commute and that
(iii) Let $\mathcal{T}_j$ be the 2 × 2 matrix of coefficients $\begin{pmatrix} t_{11} & t_{12} \\ t_{21} & t_{22} \end{pmatrix}$ in (i) with $\alpha = \alpha_j$ (j = 1, 2, 3). Show that $\mathcal{T}_1 \mathcal{T}_2 + \mathcal{T}_2 \mathcal{T}_1 = 0$.
(iv) Find the fixed points of $T_1$ and show that they are interchanged by $T_2$.

5. Find a necessary and sufficient condition that a line Y = lX + m should be an inflexional tangent to $Y^2 = X^3 + AX + B$. Hence find a general formula for the curves in canonical form having a rational point of order 3.

6. Find a necessary and sufficient condition that a line Y = lX + m should be an inflexional tangent to $Y^2 = X(X^2 + aX + b)$. Hence find a general formula for curves in canonical form having a point of order 6.

7. Let $F(X, Y, Z) = X^2 Y + XZ^2 + 2Y^3 + Z^3$. Find a birational transformation defined over Q taking the curve F = 0 into canonical form with the point (1, 0, 0) going to the point at infinity.

8. Find a birational transformation defined over Q taking X i − 2X� + X� = 0, X� − 2X� + X� = 0 into canonical form, with (1, 1, 1, 1) going to the point at infinity.

9. Invent similar exercises to the two preceding, and solve them.
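The check asked for in exercise 3, as an added example (not code from the book): it enumerates the points of Y²Z = X³ + AXZ² + BZ³ over F_p, implements the chord-tangent law with (0, 1, 0) as neutral element and −(x, y) = (x, −y), and verifies the group axioms by brute force. The function names are my own; curves are assumed nonsingular mod p and p odd.

```python
"""Points of Y^2 = X^3 + A X + B over F_p and the chord-tangent group law.

Added example (not code from the book): it carries out the check of
section 8, exercise 3.  Curves are assumed nonsingular mod p (p odd), so
the group law is defined on every point; the neutral element is the point
(0, 1, 0) at infinity, written INF, and -(x, y) = (x, -y) as in the text.
"""
from itertools import product

INF = None  # the point (0, 1, 0) at infinity


def is_nonsingular(A, B, p):
    """Right hand side has no repeated root mod p iff 4A^3 + 27B^2 != 0."""
    return (4 * A**3 + 27 * B**2) % p != 0


def points(A, B, p):
    """INF plus every (x, y) in F_p^2 with y^2 = x^3 + A x + B."""
    pts = [INF]
    for x in range(p):
        rhs = (x**3 + A * x + B) % p
        pts.extend((x, y) for y in range(p) if (y * y) % p == rhs)
    return pts


def neg(P, p):
    return INF if P is INF else (P[0], (-P[1]) % p)


def add(P, Q, A, p):
    """a + b + c = o when a, b, c are collinear: the line through P and Q
    (the tangent if P = Q) meets the curve in a third point c, P + Q = -c."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                          # vertical line: Q = -P
    if P == Q:                              # tangent slope (3x^2 + A) / 2y
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:                                   # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p          # third intersection ...
    y3 = (lam * (x1 - x3) - y1) % p         # ... reflected in the X-axis
    return (x3, y3)


def mul(n, P, A, p):
    """n P by repeated addition (adequate for the small groups here)."""
    R = INF
    for _ in range(n):
        R = add(R, P, A, p)
    return R


def order(P, A, p):
    n, R = 1, P
    while R is not INF:
        R = add(R, P, A, p)
        n += 1
    return n


def check_group(A, B, p):
    """Brute-force closure, inverses and associativity over all points."""
    pts = points(A, B, p)
    S = set(pts)
    if any(add(P, Q, A, p) not in S for P, Q in product(pts, repeat=2)):
        return False
    if any(add(P, neg(P, p), A, p) is not INF for P in pts):
        return False
    return all(add(add(P, Q, A, p), R, A, p) == add(P, add(Q, R, A, p), A, p)
               for P, Q, R in product(pts, repeat=3))


def is_cyclic(A, B, p):
    """Cyclic iff some point has order equal to the number of points."""
    pts = points(A, B, p)
    return len(pts) == 1 or any(order(P, A, p) == len(pts) for P in pts[1:])
```

Over F_5 the first curve of the exercise has four points, all of order 2, so it already answers part (ii): the group is not cyclic.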
9 Degenerate laws

In this section we consider the curve C : $Y^2 = X^3 + AX + B$ when

(1)

(2)

There is then precisely one singular point. We recall that if (2) does not hold, there is a group law on the curve given by⁶
a + b + c = 0
whenever a, b, c are the intersection of a line with C. We show that this continues to give a group law on the nonsingular points in the degenerate case (2), and we find out what it is. There are two cases, the second with two subcases.

First case. Cusp. Suppose A = B = 0, so
C : $Y^2 Z = X^3$
with a singular point at the origin. Any line not passing through the origin can be written Z = lX + mY. It meets C where

If the three points of intersection are $(x_j, y_j, z_j)$ (j = 1, 2, 3), it follows that

where $u_j = x_j / y_j$. We therefore have the additive group, the zero being the point (0, 1, 0) at infinity.

Second case⁷. Double point. (Characteristic ≠ 2). If not both A, B vanish, then, after a transformation X → X + constant, we have
(C ≠ 0),
i.e. $(Y^2 - CX^2)Z = X^3$. Suppose, first, that $C = \gamma^2$ is a square. Put
$U = Y + \gamma X$, $V = Y - \gamma X$;
so C is given by
$8\gamma^3 UVZ = (U - V)^3$.
Any line not passing through the origin can be written Z = lU + mV. It meets C where
$(U - V)^3 - 8\gamma^3 UV(lU + mV) = 0$.
If the points of intersection are $(u_j, v_j, z_j)$ (j = 1, 2, 3), then

We have the multiplicative group. Now suppose that C is not a square. Adjoin γ to the ground field, where $\gamma^2 = C$. For a point (x, y, z) on C, put
$\frac{y + \gamma x}{y - \gamma x} = r + s\gamma$ (say),
where

We now have a "twisted" multiplication law on (*). Compare the multiplication of the complex numbers x + iy with $x^2 + y^2 = 1$.

⁶ We write indifferently 0 or o for the neutral element of the group law.
⁷ We shall not require the details about this case in later work.

Note for the Cognoscenti. In characteristic 2 the curve
C : $Y^2 Z = X^3 + AXZ^2 + BZ^3$
is always singular. Write the equation as $(Y^2 - BZ^2)Z = X(X^2 + AZ^2)$. Over a finite (or, more generally, a perfect) field, we have $B = \beta^2$, $A = \alpha^2$ for some α, β. Then the curve is
$(Y + \beta Z)^2 Z = X(X + \alpha Z)^2$;
which is clearly singular. If the ground field is not perfect, we may have an example of a singularity defined over an inseparable extension, compare footnote in §6.
10 Reduction

The philosophy is to approach the rational field Q through the local fields $\mathbf{Q}_p$ and, similarly, to approach the $\mathbf{Q}_p$ through the finite fields $\mathbf{F}_p$ by reduction modulo p. We do no more than is required for the applications.

The mod p map $\mathbf{Z}_p \to \mathbf{F}_p$ is denoted by a bar, $a \to \bar a$. This is extended to the corresponding 2-dimensional projective planes $V$, $\bar V$ as follows. Let $(a_1, a_2, a_3)$ be projective co-ordinates of a point a of V. By multiplying $a_1, a_2, a_3$ by the same element of $\mathbf{Q}_p$, we have without loss of generality
$\max\{|a_1|, |a_2|, |a_3|\} = 1$,
where $|\ | = |\ |_p$. Then $(\bar a_1, \bar a_2, \bar a_3)$ are the co-ordinates of a well-defined point $\bar a$ of $\bar V$. In a similar way, we define the reduction $\bar l$ of a line
l : $l_1 X_1 + l_2 X_2 + l_3 X_3 = 0$.
If the point a lies on the line l, then clearly $\bar a$ lies on $\bar l$.

We need only the least sophisticated of the many ways of reducing a cubic curve C : F(X) = 0 defined over $\mathbf{Q}_p$. Here
$F(X) = \sum_{i \le j \le k} f_{ijk} X_i X_j X_k \in \mathbf{Q}_p[X]$,
where the $f_{ijk} \in \mathbf{Q}_p$ are not all 0 and without loss of generality $\max |f_{ijk}| = 1$. Then
$\bar F(X) = \sum_{i \le j \le k} \bar f_{ijk} X_i X_j X_k \in \mathbf{F}_p[X]$
is not the zero polynomial, and defines the reduced curve $\bar C : \bar F(X) = 0$ over $\mathbf{F}_p$. It may, of course, be reducible⁸. If a point a lies on C, then clearly $\bar a$ lies on $\bar C$. There is a weak converse

Lemma 1. Let $\bar b$ be a nonsingular point of $\bar C$. Then there is an a on C such that $\bar a = \bar b$.

Note. The notation $\bar b$ is intended to denote a point defined over $\mathbf{F}_p$ not necessarily derived from a b. We say that $\bar b$ lifts to a. It is easy to see by examples that a singular point on $\bar C$ may or may not lift to a point of C (cf. Exercises).

We construct a by successive approximation à la Newton. The generic term for such constructions in p-adic analysis is Hensel's Lemma.

Lemma 2. Let $G(T) \in \mathbf{Z}_p[T]$ and let $t_0 \in \mathbf{Z}_p$ be such that
$|G(t_0)| < 1$, $|G'(t_0)| = 1$,
where G' is the formal derivative of G. Then there is a $t \in \mathbf{Z}_p$ such that
$G(t) = 0$, $|t - t_0| \le |G(t_0)|$.

Assuming the truth of Hensel's Lemma for the moment, we complete the proof of the Lemma. Since $\bar b$ is nonsingular on $\bar C$, we may suppose that
$\frac{\partial \bar F}{\partial X_1}(\bar b) \ne 0$.
Pick any $b_i \in \mathbf{Z}_p$ such that $\bar b = (\bar b_1, \dots, \bar b_n)$. Then the conditions of Hensel's Lemma apply to $G(T) = F(T, b_2, \dots, b_n)$. Put $a = (t, b_2, \dots, b_n)$, where t is provided by Hensel. Clearly F(a) = 0, $\bar a = \bar b$, so a does what is required.

It remains to prove Hensel's Lemma. Let U be an indeterminate. Then
$G(T + U) = G(T) + UG_1(T) + U^2 G_2(T) + \dots$
where $G_j \in \mathbf{Z}_p[T]$ and $G_1 = G'$. Now define
$u = -G(t_0)/G'(t_0)$,
so $G(t_1) = u^2 G_2(t_0) + u^3 G_3(t_0) + \dots$, the linear term cancelling by the choice of u. Hence
$|G(t_1)| \le |u|^2 = |G(t_0)|^2$,
where $t_1 = t_0 + u$. Clearly $|G'(t_1)| = |G'(t_0)| = 1$. We may therefore iterate the process and get a fundamental sequence $t_j$ (j ≥ 0). The limit t clearly does what is required.

⁸ In the sense that $\bar F(X)$ factorizes. There is an unfortunate clash of meanings between "reduced" (mod p) and "reducible".

We shall also need information about the behaviour of the intersection of a line and a cubic curve under reduction. From what we have already proved, if l meets C in a, then $\bar l$ meets $\bar C$ in $\bar a$. But suppose that l meets C in a, b with a ≠ b: if $\bar a = \bar b$, can we be sure that it has multiplicity ≥ 2 in the intersection? The following lemma confirms expectations.

Lemma 3. Suppose that the line l meets the cubic curve C in a, b, c, multiple points of intersection being given with their multiplicities. Then either
(I) the entire line $\bar l$ is in $\bar C$, or
(II) $\bar l$ meets $\bar C$ in $\bar a, \bar b, \bar c$, multiple points occurring with the correct multiplicities.

Proof. We have without loss of generality

Consider
$G(X_1, X_2) = F(X_1, X_2, -l_1 X_1 - l_2 X_2) \in \mathbf{Z}_p[X_1, X_2]$.
Its reduction is $\bar G(X_1, X_2) \in \mathbf{F}_p[X_1, X_2]$. If $\bar G(X_1, X_2) = 0$, we have case (I) of the Lemma, so we may suppose that $\bar G \ne 0$. We normalize the coefficients of a, b, c so that
$\max(|a_1|, |a_2|, |a_3|) = 1$.
Since la = 0, it follows that
$(\bar a_1, \bar a_2) \ne (0, 0)$
etc. By hypothesis, there is some $\lambda \in \mathbf{Q}_p$ such that
$G(X_1, X_2) = \lambda (a_2 X_1 - a_1 X_2)(b_2 X_1 - b_1 X_2)(c_2 X_1 - c_1 X_2) = \lambda H(X_1, X_2)$ (say).
Now
$\bar H(X_1, X_2) = (\bar a_2 X_1 - \bar a_1 X_2)(\bar b_2 X_1 - \bar b_1 X_2)(\bar c_2 X_1 - \bar c_1 X_2) \ne 0$.
Hence $\bar G$, $\bar H$ differ only by a scalar multiple, which is what we needed to prove.

§10. Exercises

1. (i) Let C be the curve $Y^2 = X^3 + p$ over $\mathbf{Q}_p$. Show that the point (0, 0) on the mod p curve does not lift to a point of C. (ii) Find an example of an elliptic curve C over $\mathbf{Q}_p$ such that the mod p curve has a cusp which is the reduction of a point on C.

2. Find examples of curves C over $\mathbf{Q}_p$ such that the mod p curve has a double point with distinct tangents which (i) lifts, (ii) does not lift, to C.
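Hensel's Lemma and the lifting of Lemma 1, as an added example (not code from the book): the Newton step u = −G(t₀)/G'(t₀) is iterated modulo p^k, and a nonsingular point of Y² = X³ + AX + B mod p is lifted by solving in the X co-ordinate, as in the proof. Function names and the sample inputs are my own; the last test is the curve of exercise 1(i), where the hypothesis |G'(t₀)| = 1 fails at (0, 0).

```python
"""Hensel's Lemma (section 10, Lemma 2) as Newton iteration in Z_p, and the
lifting of a nonsingular point (Lemma 1) built on it.

Added example, not code from the book.  Polynomials have integer
coefficients, standing in for elements of Z_p[T]; computation is done
modulo p^k, which pins t down to k p-adic digits.  The hypotheses
|G(t0)| < 1 and |G'(t0)| = 1 become G(t0) = 0 mod p and G'(t0) != 0 mod p;
each step t -> t - G(t)/G'(t) at least doubles the number of correct
digits, mirroring |G(t1)| <= |G(t0)|^2 in the proof.
"""


def poly_eval(coeffs, t, mod):
    """coeffs[i] is the coefficient of T^i; Horner's rule mod 'mod'."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * t + c) % mod
    return acc


def poly_derivative(coeffs):
    """Formal derivative G' of G."""
    return [i * c for i, c in enumerate(coeffs)][1:] or [0]


def hensel_lift(coeffs, t0, p, k):
    """Return t in Z/p^k with G(t) = 0 mod p^k and t = t0 mod p, or None
    when the hypotheses of the Lemma fail at t0."""
    d = poly_derivative(coeffs)
    if poly_eval(coeffs, t0, p) != 0 or poly_eval(d, t0, p) == 0:
        return None
    mod = p**k
    t = t0 % mod
    prec = 1                       # G(t) = 0 mod p^prec holds now
    while prec < k:
        g = poly_eval(coeffs, t, mod)
        gp = poly_eval(d, t, mod)  # a unit mod p, so invertible mod p^k
        t = (t - g * pow(gp, -1, mod)) % mod
        prec *= 2                  # quadratic convergence, as in the proof
    return t


def lift_point(A, B, x0, y0, p, k):
    """Lift a point (x0, y0) of Y^2 = X^3 + A X + B mod p to a solution
    mod p^k, keeping y fixed and solving for x, exactly as the proof of
    Lemma 1 does with G(T) = F(T, b2, ..., bn).  Needs the point to be
    nonsingular in the X direction: 3 x0^2 + A != 0 mod p.  Returns None
    when Hensel's hypotheses fail (the point may then still lift, or not:
    compare exercise 1 of section 10)."""
    coeffs = [B - y0 * y0, A, 0, 1]    # G(T) = T^3 + A T + (B - y0^2)
    x = hensel_lift(coeffs, x0, p, k)
    return None if x is None else (x, y0 % p**k)
```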
11 The p-adic case

Let C : $Y^2 = X^3 + AX + B$ be an elliptic curve defined over $\mathbf{Q}_p$, so $4A^3 + 27B^2 \ne 0$ and, without loss of generality, $A, B \in \mathbf{Z}_p$. In this section we study the group $\mathfrak{G}$ of points on C defined over $\mathbf{Q}_p$. Our tool will be the theory of reduction developed in the preceding section. For this, we write C homogeneously
C : $Y^2 Z = X^3 + AXZ^2 + BZ^3$.
The reduced curve
$\bar C : Y^2 Z = X^3 + \bar A XZ^2 + \bar B Z^3$
over $\mathbf{F}_p$ may be singular but (with an eye to Lemma 3 of §10) we note that $\bar C$ does not contain a line. Let $\bar{\mathfrak{G}}$ denote the set of points on $\bar C$ defined over $\mathbf{F}_p$ and let $\bar{\mathfrak{G}}^{(0)} \subset \bar{\mathfrak{G}}$ be the non-singular points. Write $\mathfrak{G}^{(0)} \subset \mathfrak{G}$ for the set of points which reduce mod p to $\bar{\mathfrak{G}}^{(0)}$. The map
$\mathfrak{G}^{(0)} \to \bar{\mathfrak{G}}^{(0)}$
is surjective by Lemma 1 of §10. How does the group structure behave? Let $a, b, c \in \mathfrak{G}$ with
a + b + c = o.
This holds if and only if a, b, c are the intersection of C with a line l. Then the reductions $\bar a, \bar b, \bar c$ are the intersections of $\bar C$ with $\bar l$. On $\bar C$ we have defined a group law only for the non-singular points. If $a, b, c \in \mathfrak{G}^{(0)}$, then $\bar a + \bar b + \bar c = \bar o$. To sum up so far, we have a subgroup $\mathfrak{G}^{(0)}$ of $\mathfrak{G}$ such that there is a group homomorphism $\mathfrak{G}^{(0)} \to \bar{\mathfrak{G}}^{(0)}$ onto $\bar{\mathfrak{G}}^{(0)}$. The kernel of this homomorphism is the set of points which map into $\bar o$, that is, in inhomogeneous co-ordinates, o itself together with the $(x, y) \in \mathfrak{G}$ with $x \notin \mathbf{Z}_p$, $y \notin \mathbf{Z}_p$. This is called the kernel of the reduction.

Next, we look at the structure of the kernel of reduction. If $(x, y) \in \mathfrak{G}$, $x, y \notin \mathbf{Z}_p$, then clearly $|y|^2 = |x|^3$ and so
$|x| = p^{2n}$, $|y| = p^{3n}$
for some n ≥ 1. We call n the level of (x, y). For (x, y) not in the kernel of reduction the level is 0, by definition. The level of o is ∞. Now for integer N ≥ 1 make the transformation
$X_N = p^{2N} X$, $Y_N = p^{3N} Y$, $Z_N = Z$,
so the equation of C becomes
$C_N : Y_N^2 Z_N = X_N^3 + p^{4N} A X_N Z_N^2 + p^{6N} B Z_N^3$.
We may use the new co-ordinates for a reduction mod p: the reduced curve is
$\bar C_N : Y_N^2 Z_N = X_N^3$.
We can now transfer what was done earlier to the new situation. A point (x, y) maps into the singular point (0, 0) of $\bar C_N$ if its level is < N. It is in the kernel of reduction for $C_N$ if its level is > N. Finally, the group of the non-singular points on the $\bar C_N$ defined over $\mathbf{F}_p$ is the additive group of $\mathbf{F}_p$. They are in the image of $\mathfrak{G}$, as before. For N ≥ 1 define $\mathfrak{G}^{(N)}$ to be the set of points of $\mathfrak{G}$ of level ≥ N. We have proved

Lemma 1. The $\mathfrak{G}^{(N)}$ are groups and
$\mathfrak{G} \supset \mathfrak{G}^{(0)} \supset \mathfrak{G}^{(1)} \supset \dots \supset \mathfrak{G}^{(N)} \supset \dots$.
The quotient groups $\mathfrak{G}^{(N)}/\mathfrak{G}^{(N+1)}$ for N ≥ 1 are cyclic of order p. The quotient $\mathfrak{G}^{(0)}/\mathfrak{G}^{(1)}$ is isomorphic to the group of nonsingular points on $\bar C$. Further,
$\bigcap_N \mathfrak{G}^{(N)} = \{o\}$.

The sequence of groups is called the p-adic filtration.

Corollary. Let $x = (x, y) \in \mathfrak{G}$ be of finite order prime to p. Then $x, y \in \mathbf{Z}_p$.

Proof. Otherwise x is of some level n ≥ 1. Then $x \in \mathfrak{G}^{(n)}$, $x \notin \mathfrak{G}^{(n+1)}$ and so maps into a non-zero element of $\mathfrak{G}^{(n)}/\mathfrak{G}^{(n+1)}$. But this is of order p.
Our next aim is to free the statement in the Corollary from the requirement that the order is prime to p. The homomorphism of $\mathfrak{G}^{(N)}/$

> 0 and as small as possible. ($|\ |$ is the absolute value.) Then x, y, z have no common factor, and indeed are coprime in pairs. Since $x^4 \equiv 1 \pmod 4$ if x is odd, one of x, y must be odd and the other even. We suppose that
$2 \mid x$, $2 \nmid y$, $2 \nmid z$.
Write (*) in the shape
$(z + y^2)(z - y^2) = x^4$.
Since z, y are both odd, the two factors on the left are divisible by 2 but only one is divisible by 4. Hence (taking z > 0) we have two possibilities, where u, v ∈ Z:
First case: $z + y^2 = 8u^4$, $z - y^2 = 2v^4$;
Second case: $z + y^2 = 2u^4$, $z - y^2 = 8v^4$.
The first case gives
$y^2 = 4u^4 - v^4$,
which is impossible mod 4. Hence we have the second case:
$y^2 = u^4 - 4v^4$.
Now
$(u^2 + y)(u^2 - y) = 4v^4$
and so
$u^2 + y = 2r^4$, $u^2 - y = 2s^4$
for some r, s ∈ Z. Hence
$r^4 + s^4 = u^2$.
This is another solution of (*). Further,
$x^4 = 16u^4 v^4 = 16u^4 r^4 s^4$.
Hence rs ≠ 0 and
$\max(|r|, |s|) < |x| \le \max(|x|, |y|)$.
This contradicts the assumed minimality of the original solution, and so we have a contradiction.

Note that (r, s, u) → (x, y, z) is multiplication by 2. Thus Fermat's descent is essentially a converse of Diophantos' ascent. Note also that multiplication by 2 has been divided into two steps via another curve. This is the phenomenon of isogeny, which we explore in the next section.

§13. Exercises

1. Let C : $Y^2 = X^3 + AX + B$ be defined over Q. Let $\mathbf{Q}(\sqrt d)$ be a quadratic extension of Q and let the non-trivial automorphism be denoted by ('). Let x be a point of C defined over $\mathbf{Q}(\sqrt d)$. Show that x + x' is defined over Q and that x − x' = (u, v) where u and $v/\sqrt d$ are in Q. Deduce that the group of points on C defined over $\mathbf{Q}(\sqrt d)$ may be determined once the groups over Q on C and $dY^2 = X^3 + AX + B$ are known.

2. This question assumes knowledge of the arithmetic of Q(ρ) where $\rho^3 = 1$, ρ ≠ 1. Fill in the details of the sketched proof of the Theorem. Let $d = q_1 q_2$ where $q_1 > 0$, $q_2 > 0$ are rational primes with $q_1 \equiv 2$ (9), $q_2 \equiv 5$ (9). Then the only rational point on
C : $X_1^3 + X_2^3 + dX_3^3 = 0$
is (1, −1, 0).

Sketch proof.
(i) It is enough to prove that the only points on C defined over Q(ρ) are those with $X_3 = 0$.
(ii) If $x = (x_1, x_2, x_3)$ is defined over Q(ρ) and on the curve, without loss of generality $x_1, x_2, x_3$ are coprime in pairs in Z[ρ].
(iii) $(x_1 + x_2)(\rho x_1 + \rho^{-1} x_2)(\rho^{-1} x_1 + \rho x_2) = -q_1 q_2 x_3^3$. There are $\alpha_1, \alpha_2, \alpha_3, \xi_1, \xi_2, \xi_3 \in \mathbf{Z}[\rho]$ such that either
$x_1 + x_2 = \alpha_1 \xi_1^3$, $\rho x_1 + \rho^{-1} x_2 = \alpha_2 \xi_2^3$, $\rho^{-1} x_1 + \rho x_2 = \alpha_3 \xi_3^3$, $\alpha_1 \alpha_2 \alpha_3 = d$,
or
$x_1 + x_2 = \lambda \alpha_1 \xi_1^3$, $\rho x_1 + \rho^{-1} x_2 = \lambda \alpha_2 \xi_2^3$, $\rho^{-1} x_1 + \rho x_2 = \lambda \alpha_3 \xi_3^3$, $\alpha_1 \alpha_2 \alpha_3 = d$,
where $\lambda = \rho - \rho^{-1}$ [$= \sqrt{-3}$].
(iv) $\alpha_1 \xi_1^3 + \alpha_2 \xi_2^3 + \alpha_3 \xi_3^3 = 0$, $\alpha_1 \alpha_2 \alpha_3 = d$.
(v) Any rational $q_1$-adic unit is congruent to a cube mod $q_1$, but ρ is not congruent to a cube. And similarly for $q_2$.
(vi) After multiplying $\alpha_1, \alpha_2, \alpha_3$ all by ρ, or by $\rho^2$, if necessary, we may suppose that $\{\alpha_1, \alpha_2, \alpha_3\}$ is a permutation of $\{\pm 1, \pm 1, \pm q_1 q_2\}$ or $\{\pm 1, \pm q_1, \pm q_2\}$.
(vii) The equation $\xi_1^3 + q_1 \xi_2^3 + q_2 \xi_3^3 = 0$ is impossible mod 9 [and indeed mod $\lambda^3$].
(viii) If $\{\alpha_1, \alpha_2, \alpha_3\}$ is a permutation of $\{\pm 1, \pm 1, \pm d\}$, then $|\xi_1 \xi_2 \xi_3|_\infty < |x_1 x_2 x_3|_\infty$.
14 A 2-isogeny

An isogeny is a map C → D of elliptic curves defined over the ground field and taking the specified rational point $o_C$ on C into that on D. Clearly the kernel of the isogeny, i.e. the set of points mapped into $o_D$, is a finite group and is defined over the ground field as a whole. In this section we consider the case when C has a rational point of order 2. It is convenient to modify our canonical form to
C : $Y^2 = X(X^2 + aX + b)$,
the point of order 2 being (0, 0). The function on the right hand side may not have a double root, so
$b \ne 0$, $a^2 - 4b \ne 0$.
We take Q to be the ground field. Let x = (x, y) be a generic point of C; that is, x is transcendental and y is defined by $y^2 = x(x^2 + ax + b)$. The field Q(x, y) is known as the function field of C over Q. Let
$x_1 = x + (0, 0)$.
The transformation $x \to x_1$ is an automorphism of Q(x, y) of order 2. We will find the fixed field. The line through (0, 0) and (x, y) is
X = tx, Y = ty,
which meets C in (0, 0), x and $-x_1 = (x_1, -y_1)$. We get
$x_1 = b/x$, $y_1 = -by/x^2$.
One invariant under $x \to x_1$ is clearly $t^2$, which is
$t^2 = (y/x)^2 = \frac{x^2 + ax + b}{x} = \lambda$ (say) $[= x + x_1 + a]$.
Another is
$y + y_1 = \mu$ (say).
To find an algebraic relation between λ, μ we compute
$\mu^2 = y^2 (1 - b/x^2)^2 = \frac{x^2 + ax + b}{x}\,(x^2 - 2b + b^2/x^2)$.
Here the first factor is just λ. The second is
$(x + b/x)^2 - 4b = (\lambda - a)^2 - 4b = \lambda^2 - 2a\lambda + (a^2 - 4b)$.
Hence
$\mu^2 = \lambda(\lambda^2 - 2a\lambda + (a^2 - 4b))$. (*)
Conversely, we can express x, y in terms of λ, μ and $\lambda^{1/2} = y/x$, since
$\lambda^{-1/2}\mu = x - b/x$, $\lambda = x + (b/x) + a$.
Hence
$x = \tfrac{1}{2}(\lambda + \lambda^{-1/2}\mu - a)$.
The field extension Q(x, y)/Q(λ, μ) is of degree 2 and so by Galois theory Q(λ, μ) is the complete field of invariants. The point (λ, μ) is a generic point of
D : $Y^2 = X(X^2 - 2aX + (a^2 - 4b))$.
The map φ given by
$x = (x, y) \to \lambda = (\lambda, \mu)$
preserves the group law¹². For let a, b be points on C and let f ∈ Q(x) be a function with simple poles at a, b and simple zeros at o, a + b. Let h be the conjugate under $x \to x_1$. Then fh ∈ Q(λ): as a function of λ it clearly has simple poles at φ(a), φ(b) and simple zeros at φ(o) = o and φ(a + b). Hence
φ(a + b) = φ(a) + φ(b).
The equation for D has the same general shape as that for C. On repeating the process with λ and D, we get ρ, σ with
$\sigma^2 = \rho(\rho^2 + 4a\rho + 16b)$;
and so
$\xi = \rho/4$, $\eta = \sigma/8$
is a generic point of C again. The points mapping into (λ, μ) = (0, 0) are just the 2-division points other than (0, 0). Hence the kernel of the map (x, y) → (ξ, η) is just the 2-division points and o. So the map must be multiplication by ±2.

We now consider the effect of the isogeny φ : C → D on rational points. Denote the rational points on C, D by $\mathfrak{G}$, $\mathfrak{D}$ respectively. We denote the multiplicative group of nonzero elements of Q by Q*.

Lemma 1. Let $(u, v) \in \mathfrak{D}$. Then $(u, v) \in \phi\mathfrak{G}$ precisely when either $u \in (\mathbf{Q}^*)^2$ or $u = 0$, $a^2 - 4b \in (\mathbf{Q}^*)^2$.

Proof. For u ≠ 0, this follows by specializing λ → u, μ → v in (*). The point (λ, μ) = (0, 0) comes from the points (α, 0) where $\alpha^2 + a\alpha + b = 0$: and α ∈ Q if and only if $a^2 - 4b \in (\mathbf{Q}^*)^2$.

This suggests the map given by
$q((u, v)) = u(\mathbf{Q}^*)^2$ (u ≠ 0),
$q((0, 0)) = (a^2 - 4b)(\mathbf{Q}^*)^2$,
$q(o) = (\mathbf{Q}^*)^2$.

¹² The argument is quite general for isogenies of any degree. Note that fh is the norm of f for the extension Q(x)/Q(λ), cf. §24, Lemma 1.

We note that the equation
$v^2 = u(u^2 - 2au + a^2 - 4b)$
implies that
$q((u, v)) = (u^2 - 2au + a^2 - 4b)(\mathbf{Q}^*)^2$
whenever the right hand side is defined.

Lemma 2. The map
$q : \mathfrak{D} \to \mathbf{Q}^*/(\mathbf{Q}^*)^2$
is a group homomorphism.

Proof. Write the equation of D as
D : $V^2 = U(U^2 + a_1 U + b_1)$.
Let $u_j = (u_j, v_j)$ (j = 1, 2, 3) $\in \mathfrak{D}$ with $u_1 + u_2 + u_3 = o$, so they are the intersection of D with a line
V = lU + m.
Substituting in the equation for D, we have
$U(U^2 + a_1 U + b_1) - (lU + m)^2 = (U - u_1)(U - u_2)(U - u_3)$.
Hence, comparing constant terms, $u_1 u_2 u_3 = m^2$. This implies that
$q(u_1)\,q(u_2)\,q(u_3) = (\mathbf{Q}^*)^2$
except, possibly, when one of the $u_j$ is (0, 0). The verification in this case is left to the reader.

Lemma 3. The image of q is finite.

Proof. Without loss of generality $a_1 \in \mathbf{Z}$, $b_1 \in \mathbf{Z}$. An element of $\mathbf{Q}^*/(\mathbf{Q}^*)^2$ may be written $r(\mathbf{Q}^*)^2$, where r ∈ Z is square-free. We show that $r(\mathbf{Q}^*)^2$ is in the image of q only when $r \mid b_1$. Suppose that $q((u, v)) = r(\mathbf{Q}^*)^2$. Then there are s, t ∈ Q such that
$u = rt^2$, $u^2 + a_1 u + b_1 = rs^2$.
Put t = l/m, where l, m ∈ Z, gcd(l, m) = 1. Then, on eliminating u,
$r^2 l^4 + a_1 r l^2 m^2 + b_1 m^4 = rn^2$,
where $n = m^2 s \in \mathbf{Z}$. Suppose that there is a prime p with $p \mid r$, $p \nmid b_1$. Then $p \mid m$, so $p^2 \mid rn^2$ and hence $p \mid n$ because r is square-free. Then $p^3 \mid r^2 l^4$, so $p \mid l$, contrary to gcd(l, m) = 1.

Putting the three lemmas together, we get the

Theorem 1. $\mathfrak{D}/\phi\mathfrak{G}$ is finite.

Corollary. $\mathfrak{G}/2\mathfrak{G}$ is finite.

Proof. Consider the exact triangle
$C \xrightarrow{\ \phi\ } D \xrightarrow{\ \psi\ } C$, the composite being $\times 2$,
where $\mathfrak{D}/\phi\mathfrak{G}$ and $\mathfrak{G}/\psi\mathfrak{D}$ are both finite.

By considering in detail the equations arising in Lemma 3, we can get more information about $\mathfrak{G}/2\mathfrak{G}$; e.g. by looking at the equations locally. There is, however, no local-global theorem and indeed even today there is no algorithm for deciding whether or not there is a solution. We shall come back to these questions in a later section. So one should not conclude from the fact that we can determine $\mathfrak{G}/2\mathfrak{G}$ in the examples that one can always do so.

We first enunciate more precisely what was proved.

Lemma 4. The group $\mathfrak{D}/\phi\mathfrak{G}$ is isomorphic to the group of $q(\mathbf{Q}^*)^2$ in $\mathbf{Q}^*/(\mathbf{Q}^*)^2$ where
(i) q ∈ Z is square-free and $q \mid b_1$;
(ii) the equation $q l^4 + a_1 l^2 m^2 + (b_1/q) m^4 = n^2$ has a solution in l, m, n ∈ Z not all 0.
Further, the point (0, 0) of $\mathfrak{D}$ corresponds to q = the square-free kernel of $b_1$.

Example 1.
C : $Y^2 = X(X^2 - X + 6)$,
D : $Y^2 = X(X^2 + 2X - 23)$.
For $\mathfrak{D}/\phi\mathfrak{G}$ we have $q \mid (-23)$. Since −23 corresponds to (0, 0), we need look at only one of q = +23, q = −1, say the latter. The equation of Lemma 4 is
$-l^4 + 2l^2 m^2 + 23m^4 = n^2$,
i.e.
$-(l^2 - m^2)^2 + 24m^4 = n^2$,
which is impossible in $\mathbf{Q}_3$. Hence $\mathfrak{D}/\phi\mathfrak{G}$ is generated by (0, 0). For $\mathfrak{G}/\psi\mathfrak{D}$, we have $q \mid 6$, so q = −1 or q = ±2, ±3, ±6. Since the form $X^2 - X + 6$ is definite, we must have q > 0. Hence q = 2, 3 or 6; and 6 belongs to (0, 0). Thus it is enough to look at one of 2, 3, say 2. The equation is
$2l^4 - l^2 m^2 + 3m^4 = n^2$,
which is seen to have the solution (l, m, n) = (1, 1, 2). This corresponds to (x, y) = (2, 4). It follows that $\mathfrak{G}/\psi\mathfrak{D}$ is generated by (0, 0) and (2, 4). To find generators for $\mathfrak{G}/2\mathfrak{G}$ we need to look at the effect of ψ on the generators of $\mathfrak{D}/\phi\mathfrak{G}$. In this case φ(0, 0) = o, so $\mathfrak{G}/2\mathfrak{G}$ is also generated by (0, 0) and (2, 4).
Second example. This is related to Fermat's equation $u^4 + v^4 = w^2$. Then

satisfy
C : $Y^2 = X(X^2 - 1)$,
so
D : $Y^2 = X(X^2 + 4)$.
For $\mathfrak{D}/\phi\mathfrak{G}$, we have $q \mid 4$, so q = −1, ±2. Since $X^2 + 4$ is definite, we need q > 0, so only q = 2 needs to be looked at. The relevant equation is
$2l^4 + 2m^4 = n^2$,
which has the solution (l, m, n) = (1, 1, 2), giving (X, Y) = (2, 4) as the generator of $\mathfrak{D}/\phi\mathfrak{G}$. The point (0, 0) is in $\phi\mathfrak{G}$. For $\mathfrak{G}/\psi\mathfrak{D}$, we have $q \mid (-1)$. Since −1 belongs to (0, 0), there is nothing to do. Then $\mathfrak{G}/\psi\mathfrak{D}$ is generated by (0, 0) and $\mathfrak{G}/2\mathfrak{G}$ is generated by (0, 0) and ψ(2, 4) = (1, 0).
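The isogeny φ and the descent map of this section, as an added example (not code from the book) worked in exact rationals on Example 1 and the second example: φ(x, y) = (y²/x², y(x² − b)/x²) is checked to land on D, the composite ψφ rescaled by (1/4, 1/8) is checked against tangent-line doubling on C, and the equation of Lemma 4 is searched over small l, m to recover the point (2, 4) from (l, m, n) = (1, 1, 2). Function names and the search bound are my own.

```python
"""The 2-isogeny of section 14 and the descent map q, in exact rationals.

Added example (not code from the book).  C: Y^2 = X(X^2 + a X + b) and
D: Y^2 = X(X^2 + a1 X + b1) with a1 = -2a, b1 = a^2 - 4b.  phi sends
(x, y) on C to (lambda, mu) = (y^2/x^2, y(x^2 - b)/x^2) on D; applying the
same construction to D and scaling by (1/4, 1/8) gives multiplication by 2
on C, which is checked against tangent-line doubling.  descent_point
searches the equation of Lemma 4, q l^4 + a1 l^2 m^2 + (b1/q) m^4 = n^2,
over small l, m and turns a solution into the point it represents.
"""
from fractions import Fraction as Fr
from math import gcd, isqrt

O = None  # the point at infinity, neutral element


def dual_coeffs(a, b):
    return (-2 * a, a * a - 4 * b)


def on_curve(P, a, b):
    if P is O:
        return True
    x, y = Fr(P[0]), Fr(P[1])
    return y * y == x * (x * x + a * x + b)


def isogeny(P, a, b):
    """phi: C(a, b) -> D(a1, b1); o and the 2-torsion point (0, 0) map to o."""
    if P is O or P == (0, 0):
        return O
    x, y = Fr(P[0]), Fr(P[1])
    lam = y * y / (x * x)            # = (x^2 + a x + b) / x
    mu = y * (x * x - b) / (x * x)   # = y + y1 with (x1, y1) = (x, y) + (0, 0)
    return (lam, mu)


def double_by_isogenies(P, a, b):
    """psi(phi(P)) rescaled to (rho/4, sigma/8): multiplication by +-2 on C."""
    a1, b1 = dual_coeffs(a, b)
    Q = isogeny(isogeny(P, a, b), a1, b1)
    return O if Q is O else (Q[0] / 4, Q[1] / 8)


def double(P, a, b):
    """Tangent-line doubling on Y^2 = X^3 + a X^2 + b X, o at infinity."""
    if P is O:
        return O
    x, y = Fr(P[0]), Fr(P[1])
    if y == 0:                       # 2-torsion
        return O
    m = (3 * x * x + 2 * a * x + b) / (2 * y)
    x3 = m * m - a - 2 * x           # the three roots sum to m^2 - a
    return (x3, m * (x - x3) - y)


def squarefree_divisors(n):
    """The candidates q of Lemma 4: square-free integers (either sign) dividing n."""
    n = abs(n)
    out = []
    for d in range(1, n + 1):
        if n % d == 0 and all(d % (r * r) for r in range(2, isqrt(d) + 1)):
            out += [d, -d]
    return out


def descent_point(a1, b1, q, bound):
    """Look for q l^4 + a1 l^2 m^2 + (b1/q) m^4 = n^2 with 0 < m <= bound,
    0 <= l <= bound, gcd(l, m) = 1 (l < 0 only changes the sign of v).
    A solution corresponds, as in the proof of Lemma 3 with u = q t^2,
    t = l/m, s = n/m^2, to the affine point (q l^2/m^2, q l n/m^3) of
    Y^2 = X(X^2 + a1 X + b1) in the class q(Q*)^2.  None if nothing is
    found within the bound (which proves nothing by itself)."""
    assert b1 % q == 0
    for m in range(1, bound + 1):
        for l in range(bound + 1):
            if gcd(l, m) != 1:
                continue
            rhs = q * l**4 + a1 * l * l * m * m + (b1 // q) * m**4
            if rhs >= 0 and isqrt(rhs) ** 2 == rhs:
                n = isqrt(rhs)
                return (Fr(q * l * l, m * m), Fr(q * l * n, m**3))
    return None
```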
§14. Exercises

1. Find (i) a set of generators for $\mathfrak{G}/2\mathfrak{G}$, where $\mathfrak{G}$ is the group of rational points, and (ii) the 2-power torsion, for the following curves:
$Y^2 = X(X^2 + 3X + 5)$
$Y^2 = X(X^2 - 4X + 15)$
$Y^2 = X(X^2 + 4X - 6)$
$Y^2 = X(X^2 - X + 6)$
$Y^2 = X(X^2 + 2X + 9)$
$Y^2 = X(X^2 - 2X + 9)$

2. Invent similar questions to 1 and solve them. [Note. You cannot expect to determine $\mathfrak{G}/2\mathfrak{G}$ in every case, but you can majorize its order. It might be helpful to write a Mickey Mouse program to look for points with small co-ordinates.]

3. Let C : $Y^2 = X(X^2 + aX + b)$, D : $Y^2 = X(X^2 + a_1 X + b_1)$ with $a_1 = -2a$, $b_1 = a^2 - 4b$. (i) Show that the odd torsion groups are isomorphic. (ii) Assuming the finite basis theorem, show that the ranks [= number of generators of infinite order] are the same. (iii) Give an example to show that the orders of the groups of 2-power torsion need not be the same. Determine what the possibilities are.

4. (i) Construct an elliptic curve with a torsion element of order 8. (ii) Show that no torsion element can have order 16. (iii) Determine all abstract groups of 2-power order which can be isomorphic to the 2-power torsion of an elliptic curve. Give elliptic curves in the possible cases and give a proof of impossibility for the others.

5. (Another kind of isogeny). Let C : $Y^2 = X^3 + B$ be defined over Q and let $\beta^2 = B$, β ∈ Q. (i) Show that Y = ±β are inflexions and that 2(0, β) = (0, −β). (ii) Let x = (x, y) be generic and put
$x_2 = x + (0, -\beta)$.
Show that
$\xi = x + x_1 + x_2$, $\eta = y + y_1 + y_2$
are functions of (x, y) defined over Q and that
D : $\eta^2 = \xi^3 - 27B$.
(iii) Show that the repetition of the above map is (essentially) multiplication by 3. (iv) Denote by $\mathfrak{G}$, $\mathfrak{D}$ the groups of rational points on C, D respectively. Denote by Q(β)* the multiplicative group of non-zero elements of Q(β). If $(x, y) \in \mathfrak{G}$ and $y + \beta \in \{\mathbf{Q}(\beta)^*\}^3$, show that x is in the image of $\mathfrak{D}$ under D → C. [Hint. Put $y + \beta = (u + v\beta)^3$ and equate the coefficients of β.] (v) Show that $(x, y) \to (y + \beta)\{\mathbf{Q}(\beta)^*\}^3$ is a homomorphism
$\mu : \mathfrak{G} \to \mathbf{Q}(\beta)^*/\{\mathbf{Q}(\beta)^*\}^3$
whose kernel is the image of $\mathfrak{D}$. (vi) (Requires algebraic number theory). Show that the image of μ is finite [Hint. cf. §16]. (vii) Deduce that $\mathfrak{G}/3\mathfrak{G}$ is finite.
15 The weak finite basis theorem
In this section we show that $\mathfrak G/2\mathfrak G$ is finite, where $\mathfrak G$ is the group of rational points on the elliptic curve

$Y^2 = F(X)$,

where $F(X) = X^3 + AX + B$. The argument has similarities with that in the previous section, where we made the additional assumption that $F(X)$ has a rational root. Here we treat in a uniform manner the cases when $F(X)$ has 3 rational roots, one rational root, no rational root. We work with the commutative ring

$\mathbb Q[\theta] = \mathbb Q[T]/F(T)$,

where $T$ is a variable and $\theta$ is the image of $T$. Then $\mathbb Q[\theta]$ is the direct sum of as many fields as $F(T)$ has irreducible factors¹³. There is a norm map

$\mathrm{Norm}: \mathbb Q[\theta] \to \mathbb Q$

defined as follows. Let $\alpha \in \mathbb Q[\theta]$. The map $\zeta \to \alpha\zeta$ ($\zeta \in \mathbb Q[\theta]$) takes $\mathbb Q[\theta]$ into itself. If $\mathbb Q[\theta]$ is regarded as a 3-dimensional vector space over $\mathbb Q$, the map is linear and its determinant is defined to be $\mathrm{Norm}(\alpha)$. Clearly $\mathrm{Norm}(\alpha\beta) = \mathrm{Norm}(\alpha)\,\mathrm{Norm}(\beta)$; and $\alpha$ is invertible (i.e. has an inverse) precisely when $\mathrm{Norm}(\alpha) \ne 0$. It is readily checked that $\mathrm{Norm}(a - \theta) = F(a)$ ($a \in \mathbb Q$). Denote by $\mathbb Q[\theta]^*$ the multiplicative group of invertible elements of $\mathbb Q[\theta]$. We shall work with the group $M \subset \mathbb Q[\theta]^*/(\mathbb Q[\theta]^*)^2$ consisting of the $\alpha(\mathbb Q[\theta]^*)^2$ for which $\mathrm{Norm}\,\alpha \in (\mathbb Q^*)^2$. There is a map

$\mu: \mathfrak G \to M$

defined as follows.
(i) $\mu(\mathbf o) = 1\cdot(\mathbb Q[\theta]^*)^2$;
(ii) if $\mathbf a = (a, b) \in \mathfrak G$, $b \ne 0$, then $\mu(\mathbf a) = (a - \theta)(\mathbb Q[\theta]^*)^2$;
(iii) if¹⁴ $\mathbf a = (a, 0)$, then $F(a) = 0$, so one of the summands in the expression of $\mathbb Q[\theta]$ as a sum of fields is a copy of $\mathbb Q$ arising from the map $\theta \to a$. Hence this component of $a - \theta$ is $0$. We replace (patch) this component with any element of $\mathbb Q^*$ such that the norm of the new element of $\mathbb Q[\theta]$ is in $(\mathbb Q^*)^2$.

¹³ The preceding section has proved the weak finite basis theorem when $F(T)$ has a rational root, so it would be enough to consider the case when $\mathbb Q[\theta]$ is a field. This brings some minor simplifications to the proof.

Lemma 1. The map $\mu$ is a group homomorphism.
Proof. Let $\mathbf a_j = (a_j, b_j)$ ($j = 1, 2, 3$) be elements of $\mathfrak G$ with $\mathbf a_1 + \mathbf a_2 + \mathbf a_3 = \mathbf o$, so that they lie on a line

$Y = lX + m$, $\quad l, m \in \mathbb Q$.

Then

$F(X) - (lX + m)^2 = (X - a_1)(X - a_2)(X - a_3)$.

Replace $X$ by $\theta$:

$(a_1 - \theta)(a_2 - \theta)(a_3 - \theta) = (l\theta + m)^2$.

¹⁴ cf. preceding footnote.

If all the $b_j \ne 0$, then the $a_j - \theta$ are invertible and we are done. It remains to deal with the case when $F(T)$ is reducible and at least one of the roots is among the $a_j$. If only one of the roots, $e$ (say), of $F(T)$ is among the $a_j$, then $\mathbb Q[\theta]$ is a direct sum $K_1 \oplus K_2$ or $K_1 \oplus K_2 \oplus K_3$ of fields, where $K_1$ is the copy of $\mathbb Q$ given by $\theta \to e$. The given proof shows that the Lemma holds for the components in $K_j$ ($j \ne 1$). Since we have patched things so that the norms are always a square, the Lemma must hold for the $K_1$-components as well. The remaining case is when all the $b_j$ are $0$ and the $a_j$ are the roots of $F(T)$. Then $\mathbb Q[\theta]$ is the direct sum of three copies $K_j$ of $\mathbb Q$ by $\theta \to a_j$ ($j = 1, 2, 3$). The components of $\theta - a_1$ in $K_2$, $K_3$ are $a_2 - a_1$, $a_3 - a_1$ respectively. Hence the patch for the zero component of $\theta - a_1$ in [...]

[...] $\lambda = l_0 + l_1\theta + l_2\theta^2$ ($l_i \in \mathbb Q$) with $\sigma_j(\lambda) = t_j$ ($j = 1, 2, 3$). Show that $\lambda$ is unique.
(ii) Let $x \in \mathbb Q$ be such that $x - e_j = t_j^2$ ($j = 1, 2, 3$). Show that the $\lambda$ constructed in (i) satisfy $\lambda^2 = x - \theta$.
(iii) Find in terms of the $t_j$, $e_j$ the $s_0 \in \mathbb Q$ such that (say) $(s_0 - \theta)\lambda = r_0 + r_1\theta$ has no terms in $\theta^2$.
(iv) Show that $(x, t_1t_2t_3) = 2(s_0, ?)$ for some $? \in \mathbb Q$.
(v) On replacing $t_j$ by $\pm t_j$ (independent signs) show that one gets in general further $\mathbf x_1 \in \mathfrak G$ with $2\mathbf x_1 = \mathbf x$. What is the relation between the different $\mathbf x_1$?
(vi) Using the above with $F(X) = X(X - 3)(X + 5)$ and $\mathbf x = (4, 6)$, find all the $\mathbf x_1$ with $2\mathbf x_1 = \mathbf x$.
4. [Fermat, Euler]. By transforming it to canonical form, or otherwise, show that the only rational points $(x_1, x_2, x_3, x_4)$ on the curve

$X_1^2 - 2X_2^2 + X_3^2 = 0$, $\quad X_2^2 - 2X_3^2 + X_4^2 = 0$

are those with $x_1^2 = x_2^2 = x_3^2 = x_4^2$. If $n_1 < n_2 < n_3 < n_4$ are integers in arithmetic progression, deduce that they cannot all be perfect squares.
16 Remedial mathematics. Resultants.

As they are often not included nowadays in undergraduate courses, we give here some basic facts about resultants and discriminants. The ground field is arbitrary. Let

$F(X) = f_nX^n + f_{n-1}X^{n-1} + \dots + f_0$,
$G(X) = g_mX^m + g_{m-1}X^{m-1} + \dots + g_0$

be polynomials. The polynomials

$F(X),\ XF(X),\ \dots,\ X^{m-1}F(X),\ G(X),\ \dots,\ X^{n-1}G(X)$ $\quad (*)$

can be regarded as $m+n$ linear forms in the $m+n$ variables $X^{m+n-1}, \dots, 1$ (the "forgetful functor"). The determinant $R(F, G)$ is the resultant of $F$, $G$. It is defined only up to sign. By eliminating $X^{m+n-1}, \dots, X$ determinantally, we express $R(F, G)$ as a linear combination of the rows $(*)$, that is

(1) $\quad A(X)F(X) + B(X)G(X) = R(F, G)$,

where $A(X)$, $B(X)$ have degrees $\le m-1$, $\le n-1$ respectively. If $F$, $G$ have coefficients in a ring, say $\mathbb Z$, then $R(F, G) \in \mathbb Z$ and $A(X), B(X) \in \mathbb Z[X]$. If $F(X)$, $G(X)$ have a common zero $x$ (in the algebraic closure), then (1) implies that $R(F, G) = 0$. Conversely, suppose that $R(F, G) = 0$. Then the $(*)$ are linearly dependent, and so there are $A(X)$, $B(X)$ of degrees $\le m-1$, $n-1$, not both zero¹⁹, such that $A(X)F(X) + B(X)G(X) = 0$. If we suppose that $F(X)$, $G(X)$ have precise degrees $n$, $m$ (i.e. $f_n \ne 0$, $g_m \ne 0$), it follows that $F(X)$, $G(X)$ have a common factor, and so a common zero in the algebraic closure. If $f_n = g_m = 0$, then clearly $R(F, G) = 0$. If $f_n \ne 0$ but $g_m = 0$, then clearly $R(F, G) = f_nR(F, G^*)$, where

$G^* = g_{m-1}X^{m-1} + \dots + g_0$.

Hence the elegant formulation is that the homogeneous forms

$f_nX^n + f_{n-1}X^{n-1}U + \dots + f_0U^n$, $\quad g_mX^m + \dots + g_0U^m$

have a common zero $(x, u) \ne (0, 0)$ in the algebraic closure if and only if $R(F, G) = 0$.

Revert to the inhomogeneous polynomials and let

$F(X) = f_n\prod_j(X - \theta_j)$, $\quad G(X) = g_m\prod_k(X - \phi_k)$.

If $f_n, g_m, \theta_1, \dots, \theta_n, \phi_1, \dots, \phi_m$ are taken as variables, $R(F, G)$ is a polynomial in them. It vanishes when any $\theta_j$ is equal to any $\phi_k$. Hence and from considerations of degree,

$R(F, G) = \pm f_n^m g_m^n\prod_{j,k}(\theta_j - \phi_k) = \pm f_n^m\prod_j G(\theta_j) = \pm g_m^n\prod_k F(\phi_k)$.

¹⁹ The particular $A(X)$, $B(X)$ given by the determinantal elimination which gave (1) may, of course, both be 0.

Let $H = H(X)$ be a further polynomial. Then it readily follows that $R(F, GH) = \pm R(F, G)R(F, H)$. Further, if $G_1$, $G_2$ have the same degree and $G_1 - G_2$ is divisible by $F$, we have $R(F, G_1) = \pm R(F, G_2)$. Finally, we put $G = F'$, the (formal) derivative. Since

$F'(\theta_i) = f_n\prod_{j \ne i}(\theta_i - \theta_j)$

we have

$R(F, F') = \pm f_n^{2n-1}\prod_{i<j}(\theta_i - \theta_j)^2$.

The function on the right side with $+$ is the discriminant $D(F)$. It vanishes precisely when $F$ has a multiple root. For example, when $F(X) = X^3 + AX + B$, we have $D = 4A^3 + 27B^2$, and (1) gives

$(6AX^2 - 9BX + 4A^2)(3X^2 + A) - (18AX - 27B)(X^3 + AX + B) = 4A^3 + 27B^2$.
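The Sylvester-determinant definition of $R(F, G)$ and the explicit instance of (1) for $F = X^3 + AX + B$, as an added worked example in Python (this is not code from the book). Polynomials are coefficient lists and all arithmetic is exact with `fractions.Fraction`; the helper names are my own.

```python
from fractions import Fraction

# Polynomials are coefficient lists, highest degree first:
# [1, 0, A, B] stands for X^3 + A*X + B.  Arithmetic is exact (Fraction).

def poly_mul(p, q):
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += Fraction(a) * Fraction(b)
    return out

def poly_sub(p, q):
    n = max(len(p), len(q))
    p = [Fraction(0)] * (n - len(p)) + [Fraction(c) for c in p]
    q = [Fraction(0)] * (n - len(q)) + [Fraction(c) for c in q]
    return [a - b for a, b in zip(p, q)]

def poly_strip(p):
    """Drop leading zero coefficients; the zero polynomial becomes []."""
    i = 0
    while i < len(p) and p[i] == 0:
        i += 1
    return [Fraction(c) for c in p[i:]]

def derivative(p):
    n = len(p) - 1
    return [Fraction(c) * (n - i) for i, c in enumerate(p[:-1])]

def determinant(rows):
    """Exact determinant by Gaussian elimination over Fraction."""
    M = [[Fraction(x) for x in row] for row in rows]
    n, det = len(M), Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] != 0), None)
        if pivot is None:
            return Fraction(0)
        if pivot != col:
            M[col], M[pivot] = M[pivot], M[col]
            det = -det
        det *= M[col][col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n):
                M[r][c] -= f * M[col][c]
    return det

def resultant(F, G):
    """R(F, G): determinant of the m+n rows X^{m-1}F, ..., F, X^{n-1}G, ..., G
    written as linear forms in X^{m+n-1}, ..., 1 (the (*) of the text).
    The sign depends on the row order, so only |R| is meaningful."""
    F, G = poly_strip(F), poly_strip(G)
    n, m = len(F) - 1, len(G) - 1
    size = n + m
    rows = [[0] * i + F + [0] * (size - n - 1 - i) for i in range(m)]
    rows += [[0] * i + G + [0] * (size - m - 1 - i) for i in range(n)]
    return determinant(rows)

def cubic_discriminant(A, B):
    """D = 4A^3 + 27B^2, the sign convention of the text for X^3 + AX + B."""
    return 4 * Fraction(A) ** 3 + 27 * Fraction(B) ** 2

def resultant_matches_discriminant(A, B):
    """Check R(F, F') = +-D(F) for F = X^3 + AX + B."""
    F = [1, 0, Fraction(A), Fraction(B)]
    return abs(resultant(F, derivative(F))) == abs(cubic_discriminant(A, B))

def bezout_identity_holds(A, B):
    """Verify the instance of (1) quoted in the text:
    (6AX^2 - 9BX + 4A^2)(3X^2 + A) - (18AX - 27B)(X^3 + AX + B) = 4A^3 + 27B^2."""
    A, B = Fraction(A), Fraction(B)
    lhs = poly_sub(poly_mul([6 * A, -9 * B, 4 * A * A], [3, 0, A]),
                   poly_mul([18 * A, -27 * B], [1, 0, A, B]))
    return poly_strip(lhs) == poly_strip([cubic_discriminant(A, B)])
```

`resultant` returns 0 exactly when the two polynomials share a root, which is the common-zero criterion of the text; `bezout_identity_holds` reduces the displayed identity to a polynomial computation for any rational $A$, $B$.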
§ 16. Exercises

1. Let $F(X) \in \mathbb Z_p[X]$ have discriminant $D$ and let $a \in \mathbb Z_p$. If $|F(a)|_p < |D|_p$, show that $|F'(a)|_p \ge |D|_p$.
17 Heights. Finite Basis Theorem.

We are now in a position to introduce the notion of height, and so to complete the proof of the Finite Basis Theorem. Let $\mathbf u = (u_0, \dots, u_n)$ be a point of projective $n$-dimensional space over $\mathbb Q$. As the co-ordinates are homogeneous, we may suppose without loss of generality that

(1) $\quad u_j \in \mathbb Z$, $\quad \gcd(u_0, \dots, u_n) = 1$.

The height $H(\mathbf u)$ of $\mathbf u$ is defined to be

$H(\mathbf u) = \max_j |u_j|$

with the above normalization. In this section $|\ | = |\ |_\infty$ is the absolute value. We shall mainly but not exclusively be concerned with the projective line. We identify $x \in \mathbb Q$ with the point $(x, 1)$ on the line, and so write $H(x) = \max\{|u_0|, |u_1|\}$ if $x = u_0/u_1$ with $u_0, u_1 \in \mathbb Z$ as a fraction in its lowest terms.

Lemma 1. Let $D(U_0, U_1), E(U_0, U_1) \in \mathbb Q[U_0, U_1]$ be forms of the same degree $n$. Let $\mathbf u = (u_0, u_1)$ be a point on the rational projective line, and suppose that $D(\mathbf u)$, $E(\mathbf u)$ do not both vanish. Then
(i) $H(D(\mathbf u), E(\mathbf u)) \le c\,H(\mathbf u)^n$, where $c$ is independent of $\mathbf u$.
(ii) Suppose, further, that the resultant of $D$, $E$ is not $0$. Then there is a $\gamma > 0$, independent of $\mathbf u$, such that $H(D(\mathbf u), E(\mathbf u)) \ge \gamma\,H(\mathbf u)^n$.

Note. The additional hypothesis in (ii) is equivalent to supposing that $D$, $E$ do not have a common zero over the algebraic closure $\overline{\mathbb Q}$.

Proof. By homogeneity, we may suppose that $D(U_0, U_1), E(U_0, U_1) \in \mathbb Z[U_0, U_1]$ and that $\mathbf u = (u_0, u_1)$ is normalized by (1). Clearly $|D(\mathbf u)|, |E(\mathbf u)| \le c\{\max(|u_0|, |u_1|)\}^n$ for some $c$. In general $D(\mathbf u)$, $E(\mathbf u)$ will have a common factor, but in any case this implies the conclusion of (i). Now suppose that the hypotheses of (ii) hold and let $R$ be the resultant. Then there are homogeneous forms $L_j(U_0, U_1), M_j(U_0, U_1) \in \mathbb Z[U_0, U_1]$ ($j = 0, 1$) such that

$(*)$ $\quad L_jD + M_jE = R\,U_j^{2n-1}$ $\quad (j = 0, 1)$.

On substituting $\mathbf u$ for $\mathbf U$ we deduce that $\gcd\{D(\mathbf u), E(\mathbf u)\} \mid R$. Further, as in the proof of (i), there is a $c'$ such that $|L_j(\mathbf u)|, |M_j(\mathbf u)| \le c'\{\max(|u_0|, |u_1|)\}^{n-1}$ ($j = 0, 1$). On substituting in $(*)$ (with $\mathbf u$ for $\mathbf U$), we obtain the conclusion of (ii) with $\gamma = |R|/2c'$.

Now let $\mathbf u$, $\mathbf v$ be two points on the projective line and let

$\mathbf w = (w_0, w_1, w_2) = (u_0v_0,\ u_0v_1 + u_1v_0,\ u_1v_1)$ (say).

Lemma 2. [...]

Lemma 3. [...] there is a $c > 0$ depending only on $C$ such that

$c^{-1} \le \dfrac{H(2\mathbf x)}{H(\mathbf x)^4} \le c$.

Proof. Writing $\mathbf x = (x, y)$, $2\mathbf x = (x_2, y_2)$, we have (cf. Formulary)

$x_2 = D(x)/E(x)$,

where

$D(x) = (3x^2 + A)^2 - 8x(x^3 + Ax + B)$, $\quad E(x) = 4(x^3 + Ax + B)$.

Now the resultant of $3x^2 + A$ and $x^3 + Ax + B$ is $4A^3 + 27B^2 \ne 0$, and the formulae of the previous section show that the resultant $R$ of $D(x)$, $E(x)$ is a power of $4$ times $(4A^3 + 27B^2)^2$. Hence the conditions of both parts of Lemma 1 apply with $x = u_0/u_1$ and $n = 4$; and the result follows.

Lemma 4. Let $\mathbf x_1, \mathbf x_2 \in$ [...]

[...] by Lemma 3. Putting everything together, we have

$H(\mathbf c)^4 \le c_4\,H(\mathbf a)H(\mathbf b_j) \le \kappa\,H(\mathbf a)$,

where [...]. Hence either

$H(\mathbf c) \le \tfrac12 H(\mathbf a)$

or

$H(\mathbf a) \le (16\kappa)^{1/3} = \lambda$

(say). It follows readily that [...]. But the latter are finite in number by Lemma 5.

We conclude this section with a brief review of the properties of heights. The inequality in Lemma 4 is supplemented by one in the other direction:

$(*)$ $\quad$ [...] where $\gamma > 0$.

Indeed the $w_0, w_1, w_2$ of the proof of Lemma 4, considered as functions of indeterminates $x_1$, $x_2$, have no common zero in the algebraic closure: for $w_0 = 0$ implies $x_2 = x_1$ and then $w_1$, $w_2$ become the functions $D$, $E$ used in the proof of Lemma 3. Now $(*)$ follows from an appropriate generalization of Lemma 1. Note that Lemma 3 is now just the case $\mathbf x_2 = \mathbf x_1$ of the extended Lemma 4. We now move over to the logarithmic height $h(\mathbf x) = \log H(\mathbf x)$, so that the extended Lemma 4 gives

$|h(\mathbf x_1 + \mathbf x_2) + h(\mathbf x_1 - \mathbf x_2) - 2h(\mathbf x_1) - 2h(\mathbf x_2)| \le c$

for some constant $c$. In particular,

$|h(2\mathbf x) - 4h(\mathbf x)| \le c$.

It follows that

$\hat h(\mathbf x) = \lim_{n\to\infty} h(2^n\mathbf x)/4^n$

exists, and satisfies

$\hat h(\mathbf x_1 + \mathbf x_2) + \hat h(\mathbf x_1 - \mathbf x_2) = 2\hat h(\mathbf x_1) + 2\hat h(\mathbf x_2)$.

It is now an undergraduate exercise (cf. Exercises) to deduce that $\hat h(\mathbf x_1 + \mathbf x_2) - \hat h(\mathbf x_1) - \hat h(\mathbf x_2)$ is bilinear in $\mathbf x_1$, $\mathbf x_2$; and so that $\hat h(\mathbf x)$ is a quadratic form on $\mathfrak G$. The function $\hat h(\mathbf x)$ is called the²² canonical height. In particular

$\hat h(n\mathbf x) = n^2\hat h(\mathbf x)$,

so $\hat h(\mathbf x) = 0$ if $\mathbf x$ is torsion: the converse holds by Lemma 5 and since $\hat h(\mathbf x) - h(\mathbf x)$ is bounded.
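An added Python example, not from the book, that makes the objects of this section computable: the naive height $H$, the doubling formula of Lemma 3, the terms $h(2^n\mathbf x)/4^n$ of the limit defining $\hat h$, and an enumeration of the points of bounded height (the finite set of Lemma 5, which is also the "Mickey Mouse" search suggested in §14, Exercise 2). The curve $Y^2 = X^3 - 2$ with its point $(3, 5)$ is a constructed sample; the function names are mine.

```python
from fractions import Fraction
from math import gcd, isqrt, log

# Curve Y^2 = X^3 + A X + B over Q.  Affine points are (x, y) pairs; None
# stands for the point at infinity o.  (Constructed example code, not the
# book's; the curve Y^2 = X^3 - 2 and its point (3, 5) are a sample.)

def on_curve(A, B, P):
    if P is None:
        return True
    x, y = Fraction(P[0]), Fraction(P[1])
    return y * y == x ** 3 + A * x + B

def naive_height(x):
    """H(x) = max(|u0|, |u1|) for x = u0/u1 in lowest terms; Fraction
    normalizes the gcd and the sign for us."""
    x = Fraction(x)
    return max(abs(x.numerator), abs(x.denominator))

def double_point(A, B, P):
    """2P via the tangent line; x(2P) equals D(x)/E(x) with
    D = (3x^2 + A)^2 - 8x(x^3 + Ax + B), E = 4(x^3 + Ax + B) as in Lemma 3."""
    if P is None:
        return None
    A, B = Fraction(A), Fraction(B)
    x, y = Fraction(P[0]), Fraction(P[1])
    if y == 0:
        return None                      # P is 2-torsion, so 2P = o
    lam = (3 * x * x + A) / (2 * y)      # slope of the tangent at P
    x2 = lam * lam - 2 * x
    y2 = lam * (x - x2) - y
    return (x2, y2)

def canonical_height_term(A, B, P, n):
    """h(2^n P)/4^n with h = log H: the n-th term of the limit defining
    the canonical height; consecutive terms differ by at most c/4^n."""
    Q = P
    for _ in range(n):
        Q = double_point(A, B, Q)
    return log(naive_height(Q[0])) / 4 ** n

def rational_sqrt(q):
    """Exact square root of a non-negative Fraction, or None."""
    q = Fraction(q)
    if q < 0:
        return None
    r, s = isqrt(q.numerator), isqrt(q.denominator)
    if r * r == q.numerator and s * s == q.denominator:
        return Fraction(r, s)
    return None

def points_of_bounded_height(A, B, t):
    """All affine rational points with H(x) <= t.  Lemma 5 says this set is
    finite; it is also the 'Mickey Mouse' search of §14, Exercise 2."""
    A, B = Fraction(A), Fraction(B)
    found = []
    for u1 in range(1, t + 1):
        for u0 in range(-t, t + 1):
            if gcd(abs(u0), u1) != 1:
                continue
            x = Fraction(u0, u1)
            y = rational_sqrt(x ** 3 + A * x + B)
            if y is not None:
                found.append((x, y))
                if y != 0:
                    found.append((x, -y))
    return sorted(found)
```

Doubling $(3, 5)$ on $Y^2 = X^3 - 2$ gives $x_2 = 129/100$, so $H$ jumps from $3$ to $129$ in one step, which is the growth $H(2\mathbf x) \asymp H(\mathbf x)^4$ of Lemma 3; the terms $h(2^n\mathbf x)/4^n$ are what the limit $\hat h$ tames.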
§ 17. Exercises

1. (i) Let $a \in \mathbb Q$, $a \ne 0$. Show that $|a|_p = 1$ except for at most finitely many primes $p$ and that

$\prod_{p\ \mathrm{inc}\ \infty} |a|_p = 1$.

(ii) Let $u_0, \dots, u_n \in \mathbb Q$, not all $0$. Show that $\max_j |u_j|_p = 1$ except for at most finitely many $p$ and that

$\prod_{p\ \mathrm{inc}\ \infty} \max_j |u_j|_p = H(\mathbf u)$

is the height of the point $\mathbf u = (u_0, \dots, u_n)$ in projective space.

2. (Required in text.) Let $f(x)$ be a function defined for $x$ in a group $\mathfrak M$ and taking values in a field of characteristic $\ne 2$. Suppose that

$f(x + y) + f(x - y) = 2f(x) + 2f(y)$

for all $x, y \in \mathfrak M$. Show that $f(x) = B(x, x)$, where $B(x, y)$ is a symmetric bilinear form. [Hint. Take

$B(x, y) = \tfrac12\{f(x + y) - f(x) - f(y)\}$.

One has to show that $B(x + z, y) = B(x, y) + B(z, y)$, i.e. that

$f(x + y + z) + f(x) + f(y) + f(z) = f(y + z) + f(z + x) + f(x + y)$.

One opening gambit is to observe that $(x + y + z) + z = (x + z) + (y + z)$.]

²² There are different definitions of the canonical height. They differ by a constant factor.

3. Let $C: Y^2 = X^3 + AX + B$ and suppose that $\mathbf x_1$, $\mathbf x_2$ are independent generic points. Let $\mathbf x_3 = \mathbf x_1 + \mathbf x_2$, $\mathbf x_4 = \mathbf x_1 - \mathbf x_2$. Show that

$(x_1 - x_2)^2(x_1 + x_2 + x_3) = (y_1 - y_2)^2$, $\quad (x_1 - x_2)^2(x_1 + x_2 + x_4) = (y_1 + y_2)^2$.

Deduce that $x_1 + x_2 + x_3$, $x_1 + x_2 + x_4$ are roots of an equation

$(x_1 - x_2)^2T^2 + uT + v = 0$,

where $u$, $v$ are polynomials in $x_1$, $x_2$. Deduce that a similar result holds for $x_3$, $x_4$.

4. (Required in text.) Let $G(\mathbf X) \in \mathbb Q[\mathbf X]$ be a nonsingular quadratic form in $\mathbf X = (X, Y, Z)$ and suppose that there is an $\mathbf x = (x, y, z) \ne (0, 0, 0)$ such that $G(\mathbf x) = 0$. Show that there are linear forms $L(\mathbf X), M(\mathbf X), N(\mathbf X) \in \mathbb Q[\mathbf X]$ and a $d \in \mathbb Q^*$ such that

$G(\mathbf X) = L(\mathbf X)M(\mathbf X) + dN(\mathbf X)^2$.

[Hints. (i) Without loss of generality $\mathbf x = (1, 0, 0)$. (ii) After a linear transformation on $Y$, $Z$, we may suppose $G(\mathbf X) = XY + $ form in $Y$, $Z$. (iii) Complete the square with respect to $Z$.]

5. Let $\hat h$ be the canonical height on some curve $C$ and suppose that there are representatives of all classes of $\mathfrak G/2\mathfrak G$ in $\hat h(\mathbf x) \le t$ for some $t$. Show that $\mathfrak G$ is generated by the $\mathbf a \in \mathfrak G$ with $\hat h(\mathbf a) \le t$.
18 Local-global for genus 1
Our attention now moves from elliptic curves to curves of genus 1 in general. In this section we give a couple of examples to show that there is no local-global principle for rational points on curves of genus 1. Subsequently, we shall give a structure to the "obstruction" to a local-global principle, namely the Tate-Shafarevich group. The two examples we shall discuss are

(1) $\quad 3X^3 + 4Y^3 + 5Z^3 = 0$,

due to Selmer, and

(2) $\quad$ [...]

due (independently) to Lind and Reichardt. The techniques we have developed so far enable us to disprove the existence of rational points. We have not, however, developed techniques to show that there are solutions everywhere locally. This is because we have left a fairly highbrow discussion of curves of genus 1 over finite fields until the end (§25). The reader may, of course, verify for any given $p$ that there is a point defined over $\mathbb Q_p$ but this can never disprove the existence of some $p > 10^{10}$ (say) such that (1) or (2) has no solution in $\mathbb Q_p$. We shall assume without present proof that a curve of genus 1 over a finite field $\mathbb F_p$ always has a point defined over $\mathbb F_p$ (§25, Theorem 2). If, therefore, a curve such as (1) or (2) reduced mod $p$ is still of genus 1, then there is a point mod $p$ which can, by Lemma 1 of §10, be lifted to a point defined over $\mathbb Q_p$.

Assuming this²², the only $\mathbb Q_p$ to be considered for (1) are $p = 2, 3, 5$ and the only ones for (2) are $p = 2, 17$. It may confidently be left to the reader to confirm that there are points for these $p$. The disproof of rational points on (1) uses

Lemma 1. Let $a, b, c$ be distinct integers $> 1$ and suppose that $d = abc$ is cube free. Suppose that there are $u, v, w \in \mathbb Z$ not all $0$ such that

$au^3 + bv^3 + cw^3 = 0$.

Then there are $x, y, z \in \mathbb Z$ with $z \ne 0$ such that

$x^3 + y^3 + dz^3 = 0$.

Proof. Let $\rho^3 = 1$, $\rho \ne 1$ and put

$\xi = au^3 + \rho bv^3 + \rho^2cw^3$, $\quad \eta = au^3 + \rho^2bv^3 + \rho cw^3$.

Then

$\xi + \eta = 3au^3$, $\quad \rho\xi + \rho^2\eta = 3cw^3$, $\quad \rho^2\xi + \rho\eta = 3bv^3$

and so $\xi^3 + \eta^3 + d\zeta^3 = 0$ with $\zeta = -3uvw$. Now the two points $(\xi, \rho\eta, \zeta)$, $(\eta, \rho^2\xi, \zeta)$ are conjugate over $\mathbb Q$. Hence the line joining them meets $X^3 + Y^3 + dZ^3 = 0$ in a point defined over $\mathbb Q$ and distinct from $(1, -1, 0)$.

Lemma 2. The only point defined over $\mathbb Q$ on

$X^3 + Y^3 + 60Z^3 = 0$

is $(1, -1, 0)$.

Proof. There is no torsion, e.g. by the discussion of exceptional points on cubic curves (§6, Lemma 1). The curve is birationally equivalent over $\mathbb Q$ to [...] for which $\mathfrak G/2\mathfrak G$ is trivial by the proof at the end of the section on the weak theorem (§15, Second example). It follows from the Finite Basis Theorem that $\mathfrak G$ is trivial.

²² For the specific curves (1), (2) the number of points mod $p$ may be computed (or estimated) by other fairly elementary means, e.g. by the use of finite Fourier analysis.

Theorem 1. There are no rational points on (1).

Proof. The last two lemmas.
The preceding proof used the theory of algebraic numbers. The next proof works entirely in the rationals.

Theorem 2. There are no rational points on (2).

Proof. If not, suppose $(x, y)$ is on (2). Let $x = a/c$ as a fraction in its lowest terms. Then

$a^4 - 17c^4 = 2b^2$, $\quad \gcd(a, c) = \gcd(b, c) = \gcd(a, b) = 1$.

Putting [...] we have [...]. This equation is soluble everywhere locally, so globally, and in fact $5^2 - 17\cdot1^2 = 2\cdot2^2$. Now

$(5A + 17C + 4b)(5A + 17C - 4b) = 17(A + 5C)^2$.

If there is a common odd prime divisor of the two factors on the left hand side, it divides $5A + 17C$ and $A + 5C$, so divides $8A$ and $8C$: a contradiction. The two factors on the left hand side have the same sign, which for $A = a^2$, $C = c^2$ must be positive. Hence for integers $u$, $v$ there is one of two possibilities:

First Case: $\quad 5a^2 + 17c^2 \pm 4b = 17u^2$, $\quad 5a^2 + 17c^2 \mp 4b = v^2$, $\quad a^2 + 5c^2 = uv$.

Second Case: $\quad 5a^2 + 17c^2 \pm 4b = 34u^2$, $\quad 5a^2 + 17c^2 \mp 4b = 2v^2$, $\quad a^2 + 5c^2 = 2uv$.

In the first case

$10a^2 + 34c^2 = 17u^2 + v^2$, $\quad a^2 + 5c^2 = uv$.

We show that this is impossible in $\mathbb Q_{17}$. Write $|\ | = |\ |_{17}$. By homogeneity $\max(|a|, |c|, |u|, |v|) = 1$. Since $10$ is a quadratic non-residue mod $17$, we have

$|a| < 1$, $\quad |v| < 1$.

The second equation gives $|c| < 1$. Finally, the first equation gives $|u| < 1$. Contradiction.

The second case gives

$5a^2 + 17c^2 = 17u^2 + v^2$, $\quad a^2 + 5c^2 = 2uv$.

The proof that this is impossible in $\mathbb Q_{17}$ is similar.
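To see the "everywhere locally" half of the story at work on Selmer's curve (1), here is an added Python example (not the book's code): a brute-force search over $\mathbb F_p^3$ for a zero of the form at which some partial derivative is nonzero mod $p$, which is the hypothesis under which Lemma 1 of §10 (Hensel's lemma) lifts a point mod $p$ to a point over $\mathbb Q_p$. For $p = 3$ the search returns nothing, because $3X^3 + 4Y^3 + 5Z^3 \equiv (Y - Z)^3 \pmod 3$ has every partial derivative divisible by $3$; that is exactly why the text singles out $p = 2, 3, 5$ for separate attention. The helper names are my own.

```python
from itertools import product

# Added example (not the book's code).  Selmer's form is (1) of this
# section; every helper name is my own.

def selmer(x, y, z):
    return 3 * x**3 + 4 * y**3 + 5 * z**3

def selmer_gradient(x, y, z):
    """Partial derivatives of 3X^3 + 4Y^3 + 5Z^3."""
    return (9 * x**2, 12 * y**2, 15 * z**2)

def nonsingular_point_mod_p(p, form=selmer, gradient=selmer_gradient):
    """Search the nonzero vectors of F_p^3 for a zero of the form at which
    some partial derivative is nonzero mod p.  Such a point lifts to Q_p by
    Hensel's lemma (Lemma 1 of §10); None means no such point exists, which
    happens when the reduction mod p is no longer a curve of genus 1."""
    for x, y, z in product(range(p), repeat=3):
        if (x, y, z) == (0, 0, 0) or form(x, y, z) % p:
            continue
        if any(d % p for d in gradient(x, y, z)):
            return (x, y, z)
    return None

def liftable_points(primes):
    """Prime -> Hensel-liftable point mod p (or None) for Selmer's curve."""
    return {p: nonsingular_point_mod_p(p) for p in primes}

def integer_solutions(bound):
    """Integer solutions of (1) with every |coordinate| <= bound, excluding
    (0, 0, 0).  Theorem 1 says there are none for any bound; a finite
    search like this can only fail to find one, never prove that."""
    rng = range(-bound, bound + 1)
    return [(x, y, z) for x, y, z in product(rng, repeat=3)
            if (x, y, z) != (0, 0, 0) and selmer(x, y, z) == 0]
```

The search is cubic in $p$ and is only meant for small primes; for large $p$ one relies on the theorem of §25 quoted above rather than enumeration. Note that a point found for $p = 2$ or $p = 5$ does lift (the gradient test is what Hensel needs), even though the reduction there is degenerate.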
§ 18. Exercises

1. [Uses algebraic number theory.] Supply the details of the following alternative proof of Theorem 2.
(i) The field $\mathbb Q(\sqrt{17})$ has class number 1. A basis of integers is $1, \tfrac12(1 + \sqrt{17})$. A fundamental unit is $4 + \sqrt{17}$ of norm $-1$. The prime $2$ splits into $(5 \pm \sqrt{17})/2$.
(ii) Suppose $a^4 - 17c^4 = 2b^2$ with $a, b, c \in \mathbb Z$, $\gcd(a, c) = 1$. Then $a$, $c$ are odd and [...] are coprime.
(iii) [...] for some unit $\eta$ and some integer $\mu$.
(iv) $\eta > 0$ in both real embeddings. Hence $\eta$ is a square and so can be absorbed in $\mu^2$.
(v) Put $\eta = 1$, $\mu = (u + v\sqrt{17})/2$ in [...] and equate terms independent of $\sqrt{17}$. Then

$4a^2 = 5(u^2 + 17v^2) \pm 34uv$,

which is impossible in $\mathbb Q_3$ (and in $\mathbb Q_{17}$).
19 Elements of Galois cohomology
In the next section we have occasion to consider two curves which are both defined over $\mathbb Q$ and which are birationally equivalent over $\overline{\mathbb Q}$. Here we consider a simpler case and then set up some general machinery. The conic

$A: X_1^2 + X_2^2 = 3$

has no rational point and so is not equivalent over $\mathbb Q$ to the line (co-ordinate $Y$, no equation). They are, however, equivalent over $\mathbb Q(\sqrt3)$, for example by the equations

$y = (x_1 - \sqrt3)/x_2$, $\quad x_2 = \dfrac{-2\sqrt3\,y}{y^2 + 1}$.

Let $y$ be transcendental, so $x_1, x_2$ is a generic point of $A$. The Galois group $\mathrm{Gal}(\mathbb Q(\sqrt3)/\mathbb Q)$ can be made to act in two different ways on $\mathbb Q(\sqrt3, y) = \mathbb Q(\sqrt3, x_1, x_2)$. We can either make it act trivially on $y$ or we can make it act trivially on $(x_1, x_2)$. In the first case, the non-trivial element of the Galois group induces the automorphism [...] of $A$. In the second case, it induces the automorphism $y \to -1/y$ of the line.

In the example, we have used the birational equivalence to identify the two function fields. In the general theory it is better to make it explicit. Let $A$, $B$ be two curves defined over $\mathbb Q$ and let

$\phi: A \to B$

be a birational equivalence defined over $\overline{\mathbb Q}$. Let $\sigma \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$. We can let $\sigma$ act on the coefficients in $\phi$ and so obtain another birational equivalence

$\sigma\phi: A \to B$.

Then

$\theta_\sigma$ (say) $= (\sigma\phi)\phi^{-1}: B \to B$

is a birational automorphism defined over $\overline{\mathbb Q}$. We can act on $\theta_\sigma$ by $\tau \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$. Then

$\tau\theta_\sigma = (\tau\sigma\phi)(\tau\phi)^{-1} = [(\tau\sigma\phi)\phi^{-1}][\phi(\tau\phi)^{-1}] = \theta_{\tau\sigma}\theta_\tau^{-1}$.

Hence $\theta_{\tau\sigma} = (\tau\theta_\sigma)\theta_\tau$. This is the²³ cocycle identity and $\{\theta_\sigma\}$ is a cocycle. Let there be another birational equivalence $\phi': A \to B$ defined over $\overline{\mathbb Q}$, so

$\phi' = \omega\phi$

for some automorphism $\omega: B \to B$. Then

$\theta'_\sigma = (\sigma\omega)\theta_\sigma\omega^{-1}$.

The two cocycles $\{\theta_\sigma\}$ and $\{\theta'_\sigma\}$ are said to be cobounding. If $\phi$ is defined over $\mathbb Q$, we have

$\theta'_\sigma = (\sigma\omega)\omega^{-1}$,

a coboundary. In this case $A$, $B$ are birationally equivalent over $\mathbb Q$; but we have chosen to use a different equivalence.

²³ We owe the rococo terminology to the topologists.

Given $B$ and the cocycle $\{\theta_\sigma\}$, we can reconstruct $A$ (up to a birational equivalence defined over $\mathbb Q$). For let $\mathbf x$ be a generic point of $B$. We define an action $\tilde\sigma$ of the $\sigma \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$ on $\overline{\mathbb Q}(\mathbf x)$ as follows: $\tilde\sigma$ acts on $\overline{\mathbb Q}$ by $\sigma$, and

$\tilde\sigma\mathbf x = \theta_\sigma\mathbf x$.

Then for $\tau \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$ we have

$\tilde\tau(\tilde\sigma\mathbf x) = (\tau\theta_\sigma)(\tilde\tau\mathbf x) = (\tau\theta_\sigma)\theta_\tau\mathbf x = \theta_{\tau\sigma}\mathbf x$.

Thus

$(\tau\sigma)^\sim = \tilde\tau\tilde\sigma$.

The fixed field of the $\tilde\sigma$ is a function field over $\mathbb Q$, and so gives $A$ up to birational equivalence over $\mathbb Q$.
§ 19. Exercises
1. Let $\sigma$ run through $\mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$. Find a cocycle $\{\theta_\sigma\}$ of birational automorphisms which twist the line into

$X_1^2 + X_2^2 = n$,

where $n$ is any given element of $\mathbb Q^*$. When $n = 5$ give an explicit representation of your cocycle as a coboundary. Is your cocycle a coboundary when $n = 3$?
20 Construction of the jacobian
Let $V$ be a curve of genus 1 defined over $\mathbb Q$. In this section we construct an elliptic curve $C$, also defined over $\mathbb Q$, which is closely related to it. This relationship will be exploited in subsequent sections. We must initially consider birational equivalences between elliptic curves. We work at first over a general field. Let

$C_j: Y^2 = X^3 + A_jX + B_j$ $\quad (j = 1, 2)$

and let

$\phi: C_1 \to C_2$

be a birational correspondence. By considering $\phi(\mathbf x) - \phi(\mathbf o_1)$ instead of $\phi(\mathbf x)$, we may suppose without loss of generality that

$\phi(\mathbf o_1) = \mathbf o_2$,

where $\mathbf o_j$ is the point at infinity on $C_j$. The correspondence must take functions with poles of order 1 into such functions. Hence $\phi(X) = aX + b$ for some $a, b$. Similarly

$\phi(Y) = cY + dX + e$.

The form of the equations for $C_j$ imply that

$d = e = 0$, $\quad b = 0$, $\quad a^3 = c^2$

and so, for some $\delta$,

(1) $\quad A_2 = \delta^4A_1$, $\quad B_2 = \delta^6B_1$.

In particular, $A_2^3/B_2^2 = A_1^3/B_1^2$ is invariant under birational equivalence. It is conventional to work with the birational invariant

$j(C) = \dfrac{1728(4A^3)}{4A^3 + 27B^2}$

of

$C: Y^2 = X^3 + AX + B$.

The notation $j$ is standard. The constant $1728 = 12^3$ is suggested by the complex variable theory. Note that every elliptic curve gives a finite value of $j$: it is the degenerate curves that send $j$ to infinity.
Lemma 1. Two elliptic curves in canonical form which are birationally equivalent are related by (1) for some $\delta$. In particular, they have the same $j$-invariant. Further, $\delta$ is in any field over which the curves and the equivalence are defined.

Corollary. Any birational equivalence of the elliptic curve $C: Y^2 = X^3 + AX + B$ taking $\mathbf o$ into $\mathbf o$ is of the form $Y \to \delta^3Y$, $X \to \delta^2X$. If $AB \ne 0$, then $\delta^2 = 1$. If $B = 0$, then $\delta^4 = 1$ and if $A = 0$, then $\delta^6 = 1$.

Proof. Clear from (1) with $C = C_1 = C_2$.

Let us return to the main topic of the section. Let $V$ be a curve of genus 1 defined over $\mathbb Q$. In general it will not have a rational point and, if it has, we may not be able to find one: but there is no difficulty in finding a point defined over $\overline{\mathbb Q}$. Hence there is a birational correspondence

$\phi: V \to C$

defined over $\overline{\mathbb Q}$, where $C$ is in canonical form but defined over $\overline{\mathbb Q}$. Let $\sigma \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$. We can act on the birational correspondence with $\sigma$ and obtain

$\sigma\phi: V \to \sigma C$,

where

$\sigma C: Y^2 = X^3 + \sigma A\,X + \sigma B$.

Now $C$ and $\sigma C$ are birationally equivalent over $\overline{\mathbb Q}$ by $(\sigma\phi)\phi^{-1}$. Hence $\sigma j(C) = j(\sigma C) = j(C)$; that is, $j(C) \in \mathbb Q$ or equivalently $A^3/B^2 \in \mathbb Q$ if $AB \ne 0$. Hence by a transformation $X \to t^2X$, $Y \to t^3Y$ ($t \in \overline{\mathbb Q}$) we may suppose without loss of generality that $C$ is defined over $\mathbb Q$. Of course in general $\phi$ is defined only over $\overline{\mathbb Q}$. Now

$\theta_\sigma = (\sigma\phi)\phi^{-1}$

is an automorphism of $C$. Suppose, first, that $AB \ne 0$. Then by Lemma 1, Corollary, the automorphism $\theta_\sigma$ of $C$ must be

$\theta_\sigma: \mathbf x \to \varepsilon_\sigma\mathbf x + \mathbf a_\sigma$

for some point $\mathbf a_\sigma$ defined over $\overline{\mathbb Q}$ and $\varepsilon_\sigma = \pm1$. We are in the position discussed in the previous section, so $\theta_{\tau\sigma} = (\tau\theta_\sigma)\theta_\tau$. In particular, since $\varepsilon_\sigma \in \mathbb Q$, we have

$\varepsilon_{\tau\sigma} = \varepsilon_\tau\varepsilon_\sigma$,

so $\varepsilon_\sigma$ is a group character. We would like to ensure that $\varepsilon_\sigma$ is always $1$. If not, there is some $d \in \mathbb Q$ such that [...]. The transformation $X \to dX$, $Y \to d\sqrt d\,Y$ gives a new $C$ defined over $\mathbb Q$: and with this we do indeed have $\varepsilon_\sigma = 1$ always.

If $AB = 0$, the same conclusion holds but the argument is a little deeper²⁴. Suppose that $B = 0$, so $\varepsilon_\sigma^4 = 1$, where we define $\mathbf x \to \varepsilon\mathbf x$ by $X \to \varepsilon^2X$, $Y \to \varepsilon^3Y$. Now $\mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$ acts on $\varepsilon$, and $\varepsilon_{\tau\sigma} = (\tau\varepsilon_\sigma)\varepsilon_\tau$. By "Hilbert 90" (see Exercises) there is a $\delta \in \overline{\mathbb Q}$ with $\delta^4 \in \mathbb Q$ such that

$\sigma\delta = \varepsilon_\sigma\delta$.

We can now modify $C$, as before, so that $\varepsilon_\sigma = 1$ identically on the new $C$. Similarly for $A = 0$. Thus in every case we have found a $C$ defined over $\mathbb Q$ and a birational equivalence

$\phi: V \to C$

defined over $\overline{\mathbb Q}$ such that

$(\sigma\phi)\phi^{-1} = \theta_\sigma: \mathbf x \to \mathbf x + \mathbf a_\sigma$

for all $\sigma \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$. To sum up, we have proved:

²⁴ And may be omitted at first reading.

Theorem 1. Let $V$ be a curve of genus 1 defined over $\mathbb Q$. There is an elliptic curve $C$ defined over $\mathbb Q$ and a birational equivalence

$\phi: V \to C$

defined over $\overline{\mathbb Q}$ such that, for every $\sigma \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$, the map

$\theta_\sigma = (\sigma\phi)\phi^{-1}: C \to C$

is of the form $\mathbf x \to \mathbf x + \mathbf a_\sigma$ for some $\mathbf a_\sigma \in \overline{\mathfrak G}$. Further, $C$ is unique up to birational equivalence over $\mathbb Q$.

The elliptic curve $C$ is the jacobian of $V$. Before exploring this situation further, we require some new machinery, introduced in the next section.
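The $j$-invariant, relation (1), and the quadratic twist $X \to dX$, $Y \to d\sqrt d\,Y$ used in the argument above, as an added Python example (not code from the book). It shows the invariance of $j$ under $X \to \delta^2X$, $Y \to \delta^3Y$, and that a twist by a non-square $d$ has the same $j$ although the $\delta$ relating the two curves is $\sqrt d \notin \mathbb Q$. Function names and sample coefficients are mine.

```python
from fractions import Fraction

# Added example (not the book's code); helper names are my own.

def j_invariant(A, B):
    """j(C) = 1728 * 4A^3 / (4A^3 + 27B^2) for C: Y^2 = X^3 + AX + B."""
    A, B = Fraction(A), Fraction(B)
    disc = 4 * A**3 + 27 * B**2
    if disc == 0:
        raise ValueError("degenerate curve: 4A^3 + 27B^2 = 0, j is infinite")
    return 1728 * 4 * A**3 / disc

def rescale(A, B, delta):
    """Relation (1): the curve obtained by X -> delta^2 X, Y -> delta^3 Y
    has coefficients A2 = delta^4 A1, B2 = delta^6 B1."""
    delta = Fraction(delta)
    return (delta**4 * Fraction(A), delta**6 * Fraction(B))

def quadratic_twist(A, B, d):
    """X -> dX, Y -> d*sqrt(d) Y, i.e. rescale with delta = sqrt(d):
    A -> d^2 A, B -> d^3 B.  Same j; but delta is rational only when d is
    a square, so the twist need not be equivalent to C over Q."""
    d = Fraction(d)
    return (d**2 * Fraction(A), d**3 * Fraction(B))

def delta_squared(A1, B1, A2, B2):
    """If (A2, B2) = (delta^4 A1, delta^6 B1) for some delta, return
    delta^2; None if no delta exists.  The curves are equivalent over Q
    precisely when some delta with this square lies in Q (Lemma 1).
    Restricted to A B != 0, the case settled by the Corollary."""
    A1, B1, A2, B2 = (Fraction(v) for v in (A1, B1, A2, B2))
    if A1 * B1 == 0 or A2 * B2 == 0:
        return None
    d2 = (B2 * A1) / (B1 * A2)      # delta^6 / delta^4
    if d2**2 * A1 == A2 and d2**3 * B1 == B2:
        return d2
    return None
```

`delta_squared` returning a rational that is not a square in $\mathbb Q$ is exactly the situation of a non-trivial character $\varepsilon_\sigma$ above: the two curves are isomorphic over $\mathbb Q(\sqrt d)$ but not over $\mathbb Q$.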
§ 20. Exercises

1. Construct the jacobian of
(i) $Y^2 = aX^4 + bX^2 + c$ ($a, c \in \mathbb Q^*$, $b \in \mathbb Q$, $b^2 - 4ac \ne 0$).
(ii) $aX^3 + bY^3 + cZ^3 = 0$ ($a, b, c \in \mathbb Q^*$).
(iii) $aX^3 + bY^3 + cZ^3 + mXYZ = 0$ ($a, b, c, m \in \mathbb Q^*$).
(iv) $Y^2 = aX^4 + bX^3 + cX^2 + dX + e$.

2. Let $V$ be the curve of genus 1 given by the redundant equations

$(e_2 - e_1)t^2 = d_1v_1^2 - d_2v_2^2$,
$(e_3 - e_2)t^2 = d_2v_2^2 - d_3v_3^2$,
$(e_1 - e_3)t^2 = d_3v_3^2 - d_1v_1^2$,

where $e_1, e_2, e_3$ are distinct and $d_j \in \mathbb Q^*$, $d_1d_2d_3 = 1$. Show that there is a point of $V$ defined over $\kappa = \mathbb Q(d_1^{1/2}, d_2^{1/2})$ and hence find a map $\phi: V \to C$ defined over $\kappa$ into

$C: Y^2 = (X - e_1)(X - e_2)(X - e_3)$.

Show that the cocycle

$(\sigma\phi)\phi^{-1} = \theta_\sigma: C \to C$

for $\sigma \in \mathrm{Gal}(\kappa/\mathbb Q)$ is of the type $\mathbf x \to \mathbf x + \mathbf a_\sigma$ where $2\mathbf a_\sigma = \mathbf o$. Deduce that $C$ is the jacobian of $V$.
3. In this exercise the ground field is $\mathbb Q(\rho)$, where $\rho^3 = 1$, $\rho \ne 1$. Let $a, b, c \in \mathbb Q(\rho)$, and let

$V: aU^3 + bV^3 + cW^3 = 0$, $\quad C: X^3 + Y^3 + abcZ^3 = 0$.

Put $\kappa = \mathbb Q(\rho, a^{1/3}, b^{1/3})$ and let $\phi: V \to C$ be given by

$X = a^{1/3}U$, $\quad Y = b^{1/3}V$, $\quad Z = a^{-1/3}b^{-1/3}W$.

Show that the corresponding $\theta_\sigma$ is

$\theta_\sigma: \mathbf x \to \mathbf x$, or $\mathbf x + (\rho, -\rho^2, 0)$ or $\mathbf x + (\rho^2, -\rho, 0)$.

Deduce that $C$ is the jacobian of $V$.

The remaining exercises fill in the proof that (in the notation of the text) one can arrange to have $\varepsilon_\sigma = 1$ when $AB = 0$.

4. Let $\kappa/k$ be a finite normal (separable) extension of fields of degree $n$. Let $\alpha_1, \dots, \alpha_n$ be a basis of $\kappa/k$ and let $\sigma_1, \dots, \sigma_n$ be the elements of the Galois group. Show that [...] [Hint. $\kappa = k(\beta)$ for some $\beta$. Note. In what is still the finest introduction to Galois theory, (Galois Theory. Notre Dame Mathematical Lectures 2, 1942. Second edn., 1948.) E. Artin proves this at the onset by an induction argument.]

5. Let $\kappa/k$ be a finite normal (separable) extension. For $\sigma \in \mathrm{Gal}(\kappa/k)$ let $\theta_\sigma \in \kappa^*$ be given satisfying the cocycle identity $\theta_{\tau\sigma} = (\tau\theta_\sigma)\theta_\tau$. Show that $\{\theta_\sigma\}$ is a coboundary, i.e. that

$\theta_\sigma = (\sigma\gamma)\gamma^{-1}$ $\quad$ (all $\sigma$),

for some $\gamma \in \kappa^*$. [Hint. Let $\lambda \in \kappa$. Show that

$\gamma = \sum_\sigma \theta_\sigma(\sigma\lambda)$

does what is required provided that $\gamma \ne 0$. Use Lemma 2 to show that $\lambda$ can be so chosen. Note. This result is usually known as Hilbert 90 because it is Satz 90 in Hilbert's Zahlbericht, his report on algebraic number theory to the German Mathematical Society at the end of the last century.]

6. Let $n > 1$ be an integer. For $\sigma \in \mathrm{Gal}(\overline{\mathbb Q}/\mathbb Q)$ let $\theta_\sigma$ be an $n$th root of $1$ and suppose that $\{\theta_\sigma\}$ is a cocycle. Show that there is a $\delta \in \overline{\mathbb Q}$ such that $\theta_\sigma = \sigma\delta/\delta$ and $\delta^n \in \mathbb Q$.
21 Some abstract nonsense²⁵

Let $\Gamma$ be a finite group which acts on an abelian group $A$ (written additively). The action is written $\sigma a$ ($\sigma \in \Gamma$, $a \in A$). A cocycle is a map $\Gamma \to A$, say

$\sigma \to a_\sigma$

which satisfies the cocycle identity

$a_{\sigma\tau} = \sigma a_\tau + a_\sigma$ $\quad (\sigma, \tau \in \Gamma)$.

Note that for $\tau = 1$ (the identity of $\Gamma$) this implies

$a_1 = 0$.

If $b \in A$, then it is easy to see that

$a_\sigma = \sigma b - b$

is a cocycle. Cocycles of this type are called coboundaries. Cocycles form a group under elementwise addition

$\{a_\sigma\} + \{b_\sigma\} = \{a_\sigma + b_\sigma\}$.

The coboundaries are a subgroup. The quotient group is

$H^1(\Gamma, A)$,

the first cohomology group.

²⁵ This is a self-contained account of what is needed from the cohomology of groups and commutative Galois cohomology. For how it fits into a wider picture, see, for example, Chapters IV and V of J.W.S. Cassels and A. Fröhlich (Editors) Algebraic number theory, Academic Press (1967). The treatment here is suggested by that in C. Chevalley Class field theory, Nagoya (1954).

Now $\Gamma$ acts on the whole situation ("transfer of structure"). $\Gamma$ acts on itself by inner automorphisms. So $\tau$ acts on the map (cocycle)

$\{a_\sigma\}: \sigma \to a_\sigma$

to give

$\tau\{a_\sigma\}: \sigma \to \tau a_{\tau^{-1}\sigma\tau}$.

Or, writing $\sigma$ for $\tau\sigma\tau^{-1}$, this sends $\tau\sigma\tau^{-1} \to \tau a_\sigma$. This is a cocycle, as it has to be; and indeed

$\tau\{a_\sigma\} - \{a_\sigma\}: \sigma \to a_{\sigma\tau} - a_\tau - a_\sigma$

is a coboundary. Hence

Lemma 0. $\Gamma$ acts trivially on $H^1(\Gamma, A)$.
Lemma 1. Every element of $H^1(\Gamma, A)$ is of finite order dividing²⁶ $\#\Gamma$.

Proof. Let the element be represented by the cocycle $\{a_\sigma\}$. Then, from what we have seen, it is also represented by the cocycle

$\tau\{a_\sigma\} = \{a_{\sigma\tau} - a_\tau\}$.

But now

$\sum_\tau \tau\{a_\sigma\} = \{0\}$

[Recall that $a_1 = 0$.]

²⁶ We use $\#$ for the cardinality of a set.

Lemma 2. Let $m \in \mathbb Z$, $m > 1$. Denote by $\Delta_m \subset A$ the set of elements of order dividing $m$. Suppose that every element of $A$ is divisible by $m$ in $A$. Then every element of $H^1(\Gamma, A)$ of order $m$ is representable by a cocycle $\{d_\sigma\}$, $d_\sigma \in \Delta_m$.

Proof. Let the given element of $H^1(\Gamma, A)$ be represented by $\{a_\sigma\}$. By hypothesis, $m\{a_\sigma\}$ is a coboundary, say $ma_\sigma = \sigma b - b$ ($b \in A$). Under the hypotheses of the Lemma, $b = mc$, $c \in A$ so

$ma_\sigma = m\sigma c - mc$,

that is

$m(a_\sigma - \sigma c + c) = 0$.

Hence the element of $H^1$ is represented by $\sigma \to a_\sigma - \sigma c + c \in \Delta_m$, as required.

Denote by $A^\Gamma$ the set of elements of $A$ fixed by $\Gamma$:

$a \in A^\Gamma \iff \sigma a = a$ $\quad$ (all $\sigma \in \Gamma$).

Lemma 3. Notation and hypotheses as in previous Lemma. Then $A^\Gamma/mA^\Gamma$ is canonically isomorphic to a subgroup of $H^1(\Gamma, \Delta_m)$.

Proof. Let $a \in A^\Gamma$. By hypothesis $a = mb$, $b \in A$. On applying $\sigma \in \Gamma$, we have

$a = \sigma a = m\sigma b$,

and so

$d_\sigma = \sigma b - b$, $\quad md_\sigma = 0$.

Hence $\{d_\sigma\}$ is a cocycle with values in $\Delta_m$ (indeed it becomes a coboundary in $A$). For given $a$, any other choice of $b$ is of the type $b + c$, $c \in \Delta_m$. Hence the element of $H^1(\Gamma, \Delta_m)$ given by $\{d_\sigma\}$ is uniquely determined by $a$. If $a \in mA^\Gamma$, we may take $b \in A^\Gamma$, so $d_\sigma = 0$ for all $\sigma$, and the image in $H^1(\Gamma, \Delta_m)$ is $0$. Conversely suppose that the cocycle constructed above is a coboundary, so

$d_\sigma = \sigma e - e$ $\quad \forall\sigma \in \Gamma$, some $e \in \Delta_m$.

Then

$\sigma(b - e) = b - e$ $\quad$ (all $\sigma \in \Gamma$);

and so

$m(b - e) = a$.

We can put the last two lemmas together. We repeat the hypothesis.
Theorem. Suppose that $m > 1$ is an integer and that every element of $A$ is divisible by $m$. Then the sequence

$0 \to A^\Gamma/mA^\Gamma \to H^1(\Gamma, \Delta_m) \to [H^1(\Gamma, A)]_m \to 0$

is exact, where $[\dots]_m$ denotes the group of elements of order dividing $m$, and the third map is induced by $\Delta_m \hookrightarrow A$.

Proof. After Lemmas 2, 3 we need only prove exactness at $H^1(\Gamma, \Delta_m)$, i.e. that the image of

$A^\Gamma/mA^\Gamma \to H^1(\Gamma, \Delta_m)$

is exactly the kernel of

$H^1(\Gamma, \Delta_m) \to [H^1(\Gamma, A)]_m$.

Consider first an element of the image, given (say) by the cocycle $\{d_\sigma\}$. By hypothesis, $d_\sigma = \sigma b - b$, $b \in A$ and so $\{d_\sigma\}$ considered as taking values in $A$, is a coboundary. Thus Image $\subset$ Kernel. Now let the cocycle represented by $\{d_\sigma\}$ be in the kernel, i.e. $\{d_\sigma\}$ is a coboundary for $A$: $d_\sigma = \sigma b - b$, some $b \in A$. Then

$\sigma(mb) - mb = md_\sigma = 0$ $\quad$ (all $\sigma$)

and so $mb \in A^\Gamma$. Hence Kernel $\subset$ Image.

Galois cohomology. Let $k$ be a field and $\bar k$ its separable closure ($=$ algebraic closure in characteristic $0$, the case of interest). Put $\Gamma = \mathrm{Gal}(\bar k/k)$. We say that the action $a \to \sigma a$ ($\sigma \in \Gamma$, $a \in A$) of $\Gamma$ on the abelian group $A$ is continuous if:

For every $a \in A$ there is an extension $\kappa$ of $k$ of finite degree $[\kappa : k] < \infty$ (depending on $a$) such that $\sigma a = a$ (all $\sigma \in \mathrm{Gal}(\bar k/\kappa) \subset \mathrm{Gal}(\bar k/k)$).
Note 1. An example is: $k = \mathbf Q$, $C$ a curve $Y^2 = X^3 + AX + B$ defined over $\mathbf Q$, $A = \bar{\mathfrak G}$ (the group of points of $C$ defined over $\bar{\mathbf Q}$).

Note 2. If $A$ has any natural topology, this is disregarded. For us the word "continuous" is just a term of art. The action is continuous in the usual sense if $\Gamma$ is given an appropriate topology and $A$ the discrete topology.

A continuous cocycle is a map
$$\sigma \to a_\sigma \quad (\sigma \in \Gamma,\ a_\sigma \in A)$$
which (i) satisfies the cocycle identity
$$a_{\sigma\tau} = a_\sigma + \sigma a_\tau \quad (\sigma, \tau \in \Gamma),$$
and (ii) is continuous in the sense that there is a normal extension $\kappa/k$ of finite degree $[\kappa : k] < \infty$ such that $a_\sigma$ depends only on the action of $\sigma$ on $\kappa$ [Of course $\kappa$ may depend on $\{a_\sigma\}$]. In particular,
$$a_{\sigma\tau} = a_\sigma \quad (\text{all } \tau \in \mathrm{Gal}(\bar k/\kappa)),$$
so
$$a_\tau = 0 \quad (\text{all } \tau \in \mathrm{Gal}(\bar k/\kappa)),$$
and hence, since $\kappa/k$ is normal and so $a_{\tau\sigma} = a_\sigma$,
$$\tau a_\sigma = a_{\tau\sigma} - a_\tau = a_\sigma \quad (\text{all } \tau \in \mathrm{Gal}(\bar k/\kappa),\ \text{all } \sigma \in \mathrm{Gal}(\bar k/k)),$$
i.e. every $a_\sigma$ is fixed by $\mathrm{Gal}(\bar k/\kappa)$.

If $\{a_\sigma\}$, $\{b_\sigma\}$ are continuous cocycles, then clearly $\{a_\sigma + b_\sigma\}$ is continuous. A coboundary $\{\sigma c - c\}$, $c \in A$, is automatically continuous, by our hypothesis that $\Gamma$ acts continuously on $A$.

Definition. $H^1(\Gamma, A)$ is the group of continuous cocycles modulo coboundaries.

By following the proofs of the $\Gamma$ finite case it is straightforward to prove

Theorem 1. $H^1(\Gamma, A)$ is torsion (i.e. every element has finite order).

Theorem 2. Let $m > 1$ be an integer and suppose that every element of $A$ is divisible by $m$. Then the sequence
$$0 \to A^\Gamma/mA^\Gamma \to H^1(\Gamma, \Delta_m) \to [H^1(\Gamma, A)]_m \to 0$$
is exact where (as in the previous section)
(i) $A^\Gamma$ is the set of $a \in A$ fixed by $\Gamma$;
(ii) $\Delta_m$ is the set of elements of $A$ of order dividing $m$;
(iii) $[H^1(\Gamma, A)]_m$ is the set of elements of $H^1(\Gamma, A)$ of order dividing $m$.
Appendix (to §21).[27] Localization

Let $p$ be a fixed prime. Choose a fixed embedding
$$\lambda : \bar{\mathbf Q} \hookrightarrow \bar{\mathbf Q}_p.$$
Write
$$\Gamma = \mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q), \qquad \Gamma_p = \mathrm{Gal}(\bar{\mathbf Q}_p/\mathbf Q_p);$$
so $\lambda$ induces an embedding
$$\lambda^* : \Gamma_p \to \Gamma.$$
Let $A$ be a continuous $\Gamma$-module. Then it is, via $\lambda^*$, a continuous $\Gamma_p$-module. Let $\{a_\sigma\}$, $\sigma \in \Gamma$, be a continuous cocycle. By restricting $\sigma$ to $\Gamma_p$, we have a continuous $\Gamma_p$-cocycle. Hence we have a group homomorphism
$$\lambda^! : H^1(\Gamma, A) \to H^1(\Gamma_p, A)$$
[localization: a special case of the "restriction map"]. Ostensibly $\lambda^!$ depends on the embedding $\lambda$, but we show that it does not. Any embedding $\tilde\lambda$ of $\bar{\mathbf Q} \hookrightarrow \bar{\mathbf Q}_p$ is of the shape $\tilde\lambda = \lambda\mu$, where $\mu$ is an automorphism of $\bar{\mathbf Q}/\mathbf Q$. By the analogue of Lemma 0 of the "Finite $\Gamma$" section, $\mu$ acts trivially on $H^1(\Gamma, A)$, and so $\tilde\lambda^! = \lambda^!$. Thus the map is canonical.

[27] May be omitted at first reading. As will be explained, the result obtained here is obvious from another point of view in the context of the course.

In the context of the course, we have an elliptic curve $Y^2 = X^3 + AX + B$ defined over $\mathbf Q$. Let $\bar{\mathfrak G}$, $\bar{\mathfrak G}_p$ be the points defined over $\bar{\mathbf Q}$, $\bar{\mathbf Q}_p$ respectively. We are concerned with the map
$$H^1(\Gamma, \bar{\mathfrak G}) \to H^1(\Gamma_p, \bar{\mathfrak G}_p),$$
which may be regarded as
$$H^1(\Gamma, \bar{\mathfrak G}) \to H^1(\Gamma_p, \bar{\mathfrak G}) \to H^1(\Gamma_p, \bar{\mathfrak G}_p),$$
the second induced by the embedding $\bar{\mathfrak G} \hookrightarrow \bar{\mathfrak G}_p$. Later we interpret an element of $H^1(\Gamma, \bar{\mathfrak G})$ as a curve $\mathcal V$ defined over $\mathbf Q$ together with a choice of structure as a principal homogeneous space. A curve $\mathcal V$ defined over $\mathbf Q$ is certainly defined over $\mathbf Q_p$; with its structure of principal homogeneous space it thus corresponds to an element of $H^1(\Gamma_p, \bar{\mathfrak G}_p)$. The resulting map $H^1(\Gamma, \bar{\mathfrak G}) \to H^1(\Gamma_p, \bar{\mathfrak G}_p)$ is precisely the one constructed above.
22 Principal homogeneous spaces and Galois cohomology

Let $\mathcal V$ be a curve of genus 1 defined over $\mathbf Q$. We have seen (§20, Theorem 1) that there is an elliptic curve
$$C : Y^2 = X^3 + AX + B$$
defined over $\mathbf Q$ and a birational equivalence
$$\phi : \mathcal V \to C$$
defined over $\bar{\mathbf Q}$. Further, for any $\sigma \in \mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$ the map $(\sigma\phi)\phi^{-1} : C \to C$ is of the type
$$\mathbf x \to \mathbf x + a_\sigma, \qquad a_\sigma \in \bar{\mathfrak G}.$$
The elliptic curve $C$ is unique up to a transformation $X \to s^2 X$, $Y \to s^3 Y$, $s \in \mathbf Q^*$. Of course $\phi$ and the $a_\sigma$ are far from being unique. $C$ is the jacobian of $\mathcal V$.

We have to discuss how far the elements of the above situation are arbitrary. We note first that (by the previous discussion) the $a_\sigma$ satisfy the cocycle identity
$$a_{\sigma\tau} = a_\sigma + \sigma a_\tau,$$
as one sees by writing $(\sigma\tau\phi)\phi^{-1} = \sigma\big((\tau\phi)\phi^{-1}\big)\cdot(\sigma\phi)\phi^{-1}$. Now the $a_\sigma$ are in the commutative group $\bar{\mathfrak G}$, and we may invoke the machinery of §21.

On replacing the map $\phi$ by $\psi\phi$, where
$$\psi : C \to C, \qquad \mathbf x \to \mathbf x + b \quad (b \in \bar{\mathfrak G}),$$
we replace $\{a_\sigma\}$ by
$$a_\sigma + (\sigma b - b),$$
where $\sigma b - b$ is a coboundary. In the commutative case, the coboundaries are a subgroup of the cocycles and so $\{a_\sigma\}$ determines an element of the quotient group
$$\text{cocycles}/\text{coboundaries} = H^1(\Gamma, \bar{\mathfrak G}),$$
the first cohomology group, where $\Gamma = \mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$.

We now look at the information which an element of $H^1(\Gamma, \bar{\mathfrak G})$ gives us about $\mathcal V$. In the first place, we certainly can construct a curve $\mathcal V$ and a birational equivalence $\phi$ by our general machinery. To remind: let $\mathbf x$ be a generic point of $C$. There is an action $\bar\sigma$ of $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$ on $\bar{\mathbf Q}(\mathbf x)$ given by
(i) $\bar\sigma$ acts like $\sigma$ on $\bar{\mathbf Q}$;
(ii) $\bar\sigma\mathbf x = \mathbf x + a_\sigma$.
Then the fixed field is the function field of a curve $\mathcal V$ defined over $\mathbf Q$, and $\phi$, defined over $\bar{\mathbf Q}$, is given by the identification of the two function fields over $\bar{\mathbf Q}$.

The map $\phi$ gives $\mathcal V$ a structure of principal homogeneous space over $C$ in the following sense. Let $\boldsymbol\xi_1, \boldsymbol\xi_2$ be independent generic points on $\mathcal V$, which we treat as fixed under $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$. Put
$$\delta(\boldsymbol\xi_1, \boldsymbol\xi_2) = \phi(\boldsymbol\xi_1) - \phi(\boldsymbol\xi_2).$$
Then
$$\sigma\delta(\boldsymbol\xi_1, \boldsymbol\xi_2) = (\phi(\boldsymbol\xi_1) + a_\sigma) - (\phi(\boldsymbol\xi_2) + a_\sigma) = \delta(\boldsymbol\xi_1, \boldsymbol\xi_2).$$
That is, the algebraic map from two copies of $\mathcal V$ to $C$ given by $\delta$ is defined over $\mathbf Q$. Clearly
$$\delta(\boldsymbol\xi_1, \boldsymbol\xi_2) + \delta(\boldsymbol\xi_2, \boldsymbol\xi_3) = \delta(\boldsymbol\xi_1, \boldsymbol\xi_3).$$
Hence the cocycle $\{a_\sigma\}$, or the corresponding element of $H^1(\Gamma, \bar{\mathfrak G})$, determines the pair $(\mathcal V, \delta)$. The cocycle $\{-a_\sigma\}$ determines the pair $(\mathcal V, -\delta)$. Thus to get a group structure we must consider not just the curves $\mathcal V$ with given jacobian, but the pairs $(\mathcal V, \delta)$ where $\delta$ is a structure of principal homogeneous space.

The above account overlooks one tricky point. An element of $H^1(\Gamma, \bar{\mathfrak G})$ determines the function field of $\mathcal V$, and so determines $\mathcal V$ only up to birational equivalence defined over $\mathbf Q$. Now it can happen that there is a birational automorphism of $\mathcal V$ defined over $\mathbf Q$ which interchanges $\delta$ and $-\delta$ (!). A trivial example is when $C$ is regarded as its own jacobian. Consider two maps
$$\phi_j : C \to C \quad (j = 1, 2),$$
where $\phi_1$ is $\mathbf x \to \mathbf x$ and $\phi_2$ is $\mathbf x \to -\mathbf x$. In both cases the cocycle $a_\sigma$ is identically $0$. In the first case, $\delta_1(\mathbf x_1, \mathbf x_2) = \mathbf x_1 - \mathbf x_2$; and in the second $\delta_2(\mathbf x_1, \mathbf x_2) = \mathbf x_2 - \mathbf x_1$. The two are taken into one another by the automorphism $\mathbf x \to -\mathbf x$ of $C = \mathcal V$.

In the example just above, we have the trivial element of $H^1(\Gamma, \bar{\mathfrak G})$. There is the same phenomenon for elements of order 2 (and only for them) [Exercise for reader!]. To deal with this difficulty, we shall identify two structures of principal homogeneous space which are birationally equivalent. With this convention each element of $H^1(\Gamma, \bar{\mathfrak G})$ defines a unique principal homogeneous space.

Conversely, a structure of principal homogeneous space determines the element of $H^1(\Gamma, \bar{\mathfrak G})$. Consider the map
$$\phi : \mathcal V \to C.$$
By our initial construction, the corresponding cocycle is
$$a_\sigma = (\sigma\phi)(\boldsymbol\xi) - \phi(\boldsymbol\xi),$$
where $\boldsymbol\xi$ is a generic point of $\mathcal V$ fixed under Galois. Now let $\boldsymbol\alpha$ be any algebraic point on $\mathcal V$ (i.e. defined over $\bar{\mathbf Q}$). Then
$$\sigma(\phi(\boldsymbol\alpha)) = (\sigma\phi)(\sigma\boldsymbol\alpha) = \phi(\sigma\boldsymbol\alpha) + a_\sigma,$$
since $\sigma$ acts both on $\boldsymbol\alpha$ and on the coefficients of the map $\phi$. Hence
$$\delta(\boldsymbol\alpha, \sigma\boldsymbol\alpha) = \phi(\boldsymbol\alpha) - \phi(\sigma\boldsymbol\alpha) = \phi(\boldsymbol\alpha) - \sigma(\phi(\boldsymbol\alpha)) + a_\sigma.$$
Thus $\{\delta(\boldsymbol\alpha, \sigma\boldsymbol\alpha)\}_\sigma$ is a cocycle, and differs from $\{a_\sigma\}$ by a coboundary.

To sum up:

Theorem. There is a canonical isomorphism between principal homogeneous spaces $(\mathcal V, \delta)$ (up to birational equivalence over $\mathbf Q$) and elements of $H^1(\Gamma, \bar{\mathfrak G})$. The element corresponding to $(\mathcal V, \delta)$ is given by the cocycle $\{\delta(\boldsymbol\alpha, \sigma\boldsymbol\alpha)\}_\sigma$, where $\boldsymbol\alpha$ is any algebraic point on $\mathcal V$.

Note 1. Principal homogeneous spaces were introduced by Weil. He defined their group structure directly, not by reference to $H^1(\Gamma, \bar{\mathfrak G})$.

Note 2. For the cognoscenti. The "jacobian" defined here is a refinement of the classical notion defined over the complex numbers. Recall that a divisor $\mathfrak a$ on $\mathcal V$ is a map $\mathbf a \to n_{\mathbf a}$ from the algebraic points $\mathbf a$ on $\mathcal V$ to $\mathbf Z$ which is $0$ for all except at most finitely many $\mathbf a$. It is defined over $\mathbf Q$ if it is invariant (in an obvious sense) under $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$. The degree is $\sum n_{\mathbf a}$. Suppose that $\mathfrak a$ is of degree $0$. The jacobian map is the map
$$\mathrm{Jac} : \mathfrak a \to \sum_{\mathbf a} n_{\mathbf a}\,\phi(\mathbf a),$$
the summation being that on $C$. The divisor $\mathfrak a$ is in the kernel of the map precisely when the $\phi(\mathbf a)$ with their multiplicities are the poles and zeros of a function on $C$. Identifying $\mathcal V$ and $C$ via $\phi$, this is the same as saying that $\mathfrak a$ is the divisor of a function on $\mathcal V$ [a principal divisor]. If $\mathfrak a$ is defined over $\mathbf Q$, then $\mathrm{Jac}(\mathfrak a)$ is defined over $\mathbf Q$, as follows easily from the formula for $\sigma\phi(\boldsymbol\alpha)$ (the terms $n_{\mathbf a} a_\sigma$ cancel because the degree is $0$). Hence we have a group monomorphism
$$\frac{\text{Divisors of degree } 0 \text{ on } \mathcal V \text{ defined over } \mathbf Q}{\text{Principal such divisors}} \to \mathfrak G.$$

A final point. If the divisor $\mathfrak a$ of degree $0$ is defined over $\mathbf Q$ and is principal, then it is the divisor of a function on $\mathcal V$ defined over $\mathbf Q$. For suppose that $f$ is a function on $\mathcal V$, defined over $\bar{\mathbf Q}$, with divisor $\mathfrak a$. Let $\sigma \in \mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$. Then $\mathfrak a$ is also the divisor of $\sigma f$, and so
$$\sigma f / f \in \bar{\mathbf Q}^*.$$
It is readily checked that $\sigma \to \sigma f / f$ is a cocycle with values in $\bar{\mathbf Q}^*$; and so is a coboundary by Hilbert 90 [§20, Exercise 5]. Hence $\sigma f / f = \sigma\lambda/\lambda$ for some $\lambda \in \bar{\mathbf Q}^*$ and all $\sigma$. Then $\lambda^{-1} f$ is fixed under Galois, i.e. defined over $\mathbf Q$, and has divisor $\mathfrak a$, as required. [Of course this remark is general, and applies to curves of any genus.]
§22. Exercises

1. If $\boldsymbol\xi$, $\mathbf x$ are generic points of $\mathcal V$, $C$ respectively, fixed under Galois, show that the function $\Lambda(\boldsymbol\xi, \mathbf x) = \phi^{-1}(\phi(\boldsymbol\xi) + \mathbf x)$ is defined over $\mathbf Q$ and investigate its properties.
23 The Tate-Shafarevich group

We put together the results of the two previous sections. As before, let
$$C : Y^2 = X^3 + AX + B$$
be an elliptic curve defined over $\mathbf Q$. The groups of points defined over $\mathbf Q$, $\bar{\mathbf Q}$ respectively are $\mathfrak G$, $\bar{\mathfrak G}$; and $\Gamma$ is $\mathrm{Gal}(\bar{\mathbf Q}/\mathbf Q)$. We have seen that the first cohomology group $H^1(\Gamma, \bar{\mathfrak G})$ is canonically isomorphic to the group of equivalence classes of $(\mathcal V, \delta)$ where $\mathcal V$ is a curve of genus 1 and $\delta$ is a structure of principal homogeneous space on it. This group is often referred to as the Weil-Châtelet group and denoted by $\mathrm{WC} = \mathrm{WC}(C)$.

Let $m > 1$ be an integer. The group $\bar{\mathfrak G}$ is divisible by $m$ since finding a $b$ such that $mb = a \in \bar{\mathfrak G}$ is just a matter of solving some algebraic equations. The exact sequence of the previous section is now
$$0 \to \mathfrak G/m\mathfrak G \to H^1(\Gamma, \Delta_m) \to [H^1(\Gamma, \bar{\mathfrak G})]_m \to 0,$$
where $\Delta_m \subset \bar{\mathfrak G}$ is the group of elements of $\bar{\mathfrak G}$ of order dividing $m$ and $[\ldots]_m$ denotes the subgroup of elements of order dividing $m$.

We now have an approach to the weak Mordell-Weil theorem. We would like to find the elements of $H^1(\Gamma, \Delta_m)$ which are the images of $\mathfrak G/m\mathfrak G$. By the exactness of the sequence these are precisely the kernel of the map
$$H^1(\Gamma, \Delta_m) \to H^1(\Gamma, \bar{\mathfrak G}) = \mathrm{WC}(C).$$
Being in the kernel means that the image is a trivial principal homogeneous space $(\mathcal V, \delta)$; i.e. that there is a point on $\mathcal V$ defined over $\mathbf Q$. For $m = 2$ we are back in the situation discussed in the proof of the Weak Mordell-Weil Theorem. There we displayed the curve $\mathcal V$ in the image $(\mathcal V, \delta)$ of an element of $H^1(\Gamma, \Delta_2)$ as the intersection of two quadric surfaces.[28] As we have already emphasised, there is even now no algorithm for deciding whether or not there is a rational point on $\mathcal V$. There is, however, no difficulty in deciding whether or not there is a point on $\mathcal V$ everywhere locally. As we shall see in a moment, the elements of $\mathrm{WC}$ for which there is a point on $\mathcal V$ everywhere locally form a subgroup. It is known as the Tate-Shafarevich group and is usually denoted[29] by the Russian letter Ш ("sha").

To show that Ш is a subgroup we must discuss localization. For any prime $p$ (including $\infty$) we use a suffix $p$ to denote an object defined over $\mathbf Q_p$ instead of over $\mathbf Q$. There is an obvious map
$$j_p : \mathrm{WC} \to \mathrm{WC}_p$$
which takes the equivalence class of a principal homogeneous space $(\mathcal V, \delta)$ defined over $\mathbf Q$ into the class of the same $(\mathcal V, \delta)$ considered over $\mathbf Q_p$. The non-cohomological description of the composition of principal homogeneous spaces works entirely over the ground field: thus it shows immediately that the localization $j_p$ respects the group law; but we have not explained that description. From the cohomological point of view, we have a map
$$j_p : H^1(\Gamma, \bar{\mathfrak G}) \to H^1(\Gamma_p, \bar{\mathfrak G}_p),$$
induced by the inclusion $\bar{\mathfrak G} \subset \bar{\mathfrak G}_p$. This situation was discussed at the end of §21, where it was shown that $j_p$ is a group homomorphism and is independent of the choice of inclusion $\bar{\mathbf Q} \subset \bar{\mathbf Q}_p$. Clearly Ш is the intersection of the kernels of all the localization maps $j_p$ (including $p = \infty$).

For given $m$, denote by $S_m$ the group of elements of $H^1(\Gamma, \Delta_m)$ which map into Ш $\subset H^1(\Gamma, \bar{\mathfrak G})$. It is called the $m$th Selmer group. Now we have the exact sequence
$$0 \to \mathfrak G/m\mathfrak G \to S_m \to [Ш]_m \to 0.$$
For $m = 2$, which we encountered in the proof of the weak Mordell-Weil Theorem, we saw that $S_2$ is finite and effectively constructible. It can be shown by a more sophisticated version of the same argument that the same things hold for $S_m$ and general $m$, though now the effective constructibility tends to be not very practical.

[28] The author apologizes for the clash between $\delta$ denoting a structure of principal homogeneous space and $\Delta_2$, the group of elements of order 2 in $\bar{\mathfrak G}$.
[29] This is the author's most lasting contribution to the subject. The original notation was TS, which, Tate tells me, was intended to continue the lavatorial allusion of WC. The Americanism "tough shit" indicates the part that is difficult to eliminate.

To sum up. The Selmer group is knowable. It majorizes $\mathfrak G/m\mathfrak G$ and the "error" is given by Ш, which can be called the obstruction to the local-global principle for curves of genus 1 with the given jacobian $C$.

This is as far as we shall go in this direction with the theory. We conclude with background comments. Before all this theory was invented, Selmer embarked on a massive programme to find the Mordell-Weil groups of elliptic curves, especially those of the type
$$C : X^3 + Y^3 + dZ^3 = 0,$$
where $d \in \mathbf Z$. He used descent arguments to bound the Mordell-Weil rank. Also, by a direct search, he found rational points on $C$ and so bounded the Mordell-Weil rank from below. Most often the upper and the lower estimates for the rank coincided, but when there was a discrepancy the difference was always even. Moreover, estimates for the rank derived from different types of descent (e.g. majorization of $\mathfrak G/2\mathfrak G$ and $\mathfrak G/3\mathfrak G$) always differed, if at all, by an even integer. After the group Ш was discovered by Tate and Shafarevich, it was natural to look for the explanation of this phenomenon in the structure of Ш. It turns out that there is a skew-symmetric form on Ш whose kernel is the group of infinitely-divisible elements of Ш. It always looked improbable that there are infinitely-divisible elements and by now there is much evidence (but no proof) that they do not exist. If there are no infinitely-divisible elements, the existence of the skew-symmetric form shows that the order of $[Ш]_m$ is a square. This explains Selmer's observation.

There is not merely a local-global principle for curves of genus 0, but it has a quantitative formulation (and also, more generally, for linear algebraic groups. The modern formulation is in terms of the "Tamagawa number"). On the basis of massive calculations (this time on a computer) Birch and Swinnerton-Dyer proposed what can be regarded as a quantitative local-global theorem for elliptic curves. In their formula there is a number, not otherwise accounted for. In all their calculations the mysterious number turned out to be an integer and indeed a perfect square. It was natural to interpret this integer as the order of Ш (supposed finite), and, once made, this identification was supported on other grounds. The Birch-Swinnerton-Dyer conjectures were widely generalized and further evidence for their plausibility was adduced. It is only in the last few years that progress has been made with their proof. Until the very recent work of Rubin and Kolyvagin there was not even a single elliptic curve for which Ш had been proved to be finite.

§23. Exercises

1. Let $m$, $n$ be integers, $m \mid n$. Show that there is a group homomorphism $\lambda : H^1(\Gamma, \Delta_m) \to H^1(\Gamma, \Delta_n)$ such that the corresponding diagram commutes. Hence show that there are $\mu$, $\nu$ such that the diagram with exact rows
$$0 \to \cdots \to H^1(\Gamma, \Delta_m) \to \cdots \to 0$$
$$\downarrow\lambda$$
$$0 \to \cdots \to H^1(\Gamma, \Delta_n) \to \cdots \to 0$$
(the vertical maps being $\mu$, $\lambda$, $\nu$) is exact and commutative. Describe $\mu$, $\nu$ explicitly.
24 The endomorphism ring

In this section, the ground field $k$ is any field, possibly of positive characteristic $p$, with $p \ne 2, 3$. [This last restriction solely because of our choice of canonical form.] The main objective is the application to the estimation of the number of points over finite fields, but we do a little more, to set things in context. Let
$$C : Y^2 = X^3 + AX + B$$
be an elliptic curve defined over $k$. An endomorphism of $C$ (over $k$) is a rational map
$$\phi : C \to C$$
defined over $k$, for which $\phi(\mathbf o) = \mathbf o$.

One endomorphism is the constant endomorphism which maps $C$ entirely onto $\mathbf o$. Otherwise, if $\mathbf x$ is a generic point of $C$, then so is $\boldsymbol\xi = \phi(\mathbf x)$ and $k(\mathbf x)/k(\boldsymbol\xi)$ is an algebraic extension. We define the degree of $\phi$ to be
$$d(\phi) = [k(\mathbf x) : k(\boldsymbol\xi)].$$
By convention, the degree of the constant endomorphism is $0$.

The first lemma shows that $\phi$ respects the group structure of $C$. It is not really needed for what follows, but it helps to set ideas. In the application to finite fields, the conclusion will be obvious.

Lemma 1. Let $\mathbf a$, $\mathbf b$ be points of $C$. Then $\phi(\mathbf a + \mathbf b) = \phi(\mathbf a) + \phi(\mathbf b)$.

Sketch proof. By extending the ground field if necessary, we may suppose that $\mathbf a$, $\mathbf b$ are defined over $k$. If $\phi$ is the constant endomorphism, there is nothing to prove. Otherwise, let $\mathbf x$ be a generic point, $\boldsymbol\xi = \phi(\mathbf x)$. By the definition of the group law, there is a $\lambda = \lambda(\mathbf x) \in k(\mathbf x)$ whose only zeros are simple zeros at $\mathbf a$, $\mathbf b$ and whose only poles are simple poles at $\mathbf o$, $\mathbf a + \mathbf b$. Let
$$\Lambda = \Lambda(\boldsymbol\xi) = \mathrm{Norm}_{k(\mathbf x)/k(\boldsymbol\xi)}\,\lambda.$$
Then the zeros of $\Lambda$ are just simple zeros at $\phi(\mathbf a)$, $\phi(\mathbf b)$ and the poles of $\Lambda$ are just simple poles at $\phi(\mathbf a + \mathbf b)$ and at $\mathbf o = \phi(\mathbf o)$.

Note. cf. §14, Lemma 1. The proof above follows that in Silverman, Theorem 4.8 (p. 75), where it is proved for isogenies and the treatment is fuller. For the corresponding result for abelian varieties of any dimension, see D. Mumford, Abelian Varieties (Oxford, 1970), p. 43, Corollary 3 or H.P.F. Swinnerton-Dyer, Analytic theory of abelian varieties (Cambridge, 1974), Theorem 32 or S. Lang, Abelian varieties (New York and London, 1959), Chapter II, Theorem 4.

All we shall need is the

Corollary. Let $\mathbf x$, $\boldsymbol\xi$ be as above and let $\mathbf x = (x, y)$, $\boldsymbol\xi = (\xi, \eta)$. Then $\xi \in k(x)$, and
$$[k(x) : k(\xi)] = [k(\mathbf x) : k(\boldsymbol\xi)] = d(\phi).$$

Proof. For $\phi(-\mathbf x) = -\phi(\mathbf x) = -\boldsymbol\xi$, so $\xi$ is unchanged by $y \to -y$ and lies in $k(x)$; and since $[k(\mathbf x) : k(x)] = [k(\boldsymbol\xi) : k(\xi)] = 2$, the two degrees agree.

For any two endomorphisms $\phi$, $\psi$, we define the sum $\phi + \psi$ and the product $\phi\psi$ by
$$(\phi + \psi)(\mathbf x) = \phi(\mathbf x) + \psi(\mathbf x), \qquad (\phi\psi)(\mathbf x) = \phi(\psi(\mathbf x)),$$
where $\mathbf x$ is a generic point. It is readily verified that this gives the set of endomorphisms the structure of a (not necessarily commutative) ring.

Lemma 2. $d(\phi\psi) = d(\phi)\,d(\psi)$.

Proof. Clear.

Lemma 3. $d(\phi + \psi) + d(\phi - \psi) = 2d(\phi) + 2d(\psi)$.

Proof. Let $\mathbf x = (x, y)$ be a generic point, and put
$$\phi(\mathbf x) = \boldsymbol\xi_1, \quad \psi(\mathbf x) = \boldsymbol\xi_2, \quad (\phi + \psi)(\mathbf x) = \boldsymbol\xi_3, \quad (\phi - \psi)(\mathbf x) = \boldsymbol\xi_4,$$
so
$$\boldsymbol\xi_3 = \boldsymbol\xi_1 + \boldsymbol\xi_2, \qquad \boldsymbol\xi_4 = \boldsymbol\xi_1 - \boldsymbol\xi_2.$$
Then $\xi_j \in k(x)$ ($j = 1, 2, 3, 4$), where $\boldsymbol\xi_j = (\xi_j, \eta_j)$. We argue as in the corresponding results for heights (§17, Lemma 4). The degree of an element of $k(x)$ corresponds to the height of an element of $\mathbf Q$. As $k(x)$ has no archimedean valuations trivial on $k$, the results are more precise. By the formula for sum and difference, we have
$$\xi_3 + \xi_4 = \frac{2(\xi_1\xi_2 + A)(\xi_1 + \xi_2) + 4B}{(\xi_1 - \xi_2)^2}, \qquad \xi_3\xi_4 = \frac{\xi_1^2\xi_2^2 - 2A\xi_1\xi_2 - 4B(\xi_1 + \xi_2) + A^2}{(\xi_1 - \xi_2)^2}.$$
A similar argument to that for heights[30] gives
$$\deg(\xi_3) + \deg(\xi_4) = 2\deg(\xi_1) + 2\deg(\xi_2),$$
where "deg" is the degree as a rational function of $x$ ($=$ maximum of the degrees of numerator and denominator). The result now follows from Lemma 1, Corollary.

[30] cf. also (*) of §17.

Corollary. There are $r, s, t \in \mathbf Z$, depending on $\phi$, $\psi$, such that
$$d(m\phi + n\psi) = rm^2 + smn + tn^2$$
for all $m, n \in \mathbf Z$. Further, $r \ge 0$, $t \ge 0$, $s^2 \le 4rt$.

Proof. The first part follows exactly as for heights.[31] For the second, $d(\cdot) \ge 0$ by definition, so the quadratic form in $m$, $n$ is positive semi-definite or definite.

[31] cf. §17, Exercise 2.

The rest of this section is not needed for the application to finite fields. By abuse of notation we denote the constant endomorphism by $0$ and the identity endomorphism $\phi(\mathbf x) = \mathbf x$ by $1$.

Lemma 4. Every endomorphism $\phi$ satisfies a quadratic equation
$$\phi^2 - s\phi + t = 0,$$
where $s, t \in \mathbf Z$.

Proof. By the preceding Lemma, $d(m + n\phi) = m^2 + smn + tn^2$ for some $s, t \in \mathbf Z$ and for all $m, n \in \mathbf Z$. Let $l \in \mathbf Z$. Then
$$d(\phi + l) = d(\phi - s - l) = l^2 + sl + t.$$
Hence by Lemma 2
$$d\big((\phi + l)(\phi - s - l)\big) = (l^2 + sl + t)^2.$$
But
$$(\phi + l)(\phi - s - l) = \phi^2 - s\phi - l(s + l).$$
Hence, and by Lemma 3, Corollary, with $\phi^2 - s\phi$, $1$ for $\phi$, $\psi$ (both sides are quadratic polynomials in $n$ that agree at the infinitely many values $n = -l(s + l)$), we have
$$d(\phi^2 - s\phi + n) = (t - n)^2$$
for all $n \in \mathbf Z$. In particular,
$$d(\phi^2 - s\phi + t) = 0.$$
But the only endomorphism of degree $0$ is the constant endomorphism $0$.

Note. As was shown by Deuring, the endomorphism ring is isomorphic to one of:
(i) $\mathbf Z$;
(ii) a ring of integers in an imaginary quadratic field;
(iii) a ring of integers in a generalized quaternion skew field.
The last case can occur only in characteristic $p \ne 0$; and the skew field is very special.
§24 Exercises

1. Suppose that the ground field contains an element $i$ with $i^2 = -1$ and that its characteristic is not 2. Let $C$ be $Y^2 = X^3 + AX$ for some $A \ne 0$. Show that
$$\epsilon : Y \to iY, \quad X \to -X$$
is an endomorphism. Construct the endomorphism $1 + \epsilon$ and check that $(1 + \epsilon)^2 = 2\epsilon$ as endomorphisms.

2. Suppose that the characteristic of the ground field is not 2 or 3 and that it contains $\rho$ with $\rho^3 = 1$, $\rho \ne 1$. Let $C$ be $Y^2 = X^3 + B$ for some $B \ne 0$. Show that $\lambda : X \to \rho X$, $Y \to Y$ is an endomorphism. Construct the endomorphism $\lambda - \lambda^2$ and show that $(\lambda - \lambda^2)^2 = -3$ as endomorphisms.

3. Suppose that the characteristic of the ground field is not 2. For $a \ne 0$ determine the $b$ such that the isogenous curves
$$C : Y^2 = X(X^2 + aX + b), \qquad C_1 : Y^2 = X(X^2 - 2aX + a^2 - 4b)$$
are birationally equivalent over the algebraic closure. Show that they are equivalent over the ground field provided that $-2$ is a square in it. Denote the isogeny, considered as an endomorphism of $C$, by $\mu$. Show that $\mu^2 = -2$ as endomorphisms.

4. Let $\phi : C \to C$ be an endomorphism and suppose that
$$\phi^2 - s\phi + t = 0, \qquad s, t \in \mathbf Z.$$
For positive integer $m$ show that $\psi = \phi^m$ satisfies
$$\psi^2 - s_m\psi + t_m = 0,$$
where $s_m, t_m \in \mathbf Z$ are defined as follows. Let $\alpha, \beta \in \bar{\mathbf Q}$ be the roots of $T^2 - sT + t = 0$. Then $s_m = \alpha^m + \beta^m$ and $t_m = (\alpha\beta)^m = t^m$.

5. (i) Let $\phi$ be an endomorphism and define $\phi'$ by $\phi' = \phi$ if $\phi \in \mathbf Z$; otherwise $\phi' = s - \phi$, where $\phi^2 - s\phi + t = 0$. Show that $\phi\phi' = \phi'\phi = d(\phi)$.
(ii) Let $\mathbf x$ be a generic point and let $\boldsymbol\xi_1, \ldots, \boldsymbol\xi_l$ be the points of $C$ defined over the algebraic closure of $k(\mathbf x)$ ($k =$ ground field) such that $\phi(\boldsymbol\xi_i) = \mathbf x$ (with appropriate multiplicities if $\phi$ is inseparable). Show that
$$\phi'(\mathbf x) = \sum_i \boldsymbol\xi_i$$
(addition on $C$).
(iii) If $\psi$ is another endomorphism, show that $(\phi\psi)' = \psi'\phi'$ and $(\phi + \psi)' = \phi' + \psi'$.
25 Points over finite fields

We denote by $\mathbf F_q$ the field of $q$ elements and denote its characteristic by $p$, so $q$ is a power of $p$. Our objective is the

Theorem 1. Let
$$C : Y^2 = X^3 + AX + B$$
be an elliptic curve defined over a finite field $\mathbf F_q$. The number $N$ of points of $C$ defined over $\mathbf F_q$ satisfies
$$|N - (q + 1)| \le 2\sqrt q.$$

We shall give the main idea of a proof but will have to be impressionist on one of the ingredients. Because of our canonical form, we shall assume that $p \ne 2, 3$. Note that $N$ includes the point $\mathbf o$ "at infinity". At the end of the section we shall indicate the proof of a couple of other results.

Let $\mathbf x = (x, y)$ be a generic point. We show that $\phi(\mathbf x) = (x^q, y^q)$ is also on the curve. Indeed, since we are in characteristic $p \mid q$,
$$(y^q)^2 = (x^3 + Ax + B)^q = (x^q)^3 + A^q x^q + B^q = (x^q)^3 + Ax^q + B,$$
as $A^q = A$, $B^q = B$. This is the Frobenius endomorphism. Now let $\mathbf u = (u, v)$ be a point defined over the algebraic closure $\bar{\mathbf F}_q$. Then $\phi(\mathbf u) = (u^q, v^q)$, so $\mathbf u$ is defined over $\mathbf F_q$ precisely when it is a fixed point of $\phi$ or, what is the same thing, when
$$(\phi - 1)\mathbf u = \mathbf o,$$
where $1$ is the identity endomorphism and $\phi - 1$ is defined in terms of the endomorphism ring. In the notation of the previous section, clearly
$$d(\phi) = q$$
and so by §24, Lemma 3, Corollary
$$d(\phi - 1) = q - s + 1,$$
where $s \in \mathbf Z$ and $s^2 \le 4q$, because $d(m + n\phi) = m^2 + smn + qn^2$ is positive semi-definite. We have seen that a point defined over $\bar{\mathbf F}_q$ is actually defined over $\mathbf F_q$ precisely when it is in the kernel of $\phi - 1$. But the degree of an endomorphism is equal to the number of algebraic points in the kernel, each counted with its multiplicity. If therefore we can show that the points of the kernel of $\phi - 1$ have multiplicity 1, we are done. It is here that we have to leave a lacuna. One argument, which can be made precise, is to observe that $dx^q/dx = qx^{q-1} = 0$ in characteristic $p$, and so the differential of the map $\phi - 1$ is the same as that of the map $-1$, and hence never $0$.

Note. The result is due to Hasse by essentially the same proof. It is often referred to as the "Riemann hypothesis for function fields" (of genus 1) because of an analogy with Riemann's notorious unproved conjecture about the zeros of the usual ("Riemann") zeta function. It was generalized to curves of any genus by Weil and to algebraic varieties by Deligne. The analysis of the action of the Frobenius map $\phi$ is still a central theme of modern arithmetic geometry.

Theorem 2. Let $\mathcal V$ be a curve of genus 1 defined over $\mathbf F_q$. Then it has a point defined over $\mathbf F_q$.

Proof. We developed the theory of the jacobian in characteristic $0$, but it holds for general characteristics. Let $C$ be the jacobian of $\mathcal V$ and let $\bar{\mathfrak G}$ be the group of points on $C$ defined over $\bar{\mathbf F}_q$. It is enough to show that
$$H^1(\Gamma, \bar{\mathfrak G})$$
is trivial, where $\Gamma = \mathrm{Gal}(\bar{\mathbf F}_q/\mathbf F_q)$. The group $\Gamma$ is generated[32] by the Frobenius automorphism $\gamma$ (say): $a \to a^q$. We have to show that any cocycle $\{a_\sigma\}$ is trivial. It is enough to show that
$$a_\gamma = \gamma b - b$$
for some $b \in \bar{\mathfrak G}$. Now
$$\gamma b - b = (\phi - 1)b,$$
where $\phi$ is the "geometrical" Frobenius, so $\phi - 1$ is not the constant endomorphism. For any $c \in \bar{\mathfrak G}$ we can thus solve $(\phi - 1)b = c$ for $b$, since we are working in the algebraically closed field. In particular, this holds for $c = a_\gamma$. The cocycle identity gives inductively that $a_\sigma = \sigma b - b$ for $\sigma = \gamma, \gamma^2, \gamma^3, \ldots$ and we are done.

[32] "topologically", that is the group generated by $\gamma$ is everywhere dense in the Galois topology.

Note. For a broad generalization, see S. Lang, Algebraic groups over finite fields. Amer. J. Math. 78 (1956), 555-563. The Theorem is due to F.K. Schmidt and the idea behind his proof is amusing. He used analytic means to estimate the number of points defined over the extension fields $\mathbf F_{q^n}$. In particular, he showed that the number is $> 0$ for all large enough $n$. Let $\mathbf b_1, \ldots, \mathbf b_n$ be $n$ conjugate points defined over $\mathbf F_{q^n}$ and $\mathbf c_1, \ldots, \mathbf c_{n+1}$ be similar conjugates defined over $\mathbf F_{q^{n+1}}$. Then by Riemann-Roch there is a function whose poles are simple poles at the $\mathbf c_i$ and which has simple zeros at the $\mathbf b_j$. It has one further zero, which must be defined over $\mathbf F_q$.

Theorem 3. Let
$$\lambda : C_1 \to C_2$$
be an isogeny of elliptic curves, everything defined over $\mathbf F_q$. Then $N_1 = N_2$, where $N_j$ is the number of points on $C_j$ defined over $\mathbf F_q$.

Note. An isogeny is defined to be a rational map onto such that $\lambda(\mathbf o_1) = \mathbf o_2$. Lemma 1 of the preceding section extends to isogenies, which gives compatibility with the usage earlier in the course.

Proof. Let $\phi_j$ be the Frobenius on $C_j$. Clearly the diagram
$$\begin{array}{ccc} C_1 & \xrightarrow{\ \phi_1\ } & C_1 \\ {\scriptstyle\lambda}\downarrow & & \downarrow{\scriptstyle\lambda} \\ C_2 & \xrightarrow{\ \phi_2\ } & C_2 \end{array}$$
is commutative, and hence so is
$$\begin{array}{ccc} C_1 & \xrightarrow{\ \phi_1 - 1\ } & C_1 \\ {\scriptstyle\lambda}\downarrow & & \downarrow{\scriptstyle\lambda} \\ C_2 & \xrightarrow{\ \phi_2 - 1\ } & C_2 \end{array}$$
It follows (§24, Lemma 2, since $d(\lambda) \ne 0$) that the degrees $d(\phi_1 - 1)$ and $d(\phi_2 - 1)$ are equal. But (proof of Theorem 1), this is just $N_1 = N_2$.

Example. The numbers of solutions of
$$y^2 \equiv x(x^2 + ax + b) \pmod p$$
and
$$y^2 \equiv x(x^2 - 2ax + a^2 - 4b) \pmod p$$
are equal, where $a$, $b$ are integers and $p$ is any prime with $2b(a^2 - 4b) \not\equiv 0 \pmod p$.
§25. Exercises

1. Let $p$ be prime, $p \equiv 2 \pmod 3$. Show that the number of points on the elliptic curve $Y^2 = X^3 + B$ defined over $\mathbf F_p$ is $p + 1$. [Hint. Given $Y$, solve for $X$.]

2. Let $p$ be prime, $p \equiv 3 \pmod 4$. Show that the number of points on the elliptic curve
$$Y^2 = X(X^2 + A)$$
defined over $\mathbf F_p$ is $p + 1$. [Hint. Consider $\pm X$ together.]

3. Let $C$ be an elliptic curve defined over $\mathbf F_p$ and let $N(n)$ be the number of points defined over $\mathbf F_q$, where $q = p^n$. Show that there are $\alpha, \beta \in \bar{\mathbf Q}$ such that $\alpha\beta = p$ and
$$N(n) = p^n + 1 - \alpha^n - \beta^n.$$
Hence show that all the $N(n)$ are determined by the value of $N(1)$. Hence determine $N(2)$ for
$$Y^2 = X^3 + X + 1,$$
with $p = 3$. [Hint. §24, Exercise 4.]

4. [Preparation for next exercises.] Let $\mathfrak A \supset \mathbf Z$ be a commutative ring without divisors of $0$ [an integral domain]. Suppose that every $\lambda \in \mathfrak A$ satisfies an equation $\lambda^2 + a\lambda + b = 0$ ($a, b \in \mathbf Z$, depending on $\lambda$). Show that either $\mathfrak A = \mathbf Z$ or $\mathfrak A = \mathbf Z[\alpha]$ for some single element $\alpha \in \mathfrak A$.

5. Let $p \equiv 1 \pmod 4$ be prime and
$$C : Y^2 = X(X^2 + A)$$
an elliptic curve defined over $\mathbf F_p$. Let $\theta \in \mathbf F_p$, $\theta^2 = -1$. Show that
$$\epsilon : Y \to \theta Y, \quad X \to -X$$
is an endomorphism of $C$, and that $\epsilon^2 + 1 = 0$. Let $\phi$ be the Frobenius. Show that $\phi\epsilon = \epsilon\phi$ and deduce that $\phi = u + v\epsilon$ for some $u, v \in \mathbf Z$ with $u^2 + v^2 = p$. Show, further, that the number $N$ of points on $C$ defined over $\mathbf F_p$ is $N = p + 1 - 2u$. Evaluate $N$ for some $A$ and $p$ and check that $u$ (say) $= \tfrac12(p + 1 - N) \in \mathbf Z$ and satisfies $u^2 + v^2 = p$ for some $v \in \mathbf Z$.

6. Let $p \equiv 1 \pmod 3$ and let
$$C : Y^2 = X^3 + B$$
be an elliptic curve defined over $\mathbf F_p$. Let $\theta \in \mathbf F_p$, $\theta^3 = 1$, $\theta \ne 1$. Show that
$$\lambda : Y \to Y, \quad X \to \theta X$$
is an endomorphism of $C$ and that $\lambda^2 + \lambda + 1 = 0$. Show that the Frobenius $\phi$ satisfies $\phi\lambda = \lambda\phi$. Now continue as in the previous Exercise.

7. Let
$$C : Y^2 = X(X^2 + 4CX + 2C^2)$$
be an elliptic curve defined over $\mathbf F_p$, where $p$ is prime and $-2$ is a quadratic residue. Show that the number $N$ of points is of the shape $N = p + 1 - 2u$, where $u \in \mathbf Z$ and there is a $v \in \mathbf Z$ such that $u^2 + 2v^2 = p$. [Hint. §24, Exercise 3.]
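The following Python script is an added example, not part of Cassels' text: it counts the $\mathbf F_p$-points of a curve $Y^2 = X^3 + a_2X^2 + a_4X + a_6$ by summing $1 + \left(\frac{f(X)}{p}\right)$ over $X$, reads off the Frobenius trace $s = p + 1 - N$ of Theorem 1 and checks the bound $s^2 \le 4p$, computes the extension counts $N(n)$ of Exercise 3 from $N(1)$ alone via the recurrence for $\alpha^n + \beta^n$, compares the two isogenous curves of the Example after Theorem 3, and recovers the representation $p = u^2 + v^2$ of Exercise 5. The function names, the general form with an $X^2$ term (needed for the Example) and the sample curves are this example's own choices; the Legendre-symbol count is the brute-force method behind the hints of Exercises 1 and 2, not the proof of Theorem 1, and its $O(p)$ loop is only for small $p$.

```python
# Added example (not from Cassels' text): point counting over F_p for
# Y^2 = X^3 + a2 X^2 + a4 X + a6, the Frobenius trace s = p + 1 - N of
# Theorem 1, the Hasse bound s^2 <= 4p, the extension counts N(n) of
# Exercise 3, the isogeny Example after Theorem 3 and Exercise 5.
from math import isqrt


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def is_nonsingular(p: int, a2: int, a4: int, a6: int) -> bool:
    """The cubic X^3 + a2 X^2 + a4 X + a6 has nonzero discriminant mod p."""
    disc = (a2 * a2 * a4 * a4 - 4 * a4**3 - 4 * a2**3 * a6
            - 27 * a6 * a6 + 18 * a2 * a4 * a6)
    return disc % p != 0


def count_points(p: int, a2: int, a4: int, a6: int) -> int:
    """N = #C(F_p) for Y^2 = X^3 + a2 X^2 + a4 X + a6, including o.
    Each X contributes 1 + (f(X)/p) affine points, i.e. 2, 1 or 0."""
    assert p % 2 == 1 and is_nonsingular(p, a2, a4, a6)
    affine = sum(1 + legendre(x**3 + a2 * x * x + a4 * x + a6, p)
                 for x in range(p))
    return affine + 1


def frobenius_trace(p: int, a2: int, a4: int, a6: int) -> int:
    """s with N = d(phi - 1) = p - s + 1, i.e. s = p + 1 - N."""
    return p + 1 - count_points(p, a2, a4, a6)


def hasse_bound_holds(p: int, a2: int, a4: int, a6: int) -> bool:
    """Theorem 1: |N - (p + 1)| <= 2 sqrt(p), i.e. s^2 <= 4p."""
    return frobenius_trace(p, a2, a4, a6) ** 2 <= 4 * p


def count_points_ext(p: int, a2: int, a4: int, a6: int, n: int) -> int:
    """Exercise 3: N(n) = p^n + 1 - alpha^n - beta^n where alpha + beta = s,
    alpha*beta = p. The power sums t_n = alpha^n + beta^n satisfy
    t_n = s t_{n-1} - p t_{n-2} with t_0 = 2, t_1 = s, so N(1) determines all N(n)."""
    s = frobenius_trace(p, a2, a4, a6)
    t_prev, t_cur = 2, s
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, s * t_cur - p * t_prev
    return p**n + 1 - t_cur


def isogenous_counts(p: int, a: int, b: int) -> tuple:
    """Example after Theorem 3: Y^2 = X(X^2 + aX + b) and
    Y^2 = X(X^2 - 2aX + a^2 - 4b) have the same number of points mod p."""
    assert (2 * b * (a * a - 4 * b)) % p != 0
    return count_points(p, a, b, 0), count_points(p, -2 * a, a * a - 4 * b, 0)


def two_squares_from_trace(p: int, A: int) -> tuple:
    """Exercise 5: p = 1 (mod 4), C: Y^2 = X(X^2 + A). Then N = p + 1 - 2u
    with u^2 + v^2 = p; returns (u, v) with v >= 0."""
    assert p % 4 == 1
    s = frobenius_trace(p, 0, A, 0)
    assert s % 2 == 0
    u = s // 2
    v = isqrt(p - u * u)
    assert u * u + v * v == p
    return u, v


if __name__ == "__main__":
    # constructed sample curves: Exercise 3's curve over F_3 and Exercise 5 over F_13
    print(count_points(3, 0, 1, 1), count_points_ext(3, 0, 1, 1, 2))
    print(two_squares_from_trace(13, 1))
```

On $Y^2 = X^3 + X + 1$ over $\mathbf F_3$ the script finds $N(1) = 4$, so $s = 0$, $\alpha^2 + \beta^2 = -6$ and $N(2) = 16$; on $Y^2 = X(X^2 + 1)$ over $\mathbf F_{13}$ it finds $N = 20$, hence $u = -3$ and $13 = 9 + 4$; and for $p \equiv 3 \pmod 4$, $p \equiv 2 \pmod 3$ the counts of Exercises 1 and 2 come out as $p + 1$, i.e. $s = 0$.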
26 Factorizing using elliptic curves
The problem of finding a factor of a given large integer has fascinated mathematicians through the ages. Recently the question has assumed practical, and indeed political, significance with the use of the products of lru·ge primes in cryptology. It is usually (but not always) easy to prove that a given composite integer n is composite, e.g. if there is an a > 1 with an- I "¢ 1 mod n. But finding an actual nontrivial factor is a completely other matter! For the logician, of course, the problem of factorizing an integer n is constructive. All one has to do is to test all integers m < n11 2 for divisibility. When, say, n has 100 decimal digits, this could take longer than the age of the universe. What are needed are practical methods. Recently H.W. Lenstra Jr. has shown that elliptic curves provide powerful methods for this problem. We will sketch one of his attacks. Lenstra's method is suggested by Pollard ' s "p - 1 method" . Let n be large integer with an unknown prime factor p. Let a be an integer and a consider k m = gcd( a - 1 , n ) for some integer A�. If 1.: I ( p - 1 ) then p I m. Unless we are unlucky, not all the other primes q I n will divide m; and so m would be a nontrivial factor of n . One does not evaluate eL k , of course, but works modulo n. There is an algorithm which works in O(log k) steps ( cf. Exercises) . Evaluating the gcd is cheap, using Euclid ' s algorithm. Pollard's method is particularly effective if n is divisible by a prime
p for which all the prime factors of p − 1 are comparatively small. The accepted recipe is to take k of the shape^33

k = k(b) = ∏_{q ≤ b} q^{e(q)},

where q runs through the primes and q^{e(q)} is the largest power of q which is ≤ b. Here b is chosen suitably, in a way which will be described later.
The chances of success with this method of Pollard's appear to be best when the smallest prime factor p of n is substantially smaller than n^{1/2}. But even then, we may be out of luck if p − 1 has some largish prime factors. One can try to find a value of a whose exponent mod p is substantially smaller than p − 1, but that is not very promising. Lenstra observed that Pollard's method depends on the fact that the residue classes mod p have a group structure, and that elliptic curves provide other groups which can be used for the same purpose. Let C : Y^2 Z = X^3 + AXZ^2 + BZ^3 be an elliptic curve and let (x, y, z) with x, y, z ∈ Z be a point on it. Let

k(x, y, z) = (x_k, y_k, z_k),

where k > 1 is an integer and x_k, y_k, z_k ∈ Z. Now let p be a prime, and suppose that C mod p (in an obvious sense) is an elliptic curve over Z mod p. The mod p points form a group whose order

N = N_p = N_p(A, B)

satisfies |N − (p + 1)| < 2√p. If N | k, the point (x_k, y_k, z_k) mod p is the "point at infinity", that is p | z_k.
Given A, B, x, y, z, values of (x_k, y_k, z_k) can be computed in O(log k) steps involving addition, multiplication, subtraction. Since we are using homogeneous co-ordinates, there is no need to divide. The resulting values of x_k, y_k, z_k may have a common factor, but this does not disturb the conclusion that N_p | k implies p | z_k. Now let n be the large integer to be factorized and let k = k(b) for some suitable b, as before. Then we can evaluate x_k, y_k, z_k mod n in O(log k) steps of addition, multiplication, subtraction modulo n. The
33 That is, k is the least common multiple of the integers ≤ b.
unknown prime divisor p of n will divide z_k mod n provided that N_p | k; and then p divides m = gcd(n, z_k). If z_k ≡ 0 (mod n), we are out of luck. Otherwise m will be a nontrivial divisor of n, which is what we want. It can, of course, happen that m = 1, if N_p ∤ k for all p | n. If this happens, we select other values of A, B, x, y, z (and, possibly, k) and try, try, try again.^34

The above account leaves a couple of questions unanswered.

(i) How do we choose the initial curve C and the point (x, y, z)? Since all the calculations are mod n, it is enough to find A, B, x, y, z ∈ Z such that the equation of C holds mod n. An obvious way is to put z = 1, choose A, x, y at random and use the equation to determine B. Since we naturally suppose that we started off by checking that n has no small divisors, the chance that C is not an elliptic curve for any p | n is negligible. In any case, there is no harm in running through the algorithm: at worst we will draw a blank. Alternatively, one can compute l = gcd(n, 4A^3 + 27B^2). If l = 1, we are OK. If 1 < l < n, we have a non-trivial factor of n, which is what we want. If l = n, which is highly unlikely, we abort the run and choose fresh A, B, x, y, z.

(ii) What is the optimal choice of b in k = k(b)? It turns out that this depends on the smallest prime divisor p of n: which is, of course, unknown. We argue heuristically. Let 1 < s < t, where t is an integer. We say that t is s-smooth if every prime divisor q of t is less than s. It is known that the number of integers t < T, for given T, which are T^{1/u}-smooth is very roughly u^{−u} T. Put L = L(T) = exp(√(log T log log T)) and let 0 < α < ∞. On putting T^{1/u} = L^α, we deduce that the number of t ≤ T which are L^α-smooth is roughly L^{−1/2α} T. We shall paraphrase
34 For the distribution of N_p over curves, see B.J. Birch: How the number of points of an elliptic curve over a fixed prime varies. J. London Math. Soc. 43 (1968), 57-60.
this to the statement that the probability P that a random integer t in the neighbourhood of T is L^α-smooth is P = L^{−1/2α}. We shall choose the best value of α later. Let p be the unknown smallest prime factor of n. Put L = L(p). We have seen that the order N_p = N_p(A, B) of the points mod p on C is approximately p. Assuming that N_p behaves reasonably randomly as A, B vary, the probability P that N_p is L^α-smooth is P = L^{−1/2α}. Take

k = k(b).

Then all the prime factors of N_p divide k. The practitioners of the mystery of factorization assume that it is highly probable that indeed N_p | k, which we suppose. The number of steps in one run of the algorithm is O(log k), which is very roughly b = L^α. To sum up. The amount of work in a run of the algorithm is about L^α. The probability of success in a single run is about L^{−1/2α}. Hence the expected work to find a nontrivial factor is about L^{α + 1/2α}. This is minimized at α = 1/√2, which is therefore the optimal choice.

The above estimates depend on the size of the unknown least prime factor p of n. The worst case scenario is when p is nearly n^{1/2}. However, one expects the Lenstra algorithm to be most effective when the smallest prime factor is much smaller. Thus it works better on "naturally occurring" integers n than on the integers n used in some cryptosystems, which are the product of two nearly equal primes. If nothing is known a priori about the primes in n, a good strategy is to start with a comparatively small b and to increase it gradually if necessary.

We have chosen a version of the Lenstra algorithm which is easy to describe, rather than one which minimizes computation time. In practice, further devices and stratagems are brought into play. We do not go into this here, but conclude with a variant in the spirit of the course.

In the variant, one considers the elliptic curve C : CY^2 = X^3 + AX + B for some C ≠ 0, where we now take the inhomogeneous form. Recall that if (x_1, y_1) and (x_2, y_2) are points on the curve and

(x_3, y_3) = (x_1, y_1) + (x_2, y_2), (x_4, y_4) = (x_1, y_1) − (x_2, y_2),
then x_3, x_4 are the roots of a quadratic equation whose coefficients are polynomial in x_1, x_2, A, B (but not C). If now k is a positive integer and if, to change the notation, (x, y) is a rational point on C and (x_k, y_k) = k(x, y), then the classical algorithm for computing g^k can be modified to give an algorithm to compute x_k in O(log k) steps (cf. Exercises). Now write X = U/V and work homogeneously. If x = u/v, then x_k = u_k/v_k where u_k, v_k are obtained from u, v by O(log k) additions, subtractions and multiplications, but no divisions. Now, as before, let n be the number to be factorized and p an unknown prime divisor. Suppose that A, B, u, v ∈ Z and work mod n. Then, as before, if N_p | k then p | v_k and we can expect that gcd(v_k, n) is a non-trivial divisor of n. In this version of the algorithm we may choose A, B, u, v entirely arbitrarily. Put x = u/v, y = 1. Then, unless we are strikingly unlucky, the point (x, y) lies on C for some C ∈ Q* which need not be evaluated, as it is never needed.

Elliptic curves are used also in primality testing and in other unexpected ways: for example, finding square roots modulo a large prime. See A.K. Lenstra and H.W. Lenstra Jr., Algorithms in number theory. Chapter 12 (pp. 673-715) of: Handbook of theoretical computer science, vol. A (ed. J. van Leeuwen), Elsevier, 1990.

§26. Exercises
1. [Motivation for next question.] Let G be an abelian group and n a positive integer. For g ∈ G show that the following algorithm computes g^n in O(log n) operations.
(i) N = n, Y = 1 ∈ G, Z = g
(ii) IF N = 0, GOTO END
(iii) M = [N/2], E = N − 2M
(iv) IF E = 1 THEN Y = YZ
(v) N = M, Z = Z^2
(vi) GOTO (ii)
END [Y = g^n].

2. Let C : Y^2 = X^3 + AX + B be an elliptic curve. For a positive odd integer n and a = (a, b) on C, check that the following algorithm computes u, where na = (u, v), in O(log n) steps.
We recall that there is a rational function d(x) such that if x = (x, y) then 2x = (d(x), ?) for some ?. Further, there is a quadratic q(T) = q(T; x_1, x_2) whose coefficients are rational in x_1, x_2 and whose roots are x_3, x_4 if x_3 = x_1 + x_2, x_4 = x_1 − x_2.
(i) N = n, X = a, Y = a, Z = a
(ii) IF N = 0, GOTO END
(iii) M = [N/2], E = N − 2M.
(iv) Z = d(Z).
(v) IF E = 1 GOTO (viii)
(vi) [Check that Y is a root of q(T; X, Z).] Y IS THE OTHER ROOT OF q(T; X, Z)
(vii) GOTO (ix)
(viii) [Check that X is a root of q(T; Y, Z).] X IS THE OTHER ROOT OF q(T; Y, Z).
(ix) N = M
(x) GOTO (ii).
END [X = u, where n(a, b) = (u, v).]
3. Suppose that (a, b) lies on C* : EY^2 = X^3 + AX + B for some E ≠ 0. Let n(a, b) = (u, v) on C*. Show that u is given by the algorithm in (2). [i.e. the algorithm is independent of E.]
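The Lenstra procedure of §26, with the double-and-add multiplication of Exercises 1 and 2, as an added Python example that is not from the book. It works in affine coordinates: where the homogeneous form reads off p | z_k, the affine form meets a denominator that is not invertible mod n, and gcd(denominator, n) is the factor; that substitution, the function names, and the constructed starting points x = A + 1, y = 2A + 3 with z = 1 are the example's own assumptions, as is reusing the same k(b) in Pollard's p − 1 method for comparison.

```python
from math import gcd

def k_of_b(b):
    """k(b): product over primes q <= b of the largest power of q that is <= b."""
    k = 1
    for q in range(2, b + 1):
        if all(q % r for r in range(2, int(q ** 0.5) + 1)):   # q is prime
            qe = q
            while qe * q <= b:
                qe *= q
            k *= qe
    return k

def pollard_p_minus_1(n, b, a=2):
    return gcd(pow(a, k_of_b(b), n) - 1, n)    # m = gcd(a^k - 1, n), a^k taken mod n

class FoundFactor(Exception): pass    # args[0] = gcd(denominator, n): the event "p | z_k"

def inv_mod(d, n):
    if gcd(d, n) != 1:                # no inverse mod n: some p | n divides d
        raise FoundFactor(gcd(d, n))
    return pow(d, -1, n)

def ec_add(P, Q, A, n):
    """Chord/tangent addition on Y^2 = X^3 + AX + B mod n; B never enters."""
    (x1, y1), (x2, y2) = P, Q
    if (x1 - x2) % n == 0:
        inv_mod(y1 + y2, n)           # P = -Q modulo some p | n: infinity there
        l = (3 * x1 * x1 + A) * inv_mod(2 * y1, n)            # tangent slope
    else:
        l = (y1 - y2) * inv_mod(x1 - x2, n)                   # chord slope
    x3 = (l * l - x1 - x2) % n
    return x3, (l * (x1 - x3) - y1) % n

def ec_mul(k, P, A, n):
    R = None                          # double-and-add: O(log k) curve operations
    for bit in bin(k)[2:]:
        R = R if R is None else ec_add(R, R, A, n)
        if bit == "1":
            R = P if R is None else ec_add(R, P, A, n)
    return R

def ecm_factor(n, b, max_curves=60):
    """Lenstra: z = 1, pick A, x, y, let B fit the equation, multiply by k(b) mod n."""
    k = k_of_b(b)
    for A in range(1, max_curves + 1):
        x, y = A + 1, 2 * A + 3                  # constructed starting point
        B = (y * y - x ** 3 - A * x) % n
        g = gcd(n, 4 * A ** 3 + 27 * B * B)
        if 1 < g < n:
            return g                             # C singular mod some p: a factor
        try:
            ec_mul(k, (x, y), A, n)              # at worst this run draws a blank
        except FoundFactor as e:
            if 1 < e.args[0] < n:
                return e.args[0]
```

On a constructed input such as n = 10007 · 10009 with b = 100, pollard_p_minus_1 succeeds only if some p − 1 is 100-smooth, whereas ecm_factor keeps changing the curve until some N_p is.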
Formulary
Desboves' Formulae^35. These are for a_1 X_1^3 + a_2 X_2^3 + a_3 X_3^3 + dX_1X_2X_3 = 0. This is nonsingular if 27a_1a_2a_3 + d^3 ≠ 0. The residual intersection t of the tangent at x is (j taken mod 3). The third intersection z of the line joining x, y is (j mod 3).

Canonical curve. Y^2 = X^3 + AX + B. If x = (x, y), then −x = (x, −y).

Addition formula. Let x_1 = (x_1, y_1), x_2 = (x_2, y_2) and x = x_1 + x_2 = (x, y).

35 A. Desboves. Résolution en nombres entiers et sous sa forme la plus générale, de l'équation cubique, homogène à trois inconnues. Nouv. Ann. de la Math., Ser. III, vol. 5 (1886), 545-579.
If x_2 = −x_1, we have x = o. If x_2 = x_1, we apply the duplication formula, given below. Otherwise, we may suppose that x_2 ≠ x_1. The line joining x_1, x_2 is Y = lX + m, where

l = (y_1 − y_2)/(x_1 − x_2), m = (x_1y_2 − x_2y_1)/(x_1 − x_2).

This line cuts the curve in x_1, x_2 and −(x_1 + x_2) = −x = (x, −y). The roots of X^3 + AX + B − (lX + m)^2 are x_1, x_2 and x. Hence x_1 + x_2 + x = l^2 and so x = l^2 − x_1 − x_2. Further, y = −lx − m; and so

(x_1 − x_2)^3 y = y_2W_2 − y_1W_1,

where W_1 = 3x_1x_2^2 + x_2^3 + A(x_1 + 3x_2) + 4B, W_2 = symmetric.
Duplication formula. Here we consider (x_2, y_2) = x_2 = 2x = 2(x, y). If y = 0 we have x_2 = o. Hence we may suppose y ≠ 0. We need the tangent Y = lX + m at x. Since formal differentiation on the curve gives 2Y dY/dX = 3X^2 + A, we have l = (3x^2 + A)/2y.
Hence (as for addition formula)

x_2 = l^2 − 2x = ((3x^2 + A)^2 − 8xy^2)/4y^2,

i.e.

x_2 = (x^4 − 2Ax^2 − 8Bx + A^2)/4(x^3 + Ax + B).

To find y_2 we need the value m = (−x^3 + Ax + 2B)/2y, which is determined by y = lx + m. Now y_2 = −lx_2 − m; which gives

(2y)^3 y_2 = x^6 + 5Ax^4 + 20Bx^3 − 5A^2x^2 − 4ABx − A^3 − 8B^2.
Formulae in X only. Let x_1 = (x_1, y_1), x_2 = (x_2, y_2) with x_1 ≠ x_2. Let x_1 + x_2 = (x_3, y_3), x_1 − x_2 = (x_4, y_4). Then

(x_1 − x_2)^2 (x_3 + x_4) = 2(x_1x_2 + A)(x_1 + x_2) + 4B,
(x_1 − x_2)^2 x_3x_4 = x_1^2x_2^2 − 2Ax_1x_2 − 4B(x_1 + x_2) + A^2.

This follows from the expression for x in the addition formula. The value of x_3 is x as given and that of x_4 is obtained from it merely by changing the sign of y_1y_2. Hence the formula for x_3 + x_4 is immediate. That for x_3x_4 comes by substituting for y_1^2y_2^2 in the product and cancelling (x_1 − x_2)^2. [Alternatively, cf. §17, Exercise 3.]
Multiplication^36. Let (X_m, Y_m) = m(X, Y) where m ∈ Z. Then

X_m = (Xψ_m^2 − ψ_{m−1}ψ_{m+1})/ψ_m^2, Y_m = ψ_{2m}/2ψ_m^4,

where ψ_0 = 0, ψ_1 = 1, ψ_2 = 2Y, ψ_3 = 3X^4 + 6AX^2 + 12BX − A^2, ψ_4 = 4Y(X^6 + 5AX^4 + 20BX^3 − 5A^2X^2 − 4ABX − 8B^2 − A^3), ψ_{2n+1} = ψ_n^3ψ_{n+2} − ψ_{n+1}^3ψ_{n−1}, 2Yψ_{2n} = ψ_n(ψ_{n−1}^2ψ_{n+2} − ψ_{n+1}^2ψ_{n−2}).
This is an exercise on the fact that a function is defined up to a multiplicative constant by its zeros and poles. We determine the constants by looking at the behaviour at o using the local uniformiser t = X/Y. ψ_m is defined by
(i) it has a simple zero at all a ≠ o with ma = o (a defined over Q̄);
(ii) it behaves like m t^{−(m^2−1)} at o.
More precisely, (I) if m is odd, there are ½(m^2 − 1) pairs (a_j, ±b_j) of m-division points and ψ_m = m ∏(X − a_j); (II) if m is even, the three 2-division points are m-division points, and there are ½(m^2 − 4) pairs (a_j, ±b_j), b_j ≠ 0. Then ψ_m = mY ∏(X − a_j).
Now for all m, even or odd, we have the stated behaviour at o, and ψ_m has no poles except at o. Further, X_m − X vanishes at a only if (m + 1)a = o or (m − 1)a = o. Hence

X − X_m = ψ_{m−1}ψ_{m+1}/ψ_m^2, (*)

where the constant is right since both sides behave like (m^2 − 1)/m^2t^2 at o. This gives the formula for X_m. That for Y_m follows immediately from the specification of the poles and zeros. It remains to give the recurrence relation. For integers l, m we have X_l = X_m precisely when either (l + m)(X, Y) = o or (l − m)(X, Y) = o. Hence

X_l − X_m = ψ_{m+l}ψ_{m−l}/ψ_l^2ψ_m^2;

the constant being determined by the behaviour at o. But X_l − X_m = (X − X_m) − (X − X_l). Hence by (*)

ψ_l^2ψ_{m+1}ψ_{m−1} − ψ_m^2ψ_{l+1}ψ_{l−1} = ψ_{m+l}ψ_{m−l}.

Put l = n, m = n + 1, so ψ_{m−l} = 1 and

ψ_{2n+1} = ψ_n^3ψ_{n+2} − ψ_{n+1}^3ψ_{n−1}.

Put l = n − 1, m = n + 1, so ψ_{m−l} = ψ_2 = 2Y. Then

2Yψ_{2n} = ψ_n(ψ_{n−1}^2ψ_{n+2} − ψ_{n+1}^2ψ_{n−2}).

36 cf. H. Weber, Algebra III, §58; but we have adjusted the sign of ψ_m so that the leading term is always positive.
Further Reading
Cassels, J.W.S. Diophantine equations with special reference to elliptic curves, J. London Math. Soc. 41 (1966), 193-291.
Husemoller, D. Elliptic curves, Springer, 1987.
Koblitz, N. Introduction to elliptic curves and modular forms, Springer, 1984.
Lang, S. Fundamentals of diophantine geometry, Springer, 1983. [The first edition is less complete but more coherent: Diophantine geometry, Interscience, 1962.]
Serre, J.-P. Lectures on the Mordell-Weil theorem, Vieweg, 1989. [Notes of a course given in 1980-81]
Silverman, J.H. The arithmetic of elliptic curves, Springer, 1986.
Tate, J. The arithmetic of elliptic curves, Invent. Math. 23 (1974), 179-206.
INDEX
birationally equivalent 4
Birch 71, 110, 126(fn)
Blichfeldt 19
Bremner 55(fn)
canonical form 32 et seq
canonical height 83
Châtelet 108
chord and tangent processes 24
coboundary 90
cobounding 90
cocycle 90, 98
cocycle identity 90, 98
cocycle (continuous) 101
cohomology (Galois) 89 et seq
cohomology group 98 et seq
complete, completion 8
continuous (action), (cocycle) 101
convex (pointset) 18
cubic curves 23 et seq
defined over 3
degenerate (laws) 39 et seq
Deligne 121
Desboves 25(fn), 26, 130
Deuring 116
Diophantine geometry
Diophantos 1, 24
discriminant 11
elliptic curve 32
endomorphism 112 et seq
everywhere locally 14
exceptional (point) 24
Fermat 1, 55, 63
fil  tration (p-adic) 48
finite basis theorem 54 et seq
finite basis theorem (weak) 55
forgetful functor 75
form 13
Frobenius endomorphism 118
Fueter 52(fn)
function field 58
fundamental sequence 7
Galois cohomology 89 et seq, 101
general position 29
generic point 58
genus 30
genus 0 4 et seq
genus 1 30, 32
globally 14
group law 27 et seq
H^1 99
Hasse 119
Hasse principle: see local-global principle
height 55, 78 et seq
height (canonical) 83
height (logarithmic) 82
Hensel 43
'Hilbert 90' 95, 97
homogeneous spaces: see principal homogeneous space
Hypatia 1
integer (p-adic) 9
invertible 67
irreducible (curve); see also reducible 24
isogeny 58
jacobian (of curve of genus 1) 92 et seq, 95, 107
j-invariant 93
kernel of reduction 47
Kolyvagin 111
Lang 120
Lenstra 124, 128
level (of point in p-adic case) 47
lift 43
Lind 85
locally 14
local-global principle 2, 13 et seq, 85 et seq
localization 14, 103
logarithmic height 82
Mazur 51
Minkowski 19
Mordell 19
Mordell Theorem, Mordell-Weil Theorem: see finite basis theorem
multiplicity 23, 44
Nagell 34(fn), 52(fn)
neutral element (of group) 27
Newton 24, 43
nonsense 98 et seq
non-archimedean 7
non-singular 24
norm (map) 66
patch 67
pole 30
Pollard 124
principal homogeneous spaces 104 et seq
p-adic filtration 48
p-adic integers 9
p-adic numbers 6
p-adic units 9
p-adic valuation 7
rational curve (= curve of genus 0) 3
rational (point etc.) 3
reducible (curve): see also irreducible 43(fn)
reduction mod p 42 et seq
Reichardt 85
resultant 75 et seq
"Riemann hypothesis for function fields" 2, 119
Riemann-Roch theorem 30
Rubin 111
Schmidt 120
Selmer 87, 110
Shafarevich 85
singular (point) 23
Swinnerton-Dyer 71, 110
symmetric (pointset) 18
Tamagawa number 110
Tate 85, 109(fn)
Tate-Shafarevich group 85, 109 et seq
torsion 102
triangle inequality 7
ultrametric inequality 7
unit (p-adic) 9
valuation 6
valuation (p-adic) 7
van der Corput 19
weak finite basis theorem 55, 66 et seq
Weil 1, 54, 108, 119
Weil-Châtelet group 108