Elliptical Curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point . An elliptic curve is defined over a field and describes points in , the Cartesian product of with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions for:

:$y^2 = x^3 + ax + b$

for some coefficients and in . The curve is required to be non-singular, which means that the curve has no cusps or self-intersections. (This is equivalent to the condition , that is, being square-free in .) It is always understood that the curve is really sitting in the projective plane, with the point being the unique point at infinity. Many sources define an elliptic curve to be simply a curve given by an equation of this form. (When the coefficient field has characteristic 2 or 3, the above equation is not quite general enough to include all non-singular cubic curves; see below.)

An elliptic curve is an abelian variety – that is, it has a group law defined algebraically, with respect to which it is an abelian group – and serves as the identity element.

If , where is any polynomial of degree three in with no repeated roots, the solution set is a nonsingular plane curve of genus one, an elliptic curve. If has degree four and is square-free this equation again describes a plane curve of genus one; however, it has no natural choice of identity element. More generally, any algebraic curve of genus one, for example the intersection of two quadric surfaces embedded in three-dimensional projective space, is called an elliptic curve, provided that it is equipped with a marked point to act as the identity.

Using the theory of elliptic functions, it can be shown that elliptic curves defined over the complex numbers correspond to embeddings of the torus into the complex projective plane. The torus is also an abelian group, and this correspondence is also a group isomorphism.

Elliptic curves are especially important in number theory, and constitute a major area of current research; for example, they were used in Andrew Wiles's proof of Fermat's Last Theorem. They also find applications in elliptic curve cryptography (ECC) and integer factorization.

An elliptic curve is ''not'' an ellipse in the sense of a projective conic, which has genus zero: see elliptic integral for the origin of the term. However, there is a natural representation of real elliptic curves with shape invariant as ellipses in the hyperbolic plane $\mathbb^2$. Specifically, the intersections of the Minkowski hyperboloid with quadric surfaces characterized by a certain constant-angle property produce the Steiner ellipses in $\mathbb^2$ (generated by orientation-preserving collineations). Further, the orthogonal trajectories of these ellipses comprise the elliptic curves with , and any ellipse in $\mathbb^2$ described as a locus relative to two foci is uniquely the elliptic curve sum of two Steiner ellipses, obtained by adding the pairs of intersections on each orthogonal trajectory. Here, the vertex of the hyperboloid serves as the identity on each trajectory curve.

Topologically, a complex elliptic curve is a torus, while a complex ellipse is a sphere.

Elliptic curves over the real numbers

Although the formal definition of an elliptic curve requires some background in algebraic geometry, it is possible to describe some features of elliptic curves over the real numbers using only introductory algebra and geometry.

In this context, an elliptic curve is a plane curve defined by an equation of the form

:$y^2 = x^3 + ax + b$

after a linear change of variables ( and are real numbers). This type of equation is called a Weierstrass equation, and said to be in Weierstrass form, or Weierstrass normal form.

The definition of elliptic curve also requires that the curve be non-singular. Geometrically, this means that the graph has no cusps, self-intersections, or isolated points. Algebraically, this holds if and only if the discriminant, $\Delta$, is not equal to zero.

: $\Delta = -16\left(4a^3 + 27b^2\right) \neq 0$

The discriminant is zero when $a=-3k^2, b=2k^3$.

(Although the factor −16 is irrelevant to whether or not the curve is non-singular, this definition of the discriminant is useful in a more advanced study of elliptic curves.)

The real graph of a non-singular curve has ''two'' components if its discriminant is positive, and ''one'' component if it is negative. For example, in the graphs shown in figure to the right, the discriminant in the first case is 64, and in the second case is −368. Following the convention at Conic section#Discriminant, ''elliptic'' curves require that the discriminant is negative.

Group law

When working in the projective plane, the equation in homogeneous coordinates becomes
: $\frac = \frac + a\frac + b.$

This equation is not defined on the line at infinity, but we can multiply by $Z^3$ to get one that is:
: $ZY^2 = X^3 + aZ^2X + bZ^3.$

This resulting equation is defined on the whole projective plane, and the curve it defines projects onto the elliptic curve of interest. To find its intersection with the line at infinity, we can just posit $Z = 0$. This implies $X^3 = 0$, which in a field means $X = 0$. $Y$ on the other hand can take any value, and thus all triplets $(0,Y,0)$ satisfy the equation. In projective geometry this set is simply the point O = :1:0/math>, which is thus the unique intersection of the curve with the line at infinity.

Since the curve is smooth, hence continuous, it can be shown that this point at infinity is the identity element of a group structure whose operation is geometrically described as follows:

Since the curve is symmetric about the axis, given any point , we can take to be the point opposite it. We then have $-O = O$, as $O$ lies on the plane, so that $-O$ is also the symmetrical of $O$ about the origin, and thus represents the same projective point.

If and are two points on the curve, then we can uniquely describe a third point in the following way. First, draw the line that intersects and . This will generally intersect the cubic at a third point, . We then take to be , the point opposite .

This definition for addition works except in a few special cases related to the point at infinity and intersection multiplicity. The first is when one of the points is . Here, we define , making the identity of the group. If , we only have one point, thus we cannot define the line between them. In this case, we use the tangent line to the curve at this point as our line. In most cases, the tangent will intersect a second point , and we can take its opposite. If and are opposites of each other, we define . Lastly, if is an inflection point (a point where the concavity of the curve changes), we take to be itself, and is simply the point opposite itself, i.e. itself.

Let be a field over which the curve is defined (that is, the coefficients of the defining equation or equations of the curve are in ) and denote the curve by . Then the -rational points of are the points on whose coordinates all lie in , including the point at infinity. The set of -rational points is denoted by . is a group, because properties of polynomial equations show that if is in , then is also in , and if two of , , are in , then so is the third. Additionally, if is a subfield of , then is a subgroup of .

Algebraic interpretation

The above groups can be described algebraically as well as geometrically. Given the curve over the field (whose characteristic we assume to be neither 2 nor 3), and points and on the curve, assume first that (case ''1''). Let be the equation of the line that intersects and , which has the following slope:
: $s = \frac.$

The line equation and the curve equation intersect at the points , , and , so the equations have identical values at these values.

: $(sx + d)^2 = x^3 + bx + c,$
which is equivalent to
: $x^3 - s^2 x^2 - 2sdx + bx + c - d^2 = 0.$

Since , , and are solutions, this equation has its roots at exactly the same values as
: $(x - x_P) (x - x_Q) (x - x_R) = x^3 + (-x_P - x_Q - x_R) x^2 + (x_P x_Q + x_P x_R + x_Q x_R) x - x_P x_Q x_R,$
and because both equations are cubics, they must be the same polynomial up to a scalar. Then equating the coefficients of in both equations
: $-s^2 = (-x_P - x_Q - x_R)$
and solving for the unknown ,
: $x_R = s^2 - x_P - x_Q.$

follows from the line equation
: $y_R = y_P - s(x_P - x_R),$
and this is an element of , because is.

If , then there are two options: if (case ''3''), including the case where (case ''4''), then the sum is defined as 0; thus, the inverse of each point on the curve is found by reflecting it across the  axis.

If , then and (case ''2'' using as ). The slope is given by the tangent to the curve at (''x''_''P'', ''y''_''P'').

: $\begin s &= \frac, \\ x_R &= s^2 - 2x_P, \\ y_R &= y_P - s(x_P - x_R). \end$

A more general expression for $s$ that works in both case 1 and case 2 is
: $s = \frac,$
where equality to relies on and obeying .

Non-Weierstrass curves

For the curve (the general form of an elliptic curve with characteristic 3), the formulas are similar, with and .

For a general cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identity . In the projective plane, each line will intersect a cubic at three points when accounting for multiplicity. For a point , is defined as the unique third point on the line passing through and . Then, for any and , is defined as where is the unique third point on the line containing and .

For an example of the group law over a non-Weierstrass curve, see Hessian curves.

Elliptic curves over the rational numbers

A curve ''E'' defined over the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied to ''E''. The explicit formulae show that the sum of two points ''P'' and ''Q'' with rational coordinates has again rational coordinates, since the line joining ''P'' and ''Q'' has rational coefficients. This way, one shows that the set of rational points of ''E'' forms a subgroup of the group of real points of ''E''.

Integral points

This section is concerned with points ''P'' = (''x'', ''y'') of ''E'' such that ''x'' is an integer.

For example, the equation ''y''² = ''x''³ + 17 has eight integral solutions with ''y'' > 0:
:(''x'', ''y'') = (−2, 3), (−1, 4), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), (, ).

As another example, Ljunggren's equation, a curve whose Weierstrass form is ''y''² = ''x''³ − 2''x'', has only four solutions with ''y'' â‰¥ 0 :
:(''x'', ''y'') = (0, 0), (−1, 1), (2, 2), (338, ).

The structure of rational points

Rational points can be constructed by the method of tangents and secants detailed above, starting with a ''finite'' number of rational points. More precisely the Mordell–Weil theorem states that the group ''E''(Q) is a finitely generated (abelian) group. By the fundamental theorem of finitely generated abelian groups it is therefore a finite direct sum of copies of Z and finite cyclic groups.

The proof of the theorem involves two parts. The first part shows that for any integer ''m'' > 1, the quotient group ''E''(Q)/''mE''(Q) is finite (this is the weak Mordell–Weil theorem). Second, introducing a height function ''h'' on the rational points ''E''(Q) defined by ''h''(''P''₀) = 0 and if ''P'' (unequal to the point at infinity ''P''₀) has as abscissa the rational number ''x'' = ''p''/''q'' (with coprime ''p'' and ''q''). This height function ''h'' has the property that ''h''(''mP'') grows roughly like the square of ''m''. Moreover, only finitely many rational points with height smaller than any constant exist on ''E''.

The proof of the theorem is thus a variant of the method of infinite descent and relies on the repeated application of Euclidean divisions on ''E'': let ''P'' ∈ ''E''(Q) be a rational point on the curve, writing ''P'' as the sum 2''P''₁ + ''Q''₁ where ''Q''₁ is a fixed representant of ''P'' in ''E''(Q)/2''E''(Q), the height of ''P''₁ is about of the one of ''P'' (more generally, replacing 2 by any ''m'' > 1, and by ). Redoing the same with ''P''₁, that is to say ''P''₁ = 2''P''₂ + ''Q''₂, then ''P''₂ = 2''P''₃ + ''Q''₃, etc. finally expresses ''P'' as an integral linear combination of points ''Q_i'' and of points whose height is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height function ''P'' is thus expressed as an integral linear combination of a finite number of fixed points.

The theorem however doesn't provide a method to determine any representatives of ''E''(Q)/''mE''(Q).

The rank of ''E''(Q), that is the number of copies of Z in ''E''(Q) or, equivalently, the number of independent points of infinite order, is called the ''rank'' of ''E''. The Birch and Swinnerton-Dyer conjecture is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known. The elliptic curve with the currently largest exactly-known rank is
:''y''² + ''xy'' + ''y'' = ''x''³ − ''x''² − ''x'' +

It has rank 20, found by Noam Elkies and Zev Klagsbrun in 2020. Curves of rank higher than 20 have been known since 1994, with lower bounds on their ranks ranging from 21 to 29, but their exact ranks are not known and in particular it is not proven which of them have higher rank than the others or which is the true "current champion".

As for the groups constituting the torsion subgroup of ''E''(Q), the following is known: the torsion subgroup of ''E''(Q) is one of the 15 following groups ( a theorem due to Barry Mazur): Z/''N''Z for ''N'' = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, or 12, or Z/2Z × Z/2''N''Z with ''N'' = 1, 2, 3, 4. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups over Q have the same torsion groups belong to a parametrized family.

The Birch and Swinnerton-Dyer conjecture

The ''Birch and Swinnerton-Dyer conjecture'' (BSD) is one of the Millennium problems of the Clay Mathematics Institute. The conjecture relies on analytic and arithmetic objects defined by the elliptic curve in question.

At the analytic side, an important ingredient is a function of a complex variable, ''L'', the Hasse–Weil zeta function of ''E'' over Q. This function is a variant of the Riemann zeta function and Dirichlet L-functions. It is defined as an Euler product, with one factor for every prime number ''p''.

For a curve ''E'' over Q given by a minimal equation
:$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$

with integral coefficients $a_i$, reducing the coefficients modulo ''p'' defines an elliptic curve over the finite field F_''p'' (except for a finite number of primes ''p'', where the reduced curve has a singularity and thus fails to be elliptic, in which case ''E'' is said to be of bad reduction at ''p'').

The zeta function of an elliptic curve over a finite field F_''p'' is, in some sense, a generating function assembling the information of the number of points of ''E'' with values in the finite field extensions F_''pⁿ'' of F_''p''. It is given by
:Z(E(\mathbf_p), T) = \exp\left(\sum_^\infty \# \left (_)\rightfrac\right)

The interior sum of the exponential resembles the development of the logarithm and, in fact, the so-defined zeta function is a rational function in ''T'':
:$Z(E(\mathbf_p), T) = \frac,$
where the 'trace of Frobenius' term $a_p$ is defined to be the difference between the 'expected' number $p+1$ and the number of points on the elliptic curve $E$ over $\mathbb_p$, viz.
:$a_p = p + 1 - \#E(\mathbb_p)$

or equivalently,

:$\#E(\mathbb_p) = p + 1 - a_p$.

We may define the same quantities and functions over an arbitrary finite field of characteristic $p$, with $q = p^n$ replacing $p$ everywhere.

The L-function of ''E'' over Q is then defined by collecting this information together, for all primes ''p''. It is defined by

:$L(E(\mathbf), s) = \prod_ \left(1 - a_p p^ + p^\right)^ \cdot \prod_ \left(1 - a_p p^\right)^$

where ''N'' is the conductor of ''E'', i.e. the product of primes with bad reduction $(\Delta (E\mod p)=0$), in which case ''a_p'' is defined differently from the method above: see Silverman (1986) below.

For example $E:y^2=x^3+14x+19$ has bad reduction at 17, because $E\mod17:y^2=x^3-3x+2$ has $\Delta=0$.

This product converges for Re(''s'') > 3/2 only. Hasse's conjecture affirms that the ''L''-function admits an analytic continuation to the whole complex plane and satisfies a functional equation relating, for any ''s'', ''L''(''E'', ''s'') to ''L''(''E'', 2 − ''s''). In 1999 this was shown to be a consequence of the proof of the Shimura–Taniyama–Weil conjecture, which asserts that every elliptic curve over ''Q'' is a modular curve, which implies that its ''L''-function is the ''L''-function of a modular form whose analytic continuation is known. One can therefore speak about the values of ''L''(''E'', ''s'') at any complex number ''s''.

At ''s'' = 1 (the conductor product can be discarded as it is finite), the ''L''-function becomes

:$L(E(\mathbf), 1) = \prod_ \left(1 - a_p p^ + p^\right)^ = \prod_ \frac = \prod_\frac$

The ''Birch and Swinnerton-Dyer conjecture'' relates the arithmetic of the curve to the behaviour of this ''L''-function at ''s'' = 1. It affirms that the vanishing order of the ''L''-function at ''s'' = 1 equals the rank of ''E'' and predicts the leading term of the Laurent series of ''L''(''E'', ''s'') at that point in terms of several quantities attached to the elliptic curve.

Much like the Riemann hypothesis, the truth of the BSD conjecture would have multiple consequences, including the following two:
* A congruent number is defined as an odd square-free integer ''n'' which is the area of a right triangle with rational side lengths. It is known that ''n'' is a congruent number if and only if the elliptic curve $y^2 = x^3 - n^2x$ has a rational point of infinite order; assuming BSD, this is equivalent to its ''L''-function having a zero at ''s'' = 1. Tunnell has shown a related result: assuming BSD, ''n'' is a congruent number if and only if the number of triplets of integers (''x'', ''y'', ''z'') satisfying $2x^2 + y^2 + 8z^2 = n$ is twice the number of triples satisfying $2x^2 + y^2 + 32z^2 = n$. The interest in this statement is that the condition is easy to check.
*In a different direction, certain analytic methods allow for an estimation of the order of zero in the center of the critical strip for certain ''L''-functions. Admitting BSD, these estimations correspond to information about the rank of families of the corresponding elliptic curves. For example: assuming the generalized Riemann hypothesis and BSD, the average rank of curves given by $y^2=x^3+ax+b$ is smaller than 2.

Elliptic curves over finite fields

Let ''K'' = F_''q'' be the finite field with ''q'' elements and ''E'' an elliptic curve defined over ''K''. While the precise number of rational points of an elliptic curve ''E'' over ''K'' is in general difficult to compute, Hasse's theorem on elliptic curves gives the following inequality:
:$, \# E(K) - (q + 1), \le 2\sqrt$

In other words, the number of points on the curve grows proportionally to the number of elements in the field. This fact can be understood and proven with the help of some general theory; see local zeta function and étale cohomology for example.

The set of points ''E''(F_''q'') is a finite abelian group. It is always cyclic or the product of two cyclic groups. For example, the curve defined by
:$y^2 = x^3 - x$

over F₇₁ has 72 points (71 affine points including (0,0) and one point at infinity) over this field, whose group structure is given by Z/2Z × Z/36Z. The number of points on a specific curve can be computed with Schoof's algorithm.

Studying the curve over the field extensions of F_''q'' is facilitated by the introduction of the local zeta function of ''E'' over F_''q'', defined by a generating series (also see above)
:Z(E(K), T) = \exp \left(\sum_^ \# \left (K_n)\right \right)

where the field ''K_n'' is the (unique up to isomorphism) extension of ''K'' = F_''q'' of degree ''n'' (that is, $K_n=F_$).

The zeta function is a rational function in ''T''. To see this, consider the integer $a$ such that

:$\#E(K) = 1 - a + q$

There is a complex number $\alpha$ such that

:$1 - a + q = (1 - \alpha)(1 - \bar\alpha)$

where $\bar\alpha$ is the complex conjugate, and so we have

:$\alpha+\bar\alpha = a$
:$\alpha\bar\alpha = q$

We choose $\alpha$ so that its absolute value is $\sqrt$, that is $\alpha = q^e^, \bar\alpha = q^e^$, and that $\cos \theta=\frac$. Note that $, a, \le2\sqrt$.

$\alpha$ can then be used in the local zeta function as its values when raised to the various powers of ''n'' can be said to reasonably approximate the behaviour of $a_n$, in that

:$\#E(K_n) = 1 - a_n + q^n$

Using the Taylor series for the natural logarithm,

:$\begin Z(E(K),T) & = \exp \left(\sum_^ \left(1 - \alpha^n - \bar\alpha^n + q^n\right) \right) \\ & = \exp \left(\sum_^ - \sum_^\alpha^n - \sum_^\bar\alpha^n + \sum_^q^n \right) \\ & = \exp \left(-\ln(1-T) + \ln(1-\alpha T) + \ln(1-\bar\alpha T) - \ln(1-qT) \right) \\ & = \exp \left(\ln\frac \right) \\ & =\frac \\ \end$

Then $(1 - \alpha T)(1 - \bar\alpha T) = 1 - aT + qT^2$, so finally

:$Z(E(K), T) = \frac$

For example, the zeta function of ''E'' : ''y''² + ''y'' = ''x''³ over the field F₂ is given by
:$\frac$

which follows from:
:$\left, E(\mathbf_) \ = \begin 2^r + 1 & r \text \\ 2^r + 1 - 2(-2)^ & r \text \end$

as $q=2$, then $, E, =2^1+1=3=1-a+2$, so $a=0$.

The functional equation is

:$Z \left(E(K), \frac \right) = \frac= \frac = Z(E(K), T)$

As we are only interested in the behaviour of $a_n$, we can use a reduced zeta function

:$Z(a, T) = \exp \left(\sum_^ -a_n \right)$

:$Z(a, T) = \exp \left(\sum_^ -\alpha^n - \bar\alpha^n \right)$

and so

:$Z(a, T) = \exp \left(\ln(1-\alpha T) + \ln(1-\bar\alpha T)\right)$

which leads directly to the local L-functions

:$L(E(K), T) = 1 - aT + qT^2$

The Sato–Tate conjecture is a statement about how the error term $2\sqrt$ in Hasse's theorem varies with the different primes ''q'', if an elliptic curve E over Q is reduced modulo q. It was proven (for almost all such curves) in 2006 due to the results of Taylor, Harris and Shepherd-Barron, and says that the error terms are equidistributed.

Elliptic curves over finite fields are notably applied in cryptography and for the factorization of large integers. These algorithms often make use of the group structure on the points of ''E''. Algorithms that are applicable to general groups, for example the group of invertible elements in finite fields, F*_''q'', can thus be applied to the group of points on an elliptic curve. For example, the discrete logarithm is such an algorithm. The interest in this is that choosing an elliptic curve allows for more flexibility than choosing ''q'' (and thus the group of units in F_''q''). Also, the group structure of elliptic curves is generally more complicated.

Elliptic curves over a general field

Elliptic curves can be defined over any field ''K''; the formal definition of an elliptic curve is a non-singular projective algebraic curve over ''K'' with genus 1 and endowed with a distinguished point defined over ''K''.

If the characteristic of ''K'' is neither 2 nor 3, then every elliptic curve over ''K'' can be written in the form
:$y^2 = x^3 - px - q$

after a linear change of variables. Here ''p'' and ''q'' are elements of ''K'' such that the right hand side polynomial ''x''³ − ''px'' − ''q'' does not have any double roots. If the characteristic is 2 or 3, then more terms need to be kept: in characteristic 3, the most general equation is of the form
:$y^2 = 4x^3 + b_2 x^2 + 2b_4 x + b_6$

for arbitrary constants ''b''₂, ''b''₄, ''b''₆ such that the polynomial on the right-hand side has distinct roots (the notation is chosen for historical reasons). In characteristic 2, even this much is not possible, and the most general equation is

:$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$

provided that the variety it defines is non-singular. If characteristic were not an obstruction, each equation would reduce to the previous ones by a suitable linear change of variables.

One typically takes the curve to be the set of all points (''x'',''y'') which satisfy the above equation and such that both ''x'' and ''y'' are elements of the algebraic closure of ''K''. Points of the curve whose coordinates both belong to ''K'' are called ''K''-rational points.

Many of the preceding results remain valid when the field of definition of ''E'' is a number field ''K'', that is to say, a finite field extension of Q. In particular, the group ''E(K)'' of ''K''-rational points of an elliptic curve ''E'' defined over ''K'' is finitely generated, which generalizes the Mordell–Weil theorem above. A theorem due to Loïc Merel shows that for a given integer ''d'', there are (up to isomorphism) only finitely many groups that can occur as the torsion groups of ''E''(''K'') for an elliptic curve defined over a number field ''K'' of degree ''d''. More precisely, there is a number ''B''(''d'') such that for any elliptic curve ''E'' defined over a number field ''K'' of degree ''d'', any torsion point of ''E''(''K'') is of order less than ''B''(''d''). The theorem is effective: for ''d'' > 1, if a torsion point is of order ''p'', with ''p'' prime, then
:$p < d^$

As for the integral points, Siegel's theorem generalizes to the following: Let ''E'' be an elliptic curve defined over a number field ''K'', ''x'' and ''y'' the Weierstrass coordinates. Then there are only finitely many points of ''E(K)'' whose ''x''-coordinate is in the ring of integers ''O''_''K''.

The properties of the Hasse–Weil zeta function and the Birch and Swinnerton-Dyer conjecture can also be extended to this more general situation.

Elliptic curves over the complex numbers

The formulation of elliptic curves as the embedding of a torus in the complex projective plane follows naturally from a curious property of Weierstrass's elliptic functions. These functions and their first derivative are related by the formula

:$\wp'(z)^2 = 4\wp(z)^3 -g_2\wp(z) - g_3$

Here, and are constants; is the Weierstrass elliptic function and its derivative. It should be clear that this relation is in the form of an elliptic curve (over the complex numbers). The Weierstrass functions are doubly periodic; that is, they are periodic with respect to a lattice ; in essence, the Weierstrass functions are naturally defined on a torus . This torus may be embedded in the complex projective plane by means of the map

:z \mapsto \left : \wp(z) : \tfrac12\wp'(z)\right/math>

This map is a group isomorphism of the torus (considered with its natural group structure) with the chord-and-tangent group law on the cubic curve which is the image of this map. It is also an isomorphism of Riemann surfaces from the torus to the cubic curve, so topologically, an elliptic curve is a torus. If the lattice is related by multiplication by a non-zero complex number to a lattice , then the corresponding curves are isomorphic. Isomorphism classes of elliptic curves are specified by the -invariant.

The isomorphism classes can be understood in a simpler way as well. The constants and , called the modular invariants, are uniquely determined by the lattice, that is, by the structure of the torus. However, all real polynomials factorize completely into linear factors over the complex numbers, since the field of complex numbers is the algebraic closure of the reals. So, the elliptic curve may be written as

:$y^2 = x(x - 1)(x - \lambda)$

One finds that
:\begin
g_2' &= \frac \left(\lambda^2 - \lambda + 1\right) \\ ptg_3' &= \frac (\lambda + 1)\left(2\lambda^2 - 5\lambda + 2\right)
\end

and

:$j(\tau) = 1728\frac = 256\frac$

with -invariant and is sometimes called the modular lambda function. For example, let , then which implies , , and therefore of the formula above are all algebraic numbers if involves an imaginary quadratic field. In fact, it yields the integer .

In contrast, the modular discriminant
:$\Delta(\tau) = g_2(\tau)^3 - 27g_3(\tau)^2 = (2\pi)^\,\eta^(\tau)$
is generally a transcendental number. In particular, the value of the Dedekind eta function is

:$\eta(2i)=\frac$

Note that the uniformization theorem implies that every compact Riemann surface of genus one can be represented as a torus. This also allows an easy understanding of the torsion points on an elliptic curve: if the lattice is spanned by the fundamental periods and , then the -torsion points are the (equivalence classes of) points of the form
:$\frac \omega_1 + \frac \omega_2$

for integers and in the range .

If

:$E : y^2=4(x-e_1)(x-e_2)(x-e_3)$

is an elliptic curve over the complex numbers and

:$a_0=\sqrt, \qquad b_0=\sqrt, \qquad c_0=\sqrt,$

then a pair of fundamental periods of can be calculated very rapidly by

:$\omega_1=\frac, \qquad \omega_2=\frac$

is the arithmetic–geometric mean of and . At each step of the arithmetic–geometric mean iteration, the signs of arising from the ambiguity of geometric mean iterations are chosen such that where and denote the individual arithmetic mean and geometric mean iterations of and , respectively. When , there is an additional condition that .

Over the complex numbers, every elliptic curve has nine inflection points. Every line through two of these points also passes through a third inflection point; the nine points and 12 lines formed in this way form a realization of the Hesse configuration.

The dual isogeny

Given an isogeny
: $f : E \to E'$
of elliptic curves of degree $n$, the dual isogeny is an isogeny
: $\hat : E' \to E$
of the same degree such that
: f \circ \hat =

Here /math> denotes the multiplication-by-$n$ isogeny $e \mapsto ne$ which has degree $n^2.$

Construction of the dual isogeny

Often only the existence of a dual isogeny is needed, but it can be explicitly given as the composition
: $E' \to \operatorname^0(E') \to \operatorname^0(E) \to E,$
where $\operatorname^0$ is the group of divisors of degree 0. To do this, we need maps $E \to \operatorname^0(E)$ given by $P \to P - O$ where $O$ is the neutral point of $E$ and $\operatorname^0(E) \to E$ given by $\sum n_P P \to \sum n_P P.$

To see that f \circ \hat = /math>, note that the original isogeny $f$ can be written as a composite
: $E \to \operatorname^0(E) \to \operatorname^0(E') \to E',$
and that since $f$ is finite of degree $n$, $f_* f^*$ is multiplication by $n$ on $\operatorname^0(E').$

Alternatively, we can use the smaller Picard group $\operatorname^0$, a quotient of $\operatorname^0.$ The map $E \to \operatorname^0(E)$ descends to an isomorphism, $E \to \operatorname^0(E).$ The dual isogeny is
: $E' \to \operatorname^0(E') \to \operatorname^0(E) \to E.$

Note that the relation f \circ \hat = /math> also implies the conjugate relation \hat \circ f = Indeed, let $\phi = \hat \circ f.$ Then \phi \circ \hat = \hat \circ = \circ \hat. But $\hat$ is surjective, so we must have \phi =

Algorithms that use elliptic curves

Elliptic curves over finite fields are used in some cryptographic applications as well as for integer factorization. Typically, the general idea in these applications is that a known algorithm which makes use of certain finite groups is rewritten to use the groups of rational points of elliptic curves. For more see also:
* Elliptic curve cryptography
** Elliptic-curve Diffie–Hellman key exchange (ECDH)
** Supersingular isogeny key exchange
** Elliptic curve digital signature algorithm (ECDSA)
** EdDSA digital signature algorithm
** Dual EC DRBG random number generator
* Lenstra elliptic-curve factorization
* Elliptic curve primality proving

Alternative representations of elliptic curves

* Hessian curve
* Edwards curve
* Twisted curve
* Twisted Hessian curve
* Twisted Edwards curve
* Doubling-oriented Doche–Icart–Kohel curve
* Tripling-oriented Doche–Icart–Kohel curve
* Jacobian curve
* Montgomery curve

See also

* Arithmetic dynamics
* Elliptic algebra
* Elliptic surface
* Comparison of computer algebra systems
* Isogeny
* j-line
* Level structure (algebraic geometry)
* Modularity theorem
* Moduli stack of elliptic curves
* Nagell–Lutz theorem
* Riemann–Hurwitz formula
* Wiles's proof of Fermat's Last Theorem

Notes

References

Serge Lang, in the introduction to the book cited below, stated that "It is possible to write endlessly on elliptic curves. (This is not a threat.)" The following short list is thus at best a guide to the vast expository literature available on the theoretical, algorithmic, and cryptographic aspects of elliptic curves.
*
* , winner of the MAA writing prize the George Pólya Award
*
*
*
* Chapter XXV
*
*
*
*
*
*
*
*
*
*
*
*
*
*

External links

LMFDB: Database of Elliptic Curves over Q
*
*

The Arithmetic of elliptic curves
from PlanetMath

Interactive elliptic curve over R
an
over Zp
– web application that requires HTML5 capable browser.

{{DEFAULTSORT:Elliptic Curve

Analytic number theory
Group theory