Algorithmic Number Theory

MSRI Publications
Volume 44, 2008

Elliptic curves
BJORN POONEN

A BSTRACT. This is an introduction to some aspects of the arithmetic of ellip-

tic curves, intended for readers with little or no background in number theory
and algebraic geometry. In keeping with the rest of this volume, the presenta-
tion has an algorithmic slant. We also touch lightly on curves of higher genus.
Readers desiring a more systematic development should consult one of the
references for further reading suggested at the end.

C ONTENTS
1. Plane curves 183
2. Projective geometry 185
3. Determining X.Q/: subdivision by degree 186
4. Elliptic curves 188
5. Structure of E.k/ for various fields k 190
6. Elliptic curves over the rational numbers 192
7. The elliptic curve factoring method 197
8. Curves of genus greater than 1 201
9. Further reading 204
References 205

1. Plane curves
Let k be a field. For instance, k could be the field Q of rational numbers,
the field R of real numbers, the field C of complex numbers, the field Qp of
p-adic numbers (see [Koblitz 1984] for an introduction), or the finite field Fq of
q elements (see Chapter I of [Serre 1973]). Let k be an algebraic closure of k.
A (geometrically integral, affine) plane curve X over k is defined by an equa-
tion f .x; y/ D 0 where f .x; y/ D aij x i y j 2 kŒx; y is irreducible over k.
P

The writing of this article was supported by NSF grant DMS-9801104, and a Packard Fellowship.

183
184 BJORN POONEN

One defines the degree of X and of f by

deg X D deg f D maxfi C j W aij 6D 0g:
A k-rational point (or simply k-point) on X is a point .a; b/ with coordinates in
k such that f .a; b/ D 0. The set of all k-rational points on X is denoted X.k/.
E XAMPLE . The equation x 2 y 6y 2 11 D 0 defines a plane curve X over Q
of degree 3, and .5; 1=2/ 2 X.Q/.
Already at this point we can state an open problem, one which over the centuries
has served as motivation for the development of a huge amount of mathematics.
Q UESTION . Is there an algorithm, that given a plane curve X over Q, determines
X.Q/, or at least decides whether X.Q/ is nonempty?
Although X.Q/ need not be finite, we will see later that it always admits a finite
description, so this problem of determining X.Q/ can be formulated precisely
using the notion of Turing machine: see [Hopcroft and Ullman 1969] for a
definition. For the relationship of this question to Hilbert’s Tenth Problem, see
the survey [Poonen 2002].
The current status is that there exist computational methods that often answer
the question for a particular X , although it has never been proved that these
methods work in general. Even the following are unknown:
(1) Is there an algorithm that given a degree 4 polynomial f .x/ 2 QŒx, deter-
mines whether y 2 D f .x/ has a rational point?
(2) Is there an algorithm that given a polynomial f .x; y/ 2 QŒx; y of degree 3,
determines whether f .x; y/ D 0 has a rational point?
In fact, problems (1) and (2) are equivalent, although this is by no means obvi-
ous! (For the experts: both (1) and (2) are equivalent to
(3) Is there an algorithm to compute the rank of an elliptic curve over Q?
If the answer to (1) is yes, then one can compute the rank of any elliptic curve
over Q, by 2-descent. Conversely, if the answer to (3) is yes, the answer to (1) is
also yes, since the only difficult case of (1) is when y 2 D f .x/ is a locally trivial
principal homogeneous space of an elliptic curve E over Q, hence represented
by an element of the 2-Selmer group of E, and knowledge of the rank of E.Q/
lets one decide whether its image in X.E/ is nontrivial. Similarly (2) and (3)
are equivalent, via 3-descent.)
 ELLIPTIC CURVES 185

2. Projective geometry
2.1. The projective plane. The affine plane A2 is the usual plane, with A2 .k/ D
f.a; b/ W a; b 2 kg for any field k. One “compactifies” A2 by adjoining some
points “at infinity” to produce the projective plane P2 . One of the main reasons
for doing this is to make intersection theory work better: see Bézout’s Theorem
in Section 2.3.
The set of k-points on the projective plane P2 can be defined directly as
P2 .k/ WD .k 3 0/=k  . In other words, a k-rational point on P2 is an equiva-
lence class of triples .a; b; c/ with a; b; c 2 k not all zero, under the equivalence
relation , where .a; b; c/  .a; b; c/ for any  2 k  . The equivalence class
of .a; b; c/ is denoted .a W b W c/. One can also identify P2 .k/ with the set of
lines through 0 in .x; y; z/-space.
The injection A2 .k/ ΠP2 .k/ mapping .a; b/ to .a W b W 1/ is almost a bijec-
tion: the points of P2 .k/ not in the image, namely those of the form .a W b W 0/,
form a projective line P1 .k/ of “points at infinity”. Viewing P2 .k/ as lines
through 0 in .x; y; z/-space, A2 .k/ is the set of such lines passing through
.a; b; 1/ for some a; b 2 k, and the complement P1 .k/ is the set of (horizontal)
lines through 0 in the .x; y/-plane.
Also, P2 can be covered by three copies of A2 , namely f.x W y W z/ j x 6D 0g,
f.x W y W z/ j y 6D 0g, and f.x W y W z/ j z 6D 0g.
2.2. Projective closure of curves. The homogenization of a polynomial f .x; y/
of degree d is F.X; Y; Z/ WD Z d f .X=Z; Y =Z/. In other words, one changes
x to X , y to Y , and then appends enough factors of Z to each monomial to
bring the total degree of each monomial to d. One can recover f as f .x; y/ D
F.x; y; 1/.
If f .x; y/ D 0 is a plane curve C in A2 , its projective closure is the curve
C in P2 defined by the homogenized equation F.X; Y; Z/ D 0. The curve C
e e
equals C plus some points “at infinity”.
E XAMPLE . If f .x; y/ D y 2 x3 C x 7, then

F.X; Y; Z/ D Y 2 Z X 3 C XZ 2 7Z 3

and
e.Q/ D fzeros of F g
C
Q
fzeros of F.X; Y; 0/g 0
D fzeros of F.X; Y; 1/g [
Q
D C.Q/ [ fP g;
where P is the point .0 W 1 W 0/ “at infinity”.
186 BJORN POONEN

2.3. Bézout’s Theorem. As mentioned earlier, one of the primary reasons

for working in the projective plane is to obtain a good intersection theory. Let
F.X; Y; Z/ D 0 and G.X; Y; Z/ D 0 be curves in P2 over k, of degree m and n,
respectively. Bézout’s Theorem states that they intersect in exactly mn points
of P2 , provided that
(i) F and G have no nontrivial common factor,
(ii) one works over an algebraically closed field, and
(iii) one counts intersection points with multiplicity (in case of singularities, or
points of tangency).
We have given condition (i) in a form that yields a correct statement of Bézout’s
Theorem even without our assumption that plane curves are defined by irre-
ducible polynomials. Of course, if F and G are irreducible, condition (i) states
simply that the curves do not coincide.

3. Determining X.Q/: subdivision by degree

We return to the problem of determining the set of rational points X.Q/,
where X is an affine plane curve f .x; y/ D 0 over Q or its projective closure.
Let d D deg f . We will look at the problem for increasing values of d.
3.1. d D 1: lines. We know how to parameterize the rational points on ax C
by C c D 0!
3.2. d D 2: conics. Legendre proved that conics satisfy the Hasse Principle.
This means: X has a Q-point if and only if X has an R-point and a Qp -point
for each prime p. Since a projective conic is described by a quadratic form
in three variables, Legendre’s result can be viewed as a special case of the
Hasse–Minkowski Theorem [Serre 1973, Chapter IV, ~ 3.2], which states that
a quadratic form in n variables over Q represents 0 (in other words, takes the
value 0 on some arguments in Q not all zero) if and only if it represents 0 over
R and Qp for all p.
Legendre’s Theorem leads to an algorithm to determine the existence of a Q-
point on a conic X . Here is one such algorithm: complete the square, multiply
by a constant, and absorb squares into the variables, to reduce to the case of
aX 2 C bY 2 C cZ 2 D 0 in P2 , where a; b; c are nonzero, squarefree, pairwise
relatively prime integers. Then one can show that there exists a Q-point if and
only if a; b; c are not all of the same sign and the congruences
ax 2 C b  0 .mod c/;
by 2 C c  0 .mod a/;
cz 2 C a  0 .mod b/
 ELLIPTIC CURVES 187

are solvable in integers. Moreover, in this case, aX 2 C bY 2 C cZ 2 D 0 has a

nontrivial solution in integers X; Y; Z satisfying jX j  jbcj1=2 , jY j  jacj1=2 ,
and jZj  jabj1=2 . See [Mordell 1969].
In the case where the conic X has a Q-point P0 , there remains the problem
of describing the set of all Q-points. For this there is a famous trick: for each
P 2 X.Q/ draw the line through P0 and P , and let t be its slope, which will
be in Q (or maybe 1). Conversely, given t 2 Q, Bézout’s Theorem guarantees
that the line through P0 with slope t will intersect the conic in one other point
(provided that this line is not tangent to the conic at P0 ), and this will be a
rational point.
For example, if X is the circle x 2 C y 2 D 1 and P0 D . 1; 0/, then
1 t2
 
2t
tŽ ; ;
1 C t2 1 C t2
y
 .x; y/
x C1
define birational maps from A1 to X and back: this means that, ignoring finitely
many subsets of smaller dimension (a few points), they are maps given by ra-
tional functions of the variables that induce a bijection between the Q-points on
each side. These birational maps are defined over Q; that is, the coefficients of
the rational functions are in Q, so they also induce a bijection between Q-points
(ignoring the same subsets as before). In particular, the complete set of rational
solutions to x 2 C y 2 D 1 is
1 t2 2t
n  o
; W t 2 Q [ f. 1; 0/g:
1Ct 2 1Ct 2
3.3. d D 3: plane cubics. Lind [1940] and Reichardt [1942] discovered that the
Hasse Principle can fail for plane curves of degree 3. Here is a counterexample
due to Selmer [1951; 1954]: the curve 3X 3 C 4Y 3 C 5Z 3 D 0 in P2 has an
R-point (.. 4=3/1=3 W 1 W 0/ is one) and a Qp -point for each prime p, but it has
no Q-point. (For p > 5, the existence of Qp -points can be proved by combining
Hensel’s Lemma [Koblitz 1984, Theorem 3] with a counting argument to prove
the existence of solutions modulo p. For p D 2; 3; 5, a more general form
of Hensel’s Lemma can be used [Koblitz 1984, Chapter I, Exercise 6]. The
nonexistence of Q-points is more difficult to establish.)
As mentioned at the beginning of this article, deciding whether a plane cubic
curve has a rational point is currently an unsolved problem. For the time being,
we will restrict attention to those plane cubic curves that do have a rational
point. These are called elliptic curves, and are birational to curves defined by
a equation of a simple form. This leads to the first of the official definitions of
elliptic curves that we present in the next section.
188 BJORN POONEN

4. Elliptic curves
4.1. Equivalent definitions. Let k be a perfect field. An elliptic curve over k
can be defined as any one of the following:
(i) The projective closure of a nonsingular curve defined by a “Weierstrass equa-
tion”
y 2 C a1 xy C a3 y D x 3 C a2 x 2 C a4 x C a6
with a1 ; a2 ; a3 ; a4 ; a6 2 k. If the characteristic of k is not 2 or 3, one may
restrict attention to projective closures of curves
y 2 D x 3 C Ax C B:
One can show that this is nonsingular if and only if x 3 C Ax C B has distinct
roots in k, and that this holds if and only if the quantity
WD 16.4A3 C
27B 2 / is nonzero.
(ii) A nonsingular projective genus 1 curve over k equipped with a k-rational
point O.
(iii) A one-dimensional projective group variety over k.
We need to define several of the terms occurring here. (Even then it will not be
obvious that the definitions above are equivalent.)
4.2. Singularities. If .0; 0/ is a point on the affine curve f .x; y/ D 0 over
k, then .0; 0/ is a singular point if @f =@x and @f =@y both vanish at .0; 0/.
Equivalently, .0; 0/ is singular if f D f2 Cf3 C


Cfd where each fi 2 kŒx; y
is a homogeneous polynomial of degree i . For instance .0; 0/ is singular on
y 2 D x 3 and on y 2 D x 3 Cx 2 , but not on y 2 D x 3 x. More generally, .a; b/ is
singular on f .x; y/ D 0 if and only if .0; 0/ is singular on f .X Ca; Y Cb/ D 0.
An affine curve is nonsingular if it has no singular points. A projective curve
F.X; Y; Z/ D 0 is nonsingular if its “affine pieces” F.x; y; 1/ D 0, F.x; 1; z/ D
0, F.1; y; z/ D 0 are nonsingular. (One can generalize these notions to curves
in higher dimensional affine or projective spaces. This is important because
although every plane curve X , singular or not, is birational to some nonsingular
projective curve Y , sometimes such a Y cannot be found in the plane.)
Smooth is a synonym for nonsingular, at least for curves over a perfect field k.
4.3. Genus. Let X be a nonsingular projective curve over a perfect field k. The
genus of X is a nonnegative integer g that measures the geometric complexity
of X . It has the following equivalent definitions:
(A) g D dimk ˝ where ˝ is the vector space of regular differentials on X .
(Regular means “no poles”. If k D C, then regular is equivalent to holomor-
phic.)
 ELLIPTIC CURVES 189

(B) g is the topological genus (number of handles) of the compact Riemann

surface X.C/. (This definition makes sense only if k can be embedded in C.)
(C) g D 12 .d 1/.d 2/ (terms for singularities of Y ), where Y is a (possibly
singular) plane curve birational to X and d is the degree of Y . For example,
a nonsingular plane cubic curve has genus 1.
We will not prove the equivalence of these definitions.
4.4. Group law: definition. To say that an elliptic curve E over k is a group
variety means roughly that there is an “addition” map E  E ! E, given by
rational functions, that induces a group structure on E.L/ for any field extension
L of k. We now explain what the group law on E.k/ is, for an elliptic curve E
presented as a plane cubic curve in Weierstrass form.
The group law is characterized by the following two rules:
(i) The point O D .0 W 1 W 0/ at infinity is the identity of the group.
(ii) If a line L intersects E in three k-points P; Q; R 2 E.k/ (taking multiplic-
ities into account), then P C Q C R D O in the group law.
From these one deduces:
(a) Given P 2 E.k/ not equal to 0, the vertical line through P intersects E in
P , O, and a third point which is P .
(b) Given P; Q 2 E.k/ not equal to O, the line through P and Q (take the
tangent to E at P if P D Q) intersects E at P , Q, and a third point R 2 E.k/.
If R D O, then P C Q D O; otherwise P C Q D R, where R can be
constructed as in (a).
Note that E.k/ is an abelian group.
4.5. Group law: formulas. It is easy to see that, at least generically, the coor-
dinates of P C Q can be expressed as rational functions in the coordinates of P
and Q. Here we present explicit formulas that give an algorithm for computing
P C Q. The existence of these formulas will be important in Section 7.5 as we
develop the elliptic curve factoring method.
To compute the sum R of points P; Q 2 E.k/ on y 2 D x 3 C Ax C B over k:
1. If P D O, put R D Q and stop.
2. If Q D O, put R D P and stop.
3. Otherwise let P D .x1 W y1 W 1/ and Q D .x2 W y2 W 1/. If x1 6D x2 , put
1
 D .y1 y2 /.x1 x2 / ;
2
x3 D  x1 x2 ;
y3 D .x1 x3 / y1 ;
R D .x3 W y3 W 1/;
and stop.
190 BJORN POONEN

4. If x1 D x2 and y1 D y2 , put R D O and stop.

5. If x1 D x2 and y1 6D y2 (so P D Q), put
 D .3x12 C A/.y1 C y2 / 1
;
2
x3 D  x1 x2 ;
y3 D .x1 x3 / y1 ;
R D .x3 W y3 W 1/;
and stop.
This requires O.1/ field operations in k. Using projective coordinates renders
division unnecessary.
4.6. Group law: examples. Let E be the elliptic curve y 2 D x 3 25x. (From
now on, when we give a nonhomogeneous equation for an elliptic curve E, it
is understood that we really mean for E to be defined as the projective closure
of this affine curve.) Since x 3 25x has distinct roots, E is nonsingular, so E
really is an elliptic curve. The line L through P WD . 4; 6/ and Q WD .0; 0/ has
the equation y D . 3=2/x. We compute L \ E by substitution:
.. 3=2/x/2 D x 3 25x
0 D .x C 4/x.x 25=4/
and find L\E D fP; Q; Rg where R WD .25=4; 75=8/. Thus P CQCR D O
in the group law, and P C Q D R D .25=4; 75=8/.
The intersection of the line X D 0 in P2 with E W Y 2 Z D X 3 25XZ 2
is X D 0 D Y 2 Z, which gives .0 W 1 W 0/ D O and .0 W 0 W 1/ D Q, the latter
with multiplicity 2. (Geometrically, this corresponds to the vertical line x D 0
being tangent to E at Q.) Thus Q C Q C O D O, and 2Q D O; that is, Q is a
point of order 2, a 2-torsion point. (In general, the nonzero 2-torsion points on
y 2 D x 3 C Ax C B are .˛; 0/ where ˛ is a root of x 3 C Ax C B: they form a
subgroup of E.k/ isomorphic to Z=2Z  Z=2Z.)

5. Structure of E.k/ for various fields k

What kind of group is E.k/?
5.1. Elliptic curves over the complex numbers. On one hand E.C/ is a
complex manifold, but on the other hand it is a group, and the coordinates of
P C Q are rational functions in the coordinates of P and Q, so the group law
is holomorphic. Hence E.C/ is a 1-dimensional Lie group over C. Moreover,
E.C/ is closed in P2 .C/, which is compact, so E.C/ is compact. It turns out that
it is also connected. By the classification of compact connected 1-dimensional
Lie groups over C, we must have E.C/ ' C= as Lie groups over C, for some
 ELLIPTIC CURVES 191

lattice  D Z!1 C Z!2 , where !1 ; !2 are an R-basis of C. The !i are called

periods, because there is a meromorphic function }.z/ on C defined below such
that }.z C !/ D }.z/ for all ! 2 . The lattice  is not uniquely determined
by E; scaling it by a nonzero complex number does not affect the isomorphism
type of C=. But a particular  can be singled out if a nonzero holomorphic
differential on E is also given (to be identified with dz on C=).
Suppose conversely that we start with a discrete rank 2 lattice  in C. In
other words,  D Z!1 C Z!2 for an R-basis !1 ; !2 of C. We will show how
to reverse the previous paragraph to find aPcorresponding elliptic curve E over
C. Set g2 D 60 !2 ! and g3 D 140 0!2 ! 6 where the 0 means “omit
P0 4

the ! D 0 term”. Let

}.z/ D z 2 C 0!2 ..z !/ 2 ! 2 /:
P

Then one can prove the following: }.z/ is meromorphic on C with poles in
, }.z C !/ D }.z/ for all ! 2 , and z ‘ .}.z/; } 0 .z// defines an analytic
isomorphism C= ! E.C/ where E is the elliptic curve
y 2 D 4x 3 g2 x g3
over C. (The poles of }.z/ correspond under the isomorphism to the point
O 2 E.C/ at infinity.) The differential dx=y on E pulls back to dz on C=;
hence the inverse map E.C/ ! C= is given by
Z .a;b/ Z a
dx dx
.a; b/ ‘ D p
O y 1 4x 3 g2 x g3
(with suitable choice of path and branch).
More generally, Riemann proved that any compact Riemann surface is iso-
morphic as complex manifold to X.C/ for some nonsingular projective curve
X over C.
5.2. Elliptic curves over the real numbers. Let E be an elliptic curve y 2 D
f .x/ over R, where f .x/ D x 3 C Ax C B 2 RŒx is squarefree. This time E.R/
is a 1-dimensional compact commutative Lie group over R. Considering the
intervals where f is nonnegative, we find that E.R/ has one or two connected
components, according as f has one real root, or three real roots. Since the
circle group
R=Z ' fz 2 C W jzj D 1g
is the only connected 1-dimensional compact commutative Lie group over R, it
follows that
R=Z if f has 1 real root,

E.R/ '
R=Z  Z=2Z if f has 3 real roots.
192 BJORN POONEN

The group E.R/ can also be viewed as the subgroup of E.C/ fixed by com-
plex conjugation. If E is defined over R, one can choose  of the previous
section to be stable under complex conjugation, and the coordinatewise action
of complex conjugation on E.C/ corresponds to the natural action on C=. If a
nonzero regular differential on E (defined over R) is fixed, then  is determined,
and in this situation one defines the real period as the positive generator of the
infinite cyclic group  \ R.
5.3. Elliptic curves over finite fields. Let E be an elliptic curve over the finite
field Fq of q elements. Since E.Fq / is a subset of P2 .Fq /, E.Fq / is a finite
abelian group. Hasse proved
#E.Fq / D q C 1 a;
p
where jaj  2 q. This is a special case of the “Weil conjectures” (now proved).
Moreover, an algorithm of Schoof [1985] computes #E.Fq / in time .log q/O.1/
as follows: an algorithm we will not explain determines #E.Fq / mod ` for each
prime ` up to about log q, and then the Chinese Remainder Theorem recovers
#E.Fq /.
E XAMPLE 1. Let E be the elliptic curve y 2 D x 3 x C 1 over F3 . Hasse’s
Theorem implies 1  #E.F3 /  7. In fact,
E.F3 / D f.0; 1/; .0; 2/; .1; 1/; .1; 2/; .2; 1/; .2; 2/; Og;
and E.F3 / ' Z=7Z. Here is an exercise for the reader, an instance of what is
called the elliptic discrete logarithm problem: which multiple of .0; 1/ equals
.1; 1/?
E XAMPLE 2. Let E be the elliptic curve y 2 D x 3 x over F3 . Then
E.F3 / D f.0; 0/; .1; 0/; .2; 0/; Og;
and E.F3 / ' Z=2Z  Z=2Z.

6. Elliptic curves over the rational numbers

6.1. Mordell’s Theorem. Let E be an elliptic curve over Q. Mordell proved
that E.Q/ is a finitely generated abelian group:
E.Q/ ' Zr  T;
where r 2 Z0 is called the rank, and T D E.Q/tors is a finite abelian group
called the torsion subgroup. (This is sometimes called the Mordell–Weil the-
orem, because Weil proved a generalization for abelian varieties over number
fields. Abelian varieties are projective group varieties of arbitrary dimension.)
 ELLIPTIC CURVES 193

Although T can be computed in polynomial time, it is not known whether r

is computable. We will say a little more about the latter at the end of Section 6.7.

E XAMPLE 1. Let E be the elliptic curve y 2 D x 3 25x over Q. With work,

one can show
E.Q/ ' Z  Z=2Z  Z=2Z;

where E.Q/=E.Q/tors is generated by . 4; 6/.

E XAMPLE 2. Let E be the elliptic curve y 2 C y D x 3 x 2 over Q, also known

as “the modular curve X1 .11/”. Then

E.Q/ D f.0; 0/; .0; 1/; .1; 0/; .1; 1/; Og ' Z=5Z:

E XAMPLE 3. Let E be the elliptic curve 1063y 2 D x 3 x. (This is not in Weier-

strass form, but it is isomorphic to y 2 D x 3 10632 x.) Using “Heegner points on
modular curves”, Elkies [1994] computed that E.Q/ ' Z  Z=2Z  Z=2Z, where
E.Q/=E.Q/tors is generated by a point with x-coordinate q 2 =1063, where

11091863741829769675047021635712281767382339667434645
qD :
317342657544772180735207977320900012522807936777887

E XAMPLE 4. Let E be the elliptic curve y 2 C xy C y D x 3 C ax C b where

a D 120039822036992245303534619191166796374; and
b D 504224992484910670010801799168082726759443756222911415116:

Martin and McMillen [2000] showed that E.Q/ ' Zr , where r  24.

A folklore conjecture predicts that as E varies over all elliptic curves over Q,
the rank r can be arbitrarily large. But the present author does not believe this.

6.2. One-dimensional affine group varieties over k. One way to begin study-
ing an elliptic curve over Q or another number field is to reduce its coefficients
modulo a prime and to study the resulting curve over a finite field. Unfortunately,
the result can be singular even if the original curve was nonsingular. It turns out
that upon deleting the singularity, we obtain a one-dimensional group variety,
but it is no longer an elliptic curve: it is affine instead of projective due to the
deletion.
The one-dimensional affine group varieties G over k can be classified. For
simplicity, we assume that k is a perfect field of characteristic not 2. The table
on the next page lists all possibilities.
194 BJORN POONEN

G variety group law G.k/

Ga A1 x1 ; x2 ‘ x1 C x2 k; under C
Gm xy D 1 .x1 ; y1 /; .x2 ; y2 / ‘ .x1 x2 ; y1 y2 / k  ; under

.a/ p norm
x 2 ay 2 D 1 .x1 ; y1 /; .x2 ; y2 / ‘ ker k. a/ Ž k 


Gm
.x1 x2 C ay1 y2 ; x1 y2 C x2 y1 /
The first column gives the group variety G, which is either the additive group
.a/
Ga , or the multiplicative group Gm or one of its twists Gm for some a 2 k  .
.a/
The isomorphism type of Gm as a group variety is determined by the image of
.a/
a in k  =k 2 . If a 2 k 2 , then Gm is isomorphic to Gm .
The second column describes G as a variety; in each case, G is either A1
or a plane curve in A2 . The third column expresses the group law morphism
G  G ! G in coordinates. The final column describes the group of rational
points G.k/.
6.3. Singular Weierstrass cubics. If E is a singular curve defined as the
projective closure of
y 2 D x 3 C ax 2 C bx C c
then there is at most one singularity. (Otherwise the formula for the genus
would produce a negative integer.) Let P0 be the singularity. By a change
of variables, we may assume that P0 D .0; 0/. The equation then has the form
p
.y 2 ax 2 / x 3 D 0. The tangent line(s) to the branches at .0; 0/ are y D ˙ ax.
The singularity is called a node or a cusp according as a 6D 0 or a D 0.
In either case, Ens WD E fP0 g becomes a one-dimensional affine group
variety using the same geometric construction as in the nonsingular case. (A
line L through two nonsingular points cannot pass through P0 , because the
intersection multiplicity at P0 would be at least 2, and Bézout’s Theorem would
be violated.) In fact,
8
<Ga
ˆ if a D 0 (cusp),
Ens ' Gm if a 2 k 2 (node),
:G.a/ if a is a nonsquare (node).
ˆ
m

E XAMPLE . If E is the projective closure of y 2 D x 3 , which has a cusp at .0; 0/,

then the isomorphism is given by
Ens “ Ga ;
.x; y/ Ž x=y;
.t W 1 W t 3 / D .t 2
;t 3
/  t:
The isomorphism respects the group structures: one can check for example that
.t W 1 W t 3 /, .u W 1 W u3 /, and .v W 1 W v 3 / are collinear in P2 whenever t CuCv D 0.
 ELLIPTIC CURVES 195

6.4. Reduction mod p. For any u 2 Q , the elliptic curve E W y 2 D x 3 CAxCB

over Q is isomorphic to Y 2 D X 3 C u4 AX C u6 B. (Multiply the equation by
u6 , and set Y D u3 y and X D u2 x.) Therefore, we may assume that A; B 2 Z.
Then one can reduce the equation modulo a prime p to get a cubic curve E over
Fp . But E might be singular. This happens if and only if p divides
.
One says that E has good reduction at p if there is some Weierstrass equation
for E (obtained by change of coordinates) whose reduction modulo p is nonsin-
gular. Similarly if there is a Weierstrass equation for E whose reduction modulo
p is a cubic curve with a node, one says that E has multiplicative reduction
at p; in this case one says that E has split multiplicative reduction or nonsplit
multiplicative reduction according as E ns is Gm or a nontrivial twist. Otherwise,
if E has neither good nor multiplicative reduction, then all Weierstrass equations
for E reduce modulo p to a cubic curve with a cusp, and one says that E has
additive reduction. Some of this is summarized in the following table.

singularity E ns terminology
none E good reduction
cusp Ga additive reduction
.d/
node Gm or Gm multiplicative reduction

6.5. Finiteness of T WD E.Q/tors . Suppose that an elliptic curve E over Q has

good reduction at p. By scaling, any point in E.Q/ can be written as .a W b W c/
with a; b; c 2 Z such that gcd.a; b; c/ D 1, and then a; b; c can be reduced modulo
p to obtain a point on E.Fp /. This defines a homomorphism E.Q/ ! E.Fp /.
T HEOREM . If E has good reduction at a prime p > 2, then the torsion subgroup
T of E.Q/ injects into E.Fp /.
C OROLLARY . T is finite.
E XAMPLE . Let E be the elliptic curve y 2 D x 3 4x C 4 over Q. Then

D 16.4. 4/3 C 27
42 / D 28
11;

so E has good reduction at p at least when p 6D 2; 11. We compute #E.F3 / D 7

and #E.F5 / D 9. The only group that can inject into groups of order 7 and 9 is
the trivial group, so T D fOg. In particular, .0; 2/ 2 E.Q/ is of infinite order,
and E.Q/ has positive rank.
6.6. Other theorems about the torsion subgroup T .
T HEOREM (L UTZ , NAGELL ). Let A; B 2 Z be such that E W y 2 D x 3 CAx CB
is an elliptic curve. If P 2 T and P 6D O, then P D .x0 ; y0 / where x0 ; y0 2 Z
and y02 j 4A3 C 27B 2 .
196 BJORN POONEN

This gives a slow algorithm to determine T . (It requires factoring the integer
4A3 C 27B 2 .)
T HEOREM (M AZUR ). If E is an elliptic curve over Q, then either T ' Z=N Z
for some N  12, N 6D 11, or T ' Z=2Z  Z=2N ZZ for some N  4. In
particular, #T  16.
For each m  1, one can use the group law to compute the polynomial m .x/ 2
QŒx whose roots are the x-coordinates of the points of order m in E.Q/. Deter-
mining the points of order m in E.Q/ is then a matter of finding the rational roots
of m and checking which of these give a rational y-coordinate. By Mazur’s
Theorem, only finitely many m need be considered, so this gives a polynomial
time algorithm for computing T .
6.7. Height functions. We next describe some of the ingredients which go into
the proof of Mordell’s Theorem. If P D .a W b W c/ 2 P2 .Q/, we may scale to
assume a; b; c 2 Z and gcd.a; b; c/ D 1. Then define

H .P / WD max.jaj; jbj; jcj/ and h.P / WD log H .P /:

One calls h.P / the (logarithmic) height of P . Roughly, h.P / is the width of a
sheet of paper needed to write down P .
It is easy to see that for any B > 0,

#fP 2 P2 .Q/ W H .P /  Bg  .2B C 1/3 ;

so
fP 2 P2 .Q/ W h.P /  Bg is finite. (6-1)
The latter is a special case of Northcott’s Theorem [Serre 1989, ~ 2.4]. If E  P2
is an elliptic curve over Q, then one can show that for P; Q 2 E.Q/,

h.P C Q/ C h.P Q/ D 2h.P / C 2h.Q/ C O.1/; (6-2)

where the O.1/ depends on E but not on P or Q.

Define the canonical height or Néron–Tate height of a point P 2 E.Q/ as
O / WD limn!1 h.2n P /=4n . The following are formal consequences of (6-1)
h.P
and (6-2): for P; Q 2 E.Q/ and n 2 Z,
(a) h.2P / D 4h.P / C O.1/;
O / exists;
(b) the limit defining h.P
O
(c) h.P / D h.P / C O.1/;
O C Q/ C h.P
(d) h.P O Q/ D 2h.PO / C 2h.Q/;
O
O
(e) h.nP O /;
/ D n h.P
2
O
(f) h.P /  0, with equality if and only if P 2 E.Q/tors .
 ELLIPTIC CURVES 197

In particular, hO is a quadratic form on E.Q/=E.Q/tors .

Moreover, (6-1) and (6-2) with the “Weak Mordell–Weil Theorem”, which
asserts the finiteness of E.Q/=2E.Q/, imply that E.Q/ is finitely generated. If
generators of E.Q/=2E.Q/ could be found effectively, then the rank of E.Q/
and generators of E.Q/ could be found effectively. Unfortunately, the only
known method for calculating E.Q/=2E.Q/, descent, requires a prime p such
that the p-primary part of a certain torsion group X.E/ associated to E is finite.
The group X.E/, called the Shafarevich–Tate group, is conjectured to be finite
for all E, but this has been proved only in certain cases.

7. The elliptic curve factoring method

7.1. An interpretation of factoring. Suppose that p and q are unknown large
primes, and N D pq is given. One way to factor N is to compute somehow an
integer m that is zero modulo p but nonzero mod q. Then gcd.m; N /, which
can be computed quickly, yields p.
7.2. Some factoring methods. We outline various well-known factoring meth-
ods from the point of view of Section 7.1. (We use Z=N as an abbreviation for
the quotient ring Z=N Z.)
Trial division: Try m D 2, m D 3, m D 5 : : : .
Pollard : Let f be a function Z=N ! Z=N , compute a sequence x1 ; x2 ; x3 ; : : :
of elements of Z=N satisfying xiC1 D f .xi /, and try m D xj xi for various
i; j .
Quadratic sieve, number field sieve: After finding a nontrivial solution to x 2 
y 2 .mod n/, try m D x C y.
Pollard p 1: Choose random a mod N , take K D k! for some k  1, and try
m D aK 1.
ECM (Lenstra’s elliptic curve method): Instead of aK for a 2 .Z=N / , consider
K
P for some P 2 E.Z=N /, for some elliptic curve E. Here K
P means
P C P C


C P , the sum of K copies of P in an abelian group E.Z=N / to be
defined.
7.3. The Pollard p 1 method. The elliptic curve method can be viewed as
an analogue of the Pollard p 1 method. As a warmup for the elliptic curve
method, we describe the p 1 method here more fully, but still ignoring details
and practical improvements.
To factor N :
1. Choose an integer K > 1 with a lot of factors, for instance, K D k! for some
k  1.
198 BJORN POONEN

2. Choose an arbitrary integer a satisfying 1 < a < N 1.

3. If gcd.a; N / > 1, then we’re done! Otherwise continue.
4. Use the binary expansion of K to compute aK mod N .
5. Compute g D gcd.aK 1; N /. If 1 < g < N , then we’re done, since g is
a nontrivial factor of N . If g D N , try again with a different a, or with K
replaced by a divisor. If g D 1, try again with a larger K (or if you’re tired,
give up).
If K is a multiple of p 1 for some prime p dividing N , then in Step 4,
.aK mod p/ is a power of .ap 1 mod p/, which is .1 mod p/ by Fermat’s Little
Theorem. Then in Step 5, aK 1 is divisible by p, so g D p, (unless by chance
aK 1 is divisible also by another factor of N ).
The problem with this method is that it is not easy to arrange for K to be
divisible by p 1, since we do not know what p is! The best we can do is
choose a K with many factors, and hope that p 1 will be among the factors. If
we choose K D k!, we are essentially hoping that p 1 will be smooth, that is,
equal to a product of small primes. Thus the Pollard p 1 method is effective
only for finding factors p of N such that p 1 is smooth.
7.4. Variants of the p 1 method. If instead of Fermat’s Little Theorem in Fp ,
one uses that every element of Fp2 =Fp has order dividing p C 1, one can develop
a p C 1 method by working in A =.Z=N / , where A D .Z=N /Œt =.t 2 b/ for
some b 2 Z=N . This will be effective for finding factors p of N such that p C1
is smooth.
Similarly one can use subgroups of Fpr for other small r to develop methods
that work well when p 2 C p C 1 is smooth, when p 2 C 1 is smooth, . . . , when
˚r .p/ is smooth, where ˚r .z/ is the r -th cyclotomic polynomial. These rapidly
become useless, because p 2 C p C 1 and so on are much larger than p 1, and
hence are much less likely to be smooth.
Lenstra’s idea was instead to replace Fp by the group E.Fp / where E is an
elliptic curve! There are many different E to try, of varying orders close to p.
7.5. Elliptic curves over Z=N . The elliptic curve method requires working
with elliptic curves over rings that are not fields. The theory of elliptic curves
over rings is best expressed in the language of schemes, but this would take too
many pages to develop. Fortunately, for the factoring application, we can make
do with a more concrete development based on explicit formulas for the group
law.
Let N be a positive integer. To simplify the exposition, we assume that
gcd.N; 6/ D 1. Define
f.a W b W c/ j a; b; c 2 Z=N; gcd.a; b; c; N / D 1g
P2 .Z=N / WD :
.Z=N /
 ELLIPTIC CURVES 199

An elliptic curve E over Z=N is given by an homogeneous equation

Y 2 Z D X 3 C AXZ 2 C BZ 3 ;
where A; B 2 Z=N are such that the quantity
WD 16.4A3 C 27B 2 / is in
.Z=N / . Then E.Z=N / denotes the subset of points .a W b W c/ 2 P2 .Z=N /
satisfying the cubic equation. For any prime p dividing N , E.Z=p/ denotes
the set of points in P2 .Z=p/ satisfying the equation reduced modulo p.
For simplicity, suppose that N D pq where p and q are distinct primes greater
than 3. The Chinese Remainder Theorem implies
Z ZZ
'  (as rings),
N p q
     
Z Z Z
'  (as groups),
N p q
Z Z Z
     
P2 ' P2  P2 (as sets),
N p q
Z Z Z
     
E 'E E (as groups).
N p q
Hence the set E.Z=N / inherits the structure of an abelian group. Most pairs
of points in E.Z=N / can be added using the formulas of Section 4.5. (Use the
extended GCD algorithm to compute inverses modulo N .) In fact, the formulas
fail only if some calculated quantity in Z=N is zero mod p and nonzero mod q
or vice versa, in which case N is factored!
7.6. The elliptic curve method. Assume that the integer N to be factored
satisfies gcd.N; 6/ D 1 and that N 6D nr for any integers n; r  2. (The latter
can be tested very quickly, in .log N /1Co.1/ time [Bernstein 1998].) To search
for factors of N of size less than about P :
1. Fix a “smoothness bound” y much smaller than P , and let K be the LCM of
all y-smooth integers less than or equal to P .
2. Choose random integers A; x1 ; y1 2 Œ1; N .
3. Let B D y12 x13 Ax1 2 Z=N and let E be y 2 D x 3 C Ax C B, so
P1 WD .x1 ; y1 / 2 E.Z=N /. If gcd.4A3 C 27B 2 ; N / 6D 1, go back to Step 2.
4. Use the binary expansion of the factors of K to attempt to compute K
P1 2
E.Z=N / using the group law formula.
5. If at some point the formula fails (that is, we try to use the extended GCD
to invert a nonzero non-unit in Z=N ), then we have found a factor of N .
Otherwise, go back to Step 2 and try a different elliptic curve.
Note that in Steps 2 and 3 we choose the point first and then find an elliptic
curve through it. This is because it is algorithmically difficult to find a “ran-
dom” point on a given elliptic curve over Z=N : doing this in the naive way, by
200 BJORN POONEN

choosing the x-coordinate first, would require taking a square root of an element
of Z=N , which is a problem known to be random polynomial time equivalent
to factoring N !
7.7. Partial analysis of the elliptic curve method. If #E.Z=p/ divides K,
then K
P1 will reduce mod p to O. In this case, it is probable that K
P1 is not
also O modulo N , or at least that at some point of the computation of K
P1 ,
one reaches a subproduct K 0 of K such that K 0
P1 is O mod p but not O mod
N . (This can be made precise.) Hence it is essentially true that factoring N
requires only being lucky enough to choose E such that #E.Z=p/ divides K.
p
Suppose that N has a prime factor p such that p C 1 C 2 p  P . Let s be
the probability that for a random E constructed by the algorithm, the order of
E.Z=p/ is y-smooth. If #E.Z=p/ is y-smooth, then #E.Z=p/ j K, by definition
p
of K and by Hasse’s Theorem (Section 5.3) that #E.Z=p/  p C 1 C 2 p.
Hence the number of elliptic curves that need to be tried during the algorithm
is O.1=s/. Each trial involves O.log K/ group law operations, each requiring
.log N /O.1/ bit operations, making the total running time
1
R D O.s .log K/.log N /O.1/ /:

Let L.x/ D exp. .log x/.log log x//, so log x  L.x/  x as x ! 1.

p

Take y D L.P /a for some a > 0 to be optimized later. In order to express the
running time R in terms of the parameters of the algorithm, namely N , P , and
a, we first bound K:
Y Y
K `blog` P c  P  P y;
`y `y
aCo.1/
log K  y log P D L.P / :

Next we need an estimate of the smoothness probability s. A theorem of

Canfield, Erdős, and Pomerance [1983] states that the probability that a random
integer in Œ1; x is L.x/a -smooth is L.x/ 1=.2a/Co.1/ as x ! 1. Using a
formula of Deuring for the number of elliptic curves of given order over Z=p,
one can show that #E.Z=p/ is close to uniformly distributed over most of the
Hasse range
p p
Œp C 1 2 p; p C 1 C 2 p:
To proceed, we assume the conjecture that the result of Canfield, Erdős, and
Pomerance result holds for random integers in this much smaller range. Then
s D L.P / 1=.2a/Co.1/ .
Under this assumption, the total running time for the elliptic curve method is

R D L.P /aC1=.2a/Co.1/ .log N /O.1/ :

 ELLIPTIC CURVES 201

p p
This is optimized at a D 1= 2, which makes y D L.P /1= 2 and
p
2Co.1/
R D L.P / .log N /O.1/ :
p
To factor N completely, we would take P D N , which yields a running time
of L.N /1Co.1/ . But one advantage of the elliptic curve method over most other
factoring methods is that its running time depends on the size of the factor to be
found: it is capable of finding small factors more quickly.
In practice, since the optimal choices of y and hence K depend on P , it
is reasonable to run the elliptic curve method with P small at first (to search
for small factors) and then if no factor is found, try again and again, with an
increasing sequence of values of P . Eventually, if no small factors are found,
one should switch to the number field sieve, which is faster asymptotically if
the factors are large.
7.8. Elliptic curve method records. The largest factor found by the elliptic
curve method as of April 2008 is the 67-digit prime factor
4444349792156709907895752551798631908946180608768737946280238078881
(by Bruce Dodson in August 2006; see [Zimmerman 2008]).
Given Richard Brent’s 2000 extrapolation [2000, ~ 3.4] that
pthe elliptic curve
method record will be a D-digit factor in year Y .D/ WD 9:3 D C 1932:3, the
value Y .67/ D 2008:4 shows that the method performs well in practice.

8. Curves of genus greater than 1

8.1. Divisors. Divisors can be used to produce higher dimensional analogues of
elliptic curves, attached to higher genus curves. They also give a natural proof
of the associativity for the group law of elliptic curves.
Let X be a nonsingular projective curve over a perfect field k. The group of
k-divisors Div.Xk / is the set of formal sums of points in X.k/. The subgroup
of k-rational divisors Div.X / is the subgroup of Gal.k=k/-stable divisors. The
degree of a divisor D D n1 .P1 / C


C nr .Pr / is the integer n1 C


C nr .
Then Div0 .Xk / denotes the group of k-divisors of degree zero. Similarly define
Div0 .X /.
E XAMPLE . Let E be the elliptic curve y 2 D x 3 C 17 over Q. The points
p p p p
P D .1 C 7; 2 C 7/; Q D .1 7; 2 7/; R D . 1; 4/

lie in E.Q/. The divisor D WD 2.P / C 2.Q/ 7.R/ is stable under Gal.Q=Q/
even though P and Q individually are not fixed, so D 2 Div.E/. The degree of
D is 2 C 2 7 D 3.
202 BJORN POONEN

8.2. Principal divisors and the Picard group. If f is a nonzero rational

function on X (that is, a “function” given as a ratio of polynomials in the coor-
dinates), and P 2 X.k/, let ordP .f / denote the “order of vanishing” of f at P
(positive if f .P / D 0, negative if f has a pole at P ). Then the divisor of f is
X
.f / WD ordP .f /
P 2 Div0 .Xk /;
P 2X .k/

and if the coefficients of f are in k, then .f / 2 Div0 .X /. The set of such

.f / form the subgroup Princ.X / of principal divisors. If D; D 0 2 Div.X /,
one writes D  D 0 if D D 0 2 Princ.X /. Define the Picard group or divisor
class group of X as Pic.X / WD Div.X /= Princ.X /. Also define Pic0 .X / WD
Div0 .X /= Princ.X /.
E XAMPLE . If E; P; Q; R are as in the example of the previous section and
f D y xC3, one has .f / D .P /C.Q/C.R/ 3.O/, so .P /C.Q/C.R/  3.O/
in Pic.E/.
T HEOREM . If E is an elliptic curve over k, the map E.k/ ! Pic0 .E/ sending
P to the class of .P / .O/ is a bijection.
The group structure on Pic0 .E/ thus induces a group structure on E.k/, which
is the same as the one we defined earlier.
8.3. Analogies. It is helpful to keep in mind the following analogies when
studying algebraic number fields or the geometry of curves (especially if they
are over finite fields).
Number field object Function field analogue
Z kŒt 
Q k.t /
Qp k..t //
number field F finite extension of k.t /
(rational functions on curve X )
Spec OF
(where OF is the ring of integers of F ) smooth affine curve X
finite extension F 0 of F covering X 0 ! X
fractional ideal divisor
principal ideal principal divisor
class group Pic.X /
functional equation of .s/, Weil conjectures
Riemann Hypothesis, (all proved!)
and Generalized Riemann Hypothesis
 ELLIPTIC CURVES 203

8.4. Rational points on curves. We now turn briefly to the study of rational
points on curves of arbitrary genus. (Recall that elliptic curves were curves of
genus 1 equipped with a rational point.) A curve over Q of any genus can have
X.Q/ D ∅: for example, if X is birational to y 2 D .x 2gC2 C 1/, then X has
genus g and has no rational points. In the table below, assume X is a plane
curve over Q with X.Q/ 6D ∅, and define

NX .B/ WD #fP 2 X.Q/ W h.P /  Bg:

The qualitative behavior of X.Q/, and in particular the rate of growth of the
function NX .B/, are roughly determined by the genus.

Genus X.Q/ NX .B/

0 infinite .c1 C o.1//e c2 B
1 finitely generated abelian group .c3 C o.1//B c4
2 finite O.1/

In the third column, c1 ; c2 ; c3 > 0; c4  0 are constants depending on X , and

the estimates hold as B ! 1.
The fact that X.Q/ is finite when the genus is at least 2 was conjectured
by Mordell [1922]. Proofs were given by Faltings [1983] and Vojta [1991],
and a simplified version of Vojta’s proof was given by Bombieri [1990]. All
known proofs are ineffective: it is not known whether there exists an algorithm
to determine X.Q/, although there probably is one.

8.5. Jacobians: one tool for studying higher genus curves. Recall that for
elliptic curves E, we have a group isomorphism E.k/ ' Pic0 .k/. But if X is
a nonsingular projective curve of genus g > 1 over a field k, then there is no
natural bijection between X.k/ and Pic0 .X /, and in fact one can show that X
cannot be made into a group variety. (Here is one way to show this: if X is
a group variety, then one can create a global section of the tangent bundle of
X by choosing a nonzero tangent vector at the origin and moving it around by
translations. But on a curve of genus g > 1, any nonzero meromorphic section
of the tangent bundle has degree 2 2g < 0, so it cannot be regular everywhere.)
Define an abelian variety to be a projective group variety, so that an elliptic
curve is a one-dimensional abelian variety. Then for any X of genus g as above,
there is an abelian variety J of dimension g called the Jacobian of X , with the
property that J.k/ ' Pic0 .X /, (at least under the technical assumption that
X.k/ 6D ∅). It is only when X is an elliptic curve that J coincides with X .
If P0 2 X.k/, then there is an embedding of varieties X ! J mapping each
point P on X to the class of the divisor .P / .P0 / in Pic0 .X /.
204 BJORN POONEN

E XAMPLE . Here we do a few computations in a Jacobian of a Fermat curve.

Let X be the projective closure of x 13 C y 13 D 1 over Q. The genus of X is
g D .13 1/.13 2/=2 D 66. Let P D .1; 0/ and Q D .0; 1/, which are in
X.Q/. Let J be the Jacobian of X , so J is a 66-dimensional abelian variety.
The divisor of the function .y 1/=.x 1/ on X is 13.Q/ 13.P /, so the class
of 13.Q/ 13.P / in Pic0 .X / D J.Q/ is trivial. Thus the class of .Q/ .P / is
a 13-torsion point (a point of order 13) in J.Q/. (One can use the fact that X
has positive genus to show that no function on X has divisor .Q/ .P /, so this
point of J.Q/ is nonzero.)
Suppose that X is a nonsingular projective curve over Q of genus g  2 with
X.Q/ 6D ∅. By the Mordell–Weil theorem, J.Q/ is a finitely generated abelian
group. Moreover, J.Q/=J.Q/tors can be equipped with a quadratic canonical
height function h.O Vojta’s proof of the finiteness of X.Q/ (following earlier
ideas of Mumford) studies how points of X.Q/ can sit inside this lattice by
applying diophantine approximation techniques.
Unfortunately the diophantine approximation techniques are ineffective: they
give bounds on the number of rational points, but not bounds on their height.
(Height bounds would reduce the problem of listing the points of X.Q/ to a
finite computation.)
Nevertheless there exist techniques that often succeed in determining X.Q/
for particular curves X ; some of these are discussed by Poonen [1996; 2002].
Also, there are many other conjectural approaches towards a proof that X.Q/ can
be determined explicitly for all curves X over Q. (See [Hindry and Silverman
2000, Section F.4.2] for a survey of some of these.) But none have yet been
successful. We need some new ideas!

9. Further reading
For the reader who wants more, we suggest a few other books and survey
articles. Within each topic, references assuming less background are listed first.
Of course, there are many other books on these topics; those listed here were
chosen partly because they are the ones the author is most familiar with.
9.1. Elliptic curves. The book [Silverman and Tate 1992] is an introduc-
tion to elliptic curves at the advanced undergraduate level; among other things,
it contains a treatment of the elliptic curve factoring method. The graduate
level textbook [Silverman 1986] uses more algebraic number theory and alge-
braic geometry, but most definitions and theorems are recalled as they are used,
so the book is readable even by those with minimal background. Cremona’s
book [1997] contains extensive tables of elliptic curves over Q, and discusses
many elliptic curve algorithms in detail.
 ELLIPTIC CURVES 205

9.2. Algebraic geometry. Fulton’s text [1969] requires only a knowledge of

abstract algebra at the undergraduate level; it develops the commutative algebra
as it goes along. Shafarevich’s text, now in two volumes [1994a; 1994b], is a
extensive survey of the main ideas of algebraic geometry and its connections
to other areas of mathematics. It is intended for mathematicians outside alge-
braic geometry, but the topics covered are so diverse that even specialists are
likely to find a few things that are new to them. Finally, Hartshorne’s graduate
text [1977], although more demanding, contains a thorough development of the
language of schemes and sheaf cohomology, as well as applications to the theory
of curves and surfaces, mainly over algebraically closed fields.
9.3. Surveys on arithmetic geometry. Mazur’s article [1986] is intended for a
general mathematical audience: it begins with a discussion of various diophan-
tine problems, and works its way up to a sketch of Faltings’ proof of the Mordell
conjecture. Lang’s book [1991] is a detailed survey of the tools and results of
arithmetic geometry, mostly without proofs (but it too sketches Faltings’ proof).

References
[Bernstein 1998] D. J. Bernstein, “Detecting perfect powers in essentially linear time”,
Math. Comp. 67:223 (1998), 1253–1283.
[Bombieri 1990] E. Bombieri, “The Mordell conjecture revisited”, Ann. Scuola Norm.
Sup. Pisa Cl. Sci. (4) 17:4 (1990), 615–640. Errata in “The Mordell conjecture
revisited”, Ann. Scuola Norm. Sup. Pisa Cl. Sci. (4) 18:3 (1991), 473.
[Brent 2000] R. P. Brent, “Recent progress and prospects for integer factorisation
algorithms”, pp. 3–22 in Computing and combinatorics (Sydney, 2000), edited by
D.-Z. Du et al., Lecture Notes in Comput. Sci. 1858, Springer, Berlin, 2000.
[Canfield et al. 1983] E. R. Canfield, P. Erdős, and C. Pomerance, “On a problem of
Oppenheim concerning “factorisatio numerorum””, J. Number Theory 17:1 (1983),
1–28.
[Cremona 1997] J. E. Cremona, Algorithms for modular elliptic curves, 2nd ed.,
Cambridge University Press, Cambridge, 1997.
[Elkies 1994] N. D. Elkies, “Heegner point computations”, pp. 122–133 in Algorithmic
number theory (Ithaca, NY, 1994), edited by L. M. Adleman and M.-D. Huang,
Lecture Notes in Comput. Sci. 877, Springer, Berlin, 1994.
[Faltings 1983] G. Faltings, “Endlichkeitssätze für abelsche Varietäten über Zahlkör-
pern”, Invent. Math. 73:3 (1983), 349–366. Translated in Arithmetic geometry, edited
by G. Cornell and J. Silverman, Springer, New York-Berlin, 1986, 9–27.
[Fulton 1969] W. Fulton, Algebraic curves: An introduction to algebraic geometry,
Addison-Wesley, Reading, MA, 1969. With the collaboration of Richard Weiss.
[Hartshorne 1977] R. Hartshorne, Algebraic geometry, Graduate Texts in Mathematics
52, Springer, New York, 1977.
206 BJORN POONEN

[Hindry and Silverman 2000] M. Hindry and J. H. Silverman, Diophantine geometry:

An introduction, Graduate Texts in Mathematics 201, Springer, New York, 2000.
[Hopcroft and Ullman 1969] J. E. Hopcroft and J. D. Ullman, Formal languages and
their relation to automata, Addison-Wesley, Reading, MA, 1969.
[Koblitz 1984] N. Koblitz, p-adic numbers, p-adic analysis, and zeta-functions, 2nd
ed., Graduate Texts in Mathematics 58, Springer, New York, 1984.
[Lang 1991] S. Lang, Number theory. III, Encyclopaedia of Mathematical Sciences 60,
Springer, Berlin, 1991. Diophantine geometry.
[Lind 1940] C.-E. Lind, Untersuchungen über die rationalen Punkte der ebenen kubis-
chen Kurven vom Geschlecht Eins, thesis, University of Uppsala, 1940.
[Martin and McMillen 2000] R. Martin and W. McMillen, “An elliptic curve over Q
with rank at least 24”, electronic announcement on the NMBRTHRY list server,
posted May 2, 2000. Available at http://listserv.nodak.edu/archives/nmbrthry.html.
[Mazur 1986] B. Mazur, “Arithmetic on curves”, Bull. Amer. Math. Soc. .N.S./ 14:2
(1986), 207–259.
[Mordell 1922] L. J. Mordell, “On the rational solutions of the indeterminate equations
of the third and fourth degrees”, Proc. Cambridge Phil. Soc. 21 (1922), 179–192.
[Mordell 1969] L. J. Mordell, “On the magnitude of the integer solutions of the
equation ax 2 C by 2 C cz 2 D 0”, J. Number Theory 1 (1969), 1–3.
[Poonen 1996] B. Poonen, “Computational aspects of curves of genus at least 2”, pp.
283–306 in Algorithmic number theory (Talence, 1996), edited by H. Cohen, Lecture
Notes in Comput. Sci. 1122, Springer, Berlin, 1996.
[Poonen 2002] B. Poonen, “Computing rational points on curves”, pp. 149–172 in
Number theory for the millennium, III (Urbana, IL, 2000), edited by M. A. Bennett
et al., A K Peters, Natick, MA, 2002.
[Reichardt 1942] H. Reichardt, “Einige im Kleinen überall lösbare, im Grossen unlös-
bare diophantische Gleichungen”, J. Reine Angew. Math. 184 (1942), 12–18.
[Schoof 1985] R. Schoof, “Elliptic curves over finite fields and the computation of
square roots mod p”, Math. Comp. 44:170 (1985), 483–494.
[Selmer 1951] E. S. Selmer, “The diophantine equation ax 3 C by 3 C cz 3 D 0”, Acta
Math. 85 (1951), 203–362.
[Selmer 1954] E. S. Selmer, “The diophantine equation ax 3 C by 3 C cz 3 D 0: Com-
pletion of the tables”, Acta Math. 92 (1954), 191–197.
[Serre 1973] J.-P. Serre, A course in arithmetic, Graduate Texts in Mathematics 7,
Springer, New York, 1973.
[Serre 1989] J.-P. Serre, Lectures on the Mordell–Weil theorem, Aspects of Mathemat-
ics E15, Friedr. Vieweg & Sohn, Braunschweig, 1989.
[Shafarevich 1994a] I. R. Shafarevich, Basic algebraic geometry, 1: Varieties in pro-
jective space, 2nd ed., Springer, Berlin, 1994.
 ELLIPTIC CURVES 207

[Shafarevich 1994b] I. R. Shafarevich, Basic algebraic geometry, 2: Schemes and

complex manifolds, 2nd ed., Springer, Berlin, 1994.
[Silverman 1986] J. H. Silverman, The arithmetic of elliptic curves, Graduate Texts in
Mathematics 106, Springer, New York, 1986.
[Silverman and Tate 1992] J. H. Silverman and J. Tate, Rational points on elliptic
curves, Undergraduate Texts in Mathematics, Springer, New York, 1992.
[Vojta 1991] P. Vojta, “Siegel’s theorem in the compact case”, Ann. of Math. .2/ 133:3
(1991), 509–548.
[Zimmerman 2008] P. Zimmerman, “50 largest factors found by ECM”, web page,
2008. Available at http://www.loria.fr/˜zimmerma/records/top100.html.

B JORN P OONEN
D EPARTMENT OF M ATHEMATICS
U NIVERSITY OF C ALIFORNIA
B ERKELEY, CA 94720-3840
U NITED S TATES
[email protected]