Rational Points on an Elliptic Curve - CEMC...rational points on elliptic curves! Dr. Carmen Bruni Rational Points on an Elliptic Curve. Proof of Key Theorem 1 Let (x;y) be a point

Rational Points on an Elliptic Curve

Dr. Carmen Bruni

University of Waterloo

November 11th, 2015

Lest We Forget

Dr. Carmen Bruni Rational Points on an Elliptic Curve

Revisit the Congruent Number Problem

Congruent Number Problem

Determine which positive integers N can be expressed as the areaof a right angled triangle with side lengths all rational.

For example 6 is a congruent number since it is the area of the3− 4− 5 right triangle.


Enter Elliptic Curves

The associated equations with the congruent number problem,namely

x2 + y2 = z2 xy = 2N

can be converted to an elliptic curve of the form

Y 2 = X 3 − N2X .

We also saw that we can reduce our problem to considering onlysquarefree numbers N.


Going Backwards

The belief now is that solving problems related to elliptic curvesmight be easier than the originally stated problem. The questionnow that occurs is can we go from an elliptic curve of the form

y2 = x3 − N2x

to a rational right triangle with area N?


Key Theorem 1

Theorem 1.

Let (x , y) be a point with rational coordinates on the elliptic curvey2 = x3 − N2x where N is a positive squarefree integer. Supposethat x satisfies three conditions:

1 x is the square of a rational number

2 x has an even denominator

3 x has a numerator that shares no common factor with N

Then there exists a right angle triangle with rational sides and areaN, that is, N is congruent.


Key Theorem 2

Theorem 2.

A number N is congruent if and only if the elliptic curvey2 = x3 − N2x has a rational point P = (x , y) distinct from (0, 0)and (±N, 0).

Thus, determining congruent numbers can be reduced to findingrational points on elliptic curves!


Proof of Key Theorem 1

Let (x , y) be a point with rational coordinates on the ellipticcurve y2 = x3 − N2x where N is a positive squarefree integerwhere x is a rational square, has even denominator (in lowestterms) and has a numerator that shares no common factorwith N. Our goal is to trace backwards the proof from lastweek.

Let u =√x which is given to be rational.

Set v = yu giving

v2 = y2

u2= x3−N2x

x = x2 − N2.

Let d be the smallest integer such that du ∈ Z (namely thedenominator of u in lowest terms). Note that d is even byassumption and that d4 is the denominator for u2 = x .



Since v2 = x2 − N2 and N2 is an integer, then d4 is also thedenominator of v2. Multiplying everything by d4 gives

(d2v)2 = (d2x)2 − (d2N)2

.

Since (d2v)2 = (d2x)2 − (d2N)2, the triple (d2v , d2x , d2N)forms a Pythagorean triple. Since the numerator of x sharesno common factor with N, we have that this is a primitivetriple and thus, by problem set 1, there exist integers a and bof opposite parity such that

d2N = 2ab d2v = a2 − b2 d2x = a2 + b2



Create the triangle with sides 2a/d , 2b/d and 2u. This satisfiesthe Pythagorean Theorem since

(2a/d)2 + (2b/d)2 = 4a2/d2 + 4b2/d2

= 4/d2(a2 + b2)

= 4/d2(d2x) = 4x = (2u)2

and it has area N since

A =1

2· 2a

d· 2b

d=

2ab

d2= N.


Summary of Key Theorem 1

From the triple,

d2N = 2ab d2v = a2 − b2 d2x = a2 + b2,

we can add and subtract twice the first to the last equation toget

d2(x + N) = a2 + 2ab + b2 = (a + b)2

d2(x − N) = a2 − 2ab + b2 = (a− b)2

Taking square roots yields

d√x + N = a + b d

√x − N = a− b

(where above we’ve assumed that 0 < b < a).

Adding and subtracting and dividing by 2. gives expressionsfor a and b, namely

a = d/2(√x + N +

√x − N) b = d/2(

√x + N −

√x − N)


Example of Key Theorem 1

Let’s find the triangle for N = 7. On the elliptic curvey2 = x3 − 72x , we close our eyes and pray we can find a triplethat consists of integers. After some trying we see that(x , y) = (25, 120) gives a solution.

Adding the point to itself gives 2P = (x2P ,−y2P) where(using the formulas from last time)

m =3x2 − 72

2y=

913

120b = 120− 25

(913

120

)=−1685

24

x2P = m2 − 2x =113569

14400=

(337

120

)2

y2P = mx2P + b =−17631503

1728000

Hence 2P = (113569/14400, 17631503/1728000).

Now, d is the denominator of√x2P = 337/120 and so

d = 120.


Example of Key Theorem 1

Finding the a and b values gives...

a = d/2(√x + N +

√x − N)

= 120/2(√

113569/14400 + 7 +√

113569/14400,−7)

= 288

and

b = d/2(√x + N −

√x − N)

= 120/2(√

113569/14400 + 7−√

113569/14400,−7)

= 175

This gives the triangle

2a

d=

2 · 288

120=

24

5

2b

d=

2 · 175

120=

35

122√x =

337

60

which indeed has area 7 and is a right angle triangle (the sidelengths satisfy the Pythagorean Identity)



Theorem 3.

A number N is congruent if and only if the elliptic curvey2 = x3 − N2x has a rational point P = (x , y) distinct from (0, 0)and (±N, 0).

We have already seen that if N is congruent, then we can finda rational point on the elliptic curve.

Now, suppose our elliptic curve has a rational pointP = (x , y) where P is not one of (0, 0) and (±N, 0).

Our goal will be to show that 2P satisfies the conditions ofthe previous theorem.



Using the results of adding a point to itself from last time, wesee that the x-coordinate of P + P on the elliptic curvey2 = x3 + Ax + B is given by(

3x2 + A

2y

)2

− 2x =9x4 + 6Ax2 + A2

4y2− 2x

=9x4 + 6Ax2 + A2

4(x3 + Ax + B)− 2x

=9x4 + 6Ax2 + A2

4(x3 + Ax + B)+−2x · 4(x3 + Ax + B)

4(x3 + Ax + B)

=9x4 + 6Ax2 + A2

4(x3 + Ax + B)+−8x4 − 8Ax2 − 8Bx

4(x3 + Ax + B)

=x4 − 2Ax2 − 8Bx + A2

4(x3 + Ax + B)



Using the results of adding a point to itself from last time, wesee that the x-coordinate of P + P on the elliptic curvey2 = x3 + Ax + B is given by(

3x2 + A

2y

)2

− 2x =x4 − 2Ax2 − 8Bx + A2

4(x3 + Ax + B)

Specializing to when A = −N2 and B = 0 (that is, on theelliptic curve y2 = x3 − N2x) gives us the formula for thex-coordinate of P + P as

x4 + 2N2x2 + N4

4(x3 − N2x)=

(x2 + N2)2

(2y)2.

Notice that by our restriction on the rational point P, thedenominator is nonzero and the numerator is nonzero.



The x-coordinate of P + P, namely

x4 + 2N2x2 + N4

4(x3 − N2x)=

(x2 + N2)2

(2y)2.

satisfies that it is the square of a rational number.

It is also true that the numerator shares no common factorwith N. Suppose p divides x2 + N2 and p divides N for someprime p. Then p | x and hence p3 divides x3 − N2x = y2.Hence p3 divides y2.

Thus, in the x-coordinate above, we can factor out a p2 in thenumerator and cancel it with a p2 in the denominator. Byrepeating this, the numerator can be reduced so that it sharesno common factor with N.

So it suffices to show that the number has an evendenominator.




x4 + 2N2x2 + N4

4(x3 − N2x)=

(x2 + N2)2

(2y)2.

immediately appears to have an even denominator but weneed to be careful. What happens if the factor of 4 in thedenominator cancels with the numerator? In what cases is thispossible?




x4 + 2N2x2 + N4

4(x3 − N2x)=

(x2 + N2)2

(2y)2.

Case 1: x and N are even. Then 2 divides both x and Nwhich means that the numerator and N share a commonfactor.

Applying the previous argument shows that we can reduce thefraction.




x4 + 2N2x2 + N4

4(x3 − N2x)=

(x2 + N2)2

(2y)2.

Case 2: x and N are odd. In this case, write x = 2a + 1 andN = 2b + 1. Plugging in and simplifying gives

(x2 + N2)2 = 16(a2 + a + b2 + b)2 + 16(a2 + a + b2 + b) + 4

Hence 4 exactly divides the numerator. Since y2 = x3 − N2x ,we have that y is even and so at least 16 divides thedenominator.

Hence the denominator is even.

Thus, this point P satisfies the conditions of the previoustheorem and so the number N is congruent.


Don Zagier

To compute a rational point on the elliptic curvey2 = x3 − 1572x , Zagier noted that if N − 5 is divisible by 8for a prime N, then each of the factors x and x ± N iny2 = x3 − N2x must be of the form ±s2, ±2s2, ±ns2 or±2ns2 where s is a rational number.


Don Zagier

Then, as an example, if x = −A2, x + n = B2 andx − n = C 2, simplifying gives us that we must solve

C 2 − B2 = 2A2 C 2 − A2 = n

Similarly to the techniques we used to find Pythagoreantriples, it must hold that A = 2RS

M , B = R2−2S2

M and

C = R2+2S2

M for suitable integers R, S , M. In this way theproblem is reduced to the solvability of M2N = R4 + 4S4. ForN = 5 this has a clear solution but for N = 157, we need toapply this idea a few more times to the equationN = U2 + 4V 2 and find a solution with UV a rational square.Then take U = R2/M and V = S2/M.

The ideas here are difficult to flesh out but can be done whichis what Zagier did.

(Thanks to Carlos Beenakker!)


Rational Points on Elliptic Curves

Given the previous discussion, we have become interested in thefollowing problem:

Problem

How can we find a rational point on an elliptic curve of the formy2 = x3 + Ax + B?

This is a complex problem!


Points on Elliptic Curves over Zp

Given a complex problem, sometimes we try to simplify it! Insome sense the problem is that the rational numbers are toobig. What we’ll consider is dealing with points over a finitefield, in this case, Zp.

We define the field Zp for a prime number p to be the set ofintegers and we state that two integers are equal in Zp

provided they differ by a multiple of p.

It will turn out over Zp that the group law will still hold.

So for example, in Z7, 1 and 15 are the same number becausethey differ by 14 which is divisible by 7.

We denote this by 1 ≡ 15 (mod 7) and in general bya ≡ b (mod p).


Practice Z5

Which of the following numbers are equivalent to 1 in Z5?

1 1

2 2

3 6

4 17

5 −4

6 3200


Practice Z5

Which of the following numbers are equivalent to 1 in Z5?

1 1 Equivalent since 5 divides 1− 1 = 0

2 2 Not equivalent since 5 does not divide 2− 1 = 1

3 6 Equivalent since 5 divides 6− 1 = 5

4 17 Not equivalent since 5 does not divide 17− 1 = 16

5 −4 Equivalent since 5 divides −4− 1 = −5.

6 3200 Equivalent since 5 divides

3200−1 = (34)50−1 = 8150−1 = (81−1)(8149+8148+...+1)

(Think: x − 1 is a factor of x50 − 1 so 81− 1 = 80 is a factorof 8150 − 1 and 5 divides 80 so 5 divides 8150 − 1).


Practice Zp

When we think about numbers in Zp for a prime p, we canrestrict ourselves to just looking at numbers between 0 andp − 1 inclusive since every number is equivalent to one ofthese numbers (this actually follows quickly from long divisionwith remainders!)

Hence, we sometimes write Zp = {0, 1, 2, ..., p − 1}.


Points on Elliptic Curves over Finite Fields

Now we can start to look at elliptic curves over different finitefields. Let’s look at the elliptic curve y2 = x3 − x .In order to reduce this elliptic curve over a finite field, we needto avoid primes dividing the discriminant of the elliptic curve(see the problem sheet). In this case, the discriminant is 64 sowe can look for points on finite fields over all Zp for oddprimes.Over Z3, we can look at all the possible x values, namelyx = 0, 1, 2. These give the equations

y2 = 03 − 0 ≡ 0 (mod 3)

y2 = 13 − 1 = 0 (mod 3)

y2 = 23 − 2 = 6 ≡ 0 (mod 3)

Hence, this elliptic curve when considered over Z3 has threepoints (0, 0), (1, 0), (2, 0) and one more point for the point atinfinity.



What about the elliptic curve y2 = x3 − x over Z5?

Again we can look at all the possible x values, namelyx = 0, 1, 2, 3, 4. These give the equations

y2 = 03 − 0 = 0

y2 = 13 − 1 = 0

y2 = 23 − 2 = 6 ≡ 1 (mod 5)

y2 = 33 − 3 = 24 ≡ 4 (mod 5)

y2 = 43 − 4 = 60 ≡ 0 (mod 5)

Thus, we want to know what solutions we have fory2 ≡ 0 (mod 5), y2 ≡ 1 (mod 5) and y2 ≡ 4 (mod 5).



We can compute the squares modulo 5 via

x 0 1 2 3 4

x2 (mod 5) 0 1 4 4 1

Hence, this elliptic curve when considered over Z5 has sevenpoints (0, 0), (1, 0), (2, 1), (2, 4), (3, 2), (3, 3), (4, 0) and onemore point for the point at infinity.


Your Turn!

What about the elliptic curve y2 = x3 − 4x over Z5 (If you’requick, change 5 to 7 and 11 and see what happens)?

Again we can look at all the possible x values, namelyx = 0, 1, 2, 3, 4. These give the equations

y2 = 03 − 4(0) = 0

y2 = 13 − 4(1) = −3 ≡ 2 (mod 5)

y2 = 23 − 4(2) = 0

y2 = 33 − 4(3) = 15 ≡ 0 (mod 5)

y2 = 43 − 4(4) = 48 ≡ 3 (mod 5)

From the table before, we see that 2 and 3 are not squares inZ5. Hence the only points here are (0, 0), (2, 0), (3, 0) andthe point at infinity.


So what?

What can we do with these ideas?

By taking the information at many primes, we can gain a lotof information about our elliptic curve.

Elliptic curves can be used to help factor numbers (Lenstra’sAlgorithm).

Elliptic Curves over finite fields form the basis for acryptosystem in use today called Elliptic Curve Cryptography.

They form a correspondence with certain types of modularforms which are another beautiful mathematical object withmany applications.

In the end you have a good foundation to pick up anintroductory book on elliptic curves and start to study theseobjects more deeply.


Rational Points on an Elliptic Curve - CEMC...rational points on elliptic curves! Dr. Carmen Bruni Rational Points on an Elliptic Curve. Proof of Key Theorem 1 Let (x;y) be a point

Documents