Elliptic Curves over Q

As we saw in Chapter 1, elliptic curves over Q represent an interesting class of

Diophantine equations. In the present chapter, we study the group structure

of the set of rational points of an elliptic curve E de¬ned over Q. First, we

show how the torsion points can be found quite easily. Then we prove the

Mordell-Weil theorem, which says that E(Q) is a ¬nitely generated abelian

group. As we™ll see in Section 8.6, the method of proof has its origins in

Fermat™s method of in¬nite descent. Finally, we reinterpret the descent calcu-

lations in terms of Galois cohomology and de¬ne the Shafarevich-Tate group.

8.1 The Torsion Subgroup. The Lutz-Nagell The-

orem

The torsion subgroup of E(Q) is easy to calculate. In this section we™ll give

examples of how this can be done. The crucial step is the following theorem,

which was used in Chapter 5 to study anomalous curves. For convenience, we

repeat some of the notation introduced there.

Let a/b = 0 be a rational number, where a, b are relatively prime integers.

Write a/b = pr a1 /b1 with p a1 b1 . De¬ne the p-adic valuation to be

vp (a/b) = r.

For example, v2 (7/40) = ’3, v5 (50/3) = 2, and v7 (1/2) = 0. De¬ne vp (0) =

+∞ (so vp (0) > n for every integer n).

Let E be an elliptic curve over Z given by y 2 = x3 + Ax + B. Let r ≥ 1 be

an integer. De¬ne

Er = {(x, y) ∈ E(Q) | vp (x) ¤ ’2r, vp (y) ¤ ’3r} ∪ {∞}.

These are the points such that x has at least p2r in its denominator and y

has at least p3r in its denominator. These should be thought of as the points

that are close to ∞ mod powers of p (that is, p-adically close to ∞).

199

© 2008 by Taylor & Francis Group, LLC

200 CHAPTER 8 ELLIPTIC CURVES OVER Q

THEOREM 8.1

Let E be given by y 2 = x3 + Ax + B with A, B ∈ Z. Let p be a prime and let

r be a positive integer. Then

1. Er is a subgroup of E(Q).

2. If (x, y) ∈ E(Q), then vp (x) < 0 if and only if vp (y) < 0. In this case,

there exists an integer r ≥ 1 such that vp (x) = ’2r and vp (y) = ’3r.

3. The map

»r : Er /E5r ’ Zp4r

(x, y) ’ p’r x/y (mod p4r )

∞’0

is an injective homomorphism (where Zp4r is a group under addition).

4. If (x, y) ∈ Er but (x, y) ∈ Er+1 , then »r (x, y) ≡ 0 (mod p).

REMARK 8.2 The map »r should be regarded as a logarithm for the

group Er /E5r since it changes the law of composition in the group to addition

in Zp4r , just as the classical logarithm changes the composition law in the

multiplicative group of positive real numbers to addition in R.

PROOF The denominator of x3 + Ax + B equals the denominator of y 2 .

It is easy to see that the denominator of y is divisible by p if and only if

the denominator of x is divisible by p. If pj , with j > 0, is the exact power

of p dividing the denominator of y, then p2j is the exact power of p in the

denominator of y 2 . Similarly, if pk , with k > 0, is the exact power of p dividing

the denominator of x, then denominator of x3 + Ax + B is exactly divisible

by p3k . Therefore, 2j = 3k. It follows that there exists r with j = 3r and

k = 2r. This proves (2). Also, we see that

{(x, y) ∈ Er | vp (x) = ’2r, vp (y) = ’3r} = {(x, y) ∈ Er | vp (x/y) = r}

is the set of points in Er not in Er+1 . This proves (4). Moreover, if »r (x, y) ≡

0 (mod p4r ), then vp (x/y) ≥ 5r, so (x, y) ∈ E5r . This proves that »r is

injective (as soon as we prove it is a homomorphism).

Let

x 1

t= , s= .

y y

Dividing the equation y 2 = x3 + Ax + B by y 3 yields

3 2 3

x x 1

1 1

= +A +B ,

y y y y y

© 2008 by Taylor & Francis Group, LLC

201

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

which can be written as

s = t3 + Ats2 + Bs3 .

In the following, it will be convenient to write pj |z for a rational number

z when pj divides the numerator of z. Similarly, we™ll write z ≡ 0 (mod pj )

in this case. These extended notions of divisibility and congruence satisfy

properties similar to those for the usual notions.

LEMMA 8.3

(x, y) ∈ Er if and only if p3r |s. If p3r |s, then pr |t.

PROOF If (x, y) ∈ Er , then p3r divides the denominator of y, so p3r

divides the numerator of s = 1/y. Conversely, suppose p3r |s. Then p3r

divides the denominator of y. Part (2) of the theorem shows that p2r divides

the denominator of x. Therefore, (x, y) ∈ Er .

If p3r |s, then the exact power of p dividing the denominator of y is p3k ,

with k ≥ r. Part (2) of the theorem implies that the exact power of p dividing

t = x/y is pk . Since k ≥ r, we have pr |t.

We now continue with the proof of Theorem 8.1. Let »r be as in the

statement of the theorem. Note that

»r (’(x, y)) = »r (x, ’y) = ’p’r x/y = ’»r (x, y).

We now claim that if P1 + P2 + P3 = ∞ then

»r (P1 ) + »r (P2 ) + »r (P3 ) ≡ 0 (mod p4r ).

The proof will also show that if P1 , P2 ∈ Er , then P3 ∈ Er (hence Er is a

subgroup). Therefore,

»r (P1 + P2 ) = »r (’P3 ) = ’»r (P3 ) = »r (P1 ) + »r (P2 ),

so »r is a homomorphism.

Recall that three points add to ∞ if and only if they are collinear (Exercise

2.6). To prove the claim, let P1 , P2 , P3 lie on the line

ax + by + d = 0

and assume that P1 , P2 ∈ Er . Dividing by y yields the s, t line

at + b + ds = 0.

Let Pi denote the point Pi written in terms of the s, t coordinates. In other

words, if

Pi = (xi , yi ),

© 2008 by Taylor & Francis Group, LLC

202 CHAPTER 8 ELLIPTIC CURVES OVER Q

then

Pi = (si , ti )

with

si = 1/yi , ti = xi /yi .

The points P1 , P2 , P3 lie on the line at + b + ds = 0.

Since P1 , P2 ∈ Er , Lemma 8.3 implies that

p3r |si , pr |ti , for i = 1, 2.

As discussed in Section 2.4, at a ¬nite point (x, y), the order of intersection

of the line ax+by +d = 0 and the curve y 2 = x3 +Ax+B can be calculated by

using projective coordinates and considering the line aX + bY + dZ = 0 and

the curve ZY 2 = X 3 + AXZ 2 + BZ 3 . In this case, x = X/Z and y = Y /Z.

If we start with a line at + b + ds = 0 and the curve s = t3 + Ats2 + Bs3 ,

we can homogenize to get aT + bU + dS = 0 and SU 2 = T 3 + AT S 2 + BS 3 .

In this case, we have t = T /U and s = S/U . If we let Z = S, Y = U , X = T ,

we ¬nd that we are working with the same line and curve as above. A point

(x, y) corresponds to

t = T /U = X/Y = x/y and s = S/U = Z/Y = 1/y.

Since orders of intersection can be calculated using the projective models, it

follows that the order of intersection of the line ax + by + d = 0 with the curve

y 2 = x3 + Ax + B at (x, y) is the same as the order of intersection of the line

at + b + ds = 0 with the curve s = t3 + Ats2 + Bs3 at (s, t) = (1/y, x/y).

For example, the line and curve are tangent in the variables x, y if and only if

they are tangent in the variables t, s. This allows us to do the elliptic curve

group calculations using t, s instead of x, y.

LEMMA 8.4

A line t = c, where c ∈ Q is a constant with c ≡ 0 (mod p), intersects the

curve s = t3 + As2 t + Bs3 in at most one point (s, t) with s ≡ 0 (mod p).

This line is not tangent at such a point of intersection.

PROOF Suppose we have two values of s, call them s1 , s2 with s1 ≡ s2 ≡ 0

(mod p). Suppose s1 ≡ s2 (mod pk ) for some k ≥ 1. Write si = psi . Then

2 2 2 2

s1 ≡ s2 (mod pk’1 ), so s1 ≡ s2 (mod pk’1 ), so s2 = p2 s1 ≡ p2 s2 = s2

1 2

(mod pk+1 ). Similarly, s3 ≡ s3 (mod pk+2 ). Therefore,

1 2

s1 = c3 + Acs2 + Bs3 ≡ c3 + Acs2 + Bs3 = s2 (mod pk+1 ).

1 1 2 2

By induction, we have s1 ≡ s2 (mod pk ) for all k. It follows that s1 = s2 , so

there is at most one point of intersection with s ≡ 0 (mod p).

© 2008 by Taylor & Francis Group, LLC

203

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

The slope of the tangent line to the curve can be found by implicit di¬er-

entiation:

ds ds ds

= 3t2 + As2 + 2Ast + 3Bs2 ,

dt dt dt

so

3t2 + As2

ds

= .

1 ’ 2Ast ’ 3Bs2

dt

If the line t = c is tangent to the curve at (s, t), then 1 ’ 2Ast ’ 3Bs2 = 0.

But s ≡ t ≡ 0 (mod p) implies that

1 ’ 2Ast ’ 3Bs2 ≡ 1 ≡ 0 (mod p).

Therefore, t = c is not tangent to the curve.

If d = 0, then our line is of the form in the lemma. But it passes through

the points P1 and P2 , so we must have P1 = P2 , and the line is tangent to the

curve. Changing back to x, y coordinates, we obtain P1 = P2 . The de¬nition

of the group law says that since the points P1 and P2 are equal, the line

ax + by + d = 0 is tangent at (x, y). As pointed out above, this means that

at + b + ds = 0 is tangent at (s, t). The lemma says that this cannot happen.

Therefore, d = 0.

Dividing by d, we obtain

s = ±t + β

for some ±, β ∈ Q. Then P1 , P2 , P3 lie on the line s = ±t + β.

LEMMA 8.5

t2 + t1 t2 + t2 + As2

2 1 2

2 + s s + s2 ) .

±=

1 ’ A(s1 + s2 )t1 ’ B(s2 12 1

If t1 = t2 , then ± = (s2 ’s1 )/(t2 ’t1 ). Since si = t3 +As2 ti +Bs3 ,

PROOF i i i

we have

(s2 ’ s1 ) 1 ’ A(s1 + s2 )t1 ’ B(s2 + s1 s2 + s2 )

2 1

= (s2 ’ s1 ) ’ A(s2 ’ s2 )t1 ’ B(s3 ’ s3 )

2 1 2 1

= (s2 ’ As2 t2 ’ Bs2 ) ’ (s1 ’ As1 t1 ’ Bs3 ) + As2 (t2 ’ t1 )

2 3 2

1 2

= t3 ’ t3 + As2 (t2 ’ t1 )

2 1 2

= (t2 ’ t1 )(t2 + t1 t2 + t2 + As2 ).

2

1 2

This proves that (s2 ’ s1 )/(t2 ’ t1 ) equals the expression in the lemma.

Now suppose that t1 = t2 . Since a line t = c with c ≡ 0 (mod p) intersects

the curve s = t3 + As2 t + Bs3 in only one point with s ≡ 0 (mod p) by

Lemma 8.4, the points (s1 , t1 ) and (s2 , t2 ) must be equal. The line s = ±t + β

© 2008 by Taylor & Francis Group, LLC

204 CHAPTER 8 ELLIPTIC CURVES OVER Q

is therefore the tangent line at this point, and the slope is computed by implicit

di¬erentiation of s = t3 + Ats2 + Bs3 :

ds ds ds

= 3t2 + As2 + 2Ast + 3Bs2 .

dt dt dt

Solving for ds/dt yields the expression in the statement of the lemma when

t1 = t2 = t and s1 = s2 = s.

Since s1 ≡ s2 ≡ 0 (mod p), we ¬nd that the denominator

1 ’ A(s1 + s2 )t1 ’ B(s2 + s1 s2 + s2 ) ≡ 1 (mod p).

2 1

Since pr |ti , we have

t2 + t1 t2 + t2 + As2 ≡ 0 (mod p2r ).

2 1 2

Therefore, ± ≡ 0 (mod p2r ). Since p3r |si , we have

(mod p3r ).

β = si ’ ±ti ≡ 0

The point P3 is the third point of intersection of the line s = ±t + β with

s = t3 + As2 t + Bs3 . Therefore, we need to solve for t:

±t + β = t3 + A(±t + β)2 t + B(±t + β)3 .

This can be rearranged to obtain

2A±β + 3B±2 β 2

0 = t3 + t + ··· .

1 + B±3 + A±2

The sum of the three roots is the negative of the coe¬cient of t2 , so

2A±β + 3B±2 β

t 1 + t2 + t3 = ’

1 + B±3 + A±2

≡ 0 (mod p5r ).

The last congruence holds because p2r |± and p3r |β. Since t1 ≡ t2 ≡ 0

(mod pr ), we have t3 ≡ 0 (mod pr ). Therefore, s3 = ±t3 + β ≡ 0 (mod p3r ).

By Lemma 8.3, P3 ∈ Er . Moreover,

»r (P1 ) + »r (P2 ) + »r (P3 ) ≡ p’r (t1 + t2 + t3 ) ≡ 0 (mod p4r ).

Therefore, »r is a homomorphism. This completes the proof of Theorem 8.1.

COROLLARY 8.6

Let the notations be as in Theorem 8.1. If n > 1 and n is not a power of p,

then E1 contains no points of exact order n. (See also Theorem 8.9.)

© 2008 by Taylor & Francis Group, LLC

205

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

PROOF Suppose P ∈ E1 has order n. Since n is not a power of p, we

may multiply P by the largest power of p dividing n and obtain a point, not

equal to ∞, of order prime to p. Therefore, we may assume that P has order

n with p n. Let r be the largest integer such that P ∈ Er . Then

(mod p4r ).

n»r (P ) = »r (nP ) = »r (∞) ≡ 0

Since p n, we have »r (P ) ≡ 0 (mod p4r ), so P ∈ E5r . Since 5r > r, this

contradicts the choice of r. Therefore, P does not exist.

The following theorem was proved independently by Lutz and Nagell in the

1930s. Quite often it allows a quick determination of the torsion points on an

elliptic curve over Q. See Section 9.6 for another method.

THEOREM 8.7 (Lutz-Nagell)

Let E be given by y 2 = x3 + Ax + B with A, B ∈ Z. Let P = (x, y) ∈ E(Q).

Suppose P has ¬nite order. Then x, y ∈ Z. If y = 0 then

y 2 |4A3 + 27B 2 .

PROOF Suppose x or y is not in Z. Then there is some prime p dividing

the denominator of one of them. By part (2) of Theorem 8.1, P ∈ Er for

some r ≥ 1. Let be a prime dividing the order n of P . Then Q = (n/ )P

has order . By Corollary 8.6, = p. Choose j such that Q ∈ Ej , Q ∈ Ej+1 .

Then »j (Q) ≡ 0 (mod p), and

p»j (Q) = »j (pQ) ≡ 0 (mod p4j ).

Therefore,

»j (Q) ≡ 0 (mod p4j’1 ).

This contradicts the fact that »j (Q) ≡ 0 (mod p). It follows that x, y ∈ Z.

Assume y = 0. Then 2P = (x2 , y2 ) = ∞. Since 2P has ¬nite order,

x2 , y2 ∈ Z. By Theorem 3.6,

x4 ’ 2Ax2 ’ 8Bx + A2

x2 = .

4y 2

Since x2 ∈ Z, this implies that

y 2 |x4 ’ 2Ax2 ’ 8Bx + A2 .

A straightforward calculation shows that

(3x2 + 4A)(x4 ’ 2Ax2 ’ 8Bx + A2 ) ’ (3x3 ’ 5Ax ’ 27B)(x3 + Ax + B)

= 4A3 + 27B 2 .

© 2008 by Taylor & Francis Group, LLC

206 CHAPTER 8 ELLIPTIC CURVES OVER Q

Since y 2 = x3 + Ax + B, we see that y 2 divides both terms on the left.

Therefore, y 2 |4A3 + 27B 2 .

COROLLARY 8.8

Let E be an elliptic curve over Q. Then the torsion subgroup of E(Q) is

¬nite.

PROOF A suitable change of variables puts the equation for E into Weier-

strass form with integer coe¬cients. Theorem 8.7 now shows that there are

only ¬nitely many possibilities for the torsion points.

Example 8.1

Let E be given by y 2 = x3 + 4. Then 4A3 + 27B 2 = 432. Let P = (x, y) be a

point of ¬nite order in E(Q). Since 0 = x3 + 4 has no rational solutions, we

have y = 0. Therefore, y 2 |432, so

y = ±1, ±2, ±3, ±4, ±6, ±12.

Only y = ±2 yields a rational value of x, so the only possible torsion points are

(0, 2) and (0, ’2). A quick calculation shows that 3(0, ±2) = ∞. Therefore,

the torsion subgroup of E(Q) is cyclic of order 3.

Example 8.2

Let E be given by y 2 = x3 + 8. Then 4A3 + 27B 2 = 1728. If y = 0, then

x = ’2. The point (’2, 0) has order 2. If y = 0, then y 2 |1728, which means

that y|24. Trying the various possibilities, we ¬nd the points (1, ±3) and

(2, ±4). However,

2(1, 3) = (’7/4, ’13/8) and 2(2, 4) = (’7/4, 13/8).

Since these points do not have integer coordinates, they cannot have ¬nite

order. Therefore, (1, 3) and (2, 4) cannot have ¬nite order. It follows that the

torsion subgroup of E(Q) is {∞, (’2, 0)}. (Remark: The fact that 2(1, 3) =

’2(2, 4) leads us to suspect, and easily verify, that (1, 3) + (2, 4) = (’2, 0).)

Suppose we use the Lutz-Nagell theorem and obtain a possible torsion point

P . How do we decide whether or not it™s a torsion point? In the previous

example, we multiplied P by an integer and obtained a nontorsion point.

Therefore, P was not a torsion point. In general, the Lutz-Nagell theorem

explicitly gives a ¬nite list of possibilities for torsion points. If P is a torsion

point, then, for every n, the point nP must either be ∞ or be on that list.

Since there are only ¬nitely many points on the list, either we™ll have nP = mP

for some m = n, in which case P is torsion and (n ’ m)P = ∞, or some

© 2008 by Taylor & Francis Group, LLC

207

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

multiple nP is not on the list and P is not torsion. Alternatively, we can use

Mazur™s theorem (Theorem 8.11 below), which says that the order of a torsion

point in E(Q) is at most 12. Therefore, if nP = ∞ for all n ¤ 12, then P is

not torsion. Consequently, it is usually not hard to check each possibility in

the Lutz-Nagell theorem and see which ones yield torsion points. However,

sometimes the discriminant is hard to factor, and sometimes it contains many

factors. In this case, another algorithm can be used. See Section 9.6.

Another technique that helps us determine the torsion subgroup involves

reduction mod primes. The main result needed is the following.

THEOREM 8.9

Let E be an elliptic curve given by y 2 = x3 + Ax + B with A, B ∈ Z. Let p

be an odd prime and assume p 4A3 + 27B 2 . Let

ρp : E(Q) ’ E(Fp )

be the reduction mod p map. If P ∈ E(Q) has ¬nite order and ρp (P ) = ∞,

then P = ∞.

REMARK 8.10 In general, reduction mod a prime ideal containing p is

injective on the prime-to-p torsion in E(Q). This is similar to the situation

in algebraic number theory, where reduction mod a prime ideal containing p

is injective on roots of unity of order prime to p (see [129]).

PROOF By Theorem 8.7, all of the torsion points (other than ∞) have

integral coordinates, so they reduce to well-de¬ned ¬nite points mod p. In

particular, ∞ is the only point that reduces to ∞.

Example 8.3

Let™s use Theorem 8.9 to ¬nd the torsion on y 2 = x3 + 8. We have 4A3 +

27B 2 = 1728 = 26 · 33 , so we cannot use the primes 2, 3. The reduction

mod 5 has 6 points, so Theorem 8.9 implies that the torsion in E(Q) has

order dividing 6. The reduction mod 7 has 12 points, so the torsion has order

dividing 12, which gives no new information. The reduction mod 11 has 12

points, so we again get no new information. However, the reduction mod 13

has 16 points, so the torsion in E(Q) has order dividing 16. It follows that

the torsion group has order dividing 2. Since (’2, 0) is a point of order 2, the

torsion has order exactly 2. This is of course the same result that we obtained

earlier using the Lutz-Nagell theorem.

Example 8.4

In the preceding example, the Lutz-Nagell theorem was perhaps at least as

fast as Theorem 8.9 in determining the order of the torsion subgroup. This is

© 2008 by Taylor & Francis Group, LLC

208 CHAPTER 8 ELLIPTIC CURVES OVER Q

not always the case. Let E be given by y 2 = x3 + 18x + 72. Then

4A3 + 27B 2 = 163296 = 25 · 36 · 7.

The Lutz-Nagell theorem would require us to check all y with y 2 |163296, which

amounts to checking all y|108 = 22 · 33 . Instead, the reduction mod 5 has 5

points and the reduction mod 11 has 8 points. It follows that the torsion

subgroup of E(Q) is trivial.

Finally, we mention a deep result of Mazur, which we will not prove (see

[77]).

THEOREM 8.11

Let E be an elliptic curve de¬ned over Q. Then the torsion subgroup of E(Q)

is one of the following:

Zn with 1 ¤ n ¤ 10 or n = 12,

Z2 • Z2n with 1 ¤ n ¤ 4.

REMARK 8.12 For each of the groups in the theorem, there are in¬nitely

many elliptic curves E (with distinct j-invariants) having that group as the

torsion subgroup of E(Q). See Exercise 8.1 for examples of each possibility.

8.2 Descent and the Weak Mordell-Weil Theo-

rem

We start with an example that has its origins in the work of Fermat (see

Section 8.6).

Example 8.5

Let™s look at rational points on the curve E given by

y 2 = x(x ’ 2)(x + 2).

If y = 0, we have x = 0, ±2. Therefore, assume y = 0. Since the product of

x, x ’ 2, and x + 2 is a square, intuition suggests that each of these factors

should, in some sense, be close to being a square. Write

x = au2

x ’ 2 = bv 2

x + 2 = cw2

© 2008 by Taylor & Francis Group, LLC

209

SECTION 8.2 DESCENT AND THE WEAK MORDELL-WEIL THEOREM

with rational numbers a, b, c, u, v, w. Then y 2 = abc(uvw)2 , so

abc is a square.

By adjusting u, v, w, we may assume that a, b, c are squarefree integers. In

fact, we claim that

a, b, c ∈ {±1, ±2}.

Suppose that p is an odd prime dividing a. Since a is squarefree, p2 a, so

the exact power pk dividing x = au2 has k odd. If k < 0, then pk is the

exact power of p in the denominator of x ± 2, so p3k is the power of p in the

denominator of y 2 = x(x ’ 2)(x + 2). Since 3k is odd and y 2 is a square, this

is impossible. If k > 0 then x ≡ 0 (mod p), so x ± 2 ≡ 0 (mod p). Therefore,

pk is the power of p dividing y 2 . Since k is odd, this is impossible. Therefore,

p a. Similarly, no odd prime divides b or c. Therefore, each of a, b, c is, up

to sign, a power of 2. Since they are squarefree, this proves the claim.

The procedure we are following is called descent, or, more precisely, a

2-descent. Suppose x is a rational number with at most N digits in its

numerator and denominator. Then u, v, w should have at most N/2 digits

(approximately) in their numerators and denominators. Therefore, if we are

searching for points (x, y), we can instead search for smaller numbers u, v, w.

This method was developed by Fermat. See Section 8.6.

We have four choices for a and four choices for b. Since a and b together

determine c (because abc is a square), there are 16 possible combinations for

a, b, c. We can eliminate some of them quickly. Since x(x’1)(x+2) = y 2 > 0,

we have cw2 = x + 2 > 0, so c > 0. Since abc > 0, it follows that a and b

must have the same sign. We are now down to 8 possible combinations.

Let™s consider (a, b, c) = (1, 2, 2). We have

x = u2 , x ’ 2 = 2v 2 , x + 2 = 2w2

with rational numbers u, v, w. Therefore,

u2 ’ 2v 2 = 2, u2 ’ 2w2 = ’2.

If v has 2 in its denominator, then 2v 2 has an odd power of 2 in its denomi-

nator. But u2 has an even power of 2 in its denominator, so u2 ’ 2v 2 cannot

be an integer. This contradiction shows that v and u have odd denominators.

Therefore, we may consider u, v mod powers of 2. Since 2|u2 , we have 2|u,

hence 4|u2 . Therefore, ’2v 2 ≡ 2 (mod 4), which implies that 2 v. Similarly,

’2w2 ≡ ’2 (mod 4), so 2 w. It follows that v 2 ≡ w2 ≡ 1 (mod 8), so

2 ≡ u2 ’ 2v 2 ≡ u2 ’ 2 ≡ u2 ’ 2w2 ≡ ’2 (mod 8),

which is a contradiction. It follows that (a, b, c) = (1, 2, 2) is impossible.

Similar considerations eliminate the combinations (’1, ’1, 1), (2, 1, 2), and

© 2008 by Taylor & Francis Group, LLC

210 CHAPTER 8 ELLIPTIC CURVES OVER Q

(’2, ’2, 1) for (a, b, c) (later, we™ll see a faster way to eliminate them). Only

the combinations

(a, b, c) = (1, 1, 1), (’1, ’2, 2), (2, 2, 1), (’2, ’1, 2)

remain. As we™ll see below, these four combinations correspond to the four

points that we already know about, namely,

∞, (0, 0), (2, 0), (’2, 0)

(this requires some explanation, which will be given later). As we™ll see later,

the fact that we eliminated all combinations except those coming from known

points implies that we have found all points, except possibly points of odd

order, on the curve. The Lutz-Nagell theorem, or reduction mod 5 and 7

(see Theorem 8.9), shows that there are no nontrivial points of odd order.

Therefore, we have found all rational points on E:

E(Q) = {∞, (0, 0), (2, 0), (’2, 0)}.

The calculations of the example generalize to elliptic curves E of the form

y 2 = (x ’ e1 )(x ’ e2 )(x ’ e3 )

with e1 , e2 , e3 ∈ Z and ei = ej when i = j. In fact, they extend to even more

general situations. If ei ∈ Q but ei ∈ Z, then a change of variables transforms

the equation to one with ei ∈ Z, so this situation gives nothing new. However,

if ei ∈ Q, the method still applies. In order to keep the discussion elementary,

we™ll not consider this case, though we™ll say a few things about it later.

Assuming that x, y ∈ Q, write

x ’ e1 = au2

x ’ e2 = bv 2

x ’ e3 = cw2

with rational numbers a, b, c, u, v, w. Then y 2 = abc(uvw)2 , so

abc is a square.

By adjusting u, v, w, we may assume that a, b, c are squarefree integers.

PROPOSITION 8.13

Let

S = {p | p is prime and p|(e1 ’ e2 )(e1 ’ e3 )(e2 ’ e3 )}.

If p is a prime and p|abc, then p ∈ S.

© 2008 by Taylor & Francis Group, LLC

211

SECTION 8.2 DESCENT AND THE WEAK MORDELL-WEIL THEOREM

PROOF Suppose p|a. Then pk , with k odd, is the exact power of p dividing

x ’ e1 . If k < 0, then pk is the power of p in the denominator of x ’ e2 and

x ’ e3 . Therefore, p3k is the power of p in the denominator of y 2 , which is

impossible. Therefore k > 0. This means that x ≡ e1 (mod p). Also, x has

no p in its denominator, so the same is true of bv 2 = x ’ e2 and cw2 = x ’ e3 .

Moreover, bv 2 ≡ e1 ’ e2 and cw2 ≡ e1 ’ e3 (mod p). If p ∈ S, then the power

of p in

y 2 = (au2 )(bv 2 )(cw2 )

is pk p0 p0 = pk . Since k is odd, this is impossible. Therefore, p ∈ S.

Since S is a ¬nite set, there are only ¬nitely many combinations (a, b, c)

that are possible. The following theorem shows that the set of combinations

that actually come from points (x, y) has a group structure modulo squares.

2

Let Q— /Q— denote the group of rational numbers modulo squares. This

means that we regard two nonzero rational numbers x1 , x2 as equivalent if the

2

ratio x1 /x2 is the square of a rational number. Every element of Q— /Q—

can be represented by ±1 times a (possibly empty) product of distinct primes.

Note that if x ’ e1 = au2 , then x ’ e1 is equivalent to a mod squares. There-

fore, the map φ in the following theorem maps a point (x, y) ∈ E[2] to the

corresponding triple (a, b, c).

THEOREM 8.14

Let E be given by y 2 = (x ’ e1 )(x ’ e2 )(x ’ e3 ) with e1 , e2 , e3 ∈ Z. The map

2 2 2

φ : E(Q) ’ (Q— /Q— ) • (Q— /Q— ) • (Q— /Q— )

de¬ned by

(x, y) ’ (x ’ e1 , x ’ e2 , x ’ e3 ) when y = 0

∞ ’ (1, 1, 1)

(e1 , 0) ’ ((e1 ’ e2 )(e1 ’ e3 ), e1 ’ e2 , e1 ’ e3 )

(e2 , 0) ’ (e2 ’ e1 , (e2 ’ e1 )(e2 ’ e3 ), e2 ’ e3 )

(e3 , 0) ’ (e3 ’ e1 , e3 ’ e2 , (e3 ’ e1 )(e3 ’ e2 ))

is a homomorphism. The kernel of φ is 2E(Q).

PROOF First, we show that φ is a homomorphism. Suppose Pi = (xi , yi ),

i = 1, 2, 3, are points lying on the line y = ax + b. Assume for the moment

that yi = 0. The polynomial

(x ’ e1 )(x ’ e2 )(x ’ e3 ) ’ (ax + b)2

has leading coe¬cient 1 and has roots x1 , x2 , x3 (with the correct multiplici-

ties). Therefore,

(x ’ e1 )(x ’ e2 )(x ’ e3 ) ’ (ax + b)2 = (x ’ x1 )(x ’ x2 )(x ’ x3 ).

© 2008 by Taylor & Francis Group, LLC

212 CHAPTER 8 ELLIPTIC CURVES OVER Q

Evaluating at ei yields

2

(x1 ’ ei )(x2 ’ ei )(x3 ’ ei ) = (aei + b)2 ∈ Q— .

Since this is true for each i,

2 2 2

φ(P1 )φ(P2 )φ(P3 ) = 1 ∈ Q— /Q— • Q— /Q— • Q— /Q—

(that is, the product is a square, hence is equivalent to 1 mod squares). Since

any number z is congruent to its multiplicative inverse mod squares (that is,

z equals 1/z times a square),

φ(P3 )’1 = φ(P3 ) = φ(’P3 ).

Therefore,

φ(P1 )φ(P2 ) = φ(’P3 ) = φ(P1 + P2 ).

To show that φ is a homomorphism, it remains to check what happens when

one or both of P1 , P2 is a point of order 1 or 2. The case where a point Pi is of

order 1 (that is, Pi = ∞) is trivial. If both P1 and P2 have order 2, a case by

case check shows that φ(P1 + P2 ) = φ(P1 )φ(P2 ). Finally, suppose that P1 has

order 2 and P2 has y2 = 0. Let™s assume P1 = (e1 , 0). The other possibilities

are similar. Since the values of φ are triples, let φ1 , φ2 , φ3 denote the three

components of φ (so φ = (φ1 , φ2 , φ3 )). The proof given above shows that

φi (P1 )φi (P2 ) = φi (P1 + P2 )

for i = 2, 3. So it remains to consider φ1 .

By inspection, φ1 (P )φ2 (P )φ3 (P ) = 1 for all P . Since φi (P1 )φi (P2 ) =

φi (P1 + P2 ) for i = 2, 3, the relation holds for i = 1, too. Therefore, φ is a

homomorphism.

Putting everything together, we see that φ is a homomorphism.

To prove the second half of the theorem, we need to show that if x ’ ei is

a square for all i, then (x, y) = 2P for some point P ∈ E(Q). Let

2

x ’ ei = vi , i = 1, 2, 3.

For simplicity, we™ll assume that e1 + e2 + e3 = 0, which means that the

equation for our elliptic curve has the form y 2 = x3 +Ax+B. (If e1 +e2 +e3 =

0, the coe¬cient of x2 is nonzero. A simple change of variables yields the

present case.) Let

f (T ) = u0 + u1 T + u2 T 2

satisfy

f (ei ) = vi , i = 1, 2, 3.

© 2008 by Taylor & Francis Group, LLC

213

SECTION 8.2 DESCENT AND THE WEAK MORDELL-WEIL THEOREM

Such an f exists since there is a unique quadratic polynomial whose graph

passes through any three points that have distinct x-coordinates. In fact

1

(T ’ e2 )(T ’ e3 )

f (T ) = v1

(e1 ’ e2 )(e1 ’ e3 )

1

(T ’ e1 )(T ’ e3 )

+ v2

(e2 ’ e1 )(e2 ’ e3 )

1

(T ’ e1 )(T ’ e2 ).

+ v3

(e3 ’ e1 )(e3 ’ e2 )

Let g(T ) = x ’ T ’ f (T )2 . Then g(ei ) = 0 for all i, so

T 3 + AT + B = (T ’ e1 )(T ’ e2 )(T ’ e3 ) divides g(T ).

Therefore, g(T ) ≡ 0 (mod T 3 + AT + B), so

x ’ T ≡ (u0 + u1 T + u2 T 2 )2 (mod T 3 + AT + B).

(We say that two polynomials P1 , P2 are congruent mod P3 if P1 ’ P2 is a

multiple of P3 .) This congruence for x ’ T can be thought of as a way of

simultaneously capturing the information that x ’ ei is a square for all i.

Mod T 3 + AT + B, we have

T 3 ≡ ’AT ’ B, T 4 ≡ T · T 3 ≡ ’AT 2 ’ BT.

Therefore,

x ’ T ≡ (u0 + u1 T + u2 T 2 )2

≡ u2 + 2u0 u1 T + (u2 + 2u0 u2 )T 2 + 2u1 u2 T 3 + u2 T 4

0 1 2

≡ (u2 ’ 2Bu1 u2 ) + (2u0 u1 ’ 2Au1 u2 ’ Bu2 )T

0 2

2 2 2

+(u1 + 2u0 u2 ’ Au2 )T .

If two polynomials P1 and P2 of degree at most two are congruent mod a

polynomial of degree three, then their di¬erence P1 ’ P2 is a polynomial of

degree at most two that is divisible by a polynomial of degree three. This can

only happen if P1 = P2 . In our case, this means that

x = u2 ’ 2Bu1 u2 (8.1)

0

’1 = 2u0 u1 ’ 2Au1 u2 ’ Bu2 (8.2)

2

0 = u2 + 2u0 u2 ’ Au2 . (8.3)

1 2

If u2 = 0 then (8.3) implies that also u1 = 0. Then f (T ) is constant, so

v1 = v2 = v3 . This means that e1 = e2 = e3 , contradiction. Therefore,

u2 = 0. Multiply (8.3) by u1 /u3 and multiply (8.2) by 1/u2 , then subtract to

2 2

obtain

2 3

1 u1 u1

= +A + B.

u2 u2 u2

© 2008 by Taylor & Francis Group, LLC

214 CHAPTER 8 ELLIPTIC CURVES OVER Q

Let

u1 1

x1 = , y1 = ,

u2 u2

so (x1 , y1 ) ∈ E(Q). We claim that 2(x1 , y1 ) = ±(x, y).

Equation 8.3 implies that

Au2 ’ u2 A ’ x2

2 1 1

u0 = = .

2u2 2y1

Substituting this into (8.1) yields

x4 ’ 2Ax2 ’ 8Bx1 + A2

x= 1 1

.

2

4y1

This is the x-coordinate of 2(x1 , y1 ) (see Theorem 3.6). The y-coordinate is

determined up to sign by the x-coordinate, so 2(x1 , y1 ) = (x, ±y) = ±(x, y).

It follows that (x, y) = 2(x1 , y1 ) or 2(x1 , ’y1 ). In particular, (x, y) ∈ 2E(Q).

Example 8.6

We continue with Example 8.5. For the curve y 2 = x(x ’ 2)(x + 2), we have

φ(0, 0) = (’1, ’2, 2),

φ(∞) = (1, 1, 1),

φ(’2, 0) = (’2, ’1, 2)

φ(2, 0) = (2, 2, 1),

(we used the fact that 4 and 1 are equivalent mod squares to replace 4 by 1).

We eliminated the triple (a, b, c) = (1, 2, 2) by working mod powers of 2. We

now show how to eliminate (’1, ’1, 1), (2, 1, 2), (’2, ’2, 1). Suppose there is

a point P with φ(P ) = (’1, ’1, 1). Then

φ(P + (0, 0)) = φ(P )φ(0, 0) = (’1, ’1, 1)(’1, ’2, 2) = (1, 2, 2).

But we showed that (1, 2, 2) does not come from a point in E(Q). Therefore,

P does not exist. The two other triples are eliminated similarly.

Theorem 8.14 has a very important corollary.

THEOREM 8.15 (Weak Mordell-Weil Theorem)

Let E be an elliptic curve de¬ned over Q. Then

E(Q)/2E(Q)

is ¬nite.

PROOF We give the proof in the case that e1 , e2 , e3 ∈ Q. As remarked

earlier, we may assume that e1 , e2 , e3 ∈ Z. The map φ in Theorem 8.14 gives

© 2008 by Taylor & Francis Group, LLC

215

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

an injection

2 2 2

E(Q)/2E(Q) ’ (Q— /Q— ) • (Q— /Q— ) • (Q— /Q— ).

Proposition 8.13 says that if (a, b, c) (where a, b, c are chosen to be squarefree

integers) is in the image of φ, then a, b, c are products of primes in the set S

of Proposition 8.13. Since S is ¬nite, there are only ¬nitely many such a, b, c

mod squares. Therefore, the image of φ is ¬nite. This proves the theorem.

REMARK 8.16 (for those who know some algebraic number theory) Let

K/Q be a ¬nite extension. The theorem can be extended to say that if E

is an elliptic curve over K then E(K)/2E(K) is ¬nite. If we assume that

x3 + Ax + B = (x ’ e1 )(x ’ e2 )(x ’ e3 ) with all ei ∈ K, then the proof is the

same except that the image of φ is contained in

2 2 2

(K — /K — ) • (K — /K — ) • (K — /K — ).

Let OK be the ring of algebraic integers of K. To make things simpler, we

invert some elements in order to obtain a unique factorization domain. Take

a nonzero element from an integral ideal in each ideal class of OK and let M

be the multiplicative subset generated by these elements. Then M ’1 OK is a

principal ideal domain, hence a unique factorization domain. The analogue of

Proposition 8.13 says that the primes of M ’1 OK dividing a, b, c also divide

(e1 ’ e2 )(e1 ’ e3 )(e2 ’ e3 ). Let S ‚ M ’1 OK be the set of prime divisors of

(e1 ’ e2 )(e1 ’ e3 )(e2 ’ e3 ). Then the image of φ is contained in the group

generated by S and the units of M ’1 OK . Since the class number of K is

¬nite, M is ¬nitely generated. A generalization of the Dirichlet unit theorem

(often called the S-unit theorem) says that the units of M ’1 OK are a ¬nitely

generated group. Therefore, the image of φ is a ¬nitely generated abelian

group of exponent 2, hence is ¬nite. This proves that E(K)/2E(K) is ¬nite.

8.3 Heights and the Mordell-Weil Theorem

The purpose of this section is to change the weak Mordell-Weil theorem

into the Mordell-Weil theorem. This result was proved by Mordell in 1922 for

elliptic curves de¬ned over Q. It was greatly generalized in 1928 by Weil in

his thesis, where he proved the result not only for elliptic curves over number

¬elds (that is, ¬nite extensions of Q) but also for abelian varieties (higher-

dimensional analogues of elliptic curves).

© 2008 by Taylor & Francis Group, LLC

216 CHAPTER 8 ELLIPTIC CURVES OVER Q

THEOREM 8.17 (Mordell-Weil)

Let E be an elliptic curve de¬ned over Q. Then E(Q) is a ¬nitely generated

abelian group.

The theorem says that there is a ¬nite set of points on E from which all

other points can be obtained by repeatedly drawing tangent lines and lines

through points, as in the de¬nition of the group law. The proof will be given

below. Since we proved the weak Mordell-Weil theorem only in the case that

E[2] ⊆ E(Q), we obtain the theorem only for this case. However, the weak

Mordell-Weil theorem is true in general, and the proof of the passage from

the weak result to the strong result holds in general.

From the weak Mordell-Weil theorem, we know that E(Q)/2E(Q) is ¬-

nite. This alone is not enough to deduce the stronger result. For example,

R/2R = 0, hence is ¬nite, even though R is not ¬nitely generated. In our

case, suppose we have points R1 , . . . , Rn representing the ¬nitely many cosets

in E(Q)/2E(Q). Let P ∈ E(Q) be an arbitrary point. We can write

P = Ri + 2P1

for some i and some point P1 . Then we write

P1 = Rj + 2P2 ,

etc. If we can prove the process stops, then we can put things back together

and obtain the theorem. The theory of heights will show that the points

P1 , P2 , . . . are getting smaller, in some sense, so the process will eventually

yield a point Pk that lies in some ¬nite set of small points. These points, along

with the Ri , yield the generators of E(Q). We make these ideas more precise

after Theorem 8.18 below. Note that sometimes the points Ri by themselves

do not su¬ce to generate E(Q). See Exercise 8.7.

Let a/b be a rational number, where a, b are integers with gcd(a, b) = 1.

De¬ne

H(a/b) = Max(|a|, |b|)

and

h(a/b) = log H(a/b).

The function h is called the (logarithmic) height function. It is closely

related to the number of digits required to write the rational number a/b.

Note that, given a constant c, there are only ¬nitely many rational numbers

x with h(x) ¤ c.

Now let E be an elliptic curve over Q and let (x, y) ∈ E(Q). De¬ne

h(x, y) = h(x), h(∞) = 0, H(x, y) = H(x), H(∞) = 1.

It might seem strange using only the x-coordinate. Instead, we could use

the y-coordinate. Since the square of the denominator of the y-coordinate is

© 2008 by Taylor & Francis Group, LLC

217

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

the cube of the denominator of the x-coordinate (when the coe¬cients A, B

of E are integers), it can be shown that this would change the function h

approximately by a factor of 3/2. This would cause no substantial change in

ˆ

the theory. In fact, the canonical height h, which will be introduced shortly,

1

is de¬ned using a limit of values of 2 h. It could also be de¬ned as a limit of

values of 1/3 of the height of the y-coordinate. These yield the same canonical

height function. See [109, Lemma 6.3]. The numbers 2 and 3 are the orders

of the poles of the functions x and y on E (see Section 11.1).

ˆ

It is convenient to replace h with a function h that has slightly better

ˆ

properties. The function h is called the canonical height.

THEOREM 8.18

Let E be an elliptic curve de¬ned over Q. There is a function

ˆ

h : E(Q) ’ R≥0

with the following properties:

ˆ

1. h(P ) ≥ 0 for all P ∈ E(Q).

2. There is a constant c0 such that | 1 h(P ) ’ h(P )| ¤ c0 for all P .

ˆ

2

3. Given a constant c, there are only ¬nitely many points P ∈ E(Q) with

ˆ

h(P ) ¤ c.

4. h(mP ) = m2 h(P ) for all integers m and all P .

ˆ ˆ

ˆ ˆ ˆ ˆ

5. h(P + Q) + h(P ’ Q) = 2h(P ) + 2h(Q) for all P, Q.

ˆ

6. h(P ) = 0 if and only if P is a torsion point.

Property (5) is often called the parallelogram law because if the origin

0 and vectors P, Q, P + Q (ordinary vector addition) are the vertices of a

parallelogram, then the sum of the squares of the lengths of the diagonals

equals the sum of the squares of the lengths of the four sides:

||P + Q||2 + ||P ’ Q||2 = 2||P ||2 + 2||Q||2 .

The proof of Theorem 8.18 will occupy most of the rest of this section. First,

let™s use the theorem to deduce the Mordell-Weil theorem.

Proof of the Mordell-Weil theorem: Let R1 , . . . , Rn be representatives for

E(Q)/2E(Q). Let

ˆ

c = Maxi {h(Ri )}

ˆ

and let Q1 , . . . , Qm be the set of points with h(Qi ) ¤ c. This is a ¬nite set by

Theorem 8.18. Let G be the subgroup of E(Q) generated by

R1 , . . . , Rn , Q1 , . . . , Qm .

© 2008 by Taylor & Francis Group, LLC

218 CHAPTER 8 ELLIPTIC CURVES OVER Q

We claim that G = E(Q). Suppose not. Let P ∈ E(Q) be an element not

in G. Since, for a point P , there are only ¬nitely many points of height less

than P , we may change P to one of these, if necessary, and assume P has the

smallest height among points not in G. We may write

P ’ Ri = 2P1

for some i and some P1 . By Theorem 8.18,

ˆ ˆ ˆ

4h(P1 ) = h(2P1 ) = h(P ’ Ri )

ˆ ˆ ˆ

= 2h(P ) + 2h(Ri ) ’ h(P + Ri )

ˆ

¤ 2h(P ) + 2c + 0

ˆ ˆ ˆ

< 2h(P ) + 2h(P ) = 4h(P )

ˆ

(since c < h(P ), because P = Qj ). Therefore,

ˆ ˆ

h(P1 ) < h(P ).

Since P had the smallest height for points not in G, we must have P1 ∈ G.

Therefore,

P = Ri + 2P1 ∈ G.

This contradiction proves that E(Q) = G. This completes the proof of the

Mordell-Weil theorem.

It remains to prove Theorem 8.18. The key step is the following.

PROPOSITION 8.19

There exists a constant c1 such that

|h(P + Q) + h(P ’ Q) ’ 2h(P ) ’ 2h(Q)| ¤ c1

for all P, Q ∈ E(Q).

The proof is rather technical, so we postpone it in order to complete the

proof of Theorem 8.18.

Proof of Theorem 8.18:

Proof of parts (1) and (2): Letting Q = P in Proposition 8.19, we obtain

|h(2P ) ’ 4h(P )| ¤ c1 (8.4)

for all P . De¬ne

1 1

lim n h(2n P ).

ˆ

h(P ) =

2 n’∞ 4

We need to prove the limit exists. We have

∞

1 1

lim n h(2n P ) = h(P ) + (h(2j P ) ’ 4h(2j’1 P )). (8.5)

4j

n’∞ 4

j=1

© 2008 by Taylor & Francis Group, LLC

219

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

By (8.4),

1 c1

(h(2j P ) ’ 4h(2j’1 P )) ¤ j ,

4j 4

ˆ

so the in¬nite sum converges. Therefore, h(P ) exists. Since

∞

c1 c1

=,

4j 3

j=1

we obtain |h(P )’ 1 h(P )| ¤ c1 /6. It is clear from the de¬nitions that h(P ) ≥ 0

ˆ ˆ

2

for all P .

Proof of part (3): If h(P ) ¤ c, then h(P ) ¤ 2c + c3 . There are only ¬nitely

ˆ 1

many P satisfying this inequality.

Proof of part (5): We have

1 c1

|h(2n P + 2n Q) + h(2n P ’ 2n Q) ’ 2h(2n P ) ’ 2h(2n Q)| ¤ n .

4n 4

Letting n ’ ∞ yields the result.

Proof of part (4): Since the height depends only on the x-coordinate,

ˆ ˆ

h(’P ) = h(P ). Therefore, we may assume m ≥ 0. The cases m = 0, 1

are trivial. Letting Q = P in part (5) yields the case m = 2. Assume that we

know the result for m ’ 1 and m. Then

ˆ ˆ ˆ ˆ

h((m + 1)P ) = ’h((m ’ 1)P ) + 2h(mP ) + 2h(P ) (by part (5))

= ’(m ’ 1)2 + 2m2 + 2 h(P )

ˆ

= (m + 1)2 h(P ).

ˆ

By induction, the result is true for all m.

Proof of part (6): If mP = ∞, then m2 h(P ) = h(mP ) = h(∞) = 0, so

ˆ ˆ ˆ

h(P ) = 0. Conversely, if h(P ) = 0, then h(mP ) = m2 h(P ) = 0 for all m.

ˆ ˆ ˆ ˆ

Since there are only ¬nitely many points of height 0, the set of multiples

of P is ¬nite. Therefore, P is a torsion point. This completes the proof of

Theorem 8.18.

Proof of Proposition 8.19. It remains to prove Proposition 8.19. It can be

restated as saying that there exist constants c , c such that

2h(P ) + 2h(Q) ’ c ¤ h(P + Q) + h(P ’ Q) (8.6)

h(P + Q) + h(P ’ Q) ¤ 2h(P ) + 2h(Q) + c (8.7)

for all P, Q. These two inequalities will be proved separately. We™ll start with

the second one.

Let the elliptic curve E be given by y 2 = x3 + Ax + B with A, B ∈ Z. Let

a1 a2

P = ( , y1 ), Q = ( , y2 ),

b1 b2

a3 a4

P ’ Q = ( , y4 )

P + Q = ( , y3 ),

b3 b4

© 2008 by Taylor & Francis Group, LLC

220 CHAPTER 8 ELLIPTIC CURVES OVER Q

be points on E, where yi ∈ Q and ai , bi are integers with gcd(ai , bi ) = 1. Let

g1 = 2(a1 b2 + a2 b1 )(Ab1 b2 + a1 a2 ) + 4Bb2 b2

12

2

g2 = (a1 a2 ’ Ab1 b2 ) ’ 4B(a1 b2 + a2 b1 )b1 b2

g3 = (a1 b2 ’ a2 b1 )2 .

Then a short calculation shows that

a3 a4 g1 a3 a4 g2

+ =, =.

b3 b4 g3 b3 b4 g3

LEMMA 8.20

Let c1 , c2 , d1 , d2 ∈ Z. Then

Max(|c1 |, |d1 |) · Max(|c2 |, |d2 |) ¤ 2Max(|c1 c2 |, |c1 d2 + c2 d1 |, |d1 d2 |).

PROOF Without loss of generality, we may assume that |c1 | ¤ |d1 | (other-

wise, switch c1 , d1 ). Let L denote the left side of the inequality of the lemma

and let R denote the right side. There are three cases to consider.

1. If |c2 | ¤ |d2 |, then L = |d1 d2 | and 2|d1 d2 | ¤ R, so L ¤ R.

2. If |c2 | ≥ |d2 | ≥ (1/2)|c2 |, then L = |d1 c2 | and

R ≥ 2|d1 d2 | ≥ |d1 c2 | ≥ L.

3. If |d2 | ¤ (1/2)|c2 |, then L = |d1 c2 | and

R ≥ 2|c1 d2 + c2 d1 |

≥ 2(|c2 d1 | ’ |c1 d2 |)

≥ 2(|c2 d1 | ’ |d1 |(1/2)|c2 |)

= |c2 d1 | = L.

This completes the proof of the lemma.

LEMMA 8.21

Let c1 , c2 , d1 , d2 ∈ Z with gcd(ci , di ) = 1 for i = 1, 2. Then

gcd(c1 c2 , c1 d2 + c2 d1 , d1 d2 ) = 1.

PROOF Let d = gcd(c1 d2 + c2 d1 , d1 d2 ). Suppose p is a prime such that

p|c1 and p|d. Then p d1 since gcd(c1 , d1 ) = 1. Since p|d1 d2 , we have p|d2 .

Therefore, p c2 . Therefore, p|c1 d2 and p c2 d1 , so p c1 d2 + c2 d1 . Therefore

p d, contradiction. Similarly, there is no prime dividing both c2 and d. It

© 2008 by Taylor & Francis Group, LLC

221

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

follows that there is no prime dividing c1 c2 and d, so the gcd in the lemma is

1.

We can apply the lemmas to a3 , a4 , b3 , b4 . Since gcd(a3 , b3 ) = 1 and

gcd(a4 , b4 ) = 1, we have

gcd(a3 a4 , a3 b4 + a4 b3 , b3 b4 ) = 1.

Therefore, there exist integers x, y, z such that

a3 a4 x + (a3 b4 + a4 b3 )y + b3 b4 z = 1.

Since

g3 (a3 b4 + a4 b3 ) = g1 (b3 b4 ) and g3 (a3 a4 ) = g2 (b3 b4 ), (8.8)

we have

g3 = g3 (a3 a4 )x + g3 (a3 b4 + a4 b3 )y + g3 (b3 b4 )z

= g2 (b3 b4 )x + g1 (b3 b4 )y + g3 (b3 b4 )z.

Therefore, b3 b4 |g3 , so

|b3 b4 | ¤ |g3 |.

Similarly,

|a3 a4 | ¤ |g2 |.

Equation 8.8 and the fact that |b3 b4 | ¤ |g3 | imply that

|a3 b4 + a4 b3 | ¤ |g1 |.

In terms of the nonlogarithmic height H, these inequalities say that

H(P + Q) · H(P ’ Q) = Max(|a3 |, |b3 |) · Max(|a4 |, |b4 |)

¤ 2Max(|a3 a4 |, |a3 b4 + a4 b3 |, |b3 b4 |)

¤ 2Max(|g2 |, |g1 |, |g3 |).

Let H1 = Max(|a1 |, |b1 |) and H2 = Max(|a2 |, |b2 |). Then

|g1 | = |2(a1 b2 + a2 b1 )(Ab1 b2 + a1 a2 ) + 4Bb2 b2 |

12

22

¤ 2(H1 H2 + H2 H1 )(|A|H1 H2 + H1 H2 ) + 4|B|H1 H2

22

¤ 4(|A| + 1 + |B|)H1 H2 .

Similarly,

|g2 | ¤ ((1 + |A|)2 + 8|B|)H1 H2 ,

22 22

|g3 | ¤ 4H1 H2 .

Therefore,

H(P + Q) · H(P ’ Q) ¤ CH1 H2 = CH(P )2 H(Q)2

22

© 2008 by Taylor & Francis Group, LLC

222 CHAPTER 8 ELLIPTIC CURVES OVER Q

for some constant C. Taking logs yields

h(P + Q) + h(P ’ Q) ¤ 2h(P ) + 2h(Q) + c (8.9)

for some constant c .

We now need to prove the inequality in (8.6). First we™ll prove an inequality

between h(R) and h(2R) for points R.

LEMMA 8.22

Let R ∈ E(Q). There exists a constant C2 , independent of R, such that

4h(R) ¤ h(2R) + C2 .

PROOF Let

a

R = ( , y)

b

with y ∈ Q and a, b ∈ Z with gcd(a, b) = 1. Let

h1 = a4 ’ 2Aa2 b2 ’ 8Bab3 + A2 b4

h2 = (4b)(a3 + Aab2 + Bb3 )

∆ = 4A3 + 27B 2 .

By Lemma 3.8, there exist homogeneous polynomials r1 , r2 , s1 , s2 ∈ Z[a, b] of

degree 3 (the coe¬cients depend on A, B) such that

4∆b7 = r1 h1 + r2 h2 (8.10)

4∆a7 = s1 h1 + s2 h2 . (8.11)

For a homogeneous polynomial

p(x, y) = c0 x3 + c1 x2 y + c2 xy 2 + c3 y 3 ,

we have

|p(a, b)| ¤ (|c0 | + |c1 | + |c2 | + |c3 |)Max(|a|, |b|)3 .

Suppose |b| ≥ |a|. It follows that

|4∆||b|7 ¤ |r1 (a, b)||h1 | + |r2 (a, b)||h2 |

¤ C1 |b|3 Max(|h1 |, |h2 |),

for some constant C1 independent of R. Therefore,

|4∆||b|4 ¤ C1 Max(|h1 |, |h2 |).

Let d = gcd(h1 , h2 ). Then (8.10) and (8.11) imply that

d | 4∆b7 and d | 4∆a7 .

© 2008 by Taylor & Francis Group, LLC

223

SECTION 8.4 EXAMPLES

Since gcd(a, b) = 1, we have d|4∆, so d ¤ |4∆|. Since

|h1 | |h2 |

H(2R) = Max , ,

d d

we have

|4∆|H(R)4 = |4∆||b|4

¤ C1 Max(|h1 |, |h2 |)

|h1 | |h2 |

¤ C1 |4∆| Max( , )

d d

¤ C1 |4∆|H(2R).

Dividing by |4∆| and taking logs yields

4h(R) ¤ h(2R) + C2

for some constant C2 , independent of R.

The case where |a| ≥ |b| is similar. This completes the proof of Lemma 8.22.

Changing P to P + Q and Q to P ’ Q in (8.9) yields

h(2P ) + h(2Q) ¤ 2h(P + Q) + 2h(P ’ Q) + c .

By Lemma 8.22,

4h(P ) + 4h(Q) ’ 2C2 ¤ h(2P ) + h(2Q).

Therefore,

2h(P ) + 2h(Q) ’ c ¤ h(P + Q) + h(P ’ Q)

for some constant c . This completes the proof of Proposition 8.19.

8.4 Examples

The Mordell-Weil theorem says that if E is an elliptic curve de¬ned over

Q, then E(Q) is a ¬nitely generated abelian group. The structure theorem

for such groups (see Appendix B) says that

T • Zr ,

E(Q)

where T is a ¬nite group (the torsion subgroup) and r ≥ 0 is an integer,