© 2008 by Taylor & Francis Group, LLC

224 CHAPTER 8 ELLIPTIC CURVES OVER Q

The integer r is harder to compute. In this section, we show how to use the

methods of the previous sections to compute r in some cases. In Section 8.8,

we™ll give an example that shows why the computation of r is sometimes

di¬cult.

Example 8.7

Let E be the curve

y 2 = x3 ’ 4x.

In Section 8.2, we showed that

E(Q)/2E(Q) = {∞, (0, 0), (2, 0), (’2, 0)}

(more precisely, the points on the right are representatives for the cosets on

the left). Moreover, an easy calculation using the Lutz-Nagell theorem shows

that the torsion subgroup of E(Q) is

T = E[2].

T • Zr , so

From Theorem 8.15, we have E(Q)

(T /2T ) • Zr = T • Zr .

E(Q)/2E(Q) 2 2

Since E(Q)/2E(Q) has order 4, we must have r = 0. Therefore,

E(Q) = E[2] = {∞, (0, 0), (2, 0), (’2, 0)}.

Example 8.8

Let E be the curve

y 2 = x3 ’ 25x.

This curve E appeared in Chapter 1, where we found the points

(0, 0), (5, 0), (’5, 0), (’4, 6).

We also calculated the point

412 ’62279

2(’4, 6) = ( , ).

122 1728

Since 2(’4, 6) does not have integer coordinates, (’4, 6) cannot be a torsion

point, by Theorem 8.7. In fact, a calculation using the Lutz-Nagell theorem

shows that the torsion subgroup is

T = {∞, (0, 0), (5, 0), (’5, 0)} Z2 • Z2 .

© 2008 by Taylor & Francis Group, LLC

225

SECTION 8.4 EXAMPLES

We claim that

Z2 • Z2 • Z.

E(Q)

We know that the rank r is at least 1, because there is a point (’4, 6) of

in¬nite order. The problem is to show that the rank is exactly 1.

Consider the map

2 2 2

φ : E(Q) ’ (Q— /Q— ) • (Q— /Q— ) • (Q— /Q— )

of Theorem 8.14 de¬ned by

(x, y) ’ (x, x ’ 5, x + 5)

when y = 0. Therefore,

φ(’4, 6) = (’1, ’1, 1),

where we have used the fact that ’4 and ’9 are equivalent to ’1 mod squares.

Also, from Theorem 8.14,

φ(∞) = (1, 1, 1)

φ(0, 0) = (’1, ’5, 5)

φ(5, 0) = (5, 2, 10)

φ(’5, 0) = (’5, ’10, 2).

Since φ is a homomorphism, we immediately ¬nd that φ(’4, 6) times any of

these triples is in the image of φ, so

(1, 5, 5), (’5, ’2, 10), (5, 10, 2)

correspond to points.

If we write

x = au2

x ’ 5 = bv 2

x + 5 = cw2 ,

we have φ(x, y) = (a, b, c). From Proposition 8.13, we may assume

a, b, c ∈ {±1, ±2, ±5, ±10}.

Also, abc is a square, so c is determined by a, b. Therefore, we™ll often ignore

c and concentrate on the possibilities for a, b. There are 64 possible pairs a, b.

So far, we have 8 pairs that correspond to points. Let™s record them in a list,

which we™ll refer to as L in the following:

L = {(1, 1), (1, 5), (’1, ’1), (’1, ’5), (5, 2), (5, 10), (’5, ’2), (’5, ’10)}.

© 2008 by Taylor & Francis Group, LLC

226 CHAPTER 8 ELLIPTIC CURVES OVER Q

Our job is to eliminate the remaining 56 possibilities.

Observe that

x ’ 5 = bv 2 < x = au2 < x + 5 = cw2 .

If a < 0, then b < 0. If a > 0 then c > 0, hence b > 0 since abc is a square.

Therefore, a and b have the same sign. This leaves 32 possible pairs a, b.

We now consider, and eliminate, three special pairs a, b. The fact that

φ is a homomorphism will then su¬ce to eliminate all but the eight pairs

corresponding to known points.

(a,b)=(2,1). We have

x = 2u2

x ’ 5 = v2

x + 5 = 2w2 .

Therefore,

2u2 ’ v 2 = 5, 2w2 ’ 2u2 = 5.

If one of u or v has an even denominator, then so does the other. However,

2u2 has an odd power of 2 in its denominator, while v 2 has an even power

of 2 in its denominator. Therefore, 2u2 ’ v 2 is not an integer, contradiction.

It follows that u, v have odd denominators, so we may work with them mod

powers of 2. Since v 2 ≡ ’5 (mod 2), we must have v odd. Therefore, v 2 ≡ 1

(mod 8), so

2u2 ≡ 6 (mod 8).

This implies that u2 ≡ 3 (mod 4), which is impossible. Therefore, the pair

(a, b) = (2, 1) is eliminated.

(a,b)=(5,1). We have

x = 5u2

x ’ 5 = v2

x + 5 = 5w2 .

Therefore,

5u2 ’ v 2 = 5, 5w2 ’ 5u2 = 5.

If the denominator of one of u or v is divisible by 5, then so is the other.

But 5u2 then has an odd power of 5 in its denominator, while v 2 has an even

power of 5 in its denominator. This is impossible, so the denominators of

both u and v are not divisible by 5. Since w2 ’ u2 = 1, the same holds for w.

Therefore, we can work with u, v, w mod 5. We have v ≡ 0 (mod 5), so we

can write v = 5v1 . Then

u2 ’ 5v1 = 1,

2

so u2 ≡ 1 (mod 5). Therefore, w2 = 1 + u2 ≡ 2 (mod 5). This is impossible.

Therefore, the pair (a, b) = (5, 1) is eliminated.

© 2008 by Taylor & Francis Group, LLC

227

SECTION 8.4 EXAMPLES

(a,b)=(10, 1). We have

x = 10u2

x ’ 5 = v2

x + 5 = 10w2 .

Therefore,

10u2 ’ v 2 = 5, 10w2 ’ 10u2 = 5.

As before, the denominators of u, v, w are not divisible by 5. Write v = 5v1 .

Then 2u2 ’ 5v1 = 1, so 2u2 ≡ 1 (mod 5). This is impossible, so the pair

2

(a, b) = (10, 1) is eliminated.

The pairs (a, 1) with a < 0 are eliminated since a, b must have the same

sign. Therefore, (1, 1) = φ(∞) is the only pair of the form (a, 1) corresponding

to a point.

Let (a, b) be any pair. There is a point P with φ(P ) = (a , b) on the list L

for some a . If there is a point Q with φ(Q) = (a, b), then

φ(P ’ Q) = (a , b)(a, b)’1 = (a , 1)

for some a . We showed that (a , 1) is not in the image of φ when a = 1.

Therefore, a = 1, so a = a and (a, b) = (a , b) = φ(P ). Consequently, the

only pairs in the image of φ are those on the list L.

As stated above, the torsion subgroup of E(Q) is E[2], so

Z2 • Z2 • Zr

E(Q)/2E(Q) 2

for some r. Since the image of φ has order 8 and the kernel of φ is 2E(Q),

the order of E(Q)/2E(Q) is 8. Therefore, r = 1. This implies that

Z2 • Z2 • Z.

E(Q)

Note that we have also proved that E[2] and (’4, 6) generate a subgroup of

E(Q) of odd index. It can be shown that they actually generate the whole

group. This would require making the constants in the proof of Theorem 8.17

more explicit, then ¬nding all points with heights less than an explicit bound

to obtain a generating set.

Silverman [110] proved the following.

THEOREM 8.23

Let E be de¬ned over Q by the equation

y 2 = x3 + Ax + B

© 2008 by Taylor & Francis Group, LLC

228 CHAPTER 8 ELLIPTIC CURVES OVER Q

with A, B ∈ Z. Then

1 1 1

ˆ

’ h(j) ’ h(∆) ’ 0.973 ¤ h(P ) ’ h(P )

8 12 2

1 1

¤ h(j) + h(∆) + 1.07

12 12

for all P ∈ E(Q). Here ∆ = ’16(4A3 + 27B 2 ) and j = ’1728(4A)3 /∆.

For the curve y 2 = x3 ’ 25x, we have ∆ = 106 and j = 1728. Therefore,

1

ˆ

’3.057 < h(P ) ’ h(P ) < 2.843

2

for all P ∈ E(Q). The points (0, 0), (5, 0), (’5, 0), (’4, 6) generate the group

E(Q)/2E(Q). The ¬rst three of these points have canonical height 0 since

they are torsion points. The point (’4, 6) has canonical height 0.94974 . . .

(this can be calculated using the series (8.5)). The proof of Theorem 8.17

shows that the points with canonical height at most 0.94974 . . . generate

E(Q). Theorem 8.23 says that such points have noncanonical height h(P ) <

8.02. Since e8.02 ≈ 3041, the nonlogarithmic height of the x-coordinate is at

most 3041. Therefore, we need to ¬nd all points (x, y) ∈ E(Q) such that

a

with Max(|a|, |b|) ¤ 3041.

x=

b

It is possible to ¬nd all such points using a computer. The fact that the

denominator of x must be a perfect square can be used to speed up the

search. We ¬nd the points

(0, 0), (’5, 0), (5, 0), (’4, 6)

(45, ’300) = (’5, 0) + (’4, 6)

(25/4, 75/8) = (0, 0) + (’4, 6)

(’5/9, ’100/27) = (5, 0) + (’4, 6)

(1681/144, ’62279/1728) = 2(’4, 6)

and the negatives of these points. Since these points generate E(Q), we

conclude that (0, 0), (5, 0), (’5, 0), (’4, 6) generate E(Q).

REMARK 8.24 In Chapter 1, we needed to ¬nd an x such that x, x ’ 5,

and x + 5 were all squares. We did this by starting with the point (’4, 6) and

¬nding the other point of intersection of the tangent line with the curve. In

e¬ect, we computed

412 ’62279

2(’4, 6) = ( 2 , )

12 1728

and miraculously obtained x = 412 /122 with the desired property. We now

see that this can be explained by the fact that φ is a homomorphism. Since

© 2008 by Taylor & Francis Group, LLC

229

SECTION 8.4 EXAMPLES

φ(2P ) = (1, 1, 1) for any point P , we always obtain an x such that x, x ’ 5,

and x+5 are squares when we double a point on the curve y 2 = x(x’5)(x+5).

Example 8.9

One use of descent is to ¬nd points on elliptic curves. The idea is that in the

equations

x ’ e1 = au2

x ’ e2 = bv 2

x ’ e3 = cw2 ,

the numerators and denominators of u, v, w are generally smaller than those

of x. Therefore, an exhaustive search for u, v, w is faster than searching for x

directly. For example, suppose we are looking for points on

y 2 = x3 ’ 36x.

One of the triples that we encounter is (a, b, c) = (3, 6, 2). This gives the

equations

x = 3u2

x ’ 6 = 6v 2

x + 6 = 2w2 .

These can be written as

3u2 ’ 6v 2 = 6, 2w2 ’ 3u2 = 6,

which simplify to

u2 ’ 2v 2 = 2, 2w2 ’ 3u2 = 6.

A quick search through small values of u yields (u, v, w) = (2, 1, 3). This gives

(x, y) = (12, 36).

Note that the value of u is smaller than x. Of course, we are lucky in this

example since the value of u turned out to be integral. Otherwise, we would

have had to search through values of u with small numerator and small de-

nominator.

The curve y 2 = x3 ’36x can be transformed to the curve y 2 = x(x+1)(2x+

1)/6 that we met in Chapter 1 (see Exercise 1.5). The point (1/2, 1/2) on

that curve corresponds to the point (12, 36) that we found here.

Example 8.10

The elliptic curves that we have seen up to now have had small generators

for their Mordell-Weil groups. However, frequently the generators of Mordell-

Weil groups have very large heights. For example, the Mordell-Weil group of

© 2008 by Taylor & Francis Group, LLC

230 CHAPTER 8 ELLIPTIC CURVES OVER Q

the elliptic curve (see [76])

y 2 = x3 ’ 59643

over Q is in¬nite cyclic, generated by

62511752209 15629405421521177

,

9922500 31255875000

(there are much larger examples, but the margin is not large enough to contain

them). This curve can be transformed to the curve u3 + v 3 = 94 by the

techniques of Section 2.5.2.

8.5 The Height Pairing

Suppose we have points P1 , . . . , Pr that we want to prove are independent.

How do we do it?

THEOREM 8.25

ˆ

Let E be an elliptic curve de¬ned over Q and let h be the canonical height

function. For P, Q ∈ E(Q), de¬ne the height pairing

ˆ ˆ ˆ

P, Q = h(P + Q) ’ h(P ) ’ h(Q).

Then , is bilinear in each variable. If P1 , . . . , Pr are points in E(Q), and

the r — r determinant

det( Pi , Pj ) = 0,

then P1 , . . . , Pr are independent (that is, if there are integers ai such that

a1 P1 + · · · + ar Pr = ∞, then ai = 0 for all i).

PROOF The second part of the theorem is true for any bilinear pairing.

Let™s assume for the moment that the pairing is bilinear and prove the second

part. Suppose a1 P1 + · · · + ar Pr = ∞, and ar = 0, for example. Then ar

times the last row of the matrix Pi , Pj is a linear combination of the ¬rst

r ’ 1 rows. Therefore, the determinant vanishes. This contradiction proves

that the points must be independent.

The proof of bilinearity is harder. Since the pairing is symmetric (that is,

P, Q = Q, P ), it su¬ces to prove bilinearity in the ¬rst variable:

P + Q, R = P, R + Q, R .

Recall the parallelogram law:

ˆ ˆ ˆ ˆ

h(S + T ) + h(S ’ T ) = 2h(S) + 2h(T ).

© 2008 by Taylor & Francis Group, LLC

231

SECTION 8.6 FERMAT™S INFINITE DESCENT

Successively letting (S, T ) = (P + Q, R), (P, Q ’ R), (P + R, Q), and (Q, R)

yields the following equations:

ˆ ˆ ˆ ˆ

h(P + Q + R) + h(P + Q ’ R) = 2h(P + Q) + 2h(R)

ˆ ˆ ˆ ˆ

2h(P ) + 2h(Q ’ R) = h(P + Q ’ R) + h(P ’ Q + R)

ˆ ˆ ˆ ˆ

h(P + R + Q) + h(P + R ’ Q) = 2h(P + R) + 2h(Q)

ˆ ˆ ˆ ˆ

4h(Q) + 4h(R) = 2h(Q + R) + 2h(Q ’ R).

Adding together all of these equations yields

ˆ ˆ ˆ

2 h(P + Q + R) ’ h(P + Q) ’ h(R)

ˆ ˆ ˆ ˆ ˆ ˆ

= 2 h(P + R) ’ h(P ) ’ h(R) + h(Q + R) ’ h(Q) ’ h(R) .

Dividing by 2 and using the de¬nition of the pairing yields the result.

Example 8.11

Let E be given by y 2 = x3 + 73. Let P = (2, 9) and Q = (3, 10). Then

P, P = 0.9239 . . .

P, Q = ’0.9770 . . .

Q, Q = 1.9927 . . . .

Since

0.9239 ’0.9770

= 0.8865 · · · = 0,

det

’0.9770 1.9927

the points P and Q are independent on E.

8.6 Fermat™s In¬nite Descent

The methods in this chapter have their origins in Fermat™s method of

in¬nite descent. In the present section, we™ll give an example of Fermat™s

method and show how it relates to the calculations we have been doing.

Consider the equation

a4 + b4 = c2 . (8.12)

The goal is to show that it has no solutions in nonzero integers a, b, c. Recall

the parameterization of Pythagorean triples:

© 2008 by Taylor & Francis Group, LLC

232 CHAPTER 8 ELLIPTIC CURVES OVER Q

PROPOSITION 8.26

Suppose x, y, z are relatively prime positive integers such that

x2 + y 2 = z 2 .

Then one of x, y is even. Suppose it is x. Then there exist positive integers

m, n such that

y = m2 ’ n2 , z = m2 + n2 .

x = 2mn,

Moreover, gcd(m, n) = 1 and m ≡ n (mod 2).

This result is proved in most elementary number theory texts. Alternatively,

see Exercise 2.21.

Suppose now that there are nonzero integers a, b, c satisfying (8.12). We

may assume a, b, c are positive and relatively prime. Proposition 8.26 implies

we may assume that a is even and that there exist integers m, n with

a2 = 2mn, b2 = m2 ’ n2 , c = m2 + n2 .

If n is odd, then m is even, which implies that b2 ≡ ’1 (mod 4). This is

impossible, so n is even and m is odd. Write n = 2q for some integer q. We

then have

(a/2)2 = mq.

Since gcd(m, n) = 1, we also have gcd(m, q) = 1. Since m, q are relatively

prime and their product is a square, it follows easily from looking at the prime

factorizations of m, q that both m and q must be squares:

m = t2 , q = u2

for some positive integers t, u. Therefore, we have

b2 = m2 ’ n2 = t4 ’ 4u4 .

This may be rewritten as

(2u2 )2 + b2 = t4 .

Since m is odd, t is odd. Since gcd(m, q) = 1, we also have gcd(t, u) = 1.

Therefore, gcd(t, 2u2 ) = 1. Proposition 8.26 implies that

2u2 = 2vw, b = v 2 ’ w2 , t2 = v 2 + w 2

with gcd(v, w) = 1. Since the product vw is a square, it follows that both v

and w are squares:

v = r 2 , w = s2 .

Therefore, t2 = v 2 + w2 becomes

t2 = r4 + s4 .

© 2008 by Taylor & Francis Group, LLC

233

SECTION 8.6 FERMAT™S INFINITE DESCENT

This is the same equation we started with. Since

0 < t ¤ t4 = m2 < c, (8.13)

we have proved that for every triple (a, b, c) with a4 + b4 = c2 , there is another

solution (r, s, t) with 0 < t < c. We therefore have an in¬nitely descending

sequence c > t > . . . of positive integers. This is impossible. Therefore, there

is no solution (a, b, c).

Observe that m2 > n2 , so c < 2m2 = 2t4 . Combining this with (8.13) yields

t4 < c < 2t4 .

This implies that the logarithmic height of t is approximately one fourth the

logarithmic height of c. Recall that the canonical height of 2P is four times

the height of P . Therefore, we suspect that Fermat™s procedure amounts to

halving a point on an elliptic curve. We™ll show that this is the case.

We showed in Section 2.5.3 that the transformation

4(z + 1)

2(z + 1)

, y=

x=

w2 w3

maps the curve

C : w2 = z 4 + 1

to the curve

E : y 2 = x3 ’ 4x.

If we start with

a4 + b4 = c2 ,

then the point

ac

(z, w) = ( , 2 )

bb

lies on C. It maps to a point (x, y) on E, with

c

2( + 1) 2(c + b2 )

2

x= b =

(a/b)2 a2

2(t4 + 4r4 s4 + (r4 ’ s4 )2 )

=

(2rst)2

2

t

= .

rs

This implies that

2

t2 ’ 2r2 s2 r2 ’ s2

x’2 = =

(rs)2 rs

2

t2 + 2r2 s2 r2 + s2

x+2 = = .

(rs)2 rs

© 2008 by Taylor & Francis Group, LLC

234 CHAPTER 8 ELLIPTIC CURVES OVER Q

Let φ be the map in Theorem 8.14. Since x, x ’ 2, x + 2 are squares, φ(x, y) =

1. Theorem 8.14 implies that

(x, y) = 2P

for some point P ∈ E(Q).

Let™s ¬nd P . We follow the procedure used to prove Theorem 8.14. In the

notation of the proof of Theorem 8.14, the polynomial

r2 ’ t 2

s

t

’ T+ T

f (T ) =

rs rs 4rs

satis¬es

r2 ’ s2 r2 + s2

t

f (0) = , f (2) = , f (’2) = .

rs rs rs

The formulas from the proof of Theorem 8.14 say that the point (x1 , y1 ) with

’2s2

’s/2r

x1 = =2

(r2 ’ t)/4rs r ’t

4rs

y1 = 2

r ’t

satis¬es 2(x1 , y1 ) = (x, y).

The transformation

2x3

2x

w = ’1 + 2

z= ,

y y

maps E to C. The point (x1 , y1 ) maps to

2x1 s

=’

z1 =

y1 r

2x3 s4

w1 = ’1 + 21 = ’1 ’ 2 2

r (r ’ t)

y1

r4 + s4 ’ r2 t t2 ’ r 2 t

=’ 2 2 =’ 2 2

r (r ’ t) r (r ’ t)

t

= 2.

r

We have

2 4

’s

t

= + 1.

r2 r

Therefore, the solution (r, ’s, t) corresponds to a point P on E such that 2P

corresponds to (a, b, c). Fermat™s procedure, therefore, can be interpreted as

starting with a point on an elliptic curve and halving it. The height decreases

by a factor of 4. The procedure cannot continue forever, so we must conclude

that there are no nontrivial solutions to start with.

© 2008 by Taylor & Francis Group, LLC

235

SECTION 8.6 FERMAT™S INFINITE DESCENT

On y 2 = x3 ’4x, the points of order 2 played a role in the descent procedure

in Section 8.2. We showed that the image of the map φ was equal to the image

of E[2] under φ. If we start with a possible point P ∈ E(Q), then φ(P ) = φ(T )

for some T ∈ E[2]. Therefore, P ’ T = 2Q for some Q ∈ E(Q). In Fermat™s

method, the points of order 2 appear more subtly. If (x, y) on E corresponds

to the solution a, b, c of a4 + b4 = c2 , then a calculation shows that

(x, y) + (0, 0) ←’ ’a, b, ’c

(x, y) + (2, 0) ←’ ’b, a, c

(x, y) + (’2, 0) ←’ b, a, ’c.

Since we assumed that a was even and b was odd, we removed the solutions

±b, a, “c from consideration. The solution ’a, b, ’c was implicitly removed

by the equation c = m2 + n2 , which required c to be positive. Therefore,

the choices that were made, which seemed fairly natural and innocent, were

exactly those that caused φ(P ) to be trivial and thus allowed us to halve the

point.

Finally, we note that in the descent procedure for E in Section 8.2, we elim-

inated many possibilities by congruences mod powers of 2. The considerations

also appear in Fermat™s method, for example, in the argument that n is even.

In Fermat™s descent, the equation

b2 = t4 ’ 4u4

appears in an intermediate stage. This means we are working with the point

(w, z) = (u/t, b/t2 ) on the curve

C : w2 = ’4z 4 + 1.

The transformation (see Theorem 2.17)

2(z + 1) 4(z + 1)

x= , y=

w2 w3

maps C to the elliptic curve

2 3

E :y = x + 16x .

There is a map ψ : E ’ E given by

y 2 y(x2 + 4)

(x , y ) = ψ(x, y) = , .

x2 x2

There is also a map ψ : E ’ E given by

2 2

y (x ’ 16)

y

(x, y) = ψ (x , y ) = , .

4x 2 8x 2

© 2008 by Taylor & Francis Group, LLC

236 CHAPTER 8 ELLIPTIC CURVES OVER Q

It can be shown that ψ —¦ ψ is multiplication by 2 on E. Fermat™s descent

procedure can be analyzed in terms of the maps ψ and ψ .

More generally, if E is an elliptic curve given by y 2 = x3 + Cx2 + Ax and E

2 3 2

is given by y = x ’ 2Cx + (C 2 ’ 4A)x , then there are maps ψ : E ’ E

given by

y 2 y(x2 ’ A)

ψ(0, 0) = ψ(∞) = ∞,

(x , y ) = ψ(x, y) = , ,

x2 x2

and ψ : E ’ E given by

2 2

y (x ’ C 2 + 4A)

y

ψ (0, 0) = ψ (∞) = ∞.

(x, y) = ψ (x , y ) = , ,

4x 2 8x 2

The composition ψ —¦ ψ is multiplication by 2 on E. It is possible to do

descent and prove the Mordell-Weil theorem using the maps ψ and ψ . This

is a more powerful method than the one we have used since it requires only

one two-torsion to be rational, rather than all three. For details, see [114],

[109].

The maps ψ and ψ can be shown to be homomorphisms between E(Q) and

E (Q) and are described by rational functions. In general, for elliptic curves

E1 and E2 over a ¬eld K, a homomorphism from E1 (K) to E2 (K) that is

given by rational functions is called an isogeny.

8.7 2-Selmer Groups; Shafarevich-Tate Groups

Let™s return to the basic descent procedure of Section 8.2. We start with

an elliptic curve E de¬ned over Q by

y 2 = (x ’ e1 )(x ’ e2 )(x ’ e3 )

with all ei ∈ Z. This leads to equations

x ’ e1 = au2

x ’ e2 = bv 2

x ’ e3 = cw2 .

These lead to the equations

au2 ’ bv 2 = e2 ’ e1 , au2 ’ cw2 = e3 ’ e1 .

This de¬nes a curve Ca,b,c in u, v, w. In fact, it is the intersection of two

quadratic surfaces. If it has a rational point, then it can be changed to an

© 2008 by Taylor & Francis Group, LLC

237

SECTION 8.7 2-SELMER GROUPS; SHAFAREVICH-TATE GROUPS

elliptic curve, as in Section 2.5.4. A lengthy calculation, using the formulas of

Theorem 2.17, shows that this elliptic curve is the original curve E. If Ca,b,c

does not have any rational points, then the triple (a, b, c) is eliminated.

The problem is how to decide which curves Ca,b,c have rational points. In

the examples of Section 8.2, we used considerations of sign and congruences

mod powers of 2 and 5. These can be interpreted as showing that the curves

Ca,b,c that are being eliminated have no real points, no 2-adic points, or no

5-adic points (for a summary of the relevant properties of p-adic numbers, see

Appendix A). For example, when we used inequalities to eliminate the triple

(a, b, c) = (’1, 1, ’1) for the curve y 2 = x(x ’ 2)(x + 2), we were showing that

the curve

C’1,1,’1 : ’u2 ’ v 2 = 2, ’u2 + w2 = ’2

has no real points. When we eliminated (a, b, c) = (1, 2, 2), we used congru-

ences mod powers of 2. This meant that

C1,2,2 : u2 ’ 2v 2 = 2, u2 ’ 2w2 = ’2

has no 2-adic points.

The 2-Selmer group S2 is de¬ned to be the set of (a, b, c) such that Ca,b,c

has a real point and has p-adic points for all p. For notational convenience,

the real numbers are sometimes called the ∞-adics Q∞ . Instead of saying

that something holds for the reals and for all the p-adics Qp , we say that it

holds for Qp for all p ¤ ∞. Therefore,

S2 = {(a, b, c) | Ca,b,c (Qp ) is nonempty for all p ¤ ∞}.

Therefore, S2 is the set of (a, b, c) that cannot be eliminated by sign or congru-

ence considerations. It is a group under multiplication mod squares. Namely,

we regard

2 2 2

S2 ‚ (Q— /Q— ) • (Q— /Q— ) • (Q— /Q— ).

The prime divisors of a, b, c divide (e1 ’ e2 )(e1 ’ e3 )(e2 ’ e3 ), which implies

that S2 is a ¬nite group.

The descent map φ gives a map

φ : E(Q)/2E(Q) ’ S2 .

The 2-torsion in the Shafarevich-Tate group is the cokernel of this map:

= S2 /Im φ.

2

The symbol is the Cyrillic letter “sha,” which is the ¬rst letter of “Shafare-

vich” (in Cyrillic). We™ll de¬ne the full group in Section 8.9. The group

2 represents those triples (a, b, c) such that Ca,b,c has a p-adic point for all

p ¤ ∞, but has no rational point. If 2 = 1, then it is much more di¬cult

to ¬nd the points on the elliptic curve E. If (a, b, c) represents a nontrivial

© 2008 by Taylor & Francis Group, LLC

238 CHAPTER 8 ELLIPTIC CURVES OVER Q

element of , then it is usually di¬cult to show that Ca,b,c does not have

rational points.

Suppose we have an elliptic curve on which we want to ¬nd rational points.

If we do a 2-descent, then we encounter curves Ca,b,c . If we search for points

on a curve Ca,b,c and also try congruence conditions, both with no success,

then perhaps (a, b, c) represents a nontrivial element of 2 . Or we might

need to search longer for points. It is di¬cult to decide which is the case.

Fortunately for Fermat, the curves on which he did 2-descents had trivial

2.

The possible nontriviality of the group 2 means that we do not have a

general procedure for ¬nding the rank of the group E(Q). The group S2 can

be computed exactly and allows us to obtain an upper bound for the rank.

But we do not know how much of S2 is the image of φ and how much consists

of triples (a, b, c) representing elements of a possibly nontrivial 2 . Since

the generators of E(Q) can sometimes have very large height, it is sometimes

quite di¬cult to ¬nd points representing elements of the image of φ. Without

this information, we don™t know that the triple is actually in the image.

The Shafarevich-Tate group is often called the Tate-Shafarevich group

comes after

in English and the Shafarevich-Tate group in Russian. Since

T in the Cyrillic alphabet, these names for the group, in each language, are

the reverse of the standard practice in mathematics, which is to put names

was given to the group by Cassels (see

in alphabetical order. The symbol

[23, p. 109]).

REMARK 8.27 The Hasse-Minkowski theorem (see [104]) states that a

quadratic form

n n

Q(x1 , . . . , xn ) = aij xi xj

i=1 j=1

with aij ∈ Q represents 0 nontrivially over Q (that is, Q(x1 , . . . , xn ) = 0 for

some (0, . . . , 0) = (x1 , . . . , xn ) ∈ Qn ) if and only if it represents 0 nontrivially

in Qp for all p ¤ ∞. This is an example of a local-global principle.

For a general algebraic variety over Q (for example, an algebraic curve), we

can ask whether the local-global principle holds. Namely, if the variety has a

p-adic point for all p ¤ ∞, does it have a rational point? Since it is fairly easy

to determine when a variety has p-adic points, and most varieties fail to have

p-adic points for at most a ¬nite set of p, this would make it easy to decide

when a variety has rational points. However, the local-global principle fails in

many cases. In Section 8.8, we™ll give an example of a curve, one that arises in

a descent on an elliptic curve, for which the local-global principle fails.

© 2008 by Taylor & Francis Group, LLC

239

SECTION 8.8 A NONTRIVIAL SHAFAREVICH-TATE GROUP

8.8 A Nontrivial Shafarevich-Tate Group

Let E be the elliptic curve over Q given by

y 2 = x(x ’ 2p)(x + 2p),

where p is a prime. If we do a 2-descent on E, we encounter the equations

x = u2

x ’ 2p = pv 2

x + 2p = pw2 .

These yield the curve de¬ned by the intersection of two quadratic surfaces:

C1,p,p : u2 ’ pv 2 = 2p, u2 ’ pw2 = ’2p. (8.14)

THEOREM 8.28

If p ≡ 9 (mod 16), then C1,p,p has q-adic points for all primes q ¤ ∞, but

has no rational points.

PROOF First, we™ll show that there are no rational points. Suppose there

is a rational point (u, v, w). We may assume that u, v, w > 0. If p divides

the denominator of v, then an odd power of p is in the denominator of pv 2

and an even power of p is in the denominator of u2 , so u2 ’ pv 2 cannot be

an integer, contradiction. Therefore, u, v, and hence also w have no p in their

denominators. It follows easily that the denominators of u, v, w are equal.

Since u2 = 2p + pv 2 , we have u ≡ 0 (mod p). Write

pr s t

u= , v= , w= ,

e e e

with positive integers r, s, t, e and with

gcd(r, e) = gcd(s, e) = gcd(t, e) = 1.

The equations for C1,p,p become

pr2 ’ s2 = 2e2 , pr2 ’ t2 = ’2e2 .

Subtracting yields

s2 + 4e2 = t2 .

If s is even, then pr2 = s2 + 2e2 is even, so r is even. Then 2e2 = pr2 ’

s2 ≡ 0 (mod 4), which implies that e is even. This contradicts the fact that

gcd(s, e) = 1. Therefore, s is odd, so

gcd(s, 2e) = 1.

© 2008 by Taylor & Francis Group, LLC

240 CHAPTER 8 ELLIPTIC CURVES OVER Q

By Proposition 8.26, there exist integers m, n with gcd(m, n) = 1 such that

s = m2 ’ n2 , t = m2 + n2 .

2e = 2mn,

Therefore,

pr2 = s2 + 2e2 = (m2 ’ n2 )2 + 2(mn)2 = m4 + n4 .

Let q be a prime dividing r. Proposition 8.26 says that m ≡ n (mod 2), which

implies that pr2 must be odd. Therefore, q = 2. Since gcd(m, n) = 1, at least

one of m, n is not divisible by q. It follows that both m, n are not divisible by

q, since m4 + n4 ≡ 0 (mod q). Therefore,

(m/n)4 ≡ ’1 (mod q).

It follows that m/n has order 8 in F— , so q ≡ 1 (mod 8). Since r is a positive

q

integer and all prime factors of r are 1 mod 8, we obtain

r≡1 (mod 8).

Therefore, r2 ≡ 1 (mod 16), so

m4 + n4 = pr2 ≡ 9 (mod 16).

But, for an arbitrary integer j, we have j 4 ≡ 0, 1 (mod 16). Therefore,

m4 + n4 ≡ 0, 1, 2 (mod 16),

so pr2 = m4 +n4 . This contradiction proves that C1,p,p has no rational points.

We now need to show that C1,p,p has q-adic points for all primes q ¤ ∞.

The proof breaks into four cases: q = ∞, q = 2, q = p, and all other q.

The case of the reals is easy. Let u be large enough that u2 > 2p. Then

choose v, w satisfying (8.14).

For q = 2, write

u = 1/2, v = v1 /2, w = w1 /2.

The equations for C1,p,p become

2 2

1 ’ pv1 = 8p, 1 ’ pw1 = ’8p.

We need to solve

2 2

v1 = (1 ’ 8p)/p, w1 = (1 + 8p)/p

in the 2-adics. Since

(1 ± 8p)/p ≡ 1 (mod 8),

and since any number congruent to 1 mod 8 has a 2-adic square root (see

Appendix A), v1 , w1 exist. Therefore, C1,p,p has a 2-adic point.

© 2008 by Taylor & Francis Group, LLC

241

SECTION 8.8 A NONTRIVIAL SHAFAREVICH-TATE GROUP

Now let™s consider q = p. Since p ≡ 1 (mod 4), there is a square root of ’1

mod p. Since p ≡ 1 (mod 8), there is a square root of ’2 mod p. Therefore,

both 2 and ’2 have square roots mod p. Hensel™s lemma (see Appendix A)

implies that both 2 and ’2 have square roots in the p-adics. Let

√

√

u = 0, v = ’2, w = 2.

Then u, v, w is a p-adic point on C1,p,p .

Finally, we need to consider q = 2, p, ∞. From a more advanced standpoint,

we could say that the curve C1,p,p is a curve of genus 1 and that Hasse™s

theorem holds for such curves. If we use the estimates from Hasse™s theorem,

then we immediately ¬nd that C1,p,p has points mod q for all q (except maybe

for a few small q, since we are not looking at the points at in¬nity on C1,p,p ).

However, we have only proved Hasse™s theorem for elliptic curves, rather than

for arbitrary genus 1 curves. In the following, we™ll use Hasse™s theorem only

for elliptic curves and show that C1,p,p has points mod q. Hensel™s lemma

then will imply that there is a q-adic point.

Subtracting the two equations de¬ning C1,p,p allows us to put the equations

into a more convenient form:

w2 ’ v 2 = 4, u2 ’ pv 2 = 2p. (8.15)

Suppose we have a solution (u0 , v0 , w0 ) mod q. It is impossible for both u0

and w0 to be 0 mod q.

Suppose u0 ≡ 0 (mod q). Then w0 ≡ 0 (mod q). Also, v0 ≡ 0 (mod q).

2

Let u = 0. Since ’pv0 ≡ 2p (mod q), Hensel™s lemma says that there exists

v ≡ v0 (mod q) in the q-adics such that ’pv 2 = 2p. Applying Hensel™s lemma

again gives the existence of w ≡ w0 satisfying w2 ’v 2 = 4. Therefore, we have

found a q-adic point. Similarly, if w0 ≡ 0 (mod q), there is a q-adic point.

Finally, suppose u0 ≡ 0 (mod q) and w0 ≡ 0 (mod q). Choose any v ≡ v0

(mod q). Now use Hensel™s lemma to ¬nd u, w. This yields a q-adic point.

It remains to show that there is a point mod q. Let n be a quadratic

nonresidue mod q. Then every element of F— is either of the form u2 or nu2 .

q

Consider the curve

C : w2 ’ v 2 = 4, nu2 ’ pv 2 = 2p.

Let N be the number of points mod q on C1,p,p and let N be the number of

points mod q on C . (We are not counting points at in¬nity.)

LEMMA 8.29

N + N = 2(q ’ 1).

Let x ≡ 0 (mod q). Solving

PROOF

w + v ≡ x, w ’ v ≡ 4/x (mod q)

© 2008 by Taylor & Francis Group, LLC

242 CHAPTER 8 ELLIPTIC CURVES OVER Q

yields a pair (v, w) for each x. There are q ’ 1 choices for x, hence there are

q ’ 1 pairs (v, w) satisfying w2 ’ v 2 = 4. Let (v, w) be such a pair. Consider

the congruences

u2 ≡ 2p + pv 2 (mod q) and nu2 ≡ 2p + pv 2 (mod q).

If 2p + pv 2 ≡ 0 (mod q), then exactly one of these has a solution, and it has

2 solutions. If 2p + pv 2 ≡ 0 (mod q), then both congruences have 1 solution.

Therefore, each of the q ’ 1 pairs (v, w) contributes 2 to the sum N + N , so

N + N = 2(q ’ 1).

The strategy now is the following. If N > 0, we™re done. If N > 0,

then C can be transformed into an elliptic curve with approximately N

points. Hasse™s theorem then gives a bound on N , which will show that

N = 2(q ’ 1) ’ N > 0, so there must be points on C1,p,p .

LEMMA 8.30

If q ≥ 11, then N > 0.

PROOF If N = 0 then N = 2(q ’1) > 0, by Lemma 8.29. In Section 2.5.4,

we showed how to start with the intersection of two quadratic surfaces and

a point and obtain an elliptic curve. Therefore, we can transform C to

√

an elliptic curve E . By Hasse™s theorem, E has less than q + 1 + 2 q

points. We need to check that every point on C gives a point on E . In the

parameterization

2 + 2t2

4t

v= , w= (8.16)

1 ’ t2 1 ’ t2

of w2 ’ v 2 = 4, the value t = ∞ corresponds to (v, w) = (0, ’2). All of

the other points (v, w) correspond to ¬nite values of t. No (¬nite) pair (v, w)

corresponds to t = ±1 (the lines through (0, 2) of slope t = ±1 are parallel to

the asymptotes of the hyperbola). Substituting the parameterization (8.16)

into nu2 ’ pv 2 = 2p yields the curve

2p 4

u2 = (t + 6t2 + 1),

Q: 1

n

where u1 = (1 ’ t2 )u. A point on C with (v, w) = (0, ’2) yields a ¬nite

point on the quartic curve Q . Since C has 2(q ’ 1) > 1 points mod q, there

is at least one ¬nite point on Q . Section 2.5.3 describes how to change Q

to an elliptic curve E (the case where Q is singular does not occur since Q

is easily shown to be nonsingular mod q when q = 2, p). Every point mod q

on Q (including those at in¬nity, if they are de¬ned over Fq ) yields a point

(possibly ∞) on E (points at in¬nity on Q yield points of order 2 on E ).

© 2008 by Taylor & Francis Group, LLC

243

SECTION 8.8 A NONTRIVIAL SHAFAREVICH-TATE GROUP

Therefore, the number of points on C is less than or equal to the number of

points on E . By Hasse™s theorem,

√

2(q ’ 1) = N ¤ q + 1 + 2 q.

This may be rearranged to obtain

√

( q ’ 1)2 ¤ 4,

which yields q ¤ 9. Therefore, if q ≥ 11, we must have N = 0.

It remains to treat the cases q = 3, 5, 7. First, suppose p is a square mod

q. There are no points on C1,p,p with coordinates in F3 , for example, so we

introduce denominators. Let™s try

u = u1 /q, v = 1/q, w = w1 /q.

Then we want to solve

w1 = 1 + 4q 2 ,

2

u2 = p + 2pq 2 .

1

Since p is assumed to be a square mod q, Hensel™s lemma implies that there

are q-adic solutions u1 , w1 .

Now suppose that p is not a square mod q. Divide the second equation in

(8.15) by p to obtain

12

w2 ’ v 2 = 4, u ’ v 2 = 2.

p

Let n be any ¬xed quadratic nonresidue mod q, and write 1/p ≡ nx2 (mod q).

Letting u1 = xu, we obtain

w2 ’ v 2 = 4, nu2 ’ v 2 = 2.

1

For q = 3 and q = 5, we may take n = 2 and obtain

w2 ’ v 2 ≡ 4, 2u2 ’ v 2 ≡ 2 (mod q).

1

This has the solution (u1 , v, w) = (1, 0, 2). As above, Hensel™s lemma yields a

q-adic solution.

For q = 7, take n = 3 to obtain

w2 ’ v 2 ≡ 4, 3u2 ’ v 2 ≡ 2 (mod 7).

1

This has the solution (u1 , v, w) = (3, 2, 1), which yields a 7-adic solution.

Therefore, we have shown that there is a q-adic solution for all q ¤ ∞. This

completes the proof of Theorem 8.28.

© 2008 by Taylor & Francis Group, LLC

244 CHAPTER 8 ELLIPTIC CURVES OVER Q

8.9 Galois Cohomology

In this section, we give the de¬nition of the full Shafarevich-Tate group.

This requires reinterpreting and generalizing the descent calculations in terms

of Galois cohomology. Fortunately, we only need the ¬rst two cohomology

groups, and they can be de¬ned in concrete terms.

Let G be a group and let M be an additive abelian group on which G acts.

This means that each g ∈ G gives a automorphism g : M ’ M . Moreover,

(g1 g2 )(m) = g1 (g2 (m))

for all m ∈ M and all g1 , g2 ∈ G. We call such an M a G-module. One

possibility is that g is the identity map for all g ∈ G. In this case, we say that

the action of G is trivial.

If G is a topological group, and M has a topology, then we require that the

action of G on M be continuous. We also require all maps to be continuous.

In the cases below where the groups have topologies, this will always be the

case, so we will not discuss this point further.

A homomorphism φ : M1 ’ M2 of G-modules is a homomorphism of

abelian groups that is compatible with the action of G:

φ(gm1 ) = g φ(m1 )

for all g ∈ G and all m1 ∈ M1 . Note that φ(m1 ) is an element of M2 , so

g φ(m1 ) is the action of g on an element of M2 . An exact sequence

0 ’ M 1 ’ M2 ’ M3 ’ 0

is a short way of writing that the map from M1 to M2 is injective, the map from

M2 to M3 is surjective, and the image of M1 ’ M2 is the kernel of M2 ’ M3 .

The most common situation is when M1 ⊆ M2 and M3 = M2 /M1 .

More generally, a sequence of abelian groups and homomorphisms

··· ’ A ’ B ’ C ’ ···

is said to be exact at B if the image of A ’ B is the kernel of B ’ C. Such

a sequence is said to be exact if it is exact at each group in the sequence.

De¬ne the zeroth cohomology group to be

H 0 (G, M ) = M G = {m ∈ M | gm = m for all g ∈ G}.

For example, if G acts trivially, then H 0 (G, M ) = M .

De¬ne the cocycles

Z(G, M ) =

{ maps f : G ’ M | f (g1 g2 ) = f (g1 ) + g1 f (g2 ) for all g1 , g2 ∈ G}.

© 2008 by Taylor & Francis Group, LLC

245

SECTION 8.9 GALOIS COHOMOLOGY

The maps f are (continuous) maps of sets that are required to satisfy the

given condition. Note that g1 f (g2 ) means that we evaluate f (g2 ) and obtain

an element of M , then act on this element of M by the automorphism g1 .

The set Z is sometimes called the set of twisted homomorphisms from G

to M . It is a group under addition of maps.

We note one important case. If G acts trivially on M , then

Z(G, M ) = Hom(G, M )

is the set of group homomorphisms from G to M .

There is an easy way to construct elements of Z(G, M ). Let m be a ¬xed

element of M and de¬ne

fm (g) = gm ’ m.

Then fm gives a map from G to M . Since

fm (g1 g2 ) = g1 (g2 m) ’ m

= g1 m ’ m + g1 (g2 m ’ m)

= fm (g1 ) + g1 fm (g2 ),

we have fm ∈ Z(G, M ). Let

B(G, M ) = {fm | m ∈ M }.

Then B(G, M ) ⊆ Z(G, M ) is called the set of coboundaries. De¬ne the

¬rst cohomology group

H 1 (G, M ) = Z/B.

In the important special case where G acts trivially, B(G, M ) = 0 since

gm ’ m = 0 for all g, m. Therefore

H 1 (G, M ) = Hom(G, M )

is simply the set of group homomorphisms from G to M .

A homomorphism φ : M1 ’ M2 of G-modules induces a map

φ— : H j (G, M1 ) ’ H j (G, M2 )

of cohomology groups for j = 0, 1. For H 0 , this is simply the restriction of φ

G

to M1 . Note that if gm1 = m1 , then g φ(m1 ) = φ(gm1 ) = φ(m1 ), so φ maps

M1 into M2 . For H 1 , we obtain φ— by taking an element f ∈ Z and de¬ning

G G

(φ— (f ))(g) = φ(f (g)).

It is easy to see that this induces a map on cohomology groups.

The main property we need is the following.

© 2008 by Taylor & Francis Group, LLC

246 CHAPTER 8 ELLIPTIC CURVES OVER Q

PROPOSITION 8.31

An exact sequence

0 ’ M1 ’ M2 ’ M3 ’ 0

of G-modules induces a long exact sequence

0 ’ H 0 (G, M1 ) ’ H 0 (G, M2 ) ’ H 0 (G, M3 )

’ H 1 (G, M1 ) ’ H 1 (G, M2 ) ’ H 1 (G, M3 )

of cohomology groups.

For a proof, see any book on group cohomology, for example [132], [21],

or [6]. The hardest part of the proposition is the existence of the map from

H 0 (G, M3 ) to H 1 (G, M1 ).

Suppose now that we have an elliptic curve de¬ned over Q. Let n be

a positive integer. Multiplication by n gives an endomorphism of E. By

Theorem 2.22, it is surjective from E(Q) ’ E(Q), since Q is algebraically

closed. Therefore, we have an exact sequence

n

0 ’ E[n] ’ E(Q) ’ E(Q) ’ 0. (8.17)

Let

G = Gal(Q/Q)

be the Galois group of Q/Q. The reader who doesn™t know what this group

looks like should not worry. No one does. Much of modern number theory

can be interpreted as trying to understand the structure of this group. The

one property we need at the moment is that

H 0 (G, E(Q)) = E(Q)G = E(Q).

Applying Proposition 8.31 to the exact sequence (8.17) yields the long exact

sequence

n

0 ’ E(Q)[n] ’ E(Q) ’ E(Q)

n

’ H 1 (G, E[n]) ’ H 1 (G, E(Q)) ’ H 1 (G, E(Q)).

This induces the short exact sequence

0 ’ E(Q)/nE(Q) ’ H 1 (G, E[n]) ’ H 1 (G, E(Q))[n] ’ 0, (8.18)

where we have written A[n] for the n-torsion in an abelian group A. This

sequence is similar to the sequence

0 ’ E(Q)/2E(Q) ’ S2 ’ ’0

2

that we met in Section 8.7. In the remainder of this section, we™ll show how the

two sequences relate when n = 2 and also consider the situation for arbitrary

n.

© 2008 by Taylor & Francis Group, LLC

247

SECTION 8.9 GALOIS COHOMOLOGY

First, we give a way to construct elements of H 1 (G, E(Q)). Let C be a

curve de¬ned over Q such that C is isomorphic to E over Q. This means that

there is a map φ : E ’ C given by rational functions with coe¬cients in Q

and an inverse function φ’1 : C ’ E also given by rational functions with

coe¬cients in Q. Let g ∈ G, and let φg denote the map obtained by applying

g to the coe¬cients of the rational functions de¬ning φ. Since C is de¬ned

over Q, the map φg maps E to gC = C. Note that

g(φ(P )) = (φg )(gP ) (8.19)

for all P ∈ E(Q), since the expression g(φ(P )) means we apply g to ev-

erything, while φg means applying g to the coe¬cients of φ and gP means

applying g to P .

We have to be a little careful when applying g1 g2 . The rule is

φg1 g2 = (φg2 )g1 ,

since applying g1 g2 to the coe¬cients of φ means ¬rst applying g2 , then ap-

plying g1 to the result.

We say that a map φ is de¬ned over Q if φg (P ) = φ(P ) for all P ∈ E(Q)

and all g ∈ G (this is equivalent to saying that the coe¬cients of the rational

functions de¬ning φ can be taken to be in Q, though proving this requires

results such as Hilbert™s Theorem 90).

The map φ’1 φg gives a map from E to E. We assume the following:

Assumption: Assume that there is a point Tg ∈ E(Q) such that

φ’1 (φg (P )) = P + Tg (8.20)

for all P ∈ E(Q). Equation (8.20) can be rewritten as

φg (P ) = φ(P + Tg ) (8.21)

for all P ∈ E(Q). If we let P = (φg )’1 (Q) for a point Q ∈ C(Q), then the

assumption becomes

φ’1 (Q) = (φg )’1 (Q) + Tg , (8.22)

which says that φ’1 and (φg )’1 di¬er by a translation. We™ll give an example

of such a map φ below.

LEMMA 8.32

De¬ne „φ : G ’ E(Q) by „φ (g) = Tg . Then „φ ∈ Z(G, E(Q)).

© 2008 by Taylor & Francis Group, LLC

248 CHAPTER 8 ELLIPTIC CURVES OVER Q

PROOF

’1 ’1

g1 φ(P + Tg1 g2 ) = g1 φg1 g2 (P )

’1

= φg2 (g1 P ) (by (8.19))

’1

= φ(g1 P + Tg2 ) (by (8.21))

’1

= g1 φg1 (P + g1 Tg2 ) (by (8.19))

’1

= g1 φ(P + g1 Tg2 + Tg1 ) (by (8.21)).

Applying g1 then φ’1 yields

T g 1 g 2 = g1 T g 2 + T g 1 .

This is the desired relation.

Suppose we have curves Ci and maps φi : E ’ Ci , for i = 1, 2, as above.

We say that the pairs (C1 , φ1 ) and (C2 , φ2 ) are equivalent if there is a map

θ : C1 ’ C2 de¬ned over Q and a point P0 ∈ E(Q) such that

φ’1 θφ1 (P ) = P + P0 (8.23)

2

for all P ∈ E(Q). In other words, if we identify C1 and C2 with E via φ1 and

φ2 , then θ is simply translation by P0 .

PROPOSITION 8.33

The pairs (C1 , φ1 ) and (C2 , φ2 ) are equivalent if and only if the cocycles „φ1

and „φ2 di¬er by a coboundary. This means that there is a point P1 ∈ E(Q)

such that

„φ1 (g) ’ „φ2 (g) = gP1 ’ P1

for all g ∈ G.

i

PROOF For i = 1, 2, denote „φi (g) = Tg , so

φg (P ) = φi (P + Tg )

i

(8.24)

i

for all P ∈ E(Q). Suppose the pairs (C1 , φ1 ) and (C2 , φ2 ) are equivalent, so

there exists θ : C1 ’ C2 and P0 as above. For any P ∈ E(Q), we have

P + Tg + P0 = φ’1 θφ1 (P + Tg )

1 1

(by (8.23))

2

= φ’1 θφg (P ) (by (8.24))

2 1