Undergraduate Texts in Mathematics Undergraduate Texts in Mathematics

Series Editors:

Sheldon Axler San Francisco State University, San Francisco, CA, USA

Kenneth Ribet University of California, Berkeley, CA, USA

Advisory Board:

Colin Adams, Williams College David A. Cox, Amherst College Pamela Gorkin, Bucknell University Roger E. Howe. Yale University Michael Orrison, Harvey Mudd College Jill Pipher, Brown University Fadil Santosa, University of Minnesota

Undergraduate Texts in Mathematics are generally aimed at third- and fourth- year undergraduate mathematics students at North American universities. These texts strive to provide students and teachers with new perspectives and novel approaches. The books include motivation that guides the reader to an appreciation of interre- lations among different aspects of the subject. They feature examples that illustrate key concepts as well as exercises that strengthen understanding.

More information about this series at http://www.springer.com/series/666 Joseph H. Silverman • John T. Tate

Rational Points on Elliptic Curves

Second Edition

123 Joseph H. Silverman John T. Tate Department of Mathematics Department of Mathematics Brown University Harvard University Providence, RI, USA Cambridge, MA, USA

ISSN 0172-6056 ISSN 2197-5604 (electronic) Undergraduate Texts in Mathematics ISBN 978-3-319-18587-3 ISBN 978-3-319-18588-0 (eBook) DOI 10.1007/978-3-319-18588-0

Library of Congress Control Number: 2015940539

Springer Cham Heidelberg New York Dordrecht London © Springer International Publishing Switzerland 1992, 2015 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

Springer International Publishing AG Switzerland is part of Springer Science+Business Media (www. springer.com) Preface

Preface to the Original 1992 Edition

In 1961 the second author delivered a series of lectures at Haverford College on the subject of “Rational Points on Cubic Curves.” These lectures, intended for junior and senior mathematics majors, were recorded, transcribed, and printed in mimeograph form. Since that time, they have been widely dis- tributed as photocopies of ever-decreasing legibility, and portions have ap- peared in various textbooks (Husemoller¨ [25], Chahal [9]), but they have never appeared in their entirety. In view of the recent interest in the the- ory of elliptic curves for subjects ranging from cryptography (Lenstra [30], Koblitz [27]) to physics (Luck–Moussa–Waldschmidt [31]), as well as the tremendous amount of purely mathematical activity in this area, it seems a propitious time to publish an expanded version of those original notes suit- able for presentation to an advanced undergraduate audience. We have attempted to maintain much of the informality of the original Haverford lecturers. Our main goal in doing this has been to write a textbook in a technically difficult field that is “readable” by the average undergraduate mathematics major. We hope that we have succeeded in this goal. The most obvious drawback to such an approach is that we have not been entirely rig- orous in all of our proofs. In particular, much of the foundational material on elliptic curves presented in Chapter 1 is meant to explain and convince, rather than to rigorously prove. Of course, the necessary algebraic geometry can mostly be developed in one moderately long chapter, as we have done in Appendix A. But the emphasis of this book is on number theoretic aspects of elliptic curves, so we feel that an informal approach to the underlying geom- etry is permissible, since it allows us more rapid access to the number theory. For those who wish to delve more deeply into the geometry, there are several good books on the theory of algebraic curves suitable for an undergraduate

v vi Preface course, such as Reid [37], Walker [57], and Brieskorn–Knorrer¨ [8]. In the later chapters we have generally provided all of the details for the proofs of the main theorems. The original Haverford lectures make up Chapters 1, 2, 3, and the first two sections of Chapter 4. In a few places we have added a small amount of explanatory material, references have been updated to include some discov- eries made since 1961, and a large number of exercises have been added. But those who have seen the original mimeographed notes will recognize that the changes have been kept to a minimum. In particular, the emphasis is still on proving (special cases of) the fundamental theorems in the subject: (1) the Nagell–Lutz theorem, which gives a precise procedure for finding all of the rational points of finite order on an elliptic curve; (2) Mordell’s theorem, which says that the group of rational points on an elliptic curve is finitely generated; (3) a special case of Hasse’s theorem, due to Gauss, which de- scribes the number of points on an elliptic curve defined over a finite field. In Section 4.4 we have described Lenstra’s elliptic curve algorithm for fac- toring large integers. This is one of the recent applications of elliptic curves to the “real world,” to wit, the attempt to break certain widely used public key ciphers. We have restricted ourselves to describing the factorization algorithm itself, since there have been many popular descriptions of the corresponding ciphers.1 Chapters 5 and 6 are new. Chapter 5 deals with integer points on elliptic curves. Section 5.2 is loosely based on an IAP undergraduate lecture given by the first author at MIT in 1983. The remaining sections of Chapter 5 contain a proof of a special case of Siegel’s theorem, which asserts that an elliptic curve has only finitely many integral points. The proof, based on Thue’s method of Diophantine approximation, is elementary, but intricate. However, in view of Vojta’s [56] and Faltings’ [15] recent spectacular applications of Diophantine approximation techniques, it seems appropriate to introduce this subject at an undergraduate level. Chapter 6 gives an introduction to the theory of com- plex multiplication. Elliptic curves with complex multiplication arise in many different contexts in number theory and in other areas of mathematics. The goal of Chapter 6 is to explain how points of finite order on elliptic curves with complex multiplication can be used to generate extension fields with Abelian Galois groups, much as roots of unity generate Abelian extensions of the rational numbers. For Chapter 6 only, we have assumed that the reader is familiar with the rudiments of field theory and Galois theory.

1That was what we said in the first edition, but in this second edition, we have included a discussion of elliptic curve cryptography; see Section 4.5. Preface vii

Finally, we have included an appendix giving an introduction to projec- tive geometry, with an especial emphasis on curves in the projective plane. The first three sections of Appendix A provide the background needed for reading the rest of the book. In Section A.4 of the appendix we give an ele- mentary proof of Bezout’s theorem, and in Section A.5, we provide a rigorous discussion of the reduction modulo p map and explain why it induces a ho- momorphism on the rational points of an elliptic curve. The contents of this book should form a leisurely semester course, with some time left over for additional topics in either algebraic geometry or num- ber theory. The first author has also used this material as a supplementary special topic at the end of an undergraduate course in modern algebra, cov- ering Chapters 1, 2, and 4 (excluding Section 4.3) in about four weeks of class. We note that the last five chapters are essentially independent of one another (except Section 4.3 depends on the Nagell–Lutz theorem, proven in Chapter 2). This gives the instructor maximum freedom in choosing topics if time is short. It also allows students to read portions of the book on their own, e.g., as a suitable project for a reading course or honors thesis. We have included many exercises, ranging from easy calculations to published theo- rems. An exercise marked with a (∗) is likely to be somewhat challenging. An exercise marked with (∗∗) is either extremely difficult to solve with the material that we cover or is a currently unsolved problem. It has been said that “it is possible to write endlessly on elliptic curves.”2 We heartily agree with this sentiment, but have attempted to resist succumb- ing to its blandishments. This is especially evident in our frequent decision to prove special cases of general theorems, even when only a few additional pages would be required to prove a more general result. Our goal throughout has been to illuminate the coherence and the beauty of the arithmetic the- ory of elliptic curves; we happily leave the task of being encyclopedic to the authors of more advanced monographs.

Preface to the 2015 Edition

The most important change to the new edition is the addition of two new sec- tions. In Section 4.5 we briefly discuss how and why elliptic curves are used in modern cryptography, and in Section 6.6, we give an overview of how elliptic

2From the introduction to Elliptic Curves: Diophantine Analysis, Serge Lang, Springer- Verlag, New York, 1978. Professor Lang follows his assertion with the statement that “This is not a threat,” indicating that he, too, has avoided the temptation to write a book of indefinite length. viii Preface curves play a key role in Wiles’ proof of Fermat’s Last Theorem. We have also taken the opportunity to make numerous corrections, both typographical and mathematical, to add a few new problems, and to update historical material to reflect some of the exciting advances of the past 25 years.

Electronic Resources

The interested reader will find additional material and a list of errata on the Rational Points on Elliptic Curves home page:

www.math.brown.edu/˜jhs/RPECHome.html This web page includes some of the numerical exercises in the book, allowing the reader to cut and paste them into other programs, rather than having to retype them. There are now many commercial and free computer packages that perform calculations of varying levels of sophistication on elliptic curves,3 including, for example, Sage: http://www.sagemath.org Pari/GP: http://pari.math.u-bordeaux.fr No book is ever free from error or incapable of being improved. We would be delighted to receive comments, good or bad, and corrections from our readers. You can send mail to us at [email protected]

Acknowledgments

First Edition, First Printing: The authors would like to thank Rob Gross, Emma Previato, Michael Rosen, Seth Padowitz, Chris Towse, Paul van Mulbregt, Eileen O’Sullivan, and the students of Math 153 (especially Jeff Achter and Jeff Humphrey) for reading and providing corrections to the original draft. They would also like to thank Davide Cervone for producing beautiful illustrations from their original jagged diagrams. The first author owes a tremendous debt of gratitude to Susan for her patience and understanding, to Debby for her fluorescent attire brightening up

3This was not the case when the first edition of this book appeared in 1992, at which time the first author had created a small stand-alone application for Macintosh computers and a somewhat more highly featured set of routines for Mathematica. These antique packages are no longer available. Preface ix the days, to Danny for his unfailing good humor, and to Jonathan for taking timely naps during critical stages in the preparation of this manuscript. The second author would like to thank Louis Solomon for the invitation to deliver the Philips Lectures at Haverford College in the Spring of 1961.

Providence, USA Joseph H. Silverman Cambridge, USA John T. Tate March 27, 1992

First Edition (Second Printing) and Second Edition: We, the authors, would like the thank the following individuals for sending comments and corrections: G. Allison, T. Anderson, P. Berman, D. Appleby, K. Bender, G. Bender, A. Berkovich, J. Blumenstein, P. de Boor, J. Brillhart, D. Clausen, S. Datta, Z. Fang, D. Freeman, L. Goldberg, F. Goldstein, A. Guth, D. Gupta, A. Granville, R. Hoibakk, I. Igusic, M. Kida, P. Kahn, J. Kraft, C. Levesque, B. Levin, J. Lipman, R. Lipes, A. Mazel-Gee, M. Mossinghoff, K. Nolish, B. Pelz, R. Pennington, R. Pries, A. Rajan, K. Ribet, M. Reid, H. Rose, L. Gomez-S´ anchez,´ R. Schwartz, D. Schwein J.-P. Serre, M. Szydlo, L. Tartar, J. Tobey, R. Urian, C.R. Videla, J. Wendel, A. Ziv.

Providence, USA Joseph H. Silverman Cambridge, USA John T. Tate March 27, 2015

Contents

Preface v

Introduction xv

1 Geometry and Arithmetic 1 1.1RationalPointsonConics...... 1 1.2TheGeometryofCubicCurves...... 8 1.3WeierstrassNormalForm...... 16 1.4ExplicitFormulasfortheGroupLaw...... 23 Exercises...... 28

2 Points of Finite Order 35 2.1PointsofOrderTwoandThree...... 35 2.2RealandComplexPointsonCubicCurves...... 38 2.3TheDiscriminant...... 45 2.4PointsofFiniteOrderHaveIntegerCoordinates...... 47 2.5TheNagell–LutzTheoremandFurtherDevelopments.... 56 Exercises...... 58

3 The Group of Rational Points 65 3.1 Heights and Descent ...... 65 3.2 The Height of P + P0 ...... 71 3.3 The Height of 2P ...... 75 3.4AUsefulHomomorphism...... 80 3.5Mordell’sTheorem...... 88

xi xii Contents

3.6ExamplesandFurtherDevelopments...... 95 3.7 Singular Cubic Curves ...... 106 Exercises...... 111

4 Cubic Curves over Finite Fields 117 4.1RationalPointsoverFiniteFields...... 117 4.2ATheoremofGauss...... 121 4.3PointsofFiniteOrderRevisited...... 133 4.4 A Factorization Algorithm Using Elliptic Curves ...... 139 4.5 Elliptic Curve Cryptography ...... 152 Exercises...... 157

5 Integer Points on Cubic Curves 167 5.1HowManyIntegerPoints?...... 167 5.2TaxicabsandSumsofTwoCubes...... 170 5.3 Thue’s Theorem and Diophantine Approximation ...... 176 5.4 Construction of an Auxiliary Polynomial ...... 182 5.5 The Auxiliary Polynomial Is Small ...... 190 5.6 The Auxiliary Polynomial Does Not Vanish ...... 193 5.7 Proof of the Diophantine Approximation Theorem ...... 197 5.8FurtherDevelopments...... 200 Exercises...... 202

6 Complex Multiplication 207 6.1 Abelian Extensions of Q ...... 207 6.2AlgebraicPointsonCubicCurves...... 213 6.3 A Galois Representation ...... 221 6.4 Complex Multiplication ...... 230 6.5 Abelian Extensions of Q(i) ...... 235 6.6 Elliptic Curves and Fermat’s Last Theorem ...... 245 Exercises...... 256

A Projective Geometry 265 A.1HomogeneousCoordinatesandtheProjectivePlane..... 265 A.2CurvesintheProjectivePlane...... 271 A.3IntersectionsofProjectiveCurves...... 280 Contents xiii

A.4 Intersection Multiplicities and a Proof of Bezout’s Theorem...... 290 A.5 Reduction Modulo p ...... 302 Exercises...... 305

B Transformation to Weierstrass Form 311

List of Notation 315

References 317

Index 323

Introduction

The theory of Diophantine equations is that branch of number theory that deals with the solution of polynomial equations in either integers or rational numbers. The subject itself is named after one of the greatest of the ancient Greek algebraists, Diophantus of Alexandria,4 who formulated and solved many such problems. Most readers will undoubtedly be familiar with Fermat’s Last Theorem. This theorem, which Fermat stated in the seventeenth century, says that if n ≥ 3 is an integer, then the equation

Xn + Y n = Zn has no solutions in nonzero integers X, Y ,andZ. Equivalently, it asserts that the only solutions in rational numbers to the equation

xn + yn =1 are those with either x =0or y =0.5

4Diophantus lived sometime before the third century AD. He wrote the Arithmetica,a treatise on algebra and number theory in 13 volumes, of which 6 volumes have survived. 5In the first edition of this book in 1992, we noted that Fermat’s Last Theorem was a conjecture, not a theorem. Fermat wrote his “theorem” as a marginal note in his copy of Diophantus’ Arithmetica, but also wrote that the margin was unfortunately too small for him to write down the proof. And for 350 years, no one managed to find a proof. However, this all changed in 1995, when Andrew Wiles, with assistance from Richard Taylor on one point, proved Fermat’s assertion [53, 60]. We will have more to say about Wiles’ proof, which is intimately connected with the theory of elliptic curves, in Section 6.6. xv xvi Introduction

As another example of a Diophantine equation, we consider the problem of writing an integer as the difference of a square and a cube. In other words, we fix an integer c ∈ Z and look for solutions to the Diophantine equation6

y2 − x3 = c.

Suppose that we are interested in solution in rational numbers x, y ∈ Q.An amazing property of this equation is the existence of a duplication formula, discovered by Bachet in 1621. If (x, y) is a solution with x and y rational and y =0 , then it is not hard to check that the pair   x4 − cx −x6 − cx3 c2 8 , 20 +8 4y2 8y3 is a solution in rational numbers to the same equation. Further, it is possible to prove, although Bachet was unable to do so, that if c/∈{1, −432} and if the original solution satisfies xy =0 , then repeating this process leads to infinitely many distinct solutions. So except for 1 and −432, if an integer can be expressed as the difference of a square and a cube using nonzero rational numbers, then it can be so expressed in infinitely many ways. For example, if we start with the solution (3, 5) to the equation

y2 − x3 = −2 and apply Bachet’s duplication formula, we find a sequence of solutions that starts     129 383 2340922881 113259286337279 (3, 5), , − , , ,... . 102 103 76602 76603 As you can see, the numerators and denominators rapidly become extremely large. Next we’ll take the same equation,

y2 − x3 = c, and ask for solutions in integers x, y, ∈ Z. In the 1650s Fermat posed as a challenge to the English mathematical community the problem of show- ing that the equation y2 − x3 = −2 has only two solutions in integers,

6This equation is sometimes called Bachet’s equation, after the seventeenth-century math- ematician who originally discovered the duplication formula. It is also known as Mordell’s equation, in honor of the twentieth-century mathematician L.J. Mordell, who made funda- mental contributions to the solution of this and many similar Diophantine equations. We will prove a special case of Mordell’s theorem in Chapter 3. Introduction xvii

(0, 1) (0, 1)

(−1, 0) (1, 0) (1, 0)

(0, −1)

Figure 1: The Fermat curves x4 + y4 =1and x5 + y5 =1 namely, (3, ±5). This is in marked contrast to the question of solutions in rational numbers, since we have just seen that there are infinitely many of those. None of Fermat’s contemporaries appears to have solved the problem, which was given an incomplete solution by Euler in the 1730s and a correct proof 150 years later! Then in 1908, Axel Thue7 made a tremendous break- through; he showed that for any nonzero integer c, the equation y2 − x3 = c has only finitely many solutions in integers x and y. This is a tremendous (qualitative) generalization of Fermat’s challenge problem, since it says that among the potentially infinitely many solutions in rational numbers, only finitely many of them can be in integers. The seventeenth century witnessed Descartes’ introduction of coordinates into geometry, a revolutionary development that allowed geometric problems to be solved algebraically and algebraic problems to be studied geometri- cally. For example, if n is even, then the real solutions to Fermat’s equa- tion xn + yn =1in the xy-plane form a geometric object that looks like a squashed circle. Fermat’s theorem is then equivalent to the assertion that the only points on that squashed circle having rational coordinates are the four points (±1, 0) and (0, ±1). The Fermat equations with odd exponents look a bit different. We have illustrated the Fermat curves with exponents 4 and 5 in Figure 1.

7Axel Thue made important contributions to the theory of Diophantine equations, es- pecially to the problem of showing that certain equations have only finitely many solutions in integers. These theorems about integer solutions were generalized by C.L. Siegel during the 1920s and 1930s. We will prove a version of the Thue–Siegel theorem, actually a special case of Thue’s original result, in Chapter 5. xviii Introduction

Q

P

Figure 2: Bachet’s equation y2 − x3 = c

Similarly, we can look at Bachet’s equation y2 − x3 = c, which we have graphed in Figure 2. Recall that Bachet discovered a duplication formula which he used to take a given rational solution and produce a new rational solution. Bachet’s formula is rather complicated, and one might wonder from whence it comes. The answer is that it comes from geometry! Thus suppose that we let P =(x, y) be our original solution, so P is a point on the curve as illustrated in Figure 2. Next we draw the tangent line to the curve at the point P , an easy exercise for a first semester calculus course.8 This tangent line will intersect the curve in one further point, which we have labeled Q. Then, if you work out the algebra to calculate the coordinates of Q, you will find Bachet’s duplication formula. So Bachet’s complicated algebraic formula has a simple geometric interpretation in terms of the intersection of a tangent line with a curve. This is our first intimation of the fruitful interplay that is possible among algebra, number theory, and geometry. The simplest sort of Diophantine equation is a polynomial equation in one variable, n n−1 anx + an−1x + ···+ a1x + a0 =0.

Assuming that a0,...,an are integers, how can we find all integer and all ra- tional solutions? Gauss’ lemma provides a simple answer. If p/q isarational solution written in lowest terms, then Gauss’ lemma tells us that q divides an and p divides a0. This gives us a small list of possible rational solutions, and

8Of course, Bachet had neither calculus nor analytic geometry, so he probably discovered his formula by clever algebraic manipulation. Introduction xix we can substitute each of them into the equation to determine the actual solu- tions. So Diophantine equations in one variable are easy.9 When we move to Diophantine equations in two variables, the situation changes dramatically. Suppose we take a polynomial f(x, y) with integer co- efficients and look at the equation

f(x, y)=0.

For example, Fermat’s and Bachet’s equations have this form. Here are some natural questions that we might ask:

(a) Are there any solutions in integers? (b) Are there any solutions in rational numbers? (c) Are there infinitely many solutions in integers? (d) Are there infinitely many solutions in rational numbers?

In this generality, only question (c) has been fully answered, although much progress has recently been made on (d).10 The set of real solutions to an equation f(x, y)=0forms a curve in the xy-plane. Such curves are called algebraic curves to indicate that they are the set of solutions of a polynomial equation. In trying to answer questions (a)–(d), we might begin by looking at simple polynomials, such as polyno- mials of degree 1 (also called linear polynomials, because their graphs are straight lines). For a linear equation

ax + by = c with integer coefficients, it is easy to answer our questions.11 There are always infinitely many rational solutions, there are no integer solutions if gcd(a, b) does not divide c, and there are infinitely many integer solutions if gcd(a, b) does divide c. So linear equations in two variables are even easier to analyze than higher-degree equations in one variable.

9In practice, it may be easier to approximate the real roots to high accuracy and then check which, if any, of these roots can be written in the form b/an for some integer b.Thisavoids having to find the prime factorization of a0 and an. 10 For polynomials f(x1,...,xn) with more than two variables, our four questions have only been answered for some very special sorts of questions. Even worse, work of Davis, Matijasevic,˘ and Robinson has shown that in general it is not possible to find a solution to question (a). That is, there does not exist an algorithm which takes as input the polynomial f and produces as output either YES or NO as an answer to question (a). 11We assume that a and b are not both zero, since if a = b =0, there are either no solutions if c =0, while every (x, y) is a solution if c =0. xx Introduction

Next we turn to polynomials of degree 2, also called quadratic polyno- mials. Their graphs are conic sections. It turns out that if such an equation has one rational solution, then it has infinitely many. The complete set of so- lutions can be described very easily using geometry. We will briefly explain how this is done in Section 1.1. We will also briefly indicate how to answer question (b) for quadratic polynomials. So although it would be untrue to say that quadratic polynomials are easy, it is fair to say that their solutions are completely understood. This brings us to the main topic of this book, namely, the solution of de- gree 3 polynomial equations in rational numbers and in integers. One exam- ple of such an equation is Bachet’s equation y2 − x3 = c that we looked at earlier. Some other examples that will appear during our studies are

2 3 2 3 3 y = x + ax + bx + c and ax + by = c.

The solutions to these equations using real numbers are called cubic curves or elliptic curves.12 In contrast to linear and quadratic equations, the rational and integer solutions to cubic equations are still not completely understood, and even in those cases where the complete answers are known, the proofs involve a subtle blend of techniques from algebra, number theory, and geom- etry. Our primary goal in this book is to introduce you to the beautiful subject of Diophantine equations by studying in depth the first case of such equations that is still imperfectly understood, namely, cubic equations in two variables. To give you an idea of the sorts of results that we will be studying, we briefly indicate what is known about questions (a)–(d) for cubic curves. First, Siegel proved in the 1920s that a cubic equation has only finitely many integer solutions,13 and in 1970 Baker and Coates gave an explicit up- per bound for the largest solution in terms of the coefficients of the polyno- mials. This provides a satisfactory answer to (a) and (c), although the Baker– Coates bounds for the largest solution are generally too large to be practical.14 In Chapter 5 we will prove a special case of Siegel’s theorem for equations of the form ax3 + by3 = c.

12Despite its name, an elliptic curve is not an ellipse, since ellipses are conic sections, and conic sections are given by quadratic equations! The curious chain of events that led to elliptic curves being so named is recounted in Section 1.3. 13Actually, Siegel’s theorem applies only to “nonsingular” cubic equations. However, most cubic equations are nonsingular, and in practice, it is generally quite easy to check whether a given equation is nonsingular. 14Techniques developed since 1970 are practical enough to find all integer solutions on many cubic equations, as long as the coefficients are not too large. Introduction xxi

Second, all of the possibly infinitely many rational solutions to a cubic equation may be found by starting with a finite set of solutions and repeatedly applying a geometric procedure similar to Bachet’s duplication formula. The fact that there always exists a finite generating set was suggested by Poincare´ in 1901 and proven by L.J. Mordell in 1923. We will prove a special case of Mordell’s theorem in Chapter 3. However, we must in truth point out that Mordell’s theorem does not really answer questions (b) and (d). As we shall see, the proof of Mordell’s theorem gives a procedure that often allows one to find a finite generating set for the set of rational solutions. But it is only conjectured, and not yet proven, that Mordell’s method always yields a gen- erating set. So even for special sorts of cubic equations such as y2 − x3 = c and ax3 + by3 = c, there is no general method (algorithm) currently known that is guaranteed to answer question (b) or (d). We have mentioned several times the idea that the study of Diophantine equations involves an interplay among algebra, number theory, and geometry. The geometric component is clear, since the equation itself defines (in the case of two variables) a curve in the plane, and we have already seen how it may be useful to consider the intersection of that curve with various lines. The number theory is also clearly present, since we are searching for solutions in either integers or rational numbers, and what is the heart of number theory other than the study of relations between integers and/or rational numbers. But what of the algebra? We could point out that polynomials are essentially algebraic objects. However, algebra plays a far more important role. Recall that Bachet’s duplication formula may be described as follows: start with a point P on a cubic curve, draw the tangent line at P , and take the third point of intersection of the line with the curve. Similarly, if we start with two points P1 and P2 on the curve, we can draw the line through P1 and P2 and look at the third intersection point P3. This will work for most choices of P1 and P2, since most lines intersect a cubic curve in exactly three points. We might describe this procedure, which is illustrated in Figure 3,asaway to “add” two points on the curve and get a third point. Amazingly, it turns out that with a slight modification, this geometric operation turns the set of rational solutions to a cubic equation into an Abelian group! And Mordell’s theorem, alluded to earlier, may be rephrased as saying that this group has a finite number of generators. So here is algebra, number theory, and geometry all packaged together in one of the greatest theorems of the twentieth century. We hope that the preceding introduction has convinced you of some of the beauty and elegance to be found in the theory of Diophantine equations. But the study of Diophantine equations, in particular the theory of elliptic curves, xxii Introduction

P3

P2 P1

Figure 3: “Adding” two points on a cubic curve also has its practical applications. We will study two such applications in this book. Everyone is familiar with the Fundamental Theorem of Arithmetic, which asserts that every positive integer factors uniquely into a product of primes. However, if the integer is fairly large, say on the order of 10300 to 10600,it may be virtually impossible in practice to perform that factorization. This is true even though there are quick ways to check if an integer of that size is not prime. In other words, if someone hands you a composite integer N having, say, 450 digits, then you can easily prove that N is not prime, even though you probably won’t be able to find any prime factors of N. This curious state of affairs was used by Rivest, Shamir, and Adleman to construct the first practical and secure public key cryptosystem, called RSA. It then becomes of practical importance to find the best possible algorithms to factor large numbers. One such algorithm, which is particularly effective when N has factors of somewhat different magnitudes, is due to Hendrik Lenstra and uses elliptic curves defined over finite fields. We describe Lenstra’s algorithm in Section 4.4. Just as factoring large numbers is hard, it turns out that expressing a given point on an elliptic curve as a multiple of some other given point on the curve is hard, and indeed, based on current algorithms, it appears to be significantly harder than factoring. This is called the elliptic curve discrete logarithm prob- lem, and it has been used as the basis for a public key cryptosystem that is, in some ways, more efficient than RSA due to the added difficulty of the un- derlying hard mathematical problem. We give a brief introduction to elliptic curve cryptography in Section 4.5.