Torsion Points of Elliptic Curves Over Number Fields

Christine Croll

A thesis presented to the faculty of the University of Massachusetts in partial fulﬁllment of the requirements for the degree of Bachelor of Science with Honors.

Department of Mathematics

Amherst, Massachusetts April 21, 2006 Acknowledgements

I would like to thank my advisor, Prof. Farshid Hajir of the University of Mas- sachusetts at Amherst, for his willingness to explain everything twice. I would also like to thank Prof. Tom Weston of the University of Massachusetts at Amherst, for entertaining me during my 9 a.m. Number Theory course; Prof. Peter Norman of the University of Massachusetts, for oﬀering me the summer research that inspired this thesis; and the Umass Mathematics department for my Mathematical education. Lastly, to the English major, Animal Science major, and Biology major that have had to live with me, thank you for putting up with this strange Math major. Abstract

A curve C over Q is an equation f(x, y) = 0, where f is a polynomial: f ∈ Z[x, y]. It is interesting to study the set of rational points for curves, denoted as C(Q), which consists of pairs (x, y) ∈ Q2 satisfying f(x, y) = 0. For curves of degree 1 and 2 we know how to write C(Q) as a parametrized set, therefore enabling us to know all the rational points for curves of these degrees. For irreducible, smooth curves of degree 3 equipped with at least one rational point, which are called elliptic curves, C(Q) is a group. As with other groups, each element of C(Q) has an order. The subgroup C(Q)tors is the set of all rational points of finite order in C(Q). This paper will briefly describe the basic theory of elliptic curves and then focus on what is known about C(Q)tors, both over the rationals and over the extension field Q(ζ11), where ζ11 is an irrational root of x11 − 1 = 0. Contents

1 Introduction 5

2 Background 8 2.1 Curves ...... 8 2.2 Rational Points on Conics ...... 8 2.3 Method for Rational Solutions for Quadratics ...... 9 2.4 Projective Space ...... 11

3 Elliptic Curves 13 3.1 EC Deﬁnitions ...... 13 3.2 Weierstrass Form ...... 13 3.3 EC Deﬁnitions Revisited ...... 13 3.4 Projective Space Revisited ...... 14

4 Group Law 15 4.1 Deﬁning ⊕ ...... 15 4.2 (P ∗ Q) ⊕ (P ⊕ Q) ...... 16 4.3 P ⊕ P...... 17 4.4 Elliptic Curves Under ⊕ ...... 19

5 Torsion Points 20 5.1 Deﬁnition of torsion points ...... 20 5.2 Points of Order 2 ...... 20 5.3 Points of Order 3 ...... 21 5.4 Nagell-Lutz Theorem ...... 22 5.5 Mazur’s Theorem ...... 23 5.6 Ψn(x) ...... 24

6 Appendix A 26

7 Appendix B 27

8 Appendix C 28 5

1 Introduction

The subject of rational points on elliptic curves could be seen as a component of the theory of Diophantine equations. The study of elliptic curves has come a long way since its beginning, with elliptic curves currently being used in the area of cryptography. My research did not delve into the role of elliptic curves in cryptography; instead I studied basic theoretical tools for understanding rational points on an elliptic curve, which, simply put, are solutions with coordinates which can be expressed as ratios of whole numbers.

Interestingly enough, for a certain geometrically-defined binary operation ⊕, to be described in more detail in chapter 4, we can turn the set of rational points, notated as C(Q), into a commutative group. Furthermore, we can classify elements into torsion points and non-torsion points, which are points of finite order and infinite order, respectively. In considering the set of all torsion points, defined as C(Q)tors, we find that this set forms a subgroup. It is actually known that for an elliptic curve C over Q that contains a point of finite order m, either 1 ≤ m ≤ 10 or m = 12. More precisely, the set of all points of finite order in C(Q) forms a subgroup which has one of the following two forms:

(i) A cyclic group of order N with 1 ≤ N ≤ 10 or N = 12. (ii) T he product of a cyclic group of order two and a cyclic group of order 2N with 1 ≤ N ≤ 4.

This characterization of C(Q)tors is known as Mazur’s Theorem.

Another valuable theorem is the Nagell-Lutz Theorem.

Theorem 1 Let y2 = f(x) = x3 + ax2 + bx + c be a non-singular cubic curve with integer coeﬃcients a,b,c; and let D be the discriminant of the cubic polynomial f(x),

D = −4a3c + a2b2 + 18abc − 4b3 − 27c2.

Let P = (x,y) be a rational point of ﬁnite order. Then x and y are integers; and either y = 0, in which case P has order two, or else y divides D. 6

Once our cubic is put in the proper form, the Nagell-Lutz Theorem gives us a procedure, although one that can be long and tedious, for finding the points of finite order for an elliptic curve. The procedure is simple; take D and find all the integers that divide it. These are all of the possible y values. From here we plug in each y value into our curve and factor the resulting cubic to obtain any integer x values. The bigger D is, the longer this process takes. Luckily there is a stronger version of Nagell-Lutz which tells us that y2 divides D, not just y. This means we only need to look at which perfect squares divide D instead of which integers. This significantly cuts down on the number of y values we have to process. After listing all possible (x, y) satisfying the hypotheses of the theorem, we then still need to check which of these are actually torsion points.

In addition to having a method for finding all the rational torsion points for a given curve, there exists a way to find all the torsion points of a certain order for that curve. For each integer n, there exists a polynomial with rational coefficients called Ψn(x) where the roots of this polynomial are the x values of the torsion points of order n. For the rational torsion points of order n you simply restrict your view to the roots of Ψn(x) that are rational.

For example, to ﬁnd all the torsion points of order 3 on the curve y2 = 3 4 2 2 x + bx + c you would use Ψ3(x) = 3x + 6bx + 12cx − b . Finding the roots of Ψ3 will give us the x-coordinates of our torsion points. To ﬁnd the corresponding y values you simply plug these x values into our elliptic curve and solve for y. Note that because our elliptic curve contains a y2 term, we will get two y values for every x value. In other words, every x value yields two torsion points.

Remember, Ψn will give you all the possible torsion points of order n, both rational and irrational. If Ψn has no rational roots, then there will be no rational torsion points of order n.

Although the study of elliptic curves over Q is very rich, the topic broadens even further when you consider elliptic curves over algebraic number fields. An algebraic number field is a finite field extension of the rational numbers. That is, it is a field which contains Q and has finite dimension when considered as a vector space over Q. In other words, take Q and adjoin to it a root of a polynomial that is not found in Q. This gives us a field that contains a copy of Q and all linear combinations of powers of our adjoined root.

2 3 2 I focused on the curve X0(11) which is y = x −4x −160x−1264 over the 7

11 algebraic number ﬁeld Q(ζ11), where ζ11 is an irrational root of x − 1 = 0, i.e. a root of x10 + x9 + x8 + x7 + x6 + x5 + x4 + x3 + x2 + x + 1 = 0.

In considering the size of the torsion subgroup of X0(11) over Q(ζ11), I discovered the subgroup has cardinality 5, the same cardinality as the torsion subgroup over Q. In fact, the same 5 points make up the two torsion subgroups. Therefore, for X0(11), the torsion subgroup was not eﬀected by looking for points over Q(ζ11) instead of Q. 8

2 Background

2.1 Curves Before we can talk about elliptic curves, we must first review a few basic definitions, starting with the definition of a curve. A curve C, is an equation f(x, y) = 0, where f is a polynomial: f ∈ Z[x, y]. Without further comment, we will always assume that our curves are irreducible (meaning f is an irreducible polynomial) and smooth, meaning the system of equations f(x, y) = 0, ∂xf = 0, ∂yf = 0 has no solutions. A rational solution of a curve is a pair (x, y) such that x, y ∈ Q and f(x, y) = 0 . Similarly, an integer solution of a curve is a pair (x, y) such that x, y ∈ Z and f(x, y) = 0. The definitions of rational and integer solutions give rise to two natural subsets of our curve, called C(Q) and C(Z). C(Q) := {(x, y) ∈ Q × Q | f(x, y) = 0} and C(Z) := {(x, y) ∈ Z × Z | f(x, y) = 0} . The majority of this paper will focus on C(Q).

The diﬃculty of ﬁnding C(Q) depends on the degree of the curve. The study of linear curves is not very challenging, as the reader may imagine. Let’s jump instead to the slightly more interesting case of degree 2 curves, also known as the conics.

2.2 Rational Points on Conics The general form of a quadratic equation, or conic, is

f(x, y) = ax2 + bxy + cy2 + dx + ey + f with a, b, c, d, e, f ∈ Z. To demonstrate how to ﬁnd C(Q) for any quadratic, let us consider the historical example of ﬁnding C(Q) for the unit circle x2 + y2 = 1.

When we draw the unit circle, four rational (in fact integer) points immediately jump out at us: (1, 0), (0, 1), (−1, 0), and (0, −1), labeled in Figure 1. Some other rational points are also easy to recognize, such as (3/5, 4/5) and (5/13, 12/13). Note that these last two points are of the form x = m/n and y = l/n, where the gcd(m, n) and the gcd(l, n) are 1. When we plug these x and y values into C we get

(m/n)2 + (l/n)2 = 1 =⇒ m2/n2 + l2/n2 = 1 =⇒ m2 + l2 = n2. 9

Figure 1: Some Rational Points on the Unit Circle

This implies (m, l, n) is a primitive Pythagorean Triple. This process works in reverse also and gives a 1 − 1 correspondence between primitive P triples and rational points on the unit circle. So we can easily think of examples of rational points on the unit circle, namely the rational solutions that correspond to the primitive Pythagorean triples. The critical question is, how do we ﬁnd all of the rational solutions on the unit circle?

2.3 Method for Rational Solutions for Quadratics The ﬁrst step in solving this problem is to pick a rational point on the curve. We can pick ANY rational point, but lets choose Po = (−1, 0). We selected this Po based on the knowledge that this point will make the following steps computationally nice. Keep in mind that we could have chosen any rational point on the curve; there is nothing special about which rational point we use.

Suppose we look at the formula for the line going through Po using point slope form. We get 10

y = t(x + 1) (1) with t = slope.

Figure 2: Unit Circle with Line

If P ∈ C(Q) is not Po, then the line passing through Po and P has rational slope (This is easy enough to see by the standard slope formula). What about the converse? Does a line with rational slope passing through Po intersect the unit circle at a rational point P ∈ C(Q) distinct from Po? Yes! Consequently, we will be able to ﬁnd a way to parametrize all the rational points based on Po via the rational parameter t.

We prove the converse statement by intersecting y = t(x+1) with x2 +y2 = 1. Plugging in y = tx + t and simplifying we get

(1 + t2)x2 + 2t2x + t21 = 0. (2)

From here we know x = −1 is a root, due to our choice of Po, so we know (x + 1) divides (2). Factoring (2) gives us (x + 1)[(1 + t2)x + t2 − 1] = 0. 11

Solving for x in the factor (1 + t2)x + t2 − 1 gives us

x = (1 − t2)/(1 + t2). (3) We know that t, which equals the slope, is given as a rational number. Therefore (3) is rational, which gives us x is rational. Plugging in (3) into (1) gives us that y is rational, with

y = t((1 − t2)/(1 + t2) + 1) = t((1 − t2 + 1 + t2)/(1 + t2)) = 2t/(1 + t2).

Therefore we have shown that the converse statement is true. We can now parametrize C(Q):

2 2 2 C(Q) = {((1 − t )/(1 + t ), 2t/(1 + t )) | t ∈ Q}. This method of ﬁnding all the rational points works for any quadratic equation, assuming that you have one rational point to start with. C(Q) can either be the empty set () or inﬁnite in size and is, in the second case, parametrized by a single rational parameter.

2.4 Projective Space It will be exceedingly helpful later on to look at our curves as projective curves. This requires us to know at least a little about projective space. We will start by describing what we mean when we say a curve is projective.

Deﬁnition 1 A projective curve is the set of zeros of a homogeneous polynomial of three variables: F (x, y, z) = 0. We will assume that F has coeﬃcients in Z. We recall that F (x, y, z) is homogeneous of degree d if F (kx, ky, kz) = kdF (x, y, z) for all constants k.

The curves we have been considering are of two variables only and have not been restricted to being homogeneous. This, however, is not a problem. Any curve in two variables can be made into a homogeneous curve in three. Take f to be a curve in two variables and make the substitution x = X/Z and y = Y/Z. This makes f(x, y) = 0 into f(X/Z, Y/Z) = 0, which clearing de- nominators, becomes F (X,Y,Z) = 0.

More speciﬁcally, if we multiply both sides of f(X/Z, Y/Z) = 0 through by Zd where d is the greatest degree of the individual terms of f, we get a homogeneous equation F (X,Y,Z) = 0. This substitution and multiplication can also 12 be performed by completing each monomial in f(X,Y ) = 0 with the power of Z which makes that monomial have total degree d where d is as above. For example, the curve y2 = x3 + x2 + 17 would become Y 2Z = X3 + X2Z + 17Z3. To summarize, F (X,Y,Z) = Zdf(X/Z, Y/Z).

The introduction of an extra variable serves to embed the ordinary plane curve f(x, y) = 0 into what is called the projective plane P2. We will now describe the latter. Consider the set of all triples (X,Y,Z) ∈ C3, minus the origin triple (0, 0, 0). On this set, we introduce an equivalence relation by

× (X,Y,Z) ∼ (λX, λY, λZ) for all λ ∈ C .

The (complex) projective plane P2 is deﬁned to be the set of equivalence classes of this equivalence relation. According to this description, two points are equivalent if they lie along the same line towards the origin. We formally write projective space as

2 P (C) = {(X,Y,Z) | X,Y,Z ∈ C}/ ∼= {[X : Y : Z]}. This means [x : y : z] = [λx, λy, λz] | λ 6= 0. For example, [1 : 0.5 : 1.5] is the same point in projective space as [2 : 1 : 3].

How do these projective points relate to the homogenization process we described above? Given a point [X : Y : Z] in P2, we can always write [X : Y : Z] = [X/Z : Y/Z : 1] as long as Z 6= 0. Now, if F (X,Y,Z) = 0 and Z 6= 0, then (x, y) = (X/Z, Y/Z) is on our original curve f(x, y) = 0; con- versely, given a point (x, y) on f(x, y) = 0, we get a projective point [x : y : 1] on F (X,Y,Z) = 0. Note that the projective curve F (X,Y,Z) = 0 carries all the points on f(x, y) = 0 in its Z 6= 0 component, but, in addition, could have more points “at inﬁnity,” meaning in its Z = 0 component. These additional points serve to “complete” the curve (in various senses) which will be seen to have various beneﬁts.

This is a quick overview of projective curves and projective space. We will brieﬂy revisit projective curves in chapter 3. 13

3 Elliptic Curves

3.1 EC Deﬁnitions

As the degree of f increases, the amount known about C(Q) drastically de- creases. It is here that we enter the study of degree three curves, of which elliptic curves are the most interesting. So, what is an elliptic curve?

Deﬁnition 2 An elliptic curve over Q is a smooth (non-singular) projective curve of degree 3 F (X,Y,Z) = 0 (where F has rational coeﬃcients), equipped with a rational base point O.

A basic form for an elliptic curve is

2 3 2 y + a1xy + a3y = x + a2x + a4x + a6.

This, in fact, is the form that Pari uses when initializing a new elliptic curve. Pari is a special math program that is incredibly useful when working with elliptic curves, as well as many other branches of advanced mathematics.

3.2 Weierstrass Form We can always put elliptic curves in a standard useful form, called Weierstrass Form. In general, any cubic equation with a rational point can be put into this form. Classic Weierstrass Form is

2 3 y = 4x − g2x − g3.

A variation of Weierstrass Form, which is more commonly in use today, and the one I will be referring to from here on out, is

y2 = x3 + ax2 + bx + c.

The trick to making this change of form is to make a change of axes by linear transformations. For an example of this process see Appendix A.

From now on, all our elliptic curves we be in Weierstrass form.

3.3 EC Deﬁnitions Revisited According to the deﬁnition, there are three interesting conditions that must be met in order for a curve to be an elliptic curve. First, curve must be projective, 14 which we described in chapter 2. Second, the curve must be smooth. This means that the gradient of F h∂F/∂x, ∂F/∂y, ∂F/∂zi never vanishes simultaneously (all three parts of this vector never equal zero at the same time) on the curve. This tells us there are no cusps or nodes in the graph of our curve and that that the cubic part has three distinct roots. One can check that y2 = x3 + ax2 + bx + c is smooth if and only if the cubic polynomial in x in the right hand side has no repeated roots.

3.4 Projective Space Revisited The third condition is our curve must be equipped with a rational base point O. This means that C(Q) for an elliptic curve C is never empty; C always has at least one rational point. In fact, because C is restricted to being a projective curve, we actually have a nice and compact way of writing this rational base point.

Let us recall that in projective space f(x, y) = 0 becomes F (X,Y,Z) = 0 and that we are now going to restrict our f to being an elliptic curve. This means that when f becomes homogeneous, all of the terms on both sides of the equation will have at least one power of Z, except the X3 term. Our curve then looks like Y 2Z = X3 + aX2Z + bXZ2 + cZ3. What happens when we let Z = 0?. All of the terms become zero expect X3 and we get the equation X3 = 0. This has the solution X = 0. We therefore have a single projective point [0 : Y : O] = [0 : 1 : 0] in the intersection of the curve with the line at infinity Z = 0. We will call this the point at infinity: [0 : 1 : 0]. Due to the fact that elliptic curves are by definition projective curves, our elliptic curve C contains this point at infinity. It therefore makes sense to set the rational base point mentioned in the definition of elliptic curves equal to the point at infinity. By convention, whenever our curve is in Weierstrass form, this point O will serve as the “origin” of the curve.

We therefore have completed the breakdown of the deﬁnition and forms of elliptic curves. We are now ready to start to explore what makes these curves so interesting to study! 15

4 Group Law

4.1 Deﬁning ⊕ Assume we are working with the elliptic curve y2 = x3 + ax2 + bx + c. Curves of this form look similar to ﬁgure 3.

Figure 3: Elliptic Curve

Let’s define a way for rational points on this curve to interact. In fact, we are going to define a binary operation, notated ⊕, for C(Q). Let P and Q be elements in C(Q) with P = (x1, y1), Q = (x2, y2). Suppose we draw a line that connects P and Q. It is easy enough to see that there will be a point where this line intersects with the elliptic curve. Let’s see what we can find out about this intersection point. ~ Using the point-slope form of a line we get PQ =: y − y1 = λ(x − x1) with y2−y1 1 λ = . Solving for y gives us the equation y = y + λ(x − x1). Plugging x2−x1 this y value into our elliptic curve gives us

2 2 2 2 3 2 y = λ (x − x1) + 2λ(x − x1)y1 + y1 = x + ax + bx + c. 16

Let’s consider the equation formed by the second equal sign. Moving everything to the right and collecting terms gives us

0 = x3 + (a − λ2)x2 + ...lower terms.

Due to the fact that this is a cubic equation in x and we know the equation has three roots, we get that

3 2 2 x + (a − λ )x + ... = (x − x1)(x − x2)(x − x3).

Using Vieta’s formulas, which allow us to write the coeﬃcients of powers of x 2 in terms of the roots of the polynomial, we get that −(x1 + x2 + x3) is the x coeﬃcient. We know x1 and x2 from P and Q, so we get the formula

2 x3 = λ − a − x1 − x2 which tells us that x3 is rational. In terms of our picture, this x3 is the x value of our intersection point. From here, plugging in x3 into the line equation gives us a y3 value that is also rational. Summing up what we have found; the intersection of the line PQ~ and the elliptic curve gives us a rational point (x3, y3), labeled as P ∗ Q in Figure 4. So a line connecting two points in C(Q) intersects the curve at another point in C(Q), similar to what we found with conics! In fact, because our cubic curve has a y2 in it, we actually have found a fourth point that is in C(Q), namely P ∗ Q reflected over the x − axis, which is (x3, −y3). Let’s do something crazy and define this fourth point as P ⊕ Q. Therefore the ⊕ operator extends the line connecting two points and reflects it over the x-axis.

4.2 (P ∗ Q) ⊕ (P ⊕ Q) From this definition of ⊕ we can make a few important observations. First, what happens when we ⊕ P ∗Q and P ⊕Q? We can’t use our normal method because λ does not exist (connecting the two points creates a vertical line). The solution is to set P ∗Q⊕P ⊕ Q equal to the point at infinity, notated from here on as O. Remember that we are using a projective curve by definition! Because we are working with an elliptic curve, it would be good to note that −O = O. Therefore, the connecting line between P ∗ Q and P ⊕ Q intersects the curve at a third point infinitely high above and below these two points. (See Figure 5) It is easy enough to see that P ⊕ O = P by using the definitions of O and ⊕. What we have then is the two following facts: 17

Figure 4: Elliptic Curve Intersected with PQ~ i) P ⊕ O = P ii) P ∗ Q ⊕ P ⊕ Q = O (true for any two points reﬂected over the x-axis).

From these two facts it looks like O acts like an identity for the ⊕ operator and reﬂection over the x-axis deﬁnes a point’s inverse.

4.3 P ⊕ P Although we have defined how to ⊕ two different points, ⊕ a point P and O, and ⊕ inverses, we have yet to define how to ⊕ a point to itself. Once again 0 we can’t use our normal method because λ would equal 0 , which is undefined and therefore does not exist. The question in defining P ⊕ P lies in answering what should be choose our slope to be?

It turns out that the best way to define λ is to take the derivative of the curve at P and use that value for the slope. THe easiest way to find λ is to use implicit differentiation. For example, suppose we have the curve y2 = x3 + 17. 18

Figure 5: Adding P ∗ Q and P ⊕ Q

Diﬀerentiating this curve implicitly gives us 3x2 2yy0 = 3x2 =⇒ λ = y0 = 2y In general we would get 3x2 + 2az + b f 0(x) λ = y0 = = 2y 2y To get the numerical value of the slope at a point P we would plug in the coeﬃcients a, b, and c, and the coordinates of the point P . Once λ is obtained we can simply continue with the normal process described in section 4.1.

It turns out to be convenient to have an explicit expression for 2P in f 0(x) terms of the coordinates for P . If we plug in λ = 2y into the equation 2 2 y = (λx+x1) (from section 4.1), put everything over a common denominator, and substitute y2 by f(x), the we get the duplication formula x4 − 2bx2 − 8cx + b2 − 4ac x coordinate of 2(x, y) = . 4x3 + 4ax2 + 4bx + 4c 19

It turns out that adding a point to itself once, twice, even n times, is something of great interest in the study of elliptic curves. This is because for some points P ∈ C(Q) there exists a smallest integer n such that nP = O, where nP is defined as P ⊕P ⊕...⊕P n times. Any point that satisfies this property, i.e. such an n exists, is called a torsion point of finite order n. Any point for which no such n exists is called a torsion point of infinite order. This will be discussed more formally in Chapter 5.

4.4 Elliptic Curves Under ⊕ So what we have found is that the set of rational points on an elliptic curve has an operation, ⊕, which gives rise to a unique identity point O and makes every point have an inverse. If only we had associativity, then the set of rational points on elliptic curves would be a group. As it turns out associativity does hold, so C(Q) is a group under ⊕. Proving associativity is not hard, but it is very time consuming and therefore it will be left as a fun little exercise for the reader. The fact that C(Q) is a group allows us to explore a wide variety of things, such as the existence of a group structure. The classiﬁcation of the group structures of rational points on elliptic curves is known as the Mordell-Weil Theorem.

Theorem 2 Let C be a non-singular cubic curve. Then C(Q) is a ﬁnitely generated abelian group isomorphic to Zr ⊕ F where Zr = Z × Z × ... × Z r times F = {P ∈ C(Q) | P has finite order} and r = rank, which is the number of generators needed.

This theorem tells us that if C is a non-singular cubic curve, then the group C(Q) is ﬁnitely generated. This means that there exist a ﬁnite number of points in C(Q) such that if we took all the possible linear combinations of those points, we would have generated C(Q). 20

5 Torsion Points

5.1 Definition of torsion points Every point on an elliptic curve is one of two kinds: a point of finite order or a point of infinite order. For P to be a point of finite order means there exist a smallest integer n such that nP = O. If no such n exists then P is of infinite order. In other words, P being of infinite order means you can never get the point at infinity by adding P to itself, no matter how many times you do it. This distinction between finite and infinite points leads to the following definition:

Deﬁnition 3 A point P ∈ C(Q) is called a torsion point of order n if P has order n.

Gathering all of the torsion points of a an elliptic curve C will form a ﬁnite subgroup of C(Q), called C(Q)tor:

C(Q)tor = {P ∈ C(Q) | P has finite order} ⊆ C(Q).

5.2 Points of Order 2 What do we actually know about these points of ﬁnite order? Let’s start with points of order two. We want

2P = O, where P 6= O.

If we allow P = (x, y), then −P = (x, −y). Therefore 2P = O is equivalent to P = −P . This implies (x, y) = (x, −y), which can only happen when y = 0. So all points of order two must have y = 0. If we allow x ∈ C, we ﬁnd we get four points of order two:

S = {O, (α1, 0), (α2, 0), (α3, 0)}

3 2 where α1, α2, α3 are the roots of x + ax + bx + c. It turns out S is a group of order 4, where every element is of order 1 or 2. What we have is S is the Four Group, which is the direct product of two groups of order 2.

If we restrict x to being in R, we have two possibilities: either all three roots are real, in which case we get the Four Group, or only one root is real and we get a cyclic group of order 2. The second possibility results in a graph like Figure 3. The ﬁrst possibility’s graph is seen in Figure 6. 21

Figure 6: Three real Torsion Points of Order 2

Similarly, if we restrict x to being in Q we get the above two possibilities, plus a third possibility, the trivial possibility S = {O}, which tells us no rational roots exist. We have found that it is easy enough to ﬁnd the torsion points of order 2.

5.3 Points of Order 3 Torsion Points of order 3 are the points that satisfy 3P = O, which implies we are looking for the points such that 2P = −P . Recall the duplication formula from section 4.3. This formula gives us the x value of 2P based on the x value of P = (x, y). We want 2P = −P = (−x, y), which means the x value of 2P must equal the x value of (−P ). We therefore get the equation

x4 − 2bx2 − 8cx + b2 − 4ac x = . 4x3 + 4ax2 + 4bx + 4c Through cross multiplication and moving every term to one side of the equal sign we get a simpliﬁed equation in terms of x. For reasons that will make 22

sense in a little bit, let’s call this equation Ψ3. The equation is

4 3 2 2 Ψ3(x) = 3x + 4ax + 6bx + 12cx + (4ac − b ).

The roots of this equation will be the x values for our points of order 3.

If we allow x ∈ C we get 4 distinct roots. We know they are distinct be- 0 cause you can check that Ψ3(x) and Ψ3(x) have no common roots. In the event that they had a common root, then f(x) and f 0(x) would have a common root, which would be a contradiction to f(x) being non-singular. Plugging in these 4 roots of Ψ3(x) into our elliptic curve will yield a total of 8 distinct points. All together we get 9 points of order 3, the above mentioned 8 together with the point at inﬁnity O. There is only one commutative group of order 9 with every element having order 3, and that is the product of two cyclic groups of order 3.

If we restrict x to being in R, we will always get a cyclic group of order 3. If we restrict x to being in Q, we will either get a cyclic group of order 3 or the trivial group {O}.

It is not too hard to see that we can use the process we used in finding torsion points of order 3 to find torsion points of order higher than three. We simply need to find a way of re-writing nP = O that will utilize what we already know.

5.4 Nagell-Lutz Theorem There are many more points of inﬁnite order than ﬁnite order. This will become immediately evident if you were to try and discover elements in C(Q)tor by trial and error. In fact, it would be a nearly impossible feat to discover the torsion points of a curve simply by the guess-and-check method. Finding C(Q)tor would be extremely frustrating if it weren’t for a very convenient theorem, named for its two independent discoverers, the Norwegian Trygve Nagell (18951988) who published it in 1935, and Elisabeth Lutz (1937).

Theorem 3 Let P = (x, y) be a rational point of ﬁnite order. Then x and y are integers and either y = 0 (for points of order 2) or else y divides D, where D is the discriminant

D = −4a3c + a2b2 + 18abc − 4b3 − 27c2 for y2 = f(x) = x3 + ax2 + bx + c. 23

Using this theorem gives us a way to find all the rational points of finite order. However, one must keep in mind that this is not an if and only if statement. A rational point on an elliptic curve can have integer coefficients with y dividing D and not be a rational torsion point. It turns out that there is a stronger form of the Nagell-Lutz theorem that is useful for calculating: Theorem 4 Let y2 = f(x) = x3 + ax2 + bx + c be a non-singular cubic curve with integer coefficients a, b, c; and let D be the discriminant of the cubic polynomial f(x), D = −4a3c + a2b2 + 18abc − 4b3 − 27c2. Let P = (x, y) be a rational point of finite order. Then x and y are integers and either y = 0, in which case P has order 2, or else y2 divides D. The Nagell-Lutz Theorem gives us a procedure, although one that can be long and tedious, for finding the points of finite order for an elliptic curve. The procedure is simple; take D and find all the integers that divide it. These are all of the possible y values. From here we plug in each y value into our curve and factor the resulting cubic to obtain any integer x values. The bigger D is, the longer this process takes. Luckily the stronger form of Nagell-Lutz helps to cut down the number of y possibilities that divide D. Since y2 divides D, we only need to look at which perfect squares divide D instead of which integers. This significantly cuts down on the number of y values we have to process. After listing all possible (x, y) satisfying the hypotheses of the theorem, we then still need to check which of these are actually torsion points.

It is good to note that the Nagell-Lutz Theorem cannot be used to prove a rational point is of finite order, but it can be, and is often, used to prove a rational point is of infinite order. How? Easily enough, we keep computing nP until you reach either an n that gives coordinates that are not integers or until we compute past 16P , whichever happens first. Why are we only interested in up to at most 16P ? The answer lies in Mazur’s Theorem.

5.5 Mazur’s Theorem Mazur’s Theorem is a theorem which describes what we can expect about the structure of C(Q)tor. Theorem 5 Let C be a non-singular rational cubic curve, and suppose that C(Q) contains a point of ﬁnite order m. Then either 1 ≤ m ≤ 10 or m = 12. 24

More precisely, the set of all points of ﬁnite order in C(Q) forms a subgroup of C(Q) which has the following forms: i) A cyclic group of order N with 1 ≤ N ≤ 10 or N = 12. ii) The product of a cyclic group of order 2 and a cyclic group of order 2N with 1 ≤ N ≤ 4.

Amazingly, this theorem tells us that there are no rational torsion points of order greater than 12. Even more odd, there are no rational torsion points of order 11 either. Unfortunately I was unable to delve into the proof as to why no rational torsion points of order 11 exist. I was, however, able to compute the torsion subgroups of 15 different elliptic curves, one corresponding to each of the possible subgroup structures. In Appendix B you can find an example that takes you through finding C(Q)tor for one of the easier curves among the 15 I did.

5.6 Ψn(x) Suppose you were interested in ﬁnding all the rational torsion points of a speciﬁc order instead of searching for the set of all rational torsion points. Sections 5.2 and 5.3 covered torsion points of order 2 and 3; for order 3 we 4 3 2 2 use Ψ3(x) = 3x + 4ax + 6bx + 12cx + (4ac − b ) and for order 2 we can use 3 2 Ψ2(x) = x + ax + bx + c, whose roots corresponds to our elliptic curve values when y = 0. Solving

4P = O =⇒ 2P = −2P gives us

6 4 3 2 2 2 3 Ψ4(x) = 4y(x + 5bx + 20cx − 5b x − 4bcx − 8c − b ).

The roots of this equation can be used to ﬁnd the torsion points of order 4. Setting Ψ4 equal to zero tells us either y = 0, giving us the points of order 2 ( 2 divides 4 so the points of order 2 will also satisfy 4P = O, and there for 6 4 3 2 2 Ψ4 must give us the points of order 2 as well), or x + 5bx + 20cx − 5b x − 4bcx − 8c2 − b3 = 0, giving us the points of order four.

It turns out that we can ﬁnd equations Ψn(x) for each integer n, where the roots of Ψn(x) will be the x values for the points of order n. For n > 4, a set of recursion formulas take over and allow us an easy way to calculate Ψn(x). 4 3 2 2 Using Ψ2(x) = 2y and Ψ/3(x) = 3x + 4ax + 6bx + 12cx + (4ac − b ) we get 25

Deﬁnition 4

3 3 Ψ2n+1(x) = Ψn+2(x)Ψn(x) − Ψn−1(x)Ψn+1(x) for n ≥ 2

Ψ (x)(Ψ (x)Ψ (x)2 − Ψ (x)Ψ (x)2) Ψ (x) = n n+2 n−1 n−2 n+1 for n ≥ 3. 2n 2y

A quick note about the Ψn(x) equations; the roots of these equations are the torsion points of order n. These equations give both the rational and irrational torsion points for a given curve. If in factoring these equations we ﬁnd that there are no integer x values, or if there are no integer roots that lead to integer y values, then there are no rational torsion points of that order. Therefore, Ψ13(x) will have at least one real root, however it will never have any integer roots. This is a direct observation from Mazur’s Theorem.

The degrees of these Ψ equations grows very quickly. The task of calculating Ψn(x) for even relatively small values of n, such as 11, because very cumbersome. It is possible, however, to write a program that will carry out the recursions for you. In Appendix C you will ﬁnd my Ψn(x) converter program, written for gp-PARI. 26

6 Appendix A

Let’s put the curve y2 + y = x3 − x2 − 10x − 20 into Weierstrass form. We start by completing the square on the left hand side:

y2 + y = (y + 1/2) − 1/4 = x3 − x2 − 10x − 20.

Adding 1/4 to each side and making the substitution Y = y + 1/2 gives us

Y 2 = x3 − x2 − 10x − 20 + 1/4.

This substitution corresponds to making a change of axis, where the new axis Y is the old axis plus 1/2. We now need to clear the denominator on the right hand side. Suppose we allowed the following substitutions, y = d3Y and x = d2x. Plugging in Y = d−3y and x = d−2x we get

d−6y2 = d−6x3 − d−4x2 − 10d−2x − 20 + 1/4.

From here we multiply the entire equation through by d6, which leaves us with

y2 = x3 − d2x2 − 10d4x − 20d6 + d6/4.

If we choose d wisely, we can clear the denominator on the right hand side. Setting d = 2 gives us the ﬁnal equation

y2 = x3 − 4x2 − 160x − 1264. 27

7 Appendix B

2 3 Finding C(Q)tor for the curve y = x + 4.

a = 0, b = 0, c = 4 D = 432 Possible y values- {0, 1, −1, 2, −2, 3, −3, 4, −4, 6, −6, 12, −12}

0 =⇒ 0 = x3 + 4 =⇒ −4 = x3 =⇒ x∈ / Z =⇒ no points with y = 0 + + 1 =⇒ 1 = x3 + 4 =⇒ −3 = x3 =⇒ x∈ / Z =⇒ no points with y = 1 + 2 =⇒ 4 = x3 + 4 =⇒ 0 = x3 =⇒ x = 0 =⇒ (0, 2) and (0, −2) + + 3 =⇒ 9 = x3 + 4 =⇒ 5 = x3 =⇒ x∈ / Z =⇒ no points with y = 3 + + 4 =⇒ 16 = x3 + 4 =⇒ 12 = x3 =⇒ x∈ / Z =⇒ no points with y = 4 + + 6 =⇒ 36 = x3 + 4 =⇒ 32 = x3 =⇒ x∈ / Z =⇒ no points with y = 6 + + 12 =⇒ 144 = x3+4 =⇒ 140 = x3 =⇒ x∈ / Z =⇒ no points with y = 12

All possible points

(0, 2)→2(0,2)=(0,-2) =⇒ 2P = −P =⇒ order 3 (0, −2)→2(0,-2)=(0,2) =⇒ 2P = −P =⇒ order 3 O → order 1

So C(Q)tor = {O, (0, 2), (0, −2)}.

The structure of C(Qtor is a cyclic group of order 3. 28

8 Appendix C

Since all elliptic curves can be put into Classical Weierstrass Form, which has no x2 term, we can allow a = 0, thus simplifying our recursion equations. My program is broken into three parts: