Mathematics LibreTexts

8.2: Elliptic Curves


    Elliptic curves in the \(xy\)-plane are the sets of points \((x,y)\in\mathbb{R}\times\mathbb{R}\) that are the zeros of special types of third order polynomials \(f(x,y)\), with real coefficients, in the two variables \(x\) and \(y\). These curves turn out to be of fundamental interest in analytic number theory.

    More generally, one can define similar curves over arbitrary algebraic fields as follows. Let \(f(x,y)\) be a polynomial of any degree in two variables \(x\) and \(y\), with coefficients in an algebraic field \(\mathcal{F}\). We define the algebraic curve \(\mathscr{C}_f(\mathcal{F})\) over the field \(\mathcal{F}\) by \[\mathscr{C}_f(\mathcal{F})=\{(x,y)\in\mathcal{F}\times\mathcal{F}:f(x,y)=0\in \mathcal{F}\}.\] Of course one can also similarly define the algebraic curve \(\mathscr{C}_f(\mathcal{Q})\) over a field \(\mathcal{Q}\), where \(\mathcal{Q}\) is either a subfield of the field \(\mathcal{F}\) in which the coefficients of \(f\) lie, or an extension field of \(\mathcal{F}\). Thus if \(f\in\mathcal{F}[x,y]\), and if \(\mathcal{Q}\) is either an extension or a subfield of \(\mathcal{F}\), then one can define \(\mathscr{C}_f(\mathcal{Q})=\{(x,y)\in\mathcal{Q}\times\mathcal{Q}:f(x,y)=0\}\).

    Our main interest in this section will be in third order polynomials (cubic curves) \[f(x,y)=ax^3+bx^2y+cxy^2+dy^3+ex^2+fxy+gy^2+hx+iy+j,\] with coefficients in \(\mathbb{R}\), with the associated curves \(\mathscr{C}_f(\mathbb{Q})\) over the field of rational numbers \(\mathbb{Q}\subset\mathbb{R}\). Thus, basically, we will be interested in points \((x,y)\in\mathbb{R}^2\) that have rational coordinates \(x\) and \(y\), called rational points, and that satisfy \(f(x,y)=0\). Of course one can first imagine the curve \(f(x,y)=0\) in \(\mathbb{R}^2\), i.e. the curve \(\mathscr{C}_f(\mathbb{R})\) over \(\mathbb{R}\), and then choose the points on this curve that have rational coordinates. This can simply be expressed by writing that \(\mathscr{C}_f(\mathbb{Q})\subset\mathscr{C}_f(\mathbb{R})\).

    It has to be mentioned that "rational curves" \(\mathscr{C}_f(\mathbb{Q})\) are related to diophantine equations. This is in the sense that rational solutions to equations \(f(x,y)=0\) produce integer solutions to equations \(f'(x,y)=0\), where the polynomial \(f'\) is very closely related to the polynomial \(f\), if not the same one in many cases. For example every point in \(\mathscr{C}_f(\mathbb{Q})\), where \(f(x,y)=x^n+y^n\), i.e. every rational solution to \(f(x,y)=x^n+y^n=0\), produces an integer solution to \(x^n+y^n=0\). Thus algebraic curves \(\mathscr{C}_f(\mathbb{Q})\) can be of genuine interest in this sense.

    In a possible procedure to construct the curve \(\mathscr{C}_f(\mathbb{Q})\) for a polynomial \(f(x,y)\in\mathbb{R}[x,y]\) with real coefficients, one considers the possibility that, given one rational point \((x,y)\in\mathscr{C}_f(\mathbb{Q})\subset\mathscr{C}_f(\mathbb{R})\), a straight line with a rational slope \(m\) might intersect the curve \(\mathscr{C}_f(\mathbb{R})\) in a point \((x',y')\) that is also in \(\mathscr{C}_f(\mathbb{Q})\). This possibility comes from the simple fact that if \((x,y), (x',y')\in\mathscr{C}_f(\mathbb{Q})\), then the slope of the straight line that joins \((x,y)\) and \((x',y')\) is a rational number. This technique, of determining one point in \(\mathscr{C}_f(\mathbb{Q})\) from another by using straight lines as mentioned, works very well in some cases of polynomials, especially those of second degree, and works reasonably well for third order polynomials.

    Two aspects of this technique of using straight lines to determine points in \(\mathscr{C}_f(\mathbb{Q})\), which will be needed for defining elliptic curves, are the following. The first is illustrated by the following example.

    Consider the polynomial \(f(x,y)=y^2-x^2+y=(y-x+1)(y+x)\). The curve \(\mathscr{C}_f(\mathbb{R})\) contains the two straight lines \(y=x-1\) and \(y=-x\). The point \((2,1)\in\mathscr{C}_f(\mathbb{Q})\), and if one tries to find the intersection of the particular line \(y=x-1\) that passes through \((2,1)\) with \(\mathscr{C}_f(\mathbb{R})\), one finds that this includes the whole line \(y=x-1\) itself, and not just one or two other points (for example). This result is due to the fact that \(f\) is a reducible polynomial, i.e. one that can be factored in the form \(f=f'f''\) with \(f'\) and \(f''\) not just real numbers.

    In this direction one has the following general theorem concerning the number of intersection points between a straight line \(L\) and an algebraic curve \(\mathscr{C}_f(\mathbb{R})\):

    If \(f\in\mathbb{R}[x,y]\) is a polynomial of degree \(d\), and the line \(L\), which is defined by the zeros of \(g(x,y)=y-mx-b\in\mathbb{R}[x,y]\), is such that \(L\cap\mathscr{C}_f(\mathbb{R})\) contains more than \(d\) points (counting the multiplicities of intersections), then in fact \(L=\mathscr{C}_g(\mathbb{R})\subset\mathscr{C}_f(\mathbb{R})\), and \(f\) can be written in the form \(f(x,y)=g(x,y)p(x,y)\), where \(p(x,y)\) is some polynomial of degree \(d-1\).

    In connection with the above theorem, and in defining an elliptic curve \(\mathscr{C}_f(\mathbb{R})\), where \(f\) is a polynomial of degree three, we shall require that any straight line that passes through two points \((x_1,y_1), (x_2,y_2)\in\mathscr{C}_f(\mathbb{R})\) also passes through a unique third point \((x_3,y_3)\) of the curve. Here the two points could be the same point, if the curve is differentiable there and the tangent to the curve at that point has the same slope as the line. By the above theorem, if a line intersects the curve \(\mathscr{C}_f(\mathbb{R})\) associated with the third order polynomial \(f\) in more than three points, then the line itself is a subset of \(\mathscr{C}_f(\mathbb{R})\). This will be excluded for the kind of third degree polynomials \(f\) whose associated algebraic curves shall be called elliptic curves.

    One other thing to be excluded, to have third order curves characterized as elliptic curves, is the existence of singular points on the curve, where a singular point is one where the curve does not admit a unique tangent.

    It has to be mentioned that in the previous discussion, the points on the curve \(\mathscr{C}_f(\mathbb{R})\) may lie at infinity. To deal with this situation we assume that the curve is in fact a curve in the real projective plane \(\mathbb{P}_2(\mathbb{R})\). We now can define an elliptic curve \(\mathscr{C}_f(\mathbb{R})\) as being such that \(f(x,y)\) is an irreducible third order polynomial with \(\mathscr{C}_f(\mathbb{R})\) having no singular points in \(\mathbb{P}_2(\mathbb{R})\).

    The main idea behind the above definition for elliptic curves is to have a curve whereby any two points \(A\) and \(B\) on the curve can determine a unique third point, to be denoted by \(AB\), using a straight line joining \(A\) and \(B\). The possibilities are as follows: If the line joining \(A\) and \(B\) is not tangent to the curve \(\mathscr{C}_f(\mathbb{R})\) at any point, then the line intersects the curve in exactly three different points two of which are \(A\) and \(B\) while the third is \(AB\). If the line joining \(A\) and \(B\) is tangent to the curve at some point \(p\) then either this line intersects \(\mathscr{C}_f(\mathbb{R})\) in exactly two points, \(p\) and some other point \(p'\), or intersects the curve in only one point \(p\). If the line intersects \(\mathscr{C}_f(\mathbb{R})\) in two points \(p\) and \(p'\), then either \(p=A=B\) in which case \(AB=p'\), or \(A\neq B\) in which case (irrespective of whether \(p=A\) and \(p'=B\) or vice-versa) one would have \(p=AB\). While if the line intersects \(\mathscr{C}_f(\mathbb{R})\) in only one point \(p\) then \(p=A=B=AB\).

    The above discussion establishes a binary operation on elliptic curves that produces, for any two points \(A\) and \(B\) a uniquely defined third point \(AB\). This binary operation in turn produces, as will be described next, another binary operation, denoted by \(+\), that defines a group structure on \(\mathscr{C}_f(\mathbb{R})\) that is associated with the straight-line construction discussed so far.

    A group structure on an elliptic curve \(\mathscr{C}_f(\mathbb{R})\) is defined as follows: Consider an arbitrary point, denoted by \(0\), on \(\mathscr{C}_f(\mathbb{R})\). We define, for any two points \(A\) and \(B\) on \(\mathscr{C}_f(\mathbb{R})\), the point \(A+B\) by \[A+B=0(AB),\] meaning that we first determine the point \(AB\) as above, then we determine the point \(0(AB)\) corresponding to \(0\) and \(AB\). Irrespective of the choice of the point \(0\), one has the following theorem on a group structure determined by \(+\) on \(\mathscr{C}_f(\mathbb{R})\).

    Let \(\mathscr{C}_f(\mathbb{R})\) be an elliptic curve, and let \(0\) be any point on \(\mathscr{C}_f(\mathbb{R})\). Then the above binary operation \(+\) defines an Abelian group structure on \(\mathscr{C}_f(\mathbb{R})\), with \(0\) being the identity element and \(-A=A(00)\) for every point \(A\).

    The proof is very lengthy and can be found in . We first note that if \(0\) and \(0'\) are two different points on an elliptic curve with associated binary operations \(+\) and \(+'\), then one can easily show that for any two points \(A\) and \(B\) \[A+'B=A+B-0'.\] This shows that the various group structures that can be defined on an elliptic curve by considering all possible points \(0\) and associated operations \(+\), are essentially the same, up to a "translation".

    Consider the group structure on an elliptic curve \(\mathscr{C}_f(\mathbb{R})\), corresponding to an operation \(+\) with identity element \(0\). If the cubic polynomial \(f\) has rational coefficients, then the subset \(\mathscr{C}_f(\mathbb{Q})\subset\mathscr{C}_f(\mathbb{R})\) of rational solutions to \(f(x,y)=0\) forms a subgroup of \(\mathscr{C}_f(\mathbb{R})\) if and only if \(0\) is itself a rational point (i.e. a rational solution).

    If \(\mathscr{C}_f(\mathbb{Q})\) is a subgroup of \(\mathscr{C}_f(\mathbb{R})\), then it must contain the identity \(0\), and thus \(0\) would be a rational point. Conversely, assume that \(0\) is a rational point. First, since \(f\) has rational coefficients, then for any two rational points \(A\) and \(B\) in \(\mathscr{C}_f(\mathbb{Q})\) one must have that \(AB\) is also rational, and thus (since \(0\) is assumed rational) that \(0(AB)\) is rational, making \(A+B=0(AB)\) rational. Thus \(\mathscr{C}_f(\mathbb{Q})\) would be closed under \(+\). Moreover, since for every \(A\in\mathscr{C}_f(\mathbb{Q})\) one has that \(-A=A(00)\), then \(-A\) is also rational, which makes \(\mathscr{C}_f(\mathbb{Q})\) closed under inversion. Hence \(\mathscr{C}_f(\mathbb{Q})\) is a subgroup.

    Thus by lemma 18, the set of all rational points on an elliptic curve forms a subgroup of the group determined by the curve and a point \(0\), if and only if the identity element \(0\) is itself a rational point. In other words, one finds that if the elliptic curve \(\mathscr{C}_f(\mathbb{R})\) contains one rational point \(p\), then there exists a group structure on \(\mathscr{C}_f(\mathbb{R})\), with \(0=p\) and the corresponding binary operation \(+\), such that the set \(\mathscr{C}_f(\mathbb{Q})\) of all rational points on \(\mathscr{C}_f(\mathbb{R})\) is a group.

    One thing to note about rational solutions to general polynomial functions \(f(x,y)\) is that they correspond to integer solutions to a corresponding homogeneous polynomial \(h(X,Y,Z)\) in three variables, and vice versa, where homogeneous practically means that this function is a linear sum of terms each of which has the same total power when the powers of the variables involved in the term are added. For example \(XY^2-2X^3+XYZ+Z^3\) is homogeneous.

    In fact a rational solution \(x=a/b\) and \(y=c/d\) for \(f(x,y)=0\), where \(a,b,c,d\) are integers, can first be written as \(x=ad/bd\) and \(y=cb/bd\), and thus one can always have this solution in the form \(x=X/Z\) and \(y=Y/Z\), where \(X=ad, Y=cb\) and \(Z=bd\). If \(x=X/Z\) and \(y=Y/Z\) are replaced in \(f(x,y)=0\), one obtains a new version \(h(X,Y,Z)=0\) of this equation written in terms of the new variables \(X,Y,Z\). One can immediately see that this new polynomial function \(h(X,Y,Z)\) is homogeneous in \(X,Y,Z\). The homogeneous function \(h(X,Y,Z)\) in \(X,Y,Z\) is the form that \(f(x,y)\) takes in projective space, where in this case the transformations \(x=X/Z\) and \(y=Y/Z\) define the projective transformation that takes \(f(x,y)\) to \(h(X,Y,Z)\).

    If we now go back to the cubic equation \(f(x,y)=0\), one can transform this function into its cubic homogeneous form \(h(X,Y,Z)=0\), where \[\begin{aligned} h(X,Y,Z)={}&aX^3+bX^2Y+cXY^2+dY^3+eX^2Z\\&+fXYZ+gY^2Z+hXZ^2+iYZ^2+jZ^3,\end{aligned}\] by using the projective transformation \(x=X/Z\) and \(y=Y/Z\). Then, by imposing some conditions, such as requiring that the point \((1,0,0)\) (in projective space) satisfy this equation, and that the line tangent to the curve at the point \((1,0,0)\) be the \(Z\)-axis that intersects the curve in the point \((0,1,0)\), and that the \(X\)-axis is the line tangent to the curve at \((0,1,0)\), one can immediately show that the homogeneous cubic equation above becomes of the form \[h(X,Y,Z)=cXY^2+eX^2Z+fXYZ+hXZ^2+iYZ^2+jZ^3.\] By using the projective transformation again, and using new coefficients, this gives that points on the curve \(\mathscr{C}_f(\mathbb{R})\) are precisely those on the curve \(\mathscr{C}_h(\mathbb{R})\), where \[h(x,y)=axy^2+bx^2+cxy+dx+ey+f.\] With a further simple change of variables (consisting of polynomial functions in \(x\) and \(y\) with rational coefficients) one obtains that the points on the curve \(\mathscr{C}_f(\mathbb{R})\) are precisely those on \(\mathscr{C}_g(\mathbb{R})\) where \[g(x,y)=y^2-4x^3+g_2x-g_3,\] i.e. that \(\mathscr{C}_f(\mathbb{R})=\mathscr{C}_g(\mathbb{R})\). The equation \(g(x,y)=0\), where \(g\) is given in (8.10), is said to be the Weierstrass normal form of the equation \(f(x,y)=0\). Thus, in particular, any elliptic curve defined by a cubic \(f\) is birationally equivalent to an elliptic curve defined by a polynomial \(g(x,y)\) as above. Birational equivalence between curves is defined here as being a rational transformation, together with its inverse transformation, that takes the points on one curve to another, and vice-versa.
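
    The straight-line construction \(AB\), the sum \(A+B=0(AB)\), the inverse \(-A=A(00)\) and the translation rule \(A+'B=A+B-0'\) can be checked in exact rational arithmetic on a curve in Weierstrass normal form. The following is an added example, not part of the original text; the sample values \(g_2=4\), \(g_3=-4\) (the curve \(y^2=4x^3-4x+4\), written in the code through the constants `G2` and `G3`), the sample points and the function names are assumptions made for the illustration.

```python
from fractions import Fraction as F

# Constructed sample curve y^2 = 4x^3 - G2*x + G3, i.e. the form above with
# g2 = 4 and g3 = -4; these values are assumed for this example.
G2, G3 = F(4), F(4)
INF = None  # the point at infinity of the projective plane lying on the curve

def on_curve(P):
    """True if P is the point at infinity or satisfies the curve equation."""
    return P is INF or P[1]**2 - 4*P[0]**3 + G2*P[0] - G3 == 0

def chord(A, B):
    """The point AB: third intersection of the line through A and B."""
    if A is INF and B is INF:
        return INF                       # infinity is an inflection point
    if A is INF or B is INF:             # vertical line through the finite point
        x, y = B if A is INF else A
        return (x, -y)
    x1, y1, x2, y2 = map(F, A + B)       # exact rational arithmetic
    if x1 == x2:
        if y1 != y2 or y1 == 0:
            return INF                   # vertical line meets the curve at infinity
        m = (12*x1*x1 - G2) / (2*y1)     # tangent slope, from 2y y' = 12x^2 - G2
    else:
        m = (y2 - y1) / (x2 - x1)        # rational slope of the chord
    x3 = m*m/4 - x1 - x2                 # the three roots in x sum to m^2/4
    return (x3, y1 + m*(x3 - x1))

def add(A, B, O):
    """A + B = O(AB) for the chosen identity O."""
    return chord(O, chord(A, B))

def neg(A, O):
    """-A = A(OO)."""
    return chord(A, chord(O, O))

if __name__ == "__main__":
    A, B, O = (0, 2), (1, 2), (3, 10)    # rational points on the sample curve
    print("AB     =", chord(A, B))       # third point on the line y = 2
    print("A + B  =", add(A, B, O))
    print("-A     =", neg(A, O))
    print("A + O  =", add(A, O, O))      # O acts as the identity
    # Translation rule A +' B = A + B - 0' with 0 = INF and 0' = O:
    lhs = add(A, B, O)
    rhs = add(add(A, B, INF), neg(O, INF), INF)
    print("translation rule holds:", lhs == rhs)
```

    Every intermediate value is a `Fraction`, which illustrates the lemma above: starting from rational points and a rational identity, the construction never leaves \(\mathscr{C}_f(\mathbb{Q})\).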

    Contributors and Attributions

    • Dr. Wissam Raji, Ph.D., of the American University in Beirut. His work was selected by the Saylor Foundation’s Open Textbook Challenge for public release under a Creative Commons Attribution (CC BY) license.


    This page titled 8.2: Elliptic Curves is shared under a CC BY license and was authored, remixed, and/or curated by Wissam Raji.
