Computing the Mordell–Weil Group

Silverman, Joseph H.

doi:10.1007/978-0-387-09494-6_10

Joseph H. Silverman⁴

Part of the book series: Graduate Texts in Mathematics ((GTM,volume 106))

22k Accesses

Abstract

A better title for this chapter might be “Computing the Weak Mordell–Weil Group,” since we will be concerned solely with the problem of computing generators for the group E(K)∕mE(K).

Access provided by Autonomous University of Puebla. Download chapter PDF

A better title for this chapter might be “Computing the Weak Mordell–Weil Group,” since we will be concerned solely with the problem of computing generators for the group E(K)∕mE(K). However, given generators for E(K)∕mE(K), a finite amount of computation yields generators for E(K); see (VIII.3.2) and Exercise 8.18. Unfortunately, there is no comparable algorithm currently known that is guaranteed to give generators for E(K)∕mE(K) in a finite amount of time!

We start in (X §1) by taking the proof of the weak Mordell–Weil theorem given in (VIII §1) and making it quite explicit. In this way the computation of the quotient E(K)∕mE(K) (in a special case) is reduced to the problem of determining whether each of a certain finite set of auxiliary curves, called homogeneous spaces, has a single rational point. The question whether a given homogeneous space has a rational point may often be answered either affirmatively by finding a point or negatively by showing that it has no points in some completion K _v of K.

The subsequent two sections develop the general theory of homogeneous spaces (for elliptic curves). Then, in (X §4), we apply this theory to the problem of computing E(K)∕mE(K) or, more generally, $E'(K)/\phi {\bigl (E(K)\bigr )}$ for an isogeny

$$\displaystyle{\phi : E \rightarrow E'.}$$

Again this computation is reduced to the problem of the existence of a single rational point on certain homogeneous spaces. The only impediment to solving this latter problem occurs if some homogeneous space has a K _v-rational point for every completion K _v of K, yet fails to have a K-rational point. Unfortunately, this precise situation, the failure of the so-called Hasse principle, does occur. The extent of its failure is quantified by the elements of a certain group, called the Shafarevich–Tate group. The question of an effective algorithm for the computation of E(K)∕mE(K) is thus finally reduced to the problem of giving a bound for divisibility in the Shafarevich–Tate group, or, even better, proving the conjecture that the Shafarevich–Tate group is finite. In the last section we illustrate the general theory by studying in some detail the family of elliptic curves given by the equations

$$\displaystyle{E_{D} : Y ^{2} = X^{3} + DX,\qquad D \in \mathbb{Q}.}$$

In particular, we compute the torsion subgroups and give an upper bound for the rank of $E_{D}(\mathbb{Q})$, we give a large class of examples for which $E_{D}(\mathbb{Q})$ has rank 0, and we show that in certain cases $E_{D}(\mathbb{Q})$ has an associated homogeneous space that violates the Hasse principle, i.e., the homogeneous space has points defined over $\mathbb{R}$ and over $\mathbb{Q}_{p}$ for every prime p, but it has no $\mathbb{Q}$-rational points.

Unless explicitly stated to the contrary, the notation for this chapter is the same as for Chapter VIII. In particular, K is a number field and M _K is a complete set of inequivalent absolute values on K. However, as indicated in the text, this specification is dropped in (X §§2,3,5), where K is allowed to be an arbitrary (perfect) field.

X.1 An Example

For this section we let E∕K be an elliptic curve and m ≥ 2 an integer, and we assume that

$$\displaystyle{E[m] \subset E(K).}$$

Recall from (VIII §1) that under this assumption there is a pairing

$$\displaystyle{\kappa : E(K) \times G_{\bar{K}/K}\longrightarrow E[m]}$$

defined by

$$\displaystyle{\kappa (P,\sigma ) = Q^{\sigma } - Q,}$$

where $Q \in E(\bar{K})$ is chosen to satisfy [m]Q = P. Further, (VIII.1.2) says that the kernel on the left is mE(K), so we may view κ as a homomorphism

$$\displaystyle\begin{array}{rcl} & \delta _{E} : E(K)/mE(K)\longrightarrow \mathop{\mathrm{Hom}}\nolimits {\bigl (G_{\bar{K}/K},E[m]\bigr )},& {}\\ & \delta _{E}(P)(\sigma ) =\kappa (P,\sigma ). & {}\\ \end{array}$$

(This is the connecting homomorphism for a group cohomology long exact sequence; see (VIII §2).)

We also observe from (III.8.1.1) that our assumption $E[m] \subset E(K)$ implies that $\boldsymbol{\mu }_{m} \subset K^{{\ast}}$. This follows from basic properties of the Weil pairing (III.8.1.1),

$$\displaystyle{e_{m} : E[m] \times E[m]\longrightarrow \boldsymbol{\mu }_{m}.}$$

The Weil pairing will play a prominent role in this section.

Finally, since $\boldsymbol{\mu }_{m} \subset K^{{\ast}}$, Hilbert’s Theorem 90 (B.2.5c) says that every homomorphism $G_{\bar{K}/K} \rightarrow \boldsymbol{\mu }_{m}$ has the form

$$\displaystyle{\sigma \longmapsto \frac{\beta ^{\sigma }} {\beta }\quad \mbox{ for some $\beta \in \bar{K}^{{\ast}}$ satisfying $\beta ^{m} \in K^{{\ast}}$.}}$$

In other words, there is an isomorphism (cf. VIII §2)

$$\displaystyle{\delta _{K} : K^{{\ast}}/(K^{{\ast}})^{m}\longrightarrow \mathop{ \mathrm{Hom}}\nolimits (G_{\bar{ K}/K},\boldsymbol{\mu }_{m})}$$

defined by

$$\displaystyle{\delta _{K}(b)(\sigma ) = \beta ^{\sigma }/\beta ,}$$

where $\beta \in \bar{K}^{{\ast}}$ is chosen to satisfy β ^m = b. Note the close resemblance in the definitions of δ _E and δ _K. This is no coincidence. The map δ _E is the connecting homomorphism for the Kummer sequence associated to the group variety E∕K, and δ _K is the connecting homomorphism for the Kummer sequence associated to the group variety $\mathbb{G}_{m}/K$.

Using these maps, we can make the proof of the weak Mordell–Weil theorem much more explicit, and by doing so, derive formulas that allow us to compute the Mordell–Weil group in certain cases. We start with a theoretical description of the method.

Theorem 1.1.

(a)
With notation as above, there is a bilinear pairing
$$\displaystyle\begin{array}{rcl} b : E(K)/mE(K) \times E[m]\longrightarrow K^{{\ast}}/(K^{{\ast}})^{m}& & {}\\ \end{array}$$
satisfying
$$\displaystyle\begin{array}{rcl} e_{m}{\bigl (\delta _{E}(P),T\bigr )} = \delta _{K}{\bigl (b(P,T)\bigr )}.& & {}\\ \end{array}$$
(b)
The pairing in (a) is nondegenerate on the left.
(c)
Let $S \subset M_{K}$ be the union of the set of infinite places, the set of finite primes at which E has bad reduction, and the set of finite primes dividing m. Then the image of the pairing in (a) lies in the following subgroup of K ^∗ ∕(K ^∗ ) ^m :
$$\displaystyle{K(S,m) ={\bigl \{ b \in K^{{\ast}}/(K^{{\ast}})^{m} : \mbox{ $\mathop{\mathrm{ord}}\nolimits _{ v}(b) \equiv 0(\text{ mod}m)$ for all $v\notin S$}\bigr \}}.}$$
(d)
The pairing in (a) may be computed as follows. For each T ∈ E[m], choose functions f _T ,g _T ∈ K(E) satisfying the conditions
$$\displaystyle{\mathop{\mathrm{div}}\nolimits (f_{T}) = m(T) - m(O)\qquad \text{and}\qquad f_{T} \circ [m] = g_{T}^{m}}$$
( cf. the definition of the Weil pairing (III §8) ) . Then for any point P ≠ T,
$$\displaystyle{b(P,T) \equiv f_{T}(P)\pmod (K^{{\ast}})^{m}.}$$
( If P = T, we can compute b(T,T) using linearity. For example, if [2]T ≠ O, then b(T,T) = f _T (−T) ⁻¹ . More generally, let Q ∈ E(K) be any point with Q ≠ T; then b(T,T) = f _T (T + Q)f _T (Q) ⁻¹ . )

Remark 1.2.

Why do we say that (X.1.1) provides formulas that help us to compute the Mordell–Weil group? First, the group K(S, m) in (c) is finite (see the proof of (VIII.1.6)), and in fact it is reasonably easy to explicitly compute K(S, m). Second, the functions f _T in (d) are also fairly easy to compute from the equation of the curve. (This is true even for quite large values of m; see (XI.8.1).) Then the fact that the pairing in (a) is nondegenerate on the left means that in order to compute E(K)∕mE(K), it is necessary to do “only” the following:

Fix generators T ₁ and T ₂ for E[m]. For each of the finitely many pairs

$$\displaystyle{(b_{1},b_{2}) \in K(S,m) \times K(S,m),}$$

check whether the simultaneous equations

$$\displaystyle{b_{1}^{}z_{1}^{m} = f_{ T_{1}}(P)\qquad \text{and}\qquad b_{2}^{}z_{2}^{m} = f_{ T_{2}}(P)}$$

have a solution (P, z ₁, z ₂) ∈ E(K) × K ^∗× K ^∗. We can be even more explicit if we express the function f _T in terms of Weierstrass coordinates x and y. Then we are looking for a solution (x, y, z ₁, z ₂) ∈ K × K × K ^∗× K ^∗ satisfying

$$\displaystyle\begin{array}{rcl} y^{2} + a_{ 1}xy + a_{3}y = x^{3} + a_{ 2}x^{2} + a_{ 4}x + a_{6},& & {}\\ b_{1}^{}z_{1}^{m} = f_{ T_{1}}(x,y),\qquad b_{2}^{}z_{2}^{m} = f_{ T_{2}}(x,y).& & {}\\ \end{array}$$

These equations define a new curve, called a homogeneous space for E∕K. (We discuss homogeneous spaces in more detail in (X §3).) What we have done is reduce the problem of calculating E(K)∕mE(K) to the problem of the existence or non-existence of a single rational point on each of an explicitly given finite set of curves. Frequently, many of these curves can be immediately eliminated from consideration because they have no points over some completion K _v of K, which is an easy thing to check. On the other hand, a short search by hand or with a computer often uncovers rational points on some of the others. If, in this way, we can deal with all of the homogeneous spaces in question, then the determination of E(K)∕mE(K) is complete. The problem that arises is that occasionally there is a homogeneous space having points defined over every completion K _v, yet having no K-rational points. It is this situation, the failure of the Hasse principle, that makes the Mordell–Weil theorem ineffective.

Remark 1.3.

Notice that the condition $\mathop{\mathrm{div}}\nolimits (f_{T}) = m(T) - m(O)$ in (X.1.1d) is enough to specify f _T only up to multiplication by an arbitrary element of K ^∗. However, the equality f _T ∘ [m] = g _T ^m with g _T ∈ K(E) means that in fact f _T is well-determined up to multiplication by an element of (K ^∗)^m. Thus the value of f _T(P) in (X.1.1d) is a well-defined element of K ^∗∕(K ^∗)^m.

We now give the proof of (X.1.1), after which we study the case m = 2 in more detail and use it to compute E(K)∕2E(K) for an example.

Proof Proof of (X.1.1).

(a) Hilbert’s Theorem 90 (B.2.5c) shows that the pairing is well-defined. Bilinearity follows from bilinearity of the Kummer pairing (VIII.1.2b) and bilinearity of the Weil e _m-pairing (III.8.1a).

(b)In order to prove nondegeneracy on the left, we suppose that b(P, T) = 1 for all T ∈ E[m]. This means that for all T ∈ E[m] and all $\sigma \in G_{\bar{K}/K}$,

$$\displaystyle{e_{m}{\bigl (\kappa (P,\sigma ),T\bigr )} = 1.}$$

The nondegeneracy of the Weil pairing (III.8.1c) implies that $\kappa (P,\sigma ) = 0$ for all $\sigma$, and then (VIII.1.2c) tells us that P ∈ mE(K).

(c)Let β = b(P, T)^1∕m . Tracing through the definitions, we see that the field K(β) is contained in the field $K{\bigl ([m]^{-1}E(K)\bigr )}$ described in (VIII.1.2d). Further, applying (VIII.1.5b) tells us that the extension L∕K is unramified outside S. But it is easy to see that if v ∈ M _K is a finite place with v(m) = 0, then the extension K(β)∕K is unramified at v if and only if

$$\displaystyle{\mathop{\mathrm{ord}}\nolimits _{v}(\beta ^{m}) \equiv 0\pmod m.}$$

(Here $\mathop{\mathrm{ord}}\nolimits _{v} : K^{{\ast}}\twoheadrightarrow \mathbb{Z}$ is the normalized valuation associated to v.) This says precisely that b(P, T) ∈ K(S, m).

(d)Choose $Q \in E(\bar{K} )$ and $\beta \in \bar{K}^{{\ast}}$ satisfying

$$\displaystyle{P = [m]Q\qquad \text{and}\qquad b(P,T) = \beta ^{m}.}$$

Then for all $\sigma \in G_{\bar{K}/K}$ we have by definition

$$\displaystyle\begin{array}{rcl} e_{m}{\bigl (\delta (P)(\sigma ),T\bigr )}& =& \delta _{K}{\bigl (b(P,T)\bigr )}(\sigma ), {}\\ e_{m}(Q^{\sigma } - Q,T)& =& \beta ^{\sigma }/\beta , {}\\ g_{T}(X + Q^{\sigma } - Q)/g_{T}(X)& =& \beta ^{\sigma }/\beta , {}\\ g_{T}(Q)^{\sigma }/g_{T}(Q)& =& \beta ^{\sigma }/\beta \qquad \mbox{ putting $X = Q$.} {}\\ \end{array}$$

Since δ _K is an isomorphism, it follows that $g_{T}(Q)^{m} \equiv \beta ^{m}\ (\text{ mod}\ (K^{{\ast}})^{m})$. (Note that g _T(Q)^m = f _T(P) is in K ^∗.) Therefore

$$\displaystyle{f_{T}(P) = f_{T} \circ [m](Q) = g_{T}(Q)^{m} \equiv \beta ^{m} = b(P,T)\pmod (K^{{\ast}})^{m}.}$$

□

We now consider the special case m = 2, which is by far the easiest with which to work. Under our assumption $E[m] \subset E(K)$, we may take a Weierstrass equation for E of the form

$$\displaystyle{y^{2} = (x - e_{ 1})(x - e_{2})(x - e_{3})\qquad \mbox{ with $e_{1},e_{2},e_{3} \in K$.}}$$

The three nontrivial 2-torsion points are

$$\displaystyle{T_{1} = (e_{1},0),\quad T_{2} = (e_{2},0),\quad T_{3} = (e_{3},0).}$$

Letting T = (e, 0) represent any one of these points, we claim that the associated function f _T specified in (X.1.1d) is f _T = x − e. It is clear that this function has the correct divisor,

$$\displaystyle{\mathop{\mathrm{div}}\nolimits (x - e) = 2(T) - 2(O).}$$

It is then a calculation to check that

$$\displaystyle{x \circ [2] = \left (\frac{x^{2} - 2ex - 2e^{2} + 2(e_{1} + e_{2} + e_{3})e - (e_{1}e_{2} + e_{1}e_{3} + e_{2}e_{3})} {2y} \right )^{2},}$$

so x − e has both of the properties needed to be f _T.

Now suppose that we have chosen a pair (b ₁, b ₂) ∈ K(S, m) × K(S, m) and that we want to determine whether there is a point P ∈ E(K)∕2E(K) satisfying

$$\displaystyle{b(P,T_{1}) = b_{1}\qquad \text{and}\qquad b(P,T_{2}) = b_{2}.}$$

Such a point exists if and only if there is a solution

$$\displaystyle{(x,y,z_{1},z_{2}) \in K \times K \times K^{{\ast}}\times K^{{\ast}}}$$

to the system of equations

$$\displaystyle{y^{2} = (x - e_{ 1})(x - e_{2})(x - e_{3}),\qquad b_{1}^{}z_{1}^{2} = x - e_{ 1},\qquad b_{2}^{}z_{2}^{2} = x - e_{ 2}.}$$

We substitute the latter two equations into the former and define a new variable z ₃ by y = b ₁ b ₂ z ₁ z ₂ z ₃, which is permissible since b ₁, b ₂, z ₁, and z ₂ take only nonzero values. This yields the three equations

$$\displaystyle{b_{1}^{}b_{2}^{}z_{3}^{2} = x - e_{ 3},\qquad b_{1}^{}z_{1}^{2} = x - e_{ 1},\qquad b_{2}^{}z_{2}^{2} = x - e_{ 2}.}$$

Finally, eliminating x gives the pair of equations

$$\displaystyle{b_{1}^{}z_{1}^{2} - b_{ 2}^{}z_{2}^{2} = e_{ 2} - e_{1},\qquad b_{1}^{}z_{1}^{2} - b_{ 1}^{}b_{2}^{}z_{3}^{2} = e_{ 3} - e_{1}.}$$

This gives a finite collection of equations, one for each pair (b ₁, b ₂), and we may use whatever techniques are at our disposal (e.g., v-adic, computer search) to determine whether they have a solution. Notice that if we do find a solution (z ₁, z ₂, z ₃), then we immediately recover the corresponding point in E(K)∕2E(K) using the formulas

$$\displaystyle{x = b_{1}^{}z_{1}^{2} + e_{ 1},\qquad y = b_{1}b_{2}z_{1}z_{2}z_{3}.}$$

Finally we must deal with the fact that the definition b(P, T) = f _T(P) cannot be used if it happens that P = T. In other words, there are two pairs (b ₁, b ₂) that do not arise from the above procedure, namely the pairs ${\bigl (b(T_{1},T_{1}),b(T_{1},T_{2})\bigr )}$ and ${\bigl (b(T_{2},T_{1}),b(T_{2},T_{2})\bigr )}$. These values may be computed using linearity as

$$\displaystyle\begin{array}{rcl} b(T_{1},T_{1})& =& b(T_{1},T_{1} + T_{2})b(T_{1},T_{2})^{-1} {}\\ & =& b(T_{1},T_{3})b(T_{1},T_{2})^{-1} {}\\ & =& \frac{e_{1} - e_{3}} {e_{1} - e_{2}}, {}\\ \end{array}$$

and similarly

$$\displaystyle{b(T_{2},T_{2}) = \frac{e_{2} - e_{3}} {e_{2} - e_{1}}.}$$

We summarize this entire procedure in the following proposition.

Proposition 1.4.

(Complete 2-Descent) Let E∕K be an elliptic curve given by a Weierstrass equation

$$\displaystyle{y^{2} = (x - e_{ 1})(x - e_{2})(x - e_{3})\qquad \mbox{ with $e_{1},e_{2},e_{3} \in K$.}}$$

Let $S \subset M_{K}$ be a finite set of places of K including all archimedean places, all places dividing 2, and all places at which E has bad reduction. Further let

$$\displaystyle{K(S,2) ={\bigl \{ b \in K^{{\ast}}/(K^{{\ast}})^{2} : \mbox{ $\mathop{\mathrm{ord}}\nolimits _{ v}(b) \equiv 0(\text{ mod}2)$ for all $v\notin S$}\bigr \}}.}$$

Then there is an injective homomorphism

$$\displaystyle{E(K)/2E(K)\longrightarrow K(S,2) \times K(S,2)}$$

defined by

$$\displaystyle{P = (x,y)\longmapsto \left \{\begin{array}{@{}l@{\quad }l@{}} (x - e_{1},x - e_{2}) \quad &\mbox{ if $x\neq e_{1},e_{2}$,} \\ \left (\dfrac{e_{1} - e_{3}} {e_{1} - e_{2}},e_{1} - e_{2}\right )\quad &\mbox{ if $x = e_{1}$,} \\ \left (e_{2} - e_{1}, \dfrac{e_{2} - e_{3}} {e_{2} - e_{1}}\right )\quad &\mbox{ if $x = e_{2}$,} \\ (1,1) \quad &\mbox{ if $x = \infty $, i.e., if $P = O$.}\\ \quad \end{array} \right .}$$

Let (b ₁ ,b ₂ ) ∈ K(S,2) × K(S,2) be a pair that is not the image of one of the three points O, (e ₁ ,0), (e ₂ ,0). Then (b ₁ ,b ₂ ) is the image of a point

$$\displaystyle{\mbox{ $P = (x,y) \in E(K)/2E(K)$}}$$

if and only if the equations

$$\displaystyle\begin{array}{rcl} b_{1}^{}z_{1}^{2} - b_{ 2}^{}z_{2}^{2}& =& e_{ 2} - e_{1}, {}\\ b_{1}^{}z_{1}^{2} - b_{ 1}^{}b_{2}^{}z_{3}^{2}& =& e_{ 3} - e_{1}, {}\\ \end{array}$$

have a solution (z ₁ ,z ₂ ,z ₃ ) ∈ K ^∗ × K ^∗ × K. If such a solution exists, then we can take

$$\displaystyle{P = (x,y) = (b_{1}^{}z_{1}^{2} + e_{ 1},b_{1}b_{2}z_{1}z_{2}z_{3}).}$$

Proof.

As explained above, this is a special case of (X.1.1). □

Example 1.5.

We use (X.1.4) to compute $E(\mathbb{Q})/2E(\mathbb{Q})$ for the elliptic curve

$$\displaystyle{E : y^{2} = x^{3} - 12x^{2} + 20x = x(x - 2)(x - 10).}$$

This equation has discriminant

$$\displaystyle{\varDelta = 409600 = 2^{14}5^{2},}$$

so it has good reduction except at 2 and 5. Reducing the equation modulo 3, we easily check that $\#\tilde{E}(\mathbb{F}_{3}) = 4$. Since $E[2] \subset E_{\text{tors}}(\mathbb{Q})$ and $E_{\text{tors}}(\mathbb{Q})$ injects into $\tilde{E}(\mathbb{F}_{3})$ from (VII.3.5), we see that

$$\displaystyle{E_{\text{tors}}(\mathbb{Q}) = E[2].}$$

Let $S =\{ 2,5,\infty \}\subset M_{\mathbb{Q}}$. Then a complete set of representatives for

$$\displaystyle{\mathbb{Q}(S,2) ={\bigl \{ b \in \mathbb{Q}^{{\ast}}/(\mathbb{Q}^{{\ast}})^{2} : \mbox{ $\mathop{\mathrm{ord}}\nolimits _{ p}(b) \equiv 0(\text{ mod}2)$ for all $p\notin S$}\bigr \}}}$$

is given by the set

$$\displaystyle{\{\pm 1,\pm 2,\pm 5,\pm 10\}.}$$

We identify this set with $\mathbb{Q}(S,2)$. Now consider the map given in (X.1.4),

$$\displaystyle{E(\mathbb{Q})/2E(\mathbb{Q})\longrightarrow \mathbb{Q}(S,2) \times \mathbb{Q}(S,2),}$$

say with

$$\displaystyle{e_{1} = 0,\qquad e_{2} = 2,\qquad \text{and}\qquad e_{3} = 10.}$$

There are 64 pairs $(b_{1},b_{2}) \in \mathbb{Q}(S,2) \times \mathbb{Q}(S,2)$, and for each pair, we must check to see whether it comes from an element of $E(\mathbb{Q})/2E(\mathbb{Q})$. For example, using (X.1.4), we can compute the image of E[2] in $\mathbb{Q}(S,2) \times \mathbb{Q}(S,2)$:

$$\displaystyle{O\mapsto (1,1),\qquad (0,0)\mapsto (5,-2),\qquad (2,0)\mapsto (2,-1),\qquad (10,0)\mapsto (10,2).}$$

It remains to determine, for every other pair (b ₁, b ₂), whether the equations

$$\displaystyle{ b_{1}^{}z_{1}^{2} - b_{ 2}^{}z_{2}^{2} = 2,\qquad b_{ 1}^{}z_{1}^{2} - b_{ 1}^{}b_{2}^{}z_{3}^{2} = 10, }$$

(*)

have a solution $z_{1},z_{2},z_{3} \in \mathbb{Q}$. For example, if b ₁ < 0 and b ₂ > 0, then (*) clearly has no rational solutions, since the first equation does not even have a solution in $\mathbb{R}$.

Proceeding systematically, we list our results in Table 10.1. The entry for each pair (b ₁, b ₂) consists of either a point of $E(\mathbb{Q})$ that maps to (b ₁, b ₂), or else a (local) field over which the equations listed in (*) have no solution. (Note that if (z ₁, z ₂, z ₃) is a solution to (*), then the corresponding point of $E(\mathbb{Q})$ is (b ₁ z ₁ ² + e ₁, b ₁ b ₂ z ₁ z ₂ z ₃).) The circled numbers in the table refer to the notes that explain each entry. Finally, we note that since the map $E(\mathbb{Q})/2E(\mathbb{Q}) \rightarrow \mathbb{Q}(S,2) \times \mathbb{Q}(S,2)$ is a homomorphism, it is not necessary to check every pair (b ₁, b ₂). For example, if both (b ₁, b ₂) and (b ₁′, b ₂′) come from $E(\mathbb{Q})$, then so does (b ₁ b ₁′, b ₂ b ₂′). Similarly, if (b ₁, b ₂) does and (b ₁′, b ₂′) does not, then (b ₁ b ₁′, b ₂ b ₂′) does not. This observation substantially reduces the number of cases of (*) that must be considered.

Table 10.1 Computing $E(\mathbb{Q})$ for E : y ² = x ³ − 12x ² + 20x.

Full size table

1.
If b ₁ < 0 and b ₂ > 0, then b ₁ z ₁ ² − b ₂ z ₂ ² = 2 has no solutions in $\mathbb{R}$.
2.
If b ₁ < 0 and b ₂ < 0, then b ₁ z ₁ ² − b ₁ b ₂ z ₃ ² = 10 has no solutions in $\mathbb{R}$.
3.
The four 2-torsion points ${\bigl \{O,(0,0),(2,0),(10,0)\bigr \}}$ map respectively to the four points (1, 1), (5, −2), (2, −1), and (10, 2).
4.
(b ₁, b ₂) = (1, −1): By inspection, the equations
$$\displaystyle{z_{1}^{2} + z_{ 2}^{2} = 2\qquad \text{and}\qquad z_{ 1}^{2} + z_{ 3}^{2} = 10}$$
have the solution (1, 1, 3). This gives the point $(1,-3) \in E(\mathbb{Q})$.
5.
Adding $(1,-3) \in E(\mathbb{Q})$ to the nontrivial two-torsion points corresponds to multiplying their (b ₁, b ₂) values. This gives three pairs (5, 2), (2, 1), and (10, −2) in $\mathbb{Q}(S,2) \times \mathbb{Q}(S,2)$, which correspond to the three rational points (20, 60), (18, −48), and (10∕9, −80∕27) in $E(\mathbb{Q})$.
6.
$b_{1}\not\equiv 0\ (\text{ mod}\ 5)$ and $b_{2} \equiv 0\ (\text{ mod}\ 5)$: The first equation in (*) implies that z ₁ and z ₂ must be 5-adically integral. Then the second equation shows that $z_{1} \equiv 0\ (\text{ mod}\ 5)$, and so from the first equation we obtain $0 \equiv 2\ (\text{ mod}\ 5)$. Therefore (*) has no solutions in $\mathbb{Q}_{5}$.
7.
The eight pairs in (6) are $\mathbb{Q}_{5}$-nontrivial, i.e., there are no $\mathbb{Q}_{5}$ solutions to (*). If we multiply these eight pairs by the $\mathbb{Q}$-trivial pair (5, 2), we obtain eight more $\mathbb{Q}_{5}$-nontrivial pairs.
8.
(b ₁, b ₂) = (1, 2): The two equations in (*) are
$$\displaystyle{z_{1}^{2} - 2z_{ 2}^{2} = 2\qquad \text{and}\qquad z_{ 1}^{2} - 2z_{ 3}^{2} = 10.}$$
Since 2 is a quadratic nonresidue modulo 5, the second equation implies that $z_{1} \equiv z_{3} \equiv 0\ (\text{ mod}\ 5)$. But then the second equation says that $0 \equiv 10\ (\text{ mod}\ 25)$. Therefore there are no solutions in $\mathbb{Q}_{5}$.
9.
Taking the $\mathbb{Q}_{5}$-nontrivial pair (1, 2) from (8) and multiplying it by the seven $\mathbb{Q}$-trivial pairs already in the table gives seven new $\mathbb{Q}_{5}$-nontrivial pairs that fill the remaining entries in the table.

Conclusion. $E(\mathbb{Q})\mathop{\cong}\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$.

X.2 Twisting—General Theory

For this section and the next we drop the requirement that K be a number field, so K will be an arbitrary (perfect) field. As we saw in (X §1), computation of the Mordell–Weil group of an elliptic curve E leads naturally to the problem of the existence or nonexistence of a single rational point on various other curves. These other curves are certain twists of E that are called homogeneous spaces. In this section we study the general question of twisting which, since it is no more difficult, we develop for curves of arbitrary genus. Then, in the next section, we look at the homogeneous spaces associated to elliptic curves.

Definition.

Let C∕K be a smooth projective curve. The isomorphism group of C, denoted by $\mathop{\mathrm{Isom}}\nolimits (C)$, is the group of $\bar{K}$-isomorphisms from C to itself. We denote the subgroup of $\mathop{\mathrm{Isom}}\nolimits (C)$ consisting of isomorphisms defined over K by $\mathop{\mathrm{Isom}}\nolimits _{K}(C)$. To ease notation, we write composition of maps multiplicatively, thus α β instead of α ∘β.

Remark 2.1.

The group that we are denoting by $\mathop{\mathrm{Isom}}\nolimits (C)$ is usually called the automorphism group of C and denoted by $\mathop{\mathrm{Aut}}\nolimits (C)$. However, if E is an elliptic curve, then we have defined $\mathop{\mathrm{Aut}}\nolimits (E)$ to be the group of isomorphisms from E to E that take O to O. Thus $\mathop{\mathrm{Aut}}\nolimits (E)\neq \mathop{\mathrm{Isom}}\nolimits (E)$, since for example, the group $\mathop{\mathrm{Isom}}\nolimits (E)$ contains translation maps τ _P : E → E. We describe $\mathop{\mathrm{Isom}}\nolimits (E)$ more fully in (X §5).

Definition.

A twist of C∕K is a smooth curve C′∕K that is isomorphic to C over $\bar{K}$. We treat two twists as equivalent if they are isomorphic over K. The set of twists of C∕K, modulo K-isomorphism, is denoted by $\mathop{\mathrm{Twist}}\nolimits (C/K)$.

Let C′∕K be a twist of C∕K. Thus there is an isomorphism ϕ : C′ → C defined over $\bar{K}$. To measure the failure of ϕ to be defined over K, we consider the map

$$\displaystyle{\xi : G_{\bar{K}/K}\longrightarrow \mathop{ \mathrm{Isom}}\nolimits (C),\qquad \xi _{\sigma } = \phi ^{\sigma }\phi ^{-1}.}$$

It turns out that $\xi$ is a 1-cocycle and that the cohomology class of $\xi$ is uniquely determined by the K-isomorphism class of C′. Further, every cohomology class comes from some twist of C∕K. In this way $\mathop{\mathrm{Twist}}\nolimits (C/K)$ may be identified with a certain cohomology set. We now prove these assertions.

Theorem 2.2.

Let C∕K be a smooth projective curve. For each twist C′∕K of C∕K, choose a $\bar{K}$ -isomorphism ϕ : C′ → C and define a map $\xi _{\sigma } = \phi ^{\sigma }\phi ^{-1} \in \mathop{\mathrm{Isom}}\nolimits (C)$ as above.

(a)
The map $\xi$ is a 1-cocycle, i.e.,
$$\displaystyle{\xi _{\sigma \tau } = (\xi _{\sigma })^{\tau }\xi _{\tau }\qquad \mbox{ for all $\sigma ,\tau \in G_{\bar{K}/K}$.}}$$
The associated cohomology class in $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}$ is denoted by $\{\xi \}$ .
(b)
The cohomology class $\{\xi \}$ is determined by the K-isomorphism class of C′ and is independent of the choice of ϕ. We thus obtain a natural map
$$\displaystyle{\mathop{\mathrm{Twist}}\nolimits (C/K)\longrightarrow H^{1}{\bigl (G_{\bar{ K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}.}$$
(c)
The map in (b) is a bijection. In other words, the twists of C∕K, up to K-isomorphism, are in one-to-one correspondence with the elements of the cohomology set $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}$ .

Remark 2.3.

We emphasize that the group $\mathop{\mathrm{Isom}}\nolimits (C)$ is often nonabelian, and indeed, it is always nonabelian for elliptic curves. Hence $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}$ is generally only a pointed set, not a group. See (B §3) for details. However, if $\mathop{\mathrm{Isom}}\nolimits (C)$ has a $G_{\bar{K}/K}$-invariant abelian subgroup A, then $H^{1}(G_{\bar{K}/K},A)$ is a group, and its image in $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}$ gives a natural group structure to some subset of $\mathop{\mathrm{Twist}}\nolimits (C)$. We apply this observation in (X §3) when C is an elliptic curve, taking for A the group of translations, and in (X §5) we do the same with $A =\mathop{ \mathrm{Aut}}\nolimits (E)$.

Proof.

(a) We compute

$$\displaystyle{\xi _{\sigma \tau } = \phi ^{\sigma \tau }\phi ^{-1} = (\phi ^{\sigma }\phi ^{-1})^{\tau }(\phi ^{\tau }\phi ^{-1}) = (\xi _{\sigma })^{\tau }\xi _{\tau }.}$$

(b)Let C″∕K be another twist of C∕K that is K-isomorphic to C′. Choose a $\bar{K}$-isomorphism ψ : C″ → C. We must show that the cocycles $\phi ^{\sigma }\phi ^{-1}$ and $\psi ^{\sigma }\psi ^{-1}$ are cohomologous. By assumption there is a K-isomorphism $\theta : C'' \rightarrow C'\!$. Consider the element $\alpha =\phi \theta \psi ^{-1} \in \mathop{\mathrm{Isom}}\nolimits (C)$. We compute

$$\displaystyle\begin{array}{rcl} (\alpha ^{\sigma })(\psi ^{\sigma }\psi ^{-1})& =& (\phi \theta \psi ^{-1})^{\sigma }(\psi ^{\sigma }\psi ^{-1}) = \phi ^{\sigma }\theta ^{\sigma }\psi ^{-1} {}\\ & =& \phi ^{\sigma }\theta \psi ^{-1} = (\phi ^{\sigma }\phi ^{-1})(\phi \theta \psi ^{-1}) = (\phi ^{\sigma }\phi ^{-1})\alpha . {}\\ \end{array}$$

This proves that $\phi ^{\sigma }\phi ^{-1}$ and $\psi ^{\sigma }\psi ^{-1}$ are cohomologous when viewed as elements of $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}$.

(c)Suppose that C′∕K and C″∕K are twists of C∕K that give the same cohomology class in $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}$. This means that if we choose $\bar{K}$-isomorphisms ϕ : C′ → C and ψ : C″ → C, then there is a map $\alpha \in \mathop{\mathrm{Isom}}\nolimits (C)$ such that

$$\displaystyle{\alpha ^{\sigma }(\psi ^{\sigma }\psi ^{-1}) = (\phi ^{\sigma }\phi ^{-1})\alpha \qquad \mbox{ for all $\sigma \in G_{\bar{ K}/K}$.}}$$

In other words, the cocycles associated to ϕ and ψ are cohomologous. We now consider the map $\theta : C'' \rightarrow C'$ defined by $\theta = \phi ^{-1}\alpha \psi$. It is clearly a $\bar{K}$-isomorphism, and we claim that it is, in fact, defined over K. To prove this, for any $\sigma \in G_{\bar{K}/K}$ we compute

$$\displaystyle{\theta ^{\sigma } = (\phi ^{\sigma })^{-1}(\alpha ^{\sigma }\psi ^{\sigma }) = (\phi ^{\sigma })^{-1}(\phi ^{\sigma }\phi ^{-1}\alpha \psi ) = \phi ^{-1}\alpha \psi =\theta .}$$

Therefore C″ and C′ are K-isomorphic, and thus they give the same element of $\mathop{\mathrm{Twist}}\nolimits (C/K)$. This proves that the map

$$\displaystyle{\mathop{\mathrm{Twist}}\nolimits (C/K) \rightarrow H^{1}{\bigl (G_{\bar{ K}/K},\mathop{\mathrm{Isom}}\nolimits (C)\bigr )}}$$

is injective.

To prove surjectivity, we start with a 1-cocycle

$$\displaystyle{\xi : G_{\bar{K}/K} \rightarrow \mathop{\mathrm{Isom}}\nolimits (C)}$$

and use it to construct a curve C′∕K and an isomorphism ϕ : C′ → C satisfying $\xi _{\sigma } = \phi ^{\sigma }\phi ^{-1}$. To do this, we consider a field, denoted by $\bar{K}(C)_{\xi }$, that is isomorphic, as an abstract field extension of $\bar{K}$, to $\bar{K}(C)$, say by an isomorphism that we denote by $Z : \bar{K}(C) \rightarrow \bar{K}(C)_{\xi }$. The difference between $\bar{K}(C)$ and $\bar{K}(C)_{\xi }$ lies in the action of the Galois group $G_{\bar{K}/K}$; the action on $\bar{K}(C)_{\xi }$ is twisted by $\xi$. What this means is that

$$\displaystyle{Z(f)^{\sigma } = Z(f^{\sigma }\xi _{\sigma })\qquad \mbox{ for all $f \in \bar{K}(C)$ and all $\sigma \in G_{\bar{K}/K}$.}}$$

In this equality we are viewing f as a map $f : C \rightarrow \mathbb{P}^{1}$ as in (II.2.2), and $f^{\sigma }\xi _{\sigma }$ is composition of maps. Equivalently, the map $\xi _{\sigma } : C \rightarrow C$ of curves induces a map $\xi _{\sigma }^{{\ast}} : \bar{K}(C) \rightarrow \bar{K}(C)$ of fields, and $f^{\sigma }\xi _{\sigma }$ is an alternative notation for $\xi _{\sigma }^{{\ast}}(f^{\sigma })$.

For this action of $G_{\bar{K}/K}$ on $\bar{K}(C)_{\xi }$, we consider the subfield $\mathcal{F}\subset \bar{K}(C)_{\xi }$ consisting of the elements of $\bar{K}(C)_{\xi }$ that are fixed by $G_{\bar{K}/K}$. We now show, in several steps, that the field $\mathcal{F}$ is the function field of the desired twist of C.

$$\displaystyle{\fbox{ $\text{Step (i):}\mathcal{F}\cap \bar{K} = K$}}$$

Suppose that $Z(f) \in \mathcal{F}\cap \bar{K}$. In particular, since Z induces the identity on $\bar{K}$, we have $f \in \bar{K}$. Now the fact that $Z(f) \in \mathcal{F}$, combined with the fact that f is a constant function and thus unaffected by isomorphisms of C, implies that

$$\displaystyle{Z(f) = Z(f)^{\sigma } = Z(f^{\sigma }\xi _{\sigma }) = Z(f^{\sigma }).}$$

This holds for all $\sigma \in G_{\bar{K}/K}$, and hence f ∈ K.

$$\displaystyle{\fbox{ $\text{Step (ii):}\bar{K}\mathcal{F} = \bar{K}(C)_{\xi }$}}$$

This is an immediate consequence of (II.5.8.1) applied to the $\bar{K}$-vector space $\bar{K}(C)_{\xi }$.

It follows from Step (ii) that $\mathcal{F}$ has transcendence degree one over K, and thus using Step (i) and (II.2.4c), we deduce that there exists a smooth curve C′∕K such that $\mathcal{F}\mathop{\cong}K(C')$. Further, Step (ii) implies that

$$\displaystyle{\bar{K}(C') = \bar{K}\mathcal{F} = \bar{K}(C)_{\xi }\mathop{\cong}\bar{K}(C),}$$

so (II.2.4.1) says that C′ and C are isomorphic over $\bar{K}$. In other words, C′ is a twist of C, and the final step in proving surjectivity is to show that C′ gives the cohomology class $\{\xi \}$.

Let ϕ : C′ → C be a $\bar{K}$-isomorphism, as described in (II.2.4b), whose associated map ϕ ^∗ is the isomorphism of fields

$$\displaystyle{Z : \bar{K}(C)\longrightarrow \bar{K}(C)_{\xi } = \bar{K}\mathcal{F} = \bar{K}(C').}$$

$$\displaystyle{\fbox{ $\text{Step (iii):}\xi _{\sigma } = \phi ^{\sigma }\phi ^{-1}\text{for all}\sigma \in G_{\bar{K}/K}$}}$$

Having identified ϕ ^∗ with Z, the relation $Z(f)^{\sigma } = Z(f^{\sigma }\xi _{\sigma })$ used to define the map Z can be rewritten as $(f\phi )^{\sigma } = f^{\sigma }\xi _{\sigma }\phi$. In other words,

$$\displaystyle{f^{\sigma }\phi ^{\sigma } = (f\phi )^{\sigma } = f^{\sigma }\xi _{\sigma }\phi \qquad \mbox{ for all $f \in \bar{K}(C)$.}}$$

This implies that $\phi ^{\sigma } =\xi _{\sigma }\phi$, which is exactly the desired result. □

Example 2.4.

Let E∕K be an elliptic curve, let $K(\sqrt{d}\,)$ be a quadratic extension of K, and let

$$\displaystyle{\chi : G_{\bar{K}/K} \rightarrow \{\pm 1\},\qquad \chi (\sigma ) = \sqrt{d}\,^{\sigma }\big/\sqrt{d},}$$

be the quadratic character associated to $K(\sqrt{d}\,)/K$. (Note that $\mathop{\mathrm{char}}\nolimits (K)\neq 2$.) We use χ to define a 1-cocycle

$$\displaystyle{\xi : G_{\bar{K}/K}\longrightarrow \mathop{ \mathrm{Isom}}\nolimits (E),\qquad \xi _{\sigma } ={\bigl [\chi (\sigma )\bigr ]}.}$$

Let C∕K be the corresponding twist of E∕K. We are going to derive an equation for C∕K.

We choose a Weierstrass equation for E∕K of the form y ² = f(x) and we write $\bar{K}(E) = \bar{K}(x,y)$ and $\bar{K}(C) = \bar{K}(x,y)_{\xi }$. Since [−1](x, y) = (x, −y), the action of $\sigma \in G_{\bar{K}/K}$ on $\bar{K}(x,y)_{\xi }$ is determined by the formulas

$$\displaystyle{\sqrt{d}\,^{\sigma } =\chi (\sigma )\sqrt{d},\qquad x^{\sigma } = x,\qquad y^{\sigma } =\chi (\sigma )y.}$$

Notice that the functions x′ = x and $y' = y/\sqrt{d}$ in $\bar{K}(x,y)_{\xi }$ are fixed by $G_{\bar{K}/K}$, and they satisfy the equation

$$\displaystyle{dy'^{2} = f(x'),}$$

which is the equation of an elliptic curve defined over K. Further, the identification $(x',y')\mapsto (x',y'\sqrt{d}\,)$ shows that this curve is isomorphic to E over $K(\sqrt{d}\,)$. It is now an easy matter to check that the associated cocycle is $\xi$, and thus to verify that we have found an equation for C∕K. The curve C is a quadratic twist of E; more precisely, it is the twist of E by the quadratic character χ. We will return to this example in more detail in (X §5).

X.3 Homogeneous Spaces

We recall from (VIII §2) that associated to an elliptic curve E∕K is a Kummer sequence

$$\displaystyle{\begin{array}{ccccccccc} 0&\longrightarrow & \dfrac{E(K)} {mE(K)} &\longrightarrow &H^{1}{\bigl (G_{\bar{K}/K},E[m]\bigr )}&\longrightarrow &H^{1}{\bigl (G_{\bar{K}/K},E\bigr )}[m]&\longrightarrow &0. \end{array} }$$

The proof of the weak Mordell–Weil theorem hinges on the essential fact that the image of the first term in the second consists of elements that are unramified outside of a certain finite set of primes. In this section we analyze the third term in the sequence by associating to each element of $H^{1}(G_{\bar{K}/K},E)$ a certain twist of E called a homogeneous space. However, rather than starting with cohomology, we instead begin by directly defining homogeneous spaces and describing their basic properties. We follow this with the cohomological interpretation, which says that homogeneous spaces are those twists that correspond to cocycles taking values in the group of translations.

Definition.

Let E∕K be an elliptic curve. A (principal) homogeneous space for E∕K is a smooth curve C∕K together with a simply transitive algebraic group action of E on C defined over K. In other words, a homogeneous space for E∕K consists of a pair (C, μ), where C∕K is a smooth curve and

$$\displaystyle{\mu : C \times E\longrightarrow C}$$

is a morphism defined over K having the following three properties:

(i)
μ(p, O) = p for all p ∈ C.
(ii)
$\mu {\bigl (\mu (p,P),Q\bigr )} =\mu (p,P + Q)$ for all p ∈ C and P, Q ∈ E.
(iii)
For all p, q ∈ C there is a unique P ∈ E satisfying μ(p, P) = q.

We will often replace μ(p, P) with the more intuitive notation p + P. Then property (ii) is just the associative law (p + P) + Q = p + (P + Q). Of course, one must determine from context whether + means addition on E or the action of E on C.

In view of the simple transitivity of the action, we may define a subtraction map on C by the rule

$$\displaystyle\begin{array}{rcl} & \nu : C \times C\longrightarrow E, & {}\\ & \nu (q,p) = \mbox{ (the unique $P \in E$ satisfying $\mu (p,P) = q$)}.& {}\\ \end{array}$$

It is not clear, a priori, that the map ν is even a rational map, but we will soon see that ν is a morphism and is defined over K. (This fact also follows from elementary intersection theory on C × C.) In conjunction with our addition notation for μ, we often write ν(q, p) as q − p.

We now verify that addition and subtraction on a homogeneous space have the right properties.

Lemma 3.1.

Let C∕K be a homogeneous space for E∕K. Then for all p,q ∈ C and all P,Q ∈ E :

(a)
μ(p,O) = p and ν(p,p) = O.
(b)
$\mu {\bigl (p,\nu (q,p)\bigr )} = q\quad and\quad \nu \bigl (\mu (p,P),p) = P$ .
(c)
$\nu {\bigl (\mu (q,Q),\mu (p,P)\bigr )} =\nu (q,p) + Q - P$ .

Equivalently, using the alternative “addition” and “subtraction” notation :

(a)
p + O = p and p − p = O.
(b)
p + (q − p) = q and (p + P) − p = P.
(c)
(q + Q) − (p + P) = (q − p) + Q − P.

In other words, using + and − signs provides the right intuition.

Proof.

(a) The equality μ(p, O) = p is part of the definition of homogeneous space. Next, the definition of ν says that ν(p, p) is the unique point P ∈ E satisfying μ(p, P) = p. We know that this last equation is true for P = O, so ν(p, p) = O.

(b)The relation $\mu {\bigl (p,\nu (q, p)\bigr )} = q$ is the definition of ν. Then, from

$$\displaystyle{\mu {\bigl (p,\nu (\mu (p,P),p)\bigr )} =\mu (p,P),}$$

we conclude that ν(μ(p, P), p) = P.

(c)We start with

$$\displaystyle{q =\mu {\bigl ( p,\nu (q,p)\bigr )}.}$$

Adding Q to both sides gives

$$\displaystyle\begin{array}{rcl} \mu (q,Q)& =& \mu {\bigl (p,\nu (q,p) + Q\bigr )} {}\\ & =& \mu {\bigl (p,P +\nu (q,p) + Q - P\bigr )} {}\\ & =& \mu {\bigl (\mu (p,P),\nu (q,p) + Q - P\bigr )}. {}\\ \end{array}$$

From the definition of ν, this is equivalent to

$$\displaystyle{\nu {\bigl (\mu (q,Q),\mu (p,P)\bigr )} =\nu (q,p) + Q - P.}$$

□

Next we show that a homogeneous space C∕K for E∕K is a twist of of E∕K as described in (X §2). We also describe addition and subtraction on C in terms of a given $\bar{K}$-isomorphism E → C.

Proposition 3.2.

Let E∕K be an elliptic curve, and let C∕K be a homogeneous space for E∕K. Fix a point p ₀ ∈ C and define a map

$$\displaystyle{\theta : E\longrightarrow C,\qquad \theta (P) = p_{0} + P.}$$

(a)
The map $\theta$ is an isomorphism defined over K(p ₀ ). In particular, the curve C∕K is a twist of E∕K.
(b)
For all p ∈ C and all P ∈ E,
$$\displaystyle{p + P =\theta {\bigl (\theta ^{-1}(p) + P\bigr )}.}$$
( N.B. The first + is the action of E on C, while the second + is addition on E. )
(c)
For all p,q ∈ C,
$$\displaystyle{q - p =\theta ^{-1}(q) -\theta ^{-1}(p).}$$
(d)
The subtraction map
$$\displaystyle{\nu : C \times C\longrightarrow E,\qquad \nu (q,p) = q - p,}$$
is a morphism and is defined over K.

Proof.

(a) The action of E on C is defined over K. Hence for any $\sigma \in G_{\bar{K}/K}$ satisfying $p_{0}^{\sigma } = p_{0}$, we have

$$\displaystyle{\theta (P)^{\sigma } = (p_{0} + P)^{\sigma } = p_{0}^{\sigma } + P^{\sigma } = p_{ 0} + P^{\sigma } =\theta (P^{\sigma }).}$$

This shows that $\theta$ is defined over K(p ₀). Further, the simple transitivity of the action tells us that $\theta$ has degree one, and then (II.2.4.1) allows us to conclude that $\theta$ is an isomorphism.

(b)We compute

$$\displaystyle{\theta {\bigl (\theta ^{-1}(p) + P\bigr )} = p_{ 0} +\theta ^{-1}(p) + P = p + P.}$$

Note that we are using the fact that $\theta ^{-1}(p)$ is the unique point of E that gives p when it is added to p ₀.

(c)We compute

$$\displaystyle{\theta ^{-1}(q) -\theta ^{-1}(p) ={\bigl ( p_{ 0} +\theta ^{-1}(q)\bigr )} -{\bigl ( p_{ 0} +\theta ^{-1}(p)\bigr )} = q - p.}$$

(d)The fact that ν is a morphism follows from (c), since (III.3.6) says that subtraction on E is a morphism. To check that ν is defined over K, we let $\sigma \in G_{\bar{K}/K}$ and use (c) to compute

$$\displaystyle\begin{array}{rcl} (q - p)^{\sigma }& =& {\bigl (\theta ^{-1}(q) -\theta ^{-1}(p)\bigr )}^{\sigma } {}\\ & =& \theta ^{-1}(q)^{\sigma } -\theta ^{-1}(p)^{\sigma }\qquad \qquad \qquad \qquad since subtraction on E is defined over\ K, {}\\ & =& {\bigl (p_{0} +\theta ^{-1}(q)\bigr )}^{\sigma } -{\bigl ( p_{ 0} +\theta ^{-1}(p)\bigr )}^{\sigma }\quad since the action of E on C is defined over K, {}\\ & =& q^{\sigma } - p^{\sigma }. {}\\ \end{array}$$

This completes the proof that ν is defined over K. □

Definition.

Two homogeneous spaces C∕K and C′∕K for E∕K are equivalent if there is an isomorphism $\theta : C \rightarrow C'$ defined over K that is compatible with the action of E on C and C′. In other words,

$$\displaystyle{\theta (p + P) =\theta (p) + P\qquad \mbox{ for all $p \in C$ and all $P \in E$.}}$$

The equivalence class containing E∕K, acting on itself by translation, is called the trivial class. The collection of equivalence classes of homogeneous spaces for E∕K is called the Weil–Châtelet group for E∕K and is denoted by $\mathop{\mathrm{WC}}\nolimits (E/K)$. (We will see later why $\mathop{\mathrm{WC}}\nolimits (E/K)$ is a group.)

The next result explains which homogeneous spaces are trivial.

Proposition 3.3.

Let C∕K be a homogeneous space for E∕K. Then C∕K is in the trivial class if and only if C(K) is not the empty set.

Proof.

Suppose that C∕K is in the trivial class. Then there is a K-isomorphism $\theta : E \rightarrow C$, and thus $\theta (O) \in C(K)$.

Conversely, suppose that p ₀ ∈ C(K). Then from (X.3.2a), the map

$$\displaystyle{\theta : E\longrightarrow C,\qquad \theta (P) = p_{0} + P,}$$

is an isomorphism defined over K(p ₀) = K. The required compatibility condition on $\theta$ is

$$\displaystyle{p_{0} + (P + Q) = (p_{0} + P) + Q,}$$

which is part of the definition of homogeneous space. □

Remark 3.4.

Notice that (X.3.3) says that the problem of checking the triviality of a homogeneous space is exactly equivalent to answering the fundamental Diophantine question whether the given curve has any rational points. Thus our next step, namely the identification of $\mathop{\mathrm{WC}}\nolimits (E/K)$ with a certain cohomology group, may be regarded as the development of a tool to help us study this difficult Diophantine problem.

Lemma 3.5.

Let $\theta : C/K \rightarrow C'/K$ be an equivalence of homogeneous spaces for E∕K. Then

$$\displaystyle{\theta (q) -\theta (p) = q - p\qquad \mbox{ for all $p,q \in C$.}}$$

Proof.

This is just a matter of grouping points so that the additions and subtractions are well-defined. Thus

$$\displaystyle\begin{array}{rcl} \theta (q) -\theta (p)& =& {\Bigl ({\bigl (\theta (q) + (p - q)\bigr )} -\theta (p)\Bigr )} + (q - p) {}\\ & =& {\Bigl (\theta {\bigl (q + (p - q)\bigr )} -\theta (p)\Bigr )} + (q - p) {}\\ & =& q - p. {}\\ \end{array}$$

□

Theorem 3.6.

Let E∕K be an elliptic curve. There is a natural bijection

$$\displaystyle{\mathop{\mathrm{WC}}\nolimits (E/K)\longrightarrow H^{1}(G_{\bar{ K}/K},E)}$$

defined as follows :

Let C∕K be a homogeneous space for E∕K and choose any point p ₀ ∈ C. Then

$$\displaystyle{\{C/K\}\longmapsto \{\sigma \mapsto p_{0}^{\sigma } - p_{ 0}\}.}$$

( The braces indicate that we are taking the equivalence class of C∕K and the cohomology class of the 1-cocycle $\sigma \mapsto p_{0}^{\sigma } - p_{0}$ . )

Remark 3.6.1.

Since $H^{1}(G_{\bar{K}/K},E)$ is a group, we can use (X.3.6) to define a group structure on the set $\mathop{\mathrm{WC}}\nolimits (E/K)$. It is also possible to describe the group law on $\mathop{\mathrm{WC}}\nolimits (E/K)$ geometrically, without using cohomology, which in fact is the way that it was originally defined. See Exercise 10.2 and [307].

Proof.

First we check that the map is well-defined. It is easy to see that the map $\sigma \mapsto p_{0}^{\sigma } - p_{0}$ is a cocycle:

$$\displaystyle{p_{0}^{\sigma \tau } - p_{ 0} = (p_{0}^{\sigma \tau } - p_{ 0}^{\tau }) + (p_{ 0}^{\tau } - p_{ 0}) = (p_{0}^{\sigma } - p_{ 0})^{\tau } + (p_{ 0}^{\tau } - p_{ 0}).}$$

Now suppose that C′∕K is another homogeneous space that is equivalent to C∕K. Let $\theta : C \rightarrow C'$ be a K-isomorphism giving the equivalence, and let p ₀′ ∈ C′. We use (X.3.5) to compute

$$\displaystyle\begin{array}{rcl} p_{0}^{\sigma } - p_{ 0}& =& \theta (p_{0}^{\sigma }) -\theta (p_{ 0}) {}\\ & =& \left (p_{0}^{{\prime}\sigma }- p_{ 0}'\right ) +{\Bigl ({\bigl (\theta (p_{0}) - p_{0}'\bigr )}^{\sigma } -{\bigl (\theta (p_{ 0}) - p_{0}'\bigr )}\Bigr )}. {}\\ \end{array}$$

Hence the cocycles $p_{0}^{\sigma } - p_{0}$ and $p_{0}^{{\prime}\sigma }- p_{0}'$ differ by the coboundary generated by the point $\theta (p_{0}) - p_{0}' \in E$, so they give the same cohomology class in $H^{1}(G_{\bar{K}/K},E)$.

Next we check injectivity. Suppose that the cocycles $p_{0}^{\sigma } - p_{0}$ and $p_{0}^{{\prime}\sigma }- p_{0}'$ corresponding to C∕K and C′∕K are cohomologous. This means that there is a point P ₀ ∈ E satisfying

$$\displaystyle{p_{0}^{\sigma } - p_{ 0} = p_{0}^{{\prime}\sigma }- p_{ 0}' + (P_{0}^{\sigma } - P_{ 0})\qquad \mbox{ for all $\sigma \in G_{\bar{K}/K}$.}}$$

Consider the map

$$\displaystyle{\theta : C\longrightarrow C',\qquad \theta (p) = p_{0}' + (p - p_{0}) + P_{0}.}$$

It is clear that $\theta$ is a $\bar{K}$-isomorphism and that it is compatible with the action of E on C and C′. We claim that $\theta$ is defined over K. In order to prove this, we compute

$$\displaystyle\begin{array}{rcl} \theta (p)^{\sigma }& =& p_{0}^{{\prime}\sigma } + (p^{\sigma } - p_{ 0}^{\sigma }) + P_{ 0}^{\sigma } {}\\ & =& p_{0}' + (p^{\sigma } - p_{0}) + P_{0} +{\bigl ( (p_{0}^{{\prime}\sigma }- p_{ 0}') + P_{0}^{\sigma } - P_{ 0} - (p_{0}^{\sigma } - p_{ 0})\bigr )} {}\\ & =& \theta (p^{\sigma }). {}\\ \end{array}$$

This proves that C and C′ are equivalent.

It remains to prove surjectivity. Let $\xi : G_{\bar{K}/K} \rightarrow E$ be a 1-cocycle representing an element in $H^{1}(G_{\bar{K}/K},E)$. We embed E into $\mathop{\mathrm{Isom}}\nolimits (E)$ by sending P ∈ E to the translation map $\tau _{P} \in \mathop{\mathrm{Isom}}\nolimits (E)$, and then we may view $\xi$ as living in the cohomology set $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (E)\bigr )}$. From (X.2.2), there are a curve C∕K and a $\bar{K}$-isomorphism ϕ : C → E such that for all $\sigma \in G_{\bar{K}/K}$,

$$\displaystyle{\phi ^{\sigma } \circ \phi ^{-1} = (\mbox{ translation by $-\xi _{\sigma }$}).}$$

(The reason for using $-\xi$, rather than $\xi$, will soon become apparent.)

Define a map

$$\displaystyle{\mu : C \times E\longrightarrow C,\qquad \mu (p,P) = \phi ^{-1}{\bigl (\phi (p) + P\bigr )}.}$$

We now show that μ gives C∕K the structure of a homogeneous space over E∕K and that its associated cohomology class is $\{\xi \}$.

First we check that μ is simply transitive. Let p, q ∈ C. Then by definition we have

$$\displaystyle{\mu (p,P) = q\quad \text{if and only if}\quad \phi ^{-1}{\bigl (\phi (p) + P\bigr )} = q,}$$

so the only choice for P is P = ϕ(q) −ϕ(p). Second we verify that μ is defined over K. We take $\sigma \in G_{\bar{K}/K}$ and compute

$$\displaystyle\begin{array}{rcl} \mu (p,P)^{\sigma }& =& (\phi ^{-1})^{\sigma }{\bigl (\phi ^{\sigma }(p^{\sigma }) + P^{\sigma }\bigr )} {}\\ & =& \phi ^{-1}{\Bigl ({\bigl (\phi (p^{\sigma }) -\xi _{\sigma } + P^{\sigma }\bigr )} +\xi _{\sigma }\Bigr )} {}\\ & =& \mu (p^{\sigma },P^{\sigma }). {}\\ \end{array}$$

Finally, we compute the cohomology class associated to C∕K. To do this, we may choose any point p ₀ ∈ C and take the class of the cocycle $\sigma \mapsto p_{0}^{\sigma } - p_{0}$. In particular, if we take p ₀ = ϕ ⁻¹(O), then

$$\displaystyle\begin{array}{rcl} p_{0}^{\sigma } - p_{ 0}& =& (\phi ^{\sigma })^{-1}(O) -\phi ^{-1}(O) {}\\ & =& \phi ^{-1}(O +\xi _{\sigma }) -\phi ^{-1}(O) {}\\ & =& \xi _{\sigma }. {}\\ \end{array}$$

This completes the proof of (X.3.6). □

Remark 3.7.

Let E∕K be an elliptic curve and let $K(\sqrt{d}\,)/K$ be a quadratic extension, so in particular $\mathop{\mathrm{char}}\nolimits (K)\neq 2$. Let T ∈ E(K) be a nontrivial point of order 2. Then the homomorphism

$$\displaystyle\begin{array}{rcl} \xi : G_{\bar{K}/K}& \longrightarrow & E, {}\\ \sigma & \longmapsto & \left \{\begin{array}{@{}l@{\quad }l@{}} O\quad &\mbox{ if $\sqrt{d}^{\,\sigma } = \sqrt{d}$,} \\ T \quad &\mbox{ if $\sqrt{d}^{\,\sigma } = -\sqrt{d}$,}\\ \quad \end{array} \right .{}\\ \end{array}$$

is a 1-cocycle. We now construct the homogeneous space corresponding to the element $\{\xi \}\in H^{1}(G_{\bar{K}/K},E)$.

Since T ∈ E(K), we may choose a Weierstrass equation for E∕K in the form

$$\displaystyle{E : y^{2} = x^{3} + ax^{2} + bx\qquad \mbox{ with $T = (0,0)$.}}$$

Then the translation-by-T map has the simple form

$$\displaystyle{\tau _{T}(P) = (x,y) + (0,0) = \left ( \frac{b} {x},-\frac{by} {x^{2}}\right ).}$$

Thus if we let $\sigma \in G_{\bar{K}/K}$ be the nontrivial automorphism of $K(\sqrt{d}\,)/K$, then the action of $\sigma$ on the twisted field $\bar{K}(E)_{\xi }$ may be summarized by

$$\displaystyle{\sqrt{d}^{\,\sigma } = -\sqrt{d},\qquad x^{\sigma } = \frac{b} {x},\qquad y^{\sigma } = -\frac{by} {x^{2}}.}$$

We need to find the subfield of $K(\sqrt{d}\,)(x,y)_{\xi }$ that is fixed by $\sigma$.

The functions

$$\displaystyle{\frac{\sqrt{d}\,x} {y} \quad \text{and}\quad \sqrt{d}\left (x - \frac{b} {x}\right )}$$

are easily seen to be invariant. Anticipating the form of our final equation, we consider instead the functions

$$\displaystyle{z = \frac{\sqrt{d}\,x} {y} \quad \text{and}\quad w = \sqrt{d}\left (x - \frac{b} {x}\right )\left (\frac{x} {y}\right )^{2}.}$$

We find a relation between z and w by computing

$$\displaystyle\begin{array}{rcl} d\left ( \frac{w} {z^{2}}\right )^{2}& =& \left (x - \frac{b} {x}\right )^{2} = \left (x + \frac{b} {x}\right )^{2} - 4b {}\\ & =& \left (\left (\frac{y} {x}\right )^{2} - a\right )^{2} - 4b = \left ( \frac{d} {z^{2}} - a\right )^{2} - 4b. {}\\ \end{array}$$

Thus (z, w) are affine coordinates for the hyperelliptic curve

$$\displaystyle{C : dw^{2} = d^{2} - 2adz^{2} + (a^{2} - 4b)z^{4}.}$$

(See (II.2.5.1) and Exercise 2.14 for general properties of hyperelliptic curves.) We claim that C∕K is the twist of E∕K corresponding to the cocycle $\xi$.

First, we recall from (II.2.5.1) that C is a smooth affine curve provided that the polynomial d ² − 2adz ² + (a ² − 4b)z ⁴ has four distinct roots in $\bar{K}$. Further, (II.2.5.2) says that if the quartic polynomial has distinct roots, then there is a smooth curve in $\mathbb{P}^{3}$ that has an affine piece isomorphic to C. This smooth curve consists of C together with the two points

$$\displaystyle{\left [0,0,\pm \sqrt{\frac{a^{2 } - 4b} {d}} \,,1\right ]}$$

at infinity. (N.B. The projective closure of C in $\mathbb{P}^{2}$ is always singular.) It is easy to check that the quartic has distinct roots if and only if b(a ² − 4b) ≠ 0. On the other hand, since E is nonsingular, we know that Δ(E) = 16b ²(a ² − 4b) ≠ 0. Therefore C is an affine piece of a smooth curve in $\mathbb{P}^{3}$. To ease notation, we also use C to denote this smooth curve $C \subset \mathbb{P}^{3}$.

There is a natural map defined over $K(\sqrt{d}\,)$,

$$\displaystyle\begin{array}{rcl} \phi : E& \longrightarrow & C, {}\\ (x,y)& \longmapsto & (z,w) = \left (\frac{\sqrt{d}\,x} {y} ,\sqrt{d}\left (x - \frac{b} {x}\right )\left (\frac{x} {y}\right )^{2}\right ). {}\\ \end{array}$$

Note that since

$$\displaystyle{\frac{x} {y} = \frac{xy} {y^{2}} = \frac{y} {x^{2} + ax + b},}$$

the map ϕ may also be written as

$$\displaystyle{\phi (x,y) = \left ( \frac{\sqrt{d}\,y} {x^{2} + ax + b}, \frac{\sqrt{d}\,(x^{2} - b)} {x^{2} + ax + b}\right ).}$$

This allows us to evaluate

$$\displaystyle{\phi (0,0) = (0,-\sqrt{d}\,)\quad \text{and}\quad \phi (O) = (0,\sqrt{d}\,).}$$

To show that ϕ is an isomorphism, we compute its inverse:

$$\displaystyle\begin{array}{rcl} \frac{\sqrt{ d}\,w} {z^{2}} & =& x - \frac{b} {x} = 2x -\left (x + \frac{b} {x}\right ) {}\\ & =& 2x -\left (\left (\frac{y} {x}\right )^{2} - a\right ) = 2x -\left ( \frac{d} {z^{2}} - a\right ). {}\\ \end{array}$$

This gives x in terms of z and w, and then $y = \sqrt{d}\,x/z$. Thus

$$\displaystyle\begin{array}{rcl} \phi ^{-1} : C& \longrightarrow & E, {}\\ (z,w)& \longmapsto & \left (\frac{\sqrt{d}\,w - az^{2} + d} {2z^{2}} , \frac{dw - a\sqrt{d}\,z^{2} + d\sqrt{d}} {2z^{3}} \right ). {}\\ \end{array}$$

Since C and E are smooth, it follows from (II.2.4.1) that ϕ is an isomorphism.

Finally, in order to compute the element of $H^{1}(G_{\bar{K}/K},E)$ corresponding to the curve C∕K, we may choose any point p ∈ C and compute the cocycle

$$\displaystyle{\sigma \longmapsto p^{\sigma } - p = \phi ^{-1}(p^{\sigma }) -\phi ^{-1}(p).}$$

For instance, we may take $p = (0,\sqrt{d}\,) \in C$. It is clear that if $\sigma$ fixes $\sqrt{d}$, then $p^{\sigma } - p = O$. On the other hand, if $\sqrt{d}^{\,\sigma } = -\sqrt{d}$, then

$$\displaystyle{p^{\sigma } - p = \phi ^{-1}(0,-\sqrt{d}\,) -\phi ^{-1}(0,\sqrt{d}\,) = (0,0).}$$

Therefore $p^{\sigma } - p =\xi _{\sigma }$ for all $\sigma \in G_{\bar{K}/K}$, so $\{C/K\} \in \mathop{\mathrm{WC}}\nolimits (E/K)$ maps to $\{\xi \}\in H^{1}(G_{\bar{K}/K},E)$. Of course, it was just “luck” that we obtained an equality $p^{\sigma } - p =\xi _{\sigma }$. In general, the difference of these two cocycles would be some coboundary.

We conclude this section by showing that if C∕K is a homogeneous space for E∕K, then $\mathop{\mathrm{Pic}}\nolimits ^{0}(C)$ may be canonically identified with E. This means that E is the Jacobian variety of C∕K. Since every curve C∕K of genus one is a homogeneous space for some elliptic curve E∕K (Exercise 10.3), this shows that the abstract group $\mathop{\mathrm{Pic}}\nolimits ^{0}(C)$ can always be represented as the group of points of an elliptic curve. The analogous result for curves of higher genus, in which $\mathop{\mathrm{Pic}}\nolimits ^{0}(C)$ is represented by an abelian variety of dimension equal to the genus of C, is considerably harder to prove.

Theorem 3.8.

Let C∕K be a homogeneous space for an elliptic curve E∕K. Choose a point p ₀ ∈ C and consider the summation map

$$\displaystyle\begin{array}{rcl} \mathop{\mathrm{sum}}\nolimits :\mathop{ \mathrm{Div}}\nolimits ^{0}(C)& \longrightarrow & E, {}\\ \sum n_{i}(p_{i})& \longmapsto & \sum [n_{i}](p_{i} - p_{0}). {}\\ \end{array}$$

(a)
There is an exact sequence
(b)
The summation map is independent of the choice of the point p ₀ .
(c)
The summation map commutes with the natural actions of the Galois group $G_{\bar{K}/K}$ on $\mathop{\mathrm{Div}}\nolimits ^{0}(C)$ and on E. Hence it induces an isomorphism of $G_{\bar{K}/K}$ -modules (also denoted by $\mathop{\mathrm{sum}}\nolimits$ )
$$\displaystyle{\mathop{\mathrm{sum}}\nolimits :\mathop{ \mathrm{Pic}}\nolimits ^{0}(C)\mathop{\longrightarrow}\limits_{}^{\; \sim \;} E.}$$
In particular,
$$\displaystyle{\mathop{\mathrm{Pic}}\nolimits _{K}^{0}(C)\mathop{\cong}E(K).}$$

Proof.

(a) Using (II.3.4), we see that we must check that the summation map is a surjective homomorphism and that its kernel is the set of principal divisors. It is clear that it is a homomorphism. Let P ∈ E and $D = (p_{0} + P) - (p_{0}) \in \mathop{\mathrm{Div}}\nolimits ^{0}(C)$. Then

$$\displaystyle{\mathop{\mathrm{sum}}\nolimits (D) ={\bigl ( (p_{0} + P) - p_{0}\bigr )} - (p_{0} - p_{0}) = P,}$$

so $\mathop{\mathrm{sum}}\nolimits$ is surjective.

Next suppose that $D =\sum n_{i}(p_{i}) \in \mathop{\mathrm{Div}}\nolimits ^{0}(C)$ satisfies $\mathop{\mathrm{sum}}\nolimits (D) = O$. Then the divisor $\sum n_{i}(p_{i} - p_{0}) \in \mathop{\mathrm{Div}}\nolimits ^{0}(E)$ sums to O, so (III.3.5) tells us that it is principal, say

$$\displaystyle{\sum n_{i}(p_{i} - p_{0}) =\mathop{ \mathrm{div}}\nolimits (f)\quad \mbox{ for some $f \in \bar{K}(E)^{{\ast}}$.}}$$

We have an isomorphism

$$\displaystyle{\phi : C\longrightarrow E,\qquad \phi (p) = p - p_{0},}$$

and hence applying (II.3.6b),

$$\displaystyle{\mathop{\mathrm{div}}\nolimits (\phi ^{{\ast}}f) = \phi ^{{\ast}}\mathop{\mathrm{div}}\nolimits (f) =\sum n_{ i}\phi ^{{\ast}}{\bigl ((p_{ i} - p_{0})\bigr )} =\sum n_{i}(p_{i}) = D.}$$

Therefore D is principal.

Finally, if $D =\mathop{ \mathrm{div}}\nolimits (g)$ is principal, then

$$\displaystyle{\sum n_{i}(p_{i} - p_{0}) = (\phi ^{-1})^{{\ast}}\mathop{\mathrm{div}}\nolimits (g) =\mathop{ \mathrm{div}}\nolimits {\bigl ((\phi ^{-1})^{{\ast}}g\bigr )},}$$

and hence $\mathop{\mathrm{sum}}\nolimits (D) = O$. This shows that the kernel of the summation map is the set of principal divisors.

(b)Let $\mathop{\mathrm{sum } }\nolimits ' :\mathop{ \mathrm{Div } }\nolimits ^{0 } (C) \rightarrow E$ be the summation map defined using the base point p ₀′ ∈ C. Then

$$\displaystyle\begin{array}{rcl} \mathop{\mathrm{sum}}\nolimits (D) -\mathop{\mathrm{sum}}\nolimits '(D)& =& \sum [n_{i}]{\bigl ((p_{i} - p_{0}) - (p_{i} - p_{0}')\bigr )} {}\\ & =& \sum [n_{i}](p_{0}' - p_{0}) {}\\ & =& O, {}\\ \end{array}$$

since $\sum n_{i} =\deg (D) = 0$.

(c)Let $\sigma \in G_{\bar{K} /K }$. Then

$$\displaystyle{\mathop{\mathrm{sum}}\nolimits (D)^{\sigma } =\sum [n_{i}](p_{i}^{\sigma } - p_{ 0}^{\sigma }) =\mathop{ \mathrm{sum}}\nolimits (D^{\sigma }),}$$

since we know from (b) that the sum is the same if we use $p_{0}^{\sigma }$ as our base point instead of p ₀. Now (a) and the definition of $\mathop{\mathrm{Pic}}\nolimits ^{0}(C)$ tell us that we have a group isomorphism $\mathop{\mathrm{sum}}\nolimits :\mathop{ \mathrm{Pic}}\nolimits ^{0}(C) \rightarrow E$, and the fact that the summation map commutes with the action of $G_{\bar{K}/K}$ says precisely that it is an isomorphism of $G_{\bar{K}/K}$-modules. Finally, the last statement in (X.3.8c) follows by taking $G_{\bar{K}/K}$-invariants. □

X.4 The Selmer and Shafarevich–Tate Groups

We return now to the problem of calculating the Mordell–Weil group of an elliptic curve E∕K defined over a number field K. As we have seen in (VIII.3.2) and Exercise 8.18, it is enough to find generators for the finite group E(K)∕mE(K) for any integer m ≥ 2.

Suppose that we are given another elliptic curve E′∕K and a nonzero isogeny ϕ : E → E′ defined over K. For example, we could take E = E′ and ϕ = [m]. Then there is an exact sequence of $G_{\bar{K}/K}$-modules

$$\displaystyle{0\longrightarrow E[\phi ]\longrightarrow E\mathop{\longrightarrow}\limits_{}^{\;\phi \;}E'\longrightarrow 0,}$$

where E[ϕ] denotes the kernel of ϕ. Taking Galois cohomology yields the long exact sequence

and from this we form the fundamental short exact sequence

$$\displaystyle{ 0 \rightarrow E'(K)/\phi {\bigl (E(K)\bigr )}\mathop{\longrightarrow}\limits_{}^{\;\delta \;}H^{1}{\bigl (G_{\bar{ K}/K},E[\phi ]\bigr )} \rightarrow H^{1}(G_{\bar{ K}/K},E)[\phi ] \rightarrow 0. }$$

(*)

Note that (X.3.6) says that the last term in (*) may be identified with the ϕ-torsion in the Weil–Châtelet group $\mathop{\mathrm{WC}}\nolimits (E/K)$.

The next step is to replace the second and third terms of (*) with certain finite groups. This is accomplished by local considerations. For each v ∈ M _K we fix an extension of v to $\bar{K}$, which serves to fix an embedding $\bar{K} \subset \bar{K}_{v}$ and a decomposition group $G_{v} \subset G_{\bar{K}/K}$. Now G _v acts on $E(\bar{K}_{v})$ and $E'(\bar{K}_{v})$, and repeating the above argument yields exact sequences

$$\displaystyle{ 0 \rightarrow E'(K_{v})/\phi {\bigl (E(K_{v})\bigr )}\mathop{\longrightarrow}\limits_{}^{\;\delta \;}H^{1}{\bigl (G_{ v},E[\phi ]\bigr )} \rightarrow H^{1}(G_{ v},E)[\phi ] \rightarrow 0. }\qquad\qquad\qquad\qquad\qquad\qquad\qquad\qquad\qquad\qquad ({\ast}_{v})$$

The natural inclusions $G_{v} \subset G_{\bar{K}/K}$ and $E(\bar{K}) \subset E(\bar{K}_{v})$ give restriction maps on cohomology, and we thus end up with the following commutative diagram, in which we have replaced each H ¹(G, E) with the corresponding Weil–Châtelet group:

$$\displaystyle{ \begin{array}{*9{@{}c@{}}} 0\;& \rightarrow & E'(K)/\phi {\bigl (E(K)\bigr )} &\mathop{\longrightarrow}\limits_{}^{\;\delta \;}& H^{1}{\bigl (G_{\bar{K}/K},E[\phi ]\bigr )} & \rightarrow & \mathop{\mathrm{WC}}\nolimits (E/K)[\phi ] & \rightarrow &\;0 \\ & & \Big \downarrow && \Big \downarrow & & \Big \downarrow \\ 0\;& \rightarrow &\prod _{v\in M_{K}}\!\!E'(K_{v})/\phi {\bigl (E(K_{v})\bigr )}&\mathop{\longrightarrow}\limits_{}^{\;\delta \;}&\prod _{v\in M_{K}}\!\!H^{1}{\bigl (G_{ v},E[\phi ]\bigr )}& \rightarrow &\prod _{v\in M_{K}}\!\!\mathop{ \mathrm{WC}}\nolimits (E/K_{v})[\phi ]& \rightarrow &\;0\\ \end{array} }$$

(**)

Our ultimate goal is to compute the image of $E'(K)/\phi {\bigl (E(K)\bigr )}$ in the cohomology group $H^{1}{\bigl (G_{\bar{K}/K},E[\phi ]\bigr )}$, or equivalently, to compute the kernel of the map

$$\displaystyle{H^{1}{\bigl (G_{\bar{ K}/K},E[\phi ]\bigr )} \rightarrow \mathop{\mathrm{WC}}\nolimits (E/K)[\phi ].}$$

Using (X.3.3), we see that this last problem is the same as determining whether certain homogeneous spaces possess a K-rational point, which may be a very difficult question to answer. On the other hand, by the same reasoning, the determination of each local kernel

$$\displaystyle{\ker {\Bigl (H^{1}{\bigl (G_{ v},E[\phi ]\bigr )}\longrightarrow \mathop{\mathrm{WC}}\nolimits (E/K_{v})[\phi ]\Bigr )}}$$

is straightforward, since the question whether a curve has a point over a complete local field K _v reduces, by Hensel’s lemma, to checking whether the curve has a point in some finite ring $R_{v}^{}/\mathcal{M}_{v}^{e}$ for some easily computable integer e, which clearly requires only a finite amount of computation. This prompts the following definitions.

Definition.

Let ϕ : E∕K → E′∕K be an isogeny. The ϕ-Selmer group of E∕K is the subgroup of $H^{1}{\bigl (G_{\bar{K}/K},E[\phi ]\bigr )}$ defined by

$$\displaystyle{S^{(\phi )}(E/K) =\ker \left \{H^{1}{\bigl (G_{\bar{ K}/K},E[\phi ]\bigr )}\longrightarrow \prod _{v\in M_{K}}\mathop{ \mathrm{WC}}\nolimits (E/K_{v})\right \}.}$$

The Shafarevich–Tate group of E∕K is the subgroup of $\mathop{\mathrm{WC}}\nolimits (E/K)$ defined by

(The Cyrillic letter is pronounced “sha.”)

Remark 4.1.1.

The exact sequences (*_v) require us to extend each v ∈ M _K to $\bar{K}$, so the groups S ^(ϕ)(E∕K) and might depend on this choice. However, in order to determine whether an element of $\mathop{\mathrm{WC}}\nolimits (E/K)$ becomes trivial in $\mathop{\mathrm{WC}}\nolimits (E/K_{v})$, we must check whether the associated homogeneous space, which is a curve defined over K, has any points defined over K _v. This last problem is clearly independent of our choice of extension of v to $\bar{K}$, since v itself determines the embedding of K into K _v. Therefore S ^(ϕ)(E∕K) and depend only on E and K.

Alternatively, one can check directly by working with cocycles that the cohomological definitions of S ^(ϕ) and do not depend on the extension of the v ∈ M _K to $\bar{K}$. We leave this verification for the reader. (See also Exercise B.6.)

Remark 4.1.2.

A good way to view is as the group of homogeneous spaces for E∕K that possess a K _v-rational point for every v ∈ M _K. Equivalently, the Shafarevich–Tate group is the group of homogeneous spaces, modulo equivalence, that are everywhere locally trivial.

Theorem 4.2.

Let ϕ : E∕K → E′∕K be an isogeny of elliptic curves defined over K.

(a)
There is an exact sequence
(b)
The Selmer group S ^(ϕ) (E∕K) is finite.

Proof.

(a) This is immediate from the diagram (**) and the definitions of the Selmer and Shafarevich–Tate groups.

(b)If we take E = E′ and ϕ = [m], then (a) and the finiteness of S ^(m)(E∕K) imply the weak Mordell–Weil theorem. On the other hand, in order to prove that S ^(ϕ)(E∕K) is finite for a general map ϕ, we must essentially re-prove the weak Mordell–Weil theorem. The arguement goes as follows.

Let $\xi \in S^{(\phi )}(E/K)$, and let v ∈ M _K be a finite place of K not dividing $m =\deg (\phi )$ and such that E∕K has good reduction at v. We claim that $\xi$ is unramified at v. (See (VIII §2) for the definition of an unramified cocycle.)

To check this, let $I_{v} \subset G_{v}$ be the inertia group for v. Since $\xi \in S^{(\phi )}(E/K)$, we know that $\xi$ is trivial in $\mathop{\mathrm{WC}}\nolimits (E/K_{v})$. Hence from the sequence (*_v) given earlier, there is a point $P \in E(\bar{K}_{v})$ such that

$$\displaystyle{\xi _{\sigma } =\{ P^{\sigma } - P\}\qquad \mbox{ for all $\sigma \in G_{v}$.}}$$

(Note that $P^{\sigma } - P \in E[\phi ]$.) In particular, this holds for all $\sigma$ in the inertia group. But if $\sigma \in I_{v}$, then looking at the “reduction modulo v” map $E \rightarrow \tilde{ E}_{v}$ yields

$$\displaystyle{\widetilde{P^{\sigma } - P} =\tilde{ P}^{\sigma } -\tilde{ P} =\tilde{ O},}$$

since by definition inertia acts trivially on $\tilde{E}_{v}$. Thus $P^{\sigma } - P$ is in the kernel of reduction modulo v. But $P^{\sigma } - P$ is also in E[ϕ], which is contained in E[m]; and from (VIII.1.4) we know that E(K)[m] injects into $\tilde{E}_{v}$. Therefore $P^{\sigma } = P$, and hence

$$\displaystyle{\xi _{\sigma } =\{ P^{\sigma } - P\} = 0\qquad \mbox{ for all $\sigma \in I_{v}$.}}$$

This proves that every element in S ^(ϕ)(E∕K) is unramified at all but a fixed, finite set of places v ∈ M _K. The following lemma allows us to conclude that S ^(ϕ)(E∕K) is finite. □

Lemma 4.3.

Let M be a finite ( abelian ) $G_{\bar{K}/K}$ -module, let $S \subset M_{K}$ be a finite set of places, and define

$$\displaystyle{H^{1}(G_{\bar{ K}/K},M;S) ={\bigl \{\xi \in H^{1}(G_{\bar{ K}/K},M) : \mbox{ $\xi $ is unramified outside $S$}\bigr \}}.}$$

Then $H^{1}(G_{\bar{K}/K},M;S)$ is finite.

Proof.

Since M is finite and $G_{\bar{K}/K}$ acts continuously on M, there is a subgroup of finite index in $G_{\bar{K}/K}$ that fixes every element of M. Using the inflation–restriction sequence (B.2.4), it suffices to prove the lemma with K replaced by a finite extension, so we may assume that the action of $G_{\bar{K}/K}$ on M is trivial. Then

$$\displaystyle{H^{1}(G_{\bar{ K}/K},M;S) =\mathop{ \mathrm{Hom}}\nolimits (G_{\bar{K}/K},M;S).}$$

Let m be the exponent of M, i.e., the smallest positive integer such that mx = 0 for all x ∈ M, and let L∕K be the maximal abelian extension of K having exponent m that is unramified outside of S. Since M has exponent m, the natural map

$$\displaystyle{\mathop{\mathrm{Hom}}\nolimits (G_{L/K},M;S)\longrightarrow \mathop{\mathrm{Hom}}\nolimits (G_{\bar{K}/K},M;S)}$$

is an isomorphism. But we know from (VIII.1.6) that L∕K is a finite extension. Therefore $\mathop{\mathrm{Hom}}\nolimits (G_{\bar{K}/K},M;S)$ is finite. □

We record as a corollary an important property of the Selmer group that was derived during the course of proving (X.4.2), where we use the fact (VII.7.2) that isogenous elliptic curves have the same set of primes of bad reduction.

Corollary 4.4.

Let ϕ : E∕K → E′∕K be as in (X.4.2), and let $S \subset M_{K}$ be a finite set of places containing

$$\displaystyle{M_{K}^{\infty }\cup \{ v \in M_{ K}^{0} : \mbox{ $E$ has bad reduction at $v$}\} \cup \{ v \in M_{ K}^{0} : \mbox{ $v(\deg \phi ) > 0$}\}.}$$

Then

$$\displaystyle{S^{(\phi )}(E/K) \subset H^{1}(G_{\bar{ K}/K},E[\phi ];S).}$$

Remark 4.5.

Certainly in theory, and often in practice, the Selmer group is effectively computable. This is true because the finite group $H^{1}(G_{\bar{K}/K},E[\phi ];S)$ is effectively computable. Then, in order to determine whether a given element $\xi \in H^{1}(G_{\bar{K}/K},E[\phi ];S)$ is in S ^(ϕ)(E∕K), we take the corresponding homogeneous spaces $\{C/K\} \in \mathop{\mathrm{WC}}\nolimits (E/K)$ and check, for each of the finitely many v ∈ S, whether C(K _v) ≠ ∅. This last problem may be reduced, using Hensel’s lemma, to a finite amount of computation.

Example 4.5.1.

We reformulate the example described in (X §1) in these terms, leaving some details to the reader. Let E∕K be an elliptic curve with $E[m] \subset E(K)$, let $S \subset M_{K}$ be the usual set of places (X.4.4), and let K(S, m) be as in (X.1.1c). We choose a basis for E[m] and use it to identify E[m] with $\boldsymbol{\mu }_{m} \times \boldsymbol{\mu }_{m}$ as $G_{\bar{K}/K}$-modules. Then

$$\displaystyle{H^{1}(G_{\bar{ K}/K},E[m];S)\mathop{\cong}K(S,m) \times K(S,m),}$$

where this map uses the isomorphism $K^{{\ast}}/(K^{{\ast}})^{m}\mathop{\longrightarrow}\limits_{}^{\, \sim \,} H^{1}(G_{\bar{K}/K},\boldsymbol{\mu }_{m})$.

Restricting attention now to the case m = 2, the homogeneous space associated to a pair (b ₁, b ₂) ∈ K(S, m) × K(S, m) is the curve in $\mathbb{P}^{3}$ given by the equations (cf. (X.1.4))

$$\displaystyle{C : b_{1}^{}z_{1}^{2} - b_{ 2}^{}z_{2}^{2} = (e_{ 2} - e_{1})z_{0}^{2},\quad b_{ 1}^{}z_{1}^{2} - b_{ 1}^{}b_{2}^{}z_{3}^{2} = (e_{ 3} - e_{1})z_{0}^{2}.}$$

For any given pair (b ₁, b ₂) and any absolute value v ∈ S, it is easy to check whether C(K _v) ≠ ∅, and thus to calculate S ⁽²⁾(E∕K). For example, the conclusion of (X.1.5) may be summarized by stating that the curve

$$\displaystyle{E : y^{2} = x^{3} - 12x^{2} + 20x}$$

satisfies

The conclusion about follows from the exact sequence (X.4.2a), since in (X.1.5) we proved that every element of $S^{(2)}(E/\mathbb{Q})$ is the image of a point in $E(\mathbb{Q})$.

Suppose that we have computed the Selmer group S ^(ϕ)(E∕K) for an isogeny ϕ. Each $\xi \in S^{(\phi )}(E/K)$ corresponds to a homogeneous space $C_{\xi }/K$ that has a point defined over every local field K _v. Suppose further that we are lucky and can show that . This means that we are able to find a K-rational point on each $C_{\xi }$. It then follows from (X.4.2a) that $E'(K)/\phi {\bigl (E(K)\bigr )}\mathop{\cong}S^{(\phi )}(E/K)$, and all that remains is to explain how to find generators for $E'(K)/\phi {\bigl (E(K)\bigr )}$ in terms of the points that we found in each $C_{\xi }(K)$. This is done in the next proposition.

Proposition 4.6.

Let ϕ : E∕K → E′∕K be a K-isogeny, let $\xi$ be a cocycle representing an element of $H^{1}(G_{\bar{K}/K},E[\phi ])$ , and let C∕K be a homogeneous space representing the image of $\xi$ in $\mathop{\mathrm{WC}}\nolimits (E/K)$ . Choose a $\bar{K}$ -isomorphism $\theta : C \rightarrow E$ satisfying

$$\displaystyle{\theta ^{\sigma } \circ \theta ^{-1} = (\mbox{ translation by $\xi _{\sigma }$})\qquad \mbox{ for all $\sigma \in G_{\bar{ K}/K}$.}}$$

(a)
The map $\phi \circ \theta : C \rightarrow E'$ is defined over K.
(b)
Suppose that there is a point P ∈ C(K), so {C∕K} is trivial in $\mathop{\mathrm{WC}}\nolimits (E/K)$ . Then the point $\phi \circ \theta (P) \in E'(K)$ maps to $\xi$ via the connecting homomorphism $\delta : E'(K) \rightarrow H^{1}{\bigl (G_{\bar{K}/K},E[\phi ]\bigr )}$ .

Proof.

(a) Let $\sigma \in G_{\bar{K}/K}$ and let P ∈ C. Then, since ϕ is defined over K and $\xi _{\sigma } \in E[\phi ]$, we have

$$\displaystyle{{\bigl (\phi \circ \theta (P)\bigr )}^{\sigma } = (\phi \circ \theta ^{\sigma })(P^{\sigma }) =\phi {\bigl (\theta (P^{\sigma }) +\xi _{\sigma }\bigr )} =\phi \circ \theta (P^{\sigma }).}$$

Therefore $\phi \circ \theta$ is defined over K.

(b)This is just a matter of unwinding definitions. Thus

$$\displaystyle{\delta {\bigl (\phi \circ \theta (P)\bigr )}_{\sigma } =\theta (P)^{\sigma } -\theta (P) =\theta (P^{\sigma }) +\xi _{\sigma } -\theta (P) =\xi _{\sigma }.}$$

□

Remark 4.7.

We have been working with arbitrary isogenies ϕ : E → E′, but in order to compute the Mordell–Weil group of E′, we must find generators for E′(K)∕mE′(K) for some integer m; simply knowing $E'(K)/\phi {\bigl (E(K)\bigr )}$ is not enough. The solution to this dilemma is to work with both ϕ and its dual $\hat{\phi }: E' \rightarrow E$. Using the procedure described in this section, we compute both Selmer groups S ^(ϕ)(E∕K) and $S^{(\hat{\phi })}(E'/K)$, and with a little bit of luck, we find generators for the two quotient groups $E'(K)/\phi {\bigl (E(K)\bigr )}$ and $E(K)/\hat{\phi }{\bigl (E'(K)\bigr )}$. It is then a simple matter to compute generators for E(K)∕mE(K), where $m =\deg (\phi )$, using the elementary exact sequence (note that $\hat{\phi }\circ \phi = [m]$)

$$\displaystyle{0\longrightarrow \frac{E'(K)[\hat{\phi }]} {\phi {\bigl (E(K)[m]\bigr )}}\longrightarrow \frac{E'(K)} {\phi {\bigl (E(K)\bigr )}}\mathop{\longrightarrow}\limits_{}^{\;\hat{\phi }\;} \frac{E(K)} {mE(K)}\longrightarrow \frac{E(K)} {\hat{\phi }{\bigl (E'(K)\bigr )}}\longrightarrow 0.}$$

Example 4.8.

Two-isogenies. We illustrate the general theory by completely analyzing the case of isogenies of degree 2. Let ϕ : E → E′ be an isogeny of degree 2 defined over K. Then the kernel E[ϕ] = { O, T} is defined over K, so T ∈ E(K). Moving this K-rational 2-torsion point to (0, 0), we can find a Weierstrass equation for E∕K of the form

$$\displaystyle{E : y^{2} = x^{3} + ax^{2} + bx.}$$

Let $S \subset M_{K}$ be the usual set of places (X.4.4). Identifying E[ϕ] with $\boldsymbol{\mu }_{2}$ (as $G_{\bar{K}/K}$-modules), we see that $K^{{\ast}}/(K^{{\ast}})^{2}\mathop{\cong}H^{1}(G_{\bar{K}/K},E[\phi ])$. Thus, using notation from (X.1.1c) and (X.4.3), we have

$$\displaystyle{H^{1}(G_{\bar{ K}/K},E[\phi ];S)\mathop{\cong}K(S,2).}$$

More precisely, if d ∈ K(S, 2), then tracing through the above identification shows that the corresponding cocycle is

$$\displaystyle{\sigma \longmapsto \left \{\begin{array}{@{}l@{\quad }l@{}} O\quad &\mbox{ if $\sqrt{d}^{\,\sigma } = \sqrt{d}$,} \\ T \quad &\mbox{ if $\sqrt{d}^{\,\sigma } = -\sqrt{d}$.}\\ \quad \end{array} \right .}$$

The homogeneous space C _d∕K associated to this cocycle was computed in (X.3.7); it is given by the equation

$$\displaystyle{C_{d} : dw^{2} = d^{2} - 2adz^{2} + (a^{2} - 4b)z^{4}.}$$

We can now compute the Selmer group S ^(ϕ) by checking whether C _d(K _v) = ∅ for each of the finitely many d ∈ K(S, 2) and v ∈ S.

The isogenous curve E′∕K has Weierstrass equation

$$\displaystyle{E' : Y ^{2} = X^{3} - 2aX^{2} + (a^{2} - 4b)X,}$$

and the isogeny ϕ : E → E′ is given by the formula (III.4.5)

$$\displaystyle{\phi (x,y) = \left (\frac{y^{2}} {x^{2}}, \frac{y(b - x^{2})} {x^{2}} \right ).}$$

In (X.3.7) we gave an isomorphism $\theta : C_{d} \rightarrow E$ defined over $K(\sqrt{d}\,)$. Computing the composition $\phi \circ \theta$ yields the map

$$\displaystyle{\theta \circ \phi : C_{d}\longrightarrow E',\qquad \theta \circ \phi (z,w) = \left ( \frac{d} {z^{2}},-\frac{dw} {z^{3}} \right ),}$$

described in (X.4.6). Finally, just as we did in (X.1.4) (see also Exercise 10.1), we can compute the connecting homomorphism

$$\displaystyle{\delta : E'(K)\longrightarrow H^{1}(G_{\bar{ K}/K},E[\phi ])\mathop{\cong}K^{{\ast}}/(K^{{\ast}})^{2}.}$$

It is given by

$$\displaystyle{\delta (O) = 1,\qquad \delta (0,0) = a^{2} - 4b,\qquad \delta (X,Y ) = X\quad \mbox{ if $X\neq 0,\infty $.}}$$

We summarize (X.4.8) in the next proposition.

Proposition 4.9.

(Descent via Two-Isogeny) Let E∕K and E′∕K be elliptic curves given by the equations

$$\displaystyle{E : y^{2} = x^{3} + ax^{2} + bx\qquad \text{and}\qquad E' : Y ^{2} = X^{3} - 2aX^{2} + (a^{2} - 4b)X,}$$

and let

$$\displaystyle{\phi : E\longrightarrow E',\qquad \phi (x,y) = \left (\frac{y^{2}} {x^{2}}, \frac{y(b - x^{2})} {x^{2}} \right ),}$$

be the isogeny of degree 2 with kernel $E[\phi ] ={\bigl \{ O,(0,0)\bigr \}}$ . Let

$$\displaystyle{S = M_{K}^{\infty }\cup {\bigl \{ v \in M_{ K}^{0} : \mbox{ $v(2)\neq 0$ or $v(b)\neq 0$ or $v(a^{2} - 4b)\neq 0$}\bigr \}}.}$$

Further, for each d ∈ K ^∗ , let C _d ∕K be the homogeneous space for E∕K given by the equation

$$\displaystyle{C_{d} : dw^{2} = d^{2} - 2adz^{2} + (a^{2} - 4b)z^{4}.}$$

Then there is an exact sequence

$$\displaystyle{\begin{array}{*7c} 0&\longrightarrow &E'(K)/\phi {\bigl (E(K)\bigr )}&\mathop{\longrightarrow}\limits_{}^{\;\delta \;}& K(S,2) &\longrightarrow &\mathop{\mathrm{WC}}\nolimits (E/K)[\phi ], \\ && (X,Y )&\longmapsto &X, d&\longmapsto & \{C_{d}/K\}, \\ && O&\longmapsto & 1, \\ && (0,0)&\longmapsto &a^{2} - 4b.\\ \end{array} }$$

The ϕ-Selmer group is

$$\displaystyle{S^{(\phi )}(E/K)\mathop{\cong}{\bigl \{d \in K(S,2) : \mbox{ $C_{ d}(K_{v})\neq \emptyset $ for all $v \in S$}\bigr \}}.}$$

Finally, the map

$$\displaystyle{\psi : C_{d}\longrightarrow E',\qquad \psi (z,w) = \left ( \frac{d} {z^{2}},-\frac{dw} {z^{3}} \right ),}$$

has the property that if P ∈ C _d (K), then

$$\displaystyle{\delta {\bigl (\psi (P)\bigr )} \equiv d\pmod (K^{{\ast}})^{2}.}$$

Remark 4.9.1.

Note that since the isogenous curve E′ in (X.4.9) has the same form as E, everything in (X.4.9) applies equally well to the dual isogeny $\hat{\phi }: E' \rightarrow E$. Then, using the exact sequence (X.4.7), we can try to compute E(K)∕2E(K).

Remark 4.9.2.

If E∕K is an elliptic curve that has a K-rational 2-torsion point, then (III.4.5) says that E automatically has an isogeny of degree 2 defined over K. Thus the procedure described in (X.4.8) may be applied to any elliptic curve satisfying E(K)[2] ≠ 0. In particular, (X.4.9) in some sense subsumes (X.1.4), which described how to try to compute E(K)∕2E(K) when $E[2] \subset E(K)$.

Example 4.10.

We use (X.4.9) to compute $E(\mathbb{Q})/2E(\mathbb{Q})$ for the elliptic curve

$$\displaystyle{E : y^{2} = x^{3} - 6x^{2} + 17x.}$$

This equation has discriminant Δ = −147968 = −2⁹17², so our set S is $\{\infty ,2,17\}$ and we may identify $\mathbb{Q}(S,2)$ with { ± 1, ±2, ±17, ±34}. The curve that is 2-isogenous to E has equation

$$\displaystyle{E : Y ^{2} = X^{3} + 12X^{2} - 32X,}$$

and for $d \in \mathbb{Q}(S,2)$, the corresponding homogeneous space is

$$\displaystyle{C_{d} : dw^{2} = d^{2} + 12dz^{2} - 32z^{4}.}$$

From (X.4.9) we know that the point $(0,0) \in E'(\mathbb{Q})$ maps to

$$\displaystyle{\delta (0,0) = -32 \equiv -2\pmod (\mathbb{Q}^{{\ast}})^{2},}$$

so $-2 \in S^{(\phi )}(E/\mathbb{Q})$. It remains to check the other values of $d \in \mathbb{Q}(S,2)$.

$$\displaystyle{\fbox{ $d = 2$}C_{2} : 2w^{2} = 4 + 24z^{2} - 32z^{4}.}$$

Dividing by 2 and letting z = Z∕2 gives the equation

$$\displaystyle{w^{2} = 2 + 3Z^{2} - Z^{4},}$$

which by inspection has the rational point (Z, w) = (1, 2). Then (X.4.9) tells us that the point $(z,w) = (\frac{1} {2},2) \in C_{2}(\mathbb{Q})$ maps to to $\psi (\frac{1} {2},2) = (8,-32) \in E'(\mathbb{Q})$. Further, as the theory predicts, we have $\delta (8,-32) = 8 \equiv 2\ (\text{ mod}\ (\mathbb{Q}^{{\ast}})^{2})$.

$$\displaystyle{\fbox{ $d = 17$}C_{17} : 17w^{2} = 17^{2} + 12 \cdot 17z^{2} - 32z^{4}.}$$

Suppose that $C_{17}(\mathbb{Q}_{17})\neq \emptyset$. Since $\mathop{\mathrm{ord}}\nolimits _{17}(17w^{2})$ is odd and $\mathop{\mathrm{ord}}\nolimits _{17}(32z^{4})$ is even, we see that necessarily $z,w \in \mathbb{Z}_{17}$. But then the equation for C ₁₇ implies first that $z \equiv 0\ (\text{ mod}\ 17)$, then that $w \equiv 0\ (\text{ mod}\ 17)$, and finally that $17^{2} \equiv 0\ (\text{ mod}\ 17^{3})$. This contradiction shows that $C_{17}(\mathbb{Q}_{17}) =\emptyset$, and hence that $17\notin S^{(\phi )}(E/\mathbb{Q})$.

We now know that

$$\displaystyle{1,-2,2 \in S^{(\phi )}(E/\mathbb{Q})\qquad \text{and}\qquad 17\notin S^{(\phi )}(E/\mathbb{Q}).}$$

Since $S^{(\phi )}(E/\mathbb{Q})$ is a subgroup of $\mathbb{Q}(S,2)$, we have $S^{(\phi )}(E/\mathbb{Q}) =\{ \pm 1,\pm 2\}$. Further, we have shown that $E'(\mathbb{Q})$ surjects onto $S^{(\phi )}(E/\mathbb{Q})$, and hence from (X.4.2a) we see that .

We now repeat the above computation with the roles of E and E′ reversed. Thus for $d \in \mathbb{Q}(S,2)$ we look at the homogeneous space

$$\displaystyle{C_{d}' : dw^{2} = d^{2} - 24dz^{2} + 272z^{4}.}$$

As above, the point $(0,0) \in E(\mathbb{Q})$ maps to $\delta (0,0) = 272 \equiv 17\ (\text{ mod}\ (\mathbb{Q}^{{\ast}})^{2})$. Next, if d < 0, then clearly $C_{d}'(\mathbb{R}) =\emptyset$, so $d\notin S^{(\hat{\phi })}(E'/\mathbb{Q})$. Finally, for d = 2, if we let z = Z∕2, then C ₂′ has the equation

$$\displaystyle{2w^{2} = 4 - 12Z^{2} + 17Z^{4}.}$$

If $C_{2}'(\mathbb{Q}_{2})\neq \emptyset$, then necessarily $Z,w \in \mathbb{Z}_{2}$, and then the equation allows us to deduce successively

$$\displaystyle{Z \equiv 0\pmod 2,\qquad w \equiv 0\pmod 2,\qquad 4 \equiv 0\pmod 2^{3}.}$$

Therefore $C_{2}(\mathbb{Q}_{2}) =\emptyset$, and hence $2\notin S^{(\hat{\phi })}(E'/\mathbb{Q})$. Thus $S^{(\hat{\phi })}(E'/\mathbb{Q}) =\{ 1,17\}$ and .

To recapitulate, we now know that

$$\displaystyle{E'(\mathbb{Q})/\phi {\bigl (E(\mathbb{Q})\bigr )}\mathop{\cong}(\mathbb{Z}/2\mathbb{Z})^{2}\qquad \text{and}\qquad E(\mathbb{Q})/\hat{\phi }{\bigl (E'(\mathbb{Q})\bigr )}\mathop{\cong}\mathbb{Z}/2\mathbb{Z},}$$

the former being generated by ${\bigl \{(0,0),\,(8,-32)\bigr \}}$ and the latter by ${\bigl \{(0,0)\bigr \}}$. The exact sequence (X.4.7) then yields

$$\displaystyle{E(\mathbb{Q})/2E(\mathbb{Q})\mathop{\cong}(\mathbb{Z}/2\mathbb{Z})^{2}\qquad \text{and}\qquad E'(\mathbb{Q})/2E'(\mathbb{Q})\mathop{\cong}(\mathbb{Z}/2\mathbb{Z})^{2},}$$

and hence

$$\displaystyle{E(\mathbb{Q})\mathop{\cong}E'(\mathbb{Q})\mathop{\cong}\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}.}$$

Remark 4.11.

In all of the examples up to this point, we have been lucky in the sense that for every locally trivial homogeneous space that has appeared, we were able to find (by inspection) a global rational point. Another way to say this is that we have yet to see a nontrivial element of the Shafarevich–Tate group. The first examples of such spaces are due to Lind [150] and independently, but a bit later, to Reichardt [207]. For example, they proved that the curve

$$\displaystyle{2w^{2} = 1 - 17z^{4}}$$

has no $\mathbb{Q}$-rational points, while it is easy to check that it has a point defined over every $\mathbb{Q}_{p}$. Shortly thereafter, Selmer [225, 227] made an extensive study of the curves ax ³ + by ³ + cz ³ = 0, which are homogeneous spaces for the elliptic curves x ³ + y ³ + dz ³ = 0. He gave many examples of locally trivial, globally nontrivial homogeneous spaces, of which the simplest is

$$\displaystyle{3x^{3} + 4y^{3} + 5z^{3} = 0.}$$

It is a difficult problem, in general, to divide the Selmer group into the piece coming from rational points on the elliptic curve and the piece giving nontrivial elements of the Shafarevich–Tate group. At present there is no algorithm known that is guaranteed to solve this problem. The procedure that we now describe often works in practice, although it tends to lead to fairly elaborate computations in algebraic number fields.

Recall that for each integer m ≥ 2 there is an exact sequence (X.4.2a)

where at least in theory, the finite group S ^(m)(E∕K) is effectively computable; see (X.4.5). If we knew some way of computing , then we could find generators for E(K)∕mE(K), and thence for E(K). Unfortunately, a general procedure for computing is still being sought. However, for each integer n ≥ 1 we can combine different versions of the above exact sequence to form a commutative diagram

Now at least in principle, the middle column of this diagram is effectively computable. This allows us to make the following refinement to the exact sequence in (X.4.2a).

Proposition 4.12.

Let E∕K be an elliptic curve. For any integers m ≥ 2 and n ≥ 1, let S ^(m,n) (E∕K) be the image of $S^{(m^{n}) }(E/K)$ in S ^(m) (E∕K). Then there exists an exact sequence

Proof.

This is immediate from the commutative diagram given above. □

Now to find generators for E(K), we can try the following procedure. Compute successively the relative Selmer groups

$$\displaystyle{S^{(m)}(E/K) = S^{(m,1)}(E/K) \supset S^{(m,2)}(E/K) \supset S^{(m,3)}(E/K) \supset \cdots }$$

and the rational-point groups

$$\displaystyle{T_{(m,1)}(E/K) \subset T_{(m,2)}(E/K) \subset T_{(m,3)}(E/K) \subset \cdots \,,}$$

where T _(m, r)(E∕K) is the subgroup of S ^(m)(E∕K) generated by all of the points P ∈ E(K) with height h _x(P) ≤ r. Eventually, with sufficient perseverance, we hope to arrive at an equality

$$\displaystyle{S^{(m,n)}(E/K) = T_{ (m,r)}(E/K).}$$

Once this happens, we know that and that the points with height h _x(P) ≤ r generate E(K)∕mE(K). The difficulty lies in the fact that as far as is currently known, there is nothing to prevent from containing an element that is infinitely m-divisible, i.e., a nonzero element such that for every n ≥ 1 there is an element satisfying $\xi = m^{n}\xi _{n}$. If such an element exists, then the above procedure never terminates. However, opposed to such a gloomy scenario is the following optimistic conjecture.

Conjecture 4.13.

Let E∕K be an elliptic curve. Then is finite. !

The finiteness of has been proven for certain elliptic curves by Kolyvagin [130] and Rubin [215]. Note that the successful carrying out of the procedure described above shows only that the m-primary component of is finite. This has, of course, been done in many cases. For example, in (X.4.10) we showed that for a particular elliptic curve.

We conclude this section with a beautiful result of Cassels, which says something interesting about the order of a group that is not known in general to be finite.

Theorem 4.14.

( [38] , [281] ) Let E∕K be an elliptic curve. There exists an alternating bilinear pairing

whose kernel on each side is exactly the subgroup of divisible elements of . In other words, if $\varGamma (\alpha ,\beta ) = 0$ for all , then for every integer N ≥ 1 there exists an element satisfying Nα _N = α.

In particular, if is finite, then its order is a perfect square, and the same is true of any p-primary component of . (See Exercise 10.20 .)

X.5 Twisting—Elliptic Curves

As in (X §§2,3), we let K be an arbitrary (perfect) field and we let E∕K be an elliptic curve. We saw in (X.2.2) that if we consider E merely to be a curve and ignore the base point O, then the twists of E∕K correspond to the elements of the (pointed) cohomology set $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Isom}}\nolimits (E)\bigr )}$. The group $\mathop{\mathrm{Isom}}\nolimits (E)$ has two natural subgroups, namely $\mathop{\mathrm{Aut}}\nolimits (E)$ and E, where we identify E with the set of translations {τ _P} in $\mathop{\mathrm{Isom}}\nolimits (E)$. We also observe that $\mathop{\mathrm{Aut}}\nolimits (E)$ acts naturally on E. The next proposition describes $\mathop{\mathrm{Isom}}\nolimits (E)$.

Proposition 5.1.

The map

$$\displaystyle{E \times \mathop{\mathrm{Aut}}\nolimits (E)\longrightarrow \mathop{\mathrm{Isom}}\nolimits (E),\qquad (P,\alpha )\longmapsto \tau _{P}\circ \alpha ,}$$

is a bijection of sets. It identifies $\mathop{\mathrm{Isom}}\nolimits (E)$ with the product of E and $\mathop{\mathrm{Aut}}\nolimits (E)$ twisted by the natural action of $\mathop{\mathrm{Aut}}\nolimits (E)$ on E. In other words, the group $\mathop{\mathrm{Isom}}\nolimits (E)$ is the set of ordered pairs $E \times \mathop{\mathrm{Aut}}\nolimits (E)$ with the group law

$$\displaystyle{(P,\alpha ) \cdot (Q,\beta ) = (P +\alpha Q,\alpha \circ \beta ).}$$

Proof.

Let $\phi \in \mathop{\mathrm{Isom}}\nolimits (E)$. Then $\tau _{-\phi (O)}\circ \phi \in \mathop{\mathrm{Aut}}\nolimits (E)$, so writing

$$\displaystyle{\phi =\tau _{\phi (O)} \circ \left (\tau _{-\phi (O)}\circ \phi \right )}$$

shows that the map is surjective. On the other hand, if τ _P ∘α = τ _Q ∘β, then evaluating at O gives P = Q, and then also α = β. This proves injectivity. Finally, the twisted nature of the group law follows from the calculation

$$\displaystyle{\tau _{P} \circ \alpha \circ \tau _{Q}\circ \beta =\tau _{P} \circ \tau _{\alpha Q} \circ \alpha \circ \beta .}$$

□

We have already extensively studied those twists of E∕K that arise from translations; these are the twists corresponding to elements of the group

$$\displaystyle{H^{1}(G_{\bar{ K}/K},E)\mathop{\cong}\mathop{\mathrm{WC}}\nolimits (E/K)}$$

that we studied in (X §§3,4). We now look at the twists of E∕K coming from isomorphisms of E as an elliptic curve, i.e., isomorphisms of the pair (E, O). In other words, we consider the twists of E corresponding to elements of the cohomology group $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}$. We start with a general proposition and then, for $\mathop{\mathrm{char}}\nolimits (K)\neq 2,3$, we derive explicit equations for the associated twists.

Remark 5.2.

In the literature, the phrase “let C be a twist of E” generally means that C corresponds to an element of $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}$. More properly, such a C should be called a twist of the pair (E, O), since the group of isomorphisms of (E, O) with itself is the group we denote by $\mathop{\mathrm{Aut}}\nolimits (E)$. However, one can generally resolve any ambiguity from context.

Proposition 5.3.

Let E∕K be an elliptic curve.

(a)
The natural inclusion $\mathop{\mathrm{Aut}}\nolimits (E) \subset \mathop{\mathrm{Isom}}\nolimits (E)$ induces an inclusion
$$\displaystyle{H^{1}{\bigl (G_{\bar{ K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )} \subset H^{1}{\bigl (G_{\bar{ K}/K},\mathop{\mathrm{Isom}}\nolimits (E)\bigr )}.}$$
Identifying the latter set with $\mathop{\mathrm{Twist}}\nolimits (E/K)$ via (X.2.2), we denote the former by $\mathop{\mathrm{Twist}}\nolimits {\bigl ((E,O)/K\bigr )}$ .
(b)
Let $C/K \in \mathop{\mathrm{Twist}}\nolimits {\bigl ((E,O)/K\bigr )}$ . Then C(K) ≠ ∅ , so C∕K can be given the structure of an elliptic curve over K. N.B. The curve C∕K is generally not K-isomorphic to E∕K; cf. (X.3.3).
(c)
Conversely, if E′∕K is an elliptic curve that is isomorphic to E over $\bar{K}$ , then E′∕K represents an element of $\mathop{\mathrm{Twist}}\nolimits {\bigl ((E,O)/K\bigr )}$ .

Proof.

(a) Let $i :\mathop{ \mathrm{Aut}}\nolimits (E) \rightarrow \mathop{\mathrm{Isom}}\nolimits (E)$ be the natural inclusion. From (X.5.1), there is a homomorphism $j :\mathop{ \mathrm{Isom}}\nolimits (E) \rightarrow \mathop{\mathrm{Aut}}\nolimits (E)$ satisfying j ∘ i = 1. It follows that the induced map

$$\displaystyle{H^{1}{\bigl (G_{\bar{ K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}\mathop{\longrightarrow}\limits_{}^{\;i\;}H^{1}{\bigl (G_{\bar{ K}/K},\mathop{\mathrm{Isom}}\nolimits (E)\bigr )}}$$

is one-to-one.

(b)Let ϕ : C → E be an isomorphism defined over $\bar{K}$ such that the cocycle

$$\displaystyle{\sigma \longmapsto \phi ^{\sigma } \circ \phi ^{-1}}$$

represents the element of $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}$ corresponding to C∕K. Then we have $\phi ^{\sigma } \circ \phi ^{-1}(O) = O$, so

$$\displaystyle{\phi ^{-1}(O) = \phi ^{-1}(O)^{\sigma }\qquad \mbox{ for all $\sigma \in G_{\bar{ K}/K}$.}}$$

Hence ϕ ⁻¹(O) ∈ C(K), so ${\bigl (C,\phi ^{-1}(O)\bigr )}$ is an elliptic curve defined over K.

(c)Let ϕ : E′ → E be a $\bar{K}$-isomorphism of elliptic curves, so in particular, ϕ(O′) = O, where O ∈ E(K) and O′ ∈ E′(K) are the respective zero points of E and E′. Then for any $\sigma \in G_{\bar{K}/K}$ we have

$$\displaystyle{\phi ^{\sigma } \circ \phi ^{-1}(O) = \phi ^{\sigma }(O') =\phi (O')^{\sigma } = O^{\sigma } = O.}$$

Thus $\phi ^{\sigma } \circ \phi ^{-1} \in \mathop{\mathrm{Aut}}\nolimits (E)$, so the cocycle corresponding to E′∕K lies in the group $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}$ as desired. □

If the characteristic of K is not equal to 2 or 3, then the elements of the group $\mathop{\mathrm{Twist}}\nolimits {\bigl ((E,O)/K\bigr )}$ can be described quite explicitly.

Proposition 5.4.

Assume that $\mathop{\mathrm{char}}\nolimits (K)\neq 2,3$ , and let

$$\displaystyle{n = \left \{\begin{array}{@{}l@{\quad }l@{}} 2\quad &\mbox{ if $j(E)\neq 0,1728$,} \\ 4\quad &\mbox{ if $j(E) = 1728$,} \\ 6\quad &\mbox{ if $j(E) = 0$.}\\ \quad \end{array} \right .}$$

Then $\mathop{\mathrm{Twist}}\nolimits {\bigl ((E,O)/K\bigr )}$ is canonically isomorphic to K ^∗ ∕(K ^∗ ) ⁿ .

More precisely, choose a Weierstrass equation

$$\displaystyle{E : y^{2} = x^{3} + Ax + B}$$

for E∕K, and let D ∈ K ^∗ . Then the elliptic curve $E_{D} \in \mathop{\mathrm{Twist}}\nolimits {\bigl ((E,O)/K\bigr )}$ corresponding to $D\ (\text{ mod}\ (K^{{\ast}})^{n})$ has Weierstrass equation

Table 2

Full size table

Corollary 5.4.1.

Define an equivalence relation on the set K × K ^∗ by

$$\displaystyle{(j,D) \sim (j',D')\qquad \mbox{ if $j = j'$ and $D/D' \in (K^{{\ast}})^{n(j)}$,}}$$

where n(j) = 2 ( respectively 4, respectively 6 ) if j ≠ 0,1728 ( respectively j = 1728, respectively j = 0 ) . Then the K-isomorphism classes of elliptic curves E∕K are in one-to-one correspondence with the elements of the quotient

$$\displaystyle{\frac{K \times K^{{\ast}}} {\sim } .}$$

Proof.

From (III.10.2.) we have an isomorphism

$$\displaystyle{\mathop{\mathrm{Aut}}\nolimits (E)\mathop{\cong}\boldsymbol{\mu }_{n}}$$

of $G_{\bar{K}/K}$-modules. It follows from (B.2.5c) that

$$\displaystyle{\mathop{\mathrm{Twist}}\nolimits {\bigl ((E,O)/K\bigr )} = H^{1}{\bigl (G_{\bar{ K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}\mathop{\cong}H^{1}(G_{\bar{ K}/K},\boldsymbol{\mu }_{n})\mathop{\cong}K^{{\ast}}/(K^{{\ast}})^{n}.}$$

The calculation of an equation for the twist of E is straightforward. The case j(E) ≠ 0, 1728 was done in (X.2.4). We do j(E) = 1728 here and leave j(E) = 0 for the reader.

Thus let D ∈ K ^∗, let $\delta \in \bar{K}$ be a fourth root of D, and define a cocycle

$$\displaystyle{\xi : G_{\bar{K}/K}\longrightarrow \boldsymbol{\mu }_{4},\qquad \xi _{\sigma } = \delta ^{\sigma }/\delta .}$$

We also fix an isomorphism

$$\displaystyle{[\;\;] :\boldsymbol{\mu } _{4}\longrightarrow \mathop{ \mathrm{Aut}}\nolimits (E),\qquad [\zeta ](x,y) = (\zeta ^{2}x,\zeta y).}$$

Then E _D corresponds to the cocycle $\sigma \mapsto [\xi _{\sigma }]$ in $H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}$.

The action of $G_{\bar{K}/K}$ on the twisted field $\bar{K}(E)_{\xi }$ is given by

$$\displaystyle{\delta ^{\sigma } =\xi _{\sigma }\delta ,\qquad x^{\sigma } =\xi _{ \sigma }^{2}x,\qquad y^{\sigma } =\xi _{\sigma }y.}$$

The subfield fixed by $G_{\bar{K}/K}$ thus contains the functions

$$\displaystyle{X = \delta ^{-2}x\qquad \text{and}\qquad Y = \delta ^{-1}y,}$$

and these functions satisfy the equation

$$\displaystyle{Y ^{2} = DX^{3} + AX.}$$

This gives an equation for the twist E _D∕K, and the substitution

$$\displaystyle{(X,Y ) = (D^{-1}X',D^{-1}Y ')}$$

puts it into the desired form.

The corollary follows by combining the proposition and (X.5.3c) with (III.1.4bc), which says that up to $\bar{K}$-isomorphism, the elliptic curves E∕K are in one-to-one correspondence with their j-invariants j(E) ∈ K. □

X.6 The Curve Y ² = X ³ + DX

Many of the deepest theorems and conjectures in the arithmetic theory of elliptic curves have had as their testing ground one of the families of curves given in (X.5.4). To illustrate the theory that we have developed, let’s see what we can say about the family of elliptic curves $E/\mathbb{Q}$ with j-invariant j(E) = 1728.

One such curve is given by the equation

$$\displaystyle{y^{2} = x^{3} + x,}$$

and then (X.5.3) and (X.5.4) tell us that every such curve has an equation of the form

$$\displaystyle{E : y^{2} = x^{3} + Dx,}$$

where D ranges over representatives for the cosets in $\mathbb{Q}^{{\ast}}/(\mathbb{Q}^{{\ast}})^{4}$. Thus if we specify that D is a fourth-power-free integer, then D is uniquely determined by E. We observe that the equation for E has discriminant Δ(E) = −64D ³, so E has good reduction at all primes not dividing 2D, and the given Weierstrass equation is minimal at all odd primes.

Let p be a prime not dividing 2D and consider the reduced curve $\tilde{E}$ over the finite field $\mathbb{F}_{p}$. From (V.4.1) we find that $\tilde{E}$ is supersingular if and only if the coefficient of x ^p−1 in (x ³ + Dx)^(p−1)∕2 is zero. In particular, if $p \equiv 3\ (\text{ mod}\ 4)$, then $\tilde{E}/\mathbb{F}_{p}$ is supersingular, and hence we conclude (see Exercise 5.10) that

$$\displaystyle{\#\tilde{E}(\mathbb{F}_{p}) = p + 1\qquad \mbox{ for all $p \equiv 3(\text{ mod}4)$.}}$$

(See Exercise 10.17 for an elementary derivation of this result.)

Next we recall from (VII.3.5) that if p ≠ 2 and if E has good reduction at p, then $E_{\text{tors}}(\mathbb{Q})$ injects into the reduction $\tilde{E}(\mathbb{F}_{p})$. It follows from this discussion that $\#E_{\text{tors}}(\mathbb{Q})$ divides p + 1 for all but finitely many primes $p \equiv 3\ (\text{ mod}\ 4)$, and hence that $\#E_{\text{tors}}(\mathbb{Q})$ divides 4. Since $(0,0) \in E(\mathbb{Q})[2]$, the possibilities for $E_{\text{tors}}(\mathbb{Q})$ are $\mathbb{Z}/2\mathbb{Z}$, $(\mathbb{Z}/2\mathbb{Z})^{2}$, and $\mathbb{Z}/4\mathbb{Z}$.

We have $E[2] \subset E(\mathbb{Q})$ if and only if the polynomial x ³ + Dx factors completely over $\mathbb{Q}$, so if and only if − D is a perfect square. Similarly, $E(\mathbb{Q})$ has a point of order 4 if and only if $(0,0) \in 2E(\mathbb{Q})$. The duplication formula for E reads

$$\displaystyle{x(2P) = \frac{(x^{2} - D)^{2}} {4x^{3} + 4Dx},}$$

so we see that

$$\displaystyle{(0,0) = [2]{\bigl (D^{1/2},(4D^{3})^{1/4}\bigr )}.}$$

Hence assuming that D is a fourth-power-free integer, we conclude that

$$\displaystyle{(0,0) \in 2E(\mathbb{Q})\quad \text{if and only if}\quad D = 4,}$$

in which case (0, 0) = [2](2, ±4).

Next, since $E(\mathbb{Q})$ contains a 2-torsion point, we can use (X.4.9) to try to calculate $E(\mathbb{Q})/2E(\mathbb{Q})$. The curve E is isogenous to the curve

$$\displaystyle{E' : Y ^{2} = X^{3} - 4DX}$$

via the isogeny

$$\displaystyle{\phi : E\longrightarrow E',\qquad \phi (x,y) = \left (\frac{y^{2}} {x^{2}}, \frac{y(D - x^{2})} {x^{2}} \right ).}$$

The set $S \subset M_{\mathbb{Q}}$ consists of $\infty $ and the primes dividing 2D, and for each $d \in \mathbb{Q}(S,2)$, the corresponding homogeneous space $C_{d}/\mathbb{Q} \in \mathop{\mathrm{WC}}\nolimits (E/\mathbb{Q})$ is given by the equation

$$\displaystyle{C_{d} : dw^{2} = d^{2} - 4Dz^{4}.}$$

Similarly, working with the dual isogeny $\hat{\phi }: E' \rightarrow E$ leads to the homogeneous spaces $C_{d}'/\mathbb{Q} \in \mathop{\mathrm{WC}}\nolimits (E'/\mathbb{Q})$ with equations

$$\displaystyle{C_{d}' : dW^{2} = d^{2} + DZ^{4}.}$$

(More precisely, using (X.4.9) leads to the equation dW ² = d ² + 16DZ ⁴, but we are free to replace Z with Z∕2.)

Let ν(2D) denote the number of distinct primes dividing 2D. The group $\mathbb{Q}(S,2)$ is generated by − 1 and the primes dividing 2D, so we have the estimate

$$\displaystyle{\dim _{2}E(\mathbb{Q})/2E(\mathbb{Q}) \leq 2 + 2\nu (2D) -\dim _{2}E'(\mathbb{Q})[\hat{\phi }] +\dim _{2}\phi {\bigl (E(\mathbb{Q})[2]\bigr )}.}$$

Here $\dim _{2}$ denotes the dimension of an $\mathbb{F}_{2}$-vector space. We clearly have

$$\displaystyle{E'(\mathbb{Q})[\hat{\phi }]\mathop{\cong}\mathbb{Z}/2\mathbb{Z}.}$$

In order to deal with the other two terms, we consider two cases.

(1)
$E(\mathbb{Q})[2]\mathop{\cong}\mathbb{Z}/2\mathbb{Z}$. Then $\phi {\bigl (E(\mathbb{Q})[2]\bigr )}\mathop{\cong}0$ and $\dim _{2}E(\mathbb{Q})/2E(\mathbb{Q}) =\mathop{ \mathrm{rank}}\nolimits E(\mathbb{Q}) + 1$.
(2)
$E(\mathbb{Q})[2]\mathop{\cong}\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$. Then $\phi {\bigl (E(\mathbb{Q})[2]\bigr )}\mathop{\cong}\mathbb{Z}/2\mathbb{Z}$ and $\dim _{2}E(\mathbb{Q})/2E(\mathbb{Q}) =\mathop{ \mathrm{rank}}\nolimits E(\mathbb{Q}) + 2$.

Substituting these values into the above inequality yields in both cases the estimate

$$\displaystyle{\mathop{\mathrm{rank}}\nolimits E(\mathbb{Q}) \leq 2\nu (2D).}$$

Notice that we have obtained this upper bound without having checked for local triviality of any of the homogeneous spaces C _d and C _d′. By inspection, if d < 0, then either $C_{d}(\mathbb{R}) =\emptyset$ or $C_{d}'(\mathbb{R}) =\emptyset$. Thus the upper bound my be decreased by 1, giving the small improvement

$$\displaystyle{\mathop{\mathrm{rank}}\nolimits E(\mathbb{Q}) \leq 2\nu (2D) - 1.}$$

The preceding discussion is summarized in the following proposition.

Proposition 6.1.

Let $D \in \mathbb{Z}$ be a fourth-power-free integer, and let E _D be the elliptic curve

$$\displaystyle{E_{D} : y^{2} = x^{3} + Dx.}$$

(a)
$$\displaystyle{E_{D,\text{tors}}(\mathbb{Q})\mathop{\cong}\left \{\begin{array}{@{}l@{\quad }l@{}} \mathbb{Z}/4\mathbb{Z} \quad &\mbox{ if $D = 4$,} \\ \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}\quad &\mbox{ if $ - D$ is a perfect square,} \\ \mathbb{Z}/2\mathbb{Z} \quad &\text{otherwise.}\\ \quad \end{array} \right .}$$
(b)
$$\displaystyle{\mathop{\mathrm{rank}}\nolimits E(\mathbb{Q}) \leq 2\nu (2D) - 1.}$$

Remark 6.1.1.

The estimate in (X.6.1b) cannot be improved in general. For example, the curve E : y ² = x ³ − 82x has

$$\displaystyle{\mathop{\mathrm{rank}}\nolimits E(\mathbb{Q}) = 3,}$$

while ν(−164) = ν(2⁴ ⋅ 41) = 2. See Exercise 10.18.

We now restrict attention to the special case that D = p is an odd prime. The next proposition gives a complete description of the relevant Selmer groups and deduces corresponding upper bounds for the rank of $E(\mathbb{Q})$ and the dimension of .

Proposition 6.2.

Let p be an odd prime, let E _p be the elliptic curve

$$\displaystyle{E_{p} : y^{2} = x^{3} + px,}$$

and let ϕ : E _p → E _p ′ be the isogeny of degree 2 with kernel $E_{p}[\phi ] ={\bigl \{ O,(0,0)\bigr \}}$.

(a)
$$\displaystyle{E_{p,\text{tors}}(\mathbb{Q})\mathop{\cong}\mathbb{Z}/2\mathbb{Z}.}$$
(b)
$$\displaystyle\begin{array}{rcl} S^{(\hat{\phi })}(E_{ p}'/\mathbb{Q})& \mathop{\cong}& \mathbb{Z}/2\mathbb{Z}. {}\\ S^{(\phi )}(E_{ p}/\mathbb{Q})& \mathop{\cong}& \left \{\begin{array}{@{}l@{\quad }l@{}} \mathbb{Z}/2\mathbb{Z} \quad &\mbox{ if $p \equiv 7,11(\text{ mod}16)$,} \\ (\mathbb{Z}/2\mathbb{Z})^{2}\quad &\mbox{ if $p \equiv 3,5,13,15(\text{ mod}16)$,} \\ (\mathbb{Z}/2\mathbb{Z})^{3}\quad &\mbox{ if $p \equiv 1,9(\text{ mod}16)$.}\\ \quad \end{array} \right . {}\\ & & {}\\ \end{array}$$
(c)

Proof.

To ease notation, we let E = E _p and E′ = E _p′.

(a)This is a special case of (X.6.1a) .

(b)As usual, we take representatives { ± 1, ±2, ±p, ±2p} for the cosets in the finite group $\mathbb{Q}(S,2)$. From (X.4.9) we know that the images of the 2-torsion points in the Selmer groups are given by

$$\displaystyle{-p \in S^{(\phi )}(E/\mathbb{Q})\qquad \text{and}\qquad p \in S^{(\hat{\phi })}(E'/\mathbb{Q}).}$$

Further, if d < 0, then $C_{d}(\mathbb{R}) =\emptyset$, so $d\notin S^{(\hat{\phi })}(E'/\mathbb{Q})$.

Next we consider the homogeneous space

$$\displaystyle{C_{2}' : 2W^{2} = 4 + pZ^{4}.}$$

If $(Z,W) \in C_{2}'(\mathbb{Q}_{2})$, then necessarily $Z,W \in \mathbb{Z}_{2}$, which allows us to conclude that $Z \equiv 0\ (\text{ mod}\ 2)$, so $W \equiv 0\ (\text{ mod}\ 2)$, and thus $0 \equiv 4\ (\text{ mod}\ 8)$. Therefore $C_{2}'(\mathbb{Q}_{2}) =\emptyset$, and hence $2\notin S^{(\hat{\phi })}(E'/\mathbb{Q})$. We now know that

$$\displaystyle{p \in S^{(\hat{\phi })}(E'/\mathbb{Q})\qquad \text{and}\qquad - 1,\pm 2,-p,-2p\notin S^{(\hat{\phi })}(E'/\mathbb{Q}).}$$

It follows that $S^{(\hat{\phi })}(E'/\mathbb{Q}) =\{ 1,p\} \equiv \mathbb{Z}/2\mathbb{Z}$.

It remains to calculate $S^{(\phi )}(E/\mathbb{Q})$, and from the form of the answer, it is clear that there will be many cases to be considered. The best approach is to look at the various $d \in \mathbb{Q}(S,2)$ and check for which primes the homogeneous space is locally trivial. Note that (X.4.9) says that

$$\displaystyle{d \in S^{(\phi )}(E/\mathbb{Q})\qquad \text{if and only if}\qquad C_{ d}(\mathbb{Q}_{p})\neq \emptyset \quad \text{and}\quad C_{d}(\mathbb{Q}_{2})\neq \emptyset ,}$$

i.e., it suffices to check whether C _d is locally trivial at the primes p and 2. We make frequent use of Hensel’s lemma (Exercise 10.12), which gives a criterion for when a solution of an equation modulo q ⁿ lifts to a solution in $\mathbb{Q}_{q}$.

$$\displaystyle{\fbox{ $d = -1$}C_{-1} : w^{2} + 1 = 4pz^{4}.}$$

(i)
If $(z,w) \in C_{-1}(\mathbb{Q}_{p})$, then necessarily $z,w \in \mathbb{Z}_{p}$, so $w^{2} \equiv -1\ (\text{ mod}\ p)$. Conversely, from Exercise 10.12 we see that any solution to the congruence $w^{2} \equiv -1\ (\text{ mod}\ p)$ lifts to a point in $C_{-1}(\mathbb{Q}_{p})$. Therefore
$$\displaystyle{C_{-1}(\mathbb{Q}_{p})\neq \emptyset \quad \Longleftrightarrow\quad p \equiv 1\pmod 4.}$$
(ii)
From (i) we may assume that $p \equiv 1\ (\text{ mod}\ 4)$. If $p \equiv 1\ (\text{ mod}\ 8)$, then we let
$$\displaystyle{\mbox{ $(z,w) = (Z/4,W/8)$}.}$$
Our equation becomes W ² + 64 = pZ ⁴, and the solution (1, 1) to the congruence
$$\displaystyle{W^{2} + 64 \equiv pZ^{4}\pmod 8}$$
lifts to a point in $C_{-1}(\mathbb{Q}_{2})$. Similarly, if $p \equiv 5\ (\text{ mod}\ 8)$, then we let
$$\displaystyle{\mbox{ $(z,w) = (Z/2,W/2)$}}$$
and consider the solution (Z, W) = (1, 1) to the congruence
$$\displaystyle{W^{2} + 4 = pZ^{4}\pmod 8.}$$
This solution lifts to a point in $C_{-1}(\mathbb{Q}_{2})$. This shows that if $p \equiv 1\ (\text{ mod}\ 4)$, then $C_{-1}(\mathbb{Q}_{2})\neq \emptyset$.

Combining (i) and (ii) yields

$$\displaystyle{-1 \in S^{(\phi )}(E/\mathbb{Q})\quad \Longleftrightarrow\quad p \equiv 1\pmod 4.}$$

$$\displaystyle{\fbox{ $d = -2$}C_{-2} : w^{2} + 2 = 2pz^{4}.}$$

(i)
If $(z,w) \in C_{-2}(\mathbb{Q}_{p})$, then $z,w \in \mathbb{Z}_{p}$ and $w^{2} \equiv -2\ (\text{ mod}\ p)$. Conversely, a solution to $w^{2} \equiv -2\ (\text{ mod}\ p)$ lifts to a point of $C_{-1}(\mathbb{Q}_{p})$. Therefore
$$\displaystyle{C_{-2}(\mathbb{Q}_{p})\neq \emptyset \quad \Longleftrightarrow\quad p \equiv 1,3\pmod 8.}$$
(ii)
If $(z,w) \in C_{-2}(\mathbb{Q}_{2})$, then $z,w \in \mathbb{Z}_{2}$ and $w \equiv 0\ (\text{ mod}\ 2)$. So after setting (z, w) = (Z, 2W), we must check whether the equation
$$\displaystyle{2W^{2} + 1 = pZ^{4}}$$
has any solutions $Z,W \in \mathbb{Z}_{2}$. From (i) we see that it suffices to consider primes $p \equiv 1,3\ (\text{ mod}\ 8)$. The congruence $2W^{2} + 1 \equiv pZ^{4}\ (\text{ mod}\ 16)$ has no solutions if $p \equiv 11\ (\text{ mod}\ 16)$, so
$$\displaystyle{p \equiv 11\pmod 16\quad \Longrightarrow\quad C_{-2}(\mathbb{Q}_{2}) =\emptyset .}$$
On the other hand, if we can find solutions modulo 2⁵ = 32, then Exercise 10.12 says that they lift to points in $C_{-2}(\mathbb{Q}_{2})$. The following table gives solutions (Z, W) to the congruence
$$\displaystyle{2W^{2} + 1 \equiv pZ^{4}\pmod 32}$$
for each of the remaining values of $p\bmod 32$:
$$\displaystyle{\begin{array}{|c|c|c|c|c|c|c|} \hline p\bmod 32 & 1 & 3 & 9 & 17 & 19 & 25 \\ \hline (Z,W)&(1,0)&(3,11)&(1,2)&(3,0)&(1,3)&(3,2) \\ \hline\end{array} }$$

Combining (i) and (ii), we have proven that

$$\displaystyle{-2 \in S^{(\phi )}(E/\mathbb{Q})\quad \Longleftrightarrow\quad p \equiv 1,3,9\pmod 16.}$$

$$\displaystyle{\fbox{ $d = 2$}C_{2} : w^{2} = 2 - 2pz^{4}.}$$

This case is entirely similar to the case d = −2 that we just completed. A point $(z,w) \in C_{2}(\mathbb{Q}_{p})$ has $z,w \in \mathbb{Z}_{p}$ and $w^{2} \equiv 2\ (\text{ mod}\ p)$, and any such solutions lifts, so

$$\displaystyle{C_{2}(\mathbb{Q}_{p})\neq \emptyset \quad \Longleftrightarrow\quad p \equiv 1,7\pmod 8.}$$

Next, if $p \equiv 1\ (\text{ mod}\ 8)$, then from above we have $-1,-2 \in S^{(\phi )}(E/\mathbb{Q})$, so certainly $2 \in S^{(\phi )}(E/\mathbb{Q})$. It remains to consider the case $p \equiv 7\ (\text{ mod}\ 8)$.

A point $(z,w) \in C_{2}(\mathbb{Q}_{2})$ satisfies (z, w) = (Z, 2W) with $Z,W \in \mathbb{Z}_{2}$ and

$$\displaystyle{2W^{2} = 1 - pZ^{4}.}$$

If $p \equiv 7\ (\text{ mod}\ 16)$, then this equation has no solutions modulo 16. On the other hand, if $p \equiv 15\ (\text{ mod}\ 16)$, then we have solutions

$$\displaystyle{\begin{array}{l@{\qquad \qquad }l} 2 \cdot 3^{2} \equiv 1 - p \cdot 1^{4}\pmod 32\qquad \qquad &\mbox{ if $p \equiv 15\pmod 32$,} \\ 2 \cdot 1^{2} \equiv 1 - p \cdot 1^{4}\pmod 32\qquad \qquad &\mbox{ if $p \equiv 31\pmod 32$,} \end{array} }$$

and these solutions lift to points in $C_{2}(\mathbb{Q}_{2})$. Putting all of this together, we have shown that

$$\displaystyle{2 \in S^{(\phi )}(E/\mathbb{Q})\quad \Longleftrightarrow\quad p \equiv 1,9,15\pmod 16.}$$

We have now determined exactly which of the values − 1, 2, and − 2 are in $S^{(\phi )}(E/\mathbb{Q})$ in terms of the residue of p modulo 16. Since we also know that $-p \in S^{(\phi )}(E/\mathbb{Q})$, it is now a simple matter to reconstruct the table for $S^{(\phi )}(E/\mathbb{Q})$ given in (b). In fact, we obtain more information, namely a precise list of which elements of $\mathbb{Q}(S,2)$ are in $S^{(\phi )}(E/\mathbb{Q})$.

(c)We use (X.4.7) and (X.4.2a) to compute

From (a) we see that

$$\displaystyle{E'(\mathbb{Q})/\phi {\bigl (E(\mathbb{Q})[2]\bigr )}\mathop{\cong}\mathbb{Z}/2\mathbb{Z}\qquad \text{and}\qquad E(\mathbb{Q})/2E(\mathbb{Q})\mathop{\cong}(\mathbb{Z}/2\mathbb{Z})^{1+\mathop{\mathrm{rank}}\nolimits E(\mathbb{Q})}.}$$

Further, since $E(\mathbb{Q})/\hat{\phi }\bigl (E'(\mathbb{Q}))\mathop{\cong}S^{(\hat{\phi })}(E'/\mathbb{Q})\mathop{\cong}\mathbb{Z}/2\mathbb{Z}$ from (b), the exact sequence given in (X.4.2a) implies that . Hence the exact sequence

gives

and combining this with the above results yields

Now (c) is immediate from the calculation of $S^{(\phi )}(E/\mathbb{Q})$ and $S^{(\hat{\phi })}(E'/\mathbb{Q})$ given in (b). □

Corollary 6.2.1.

There are infinitely many elliptic curves $E/\mathbb{Q}$ satisfying

Proof.

From (X.6.2), the elliptic curves y ² = x ³ + px with $p \equiv 7,11\ (\text{ mod}\ 16)$ have this property. □

Remark 6.3.

One of the consequences of (X.6.2) is that if p is a prime satisfying $p \equiv 5\ (\text{ mod}\ 8)$, then the elliptic curve

$$\displaystyle{E_{p} : y^{2} = x^{3} + px}$$

has rank at most one. Further, examining the proof of (X.6.2) shows that the group $E_{p}(\mathbb{Q})$ has rank 1 if and only if the homogeneous space

$$\displaystyle{C_{-1} : w^{2} + 1 = 4pz^{4}}$$

has a $\mathbb{Q}$-rational point, and if there is such a point, then we can find a point of infinite order in $E(\mathbb{Q})$ by using the map

$$\displaystyle{\hat{\phi }\circ \psi : C_{1}\longrightarrow E,\qquad \hat{\phi } \circ \psi (z,w) = \left ( \frac{w^{2}} {4z^{2}}, \frac{w(w^{2} + 2)} {8z^{3}} \right );}$$

cf. (X.4.9). Taking the first few primes $p \equiv 5\ (\text{ mod}\ 8)$, in each case we find points in $C_{-1}(\mathbb{Q})$, and these give points of infinite order in $E_{p}(\mathbb{Q})$ as listed in the following table:

$$\displaystyle{\begin{array}{|c|c|c|c|c|} \hline p & 5 & 13 & 29 & 37 \\ \hline(x,y)&\left (\frac{1} {4}, \frac{9} {8}\right )&\left (\frac{9} {4}, \frac{51} {8} \right )&\left (\frac{25} {4} , \frac{165} {8} \right )&\left (\frac{22801} {900} , \frac{3540799} {27000} \right )\\ \hline \end{array} }$$

Suppose that we knew, a priori, that the Shafarevich–Tate group was finite, or even that its 2-primary component was finite. Then the existence of the Cassels pairing (X.4.14) implies that is even, and hence that $E_{p}(\mathbb{Q})$ has rank 1 for all primes $p \equiv 5\ (\text{ mod}\ 8)$. This also follows from a conjecture of Selmer [226] concerning the difference between the number of “first and second descents,” and it is also a consequence of the conjecture of Birch and Swinnerton-Dyer (C.16.5). Bremner and Cassels [26, 27] have verified numerically that $\mathop{\mathrm{rank}}\nolimits E_{p}(\mathbb{Q}) = 1$ for all such primes less than 20000, and Monsky [182] has shown that $\mathop{\mathrm{rank}}\nolimits E_{p}(\mathbb{Q}) = 1$ for all primes $p \equiv 5\pmod 16$.

In order to give the reader an idea of the magnitude of the solutions that may occur, we mention that for p = 877, the Mordell–Weil group of the elliptic curve

$$\displaystyle{y^{2} = x^{3} + 877x}$$

is generated by the 2-torsion point (0, 0) and the point

$$\displaystyle{\left (\frac{612776083187947368101^{2}} {78841535860683900210^{2}} ,\frac{256256267988926809388776834045513089648669153204356603464786949} {78841535860683900210^{3}} \right ).}$$

Similarly, if $p \equiv 3,15\ (\text{ mod}\ 16)$ and if the 2-primary component of is finite, then (X.6.2) and (X.4.14) imply that $E_{p}(\mathbb{Q})$ has rank exactly one. The fact that the rank is one for any particular prime p may be verified numerically by searching for a point in $C_{-2}(\mathbb{Q})$ and $C_{2}(\mathbb{Q})$ respectively. See, for example, the tables in [20] and [54] and online at [53] and [274].

Remark 6.4.

If $p \equiv 7,11\ (\text{ mod}\ 16)$, then (X.6.2c) says that $E_{p}(\mathbb{Q})$ consists of only two points, while if $p \equiv 3,5,13,15\ (\text{ mod}\ 16)$, then (X.6.2c) combined with the reasonable conjecture that is finite tells us that $E_{p}(\mathbb{Q})\mathop{\cong}\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}$. In the remaining case, namely $p \equiv 1\ (\text{ mod}\ 8)$, there are two possibilities. First, $E_{p}(\mathbb{Q})$ might have rank 2. This can certainly occur. For example, the curves

$$\displaystyle{y^{2} = x^{3} + 73x\qquad \text{and}\qquad y^{2} = x^{3} + 89x}$$

both have rank 2, independent points being given by

$$\displaystyle{\left ( \frac{9} {16}, \frac{411} {64} \right ),(36,222) \in E_{73}(\mathbb{Q})\quad \text{and}\quad \left (\frac{25} {16}, \frac{765} {64} \right ),\left (\frac{4} {9}, \frac{170} {27} \right ) \in E_{89}(\mathbb{Q}).}$$

Second, $E_{p}(\mathbb{Q})$ might have rank 0, in which case . (Note that $\mathop{\mathrm{rank}}\nolimits E_{p}(\mathbb{Q}) = 1$ is precluded if we assume that is finite.) The next proposition gives a fairly general condition under which the second possibility holds. It also provides our first examples of homogeneous spaces that are everywhere locally trivial, but have no global rational points.

Proposition 6.5.

Let $p \equiv 1\ (\text{ mod}\ 8)$ be a prime for which 2 is not a quartic residue.

(a)
The curves
$$\displaystyle{w^{2} + 1 = 4pz^{4},\qquad w^{2} + 2 = 2pz^{4},\qquad w^{2} + 2pz^{4} = 2,}$$
have points defined over every completion of $\mathbb{Q}$ , but they have no $\mathbb{Q}$ -rational points.
(b)
The elliptic curve
$$\displaystyle{E_{p} : y^{2} = x^{3} + px}$$
satisfies

Remark 6.5.1.

Any prime $p \equiv 1\ (\text{ mod}\ 8)$ can be written as p = A ² + B ² with $A,B \in \mathbb{Z}$ satisfying $AB \equiv 0\ (\text{ mod}\ 4)$. A theorem of Gauss, which we prove later in this section (X.6.6), says that 2 is a quartic residue modulo p if and only if $AB \equiv 0\ (\text{ mod}\ 8)$. Thus, for example, 2 is a quartic nonresidue for the primes

$$\displaystyle{17 = 1^{2} + 4^{2},\quad 41 = 5^{2} + 4^{2},\quad 97 = 9^{2} + 4^{2},\quad \text{and}\quad 193 = 7^{2} + 12^{2},}$$

so these primes satisfy the conclusion of (X.6.5).

Proof Proof of (X.6.5).

During the course of proving (X.6.2b), we showed that the Selmer group $S^{(p)}(E_{p}/\mathbb{Q}) \subset \mathbb{Q}^{{\ast}}/(\mathbb{Q}^{{\ast}})^{2}$ is given by { ± 1, ±2, ±p, ±2p}. Further, we showed that − p is the image of the 2-torsion point $(0,0) \in E_{p}(\mathbb{Q})$. Thus in order to show that has order 4, it suffices to prove that the homogeneous spaces C ₋₁, C ₂, and C ₋₂ have no $\mathbb{Q}$-rational points. These are the three curves listed in (a), and so, once we prove that they have no $\mathbb{Q}$-rational points, all of (X.6.5) will follow from (X.6.2). Our proof is based on ideas of Lind and Mordell [150, 41]; see also [207, 184, 20].

$$\displaystyle{\fbox{ $\text{Case I.}$}C_{\pm 2} : w^{2} = 2 - 2pz^{4}.}$$

Suppose that $(z,w) \in C_{\pm 2}(\mathbb{Q})$. Writing z and w in lowest terms, we see that they necessarily have the form (z, w) = (r∕t, 2s∕t ²), where $r,s,t \in \mathbb{Z}$ satisfy

$$\displaystyle{\pm 2s^{2} = t^{4} - pr^{4}\qquad \text{and}\qquad \gcd (r,s,t) = 1.}$$

We write (a | b) for the Legendre symbol. Let q be an odd prime dividing s. Then (p | q) = 1, so (q | p) = 1 by quadratic reciprocity. Since also (2 | p) = 1, we see that (s | p) = 1, so (s ² | p)₄ = 1, i.e., s ² is a quartic residue modulo p. Now the equation implies that (±2 | p)₄ = 1. But − 1 is always a quartic residue for primes $p \equiv 1\ (\text{ mod}\ 8)$, while by assumption 2 is a quartic nonresidue modulo p. This contradiction proves that $C_{\pm 2}(\mathbb{Q}) =\emptyset$.

$$\displaystyle{\fbox{ $\text{Case II.}$}C_{-1} : -w^{2} = 1 - 4pz^{4}.}$$

Writing $(z,w) \in C_{-1}(\mathbb{Q})$ in (almost) lowest terms as (z, w) = (r∕2t, s∕2t ²), we have

$$\displaystyle{s^{2} + 4t^{4} = pr^{4}\qquad \text{with}\qquad \gcd (r,t) = 1.}$$

(We do not preclude the possibility that r is even.) Since $p \equiv 1\ (\text{ mod}\ 4)$, there are integers $A \equiv 1\ (\text{ mod}\ 2)$ and $B \equiv 0\ (\text{ mod}\ 2)$ such that

$$\displaystyle{p = A^{2} + B^{2}.}$$

It is a simple matter to verify the identity

$$\displaystyle{(pr^{2} + 2Bt^{2})^{2} = p(Br^{2} + 2t^{2})^{2} + A^{2}s^{2},}$$

from which we obtain the factorization

$$\displaystyle{(pr^{2} + 2Bt^{2} + As)(pr^{2} + 2Bt^{2} - As) = p(Br^{2} + 2t^{2})^{2}.}$$

It is not difficult to check that $\gcd (pr^{2} + 2Bt^{2} + As,pr^{2} + 2Bt^{2} - As)$ is either a square or twice a square; up to multiplication by 2, it is a square divisor of $\gcd (A,s)^{2}$. Hence the above factorization implies that there are integers u and v satisfying

$$\displaystyle{\left [\begin{array}{c} pr^{2} + 2Bt^{2} \pm As = pu^{2} \\ pr^{2} + 2Bt^{2} \mp As = v^{2} \\ Br^{2} + 2t^{2} = uv\\ \end{array} \right ]\qquad \text{or}\qquad \left [\begin{array}{c} pr^{2} + 2Bt^{2} \pm As = 2pu^{2} \\ pr^{2} + 2Bt^{2} \mp As = 2v^{2} \\ Br^{2} + 2t^{2} = 2uv \end{array} \right ].}$$

Eliminating s from these equations, we obtain two systems of equations:

$$\displaystyle{\fbox{ $\begin{array}{rl} 2pr^{2} + 4Bt^{2} & = pu^{2} + v^{2} \\ Br^{2} + 2t^{2} & = uv\\ \end{array} $}\qquad \fbox{ $\begin{array}{rl} pr^{2} + 2Bt^{2} & = pu^{2} + v^{2} \\ Br^{2} + 2t^{2} & = 2uv\\ \end{array} $}}$$

We prove later (X.6.6) that the assumptions that 2 is a quartic nonresidue modulo p and that $p \equiv 1\ (\text{ mod}\ 8)$ imply that $B \equiv 4\ (\text{ mod}\ 8)$. Reducing each system of equations modulo 8, it is now a simple matter to verify that in both cases, any solution must satisfy $r \equiv t \equiv 0\ (\text{ mod}\ 2)$. This contradicts our initial assumption that $\gcd (r,t) = 1$, which completes the proof that $C_{-1}(\mathbb{Q}) =\emptyset$. □

We close this section with the theorem of Gauss describing the quartic character of 2 that was used in the proof of (X.6.5). The proof that we give is due to Dirichlet [66]; see also [184].

Proposition 6.6.

Let p be a prime satisfying $p \equiv 1\ (\text{ mod}\ 8)$ , and write p as a sum of two squares, p = A ² + B ² . Then

$$\displaystyle{{2\overwithdelims() p}_{\!4} = (-1)^{AB/4}.}$$

In other words, 2 is a quartic residue modulo p if and only if $AB \equiv 0\ (\text{ mod}\ 8)$ .

Proof.

Using the fact that $A^{2} + B^{2} \equiv 0\ (\text{ mod}\ p)$, we compute

$$\displaystyle\begin{array}{rcl} (A + B)^{(p-1)/2}& \equiv & (2AB)^{(p-1)/4}\pmod p {}\\ & \equiv & 2^{(p-1)/4}(-1)^{(p-1)/8}A^{(p-1)/2}\pmod p. {}\\ \end{array}$$

Switching A and B if necessary, we may assume that A is odd, and then the fact that $p \equiv 1\ (\text{ mod}\ 4)$ implies that

$$\displaystyle{{A\overwithdelims() p} ={ p\overwithdelims() A} ={ B^{2}\overwithdelims() A} = 1.}$$

Hence

$$\displaystyle{{A + B\overwithdelims() p} = (-1)^{(p-1)/8}{2\overwithdelims() p}_{\!4}.}$$

Finally, we observe that

$$\displaystyle{{A + B\overwithdelims() p} ={ p\overwithdelims() A + B} ={ 2\overwithdelims() A + B}{ 2p\overwithdelims() A + B} ={ 2\overwithdelims() A + B} = (-1)^{\frac{(A+B)^{2}-1} {8} },}$$

since the identity

$$\displaystyle{2p = (A + B)^{2} + (A - B)^{2}\quad \text{implies that}\quad { 2p\overwithdelims() A + B} = 1.}$$

Substituting this above yields

$$\displaystyle{{2\overwithdelims() p}_{\!4} = (-1)^{\frac{(A+B)^{2}-1} {8} -\frac{p-1} {8} } = (-1)^{\frac{AB} {4} }.}$$

□

Exercises

10.1. Let ϕ : E∕K → E′∕K be an isogeny of degree m of elliptic curves defined over an arbitrary (perfect) field K. Assume that $E[\hat{\phi }] \subset E(K)$. Generalize (X.1.1) as follows:

(a)
Prove that there is a bilinear pairing
$$\displaystyle{b : E'(K)/\phi {\bigl (E(K)\bigr )} \times E'[\hat{\phi }]\longrightarrow K(S,m)}$$
defined by
$$\displaystyle{e_{\phi }{\bigl (\delta _{\phi }(P),T\bigr )} = \delta _{K}{\bigl (b(P,T)\bigr )}.}$$
Here e _ϕ is the generalized Weil pairing (Exercise 3.15) and
$$\displaystyle{\delta _{\phi } : E'(K) \rightarrow H^{1}{\bigl (G_{\bar{ K}/K},E[\phi ]\bigr )}\qquad \text{and}\qquad \delta _{K} : K^{{\ast}}\rightarrow H^{1}(G_{\bar{ K}/K},\boldsymbol{\mu }_{m})}$$
are the usual connecting homomorphisms.
(b)
Prove that the pairing in (a) is nondegenerate on the left.
(c)
For $T \in E[\hat{\phi }]$, let f _T ∈ K(E′) and g _T ∈ K(E) be functions satisfying
$$\displaystyle{\mathop{\mathrm{div}}\nolimits (f_{T}) = m(T) - m(O)\qquad \text{and}\qquad f_{T}\circ \phi = g_{T}^{m}.}$$
Prove that
$$\displaystyle{b(P,T) = f_{T}(P)\bmod (K^{{\ast}})^{m}\qquad \text{for all} P\neq O,T.}$$
(d)
In particular, if $\deg (\phi ) = 2$, so $E'[\hat{\phi }] =\{ O,T\}$, then
$$\displaystyle{b(P,T) = x(P) - x(T)\bmod (K^{{\ast}})^{2}.}$$
We thus recover part of (X.4.9).

10.2. Let K be an arbitrary (perfect) field, let E∕K be an elliptic curve, and let C ₁∕K and C ₂∕K be homogeneous spaces for E∕K.

(a)
Prove that there exist a homogeneous space C ₃∕K for E∕K and a morphism
$$\displaystyle{\phi : C_{1} \times C_{2} \rightarrow C_{3}}$$
defined over K such that for all p ₁ ∈ C ₁, p ₂ ∈ C ₂, and P ₁, P ₂ ∈ E,
$$\displaystyle{\phi (p_{1} + P_{1},p_{2} + P_{2}) =\phi (p_{1},p_{2}) + P_{1} + P_{2}.}$$
(b)
Prove that C ₃ is uniquely determined, up to equivalence of homogeneous spaces, by C ₁ and C ₂.
(c)
Prove that
$$\displaystyle{\{C_{1}\} +\{ C_{2}\} =\{ C_{3}\},}$$
the sum taking place in $\mathop{\mathrm{WC}}\nolimits (E/K)$.

10.3. Let C∕K be a curve of genus one defined over an arbitrary (perfect) field.

(a)
Prove that there exists an elliptic curve E∕K such that C∕K is a homogeneous space for E∕K. (Hint. Use Exercise 3.22 to show that $C/K \in \mathop{\mathrm{Twist}}\nolimits (E/K)$. Then find an element $\{\xi \}\in H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}$ such that C∕K is the homogeneous space for the twist of E by $\xi$.)
(b)
Prove that E is unique up to K-isomorphism.

10.4. Let K be an arbitrary (perfect) field and let E∕K be an elliptic curve.

(a)
Prove that there is a natural action of $\mathop{\mathrm{Aut}}\nolimits _{K}(E)$ on $\mathop{\mathrm{WC}}\nolimits (E/K)$ defined by letting an automorphism $\alpha \in \mathop{\mathrm{Aut}}\nolimits _{K}(E)$ act on $\{C/K,\mu \}\in \mathop{\mathrm{WC}}\nolimits (E/K)$ via
$$\displaystyle{\{C/K,\mu \}^{\alpha } ={\bigl \{ C/K,\mu \circ (1\times \alpha )\bigr \}}.}$$
In other words, take the same curve, but define a new action of E on C by the rule
$$\displaystyle{\mu ^{\alpha }(p,P) =\mu (p,\alpha P).}$$
(b)
Conversely, if {C∕K, μ} and {C∕K, μ′} are elements of $\mathop{\mathrm{WC}}\nolimits (E/K)$, prove that there exists an $\alpha \in \mathop{\mathrm{Aut}}\nolimits _{K}(E)$ such that μ′ = μ ∘ (1 ×α).
(c)
Conclude that for a given curve C∕K of genus one, there are only finitely many inequivalent ways to make C∕K into a homogeneous space. In particular, if C satisfies j(C) ≠ 0, 1728, then there are at most two. (See also Exercise B.5.)

10.5. Let ϕ : E∕K → E′∕K be a separable isogeny of elliptic curves defined over an arbitrary (perfect) field K, and let C∕K be a homogeneous space for E∕K. The finite group E[ϕ] acts on C, and we let C′ = C∕E[ϕ] be the quotient curve (cf. Exercise 3.13).

(a)
Prove that C′ is a curve of genus one defined over K.
(b)
Prove that C′∕K is a homogeneous space for E′∕K and that the natural map
$$\displaystyle{\phi :\mathop{ \mathrm{WC}}\nolimits (E/K) \rightarrow \mathop{\mathrm{WC}}\nolimits (E'/K)}$$
sends {C∕K} to {C′∕K}.
(c)
In particular, if $\{C/K\} \in \mathop{\mathrm{WC}}\nolimits (E/K)[\phi ]$, then C′ is isomorphic to E′ over K. Prove that this isomorphism can be chosen so that the natural projection $C \rightarrow C/E[\phi ]\mathop{\cong}E'$ is the map $\phi \circ \theta$ defined in (X.4.6a).

10.6. WC Over Finite Fields. Let $\mathbb{F}_{q}$ be a finite field with q elements, let $C/\mathbb{F}_{q}$ be a curve of genus one, and pick any point of $C(\bar{\mathbb{F}}_{q})$ as origin to make C into an elliptic curve. Let ϕ : C → C be the q ^th-power Frobenius map on C.

(a)
Prove that there are an endomorphism $f \in \mathop{\mathrm{End}}\nolimits (C)$ and a point $P_{0} \in C(\bar{\mathbb{F}}_{q})$ satisfying ϕ(P) = f(P) + P ₀.
(b)
Prove that f is inseparable, and conclude that there exists a point $P_{1} \in C(\bar{\mathbb{F}}_{q})$ satisfying (1 − f)(P ₁) = P ₀.
(c)
Prove that ϕ(P ₁) = P ₁, and hence that $P_{1} \in C(\mathbb{F}_{q})$.
(d)
Let $E/\mathbb{F}_{q}$ be an elliptic curve. Prove that $\mathop{\mathrm{WC}}\nolimits (E/\mathbb{F}_{q}) = 0$.

10.7. WC Over $\mathbb{R}$. Let $E/\mathbb{R}$ be an elliptic curve.

(a)
Prove that
$$\displaystyle{\mathop{\mathrm{WC}}\nolimits (E/\mathbb{R}) = \left \{\begin{array}{@{}l@{\quad }l@{}} \mathbb{Z}/2\mathbb{Z}\quad &\mbox{ if $\varDelta (E/\mathbb{R}) > 0$,}\\ 0 \quad &\mbox{ if $\varDelta (E/\mathbb{R}) < 0$.} \\ \quad \end{array} \right .}$$
(b)
Assuming that $\varDelta (E/\mathbb{R}) > 0$, find an equation for a homogeneous space representing the nontrivial element of $\mathop{\mathrm{WC}}\nolimits (E/\mathbb{R})$ in terms of a given Weierstrass equation for $E/\mathbb{R}$.

10.8. Let E∕K be an elliptic curve, let m ≥ 2 be an integer, and assume that $E[m] \subset E(K)$. Let v ∈ M _K ⁰ be a prime not dividing m. Prove that the restriction map

$$\displaystyle{\mathop{\mathrm{WC}}\nolimits (E/K)[m]\longrightarrow \mathop{ \mathrm{WC}}\nolimits (E/K_{v})[m]}$$

is surjective. (Hint. Show that the map on the $H^{1}{\bigl (\,\cdot \,,E[m]\bigr )}$ groups is surjective.)

10.9. Let E∕K be an elliptic curve, let T ∈ E[m], and suppose that the field L = K(T) has maximal degree, namely [L : K] = m ² − 1. (Note that L∕K is generally not a Galois extension.) Let e _m denote the Weil pairing and consider the chain of maps

$$\displaystyle{\begin{array}{*9{@{}c@{}}} \alpha : E(K)&\!\mathop{\longrightarrow}\limits_{}^{\delta }\!&H^{1}{\bigl (G_{\bar{K}/K},E[m]\bigr )}&\!\mathop{\longrightarrow}\limits_{}^{\mathop{ \mathrm{res}}\nolimits }\!&H^{1}{\bigl (G_{\bar{K}/L},E[m]\bigr )}&\! \rightarrow \!&H^{1}(G_{\bar{K}/L},\boldsymbol{\mu }_{m})&\mathop{\cong}&L^{{\ast}}/(L^{{\ast}})^{m}\!, \\ && & & \xi _{\sigma }& \mapsto & e_{m}(\xi _{\sigma },T). \\ \end{array} }$$

(a)
Let f _T ∈ L(E) be as in (X.1.1d), i.e.,
$$\displaystyle{\mathop{\mathrm{div}}\nolimits (f_{T}) = m(T) - m(O)\qquad \text{and}\qquad f_{T} \circ [m] \in {\bigl ( L(E)^{{\ast}}\bigr )}^{m}.}$$
Prove that
$$\displaystyle{\alpha (P) = f_{T}(P)\bmod (L^{{\ast}})^{m}.}$$
(b)
Prove that for all P ∈ E(K),
$$\displaystyle{\mathop{\mathrm{N}}\nolimits _{L/K}{\bigl (\alpha (P)\bigr )} \in (K^{{\ast}})^{m}.}$$
(c)
Let $S \subset M_{L}$ be the set of places of L containing all archimedean places, all places dividing m, and all places at which E∕L has bad reduction. Show that if P ∈ E(K) and v ∈ M _L with v ∉ S, then
$$\displaystyle{\mathop{\mathrm{ord}}\nolimits _{v}{\bigl (\alpha (P)\bigr )} \equiv 0\pmod m.}$$
(d)
For m = 2, prove that the kernel of α is exactly 2E(K). Hence in this case there is an injective homomorphism from E(K)∕2E(K) into the group
$$\displaystyle{{\bigl \{a \in L^{{\ast}}/(L^{{\ast}})^{2} : \mbox{ $\mathop{\mathrm{N}}\nolimits _{ L/K}(a) \in (K^{{\ast}})^{2}$ and $\mathop{\mathrm{ord}}\nolimits _{v}(a) \equiv 0(\text{ mod}2)$ for all $v\notin S$}\bigr \}}}$$
given by the map
$$\displaystyle{P\longmapsto x(P) - x(T).}$$
This map may often be used to compute E(K)∕2E(K). (Hint. Expand the quantity x(P) − x(T) = r + sx(T) + tx(T)² and use the resulting relations on r, s, t ∈ K to show that P is in 2E(K).)
(e)
Use (d) to compute $E(\mathbb{Q})/2E(\mathbb{Q})$ for the curve
$$\displaystyle{E : y^{2} + y = x^{3} - x.}$$
(Hint. Let $K/\mathbb{Q}$ be the totally real cubic field generated by a root of the polynomial 4x ³ − 4x + 1. Start by showing that K has class number one and that every totally positive unit in K is a square.)

10.10. Let C∕K be a curve of genus one, and suppose that C(K _v) ≠ ∅ for all v ∈ M _K. Prove that the map

$$\displaystyle{\mathop{\mathrm{Div}}\nolimits _{K}(C)\longrightarrow \mathop{ \mathrm{Pic}}\nolimits _{K}(C)}$$

is surjective. (Hint. Take Galois cohomology of the exact sequence

$$\displaystyle{1\longrightarrow \bar{K}^{{\ast}}\longrightarrow \bar{K}(C)^{{\ast}}\longrightarrow \mathop{\mathrm{Div}}\nolimits (C)\longrightarrow \mathop{ \mathrm{Pic}}\nolimits (C)\longrightarrow 0.}$$

Use Noether’s generalization of Hilbert’s Theorem 90,

$$\displaystyle{H^{1}{\bigl (G_{\bar{ K}/K},\bar{K}(C)^{{\ast}}\bigr )} = 0,}$$

and the (cohomological version) of the Brauer–Hasse–Noether theorem [288, §9.6], which says that an element of $H^{2}(G_{\bar{K}/K},\bar{K}^{{\ast}})$ is trivial if and only if it is trivial in $H^{2}(G_{\bar{K}_{v}/K_{v}},\bar{K}_{v}^{{\ast}})$ for every v ∈ M _K.)

10.11. Index and Period in WC. Let K be an arbitrary (perfect) field, let E∕K be an elliptic curve, and let C∕K be a homogeneous space for E∕K. The period of C∕K is defined to be the exact order of {C∕K} in $\mathop{\mathrm{WC}}\nolimits (E/K)$, and the index of C∕K is the smallest degree of an extension L∕K such that C(L) ≠ ∅. So for example, (X.3.3) says that the period is equal to 1 if and only if the index is equal to 1.

(a)
Prove that the period may also be characterized as the smallest integer m ≥ 1 such that there exists a point p ∈ C satisfying
$$\displaystyle{p^{\sigma } - p \in E[m]\qquad \mbox{ for every $\sigma \in G_{\bar{K}/K}$.}}$$
(b)
Prove that the index may also be characterized as the smallest degree among the positive divisors in $\mathop{\mathrm{Div}}\nolimits _{K}(C)$.
(c)
Prove that the period divides the index.
(d)
Prove that the period and the index are divisible by the same set of primes.
(e)
* Give an example with $K = \mathbb{Q}$ showing that the period may be strictly smaller than the index.
(f)
Prove that if K is a number field and if C∕K represents an element of , then the period and the index are equal. (Hint. Use (a), (b), (c), and Exercise 10.10.)
(g)
* Let $K/\mathbb{Q}_{p}$ be a finite extension. Prove that the period and the index are equal.

10.12. Hensel’s Lemma. The following version of Hensel’s lemma is often useful for proving that a homogeneous space is locally trivial. Let R be a ring that is complete with respect to a discrete valuation v.

(a)
Let f(T) ∈ R[T] be a polynomial and a ₀ ∈ R a value satisfying
$$\displaystyle{v{\bigl (f(a_{0})\bigr )} > 2v{\bigl (f'(a_{0})\bigr )}.}$$

Define a sequence of elements a _n ∈ R recursively by
$$\displaystyle{a_{n+1} = a_{n} -\frac{f(a_{n})} {f'(a_{n})}\qquad \mbox{ for $n = 1, 2,\ldots \,$.}}$$
Prove that a _n converges to an element a ∈ R satisfying
$$\displaystyle{f(a) = 0\qquad \text{and}\qquad v(a - a_{0}) \geq v\left ( \frac{f(a_{0})} {f'(a_{0})^{2}}\right ) > 0.}$$
(b)
More generally, let F(X ₁, …, X _N) ∈ R[X ₁, …, X _N], and suppose that there are an index 1 ≤ i ≤ N and a point (a ₁, …, a _N) ∈ R ^N satisfying
$$\displaystyle{v{\bigl (F(a_{1},\ldots ,a_{N})\bigr )} > 2v\left ( \frac{\partial F} {\partial X_{i}}(a_{1},\ldots ,a_{N})\right ).}$$
Prove that F has a root in R ^N.
(c)
Show that the curve
$$\displaystyle{3X^{3} + 4Y ^{3} + 5Z^{3} = 0}$$
in $\mathbb{P}^{2}$ has a point defined over $\mathbb{Q}_{p}$ for every prime p.

10.13. Use (X.1.4) to compute $E(\mathbb{Q})/2E(\mathbb{Q})$ for each of the following elliptic curves.

(a)
E : y ² = x(x − 1)(x + 3).
(b)
E : y ² = x(x − 12)(x − 36).

10.14. Use (X.4.9) to compute $E(\mathbb{Q})/2E(\mathbb{Q})$ for each of the following elliptic curves.

(a)
E : y ² = x ³ + 6x ² + x.
(b)
E : y ² = x ³ + 14x ² + x.
(c)
E : y ² = x ³ + 9x ² − x.

10.15. Let E∕K be an elliptic curve, let $\xi \in H^{1}{\bigl (G_{\bar{K}/K},\mathop{\mathrm{Aut}}\nolimits (E)\bigr )}$, and let $E_{\xi }$ be the twist of E corresponding to $\xi$. Let v ∈ M _K be a finite place at which E has good reduction. Prove that $E_{\xi }$ has good reduction at v if and only if $\xi$ is unramified at v. (See (VIII §2) for the definition of an unramified cocycle. Hint. If the residue characteristic is not 2 or 3, you can use explicit Weierstrass equations. In general, use the criterion of Néron–Ogg–Shafarevich (VII.7.1).)

10.16. Let E∕K be an elliptic curve, let D ∈ K ^∗ be such that $L = K(\sqrt{D}\,)$ is a quadratic extension, and let E _D∕K be the twist of E∕K given by (X.5.4). Prove that

$$\displaystyle{\mathop{\mathrm{rank}}\nolimits E(L) =\mathop{ \mathrm{rank}}\nolimits E(K) +\mathop{ \mathrm{rank}}\nolimits E_{D}(K).}$$

10.17. Let $p \equiv 3\ (\text{ mod}\ 4)$ be a prime and let $D \in \mathbb{F}_{p}^{{\ast}}$.

(a)
Show directly that the equation
$$\displaystyle{C : v^{2} = u^{4} - 4D}$$
has p − 1 solutions $(u,v) \in \mathbb{F}_{p} \times \mathbb{F}_{p}$. (Hint. Since $p \equiv 3\ (\text{ mod}\ 4)$, the map u ² ↦ u ⁴ is an automorphism of $(\mathbb{F}_{p}^{{\ast}})^{2}$.)
(b)
Let $E/\mathbb{F}_{p}$ be the elliptic curve
$$\displaystyle{E : y^{2} = x^{3} + Dx.}$$
Use the map
$$\displaystyle{\phi : C\longrightarrow E,\qquad \phi (u,v) = \left (\frac{u^{2} + v} {2} , \frac{u(u^{2} + v)} {2} \right ),}$$
to prove that
$$\displaystyle{\#E(\mathbb{F}_{p}) = p + 1.}$$

10.18. Let p be an odd prime. Do a computation analogous to (X.6.2) to determine the Selmer groups and a bound for the ranks of the following families of elliptic curves $E/\mathbb{Q}$.

(a)
E : y ² = x ³ − 2px. (The curve with p = 41 has rank 3.)
(b)
E : y ² = x ³ + p ² x.

10.19. Let $E/\mathbb{Q}$ be an elliptic curve with j(E) = 0.

(a)
Prove that there is a unique sixth-power-free integer D such that E is given by the Weierstrass equation
$$\displaystyle{E : y^{2} = x^{3} + D.}$$
(b)
Let $p \equiv 2\ (\text{ mod}\ 3)$ be a prime not dividing 6D. Prove that
$$\displaystyle{\#E(\mathbb{F}_{p}) = p + 1.}$$
(c)
Prove that $\#E(\mathbb{Q})_{\text{tors}}$ divides 6.
(d)
More precisely, prove that the following list gives a complete description of $E_{\text{tors}}(\mathbb{Q})$:
$$\displaystyle{E_{\text{tors}}(\mathbb{Q})\mathop{\cong}\left \{\begin{array}{@{}l@{\quad }l@{}} \mathbb{Z}/6\mathbb{Z}\quad &\mbox{ if $D = 1$,} \\ \mathbb{Z}/3\mathbb{Z}\quad &\mbox{ if $D\neq 1$ is a square, or if $D = -432$,} \\ \mathbb{Z}/2\mathbb{Z}\quad &\mbox{ if $D\neq 1$ is a cube,} \\ 1 \quad &\text{otherwise.}\\ \quad \end{array} \right .}$$

10.20. Let A be a finite abelian group, and suppose that there exists a bilinear, alternating, nondegenerate pairing

$$\displaystyle{\varGamma : A \times A\longrightarrow \mathbb{Q}/\mathbb{Z}.}$$

Prove that # A is a perfect square.

10.21. Let E∕K be an elliptic curve defined over a field of characteristic not equal to 2 or 3, fix a Weierstrass equation for E∕K, and let c ₄ and c ₆ be the usual quantities (III §1) associated to the equation. Assuming that j(E) ≠ 0, 1728, we define

$$\displaystyle{\gamma (E/K) = -c_{4}/c_{6} \in K^{{\ast}}/(K^{{\ast}})^{2}.}$$

(a)
Prove that γ(E∕K) is well-defined as an element of K ^∗∕(K ^∗)², independent of the choice of Weierstrass equation for E∕K.
(b)
Let E′∕K be another elliptic curve with j(E′) ≠ 0, 1728. Prove that E and E′ are isomorphic over K if and only if j(E) = j(E′) and γ(E∕K) = γ(E′∕K).
(c)
If j(E) = j(E′) ≠ 0, 1728, prove that E and E′ are isomorphic over the field
$$\displaystyle{K\left (\sqrt{\frac{\gamma (E/K)} {\gamma (E'/K)}}\right ).}$$

10.22. Let E∕K be an elliptic curve over an arbitrary (perfect) field, let L∕K be a finite Galois extension, and define a trace map

$$\displaystyle{T_{L/K} : E(L)\longrightarrow E(K),\qquad P\longmapsto \sum _{\sigma \in G_{L/K}}P^{\sigma }.}$$

(a)
Prove that T _L∕K is a homomorphism.
(b)
If K is a finite field, prove that T _L∕K : E(L) → E(K) is surjective.
(c)
Assume that [L : K] = 2 and that $\mathop{\mathrm{char}}\nolimits (K)\neq 2$, and write $L = K(\sqrt{D}\,)$. Fix a Weierstrass equation for E∕K of the form
$$\displaystyle{E : y^{2} = x^{3} + ax^{2} + bx + c,}$$
and let E _D be the quadratic twist of E given by the equation (cf. (X.5.4))
$$\displaystyle{E_{D} : y^{2} = x^{3} + Dax^{2} + D^{2}bx + D^{3}c.}$$
1. (i)
  Prove that the kernel of T _L∕K : E(L) → E(K) is isomorphic to E _D(K).
2. (ii)
  Prove that the image of T _L∕K : E(L) → E(K) contains 2E(K).
3. (iii)
  Deduce that there are an exact sequence
  
  and a surjective homomorphism $E(K)/2E(K) \twoheadrightarrow V$.
4. (iv)
  Suppose further that K is a number field. Re-prove Exercise 10.16, i.e.,
  $$\displaystyle{\mathop{\mathrm{rank}}\nolimits E(L) =\mathop{ \mathrm{rank}}\nolimits E(K) +\mathop{ \mathrm{rank}}\nolimits E_{D}(K).}$$

10.23. Let $a \equiv 1\ (\text{ mod}\ 4)$ be an integer with the property that p = a ² + 64 is prime. (It is conjectured, but not known, that there exist infinitely many such primes.) Let $E_{a}/\mathbb{Q}$ be the elliptic curve

$$\displaystyle{E_{a} : y^{2} = x^{3} + ax^{2} - 16x.}$$

These are known as Neumann–Setzer curves.

(a)
Prove that $\mathcal{D}_{E_{a}/\mathbb{Q}} = (p)$. More precisely, prove that E _a has split multiplicative reduction at p and good reduction at all other primes. (N.B. The given Weierstrass equation is not minimal.)
(b)
Perform a two-descent (X.4.9) and prove that
(c)
* Let $E/\mathbb{Q}$ be an elliptic curve with the following two properties: (i) $E(\mathbb{Q})$ contains a 2-torsion point. (ii) E has multiplicative reduction at a single prime p > 17 and good reduction at all other primes. Prove that p has the form p = a ² + 64 and that E is either isomorphic or 2-isogenous to the curve E _a.

10.24. Let E∕K be an elliptic curve and let m ≥ 1. This exercise describes the Tate pairing

$$\displaystyle{\langle \,\cdot \,,\,\cdot \,\rangle _{\text{Tate}} : E(K)/mE(K) \times \mathop{\mathrm{WC}}\nolimits (E/K)[m]\longrightarrow \mathop{ \mathrm{Br}}\nolimits (K),}$$

where $\mathop{\mathrm{Br}}\nolimits (K) = H^{2}(G_{\bar{K}/K},\bar{K}^{{\ast}})$ is the Brauer group of K. (This exercise assumes that the reader is familiar with higher cohomology groups; see for example [9, 233].)

Let P ∈ E(K)∕mE(K) and let $C \in \mathop{\mathrm{WC}}\nolimits (E/K)[m]$. We use the Kummer sequence (VIII §2)

$$\displaystyle{0\longrightarrow E(K)/mE(K)\mathop{\longrightarrow}\limits_{}^{\;\;\delta \;\;}H^{1}{\bigl (G_{\bar{ K}/K},E[m]\bigr )}\mathop{\longrightarrow}\limits_{}^{\;\;\epsilon \;\;}\mathop{ \mathrm{WC}}\nolimits (E/K)[m]\longrightarrow 0}$$

to push forward the point P by δ and to pull back the homogeneous space C by ε to obtain 1-cocycles

$$\displaystyle{\delta _{P} : G_{\bar{K}/K}\longrightarrow E[m]\qquad \text{and}\qquad \xi _{C} : G_{\bar{K}/K}\longrightarrow E[m].}$$

We use δ _P and ξ _C to define a map

$$\displaystyle{\lambda _{P,C} : G_{\bar{K}/K} \times G_{\bar{K}/K}\longrightarrow \boldsymbol{\mu }_{m},\qquad \lambda _{P,C}(\sigma ,\tau ) = e_{m}{\bigl (\delta _{P}(\sigma ),\xi _{C}(\tau )\bigr )},}$$

where e _m is the Weil pairing.

(a)
Prove that the map λ _P, C is a 2-cocycle.
(b)
Prove that changing either δ _P or ξ _C by a 1-coboundary has the effect of changing λ _P, C by a 2-coboundary.
(c)
Prove that pulling back C to some other element ξ′_C changes λ _P, C by a 2-coboundary.
(d)
Conclude that
$$\displaystyle{\langle P,\xi \rangle _{\text{Tate}} = \mbox{ cohomology class of $\lambda _{P,C}$}}$$
gives a well-defined pairing
$$\displaystyle{\langle \,\cdot \,,\,\cdot \,\rangle _{\text{Tate}} : E(K)/mE(K) \times \mathop{\mathrm{WC}}\nolimits (E/K)[m]\longrightarrow \mathop{ \mathrm{Br}}\nolimits (K).}$$
(e)
Prove that the pairing in (d) is bilinear.
(f)
* Let K∕ℚ _p be a finite extension. A basic result in local class field theory says that Br(K)≅ℚ∕ℤ; see [233, XII §3, Theorem 2]. Prove in this case that the Tate pairing is nondegenerate.

References

M. Abdalla, M. Bellare, and P. Rogaway. The oracle Diffie-Hellman assumptions and an analysis of DHIES. In Topics in cryptology—CT-RSA 2001 (San Francisco, CA), volume 2020 of Lecture Notes in Comput. Sci., pages 143–158. Springer, Berlin, 2001.
Google Scholar
D. Abramovich. Formal finiteness and the torsion conjecture on elliptic curves. A footnote to a paper: “Rational torsion of prime order in elliptic curves over number fields” [Astérisque No. 228 (1995), 3, 81–100] by S. Kamienny and B. Mazur. Astérisque, (228):3, 5–17, 1995. Columbia University Number Theory Seminar (New York, 1992).
Google Scholar
L. V. Ahlfors. Complex analysis. McGraw-Hill Book Co., New York, third edition, 1978. An introduction to the theory of analytic functions of one complex variable, International Series in Pure and Applied Mathematics.
Google Scholar
T. M. Apostol. Introduction to analytic number theory. Springer-Verlag, New York, 1976. Undergraduate Texts in Mathematics.
Google Scholar
T. M. Apostol. Modular functions and Dirichlet series in number theory, volume 41 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1990.
Google Scholar
N. Arthaud. On Birch and Swinnerton-Dyer’s conjecture for elliptic curves with complex multiplication. I. Compositio Math., 37(2):209–232, 1978.
Google Scholar
E. Artin. Galois theory. Dover Publications Inc., Mineola, NY, second edition, 1998. Edited and with a supplemental chapter by Arthur N. Milgram.
Google Scholar
M. F. Atiyah and I. G. Macdonald. Introduction to commutative algebra. Addison-Wesley Publishing Co., Reading, Mass.–London–Don Mills, Ont., 1969.
Google Scholar
M. F. Atiyah and C. T. C. Wall. Cohomology of groups. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 94–115. Thompson, Washington, D.C., 1967.
Google Scholar
A. O. L. Atkin and F. Morain. Elliptic curves and primality proving. Math. Comp., 61(203):29–68, 1993.
Article MathSciNet MATH Google Scholar
A. Baker. Transcendental number theory. Cambridge Mathematical Library. Cambridge University Press, Cambridge, second edition, 1990.
MATH Google Scholar
A. Baker and J. Coates. Integer points on curves of genus 1. Proc. Cambridge Philos. Soc., 67:595–602, 1970.
Article MathSciNet MATH Google Scholar
R. Balasubramanian and N. Koblitz. The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm. J. Cryptology, 11(2):141–145, 1998.
Article MathSciNet MATH Google Scholar
A. F. Beardon. Iteration of Rational Functions, volume 132 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1991. Complex analytic dynamical systems.
Google Scholar
E. Bekyel. The density of elliptic curves having a global minimal Weierstrass equation. J. Number Theory, 109(1):41–58, 2004.
Article MathSciNet MATH Google Scholar
D. Bernstein and T. Lange. Faster addition and doubling on elliptic curves. In Advances in cryptology—ASIACRYPT 2007, volume 4833 of Lecture Notes in Comput. Sci., pages 29–50. Springer, Berlin, 2007.
Google Scholar
B. J. Birch. Cyclotomic fields and Kummer extensions. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 85–93. Thompson, Washington, D.C., 1967.
Google Scholar
B. J. Birch. How the number of points of an elliptic curve over a fixed prime field varies. J. London Math. Soc., 43:57–60, 1968.
Article MathSciNet MATH Google Scholar
B. J. Birch and W. Kuyk, editors. Modular functions of one variable. IV. Springer-Verlag, Berlin, 1975. Lecture Notes in Mathematics, Vol. 476.
Google Scholar
B. J. Birch and H. P. F. Swinnerton-Dyer. Notes on elliptic curves. I. J. Reine Angew. Math., 212:7–25, 1963.
Google Scholar
B. J. Birch and H. P. F. Swinnerton-Dyer. Elliptic curves and modular functions. In Modular functions of one variable, IV (Proc. Internat. Summer School, Univ. Antwerp, Antwerp, 1972), pages 2–32. Lecture Notes in Math., Vol. 476. Springer, Berlin, 1975.
Google Scholar
I. F. Blake, G. Seroussi, and N. P. Smart. Elliptic curves in cryptography, volume 265 of London Mathematical Society Lecture Note Series. Cambridge University Press, Cambridge, 2000. Reprint of the 1999 original.
Google Scholar
D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Advances in Cryptology—CRYPTO 2001 (Santa Barbara, CA), volume 2139 of Lecture Notes in Comput. Sci., pages 213–229. Springer, Berlin, 2001.
Google Scholar
D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In Advances in cryptology—ASIACRYPT 2001 (Gold Coast), volume 2248 of Lecture Notes in Comput. Sci., pages 514–532. Springer, Berlin, 2001.
Google Scholar
A. I. Borevich and I. R. Shafarevich. Number theory. Translated from the Russian by Newcomb Greenleaf. Pure and Applied Mathematics, Vol. 20. Academic Press, New York, 1966.
Google Scholar
A. Bremner. On the equation Y ² = X(X ² + p). In Number theory and applications (Banff, AB, 1988), volume 265 of NATO Adv. Sci. Inst. Ser. C Math. Phys. Sci., pages 3–22. Kluwer Acad. Publ., Dordrecht, 1989.
Google Scholar
A. Bremner and J. W. S. Cassels. On the equation Y ² = X(X ² + p). Math. Comp., 42(165):257–264, 1984.
Google Scholar
C. Breuil, B. Conrad, F. Diamond, and R. Taylor. On the modularity of elliptic curves over Q: wild 3-adic exercises. J. Amer. Math. Soc., 14(4):843–939 (electronic), 2001.
Google Scholar
F. Brezing and A. Weng. Elliptic curves suitable for pairing based cryptography. Des. Codes Cryptogr., 37(1):133–141, 2005.
Article MathSciNet MATH Google Scholar
M. L. Brown. Note on supersingular primes of elliptic curves over Q. Bull. London Math. Soc., 20(4):293–296, 1988.
Article MathSciNet MATH Google Scholar
W. D. Brownawell and D. W. Masser. Vanishing sums in function fields. Math. Proc. Cambridge Philos. Soc., 100(3):427–434, 1986.
Article MathSciNet MATH Google Scholar
Y. Bugeaud. Bounds for the solutions of superelliptic equations. Compositio Math., 107(2):187–219, 1997.
Article MathSciNet MATH Google Scholar
J. P. Buhler, B. H. Gross, and D. B. Zagier. On the conjecture of Birch and Swinnerton-Dyer for an elliptic curve of rank 3. Math. Comp., 44(170):473–481, 1985.
MathSciNet MATH Google Scholar
E. R. Canfield, P. Erdős, and C. Pomerance. On a problem of Oppenheim concerning “factorisatio numerorum.” J. Number Theory, 17(1):1–28, 1983.
Article MathSciNet MATH Google Scholar
H. Carayol. Sur les représentations galoisiennes modulo l attachées aux formes modulaires. Duke Math. J., 59(3):785–801, 1989.
Article MathSciNet MATH Google Scholar
J. W. S. Cassels. A note on the division values of ℘(u). Proc. Cambridge Philos. Soc., 45:167–172, 1949.
Article MathSciNet MATH Google Scholar
J. W. S. Cassels. Arithmetic on curves of genus 1. III. The Tate-Šafarevič and Selmer groups. Proc. London Math. Soc. (3), 12:259–296, 1962.
Google Scholar
J. W. S. Cassels. Arithmetic on curves of genus 1. IV. Proof of the Hauptvermutung. J. Reine Angew. Math., 211:95–112, 1962.
Google Scholar
J. W. S. Cassels. Arithmetic on curves of genus 1. V. Two counterexamples. J. London Math. Soc., 38:244–248, 1963.
Google Scholar
J. W. S. Cassels. Arithmetic on curves of genus 1. VIII. On conjectures of Birch and Swinnerton-Dyer. J. Reine Angew. Math., 217:180–199, 1965.
Google Scholar
J. W. S. Cassels. Diophantine equations with special reference to elliptic curves. J. London Math. Soc., 41:193–291, 1966.
Article MathSciNet MATH Google Scholar
J. W. S. Cassels. Global fields. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 42–84. Thompson, Washington, D.C., 1967.
Google Scholar
J. W. S. Cassels. Lectures on elliptic curves, volume 24 of London Mathematical Society Student Texts. Cambridge University Press, Cambridge, 1991.
Google Scholar
T. Chinburg. An introduction to Arakelov intersection theory. In Arithmetic geometry (Storrs, Conn., 1984), pages 289–307. Springer, New York, 1986.
Google Scholar
D. V. Chudnovsky and G. V. Chudnovsky. Padé approximations and Diophantine geometry. Proc. Nat. Acad. Sci. U.S.A., 82(8):2212–2216, 1985.
Article MathSciNet MATH Google Scholar
C. H. Clemens. A scrapbook of complex curve theory, volume 55 of Graduate Studies in Mathematics. American Mathematical Society, Providence, RI, second edition, 2003.
Google Scholar
L. Clozel, M. Harris, and R. Taylor. Automorphy for some l-adic lifts of automorphic mod l representations. 2007. IHES Publ. Math., submitted.
Google Scholar
J. Coates. Construction of rational functions on a curve. Proc. Cambridge Philos. Soc., 68:105–123, 1970.
Article MathSciNet MATH Google Scholar
J. Coates and A. Wiles. On the conjecture of Birch and Swinnerton-Dyer. Invent. Math., 39(3):223–251, 1977.
Article MathSciNet MATH Google Scholar
H. Cohen. A Course in Computational Algebraic Number Theory, volume 138 of Graduate Texts in Mathematics. Springer-Verlag, Berlin, 1993.
Google Scholar
H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren, editors. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and Its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, 2006.
Google Scholar
D. A. Cox. The arithmetic-geometric mean of Gauss. Enseign. Math. (2), 30(3-4):275–330, 1984.
MathSciNet MATH Google Scholar
J. Cremona. Elliptic Curve Data. http://sage.math.washington. edu/cremona/index.html , http://www.math.utexas.edu/users/ tornaria/cnt/cremona.html .
J. E. Cremona. Algorithms for modular elliptic curves. Cambridge University Press, Cambridge, second edition, 1997. available free online at www.warwick.ac.uk/ staff/J.E.Cremona/book/fulltext/index.html .
J. E. Cremona, M. Prickett, and S. Siksek. Height difference bounds for elliptic curves over number fields. J. Number Theory, 116(1):42–68, 2006.
Article MathSciNet MATH Google Scholar
L. V. Danilov. The Diophantine equation x ³ − y ² = k and a conjecture of M. Hall. Mat. Zametki, 32(3):273–275, 425, 1982. English translation: Math. Notes Acad. Sci. USSR 32 (1982), no. 3–4, 617–618 (1983).
Google Scholar
H. Davenport. On f ³ (t) − g ² (t). Norske Vid. Selsk. Forh. (Trondheim), 38:86–87, 1965.
Google Scholar
S. David. Minorations de formes linéaires de logarithmes elliptiques. Mém. Soc. Math. France (N.S.), (62):iv+143, 1995.
Google Scholar
B. M. M. de Weger. Algorithms for Diophantine equations, volume 65 of CWI Tract. Stichting Mathematisch Centrum Centrum voor Wiskunde en Informatica, Amsterdam, 1989.
Google Scholar
M. Deuring. Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abh. Math. Sem. Hansischen Univ., 14:197–272, 1941.
Article MathSciNet MATH Google Scholar
M. Deuring. Die Zetafunktion einer algebraischen Kurve vom Geschlechte Eins. Nachr. Akad. Wiss. Göttingen. Math.-Phys. Kl. Math.-Phys.-Chem. Abt., 1953:85–94, 1953.
MathSciNet MATH Google Scholar
M. Deuring. Die Zetafunktion einer algebraischen Kurve vom Geschlechte Eins. II. Nachr. Akad. Wiss. Göttingen. Math.-Phys. Kl. IIa., 1955:13–42, 1955.
Google Scholar
M. Deuring. Die Zetafunktion einer algebraischen Kurve vom Geschlechte Eins. III. Nachr. Akad. Wiss. Göttingen. Math.-Phys. Kl. IIa., 1956:37–76, 1956.
Google Scholar
M. Deuring. Die Zetafunktion einer algebraischen Kurve vom Geschlechte Eins. IV. Nachr. Akad. Wiss. Göttingen. Math.-Phys. Kl. IIa., 1957:55–80, 1957.
Google Scholar
W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Information Theory, IT-22(6):644–654, 1976.
Article MathSciNet MATH Google Scholar
L. Dirichlet. Über den biquadratischen Charakter der Zahl “Zwei.” J. Reine Angew. Math., 57:187–188, 1860.
Article MathSciNet Google Scholar
Z. Djabri, E. F. Schaefer, and N. P. Smart. Computing the p-Selmer group of an elliptic curve. Trans. Amer. Math. Soc., 352(12):5583–5597, 2000.
Article MathSciNet MATH Google Scholar
D. S. Dummit and R. M. Foote. Abstract algebra. John Wiley & Sons Inc., Hoboken, NJ, third edition, 2004.
MATH Google Scholar
R. Dupont, A. Enge, and F. Morain. Building curves with arbitrary small MOV degree over finite prime fields. J. Cryptology, 18(2):79–89, 2005.
Article MathSciNet MATH Google Scholar
B. Dwork. On the rationality of the zeta function of an algebraic variety. Amer. J. Math., 82:631–648, 1960.
Article MathSciNet MATH Google Scholar
H. M. Edwards. A normal form for elliptic curves. Bull. Amer. Math. Soc. (N.S.), 44(3):393–422 (electronic), 2007.
Google Scholar
M. Eichler. Quaternäre quadratische Formen und die Riemannsche Vermutung für die Kongruenzzetafunktion. Arch. Math., 5:355–366, 1954.
Article MathSciNet MATH Google Scholar
D. Eisenbud. Commutative algebra, volume 150 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1995. With a view toward algebraic geometry.
Google Scholar
T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31(4):469–472, 1985.
Article MathSciNet MATH Google Scholar
N. Elkies. List of integers x, y with $x < 10^{18}$, $0 < \vert x^{3} - y^{2}\vert < x^{1/2}$. www.math.harvard.edu/~elkies/hall.html.
N. Elkies. $\mathbb{Z}^{28}$ in $E(\mathbb{Q})$. Number Theory Listserver, May 2006.
Google Scholar
N. D. Elkies. The existence of infinitely many supersingular primes for every elliptic curve over $\mathbb{Q}$. Invent. Math., 89(3):561–567, 1987.
Article MathSciNet MATH Google Scholar
N. D. Elkies. Distribution of supersingular primes. Astérisque, (198-200):127–132 (1992), 1991. Journées Arithmétiques, 1989 (Luminy, 1989).
Google Scholar
N. D. Elkies. Elliptic and modular curves over finite fields and related computational issues. In Computational perspectives on number theory (Chicago, IL, 1995), volume 7 of AMS/IP Stud. Adv. Math., pages 21–76. Amer. Math. Soc., Providence, RI, 1998.
Google Scholar
J.-H. Evertse. On equations in S-units and the Thue-Mahler equation. Invent. Math., 75(3):561–584, 1984.
Article MathSciNet MATH Google Scholar
J.-H. Evertse and J. H. Silverman. Uniform bounds for the number of solutions to Y ⁿ = f(X). Math. Proc. Cambridge Philos. Soc., 100(2):237–248, 1986.
Article MathSciNet MATH Google Scholar
G. Faltings. Endlichkeitssätze für abelsche Varietäten über Zahlkörpern. Invent. Math., 73(3):349–366, 1983.
Article MathSciNet Google Scholar
G. Faltings. Calculus on arithmetic surfaces. Ann. of Math. (2), 119(2):387–424, 1984.
Article MathSciNet MATH Google Scholar
G. Faltings. Finiteness theorems for abelian varieties over number fields. In Arithmetic geometry (Storrs, Conn., 1984), pages 9–27. Springer, New York, 1986. Translated from the German original [Invent. Math. 73 (1983), no. 3, 349–366; ibid. 75 (1984), no. 2, 381; MR 85g:11026ab] by Edward Shipz.
Google Scholar
S. Fermigier. Une courbe elliptique définie sur Q de rang ≥ 22. Acta Arith., 82(4):359–363, 1997.
MathSciNet Google Scholar
E. V. Flynn and C. Grattoni. Descent via isogeny on elliptic curves with large rational torsion subgroups. J. Symbolic Comput., 43(4):293–303, 2008.
Article MathSciNet MATH Google Scholar
D. Freeman. Constructing pairing-friendly elliptic curves with embedding degree 10. In Algorithmic number theory, volume 4076 of Lecture Notes in Comput. Sci., pages 452–465. Springer, Berlin, 2006.
Google Scholar
G. Frey. Links between stable elliptic curves and certain Diophantine equations. Ann. Univ. Sarav. Ser. Math., 1(1):iv+40, 1986.
Google Scholar
G. Frey. Elliptic curves and solutions of A − B = C. In Séminaire de Théorie des Nombres, Paris 1985–86, volume 71 of Progr. Math., pages 39–51. Birkhäuser Boston, Boston, MA, 1987.
Google Scholar
G. Frey. Links between solutions of A − B = C and elliptic curves. In Number theory (Ulm, 1987), volume 1380 of Lecture Notes in Math., pages 31–62. Springer, New York, 1989.
Google Scholar
G. Frey and H.-G. Rück. A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comp., 62:865–874, 1994.
MathSciNet MATH Google Scholar
A. Fröhlich. Local fields. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 1–41. Thompson, Washington, D.C., 1967.
Google Scholar
A. Fröhlich. Formal groups. Lecture Notes in Mathematics, No. 74. Springer-Verlag, Berlin, 1968.
Google Scholar
R. Fueter. Ueber kubische diophantische Gleichungen. Comment. Math. Helv., 2(1):69–89, 1930.
Article MathSciNet MATH Google Scholar
W. Fulton. Algebraic curves. Advanced Book Classics. Addison-Wesley Publishing Company Advanced Book Program, Redwood City, CA, 1989. An introduction to algebraic geometry, Notes written with the collaboration of Richard Weiss, Reprint of 1969 original.
Google Scholar
J. Gebel, A. Pethő, and H. G. Zimmer. Computing integral points on elliptic curves. Acta Arith., 68(2):171–192, 1994.
MathSciNet MATH Google Scholar
S. Goldwasser and J. Kilian. Almost all primes can be quickly certified. In STOC ’86: Proceedings of the eighteenth annual ACM symposium on Theory of computing, pages 316–329, New York, 1986. ACM.
Google Scholar
R. Greenberg. On the Birch and Swinnerton-Dyer conjecture. Invent. Math., 72(2):241–265, 1983.
Article MathSciNet MATH Google Scholar
P. Griffiths and J. Harris. Principles of algebraic geometry. Wiley Classics Library. John Wiley & Sons Inc., New York, 1994. Reprint of the 1978 original.
Google Scholar
B. Gross, W. Kohnen, and D. Zagier. Heegner points and derivatives of L-series. II. Math. Ann., 278(1-4):497–562, 1987.
Google Scholar
B. Gross and D. Zagier. Points de Heegner et dérivées de fonctions L. C. R. Acad. Sci. Paris Sér. I Math., 297(2):85–87, 1983.
Google Scholar
B. H. Gross and D. B. Zagier. Heegner points and derivatives of L-series. Invent. Math., 84(2):225–320, 1986.
Article MathSciNet MATH Google Scholar
R. Gross. A note on Roth’s theorem. J. Number Theory, 36:127–132, 1990.
Article MathSciNet MATH Google Scholar
R. Gross and J. Silverman. S-integer points on elliptic curves. Pacific J. Math., 167(2):263–288, 1995.
Article MathSciNet MATH Google Scholar
K. Gruenberg. Profinite groups. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 116–127. Thompson, Washington, D.C., 1967.
Google Scholar
M. Hall, Jr. The Diophantine equation x ³ − y ² = k. In Computers in number theory (Proc. Sci. Res. Council Atlas Sympos. No. 2, Oxford, 1969), pages 173–198. Academic Press, London, 1971.
Google Scholar
D. Hankerson, A. Menezes, and S. Vanstone. Guide to elliptic curve cryptography. Springer Professional Computing. Springer-Verlag, New York, 2004.
MATH Google Scholar
G. H. Hardy and E. M. Wright. An introduction to the theory of numbers. The Clarendon Press Oxford University Press, New York, fifth edition, 1979.
MATH Google Scholar
J. Harris. Algebraic geometry, volume 133 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1992. A first course.
Google Scholar
M. Harris, N. Shepherd-Barron, and R. Taylor. A family of Calabi-Yau varieties and potential automorphy. Ann. of Math. (2). to appear.
Google Scholar
R. Hartshorne. Algebraic geometry. Springer-Verlag, New York, 1977. Graduate Texts in Mathematics, No. 52.
Google Scholar
M. Hazewinkel. Formal groups and applications, volume 78 of Pure and Applied Mathematics. Academic Press Inc. [Harcourt Brace Jovanovich Publishers], New York, 1978.
Google Scholar
M. Hindry and J. H. Silverman. The canonical height and integral points on elliptic curves. Invent. Math., 93(2):419–450, 1988.
Article MathSciNet MATH Google Scholar
M. Hindry and J. H. Silverman. Diophantine geometry, volume 201 of Graduate Texts in Mathematics. Springer-Verlag, New York, 2000. An introduction.
Google Scholar
G. Hochschild and J.-P. Serre. Cohomology of group extensions. Trans. Amer. Math. Soc., 74:110–134, 1953.
Article MathSciNet MATH Google Scholar
J. Hoffstein, J. Pipher, and J. H. Silverman. An introduction to mathematical cryptography. Undergraduate Texts in Mathematics. Springer-Verlag, New York, 2008.
MATH Google Scholar
A. Hurwitz. Über ternäre diophantische Gleichungen dritten Grades. Vierteljahrschrift d. Naturf. Ges. Zürich, 62:207–229, 1917.
MATH Google Scholar
D. Husemöller. Elliptic curves, volume 111 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 2004. With appendices by Otto Forster, Ruth Lawrence and Stefan Theisen.
Google Scholar
J.-I. Igusa. Class number of a definite quaternion with prime discriminant. Proc. Nat. Acad. Sci. U.S.A., 44:312–314, 1958.
Article MathSciNet MATH Google Scholar
A. Joux. A one round protocol for tripartite Diffie-Hellman. In Algorithmic number theory (Leiden, 2000), volume 1838 of Lecture Notes in Comput. Sci., pages 385–393. Springer, Berlin, 2000.
Google Scholar
S. Kamienny. Torsion points on elliptic curves and q-coefficients of modular forms. Invent. Math., 109(2):221–229, 1992.
Article MathSciNet MATH Google Scholar
S. Kamienny and B. Mazur. Rational torsion of prime order in elliptic curves over number fields. Astérisque, (228):3, 81–100, 1995. With an appendix by A. Granville, Columbia University Number Theory Seminar (New York, 1992).
Google Scholar
N. M. Katz. An overview of Deligne’s proof of the Riemann hypothesis for varieties over finite fields. In Mathematical developments arising from Hilbert problems (Proc. Sympos. Pure Math., Vol. XXVIII, Northern Illinois Univ., De Kalb, Ill., 1974), pages 275–305. Amer. Math. Soc., Providence, R.I., 1976.
Google Scholar
N. M. Katz and B. Mazur. Arithmetic moduli of elliptic curves, volume 108 of Annals of Mathematics Studies. Princeton University Press, Princeton, NJ, 1985.
Google Scholar
M. A. Kenku. On the number of Q-isomorphism classes of elliptic curves in each Q-isogeny class. J. Number Theory, 15(2):199–202, 1982.
Article MathSciNet MATH Google Scholar
J.-H. Kim, R. Montenegro, Y. Peres, and P. Tetali. A birthday paradox for Markov chains, with an optimal bound for collision in Pollard rho for discrete logarithm. In Algorithmic number theory, volume 5011 of Lecture Notes in Comput. Sci., pages 402–415. Springer, Berlin, 2008.
Google Scholar
A. W. Knapp. Elliptic curves, volume 40 of Mathematical Notes. Princeton University Press, Princeton, NJ, 1992.
Google Scholar
N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.
Article MathSciNet MATH Google Scholar
N. Koblitz. Introduction to elliptic curves and modular forms, volume 97 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1993.
Google Scholar
V. A. Kolyvagin. Finiteness of $E(\mathbb{Q})$ and $(E, \mathbb{Q})$ for a subclass of Weil curves. Izv. Akad. Nauk SSSR Ser. Mat., 52(3):522–540, 670–671, 1988.
Google Scholar
S. V. Kotov and L. A. Trelina. S-ganze Punkte auf elliptischen Kurven. J. Reine Angew. Math., 306:28–41, 1979.
MathSciNet MATH Google Scholar
D. S. Kubert. Universal bounds on the torsion of elliptic curves. Proc. London Math. Soc. (3), 33(2):193–237, 1976.
Article MathSciNet MATH Google Scholar
E. Kunz. Introduction to plane algebraic curves. Birkhäuser Boston Inc., Boston, MA, 2005. Translated from the 1991 German edition by Richard G. Belshoff.
Google Scholar
M. Lal, M. F. Jones, and W. J. Blundon. Numerical solutions of the Diophantine equation y ³ − x ² = k. Math. Comp., 20:322–325, 1966.
Google Scholar
S. Lang. Elliptic curves: Diophantine analysis, volume 231 of Grundlehren der Mathematischen Wissenschaften [Fundamental Principles of Mathematical Sciences]. Springer-Verlag, Berlin, 1978.
Google Scholar
S. Lang. Introduction to algebraic and abelian functions, volume 89 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1982.
Google Scholar
S. Lang. Complex multiplication, volume 255 of Grundlehren der Mathematischen Wissenschaften [Fundamental Principles of Mathematical Sciences]. Springer-Verlag, New York, 1983.
Google Scholar
S. Lang. Conjectured Diophantine estimates on elliptic curves. In Arithmetic and geometry, Vol. I, volume 35 of Progr. Math., pages 155–171. Birkhäuser Boston, Boston, MA, 1983.
Google Scholar
S. Lang. Fundamentals of Diophantine geometry. Springer-Verlag, New York, 1983.
Book MATH Google Scholar
S. Lang. Elliptic functions, volume 112 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1987. With an appendix by J. Tate.
Google Scholar
S. Lang. Number theory III, volume 60 of Encyclopedia of Mathematical Sciences. Springer-Verlag, Berlin, 1991.
Google Scholar
S. Lang. Algebraic number theory, volume 110 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1994.
Google Scholar
S. Lang. Algebra, volume 211 of Graduate Texts in Mathematics. Springer-Verlag, New York, third edition, 2002.
Google Scholar
S. Lang and J. Tate. Principal homogeneous spaces over abelian varieties. Amer. J. Math., 80:659–684, 1958.
Article MathSciNet MATH Google Scholar
S. Lang and H. Trotter. Frobenius distributions in $\mathop{\mathrm{GL}}\nolimits _{2}$ -extensions. Springer-Verlag, Berlin, 1976. Distribution of Frobenius automorphisms in $\mathop{\mathrm{GL}}\nolimits _{2}$-extensions of the rational numbers, Lecture Notes in Mathematics, Vol. 504.
Google Scholar
M. Laska. An algorithm for finding a minimal Weierstrass equation for an elliptic curve. Math. Comp., 38(157):257–260, 1982.
Article MathSciNet MATH Google Scholar
M. Laska. Elliptic curves over number fields with prescribed reduction type. Aspects of Mathematics, E4. Friedr. Vieweg & Sohn, Braunschweig, 1983.
Google Scholar
D. J. Lewis and K. Mahler. On the representation of integers by binary forms. Acta Arith., 6:333–363, 1960/1961.
Google Scholar
S. Lichtenbaum. The period-index problem for elliptic curves. Amer. J. Math., 90:1209–1223, 1968.
Article MathSciNet MATH Google Scholar
C.-E. Lind. Untersuchungen über die rationalen Punkte der ebenen kubischen Kurven vom Geschlecht Eins. Thesis, University of Uppsala,, 1940:97, 1940.
MathSciNet MATH Google Scholar
J. Liouville. Sur des classes très-étendues de quantités dont la irrationalles algébriques. C. R. Acad. Paris, 18:883–885 and 910–911, 1844.
Google Scholar
E. Lutz. Sur l’equation y ² = x ³ − ax − b dans les corps p-adic. J. Reine Angew. Math., 177:237–247, 1937.
MathSciNet Google Scholar
K. Mahler. On the lattice points on curves of genus 1. Proc. London Math. Soc. (3), 39:431–466, 1935.
Article MathSciNet MATH Google Scholar
J. I. Manin. The Hasse-Witt matrix of an algebraic curve. Izv. Akad. Nauk SSSR Ser. Mat., 25:153–172, 1961.
MathSciNet Google Scholar
J. I. Manin. The p-torsion of elliptic curves is uniformly bounded. Izv. Akad. Nauk SSSR Ser. Mat., 33:459–465, 1969.
MathSciNet Google Scholar
J. I. Manin. Cyclotomic fields and modular curves. Uspehi Mat. Nauk, 26(6(162)):7–71, 1971. English translation: Russian Math. Surveys 26 (1971), no. 6, 7–78.
Google Scholar
R. C. Mason. The hyperelliptic equation over function fields. Math. Proc. Cambridge Philos. Soc., 93(2):219–230, 1983.
Article MathSciNet MATH Google Scholar
R. C. Mason. Norm form equations. I. J. Number Theory, 22(2):190–207, 1986.
Google Scholar
D. Masser. Elliptic functions and transcendence. Springer-Verlag, Berlin, 1975. Lecture Notes in Mathematics, Vol. 437.
Google Scholar
D. Masser and G. Wüstholz. Isogeny estimates for abelian varieties, and finiteness theorems. Ann. of Math. (2), 137(3):459–472, 1993.
Article MathSciNet MATH Google Scholar
D. W. Masser. Specializations of finitely generated subgroups of abelian varieties. Trans. Amer. Math. Soc., 311(1):413–424, 1989.
Article MathSciNet MATH Google Scholar
D. W. Masser and G. Wüstholz. Fields of large transcendence degree generated by values of elliptic functions. Invent. Math., 72(3):407–464, 1983.
Article MathSciNet MATH Google Scholar
D. W. Masser and G. Wüstholz. Estimating isogenies on elliptic curves. Invent. Math., 100(1):1–24, 1990.
Article MathSciNet MATH Google Scholar
H. Matsumura. Commutative algebra, volume 56 of Mathematics Lecture Note Series. Benjamin/Cummings Publishing Co., Inc., Reading, Mass., second edition, 1980.
Google Scholar
B. Mazur. Modular curves and the Eisenstein ideal. Inst. Hautes Études Sci. Publ. Math., (47):33–186 (1978), 1977.
Google Scholar
B. Mazur. Rational isogenies of prime degree (with an appendix by D. Goldfeld). Invent. Math., 44(2):129–162, 1978.
Google Scholar
H. McKean and V. Moll. Elliptic curves. Cambridge University Press, Cambridge, 1997. Function theory, geometry, arithmetic.
Google Scholar
A. J. Menezes, T. Okamoto, and S. A. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inform. Theory, 39(5):1639–1646, 1993.
Article MathSciNet MATH Google Scholar
A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and Its Applications. CRC Press, Boca Raton, FL, 1997.
MATH Google Scholar
L. Merel. Bornes pour la torsion des courbes elliptiques sur les corps de nombres. Invent. Math., 124(1-3):437–449, 1996.
Article MathSciNet Google Scholar
J.-F. Mestre. Construction d’une courbe elliptique de rang ≥ 12. C. R. Acad. Sci. Paris Sér. I Math., 295(12):643–644, 1982.
MathSciNet MATH Google Scholar
J.-F. Mestre. Courbes elliptiques et formules explicites. In Seminar on number theory, Paris 1981–82 (Paris, 1981/1982), volume 38 of Progr. Math., pages 179–187. Birkhäuser Boston, Boston, MA, 1983.
Google Scholar
M. Mignotte. Quelques remarques sur l’approximation rationnelle des nombres algébriques. J. Reine Angew. Math., 268/269:341–347, 1974. Collection of articles dedicated to Helmut Hasse on his seventy-fifth birthday, II.
Google Scholar
S. D. Miller and R. Venkatesan. Spectral analysis of Pollard rho collisions. In Algorithmic number theory, volume 4076 of Lecture Notes in Comput. Sci., pages 573–581. Springer, Berlin, 2006.
Google Scholar
S. D. Miller and R. Venkatesan. Non-degeneracy of Pollard rho collisions, 2008. arXiv:0808.0469.
Google Scholar
V. S. Miller. Use of elliptic curves in cryptography. In Advances in Cryptology—CRYPTO ’85 (Santa Barbara, Calif., 1985), volume 218 of Lecture Notes in Comput. Sci., pages 417–426. Springer, Berlin, 1986.
Google Scholar
J. S. Milne. Arithmetic duality theorems, volume 1 of Perspectives in Mathematics. Academic Press Inc., Boston, MA, 1986.
Google Scholar
J. S. Milne. Elliptic curves. BookSurge Publishers, Charleston, SC, 2006.
MATH Google Scholar
J. Milnor. On Lattès maps. ArXiv:math.DS/0402147, Stony Brook IMS Preprint #2004/01.
Google Scholar
R. Miranda. Algebraic curves and Riemann surfaces, volume 5 of Graduate Studies in Mathematics. American Mathematical Society, Providence, RI, 1995.
Google Scholar
A. Miyaji, M. Nakabayashi, and S. Takano. Characterization of elliptic curve traces under FR-reduction. In Information security and cryptology—ICISC 2000 (Seoul), volume 2015 of Lecture Notes in Comput. Sci., pages 90–108. Springer, Berlin, 2001.
Google Scholar
P. Monsky. Three constructions of rational points on Y ² = X ³ ± NX. Math. Z., 209(3):445–462, 1992.
Google Scholar
F. Morain. Building cyclic elliptic curves modulo large primes. In Advances in cryptology—EUROCRYPT ’91 (Brighton, 1991), volume 547 of Lecture Notes in Comput. Sci., pages 328–336. Springer, Berlin, 1991.
Google Scholar
L. J. Mordell. The diophantine equation x ⁴ + my ⁴ = z ². . Quart. J. Math. Oxford Ser. (2), 18:1–6, 1967.
Article MathSciNet MATH Google Scholar
L. J. Mordell. Diophantine equations. Pure and Applied Mathematics, Vol. 30. Academic Press, London, 1969.
Google Scholar
D. Mumford. Abelian varieties. Tata Institute of Fundamental Research Studies in Mathematics, No. 5. Published for the Tata Institute of Fundamental Research, Bombay, 1970.
Google Scholar
D. Mumford, J. Fogarty, and F. Kirwan. Geometric invariant theory, volume 34 of Ergebnisse der Mathematik und ihrer Grenzgebiete (2) [Results in Mathematics and Related Areas (2)]. Springer-Verlag, Berlin, third edition, 1994.
Google Scholar
K.-I. Nagao. Construction of high-rank elliptic curves. Kobe J. Math., 11(2):211–219, 1994.
MathSciNet MATH Google Scholar
K.-I. Nagao. $\mathbb{Q}(T)$-rank of elliptic curves and certain limit coming from the local points. Manuscripta Math., 92(1):13–32, 1997. With an appendix by Nobuhiko Ishida, Tsuneo Ishikawa and the author.
Google Scholar
T. Nagell. Solution de quelque problèmes dans la théorie arithmétique des cubiques planes du premier genre. Wid. Akad. Skrifter Oslo I, 1935. Nr. 1.
Google Scholar
NBS–DSS. Digital Signature Standard (DSS). FIPS Publication 186-2, National Bureau of Standards, 2000. http://csrc.nist.gov/publications/ PubsFIPS.html .
A. Néron. Problèmes arithmétiques et géométriques rattachés à la notion de rang d’une courbe algébrique dans un corps. Bull. Soc. Math. France, 80:101–166, 1952.
MathSciNet MATH Google Scholar
A. Néron. Modèles minimaux des variétés abéliennes sur les corps locaux et globaux. Inst. Hautes Études Sci. Publ.Math. No., 21:128, 1964.
Google Scholar
A. Néron. Quasi-fonctions et hauteurs sur les variétés abéliennes. Ann. of Math. (2), 82:249–331, 1965.
Article MathSciNet MATH Google Scholar
O. Neumann. Elliptische Kurven mit vorgeschriebenem Reduktionsverhalten. I. Math. Nachr., 49:107–123, 1971.
Google Scholar
J. Oesterlé. Nouvelles approches du “théorème” de Fermat. Astérisque, (161-162):Exp. No. 694, 4, 165–186 (1989), 1988. Séminaire Bourbaki, Vol. 1987/88.
Google Scholar
A. Ogg. Modular forms and Dirichlet series. W. A. Benjamin, Inc., New York-Amsterdam, 1969.
MATH Google Scholar
A. P. Ogg. Abelian curves of 2-power conductor. Proc. Cambridge Philos. Soc., 62:143–148, 1966.
Article MathSciNet MATH Google Scholar
A. P. Ogg. Abelian curves of small conductor. J. Reine Angew. Math., 226:204–215, 1967.
MathSciNet MATH Google Scholar
A. P. Ogg. Elliptic curves and wild ramification. Amer. J. Math., 89:1–21, 1967.
Article MathSciNet MATH Google Scholar
L. D. Olson. Torsion points on elliptic curves with given j-invariant. Manuscripta Math., 16(2):145–150, 1975.
Article MathSciNet MATH Google Scholar
PARI/GP, 2005. http://pari.math.u-bordeaux.fr/.
A. N. Paršin. Algebraic curves over function fields. I. Izv. Akad. Nauk SSSR Ser. Mat., 32:1191–1219, 1968.
Google Scholar
R. G. E. Pinch. Elliptic curves with good reduction away from 2. Math. Proc. Cambridge Philos. Soc., 96(1):25–38, 1984.
Article MathSciNet MATH Google Scholar
S. C. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over $\mathop{\mathrm{GF}}\nolimits (p)$ and its cryptographic significance. IEEE Trans. Information Theory, IT-24(1):106–110, 1978.
Article MathSciNet MATH Google Scholar
J. M. Pollard. Monte Carlo methods for index computation $(\mathop{\mathrm{mod}}\nolimits \ p)$. Math. Comp., 32(143):918–924, 1978.
MathSciNet MATH Google Scholar
H. Reichardt. Einige im Kleinen überall lösbare, im Grossen unlösbare diophantische Gleichungen. J. Reine Angew. Math., 184:12–18, 1942.
MathSciNet MATH Google Scholar
K. A. Ribet. On modular representations of $\mathop{\mathrm{Gal}}\nolimits (\overline{\mathbf{Q}}/\mathbf{Q})$ arising from modular forms. Invent. Math., 100(2):431–476, 1990.
Article MathSciNet MATH Google Scholar
R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM, 21(2):120–126, 1978.
Article MathSciNet MATH Google Scholar
A. Robert. Elliptic curves. Springer-Verlag, Berlin, 1973. Notes from postgraduate lectures given in Lausanne 1971/72, Lecture Notes in Mathematics, Vol. 326.
Google Scholar
D. E. Rohrlich. On L-functions of elliptic curves and anticyclotomic towers. Invent. Math., 75(3):383–408, 1984.
Article MathSciNet MATH Google Scholar
P. Roquette. Analytic theory of elliptic functions over local fields. Hamburger Mathematische Einzelschriften (N.F.), Heft 1. Vandenhoeck & Ruprecht, Göttingen, 1970.
Google Scholar
M. Rosen and J. H. Silverman. On the rank of an elliptic surface. Invent. Math., 133(1):43–67, 1998.
Article MathSciNet MATH Google Scholar
K. Rubin. Elliptic curves with complex multiplication and the conjecture of Birch and Swinnerton-Dyer. Invent. Math., 64(3):455–470, 1981.
Article MathSciNet MATH Google Scholar
K. Rubin. Tate-Shafarevich groups and L-functions of elliptic curves with complex multiplication. Invent. Math., 89(3):527–559, 1987.
Article MathSciNet MATH Google Scholar
K. Rubin. The “main conjectures” of Iwasawa theory for imaginary quadratic fields. Invent. Math., 103(1):25–68, 1991.
Article MathSciNet MATH Google Scholar
T. Saito. Conductor, discriminant, and the Noether formula of arithmetic surfaces. Duke Math. J., 57(1):151–173, 1988.
Article MathSciNet MATH Google Scholar
T. Satoh and K. Araki. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comment. Math. Univ. St. Paul., 47(1):81–92, 1998.
MathSciNet MATH Google Scholar
E. F. Schaefer and M. Stoll. How to do a p-descent on an elliptic curve. Trans. Amer. Math. Soc., 356(3):1209–1231 (electronic), 2004.
Google Scholar
S. H. Schanuel. Heights in number fields. Bull. Soc. Math. France, 107(4):433–449, 1979.
MathSciNet MATH Google Scholar
W. M. Schmidt. Diophantine approximation, volume 785 of Lecture Notes in Mathematics. Springer, Berlin, 1980.
Google Scholar
S. Schmitt and H. G. Zimmer. Elliptic curves, volume 31 of de Gruyter Studies in Mathematics. Walter de Gruyter & Co., Berlin, 2003. A computational approach, With an appendix by Attila Pethő.
Google Scholar
R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., 44(170):483–494, 1985.
Google Scholar
R. Schoof. Counting points on elliptic curves over finite fields. J. Théor. Nombres Bordeaux, 7(1):219–254, 1995. Les Dix-huitièmes Journées Arithmétiques (Bordeaux, 1993).
Google Scholar
E. S. Selmer. The Diophantine equation ax ³ + by ³ + cz ³ = 0. Acta Math., 85:203–362 (1 plate), 1951.
Google Scholar
E. S. Selmer. A conjecture concerning rational points on cubic curves. Math. Scand., 2:49–54, 1954.
MathSciNet MATH Google Scholar
E. S. Selmer. The diophantine equation ax ³ + by ³ + cz ³ = 0. Completion of the tables. Acta Math., 92:191–197, 1954.
Google Scholar
I. A. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comp., 67(221):353–356, 1998.
Google Scholar
J.-P. Serre. Géométrie algébrique et géométrie analytique. Ann. Inst. Fourier, Grenoble, 6:1–42, 1955–1956.
Google Scholar
J.-P. Serre. Complex multiplication. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 292–296. Thompson, Washington, D.C., 1967.
Google Scholar
J.-P. Serre. Propriétés galoisiennes des points d’ordre fini des courbes elliptiques. Invent. Math., 15(4):259–331, 1972.
Google Scholar
J.-P. Serre. A course in arithmetic. Springer-Verlag, New York, 1973. Translated from the French, Graduate Texts in Mathematics, No. 7.
Google Scholar
J.-P. Serre. Local fields, volume 67 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1979. Translated from the French by Marvin Jay Greenberg.
Google Scholar
J.-P. Serre. Quelques applications du théorème de densité de Chebotarev. Inst. Hautes Études Sci. Publ. Math., (54):323–401, 1981.
Article MATH Google Scholar
J.-P. Serre. Sur les représentations modulaires de degré 2 de $\mathop{\mathrm{Gal}}\nolimits (\overline{\mathbf{Q}}/\mathbf{Q})$. Duke Math. J., 54(1):179–230, 1987.
Article MathSciNet Google Scholar
J.-P. Serre. Lectures on the Mordell-Weil theorem. Aspects of Mathematics. Friedr. Vieweg & Sohn, Braunschweig, third edition, 1997. Translated from the French and edited by Martin Brown from notes by Michel Waldschmidt, With a foreword by Brown and Serre.
Google Scholar
J.-P. Serre. Abelian l-adic representations and elliptic curves, volume 7 of Research Notes in Mathematics. A K Peters Ltd., Wellesley, MA, 1998. With the collaboration of Willem Kuyk and John Labute, Revised reprint of the 1968 original.
Google Scholar
J.-P. Serre. Galois cohomology. Springer Monographs in Mathematics. Springer-Verlag, Berlin, english edition, 2002. Translated from the French by Patrick Ion and revised by the author.
Google Scholar
J.-P. Serre and J. Tate. Good reduction of abelian varieties. Ann. of Math. (2), 88:492–517, 1968.
Article MathSciNet MATH Google Scholar
B. Setzer. Elliptic curves of prime conductor. J. London Math. Soc. (2), 10:367–378, 1975.
Article MathSciNet MATH Google Scholar
B. Setzer. Elliptic curves over complex quadratic fields. Pacific J. Math., 74(1):235–250, 1978.
Article MathSciNet MATH Google Scholar
I. R. Shafarevich. Algebraic number fields. In Proc. Int. Cong. (Stockholm 1962), pages 25–39. American Mathematical Society, Providence, R.I., 1963. Amer. Math. Soc. Transl., Series 2, Vol. 31.
Google Scholar
I. R. Shafarevich. Basic algebraic geometry. Springer-Verlag, Berlin, study edition, 1977. Translated from the Russian by K. A. Hirsch, Revised printing of Grundlehren der mathematischen Wissenschaften, Vol. 213, 1974.
Google Scholar
I. R. Shafarevich and J. Tate. The rank of elliptic curves. In Amer. Math. Soc. Transl., volume 8, pages 917–920. Amer. Math. Soc., 1967.
Google Scholar
A. Shamir. Identity-based cryptosystems and signature schemes. In Advances in Cryptology (Santa Barbara, Calif., 1984), volume 196 of Lecture Notes in Comput. Sci., pages 47–53. Springer, Berlin, 1985.
Google Scholar
G. Shimura. Correspondances modulaires et les fonctions ζ de courbes algébriques. J. Math. Soc. Japan, 10:1–28, 1958.
Article MathSciNet MATH Google Scholar
G. Shimura. On elliptic curves with complex multiplication as factors of the Jacobians of modular function fields. Nagoya Math. J., 43:199–208, 1971.
MathSciNet MATH Google Scholar
G. Shimura. On the zeta-function of an abelian variety with complex multiplication. Ann. of Math. (2), 94:504–533, 1971.
Article MathSciNet MATH Google Scholar
G. Shimura. Introduction to the arithmetic theory of automorphic functions, volume 11 of Publications of the Mathematical Society of Japan. Princeton University Press, Princeton, NJ, 1994. Reprint of the 1971 original, Kano Memorial Lectures, 1.
Google Scholar
G. Shimura and Y. Taniyama. Complex multiplication of abelian varieties and its applications to number theory, volume 6 of Publications of the Mathematical Society of Japan. The Mathematical Society of Japan, Tokyo, 1961.
Google Scholar
T. Shioda. An explicit algorithm for computing the Picard number of certain algebraic surfaces. Amer. J. Math., 108(2):415–432, 1986.
Article MathSciNet MATH Google Scholar
R. Shipsey. Elliptic divisibility sequences. PhD thesis, Goldsmith’s College (University of London), 2000.
Google Scholar
V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in cryptology—EUROCRYPT ’97 (Konstanz), volume 1233 of Lecture Notes in Comput. Sci., pages 256–266. Springer, Berlin, 1997. updated version at www.shoup.net/papers/dlbounds1.pdf.
J. H. Silverman. Lower bound for the canonical height on elliptic curves. Duke Math. J., 48(3):633–648, 1981.
Article MathSciNet MATH Google Scholar
J. H. Silverman. The Néron–Tate height on elliptic curves. PhD thesis, Harvard University, 1981.
Google Scholar
J. H. Silverman. Heights and the specialization map for families of abelian varieties. J. Reine Angew. Math., 342:197–211, 1983.
MathSciNet MATH Google Scholar
J. H. Silverman. Integer points on curves of genus 1. J. London Math. Soc. (2), 28(1):1–7, 1983.
Article MathSciNet MATH Google Scholar
J. H. Silverman. The S-unit equation over function fields. Math. Proc. Cambridge Philos. Soc., 95(1):3–4, 1984.
Article MathSciNet MATH Google Scholar
J. H. Silverman. Weierstrass equations and the minimal discriminant of an elliptic curve. Mathematika, 31(2):245–251 (1985), 1984.
Google Scholar
J. H. Silverman. Divisibility of the specialization map for families of elliptic curves. Amer. J. Math., 107(3):555–565, 1985.
Article MathSciNet MATH Google Scholar
J. H. Silverman. Arithmetic distance functions and height functions in Diophantine geometry. Math. Ann., 279(2):193–216, 1987.
Article MathSciNet MATH Google Scholar
J. H. Silverman. A quantitative version of Siegel’s theorem: integral points on elliptic curves and Catalan curves. J. Reine Angew. Math., 378:60–100, 1987.
MathSciNet MATH Google Scholar
J. H. Silverman. Computing heights on elliptic curves. Math. Comp., 51(183):339–358, 1988.
Article MathSciNet MATH Google Scholar
J. H. Silverman. Wieferich’s criterion and the abc-conjecture. J. Number Theory, 30(2):226–237, 1988.
Article MathSciNet MATH Google Scholar
J. H. Silverman. The difference between the Weil height and the canonical height on elliptic curves. Math. Comp., 55(192):723–743, 1990.
Article MathSciNet MATH Google Scholar
J. H. Silverman. Advanced topics in the arithmetic of elliptic curves, volume 151 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1994.
Google Scholar
J. H. Silverman. The arithmetic of dynamical systems, volume 241 of Graduate Texts in Mathematics. Springer, New York, 2007.
Google Scholar
N. P. Smart. S-integral points on elliptic curves. Math. Proc. Cambridge Philos. Soc., 116(3):391–399, 1994.
Article MathSciNet MATH Google Scholar
N. P. Smart. The discrete logarithm problem on elliptic curves of trace one. J. Cryptology, 12(3):193–196, 1999.
Article MathSciNet MATH Google Scholar
K. Stange. The Tate pairing via elliptic nets. In Pairing Based Cryptography, Lecture Notes in Comput. Sci. Springer, 2007.
Google Scholar
K. Stange. Elliptic Nets and Elliptic Curves. PhD thesis, Brown University, 2008.
Google Scholar
K. Stange. Elliptic nets and elliptic curves, 2008. arXiv:0710.1316v2.
Google Scholar
H. M. Stark. Effective estimates of solutions of some Diophantine equations. Acta Arith., 24:251–259, 1973.
MathSciNet MATH Google Scholar
W. Stein. The Modular Forms Database. http://modular.fas.harvard. edu/Tables .
W. Stein. Sage Mathematics Software, 2007. http://www.sagemath.org.
N. M. Stephens. The Diophantine equation X ³ + Y ³ = DZ ³ and the conjectures of Birch and Swinnerton-Dyer. J. Reine Angew. Math., 231:121–162, 1968.
MathSciNet MATH Google Scholar
D. R. Stinson. Cryptography: Theory and Practice. CRC Press Series on Discrete Mathematics and Its Applications. Chapman & Hall/CRC, Boca Raton, FL, 2002.
MATH Google Scholar
W. W. Stothers. Polynomial identities and Hauptmoduln. Quart. J. Math. Oxford Ser. (2), 32(127):349–370, 1981.
Article MathSciNet MATH Google Scholar
R. J. Stroeker and N. Tzanakis. Solving elliptic Diophantine equations by estimating linear forms in elliptic logarithms. Acta Arith., 67(2):177–196, 1994.
MathSciNet MATH Google Scholar
J. Tate. Letter to J.-P. Serre, 1968.
Google Scholar
J. Tate. Duality theorems in Galois cohomology over number fields. In Proc. Internat. Congr. Mathematicians (Stockholm, 1962), pages 288–295. Inst. Mittag-Leffler, Djursholm, 1963.
Google Scholar
J. Tate. Endomorphisms of abelian varieties over finite fields. Invent. Math., 2:134–144, 1966.
Article MathSciNet MATH Google Scholar
J. Tate. Algorithm for determining the type of a singular fiber in an elliptic pencil. In Modular functions of one variable, IV (Proc. Internat. Summer School, Univ. Antwerp, Antwerp, 1972), pages 33–52. Lecture Notes in Math., Vol. 476. Springer, Berlin, 1975.
Google Scholar
J. Tate. Variation of the canonical height of a point depending on a parameter. Amer. J. Math., 105(1):287–294, 1983.
Article MathSciNet MATH Google Scholar
J. Tate. A review of non-Archimedean elliptic functions. In Elliptic curves, modular forms, & Fermat’s last theorem (Hong Kong, 1993), Ser. Number Theory, I, pages 162–184. Int. Press, Cambridge, MA, 1995.
Google Scholar
J. Tate. WC-groups over $\mathfrak{p}$-adic fields. In Séminaire Bourbaki, Vol. 4 (1957/58), pages Exp. No. 156, 265–277. Soc. Math. France, Paris, 1995.
Google Scholar
J. T. Tate. Algebraic cycles and poles of zeta functions. In Arithmetical Algebraic Geometry (Proc. Conf. Purdue Univ., 1963), pages 93–110. Harper & Row, New York, 1965.
Google Scholar
J. T. Tate. Global class field theory. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 162–203. Thompson, Washington, D.C., 1967.
Google Scholar
J. T. Tate. The arithmetic of elliptic curves. Invent. Math., 23:179–206, 1974.
Article MathSciNet MATH Google Scholar
R. Taylor. Automorphy for some l-adic lifts of automorphic mod l representations. II. Inst. Hautes Études Sci. Publ. Math. submitted.
Google Scholar
R. Taylor and A. Wiles. Ring-theoretic properties of certain Hecke algebras. Ann. of Math. (2), 141(3):553–572, 1995.
Article MathSciNet MATH Google Scholar
E. Teske. A space efficient algorithm for group structure computation. Math. Comp., 67(224):1637–1663, 1998.
Article MathSciNet MATH Google Scholar
E. Teske. Speeding up Pollard’s rho method for computing discrete logarithms. In Algorithmic Number Theory (Portland, OR, 1998), volume 1423 of Lecture Notes in Comput. Sci., pages 541–554. Springer, Berlin, 1998.
Google Scholar
E. Teske. Square-root algorithms for the discrete logarithm problem (a survey). In Public-Key Cryptography and Computational Number Theory (Warsaw, 2000), pages 283–301. de Gruyter, Berlin, 2001.
Google Scholar
D. Ulmer. Elliptic curves with large rank over function fields. Ann. of Math. (2), 155(1):295–315, 2002.
Article MathSciNet MATH Google Scholar
B. L. van der Waerden. Algebra. Vols. I and II. Springer-Verlag, New York, 1991. Based in part on lectures by E. Artin and E. Noether, Translated from the seventh German edition by Fred Blum and John R. Schulenberger.
Google Scholar
J. Vélu. Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B, 273:A238–A241, 1971.
Google Scholar
P. Vojta. A higher-dimensional Mordell conjecture. In Arithmetic geometry (Storrs, Conn., 1984), pages 341–353. Springer, New York, 1986.
Google Scholar
P. Vojta. Siegel’s theorem in the compact case. Ann. of Math. (2), 133(3):509–548, 1991.
Article MathSciNet MATH Google Scholar
J. F. Voloch. Diagonal equations over function fields. Bol. Soc. Brasil. Mat., 16(2):29–39, 1985.
Article MathSciNet MATH Google Scholar
P. M. Voutier. An upper bound for the size of integral solutions to Y ^m = f(X). J. Number Theory, 53(2):247–271, 1995.
Article MathSciNet MATH Google Scholar
R. J. Walker. Algebraic curves. Springer-Verlag, New York, 1978. Reprint of the 1950 edition.
Google Scholar
M. Ward. Memoir on elliptic divisibility sequences. Amer. J. Math., 70:31–74, 1948.
Article MathSciNet MATH Google Scholar
L. C. Washington. Elliptic curves. Discrete Mathematics and Its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, second edition, 2008. Number theory and cryptography.
Google Scholar
A. Weil. Numbers of solutions of equations in finite fields. Bull. Amer. Math. Soc., 55:497–508, 1949.
Article MathSciNet MATH Google Scholar
A. Weil. Jacobi sums as “Grössencharaktere.” Trans. Amer. Math. Soc., 73:487–495, 1952.
MathSciNet MATH Google Scholar
A. Weil. On algebraic groups and homogeneous spaces. Amer. J. Math., 77:493–512, 1955.
Article MathSciNet MATH Google Scholar
A. Weil. Über die Bestimmung Dirichletscher Reihen durch Funktionalgleichungen. Math. Ann., 168:149–156, 1967.
Article MathSciNet MATH Google Scholar
A. Weil. Dirichlet Series and Automorphic Forms, volume 189 of Lecture Notes in Mathematics. Springer-Verlag, 1971.
Google Scholar
E. T. Whittaker and G. N. Watson. A course of modern analysis. Cambridge Mathematical Library. Cambridge University Press, Cambridge, 1996. Reprint of the fourth (1927) edition.
Google Scholar
A. Wiles. Modular elliptic curves and Fermat’s last theorem. Ann. of Math. (2), 141(3):443–551, 1995.
Article MathSciNet MATH Google Scholar
A. Wiles. The Birch and Swinnerton-Dyer conjecture. In The millennium prize problems, pages 31–41. Clay Math. Inst., Cambridge, MA, 2006.
Google Scholar
G. Wüstholz. Recent progress in transcendence theory. In Number theory, Noordwijkerhout 1983 (Noordwijkerhout, 1983), volume 1068 of Lecture Notes in Math., pages 280–296. Springer, Berlin, 1984.
Google Scholar
G. Wüstholz. Multiplicity estimates on group varieties. Ann. of Math. (2), 129(3):471–500, 1989.
Article MathSciNet MATH Google Scholar
D. Zagier. Large integral points on elliptic curves. Math. Comp., 48(177):425–436, 1987.
Article MathSciNet MATH Google Scholar
H. G. Zimmer. On the difference of the Weil height and the Néron-Tate height. Math. Z., 147(1):35–51, 1976.
Article MathSciNet MATH Google Scholar
K. Zsigmondy. Zur Theorie der Potenzreste. Monatsh. Math., 3:265–284, 1892.
Article MathSciNet Google Scholar
P. Deligne. La conjecture de Weil. I. Inst. Hautes Études Sci. Publ. Math., (43):273–307, 1977.
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Mathematics, Brown University, 151 Thayer St., Providence, RI, 02912, USA
Joseph H. Silverman

Authors

Joseph H. Silverman
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Joseph H. Silverman .

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Silverman, J.H. (2009). Computing the Mordell–Weil Group. In: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol 106. Springer, New York, NY. https://doi.org/10.1007/978-0-387-09494-6_10

Download citation

DOI: https://doi.org/10.1007/978-0-387-09494-6_10
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-09493-9
Online ISBN: 978-0-387-09494-6
eBook Packages: Mathematics and StatisticsMathematics and Statistics (R0)

Publish with us

Policies and ethics

Computing the Mordell–Weil Group

Abstract

X.1 An Example

Theorem 1.1.

Remark 1.2.

Remark 1.3.

Proof Proof of (X.1.1).

Proposition 1.4.

Proof.

Example 1.5.

X.2 Twisting—General Theory

Definition.

Remark 2.1.

Definition.

Theorem 2.2.

Remark 2.3.

Proof.

Example 2.4.

X.3 Homogeneous Spaces

Definition.

Lemma 3.1.

Proof.

Proposition 3.2.

Proof.

Definition.

Proposition 3.3.

Proof.

Remark 3.4.

Lemma 3.5.

Proof.

Theorem 3.6.

Remark 3.6.1.

Proof.

Remark 3.7.

Theorem 3.8.

Proof.

X.4 The Selmer and Shafarevich–Tate Groups

Definition.

Remark 4.1.1.

Remark 4.1.2.

Theorem 4.2.

Proof.

Lemma 4.3.

Proof.

Corollary 4.4.

Remark 4.5.

Example 4.5.1.

Proposition 4.6.

Proof.

Remark 4.7.

Example 4.8.

Proposition 4.9.

Remark 4.9.1.

Remark 4.9.2.

Example 4.10.

Remark 4.11.

Proposition 4.12.

Proof.

Conjecture 4.13.

Theorem 4.14.

X.5 Twisting—Elliptic Curves

Proposition 5.1.

Proof.

Remark 5.2.

Proposition 5.3.

Proof.

Proposition 5.4.

Corollary 5.4.1.

Proof.

X.6 The Curve Y 2 = X 3 + DX

Proposition 6.1.

Remark 6.1.1.

Proposition 6.2.

Proof.

Corollary 6.2.1.

Proof.

Remark 6.3.

Remark 6.4.

Proposition 6.5.

Remark 6.5.1.

X.6 The Curve Y ² = X ³ + DX