Elliptic curve
Algebraic structure → Group theory Group theory 



Infinite dimensional Lie group

In mathematics, an elliptic curve is a plane algebraic curve defined by an equation of the form
which is nonsingular; that is, the curve has no cusps or selfintersections. (When the coefficient field has characteristic 2 or 3, the above equation is not quite general enough to comprise all nonsingular cubic curves; see § Elliptic curves over a general field below.)
Formally, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point O. An elliptic curve is an abelian variety – that is, it has a multiplication defined algebraically, with respect to which it is an abelian group – and O serves as the identity element. Often the curve itself, without O specified, is called an elliptic curve; the point O is often taken to be the curve's "point at infinity" in the projective plane.
If y^{2} = P(x), where P is any polynomial of degree three in x with no repeated roots, the solution set is a nonsingular plane curve of genus one, an elliptic curve. If P has degree four and is squarefree this equation again describes a plane curve of genus one; however, it has no natural choice of identity element. More generally, any algebraic curve of genus one, for example from the intersection of two quadric surfaces embedded in threedimensional projective space, is called an elliptic curve, provided that it has at least one rational point to act as the identity.
Using the theory of elliptic functions, it can be shown that elliptic curves defined over the complex numbers correspond to embeddings of the torus into the complex projective plane; the torus is also an abelian group, and in fact this correspondence is also a group isomorphism.
Elliptic curves are especially important in number theory, and constitute a major area of current research; for example, they were used in the proof, by Andrew Wiles, of Fermat's Last Theorem, they also find applications in elliptic curve cryptography (ECC) and integer factorization.
An elliptic curve is not an ellipse: see elliptic integral for the origin of the term. Topologically, a complex elliptic curve is a torus.
Contents
 1 Elliptic curves over the real numbers
 2 The group law
 3 Elliptic curves over the complex numbers
 4 Elliptic curves over the rational numbers
 5 Elliptic curves over a general field
 6 Isogeny
 7 Elliptic curves over finite fields
 8 Applications
 9 Algorithms that use elliptic curves
 10 Alternative representations of elliptic curves
 11 See also
 12 Notes
 13 References
 14 External links
Elliptic curves over the real numbers[edit]
Although the formal definition of an elliptic curve is fairly technical and requires some background in algebraic geometry, it is possible to describe some features of elliptic curves over the real numbers using only introductory algebra and geometry.
In this context, an elliptic curve is a plane curve defined by an equation of the form
where a and b are real numbers. This type of equation is called a Weierstrass equation.
The definition of elliptic curve also requires that the curve be nonsingular. Geometrically, this means that the graph has no cusps, selfintersections, or isolated points. Algebraically, this holds if and only if the discriminant
is not equal to zero. (Although the factor −16 is irrelevant to whether or not the curve is nonsingular, this definition of the discriminant is useful in a more advanced study of elliptic curves.)
The (real) graph of a nonsingular curve has two components if its discriminant is positive, and one component if it is negative. For example, in the graphs shown in figure to the right, the discriminant in the first case is 64, and in the second case is −368.
The group law[edit]
When working in the projective plane, we can define a group structure on any smooth cubic curve. In Weierstrass normal form, such a curve will have an additional point at infinity, O, at the homogeneous coordinates [0:1:0] which serves as the identity of the group.
Since the curve is symmetrical about the xaxis, given any point P, we can take −P to be the point opposite it. We take −O to be just O.
If P and Q are two points on the curve, then we can uniquely describe a third point, P + Q, in the following way. First, draw the line that intersects P and Q; this will generally intersect the cubic at a third point, R. We then take P + Q to be −R, the point opposite R.
This definition for addition works except in a few special cases related to the point at infinity and intersection multiplicity; the first is when one of the points is O. Here, we define P + O = P = O + P, making O the identity of the group. Next, if P and Q are opposites of each other, we define P + Q = O. Lastly, if P = Q we only have one point, thus we can't define the line between them. In this case, we use the tangent line to the curve at this point as our line. In most cases, the tangent will intersect a second point R and we can take its opposite. However, if P happens to be an inflection point (a point where the concavity of the curve changes), we take R to be P itself and P + P is simply the point opposite itself.
For a cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identity O. In the projective plane, each line will intersect a cubic at three points when accounting for multiplicity. For a point P, −P is defined as the unique third point on the line passing through O and P. Then, for any P and Q, P + Q is defined as −R where R is the unique third point on the line containing P and Q.
Let K be a field over which the curve is defined (i.e., the coefficients of the defining equation or equations of the curve are in K) and denote the curve by E. Then the Krational points of E are the points on E whose coordinates all lie in K, including the point at infinity; the set of Krational points is denoted by E(K). It, too, forms a group, because properties of polynomial equations show that if P is in E(K), then −P is also in E(K), and if two of P, Q, and R are in E(K), then so is the third. Additionally, if K is a subfield of L, then E(K) is a subgroup of E(L).
The above group can be described algebraically as well as geometrically. Given the curve y^{2} = x^{3} + ax + b over the field K (whose characteristic we assume to be neither 2 nor 3), and points P = (x_{P}, y_{P}) and Q = (x_{Q}, y_{Q}) on the curve, assume first that x_{P} ≠ x_{Q} (first pane below). Let y = sx + d be the line that intersects P and Q, which has the following slope:
Since K is a field, s is welldefined; the line equation and the curve equation have an identical y in the points x_{P}, x_{Q}, and x_{R}.
which is equivalent to . We know that this equation has its roots in exactly the same xvalues as
We equate the coefficient for x^{2} and solve for x_{R}. y_{R} follows from the line equation. This defines R = (x_{R}, y_{R}) = −(P + Q) with
If x_{P} = x_{Q}, then there are two options: if y_{P} = −y_{Q} (third and fourth panes below), including the case where y_{P} = y_{Q} = 0 (fourth pane), then the sum is defined as 0; thus, the inverse of each point on the curve is found by reflecting it across the xaxis. If y_{P} = y_{Q} ≠ 0, then Q = P and R = (x_{R}, y_{R}) = −(P + P) = −2P = −2Q (second pane below with P shown for R) is given by
Elliptic curves over the complex numbers[edit]
The formulation of elliptic curves as the embedding of a torus in the complex projective plane follows naturally from a curious property of Weierstrass's elliptic functions; these functions and their first derivative are related by the formula
Here, g_{2} and g_{3} are constants; is the Weierstrass elliptic function and its derivative. It should be clear that this relation is in the form of an elliptic curve (over the complex numbers); the Weierstrass functions are doubly periodic; that is, they are periodic with respect to a lattice Λ; in essence, the Weierstrass functions are naturally defined on a torus T = C/Λ. This torus may be embedded in the complex projective plane by means of the map
This map is a group isomorphism of the torus (considered with its natural group structure) with the chordandtangent group law on the cubic curve which is the image of this map, it is also an isomorphism of Riemann surfaces from the torus to the cubic curve, so topologically, an elliptic curve is a torus. If the lattice Λ is related by multiplication by a nonzero complex number c to a lattice cΛ, then the corresponding curves are isomorphic. Isomorphism classes of elliptic curves are specified by the jinvariant.
The isomorphism classes can be understood in a simpler way as well; the constants g_{2} and g_{3}, called the modular invariants, are uniquely determined by the lattice, that is, by the structure of the torus. However, the complex numbers form the splitting field for polynomials with real coefficients, and so the elliptic curve may be written as
One finds that
and
so that the modular discriminant is
Here, λ is sometimes called the modular lambda function.
Note that the uniformization theorem implies that every compact Riemann surface of genus one can be represented as a torus.
This also allows an easy understanding of the torsion points on an elliptic curve: if the lattice Λ is spanned by the fundamental periods ω_{1} and ω_{2}, then the ntorsion points are the (equivalence classes of) points of the form
for a and b integers in the range from 0 to n−1.
Over the complex numbers, every elliptic curve has nine inflection points; every line through two of these points also passes through a third inflection point; the nine points and 12 lines formed in this way form a realization of the Hesse configuration.
Elliptic curves over the rational numbers[edit]
A curve E defined over the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied to E; the explicit formulae show that the sum of two points P and Q with rational coordinates has again rational coordinates, since the line joining P and Q has rational coefficients. This way, one shows that the set of rational points of E forms a subgroup of the group of real points of E; as this group, it is an abelian group, that is, P + Q = Q + P.
The structure of rational points[edit]
The most important result is that all points can be constructed by the method of tangents and secants starting with a finite number of points. More precisely^{[1]} the Mordell–Weil theorem states that the group E(Q) is a finitely generated (abelian) group. By the fundamental theorem of finitely generated abelian groups it is therefore a finite direct sum of copies of Z and finite cyclic groups.
The proof of that theorem^{[2]} rests on two ingredients: first, one shows that for any integer m > 1, the quotient group E(Q)/mE(Q) is finite (weak Mordell–Weil theorem). Second, introducing a height function h on the rational points E(Q) defined by h(P_{0}) = 0 and h(P) = log max(p, q) if P (unequal to the point at infinity P_{0}) has as abscissa the rational number x = p/q (with coprime p and q). This height function h has the property that h(mP) grows roughly like the square of m. Moreover, only finitely many rational points with height smaller than any constant exist on E.
The proof of the theorem is thus a variant of the method of infinite descent^{[3]} and relies on the repeated application of Euclidean divisions on E: let P ∈ E(Q) be a rational point on the curve, writing P as the sum 2P_{1} + Q_{1} where Q_{1} is a fixed representant of P in E(Q)/2E(Q), the height of P_{1} is about 1/4 of the one of P (more generally, replacing 2 by any m > 1, and 1/4 by 1/m^{2}). Redoing the same with P_{1}, that is to say P_{1} = 2P_{2} + Q_{2}, then P_{2} = 2P_{3} + Q_{3}, etc. finally expresses P as an integral linear combination of points Q_{i} and of points whose height is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height function P is thus expressed as an integral linear combination of a finite number of fixed points.
So far, the theorem is not effective since there is no known general procedure for determining the representants of E(Q)/mE(Q).
The rank of E(Q), that is the number of copies of Z in E(Q) or, equivalently, the number of independent points of infinite order, is called the rank of E. The Birch and SwinnertonDyer conjecture is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known; the elliptic curve with biggest exactly known rank is
 y^{2} + xy + y = x^{3} − x^{2} + 31368015812338065133318565292206590792820353345x + 302038802698566087335643188429543498624522041683874493555186062568159847
It has rank 19, found by Noam Elkies in 2009.^{[4]} Curves of rank at least 28 are known, but their rank is not exactly known.
As for the groups constituting the torsion subgroup of E(Q), the following is known:^{[5]} the torsion subgroup of E(Q) is one of the 15 following groups (a theorem due to Barry Mazur): Z/NZ for N = 1, 2, ..., 10, or 12, or Z/2Z × Z/2NZ with N = 1, 2, 3, 4. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups over Q have the same torsion groups belong to a parametrized family.^{[6]}
The Birch and SwinnertonDyer conjecture[edit]
The Birch and SwinnertonDyer conjecture (BSD) is one of the Millennium problems of the Clay Mathematics Institute; the conjecture relies on analytic and arithmetic objects defined by the elliptic curve in question.
At the analytic side, an important ingredient is a function of a complex variable, L, the Hasse–Weil zeta function of E over Q. This function is a variant of the Riemann zeta function and Dirichlet Lfunctions, it is defined as an Euler product, with one factor for every prime number p.
For a curve E over Q given by a minimal equation
with integral coefficients , reducing the coefficients modulo p defines an elliptic curve over the finite field F_{p} (except for a finite number of primes p, where the reduced curve has a singularity and thus fails to be elliptic, in which case E is said to be of bad reduction at p).
The zeta function of an elliptic curve over a finite field F_{p} is, in some sense, a generating function assembling the information of the number of points of E with values in the finite field extensions F_{pn} of F_{p}. It is given by^{[7]}
The interior sum of the exponential resembles the development of the logarithm and, in fact, the sodefined zeta function is a rational function:
where the 'trace of Frobenius' term^{[8]} is defined to be the (negative of) the difference between the number of points on the elliptic curve over and the 'expected' number , viz.:
Two points to note about this quantity: (i) DO NOT confuse these with the in the definition of the curve above: this is just an unfortunate clash of notation; (ii) we may define the same quantities and functions over an arbitrary finite field of characteristic , with replacing everywhere.
The Hasse–Weil zeta function of E over Q is then defined by collecting this information together, for all primes p. It is defined by
where ε(p) = 1 if E has good reduction at p and 0 otherwise (in which case a_{p} is defined differently from the method above: see Silverman (1986) below).
This product converges for Re(s) > 3/2 only. Hasse's conjecture affirms that the Lfunction admits an analytic continuation to the whole complex plane and satisfies a functional equation relating, for any s, L(E, s) to L(E, 2 − s). In 1999 this was shown to be a consequence of the proof of the Shimura–Taniyama–Weil conjecture, which asserts that every elliptic curve over Q is a modular curve, which implies that its Lfunction is the Lfunction of a modular form whose analytic continuation is known.
One can therefore speak about the values of L(E, s) at any complex number s; the Birch–SwinnertonDyer conjecture relates the arithmetic of the curve to the behavior of its Lfunction at s = 1. More precisely, it affirms that the order of the Lfunction at s = 1 equals the rank of E and predicts the leading term of the Laurent series of L(E, s) at that point in terms of several quantities attached to the elliptic curve.
Much like the Riemann hypothesis, this conjecture has multiple consequences, including the following two:
 Let n be an odd squarefree integer. Assuming the Birch and SwinnertonDyer conjecture, n is the area of a right triangle with rational side lengths (a congruent number) if and only if the number of triplets of integers (x, y, z) satisfying is twice the number of triples satisfying . This statement, due to Tunnell, is related to the fact that n is a congruent number if and only if the elliptic curve has a rational point of infinite order (thus, under the Birch and SwinnertonDyer conjecture, its Lfunction has a zero at 1). The interest in this statement is that the condition is easily verified.^{[9]}
 In a different direction, certain analytic methods allow for an estimation of the order of zero in the center of the critical strip of families of Lfunctions. Admitting the BSD conjecture, these estimations correspond to information about the rank of families of elliptic curves in question. For example: assuming the generalized Riemann hypothesis and the BSD conjecture, the average rank of curves given by is smaller than 2.^{[10]}
The modularity theorem and its application to Fermat's Last Theorem[edit]
The modularity theorem, once known as the Taniyama–Shimura–Weil conjecture, states that every elliptic curve E over Q is a modular curve, that is to say, its Hasse–Weil zeta function is the Lfunction of a modular form of weight 2 and level N, where N is the conductor of E (an integer divisible by the same prime numbers as the discriminant of E, Δ(E).) In other words, if, for Re(s) > 3/2, one writes the Lfunction in the form
the expression
defines a parabolic modular newform of weight 2 and level N. For prime numbers ℓ not dividing N, the coefficient a(ℓ) of the form equals ℓ minus the number of solutions of the minimal equation of the curve modulo ℓ.
For example,^{[11]} to the elliptic curve with discriminant (and conductor) 37, is associated the form
For prime numbers ℓ not equal to 37, one can verify the property about the coefficients. Thus, for ℓ = 3, there are 6 solutions of the equation modulo 3: (0, 0), (0, 1), (2, 0), (1, 0), (1, 1), (2, 1); thus a(3) = 3 − 6 = −3.
The conjecture, going back to the 1950s, was completely proven by 1999 using ideas of Andrew Wiles, who proved it in 1994 for a large family of elliptic curves.^{[12]}
There are several formulations of the conjecture. Showing that they are equivalent is difficult and was a main topic of number theory in the second half of the 20th century; the modularity of an elliptic curve E of conductor N can be expressed also by saying that there is a nonconstant rational map defined over Q, from the modular curve X_{0}(N) to E. In particular, the points of E can be parametrized by modular functions.
For example, a modular parametrization of the curve is given by^{[13]}
where, as above, q = exp(2πiz). The functions x(z) and y(z) are modular of weight 0 and level 37; in other words they are meromorphic, defined on the upper halfplane Im(z) > 0 and satisfy
and likewise for y(z) for all integers a, b, c, d with ad − bc = 1 and 37c.
Another formulation depends on the comparison of Galois representations attached on the one hand to elliptic curves, and on the other hand to modular forms; the latter formulation has been used in the proof the conjecture. Dealing with the level of the forms (and the connection to the conductor of the curve) is particularly delicate.
The most spectacular application of the conjecture is the proof of Fermat's Last Theorem (FLT). Suppose that for a prime p ≥ 5, the Fermat equation
has a solution with nonzero integers, hence a counterexample to FLT. Then as Yves Hellegouarch was the first to notice,^{[14]} the elliptic curve
of discriminant
cannot be modular.^{[15]} Thus, the proof of the Taniyama–Shimura–Weil conjecture for this family of elliptic curves (called Hellegouarch–Frey curves) implies FLT; the proof of the link between these two statements, based on an idea of Gerhard Frey (1985), is difficult and technical. It was established by Kenneth Ribet in 1987.^{[16]}
Integral points[edit]
This section is concerned with points P = (x, y) of E such that x is an integer;^{[17]} the following theorem is due to C. L. Siegel: the set of points P = (x, y) of E(Q) such that x is an integer is finite. This theorem can be generalized to points whose x coordinate has a denominator divisible only by a fixed finite set of prime numbers.
The theorem can be formulated effectively. For example,^{[18]} if the Weierstrass equation of E has integer coefficients bounded by a constant H, the coordinates (x, y) of a point of E with both x and y integer satisfy:
For example, the equation y^{2} = x^{3} + 17 has eight integral solutions with y > 0 :^{[19]}
 (x, y) = (−1, 4), (−2, 3), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), (5234, 378661).
As another example, Ljunggren's equation, a curve whose Weierstrass form is y^{2} = x^{3} − 2x, has only four solutions with y ≥ 0 :^{[20]}
 (x, y) = (0, 0), (−1, 1), (2, 2), (338, 6214).
Generalization to number fields[edit]
Many of the preceding results remain valid when the field of definition of E is a number field K, that is to say, a finite field extension of Q. In particular, the group E(K) of Krational points of an elliptic curve E defined over K is finitely generated, which generalizes the Mordell–Weil theorem above. A theorem due to Loïc Merel shows that for a given integer d, there are (up to isomorphism) only finitely many groups that can occur as the torsion groups of E(K) for an elliptic curve defined over a number field K of degree d. More precisely,^{[21]} there is a number B(d) such that for any elliptic curve E defined over a number field K of degree d, any torsion point of E(K) is of order less than B(d); the theorem is effective: for d > 1, if a torsion point is of order p, with p prime, then
As for the integral points, Siegel's theorem generalizes to the following: Let E be an elliptic curve defined over a number field K, x and y the Weierstrass coordinates. Then there are only finitely many points of E(K) whose xcoordinate is in the ring of integers O_{K}.
The properties of the Hasse–Weil zeta function and the Birch and SwinnertonDyer conjecture can also be extended to this more general situation.
Elliptic curves over a general field[edit]
Elliptic curves can be defined over any field K; the formal definition of an elliptic curve is a nonsingular projective algebraic curve over K with genus 1 and endowed with a distinguished point defined over K.
If the characteristic of K is neither 2 nor 3, then every elliptic curve over K can be written in the form
where p and q are elements of K such that the right hand side polynomial x^{3} − px − q does not have any double roots. If the characteristic is 2 or 3, then more terms need to be kept: in characteristic 3, the most general equation is of the form
for arbitrary constants b_{2}, b_{4}, b_{6} such that the polynomial on the righthand side has distinct roots (the notation is chosen for historical reasons). In characteristic 2, even this much is not possible, and the most general equation is
provided that the variety it defines is nonsingular. If characteristic were not an obstruction, each equation would reduce to the previous ones by a suitable change of variables.
One typically takes the curve to be the set of all points (x,y) which satisfy the above equation and such that both x and y are elements of the algebraic closure of K. Points of the curve whose coordinates both belong to K are called Krational points.
Isogeny[edit]
Let E and D be elliptic curves over a field k. An isogeny between E and D is a finite morphism f : E → D of varieties that preserves basepoints (in other words, maps the given point on E to that on D).
The two curves are called isogenous if there is an isogeny between them; this is an equivalence relation, symmetry being due to the existence of the dual isogeny. Every isogeny is an algebraic homomorphism and thus induces homomorphisms of the groups of the elliptic curves for kvalued points.
Elliptic curves over finite fields[edit]
Let K = F_{q} be the finite field with q elements and E an elliptic curve defined over K. While the precise number of rational points of an elliptic curve E over K is in general rather difficult to compute, Hasse's theorem on elliptic curves gives us, including the point at infinity, the following estimate:
In other words, the number of points of the curve grows roughly as the number of elements in the field; this fact can be understood and proven with the help of some general theory; see local zeta function, Étale cohomology.
The set of points E(F_{q}) is a finite abelian group. It is always cyclic or the product of two cyclic groups.^{[further explanation needed]} For example,^{[22]} the curve defined by
over F_{71} has 72 points (71 affine points including (0,0) and one point at infinity) over this field, whose group structure is given by Z/2Z × Z/36Z. The number of points on a specific curve can be computed with Schoof's algorithm.
Studying the curve over the field extensions of F_{q} is facilitated by the introduction of the local zeta function of E over F_{q}, defined by a generating series (also see above)
where the field K_{n} is the (unique up to isomorphism) extension of K = F_{q} of degree n (that is, F_{qn}). The zeta function is a rational function in T. There is an integer a such that
Moreover,
with complex numbers α, β of absolute value . This result is a special case of the Weil conjectures. For example,^{[23]} the zeta function of E : y^{2} + y = x^{3} over the field F_{2} is given by
this follows from:
The Sato–Tate conjecture is a statement about how the error term in Hasse's theorem varies with the different primes q, if an elliptic curve E over Q is reduced modulo q. It was proven (for almost all such curves) in 2006 due to the results of Taylor, Harris and ShepherdBarron,^{[24]} and says that the error terms are equidistributed.
Elliptic curves over finite fields are notably applied in cryptography and for the factorization of large integers; these algorithms often make use of the group structure on the points of E. Algorithms that are applicable to general groups, for example the group of invertible elements in finite fields, F*_{q}, can thus be applied to the group of points on an elliptic curve. For example, the discrete logarithm is such an algorithm; the interest in this is that choosing an elliptic curve allows for more flexibility than choosing q (and thus the group of units in F_{q}). Also, the group structure of elliptic curves is generally more complicated.
Applications[edit]
Algorithms that use elliptic curves[edit]
Elliptic curves over finite fields are used in some cryptographic applications as well as for integer factorization. Typically, the general idea in these applications is that a known algorithm which makes use of certain finite groups is rewritten to use the groups of rational points of elliptic curves. For more see also:
 Elliptic curve cryptography
 Ellipticcurve Diffie–Hellman
 Elliptic Curve Digital Signature Algorithm
 EdDSA
 Dual_EC_DRBG
 Lenstra ellipticcurve factorization
 Elliptic curve primality proving
 Supersingular isogeny key exchange
Alternative representations of elliptic curves[edit]
 Hessian curve
 Edwards curve
 Twisted curve
 Twisted Hessian curve
 Twisted Edwards curve
 Doublingoriented Doche–Icart–Kohel curve
 Triplingoriented Doche–Icart–Kohel curve
 Jacobian curve
 Montgomery curve
See also[edit]
 Riemann–Hurwitz formula
 Nagell–Lutz theorem
 Arithmetic dynamics
 Elliptic surface
 Comparison of computer algebra systems
 jline
 Elliptic algebra
 Complex multiplication
Notes[edit]
 ^ Silverman 1986, Theorem 4.1
 ^ Silverman 1986, pp. 199–205
 ^ See also J. W. S. Cassels, Mordell's Finite Basis Theorem Revisited, Mathematical Proceedings of the Cambridge Philosophical Society 100, 3–41 and the comment of A. Weil on the genesis of his work: A. Weil, Collected Papers, vol. 1, 520–521.
 ^ Dujella, Andrej. "History of elliptic curves rank records". University of Zagreb.
 ^ Silverman 1986, Theorem 7.5
 ^ Silverman 1986, Remark 7.8 in Ch. VIII
 ^ The definition is formal, the exponential of this power series without constant term denotes the usual development.
 ^ see for example Silverman, Joseph H. (2006). "An Introduction to the Theory of Elliptic Curves" (PDF). Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming.
 ^ Koblitz 1993
 ^ HeathBrown, D. R. (2004). "The Average Analytic Rank of Elliptic Curves". Duke Mathematical Journal. 122 (3): 591–623. arXiv:math/0305114. doi:10.1215/S0012709404122353.
 ^ For the calculations, see for example Zagier 1985, pp. 225–248
 ^ A synthetic presentation (in French) of the main ideas can be found in this Bourbaki article of JeanPierre Serre. For more details see Hellegouarch 2001
 ^ Zagier, D. (1985). "Modular points, modular curves, modular surfaces and modular forms". Arbeitstagung Bonn 1984. Lecture Notes in Mathematics. 1111. Springer. pp. 225–248. doi:10.1007/BFb0084592. ISBN 9783540392989.
 ^ Hellegouarch, Yves (1974). "Points d'ordre 2p^{h} sur les courbes elliptiques" (PDF). Polska Akademia Nauk. Instytut Matematyczny. Acta Arithmetica. 26 (3): 253–263. doi:10.4064/aa263253263. ISSN 00651036. MR 0379507.
 ^ Ribet, Ken (1990). "On modular representations of Gal(Q/Q) arising from modular forms" (PDF). Inventiones Mathematicae. 100 (2): 431–476. doi:10.1007/BF01231195. hdl:10338.dmlcz/147454. MR 1047143.
 ^ See the survey of Ribet, K. (1990). "From the Taniyama–Shimura conjecture to Fermat's Last Theorem". Annales de la Faculté des sciences de Toulouse. 11: 116–139. doi:10.5802/afst.698.
 ^ Silverman 1986, Chapter IX
 ^ Silverman 1986, Theorem IX.5.8., due to Baker.
 ^ T. Nagell, L'analyse indéterminée de degré supérieur, Mémorial des sciences mathématiques 39, Paris, GauthierVillars, 1929, pp. 56–59.
 ^ Siksek, Samir (1995), Descents on Curves of Genus 1 (Ph.D. thesis), University of Exeter, pp. 16–17, hdl:10871/8323.
 ^ Merel, L. (1996). "Bornes pour la torsion des courbes elliptiques sur les corps de nombres". Inventiones Mathematicae (in French). 124 (1–3): 437–449. Bibcode:1996InMat.124..437M. doi:10.1007/s002220050059. Zbl 0936.11037.
 ^ See Koblitz 1994, p. 158
 ^ Koblitz 1994, p. 160
 ^ Harris, M.; ShepherdBarron, N.; Taylor, R. (2010). "A family of Calabi–Yau varieties and potential automorphy". Annals of Mathematics. 171 (2): 779–813. doi:10.4007/annals.2010.171.779.
References[edit]
Serge Lang, in the introduction to the book cited below, stated that "It is possible to write endlessly on elliptic curves. (This is not a threat.)" The following short list is thus at best a guide to the vast expository literature available on the theoretical, algorithmic, and cryptographic aspects of elliptic curves.
 I. Blake; G. Seroussi; N. Smart (2000). Elliptic Curves in Cryptography. LMS Lecture Notes. Cambridge University Press. ISBN 0521653746.
 Richard Crandall; Carl Pomerance (2001). "Chapter 7: Elliptic Curve Arithmetic". Prime Numbers: A Computational Perspective (1st ed.). SpringerVerlag. pp. 285–352. ISBN 0387947779.
 Cremona, John (1997). Algorithms for Modular Elliptic Curves (2nd ed.). Cambridge University Press. ISBN 0521598206.
 Darrel Hankerson, Alfred Menezes and Scott Vanstone (2004). Guide to Elliptic Curve Cryptography. Springer. ISBN 038795273X.
 Hardy, G. H.; Wright, E. M. (2008) [1938]. An Introduction to the Theory of Numbers. Revised by D. R. HeathBrown and J. H. Silverman. Foreword by Andrew Wiles. (6th ed.). Oxford: Oxford University Press. ISBN 9780199219865. MR 2445243. Zbl 1159.11001. Chapter XXV
 Hellegouarch, Yves (2001). Invitation aux mathématiques de FermatWiles. Paris: Dunod. ISBN 9782100055081.
 Husemöller, Dale (2004). Elliptic Curves. Graduate Texts in Mathematics. 111 (2nd ed.). Springer. ISBN 0387954902.
 Kenneth Ireland; Michael I. Rosen (1998). "Chapters 18 and 19". A Classical Introduction to Modern Number Theory. Graduate Texts in Mathematics. 84 (2nd revised ed.). Springer. ISBN 038797329X.
 Knapp, Anthony W. (2018) [1992]. Elliptic Curves. Mathematical Notes. 40. Princeton University Press. ISBN 9780691186900.
 Koblitz, Neal (1993). Introduction to Elliptic Curves and Modular Forms. Graduate Texts in Mathematics. 97 (2nd ed.). SpringerVerlag. ISBN 0387979662.
 Koblitz, Neal (1994). "Chapter 6". A Course in Number Theory and Cryptography. Graduate Texts in Mathematics. 114 (2nd ed.). SpringerVerlag. ISBN 0387942939.
 Serge Lang (1978). Elliptic curves: Diophantine analysis. Grundlehren der mathematischen Wissenschaften. 231. SpringerVerlag. ISBN 3540084894.
 Henry McKean; Victor Moll (1999). Elliptic curves: function theory, geometry and arithmetic. Cambridge University Press. ISBN 0521658179.
 Ivan Niven; Herbert S. Zuckerman; Hugh Montgomery (1991). "Section 5.7". An introduction to the theory of numbers (5th ed.). John Wiley. ISBN 0471546003.
 Silverman, Joseph H. (1986). The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. 106. SpringerVerlag. ISBN 0387962034.
 Joseph H. Silverman (1994). Advanced Topics in the Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. 151. SpringerVerlag. ISBN 0387943285.
 Joseph H. Silverman; John Tate (1992). Rational Points on Elliptic Curves. SpringerVerlag. ISBN 0387978259.
 John Tate (1974). "The arithmetic of elliptic curves". Inventiones Mathematicae. 23 (3–4): 179–206. Bibcode:1974InMat..23..179T. doi:10.1007/BF01389745.
 Lawrence Washington (2003). Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC. ISBN 1584883650.
External links[edit]
Wikimedia Commons has media related to Elliptic curve. 
Wikiquote has quotations related to: Elliptic curve 
 Hazewinkel, Michiel, ed. (2001) [1994], "Elliptic curve", Encyclopedia of Mathematics, Springer Science+Business Media B.V. / Kluwer Academic Publishers, ISBN 9781556080104
 The Mathematical Atlas: 14H52 Elliptic Curves
 Weisstein, Eric W. "Elliptic Curves". MathWorld.
 The Arithmetic of elliptic curves from PlanetMath
 Brown, Ezra (2000), "Three Fermat Trails to Elliptic Curves", The College Mathematics Journal, 31 (3): 162–172, doi:10.1080/07468342.2000.11974137, winner of the MAA writing prize the George Pólya Award
 Matlab code for implicit function plotting – can be used to plot elliptic curves.
 Interactive introduction to elliptic curves and elliptic curve cryptography with Sage by Maike Massierer and the CrypTool team
 Geometric Elliptic Curve Model (Java applet drawing curves)
 Interactive elliptic curve over R and over Zp – web application that requires HTML5 capable browser.
 Comprehensive database of Elliptic Curves over Q
This article incorporates material from Isogeny on PlanetMath, which is licensed under the Creative Commons Attribution/ShareAlike License.