undergraduate texts in mathematics978-3-319-18588...department of mathematics brown university...
TRANSCRIPT
Undergraduate Texts in Mathematics
Undergraduate Texts in Mathematics
Series Editors:
Sheldon AxlerSan Francisco State University, San Francisco, CA, USA
Kenneth RibetUniversity of California, Berkeley, CA, USA
Advisory Board:
Colin Adams, Williams CollegeDavid A. Cox, Amherst CollegePamela Gorkin, Bucknell UniversityRoger E. Howe. Yale UniversityMichael Orrison, Harvey Mudd CollegeJill Pipher, Brown UniversityFadil Santosa, University of Minnesota
Undergraduate Texts in Mathematics are generally aimed at third- and fourth-year undergraduate mathematics students at North American universities. These textsstrive to provide students and teachers with new perspectives and novel approaches.The books include motivation that guides the reader to an appreciation of interre-lations among different aspects of the subject. They feature examples that illustratekey concepts as well as exercises that strengthen understanding.
More information about this series at http://www.springer.com/series/666
Joseph H. Silverman • John T. Tate
Rational Points on EllipticCurves
Second Edition
123
Joseph H. SilvermanDepartment of MathematicsBrown UniversityProvidence, RI, USA
John T. TateDepartment of MathematicsHarvard UniversityCambridge, MA, USA
ISSN 0172-6056 ISSN 2197-5604 (electronic)Undergraduate Texts in MathematicsISBN 978-3-319-18587-3 ISBN 978-3-319-18588-0 (eBook)DOI 10.1007/978-3-319-18588-0
Library of Congress Control Number: 2015940539
Springer Cham Heidelberg New York Dordrecht London© Springer International Publishing Switzerland 1992, 2015This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part ofthe material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,broadcasting, reproduction on microfilms or in any other physical way, and transmission or informationstorage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodologynow known or hereafter developed.The use of general descriptive names, registered names, trademarks, service marks, etc. in this publicationdoes not imply, even in the absence of a specific statement, that such names are exempt from the relevantprotective laws and regulations and therefore free for general use.The publisher, the authors and the editors are safe to assume that the advice and information in this bookare believed to be true and accurate at the date of publication. Neither the publisher nor the authors or theeditors give a warranty, express or implied, with respect to the material contained herein or for any errorsor omissions that may have been made.
Printed on acid-free paper
Springer International Publishing AG Switzerland is part of Springer Science+Business Media (www.springer.com)
Preface
Preface to the Original 1992 Edition
In 1961 the second author delivered a series of lectures at Haverford Collegeon the subject of “Rational Points on Cubic Curves.” These lectures, intendedfor junior and senior mathematics majors, were recorded, transcribed, andprinted in mimeograph form. Since that time, they have been widely dis-tributed as photocopies of ever-decreasing legibility, and portions have ap-peared in various textbooks (Husemoller [25], Chahal [9]), but they havenever appeared in their entirety. In view of the recent interest in the the-ory of elliptic curves for subjects ranging from cryptography (Lenstra [30],Koblitz [27]) to physics (Luck–Moussa–Waldschmidt [31]), as well as thetremendous amount of purely mathematical activity in this area, it seems apropitious time to publish an expanded version of those original notes suit-able for presentation to an advanced undergraduate audience.
We have attempted to maintain much of the informality of the originalHaverford lecturers. Our main goal in doing this has been to write a textbookin a technically difficult field that is “readable” by the average undergraduatemathematics major. We hope that we have succeeded in this goal. The mostobvious drawback to such an approach is that we have not been entirely rig-orous in all of our proofs. In particular, much of the foundational materialon elliptic curves presented in Chapter 1 is meant to explain and convince,rather than to rigorously prove. Of course, the necessary algebraic geometrycan mostly be developed in one moderately long chapter, as we have done inAppendix A. But the emphasis of this book is on number theoretic aspects ofelliptic curves, so we feel that an informal approach to the underlying geom-etry is permissible, since it allows us more rapid access to the number theory.For those who wish to delve more deeply into the geometry, there are severalgood books on the theory of algebraic curves suitable for an undergraduate
v
vi Preface
course, such as Reid [37], Walker [57], and Brieskorn–Knorrer [8]. In thelater chapters we have generally provided all of the details for the proofs ofthe main theorems.
The original Haverford lectures make up Chapters 1, 2, 3, and the firsttwo sections of Chapter 4. In a few places we have added a small amount ofexplanatory material, references have been updated to include some discov-eries made since 1961, and a large number of exercises have been added. Butthose who have seen the original mimeographed notes will recognize that thechanges have been kept to a minimum. In particular, the emphasis is still onproving (special cases of) the fundamental theorems in the subject: (1) theNagell–Lutz theorem, which gives a precise procedure for finding all of therational points of finite order on an elliptic curve; (2) Mordell’s theorem,which says that the group of rational points on an elliptic curve is finitelygenerated; (3) a special case of Hasse’s theorem, due to Gauss, which de-scribes the number of points on an elliptic curve defined over a finite field.
In Section 4.4 we have described Lenstra’s elliptic curve algorithm for fac-toring large integers. This is one of the recent applications of elliptic curvesto the “real world,” to wit, the attempt to break certain widely used public keyciphers. We have restricted ourselves to describing the factorization algorithmitself, since there have been many popular descriptions of the correspondingciphers.1
Chapters 5 and 6 are new. Chapter 5 deals with integer points on ellipticcurves. Section 5.2 is loosely based on an IAP undergraduate lecture given bythe first author at MIT in 1983. The remaining sections of Chapter 5 contain aproof of a special case of Siegel’s theorem, which asserts that an elliptic curvehas only finitely many integral points. The proof, based on Thue’s method ofDiophantine approximation, is elementary, but intricate. However, in view ofVojta’s [56] and Faltings’ [15] recent spectacular applications of Diophantineapproximation techniques, it seems appropriate to introduce this subject atan undergraduate level. Chapter 6 gives an introduction to the theory of com-plex multiplication. Elliptic curves with complex multiplication arise in manydifferent contexts in number theory and in other areas of mathematics. Thegoal of Chapter 6 is to explain how points of finite order on elliptic curveswith complex multiplication can be used to generate extension fields withAbelian Galois groups, much as roots of unity generate Abelian extensionsof the rational numbers. For Chapter 6 only, we have assumed that the readeris familiar with the rudiments of field theory and Galois theory.
1That was what we said in the first edition, but in this second edition, we have included adiscussion of elliptic curve cryptography; see Section 4.5.
Preface vii
Finally, we have included an appendix giving an introduction to projec-tive geometry, with an especial emphasis on curves in the projective plane.The first three sections of Appendix A provide the background needed forreading the rest of the book. In Section A.4 of the appendix we give an ele-mentary proof of Bezout’s theorem, and in Section A.5, we provide a rigorousdiscussion of the reduction modulo p map and explain why it induces a ho-momorphism on the rational points of an elliptic curve.
The contents of this book should form a leisurely semester course, withsome time left over for additional topics in either algebraic geometry or num-ber theory. The first author has also used this material as a supplementaryspecial topic at the end of an undergraduate course in modern algebra, cov-ering Chapters 1, 2, and 4 (excluding Section 4.3) in about four weeks ofclass. We note that the last five chapters are essentially independent of oneanother (except Section 4.3 depends on the Nagell–Lutz theorem, proven inChapter 2). This gives the instructor maximum freedom in choosing topicsif time is short. It also allows students to read portions of the book on theirown, e.g., as a suitable project for a reading course or honors thesis. We haveincluded many exercises, ranging from easy calculations to published theo-rems. An exercise marked with a (∗) is likely to be somewhat challenging.An exercise marked with (∗∗) is either extremely difficult to solve with thematerial that we cover or is a currently unsolved problem.
It has been said that “it is possible to write endlessly on elliptic curves.”2
We heartily agree with this sentiment, but have attempted to resist succumb-ing to its blandishments. This is especially evident in our frequent decisionto prove special cases of general theorems, even when only a few additionalpages would be required to prove a more general result. Our goal throughouthas been to illuminate the coherence and the beauty of the arithmetic the-ory of elliptic curves; we happily leave the task of being encyclopedic to theauthors of more advanced monographs.
Preface to the 2015 Edition
The most important change to the new edition is the addition of two new sec-tions. In Section 4.5 we briefly discuss how and why elliptic curves are used inmodern cryptography, and in Section 6.6, we give an overview of how elliptic
2From the introduction to Elliptic Curves: Diophantine Analysis, Serge Lang, Springer-Verlag, New York, 1978. Professor Lang follows his assertion with the statement that “This isnot a threat,” indicating that he, too, has avoided the temptation to write a book of indefinitelength.
viii Preface
curves play a key role in Wiles’ proof of Fermat’s Last Theorem. We have alsotaken the opportunity to make numerous corrections, both typographical andmathematical, to add a few new problems, and to update historical materialto reflect some of the exciting advances of the past 25 years.
Electronic Resources
The interested reader will find additional material and a list of errata on theRational Points on Elliptic Curves home page:
www.math.brown.edu/˜jhs/RPECHome.html
This web page includes some of the numerical exercises in the book, allowingthe reader to cut and paste them into other programs, rather than having toretype them.
There are now many commercial and free computer packages that performcalculations of varying levels of sophistication on elliptic curves,3 including,for example,
Sage: http://www.sagemath.orgPari/GP: http://pari.math.u-bordeaux.fr
No book is ever free from error or incapable of being improved. We wouldbe delighted to receive comments, good or bad, and corrections from ourreaders. You can send mail to us at
Acknowledgments
First Edition, First Printing: The authors would like to thank Rob Gross,Emma Previato, Michael Rosen, Seth Padowitz, Chris Towse, Paul vanMulbregt, Eileen O’Sullivan, and the students of Math 153 (especially JeffAchter and Jeff Humphrey) for reading and providing corrections to theoriginal draft. They would also like to thank Davide Cervone for producingbeautiful illustrations from their original jagged diagrams.
The first author owes a tremendous debt of gratitude to Susan for herpatience and understanding, to Debby for her fluorescent attire brightening up
3This was not the case when the first edition of this book appeared in 1992, at which timethe first author had created a small stand-alone application for Macintosh computers and asomewhat more highly featured set of routines for Mathematica. These antique packages areno longer available.
Preface ix
the days, to Danny for his unfailing good humor, and to Jonathan for takingtimely naps during critical stages in the preparation of this manuscript.
The second author would like to thank Louis Solomon for the invitationto deliver the Philips Lectures at Haverford College in the Spring of 1961.
Providence, USA Joseph H. SilvermanCambridge, USA John T. TateMarch 27, 1992
First Edition (Second Printing) and Second Edition: We, the authors,would like the thank the following individuals for sending comments andcorrections: G. Allison, T. Anderson, P. Berman, D. Appleby, K. Bender,G. Bender, A. Berkovich, J. Blumenstein, P. de Boor, J. Brillhart, D. Clausen,S. Datta, Z. Fang, D. Freeman, L. Goldberg, F. Goldstein, A. Guth, D. Gupta,A. Granville, R. Hoibakk, I. Igusic, M. Kida, P. Kahn, J. Kraft, C. Levesque,B. Levin, J. Lipman, R. Lipes, A. Mazel-Gee, M. Mossinghoff, K. Nolish,B. Pelz, R. Pennington, R. Pries, A. Rajan, K. Ribet, M. Reid, H. Rose,L. Gomez-Sanchez, R. Schwartz, D. Schwein J.-P. Serre, M. Szydlo,L. Tartar, J. Tobey, R. Urian, C.R. Videla, J. Wendel, A. Ziv.
Providence, USA Joseph H. SilvermanCambridge, USA John T. TateMarch 27, 2015
Contents
Preface v
Introduction xv
1 Geometry and Arithmetic 11.1 Rational Points on Conics . . . . . . . . . . . . . . . . . . . 11.2 The Geometry of Cubic Curves . . . . . . . . . . . . . . . . 81.3 Weierstrass Normal Form . . . . . . . . . . . . . . . . . . . 161.4 Explicit Formulas for the Group Law . . . . . . . . . . . . . 23Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2 Points of Finite Order 352.1 Points of Order Two and Three . . . . . . . . . . . . . . . . 352.2 Real and Complex Points on Cubic Curves . . . . . . . . . . 382.3 The Discriminant . . . . . . . . . . . . . . . . . . . . . . . 452.4 Points of Finite Order Have Integer Coordinates . . . . . . . 472.5 The Nagell–Lutz Theorem and Further Developments . . . . 56Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3 The Group of Rational Points 653.1 Heights and Descent . . . . . . . . . . . . . . . . . . . . . 653.2 The Height of P + P0 . . . . . . . . . . . . . . . . . . . . . 713.3 The Height of 2P . . . . . . . . . . . . . . . . . . . . . . . 753.4 A Useful Homomorphism . . . . . . . . . . . . . . . . . . . 803.5 Mordell’s Theorem . . . . . . . . . . . . . . . . . . . . . . 88
xi
xii Contents
3.6 Examples and Further Developments . . . . . . . . . . . . . 953.7 Singular Cubic Curves . . . . . . . . . . . . . . . . . . . . 106Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4 Cubic Curves over Finite Fields 1174.1 Rational Points over Finite Fields . . . . . . . . . . . . . . . 1174.2 A Theorem of Gauss . . . . . . . . . . . . . . . . . . . . . 1214.3 Points of Finite Order Revisited . . . . . . . . . . . . . . . 1334.4 A Factorization Algorithm Using Elliptic Curves . . . . . . 1394.5 Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . 152Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
5 Integer Points on Cubic Curves 1675.1 How Many Integer Points? . . . . . . . . . . . . . . . . . . 1675.2 Taxicabs and Sums of Two Cubes . . . . . . . . . . . . . . 1705.3 Thue’s Theorem and Diophantine Approximation . . . . . . 1765.4 Construction of an Auxiliary Polynomial . . . . . . . . . . . 1825.5 The Auxiliary Polynomial Is Small . . . . . . . . . . . . . . 1905.6 The Auxiliary Polynomial Does Not Vanish . . . . . . . . . 1935.7 Proof of the Diophantine Approximation Theorem . . . . . . 1975.8 Further Developments . . . . . . . . . . . . . . . . . . . . . 200Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
6 Complex Multiplication 2076.1 Abelian Extensions of Q . . . . . . . . . . . . . . . . . . . 2076.2 Algebraic Points on Cubic Curves . . . . . . . . . . . . . . 2136.3 A Galois Representation . . . . . . . . . . . . . . . . . . . 2216.4 Complex Multiplication . . . . . . . . . . . . . . . . . . . . 2306.5 Abelian Extensions of Q(i) . . . . . . . . . . . . . . . . . . 2356.6 Elliptic Curves and Fermat’s Last Theorem . . . . . . . . . 245Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
A Projective Geometry 265A.1 Homogeneous Coordinates and the Projective Plane . . . . . 265A.2 Curves in the Projective Plane . . . . . . . . . . . . . . . . 271A.3 Intersections of Projective Curves . . . . . . . . . . . . . . 280
Contents xiii
A.4 Intersection Multiplicities and a Proof of Bezout’sTheorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
A.5 Reduction Modulo p . . . . . . . . . . . . . . . . . . . . . 302Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
B Transformation to Weierstrass Form 311
List of Notation 315
References 317
Index 323
Introduction
The theory of Diophantine equations is that branch of number theory thatdeals with the solution of polynomial equations in either integers or rationalnumbers. The subject itself is named after one of the greatest of the ancientGreek algebraists, Diophantus of Alexandria,4 who formulated and solvedmany such problems.
Most readers will undoubtedly be familiar with Fermat’s Last Theorem.This theorem, which Fermat stated in the seventeenth century, says that ifn ≥ 3 is an integer, then the equation
Xn + Y n = Zn
has no solutions in nonzero integers X, Y , and Z . Equivalently, it asserts thatthe only solutions in rational numbers to the equation
xn + yn = 1
are those with either x = 0 or y = 0.5
4Diophantus lived sometime before the third century AD. He wrote the Arithmetica, atreatise on algebra and number theory in 13 volumes, of which 6 volumes have survived.
5In the first edition of this book in 1992, we noted that Fermat’s Last Theorem was aconjecture, not a theorem. Fermat wrote his “theorem” as a marginal note in his copy ofDiophantus’ Arithmetica, but also wrote that the margin was unfortunately too small for himto write down the proof. And for 350 years, no one managed to find a proof. However, thisall changed in 1995, when Andrew Wiles, with assistance from Richard Taylor on one point,proved Fermat’s assertion [53, 60]. We will have more to say about Wiles’ proof, which isintimately connected with the theory of elliptic curves, in Section 6.6.
xv
xvi Introduction
As another example of a Diophantine equation, we consider the problemof writing an integer as the difference of a square and a cube. In other words,we fix an integer c ∈ Z and look for solutions to the Diophantine equation6
y2 − x3 = c.
Suppose that we are interested in solution in rational numbers x, y ∈ Q. Anamazing property of this equation is the existence of a duplication formula,discovered by Bachet in 1621. If (x, y) is a solution with x and y rational andy �= 0, then it is not hard to check that the pair
(x4 − 8cx
4y2,−x6 − 20cx3 + 8c2
8y3
)
is a solution in rational numbers to the same equation. Further, it is possibleto prove, although Bachet was unable to do so, that if c /∈ {1,−432} andif the original solution satisfies xy �= 0, then repeating this process leads toinfinitely many distinct solutions. So except for 1 and −432, if an integer canbe expressed as the difference of a square and a cube using nonzero rationalnumbers, then it can be so expressed in infinitely many ways. For example, ifwe start with the solution (3, 5) to the equation
y2 − x3 = −2
and apply Bachet’s duplication formula, we find a sequence of solutions thatstarts
(3, 5),
(129
102,−383
103
),
(2340922881
76602,113259286337279
76603
), . . . .
As you can see, the numerators and denominators rapidly become extremelylarge.
Next we’ll take the same equation,
y2 − x3 = c,
and ask for solutions in integers x, y,∈ Z. In the 1650s Fermat posed asa challenge to the English mathematical community the problem of show-ing that the equation y2 − x3 = −2 has only two solutions in integers,
6This equation is sometimes called Bachet’s equation, after the seventeenth-century math-ematician who originally discovered the duplication formula. It is also known as Mordell’sequation, in honor of the twentieth-century mathematician L.J. Mordell, who made funda-mental contributions to the solution of this and many similar Diophantine equations. We willprove a special case of Mordell’s theorem in Chapter 3.
Introduction xvii
(1 , 0)
(0 , 1)
(1 , 0)
(0 , 1)
(−1, 0)
(0 ,−1)
Figure 1: The Fermat curves x4 + y4 = 1 and x5 + y5 = 1
namely, (3,±5). This is in marked contrast to the question of solutions inrational numbers, since we have just seen that there are infinitely many ofthose. None of Fermat’s contemporaries appears to have solved the problem,which was given an incomplete solution by Euler in the 1730s and a correctproof 150 years later! Then in 1908, Axel Thue7 made a tremendous break-through; he showed that for any nonzero integer c, the equation y2 − x3 = chas only finitely many solutions in integers x and y. This is a tremendous(qualitative) generalization of Fermat’s challenge problem, since it says thatamong the potentially infinitely many solutions in rational numbers, onlyfinitely many of them can be in integers.
The seventeenth century witnessed Descartes’ introduction of coordinatesinto geometry, a revolutionary development that allowed geometric problemsto be solved algebraically and algebraic problems to be studied geometri-cally. For example, if n is even, then the real solutions to Fermat’s equa-tion xn + yn = 1 in the xy-plane form a geometric object that looks like asquashed circle. Fermat’s theorem is then equivalent to the assertion that theonly points on that squashed circle having rational coordinates are the fourpoints (±1, 0) and (0,±1). The Fermat equations with odd exponents look abit different. We have illustrated the Fermat curves with exponents 4 and 5 inFigure 1.
7Axel Thue made important contributions to the theory of Diophantine equations, es-pecially to the problem of showing that certain equations have only finitely many solutionsin integers. These theorems about integer solutions were generalized by C.L. Siegel duringthe 1920s and 1930s. We will prove a version of the Thue–Siegel theorem, actually a specialcase of Thue’s original result, in Chapter 5.
xviii Introduction
P
Q
Figure 2: Bachet’s equation y2 − x3 = c
Similarly, we can look at Bachet’s equation y2 − x3 = c, which we havegraphed in Figure 2. Recall that Bachet discovered a duplication formulawhich he used to take a given rational solution and produce a new rationalsolution. Bachet’s formula is rather complicated, and one might wonder fromwhence it comes. The answer is that it comes from geometry! Thus supposethat we let P = (x, y) be our original solution, so P is a point on the curveas illustrated in Figure 2. Next we draw the tangent line to the curve at thepoint P , an easy exercise for a first semester calculus course.8 This tangentline will intersect the curve in one further point, which we have labeled Q.Then, if you work out the algebra to calculate the coordinates of Q, you willfind Bachet’s duplication formula. So Bachet’s complicated algebraic formulahas a simple geometric interpretation in terms of the intersection of a tangentline with a curve. This is our first intimation of the fruitful interplay that ispossible among algebra, number theory, and geometry.
The simplest sort of Diophantine equation is a polynomial equation in onevariable,
anxn + an−1x
n−1 + · · · + a1x+ a0 = 0.
Assuming that a0, . . . , an are integers, how can we find all integer and all ra-tional solutions? Gauss’ lemma provides a simple answer. If p/q is a rationalsolution written in lowest terms, then Gauss’ lemma tells us that q divides anand p divides a0. This gives us a small list of possible rational solutions, and
8Of course, Bachet had neither calculus nor analytic geometry, so he probably discoveredhis formula by clever algebraic manipulation.
Introduction xix
we can substitute each of them into the equation to determine the actual solu-tions. So Diophantine equations in one variable are easy.9
When we move to Diophantine equations in two variables, the situationchanges dramatically. Suppose we take a polynomial f(x, y) with integer co-efficients and look at the equation
f(x, y) = 0.
For example, Fermat’s and Bachet’s equations have this form. Here are somenatural questions that we might ask:
(a) Are there any solutions in integers?(b) Are there any solutions in rational numbers?(c) Are there infinitely many solutions in integers?(d) Are there infinitely many solutions in rational numbers?
In this generality, only question (c) has been fully answered, although muchprogress has recently been made on (d).10
The set of real solutions to an equation f(x, y) = 0 forms a curve in thexy-plane. Such curves are called algebraic curves to indicate that they arethe set of solutions of a polynomial equation. In trying to answer questions(a)–(d), we might begin by looking at simple polynomials, such as polyno-mials of degree 1 (also called linear polynomials, because their graphs arestraight lines). For a linear equation
ax+ by = c
with integer coefficients, it is easy to answer our questions.11 There arealways infinitely many rational solutions, there are no integer solutions ifgcd(a, b) does not divide c, and there are infinitely many integer solutionsif gcd(a, b) does divide c. So linear equations in two variables are even easierto analyze than higher-degree equations in one variable.
9In practice, it may be easier to approximate the real roots to high accuracy and then checkwhich, if any, of these roots can be written in the form b/an for some integer b. This avoidshaving to find the prime factorization of a0 and an.
10For polynomials f(x1, . . . , xn) with more than two variables, our four questions haveonly been answered for some very special sorts of questions. Even worse, work of Davis,Matijasevic, and Robinson has shown that in general it is not possible to find a solution toquestion (a). That is, there does not exist an algorithm which takes as input the polynomial fand produces as output either YES or NO as an answer to question (a).
11We assume that a and b are not both zero, since if a = b = 0, there are either no solutionsif c �= 0, while every (x, y) is a solution if c = 0.
xx Introduction
Next we turn to polynomials of degree 2, also called quadratic polyno-mials. Their graphs are conic sections. It turns out that if such an equationhas one rational solution, then it has infinitely many. The complete set of so-lutions can be described very easily using geometry. We will briefly explainhow this is done in Section 1.1. We will also briefly indicate how to answerquestion (b) for quadratic polynomials. So although it would be untrue to saythat quadratic polynomials are easy, it is fair to say that their solutions arecompletely understood.
This brings us to the main topic of this book, namely, the solution of de-gree 3 polynomial equations in rational numbers and in integers. One exam-ple of such an equation is Bachet’s equation y2 − x3 = c that we looked atearlier. Some other examples that will appear during our studies are
y2 = x3 + ax2 + bx+ c and ax3 + by3 = c.
The solutions to these equations using real numbers are called cubic curvesor elliptic curves.12 In contrast to linear and quadratic equations, the rationaland integer solutions to cubic equations are still not completely understood,and even in those cases where the complete answers are known, the proofsinvolve a subtle blend of techniques from algebra, number theory, and geom-etry. Our primary goal in this book is to introduce you to the beautiful subjectof Diophantine equations by studying in depth the first case of such equationsthat is still imperfectly understood, namely, cubic equations in two variables.To give you an idea of the sorts of results that we will be studying, we brieflyindicate what is known about questions (a)–(d) for cubic curves.
First, Siegel proved in the 1920s that a cubic equation has only finitelymany integer solutions,13 and in 1970 Baker and Coates gave an explicit up-per bound for the largest solution in terms of the coefficients of the polyno-mials. This provides a satisfactory answer to (a) and (c), although the Baker–Coates bounds for the largest solution are generally too large to be practical.14
In Chapter 5 we will prove a special case of Siegel’s theorem for equations ofthe form ax3 + by3 = c.
12Despite its name, an elliptic curve is not an ellipse, since ellipses are conic sections, andconic sections are given by quadratic equations! The curious chain of events that led to ellipticcurves being so named is recounted in Section 1.3.
13Actually, Siegel’s theorem applies only to “nonsingular” cubic equations. However, mostcubic equations are nonsingular, and in practice, it is generally quite easy to check whether agiven equation is nonsingular.
14Techniques developed since 1970 are practical enough to find all integer solutions onmany cubic equations, as long as the coefficients are not too large.
Introduction xxi
Second, all of the possibly infinitely many rational solutions to a cubicequation may be found by starting with a finite set of solutions and repeatedlyapplying a geometric procedure similar to Bachet’s duplication formula. Thefact that there always exists a finite generating set was suggested by Poincarein 1901 and proven by L.J. Mordell in 1923. We will prove a special caseof Mordell’s theorem in Chapter 3. However, we must in truth point out thatMordell’s theorem does not really answer questions (b) and (d). As we shallsee, the proof of Mordell’s theorem gives a procedure that often allows oneto find a finite generating set for the set of rational solutions. But it is onlyconjectured, and not yet proven, that Mordell’s method always yields a gen-erating set. So even for special sorts of cubic equations such as y2 − x3 = cand ax3 + by3 = c, there is no general method (algorithm) currently knownthat is guaranteed to answer question (b) or (d).
We have mentioned several times the idea that the study of Diophantineequations involves an interplay among algebra, number theory, and geometry.The geometric component is clear, since the equation itself defines (in thecase of two variables) a curve in the plane, and we have already seen how itmay be useful to consider the intersection of that curve with various lines. Thenumber theory is also clearly present, since we are searching for solutions ineither integers or rational numbers, and what is the heart of number theoryother than the study of relations between integers and/or rational numbers.But what of the algebra? We could point out that polynomials are essentiallyalgebraic objects. However, algebra plays a far more important role.
Recall that Bachet’s duplication formula may be described as follows:start with a point P on a cubic curve, draw the tangent line at P , and take thethird point of intersection of the line with the curve. Similarly, if we start withtwo points P1 and P2 on the curve, we can draw the line through P1 and P2
and look at the third intersection point P3. This will work for most choicesof P1 and P2, since most lines intersect a cubic curve in exactly three points.We might describe this procedure, which is illustrated in Figure 3, as a wayto “add” two points on the curve and get a third point. Amazingly, it turnsout that with a slight modification, this geometric operation turns the set ofrational solutions to a cubic equation into an Abelian group! And Mordell’stheorem, alluded to earlier, may be rephrased as saying that this group has afinite number of generators. So here is algebra, number theory, and geometryall packaged together in one of the greatest theorems of the twentieth century.
We hope that the preceding introduction has convinced you of some of thebeauty and elegance to be found in the theory of Diophantine equations. Butthe study of Diophantine equations, in particular the theory of elliptic curves,
xxii Introduction
P1
P2
P3
Figure 3: “Adding” two points on a cubic curve
also has its practical applications. We will study two such applications in thisbook.
Everyone is familiar with the Fundamental Theorem of Arithmetic, whichasserts that every positive integer factors uniquely into a product of primes.However, if the integer is fairly large, say on the order of 10300 to 10600, itmay be virtually impossible in practice to perform that factorization. This istrue even though there are quick ways to check if an integer of that size is notprime. In other words, if someone hands you a composite integer N having,say, 450 digits, then you can easily prove that N is not prime, even thoughyou probably won’t be able to find any prime factors of N . This curious stateof affairs was used by Rivest, Shamir, and Adleman to construct the firstpractical and secure public key cryptosystem, called RSA. It then becomesof practical importance to find the best possible algorithms to factor largenumbers. One such algorithm, which is particularly effective when N hasfactors of somewhat different magnitudes, is due to Hendrik Lenstra and useselliptic curves defined over finite fields. We describe Lenstra’s algorithm inSection 4.4.
Just as factoring large numbers is hard, it turns out that expressing a givenpoint on an elliptic curve as a multiple of some other given point on the curveis hard, and indeed, based on current algorithms, it appears to be significantlyharder than factoring. This is called the elliptic curve discrete logarithm prob-lem, and it has been used as the basis for a public key cryptosystem that is,in some ways, more efficient than RSA due to the added difficulty of the un-derlying hard mathematical problem. We give a brief introduction to ellipticcurve cryptography in Section 4.5.