
ELLIPTIC CURVES

GROUP LAW AND MORDELL-WEIL


ADAM SORKIN
Abstract. This paper assumes no background on elliptic curves and culminates with a proof of the Mordell-Weil theorem. The Riemann-Roch and Dirichlet unit theorems are recalled and used without proof, but everything else is self-contained. After some elementary properties of elliptic curves are given, the group structure is explored in detail.
1. Introduction to Elliptic Curves
Motivation. Suppose we want to study curves. To make headway we could just restrict to a suitable class, or instead begin with a trivial case and work up in difficulty. For example, we could restrict ourselves to nonsingular projective curves. A measure of complexity on classes of these curves would be their genus, and we could start by looking at those nonsingular projective curves having minimal genus. However, that case doesn't take much time, because a nonsingular projective curve is isomorphic to $\mathbb{P}^1$. We are naturally led to consider higher genus, and the next class of curves are those of genus one. Elliptic curves are essentially the simplest non-trivial class of curves that have a wealth of interesting properties. For example, elliptic curves are group varieties. In addition, an elliptic curve defined over a field
k

may descend to an elliptic curve defined over a subfield k k

. In what follows, we will denote the $k$-valued points of an elliptic curve $E$ (possibly defined over some larger field k

) by $E(k)$. By passing from elliptic curves over $\mathbb{C}$ to elliptic curves over $\mathbb{Q}$ many powerful connections to number theory emerge. In addition, elliptic curve cryptography has emerged as a practical application of elliptic curves. For more on applications to number theory and cryptography, see [3]. This paper will not be concerned with applications, but instead introduce elliptic curves, the group law on an elliptic curve, and finally prove the subgroup of rational points is finitely generated.
Definition 1. An elliptic curve over $k$ is a nonsingular projective genus 1 curve $E$, with a distinguished point $O \in E(k)$.

However, this definition isn't very satisfying. Recall for genus 0 we had a concrete description of $C$ as projective space. Of course an arbitrary curve can always be embedded in $\mathbb{P}^3$ (see Chapter 4 Section 3 of [1]), but that is still rather vague. In fact, elliptic curves can be given a concrete description using equations for affine plane curves.
Theorem 2. An elliptic curve E with distinguished point O can be written as the
projective closure of E

, the zero locus of


$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (1)$$
for some choice of $a_i \in k$, having distinguished point $O = [0 : 1 : 0]$. Moreover, if the characteristic of $k$ is not 2 or 3, then we can write $E$ as the projective closure of the zero locus of
$$y^2 = x^3 + ax + b \qquad (2)$$
in $\mathbb{A}^2$. Conversely, providing $4a^3 + 27b^2 \neq 0$, the projective closure of the zero locus of (2) defines an elliptic curve in $\mathbb{P}^2$ having distinguished point $[0 : 1 : 0]$.
The goal for this section is to prove Theorem 2 so that we can get our hands on
some elliptic curves directly. To do so requires a bit of heavy machinery, which we
state without proof.
Theorem 3 (Riemann-Roch). Let D be a divisor on a curve X of genus g, and K
a canonical divisor. Then
(D) (K D) = deg D + 1 g
We specialize to an elliptic curve E. To begin with, g = 1. More importantly, we
can take the canonical divisor K to be zero, that is, the empty sum of codimension-1
subvarieties of E. So we have (D) = deg D+(D). Moreover, because (D) ,= 0
implies D is effective, we can restrict to an effective divisor D to obtain
(D) = deg D. (3)
For (3) we consider the divisor $D = m[O]$ for $m \geq 1$. Then the vector space $\mathcal{L}(m[O])$ of rational functions on $E$ having no poles except possibly at $O$ of order not exceeding $m$ has dimension $m$. We will use these rational functions to build a relation which defines a model of $E$ in $\mathbb{P}^2$.

By (3), $\mathcal{L}([O])$ is a 1-dimensional vector subspace of rational functions on $E$, and we can take as a basis for it 1, the constant rational function. We extend this to a basis of the 2-dimensional vector space $\mathcal{L}(2[O])$ by adjoining some rational function $x \colon E \to \mathbb{A}^1$ having a pole of order 2 at $O$. Similarly we extend this collection to a basis $1, x, y$ of $\mathcal{L}(3[O])$, where $y$ has a pole of order 3 at $O$. Now consider the rational function $x^2$ defined by $P \mapsto x(P)\,x(P)$. Notice it is a well defined rational function having a pole of order 4 at $O$. Therefore it is not in the span of $1, x, y$, else it would have a pole of order not exceeding 3 at $O$. Thus $1, x, y, x^2$ is indeed a basis for $\mathcal{L}(4[O])$. The same argument shows that the rational function $xy$ having a pole of order 5 at $O$ extends our collection to a basis of $\mathcal{L}(5[O])$.

Finally, consider the collection $\{1, x, y, x^2, xy, x^3, y^2\} \subset \mathcal{L}(6[O])$. Clearly it is spanning (having rational functions with poles of order 6 at $O$) and also linearly dependent, for it has 7 elements, while (3) gives that $\mathcal{L}(6[O])$ is 6-dimensional. Therefore there is a relation
b
0
y
2
+b
1
xy +b
3
y = b

0
x
3
+b
2
x
2
+b
4
x +b
6
1
with $b_i \in k$. We can normalize the above equation as follows. The only rational functions having a pole of order 6 are $x^3$ and $y^2$. Adjoining either individually gives
a linearly independent set, and consequently both b
0
and b

0
are nonzero. Under the
change of variables y (b
0
/b

0
)y and x (b
0
/b

0
)x, the resulting equation becomes
b
3
0
b
2
0
y
3
+
b
2
0
b
2
0
b
1
xy +
b
0
b

0
b
3
y =
b
3
0
b
2
0
x
3
+
b
2
0
b
2
0
b
2
x
2
+
b
0
b

0
b
4
x +b
6
which we can multiply through by (b
3
0
/b
2
0
) to obtain (1).
Notice the relation holds between rational functions having poles only at O, so
it is in fact a relation between regular functions on E O. Thus we can consider
the morphism : E O A
2
defined by P (x(P), y(P)). Because of the
relation between x and y as regular functions, is a map onto the curve E

defined
by the zero locus of (1). Now recalling that x has exactly a double pole at O,
so x has exactly two zeros. Therefore the mapping P x(P) is of degree two.
Similarly P y(P) is of degree three, and consequently both two and three are
divisible by the degree of . So is a degree one morphism, which is to say is
an isomorphism E O E

. Finally we use the fact that E is nonsingular and


projective to deduce that extends to an isomorphism of E onto the projective
closure of E

in P
2
. Because both x and y have poles at O, it is sent to the unique
point at infinity on E

, namely [0 : 1 : 0].
Figure 1. Some real points of the elliptic curves $y^2 + y - xy = x^3$ and $y^2 = x^3 - x$. The line $L$ is the line of symmetry, $y = -(1/2)(a_1 x + a_3)$.
Now suppose that $k$ has characteristic not equal to 2 or 3. To transform (1) to $y^2 = f(x)$ for some cubic $f(x)$, we simply complete the square for $y$. This requires the change of variables $y \mapsto y + (1/2)(a_1 x + a_3)$, and so cannot be done for fields of characteristic 2. Finally, to transform the right side so that $f(x) = x^3 + ax^2 + bx + c$ has no power of $x^2$, we transform $x \mapsto x - (a/3)$, which is possible precisely when the characteristic is not 3. After these substitutions, the polynomial will have the form (2).
Conversely, suppose we are given a polynomial $y^2 = f(x)$ of the form (2), where the field has characteristic not equal to 2 or 3. First notice the variety $E$ it defines in $\mathbb{P}^2$ contains the point $[0 : 1 : 0]$. Moreover, nonsingularity follows, by the Jacobian criterion, exactly when $f(x)$ has no repeated roots. The discriminant of $f(x)$ is actually $-(4a^3 + 27b^2)$, and being nonzero guarantees the nonsingularity of $E$. Finally, by a standard application of the Riemann-Hurwitz formula, we can deduce the genus of $E$ is 1, and so it is indeed an elliptic curve.

Notice that if $E$ is given by (2) then if $(x, y) \in E$ we will also have $(x, -y) \in E$. More generally, for $E$ given by (1), when the characteristic is not 2, $E$ will be symmetric around the line $y = -(1/2)(a_1 x + a_3)$, a geometric consequence of the algebraic structure.

Figure 2. Some real points of the elliptic curves $y^2 = x^3 + x - 1$ and $y^2 = x^3 - x$.
Because $E$ is nonsingular, it is irreducible, and hence $E(k^{al})$ is connected. However, passing to subfields may destroy connectivity. For example, if $E$ is defined over $\mathbb{R}$, we can put it in the form $y^2 = f(x)$ for some cubic polynomial $f(x)$. If $f(x)$ has 3 real roots, then $E(\mathbb{R})$ is disconnected, because it is symmetric around the $x$-axis. And by the same reasoning, if $f(x)$ has only 1 real root, then $E(\mathbb{R})$ is connected.
2. The Group Law on an Elliptic Curve
To simplify the calculations, we assume our field $k$ has characteristic not equal to 2 or 3. However, after modifying the arguments, everything in this section continues to hold for all characteristics.

The utility of elliptic curves is, without a doubt, due to the fact they are simultaneously groups and varieties. There is a slick proof of this fact using Riemann-Roch below. But, after doing all that work using Riemann-Roch to show any elliptic curve $E$ can be given concretely as $y^2 = x^3 + ax + b$, it would be foolish not to consider what the group law looks like in $\mathbb{A}^2$. The technique we are about to describe is known as the chord and tangent method.
Our first observation is that the distinguished point $O$ is not in $\mathbb{A}^2$; rather we consider it as the point at infinity. Moreover, every other point of $E$ lies in $\mathbb{A}^2$. Vertical lines in $\mathbb{A}^2$ intersect $E$ at $O$, and $O$ is the only point of inflection of $E$; which is to say the tangent line of $O$ intersects $E$ with multiplicity 3. Now consider a line $L \subset \mathbb{A}^2$ which intersects $E$ at $P$. By Bezout's theorem, $L \cap E$ has intersection multiplicity 3, so will generically intersect three points. This insight gives rise to a map $E(k) \times E(k) \to E(k)$, denoted $P, Q \mapsto PQ$, which can be modified so as to become a group law¹.

¹ We can indeed apply Bezout's theorem here, even when $k$ is not algebraically closed. First, notice $P, Q \in E(k) \subset E(k^{al})$. Then we use the chord-tangent method to obtain $PQ \in E(k^{al})$. Substituting the relation of the line $L$ determined by $P$ and $Q$ into the equation defining the elliptic curve gives a cubic polynomial in $x$, two of whose roots lie in $k$. But then a cubic with two roots in $k$ must have all three roots in $k$, and so $PQ$ must lie in $E(k)$ as well.
Figure 3. The group law on $E$.
We now describe the group law. Let $P, Q \in E(k)$, and let $L$ be the line defined by $P$ and $Q$. If $P = Q$, then we set $L$ to be the line tangent to $E$ at $P$. Because $L \cap E$ has intersection multiplicity 3, we have that $L$ intersects $E$ at $P$, $Q$, and a third point $PQ$, which may or may not be distinct (for example, if the intersection multiplicity of $L$ at $P$ is 2, then we have $PQ = P$).

This is not yet a group law, as the operation $P, Q \mapsto PQ$ is not associative. For example, in figure 3, it is clear that ((P, Q), PQ) = (PQ, PQ), and (P, (Q, PQ)) = (P, P) are distinct. In fact, once the group law is established, it is easy to see that $PQ = -(P + Q)$. To have a group law, we use the distinguished point $O \in E(k)$ as the neutral group element, and define $P + Q = O(PQ)$. Graphically, this means we take the point of intersection in $E$ of the line connecting $PQ$ with the point $O$ at infinity. Because every vertical line intersects $O$, to find $O(PQ)$, we simply take the vertical line through $PQ$, and take the point where it intersects $E$ in $\mathbb{A}^2$; that is, $O(PQ)$ is just the reflection of $PQ$ through the $x$-axis. If we were working with an elliptic curve given by (1), then the neutral element is no longer at infinity, and we'd need another chord to find $O(PQ)$.
Algebraically, there is a concrete description of the group law on elements of $\mathbb{A}^2$. Write $P = (x_1, y_1)$ and $Q = (x_2, y_2)$. The line L: y = x + determined by P and Q has slope $(y_1 - y_2)/(x_1 - x_2)$ providing $L$ is transverse to $E$ as in the left image of figure 3. If instead $L$ is tangent to $E$ at $P$ or $Q$, as in the right image, then $L$ has slope $(3x_1^2 + a)/(2y_1)$, which can be found by implicit differentiation. Then is found by evaluating L at either P or Q, so there is an algebraic description of L.
Substituting x + for y, we obtain (x +)
2
= x
3
+ax +b, which simplifies to
x
3

2
x
2
+ (a 2)x + (b
2
) = 0.
Write PQ = (x
3
, y
3
); and observe O(PQ) = P +Q = (x
3
, y
3
). The single variable
polynomial in x above factors as (xx
1
)(xx
2
)(xx
3
). By equating coefficients,
(x
1
+x
2
+x
3
) =
2
, or
x
3
=
2
x
1
x
2
. (4)
Finally, $y_3$ is determined by the equation for $L$ again, given $P + Q = (x_3, -y_3)$; this is a description of the group law in terms of algebraic operations.
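The chord-and-tangent description above, carried out over a small prime field and checked exhaustively against the group axioms; this is an added example, not code from the paper. The prime `P_MOD`, the coefficients `A`, `B` and the function names (`third_point`, `add`, `neg`, `slope`) are assumptions chosen for illustration.

```python
# Added example: chord-and-tangent arithmetic on y^2 = x^3 + A*x + B over F_p.
# P_MOD, A, B are constructed sample values: p is not 2 or 3 and
# 4*A^3 + 27*B^2 = 31 is nonzero mod 23, so the curve is nonsingular.
P_MOD, A, B = 23, 1, 1
O = None  # the distinguished point at infinity, the neutral element


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0


def neg(pt):
    """Reflection through the x-axis, i.e. the map PQ -> O(PQ) on affine points."""
    if pt is O:
        return O
    x, y = pt
    return (x, -y % P_MOD)


def third_point(p1, p2):
    """The raw map P, Q -> PQ: third intersection of the line through P, Q with E."""
    if p1 is O and p2 is O:
        return O                      # the tangent at O meets E only at O
    if p1 is O:
        return neg(p2)                # vertical line through p2
    if p2 is O:
        return neg(p1)
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                      # vertical chord or vertical tangent
    if p1 == p2:                      # tangent slope by implicit differentiation
        slope = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                             # chord through two distinct affine points
        slope = (y1 - y2) * pow((x1 - x2) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (slope * slope - x1 - x2) % P_MOD    # the three roots sum to slope^2
    y3 = (y1 + slope * (x3 - x1)) % P_MOD     # evaluate the line at x3
    return (x3, y3)


def add(p1, p2):
    """Group law P + Q = O(PQ): reflect the third intersection point."""
    return neg(third_point(p1, p2))


def affine_points():
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]


def group_axioms_hold():
    """Exhaustive check: closure, identity, inverses, commutativity, associativity."""
    pts = [O] + affine_points()
    for p in pts:
        if add(p, O) != p or add(p, neg(p)) is not O:
            return False
        for q in pts:
            s = add(p, q)
            if not on_curve(s) or s != add(q, p):
                return False
            for r in pts:
                if add(s, r) != add(p, add(q, r)):
                    return False
    return True


def raw_map_is_associative():
    """The unreflected map P, Q -> PQ, tested on all triples of affine points."""
    pts = affine_points()
    return all(third_point(third_point(p, q), r) == third_point(p, third_point(q, r))
               for p in pts for q in pts for r in pts)


if __name__ == "__main__":
    P, Q = (3, 10), (9, 7)
    print("P + Q =", add(P, Q), " 2P =", add(P, P))
    print("affine points:", len(affine_points()))
    print("group axioms hold:", group_axioms_hold())
    print("raw map PQ associative:", raw_map_is_associative())
```

The exhaustive check is only feasible because the field is tiny; it confirms that the reflected map is a group law while the raw map $P, Q \mapsto PQ$ is not associative.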
Though the algebraic description can be used to verify the operation indeed forms a group, it is much clearer to see things geometrically. First, observe the operation is commutative: directly from the definition $PQ = QP$, and hence $P + Q = O(PQ) = O(QP) = Q + P$. Moreover, OP = P in affine coordinates because $O$ is on every vertical line through $E$, and so $O + P = O(OP) = P$. It also then follows that $P + OP = O$, and so $-P = OP$. In fact, it is useful to know that $P + Q + R = O$ if and only if $P$, $Q$, and $R$ are collinear, which will follow directly from considering the Picard group of $E$.

We almost have a group, but one key structure hasn't yet been verified: associativity. Though there is a geometric proof (see [4]), we will instead use Riemann-Roch to define a group law on the cubic, and show it coincides with the chord-tangent law defined above. Recall that Pic(E) is the quotient group of degree zero divisors on $E$ by the principal divisors on $E$.
Theorem 4. Let $E$ be an elliptic curve with distinguished point $O$. The map : $E(k) \to \mathrm{Pic}^0(E)$ given by $P \mapsto [P] - [O]$ is a bijection. Moreover, this bijection yields the chord-tangent group law on $E$.
Proof. First we show the mapping is injective. Suppose not; that [P] [O]
[Q] [O] modulo some principal divisor f. Then there is some rational function
f : E P
1
such that Div(f) = [P] [O]. However, the degree of f is 1, because
f

([0]) = P. But then f gives a morphism E P


1
of degree 1. Because E and
P
1
are nonsingular projective curves, f is an isomorphism, which is a contradiction
because P
1
has genus zero while E has genus one.
Now let $D$ be a degree zero divisor on $E$. It is enough to show $D$ is linearly equivalent to some $[P] - [O]$ because we are working in $\mathrm{Pic}^0(E)$; the quotient of $\mathrm{Div}(E)$ by linear equivalence. Hence it suffices to show $D = [P] - [O] + \mathrm{Div}(f)$ for some $f \in K(E)$. Consider the linear space $\mathcal{L}(D + [O])$. By Riemann-Roch, we have that its dimension is (D + [O]) = deg(D + [O]) = 1. Hence there is some $f \in K(E)$ which is a basis for $\mathcal{L}(D + [O])$. Because $f \in \mathcal{L}(D + [O])$, it follows that $\mathrm{Div}(f) + D + [O] \geq 0$. Additionally, $\mathrm{Div}(f) + D + [O]$ is a divisor of degree 1. But the only effective divisors of degree 1 are of the form $[P]$ for some $P \in E(k)$. Therefore $\mathrm{Div}(f) + D + [O] = [P]$ for some $P \in E(k)$, and hence (P) = D.

Because is a bijection, we can equip E with a group structure by declaring to be an isomorphism. But we don't want some arbitrary group structure; rather, we want the specific chord-tangent law of addition. The group law imposed by is $P + Q = R$ providing $[P] - [O] + [Q] - [O]$ is linearly equivalent to $[R] - [O]$; equivalently $[P] + [Q] \sim [R] + [O]$. Consider the lines $L_1$ determined by $P$ and $Q$ and $L_2$ determined by $PQ$ and $O$. Homogenize $L_i$ so they define lines in $\mathbb{P}^2$, and define the rational function $f = L_1/L_2$. Because $L_1$ has simple zeros at $P$, $Q$, and $PQ$, and simple poles at $PQ$, $R$, and $O$, it follows that
$$\mathrm{Div}(f) = [P] + [Q] + [PQ] - [PQ] - [R] - [O] = 0$$
so that $[P] + [Q] = [R] + [O]$. Hence the two compositions are identical, and associativity of the chord-tangent method follows. Additionally, this shows that $P + Q + R = O$ in $E$ if and only if the points are collinear.
3. The Subgroup of Rational Points is Finitely Generated
Now we specialize for $k$ a number field. An amazing theorem about the group structure of $E(k)$ is the following.

Theorem 5 (Mordell-Weil). Let $E$ be an elliptic curve over a number field $k$. The group $E(k)$ is finitely generated.
In this section we give an elementary proof of Mordell's theorem in the case $k = \mathbb{Q}$. This proof can be extended using a suitable notion of height for $\mathbb{P}^n(k)$. The standard proof relies on group cohomology. We proceed by a different route, that of Fermat descent. Recall that a norm function on an abelian group is a nonnegative real-valued function $|\cdot| \colon A \to \mathbb{R}_+$ which is $\mathbb{Z}$-multiplicative, satisfies the triangle inequality, and is proper. Note that $\mathbb{Z}$-multiplicativity implies that $|a| = 0$ if and only if $a$ is a torsion element. The key to proving Mordell's theorem is the following lemma on descent.
Lemma 6. An abelian group is finitely generated if and only if $[A : mA]$ is finite for some $m > 1$ and $A$ has a norm function.

Proof. If $A$ is finitely generated, then by the structure theorem for finitely generated abelian groups, $[A : mA]$ is finite for all $m > 1$. Additionally, we can restrict the euclidean norm on $\mathbb{R}$ to $\mathbb{Z}$, and then take the 1 norm over the direct product to get a norm on the free part of $A$.

To prove the converse, suppose $A/mA$ is finite and $A$ is normed. Let $C_1, \ldots, C_m$ in $A$ be the coset representatives in $A/mA$, and put $c = \max_i C_i + 1$. Define $X$ to be the set of $P \in A$ with $|P| \leq c$ and set $G = \langle X \rangle$. Because the norm is proper, $G$ is finitely generated. We now show $G = A$. Suppose not: $A \setminus G \neq \emptyset$. Then there is some $P \in A \setminus G$ of minimal norm. Notice that $|P| > c$ directly from the definition of $G$. As cosets of $A/mA$, $[P] = [C_i]$ for some $i$, so we can write $P = C_i + mQ$ for some $Q \in A$. But then $mQ = P - C_i$, and by taking norms, we have $m|Q| \leq |P| + |C_i| < |P| + c < 2|P| \leq m|P|$. Hence $|Q| < |P|$, and by minimality of $P$, it follows that $Q \in G$. Moreover, $C_i$ is not just in $G$, it is in the generating set $X$ of $G$. But then $P \in G$, a contradiction. Therefore our assumption was wrong, and $G = A$.
The road map for the proof is as follows. We show the index $[E(k) : 2E(k)]$ is finite by defining a finite abelian group $A(E)$, and then providing a morphism : $E(k) \to A(E)^3$ whose kernel is contained in $2E(k)$. That $E(k)$ is normed is shown by defining a height on projective spaces and restricting it suitably to define a norm on $E(k)$.
Finite Index. We begin by showing [E(k) : 2E(k)] is finite, for any number field k.
Consider the elliptic curve given by y
2
= (xr
i
)(xr
2
)(xr
3
), where r
i
O
k
, the
ring of integers of a number eld k. Dene P(E) = irreducibles P O
k
[ P[r
i
r
j
for some i ,= j. Notice that P(E) is nite because factorizations exist in k.
Additionally, recall there are valuations on k for each irreducible P O
k
, where

P
(a) is given by the highest power of P dividing a. Using P(E) we can dene
the target group of interest by A(E) = cosets ak

/(k

)
2
[ a k

such that
P
(a)
is even for P / P(E). That A(E) is a group follows from the multiplicativity of
valuations and the following lemma.
Lemma 7. For (x, y) E(k),
P
(x r
i
) is even for all P / P(E).
Proof. Let P be an irreducible of O
k
not contained in P(E). First suppose that

P
(x r
1
) < 0. Then because r
i
O
k
,
P
(r
i
) 0, and because
P
is a valuation,

P
(x) = (x r
j
) for arbitrary j. Then applying the relation between x and y we
have
P
(y
2
) =
P
(

i
(x r
i
)) = 3
P
(x). But as
P
(y
2
) = 2
P
(y), it follows that

P
(x) is even. Therefore
P
(x r
i
) is also even.
Next suppose that
P
(x r
1
) > 0. Because r
1
r
i
= (x r
i
) (x r
1
) and

P
(r
1
r
i
) = 0 (as P / P(E)), it follows that
P
(x r
j
) = 0 for j = 2, 3. We
again apply the relation between x and y to obtain 2
P
(y) =
P
(x r
1
). Hence in
all cases
P
(x r
i
) is even.
Now that we've determined A(E) is indeed a group, we can define three mappings

i
: E(k) A(E) by

i
(O) = 1

i
((r
i
, 0)) = (r
j
r
i
)(r
k
r
i
) (mod (k

)
2
)

i
((x, y)) = (x r
i
) (mod (k

)
2
)
Proposition 8. The maps
i
are group homomorphisms.
Proof. The key here is that the group law on the elliptic curve is given by P
1
+
P
2
+P
3
= O if and only if the P
i
are colinear. Then it suces to show

i
(P
1
)
i
(P
2
)
i
(P
3
) = 1 (mod (k

)
2
)
for P
j
colinear. Here we count each P
j
with multiplicity one; i.e., the P
j
are
not necessarily distinct. First consider a vertical line. Because every vertical line
intersects O, we will have P
j0
= O for some j, and because the line is vertical,
the two remaining P
j
will have identical x coordinates, and the formula dening
the
i
makes it clear the product
i
(P
1
)
i
(P
2
)
i
(P
3
) will be a square in (k

)
2
. So
we consider non vertical lines. Fix a line L dened by y = x + and the (not
necessarily distinct) three points P
i
on E(k) L. Write P
j
= (x
j
, y
j
). That is,
x
j
are the roots of the equation (x + )
2
= (x r
1
)(x r
2
)(x r
3
). However,
the denition of
i
concerns the quantity x r
i
, so we will consider a change of
variables x x +r
i
for some xed i. Then the roots transform to x
1
r
i
, x
2
r
i
,
and x
3
r
i
for the equation
((x +r
i
) +)
2
= (x +r
i
r
1
)(x +r
i
r
2
)(x +r
i
r
3
)
= x(x +r
i
r
j
)(x +r
i
r
k
) (5)
= x
3
+ax +b
where j, k 1, 2, 3 are distinct and not equal to i. Collecting terms in the
polynomial above gives
0 = x
3
+ (a
2
)x
2
+ (b 2(r
i
+))x (r
i
+)
2
(6)
= (x (x
1
r
i
))(x (x
2
r
i
))(x (x
3
r
i
)) (7)
Now we need only consider cases. First suppose that none of the y
i
are zero. Then

i
(P
1
)
i
(P
2
)(P
3
) equals the products of the roots x
j
r
i
for j = 1, 2, 3. And
according to (6), this product is (r
i
+ )
2
, which is certainly equal to 1 modulo
(k

)
2
.
Thus we can suppose some y
j
is zero; by reordering the P
j
we may take it to be
y
i
= 0. Then we see that x
i
= r
i
, and so the roots of (6) are 0, x
j
r
i
, x
k
r
i
,
where j, k are distinct and not equal to i. Then it is clear the product of the roots
is zero, and by equating coecients in (6) and (7) it follows the constant term is
zero. So we have r
i
+ = 0, and (6) collapses to x
3
+(a
2
)x
2
+bx. Evaluating
with
i
we get

i
(P
i
)
i
(P
j
)
i
(P
k
) = (r
j
r
i
)(r
k
r
i
)(x
j
r
i
)(x
k
r
i
).
Using (5) gives that b = (r
i
r
j
)(r
i
r
k
), while the collapsed form x
3
+(a
2
)x
2
+bx
gives b = (x
j
r
i
)(x
k
r
i
) and making the substitution above gives the product of
the
i
s is indeed 1 modulo (k

)
2
.
Collect the
i
together to form a morphism = (
1
,
2
,
3
): E(k) A(E)
3
. It
takes a page of algebraic manipulation, but one can prove that
Lemma 9. For (x

, y

) E(k), the equation


2(x, y) = (x

, y

) (8)
has a solution in E(k) if and only if x

r
1
, x

r
2
, and x

r
3
are squares in k.
Proof. The key idea here is that through clever substitutions, a solution to (8) is
found, and directly from the form of the solution the claim follows. However, we
can simplify the equation we need to solve by the change of variables x x x

.
Observe that (x, y) E(k) is a solution for (8) if and only if 2(x, y) = (0, y

) in the
equation y
2
= (x+x

r
1
)(x+x

r
2
)(x+x

r
3
). Thus it suces to prove the claim
for x

= 0. If we expand the original elliptic curve relation to y


2
= x
3
+ax
2
+bx+c,
then after the change of variables, equating coecients on the constant term gives
c = (y

)
2
= r
1
r
2
r
3
. Later we will use this fact, and also that a = r
1
+ r
2
+ r
3
and b = r
1
r
2
+ r
2
r
3
+ r
3
r
1
. We can solve (8) by nding our desired point with
the chord-tangent method. Take the line L given by y = x + tangent to E at
(0, y

). Evaluating L at (0, y

) gives = y

. Once we nd the slope we are done.


Substituting into the equation for E we have
x
3
+ax
2
+bx +c = (x +y

)
2
=
2
x
2
+ 2xy

+ (y

)
2
=
2
x
2
+ 2xy

+c
Collecting terms, we want to solve the cubic x
3
+ (a
2
)x
2
+ (b 2y)x. It
is clear that x = 0 is a root of this cubic, so we need now to solve the quadratic
x
2
+(a
2
)x+(b2y

). Recalling that L is tangent to E at (0, y

), the intersection
is of multiplicity 2, and so (0, y

) is a double root. Hence the quadratic must have


repeated roots, so its discriminant is zero. That is, 0 = (a
2
)
2
4(b 2y

), or
equivalently, (
2
a)
2
= 4(b 2y

). To solve for , we would like both sides to be


squares and simply take roots. Introduce now a dummy variable v = v(, a, b, y

).
We will solve for v so that both sides are squares. Consider the equation
(
2
a +v)
2
= 2v
2
8y

+ (v
2
+ 4b 2a) (9)
Notice the right side of (9) is a quadratic in . It will then be a perfect square if
and only if its discriminant is zero, so we want to solve
0 = (8y

)
2
4(2v)(v
2
+ 4b 2a)
= 64(c) 8v
3
32vb + 16v
2
a
Dividing through by 8 gives 0 = v
3
2av
2
+4bv 8c. To solve this cubic in v, we
change variables to v = 2w, giving the familar equation 0 = 8(w
3
+aw
2
+bw+c).
This is precisely the equation dening E, and therefore its roots are w = r
i
, implying
v = 2r
i
.
We can now solve for . Evaluate (9) at v = 2r
i
, substituting in the symmetric
polynomials in the roots r
i
for the coecients a, b, and c to get
(
2
+r
1
+r
2
+r
3
2r
1
)
2
=
2
2
(2r
i
) 8y

+ ((2r
1
)
2
+ 4(r
1
r
2
+r
2
r
3
+r
3
r
1
) 2(2r
1
)((r
1
+r
2
+r
3
)))
= 4(

r
1

r
2

r
3
)
2
Thus we have written both sides as squares, but notice we need the x

r
i
to
be squares, where x

= 0. In any event, taking roots gives the quadratic


2

r
1
+ (r
1
+ r
2
+ r
3


r
2

r
3
). We can solve this quadratic for by
simply completing the square, and then solve the resulting intersection L E(k
al
)
for the desired solution to (8). Notice the solution (x, y) lies in k
al
; by the form of
we see (x, y) will be in E(k) precisely when x

r
i
are squares in k.
From Lemma 9, we have that ker 2E(k), and so E(k)/2E(k) is a subgroup
of A(E)
3
. The last step to prove that A(E) is nite; to do so we simply recall the
Dirichlet unit theorem.
Theorem 10 (Dirichlet). Let k be a number eld and O
k
its ring of integers. Then
O

k
is isomorphic to Z/nZ
r1+r21
, where Z/n correspond to the roots of unity in
O
k
, and O
k
has r
1
real embeddings and r
2
pairs of complex conjugate embeddings.
In fact, we dont need Dirichlets theorem in all its power here, but simply that
O

k
is nitely generated. With it we conclude O

k
/(O

k
)
2
is nite, and therefore
A(E) is nite.
Normed Group. Equipping $E(k)$ with a norm is not straightforward, and we will only show that $E(\mathbb{Q})$ is a normed group (for the general number fields $k$, see Andre Weil's thesis). But even proving $E(\mathbb{Q})$ is normed takes a bit of work. To begin with, the norm on $E(\mathbb{Q})$ is messy and has no concise algebraic description. At least it is canonical. In fact, we won't explicitly give a norm on $E(\mathbb{Q})$, but instead, a quadratic form $h_E \colon E(\mathbb{Q}) \to \mathbb{R}$ satisfying the parallelogram law. A quick application of the Cauchy-Schwarz inequality proves that $\sqrt{h_E}$ is a norm on $E(\mathbb{Q})$. First we will define heights on rational projective space. From the height on projective space we will define a function $h$ on $E(\mathbb{Q})$. The quadratic form $h_E$ will be defined as a pointwise limit of $h$. In what follows, we suppose $E$ is defined by $y^2 = x^3 + ax + b$.

Rational points on projective space have a simple, well defined height. Given a rational point $[y_0 : \cdots : y_n]$ in $\mathbb{Q}P^n$, we simply rescale to $[x_0 : \cdots : x_n]$ where each $x_i$ is integral and (all of them together) share no common factor. That is, $\gcd_i(x_i) = 1$. Coordinates of this form will be called a primitive representation. Define $H([y_0 : \cdots : y_n]) = \max_i |x_i|$. We will also need $h([y_0 : \cdots : y_n]) = \log H([y_0 : \cdots : y_n])$.
To prove E(k) is normed for a number eld k involves summing the absolute val-
ues over all valuations on k. One rst denes a function h

: k
n+1
(0, . . . , 0)
R by
h

(x
0
, . . . , x
n
) =

max
i
log [x
i
[

(10)
That this sum is even well dened is not immediately clear. Because k is a number
eld it has nite factorizations. Then for each xed x
i
, only nitely many [x
i
[

will
be unequal to 1, and so the sum in (10) is actually nite. Moreover, h

descends
to a well dened function on kP
n
; this is due to the fact that

log [a[

= 0 for
any a k

, and hence h

is invariant under rescaling.


Notice this more general denition agrees with our ad hoc one of heights on
QP
n
. The valuations on Q are the p-adic ones and the standard absolute value.
Becuase h

is invariant under scaling, a standard form on which to evaluate is on


tuples of integers [x
0
: : x
n
] with no common factor as above. But then it is
clear that every p-adic valuation will have [x
i
[
p
1, and so its logarithm will be
nonpositive. Taking the maximum ensures the p-adic absolute values contribute
nothing to this sum, and the height reduces to the familar form h

([x
0
: : x
n
]) =
log max
i
[x
i
[ = h([x
0
: : x
n
]). With this height, we can descend to E(Q),
though we will abuse notation and write H or h both for functions on P and E.
Let $P \in E(\mathbb{Q})$. If $P = O$, we define $H(O) = 1$. For all other $P = (x, y)$, we let $H(P) = H([x : 1])$, where the right side indicates the height function on $\mathbb{Q}P^2$. Again we let $h \colon E(\mathbb{Q}) \to \mathbb{R}$ denote the natural logarithm of $H$. Now $h$ will not be the quadratic form; we must pass to a limit. In order to do that, we need the following proposition, whose proof relies on reducing the situation to a lemma about heights on projective space.

Proposition 11. There exists a constant $A$ such that $|h(2P) - 4h(P)| \leq A$ for all $P \in E(\mathbb{Q})$.

Proof. The key here is that we've given an algebraic description of what form $2P$ has in terms of $P$. First, it is clear that if $P = O$ then $2P = O$, and we have $h(2O) - 4h(O) = 0$. So let $P = (x_1, y_1) \in \mathbb{A}^2$ and $2P = (x_2, y_2)$. Then by (4)
we have x
2
=
2
+ 2x
1
, where is the tangent line to E at P. Because we can
calculate explicitly, we have
$$x_2 = \frac{(3x_1^2 + a)^2 - 8x_1(x_1^3 + ax_1 + b)}{4(x_1^3 + ax_1 + b)}$$
Then we have $h(2P) = h([x_2 : 1]) = h([(3x_1^2 + a)^2 - 8x_1(x_1^3 + ax_1 + b) : 4(x_1^3 + ax_1 + b)])$. To compare this to $h(P)$ we need to actually consider $[x : z]$ in $\mathbb{P}^2$ when calculating heights. Specifically, we want to write $h(2P) = h([f(x, z) : g(x, z)])$ where $f, g$ are the homogenization of the above terms. Then $f(x, 1) = (3x^2 + a)^2 - 8x(x^3 + ax + b)$, $g(x, 1) = 4(x^3 + ax + b)$, and both $f$ and $g$ have degree 4. Because $E$ is an elliptic curve, $x^3 + ax + b$ and $3x^2 + a$ have distinct roots. Therefore $f(x, 1)$, $g(x, 1)$ also have distinct roots. Then by the lemma below, the claim follows.

Lemma 12. Let $f(x, z)$, $g(x, z)$ be homogeneous rational polynomials of degree $m$ with no common zeros in $\mathbb{Q}^{al}$. Then
$$|h([f(x, z) : g(x, z)]) - m\,h([x : z])| \leq B$$
for some constant $B$ which holds for all $[x : z] \in \mathbb{Q}P^1$ where $[f(x, y) : g(x, y)]$ is defined.
Proof. We interpret the polynomials f, g as giving morphisms on some open subset
of P
1
, and so may rescale appropriately such that the pair has a primitive repre-
sentation of integral coecients. For C the maximum over all coecients of f and
g, let C

= (m+1)C. Then writing P = [a : b] a primitive representation for P we


obtain [f(P)[, [g(P)[ C

max[a[, [b[
m
. Taking heights we obtain
H([f(x, z) : g(x, z)]) max[f(a, b)[, [g(a, b)[
C

max[a[, [b[
m
= C

H(P)
m
The upper bound then comes from taking the logarithm of both sides, giving
h([f(x, z) : g(x, z)]) mh(P) + log C

.
To obtain the reverse inequality, we actually must use the Nullstellensatz, which is why we assumed no common roots in $\mathbb{Q}^{\mathrm{al}}$. By our assumption, the resultant of $f$ and $g$ is nonzero, call it $r \in \mathbb{Z}$. Interpret them now as single variable polynomials, $f = f(x/z, 1)$, $g = g(x/z, 1)$ in the variable $x/z$. The resultant is unchanged, and using the Nullstellensatz we obtain degree $m - 1$ polynomials $u, v$ in the variable $x/z$ where we can write
\[ u(x/z) f(x/z, 1) + v(x/z) g(x/z, 1) = r. \]
If we multiply through by $z^{2m-1}$ we then have the equality
\[ u(x, z) f(x, z) + v(x, z) g(x, z) = r z^{2m-1}. \]
Similarly we can interpret $f, g$ as single variable polynomials in the variable $z/x$ to obtain an equation $u'(x, z) f(x, z) + v'(x, z) g(x, z) = r x^{2m-1}$. Just as we did for obtaining the upper bound, there exists some constant $C$ such that $u, u', v$, and $v'$ all have absolute value not exceeding $C \max\{|a|, |b|\}^{m-1}$ when evaluated at $(a, b)$. Notice $\gcd(r a^{2m-1}, r b^{2m-1}) = r$. Evaluating both polynomial combinations of $f$ and $g$ at $(a, b)$ shows that $\gcd(f(a, b), g(a, b))$ divides $r$. Moreover,
\[ |r||a|^{2m-1},\ |r||b|^{2m-1} \le 2C \max\{|a|, |b|\}^{m-1} \max\{|f(a, b)|, |g(a, b)|\}. \]
Therefore we have shown $H([f(a, b) : g(a, b)]) \ge |r|^{-1} \max\{|f(a, b)|, |g(a, b)|\} \ge (2C)^{-1} H(P)^m$. The logarithm of both sides gives the desired lower bound.
With Proposition 11 we are able to pass to the limit, and define our quadratic form on $E(\mathbb{Q})$. Define $h_E(P) = \lim_{n \to \infty} 4^{-n} h(2^n P)$. The remainder of this section will prove
Theorem 13. The mapping $\sqrt{h_E} : P \mapsto \sqrt{h_E(P)}$ defines a norm on $E(\mathbb{Q})$.
Perhaps the first thing to do is argue $h_E$ is well defined; that is, the limit exists. Fix $P \in E(\mathbb{Q})$. To see that $4^{-n} h(2^n P)$ is a Cauchy sequence, we repeatedly use Proposition 11. Let $n \ge m$. Then we can write the difference as a finite alternating sum
\[
\begin{aligned}
|4^{-n} h(2^n P) - 4^{-m} h(2^m P)| &= \Big| \sum_{i=m}^{n-1} 4^{-(i+1)} h(2^{i+1} P) - 4^{-i} h(2^i P) \Big| \\
&\le \sum_{i=m}^{n-1} 4^{-(i+1)} |h(2^{i+1} P) - 4 h(2^i P)| \\
&\le \sum_{i=m}^{n-1} 4^{-(i+1)} A \\
&< 4^{-(m+1)} A \sum_{i=0}^{\infty} 4^{-i} = A(3^{-1} 4^{-m}).
\end{aligned}
\tag{11}
\]
Hence $4^{-n} h(2^n P)$ is a Cauchy sequence, and consequently $h_E$ is a well-defined mapping. Now to show $h_E$ is the desired quadratic form on $E(\mathbb{Q})$, we must show $h_E$ has the following properties:
(1) $h_E(2P) = 4 h_E(P)$,
(2) $h_E(P) \ge 0$,
(3) $h_E$ is proper,
(4) $h_E(P) = 0 \iff P$ has finite order, and
(5) $h_E$ satisfies the parallelogram law.
The first two properties follow directly from the definition:
\[ h_E(2P) = \lim_{n \to \infty} 4^{-n} h(2 \cdot 2^n P) = 4 \lim_{m \to \infty} 4^{-m} h(2^m P) = 4 h_E(P). \]
The mapping $h_E$ is nonnegative because $H$ on projective space has minimum value 1, and so $h$ on projective space is nonnegative. Because $h_E$ is the limit of $h$ on projective space, it is also nonnegative.
To see that $h_E$ is proper, first notice that the height on projective space is proper. Next, we have that $h_E - h$ is bounded. Specializing $m = 1$ in (11) where we showed $h_E$ is well defined, we have the inequality $|4^{-n} h(2^n P) - h(P)| \le 3^{-1} A$. Passing to the limit gives $|h_E(P) - h(P)| \le 3^{-1} A$ for all $P$, and so properness of $h_E$ follows from properness of $h$.
Now we show $h_E(P) = 0$ exactly when $P$ has finite order. First suppose $P$ has finite order in $E(\mathbb{Q})$. Then the collection $\{2^n P\} \subset E(\mathbb{Q})$ is finite, and so $h_E$ is bounded on it by some constant $C$. Using the doubling formula we get $|h_E(P)| = |4^{-n} h_E(2^n P)| \le 4^{-n} C$ which holds for all $n$. Thus $h_E(P) = 0$. Conversely, suppose that $P$ has infinite order. Then $\{2^n P\}$ is an infinite subset of $E(\mathbb{Q})$, and so $h_E$ is unbounded on it (because $h_E$ is proper). Letting $M > 0$, there is then some $n$ such that $h_E(2^n P) > M$. Again using the doubling formula we have $h_E(2^n P) = 4^n h_E(P)$, and so $h_E(P) > 4^{-n} M$ for some $n$. Consequently $h_E(P) > 0$, proving the claim.
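The limit $4^{-n} h(2^n P)$ and property (4) can be checked numerically. The following Python sketch is an added example, not part of the paper: it assumes a curve in short Weierstrass form $y^2 = x^3 + ax + b$, uses the standard doubling formula for the x-coordinate, and the two sample curves and points are chosen here for illustration.

```python
from fractions import Fraction
from math import log

def double_x(x, a, b):
    """x-coordinate of 2P on y^2 = x^3 + a*x + b; None stands for the point O."""
    if x is None:
        return None
    den = 4 * (x**3 + a * x + b)        # equals (2y)^2, zero iff P is 2-torsion
    if den == 0:
        return None
    return (x**4 - 2 * a * x**2 - 8 * b * x + a * a) / den

def naive_height(x):
    """h([p : q]) = log max(|p|, |q|) for x = p/q in lowest terms.
    Assumption made here: h(O) = 0."""
    if x is None:
        return 0.0
    return log(max(abs(x.numerator), abs(x.denominator)))

def height_sequence(x, a, b, steps):
    """Return the terms 4^-n * h(2^n P) for n = 0, ..., steps."""
    terms = []
    for n in range(steps + 1):
        terms.append(naive_height(x) / 4**n)
        x = double_x(x, a, b)
    return terms

# Constructed samples (not from the paper):
#   P = (3, 5) on y^2 = x^3 - 2; 2P has x = 129/100, not an integer,
#   so P has infinite order by Nagell-Lutz.
#   T = (2, 3) on y^2 = x^3 + 1 has order 6.
INFINITE = height_sequence(Fraction(3), 0, -2, 7)
TORSION = height_sequence(Fraction(2), 0, 1, 7)

if __name__ == "__main__":
    for n, (s, t) in enumerate(zip(INFINITE, TORSION)):
        print(f"n={n}  infinite order: {s:.6f}  torsion: {t:.6f}")
```

For the point of infinite order the terms settle quickly to a positive value, with consecutive differences shrinking by roughly a factor of 4 as in (11); for the torsion point every term after the first is exactly 0.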
The last thing to show is $h_E$ satisfies the parallelogram inequality, which will take a bit of work. In fact, to do so, we first need an inequality relating the Veronese map and heights on projective space.
Lemma 14. Let : $\mathbb{P}^1 \times \mathbb{P}^1 \to \mathbb{P}^2$ be the Veronese map defined by $([a : b], [c : d]) \mapsto [ac : ad + bc : bd]$. Then for $P, Q \in \mathbb{P}^1$ the following inequality holds:
\[ \frac{1}{2} \le \frac{H((P, Q))}{H(P)H(Q)} \le 2. \]
Proof. Writing $P = [a : b]$, $Q = [c : d]$ as primitive representations, observe that $[ac : ad + bc : bd]$ is a primitive representation for (P, Q). For if a prime $p$ divided both $ac$ and $bd$, then because $P$ and $Q$ are primitive representations, $p$ divides either $a$ and $d$ or $b$ and $c$, but not both. Then a quick computation gives
\[ H((P, Q)) = \max\{|ac|, |ad + bc|, |bd|\} \le 2 \max\{|a|, |b|\} \max\{|c|, |d|\} = 2H(P)H(Q). \]
Notice that the lower bound is the statement
\[ (1/2) \max\{|a|, |b|\} \max\{|c|, |d|\} \le \max\{|ac|, |ad + bc|, |bd|\}. \]
If it holds for $\mathbb{R}$, then it certainly holds for $\mathbb{Z}$. Then suppose $a, b, c, d \in \mathbb{R}$. We can then rescale so that $a, c = 1$, so it suffices to prove
(1/2) max1, [[ max1, [[ max1, [ +[, [[.
The inequality clearly holds if both [[, [[ are simultaneously not greater than one
or simultaneously not less than one. So suppose [[ 1 while [[ 1. Then we
have to consider three cases. If = 0 then the inequality holds, for (1/2)[[ [[.
If [[ (1/2) then we have (1/2)[[ [[. And finally if [[ < (1/2) then
[[ 2[[ 1 gives the desired inequality. In all cases the lower bound holds for
real numbers, and so will hold restricted to integers.
With the inequality of Lemma 14, we can prove the actual lemma needed to show $h_E$ satisfies the parallelogram law. Because $h_E$ is defined as a limit of $h$, we need some bound on the height. Namely
Lemma 15. There exists a constant $C$ such that for all $P, Q \in E(\mathbb{Q})$
\[ H(P + Q) H(P - Q) \le C H(P)^2 H(Q)^2. \]
Proof. Because we have an algebraic description of the group law, we can concretely write down the form of $P + Q$ and $P - Q$. Also, remember that $H$ evaluation on $P = [x : y : z] \in E(\mathbb{Q})$ is simply $H([x : z])$. Taking the Veronese embedding of $[x : z]$ and $[x' : z']$ from $Q$ gives the desired inequality.
Finally, we are in a position to prove $h_E$ satisfies the parallelogram law. As that equation involves sums, not products, we take the logarithm of both sides for Lemma 15 to obtain
\[ h(P + Q) + h(P - Q) \le 2h(P) + 2h(Q) + \log C. \]
This bound holds for all $P, Q$, so it is also true that
\[ 4^{-n} h(2^n (P + Q)) + 4^{-n} h(2^n (P - Q)) \le 4^{-n}\, 2h(2^n P) + 4^{-n}\, 2h(2^n Q) + 4^{-n} \log C. \]
Letting $n$ tend to infinity gives the upper bound, $h_E(P + Q) + h_E(P - Q) \le 2h_E(P) + 2h_E(Q)$, of the parallelogram law. Using the upper bound we obtain the lower bound: let $P' = P + Q$ and $Q' = P - Q$. As $P' + Q' = 2P$ and $P' = 2Q$, we have
\[ h_E(P') + h_E(Q') \le 2h_E\left(\frac{P' + Q'}{2}\right) + 2h_E\left(\frac{P'}{2}\right) = \frac{1}{2}\left(h_E(P' + Q') + h_E(P')\right), \]
where the second equality follows from the doubling formula that $h_E$ satisfies. Hence $h_E$ satisfies the parallelogram law. Consequently $\sqrt{h_E}$ gives a norm on $E(\mathbb{Q})$, and so we've shown $E(\mathbb{Q})$ is a finitely generated abelian group.
4. Further directions
As the classification of finitely generated abelian groups shows that $E(k)$ is isomorphic to some $\mathbb{Z}^r \oplus \mathbb{Z}/p_1^{i_1} \oplus \cdots \oplus \mathbb{Z}/p_n^{i_n}$, it is tempting to go further and attempt to fully characterize $E(k)$. Indeed, one method for doing so begins by viewing the elliptic curve as defined over $\mathbb{C}$, and showing the curve has the structure of a complex torus. Complex analytic methods can be used to derive a number of useful theorems about elliptic curves defined over number fields $k$. Just to start with, the group law on $E$ is the same as the group law on the complex torus. Alternatively, one can move to study higher dimensional analogues of elliptic curves. In [2], Husemöller makes the case that the proper higher dimensional generalizations are Calabi-Yau manifolds. Returning to the classification of $E(k)$, determining the rank of its free part is a difficult open problem which actually has a bounty. For more about this, see the Birch and Swinnerton-Dyer conjecture. Without a doubt, there is still plenty more that one can say about elliptic curves.
References
[1] Robin Hartshorne, Algebraic Geometry, Springer-Verlag, 1977.
[2] Dale Husemöller, Elliptic Curves, Springer-Verlag, 1987.
[3] Neal Koblitz, A Course in Number Theory and Cryptography, Springer-Verlag, 1987.
[4] J.S. Milne, Elliptic Curves, BookSurge Publishers, 2006.
[5] Brian Osserman, Lecture Notes on Algebraic Number Theory.
Department of Mathematics, University of California, Davis, CA 95616
E-mail address: azsorkin@math.ucdavis.edu
