Both the report itself and the OHP slides version are available (pdf). Content covered: hyperelliptic curves, points, divisors, mumford polynomials and the Picard group/Jacobian; the discrete logarithm problem; explicit group law computation; characteristic polynomial of Frobenius and Weil theorems/interval; group-theoretic approaches; Schoof’s algorithm, SEA in genus 1, genus 2 hybrid algorithms.

The plaque marking the discovery of the quarternions, Dublin.

I’ve spent the last three days in Dublin, and whilst there I couldn’t resist taking a rare opportunity for mathematical tourism. Hamilton figured out the structure of the quarternions in “a flash of genius” during a morning walk along Dublin’s royal canal, carving them into the nearby Brougham bridge. Whilst the carving does not survive, there is a plaque at the spot to mark this discovery, and it was that I set off to see.

Getting there doesn’t seem too difficult, though: I got the 120 bus from Parnell Street (conveniently close to my hotel on Parnell Square) to Broombridge road. This is the opposite of advice found elsewhere online, but the suggested 20 route doesn’t seem to exist any more. If you have a map, it’s easy enough to follow the bus route, but as I didn’t I just asked the driver to give me a shout when we got there. Brougham is pronounced broom, so all you need to do is to find where Broombridge road crosses the canal and (it turns out) railway tracks: presumably taking the western suburban line would be an even easier way to get there, as the platform is next to the bridge. Of course, I went the wrong way along Broombridge road, which is easily detected by reaching the end without finding a bridge!

It’s been described as “the least visited tourist attraction in Dublin”, partly because the area isn’t particularly appealing today but presumably because there aren’t that many mathematical tourists!

It does seem a shame that the site – and Hamilton – are so overlooked compared to the attention that, say, local authors or artists get. But it’s better than nothing, as mathematical tourist attractions are few and far between, especially outside of universities. The bridges of Königsberg are often suggested; I’d also be fascinated to tour Japan in search of sangaku. If you have other ideas, why not mention them in the comments?

Background: The Zeta function

Recall that the zeta function of a curve encodes information about the number of points over an infinite family of fields. For a curve C over the field F_q This is defined as

Thus, we can recover the cardinality over F_q^r by differentiating r times with respect to T, evaluating for T=0 and dividing through by (r-1)!. This is all well and good, provided that computing the zeta function is less work than simply testing points in the field directly. For this, we need a couple of results:

Weil Conjectures for curve C over F_q
We have

such that

with the α_i algebraic integers such that |α_i|=q^1/2.

For such α_i we then have

For F_q to be a field, q=p^r for some prime p. Thus we need only compute the zeta function over F_p to be able to retrieve #C(F_q) or indeed any higher #C(F_q^r). The question is, therefore, whether computing the zeta function for F_p is any easier than the naive point search. With Weil’s result, we can see that knowledge of #C(F_p),…,#C(F_p^2g) would, via some Taylor series trickery, be enough to determine P(T) and hence Z(T). If q is a high power of p, or we are interested in high powers of q, then this is already progress. But if q was itself a (potentially very large) prime, this approach would be useless for finding #C(F_q) since it would require knowledge of #C(F_q) (!) and at least #C(F_q²) too! Fortunately SAGE does not complain about searching over prime fields- there are a couple of algorithms – so we can restrict our attention to the original problem, that of composite q.

Elliptic Curves

Let us consider then the problem of finding #E(F_q^r) where q=p^s for a prime p with rs≥2 and E an Elliptic curve with coefficients from F_p. Then by the above we need only find #E(F_p) and #E(F_p²), which by brute force is rarely more work than finding #E(F_q^r)=#E(F_p^rs). But, since the genus is 1 the various results allow us to cut down our workload still further:

Weil Conjectures for Elliptic curve E over F_p

We have

such that

with the α_i algebraic integers such that |α_i|=p^1/2.

For such α_i we then have

It follows that α₁, α₂ are conjugates, so over F_p we have

and

So,

meaning that the zeta function can be constructed from just #E(F_p) as it is simply:

This then allows us to recover #E(F_q^r)=#E(F_p^rs) as desired, by repeated differentiation to recover the rs‘th coefficient.

Comparison

For an elliptic curve over a finite field, using SAGE to calculate the cardinality over a field of p^r elements by the “very, very stupid” algorithm rapidly gets impractical. For instance, for a given elliptic curve y²=x³+Ax+b with A,B from F₅ determining the cardinality takes about 0.04s over F₅; about a second over F₂₅, around 3.7s for F₁₂₅ and a tedious 19s over F₆₂₅. Implementing the approach above, asking for the cardinality of three such curves over F₆₂₅ is rapid enough in Maple to not register on its timer. This is despite my program lazily using brute force for the #E(F₅) calculations! (The same machine, with a 2.6ghz celeron processor, was used for each run; with Maple on Windows XP and SAGE in Xubuntu Linux; SAGE timings were for CPU rather than wall time.)

Smarter Still

In fact, if we only wish to determine a single #E(F_q^r) we can sidestep the construction of the zeta function by working with the α_p, since

Thus if α_p=a+bi then

and

So

will suffice, and again this requires only knowledge of #E(F_p).

Maple Source

The file ellCount contains Maple procedures for finding the cardinality of elliptic curves over finite fields (with coefficients from the prime subfield). Simply put, CountPoints(F,q) will find the number of points over the field of q elements for an Elliptic curve F=0. For instance, CountPoints(y^2-x^3-x-2,625) gives the cardinality of E: y²=x³+x+2 over F_5⁴ (should be 640). The route taken is to find points over F₅, determine α then directly calculate from the formula in the previous section. You can retrieve the zeta function with ellZeta(F,q), or ellZetap(F,p), if you know that q is prime (which saves Maple trying to determine the prime factor). Thus the number of points over F_q^r can be retrieved with getZetaCoeffr(Z,r) which performs the appropriate differentiation and scaling; this is useful to avoid having to calculate the number of solutions over the prime field, or indeed determine the prime, every time. ZetaCountPoints(F,q) behaves as CountPoints except it follows this alternative route.

A call to totalTrace(d,t) will scurry off and determine all degree d polynomials of trace t, provided neither your chosen trace or degree are too high (data tables only exist up to a certain point, and I wasn’t patient enough to implement much of what is known, either!). If you’re confident that the trace is sufficiently small to guarantee a building block from the set of exceptional polynomials S, you can use the fractionally faster totalTraceS(d,t) instead- it’ll tell you if you’re wrong!

Calling smallDefectPol(g) will, for a genus g, display the possible polynomials Q (whose roots are the β_i) corresponding to small defect curves (where small means at most 0.780022g, using the exceptional set S). You can get the types (of the form used e.g. by Serre) instead by calling smallDefectTypes(g).

Some defects that don’t meet the bound for small can nonetheless be computed with totalTrace(d,t), use its output as the argument for zetaTypes(X) to recover their corresponding types. This will become more useful if I add additional cases from the data tables.

Mazur’s Theorem

Let E/Q be an elliptic curve. Then the torsion subgroup E_tors(Q) is one of the following fifteen groups:

Z/nZ for 1≤n≤10 or n=12;

Z/2Z X Z/2nZ 1≤n≤4.

Further, each of these groups does occur as an E_tors(Q).

This result is particularly handy as it allows for an experimental approach to be taken, gathering enough computational evidence to determine which form the torsion subgroup takes; knowledge of the order of points being especially useful. For instance, the presence of an order 7 element instantly shows that E_tors(Q) is Z/7Z. Better still, there are results which aid in finding such points:

Nagell-Lutz Theorem

Let E/Q be an elliptic curve of the form

(that is, with the usual labelling of coefficients, a_1=a_3=0) with a,b,c integers. If P an element of E(Q) has finite order then x(P), y(P) are also integers.

Further, For such a point either y(P)=0 or y(P) divides

Hence for such curves it is sufficient to look for integer points; and only finitely many such points are suitable candidates for being torsion points.

Good and Bad Reduction

What of Elliptic curves not in the above form? It is possible to bound the number of torsion elements (and generate candidates) by working over finite fields (which I’ve coincidentally considered before). Save for finitely many primes of bad reduction – those which divide the discriminant of the elliptic curve – it transpires that the torsion subgroup maps injectively to E(F_p). For small primes, this is readily found without anything more sophisticated than brute force. Testing a number of primes can give an upper bound whilst naive searches for integer points can provide a lower bound: appealing again to Mazur’s theorem then usually settles the question.

Procedures

I’ve bundled together various Maple procedures based on these ideas as torsion_tools.mpl; they require gla.mpl. Various number theory subprocedures are included to make it all work (the numtheory package is invoked as well), but the following procedures should be the only ones you’re likely to need to work with directly.

ellorder(point)

gla.mpl comes with a procedure, modgetorder for calculating the order of a point when working modulo a prime; ellorder should now always be used instead. When working on gla, I’d been aware of the possibility of torsion points in non-finite fields, but didn’t know of any good way to ensure that a point was genuinely of infinite rather than very large order. However, due to the Nagell-Lutz result this is now easy: if any multiple of the point is non-integral, it cannot be a torsion point (since the multiple of a torsion point is a torsion point, and they have integral co-ordinates). Better still, Mazur’s theorem ensures that the maximum order of a torsion point is 12, so simply testing multiples will be fast. Thus ellorder performs repeated addition until either the group identity or a non-integral point is found, and (along with a test for the group identity as input) is therefore suitable regardless of whether you are working in a finite field. I’m keeping modgetorder around so that my earlier examples still work, hence ellorder lazily calls that when workModM is true.

torsion()

If workModM is set to true, then this simply tests all possible (x,y) pairs for membership of the curve. Any that are found are returned along with their order.

If a_1 and a_3 are both zero, then the Nagell-Lutz result holds and the algorithm given in Cremona’s book is implemented, with each point with positive y co-ordinate given, along with its order. From this it is usually obvious (by Mazur’s theorem) which group they come from; playing around with ncopies usually confirms this, or can be employed to give an explicit list of all points and the relationship between them.

Otherwise, alternative methods using reduction need to be employed, the use of which is described below.

testRange(x1,x2,y1,y2)

This provides a brute-force test of points (x,y) such that x1≤x≤x2 and y1≤y≤y2 for membership of the curve, paying attention to workModM. Whenever a point is found, it is displayed along with its order.

The variant testRangeQuiet takes the same arguments and performs a similar task, but instead returns a count of the number of points found and suppresses the points themselves. This is useful for comparing the upper bounds of several good reductions, which is precisely what the next procedure does.

boundTorsion(n)

This is actually just a wrapper for boundForOrder, feeding it the primes of bad reduction; n primes of good reduction are then used to place upper bounds on the size of the torsion subgroup; the least upper bound is found and displayed, along with the points found when working modulo that prime, which may give assist in identifying genuine torsion points.

I’m unsure as to whether 2 should always be rejected as a prime of bad reduction; if you wish to exclude it, call boundTorsion2 instead.

Examples

Exercise 8.12 of Silverman’s Arithmetic of Elliptic Curves supposedly gives examples of each possible type of torsion group; we can attempt to verify these using torsion_tools. (Start a maple worksheet and enter read "torsion_tools.mpl" to load them; this requires that both torsion_tools.mpl and gla.mpl be somewhere Maple can find them, typically your home directory.)

a) y²=x³-2

>a_1:=0;a_3:=0;a_2:=0;a_4:=0;a_6:=-2;
torsion();

Nagell-Lutz search for non-identity torsion points, with order, yields:

x, y, order

Nagell-Lutz theorem applies, but no points other than the identity are found. Thus we have Z/1Z i.e., the trivial group {0}.

b) y²=x³+8

>a_1:=0;a_3:=0;a_2:=0;a_4:=0;a_6:=8;
torsion();

Nagell-Lutz search for non-identity torsion points, with order, yields:

x, y, order

-2, 0, 2

We have one other point, of order 2; so the torsion subgroup is Z/2Z, consisting of the identity and (-2,0).

c) y²=x³+4

>a_1:=0;a_3:=0;a_2:=0;a_4:=0;a_6:=4;
torsion();

Nagell-Lutz search for non-identity torsion points, with order, yields:

x, y, order

0, 2, 3

We have a point (0,2) of order 3; so the torsion subgroup is clearly Z/3Z. We can explicity find all the elements of the group:

>> ncopies(1,0,2);

0, 2

> ncopies(2,0,2);

0, -2

> ncopies(3,0,2);

zero

So they are the identity, P=(0,2) and 2P=(0,-2).

d) y²=x³+4x

>a_1:=0;a_3:=0;a_2:=0;a_4:=4;a_6:=0;
torsion();

Nagell-Lutz search for non-identity torsion points, with order, yields:

x, y, order

0, 0, 2

2, 4, 4

Now things get slightly more interesting. We have an element P=(2,4) of order 4, so we have a subgroup of size 4 consisting of the multiples of P. Does this include the other point found, (0,0)?

> ncopies(1,2,4);

2, 4

> ncopies(2,2,4);

0, 0

> ncopies(3,2,4);

2, -4

> ncopies(4,2,4);

zero

Since it does, we can safely conclude that the torsion subgroup is Z/4Z.

e) y²-y=x³-x²

>a_1:=0;a_3:=-1;a_2:=-1;a_4:=0;a_6:=0;
torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {11}

To test l such primes call boundTorsion(l)

We are no longer in the convenient situation of being able to apply the Nagell-Lutz result. Thus we try to place a bound on the torsion:

> boundTorsion(10);

At most 5 points, example: working mod 5, brute force search for points on curve with order yields

0, 0, 5

0, 1, 5

1, 0, 5

1, 1, 5

4 points, plus point at infinity for a total of 5 points.

The torsion group can have no more than five elements, but it may of course have less. If, however, we can verify the existence of a point of order 5 (not working modulo a prime) then we are clearly done (note that after its calculations for various moduli, boundTorsion resets workModM to false.

> ncopies(5,0,0);
zero

So, as suspected, the group is Z/5Z with (0,0) a generator.

f) y²=x³+1

>a_1:=0;a_3:=0;a_2:=0;a_4:=0;a_6:=1;
torsion();
Nagell-Lutz search for non-identity torsion points, with order, yields:

x, y, order

-1, 0, 2

0, 1, 3

2, 3, 6

Another easy one; using ncopies it is readily verified that P=(2,3) is a generator for the other elements found, so the group is Z/6Z.

g) y²+y=x³-x+137

This one seems to be broken, given the structure of the exercise it should yield Z/7Z. However:

>a_1:=0;a_3:=1;a_2:=0;a_4:=-1;a_6:=167;
> torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {11, 659, 1667}

To test l such primes call boundTorsion(l)

> boundTorsion(10);

At most 1 points, example: working mod 2, brute force search for points on curve with order yields

0 points, plus point at infinity for a total of 1 points.

Or, excluding the prime 2,

> boundTorsion(2);
At most 4 points, example: working mod 3, brute force search for points on curve with order yields

0, 1, 2

1, 1, 2

2, 1, 2

3 points, plus point at infinity for a total of 4 points.

So in neither case can there be an element of order 7.

h) y² + 7xy =x³+16x

>a_1:=7;a_3:=0;a_2:=0;a_4:=16;a_6:=0;
> torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {2, 3, 17}

To test l such primes call boundTorsion(l)

> boundTorsion(10);

At most 8 points, example: working mod 7, brute force search for points on curve with order yields

0, 0, 2

4, 3, 4

4, 4, 4

5, 3, 8

5, 4, 8

6, 2, 8

6, 5, 8

7 points, plus point at infinity for a total of 8 points.

By Mazur’s Theorem, a torsion group with 8 elements (assuming there is no better bound) could be Z/8Z, or Z/2Z X Z/4Z. Thus we need to test for the existence of an order 8 element; the points found above being possibilities. However, ncopies confirms they are not suitable, so we try a brute-force search:

> testRange(-20,20,-20,20);

-8, 16, 8

-2, 4, 8

-2, 10, 8

0, 0, 2

4, 4, 4

5

So, for instance, P=(-2,10) – corresponding to (5,3) mod 7 – is of order 8, so we have Z/8Z.

i) y²+xy+y=x³-x²-14x+29

>a_1:=1;a_3:=1;a_2:=-1;a_4:=-14;a_6:=29;
> torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {2, 3}

To test l such primes call boundTorsion(l)

> boundTorsion(10);

At most 9 points, example: working mod 11, brute force search for points on curve with order yields

1, 3, 3

1, 6, 3

3, 1, 9

3, 6, 9

8, 6, 9

8, 7, 9

9, 4, 9

9, 8, 9

8 points, plus point at infinity for a total of 9 points.

We suspect Z/9Z, and indeed ncopies(9,3,1) gives zero, so the suspicion is correct.

j) y²+xy=x³-45x+81

>a_1:=1;a_3:=0;a_2:=0;a_4:=-45;a_6:=81;
> torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {2, 3, 11}

To test l such primes call boundTorsion(l)

> boundTorsion(10);

At most 10 points, example: working mod 13, brute force search for points on curve with order yields

0, 4, 10

0, 9, 10

2, 12, 2

5, 10, 5

5, 11, 5

6, 3, 5

6, 4, 5

7, 2, 10

7, 4, 10

9 points, plus point at infinity for a total of 10 points.

(0,4) fails, but (0,9) turns out to genuinely be of order 10 (using ellorder, for a change!). So this gives rise to a torsion group of Z/10Z.

k) y²+43xy-210y=x³-210x²

>a_1:=43;a_3:=-210;a_2:=-210;a_4:=0;a_6:=0;
> torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {2, 3, 5, 7, 13}

To test l such primes call boundTorsion(l)

> boundTorsion(10);

At most 12 points, example: working mod 17, brute force search for points on curve with order yields

0, 0, 12

0, 6, 12

6, 0, 6

6, 3, 6

9, 13, 4

9, 14, 4

11, 10, 12

11, 16, 12

13, 1, 3

13, 7, 3

14, 8, 2

11 points, plus point at infinity for a total of 12 points.

(0,0) is of order 12, so the torsion group is Z/12Z.

l) y²=x³-4x

> a_1:=0;a_3:=0;a_2:=0;a_4:=-4;a_6:=0;
> torsion();
Nagell-Lutz search for non-identity torsion points, with order, yields:

x, y, order

-2, 0, 2

0, 0, 2

2, 0, 2

Since we were able to use Nagell-Lutz, this is all the points with positive y co-ordinate. Along with the identity, there are thus at least 4 points, but none of order 4. So by Mazur’s theorem we have Z/2Z X Z/2Z, so the points above must be related. We can confirm this:

> P:=-2,0;

P := -2, 0

> Q:=0,0;

Q := 0, 0

> ella(P,Q);

2, 0

So we can think of the group as {0,P} X {0,Q}.

m) y²+xy-5y = x³ -5x²

Again, I’m unsure as to whether or not 2 should always be avoided as a prime of bad reduction since it is also misleading here, claiming no more than 4 elements. Using boundTorsion2 (and then ellorder) we find P=(0,0) of order 4, and Q=(1,2) of order 2; Q is not 2P so they are independent, that is, there are 8 elements in contradiction to the result when reducing modulo 2. The torsion group therefore appears to be (in line with the structure of the exercise) {0,Q} X {0,P} = Z/2Z X Z/4Z.

n) y²+5xy-6y=x³-3x²

> a_1:=5;a_3:=-6;a_2:=-3;a_4:=0;a_6:=0;
> torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {2, 3, 5}

To test l such primes call boundTorsion(l)

> boundTorsion(10);

At most 12 points, example: working mod 17, brute force search for points on curve with order yields

0, 0, 6

0, 6, 6

2, 15, 2

3, 0, 3

3, 8, 3

5, 16, 2

11, 1, 2

12, 1, 6

12, 13, 6

14, 1, 6

14, 3, 6

11 points, plus point at infinity for a total of 12 points.

P=(0,0) has order 6, whilst the suggestion of 12 points yet none of order 12 implies Z/2Z X Z/6Z. None of the potential order 2 points above have finite order when not working modulo 17; so we search by brute force:

> testRange(-10,10,-10,10);

-3, 3, infinity

0, 0, 6

0, 6, 6

2, -2, 2

3, -9, 3

3, 0, 3

6

This turns up a point Q=(2,-2) of order 2; we must verify it is not generated by P:

> ncopies(2,0,0);

3, -9

> ncopies(3,0,0);

-6, 18

> ncopies(4,0,0);

3, 0

> ncopies(5,0,0);

0, 6

As this is not the case, we conclude that the group is {0,Q} X {0,P} = Z/2Z X Z/6Z.

o) y²+17xy-120y = x³-60x²

> a_1:=17;a_3:=-120;a_2:=-60;a_4:=0;a_6:=0;
> torsion();
Error, expected a_1=a_3=0

Try working with reduced curve modulo a prime not from the set {2, 3, 5, 7}

To test l such primes call boundTorsion(l)

> boundTorsion(10);

At most 16 points, example: working mod 19, brute force search for points on curve with order yields

0, 0, 8

0, 6, 8

3, 0, 4

3, 12, 4

5, 8, 2

7, 3, 4

7, 17, 4

8, 9, 8

8, 13, 8

11, 4, 8

11, 5, 8

12, 14, 8

12, 16, 8

17, 1, 2

18, 2, 2

15 points, plus point at infinity for a total of 16 points.

Again, P=(0,0) turns out to be a legitimate point of order 8; it generates 2P=(60,-900), 3P=(-30,180), 4P=(24,-144), 5P=(-30,450), 6P=(60,0), 7P=(0,120). None of the suggested points of order 2 work, so again we search, this time over much larger ranges (given the values for multiples of P)-

> testRange(-500,500,-500,500);

-40, 400, 2

-30, 180, 8

-30, 450, 8

-12, 36, 4

-12, 288, 4

0, 0, 8

0, 120, 8

24, -144, 2

30, -300, 8

30, -90, 8

60, 0, 4

11

Q=(-40,400) is of order 2 and not a multiple of P, so we have {0,Q} X {0,P} = Z/2Z X Z/8Z for the torsion subgroup.

This also makes it much more likely that you’ll be interested in the order of a point, so a procedure modgetorder is included to calculate this by brute force- that is, repeated addition until the zero element is reached.

This makes questions of the type I faced in MA40188: Algebraic Curves much easier. For instance, consider the curve

Over the field with 37 elements, and with a suitable dehomogenisation, the point P: (x,y)=(0,23) is easily verified as an element of E. Then we may easily determine the point Q=-2P, the third intersection of E with the tangent to E at P:

>read "gla.mpl";

> a_1:=0;a_2:=0;a_4:=-9;a_3:=0;a_6:=11;

>workModM:=true;

>

>M:=37;

>Q:=ncopies(-2,0,23);

1,22

So Q=(1,22). Further, Q is an inflexion point: that is, the tangent to E at Q meets E three times at Q. In terms of the group law, this means -2Q=Q, or equivalently 3Q=0. We can verify this in a couple of ways:

> ncopies(3,Q);

zero

> modgetorder(Q);

3

Since Q=-2P and 3Q=0, it should follow that 6P=0. Which, fortunately, it does:

> modgetorder(0,23);

6

Example 1

We consider example 2.4/problem 3.4 from Silverman;

By inspection we can identify some integer points, such as P₁=(-2,3) and P₃=(2,5). A brute force search for x in the range -1000 to 1000 generates the following results-

> #naive point search;

> for k from -1000 to 1000 do

> if(type(simplify((k^3+17)^(1/2)),integer)) then print(k,simplify((k^3+17)^(1/2))); end;

> end;

-2, 3

-1, 4

2, 5

4, 9

8, 23

43, 282

52, 375

Silverman tells us there is a further point, P₈=(5234,378661), plus we have missed all the inverses of our points (since only the positive square root was computed). Brute force on the range -6000 to 6000 of course uncovers P₈, but this computation takes 70.6 seconds, 10.24mb of memory and produces alarming sounds from my new office computer. Silverman observes that (due to a result of Nagell) the rational points are generated by integer combinations of P₁, P₃, so we can proceed by testing some of these instead:

> read "gla.mpl";

> a_1:=0;a_3:=0;a_2:=0;a_4:=0;a_6:=17; #setting
up the curve;

>#smarter search

> for i from -5 to 5 do

> for j from -5 to 5 do

> if(type(mnadd(i,j,-2,3,-1,4)[1],integer) and type(mnadd(i,j,-2,3,-1,4)[2],integer)) then print(i,j,mnadd(i,j,-2,3,-1,4));

> end if;

> end:

> end:

-3, -2, 43, -282

-2, -3, 5234, -378661

-2, -1, 2, -5

-2, 0, 8, 23

-1, -1, 4, 9

-1, 0, -2, -3

-1, 1, 52, -375

0, -1, -1, -4

0, 1, -1, 4

1, -1, 52, 375

1, 0, -2, 3

1, 1, 4, -9

2, 0, 8, -23

2, 1, 2, 5

2, 3, 5234, 378661

3, 2, 43, 282

All sixteen points are recovered in 0.02 seconds, consuming merely 0.31mb of memory!

Of course, for this example I’m cheating somewhat because I know where I’d like to get to in that I know this list is complete; although a priori there’s no indication of how large the arguments m,n needed to be to generate points such as P₇ or P₈. Nonetheless, this indicates that the procedures allow for more rapid exploration of points on the curve, even if they don’t prove anything (besides existence) by themselves.

Example 2

Maple’s own algcurves package can also be useful to tackle problems given in projective terms. For instance, we can rapidly demonstrate the first result claimed in Exercise 3.3b. Here we are concerned with the curve

which homogenizing away from Z=0 gives

However, this is not of Weierstrass form; but we can retrieve this from Maple:

> with(algcurves):

> f:=x^3+y^3-A

> Weierstrassform(f,x,y,x0,y0)

This yields

But this is not quite of the Weierstrass form as used in Silverman; we substitute -x₀ for x₀ to arrive at

That is, we have that the curve coefficients a_i are all zero except a₆=27A²/4; we also have an isomorphism φ between E and its Weierstrass form given coordinatewise. We can verify with the procedure j_invariant that these are indeed the same curve (it turns out to have j invariant zero, too). Moreover, we can show the desired result, that

For this, let P=(x_0,y_0) a point on the curve in Weierstrass form. Then we compute -P:

> a_1:=0;a_3:=0;a_2:=0;a_4:=0,a_6=-27*A^2/4:

> read "gla.mpl":

> ellm(x_0,y_0);

x_0, -y_0

Then, identifying P with a projective point via the isomorphism, we find

Which is the desired result.

Overview

These maple procedures implement the group law algorithm for an elliptic curve as given in Chapter III Section 2.3 of Silverman’s The Arithmetic of Elliptic Curves. In particular, they can handle the group identity symbolically as it arises during calculations.

Loading the procedures

The procedures can be downloaded as the maple file gla.mpl, which should be placed in whatever directory Maple expects to find it. To be more helfpul, this is probably your home directory on Unix based systems; on Windows it could be the application directory, although if you invoke maple by opening a worksheet, it’ll be the directory that sheet resides in. If you’re unsure, entering the following:

> x:=5;

> save x, "test.m";

Will create a file test.m which you can then search for to determine the appropriate directory.

Having established where the file goes, you then need to read it into Maple:

> read "gla.mpl";

Which after some shameless self-promotion gives you the procedures. The assumption is that you have an Elliptic curve given by a Weierstrass equation determined by coefficients a₁,…,a₆ as in Silverman:

You can of course work in full generality without defining these coefficients. The point at infinity is referred to as zero, whilst a point P=(x,y) can be specified as x,y (using (x,y) will likely give errors).

The procedures

Looking at the source you’ll find various procedures, some of which are only needed for the internal workings- in particular, elladd cannot handle zero and should not be used directly. The operations available are:

Elliptic addition (ella)

Addition with the group law is achieved by a call to the ella procedure; a typical call is ella(x1,y1,x2,y2) to compute x1,y1+x2,y2=P₁⊕P₂; however, you may substitute zero for either or both points (for instance, ella(zero,x,y) is valid). In accordance with 2.3(b) this either returns zero or x(P₁+P₂),y(P₁+P₂).

Inverse of a point (ellm)

Given a point P=(x,y), ellm(x,y) returns the group inverse, i.e., the point -P. zero is understood and is its own inverse.

Integer multiples (ncopies)

Repeated iteration of ella for a single point P=(x,y) is made available by ncopies(n,x,y), for n an integer. As before, zero may be (somewhat pointlessly) subsituted for x,y. Care is taken to ensure zero is appropriately handled at each stage, and thus may be returned as an answer (always, for n=0). Negative values of n are of course handled by returning n copies of -P, so this provides an alternative to ellm.

Addition of integer multiples (mnadd)

For convenience, two such integer multiples [m]P₁,[n]P₂ can be added using mnadd(m,n,x1,y1,y2); as usual zero can replace a pair of coordinates (or both).

To save carrying the original paperwork about, and to give myself a recap on the material, I’ve written up the lecture notes from MA40037:Galois Theory as taught at the University of Bath by Geoff Smith.

The content is broadly as follows: Rings, Integral Domains, Fields of Fractions, Units, Ideals, Homomorphisms, The First Isomorphism Theorem, The Chinese Remainder Theorem, Irreducibles, Field Extensions, Characteristic, Minimal Polynomials and Algebraic Numbers, Galois Theory.

The notes very closely match those I made and hence the lectures given, except the section on the Chinese Remainder Theorem, which was adapted from problem sheets. There have been various minor linguistic tweaks, but few mathematical ones.

It should be noted (to avoid confusion under composition) that the convention of writing function arguments to the left (i.e., (x)f rather than f(x)) is adopted here; and that square brackets are sometimes used for factors in polynomials where these appear in expressions also featuring function or polynomial evaluations (which are denoted by round brackets).

Proof reading would be appreciated!

To calculate the moments requires knowledge of a particularly elusive coefficient g_k, about which very little is known: g₀ is trivially 1, Hardy and Littlewood established that g₁=1 in the early part of the 20th century, Ingham proved that g₂=2 in 1926. No progress was made until 1995, when Conrey and Ghosh conjectured that g₃ was, of all things, 42. At a conference in Vienna, Conrey and Gonek planned to present a conjecture for g₄; yet the random matrix theorists had a conjecture for all values of k. Following some frantic checking at a blackboard, it was confirmed that the two conjectures agreed for g₄=24024: and thus that quantum physics really could offer predictions about number theory!

One of my lecturers plugged the coefficients 1,1,2,42,24024 into the OEIS, and just one result comes up, sequence A039622. Curiously, this is about Young diagrams, which are linked to irreducible representations of the symmetric group. Young Tableau themselves describe a fairly elegant number theory puzzle. I’ve been studying representation theory this semester, and I’m always amazed by how different strands of mathematics can pull together like this- from quantum theory to distribution of primes to symmetry, somehow they’re all woven together.

For an overview of the current status of work on the Riemann Hypothesis, including Random Matrix Theory, see this article by Conrey. Marcus Du Sautoy’s the music of the primes also mentions Nina’s work, and Riemann’s own study of problems in Physics alongside the zeta function.