
Université de Rennes I, 1st Semester 2013-2014

Introduction to elliptic curves

By
Christophe RITZENTHALER

These are notes of a course taught at Rennes in the first semester 2013-2014. They
can be found on http://perso.univ-rennes1.fr/christophe.ritzenthaler/.
Please send comments and corrections to me at christophe.ritzenthaler@univ-rennes1.fr.

Notation and convention. The integer $q$ is a power $p^n$, $n > 0$, of a prime $p$, and $k$ is a
finite field of cardinality $q$. The letter $K$ denotes any (perfect) field of characteristic $p$, where
$p$ can be $0$ as well.
Contents

1 Introduction to elliptic curves (p. 1)
1.1 Some definitions (p. 1)
1.1.1 First definition of an elliptic curve (p. 1)
1.1.2 Second definition (p. 3)
1.1.3 Third definition (p. 3)
1.1.4 Isomorphisms (p. 4)
1.2 The group law (p. 6)
1.2.1 Definition (p. 6)
1.2.2 Torsion points (p. 7)
1.2.3 The Weil pairing (p. 8)

2 Elliptic curves over finite fields (p. 11)
2.1 Number of points on elliptic curves over finite fields: theory (p. 11)
2.1.1 An example and an easy result (p. 11)
2.1.2 Hasse-Weil bound: first proof (p. 11)
2.1.3 Hasse-Weil bound: second proof (p. 12)
2.1.4 A case of the Weil conjectures (p. 20)
2.1.5 Supersingular elliptic curves (p. 21)
2.2 Number of points on elliptic curves over finite fields: practice (p. 22)
2.2.1 Counting points (p. 22)
2.2.2 Baby steps-giant steps (p. 22)
2.2.3 To work with extensions (p. 23)
2.2.4 Schoof method (p. 23)

3 Pairings (p. 25)
3.1 Review on divisors (p. 25)
3.2 The Weil pairing (p. 26)
3.3 Computation of the Weil pairing: practice (p. 29)

4 Tutorial sessions (Travaux Dirigés) (p. 31)
4.1 TD 1 (p. 31)
4.1.1 Problem statements (p. 31)
4.1.2 Solutions (p. 33)
4.2 TD 2 (p. 35)
4.2.1 Problem statements (p. 35)
4.2.2 Solutions (p. 36)
4.3 TD 3 (p. 38)
4.3.1 Problem statements (p. 38)
4.3.2 Solutions (p. 39)
4.4 TD 1 on algebraic geometry (p. 40)
4.4.1 Problem statements (p. 40)
4.4.2 Solutions (p. 44)
4.5 TD 2 on algebraic geometry (p. 46)
4.5.1 Problem statements (p. 46)
4.5.2 Solutions (p. 48)

5 Appendices (p. 49)
5.1 Nullstellensatz (p. 49)
5.2 Bézout theorem (p. 51)
1 Introduction to elliptic curves

1.1 Some definitions


1.1.1 First definition of an elliptic curve

Definition 1.1.1. A Weierstrass equation of an elliptic curve $E$ over a field $K$ is

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

where $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$, where $\Delta$ is the discriminant of $E$ and is defined
as follows:

$$\Delta = -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6,$$
$$b_2 = a_1^2 + 4 a_2,$$
$$b_4 = 2 a_4 + a_1 a_3,$$
$$b_6 = a_3^2 + 4 a_6,$$
$$b_8 = a_1^2 a_6 + 4 a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2.$$

This definition calls for several comments.

A non-singular algebraic affine curve defined over K

The previous equation defines an algebraic affine curve since it is given by a polynomial
in two variables in the affine plane. It is defined over $K$, meaning that the coefficients of
the equation are in $K$.
To any affine curve $C$ given by an equation $C : f(x, y) = 0$, where $f \in K[x, y]$, one can
associate the set of its $K$-rational points, i.e.

$$C(K) := \{(a, b) \in K^2 : f(a, b) = 0\}.$$

Note that this set can be empty (for instance $x^2 + y^2 = -1$ over $\mathbb{R}$), so the set of points
does not determine the equation of the curve. However, if $K$ is algebraically closed and
if $f$ is irreducible (check it by looking at $f$ as a polynomial of degree 2 in $y$), then $f$ is
uniquely determined by $C(K)$ up to a scalar multiplier. For this reason, it is important
to be able to consider the set of points of a curve $C/K$ not only over $K$ but over all
extensions of $K$. In particular, we simply call a $\bar{K}$-rational point a point of $C$.
The condition $\Delta \neq 0$ ensures that $E$ has no singular point. Let us check this in the case
$a_1 = a_3 = a_2 = 0$ and $\operatorname{char} K \neq 2, 3$. A point $P = (a, b) \in E(\bar{K})$ is singular if and only if
$\partial f/\partial x\,(a, b) = \partial f/\partial y\,(a, b) = 0$, where $f = y^2 - (x^3 + a_4 x + a_6)$. Hence we get

$$2b = 0, \qquad -(3a^2 + a_4) = 0, \qquad b^2 - (a^3 + a_4 a + a_6) = 0.$$

This means that $b = 0$ and $a$ is a root of $x^3 + a_4 x + a_6$ and of its derivative, i.e.
$a$ is a double root. This can happen if and only if the discriminant of this polynomial is
zero, i.e. if and only if $-(4 a_4^3 + 27 a_6^2) = \Delta/16 = 0$.
Let us draw pictures over $\mathbb{R}$.

An abstract curve

We have not defined what an elliptic curve is! We only gave an equation of this object.
One has to understand that an elliptic curve is an abstract object that can have many
avatars (models), a model given by a Weierstrass equation being one of them. Here are other
examples:

1. Quartic equations: $y^2 = f(x)$ with $f$ a degree 4 polynomial without multiple roots;

2. Hessian model: $x^3 + y^3 + z^3 = dxyz$;

3. Intersection of quadrics in $\mathbb{P}^3$: $x^2 + z^2 = ayt$ and $y^2 + t^2 = axz$;

4. Edwards model: $x^2 + y^2 = 1 + d x^2 y^2$.

To keep it simple, we will however often conflate an elliptic curve with its
Weierstrass equation, but one has to keep in mind that in general an abstract curve
$\neq$ a model of the curve $\neq$ an equation of the curve.

1.1.2 Second definition

An affine version of a curve is often incomplete, for instance in terms of Bézout's theorem.
It is then better to consider a projective version.

Definition 1.1.2. A (projective) Weierstrass equation of an elliptic curve $E$ over a field
$K$ is

$$\bar{E} : y^2 z + a_1 xyz + a_3 yz^2 = x^3 + a_2 x^2 z + a_4 xz^2 + a_6 z^3$$

where $a_1, a_2, a_3, a_4, a_6 \in K$ and $\Delta \neq 0$.

This is not surprising. More generally, considering an affine curve $C : f(x, y) = 0$,
one obtains its projective version by defining the curve $\bar{C} : \bar{f}(x, y, z) = 0$, where $\bar{f}$ is the
homogeneous polynomial associated to $f$, i.e. such that $\bar{f}(x, y, 1) = f(x, y)$.
What does it mean for the points of $\bar{E}$? Recall that the $K$-rational points of the
projective plane $\mathbb{P}^2$ are the projective points given by the equivalence classes of triples
$(x, y, z) \in K^3 \setminus \{(0, 0, 0)\}$ under the multiplicative action of $K^*$. Since the projective
equation of $\bar{E}$ is homogeneous, it makes sense to speak about the equivalence classes $(x : y : z)$
which satisfy the equation of the curve, and this defines the set $\bar{E}(K)$. Among these
points, we can distinguish:

- the affine points of $\bar{E}$, i.e. the ones with $z \neq 0$. We can hence find a representative
with $z = 1$, and with this normalization the affine points of $\bar{E}$ are the points of
$E$;

- the points at infinity of $\bar{E}$, i.e. the ones with $z = 0$. Letting $z = 0$ in the equation,
we get $x^3 = 0$, so there is a unique point at infinity, which is denoted $O = (0 : 1 : 0)$.

By a change of coordinates, one can prove that the point $O$ is non-singular: around
$O$ (setting $y = 1$), we have the affine equation $z + a_1 xz + a_3 z^2 = x^3 + a_2 x^2 z + a_4 xz^2 + a_6 z^3$, and the
derivatives with respect to $x$ and $z$ at the point $O$ are $0$ and $1$. Hence the model $\bar{E}$ is a
non-singular projective curve. Since $E$ and $\bar{E}$ are so closely related, we often drop the
adjective "projective" or the bar in our speech.

1.1.3 Third definition

Just for the sake of completeness, let us give the abstract definition of an elliptic curve.

Definition 1.1.3. An elliptic curve over a field $K$ is a projective non-singular curve of
genus 1 with a $K$-rational point $O$.

The genus is a topological invariant which is a non-negative integer. Hence if two
curves have different genus, they cannot be transformed into each other in a continuous
way without introducing singularities. This defines a stratification of the set of
curves of growing complexity according to the genus. Note that the genus 0 algebraic
curves are the ones which admit a parametrization, for instance the conics, i.e. plane
curves given by a projective equation of degree 2. One can prove that an elliptic curve
does not admit a parametrization. Since it can be given by a degree 3 equation, it is
somehow the simplest example after the conics. Note that if $\Delta$ were zero, one can
check that a parametrization exists.

Remark 1.1.4. To go even further and make the link with our initial definition, we'd have
to use the Riemann-Roch theorem to see that we can obtain an embedding of our abstract
curve as a plane curve using the Riemann-Roch space associated to the divisor $3O$ (see
[Sil92, Prop.III.3.1]).

Remark 1.1.5. At least over $\mathbb{C}$, one can see that the genus of an elliptic curve is 1.
First, one has to understand that an elliptic curve can be given as $\mathbb{C}$ modulo a lattice
through the so-called Weierstrass $\wp$-function (see DH ??). But $\mathbb{C}$ modulo a lattice is
a complex torus, and it is well known that the genus counts the number of holes in a
compact Riemann surface.

Figure 1.1: A complex torus

1.1.4 Isomorphisms

Between two algebraic varieties there is a natural notion of morphisms, which are maps
described by polynomials. We will choose an ad hoc definition for isomorphisms between
Weierstrass models.

Definition 1.1.6. Two elliptic curves $E_1$ and $E_2$ defined over $K$ and given by Weierstrass equations

$$E_1 : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$
$$E_2 : y^2 + a_1' xy + a_3' y = x^3 + a_2' x^2 + a_4' x + a_6',$$

are said to be isomorphic over $K$ if there exist $u, r, s, t \in K$ with $u \neq 0$ such that the
change of variables

$$(x, y) \mapsto (u^2 x + r,\ u^3 y + u^2 s x + t)$$

transforms the equation of $E_1$ into the equation of $E_2$ (up to a non-zero scalar multiplier,
of course).
If $E_2 = E_1$, such a transformation is called an automorphism of $E_1$.

If the characteristic of $K$ is different from 2, one can simplify a Weierstrass model
by completing the square on the left: replacing $y$ by $y - (a_1/2)\, x - a_3/2$, we get
$y^2 = x^3 + (b_2/4)\, x^2 + (b_4/2)\, x + b_6/4$, where the $b_i$ are defined in Sec. 1.1.1.
Moreover, if the characteristic of $K$ is different from 3, one can eliminate the coefficient
in front of $x^2$, getting a simplified Weierstrass model of the form $y^2 = x^3 + ax + b$. As
the properties we are interested in do not depend on the model up to isomorphism (over
$\bar{K}$), we will often consider this model when the characteristic is not 2 or 3.

Is there a simple way to see if two Weierstrass models are isomorphic over an algebraically
closed field $\bar{K}$? Such a classical problem is part of the general theory of
invariants, and in this case the answer is simple. Let us start with two simplified Weierstrass
models $y^2 = x^3 + ax + b$ and $y^2 = x^3 + a'x + b'$. It is easy to see that the
only possible transformation is $a = u^4 a'$ and $b = u^6 b'$ for some $u \in \bar{K}^*$. There exists
such a $u$ if and only if $a'^3/b'^2 = a^3/b^2$. However, this makes no sense if $b$ or $b'$ is zero.
There is one quantity which we know is never 0: the discriminant $\Delta$. Here we have
$\Delta = -16(4a^3 + 27b^2)$ and $\Delta' = -16(4a'^3 + 27b'^2)$. Hence we can get the same result
using the well-defined $j$-invariant

$$j := -1728\,(4a)^3/\Delta.$$

Proposition 1.1.7. Two simplified Weierstrass models are $\bar{K}$-isomorphic if and only
if they have the same $j$-invariant. Moreover, given $j_0 \in K$, there exists a Weierstrass
model over $K$ with $j$-invariant equal to $j_0$.

Proof. The direct implication is trivial. Conversely, assume that two simplified Weierstrass
models have the same $j$-invariant; then from

$$(4a)^3/(4a^3 + 27b^2) = (4a')^3/(4a'^3 + 27b'^2),$$

we get

$$a^3 b'^2 = a'^3 b^2.$$

- If $a = 0$ then $b \neq 0$ (since $\Delta \neq 0$) and we can take $u = (b/b')^{1/6}$.

- If $b = 0$ then $a \neq 0$ and we can take $u = (a/a')^{1/4}$.

- If $ab \neq 0$ then we can take $u = (a/a')^{1/4} = (b/b')^{1/6}$.

Finally, if $j_0 \neq 0, 1728$, we can compute that the $j$-invariant of

$$E : y^2 + xy = x^3 - \frac{36}{j_0 - 1728}\, x - \frac{1}{j_0 - 1728}$$

is $j_0$. To complete the list, one can use $y^2 + y = x^3$, with $j$-invariant 0, and $y^2 = x^3 + x$,
with $j$-invariant 1728.

This can be extended to all Weierstrass models (and then to characteristic 2 and 3)
by defining $c_4 = b_2^2 - 24 b_4$ and $j = c_4^3/\Delta$.
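The quantities of Definition 1.1.1 and of this section can be checked by machine. The following block is an added example, not code from the notes: it computes the $b_i$, $\Delta$, $c_4$ and $j$ of a general Weierstrass equation exactly over $\mathbb{Q}$ (so characteristic 0, where the simplification to $y^2 = x^3 + ax + b$ is allowed), tests Proposition 1.1.7 on two short models related by $(a, b) \mapsto (u^4 a, u^6 b)$, and builds the curve with prescribed $j_0$ from the proof. The function names and the test curves are this example's own choices.

```python
# Added example (not from the notes): the invariants of Definition 1.1.1 and Section 1.1.4
# for a general Weierstrass equation over Q, computed exactly with fractions.
from fractions import Fraction


def b_invariants(a1, a2, a3, a4, a6):
    """b_2, b_4, b_6, b_8 as in Definition 1.1.1."""
    b2 = a1 * a1 + 4 * a2
    b4 = 2 * a4 + a1 * a3
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return b2, b4, b6, b8


def discriminant(a1, a2, a3, a4, a6):
    """Delta = -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6; non-singular iff Delta != 0."""
    b2, b4, b6, b8 = b_invariants(a1, a2, a3, a4, a6)
    return -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6


def j_invariant(a1, a2, a3, a4, a6):
    """j = c_4^3 / Delta with c_4 = b_2^2 - 24 b_4 (general form, end of Section 1.1.4)."""
    delta = discriminant(a1, a2, a3, a4, a6)
    if delta == 0:
        raise ValueError("singular model (Delta = 0): the j-invariant is undefined")
    b2, b4, _, _ = b_invariants(a1, a2, a3, a4, a6)
    c4 = b2 * b2 - 24 * b4
    return Fraction(c4 ** 3) / Fraction(delta)


def simplified_model(a1, a2, a3, a4, a6):
    """Short model y^2 = x^3 + A x + B (characteristic not 2 or 3): complete the square as in
    Section 1.1.4, then substitute x -> x - b_2/12 to kill the x^2 term."""
    b2, b4, b6, _ = b_invariants(a1, a2, a3, a4, a6)
    A = Fraction(b4) / 2 - Fraction(b2 * b2) / 48
    B = Fraction(b6) / 4 - Fraction(b2 * b4) / 24 + Fraction(b2 ** 3) / 864
    return A, B


def j_of_short_model(A, B):
    """j = -1728 (4A)^3 / Delta with Delta = -16(4A^3 + 27B^2), as in Section 1.1.4."""
    delta = -16 * (4 * A ** 3 + 27 * B ** 2)
    if delta == 0:
        raise ValueError("singular short model (Delta = 0)")
    return Fraction(-1728) * (4 * A) ** 3 / delta


def is_isomorphic_over_closure(A, B, A2, B2):
    """Proposition 1.1.7: two short models are Kbar-isomorphic iff their j-invariants agree."""
    return j_of_short_model(A, B) == j_of_short_model(A2, B2)


def model_with_j(j0):
    """(a1, a2, a3, a4, a6) of the curve from the proof of Proposition 1.1.7, for j0 not 0 or 1728:
    y^2 + xy = x^3 - 36/(j0 - 1728) x - 1/(j0 - 1728)."""
    k = Fraction(j0) - 1728
    if k == 0 or j0 == 0:
        raise ValueError("use y^2 + y = x^3 (j = 0) or y^2 = x^3 + x (j = 1728) instead")
    return (1, 0, 0, -36 / k, -1 / k)


if __name__ == "__main__":
    # constructed sample: y^2 + y = x^3 - x has Delta = 37 and j = 110592/37
    print(discriminant(0, 0, 1, -1, 0), j_invariant(0, 0, 1, -1, 0))
    print(simplified_model(0, 0, 1, -1, 0), j_invariant(*model_with_j(2)))
```

The sample curve $y^2 + y = x^3 - x$ shows the point of the $c_4$ definition: its simplified model is $y^2 = x^3 - x + 1/4$, and both models return the same $j$, while $(a, b)$ and $(u^4 a, u^6 b)$ are recognised as isomorphic over $\bar{K}$ although their discriminants differ by $u^{12}$.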

1.2 The group law

1.2.1 Definition

The main reason to care about elliptic curves is that they carry an interesting structure,
namely their points form a group under a certain addition law that we will describe
now. Let $P, Q \in E$ be two points, let $L$ be the line connecting $P$ and $Q$ (tangent to $E$
if $P = Q$), and let $R$ be the third point of intersection of $L$ with $E$, which exists by Bézout. Let $L'$ be
the line connecting $R$ and $O$. Then $P + Q$ is the residual point of intersection of $L'$ and
$E$.

Figure 1.2: Addition on an elliptic curve

Theorem 1.2.1. Let $E/K$ be an elliptic curve. The previous operation is a commutative
group law on $E(K')$ for all extensions $K'$ of $K$.

Proof. One has to prove several facts:

- $P + O = P$;

- $P + Q = Q + P$;

- if $P \in E$ then there exists a point $Q$ such that $P + Q = O$;

- if $P, Q \in E(K)$ then $P + Q \in E(K)$;

- for $P, Q, R \in E$ one has $(P + Q) + R = P + (Q + R)$.

Only the last point is not obvious. It can be proved by direct computation with the coordinates
of the points, see TP 4. Another, geometric, proof is given in [Ful89, p.124].
1.2.2 Torsion points

Let $E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ be an elliptic curve over a field $K$. Since
$E(\bar{K})$ is a group, we can consider for all $m \in \mathbb{Z}$ the homomorphism $[m] : E(\bar{K}) \to E(\bar{K})$
which associates to a point $P$ the point $mP$. This map is given by polynomial expressions
and is therefore a morphism of curves. For a general elliptic curve over a field of characteristic
0, these endomorphisms are the only ones, and so $\operatorname{End}(E) \simeq \mathbb{Z}$.

Remark 1.2.2. Here we consider only group endomorphisms. Obviously any translation
by a point of $E$ is also a morphism.

What is the structure of $E[m] := \ker([m])$? To answer this question, we need the
following lemma.

Lemma 1.2.3. If $m$ is prime to $p$ then the map $[m]$ is separable and $\#\ker([m]) = \deg([m]) = m^2$.

Proof. The first fact comes easily from the action of $[m]$ on the regular differential and
general results from algebraic geometry [Sil92, Cor.III.5.4]. The first equality can be
proved using [Sil92, Prop.II.2.6, Th.III.4.10]. The second equality can be derived using
duality [Sil92, Cor.III.6.4], an explicit computation with division polynomials [Was03,
Sec.3.2], or an analogy with the complex torus over $\mathbb{C}$.

Hence $\ker([m])$, when $m$ is prime to $p$, is a commutative group of order $m^2$ which is
killed by multiplication by $m$: there is only one such group, namely $(\mathbb{Z}/m\mathbb{Z})^2$.
The importance of this $\mathbb{Z}/m\mathbb{Z}$-module (even a vector space when $m$ is prime) is that it
enables us to linearize algebraic properties and to study them with the classical tools of
linear algebra.

Remark 1.2.4. When $m = p^r$, one has either $\#\ker([m]) = 1$ or $m$.
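The chord-and-tangent construction of Section 1.2.1 and the torsion of Section 1.2.2 can both be seen on a small finite field. The block below is an added example, not code from the notes: it implements the addition law in coordinates on a short Weierstrass model $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$ with $p > 3$, takes $E : y^2 = x^3 + 2$ over $\mathbb{F}_7$ (the curve of Example 2.1.1) as sample input, checks the group axioms of Theorem 1.2.1 exhaustively, and lists $E(\mathbb{F}_7)[3]$. The constant names and helper functions are this example's own.

```python
# Added example (not from the notes): the chord-and-tangent law of Section 1.2.1 in coordinates,
# on y^2 = x^3 + a x + b over F_p (p > 3), applied to E: y^2 = x^3 + 2 over F_7.
P_MOD, A_COEF, B_COEF = 7, 0, 2            # constructed sample curve: y^2 = x^3 + 2 over F_7
O = None                                   # the point at infinity, neutral element


def inv(z):
    return pow(z % P_MOD, P_MOD - 2, P_MOD)  # Fermat inverse; P_MOD is prime


def on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def neg(P):
    return O if P is O else (P[0], (-P[1]) % P_MOD)


def add(P, Q):
    """P + Q: third intersection R of the line through P and Q (tangent if P = Q),
    then the residual point of the line through R and O, i.e. R reflected in the x-axis."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                              # vertical line: third point is O
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * inv(2 * y1) % P_MOD    # slope of the tangent
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD                # slope of the chord
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(m, P):
    """[m]P by double-and-add; a negative m uses -P."""
    if m < 0:
        m, P = -m, neg(P)
    R = O
    while m:
        if m & 1:
            R = add(R, P)
        P = add(P, P)
        m >>= 1
    return R


def points():
    """E(F_p), found by trying every (x, y)."""
    return [O] + [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]


def order(P):
    n, R = 1, P
    while R is not O:
        R, n = add(R, P), n + 1
    return n


def group_law_holds(pts):
    """Commutativity and associativity of Theorem 1.2.1, checked on every pair and triple."""
    return (all(add(P, Q) == add(Q, P) for P in pts for Q in pts) and
            all(add(add(P, Q), R) == add(P, add(Q, R)) for P in pts for Q in pts for R in pts))


def m_torsion(m, pts):
    """E(F_p)[m]: the points of E(F_p) killed by [m]; Lemma 1.2.3 bounds its size by m^2."""
    return [P for P in pts if mul(m, P) is O]


if __name__ == "__main__":
    pts = points()
    print(len(pts), "points;", "group law holds:", group_law_holds(pts))
    print("orders:", sorted(order(P) for P in pts), "#E[3] =", len(m_torsion(3, pts)))
```

On this curve every non-zero point has order 3, so $E(\mathbb{F}_7) = E[3] \simeq (\mathbb{Z}/3\mathbb{Z})^2$: the whole 3-torsion, of size $3^2$ as Lemma 1.2.3 predicts, is already rational over $\mathbb{F}_7$.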

1.2.3 The Weil pairing

The Weil pairing on the $n$-torsion points is a major tool in the study of elliptic curves;
it also has important applications in cryptography. Let $E$ be an elliptic curve over a
perfect field $K$ and let $n$ be an integer not divisible by the characteristic of $K$. Then
$E[n] \simeq (\mathbb{Z}/n\mathbb{Z})^2$. Let $\mu_n = \{x \in \bar{K} \mid x^n = 1\}$ be the group of $n$th roots of unity in $\bar{K}$. It
is a cyclic group of order $n$, and any generator of $\mu_n$ is called a primitive $n$th root of
unity.

Theorem 1.2.5. There exists a pairing

$$e_n : E[n] \times E[n] \to \mu_n$$

called the Weil pairing. It satisfies the following properties:

1. $e_n$ is bilinear in each variable. This means that
$$e_n(S_1 + S_2, T) = e_n(S_1, T)\, e_n(S_2, T)$$
and
$$e_n(S, T_1 + T_2) = e_n(S, T_1)\, e_n(S, T_2).$$

2. $e_n$ is alternating: $e_n(T, T) = 1$ for all $T \in E[n]$, and $e_n(T, S) = e_n(S, T)^{-1}$ for all
$S, T \in E[n]$.

3. $e_n$ is non-degenerate. This means that if $e_n(S, T) = 1$ for all $T \in E[n]$ then $S = O$,
and also that if $e_n(S, T) = 1$ for all $S \in E[n]$ then $T = O$.

4. $e_n(\sigma S, \sigma T) = \sigma(e_n(S, T))$ for all automorphisms $\sigma \in \operatorname{Gal}(\bar{K}/K)$.

5. $e_n(u(S), u(T)) = e_n(S, T)^{\deg(u)}$ for all (separable) endomorphisms $u \in \operatorname{End}_K(E)$.

We will give proofs for this theorem in the last chapter. Presently we'll derive some
consequences.

Corollary 1.2.6. Let $\{T_1, T_2\}$ be a basis of $E[n]$. Then $e_n(T_1, T_2)$ is a primitive $n$th
root of unity.

Proof. Suppose $e_n(T_1, T_2) = \zeta$ with $\zeta^d = 1$. Then $e_n(T_1, dT_2) = 1$. Let $S \in E[n]$; then
$S = aT_1 + bT_2$, therefore

$$e_n(S, dT_2) = e_n(T_1, dT_2)^a\, e_n(T_2, dT_2)^b = 1,$$

which implies $dT_2 = O$ and so $n \mid d$.

If $u$ is an endomorphism, we obtain the action of $u$ on the $n$-torsion by a matrix

$$u_n = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$$

with entries in $\mathbb{Z}/n\mathbb{Z}$ describing the action of $u$ on a basis $\{T_1, T_2\}$ of $E[n]$.

Corollary 1.2.7. We have $\det(u_n) \equiv \deg(u) \pmod{n}$.

Proof. By Corollary 1.2.6, $\zeta = e_n(T_1, T_2)$ is a primitive $n$th root of unity. Then, using
Theorem 2.1.14,

$$\zeta^{\deg(u)} = e_n(u(T_1), u(T_2)) = e_n(aT_1 + cT_2, bT_1 + dT_2)$$
$$= e_n(T_1, T_1)^{ab}\, e_n(T_1, T_2)^{ad}\, e_n(T_2, T_1)^{cb}\, e_n(T_2, T_2)^{cd} = \zeta^{ad - bc}.$$

Hence we get the result.
2 Elliptic curves over finite fields

2.1 Number of points on elliptic curves over finite fields: theory

2.1.1 An example and an easy result

Example 2.1.1. Let us consider the elliptic curve $E : y^2 = x^3 + 2$ over $\mathbb{F}_7$. One has

$$E(\mathbb{F}_7) = \{O, (0, 3), (0, 4), (3, 1), (3, 6), (5, 1), (5, 6), (6, 1), (6, 6)\}.$$

Hence there are 9 points on this curve.

Could we predict this result? Or at least give bounds for the number of points of
an elliptic curve over a finite field $k$? An obvious upper bound is $2q + 1$, since for each $x \in k$ there
are at most two $y$ which are solutions. Can we do better?

Example 2.1.2. The elliptic curve $E : y^2 + y = x^3 + x + 1$ has only $O$ as a rational point
over $\mathbb{F}_2$.

Are there other examples of elliptic curves with no affine rational points? Infinitely
many?

2.1.2 Hasse-Weil bound: first proof

We have seen that when $p = 0$, in general the only endomorphisms are the multiplications
$[m]$. However, when $K = k = \mathbb{F}_q = \mathbb{F}_{p^n}$ is a finite field, there exists another
important morphism: the Frobenius endomorphism $\pi_q : E \to E$, which maps a point
$(x, y) \in E(\bar{k})$ to $(x^q, y^q)$. Let us check that it is an endomorphism of $E$:

$$(y^q)^2 + a_1 x^q y^q + a_3 y^q = (y^2 + a_1 xy + a_3 y)^q = (x^3 + a_2 x^2 + a_4 x + a_6)^q = (x^q)^3 + a_2 (x^q)^2 + a_4 x^q + a_6,$$

since $x \mapsto x^q$ is $k$-linear. It also respects the addition, since all the formulas have coefficients
in $k$. Finally, for the same reason, it commutes with the action of $[m]$; hence the
subring of $\operatorname{End}(E)$ generated by the multiplication maps $[m]$ and $\pi_q$ is a commutative
ring, and the composition of elements of this ring will be denoted multiplicatively.

Lemma 2.1.3. A point $(x, y) \in E(\bar{k})$ belongs to $E(k)$ if and only if $\pi_q(x, y) = (x, y)$.

Since $\pi_{q^r} = \pi_q^r$ for all $r \geq 1$, we have the following useful result.

Lemma 2.1.4. $\ker(\pi_q^r - 1) = E(\mathbb{F}_{q^r})$ for all $r \geq 1$.

To continue, we need the following facts.

Lemma 2.1.5.

- $\deg(\pi_q) = q$;

- the map $\pi_q^r - 1$ is separable, and so $\#\ker(\pi_q^r - 1) = \deg(\pi_q^r - 1)$;

- the degree map $d : \operatorname{End}(E) \to \mathbb{Z}$ is a positive definite quadratic form (i.e. $L(a, b) = (d(a + b) - d(a) - d(b))/2$ is $\mathbb{Z}$-bilinear).

Proof. The first and second points can be proved using some algebraic geometry [Sil92,
Prop.II.2.11, Cor.III.5.5]. Since $\deg(u) \geq 0$ and the only morphisms of degree 0 are
constant, it is clear that the map is positive definite. To prove that it is bilinear, we will
use Corollary 1.2.7. Let $u, v, w \in \operatorname{End}(E)$ and let $n$ be a prime big enough so that all
congruences between the degrees modulo $n$ are equalities in $\mathbb{N}$. It is then enough to use the
fact that the $2 \times 2$ determinant is a quadratic form to conclude.

The Cauchy-Schwarz inequality implies that $|d(a - b) - d(a) - d(b)| \leq 2\sqrt{d(a)\,d(b)}$. Using
this with $a = \pi_q^r$ and $b = 1$, we get

$$|d(\pi_q^r - 1) - d(1) - d(\pi_q^r)| \leq 2\sqrt{d(1)\, d(\pi_q^r)},$$

i.e.

$$|\#E(\mathbb{F}_{q^r}) - 1 - q^r| \leq 2\sqrt{q^r}.$$

The last inequality is known as the Hasse-Weil bound.
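The bound just proved, and the two examples of Section 2.1.1, can be checked numerically for small prime fields. The block below is an added example, not code from the notes: it counts $\#E(\mathbb{F}_p)$ for a general Weierstrass equation by brute force (so characteristic 2, as in Example 2.1.2, is covered), computes the trace $q + 1 - \#E(\mathbb{F}_q)$, and compares every non-singular short model over $\mathbb{F}_7$ against the Hasse-Weil interval. All function names are this example's own; the curves are those of the two examples above.

```python
# Added example (not from the notes): brute-force point counting for a general Weierstrass
# equation over a prime field F_p, checked against the Hasse-Weil bound of Section 2.1.2.
import math


def count_points(p, a1, a2, a3, a4, a6):
    """#E(F_p) for y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6, the point O included."""
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a2 * x * x + a4 * x + a6) % p
        for y in range(p):
            if (y * y + a1 * x * y + a3 * y) % p == rhs:
                n += 1
    return n


def rational_points(p, a1, a2, a3, a4, a6):
    """The affine points of E(F_p) as a sorted list (O omitted)."""
    return sorted((x, y) for x in range(p) for y in range(p)
                  if (y * y + a1 * x * y + a3 * y - x ** 3 - a2 * x * x - a4 * x - a6) % p == 0)


def hasse_interval(q):
    """Smallest and largest integer N with |N - q - 1| <= 2 sqrt(q).
    floor(2 sqrt q) = isqrt(4q), so no floating point is involved."""
    s = math.isqrt(4 * q)
    return q + 1 - s, q + 1 + s


def trace_of_frobenius(p, *coeffs):
    """t = q + 1 - #E(F_q); the Hasse-Weil bound reads |t| <= 2 sqrt(q)."""
    return p + 1 - count_points(p, *coeffs)


def hasse_survey(p):
    """The set of #E(F_p) over all non-singular short models y^2 = x^3 + ax + b, p > 3."""
    seen = set()
    for a in range(p):
        for b in range(p):
            if (4 * a ** 3 + 27 * b * b) % p == 0:      # Delta = -16(4a^3 + 27b^2) = 0: singular
                continue
            seen.add(count_points(p, 0, 0, 0, a, b))
    return seen


if __name__ == "__main__":
    print("Example 2.1.1:", rational_points(7, 0, 0, 0, 0, 2), count_points(7, 0, 0, 0, 0, 2))
    print("Example 2.1.2:", count_points(2, 0, 0, 1, 1, 1))
    print("Hasse interval for q = 7:", hasse_interval(7), "orders seen:", sorted(hasse_survey(7)))
```

For $q = 7$ the interval is $[3, 13]$, well inside the trivial bound $2q + 1 = 15$; Example 2.1.1 has trace $-1$, and Example 2.1.2 sits at the lower end of the interval for $q = 2$, which is $[1, 5]$.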

2.1.3 Hasse-Weil bound: second proof

Let $q = p^e$, for an odd prime number $p$ and an integer $e \geq 1$. Suppose $E/\mathbb{F}_q$ is an elliptic
curve.

Theorem 2.1.6 (Hasse). If $N_q$ denotes the number of rational points of $E/\mathbb{F}_q$, then

$$|N_q - q - 1| \leq 2\sqrt{q}.$$

This second proof comes from Manin's article of 1956, explained by Cassels and then
completed (for some missing details on the degrees) by Gelfond and Linnik in 1966. The
following part is extracted from the PhD thesis of Afzal Soomro, defended in 2013, who
also generalized the proof to the characteristic 2 case.

Let $E/\mathbb{F}_q$ be given by an equation

$$E : y^2 = f(x) = x^3 + ax^2 + bx + c.$$

Consider

$$E^{tw} : f(t)\, y^2 = x^3 + ax^2 + bx + c. \qquad (2.1)$$

The curve $E^{tw}$ is a quadratic twist of $E/\mathbb{F}_q(t)$. The two curves $E$ and $E^{tw}$ are isomorphic
over $K = \mathbb{F}(t, s)$, where $s^2 = f(t)$. The isomorphism is defined as follows:

$$E^{tw} \to E, \qquad (x, y) \mapsto (x, sy).$$

It is easy to see that the points $Q = (t, 1)$ and $P_0 = (x_0, y_0) = (t^q, f(t)^{(q-1)/2})$ are in
$E^{tw}(\mathbb{F}(t))$. We define

$$P_n = P_0 + nQ, \qquad n \in \mathbb{Z}.$$

If $P_n$ is not the point at infinity $O$, set $P_n = (x_n, y_n)$. We write $x_n = f_n/g_n$, where
$f_n, g_n \in \mathbb{F}_q[t]$ with $\gcd(f_n, g_n) = 1$. We get a well-defined function

$$d : \mathbb{Z} \to \{0, 1, 2, 3, \ldots\}$$

given by

$$d(n) = d_n = \begin{cases} 0 & \text{if } P_n = O; \\ \deg(f_n) & \text{otherwise.} \end{cases}$$

Since $E^{tw}$ is not in the standard Weierstrass form, there will be modifications in the
usual addition and duplication formulae.

(i) If $O \neq P_j = (x_j, y_j) \in E^{tw}(\mathbb{F}(t))$ for $j = 1, 2$ and $P_1 \neq \pm P_2$, then

$$x(P_1 + P_2) = f(t) \left( \frac{y_2 - y_1}{x_2 - x_1} \right)^2 - a - (x_1 + x_2). \qquad (2.2)$$

(ii) If $P = (x, y) \in E^{tw}(\mathbb{F}(t))$ and $y \neq 0$, then

$$x(2P) = \frac{x^4 - 2bx^2 - 8cx + b^2 - 4ac}{4x^3 + 4ax^2 + 4bx + 4c}. \qquad (2.3)$$

Now we present the properties of $d_n$.

Lemma 2.1.7. If $P_n = (x_n, y_n) \neq O$, write $x_n = f_n(t)/g_n(t)$ with $f_n(t), g_n(t) \in \mathbb{F}[t]$ coprime.
Then $\deg(f_n) > \deg(g_n)$.

Proof. Put $\tau = 1/t$ and view $E^{tw}$ over $\mathbb{F}((\tau))$. We change coordinates as follows:

$$\xi = \tau x \quad \text{and} \quad \eta = y.$$

In these new coordinates the equation for $E^{tw}$ is

$$(1 + a\tau + b\tau^2 + c\tau^3)\, \eta^2 = \xi^3 + a\tau\, \xi^2 + b\tau^2\, \xi + c\tau^3.$$

We denote by $v(f/g)$ the valuation of $f/g$ seen as an element of $\mathbb{F}((\tau))$. We know that
$v(f/g) = v(f) - v(g)$, and if $f \in \mathbb{F}[t]$ then $v(f) = -\deg(f)$. Namely, if $f = a_d t^d + \cdots + a_0$
with $a_d \neq 0$, then

$$f = a_d \tau^{-d} + \cdots + a_0 = \tau^{-d}\,(a_d + a_{d-1}\tau + \cdots + a_0 \tau^d).$$

Since $v(\tau^{-d}) = -d$ and $a_d + a_{d-1}\tau + \cdots + a_0\tau^d \in \mathbb{F}[[\tau]]^*$, we have $v(f) = -d = -\deg(f)$.

By reduction modulo $\tau$, we obtain the curve

$$\bar{E}^{tw}/\mathbb{F} : \eta^2 = \xi^3.$$

We have a reduction map (see [Sil92, Chapter VII, Prop. 2.1])

$$E_0^{tw}(\mathbb{F}((\tau))) \xrightarrow{\ \bmod \tau\ } \bar{E}^{tw}_{ns}(\mathbb{F}),$$
$$(\xi, \eta) \mapsto (\xi \bmod \tau,\ \eta \bmod \tau) \quad \text{if } \min(v(\xi), v(\eta)) \geq 0,$$
$$(\xi, \eta) \mapsto O \quad \text{if } v(\xi) < 0 \text{ or } v(\eta) < 0,$$

where $E_0^{tw}(\mathbb{F}((\tau)))$ is the set of points in $E^{tw}(\mathbb{F}((\tau)))$ whose reduction modulo $\tau$ is in
$\bar{E}^{tw}_{ns}(\mathbb{F}) = \{(\xi, \eta) \neq (0, 0) : \eta^2 = \xi^3\} \cup \{O\}$, the set of non-singular points of $\bar{E}^{tw}$. To prove
that $E_0^{tw}(\mathbb{F}((\tau)))$ is a group, it is enough to show that $\bar{E}^{tw}_{ns}(\mathbb{F})$ is also one for the law inherited
from the classical addition law on $\bar{E}^{tw}$. This is classical: the curve $y^2 z = x^3$ without the
point $(0, 0)$ is isomorphic to $\mathbb{A}^1$ by $(x, y) \mapsto x/y$, with inverse $x \mapsto (x : 1 : x^3)$. The group
law $+$ on $\mathbb{A}^1$ induces a group law on the curve. This group law is the classical geometric
one: it is enough to see that $x_1 + x_2 + x_3 = 0$ if and only if $P_1 + P_2 + P_3 = O$ (use the
coordinates in $(x, z)$). Therefore $\bar{E}^{tw}_{ns}(\mathbb{F})$ is a group for the geometric group law. Hence,
when we take $P_1, P_2 \in E_0^{tw}(\mathbb{F}((\tau)))$ then, by definition, their reductions are on $\bar{E}^{tw}_{ns}(\mathbb{F})$,
so also the sum of their reductions. But this means that $P_1 + P_2$ has its reduction on
$\bar{E}^{tw}_{ns}(\mathbb{F})$, so it is in $E_0^{tw}(\mathbb{F}((\tau)))$. This last set is also a group.

Let $P = (f/g, y) \in E^{tw}(\mathbb{F}(t))$, where $f$ and $g$ are polynomials. In the new coordinates
$\xi, \eta$, the point is $P = (\tau f/g, y) \in E^{tw}(\mathbb{F}(t)) \subset E^{tw}(\mathbb{F}((\tau)))$ (because $\xi = \tau x$). Note that

$$P \in E_0^{tw}(\mathbb{F}((\tau))) \iff v\!\left(\tau\, \frac{f}{g}\right) \leq 0 \iff \deg(f) > \deg(g).$$

Clearly the points $P_0 = (t^q, f(t)^{(q-1)/2})$ and $Q = (t, 1)$ are in the group $E_0^{tw}(\mathbb{F}((\tau)))$ for
all $q$. Therefore $P_n = P_0 + nQ \in E_0^{tw}(\mathbb{F}((\tau)))$. This proves the lemma.

Corollary 2.1.8. If $P_n \neq O$ then $d_n > 0$, for all $n \in \mathbb{Z}$.

The following lemma gives the connection between $N_q$ and $d_n$.

Lemma 2.1.9. $d_1 = N_q$.

Proof. We compute $d_1$. By the addition formula (2.2),

$$x(P_1) = x(P_0 + Q) = f(t)\, \frac{\left[ f(t)^{(q-1)/2} + 1 \right]^2}{(t^q - t)^2} - a - (t^q + t)$$
$$= \frac{f(t)^q + 2f(t)^{(q+1)/2} + f(t) - a(t^q - t)^2 - (t^{3q} - t^{2q+1} - t^{q+2} + t^3)}{(t^q - t)^2}$$
$$= \frac{t^{2q+1} + \text{a polynomial of lower degree}}{(t^q - t)^2}.$$

We can write

$$t^q - t = \prod_{\alpha \in \mathbb{F}} (t - \alpha).$$

Therefore,

$$d_1 = 2q + 1 - \#\{\text{cancellations of degree one factors}\}.$$

Now we count $\#\{\text{cancellations of degree one factors}\}$. Put

$$N(t) := f(t) \left[ f(t)^{(q-1)/2} + 1 \right]^2.$$

We have

$$x(P_1) = \frac{N(t) - a \prod_{\alpha \in \mathbb{F}} (t - \alpha)^2 - (t^q + t) \prod_{\alpha \in \mathbb{F}} (t - \alpha)^2}{\prod_{\alpha \in \mathbb{F}} (t - \alpha)^2},$$

so $t - \alpha$ cancels (from both numerator and denominator) if and only if $N(\alpha) = 0$. For
$\alpha \in \mathbb{F}$, if $f(\alpha) = 0$, then we have one cancellation. From the equality

$$f(\alpha)^{(q-1)/2} = \begin{cases} -1 & \text{if } f(\alpha) \neq 0 \text{ is a non-square,} \\ \phantom{-}1 & \text{if } f(\alpha) \neq 0 \text{ is a square,} \end{cases}$$

we see that for $f(\alpha) \neq 0$ a non-square we have a double cancellation. Also, if $f(\alpha) \neq 0$ is a
square, there is no cancellation. Therefore

$$d_1 = 1 + 2q - \#\{\alpha \in \mathbb{F} \mid f(\alpha) = 0\} - 2\, \#\{\alpha \in \mathbb{F} \mid f(\alpha) \neq 0 \text{ is a non-square}\}$$
$$= 1 + 2\, \#\{\alpha \in \mathbb{F}\} - \#\{\alpha \in \mathbb{F} \mid f(\alpha) = 0\} - 2\, \#\{\alpha \in \mathbb{F} \mid f(\alpha) \neq 0 \text{ is a non-square}\}$$
$$= 1 + 2\, \#\{\alpha \in \mathbb{F} \mid f(\alpha) \neq 0 \text{ is a square}\} + \#\{\alpha \in \mathbb{F} \mid f(\alpha) = 0\}$$
$$= N_q.$$

This proves the lemma.

Lemma 2.1.10. The integers $d_n$ satisfy the identity

$$d_{n-1} + d_{n+1} = 2d_n + 2.$$

Proof. Take $P_{n-1}$, $P_n$ and $P_{n+1}$. We consider the following two cases.

Case 1: One of $P_{n-1}$, $P_n$ and $P_{n+1}$ is $O$. By definition, $P_n = P_{n-1} + Q = P_{n+1} - Q$ for
every $n \in \mathbb{Z}$.

(i) If $P_n = O$, then $P_{n-1} = (t, -1)$ and $P_{n+1} = (t, 1)$. Therefore $d_{n-1} = 1$ and $d_{n+1} = 1$. The lemma follows.

(ii) If $P_{n-1} = O$, then $P_n = (t, 1)$ and $P_{n+1} = 2(t, 1)$. By the duplication formula (2.3),

$$x(P_{n+1}) = \frac{t^4 - 2bt^2 - 8ct + b^2 - 4ac}{4t^3 + 4at^2 + 4bt + 4c}. \qquad (2.4)$$

We can write this as

$$x(P_{n+1}) = \frac{f'(t)^2 - 4(a + 2t)\, f(t)}{4 f(t)}.$$

Since $f(t)$ does not have multiple roots, (2.4) is in lowest terms and $d_{n+1} = 4$.
This proves the lemma.

(iii) If $P_{n+1} = O$, then the same argument proves the lemma in this case.

Case 2: None of $P_{n-1}$, $P_n$ and $P_{n+1}$ is $O$. Recall that we introduced the notation
$P_i = (f_i/g_i, y_i)$ whenever $P_i \neq O$, where $f_i, g_i \in \mathbb{F}[t]$ are coprime and $y_i \in \mathbb{F}(t)$. By the
addition formula (2.2), applied to $P_{n-1} = P_n - Q$, one has

$$\frac{f_{n-1}}{g_{n-1}} = \frac{-(tg_n + f_n)(tg_n - f_n)^2 - ag_n(tg_n - f_n)^2 + f(t)\, g_n^3 (1 + y_n)^2}{g_n (tg_n - f_n)^2}$$
$$= \frac{(tg_n + f_n)(bg_n + tf_n) + 2g_n(atf_n + cg_n) + 2f(t)\, g_n^2 y_n}{(tg_n - f_n)^2}$$
$$= \frac{R}{(tg_n - f_n)^2}, \qquad (2.5)$$

say. Replacing $y_n$ by $-y_n$ in the formula above, one obtains $x(-P_n - Q) = x(-P_{n+1}) = x(P_{n+1})$. Therefore,

$$\frac{f_{n+1}}{g_{n+1}} = \frac{-(tg_n + f_n)(tg_n - f_n)^2 - ag_n(tg_n - f_n)^2 + f(t)\, g_n^3 (1 - y_n)^2}{g_n (tg_n - f_n)^2}$$
$$= \frac{(tg_n + f_n)(bg_n + tf_n) + 2g_n(atf_n + cg_n) - 2f(t)\, g_n^2 y_n}{(tg_n - f_n)^2}$$
$$= \frac{S}{(tg_n - f_n)^2}, \qquad (2.6)$$

say.

Remark 2.1.11. The assumption $P_{n-1} \neq O$ is equivalent to $P_n \neq Q$, or $x(P_n) = f_n/g_n \neq t$. Since in Case 2 above $P_n \neq O$, this means $x(P_n) = f_n/g_n \neq t$, i.e., $f_n \neq tg_n$.

Suppose $P_n \neq O$, so that coprime polynomials $f_n$ and $g_n \in \mathbb{F}[t]$ exist with $x(P_n) = f_n/g_n$. Put $y_n := y(P_n)$ as above. Then

$$f(t)\, y_n^2 = \frac{f_n^3}{g_n^3} + a\, \frac{f_n^2}{g_n^2} + b\, \frac{f_n}{g_n} + c,$$

hence $(f(t)\, g_n^2 y_n)^2 \in \mathbb{F}[t]$, which implies $f(t)\, g_n^2 y_n \in \mathbb{F}[t]$. Therefore, $R$ and $S$ are also
polynomials. Moreover, $f_{n-1}/g_{n-1}$ and $f_{n+1}/g_{n+1}$ are in lowest terms; by multiplying
them, we get

$$\frac{f_{n-1} f_{n+1}}{g_{n-1} g_{n+1}} = \frac{RS}{(tg_n - f_n)^4} = \frac{(tf_n - bg_n)^2 - 4cg_n \left[ (t + a)g_n + f_n \right]}{(tg_n - f_n)^2} = \frac{T}{(tg_n - f_n)^2}, \qquad (2.7)$$

say. If we show that, up to a non-zero constant,

$$g_{n-1} g_{n+1} = (tg_n - f_n)^2, \qquad (2.8)$$

then, up to the same constant,

$$f_{n-1} f_{n+1} = (tf_n - bg_n)^2 - 4cg_n \left[ (t + a)g_n + f_n \right].$$

Using Lemma 2.1.7, it follows that the right-hand side of this expression has the same
degree as $t^2 f_n^2$. Hence we get

$$d_{n-1} + d_{n+1} = \deg(f_{n-1} f_{n+1}) = \deg(t^2 f_n^2) = 2d_n + 2.$$

Now we prove (2.8). It follows from the second equality in (2.7) that $(tg_n - f_n)^2 \mid RS$.
Write $(tg_n - f_n)^2 = R_1 S_1$ for certain $R_1, S_1 \in \mathbb{F}[t]$ such that $R_1 \mid R$ and $S_1 \mid S$. Since

$$\frac{f_{n-1}}{g_{n-1}} = \frac{R}{(tg_n - f_n)^2} = \frac{R}{R_1 S_1} = \frac{R/R_1}{S_1},$$

we get $g_{n-1} \mid S_1$. Similarly, we get $g_{n+1} \mid R_1$. Therefore,

$$g_{n-1} g_{n+1} \mid (tg_n - f_n)^2.$$

The equality (2.8) will follow if we prove that also

$$(tg_n - f_n)^2 \mid g_{n-1} g_{n+1}. \qquad (2.9)$$

Suppose (2.9) is not true; then an irreducible polynomial $\varphi(t) \in \mathbb{F}[t]$ exists such that
$v_\varphi((tg_n - f_n)^2) > v_\varphi(g_{n-1} g_{n+1})$, where $v_\varphi$ is the valuation on $\mathbb{F}(t)$ corresponding to $\varphi(t)$.
We claim that $\varphi$ and the valuation $v_\varphi$ have the following properties.

(a) $v_\varphi((tg_n - f_n)^2) > 0$;

(b) $\varphi \nmid g_n$;

(c) $v_\varphi(T) > 0$;

(d) $v_\varphi(R) > 0$ and $v_\varphi(S) > 0$.

Property (a) is immediate from the assumption

$$v_\varphi((tg_n - f_n)^2) - v_\varphi(g_{n-1} g_{n+1}) > 0.$$

Since $v_\varphi((tg_n - f_n)^2) > 0$ by Property (a), the condition $\varphi \mid g_n$ would imply $\varphi \mid tg_n - (tg_n - f_n) = f_n$, violating the fact that $g_n$ and $f_n$ are coprime; hence Property (b)
follows.

To see Property (c), note that (2.7) implies

$$v_\varphi(f_{n-1} f_{n+1}) - v_\varphi(g_{n-1} g_{n+1}) = v_\varphi(T) - v_\varphi((tg_n - f_n)^2);$$

hence,

$$v_\varphi(T) - v_\varphi(f_{n-1} f_{n+1}) = v_\varphi((tg_n - f_n)^2) - v_\varphi(g_{n-1} g_{n+1}),$$

which by our assumption is strictly positive. This implies that $v_\varphi(T) > 0$.

Finally, to prove Property (d), note that we already saw that $(tg_n - f_n)^2 \mid RS$; hence
Property (a) implies that $\varphi \mid RS$. Therefore $\varphi \mid R$ or $\varphi \mid S$. Suppose $\varphi \nmid R$; then from
(2.5) we get

$$v_\varphi(g_{n-1}) - v_\varphi(f_{n-1}) = v_\varphi((tg_n - f_n)^2) > 0.$$

Since $\gcd(f_{n-1}, g_{n-1}) = 1$, this implies $v_\varphi(f_{n-1}) = 0$; hence the equality above reduces
to

$$v_\varphi(g_{n-1}) = v_\varphi((tg_n - f_n)^2).$$

From (2.7), we now deduce

$$v_\varphi(f_{n+1}) - v_\varphi(g_{n+1}) = v_\varphi(T) > 0.$$

Since the polynomials $f_{n+1}$ and $g_{n+1}$ are coprime, it follows that $v_\varphi(g_{n+1}) = 0$. Therefore,

$$v_\varphi(g_{n+1} g_{n-1}) = v_\varphi((tg_n - f_n)^2),$$

contradicting our initial assumption. Hence, indeed, $\varphi \mid R$. An analogous argument
shows that $\varphi \mid S$. Indeed, if $\varphi \nmid S$, then (2.6) shows

$$v_\varphi(g_{n+1}) - v_\varphi(f_{n+1}) = v_\varphi((tg_n - f_n)^2) > 0,$$

which implies $v_\varphi(f_{n+1}) = 0$ and $v_\varphi(g_{n+1}) = v_\varphi((tg_n - f_n)^2)$. Again applying (2.7) shows
in this case that

$$v_\varphi(f_{n-1}) - v_\varphi(g_{n-1}) = v_\varphi(T) > 0$$

and $v_\varphi(g_{n-1}) = 0$. Therefore,

$$v_\varphi(g_{n+1} g_{n-1}) = v_\varphi((tg_n - f_n)^2),$$

which is a contradiction. This finishes the proof of Properties (a), (b), (c) and (d).
Properties (a) and (d) imply that the valuations at of

f (t)gn3 (1 yn )2 = S + (tgn + fn )(tgn fn )2 + agn (tgn fn )2

and of
f (t)gn3 (1 + yn )2 = R + (tgn + fn )(tgn fn )2 + agn (tgn fn )2
are both positive, as is seen by considering the right-hand-side. Also, v ((1 yn )2 ) and
v ((1+yn )2 ) can not both be positive: since (1yn )+(1+yn ) = 2 and the characteristic
is not equal to 2, this would yield a contradiction. If we suppose v ((1 yn )2 ) 0, then
v (f (t)) > 0 since v (f (t)gn3 (1 yn )2 ) > 0. Similarly, if v ((1 + yn )2 ) 0, it follows that
v (f (t)) > 0. So we conclude in all cases that | f .
By computing modulo (tgn fn ) one clearly has fn tgn mod (tgn fn ); hence,
h i
T (t2 gn bgn )2 4cgn ((t a)gn + tgn ) mod (tgn fn ),

i.e.,
T gn2 (t4 2bt2 8ct 4ac + b2 ) mod (tgn fn ).
Properties (a), (b), and (c) therefore show

| (t4 2bt2 8ct 4ac + b2 ) = (t),

say. A calculation reveals that the resultant of and f equals the square of the dis-
criminant of f , which is nonzero constant in F. Since the resultant is an F[t]- linear
combination of f and , this contradicts the fact that f and are divisible by . So the
lemma follows in this case.

Remark 2.1.12. Note that the polynomial ψ appearing in the proof above is precisely the numerator appearing in the formula for x(2P).
From the above identity, we obtain that the function d_n can be expressed as a polynomial in n, as follows.

Lemma 2.1.13. The function d_n satisfies

d_n = n² − a_q n + q.

Proof. This follows by induction on n, using Lemmas 2.1.10 and 2.1.9.

Proof of Hasse's theorem. Consider the quadratic polynomial

d(x) = x² − a_q x + q.

Assume that Hasse's theorem were false for E/F. This is equivalent to the statement a_q² − 4q > 0, which implies that d(x) has two real zeroes. Suppose x_1 < x_2 are these two zeroes. Note that the quadratic function d(x) is negative at all values x strictly between x_1 and x_2. By Lemma 2.1.13 and the definition of the number d_n, d(x) takes non-negative values at all integers x. In particular, this implies that the interval (x_1, x_2) does not contain any integer. Hence, taking n = ⌊x_1⌋ (the largest integer ≤ x_1), we have

n ≤ x_1 < x_2 ≤ n + 1.    (2.10)

It is not possible that both x_1, x_2 ∈ Z, since this would imply

n(n + 1) = x_1 x_2 = q,

contradicting the fact that n(n + 1) is even and q is odd. As a consequence,

0 < x_2 − x_1 < 1.

This is impossible since a_q² − 4q = (x_1 − x_2)² is assumed to be a positive integer. Therefore,

a_q² − 4q ≤ 0.

This completes the proof of Hasse's theorem.

2.1.4 A case of the Weil conjectures

The previous result has a beautiful consequence.

Theorem 2.1.14. Let E be an elliptic curve defined over F_q. Let a = q + 1 − #E(F_q). Then the Frobenius endomorphism φ_q satisfies the equation

φ_q² − [a]φ_q + [q] = 0.

Moreover a is the unique integer such that

a ≡ Tr((φ_q)_m) mod m

for all m coprime to p.

Proof. Let u = φ_q² − [a]φ_q + [q]. If u is not zero, then it has a finite kernel. We need to prove that u has a kernel which is infinite. To do so, let m be a positive integer coprime to p and let (φ_q)_m be the 2 × 2 matrix of φ_q acting on E[m] ≅ (Z/mZ)². Since φ_q − 1 is separable we have

#ker(φ_q − 1) = deg(φ_q − 1) ≡ det((φ_q)_m − I) = det((φ_q)_m) − Tr((φ_q)_m) + 1 (mod m).

On the other hand det((φ_q)_m) ≡ deg(φ_q) ≡ q (mod m), and since #ker(φ_q − 1) = q + 1 − a one has

Tr((φ_q)_m) ≡ a (mod m).

By Cayley-Hamilton (if m is prime) or by a straightforward computation with matrices, we have

(φ_q)_m² − [a]_m (φ_q)_m + [q]_m I_m ≡ 0 (mod m).

(Note that X² − aX + q is the characteristic polynomial of (φ_q)_m.) This means that u is 0 on E[m]. As m can go to infinity, this means that u is 0.

Definition 2.1.15. The polynomial X² − aX + q is called the characteristic polynomial of the Frobenius (or Weil polynomial). The integer a is called the trace of the elliptic curve.

Remark 2.1.16. This formula is the first example of a beautiful theorem, true for any smooth projective (absolutely irreducible) algebraic variety over a finite field. This theorem is known as the Weil conjectures.

2.1.5 Supersingular elliptic curves

Let E be an elliptic curve over F_q. Remember that for the prime p, unlike other m coprime to p, one has #E[p] = p or 1.

Definition 2.1.17. The curve E is said to be supersingular if E[p] = {O}.

We can reformulate this definition in terms of the trace a.

Proposition 2.1.18. The curve E is supersingular if and only if a ≡ 0 (mod p).

Proof. With the notation of Exercise 11, assume that a ≡ 0 (mod p). One has

#E(F_{q^i}) = q^i + 1 − s_i ≡ 1 − s_i (mod p).

Since s_1 = a ≡ 0 (mod p), the induction formula gives s_i ≡ 0 (mod p), so

#E(F_{q^i}) ≡ 1 (mod p).

In particular there is no non-trivial p-torsion point over any extension F_{q^i}.

Conversely, assume that a ≢ 0 (mod p). The recurrence formula implies that s_{i+1} ≡ a s_i (mod p), hence s_i ≡ a^i (mod p). Fermat's little theorem implies that a^{p−1} ≡ 1 (mod p), therefore #E(F_{q^{p−1}}) = q^{p−1} + 1 − s_{p−1} ≡ 0 (mod p). This means that E has a non-trivial p-torsion point and so E is not supersingular.

Corollary 2.1.19. Suppose p ≥ 5 is a prime. Then E/F_p is supersingular if and only if a = 0.

2.2 Number of points on elliptic curves over finite fields: practice

With the development of elliptic curve cryptography and the use of elliptic curves over large finite fields, several methods have been created to compute very efficiently the number of points on these objects. Unfortunately, they often rely on deep considerations (cohomology, canonical lift, deformation, complex multiplication, ...) and we will not be able to explain them here. However, we can give some easy ways to do this, which are either less secure or slower.

2.2.1 Counting points

When p > 2, we can always write our elliptic curve as E : y² = f(x) with deg f = 3. Hence the number of points of E(F_p) is

1 + p + Σ_{x ∈ F_p} (f(x) / p),

where (· / p) is the Legendre symbol. Obviously the complexity is O(p) and one can reach in this way p ≈ 2^30.

2.2.2 Baby steps-giant steps

This is based on the Hasse-Weil bound

|p + 1 − #E(F_p)| < 2√p.

The idea is to pick a random point P ∈ E(F_p) and to compute an integer m ∈ (p + 1 − 2√p, p + 1 + 2√p) such that mP = O. If m is the only such number in the interval, it follows that m = #E(F_p). It is easy and fast to pick a point P randomly by choosing an x and checking whether f(x) is a square.

Remark 2.2.1. To avoid the problem that m is not the only such number in the interval, Mestre showed that one can work simultaneously with the curve and its quadratic twist.

Actually, we do things a bit differently. Theorem 2.1.14 tells us that

[p + 1]P − [#E(F_p)]P = [k]P,  k ∈ {−2√p + 1, ..., 2√p − 1}.

If R = [p + 1]P, this means that R = [k]P. We are going to check this equality.

Baby steps: make a list of the first s = ⌈p^{1/4}⌉ multiples of P and compute R = [p + 1]P. Note that we know −jP as well. Check if ±jP = R.

Giant steps: compute Q = [2s]P and compute R, R ± Q, R ± 2Q, ..., R ± tQ where t = ⌊2√p/(2s)⌋ ≈ p^{1/4}. As we can write k = (2s)i + j with i = ⌊k/(2s)⌉ ∈ {0, ±1, ..., ±t} (the closest integer) and |j| ≤ s, R − [i]Q = [j]P is a match. Putting m = p + 1 − (2s)i − j we get mP = O, and we get an algorithm in O(p^{1/4}). This improves the previous method but it is still exponential.
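The two counting methods of 2.2.1 and 2.2.2 side by side, as an added example that is not part of the course notes: naive counting with the Legendre symbol, then the baby-step giant-step search of the order in the Hasse interval for E : y² = x³ + ax + b over a small prime field, where the candidate sets of several points are intersected because a single point may leave several multiples of its order in the interval (Remark 2.2.1). The curves used are the toy instances of Exercise 14 over F_5 and F_7, and all function names are my own.

```python
from math import isqrt

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_naive(a, b, p):
    """#E(F_p) = 1 + p + sum_x (f(x)/p) for y^2 = x^3 + a x + b: O(p) symbols."""
    return 1 + p + sum(legendre(x * x * x + a * x + b, p) for x in range(p))

# Points are affine pairs (x, y) of integers mod p; None is the point O.
def ec_add(P, Q, a, p):
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)         # chord slope
    lam %= p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_neg(P, p):
    return None if P is None else (P[0], (-P[1]) % p)

def ec_mul(k, P, a, p):
    """[k]P by double-and-add, for any integer k."""
    if k < 0:
        k, P = -k, ec_neg(P, p)
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def affine_points(a, b, p):
    """All affine points of E(F_p) (toy sizes; for large p one picks x at
    random and takes a modular square root of f(x) instead)."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p)
            for y in roots.get((x * x * x + a * x + b) % p, [])]

def bsgs_candidates(P, a, p):
    """Every m in the Hasse interval [p + 1 - B, p + 1 + B], B = floor(2 sqrt p),
    with [m]P = O, found with s ~ p^(1/4) baby steps and giant steps of size 2s."""
    B = isqrt(4 * p)                      # |k| <= B for k = p + 1 - #E(F_p)
    s = isqrt(isqrt(p)) + 1               # baby-step bound s >= p^(1/4)
    baby = {}                             # x([j]P) -> (j, y([j]P)), 1 <= j <= s
    jP = P
    for j in range(1, s + 1):
        if jP is None:
            break
        baby.setdefault(jP[0], (j, jP[1]))
        jP = ec_add(jP, P, a, p)
    R = ec_mul(p + 1, P, a, p)            # R = [p + 1]P = [k]P
    Q = ec_mul(2 * s, P, a, p)            # giant step
    t = (B + s) // (2 * s)                # every |k| <= B is (2s)i + j, |j| <= s, |i| <= t
    found = set()
    for i in range(-t, t + 1):
        V = ec_add(R, ec_mul(-i, Q, a, p), a, p)     # R - [i]Q, should equal [j]P
        if V is None:
            j = 0
        elif V[0] in baby:
            j, yj = baby[V[0]]
            if V[1] != yj:
                j = -j                    # V = [-j]P
        else:
            continue
        k = 2 * s * i + j
        if abs(k) <= B and ec_mul(p + 1 - k, P, a, p) is None:
            found.add(p + 1 - k)
    return found

def count_bsgs(a, b, p):
    """#E(F_p) once a unique candidate survives the intersection over points;
    None if the interval keeps several multiples of the group exponent."""
    cand = None
    for P in affine_points(a, b, p):
        c = bsgs_candidates(P, a, p)
        cand = c if cand is None else cand & c
        if len(cand) == 1:
            return cand.pop()
    return None
```

For y² = x³ + x + 1 over F_7 every point has order 5 and both 5 and 10 lie in the Hasse interval, so the search stays ambiguous and returns None, which is exactly the situation Remark 2.2.1 addresses with the quadratic twist.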

2.2.3 Working with extensions

Let E/F_q be an elliptic curve over a small field where we can easily compute its number of points N. Let t = 1 + q − N and write P(X) = X² − tX + q = (X − α)(X − β). Then we can use Exercise 11 to get the number of points over large extensions: indeed the characteristic polynomial over F_{q^n} is given by the resultant of P(X) and z − X^n. However, note that #E(F_q) | #E(F_{q^n}), hence we necessarily lose a bit of efficiency since we do not get a prime order. As there are also attacks on the DL problem for certain primes and certain extension degrees, this method is generally considered less safe.
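As an added example (not from the course notes), the recurrence of Exercise 11 used the way this section suggests: from the trace a over F_q it produces the Weil polynomial and the point count over F_{q^n}, checks the divisibility #E(F_q) | #E(F_{q^n}) noted above, and applies the criterion of Proposition 2.1.18 (a ≡ 0 mod p). The function names are mine; the sample traces come from the exercises of Chapter 4 (the Koblitz curves over F_2, y² = x³ + x + 1 over F_5, y² = x³ + 1 over F_5).

```python
def trace_sequence(q, a, n):
    """s_0, ..., s_n with s_i = alpha^i + beta^i, alpha, beta the roots of
    X^2 - aX + q; s_0 = 2, s_1 = a, s_{i+1} = a s_i - q s_{i-1} (Exercise 11)."""
    s = [2, a]
    while len(s) <= n:
        s.append(a * s[-1] - q * s[-2])
    return s[:n + 1]

def weil_polynomial_ext(q, a, n):
    """Coefficients (1, -s_n, q^n) of X^2 - s_n X + q^n, the characteristic
    polynomial of the Frobenius of E over F_{q^n}."""
    return (1, -trace_sequence(q, a, n)[n], q ** n)

def count_ext(q, a, n):
    """#E(F_{q^n}) = q^n + 1 - s_n, from the trace a of E over F_q."""
    return q ** n + 1 - trace_sequence(q, a, n)[n]

def trace_from_count(q, N):
    """Trace a = q + 1 - #E(F_q)."""
    return q + 1 - N

def is_supersingular(p, a):
    """Proposition 2.1.18: E/F_q, q a power of p, is supersingular iff p | a."""
    return a % p == 0

def divides_extension_count(q, a, n):
    """#E(F_q) always divides #E(F_{q^n}) (E(F_q) is a subgroup of E(F_{q^n}))."""
    return count_ext(q, a, n) % count_ext(q, a, 1) == 0

def hasse_ok(q, a):
    """Hasse bound a^2 <= 4q, which the trace over every F_{q^n} must satisfy."""
    return a * a <= 4 * q
```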

2.2.4 Schoof's method

In 1985 Schoof was the first to describe a polynomial time algorithm to count the number of points on an elliptic curve E over a large prime field F_p. In the remainder of this section, we will assume that p > 3 and

E : y² = x³ + a_4 x + a_6 with a_4, a_6 ∈ F_p.

Recall that |E(F_p)| = p + 1 − t with t the trace of the Frobenius endomorphism φ_p, and by Hasse's theorem we have |t| ≤ 2√p. The main idea of Schoof's algorithm is to compute t modulo various small primes ℓ_1, ..., ℓ_r such that ∏_{i=1}^r ℓ_i > 4√p. The trace t can then be determined using the Chinese Remainder Theorem and the group order follows. If the largest prime ℓ_r is of order O(log p) then from the prime number theorem, it follows that r can be taken as O(log p / log log p).

Remark 2.2.2. Approximately, we have indeed that ∏_{i=1}^r ℓ_i ≈ (log p)^{log p / log log p} = exp(log log p · log p / log log p) = p.
To illustrate the idea, we show how to compute t (mod 2). Since p is an odd prime, we have |E(F_p)| ≡ t (mod 2), so t ≡ 0 (mod 2) if and only if E(F_p) has a nontrivial F_p-rational point of order two. The nontrivial points of order two are given by (x_i, 0) with x_i a root of X³ + a_4 X + a_6. Therefore, if X³ + a_4 X + a_6 is irreducible over F_p we have t ≡ 1 (mod 2), otherwise t ≡ 0 (mod 2). Note that the polynomial X³ + a_4 X + a_6 is irreducible over F_p if and only if gcd(X³ + a_4 X + a_6, X^p − X) = 1. The computation of t (mod 2) thus boils down to polynomial arithmetic modulo X³ + a_4 X + a_6.
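The ℓ = 2 step described above, as an added example that is not part of the course notes: X^p is reduced modulo X³ + a_4 X + a_6 by square-and-multiply, so the whole test costs O(log p) products of polynomials of degree less than 3 over F_p, and t mod 2 is read off gcd(X³ + a_4 X + a_6, X^p − X). Polynomials are lists of coefficients (lowest degree first); the function names and the sample curves (y² = x³ + x + 1 from Exercise 14, y² = x³ + 1, y² = x³ − x) are my own choices.

```python
def poly_trim(f):
    """Drop leading zero coefficients (lists are lowest degree first)."""
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_mod(f, g, p):
    """Remainder of f modulo g over F_p; g need not be monic."""
    f = poly_trim([c % p for c in f])
    g = poly_trim([c % p for c in g])
    inv_lead = pow(g[-1], -1, p)
    while len(f) >= len(g):
        coef = f[-1] * inv_lead % p
        shift = len(f) - len(g)
        for i, c in enumerate(g):
            f[i + shift] = (f[i + shift] - coef * c) % p
        poly_trim(f)
    return f

def poly_mulmod(f, g, m, p):
    """f * g reduced modulo m over F_p."""
    prod = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            prod[i + j] = (prod[i + j] + fi * gj) % p
    return poly_mod(prod, m, p)

def poly_powmod(base, e, m, p):
    """base^e modulo m over F_p by square-and-multiply: O(log e) products."""
    result, base = [1], poly_mod(base, m, p)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, p)
        base = poly_mulmod(base, base, m, p)
        e >>= 1
    return result

def poly_gcd(f, g, p):
    """Euclid's algorithm over F_p; only the degree of the result matters here."""
    f = poly_trim([c % p for c in f])
    g = poly_trim([c % p for c in g])
    while g:
        f, g = g, poly_mod(f, g, p)
    return f

def frobenius_x_mod_cubic(a4, a6, p):
    """X^p reduced modulo X^3 + a4 X + a6 over F_p."""
    return poly_powmod([0, 1], p, [a6 % p, a4 % p, 0, 1], p)

def schoof_t_mod_2(a4, a6, p):
    """t mod 2 for E : y^2 = x^3 + a4 x + a6 over F_p, p an odd prime > 3:
    1 iff the cubic has no root in F_p, i.e. gcd(cubic, X^p - X) is constant."""
    cubic = [a6 % p, a4 % p, 0, 1]
    xp_minus_x = frobenius_x_mod_cubic(a4, a6, p) + [0, 0]   # pad so index 1 exists
    xp_minus_x[1] = (xp_minus_x[1] - 1) % p                    # subtract X
    g = poly_gcd(cubic, xp_minus_x, p)
    return 1 if len(g) == 1 else 0
```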
More generally, we obtain the trace t modulo a prime ℓ > 2 by computing with the ℓ-torsion points.

Remark 2.2.3. One can use powers of ℓ when ℓ is small as well, to get higher congruences. We will not look at this.

Recall that the Frobenius endomorphism φ_p is defined by φ_p : E(F̄_p) → E(F̄_p), (x, y) ↦ (x^p, y^p), and that it cancels its characteristic polynomial, i.e.

φ_p² − [t]φ_p + [p] = 0.

By restricting to nontrivial ℓ-torsion points P ∈ E(F̄_p) we obtain the reduced equation in the F_ℓ-vector space E[ℓ](F̄_p)

φ_p²(P) + [p_ℓ]P = [t_ℓ]φ_p(P)

with t_ℓ ≡ t (mod ℓ), p_ℓ ≡ p (mod ℓ) and 0 ≤ t_ℓ, p_ℓ < ℓ.


P = (x_1, y_1) is a nontrivial ℓ-torsion point if and only if x_1 is a root of the ℓ-th division polynomial F_ℓ (because ℓ > 2; see Exercise 8 for F_3). The nontrivial ℓ-torsion points can therefore be described as the solutions of the system of equations

Y² − X³ − a_4 X − a_6 = 0,  F_ℓ(X) = 0.

This implies that the equation

(X^{p²}, Y^{p²}) + [p_ℓ](X, Y) = [t_ℓ](X^p, Y^p)

holds modulo the polynomial F_ℓ(X) and E(X, Y) = Y² − X³ − a_4 X − a_6. To compute t_ℓ one simply tries all τ ∈ {0, ..., ℓ − 1} until one finds the unique value for which the equation is true modulo F_ℓ(X) and E(X, Y).

The computation of [a](X, Y) is done using division polynomials and the classical formulas. Recall that for gcd(ℓ, p) = 1 we have E[ℓ] ≅ Z/ℓZ × Z/ℓZ and thus deg(F_ℓ) = (ℓ² − 1)/2 (when ℓ ≠ 2). The computation of (X^p, Y^p) and (X^{p²}, Y^{p²}) modulo F_ℓ and E(X, Y) clearly takes O(log p) multiplications in the ring F_p[X, Y]/(E(X, Y), F_ℓ(X)). Since deg F_ℓ is of order O(ℓ²), each of these multiplications takes O(ℓ^{2μ} log^μ p) bit operations (note that we can represent elements of F_p[X, Y]/(E(X, Y), F_ℓ(X)) as P(X)Y + Q(X) with the degrees of P and Q less than the degree of F_ℓ), so computing t (mod ℓ) requires O(ℓ^{2μ} log^{1+μ} p) bit operations (as we have to do it log p times while τ spans 0, ..., ℓ − 1). Summing over all primes ℓ_i this gives a complexity of O(log^{2+3μ} p) bit operations.

Remark 2.2.4. Recall that 1 < μ ≤ 2 depends on the algorithm used for multiplication: school-book multiplication (μ = 2), Karatsuba (μ = log_2 3) or FFT (μ = 1 + ε). The choice of Karatsuba or FFT only becomes relevant for very large fields (much larger than crypto sizes for FFT).

Note that if we could replace the division polynomials F_ℓ by alternative polynomials of lower degree, the complexity of the algorithm would drop considerably. This is part of the improvements of Atkin and Elkies leading to the so-called Schoof-Elkies-Atkin (SEA) algorithm. The last record is a computation with an elliptic curve over F_p with p = 10^{2099} + 6243.
3 Pairings

3.1 Review on divisors

We are going to assume that an elliptic curve is a genus 1 curve and that in this case the Riemann-Roch theorem states that

dim L(D) = deg(D)

for every divisor D on the curve of non-negative degree.

Lemma 3.1.1 ([Sil92, Lem.III.3.3]). Let E be an elliptic curve and P, Q ∈ E. Then (P) ~ (Q) if and only if P = Q.

Proof. Let D = (Q). Since deg(D) = 1 we have dim L(D) = 1, and since the constants are in L(D), L(D) consists only of the constants. Hence div f = (P) − (Q) is equivalent to f ∈ L(D), hence f is constant and P = Q.

Proposition 3.1.2 ([Sil92, Prop.III.3.4]). Let E be an elliptic curve.

1. For every divisor D ∈ Div⁰(E) there exists a unique point P ∈ E so that

D ~ (P) − (O).

Let σ : Div⁰(E) → E be the map given by this association.

2. σ is surjective.

3. Let D_1, D_2 ∈ Div⁰(E). Then σ(D_1) = σ(D_2) if and only if D_1 ~ D_2.

4. The inverse to σ is the map

κ : E → Pic⁰(E),  P ↦ (P) − (O).

5. If E is given by a Weierstrass equation then the geometric group law on E and the group law induced from Pic⁰(E) are the same.

Proof. (1) We have dim L(D + (O)) = 1, so let f be a generator. Since div(f) ≥ −D − (O) and deg(div(f)) = 0, it follows that

div(f) = −D − (O) + (P)

for some P ∈ E. Hence D ~ (P) − (O). Then using the lemma we see that P is unique.
(2) For any P ∈ E we have σ((P) − (O)) = P.
(3) Let D_1, D_2 ∈ Div⁰(E) and set P_i = σ(D_i). Then from the definition of σ,

(P_1) − (P_2) ~ D_1 − D_2.

Hence P_1 = P_2 certainly implies that D_1 ~ D_2. Conversely, if D_1 ~ D_2 we get (P_1) ~ (P_2), hence by the lemma P_1 = P_2.
(5) For the last point, let E be given by a Weierstrass equation and P, Q ∈ E. It clearly suffices to show that

κ(P + Q) = κ(P) + κ(Q).

Let f = αX + βY + γZ be a line L going through P, Q and let R be the third intersection point of L with E. Let f' = α'X + β'Y + γ'Z be the line through R and O. Then from the definition of the addition on E and the fact that the line Z = 0 intersects E at O with multiplicity 3, we have

div(f/Z) = (P) + (Q) + (R) − 3(O)

and

div(f'/Z) = (R) + (P + Q) − 2(O).

Hence

(P + Q) − (P) − (Q) + (O) = div(f'/f) ~ 0.

So

κ(P + Q) − κ(P) − κ(Q) = 0.

Corollary 3.1.3 ([Sil92, Cor.III.3.5]). Let E be an elliptic curve and D = Σ_P n_P (P) ∈ Div(E). Then D is principal if and only if Σ_P n_P = 0 and Σ_P [n_P]P = O.
3.2 The Weil pairing

Let E/K be an elliptic curve. For this section we fix an integer n prime to p. Let T ∈ E[n]; then there is a function f such that

div(f) = n(T) − n(O).

Letting T' ∈ E with [n]T' = T (every non-constant morphism is surjective), there is similarly a function g such that

div(g) = Σ_{R ∈ E[n]} ((T' + R) − (R)).

One can easily check that f ∘ [n] and g^n have the same divisor, so after scaling we can assume that f ∘ [n] = g^n. Now suppose that S ∈ E[n]; then for any point X ∈ E,

g(X + S)^n = f([n]X + [n]S) = f([n]X) = g(X)^n.

Hence we can define the Weil pairing

e_n : E[n] × E[n] → μ_n

by e_n(S, T) = g(X + S)/g(X). We need to check that it satisfies the properties we stated in Theorem 2.1.14.

Proof. (1) Linearity in the first factor is easy:

e_n(S_1 + S_2, T) = g(X + S_1 + S_2)/g(X) = [g(X + S_1 + S_2)/g(X + S_1)] · [g(X + S_1)/g(X)] = e_n(S_2, T) e_n(S_1, T).

For the second, let f_1, f_2, f_3, g_1, g_2, g_3 be functions as above for T_1, T_2 and T_3 = T_1 + T_2. Choose a function h with divisor (T_1 + T_2) − (T_1) − (T_2) + (O). Then div(f_3/(f_1 f_2)) = n div h, so f_3 = c f_1 f_2 h^n for some constant c. Compose with the multiplication-by-n map, use f_i ∘ [n] = g_i^n and take n-th roots to find

g_3 = c' g_1 g_2 (h ∘ [n]).

Now

e_n(S, T_1 + T_2) = g_3(X + S)/g_3(X) = g_1(X + S) g_2(X + S) h([n]X + [n]S) / (g_1(X) g_2(X) h([n]X)) = e_n(S, T_1) e_n(S, T_2).

(2) Let τ_P be the translation by P. Then

div(∏_{i=0}^{n−1} f ∘ τ_{[i]T}) = n Σ_{i=0}^{n−1} (([1 − i]T) − ([−i]T)) = 0.

Hence ∏_{i=0}^{n−1} f ∘ τ_{[i]T} is constant and, if we choose some T' with [n]T' = T, then ∏_{i=0}^{n−1} g ∘ τ_{[i]T'} is also constant because its n-th power is the above product of the f's. Evaluating the product of the g's at X and X + T' yields

∏_{i=0}^{n−1} g(X + [i]T') = ∏_{i=0}^{n−1} g(X + [i + 1]T').

Now cancelling like terms gives

g(X) = g(X + [n]T') = g(X + T)

so

e_n(T, T) = g(X + T)/g(X) = 1.

(3) If e_n(S, T) = 1 for all S ∈ E[n], so that g(X + S) = g(X) for all S ∈ E[n], then g = h ∘ [n] (see [Sil92, III.4.10.b]) for some function h. But then

(h ∘ [n])^n = g^n = f ∘ [n]

so f = h^n. Hence n div h = div f = n(T) − n(O), so div h = (T) − (O) and T = O.

(4) Let σ ∈ Gal(K̄/K). If f, g are the functions for T then clearly f^σ and g^σ are the corresponding functions for T^σ. Then

e_n(S^σ, T^σ) = g^σ(X^σ + S^σ)/g^σ(X^σ) = e_n(S, T)^σ.

(5) Let {Q_1, ..., Q_k} = ker(u). Since u is separable, k = deg(u). Let

div(f_T) = n(T) − n(O),  div(f_{u(T)}) = n(u(T)) − n(O)

and

g_T^n = f_T ∘ [n],  g_{u(T)}^n = f_{u(T)} ∘ [n].

We have

div(f_T ∘ τ_{−Q_i}) = n(T + Q_i) − n(Q_i).

Therefore

div(f_{u(T)} ∘ u) = n Σ_{u(T'') = u(T)} (T'') − n Σ_{u(Q) = O} (Q)
= n Σ_i ((T + Q_i) − (Q_i))
= div(∏_i f_T ∘ τ_{−Q_i}).

For each i choose Q'_i with nQ'_i = Q_i. Then

g_T(P − Q'_i)^n = f_T(nP − Q_i).

Consequently,

div(∏_i (g_T ∘ τ_{−Q'_i})^n) = div(∏_i f_T ∘ τ_{−Q_i} ∘ [n])
= div(f_{u(T)} ∘ u ∘ [n])
= div(f_{u(T)} ∘ [n] ∘ u)
= div((g_{u(T)} ∘ u)^n).

Therefore ∏_i g_T ∘ τ_{−Q'_i} and g_{u(T)} ∘ u differ only by a constant.

The definition of e_n yields

e_n(u(S), u(T)) = g_{u(T)}(u(X + S)) / g_{u(T)}(u(X))
= ∏_i g_T(X + S − Q'_i) / g_T(X − Q'_i)
= ∏_i e_n(S, T)
= e_n(S, T)^k = e_n(S, T)^{deg(u)}.

Note that it works also for the Frobenius endomorphism (even if it is not separable) since

e_n(φ_q(S), φ_q(T)) = φ_q(e_n(S, T)) = e_n(S, T)^q,

because φ_q is the q-th power map on the elements of F̄_q.

3.3 Computation of the Weil pairing: practice

If we want to compute the Weil pairing for large values of n we need to find a proper way to avoid massive computations. Indeed, the definition of the Weil pairing involves a function g whose divisor includes contributions from all the n² torsion points of E[n]. We hence need another definition of the Weil pairing.

Theorem 3.3.1. Let S, T ∈ E[n] and let D_S = (S) − (O) and D_T = (T + R) − (R) for an n-torsion point R. Let f_S and f_T be defined (up to a constant) by

div(f_S) = n D_S,  div(f_T) = n D_T.

Then the Weil pairing is given by

e_n(S, T) = f_T(D_S) / f_S(D_T).

By definition, f_T(D_S) = ∏_{i=1}^r f_T(P_i)^{n_i} where D_S = Σ_{i=1}^r n_i (P_i) (here we assume also that the support of div(f_T) is disjoint from the support of D_S). The proof of the theorem relies on Weil's reciprocity law, see [Sil92, Ex.III.3.16]. Using this new definition, one sees that one has to be able to compute values of the type f_S(P) for a given point P and div f_S = n(S) − n(O). It is still time-consuming to produce directly a function f_S when n is large. However this can be done efficiently thanks to the following algorithm due to Victor Miller.

Definition 3.3.2. Let m ∈ Z and S ∈ E[n]. One calls Miller function f_{m,S} the function defined up to a scalar by

div(f_{m,S}) = m(S) − ([m]S) − (m − 1)(O).

Let S_1, S_2 ∈ E. We define the function g_{S_1,S_2} = L_{S_1,S_2} / L_{S_1+S_2, −(S_1+S_2)}, where L_{S,T} is the line passing through S and T (the tangent if S = T). Clearly from the definition of the addition law, one has

div(g_{S_1,S_2}) = (S_1) + (S_2) − (S_1 + S_2) − (O).

By computing the divisors, one then sees that Miller functions can be built as follows: f_{1,S} := 1, and for m_1, m_2 ∈ Z

f_{m_1+m_2,S} = f_{m_1,S} f_{m_2,S} g_{[m_1]S,[m_2]S},

f_{m_1 m_2,S} = f_{m_1,S}^{m_2} f_{m_2,[m_1]S} = f_{m_2,S}^{m_1} f_{m_1,[m_2]S}.

In particular

f_{m+1,S} = f_{m,S} g_{[m]S,S},

f_{2m,S} = f_{m,S}² g_{[m]S,[m]S},

f_{n,S} = f_S.

This yields the following doubling-and-add algorithm:

Input: S ∈ E[n], P ∈ E[n], n = (n_l, ..., n_0)_2.
Output: f_S(P)
R ← S, f ← 1
for (i ← l − 1; i ≥ 0; i−−) do
    f ← f² · g_{R,R}(P)     } Doubling
    R ← [2]R                }
    if (n_i = 1) then
        f ← f · g_{R,S}(P)  } Addition
        R ← R + S           }
    end if
end for
return f

Remark 3.3.3. This gives only half of the Weil pairing. It is then tempting to define a pairing only using this computation. It is indeed possible and leads to the notion of the reduced Lichtenbaum-Tate pairing, see [CFA+06].
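Miller's doubling-and-add loop above, as an added example that is not part of the course notes, followed by the Weil pairing obtained from two Miller functions through e_n(S, T) = (−1)^n f_{n,S}(T) / f_{n,T}(S); this is Miller's formula for normalised functions (the lines y − λ(x − x_R) − y_R and x − x_R have leading coefficient 1 at O) and linearly independent S, T ∈ E[n], not the divisor form of Theorem 3.3.1. The curve E : y² = x³ + 2 over F_7, for which E(F_7) ≅ Z/3Z × Z/3Z and μ_3 = {1, 2, 4}, is a toy instance constructed for the example, and all names are mine.

```python
P_MOD = 7            # the field F_7
A4, A6 = 0, 2        # E : y^2 = x^3 + A4 x + A6 over F_7; E(F_7) = Z/3 x Z/3

def on_curve(P):
    x, y = P
    return (y * y - x ** 3 - A4 * x - A6) % P_MOD == 0

def neg(P):
    return None if P is None else (P[0], (-P[1]) % P_MOD)

def miller_g(R, S, X):
    """Return (R + S, g_{R,S}(X)) with g_{R,S} = L_{R,S} / L_{R+S,-(R+S)}.
    R, S are affine points; X is an affine point at which no line vanishes."""
    xR, yR = R
    xS, yS = S
    x, y = X
    if xR == xS and (yR + yS) % P_MOD == 0:
        # S = -R: L_{R,S} is the vertical line x - x_R, R + S = O, and the
        # denominator L_{O,O} is the line at infinity, taken to be 1.
        return None, (x - xR) % P_MOD
    if R == S:
        lam = (3 * xR * xR + A4) * pow(2 * yR, -1, P_MOD) % P_MOD   # tangent
    else:
        lam = (yS - yR) * pow(xS - xR, -1, P_MOD) % P_MOD            # chord
    x3 = (lam * lam - xR - xS) % P_MOD
    y3 = (lam * (xR - x3) - yR) % P_MOD
    num = (y - yR - lam * (x - xR)) % P_MOD     # L_{R,S}(X)
    den = (x - x3) % P_MOD                      # vertical line through R + S
    return (x3, y3), num * pow(den, -1, P_MOD) % P_MOD

def miller(S, X, n):
    """f_{n,S}(X) by the doubling-and-add loop, n = (n_l ... n_0)_2, n_l = 1.
    Requires [n]S = O and X outside the subgroup generated by S."""
    f, R = 1, S
    for bit in bin(n)[3:]:                      # bits n_{l-1}, ..., n_0
        R, g = miller_g(R, R, X)                # doubling: f <- f^2 g_{R,R}(X)
        f = f * f * g % P_MOD
        if bit == "1":
            R, g = miller_g(R, S, X)            # addition: f <- f g_{R,S}(X)
            f = f * g % P_MOD
    if R is not None:
        raise ValueError("n is not a multiple of the order of S")
    return f

def weil_pairing(S, T, n):
    """e_n(S, T) = (-1)^n f_{n,S}(T) / f_{n,T}(S) for independent S, T in E[n]."""
    e = miller(S, T, n) * pow(miller(T, S, n), -1, P_MOD) % P_MOD
    return (-e) % P_MOD if n % 2 else e

# Constructed sample: two independent points of order 3 on E(F_7).
P = (0, 3)
Q = (3, 1)
```

For n = 3 the loop reduces f_{3,P} to the tangent line at the inflection point P, and e_3(P, Q) comes out as a primitive cube root of unity, with e_3(Q, P) = e_3(P, Q)^{-1} and e_3(P, −Q) = e_3(P, Q)² as bilinearity and alternation require.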
4 Exercise sessions (Travaux Dirigés)

4.1 TD 1
4.1.1 Statements
Exercise 1 (Drawing elliptic curves over R). Sketch the curves

E_1 : y² = x³ − x + 1

and

E_2 : y² = x³ − x

by studying the variation table (domain of definition, variations, ...) of the functions √(x³ − x + 1) and √(x³ − x).

Exercise 2 (j-invariant in characteristic 2 and 3). Check with a computer algebra system that if two Weierstrass models are isomorphic then their j-invariants are equal.

Exercise 3 (Algebraic group law). Write explicitly the coordinates of P + Q for a simplified Weierstrass model in the case where P and Q are distinct, distinct from the point at infinity and with nonzero sum. Are these formulas still valid when P = Q?

Check that an addition requires one inversion (I), 2 multiplications (M) and 1 squaring (S) over K (additions are neglected).

Exercise 4 (Associativity of the group law). Using a computer algebra system, show that the group law is associative (restrict to the generic case of distinct points).

Exercise 5 (Preservation of addition under isomorphism). Show that an isomorphism between two elliptic curves is a group morphism for the usual law on the curves.


Exercise 6 (Automorphism group). Show that the automorphism group of an elliptic curve over an algebraically closed field of characteristic different from 2 or 3 is a cyclic group of order 2 if the j-invariant is different from 0 and 1728 (resp. 4 if it is equal to 1728, resp. 6 if it is equal to 0).
Remark 4.1.1. In characteristics 2 and 3, the automorphism group is bigger and non-abelian if j = 0 = 1728.

Exercise 7 (Legendre form). Put the elliptic curve E : y² = x(x − 1)(x − λ) with λ ≠ 0, 1 in Weierstrass form and show that then

j = 2⁸ (λ² − λ + 1)³ / (λ² (λ − 1)²).

Show that if j ≠ 0, 1728 there are six distinct values of λ giving this j, and that if λ_0 is one of these values then the others are given by

1 − λ_0,  1/λ_0,  1/(1 − λ_0),  λ_0/(λ_0 − 1),  (λ_0 − 1)/λ_0.

Exercise 8 (2-torsion and 3-torsion points). Let E : y² = x³ + Ax + B be an elliptic curve in characteristic p ≠ 2, 3. Give the coordinates of the 2-torsion and 3-torsion points.

4.1.2 Solutions
Solution to exercise 1. See the drawings in 1.1.1 of the course.

Solution to exercise 2. See the practical session (TP).

Solution to exercise 3. Let P = (x_1, y_1) and Q = (x_2, y_2) be two points of a curve E : y² = x³ + Ax + B. The line through P and Q has slope λ = (y_2 − y_1)/(x_2 − x_1) and hence equation y = λx + ν with ν = (y_1 x_2 − y_2 x_1)/(x_2 − x_1). Substituting in the equation of the curve E: (λx + ν)² = x³ + Ax + B. We know that the three solutions in x of this equation are x_1, x_2 and x_3, the abscissa of the point P + Q. Since −(x_1 + x_2 + x_3) is the coefficient of degree 2 of the equation x³ + Ax + B − (λx + ν)² = 0, we get x_1 + x_2 + x_3 = λ², i.e. x_3 = λ² − x_1 − x_2. The ordinate y_3 of the point P + Q is given by (−y_3 − y_1)/(x_3 − x_1) = λ, i.e. y_3 = −y_1 + λ(x_1 − x_3). In summary:

1. λ = (y_2 − y_1)/(x_2 − x_1) (one inversion and one multiplication);

2. x_3 = λ² − x_1 − x_2 (one squaring);

3. y_3 = −y_1 + λ(x_1 − x_3) (one multiplication).

This is no longer valid if P = Q, since then x_2 = x_1 and λ cannot be computed. Note however that

λ = (y_2 + y_1)(y_2 − y_1) / ((y_2 + y_1)(x_2 − x_1)) = (y_2² − y_1²) / ((y_2 + y_1)(x_2 − x_1)) = (x_2³ + Ax_2 + B − (x_1³ + Ax_1 + B)) / ((y_2 + y_1)(x_2 − x_1)) = (x_1² + x_2² + x_1 x_2 + A) / (y_2 + y_1),

for which there is no longer any problem when P = Q (but there is one again when Q = −P).

Solution to exercise 4. See TP.

Solution to exercise 5. Let us first note that the image of the point at infinity is again the point at infinity. Indeed, the isomorphism (x, y) ↦ (u²x + r, u³y + u²sx + t) is written in projective coordinates (x : y : z) ↦ (u²x + rz : u³y + u²sx + tz : z). Thus the image of (0 : 1 : 0) is indeed the point (0 : 1 : 0). Moreover, since this isomorphism is affine, it preserves lines and tangents and hence the geometric construction of the sum of two points (and of the double of a point).
Solution to exercise 6. Since the characteristic of k (algebraically closed) is different from 2 and 3, we may assume E : y² = x³ + Ax + B. The automorphisms of E are then of the form x' = u²x and y' = u³y with u ∈ k*. We then have u⁶y'² = u⁶x'³ + Au²x' + B, i.e. y'² = x'³ + (A/u⁴)x' + B/u⁶. It is therefore necessary and sufficient that A/u⁴ = A and B/u⁶ = B. We distinguish three cases:

1. AB ≠ 0, i.e. the j-invariant of E is different from 0 and 1728 since j = 1728 · 4A³/(4A³ + 27B²). In this case we get u² = 1, that is x' = x and y' = ±y.

2. B = 0: then we have the condition u⁴ = 1 and the automorphism group is generated by x' = −x and y' = iy.

3. A = 0: then we have the condition u⁶ = 1 and, if we denote by j a cube root of unity, the automorphism group is generated by x' = jx and y' = −y.

Solution to exercise 7. See TP.

Solution to exercise 8. By definition P is a 2-torsion point iff 2P = O. The tangent line at P must therefore be vertical. Looking at the derivative of the function √(x³ + Ax + B), this happens at the zeros of x³ + Ax + B (and at the point at infinity). The 2-torsion points are therefore O and the 3 points (x_i, 0) such that x_i is a root of x³ + Ax + B (the points are distinct since the polynomial is squarefree).
Similarly, P is a 3-torsion point iff 3P = O, i.e. 2P = −P. The tangent line at P must therefore meet the curve E only at P: P is thus an inflection point. One can compute them by studying the function √(x³ + Ax + B) or as the zeros of the Hessian det(∂²F/∂x_i ∂x_j) where F(x_1, x_2, x_3) = x_2² x_3 − x_1³ − A x_1 x_3² − B x_3³. One can also write 2P = −P algebraically. Let us choose this last possibility. Let P = (x_0, y_0) be different from the point at infinity. We compute 2P by computing the slope of the tangent at P: λ = (3x_0² + A)/(2y_0). Reasoning as in exercise 3, we get 3x_0 = λ², i.e.

3x_0 (4y_0²) = 12x_0 (x_0³ + Ax_0 + B) = (3x_0² + A)²,

which gives the equation

3x⁴ + 6Ax² + 12Bx − A² = 0.

The 3-torsion points are the point O and the points (x_0, y_0) where x_0 is a solution of the preceding equation.

4.2 TD 2
4.2.1 Statements
Exercise 9 (Some features of Sage). Let E/F_101 : y² = x³ + 3x + 5. Ask Sage

1. to give the order of E(F_101) and to list all the rational points;

2. to give the Weil polynomial of the curve;

3. to give the Weil polynomial of the curve over F_{101²}; check that this agrees with Exercise 11;

4. to plot the points of the curve E/F_p : y² = x³ + x + 1 for p = 101, 2003 and 10007.

5. What do you notice?

Exercise 10 (Minimum number of points of elliptic curves). Using the Hasse-Weil bound, show that the only finite fields for which there exists an elliptic curve with no affine rational point are F_2, F_3 and F_4. For each of these fields, find these curves explicitly using the computer.

Exercise 11 (Number of points over extensions). Let E/F_q be an elliptic curve of trace a. Let α, β be the roots of the characteristic polynomial of the Frobenius φ_q. Show that |α| = |β| = √q (first show that |a| ≤ 2√q).
Let s_i = α^i + β^i. Then s_0 = 2, s_1 = a, and show that

s_{n+1} = a s_n − q s_{n−1}.

Using the fact that X^{2i} − s_i X^i + q^i is divisible by X² − aX + q, express in terms of α, β the number of points of E over an extension of degree i of F_q.
Let Z(E, t) = exp(Σ_{i≥1} #E(F_{q^i}) t^i / i) be the formal power series in t. Show that

Z(E, t) = (1 − at + qt²) / ((1 − t)(1 − qt)).

Exercise 12 (A family of supersingular curves). Let q be odd with q ≡ 2 (mod 3). Let B ∈ F_q*. Show that the elliptic curve E : y² = x³ + B is supersingular (first show that every element of F_q has a unique cube root in F_q).

Exercise 13 (Number of supersingular curves). Compute with the computer, for the first 100 primes p, the number of F_p-isomorphism classes of supersingular elliptic curves over F_p.

4.2.2 Solutions
Solution to exercise 9. See TP.

Solution to exercise 10. By Hasse-Weil, |#E(F_q) − q − 1| ≤ 2√q, so #E(F_q) ≥ q + 1 − 2√q = (√q − 1)². This number is strictly greater than 1 as soon as q > 4. Then see TP.

Solution to exercise 11. We know that #E(F_q) = q + 1 − a; the Hasse-Weil bounds therefore give |a| ≤ 2√q. Since the characteristic polynomial of the Frobenius is X² − aX + q, its discriminant is a² − 4q ≤ 0, with equality if and only if a = ±2√q. We therefore have two cases:

If a = ±2√q (in particular q is a square) then X² ∓ 2√q X + q = (X ∓ √q)² and the result is established.

Otherwise the roots α and β are complex conjugates, so |α| = |β|, and since their product is q we have the result.

The second result is obtained easily since

a s_n − q s_{n−1} = (α + β)(α^n + β^n) − αβ(α^{n−1} + β^{n−1}) = α^{n+1} + β^{n+1}.

Note that X^{2i} − s_i X^i + q^i = (X^i − α^i)(X^i − β^i) and it is divisible by (X − α)(X − β) in Z[X]. Let Q(X) ∈ Z[X] be the quotient. We then have

(φ_q^i)² − (α^i + β^i) φ_q^i + q^i = Q(φ_q)(φ_q² − a φ_q + q) = 0.

Since φ_q^i = φ_{q^i} and the characteristic polynomial of φ_{q^i} is unique, α^i + β^i is the trace of E over F_{q^i}. Hence #E(F_{q^i}) = q^i + 1 − s_i.
To finish, it suffices to note that

#E(F_{q^i}) t^i / i = t^i / i + (qt)^i / i − (αt)^i / i − (βt)^i / i

and that Σ_{i≥1} (zt)^i / i = −log(1 − zt).

Solution to exercise 12. Since q ≡ 2 (mod 3), q − 1 = 1 + 3n, so 3 is coprime to q − 1 and hence invertible modulo q − 1. Let r be such that 3r = 1 + (q − 1)m. For every a ∈ F_q* (for a = 0 it is clear), we then have (a^r)³ = a^{3r} = a^{1+(q−1)m} = a · (a^{q−1})^m = a, since F_q* is a cyclic group of order q − 1. Hence a^r is a solution of x³ = a. The solution is moreover unique, since if x³ = y³ (with x and y nonzero) then, raising both sides to the power r, we find x = y.
For every value of y ∈ F_q there is therefore a unique solution x of y² − B = x³. The curve E therefore has q + 1 points (the 1 comes from the point at infinity). Its trace is zero, so the curve is supersingular.
Note that all the curves E have the same j-invariant, equal to 0. One cannot therefore really speak of a family.

Solution to exercise 13. See TP.



4.3 TD 3
4.3.1 Statements
Exercise 14. 1. Let E/Q : y² = x³ + 2x − 2. Show that E is an elliptic curve.
2. Let P = (1, 1) ∈ E(Q). Compute 2P and 3P "by hand" (using SAGE as a big calculator), then check on the computer.
3. Let E/F_5 : y² = x³ + x + 1. What is its number of rational points? Same question over F_{5²}. Check with the computer. Is the curve E supersingular?
4. Are the curves E/F_7 : y² = x³ + x + 1 and E'/F_7 : y² − 3xy − y = x³ − x² + 2x + 2 isomorphic? Over F̄_7?

Exercise 15. Show that if a curve is anomalous over F_q (i.e. its number of points is equal to the cardinality of the base field), it is not anomalous over F_{q²}. Assuming the characteristic is different from 2, show that if (x, y) ∈ E(F_q) then

q(x, y) = (x^q, y^q) + (x^{q²}, −y^{q²}).

Exercise 16. Consider the following curves over F_2, called Koblitz curves:

E_1 : y² + xy = x³ + 1,  E_2 : y² + xy = x³ + x² + 1.

1. Show that the Weil polynomial of E_i is P_i = X² − (−1)^i X + 2.
2. Are these curves supersingular?
Now consider an integer d > 1 and E_i over F_{2^d} for i = 1, 2.
3. Compute the order of E_i over F_4.
4. Is there a d such that the order of E_i is prime?
5. Is this a drawback or an advantage in cryptography?
The Frobenius operation φ_2 : (x, y) ↦ (x², y²) is fast in characteristic 2 for a well-chosen basis. We would therefore like to write the multiplication by an integer k "in base φ_2". For that, note that φ_2 cancels P_i and that it therefore corresponds to a root τ_i = ((−1)^i + √−7)/2. Choose i = 2 and τ = τ_2. Since the ring Z[τ] is Euclidean and |τ| = √2, we will be able to expand k = Σ_{j=0}^r ε_j τ^j with ε_j ∈ {−1, 0, 1}, and thus [k] = Σ_{j=0}^r [ε_j] φ_2^j. One can also proceed more simply by writing an element of Z[τ] as a + bτ and then performing the Euclidean division of a and b by 2, replacing 2 by τ − τ².
6. Write 7 in base τ.
7. Write 7 in base 2.
8. What do you notice about the length of the expansion?

4.3.2 Solutions
Solution to exercise 15. A curve E/F_q is anomalous if and only if its trace is a = (q + 1) − q = 1. The trace of E/F_{q²} is equal to a² − 2q = 1 − 2q, which is always different from 1.
The Frobenius endomorphism φ_q on E/F_q satisfies φ_q² − φ_q + [q] = [0], hence the result, taking a Weierstrass model of the form y² = f(x).

Solution to exercise 16.

1. It suffices to compute the number of points on E_i, and then #E_i(F_2) = 2 + 1 − t.

2. These curves are not supersingular since 2 does not divide the trace. This property remains true over every extension since it is equivalent to #E_i[2](F̄_2) = 4. The MOV attack therefore does not work on these curves.

3. If P_i = (X − α)(X − β), the Weil polynomial over F_4 is (X − α²)(X − β²) = X² − ((α + β)² − 4)X + 4. Hence #E_1(F_4) = #E_2(F_4) = 8.

4. No, since 1 < #E_i(F_2) | #E_i(F_{2^d}).

5. It is a drawback, since as we want a large prime factor in the order of E_i(F_{2^d}) we will have to increase the size of d by at least 2 bits compared to the conceivable optimum.

6.

7 = 1 + 3(τ − τ²) = 1 + 3τ − 3τ² = 1 + τ + (τ − τ²)τ − (τ − τ²)τ² = 1 + τ − 2τ³ + τ⁴ = 1 + τ + τ⁵.

7. 7 = 1 + 2 + 2².

8. 5 > 2 · 2: it seems that the expansion is at least twice as long. Considering 2^{2n} = (τ − τ²)^{2n} = τ^{2n}(1 − τ)^{2n}, we see that this is the case for an infinite number of values.

9. The doubling of the length of the expansion is problematic but is counterbalanced by the speed of the Frobenius. Moreover there exist algorithms which allow one to reduce the length of the expansion.
40 Chapitre 4. Travaux Dirigs

4.4 TD1 on algebraic geometry

4.4.1 Statements
Exercise 17. Let $C = V(F)$ be an affine plane curve defined over an algebraically closed field.
1. Show that $C$ is the union of two distinct affine plane curves if and only if $F$ is not a power of an irreducible polynomial. If this is not the case, $C$ is said to be irreducible.
2. Show that every plane curve is a finite union of irreducible curves, called its irreducible components.
Exercise 18. Study the singularities of
1. the astroid $C : (x^2 + y^2 - 1)^3 + 27x^2y^2 = 0$;
2. the conchoid of Nicomedes $C : (x^2 + y^2)(x - 1)^2 = 4x^2$ (this curve can be used to trisect an angle, cf. F. Kirwan, Complex algebraic curves, p. 25);
3. the surfaces $S_1 : xt - yz = 0$ and $S_2 : x^3 + y^3 + z^3 + t^3 = 0$, then the curve of $\mathbb{P}^3$
$$C : \{xt - yz = 0,\ x^3 + y^3 + z^3 + t^3 = 0\} = S_1 \cap S_2;$$
4. likewise with $S_1' : t^2 - yz = 0$ and $C' = S_1' \cap S_2$.

Exercise 19.
1. Let $F(x, y, z)$ be a homogeneous polynomial of degree $d$. Show (Euler's relation) that
$$x\frac{\partial F}{\partial x} + y\frac{\partial F}{\partial y} + z\frac{\partial F}{\partial z} = d \cdot F(x, y, z)$$
(take the partial derivative of $F(\lambda x, \lambda y, \lambda z) = \lambda^d F(x, y, z)$ with respect to $\lambda$, then set $\lambda = 1$).
2. If $d$ is prime to the characteristic of the field, deduce that the projective plane curve $C : F = 0$ is singular at the projective point $P_0 = (x_0 : y_0 : z_0)$ if and only if
$$\left(\frac{\partial F}{\partial x}(P_0),\ \frac{\partial F}{\partial y}(P_0),\ \frac{\partial F}{\partial z}(P_0)\right) = (0, 0, 0).$$
3. If the point $P_0$ is not singular, an equation of the tangent is
$$\frac{\partial F}{\partial x}(P_0)\,x + \frac{\partial F}{\partial y}(P_0)\,y + \frac{\partial F}{\partial z}(P_0)\,z = 0.$$
4. Study the singularities of $C_1/\mathbb{C} : y^2z = x^3$ over $\mathbb{C}$, then over $\mathbb{F}_2$.


Exercise 20. A projective conic $Q$ over a field $k$ is a plane curve given by a homogeneous polynomial of degree 2 which is irreducible over $k$. We assume $\operatorname{char}(k) \neq 2$.

1. Suppose $k = \bar k$. Show that there is a coordinate system $(X, Y, Z)$ of $\mathbb{P}^2$ in which an equation of the conic is $X^2 - YZ = 0$. In particular $Q$ is non-singular.

2. Deduce that $Q$ is isomorphic to $\mathbb{P}^1$. Can a similar result be deduced when $k$ is not algebraically closed?

3. How is this isomorphism realized geometrically?

4. Show that if $k = \mathbb{F}_q$ then $Q$ always has a rational point. Deduce that $Q$ is isomorphic to $\mathbb{P}^1$.

We now assume $k = \mathbb{Q}$.

5. Using the theory of quadratic forms, show that there is a projective transformation defined over $\mathbb{Q}$ such that $Q$ is isomorphic to $ax^2 + by^2 = z^2$ for some $a, b \in \mathbb{Q} \setminus \{0\}$.

6. Show that, by an additional diagonal transformation, one may assume that $a, b$ are squarefree integers with $|a| \geq |b|$.

7. Show that if $Q$ has a rational point then $b$ is a square modulo every prime $p$ dividing $a$. Deduce that $b$ is a square modulo $a$. There thus exist $m, a_1$ with $|m| \leq |a|/2$ and $m^2 = b + aa_1$.

8. Show that if $m^2 = b + aa_1$ and $(x : y : z)$ is a point of $Q$ then
$$a_1\,(z^2 - by^2)^2 + b\,\big((my - z)x\big)^2 = \big((mz - by)x\big)^2.$$
Deduce that $Q$ has a rational point if and only if the conic $a_1x^2 + by^2 = z^2$ has one.

9. Show that if $|a| > 1$ then $|a_1| < |a|$, and that one can therefore reduce to the case where $b$ is not a square modulo $a$, or to $|a| = |b| = 1$, for which there is a solution if and only if at least one of the two numbers is positive.

Exercise 21. We want to prove weak versions of Bézout's theorem. Let $F, G \in k[x, y]$, with $k$ algebraically closed, have no common factor.

1. Show that there exist a non-zero polynomial $d \in k[x]$ and polynomials $A, B \in k[x, y]$ such that $d = AF + BG$.

2. Deduce that the intersection of $V(F)$ and $V(G)$ is finite.

3. Is the curve $\{(t, \sin(t)),\ t \in \mathbb{C}\}$ algebraic?

A second version. Let $C = V(F)$ be a projective curve with $F \in k[x, y, z]$ homogeneous of degree $n > 0$, and let $L$ be a line of the projective plane which is not a component of $C$.

Figure 4.1: Pascal's hexagon (figure not reproduced).

4. Show that $C \cap L$ consists of at most $n$ points.

5. Let $p$ be a point not on $C$. Show that, with at most $n(n - 1)$ exceptions, a line $L$ through $p$ meets $C$ in exactly $n$ points.

Exercise 22. Prove the following result:

Proposition 4.4.1. If two projective plane curves $C_1, C_2$ over $\mathbb{C}$ of degree $n$ meet in exactly $n^2$ points, and there is an irreducible curve $D$ of degree $m < n$ containing $mn$ of these points, then there is a curve of degree at most $n - m$ containing the $n(n - m)$ residual points.

To do so, denote by $P_1, P_2, R$ the respective equations of $C_1, C_2$ and $D$, and let $p = [a : b : c]$ be a point of $D$ not in $C_1 \cap C_2$. Show that there is a linear combination of $P_1$ and $P_2$ vanishing at $p$. Conclude using Bézout.

This result will be used to prove the corollary:

Corollary 4.4.2 (Pascal's mystic hexagon). The pairs of opposite sides of a hexagon inscribed in an irreducible conic meet in three collinear points.

Exercise 23. Let $C : f = 0$ be a projective plane curve of degree 4, assumed non-singular. If $L$ is a line, it can meet $C$ in points with the following multiplicities:

1. $(1, 1, 1, 1)$: the generic case;

2. $(2, 1, 1)$: $L$ is tangent at the first point;

3. $(3, 1)$: the first point is an inflection point;

4. $(2, 2)$: such lines are called bitangents;

5. $(4)$: such points are called hyperinflection points. A general quartic has none.

Compute the bitangents of the Plücker quartic
$$4(x^2 + y^2 + 2y)^2 + (2y + 3)(y + 1)(y^2 - x^2) = \frac{1}{360}.$$
To do so, replace $y$ by $\lambda x + \mu$ and $z$ by 1 in $f$, then express the fact that the line $y = \lambda x + \mu$ is a bitangent by the condition that the resulting polynomial in $x$ is a perfect square: if $g$ is any polynomial of degree 4,
$$g(x) = ax^4 + bx^3 + cx^2 + dx + e = a\left(x^2 + \frac{b}{2a}\,x + \frac{4ac - b^2}{8a^2}\right)^2 + \alpha x + \beta.$$
This gives two conditions, one on the coefficient $\alpha$ of $x$ and the other on the constant term $\beta$. Computing a resultant, eliminate for instance $\mu$ between these two equations to obtain a condition on $\lambda$. This equation (of degree 28 generically, the number of bitangents of a smooth quartic) gives the values of $\lambda$, from which one recovers the values of $\mu$. The line at infinity and the vertical lines are treated separately.
4.4.2 Solutions
Solution to exercise 17.

1. By Corollary 5.1.8, if $F = \prod F_i^{e_i}$ with the $F_i$ distinct irreducibles, we also have $C = V(G)$ with $G = F_1 \cdots F_r$. If $r > 1$ then $C_1 = V(F_1)$ and $C_2 = V(F_2 \cdots F_r)$ are two curves such that $C = C_1 \cup C_2$ and $C_1 \neq C_2$ (indeed, if $C_1 = C_2$ then $I(C_1) = (F_1) = I(C_2) = (F_2 \cdots F_r)$, which is impossible since $F_1$ and $F_2 \cdots F_r$ are coprime). If $r = 1$ then $C = V(F_1)$. If there were a non-trivial curve $C_1 = V(H) \subsetneq C$, then $(F_1) = I(C) \subset I(C_1) = \operatorname{rac}(H)$, so $H$ would divide a power of the irreducible polynomial $F_1$, hence $V(H) = V(F_1) = C$: a contradiction.

2. By an immediate induction on the number of irreducible factors of $F$.

Solution to exercise 18. See the lab session (TP).


Solution to exercise 19.

1. Differentiate the composite of $g : \lambda \mapsto (\lambda x, \lambda y, \lambda z)$ with $F : (x, y, z) \mapsto F(x, y, z)$. By the chain rule,
$$\frac{\partial (F \circ g)}{\partial \lambda} = x\,\frac{\partial F}{\partial x}(\lambda x, \lambda y, \lambda z) + y\,\frac{\partial F}{\partial y}(\lambda x, \lambda y, \lambda z) + z\,\frac{\partial F}{\partial z}(\lambda x, \lambda y, \lambda z),$$
which gives the result at $\lambda = 1$. Differentiating the right-hand side $\lambda^d F(x, y, z)$ is immediate.

2. Choose an affine chart around the point of interest. As the equation is symmetric, suppose it is a point with $z_0 \neq 0$. The point is then singular if and only if $\partial F/\partial x = \partial F/\partial y = 0$ at $(x_0, y_0, 1)$. If this is the case, Euler's relation at $P_0$ gives $z_0\,\partial F/\partial z(P_0) = d\,F(P_0) = 0$, so $\partial F/\partial z(P_0) = 0$ as well. Conversely, if all three partial derivatives vanish at a point, then since $d$ is non-zero in $k$, Euler's relation shows that $F$ vanishes there too: the point lies on the curve, and it is singular.

3. An affine equation of the tangent at $(x_0 : y_0 : 1)$ is
$$y - y_0 = -\frac{\partial F/\partial x}{\partial F/\partial y}(x_0, y_0, 1)\,(x - x_0).$$
Expanding, one gets
$$\frac{\partial F}{\partial x}(P_0)\,x + \frac{\partial F}{\partial y}(P_0)\,y - \left(x_0\frac{\partial F}{\partial x}(P_0) + y_0\frac{\partial F}{\partial y}(P_0)\right) = 0.$$
By Euler's relation (with $z_0 = 1$ and $F(P_0) = 0$) the last term equals $\frac{\partial F}{\partial z}(P_0)$; homogenizing in $(x : y : z)$ gives the result.

4. In the first case, the gradient is $(-3x^2, 2yz, y^2)$. The point $(0 : 0 : 1)$ is therefore the unique singular point, both over $\mathbb{C}$ and over $\mathbb{F}_2$ (where $d = 3$ is still prime to the characteristic).
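As an added example (not part of the course notes), the Python code below implements the Jacobian criterion of this exercise over a prime field $\mathbb{F}_p$: it checks Euler's relation as a polynomial identity, lists the points of $\mathbb{P}^2(\mathbb{F}_p)$ where all three partial derivatives vanish, splits them into points on the curve (the singular points) and points off it, and computes tangent lines. The polynomial encoding (a dict from exponent triples to coefficients) is my own choice. Run on the cuspidal cubic $y^2z = x^3$ it finds the unique singular point $(0 : 0 : 1)$ over $\mathbb{F}_2$ and $\mathbb{F}_5$; over $\mathbb{F}_3$, where the characteristic divides the degree and Euler's relation says nothing, it exhibits points off the curve at which the gradient nevertheless vanishes, which is exactly why question 2 assumes $d$ prime to the characteristic.

```python
"""Jacobian criterion of exercise 19 over F_p: Euler's relation as a polynomial
identity, singular points of a projective plane curve, tangent lines, and the
failure of the criterion when the characteristic divides the degree.  Added
example, not from the course notes; the encoding {(i, j, k): c} for the
polynomial sum c x^i y^j z^k is my own choice."""


def trim(f, p):
    """Reduce coefficients mod p and drop the zero ones."""
    return {e: c % p for e, c in f.items() if c % p}


def padd(f, g, p):
    h = dict(f)
    for e, c in g.items():
        h[e] = h.get(e, 0) + c
    return trim(h, p)


def pmul(f, g, p):
    h = {}
    for (i1, j1, k1), c1 in f.items():
        for (i2, j2, k2), c2 in g.items():
            e = (i1 + i2, j1 + j2, k1 + k2)
            h[e] = h.get(e, 0) + c1 * c2
    return trim(h, p)


def pderiv(f, var, p):
    """Formal partial derivative with respect to variable var (0: x, 1: y, 2: z)."""
    h = {}
    for e, c in f.items():
        if e[var]:
            e2 = e[:var] + (e[var] - 1,) + e[var + 1:]
            h[e2] = h.get(e2, 0) + c * e[var]
    return trim(h, p)


def peval(f, pt, p):
    x, y, z = pt
    return sum(c * pow(x, i, p) * pow(y, j, p) * pow(z, k, p) for (i, j, k), c in f.items()) % p


def euler_holds(f, d, p):
    """x F_x + y F_y + z F_z == d F for F homogeneous of degree d (question 1)."""
    lhs = {}
    for var, mono in enumerate([(1, 0, 0), (0, 1, 0), (0, 0, 1)]):
        lhs = padd(lhs, pmul({mono: 1}, pderiv(f, var, p), p), p)
    return lhs == trim({e: d * c for e, c in f.items()}, p)


def projective_points(p):
    """One representative of every point of P^2(F_p)."""
    return ([(1, y, z) for y in range(p) for z in range(p)]
            + [(0, 1, z) for z in range(p)] + [(0, 0, 1)])


def jacobian_zeros(f, p):
    """Points where all three partials vanish, split into points on the curve
    (its singular points) and points off it.  When p does not divide the degree,
    Euler's relation forces the second list to be empty (question 2)."""
    grads = [pderiv(f, v, p) for v in range(3)]
    on, off = [], []
    for pt in projective_points(p):
        if all(peval(g, pt, p) == 0 for g in grads):
            (on if peval(f, pt, p) == 0 else off).append(pt)
    return on, off


def tangent_line(f, pt, p):
    """(A, B, C) with A x + B y + C z = 0 the tangent at a non-singular point pt
    of the curve (question 3)."""
    return tuple(peval(pderiv(f, v, p), pt, p) for v in range(3))


# The cuspidal cubic y^2 z - x^3 of question 4, of degree 3.
CUSP = {(0, 2, 1): 1, (3, 0, 0): -1}
```

Over $\mathbb{F}_3$ the three partial derivatives of $y^2z - x^3$ are $0$, $2yz$ and $y^2$, so they vanish at every point with $y = 0$, including the points $(1 : 0 : z)$ that are not on the curve; the criterion of question 2 only recovers the singular points once one also imposes $F = 0$.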

Solution to exercise 20.

1. A quadric is given by its symmetric matrix, and a change of variables corresponds to an equivalent quadratic form. The classification over $\bar k$ in characteristic different from 2 says that the forms are determined by their rank. Forms of rank 1 and 2 do not give irreducible equations. If the rank is 3, we get the form $x^2 + y^2 + z^2 = 0$, which is easily transformed into $X^2 - YZ = 0$ (take $X = x$, $Y = y + iz$, $Z = -(y - iz)$ with $i^2 = -1$). The singularity criteria show that this curve is smooth.

2. We have the isomorphism $\mathbb{P}^1 \to Q$ given by $(u : v) \mapsto (uv : u^2 : v^2)$, with inverse $(x : y : z) \mapsto (y : x)$ if $(x, y) \neq (0, 0)$ and $(0 : 1)$ otherwise. This does not work over $\mathbb{R}$ for instance, since the conic $x^2 + y^2 + z^2 = 0$ has no real point whereas $\mathbb{P}^1$ has some.

3. It can be realized by projecting the conic onto a line from a point of the conic.

4. Write $Q$ in the form $ax^2 + by^2 = z^2$. For $y = 1$, the functions $x \mapsto ax^2 + b$ and $z \mapsto z^2$ each take $(q + 1)/2$ values. Since there are only $q$ values in $\mathbb{F}_q$, there is a common value, hence a point $(x : 1 : z)$ on $Q$.

5. The classification gives a form $ax^2 + by^2 + cz^2 = 0$ with $a, b, c$ non-zero. Dividing by $-c$ brings it to the stated form.

6. If $a = a_1/a_2$ and $b = b_1/b_2$, multiply by $(a_2b_2)^2$ and make the change of variables $z \mapsto a_2b_2\,z$. Then $a$ and $b$ are integers. Square factors can be absorbed into $x$ and $y$. Finally, swap $x$ and $y$ if necessary to get the inequality on absolute values.

7. Let $(x_0 : y_0 : z_0)$ be a rational point, which we may take with coprime integer coordinates. Reducing modulo $p$ we get $by_0^2 \equiv z_0^2 \pmod p$. If $y_0 \not\equiv 0 \pmod p$ we are done. Otherwise $p \mid z_0$; substituting back into the equation gives $p^2 \mid ax_0^2$, and since $a$ is squarefree, $p$ would also divide $x_0$, which is excluded. Since $b$ is a square modulo every $p$ dividing $a$ and $a$ is squarefree, the Chinese remainder theorem shows that $b$ is a square modulo $a$. The existence of $m$ and $a_1$ is just the definition of being a square modulo $a$, and $m$ can be chosen with $|m| \leq |a|/2$.

8. Let $A = a_1(z^2 - by^2)^2 + b\big((my - z)x\big)^2 - \big((mz - by)x\big)^2$. Using $z^2 - by^2 = ax^2$ and expanding,
$$\begin{aligned}
A &= a_1(ax^2)^2 + x^2\big(bm^2y^2 + bz^2 - 2bmyz - m^2z^2 - b^2y^2 + 2bmyz\big) \\
  &= a_1a^2x^4 + x^2\big(m^2(by^2 - z^2) + b(z^2 - by^2)\big) \\
  &= x^4\big(a_1a^2 - m^2a + ba\big) \\
  &= 0,
\end{aligned}$$
the last equality because $m^2 = b + aa_1$. Thus, if $Q$ has a rational point, the identity $A = 0$ gives a point $(z^2 - by^2 : (my - z)x : (mz - by)x)$ on $a_1x^2 + by^2 = z^2$; it is non-trivial as soon as $x \neq 0$, and if $x = 0$ then $b$ is a square and both conics obviously have a point. Exchanging the roles of $a$ and $a_1$ in the identity, which is legitimate since the condition $m^2 = b + aa_1$ is symmetric, one can reverse the reasoning and get a rational point of $Q$ from a rational point of $a_1x^2 + by^2 = z^2$.

9. Since $|b| \leq |a|$, we have $|m^2 - b| \leq m^2 + |a| \leq a^2/4 + |a|$, whence $|a_1| \leq |a|/4 + 1$. Since $a$ is an integer with $|a| > 1$, we have $|a| \geq 2$, and the inequality $|a_1| < |a|$ follows. Proceeding recursively (after making $a_1$ squarefree again as in question 6), each time $b$ is a square modulo $a$ we decrease $|a|$ and hence $|b|$. The procedure stops when $b$ is no longer a square modulo $a$ (then the equation has no rational solution by what precedes), or when $|a| = 1$ and hence $|b| = 1$. In that last case the equation has a solution unless $a = b = -1$, i.e. if and only if at least one of $a, b$ is positive.
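The descent of questions 6 to 9 is an actual algorithm (Legendre's method for deciding whether a conic has a rational point, which also produces one). As an added example that is not part of the course notes, the following Python code implements it step by step: squarefree reduction (question 6), the check that $b$ is a square modulo $a$, with brute-force square roots since the numbers involved are small (question 7), the identity of question 8 used to lift a solution back, and the recursion of question 9 with the base case $|a| = |b| = 1$, solvable unless $a = b = -1$. Function and variable names are mine.

```python
"""Rational points on a x^2 + b y^2 = z^2 by the descent of exercise 20
(questions 6-9).  Added example, not from the course notes: it implements the
steps of the exercise literally, with brute-force square roots modulo |a|
(adequate for the small coefficients it is meant for)."""
from math import gcd, isqrt


def squarefree_part(n):
    """(s, n') with n = s^2 n' and n' squarefree, for n != 0 (question 6)."""
    s, m, p = 1, abs(n), 2
    while p * p <= m:
        while m % (p * p) == 0:
            m //= p * p
            s *= p
        p += 1
    return s, m if n > 0 else -m


def sqrt_mod(b, n):
    """Some m with 0 <= m <= n/2 and m^2 = b (mod n), or None (question 7)."""
    return next((m for m in range(n // 2 + 1) if (m * m - b) % n == 0), None)


def is_square(n):
    return n >= 0 and isqrt(n) ** 2 == n


def solve_conic(a, b):
    """Integers (x, y, z) != (0, 0, 0) with a x^2 + b y^2 = z^2, or None if the
    conic has no rational point.  a and b are non-zero integers."""
    sa, a0 = squarefree_part(a)            # a = sa^2 a0
    sb, b0 = squarefree_part(b)            # b = sb^2 b0
    sol = descend(a0, b0)
    if sol is None:
        return None
    x, y, z = sol                          # a0 x^2 + b0 y^2 = z^2
    return (x * sb, y * sa, z * sa * sb)   # a (x sb)^2 + b (y sa)^2 = (z sa sb)^2


def descend(a, b):
    """The recursion of question 9 on squarefree a, b."""
    if is_square(a):                       # a = 1: the point (1 : 0 : 1)
        return (1, 0, isqrt(a))
    if is_square(b):                       # b a square: the point (0 : 1 : sqrt b)
        return (0, 1, isqrt(b))
    if abs(a) < abs(b):                    # keep |a| >= |b| by swapping x and y
        s = descend(b, a)
        return None if s is None else (s[1], s[0], s[2])
    if abs(a) == 1:                        # then a = b = -1: -x^2 - y^2 = z^2 has no solution
        return None
    m = sqrt_mod(b, abs(a))                # question 7: b must be a square mod a
    if m is None:
        return None
    a1 = (m * m - b) // a                  # m^2 = b + a a1, with |a1| <= |a|/4 + 1 < |a|
    s, a1red = squarefree_part(a1)         # a1 need not be squarefree: reduce again
    sub = descend(a1red, b)
    if sub is None:
        return None
    X, Y, Z = sub[0], sub[1] * s, sub[2] * s   # a1 X^2 + b Y^2 = Z^2; X != 0 as b is no square
    # Question 8 with a and a1 exchanged (m^2 = b + a1 a is symmetric):
    # a (a1 X^2)^2 + b ((m Y - Z) X)^2 = ((m Z - b Y) X)^2.
    x, y, z = a1 * X * X, (m * Y - Z) * X, (m * Z - b * Y) * X
    g = gcd(gcd(x, y), z)
    return (x // g, y // g, z // g)
```

For instance $13x^2 + 3y^2 = z^2$ descends in one step ($3 \equiv 4^2 \pmod{13}$ gives $a_1 = 1$) and lifts to the point $(1 : -1 : 4)$, while $3x^2 + 5y^2 = z^2$ is rejected immediately because 3 is not a square modulo 5.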

4.5 TD2 on algebraic geometry

4.5.1 Statements
Exercise 24. We want to prove weak versions of Bézout's theorem. Let $F, G \in k[x, y]$, with $k$ algebraically closed, have no common factor.

1. Show that there exist a non-zero polynomial $d \in k[x]$ and polynomials $A, B \in k[x, y]$ such that $d = AF + BG$.

2. Deduce that the intersection of $V(F)$ and $V(G)$ is finite.

3. Is the curve $\{(t, \sin(t)),\ t \in \mathbb{C}\}$ algebraic?

A second version. Let $C = V(F)$ be a projective curve with $F \in k[x, y, z]$ homogeneous of degree $n > 0$, and let $L$ be a line of the projective plane which is not a component of $C$.

4. Show that $C \cap L$ consists of at most $n$ points.

5. Let $p$ be a point not on $C$. Show that, with at most $n(n - 1)$ exceptions, a line $L$ through $p$ meets $C$ in exactly $n$ points.

Exercise 25. Prove the following result:

Proposition 4.5.1. If two projective plane curves $C_1, C_2$ over $\mathbb{C}$ of degree $n$ meet in exactly $n^2$ points, and there is an irreducible curve $D$ of degree $m < n$ containing $mn$ of these points, then there is a curve of degree at most $n - m$ containing the $n(n - m)$ residual points.

To do so, denote by $P_1, P_2, R$ the respective equations of $C_1, C_2$ and $D$, and let $p = [a : b : c]$ be a point of $D$ not in $C_1 \cap C_2$. Show that there is a linear combination of $P_1$ and $P_2$ vanishing at $p$. Conclude using Bézout.

This result will be used to prove the corollary:

Corollary 4.5.2 (Pascal's mystic hexagon). The pairs of opposite sides of a hexagon inscribed in an irreducible conic meet in three collinear points.
Figure 4.2: Pascal's hexagon (figure not reproduced).

Exercise 26. Let $C : f = 0$ be a projective plane curve of degree 4, assumed non-singular. If $L$ is a line, it can meet $C$ in points with the following multiplicities:

1. $(1, 1, 1, 1)$: the generic case;

2. $(2, 1, 1)$: $L$ is tangent at the first point;

3. $(3, 1)$: the first point is an inflection point;

4. $(2, 2)$: such lines are called bitangents;

5. $(4)$: such points are called hyperinflection points. A general quartic has none.

Compute the bitangents of the Plücker quartic
$$4(x^2 + y^2 + 2y)^2 + (2y + 3)(y + 1)(y^2 - x^2) = \frac{1}{360}.$$
To do so, replace $y$ by $\lambda x + \mu$ and $z$ by 1 in $f$, then express the fact that the line $y = \lambda x + \mu$ is a bitangent by the condition that the resulting polynomial in $x$ is a perfect square: if $g$ is any polynomial of degree 4,
$$g(x) = ax^4 + bx^3 + cx^2 + dx + e = a\left(x^2 + \frac{b}{2a}\,x + \frac{4ac - b^2}{8a^2}\right)^2 + \alpha x + \beta.$$
This gives two conditions, one on the coefficient $\alpha$ of $x$ and the other on the constant term $\beta$. Computing a resultant, eliminate for instance $\mu$ between these two equations to obtain a condition on $\lambda$. This equation (of degree 28 generically, the number of bitangents of a smooth quartic) gives the values of $\lambda$, from which one recovers the values of $\mu$. The line at infinity and the vertical lines are treated separately.
4.5.2 Solutions
Solution to exercise 24.

1. Consider $F, G$ as elements of $k(x)[y]$. This is a principal ideal domain, in which $F$ and $G$ are coprime. Indeed, if there were a polynomial $R$, non-constant in $y$, dividing $F$ and $G$, let $S(x)$ be the lcm of the denominators of $R$; then $SR \in k[x, y]$ divides $F$ and $G$ in $k(x)[y]$ and, since $S$ has degree 0 in $y$, Gauss's lemma gives a factor of $SR$, non-constant in $y$, dividing $F$ and $G$ in $k[x, y]$: a contradiction. We can thus apply Bézout's theorem in $k(x)[y]$: there exist $A_0, B_0 \in k(x)[y]$ such that $1 = A_0F + B_0G$. Multiplying as before by the lcm $d(x)$ of the denominators of $A_0$ and $B_0$, we get the result.

2. If $(x, y)$ is a point of $F = G = 0$ then $d(x) = 0$. This equation has finitely many solutions in $x$. The same reasoning applies to $y$.

3. No, since it has infinitely many intersection points with the $x$-axis.

4. Up to a change of coordinates, we may assume the line is $x = 0$. A point $(0 : y : z)$ is then a solution if and only if $F(0, y, z) = 0$. Since $x$ is not a component, this is not the zero polynomial, and it is homogeneous of degree $n$ in $y, z$. Write it as $\sum a_i y^i z^{n-i} = \prod_{i=1}^n (\beta_i y - \alpha_i z)$. The set of solutions is then $\{(\alpha_i : \beta_i)\}$, which has at most $n$ elements.

5. We may assume $p = (0 : 0 : 1)$ and that the line is given by $y = \lambda x$ or $x = 0$ (which corresponds to $\lambda = \infty$). Substituting into the equation, we get $F(x, \lambda x, z)$, which has degree at most $n$ in $\lambda$. Seen as a polynomial in $k(\lambda)[x, z]$, it is also homogeneous of degree $n$ in $(x, z)$, with a non-zero constant coefficient of $z^n$ (because $(0 : 0 : 1)$ is not on the curve). We look for the $\lambda$ for which this polynomial has multiple roots. This corresponds to the vanishing of its discriminant, which is a polynomial of degree at most $n(n - 1)$ in $\lambda$ (the coefficient of $x^iz^{n-i}$ has degree at most $i$ in $\lambda$, and the discriminant is isobaric of weight $n(n - 1)$ in the coefficients). Hence the result, the solution $\lambda = \infty$ being accounted for: it only occurs when the degree in $\lambda$ is $< n(n - 1)$.

Solution to exercise 25. We want $\lambda P_1(a, b, c) + \mu P_2(a, b, c) = 0$, which is always possible. Set $G = \lambda P_1 + \mu P_2$, a curve of degree at most $n$. Since $p$ is a point of the curve $D$ not in $C_1 \cap C_2$, $G$ and $D$ meet in at least $nm + 1$ points. Given their degrees, Bézout shows that this is possible only if $D$ has a component in common with $G$. Since $D$ is irreducible, its equation $R$ must divide $G$. Let $U = G/R$. It is a curve of degree at most $n - m$ (since $G$ has degree at most $n$), and one checks easily that $U(q) = 0$ for every $q \in C_1 \cap C_2$ not on $D$ (at such a $q$, $G(q) = 0$ and $R(q) \neq 0$).
For Pascal's hexagon, take for $C_1$ and $C_2$ the two cubics formed by three pairwise non-adjacent sides, and for $D$ the irreducible conic. The nine intersection points are then the 6 vertices on the conic and the 3 intersection points of opposite sides (which indeed never lie on the same cubic). The preceding result says that the 3 residual points lie on a curve of degree $3 - 2 = 1$, i.e. a line.
5 Appendices

5.1 Nullstellensatz
Let $k$ be a (commutative) field and $n > 0$ a positive integer.
Definition 5.1.1. Let $S$ be any subset of $k[X_1, \ldots, X_n]$. We say that
$$V(S) = \{x \in k^n,\ \forall P \in S,\ P(x) = 0\}$$
is the affine algebraic set associated to $S$.
Let $F_1, \ldots, F_r \in k[X_1, \ldots, X_n]$ be polynomials and $I = (F_1, \ldots, F_r)$ the ideal generated by the $F_i$. One also denotes $V(F_1, \ldots, F_r) = V(I)$.
Example 5.1.2. $V(\{1\}) = \emptyset$ and $V(\{0\}) = k^n$.
Conversely:
Definition 5.1.3. Let $V$ be a subset of $k^n$. One defines the ideal associated to $V$ as
$$I(V) = \{P \in k[X_1, \ldots, X_n],\ \forall x \in V,\ P(x) = 0\}.$$
Clearly $V(I(V)) = V$ if $V$ is an affine algebraic set (i.e. $V = V(I)$ for an ideal $I$). One also has $I \subset I(V(I))$, but in general there is no equality. A first obstruction is that $k$ needs to be algebraically closed (over $\mathbb{R}$, $I = (X^2 + 1)$ has $V(I) = \emptyset$, so $I(V(I)) = (1)$). A second obstruction is that $I$ forgets about the exponents: if $n = 2$ and $I = (X^2)$ then $I(V(I)) = (X) \neq I$.

In the sequel, we assume that $k$ is algebraically closed and not countable (for instance $\mathbb{C}$, but not $\overline{\mathbb{F}}_p$). The following results do not need this last hypothesis, but the proofs are simpler with it.
Lemma 5.1.4. Let $K$ be an extension of $k$ of at most countable dimension (as a $k$-vector space). Then $K = k$.
Proof. It is enough to show that $K$ is algebraic over $k$, since $k$ is algebraically closed. Otherwise there would be a transcendental element in $K$, and hence a subfield isomorphic to $k(T)$. This subfield contains the uncountable family $1/(T - a)$, $a \in k$, and this family is linearly independent. Indeed a relation
$$\sum_{i=1}^n \frac{\lambda_i}{T - a_i} = 0$$
implies, multiplying by $T - a_i$ and setting $T = a_i$, that $\lambda_i = 0$. An uncountable free family cannot exist in a space of countable dimension, a contradiction.
Proposition 5.1.5 (weak Nullstellensatz). Let $I \subsetneq k[X_1, \ldots, X_n]$ be a proper ideal. Then $V(I)$ is not empty.

Proof. We can always embed $I$ in a maximal ideal, so we may assume that $I$ is maximal. Let $K = k[X_1, \ldots, X_n]/I$ be the residue field. Since $k[X_1, \ldots, X_n]$ is a vector space of at most countable dimension over $k$ (the monomials form a countable basis), so is $K$. Hence $K = k$ by Lemma 5.1.4. Consider the images of $X_1, \ldots, X_n$ in the quotient by $I$. They belong to $K$ and hence to $k$; denote them $a_1, \ldots, a_n$. If $P \in I$ then $P(a_1, \ldots, a_n) = 0$ (by definition of the images in the quotient by $I$). Hence $(a_1, \ldots, a_n) \in V(I)$.

To state the Nullstellensatz, we need the notion of radical:
$$\operatorname{rac}(I) = \{P \in k[X_1, \ldots, X_n],\ \exists r \in \mathbb{N},\ P^r \in I\}.$$

Theorem 5.1.6 (Nullstellensatz). Let $I$ be an ideal of $k[X_1, \ldots, X_n]$. Then $I(V(I)) = \operatorname{rac}(I)$.

Proof. Let $R = k[X_1, \ldots, X_n]$, $I = (P_1, \ldots, P_r)$ (since $R$ is noetherian) and $V = V(I)$. Clearly $\operatorname{rac}(I) \subset I(V(I))$. Conversely, let $P \in I(V)$. We need to prove that $P^m \in I$ for $m$ big enough. Consider the localized ring $R_P = R[1/P]$, which is isomorphic to $k[X_1, \ldots, X_n, T]/(1 - TP)$. We are going to show that $IR_P = (1) = R_P$. Indeed, this means that $1 = \sum P_iQ_i/P^m$ for some $Q_i \in R$ and $m \geq 0$, and hence $P^m = \sum P_iQ_i \in I$. Let $J = (P_1, \ldots, P_r, 1 - TP)$ in $k[X_1, \ldots, X_n, T]$. One has $V(J) = \emptyset$: indeed, if $(x_1, \ldots, x_n, t) \in V(J)$ then $(x_1, \ldots, x_n) \in V$, so it would cancel $P$ and could not cancel $1 - TP$. Hence $J = (1)$ by the weak Nullstellensatz. This means that $1 = \sum P_iQ_i + A(1 - TP)$ in $k[X_1, \ldots, X_n, T]$ for some $A, Q_i \in k[X_1, \ldots, X_n, T]$, and equivalently, setting $T = 1/P$, that $1 = \sum P_iQ_i(X, 1/P)$ in $R_P$, which is the claimed relation once the denominators are cleared.

Hence, morally, $I$ and $V$ are inverse of each other and create a bridge between the algebraic world and the geometric one.

Corollary 5.1.7. $I(k^n) = I(V(\{0\})) = \operatorname{rac}((0)) = (0)$.

Corollary 5.1.8. Let $P \in k[X_1, \ldots, X_n]$ be such that $P = P_1^{a_1} \cdots P_r^{a_r}$ with the $P_i$ irreducible and distinct. Then $I(V(P)) = (P_1 \cdots P_r)$.

Let us say a few words about the projective case.

Definition 5.1.9. Let $S$ be any subset of $k[X_0, \ldots, X_n]$. We say that
$$V_p(S) = \{x \in \mathbb{P}^n,\ \forall P \in S,\ P(x) = 0\}$$
is the projective algebraic set associated to $S$. Conversely, if $V_p \subset \mathbb{P}^n$, we define
$$I_p(V_p) = \{P \in k[X_0, \ldots, X_n],\ \forall x \in V_p,\ P(x) = 0\}.$$
By $P(x) = 0$ we mean that this holds for every representative of $x$ (for a homogeneous $P$, it holds for one representative if and only if it holds for all). It is then easy to show that we can assume $S$ to be finite and made of homogeneous polynomials.
Example 5.1.10. $V_p((0)) = \mathbb{P}^n$ and $V_p((X_0, \ldots, X_n)) = \emptyset$.
Theorem 5.1.11 (projective Nullstellensatz). Let $k$ be algebraically closed, $I$ a homogeneous ideal of $k[X_0, \ldots, X_n]$ and $V = V(I) \subset k^{n+1}$ the affine cone associated to $V_p(I)$.

1. $V_p(I) = \emptyset$ if and only if $(X_0, \ldots, X_n) \subset \operatorname{rac}(I)$;

2. if $V_p(I) \neq \emptyset$ then $I_p(V_p(I)) = \operatorname{rac}(I)$.

Proof. $V_p(I)$ is empty exactly when the cone $V = V(I)$ is contained in the origin of $k^{n+1}$, and by the affine Nullstellensatz this means $\operatorname{rac}(I) = I(V) \supset I(\{0\}) = (X_0, \ldots, X_n)$ (with equality when $I$ is proper). Now assume $V_p = V_p(I)$ is not empty. A polynomial vanishes on $V_p$ if and only if it vanishes on the cone $V$, so $I_p(V_p) = I(V) = \operatorname{rac}(I)$ by the affine Nullstellensatz.

A word about automorphisms of the projective space $\mathbb{P}^n$: one can show that they are necessarily linear, although the proof is not elementary (see [Har77, Ex. 7.1.1]). Hence this group is isomorphic to $\mathrm{GL}_{n+1}(k)/k^*$.

5.2 Conics, parametrization and projective transformations

5.3 Resultant and Bézout's theorem

Let $C = V(F)$ and $C' = V(G)$ be two projective plane curves with no common component over an algebraically closed field $k$. We have already seen that $C \cap C'$ is finite (see exercise 24). We now want to make this more precise, using an ad hoc definition of the intersection multiplicity. Choose the coordinates $x, y, z$ in such a way that $q = (0 : 0 : 1)$ belongs neither to $C$ nor to $C'$ and that $L : z = 0$ is not a component of $C$ or $C'$. We also assume that no line through $q$ contains more than one point of $C \cap C'$. In these coordinates write $F = A_0z^m + \cdots + A_m$ and $G = B_0z^n + \cdots + B_n$, where $A_i, B_i \in k[x, y]$ are homogeneous polynomials of degree $i$. Since $q \notin C \cup C'$, we get $A_0B_0 \neq 0$, so $A_0$ and $B_0$ are non-zero constants. From resultant theory, it follows that the resultant $R(x, y)$ of $F$ and $G$ with respect to $z$ is a homogeneous polynomial of degree $mn$ (check this from the definition), and that a projective point $(x_0 : y_0)$ is a root of $R$ if and only if there exists $z_0$ such that $(x_0 : y_0 : z_0)$ is a common zero of $F$ and $G$ (there is no issue with the leading terms, which are constants, and one can consider the points $(x : 1)$ and $(1 : y)$ successively). More geometrically, $(x_0 : y_0)$ is the projection from $q$ onto the line $L$ of the intersection point $(x_0 : y_0 : z_0)$. Because of our assumption, $z_0$ is unique for each $(x_0 : y_0)$. We hence obtain our first result.

Proposition 5.3.1. $C$ and $C'$ have at most $mn$ intersection points.

To go further, we define the intersection multiplicity at a point $p = (x_0 : y_0 : z_0)$ as the multiplicity of the projective root $(x_0 : y_0)$ of $R$. With this definition, one has of course:

Proposition 5.3.2. Counting with multiplicity, $C$ and $C'$ have exactly $mn$ intersection points.
Remark 5.3.3. More intrinsically, the intersection multiplicity is the length of the $\mathcal{O}_P$-module $\mathcal{O}_P/(F, G)$, where $\mathcal{O}_P$ is the localization of $k[x, y]$ at the maximal ideal defining $P$ (equivalently, the length of the localization of $k[x, y]/(F)$ at $P$ modulo $G$; see [Har77]).
Without this, one can prove the following:

1. The definition of the intersection multiplicity does not depend on the choice of coordinate system. Intuitively, this comes from the fact that the multiplicity of the roots has to stay constant, since the roots stay the same under any continuous change of variables.

2. Let $m_p(C)$ be the multiplicity of a point $p = (a, b)$ on the curve $C$: if we write $F = \sum_{i,j} \alpha_{ij}(x - a)^i(y - b)^j$, the multiplicity is the degree of the lowest non-vanishing term in this expansion. In particular a point $p$ is non-singular if and only if its multiplicity is one. Determinant manipulations show that the intersection multiplicity at $p$ of $C$ and $C'$ is greater than or equal to $m_p(C)\,m_p(C')$. If $C$ and $C'$ are non-singular at $p$, the intersection multiplicity is 1 if the tangents are distinct.
Bibliography

[CFA+06] Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen, and Frederik Vercauteren, editors. Handbook of elliptic and hyperelliptic curve cryptography. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, 2006.

[Ful89] William Fulton. Algebraic curves. Advanced Book Classics. Addison-Wesley Publishing Company, Advanced Book Program, Redwood City, CA, 1989. An introduction to algebraic geometry; notes written with the collaboration of Richard Weiss; reprint of the 1969 original.

[Har77] R. Hartshorne. Algebraic geometry. Graduate Texts in Mathematics, No. 52. Springer-Verlag, New York, 1977.

[Sil92] Joseph H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1992. Corrected reprint of the 1986 original.

[Was03] Lawrence C. Washington. Elliptic curves. Number theory and cryptography. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, 2003.