Cryptography Reference
In-Depth Information
=
that we are assuming throughout that the characteristic of the field is
2). Thus the
points of order 2 are precisely the points whose
y
-coordinate is equal to 0. If
F
is
algebraically closed there are always three such points (counting multiplicities) and
they are
(
x
1
,
0
)
,
(
x
2
,
0
)
,
(
x
3
,
0
)
, where
x
1
,
x
2
,
x
3
are the roots of the cubic polynomial
x
3
b
(where
y
2
x
3
b
is the Weierstrass equation of the curve).
But for other fields the situation may be different. As we have mentioned, the curve
of Example 11.2 has no points of finite order other than
+
ax
+
=
+
ax
+
and, in particular, that it
has no points of order 2 follows easily from the already observed fact that the
x
-axis
does not intersect the curve. The situation is different if we consider the real curve
defined by the same equation, which has three points of order 2 corresponding to the
three real roots of the cubic polynomial. The other possibility for a real elliptic curve
is to have only one point of order 2 in case the cubic has a single real root.
The points of order 3 are the points
P
O
=
O
such that 3
P
=
O
, which is equivalent
to
P
P
and hence happens precisely when the tangent line at
P
has a contact
of order 3 with the curve. As we have remarked, this is the algebraic definition of
inflection point and so the inflection points are just those of order 3 plus
+
P
=−
(i.e., the
points whose order divides 3). Again, the curve of Example 11.2 has no points of
order 3, so that its only inflection point is
O
. However, it can be seen by the usual
calculus methods that the real curve defined by the same equation has three inflection
points, two of which have order 3.
O
Example 11.3
Let us consider the curve
E
(
Q
)
defined by the Weierstrass equation
y
2
x
3
is on the curve and we may compute
its order by using the formulas provided by Theorem 11.1. Using the duplication
formula given there we get:
=
+
1. Then the point
P
=
(
2
,
3
)
2
P
=
(
0
,
1
),
and we may use the formula again to compute:
4
P
=
2
P
+
2
P
=
2
(
0
,
1
)
=
(
0
,
−
1
)
=−
2
P
.
From 4
P
0. This means that 2
P
has order 3 and hence
it is an inflection point. Moreover, 3
P
has order 2 (for, otherwise, 3
P
=−
2
P
it follows that 6
P
=
=
O
would
imply that 4
P
=
3
P
+
P
=
P
which is not the case) and hence the
y
-coordinate
1 is the only rational root of
x
3
of 3
P
is 0 and 3
P
=
(
−
1
,
0
)
since
−
+
1. Finally,
5
P
=−
P
=
(
2
,
−
3
)
and so
E
(
Q
)
has the cyclic subgroup:
{
O,(
2
,
3
), (
0
,
1
), (
−
1
,
0
), (
0
,
−
1
), (
2
,
−
3
)
}
,
in which
P
and 5
P
are generators. Already in the 18th century, Euler proved using
the method known as infinite descent that these are the only rational points on this
elliptic curve, so we have that
E
(
Q
)
Z
6
).
is cyclic of order 6 (and hence isomorphic to
