Evaluating at e i yields

∈ Q × 2 .

e i )=( ae i + b ) 2

( x 1 −

e i )( x 2 −

e i )( x 3 −

Since this is true for each i ,

Q × / Q × 2

Q × / Q × 2

Q × / Q × 2

φ ( P 1 ) φ ( P 2 ) φ ( P 3 )=1

∈

⊕

⊕

(that is, the product is a square, hence is equivalent to 1 mod squares). Since

any number z is congruent to its multiplicative inverse mod squares (that is,

z equals 1 /z times a square),

φ ( P 3 ) − 1 = φ ( P 3 )= φ ( −P 3 ) .

Therefore,

φ ( P 1 ) φ ( P 2 )= φ ( −P 3 )= φ ( P 1 + P 2 ) .

To show that φ is a homomorphism, it remains to check what happens when

one or both of P 1 ,P 2 is a point of order 1 or 2. The case where a point P i is of

order 1 (that is, P i = ∞ ) is trivial. If both P 1 and P 2 have order 2, a case by

case check shows that φ ( P 1 + P 2 )= φ ( P 1 ) φ ( P 2 ). Finally, suppose that P 1 has

order 2 and P 2 has y 2 = 0. Let's assume P 1 =( e 1 , 0). The other possibilities

are similar. Since the values of φ are triples, let φ 1 ,φ 2 ,φ 3 denote the three

components of φ (so φ =( φ 1 ,φ 2 ,φ 3 )). The proof given above shows that

φ i ( P 1 ) φ i ( P 2 )= φ i ( P 1 + P 2 )

for i =2 , 3. So it remains to consider φ 1 .

By inspection, φ 1 ( P ) φ 2 ( P ) φ 3 ( P ) = 1 for all P .Sin e φ i ( P 1 ) φ i ( P 2 )=

φ i ( P 1 + P 2 )for i =2 , 3, the relation holds for i = 1, too. Therefore, φ is a

homomorphism.

Putting everything together, we see that φ is a homomorphism.

To prove the second half of the theorem, we need to show that if x

−

e i is

a square for all i ,then( x, y )=2 P for some point P

∈

E ( Q ). Let

x − e i = v i ,

i =1 , 2 , 3 .

For simplicity, we'll assume that e 1 + e 2 + e 3 = 0, which means that the

equation for our elliptic curve has the form y 2 = x 3 + Ax + B .(If e 1 + e 2 + e 3

=

0, the coecient of x 2

is nonzero. A simple change of variables yields the

present case.) Let

f ( T )= u 0 + u 1 T + u 2 T 2

satisfy

f ( e i )= v i ,

i =1 , 2 , 3 .