Thecasewhere K has characteristic 2 is Exercise 3.2.

Now let's look at characteristic 3. We may assume that E has the form

y 2 = x 3 + a 2 x 2 + a 4 x + a 6 . Again, we want the x -coordinate of 2 P to equal

the x -coordinate of P . We calculate the x -coordinate of 2 P by the usual

procedure and set it equal to the x -coordinate x of P . Some terms disappear

because3=0. Weobtain

2 a 2 x + a 4

2 y

2

−

a 2 =3 x =0 .

This simplifies to (recall that 4 = 1)

a 2 x 3 + a 2 a 6 −

a 4 =0 .

Note that we cannot have a 2 = a 4 = 0 since then x 3 + a 6 =( x + a 1 / 3

) 3

has

6

multiple roots, so at least one of a 2 ,a 4 is nonzero.

If a 2 =0,thenwehave

a 4

−

= 0, which cannot happen, so there are no

values of x . Therefore E [3] =

in this case.

If a 2 = 0, then we obtain an equation of the form a 2 ( x 3 + a ) = 0, which has

a single triple root in characteristic 3. Therefore, there is one value of x ,and

two corresponding values of y . This yields 2 points of order 3. Since there

is also the point ∞ , we see that E [3] has order 3, so E [3] Z 3 as abstract

groups.

The general situation is given by the following.

{∞}

THEOREM 3.2

Let E be an elliptic curve over a field K and let n be a positive integer. If

the characteristicof K does not divide n ,oris0,then

E [ n ] Z n ⊕ Z n .

n ,write n = p r n with p

n .Then

If the characteristicof K is p> 0 and p

|

E [ n ] Z n ⊕ Z n

Z n ⊕ Z n .

or

The theorem will be proved in Section 3.2.

An elliptic curve E in characteristic p is called ordinary if E [ p ]

Z p .It

is called supersingular if E [ p ]

0. Note that the terms “supersingular”

and “singular” (as applied to bad points on elliptic curves) are unrelated.

In the theory of complex multiplication (see Chapter 10), the “singular” j -

invariants are those corresponding to elliptic curves with endomorphism rings

larger than Z , and the “supersingular” j -invariants are those corresponding to

elliptic curves with the largest possible endomorphism rings, namely, orders

in quaternion algebras.

Let n be a positive integer not divisible by the characteristic of K . Choose

a basis {β 1 ,β 2 } for E [ n ] Z n ⊕ Z n . This means that every element of E [ n ]is