18.

783 Elliptic Curves

Lecture 5

Andrew Sutherland

September 26, 2023

Isogenies (Lecture 4 recap)
Definition
An isogeny α : E → E 0 is a surjective morphism that is also a group homomorphism,
equivalently, a non-constant rational map that sends zero to zero.

Lemma
If E and E 0 are elliptic curves over k in short Weierstrass form then every isogeny
α : E → E 0 can be put in standard form

u(x) s(x)
 
α(x, y) = , y ,
v(x) t(x)

where u, v, s, t ∈ k[x] are polynomials with u ⊥ v, s ⊥ t.

The roots of both v and t are the x-coordinates of the affine points in ker α.
The degree of α is max(deg u, deg v), and α is separable if and only if (u/v)0 6= 0.
Separable and inseparable isogenies

Lemma
Let k be a field of characteristic p. For relatively prime u, v ∈ k[x] we have

(u/v)0 = 0 ⇐⇒ u0 = v 0 = 0 ⇐⇒ u = f (xp ) and v = g(xp ) with f, g ∈ k[x]

Proof
(first ⇔): (u/v)0 = (u0 v − v 0 u)/v 2 = 0 iff u0 v = v 0 u, and u ⊥ v implies u|u0 , which is
impossible unless u0 = 0, and similarly for v.
(second ⇔): If u = n an xn then u0 = nan xn = 0 iff nan = 0 for n with an 6= 0,
P P

in which case u = m amp xmp = f (xp ) where f = m am xm , and similarly for v.

P P

In characteristic zero the lemma says that u0 = v 0 = 0 if and only if deg u = deg v = 0,
but isogenies are non-constant morphisms, so this never happens.
Decomposing inseparable isogenies
Lemma
Let α : E → E 0 be an inseparable isogeny over k with E and E 0 in short Weierstrass
form. Then α(x, y) = α(a(xp ), b(xp )y p ) for some a, b ∈ k(x).

Proof
This follows from the previous lemma, see Lemma 5.3 in the notes for details.

Corollary
Isogenies of elliptic curves over a field of characteristic p > 0 can be decomposed as

α = αsep ◦ π n ,

for some separable αsep , with π : (x : y : z) 7→ (xp : y p : z p ) and n ≥ 0.

The separable degree is degs α := deg αsep , the inseparable degree is degi α := pn .
First isogeny-kernel theorem
Theorem
The order of the kernel of an isogeny is equal to its separable degree.

Proof
To the blackboard!

Corollary
A purely inseparable isogeny has trivial kernel.

Corollary
In any composition of isogenies α = β ◦ γ all degrees are multiplicative:

deg α = (deg β)(deg γ), degs α = (degs )(degs γ), degi α = (degi β)(degi γ).
Second isogeny-kernel theorem
Definition
Let E/k be an elliptic curve. A subgroup G of E(k̄) is defined over L/k if it is Galois
stable, meaning σ(G) = G for all σ ∈ Gal(k̄/L).

Theorem
Let E/k be an elliptic curve and G a finite subgroup of E(k̄) defined over k.
There is a separable isogeny α : E → E 0 with kernel G.
The isogeny α and the elliptic curve E 0 /k are unique up to isomorphism.

Proof sketch
To the blackboard!

Corollary
Isogenies of composite degree can be decomposed into isogenies of prime degree.
Isogeny graphs

Isogeny class 30a in the L-functions and modular forms database.

Isogeny graphs

Side and top views of a 3-volcano over a finite field taken from Isogeny volcanoes.
Isogeny graphs

Image taken from Adventures in Supersingularland by Sarah Arpin, Catalina Camacho-Navarro,

Kristin Lauter, Joelle Lim, Kristina Nelson, Travis Scholl, and Jana Sotáková.
Isogeny graphs

Image taken from Orienting supersingular isogeny graphs by Leonardo Colò and David Kohel.
Constructing a separable isogeny from its kernel

Let E/k be an elliptic curve in Weierstrass form, and G a finite subgroup of E(k̄).
Let G6=0 denote the set of nonzero points in G, which are affine points Q = (xQ , yQ ).

For affine points P = (xP , yP ) in E(k̄) not in G define

 
X X
α(xP , yP ) := xP + (xP +Q − xQ ) , yP + (yP +Q − yQ ) .
Q∈G6=0 Q∈G6=0

Here xP and yP are variables, xQ and yQ are elements of k̄, and xP +Q and yP +Q are
rational functions of xP and yP giving coordinates of P + Q in terms of xP and yP .

For P 6∈ G we have α(P ) = α(P + Q) if and only if Q ∈ G, so ker α = G.

Vélu’s formula for constructing 2-isogenies

Theorem (Vélu)
Let E : y 2 = x3 + Ax + B be an elliptic curve over k and let x0 ∈ k̄ be a root of
x3 + Ax + B. Define t := 3x20 + A and w := x0 t. The rational map
!
x2 − x0 x + t (x − x0 )2 − t
α(x, y) := , y
x − x0 (x − x0 )2

is a separable isogeny from E to E 0 : y 2 = x3 + A0 x + B 0 , where A0 := A − 5t and

B 0 := B − 7w. The kernel of α is the group of order 2 generated by (x0 , 0).

If x0 ∈ k then E 0 and α will be defined over k, but in general E 0 and α will be defined
over k(A0 , B 0 ) which might be a quadratic or cubic extension of k.
Vélu’s formula for constructing cyclic isogenies of odd degree

Theorem (Vélu)
Let E : y 2 = x3 + Ax + B be an elliptic curve over k and let G be a finite subgroup of
E(k̄) of odd order. For each nonzero Q = (xQ , yQ ) in G define

tQ := 3x2Q + A, 2
uQ := 2yQ , wQ := uQ + tQ xQ ,
!
X X X tQ uQ
t := tQ , w := wQ , r(x) := x + + .
Q∈G6=0 Q∈G6=0 Q∈G6=0
x − xQ (x − xQ )2

The rational map

α(x, y) := r(x), r0 (x)y

is a separable isogeny from E to E 0 : y 2 = x3 + A0 x + B 0 , where A0 := A − 5t and

B 0 := B − 7w, with ker α = G. If G is defined over k then so are α and E 0 .
Jacobian coordinates
Let us now work in the weighted projective plane, where x, y, z have weights 2, 3, 1.
This means, for example, that x3 and y 2 are monomials of the same degree.

The homogeneous equation for an elliptic curve E in short Weierstrass form is then

y 2 = x3 + axz 4 + Bz 6 .

In general Weierstrass form we have

y 2 + a1 xyz + a3 yz 3 = x3 + a2 x2 z 2 + a4 xz 4 + a6 z 6 ,

Pro tip : ai is the coefficient of the term containing z i ; this is why there is no a5 .

In Jacobian coordinates the formulas for the group law look more complicated, but the
formula for z3 becomes very simple: z3 = x1 z12 − x2 z12 when adding distinct points
(x1 : y1 : z1 ) and (x2 : y2 : z2 ) and z3 = 2y1 z1 when doubling (x1 : y1 : z1 ).
Division polynomials

If we apply the group law in Jacobian coordinates to an affine point P = (x : y : 1) on

E : y 2 = x3 + Ax + B we can compute the rational map (in affine coordinates):

φ n ωn
 
nP = , .
ψn2 ψn3

where φn , ωn , ψn are polynomials in Z[x, y, A, B] with degree at most 1 in y

(we can reduce modulo (y 2 − x3 − Ax − B) to ensure this).

The polynomials φn and ψn2 have degree 0 in y, so we write them as φn (x) and ψn2 (x).
Exactly one of ωn and ψn3 has degree 1 in y, so nP is effectively in standard form.
(multiply the numerator by y 2 and the denominator by x3 + Ax + B if necessary).
Division polynomial recurrences
Definition
Let E : y 2 = x3 + Ax + B be an elliptic curve. Let ψ0 = 0, and define ψ1 , ψ2 , ψ3 , ψ4 as:

ψ1 = 1,
ψ2 = 2y,
ψ3 = 3x4 + 6Ax2 + 12Bx − A2 ,
ψ4 = 4y(x6 + 5Ax4 + 20Bx3 − 5A2 x2 − 4ABx − A3 − 8B 2 ).

We then define ψn for n > 4 via the recurrences

ψ2n+1 = ψn+2 ψn3 − ψn−1 ψn+1

3
,
1 2 2
ψ2n = ψn (ψn+2 ψn−1 − ψn−2 ψn+1 ),
2y

We also define ψ−n := −ψn (and the recurrences work for negative integers as well).
Division polynomial recurrences

Definition
Having defined ψn for E : y 2 = x3 + Ax + B and all n ∈ Z, we now define

φn := xψn2 − ψn+1 ψn−1 ,

1 2 2
ωn := (ψn+2 ψn−1 − ψn−2 ψn+1 ),
4y
and one finds that φn = φ−n and ωn = ω−n .

It is a somewhat tedious algebraic exercise to verify that these recursive definitions

agree with the definitions given by applying the group law. See this Sage notebook.

We rarely use φn and ωn , but need to know the degree and leading coefficient of φn
to compute the degree and separability of the multiplication-by-n map.
Multiplication-by-n maps
Theorem
Let E/k be an elliptic curve defined by the equation y 2 = x3 + Ax + B and let n be a
nonzero integer. The multiplication-by-n map is defined by the affine rational map

φn (x) ωn (x, y)
 
[n](x, y) = ,
ψn2 (x) ψn3 (x, y)

Lemma
The polynomial φn (x) is monic of degree n2 and the polynomial ψn2 (x) has leading
coefficient n2 , degree n2 − 1, and is coprime to φn (x).

Corollary
The multiplication-by-n map on E/k has degree n2 and is separable if and only p 6 | n.