Elliptic curves over finite fields#

AUTHORS:

  • William Stein (2005): Initial version

  • Robert Bradshaw et al….

  • John Cremona (2008-02): Point counting and group structure for non-prime fields, Frobenius endomorphism and order, elliptic logs

  • Mariah Lenox (2011-03): Added set_order method

  • Lorenz Panny, John Cremona (2023-02): .twists()

  • Lorenz Panny (2023): special_supersingular_curve()

class sage.schemes.elliptic_curves.ell_finite_field.EllipticCurve_finite_field(R, data, category=None)[source]#

Bases: EllipticCurve_field

Elliptic curve over a finite field.

EXAMPLES:

sage: EllipticCurve(GF(101),[2,3])
Elliptic Curve defined by y^2  = x^3 + 2*x + 3 over Finite Field of size 101

sage: # needs sage.rings.finite_rings
sage: F = GF(101^2, 'a')
sage: EllipticCurve([F(2),F(3)])
Elliptic Curve defined by y^2  = x^3 + 2*x + 3 over Finite Field in a of size 101^2

>>> from sage.all import *
>>> EllipticCurve(GF(Integer(101)),[Integer(2),Integer(3)])
Elliptic Curve defined by y^2  = x^3 + 2*x + 3 over Finite Field of size 101

>>> # needs sage.rings.finite_rings
>>> F = GF(Integer(101)**Integer(2), 'a')
>>> EllipticCurve([F(Integer(2)),F(Integer(3))])
Elliptic Curve defined by y^2  = x^3 + 2*x + 3 over Finite Field in a of size 101^2

Elliptic curves over \(\ZZ/N\ZZ\) with \(N\) prime are of type “elliptic curve over a finite field”:

sage: F = Zmod(101)
sage: EllipticCurve(F, [2, 3])
Elliptic Curve defined by y^2 = x^3 + 2*x + 3 over Ring of integers modulo 101
sage: E = EllipticCurve([F(2), F(3)])
sage: type(E)
<class 'sage.schemes.elliptic_curves.ell_finite_field.EllipticCurve_finite_field_with_category'>
sage: E.category()
Category of abelian varieties over Ring of integers modulo 101

>>> from sage.all import *
>>> F = Zmod(Integer(101))
>>> EllipticCurve(F, [Integer(2), Integer(3)])
Elliptic Curve defined by y^2 = x^3 + 2*x + 3 over Ring of integers modulo 101
>>> E = EllipticCurve([F(Integer(2)), F(Integer(3))])
>>> type(E)
<class 'sage.schemes.elliptic_curves.ell_finite_field.EllipticCurve_finite_field_with_category'>
>>> E.category()
Category of abelian varieties over Ring of integers modulo 101

Elliptic curves over \(\ZZ/N\ZZ\) with \(N\) composite are of type “generic elliptic curve”:

sage: F = Zmod(95)
sage: EllipticCurve(F, [2, 3])
Elliptic Curve defined by y^2 = x^3 + 2*x + 3 over Ring of integers modulo 95
sage: E = EllipticCurve([F(2), F(3)])
sage: type(E)
<class 'sage.schemes.elliptic_curves.ell_generic.EllipticCurve_generic_with_category'>
sage: E.category()
Category of schemes over Ring of integers modulo 95
sage: TestSuite(E).run(skip=["_test_elements"])

>>> from sage.all import *
>>> F = Zmod(Integer(95))
>>> EllipticCurve(F, [Integer(2), Integer(3)])
Elliptic Curve defined by y^2 = x^3 + 2*x + 3 over Ring of integers modulo 95
>>> E = EllipticCurve([F(Integer(2)), F(Integer(3))])
>>> type(E)
<class 'sage.schemes.elliptic_curves.ell_generic.EllipticCurve_generic_with_category'>
>>> E.category()
Category of schemes over Ring of integers modulo 95
>>> TestSuite(E).run(skip=["_test_elements"])
abelian_group()[source]#

Return the abelian group structure of the group of points on this elliptic curve.

See also

If you do not need the complete abelian group structure but only generators of the group, use gens() which can be much faster in some cases.

This method relies on gens(), which uses random points on the curve and hence the generators are likely to differ from one run to another. However, the group is cached, so the generators will not change in any one run of Sage.

OUTPUT:

ALGORITHM:

We first call gens() to obtain a generating set \((P,Q)\). Letting \(P\) denote the point of larger order \(n_1\), we extend \(P\) to a basis \((P,Q')\) by computing a scalar \(x\) such that \(Q'=Q-[x]P\) has order \(n_2=\#E/n_1\). Finding \(x\) involves a (typically easy) discrete-logarithm computation.

The complexity of the algorithm is the cost of factoring the group order, plus \(\Theta(\sqrt{\ell})\) for each prime \(\ell\) such that the rational \(\ell^\infty\)-torsion of self is isomorphic to \(\ZZ/\ell^r\times\ZZ/\ell^s\) with \(r>s>0\), times a polynomial in the logarithm of the base-field size.

AUTHORS:

  • John Cremona: original implementation

  • Lorenz Panny (2021): current implementation

See also

AdditiveAbelianGroupWrapper.from_generators()

EXAMPLES:

sage: E = EllipticCurve(GF(11),[2,5])
sage: E.abelian_group()
Additive abelian group isomorphic to Z/10 embedded in
 Abelian group of points on Elliptic Curve defined by y^2 = x^3 + 2*x + 5
  over Finite Field of size 11

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(11)),[Integer(2),Integer(5)])
>>> E.abelian_group()
Additive abelian group isomorphic to Z/10 embedded in
 Abelian group of points on Elliptic Curve defined by y^2 = x^3 + 2*x + 5
  over Finite Field of size 11

sage: E = EllipticCurve(GF(41),[2,5])
sage: E.abelian_group()
Additive abelian group isomorphic to Z/22 + Z/2 ...

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(41)),[Integer(2),Integer(5)])
>>> E.abelian_group()
Additive abelian group isomorphic to Z/22 + Z/2 ...

sage: # needs sage.rings.finite_rings
sage: F.<a> = GF(3^6,'a')
sage: E = EllipticCurve([a^4 + a^3 + 2*a^2 + 2*a, 2*a^5 + 2*a^3 + 2*a^2 + 1])
sage: E.abelian_group()
Additive abelian group isomorphic to Z/26 + Z/26 ...

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> F = GF(Integer(3)**Integer(6),'a', names=('a',)); (a,) = F._first_ngens(1)
>>> E = EllipticCurve([a**Integer(4) + a**Integer(3) + Integer(2)*a**Integer(2) + Integer(2)*a, Integer(2)*a**Integer(5) + Integer(2)*a**Integer(3) + Integer(2)*a**Integer(2) + Integer(1)])
>>> E.abelian_group()
Additive abelian group isomorphic to Z/26 + Z/26 ...

sage: # needs sage.rings.finite_rings
sage: F.<a> = GF(101^3,'a')
sage: E = EllipticCurve([2*a^2 + 48*a + 27, 89*a^2 + 76*a + 24])
sage: E.abelian_group()
Additive abelian group isomorphic to Z/1031352 ...

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> F = GF(Integer(101)**Integer(3),'a', names=('a',)); (a,) = F._first_ngens(1)
>>> E = EllipticCurve([Integer(2)*a**Integer(2) + Integer(48)*a + Integer(27), Integer(89)*a**Integer(2) + Integer(76)*a + Integer(24)])
>>> E.abelian_group()
Additive abelian group isomorphic to Z/1031352 ...

The group can be trivial:

sage: E = EllipticCurve(GF(2), [0,0,1,1,1])
sage: E.abelian_group()
Trivial group embedded in Abelian group of points on
 Elliptic Curve defined by y^2 + y = x^3 + x + 1 over Finite Field of size 2

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(2)), [Integer(0),Integer(0),Integer(1),Integer(1),Integer(1)])
>>> E.abelian_group()
Trivial group embedded in Abelian group of points on
 Elliptic Curve defined by y^2 + y = x^3 + x + 1 over Finite Field of size 2

Of course, there are plenty of points if we extend the field:

sage: E.cardinality(extension_degree=100)
1267650600228231653296516890625

>>> from sage.all import *
>>> E.cardinality(extension_degree=Integer(100))
1267650600228231653296516890625

This tests the patch for Issue #3111, using 10 primes randomly selected:

sage: E = EllipticCurve('389a')
sage: for p in [5927, 2297, 1571, 1709, 3851, 127, 3253, 5783, 3499, 4817]:
....:     G = E.change_ring(GF(p)).abelian_group()
sage: for p in prime_range(10000):  # long time (19s on sage.math, 2011)
....:     if p != 389:
....:         G = E.change_ring(GF(p)).abelian_group()

>>> from sage.all import *
>>> E = EllipticCurve('389a')
>>> for p in [Integer(5927), Integer(2297), Integer(1571), Integer(1709), Integer(3851), Integer(127), Integer(3253), Integer(5783), Integer(3499), Integer(4817)]:
...     G = E.change_ring(GF(p)).abelian_group()
>>> for p in prime_range(Integer(10000)):  # long time (19s on sage.math, 2011)
...     if p != Integer(389):
...         G = E.change_ring(GF(p)).abelian_group()

This tests that the bug reported in Issue #3926 has been fixed:

sage: # needs sage.rings.number_field
sage: K.<i> = QuadraticField(-1)
sage: OK = K.ring_of_integers()
sage: P = K.factor(10007)[0][0]
sage: OKmodP = OK.residue_field(P)
sage: E = EllipticCurve([0, 0, 0, i, i + 3])
sage: Emod = E.change_ring(OKmodP); Emod
Elliptic Curve defined by y^2 = x^3 + ibar*x + (ibar+3)
 over Residue field in ibar of Fractional ideal (10007)
sage: Emod.abelian_group() #random generators
(Multiplicative Abelian group isomorphic to C50067594 x C2,
 ((3152*ibar + 7679 : 7330*ibar + 7913 : 1), (8466*ibar + 1770 : 0 : 1)))

>>> from sage.all import *
>>> # needs sage.rings.number_field
>>> K = QuadraticField(-Integer(1), names=('i',)); (i,) = K._first_ngens(1)
>>> OK = K.ring_of_integers()
>>> P = K.factor(Integer(10007))[Integer(0)][Integer(0)]
>>> OKmodP = OK.residue_field(P)
>>> E = EllipticCurve([Integer(0), Integer(0), Integer(0), i, i + Integer(3)])
>>> Emod = E.change_ring(OKmodP); Emod
Elliptic Curve defined by y^2 = x^3 + ibar*x + (ibar+3)
 over Residue field in ibar of Fractional ideal (10007)
>>> Emod.abelian_group() #random generators
(Multiplicative Abelian group isomorphic to C50067594 x C2,
 ((3152*ibar + 7679 : 7330*ibar + 7913 : 1), (8466*ibar + 1770 : 0 : 1)))
cardinality(algorithm=None, extension_degree=1)[source]#

Return the number of points on this elliptic curve.

INPUT:

  • algorithm – (optional) string:

    • 'pari' – use the PARI C-library function ellcard.

    • 'bsgs' – use the baby-step giant-step method as

      implemented in Sage, with the Cremona-Sutherland version of Mestre’s trick.

    • 'exhaustive' – naive point counting.

    • 'subfield' – reduce to a smaller field, provided that the j-invariant lies in a subfield.

    • 'all' – compute cardinality with both 'pari' and 'bsgs'; return result if they agree or raise a AssertionError if they do not

  • extension_degree – an integer \(d\) (default: 1): if the base field is \(\GF{q}\), return the cardinality of self over the extension \(\GF{q^d}\) of degree \(d\).

OUTPUT:

The order of the group of rational points of self over its base field, or over an extension field of degree \(d\) as above. The result is cached.

EXAMPLES:

sage: # needs sage.rings.finite_rings
sage: EllipticCurve(GF(4, 'a'), [1,2,3,4,5]).cardinality()
8
sage: k.<a> = GF(3^3)
sage: l = [a^2 + 1, 2*a^2 + 2*a + 1, a^2 + a + 1, 2, 2*a]
sage: EllipticCurve(k,l).cardinality()
29

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> EllipticCurve(GF(Integer(4), 'a'), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
8
>>> k = GF(Integer(3)**Integer(3), names=('a',)); (a,) = k._first_ngens(1)
>>> l = [a**Integer(2) + Integer(1), Integer(2)*a**Integer(2) + Integer(2)*a + Integer(1), a**Integer(2) + a + Integer(1), Integer(2), Integer(2)*a]
>>> EllipticCurve(k,l).cardinality()
29

sage: # needs sage.rings.finite_rings
sage: l = [1, 1, 0, 2, 0]
sage: EllipticCurve(k, l).cardinality()
38

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> l = [Integer(1), Integer(1), Integer(0), Integer(2), Integer(0)]
>>> EllipticCurve(k, l).cardinality()
38

An even bigger extension (which we check against Magma):

sage: # needs sage.rings.finite_rings
sage: EllipticCurve(GF(3^100, 'a'), [1,2,3,4,5]).cardinality()
515377520732011331036459693969645888996929981504
sage: magma.eval("Order(EllipticCurve([GF(3^100)|1,2,3,4,5]))")    # optional - magma
'515377520732011331036459693969645888996929981504'

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> EllipticCurve(GF(Integer(3)**Integer(100), 'a'), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
515377520732011331036459693969645888996929981504
>>> magma.eval("Order(EllipticCurve([GF(3^100)|1,2,3,4,5]))")    # optional - magma
'515377520732011331036459693969645888996929981504'

sage: EllipticCurve(GF(10007), [1,2,3,4,5]).cardinality()
10076
sage: EllipticCurve(GF(10007), [1,2,3,4,5]).cardinality(algorithm='pari')
10076
sage: EllipticCurve(GF(next_prime(10**20)), [1,2,3,4,5]).cardinality()
100000000011093199520

>>> from sage.all import *
>>> EllipticCurve(GF(Integer(10007)), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
10076
>>> EllipticCurve(GF(Integer(10007)), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality(algorithm='pari')
10076
>>> EllipticCurve(GF(next_prime(Integer(10)**Integer(20))), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
100000000011093199520

The cardinality is cached:

sage: # needs sage.rings.finite_rings
sage: E = EllipticCurve(GF(3^100, 'a'), [1,2,3,4,5])
sage: E.cardinality() is E.cardinality()
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E = EllipticCurve(GF(Integer(3)**Integer(100), 'a'), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)])
>>> E.cardinality() is E.cardinality()
True

The following is very fast since the curve is actually defined over the prime field:

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(11^100)
sage: E1 = EllipticCurve(k, [3,3])
sage: N1 = E1.cardinality(algorithm="subfield"); N1
137806123398222701841183371720896367762643312000384671846835266941791510341065565176497846502742959856128
sage: E1.cardinality_pari() == N1
True
sage: E2 = E1.quadratic_twist()
sage: N2 = E2.cardinality(algorithm="subfield"); N2
137806123398222701841183371720896367762643312000384656816094284101308193849980588362304472492174093035876
sage: E2.cardinality_pari() == N2
True
sage: N1 + N2 == 2*(k.cardinality() + 1)
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(11)**Integer(100), names=('a',)); (a,) = k._first_ngens(1)
>>> E1 = EllipticCurve(k, [Integer(3),Integer(3)])
>>> N1 = E1.cardinality(algorithm="subfield"); N1
137806123398222701841183371720896367762643312000384671846835266941791510341065565176497846502742959856128
>>> E1.cardinality_pari() == N1
True
>>> E2 = E1.quadratic_twist()
>>> N2 = E2.cardinality(algorithm="subfield"); N2
137806123398222701841183371720896367762643312000384656816094284101308193849980588362304472492174093035876
>>> E2.cardinality_pari() == N2
True
>>> N1 + N2 == Integer(2)*(k.cardinality() + Integer(1))
True

We can count points over curves defined as a reduction:

sage: # needs sage.rings.number_field
sage: x = polygen(QQ)
sage: K.<w> = NumberField(x^2 + x + 1)
sage: EK = EllipticCurve(K, [0, 0, w, 2, 1])
sage: E = EK.base_extend(K.residue_field(2))
sage: E
Elliptic Curve defined by y^2 + wbar*y = x^3 + 1
 over Residue field in wbar of Fractional ideal (2)
sage: E.cardinality()
7
sage: E = EK.base_extend(K.residue_field(w - 1))
sage: E.abelian_group()
Trivial group embedded in Abelian group of points on Elliptic Curve defined
 by y^2 + y = x^3 + 2*x + 1 over Residue field of Fractional ideal (w - 1)

>>> from sage.all import *
>>> # needs sage.rings.number_field
>>> x = polygen(QQ)
>>> K = NumberField(x**Integer(2) + x + Integer(1), names=('w',)); (w,) = K._first_ngens(1)
>>> EK = EllipticCurve(K, [Integer(0), Integer(0), w, Integer(2), Integer(1)])
>>> E = EK.base_extend(K.residue_field(Integer(2)))
>>> E
Elliptic Curve defined by y^2 + wbar*y = x^3 + 1
 over Residue field in wbar of Fractional ideal (2)
>>> E.cardinality()
7
>>> E = EK.base_extend(K.residue_field(w - Integer(1)))
>>> E.abelian_group()
Trivial group embedded in Abelian group of points on Elliptic Curve defined
 by y^2 + y = x^3 + 2*x + 1 over Residue field of Fractional ideal (w - 1)

sage: R.<x> = GF(17)[]
sage: pol = R.irreducible_element(5)
sage: k.<a> = R.residue_field(pol)
sage: E = EllipticCurve(R, [1, x]).base_extend(k)
sage: E
Elliptic Curve defined by y^2 = x^3 + x + a
 over Residue field in a of Principal ideal (x^5 + x + 14)
  of Univariate Polynomial Ring in x over Finite Field of size 17
sage: E.cardinality()
1421004

>>> from sage.all import *
>>> R = GF(Integer(17))['x']; (x,) = R._first_ngens(1)
>>> pol = R.irreducible_element(Integer(5))
>>> k = R.residue_field(pol, names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve(R, [Integer(1), x]).base_extend(k)
>>> E
Elliptic Curve defined by y^2 = x^3 + x + a
 over Residue field in a of Principal ideal (x^5 + x + 14)
  of Univariate Polynomial Ring in x over Finite Field of size 17
>>> E.cardinality()
1421004
cardinality_bsgs(verbose=False)[source]#

Return the cardinality of self over the base field.

ALGORITHM: A variant of “Mestre’s trick” extended to all finite fields by Cremona and Sutherland, 2008.

Note

  1. The Mestre-Schoof-Cremona-Sutherland algorithm may fail for a small finite number of curves over \(F_q\) for \(q\) at most 49, so for \(q<50\) we use an exhaustive count.

  2. Quadratic twists are not implemented in characteristic 2 when \(j=0 (=1728)\); but this case is treated separately.

EXAMPLES:

sage: p = next_prime(10^3)
sage: E = EllipticCurve(GF(p), [3,4])
sage: E.cardinality_bsgs()
1020
sage: E = EllipticCurve(GF(3^4,'a'), [1,1])
sage: E.cardinality_bsgs()
64
sage: F.<a> = GF(101^3,'a')
sage: E = EllipticCurve([2*a^2 + 48*a + 27, 89*a^2 + 76*a + 24])
sage: E.cardinality_bsgs()
1031352

>>> from sage.all import *
>>> p = next_prime(Integer(10)**Integer(3))
>>> E = EllipticCurve(GF(p), [Integer(3),Integer(4)])
>>> E.cardinality_bsgs()
1020
>>> E = EllipticCurve(GF(Integer(3)**Integer(4),'a'), [Integer(1),Integer(1)])
>>> E.cardinality_bsgs()
64
>>> F = GF(Integer(101)**Integer(3),'a', names=('a',)); (a,) = F._first_ngens(1)
>>> E = EllipticCurve([Integer(2)*a**Integer(2) + Integer(48)*a + Integer(27), Integer(89)*a**Integer(2) + Integer(76)*a + Integer(24)])
>>> E.cardinality_bsgs()
1031352
cardinality_exhaustive()[source]#

Return the cardinality of self over the base field.

This simply adds up the number of points with each x-coordinate: only used for small field sizes!

EXAMPLES:

sage: p = next_prime(10^3)
sage: E = EllipticCurve(GF(p), [3,4])
sage: E.cardinality_exhaustive()
1020
sage: E = EllipticCurve(GF(3^4,'a'), [1,1])
sage: E.cardinality_exhaustive()
64

>>> from sage.all import *
>>> p = next_prime(Integer(10)**Integer(3))
>>> E = EllipticCurve(GF(p), [Integer(3),Integer(4)])
>>> E.cardinality_exhaustive()
1020
>>> E = EllipticCurve(GF(Integer(3)**Integer(4),'a'), [Integer(1),Integer(1)])
>>> E.cardinality_exhaustive()
64
cardinality_pari()[source]#

Return the cardinality of self using PARI.

This uses pari:ellcard.

EXAMPLES:

sage: p = next_prime(10^3)
sage: E = EllipticCurve(GF(p),[3,4])
sage: E.cardinality_pari()
1020
sage: K = GF(next_prime(10^6))
sage: E = EllipticCurve(K,[1,0,0,1,1])
sage: E.cardinality_pari()
999945

>>> from sage.all import *
>>> p = next_prime(Integer(10)**Integer(3))
>>> E = EllipticCurve(GF(p),[Integer(3),Integer(4)])
>>> E.cardinality_pari()
1020
>>> K = GF(next_prime(Integer(10)**Integer(6)))
>>> E = EllipticCurve(K,[Integer(1),Integer(0),Integer(0),Integer(1),Integer(1)])
>>> E.cardinality_pari()
999945

Since Issue #16931, this now works over finite fields which are not prime fields:

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(7^3)
sage: E = EllipticCurve_from_j(a)
sage: E.cardinality_pari()
318
sage: K.<a> = GF(3^20)
sage: E = EllipticCurve(K,[1,0,0,1,a])
sage: E.cardinality_pari()
3486794310

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(7)**Integer(3), names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve_from_j(a)
>>> E.cardinality_pari()
318
>>> K = GF(Integer(3)**Integer(20), names=('a',)); (a,) = K._first_ngens(1)
>>> E = EllipticCurve(K,[Integer(1),Integer(0),Integer(0),Integer(1),a])
>>> E.cardinality_pari()
3486794310
count_points(n=1)[source]#

Return the cardinality of this elliptic curve over the base field or extensions.

INPUT:

  • n (int) – a positive integer

OUTPUT:

If \(n=1\), returns the cardinality of the curve over its base field.

If \(n>1\), returns a list \([c_1, c_2, ..., c_n]\) where \(c_d\) is the cardinality of the curve over the extension of degree \(d\) of its base field.

EXAMPLES:

sage: p = 101
sage: F = GF(p)
sage: E = EllipticCurve(F, [2,3])
sage: E.count_points(1)
96
sage: E.count_points(5)
[96, 10368, 1031904, 104053248, 10509895776]

>>> from sage.all import *
>>> p = Integer(101)
>>> F = GF(p)
>>> E = EllipticCurve(F, [Integer(2),Integer(3)])
>>> E.count_points(Integer(1))
96
>>> E.count_points(Integer(5))
[96, 10368, 1031904, 104053248, 10509895776]

sage: # needs sage.rings.finite_rings
sage: F.<a> = GF(p^2)
sage: E = EllipticCurve(F, [a,a])
sage: E.cardinality()
10295
sage: E.count_points()
10295
sage: E.count_points(1)
10295
sage: E.count_points(5)
[10295, 104072155, 1061518108880, 10828567126268595, 110462212555439192375]

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> F = GF(p**Integer(2), names=('a',)); (a,) = F._first_ngens(1)
>>> E = EllipticCurve(F, [a,a])
>>> E.cardinality()
10295
>>> E.count_points()
10295
>>> E.count_points(Integer(1))
10295
>>> E.count_points(Integer(5))
[10295, 104072155, 1061518108880, 10828567126268595, 110462212555439192375]
endomorphism_discriminant_from_class_number(h)[source]#

Return the endomorphism order discriminant of this ordinary elliptic curve, given its class number h.

INPUT:

  • h – a positive integer

OUTPUT:

(integer) The discriminant of the endomorphism ring \(\text{End}(E)\), if this has class number h. If \(\text{End}(E)\) does not have class number h, a ValueError is raised.

ALGORITHM:

Compute the trace of Frobenius and hence the discriminant \(D_0\) and class number \(h_0\) of the maximal order containing the endomorphism order. From the given value of \(h\), which must be a multiple of \(h_0\), compute the possible conductors, using height_above_floor() for each prime \(\ell\) dividing the quotient \(h/h_0\). If exactly one conductor \(f\) remains, return \(f^2D_0\), otherwise raise a ValueError; this can onlyhappen when the input value of \(h\) was incorrect.

Note

Adapted from [RouSuthZur2022]. The application for which one knows the class number in advance is in the recognition of Hilbert Class Polynomials: see sage.schemes.elliptic_curves.cm.is_HCP().

EXAMPLES:

sage: F = GF(312401)
sage: E = EllipticCurve(F,(0, 0, 0, 309381, 93465))
sage: E.endomorphism_discriminant_from_class_number(30)
-671

>>> from sage.all import *
>>> F = GF(Integer(312401))
>>> E = EllipticCurve(F,(Integer(0), Integer(0), Integer(0), Integer(309381), Integer(93465)))
>>> E.endomorphism_discriminant_from_class_number(Integer(30))
-671

We check that this is the correct discriminant, and the input value of \(h\) was correct:

sage: H = hilbert_class_polynomial(-671)
sage: H(E.j_invariant()) == 0 and H.degree()==30
True

>>> from sage.all import *
>>> H = hilbert_class_polynomial(-Integer(671))
>>> H(E.j_invariant()) == Integer(0) and H.degree()==Integer(30)
True
frobenius()[source]#

Return the frobenius of self as an element of a quadratic order.

Note

This computes the curve cardinality, which may be time-consuming.

Frobenius is only determined up to conjugacy.

EXAMPLES:

sage: E = EllipticCurve(GF(11),[3,3])
sage: E.frobenius()
phi
sage: E.frobenius().minpoly()
x^2 - 4*x + 11

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(11)),[Integer(3),Integer(3)])
>>> E.frobenius()
phi
>>> E.frobenius().minpoly()
x^2 - 4*x + 11

For some supersingular curves, Frobenius is in Z:

sage: # needs sage.rings.finite_rings
sage: E = EllipticCurve(GF(25,'a'),[0,0,0,0,1])
sage: E.frobenius()
-5

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E = EllipticCurve(GF(Integer(25),'a'),[Integer(0),Integer(0),Integer(0),Integer(0),Integer(1)])
>>> E.frobenius()
-5
frobenius_discriminant()[source]#

Return the discriminant of the ring \(\ZZ[\pi_E]\) where \(\pi_E\) is the Frobenius endomorphism.

EXAMPLES:

sage: # needs sage.rings.finite_rings
sage: F.<t> = GF(11^4)
sage: E = EllipticCurve([t,t])
sage: E.frobenius_discriminant()
-57339

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> F = GF(Integer(11)**Integer(4), names=('t',)); (t,) = F._first_ngens(1)
>>> E = EllipticCurve([t,t])
>>> E.frobenius_discriminant()
-57339
frobenius_endomorphism()[source]#

Return the \(q\)-power Frobenius endomorphism of this elliptic curve, where \(q\) is the cardinality of the (finite) base field.

EXAMPLES:

sage: # needs sage.rings.finite_rings
sage: F.<t> = GF(11^4)
sage: E = EllipticCurve([t,t])
sage: E.frobenius_endomorphism()
Frobenius endomorphism of degree 14641 = 11^4:
  From: Elliptic Curve defined by y^2 = x^3 + t*x + t over Finite Field in t of size 11^4
  To:   Elliptic Curve defined by y^2 = x^3 + t*x + t over Finite Field in t of size 11^4
sage: E.frobenius_endomorphism() == E.frobenius_isogeny(4)
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> F = GF(Integer(11)**Integer(4), names=('t',)); (t,) = F._first_ngens(1)
>>> E = EllipticCurve([t,t])
>>> E.frobenius_endomorphism()
Frobenius endomorphism of degree 14641 = 11^4:
  From: Elliptic Curve defined by y^2 = x^3 + t*x + t over Finite Field in t of size 11^4
  To:   Elliptic Curve defined by y^2 = x^3 + t*x + t over Finite Field in t of size 11^4
>>> E.frobenius_endomorphism() == E.frobenius_isogeny(Integer(4))
True

See also

frobenius_isogeny()

frobenius_order()[source]#

Return the quadratic order Z[phi] where phi is the Frobenius endomorphism of the elliptic curve.

Note

This computes the curve cardinality, which may be time-consuming.

EXAMPLES:

sage: E = EllipticCurve(GF(11),[3,3])
sage: E.frobenius_order()
Order of conductor 2 generated by phi
 in Number Field in phi with defining polynomial x^2 - 4*x + 11

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(11)),[Integer(3),Integer(3)])
>>> E.frobenius_order()
Order of conductor 2 generated by phi
 in Number Field in phi with defining polynomial x^2 - 4*x + 11

For some supersingular curves, Frobenius is in Z and the Frobenius order is Z:

sage: # needs sage.rings.finite_rings
sage: E = EllipticCurve(GF(25,'a'),[0,0,0,0,1])
sage: R = E.frobenius_order()
sage: R
Order generated by []
 in Number Field in phi with defining polynomial x + 5
sage: R.degree()
1

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E = EllipticCurve(GF(Integer(25),'a'),[Integer(0),Integer(0),Integer(0),Integer(0),Integer(1)])
>>> R = E.frobenius_order()
>>> R
Order generated by []
 in Number Field in phi with defining polynomial x + 5
>>> R.degree()
1
frobenius_polynomial()[source]#

Return the characteristic polynomial of Frobenius.

The Frobenius endomorphism of the elliptic curve has quadratic characteristic polynomial. In most cases this is irreducible and defines an imaginary quadratic order; for some supersingular curves, Frobenius is an integer a and the polynomial is \((x-a)^2\).

Note

This computes the curve cardinality, which may be time-consuming.

EXAMPLES:

sage: E = EllipticCurve(GF(11),[3,3])
sage: E.frobenius_polynomial()
x^2 - 4*x + 11

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(11)),[Integer(3),Integer(3)])
>>> E.frobenius_polynomial()
x^2 - 4*x + 11

For some supersingular curves, Frobenius is in Z and the polynomial is a square:

sage: # needs sage.rings.finite_rings
sage: E = EllipticCurve(GF(25,'a'),[0,0,0,0,1])
sage: E.frobenius_polynomial().factor()
(x + 5)^2

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E = EllipticCurve(GF(Integer(25),'a'),[Integer(0),Integer(0),Integer(0),Integer(0),Integer(1)])
>>> E.frobenius_polynomial().factor()
(x + 5)^2
gens()[source]#

Return points which generate the abelian group of points on this elliptic curve.

The algorithm involves factoring the group order of self, but is otherwise (randomized) polynomial-time.

(The points returned by this function are not guaranteed to be the same each time, although they should remain fixed within a single run of Sage unless abelian_group() is called.)

OUTPUT: a tuple of points on the curve.

  • if the group is trivial: an empty tuple.

  • if the group is cyclic: a tuple with 1 point, a generator.

  • if the group is not cyclic: a tuple with 2 points, where the order of the first point equals the exponent of the group.

Warning

In the case of 2 generators \(P\) and \(Q\), it is not guaranteed that the group is the cartesian product of the 2 cyclic groups \(\langle P \rangle\) and \(\langle Q \rangle\). In other words, the order of \(Q\) is not as small as possible. If you really need a basis (rather than just a generating set) of the group, use abelian_group().

EXAMPLES:

sage: E = EllipticCurve(GF(11),[2,5])
sage: P = E.gens()[0]; P # random
(0 : 7 : 1)
sage: E.cardinality(), P.order()
(10, 10)
sage: E = EllipticCurve(GF(41),[2,5])
sage: E.gens()  # random
((20 : 38 : 1), (25 : 31 : 1))
sage: E.cardinality()
44

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(11)),[Integer(2),Integer(5)])
>>> P = E.gens()[Integer(0)]; P # random
(0 : 7 : 1)
>>> E.cardinality(), P.order()
(10, 10)
>>> E = EllipticCurve(GF(Integer(41)),[Integer(2),Integer(5)])
>>> E.gens()  # random
((20 : 38 : 1), (25 : 31 : 1))
>>> E.cardinality()
44

If the abelian group has been computed, return those generators instead:

sage: E.abelian_group()
Additive abelian group isomorphic to Z/22 + Z/2
 embedded in Abelian group of points on Elliptic Curve
 defined by y^2 = x^3 + 2*x + 5 over Finite Field of size 41
sage: ab_gens = E.abelian_group().gens()
sage: ab_gens == E.gens()
True
sage: E.gens()[0].order()
22
sage: E.gens()[1].order()
2

>>> from sage.all import *
>>> E.abelian_group()
Additive abelian group isomorphic to Z/22 + Z/2
 embedded in Abelian group of points on Elliptic Curve
 defined by y^2 = x^3 + 2*x + 5 over Finite Field of size 41
>>> ab_gens = E.abelian_group().gens()
>>> ab_gens == E.gens()
True
>>> E.gens()[Integer(0)].order()
22
>>> E.gens()[Integer(1)].order()
2

Examples with 1 and 0 generators:

sage: # needs sage.rings.finite_rings
sage: F.<a> = GF(3^6)
sage: E = EllipticCurve([a, a+1])
sage: pts = E.gens()
sage: len(pts)
1
sage: pts[0].order() == E.cardinality()
True

sage: E = EllipticCurve(GF(2), [0,0,1,1,1])
sage: E.gens()
()

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> F = GF(Integer(3)**Integer(6), names=('a',)); (a,) = F._first_ngens(1)
>>> E = EllipticCurve([a, a+Integer(1)])
>>> pts = E.gens()
>>> len(pts)
1
>>> pts[Integer(0)].order() == E.cardinality()
True

>>> E = EllipticCurve(GF(Integer(2)), [Integer(0),Integer(0),Integer(1),Integer(1),Integer(1)])
>>> E.gens()
()

This works over larger finite fields where abelian_group() may be too expensive:

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(5^60)
sage: E = EllipticCurve([a, a])
sage: len(E.gens())
2
sage: E.cardinality()
867361737988403547206134229616487867594472
sage: a = E.gens()[0].order(); a # random
433680868994201773603067114808243933797236
sage: b = E.gens()[1].order(); b # random
30977204928157269543076222486303138128374
sage: lcm(a,b)
433680868994201773603067114808243933797236

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(5)**Integer(60), names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve([a, a])
>>> len(E.gens())
2
>>> E.cardinality()
867361737988403547206134229616487867594472
>>> a = E.gens()[Integer(0)].order(); a # random
433680868994201773603067114808243933797236
>>> b = E.gens()[Integer(1)].order(); b # random
30977204928157269543076222486303138128374
>>> lcm(a,b)
433680868994201773603067114808243933797236
height_above_floor(ell, e)[source]#

Return the height of the \(j\)-invariant of this ordinary elliptic curve on its \(\ell\)-volcano.

INPUT:

  • ell – a prime number

  • e – a non-negative integer, the ell-adic valuation of the conductor the Frobenius order

Note

For an ordinary \(E/\GF{q}\), and a prime \(\ell\), the height \(e\) of the \(\ell\)-volcano containing \(j(E)\) is the \(\ell\)-adic valuation of the conductor of the order generated by the Frobenius \(\pi_E\); the height of \(j(E)\) on its ell-volcano is the \(\ell\)-adic valuation of the conductor of the order \(\text{End}(E)\).

ALGORITHM:

EXAMPLES:

sage: F = GF(312401)
sage: E = EllipticCurve(F,(0, 0, 0, 309381, 93465))
sage: D = E.frobenius_discriminant(); D
-687104
sage: D.factor()
-1 * 2^10 * 11 * 61
sage: E.height_above_floor(2,8)
5

>>> from sage.all import *
>>> F = GF(Integer(312401))
>>> E = EllipticCurve(F,(Integer(0), Integer(0), Integer(0), Integer(309381), Integer(93465)))
>>> D = E.frobenius_discriminant(); D
-687104
>>> D.factor()
-1 * 2^10 * 11 * 61
>>> E.height_above_floor(Integer(2),Integer(8))
5
is_isogenous(other, field=None, proof=True)[source]#

Return whether or not self is isogenous to other.

INPUT:

  • other – another elliptic curve.

  • field (default None) – a field containing the base fields of the two elliptic curves into which the two curves may be extended to test if they are isogenous over this field. By default is_isogenous will not try to find this field unless one of the curves can be extended into the base field of the other, in which case it will test over the larger base field.

  • proof (default: True) – this parameter is here only to be consistent with versions for other types of elliptic curves.

OUTPUT:

(bool) True if there is an isogeny from curve self to curve other defined over field.

EXAMPLES:

sage: # needs sage.rings.finite_rings
sage: E1 = EllipticCurve(GF(11^2,'a'),[2,7]); E1
Elliptic Curve defined by y^2 = x^3 + 2*x + 7 over Finite Field in a of size 11^2
sage: E1.is_isogenous(5)
Traceback (most recent call last):
...
ValueError: Second argument is not an Elliptic Curve.
sage: E1.is_isogenous(E1)
True

sage: # needs sage.rings.finite_rings
sage: E2 = EllipticCurve(GF(7^3,'b'),[3,1]); E2
Elliptic Curve defined by y^2 = x^3 + 3*x + 1 over Finite Field in b of size 7^3
sage: E1.is_isogenous(E2)
Traceback (most recent call last):
...
ValueError: The base fields must have the same characteristic.

sage: # needs sage.rings.finite_rings
sage: E3 = EllipticCurve(GF(11^2,'c'),[4,3]); E3
Elliptic Curve defined by y^2 = x^3 + 4*x + 3 over Finite Field in c of size 11^2
sage: E1.is_isogenous(E3)
False

sage: # needs sage.rings.finite_rings
sage: E4 = EllipticCurve(GF(11^6,'d'),[6,5]); E4
Elliptic Curve defined by y^2 = x^3 + 6*x + 5 over Finite Field in d of size 11^6
sage: E1.is_isogenous(E4)
True

sage: # needs sage.rings.finite_rings
sage: E5 = EllipticCurve(GF(11^7,'e'),[4,2]); E5
Elliptic Curve defined by y^2 = x^3 + 4*x + 2 over Finite Field in e of size 11^7
sage: E1.is_isogenous(E5)
Traceback (most recent call last):
...
ValueError: Curves have different base fields: use the field parameter.

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E1 = EllipticCurve(GF(Integer(11)**Integer(2),'a'),[Integer(2),Integer(7)]); E1
Elliptic Curve defined by y^2 = x^3 + 2*x + 7 over Finite Field in a of size 11^2
>>> E1.is_isogenous(Integer(5))
Traceback (most recent call last):
...
ValueError: Second argument is not an Elliptic Curve.
>>> E1.is_isogenous(E1)
True

>>> # needs sage.rings.finite_rings
>>> E2 = EllipticCurve(GF(Integer(7)**Integer(3),'b'),[Integer(3),Integer(1)]); E2
Elliptic Curve defined by y^2 = x^3 + 3*x + 1 over Finite Field in b of size 7^3
>>> E1.is_isogenous(E2)
Traceback (most recent call last):
...
ValueError: The base fields must have the same characteristic.

>>> # needs sage.rings.finite_rings
>>> E3 = EllipticCurve(GF(Integer(11)**Integer(2),'c'),[Integer(4),Integer(3)]); E3
Elliptic Curve defined by y^2 = x^3 + 4*x + 3 over Finite Field in c of size 11^2
>>> E1.is_isogenous(E3)
False

>>> # needs sage.rings.finite_rings
>>> E4 = EllipticCurve(GF(Integer(11)**Integer(6),'d'),[Integer(6),Integer(5)]); E4
Elliptic Curve defined by y^2 = x^3 + 6*x + 5 over Finite Field in d of size 11^6
>>> E1.is_isogenous(E4)
True

>>> # needs sage.rings.finite_rings
>>> E5 = EllipticCurve(GF(Integer(11)**Integer(7),'e'),[Integer(4),Integer(2)]); E5
Elliptic Curve defined by y^2 = x^3 + 4*x + 2 over Finite Field in e of size 11^7
>>> E1.is_isogenous(E5)
Traceback (most recent call last):
...
ValueError: Curves have different base fields: use the field parameter.

When the field is given:

sage: # needs sage.rings.finite_rings
sage: E1 = EllipticCurve(GF(13^2,'a'),[2,7]); E1
Elliptic Curve defined by y^2 = x^3 + 2*x + 7 over Finite Field in a of size 13^2
sage: E1.is_isogenous(5,GF(13^6,'f'))
Traceback (most recent call last):
...
ValueError: Second argument is not an Elliptic Curve.
sage: E6 = EllipticCurve(GF(11^3,'g'),[9,3]); E6
Elliptic Curve defined by y^2 = x^3 + 9*x + 3 over Finite Field in g of size 11^3
sage: E1.is_isogenous(E6,QQ)
Traceback (most recent call last):
...
ValueError: The base fields must have the same characteristic.
sage: E7 = EllipticCurve(GF(13^5,'h'),[2,9]); E7
Elliptic Curve defined by y^2 = x^3 + 2*x + 9 over Finite Field in h of size 13^5
sage: E1.is_isogenous(E7,GF(13^4,'i'))
Traceback (most recent call last):
...
ValueError: Field must be an extension of the base fields of both curves
sage: E1.is_isogenous(E7,GF(13^10,'j'))
False
sage: E1.is_isogenous(E7,GF(13^30,'j'))
False

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E1 = EllipticCurve(GF(Integer(13)**Integer(2),'a'),[Integer(2),Integer(7)]); E1
Elliptic Curve defined by y^2 = x^3 + 2*x + 7 over Finite Field in a of size 13^2
>>> E1.is_isogenous(Integer(5),GF(Integer(13)**Integer(6),'f'))
Traceback (most recent call last):
...
ValueError: Second argument is not an Elliptic Curve.
>>> E6 = EllipticCurve(GF(Integer(11)**Integer(3),'g'),[Integer(9),Integer(3)]); E6
Elliptic Curve defined by y^2 = x^3 + 9*x + 3 over Finite Field in g of size 11^3
>>> E1.is_isogenous(E6,QQ)
Traceback (most recent call last):
...
ValueError: The base fields must have the same characteristic.
>>> E7 = EllipticCurve(GF(Integer(13)**Integer(5),'h'),[Integer(2),Integer(9)]); E7
Elliptic Curve defined by y^2 = x^3 + 2*x + 9 over Finite Field in h of size 13^5
>>> E1.is_isogenous(E7,GF(Integer(13)**Integer(4),'i'))
Traceback (most recent call last):
...
ValueError: Field must be an extension of the base fields of both curves
>>> E1.is_isogenous(E7,GF(Integer(13)**Integer(10),'j'))
False
>>> E1.is_isogenous(E7,GF(Integer(13)**Integer(30),'j'))
False
is_ordinary(proof=True)[source]#

Return True if this elliptic curve is ordinary, else False.

INPUT:

  • proof (boolean, default: True) – If True, returns a proved result. If False, then a return value of True is certain but a return value of False may be based on a probabilistic test. See the documentation of the function is_j_supersingular() for more details.

EXAMPLES:

sage: F = GF(101)
sage: EllipticCurve(j=F(0)).is_ordinary()
False
sage: EllipticCurve(j=F(1728)).is_ordinary()
True
sage: EllipticCurve(j=F(66)).is_ordinary()
False
sage: EllipticCurve(j=F(99)).is_ordinary()
True

>>> from sage.all import *
>>> F = GF(Integer(101))
>>> EllipticCurve(j=F(Integer(0))).is_ordinary()
False
>>> EllipticCurve(j=F(Integer(1728))).is_ordinary()
True
>>> EllipticCurve(j=F(Integer(66))).is_ordinary()
False
>>> EllipticCurve(j=F(Integer(99))).is_ordinary()
True
is_supersingular(proof=True)[source]#

Return True if this elliptic curve is supersingular, else False.

INPUT:

  • proof (boolean, default: True) – If True, returns a proved result. If False, then a return value of False is certain but a return value of True may be based on a probabilistic test. See the documentation of the function is_j_supersingular() for more details.

EXAMPLES:

sage: F = GF(101)
sage: EllipticCurve(j=F(0)).is_supersingular()
True
sage: EllipticCurve(j=F(1728)).is_supersingular()
False
sage: EllipticCurve(j=F(66)).is_supersingular()
True
sage: EllipticCurve(j=F(99)).is_supersingular()
False

>>> from sage.all import *
>>> F = GF(Integer(101))
>>> EllipticCurve(j=F(Integer(0))).is_supersingular()
True
>>> EllipticCurve(j=F(Integer(1728))).is_supersingular()
False
>>> EllipticCurve(j=F(Integer(66))).is_supersingular()
True
>>> EllipticCurve(j=F(Integer(99))).is_supersingular()
False
multiplication_by_p_isogeny()[source]#

Return the multiplication-by-\(p\) isogeny.

EXAMPLES:

sage: p = 23
sage: K.<a> = GF(p^3)
sage: E = EllipticCurve(j=K.random_element())
sage: phi = E.multiplication_by_p_isogeny()
sage: assert phi.degree() == p**2
sage: P = E.random_element()
sage: assert phi(P) == P * p

>>> from sage.all import *
>>> p = Integer(23)
>>> K = GF(p**Integer(3), names=('a',)); (a,) = K._first_ngens(1)
>>> E = EllipticCurve(j=K.random_element())
>>> phi = E.multiplication_by_p_isogeny()
>>> assert phi.degree() == p**Integer(2)
>>> P = E.random_element()
>>> assert phi(P) == P * p
order(algorithm=None, extension_degree=1)[source]#

Return the number of points on this elliptic curve.

INPUT:

  • algorithm – (optional) string:

    • 'pari' – use the PARI C-library function ellcard.

    • 'bsgs' – use the baby-step giant-step method as

      implemented in Sage, with the Cremona-Sutherland version of Mestre’s trick.

    • 'exhaustive' – naive point counting.

    • 'subfield' – reduce to a smaller field, provided that the j-invariant lies in a subfield.

    • 'all' – compute cardinality with both 'pari' and 'bsgs'; return result if they agree or raise a AssertionError if they do not

  • extension_degree – an integer \(d\) (default: 1): if the base field is \(\GF{q}\), return the cardinality of self over the extension \(\GF{q^d}\) of degree \(d\).

OUTPUT:

The order of the group of rational points of self over its base field, or over an extension field of degree \(d\) as above. The result is cached.

EXAMPLES:

sage: # needs sage.rings.finite_rings
sage: EllipticCurve(GF(4, 'a'), [1,2,3,4,5]).cardinality()
8
sage: k.<a> = GF(3^3)
sage: l = [a^2 + 1, 2*a^2 + 2*a + 1, a^2 + a + 1, 2, 2*a]
sage: EllipticCurve(k,l).cardinality()
29

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> EllipticCurve(GF(Integer(4), 'a'), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
8
>>> k = GF(Integer(3)**Integer(3), names=('a',)); (a,) = k._first_ngens(1)
>>> l = [a**Integer(2) + Integer(1), Integer(2)*a**Integer(2) + Integer(2)*a + Integer(1), a**Integer(2) + a + Integer(1), Integer(2), Integer(2)*a]
>>> EllipticCurve(k,l).cardinality()
29

sage: # needs sage.rings.finite_rings
sage: l = [1, 1, 0, 2, 0]
sage: EllipticCurve(k, l).cardinality()
38

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> l = [Integer(1), Integer(1), Integer(0), Integer(2), Integer(0)]
>>> EllipticCurve(k, l).cardinality()
38

An even bigger extension (which we check against Magma):

sage: # needs sage.rings.finite_rings
sage: EllipticCurve(GF(3^100, 'a'), [1,2,3,4,5]).cardinality()
515377520732011331036459693969645888996929981504
sage: magma.eval("Order(EllipticCurve([GF(3^100)|1,2,3,4,5]))")    # optional - magma
'515377520732011331036459693969645888996929981504'

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> EllipticCurve(GF(Integer(3)**Integer(100), 'a'), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
515377520732011331036459693969645888996929981504
>>> magma.eval("Order(EllipticCurve([GF(3^100)|1,2,3,4,5]))")    # optional - magma
'515377520732011331036459693969645888996929981504'

sage: EllipticCurve(GF(10007), [1,2,3,4,5]).cardinality()
10076
sage: EllipticCurve(GF(10007), [1,2,3,4,5]).cardinality(algorithm='pari')
10076
sage: EllipticCurve(GF(next_prime(10**20)), [1,2,3,4,5]).cardinality()
100000000011093199520

>>> from sage.all import *
>>> EllipticCurve(GF(Integer(10007)), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
10076
>>> EllipticCurve(GF(Integer(10007)), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality(algorithm='pari')
10076
>>> EllipticCurve(GF(next_prime(Integer(10)**Integer(20))), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)]).cardinality()
100000000011093199520

The cardinality is cached:

sage: # needs sage.rings.finite_rings
sage: E = EllipticCurve(GF(3^100, 'a'), [1,2,3,4,5])
sage: E.cardinality() is E.cardinality()
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E = EllipticCurve(GF(Integer(3)**Integer(100), 'a'), [Integer(1),Integer(2),Integer(3),Integer(4),Integer(5)])
>>> E.cardinality() is E.cardinality()
True

The following is very fast since the curve is actually defined over the prime field:

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(11^100)
sage: E1 = EllipticCurve(k, [3,3])
sage: N1 = E1.cardinality(algorithm="subfield"); N1
137806123398222701841183371720896367762643312000384671846835266941791510341065565176497846502742959856128
sage: E1.cardinality_pari() == N1
True
sage: E2 = E1.quadratic_twist()
sage: N2 = E2.cardinality(algorithm="subfield"); N2
137806123398222701841183371720896367762643312000384656816094284101308193849980588362304472492174093035876
sage: E2.cardinality_pari() == N2
True
sage: N1 + N2 == 2*(k.cardinality() + 1)
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(11)**Integer(100), names=('a',)); (a,) = k._first_ngens(1)
>>> E1 = EllipticCurve(k, [Integer(3),Integer(3)])
>>> N1 = E1.cardinality(algorithm="subfield"); N1
137806123398222701841183371720896367762643312000384671846835266941791510341065565176497846502742959856128
>>> E1.cardinality_pari() == N1
True
>>> E2 = E1.quadratic_twist()
>>> N2 = E2.cardinality(algorithm="subfield"); N2
137806123398222701841183371720896367762643312000384656816094284101308193849980588362304472492174093035876
>>> E2.cardinality_pari() == N2
True
>>> N1 + N2 == Integer(2)*(k.cardinality() + Integer(1))
True

We can count points over curves defined as a reduction:

sage: # needs sage.rings.number_field
sage: x = polygen(QQ)
sage: K.<w> = NumberField(x^2 + x + 1)
sage: EK = EllipticCurve(K, [0, 0, w, 2, 1])
sage: E = EK.base_extend(K.residue_field(2))
sage: E
Elliptic Curve defined by y^2 + wbar*y = x^3 + 1
 over Residue field in wbar of Fractional ideal (2)
sage: E.cardinality()
7
sage: E = EK.base_extend(K.residue_field(w - 1))
sage: E.abelian_group()
Trivial group embedded in Abelian group of points on Elliptic Curve defined
 by y^2 + y = x^3 + 2*x + 1 over Residue field of Fractional ideal (w - 1)

>>> from sage.all import *
>>> # needs sage.rings.number_field
>>> x = polygen(QQ)
>>> K = NumberField(x**Integer(2) + x + Integer(1), names=('w',)); (w,) = K._first_ngens(1)
>>> EK = EllipticCurve(K, [Integer(0), Integer(0), w, Integer(2), Integer(1)])
>>> E = EK.base_extend(K.residue_field(Integer(2)))
>>> E
Elliptic Curve defined by y^2 + wbar*y = x^3 + 1
 over Residue field in wbar of Fractional ideal (2)
>>> E.cardinality()
7
>>> E = EK.base_extend(K.residue_field(w - Integer(1)))
>>> E.abelian_group()
Trivial group embedded in Abelian group of points on Elliptic Curve defined
 by y^2 + y = x^3 + 2*x + 1 over Residue field of Fractional ideal (w - 1)

sage: R.<x> = GF(17)[]
sage: pol = R.irreducible_element(5)
sage: k.<a> = R.residue_field(pol)
sage: E = EllipticCurve(R, [1, x]).base_extend(k)
sage: E
Elliptic Curve defined by y^2 = x^3 + x + a
 over Residue field in a of Principal ideal (x^5 + x + 14)
  of Univariate Polynomial Ring in x over Finite Field of size 17
sage: E.cardinality()
1421004

>>> from sage.all import *
>>> R = GF(Integer(17))['x']; (x,) = R._first_ngens(1)
>>> pol = R.irreducible_element(Integer(5))
>>> k = R.residue_field(pol, names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve(R, [Integer(1), x]).base_extend(k)
>>> E
Elliptic Curve defined by y^2 = x^3 + x + a
 over Residue field in a of Principal ideal (x^5 + x + 14)
  of Univariate Polynomial Ring in x over Finite Field of size 17
>>> E.cardinality()
1421004
plot(*args, **kwds)[source]#

Draw a graph of this elliptic curve over a prime finite field.

INPUT:

  • *args, **kwds – all other options are passed to the circle graphing primitive.

EXAMPLES:

sage: E = EllipticCurve(FiniteField(17), [0,1])
sage: P = plot(E, rgbcolor=(0,0,1))                                         # needs sage.plot

>>> from sage.all import *
>>> E = EllipticCurve(FiniteField(Integer(17)), [Integer(0),Integer(1)])
>>> P = plot(E, rgbcolor=(Integer(0),Integer(0),Integer(1)))                                         # needs sage.plot
points()[source]#

Return all rational points on this elliptic curve. The list of points is cached so subsequent calls are free.

EXAMPLES:

sage: p = 5
sage: F = GF(p)
sage: E = EllipticCurve(F, [1, 3])
sage: len(E.points())
4
sage: E.order()
4
sage: E.points()
[(0 : 1 : 0), (1 : 0 : 1), (4 : 1 : 1), (4 : 4 : 1)]

>>> from sage.all import *
>>> p = Integer(5)
>>> F = GF(p)
>>> E = EllipticCurve(F, [Integer(1), Integer(3)])
>>> len(E.points())
4
>>> E.order()
4
>>> E.points()
[(0 : 1 : 0), (1 : 0 : 1), (4 : 1 : 1), (4 : 4 : 1)]

sage: K = GF((p, 2), 'a')
sage: E = E.change_ring(K)
sage: len(E.points())
32
sage: E.order()
32
sage: w = E.points(); w
[(0 : 1 : 0), (0 : 2*a + 4 : 1), (0 : 3*a + 1 : 1), (1 : 0 : 1), (2 : 2*a + 4 : 1), (2 : 3*a + 1 : 1), (3 : 2*a + 4 : 1), (3 : 3*a + 1 : 1), (4 : 1 : 1), (4 : 4 : 1), (a : 1 : 1), (a : 4 : 1), (a + 2 : a + 1 : 1), (a + 2 : 4*a + 4 : 1), (a + 3 : a : 1), (a + 3 : 4*a : 1), (a + 4 : 0 : 1), (2*a : 2*a : 1), (2*a : 3*a : 1), (2*a + 4 : a + 1 : 1), (2*a + 4 : 4*a + 4 : 1), (3*a + 1 : a + 3 : 1), (3*a + 1 : 4*a + 2 : 1), (3*a + 2 : 2*a + 3 : 1), (3*a + 2 : 3*a + 2 : 1), (4*a : 0 : 1), (4*a + 1 : 1 : 1), (4*a + 1 : 4 : 1), (4*a + 3 : a + 3 : 1), (4*a + 3 : 4*a + 2 : 1), (4*a + 4 : a + 4 : 1), (4*a + 4 : 4*a + 1 : 1)]

>>> from sage.all import *
>>> K = GF((p, Integer(2)), 'a')
>>> E = E.change_ring(K)
>>> len(E.points())
32
>>> E.order()
32
>>> w = E.points(); w
[(0 : 1 : 0), (0 : 2*a + 4 : 1), (0 : 3*a + 1 : 1), (1 : 0 : 1), (2 : 2*a + 4 : 1), (2 : 3*a + 1 : 1), (3 : 2*a + 4 : 1), (3 : 3*a + 1 : 1), (4 : 1 : 1), (4 : 4 : 1), (a : 1 : 1), (a : 4 : 1), (a + 2 : a + 1 : 1), (a + 2 : 4*a + 4 : 1), (a + 3 : a : 1), (a + 3 : 4*a : 1), (a + 4 : 0 : 1), (2*a : 2*a : 1), (2*a : 3*a : 1), (2*a + 4 : a + 1 : 1), (2*a + 4 : 4*a + 4 : 1), (3*a + 1 : a + 3 : 1), (3*a + 1 : 4*a + 2 : 1), (3*a + 2 : 2*a + 3 : 1), (3*a + 2 : 3*a + 2 : 1), (4*a : 0 : 1), (4*a + 1 : 1 : 1), (4*a + 1 : 4 : 1), (4*a + 3 : a + 3 : 1), (4*a + 3 : 4*a + 2 : 1), (4*a + 4 : a + 4 : 1), (4*a + 4 : 4*a + 1 : 1)]

Note that the returned list is an immutable sorted Sequence:

sage: w[0] = 9
Traceback (most recent call last):
...
ValueError: object is immutable; please change a copy instead.

>>> from sage.all import *
>>> w[Integer(0)] = Integer(9)
Traceback (most recent call last):
...
ValueError: object is immutable; please change a copy instead.
random_element()[source]#

Return a random point on this elliptic curve, uniformly chosen among all rational points.

ALGORITHM:

Choose the point at infinity with probability \(1/(2q + 1)\). Otherwise, take a random element from the field as x-coordinate and compute the possible y-coordinates. Return the i’th possible y-coordinate, where i is randomly chosen to be 0 or 1. If the i’th y-coordinate does not exist (either there is no point with the given x-coordinate or we hit a 2-torsion point with i == 1), try again.

This gives a uniform distribution because you can imagine \(2q + 1\) buckets, one for the point at infinity and 2 for each element of the field (representing the x-coordinates). This gives a 1-to-1 map of elliptic curve points into buckets. At every iteration, we simply choose a random bucket until we find a bucket containing a point.

AUTHORS:

  • Jeroen Demeyer (2014-09-09): choose points uniformly random, see Issue #16951.

EXAMPLES:

sage: k = GF(next_prime(7^5))
sage: E = EllipticCurve(k,[2,4])
sage: P = E.random_element(); P  # random
(16740 : 12486 : 1)
sage: type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
sage: P in E
True

>>> from sage.all import *
>>> k = GF(next_prime(Integer(7)**Integer(5)))
>>> E = EllipticCurve(k,[Integer(2),Integer(4)])
>>> P = E.random_element(); P  # random
(16740 : 12486 : 1)
>>> type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
>>> P in E
True

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(7^5)
sage: E = EllipticCurve(k,[2,4])
sage: P = E.random_element(); P  # random
(5*a^4 + 3*a^3 + 2*a^2 + a + 4 : 2*a^4 + 3*a^3 + 4*a^2 + a + 5 : 1)
sage: type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
sage: P in E
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(7)**Integer(5), names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve(k,[Integer(2),Integer(4)])
>>> P = E.random_element(); P  # random
(5*a^4 + 3*a^3 + 2*a^2 + a + 4 : 2*a^4 + 3*a^3 + 4*a^2 + a + 5 : 1)
>>> type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
>>> P in E
True

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(2^5)
sage: E = EllipticCurve(k,[a^2,a,1,a+1,1])
sage: P = E.random_element(); P  # random
(a^4 + a : a^4 + a^3 + a^2 : 1)
sage: type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
sage: P in E
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(2)**Integer(5), names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve(k,[a**Integer(2),a,Integer(1),a+Integer(1),Integer(1)])
>>> P = E.random_element(); P  # random
(a^4 + a : a^4 + a^3 + a^2 : 1)
>>> type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
>>> P in E
True

Ensure that the entire point set is reachable:

sage: E = EllipticCurve(GF(11), [2,1])
sage: S = set()
sage: while len(S) < E.cardinality():
....:     S.add(E.random_element())

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(11)), [Integer(2),Integer(1)])
>>> S = set()
>>> while len(S) < E.cardinality():
...     S.add(E.random_element())
random_point()[source]#

Return a random point on this elliptic curve, uniformly chosen among all rational points.

ALGORITHM:

Choose the point at infinity with probability \(1/(2q + 1)\). Otherwise, take a random element from the field as x-coordinate and compute the possible y-coordinates. Return the i’th possible y-coordinate, where i is randomly chosen to be 0 or 1. If the i’th y-coordinate does not exist (either there is no point with the given x-coordinate or we hit a 2-torsion point with i == 1), try again.

This gives a uniform distribution because you can imagine \(2q + 1\) buckets, one for the point at infinity and 2 for each element of the field (representing the x-coordinates). This gives a 1-to-1 map of elliptic curve points into buckets. At every iteration, we simply choose a random bucket until we find a bucket containing a point.

AUTHORS:

  • Jeroen Demeyer (2014-09-09): choose points uniformly random, see Issue #16951.

EXAMPLES:

sage: k = GF(next_prime(7^5))
sage: E = EllipticCurve(k,[2,4])
sage: P = E.random_element(); P  # random
(16740 : 12486 : 1)
sage: type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
sage: P in E
True

>>> from sage.all import *
>>> k = GF(next_prime(Integer(7)**Integer(5)))
>>> E = EllipticCurve(k,[Integer(2),Integer(4)])
>>> P = E.random_element(); P  # random
(16740 : 12486 : 1)
>>> type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
>>> P in E
True

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(7^5)
sage: E = EllipticCurve(k,[2,4])
sage: P = E.random_element(); P  # random
(5*a^4 + 3*a^3 + 2*a^2 + a + 4 : 2*a^4 + 3*a^3 + 4*a^2 + a + 5 : 1)
sage: type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
sage: P in E
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(7)**Integer(5), names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve(k,[Integer(2),Integer(4)])
>>> P = E.random_element(); P  # random
(5*a^4 + 3*a^3 + 2*a^2 + a + 4 : 2*a^4 + 3*a^3 + 4*a^2 + a + 5 : 1)
>>> type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
>>> P in E
True

sage: # needs sage.rings.finite_rings
sage: k.<a> = GF(2^5)
sage: E = EllipticCurve(k,[a^2,a,1,a+1,1])
sage: P = E.random_element(); P  # random
(a^4 + a : a^4 + a^3 + a^2 : 1)
sage: type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
sage: P in E
True

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> k = GF(Integer(2)**Integer(5), names=('a',)); (a,) = k._first_ngens(1)
>>> E = EllipticCurve(k,[a**Integer(2),a,Integer(1),a+Integer(1),Integer(1)])
>>> P = E.random_element(); P  # random
(a^4 + a : a^4 + a^3 + a^2 : 1)
>>> type(P)
<class 'sage.schemes.elliptic_curves.ell_point.EllipticCurvePoint_finite_field'>
>>> P in E
True

Ensure that the entire point set is reachable:

sage: E = EllipticCurve(GF(11), [2,1])
sage: S = set()
sage: while len(S) < E.cardinality():
....:     S.add(E.random_element())

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(11)), [Integer(2),Integer(1)])
>>> S = set()
>>> while len(S) < E.cardinality():
...     S.add(E.random_element())
rational_points()[source]#

Return all rational points on this elliptic curve. The list of points is cached so subsequent calls are free.

EXAMPLES:

sage: p = 5
sage: F = GF(p)
sage: E = EllipticCurve(F, [1, 3])
sage: len(E.points())
4
sage: E.order()
4
sage: E.points()
[(0 : 1 : 0), (1 : 0 : 1), (4 : 1 : 1), (4 : 4 : 1)]

>>> from sage.all import *
>>> p = Integer(5)
>>> F = GF(p)
>>> E = EllipticCurve(F, [Integer(1), Integer(3)])
>>> len(E.points())
4
>>> E.order()
4
>>> E.points()
[(0 : 1 : 0), (1 : 0 : 1), (4 : 1 : 1), (4 : 4 : 1)]

sage: K = GF((p, 2), 'a')
sage: E = E.change_ring(K)
sage: len(E.points())
32
sage: E.order()
32
sage: w = E.points(); w
[(0 : 1 : 0), (0 : 2*a + 4 : 1), (0 : 3*a + 1 : 1), (1 : 0 : 1), (2 : 2*a + 4 : 1), (2 : 3*a + 1 : 1), (3 : 2*a + 4 : 1), (3 : 3*a + 1 : 1), (4 : 1 : 1), (4 : 4 : 1), (a : 1 : 1), (a : 4 : 1), (a + 2 : a + 1 : 1), (a + 2 : 4*a + 4 : 1), (a + 3 : a : 1), (a + 3 : 4*a : 1), (a + 4 : 0 : 1), (2*a : 2*a : 1), (2*a : 3*a : 1), (2*a + 4 : a + 1 : 1), (2*a + 4 : 4*a + 4 : 1), (3*a + 1 : a + 3 : 1), (3*a + 1 : 4*a + 2 : 1), (3*a + 2 : 2*a + 3 : 1), (3*a + 2 : 3*a + 2 : 1), (4*a : 0 : 1), (4*a + 1 : 1 : 1), (4*a + 1 : 4 : 1), (4*a + 3 : a + 3 : 1), (4*a + 3 : 4*a + 2 : 1), (4*a + 4 : a + 4 : 1), (4*a + 4 : 4*a + 1 : 1)]

>>> from sage.all import *
>>> K = GF((p, Integer(2)), 'a')
>>> E = E.change_ring(K)
>>> len(E.points())
32
>>> E.order()
32
>>> w = E.points(); w
[(0 : 1 : 0), (0 : 2*a + 4 : 1), (0 : 3*a + 1 : 1), (1 : 0 : 1), (2 : 2*a + 4 : 1), (2 : 3*a + 1 : 1), (3 : 2*a + 4 : 1), (3 : 3*a + 1 : 1), (4 : 1 : 1), (4 : 4 : 1), (a : 1 : 1), (a : 4 : 1), (a + 2 : a + 1 : 1), (a + 2 : 4*a + 4 : 1), (a + 3 : a : 1), (a + 3 : 4*a : 1), (a + 4 : 0 : 1), (2*a : 2*a : 1), (2*a : 3*a : 1), (2*a + 4 : a + 1 : 1), (2*a + 4 : 4*a + 4 : 1), (3*a + 1 : a + 3 : 1), (3*a + 1 : 4*a + 2 : 1), (3*a + 2 : 2*a + 3 : 1), (3*a + 2 : 3*a + 2 : 1), (4*a : 0 : 1), (4*a + 1 : 1 : 1), (4*a + 1 : 4 : 1), (4*a + 3 : a + 3 : 1), (4*a + 3 : 4*a + 2 : 1), (4*a + 4 : a + 4 : 1), (4*a + 4 : 4*a + 1 : 1)]

Note that the returned list is an immutable sorted Sequence:

sage: w[0] = 9
Traceback (most recent call last):
...
ValueError: object is immutable; please change a copy instead.

>>> from sage.all import *
>>> w[Integer(0)] = Integer(9)
Traceback (most recent call last):
...
ValueError: object is immutable; please change a copy instead.
set_order(value, check, num_checks)[source]#

Set the value of self._order to value.

Use this when you know a priori the order of the curve to avoid a potentially expensive order calculation.

INPUT:

  • value – integer in the Hasse-Weil range for this curve.

  • check (boolean, default: True) – whether or not to run sanity checks on the input.

  • num_checks (integer, default: 8) – if check is True, the number of times to check whether value times a random point on this curve equals the identity.

OUTPUT:

None

EXAMPLES:

This example illustrates basic usage:

sage: E = EllipticCurve(GF(7), [0, 1]) # This curve has order 12
sage: E.set_order(12)
sage: E.order()
12
sage: E.order() * E.random_point()
(0 : 1 : 0)

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(7)), [Integer(0), Integer(1)]) # This curve has order 12
>>> E.set_order(Integer(12))
>>> E.order()
12
>>> E.order() * E.random_point()
(0 : 1 : 0)

We now give a more interesting case, the NIST-P521 curve. Its order is too big to calculate with Sage, and takes a long time using other packages, so it is very useful here:

sage: p = 2^521 - 1
sage: prev_proof_state = proof.arithmetic()
sage: proof.arithmetic(False) # turn off primality checking
sage: F = GF(p)
sage: A = p - 3
sage: B = 1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984
sage: q = 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449
sage: E = EllipticCurve([F(A), F(B)])
sage: E.set_order(q)
sage: G = E.random_point()
sage: G.order() * G  # This takes practically no time.
(0 : 1 : 0)
sage: proof.arithmetic(prev_proof_state) # restore state

>>> from sage.all import *
>>> p = Integer(2)**Integer(521) - Integer(1)
>>> prev_proof_state = proof.arithmetic()
>>> proof.arithmetic(False) # turn off primality checking
>>> F = GF(p)
>>> A = p - Integer(3)
>>> B = Integer(1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984)
>>> q = Integer(6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449)
>>> E = EllipticCurve([F(A), F(B)])
>>> E.set_order(q)
>>> G = E.random_point()
>>> G.order() * G  # This takes practically no time.
(0 : 1 : 0)
>>> proof.arithmetic(prev_proof_state) # restore state

It is an error to pass a value which is not an integer in the Hasse-Weil range:

sage: E = EllipticCurve(GF(7), [0, 1]) # This curve has order 12
sage: E.set_order("hi")
Traceback (most recent call last):
...
TypeError: unable to convert 'hi' to an integer
sage: E.set_order(0)
Traceback (most recent call last):
...
ValueError: Value 0 illegal (not an integer in the Hasse range)
sage: E.set_order(1000)
Traceback (most recent call last):
...
ValueError: Value 1000 illegal (not an integer in the Hasse range)

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(7)), [Integer(0), Integer(1)]) # This curve has order 12
>>> E.set_order("hi")
Traceback (most recent call last):
...
TypeError: unable to convert 'hi' to an integer
>>> E.set_order(Integer(0))
Traceback (most recent call last):
...
ValueError: Value 0 illegal (not an integer in the Hasse range)
>>> E.set_order(Integer(1000))
Traceback (most recent call last):
...
ValueError: Value 1000 illegal (not an integer in the Hasse range)

It is also very likely an error to pass a value which is not the actual order of this curve. How unlikely is determined by num_checks, the factorization of the actual order, and the actual group structure:

sage: E = EllipticCurve(GF(1009), [0, 1]) # This curve has order 948
sage: E.set_order(947)
Traceback (most recent call last):
...
ValueError: Value 947 illegal (multiple of random point not the identity)

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(1009)), [Integer(0), Integer(1)]) # This curve has order 948
>>> E.set_order(Integer(947))
Traceback (most recent call last):
...
ValueError: Value 947 illegal (multiple of random point not the identity)

For curves over small finite fields, the order is cheap to compute, so it is computed directly and compared:

sage: E = EllipticCurve(GF(7), [0, 1]) # This curve has order 12
sage: E.set_order(11)
Traceback (most recent call last):
...
ValueError: Value 11 illegal (correct order is 12)

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(7)), [Integer(0), Integer(1)]) # This curve has order 12
>>> E.set_order(Integer(11))
Traceback (most recent call last):
...
ValueError: Value 11 illegal (correct order is 12)

Todo

Add provable correctness check by computing the abelian group structure and comparing.

AUTHORS:

  • Mariah Lenox (2011-02-16): Initial implementation

  • Gareth Ma (2024-01-21): Fix bug for small curves

torsion_basis(n)[source]#

Return a basis of the \(n\)-torsion subgroup of this elliptic curve, assuming it is fully rational.

EXAMPLES:

sage: # needs sage.rings.finite_rings
sage: E = EllipticCurve(GF(62207^2), [1,0])
sage: E.abelian_group()
Additive abelian group isomorphic to Z/62208 + Z/62208 embedded in
 Abelian group of points on Elliptic Curve defined by y^2 = x^3 + x
  over Finite Field in z2 of size 62207^2
sage: PA,QA = E.torsion_basis(2^8)
sage: PA.weil_pairing(QA, 2^8).multiplicative_order()
256
sage: PB,QB = E.torsion_basis(3^5)
sage: PB.weil_pairing(QB, 3^5).multiplicative_order()
243

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> E = EllipticCurve(GF(Integer(62207)**Integer(2)), [Integer(1),Integer(0)])
>>> E.abelian_group()
Additive abelian group isomorphic to Z/62208 + Z/62208 embedded in
 Abelian group of points on Elliptic Curve defined by y^2 = x^3 + x
  over Finite Field in z2 of size 62207^2
>>> PA,QA = E.torsion_basis(Integer(2)**Integer(8))
>>> PA.weil_pairing(QA, Integer(2)**Integer(8)).multiplicative_order()
256
>>> PB,QB = E.torsion_basis(Integer(3)**Integer(5))
>>> PB.weil_pairing(QB, Integer(3)**Integer(5)).multiplicative_order()
243

sage: E = EllipticCurve(GF(101), [4,4])
sage: E.torsion_basis(23)
Traceback (most recent call last):
...
ValueError: curve does not have full rational 23-torsion
sage: F = E.division_field(23); F
Finite Field in t of size 101^11
sage: EE = E.change_ring(F)
sage: P, Q = EE.torsion_basis(23)
sage: P  # random
(89*z11^10 + 51*z11^9 + 96*z11^8 + 8*z11^7 + 67*z11^6
 + 31*z11^5 + 55*z11^4 + 59*z11^3 + 28*z11^2 + 8*z11 + 88
 : 40*z11^10 + 33*z11^9 + 80*z11^8 + 87*z11^7 + 97*z11^6
 + 69*z11^5 + 56*z11^4 + 17*z11^3 + 26*z11^2 + 69*z11 + 11
 : 1)
sage: Q  # random
(25*z11^10 + 61*z11^9 + 49*z11^8 + 17*z11^7 + 80*z11^6
 + 20*z11^5 + 49*z11^4 + 52*z11^3 + 61*z11^2 + 27*z11 + 61
 : 60*z11^10 + 91*z11^9 + 89*z11^8 + 7*z11^7 + 63*z11^6
 + 55*z11^5 + 23*z11^4 + 17*z11^3 + 90*z11^2 + 91*z11 + 68
 : 1)

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(101)), [Integer(4),Integer(4)])
>>> E.torsion_basis(Integer(23))
Traceback (most recent call last):
...
ValueError: curve does not have full rational 23-torsion
>>> F = E.division_field(Integer(23)); F
Finite Field in t of size 101^11
>>> EE = E.change_ring(F)
>>> P, Q = EE.torsion_basis(Integer(23))
>>> P  # random
(89*z11^10 + 51*z11^9 + 96*z11^8 + 8*z11^7 + 67*z11^6
 + 31*z11^5 + 55*z11^4 + 59*z11^3 + 28*z11^2 + 8*z11 + 88
 : 40*z11^10 + 33*z11^9 + 80*z11^8 + 87*z11^7 + 97*z11^6
 + 69*z11^5 + 56*z11^4 + 17*z11^3 + 26*z11^2 + 69*z11 + 11
 : 1)
>>> Q  # random
(25*z11^10 + 61*z11^9 + 49*z11^8 + 17*z11^7 + 80*z11^6
 + 20*z11^5 + 49*z11^4 + 52*z11^3 + 61*z11^2 + 27*z11 + 61
 : 60*z11^10 + 91*z11^9 + 89*z11^8 + 7*z11^7 + 63*z11^6
 + 55*z11^5 + 23*z11^4 + 17*z11^3 + 90*z11^2 + 91*z11 + 68
 : 1)

See also

Use division_field() to determine a field extension containing the full \(\ell\)-torsion subgroup.

ALGORITHM:

This method currently uses abelian_group() and AdditiveAbelianGroupWrapper.torsion_subgroup().

trace_of_frobenius()[source]#

Return the trace of Frobenius acting on this elliptic curve.

Note

This computes the curve cardinality, which may be time-consuming.

EXAMPLES:

sage: E = EllipticCurve(GF(101),[2,3])
sage: E.trace_of_frobenius()
6
sage: E = EllipticCurve(GF(11^5,'a'),[2,5])                                 # needs sage.rings.finite_rings
sage: E.trace_of_frobenius()                                                # needs sage.rings.finite_rings
802

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(101)),[Integer(2),Integer(3)])
>>> E.trace_of_frobenius()
6
>>> E = EllipticCurve(GF(Integer(11)**Integer(5),'a'),[Integer(2),Integer(5)])                                 # needs sage.rings.finite_rings
>>> E.trace_of_frobenius()                                                # needs sage.rings.finite_rings
802

The following shows that the issue from Issue #2849 is fixed:

sage: E = EllipticCurve(GF(3^5,'a'),[-1,-1])                                # needs sage.rings.finite_rings
sage: E.trace_of_frobenius()                                                # needs sage.rings.finite_rings
-27

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(3)**Integer(5),'a'),[-Integer(1),-Integer(1)])                                # needs sage.rings.finite_rings
>>> E.trace_of_frobenius()                                                # needs sage.rings.finite_rings
-27
twists()[source]#

Return a list of \(k\)-isomorphism representatives of all twists of this elliptic curve, where \(k\) is the base field.

The input curve appears as the first entry of the result.

Note

A twist of \(E/k\) is an elliptic curve \(E'\) defined over \(k\) that is isomorphic to \(E\) over the algebraic closure \(\bar k\).

Most elliptic curves over a finite field only admit a single nontrivial twist (the quadratic twist); the only exceptions are curves with \(j\)-invariant \(0\) or \(1728\).

In all cases the sum over all the twists \(E'\) of \(1/|Aut(E')|\) is 1.

See also

EXAMPLES:

sage: E = EllipticCurve(GF(97), [1,1])
sage: E.j_invariant()
54
sage: E.twists()
[Elliptic Curve defined by y^2 = x^3 + x + 1 over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97]

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(97)), [Integer(1),Integer(1)])
>>> E.j_invariant()
54
>>> E.twists()
[Elliptic Curve defined by y^2 = x^3 + x + 1 over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97]

sage: E = EllipticCurve(GF(97), [1,0])
sage: E.j_invariant()
79
sage: E.twists()
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97]

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(97)), [Integer(1),Integer(0)])
>>> E.j_invariant()
79
>>> E.twists()
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97]

sage: E = EllipticCurve(GF(97), [0,1])
sage: E.j_invariant()
0
sage: E.twists()
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97]

>>> from sage.all import *
>>> E = EllipticCurve(GF(Integer(97)), [Integer(0),Integer(1)])
>>> E.j_invariant()
0
>>> E.twists()
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97,
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 97]

This can be useful to quickly compute a list of all elliptic curves over a finite field \(k\) up to \(k\)-isomorphism:

sage: Es = [E for j in GF(13) for E in EllipticCurve(j=j).twists()]
sage: len(Es)
32
sage: Es
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 13,
 ...
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 13]

>>> from sage.all import *
>>> Es = [E for j in GF(Integer(13)) for E in EllipticCurve(j=j).twists()]
>>> len(Es)
32
>>> Es
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 13,
 ...
 Elliptic Curve defined by y^2 = x^3 + ... over Finite Field of size 13]

In characteristic 3, the number of twists is 2 except for \(j=0=1728\), when there are either 4 or 6 depending on whether the field has odd or even degree over \(\GF{3}\):

sage: # needs sage.rings.finite_rings
sage: K = GF(3**5)
sage: [E.ainvs() for E in EllipticCurve(j=K(1)).twists()]
[(0, 1, 0, 0, 2), (0, z5, 0, 0, 2*z5^3)]

sage: # needs sage.rings.finite_rings
sage: K = GF(3**5)
sage: [E.ainvs() for E in EllipticCurve(j=K(0)).twists()] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 0),
 (0, 0, 0, 2, z5^4 + z5^3 + z5^2),
 (0, 0, 0, 2, 2*z5^4 + 2*z5^3 + 2*z5^2)]

sage: # needs sage.rings.finite_rings
sage: K = GF(3**4)
sage: [E.ainvs() for E in EllipticCurve(j=K(1)).twists()]
[(0, 1, 0, 0, 2), (0, z4, 0, 0, 2*z4^3)]

sage: # needs sage.rings.finite_rings
sage: K = GF(3**4)
sage: [E.ainvs() for E in EllipticCurve(j=K(0)).twists()] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, 1, 0),
 (0, 0, 0, 1, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, z4, 0),
 (0, 0, 0, z4^3, 0)]

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(3)**Integer(5))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(1))).twists()]
[(0, 1, 0, 0, 2), (0, z5, 0, 0, 2*z5^3)]

>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(3)**Integer(5))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(0))).twists()] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 0),
 (0, 0, 0, 2, z5^4 + z5^3 + z5^2),
 (0, 0, 0, 2, 2*z5^4 + 2*z5^3 + 2*z5^2)]

>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(3)**Integer(4))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(1))).twists()]
[(0, 1, 0, 0, 2), (0, z4, 0, 0, 2*z4^3)]

>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(3)**Integer(4))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(0))).twists()] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, 1, 0),
 (0, 0, 0, 1, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, z4, 0),
 (0, 0, 0, z4^3, 0)]

In characteristic 2, the number of twists is 2 except for \(j=0=1728\), when there are either 3 or 7 depending on whether the field has odd or even degree over \(\GF{2}\):

sage: # needs sage.rings.finite_rings
sage: K = GF(2**7)
sage: [E.ainvs() for E in EllipticCurve(j=K(1)).twists()]
[(1, 0, 0, 0, 1), (1, 1, 0, 0, 1)]

sage: # needs sage.rings.finite_rings
sage: K = GF(2**7)
sage: [E.ainvs() for E in EllipticCurve(j=K(0)).twists()]
[(0, 0, 1, 0, 0), (0, 0, 1, 1, 0), (0, 0, 1, 1, 1)]

sage: # needs sage.rings.finite_rings
sage: K = GF(2**8)
sage: [E.ainvs() for E in EllipticCurve(j=K(1)).twists()] # random
[(1, 0, 0, 0, 1), (1, z8^7 + z8^6 + z8^5 + z8^4 + z8^2 + z8, 0, 0, 1)]

sage: # needs sage.rings.finite_rings
sage: K = GF(2**8)
sage: [E.ainvs() for E in EllipticCurve(j=K(0)).twists()] # random
[(0, 0, 1, 0, 0),
 (0, 0, 1, 0, z8^5 + z8^4 + z8^3),
 (0, 0, 1, z8^6 + z8^5 + z8^2 + 1, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, z8^3 + z8^2 + 1),
 (0, 0, z8^6 + z8^3 + z8^2, 0, 0),
 (0, 0, z8^6 + z8^3 + z8^2, 0, z8^3 + z8^2)]

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(2)**Integer(7))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(1))).twists()]
[(1, 0, 0, 0, 1), (1, 1, 0, 0, 1)]

>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(2)**Integer(7))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(0))).twists()]
[(0, 0, 1, 0, 0), (0, 0, 1, 1, 0), (0, 0, 1, 1, 1)]

>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(2)**Integer(8))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(1))).twists()] # random
[(1, 0, 0, 0, 1), (1, z8^7 + z8^6 + z8^5 + z8^4 + z8^2 + z8, 0, 0, 1)]

>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(2)**Integer(8))
>>> [E.ainvs() for E in EllipticCurve(j=K(Integer(0))).twists()] # random
[(0, 0, 1, 0, 0),
 (0, 0, 1, 0, z8^5 + z8^4 + z8^3),
 (0, 0, 1, z8^6 + z8^5 + z8^2 + 1, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, z8^3 + z8^2 + 1),
 (0, 0, z8^6 + z8^3 + z8^2, 0, 0),
 (0, 0, z8^6 + z8^3 + z8^2, 0, z8^3 + z8^2)]
sage.schemes.elliptic_curves.ell_finite_field.EllipticCurve_with_order(m, D)[source]#

Return an iterator for elliptic curves over finite fields with the given order. The curves are computed using the Complex Multiplication (CM) method.

A \(:sage:`~sage.structure.factorization.Factorization\) can be passed for m, in which case the algorithm is more efficient.

If D is specified, it is used as the discriminant.

EXAMPLES:

sage: from sage.schemes.elliptic_curves.ell_finite_field import EllipticCurve_with_order
sage: E = next(EllipticCurve_with_order(1234)); E  # random
Elliptic Curve defined by y^2 = x^3 + 1142*x + 1209 over Finite Field of size 1237
sage: E.order() == 1234
True

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import EllipticCurve_with_order
>>> E = next(EllipticCurve_with_order(Integer(1234))); E  # random
Elliptic Curve defined by y^2 = x^3 + 1142*x + 1209 over Finite Field of size 1237
>>> E.order() == Integer(1234)
True

When iter is set, the function returns an iterator of all elliptic curves with the given order:

sage: from sage.schemes.elliptic_curves.ell_finite_field import EllipticCurve_with_order
sage: it = EllipticCurve_with_order(21); it
<generator object EllipticCurve_with_order at 0x...>
sage: E = next(it); E  # random
Elliptic Curve defined by y^2 = x^3 + 6*x + 14 over Finite Field of size 23
sage: E.order() == 21
True
sage: Es = [E] + list(it); Es  # random
[Elliptic Curve defined by y^2 = x^3 + 6*x + 14 over Finite Field of size 23,
 Elliptic Curve defined by y^2 = x^3 + 12*x + 4 over Finite Field of size 23,
 Elliptic Curve defined by y^2 = x^3 + 5*x + 2 over Finite Field of size 23,
 Elliptic Curve defined by y^2 = x^3 + (z2+3) over Finite Field in z2 of size 5^2,
 Elliptic Curve defined by y^2 = x^3 + (2*z2+2) over Finite Field in z2 of size 5^2,
 Elliptic Curve defined by y^2 = x^3 + 7*x + 1 over Finite Field of size 19,
 Elliptic Curve defined by y^2 = x^3 + 17*x + 10 over Finite Field of size 19,
 Elliptic Curve defined by y^2 = x^3 + 5*x + 12 over Finite Field of size 17,
 Elliptic Curve defined by y^2 = x^3 + 9*x + 1 over Finite Field of size 17,
 Elliptic Curve defined by y^2 = x^3 + 7*x + 6 over Finite Field of size 17,
 Elliptic Curve defined by y^2 = x^3 + z3^2*x^2 + (2*z3^2+z3) over Finite Field in z3 of size 3^3,
 Elliptic Curve defined by y^2 = x^3 + (z3^2+2*z3+1)*x^2 + (2*z3^2+2*z3) over Finite Field in z3 of size 3^3,
 Elliptic Curve defined by y^2 = x^3 + (z3^2+z3+1)*x^2 + (2*z3^2+1) over Finite Field in z3 of size 3^3,
 Elliptic Curve defined by y^2 + (z4^2+z4+1)*y = x^3 over Finite Field in z4 of size 2^4,
 Elliptic Curve defined by y^2 + (z4^2+z4)*y = x^3 over Finite Field in z4 of size 2^4,
 Elliptic Curve defined by y^2 = x^3 + 18*x + 26 over Finite Field of size 29,
 Elliptic Curve defined by y^2 = x^3 + 11*x + 19 over Finite Field of size 29,
 Elliptic Curve defined by y^2 = x^3 + 4 over Finite Field of size 19,
 Elliptic Curve defined by y^2 = x^3 + 19 over Finite Field of size 31,
 Elliptic Curve defined by y^2 = x^3 + 4 over Finite Field of size 13]
sage: all(E.order() == 21 for E in Es)
True

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import EllipticCurve_with_order
>>> it = EllipticCurve_with_order(Integer(21)); it
<generator object EllipticCurve_with_order at 0x...>
>>> E = next(it); E  # random
Elliptic Curve defined by y^2 = x^3 + 6*x + 14 over Finite Field of size 23
>>> E.order() == Integer(21)
True
>>> Es = [E] + list(it); Es  # random
[Elliptic Curve defined by y^2 = x^3 + 6*x + 14 over Finite Field of size 23,
 Elliptic Curve defined by y^2 = x^3 + 12*x + 4 over Finite Field of size 23,
 Elliptic Curve defined by y^2 = x^3 + 5*x + 2 over Finite Field of size 23,
 Elliptic Curve defined by y^2 = x^3 + (z2+3) over Finite Field in z2 of size 5^2,
 Elliptic Curve defined by y^2 = x^3 + (2*z2+2) over Finite Field in z2 of size 5^2,
 Elliptic Curve defined by y^2 = x^3 + 7*x + 1 over Finite Field of size 19,
 Elliptic Curve defined by y^2 = x^3 + 17*x + 10 over Finite Field of size 19,
 Elliptic Curve defined by y^2 = x^3 + 5*x + 12 over Finite Field of size 17,
 Elliptic Curve defined by y^2 = x^3 + 9*x + 1 over Finite Field of size 17,
 Elliptic Curve defined by y^2 = x^3 + 7*x + 6 over Finite Field of size 17,
 Elliptic Curve defined by y^2 = x^3 + z3^2*x^2 + (2*z3^2+z3) over Finite Field in z3 of size 3^3,
 Elliptic Curve defined by y^2 = x^3 + (z3^2+2*z3+1)*x^2 + (2*z3^2+2*z3) over Finite Field in z3 of size 3^3,
 Elliptic Curve defined by y^2 = x^3 + (z3^2+z3+1)*x^2 + (2*z3^2+1) over Finite Field in z3 of size 3^3,
 Elliptic Curve defined by y^2 + (z4^2+z4+1)*y = x^3 over Finite Field in z4 of size 2^4,
 Elliptic Curve defined by y^2 + (z4^2+z4)*y = x^3 over Finite Field in z4 of size 2^4,
 Elliptic Curve defined by y^2 = x^3 + 18*x + 26 over Finite Field of size 29,
 Elliptic Curve defined by y^2 = x^3 + 11*x + 19 over Finite Field of size 29,
 Elliptic Curve defined by y^2 = x^3 + 4 over Finite Field of size 19,
 Elliptic Curve defined by y^2 = x^3 + 19 over Finite Field of size 31,
 Elliptic Curve defined by y^2 = x^3 + 4 over Finite Field of size 13]
>>> all(E.order() == Integer(21) for E in Es)
True

Indeed, we can verify that this is correct. Hasse’s bounds tell us that \(p \leq 50\) (approximately), and the rest can be checked via bruteforce:

sage: for p in prime_range(50):
....:     for j in range(p):
....:         E0 = EllipticCurve(GF(p), j=j)
....:         for Et in E0.twists():
....:             if Et.order() == 21:
....:                 assert any(Et.is_isomorphic(E) for E in Es)

>>> from sage.all import *
>>> for p in prime_range(Integer(50)):
...     for j in range(p):
...         E0 = EllipticCurve(GF(p), j=j)
...         for Et in E0.twists():
...             if Et.order() == Integer(21):
...                 assert any(Et.is_isomorphic(E) for E in Es)

Note

The output curves are not deterministic, as EllipticCurve_finite_field.twists() is not deterministic. However, the order of the j-invariants and base fields is fixed.

AUTHORS:

  • Gareth Ma and Giacomo Pope (Sage Days 123): initial version

sage.schemes.elliptic_curves.ell_finite_field.curves_with_j_0(K)[source]#

Return a complete list of pairwise nonisomorphic elliptic curves with \(j\)-invariant 0 over the finite field \(K\).

Note

In characteristics 2 and 3 this function simply calls curves_with_j_0_char2 or curves_with_j_0_char3. Otherwise there are either 2 or 6 curves, parametrised by \(K^*/(K^*)^6\).

Examples:

For \(K=\GF{q}\) where \(q\equiv1\mod{6}\) there are six curves, the sextic twists of \(y^2=x^3+1\):

sage: # needs sage.rings.finite_rings
sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0
sage: sorted(curves_with_j_0(GF(7)), key = lambda E: E.a_invariants())
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 2 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 3 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 4 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 5 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 6 over Finite Field of size 7]
sage: curves = curves_with_j_0(GF(25)); len(curves)
6
sage: all(not curves[i].is_isomorphic(curves[j]) for i in range(6) for j in range(i + 1, 6))
True
sage: set(E.j_invariant() for E in curves)
{0}

>>> from sage.all import *
>>> # needs sage.rings.finite_rings
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0
>>> sorted(curves_with_j_0(GF(Integer(7))), key = lambda E: E.a_invariants())
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 2 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 3 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 4 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 5 over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 6 over Finite Field of size 7]
>>> curves = curves_with_j_0(GF(Integer(25))); len(curves)
6
>>> all(not curves[i].is_isomorphic(curves[j]) for i in range(Integer(6)) for j in range(i + Integer(1), Integer(6)))
True
>>> set(E.j_invariant() for E in curves)
{0}

For \(K=\GF{q}\) where \(q\equiv5\mod{6}\) there are two curves, quadratic twists of each other by \(-3\): \(y^2=x^3+1\) and \(y^2=x^3-27\):

sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0
sage: curves_with_j_0(GF(5))
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 3 over Finite Field of size 5]
sage: curves_with_j_0(GF(11))
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 11,
 Elliptic Curve defined by y^2 = x^3 + 6 over Finite Field of size 11]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0
>>> curves_with_j_0(GF(Integer(5)))
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 3 over Finite Field of size 5]
>>> curves_with_j_0(GF(Integer(11)))
[Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field of size 11,
 Elliptic Curve defined by y^2 = x^3 + 6 over Finite Field of size 11]
sage.schemes.elliptic_curves.ell_finite_field.curves_with_j_0_char2(K)[source]#

Return a complete list of pairwise nonisomorphic elliptic curves with \(j\)-invariant 0 over the finite field \(K\) of characteristic 2.

Note

The number of twists is either 3 or 7 depending on whether the field has odd or even degree over \(\GF{2}\). See [Connell1999], pages 429-431.

Examples:

In odd degree, there are three isomorphism classes all with representatives defined over \(\GF{2}\):

sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char2
sage: # needs sage.rings.finite_rings
sage: K = GF(2**7)
sage: curves = curves_with_j_0_char2(K)
sage: len(curves)
3
sage: [E.ainvs() for E in curves]
[(0, 0, 1, 0, 0), (0, 0, 1, 1, 0), (0, 0, 1, 1, 1)]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char2
>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(2)**Integer(7))
>>> curves = curves_with_j_0_char2(K)
>>> len(curves)
3
>>> [E.ainvs() for E in curves]
[(0, 0, 1, 0, 0), (0, 0, 1, 1, 0), (0, 0, 1, 1, 1)]

Check that the curves are mutually non-isomorphic:

sage: all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
....:     for e1 in curves for e2 in curves)
True

>>> from sage.all import *
>>> all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
...     for e1 in curves for e2 in curves)
True

Check that the weight formula holds:

sage: sum(1/len(E.automorphisms()) for E in curves) == 1                        # needs sage.rings.finite_rings
True

>>> from sage.all import *
>>> sum(Integer(1)/len(E.automorphisms()) for E in curves) == Integer(1)                        # needs sage.rings.finite_rings
True

In even degree there are seven isomorphism classes:

sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char2
sage: # needs sage.rings.finite_rings
sage: K = GF(2**8)
sage: curves = EllipticCurve(j=K(0)).twists()
sage: len(curves)
7
sage: [E.ainvs() for E in curves] # random
[(0, 0, 1, 0, 0),
 (0, 0, 1, 0, z8^5 + z8^4 + z8^3),
 (0, 0, 1, z8^6 + z8^5 + z8^2 + 1, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, z8^3 + z8^2 + 1),
 (0, 0, z8^6 + z8^3 + z8^2, 0, 0),
 (0, 0, z8^6 + z8^3 + z8^2, 0, z8^3 + z8^2)]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char2
>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(2)**Integer(8))
>>> curves = EllipticCurve(j=K(Integer(0))).twists()
>>> len(curves)
7
>>> [E.ainvs() for E in curves] # random
[(0, 0, 1, 0, 0),
 (0, 0, 1, 0, z8^5 + z8^4 + z8^3),
 (0, 0, 1, z8^6 + z8^5 + z8^2 + 1, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, 0),
 (0, 0, z8^4 + z8^3 + z8^2 + 1, 0, z8^3 + z8^2 + 1),
 (0, 0, z8^6 + z8^3 + z8^2, 0, 0),
 (0, 0, z8^6 + z8^3 + z8^2, 0, z8^3 + z8^2)]

Check that the twists are mutually non-isomorphic:

sage: all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
....:     for e1 in curves for e2 in curves)
True

>>> from sage.all import *
>>> all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
...     for e1 in curves for e2 in curves)
True

Check that the weight formula holds:

sage: sum(1/len(E.automorphisms()) for E in curves) == 1                        # needs sage.rings.finite_rings
True

>>> from sage.all import *
>>> sum(Integer(1)/len(E.automorphisms()) for E in curves) == Integer(1)                        # needs sage.rings.finite_rings
True
sage.schemes.elliptic_curves.ell_finite_field.curves_with_j_0_char3(K)[source]#

Return a complete list of pairwise nonisomorphic elliptic curves with \(j\)-invariant 0 over the finite field \(K\) of characteristic 3.

Note

The number of twists is either 4 or 6 depending on whether the field has odd or even degree over \(\GF{3}\). See [Connell1999], pages 429-431.

Examples:

In odd degree, there are four isomorphism classes:

sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char3
sage: # needs sage.rings.finite_rings
sage: K = GF(3**5)
sage: curves = curves_with_j_0_char3(K)
sage: len(curves)
4
sage: [E.ainvs() for E in curves] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 0),
 (0, 0, 0, 2, z5^4 + z5^3 + z5^2),
 (0, 0, 0, 2, 2*z5^4 + 2*z5^3 + 2*z5^2)]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char3
>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(3)**Integer(5))
>>> curves = curves_with_j_0_char3(K)
>>> len(curves)
4
>>> [E.ainvs() for E in curves] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 0),
 (0, 0, 0, 2, z5^4 + z5^3 + z5^2),
 (0, 0, 0, 2, 2*z5^4 + 2*z5^3 + 2*z5^2)]

Check that the twists are mutually non-isomorphic:

sage: all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
....:     for e1 in curves for e2 in curves)
True

>>> from sage.all import *
>>> all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
...     for e1 in curves for e2 in curves)
True

Check that the weight formula holds:

sage: sum(1/len(E.automorphisms()) for E in curves) == 1                        # needs sage.rings.finite_rings
True

>>> from sage.all import *
>>> sum(Integer(1)/len(E.automorphisms()) for E in curves) == Integer(1)                        # needs sage.rings.finite_rings
True

In even degree, there are six isomorphism classes:

sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char3
sage: # needs sage.rings.finite_rings
sage: K = GF(3**4)
sage: curves = EllipticCurve(j=K(0)).twists()
sage: len(curves)
6
sage: [E.ainvs() for E in curves] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, 1, 0),
 (0, 0, 0, 1, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, z4, 0),
 (0, 0, 0, z4^3, 0)]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_0_char3
>>> # needs sage.rings.finite_rings
>>> K = GF(Integer(3)**Integer(4))
>>> curves = EllipticCurve(j=K(Integer(0))).twists()
>>> len(curves)
6
>>> [E.ainvs() for E in curves] # random
[(0, 0, 0, 1, 0),
 (0, 0, 0, 2, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, 1, 0),
 (0, 0, 0, 1, 2*z4^3 + 2*z4^2 + 2*z4 + 2),
 (0, 0, 0, z4, 0),
 (0, 0, 0, z4^3, 0)]

Check that the twists are mutually non-isomorphic:

sage: all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
....:     for e1 in curves for e2 in curves)
True

>>> from sage.all import *
>>> all((e1 == e2 or not e1.is_isomorphic(e2))                                # needs sage.rings.finite_rings
...     for e1 in curves for e2 in curves)
True

Check that the weight formula holds:

sage: sum(1/len(E.automorphisms()) for E in curves) == 1                        # needs sage.rings.finite_rings
True

>>> from sage.all import *
>>> sum(Integer(1)/len(E.automorphisms()) for E in curves) == Integer(1)                        # needs sage.rings.finite_rings
True
sage.schemes.elliptic_curves.ell_finite_field.curves_with_j_1728(K)[source]#

Return a complete list of pairwise nonisomorphic elliptic curves with \(j\)-invariant 1728 over the finite field \(K\).

Note

In characteristics 2 and 3 (so 0=1728) this function simply calls curves_with_j_0_char2 or curves_with_j_0_char3. Otherwise there are either 2 or 4 curves, parametrised by \(K^*/(K^*)^4\).

EXAMPLES:

For \(K=\GF{q}\) where \(q\equiv1\mod{4}\), there are four curves, the quartic twists of \(y^2=x^3+x\):

sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_1728
sage: sorted(curves_with_j_1728(GF(5)), key = lambda E: E.a_invariants())
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 2*x over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 3*x over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 4*x over Finite Field of size 5]
sage: curves_with_j_1728(GF(49))  # random                                      # needs sage.rings.finite_rings
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 7^2,
 Elliptic Curve defined by y^2 = x^3 + z2*x over Finite Field in z2 of size 7^2,
 Elliptic Curve defined by y^2 = x^3 + (z2+4)*x over Finite Field in z2 of size 7^2,
 Elliptic Curve defined by y^2 = x^3 + (5*z2+4)*x over Finite Field in z2 of size 7^2]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_1728
>>> sorted(curves_with_j_1728(GF(Integer(5))), key = lambda E: E.a_invariants())
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 2*x over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 3*x over Finite Field of size 5,
 Elliptic Curve defined by y^2 = x^3 + 4*x over Finite Field of size 5]
>>> curves_with_j_1728(GF(Integer(49)))  # random                                      # needs sage.rings.finite_rings
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 7^2,
 Elliptic Curve defined by y^2 = x^3 + z2*x over Finite Field in z2 of size 7^2,
 Elliptic Curve defined by y^2 = x^3 + (z2+4)*x over Finite Field in z2 of size 7^2,
 Elliptic Curve defined by y^2 = x^3 + (5*z2+4)*x over Finite Field in z2 of size 7^2]

For \(K=\GF{q}\) where \(q\equiv3\mod{4}\), there are two curves, quadratic twists of each other by \(-1\): \(y^2=x^3+x\) and \(y^2=x^3-x\):

sage: from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_1728
sage: curves_with_j_1728(GF(7))
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 6*x over Finite Field of size 7]
sage: curves_with_j_1728(GF(11))
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 11,
 Elliptic Curve defined by y^2 = x^3 + 10*x over Finite Field of size 11]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import curves_with_j_1728
>>> curves_with_j_1728(GF(Integer(7)))
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 7,
 Elliptic Curve defined by y^2 = x^3 + 6*x over Finite Field of size 7]
>>> curves_with_j_1728(GF(Integer(11)))
[Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 11,
 Elliptic Curve defined by y^2 = x^3 + 10*x over Finite Field of size 11]
sage.schemes.elliptic_curves.ell_finite_field.fill_ss_j_dict()[source]#

Fill the global cache of supersingular j-_polynomials.

This function does nothing except the first time it is called, when it fills supersingular_j_polynomials with precomputed values for \(p<300\). Setting the values this way avoids start-up costs.

sage.schemes.elliptic_curves.ell_finite_field.is_j_supersingular(j, proof=True)[source]#

Return True if \(j\) is a supersingular \(j\)-invariant.

INPUT:

  • j (finite field element) – an element of a finite field

  • proof (boolean, default: True) – If True, returns a proved result. If False, then a return value of False is certain but a return value of True may be based on a probabilistic test. See the ALGORITHM section below for more details.

OUTPUT:

(boolean) True if \(j\) is supersingular, else False.

ALGORITHM:

For small characteristics \(p\) we check whether the \(j\)-invariant is in a precomputed list of supersingular values. Otherwise we next check the \(j\)-invariant. If \(j=0\), the curve is supersingular if and only if \(p=2\) or \(p\equiv3\pmod{4}\); if \(j=1728\), the curve is supersingular if and only if \(p=3\) or \(p\equiv2\pmod{3}\). Next, if the base field is the prime field \({\rm GF}(p)\), we check that \((p+1)P=0\) for several random points \(P\), returning False if any fail: supersingular curves over \({\rm GF}(p)\) have cardinality \(p+1\). If Proof is false we now return True. Otherwise we compute the cardinality and return True if and only if it is divisible by \(p\).

EXAMPLES:

sage: from sage.schemes.elliptic_curves.ell_finite_field import is_j_supersingular, supersingular_j_polynomials
sage: [(p,[j for j in GF(p) if is_j_supersingular(j)]) for p in prime_range(30)]
[(2, [0]), (3, [0]), (5, [0]), (7, [6]), (11, [0, 1]), (13, [5]),
 (17, [0, 8]), (19, [7, 18]), (23, [0, 3, 19]), (29, [0, 2, 25])]

sage: [j for j in GF(109) if is_j_supersingular(j)]
[17, 41, 43]
sage: PolynomialRing(GF(109),'j')(supersingular_j_polynomials[109]).roots()
[(43, 1), (41, 1), (17, 1)]

sage: [p for p in prime_range(100) if is_j_supersingular(GF(p)(0))]
[2, 3, 5, 11, 17, 23, 29, 41, 47, 53, 59, 71, 83, 89]
sage: [p for p in prime_range(100) if is_j_supersingular(GF(p)(1728))]
[2, 3, 7, 11, 19, 23, 31, 43, 47, 59, 67, 71, 79, 83]
sage: [p for p in prime_range(100) if is_j_supersingular(GF(p)(123456))]
[2, 3, 59, 89]

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import is_j_supersingular, supersingular_j_polynomials
>>> [(p,[j for j in GF(p) if is_j_supersingular(j)]) for p in prime_range(Integer(30))]
[(2, [0]), (3, [0]), (5, [0]), (7, [6]), (11, [0, 1]), (13, [5]),
 (17, [0, 8]), (19, [7, 18]), (23, [0, 3, 19]), (29, [0, 2, 25])]

>>> [j for j in GF(Integer(109)) if is_j_supersingular(j)]
[17, 41, 43]
>>> PolynomialRing(GF(Integer(109)),'j')(supersingular_j_polynomials[Integer(109)]).roots()
[(43, 1), (41, 1), (17, 1)]

>>> [p for p in prime_range(Integer(100)) if is_j_supersingular(GF(p)(Integer(0)))]
[2, 3, 5, 11, 17, 23, 29, 41, 47, 53, 59, 71, 83, 89]
>>> [p for p in prime_range(Integer(100)) if is_j_supersingular(GF(p)(Integer(1728)))]
[2, 3, 7, 11, 19, 23, 31, 43, 47, 59, 67, 71, 79, 83]
>>> [p for p in prime_range(Integer(100)) if is_j_supersingular(GF(p)(Integer(123456)))]
[2, 3, 59, 89]
sage.schemes.elliptic_curves.ell_finite_field.special_supersingular_curve(F, endomorphism)[source]#

Given a finite field F, construct a “special” supersingular elliptic curve \(E\) defined over F.

Such a curve

  • has coefficients in \(\mathbb F_p\);

  • has group structure \(E(\mathbb F_p) \cong \ZZ/(p+1)\) and \(E(\mathbb F_{p^2}) \cong \ZZ/(p+1) \times \ZZ/(p+1)\);

  • has an endomorphism \(\vartheta\) of small degree \(q\) that anticommutes with the \(\mathbb F_p\)-Frobenius on \(E\).

(The significance of \(\vartheta\) is that any such endomorphism, together with the \(\mathbb F_p\)-Frobenius, generates the endomorphism algebra \(\mathrm{End}(E) \otimes \QQ\).)

INPUT:

  • F – finite field \(\mathbb F_{p^r}\);

  • endomorphism – boolean (default: False): When set to True, it is required that \(2 \mid r\), and the function then additionally returns \(\vartheta\).

EXAMPLES:

sage: special_supersingular_curve(GF(1013^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1013^2,
 Isogeny of degree 3 from Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1013^2 to Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1013^2)

sage: special_supersingular_curve(GF(1019^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1019^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1019^2
   Via:  (u,r,s,t) = (389*z2 + 241, 0, 0, 0))

sage: special_supersingular_curve(GF(1021^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 785*x + 794 over Finite Field in z2 of size 1021^2,
 Isogeny of degree 2 from Elliptic Curve defined by y^2 = x^3 + 785*x + 794 over Finite Field in z2 of size 1021^2 to Elliptic Curve defined by y^2 = x^3 + 785*x + 794 over Finite Field in z2 of size 1021^2)

sage: special_supersingular_curve(GF(1031^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1031^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1031^2
   Via:  (u,r,s,t) = (747*z2 + 284, 0, 0, 0))

sage: special_supersingular_curve(GF(1033^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 53*x + 980 over Finite Field in z2 of size 1033^2,
 Isogeny of degree 11 from Elliptic Curve defined by y^2 = x^3 + 53*x + 980 over Finite Field in z2 of size 1033^2 to Elliptic Curve defined by y^2 = x^3 + 53*x + 980 over Finite Field in z2 of size 1033^2)

sage: special_supersingular_curve(GF(1039^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1039^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1039^2
   Via:  (u,r,s,t) = (626*z2 + 200, 0, 0, 0))

sage: special_supersingular_curve(GF(1049^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1049^2,
 Isogeny of degree 3 from Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1049^2 to Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1049^2)

sage: special_supersingular_curve(GF(1051^2), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1051^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1051^2
   Via:  (u,r,s,t) = (922*z2 + 129, 0, 0, 0))

>>> from sage.all import *
>>> special_supersingular_curve(GF(Integer(1013)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1013^2,
 Isogeny of degree 3 from Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1013^2 to Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1013^2)

>>> special_supersingular_curve(GF(Integer(1019)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1019^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1019^2
   Via:  (u,r,s,t) = (389*z2 + 241, 0, 0, 0))

>>> special_supersingular_curve(GF(Integer(1021)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 785*x + 794 over Finite Field in z2 of size 1021^2,
 Isogeny of degree 2 from Elliptic Curve defined by y^2 = x^3 + 785*x + 794 over Finite Field in z2 of size 1021^2 to Elliptic Curve defined by y^2 = x^3 + 785*x + 794 over Finite Field in z2 of size 1021^2)

>>> special_supersingular_curve(GF(Integer(1031)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1031^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1031^2
   Via:  (u,r,s,t) = (747*z2 + 284, 0, 0, 0))

>>> special_supersingular_curve(GF(Integer(1033)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 53*x + 980 over Finite Field in z2 of size 1033^2,
 Isogeny of degree 11 from Elliptic Curve defined by y^2 = x^3 + 53*x + 980 over Finite Field in z2 of size 1033^2 to Elliptic Curve defined by y^2 = x^3 + 53*x + 980 over Finite Field in z2 of size 1033^2)

>>> special_supersingular_curve(GF(Integer(1039)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1039^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1039^2
   Via:  (u,r,s,t) = (626*z2 + 200, 0, 0, 0))

>>> special_supersingular_curve(GF(Integer(1049)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1049^2,
 Isogeny of degree 3 from Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1049^2 to Elliptic Curve defined by y^2 = x^3 + 1 over Finite Field in z2 of size 1049^2)

>>> special_supersingular_curve(GF(Integer(1051)**Integer(2)), endomorphism=True)
(Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1051^2,
 Elliptic-curve endomorphism of Elliptic Curve defined by y^2 = x^3 + x over Finite Field in z2 of size 1051^2
   Via:  (u,r,s,t) = (922*z2 + 129, 0, 0, 0))

Note

This function makes no guarantees about the distribution of the output. The current implementation is deterministic in many cases.

ALGORITHM: [Bro2009], Algorithm 2.4

sage.schemes.elliptic_curves.ell_finite_field.supersingular_j_polynomial(p, use_cache=True)[source]#

Return a polynomial whose roots are the supersingular \(j\)-invariants in characteristic \(p\), other than 0, 1728.

INPUT:

  • \(p\) (integer) – a prime number.

  • use_cache (boolean, default True) – use cached coefficients if they exist

ALGORITHM:

First compute H(X) whose roots are the Legendre \(\lambda\)-invariants of supersingular curves (Silverman V.4.1(b)) in characteristic \(p\). Then, using a resultant computation with the polynomial relating \(\lambda\) and \(j\) (Silverman III.1.7(b)), we recover the polynomial (in variable j) whose roots are the \(j\)-invariants. Factors of \(j\) and \(j-1728\) are removed if present.

Note

The only point of the use_cache parameter is to allow checking the precomputed coefficients.

EXAMPLES:

sage: from sage.schemes.elliptic_curves.ell_finite_field import supersingular_j_polynomial
sage: f = supersingular_j_polynomial(67); f
j^5 + 53*j^4 + 4*j^3 + 47*j^2 + 36*j + 8
sage: f.factor()
(j + 1) * (j^2 + 8*j + 45) * (j^2 + 44*j + 24)

>>> from sage.all import *
>>> from sage.schemes.elliptic_curves.ell_finite_field import supersingular_j_polynomial
>>> f = supersingular_j_polynomial(Integer(67)); f
j^5 + 53*j^4 + 4*j^3 + 47*j^2 + 36*j + 8
>>> f.factor()
(j + 1) * (j^2 + 8*j + 45) * (j^2 + 44*j + 24)

sage: [supersingular_j_polynomial(p) for p in prime_range(30)]
[1, 1, 1, 1, 1, j + 8, j + 9, j + 12, j + 4, j^2 + 2*j + 21]

>>> from sage.all import *
>>> [supersingular_j_polynomial(p) for p in prime_range(Integer(30))]
[1, 1, 1, 1, 1, j + 8, j + 9, j + 12, j + 4, j^2 + 2*j + 21]