We recount here an elementary proof of associativity for the group law on a non-singular elliptic curve. The principal ingredient is the Cayley-Bacharach theorem, which has a neat combinatorial proof using only a corollary of Bézout’s theorem (see “further reading” below).
Theorem (Cayley-Bacharach): Let be two cubic curves intersecting in nine distinct points. If is a cubic curve through eight of the nine points, then it has the form for some and in particular goes through the ninth point.
Note that “curve” in this context just means zero set in the projective plane of some homogeneous (not necessarily irreducible) polynomial. In particular, the union of three distinct lines in the projective plane is a cubic curve, by this definition, being the zero set of a product of three linear polynomials.
Theorem: Let be a non-singular elliptic curve with base point (=identity) and addition defined (as usual) via where denotes the third point of intersection of with the line through and , for all . Then for all distinct we have
Proof: First notice that since and the identity implies that it is sufficient to show that
Consider the following diagram. A red line and a blue line intersect the curve inside the dotted circle. Our goal is to show that these two intersections occur at the same point of (as indeed they appear to, in the diagram).
Let be an enumeration of the red lines, an enumeration of the blue lines as follows:
Define cubics , (these are the red and blue triangles in the first diagram). Then and meet at exactly nine points.
We assume that the eight points (in black on both diagrams) are distinct from one another and also from and (i.e. the points we are trying to show are equal).
Then and have nine points in common (the black points and ), and moreover cannot share more than these, since otherwise Bézout’s Theorem (applied to and each component of ) would imply that one of these components belonged to , thereby contradicting the assumed non-singularity of (since this implies irreducibility, see note below).
Similarly, and share precisely nine points, viz. the black points and . Now contains eight points (the black points) that are shared by and , and hence contains also the ninth, by the Cayley-Bacharach Theorem, i.e. .
So and share precisely nine points. On the other hand, we’ve shown that they share ten points: the eight black points, , and . Hence, in view of the point distinctness assumptions, the last two points must be equal.
Notes
Non-singular curves are irreducible since reducible curves are necessarily singular (since components must intersect by Bézout’s Theorem, and these intersection points are necessarily singularities).
Questions
Are the distinctness assumptions sufficient in view of Zariski closure?
Further reading
Husemöller’s book “Elliptic Curves” (page 51, 2nd edition) proves this, as well as the Cayley-Bacharach theorem itself, along with the corollary of Bézout’s theorem needed for it.
Terence Tao’s blog covers the same material as above (and does a much better job of it).
The appearance of an elliptic curve from the point of view of the affine plane is familiar to us, but leaves us wondering what the curve might look like near the point at infinity (i.e. the identity element ). This is not merely of visual interest, as it allows one to see directly that e.g. a line that is vertical in the plane has a pole of order 2 at the identity (even though it also intersects the curve at that point). The divisors of such linear functions play a crucial role in e.g. the computation of the Weil pairing.
Here is a first example of an elliptic curve over a finite field where you can work everything out by hand.
Consider the elliptic curve defined by the equation over the field . Multiplying out the right hand side, we see that (over ), the right hand side (“RHS”) is . So our equation is not in Weierstrass form, but that’s fine. It still defines an elliptic curve. Note that we know immediately that it is non-singular, since the roots of the RHS are distinct.
It’s easy to find all the solutions to our equation by hand – just consider each possible value for , calculate the RHS, and set , if such exist. So we first need to know which values in are squares:
Thus the points on our elliptic curve are The point is the solution at infinity: this is the one extra solution that arises when the equation defining the elliptic curve is homogenized, and solutions in the projective plane are permitted. The other solutions live in the “affine” plane.
The nice thing about working over an unextended finite field like is that it is still “1-dimensional”, so the affine solutions can be depicted on a 2-dimensional diagram like the following:
Fortunately, the familiar geometric description of the group operation on elliptic curves in terms of line intersections still works (why?). That is, any two points can be added by drawing a line through them, finding the third point of intersection, and reflecting through the line , and the point corresponds to the vertical direction and is the identity element of the group.
For example, it is immediate from this rule that . Remembering that lines wrap around our diagram (which is actually a torus), what do you think is equal to? (Hint: it’s the next letter of the alphabet).
As in the case over :
If a vertical line passes through two distinct affine points such as and , then (since it also intersects with in the projective plane) these points are inverses of one another w.r.t. the group operation. (We’ve labelled to reflect this.)
If a vertical line hits a single affine point (e.g. the line ) then this point is its own inverse.
Thus are all group elements of order 2.
Amusingly, the geometric rule for point doubling using tangents still works, as well. The slope of the tangent at a point on our elliptic curve can be calculated in the usual way. These slopes are depicted on our diagram with dashed blue lines. Following these tangents, you can immediately verify that and so have order as group elements.
The orders of our group elements are enough to conclude that our group (call it ) is isomorphic to . Indeed, since and (to check, just follow the lines!) we have that is an isomorphism of groups
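The by-hand procedure above (enumerate the points, add by chord and tangent, read off element orders) can be checked mechanically, together with the associativity statement from the first part. The following is an added example, not code from the original page: the prime `P` and the coefficients `A2`, `A4`, `A6` are constructed sample values rather than the page's own curve, and the associativity check runs over all triples, including the non-distinct ones the proof sets aside.

```python
from itertools import product

P = 5                    # constructed small odd prime (assumption, not from the page)
A2, A4, A6 = -3, 2, 0    # constructed curve y^2 = x^3 - 3x^2 + 2x = x(x-1)(x-2)
O = None                 # the point at infinity, i.e. the identity element

def rhs(x):
    return (x**3 + A2 * x**2 + A4 * x + A6) % P

def points():
    """For each x, keep every y whose square equals RHS(x); then add O."""
    affine = [(x, y) for x in range(P) for y in range(P) if y * y % P == rhs(x)]
    return [O] + affine

def add(p, q):
    """Chord-and-tangent addition on y^2 = x^3 + A2 x^2 + A4 x + A6 over F_P."""
    if p is O:
        return q
    if q is O:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return O         # vertical line: q = -p (covers doubling a 2-torsion point)
    if p == q:           # tangent slope from implicit differentiation
        lam = (3 * x1 * x1 + 2 * A2 * x1 + A4) * pow((2 * y1) % P, -1, P)
    else:                # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (lam * lam - A2 - x1 - x2) % P   # the x^2 term shifts the root sum by A2
    y3 = (lam * (x1 - x3) - y1) % P       # reflect the third intersection point
    return (x3, y3)

def order(p):
    """Smallest n >= 1 with n*p == O."""
    n, q = 1, p
    while q is not O:
        q, n = add(q, p), n + 1
    return n

def is_associative():
    """Exhaustively test (a+b)+c == a+(b+c) over every triple of points."""
    pts = points()
    return all(add(add(a, b), c) == add(a, add(b, c))
               for a, b, c in product(pts, repeat=3))
```

On this constructed curve there are eight points, with three elements of order 2 and four of order 4, so the group is isomorphic to Z/2 × Z/4.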