Elliptic curve

In, an elliptic curve is a defined by an equation of the form


 * $$y^2 = x^3 + ax + b$$

which is ; that is, the curve has no or self-intersections. (When the has  2 or 3, the above equation is not quite general enough to comprise all non-singular ; see  below.)

Formally, an elliptic curve is a, , of  one, on which there is a specified point O. An elliptic curve is an – that is, it has a multiplication defined algebraically, with respect to which it is an  – and O serves as the identity element. Often the curve itself, without O specified, is called an elliptic curve; the point O is often taken to be the curve's "" in the.

If y2 = P(x), where P is any polynomial of degree three in x with no repeated roots, the solution set is a nonsingular plane curve of one, an elliptic curve. If P has degree four and is this equation again describes a plane curve of genus one; however, it has no natural choice of identity element. More generally, any algebraic curve of genus one, for example from the intersection of two embedded in three-dimensional projective space, is called an elliptic curve, provided that it has at least one  to act as the identity.

Using the theory of s, it can be shown that elliptic curves defined over the s correspond to embeddings of the into the. The torus is also an, and in fact this correspondence is also a.

Elliptic curves are especially important in, and constitute a major area of current research; for example, they were used in the proof, by , of. They also find applications in (ECC) and.

An elliptic curve is not an : see for the origin of the term. Topologically, a complex elliptic curve is a.

Elliptic curves over the real numbers
Although the formal definition of an elliptic curve is fairly technical and requires some background in, it is possible to describe some features of elliptic curves over the s using only introductory and.

In this context, an elliptic curve is a defined by an equation of the form


 * $$y^2 = x^3 + ax + b$$

where a and b are real numbers. This type of equation is called a.

The definition of elliptic curve also requires that the curve be. Geometrically, this means that the graph has no, self-intersections, or isolated points. Algebraically, this holds if and only if the


 * $$\Delta = -16(4a^3 + 27b^2)$$

is not equal to zero. (Although the factor −16 is irrelevant to whether or not the curve is non-singular, this definition of the discriminant is useful in a more advanced study of elliptic curves.)

The (real) graph of a non-singular curve has two components if its discriminant is positive, and one component if it is negative. For example, in the graphs shown in figure to the right, the discriminant in the first case is 64, and in the second case is −368.

The group law
When working in the, we can define a group structure on any smooth cubic curve. In Weierstrass normal form, such a curve will have an additional point at infinity, O, at the [0:1:0] which serves as the identity of the group.

Since the curve is symmetrical about the x-axis, given any point P, we can take −P to be the point opposite it. We take −O to be just O.

If P and Q are two points on the curve, then we can uniquely describe a third point, P + Q, in the following way. First, draw the line that intersects P and Q. This will generally intersect the cubic at a third point, R. We then take P + Q to be −R, the point opposite R.

This definition for addition works except in a few special cases related to the point at infinity and intersection multiplicity. The first is when one of the points is O. Here, we define P + O = P = O + P, making O the identity of the group. Next, if P and Q are opposites of each other, we define P + Q = O. Lastly, if P = Q we only have one point, thus we can't define the line between them. In this case, we use the tangent line to the curve at this point as our line. In most cases, the tangent will intersect a second point R and we can take its opposite. However, if P happens to be an (a point where the concavity of the curve changes), we take R to be P itself and P + P is simply the point opposite itself.

For a cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identity O. In the projective plane, each line will intersect a cubic at three points when accounting for multiplicity. For a point P, −P is defined as the unique third point on the line passing through O and P. Then, for any P and Q, P + Q is defined as −R where R is the unique third point on the line containing P and Q.

Let K be a field over which the curve is defined (i.e., the coefficients of the defining equation or equations of the curve are in K) and denote the curve by E. Then the K-s of E are the points on E whose coordinates all lie in K, including the point at infinity. The set of K-rational points is denoted by E(K). It, too, forms a group, because properties of polynomial equations show that if P is in E(K), then −P is also in E(K), and if two of P, Q, and R are in E(K), then so is the third. Additionally, if K is a subfield of L, then E(K) is a of E(L).

The above group can be described algebraically as well as geometrically. Given the curve y2 = x3 + ax + b over the field K (whose we assume to be neither 2 nor 3), and points P = (xP, yP) and Q = (xQ, yQ) on the curve, assume first that xP ≠ xQ (first pane below). Let y = sx + d be the line that intersects P and Q, which has the following slope:


 * $$s = \frac{y_P - y_Q}{x_P - x_Q}$$

Since K is a field, s is well-defined. The line equation and the curve equation have an identical y in the points xP, xQ, and xR.


 * $$(s x + d)^2 = x^3 + ax + b$$

which is equivalent to $$0 = x^3 - s^2 x^2 - 2sdx + ax + b - d^2$$. We know that this equation has its roots in exactly the same x-values as


 * $$(x - x_P) (x - x_Q) (x - x_R) = x^3 + x^2 (-x_P - x_Q - x_R) + x (x_P x_Q + x_P x_R + x_Q x_R) - x_P x_Q x_R $$

We for x2 and solve for xR. yR follows from the line equation. This defines R = (xR, yR) = −(P + Q) with


 * $$\begin{align}

x_R &= s^2 - x_P - x_Q \\ y_R &= y_P + s(x_R - x_P) \end{align}$$

If xP = xQ, then there are two options: if yP = −yQ (third and fourth panes below), including the case where yP = yQ = 0 (fourth pane), then the sum is defined as 0; thus, the inverse of each point on the curve is found by reflecting it across the x-axis. If yP = yQ ≠ 0, then Q = P and R = (xR, yR) = −(P + P) = −2P = −2Q (second pane below with P shown for R) is given by


 * $$\begin{align}

s &= \frac{3{x_P}^2 + a}{2y_P}\\ x_R &= s^2 - 2x_P\\ y_R &= y_P + s(x_R - x_P) \end{align}$$

Elliptic curves over the complex numbers
The formulation of elliptic curves as the embedding of a in the  follows naturally from a curious property of. These functions and their first derivative are related by the formula


 * $$\wp'(z)^2 = 4\wp(z)^3 -g_2\wp(z) - g_3$$

Here, g2 and g3 are constants; $$\wp(z)$$ is the Weierstrass elliptic function and $$\wp'(z)$$ its derivative. It should be clear that this relation is in the form of an elliptic curve (over the s). The Weierstrass functions are doubly periodic; that is, they are periodic with respect to a Λ; in essence, the Weierstrass functions are naturally defined on a torus  T = C/Λ. This torus may be embedded in the complex projective plane by means of the map


 * $$z \mapsto [1 :\wp(z) : \wp'(z)/2]$$

This map is a of the torus (considered with its natural group structure) with the chord-and-tangent group law on the cubic curve which is the image of this map. It is also an isomorphism of s from the torus to the cubic curve, so topologically, an elliptic curve is a torus. If the lattice Λ is related by multiplication by a non-zero complex number c to a lattice cΛ, then the corresponding curves are isomorphic. Isomorphism classes of elliptic curves are specified by the.

The isomorphism classes can be understood in a simpler way as well. The constants g2 and g3, called the s, are uniquely determined by the lattice, that is, by the structure of the torus. However, the complex numbers form the for polynomials with real coefficients, and so the elliptic curve may be written as
 * $$y^2 = x(x - 1)(x - \lambda)$$

One finds that
 * $$g_2 = \frac{\sqrt[3]4}{3} (\lambda^2 - \lambda + 1)$$

and
 * $$g_3 = \frac{1}{27} (\lambda + 1)(2\lambda^2 - 5\lambda + 2)$$

so that the is
 * $$\Delta = g_2^3 - 27g_3^2 = \lambda^2(\lambda - 1)^2$$

Here, λ is sometimes called the.

Note that the implies that every  Riemann surface of genus one can be represented as a torus.

This also allows an easy understanding of the on an elliptic curve: if the lattice Λ is spanned by the fundamental periods ω1 and ω2, then the n-torsion points are the (equivalence classes of) points of the form
 * $$ \frac{a}{n} \omega_1 + \frac{b}{n} \omega_2$$

for a and b integers in the range from 0 to n−1.

Over the complex numbers, every elliptic curve has nine s. Every line through two of these points also passes through a third inflection point; the nine points and 12 lines formed in this way form a realization of the.

Elliptic curves over the rational numbers
A curve E defined over the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied to E. The explicit formulae show that the sum of two points P and Q with rational coordinates has again rational coordinates, since the line joining P and Q has rational coefficients. This way, one shows that the set of rational points of E forms a subgroup of the group of real points of E. As this group, it is an, that is, P + Q = Q + P.

The structure of rational points
The most important result is that all points can be constructed by the method of tangents and secants starting with a finite number of points. More precisely the states that the group E(Q) is a  (abelian) group. By the it is therefore a finite direct sum of copies of Z and finite cyclic groups.

The proof of that theorem rests on two ingredients: first, one shows that for any integer m > 1, the E(Q)/mE(Q) is finite (weak Mordell–Weil theorem). Second, introducing a h on the rational points E(Q) defined by h(P0) = 0 and $h(P) = log max(&#124;p&#124;, &#124;q&#124;)$ if P (unequal to the point at infinity P0) has as abscissa the rational number x = p/q (with  p and q). This height function h has the property that h(mP) grows roughly like the square of m. Moreover, only finitely many rational points with height smaller than any constant exist on E.

The proof of the theorem is thus a variant of the method of and relies on the repeated application of s on E: let P ∈ E(Q) be a rational point on the curve, writing P as the sum 2P1 + Q1 where Q1 is a fixed representant of P in E(Q)/2E(Q), the height of P1 is about $1⁄4$ of the one of P (more generally, replacing 2 by any m > 1, and $1⁄4$ by $1⁄m^{2}$). Redoing the same with P1, that is to say P1 = 2P2 + Q2, then P2 = 2P3 + Q3, etc. finally expresses P as an integral linear combination of points Qi and of points whose height is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height function P is thus expressed as an integral linear combination of a finite number of fixed points.

So far, the theorem is not effective since there is no known general procedure for determining the representants of E(Q)/mE(Q).

The of E(Q), that is the number of copies of Z in E(Q) or, equivalently, the number of independent points of infinite order, is called the rank of E. The is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known. The elliptic curve with biggest exactly known rank is
 * y2 + xy + y = x3 − x2 + 31 368  015  812  338  065  133  318  565  292  206  590  792  820  353  345x + 302  038  802  698  566  087  335  643  188  429  543  498  624  522  041  683  874  493  555  186  062  568  159  847

It has rank 19, found by in 2009. Curves of rank at least 28 are known, but their rank is not exactly known.

As for the groups constituting the of E(Q), the following is known: the torsion subgroup of E(Q) is one of the 15 following groups ( due to ): Z/NZ for N = 1, 2, ..., 10, or 12, or Z/2Z × Z/2NZ with N = 1, 2, 3, 4. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups over Q have the same torsion groups belong to a parametrized family.

The Birch and Swinnerton-Dyer conjecture
The Birch and Swinnerton-Dyer conjecture (BSD) is one of the s of the. The conjecture relies on analytic and arithmetic objects defined by the elliptic curve in question.

At the analytic side, an important ingredient is a function of a complex variable, L, the of E over Q. This function is a variant of the and s. It is defined as an, with one factor for every  p.

For a curve E over Q given by a minimal equation
 * $$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$$

with integral coefficients $$a_i$$, reducing the coefficients p defines an elliptic curve over the  Fp (except for a finite number of primes p, where the reduced curve has a  and thus fails to be elliptic, in which case E is said to be of  at p).

The zeta function of an elliptic curve over a finite field Fp is, in some sense, a assembling the information of the number of points of E with values in the finite s Fpn of Fp. It is given by
 * $$Z(E(\mathbf{F}_p)) = \exp\left(\sum \# \left[E({\mathbf F}_{p^n})\right]\frac{T^n}{n}\right)$$

The interior sum of the exponential resembles the development of the and, in fact, the so-defined zeta function is a :
 * $$Z(E(\mathbf{F}_p)) = \frac{1 - a_pT + pT^2}{(1 - T)(1 - pT)},$$

where the 'trace of Frobenius' term $$a_p$$ is defined to be the (negative of) the difference between the number of points on the elliptic curve $$E$$ over $$\mathbb{F}_p$$ and the 'expected' number $$p+1$$, viz.:

a_p = p + 1 - \#E(\mathbb{F}_p). $$ There are two points to note about this quantity. First, these $$a_p$$ are not to be confused with the $$a_i$$ in the definition of the curve $$E$$ above: this is just an unfortunate clash of notation. Second, we may define the same quantities and functions over an arbitrary finite field of characteristic $$p$$, with $$q = p^n$$ replacing $$p$$ everywhere.

The of E over Q is then defined by collecting this information together, for all primes p. It is defined by
 * $$L(E(\mathbf{Q}), s) = \prod_p \left(1 - a_p p^{-s} + \varepsilon(p)p^{1 - 2s}\right)^{-1}$$

where ε(p) = 1 if E has good reduction at p and 0 otherwise (in which case ap is defined differently from the method above: see Silverman (1986) below).

This product for Re(s) > 3/2 only. Hasse's conjecture affirms that the L-function admits an to the whole complex plane and satisfies a  relating, for any s, L(E, s) to L(E, 2 − s). In 1999 this was shown to be a consequence of the proof of the Shimura–Taniyama–Weil conjecture, which asserts that every elliptic curve over Q is a, which implies that its L-function is the L-function of a whose analytic continuation is known.

One can therefore speak about the values of L(E, s) at any complex number s. The Birch–Swinnerton-Dyer conjecture relates the arithmetic of the curve to the behavior of its L-function at s = 1. More precisely, it affirms that the order of the L-function at s = 1 equals the rank of E and predicts the leading term of the Laurent series of L(E, s) at that point in terms of several quantities attached to the elliptic curve.

Much like the, this conjecture has multiple consequences, including the following two:
 * Let n be an odd . Assuming the Birch and Swinnerton-Dyer conjecture, n is the area of a right triangle with rational side lengths (a ) if and only if the number of triplets of integers (x, y, z) satisfying $$2x^2 + y^2 + 8z^2 = n$$ is twice the number of triples satisfying $$2x^2 + y^2 + 32z^2 = n$$. This statement, due to, is related to the fact that n is a congruent number if and only if the elliptic curve $$y^2 = x^3 - n^2x$$ has a rational point of infinite order (thus, under the Birch and Swinnerton-Dyer conjecture, its L-function has a zero at 1). The interest in this statement is that the condition is easily verified.
 * In a different direction, certain analytic methods allow for an estimation of the order of zero in the center of the of families of L-functions. Admitting the BSD conjecture, these estimations correspond to information about the rank of families of elliptic curves in question. For example: assuming the  and the BSD conjecture, the average rank of curves given by $$y^2=x^3+ax+b$$ is smaller than 2.

The modularity theorem and its application to Fermat's Last Theorem
The modularity theorem, once known as the Taniyama–Shimura–Weil conjecture, states that every elliptic curve E over Q is a, that is to say, its Hasse–Weil zeta function is the L-function of a of weight 2 and level N, where N is the  of E (an integer divisible by the same prime numbers as the discriminant of E, Δ(E).) In other words, if, for Re(s) > 3/2, one writes the L-function in the form
 * $$L(E(\mathbf{Q}), s) = \sum_{n>0}a(n)n^{-s}$$

the expression
 * $$\sum a(n) q^n, \qquad q = e^{2 \pi i z}$$

defines a parabolic modular of weight 2 and level N. For prime numbers ℓ not dividing N, the coefficient a(ℓ) of the form equals ℓ minus the number of solutions of the minimal equation of the curve modulo ℓ.

For example, to the elliptic curve $$y^2 - y = x^3 -x$$ with discriminant (and conductor) 37, is associated the form
 * $$f(z) = q - 2q^2 - 3q^3 + 2q^4 - 2q^5 + 6q^6 + \cdots, \qquad q = e^{2 \pi i z}$$

For prime numbers ℓ not equal to 37, one can verify the property about the coefficients. Thus, for ℓ = 3, there are 6 solutions of the equation modulo 3: (0, 0), (0, 1), (2, 0), (1, 0), (1, 1), (2, 1); thus a(3) = 3 − 6 = −3.

The conjecture, going back to the 1950s, was completely proven by 1999 using ideas of, who proved it in 1994 for a large family of elliptic curves.

There are several formulations of the conjecture. Showing that they are equivalent is difficult and was a main topic of number theory in the second half of the 20th century. The modularity of an elliptic curve E of conductor N can be expressed also by saying that there is a non-constant defined over Q, from the modular curve X0(N) to E. In particular, the points of E can be parametrized by s.

For example, a modular parametrization of the curve $$y^2 - y = x^3 - x$$ is given by


 * $$\begin{align}

x(z) &= q^{-2} + 2q^{-1} + 5 + 9q + 18q^2 + 29q^3 + 51q^4 +\ldots\\ y(z) &= q^{-3} + 3q^{-2} + 9q^{-1} + 21 + 46q + 92q^2 + 180q^3 +\ldots \end{align}$$

where, as above, q = exp(2πiz). The functions x(z) and y(z) are modular of weight 0 and level 37; in other words they are, defined on the Im(z) > 0 and satisfy
 * $$x\!\left(\frac{az + b}{cz + d}\right) = x(z)$$

and likewise for y(z) for all integers a, b, c, d with ad − bc = 1 and 37|c.

Another formulation depends on the comparison of s attached on the one hand to elliptic curves, and on the other hand to modular forms. The latter formulation has been used in the proof the conjecture. Dealing with the level of the forms (and the connection to the conductor of the curve) is particularly delicate.

The most spectacular application of the conjecture is the proof of (FLT). Suppose that for a prime p ≥ 5, the Fermat equation
 * $$a^p + b^p = c^p$$

has a solution with non-zero integers, hence a counter-example to FLT. Then as was the first to notice, the elliptic curve
 * $$y^2 = x(x - a^p)(x + b^p)$$

of discriminant
 * $$\Delta = \frac{1}{256}(abc)^{2p}$$

cannot be modular. Thus, the proof of the Taniyama–Shimura–Weil conjecture for this family of elliptic curves (called Hellegouarch–Frey curves) implies FLT. The proof of the link between these two statements, based on an idea of (1985), is difficult and technical. It was established by in 1987.

Integral points
This section is concerned with points P = (x, y) of E such that x is an integer. The following theorem is due to : the set of points P = (x, y) of E(Q) such that x is an integer is finite. This theorem can be generalized to points whose x coordinate has a denominator divisible only by a fixed finite set of prime numbers.

The theorem can be formulated effectively. For example, if the Weierstrass equation of E has integer coefficients bounded by a constant H, the coordinates (x, y) of a point of E with both x and y integer satisfy:
 * $$\max (|x|, |y|) < \exp\left(\left[10^6H\right]^{{10}^6}\right)$$

For example, the equation y2 = x3 + 17 has eight integral solutions with y > 0 :
 * (x, y) = (−1, 4), (−2, 3), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), ($5,234$, $378,661$).

As another example,, a curve whose Weierstrass form is y2 = x3 − 2x, has only four solutions with y ≥ 0 :
 * (x, y) = (0, 0), (−1, 1), (2, 2), (338, $6,214$).

Generalization to number fields
Many of the preceding results remain valid when the field of definition of E is a K, that is to say, a finite  of Q. In particular, the group E(K) of K-rational points of an elliptic curve E defined over K is finitely generated, which generalizes the Mordell–Weil theorem above. A theorem due to shows that for a given integer d, there are ( isomorphism) only finitely many groups that can occur as the torsion groups of E(K) for an elliptic curve defined over a number field K of  d. More precisely, there is a number B(d) such that for any elliptic curve E defined over a number field K of degree d, any torsion point of E(K) is of less than B(d). The theorem is effective: for d > 1, if a torsion point is of order p, with p prime, then
 * $$p < d^{3d^2}$$

As for the integral points, Siegel's theorem generalizes to the following: Let E be an elliptic curve defined over a number field K, x and y the Weierstrass coordinates. Then there are only finitely many points of E(K) whose x-coordinate is in the OK.

The properties of the Hasse–Weil zeta function and the Birch and Swinnerton-Dyer conjecture can also be extended to this more general situation.

Elliptic curves over a general field
Elliptic curves can be defined over any K; the formal definition of an elliptic curve is a non-singular projective algebraic curve over K with  1 and endowed with a distinguished point defined over K.

If the of K is neither 2 nor 3, then every elliptic curve over K can be written in the form
 * $$y^2 = x^3 - px - q$$

where p and q are elements of K such that the right hand side polynomial x3 − px − q does not have any double roots. If the characteristic is 2 or 3, then more terms need to be kept: in characteristic 3, the most general equation is of the form
 * $$y^2 = 4x^3 + b_2 x^2 + 2b_4 x + b_6$$

for arbitrary constants b2, b4, b6 such that the polynomial on the right-hand side has distinct roots (the notation is chosen for historical reasons). In characteristic 2, even this much is not possible, and the most general equation is


 * $$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

provided that the variety it defines is non-singular. If characteristic were not an obstruction, each equation would reduce to the previous ones by a suitable change of variables.

One typically takes the curve to be the set of all points (x,y) which satisfy the above equation and such that both x and y are elements of the of K. Points of the curve whose coordinates both belong to K are called K-rational points.

Isogeny
Let E and D be elliptic curves over a field k. An isogeny between E and D is a f : E → D of  that preserves basepoints (in other words, maps the given point on E to that on D).

The two curves are called isogenous if there is an isogeny between them. This is an, being due to the existence of the. Every isogeny is an algebraic and thus induces homomorphisms of the  of the elliptic curves for k-valued points.

Elliptic curves over finite fields
Let K = Fq be the with q elements and E an elliptic curve defined over K. While the precise E over K is in general rather difficult to compute,  gives us, including the point at infinity, the following estimate:
 * $$|\# E(K) - (q + 1) | \le 2\sqrt{q}$$

In other words, the number of points of the curve grows roughly as the number of elements in the field. This fact can be understood and proven with the help of some general theory; see,.

The set of points E(Fq) is a finite abelian group. It is always cyclic or the product of two cyclic groups. For example, the curve defined by
 * $$y^2 = x^3 - x$$

over F71 has 72 points (71 including (0,0) and one ) over this field, whose group structure is given by Z/2Z × Z/36Z. The number of points on a specific curve can be computed with.

Studying the curve over the s of Fq is facilitated by the introduction of the local zeta function of E over Fq, defined by a generating series (also see above)
 * $$Z(E(K), T) \equiv \exp \left(\sum_{n=1}^{\infty} \# \left[E(K_n)\right] {T^n\over n} \right)$$

where the field Kn is the (unique up to isomorphism) extension of K = Fq of degree n (that is, Fqn). The zeta function is a rational function in T. There is an integer a such that


 * $$Z(E(K), T) = \frac{1 - aT + qT^2}{(1 - qT)(1 - T)}$$

Moreover,


 * $$\begin{align}

Z \left(E(K), \frac{1}{qT} \right) &= Z(E(K), T)\\ \left(1 - aT + qT^2 \right) &= (1 - \alpha T)(1 - \beta T) \end{align}$$

with complex numbers α, β of $$\sqrt{q}$$. This result is a special case of the. For example, the zeta function of E : y2 + y = x3 over the field F2 is given by
 * $$\frac{1 + 2T^2}{(1 - T)(1 - 2T)}$$

this follows from:
 * $$ \left| E(\mathbf{F}_{2^r}) \right| = \begin{cases} 2^r + 1 & r \text{ odd} \\ 2^r + 1 - 2(-2)^{\frac{r}{2}} & r \text{ even} \end{cases} $$

The is a statement about how the error term $$2\sqrt{q}$$ in Hasse's theorem varies with the different primes q, if an elliptic curve E over Q is reduced modulo q. It was proven (for almost all such curves) in 2006 due to the results of Taylor, Harris and Shepherd-Barron, and says that the error terms are equidistributed.

Elliptic curves over finite fields are notably applied in and for the  of large integers. These algorithms often make use of the group structure on the points of E. Algorithms that are applicable to general groups, for example the group of invertible elements in finite fields, F*q, can thus be applied to the group of points on an elliptic curve. For example, the is such an algorithm. The interest in this is that choosing an elliptic curve allows for more flexibility than choosing q (and thus the group of units in Fq). Also, the group structure of elliptic curves is generally more complicated.

Algorithms that use elliptic curves
Elliptic curves over finite fields are used in some applications as well as for. Typically, the general idea in these applications is that a known which makes use of certain finite groups is rewritten to use the groups of rational points of elliptic curves. For more see also: