# -*- coding: utf-8 -*-
r"""
Points on elliptic curves

The base class ``EllipticCurvePoint_field``, derived from
``AdditiveGroupElement``, provides support for points on elliptic
curves defined over general fields. The derived classes
``EllipticCurvePoint_number_field`` and
``EllipticCurvePoint_finite_field`` provide further support for points
on curves defined over number fields (including the rational field
`\QQ`) and over finite fields.

The class ``EllipticCurvePoint``, which is based on
``SchemeMorphism_point_projective_ring``, currently has little extra
functionality.

EXAMPLES:

An example over `\QQ`::

    sage: E = EllipticCurve('389a1')
    sage: P = E(-1,1); P
    (-1 : 1 : 1)
    sage: Q = E(0,-1); Q
    (0 : -1 : 1)
    sage: P+Q
    (4 : 8 : 1)
    sage: P-Q
    (1 : 0 : 1)
    sage: 3*P-5*Q
    (328/361 : -2800/6859 : 1)

An example over a number field::

    sage: K.<i> = QuadraticField(-1)
    sage: E = EllipticCurve(K,[1,0,0,0,-1])
    sage: P = E(0,i); P
    (0 : i : 1)
    sage: P.order()
    +Infinity
    sage: 101*P-100*P==P
    True

An example over a finite field::

    sage: K.<a> = GF(101^3)
    sage: E = EllipticCurve(K,[1,0,0,0,-1])
    sage: P = E(40*a^2 + 69*a + 84 , 58*a^2 + 73*a + 45)
    sage: P.order()
    1032210
    sage: E.cardinality()
    1032210

Arithmetic with a point over an extension of a finite field::

    sage: k.<a> = GF(5^2)
    sage: E = EllipticCurve(k,[1,0]); E
    Elliptic Curve defined by y^2 = x^3 + x over Finite Field in a of size 5^2
    sage: P = E([a,2*a+4])
    sage: 5*P
    (2*a + 3 : 2*a : 1)
    sage: P*5
    (2*a + 3 : 2*a : 1)
    sage: P + P + P + P + P
    (2*a + 3 : 2*a : 1)

::

    sage: F = Zmod(3)
    sage: E = EllipticCurve(F,[1,0]);
    sage: P = E([2,1])
    sage: import sys
    sage: n = sys.maxsize
    sage: P*(n+1)-P*n == P
    True

Arithmetic over `\ZZ/N\ZZ` with composite `N` is supported. When an
operation tries to invert a non-invertible element, a
ZeroDivisionError is raised and a factorization of the modulus appears
in the error message::

    sage: N = 1715761513
    sage: E = EllipticCurve(Integers(N),[3,-13])
    sage: P = E(2,1)
    sage: LCM([2..60])*P
    Traceback (most recent call last):
    ...
    ZeroDivisionError: Inverse of 1520944668 does not exist (characteristic = 1715761513 = 26927*63719)


AUTHORS:

- William Stein (2005) -- Initial version

- Robert Bradshaw et al....

- John Cremona (Feb 2008) -- Point counting and group structure for
  non-prime fields, Frobenius endomorphism and order, elliptic logs

- John Cremona (Aug 2008) -- Introduced ``EllipticCurvePoint_number_field`` class

- Tobias Nagel, Michael Mardaus, John Cremona (Dec 2008) -- `p`-adic elliptic logarithm over `\QQ`

- David Hansen (Jan 2009) -- Added ``weil_pairing`` function to ``EllipticCurvePoint_finite_field`` class

- Mariah Lenox (March 2011) -- Added ``tate_pairing`` and ``ate_pairing``
  functions to ``EllipticCurvePoint_finite_field`` class

"""

#*****************************************************************************
#       Copyright (C) 2005 William Stein <wstein@gmail.com>
#
#  Distributed under the terms of the GNU General Public License (GPL)
#  as published by the Free Software Foundation; either version 2 of
#  the License, or (at your option) any later version.
#                  http://www.gnu.org/licenses/
#*****************************************************************************
from __future__ import print_function, division, absolute_import

import math

import sage.plot.all as plot

from sage.rings.padics.factory import Qp
from sage.rings.padics.precision_error import PrecisionError

import sage.rings.all as rings
from sage.rings.real_mpfr import is_RealField
from sage.rings.integer import Integer
from sage.rings.integer_ring import ZZ
from sage.groups.additive_abelian.additive_abelian_wrapper import AdditiveAbelianGroupWrapper
import sage.groups.generic as generic
from sage.libs.pari import pari
from cypari2.pari_instance import prec_words_to_bits
from sage.structure.sequence import Sequence
from sage.structure.richcmp import richcmp

from sage.schemes.curves.projective_curve import Hasse_bounds
from sage.schemes.projective.projective_point import (SchemeMorphism_point_projective_ring,
                                                      SchemeMorphism_point_abelian_variety_field)
from sage.schemes.generic.morphism import is_SchemeMorphism

from .constructor import EllipticCurve
from sage.misc.superseded import deprecated_function_alias

oo = rings.infinity  # infinity
 

class EllipticCurvePoint(SchemeMorphism_point_projective_ring):
    """
    A point on an elliptic curve.
    """
    pass
 

class EllipticCurvePoint_field(SchemeMorphism_point_abelian_variety_field):
    """
    A point on an elliptic curve over a field. The point has coordinates
    in the base field.

    EXAMPLES::

        sage: E = EllipticCurve('37a')
        sage: E([0,0])
        (0 : 0 : 1)
        sage: E(0,0)               # brackets are optional
        (0 : 0 : 1)
        sage: E([GF(5)(0), 0])     # entries are coerced
        (0 : 0 : 1)

        sage: E(0.000, 0)
        (0 : 0 : 1)

        sage: E(1,0,0)
        Traceback (most recent call last):
        ...
        TypeError: Coordinates [1, 0, 0] do not define a point on
        Elliptic Curve defined by y^2 + y = x^3 - x over Rational Field

    ::

        sage: E = EllipticCurve([0,0,1,-1,0])
        sage: S = E(QQ); S
        Abelian group of points on Elliptic Curve defined by y^2 + y = x^3 - x over Rational Field

        sage: K.<i>=NumberField(x^2+1)
        sage: E=EllipticCurve(K,[0,1,0,-160,308])
        sage: P=E(26,-120)
        sage: Q=E(2+12*i,-36+48*i)
        sage: P.order() == Q.order() == 4  # long time (3s)
        True
        sage: 2*P==2*Q
        False

    ::

        sage: K.<t>=FractionField(PolynomialRing(QQ,'t'))
        sage: E=EllipticCurve([0,0,0,0,t^2])
        sage: P=E(0,t)
        sage: P,2*P,3*P
        ((0 : t : 1), (0 : -t : 1), (0 : 1 : 0))


    TESTS::

        sage: loads(S.dumps()) == S
        True
        sage: E = EllipticCurve('37a')
        sage: P = E(0,0); P
        (0 : 0 : 1)
        sage: loads(P.dumps()) == P
        True
        sage: T = 100*P
        sage: loads(T.dumps()) == T
        True

    Test pickling an elliptic curve that has known points on it::

        sage: e = EllipticCurve([0, 0, 1, -1, 0]); g = e.gens(); loads(dumps(e)) == e
        True

    Test that the refactoring from :trac:`14711` did preserve the behaviour
    of domain and codomain::


        sage: E=EllipticCurve(QQ,[1,1])
        sage: P=E(0,1)
        sage: P.domain()
        Spectrum of Rational Field
        sage: K.<a>=NumberField(x^2-3,'a')
        sage: P=E.base_extend(K)(1,a)
        sage: P.domain()
        Spectrum of Number Field in a with defining polynomial x^2 - 3
        sage: P.codomain()
        Elliptic Curve defined by y^2 = x^3 + x + 1 over Number Field in a with defining polynomial x^2 - 3
        sage: P.codomain() == P.curve()
        True
    """

    def __init__(self, curve, v, check=True):
        """
        Constructor for a point on an elliptic curve.

        INPUT:

        - curve -- an elliptic curve
        - v -- data determining a point (another point, the integer
          0, or a tuple of coordinates)

        EXAMPLES::

            sage: E = EllipticCurve('43a')
            sage: P = E([2, -4, 2]); P
            (1 : -2 : 1)
            sage: P == E([1,-2])
            True
            sage: P = E(0); P
            (0 : 1 : 0)
            sage: P=E(2, -4, 2); P
            (1 : -2 : 1)
        """
        point_homset = curve.point_homset()
        if is_SchemeMorphism(v) or isinstance(v, EllipticCurvePoint_field):
            v = list(v)
        elif v == 0:
            # some of the code assumes that E(0) has integral entries
            # regardless of the base ring...
            #R = self.base_ring()
            #v = (R.zero(),R.one(),R.zero())
            v = (0, 1, 0)
        if check:
            # mostly from SchemeMorphism_point_projective_field
            d = point_homset.codomain().ambient_space().ngens()
            if not isinstance(v, (list, tuple)):
                raise TypeError("Argument v (= %s) must be a scheme point, list, or tuple." % str(v))
            if len(v) != d and len(v) != d-1:
                raise TypeError("v (=%s) must have %s components" % (v, d))
            v = Sequence(v, point_homset.value_ring())
            if len(v) == d-1:     # very common special case
                v.append(v.universe()(1))

            n = len(v)
            all_zero = True
            for i in range(n):
                c = v[n-1-i]
                if c:
                    all_zero = False
                    if c == 1:
                        break
                    for j in range(n-i):
                        v[j] /= c
                    break
            if all_zero:
                raise ValueError("%s does not define a valid point "
                                 "since all entries are 0" % repr(v))

            x, y, z = v
            if z == 0:
                test = x
            else:
                a1, a2, a3, a4, a6 = curve.ainvs()
                test = y**2 + (a1*x+a3)*y - (((x+a2)*x+a4)*x+a6)
            if not test == 0:
                raise TypeError("Coordinates %s do not define a point on %s" % (list(v), curve))

        SchemeMorphism_point_abelian_variety_field.__init__(self, point_homset, v, check=False)
        #AdditiveGroupElement.__init__(self, point_homset)

    def _repr_(self):
        """
        Return a string representation of this point.

        EXAMPLES::

            sage: E = EllipticCurve('39a')
            sage: P = E([-2, 1, 1])
            sage: P._repr_()
            '(-2 : 1 : 1)'
        """
        return self.codomain().ambient_space()._repr_generic_point(self._coords)

    def _latex_(self):
        """
        Return a LaTeX representation of this point.

        EXAMPLES::

            sage: E = EllipticCurve('40a')
            sage: P = E([3, 0])
            sage: P._latex_()
            '\\left(3 : 0 : 1\\right)'
        """
        return self.codomain().ambient_space()._latex_generic_point(self._coords)

    def __getitem__(self, n):
        """
        Return the n'th coordinate of this point.

        EXAMPLES::

            sage: E = EllipticCurve('42a')
            sage: P = E([-17, -51, 17])
            sage: [P[i] for i in [2,1,0]]
            [1, -3, -1]
        """
        return self._coords[n]

    def __iter__(self):
        """
        Return the coordinates of this point as a list.

        EXAMPLES::

            sage: E = EllipticCurve('37a')
            sage: list(E([0,0]))
            [0, 0, 1]
        """
        return iter(self._coords)

    def __tuple__(self):
        """
        Return the coordinates of this point as a tuple.

        EXAMPLES::

            sage: E = EllipticCurve('44a')
            sage: P = E([1, -2, 1])
            sage: P.__tuple__()
            (1, -2, 1)
        """
        return tuple(self._coords)  # Warning: _coords is a list!

    def _richcmp_(self, other, op):
        """
        Comparison function for points to allow sorting and equality testing.

        EXAMPLES::

            sage: E = EllipticCurve('45a')
            sage: P = E([2, -1, 1])
            sage: P == E(0)
            False
            sage: P+P == E(0)
            True
        """
        if not isinstance(other, EllipticCurvePoint_field):
            try:
                other = self.codomain().ambient_space()(other)
            except TypeError:
                return NotImplemented
        return richcmp(self._coords, other._coords, op)

    def __pari__(self):
        r"""
        Converts this point to PARI format.

        EXAMPLES::

            sage: E = EllipticCurve([0,0,0,3,0])
            sage: O = E(0)
            sage: P = E.point([1,2])
            sage: O.__pari__()
            [0]
            sage: P.__pari__()
            [1, 2]

        The following implicitly calls O.__pari__() and P.__pari__()::

            sage: pari(E).elladd(O,P)
            [1, 2]

        TESTS::

        Try the same over a finite field::

            sage: E = EllipticCurve(GF(11), [0,0,0,3,0])
            sage: O = E(0)
            sage: P = E.point([1,2])
            sage: O.__pari__()
            [0]
            sage: P.__pari__()
            [Mod(1, 11), Mod(2, 11)]

        We no longer need to explicitly call ``pari(O)`` and ``pari(P)``
        after :trac:`11868`::

            sage: pari(E).elladd(O, P)
            [Mod(1, 11), Mod(2, 11)]
        """
        if self[2]:
            return pari([self[0]/self[2], self[1]/self[2]])
        else:
            return pari([0])

    def scheme(self):
        """
        Return the scheme of this point, i.e., the curve it is on.
        This is synonymous with :meth:`curve` which is perhaps more
        intuitive.

        EXAMPLES::

            sage: E=EllipticCurve(QQ,[1,1])
            sage: P=E(0,1)
            sage: P.scheme()
            Elliptic Curve defined by y^2 = x^3 + x + 1 over Rational Field
            sage: P.scheme() == P.curve()
            True
            sage: K.<a>=NumberField(x^2-3,'a')
            sage: P=E.base_extend(K)(1,a)
            sage: P.scheme()
            Elliptic Curve defined by y^2 = x^3 + x + 1 over Number Field in a with defining polynomial x^2 - 3
        """
        #The following text is just not true: it applies to the class
        #EllipticCurvePoint, which appears to be never used, but does
        #not apply to EllipticCurvePoint_field which is simply derived
        #from AdditiveGroupElement.
        #
        #"Technically, points on curves in Sage are scheme maps from
        # the domain Spec(F) where F is the base field of the curve to
        # the codomain which is the curve. See also domain() and
        # codomain()."

        return self.codomain()

def order(self): 

r""" 

Return the order of this point on the elliptic curve. 

 

If the point is zero, returns 1, otherwise raise a 

NotImplementedError. 

 

For curves over number fields and finite fields, see below. 

 

.. NOTE:: 

 

:meth:`additive_order` is a synonym for :meth:`order` 

 

EXAMPLES:: 

 

sage: K.<t>=FractionField(PolynomialRing(QQ,'t')) 

sage: E=EllipticCurve([0,0,0,-t^2,0]) 

sage: P=E(t,0) 

sage: P.order() 

Traceback (most recent call last): 

... 

NotImplementedError: Computation of order of a point not implemented over general fields. 

sage: E(0).additive_order() 

1 

sage: E(0).order() == 1 

True 

""" 

if self.is_zero(): 

return Integer(1) 

raise NotImplementedError("Computation of order of a point " 

"not implemented over general fields.") 

 

additive_order = order 

 

def curve(self): 

""" 

Return the curve that this point is on. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: P = E([-1,1]) 

sage: P.curve() 

Elliptic Curve defined by y^2 + y = x^3 + x^2 - 2*x over Rational Field 

""" 

return self.scheme() 

 

def __bool__(self): 

""" 

Return ``True`` if this is not the zero point on the curve. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('37a') 

sage: P = E(0); P 

(0 : 1 : 0) 

sage: P.is_zero() 

True 

sage: P = E.gens()[0] 

sage: P.is_zero() 

False 

""" 

return bool(self[2]) 

 

__nonzero__ = __bool__ 

 

def has_finite_order(self): 

""" 

Return ``True`` if this point has finite additive order as an 

element of the group of points on this curve. 

 

For fields other than number fields and finite fields, this is 

NotImplemented unless self.is_zero(). 

 

EXAMPLES:: 

 

sage: K.<t>=FractionField(PolynomialRing(QQ,'t')) 

sage: E=EllipticCurve([0,0,0,-t^2,0]) 

sage: P = E(0) 

sage: P.has_finite_order() 

True 

sage: P=E(t,0) 

sage: P.has_finite_order() 

Traceback (most recent call last): 

... 

NotImplementedError: Computation of order of a point not implemented over general fields. 

sage: (2*P).is_zero() 

True 

""" 

if self.is_zero(): 

return True 

return self.order() != oo 

 

is_finite_order = has_finite_order # for backward compatibility 

 

def has_infinite_order(self): 

""" 

Return True if this point has infinite additive order as an element 

of the group of points on this curve. 

 

For fields other than number fields and finite fields, this is 

NotImplemented unless self.is_zero(). 

 

EXAMPLES:: 

 

sage: K.<t>=FractionField(PolynomialRing(QQ,'t')) 

sage: E=EllipticCurve([0,0,0,-t^2,0]) 

sage: P = E(0) 

sage: P.has_infinite_order() 

False 

sage: P=E(t,0) 

sage: P.has_infinite_order() 

Traceback (most recent call last): 

... 

NotImplementedError: Computation of order of a point not implemented over general fields. 

sage: (2*P).is_zero() 

True 

""" 

if self.is_zero(): 

return False 

return self.order() == oo 

 

def plot(self, **args): 

""" 

Plot this point on an elliptic curve. 

 

INPUT: 

 

- ``**args`` -- all arguments get passed directly onto the point 

plotting function. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: P = E([-1,1]) 

sage: P.plot(pointsize=30, rgbcolor=(1,0,0)) 

Graphics object consisting of 1 graphics primitive 

""" 

if self.is_zero(): 

return plot.text("$\\infty$", (-3, 3), **args) 

 

else: 

return plot.point((self[0], self[1]), **args) 

 

def _add_(self, right): 

""" 

Add self to right. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: P = E([-1,1]); Q = E([0,0]) 

sage: P + Q 

(1 : 0 : 1) 

sage: P._add_(Q) == P + Q 

True 

 

Example to show that bug :trac:`4820` is fixed:: 

 

sage: [type(c) for c in 2*EllipticCurve('37a1').gen(0)] 

[<... 'sage.rings.rational.Rational'>, 

<... 'sage.rings.rational.Rational'>, 

<... 'sage.rings.rational.Rational'>] 

 

Checks that :trac:`15964` is fixed:: 

 

sage: N = 1715761513 

sage: E = EllipticCurve(Integers(N),[3,-13]) 

sage: P = E(2,1) 

sage: LCM([2..60])*P 

Traceback (most recent call last): 

... 

ZeroDivisionError: Inverse of 1520944668 does not exist 

(characteristic = 1715761513 = 26927*63719) 

 

sage: N = 35 

sage: E = EllipticCurve(Integers(N),[5,1]) 

sage: P = E(0,1) 

sage: LCM([2..6])*P 

Traceback (most recent call last): 

... 

ZeroDivisionError: Inverse of 28 does not exist 

(characteristic = 35 = 7*5) 

""" 

    # Use Prop 7.1.7 of Cohen "A Course in Computational Algebraic
    # Number Theory"
    if self.is_zero():
        return right
    if right.is_zero():
        return self
    E = self.curve()
    a1, a2, a3, a4, a6 = E.ainvs()
    x1, y1 = self[0], self[1]
    x2, y2 = right[0], right[1]
    if x1 == x2 and y1 == -y2 - a1*x2 - a3:
        return E(0)  # point at infinity

    if x1 == x2 and y1 == y2:
        try:
            m = (3*x1*x1 + 2*a2*x1 + a4 - a1*y1) / (2*y1 + a1*x1 + a3)
        except ZeroDivisionError:
            R = E.base_ring()
            if R.is_finite():
                N = R.characteristic()
                N1 = N.gcd(Integer(2*y1 + a1*x1 + a3))
                N2 = N//N1
                raise ZeroDivisionError("Inverse of %s does not exist (characteristic = %s = %s*%s)" % (2*y1 + a1*x1 + a3, N, N1, N2))
            else:
                raise ZeroDivisionError("Inverse of %s does not exist" % (2*y1 + a1*x1 + a3))
    else:
        try:
            m = (y1-y2)/(x1-x2)
        except ZeroDivisionError:
            R = E.base_ring()
            if R.is_finite():
                N = R.characteristic()
                N1 = N.gcd(Integer(x1-x2))
                N2 = N//N1
                raise ZeroDivisionError("Inverse of %s does not exist (characteristic = %s = %s*%s)" % (x1-x2, N, N1, N2))
            else:
                raise ZeroDivisionError("Inverse of %s does not exist" % (x1-x2))

    x3 = -x1 - x2 - a2 + m*(m+a1)
    y3 = -y1 - a3 - a1*x3 + m*(x1-x3)
    # See trac #4820 for why we need to coerce 1 into the base ring here:
    return E.point([x3, y3, E.base_ring()(1)], check=False)

 

def _sub_(self, right): 

""" 

Subtract right from self. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: P = E([-1,1]); Q = E([0,0]) 

sage: P - Q 

(4 : 8 : 1) 

sage: P - Q == P._sub_(Q) 

True 

sage: (P - Q) + Q 

(-1 : 1 : 1) 

sage: P 

(-1 : 1 : 1) 

""" 

return self + (-right) 

 

def __neg__(self): 

""" 

Return the additive inverse of this point. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: P = E([-1,1]) 

sage: Q = -P; Q 

(-1 : -2 : 1) 

sage: Q + P 

(0 : 1 : 0) 

 

Example to show that bug :trac:`4820` is fixed:: 

 

sage: [type(c) for c in -EllipticCurve('37a1').gen(0)] 

[<... 'sage.rings.rational.Rational'>, 

<... 'sage.rings.rational.Rational'>, 

<... 'sage.rings.rational.Rational'>] 

""" 

if self.is_zero(): 

return self 

E, x, y = self.curve(), self[0], self[1] 

# See trac #4820 for why we need to coerce 1 into the base ring here: 

return E.point([x, -y - E.a1()*x - E.a3(), E.base_ring()(1)], check=False) 

 

def xy(self): 

""" 

Return the `x` and `y` coordinates of this point, as a 2-tuple. 

If this is the point at infinity a ZeroDivisionError is raised. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: P = E([-1,1]) 

sage: P.xy() 

(-1, 1) 

sage: Q = E(0); Q 

(0 : 1 : 0) 

sage: Q.xy() 

Traceback (most recent call last): 

... 

ZeroDivisionError: rational division by zero 

""" 

if self[2] == 1: 

return self[0], self[1] 

else: 

return self[0]/self[2], self[1]/self[2] 

 

def is_divisible_by(self, m): 

""" 

Return True if there exists a point `Q` defined over the same 

field as self such that `mQ` == self. 

 

INPUT: 

 

- ``m`` -- a positive integer. 

 

OUTPUT: 

 

(bool) -- True if there is a solution, else False. 

 

.. WARNING:: 

 

This function usually triggers the computation of the 

`m`-th division polynomial of the associated elliptic 

curve, which will be expensive if `m` is large, though it 

will be cached for subsequent calls with the same `m`. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: Q = 5*E(0,0); Q 

(-2739/1444 : -77033/54872 : 1) 

sage: Q.is_divisible_by(4) 

False 

sage: Q.is_divisible_by(5) 

True 

 

A finite field example:: 

 

sage: E = EllipticCurve(GF(101),[23,34]) 

sage: E.cardinality().factor() 

2 * 53 

sage: Set([T.order() for T in E.points()]) 

{1, 106, 2, 53} 

sage: len([T for T in E.points() if T.is_divisible_by(2)]) 

53 

sage: len([T for T in E.points() if T.is_divisible_by(3)]) 

106 

 

TESTS: 

 

This shows that the bug reported at :trac:`10076` is fixed:: 

 

sage: K = QuadraticField(8,'a') 

sage: E = EllipticCurve([K(0),0,0,-1,0]) 

sage: P = E([-1,0]) 

sage: P.is_divisible_by(2) 

False 

sage: P.division_points(2) 

[] 

 

Note that it is not sufficient to test that 

``self.division_points(m,poly_only=True)`` has roots:: 

 

sage: P.division_points(2, poly_only=True).roots() 

[(1/2*a - 1, 1), (-1/2*a - 1, 1)] 

 

sage: tor = E.torsion_points(); len(tor) 

8 

sage: [T.order() for T in tor] 

[2, 4, 4, 2, 1, 2, 4, 4] 

sage: all([T.is_divisible_by(3) for T in tor]) 

True 

sage: Set([T for T in tor if T.is_divisible_by(2)]) 

{(0 : 1 : 0), (1 : 0 : 1)} 

sage: Set([2*T for T in tor]) 

{(0 : 1 : 0), (1 : 0 : 1)} 

""" 

    # Coerce the input m to an integer
    m = Integer(m)

    # Check for trivial cases of m = 1, -1 and 0.
    if m == 1 or m == -1:
        return True
    if m == 0:
        return self == 0  # then m*self=self for all m!
    m = m.abs()

    # Now the following line would of course be correct, but we
    # work harder to be more efficient:
    # return len(self.division_points(m)) > 0

    P = self

    # If P has finite order n and gcd(m,n)=1 then the result is
    # True. However, over general fields computing P.order() is
    # not implemented.

    try:
        n = P.order()
        if not n == oo:
            if m.gcd(n) == 1:
                return True
    except NotImplementedError:
        pass

    P_is_2_torsion = (P == -P)
    g = P.division_points(m, poly_only=True)

    if not P_is_2_torsion:
        # In this case deg(g)=m^2, and each root in K lifts to two
        # points Q,-Q both in E(K), of which exactly one is a
        # solution. So we just check the existence of roots:
        return len(g.roots()) > 0

    # Now 2*P==0

    if m % 2 == 1:
        return True  # P itself is a solution when m is odd

    # Now m is even and 2*P=0. Roots of g in K may or may not
    # lift to solutions in E(K), so we fall back to the default.
    # Note that division polynomials are cached so this is not
    # inefficient:

    return len(self.division_points(m)) > 0

 

def division_points(self, m, poly_only=False): 

r""" 

Return a list of all points `Q` such that `mQ=P` where `P` = self. 

 

Only points on the elliptic curve containing self and defined 

over the base field are included. 

 

INPUT: 

 

- ``m`` -- a positive integer 

 

- ``poly_only`` -- bool (default: False); if True return 

polynomial whose roots give all possible `x`-coordinates of 

`m`-th roots of self. 

 

OUTPUT: 

 

(list) -- a (possibly empty) list of solutions `Q` to `mQ=P`, 

where `P` = self. 

 

EXAMPLES: 

 

We find the five 5-torsion points on an elliptic curve:: 

 

sage: E = EllipticCurve('11a'); E 

Elliptic Curve defined by y^2 + y = x^3 - x^2 - 10*x - 20 over Rational Field 

sage: P = E(0); P 

(0 : 1 : 0) 

sage: P.division_points(5) 

[(0 : 1 : 0), (5 : -6 : 1), (5 : 5 : 1), (16 : -61 : 1), (16 : 60 : 1)] 

 

Note above that 0 is included since [5]*0 = 0. 

 

We create a curve of rank 1 with no torsion and do a consistency check:: 

 

sage: E = EllipticCurve('11a').quadratic_twist(-7) 

sage: Q = E([44,-270]) 

sage: (4*Q).division_points(4) 

[(44 : -270 : 1)] 

 

We create a curve over a non-prime finite field with group of 

order `18`:: 

 

sage: k.<a> = GF(25) 

sage: E = EllipticCurve(k, [1,2+a,3,4*a,2]) 

sage: P = E([3,3*a+4]) 

sage: factor(E.order()) 

2 * 3^2 

sage: P.order() 

9 

 

We find the `1`-division points as a consistency check -- there 

is just one, of course:: 

 

sage: P.division_points(1) 

[(3 : 3*a + 4 : 1)] 

 

The point `P` has order coprime to 2 but divisible by 3, so:: 

 

sage: P.division_points(2) 

[(2*a + 1 : 3*a + 4 : 1), (3*a + 1 : a : 1)] 

 

We check that each of the 2-division points works as claimed:: 

 

sage: [2*Q for Q in P.division_points(2)] 

[(3 : 3*a + 4 : 1), (3 : 3*a + 4 : 1)] 

 

Some other checks:: 

 

sage: P.division_points(3) 

[] 

sage: P.division_points(4) 

[(0 : 3*a + 2 : 1), (1 : 0 : 1)] 

sage: P.division_points(5) 

[(1 : 1 : 1)] 

 

An example over a number field (see :trac:`3383`):: 

 

sage: E = EllipticCurve('19a1') 

sage: K.<t> = NumberField(x^9-3*x^8-4*x^7+16*x^6-3*x^5-21*x^4+5*x^3+7*x^2-7*x+1) 

sage: EK = E.base_extend(K) 

sage: E(0).division_points(3) 

[(0 : 1 : 0), (5 : -10 : 1), (5 : 9 : 1)] 

sage: EK(0).division_points(3) 

[(0 : 1 : 0), (5 : 9 : 1), (5 : -10 : 1)] 

sage: E(0).division_points(9) 

[(0 : 1 : 0), (5 : -10 : 1), (5 : 9 : 1)] 

sage: EK(0).division_points(9) 

[(0 : 1 : 0), (5 : 9 : 1), (5 : -10 : 1), (-150/121*t^8 + 414/121*t^7 + 1481/242*t^6 - 2382/121*t^5 - 103/242*t^4 + 629/22*t^3 - 367/242*t^2 - 1307/121*t + 625/121 : 35/484*t^8 - 133/242*t^7 + 445/242*t^6 - 799/242*t^5 + 373/484*t^4 + 113/22*t^3 - 2355/484*t^2 - 753/242*t + 1165/484 : 1), (-150/121*t^8 + 414/121*t^7 + 1481/242*t^6 - 2382/121*t^5 - 103/242*t^4 + 629/22*t^3 - 367/242*t^2 - 1307/121*t + 625/121 : -35/484*t^8 + 133/242*t^7 - 445/242*t^6 + 799/242*t^5 - 373/484*t^4 - 113/22*t^3 + 2355/484*t^2 + 753/242*t - 1649/484 : 1), (-1383/484*t^8 + 970/121*t^7 + 3159/242*t^6 - 5211/121*t^5 + 37/484*t^4 + 654/11*t^3 - 909/484*t^2 - 4831/242*t + 6791/484 : 927/121*t^8 - 5209/242*t^7 - 8187/242*t^6 + 27975/242*t^5 - 1147/242*t^4 - 1729/11*t^3 + 1566/121*t^2 + 12873/242*t - 10871/242 : 1), (-1383/484*t^8 + 970/121*t^7 + 3159/242*t^6 - 5211/121*t^5 + 37/484*t^4 + 654/11*t^3 - 909/484*t^2 - 4831/242*t + 6791/484 : -927/121*t^8 + 5209/242*t^7 + 8187/242*t^6 - 27975/242*t^5 + 1147/242*t^4 + 1729/11*t^3 - 1566/121*t^2 - 12873/242*t + 10629/242 : 1), (-4793/484*t^8 + 6791/242*t^7 + 10727/242*t^6 - 18301/121*t^5 + 2347/484*t^4 + 2293/11*t^3 - 7311/484*t^2 - 17239/242*t + 26767/484 : 30847/484*t^8 - 21789/121*t^7 - 34605/121*t^6 + 117164/121*t^5 - 10633/484*t^4 - 29437/22*t^3 + 39725/484*t^2 + 55428/121*t - 176909/484 : 1), (-4793/484*t^8 + 6791/242*t^7 + 10727/242*t^6 - 18301/121*t^5 + 2347/484*t^4 + 2293/11*t^3 - 7311/484*t^2 - 17239/242*t + 26767/484 : -30847/484*t^8 + 21789/121*t^7 + 34605/121*t^6 - 117164/121*t^5 + 10633/484*t^4 + 29437/22*t^3 - 39725/484*t^2 - 55428/121*t + 176425/484 : 1)] 

 

TESTS: 

 

Check that :trac:`24844` is fixed:: 

 

sage: p = next_prime(1000000) 

sage: E = EllipticCurve(GF(p), 123, 456) 

sage: pts = E(0).division_points(3) 

sage: P = pts[1]; P 

(389063 : 124244 : 1) 

sage: P._order 

3 

 

When we successfully divide a point known to have infinite

order, the points returned know that they also have infinite 

order:: 

 

sage: E = EllipticCurve([0,0,1,-1,0]) 

sage: P = E(-1,0) 

sage: P.order() 

+Infinity 

sage: pts = P.division_points(3); len(pts) 

1 

sage: [(Q,Q._order) for Q in pts] 

[((0 : -1 : 1), +Infinity)] 

 

When we successfully divide a point of known finite order `n`,

the points returned know that they also have finite order `nk` 

for some divisor `k` of `m`:: 

 

sage: E = EllipticCurve([1, 0, 1, -19, 26]) 

sage: [(Q,Q._order) for Q in E(0).division_points(12)] 

[((-5 : 2 : 1), 2), 

((-2 : -7 : 1), 6), 

((-2 : 8 : 1), 6), 

((0 : 1 : 0), 1), 

((1 : -4 : 1), 6), 

((1 : 2 : 1), 6), 

((7/4 : -11/8 : 1), 2), 

((3 : -2 : 1), 2), 

((4 : -7 : 1), 3), 

((4 : 2 : 1), 3), 

((13 : -52 : 1), 6), 

((13 : 38 : 1), 6)] 

sage: P = E(4,-7) 

sage: P.order() 

3 

sage: [(Q,Q._order) for Q in P.division_points(4)] 

[((-2 : -7 : 1), 6), ((1 : 2 : 1), 6), ((4 : -7 : 1), 3), ((13 : 38 : 1), 6)] 

""" 

    # Coerce the input m to an integer
    m = Integer(m)
    # Check for trivial cases of m = 1, -1 and 0.
    if m == 1 or m == -1:
        return [self]
    if m == 0:
        if self == 0:  # then every point Q is a solution, but...
            return [self]
        else:
            return []

    # ans will contain the list of division points.
    ans = []

    # We compute a polynomial g whose roots give all possible x
    # coordinates of the m-division points. The number of
    # solutions (over the algebraic closure) is m^2, assuming that
    # the characteristic does not divide m.

    E = self.curve()
    P = self
    nP = -P
    P_is_2_torsion = (P == nP)

    # If self is the 0, then self is a solution, and the correct
    # poly is the m'th division polynomial
    if P == 0:
        ans.append(P)
        g = E.division_polynomial(m)
    else:
        # The poly g here is 0 at x(Q) iff x(m*Q) = x(P).
        g = E._multiple_x_numerator(m) - P[0]*E._multiple_x_denominator(m)

        # When 2*P=0, then -Q is a solution iff Q is. For even m,
        # no 2-torsion point is a solution, so that g is the
        # square of a polynomial g1 of degree m^2/2, and each root
        # of g1 leads to a pair of solutions Q, -Q to m*Q=P. For
        # odd m, P itself is the only 2-torsion solution, so g has
        # the form (x-x(P))*g1(x)^2 where g1 has degree (m^2-1)/2
        # and each root of g1 leads to a pair Q, -Q.

        if P_is_2_torsion:
            if m % 2 == 0:
                # This computes g.sqrt() which is not implemented
                g = g.gcd(g.derivative())*g.leading_coefficient().sqrt()

            # When 2*P!=0, then for each solution Q to m*Q=P, -Q is
            # not a solution (and points of order 2 are not
            # solutions). Hence the roots of g are distinct and each
            # gives rise to precisely one solution Q.

            else:
                g0 = g.variables()[0] - P[0]
                g = g // g0
                g = g.gcd(g.derivative())*g.leading_coefficient().sqrt()
                g = g0*g

    if poly_only:
        return g

    for x in g.roots(multiplicities=False):
        if E.is_x_coord(x):
            # Make a point on the curve with this x coordinate.
            Q = E.lift_x(x)
            nQ = -Q
            mQ = m*Q
            # if P==-P then Q works iff -Q works, so we include
            # both unless they are equal:
            if P_is_2_torsion:
                if mQ == P:
                    ans.append(Q)
                    if nQ != Q:
                        ans.append(nQ)
            else:
                # P is not 2-torsion so at most one of Q, -Q works
                # and we must try both:
                if mQ == P:
                    ans.append(Q)
                elif mQ == nP:
                    ans.append(nQ)

    if not ans:
        return ans

    # set orders of points found when self's order is known:
    if self.is_zero():
        self._order = Integer(1)
    try:
        n = self._order  # do not compute, just use if already known
        if n == oo:
            for Q in ans:
                Q._order = oo
        else:
            mfac = m.factor()
            for Q in ans:
                R = n*Q
                Q._order = n*generic.order_from_multiple(R, m, factorization=mfac, operation='+')
    except AttributeError:  # do nothing about order if self's order unknown
        pass

    # Finally, sort and return
    ans.sort()
    return ans

 

def _divide_out(self, p): 

r""" 

Return `(Q,k)` where `p^kQ` == self and `Q` cannot be divided by `p`. 

 

.. WARNING:: 

 

It is up to the caller to make sure that this does not loop 

endlessly. It is used in 

``EllipticCurve_generic._p_primary_torsion_basis()``, when 

self will always have (finite) order which is a power of `p`, 

so that the order of `Q` increases by a factor of `p` at each 

stage. 

 

Since it will clearly be in danger of looping when 

self.is_zero(), this case is caught, but otherwise caveat 

user. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('37a1') 

sage: P = E([0, 0]) 

sage: R = 12*P 

sage: R._divide_out(2) 

((-1 : -1 : 1), 2) 

sage: R._divide_out(3) 

((2 : -3 : 1), 1) 

sage: R._divide_out(5) 

((1357/841 : 28888/24389 : 1), 0) 

sage: R._divide_out(12) 

Traceback (most recent call last): 

... 

ValueError: p (=12) should be prime. 

""" 

    p = Integer(p)
    if not p.is_prime():
        raise ValueError("p (=%s) should be prime." % p)

    if self.is_zero():
        raise ValueError("self must not be 0.")

    k = 0
    Q = self
    pts = Q.division_points(p)
    while len(pts) > 0:
        Q = pts[0]
        k += 1
        pts = Q.division_points(p)
    return (Q, k)

 

def set_order(self, value): 

r""" 

Set the value of self._order to value. 

 

Use this when you know a priori the order of this point to avoid a 

potentially expensive order calculation. 

 

INPUT: 

 

- ``value`` - positive Integer 

 

OUTPUT: 

 

``None`` 

 

EXAMPLES: 

 

This example illustrates basic usage. 

 

:: 

 

sage: E = EllipticCurve(GF(7), [0, 1]) # This curve has order 6 

sage: G = E(5, 0) 

sage: G.set_order(2) 

sage: 2*G 

(0 : 1 : 0) 

 

We now give a more interesting case, the NIST-P521 curve. Its 

order is too big to calculate with SAGE, and takes a long time 

using other packages, so it is very useful here. 

 

:: 

 

sage: p = 2^521 - 1 

sage: prev_proof_state = proof.arithmetic() 

sage: proof.arithmetic(False) # turn off primality checking 

sage: F = GF(p) 

sage: A = p - 3 

sage: B = 1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984 

sage: q = 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449 

sage: E = EllipticCurve([F(A), F(B)]) 

sage: G = E.random_point() 

sage: G.set_order(q) 

sage: G.order() * G # This takes practically no time. 

(0 : 1 : 0) 

sage: proof.arithmetic(prev_proof_state) # restore state 

 

It is an error to pass a `value` equal to `0`:: 

 

sage: E = EllipticCurve(GF(7), [0, 1]) # This curve has order 6 

sage: G = E.random_point() 

sage: G.set_order(0) 

Traceback (most recent call last): 

... 

ValueError: Value 0 illegal for point order 

sage: G.set_order(1000) 

Traceback (most recent call last): 

... 

ValueError: Value 1000 illegal: outside max Hasse bound 

 

It is also very likely an error to pass a value which is not the actual 

order of this point. How unlikely is determined by the factorization of 

the actual order, and the actual group structure:: 

 

sage: E = EllipticCurve(GF(7), [0, 1]) # This curve has order 6 

sage: G = E(5, 0) # G has order 2 

sage: G.set_order(11) 

Traceback (most recent call last): 

... 

ValueError: Value 11 illegal: 11 * (5 : 0 : 1) is not the identity 

 

However, set_order can be fooled, though it's not likely in "real cases 

of interest". For instance, the order can be set to a multiple of the

actual order:: 

 

sage: E = EllipticCurve(GF(7), [0, 1]) # This curve has order 6 

sage: G = E(5, 0) # G has order 2 

sage: G.set_order(8) 

sage: G.order() 

8 

 

NOTES: 

 

The implementation is based on the fact that orders of elliptic curve

points are cached in the (pseudo-private) _order slot. 

 

AUTHORS: 

 

- Mariah Lenox (2011-02-16) 

""" 

    E = self.curve()
    q = E.base_ring().order()
    O = E(0)
    if value == 0:
        raise ValueError('Value 0 illegal for point order')
    if value == 1:
        if self == O:
            self._order = 1
            return
        else:
            raise ValueError('Value 1 illegal order for non-identity')
    low, hi = Hasse_bounds(q)
    if value > hi:
        raise ValueError('Value %s illegal: outside max Hasse bound' % value)
    if value * self != O:
        raise ValueError('Value %s illegal: %s * %s is not the identity' % (value, value, self))
    if (value - 1) * self == O:
        raise ValueError('Value %s illegal: %s * %s is the identity' % (value, value-1, self))
    self._order = value

 

############################## end ################################ 
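Added example (not part of the Sage source): a pure-Python model of the acceptance tests in `set_order` above, run on the docstring's toy curve y^2 = x^3 + 1 over GF(7), showing why a multiple of the true order is accepted and how also testing `(value/r)*P` for every prime `r` dividing `value` rejects it. The names `ec_add`, `ec_mul`, `prime_factors`, `page_check` and `strict_check` are hypothetical helpers, and the trial-division factoring is an assumption that only suits small values.

```python
from math import isqrt

# Toy parameters from the set_order docstring: y^2 = x^3 + 1 over GF(7).
P_MOD, A = 7, 0
O = None  # point at infinity


def ec_add(P, Q, a=A, p=P_MOD):
    """Affine addition on y^2 = x^3 + a*x + b over GF(p), p an odd prime.

    Points are (x, y) tuples with coordinates already reduced mod p.
    """
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # P + (-P); this also covers doubling a 2-torsion point
    if P == Q:
        m = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        m = (y1 - y2) * pow((x1 - x2) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)


def ec_mul(k, P):
    """Double-and-add scalar multiple k*P for k >= 0."""
    R, addend = O, P
    while k > 0:
        if k & 1:
            R = ec_add(R, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return R


def prime_factors(n):
    """Distinct prime divisors of n by trial division (small n only)."""
    found, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            found.add(d)
            n //= d
        d += 1
    if n > 1:
        found.add(n)
    return found


def page_check(value, P, q=P_MOD):
    """Model of the tests in set_order: True means the value is accepted."""
    if value <= 0:  # the page rejects 0; INPUT is documented as positive
        return False
    if value == 1:
        return P is O
    if value > q + 1 + isqrt(4 * q):  # upper Hasse bound
        return False
    if ec_mul(value, P) is not O:  # value*P must be the identity
        return False
    if ec_mul(value - 1, P) is O:  # (value-1)*P must not be the identity
        return False
    return True


def strict_check(value, P, q=P_MOD):
    """Accept only the exact order.

    value is the order of P iff value*P = O and (value/r)*P != O for
    every prime r dividing value.
    """
    if not page_check(value, P, q):
        return False
    return all(ec_mul(value // r, P) is not O for r in prime_factors(value))


G = (5, 0)  # the docstring's point of order 2
T = (0, 1)  # constructed sample: a point of order 3 on the same curve

if __name__ == "__main__":
    for value in (2, 8, 11, 1000):
        print(value, page_check(value, G), strict_check(value, G))
```

For a prime `value`, as with the NIST P-521 subgroup order `q` in the docstring, the only prime divisor is `value` itself, so the strict test reduces to confirming that the point is not the identity.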

 

def _line_(self, R, Q): 

r""" 

Computes the value at `Q` of a straight line through points 

self and `R`. 

 

INPUT: 

 

- ``R, Q`` -- points on self.curve() with ``Q`` nonzero. 

 

OUTPUT: 

 

An element of the base field self.curve().base_field(). 

A ValueError is raised if ``Q`` is zero. 

 

EXAMPLES:: 

 

sage: F.<a>=GF(2^5) 

sage: E=EllipticCurve(F,[0,0,1,1,1]) 

sage: P = E(a^4 + 1, a^3) 

sage: Q = E(a^4, a^4 + a^3) 

sage: O = E(0) 

sage: P._line_(P,-2*P) == 0 

True 

sage: P._line_(Q,-(P+Q)) == 0 

True 

sage: O._line_(O,Q) == F(1) 

True 

sage: P._line_(O,Q) == a^4 - a^4 + 1 

True 

sage: P._line_(13*P,Q) == a^4 

True 

sage: P._line_(P,Q) == a^4 + a^3 + a^2 + 1 

True 

 

See :trac:`7116`:: 

 

sage: P._line_ (Q,O) 

Traceback (most recent call last): 

... 

ValueError: Q must be nonzero. 

 

.. NOTE:: 

 

This function is used in _miller_ algorithm. 

 

AUTHOR: 

 

- David Hansen (2009-01-25) 

""" 

    if Q.is_zero():
        raise ValueError("Q must be nonzero.")

    if self.is_zero() or R.is_zero():
        if self == R:
            return self.curve().base_field().one()
        if self.is_zero():
            return Q[0] - R[0]
        if R.is_zero():
            return Q[0] - self[0]
    elif self != R:
        if self[0] == R[0]:
            return Q[0] - self[0]
        else:
            l = (R[1] - self[1])/(R[0] - self[0])
            return Q[1] - self[1] - l * (Q[0] - self[0])
    else:
        a1, a2, a3, a4, a6 = self.curve().a_invariants()
        numerator = (3*self[0]**2 + 2*a2*self[0] + a4 - a1*self[1])
        denominator = (2*self[1] + a1*self[0] + a3)
        if denominator == 0:
            return Q[0] - self[0]
        else:
            l = numerator/denominator
            return Q[1] - self[1] - l * (Q[0] - self[0])

 

def _miller_(self, Q, n): 

r""" 

Return the value at `Q` of the rational function `f_{n,P}`, where the 

divisor of `f_{n,P}` is `n[P]-[nP]-(n-1)[O]`. 

 

INPUT: 

 

- ``Q`` -- a nonzero point on self.curve(). 

 

- ``n`` -- a nonzero integer. If `n<0` then return `Q`

evaluated at `1/(v_{nP}*f_{n,P})` (used in the ate pairing). 

 

OUTPUT: 

 

An element in the base field self.curve().base_field() 

A ValueError is raised if `Q` is zero. 

 

EXAMPLES:: 

 

sage: F.<a>=GF(2^5) 

sage: E=EllipticCurve(F,[0,0,1,1,1]) 

sage: P = E(a^4 + 1, a^3) 

sage: Fx.<b>=GF(2^(4*5)) 

sage: Ex=EllipticCurve(Fx,[0,0,1,1,1]) 

sage: phi=Hom(F,Fx)(F.gen().minpoly().roots(Fx)[0][0]) 

sage: Px=Ex(phi(P.xy()[0]),phi(P.xy()[1])) 

sage: Qx = Ex(b^19 + b^18 + b^16 + b^12 + b^10 + b^9 + b^8 + b^5 + b^3 + 1, b^18 + b^13 + b^10 + b^8 + b^5 + b^4 + b^3 + b) 

sage: Px._miller_(Qx,41) == b^17 + b^13 + b^12 + b^9 + b^8 + b^6 + b^4 + 1 

True 

sage: Qx._miller_(Px,41) == b^13 + b^10 + b^8 + b^7 + b^6 + b^5 

True 

sage: P._miller_(E(0),41) 

Traceback (most recent call last): 

... 

ValueError: Q must be nonzero. 

 

An example of even order:: 

 

sage: F.<a> = GF(19^4) 

sage: E = EllipticCurve(F,[-1,0]) 

sage: P = E(15*a^3 + 17*a^2 + 14*a + 13,16*a^3 + 7*a^2 + a + 18) 

sage: Q = E(10*a^3 + 16*a^2 + 4*a + 2, 6*a^3 + 4*a^2 + 3*a + 2) 

sage: x=P.weil_pairing(Q,360) 

sage: x^360 == F(1) 

True 

 

You can use the _miller_ function on linearly dependent 

points, but with the risk of dividing by zero::

 

sage: Px._miller_(2*Px,41) 

Traceback (most recent call last): 

... 

ZeroDivisionError: division by zero in finite field 

 

A small example of embedding degree 6:: 

 

sage: q = 401; F = GF(q); a = 146; b = 400; k = 6 

sage: E = EllipticCurve([F(a), F(b)]) 

sage: R.<x> = F[]; K.<a> = GF(q^k, modulus=x^6 + 4*x^4 + 115*x^3 + 81*x^2 + 51*x + 3) 

sage: EK = E.base_extend(K) 

sage: P = E([F(338), F(227)]) 

sage: Q_x = 333*a^5 + 391*a^4 + 160*a^3 + 335*a^2 + 71*a + 93 

sage: Q_y = 343*a^5 + 273*a^4 + 26*a^3 + 342*a^2 + 340*a + 210 

sage: Q = EK([Q_x, Q_y]) 

sage: P._miller_(Q, 127) 

371*a^5 + 39*a^4 + 355*a^3 + 233*a^2 + 20*a + 275 

 

A series of small examples and small torsions. We start with 

`n=1`, which is trivial: the function is the constant 

1:: 

 

sage: E = EllipticCurve([GF(7)(0), 2]) 

sage: P = E(5, 1); Q = E(0, 3); I = E(0) 

sage: I._miller_(P, 1) 

1 

sage: I._miller_(Q, 1) 

1 

 

A two-torsion example. In this case `f_{n,P}(Q) = x_Q - x_P`:: 

 

sage: E = EllipticCurve([GF(7)(-1), 0]) 

sage: P = E(0,0); Q = E(1, 0); 

sage: P._miller_(P, 2) 

0 

sage: Q._miller_(Q, 2) 

0 

sage: P._miller_(Q, 2) 

1 

sage: Q._miller_(P, 2) 

6 

 

A three-torsion example:: 

 

sage: E = EllipticCurve([GF(7)(0), 2]) 

sage: P = E(5, 1); Q = E(0, 3); 

sage: P._miller_(Q, 3) 

4 

 

A 4-torsion example:: 

 

sage: E = EllipticCurve([GF(7)(-1), 0]) 

sage: P = E(5, 1); Q = E(4, 2) 

sage: P._miller_(Q, 4) 

3 

 

A 5-torsion example:: 

 

sage: E = EllipticCurve([GF(7)(-1), 4]) 

sage: P = E(4, 1); Q = E(6, 5) 

sage: P._miller_(Q, 5) 

1 

 

A 6-torsion example:: 

 

sage: E = EllipticCurve([GF(7)(3), 1]) 

sage: P = E(5, 1); Q = E(3, 3) 

sage: P._miller_(Q, 6) 

5 

 

An example which is part of an ate pairing calculation. The trace of 

the curve is negative, so it should exercise the `n<0` case in the 

code:: 

 

sage: p = 2017; A = 1; B = 30; r = 29; t = -70; k = 7; 

sage: F = GF(p); R.<x> = F[] 

sage: E = EllipticCurve([F(A), F(B)]); P = E(369, 716) 

sage: K.<a> = GF(p^k, modulus=x^k+2); EK = E.base_extend(K) 

sage: Qx = 1226*a^6 + 1778*a^5 + 660*a^4 + 1791*a^3 + 1750*a^2 + 867*a + 770 

sage: Qy = 1764*a^6 + 198*a^5 + 1206*a^4 + 406*a^3 + 1200*a^2 + 273*a + 1712 

sage: Q = EK(Qx, Qy) 

sage: Q._miller_(P, t-1) 

1311*a^6 + 1362*a^5 + 1177*a^4 + 807*a^3 + 1331*a^2 + 1530*a + 1931 

 

ALGORITHM: 

 

Double-and-add. See also [Mil04]_. 

 

AUTHORS: 

 

- David Hansen (2009-01-25) 

- Mariah Lenox (2011-03-07) -- Added more doctests and support for 

negative n. 

""" 

    if Q.is_zero():
        raise ValueError("Q must be nonzero.")
    if n.is_zero():
        raise ValueError("n must be nonzero.")
    n_is_negative = False
    if n < 0:
        n = n.abs()
        n_is_negative = True

    one = self.curve().base_field().one()
    t = one
    V = self
    S = 2*V
    nbin = n.bits()
    i = n.nbits() - 2
    while i > -1:
        S = 2*V
        ell = V._line_(V, Q)
        vee = S._line_(-S, Q)
        t = (t**2)*(ell/vee)
        V = S
        if nbin[i] == 1:
            S = V+self
            ell = V._line_(self, Q)
            vee = S._line_(-S, Q)
            t = t*(ell/vee)
            V = S
        i = i-1
    if n_is_negative:
        vee = V._line_(-V, Q)
        t = 1/(t*vee)
    return t

 

def weil_pairing(self, Q, n): 

r""" 

Compute the Weil pairing of self and `Q` using Miller's algorithm. 

 

INPUT: 

 

- ``Q`` -- a point on self.curve(). 

 

- ``n`` -- an integer `n` such that `nP = nQ = (0:1:0)` where 

`P` = self. 

 

OUTPUT: 

 

An `n`'th root of unity in the base field self.curve().base_field() 

 

EXAMPLES:: 

 

sage: F.<a>=GF(2^5) 

sage: E=EllipticCurve(F,[0,0,1,1,1]) 

sage: P = E(a^4 + 1, a^3) 

sage: Fx.<b>=GF(2^(4*5)) 

sage: Ex=EllipticCurve(Fx,[0,0,1,1,1]) 

sage: phi=Hom(F,Fx)(F.gen().minpoly().roots(Fx)[0][0]) 

sage: Px=Ex(phi(P.xy()[0]),phi(P.xy()[1])) 

sage: O = Ex(0) 

sage: Qx = Ex(b^19 + b^18 + b^16 + b^12 + b^10 + b^9 + b^8 + b^5 + b^3 + 1, b^18 + b^13 + b^10 + b^8 + b^5 + b^4 + b^3 + b) 

sage: Px.weil_pairing(Qx,41) == b^19 + b^15 + b^9 + b^8 + b^6 + b^4 + b^3 + b^2 + 1 

True 

sage: Px.weil_pairing(17*Px,41) == Fx(1) 

True 

sage: Px.weil_pairing(O,41) == Fx(1) 

True 

 

An error is raised if either point is not n-torsion:: 

 

sage: Px.weil_pairing(O,40) 

Traceback (most recent call last): 

... 

ValueError: points must both be n-torsion 

 

A larger example (see :trac:`4964`):: 

 

sage: P,Q = EllipticCurve(GF(19^4,'a'),[-1,0]).gens() 

sage: P.order(), Q.order() 

(360, 360) 

sage: z = P.weil_pairing(Q,360) 

sage: z.multiplicative_order() 

360 

 

An example over a number field:: 

 

sage: P,Q = EllipticCurve('11a1').change_ring(CyclotomicField(5)).torsion_subgroup().gens() # long time (10s) 

sage: P,Q = (P.element(), Q.element()) # long time 

sage: (P.order(),Q.order()) # long time 

(5, 5) 

sage: P.weil_pairing(Q,5) # long time 

zeta5^2 

sage: Q.weil_pairing(P,5) # long time 

zeta5^3 

 

ALGORITHM: 

 

Implemented using Proposition 8 in [Mil04]_. The value 1 is 

returned for linearly dependent input points. This condition 

is caught via a ZeroDivisionError, since the use of a

discrete logarithm test for linear dependence is much too slow

for large `n`. 

 

REFERENCES: 

 

.. [Mil04] Victor S. Miller, "The Weil pairing, and its 

efficient calculation", J. Cryptol., 17(4):235-261, 2004 

 

AUTHOR: 

 

- David Hansen (2009-01-25) 

""" 

    P = self
    E = P.curve()

    if not Q.curve() is E:
        raise ValueError("points must both be on the same curve")

    # Test if P, Q are both in E[n]
    if not ((n*P).is_zero() and (n*Q).is_zero()):
        raise ValueError("points must both be n-torsion")

    one = E.base_field().one()

    # Case where P = Q
    if P == Q:
        return one

    # Case where P = O or Q = O
    if P.is_zero() or Q.is_zero():
        return one

    # The non-trivial case P != Q

    # Note (2010-12-29): The following code block should not be
    # used. It attempts to reduce the pairing calculation to order
    # d = gcd(|P|,|Q|) instead of order n, but this approach is
    # counterproductive, since calculating |P| and |Q| is much
    # slower than calculating the pairing [BGN05].
    #
    # [BGN05] D. Boneh, E. Goh, and K. Nissim, "Evaluating 2-DNF
    # Formulas on Ciphertexts", TCC 2005, LNCS 3378, pp. 325-341.
    #
    # Reduction to order d = gcd(|P|,|Q|); value is a d'th root of unity
    # try:
    #     nP = P.order()
    # except AttributeError:
    #     nP = generic.order_from_multiple(P,n,operation='+')
    # try:
    #     nQ = Q.order()
    # except AttributeError:
    #     nQ = generic.order_from_multiple(Q,n,operation='+')
    # d = arith.gcd(nP,nQ)
    # if d==1:
    #     return one
    #
    # P = (nP//d)*P # order d
    # Q = (nQ//d)*Q # order d
    # n = d

    try:
        return ((-1)**n.test_bit(0))*(P._miller_(Q, n)/Q._miller_(P, n))
    except ZeroDivisionError:
        return one

 

def tate_pairing(self, Q, n, k, q=None): 

r""" 

Return Tate pairing of `n`-torsion point `P = self` and point `Q`. 

 

The value returned is `f_{n,P}(Q)^e` where `f_{n,P}` is a function with 

divisor `n[P]-n[O]`. This is also known as the "modified Tate

pairing". It is a well-defined bilinear map. 

 

INPUT: 

 

- ``P=self`` -- Elliptic curve point having order n 

 

- ``Q`` -- Elliptic curve point on same curve as P (can be any order) 

 

- ``n`` -- positive integer: order of P 

 

- ``k`` -- positive integer: embedding degree 

 

- ``q`` -- positive integer: size of base field (the "big"

field is `GF(q^k)`). `q` needs to be set only if its value

cannot be deduced.

 

OUTPUT: 

 

An `n`'th root of unity in the base field self.curve().base_field() 

 

EXAMPLES: 

 

A simple example, pairing a point with itself, and pairing a point with 

another rational point:: 

 

sage: p = 103; A = 1; B = 18; E = EllipticCurve(GF(p), [A, B]) 

sage: P = E(33, 91); n = P.order(); n 

19 

sage: k = GF(n)(p).multiplicative_order(); k 

6 

sage: P.tate_pairing(P, n, k) 

1 

sage: Q = E(87, 51) 

sage: P.tate_pairing(Q, n, k) 

1 

sage: set_random_seed(35) 

sage: P.tate_pairing(P,n,k) 

1 

 

We now let Q be a point on the same curve as above, but defined over 

the pairing extension field, and we also demonstrate the bilinearity of 

the pairing:: 

 

sage: K.<a> = GF(p^k) 

sage: EK = E.base_extend(K); P = EK(P) 

sage: Qx = 69*a^5 + 96*a^4 + 22*a^3 + 86*a^2 + 6*a + 35 

sage: Qy = 34*a^5 + 24*a^4 + 16*a^3 + 41*a^2 + 4*a + 40 

sage: Q = EK(Qx, Qy); 

sage: # multiply by cofactor so Q has order n: 

sage: h = 551269674; Q = h*Q 

sage: P = EK(P); P.tate_pairing(Q, n, k) 

24*a^5 + 34*a^4 + 3*a^3 + 69*a^2 + 86*a + 45 

sage: s = Integer(randrange(1,n)) 

sage: ans1 = (s*P).tate_pairing(Q, n, k) 

sage: ans2 = P.tate_pairing(s*Q, n, k) 

sage: ans3 = P.tate_pairing(Q, n, k)^s 

sage: ans1 == ans2 == ans3 

True 

sage: (ans1 != 1) and (ans1^n == 1) 

True 

 

Here is an example of using the Tate pairing to compute the Weil 

pairing (using the same data as above):: 

 

sage: e = Integer((p^k-1)/n); e 

62844857712 

sage: P.weil_pairing(Q, n)^e 

94*a^5 + 99*a^4 + 29*a^3 + 45*a^2 + 57*a + 34 

sage: P.tate_pairing(Q, n, k) == P._miller_(Q, n)^e 

True 

sage: Q.tate_pairing(P, n, k) == Q._miller_(P, n)^e 

True 

sage: P.tate_pairing(Q, n, k)/Q.tate_pairing(P, n, k) 

94*a^5 + 99*a^4 + 29*a^3 + 45*a^2 + 57*a + 34 

 

An example where we have to pass the base field size (and we again have 

agreement with the Weil pairing):: 

 

sage: F.<a>=GF(2^5) 

sage: E=EllipticCurve(F,[0,0,1,1,1]) 

sage: P = E(a^4 + 1, a^3) 

sage: Fx.<b>=GF(2^(4*5)) 

sage: Ex=EllipticCurve(Fx,[0,0,1,1,1]) 

sage: phi=Hom(F,Fx)(F.gen().minpoly().roots(Fx)[0][0]) 

sage: Px=Ex(phi(P.xy()[0]),phi(P.xy()[1])) 

sage: Qx = Ex(b^19+b^18+b^16+b^12+b^10+b^9+b^8+b^5+b^3+1, b^18+b^13+b^10+b^8+b^5+b^4+b^3+b) 

sage: Px.tate_pairing(Qx, n=41, k=4) 

Traceback (most recent call last): 

... 

ValueError: Unexpected field degree: set keyword argument q equal to the size of the base field (big field is GF(q^4)). 

sage: num = Px.tate_pairing(Qx, n=41, k=4, q=32); num 

b^19 + b^14 + b^13 + b^12 + b^6 + b^4 + b^3 

sage: den = Qx.tate_pairing(Px, n=41, k=4, q=32); den 

b^19 + b^17 + b^16 + b^15 + b^14 + b^10 + b^6 + b^2 + 1 

sage: e = Integer((32^4-1)/41); e 

25575 

sage: Px.weil_pairing(Qx, 41)^e == num/den 

True 

 

NOTES: 

 

This function uses Miller's algorithm, followed by a naive 

exponentiation. It does not do anything fancy. In the case 

that there is an issue with `Q` being on one of the lines 

generated in the `r*P` calculation, `Q` is offset by a random 

point `R` and P.tate_pairing(Q+R,n,k)/P.tate_pairing(R,n,k) 

is returned. 

 

AUTHORS: 

 

- Mariah Lenox (2011-03-07) 

""" 

    P = self
    E = P.curve()

    if not Q.curve() is E:
        raise ValueError("Points must both be on the same curve")

    K = E.base_ring()
    d = K.degree()
    if q is None:
        if d == 1:
            q = K.order()
        elif d == k:
            q = K.base_ring().order()
        else:
            raise ValueError("Unexpected field degree: set keyword argument q equal to the size of the base field (big field is GF(q^%s))." % k)

    if n*P != E(0):
        raise ValueError('This point is not of order n=%s' % n)

    # In small cases, or in the case of pairing an element with
    # itself, Q could be on one of the lines in the Miller
    # algorithm. If this happens we try again, with an offset of a
    # random point.
    try:
        ret = self._miller_(Q, n)
        e = Integer((q**k - 1)/n)
        ret = ret**e
    except (ZeroDivisionError, ValueError):
        R = E.random_point()
        # Pass q through: when the caller had to supply q explicitly,
        # the retry cannot deduce it from the field degree either.
        ret = self.tate_pairing(Q + R, n, k, q)/self.tate_pairing(R, n, k, q)
    return ret

 

def ate_pairing(self, Q, n, k, t, q=None): 

r""" 

Return ate pairing of `n`-torsion points `P=self` and `Q`. 

 

Also known as the `n`-th modified ate pairing. `P` is `GF(q)`-rational, 

and `Q` must be an element of `Ker(\pi-q)`, where `\pi` is the

`q`-Frobenius map (and hence `Q` is `GF(q^k)`-rational).

 

INPUT: 

 

- ``P=self`` -- a point of order `n`, in `ker(\pi-1)`, where 

`\pi` is the `q`-Frobenius map (e.g., `P` is `q-rational`). 

 

- ``Q`` -- a point of order `n` in `ker(\pi-q)` 

 

- ``n`` -- the order of `P` and `Q`. 

 

- ``k`` -- the embedding degree. 

 

- ``t`` -- the trace of Frobenius of the curve over `GF(q)`. 

 

- ``q`` -- (default:None) the size of base field (the "big" 

field is `GF(q^k)`). `q` needs to be set only if its value 

cannot be deduced. 

 

OUTPUT: 

 

FiniteFieldElement in `GF(q^k)` -- the ate pairing of `P` and `Q`. 

 

EXAMPLES: 

 

An example with embedding degree 6:: 

 

sage: p = 7549; A = 0; B = 1; n = 157; k = 6; t = 14 

sage: F = GF(p); E = EllipticCurve(F, [A, B]) 

sage: R.<x> = F[]; K.<a> = GF(p^k, modulus=x^k+2) 

sage: EK = E.base_extend(K) 

sage: P = EK(3050, 5371); Q = EK(6908*a^4, 3231*a^3) 

sage: P.ate_pairing(Q, n, k, t) 

6708*a^5 + 4230*a^4 + 4350*a^3 + 2064*a^2 + 4022*a + 6733 

sage: s = Integer(randrange(1, n)) 

sage: (s*P).ate_pairing(Q, n, k, t) == P.ate_pairing(s*Q, n, k, t) 

True 

sage: P.ate_pairing(s*Q, n, k, t) == P.ate_pairing(Q, n, k, t)^s 

True 

 

Another example with embedding degree 7 and positive trace:: 

 

sage: p = 2213; A = 1; B = 49; n = 1093; k = 7; t = 28 

sage: F = GF(p); E = EllipticCurve(F, [A, B]) 

sage: R.<x> = F[]; K.<a> = GF(p^k, modulus=x^k+2) 

sage: EK = E.base_extend(K) 

sage: P = EK(1583, 1734) 

sage: Qx = 1729*a^6+1767*a^5+245*a^4+980*a^3+1592*a^2+1883*a+722 

sage: Qy = 1299*a^6+1877*a^5+1030*a^4+1513*a^3+1457*a^2+309*a+1636 

sage: Q = EK(Qx, Qy) 

sage: P.ate_pairing(Q, n, k, t) 

1665*a^6 + 1538*a^5 + 1979*a^4 + 239*a^3 + 2134*a^2 + 2151*a + 654 

sage: s = Integer(randrange(1, n)) 

sage: (s*P).ate_pairing(Q, n, k, t) == P.ate_pairing(s*Q, n, k, t) 

True 

sage: P.ate_pairing(s*Q, n, k, t) == P.ate_pairing(Q, n, k, t)^s 

True 

 

Another example with embedding degree 7 and negative trace:: 

 

sage: p = 2017; A = 1; B = 30; n = 29; k = 7; t = -70 

sage: F = GF(p); E = EllipticCurve(F, [A, B]) 

sage: R.<x> = F[]; K.<a> = GF(p^k, modulus=x^k+2) 

sage: EK = E.base_extend(K) 

sage: P = EK(369, 716) 

sage: Qx = 1226*a^6+1778*a^5+660*a^4+1791*a^3+1750*a^2+867*a+770 

sage: Qy = 1764*a^6+198*a^5+1206*a^4+406*a^3+1200*a^2+273*a+1712 

sage: Q = EK(Qx, Qy) 

sage: P.ate_pairing(Q, n, k, t) 

1794*a^6 + 1161*a^5 + 576*a^4 + 488*a^3 + 1950*a^2 + 1905*a + 1315 

sage: s = Integer(randrange(1, n)) 

sage: (s*P).ate_pairing(Q, n, k, t) == P.ate_pairing(s*Q, n, k, t) 

True 

sage: P.ate_pairing(s*Q, n, k, t) == P.ate_pairing(Q, n, k, t)^s 

True 

 

Using the same data, we show that the ate pairing is a power of the 

Tate pairing (see [HSV]_ end of section 3.1):: 

 

sage: c = (k*p^(k-1)).mod(n); T = t - 1 

sage: N = gcd(T^k - 1, p^k - 1) 

sage: s = Integer(N/n) 

sage: L = Integer((T^k - 1)/N) 

sage: M = (L*s*c.inverse_mod(n)).mod(n) 

sage: P.ate_pairing(Q, n, k, t) == Q.tate_pairing(P, n, k)^M 

True 

 

An example where we have to pass the base field size (and we again have 

agreement with the Tate pairing). Note that though `Px` is not 

`F`-rational, (it is the homomorphic image of an `F`-rational point) it 

is nonetheless in `ker(\pi-1)`, and so is a legitimate input:: 

 

sage: q = 2^5; F.<a>=GF(q) 

sage: n = 41; k = 4; t = -8 

sage: E=EllipticCurve(F,[0,0,1,1,1]) 

sage: P = E(a^4 + 1, a^3) 

sage: Fx.<b>=GF(q^k) 

sage: Ex=EllipticCurve(Fx,[0,0,1,1,1]) 

sage: phi=Hom(F,Fx)(F.gen().minpoly().roots(Fx)[0][0]) 

sage: Px=Ex(phi(P.xy()[0]),phi(P.xy()[1])) 

sage: Qx = Ex(b^19+b^18+b^16+b^12+b^10+b^9+b^8+b^5+b^3+1, b^18+b^13+b^10+b^8+b^5+b^4+b^3+b) 

sage: Qx = Ex(Qx[0]^q, Qx[1]^q) - Qx # ensure Qx is in ker(pi - q) 

sage: Px.ate_pairing(Qx, n, k, t) 

Traceback (most recent call last): 

... 

ValueError: Unexpected field degree: set keyword argument q equal to the size of the base field (big field is GF(q^4)). 

sage: Px.ate_pairing(Qx, n, k, t, q) 

b^19 + b^18 + b^17 + b^16 + b^15 + b^14 + b^13 + b^12 + b^11 + b^9 + b^8 + b^5 + b^4 + b^2 + b + 1 

sage: s = Integer(randrange(1, n)) 

sage: (s*Px).ate_pairing(Qx, n, k, t, q) == Px.ate_pairing(s*Qx, n, k, t, q) 

True 

sage: Px.ate_pairing(s*Qx, n, k, t, q) == Px.ate_pairing(Qx, n, k, t, q)^s 

True 

sage: c = (k*q^(k-1)).mod(n); T = t - 1 

sage: N = gcd(T^k - 1, q^k - 1) 

sage: s = Integer(N/n) 

sage: L = Integer((T^k - 1)/N) 

sage: M = (L*s*c.inverse_mod(n)).mod(n) 

sage: Px.ate_pairing(Qx, n, k, t, q) == Qx.tate_pairing(Px, n, k, q)^M 

True 

 

It is an error if `Q` is not in the kernel of `\pi - p`, where `\pi` is 

the Frobenius automorphism:: 

 

sage: p = 29; A = 1; B = 0; n = 5; k = 2; t = 10 

sage: F = GF(p); R.<x> = F[] 

sage: E = EllipticCurve(F, [A, B]); 

sage: K.<a> = GF(p^k, modulus=x^k+2); EK = E.base_extend(K) 

sage: P = EK(13, 8); Q = EK(13, 21) 

sage: P.ate_pairing(Q, n, k, t) 

Traceback (most recent call last): 

... 

ValueError: Point (13 : 21 : 1) not in Ker(pi - q) 

 

It is also an error if `P` is not in the kernel of `\pi - 1`::

 

sage: p = 29; A = 1; B = 0; n = 5; k = 2; t = 10 

sage: F = GF(p); R.<x> = F[] 

sage: E = EllipticCurve(F, [A, B]); 

sage: K.<a> = GF(p^k, modulus=x^k+2); EK = E.base_extend(K) 

sage: P = EK(14, 10*a); Q = EK(13, 21) 

sage: P.ate_pairing(Q, n, k, t) 

Traceback (most recent call last): 

... 

ValueError: This point (14 : 10*a : 1) is not in Ker(pi - 1) 

 

NOTES: 

 

First defined in the paper of [HSV]_, the ate pairing can be 

computationally effective in those cases when the trace of the curve 

over the base field is significantly smaller than the expected 

value. This implementation is simply Miller's algorithm followed by a 

naive exponentiation, and makes no claims towards efficiency. 

 

REFERENCES: 

 

.. [HSV] Hess, Smart, Vercauteren, "The Eta Pairing Revisited", 

IEEE Trans. Information Theory, 52(10): 4595-4602, 2006. 

 

AUTHORS: 

 

- Mariah Lenox (2011-03-08) 

""" 

    P = self
    # check for same curve
    E = P.curve()
    O = E(0)
    if not Q.curve() is E:
        raise ValueError("Points must both be on the same curve")

    # set q to be the order of the base field
    K = E.base_ring()
    if q is None:
        d = K.degree()
        if d == k:
            q = K.base_ring().order()
        else:
            raise ValueError("Unexpected field degree: set keyword argument q equal to the size of the base field (big field is GF(q^%s))." % k)

    # check order of P
    if n*P != O:
        raise ValueError('This point %s is not of order n=%s' % (P, n))

    # check for P in kernel pi - 1:
    piP = E(P[0]**q, P[1]**q)
    if piP - P != O:
        raise ValueError('This point %s is not in Ker(pi - 1)' % P)

    # check for Q in kernel pi - q:
    piQ = E(Q[0]**q, Q[1]**q)
    if piQ - q*Q != O:
        raise ValueError('Point %s not in Ker(pi - q)' % Q)

    T = t-1
    ret = Q._miller_(P, T)
    e = Integer((q**k - 1)/n)
    ret = ret**e
    return ret

 

 

class EllipticCurvePoint_number_field(EllipticCurvePoint_field): 

""" 

A point on an elliptic curve over a number field. 

 

Most of the functionality is derived from the parent class 

``EllipticCurvePoint_field``. In addition we have support for 

orders, heights, reduction modulo primes, and elliptic logarithms. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('37a') 

sage: E([0,0]) 

(0 : 0 : 1) 

sage: E(0,0) # brackets are optional 

(0 : 0 : 1) 

sage: E([GF(5)(0), 0]) # entries are coerced 

(0 : 0 : 1) 

 

sage: E(0.000, 0) 

(0 : 0 : 1) 

 

sage: E(1,0,0) 

Traceback (most recent call last): 

... 

TypeError: Coordinates [1, 0, 0] do not define a point on 

Elliptic Curve defined by y^2 + y = x^3 - x over Rational Field 

 

:: 

 

sage: E = EllipticCurve([0,0,1,-1,0]) 

sage: S = E(QQ); S 

Abelian group of points on Elliptic Curve defined by y^2 + y = x^3 - x over Rational Field 

 

TESTS:: 

 

sage: loads(S.dumps()) == S 

True 

sage: P = E(0,0); P 

(0 : 0 : 1) 

sage: loads(P.dumps()) == P 

True 

sage: T = 100*P 

sage: loads(T.dumps()) == T 

True 

 

Test pickling an elliptic curve that has known points on it:: 

 

sage: e = EllipticCurve([0, 0, 1, -1, 0]); g = e.gens(); loads(dumps(e)) == e 

True 

""" 

 

def order(self): 

r""" 

Return the order of this point on the elliptic curve. 

 

If the point has infinite order, returns +Infinity. For 

curves defined over `\QQ`, we call PARI; over other 

number fields we implement the function here. 

 

.. NOTE:: 

 

:meth:`additive_order` is a synonym for :meth:`order` 

 

EXAMPLES:: 

 

sage: E = EllipticCurve([0,0,1,-1,0]) 

sage: P = E([0,0]); P 

(0 : 0 : 1) 

sage: P.order() 

+Infinity 

 

:: 

 

sage: E = EllipticCurve([0,1]) 

sage: P = E([-1,0]) 

sage: P.order() 

2 

sage: P.additive_order() 

2 

 

""" 

    try:
        return self._order
    except AttributeError:
        pass

    if self.is_zero():
        self._order = Integer(1)
        return self._order

    E = self.curve()

    # First try PARI
    from sage.libs.pari.all import PariError
    try:
        n = E.pari_curve().ellorder(self)
        if n:
            n = Integer(n)
        else:
            n = oo
        self._order = n
        return n
    except PariError:
        pass

    # Get the torsion order if known, else a bound on (multiple
    # of) the order. We do not compute the torsion if it is not
    # already known, since computing the bound is faster (and is
    # also cached).

    try:
        N = E._torsion_order
    except AttributeError:
        N = E._torsion_bound()

    # Now self is a torsion point iff it is killed by N:
    if not (N*self).is_zero():
        self._order = oo
        return self._order

    # Finally we find the exact order using the generic code:
    self._order = generic.order_from_multiple(self, N, operation='+')
    return self._order

 

additive_order = order 

 

def has_finite_order(self): 

""" 

Return ``True`` iff this point has finite order on the elliptic curve. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve([0,0,1,-1,0]) 

sage: P = E([0,0]); P 

(0 : 0 : 1) 

sage: P.has_finite_order() 

False 

 

:: 

 

sage: E = EllipticCurve([0,1]) 

sage: P = E([-1,0]) 

sage: P.has_finite_order() 

True 

""" 

    if self.is_zero():
        return True
    return self.order() != oo

 

def has_infinite_order(self): 

r""" 

Return True iff this point has infinite order on the elliptic curve. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve([0,0,1,-1,0]) 

sage: P = E([0,0]); P 

(0 : 0 : 1) 

sage: P.has_infinite_order() 

True 

 

:: 

 

sage: E = EllipticCurve([0,1]) 

sage: P = E([-1,0]) 

sage: P.has_infinite_order() 

False 

""" 

    if self.is_zero():
        return False
    return self.order() == oo

 

def is_on_identity_component(self, embedding=None): 

r""" 

Returns True iff this point is on the identity component of 

its curve with respect to a given (real or complex) embedding. 

 

INPUT: 

 

- ``self`` -- a point on a curve over any ordered field (e.g. `\QQ`) 

 

- ``embedding`` -- an embedding from the base_field of the 

point's curve into `\RR` or `\CC`; if ``None`` (the 

default) it uses the first embedding of the base_field into 

`\RR` if any, else the first embedding into `\CC`. 

 

OUTPUT: 

 

(bool) -- ``True`` iff the point is on the identity component of 

the curve. (If the point is zero then the result is True.) 

 

EXAMPLES: 

 

For `K=\QQ` there is no need to specify an embedding:: 

 

sage: E=EllipticCurve('5077a1') 

sage: [E.lift_x(x).is_on_identity_component() for x in srange(-3,5)] 

[False, False, False, False, False, True, True, True] 

 

An example over a field with two real embeddings:: 

 

sage: L.<a> = QuadraticField(2) 

sage: E=EllipticCurve(L,[0,1,0,a,a]) 

sage: P=E(-1,0) 

sage: [P.is_on_identity_component(e) for e in L.embeddings(RR)] 

[False, True] 

 

We can check this as follows:: 

 

sage: [e(E.discriminant())>0 for e in L.embeddings(RR)] 

[True, False] 

sage: e = L.embeddings(RR)[0] 

sage: E1 = EllipticCurve(RR,[e(ai) for ai in E.ainvs()]) 

sage: e1,e2,e3 = E1.two_division_polynomial().roots(RR,multiplicities=False) 

sage: e1 < e2 < e3 and e(P[0]) < e3 

True 

 

""" 

    if self.is_zero():  # trivial case
        return True

    e = embedding
    # It is also trivially true if we have a complex embedding
    if not e is None:
        if not is_RealField(e.codomain()):
            return True

    # find a suitable embedding if none was supplied:
    E = self.curve()
    K = E.base_field()
    if e is None:
        try:
            e = K.embeddings(rings.RealField())[0]
        except IndexError:
            e = K.embeddings(rings.ComplexField())[0]

    # If there is only one component, the result is True:
    if not is_RealField(e.codomain()):  # complex embedding
        return True
    if e(E.discriminant()) < 0:  # only one component
        return True

    # Now we have a real embedding and two components and have to work:
    gx = E.two_division_polynomial()
    gxd = gx.derivative()
    gxdd = gxd.derivative()
    return (e(gxd(self[0])) > 0 and e(gxdd(self[0])) > 0)

 

def has_good_reduction(self, P=None): 

r""" 

Returns True iff this point has good reduction modulo a prime. 

 

INPUT: 

 

- ``P`` -- a prime of the base_field of the point's curve, or 

``None`` (default) 

 

OUTPUT: 

 

(bool) If a prime `P` of the base field is specified, returns 

True iff the point has good reduction at `P`; otherwise, 

returns True if the point has good reduction at all primes in

the support of the discriminant of this model. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('990e1') 

sage: P = E.gen(0); P 

(15 : 51 : 1) 

sage: [E.has_good_reduction(p) for p in [2,3,5,7]] 

[False, False, False, True] 

sage: [P.has_good_reduction(p) for p in [2,3,5,7]] 

[True, False, True, True] 

sage: [E.tamagawa_exponent(p) for p in [2,3,5,7]] 

[2, 2, 1, 1] 

sage: [(2*P).has_good_reduction(p) for p in [2,3,5,7]] 

[True, True, True, True] 

sage: P.has_good_reduction() 

False 

sage: (2*P).has_good_reduction() 

True 

sage: (3*P).has_good_reduction() 

False 

 

:: 

 

sage: K.<i> = NumberField(x^2+1) 

sage: E = EllipticCurve(K,[0,1,0,-160,308]) 

sage: P = E(26,-120) 

sage: E.discriminant().support() 

[Fractional ideal (i + 1), 

Fractional ideal (-i - 2), 

Fractional ideal (2*i + 1), 

Fractional ideal (3)] 

sage: [E.tamagawa_exponent(p) for p in E.discriminant().support()] 

[1, 4, 4, 4] 

sage: P.has_good_reduction() 

False 

sage: (2*P).has_good_reduction() 

False 

sage: (4*P).has_good_reduction() 

True 

 

TESTS: 

 

An example showing that :trac:`8498` is fixed:: 

 

sage: E = EllipticCurve('11a1') 

sage: K.<t> = NumberField(x^2+47) 

sage: EK = E.base_extend(K) 

sage: T = EK(5,5) 

sage: P = EK(-2, -1/2*t - 1/2) 

sage: p = K.ideal(11) 

sage: T.has_good_reduction(p) 

False 

sage: P.has_good_reduction(p) 

True 

""" 

    if self.is_zero():  # trivial case
        return True

    E = self.curve()
    if P is None:
        return all([self.has_good_reduction(Pr) for Pr in E.discriminant().support()])
    K = E.base_field()
    from sage.schemes.elliptic_curves.ell_local_data import check_prime
    P = check_prime(K, P)

    # If the curve has good reduction at P, the result is True:
    t = E.local_data(P).bad_reduction_type()
    if t is None:
        return True

    # Make sure the curve is integral and locally minimal at P:
    Emin = E.local_minimal_model(P)
    urst = E.isomorphism_to(Emin)
    Q = urst(self)

    # Scale the homogeneous coordinates of the point to be primitive:
    xyz = list(Q)
    e = min([c.valuation(P) for c in xyz])
    if e != 0:
        if K is rings.QQ:
            pi = P
        else:
            pi = K.uniformizer(P)
        pie = pi**e
        xyz = [c/pie for c in xyz]

    # Evaluate the partial derivatives at the point to see if they
    # are zero mod P

    # See #8498: sometimes evaluating F's derivatives at xyz
    # returns a constant polynomial instead of a constant

    F = Emin.defining_polynomial()
    for v in F.variables():
        c = (F.derivative(v))(xyz)
        try:
            val = c.valuation(P)
        except AttributeError:
            val = c.constant_coefficient().valuation(P)
        if val == 0:
            return True
    return False

 

def reduction(self, p): 

""" 

This finds the reduction of a point `P` on the elliptic curve 

modulo the prime `p`. 

 

INPUT: 

 

- ``self`` -- A point on an elliptic curve. 

 

- ``p`` -- a prime number 

 

OUTPUT: 

 

The point reduced to be a point on the elliptic curve modulo `p`. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve([1,2,3,4,0]) 

sage: P = E(0,0) 

sage: P.reduction(5) 

(0 : 0 : 1) 

sage: Q = E(98,931) 

sage: Q.reduction(5) 

(3 : 1 : 1) 

sage: Q.reduction(5).curve() == E.reduction(5) 

True 

 

:: 

 

sage: F.<a> = NumberField(x^2+5) 

sage: E = EllipticCurve(F,[1,2,3,4,0]) 

sage: Q = E(98,931) 

sage: Q.reduction(a) 

(3 : 1 : 1) 

sage: Q.reduction(11) 

(10 : 7 : 1) 

 

:: 

 

sage: F.<a> = NumberField(x^3+x^2+1) 

sage: E = EllipticCurve(F,[a,2]) 

sage: P = E(a,1) 

sage: P.reduction(F.ideal(5)) 

(abar : 1 : 1) 

sage: P.reduction(F.ideal(a^2-4*a-2)) 

(abar : 1 : 1) 

 

""" 

    P = self
    E = P.curve()
    return E.reduction(p)(P)

 

def height(self, precision=None, normalised=True, algorithm='pari'): 

r"""

Return the Néron-Tate canonical height of the point. 

 

INPUT: 

 

- ``self`` -- a point on an elliptic curve over a number field 

`K`. 

 

- ``precision`` -- positive integer, or None (default). The 

precision in bits of the result. If None, the default real 

precision is used. 

 

- ``normalised`` -- boolean. If True (default), the height is 

normalised to be invariant under extension of `K`. If False, 

return this normalised height multiplied by the degree of 

`K`. 

 

- ``algorithm`` -- string: either 'pari' (default) or 'sage'. 

If 'pari' and the base field is `\QQ`, use the PARI library 

function; otherwise use the Sage implementation. 

 

OUTPUT: 

 

The rational number 0, or a non-negative real number. 

 

There are two normalisations used in the literature, one of 

which is double the other. We use the larger of the two, which 

is the one appropriate for the BSD conjecture. This is 

consistent with [Cre]_ and double that of [SilBook]_. 

 

See :wikipedia:`Néron-Tate height` 

 

REFERENCES: 

 

.. [Cre] John Cremona, Algorithms for Modular Elliptic Curves. 

Cambridge University Press, 1997. 

 

.. [Sil1988] Joseph H. Silverman, Computing heights on 

elliptic curves. Mathematics of Computation, Vol. 51, 

No. 183 (Jul., 1988), pp. 339-358. 

 

.. [SilBook] Joseph H. Silverman, The Arithmetic of Elliptic 

Curves. Second edition. Graduate Texts in Mathematics, 106. 

Springer, 2009. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('11a'); E 

Elliptic Curve defined by y^2 + y = x^3 - x^2 - 10*x - 20 over Rational Field 

sage: P = E([5,5]); P 

(5 : 5 : 1) 

sage: P.height() 

0 

sage: Q = 5*P 

sage: Q.height() 

0 

 

:: 

 

sage: E = EllipticCurve('37a'); E 

Elliptic Curve defined by y^2 + y = x^3 - x over Rational Field 

sage: P = E([0,0]) 

sage: P.height() 

0.0511114082399688 

sage: P.order() 

+Infinity 

sage: E.regulator() 

0.0511114082399688... 

 

sage: def naive_height(P): 

....: return log(RR(max(abs(P[0].numerator()), abs(P[0].denominator())))) 

sage: for n in [1..10]: 

....: print(naive_height(2^n*P)/4^n) 

0.000000000000000 

0.0433216987849966 

0.0502949347635656 

0.0511006335618645 

0.0511007834799612 

0.0511013666152466 

0.0511034199907743 

0.0511106492906471 

0.0511114081541082 

0.0511114081541180 

 

:: 

 

sage: E = EllipticCurve('4602a1'); E 

Elliptic Curve defined by y^2 + x*y = x^3 + x^2 - 37746035*x - 89296920339 over Rational Field 

sage: x = 77985922458974949246858229195945103471590 

sage: y = 19575260230015313702261379022151675961965157108920263594545223 

sage: d = 2254020761884782243 

sage: E([ x / d^2, y / d^3 ]).height() 

86.7406561381275 

 

:: 

 

sage: E = EllipticCurve([17, -60, -120, 0, 0]); E 

Elliptic Curve defined by y^2 + 17*x*y - 120*y = x^3 - 60*x^2 over Rational Field 

sage: E([30, -90]).height() 

0 

 

sage: E = EllipticCurve('389a1'); E 

Elliptic Curve defined by y^2 + y = x^3 + x^2 - 2*x over Rational Field 

sage: [P,Q] = [E(-1,1),E(0,-1)] 

sage: P.height(precision=100) 

0.68666708330558658572355210295 

sage: (3*Q).height(precision=100)/Q.height(precision=100) 

9.0000000000000000000000000000 

sage: _.parent() 

Real Field with 100 bits of precision 

 

Canonical heights over number fields are implemented as well:: 

 

sage: R.<x> = QQ[] 

sage: K.<a> = NumberField(x^3-2) 

sage: E = EllipticCurve([a, 4]); E 

Elliptic Curve defined by y^2 = x^3 + a*x + 4 over Number Field in a with defining polynomial x^3 - 2 

sage: P = E((0,2)) 

sage: P.height() 

0.810463096585925 

sage: P.height(precision=100) 

0.81046309658592536863991810577 

sage: P.height(precision=200) 

0.81046309658592536863991810576865158896130286417155832378086 

sage: (2*P).height() / P.height() 

4.00000000000000 

sage: (100*P).height() / P.height() 

10000.0000000000 

 

Setting normalised=False multiplies the height by the degree of `K`:: 

 

sage: E = EllipticCurve('37a') 

sage: P = E([0,0]) 

sage: P.height() 

0.0511114082399688 

sage: P.height(normalised=False) 

0.0511114082399688 

sage: K.<z> = CyclotomicField(5) 

sage: EK = E.change_ring(K) 

sage: PK = EK([0,0]) 

sage: PK.height() 

0.0511114082399688 

sage: PK.height(normalised=False) 

0.204445632959875 

 

Some consistency checks:: 

 

sage: E = EllipticCurve('5077a1') 

sage: P = E([-2,3,1]) 

sage: P.height() 

1.36857250535393 

 

sage: EK = E.change_ring(QuadraticField(-3,'a')) 

sage: PK = EK([-2,3,1]) 

sage: PK.height() 

1.36857250535393 

 

sage: K.<i> = NumberField(x^2+1) 

sage: E = EllipticCurve(K, [0,0,4,6*i,0]) 

sage: Q = E.lift_x(-9/4); Q 

(-9/4 : -27/8*i : 1) 

sage: Q.height() 

2.69518560017909 

sage: (15*Q).height() / Q.height() 

225.000000000000 

 

sage: E = EllipticCurve('37a') 

sage: P = E([0,-1]) 

sage: P.height() 

0.0511114082399688 

sage: K.<a> = QuadraticField(-7) 

sage: ED = E.quadratic_twist(-7) 

sage: Q = E.isomorphism_to(ED.change_ring(K))(P); Q 

(0 : -7/2*a - 1/2 : 1) 

sage: Q.height() 

0.0511114082399688 

sage: Q.height(precision=100) 

0.051111408239968840235886099757 

 

An example to show that the bug at :trac:`5252` is fixed:: 

 

sage: E = EllipticCurve([1, -1, 1, -2063758701246626370773726978, 32838647793306133075103747085833809114881]) 

sage: P = E([-30987785091199, 258909576181697016447]) 

sage: P.height() 

25.8603170675462 

sage: P.height(precision=100) 

25.860317067546190743868840741 

sage: P.height(precision=250) 

25.860317067546190743868840740735110323098872903844416215577171041783572513 

sage: P.height(precision=500) 

25.8603170675461907438688407407351103230988729038444162155771710417835725129551130570889813281792157278507639909972112856019190236125362914195452321720 

 

sage: P.height(precision=100) == P.non_archimedean_local_height(prec=100)+P.archimedean_local_height(prec=100) 

True 

 

An example to show that the bug at :trac:`8319` is fixed (correct height when the curve is not minimal):: 

 

sage: E = EllipticCurve([-5580472329446114952805505804593498080000,-157339733785368110382973689903536054787700497223306368000000]) 

sage: xP = 204885147732879546487576840131729064308289385547094673627174585676211859152978311600/23625501907057948132262217188983681204856907657753178415430361 

sage: P = E.lift_x(xP) 

sage: P.height() 

157.432598516754 

sage: Q = 2*P 

sage: Q.height() # long time (4s) 

629.730394067016 

sage: Q.height()-4*P.height() # long time 

0.000000000000000 

 

An example to show that the bug at :trac:`12509` is fixed (precision issues):: 

 

sage: x = polygen(QQ) 

sage: K.<a> = NumberField(x^2-x-1) 

sage: v = [0, a + 1, 1, 28665*a - 46382, 2797026*a - 4525688] 

sage: E = EllipticCurve(v) 

sage: P = E([72*a - 509/5, -682/25*a - 434/25]) 

sage: P.height() 

1.38877711688727 

sage: (2*P).height()/P.height() 

4.00000000000000 

sage: (2*P).height(precision=100)/P.height(precision=100) 

4.0000000000000000000000000000 

sage: (2*P).height(precision=1000)/P.height(precision=1000) 

4.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 

 

This shows that the bug reported at :trac:`13951` has been fixed:: 

 

sage: E = EllipticCurve([0,17]) 

sage: P1 = E(2,5) 

sage: P1.height() 

1.06248137652528 

sage: F = E.change_ring(QuadraticField(-3,'a')) 

sage: P2 = F([2,5]) 

sage: P2.height() 

1.06248137652528 

""" 

    if self.has_finite_order():
        return rings.QQ(0)

    E = self.curve()
    K = E.base_ring()

    if precision is None:
        precision = rings.RealField().precision()

    known_prec = -1
    try:
        height = self.__height
        known_prec = height.prec()
        if known_prec > precision:
            height = rings.RealField(precision)(height)
    except AttributeError:
        pass

    if known_prec < precision:
        if algorithm == 'pari' and K is rings.QQ:
            Emin = E.minimal_model()
            iso = E.isomorphism_to(Emin)
            P = iso(self)
            h = Emin.pari_curve().ellheight(P, precision=precision)
            height = rings.RealField(precision)(h)
        else:
            height = (self.non_archimedean_local_height(prec=precision)
                      + self.archimedean_local_height(prec=precision))

    # The cached height is the one that is independent of the base field.
    self.__height = height
    if not normalised:
        height *= K.degree()
    return height

 

    def archimedean_local_height(self, v=None, prec=None, weighted=False):
        """

Compute the local height of self at the archimedean place `v`. 

 

INPUT: 

 

- ``self`` -- a point on an elliptic curve over a number field 

`K`. 

 

- ``v`` -- a real or complex embedding of K, or None (default). 

If `v` is a real or complex embedding, return the local 

height of self at `v`. If `v` is None, return the total 

archimedean contribution to the global height. 

 

- ``prec`` -- integer, or None (default). The precision of the 

computation. If None, the precision is deduced from v. 

 

- ``weighted`` -- boolean. If False (default), the height is 

normalised to be invariant under extension of `K`. If True, 

return this normalised height multiplied by the local degree 

if `v` is a single place, or by the degree of `K` if `v` is 

None. 

 

OUTPUT: 

 

A real number. The normalisation is twice that in Silverman's 

paper [Sil1988]_. Note that this local height depends on the 

model of the curve. 

 

ALGORITHM: 

 

See [Sil1988]_, Section 4. 

 

EXAMPLES: 

 

Examples 1, 2, and 3 from [Sil1988]_:: 

 

sage: K.<a> = QuadraticField(-2) 

sage: E = EllipticCurve(K, [0,-1,1,0,0]); E 

Elliptic Curve defined by y^2 + y = x^3 + (-1)*x^2 over Number Field in a with defining polynomial x^2 + 2 

sage: P = E.lift_x(2+a); P 

(a + 2 : 2*a + 1 : 1) 

sage: P.archimedean_local_height(K.places(prec=170)[0]) / 2 

0.45754773287523276736211210741423654346576029814695 

 

sage: K.<i> = NumberField(x^2+1) 

sage: E = EllipticCurve(K, [0,0,4,6*i,0]); E 

Elliptic Curve defined by y^2 + 4*y = x^3 + 6*i*x over Number Field in i with defining polynomial x^2 + 1 

sage: P = E((0,0)) 

sage: P.archimedean_local_height(K.places()[0]) / 2 

0.510184995162373 

 

sage: Q = E.lift_x(-9/4); Q 

(-9/4 : -27/8*i : 1) 

sage: Q.archimedean_local_height(K.places()[0]) / 2 

0.654445619529600 

 

An example over the rational numbers:: 

 

sage: E = EllipticCurve([0, 0, 0, -36, 0]) 

sage: P = E([-3, 9]) 

sage: P.archimedean_local_height() 

1.98723816350773 

 

Local heights of torsion points can be non-zero (unlike the 

global height):: 

 

sage: K.<i> = QuadraticField(-1) 

sage: E = EllipticCurve([0, 0, 0, K(1), 0]) 

sage: P = E(i, 0) 

sage: P.archimedean_local_height() 

0.346573590279973 

 

TESTS: 

 

See :trac:`12509`:: 

 

sage: x = polygen(QQ) 

sage: K.<a> = NumberField(x^2-x-1) 

sage: v = [0, a + 1, 1, 28665*a - 46382, 2797026*a - 4525688] 

sage: E = EllipticCurve(v) 

sage: P = E([72*a - 509/5, -682/25*a - 434/25]) 

sage: P.archimedean_local_height() 

-0.2206607955468278492183362746930 

 

See :trac:`19276`:: 

 

sage: K.<a> = NumberField(x^2-x-104) 

sage: E = EllipticCurve([1, a - 1, 1, -816765673272*a - 7931030674178, 1478955604013312315*a + 14361086227143654561]) 

sage: P = E(5393511/49*a + 52372721/49 , -33896210324/343*a - 329141996591/343 ) 

sage: P.height() 

0.974232017827740 

""" 

        E = self.curve()
        K = E.base_ring()

        if v is None:
            if K is rings.QQ:
                v = K.embeddings(rings.RR)[0]
                h = self.archimedean_local_height(v, prec)
            else:
                r1, r2 = K.signature()
                pl = K.places()
                h = (sum(self.archimedean_local_height(pl[i], prec, weighted=False)
                         for i in range(r1))
                     + 2 * sum(self.archimedean_local_height(pl[i], prec, weighted=False)
                               for i in range(r1, r1 + r2)))
                if not weighted:
                    h /= K.degree()
            return h

        from sage.rings.number_field.number_field import refine_embedding
        prec_v = v.codomain().prec()
        if prec is None:
            prec = prec_v
        if K is rings.QQ:
            vv = K.embeddings(rings.RealField(max(2*prec, prec_v)))[0]
        else:
            vv = refine_embedding(v, 2*prec)  # vv.prec() = max(2*prec, prec_v)

        absdisc = vv(E.discriminant()).abs()
        while absdisc==0:
            vv = refine_embedding(vv)
            # print("doubling precision")
            absdisc = vv(E.discriminant()).abs()
        temp = 0 if absdisc>=1 else absdisc.log()/3

        b2, b4, b6, b8 = [vv(b) for b in E.b_invariants()]
        H = max(vv(4), abs(b2), 2*abs(b4), 2*abs(b6), abs(b8))

        # The following comes from Silverman Theorem 4.2. Silverman
        # uses decimal precision d, so his term (5/3)d =
        # (5/3)*(log(2)/log(10))*prec = 0.5017*prec, which we round
        # up. The rest of the expression was wrongly transcribed in
        # Sage versions <5.6 (see #12509).
        nterms = int(math.ceil(0.51*prec + 0.5 + 0.75 * (7 + 4*H.log()/3 - temp).log()))

        b2p = b2 - 12
        b4p = b4 - b2 + 6
        b6p = b6 - 2*b4 + b2 - 4
        b8p = b8 - 3*b6 + 3*b4 - b2 + 3

        fz = lambda T: 1 - T**2 * (b4 + T*(2*b6 + T*b8))
        fzp = lambda T: 1 - T**2 * (b4p + T*(2*b6p + T*b8p))
        fw = lambda T: T*(4 + T*(b2 + T*(2*b4 + T*b6)))
        fwp = lambda T: T*(4 + T*(b2p + T*(2*b4p + T*b6p)))

        x = vv(self[0])
        if abs(x) >= .5:
            t = 1/x
            beta = True
        else:
            t = 1/(x+1)
            beta = False
        lam = -t.abs().log()
        mu = 0
        four_to_n = rings.QQ(1)

        for n in range(nterms):
            if beta:
                w = fw(t)
                z = fz(t)
                if abs(w) <= 2 * abs(z):
                    mu += four_to_n * z.abs().log()
                    t = w/z
                else:
                    mu += four_to_n * (z+w).abs().log()
                    t = w/(z+w)
                    beta = not beta
            else:
                w = fwp(t)
                z = fzp(t)
                if abs(w) <= 2 * abs(z):
                    mu += four_to_n * z.abs().log()
                    t = w/z
                else:
                    mu += four_to_n * (z-w).abs().log()
                    t = w/(z-w)
                    beta = not beta
            four_to_n >>= 2
        h = rings.RealField(prec)(lam + mu/4)
        if weighted and not v.im_gens()[0] in rings.RR:
            h *= 2
        return h

    archimedian_local_height = deprecated_function_alias(13951, archimedean_local_height)

 

    def non_archimedean_local_height(self, v=None, prec=None,
                                     weighted=False, is_minimal=None):
        """

Compute the local height of self at the non-archimedean place `v`. 

 

INPUT: 

 

- ``self`` -- a point on an elliptic curve over a number field 

`K`. 

 

- ``v`` -- a non-archimedean place of `K`, or None (default). 

If `v` is a non-archimedean place, return the local height 

of self at `v`. If `v` is None, return the total 

non-archimedean contribution to the global height. 

 

- ``prec`` -- integer, or None (default). The precision of the 

computation. If None, the height is returned symbolically. 

 

- ``weighted`` -- boolean. If False (default), the height is 

normalised to be invariant under extension of `K`. If True, 

return this normalised height multiplied by the local degree 

if `v` is a single place, or by the degree of `K` if `v` is 

None. 

 

OUTPUT: 

 

A real number. The normalisation is twice that in Silverman's 

paper [Sil1988]_. Note that this local height depends on the 

model of the curve. 

 

ALGORITHM: 

 

See [Sil1988]_, Section 5. 

 

EXAMPLES: 

 

Examples 2 and 3 from [Sil1988]_:: 

 

sage: K.<i> = NumberField(x^2+1) 

sage: E = EllipticCurve(K, [0,0,4,6*i,0]); E 

Elliptic Curve defined by y^2 + 4*y = x^3 + 6*i*x over Number Field in i with defining polynomial x^2 + 1 

sage: P = E((0,0)) 

sage: P.non_archimedean_local_height(K.ideal(i+1)) 

-1/2*log(2) 

sage: P.non_archimedean_local_height(K.ideal(3)) 

0 

sage: P.non_archimedean_local_height(K.ideal(1-2*i)) 

0 

 

sage: Q = E.lift_x(-9/4); Q 

(-9/4 : -27/8*i : 1) 

sage: Q.non_archimedean_local_height(K.ideal(1+i)) 

2*log(2) 

sage: Q.non_archimedean_local_height(K.ideal(3)) 

0 

sage: Q.non_archimedean_local_height(K.ideal(1-2*i)) 

0 

sage: Q.non_archimedean_local_height() 

2*log(2) 

 

An example over the rational numbers:: 

 

sage: E = EllipticCurve([0, 0, 0, -36, 0]) 

sage: P = E([-3, 9]) 

sage: P.non_archimedean_local_height() 

-log(3) 

 

Local heights of torsion points can be non-zero (unlike the 

global height):: 

 

sage: K.<i> = QuadraticField(-1) 

sage: E = EllipticCurve([0, 0, 0, K(1), 0]) 

sage: P = E(i, 0) 

sage: P.non_archimedean_local_height() 

-1/2*log(2) 

 

TESTS:: 

 

sage: Q.non_archimedean_local_height(prec=100) 

1.3862943611198906188344642429 

sage: (3*Q).non_archimedean_local_height() 

1/2*log(75923153929839865104) 

 

sage: F.<a> = NumberField(x^4 + 2*x^3 + 19*x^2 + 18*x + 288) 

sage: F.ring_of_integers().basis() 

[1, 5/6*a^3 + 1/6*a, 1/6*a^3 + 1/6*a^2, a^3] 

sage: F.class_number() 

12 

sage: E = EllipticCurve('37a').change_ring(F) 

sage: P = E((-a^2/6 - a/6 - 1, a)); P 

(-1/6*a^2 - 1/6*a - 1 : a : 1) 

sage: P[0].is_integral() 

True 

sage: P.non_archimedean_local_height() 

0 

 

This shows that the bug reported at :trac:`13951` has been fixed:: 

 

sage: E = EllipticCurve([0,17]) 

sage: P = E(2,5) 

sage: P.non_archimedean_local_height(2) 

-2/3*log(2) 

""" 

        if prec:
            log = lambda x: rings.RealField(prec)(x).log()
        else:
            from sage.functions.log import log

        if v is None:
            D = self.curve().discriminant()
            K = self.curve().base_ring()
            if K is rings.QQ:
                factorD = D.factor()
                if self[0] == 0:
                    c = 1
                else:
                    c = self[0].denominator()
                # The last sum is for bad primes that divide c where
                # the model is not minimal.
                h = (log(c)
                     + sum(self.non_archimedean_local_height(p, prec, weighted=True, is_minimal=(e < 12))
                           for p,e in factorD if not p.divides(c))
                     + sum(self.non_archimedean_local_height(p, prec, weighted=True)
                           - c.valuation(p) * log(p)
                           for p,e in factorD if e >= 12 and p.divides(c)))
            else:
                factorD = K.factor(D)
                if self[0] == 0:
                    c = K.ideal(1)
                else:
                    c = K.ideal(self[0]).denominator()
                # The last sum is for bad primes that divide c where
                # the model is not minimal.
                h = (log(c.norm())
                     + sum(self.non_archimedean_local_height(v, prec, weighted=True, is_minimal=(e < 12))
                           for v,e in factorD if not v.divides(c))
                     + sum(self.non_archimedean_local_height(v, prec, weighted=True)
                           - c.valuation(v) * log(v.norm())
                           for v,e in factorD if e >= 12 and v.divides(c)))
                if not weighted:
                    h /= K.degree()
            return h

        if is_minimal:
            E = self.curve()
            P = self
            offset = ZZ.zero()
        else:
            E = self.curve().local_minimal_model(v)
            P = self.curve().isomorphism_to(E)(self)
            # Silverman's normalization is not invariant under change of model,
            # but it all cancels out in the global height.
            offset = (self.curve().discriminant()/E.discriminant()).valuation(v)

        a1, a2, a3, a4, a6 = E.a_invariants()
        b2, b4, b6, b8 = E.b_invariants()
        c4 = E.c4()
        x, y = P.xy()
        D = E.discriminant()
        N = D.valuation(v)
        A = (3*x**2 + 2*a2*x + a4 - a1*y).valuation(v)
        B = (2*y+a1*x+a3).valuation(v)
        C = (3*x**4 + b2*x**3 + 3*b4*x**2 + 3*b6*x + b8).valuation(v)
        if A <= 0 or B <= 0:
            r = max(0, -x.valuation(v))
        elif c4.valuation(v) == 0:
            n = min(B, N/2)
            r = -n*(N-n)/N
        elif C >= 3*B:
            r = -2*B/3
        else:
            r = -C/4
        r -= offset/6
        if not r:
            return rings.QQ.zero()
        else:
            if E.base_ring() is rings.QQ:
                Nv = Integer(v)
            else:
                Nv = v.norm()
                if not weighted:
                    r = r / (v.ramification_index() * v.residue_class_degree())
            return r * log(Nv)

    nonarchimedian_local_height = deprecated_function_alias(13951, non_archimedean_local_height)

 

    def elliptic_logarithm(self, embedding=None, precision=100,
                           algorithm='pari'):
        r"""

Returns the elliptic logarithm of this elliptic curve point. 

 

An embedding of the base field into `\RR` or `\CC` (with 

arbitrary precision) may be given; otherwise the first real 

embedding is used (with the specified precision) if any, else 

the first complex embedding. 

 

INPUT: 

 

- ``embedding``: an embedding of the base field into `\RR` or `\CC` 

 

- ``precision``: a positive integer (default 100) setting the 

number of bits of precision for the computation 

 

- ``algorithm``: either 'pari' (default for real embeddings) 

to use PARI's ``ellpointtoz{}``, or 'sage' for a native 

implementation. Ignored for complex embeddings. 

 

ALGORITHM: 

 

See [Coh1993]_ for the case of real embeddings, 

and Cremona, J.E. and Thongjunthug, T. 2010 for the complex 

case. 

 

AUTHORS: 

 

- Michael Mardaus (2008-07), 

- Tobias Nagel (2008-07) -- original version from [Coh1993]_. 

- John Cremona (2008-07) -- revision following eclib code. 

- John Cremona (2010-03) -- implementation for complex embeddings. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve('389a') 

sage: E.discriminant() > 0 

True 

sage: P = E([-1,1]) 

sage: P.is_on_identity_component () 

False 

sage: P.elliptic_logarithm (precision=96) 

0.4793482501902193161295330101 + 0.985868850775824102211203849...*I 

sage: Q=E([3,5]) 

sage: Q.is_on_identity_component() 

True 

sage: Q.elliptic_logarithm (precision=96) 

1.931128271542559442488585220 

 

An example with negative discriminant, and a torsion point:: 

 

sage: E = EllipticCurve('11a1') 

sage: E.discriminant() < 0 

True 

sage: P = E([16,-61]) 

sage: P.elliptic_logarithm(precision=70) 

0.25384186085591068434 

sage: E.period_lattice().real_period(prec=70) / P.elliptic_logarithm(precision=70) 

5.0000000000000000000 

 

A larger example. The default algorithm uses PARI and makes 

sure the result has the requested precision:: 

 

sage: E = EllipticCurve([1, 0, 1, -85357462, 303528987048]) #18074g1 

sage: P = E([4458713781401/835903744, -64466909836503771/24167649046528, 1]) 

sage: P.elliptic_logarithm() # 100 bits 

0.27656204014107061464076203097 

 

The native algorithm 'sage' used to have trouble with 

precision in this example, but no longer:: 

 

sage: P.elliptic_logarithm(algorithm='sage') # 100 bits 

0.27656204014107061464076203097 

 

This shows that the bug reported at :trac:`4901` has been fixed:: 

 

sage: E = EllipticCurve("4390c2") 

sage: P = E(683762969925/44944,-565388972095220019/9528128) 

sage: P.elliptic_logarithm() 

0.00025638725886520225353198932529 

sage: P.elliptic_logarithm(precision=64) 

0.000256387258865202254 

sage: P.elliptic_logarithm(precision=65) 

0.0002563872588652022535 

sage: P.elliptic_logarithm(precision=128) 

0.00025638725886520225353198932528666427412 

sage: P.elliptic_logarithm(precision=129) 

0.00025638725886520225353198932528666427412 

sage: P.elliptic_logarithm(precision=256) 

0.0002563872588652022535319893252866642741168388008346370015005142128009610936373 

sage: P.elliptic_logarithm(precision=257) 

0.00025638725886520225353198932528666427411683880083463700150051421280096109363730 

 

Examples over number fields:: 

 

sage: K.<a> = NumberField(x^3-2) 

sage: embs = K.embeddings(CC) 

sage: E = EllipticCurve([0,1,0,a,a]) 

sage: Ls = [E.period_lattice(e) for e in embs] 

sage: [L.real_flag for L in Ls] 

[0, 0, -1] 

sage: P = E(-1,0) # order 2 

sage: [L.elliptic_logarithm(P) for L in Ls] 

[-1.73964256006716 - 1.07861534489191*I, -0.363756518406398 - 1.50699412135253*I, 1.90726488608927] 

 

sage: E = EllipticCurve([-a^2 - a - 1, a^2 + a]) 

sage: Ls = [E.period_lattice(e) for e in embs] 

sage: pts = [E(2*a^2 - a - 1 , -2*a^2 - 2*a + 6 ), E(-2/3*a^2 - 1/3 , -4/3*a - 2/3 ), E(5/4*a^2 - 1/2*a , -a^2 - 1/4*a + 9/4 ), E(2*a^2 + 3*a + 4 , -7*a^2 - 10*a - 12 )] 

sage: [[L.elliptic_logarithm(P) for P in pts] for L in Ls] 

[[0.250819591818930 - 0.411963479992219*I, -0.290994550611374 - 1.37239400324105*I, -0.693473752205595 - 2.45028458830342*I, -0.151659609775291 - 1.48985406505459*I], [1.33444787667954 - 1.50889756650544*I, 0.792633734249234 - 0.548467043256610*I, 0.390154532655013 + 0.529423541805758*I, 0.931968675085317 - 0.431006981443071*I], [1.14758249500109 + 0.853389664016075*I, 2.59823462472518 + 0.853389664016075*I, 1.75372176444709, 0.303069634723001]] 

 

:: 

 

sage: K.<i> = QuadraticField(-1) 

sage: E = EllipticCurve([0,0,0,9*i-10,21-i]) 

sage: emb = K.embeddings(CC)[1] 

sage: L = E.period_lattice(emb) 

sage: P = E(2-i,4+2*i) 

sage: L.elliptic_logarithm(P,prec=100) 

0.70448375537782208460499649302 - 0.79246725643650979858266018068*I 

 

""" 

        from sage.rings.number_field.number_field import refine_embedding
        from sage.rings.all import RealField, ComplexField, QQ

        # Check the trivial case:

        C = ComplexField(precision)
        if self.is_zero():
            return C.zero()

        # find a suitable embedding if none was supplied:

        E = self.curve()
        K = E.base_field()
        rational = (K is QQ)
        emb = embedding

        if emb is None:
            emb = K.embeddings(RealField(precision))
            if len(emb) > 0:
                emb = emb[0]
            else:
                emb = K.embeddings(ComplexField(precision))[0]
        else:
            # Get the precision of the supplied embedding
            prec = emb.codomain().precision()
            # if the precision parameter is greater, refine the embedding:
            if precision > prec:
                emb = refine_embedding(emb, precision)

        L = E.period_lattice(emb)

        # Use the native implementation if it was requested or if the
        # embedding is complex (codomain() is a method and must be called).
        if algorithm == 'sage' or not is_RealField(emb.codomain()):
            return L.elliptic_logarithm(self, precision)

        if algorithm != 'pari':
            raise ValueError("algorithm must be either 'pari' or 'sage'")

        # From now on emb() is a real embedding of K into
        # RealField(precision). We interface with the PARI library.

        x, y = self.xy()
        if rational:  # work with exact coordinates
            E_work = E
            pt_pari = pari([x, y])
        else:  # use the embedding to get real coordinates
            ai = [emb(a) for a in E.a_invariants()]
            E_work = EllipticCurve(ai)  # defined over RR
            pt_pari = pari([emb(x), emb(y)])
        working_prec = precision
        E_pari = E_work.pari_curve()
        log_pari = E_pari.ellpointtoz(pt_pari, precision=working_prec)

        while prec_words_to_bits(log_pari.precision()) < precision:
            # result is not precise enough, re-compute with double
            # precision. if the base field is not QQ, this
            # requires modifying the precision of the embedding,
            # the curve, and the point
            working_prec = 2*working_prec
            if not rational:
                emb = refine_embedding(emb, working_prec)
                ai = [emb(a) for a in E.a_invariants()]
                E_work = EllipticCurve(ai)  # defined over RR
                pt_pari = pari([emb(x), emb(y)])
            E_pari = E_work.pari_curve()
            log_pari = E_pari.ellpointtoz(pt_pari, precision=working_prec)

        # normalization step
        r, i = C(log_pari)
        wR, wI = L.basis(prec=precision)
        k = (r/wR).floor()
        if k:
            r -= k*wR
        if self.is_on_identity_component(emb):
            return C(r)
        # Now there are two components and P is on the non-identity one
        return C(r)+C(wI/2)

 

    def padic_elliptic_logarithm(self, p, absprec=20):
        r"""

Computes the `p`-adic elliptic logarithm of this point. 

 

INPUT: 

 

- ``p`` - integer: a prime

- ``absprec`` - integer (default: 20): the initial `p`-adic
absolute precision of the computation

 

OUTPUT: 

 

The `p`-adic elliptic logarithm of self, with precision ``absprec``. 

 

AUTHORS: 

 

- Tobias Nagel 

- Michael Mardaus 

- John Cremona 

 

ALGORITHM: 

 

For points in the formal group (i.e. not integral at `p`) we 

take the ``log()`` function from the formal groups module and 

evaluate it at `-x/y`. Otherwise we first multiply the point 

to get into the formal group, and divide the result 

afterwards. 

 

.. TODO:: 

 

See comments at :trac:`4805`. Currently the absolute 

precision of the result may be less than the given value 

of absprec, and error-handling is imperfect. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve([0,1,1,-2,0]) 

sage: E(0).padic_elliptic_logarithm(3) 

0 

sage: P = E(0,0) 

sage: P.padic_elliptic_logarithm(3) 

2 + 2*3 + 3^3 + 2*3^7 + 3^8 + 3^9 + 3^11 + 3^15 + 2*3^17 + 3^18 + O(3^19) 

sage: P.padic_elliptic_logarithm(3).lift() 

660257522 

sage: P = E(-11/9,28/27) 

sage: [(2*P).padic_elliptic_logarithm(p)/P.padic_elliptic_logarithm(p) for p in prime_range(20)] # long time (3s) 

[2 + O(2^19), 2 + O(3^20), 2 + O(5^19), 2 + O(7^19), 2 + O(11^19), 2 + O(13^19), 2 + O(17^19), 2 + O(19^19)] 

sage: [(3*P).padic_elliptic_logarithm(p)/P.padic_elliptic_logarithm(p) for p in prime_range(12)] # long time (2s) 

[1 + 2 + O(2^19), 3 + 3^20 + O(3^21), 3 + O(5^19), 3 + O(7^19), 3 + O(11^19)] 

sage: [(5*P).padic_elliptic_logarithm(p)/P.padic_elliptic_logarithm(p) for p in prime_range(12)] # long time (2s) 

[1 + 2^2 + O(2^19), 2 + 3 + O(3^20), 5 + O(5^19), 5 + O(7^19), 5 + O(11^19)] 

 

An example which arose during reviewing :trac:`4741`:: 

 

sage: E = EllipticCurve('794a1') 

sage: P = E(-1,2) 

sage: P.padic_elliptic_logarithm(2) # default precision=20 

2^4 + 2^5 + 2^6 + 2^8 + 2^9 + 2^13 + 2^14 + 2^15 + O(2^16) 

sage: P.padic_elliptic_logarithm(2, absprec=30) 

2^4 + 2^5 + 2^6 + 2^8 + 2^9 + 2^13 + 2^14 + 2^15 + 2^22 + 2^23 + 2^24 + O(2^26) 

sage: P.padic_elliptic_logarithm(2, absprec=40) 

2^4 + 2^5 + 2^6 + 2^8 + 2^9 + 2^13 + 2^14 + 2^15 + 2^22 + 2^23 + 2^24 + 2^28 + 2^29 + 2^31 + 2^34 + O(2^35) 

""" 

        if not p.is_prime():
            raise ValueError('p must be prime')
        debug = False  # True
        if debug:
            print("P=", self, "; p=", p, " with precision ", absprec)
        E = self.curve()
        Q_p = Qp(p, absprec)
        if self.has_finite_order():
            return Q_p(0)
        while True:
            try:
                Ep = E.change_ring(Q_p)
                P = Ep(self)
                x, y = P.xy()
                break
            except (PrecisionError, ArithmeticError, ZeroDivisionError):
                absprec *= 2
                Q_p = Qp(p, absprec)
        if debug:
            print("x,y=", (x, y))
        f = 1  # f will be such that f*P is in the formal group E^1(Q_p)
        if x.valuation() >= 0:  # P is not in E^1
            if not self.has_good_reduction(p):  # P is not in E^0
                n = E.tamagawa_exponent(p)  # n*P has good reduction at p
                if debug:
                    print("Tamagawa exponent =", n)
                f = n
                P = n*P  # lies in E^0
                if debug:
                    print("P=", P)
                try:
                    x, y = P.xy()
                except ZeroDivisionError:
                    raise ValueError("Insufficient precision in "
                                     "p-adic_elliptic_logarithm()")
                if debug:
                    print("x,y=", (x, y))
            if x.valuation() >= 0:  # P is still not in E^1
                t = E.local_data(p).bad_reduction_type()
                if t is None:
                    m = E.reduction(p).abelian_group().exponent()
                else:
                    m = p - t
                if debug:
                    print("mod p exponent =", m)
                # now m*(n*P) reduces to the identity mod p, so is
                # in E^1(Q_p)
                f *= m
                P = m*P  # lies in E^1
                try:
                    x, y = P.xy()
                except ZeroDivisionError:
                    raise ValueError("Insufficient precision in "
                                     "p-adic_elliptic_logarithm()")
                if debug:
                    print("f=", f)
                    print("x,y=", (x, y))
        vx = x.valuation()
        vy = y.valuation()
        v = vx-vy
        if not (v > 0 and vx == -2*v and vy == -3*v):
            raise ValueError("Insufficient precision in "
                             "p-adic_elliptic_logarithm()")
        try:
            t = -x/y
        except (ZeroDivisionError, PrecisionError):
            raise ValueError("Insufficient precision in "
                             "p-adic_elliptic_logarithm()")
        if debug:
            print("t=", t, ", with valuation ", v)
        phi = Ep.formal().log(prec=1+absprec//v)
        return phi(t)/f

 

 

class EllipticCurvePoint_finite_field(EllipticCurvePoint_field):
    r"""
    Class for elliptic curve points over finite fields.
    """
    def _magma_init_(self, magma):
        """

Return a string representation of self that ``MAGMA`` can 

use for input. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve(GF(17), [1,-1]) 

sage: P = E([13, 4]) 

sage: P._magma_init_(magma) # optional - magma 

'EllipticCurve([_sage_ref...|GF(17)!0,GF(17)!0,GF(17)!0,GF(17)!1,GF(17)!16])![13,4]' 

""" 

        E = self.curve()._magma_init_(magma)
        x, y = self.xy()
        return "%s![%s,%s]" % (E, x, y)

 

    def discrete_log(self, Q, ord=None):
        r"""

Returns discrete log of `Q` with respect to `P` =self. 

 

INPUT: 

 

- ``Q`` (point) -- another point on the same curve as self. 

 

- ``ord`` (integer or ``None`` (default)) -- the order of self. 

 

OUTPUT: 

 

(integer) -- The discrete log of `Q` with respect to `P`, which is an 

integer `m` with `0\le m<o(P)` such that `mP=Q`, if one 

exists. A ValueError is raised if there is no solution. 

 

.. NOTE:: 

 

The order of self is computed if not supplied. 

 

AUTHOR: 

 

- John Cremona. Adapted to use generic functions 2008-04-05. 

 

EXAMPLES:: 

 

sage: F = GF(3^6,'a') 

sage: a = F.gen() 

sage: E = EllipticCurve([0,1,1,a,a]) 

sage: E.cardinality() 

762 

sage: A = E.abelian_group() 

sage: P = A.gen(0).element() 

sage: Q = 400*P 

sage: P.discrete_log(Q) 

400 

""" 

        if ord is None:
            ord = self.order()
        try:
            return generic.discrete_log(Q, self, ord, operation='+')
        except Exception:
            raise ValueError("ECDLog problem has no solution")

 

    def has_finite_order(self):
        r"""

Return ``True`` if this point has finite additive order as an element 

of the group of points on this curve. 

 

Since the base field is finite, the answer will always be ``True``. 

 

EXAMPLES:: 

 

sage: E = EllipticCurve(GF(7), [1,3]) 

sage: P = E.points()[3] 

sage: P.has_finite_order() 

True 

""" 

        return True

 

    def order(self):
        r"""

Return the order of this point on the elliptic curve. 

 

ALGORITHM: 

 

Use generic functions from :mod:`sage.groups.generic`. If the 

group order is known, use ``order_from_multiple()``, otherwise 

use ``order_from_bounds()`` with the Hasse bounds for the base 

field. In the latter case, we might find that we have a 

generator for the group, in which case it is cached. 

 

We do not cause the group order to be calculated when not 

known, since this function is used in determining the group 

order via computation of several random points and their 

orders. The exceptions to this are (1) when the base field is 

a prime field and efficient SEA-based methods are available 

for the cardinality, and (2) when finding the group order is 

possible quickly, currently only implemented for curves with 

`j=0` or `j=1728` (see :trac:`15567`). 

 

.. NOTE:: 

 

:meth:`additive_order` is a synonym for :meth:`order` 

 

AUTHOR: 

 

- John Cremona, 2008-02-10, adapted 2008-04-05 to use generic functions. 

 

EXAMPLES:: 

 

sage: k.<a> = GF(5^5) 

sage: E = EllipticCurve(k,[2,4]); E 

Elliptic Curve defined by y^2 = x^3 + 2*x + 4 over Finite Field in a of size 5^5 

sage: P = E(3*a^4 + 3*a , 2*a + 1 ) 

sage: P.order() 

3227 

sage: Q = E(0,2) 

sage: Q.order() 

7 

sage: Q.additive_order() 

7 

 

In the next example, the cardinality of E will be computed 

(using SEA) and cached:: 

 

sage: p=next_prime(2^150) 

sage: E=EllipticCurve(GF(p),[1,1]) 

sage: P=E(831623307675610677632782670796608848711856078, 42295786042873366706573292533588638217232964) 

sage: P.order() 

1427247692705959881058262545272474300628281448 

sage: P.order()==E.cardinality() 

True 

 

In the next example, the cardinality of E will be computed and 

cached since `j(E)=0`:: 

 

sage: p = 33554501 

sage: F.<u> = GF(p^2) 

sage: E = EllipticCurve(F,[0,1]) 

sage: E.j_invariant() 

0 

sage: P = E.random_point() 

sage: P = E.random_point() 

sage: P.order() # random 

16777251 

sage: E._order # as cached 

1125904604468004 

 

Similarly when `j(E)=1728`:: 

 

sage: p = 33554473 

sage: F.<u> = GF(p^2) 

sage: E = EllipticCurve(F,[1,0]) 

sage: E.j_invariant() 

1728 

sage: P = E.random_point() 

sage: P.order() # random 

46912611635760 

sage: E._order # as cached 

1125902679258240 

""" 

        try:
            return self._order
        except AttributeError:
            pass
        if self.is_zero():
            return Integer(1)
        E = self.curve()
        K = E.base_ring()
        from sage.schemes.curves.projective_curve import Hasse_bounds
        bounds = Hasse_bounds(K.order())

        try:
            M = E._order
            try:
                plist = E._prime_factors_of_order
            except AttributeError:
                plist = M.prime_divisors()
                E._prime_factors_of_order = plist
            N = generic.order_from_multiple(self, M, plist, operation='+')
        except AttributeError:
            j = E.j_invariant()
            if K.is_prime_field() or j.is_zero() or j==K(1728):
                M = E.cardinality()  # computed and cached
                plist = M.prime_divisors()
                E._prime_factors_of_order = plist
                N = generic.order_from_multiple(self, M, plist, operation='+')
            else:
                N = generic.order_from_bounds(self, bounds, operation='+')

        if 2*N > bounds[1]:  # then we have a generator, so cache this
            if not hasattr(E, '_order'):
                E._order = N
            if not E.abelian_group.is_in_cache():
                g = AdditiveAbelianGroupWrapper(E.point_homset(), [self], [N])
                E.abelian_group.set_cache(g)

        self._order = N
        return self._order

    additive_order = order