Zulip Chat Archive

Stream: maths

Topic: thoughts on elliptic curves

Kevin Buzzard (Dec 15 2021 at 13:53):

Some students at Imperial are thinking about associativity of the group law on an elliptic curve.

Let's fix a field $k$, and for simplicity let's assume char 0. An elliptic curve $E$ over $k$ can be written as $Y^2=f(X)$ where $f(X)=X^3+AX+B$, with $A,B\in K$ (and some polynomial $D(A,B)$ is assumed non-zero to guarantee the cubic is smooth). The formalisation literature only ever does one thing now: defines $E(k)$ to be the union of a mysterious "point at infinity" plus the set of solutions $(x,y)\in k^2$ to the equation $y^2=f(x)$, and then defines an addition on $E(k)$ via some strange geometric shenannigans involving drawing lines or just directly via "this is the equation, deal with it".

What we in mathlib are in a very good position to do now is to develop a basic theory of elliptic curves over number fields: things like a proof of the Mordell-Weil theorem (this group is finitely-generated if $k$ is a number field), the statement of the Taniyama--Shimura conjecture (the $L$-function of the curve has an analytic extension to the complexes), and the statement of the Birch and Swinnerton--Dyer conjecture (in both its weak and strong forms) are within scope over the next few years and would be a really nice project. Nothing like this is in any other theorem prover.

However, before we get to those shiny things, we need to prove associativity of the group law!

My initial plan for this was "just grind out the algebra". The question is literally "here is a field k, here are 11 variables a1,a2,a3,a4,a6,x1,y1,x2,y2,x3,y3 in that field, here is some really big rational function in these 11 variables, we claim that the numerator can be written as a simple combination of y1^2-f(x1), y2^2-f(x2), y3^2-f(x3) and we're only allowed to divide by the discriminant". Apparently Lean 3 times out (according to a student -- I've not seen the code but the student is about to get push access to mathlib non-master branches so I'm about to).

There are two other proofs I know. One involves some projective geometry. It goes like this: say the three points are A,B,C and the point at infinity is O. Draw the line through A and B; it intersects the curve again at D. Reflect (change the sign of the y coordinate) to get E. Draw the line through E and C and get a new point F. Now go the other way around; the line through B,C meets the curve again at G; the reflection of G is H; the line through H and A meets the curve again at I. STP F=I ((A+B)+C is the reflection of F; A+(B+C) is the reflection of I). The proof goes like this. First show that for eight points P1,P2,...,P8 in projective 2-space in "general position" (e.g. no 4 on a line etc), any cubic through these 8 points also passes through a mysterious 9th point P9 (this is done by a dimension count) and now apply to the 8 points OABCDEGH. Using the elliptic curve and the degenerate (i.e. product of three linear factors) cubic ABD+ECF+OGH you deduce the 9th point is F, and using BCG+AHI+ODE
you deduce that the 9th point is I, so F=I. I don't really have a feeling as to how practical this method is in practice. One worry is that whatever "general position" actually does mean, there will be a ton of edge cases which will probably need doing; in the books you just say "oh blah blah blah, Zariski-closed set in a scheme containing the generic point so it's everything" but I'm not convinced that this would be any easier.

The other proof I know of associativity is a more high-powered one using the Picard group. Basically the idea is that you write down another object which is obviously an abelian group (it's a subquotient of the free abelian group generated by the points on the curve) and then you write down a bijection between this object and the points on the curve and prove that addition on the object and addition on the curve commutes with the bijection, and hence addition on the curve is associative. This proof looks at first sight like it's way out of reach because it looks like it might need a whole bunch of algebraic geometry (divisors, principal divisors etc) but actually when thinking about this this morning I realised that a lot of this material is closer than we might think. Let me say more about this.

$k$ is our ground field (fixed), equation is $y^2=f(x)$. Let $R$ be the ring $k[X,Y]/(Y^2-f(X))$. This ring is an integral domain, and indeed it's a Dedekind domain. I claim that the elliptic curve $E(k)$ is "canonically" isomorphic to the class group of $R$! The proof of this involves a little bit of diagram chasing etc but let's just assume it; the point is that Pic^0(E)=Pic(affine model). The map from E(k) to the class group sends the point at infinity to the zero class (the identity of the class group) and sends (x,y) to the ideal (X-x,Y-y). This is easily checked to be a maximal ideal. Now there are two things which need to be done to finish the proof of associativity:

1) Prove that this map is injective
2) Prove that addition on the curve corresponds to the group law on the class group

For (1) this boils down to the following assertion: prove that if (x1,y1) != (x2,y2) are two distinct points on the curve, then there does not exist non-zero f,g in R such that $(X-x1,Y-y1)*(f)=(X-x2,Y-y2)*(g)$, this being equality of ideals in R.

For (2) this boils down to an identity of ideals -- if (x1,y1)+(x2,y2)=(x3,y3) addition on the curve, then we want to write down explicit f and g (linear) such that $(X-x1,Y-y1)*(X-x2,Y-y2)*(f)=(X-x3,Y-y3)*(g)$. This looks to me to be much easier algebra.

I am a bit unclear about how to do (1). Again my head says "of course the divisor P-Q isn't principal because this would give an isomorphism of the curve with the projective line, which can't happen because genus is an isomorphism-invariant". If we could come up with a low-level translation then this would be a really cool application of the class group stuff. Do any of the more algebro-geometric people (@Damiano Testa , @Riccardo Brasca , @Antoine Chambert-Loir ) know if there is a proof of (1) which translates down into only ring theory somehow? I think that if we can do this then this would be a really nice way to prove associativity because we can claim that we're doing it the conceptual way which is of course the "correct" way.

Note that we need associativity (which works over a general field) before we can start on all of the arithmetic stuff (which works over a number field e.g. the rationals).

Riccardo Brasca (Dec 15 2021 at 13:58):

I am afraid I don't know a simpler proof, but I really like your idea of using the class group!

Filippo A. E. Nuccio (Dec 15 2021 at 14:01):

Since you would be interested in number fields, wouldn't the option through Weierstrass $\wp$ work? I have never tried the details myself, but what I mean is that you first prove that $\mathbb{C}/\Lambda$ is abelian (associative!); that's easy (coming up with the right lattice might be tricky). And then you prove "by hand" that $\wp$ and $\wp'$ produce a bijection, so you can transfer the group law, and it will be associative for elliptic curves over $\mathbb{C}$. Then $E(k)$ is a substuff of $E(\mathbb{C})$ and associativity is preserved. Again, I wrote this without too much thinking, so I apologise if it does not work - but it would be nice to see meromorphic functions in action!

Filippo A. E. Nuccio (Dec 15 2021 at 14:02):

That being said, I agree with Riccardo that the idea with the class group is nice! We actually mentioned this example in our final version of our Dedekind paper with @Anne Baanen , @Ashvni Narayanan and @Sander Dahmen , to give an example of a non-finite class group.

Antoine Chambert-Loir (Dec 15 2021 at 14:04):

That's unclear to me that there is a low-tech proof, precisely for the reason that you indicate : it would prove that the cubic is not rational.

On the other hand, some simple cubics can be proved to be nonrational by applying Stothers/Mason, when their equation reduces to a sum of three terms. I remember it works for the Fermat_3 curve, and possibly for $y^2=x^3+1$ (I'm not sure), but in general, you have 4 terms…

Antoine Chambert-Loir (Dec 15 2021 at 14:08):

I remember Mestre telling that with a computer algebra system, associativity of the group law is a mere triviality.
I believe that one should try to understand why the formal computation does not work in Lean, or how to make a computer algebra system produce compilable Lean code.
I think that this is along these lines that Hales and coauthors formalized the associativity for Edwards models of elliptic curves, see https://arxiv.org/abs/2004.12030.

Kevin Buzzard (Dec 15 2021 at 14:31):

Yes associativity is a triviality with a computer algebra system. It is the statement that some element is in some ideal and if the computer algebra system has Groebner bases implemented for polynomial rings over fields it's easy. What we would have to do in Lean is to reduce the question to "element is in ideal" and then solve it using a computer algebra system, copy the explicit presentation of the element as a linear combination of generators of the ideal back into Lean and then hope that ring can handle it. Computer algebra systems can handle very large algebraic objects easily. Lean 3 is not so good at it. I did propose to a couple of people the project of doing this in Lean 4 as an interesting test for ring but someone objected that the "bash it out" proof was not "the proper proof" and so shouldn't be formalised at all!

Adam Topaz (Dec 15 2021 at 14:38):

But I would say the "proper proof" is to prove Riemann Roch first, and that's going to take a little while...

Adam Topaz (Dec 15 2021 at 14:40):

Can ring in lean3 not handle the explicit formulas for the group law?

Kevin Buzzard (Dec 15 2021 at 14:41):

I don't know yet. David Angdinata just pushed where he was at; https://github.com/leanprover-community/mathlib/commit/f9685f40de179cba4fb8f68b1a51c2913c0c7463

Adam Topaz (Dec 15 2021 at 14:42):

The definition of add is ~130 lines long...

Adam Topaz (Dec 15 2021 at 14:43):

Where is my copy of Silverman

Kevin Buzzard (Dec 15 2021 at 14:44):

This is the first time I've seen the code. I also tried something with Cremona at LFTCM: https://github.com/ImperialCollegeLondon/Example-Lean-Projects/blob/master/src/elliptic_curves/basic.lean

Kevin Buzzard (Dec 15 2021 at 14:44):

Looks like I got the definition of add down to 50

Kevin Buzzard (Dec 15 2021 at 14:46):

the definition involves a proof obligation, right? You have P=(x1,y1) and Q=(x2,y2) and the answer to P+Q in general is "the x coordinate is some messy function of x1,y1,x2,y2, as is the y coordinate, but now we have to prove they're a solution to the cubic"

Adam Topaz (Dec 15 2021 at 14:47):

Yeah, I see... I guess the ideal approach would have some custom auto param on that proof obligation that would (hopefully) discharge the goal automatically ;)

Johan Commelin (Dec 15 2021 at 14:48):

An elliptic curve is a smooth proper group scheme of dimension 1. Isn't that the way mathlib should approach this?

Kevin Buzzard (Dec 15 2021 at 14:48):

Jamie Bell's project does addition in 30 lines https://github.com/jamiebell2805/BSD-conjecture/blob/master/src/elliptic_curve_rationals.lean (one of which is very long) but he works with the simpler model y^2=cubic

Kevin Buzzard (Dec 15 2021 at 14:48):

@Johan no I don't think it is. Because then we're just saying "Mordell-Weil is 3 years away".

Adam Topaz (Dec 15 2021 at 14:49):

@Johan Commelin how would you prove that such a smooth proper group scheme of dimension 1 has a Weierstrass equation?

Filippo A. E. Nuccio (Dec 15 2021 at 14:49):

Well, but are we speaking of mathlib or Lean? Mordell--Weil can land in mathlib in 3 years, no? There might be a parallel project proving it in the meanwhile.

Kevin Buzzard (Dec 15 2021 at 14:49):

The proof of Mordell-Weil for elliptic curves over Q looks like this: first prove that a smooth proper group scheme of dimension 1 over a PID has a Weierstrass equation. Then do the theory of heights and a 2-descent.

Kevin Buzzard (Dec 15 2021 at 14:50):

For me the two parts are totally disjoint. The first step is some algebro-geometric argument which I sketch in the module doc for EllipticCurve. The second is arithmetic and is completely independent.

Kevin Buzzard (Dec 15 2021 at 14:51):

The algebro-geometric language buys you very little; this was why Mordell-Weil was proved way before schemes were even invented

Reid Barton (Dec 15 2021 at 14:52):

There is a formalization https://github.com/strub/elliptic-curves-ssr in Coq (paper) that takes this approach via the Picard group. The math-hard part is indeed (1) and unfortunately they don't discuss it at all in the paper. The formalization of that part is in https://github.com/strub/elliptic-curves-ssr/blob/main/src/ecrr.v and it uses elementary methods (Fermat descent). I had some difficulty following the formalization, but then I came across some notes by Eva Belmont which contain the same proof (pages ~6-8).

Kevin Buzzard (Dec 15 2021 at 14:52):

The reason I called the file EllipticCurve in mathlib is because you are supposed to think of it as the category of elliptic curves. Now your objection becomes irrelevant because defnitional equality, and equality in general, is evil in a category, and my category is equivalent to yours and furthermore actually exists so we can start using it.

Johan Commelin (Dec 15 2021 at 14:54):

Adam Topaz said:

Johan Commelin how would you prove that such a smooth proper group scheme of dimension 1 has a Weierstrass equation?

That's a consequence of Riemann-Roch, isn't it?

Kevin Buzzard (Dec 15 2021 at 14:55):

Sure

Kevin Buzzard (Dec 15 2021 at 14:55):

but to do anything like that we need a working theory of sheaf cohomology and projective space

Adam Topaz (Dec 15 2021 at 14:55):

You could use the classical approach with repartitions in this case.

Adam Topaz (Dec 15 2021 at 14:56):

E.g. as in Serre's book on class fields

Johan Commelin (Dec 15 2021 at 14:56):

so we can start using it

I agree. But for a whole bunch of arguments, it will be quite useful to know that an elliptic curve is a projective variety.

Johan Commelin (Dec 15 2021 at 14:57):

So even if you say "definitions don't matter" you are in some sense just post-poning the "problem"

Kevin Buzzard (Dec 15 2021 at 14:57):

My impression is that this is what Strub did (repartitions). They wrote down local uniformisers at all points on the curve, e.g. "it's Y-y unless y=0 in which case it's X-x"

Kevin Buzzard (Dec 15 2021 at 14:58):

Johan we are postponing what you think is a problem but we also postponing the ability to say "we have stated Shimura-Taniyama and BSD in a sorry-free way in a theorem prover" and the less that this is postponed the better.

Kevin Buzzard (Dec 15 2021 at 14:59):

Nobody is going to object that the statement of BSD refers to y^2=cubic -- this is the definition that Wiles gives in his write-up of BSD on the Clay website.

Kevin Buzzard (Dec 15 2021 at 15:00):

I view "generating the theory of the arithmetic of y^2=cubic" and "proving y^2=cubic can be re-interpreted up to equivalence using Grothendieck's machine as a smooth proper morphism" as two completely different problems.

Alex J. Best (Dec 15 2021 at 15:03):

Kevin Buzzard said:

For me the two parts are totally disjoint. The first step is some algebro-geometric argument which I sketch in the module doc for EllipticCurve. The second is arithmetic and is completely independent.

No idea if it still compiles but I did a very basic notion of heights once and proved a weak mw -> mw type result. One may want a more general notion of height in practice though.

import group_theory.index
import group_theory.subgroup.pointwise
import group_theory.quotient_group
import data.real.basic
import data.real.nnreal


lemma lt_of_mul_lt_mul_of_le {G : Type*} [linear_ordered_comm_group_with_zero G] {a b c d : G}
  (h : a * b < c * d) (hc : 0 < c) (hh : c ≤ a) : b < d :=
begin
  rw ←(inv_le_inv₀ (ne_of_gt hc) (ne_of_gt (lt_of_lt_of_le hc hh) : a ≠ 0)) at hh,
  -- rw ← div_lt_div₀ _ _ at h,
  sorry,
end

attribute [to_additive add_subgroup.smul_mem] subgroup.pow_mem
attribute [to_additive] subgroup.gpow_mem
open add_subgroup set
--TODO move
lemma not_mem_of_not_mem_closure {A : Type*} [add_comm_group A] {G : set A} {P : A}
  (hP : P ∉ closure G) : P ∉ G :=
begin
  intro h,
  have := subset_closure h,
  exact hP this,
end

open_locale nnreal
-- TODO generalize to valued in a linear_ordered_field
structure height_function (A : Type*) [add_comm_group A] :=
(h : A → ℝ≥0)
(height_smul' : ∀ (a : A) (m : ℕ), h (m • a) = m^2 * h a)
(parallelogram_law : ∀ (a b : A), h (a + b) + h (a - b) = 2 * h a + 2 * h b)

namespace height_function
variables {A : Type*} [add_comm_group A] (h : height_function A)

instance : has_coe_to_fun (height_function A) := ⟨λ _, A → ℝ≥0, λ h, h.h⟩
-- @[simp]
-- lemma height_gsmul (a : A) (m : ℤ) : h (m • a) = m^2 * h a := h.height_smul a m
@[simp]
lemma height_smul (a : A) (m : ℕ) : h (m • a) = m^2 * h a :=
  h.height_smul' a m

-- begin
--   convert h.height_smul a m using 1,
--   simp,
-- end
-- should be a version for any nontrivial target
@[simp]
lemma height_zero : h 0 = 0 :=
begin
  have := calc 2^2 * h 0 = h (2 • 0) : by simp only [int.cast_bit0, nat.cast_bit0,
                      int.cast_one, nat.cast_one, height_smul]
            ... = h 0 : by simp,
  exact eq_zero_of_mul_eq_self_left (by norm_num) this,
end
lemma zero_of_tors (a : A) {m : ℕ} (hm : m ≠ 0) (h : height_function A) (hma : m • a = 0) :
  h a = 0 :=
begin
  have := eq.symm (calc 0 = h 0 : by simp
                     ... = h (m • a) : by rw hma
                     ... = m^2 * h a : h.height_smul _ _),
  rw mul_eq_zero at this,
  norm_num at this,
  finish,
end

def northcott_property : Prop := ∀ x, {P | h P ≤ x}.finite

end height_function
-- TODO make mul and to_add
open_locale pointwise
open quotient_add_group

variables {A : Type*} [add_comm_group A] (h : height_function A) (hN : h.northcott_property)
variables {Ps : finset A} {m : ℕ} (hm : 2 ≤ m)
-- TODO maybe nicer to take any finite index subgroup
variables (hPs : ∀ x : quotient (m • (⊤ : add_subgroup A)), ∃ (p : A) (hp : p ∈ Ps), ↑ p = x)
include hPs hN hm

-- https://www.msri.org/attachments/workshops/301/HtSurveyMSRIJan06.pdf
-- https://ocw.mit.edu/courses/mathematics/18-782-introduction-to-arithmetic-geometry-fall-2013/lecture-notes/MIT18_782F13_lec25.pdf
lemma group_eq_span_bdd_height : closure {R | h R ≤ Ps.sup h} = ⊤ :=
begin
  rw add_subgroup.eq_top_iff',
  classical,
  by_contra h,
  push_neg at h,
  choose x hx using h,
  have C_finite : ((closure {R : A | h R ≤ Ps.sup h} : set A)ᶜ ∩ {P | h P ≤ h x}).finite,
  exact finite.inter_of_right (hN (h x)) _,
  have : ∃ P, P ∈ ((closure {R : A | h R ≤ Ps.sup h} : set A)ᶜ ∩ {P | h P ≤ h x})
                ∧ ∀ P' ∈ ((closure {R : A | h R ≤ Ps.sup h} : set A)ᶜ ∩ {P | h P ≤ h x}),
                  h P ≤ h P',
  { have := C_finite.to_finset.exists_min_image h _,
    { simp only [and_imp, exists_prop, mem_inter_eq, finite.mem_to_finset, mem_set_of_eq,
        set_like.mem_coe, compl_eq_compl, mem_compl_eq] at this ⊢,
      exact this, },
    rw finite.to_finset.nonempty,
    use x,
    simp only [hx, le_refl, mem_inter_eq, mem_set_of_eq, set_like.mem_coe, not_false_iff,
      and_self, mem_compl_eq], },
  have : ∃ P, P ∈ (closure {R : A | h R ≤ Ps.sup h} : set A)ᶜ
                ∧ ∀ P' ∈ (closure {R : A | h R ≤ Ps.sup h} : set A)ᶜ,
                  h P ≤ h P',
  { obtain ⟨P, hP, hPP⟩ := this,
    use P,
    simp_rw mem_inter_iff at hP hPP ⊢,
    split,
    exact hP.1,
    intros P' hP',
    by_cases hPx : h P' ≤ h x,
    { apply hPP,
      split,
      exact hP',
      rw mem_def,
      exact hPx, },
    { push_neg at hPx,
      exact calc _ ≤ h x : hP.2
               ... ≤ _ : hPx.le }, },
  choose P hP hPP' using this,
  have : ∃ (Pj) (hPj : Pj ∈ Ps) (Q), Pj + m • Q = P,
  { obtain ⟨Pj, hPj, hPPj⟩ := hPs P,
    use [Pj, hPj],
    erw [quotient_add_group.eq, mem_smul_set] at hPPj,
    simpa [eq_neg_add_iff_add_eq] using hPPj, },
  obtain ⟨Pj, hPj, Q, hPj'⟩ := this,
  simp only [set_like.mem_coe, compl_eq_compl, mem_compl_eq] at hP,
  apply hP,
  have : Q ∈ closure {R : A | h R ≤ Ps.sup h},
  { have : 2 * h Pj < 2 * h P,
    { rw mul_lt_mul_left (show (0 : ℝ≥0) < 2, by norm_num),
      have := not_mem_of_not_mem_closure hP,
      simp only [not_le, mem_set_of_eq] at this,
      calc _ ≤ Ps.sup h : finset.le_sup hPj
        ... < _ : this, },
    rw ← eq_sub_iff_add_eq' at hPj',
    have h_main := calc
    (m^2 : ℝ≥0) * h Q = h (m • Q) : (h.height_smul _ _).symm
                  ... = h (P - Pj) : by rw hPj'
                  ... ≤ h (P + Pj) + h (P - Pj) : le_add_self
                  ... = 2 * h P + 2 * h Pj : h.parallelogram_law P Pj
                  ... < 2 * h P + 2 * h P : add_lt_add_left this _
                  ... = 4 * h P : by {rw ← add_mul, norm_num},
    have := hPP' Q,
    rw ← not_imp_not at this,
    simp only [not_le, not_not, set_like.mem_coe, compl_eq_compl, mem_compl_eq] at this,
    apply this,
    have two_le_m : (2 : ℝ≥0) ≤ m := by exact_mod_cast hm,
    have four_le_m : (2^2 : ℝ≥0) ≤ m^2 := pow_le_pow_of_le_left (zero_le 2) two_le_m 2,
    norm_num at four_le_m,
    exact lt_of_mul_lt_mul_of_le h_main (by norm_num) four_le_m, },
  rw ← hPj',
  apply' add_mem,
  { apply subset_closure,
    rw mem_def,
    exact finset.le_sup hPj, },
  { exact smul_mem _ this m, },
end

Kevin Buzzard (Dec 15 2021 at 15:21):

Just trying to disentangle the notes that Reid sent (Tom Fisher's elliptic curves course): on page 8 when the notes refer to "Corollary 1.5(in green)" they mean "Corollary 1.8(with 1.5 written in green afterwards)" as opposed to the completely irrelevant Corollary 1.5 which had me utterly confused.

Alex J. Best (Dec 15 2021 at 15:25):

I just saw on page 2 it says

A note on the numbering
There are two concurrent numbering schemes in this document: numbers and headings
in green refer to Prof. Fisher’s numbering system; everything else refers to LATEX’s numbering, induced by setting section numbers = lecture numbers.

Kevin Buzzard (Dec 15 2021 at 16:12):

unfortunately I started reading on pages 6 to 8 ;-)

Johan Commelin (Dec 16 2021 at 07:09):

Kevin Buzzard said:

The reason I called the file EllipticCurve in mathlib is because you are supposed to think of it as the category of elliptic curves. Now your objection becomes irrelevant because defnitional equality, and equality in general, is evil in a category, and my category is equivalent to yours and furthermore actually exists so we can start using it.

I understand your point. At the same time, right now you have a type in mathlib that doesn't have a category instance yet.

Kevin Buzzard (Dec 16 2021 at 08:45):

That's because I don't know what to do for the morphisms. Are they supposed to be isogenies, or are you allowed the zero map, or are they supposed to be isomorphisms, or random morphisms of schemes? I know how to define all of these.

Kevin Buzzard (Dec 16 2021 at 08:46):

You don't need associativity of the group law to do any of them because of this theorem which says that preserving zero implies preserving +

Johan Commelin (Dec 16 2021 at 08:56):

Probably we need all those categories.

Kevin Buzzard (Dec 16 2021 at 09:02):

You know Jujian is working on the category where the objects are pairs (R,M) with R a ring and M an R-module? There are two kinds of morphisms you can choose for that category. If you want presheaves of modules to be a functor you let the rings and the modules both change. But if you want to do the moduli stack of elliptic curves then you allow the base ring to change but you demand that the map on modules induces an isomorphism after you tensor up. I don't fully understand what's going on here.

Marc Masdeu (Dec 16 2021 at 09:05):

Proving associativity using the explicit equations is not so much a triviality, at least in the computational sense. For the general Weierstrass form, it involves checking polynomial identities with terms having more than 130000 nonzero coefficients. I don't know Lean's IO system, but would be the kind of proof where one would load a separate input file containing the polynomials to be checked. And we would need a tactic for checking equalities of polynomials (ring didn't work last time I tried).

Kevin Buzzard (Dec 16 2021 at 09:10):

Oh interesting! I remember checking the generic case for y^2=x^3+Ax+B in pari-gp when I was a graduate student and it being huge but easily doable. But I wanted to use the 5 variable version in mathlib because I realised I could prove that it was valid for all PIDs and more generally all rings whose Picard group has trivial 12-torsion.

Kevin Buzzard (Dec 16 2021 at 09:15):

@Johan Commelin here's another way of thinking about the definition of elliptic curve in mathlib. There's something weird going on in the Taniyama-Shimura conjecture, because it relates modular forms to elliptic curves and it's supposed to be hard, but modular forms are just functions on elliptic curves so it all sounds like it should be easy. But those two uses of the word "elliptic curve" are completely different. The hard version specifically relates to elliptic curves over the rationals. The easier version is all about moduli spaces and hence is about elliptic curves defined over all schemes (and Wiles uses modular forms defined over the complexes and finite fields and the p-adic integers in his proof as well as arguments over general bases). We still don't have enough algebraic geometry to do the scheme side of the story (the geometric side) but we can start on the arithmetic side right now.

Johan Commelin (Dec 16 2021 at 09:19):

Fair enough

Johan Commelin (Dec 16 2021 at 09:19):

I just hope that the geometric side will catch up sooner rather than later.

Kevin Buzzard (Dec 16 2021 at 09:22):

These things can move independently I think. I don't think we need anything about schemes to prove Mordell-Weil for elliptic curves over number fields -- that's why it was done before schemes existed. There's still every chance that Ashvni will define the p-adic zeta function before the Riemann zeta function.

Johan Commelin (Dec 16 2021 at 09:25):

Mordell-Weil wasn't done before varieties existed, right?

Kevin Buzzard (Dec 16 2021 at 09:28):

@Marc Masdeu it's probably worth saying that even if it's true that when you expand it all out associativity involves terms with a hundred thousand monomials in, that doesn't mean that Lean ever needs to see one. For example it's true that $(x+y)^{100000}=(y+x)^{100000}$ but I can prove this in Lean without ever multiplying everything out. In general Lean does not expand things out unless it's told to, so perhaps some judicious variable name choices can come to our rescue. Associativity is a really annoying sorry right now because any statement you make about a group attached to the curve won't compile without warnings.

Kevin Buzzard (Dec 16 2021 at 09:30):

To do the abelian varieties case you need varieties (to even state it), but I suspect that Mordell had it for elliptic curves over Q before Weil's book. All you need for that is stuff about number fields and remember we had all of class field theory 100 years ago, just not with the cohomological language.

Johan Commelin (Dec 16 2021 at 09:31):

My history of mathematics starts around 1956 :rofl:

Marc Masdeu (Dec 16 2021 at 09:41):

@Kevin Buzzard I'm not clever enough to get those polynomials without calling a Groebner basis algorithm, and then it spits out the kind of monsters that I mentioned. I'd like to see it improved, here's what I am using: https://gist.github.com/mmasdeu/20d5c0fec521f03e30e4f68ccee21a77

Kevin Buzzard (Dec 16 2021 at 09:45):

Thanks Marc -- this is really helpful. Do you have a "brute force" proof of associativity in Sage? i.e. a computer algebra package version of algebraic_geometry.elliptic_curve.group_law? It's on the elliptic_curve_group_law branch.

Marc Masdeu (Dec 16 2021 at 09:53):

I'll look at what you mean later, but when I had to teach some undergraduates about elliptic curves I figured out that I could write a complete proof if I had these three identities for "generic" points, and this I did check in Sage. In this way, I can tell my students that the associativity proof is really "elementary" if you trust Sage to multiply polynomials for you.

Antoine Chambert-Loir (Dec 16 2021 at 09:55):

Johan Commelin said:

An elliptic curve is a smooth proper group scheme of dimension 1. Isn't that the way mathlib should approach this?

— hopefully adding the hypothesis that it has connected fibers

Antoine Chambert-Loir (Dec 16 2021 at 10:00):

Adam Topaz said:

Johan Commelin how would you prove that such a smooth proper group scheme of dimension 1 has a Weierstrass equation?

The first chapter of the book by N. Katz and B. Mazur, Arithmetic moduli of elliptic curves has a clear, high-level, recap of elliptic curves from this point of view. Over a field, Riemann Roch tells you that there is a non constant function $x$ in $|2·O|$, a function $y$ in $|3·O|$ which is not in $|2·O|$, and that $x^3, x^2, x, 1, y^2, xy,y$ are linearly related… Over a base, $|2·O|$, etc. are vector bundles over the base (by the theorems on the dimensions of cohomology groups), locally they are free, etc.

Antoine Chambert-Loir (Dec 16 2021 at 10:02):

Johan Commelin said:

Mordell-Weil wasn't done before varieties existed, right?

Mordell is 1922, it follows a 1901 paper of Poincaré, varieties here are complex varieties, and one can talk about their rational points. In particular, at that time, the group law was understood using the Weierstrass $\wp$-function.

Adam Topaz (Dec 16 2021 at 13:56):

Antoine Chambert-Loir said:

Adam Topaz said:

Johan Commelin how would you prove that such a smooth proper group scheme of dimension 1 has a Weierstrass equation?

The first chapter of the book by N. Katz and B. Mazur, Arithmetic moduli of elliptic curves has a clear, high-level, recap of elliptic curves from this point of view. Over a field, Riemann Roch tells you that there is a non constant function $x$ in $|2·O|$, a function $y$ in $|3·O|$ which is not in $|2·O|$, and that $x^3, x^2, x, 1, y^2, xy,y$ are linearly related… Over a base, $|2·O|$, etc. are vector bundles over the base (by the theorems on the dimensions of cohomology groups), locally they are free, etc.

Yes, this is the standard proof I know that a curve of genus 1 with a point (or a section, if you work over a more general base) has a Weierstrass equation. Well, Johan asked for a smooth proper group scheme of dimension 1. I don't think it's so easy to apply Riemann Roch in that case, since one first has to obtain the genus. In any case, my point was that we would need Riemann Roch regardless.

Adam Topaz (Dec 16 2021 at 14:21):

I guess one needs to show that if C is a proper curve endowed with a group structure, then the group structure forces the canonical class to be trivial, hence degree 0, so that the genus must be one. But again, these are at least two additional results that are nontrivial to formalize.

Damiano Testa (Dec 16 2021 at 14:50):

Dear All,

I have taken some distance from formalization, but I am still very intrigued by such questions!

I wanted to say that proving that cubics are irrational need not be hard. Every automorphism of $\mathbb{P}^1$ fixes at least one point, while translations by non-zero elements on an elliptic curve have no fixed points (you need not know that addition is associative for this, of course). If the ground field does not have characteristic two, you can also use the fact that negation on the elliptic curve is not the identity and fixes 4 points, while an automorphism of $\mathbb{P}^1$ that fixes 3 points is the identity.

Having said this, it is not clear to me how to go from the inclusion of function fields $k(f/g) \subset k(E)$ (notation as in Kevin's initial post in this thread) to an isomorphism $k(t) \simeq k(E)$ without using the fact that rational maps between smooth projective curves extend and that the degree of such a map can be computed by looking at any scheme-theoretic fiber.

Of course, these statements are not "hard", but I do not see an easy way to obtain them without some further machinery,

Adam Topaz (Dec 16 2021 at 15:00):

Wouldn't this argument be circular? I was under the impression that Kevin wanted to use the group structure on the class group to obtain the group structure on the elliptic curve, and it seems to me that you would need the group structure to see that the curve is not rational.

Damiano Testa (Dec 16 2021 at 16:14):

My thought was simply to use the definition of the group structure, not the fact that you know is associative. Once you have a map $E \times E \to E$, you can fix one coordinate and check whether the map $E \to E$ that you obtain is injective or not. You do not need to know that this map arises from a group action.

Damiano Testa (Dec 16 2021 at 16:15):

Of course, I know that the map is injective because it is translation in a group, but I can check injectivity "by brute force".

Adam Topaz (Dec 16 2021 at 16:15):

I see. Of course, one should conclude by checking that the multiplication $E \times E \to E$ agrees with the multiplication induced by the inclusion in the class group :)

Damiano Testa (Dec 16 2021 at 16:17):

Yes, my argument was simply because I felt that proving irrationality of a cubic could be just as strong as proving associativity. The sketch above makes it more likely that it might be simpler.

Adam Topaz (Dec 16 2021 at 16:20):

Forget the IMO grand challenge. Let's teach lean how to pass a PhD qualifying exam in algebraic geometry ;)

Damiano Testa (Dec 16 2021 at 16:21):

Chances are, that what you describe is a shorter route to the IMO grand challenge...

David Michael Roberts (Dec 16 2021 at 21:57):

Kevin Buzzard said:

You know Jujian is working on the category where the objects are pairs (R,M) with R a ring and M an R-module? There are two kinds of morphisms you can choose for that category. If you want presheaves of modules to be a functor you let the rings and the modules both change. But if you want to do the moduli stack of elliptic curves then you allow the base ring to change but you demand that the map on modules induces an isomorphism after you tensor up. I don't fully understand what's going on here.

You don't need that last restriction, that's only if you want the stack of groupoids of elliptic curves. I've been saying for a long time that it's possibleto do the whole algebraic stack story with the full stack including non-invertible maps, in many cases. For elliptic curves and isogenies it's as about as nice as it can be.

I got pushback when I suggested this nine years ago, but now here and there people (eg Rezk, Gaitsgory) have started to slip the idea in, usually under weird neologisms.

David Michael Roberts (Dec 16 2021 at 22:22):

In particular, while the normal story builds a groupoid scheme, this extended version builds a "category scheme", where the subscheme of invertible arrows is the usual groupoid

Kevin Buzzard (Dec 17 2021 at 09:32):

I learnt about the isomorphism picture in Katz-Mazur. Maybe the idea is that historically we were very happy with this idea of "2-category but all the 2-morphisms are isomorphisms", it used to play an important role in the theory of stacks

David Michael Roberts (Dec 17 2021 at 10:03):

Yes, it's everywhere, but people still want to be able to descend isogenies (I.e. the hom sheaf, not just the isom sheaf), so this stuff is secretly there, but not talked about in a unified way...

Antoine Chambert-Loir (Dec 27 2021 at 12:26):

Adam Topaz said:

Yes, this is the standard proof I know that a curve of genus 1 with a point (or a section, if you work over a more general base) has a Weierstrass equation. Well, Johan asked for a smooth proper group scheme of dimension 1. I don't think it's so easy to apply Riemann Roch in that case, since one first has to obtain the genus. In any case, my point was that we would need Riemann Roch regardless.

Then you probably want to formalize Mumford's Abelian varieties book!

Elif Sacikara (Alumni) (Dec 28 2021 at 22:50):

Since I have been struggling learning both lean and algebraic geometry I was quite hesitant to say something but let me ask the following question anyway. Have you ever considered formalizing the approach for elliptic function fields given in Stichtenoth's Algebraic Function Fields and Codes? My motivation of studying this book is that the notions can be derived from some basics from linear algebra and algebra. For instance elliptic curve addition is defined with respect to equivalence on class group, as it is mentioned in (2). More explicitly we define $P\oplus Q=R$ (addition on elliptic curve) if $P+Q-R-O=(f)$ (addition and subtraction on Divisor group), where $O$ is the identity and $f$ can be chosen as a fraction of two lines relating P, Q and R. However, I am not sure if this can be a good approach for lean.

Kevin Buzzard (Dec 28 2021 at 23:20):

The difficulty with the function field approach is that one has to prove that the map from the points on the curve $E(K)$ to the divisor class group of $K[x,y]/(f(x,y))$ is injective. This is possible but might be messy. It might also be the nicest approach.

Kevin Buzzard (Dec 28 2021 at 23:29):

There's a pdf linked to above (Tom Fisher's Cambridge elliptic curves course notes) has a proof in corollary 1.8 (green 1.5) in the case of characteristic != 2.

Elif Sacikara (Alumni) (Dec 29 2021 at 12:45):

I see. Thanks for the response. For injectivity, instead of considering the class group of K[x,y]/(f(x,y)), I was thinking first to define a function field F, and then work with Cl(F) as the quotient group Div^0(F)/Princ(F) with degree zero divisors Div^0(F) and principal divisors Princ(F). Then by treating E(K) as a set of rational places of F, map each rational place P to the class of P-O. Then injectivity comes the fact that P=Q+(x) implies P=Q, because otherwise [F:K(x)]=1 (degree of zero divisor of x in F) gives us contradiction to the genus of F. However, as said, I should see if all definitions and theorems behind it are doable in Lean.

Kevin Buzzard (Dec 29 2021 at 14:34):

Right, so you have to prove F != K(x) so it boils down to the same calculation. I don't know a low-level way of doing this in characteristic 2

Elif Sacikara (Alumni) (Dec 29 2021 at 15:48):

When I look at the textbook, in theory it is claimed that this approach works for elliptic function fields F/K with an arbitrary field K. This is why may I kindly ask how characteristic 2 creates extra difficulty for Lean (under the assumptions that in Lean we can define an elliptic function as a genus 1 function field F/K containing a degree 1 divisor and if this approach is doable for any other characteristic).

Kevin Buzzard (Dec 29 2021 at 15:50):

It doesn't create extra difficulty for lean, it creates extra difficulty in the sense that there's a cheap proof which works in char > 2 but if you want to deal with char 2 you'll have to develop more of the theory

Kevin Buzzard (Dec 29 2021 at 15:52):

Basically I'm asking you "give me a complete proof that the field of fractions of y^2+axy+by=x^3+cx^2+dx+e over a field k is never isomorphic to k(t)" (provided a discriminant doesn't vanish, yes thanks Oliver :-) )

Kevin Buzzard (Dec 29 2021 at 15:52):

I can prove this using a bunch of algebraic geometry. I can prove this in a low-level way if char isn't 2

Oliver Nash (Dec 29 2021 at 15:52):

(provided a certain discriminant doesn't vanish)

Kevin Buzzard (Dec 29 2021 at 15:56):

The low-level way would be easier to formalise, the general way would take longer but of course needs to be done in the end. The issue is that there's currently no theory of the genus of a curve in algebraic geometry in Lean yet. It could be made, but these things take time. All of the theory needed to do the low-level proof is there already

Adam Topaz (Dec 29 2021 at 16:03):

To illustrate the state of things, for example, I don't think we currently have a good way to define a "regular function field of transcendence degree one" using what's currently in mathlib

Marc Masdeu (Mar 14 2022 at 16:57):

Sorry to bump this old thread, but I've given some more thought to proving associativity the brute force way. As @Kevin Buzzard pointed out above, it is indeed possible to check associativity without carrying out desperately large polynomial calculations. I've played around with Sage and all that is needed is a tactic that generalizes the ring tactic, and that allows one to work in the ring $R[x_1,x_2,x_3,y_1,y_2,y_3]$ modulo the ideal generated by the Weierstrass equation, which is satisfied by the points $(x_i,y_i)$. That is, after each operation one would run the tactic and the result would be an expression that only contains $y_i$ at most to the power 1. A question then for the tactic writers: how hard would it be to cook up a quick tactic that does this?

Heather Macbeth (Mar 14 2022 at 17:04):

@Marc Masdeu The new linear_combination tactic would get part of the way there. Do you have a sample problem written up in Lean that I could use to write up an example of use?

Marc Masdeu (Mar 14 2022 at 17:15):

Hi @Heather Macbeth, thanks!
I'd like to close goals like this one, for example. Ideally, I'd use something like field_simp [h1, h2] for this.

variables {K : Type*} [field K]

example (a1 a2 a3 a4 a6 x1 x2 y1 y2 : K)
(h1 : y1^2 + a1*x1*y1 + a3*y1 = x1^3 + a2*x1^2 + a4*x1 + a6)
(h2 : y2^2 + a1*x2*y2 + a3*y2 = x2^3 + a2*x2^2 + a4*x2 + a6)
(h: x1 ≠ x2) :
(a2*x1^2 + x1^3 - 2*a2*x1*x2 - x1^2*x2 + a2*x2^2 - x1*x2^2
+ x2^3 - a1*x1*y1 + a1*x2*y1 + a1*x1*y2 - a1*x2*y2 - y1^2 + 2*y1*y2 - y2^2)/(-x1^2 + 2*x1*x2 - x2^2)
 = (-2*a2*x1*x2 - x1^2*x2 - x1*x2^2 + a1*x2*y1 +
 a1*x1*y2 - a4*x1 - a4*x2 + a3*y1 + a3*y2 + 2*y1*y2 - 2*a6)/(-x1^2 + 2*x1*x2 - x2^2) :=
begin
  sorry
end

Heather Macbeth (Mar 14 2022 at 17:35):

@Marc Masdeu You need to figure out the coefficients yourself (which I guess you can do in Sage), but it works pretty well!

import tactic.linear_combination
import tactic.field_simp

variables {K : Type*} [field K]

example (a1 a2 a3 a4 a6 x1 x2 y1 y2 : K)
  (h1 : y1^2 + a1*x1*y1 + a3*y1 = x1^3 + a2*x1^2 + a4*x1 + a6)
  (h2 : y2^2 + a1*x2*y2 + a3*y2 = x2^3 + a2*x2^2 + a4*x2 + a6):
  (a2*x1^2 + x1^3 - 2*a2*x1*x2 - x1^2*x2 + a2*x2^2 - x1*x2^2
  + x2^3 - a1*x1*y1 + a1*x2*y1 + a1*x1*y2 - a1*x2*y2 - y1^2 + 2*y1*y2 - y2^2)/(-x1^2 + 2*x1*x2 - x2^2)
  = (-2*a2*x1*x2 - x1^2*x2 - x1*x2^2 + a1*x2*y1
    + a1*x1*y2 - a4*x1 - a4*x2 + a3*y1 + a3*y2 + 2*y1*y2 - 2*a6)/(-x1^2 + 2*x1*x2 - x2^2) :=
begin
  have : -x1^2 + 2*x1*x2 - x2^2 ≠ 0 := sorry,
  field_simp,
  linear_combination (h1, -1) (h2, -1),
end

Marc Masdeu (Mar 14 2022 at 17:39):

It will need to be more automated, because there will be several dozens of applications of reductions like that. For example, in the expression there may be a term of the form y1^10 (times stuff) and this should be recusively simplified. This is how Hales (yes, that Hales) did it in https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7324045/

Heather Macbeth (Mar 14 2022 at 17:44):

I think it can still be a single application of linear_combination (because the coefficients in linear_combination can themselves be polynomial expressions). But it might look very long -- dozens of lines. You could get Sage to compute the polynomial coefficients and then copy-paste them.

Heather Macbeth (Mar 14 2022 at 17:45):

@Rob Lewis is the person to talk to, in any case, whether the process is this Sage-to-linear_combination method, or a direct implementation of this very special case of a Grobner basis tactic.

Yaël Dillies (Mar 14 2022 at 17:45):

I am planning on doing something similar, caching an absurd amount of oracle in the source code, in #10645

Heather Macbeth (Mar 14 2022 at 17:45):

@Yaël Dillies Wrong link?

Yaël Dillies (Mar 14 2022 at 17:46):

slipped!

Heather Macbeth (Mar 14 2022 at 17:52):

@Marc Masdeu So to be more explicit: If you have the polynomial goal $P = Q$ and the polynomial hypotheses h1 that $p_1=q_1$, ... hn that $p_n = q_n$:

• get Sage to exhibit $P-Q$ as an element of the ideal generated by $p_1 - q_1$, ... $p_n - q_n$, say as
  $P-Q = a_1 (p_1-q_1)+\ldots +a_n(p_n-q_n)$
  for polynomials $a_1$, ... $a_n$

• give Lean the tactic instruction linear_combination (h1, a1) ... (hn, an).

Rob Lewis (Mar 14 2022 at 18:17):

Heather Macbeth said:

Rob Lewis is the person to talk to, in any case, whether the process is this Sage-to-linear_combination method, or a direct implementation of this very special case of a Grobner basis tactic.

There may be news about this in the not too distant future! Maybe @Dhruv Bhatia reads Zulip?

Kevin Buzzard (Mar 15 2022 at 08:12):

@Marc Masdeu there's a PhD student at Imperial @David Ang who is trying to prove Mordell-Weil but right now they're assuming associativity -- if you could make this happen this would be wonderful!

Marc Masdeu (Mar 15 2022 at 08:18):

Kevin Buzzard said:

Marc Masdeu there's a PhD student at Imperial David Ang who is trying to prove Mordell-Weil but right now they're assuming associativity -- if you could make this happen this would be wonderful!

I noticed that branch. I saw that they got the group law definition, which I had worked out in the ell_add_assoc branch. I like better the definition in that branch (I think you made it), and my approach to well-definedness (which is not super long, IMHO). Maybe you can "persuade" them to use the definition in that branch?

David Ang (Mar 15 2022 at 08:28):

The mordell_weil branch already has quite a few other definitions and lemmas in it, so it’s going to be a bit tough to switch over completely, but I’m happy to port over the definition in the other branch once it’s all done.

Dhruv Bhatia (Mar 16 2022 at 15:07):

Heather Macbeth said:

Marc Masdeu So to be more explicit: If you have the polynomial goal $P = Q$ and the polynomial hypotheses h1 that $p_1=q_1$, ... hn that $p_n = q_n$:

• get Sage to exhibit $P-Q$ as an element of the ideal generated by $p_1 - q_1$, ... $p_n - q_n$, say as
  $P-Q = a_1 (p_1-q_1)+\ldots +a_n(p_n-q_n)$
  for polynomials $a_1$, ... $a_n$

• give Lean the tactic instruction linear_combination (h1, a1) ... (hn, an).

Thanks @Rob Lewis for the mention! This is actually verbatim what I am working on right now. If all goes well, I should have something ready to use in a few weeks!

Heather Macbeth (Jun 27 2022 at 15:59):

@Marc Masdeu Dhruv's tactic is now being PR'd: #14878. Do you have any more really nasty examples from your elliptic curves project that you could share as tests?

Marc Masdeu (Jul 10 2022 at 11:42):

Sorry for not replying before... Probably there are, but buried inside the proofs as I have them right now. Maybe it's time for an update. The branch ell_add_assoc contains the proof of associativity and it just has 3 sorrys left. They are corresponding to 3 computations corresponding to generic situations (that is, it is always clear which formula to use when adding). I have done them in Sage, checking that certain rational functions are the same (modulo replacing y^n for n > 1 using the Weierstrass equation). If you want to see that code I'd happy to post it here, too. If anyone has ideas on how to do these, please do share them!

(PS: below it's not meant to be a mwe, just to point at what's left in the EllipticCurveGroupLaw.lean file.)

lemma assoc_aux { P Q R : points E} (hPz : P ≠ 0) (hQz : Q ≠ 0) (hRz : R ≠ 0)
(hPQ1 : P ≠ Q) (hPQ2 : P ≠ -Q) (hQR1 : Q ≠ R) (hQR2 : Q ≠ -R) (hPQR1 : P + Q ≠ R) (hPQR2 : P + Q ≠ -R)
(hQRP1 : Q + R ≠ P) (hQRP2 : Q + R ≠ -P) : P + Q + R = P + (Q + R) := sorry

lemma assoc_aux' {P Q : points E} (hPz : P ≠ 0) (hQz : Q ≠ 0) (hneg : P + P ≠ 0)
(hPQ1 : P ≠ Q) (hPQ2 : P ≠ -Q) (h2PQ1 : (P + P) ≠ Q) (h2PQ2 : (P + P) ≠ -Q)
(hPQP1 : P + Q ≠ P) (hPQP1 : P + Q ≠ -P) : P + P + Q = P + (P + Q) := sorry

lemma assoc_aux'' {P : points E} (hz : P ≠ 0) (hneg : P + P ≠ 0)
(htwo : (P + P) + (P + P) ≠ 0) (hPP1 : P + P ≠ P) (hPP2 : P + P ≠ -P)
(hPPP1 : P + P + P ≠ P) (hPPP2 : P + P + P ≠ -P) : (P + P) + (P + P) = P + (P + (P + P)) := sorry

Kevin Buzzard (Sep 03 2022 at 19:54):

Aargh! @Heather Macbeth @Marc Masdeu @Mario Carneiro I had some time when away on holiday to think about associativity and how to do it this fancy class group way, and I discovered to my surprise that the method I'd been proposing does not work in characteristic 2!

Kevin Buzzard (Sep 03 2022 at 19:55):

Which is really annoying because for me that had been one of the selling points -- that it was a truly general argument.

Mario Carneiro (Sep 03 2022 at 19:55):

what goes wrong?

Kevin Buzzard (Sep 03 2022 at 19:55):

Just some Diophantine arithmetic doesn't work out because some extension of fields can be inseparable

Kevin Buzzard (Sep 03 2022 at 19:59):

You assume the field k is alg closed and then try to solve Y^2=X(X-1)(X-\lambda) in the field k(T) using arithmetic but the only solutions are constant (three factors on the right are all coprime so all squares up to units and then do a descent) which shows there's no rational function of X and Y with a simple zero and simple pole, giving you the injectivity of the map to the class group and then you win because the map from the curve to the class group plays well with the group laws

Kevin Buzzard (Sep 03 2022 at 20:00):

But in char 2 you can't complete the square on the left and I can't push through the descent because it's a 2-descent on the curve and in char 2 there inseparable degree 2 isogenies which would have to be dealt with separately.

Kevin Buzzard (Sep 03 2022 at 20:01):

tl;dr: the argument in Fisher's notes needs to complete the square to get rid of the Y term in the cubic equation, and this can't be done in char 2

Kevin Buzzard (Sep 03 2022 at 20:04):

I think that probably one could work hard and construct an analogous proof in char 2; one would perhaps at some stage split into two cases depending on whether a certain discriminant was a square or not, the inseparability issue would manifest itself in some way but I'm hazy on the details, because I then realised it didn't matter.

Kevin Buzzard (Sep 03 2022 at 20:06):

If the first line of the "fancy" proof I'm proposing is definitely going to be "OK let's split into the cases of whether char(k)=2 or not" then after that split you now have to ask "now what's the best method from this point" and I think that in both cases the answer is "not my method"

Kevin Buzzard (Sep 03 2022 at 20:07):

In fact if char(k)>2 then we already know the answer thanks to @Heather Macbeth : we say "WLOG $k$ is algebraically closed" (the step I had missed before when talking to her) and then say "so we can put it in Edwards form and now the machinery Heather and Rob and their team have developed can apparently do it, a result I was not excited about at the time but have now seen the importance of.

Mario Carneiro (Sep 03 2022 at 20:12):

Well, that's still of the form "reduce the problem a bit until it is accessible to a giant computer calculation" which is not what I was hoping from the "abstract" proof

Kevin Buzzard (Sep 03 2022 at 20:12):

What would be left would be translating Lean's "official" definition of an elliptic curve into Edwards form, but my instinct is that the algebra involved here is much easier: one can work out the maps using a computer algebra package and they're just going to be quadratic over cubic or whatever, it's not going to be too taxing I don't think.

And then there's char 2 and again there are apparently char 2 specific methods which can be used to prove associativity much more cheaply than the super-complicated thing I was waffling on about above.

Kevin Buzzard (Sep 03 2022 at 20:12):

It's "reduce the problem until it is amenable to two reasonable computer calculations"

Kevin Buzzard (Sep 03 2022 at 20:13):

These are calculations which one can do by hand if it were the year 1900

Kevin Buzzard (Sep 03 2022 at 20:41):

Dan Bernstein sent me a link to his treatment in the odd characteristic case: https://cr.yp.to/papers.html#completed . He said it was the most painless method he knew. In the char 2 case I thought someone mentioned a method -- I'll come back to this. If you want to do the general case then @Marc Masdeu didn't you conclude that the calculation was unfeasible? Someone at ANTS told me that Bosma--Lenstra was the way to do associativity if you wanted a computation which worked for general $k$.

Kevin Buzzard (Sep 03 2022 at 20:44):

Here is Bernstein's sage notebook for Edwards:

R.<a,d,X1,Z1,Y1,T1,X2,Z2,Y2,T2,X4,Z4,Y4,T4> = PolynomialRing(ZZ,14)

curve1 = a*X1^2*T1^2+Z1^2*Y1^2-Z1^2*T1^2-d*X1^2*Y1^2
curve2 = a*X2^2*T2^2+Z2^2*Y2^2-Z2^2*T2^2-d*X2^2*Y2^2
curve4 = a*X4^2*T4^2+Z4^2*Y4^2-Z4^2*T4^2-d*X4^2*Y4^2

I = R.ideal([curve1,curve2,curve4])

def origadd(X1,Z1,Y1,T1,X2,Z2,Y2,T2):
  X3 = X1*Y2*Z2*T1+X2*Y1*Z1*T2
  Z3 = Z1*Z2*T1*T2+d*X1*X2*Y1*Y2
  Y3 = Y1*Y2*Z1*Z2-a*X1*X2*T1*T2
  T3 = Z1*Z2*T1*T2-d*X1*X2*Y1*Y2
  return X3,Z3,Y3,T3

def dualadd(X1,Z1,Y1,T1,X2,Z2,Y2,T2):
  X3 = X1*Y1*Z2*T2+X2*Y2*Z1*T1
  Z3 = a*X1*X2*T1*T2+Y1*Y2*Z1*Z2
  Y3 = X1*Y1*Z2*T2-X2*Y2*Z1*T1
  T3 = X1*Y2*Z2*T1-X2*Y1*Z1*T2
  return X3,Z3,Y3,T3

for a3 in origadd,dualadd:
  for a7 in origadd,dualadd:
    for a5 in origadd,dualadd:
      for a0 in origadd,dualadd:
        X3,Z3,Y3,T3 = a3(X1,Z1,Y1,T1,X2,Z2,Y2,T2)
        X7,Z7,Y7,T7 = a7(X3,Z3,Y3,T3,X4,Z4,Y4,T4)
        X5,Z5,Y5,T5 = a5(X1,Z1,Y1,T1,X4,Z4,Y4,T4)
        X0,Z0,Y0,T0 = a0(X2,Z2,Y2,T2,X5,Z5,Y5,T5)
        assert X0*Z7-X7*Z0 in I
        assert Y0*T7-Y7*T0 in I
        print([x.__name__ for x in (a3,a7,a5,a0)])

Michael Stoll (Sep 04 2022 at 10:08):

I have a fairly elementary proof for cubic curves that should be independent of the characteristic, which basically only uses Bézout's theorem for a line and a curve. See Section 9 in these notes (which are in German, but I'd be happy to help with translating :smile:).

Kevin Buzzard (Sep 04 2022 at 10:16):

You don't somewhere use Bezout for two cubics? That was what was scaring me with this approach.

Michael Stoll (Sep 04 2022 at 10:52):

No.

David Michael Roberts (Sep 08 2022 at 08:10):

I haven't followed this discussion, so it may have been mentioned, but if one is going to reduce to Edwards curves, then would https://arxiv.org/abs/2004.12030 be useful?

Kevin Buzzard (Sep 08 2022 at 08:21):

I think that @Heather Macbeth already did the Edwards case and claimed she could give a complete proof of associativity in that case. I feel bad because at the time I'd pointed out what I thought were two problems with the approach -- firstly she was assuming the curve had a point of order 4 and secondly that she'd avoided characteristic 2. But the first issue can be avoided by extending the base field and the second issue turned out to be a problem with my approach as well, unless I can prove my way around it (which I can't, right now)

David Michael Roberts (Sep 08 2022 at 08:41):

OK, thanks!

Kevin Buzzard (Sep 08 2022 at 12:51):

Dan Bernstein managed to prove associativity in char 2 in sage-math using some formulae due to David Kohel:

R.<c,X0,X1,X2,X3,Y0,Y1,Y2,Y3,Z0,Z1,Z2,Z3> = PolynomialRing(GF(2),13)

curveX1 = X0^2-X2^2-c^2*X1*X3
curveX2 = X1^2-X3^2-c^2*X0*X2
curveY1 = Y0^2-Y2^2-c^2*Y1*Y3
curveY2 = Y1^2-Y3^2-c^2*Y0*Y2
curveZ1 = Z0^2-Z2^2-c^2*Z1*Z3
curveZ2 = Z1^2-Z3^2-c^2*Z0*Z2

I = R.ideal([curveX1,curveX2,curveY1,curveY2,curveZ1,curveZ2])

def add0(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return (X0*Y0+X2*Y2)^2,c*(X0*X1*Y0*Y1+X2*X3*Y2*Y3),(X1*Y1+X3*Y3)^2,c*(X0*X3*Y0*Y3+X1*X2*Y1*Y2)

def add1(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return c*(X0*X1*Y0*Y3+X2*X3*Y1*Y2),(X1*Y0+X3*Y2)^2,c*(X0*X3*Y2*Y3+X1*X2*Y0*Y1),(X0*Y3+X2*Y1)^2

def add2(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return (X3*Y1+X1*Y3)^2,c*(X0*X3*Y1*Y2+X1*X2*Y0*Y3),(X0*Y2+X2*Y0)^2,c*(X0*X1*Y2*Y3+X2*X3*Y0*Y1)

def add3(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return c*(X0*X3*Y0*Y1+X1*X2*Y2*Y3),(X0*Y1+X2*Y3)^2,c*(X0*X1*Y1*Y2+X2*X3*Y0*Y3),(X1*Y2+X3*Y0)^2

additionlaws = add0,add1,add2,add3

for A in additionlaws:
  for B in additionlaws:
    for C in additionlaws:
      for D in additionlaws:
        A0,A1,A2,A3 = A(X0,X1,X2,X3,Y0,Y1,Y2,Y3)
        B0,B1,B2,B3 = B(A0,A1,A2,A3,Z0,Z1,Z2,Z3)
        C0,C1,C2,C3 = C(Y0,Y1,Y2,Y3,Z0,Z1,Z2,Z3)
        D0,D1,D2,D3 = D(X0,X1,X2,X3,C0,C1,C2,C3)
        assert B0*D1-B1*D0 in I
        assert B0*D2-B2*D0 in I
        assert B0*D3-B3*D0 in I
        assert B1*D2-B2*D1 in I
        assert B1*D3-B3*D1 in I
        assert B2*D3-B3*D2 in I
        print([x.__name__ for x in (A,B,C,D)])

Kevin Buzzard (Sep 08 2022 at 12:55):

But right now I guess I am confused about the general case. @Marc Masdeu you seem convinced that the polynomials involved would be astronomical but https://cr.yp.to/papers.html#completed seems to suggest that it will be less painful than we'd imagined.

Marc Masdeu (Sep 08 2022 at 14:58):

All the experiments I've done have been with the usual polynomials valid for the general Weierstrass equation. I would like a proof that worked in all characteristics at once, but I guess that it'd be okay if there was a separate case for characteristic 2. @Kevin Buzzard I've had this project slowly dying for long enough that maybe it'd be good to have a chat at some point and see how feasible it is to knock it off?
By the way, I can do the general case in Sage no problem, the denominators involved get large, and then they explode when you want to clear them out. I had prepared some scripts to share, but maybe it's better to see it live...

Riccardo Brasca (Sep 23 2022 at 13:31):

Maybe this has already been discussed, but I am at a conference where someone said elliptic curves have been formalized in HOL, but they're not sure how nor in which generality. Does anyone have more info about this?

Kevin Buzzard (Sep 23 2022 at 14:18):

They've been formalised in Coq (Weierstrass form, so not the most general form in char 2 or 3) with a conceptual proof of associativity valid in char != 2. There's an Isabelle/HOL formalisation in the AFP: https://www.isa-afp.org/entries/Elliptic_Curves_Group_Law.html again just of the group law (incl proof of associativity) for the Weierstrass curve (from last year), so again the proof is only valid in char != 2 and doesn't cover all elliptic curves in char 3.

Riccardo Brasca (Sep 23 2022 at 14:19):

I see

Adam Topaz (Sep 23 2022 at 14:41):

Maybe we should bite the bullet and start a big push for Riemann Roch so we can do all this stuff properly?

Riccardo Brasca (Sep 23 2022 at 14:47):

This is clearly the right thing to do if we can wait, but we are quite far, aren't we?

Adam Topaz (Sep 23 2022 at 14:50):

I still think the proof from Serre's book on class fields is doable

Adam Topaz (Sep 23 2022 at 14:50):

The "repartitions" proof

Riccardo Brasca (Sep 23 2022 at 14:51):

I don't know this proof, but is it for which "curves"? Schemes blah blah, varieties over algebraically closed field (defined somehow)?

Adam Topaz (Sep 23 2022 at 14:53):

One could say it's for function fields of trdeg 1

Adam Topaz (Sep 23 2022 at 14:54):

Maybe with a perfect base field? I don't remember

Riccardo Brasca (Sep 23 2022 at 14:55):

Oh, skipping algebraic geometry in some sense? Interesting!

Antoine Chambert-Loir (Sep 23 2022 at 15:29):

Kevin Buzzard said:

They've been formalised in Coq (Weierstrass form, so not the most general form in char 2 or 3) with a conceptual proof of associativity valid in char != 2. There's an Isabelle/HOL formalisation in the AFP: https://www.isa-afp.org/entries/Elliptic_Curves_Group_Law.html again just of the group law (incl proof of associativity) for the Weierstrass curve (from last year), so again the proof is only valid in char != 2 and doesn't cover all elliptic curves in char 3.

It is my understanding that the polyrithtactic implemented @Heather Macbeth should give a completely automatic proof for all elliptic curves represented as a plane cubic curve.

Heather Macbeth (Sep 23 2022 at 15:54):

@Antoine Chambert-Loir In fact this tactic was written by @Dhruv Bhatia, a student of @Rob Lewis!

Heather Macbeth (Sep 23 2022 at 15:56):

And regarding your question: I tried this out at some point (on Edwards curves). There are many cases and I skipped all of them except for the one which I guessed would be the hardest. Polyrith did send me some output here (rather than failing), but the output was so long that it got garbled when being passed back to Lean. So my guess is that it could be made to work, but it requires some effort and probably a more robust version of the Sage interaction.

Heather Macbeth (Sep 23 2022 at 15:57):

It was just a quick experiment for me but I'd be glad to see someone (else) push it further.

Antoine Chambert-Loir (Sep 23 2022 at 16:19):

Oh, I see!

Kevin Buzzard (Sep 23 2022 at 17:46):

The problem with the brute force approach is that there are problems if you use the long form because the polynomials involved apparently have hundreds of thousands of terms. I thought I could do a cheap class group proof but the argument I know doesn't work in char 2. Over an alg closed field (which you can assume wlog) in char not two you can prove that the only solutions x,y in k[t] to y^2=x(x-1)(x-a) (with a in k not 0 or ) are necessarily in k, by a descent argument using the fact that coprime stuff whose product is a square must all be squares etc. This is just a concrete proof that the function field of the curve isn't rational. But in char 2 I don't know of a low-level proof of this, and of course I'm worried about the 2-descent because the isogeny could be inseparable...

Junyan Xu (Sep 23 2022 at 19:05):

Adam Topaz said:

One could say it's for function fields of trdeg 1

reminds me that there's also a proof in Michael Rosen, Number Theory in Function Fields https://link.springer.com/book/10.1007/978-1-4757-6046-0

Anne Baanen (Sep 24 2022 at 04:55):

Riccardo Brasca said:

Maybe this has already been discussed, but I am at a conference where someone said elliptic curves have been formalized in HOL, but they're not sure how nor in which generality. Does anyone have more info about this?

Just to be clear, this was HOL Light, not HOL 4.

Kevin Buzzard (Sep 24 2022 at 08:18):

I was thinking about Riemann-Roch recently. Formally it's two completely different theorems -- one for line bundles on compact Riemann surfaces and one for invertible sheaves on smooth projective algebraic curves (in arbitrary characteristic). Neither implies the other (unless you want to develop the entire theory of GAGA first, which we probably don't). Similarly generalisations of the statement never make it clear about what they're generalising -- places like Wikipedia claim that the Atiyah-Singer index theorem is "a generalisation of Riemann-Roch" and that Grothendieck-Riemann-Roch is "a generalisation of Riemann-Roch" but they're two generalisations of two different theorems.

Kevin Buzzard (Sep 24 2022 at 08:20):

PS Jujian Zhang is working on GAGA but it's slow going, not least because as far as I know we still haven't decided how to implement sheaves of modules on a scheme...

Antoine Chambert-Loir (Sep 25 2022 at 09:04):

I don't have thought deeply about this, but I wonder whether one could adopt a high-level point of view and have topoi, ringed topoi… One reason is that many results on rings, modules… will be given for free once the traditional proofs are transferred in this generality.

Joël Riou (Sep 27 2022 at 22:57):

I would agree with @Antoine Chambert-Loir. Sheaves of rings could be identified to ring objects A in the category of sheaves of sets, and sheaves of modules M with "A-Module objects". This may imply redefining internal versions of [has_mul], [add_comm_group], [module], etc (for a symmetric monoidal structure, e.g. the one given by finite products). Then, there could be suitable notations and instances expressing that M(U) is a module over A(U), etc.

Kevin Buzzard (Sep 28 2022 at 16:58):

Some previous discussion on sheaves of modules is here and here.

Wrenna Robson (Sep 29 2022 at 10:44):

Kevin Buzzard said:

Dan Bernstein managed to prove associativity in char 2 in sage-math using some formulae due to David Kohel:

R.<c,X0,X1,X2,X3,Y0,Y1,Y2,Y3,Z0,Z1,Z2,Z3> = PolynomialRing(GF(2),13)

curveX1 = X0^2-X2^2-c^2*X1*X3
curveX2 = X1^2-X3^2-c^2*X0*X2
curveY1 = Y0^2-Y2^2-c^2*Y1*Y3
curveY2 = Y1^2-Y3^2-c^2*Y0*Y2
curveZ1 = Z0^2-Z2^2-c^2*Z1*Z3
curveZ2 = Z1^2-Z3^2-c^2*Z0*Z2

I = R.ideal([curveX1,curveX2,curveY1,curveY2,curveZ1,curveZ2])

def add0(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return (X0*Y0+X2*Y2)^2,c*(X0*X1*Y0*Y1+X2*X3*Y2*Y3),(X1*Y1+X3*Y3)^2,c*(X0*X3*Y0*Y3+X1*X2*Y1*Y2)

def add1(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return c*(X0*X1*Y0*Y3+X2*X3*Y1*Y2),(X1*Y0+X3*Y2)^2,c*(X0*X3*Y2*Y3+X1*X2*Y0*Y1),(X0*Y3+X2*Y1)^2

def add2(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return (X3*Y1+X1*Y3)^2,c*(X0*X3*Y1*Y2+X1*X2*Y0*Y3),(X0*Y2+X2*Y0)^2,c*(X0*X1*Y2*Y3+X2*X3*Y0*Y1)

def add3(X0,X1,X2,X3,Y0,Y1,Y2,Y3):
  return c*(X0*X3*Y0*Y1+X1*X2*Y2*Y3),(X0*Y1+X2*Y3)^2,c*(X0*X1*Y1*Y2+X2*X3*Y0*Y3),(X1*Y2+X3*Y0)^2

additionlaws = add0,add1,add2,add3

for A in additionlaws:
  for B in additionlaws:
    for C in additionlaws:
      for D in additionlaws:
        A0,A1,A2,A3 = A(X0,X1,X2,X3,Y0,Y1,Y2,Y3)
        B0,B1,B2,B3 = B(A0,A1,A2,A3,Z0,Z1,Z2,Z3)
        C0,C1,C2,C3 = C(Y0,Y1,Y2,Y3,Z0,Z1,Z2,Z3)
        D0,D1,D2,D3 = D(X0,X1,X2,X3,C0,C1,C2,C3)
        assert B0*D1-B1*D0 in I
        assert B0*D2-B2*D0 in I
        assert B0*D3-B3*D0 in I
        assert B1*D2-B2*D1 in I
        assert B1*D3-B3*D1 in I
        assert B2*D3-B3*D2 in I
        print([x.__name__ for x in (A,B,C,D)])

oh my god this is the most Dan code ever

Wrenna Robson (Sep 29 2022 at 10:45):

I think morally I wouldn't call this a proof per se in the same way we use that word on Lean, but it seems to work on a cursory scan.

David Ang (Oct 26 2022 at 15:53):

API for addition of K-rational points

Junyan Xu (Nov 10 2022 at 06:49):

I just came across this proof and it seems to me that the computation involved is feasible for Lean 3, and the prerequisites are also available. Maybe someone could give it a try.

Andrew Yang (Nov 10 2022 at 06:56):

I think this is the "function field" approach mentioned by Kevin and others above. It seems like the "explicit calculation" doesn't really work when the characteristic is 2?

Riccardo Brasca (Nov 10 2022 at 07:00):

It uses short weirstrass equation it seems. In characteristic 2 and 3 it's not always possible to write the curve in that way

Kevin Buzzard (Nov 10 2022 at 07:29):

Yes the problem is precisely that this proof doesn't work in char 2 as it stands and neither does the Edwards curve approach. In fact it seems to me that there might be no formalisation of associativity in characteristic 2 in any system

Eric Rodriguez (Nov 10 2022 at 11:27):

is a char2-only proof just as tricky as a general proof?

David Ang (Nov 10 2022 at 14:39):

If we’re going by the brute-force approach, there are char2-specific simplifications e.g. removing two of the five coefficients, replacing (a-b)^2 with a^2+b^2, etc, but it still doesn’t reduce the computation to a level that’s feasible for Lean3’s ring tactic, especially because there’s no good way to work with expressions in char2

Yaël Dillies (Nov 10 2022 at 14:45):

Is the distinction really char 2 vs char not 2 or rather 2 is invertible vs 2 not invertible? I thought I understood it was the latter

Johan Commelin (Nov 10 2022 at 14:46):

I think we're working over a field for now

Adam Topaz (Nov 10 2022 at 14:54):

Trying to do elliptic curves over general rings (or schemes) would complicate things even further.

Riccardo Brasca (Nov 10 2022 at 14:59):

If we define an elliptic curve as a group scheme such that blah blah, at least associativity will be easy... (just joking)

Kevin Buzzard (Nov 10 2022 at 16:30):

Yes, we need all the definitions, but the point is that we have a lot of the tools necessary to start proving nontrivial theorems about this model. The concrete approach is important for applications, e.g. proving that certain explicit Diophantine equations have some explicit set of rational solutions. As Lean 4 becomes a reality then it will be interesting to see what we can do here.

Junyan Xu (Nov 10 2022 at 19:04):

I think the following argument works: to show injectivity, assume that $[I_P] = [I_Q]$ in the class group (see [MO answer] for the definition of $I_P$), then multiplying by $[I_{-Q}]$ we have $[I_{P+(-Q)}] = [I_P I_{-Q}] = [I_Q I_{-Q}] = [I_O] = 0$. If $P\ne Q$ then $P+(-Q)\ne O$ so assume it's the point (x,y), then $[I_{P+(-Q)}] = 0$ says (X-x, Y-y) is a principal ideal in R, which means that (X-x, Y-y) = (X-x, Y-y, f) = (g, f) for some $g \in k[X,Y]$. But the cubic f=0 cannot intersect g=0 at a single point, contradiction. (I think the only place where Δ ≠ 0 will be needed is in showing $[I_{P+Q}] = [I_P I_Q]$.)

Kevin Buzzard (Nov 10 2022 at 20:52):

The cubic f=0 can certainly intersect g=0 at a single point, for example when if g is linear it can meet f at a point of order 2. I don't see how to finish easily from here. The only low level proof I know assumes char not 2.

Kevin Buzzard (Nov 10 2022 at 20:55):

Even if we assume some conceptual stuff then this argument boils down to the assertion that there's no function on E with a simple zero at a given finite point and a simple pole at infinity, so it's the statement that the cubic doesn't have genus 0 (for some definition of genus), but is there an easy way of seeing that? I don't know one

Kevin Buzzard (Nov 10 2022 at 20:56):

This is my understanding of the stumbling block in this approach but I might be missing something

Junyan Xu (Nov 10 2022 at 21:04):

Yes I was wrong, it's necessary to assume some regularity of f in the last part of the argument, for example if g is linear f=0 is one line intersecting g=0 union two lines parallel to g=0 then (g,f) could be a maximal ideal. But if f=0 is smooth it certainly follows from Bezout's theorem; the intersection multiplicity at infinity can be at most deg g, so the total intersection multiplicity in the affine chart is at least 2 * deg g, which cannot be 1. I imagine Bezout is still easier to prove than Riemann-Roch.

Kevin Buzzard (Nov 10 2022 at 22:20):

Even with bezout you will have this annoying issue about things meeting at infinity eg you'll have to rule out g meeting f once away from infinity and 3d-1 times at infinity

Junyan Xu (Nov 11 2022 at 01:19):

Let me note that since f has the form y^2 + p(x) y + q(x) and is in the ideal (f,g), we may assume that g is of the form p(x) y + q(x) and therefore solve y = -q(x) / p(x). I feel that polynomials in one variable should be easy to deal with, but I haven't worked out a proof.

Kevin Buzzard (Nov 11 2022 at 08:10):

The reason I'm nervous about believing there's an easy proof is that in the char not 2 case another way of saying that the ideal isn't principal is that the only solutions to y^2=x(x-1)(x-lambda) in k(t) are all in k, which is a delicate diophantine argument (product of three coprime polys is a square so they're all squares and now you're doing a 2-descent) -- it's arithmetic rather than algebraic.

Junyan Xu (Nov 12 2022 at 04:05):

Okay I hope the following argument now contains no gap, but it depends on ideal norms so I think we first need to show that $k[X,Y]/(f)$ is a Dedekind domain; we could go the regular + dimension 1 route which uses #16860. Ideal norms have been PR'd #17203 but only for finite extensions of ℤ; @Anne Baanen is it easy to generalize your developments to all Dedekind domains?

So our goal is to show the ideal $(X-x, Y-y) \subseteq k[X,Y]/(f)$ is not principal (when $f(x,y)=0$), and we consider the degree 2 extension $k[X] \to k[X,Y]/(f)$ and the associated norm. Every element in $k[X,Y]/(f)$ can be written as $p(X)Y+q(X)$, whose conjugate is $p(X)(-Y-a_1 X-a_3)+q(X)$, so $N(p(X)Y+q(X))=-(X^3+a_2 X^2+a_4 X+a_6)p(X)^2-(a_1 X+a_3)p(X)q(X)+q(X)^2$. Let a and b be the degrees of p and q respectively, then the three terms are 2a+3, a+b+(0 or 1), and 2b respectively. When $a+1\ge b$ the first term has the highest degree (without tie), and when $a+1<b$ the last term has the highest degree (without tie), so the degree of the norm of an element is either 2a+3 or 2b and never 1. On the other hand, the norm of the ideal $(X-x, Y-y)$ is $(X-x)$ if x isn't 2-torsion and $(X-x)^2$ if x is. If $(X-x, Y-y)$ were generated by a single element then its norm $(X-x)$ would be generated by the norm of that element, so the norm is a constant multiple of $X-x$ (degree 1, impossible) or $(X-x)^2$. If the norm of $p(X)Y+q(X)$ is $c(X-x)^2$, since the degree is even it can't be 2a+3 and must be 2b=2 so we are in the second case, and we have b=1 and a+1<b means that p(X)=0, so the norm is $q(X)^2=c(X-x)^2$ and $q(X)=c'(X-x)$. But it's easy to show $(X-x, f)=(X-x, (Y-y)^2)\ne (X-x, Y-y)$ in this case.

Indeed I'm solving the norm equation in polynomials here but fortunately it's easy in this case :) This argument is inspired by Exercise I.6.2 in Hartshorne's GTM52, and I checked out the exercise after seeing the comment here.

Junyan Xu (Nov 12 2022 at 08:43):

I think we probably want to develop this general version of ideal norms (notes by Sutherland) in mathlib. To show regularity of k[X,Y]/(f), we may develop stacks#07PF, or may be we can show that the localizations at all points are PID more directly and use the 7th characterization of Dedekind domains here.

Riccardo Brasca (Nov 12 2022 at 09:38):

I think @Anne Baanen and @Alex J. Best are working on the ideal norm.

Anne Baanen (Nov 14 2022 at 15:13):

At the moment we only have working code for finite extensions of ℤ indeed, but I did do some work on the norm definition using this general suggestion, [M_p : N_p]A_p := det φ̂_p. For example, nat_abs_det_equiv in #17299 links this determinant to the cardinality of the quotient. I don't know how developed the theory of localizations for Dedekind is now, to say how quickly we can get the full definition working nicely.

Anne Baanen (Nov 14 2022 at 15:14):

My work in progress can be found on branch#ideal_norm. It is somewhat duplicate with the PRs mentioned above, but should have some more results toward this determinant-based definition of the norm.

Riccardo Brasca (Nov 14 2022 at 15:26):

Let me review some of the PR involved!

David Ang (Nov 14 2022 at 17:04):

David Ang said:

API for addition of K-rational points

I made a PR last month giving a basic API for the addition of K-rational points, the type of which is defined as an inductive over the point at infinity and the rest of the affine points. There were some discussion with @Michael Stoll in the PR page that perhaps we don't want this to be the definition, because it might be unlikely that associativity would be proven easily with this definition. So far the current approaches discussed are (if I didn't miss any):

• brute-force (Lean3's ring is ~4 times too slow for this, and even if it were fast enough I need a file with thousands of lines of polynomials),
• injecting it into the class/Picard group (need to define the associated ring),
• using some form of Cayley-Bacharach (need some form of Bezout), and
• translating it into Edwards form (need to define Edwards curves, and this doesn't work for char 2).

The last three methods would involve translating the current definition of affine addition into their respective contexts, then showing that this addition is the same as the translated addition. The ideal definition is obviously to define the Weierstrass model via the Proj construction (or even as a group scheme etc), but I doubt we are close to doing that. I'm thinking that we should fix the affine definition, partly because it's the definition that's easiest to work with and prevalent in other theorem provers, and partly because I already proved a bunch of other things with this without needing associativity. For whatever proof we have for associativity that comes later, we can simply introduce the necessary translation and define an equiv with the affine definition. Thus I'm asking for opinions via a poll here.

David Ang (Nov 14 2022 at 17:08):

/poll What should I do for #17194?
The current affine definition should be approved, and should be the definition (at least until we can give coordinates via Riemann-Roch)
The current affine definition should be approved, but should be refactored as a theorem/equiv once we have a proof of associativity
The current affine definition should be rejected, and we should wait for a better definition with a proof of associativity

Junyan Xu (Nov 15 2022 at 01:31):

I just found that the Picard group proof @Michael Stoll proposed two weeks ago on Github is almost the same as the proof I worked out, except that it's stated in terms of the (smooth) projective curve while mine is totally restricted to the affine chart, working with a Dedekind domain; and in the last part of the argument, I use the norm to show the maximal ideals (with residue field k, i.e. inertial degree 1) can't be principal, while Michael uses that the orders of zeros/poles of a rational function sum up to 0, which is essentially equivalent to Bezout for the cubic and arbitrary plane curves defined by the numerator and denominator of the rational function. (It's also possible to work with abstract curves (formed by valuations of the tr.deg. 1 function field) but that would be more theory development, and some glue is necessary to connect to the concrete plane curve model.) So I think my approach is more elementary (purely commutative algebra). Although the approaches to this last part are distinct, they also share some similarity: showing a rational function cannot have a simple pole at infinity and no pole elsewhere in his approach is the same as showing an element in the Dedekind domain cannot have norm of degree 1. I should have seen his proof in email notification but had forgotten about it when I began to pursue my approach :)

Junyan Xu (Nov 15 2022 at 01:31):

Although a full theory of ideal norms is desirable (it unifies the number field and function field cases), it's also possible to take a shortcut if we just want to prove the maximal ideals (with residue field k) in the Dedekind domain are non-principal: for algebraic number rings we have a natural notion of size of an ideal, which is the cardinality of the quotient. In our case where all ideals are vector subspaces over the base field k, we may use the k-dimension of the quotient (which is additive rather than multiplicative, but we don't even need this fact): the quotient at a rational point has dimension 1, but we can show that the quotient by any nonzero principal ideal (pY+q) has dimension equal to the degree of N(pY+q), which is at least 2 from previous argument. (And when I write this I realize I made an error in that argument: there's no need to split out the 2-torsion case; the norm of the ideal is still (X-x) rather than its square.) My argument uses this result just merged into mathlib:

def ideal.quotient_equiv_pi_span
  (I : ideal S) (b : basis ι R S) (hI : I ≠ ⊥) :
  (S ⧸ I) ≃ₗ[R] Π i, (R ⧸ ideal.span ({I.smith_coeffs b hI i} : set R))

The determinant of the multiplication by pY+q on S=k[X,Y]/(f) as a k[X]-linear map (R=k[X]) is easily calculated to be equal to N(pY+q) using the basis {1,Y}. On the other hand, it's also associated to the product of the smith_coeffs: we may consider S → (pY+q) → S → S where the first map sends each element in the Smith basis to the corresponding smith_coeff times that element (which sends a basis to a basis so is a R-linear_equiv), the second map sends every element x ∈ (pY+q) to (pY+q)⁻¹ * x (which is also a R-linear_equiv when p,q are not both zero since S is a domain), and the third map is multiplication by pY+q. Then last two maps "cancel", so the net effect of the composition of the three maps is multiplying by smith_coeffs and so has determinant equal to the product of the smith_coeffs. On the other hand, the first two maps compose to an R-automorphism of S, whose determinant is a unit (docs#linear_equiv.det). Therefore, N(pY+q), which is the determinant of the third map, is associated to and hence has the same degree as the product of the smith_coeffs. According to ideal.quotient_equiv_pi_span, the dimension of S/(pY+q) over k is the same as the sum of the degrees of the smith_coeffs, which is the same as the degree of N(pY+q), and we are done.

With this shortcut, I don't think we even need to show S is Dedekind, only that S is a domain, i.e. the polynomial f in k[X,Y] is irreducible; if f splits into a product (Y+p(X))(Y+q(X)) it should be easy to show Δ = 0.

Junyan Xu (Nov 15 2022 at 01:32):

Regarding #17194, I think the definition of addition and the case splits are fine, and are quite amenable for showing $[I_P I_Q]=[I_{P+Q}]$. However, I think def weierstrass should be made a polynomial f : k[X][X] since we're gonna define the Dedekind domain as k[X] adjoining a root of f; we can easily evaluate the polynomial at any point in the affine plane.

Kevin Buzzard (Nov 15 2022 at 05:23):

Yeah I believe that this argument should work even in char 2 and looks like the most promising approach currently

Kevin Buzzard (Nov 15 2022 at 05:23):

@David Ang

David Ang (Nov 15 2022 at 11:58):

Junyan Xu said:

Regarding #17194, I think the definition of addition and the case splits are fine, and are quite amenable for showing $[I_P I_Q]=[I_{P+Q}]$. However, I think def weierstrass should be made a polynomial f : k[X][X] since we're gonna define the Dedekind domain as k[X] adjoining a root of f; we can easily evaluate the polynomial at any point in the affine plane.

I've defined weierstrass_polynomial for this - I'm guessing the ring is now just K[X][X] ⧸ ideal.span ({E.weierstrass_polynomial} : set K[X][X])?

David Ang (Nov 15 2022 at 15:53):

Probably not the right place to ask but I will ask here anyway since it's relevant: I was trying to define the map $P \mapsto [I_P]$ and I encountered a deterministic timeout, so I tried extracting a MWE:

import ring_theory.class_group
open polynomial
open_locale polynomial

variables (K : Type) [field K]

noncomputable def cusp : K[X][X] := X ^ 2 - C (X ^ 3) -- supposed to be weierstrass_polynomial
@[reducible] def cusp_ring := K[X][X] ⧸ ideal.span ({cusp K} : set K[X][X])
instance : is_domain $ cusp_ring K := sorry
instance : is_dedekind_domain $ cusp_ring K := sorry

noncomputable def to_class : K → class_group (cusp_ring K) := -- supposed to be E(K) -> class_group
λ x, class_group.mk0 ⟨ideal.span {quotient.mk' $ C (X - C x)}, sorry⟩

The last line takes ~10 seconds to compile for me, and making it more complicated (e.g. changing K to E(K) and making the definitions actually correct) makes it time out - any idea what's going on? I can change ... : K → ... := λ x, ... to ... (x : K) : ... := ... and it's fast, but for E(K) I'd rather pattern match the inductive...

Junyan Xu (Nov 15 2022 at 17:34):

It takes <4s on my machine and I'm not yet sure how to speed it up. By the way I think you want to use the default constructor which doesn't require is_dedekind_domain, and you can directly show $[I_{-P}]$ is the inverse of $[I_P]$ because $[I_P I_{-P}]=[I_O]=[R]$. Showing is_dedekind_domain R would be more work, though certainly doable.

Junyan Xu (Nov 15 2022 at 17:36):

and K[X,Y]/(Y^2-X^3) is definitely not a Dedekind domain; (Y/X)^2=X so it's not integrally closed.

David Ang (Nov 15 2022 at 17:47):

Yeah the Y^2 = X^3 was just a stupid example to show that it’s very slow - once someone approves #17194 I can write down the actual definition that times out (and I don’t know how to fix)

Junyan Xu (Nov 15 2022 at 19:32):

Oooh I just realized the weierstrass polynomial can never be factored as (Y+p(X))(Y+q(X)), because pq needs to have degree 3 so p+q has degree at least 2 but needs to have degree 1. So k[X,Y]/(f) is always a domain no matter whether Δ = 0 and my argument actually shows that the nonsingular rational points in Spec k[X,Y]/(f) always form a group. Maybe we should do things in this generality, @Kevin Buzzard? It would be useful for bad (additive/multiplicative) reduction of elliptic curves, right?

Michael Stoll (Nov 15 2022 at 19:37):

Doing it in this generality would definitely be good!

Andrew Yang (Nov 15 2022 at 21:28):

David Ang said:

the ring should now be just K[X][X] ⧸ ideal.span ({E.weierstrass_polynomial} : set K[X][X])

docs#adjoin_root might be useful here

David Ang (Nov 15 2022 at 22:13):

Andrew Yang said:

David Ang said:

the ring should now be just K[X][X] ⧸ ideal.span ({E.weierstrass_polynomial} : set K[X][X])

docs#adjoin_root might be useful here

Thanks, this magically fixes literally all my current timeout issues as well :saluting_face:

Eric Rodriguez (Nov 15 2022 at 22:27):

adjoin_root has some diamond somewhere iirc, I have a fix on the splitting field diamond fix but I haven't kept that up to date sadly... I'll try finish that soon so that doesn't cause any issues here

Junyan Xu (Nov 16 2022 at 03:49):

Doing it in this generality would definitely be good!

So we need to introduce a new structure without the Δ : R× and make docs#EllipticCurve extends it, and define addition for this new structure more generally. What should the new structure be called? The constructor point.some (x y : K) (h : E.weierstrass_equation x y) would take a nonsingularity condition (or do we want to consider all rational points including the singular point?), and we may define another constructor for points on an EllipticCurve without that condition.

BTW @David Ang In #17194 I think it's better to use [comm_ring] instead of [field] whenever possible; I think weierstrass_equation/polynomial and neg don't need [field], only addition needs it.

P.S. I just learned that is the discriminant of $y^2+y=x^3-x$ src#EllipticCurve.inhabited :) Looks like it's not so random, but maybe just law of small number.

Andrew Yang (Nov 16 2022 at 04:00):

I think that is one of the reasons why 37 is 37 and not 42 or something else.

Junyan Xu (Nov 16 2022 at 04:06):

I think it's always advertised as a random choice, but I've now found another mention of its appearance in elliptic curves ...

Mario Carneiro (Nov 16 2022 at 04:28):

it's definitely not a random choice. It's meme status on this zulip originates from @Kevin Buzzard using it as his favorite number

Mario Carneiro (Nov 16 2022 at 04:28):

and I'm pretty sure the elliptic curve connection is part of it

Thomas Browning (Nov 16 2022 at 05:21):

I didn't know about the elliptic curve connection. I thought it just had to do with it being the first irregular prime.

Junyan Xu (Nov 16 2022 at 05:32):

and it's also the smallest prime not dividing the order of Monster ... and 59 is the only irregular prime dividing the order of Monster.

it's definitely not a random choice.

I always thought it's a randomly chosen prime number.

Johan Commelin (Nov 16 2022 at 06:54):

Never attribute to randomness that which is adequately explained by expertise in number theory.

Antoine Chambert-Loir (Nov 16 2022 at 08:58):

Just a remark on this amazing discussion: When you look at the first papers of Hasse on elliptic curves, 1936, the language was essentially field-theoretic. What made the theory work was that for curves, closed points correspond to places/valuations on the function field. This explains why @Junyan Xu it is not really necessary to develop the Dedekind-ring theory for these results to be proved. On the other hand, the Riemann-Roch theorem is a crucial component of Hasse's papers, it has been proved a few years earlier by F.K. Schmidt. Only with Weil would the theory start to be framed in a geometric language. (For Hasse and Deuring, the product of a curve $C/k$ by another one $E/k$ was constructed as the curve $C$ with scalars extended to the function field of $E$, and its places could be separated into constant one and non-constant ones, leading to an understanding of the divisor class group of the surface $C\times E$ modulo rational equivalence and its action on divisors of $C$, mapping them to divisors on $E$.)

David Ang (Nov 16 2022 at 10:53):

Junyan Xu said:

Doing it in this generality would definitely be good!

So we need to introduce a new structure without the Δ : R× and make docs#EllipticCurve extends it, and define addition for this new structure more generally. What should the new structure be called? The constructor point.some (x y : K) (h : E.weierstrass_equation x y) would take a nonsingularity condition (or do we want to consider all rational points including the singular point?), and we may define another constructor for points on an EllipticCurve without that condition.

BTW David Ang In #17194 I think it's better to use [comm_ring] instead of [field] whenever possible; I think weierstrass_equation/polynomial and neg don't need [field], only addition needs it.

P.S. I just learned that is the discriminant of $y^2+y=x^3-x$ src#EllipticCurve.inhabited :) Looks like it's not so random, but maybe just law of small number.

WeierstrassCurve? I will do the comm_ring change. I think Kevin was intentionally trying to find a curve with discriminant 37 to put in there

Kevin Buzzard (Nov 16 2022 at 11:28):

It's the first rank 1 elliptic curve.

David Ang (Nov 16 2022 at 12:18):

I can refactor both EllipticCurve.lean and EllipticCurve/point.lean to include singular Weierstrass equations, but I think it's better to have this approved first (since it's valid) and do that immediately in a separate PR

Michael Stoll (Nov 16 2022 at 16:14):

We could take a curve of conductor 5077 instead...

Oisin McGuinness (Nov 16 2022 at 19:57):

Michael Stoll said:

We could take a curve of conductor 5077 instead...

Of course 5077 is the smallest conductor of an elliptic curve of rank 3 (this has been proved), and also stands out for its role in the resolution of the class number problem for imaginary quadratic fields (Goldfeld and Gross-Zagier).

My personal favorite would be 19047851, conductor of smallest known (not yet proved, apparently searches haven't quite proved this yet) conductor of rank 5; entry in LMFDB here: Elliptic curve with LMFDB label 19047851.a1, only relatively recently added to LMFDB. See 5th page of this paper this curve's publication.

Junyan Xu (Nov 16 2022 at 23:28):

LMFDB doesn't seem to have Elkies' curves; at least the only known curve (over Q) of rank ≥ 28 y^2 + xy + y = x^3 − x^2 − 20067762415575526585033208209338542750930230312178956502x +34481611795030556467032985690390720374855944359319180361266008296291939448732243429 isn't among the results returned from searching bad prime 48463. (I found the bad prime from this page.) These curves are really special as it's conjectured that only finitely many elliptic curves over Q has rank > 21.

David Michael Roberts (Nov 17 2022 at 04:42):

Another fact: it's a factor of the conductor of what seems to be the oldest recorded curve on which someone (Diophantus, who else) found a rational point, 8732.b1.

David Michael Roberts (Nov 17 2022 at 04:59):

@Junyan Xu do we know the torsion subgroup of the Mordell–Weil group of Elkies' curve?

David Michael Roberts (Nov 17 2022 at 05:43):

Oh, I see that it has trivial torsion. Took a little search to track down that email...

Junyan Xu (Nov 17 2022 at 07:06):

I think the 123-digit number in Elkies's email must have been factored as it's not hard nowadays (at most several days according to this 2018 post). The paper I linked also mentioned "passing a list of bad primes" of the curve but I'm not sure if it means all of them; it doesn't mention how the global root numbers were obtained.

Apparently it gets harder to find elliptic curves of high ranks when there is more torsion: the records in this paper are {20,15,13,8,9,6} for Z/{2,3,4,5,6,7}Z, and heuristics suggest that there are only finitely many of ranks above {13,9,7,5,5,3}.

Elliptic curves in nature (mentioned in the MO thread) is also a nice read :) with 5077-a1 the last example.

Junyan Xu (Nov 17 2022 at 07:16):

Oh, someone added the factorization to factordb.com in 2019: 315574902691581877528345013999136728634663121 x 376018840263193489397987439236873583997122096511452343225772113000611087671413

Kevin Buzzard (Nov 17 2022 at 23:24):

So @David Ang and I went through @Junyan Xu 's approach today at work and convinced ourselves that it should work fine, even in char 2. I realise that I am still a bit confused about some of the story.

If $R$ is a commutative ring and $A$ is an $R$-algebra which is finitely-generated and projective (or locally free, which might be slightly different in the non-Noetherian case) as an $R$-module, then there's a norm map $N:A\to R$, a monoid homomorphism, defined by considering multiplication by $a\in A$ as an $R$-module endomorphism of $A$ and then taking its determinant (this and the trace are sufficiently "canonical" that they can be computed locally, meaning that $A$ doesn't have to be free, just locally free).

Now if $J$ is an ideal of $A$ we can define its norm to be the ideal of $R$ generated by the norms of all the elements. What I am slightly confused by is that we don't need to assume $A$ is a Dedekind domain in this definition, and going through the argument it seemed to me that all one needs is that the norm of the ideal $(g)$ is the ideal $N(g)$. In particular we don't need to prove that $k[X,Y]/(Y^2-a_1XY-...)$ is a Dedekind domain. Did I miss something?

Is the idea that one can define the norm of an ideal of $A$ as an ideal of $R$ but one can't prove that this construction is multiplicative unless $R$ is a Dedekind domain and perhaps more too?

Kevin Buzzard (Nov 17 2022 at 23:24):

@Anne Baanen are you working on this?

Kevin Buzzard (Nov 17 2022 at 23:25):

I think David might want to "start at the top", deducing associativity from injectivity and then starting on injectivity and perhaps meeting others coming up from the bottom.

Anne Baanen (Nov 18 2022 at 10:14):

Yes, the idea is just that bundling the map as a homomorphism requires stricter assumptions

Anne Baanen (Nov 18 2022 at 10:16):

In particular we needed for our project that it returns a number, not ideal, and that the map is multiplicative, so we restrict to rings of integers of number fields

Anne Baanen (Nov 18 2022 at 10:17):

I'm pretty sure I have some code on the ideal generated by the norms, let me look it up

Kevin Buzzard (Nov 18 2022 at 12:12):

Aha -- the norm of an ideal is an ideal in my comments above, but then I suspect that you're in the special case where $R=\Z$ and so instead of an ideal you can just take its non-negative generator. Alternatively you can just take the size of $R/N(J)$ if it's finite.

Anne Baanen (Nov 18 2022 at 12:28):

In fact, I recall our development went span of norms → generator of span → cardinality of the quotient as we figured out exactly what we required :)

Alex J. Best (Nov 18 2022 at 12:55):

Yeah some things were way easier to prove with one version than the other in the end

Alex J. Best (Nov 18 2022 at 12:55):

And indeed we considered a version of relative norm, but taking the positive generator of a Z ideal was very convenient for now

Anne Baanen (Nov 18 2022 at 13:09):

Anne Baanen said:

I'm pretty sure I have some code on the ideal generated by the norms, let me look it up

WIP on branch#ideal-span-norm

Junyan Xu (Nov 18 2022 at 22:32):

Kevin Buzzard said:

In particular we don't need to prove that $k[X,Y]/(Y^2-a_1XY-...)$ is a Dedekind domain.

Yes, this is what I concluded in the latest version of my argument, and why I said the argument could be extended to Weierstrass curves with nonzero discriminant / domains that are not Dedekind. In fact I think this part of the argument is now even easier than the other part (showing $[I_{P+Q}]=[I_P I_Q]$).

Ideal norm is usually defined either as module index as in Sutherland's notes, or as the cardinality of the quotient ring (for rings of algebraic integers A relative to R=Z as in #17203 and in Conrad's notes). The former definition requires the base ring R to be Dedekind but and latter definition requires R=Z, but both definitions make sense without A being Dedekind. However, indeed multiplicativity may fail when A isn't Dedekind: see Example 8.2 in [Conrad] for an example where |A/P|=p but |A/P^2|=p^{n+1}. (Since A is of Krull dimension 1, It should be clear that for P nonzero prime the dimension of P/P^2 over A/P is 1 iff A is regular at P.) We also have

Remark 7.6. In a domain where all nonzero ideals have finite index, the multiplicativity of the ideal norm implies unique factorization of ideals.
[3] H. S. Butts and L. Wade, Two Criteria for Dedekind Domains, Amer. Math. Monthly 73 (1966), 14-21.

If we instead define ideal norm as the ideal generated by norms of elements as you do, it's also not obviously multiplicative (because the norm of a sum has no obvious relation with the norms of the summands), but N((g)) = N(g), N(gI) = N(g)N(I) and N(I)N(J) ≤ N(IJ) are obvious; curiously this inequality seems to be opposite to what holds with the usual definition. We also know that the two definitions agree when A is a Dedekind domain, see Theorem 7.10 in [Conrad] or Corollary 6.9 in [Sutherland], in which case both are multiplicative. When A isn't Dedekind they need not agree: if A=Z+2Z[√-1] and p=2Z[√-1] (like in Example 8.2), then |A/p|=2 but N(p)=4, and |A/p^2|=8 but N(p^2)=16, so multiplicativity fails for the usual ideal norm but not your ideal norm, and I struggle to come up with counterexample to multiplicativity of your ideal norm.

Notice that [Sutherland] develops the theory of module index for modules that are lattices over a Dedekind domain; lattices are submodules of vector spaces, so they are torsion-free and hence (beingn over a Dedekind domain) projective, which is exactly the setting under which you defined the norm of an element.

David Ang (Nov 19 2022 at 21:23):

This PR, which depends on #17194 and two small PRs, proves case-by-case that the Weierstrass polynomial is irreducible and hence that the quotient ring is a domain, and this branch defines the add_monoid_hom $E(K) \to \mathrm{Cl}(R)$ and a proof of the group law on $E(K)$ assuming injectivity and that it respects addition - feel free to make commits into it

Antoine Chambert-Loir (Nov 21 2022 at 21:01):

Kevin Buzzard said:

If $R$ is a commutative ring and $A$ is an $R$-algebra which is finitely-generated and projective (or locally free, which might be slightly different in the non-Noetherian case) as an $R$-module,

it depends on what you call “locally free”. It's equivalent if you define it as the existence of an open covering of $\mathrm{Spec}(A)$ by, say $D(f_i)$ such that each module $M_{f_i}$ is free and finitely generated. It is not equivalent if, by that, you mean that the localization $M_{p}$ at all prime ideals are free modules over the local rings $A_p$.

… then there's a norm map $N:A\to R$, a monoid homomorphism, defined by considering multiplication by $a\in A$ as an $R$-module endomorphism of $A$ and then taking its determinant (this and the trace are sufficiently "canonical" that they can be computed locally, meaning that $A$ doesn't have to be free, just locally free).

Indeed.

Now if $J$ is an ideal of $A$ we can define its norm to be the ideal of $R$ generated by the norms of all the elements. What I am slightly confused by is that we don't need to assume $A$ is a Dedekind domain in this definition, and going through the argument it seemed to me that all one needs is that the norm of the ideal $(g)$ is the ideal $N(g)$. In particular we don't need to prove that $k[X,Y]/(Y^2-a_1XY-...)$ is a Dedekind domain. Did I miss something?