A short Weierstrass curve $y^2 = x^3 + A x + B$ over a commutative ring $R$, parameterised by the coefficients $A$ and $B$.
- A : R
- B : R
Instances For
The underlying Mathlib WeierstrassCurve of a short Weierstrass curve, with
$a_1 = a_2 = a_3 = 0$, $a_4 = A$, $a_6 = B$.
Instances For
The first Weierstrass coefficient $a_1$ of a short Weierstrass curve vanishes.
The second Weierstrass coefficient $a_2$ of a short Weierstrass curve vanishes.
The third Weierstrass coefficient $a_3$ of a short Weierstrass curve vanishes.
The fourth Weierstrass coefficient $a_4$ of a short Weierstrass curve equals $A$.
The sixth Weierstrass coefficient $a_6$ of a short Weierstrass curve equals $B$.
The auxiliary invariant $b_2 = a_1^2 + 4 a_2$ of a short Weierstrass curve vanishes.
The auxiliary invariant $b_4 = 2 a_4 + a_1 a_3$ of a short Weierstrass curve equals $2A$.
The auxiliary invariant $b_6 = a_3^2 + 4 a_6$ of a short Weierstrass curve equals $4B$.
The auxiliary invariant $b_8$ of a short Weierstrass curve equals $-A^2$.
The $n$-th division polynomial $\psi_n \in R[X][Y]$ of a short Weierstrass curve, as a
bivariate polynomial. Computed from Mathlib's WeierstrassCurve.ψ.
Instances For
The zeroth division polynomial vanishes, $\psi_0 = 0$.
The first division polynomial is $\psi_1 = 1$.
The second division polynomial is $\psi_2$, equal to the Mathlib helper ψ₂.
For a short Weierstrass curve, $\psi_2 = 2 Y$ (since $a_1 = a_3 = 0$).
The third division polynomial $\psi_3$ depends only on $X$ (it equals $C \, \Psi_3$).
The fourth division polynomial factors as $\psi_4 = C \, \mathrm{pre}\Psi_4 \cdot \psi_2$.
Negating the index negates the division polynomial: $\psi_{-n} = -\psi_n$.
Odd-index recurrence (Theorem 5.21): $\psi_{2m+1} = \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3$.
Even-index recurrence (Theorem 5.21): $\psi_{2m} \psi_2 = \psi_{m-1}^2 \psi_m \psi_{m+2}
- \psi_{m-2}\psi_m \psi_{m+1}^2$.
The $x$-coordinate numerator polynomial $\phi_n \in R[X][Y]$ used in the multiplication-by-$n$ map: $\phi_n = X \psi_n^2 - \psi_{n+1} \psi_{n-1}$.
Instances For
Defining identity: $\phi_n = C X \cdot \psi_n^2 - \psi_{n+1} \cdot \psi_{n-1}$.
The zeroth $\phi$-polynomial is $\phi_0 = 1$.
The first $\phi$-polynomial is $\phi_1 = X$.
The $\phi$-polynomial is invariant under negation of the index: $\phi_{-n} = \phi_n$.
The numerator polynomial of $\omega_n$ (the $y$-coordinate piece of $[n]$), defined as $\psi_{n+2}\psi_{n-1}^2 - \psi_{n-2}\psi_{n+1}^2$.
Instances For
For odd $n$, Mathlib's $\Psi_n$ collapses to $C(\mathrm{pre}\Psi_n)$ (no $\psi_2$ factor).
For even $n$, Mathlib's $\Psi_n$ equals $C(\mathrm{pre}\Psi_n) \cdot \psi_2$.
For even $n$, the image of omegaPolyNumer n in the coordinate ring equals
$\psi_2 \cdot C(\text{pre}\Psi\text{-combination})$.
For odd $n$, the image of omegaPolyNumer n in the coordinate ring equals
$\psi_2^2 \cdot C(\text{pre}\Psi\text{-combination})$.
For even $n$, the polynomial combination of preΨ is divisible by $2$, witnessed by
some half $h \in R[X]$.
Squaring is invariant under negation of the index: $\psi_{-n}^2 = \psi_n^2$.
The $x$-coordinate of $[n]P$ is unchanged by $n \mapsto -n$: both $\phi_n$ and $\psi_n^2$ are invariant under $n \mapsto -n$.
Odd-index addition identity (Theorem 5.21): the difference of cross terms $\phi_m \psi_{m+1}^2 - \phi_{m+1}\psi_m^2$ equals $\psi_{2m+1}$.
Even-index verification (Theorem 5.21): $\psi_m \cdot \omega_n^{\mathrm{num}} = \psi_{2m} \cdot \psi_2$.
Degree of $\Phi_n$: the natural degree of Mathlib's $\Phi_n$ equals $n^2$ (in absolute value).
Leading coefficient of $\Phi_n$ is $1$ (the polynomial is monic).
Degree of $\mathrm{pre}\Psi_n$: when $n \neq 0$ in $R$, its $\mathrm{natDegree}$ equals $(n^2 - 4)/2$ for even $n$ and $(n^2 - 1)/2$ for odd $n$.
Leading coefficient of $\mathrm{pre}\Psi_n$: it equals $n/2$ for even $n$ and $n$ for odd $n$ (when $n \neq 0$ in $R$).
Degree of $\Psi_n^2$: when $n \neq 0$ in $R$, $\mathrm{natDegree}(\Psi_n^2) = n^2 - 1$.
Leading coefficient of $\Psi_n^2$ equals $n^2$.
Combined statement of degree and leading coefficient of $\Psi_n^2$.
A short Weierstrass curve has $a_1 = a_2 = a_3 = 0$.
Evaluate a bivariate polynomial $p \in S[X][Y]$ at a point $(x_0, y_0) \in S \times S$ by first specialising $Y \mapsto y_0$ then $X \mapsto x_0$.
Instances For
Numeric evaluation of $\psi_n$ at the affine point $(x_0, y_0)$.
Instances For
Numeric evaluation of $\phi_n$ at the affine point $(x_0, y_0)$.
Instances For
Numeric evaluation of the $\omega_n$-numerator polynomial at $(x_0, y_0)$.
Instances For
The $x$-coordinate of $[n] P$ for $P = (x_0, y_0)$, given by $\phi_n / \psi_n^2$.
Instances For
Numeric value of $\omega_n(P) = \omega_n^{\mathrm{num}}/(4y_0)$ at the affine point $P = (x_0, y_0)$.
Instances For
The $y$-coordinate of $[n] P$ for $P = (x_0, y_0)$, given by $\omega_n / \psi_n^3$.
Instances For
Base case: $\psi_1$ evaluates to $1$ at any point.
Base case: $\phi_1(x_0, y_0) = x_0$.
Base case: $[1] P$ has $x$-coordinate $x_0$.
Over an elliptic short Weierstrass curve, $4 \neq 0$ in the base field $F$ (otherwise $\Delta = 0$).
Base case: $\omega_1^{\mathrm{num}}(x_0, y_0) = 4 y_0^2$.
Base case: $[1] P$ has $y$-coordinate $y_0$.
Theorem 5.21 (algebraic form): when $\psi_n$ does not vanish at $P$, the affine point $(x_0, y_0)$ is sent under $[n]$ to the point $(\mathrm{mulByN}_x, \mathrm{mulByN}_y)$.
Theorem 5.21 (algebraic form): when $\psi_n$ vanishes at $P$, the affine point is an $n$-torsion point ($[n] P = O$).
Theorem 5.21 (purely algebraic): three identities characterising the division polynomials. The first asserts $n \mapsto -n$ symmetry; the second is the odd recurrence; the third is the even recurrence.
Theorem 5.21: case split on whether $\psi_n(P)$ vanishes, returning either the affine formulae for $[n] P$ or that $[n] P = O$.
Auxiliary lemma for the coprimality of $\Phi_n$ and $\Psi_n^2$: a common root would witness an affine $n$-torsion point that is also $(n \pm 1)$-torsion, contradicting nontriviality.
The polynomials $\Phi_n$ and $\Psi_n^2$ are coprime over an elliptic short Weierstrass curve, used to extract the multiplication-by-$n$ map as a standard-form isogeny.
Vélu parameter $t = 3 x_0^2 + A$.
Instances For
Vélu parameter $w = x_0 t = x_0 (3 x_0^2 + A)$.
Instances For
Vélu image parameter $A' = A - 5 t$ for the codomain curve.
Instances For
Vélu image parameter $B' = B - 7 w$ for the codomain curve.
Instances For
The image curve $E' : y^2 = x^3 + A' x + B'$ of the Vélu degree-$2$ isogeny.
Instances For
Unfolding the $A$-coefficient of the image curve.
Unfolding the $B$-coefficient of the image curve.
Defining identity for $t$.
Defining identity for $w$.
The $2$-torsion point $(x_0, 0)$ lies on $E$ since $x_0^3 + A x_0 + B = 0$.
The key algebraic identity for the Vélu degree-$2$ map: the cubic in the numerator factors compatibly with the image curve equation.
Numerator of the $x$-coordinate component $\phi_x(x) = x^2 - x_0 x + t$.
Instances For
Denominator of the $x$-coordinate component $\phi_x$, namely $x - x_0$.
Instances For
Factor appearing in the $y$-coordinate numerator: $(x - x_0)^2 - t$.
Instances For
Denominator of the $y$-coordinate component: $(x - x_0)^2$.
Instances For
Natural degree of the Vélu $u$-polynomial $X^2 - x_0 X + t$ over a field is $2$.
The Wronskian of the Vélu degree-$2$ pair simplifies to $(X - x_0)^2 - t$.
Separability of the Vélu degree-$2$ map: the Wronskian is nonzero.
The Vélu degree-$2$ map has degree $2$: $\max(\deg u, \deg v) = 2$.
The denominators of $\phi_x$ and $\phi_y$ vanish at the kernel point $x_0$.
The kernel of $\phi_x$ is exactly $\{x_0\}$: the denominator does not vanish elsewhere.
On the curve, $y^2$ factors as $(x - x_0)(x^2 + x_0 x + x_0^2 + A)$.
The Vélu degree-$2$ map sends an on-curve point $(x, y)$ to a point on the image curve.
The Vélu degree-$2$ map is a standard-form separable isogeny of degree $2$.
Bundled kernel data for the Vélu degree-$2$ isogeny: the kernel point is on $E$, the denominators vanish at it, are nonzero elsewhere, and the kernel has order $2$.
- nonkernel_welldefined (x : F) : x ≠ d.x₀ → d.phi_x_denom x ≠ 0
Instances For
The Vélu degree-$2$ kernel data associated to a Vélu degree-$2$ datum.
Instances For
Bundled Vélu degree-$2$ isogeny: a standard-form separable degree-$2$ isogeny together with its kernel datum.
- degree_eq_two : max (Polynomial.X ^ 2 - Polynomial.C d.x₀ * Polynomial.X + Polynomial.C d.t).natDegree (Polynomial.X - Polynomial.C d.x₀).natDegree = 2
- is_separable : Polynomial.derivative (Polynomial.X ^ 2 - Polynomial.C d.x₀ * Polynomial.X + Polynomial.C d.t) * (Polynomial.X - Polynomial.C d.x₀) - (Polynomial.X ^ 2 - Polynomial.C d.x₀ * Polynomial.X + Polynomial.C d.t) * Polynomial.derivative (Polynomial.X - Polynomial.C d.x₀) ≠ 0
- kernel : VeluDeg2Kernel E d
Instances For
The Vélu degree-$2$ isogeny constructed from a Vélu datum.
Instances For
An affine point on a short Weierstrass curve: a pair $(x, y)$ together with a proof that $y^2 = x^3 + A x + B$.
- x : k
- y : k
Instances For
Vélu parameter $t_Q = 3 x_Q^2 + A$ associated with an affine point $Q$.
Instances For
Vélu parameter $u_Q = 2 y_Q^2$ associated with an affine point $Q$.
Instances For
Vélu parameter $w_Q = u_Q + t_Q x_Q$ associated with an affine point $Q$.
Instances For
Unfolds $t_Q$ to its defining formula.
Unfolds $u_Q$ to its defining formula.
Unfolds $w_Q$ to its defining formula $u_Q + t_Q x_Q$.
Data for the odd-degree Vélu isogeny: a finite set of nonidentity affine points such that the kernel order $|S| + 1$ is odd.
- pts : Finset E.AffinePoint
Instances For
Vélu sum $t = \sum_Q t_Q$ over the kernel points.
Instances For
Vélu sum $w = \sum_Q w_Q$ over the kernel points.
Instances For
Vélu image coefficient $A' = A - 5 t$.
Instances For
Vélu image coefficient $B' = B - 7 w$.
Instances For
The image curve $E' : y^2 = x^3 + A' x + B'$ of the odd-degree Vélu isogeny.
Instances For
Unfolding the $A$-coefficient of the image curve.
Unfolding the $B$-coefficient of the image curve.
The rational function $r(x) = x + \sum_Q \left(\tfrac{t_Q}{x - x_Q} + \tfrac{u_Q}{(x - x_Q)^2}\right)$ defining the $x$-coordinate component of the Vélu isogeny.
Instances For
The derivative $r'(x) = 1 - \sum_Q \left(\tfrac{t_Q}{(x - x_Q)^2} + \tfrac{2 u_Q}{(x - x_Q)^3}\right)$ used in the $y$-coordinate component.
Instances For
The Vélu odd-degree map sends an on-curve point not in the kernel to a point on the image curve.
The Vélu odd-degree map is a separable isogeny of degree $|S| + 1$.
The kernel of the Vélu odd-degree map is precisely the $x$-coordinate set $\{x_Q : Q \in S\}$.
Corollary 5.2: in characteristic zero, every isogeny of positive degree is separable.
An isogeny $\alpha$ over a field of characteristic $p$ has a Frobenius factorisation if it factors as $\mathrm{Frob}^n \circ \alpha_{\mathrm{sep}}$ for a separable $\alpha_{\mathrm{sep}}$.
Instances For
Frobenius factorisation: over a field of characteristic $p$, every positive-degree isogeny factors as $\alpha_{\mathrm{sep}}$ composed with $\mathrm{Frob}^n$.
Over an elliptic curve, the derivative of $\Phi_n$ is nonzero whenever $n \neq 0$ in $k$. This is the key separability ingredient for $[n]$.
The multiplication-by-$n$ map packaged as an IsogenyStandardForm: numerator $\Phi_n$,
denominator $\Psi_n^2$, on the elliptic short Weierstrass curve.
Instances For
Degree part of Theorem 5.25: $\deg[n] = n^2$ (when $n \neq 0$ in $k$).
Separability part of Theorem 5.25: $[n]$ is separable when $n \neq 0$ in $k$.
When $n$ vanishes in $k$ (char $p \mid n$), both $\Phi_n$ and $\Psi_n^2$ are images of the Frobenius expansion: there exist polynomials $f, g$ with $\mathrm{expand}_p f = \Phi_n$, $\mathrm{expand}_p g = \Psi_n^2$.
Inseparability case of Theorem 5.25: when $n$ vanishes in $k$, the Wronskian of $\Phi_n$ and $\Psi_n^2$ is zero, so $[n]$ is inseparable.
Theorem 5.25 (separability $\iff$ $n$-nonvanishing): $[n]$ is separable iff $n \neq 0$ in $k$.
General degree formula: for any nonzero $n$, $\max(\deg \Phi_n, \deg \Psi_n^2) = n^2$.
Theorem 5.25 (combined): for nonzero $n$, $[n]$ has degree $n^2$ and is separable iff $n \neq 0$ in $k$.
An isogeny $\alpha$ has separable degree $d$ if it factors as $\mathrm{Frob}^n \circ \alpha_{\mathrm{sep}}$ with $\deg \alpha_{\mathrm{sep}} = d$.
Instances For
An isogeny $\alpha$ has inseparable degree $d = p^n$ if its Frobenius factorisation has exponent $n$.
Instances For
An isogeny is purely inseparable if its separable degree is $1$.
Instances For
The separable degree of a standard-form isogeny: the maximum of the separable degrees of its numerator and denominator.
Instances For
The inseparable degree of a standard-form isogeny: total degree divided by separable degree.
Instances For
An isogeny is purely inseparable if its separable degree equals $1$.
Instances For
Existence of separable degree: every positive-degree isogeny over a positive-characteristic field has a separable degree.
The total degree of $\alpha$ equals $p^n$ times its separable degree, witnessing the $\deg = \deg_{\mathrm{insep}} \cdot \deg_{\mathrm{sep}}$ decomposition.
The size of the kernel of $\alpha$, computed as $\max(\mathrm{natSepDegree}(u), \mathrm{natSepDegree}(v))$.
Instances For
The size of the kernel of $\alpha$ as an abstract group; this agrees with
kernelSize (cf. groupKernelSize_eq_separableDegree).
Instances For
The group-theoretic kernel size equals the separable degree.
The polynomial kernel size equals the separable degree (for a Frobenius factorisation witness).
Corollary 5.9: a purely inseparable Frobenius factorisation (separable degree $1$) implies the isogeny has kernel size $1$.
Corollary 5.9' (packaged form): if $\alpha$ is purely inseparable then its kernel size is $1$.
Converse direction: if $\alpha$ has kernel size $1$ then it is purely inseparable.
The rational function $u/v \in K(F[X])$ representing the $x$-coordinate of a standard-form isogeny in the fraction field.
Instances For
Evaluate a polynomial $p \in F[X]$ at a rational function $r \in K$ by substitution.
Instances For
The composition of two $x$-coordinate rational functions $\beta \circ \gamma$ in the fraction field.
Instances For
$\alpha = \beta \circ \gamma$ as rational $x$-coordinate maps: the $x$-coordinate rational function of $\alpha$ equals the composition of those of $\beta$ and $\gamma$.
Instances For
A separable-degree witness gives an inseparable-degree witness $p^n$ and a degree factorisation $\deg \alpha = p^n \cdot d$.
Multiplicativity of separable degree under composition: $d_\alpha = d_\beta \cdot d_\gamma$ when $\alpha = \beta \circ \gamma$.
Multiplicativity of inseparable degree under composition: $i_\alpha = i_\beta \cdot i_\gamma$ when $\alpha = \beta \circ \gamma$.
Multiplicativity of total degree under composition: $\deg \alpha = \deg \beta \cdot \deg \gamma$ when $\alpha = \beta \circ \gamma$, obtained by combining separable and inseparable multiplicativity.
Corollary 5.10 (combined): for a composition $\alpha = \beta \circ \gamma$, the total, separable, and inseparable degrees are all multiplicative.
Quotient existence: for any finite subgroup $G \subseteq E(F)$, there exists a quotient isogeny $\phi : E \to E/G$ realising $G$ as $\ker \phi$ and with $\deg \phi = |G|$.
Every isogeny admits an IsogenyRepresentation (a rational standard-form representation
of its action on coordinates).
Instances For
The standard-form representation of a quotient isogeny is separable.
Packaging: a quotient isogeny admits a separable standard-form representation.
For every finite subgroup $G$ of $E$, there is an isogeny $\phi : E \to E'$ with kernel $G$, degree $|G|$, and admitting a separable standard-form representation.
Uniqueness up to isomorphism: any two quotient isogenies with the same kernel $G$ differ by a degree-$1$ isogeny.
Auxiliary statement for prime-degree factorisation: any divisor $d$ of $\alpha$.degree admits a length-$2$ decomposition with degrees $p$ and $d/p$.
Prime-degree factorisation: an isogeny of degree $> 1$ factors as $\beta \circ \gamma$ with $\deg \beta = p$ for any prime $p$ dividing $\deg \alpha$.
A chain of isogenies between Weierstrass curves: either a single isogeny or one followed by a further chain.
- single {F : Type u_1} [Field F] [DecidableEq F] {E₁ E₂ : WeierstrassCurve.Affine F} (φ : Isogeny E₁ E₂) : IsogenyChain E₁ E₂
- cons {F : Type u_1} [Field F] [DecidableEq F] {E₁ E₂ E₃ : WeierstrassCurve.Affine F} (φ : Isogeny E₁ E₂) (rest : IsogenyChain E₂ E₃) : IsogenyChain E₁ E₃
Instances For
The compose of an IsogenyChain as an additive group homomorphism on point groups.
Instances For
Predicate asserting that every link in an IsogenyChain has prime degree.
Instances For
Prime-degree factorisation of a single isogeny: an isogeny of degree $> 1$ factors as $\gamma \circ \beta$ with $\deg \beta = p$ for any prime $p \mid \deg \alpha$.
Prime-degree decomposition: every isogeny of degree $> 1$ decomposes as a chain of prime-degree isogenies whose composition is the original isogeny.
Public alias for the $n$-th division polynomial of a short Weierstrass curve.
Instances For
Public alias for the $n$-th $\phi$-polynomial of a short Weierstrass curve.
Instances For
Public alias for the numerator of the $n$-th $\omega$-polynomial.
Instances For
$\psi_0 = 0$.
$\psi_1 = 1$.
Defining identity: $\phi_n = X \psi_n^2 - \psi_{n+1} \psi_{n-1}$.
$\phi_0 = 1$.
$\phi_1 = X$.
$\phi_{-n} = \phi_n$.
Even recurrence: $\psi_{2m} \psi_2 = \psi_{m-1}^2 \psi_m \psi_{m+2} - \psi_{m-2} \psi_m \psi_{m+1}^2$.
Even identity (Theorem 5.21): $\psi_m \cdot \omega^{\mathrm{num}}_m = \psi_{2m} \cdot \psi_2$.
Numerical evaluation of $\psi_n$ at the affine point $(x_0, y_0)$.
Instances For
Numerical evaluation of $\phi_n$ at the affine point $(x_0, y_0)$.
Instances For
Numerical evaluation of $\omega_n$ at the affine point $(x_0, y_0)$.
Instances For
$x$-coordinate of $[n] P$ for $P = (x_0, y_0)$, as $\phi_n(P) / \psi_n(P)^2$.
Instances For
$y$-coordinate of $[n] P$ for $P = (x_0, y_0)$, as $\omega_n(P) / \psi_n(P)^3$.
Instances For
Theorem 5.21 (textbook statement): the three division polynomial identities — symmetry under negation, odd recurrence, and even recurrence — hold over any commutative ring.
Combined point-multiplication theorem: either $\psi_n(P) \neq 0$ and $[n]P$ is given by the division polynomial formulae, or $\psi_n(P) = 0$ and $[n] P = O$.