Integer points on elliptic curves

The quest to find integer solutions to polynomial equations is one of the oldest and most profound challenges in mathematics. When these equations define an object as elegant as an elliptic curve—given by the form $y^2 = x^3 + Ax + B$—this quest reveals a world of stunning complexity and structure. While these curves can host an infinite number of rational solutions that form a sophisticated algebraic group, a fundamental question arises when we restrict our search to integer coordinates. Why does the beautiful structure of rational points seem to shatter, and what rules govern the seemingly sparse scattering of integer solutions? This article addresses this central tension, guiding you through the deep theory that explains the nature of integer points on elliptic curves.

The journey is structured in two parts. First, in "Principles and Mechanisms," we will explore the foundational concepts, from the elegant group law of rational points to the celebrated theorems of Mordell-Weil and Nagell-Lutz. We will then uncover the stark contrast presented by integer points and delve into Siegel's monumental theorem on their finiteness, culminating in the powerful engine of Baker's method that makes finding these points possible. Following this, the chapter "Applications and Interdisciplinary Connections" will showcase how this abstract theory becomes a potent tool, unlocking solutions to ancient Diophantine puzzles, powering modern cryptographic algorithms, and revealing deep connections across various branches of mathematics.

Imagine you are standing before a canvas, a vast, two-dimensional plane. On this canvas, you draw a curve, not just any curve, but one defined by a seemingly simple cubic equation like $y^2 = x^3 + Ax + B$, where $A$ and $B$ are integers. This is an ​​elliptic curve​​, an object of profound beauty and mystery that has captivated mathematicians for centuries. Our quest is not just to admire its shape, but to find specific, noteworthy points that lie upon it. What kind of points? This simple question will lead us on a journey through deep and interconnected mathematical landscapes.

Let's first consider the most generous type of solution: points $(x,y)$ where the coordinates are ​​rational numbers​​—that is, fractions. At first glance, these points, collectively denoted $E(\mathbb{Q})$, might seem like a random scattering of dots on our curve. But they hide a stunning secret. If you take any two rational points, you can "add" them together to get a third rational point on the curve.

This isn't ordinary addition. It's a geometric dance called the ​​chord-and-tangent law​​. If you have two points, $P_1$ and $P_2$, draw a line through them. This line will intersect the curve at exactly one other point. Reflect this point across the x-axis, and you have your sum, $P_1 + P_2$. If you want to add a point to itself, you use the tangent line at that point instead. Miraculously, this peculiar operation behaves just like addition: it's commutative, associative, has an identity element (a special "point at infinity" which you can think of as being infinitely far up and down the y-axis), and every point has an inverse. The rational points on an elliptic curve form an ​​abelian group​​.

This is a revelation! The solutions to a simple-looking polynomial equation have a rich, hidden algebraic structure. But there's more. The celebrated ​​Mordell-Weil theorem​​ tells us that this group is ​​finitely generated​​. This means that even if there are infinitely many rational points, they can all be constructed from a finite set of "generator" points through repeated addition. It’s like having a finite set of fundamental Lego bricks from which you can build an infinite variety of structures. The number of independent, infinite-order generators is called the ​​rank​​ of the curve. If the rank is positive, you have an infinite number of rational points to play with.

The world of rational points is beautifully structured. But what happens if we become more demanding? What if we are only interested in ​​integral points​​—points $(x,y)$ where both coordinates are whole numbers, elements of $\mathbb{Z}$? These are the Diophantine problems of antiquity: finding integer solutions to polynomial equations.

One might naively assume that this stricter set of points, $E(\mathbb{Z})$, would inherit the lovely group structure of its parent set $E(\mathbb{Q})$. But this is where our beautiful symphony hits a discordant note. The set of integral points is, in general, ​​not a subgroup​​. If you take two integer points and "add" them using the chord-and-tangent law, the slope of the line between them is a rational number. The resulting third point will almost always have fractional coordinates. The geometric dance that worked perfectly for fractions fails to stay within the tidy grid of integers. The elegant group structure shatters.

This is a fundamental distinction. The properties of rational points are governed by the algebraic group law, but the nature of integral points is an entirely different, more subtle arithmetic problem.

Before we tackle the entire set of integral points, let's explore a very special subset of rational points: the ​​torsion points​​. A torsion point is a point of finite order; if you add it to itself enough times, you eventually return to the identity element, the point at infinity. These points represent periodic orbits in our geometric dance. The set of all such points forms a finite subgroup called the ​​torsion subgroup​​, $E(\mathbb{Q})_{\mathrm{tors}}$.

Here we find our first piece of solid ground in the integer world, a beautiful result known as the ​​Nagell-Lutz theorem​​. It provides two astonishingly simple rules for any rational torsion point $P=(x,y)$ on a curve $y^2 = x^3 + Ax + B$ with integer coefficients:

1. The coordinates $x$ and $y$ must be ​​integers​​.
2. Either $y=0$ (in which case the point has order 2), or $y^2$ must divide the ​​discriminant​​ $\Delta = -16(4A^3+27B^2)$, a number determined solely by the curve's equation.

This is remarkable! First, it tells us that every rational torsion point (other than the point at infinity) is an integral point. They are a well-behaved, orderly subset of the integer points. Second, it gives us an ​​effective algorithm​​ to find them all. The discriminant $\Delta$ is just a fixed integer. There are only a finite number of integers $y$ such that $y^2$ divides $\Delta$. We can test each one, plug it into the curve's equation, and see if it gives an integer solution for $x$. In a finite number of steps, we can list every single torsion point.

But this raises a crucial question. Are all integral points torsion points? If so, we would be done. Alas, the answer is no. Consider the curve $E: y^2 = x^3 - 7x + 10$. The point $P = (5, 10)$ is clearly an integral point. However, its discriminant is $\Delta = -21248$. Since $y^2=100$ does not divide $\Delta$, the Nagell-Lutz theorem tells us that $P$ cannot be a torsion point. We have found an integral point of infinite order. The mystery of integral points runs deeper than the finite, orderly world of torsion.

So we have a picture emerging: the group of rational points $E(\mathbb{Q})$ can be infinite. Nested within it is the set of integral points $E(\mathbb{Z})$, which is not a group. And nested within that is the finite, computable set of affine torsion points. What can we say about the full set of integral points, including those of infinite order?

This is where Carl Ludwig Siegel enters with a pronouncement of breathtaking generality and power. ​​Siegel's theorem on integral points​​ states that for any elliptic curve over the rational numbers, the set of integral points is ​​always finite​​.

Let that sink in. Even if the curve's rank is positive, spawning an infinite, dense web of rational points, only a finite number of those points will ever manage to land perfectly on the integer grid. It does not matter how complex the curve is, or how many rational points it has. The number of integer solutions is finite. This starkly contrasts the infinitude of rational points with the finiteness of integral ones, a central drama in the theory. This finiteness is incredibly robust; it even holds if we relax our conditions to so-called ​​S-integral points​​, where we allow denominators to be built from a fixed, finite set of prime numbers.

Siegel's original proof was a masterpiece, but it was "ineffective." It was a proof by contradiction, like proving a safe must have a combination without giving you any clue as to what the numbers are. It told you the set of integral points was finite, but it didn't provide a way to find them, or even to bound their size.

The key to unlocking the safe came decades later with the pioneering work of Alan Baker on ​​linear forms in logarithms​​. The mechanism is a beautiful duel between analysis (geometry) and number theory (algebra).

First, let's go back to our image of the elliptic curve as a geometric object. Using the magic of complex analysis, we can "unroll" the curve into a flat parallelogram in the complex plane. This is done via a map called the ​​elliptic logarithm​​. Adding points on the curve corresponds to simply adding their corresponding logarithm values in the plane.

Now, consider an integral point $(x,y)$ where the coordinate $x$ is enormous. Geometrically, such a point on the curve is extremely close to the point at infinity, $\mathcal{O}$. When we unroll the curve, this means its elliptic logarithm is a complex number incredibly close to zero. How close? The distance shrinks at a dizzying rate, roughly like $|x|^{-1/2}$. This gives us a powerful ​​analytic upper bound​​: the logarithm of a hypothetical huge integer point must be an astronomically small number.

Next, we turn to number theory. Our huge integral point, being a rational point, can be built from the finite set of generator points. Its elliptic logarithm is therefore a specific integer linear combination of the logarithms of the generators. Baker's theory provides a profound result: a non-zero linear combination of logarithms of (algebraic) numbers cannot be too close to zero. The theory gives an ​​effective lower bound​​ on how small this value can be. This bound depends on the complexity of the numbers and the size of the integer coefficients in the combination.

Here is the punchline. For a hypothetical integral point with a sufficiently large coordinate, its logarithm must satisfy two conditions. The geometric, analytic side of the story screams that this number must be smaller than some vanishingly tiny value. The algebraic, number-theoretic side insists it must be larger than another explicit, calculable value. For large enough coordinates, the upper bound becomes smaller than the lower bound—an outright contradiction!

The only way to resolve this conflict is to conclude that no such "sufficiently large" integral point can exist. There must be a ceiling, an effective, calculable bound on the size of all possible integer solutions. This beautiful clash between upper and lower bounds, between geometry and algebra, not only proves Siegel's theorem in a new way but transforms it from a statement of existence into a tool of computation. It reveals the secret engine that enforces finiteness on the integer points, a principle of rigidity hiding within the curve's intricate structure.

Having journeyed through the foundational principles of integer points on elliptic curves, we might be left with a sense of elegant, yet perhaps isolated, mathematical beauty. Are these concepts merely a captivating chapter in the grand book of number theory, or do they reach out and touch other parts of the mathematical world, and even our own? The answer, you might not be surprised to learn, is a resounding "yes." The study of these points is not a secluded island; it is a bustling crossroads, a place where diverse paths of inquiry—from ancient geometrical puzzles to the frontiers of modern cryptography and theoretical physics—meet and enrich one another. In this chapter, we will explore this vibrant network of connections, revealing how the seemingly simple quest for integer solutions to equations like $y^2 = x^3 + Ax + B$ becomes a key that unlocks doors to entirely new landscapes.

At its very heart, finding integer points on an elliptic curve is the art of solving Diophantine equations—polynomial equations for which we seek integer solutions. For centuries, these problems have stood as formidable challenges, some posed by the ancient Greeks and remaining unsolved for millennia. Elliptic curve theory provides not just answers, but a revolutionary framework for thinking about them.

Imagine you are a detective investigating the integer solutions to an equation like $y^2 = x^3 - 4x$. Where would you even begin? A brute-force search is hopeless; the integers are an infinite domain. Here, the theory of elliptic curves hands us our first powerful clue: the Nagell-Lutz theorem. This remarkable result acts like a powerful filter, telling us that any "torsion" points—points of finite order, which repeatedly add to themselves to eventually return to the point at infinity—must have integer coordinates. Furthermore, it gives us a finite list of suspects for their $y$-coordinates. For the curve $y^2 = x^3 - 4x$, this theorem dramatically narrows the search to just a handful of possible integer points.

But the story doesn't end there. After checking the candidates provided by Nagell-Lutz, we might find a few integer solutions, but how do we know there aren't others, of infinite order, lurking out in the vastness of the number line? Here, we see a beautiful interplay between the curve's algebraic structure and classical number theory. By rewriting the equation as $y^2 = x(x-2)(x+2)$, we can analyze the prime factors of the numbers on both sides. A clever argument involving the parity of $x$ and the fact that the factors on the right are nearly coprime reveals that their product can only be a perfect square in the cases we've already found. In this way, we can prove with certainty that there are no other integer solutions.

Sometimes, an even more profound strategy is required. To find the integer points on a curve like $y^2 = x^3 - 3x$, we might first need to understand its entire universe of rational points. The Mordell-Weil theorem tells us this group is finitely generated, composed of a finite torsion part and a free part of a certain "rank". By employing advanced techniques like 2-descent, we can sometimes prove that the rank of a curve is zero. This means it has no points of infinite order at all! Consequently, the only rational points are the torsion points, which we can find easily. For $y^2 = x^3 - 3x$, it turns out the only rational points are the point at infinity and $(0,0)$. Since any integer point must first be a rational point, we immediately conclude that $(0,0)$ is the only integer solution. This is a stunning illustration of a deep principle: to understand the discrete world of integers, we sometimes must first map out the denser, continuous-like world of rational numbers.

Another subtle technique involves looking at the equation not in the familiar world of integers, but in the simpler, finite world of modular arithmetic. By considering the equation $y^2 = x^3 - x$ modulo the prime $3$, we find something astonishing: it forces $y$ to be a multiple of $3$. This means $y^2$ must be a multiple of $9$. This single piece of information, obtained by temporarily changing our perspective, provides a powerful constraint that helps prove that the only integer solutions are the obvious ones: $(-1,0), (0,0)$, and $(1,0)$.

One of the most spectacular applications of elliptic curves is in solving the "congruent number problem," a puzzle that dates back to at least the 10th century. The question is simple: which whole numbers $n$ can be the area of a right-angled triangle whose sides are all rational numbers? For example, the famous $(3,4,5)$ right triangle has integer sides and area $\frac{1}{2} \times 3 \times 4 = 6$. So, $6$ is a congruent number. The triangle with sides $(\frac{3}{2}, \frac{20}{3}, \frac{41}{6})$ has area $\frac{1}{2} \times \frac{3}{2} \times \frac{20}{3} = 5$. So, $5$ is also a congruent number. But is $1$ a congruent number? Is $2$?

For a thousand years, this problem was a collection of scattered results. Then, in the 20th century, it was discovered that this seemingly elementary geometric question is secretly a deep question about elliptic curves. A number $n$ is a congruent number if and only if the elliptic curve $E_n: y^2 = x^3 - n^2x$ has a rational point of infinite order—that is, if its rank is greater than zero. This connection is profound and utterly unexpected. It transforms a problem about areas and triangles into one about the group structure of rational points on a curve. Thanks to this bridge, we now have a conjectural, but largely effective, criterion (Tunnell's theorem, which depends on the Birch and Swinnerton-Dyer conjecture) to decide if any given number is congruent. It is a poster child for the unifying power of mathematics, showing how an ancient puzzle can find its resolution in a thoroughly modern theory.

Let's turn from ancient puzzles to the very modern world of cryptography. The security of many systems, like RSA, relies on the fact that it is incredibly difficult to find the prime factors of a very large number. For decades, mathematicians and computer scientists have been in an arms race, developing ever-more-sophisticated factoring algorithms.

In 1985, Hendrik Lenstra had a brilliant, counterintuitive idea. He realized that the theory of elliptic curves could be turned into a powerful factoring algorithm, now known as the Elliptic Curve Method (ECM). The idea is as beautiful as it is clever. Suppose you want to factor a number $n$. You can't do arithmetic on an elliptic curve "over $n$" because $n$ is not prime, so the set of points doesn't form a group. But you can try to. You pick a random elliptic curve and a point, and you start performing the group operations as if $n$ were prime. These operations involve divisions, which you perform as multiplications by an inverse modulo $n$.

Here's the catch: an inverse of a number $d$ modulo $n$ exists only if $d$ and $n$ are coprime. If you ever try to find the inverse of a number $d$ that shares a factor with $n$, the standard algorithm (Euclidean algorithm) will fail—and in failing, it will hand you a non-trivial factor of $n$! The algorithm succeeds when an operation, projected onto the (unknown) finite field modulo a prime factor $p$ of $n$, would involve the point at infinity, which corresponds to a division by zero. This "error" is the signal of success.

The performance of ECM depends on a wonderful piece of luck. The number of points on a random elliptic curve modulo a prime $p$ is an integer in the range around $p$. The algorithm finds the factor $p$ quickly if this group order happens to be "smooth"—that is, composed of small prime factors. By trying many different random curves, we are effectively "rolling the dice" for a smooth group order. Because its runtime depends on the size of the smallest prime factor, not the size of the number itself, ECM is the champion for finding small to medium-sized factors of titanic numbers. It is a standard tool in computational number theory and a beautiful example of how abstract group theory provides a powerful, practical algorithm.

The connections we've seen so far are just the beginning. The theory of integer points on elliptic curves is deeply woven into the fabric of modern number theory, connecting to other abstract algebraic structures in profound ways.

One such connection is to the theory of ​​Complex Multiplication (CM)​​. Consider again the question of counting the number of points on a curve like $y^2 = x^3 - x$ over a finite field $\mathbb{F}_p$. The answer, it turns out, is miraculously linked to the arithmetic of the Gaussian integers, $\mathbb{Z}[i]$, the set of numbers of the form $a+bi$. For a prime $p \equiv 1 \pmod 4$, we know it can be written as a sum of two squares, $p = a^2+b^2$, which is the same as factoring it in the Gaussian integers: $p = (a+bi)(a-bi)$. The number of points on the curve over $\mathbb{F}_p$ is then simply $p+1 - 2a$ (for a specific choice of $a$). This is not a coincidence. The curve $y^2=x^3-x$ has an "extra symmetry": it's not just addition of points, but you can also "multiply" a point by the imaginary number $i$. This extra structure, this complex multiplication, dictates its arithmetic properties with supernatural precision.

Another deep idea is that to find integer solutions, it is sometimes necessary to climb a "ladder of abstraction" into larger number systems, known as ​​algebraic number fields​​. Consider the Mordell equation $y^2 = x^3+k$. We can factor the right side over a larger field, writing $y^2 = (x-\sqrt[3]{-k})(x - \omega\sqrt[3]{-k})(x - \omega^2\sqrt[3]{-k})$, where $\omega$ is a complex cube root of unity. Studying this equation within the appropriate number field can lead to the conclusion that the factor $(x - \sqrt[3]{-k})$ must be of the form $\varepsilon \alpha^2$, where $\alpha$ is an element of the field and $\varepsilon$ is a "unit"—a generalized version of $\pm 1$. This transforms the problem into a "unit equation," which can often be bounded and solved using advanced tools. It's a recurring theme in number theory: problems that are intractable in one number system become simpler when viewed from a higher vantage point.

Finally, the study of integer points on elliptic curves stands at the epicenter of some of the deepest and most far-reaching conjectures in mathematics, such as the ​​$abc$ conjecture​​. This conjecture, if true, would place a profound restriction on what can happen when three coprime integers $a, b, c$ satisfy $a+b=c$. It states, roughly, that if $a$ and $b$ are built from high powers of small primes, then $c$ cannot be. From this seemingly simple statement, one can derive powerful consequences, including Hall's conjecture, which predicts a strong lower bound on the value of $|x^3-y^2|$. For our Mordell equation $y^2=x^3+k$, this becomes a lower bound on $|k|$. Flipping this around, the $abc$ conjecture would imply an upper bound on the size of any integer solution $(x,y)$ in terms of $k$. This means that these grand, overarching conjectures about the fundamental nature of integers have direct, concrete consequences for the solutions of the equations we have been studying. It shows that elliptic curves are not just a source of interesting problems; they are a critical testing ground for our deepest understanding of the world of numbers.