18.783 | Spring 2021 | Undergraduate

Elliptic Curves


Course Meeting Times

Lectures: 2 sessions / week, 1.5 hours / session


18.702 Algebra II 


This course is a computationally focused introduction to elliptic curves, with applications to number theory and cryptography. While this is an introductory course, we will (gently) work our way up to some fairly advanced material, including an overview of the proof of Fermat’s Last Theorem.

Each of the topics listed below corresponds to roughly one week of lectures (a total of three hours).

  1. Introduction
    Course overview, the group law, and Weierstrass and Edwards curves.
  2. Efficient computation
    Integer arithmetic, finite field arithmetic, polynomial arithmetic, and root-finding.
  3. Isogenies and endomorphisms
    The Frobenius endomorphism, division polynomials, and Hasse’s theorem.
  4. Elliptic curves over finite fields
    Point counting, baby-steps giant-steps, and Schoof’s algorithm.
  5. The discrete logarithm problem
    ECEDH, Pollard rho, Pohlig-Hellman, generic lower bounds, and index calculus.
  6. Integer factorization and primality proving
    Lenstra ECM, Goldwasser-Kilian ECPP, and Montgomery curves.
  7. Endomorphism rings
    The dual isogeny, quadratic orders, quaternion algebras, and supersingular curves.
  8. Elliptic curves over the complex numbers
    Elliptic functions, Eisenstein series, the Weierstrass ℘-function, complex tori, the j-function, the uniformization theorem, and isogenies.
  9. Modular curves
    Congruence subgroups, Riemann surfaces, and modular functions.
  10. The theory of complex multiplication
    Ring class fields, Hilbert class polynomials, and the CM method.
  11. Isogeny graphs
    Isogeny volcanoes, supersingular isogeny graphs, and isogeny-based cryptography.
  12. Divisors and pairings
    Divisor class groups, pairings, Miller’s algorithm, and pairing-based cryptography.
  13. Elliptic curves over Q, modular forms, and Fermat’s Last Theorem
    L-series, BSD, Galois representations, modularity, and outline of Wiles’s proof.

Textbook and Notes

There is no required text; lecture notes will be provided. We will make reference to material in the following books.

Washington, Lawrence C. Elliptic Curves: Number Theory and Cryptography. Second edition. Chapman & Hall / CRC, 2008. ISBN: 9781420071467. (Errata (PDF)) [Preview with Google Books]. Online version.

Milne, James S. Elliptic Curves. BookSurge Publishing, 2006. ISBN: 9781419652578. (Addendum / erratum (PDF)). Online version (PDF - 1.5MB).

Silverman, Joseph H. The Arithmetic of Elliptic Curves. Springer-Verlag, 2009. ISBN: 9780387094939. (Errata (PDF)) [Preview with Google Books]. Online version.

———. Advanced Topics in the Arithmetic of Elliptic Curves. Springer-Verlag, 1994. ISBN: 9780387943251. (Errata (PDF)). Online version.

Cox, David A. Primes of the Form \(x^2 + ny^2\): Fermat, Class Field Theory, and Complex Multiplication. Wiley-Interscience, 1989. ISBN: 9780471506546. (Errata (PDF)). Online version.

The following two books give quite accessible introductions to elliptic curves from different perspectives. You may find them useful as supplemental reading, but we will not use of them in the course.

Blake, Ian F., Gadiel Seroussi, and Nigel P. Smart. Elliptic Curves in Cryptography. Cambridge University Press, 1999. ISBN: 9780521653749. [Preview with Google Books]

Silverman, Joseph H., and John T. Tate. Rational Points on Elliptic Curves. Springer-Verlag, 1994. ISBN: 9780387978253. Online version.

The following references provide introductions to algebraic number theory and complex analysis; neither of these topics is an official prerequisite for this course, but we will occasionally need to make use of their results.

Algebraic Number Theory Course Notes by James S. Milne.

Lang, Serge. Complex Analysis. Springer-Verlag, 2003. ISBN: 9780387985923. Online version.


Some of the theorems and algorithms presented in lecture will be demonstrated using Sage, a python-based computer algebra system, hosted on CoCalc. Most of the problem sets will contain at least one computationally-focused problem, which you will likely want to use Sage to solve, but you are free to use other packages, or roll your own code from scratch. You will be graded on your results and your mathematical explanation and analysis of your algorithm, not your code.

Problem Sets

There will be weekly problem sets, each of which typically contains three to five multi-part problems. You are not expected to solve all of the problems; you be given the option to choose a subset to turn in. Some problems are purely theoretical in nature, while others are more computationally focused; those who prefer proofs to programming (or vice versa) can choose problems that appeal to their interests.

Problem sets are to be prepared in typeset form (typically via LaTeX) and submitted electronically as PDF files. Collaboration is permitted, but you must write up your own solutions and identify any collaborators, as well as any resources you used that are not listed above. There will be computational problems for which the correct answer will be different for every student, based on a unique identifier derived from your MIT ID.


Your grade will be primarily determined by your average problem set score, after dropping your lowest score, plus bonus points you can earn by participating in polls held in class—you will get one point of extra credit for each question you answer (correctly or incorrectly). That might not sound like much, but over the course of the term it could be enough to make up for an entire problem set you missed.

Course Info

As Taught In
Spring 2021
Learning Resource Types
Problem Sets
Lecture Notes
Instructor Insights