\chapter{Mordell-Weil Theorem, Shafarevich-Tate Group and
Selmer Groups for Elliptic Curves.}
We use the proof of the weak Mordell-Weil group as a motivation for
introducing the Shafarevich-Tate group and the Selmer group of
an elliptic curve. This approach allows us to present a more
geometric interpretation of the two groups in terms of principal
homogeneous spaces and their relation to Galois cohomology. These ideas are
important for the computation of the full Mordell-Weil
group $E(K)$, which is still an open problem. It follows from \cite[VIII.3]{silverman:aec} and
\cite[Exer. 8.18]{silverman:aec} that by knowing generators for the group $E(K) / mE(K)$, we can
obtain generators for $E(K)$ with a finite amount of computation. Thus, we will be interested
only in computing the group $E(K)/mE(K)$.
We show how computing the weak Mordell-Weil group $E(K)/mE(K)$ reduces
to determining whether there exists at least one rational point on
certain homogeneous spaces. The last problem is a particular case of
Hilbert's Tenth Problem about deciding the solvability of diophantine
equations. In fact, the techniques allow us to describe an algorithm
for computing $E(K)/mE(K)$ which terminates if one assumes the
Tate-Shafarevich conjecture about the finiteness of
$\Sha(E/K)$. Finally, we prove that the $\phi$-Selmer group for an
arbitrary isogeny $\phi : E' \ra E$ is always finite and explain how
to compute that group.\footnote{We should make clear that we will not
be concerned at all about the computational complexity of the
algorithms, i.e. how difficult the computations are.}
\section{Weak Mordell-Weil Group and Kummer Pairing via
Galois Cohomology}
Suppose that $E$ is an elliptic curve over a number field $K$ and
$m \geq 2$ is an integer, such that $E[m] \subseteq E(K)$. We
define the weak Mordell-Weil group for $E / K$ to be the quotient
group $E(K) / mE(K)$, where $E(K)$ is the group of $K$-rational points
on $E$.
We start by defining a pairing
$$
\kappa : E(K) \times \textrm{Gal}(\overline{K} / K) \ra E[m],
$$
in the following way: for each $P \in E(K)$ choose $Q \in E(\overline{K})$, such
that $[m]Q = P$ and let $\kappa(P, \sigma) := Q^\sigma - Q$.
First of all, this pairing is well-defined. To see this, suppose that
$Q'$ is another point, such that $[m]Q = [m]Q' = P$. We need to
check that $Q'^\sigma - Q' = Q^\sigma - Q$. But $[m](Q' - Q) = 0$,
i.e. $Q - Q' \in E[m] \subseteq E(K)$, which means that $Q' - Q$
is fixed by the action of Gal$(\overline{K} / K)$. Hence, $(Q' -
Q)^\sigma = Q' - Q$, or $Q'^\sigma - Q' = Q^\sigma - Q$. We often
call the pairing $\kappa$ the Kummer pairing.
The basic properties of $\kappa$ are summarized in the following
proposition:
\begin{prop}
The pairing $\kappa$ is bilinear, with left kernel equal to
$mE(K)$ and right kernel equal to Gal$(\overline{K} / L)$, where
$L$ is a field extension of $K$ obtained by adjoining the
coordinates of all points in $[m]^{-1}E(K)$ (or $L =
K([m]^{-1}E(K))$). In particular, $\kappa$ induces a perfect
bilinear pairing\edit{The Gal below should be in roman!}
$$
E(K) / mE(K) \times \textrm{Gal}(L / K) \ra E[m].
$$
\end{prop}
\begin{proof} Bilinearity of $\kappa$ is obvious from the
definition. Suppose that $P \in E(K)$ is in the left kernel of
$\kappa$. Choose $Q \in E(\overline{K})$, such that $[m]Q = P$. We
will show that $Q \in E(K)$ and thus, it will follow that $P \in
mE(K)$. But this is clear from the definition, since $\kappa(P,
\sigma) = 0$ means precisely that $Q$ is fixed by $\sigma$.
Conversely, any $P \in mE(K)$ is in the left kernel of $\kappa$.
Let $\sigma \in \Gk(K)$ be in the right kernel. In this case it
suffices to show that $\sigma$ fixes the field extension $L / K$.
Let $P \in E(K)$ and $Q$ be a point, such that $[m]Q = P$. Then
$\kappa(P, \sigma) = 0$ implies $Q^\sigma = Q$. Since this is true
for any point in $[m]^{-1}E(K)$, then $L$ is fixed by $\sigma$,
i.e. $\sigma \in \textrm{Gal}(\overline{K} / L)$. Conversely, any
$\sigma \in \textrm{Gal}(\overline{K} / L)$ is in the right
kernel, because it fixes the points in $[m]^{-1}E(K)$.
We obtain the perfect bilinear pairing by moding out by the left
and right kernels of $\kappa$.
\end{proof}
Next, our goal is to describe the Kummer pairing in terms of
Galois cohomology. To begin with, consider the short exact
sequence of Gal$(\overline{K} / K)$-modules for a fixed integer $m
> 1$
$$
0 \ra E[m] \ra E(\overline{K}) \xrightarrow{\cdot m} E(\overline{K}) \ra 0.
$$
This short exact sequence gives a long exact sequence on
cohomology
\begin{eqnarray*}
0 &\ra& H^0(\Gk, E[m]) \ra H^0(\Gk, E(\overline{K})) \xrightarrow{\cdot m}
H^0(\Gk, E(\overline{K})) \\
&\xrightarrow{\delta}& H^1(\Gk, E[m]) \ra H^1(\Gk, E(\overline{K})) \xrightarrow{\cdot m}
H^1(\Gk, E(\overline{K})).
\end{eqnarray*}
But $H^0(G, M) = M^G$ for any group $G$ and a $G$-module $M$, so
we rewrite the above sequence as
\begin{eqnarray*}
0 &\ra& E(K)[m] \ra E(K) \xrightarrow{\cdot m} E(K) \xrightarrow{\delta}
H^1(\Gk, E[m]) \\
&\ra& H^1(\Gk, E(\overline{K})) \xrightarrow{\cdot m} H^1(\Gk, E(\overline{K})).
\end{eqnarray*}
Using the fact that ker$(\delta) = mE(K)$, we obtain the following short exact
sequence, known as the \emph{Kummer sequence}:
\begin{eqnarray*}
0 \ra E(K) / mE(K) \xrightarrow{\delta} H^1(\Gk, E[m]) \ra H^1(\Gk,
E(\overline{K}))[m] \ra 0.
\end{eqnarray*}
Since the left kernel of the pairing $\kappa$ is $mE(K)$, then
$\kappa$ induces a homomorphism
$$
\delta_E : E(K) / mE(K) \ra \textrm{Hom}(\Gk, E[m]).
$$
It follows immediately that $\delta_E$ is precisely the connecting homomorphism
$\delta$ for the above long exact sequence.
%%% ----------------------------------------------------------------------
\section{Properties of $L = K([m]^{-1}E(K))/K$}
After introducing the Kummer pairing in the previous section, we will
to study in a more detail the field extension $L = K([m]^{-1}E(K))$,
which appeared in Proposition 1.1.1 in the previous section. The main
result that we prove is that this extension is abelian and of exponent dividing
$m$, which is unramified outside of a finite set of places
$\nu$. Then, using a general result from algebraic number theory, we will
prove that $L / K$ is a finite extension.\footnote{Note that finite generatedness
of $E(K)$ would immediately imply that $L / K$ is finitely generated, because
$L$ would be an extension of $K$, obtained by adjoining finitely many elements. However, we
cannot use this, because we are trying to prove finite generatedness for $E(K)$.}
The main properties of the field extension $L / K$ are summarized
in the following
\begin{prop}
(i) The field extension $L / K$ is an abelian extension of
exponent dividing $m$. In other words, the Galois group Gal$(L / K)$ is
abelian and every element has order dividing $m$.\\
(ii) If $S$ is the finite set of places at which $E$ has bad
reduction, together with the infinite places and the places $\nu$,
for which $\nu(m) \ne 0$, then $L / K$ is unramified at each $\nu
\notin S$.
\end{prop}
The following lemma will be used in the proof of the proposition:
\begin{lem}
Suppose that $\nu$ is a discrete valuation, such that $\nu(m) = 0$
and $E / K$ has good reduction at $\nu$. Then the reduction map
$E(K)[m] \ra \tilde{E}_\nu(k_\nu)$ is injective.
\end{lem}
\begin{proof}
This is proved in \cite[VII.3.1]{silverman:aec} by using formal groups. We will later on refer to
a similar statement for abelian varieties.
\end{proof}
We are now ready to prove the proposition:
\begin{proof}[Proof of Proposition 1.2.1] (i) This is a consequence of
proposition 1.1.1. Indeed, the map Gal$(L / K) \ra \textrm{Hom}(E(K), E[m])$
defines an injection $\sigma \mapsto \kappa(\sigma,
\cdot)$, so Gal$(L / K)$ is abelian and the order of every elements of divides
dividing $m$, since every homomorphism of $\textrm{Hom}(E(K),
E[m])$ has order dividing $m$. \\
(ii) Take a point $Q \in [m]^{-1}E(K)$ and let $P = [m]Q$.
Consider the extension $L = K(Q)$ over $K$. It suffices to show
that this extension is unramified at each $\nu \notin S$. Let
$\nu'$ be an extension of $\nu$ in $K(Q)$ and $D_{\nu' / \nu}$ and
$I_{\nu' / \nu}$ be the inertia and the decomposition groups,
respectively. We will be done if we show that each element of
$I_{\nu' / \nu}$ acts trivially on $K(Q)$. Indeed, every element
of $I_{\nu' / \nu}$ acts trivially on $\tilde{E}_\nu(k'_{\nu'})$,
where $k'_{\nu'}$ denote the reduction of $K(Q)$ at $\nu'$.
Therefore $(Q^\sigma - Q)^{\sim} = \tilde{Q}^\sigma - \tilde{Q} =
\tilde{0}$ for all $\sigma \in I_{\nu' / \nu}$. But $Q^\sigma - Q
\in E[m]$, because $Q \in [m]^{-1}E(K)$. Thus, lemma 1.2.2 implies
that $Q^\sigma = Q$, so $I_{\nu' / \nu}$ acts trivially on $K(Q) /
K$, which means that the field extension is unramified. This
proves the proposition.
\end{proof}
So far, we concluded that $L / K$ is an abelian
extension of exponent dividing $m$ which is unramified outside of a finite set
of primes. It turns out that these properties are enough to
deduce the finiteness of $L/K$. The next theorem
establishes precisely this statement. In the proof, we use several results from
algebraic number theory.
\begin{thm}
Let $K$ be a number field, $m \geq 2$ be an integer, and $S$ be a
finite set of places, containing all infinite places in $K$ and
all finite places $\nu$, such that $\nu(m) \ne 0$. Consider the
maximal abelian extension $L / K$ which has exponent dividing $m$ and
which is unramified at all places outside of $S$. Then $L / K$ is a
finite extension.
\end{thm}
\begin{proof} If the proposition is true for a finite extension
$K' / K$, then it is certainly true for $K$. Indeed, if $L/K$ is
the maximal abelian extension of exponent dividing $m$, which is unramified
outside of the finite set $S$, then $LK' / K'$ is a maximal
abelian extension of exponent $m$, unramified outside of a set
$S'$ of extensions of the places in $S$ to $LK'$. Therefore, $LK'
/ K'$ is finite, and so $L / K$ would also be finite. Thus, we can
assume that $K$ contains the $m$-th roots of unity $\mu_m$.
We define \emph{the ring of $S$-integers}
$$
R_S = \{a \in K : \nu(a) \geq 0 \textrm{ for all } \nu \notin S\}.
$$
Sine the class number of $R_S$ is finite, we can add finitely many
places to $S$, so that $R_S$ becomes a Dedekind domain with class
number 1 (i.e. a principal ideal domain). Making $S$ bigger increases
$L$ and so we can assume that $R_S$ is a principal ideal domain.
Next, we use another auxiliary result:
\begin{lem}
Let $K$ be a number field (more generally, any field of
characteristic 0), containing the $m$-th roots of unity $\mu_m$.
Then the maximal abelian extension of $K$ of exponent $m$ is
obtained by adjoining $m$-th roots of the elements of $K$. In
other words, $L = K(a^{1/m} : a \in K)$ is the maximal abelian
extension of $K$ of exponent $m$.
\end{lem}
\begin{proof}
Let $L$ be an abelian extension of $K$ of exponent dividing $m$ and let
$G = \textrm{Gal}(L/K)$. Since $G$ is abelian, then
$G \cong G_1 \times \dots \times G_k$, where the groups $G_i$ are all cyclic.
Let $L_i / K$ be the fixed field of $G_1 \times \dots \times \hat{G}_i \times
\dots \times G_n$. The Galois group of $L_i / K$ is $G_i$, which is cyclic of order
$m' \mid m$. The field $K$ contains the primitive $m'$-th root of unity $\eps$.
Since $N_{L_i/K}(\eps) = 1$, then by Hilbert Satz 90, $\eps = \sigma(u_i)/u_i$ for some
$u_i \in L_i$ ($\sigma$ is a generator for the Galois group Gal$(L_i/K)$). Next,
$\sigma(u_i^n) = (\sigma(u_i))^n = (\eps^{-1}u_i)^n = u_i^n$, so $u_i^n \in K$. Since
$\sigma^i(u_i) = \eps^{-i}u_i$, then the minimal polynomial of $u_i$ has degree
$m'$, so $L_i = K(u_i)$, where $u_i^{m'} \in K$. Therefore, the maximal, abelian extension
of $K$ of exponent dividing $m$ is
$$
L = K(a^{1/m} : a \in K).
$$
\end{proof}
By lemma 1.2.4 and by the fact that $K([m]^{-1}K)/K$ is abelian, of exponent dividing
$m$ and unramified outside the finite set $S$, then $K([m]^{-1}K)/K$ is the largest subfield of
$K(a^{1/m} : a \in K)$, which is unramified outside $S$.
Suppose that $\nu \notin S$. Then $a^{1/m} \in L$ for some $a \in
K$ if and only if $K_\nu(a^{1/m}) / K_\nu$ is unramified. But
since $\nu(m) = 0$, then this condition is satisfied precisely
when $\nu(a) \equiv 0$ (mod $m$). Finally, we conclude that $L =
K(a^{1/m} : a \in T_S)$, where
$$
T_S = \{a \in K^* / {K^*}^m : \nu(a) \equiv 0 (\textrm{mod } m)
\textrm{ for all }\nu \notin S\}
$$
We will be done if we prove that $T_S$ is finite. The idea is to
consider the natural map $R_S^* \ra T_S$. We claim that this map
is surjective. Indeed, the valuations $\nu \notin S$ correspond
precisely to the prime ideals of $R_S$. Thus, if $a \in K^*$
represents an element of $T_S$, then the ideal $aR_S$ is the
$m$-th power of an ideal of $R_S$ (by the definition of $T_S$).
Since $R_S$ is a principal ideal domain, then $aR_S = b^mR_S$ for
some $b \in K^*$. Hence, $a = ub^m$ for some $u \in R_S^*$. But
then the images of $a$ and $u$ in $T_S$ are the same and therefore
the map $R_S^* \ra T_S$ is surjective. Since its kernel contains
$(R_S^*)^m$ then we obtain a surjective map $R_S^* / (R_S^*)^m \ra
T_S$. Finally, using Dirichlet's $S$-unit theorem \cite[V \S1]{lang:ant}, it
follows that $R_S^*$ is finitely generated and therefore $R_S^* /
(R_S^*)^m$ is finite. Thus, $T_S$ is finite and $L / K$ is a
finite extension.
\end{proof}
Thus, $L / K$ is a finite extension, so using the perfect pairing
$E(K) / mE(K) \times \textrm{Gal}(L / K) \ra E[m]$, we conclude that
$E(K) / mE(K)$ is finite.
%%% ----------------------------------------------------------------------
\section{Computing the Weak Mordell-Weil Group and
Principal Homogeneous Spaces}
Recall that we assumed in the very beginning that $E[m] \subset
E(K)$. This assumption implies that $\mu_m \subset K^*$. It
follows from Hilbert 90 Satz that each homomorphism
$\Gk \ra \mu_m$ has the form $\sigma \mapsto \sigma(\beta) /
\beta$ for some $\beta \in \overline{K}^*$ and $\beta^m \in K^*$.
Therefore, we have an isomorphism $\delta_K : K^* / {K^*}^m \ra
\textrm{Hom}(\Gk, \mu_m)$.
The main idea for the computation of the weak Mordell-Weil group
$E(K) / mE(K)$ is to use the homomorphisms $\delta_E$ (from
section 1) and $\delta_K$ in order to construct a pairing
$$
b : E(K)/mE(K) \times E[m] \ra K^* / {K^*}^m,
$$
which is computable.
For the construction of this pairing, we use the Weil pairing $e_m
: E[m] \times E[m] \ra \mu_m$, defined in \cite[III.8]{silverman:aec}. Define
$$
b(P, Q) = \delta_K^{-1}(e_m(\delta_E(P)(\cdot), Q)).
$$
The pairing is well-defined, because $\delta_K$ is an isomorphism. It
is also not hard to check that the pairing is bilinear and
nondegenerate on the left. Indeed, if $\delta_K$ were degenerate on
the left, then there would exist a point $P$, such that
for all $Q \in E[m]$ and all $\sigma \in \Gk$,
$e_m(\kappa(P, \sigma), Q) = 1$. Since the Weil pairing is
nondegenerate, then $\kappa(P, \sigma) = 0$, which means that $P \in
mE(K)$ by proposition 1.1.1. \\
The pairing $b$ is easily computable as follows:
\begin{prop}
Let $S$ be the finite set of places $\nu$ at which $E$ has a bad
reduction, the infinite places and the primes dividing $m$. Then
the image of the pairing $b$ lies in the subgroup
$$
K(S, m) = \{b \in K^* / {K^*}^m : \nu(b) \equiv 0 (\textrm{mod }
m) \textrm{ for all }\nu \notin S\}
$$
Moreover, for a point $Q \in E[m]$ if $f_Q$ and $g_Q$ are
functions, satisfying div$(f_Q) = m(Q) - m(0)$ and
$f_Q \circ [m] = g_Q^m$, then $b(P, Q) \equiv f_Q(P) \textrm{(mod }
{K^*}^m)$ for $P \ne Q$. In the case $P = Q$ one can consider any point
$P' \in E(K)$, such that $f_{Q}(-P') \ne 0$ and use bilinearity of the
pairing to obtain $b(P, P) = f_{Q}(P + P') / f_Q(P')$.
\end{prop}
Before presenting the proof, we will make the following
\begin{rem}
Proposition 1.3.1 is useful for computing the group $E(K)/mE(K)$ in the following
way: suppose that one is able to recover the functions $f_Q$ and $g_Q$ from the
equation of the curve. Next, take generating points $Q_1$ and $Q_2$ for $E[m] \cong
\Z /m \Z \times \Z / m\Z$. The idea is to consider the finitely many pairs
$(b_1, b_2) \in K(S, m) \times K(S, m)$ and for each one to test whether we can solve
the equations $b_1z_1^m = f_{Q_1}(P)$ and $b_2z_2^m =
f_{Q_2}(P)$ and $P \in E(K)$ have a common solution $(P, z_1, z_2) \in K^2 \times {K^*}^2$.
Since the pairing $b$ is nondegenerate on the left, then for a fixed pair $(b_1, b_2)$,
there is at most one possible $P$, such that there exists a solution $(P, z_1, z_2)$ of
the above system. Thus, one can recover this unique $P$ from arbitrary $K$-rational
point on the variety
$$
b_1z_1^m = f_{Q_1}(P),\ b_2z_2^m =
f_{Q_2}(P),\ P \in E(K),
$$
so the question of computing the Mordell-Weil group reduces to determining whether or note
each of finitely many varieties (each corresponding to a pair $(b_1, b_2)$) has a $K$-rational
point. We call these auxiliary varieties \emph{homogeneous
spaces} for $E / K$. In that sense, the question of computing the group $E(K)/mE(K)$ is
related to Hilbert's Tenth Problem of deciding the solvability of diophantine equations.
\end{rem}
\begin{proof}[Proof of Proposition 1.3.1.] Consider the element $\beta =
b(P, Q)^{1/m}$ and the field extension $K(\beta) / K$. The proof
of the first part is based on two observations. First, the element
$\beta$ is contained in the finite extension $L =
K([m]^{-1}E(K))$, as defined in proposition 1.1.1. Since $L / K$ is
unramified outside of $S$ by theorem 1.2.1, then $K(\beta) / K$ is
unramified as well. But we get from algebraic number theory that
$K(\beta / K)$ is unramified at $\nu$ if and only if $\nu(\beta^m)
\equiv 0$ (mod $m$). This proves that the image of $b$ is
contained in $K(S, m)$.
For the second part of the proposition, recall \cite[III.8]{silverman:aec}
that $f_Q$ and $g_Q$ are used for defining the Weil pairing. In
other words, $\ds e_m(P, Q) := \frac{g_Q(X + P)}{g_Q(X)}$ (the
last fraction is the same for all $X$). Choose a point $P' \in
E(\overline{K})$, such that $mP' = P$. Then by the definition of
$b$ and $e_m$ for $X = P'$, we have
$$
\frac{\beta^\sigma}{\beta} = e_m(P'^\sigma - P', Q) =
\frac{g_Q(P'^\sigma)}{g_Q(P')} = \frac{g_Q(P')^\sigma}{g_Q(P')}.
$$
By raising to the $m$-th power and using the fact that $\delta_K$
is an isomorphism, we conclude that $g_Q(P')^m \equiv \beta^m$
(mod ${K^*}^m$). Hence, $f_Q(P) = f_Q(mP') = g_Q(P')^m \equiv
b(P, Q)$ (mod ${K^*}^m$), which completes the proof of the
proposition.
\end{proof}
We should note at that point that there is a whole theory of principal
homogeneous spaces and that they can be defined abstractly as varieties, equipped with
a simple transitive action of the elliptic curve (or more generally,
the abelian variety). For the later chapters, we assume that the reader is familiar with
the basic theory. In fact, all we will need is that the equivalence classes of principal homogeneous
spaces (or torsors) form a group (the Weil-Ch\^atelet group $WC(E/K)$) and the elements of that group
are in bijective correspondence with the cohomology group $H^1(\Gk, E)$. The basic theory is presented in
\cite[X.3]{silverman:aec}
\section{Applications and Complete 2-descent}
Our discussion in the previous section will not be complete without an
explicit example, for which we compute the weak Mordell-Weil
group, using the described techniques. Since the main technical
difficulties arise from the group law on the elliptic curve,
derived out of the Weierstrass equation, we restrict ourselves to
the case $m = 2$, which can be made explicit using the formulas
for the group law on the elliptic curve, out of the Weierstrass
equations.
First, take a Weierstrass equation for $E$ of the form
$$
y^2 = (x - e_1)(x - e_2)(x - e_3).
$$
The 2-torsion point in $E$ are $0$ and $Q_i = (e_i, 0)$ for $i =
1, 2, 3$. The first step is to determine the functions $f_{Q_i}$
and $g_{Q_i}$. In this case, the explicit formulas for the group
law on the curve \cite[III.2]{silverman:aec} makes this quite easy. We check that
the function $f_{Q_i} = x - e_i$ satisfies div$(f_{Q_i}) = 2(Q_i)
- 2(0)$. Moreover,
$$
x \circ [2] - e_i = \frac{(x^2 - 2e_ix - 2e_i^2 + 2(e_1 + e_2 + e_3)e_i
- (e_1e_2 + e_1e_3 + e_2e_3))^2}{(2y)^2},
$$
so we set $\ds g_{Q_i} = \frac{(x^2 - 2e_ix - 2e_i^2 + 2(e_1 +
e_2 + e_3)e_i - (e_1e_2 + e_1e_3 + e_2e_3))}{2y}$. Recall that
knowing $f_{Q_i}$ means knowing explicitely the equations for the
principal homogeneous spaces.
Fix $(b_1, b_2) \in K(S, 2) \times K(S, 2)$. To check whether
$(b_1, b_2)$ is in the image of the pairing $b$ means to check
whether the system of equations
$$
y^2 = (x - e_1)(x - e_2)(x -e_3) \eqno{(1)}
$$
$$
b_1z_1^2 = x - e_1 \eqno{(2)}
$$
and
$$
b_2z_2^2 = x - e_2 \eqno{(3)}
$$
has a solution $(x, y, z_1, z_2) \in K \times K \times K^* \times K^*$
(we are using the fact that $Q_1$ and $Q_2$ are generators for
$E[2]$). By substituting (2) and (3) into (1), we
obtain $y^2 = (x - e_3)b_1b_2z_1^2z_2^2$.
Since $b_1, b_2, z_1, z_2$ are non-zero, we can consider $\ds z_3 =
\frac{y}{b_1b_2z_1z_2}$. Then the new set of equations is
$b_1b_2z_3^2 = x - e_3$, $b_1z_1^2 = x - e_1$ and $b_2z_2^2 = x -
e_2$. By eliminating $x$, we get a pair of equations
$$
b_1z_1^2 - b_2z_2^2 = e_2 - e_1,\ b_1z_1^2 - b_1b_2z_3^2 = e_3 - e_1.
$$
We can use various techniques, such as reduction to determine whether or
not this pair of equations has at least one rational point $(z_1, z_2)$.
If this happens to be the case, then we recover easily $x$ and $y$ as
$$
x = b_1z_1^2 + e_1,\ y = b_1b_2z_1z_2z_3
$$
The only pairs which we cannot compute using $f_{Q_1}$ and $f_{Q_2}$ are
$b(Q_1, Q_1)$ and $b(Q_2, Q_2)$. But we use
$$
b(Q_1, Q_1) = b(Q_1, Q_1+Q_2)/b(Q_1,Q_2) = \frac{(e_1-e_3)}{e_1-e_2}.
$$
Similarly,
$$
b(Q_2, Q_2) = \frac{(e_2-e_3)}{e_1-e_2}.
$$
We can summarize the whole argument in the following
\begin{thm}[Complete 2-descent]
Suppose that $E / K$ is an elliptic curve, given by a Weierstrass
equation
$$
y^2 = (x - e_1)(x - e_2)(x - e_3), \ \ e_i \in K
$$
Let $S$ be the set of places at which $E$ has bad reduction, the
places dividing 2 and the infinite places. Then there exists an
injective homomorphism
$$
E(K) / 2E(K) \ra K(S, 2) \times K(S, 2),
$$
which is given explicitly (by proposition 3.1) as
\[ P \mapsto \left\lbrace
\begin{array}{l l}
(x(P) - e_1, x(P) - e_2) & \text{if $x(P) \ne e_1, e_2$},\\
((e_1 - e_3)/(e_1 - e_2), e_1 - e_2) & \text{if $x(P) = e_1$},\\
(e_2 - e_1, (e_2 - e_3) / (e_2 - e_1)) & \text{if $x(P) = e_2$},\\
(1, 1) & \text{if $P = O$}.
\end{array}
\right. \]
If $(b_1, b_2) \in K(S, 2) \times K(S, 2)$ is not in the image of
the three points $O$, $(e_1, 0)$ and $(e_2, 0)$, then $(b_1, b_2)$
is the image of a point $P \in K$ if and only if the equations
$b_1z_1^2 - b_2z_2^2 = e_2 - e_1$ and $b_1z_1^2 - b_1b_2z_3^2 =
e_3 - e_1$ have a solution $(z_1, z_2, z_3) \in K^* \times K^*
\times K$. If such a solution exists, then a representative for
the element of $E(K) / mE(K)$ is given by $x(P) = b_1z_1^2 + e_1$
and $y(P) = b_1b_2z_1z_2z_3$.
\end{thm}
\section{Definition of the $\phi$-Selmer and Shafarevich-Tate Groups}
As in the previous section, we are led by the motivation to
effectively compute the Mordell-Weil group. The main step is to
find generators for the weak Mordell-Weil group $E(K) / mE(K)$.
In the previous section, we obtained the Kummer sequence out of
the long exact sequence on group cohomology. Now, we consider a
slightly more general setting: suppose that $\phi : E \ra E'$ is a
non-zero isogeny of elliptic curves over $K$. Then one has a short
exact sequence
$$
0 \ra E[\phi] \ra E \xrightarrow{\phi} E' \ra 0.
$$
In precisely the same way as for the case $E' = E$ and $\phi =
[m]$ from the previous section, we obtain a short exact sequence
$$
0 \ra E'(K) / \phi(E(K)) \xrightarrow{\delta} H^1(\Gk, E[\phi]) \ra H^1(\Gk,
E(\overline{K}))[\phi] \ra 0.
$$
Next, we consider a place $\nu$ for the number field $K$. Extend
$\nu$ to a place of the algebraic closure $\overline{K}$. This
gives us an embedding $\overline{K} \subset \overline{K}_\nu$ and
a decomposition group, which we denote by $D_\nu \subset
\textrm{Gal}(\overline{K} / K)$. By the definition of a
decomposition group and of the completion $\overline{K}_\nu$, it
follows that $D_\nu$ acts on $E(\overline{K}_\nu)$ and
$E'(\overline{K}_\nu)$. Repeating the same argument as the one in
the previous section, we obtain similar Kummer sequences
$$
0 \ra E'(K_\nu) / \phi(E(K_\nu)) \ra H^1(D_\nu, E[\phi]) \ra
H^1(D_\nu, E(\overline{K}))[\phi] \ra 0.
$$
Notice that $D_\nu \subset \textrm{Gal}(\overline{K} / K)$ and
$E(\overline{K}) \subset E(\overline{K}_\nu)$. Of course, it is a subtle question
on how the local cohomology depends on the choice of $\nu$, but this is discussed in
detail in \cite[Ch. IV]{cassels-frohlich}. Recall from the basic properties of Galois cohomology that these
inclusions induce restriction maps on cohomology. We do the same for each place
$\nu$ and use these restriction maps to obtain the following
commutative diagram
$$
\xymatrix{
0 \ar[r] & \frac{E'(K)}{\phi(E(K))} \ar[r]^{\delta}\ar[d] &
H^1(\textrm{Gal}(\overline{K} / K), E[\phi]) \ar[r]\ar[d] &
H^1(\textrm{Gal}(\overline{K} / K), E(K))[\phi] \ar[r]\ar[d] & 0 \\
0 \ar[r] & \prod_{\nu} \frac{E'(K_\nu)}{\phi(E(K_\nu))} \ar[r]^{\delta} &
\prod_{\nu} H^1(D_\nu, E[\phi]) \ar[r] & \prod_{\nu} H^1(D_\nu, E(K_\nu))[\phi] \ar[r] & 0
}
$$
But in the previous section, we identified the group of
equivalence classes of principle homogeneous spaces $WC(E / K)$
with the cohomology group $H^1(\textrm{Gal}(\overline{K}/K), E)$.
Thus, we can replace the upper and lower last terms by $WC(E / K)$
and $WC(E / K_\nu)$ respectively.
Our ultimate goal is computing the image of $E'(K) / \phi(E(K))$ in
$H^1(\Gk, E[\phi])$, which is the same as computing the kernel of the
map $H^1(\Gk, E[\phi]) \ra WC(E / K)[\phi]$. But the following proposition
provides a way of testing whether an element is in the kernel, in terms of
$K$-rational points on the homogeneous spaces of $WC(E / K)$.
\begin{prop}
Suppose that $C / K$ is a homogeneous space for $E / K$. Then $C / K$
represents the trivial element of $WC(E / K)$
if and only if $C$ has at least one $K$-rational point.
\end{prop}
\begin{proof}
One of the directions is easy. Suppose that $C/K$
represents a trivial element of $WC(E / K)$. Then there is a
$K$-isomorphism $\varphi : E \ra C$. Then $\varphi(0) \in C(K)$,
so in particular $C(K)$ is non-empty.
Conversely, suppose that $C(K)$ is non-empty, i.e. $P_0 \in C(K)$.
Define a morphism $\theta : E \ra C$ by $\theta(Q) = P_0 + Q$. We
first show that the morphism $\theta$ is defined over $K$. Suppose
$\sigma \in \textrm{Gal}(\overline{K} / K)$. Then
$$
\theta(Q)^\sigma = (P_0 + Q)^\sigma = P_0^\sigma + Q^\sigma = P_0
+ Q^\sigma = \theta(Q^\sigma).
$$
Thus, the morphism is defined over $K$. We next prove that
$\theta$ is an isomorphism. Indeed, since $E$ acts simply
transitively on $C$, then for each $P \in C$ there is a unique $Q
\in E$, such that $\theta(Q) = P$ and so $\theta$ has degree 1.
This means that the induced map on function fields $\theta^* :
\overline{K}(C) \ra \overline{K}(E)$ is an isomorphism of fields.
In other words $\theta^* \overline{K}(C) = \overline{K}(E)$.
Therefore, $\theta$ has an inverse, which we denote by
$\theta^{-1} : \overline{K}(E) \ra \overline{K}(C)$. This
isomorphism gives rise to a rational function $\psi : C \ra E$ of degree 1.
But such a function is always a morphism, since $E$ is smooth.
\end{proof}
Although we obtained a simple criteria to check if a principal
homogeneous space represents the trivial element in the
Weil-Ch\^atelet group, it is still a hard question to determine
whether a curve $C$ has a $K$-rational point. In such cases, it is
always easier to work over complete local fields, because we can
use Hensel's lemma to reduce the problem to checking whether the
curve has a point over a finite ring.
To illustrate more precisely the above idea, consider a place
$\nu$ and the complete local field $K_\nu$. By proposition 1.5.1,
computing the kernel of the map
$$
H^1(D_\nu, E[\phi]) \ra WC(E / K_\nu)[\phi]
$$
reduces to the question of determining whether a homogeneous space
$C$ has a $K_\nu$-rational point. This idea naturally leads to the following
definitions:
\begin{defn}
For an isogeny $\phi : E \ra E'$ defined over $K$, consider the
$\phi$-Selmer group $S^{(\phi)}(E / K)$ to be the subgroup of
$H^1(\Gk, E[\phi])$, defined as
$$
S^{(\phi)}(E / K) := \textrm{ker}\left\{ H^1(\Gk, E[\phi]) \ra
\prod_{\nu} WC(E / K_\nu) \right\}.
$$
We also consider the Shafarevich-Tate group of $E / K$ to be the
subgroup of $WC(E / K)$ defined as
$$
\Sha(E / K) := \textrm{ker}\left\{ WC(E / K) \ra \prod_{\nu} WC(E
/ K_\nu)\right\}.
$$
\end{defn}
Although the above definitions
include the choices of the extension of each place $\nu$ to the algebraic
closure $\overline{K}$, from the more
geometric interpretation of homogeneous spaces, it follows
that both $S^{(\phi)}$ and $\Sha$ depend only on $E$
and $K$. Indeed, recall that a homogeneous space $C$ represents a
trivial element in $WC(E / K_\nu)$ if and only if it has a
$K_\nu$-rational point, a condition which is certainly independent
of the choice of extension of the places $\nu$. Therefore, both
$S^{(\phi)}$ and $\Sha$ depend only on $E$ and $K$.
A famous conjecture\edit{Due to Shafarevich and Tate.} about $\Sha(E /
K)$ for an elliptic is that it is always finite and has order a
perfect square.
\begin{conj}[Tate-Shafarevich]
If $E / K$ is an elliptic curve, then $\Sha(E / K)$ is finite.
\end{conj}
\begin{rem}
Another interesting observation for $\Sha$ is that it measures the failure
of the \emph{local-to-global principle}, since the nonzero elements in $\Sha$
are equivalence classes of homogeneous spaces which have a rational point
for every local field $K_\nu$, but do not have a $K$-rational point. For
instance, for quadratic forms we have the Hasse-Minkowski principle, according
to which existence of a $\Q_\nu$-rational point for each $\nu$-adic field
implies existence of a $\Q$-rational point. This is not always true for
arbitrary curves. An example of an obstruction to the local-to-global principle
is the curve (see \cite[Ch. 18]{cassels:ellcurves} for details)
$$
3X^3 + 4Y^3 + 5Z^3 = 0.
$$
The Shafarevich-Tate groups measures the failure of the local-to-global
principle. Notice that the Tate-Shafarevich conjecture implies that for all, but
finitely many equivalence classes of homogeneous spaces the
local-to-global principle still holds.
\end{rem}
%%% ----------------------------------------------------------------------
\section{Finiteness of the Selmer Group}
Unlike $\Sha$, it is not hard to prove that $S^{(\phi)}$ is finite and
effectively computable. The main goal of the section is to prove
finiteness of $S^{(\phi)}$ for an arbitrary isogeny
$\phi$.
To begin with, let $\phi : E \ra E'$ be an isogeny defined over
the number field $K$. Using only the cohomological definition of
the Selmer group and Shafarevich-Tate group and the commutative
diagram from the previous section, we obtain the following short
exact sequence
$$
0 \ra E'(K) / \phi(E(K)) \ra S^{(\phi)}(E / K) \ra \Sha(E /
K)[\phi] \ra 0.
$$
This is going to be helpful for proving the first main result of
the section
\begin{thm}
The $\phi$-Selmer group $S^{(\phi)}(E/K)$ is finite. In
particular, if one chooses $\phi$ to be the $m$-isogeny of $E$ to
itself, then the weak Mordell-Weil group $E(K) / mE(K)$ is finite.
\end{thm}
The key idea for the proof of the finiteness of the Selmer group
is the nontrivial observation that it consists of cohomology
classes of cocycles which are \textit{unramified} outside of
finite set of places $S$. Before proceeding, we give a precise
definition for a cocycle to be unramified.
\begin{defn}
Suppose that $M$ is a $\Gk$-module, $\nu$ is a discrete valuation
for the number field $K$ and $I_\nu \subset \Gk$ be the inertia
group for $\nu$. A cohomology class $\zeta \in H^p(\Gk, M)$ is
defined to be \emph{unramified at $\nu$} if has a trivial image in
$H^p(I_\nu, M)$ under the restriction map $H^p(\Gk, M) \ra
H^p(I_\nu, M)$.
\end{defn}
First of all, we make one clarification about the above
definition. Since we have already fixed a decomposition group
$D_\nu$ for $\nu$, the inertial group $I_\nu$ is determined by the
decomposition group as the kernel of the map $D_\nu \ra
\textrm{Gal}(\bar{k}_\nu / k_\nu)$, where $\nu'$ is the extension
of $\nu$ to the algebraic closure of $K$ and $\overline{k}_\nu$
and $k_\nu$ are the two residue fields for the complete local
fields $K_\nu$ and $\overline{K}_\nu$ respectively.
Before proving theorem 1.6.1, we need to prove a lemma
\begin{lem}
For any finite, abelian $\Gk$-module $M$ the group of cohomology
classes which are unramified outside a finite set of primes is
finite. In other words, the group
$$
H^1(\Gk, M; S) := \{\zeta \in H^1(\Gk, M) : \zeta \textrm{ is
unramified outside of } S\}
$$
is finite.
\end{lem}
\begin{proof} Using the definition of the profinite topology and
the finiteness of $M$, we deduce that there must be a finite index
subgroup of $\Gk$ which acts trivially on $M$. Therefore, we can
assume that $\Gk$ acts trivially on $M$ by changing $K$ with a
finite extension (because the inflation-restriction sequence on
Galois cohomology implies that it suffices to prove the statement
for the extension of $K$). This in turn implies that $H^1(\Gk, M;
S) = \textrm{Hom}(\Gk, M; S)$. To complete the proof, denote by
$m$ the exponent of $M$ (i.e. the smallest $m$, such that $mx = 0$
for all $x \in M$). Denote by $L$ the maximal abelian extension of
exponent $m$, which is unramified outside of $S$. Then the natural
map Hom$(\textrm{Gal}(L / K), M) \ra \textrm{Hom}(\Gk, M; S)$ is
clearly an isomorphism. But theorem 1.2.3 implies that $L/K$ is
a finite extension, i.e. $H^1(\Gk, M; S)$ is a finite.
\end{proof}
\begin{proof}[Proof of theorem 1.6.1.]
Suppose that $\zeta \in S^{(\phi)}(E / K)$ and $\nu$ is a finite place of $K$ which does not
divide the degree of the isogeny $\phi$ and that $E'$ has
a\edit{delete word ``a''} good reduction at $\nu$. We will prove that
$\zeta$ is unramified at $\nu$. Using the definition of $S^{(\phi)}$,
we obtain that $\zeta$ has a trivial image in $WC(E / K_\nu)$. But
$WC(E / K_\nu)$ is identified with $H^1(D_\nu, E)$, so $\zeta(\sigma)
= P^\sigma - P$ is a coboundary, where $P \in E(\overline{K}_\nu)$ for
all $\sigma \in D_\nu$. Furthermore, the definition implies that
$P^\sigma - P \in E[\phi]$. But $E[\phi] \subset E[m]$ and we can use
lemma 2.2 to show that $E(K)[m]$ injects into $\tilde{E}_\nu$. But the
reduction (mod $\nu$) maps sends $P^\sigma - P \ra (P^\sigma -
P)^{\sim} = \tilde{P}^\sigma - \tilde{P}$. The last point is
$\tilde{0}$ for any $\sigma \in I_\nu$ by the definition of the
inertia group. Therefore $P^\sigma = P$ for every $\sigma \in I_\nu$
and hence the restriction of $\zeta$ to $H^1(I_\nu, E[\phi])$ is
trivial, i.e. $\zeta$ is unramified at $\nu$. Finally, the statement follows
from lemma 1.6.2.
\end{proof}