• $E: y^2 = x^3 - x$ over $\mathbb{Q}$: Here $A = -1$, $B = 0$, $\Delta = 64 \neq 0$. The curve has complex multiplication by $\mathbb{Z}[i]$ (the Gaussian integers), since $[i]: (x, y) \mapsto (-x, iy)$ is an endomorphism.

• $E: y^2 = x^3 - 1$ over $\mathbb{Q}$: Here $A = 0$, $B = -1$, $\Delta = -432 \neq 0$. Has CM by $\mathbb{Z}[\omega]$ where $\omega = e^{2\pi i/3}$, via $[\omega]: (x,y) \mapsto (\omega x, y)$.

• $E: y^2 = x^3 + x + 1$ over $\mathbb{F}_5$: The points are $O, (0, \pm 1), (2, \pm 1), (3, \pm 1), (4, \pm 2)$, so $|E(\mathbb{F}_5)| = 9$.

• $E: y^2 = x(x-1)(x-\lambda)$ for $\lambda \neq 0, 1$: the Legendre family, a universal family of elliptic curves with full level-2 structure. The $j$-invariant is $j = 256 \frac{(\lambda^2 - \lambda + 1)^3}{\lambda^2(\lambda - 1)^2}$.

For $E: y^2 = x^3 + Ax + B$ in short Weierstrass form, $P = (x_1, y_1)$, $Q = (x_2, y_2)$:

Case $P \neq Q$: The slope of $PQ$ is $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$. Then:

$x_3 = \lambda^2 - x_1 - x_2, \quad y_3 = \lambda(x_1 - x_3) - y_1.$

Case $P = Q$ (doubling): $\lambda = \frac{3x_1^2 + A}{2y_1}$. Same formulas for $x_3, y_3$.

Negation: $-P = (x_1, -y_1)$.

Numerical example on $y^2 = x^3 - 5x + 8$: Let $P = (1, 2)$ and $Q = (-1, -2\sqrt{3})$... Actually, let's use $P = (1, 2)$ (check: $4 = 1 - 5 + 8 = 4$ ✓). Doubling: $\lambda = \frac{3 - 5}{4} = -\frac{1}{2}$, so $x_3 = \frac{1}{4} - 2 = -\frac{7}{4}$, $y_3 = -\frac{1}{2}(1 + \frac{7}{4}) - 2 = -\frac{1}{2} \cdot \frac{11}{4} - 2 = -\frac{27}{8}$.

Check: $\left(-\frac{27}{8}\right)^2 = \frac{729}{64}$ and $\left(-\frac{7}{4}\right)^3 - 5\left(-\frac{7}{4}\right) + 8 = -\frac{343}{64} + \frac{35}{4} + 8 = -\frac{343}{64} + \frac{560}{64} + \frac{512}{64} = \frac{729}{64}$ ✓

On $E: y^2 = x^3 - x$ over $\mathbb{Q}$:

• 2-torsion ($2P = O$): these are points with $y = 0$, i.e., $(0,0)$, $(1,0)$, $(-1,0)$. So $E[2](\mathbb{Q}) \cong (\mathbb{Z}/2)^2$.

• Over $\bar{\mathbb{Q}}$: $E[n] \cong (\mathbb{Z}/n)^2$ for all $n \geq 1$. This is a free $\mathbb{Z}/n$-module of rank $2$.

• Mordell–Weil theorem: $E(\mathbb{Q}) \cong \mathbb{Z}^r \oplus E(\mathbb{Q})_{\text{tors}}$. For this curve: $E(\mathbb{Q}) \cong (\mathbb{Z}/2)^2$ (rank $0$, torsion only).

• Mazur's theorem: For $E/\mathbb{Q}$, the torsion subgroup $E(\mathbb{Q})_{\text{tors}}$ is isomorphic to $\mathbb{Z}/n$ for $1 \leq n \leq 10$ or $n = 12$, or $\mathbb{Z}/2 \times \mathbb{Z}/2m$ for $1 \leq m \leq 4$.

• $j = 0$: $E: y^2 = x^3 + 1$ ($A = 0$). Has automorphism group $\mathbb{Z}/6$ (generated by $(x,y) \mapsto (\omega x, -y)$, $\omega^3 = 1$). CM by $\mathbb{Z}[\omega]$, $\omega = e^{2\pi i/3}$.

• $j = 1728$: $E: y^2 = x^3 + x$ ($B = 0$). Has $\operatorname{Aut}(E) \cong \mathbb{Z}/4$ (generated by $(x,y) \mapsto (-x, iy)$). CM by $\mathbb{Z}[i]$.

• $j \neq 0, 1728$: $\operatorname{Aut}(E) = \{\pm 1\} \cong \mathbb{Z}/2$ (the generic case).

• $j = -2^{15} \cdot 3 \cdot 5^3$: corresponds to the curve $X_0(11): y^2 + y = x^3 - x^2 - 10x - 20$, the modular elliptic curve of conductor $11$.

• Over $\mathbb{F}_p$: the supersingular elliptic curves form a finite set. For $p \geq 5$, $E$ is supersingular iff $|E(\mathbb{F}_p)| = p + 1$ iff the Hasse invariant vanishes. There are approximately $p/12$ supersingular $j$-invariants.

• Square lattice $\Lambda = \mathbb{Z} + \mathbb{Z}i$: gives $\tau = i$, $j = 1728$. The curve $y^2 = x^3 + x$. The 4-fold symmetry $z \mapsto iz$ of the lattice corresponds to $(x,y) \mapsto (-x, iy)$.

• Hexagonal lattice $\Lambda = \mathbb{Z} + \mathbb{Z}\omega$, $\omega = e^{2\pi i/3}$: gives $\tau = \omega$, $j = 0$. The curve $y^2 = x^3 + 1$. The 6-fold symmetry $z \mapsto \omega z$ gives $(x,y) \mapsto (\omega x, y)$... but the Weierstrass map mixes things up; the 6-fold symmetry descends to 3-fold on $x$ and sign flip on $y$.

• $\tau = 2i$: a "tall" rectangular lattice. No extra symmetry, so $j \neq 0, 1728$. The $j$-invariant can be computed from $q = e^{2\pi i \cdot 2i} = e^{-4\pi}$ via the $q$-expansion $j(\tau) = q^{-1} + 744 + 196884q + \cdots$.

• Degeneration: as $\tau \to i\infty$ (lattice becomes "infinitely tall"), $q \to 0$ and $j \to \infty$. The curve degenerates to a nodal cubic $y^2 = x^3 + x^2$ (a "Neron 1-gon").

• Multiplication by $n$: $[n]: E \to E$ is an isogeny of degree $n^2$, with $\ker([n]) = E[n] \cong (\mathbb{Z}/n)^2$ (if $(n, \operatorname{char} k) = 1$).

• Frobenius: Over $\mathbb{F}_q$, the Frobenius $\phi_q: (x,y) \mapsto (x^q, y^q)$ is an isogeny of degree $q$. The trace $a_q = q + 1 - |E(\mathbb{F}_q)|$ satisfies $\phi_q^2 - a_q \phi_q + q = 0$ in $\operatorname{End}(E)$.

• 2-isogenies from 2-torsion: If $P_0 = (e, 0) \in E[2]$, there is a 2-isogeny $\phi: E \to E' = E/\langle P_0 \rangle$ given by Velu's formulas. For $E: y^2 = (x - e)(x^2 + ex + f)$:

$\phi(x, y) = \left(x + \frac{f - e^2}{x - e},\; y \cdot \frac{(x-e)^2 - (f - e^2)}{(x-e)^2}\right).$

• $\operatorname{End}(E)$ for CM curves: For $E: y^2 = x^3 - x$, $\operatorname{End}(E) \cong \mathbb{Z}[i]$ with $i: (x,y) \mapsto (-x, iy)$. The element $1 + i \in \mathbb{Z}[i]$ gives a $(1+i)$-isogeny of degree $|1+i|^2 = 2$.

• $E: y^2 = x^3 + x + 1$ over $\mathbb{F}_5$: We computed $|E(\mathbb{F}_5)| = 9$. So $a_5 = 5 + 1 - 9 = -3$. Check: $|-3| = 3 \leq 2\sqrt{5} \approx 4.47$ ✓.

• Over $\mathbb{F}_7$: for $y^2 = x^3 + 1$, direct counting gives $|E(\mathbb{F}_7)| = 7$ (note: $7 \equiv 1 \pmod{3}$). So $a_7 = 1$. The curve is ordinary.

• Supersingular over $\mathbb{F}_p$ ($p \geq 5$): $a_p = 0$, so $|E(\mathbb{F}_p)| = p + 1$. Example: $y^2 = x^3 + 1$ over $\mathbb{F}_5$: points are $O$, $(0, \pm 1)$, $(2, \pm 2)$, $(3, 0)$. That's $6 = 5 + 1$ ✓, so this is supersingular over $\mathbb{F}_5$.

The BSD conjecture (one of the Clay Millennium Problems) relates the arithmetic and analytic data of $E/\mathbb{Q}$:

$\operatorname{ord}_{s=1} L(E, s) = \operatorname{rank} E(\mathbb{Q}),$

where $L(E, s) = \prod_p L_p(E, s)$ is the Hasse–Weil $L$-function. The leading coefficient involves the regulator, the Tate–Shafarevich group $\text{III}(E/\mathbb{Q})$, and other invariants.

Known cases:

• If $\operatorname{ord}_{s=1} L(E,s) = 0$: then $\operatorname{rank} E(\mathbb{Q}) = 0$ (Kolyvagin, using Gross–Zagier).
• If $\operatorname{ord}_{s=1} L(E,s) = 1$: then $\operatorname{rank} E(\mathbb{Q}) = 1$ (Gross–Zagier + Kolyvagin).
• $\operatorname{ord}_{s=1} L(E,s) \geq 2$: wide open.

• $X_0(11)$: The first modular curve of genus $1$. It is the elliptic curve $y^2 + y = x^3 - x^2 - 10x - 20$ of conductor $11$.

• $X_0(N)$ for small $N$: genus $0$ for $N \leq 10$ and $N = 12, 13, 16, 18, 25$. First genus-$1$ case: $N = 11$. First genus-$2$ case: $N = 23$.

• Modularity theorem (Wiles, Taylor–Wiles, Breuil–Conrad–Diamond–Taylor): Every elliptic curve $E/\mathbb{Q}$ of conductor $N$ corresponds to a weight-2 newform $f \in S_2(\Gamma_0(N))$, i.e., there exists a surjection $X_0(N) \to E$.

• Fermat's Last Theorem follows: Frey showed a solution $a^p + b^p = c^p$ gives a semistable curve $E: y^2 = x(x - a^p)(x + b^p)$ that cannot be modular by Ribet's theorem. Wiles proved all semistable curves are modular. Contradiction.