March 30, 2020 9:51 Engaging Young …Vol.

2 9in x 6in b3756-ch01-1 page 3

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

Chapter 1.1

From the Lifting-the-Exponent-Lemma to Elliptic

Curves with Isomorphic Groups of Points:
How Olympiad Mathematics Influences
Mathematical Research

Clemens Heuberger
Alpen-Adria-Universität Klagenfurt, Austria

1. Introduction
About 10 years ago, an idea which seems to have been folklore for quite
some time became known as the “Lifting-the-Exponent-Lemma” in the
mathematical Olympiad community (Parvardi, 2011; Cuellar and Samper,
2007). In this chapter, we first recall the lemma including a sketch of the
proof. We then proceed to an application in a recent mathematical Olympiad
problem in the second part of this chapter. In the third part, we consider
an application of the lemma in the scientific literature, in particular in a
study (Heuberger and Mazzoli, 2017) concerning isomorphic point groups
of elliptic curves. We will first introduce the necessary background to for-
mulate the problem and then proceed to a characterization of the problem
by Wittmann in elementary terms. In the last part of this chapter, we will
then sketch the reduction of the elementary problem by means of Olympiad
mathematics to a question whose solution is essentially equivalent to the
Lifting-the-Exponent-Lemma.

2. Lifting-the-Exponent-Lemma
In this section, we recall the Lifting-the-Exponent-Lemma. As usual, we
denote the p-adic valuation of an integer x (the exponent of p in the prime

3
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 4

4 Engaging Young Students in Mathematics Through Competitions — Volume 2

factor decomposition of x) by v p (x). For example,

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

v2 (24 · 3) = 4, v3 (24 · 3) = 1, v5 (24 · 3) = 0.

Lemma 1 (Lifting-the-Exponent (see Parvardi, 2011)). Let p be

by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

a prime, a ≡ b (mod p) but p does not divide a and n ≥ 1. If p = 2

and n is even, additionally assume that a ≡ b (mod 4). Then

v p (a n − bn ) = v p (a − b) + v p (n).

We note that the lemma is incorrect without the additional condition for
p = 2: take p = 2, n = 2, a = 3 and b = 1, then

v2 (32 − 12 ) = v2 (8) = 3 > 2 = v2 (3 − 1) + v2 (2).

Actually, the well-known fact that the square of any odd integer is congruent
to 1 modulo 8 strikes once more.

Proof of Lemma 1. We proceed in three steps.

We first consider the case that n is coprime to p. We decompose a n −bn as


n−1
a − b = (a − b)
n n
a j bn−1− j (mod p). (1)
j =0

By the assumption that a ≡ b (mod p), we have


n−1 
n−1 
n−1
j n−1− j
a b ≡ j n−1− j
a a = a n−1 = na n−1 (mod p),
j =0 j =0 j =0

which is certainly not congruent to 0 modulo p, because a is coprime to p


by assumption. This implies that n−1 j n−1− j
j =0 a b is not divisible by p and
therefore, (1) implies that v p (a − b ) = v p (a − b). This is exactly the
n n

assertion of the Lifting-the-Exponent-Lemma in this case.

We next consider the case that n = p. By assumption, we can write
a = b + cpk where k = v p (a − b) ≥ 1 and c is coprime to p. Note that the
additional assumption guarantees that k ≥ 2 if p = 2. We compute a p − b p
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 5

From the Lifting-the-Exponent-Lemma to Elliptic Curves 5

modulo pk+2 by the binomial theorem:

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

a p − b p = (b + cpk ) p − b p
⎛
p( p − 1) 2 2k p−2
= ⎝b p + cpk+1 b p− j + c p b
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

2
  ⎞

p
p
+ c j p j k b p− j ⎠ − b p .
j =3
j

As jk ≥ k + 2 for j ≥ 3 because of k ≥ 1, we certainly have

p( p − 1) 2 2k p−2
a p − b p ≡ cpk+1 b p−1 + c p b (mod pk+2 ).
2
If p is odd, then p−1
2
is an integer and the second summand is divisible by
p 2k+1
which is divisible by pk+2 . If p = 2, however, we have to use the
assumption that k ≥ 2 to see that p2k is divisible by pk+2 . So, in any case,
we have

a p − b p ≡ cb p−1 pk+1 (mod pk+2 ).

By assumption, cb p−1 is coprime to p. Therefore, v p (a p − b p ) = k + 1 =

v p (a − b) + v p ( p), as required.
We now turn to the general case where n = pt m for some t ≥ 0 and
some integer m which is coprime to p. We prove the lemma by induction on
t. For t = 0, the assertion has been shown in our first case. The induction
step from t to t + 1 then follows from our second case together with the
induction hypothesis:
t+1 m t+1 m t t
v p (a p − bp ) = v p ((a p m ) p − (b p m ) p )
t t
= v p (a p m − b p m ) + 1
= v p (a − b) + t + 1. 

3. An Olympiad Problem
There are plenty of examples of Olympiad problems which can be solved by
the Lifting-the-Exponent-Lemma, see Parvardi (2011). We add one recent
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 6

6 Engaging Young Students in Mathematics Through Competitions — Volume 2

problem of the Austrian Mathematical Olympiad to the list. In this case,

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

using the Lifting-the-Exponent-Lemma is optional.

Problem 1 (Austria, 2018, Final Round/6 (suggested by Walther
Janous)). Determine all digits z such that for each integer k ≥ 1 there
exists an integer n ≥ 1 with the property that the decimal representation of
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

n 9 ends with at least k digits z.

Solution. This is possible for z ∈ {0, 1, 3, 7, 9}.
For z = 0, we easily find n = 10l with an integer l such that 9l ≥ k.
For z ∈ {2, 4, 6, 8}, the number n 9 is even and therefore n must be even
as well, and hence n 9 must be divisible by 29 . However, numbers ending
with 222, 444 or 666 are not divisible by 8, and numbers ending with 8888
are not divisible by 16. Therefore, there does not exist a solution for these
values of z.
Similarly, for z = 5, the number n 9 is divisible by 5, therefore n itself is
divisible by 5 as well, and therefore, n 9 must be divisible by 59 . However,
numbers ending with 55 are not divisible by 25.
For z ∈ {1, 3, 5, 7}, let b := (zzz . . . z)10 with k digits z. We have to
prove that there exists some integer n such that n 9 ≡ b (mod 10k ). We do
this by proving that taking the 9th power is a surjective map from the set of
primitive residue classes modulo 10k to itself (a residue class modulo 10k
is said to be primitive if its elements are coprime to 10k ). As this is a finite
set, the map is surjective if and only if it is bijective and if and only if it is
injective. Thus, we assume that n 9 ≡ m 9 (mod 10k ) for some m and n which
are coprime to 10. This implies that n 9 ≡ m 9 (mod 10). By Euler’s theorem,
n 4 ≡ 1 (mod 10) and therefore n ≡ m (mod 10). The Lifting-the-Exponent-
Lemma implies that k ≤ v p (n 9 − m 9 ) = v p (n − m) + v p (9) = v p (n − m)
for p ∈ {2, 5}. This implies that n ≡ m (mod 10k ). We therefore proved
that taking the 9th power is injective.
Of course, there are other solutions of this problem, in particular taking
the rth power of n 9 ≡ b (mod 10k ), where r is the inverse residue of 9
modulo φ(10k ). Another approach is via Hensel lifting.
In fact, the problem was solved by two students out of 24 par-
ticipating in the final round of the Austrian Mathematical Olympiad;
both students qualified for the IMO and both obtained bronze medals
there.
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 7

From the Lifting-the-Exponent-Lemma to Elliptic Curves 7

4. Elliptic Curves
Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

As announced in the introduction, we will consider an application of the

Lifting-the-Exponent-Lemma to a problem on isomorphic point groups of
elliptic curves. We collect the necessary background on elliptic curves in
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

this section.
The simplest definition of an elliptic curve is to define it via its affine
equation in Weierstrass form

y 2 = x 3 + ax 2 + bx + c

for given constants a, b and c where the cubic polynomial on the right side
is assumed to have no multiple roots. An example of an elliptic curve over
the reals is shown in Fig. 1.
We define a special addition on this curve: For two (distinct) points P and
Q on the curve, we take the line through P and Q, find its third intersection
with the curve and reflect that point on the horizontal axis to obtain P + Q,
as shown in Fig. 1. To compute R + R, i.e., doubling a point, we take the
tangent through R as the line.

Fig. 1. Elliptic curve E: y 2 = x 3 + 26 2

9 x + 1 over R.
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 8

8 Engaging Young Students in Mathematics Through Competitions — Volume 2

It is obvious that this operation is commutative, i.e., P + Q = Q + P.

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

When including a point 0 at infinity, we have P + 0 = P and −P is

the reflection of P on the horizontal axis. It is far from obvious from this
approach that the operation is in fact associative: (P +Q)+R = P+(Q+R)
for all points P, Q and R. See for instance Knap’s book (1992) for an
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

elementary proof. It follows that the set of points together with the point at
infinity form a commutative group.
Elliptic curves have many inner-mathematical interests (for instance,
the proof of Fermat’s last theorem heavily relies on elliptic curves, among
other topics), but also have applications, e.g., in cryptography. There, the
essential feature is that scalar multiplication is considered to be a “one-way
function”: for n ∈ Z and P on the curve, the multiple n P = P+· · ·+P (with
n summands P) can be computed efficiently by at most 2 log2 n additions
or doubling operations; the inverse operation (given nP and P, compute n),
however, seems to be intractable in reasonable time. For these purposes, it
is more convenient to consider elliptic curves over a finite field instead of
the rationals.
Therefore, we will now replace the field of real numbers by a finite field
Fq with q elements for some prime power q, for instance the residue classes
modulo some prime in Z. For completeness, be advised that if 1 + 1 = 0
(e.g., integers modulo 2) or 1 + 1 + 1 = 0 (e.g., integers modulo 3), the
Weierstrass form has to be modified to the so-called long Weierstrass form.
A map φ between two elliptic curves E and E  is said to be a homomor-
phism if φ(P + Q) = φ(P) + φ(Q) for all points P and Q on E. If E and
E  coincide, we say that φ is an endomorphism of E.

5. Problem Formulation
We are now able to formulate the research question: Let q be the power of a
prime, Fq be a field with q elements and E and E  be elliptic curves over Fq
such that E and E  have the same number of points over Fq . The question
then is to find all k ≥ 1 such that the point groups of E and E  over the field
extension Fq k are isomorphic, i.e., there exists a bijective homomorphism
between E and E  .
An important step has been provided by Wittmann (2001). Its formula-
tion, however, needs some more notation. The Frobenius endomorphism τ
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 9

From the Lifting-the-Exponent-Lemma to Elliptic Curves 9

of an elliptic curve over Fq is the map which sends a pair (x, y) to (x q , y q ).

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

In fact, it is an endomorphism

 because of the well-known fact that the bino-
mial coefficient pj is divisible by p for 0 < j < p and prime p; in our
case, we use the prime p which q is a power of.
It is a known, but non-trivial, result that for each point P of the curve,
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

we have

τ 2 (P) − (q + 1 − n)τ (P) + q P = 0,

where n denotes the number of points on the curve. Of course, the addi-
tions and subtractions occurring in this equations are meant to be instances
of our special operation on the elliptic curve. Thus, we may identify the
endomorphism τ of the curve with a root of the quadratic equation

τ 2 − (q + 1 − n)τ + q = 0;

we denote this root by τ , as well. A famous result by Hasse ensures that

this root τ is never a real number. We can therefore write τ in the form
τ = a + bδ for suitable a, b ∈ Z and
√
m if m ≡ 2 or 3 (mod 4),
δ = 1+√m
2
if m ≡ 1 (mod 4),
where m < 0 is square-free.
The elliptic curve is said to be ordinary if gcd(q + 1 − n, q) = 1. It is
easily verified that this holds if and only if gcd(a, b) = 1. The same theory
which yields the result on the Frobenius endomorphism also ensures that
in the case of an ordinary elliptic curve, every endomorphism of the curve
fulfills a quadratic equation whose square-free part of the discriminant is
the same m, so it can represented as a  + b δ for the same δ for suitable
a  and b . The smallest positive b which occurs in this way is called the
conductor g of the endomorphism ring.
The construction ensures that g divides b: otherwise, a linear
combination of τ and the endomorphism leading to g would contradict
the minimality of g.
We are now able to state Wittmann’s result.

Lemma 2 (Wittmann, 2001). Let E and E  be ordinary elliptic curves

over Fq with an equal number of points with conductors of the
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 10

10 Engaging Young Students in Mathematics Through Competitions — Volume 2

endomorphism rings g and g  , respectively. Write the kth power of the

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

complex number τ as τ k = ak + bk δ for suitable ak , bk ∈ Z.

Then, the point groups of E and E  over Fq k are isomorphic if and only
if
 
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

bk bk
gcd ak − 1, = gcd ak − 1,  . (2)
g g

Note that g and g  divide bk for the same reason that g divides b.

We emphasize that Wittmann’s result reduces the question to a gcd prob-

lem in terms of the known quantities g and g  involving the integers ak and
bk arising from taking powers of τ = a + bδ. In particular, the problem is
completely solved for given k because we can simply compute ak and bk and
then compare the gcds. For general k, however, we need to invest more work.
This work will no longer depend on the theory of elliptic curves; instead, we
will use Olympiad methods including the Lifting-the-Exponent-Lemma.

6. Sketch of the Solution Using Olympiad Methods

6.1. Rewriting in terms of primes
The first step consists in translating (2) in terms of p-adic valuations. It is
clear that (2) is equivalent to
   
bk bk
∀ p prime : min v p (ak − 1), v p = min v p (ak − 1), v p .
g g

This trivially holds for those primes p for which v p (g) = v p (g  ). We

therefore restrict our attention to the set of primes

P := { p prime|v p (g) = v p (g  )}. (3)

So, Wittmann’s condition (2) is equivalent to

   
bk bk
∀ p ∈ P : min v p (ak − 1), v p = min v p (ak − 1), v p .
g g

As the second elements on both sides are now guaranteed to be different,

the minima coincide if and only if they are equal to the first element. Thus
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 11

From the Lifting-the-Exponent-Lemma to Elliptic Curves 11

(2) is equivalent to
Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

  
bk bk
∀ p ∈ P : v p (ak − 1) ≤ min v p , vp .
g g
We rewrite the valuations of quotients as differences of valuations and see
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

that the condition is equivalent to

∀ p ∈ P : v p (ak − 1) ≤ v p (bk ) − max{v p (g), v p (g  )}.

We summarize our findings in the following lemma.

Lemma 3. With the notations of Lemma 2, the point groups of E and E 

over Fq k are isomorphic if and only if

∀ p ∈ P : v p (ak − 1) ≤ v p (bk ) − s p ,

where P is defined in (3) and

s p := max{v p (g), v p (g  )}.

6.2. Relation to a k and bk

Fix p ∈ P. For simplicity, assume that p = 2. The goal of this section is
to replace the quantities v p (ak − 1) and v p (bk ) occurring in Lemma 3 by
v p (a k − 1) and v p (bk ). We first recall that by definition, we have

(a + bδ)k = ak + bk δ.

We write b = pt c and k = pl m for suitable integers t, c, l and m with p

not a divisor of cm and l ≥ 0. Note that the fact that g and g  divide b and
v p (g) = v p (g  ) implies that t ≥ 1. The fact we are considering ordinary
elliptic curves then implies that p does not divide a.
The binomial theorem implies that
l
ak + bk δ = (a + bδ)k = (a + pt cδ) p m
 
k
pl m k−r tr r r
= a + p mca δ +
k l+t k−1
a p cδ .
r=2
r

Careful counting of occurrences of factors p in the binomial coefficients

pl m 
r
— see the original study (Heuberger and Mazzoli, 2017) for the
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 12

12 Engaging Young Students in Mathematics Through Competitions — Volume 2

details, in particular of some annoying boundary cases — shows that all

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

coefficients of the last sum are divisible by pl+t +1 . We conclude that

ak ≡ a k (mod pl+t +1 ),
bk ≡ pl+t mcak−1 (mod pl+t +1 ).
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

As we know that p is not a divisor of mcak−1 , this implies that

v p (bk ) = l + t and v p (ak − a k ) ≥ l + t + 1. (4)

Lemma 4. Let p ∈ P be an odd prime. Then the condition

v p (ak − 1) ≤ v p (bk ) − s p (5)

of Lemma 3 holds if and only if

v p (a k − 1) ≤ v p (b) + v p (k) − s p . (6)

Note that the right side of (6) is non-negative because g|b and g  |b imply
that s p ≤ v p (b).

Proof. We first consider the case that v p (a k − 1) ≥ l + t + 1. Writing

ak − 1 = (ak − a k ) + (a k − 1)

and using (4) then shows that both summands on the right side are divisible
by pl+t +1 , which immediately implies that the left side is divisible by the
same power of p. In other words,

v p (ak − 1) ≥ l + t + 1 = v p (b) + v p (k) + 1 > v p (bk ) ≥ v p (bk ) − s p ,

where (4) has been used in the second inequality. We conclude that neither
(5) nor (6) holds in this case.
We now turn to the case that v p (a k − 1) ≤ l + t. We again consider the
decomposition

ak − 1 = (ak − a k ) + (a k − 1).

The first summand on the right side is divisible by pl+t +1 by (4), but the
second is not. This implies that v p (ak − 1) = v p (a k − 1) holds in this case.
Combining this with (4) yields the assertion. 
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 13

From the Lifting-the-Exponent-Lemma to Elliptic Curves 13

6.3. Using the Lifting-the-Exponent-Lemma

Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

In this section, we use the Lifting-the-Exponent-Lemma to express the quan-

tity v p (a k − 1) in (6) to finally decide our question. We still assume that
p ∈ P is odd.
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

Denote the order of a modulo p by e, i.e., e is the minimal positive

exponent such that a e ≡ 1 (mod p).
If e is not a divisor of k, then a k is not congruent to 1 modulo p by
standard properties of the order and we have v p (a k − 1) = 0. Thus (6) is
fulfilled in this case.
Otherwise, we can use the Lifting-the-Exponent-Lemma and see that

k
v p (a − 1) = v p ((a ) − 1) = v p (a − 1) + v p
k e k/e e
e
= v p (a e − 1) + v p (k) − v p (e).
Thus (6) is equivalent to
v p (a e − 1) − v p (e) ≤ v p (b) − s p .
Note that the order e of a modulo p divides φ( p) = p − 1 by Fermat’s
theorem; thus e must be coprime to p and thus v p (e) = 0.
We conclude that for odd p, the condition (6) does not hold if and only if
e|k and v p (a e − 1) − v p (e) > v p (b) − s p .
We summarize our findings (now also incorporating p = 2 for com-
pleteness, see Heuberger and Mazzoli (2017)).
Theorem (Heuberger and Mazzoli (2017)). Let E and E  be ordinary
elliptic curves over Fq with equal number of points with conductors of the
endomorphism rings g and g  , respectively, τ = a + bδ for suitable a,
b ∈ Z and P := { p prime |v p (g) = v p (g  )}. Let k ≥ 1 be an integer. If
2 ∈ P and v2 (b) = 1, assume that k is odd. Then the point groups of E and
E  over Fq k are not isomorphic if and only if
∃ p ∈ P\{2} : e := ord p (a)|k and v p (a e − 1) − v p (e) > v p (b) − s p
or
2 ∈ P and e := ord4 (a)|k and v2 (a e − 1) − v2 (e) > v2 (b) − s2
or
2 ∈ P and v2 (k) = 0 and s2 = v2 (b).
March 30, 2020 9:51 Engaging Young …Vol. 2 9in x 6in b3756-ch01-1 page 14

14 Engaging Young Students in Mathematics Through Competitions — Volume 2

The case of even k has been excluded from the statement of the theorem
Engaging Young Students in Mathematics through Competitions — World Perspectives and Practices Downloaded from www.worldscientific.com

for ease of presentation; the case can however be decided, see Heuberger
and Mazzoli (2017).

Bibliography
by 80.189.61.177 on 07/14/20. Re-use and distribution is strictly not permitted, except for Open Access articles.

Cuellar, S. and Samper, J. A. (2007). A nice and tricky lemma (lifting the exponent),
Mathematical Reflections 3.
Heuberger, C. and Mazzoli, M. (2017). Elliptic curves with isomorphic groups of points
over finite field extensions, Journal of Number Theory 181, 89–98.
Knapp, A. W. (1992). Elliptic Curves, Mathematical Notes, Vol. 40, Princeton, NJ: Princeton
University Press.
Parvardi, H. (2011). Lifting the exponent lemma (LTE), http://citeseerx.ist.psu.edu/
viewdoc/summary?doi=10.1.1.221.5543.
Wittmann, C. (2001). Group structure of elliptic curves over finite fields, Journal of Number
Theory 88(2), 335–344.