I come from the world of programming and mathematics is not that close to me, so maybe this will be a rather simple and banal question for someone, but it causes certain misunderstandings for me. The question is:
According to Wikipedia, Lagrange's theorem for groups says the following:
In the mathematical field of group theory, Lagrange's theorem is a theorem that states that for any finite group G, the order (number of elements) of every subgroup of G divides the order of G.
However, in the example I'm working with, this rule doesn't apply for some reason. A group is created in the context of elliptic curves over a finite field. An example is as follows (I will post both a link and a picture):
Here's also a link.
As you can see, the curve $y^2=x^3+1*x+2$ $F_7$ makes a group of 9 points. Points are the following:
(0,3) (0,4) (1,2) (1,5) (3,2) (3,5) (4,0) (6,0) and (Inf, Inf) as an identity element
Therefore, the order of the curve (group) is 9.
The problem is that when I make a subgroup of the point (3, 5) I get the following points:
(0,3) (0,4) (1,2) (1,5) (3,2) (3,5) (6,0) and (Inf, Inf) as an identity element
So the order of the point (3,5) (ie the subgroups) is 8.
This is completely confusing because it contradicts Lagrange's theorem that the order of every subgroup divides the order of the group. In this case 8 does not divide 9.
Does anyone know why this is happening?
Best Answer
As pointed out in the comments, your curve $E: y^2 = x^3 + x + 2$ over $\mathbb{F}_7$ is singular: its discriminant is $-1792 = -2^8 \cdot 7 \equiv 0 \pmod{7}$. The short answer to your question is that the group law can't be extended to the singular point, so your group only consists of the 8 nonsingular points of $E$.
By computing partial derivatives or noting that $x^3 + x + 2 = (x+1)(x-4)^2$ over $\mathbb{F}_7$, we see that $(4,0)$ is a singular point of $E$. (See the plot below; although this is plotted over $\mathbb{R}$, it gives an idea of what is going on.) The singular point creates a problem with the chord-tangent construction used to define the group law of an elliptic curve. This construction works for nonsingular cubic curves because every line intersects the curve in 3 points, counted with multiplicity. When doubling a point, i.e., computing $2P$, we instead take the tangent line to $E$ at $P$ and compute the inverse of the third point of intersection.
$\hspace 4cm$
But at a singular point, there is no well-defined tangent line. In the case of our example, the Taylor expansion near $(4,0)$ is given by $y^2 = (x-4)^3 + 5(x-4)^2$, which has no linear term. The tangent cone at $(4,0)$ is given by the lowest order homogeneous form (of degree $2$ in this case), which is $y^2 = 5(x-4)^2$. Passing to the extension $\mathbb{F}_7(\sqrt{5})$, this is the union of the lines $y = \sqrt{5}(x-4)$ and $y = -\sqrt{5}(x-4)$, so there are two tangent lines at $(4,0)$. The fancy name for this is non-split multiplicative reduction, and as mentioned here, the nonsingular points of the curve $E$ form a cyclic group of order $p+1=8$.
$\hspace 4cm$
The author of this elliptic curve app made an oversight in not checking that the parameters given define a nonsingular Weierstrass equation. And this leads to nonsensical output since the group law is not well-defined. For instance, taking $P = (6,0)$, $Q = (4,0)$, the app returns $P+Q = (4,0)= Q$. But this is nonsense, since subtracting $Q$ from both sides gives $P = 0$, the identity of the group law. It is true, however, that the line $y=0$ that passes through $P$ and $Q$ intersects $Q$ with multiplicity $2$.