Full torsion groups

Cryptographically interesting pairings are defined on so-called torsion subgroups of elliptic curves. To define torsion groups of an elliptic curve, let $F$ be a finite field, $E(F)$ an elliptic curve of order $n$ and $r$ a factor of $n$. Then the $r$-torsion group of the elliptic curve $E(F)$ is defined as the set

$$E(F)[r] = \{P ∈ E(F) | [r]P = O\}.$$

The fundamental theorem of finite cyclic groups states that every factor $r$ of a cyclic group’s order uniquely defines a subgroup of the size of that factor and those subgroup are important examples of $r$-torsion groups.

When we consider elliptic curve extensions, we could ask what happens to the $r$-torsion groups in the extension. One might intuitively think that their extension just parallels the extension of the curve. For example, when $E(F_p)$ is a curve over prime field $F_p$, with some $r$-torsion group $E(F_p)[r]$ and when we extend the curve to $E(F_{p^m} )$, then there might be a bigger $r$-torsion group $E(F_{p^m} )[r]$ such that $E(F_p)[r]$ is a subgroup of $E(F_{p^m} )[r]$. This might make intuitive sense, as $E(F_p)$ is a subset of $E(F_{p^m} )$.

However, the actual situation is a bit more surprising than that. To see that, let $F_p$ be a prime field and let $E(F_p)$ be an elliptic curve of order $n$, such that $r$ is a factor of $n$, with embedding degree $k(r)$ and $r$-torsion group $E(F_p)[r]$. Then the $r$-torsion group $E(F_{p^m} )[r]$ of a curve extension is equal to $E(F_p)[r]$, only as long as the power $m$ is less than the embedding degree $k(r)$ of $E(F_p)$.

For the prime power $p^{k(r)}$, the $r$-torsion group $E(F_{p^{k(r)}})[r]$ might then be larger than $E(F_p)[r]$ and it contains $E(F_p)[r]$ as a subgroup. We call it the full r-torsion group of that elliptic curve and write is as follows:

$$E[r] = E(F_{p^{k(r)}})[r].$$

The $r$-torsion groups $E(F_{p^m})[r]$ of any curve extensions for $m > k(r)$ are all equal to $E[r]$. In this sense $E[r]$ is already the largest $r$-torsion group, which justifies the name. The full $r$-torsion group contains $r^2$ many elements and consists of $r + 1$ subgroups, one of which is $E(F_p)[r]$.