DOCSLIB.ORG

Analysis of the Ghs Weil Descent Attack on the Ecdlp Over Characteristic Two Finite Fields of Composite Degree

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis of the Ghs Weil Descent Attack on the Ecdlp Over Characteristic Two Finite Fields of Composite Degree London Mathematical Society ISSN 1461–1570 ANALYSIS OF THE GHS WEIL DESCENT ATTACK ON THE ECDLP OVER CHARACTERISTIC TWO FINITE FIELDS OF COMPOSITE DEGREE MARKUS MAURER, ALFRED MENEZES and EDLYN TESKE Abstract In this paper, the authors analyze the Gaudry–Hess–Smart (GHS) Weil descent attack on the elliptic curve discrete logarithm prob- lem (ECDLP) for elliptic curves defined over characteristic two fi- F nite fields of composite extension degree. For each such field 2N , N ∈[100, 600], elliptic curve parameters are identified such that: (i) there should exist a cryptographically interesting elliptic curve E F over 2N with these parameters; and (ii) the GHS attack is more effi- E(F ) cient for solving the ECDLP in 2N than for solving the ECDLP F on any other cryptographically interesting elliptic curve over 2N . The feasibility of the GHS attack on the specific elliptic curves is ex- F F F F F amined over 2176 , 2208 , 2272 , 2304 and 2368 , which are provided as examples in the ANSI X9.62 standard for the elliptic curve signature scheme ECDSA. Finally, several concrete instances are provided of F N the ECDLP over 2N , composite, of increasing difficulty; these resist all previously known attacks, but are within reach of the GHS attack. 1. Introduction E K = F Let be an elliptic curve defined over a finite field 2N . The elliptic curve discrete logarithm problem (ECDLP) in E(K) is as follows: given E, P ∈ E(K), r = ord(P ) and Q ∈hP i, find the integer λ ∈[0,r − 1] such that Q = λP . We write λ = logP Q. The ECDLP is of interest because its apparent intractability forms the basis for the security of elliptic curve cryptographic schemes. The elliptic curve parameters have to be carefully chosen in order to circumvent some E F known attacks on the ECDLP. We say that an elliptic curve over 2N is cryptographically E(F ) E(F ) = rd r interesting if: (i) # 2N is almost prime (that is, # 2N , where is prime and d ∈{2, 4}) in order to provide maximum resistance to the Pohlig–Hellman [28] and Pollard’s rho [29, 26] attacks; and (ii) r does not divide 2Nj − 1 for each j ∈[1,J], where J F is large enough so that it is computationally infeasible to find discrete logarithms in 2NJ – in order to resist the Weil pairing [24] and Tate pairing [11] attacks. Frey [10] first proposed using Weil descent as a means to reduce the ECDLP in elliptic F curves over 2N to the discrete logarithm problem in an abelian variety over a proper subfield F F 2l of 2N . Frey’s method, which we refer to as the Weil descent attack methodology,was further elaborated by Galbraith and Smart [13]. In 2000, Gaudry, Hess and Smart (GHS) [17] showed how Frey’s methodology could be used (in most cases) to reduce any instance of the Received 12 October 2001, revised 9 September 2002; published 15 November 2002. 2000 Mathematics Subject Classification 94A60, 11Y16, 68W40, 14H52 © 2002, Markus Maurer, Alfred Menezes and Edlyn Teske Downloaded from https://www.cambridge.org/core. IP address: 170.106.202.226, on 27 Sep 2021 at 22:23:44, subject to the Cambridge Core terms of use, available at LMShttps://www.cambridge.org/core/terms J. Comput. Math. 5 (2002) 127–. https://doi.org/10.1112/S1461157000000723174 Analysis of the GHS Weil descent attack ECDLP to an instance of the discrete logarithm problem in the Jacobian of a hyperelliptic F curve over 2l . Since subexponential-time algorithms for the hyperelliptic curve discrete logarithm problem (HCDLP) are known, this could have important implications for the security of elliptic curve cryptographic schemes. The GHS attack was analyzed in [17, 23]. It was proven to fail for all cryptographically F N ∈[ , ] interesting elliptic curves over 2N , where 160 600 is prime. In other words, the hyperelliptic curves C that are produced either have genus too small (whence JC(F2) is too E(F ) small to yield any non-trivial information about the ECDLP in 2N ), or have genus too 16 large (g > 2 − 1, whence the HCDLP in JC(F2) is infeasible). The purpose of this paper is to investigate the applicability of the GHS attack on the ECDLP for cryptographically F N ∈[ , ] interesting elliptic curves over 2N for composite 100 600 . The remainder of this paper is organized as follows. Section 2 provides a brief introduc- tion to the relevant theory of hyperelliptic curves. The GHS Weil descent attack is outlined in Section 3, and an overview of the best methods known for solving the ECDLP and HCDLP is given in Section 4. Our analysis of the applicability of the GHS attack on the ECDLP over characteristic two finite fields of composite extension degree is presented in Section 5. In Section 6, a detailed analysis is presented of the feasibility of the GHS attack on certain elliptic curves specified in the ANSI X9.62 standard. Section 7 lists some ECDLP ‘challenges’ of increasing difficulty, which should resist all previously known attacks, but which are within reach of the GHS attack. Our conclusions are stated in Section 8. 2. Hyperelliptic curves We provide a brief overview of the theory of hyperelliptic curves, relevant to this paper. 2.1. Hyperelliptic curves S Let k = Fq denote the finite field of order q. The algebraic closure of Fq is k = F n C g k n>1 q .Ahyperelliptic curve of genus over is defined by a non-singular equation v2 + h(u)v = f (u), (1) where h, f ∈ k[u],degf = 2g + 1, and deg h 6 g. Let L be an extension field of k. The set of L-rational points on C is C(L) ={(x, y) : x,y ∈ L, y2 + h(x)y = f(x)} ∪ {∞}. The opposite of P = (x, y) ∈ C(L) is Pe = (x, −y − h(x)); we also define ∞=∞e . Note that Pe ∈ C(L). Except for the case g = 1 (since a genus 1 hyperelliptic curve is precisely an elliptic curve), there is no natural group law on the set of points C(L). Instead, one considers the Jacobian of C over k, which is a finite group. 2.2. The Jacobian of a hyperelliptic curve P D0 C m P The setP of degree zero divisors of is the set of formal sums P ∈C(k) P , where mP ∈ Z, mP = 0, and only a finite number of the values of mP are non-zero. D0 is a group under the addition rule X X X mP P + nP P = (mP + nP )P. q Let σ : k → k be the Frobenius map defined by xP7→ x . The mapP σ extends to C(k) by σ σ σ σ (x, y) 7→ (x ,y ) and ∞ 7→ ∞, and to D0 by mP P 7→ mP P . The set of zero Downloaded from https://www.cambridge.org/core. IP address: 170.106.202.226, on 27 Sep 2021 at 22:23:44, subject to the Cambridge Core terms of use, available at https://www.cambridge.org/core/terms128 . https://doi.org/10.1112/S1461157000000723 Analysis of the GHS Weil descent attack divisors defined over k is 0 0 σ Dk ={D ∈ D : D = D}. The function field of C over k, denoted k(C), is the field of fractions of the integral domain 2 of polynomialP functions k[u, v]/(v + h(u)v − f (u)).Forz ∈ k(C), the divisor of z is div(z) = P ∈C(k) vP (z)P , where vP (z) denotes the multiplicity of P as a root of z.Now 0 the set Prink ={div(z) : z ∈ k(C)} is a subgroup of Dk . The Jacobian of C (over k)isthe 0 quotient group JC(k) = Dk /Prink. 2.3. Properties of the Jacobian JC(k) is a finite group. A theorem of Weil’s implies that √ √ 2g 2g ( q − 1) 6 #JC(k) 6 ( q + 1) . (2) If D1 and D2 are in the same equivalence class of divisors in JC(k), we write D1 ∼ D P2. Each equivalenceP class has a unique divisor in reduced form – that is, a divisor m P − ( m )∞ m > P m > P 6=∞ P P 6=∞ P satisfying: (i) P 0 for all ; (ii)P if P 1 and e e P 6= P , then mPe = 0; (iii) mP is equal to 0 or 1 if P = P ; and (iv) mP 6 g. Such a reduced divisor D can be uniquely represented by a pair of polynomials a,b ∈ k[u], where: (i) deg b<deg a 6 g; (ii) a is monic; and (iii) a|(b2 + bh − f). We write D =Pdiv(a, b) to meanP that D = gcd(divP(a), div(b − v))P, where the gcd of two divi- sorsP P 6=∞ mP P − ( P 6=∞PmP )∞ and P 6=∞ nP P − ( P 6=∞ nP )∞ is defined to be P 6=∞ min(mP ,nP )P − ( P 6=∞ min(mP ,nP ))∞. The degree of D is deg a. Cantor’s algorithm [4, 22] can be used to compute the sum of two reduced divisors efficiently, and to express the sum in reduced form. 2.4. Artin’s bound In the above, we considered only the imaginary form of a hyperelliptic curve, and not the real form, for which deg(f ) = 2g + 2 in the defining equation (1). Let C be a hyperelliptic curve (real or imaginary) of genus g over k = Fp with p an odd prime. Then h = 0in(1). Artin [3] showed that (P 2g ν= τν, if deg f = 2g + 1; #JC(k) = P0 − 2g+1 ντ , f = g + .
Load more

Recommended publications
  • Arxiv:0906.3146V1 [Math.NT] 17 Jun 2009
    Λ-RINGS AND THE FIELD WITH ONE ELEMENT JAMES BORGER Abstract. The theory of Λ-rings, in the sense of Grothendieck’s Riemann– Roch theory, is an enrichment of the theory of commutative rings. In the same way, we can enrich usual algebraic geometry over the ring Z of integers to produce Λ-algebraic geometry. We show that Λ-algebraic geometry is in a precise sense an algebraic geometry over a deeper base than Z and that it has many properties predicted for algebraic geometry over the mythical field with one element. Moreover, it does this is a way that is both formally robust and closely related to active areas in arithmetic algebraic geometry. Introduction Many writers have mused about algebraic geometry over deeper bases than the ring Z of integers. Although there are several, possibly unrelated reasons for this, here I will mention just two. The first is that the combinatorial nature of enumer- ation formulas in linear algebra over finite fields Fq as q tends to 1 suggests that, just as one can work over all finite fields simultaneously by using algebraic geome- try over Z, perhaps one could bring in the combinatorics of finite sets by working over an even deeper base, one which somehow allows q = 1. It is common, follow- ing Tits [60], to call this mythical base F1, the field with one element. (See also Steinberg [58], p. 279.) The second purpose is to prove the Riemann hypothesis. With the analogy between integers and polynomials in mind, we might hope that Spec Z would be a kind of curve over Spec F1, that Spec Z ⊗F1 Z would not only make sense but be a surface bearing some kind of intersection theory, and that we could then mimic over Z Weil’s proof [64] of the Riemann hypothesis over function fields.1 Of course, since Z is the initial object in the category of rings, any theory of algebraic geometry over a deeper base would have to leave the usual world of rings and schemes.
    [Show full text]
  • MAPPING STACKS and CATEGORICAL NOTIONS of PROPERNESS Contents 1. Introduction 2 1.1. Introduction to the Introduction 2 1.2
    MAPPING STACKS AND CATEGORICAL NOTIONS OF PROPERNESS DANIEL HALPERN-LEISTNER AND ANATOLY PREYGEL Abstract. One fundamental consequence of a scheme being proper is that there is an algebraic space classifying maps from it to any other finite type scheme, and this result has been extended to proper stacks. We observe, however, that it also holds for many examples where the source is a geometric stack, such as a global quotient. In our investigation, we are lead naturally to certain properties of the derived category of a stack which guarantee that the mapping stack from it to any geometric finite type stack is algebraic. We develop methods for establishing these properties in a large class of examples. Along the way, we introduce a notion of projective morphism of algebraic stacks, and prove strong h-descent results which hold in the setting of derived algebraic geometry but not in classical algebraic geometry. Contents 1. Introduction 2 1.1. Introduction to the introduction2 1.2. Mapping out of stacks which are \proper enough"3 1.3. Techniques for establishing (GE) and (L)5 1.4. A long list of examples6 1.5. Comparison with previous results7 1.6. Notation and conventions8 1.7. Author's note 9 2. Artin's criteria for mapping stacks 10 2.1. Weil restriction of affine stacks 11 2.2. Deformation theory of the mapping stack 12 2.3. Integrability via the Tannakian formalism 16 2.4. Derived representability from classical representability 19 2.5. Application: (pGE) and the moduli of perfect complexes 21 3. Perfect Grothendieck existence 23 3.1.
    [Show full text]
  • FINITE WEIL RESTRICTION of CURVES Introduction Let L Be A
    FINITE WEIL RESTRICTION OF CURVES E.V. FLYNN AND D. TESTA Abstract. Given number fields L ⊃ K, smooth projective curves C defined over L and B defined over K, and a non-constant L-morphism h: C ! BL, we denote by Ch the curve defined over K whose K-rational points parametrize the L-rational points on C whose images under h are defined over K. We compute the geometric genus of the curve Ch and give a criterion for the applicability of the Chabauty method to find the points of the curve Ch. We provide a framework which includes as a special case that used in Elliptic Curve Chabauty techniques and their higher genus versions. The set Ch(K) can be infinite only when C has genus at most 1; we analyze completely the case when C has genus 1. Introduction Let L be a number field of degree d over Q, let f 2 L[x] be a polynomial with coefficients in L, and define Af := x 2 L j f(x) 2 Q : Choosing a basis of L over Q and writing explicitly the conditions for an element of L to lie in Af , it is easy to see that the set Af is the set of rational solutions of d − 1 polynomials in d variables. Thus we expect the set Af to be the set of rational points of a (possibly reducible) curve Cf ; indeed, this is always true when f is non-constant. A basic question that we would like to answer is to find conditions on L and f that guarantee that the set Af is finite, and ideally to decide when standard techniques can be applied to explicitly determine this set.
    [Show full text]
  • A Cryptographic Application of Weil Descent
    A Cryptographic Application of Weil Descent Nigel Smart, Steve Galbraith† Extended Enterprise Laboratory HP Laboratories Bristol HPL-1999-70 26 May, 1999* function fields, This paper gives some details about how Weil descent divisor class group, can be used to solve the discrete logarithm problem on cryptography, elliptic curves which are defined over finite fields of elliptic curves small characteristic. The original ideas were first introduced into cryptography by Frey. We discuss whether these ideas are a threat to existing public key systems based on elliptic curves. † Royal Holloway College, University of London, Egham, UK *Internal Accession Date Only Ó Copyright Hewlett-Packard Company 1999 A CRYPTOGRAPHIC APPLICATION OF WEIL DESCENT S.D. GALBRAITH AND N.P. SMART Abstract. This pap er gives some details ab out howWeil descent can b e used to solve the discrete logarithm problem on elliptic curves which are de ned over nite elds of small characteristic. The original ideas were rst intro duced into cryptographybyFrey.We discuss whether these ideas are a threat to existing public key systems based on elliptic curves. 1. Introduction Frey [4] intro duced the cryptographic community to the notion of \Weil descent", n which applies to elliptic curves de ned over nite elds of the form F with n>1. q This pap er gives further details on how these ideas might be applied to give an attack on the elliptic curve discrete logarithm problem. We also discuss which curves are most likely to b e vulnerable to such an attack. The basic strategy consists of the following four stages which will b e explained in detail in the remainder of the pap er.
    [Show full text]
  • Arxiv:Math/0504359V2 [Math.AG] 7 Aug 2005
    On the Structure of Weil Restrictions of Abelian Varieties Claus Diem Niko Naumann June 10, 2003 Abstract We give a description of endomorphism rings of Weil restrictions of abelian varieties with respect to finite Galois extensions of fields. The results are applied to study the isogeny decompositions of Weil restrictions. 2000 Mathematics Subject Classification Primary: 14K15, Secondary: 11G10. Introduction For the use of Weil restrictions of abelian varieties in various fields of math- ematics but also because of genuine interest in Weil restrictions themselves, it is important to determine the endomorphism rings and the isogeny de- compositions. This is what this article provides – at least in two important special cases. After giving a brief expos´eof general facts about Weil restrictions of abelian varieties in the first section, we study Weil restrictions with respect to extensions of finite fields in the second section. Here we determine the endomorphism algebra of a Weil restriction (see Theorem 1) and then show arXiv:math/0504359v2 [math.AG] 7 Aug 2005 that under rather general assumptions, the Weil restriction is simple over the base-field (see Theorem 2). In the third section, we deal with the following situation: K k is an ar- | bitrary finite Galois extension of fields, A an abelian variety over k, W the Weil restriction of AK with respect to K k. We describe the endomorphism | ring of W as a skew group ring over End(AK ) (see Theorem 3) and apply this result to study the isogeny decomposition of W over k. In the last sub- section the results are applied to give an explicit description of the isogeny decomposition of W in the case of a cyclic field extension; see Theorem 4.
    [Show full text]
  • Arxiv:1311.0051V4 [Math.NT] 8 Nov 2016 3 Elrsrcinadtegenegfntr75 65 44 27 49 5 Functor Greenberg the and Restriction Weil Theorem 25 Functor Structure 13
    THE GREENBERG FUNCTOR REVISITED ALESSANDRA BERTAPELLE AND CRISTIAN D. GONZALEZ-AVIL´ ES´ Abstract. We extend Greenberg’s original construction to arbitrary (in partic- ular, non-reduced) schemes over (certain types of) local artinian rings. We then establish a number of basic properties of the extended functor and determine, for example, its behavior under Weil restriction. We also discuss a formal analog of the functor. Contents 1. Introduction 2 2. Preliminaries 4 2.1. Generalities 4 2.2. Vector bundles 7 2.3. Witt vectors 8 2.4. Groups of components 10 2.5. The connected-´etale sequence 11 2.6. Formal schemes 12 2.7. Weil restriction 16 2.8. The fpqc topology 20 3. Greenberg algebras 25 3.1. Finitely generated modules over arbitrary fields 25 3.2. Modules over rings of Witt vectors 27 4. The Greenberg algebra of a truncated discrete valuation ring 37 5. Greenbergalgebrasandramification 44 6. The Greenberg algebra of a discrete valuation ring 49 7. The Greenberg functor 50 8. The Greenberg functor of a truncated discrete valuation ring 56 9. The change of rings morphism 57 arXiv:1311.0051v4 [math.NT] 8 Nov 2016 10. The change of level morphism 64 11. Basic properties of the Greenberg functor 65 12. Greenberg’s structure theorem 69 13. Weil restriction and the Greenberg functor 75 Date: June 5, 2018. 2010 Mathematics Subject Classification. Primary 11G25, 14G20. Key words and phrases. Greenberg realization, formal schemes, Weil restriction. C.G.-A. was partially supported by Fondecyt grants 1120003 and 1160004. 1 2 ALESSANDRABERTAPELLEANDCRISTIAND.GONZALEZ-AVIL´ ES´ 14.
    [Show full text]
  • Weil Restriction for Schemes and Beyond
    WEIL RESTRICTION FOR SCHEMES AND BEYOND LENA JI, SHIZHANG LI, PATRICK MCFADDIN, DREW MOORE, & MATTHEW STEVENSON Abstract. This note was produced as part of the Stacks Project workshop in August 2017, under the guidance of Brian Conrad. Briefly, the process of Weil restriction is the algebro-geometric analogue of viewing a complex- analytic manifold as a real-analytic manifold of twice the dimension. The aim of this note is to discuss the Weil restriction of schemes and algebraic spaces, highlighting pathological phenoma that appear in the theory and are not widely-known. 1. Weil Restriction of Schemes Definition 1.1. Let S0 ! S be a morphism of schemes. Given an S0-scheme X0, 0 opp consider the contravariant functor RS0=S(X ): (Sch=S) ! (Sets) given by 0 0 T 7! X (T ×S S ): 0 If the functor RS0=S(X ) is representable by an S-scheme X, then we say that X is 0 0 0 the Weil restriction of X along S ! S, and we denote it by RS0=S(X ). Remark 1.2. Given any morphism of schemes f : S0 ! S and any contravari- ant functor F : (Sch=S0)opp ! (Sets), one can define the pushforward functor opp 0 f∗F : (Sch=S) ! (Sets) given on objects by T 7! F (T ×S S ). If F is repre- 0 0 0 sentable by an S -scheme X , then f∗F = RS0=S(X ). This approach is later used to define the Weil restriction of algebraic spaces. Theorem 1.3. Let S0 ! S be a finite and locally free morphism.
    [Show full text]
  • Constructing Pairing-Friendly Hyperelliptic Curves Using Weil Restriction
    CONSTRUCTING PAIRING-FRIENDLY HYPERELLIPTIC CURVES USING WEIL RESTRICTION DAVID MANDELL FREEMAN1 AND TAKAKAZU SATOH2 Abstract. A pairing-friendly curve is a curve over a finite field whose Ja- cobian has small embedding degree with respect to a large prime-order sub- group. In this paper we construct pairing-friendly genus 2 curves over finite fields Fq whose Jacobians are ordinary and simple, but not absolutely simple. We show that constructing such curves is equivalent to constructing elliptic curves over Fq that become pairing-friendly over a finite extension of Fq. Our main proof technique is Weil restriction of elliptic curves. We describe adap- tations of the Cocks-Pinch and Brezing-Weng methods that produce genus 2 curves with the desired properties. Our examples include a parametric fam- ily of genus 2 curves whose Jacobians have the smallest recorded ρ-value for simple, non-supersingular abelian surfaces. 1. Introduction Let q be a prime power and Fq be a finite field of q elements. In this paper we study two types of abelian varieties: • Elliptic curves E, defined over Fqd , with j(E) 2 Fq. • Genus 2 curves C, defined over Fq, whose Jacobians are isogenous over Fqd to a product of two isomorphic elliptic curves defined over Fq. Both types of abelian varieties have recently been proposed for use in cryptography. In the first case, Galbraith, Lin, and Scott [17] showed that arithmetic operations on certain elliptic curves E as above can be up to 30% faster than arithmetic on generic elliptic curves over prime fields. In the second case, Satoh [32] showed that point counting on Jacobians of certain genus 2 curves C as above can be performed much faster than point counting on Jacobians of generic genus 2 curves.
    [Show full text]
  • Weil Restriction, Quasi-Projective Schemes
    Lecture 11: Weil restriction, quasi-projective schemes 10/16/2019 1 Weil restriction of scalars Let S0 ! S be a morphism of schemes and X ! S0 an S0-scheme. The Weil restriction of scalars RS0/S(X), if it exists, is the S-scheme whose functor of pointsis given by 0 HomS(T, RS0/S(X)) = HomS0 (T ×S S , X). Classically, the restriction of scalars was studied in the case that S0 ! S is a finite extension 0 0 of fields k ⊂ k . In this case, RS0/S(X) is roughly given by taking the equations of X/k and viewing that as equations over the smaller field k. Theorem 1. Let f : S0 ! S be a flat projective morphism over S Noetherian and let g : X ! S0 be 0 a projective S -scheme. Then the restriction of scalars RS0/S(X) exists and is isomorphic to the open P P 0 subscheme HilbX!S0/S ⊂ HilbX/S where P is the Hilbert polynomial of f : S ! S. P 0 P Proof. Note that HilbS0/S = S with universal family given by f : S ! S. Then on HilbX!S/S0 we have a well defined pushforward P g∗ : HilbX!S0/S ! S 0 given by composing a closed embedding i : Z ⊂ T ×S X with gT : T ×S X ! T ×S S . On the other hand, since the Hilbert polynomials agree, then the closed embedding gT ◦ 0 i : Z ! T ×S S must is a fiberwise isomorphism and thus an isomorphism. Therefore, 0 0 gT ◦ i : Z ! T ×S X = (T ×S S ) ×S0 X defines the graph of an S morphism 0 T ×S S ! X.
    [Show full text]
  • Arxiv:1210.1792V3 [Math.NT]
    RATIONAL POINTS OF BOUNDED HEIGHT AND THE WEIL RESTRICTION DANIEL LOUGHRAN Abstract. Given an extension of number fields E ⊂ F and a projective variety X over F , we compare the problem of counting the number of rational points of bounded height on X with that of its Weil restriction over E. In particular, we consider the compatibility with respect to the Weil restriction of conjectural asymptotic formulae due to Manin and others. Using our methods we prove several new cases of these conjectures. We also construct new counterexamples over every number field. Contents 1. Introduction 1 2. The Weil restriction 5 3. Adelically metrised line bundles 8 4. Manin’s conjectures 10 References 19 1. Introduction n Let X be a smooth projective variety over a number field F . To any embedding X PF of X over F , we may associate a height function given by ⊂ H(x)= max x ,..., x , (1.1) {| 0|v | n|v} v∈Val(Y F ) where x = (x0 : : xn) X(F ) and v is the usual absolute value associated to a place v of F . The product··· formula∈ λ| · |= 1, for any λ F ∗, implies that this expression is v∈Val(F ) | |v ∈ independent of the choice of representation of x in homogeneous coordinates. More generally, one Q may associate a height function H to any adelically metrised line bundle = (L, ) on X (see L L || · || arXiv:1210.1792v3 [math.NT] 16 Feb 2015 Section 3 for further details). The advantage of such a definition is that it is intrinsic, i.e it does not depend on a choice of embedding.
    [Show full text]
  • Derived Algebraic Geometry XIV: Representability Theorems
    Derived Algebraic Geometry XIV: Representability Theorems March 14, 2012 Contents 1 The Cotangent Complex 6 1.1 The Cotangent Complex of a Spectrally Ringed 1-Topos . 7 1.2 The Cotangent Complex of a Spectral Deligne-Mumford Stack . 10 1.3 The Cotangent Complex of a Functor . 14 2 Properties of Moduli Functors 22 2.1 Nilcomplete, Cohesive, and Integrable Functors . 22 2.2 Relativized Properties of Functors . 33 2.3 Finiteness Conditions on Functors . 37 2.4 Moduli of Spectral Deligne-Mumford Stacks . 47 3 Representability Theorems 55 3.1 From Classical Algebraic Geometry to Spectral Algebraic Geometry . 55 3.2 Artin's Representability Theorem . 61 3.3 Application: Existence of Weil Restrictions . 68 3.4 Example: The Picard Functor . 76 4 Tangent Complexes and Dualizing Modules 86 4.1 The Tangent Complex . 87 4.2 Dualizing Modules . 93 4.3 Existence of Dualizing Modules . 97 4.4 A Linear Representability Criterion . 104 4.5 Existence of the Cotangent Complexes . 107 1 Introduction Let R be a commutative ring and let X be an R-scheme. Suppose that we want to present X explicitly. We might do this by choosing a covering of X by open subschemes fUαgα2I , where each Uα is an affine scheme given by the spectrum of a commutative R-algebra Aα. Let us suppose for simplicity that each intersection −1 Uα \Uβ is itself an affine scheme, given as the spectrum of Aα[xα,β] for some element xα,β 2 Aα. To describe X, we need to specify the following data: (a) For each α 2 I, a commutative R-algebra Aα.
    [Show full text]
  • WEIL RESTRICTION and the QUOT SCHEME Introduction the Main
    WEIL RESTRICTION AND THE QUOT SCHEME ROY MIKAEL SKJELNES Abstract. We introduce a concept that we call module restric- tion, which generalizes the classical Weil restriction. After having established some fundamental properties, as existence and ´etaleness of the module restrictions, we apply our results to show that the Quot functor Quotn of Grothendieck is representable by an al- FX =S gebraic space, for any quasi-coherent sheaf FX on any separated algebraic space X=S. Introduction The main novelty in this article is the introduction of the module restriction, which is a generalization of the classical Weil restriction. Our main motivation for introducing the module restriction is given by our application to the Quot functor of Grothendieck. If FX is a quasi-coherent sheaf on a scheme X −! S, then the Quot functor Quot parametrizes quotients of FX that are flat and with FX =S proper support over the base. For projective schemes X −! S the Quot functor is represented by a scheme given as a disjoint union of projective schemes [Gro95]. When X −! S is locally of finite type and separated, Artin showed that the Quot functor is representable by an algebraic space ([Art69] and erratum in [Art74]). When the fixed sheaf FX = OX is the structure sheaf of X the Quot functor is referred to as the Hilbert functor HilbX=S. Grothendieck who both introduced the Quot functor and showed rep- resentability for projective X −! S, also pointed out the connection between the Hilbert scheme and the Weil restriction [Gro95, 4. Vari- antes]. If f : Y −! X is a morphism with X separated over the base, there is an open subset ΩY !X of HilbY=S from where the push-forward map f∗ is defined.
    [Show full text]