DOCSLIB.ORG

Elliptic Curves

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Elliptic Curves Chapter 9 Elliptic Curves This is a chapter from version 2.0 of the book “Mathematics of Public Key Cryptogra- phy” by Steven Galbraith, available from http://www.math.auckland.ac.nz/˜sgal018/crypto- book/crypto-book.html The copyright for this chapter is held by Steven Galbraith. This book was published by Cambridge University Press in early 2012. This is the extended and corrected version. Some of the Theorem/Lemma/Exercise numbers may be different in the published version. Please send an email to [email protected] if youfind any mistakes. This chapter summarises the theory of elliptic curves. Since there are already many outstanding textbooks on elliptic curves (such as Silverman [564] and Washington [626]) we do not give all the details. Our focus is on facts relevant for the cryptographic appli- cations, especially those for which there is not already a suitable reference. 9.1 Group law Recall that an elliptic curve over afieldk is given by a non-singular affine Weierstrass equation 2 3 2 E:y +a 1xy+a 3y=x +a 2x +a 4x+a 6 (9.1) wherea 1, a2, a3, a4, a6 k. There is a unique point E on the projective closure that does not lie on the affine∈ curve. O We recall the formulae for the elliptic curve group law with identity element : For O E allP E(k) we haveP+ E = E +P=P so it remains to consider the case where P ,P∈ E(k) are suchO thatP ,PO= . In other words,P andP are affine points and 1 2 ∈ 1 2 6 O E 1 2 so writeP 1 = (x1, y1) andP 2 = (x2, y2). Recall that Lemma 7.7.10 shows the inverse of P1 = (x1, y1) isι(P 1) = (x1, y 1 a 1x1 a 3). Hence, ifx 1 =x 2 andy 2 = y 1 a 1x1 a 3 (i.e.,P = P ) thenP +P− =− . In− the remaining cases let − − − 2 − 1 1 2 O E ( 2 3x1+2a2x1+a4 a1y1 − ifP 1 =P 2 λ= 2y1+a1x1+a3 (9.2) y2 y1 x −x ifP 1 = P 2. 2− 1 6 ± and setx =λ 2 +a λ x x a andy = λ(x x ) y a x a . Then 3 1 − 1 − 2 − 2 3 − 3 − 1 − 1 − 1 3 − 3 P1 +P 2 = (x3, y3). 165 166 CHAPTER 9. ELLIPTIC CURVES Exercise 9.1.1. It is possible to “unify” the two cases in equation (9.2). Show that if 2 3 2 P1 = (x1, y1) andP 2 = (x2, y2) lie ony + (a1x+a 3)y=x +a 2x +a 4x+a 6 and y = y a x a thenP +P can be computed using the fomula 2 6 − 1 − 1 1 − 3 1 2 x2 +x x +x 2 +a (x +x ) +a a y λ= 1 1 2 2 2 1 2 4 − 1 1 (9.3) y1 +y 2 +a 1x2 +a 3 instead of equation (9.2). Definition 9.1.2. LetE be an elliptic curve over afieldk and letP E(k). Forn N define [n]P tobeP+ +P whereP appearsn times. In particular,∈ [1] is the identity∈ map. Define [0]P= ··· and [ n]P=[n]( P ). O E − − Then-torsion subgroup is E[n] = P E( k):[n]P= . { ∈ O E} We writeE(k)[n] forE[n] E(k). ∩ 2 3 Exercise 9.1.3. LetE:y +y=x be an elliptic curve overF 2. Letm N and 4 4 ∈ P=(x P , yP ) E(F 2m ). Show that [2]P=(x P , yP +1). (We will show in Example 9.11.6 that this curve∈ is supersingular.) 2 3 2 Exercise 9.1.4. LetE:y + xy=x +a 2x +a 6 be an elliptic curve overF 2m for m m N. Show that there is a pointP=(x P , yP ) E(F 2 ) if and only if TrF2m /F2 (xP + ∈ 2 ∈ a +a /x ) = 0. GivenQ=(x , y ) E(F m ) show that the slope of the tangent 2 6 P Q Q ∈ 2 line toE atQ isλ Q =x Q +y Q/xQ. Show thaty Q =x Q(λQ +x Q). Hence show that if 2 2 2 P = [2]Q then TrF2m /F2 (xP ) = TrF2m /F2 (a2),x P =x Q +a 6/xQ and TrF2m /F2 (a6/xP ) = 0. m Conversely, show that ifP=(x P , yP ) E(F 2 ) is such that TrF2m /F2 (xP ) = TrF2m /F2 (a2) 2 ∈ and Tr (a /x ) = 0 thenP = [2]Q for someQ E(F m ). F2m /F2 6 P ∈ 2 m (Point halving) GivenP=(x P , yP ) E(F 2 ) such that TrF2m /F2 (xP ) = TrF2m /F2 (a2) ∈ 2 show that there are two solutionsλ F m to the equationλ +λ =x +a . For p Q ∈ 2 Q Q P 2 either solution letx Q = xP (λP +λ Q +x P + 1), whereλ P =x P +y P /xP , andy Q = xQ(λQ +x Q). Show that [2](xQ, yQ) =P. One can consider Weierstrass equations overk that have a singular point in the affine plane (recall that there is a unique point at infinity E and it is non-singular). By a change of variable one may assume that the singularO point is (0, 0) and the equation is 2 3 2 C:y +a 1xy=x +a 2x . LetG=C(k) E (0,0) . It turns out that the elliptic curve group law formulae give rise to∪ a{O group} law−{ onG.} There is a morphism over k 1 fromC toP and the group law onG corresponds to either the additive groupG a or the multiplicative groupG m; see Section 9 of [122], Section 2.10 of [626] or Proposition III.2.5 of [564] for details. Since an elliptic curve is a projective variety it is natural to consider addition formulae on projective coordinates. In the applications there are good reasons to do this (for example, to minimise the number of inversions in fast implementations of elliptic curve cryptography, or in the elliptic curve factoring method). Exercise 9.1.5. LetP 1 = (x1 :y 1 :z 1) andP 2 = (x2 :y 2 :z 2) be points on the elliptic 2 3 2 3 curveE:y z=x +a 4xz +a 6z overk. Let u=x z x z . 1 2 − 2 1 9.2. MORPHISMS BETWEEN ELLIPTIC CURVES 167 Show that (x3 :y 3 :z 3) is a projective representation forP 1 +P 2 where 2 3 x3 =z 1z2(y1z2 y 2z1) u (x 1z2 +x 2z1)u (9.4) − 3− 2 3 y3 = z 1z2(y1z2 y 2z1) + (2x1z2 +x 2z1)(y1z2 y 2z1)u y 1z2u (9.5) − 3 − − − z3 =z 1z2u (9.6) (as long as the resulting point is not (0,0, 0)). The elliptic curve addition formula of equations (9.3) and (9.4)-(9.6) are undefined on certain inputs (such asP= E orP 2 = P 1) and so one currently needs to make decisions (i.e., use “if” statements)O to compute− on elliptic curves. This does not agree with the definition of an algebraic group (informally, that the group operation is given by polynomial equations; formally that there is a morphismE E E). However, it can be shown (see Theorem III.3.6 of Silverman [564]) that elliptic× → curves are algebraic groups. To make this concrete letE be an elliptic curve overk written projectively. A com- plete system of addition laws forE(k) is a set of triples of polynomials (f (x , y , z , x , y , z ), f (x , y , z , x , y , z ), f (x , y , z , x , y , z )) : 1 i k { i,x 1 1 1 2 2 2 i,y 1 1 1 2 2 2 i,z 1 1 1 2 2 2 ≤ ≤ } such that, for all points P,Q E(k), at least one of (f i,x(P, Q), fi,y(P, Q), fi,z(P, Q)) is defined and all triples defined∈ at (P, Q) give a projective representation of the point P+Q. A rather surprising fact, due to Bosma and Lenstra [92], is that one can give a complete system of addition laws forE( k) using only two triples of polynomials. The resulting equations are unpleasant and not useful for practical computation. 9.2 Morphisms Between Elliptic Curves The goal of this section is to show that a morphism between elliptic curves is the compo- sition of a group homomorphism and a translation. In other words, all geometric maps between elliptic curves have a group-theoretic interpretation. Theorem 9.2.1. LetE 1 andE 2 be elliptic curves overk and letφ:E 1 E 2 be a morphism of varieties such thatφ( ) = . Thenφ is a group homomorphism.→ O E1 O E2 0 0 0 Proof: (Sketch) The basic idea is to note thatφ : Pick(E1) Pic k(E2) (where Pick(Ei) ∗ → denotes the degree zero divisor class group ofE i overk) is a group homomorphism and φ ((P) ( E1 )) = (φ(P)) ( E2 ). We refer to Theorem III.4.8 of [564] for the details. ∗ − O − O Definition 9.2.2. LetE be an elliptic curve overk and letQ E(k). We define the translation map to be the functionτ :E E given byτ (P∈)=P+Q. Q → Q Clearly,τ Q is a rational map that is defined everywhere onE and so is a morphism. Sinceτ Q has inverse mapτ Q it follows thatτ Q is an isomorphism of the curveE to itself (though be warned that in− the next section we will define isomorphism for pointed curves andτ Q will not be an isomorphism in this sense).
Load more

Recommended publications
  • Examples from Complex Geometry
    Examples from Complex Geometry Sam Auyeung November 22, 2019 1 Complex Analysis Example 1.1. Two Heuristic \Proofs" of the Fundamental Theorem of Algebra: Let p(z) be a polynomial of degree n > 0; we can even assume it is a monomial. We also know that the number of zeros is at most n. We show that there are exactly n. 1. Proof 1: Recall that polynomials are entire functions and that Liouville's Theorem says that a bounded entire function is in fact constant. Suppose that p has no roots. Then 1=p is an entire function and it is bounded. Thus, it is constant which means p is a constant polynomial and has degree 0. This contradicts the fact that p has positive degree. Thus, p must have a root α1. We can then factor out (z − α1) from p(z) = (z − α1)q(z) where q(z) is an (n − 1)-degree polynomial. We may repeat the above process until we have a full factorization of p. 2. Proof 2: On the real line, an algorithm for finding a root of a continuous function is to look for when the function changes signs. How do we generalize this to C? Instead of having two directions, we have a whole S1 worth of directions. If we use colors to depict direction and brightness to depict magnitude, we can plot a graph of a continuous function f : C ! C. Near a zero, we'll see all colors represented. If we travel in a loop around any point, we can keep track of whether it passes through all the colors; around a zero, we'll pass through all the colors, possibly many times.
    [Show full text]
  • A Review on Elliptic Curve Cryptography for Embedded Systems
    International Journal of Computer Science & Information Technology (IJCSIT), Vol 3, No 3, June 2011 A REVIEW ON ELLIPTIC CURVE CRYPTOGRAPHY FOR EMBEDDED SYSTEMS Rahat Afreen 1 and S.C. Mehrotra 2 1Tom Patrick Institute of Computer & I.T, Dr. Rafiq Zakaria Campus, Rauza Bagh, Aurangabad. (Maharashtra) INDIA [email protected] 2Department of C.S. & I.T., Dr. B.A.M. University, Aurangabad. (Maharashtra) INDIA [email protected] ABSTRACT Importance of Elliptic Curves in Cryptography was independently proposed by Neal Koblitz and Victor Miller in 1985.Since then, Elliptic curve cryptography or ECC has evolved as a vast field for public key cryptography (PKC) systems. In PKC system, we use separate keys to encode and decode the data. Since one of the keys is distributed publicly in PKC systems, the strength of security depends on large key size. The mathematical problems of prime factorization and discrete logarithm are previously used in PKC systems. ECC has proved to provide same level of security with relatively small key sizes. The research in the field of ECC is mostly focused on its implementation on application specific systems. Such systems have restricted resources like storage, processing speed and domain specific CPU architecture. KEYWORDS Elliptic curve cryptography Public Key Cryptography, embedded systems, Elliptic Curve Digital Signature Algorithm ( ECDSA), Elliptic Curve Diffie Hellman Key Exchange (ECDH) 1. INTRODUCTION The changing global scenario shows an elegant merging of computing and communication in such a way that computers with wired communication are being rapidly replaced to smaller handheld embedded computers using wireless communication in almost every field. This has increased data privacy and security requirements.
    [Show full text]
  • Contents 5 Elliptic Curves in Cryptography
    Cryptography (part 5): Elliptic Curves in Cryptography (by Evan Dummit, 2016, v. 1.00) Contents 5 Elliptic Curves in Cryptography 1 5.1 Elliptic Curves and the Addition Law . 1 5.1.1 Cubic Curves, Weierstrass Form, Singular and Nonsingular Curves . 1 5.1.2 The Addition Law . 3 5.1.3 Elliptic Curves Modulo p, Orders of Points . 7 5.2 Factorization with Elliptic Curves . 10 5.3 Elliptic Curve Cryptography . 14 5.3.1 Encoding Plaintexts on Elliptic Curves, Quadratic Residues . 14 5.3.2 Public-Key Encryption with Elliptic Curves . 17 5.3.3 Key Exchange and Digital Signatures with Elliptic Curves . 20 5 Elliptic Curves in Cryptography In this chapter, we will introduce elliptic curves and describe how they are used in cryptography. Elliptic curves have a long and interesting history and arise in a wide range of contexts in mathematics. The study of elliptic curves involves elements from most of the major disciplines of mathematics: algebra, geometry, analysis, number theory, topology, and even logic. Elliptic curves appear in the proofs of many deep results in mathematics: for example, they are a central ingredient in the proof of Fermat's Last Theorem, which states that there are no positive integer solutions to the equation xn + yn = zn for any integer n ≥ 3. Our goals are fairly modest in comparison, so we will begin by outlining the basic algebraic and geometric properties of elliptic curves and motivate the addition law. We will then study the behavior of elliptic curves modulo p: ultimately, there is a fairly strong analogy between the structure of the points on an elliptic curve modulo p and the integers modulo n.
    [Show full text]
  • An Efficient Approach to Point-Counting on Elliptic Curves
    mathematics Article An Efficient Approach to Point-Counting on Elliptic Curves from a Prominent Family over the Prime Field Fp Yuri Borissov * and Miroslav Markov Department of Mathematical Foundations of Informatics, Institute of Mathematics and Informatics, Bulgarian Academy of Sciences, 1113 Sofia, Bulgaria; [email protected] * Correspondence: [email protected] Abstract: Here, we elaborate an approach for determining the number of points on elliptic curves 2 3 from the family Ep = fEa : y = x + a (mod p), a 6= 0g, where p is a prime number >3. The essence of this approach consists in combining the well-known Hasse bound with an explicit formula for the quantities of interest-reduced modulo p. It allows to advance an efficient technique to compute the 2 six cardinalities associated with the family Ep, for p ≡ 1 (mod 3), whose complexity is O˜ (log p), thus improving the best-known algorithmic solution with almost an order of magnitude. Keywords: elliptic curve over Fp; Hasse bound; high-order residue modulo prime 1. Introduction The elliptic curves over finite fields play an important role in modern cryptography. We refer to [1] for an introduction concerning their cryptographic significance (see, as well, Citation: Borissov, Y.; Markov, M. An the pioneering works of V. Miller and N. Koblitz from 1980’s [2,3]). Briefly speaking, the Efficient Approach to Point-Counting advantage of the so-called elliptic curve cryptography (ECC) over the non-ECC is that it on Elliptic Curves from a Prominent requires smaller keys to provide the same level of security. Family over the Prime Field Fp.
    [Show full text]
  • Abelian Varieties
    Abelian Varieties J.S. Milne Version 2.0 March 16, 2008 These notes are an introduction to the theory of abelian varieties, including the arithmetic of abelian varieties and Faltings’s proof of certain finiteness theorems. The orginal version of the notes was distributed during the teaching of an advanced graduate course. Alas, the notes are still in very rough form. BibTeX information @misc{milneAV, author={Milne, James S.}, title={Abelian Varieties (v2.00)}, year={2008}, note={Available at www.jmilne.org/math/}, pages={166+vi} } v1.10 (July 27, 1998). First version on the web, 110 pages. v2.00 (March 17, 2008). Corrected, revised, and expanded; 172 pages. Available at www.jmilne.org/math/ Please send comments and corrections to me at the address on my web page. The photograph shows the Tasman Glacier, New Zealand. Copyright c 1998, 2008 J.S. Milne. Single paper copies for noncommercial personal use may be made without explicit permis- sion from the copyright holder. Contents Introduction 1 I Abelian Varieties: Geometry 7 1 Definitions; Basic Properties. 7 2 Abelian Varieties over the Complex Numbers. 10 3 Rational Maps Into Abelian Varieties . 15 4 Review of cohomology . 20 5 The Theorem of the Cube. 21 6 Abelian Varieties are Projective . 27 7 Isogenies . 32 8 The Dual Abelian Variety. 34 9 The Dual Exact Sequence. 41 10 Endomorphisms . 42 11 Polarizations and Invertible Sheaves . 53 12 The Etale Cohomology of an Abelian Variety . 54 13 Weil Pairings . 57 14 The Rosati Involution . 61 15 Geometric Finiteness Theorems . 63 16 Families of Abelian Varieties .
    [Show full text]
  • 25 Modular Forms and L-Series
    18.783 Elliptic Curves Spring 2015 Lecture #25 05/12/2015 25 Modular forms and L-series As we will show in the next lecture, Fermat's Last Theorem is a direct consequence of the following theorem [11, 12]. Theorem 25.1 (Taylor-Wiles). Every semistable elliptic curve E=Q is modular. In fact, as a result of subsequent work [3], we now have the stronger result, proving what was previously known as the modularity conjecture (or Taniyama-Shimura-Weil conjecture). Theorem 25.2 (Breuil-Conrad-Diamond-Taylor). Every elliptic curve E=Q is modular. Our goal in this lecture is to explain what it means for an elliptic curve over Q to be modular (we will also define the term semistable). This requires us to delve briefly into the theory of modular forms. Our goal in doing so is simply to understand the definitions and the terminology; we will omit all but the most straight-forward proofs. 25.1 Modular forms Definition 25.3. A holomorphic function f : H ! C is a weak modular form of weight k for a congruence subgroup Γ if f(γτ) = (cτ + d)kf(τ) a b for all γ = c d 2 Γ. The j-function j(τ) is a weak modular form of weight 0 for SL2(Z), and j(Nτ) is a weak modular form of weight 0 for Γ0(N). For an example of a weak modular form of positive weight, recall the Eisenstein series X0 1 X0 1 G (τ) := G ([1; τ]) := = ; k k !k (m + nτ)k !2[1,τ] m;n2Z 1 which, for k ≥ 3, is a weak modular form of weight k for SL2(Z).
    [Show full text]
  • Elliptic Curves, Isogenies, and Endomorphism Rings
    Elliptic curves, isogenies, and endomorphism rings Jana Sot´akov´a QuSoft/University of Amsterdam July 23, 2020 Abstract Protocols based on isogenies of elliptic curves are one of the hot topic in post-quantum cryptography, unique in their computational assumptions. This note strives to explain the beauty of the isogeny landscape to students in number theory using three different isogeny graphs - nice cycles and the Schreier graphs of group actions in the commutative isogeny-based cryptography, the beautiful isogeny volcanoes that we can walk up and down, and the Ramanujan graphs of SIDH. This is a written exposition 1 of the talk I gave at the ANTS summer school 2020, available online at https://youtu.be/hHD1tqFqjEQ?t=4. Contents 1 Introduction 1 2 Background 2 2.1 Elliptic curves . .2 2.2 Isogenies . .3 2.3 Endomorphisms . .4 2.4 From ideals to isogenies . .6 3 CM and commutative isogeny-based protocols 7 3.1 The main theorem of complex multiplication . .7 3.2 Diffie-Hellman using groups . .7 3.3 Diffie-Hellman using group actions . .8 3.4 Commutative isogeny-based cryptography . .8 3.5 Isogeny graphs . .9 4 Other `-isogenies 10 5 Supersingular isogeny graphs 13 5.1 Supersingular curves and isogenies . 13 5.2 SIDH . 15 6 Conclusions 16 1Please contact me with any comments or remarks at [email protected]. 1 1 Introduction There are three different aspects of isogenies in cryptography, roughly corresponding to three different isogeny graphs: unions of cycles as used in CSIDH, isogeny volcanoes as first studied by Kohel, and Ramanujan graphs upon which SIDH and SIKE are built.
    [Show full text]
  • Lectures on the Combinatorial Structure of the Moduli Spaces of Riemann Surfaces
    LECTURES ON THE COMBINATORIAL STRUCTURE OF THE MODULI SPACES OF RIEMANN SURFACES MOTOHICO MULASE Contents 1. Riemann Surfaces and Elliptic Functions 1 1.1. Basic Definitions 1 1.2. Elementary Examples 3 1.3. Weierstrass Elliptic Functions 10 1.4. Elliptic Functions and Elliptic Curves 13 1.5. Degeneration of the Weierstrass Elliptic Function 16 1.6. The Elliptic Modular Function 19 1.7. Compactification of the Moduli of Elliptic Curves 26 References 31 1. Riemann Surfaces and Elliptic Functions 1.1. Basic Definitions. Let us begin with defining Riemann surfaces and their moduli spaces. Definition 1.1 (Riemann surfaces). A Riemann surface is a paracompact Haus- S dorff topological space C with an open covering C = λ Uλ such that for each open set Uλ there is an open domain Vλ of the complex plane C and a homeomorphism (1.1) φλ : Vλ −→ Uλ −1 that satisfies that if Uλ ∩ Uµ 6= ∅, then the gluing map φµ ◦ φλ φ−1 (1.2) −1 φλ µ −1 Vλ ⊃ φλ (Uλ ∩ Uµ) −−−−→ Uλ ∩ Uµ −−−−→ φµ (Uλ ∩ Uµ) ⊂ Vµ is a biholomorphic function. Remark. (1) A topological space X is paracompact if for every open covering S S X = λ Uλ, there is a locally finite open cover X = i Vi such that Vi ⊂ Uλ for some λ. Locally finite means that for every x ∈ X, there are only finitely many Vi’s that contain x. X is said to be Hausdorff if for every pair of distinct points x, y of X, there are open neighborhoods Wx 3 x and Wy 3 y such that Wx ∩ Wy = ∅.
    [Show full text]
  • Elliptic Curve Cryptography and Digital Rights Management
    Lecture 14: Elliptic Curve Cryptography and Digital Rights Management Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) March 9, 2021 5:19pm ©2021 Avinash Kak, Purdue University Goals: • Introduction to elliptic curves • A group structure imposed on the points on an elliptic curve • Geometric and algebraic interpretations of the group operator • Elliptic curves on prime finite fields • Perl and Python implementations for elliptic curves on prime finite fields • Elliptic curves on Galois fields • Elliptic curve cryptography (EC Diffie-Hellman, EC Digital Signature Algorithm) • Security of Elliptic Curve Cryptography • ECC for Digital Rights Management (DRM) CONTENTS Section Title Page 14.1 Why Elliptic Curve Cryptography 3 14.2 The Main Idea of ECC — In a Nutshell 9 14.3 What are Elliptic Curves? 13 14.4 A Group Operator Defined for Points on an Elliptic 18 Curve 14.5 The Characteristic of the Underlying Field and the 25 Singular Elliptic Curves 14.6 An Algebraic Expression for Adding Two Points on 29 an Elliptic Curve 14.7 An Algebraic Expression for Calculating 2P from 33 P 14.8 Elliptic Curves Over Zp for Prime p 36 14.8.1 Perl and Python Implementations of Elliptic 39 Curves Over Finite Fields 14.9 Elliptic Curves Over Galois Fields GF (2n) 52 14.10 Is b =0 a Sufficient Condition for the Elliptic 62 Curve6 y2 + xy = x3 + ax2 + b to Not be Singular 14.11 Elliptic Curves Cryptography — The Basic Idea 65 14.12 Elliptic Curve Diffie-Hellman Secret Key 67 Exchange 14.13 Elliptic Curve Digital Signature Algorithm (ECDSA) 71 14.14 Security of ECC 75 14.15 ECC for Digital Rights Management 77 14.16 Homework Problems 82 2 Computer and Network Security by Avi Kak Lecture 14 Back to TOC 14.1 WHY ELLIPTIC CURVE CRYPTOGRAPHY? • As you saw in Section 12.12 of Lecture 12, the computational overhead of the RSA-based approach to public-key cryptography increases with the size of the keys.
    [Show full text]
  • Canonical Heights and Division Polynomials 11
    CANONICAL HEIGHTS AND DIVISION POLYNOMIALS ROBIN DE JONG AND J. STEFFEN MULLER¨ Abstract. We discuss a new method to compute the canonical height of an algebraic point on a hyperelliptic jacobian over a number field. The method does not require any geometrical models, neither p-adic nor complex analytic ones. In the case of genus 2 we also present a version that requires no factori- sation at all. The method is based on a recurrence relation for the `division polynomials' associated to hyperelliptic jacobians, and a diophantine approx- imation result due to Faltings. 1. Introduction In [EW] G. Everest and T. Ward show how to approximate to high precision the canonical height of an algebraic point on an elliptic curve E over a number field K with a limit formula using the (recurrence) sequence of division polynomials φn associated to E, and a diophantine approximation result. The φn have natural analogues for jacobians of hyperelliptic curves. In [Uc2] Y. Uchida shows how to obtain recurrence relations for the φn for hyperelliptic jaco- bians of dimension g ≥ 2. Further there exists a suitable analogue of the diophantine approximation result employed by Everest and Ward, proved by G. Faltings. In this paper we derive a limit formula for the canonical height of an algebraic point on a hyperelliptic jacobian from these inputs. We have implemented the resulting method for computing canonical heights in Magma for g = 2. The method does not require geometrical models, neither p-adic nor complex analytic ones. If the curve is defined over Q and the coordinates of the point are integral, then it also requires no factorisation.
    [Show full text]
  • Commutative Algebraic Groups up to Isogeny, in Which the Problems Raised by Imperfect fields Become Tractable; This Yields Rather Simple and Uniform Structure Results
    Commutative algebraic groups up to isogeny Michel Brion Abstract Consider the abelian category Ck of commutative group schemes of finite type over a field k. By results of Serre and Oort, Ck has homological dimension 1 (resp. 2) if k is algebraically closed of characteristic 0 (resp. positive). In this article, we explore the abelian category of commutative algebraic groups up to isogeny, defined as the quotient of Ck by the full subcategory Fk of finite k-group schemes. We show that Ck/Fk has homological dimension 1, and we determine its projective or injective objects. We also obtain structure results for Ck/Fk, which take a simpler form in positive characteristics. Contents 1 Introduction 2 2 Structure of algebraic groups 5 2.1 Preliminaryresults ............................... 5 2.2 Characteristiczero ............................... 8 2.3 Positive characteristics . 10 3 The isogeny category of algebraic groups 12 3.1 Definitionandfirstproperties . .. .. 12 3.2 Divisiblegroups................................. 17 3.3 Fieldextensions................................. 20 4 Tori, abelian varieties, and homological dimension 22 arXiv:1602.00222v2 [math.AG] 27 Sep 2016 4.1 Tori ....................................... 22 4.2 Abelianvarieties ................................ 24 4.3 Vanishingofextensiongroups . 28 5 Structure of isogeny categories 30 5.1 Vector extensions of abelian varieties . 30 5.2 Semi-abelian varieties . 35 5.3 Productdecompositions ............................ 36 1 1 Introduction There has been much recent progress on the structure of algebraic groups over an arbitrary field; in particular, on the classification of pseudo-reductive groups (see [CGP15, CP15]). Yet commutative algebraic groups over an imperfect field remain somewhat mysterious, e.g., extensions with unipotent quotients are largely unknown; see [To13] for interesting results, examples, and questions.
    [Show full text]
  • Lecture 2: Abelian Varieties the Subject of Abelian Varieties Is Vast
    Lecture 2: Abelian varieties The subject of abelian varieties is vast. In these notes we will hit some highlights of the theory, stressing examples and intuition rather than proofs (due to lack of time, among other reasons). We will note analogies with the more concrete case of elliptic curves (as in [Si]), as well as places where elliptic curves provide a poor guide for what to expect. In addition, we will use the complex-analytic theory and the example of Jacobians as sources of inspiration and examples to illustrate general results. For arithmetic purposes it is essential to allow the ground field to be of arbitrary characteristic (e.g., finite fields), and not algebraically closed. At the end, we explain Chabauty's clever argument that proves the Mordell conjecture for curves of genus g ≥ 2 whose Jacobian has Mordell{Weil rank less than g. In later lectures we will bootstrap from the case of individual abelian varieties to \families" of abelian varieties, or as we will call them, abelian schemes. This concept, along with related notions such as \good reduction" and \semistable reduction" will be an essential ingredient in Faltings' method. But for this lecture we restrict attention to the more concrete setting of a single fixed abelian variety over a field. Nonetheless, the later need for a mature theory of families over a parameter space of mixed-characteristic (even for the special case of modular curves over Z(p), required to make sense of \reduction mod p" for modular curves) forces us to allow arbitrary ground fields, including imperfect ones like Fp(t), as those always show up at generic points of special fibers when the parameter space has positive-dimensional fibers in each characteristic, as will happen in nearly all examples of moduli spaces that arise in Faltings' work and throughout arithmetic geometry.
    [Show full text]