Chapter 10

Hyperelliptic Curves

This is a chapter from version 2.0 of the book “Mathematics of Public Key Cryptography” by Steven Galbraith, available from http://www.math.auckland.ac.nz/˜sgal018/crypto- book/crypto-book.html The copyright for this chapter is held by Steven Galbraith. This book was published by Cambridge University Press in early 2012. This is the extended and corrected version. Some of the Theorem/Lemma/Exercise numbers may be different in the published version. Please send an email to [email protected] if youfind any mistakes.

Hyperelliptic curves are a natural generalisation of elliptic curves, and it was suggested by Koblitz [346] that they might be useful for public key cryptography. Note that there is not a group law on the points of a hyperelliptic curve; instead we use the divisor class group of the curve. The main goals of this chapter are to explain the geometry of hyperelliptic curves, to describe Cantor’s algorithm [118] (and variants) to compute in the divisor class group of hyperelliptic curves, and then to state some basic properties of the divisor class group. Definition 10.0.1. Letk be a perfectfield. LetH(x),F(x) k[x] (we stress that H(x) andF(x) are not assumed to be monic). An affine algebraic∈ set of the formC: y2 +H(x)y=F(x) is called a hyperelliptic equation. The hyperelliptic involution ι:C C is defined byι(x, y)=(x, y H(x)). → − − Exercise 10.0.2. LetC be a hyperelliptic equation overk. Show that ifP C(k) then ι(P) C(k). ∈ ∈ When the projective closure (in an appropriate space) of the algebraic setC in Defini- tion 10.0.1 is irreducible, dimension 1, non-singular and of genusg 2 then we will call it a hyperelliptic curve. By definition, a curve is projective and non-singular.≥ We will give conditions for when a hyperelliptic equation is non-singular. Exercise 10.1.20 will give a projective non-singular model, but in practice one can work with the affine hyperelliptic equation. To “see” the points at infinity we will move them to points on a related affine equation, namely the curveC † of equation (10.3). The classical definition of a hyperelliptic curve (over an algebraically closedfield k) is that it is a non-singular projective irreducible curveC over k (usually of genusg 2) with a degree 2 rational mapφ:C P 1 over k. This is equivalent toC having≥ an (affine) equation of the formy 2 +→H(x)y=F(x) over k. WhenC is defined over a non-algebraically closedfieldk then the existence of a rational mapφ:C P 1 over k does not imply the existence of such a map overk, and soC might not have→ an equation

201 202 CHAPTER 10. HYPERELLIPTIC CURVES overk of this form. This subtlety does not arise when working overfinitefields (to show this, combine Theorem 10.7.4 with the Riemann-Roch theorem), hence we will define hyperelliptic curves using a generalisation of the Weierstrass equation. The genus has already been defined (see Definition 8.4.8) as a measure of the com- plexity of a curve. The treatment of the genus in this chapter is very “explicit”. We will give precise conditions (Lemmas 10.1.6 and 10.1.8) that explain when the degree of a hyperelliptic equation is minimal. From this minimal degree we define the genus. In contrast, the approach of most other authors is to use the Riemann-Roch theorem. 0 We remark that one can also consider the algebraic group quotient PicFq (C)/[ 1] of equivalence classes D, D whereD is a reduced divisor. For genus 2 curves this object− can be described as{ a variety,− } called the Kummer surface. It is beyond the scope of this book to give the details of this case. We refer to Chapter 3 of Cassels and Flynn [123] for background. Gaudry [244] and Gaudry and Lubicz [247] have given fast algorithms for computing with this algebraic group quotient.

10.1 Non-Singular Models for Hyperelliptic Curves

Consider the singular points on the affine curveC(x, y)=y 2 +H(x)y F(x) = 0. The − partial derivatives are∂C(x, y)/∂y=2y+H(x) and∂C(x, y)/∂x=H ′(x)y F ′(x), − so a singular point in particular satisfies 2F ′(x) +H(x)H ′(x) = 0. IfH(x) = 0 and if the characteristic ofk is not 2 thenC is non-singular over k if and only ifF(x) has no repeated root in k.

Exercise 10.1.1. Show that the curvey 2 +H(x)y=F(x) overk has no affine singular points if and only if one of the following conditions hold.

1. char(k) = 2 andH(x) is a non-zero constant.

2 2 2. char(k) = 2,H(x) is a non-zero polynomial and gcd(H(x), F ′(x) F(x)H ′(x) ) = 1. −

3. char(k)= 2,H(x) = 0 and gcd(F(x),F ′(x)) = 1. 6 2 4. char(k)= 2,H(x)= 0 and gcd(H(x) + 4F(x),2F ′(x) +H(x)H ′(x)) = 1 (this 6 6 applies even whenH(x)=0 orH ′(x) = 0).

We will now give a simple condition for when a hyperelliptic equation is geometrically irreducible and of dimension 1.

Lemma 10.1.2. LetC(x, y) =y 2 +H(x)y F(x) overk be a hyperelliptic equation. − Suppose that deg(F(x)) is odd. Suppose also that there is no pointP=(x P , yP ) C(k) such that(∂C(x, y)/∂x)(P)=(∂C(x, y)/∂y)(P)=0. Then the affine algebraic set∈ V(C(x, y)) is geometrically irreducible. The dimension ofV(C(x, y)) is1.

Proof: From Theorem 5.3.10,C(x, y) = 0 is k-reducible if and only ifC(x, y) factors over k[x, y]. By consideringC(x, y) as an element of k(x)[y] it follows that such a factorisation must be of the formC(x, y)=(y a(x))(y b(x)) witha(x), b(x) k[x]. Since deg(F) is odd it follows that deg(a(x))=− deg(b(x−)) and that at least∈ one ofa(x) andb(x) is non-constant. Hencea(x) b(x) is6 a non-constant polynomial, so letx k be a rootof − P ∈ a(x) b(x) and sety P =a(x P ) =b(x P ) so that (xP , yP ) C( k). It is then easy to check that− both partial derivatives vanish atP . Hence, under∈ the conditions of the Lemma, V(C(x, y)) is k-irreducible and so is an affine variety. 10.1. NON-SINGULAR MODELS FOR HYPERELLIPTIC CURVES 203

Now thatV(C(x, y)) is known to be a variety we can consider the dimension. The functionfield of the affine variety isk(x)(y), which is a quadratic algebraic extension of k(x) and so has transcendence degree 1. Hence the dimension of is 1. The proof of Lemma 10.1.2 shows that a hyperelliptic equationy 2 +H(x)y F(x) corresponds to a geometrically irreducible curve as long as it does not factorise− as (y a(x))(y b(x)) over k[x]. In practice it is not hard to determine whether or not there− exist polynomials− a(x), b(x) k[x] such thatH(x) = a(x) b(x) andF(x) = a(x)b(x). So determining if a hyperelliptic∈ equation is geometrically− − irreducible is easy.− LetH(x), F(x) k[x] be such thaty 2 +H(x)y=F(x) is a non-singular affine curve. DefineD = max deg(∈ F(x)), deg(H(x)) + 1 . The projective closure ofC inP 2 is given by { } 2 D 2 D 1 D y z − +z − H(x/z)y=z F(x/z). (10.1)

Exercise 10.1.3. Show that ifD> 2 then there are at most two points at infinity on the curve of equation (10.1). Show further that ifD> 3 and deg(F)> deg(H) + 1 then there is a unique point (0 : 1 : 0) at infinity, which is a singular point.

In Definition 10.1.15 we will define the genus of a hyperelliptic curve in terms of the degree of the hyperelliptic equation. To do this it will be necessary to have conditions that ensure that this degree is minimal. Example 10.1.4 and Exercise 10.1.5 show how a hyperelliptic equation that is a variety can be isomorphic to an equation of significantly lower degree (remember that isomorphism is only defined for varieties).

2 200 101 3 Example 10.1.4. The curvey + xy=x +x +x + 1 overF 2 (which is irreducible 2 3 and non-singular) is isomorphic overF 2 to the curveY + xY=x + 1 via the map (x, y) (x, Y+x 100). 7→ Exercise 10.1.5. Letk be anyfield. Show that the affine algebraic varietyy 2 + (1 2x3)y= x 6 +x 3 +x + 1 is isomorphic to a variety having an equation of total degree− 2. Show that− the resulting curve has genus 0.

Lemma 10.1.6. Letk be a perfectfield of characteristic 2 andh(x), f(x) k[x]. Suppose the hyperelliptic equationC:y 2 +h(x)y=f(x) is a variety. Then it is∈ isomorphic over k toY 2 +H(x)Y=F(x) where one of the following conditions hold:

1. deg(F(x))> 2 deg(H(x)) and deg(F(x)) is odd;

2 2. deg(F(x)) = 2 deg(H(x)) = 2d and the equationu +H du+F 2d has no solution in d d 1 2d k (whereH(x) =H dx +H d 1x − + +H 0 andF(x) =F 2dx + +F 0); − ··· ··· 3. deg(F(x))< deg(H(x)).

i Proof: Letd H = deg(H(x)) andd F = deg(F(x)). The change of variablesy=Y+ cx transformsy 2 +H(x)y=F(x) toY 2 +H(x)Y=F(x) +c 2x2i +H(x)cx i. Hence, if deg(F(x))> 2 deg(H(x)) and deg(F(x)) is even then one can remove the leading coefficient by choosingi = deg(F(x))/2 andc= √F2i (remember that char(k) = 2 andk is perfect soc k). Similarly, if deg(H(x)) j = deg(F(x))< 2 deg(H(x)) then one can ∈ i ≤ remove the leading coefficientF j x fromF by takingi=j deg(H(x)) andc=F j /HdH . Repeating these processes yields thefirst and third claims.− The second case follows easily.  Note that in the second case in Lemma 10.1.6 one can lower the degree using a k- isomorphism. Hence, geometrically (i.e., over k) one can assume that a hyperelliptic equation is of the form of case 1 or 3. 204 CHAPTER 10. HYPERELLIPTIC CURVES

2 3 6 Example 10.1.7. The affine curvey +x y=x +x + 1 is isomorphic overF 22 to 2 3 3 2 Y +x Y=x + 1 viaY=y+ux whereu F 22 satisfiesu +u = 1. (Indeed, these curves are quadratic twists; see Definition 10.2.2.)∈ Lemma 10.1.8. Letk be afield such that char(k)= 2. Every hyperelliptic curve over 6 2 d 2d k is isomorphic overk to an equation of the formy + (Hdx + +H 0)y=F 2dx + 2d 1 ··· F2d 1x − + +F 0 where either: − ··· 1.H d = 0 and (F2d = 0 orF 2d 1 = 0); 6 − 6 2 2.H d = 0 and (F2d = (H d/2) orF 2d 1 = H dHd 1/2). 6 6 − − 6 − − Proof: IfH d =F 2d =F 2d 1 = 0 then just replaced byd 1. IfH d = 0 and both 2 − − 6 Hd d F2d = (H d/2) andF 2d 1 = H dHd 1/2 then the morphism (x, y) (x, Y=y+ 2 x ) maps− the hyperelliptic equation− − to − 7→

Hd d 2 d Hd d 2d 2d 1 (Y x ) + (Hdx + +H 0)(Y x ) (F 2dx +F 2d 1x − + +F 0). − 2 ··· − 2 − − ··· This can be shown to have the form Y 2 +h(x)Y=f(x) with deg(h(x)) d 1 and deg(f(x)) 2d 2. (This is what happened in Exercise 10.1.5.)  ≤ − ≤ − Exercise 10.1.9. Show that the hyperelliptic curvey 2 + (2x3 + 1)y= x 6 +x 5 +x+1 is isomorphic toY 2 +Y=x 5 +x 3 +x+1. −

10.1.1 Projective Models for Hyperelliptic Curves For the rest of the chapter we will assume that our hyperelliptic equations are k-irreducible and non-singular as affine algebraic sets. We also assume that when char(k) = 2 one of the conditions of Lemma 10.1.6 holds and when char(k)= 2 one of the conditions of Lemma 10.1.8 holds. The interpretation of deg(H(x)) and6 deg(F(x)) in terms of the genus of the curve will be discussed in Section 10.1.3. There are several ways to write down a non-singular projective model for a hyperel- liptic curve. The simplest is to use weighted projective space. Definition 10.1.10. Letk be a perfectfield andH(x),F(x) k[x]. LetC:y 2 + ∈ H(x)y=F(x) be a hyperelliptic equation. WriteH j for the coefficients ofH(x) and Fj for the coefficients ofF(x). Defined H = deg(H(x)) andd F = deg(F(x)). Let d = max d , d /2 and supposed> 0. SetH = =H = 0 andF = = { H ⌈ F ⌉} d ··· dH +1 2d ··· FdF +1 = 0 if necessary. The weighted projective hyperelliptic equation is the equation

2 d d 1 d 2d 2d 1 2d Y +(HdX +Hd 1X − Z+ +H 0Z )Y=F 2dX +F2d 1X − Z+ +F 0Z (10.2) − ··· − ··· in weighted projective space whereX andZ have weight 1 andY has weightd. Points (x, y) on the affine equation correspond to points (x:y : 1) on the weighted projective equation. If the original affine algebraic set is non-singular then the corre- sponding points on the weighted projective model are also non-singular (since singularity is a local property). The mapι onC extends toι(X:Y:Z)=(X: Y H(X,Z):Z) whereH(X,Z) is the degreed homogenisation ofH(x). Points with− −Z = 0 correspond to the points at infinity. Lemma 10.1.11 shows that there are at most two points at infinity on this equation and that they are not singular on this equation. 10.1. NON-SINGULAR MODELS FOR HYPERELLIPTIC CURVES 205

Lemma 10.1.11. The points at infinity on equation (10.2) are of the form (1 :α: 2 0) whereα k satisfiesα +H dα F 2d = 0. If the conditions of Lemma 10.1.6 or Lemma 10.1.8∈ hold as appropriate, then− the points at infinity are non-singular. Proof: LetZ = 0. IfX = 0 thenY = 0 (which is not a projective point) so we may assume thatX = 1. The points at infinity are therefore as claimed. To study non-singularity, make the problem affine by settingX = 1. The equation is

2 d d C† :Y + (Hd +H d 1Z+ H 0Z )Y=F 2d +F 2d 1Z+ F 0Z . (10.3) − ··· − ···

The partial derivatives evaluated at (α,0) are 2α+H d andH d 1α F 2d 1. When − − − char(k)= 2 the point being singular would implyH d = 2α in which caseF 2d = 2 6 2 2 − α +H dα= α = (H d/2) andF 2d 1 =H d 1α= H dHd 1/2. One easily sees that these equations− contradict− the conditions− of Lemma− 10.1.8.− − 2 When char(k) = 2 the point being singular would implyH d = 0 (and soα =F 2d) andH d 1α=F 2d 1. First consider the caseF 2d = 0. Thenα = 0 and soF 2d 1 = 0, but − − − this contradicts the definition ofd. Now consider the caseF 2d = 0, so thatα= 0. Since deg(H(x)) d 1 we are in case 1 of Lemma 10.1.6, but then deg(6 F(x)) must6 be odd, which is a≤ contradiction.−  Example 10.1.12. Letk be a perfectfield with char(k)= 2. The curvey 2 =F(x) where deg(F(x)) is odd has a single point (1 : 0 : 0) at infi6 nity. Exercise 10.1.13. LetC be a hyperelliptic equation as in Definition 10.0.1. Letd= 2 max deg(H(x)), deg(F(x))/2 . Show that the curveC † :Y +H(Z)Y=F(Z) in equation{ (10.3) has⌈ max deg(⌉H}(Z)), deg(F(Z))/2 =d. { ⌈ ⌉} Theorem 10.1.14 justifies the use of the word “curve”. Theorem 10.1.14. LetC(x, y)=y 2 +H(x)y F(x) overk be a hyperelliptic equation that is geometrically irreducible as an affine algebraic− set. Suppose there is no pointP= (xP , yP ) C( k) such that(∂C(x, y)/∂x)(P)=(∂C(x, y)/∂y)(P)=0. Suppose further that the∈ conditions of Lemma 10.1.6 or Lemma 10.1.8 hold as appropriate. Then the associated weighted projective algebraic set of equation (10.2) is geometrically irreducible, has dimension 1, is non-singular, and is birational to the hyperelliptic equation. Recall that Lemma 10.1.2 gave some conditions for when the affine algebraic set V(C(x, y)) is k-irreducible. Proof: It follows immediately that the projective algebraic set of equation (10.2) is k-irreducible and has dimension 1. Non-singularity has been explained already. The birational map from the weighted projective equation toC is simplyφ(X:Y:Z) = (X/Z, Y/Zd).  From a practical point of view one does not need to work with weighted projective 2 space. LetC:y +H(x)y=F(x) be the original curve and letC † be the curve of equation (10.3). Consider the birational mapρ:C C † given by (Z, Y)=ρ(x, y) = d → (1/x,y/x ). ThenC andC † give two “affine parts” of the projective curve and every point on the curve lies on at least one of these affine algebraic sets. This birational map corresponds to the isomorphism (X:Y:Z) (Z:Y:X) from the weighted projective 7→ model ofC to the weighted projective model ofC †. We canfinally give a formal definition for a hyperelliptic curve. Technically, we should distinguish the terms “hyperelliptic equation” and “hyperelliptic curve”, since the former is an affine variety whose “obvious” projective closure is singular. In practice, we abuse notation and call the affine hyperelliptic equation a hyperelliptic curve. 206 CHAPTER 10. HYPERELLIPTIC CURVES

Definition 10.1.15. Letk be a perfectfield. LetH(x), F(x) k[x] be such that: ∈ deg(H(x)) 3 or deg(F(x)) 5; • ≥ ≥ the affine hyperelliptic equationy 2+H(x)y=F(x) is k-irreducible and non-singular; • the conditions of Lemma 10.1.6 and Lemma 10.1.8 hold. • The non-singular projective curve of equation (10.2) is called a hyperelliptic curve. The genus of the hyperelliptic curve isg = max deg(H(x)) 1, deg(F(x)) 1)/2 (see Section 10.1.3 for justification of this). { − ⌊ − ⌋} It looks like Definition 10.1.15 excludes some potentially interesting equations (such asy 2 +H(x)y=F(x) where deg(F(x)) = 4 and deg(H(x)) = 2). In fact, it can be shown that all the algebraic sets excluded by the definition are either k-reducible, singular over k, or birational over k to a curve of genus 0 or 1 over k. 2 The equationα +H dα F 2d = 0 in Lemma 10.1.11 can have ak-rational repeated root, two roots ink, or two− conjugate roots in k. It follows that there are three possible behaviours at infinity: a singlek-rational point, two distinctk-rational points, a pair of distinct points defined over a quadratic extension ofk (which are Galois conjugates). These three cases correspond to the fact that the place at infinity ink[x] is ramified, split or inert respectively in thefield extensionk(C)/k(x). A natural terminology for the three types of behaviour at infinity is therefore to call them ramified, split and inert. Definition 10.1.16. LetC be a hyperelliptic curve as in Definition 10.1.15. We denote the points at infinity on the associated hyperelliptic curve by + = (1 :α + : 0) and + ∞ − = (1 :α − : 0) (when there is only one point, set = = − = (1 :α : 0)). If ∞there is a single point at infinity then equation (10.2)∞ is called∞ a rami∞ fied model of a + hyperelliptic curve. If there are two distinct points at infinity then whenα ,α − k + ∈ equation (10.2) is called a split model of a hyperelliptic curve and whenα ,α − k it is an inert model of a hyperelliptic curve. 6∈ Onefinds in the literature the names imaginary hyperelliptic curve (respec- tively, real hyperelliptic curve) for ramified model and split model respectively. Ex- ercise 10.1.18 classifies ramified hyperelliptic models. Exercise 10.1.19 shows that if C(k)=∅ then one may transformC into a ramified or split model. Hence, when working overfi6 nitefields, it is not usually necessary to deal with curves having an inert model. + Exercise 10.1.17. With notation as in Definition 10.1.16 show thatι( ) = −. ∞ ∞ Exercise 10.1.18. LetC:y 2 +H(x)y=F(x) be a hyperelliptic curve overk satisfying all the conditions above. Letd = max deg(H(x)), deg(F(x))/2 . Show that this is a ramified model if and only if (deg(H(x{))

We now indicate a different projective model for hyperelliptic curves. Exercise 10.1.20. Let the notation and conditions be as above. AssumeC:y 2 + H(x)y=F(x) is irreducible and non-singular as an affine curve. LetY,X d,Xd 1 ...,X1,X0 d+1 i − be coordinates forP (one interpretsX i =x ). The projective hyperelliptic equa- tion is the projective algebraic set inP d+1 given by

2 2 2 Y + (HdXd +H d 1Xd 1 + +H 0X0)Y=F 2dXd +F 2d 1XdXd 1 + +F 1X1X0 +F 0X0 , − − ··· 2 − − ··· Xi =X i 1Xi+1 , for1 i d 1, − ≤ ≤ − XdXi =X (d+i)/2 X (d+i)/2 , for0 i d 2. ⌈ ⌉ ⌊ ⌋ ≤ (10.4)≤ −

1. Give a birational map (assuming for the moment that the above model is a variety) between the affine algebraic setC and the model of equation (10.4). 2. Show that the hyperelliptic involutionι extends to equation (10.4) as

ι(Y:X d : :X 0) = ( Y H dXd H d 1Xd 1 H 0X0 :X d : :X 0) ··· − − − − − −···− ···

3. Show that the points at infinity on equation (10.4) satisfyX 0 =X 1 =X 2 = = 2 2 ··· Xd 1 = 0 andY +H dXdY F 2dXd = 0. Show that ifF 2d =H d = 0 then there is a single− point at infinity. −

4. Show that if the conditions of Lemma 10.1.6 or Lemma 10.1.8 hold then equa- tion (10.4) is non-singular at infinity. 5. Show that equation (10.4) is a variety.

10.1.2 Uniformizers on Hyperelliptic Curves The aim of this section is to determine uniformizers for all points on hyperelliptic curves. We begin in Lemma 10.1.21 by determining uniformizers for the affine points of a hyper- elliptic curve. Lemma 10.1.21. LetP=(x , y ) C(k) be a point on a hyperelliptic curve. If P P ∈ P=ι(P) then(y y P ) is a uniformizer atP (andv P (x x P ) = 2). IfP=ι(P) then (x x ) is a uniformizer− atP. − 6 − P Proof: We have

(y y )(y+y +H(x )) =y 2 +H(x )y (y 2 +H(x )y ) − P P P P − P P P =F(x) +y(H(x ) H(x)) F(x ). P − − P

Now, use the general fact for any polynomial thatF(x) =F(x P )+(x xP )F ′(xP ) (mod (x x )2). Hence, the above expression is congruent modulo (x x )2−to − P − P 2 (x x )(F ′(x ) yH ′(x )) (mod (x x ) ). − P P − P − P 2 WhenP=ι(P ) then (y y )(y+(y +H(x ))) = (y y ) . Note also thatF ′(x ) − P P P − P P − yP H′(xP ) is not zero since 2yP +H(x P ) = 0 and yetC is not singular. WritingG(x, y)= (y y )2/(x x ) k[x, y] we haveG(x , y )= 0 and − P − P ∈ P P 6 1 x x = (y y )2 . − P − P G(x, y) 208 CHAPTER 10. HYPERELLIPTIC CURVES

Hence, a uniformizer atP is (y y ) andv (x x ) = 2. − P P − P For the caseP=ι(P ) note thatv P (y y P )> 0 andv P (y+y P +H(x P )) = 0. It follows thatv (y6 y ) v (x x ). −  P − P ≥ P − P We now consider uniformizers at infinity on a hyperelliptic curveC overk. The easiest way to proceed is to use the curveC † of equation (10.3).

Lemma 10.1.22. LetC be a hyperelliptic curve and letρ:C C † be as in equa- + + + → + tion (10.3). LetP=ρ( ) = (0,α ) C †(k). Ifι( ) = (i.e., if there is one ∞ + ∈ ∞ ∞ d + point at infinity) thenY α is a uniformizer atP onC † and so(y/x ) α is a + − + + − uniformizer at onC. Ifι( )= thenZ is a uniformizer atP onC † (i.e.,1/x is a uniformizer∞ at + onC).∞ 6 ∞ ∞ Proof: Note that ifι( +) = + thenι(P)=P and ifι( +)= + thenι(P)=P. It immediately follows∞ from Lemma∞ 10.1.21 thatY α +∞orZ is6 a∞ uniformizer at6 P on − C†. Lemma 8.1.13, Exercise 8.2.11 and Lemma 8.2.9 show that for anyf k(C †) and P C(k),v (f ρ) =v (f). Hence, uniformizers at infinity onC are(Y∈ α +) ρ= ∈ P ◦ ρ(P) − ◦ (y/xd) α + orZ ρ=1/x.  − ◦ Exercise 10.1.23. LetC be a hyperelliptic curve in ramified model. Show thatv (x) = 2. Show that if the curve has equationy 2 =F(x) where deg(F(x)) = 2g + 1 then∞x g/y −is an alternative uniformizer at infinity.

Now supposeC is given as a split or inert model. Show thatv + (x) =v − (x) = 1. ∞ ∞ − Exercise 10.1.24. LetC be a hyperelliptic curve (ramified, split or inert). Ifu(x) = (x x 0) is a function onC andP 0 = (x0, y0) C( k) then div(u(x)) = (P0) + (ι(P0)) −+ ∈ − ( ) ( −). ∞ − ∞ Exercise 10.1.25. LetC be a hyperelliptic curve of genusg. Show that ifC is in ramified model thenv (y)= (2g+1) and ifC is in split model thenv + (y)=v − (y)= (g+1). ∞ − ∞ ∞ − Exercise 10.1.26. LetC be a hyperelliptic curve. LetA(x),B(x) k[x] and letP= ∈ (xP , yP ) C( k) be a point on the affine curve. Show thatv P (A(x) yB(x)) is equal to e where∈ (x x )e (A(x)2 +H(x)A(x)B(x) F(x)B(x) 2). − − P k − Exercise 10.1.27. Describe uniformizers at infinity in terms of the model of equa- tion (10.4).

We now describe a polynomial that will be crucial for arithmetic on hyperelliptic curves with a split model. Essentially,G +(x) is a function that cancels the pole ofy at +. This leads to another choice of uniformizer at + for these models. ∞ ∞ Exercise 10.1.28. LetC:y 2 +H(x)y=F(x) be a hyperelliptic curve in split model + 2 overk of genusg. Letα ,α − k be the roots ofY +H dY F 2d. Show that there exists a polynomialG +(x) =α +xd ∈+ k[x] of degreed=g + 1− such that deg(G +(x)2 + + ···∈ H(x)G (x) F(x)) d 1=g. Similarly, show that there is a polynomialG −(x) = d − ≤ − 2 α−x + such that deg(G −(x) +H(x)G −(x) F(x)) d 1=g. Indeed, show that ··· + − ≤ − G−(x) = G (x) H(x). − − Exercise 10.1.29. LetC:y 2 +H(x)y=F(x) be a hyperelliptic curve in split model + + overk of genusg and letG (x) be as in Exercise 10.1.28. Show thatv + (y G (x)) 1. ∞ − ≥ 10.2. ISOMORPHISMS, AUTOMORPHISMS AND TWISTS 209

10.1.3 The Genus of a Hyperelliptic Curve In Lemma 10.1.6 and Lemma 10.1.8 we showed that some hyperelliptic equationsy 2 + h(x)y=f(x) are birational to hyperelliptic equationsy 2+H(x)y=F(x) with deg(F(x))< deg(f(x)) or deg(H(x))< deg(h(x)). Hence, it is natural to suppose that the geometry of the curveC imposes a lower bound on the degrees of the polynomialsH(x) andF(x) in its curve equation. The right measure of the complexity of the geometry is the genus. Indeed, the Riemann-Roch theorem implies that ifC is a hyperelliptic curve overk of genusg and there is a functionx k(C) of degree 2 thenC is birational overk to an equation of the formy 2 +H(x)y∈=F(x) with deg(H(x)) g + 1 and deg(F(x)) 2g + 2. Furthermore, the Hurwitz genus formula shows that≤ ify 2 +H(x)y=F(x≤) is non-singular and with degrees reduced as in Lemma 10.1.6 and Lemma 10.1.8 then the genus is max deg(H(x)) 1, deg(F(x))/2 1 . (Theorem 8.7.3, as it is stated, cannot be applied for{ hyperelliptic− ⌈ curves in characteristic− ⌉} 2, but a more general version of the Hurwitz genus formula proves the above statement about the genus.) Hence, writing d=g + 1, the conditions of Lemma 10.1.6 and Lemma 10.1.8 together with deg(H(x)) =d or 2d 1 deg(F(x)) 2d (10.5) − ≤ ≤ are equivalent to the curvey 2 +H(x)y=F(x) having genusg. It is not necessary for us to prove the Riemann-Roch theorem or the Hurwitz genus formula. Our discussion of Cantor reduction (see Lemma 10.3.20 and Lemma 10.4.6) will directly prove a special case of the Riemann-Roch theorem for hyperelliptic curves, namely that every divisor class contains a representative corresponding to an effective divisor of degree at mostg=d 1. The reader should interpret− the phrase “hyperelliptic curve of genusg” as meaning the conditions of Lemma 10.1.6 and Lemma 10.1.8 together with equation (10.5) on the degrees ofH(x) andF(x) hold.

10.2 Isomorphisms, Automorphisms and Twists

We consider maps between hyperelliptic curves in this section. We are generally interested in isomorphisms over k rather than justk. In the elliptic curve case (see Section 9.3) there was no loss of generality by assuming that isomorphismsfix infinity (since any isomorphism can be composed with a translation map). Since the points on a hyperelliptic curve do not, in general, form a group, one can no longer make this assumption. Nevertheless, many researchers have restricted attention to the special case of maps between curves that map points at infinity (with respect to an affine model of the domain curve) to points at infinity on the image curve. Theorem 10.2.1 classifies this special case. In this chapter, and in the literature as a whole, isomorphisms are usually not assumed tofix infinity. For example, the isomorphismρ P defined earlier in Exercise 10.1.19 does notfix infinity. Isomorphisms that map points at infinity to points at infinity map ramified models to ramified models and unramified models to unramified models. 2 2 Theorem 10.2.1. LetC 1 :y 1 +H 1(x1)y1 =F 1(x1) andC 2 :y 2 +H 2(x2)y2 =F 2(x2) be hyperelliptic curves overk of genusg. Then every isomorphismφ:C C overk that 1 → 2 maps points at infinity ofC 1 to points at infinity ofC 2 is of the form

φ(x1, y1) = (ux1 +r,wy 1 +t(x 1)) where u,w,r k andt k[x 1]. IfC 1 andC 2 have ramified models then deg(t) g. If C andC have∈ split∈ or inert models then deg(t) g+1 and the leading coefficient≤ of 1 2 ≤ 210 CHAPTER 10. HYPERELLIPTIC CURVES

+ + t(x ) is not equal to the leading coefficient of wG (x ) or wG −(x ) (whereG and 1 − 1 − 1 G− are as in Exercise 10.1.28). Proof: (Sketch) The proof is essentially the same as the proof of Proposition 3.1(b) of Silverman [564]; one can alsofind the ramified case in Proposition 1.2 of Lockhart [392]. One notes that the valuations at infinity ofx 1 andx 2 have to agree, and similarly fory 1 andy 2. It follows thatx 2 lies in same Riemann-Roch spaces asx 1 and similarly fory 2 andy 1. The result follows (thefinal conditions are simply that the valuations at infinity ofy 1 andy 2 must agree, so we are prohibited from settingy 2 =w(y 1 +t(x)) such that it lowers the valuation ofy 2).  We now introduce quadratic twists in the special case offinitefields. As mentioned in Example 9.5.2, when working in characteristic zero there are infinitely many quadratic twists. Definition 10.2.2. LetC:y 2 =F(x) be a hyperelliptic curve over afinitefieldk where 2 char(k)= 2. Letu k ∗ be a non-square (i.e., there is nov k ∗ such thatu=v ) and defineC6 (u) :y 2 =∈uF(x). ∈ LetC:y 2 +H(x)y=F(x) be a hyperelliptic curve over afinitefieldk where char(k) = 2. Letu k be such that Tr (u)=1. DefineC (u) :y 2 +H(x)y=F(x) +uH(x) 2. ∈ k/F2 In both cases thek-isomorphism class of the curveC (u) is called the non-trivial quadratic twist ofC. Exercise 10.2.3. Show that the quadratic twist is well-defined whenk is afinitefield. In other words, show that in the case char(k)= 2 ifu andu ′ are two different non-squares (u) 6 (u′) ink ∗ then the corresponding curvesC andC as in Definition 10.2.2 are isomorphic overk. Similarly, when chark = 2 and for two different choices of trace one elements (u) (u′) u, u′ k, show that the corresponding curvesC andC are isomorphic overk. ∈ Exercise 10.2.4. LetC be a hyperelliptic curve over afinitefieldk and letC (u) be a (u) non-trivial quadratic twist. Show that #C(Fq) + #C (Fq) = 2(q + 1). Exercise 10.2.5. LetC:y 2 =F(x) be a hyperelliptic curve of genusg overk (where char(k)= 2). Show thatC is isomorphic over k to a curve of the form 6 2 Y =X(X 1)(X a 1)(X a 2) (X a 2g 1) − − − ··· − − for somea 1, a2, . . . , a2g 1 k. − ∈ Exercise 10.2.5 indicates that one generally needs 2g 1 values to specify a hyperelliptic curve of genusg (in fancy terminology: the moduli space− of genusg hyperelliptic curves has dimension 2g 1). It is natural to seek an analogue of thej-invariant for hyperelliptic − curves (i.e., some parametersj 1, . . . , j2g 1 associated with each curveC such thatC 1 is − isomorphic over k toC 2 if and only if the corresponding valuesj 1, . . . , j2g 1 are equal). Such values have been given by Igusa in the case of genus 2 curves and Shioda− [550] for genus 3 curves. It is beyond the scope of this book to present and explain them. We refer to Igusa [304] and Section 5.1.6 of [16] for details of the Igusa invariants. A natural problem (analogous to Exercise 9.3.7 for the case of elliptic curves) is to write down a genus 2 curve corresponding to a given triple of values for the Igusa invariants. Mestre [420] has given an algorithm to do this for curves overfinitefields 1 (for details also see Section 7 of Weng [628]). We now consider automorphisms. Define Aut(C) to be the set of all isomorphisms φ:C C over k. As usual, Aut(C) is a group under composition. → 1It can also be applied over infinitefields. 10.2. ISOMORPHISMS, AUTOMORPHISMS AND TWISTS 211

Lemma 10.2.6. LetC be a hyperelliptic curve overk. The hyperelliptic involution commutes with every element of Aut(C). Furthermore, letφ:C P 1 be the canonical morphismφ(x, y) =x. For every automorphismψ:C C there is→ a linear fractional transformationγ:P 1 P 1 (i.e.,γ(x) = (ax+b)/(→cx+d) for some a, b, c, d k such that ad bc= 0) such that→ the following diagram commutes ∈ − 6 ψ CC✲

φ φ ❄ ❄ γ✲ P1 P1

Proof: The result follows from Theorem III.7.3 of Farkas and Kra [200] (which uses the notion of Weierstrass points) and Corollaries 2 and 3 on page 102 of [200]. Exercise 10.2.7. Prove Lemma 10.2.6 in the special case of automorphisms that map points at infinity to points at infinity. Show that, in this case,γ has no denominator.

2 p Example 10.2.8. Letp> 2 be a prime andC:y =x x overF p. Fora F p∗, b F p one has isomorphisms − ∈ ∈

φa(x, y)=(ax, √ay) andψ b, (x, y)=(x+b, y) ± ± ± fromC to itself (in both cases theyfix the point at infinity). Hence, the subgroup of Aut(C) consisting of maps thatfix infinity is a group of at least 2p(p 1) elements. There is also the birational mapρ(x, y)=( 1/x,y/x (p+1)/2) that− corresponds to an isomorphismρ:C C on the projective curve.− This morphism does notfix infinity. → 2 Since all the compositionsψ b′, ρ ψ b, φ a are distinct one has 2p (p 1) isomorphisms of this form. Hence, Aut(C) has± ◦ size◦ at± least◦ 2p(p 1)+2p 2(p 1)=2−p(p + 1)(p 1). − − − 2 p Exercise 10.2.9. Letp> 2 be a prime andC:y =x x + 1 overF p. Show that the subgroup of Aut(C) consisting of automorphisms thatfix− infinity has order 2p.

2 n Exercise 10.2.10. Letp> 2 be a prime andC:y =x + 1 overF p withn=p (whenn=p the equation is singular). Show that the subgroup of Aut(C) consisting6 of automorphisms thatfix infinity has order 2n. We now give the important Hurwitz-Roquette theorem, which bounds the size of the automorphism group. Theorem 10.2.11. (Hurwitz-Roquette) LetC be a curve of genusg over afieldk such that char(k)>g+1 and such thatC is not isomorphic to the curve of Example 10.2.8. Then #Aut(C) 84(g 1). ≤ − Proof: The case char(k) = 0 is Exercise IV.2.5 of Hartshorne [278] and the general case is due to Roquette [501].  Stichtenoth [587] has given the bound #Aut(C) 16g 4, which applies even when char(k) g + 1 for all curvesC except the Hermitian curve≤ y q +y=x q+1. We≤ refer to Chapter 2 of Gaudry’s thesis [243] for a classification of Aut(C) when the genus is two. There are many challenges to determining/classifying Aut(C) for hyperel- liptic curves; we do not attempt a complete analysis of the literature.

2 5 Exercise 10.2.12. Letp 1 (mod 8) and letC:y =x + Ax overF p. Writeζ 8 Fp ≡ 2 ∈ for a primitive 8-th root of unity. Show thatζ 8 F p4 . Show thatψ(x, y)=(ζ 8 x,ζ 8y) is an automorphism ofC. Show thatψ 4 =ι. ∈ 212 CHAPTER 10. HYPERELLIPTIC CURVES

10.3 Effective Affine Divisors on Hyperelliptic Curves

This section is about how to represent effective divisors on affine hyperelliptic curves, and algorithms to compute with them. A convenient way to represent divisors is using Mumford representation, and this is only possible if the divisor is semi-reduced.

Definition 10.3.1. LetC be a hyperelliptic curve overk and denote byC A 2 the affine curve. Aneffective affine divisor onC is ∩ X D= nP (P) P (C A 2)(k) ∈ ∩ wheren P 0 (and, as always,n P = 0 for onlyfinitely manyP ). A divisor onC is semi-reduced≥ if it is an effective affi6 ne divisor and for allP (C A 2)(k) we have ∈ ∩ 1. IfP=ι(P ) thenn 0,1 . P ∈{ } 2. IfP=ι(P ) thenn > 0 impliesn = 0. 6 P ι(P) We slightly adjust the notion of equivalence for divisors onC A 2. ∩ Definition 10.3.2. LetC be a hyperelliptic curve over afieldk and letf k(C). We ∈ define X div(f) A 2 = v (f)(P). ∩ P P (C A 2)(k) ∈ ∩ 2 Two divisorsD,D ′ onC A are equivalent, writtenD D ′, if there is some function ∩ 2 ≡ f k(C) such thatD=D ′ + div(f) A . ∈ ∩ Lemma 10.3.3. LetC be a hyperelliptic curve. Every divisor onC A 2 is equivalent to a semi-reduced divisor. ∩ P Proof: LetD= P C A 2 nP (P ). By Exercise 10.1.24 the functionx x P has divisor ∈ ∩ − (P)+(ι(P )) onC A 2. Ifn < 0 for someP (C A 2)(k) then, by adding an ∩ P ∈ ∩ appropriate multiple of div(x x P ), one can arrange thatn P = 0 (this will increase n ). Similarly, ifn > 0 and−n > 0 (or ifP=ι(P ) andn 2) then subtracting a ι(P) P ι(P) P ≥ multiple of div(x x P ) lowers the values ofn P andn ι(P) . Repeating this process yields a semi-reduced divisor.− 

Example 10.3.4. LetP 1 = (x1, y1) andP 2 = (x2, y2) be points on a hyperelliptic curve C such thatx 1 =x 2. LetD= (P 1) + 2(P2) + (ι(P2)). ThenD is not semi-reduced. One has 6 −

D + div(x x ) =D+(P ) + (ι(P )) = (ι(P )) + 2(P ) + (ι(P )), − 1 1 1 1 2 2 which is still not semi-reduced. Subtracting div(x x ) from the above gives − 2 D + div((x x )/(x x )) = (ι(P )) + (P ), − 1 − 2 1 2 which is semi-reduced. 10.3. EFFECTIVE AFFINE DIVISORS ON HYPERELLIPTIC CURVES 213

10.3.1 Mumford Representation of Semi-Reduced Divisors Mumford [445] introduced2 a representation for semi-reduced divisors. The condition that the divisor is semi-reduced is crucial: if pointsP=(x P , yP ) and (xP , yP′ ) with y =y ′ both appear in the support of the divisor then no polynomialv(x) can satisfy P 6 P bothv(x P ) =y P andv(x P ) =y P′ . P l Lemma 10.3.5. LetD= i=1 ei(xi, yi) be a non-zero semi-reduced divisor on a hyper- elliptic curveC:y 2 +H(x)y=F(x) (henceD is affine and effective). Define

Yl u(x) = (x x )ei k[x]. − i ∈ i=1

Then there is a unique polynomialv(x) k[x] such that deg(v(x))< deg(u(x)),v(x i) =y i for all1 i l, and ∈ ≤ ≤ v(x)2 +H(x)v(x) F(x) 0 (modu(x)). (10.6) − ≡ In particular,v(x) = 0 if and only ifu(x) F(x). |

Proof: SinceD is semi-reduced there is no conflict in satisfying the conditionv(x i) =y i. If alle i = 1 then the result is trivial. For eachi such thate i > 1 writev(x) =y i + (x ei − xi)W(x) for some polynomialW(x). We computev(x) (mod (x x i) ) so it satisfies 2 ei − v(x) +H(x)v(x) F(x) 0 (mod (x x i) ) by Hensel lifting (see Section 2.13) as 2 − ≡ − j j follows: Ifv(x) +H(x)v(x) F(x) = (x x i) Gj (x) then setv †(x) =v(x) +w(x x i) wherew is an indeterminate− and note that− −

2 j j+1 v†(x) +H(x)v †(x) F(x) (x x ) (G (x) + 2v(x)w+H(x)w) (mod (x x ) ). − ≡ − i j − i

It suffices tofindw such that this is zero, in other words, solveG j (xi)+w(2yi+H(x i)) = 0. SinceD is semi-reduced, we know 2y i +H(x i)= 0 (sinceP=ι(P ) impliesn P = 1). The result follows by the Chinese remainder theorem.6 

Definition 10.3.6. LetD be a non-zero semi-reduced divisor. The polynomials (u(x), v(x)) of Lemma 10.3.5 are the Mumford representation ofD. IfD = 0 then takeu(x) = 1 andv(x) = 0. A pair of polynomialsu(x), v(x) k[x] is called a Mumford represen- tation ifu(x) is monic, deg(v(x))< deg(u(x))∈ and if equation (10.6) holds.

We have shown that every semi-reduced divisorD has a Mumford representation and that the polynomials satisfying the conditions in Definition 10.3.6 are unique. We now show thatQ one can easily recover anP affine divisorD from the pair (u(x), v(x)): write l l u(x) = (x x )ei and letD= e (x , v(x )). i=1 − i i=1 i i i Exercise 10.3.7. Show that the processes of associating a Mumford representation to a divisor and associating a divisor to a Mumford representation are inverse to each other. More precisely, letD be a semi-reduced divisor on a hyperelliptic curve. Show that if one representsD in Mumford representation and then obtains a corresponding divisorD ′ as explained above, thenD ′ =D.

2Mumford remarks on page 3-17 of [445] that a special case of these polynomials arises in the work of Jacobi. However, Jacobi only gives a representation for semi-reduced divisors withg points in their support, rather than arbitrary semi-reduced divisors. 214 CHAPTER 10. HYPERELLIPTIC CURVES

Exercise 10.3.8. Letu(x), v(x) k[x] be such that equation (10.6) holds. LetD be the corresponding semi-reduced divisor.∈ Show that X D= min v (u(x)), v (y v(x)) (P). { P P − } P (C A 2)(k) ∈ ∩ This is called the greatest common divisor of div(u(x)) and div(y v(x)) and is denoted div(u(x), y v(x)). − −

Exercise 10.3.9. Let (u1(x), v1(x)) and (u2(x), v2(x)) be the Mumford representations of two semi-reduced divisorsD andD . Show that if gcd(u (x), u (x)) = 1 then Supp(D ) 1 2 1 2 1 ∩ Supp(D2) =∅.

Lemma 10.3.10. LetC be a hyperelliptic curve overk and letD be a semi-reduced divisor onC with Mumford representation(u(x), v(x)). Letσ Gal( k/k). ∈ 1.σ(D) is semi-reduced.

2. The Mumford representation ofσ(D) is(σ(u(x)),σ(v(x))).

3.D is defined overk if and only ifu(x), v(x) k[x]. ∈ Exercise 10.3.11. Prove Lemma 10.3.10.

Exercise 10.3.8 shows that the Mumford representation of a semi-reduced divisorD is natural from the point of view of principal divisors. This explains why condition (10.6) is the natural definition for the Mumford representation. There are two other ways to understand condition (10.6). First, the divisorD corresponds to an ideal in the ideal class group of the affine coordinate ringk[x, y] and condition (10.6) shows this ideal is equal to thek[x, y]-ideal (u(x), y v(x)). Second, from a purely algorithmic point of view, condition (10.6) is needed− to make the Cantor reduction algorithm work (see Section 10.3.3). A divisor class contains infinitely many divisors whose affine part is semi-reduced. Later we will define a reduced divisor to be one whose degree is sufficiently small. One can then consider whether there is a unique such representative of the divisor class. This issue will be considered in Lemma 10.3.24 below. Exercise 10.3.12 is relevant for the index calculus algorithms on hyperelliptic curves and it is convenient to place it here.

Exercise 10.3.12. A semi-reduced divisorD defined overk with Mumford representation (u(x), v(x)) is said to be a prime divisor if the polynomialu(x) is irreducible overk. Show that ifD is not a prime divisor, thenD can be efficiently expressedQ as a sum ci of prime divisors by factoringu(x). More precisely, showP that ifu(x) = ui(x) is the complete factorization ofu(x) overk, thenD= c div(u (x), y v (x)) where i i − i vi(x) =v(x) modu i(x).

10.3.2 Addition and Semi-Reduction of Divisors in Mumford Rep- resentation We now present Cantor’s algorithm [118]3 for addition of semi-reduced divisors on a hyperelliptic curveC. As above, we take a purely geometric point of view. An alternative,

3The generalisation of Cantor’s algorithm to all hyperelliptic curves was given by Koblitz [346]. 10.3. EFFECTIVE AFFINE DIVISORS ON HYPERELLIPTIC CURVES 215 and perhaps more natural, interpretation of Cantor’s algorithm is multiplication of ideals ink[x, y] k(C). ⊂ Given two semi-reduced divisorsD 1 andD 2 with Mumford representation (u1(x), v1(x)) and (u2(x), v2(x)) we want to compute the Mumford representation (u3(x), v3(x)) of the sumD 1 +D 2. Note that we are not yet considering reduction of divisors in the divisor class group. There are two issues that make addition not completely trivial. First, ifP is in the support ofD 1 andι(P ) is in the support ofD 2 then we remove a suitable multiple of (P)+(ι(P )) fromD 1 +D 2. Second, we must ensure that the Mumford representation takes multiplicities into account (i.e., so that equation (10.6) holds for (u3(x), v3(x))). Example 10.3.13. LetP=(x , y ) ony 2 +H(x)y=F(x) be such thatP=ι(P ). P P 6 LetD 1 =D 2 = (P ) so thatu 1(x) =u 2(x) = (x x P ) andv 1(x) =v 2(x) =y P . Then − 2 D1 +D 2 = 2(P ). The Mumford representation for this divisor hasu 3(x) = (x x P ) and v(x) =y +w(x x ) for somew k. To satisfy equation (10.6) onefinds that− P − P ∈ y2 + 2y w(x x ) +H(x)y +wH(x)(x x ) F(x) 0 (mod (x x )2). P P − P P − P − ≡ − P 2 WritingF(x) F(x P )+F ′(xP )(x xP ) (mod (x xP ) ) andH(x) H(x P )+H ′(xP )(x x ) (mod (x≡ x )2) gives − − ≡ − P − P F ′(x ) y H′(x ) w= P − P P , 2yP +H(x P ) which is defined sinceP=ι(P ). 6 To help motivate the formula forv 3(x) in Theorem 10.3.14 we now make some obser- vations. First, note that the equation 1 =s (x)(x x ) +s (x)(2y +H(x)) 1 − P 3 P has the solution 1 s3(x) = ands 1(x) = s 3(x)(H′(xP ) + (x x P )G(x)) 2yP +H(x P ) − − 2 whereG(x) = (H(x) H(x P ) H ′(xP )(x x P ))/(x x P ) . In other words, we have − − −2 − H(x) =H(x ) + (x x )H′(x ) + (x x ) G(x). Furthermore, note that P − P P − P v(x) s (x)(x x )y +s (x)(y2 +F(x)) (mod (x x )2). ≡ 1 − P P 3 P − P The core of Cantor’s addition and semi-reduction algorithm is to decide which func- tions (x x ) are needed (and to which powers) to obtain a semi-reduced divisor equivalent − P toD 1 +D 2. The crucial observation is that ifP is in the support ofD 1 andι(P ) is in the support ofD then (x x ) u (x),(x x ) u (x) andv (x ) = v (x ) H(x ) 2 − P | 1 − P | 2 1 P − 2 P − P and so (x x P ) (v 1(x)+v2(x)+H(x)). The exact formulae are given in Theorem 10.3.14. The process− is| called Cantor’s addition algorithm or Cantor’s composition algo- rithm.

Theorem 10.3.14. Let(u 1(x), v1(x)) and(u 2(x), v2(x)) be Mumford representations of two semi-reduced divisorsD 1 andD 2. Lets(x) = gcd(u 1(x), u2(x), v1(x) +v 2(x) +H(x)) and lets (x), s (x), s (x) k[x] be such that 1 2 3 ∈ s(x) =s 1(x)u1(x) +s 2(x)u2(x) +s 3(x)(v1(x) +v 2(x) +H(x)). 2 Defineu 3(x) =u 1(x)u2(x)/s(x) and

v3(x) = (s1(x)u1(x)v2(x) +s 2(x)u2(x)v1(x) +s 3(x)(v1(x)v2(x) +F(x)))/s(x). (10.7) Thenu (x), v (x) k[x] and the Mumford representation of the semi-reduced divisorD 3 3 ∈ equivalent toD 1 +D 2 is(u 3(x), v3(x)). 216 CHAPTER 10. HYPERELLIPTIC CURVES

Proof: LetD=D +D div(s(x)) A 2 so thatD is equivalent toD +D . By the 1 2 − ∩ 1 2 “crucial observation” above,s(x) has a rootx P for some pointP=(x P , yP ) on the curve if and only ifP andι(P ) lie in the supports ofD 1 andD 2. Taking multiplicities into account, it follows thatD is semi-reduced. It is immediate thats(x) 2 u (x)u (x) and sou (x) k[x]. It is also immediate that | 1 2 3 ∈ u3(x) is the correctfirst component of the Mumford representation ofD. To showv (x) k[x] rewritev (x) as 3 ∈ 3 v (s s u s (v +v +H)) +s u v +s (v v +F) v = 2 − 2 2 − 3 1 2 2 2 1 3 1 2 (10.8) 3 s =v +s (v v )(u /s) +s (F v H v 2)/s. (10.9) 2 2 1 − 2 2 3 − 2 − 2 Sinces(x) u (x) andu (x) (F v H v 2) the result follows. | 2 2 | − 2 − 2 We now need the equation

(v +v +H)(v y) (y v )(y v ) (modu ). (10.10) 1 2 3 − ≡ − 1 − 2 3

This is proved by inserting the definition ofv 3 from equation (10.7) to get

(v +v +H)(v y) (v +v +H)y+(s u (v2 +Hv F)+s u (v2 +Hv F) 1 2 3 − ≡− 1 2 1 1 2 2 − 2 2 1 1 − +(v1v2 +F )(s 1u1 +s 2u2 +s 3(v1 +v 2 +H))/s (modu 3(x)).

2 Then using (y v 1)(y v 2) =F (v 1 +v 2 +H)y+v 1v2 andu i (v i +Hv i F) for i=1, 2 proves− equation− (10.10). − | − Finally, it remains to prove that equation (10.6) holds. We do this by showing that

v (v(x)2 +H(x)v(x) F(x)) v (u(x)) P − ≥ P for allP=(x , y ) Supp(D). Supposefirst thatP=ι(P ) and that (x x )e u (x). P P ∈ 6 − P k 3 Then it is sufficient to show thatv P (y v 3(x)) e. This will follow from equa- tion (10.10). First note thatv (y v ) =v− ((v +v≥+H)(v y)) and that this is at least P − 3 P 1 2 3 − min vP (u3), vP ((y v 1)(y v 2)) . Thenv P (y v 1)+vP (y v 2) v P (u1(x))+vP (u2(x)) e. { − − } − − ≥ ≥ Now for the caseP=ι(P) Supp(D). Recall that such points only occur in semi- ∈ reduced divisors with multiplicity 1. Sinceu 3(x) is of minimal degree we know (x x ) u (x). It suffices to show thatv (x ) =y , but this follows from equation (10.9).− P k 3 3 P P Without loss of generality,P Supp(D 2) andP Supp(D 1) (ifP Supp(D i) for both i=1, 2 thenP Supp(D)) so∈ (x x )∤s(x),v 6∈ (x ) =y and (∈u /s)(x ) = 0. Hence 6∈ − P 2 P P 2 P v3(xP ) =v 2(xP ) + 0 =y P . 

2 2 5 Exercise 10.3.15. LetC:y +(x +2x+10)y=x +x+1 overF 11. LetD 1 = (0,4)+(6,4) andD 2 = (0, 4) + (1, 1). Determine the Mumford representation ofD 1,D2,2D 1,D1 +D 2.

We remark that, in practical implementation, one almost always has gcd(u1(x), u2(x)) = 1 and sos(x) = 1 and the addition algorithm can be simplified. Indeed, it is possible to give explicit formulae for the general cases in the addition algorithm for curves of small genus, we refer to Sections 14.4, 14.5 and 14.6 of [16].

Exercise 10.3.16. Show that the Cantor addition algorithm for semi-reduced divisors of degree m has complexityO(m 2M(log(q)) bit operations. ≤ 10.3. EFFECTIVE AFFINE DIVISORS ON HYPERELLIPTIC CURVES 217

10.3.3 Reduction of Divisors in Mumford Representation Suppose we have an affine effective divisorD with Mumford representation (u(x), v(x)). We wish to obtain an equivalent divisor (affine and effective) whose Mumford represen- tation has deg(u(x)) of low degree. We will show in Theorem 10.3.21 and Lemma 10.4.6 that one can ensure deg(u(x)) g, whereg is the genus; we will call such divisors reduced. The idea is to consider ≤ �
2 u†(x) = monic (v(x) +H(x)v(x) F(x))/u(x) , v†(x) = v(x) H(x) (modu †(x)) − − − �
(10.11) k where monic u0 +u 1x+ +u kx foru k = 0 is defined to be (u0/uk) + (u1/uk)x+ k ··· 6 +x . Obtaining (u†(x), v†(x)) from (u(x), v(x)) is a Cantor reduction step. This ···operation appears in the classical reduction theory of binary quadratic forms. Lemma 10.3.17. LetD be an affine effective divisor on a hyperelliptic curveC with Mumford representation(u(x), v(x)). Define(u †(x), v†(x)) as in equation (10.11). Then (u†(x), v†(x)) is the Mumford representation of a semi-reduced divisorD † andD † D onC A 2. ≡ ∩ Proof: One checks that (u†(x), v†(x)) satisfies condition (10.6) and so there is an asso- ciated semi-reduced divisorD †. WriteD=(P 1) + +(P n) (where the same point can appear more than once). Then div(y v(x)) A ···2 = (P ) + +(P ) + (P ) + +(P ) for some points − ∩ 1 ··· n n+1 ··· n+m Pn+1,...,Pn+m (not necessarily distinct from the earliern points, or from each other) and div(v(x)2 +H(x)v(x) F(x)) A 2 = div((y v(x))( y H(x) v(x))) A 2 = − ∩ − − − − ∩ (P ) + (ι(P )) + +(P ) + (ι(P )). Now, div(u†(x)) = (P ) + (ι(P )) + 1 1 ··· n+m n+m n+1 n+1 +(P n+m) + (ι(Pn+m)). It follows thatD † = (ι(Pn+1)) + +(ι(P n+m)) and that ··· 2 2 ··· D=D † + div(y v(x)) A div(u†(x)) A .  − ∩ − ∩ Example 10.3.18. Consider

C:y 2 =F(x) =x 5 + 2x4 8x 3 + 10x2 + 40x+1 − overQ. LetP 1 = ( 4,1),P 2 = ( 2,5),P 3 = (0, 1) andD=(P 1) + (P2) + (P3). The Mumford representation− ofD is (u(−x), v(x)) = (x(x + 2)(x+4), x 2 4x + 1), which is − − easily checked by noting thatv(x Pi ) =y�Pi for 1 i 3.
2 ≤ ≤ 2 To reduceD one setsu †(x) = monic (v(x) F(x))/u(x) = monic( x + 5x 6)= − − − (x 3)(x 2) andv †(x) = v(x) (modu †(x)) = 9x 7. −One can− check that div(−y v(x)) = (P ) + (P −) + (P ) + (P ) + (P ) whereP = − 1 2 3 4 5 4 (2, 11) andP 5 = (3, 20), that div(u †(x)) = (P4) + (ι(P4)) + (P5) + (ι(P5)) and that − − 2 D div(u †(x), y v †(x)) A = (ι(P )) + (ι(P )). See Figure 10.1 for an illustration. ≡ − ∩ 4 5 Exercise 10.3.19. Show that the straight linesl(x, y) andv(x) in the elliptic curve addition law (Definition 7.9.1) correspond to the polynomialsy v(x) andu †(x) (beware of the double meaning ofv(x) here) in a Cantor reduction step.− Lemma 10.3.20. LetC:y 2 +H(x)y=F(x) and let(u(x), v(x)) be the Mumford representation of a semi-reduced divisorD. Writed H = deg(H(x)), dF = deg(F(x)), d u = deg(u(x)) andd v = deg(v(x)). Letd = max d H , d F /2 . Let(u †(x), v†(x)) be the polynomials arising from a Cantor reduction step.{ ⌈ ⌉}

1. Ifd d then deg(u †(x)) d 2. v ≥ ≤ u − 2. Ifd 2d 1 andd d>d then deg(u†(x)) d 1 (this holds even ifd =d). F ≤ − u ≥ v ≤ − H 218 CHAPTER 10. HYPERELLIPTIC CURVES

Figure 10.1: Cantor reduction on a hyperelliptic curve.

ι(P5)

ι(P4) P2

P1

P3

P4

P5

3. Ifd = 2d andd > d > d then deg(u†(x)) d 1. F u v ≤ − Proof: Note thatd > d . Ifd d then u v v ≥ deg(v(x)2 +H(x)v(x) F(x)) max 2d , d +d , d max 2(d 1), d+(d 1),2d . − ≤ { v H v F }≤ { u − u − } 2 Hence, deg(u†(x)) = deg(v +Hv F) d max d 2,d 1,2d d =d 2. − − u ≤ { u − − − u} u − Ifd F 2d 1 andd u d>d v then, by a similar argument, deg(u†(x)) 2d 1 d d≤ 1.− Finally, ifd ≥ = 2d andd > d > d then deg(v2 +Hv+F)=2≤d and− − u ≤ − F u v deg(u†) = 2d d < d.  − u Theorem 10.3.21. SupposeC:y 2 +H(x)y=F(x) is a hyperelliptic curve of genusg with deg(F(x)) 2g+1. Then every semi-reduced divisor is equivalent to a semi-reduced divisor of degree≤ at mostg. Proof: Perform Cantor reduction steps repeatedly. By Lemma 10.3.20 the desired con- dition will eventually hold.  Theorem 10.3.21 is an “explicit Riemann-Roch theorem” for hyperelliptic curves with a single point at infinity (also for hyperelliptic curvesy 2 +H(x)y=F(x) with two points at infinity but deg(F(x)) 2g + 1) as it shows that every divisor class contains a representative as an affine effective≤ divisor of degree at mostg. The general result is completed in Lemma 10.4.6 below. Definition 10.3.22. LetC:y 2 +H(x)y=F(x) be a hyperelliptic curve of genusg.A semi-reduced divisor onC is reduced if its degree is at mostg. Exercise 10.3.23. LetC:y 2 +H(x)y=F(x) be a hyperelliptic curve withd= max deg(H), deg(F)/2 . Let (u(x), v(x)) be the Mumford representation of a divi- sor with{ deg(⌈v(x))< deg(⌉}u(x))

Proof: First note thatd H g + 1 andd F 2g + 2. LetD 3′ =D 1 +ι (D2) so that ≤ ≤ ∗ D′ D D 0asanaffine divisor. LetD be the semi-reduced divisor equivalent 3 ≡ 1 − 2 ≡ 3 toD 3′ (i.e., by removing all occurences (P)+(ι(P ))). Note that the degree ofD 3 is at most 2g and thatD 3 = 0. SinceD 3 0 andD 3 is an effective affine divisor we have 6 2 ≡ D3 = div(G(x, y)) onC A for some non-zero polynomialG(x, y). Without loss of generalityG(x, y) =a(x)∩b(x)y. Furthermore,b(x)= 0 (since div(a(x)) is not semi- reduced for any non-constant− polynomiala(x)). 6 Exercise 10.1.26 shows that the degree of div(a(x) b(x)y) onC A 2 is the degree ofa(x) 2 +H(x)a(x)b(x) F(x)b(x) 2. We need this− degree to be∩ at most 2g. This is − easily achieved ifd F 2g (in which cased H =g + 1 for the curve to have genusg). ≤ 2 2 However, if 2g+1 d F 2g + 2 then we need either deg(a(x) ) = deg(F(x)b(x) ) or ≤ ≤ 2 deg(H(x)a(x)b(x)) = deg(F(x)b(x) ). The former case is only possible ifd F is even (i.e., dF = 2g + 2). Ifd F = 2g + 1 andd H g then the latter case implies deg(a(x)) g + 1 + deg(b(x)) and so deg(a(x)2)> deg(≤F(x)b(x) 2) and deg(G(x, y))>2g. ≥ For hyperelliptic curves offixed (small) genus it is possible to give explicit formulae for the general cases of the composition and reduction algorithms. For genus 2 curves this was done by Harley [277] (the basic idea is to formally solve foru †(x) such that 2 u†(x)u(x) = monic(v(x) +H(x)v(x) F(x)) as in equation (10.11)). For extensive discussion and details (and also for non-a− ffine coordinate systems for efficient hyperelliptic arithmetic) we refer to Sections 14.4, 14.5 and 14.6 of [16].

10.4 Addition in the Divisor Class Group

We now show how Cantor’s addition and reduction algorithms for divisors on the affine curve can be used to perform arithmetic in the divisor class group of the projective curve. Afirst remark is that Lemma 10.3.3 implies that every degree zero divisor class + + on a hyperelliptic curve has a representative of the formD+n ( ) +n −( −) where +∞ ∞ D is a semi-reduced (hence, affine and effective) divisor andn , n− Z (necessarily, + ∈ deg(D)+n +n − = 0).

10.4.1 Addition of Divisor Classes on Ramified Models On a hyperelliptic curve with ramified model there is only a single point at infinity. We will show in this section that, for such curves, one can compute in the divisor class group using only affine divisors. We use the Cantor algorithms for addition, semi-reduction, and reduction. In general, if one has a semi-reduced divisorD then, by case 1 of Lemma 10.3.20, a reduction step reduces the degree ofD by 2. Hence, at most deg(D)/2 reduction steps are possible. 220 CHAPTER 10. HYPERELLIPTIC CURVES

Theorem 10.4.1. LetC be a hyperelliptic curve with ramified model. Then every degree 0 divisor class onC has a unique representative of the formD n( ) whereD is semi- reduced and where0 n g. − ∞ ≤ ≤ Proof: Theorem 10.3.21 showed that every affine divisor is equivalent to a semi-reduced divisorD such that 0 deg(D) g. This corresponds to the degree zero divisorD n( ) wheren = deg(D). Uniqueness≤ ≤ was proved in Lemma 10.3.24. − ∞  A degree zero divisor of the formD n( ) whereD is a semi-reduced divisor of degree n and 0 n g is called reduced. We− represent∞ D using Mumford representation as (u(x), v(≤x))≤ and we know that the polynomialsu(x) andv(x) are unique. The divisor class is defined overk if and only if the corresponding polynomialsu(x), v(x) k[x]. Addition of divisors is performed using Cantor’s composition and reduction algorithms∈ as above. Exercise 10.4.2. LetC:y 2 +H(x)y=F(x) be a ramified model of a hyperelliptic curve overF q. Show that the inverse (also called the negative) of a divisor class onC represented as (u(x), v(x)) is (u(x), v(x) (H(x) (modu(x)))). − − Exercise 10.4.3. LetC be a hyperelliptic curve overk of genusg with ramified model. LetD 1 andD 2 be reduced divisors onC. Show that one can compute a reduced divisor 3 representingD 1 +D 2 inO(g ) operations ink. Show that one can compute [n]D 1 in O(log(n)g3) operations ink (here [n]D means then-fold additionD +D + +D ). 1 1 1 ··· 1 When the genus is 2 (i.e.,d = 3) and one adds two reduced divisors (i.e., effective divisors of degree 2) then the sum is an effective divisor of degree at most 4 and so only one reduction operation≤ is needed to compute the reduced divisor. Similarly, for curves of any genus, at most one reduction operation is needed to compute a reduced divisor equivalent toD+(P ) whereD is a reduced divisor (such ideas were used by Katagi, Akishita, Kitamura and Takagi [333, 332] to speed up cryptosystems using hyperelliptic curves). For larger genus there are several variants of the divisor reduction algorithm. In Sec- tion 4 of [118], Cantor gives a method that uses higher degree polynomials thany v(x) and requires fewer reduction steps. In Section VII.2.1 of [65], Gaudry presents a− reduc- tion algorithm, essentially due to Lagrange, that is useful wheng 3. The NUCOMP algorithm (originally proposed by Shanks in the numberfield setting)≥ is another useful alternative. We refer to Jacobson and van der Poorten [323] and Section VII.2.2 of [65] for details. It seems that NUCOMP should be used once the genus of the curve exceeds 10 (and possibly even forg 7). ≥ Exercise 10.4.4. LetC be a hyperelliptic curve of genus 2 over afieldk with a ramified model. Show that everyk-rational divisor class has a unique representative of one of the following four forms: 1. (P) ( ) whereP C(k), includingP= . Hereu(x) = (x x ) oru(x)=1. − ∞ ∈ ∞ − P 2. 2(P) 2( ) whereP C(k) excluding pointsP such thatP=ι(P ). Here u(x)− = (x∞x )2. ∈ − P 3. (P)+(Q) 2( ) whereP,Q C(k) are such thatP,Q= ,P=Q,P=ι(Q). Hereu(x) =− (x∞x )(x x ∈). 6 ∞ 6 6 − P − Q 4. (P)+(σ(P )) 2( ) whereP C(K) C(k) for any quadraticfield extensionK/k, Gal(K/k) =−σ ∞andσ(P) P,∈ ι(P) −. Hereu(x) is an irreducible quadratic in k[x]. h i 6∈{ } 10.4. ADDITION IN THE DIVISOR CLASS GROUP 221

Exercise 10.4.5 can come in handy when computing pairings on hyperelliptic curves.

2 2 Exercise 10.4.5. LetD 1 = div(u1(x), y v 1(x)) A andD 2 = div(u2(x), y v 2(x)) A be semi-reduced divisors on a hyperelliptic− curve∩ with ramified model over− k. Write∩ d = deg(u (x)) andd = deg(u (x)). LetD = div(u (x), y v (x)) A 2 be a semi- 1 1 2 2 3 3 − 3 ∩ reduced divisor of degreed 3 such thatD 3 d 3( ) D 1 d 1( ) +D 2 d 2( ). Show that ifd =d thenD d ( ) D D−. ∞ ≡ − ∞ − ∞ 2 3 1 − 1 ∞ ≡ 3 − 2 10.4.2 Addition of Divisor Classes on Split Models This section is rather detailed and can safely be ignored by most readers. It presents results of Paulus and R¨uck [479] and Galbraith, Harrison and Mireles [219]. LetC be a hyperelliptic curve of genusg overk with a split model. We have al- ready observed that every degree zero divisor class has a representative of the form + + + D+n ( ) +n −( −) whereD is semi-reduced andn , n− Z. Lemma 10.3.20 has shown∞ that we may∞ assume 0 deg(D) g + 1. One could consider∈ the divisor to be reduced if this is the case, but≤ this would≤ not be optimal. The Riemann-Roch theorem implies we should be able to take deg(D) g but Cantor reduction becomes “stuck” if the input divisor has degreeg+1. The following≤ simple trick allows us to reduce to semi-reduced divisors of degreeg (and this essentially completes the proof of the “Riemann-Roch theorem” for these curves). Recall the polynomialG +(x) of degreed=g + 1 from Exercise 10.1.28.

Lemma 10.4.6. Lety 2 +H(x)y=F(x) be a hyperelliptic curve of genusg overk with split model. Letu(x), v(x) be a Mumford representation such that deg(u(x)) =g+1. Define + + v‡(x) =G (x) + (v(x) G (x) (modu(x))) k[x], − ∈ where we mean thatv(x) G +(x) is reduced to a polynomial of degree at most deg(u(x)) 1 =g. Define − −   2 v‡(x) +H(x)v ‡(x) F(x) u†(x) = monic − andv †(x) = v ‡(x) H(x) (modu †(x)). u(x) − − (10.12) Then deg(u†(x)) g and ≤ 2 2 2 2 div(u(x), y v(x)) A = div(u†(x), y v †(x)) A div(u †(x)) A +div(y v ‡(x)) A . − ∩ − ∩ − ∩ − (10.13)∩

2 Proof: Note thatv ‡(x) v(x) (modu(x)) and sov ‡(x) +H(x)v ‡(x) F(x) ≡ − ≡ 0 (modu(x)), henceu †(x) is a polynomial. The crucial observation is that deg(v‡(x)) = + deg(G (x)) =d=g + 1 and so the leading coefficient ofv ‡(x) agrees with that of + 2 G (x). Hence deg(v‡(x) +H(x)v ‡(x) F(x)) 2d 1=2g + 1 and so deg(u †(x)) − ≤ − ≤ 2d 1 d=d Q1=g as claimed. To show equation (10.13) it is sufficient to write − − − l e u(x)u†(x) = (x x ) i and to note that i=1 − i Xl 2 div(y v ‡(x)) A = e (x , v‡(y )) − ∩ i i i i=1 2 2 = div(u(x), y v(x)) A + div(u†(x), y+H(x) +v †(x)) A − ∩ ∩ and that div(u†(x)) = div(u†(x), y v †(x)) + div(u†(x), y+v †(x) +H(x)). − 222 CHAPTER 10. HYPERELLIPTIC CURVES

Example 10.4.7. LetC:y 2 =F(x) =x 6 + 6 = (x 1)(x + 1)(x 2)(x +2)(x + 3 − − − 3)(x + 3) overF 7. ThenG (x) =x . Consider the divisorD = (1,0)+( 1,0)+ (2, 0) with Mumford representation (u(x), v(x)) = ((x 1)(x+1)(x 2), 0). Performing− − − standard Cantor reduction givesu †(x) =F(x)/u(x) = (x + 2)(x 3)(x + 3), which corresponds to the trivial divisor equivalenceD ( 2,0)+(3,0)+(− 3, 0). Instead, + + ≡ − 3 3 − we takev ‡ =G� (x) + ( G (x) (mod
u(x))) =x + ( x +u(x)) =u(x). Then 2 − 2 − u†(x) = monic (v‡(x) F(x))/u(x) =x + 5x + 2 andv †(x) = 3x + 5. The divisor −2 div(u†(x), y v †(x)) A is a sum (P)+(σ(P )) whereP C(F 2 ) C(F ) andσ is the − ∩ ∈ 7 − 7 non-trivial element of Gal(F72 /F7).

The operation (u(x), v(x)) (u †(x), v†(x)) of equation (10.12) is called composi- tion and reduction at infinity7→ ; the motivation for this is given in equation (10.18) below. Some authors call it a baby step. This operation can be performed even when deg(u(x))

Exercise 10.4.8. Let the notation be as in Lemma 10.4.6. Letd u = deg(u(x)) so that + 2 v‡(x) agrees withG (x) for the leadingd d + 1 coefficients and som = deg(v ‡(x) + − u H(x)v ‡(x) F(x)) d+d 1. Letd † = deg(u†(x)) so thatm=d +d † . Show that − ≤ u − u u u v − (y v ‡(x)) = d, div(y v ‡(x)) = ∞ − − − 2 2 + div(u(x), y v(x)) A +div(u†(x), y+H(x)+v †(x)) A (d u +d u† d)( ) d( −), − ∩ ∩ − − ∞ − (10.14)∞ andv + (y v ‡(x)) = (d u +d u† d). ∞ − − − We now discuss how to represent divisor classes. An obvious choice is to represent classes asD d( +) whereD is an affine effective divisor of degreed (see Paulus and R¨uck [479]− for a∞ full discussion of this case). A more natural representation, as pointed out by Galbraith, Harrison and Mireles [219], is to use balanced representations at infinity. + In other words, wheng is even, to represent divisor classes asD (g/2)(( ) + ( −)) whereD is an effective divisor of degreeg. − ∞ ∞

Definition 10.4.9. LetC be a hyperelliptic curve of genusg overk in split model. Ifg g + (g+1) + is even then defineD = 2 (( ) + ( −)). Ifg is odd then defineD = 2 ( ) + (g 1) ∞ ∞ ∞ ∞ ∞ − ( −). 2 ∞ Letu(x), v(x) k[x] be the Mumford representation of a semi-reduced divisorD= div(u(x), y v(x))∈ A 2 andn Z. Then div(u(x), v(x), n) denotes the degree zero divisor − ∩ ∈ + D+n( ) + (g deg(u(x)) n)( −) D . ∞ − − ∞ − ∞ If 0 deg(u(x)) g and 0 n g deg(u(x)) then such a divisor is called reduced. ≤ ≤ ≤ ≤ − Uniqueness of this representation is shown in Theorem 10.4.19. Wheng is odd then + one could also represent divisor classes usingD = (g+1)/2(( ) + ( −)). This is applicable in the inert case too. A problem is that∞ this would lead∞ to polynomials∞ of higher degree than necessary in the Mumford representation, and divisor class representatives would no longer necessarily be unique. It is important to realise thatu(x) andv(x) are only used to specify the affine divisor. The values ofv + (y v(x)) andv − (y v(x)) have no direct influence over the degree zero divisor under∞ consideration.− Note∞ also− that we allown Z in Definition 10.4.9 in ∈ general, but reduced divisors must haven Z 0. ∈ ≥ + For hyperelliptic curves with split model then , − k and so a divisor (u(x), v(x), n) is defined overk if and only ifu(x), v(x) k[x]. Note∞ that∞ when∈ the genus is even then ∈ 10.4. ADDITION IN THE DIVISOR CLASS GROUP 223

D isk-rational even when the model is inert, though in this case a divisor (u(x), v(x), n) with∞ n= 0 is not defined overk ifu(x), v(x) k[x]. 6 ∈ We may now consider Cantor’s addition algorithm in this setting.

Lemma 10.4.10. LetC be a hyperelliptic curve overk of genusg with split model. Let div(u1(x), v1(x), n1) and div(u2(x), v2(x), n2) be degree zero divisors as above. WriteD i = 2 2 div(ui(x), y v i(x)) A fori=1,2 and letD 3 = div(u3(x), y v 3(x)) A be the semi- − ∩ − ∩ 2 reduced divisor equivalent toD 1 +D 2, ands(x) such thatD 1 +D 2 =D 3 + div(s(x)) A . Letm=g/2 wheng is even andm=(g+1)/2 otherwise. Then ∩

div(u , v , n ) + div(u , v , n ) div(u , v , n +n + deg(s) m). (10.15) 1 1 1 2 2 2 ≡ 3 3 1 2 − Proof: We will show that

div(u , v , n ) + div(u , v , n ) = div(u , v , n +n + deg(s) m) + div(s(x)). 1 1 1 2 2 2 3 3 1 2 − The left-hand side is

+ D1 +D 2 +(n1 +n 2 m)( )+(3m deg(u 1) deg(u 2) n 1 n 2)( −) D . (10.16) − ∞ − − − − ∞ − ∞ ReplacingD +D byD + div(s(x)) A 2 has no effect on the coefficients of + or 1 2 3 ∩ ∞ −, but since we actually need div(s(x)) on the whole ofC we haveD 1 +D 2 =D 3 + ∞ + 2 div(s(x)) + deg(s(x))(( ) + ( −)). Writing div(u3, v3, n3) = div(u3, y v 3) A + + ∞ ∞ − ∩ n3( ) + (g deg(u 3) n 3)( −) D givesn 3 =n 1 +n 2 + deg(s(x)) m as required. ∞ − − ∞ − ∞ − Note that deg(u3) + deg(s) = deg(u1) + deg(u2) so the coefficient of − in equa- tion (10.16) is also correct (as it must be). ∞  We now discuss reduction of divisors on a hyperelliptic curve with a split model. We first consider the basic Cantor reduction step. There are two relevant cases for split models (namely thefirst and third cases in Lemma 10.3.20) that we handle as Lemma 10.4.11 and Exercise 10.4.12.

Lemma 10.4.11. LetC:y 2 +H(x)y=F(x) where deg(F(x)) = 2d=2g+2 be a hyperelliptic curve overk of genusg with split model. Let div(u(x), v(x), n) be a degree zero divisor as in Definition 10.4.9. Let(u †(x), v†(x)) be the polynomials arising from a Cantor reduction step (i.e.,u †(x) andv †(x) are given by equation (10.11)). If deg(v(x)) ≥ d=g+1 then setn † =n + deg(v(x)) deg(u †(x)) =n + (deg(u(x)) deg(u †(x)))/2 and − − if deg(v(x))

div(u, v, n) = div(u†, v†, n†) + div(y v(x)) div(u †(x)) (10.17) − − and div(u,v,n) div(u †, v†, n†). ≡

Proof: If deg(v(x)) d then deg(u(x)) + deg(u †(x)) = 2 deg(v(x)) andv + (y v(x)) = ≥ ∞ − v − (y v(x)) = deg(v(x)). For equation (10.17) to be satisfied we require ∞ − −

n=n † +v + (y v(x)) v + (u†(x)) ∞ − − ∞ and the formula forn † follows (the coefficients of − must also be correct, as the divisors all have degree 0). ∞ In the second case of reduction we have deg(v(x))

Exercise 10.4.12. LetC:y 2 +H(x)y=F(x) where deg(F(x))<2d=2g+2bea hyperelliptic curve overk of genusg with split model. Let div(u(x), v(x), n) be a degree zero divisor as in Definition 10.4.9 such thatd deg(u(x)). Let (u †(x), v†(x)) be the ≤ polynomials arising from a Cantor reduction step. Show that div(u, v, n) div(u †, v†, n†) ≡ where, if deg(v(x))

2 2 + div(u, y v) A D div(u†, y v †) A + ( ) ( −) D (10.18) − ∩ − ∞ ≡ − ∩ ∞ − ∞ − ∞ and so the operation corresponds to addition ofD with the degree zero divisor ( −) + + ∞ − ( ). This justifies the name “composition at infinity”. To add ( ) ( −) one should ∞ + ∞ − ∞ useG −(x) instead ofG (x) in Lemma 10.4.6. Exercise 10.4.15. Prove Lemma 10.4.14. We canfinally put everything together and obtain the main result about reduced divisors on hyperelliptic curves with split model. Theorem 10.4.16. LetC be a hyperelliptic curve overk of genusg with split model. Then every divisor class contains a reduced divisor as in Definition 10.4.9. Proof: We have shown the existence of a divisor in the divisor class with semi-reduced affine part, and hence of the form (u(x), v(x), n) withn Z. Cantor reduction and composition and reduction at infinity show that we can assume∈ deg(u(x)) g. Finally, to show that one may assume 0 n g deg(u(x)) note that Lemma 10.4.14≤ mapsn to ≤ ≤ − n† =n+(g+1) deg(u(x)). Hence, ifn>g deg(u(x)) thenn>n † 0 and continuing − − ≥ the process gives a reduced divisor. On the other hand, ifn< 0 then usingG −(x) instead one hasn † =n+g+1 deg(u †(x)) g deg(u †(x)).  − ≤ − 2 Exercise 10.4.17. LetC:y +H(x)y=F(x) be a hyperelliptic curve of genusg overF q in split model. Ifg is even, show that the inverse of div(u(x), v(x), n) is div(u(x), v(x) (H(x) (modu(x))), g deg(u(x)) n). Ifg is odd then show that computing the inverse− − of a divisor may require− performing− composition and reduction at infinity. 10.4. ADDITION IN THE DIVISOR CLASS GROUP 225

2 6 + 3 Example 10.4.18. LetC:y =x +x + 1 overF 37. Thend = 3 andG (x) =x . Let + D = (1, 22)+(2,17)+( ) ( −) D , which is represented as div(u(x), v(x), 1) where u(x) = (x 1)(x 2) =x∞2 +34− x∞+2 and− v∞(x)=32x+27. This divisor is not reduced. Then 3− − 2 2 v‡(x) =x + 25x + 33 and deg(v‡(x) F(x)) = 4. Indeed,v ‡(x) F(x)=13u(x)u †(x) 2 − − whereu †(x) =x + 28x + 2. It follows thatv †(x) = 7x + 22 and that

div(u(x), v(x),1) div(u †(x), v†(x),0), ≡ which is reduced. Explicit formulae for all these operations for genus 2 curves of the formy 2 =x 6 + 4 3 2 F4x +F 3x +F 2x +F 1x+F 0 have been given by Erickson, Jacobson, Shang, Shen and Stein [199].

Uniqueness of the Representation We have shown that every divisor class for hyperelliptic curves with a split model contains a reduced divisor. We now discuss the uniqueness of this reduced divisor, following Paulus and R¨uck [479]. Theorem 10.4.19. LetC be a hyperelliptic curve overk of genusg with split model. Then every divisor class has a unique representative of the form

+ D+n( ) + (g deg(D) n)( −) D ∞ − − ∞ − ∞ whereD is a semi-reduced divisor (hence, affine and effective) and0 n g deg(D). ≤ ≤ − Proof: Existence has already been proved using the reduction algorithms above, so it suffices to prove uniqueness. Hence, suppose

+ + D1+n1( )+(g deg(D1) n1)( −) D D 2+n2( )+(g deg(D2) n2)( −) D ∞ − − ∞ − ∞ ≡ ∞ − − ∞ − ∞ with all terms satisfying the conditions of the theorem. Then, taking the difference and + adding div(u2(x)) =D 2 +ι(D 2) deg(D 2)(( ) + ( −)), there is a functionf(x, y) such that − ∞ ∞

+ div(f(x, y)) =D +ι(D ) (n + deg(D ) n )( ) (n + deg(D ) n )( −). 1 2 − 2 2 − 1 ∞ − 1 1 − 2 ∞ Sincef(x, y) has poles only at infinity it follows thatf(x, y) =a(x) +yb(x) where a(x), b(x) k[x]. Now, 0 n i n i + deg(Di) g and so g v + (f(x, y)) = ∈ ≤ ≤ ≤ − ≤ ∞ (n2 + deg(D2) n 1) g and g v − (f(x, y)) = (n 1 + deg(D1) n 2) g. But − − ≤ − ≤ ∞ − − ≤ v + (y) =v − (y) = (g + 1) and sob(x) = 0 andf(x, y) =a(x). But div(a(x)) = ∞ ∞ − + D+ι(D) deg(a(x))(( )+( −)) and soD =D ,n +deg(D ) n =n +deg(D ) n − ∞ ∞ 1 2 1 1 − 2 2 2 − 1 andn 1 =n 2.  Exercise 10.4.20. LetC be a hyperelliptic curve overk of genusg=d 1 with split + − model. Show that ( ) ( −) is not a principal divisor and that this divisor is repre- sented as (1,0, g/2 ∞+1).− ∞ ⌈ ⌉ + Ifk=F q is afinitefield then ( ) ( −) hasfinite order. We writeR N for the + ∞ − ∞ + ∈ order of ( ) ( −) and call it the regulator. SinceR(( ) ( −)) is a principal ∞ − ∞ ∞ − ∞ + divisor there is some functionf(x, y) k(C) such that div(f)=R(( ) ( −)). It follows thatf(x, y) k[x, y] (otherwise∈ it would have some affine pole)∞ and is− a∞ unit in the ringk[x, y]. The∈ polynomialf(x, y) is called the fundamental unit of the ringk[x, y] (this is analogous to the fundamental unit of a real quadratic numberfield). 226 CHAPTER 10. HYPERELLIPTIC CURVES

Exercise 10.4.21. Show thatR g+1. ≥ Exercise 10.4.22. LetC be a hyperelliptic curve overk of genusg with split model and letP C(k) be such thatP=ι(P ). Show that the order of the divisor (P) (ι(P )) is always∈ at leastg+1. 6 −

10.5 Jacobians, Abelian Varieties and Isogenies

0 As mentioned in Section 7.8, we can consider Pick(C) as an algebraic group, by consid- ering the Jacobian varietyJ C of the curve. The fact that the divisor class group is an algebraic group is not immediate from our description of the group operation as an algorithm (rather than a formula). Indeed,J C is an Abelian variety (namely, a projective algebraic group). The dimension of the varietyJ C is equal to the genus ofC. Unfortunately, we do not have space to introduce the theory of Abelian varieties and Jacobians in this book. We remark that the Mumford representation directly gives an affine part of the Jacobian variety of a hyperelliptic curve (see Propositions 1.2 and 1.3 of Mumford [445] for the details). An explicit description of the Jacobian variety of a curve of genus 2 has been given by Flynn; we refer to Chapter 2 of Cassels and Flynn [123] for details, references and further discussion. There are several important concepts in the theory of Abelian varieties that are not able to be expressed in terms of divisor class groups.4 Hence, our treatment of hyper- elliptic curves will not be as extensive as the case of elliptic curves. In particular, we do not give a rigorous discussion of isogenies (i.e., morphisms of varieties that are group homomorphisms withfinite kernel) for Abelian varieties of dimensiong> 1. However, we do mention one important result. The Poincar´ereducibility theorem (see Theorem 1 of Section 19 (page 173) of Mumford [444]) states that ifA is an Abelian variety overk andB is an Abelian subvariety ofA (i.e.,B is a subset ofA that is an Abelian variety overk), then there is an Abelian subvarietyB ′ A overk such thatB B ′ isfinite and ⊆ ∩ B+B ′ =A. It follows thatA is isogenous overk toB B ′. If an Abelian varietyA overk has no Abelian subvarieties overk then we call× it simple. An Abelian variety is absolutely simple if is has no Abelian subvarieties over k. Despite not discussing isogenies in full generality, it is possible to discuss isogenies that arise from maps between curves purely in terms of divisor class groups. We now give some examples, butfirst introduce a natural notation.

0 Definition 10.5.1. LetC be a curve over afieldk and letn N. ForD Pic k(C) define ∈ ∈ [n]D=D+ +D(n times). ··· Indeed, we usually assume that [n]D is a reduced divisor representing the divisor class nD. Define Pic0(C)[n] = D Pic 0(C):[n]D=0 . k { ∈ k }

Recall from Corollary 8.3.10 that ifφ:C 1 C 2 is a non-constant rational map (and hence a non-constant morphism) overk between→ two curves then there are correspond- 0 0 0 0 ing group homomorphismsφ ∗ : Pick(C2) Pic k(C1) andφ : Pick(C1) Pic k(C2). → ∗ → 0 Furthermore, by part 5 of Theorem 8.3.8 we haveφ φ∗(D) = [deg(φ)]D on Pick(C2). ∗ 4There are two reasons for this:first the divisor class group is merely an abstract group and so does not have the geometric structure necessary for some of these concepts; second, not every Abelian variety is a Jacobian variety. 10.5. JACOBIANS, ABELIAN VARIETIES AND ISOGENIES 227

In the special case of a non-constant rational mapφ:C E overk whereE is an → 0 elliptic curve we can compose with the Abel-Jacobi mapE Pic k(E) of Theorem 7.9.8 → 0 given byP (P) ( E ) to obtain group homomorphisms that we callφ ∗ :E Pic k(C) 7→0 − O → andφ : Pick(C) E. ∗ → Exercise 10.5.2. Letφ:C E be a non-constant rational map overk whereE is → 0 0 an elliptic curve overk. Letφ ∗ :E Pic k(C) andφ : Pick(C) E be the group homomorphisms as above. Show that→φ is surjective as a∗ map from→ Pic0(C) toE( k) and ∗ k that the kernel ofφ ∗ is contained inE[deg(φ)]. IfC is a curve of genus 2 and there are two non-constant rational mapsφ :C E i → i over k for elliptic curvesE 1,E2 then one naturally has a group homomorphismφ 1, φ2, : 0 ∗ × ∗ Pick(C) E 1(k) E 2(k). If ker(φ1, ) ker(φ 2, ) isfinite then it follows from the theory of Abelian→ varieties× that the Jacobian∗ ∩ varietyJ ∗ is isogenous to the productE E of C 1 × 2 the elliptic curves and one says thatJ C is a split Jacobian. 2 6 2 Example 10.5.3. LetC:y =x + 2x + 1 be a genus 2 curve overF 11. Consider the rational maps φ :C E :Y 2 =X 3 + 2X+1 1 → 1 2 given byφ 1(x, y)=(x , y) and φ :C E :Y 2 =X 3 + 2X 2 + 1 2 → 2 2 3 given byφ 2(x, y)=(1/x , y/x ). The two elliptic curvesE 1 andE 2 are neither isomorphic or isogenous. One has #E (F ) = 16, #E (F ) = 14 and #Pic0 (C)=14 16. 1 11 2 11 F11 · It can be shown (this is not trivial) that ker(φ1, ) ker(φ 2, ) isfinite. Further, since ∗ ∩ ∗ deg(φ1) = deg(φ2) = 2 it can be shown that the kernel ofφ 1, φ 2, is contained in 0 ∗ × ∗ Pick(C)[2]. The Jacobian of a curve satisfies the following universal property. Letφ:C A → be a morphism, whereA is an Abelian variety. LetP 0 C( k) be such thatφ(P 0) = 0 and consider the Abel-Jacobi mapψ:C J (corresponding∈ toP (P) (P )). → C 7→ − 0 Then there is a homomorphism of Abelian varietiesφ ′ :J C A such thatφ=φ ′ ψ. Exercise 10.5.4 gives a special case of this universal property.→ ◦ 2 6 4 2 Exercise 10.5.4. LetC:y =x +a 2x +a 4x +a 6 overk, where char(k)= 2, and let φ(x, y)=(x2, y) be non-constant rational mapφ:C E overk whereE is an6 elliptic curve. LetP C( k) be such thatφ(P ) = . Show→ that the composition 0 ∈ 0 O E C(k) Pic 0(C) E( k), → k → where thefirst map is the Abel-Jacobi mapP (P) (P 0) and the second map isφ , is just the original mapφ. 7→ − ∗

Exercise 10.5.5. Leta 3, a5 k, where char(k)= 2. This exercise gives maps over k 2 ∈ 5 3 6 from the genus 2 curveC:y =x +a 3x +a 5x to elliptic curves. Chooseα,β k such thata =α 2β2 anda = (α 2 +β 2). In other words, ∈ 5 3 − x4 +a x2 +a = (x2 α 2)(x2 β 2) = (x α)(x+α)(x β)(x+β). 3 5 − − − − Sets= √αβ,A = (1 + (α+β)/(2s))/2 andB = (1 (α+β)/(2s))/2. Show that A(x+s) 2 +B(x s) 2 =x 2 + (α+β)x+s 2,B(x+s) −2 +A(x s) 2 =x 2 (α+β)x+s 2 and (x+s) 2 (x− s) 2 = 4sx. Hence, show that − − − − ((x+s) 2 (x s) 2) x(x4 +a x2 +a ) = − − (A(x+s) 2 +B(x s) 2)(B(x+s) 2 +A(x s) 2). 3 5 4s − − 228 CHAPTER 10. HYPERELLIPTIC CURVES

Now, setY=y/(x s) 3 andX = ((x+s)/(x s)) 2. Show that − − AB Y 2 = (X 1)/(4s)(AX+B)(BX+A) = (X 1)(X 2 + (B/A+ A/B)X+1). − 4s −

Calling the above curveE 1, the rational mapφ 1(x, y)=(X, Y ) mapsC toE 1. Similarly, 3 2 2 takingY= y/(x+s) andX = ((x s)/(x+s)) gives an elliptic curveE 2 :Y = (X 1)/(4s)(BX+A)(AX+B) and a− rational mapφ :C E . Note thatE is a − − 2 → 2 2 quadratic twist ofE 1. There is a vast literature on split Jacobians and we are unable to give a full survey. We refer to Sections 4, 5 and 6 of Kuhn [356] or Chapter 14 of Cassels and Flynn [123] for further examples.

10.6 Elements of Ordern

We now bound the size of the set of elements of order dividingn in the divisor class group of a curve. As with many other results in this chapter, the best approach is via the theory of Abelian varieties. We state Theorem 10.6.1 for general curves, but without proof. The result is immediate for Abelian varieties overC, as they are isomorphic toC g/L where L is a rank 2g lattice. The elements of ordern inC g/L are given by then 2g points in 1 n L/L. Theorem 10.6.1. LetC be a curve of genusg overk and letn N. If char(k) = 0 or 0 2g ∈ 0 e gcd(n, char(k)) = 1 then #Pick(C)[n] =n . If char(k) =p>0 then #Pic k(C)[p] =p where0 e g. ≤ ≤ Proof: See Theorem 4 of Section 7 of Mumford [444].  We now present a special case of Theorem 10.6.1 (at least, giving a lower bound), namely elements of order 2 in the divisor class group of a hyperelliptic curve with a ramified model. Lemma 10.6.2. Letk be afield such that char(k)= 2. LetF(x) k[x] be a monic polynomial of degree2g+1 and letC:y 2 =F(x).6 Letd be the number∈ of roots ofF(x) overk. LetB k = (x 1,0),...,(x d,0) wherex 1, . . . , xd k are the roots ofF(x) ink. { } 0 ∈ d Ifd= 2g+1 thenB k generates a subgroup of Pick(C) of exponent 2 and order2 . If 6 0 2g d=2g+1 thenB k generates a subgroup of Pick(C) of exponent 2 and order2 . Exercise 10.6.3. Prove Lemma 10.6.2 via the following method.

1. First, considerB k = P 1,...,P2g+1 and for any subsetT 1,...,2g+1 define { X} ⊂{ } D = (P ) #T( ). T j − ∞ j T ∈ 0 Show thatD T has order 2 in Pick(C).

2. ForT 1,...,2g+1 we define the complementT ′ = 1,...,2g+1 T (so ⊂{ } { }− thatT T ′ =∅ andT T ′ = 1,...,2g+1 ). Show thatD T1 +D T2 D T3 where∩T =T T (T∪ T ). Show{ (using Lemma} 10.3.24 and other results)≡ that 3 1 ∪ 2 − 1 ∩ 2 D D if and only ifT =T orT =T ′. T1 ≡ T2 1 2 1 2 3. Hence, deduce that the subgroup generated byB k consists only of divisor classes represented by reduced divisors with support inB k. Complete the proof by counting such divisor classes (note that ifd<2g + 1 thenT B impliesT ′ B ). ⊂ k 6⊂ k 10.7. HYPERELLIPTIC CURVES OVER FINITE FIELDS 229

Lemma 10.6.2 describes 22g divisor classes over k of order dividing 2. Since The- orem 10.6.1 states that there are exactly 22g such divisor classes over k it follows that every 2-torsion divisor class has a representative of this form. A corollary is that any func- tionf k(C) with divisor div(f)=2(P ) + 2(P ) 4( ) is equal toc(x x )(x x ) ∈ 1 2 − ∞ − 1 − 2 for some c, x1, x2 k. A determination∈ of the 2-torsion in Jacobians of hyperelliptic curves overfinitefields is given by Cornelissen; see [147] and its erratum.

Division Ideals In some applications (particularly when generalising Schoof’s algorithm for point count- ing) it is desired to determine the elements of a given order in the divisor class group. It is therefore necessary to have an analogue of the elliptic curve division polynomials. Early attempts on this problem, in the context of point counting algorithms, appear in the work of Pila and Kampk¨otter. We sketch some results of Cantor [119]. LetC:y 2 =F(x) overk be such thatF(x) is monic of degree 2g + 1 and char(k)= 2 (though Section 9 of [119] does discuss how to proceed when char(k) = 2). Cantor de6 fines polynomialsψ forn g + 1 such that for n ≥ P=(x P , yP ) C( k) we haveψ n(xP , yP ) = 0 if and only ifn((x P , yP ) ( )) lies in the setΘ of all divisor∈ classes with a Mumford representative of the form div(− ∞u(x), y v(x)) having deg(u(x)) g 1. While pointsP C( k) such that [n]((P) ( )) is principal− will be roots of these≤ − polynomials, we stress∈ that these polynomials− do∞ have other roots as well. Also, since most divisor classes do not have representatives of the form (P) ( ) for a pointP on the curve wheng> 1, in general there are divisor classes of ordern −that∞ are not of this form. Equation (8.1) of [119] gives explicit recurrence formulae forψ n in the case wheng = 2. Section 10 of [119] gives thefirst few values ofψ n(x, y) for the genus 2 curvey 2 =x 5 + 1. LetC be a genus 2 curve. Note that ifD=(x , y ) + (x , y ) 2( ) has ordern 1 1 2 2 − ∞ then either [n]((xi, yi) ( )) 0or[n]((x 1, y1) ( )) [n]((x 2, y2) ( )). Hence one canfind general divisors− ∞ ≡ of ordern using formulae− ∞ for≡− computing [n]((−x,∞ y) ( )) and equating polynomials. In other words, to determine divisors of ordern it is− suffi∞cient to obtain rational functions that give the Mumford representation of [n]((x, y) ( )). Letn N and letC be a genus 2 curve overk in ramified model. There− are∞ ∈ polynomialsd n,0(x), dn,1(x), dn,2(x), en,0(x), en,1(x), en,2(x) k[x] of degrees respectively 2n2 3, 2n 2 2, 2n 2 1, 3n 2 2, 3n 2 3, 3n 2 2 such∈ that, for a “generic point” − − − − − − P=(x P , yP ) C( k), the Mumford representation of [n]((xP , yP ) ( )) is ∈  − ∞ 2 dn,1(xP ) dn,2(xP ) e1,n(xP ) e2,n(xP ) x + x+ , yP x+ . dn,0(xP ) dn,0(xP ) e0,n(xP ) e0,n(xP ) Indeed, this can be checked directly for any curveC and any primen by computing Cantor’s algorithm in a computer algebra package. These formulae are not necessarily valid for all pointsP C(k) (such as those for whichn((x P , yP ) ( )) 0). For details we refer to Gaudry’s∈ theses (Section 4.4 of [241] and Section 7.2− of∞ [243]).≡ Information about the use of these, and other, ideals in point counting algorithms is given in Section 3 of Gaudry and Schost [248].

10.7 Hyperelliptic Curves Over Finite Fields

There are afinite number of points on a curveC of genusg over afinitefieldF q. There are alsofinitely many possible values for the Mumford representation of a reduced divisor 230 CHAPTER 10. HYPERELLIPTIC CURVES

0 on a hyperelliptic curve over afinitefield. Hence, the divisor class group Pic Fq (C) of a curve over afinitefield is afinite group. Since the affine part of a reduced divisor is a sum of at mostg points (possibly defined over afield extension of degree bounded byg) it is 0 i not surprising that there is a connection between #C(F q ) : 1 i g and #Pic Fq (C). {0 ≤ ≤ } Indeed, there is also a connection between #Pic F (C):1 i g and #C(F q). The { qi ≤ ≤ } aim of this section is to describe these connections. We also give some important bounds on these numbers (analogous to the Hasse bound for elliptic curves). Most results are presented for general curves (i.e., not only hyperelliptic curves). One of the most important results in the theory of curves overfinitefields is the following theorem of Hasse and Weil. The condition that the roots ofL(t) have absolute value √q can be interpreted as an analogue of the Riemann hypothesis. This result gives precise bounds on the number of points on curves and divisor class groups overfinite fields.

Theorem 10.7.1. (Hasse-Weil) LetC be a curve of genusg overF q. There exists a polynomialL(t) Z[t] of degree2g with the following properties. ∈ 0 1.L(1) = #Pic Fq (C). Q 2. One can writeL(t) = 2g (1 α t) withα C such thatα = α (this is i=1 − i i ∈ g+i i complex conjugation) and α i = √q for1 i g. | | ≤ ≤ 3.L(t) =q gt2gL(1/(qt)) and so

g 1 g g+1 g 1 2g 1 g 2g L(t) = 1 +a 1t+ +a g 1t − +a gt +qa g 1t + +q − a1t − +q t . ··· − − ··· Q 2g n 0 4. Forn N defineL n(t) = (1 α t). Then #Pic (C)=L n(1). ∈ i=1 − i Fqn Proof: The polynomialL(t) is the numerator of the zeta function ofC. For details see Section V.1 of Stichtenoth [589], especially Theorem V.1.15. The proof that α i = √q for all 1 i 2g is Theorem V.2.1 of Stichtenoth [589]. | | A proof≤ ≤ of some parts of this result in a special case is given in Exercise 10.7.14. Exercise 10.7.2. Show that part 3 of Theorem 10.7.1 follows immediately from part 2. Definition 10.7.3. The polynomialL(t) of Theorem 10.7.1 is called theL-polynomial of the curveC overF q.

Theorem 10.7.4. (Schmidt) LetC be a curve of genusg overF q. There there exists a divisorD onC of degree 1 that is defined overF q.

We stress that this result does not prove thatC has a point defined overF q (though whenq is large compared with the genus existence of a point inC(F q) will follow by the Weil bounds). The result implies that even a curve with no points defined overF q does have a divisor of degree 1 (hence, not an effective divisor) that is defined overF q. Proof: See Corollary V.1.11 of Stichtenoth [589].  We now describe the precise connection between the rootsα i of the polynomialL(t) 0 (corresponding to Pic (C)) and #C(F n ) forn N. Fq q ∈ Theorem 10.7.5. LetC be a curve of genusg overF q and letα i C for1 i 2g be as in Theorem 10.7.1. Letn N. Then ∈ ≤ ≤ ∈ X2g n n #C(F n ) =q + 1 α . (10.19) q − i i=1 10.7. HYPERELLIPTIC CURVES OVER FINITE FIELDS 231

Proof: See Corollary V.1.16 of Stichtenoth [589].  Equation (10.19) can be read in two ways. On the one hand it shows that givenL(t) one can determine #C(Fqn ). On the other hand, it shows that if one knows #C(Fqn ) for 1 n g then one hasg non-linear equations in theg variablesα 1,...,α g (there are only≤ g≤ variables sinceα = q/α for 1 i g). The following result shows that one i+g i ≤ ≤ can therefore deduce the coefficientsa 1, . . . , ag giving the polynomialL(t). P 2g n Lemma 10.7.6. (Newton’sQ identities) Letα 1,...,α 2g C and definet n = i=1 αi . Let 2g 2g 2g 1 ∈ a , . . . , a be such that (x α ) =x +a x − + +a . Then, for1 n 2g, 1 2g i=1 − i 1 ··· 2g ≤ ≤ nX1 − nan = t n an iti. − − − i=1

In particular,a = t anda = (t2 t )/2. 1 − 1 2 1 − 2 Exercise 10.7.7.⋆ Prove Lemma 10.7.6.

Exercise 10.7.8. SupposeC is a genus 3 curve overF 7 such that #C(F7) = 8,#C(F 72 ) = 0 2 7 3 92,#C(F 7 ) = 344. DetermineL(t) and hence #Pic F7 (C). (One can takey =x +x+1 forC.)

Exercise 10.7.9.(Weil bounds) LetC be a curve of genusg overF q. Use Theo- rem 10.7.1 and Theorem 10.7.5 to show that

n n #C(F n ) (q + 1) 2g √q | q − |≤ and (√qn 1) 2g #Pic0 (C) ( √qn + 1)2g. − ≤ Fqn ≤

More precise bounds on #C(Fq) are known; we refer to Section V.3 of Stichtenoth [589] for discussion and references. We now sketch the relationship between the above results and theq-power Frobenius mapπ:C C given byπ(x, y)=(x q, yq). This is best discussed in terms of Abelian varieties→ and so is strictly beyond the scope of the present book; however Exercise 10.7.11 shows how to consider the Frobenius map in Pic0 (C). We refer to Section 21 of Mum- Fq ford [444], especially the subsection entitled “Application II: The Riemann Hypothesis”. Briefly, the Frobenius map onC induces a morphismπ:J J whereJ is the Jaco- C → C C bian variety ofC (note thatJ C is defined overF q). Note thatπ is not an isomorphism. This morphism is a group homomorphism with ker(π)= 0 and so is an isogeny. More { } generally, ifA is an Abelian variety overF q then there is aq-power Frobenius morphism n π:A A. Just as in the case of elliptic curves one hasA(F qn ) = ker(π 1) and → n n n− so #A(Fqn ) = ker(π 1) = deg(π 1) (note thatπ is inseparable andπ 1 is a separable morphism). By− considering the− action ofπ on the Tate module (the Tate− mod- ule of an Abelian variety is defined in the analogous way to elliptic curves, see Section 19 of [444]) it can be shown thatπ satisfies a characteristic equation given by a monic polynomialQP A(T) Z[T ] of degree 2g. It follows that deg(π 1)Q =P A(1). Writing 2g ∈ − 2g n PA(T)= i=1(T α i) overC it can be shown that #A(F qn ) = i=1(1 α i ). It follows − − 2g that the rootsα i are the same values as those used earlier, and thatP(T)=T L(1/T ).

Definition 10.7.10. LetC be a curve overF q. The characteristic polynomial of Frobenius is the polynomialP(T)=T 2gL(1/T ). 232 CHAPTER 10. HYPERELLIPTIC CURVES

The Frobenius mapπ:C C also induces the mapπ : Pic0 (C) Pic 0 (C), and → ∗ Fq → Fq we abuse notation by calling itπ as well. IfD is any divisor representing a divisor class in 0 2g 2g 1 g 1 g Pic (C) thenP(π)D 0. In other words, ifP(T)=T +a 1T − + +a 1q − T+q Fq ≡ ··· then 2g 2g 1 g 1 g π (D)+[a ]π − (D)+ +[a q − ]π(D)+[q ]D 0 (10.20) 1 ··· 1 ≡ where the notation [n]D is from Definition 10.5.1.

Exercise 10.7.11. LetC be a curve overF q andD a reduced divisor onC over Fq with Mumford representationP (u(x), v(x)). Letπ be thePq-power Frobenius map onC. For d i (q) d q i a polynomialu(x) = i=0 uix defineu (x) = i=0 ui x . Show that the Mumford representation ofπ (D) is (u(q)(x), v(q) (x)). ∗ Example 10.7.12. (Koblitz [346]) Leta 0,1 and consider the genus 2 curveC a : 2 5 2 ∈{ } y + xy=x + ax + 1 overF 2. One can verify that #C0(F2) = 4, #C1(F2) = 2 and #C0(F22 ) = #C1(F22 ) = 4. Hence the characteristic polynomial of Frobenius is 4 a 3 a 0 P(T)=T + ( 1) T + 2( 1) T + 4. One can determine #PicF2n (Ca) for anyn N. − − 0 0 ∈ Ifn is composite andm n one has #Pic F2m (Ca) #Pic F2n (Ca). For cryptographic | 0 0 | applications one would like #PicF2n (Ca)/#PicF2 (Ca) to be prime, so restrict attention to primes values forn. For example, takingn = 113 anda = 1 gives group order 2 r where r =539 381 is a 225-bit prime. · ··· 0 4 3 IfD Pic F2n (C1) thenπ (D) π (D) [2]π(D) + [4]D 0 whereπ is the map ∈ 0 − − ≡ 2 2 induced on PicF2n (C1) from the 2-power Frobenius mapπ(x, y)=(x , y ) onC. A major result, whose proof is beyond the scope of this book, is Tate’s isogeny theorem.

Theorem 10.7.13. (Tate) LetA andB be Abelian varieties over afieldF q. ThenA isF q-isogenous toB if and only ifP A(T)=P B (T). Similarly,A isF q-isogenous to an Abelian subvariety ofB if and only ifP (T) P (T). A | B Proof: See [601].  Exercise 10.7.14 gives a direct proof of Theorems 10.7.1 and 10.7.5 for genus 2 curves with ramified model.

Exercise 10.7.14.⋆ Letq be an odd prime power. LetF(x) F q[x] be square-free 2 ∈ and of degree 5. ThenC:y =F(x) is a hyperelliptic curve overF q of genus 2 with a n ramified model. Forn=1, 2 letN n = #C(Fqn ) and definet n =q + 1 N n so that n 2 − Nn =q + 1 t n. Definea 1 = t 1 anda 2 = (t1 t 2)/2. Show, using direct calculation − 0 − 2 − and Exercise 10.4.4, that PicFq (C) has orderq +a 1(q+1)+a 2 + 1. An important tool in the study of elliptic curves overfinitefields is the Waterhouse theorem (Theorem 9.10.12). There is an analogous result for Abelian varieties due to Honda and Tate but it is beyond the scope of this book to present this theory (we refer to [602] for details). However, we do give one application. Theorem 10.7.15. (Dipippo and Howe [182]) Letq 4 be a prime power andn Z . ≥ ∈ >1 LetB=( √q 2)/(2( √q 1)) andC=( B √q +1/2)/ √q. IfN N is such that n − n 1/2 − ⌊ ⌋ ∈ N (q + 1) Cq − then there exists an Abelian varietyA overF of dimensionn | − |≤ q such that#A(F q) =N.

10.8 Endomorphisms

LetA 1,A2 be Abelian varieties overk. One defines Hom k(A1,A2) to be the set of all morphisms of varieties fromA 1 toA 2 overk that are group homomorphisms (see Section 10.9. SUPERSINGULAR CURVES 233

19 of [444]). We define Hom(A1,A2) to be Homk(A1,A2). The endomorphism ring of an Abelian varietyA overk is defined to be End k(A) = Homk(A, A). We write End(A) = Homk(A, A). It is beyond the scope of this book to give a complete treatment of the endomorphism ring. However, we make a few general remarks. First, note that Homk(A1,A2) is a Z-module. Second, recall that for elliptic curves every non-zero homomorphism is an isogeny (i.e., hasfinite kernel). This is no longer true for Abelian varieties (for example, letE be an elliptic curve and consider the homomorphismφ:E E E E given byφ(P, Q)=(P, )). However, ifA is a simple Abelian variety× → then× End(A) Q O E ⊗ Z is a division algebra and so every non-zero endomorphismQ is an isogeny in this case. ni Furthermore, if an Abelian varietyA is isogenousQ to i Ai withA i simple (andA i not isogenous toA fori=j) then End(A) Q M (End(A ) Q) whereM (R) is the j Z ∼= i ni i Z n ring ofn n matrices6 over the ringR ⊗(see Corollary 2 of Section⊗ 19 of Mumford [444]). ×

10.9 Supersingular Curves

Recall from Theorem 10.6.1 that ifC is a curve of genusg over afieldk of characteristic p then #Pic0(C)[p] p g. k ≤ Definition 10.9.1. Letkbeafield such that char(k) =p> 0 and letC be a curve of genusg overk. Thep-rank ofC is the integer 0 r g such that #Pic 0(C)[p] =p r. ≤ ≤ k

An Abelian variety of dimensiong overF q is defined to be supersingular if it is g isogenous over Fq toE whereE is a supersingular elliptic curve over Fq. A curveC over Fq is supersingular ifJ C is a supersingular Abelian variety. It follows that thep-rank of a supersingular Abelian variety overF pn is zero. The converse is not true (i.e.,p-rank zero does not imply supersingular) when the dimension is 3 or more; see Example 10.9.8). If thep-rank of a dimensiong Abelian varietyA overF pn isg thenA is said to be ordinary.

Lemma 10.9.2. SupposeA is a supersingular Abelian variety overF q and writeP A(T) for the characteristic polynomial of Frobenius onA. The rootsα ofP A(T) are such that α/√q is a root of unity.

g Proof: Since the isogeny toE is defined over somefinite extensionF qn it follows from part 4 of Theorem 9.11.2 thatα n/√qn is a root of unity. Hence,α/ √q is a root of unity.  The converse of Lemma 10.9.2 follows from the Tate isogeny theorem.

2 5 Example 10.9.3. LetC:y +y=x overF 2. One can check that #C(F2) = 3 and #C(F22 ) = 5 and so the characteristic polynomial of the 2-power Frobenius isP(T)= T 4 + 4 = (T 2 + 2T + 2)(T 2 2T + 2). It follows from Theorem 10.7.13 (Tate’s isogeny − theorem) thatJ C is isogenous toE 1 E 2 whereE 1 andE 2 are supersingular curves × 2 overF 2. The characteristic polynomial of the 2 -power Frobenius can be shown to be 4 2 2 2 T + 8T + 16 = (T + 4) and it follows thatJ C is isogenous overF 22 to the square of a supersingular elliptic curve. HenceC is a supersingular curve. Note that the endomorphism ring ofJ C is non-commutative, since the mapφ(x, y)= 4 3 2 (ζ5x, y), whereζ 5 F 24 is a root ofz +z +z +z + 1 = 0, does not commute with the 2-power Frobenius∈ map.

Exercise 10.9.4.⋆ Show that ifC is a supersingular curve overF q of genus 2 then #Pic0 (C) (q k 1) for some 1 k 12. Fq | − ≤ ≤ 234 CHAPTER 10. HYPERELLIPTIC CURVES

The following result shows that computing thep-rank and determining supersingular- ity are easy whenP(T ) is known.

Theorem 10.9.5. LetA be an Abelian variety of dimensiong overF pn with characteristic 2g 2g 1 g ng polynomial of FrobeniusP(T)=T +a T − + +a T + +p . 1 ··· g ··· 1. Thep-rank ofA is the smallest integer0 r g such thatp a for all1 i g r. ≤ ≤ | i ≤ ≤ − (In other words, thep-rank is zero ifp a for all1 i g and thep-rank isg if | i ≤ ≤ p∤a 1.) 2.A is supersingular if and only if

in/2 p⌈ ⌉ a for all1 i g. | i ≤ ≤ Proof: Part 1 is Satz 1 of Stichtenoth [588]. Part 2 is Proposition 1 of Stichtenoth and Xing [590].  We refer to Yui [639] for a survey of the Cartier-Manin matrix and related criteria for thep-rank.

Exercise 10.9.6. LetA be an Abelian variety of dimension 2 overF p that hasp-rank zero. Show thatA is supersingular.

In fact, the result of Exercise 10.9.6 holds whenF p is replaced by anyfinitefield; see page 9 of Li and Oort [386].

2 Exercise 10.9.7. LetC:y +y=F(x) overF 2n where deg(F(x)) = 5 be a genus 2 hyperelliptic curve. Show thatC has 2-rank zero (and hence is supersingular). Example 10.9.8 shows that, once the genus is at least 3,p-rank zero does not imply supersingularity.

2 7 6 3 3 Example 10.9.8. DefineC:y +y=x overF 2. ThenP(T)=T 2T + 2 and so by Theorem 10.9.5 the 2-rank ofC is zero butC is not supersingular. − Example 10.9.9. (Hasse/Hasse-Davenport/Duursma [185]) Letp> 2 be prime and 2 p C:y =x x + 1 overF p. One can verify thatC is non-singular and the genus ofC − 1 is (p 1)/2. It is shown in [185] that, overF 2 ,L(T)=Φ (( − )pT ) whereΦ (T ) is the − p p p p p-th cyclotomic polynomial. It follows that the roots ofP(T ) are roots of unity and soC is supersingular.