Contemporary Mathematics 521

Arithmetic, Geometry, Cryptography and Coding Theory 2009

12th Conference on Arithmetic, Geometry, Cryptography and Coding Theory, March 30–April 3, 2009, Marseille, France
Geocrypt Conference, April 27–May 1, 2009, Pointe-à-Pitre, Guadeloupe, France
European Science Foundation Exploratory Workshop on Curves, Coding Theory, and Cryptography, March 25–29, 2009, Marseille, France

David Kohel and Robert Rolland, Editors

American Mathematical Society


Editorial Board: Dennis DeTurck (managing editor), George Andrews, Abel Klein, Martin J. Strauss

2000 Mathematics Subject Classification. Primary 11G10, 11G15, 11G20, 14G10, 14G15, 14G50, 14H05, 14H10, 14H45, 14Q05.

Library of Congress Cataloging-in-Publication Data
International Conference “Arithmetic, Geometry, Cryptography and Coding Theory” (2009 : Marseille, France)
Arithmetic, geometry, cryptography, and coding theory 2009 : Geocrypt, April 27–May 1, 2009, Pointe-à-Pitre, Guadeloupe : 12th Conference on Arithmetic, Geometry, Cryptography, and Coding Theory, March 30–April 3, 2009, Marseille, France : European Science Foundation Exploratory Workshop on Curves, Coding Theory, and Cryptography, March 25–29, 2009, Marseille, France / David Kohel, Robert Rolland, editors.
p. cm. (Contemporary mathematics ; v. 521)
Includes bibliographical references.
ISBN 978-0-8218-4955-2 (alk. paper)
1. Arithmetical algebraic geometry—Congresses. 2. Coding theory—Congresses. 3. Cryptography—Congresses. I. Kohel, David R., 1966– II. Rolland, Robert. III. European Science Foundation. Exploratory Workshop on Curves, Coding Theory, and Cryptography (2009 : Marseille, France) IV. Title.
QA242.5.I58 2009 516.35—dc22 2010010568

© 2010 by the American Mathematical Society. All rights reserved. Printed in the United States of America.

Contents

Preface  vii
Differentially 4-uniform functions, Yves Aubry and François Rodier  1
Computing Hironaka's invariants: Ridge and directrix, Jérémy Berthomieu, Pascal Hivert and Hussein Mourtada  9
Nondegenerate curves of low genus over small finite fields, Wouter Castryck and John Voight  21
Faster side-channel resistant scalar multiplication, Alexandre Venelli and François Dassance  29
Non linéarité des fonctions booléennes données par des polynômes de degré binaire 3 définies sur F_{2^m} avec m pair, Eric Férard and François Rodier  41
A note on a maximal curve, Arnaldo Garcia and Henning Stichtenoth  55
Computing Humbert surfaces and applications, David Gruenewald  59
Genus 3 curves with many involutions and application to maximal curves in characteristic 2, Enric Nart and Christophe Ritzenthaler  71
Uniqueness of low genus optimal curves over F_2, Alessandra Rigato  87
order formulas for reductions of CM elliptic curves, Alice Silverberg  107
Families of explicit isogenies of hyperelliptic Jacobians, Benjamin Smith  121
Computing congruences of modular forms and Galois representations modulo prime powers, Xavier Taixés i Ventosa and Gabor Wiese  145


Preface

The 12th conference Arithmetic, Geometry, Cryptography and Coding Theory (AGC2T 12) took place in Marseille at the Centre International de Rencontres Mathématiques (CIRM) from 30 March to 3 April 2009. This biennial conference has been a major event in applied arithmetic geometry for nearly a quarter century, organized by the research group Arithmétique et Théorie de l'Information of the Institut de Mathématiques de Luminy. There were more than 40 research talks and 80 participants from sixteen countries. This year the AGC2T was preceded by a three-day Exploratory Workshop funded by the European Science Foundation on Curves, Coding Theory, and Cryptography, which brought some 30 researchers together for expository lectures and discussions on the arithmetic of curves and applications. We especially thank the speakers Dan Bernstein, Claus Diem, Ralf Gerkmann, Hendrik Hubrechts, Ian Kimming, Tanja Lange, Gabriele Nebe, Christophe Ritzenthaler, Patrick Solé, and Gabor Wiese for their lectures, and all participants of both events for creating a stimulating research environment.

Less than one month later, on a different continent, the ATI group, together with the eRISCS laboratory of the Université de la Méditerranée, Marseille, and the AOC laboratory (Analyse, Optimisation, Contrôle) of the Université des Antilles et de la Guyane, assembled 34 participants for the first Geocrypt conference from 27 April to 1 May 2009, in Pointe-à-Pitre, Guadeloupe. We thank Yves Aubry, Stéphane Ballet, Vincent Cossart, Noam Elkies, Everett Howe, Marc Girault, Marc Joye, Gilles Lachaud, Kristin Lauter, Heeralal Janwa, Gary McGuire, Christophe Ritzenthaler, François Rodier, Karl Rubin, René Schoof, Alice Silverberg, Peter Stevenhagen, and John Voight for their mathematical contributions, making this both an enjoyable and informative extension of the AGC2T conference. We also thank Microsoft Research for financial support, as well as Régis Blache for the occasion of his habilitation defense that made this possible.

The 12 articles of this volume represent a selection of research presented at this trilogy of events in the spring of 2009.


Contemporary Mathematics Volume 521, 2010

Differentially 4-uniform functions

Yves Aubry and Fran¸cois Rodier

Abstract. We give a geometric characterization of vectorial Boolean functions with differential uniformity $\le 4$. This enables us to give a necessary condition on the degree of the base field for a function of degree $2^r - 1$ to be differentially 4-uniform.

1. Introduction

We are interested in vectorial Boolean functions from the $\mathbb F_2$-vector space $\mathbb F_2^m$ to itself in $m$ variables, viewed as polynomial functions $f : \mathbb F_{2^m} \to \mathbb F_{2^m}$ over the field $\mathbb F_{2^m}$ in one variable of degree at most $2^m - 1$. For a function $f : \mathbb F_{2^m} \to \mathbb F_{2^m}$, we consider, after K. Nyberg (see [16]), its differential uniformity

$$\delta(f) = \max_{\alpha \neq 0,\ \beta} \#\{x \in \mathbb F_{2^m} \mid f(x+\alpha) + f(x) = \beta\}.$$

This is clearly a strictly positive even integer. Functions $f$ with small $\delta(f)$ have applications in cryptography (see [16]). Such functions with $\delta(f) = 2$ are called almost perfect nonlinear (APN) and have been extensively studied: see [16] and [9] for the genesis of the topic and more recently [3] and [6] for a synthesis of open problems; see also [7] for new constructions and [20] for a geometric point of view of differential uniformity. Functions with $\delta(f) = 4$ are also useful; for example the function $x \mapsto x^{-1}$, which is used in the AES over the field $\mathbb F_{2^8}$, has differential uniformity 4 on $\mathbb F_{2^m}$ for any even $m$. Some results on these functions have been collected by C. Bracken and G. Leander [4, 5]. We consider here the class of functions $f$ such that $\delta(f) \le 4$, called differentially 4-uniform functions. We will show that for polynomial functions $f$ of degree $d = 2^r - 1$ such that $\delta(f) \le 4$ on the field $\mathbb F_{2^m}$, the number $m$ is bounded by an expression depending on $d$. The second author demonstrated the same bound in the case of APN functions [17, 18]. The principle of the method we apply here was already used by H. Janwa et al. [13] to study cyclic codes and by A. Canteaut [8] to show that certain power functions could not be APN when the exponent is too large.

2000 Mathematics Subject Classification. 11R29, 11R58, 11R11, 14H05.
Key words and phrases. Boolean functions, almost perfect nonlinear functions, varieties over finite fields.

© 2010 American Mathematical Society


Henceforth we fix $q = 2^m$. In order to simplify our study of such functions, let us recall the following elementary results on differential uniformity; the proofs are straightforward.

Proposition 1.
(i) Adding a polynomial whose monomials are of degree 0 or a power of 2 to a function $f$ does not change $\delta(f)$.
(ii) For all $a$, $b$ and $c$ in $\mathbb F_q$ such that $a \neq 0$ and $c \neq 0$ we have $\delta(cf(ax+b)) = \delta(f)$.
(iii) One has $\delta(f^2) = \delta(f)$.

Hence, without loss of generality, from now on we can assume that $f$ is a polynomial mapping from $\mathbb F_q$ to itself which has neither terms of degree a power of 2 nor a constant term, and which has at least one term of odd degree. To any function $f : \mathbb F_q \to \mathbb F_q$, we associate the polynomial $f(x)+f(y)+f(z)+f(x+y+z)$. Since this polynomial is clearly divisible by $(x+y)(x+z)(y+z)$, we can consider the polynomial

$$P_f(x,y,z) := \frac{f(x)+f(y)+f(z)+f(x+y+z)}{(x+y)(x+z)(y+z)}$$

which has degree $\deg(f) - 3$ if $\deg(f)$ is not a power of 2.

2. A characterization of functions with $\delta \le 4$

We will give, as in [17], a geometric criterion for a function to have $\delta \le 4$. We consider in this section the algebraic set $X$ defined by the elements $(x,y,z,t)$ in the affine space $\mathbb A^4(\mathbb F_q)$ such that

$$P_f(x,y,z) = P_f(x,y,t) = 0.$$

We set also $V$ the hypersurface of the affine space $\mathbb A^4(\mathbb F_q)$ defined by

$$(1) \qquad (x+y)(x+z)(x+t)(y+z)(y+t)(z+t)(x+y+z+t) = 0.$$

The hypersurface $V$ is the union of the seven hyperplanes $H_1, \dots, H_7$ defined respectively by the equations $x+y = 0, \dots, x+y+z+t = 0$. We begin with a simple lemma.

Lemma 2. The following two properties are equivalent:
(i) there exist 6 distinct elements $x_0, x_1, x_2, x_3, x_4, x_5$ in $\mathbb F_q$ such that
$$\begin{cases} x_0 + x_1 = \alpha, & f(x_0) + f(x_1) = \beta \\ x_2 + x_3 = \alpha, & f(x_2) + f(x_3) = \beta \\ x_4 + x_5 = \alpha, & f(x_4) + f(x_5) = \beta \end{cases}$$
(ii) there exist 4 distinct elements $x_0, x_1, x_2, x_4$ in $\mathbb F_q$ such that $x_0 + x_1 + x_2 + x_4 \neq 0$ and such that
$$f(x_0)+f(x_1)+f(x_2)+f(x_0+x_1+x_2) = 0,$$
$$f(x_0)+f(x_1)+f(x_4)+f(x_0+x_1+x_4) = 0.$$


Proof. Suppose that (i) is true. Then we have $x_0+x_1+x_2 = \alpha + x_2 = x_3$ and so $f(x_0)+f(x_1)+f(x_2)+f(x_0+x_1+x_2) = f(x_0)+f(x_1)+f(x_2)+f(x_3) = 0$. The second equation holds true in the same way. Finally, we have $x_0+x_1+x_2+x_4 = x_3 + x_4 \neq 0$.

Conversely, let us set $\alpha = x_0 + x_1$, $\beta = f(x_0)+f(x_1)$ and $x_3 = \alpha + x_2 = x_0+x_1+x_2$. Then $f(x_2)+f(x_3) = f(x_2)+f(x_0+x_1+x_2) = f(x_0)+f(x_1) = \beta$. Furthermore, we have $x_3 \neq x_0$ because $x_1 \neq x_2$, and we have $x_3 \neq x_1$ since otherwise we would have $x_2 = \alpha + x_3 = \alpha + x_1 = x_0$. Setting $x_5 = \alpha + x_4 = x_0+x_1+x_4$ we have $f(x_4)+f(x_5) = f(x_4)+f(x_0+x_1+x_4) = f(x_0)+f(x_1) = \beta$. We have $x_3 \neq x_4$ since otherwise we would have $0 = x_3 + x_4 = x_0+x_1+x_2+x_4$, which is not the case by hypothesis. Finally $x_3 \neq x_5$ since otherwise we would have $x_2 = x_4$, and so all the six elements $x_0, x_1, x_2, x_3, x_4, x_5$ are different. □

We can now state a geometric characterization of differentially 4-uniform functions.

Theorem 3. The differential uniformity of a function $f : \mathbb F_q \to \mathbb F_q$ is not larger than 4 if and only if

$$X(\mathbb F_q) \subset V,$$

where $X(\mathbb F_q)$ denotes the set of rational points over $\mathbb F_q$ of $X$.

Proof. The differential uniformity is not larger than 4 if and only if for any $\alpha \in \mathbb F_q^*$ and any $\beta \in \mathbb F_q$, the equation $f(x+\alpha)+f(x) = \beta$ has at most 4 solutions, that is to say

$$\#\{x \in \mathbb F_q \mid f(x)+f(y) = \beta,\ x+y = \alpha\} \le 4.$$

But this is equivalent to saying that we cannot find 6 distinct elements $x_0, x_1, x_2, x_3, x_4, x_5$ in $\mathbb F_q$ such that
$$\begin{cases} x_0 + x_1 = \alpha, & f(x_0) + f(x_1) = \beta \\ x_2 + x_3 = \alpha, & f(x_2) + f(x_3) = \beta \\ x_4 + x_5 = \alpha, & f(x_4) + f(x_5) = \beta. \end{cases}$$
By the previous lemma, this is equivalent to saying that we cannot find 4 distinct elements $x_0, x_1, x_2, x_4$ in $\mathbb F_q$ such that $x_0+x_1+x_2+x_4 \neq 0$ and such that
$$f(x_0)+f(x_1)+f(x_2)+f(x_0+x_1+x_2) = 0,$$
$$f(x_0)+f(x_1)+f(x_4)+f(x_0+x_1+x_4) = 0.$$

But this can be reformulated by saying that the rational points over $\mathbb F_q$ of the variety $X$ are contained in the variety $V$, that is to say $X(\mathbb F_q) \subset V$. □
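The definition of $\delta(f)$ from the introduction and the criterion of Theorem 3 can both be checked by exhaustive computation in small fields. The following is an added example written for this edition, not code from the authors; it assumes the irreducible polynomials listed in `IRREDUCIBLE` (0x11b being the AES polynomial) to build $\mathbb F_{2^m}$, and looks for an $\mathbb F_q$-point of $X$ outside $V$ through the condition of Lemma 2 (ii).

```python
"""Differential uniformity delta(f) on GF(2^m) and the criterion of Theorem 3.
Added example, not code from the paper.  Elements of GF(2^m) are ints in
0..2^m-1 whose bit i is the coefficient of x^i; addition is XOR."""

# Irreducible polynomials used to build GF(2^m) for the m exercised below
# (constructed list; 0x11b is the AES polynomial x^8 + x^4 + x^3 + x + 1).
IRREDUCIBLE = {3: 0b1011, 4: 0b10011, 5: 0b100101, 8: 0x11b}


class GF2m:
    """Arithmetic in GF(2^m) = GF(2)[x] / (p(x)) for an irreducible p of degree m."""

    def __init__(self, m):
        self.m, self.q, self.poly = m, 1 << m, IRREDUCIBLE[m]

    def mul(self, a, b):
        """Carry-less multiplication with reduction modulo self.poly."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a & self.q:          # degree reached m: reduce
                a ^= self.poly
        return r

    def pow(self, a, e):
        """a**e by square-and-multiply, for e >= 1 (so 0**e == 0)."""
        r, base = 1, a
        while e:
            if e & 1:
                r = self.mul(r, base)
            base = self.mul(base, base)
            e >>= 1
        return r


def power_map(field, e):
    """The monomial function x -> x^e on GF(2^m), as a lookup table."""
    return [field.pow(x, e) for x in range(field.q)]


def inverse_map(field):
    """x -> x^{-1} with 0 -> 0 (the AES S-box core when m = 8); this is x^{q-2}."""
    return power_map(field, field.q - 2)


def differential_uniformity(field, table):
    """delta(f) = max over alpha != 0 and beta of #{x : f(x+alpha) + f(x) = beta}."""
    q, delta = field.q, 0
    for alpha in range(1, q):
        counts = [0] * q
        for x in range(q):
            counts[table[x ^ alpha] ^ table[x]] += 1
        delta = max(delta, max(counts))
    return delta


def point_of_X_outside_V(field, table):
    """Search for an F_q-point of X that does not lie on V.

    Off V the three factors in the denominator of P_f are non-zero, so there
    P_f(x,y,z) = 0 iff f(x)+f(y)+f(z)+f(x+y+z) = 0, and likewise for t.  A point
    of X off V is therefore a quadruple of pairwise distinct x, y, z, t with
    x+y+z+t != 0 satisfying both numerator equations (Lemma 2 (ii)).  Returns
    such a point, or None when X(F_q) is contained in V.  By Theorem 3 a point
    exists iff delta(f) > 4.
    """
    q = field.q
    for x in range(q):
        for y in range(x + 1, q):          # both equations are symmetric in x, y
            s = x ^ y                      # s = x + y, the alpha of Lemma 2
            base = table[x] ^ table[y]
            # every z distinct from x, y with f(x)+f(y)+f(z)+f(x+y+z) = 0
            zs = [z for z in range(q)
                  if z != x and z != y and base ^ table[z] ^ table[s ^ z] == 0]
            for i, z in enumerate(zs):
                for t in zs[i + 1:]:       # t != z; symmetric in z, t as well
                    if s ^ z ^ t:          # x + y + z + t != 0: off the plane H_7
                        return (x, y, z, t)
    return None


def verify_theorem_3(field, table):
    """Return (delta(f), point): Theorem 3 says point is None iff delta(f) <= 4."""
    return differential_uniformity(field, table), point_of_X_outside_V(field, table)


if __name__ == "__main__":
    F256, F16 = GF2m(8), GF2m(4)
    print("delta(x^-1) on GF(2^8):", differential_uniformity(F256, inverse_map(F256)))
    for name, tbl in (("x^3", power_map(F16, 3)), ("x^-1", inverse_map(F16)),
                      ("x^15", power_map(F16, 15))):
        print("GF(2^4), f =", name, "->", verify_theorem_3(F16, tbl))
```

On $\mathbb F_{16}$ the monomial $x^{15}$ (the case $d = 2^r - 1$ with $r = 4$) takes the value 1 on every non-zero element, so $\beta = 0$ has 14 solutions and the search returns a point of $X$ off $V$, while $x^3$ and $x^{-1}$ give $\delta = 2$ and $\delta = 4$ with no such point.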

3. Monomial functions with $\delta \le 4$

If the function $f$ is a monomial of degree $d > 3$, $f(x) = x^d$, then the polynomials $P_f(x,y,z)$ and $P_f(x,y,t)$ are homogeneous polynomials and we can consider the intersection $X$ of the projective cones $S_1$ and $S_2$ of dimension 2 defined respectively by $P_f(x,y,z) = 0$ and $P_f(x,y,t) = 0$, with projective coordinates $(x : y : z : t)$ in the projective space $\mathbb P^3(\mathbb F_q)$. Even if $X$ is now a projective algebraic subset of the projective space $\mathbb P^3(\mathbb F_q)$, Theorem 3 tells us also that

$$\delta(f) \le 4 \text{ if and only if } X(\mathbb F_q) \subset V,$$

where $V$ is the hypersurface of $\mathbb P^3(\mathbb F_q)$ defined by Equation (1). Indeed, the algebraic sets $X$ and $V$ in this section are closely related to but not equal to the sets $X$ and $V$ of the previous section. The set $X$ of this section (resp. $V$) is the set of lines through the origin of the set $X$ (resp. $V$) of the previous section, which is invariant under homotheties with center the origin. For convenience, we keep the same notations.

Lemma 4. The projective algebraic set $X$ has dimension 1, i.e. it is a projective curve.

Proof. We have to show that the projective surfaces $S_1$ and $S_2$ do not have common irreducible components. Since $S_1$ and $S_2$ are two cones, it is enough to prove that the vertex of one of the cones doesn't lie in the other cone. The coordinates of the vertex of the cone $S_2$ are $(0:0:1:0)$. To show that it doesn't lie in $S_1$, we will prove that $P_f(0:0:1:0) \neq 0$. Indeed, $S_1$ is defined by the polynomial

$$P_f(x,y,z) = \frac{x^d + y^d + z^d + (x+y+z)^d}{(x+y)(x+z)(y+z)}.$$

Setting $x + y = u$, we obtain

$$P_f(x,y,z) = \frac{x^d + (x+u)^d + z^d + (u+z)^d}{u\,(x+z)(x+u+z)},$$

which gives

$$P_f(x,y,z) = \frac{x^{d-1} + z^{d-1} + u\,Q(x,z)}{(x+z)(x+u+z)},$$

where $Q$ is some polynomial in $x$ and $z$. This expression takes the value 1 at the point $(0:0:1:0)$. □

Now we know that $X$ is a projective curve in $\mathbb P^3(\mathbb F_q)$, and in order to estimate its number of rational points over $\mathbb F_q$, we must determine its irreducibility. We will prove that the curve $C_7$, defined as the intersection of $S_2$ with the projective plane $H_7$ of equation $x+y+z+t = 0$, is an absolutely irreducible component of $X$, and hence that $X$ is reducible.

Proposition 5. The intersection of the curve $X$ with the plane $H_7$ with the equation $x+y+z+t = 0$ is equal to the curve $C_7 := S_2 \cap H_7$.

Proof. Since $X = S_1 \cap S_2$, it is enough to prove that $C_7 \subset S_1$. Since $t = x+y+z$, the points of intersection of the cone $S_2$ with the plane $x+y+z+t = 0$ satisfy

$$0 = P_f(x,y,t) = \frac{x^d + y^d + t^d + (x+y+t)^d}{(x+y)(x+t)(y+t)} = \frac{x^d + y^d + (x+y+z)^d + z^d}{(x+y)(y+z)(x+z)} = P_f(x,y,z),$$

so they belong to $S_1$. □

Proposition 6. The projective curve $C_7$ is isomorphic to the projective plane curve $C$ with equation

$$P_f(x,y,z) = \frac{x^d + y^d + z^d + (x+y+z)^d}{(x+y)(x+z)(y+z)} = 0.$$

Proof. The projection from the vertex of the cone $S_1$ defines an isomorphism of the projective plane $H_7$ with equation $x+y+z+t = 0$ onto the plane with equation $t = 0$, and it maps $C_7$ onto the curve $C$ with equation $P_f(x,y,z) = 0$. □

Proposition 7. Let $C$ be a plane curve of degree $\deg(C)$ which is not contained in $V$. Then

$$\#(C \cap V)(\mathbb F_q) \le 7\deg(C).$$

Proof. The variety $V$ is the union of seven projective planes. Each plane cannot contain more than $\deg(C)$ points of $C$, therefore $V$ contains at most $7\deg(C)$ rational points of $C$. □

In order to get a lower bound for the number of rational points over $\mathbb F_q$ on the curve $C$, hence on the curve $X$, we need to know if $C$ is absolutely irreducible or not. This question has been discussed by H. Janwa, G. McGuire and R. M. Wilson in [14] and very recently by F. Hernando and G. McGuire in [10].

Proposition 8. If $d = 2^r - 1$ with $r \ge 3$, then the projective curve $X$ has an absolutely irreducible component $C'$ defined over $\mathbb F_2$ in the plane $x+z+t = 0$, and this component $C'$ is isomorphic to the curve $C$.

Proof. One checks that the intersection of the cone $S_1$ with the plane $x+z+t = 0$ is the same as the intersection of the cone $S_2$ with that plane. Hence one can show, as in Proposition 6, that the intersection of the curve $X$ with the plane $x+z+t = 0$ is isomorphic to the curve $C$. Furthermore, it is proved in [14] that the curve $C$ is absolutely irreducible, since the degree $d = 2^r - 1$ satisfies $d \equiv 3 \pmod 4$. □

Hence we can state:

Theorem 9. Consider the function $f : \mathbb F_q \to \mathbb F_q$ defined by $f(x) = x^d$ with $d = 2^r - 1$ and $r \ge 3$. If $5 \le d$ …

Proof. The curve $C'$ is an absolutely irreducible plane curve of arithmetic genus $\pi_C = (d-4)(d-5)/2$. According to [1] (see also [2] for a more general statement), the number of rational points of the (possibly singular) absolutely irreducible curve $C'$ satisfies

$$|\#C'(\mathbb F_q) - (q+1)| \le 2\pi_C\, q^{1/2}.$$


Hence

$$\#C'(\mathbb F_q) \ge q + 1 - 2\pi_C\, q^{1/2}.$$

The maximum number of rational points on the curve $C'$ on the surface $V$ is $7(d-3)$ by Proposition 7. If $q + 1 - 2\pi_C\, q^{1/2} > 7(d-3)$, then $C'(\mathbb F_q) \not\subset V$, therefore $X(\mathbb F_q) \not\subset V$, and $\delta(f) > 4$ by Theorem 3. But this condition is equivalent to

$$q - 2\pi_C\, q^{1/2} - 7(d-3) + 1 > 0.$$

The condition is satisfied when

$$q^{1/2} > \pi_C + \sqrt{7(d-3) - 1 + \pi_C^2},$$

hence when $q \ge d^4 - 18d^3 + 121d^2 - 348d + 362$, or $5 \le d$ …

4. Polynomial functions with $\delta \le 4$

If the function $f$ is a polynomial of one variable with coefficients in $\mathbb F_q$ of degree $d > 3$, we consider again, as in Section 3, the intersection $X$ of $S_1$ and $S_2$, which are now cylinders in the affine space $\mathbb A^4(\mathbb F_q)$ with equations respectively $P_f(x,y,z) = 0$ and $P_f(x,y,t) = 0$, and which are of dimension 3 as affine varieties.

Lemma 10. The algebraic set $X$ has dimension 2, i.e. it is an affine surface. Moreover, it has degree $(d-3)^2$.

Proof. We have to show that the hypersurfaces $S_1$ and $S_2$ do not have a common irreducible component. Since these hypersurfaces are two cylinders, it is enough to prove that the polynomial defining $S_1$ does not vanish on the whole of a straight line $(x_0, y_0, z, t_0)$ where $x_0, y_0, t_0$ are fixed and satisfy $P_f(x_0,y_0,t_0) = 0$. Indeed, $S_1$ is defined by the polynomial $P_f(x,y,z)$, which takes the value

$$P_f(x_0,y_0,z) = \frac{f(x_0)+f(y_0)+f(z)+f(x_0+y_0+z)}{(x_0+y_0)(x_0+z)(y_0+z)}$$

at the point $(x_0,y_0,z,t_0)$. If we set $x_0 + y_0 = s_0$, the homogeneous term of degree $d_i$ in $P_f(x,y,z)$ becomes

$$\frac{d_i\,(x_0^{d_i-1} + z^{d_i-1}) + s_0\, Q_i(x_0,z)}{(z+s_0+x_0)(z+x_0)}$$

where $Q_i$ is a polynomial in $x_0$ and $z$ of degree $d_i - 2$. If $d_i$ is odd, the numerator of this term is of degree $d_i - 2$, and hence does not vanish, so it is the same for the polynomial $P_f(x_0,y_0,z)$. Hence, $X$ has dimension 2. Moreover, $X$ is the intersection of two hypersurfaces of degree $d-3$, thus it has degree $(d-3)^2$. □

The surface $X$ is reducible. Let $X = \bigcup_i X_i$ be its decomposition in absolutely irreducible components. We embed the affine surface $X$ into a projective space $\mathbb P^4(\mathbb F_q)$ with homogeneous coordinates $(x:y:z:t:u)$. Consider the hyperplane at infinity $H_\infty$ defined by the equation $u = 0$ and let $X_\infty$ be the intersection of the projective closure $\overline{X}$ of $X$ with $H_\infty$. Then $X_\infty$ is the intersection of two surfaces in this hyperplane, which

are respectively the intersections $S_{1,\infty}$ and $S_{2,\infty}$ of the cylinders $S_1$ and $S_2$ with that hyperplane. The homogeneous equations of $S_{1,\infty}$ and $S_{2,\infty}$ are

$$P_{x^d}(x,y,z) = \frac{x^d + y^d + z^d + (x+y+z)^d}{(x+y)(x+z)(y+z)}$$

and

$$P_{x^d}(x,y,t) = \frac{x^d + y^d + t^d + (x+y+t)^d}{(x+y)(x+t)(y+t)}.$$

By Proposition 8, the intersection of the curve $X_\infty$ with the plane $x+z+t = 0$ (inside the hyperplane at infinity) is an absolutely irreducible component $C'$ of the curve $X_\infty$ of multiplicity 1, defined over $\mathbb F_2$. So the only absolutely irreducible component of $\overline{X}$, say $X_1$, which contains $C'$ is defined over $\mathbb F_q$.

Proposition 11. Let $\mathcal X$ be an absolutely irreducible projective surface of degree $> 1$. Then the maximum number of rational points on $\mathcal X$ which are contained in the hypersurface $V \cup H_\infty$ is

$$\#(\mathcal X \cap (V \cup H_\infty))(\mathbb F_q) \le 8(\deg(\mathcal X)\, q + 1).$$

Proof. As $\deg(\mathcal X) > 1$, the surface $\mathcal X$ is not contained in any hyperplane. Thus, a hyperplane section of $\mathcal X$ is a curve of degree $\deg(\mathcal X)$. Using the bound on the maximum number of rational points on a general hypersurface of given degree proved by Serre in [19], we get the result. □

Theorem 12. Let $q = 2^m$. Consider a function $f : \mathbb F_q \to \mathbb F_q$ of degree $d = 2^r - 1$ with $r \ge 3$. If $31 \le d$ … 4. For $d < 31$, we get $\delta(f) > 4$ for $d = 7$ and $m \ge 22$, and also if $d = 15$ and $m \ge 30$.

Proof. From an improvement of a result of S. Lang and A. Weil [15] proved by S. Ghorpade and G. Lachaud [11, Section 11], we deduce

$$|\#X_1(\mathbb F_q) - q^2 - q - 1| \le \big((d-3)^2 - 1\big)\big((d-3)^2 - 2\big)\, q^{3/2} + 36(2d-3)^5\, q \le (d-3)^4\, q^{3/2} + 36(2d-3)^5\, q.$$

Hence

$$\#X_1(\mathbb F_q) \ge q^2 + q + 1 - (d-3)^4\, q^{3/2} - 36(2d-3)^5\, q.$$

Therefore, if $q^2 + q + 1 - (d-3)^4 q^{3/2} - 36(2d-3)^5 q > 8((d-3)q + 1)$, then $\#X(\mathbb F_q) \ge \#X_1(\mathbb F_q) > 8((d-3)q + 1)$, and hence $X_1(\mathbb F_q) \not\subset V \cup H_\infty$ by Proposition 11. As $X$ is the set of affine points of the projective surface $\overline{X}$, we deduce that $X(\mathbb F_q) \not\subset V$ and so the differential uniformity of $f$ is at least 6 from Theorem 3. This condition can be written

$$q - (d-3)^4\, q^{1/2} - 36(2d-3)^5 - 8(d-3) > 0.$$

This condition is satisfied when

$$q^{1/2} > d^4 - 12d^3 + 54d^2 + 1044d + 5265 + 25920/d$$

if $d \ge 2$, or $d$ …


References

[1] Y. Aubry and M. Perret, A Weil theorem for singular curves, Arithmetic, Geometry and Coding Theory (Luminy, 1993), Walter de Gruyter, Berlin, New York, 1996, 1–7.
[2] Y. Aubry and M. Perret, On the characteristic polynomials of the Frobenius endomorphism for projective curves over finite fields, Finite Fields and Their Applications 10 (2004), no. 3, 412–431.
[3] T. P. Berger, A. Canteaut, P. Charpin and Y. Laigle-Chapuy, On almost perfect nonlinear functions over $\mathbb F_{2^n}$, IEEE Trans. Inform. Theory 52 (2006), no. 9, 4160–4170.
[4] C. Bracken and G. Leander, New families of functions with differential uniformity of 4, to be published in the proceedings of the workshop BFCA08, Copenhagen, 2008.
[5] C. Bracken and G. Leander, A highly nonlinear differentially 4-uniform power mapping that permutes fields of even degree, preprint, arXiv:0901.1824v1.
[6] L. Budaghyan, C. Carlet and G. Leander, Two classes of quadratic APN binomials inequivalent to power functions, IEEE Trans. Inform. Theory 54 (2008), 4218–4229.
[7] L. Budaghyan, C. Carlet and A. Pott, New constructions of almost perfect nonlinear and almost bent functions, Proceedings of the Workshop on Coding and Cryptography 2005 (P. Charpin and Ø. Ytrehus, eds.), 2005, 306–315.
[8] A. Canteaut, Differential cryptanalysis of Feistel ciphers and differentially $\delta$-uniform mappings, Selected Areas in Cryptography, SAC'97, Ottawa, Canada, 1997, 172–184.
[9] C. Carlet, P. Charpin and V. Zinoviev, Codes, bent functions and permutations suitable for DES-like cryptosystems, Designs, Codes and Cryptography 15 (1998), no. 2, 125–156.
[10] F. Hernando and G. McGuire, Proof of a conjecture on the sequence of exceptional numbers, classifying cyclic codes and APN functions, arXiv:0903.2016v1 [cs.IT] (math.AG), 11 March 2009.
[11] S. R. Ghorpade and G. Lachaud, Étale cohomology, Lefschetz theorems and number of points of singular varieties over finite fields, Mosc. Math. J. 2 (2002), no. 3, 589–631.
[12] R. Hartshorne, Algebraic Geometry, Graduate Texts in Math. 52, Springer-Verlag, 1977.
[13] H. Janwa and R. M. Wilson, Hyperplane sections of Fermat varieties in $\mathbb P^3$ in char. 2 and some applications to cyclic codes, Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, Proceedings AAECC-10 (G. Cohen, T. Mora and O. Moreno, eds.), Lecture Notes in Computer Science 673, Springer-Verlag, New York/Berlin, 1993.
[14] H. Janwa, G. McGuire and R. M. Wilson, Double-error-correcting cyclic codes and absolutely irreducible polynomials over GF(2), J. Algebra 178 (1995), 665–676.
[15] S. Lang and A. Weil, Number of points of varieties in finite fields, Amer. J. Math. 76 (1954), 819–827.
[16] K. Nyberg, Differentially uniform mappings for cryptography, Advances in Cryptology, Eurocrypt '93 (Lofthus, 1993), Lecture Notes in Comput. Sci. 765, Springer, Berlin, 1994, 55–64.
[17] F. Rodier, Bornes sur le degré des polynômes presque parfaitement non-linéaires, Contemporary Math. 487 (2009), 169–181; arXiv:math/0605232v3 [math.AG], 2 May 2008.
[18] F. Rodier, Bounds on the degrees of APN polynomials, to be published in the proceedings of the workshop BFCA08, Copenhagen, 2008.
[19] J.-P. Serre, Lettre à M. Tsfasman, Astérisque 198-199-200 (1991), 351–353.
[20] J. F. Voloch, Symmetric cryptography and algebraic curves, Algebraic Geometry and its Applications, Ser. Appl. 5, World Sci. Publ., Hackensack, NJ, 2008, 135–141.

Institut de Mathématiques de Toulon, Université du Sud Toulon-Var, France, and Institut de Mathématiques de Luminy, Marseille, France.
E-mail address: [email protected] and [email protected]


Computing Hironaka’s invariants: Ridge and Directrix

J´er´emy Berthomieu, Pascal Hivert, and Hussein Mourtada

Abstract. In this note we present Hironaka's invariants as developed by Giraud: the ridge and the directrix. We give an effective definition and a functorial one and show their equivalence. The fruit is an effective algorithm that computes the additive generators of the “ridge”, and the generators of its invariant algebra.

Introduction

The problem of the resolution of singularities has made tremendous progress thanks to Hironaka's contribution. In this article, we want to present some objects that he introduced to resolve singularities; in particular we compute the subtle invariant: the ridge (the notion “ridge” is “faîte” in the original French literature). Take an ideal $I \subset R$, for instance $R$ a polynomial ring (or a localization thereof) over any field. Take $x \in \operatorname{Spec}(R/I)$. The directrix and the ridge live in the tangent cone at $x$. The directrix is a vector space, the ridge an additive group. These two objects are determined by the isomorphism class of $R/I$ alone. Even more, these invariants “commute with smooth morphisms” [5]. In particular, for any isomorphism $\varphi : R/I \to S/J$, both $R/I$ and $S/J$ have isomorphic tangent cone, directrix and ridge at $x$ and $\varphi(x)$. Giraud shows in [5] that the ridge is the tangent cone of a “maximal contact variety” (see [9]). The ridge, as we will see, is generated by additive polynomials. In characteristic 0, this means that the ridge is a linear space, therefore a “maximal contact variety” is smooth. In characteristic $p > 0$, additive polynomials may not be linear, therefore the ridge may not be linear and a “maximal contact variety” may not be smooth. This is the crucial reason why Hironaka's proof does not generalize for free to positive characteristic. This generates a major difficulty, still not overcome in the desingularization problem. Another difficulty is that if you blow up a singular variety $X$ along a singular point $x \in X$, the points “near” to $x$ are on the Proj of the ridge of the tangent cone. In [8], Hironaka shows that, in characteristic $p > 0$, there are examples of points “near” to $x$ which are not on the Proj of the directrix of the tangent cone. In the 70's a large literature about “Hironaka's groups” appeared: people tried to classify the cases where “near” points are not on the Proj of the directrix of the tangent cone. The ridge and “Hironaka's groups” are closely related, but we do not want to say more about this classification problem, which is known to be quite difficult. Nowadays, the ridge seems to be forgotten, though it is a very interesting object. The contribution of this paper is the computation of a basis of the ideal of the ridge whose elements are additive polynomials. Indeed, in [4, 5], Giraud shows how to compute a set of generators of this ideal, but they are not additive polynomials in general: see Example 3.7. We also hope that we have clarified Giraud's proofs.

Key words and phrases. Algebraic geometry, invariants, resolution of singularities. AMS Classification 32S45, 14Q99, 14L30.

© 2010 American Mathematical Society

Acknowledgement. V. Cossart¹ gave a talk on this topic in Geocrypt² and he initiated us into a working group about desingularization in positive characteristic. He is at the origin of this work; we would like to thank him for his helpful remarks. The authors are very grateful to both referees for their constructive comments about this paper.

1. Notation and prerequisites, naive definitions of Ridge and Directrix

Until the end of this article, $k$ denotes a field of any characteristic. We give in this section an overview of cones, ridges and directrices. A linear space of dimension $n$ is $\mathbb A^n := \operatorname{Spec} R$, where $R := k[X_1,\dots,X_n]$. A cone $C$ embedded in $\mathbb A^n$ is given as $\operatorname{Spec} k[X_1,\dots,X_n]/I$ where $I \subset k[X_1,\dots,X_n]$ is a homogeneous ideal.

Definition 1.1 (Directrix). The directrix of $C$ is the linear space of equations in $Y_1,\dots,Y_\tau$, the smallest set of linear forms such that

$$(1.1) \qquad I = (I \cap k[Y_1,\dots,Y_\tau])\, k[X_1,\dots,X_n].$$

In a few words, the smallest list of variables needed to define $I$. Geometrically, there are linear subspaces $W \subset \mathbb A^n$ such that $C + W = C$ (take $W = 0$ for instance), and if $W_1$ and $W_2$ are such, then so is $W_1 + W_2$. The directrix corresponds to the biggest linear subspace $W$ of $\mathbb A^n$ such that $C + W = C$.

Definition 1.2 (Naive definition of the ridge). The ridge [8] of $C$ is the additive space of equations in $P_1,\dots,P_e$, the smallest set of additive polynomials such that

$$(1.2) \qquad I = (I \cap k[P_1,\dots,P_e])\, k[X_1,\dots,X_n].$$

This definition looks inconsistent; existence is not clear. Consistency is given in Section 2.2. Obviously, the directrix and the ridge coincide in characteristic 0, but in characteristic $p > 0$ they are in general different. In this paper, following Giraud [4, 5], we show that it is easy to compute the ridge (easier than the directrix). Let us note that the ridge has good properties (it commutes with base change, for example) that the directrix does not have. For instance, suppose that $k$ has characteristic $p > 0$ and that $\lambda \in k$ is not a $p$-th power; take $I = (X^p + \lambda Y^p)\, k[X,Y]$. Then the directrix is $V(X,Y)$ and the ridge is $V(I)$, where $V(I)$ stands for the variety defined by the ideal $I$. Change $k$ into $\hat k$, its algebraic closure; then the directrix is $V(X + \sqrt[p]{\lambda}\, Y)$ while the ridge is still $V(I)$.

¹ Université de Versailles–St-Quentin-en-Yvelines, CNRS LMV, UMR 8100.
² Geocrypt 2009.


2. The Ridge: formal definition, main properties

2.1. Ridge as a functor. Let $\mathbb A^n_k$ be the $n$-dimensional affine space over $k$. As above let $C$ be the cone defined in $\mathbb A^n_k$ by the homogeneous ideal $I$, and let $G$ be the quotient $R/I$. The natural $k$-algebra homomorphism

$$\Delta : k[X_1,\dots,X_n] \to k[X_1,\dots,X_n] \otimes k[Y_1,\dots,Y_n], \qquad X_i \mapsto X_i + Y_i$$

gives $\mathbb A^n_k$ the natural structure of a group scheme. We will call $+$ the law that it defines. If we see $\mathbb A^n_k$ as its functor of points, then we can define the sub-functor $F$ from the category of Schemes over $k$ to the category of Sets as follows: for a $k$-Scheme $S$, $F(S)$ is the subset of the $S$-points $v$ in $\mathbb A^n_k$ such that $v + c \in C(S)$ for every $S$-point $c$ of $C(S)$.

Now, we give some consequences of the definition. Let $S$ be a $k$-Scheme. Firstly, $0$ is an $S$-point which lies in $C(S)$, so for all $v$ in $F(S)$, $0 + v$ is an element of $C(S)$, that is to say $F(S) \subset C(S)$. Therefore, seen as functors, $F$ is a subset of $C$. Secondly, $F(S)$ is a group scheme. The $S$-point $0$ lies trivially in $F(S)$. Let $v$ and $w$ be two $S$-points in $F(S)$; the definition ensures that translations by $v$ and $w$ send the cone $C(S)$ to itself, so the composition, which is just the translation by $v + w$, has the same property. This forces $v + w$ to be in $F(S)$. Moreover, the inverse of the translation by $v$, which is the translation by $-v$, preserves $C(S)$, that is to say $-v \in F(S)$.

Proposition-Definition 2.1. The functor $F$ is representable by a scheme $F$. We call this scheme the ridge of $C$. The remarks above say that $F$, the ridge of $C$, is a group scheme, subscheme of $C$, so the ridge of $F$ (seen as a subscheme of $C$) is the ridge $F$.

Proof. 1. Let $N$ be the maximum degree of a set of generators $f_1,\dots,f_m$ of $I$. Let $G_\ell$ be the homogeneous component of degree $\ell$ of $G$ ($G$ is a graded algebra because $I$ is homogeneous). Let $H := \bigoplus_{\ell \le N} G_\ell$, a $k$-vector space of finite dimension; we can find a $k$-basis of $H$ formed by monomials $e_\ell$, $\ell \in \Lambda$. It is easy to compute it: $f_i = X^{A_i} + \sum_{B} \lambda_B X^B$, so $H$ is spanned by monomials $X^B$, $B \in \mathbb{N}^n$.

$s : R \longrightarrow R \otimes_k R \longrightarrow R \otimes_k G$,

where the first morphism is $\Delta$ and the second morphism is the canonical one. For every $d \in \mathbb{N}$, $d \le N$, and $f \in I_d$, $s(f)$ is homogeneous of degree $d$, therefore $s(f) \in R \otimes H$ and it can be uniquely written

$s(f) = \sum_{\ell \in \Lambda} s_\ell(f) \otimes e_\ell$, with $s_\ell(f) \in R_{d - \deg(e_\ell)}$.

This follows from the fact that $R \otimes_k H$ is a free $R$-module generated by the $1 \otimes e_\ell$'s. Now, $f_1,\dots,f_m$ span $I$, so we define $J$ as the ideal generated by the $s_\ell(f_i)$, $\ell \in \Lambda$, $1 \le i \le m$.

3. Claim. The subscheme of $\mathbb{A}^n_k$ defined by $J$ represents the functor $F$. Indeed, it is sufficient to verify that for a $k$-algebra $B$, the functor of points of $\mathrm{Spec}(R/J)$

JÉRÉMY BERTHOMIEU, PASCAL HIVERT, AND HUSSEIN MOURTADA

applied to $B$ coincides with $F(B)$. The data of a $B$-point of $\mathbb{A}^n_k$ is equivalent to the data of a homomorphism $v : R \longrightarrow B$, which gives rise to

$R \xrightarrow{\ \Delta\ } R \otimes_k R \longrightarrow R \otimes_k G \xrightarrow{\ v \otimes 1\ } B \otimes G$.

If we want the translation by $v$ to map $\mathcal{C}$ into $\mathcal{C}$, i.e. $v$ to belong to $F(B)$, then $(v \otimes 1) \circ s$ must annihilate $I$. This means that $I$ should be in the kernel of $(v \otimes 1) \circ s$, and therefore the image of the translation by $v$ is included in $\mathcal{C}$. This is equivalent to $(v \otimes 1) \circ s(f) = \sum_{\ell \in \Lambda} v(s_\ell(f)) \otimes e_\ell = 0$ for every $f \in I_d$, $d \le N$. But since $B \otimes_k H$ is free with basis $1 \otimes e_\ell$, $\ell \in \Lambda$, this is equivalent to $v(s_\ell(f)) = 0$; therefore $v$ factors through $R/J$ and it is an $R/J$-point. □

Recall that $F$ is an additive group and that there is no reason for the $s_\ell(f_j)$'s to be additive polynomials in the general case. The idea of Giraud is to find a condition on $f_1,\dots,f_m$ that guarantees this property. We define, by the Taylor formula, the derivations $D^X_A f$, $A \in \mathbb{N}^n$, of a homogeneous polynomial $f$ of degree $s$ by

$f(X + Y) = \sum_{A \in \mathbb{N}^n,\ |A| \le s} D^X_A f(X)\, Y^A$.

These derivations $D^X_A$ are known as "Hasse-Schmidt" derivations.

Notations 2.2. From now on, we will only use the graded lexicographic order (grlex). Hence "Gröbner basis" will always mean "Gröbner basis with respect to the grlex order". The ideal of the ridge will be denoted by $J$. For any $P = \sum_{A \in \mathbb{N}^n} \lambda_A X^A \in k[X]$, $P \ne 0$, $\exp(P)$ is the greatest $A$ such that $\lambda_A \ne 0$. For any homogeneous ideal $I \ne \{0\}$ in $k[X]$, the set $\{\exp(P);\ P \in I - \{0\}\}$ is denoted $\exp(I)$ and is called the exponent of the ideal $I$.

Corollary 2.3 (Giraud). If $f_1,\dots,f_m$, the homogeneous generators of $I$, satisfy $D^X_A f_i = 0$ for $A \in \exp(I)$ and $|A| < \deg(f_i)$, then $J$ is spanned by the $D^X_A f_i$'s with $A \in \mathbb{N}^n$, $|A| < \deg(f_i)$.

Proof. We keep the same notations as in Proposition 2.1 and we identify $R \otimes_k R$ with $k[X,Y]$. Let $\bar Y_i$ be the class of $Y_i$ in $R \otimes_k R/I$. Since the $Y^A$'s, $A \notin \exp(I)$, represent a $k$-basis of $R/I$, the $\bar Y^A$'s, $A \notin \exp(I)$, give a basis of the free $R$-module $R \otimes_k R/I$. So, with respect to this basis and using the Taylor formula, we have that the $s_\ell(f)$'s defined above are the $D^X_A f_i$'s, when the $f_i$'s are as above. □

Definition 2.4. A basis of $I$ which verifies the hypothesis of Lemma 2.3 will be called a "Giraud basis" of the cone. By the definition of the Hasse-Schmidt derivations above, for $f \in R$ we have

(2.1) $f(X + Y) - f(X) - f(Y) = \sum_{0 < |A| < \deg f} D^X_A f(X)\, Y^A$.

(2.2) $U = \{ f \in R \mid f(X + Y) - f(Y) \in J \otimes_k k[Y] \}$.

Clearly this is a subalgebra of $R$, and it is the invariant algebra of the ridge in $\mathbb{A}^n_k$.


Indeed, since the diagonal morphism from $R$ to $R \otimes_k R$ identifies with $k[X] \to k[X,Y]$, $f(X) \mapsto f(X + Y)$, $U$ is the algebra of functions on $\mathbb{A}^n_k$ such that for every $k$-scheme $S$ and every $S$-point $(u,v)$ of $F \times_k \mathbb{A}^n_k$ we have $f(u + v) = f(u)$. Let us call $\Pi$ the following morphism:

$\Pi : R \to R \otimes_k R \to R/J \otimes_k R$, $f(X) \mapsto f(Y) \mapsto f(Y)$.

Elements of $U$ are those whose images by $\Delta$ and by $\Pi$ are the same, hence $U$ is the kernel of $\Delta - \Pi$. This means it is the kernel of the double morphism $(\Delta, \Pi)$. Since $R$ has a graded structure, $U$ inherits a graded structure as well, and from Formulae (2.1) and (2.2), for $d \in \mathbb{N}$ we have

(2.3) $U_d = \{ f \in J_d \mid D^X_A f \in J_{d'},\ d' \le d,\ d' = d - |A| \}$.

By the Taylor formula, for all $f \in U_d$ and for all multi-indices $A$ with $|A| \le d$, $D^X_A f \in U_{d - |A|}$.

Lemma 2.6. With notations as above, let $H$ be a $k$-graded subalgebra of $k[X]$; then the following assertions are equivalent.
(1) For all $f \in H_d$ and all multi-indices $A$ with $|A| \le d$, $D^X_A f \in H_{d - |A|}$.
(2) There exist additive homogeneous polynomials $\theta_1,\dots,\theta_s,\dots$ such that

$H = k[\theta_1,\dots,\theta_s,\dots]$.

Furthermore, in positive characteristic $p$, if the conditions above are fulfilled, then up to a re-indexation of the variables one can take

(2.4) $\theta_i = X_i^{p^{\alpha_i}} + t_i(X_{i+1},\dots,X_n)$, $1 \le i \le s < \infty$,

$\alpha_i \le \alpha_{i+1}$, $1 \le i \le s - 1$, and $t_i$ additive polynomials in $k[X_{i+1},\dots,X_n]$.

Proof. For $1 \Rightarrow 2$, we follow Giraud's idea [4], pages I-29, 30. Let $K$ be the subalgebra of $H$ generated by all additive homogeneous polynomials. Let $N \in \mathbb{N}$ be such that $H_d = K_d$ for all $d < N$, and take $C = (0,\dots,0,p^{\beta_{i_0}},0,\dots,0)$ and $D = (0,\dots,0,p^{\beta_{i_0}}(q_{i_0} - 1),0,\dots,0)$. We have $D^X_C X^A \cdot D^X_D X^A = a X^A$, $a \in k^*$. By hypothesis, $D^X_C f \in H_{N - |C|} = K_{N - |C|}$ and $D^X_D f \in H_{N - |D|} = K_{N - |D|}$, and $A$ is the exponent of $D^X_C X^A \cdot D^X_D X^A \in K_N$. This is a contradiction, so $A$ does not exist; hence $f$ is additive.

Let us prove the converse. We denote $g = \sum_B \lambda_B \theta^B \in k[\theta_1,\dots,\theta_s,\dots]$. We have

$g(X + X') = \sum_B \lambda_B\, \theta(X + X')^B = \sum_B \lambda_B\, \bigl(\theta(X) + \theta(X')\bigr)^B = \sum_B \lambda_B \sum_{B' \le B} \binom{B}{B'}\, \theta(X)^{B - B'}\, \theta(X')^{B'}$,

so $g(X + X') = \sum_C P_C(\theta(X))\, X'^C$, with $P_C \in k[\theta_1,\dots,\theta_s,\dots]$. The next lemma applied to $I = H_{>0}$ ends the proof. □

Lemma 2.7. Let $\operatorname{char} k = p > 0$. With notations as above, let $K$ be a $k$-graded subalgebra of $k[X]$, and let $I$ be an ideal generated by a set of additive homogeneous polynomials $\varphi_1,\dots,\varphi_m,\dots$; then, up to a re-indexation of the variables, we can take

(2.5) $\theta_i = X_i^{p^{\alpha_i}} + t_i(X_{i+1},\dots,X_n)$, $1 \le i \le s \le n < \infty$,

$\alpha_i \le \alpha_{i+1}$, $1 \le i \le s - 1$, and $t_i$ additive polynomials in $k[X_{i+1},\dots,X_n]$.

Proof. We may assume $\deg(\varphi_i) \le \deg(\varphi_{i+1})$, $1 \le i \le m - 1$. By making linear combinations among the $\varphi_i$ of smallest degree, up to a re-indexation of the variables, we may assume that

(2.6) $\varphi_i = \mu_i X_i^{p^{\alpha_i}} + t_i(X_{i+1},\dots,X_n)$, with $\mu_i \ne 0$,

for the $\varphi_i$ of smallest degree.

Claim. We may assume Formula (2.4) for every $\varphi_i$. Indeed, let $i_0$ be the smallest index such that we do not have this formula for $\varphi_{i_0}$; then

$\varphi_{i_0} = \sum_{1 \le j \le m} \mu_{i_0,j}\, X_j^{p^{\alpha_{i_0}}}$,

where $\mu_{i_0,j} \in k$. Assume for instance that $\mu_{i,1} \ne 0$; then we change $\varphi_{i_0}$ into

$\varphi_{i_0,1} := \varphi_{i_0} - \frac{\mu_{i,1}}{\mu_1}\, \varphi_1^{p^{\alpha_{i_0} - \alpha_1}} \in k[X_2,\dots,X_n]$;

by an easy induction, we change $\varphi_{i_0}$ into $\varphi_{i_0,i_0-1} \in k[X_{i_0},\dots,X_n]$, and the reader ends the claim. □

Corollary 2.8. Let $U$ be $k[\theta_1,\dots,\theta_s]$; then it is a polynomial algebra in the variables $\theta_1,\dots,\theta_s$.

Proof. Left to the reader. □

Corollary 2.9. With notations as above, $R$ is a free module over $U$ with basis

$X^A$, $A = (a_1,\dots,a_n)$, $a_i < p^{\alpha_i}$


Furthermore, $\exp\bigl\{ X^A \theta^B;\ A = (a_1,\dots,a_n) \in \mathbb{N}^n,\ a_i < p^{\alpha_i},\ B \in \mathbb{N}^n \bigr\}$

$\bigoplus_{d > 0} U_d$ and $\bigoplus_{d > 0} V_d$. From Corollary 2.3, we have that $V_+ R = J$, therefore $U_+ R = V_+ R = J$. On the other hand, since $R$ is faithfully flat over $U$ (see Corollary 2.9), we have that $V_+ U = U_+$. And we deduce by induction on the degree that $V = U$. □

2.2. Naive and formal definitions coincide.

Proposition 2.11. Let $J \subset k[X_1,\dots,X_n]$ be a homogeneous ideal generated by additive polynomials; then there exists $\mathcal{G} := \{\varphi_1,\dots,\varphi_s\}$, a reduced homogeneous Gröbner basis of $J$, such that, up to a re-indexation of the variables,

(2.7) $\varphi_i = \mu_i X_i^{p^{\alpha_i}} + t_i(X_{i+1},\dots,X_n)$, with $\mu_i \ne 0$, $1 \le i \le s$,

$\alpha_i \le \alpha_{i+1}$, $1 \le i \le s - 1$, and $t_i$ additive polynomials in $k[X_{i+1},\dots,X_n]$. Furthermore, up to a re-indexation of the variables, Formula (2.7) is true for all reduced homogeneous Gröbner bases of $J$.

Proof. The first assertion is a direct consequence of Lemma 2.7: it is clear that a set of generators verifying Formula (2.4) is a reduced homogeneous Gröbner basis of $J$. □

Corollary 2.12. Let $I$ be a homogeneous ideal of $k[X_1,\dots,X_n]$, and let $\mathcal{G} := \{\gamma_1,\dots,\gamma_s\}$ be any reduced homogeneous Gröbner basis of $J$, the ideal of the ridge of $V(I)$; then

$I = (I \cap k[\gamma_1,\dots,\gamma_s])\,k[X_1,\dots,X_n]$,

$U = k[\gamma_1,\dots,\gamma_s]$, and if $K$ is a $k$-algebra generated by additive polynomials such that

(2.8) $I = (I \cap K)\,k[X_1,\dots,X_n]$,

then $U \subset K$.

Proof. Let $(f_1,\dots,f_m)$ be a Giraud basis of $I$; by Lemma 2.3, the $D^X_A f_i$'s generate $U$, so Proposition 2.10 forces the existence of a reduced Gröbner basis $(\theta_1,\dots,\theta_s)$ of $J$ of the form

$\theta_i = X_i^{p^{\alpha_i}} + t_i(X_{i+1},\dots,X_n)$.

It follows that $(\theta_1,\dots,\theta_s)$ is a basis of $U$ as a $k$-algebra. Now, the particular case $A = 0$ gives that the $f_i$'s are elements of $U$, so $I = (I \cap U)\,k[X_1,\dots,X_n]$. Furthermore, as the ridge of $J$ is $J$, if $\mathcal{G} := \{\mu_1,\dots,\mu_s\}$ is any reduced homogeneous Gröbner basis of $J$, Lemma 2.3 and Proposition 2.10 applied to $\mathcal{G}$ give that $U = k[\mu_1,\dots,\mu_s]$.


Let K be a k-algebra generated by additive polynomials such that

$I = (I \cap K)\,k[X_1,\dots,X_n]$.

We can find a basis $(g_1,\dots,g_s)$ of $I$ with $g_i \in K$, and then by Lemma 2.3 the $D^X_A g_i$'s, with $|A| < \deg f_i$, generate $U$. But Proposition 2.6 ensures that these derivations are in $K$. Finally, $U \subset K$. □

Proposition 2.13. There is a one-to-one correspondence between algebras generated by homogeneous additive polynomials contained in $k[X]$ and ideals generated by homogeneous additive polynomials of $k[X]$:

$\{\text{algebras generated by homogeneous additive polynomials}\} \longleftrightarrow \{\text{ideals generated by homogeneous additive polynomials}\}$,
$A \longmapsto A_+\,k[X]$,
$k[X]^{V(J)} \longleftarrow J$.

This correspondence preserves inclusion.

Example 2.14. Let us explain the correspondence with an example over an algebraically closed field of characteristic 3. Denote by $U$ the algebra generated by $X^3$ and $Y^3 + Z^3$. It is clear that the ideal $J$, the image of $U$ by the first arrow, is spanned by these two polynomials. For the reverse, it is enough to find the homogeneous additive polynomials in the algebra (as in the proof of Lemma 2.6). Let such a polynomial $P = \alpha X^{3^a} + \beta Y^{3^a} + \gamma Z^{3^a}$ be in this algebra. We have

$P(X' + X) - P(X') = \alpha X^{3^a} + \beta Y^{3^a} + \gamma Z^{3^a}$.

So the condition $P(X + X') - P(X') \in J \otimes k[X']$ implies $\beta = \gamma$, that is to say $P = \alpha X^{3^a} + \beta\,(Y^{3^a} + Z^{3^a})$. This algebra is also equal to $U$.

Proof. The first arrow is well-defined. The construction of the second arrow is a consequence of Lemma 2.7 and Corollary 2.8. The bijection is easy to verify. □

Corollary 2.15. Let $I_1$ and $I_2$ be homogeneous ideals of $k[X_1,\dots,X_n]$; the following assertions are equivalent:

(1) the ridge of $I_2$ contains (as a subscheme) the ridge $J_1$ of $I_1$;
(2) $I_2 = (I \cap k[\theta_1,\dots,\theta_s])\,k[X_1,\dots,X_n]$, where $\mathcal{G} := (\theta_1,\dots,\theta_s)$ is any reduced homogeneous Gröbner basis of $J_1$.

Proof. Left to the reader. □

Now the reader should be convinced that the naive definition 1.2 and the formal definition 2.1 of the ridge coincide.

3. An algorithm to compute the ridge and the directrix

3.1. An algorithm to compute a "Giraud basis" of the cone. We want to point out that a "Giraud basis" is far from a "reduced Gröbner basis". Let us give an example to explain this.

Example 3.1. $I = (f_1, f_2) \subset k[X,Y]$ where $f_1 = XY$, $f_2 = X^3 + Y^3$. Then $(f_1, f_2)$ is a "Giraud basis" and not a "reduced Gröbner basis", while $(f_1, f_2, f_3 = Y^4)$ is a "reduced Gröbner basis".


Remark 3.2. A reduced Gröbner basis of the cone truncated to the degree of the greatest given generator is a "Giraud basis". We use this easy remark. Our algorithm to compute a "Giraud basis" is almost a Gröbner basis algorithm, except that we discard any computed S-polynomial whose degree is greater than that of the greatest given generator. Actually, since we can know the degree of an S-polynomial before calculating it (recall that all our polynomials are homogeneous), if the degree doesn't match our condition we skip the computing part. Although they have not been implemented, any known improvement for computing a Gröbner basis, such as in [10, 1], can be used in this algorithm.

Algorithm 3.3. Giraud basis algorithm.
Input: homogeneous polynomials $f_1,\dots,f_m$, such that $\deg f_1 \le \dots \le \deg f_m$, generating $I$.
Output: homogeneous polynomials $g_1,\dots,g_r$, such that $\deg g_i \le \deg f_m$, generating $I$ and verifying the hypotheses of Giraud's lemma.

(1) for $i$ from 1 to $m$, $f_i \leftarrow f_i / \mathrm{lc}(f_i)$;
(2) compute a Gröbner basis of $I$, discarding the polynomials of degree higher than $\deg f_m$;
(3) minimalize and reduce this basis;
(4) return the truncated reduced Gröbner basis.

It should be noted that this kind of algorithm has already been implemented in computer algebra software such as Singular.

Example 3.4. Let $I = (f_1, f_2) \subset k[X,Y]$, where $f_1 = X$, $f_2 = X^p + Y^p$ and $p = \operatorname{char} k$. As $f_2$ is additive, $D^{(X,Y)}_A(f_2) = 0$ for all $A$ with $|A| > 0$.

In case 1, where $\operatorname{char} k = 0$, to compute the ridge (which is also the directrix by Section 1), we propose the following algorithm. Let us note that in this case, where $\operatorname{char} k = 0$, up to multiplication by invertibles the $D^X_A$'s are the usual differential operators, hence in step 2 our algorithm may apparently be improved when we have a good implementation of the $D^X_A$'s.

Algorithm 3.5. Ridge generators in characteristic 0 algorithm.
Input: $f_1,\dots,f_m$ homogeneous polynomials verifying the hypotheses of Giraud's lemma.
Output: the $D^X_A f_i$'s of degree 1 for all $i$, $1 \le i \le m$.
(1) $L \leftarrow \emptyset$;
(2) for $i$ from 1 to $m$
(a) $g_i \leftarrow f_i(X + X')$;
(b) for each monomial $X'^A$ in $g_i$

(i) $h \leftarrow \mathrm{coeff}(g_i, X'^A)$;
(ii) if $\deg h = 1$, then $L \leftarrow L \cup \{h\}$.
(3) return $L$.

Case 2 is the most interesting and the most difficult. By Giraud's Corollary 2.3, up to a change of indices on the variables, there is a basis

$\mathcal{A}_F := \langle \varphi_1, \dots, \varphi_\tau \rangle$, where $\varphi_i = X_i^{p^{q_i}} + \sum_{i+1 \le j \le n} \lambda_j X_j^{p^{q_i}}$, with $\lambda_j \in k$, $1 \le i \le \tau$, $q_1 \le q_2 \le \dots \le q_\tau$.

There is no hope that $\mathcal{A}_F \subset \mathcal{E}$; see the example below.

Lemma 3.6. With hypotheses and notations as above, let us denote

$\mathcal{E}_p := \{\psi \in \mathcal{E} \mid \deg(\psi) \text{ is a } p\text{-power}\}$.

Then $\mathcal{E}_p$ generates the ideal of the ridge. Let us note that this generalizes case 1.

Proof. We start with an example and a remark.

Example 3.7. $I = (f)$, $f = X^p + Y^{p-1}X + Z^p \in k[X,Y]$. Then

$\mathcal{E} = \{X^p + Y^{p-1}X + Z^p,\ Y^j X,\ Y^i,\ 1 \le i \le p-1,\ 0 \le j \le p-1\}$,
$\mathcal{E}_p = \{X,\ Y,\ X^p + Y^{p-1}X + Z^p\}$,
$\mathcal{A}_F = \{X,\ Y,\ Z^p\}$.

Remark 3.8. With hypotheses and notations as above, elements of minimal degree of $J$ are additive polynomials. Indeed, elements of minimal degree of $J$ are linear combinations with coefficients in $k$ of elements of minimal degree of a set of generators. As $J$ is generated by additive polynomials (by a general argument or by Proposition 3.9 below), these elements are linear combinations of additive polynomials, hence they are additive.

Let us go back to the proof of Lemma 3.6. Take any $\psi_0 \in \mathcal{E}$ of minimal degree such that $\deg(\psi_0)$ is not a $p$-power, and let $d := \deg(\psi_0)$. Then the ideals of $R$, the first generated by $\psi \in \mathcal{A}_F$, with $\deg \psi > d$ for $i > i_1$; one must have $\psi_0 \in (\varphi_1,\dots,\varphi_{i_1})$. Then replace $\mathcal{A}_F$ by $\mathcal{A}_F - \{\psi_0\}$ and make an induction on the cardinality of the set of generators. □

Proposition 3.9. Let $\mathcal{G} := (\theta_1,\dots,\theta_s)$ be a reduced homogeneous Gröbner basis of $J$, the ideal of the ridge of $V(I)$, $I$ a homogeneous ideal of $k[X_1,\dots,X_n]$, with $\deg(\theta_i) \le \deg(\theta_{i+1})$, $1 \le i \le s - 1$. Then $\theta_i$ is an additive polynomial for all $i$, $1 \le i \le s$.

Proof. By contradiction. Let $\theta_{i_0} \in \mathcal{G}$ with $i_0$ minimal such that $\theta_{i_0}$ is not an additive polynomial, and let $d = \deg(\theta_{i_0})$. Then

$$\theta_{i_0} = \sum_{\substack{B \in \mathbb{N}^n,\ |B| = d \\ B \ne (0,\dots,p^\alpha,0,\dots,0)}} \mu_B X^B + \sum_{\substack{C \in \mathbb{N}^n,\ |C| = d \\ C = (0,\dots,p^\alpha,0,\dots,0)}} \mu_C X^C,$$

where $\mu_B \in k$ and $\mu_C \in k$;

$\theta_{i_0} =: \tilde\theta_{i_0} + \bar\theta_{i_0}$, with $\tilde\theta_{i_0} \ne 0$ and $\bar\theta_{i_0}$ additive.

Let $B_0 := \exp(\tilde\theta_{i_0}) =: (b_1,\dots,b_n)$.

Claim. There exists $B'$ coordinate-wise strictly smaller than $B_0$ such that

$\psi_0 := D^X_{B'}(\theta_{i_0}) = D^X_{B'}(\tilde\theta_{i_0}) \ne 0$.

Indeed, either there exists $j$ such that $b_j \ne 0$ and $b_j < |B_0|$. Then we can take

$B' = (b_1,\dots,b_{j-1},0,b_{j+1},\dots,b_n)$

and we have $D^X_{B'}(X^{B_0}) = X_j^{b_j}$ and

$\psi_0 = \mu_{B_0} X_j^{b_j} + \sum_{B \ne B_0,\ (B - B') \in \mathbb{N}^n} \mu_B X^{B - B'}$;

or $B_0 = (0,\dots,0,p^\alpha q,0,\dots,0)$ with $q$ relatively prime to $p$ and $q$ positive. We take $B' = (0,\dots,0,p^\alpha(q-1),0,\dots,0)$, so that $D^X_{B'} X^{B_0} = (q-1) X_j^{p^\alpha}$ and

$\psi_0 = (q-1)\,\mu_{B_0} X_j^{p^\alpha} + \sum_{B \ne B_0,\ (B - B') \in \mathbb{N}^n} \mu_B X^{B - B'}$.

As the ridge of the ridge is the ridge,

$0 \ne \psi_0 \in J$. As $\deg(\psi_0) < \deg(\theta_{i_0})$, $\theta_{i_0}$ is not an element of minimal degree of $J$: $i_0 \ge 2$. By Lemma 2.3, $\psi_0 \in J$, so $\exp(\psi_0) = B_0 - B' \in \exp(\theta_1,\dots,\theta_{i_0-1})$, so $B_0 \in \exp(\theta_1,\dots,\theta_{i_0-1})$, which contradicts the reducedness of $\mathcal{G}$. □

Algorithm 3.10. Computation of the $\theta_i$'s.
Input: $f_1,\dots,f_m$ homogeneous polynomials verifying the hypotheses of Giraud's lemma.
Output: the $D^X_A f_i$'s whose degree is a $p$-power, for all $i$, $1 \le i \le m$.
(1) $L \leftarrow \emptyset$;
(2) for $i$ from 1 to $m$
(a) $g_i \leftarrow f_i(X + X')$;
(b) for each monomial $X'^A$ in $g_i$
(i) $h \leftarrow \mathrm{coeff}(g_i, X'^A)$;
(ii) if $\deg h = p^r$, then $L \leftarrow L \cup \{h\}$.
(3) return a reduced Gröbner basis of $L$.

This last algorithm gives us a sequence of $\theta_i$'s.

Remark 3.11. Calling a Gröbner basis algorithm means that all the computation will be done in $S$ instead of in $k[\theta_1,\dots,\theta_s]$. Using the techniques of Remark 2.6 and Lemma 2.7, we can find an algorithm with computations in $k[\theta_1,\dots,\theta_s]$. We do not think we can save a significant amount of time or memory with such an algorithm, which would have to compute the polynomial algebra $k[\theta_1,\dots,\theta_s]$ hidden in $k[X]$.
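Algorithms 3.5 and 3.10 both reduce to expanding $f_i(X + X')$ and reading off the coefficients $D^X_A f_i$ of the Taylor formula from Section 2. The following Python, added here as an illustration and not part of the paper, implements that expansion over $\mathbb{F}_p$ (or over $\mathbb{Z}$ when $p = 0$) together with the degree filter of steps (1)-(2); the reduced Gröbner basis of step (3) is assumed to be left to a computer algebra system and is not implemented. Run as a script it reproduces the set $\mathcal{E}_p$ of Example 3.7 for $p = 3$; the additivity test is formula (2.1).

```python
"""Hasse-Schmidt derivations D_A^X f and the p-power filter of Algorithms 3.5 / 3.10.

Added example, not the paper's code.  A polynomial in X_1, ..., X_n is a dict
mapping an exponent tuple to an integer coefficient; p > 0 means the coefficients
live in F_p, p == 0 means characteristic 0 (integer coefficients).  Step (3) of
Algorithm 3.10 (a reduced Groebner basis of the collected list) is left to a
computer algebra system and is not implemented here.
"""
from itertools import product
from math import comb


def normalize(poly, p):
    """Reduce coefficients mod p (when p > 0) and drop zero terms."""
    out = {}
    for exp, c in poly.items():
        c = c % p if p else c
        if c:
            out[exp] = c
    return out


def degree(poly):
    """Total degree of a non-zero polynomial (all inputs here are homogeneous)."""
    return max(sum(exp) for exp in poly)


def hasse_schmidt(f, p):
    """Return {A: D_A^X f} for every multi-index A with 0 <= |A| < deg f.

    D_A^X f is the coefficient of Y^A in f(X + Y).  Expanding a monomial
    X^E = prod_i (X_i + Y_i)^{e_i} by the binomial theorem gives
    D_A^X X^E = prod_i binom(e_i, a_i) X^{E - A}, so binomials divisible by p
    vanish in F_p (which is what makes X_i^{p^r} additive).
    """
    s = degree(f)
    derivs = {}
    for exp, c in f.items():
        for a in product(*(range(e + 1) for e in exp)):
            if sum(a) >= s:            # |A| = deg f only gives the constants of f(Y)
                continue
            coef = c
            for e, ai in zip(exp, a):
                coef *= comb(e, ai)
            rest = tuple(e - ai for e, ai in zip(exp, a))
            bucket = derivs.setdefault(a, {})
            bucket[rest] = bucket.get(rest, 0) + coef
    result = {}
    for a, d in derivs.items():
        d = normalize(d, p)
        if d:
            result[a] = d
    return result


def is_additive(f, p):
    """f(X+Y) = f(X) + f(Y) iff every D_A^X f with 0 < |A| < deg f vanishes (formula (2.1))."""
    return all(sum(a) == 0 for a in hasse_schmidt(f, p))


def is_p_power(d, p):
    """The test 'deg h = p^r' of Algorithm 3.10; in characteristic 0 it is 'deg h = 1' (Algorithm 3.5)."""
    if p == 0:
        return d == 1
    while d > 1 and d % p == 0:
        d //= p
    return d == 1


def ridge_generators(fs, p):
    """Steps (1)-(2) of Algorithm 3.10 (of Algorithm 3.5 when p == 0): the list L of
    those D_A^X f_i whose degree is a p-power, for a Giraud basis f_1, ..., f_m."""
    found = []
    for f in fs:
        for h in hasse_schmidt(f, p).values():
            if is_p_power(degree(h), p) and h not in found:
                found.append(h)
    return found


if __name__ == "__main__":
    # Example 3.7 with p = 3: f = X^3 + Y^2 X + Z^3, written as {exponent: coefficient}
    f = {(3, 0, 0): 1, (1, 2, 0): 1, (0, 0, 3): 1}
    for h in ridge_generators([f], 3):
        print(h)    # f itself, X, and 2Y = -Y: the set E_p of Example 3.7
```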


Remark 3.12 (Computation of the directrix). In the case where $k$ is perfect, by Definitions 1.1 and 1.2, the directrix is the reduction of the ridge. Furthermore, the $\theta_i$'s, $1 \le i \le s$, are $p^{\alpha_i}$-th powers, so the ideal of the directrix is $\bigl(\sqrt[p^{\alpha_1}]{\theta_1},\dots,\sqrt[p^{\alpha_s}]{\theta_s}\bigr)$. We do not know any direct method to compute it. Indeed, Fröhlich and Shepherdson have even shown that testing whether an element is a $p$-th power is not decidable in general [2, Section 7] (see also the example in [3, Remark 5.10]).

References

[1] Bardet, M., Faugère, J.-C. and Salvy, B., On the complexity of Gröbner basis computation of regular and semi-regular overdetermined algebraic equations, Proc. International Conference on Polynomial System Solving (ICPSS, November 24-25-26 2004, Paris, France), 71–75.
[2] Fröhlich, A. and Shepherdson, J. C., Effective procedures in field theory, Philos. Trans. Roy. Soc. London Ser. A 248 (1956), 407–432.
[3] von zur Gathen, J., Hensel and Newton methods in valuation rings, Mathematics of Computation 42 (1984), 637–661.
[4] Giraud, J., Étude locale des singularités, Cours de 3e cycle, Université d'Orsay (1971–72).
[5] Giraud, J., Contact maximal en caractéristique positive, Ann. Sc. ENS 4e série 8 (1975), 201–234.
[6] Hironaka, H., Resolution of singularities of an algebraic variety over a field of characteristic zero, Ann. Math. 79 (1964), 109–326.
[7] Hironaka, H., Characteristic polyhedra of singularities, J. Math. Kyoto U. 7(3) (1967), 251–293.
[8] Hironaka, H., Additive groups associated with points of a projective space, Ann. Math. 92 (1970), 327–334.
[9] Kollár, J., Lectures on resolution of singularities, Annals of Mathematics Studies 166, Princeton University Press, Princeton, NJ (2007).
[10] Lazard, D., Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations, Computer algebra (London, 1983).

Laboratoire d'Informatique de l'École polytechnique, École polytechnique, Route de Saclay, 91128 Palaiseau Cedex, France
E-mail address: [email protected]

Laboratoire de Mathématiques de Versailles, Université de Versailles–St-Quentin-en-Yvelines, 45 avenue des États-Unis, 78035 Versailles Cedex, France
E-mail address: [email protected]

Laboratoire de Mathématiques de Versailles, Université de Versailles–St-Quentin-en-Yvelines, 45 avenue des États-Unis, 78035 Versailles Cedex, France
E-mail address: [email protected]

Contemporary Mathematics Volume 521, 2010

Nondegenerate curves of low genus over small finite fields

Wouter Castryck and John Voight

Abstract. In a previous paper, we proved that over a finite field $k$ of sufficiently large cardinality, all curves of genus at most 3 over $k$ can be modeled by a bivariate Laurent polynomial that is nondegenerate with respect to its Newton polytope. In this paper, we prove that there are exactly two curves of genus at most 3 over a finite field that are not nondegenerate, one over $\mathbb{F}_2$ and one over $\mathbb{F}_3$. Both of these curves have extremal properties concerning the number of rational points over various extension fields.

Let $k$ be a perfect field with algebraic closure $\bar k$. To a Laurent polynomial $f = \sum_{(i,j) \in \mathbb{Z}^2} c_{ij}\, x^i y^j \in k[x^{\pm 1}, y^{\pm 1}]$ we associate its Newton polytope $\Delta(f)$, the convex hull in $\mathbb{R}^2$ of the points $(i,j) \in \mathbb{Z}^2$ for which $c_{ij} \ne 0$. An irreducible Laurent polynomial $f$ is called nondegenerate with respect to its Newton polytope if for all faces $\tau \subset \Delta(f)$ (vertices, edges, and $\Delta(f)$ itself), the system of equations

$(\ast)\qquad f|_\tau = x\,\dfrac{\partial f|_\tau}{\partial x} = y\,\dfrac{\partial f|_\tau}{\partial y} = 0$

has no solution in $(\bar k^*)^2$, where $f|_\tau = \sum_{(i,j) \in \mathbb{Z}^2 \cap \tau} c_{ij}\, x^i y^j$. A curve $C$ over $k$ is called nondegenerate if it is birationally equivalent over $k$ to a curve defined by a Laurent polynomial $f \in k[x^{\pm 1}, y^{\pm 1}]$ that is nondegenerate with respect to its Newton polytope. For such a curve, a vast amount of geometric information is encoded in the combinatorics of $\Delta(f)$. For example, the (geometric) genus of $C$ is equal to the number of lattice points (points in $\mathbb{Z}^2$) lying in the interior of $\Delta(f)$. Owing to this connection, nondegenerate curves have become popular objects of study in explicit algebraic geometry. (See e.g. Batyrev [1] and the introduction in our preceding work [5] for further background and discussion.)

In a previous paper [5], we gave a partial answer to the natural question: Which curves are nondegenerate?

Theorem. Let $C$ be a curve of genus $g$ over $k$. Suppose that one of these conditions holds:
(i) $g = 0$;
(ii) $g = 1$, and $C(k) \ne \emptyset$;

1991 Mathematics Subject Classification. Primary 14H45, Secondary 14M25.
Key words and phrases. nondegenerate curves, finite fields, Newton polytope.
The first author is a postdoctoral fellow of FWO-Vlaanderen. He would like to thank Alessandra Rigato for some helpful comments on curves over finite fields having many or few rational points.

© 2010 American Mathematical Society


(iii) $g = 2, 3$, and either $17 \le \#k < \infty$, or $\#k = \infty$ and $C(k) \ne \emptyset$;
(iv) $g = 4$, and $k = \bar k$.
Then $C$ is nondegenerate. If $g \ge 5$, then the locus $\mathcal{M}^{\mathrm{nd}}_g$ of nondegenerate curves inside the coarse moduli space of curves of genus $g$ satisfies $\dim \mathcal{M}^{\mathrm{nd}}_g = 2g + 1$, except for $g = 7$ where $\dim \mathcal{M}^{\mathrm{nd}}_7 = 16$. In particular, a generic curve of genus $g$ is nondegenerate if and only if $g \le 4$.

Throughout the rest of this article, we assume that $k$ is a finite field, and we consider the cases excluded in condition (iii) above by the condition that $\#k \ge 17$. Based on a number of preliminary experiments, we guessed [5, Remark 7.2] that this condition is superfluous. In truth we have the following theorem, which constitutes the main result of this paper.

Theorem. Let $C$ be a curve of genus $g \le 3$ over a finite field $k$. Then $C$ is nondegenerate unless $k = \mathbb{F}_2$ or $k = \mathbb{F}_3$, and $C$ is birational to

$C_2 : (x + y)^4 = (xy)^2 + xy(x + y + 1) + (x + y + 1)^2$ over $\mathbb{F}_2$,
$C_3 : y^3 - y = (x^2 + 1)^2$ over $\mathbb{F}_3$,

respectively.

Both $C_2$ and $C_3$ have genus 3. In particular, all curves of genus 2 are nondegenerate. Intriguingly, $C_2$ and $C_3$ have other remarkable properties: they obtain an extremal number of rational points over certain extension fields of $\mathbb{F}_2$ and $\mathbb{F}_3$, respectively. The paper is organized into four sections. In Sections 1–2, we refine the bound on $\#k$ which guarantees that a curve of genus 2 or 3 over $k$ is nondegenerate. In Section 3, we perform an exhaustive computation using the computer algebra system Magma [3] to reduce the bound further. At the same time, we search the remaining finite fields $\mathbb{F}_2$ and $\mathbb{F}_3$ for curves that are not nondegenerate. We conclude by discussing the extremal properties of the two resulting curves in Section 4.

1. Refining the bound for hyperelliptic curves

If $\operatorname{char} k$ is odd, then any hyperelliptic curve over $k$ is easily seen to be nondegenerate. Indeed, it is well known that a hyperelliptic curve of genus $g$ is birationally equivalent over $k$ to an affine curve of the form $y^2 = p(x)$, where $p(x) \in k[x]$ is a squarefree polynomial of degree $2g + 1$ or $2g + 2$. Then directly from the definition $(\ast)$, one sees that the polynomial $f(x,y) = y^2 - p(x)$ is nondegenerate with respect to its Newton polytope. If instead $\operatorname{char} k = 2$, then a hyperelliptic curve of genus $g$ has an affine model of the more general form

(1.1) $y^2 + r(x)\,y = p(x)$

with $r(x) \in k[x]$ of degree at most $g + 1$, and $p(x) \in k[x]$ of degree at most $2g + 2$, and at least $2g + 1$ if $\deg r(x)$

in (1.1). This might however fail if $k = \mathbb{F}_2$ and the hyperelliptic curve $C$ has the property that the degree 2 morphism $\pi : C \to \mathbb{P}^1$ is completely split over $k$, i.e., there are two distinct points in $C(k)$ above each of the points $0, 1, \infty \in \mathbb{P}^1(k)$. This erratum has no effect on any further statement in the paper [5].

The main result of this section is as follows.

Proposition 1.2. Let $C$ be a hyperelliptic curve of geometric genus $g \ge 2$ over a finite field $k$. If $\#k$ is odd or $\#k \ge g + 4$, then $C$ is nondegenerate.

Proof. Let $\#k = q$. By the above, we may assume that $q \ge 8$ is even and that $C$ is given by an equation of type (1.1). Let $f(x,y) = y^2 + r(x)\,y + p(x)$. First, we claim that after applying a birational transformation we may assume that $r(x)$ is a polynomial of degree $g + 1$ with nonzero constant term. Since $q \ge g + 4 > g + 1$, there is an $a \in k$ such that $r(x - a)$ has nonzero constant term, so replacing $x \leftarrow x - a$ we may assume $r(x)$ has nonzero constant term. Then the transformed polynomial

$f'(x,y) = x^{2g+2}\, f(1/x,\ y/x^{g+1}) = y^2 + r'(x)\,y + p'(x)$,

which corresponds to applying the $\mathbb{Z}$-affine map

$(X, Y) \mapsto (2g + 2 - X - (g+1)Y,\ Y)$

to the exponent vectors of $f(x,y)$, has the property that $\deg r'(x) = g + 1$. Making another substitution $x \leftarrow x - b$ then completes the argument.

Then using the definition $(\ast)$, a short case-by-case analysis of the possible Newton polytopes shows that if $p(x)$ is squarefree, then $f(x,y) = y^2 + r(x)\,y + p(x)$ is nondegenerate with respect to its Newton polytope. For each $t(x) \in k[x]$ of degree at most $g + 1$, consider the change of variables $y \leftarrow y + t(x)$; under this transformation we have $p(x) \leftarrow p_t(x) = p(x) + r(x)\,t(x) + t(x)^2$ and $r(x)$ is unchanged. We use a sieving argument to show that there exists a choice of $t(x)$ such that $p_t(x)$ is squarefree. Note we have $q^{g+2}$ choices for $t(x)$. Suppose that $p_t$ is not squarefree. Then $p_t(x)$ is divisible by the square of a monic irreducible polynomial $v(x)$ of degree $m \le g + 1$. But note that if $v^2 \mid p_{t_1}$ and $v^2 \mid p_{t_2}$ for two choices $t_1, t_2$, then subtracting we have

$$v^2 \mid \bigl(r(t_1 + t_2) + t_1^2 + t_2^2\bigr) = (t_1 + t_2)(r + t_1 + t_2).$$

Moreover, if $v$ divides each of these two factors then in fact $v \mid r$. We are then led to consider two cases. First, suppose that $v \nmid r$. Then either $v^2 \mid (t_1 + t_2)$ or $v^2 \mid (r + t_1 + t_2)$. Let $h = \lfloor (g+1)/2 \rfloor$. If $m = \deg v \le h$, then by sieving we conclude that $v^2 \mid p_t$ for at most $2q^{g+1-2m+1} = 2q^{g+2-2m}$ values of $t$. On the other hand, if $m > h$ then $\deg v^2 > g + 1$, so by sieving we now have $v^2 \mid p_t$ for at most two values of $t$. Since the number of monic irreducible polynomials of degree $m$ over $k$ is bounded by $q^m/m$, the number of values of $t$ such that $p_t$ is

divisible by $v^2$ with $v \nmid r$ is at most

$$q\,(2q^{g+2-2}) + \frac{q^2}{2}\,(2q^{g+2-4}) + \cdots + \frac{q^h}{h}\,(2q^{g+2-2h}) + 2\,\frac{q^{h+1}}{h+1} + \cdots + 2\,\frac{q^{g+1}}{g+1}$$
$$= 2\Bigl(q^{g+1} + \frac{q^g}{2} + \cdots + \frac{q^{g+2-h}}{h} + \frac{q^{h+1}}{h+1} + \cdots + \frac{q^{g+1}}{g+1}\Bigr)$$
$$= \Bigl(2 + \frac{2}{g+1}\Bigr) q^{g+1} + 2\Bigl(\sum_{i=2}^{h} \frac{q^{g+2-i}}{i} + \sum_{i=h+1}^{g} \frac{q^i}{i}\Bigr)$$
$$\le \Bigl(2 + \frac{2}{g+1}\Bigr) q^{g+1} + 2\,\frac{q^{g+1} - 1}{q - 1} \qquad (\text{note } h \ge 1)$$
$$\le \Bigl(2 + \frac{2}{g+1} + \frac{2}{q-1}\Bigr) q^{g+1}.$$

Next, suppose that $v \mid r$. Then in any case $v \mid (t_1 + t_2)$, and hence there are at most $q^{g+1-m+1}$ values of $t$ such that $v^2 \mid p_t$. Since $\deg r \le g + 1$, in the worst case $r$ splits into $g + 1$ linear factors over $k$, and we have at most $(g+1)\,q^{g+1}$ values of $t$ for which $p_t$ is divisible by $v^2$ for some $v \mid r$. Putting these together, we can find a value of $t(x)$ such that $p_t(x)$ is squarefree if

$$q^{g+2} > \Bigl(g + 3 + \frac{2}{g+1} + \frac{2}{q-1}\Bigr) q^{g+1},$$

which holds whenever $q \ge g + 4$, since $g \ge 2$ and $q \ge 8$. □

For our genera of interest $g = 2$ and $g = 3$, Proposition 1.2 proves that all hyperelliptic curves are nondegenerate except possibly over $\mathbb{F}_2$ and $\mathbb{F}_4$.

2. Refining the bound for plane quartics

In this section, we refine the bound as in Section 1 but now for plane quartics.

Lemma 2.1. Let $C \subset \mathbb{P}^2$ be a nonsingular plane quartic over a finite field $k$. If $\#k \ge 7$, then $C$ is nondegenerate.

Proof. Again analyzing the conditions of nondegeneracy [5, Examples 1.5–1.6], we see that to prove that $C$ is nondegenerate it suffices to find three nonconcurrent $k$-rational lines in $\mathbb{P}^2$ which are not tangent to $C$. The projective transformation which maps the three intersection points to the coordinate points (and the lines to the coordinate lines) realizes $C$ as nondegenerate with respect to a Newton polytope of the following type:

[Figure: the Newton polytope of the transformed quartic, with labels 4, 3 and 1.]

(A dashed line appears as a face if our transformed curve contains the corresponding coordinate point.)


Write $m = \#C(k)$ and $q = \#k$. Since there are $q^2 + q + 1$ lines which are $k$-rational in $\mathbb{P}^2$, and the number of $k$-rational lines through a fixed point is $q + 1$, it suffices to prove that $C$ has strictly fewer than $q^2$ $k$-rational tangent lines. We claim that the number of $k$-rational tangent lines is at most $m + 28$. Of course each point of $C(k)$ determines a tangent line. Suppose a $k$-rational line is tangent at a point of $C(\bar k) \setminus C(k)$; then it is also tangent at each of the Galois conjugates of the point, which, since $C$ is defined by a plane quartic, immediately implies that the point is defined over a quadratic extension and that the line is a bitangent. By classical geometry and the theory of theta characteristics, there are at most 28 bitangents (see e.g. Ritzenthaler [13, Corollary 1]), and this proves the claim. Thus if $q^2 > m + 28$, we can find three nonconcurrent nontangent lines. By the Weil bound, it is sufficient that

$$q^2 > q + 1 + 6\sqrt{q} + 28,$$

which holds whenever $q \ge 8$. In fact, when $q = 7$ then $m \le 20$ by a result of Serre [14] (see also Top [15]), and so $q^2 > m + 28$ for all $q \ge 7$. □

This lemma therefore proves that all plane quartics defined over finite fields are nondegenerate except possibly over $\mathbb{F}_q$ with $q \le 5$.

3. Computational results

From the results of the previous two sections, in order to prove our main theorem we performed an exhaustive computation in Magma to deal with the remaining cases:

(1a) hyperelliptic curves of genus $g = 2$ over $\mathbb{F}_2$ and $\mathbb{F}_4$;
(1b) hyperelliptic curves of genus $g = 3$ over $\mathbb{F}_2$ and $\mathbb{F}_4$;
(2) nonsingular quartics in $\mathbb{P}^2$ over $\mathbb{F}_2$, $\mathbb{F}_3$, $\mathbb{F}_4$ and $\mathbb{F}_5$ (genus $g = 3$).

To this end, we essentially enumerated all irreducible polynomials whose Newton polytope is contained in

[Figure: the three polytopes for cases (1a), (1b) and (2), with labels 4, 2, 2 and 6, 8, 4.]

respectively, regardless of whether they define a curve of genus $g$ or not. For each of these, we checked whether the Newton polytope contained $g$ interior lattice points, since by Baker's inequality [2, Theorem 4.1] an irreducible Laurent polynomial $f \in k[x^{\pm 1}, y^{\pm 1}]$ defines a curve whose (geometric) genus is at most the number of lattice points in the interior of $\Delta(f)$. The polynomials $f$ that passed this test were then checked for nondegeneracy with respect to the edges of $\Delta(f)$. Checking nondegeneracy with respect to the edges boils down to checking squarefreeness of a number of univariate polynomials of small degree, which can be done very efficiently. The nondegeneracy condition with respect to the vertices of $\Delta(f)$ is automatic. The nondegeneracy condition with respect to $\Delta(f)$ itself is also automatic if $f$ defines a genus $g$ curve (by Baker's inequality), so we can disregard any polynomial for which this condition is not satisfied.
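The interior-lattice-point test just described, and the definition of $\Delta(f)$ from the introduction, can be carried out with a few lines of Python. The following example is added here and is not the authors' Magma code: it expands the defining polynomials of $C_2$ and $C_3$ over $\mathbb{F}_2$ and $\mathbb{F}_3$, builds the convex hull of the support, and counts the interior lattice points, obtaining 3 for both curves, in agreement with the genus stated above (for a nondegenerate $f$ the count is the genus; in general, by Baker's inequality, it is only an upper bound).

```python
"""Newton polytope of a bivariate Laurent polynomial and its interior lattice points.

Added example (not the authors' code).  Polynomials over F_p are dicts
{(i, j): c} with 0 < c < p; the support is the key set, and the number of lattice
points strictly inside Delta(f) is the genus of the curve when f is nondegenerate
(and an upper bound for it in general, by Baker's inequality).
"""


def poly_mul(a, b, p):
    """Product of two polynomials with coefficients reduced mod p."""
    out = {}
    for (i1, j1), c1 in a.items():
        for (i2, j2), c2 in b.items():
            key = (i1 + i2, j1 + j2)
            out[key] = (out.get(key, 0) + c1 * c2) % p
    return {k: c for k, c in out.items() if c}


def poly_add(terms, p):
    """Sum of a list of polynomials mod p (zero coefficients are dropped)."""
    out = {}
    for t in terms:
        for key, c in t.items():
            out[key] = (out.get(key, 0) + c) % p
    return {k: c for k, c in out.items() if c}


def poly_pow(a, n, p):
    """a^n mod p by repeated multiplication (n is small here)."""
    out = {(0, 0): 1}
    for _ in range(n):
        out = poly_mul(out, a, p)
    return out


def cross(o, a, b):
    """z-component of (a - o) x (b - o); > 0 iff o, a, b turn counter-clockwise."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain: hull vertices in counter-clockwise order,
    with collinear boundary points removed."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower, upper = [], []
    for pt in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], pt) <= 0:
            lower.pop()
        lower.append(pt)
    for pt in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], pt) <= 0:
            upper.pop()
        upper.append(pt)
    return lower[:-1] + upper[:-1]


def interior_lattice_points(support):
    """Lattice points strictly inside the convex hull of `support`."""
    hull = convex_hull(support)
    if len(hull) < 3:            # a segment or a point has no interior
        return []
    xs, ys = [v[0] for v in hull], [v[1] for v in hull]
    n = len(hull)
    inside = []
    for x in range(min(xs) + 1, max(xs)):
        for y in range(min(ys) + 1, max(ys)):
            # strictly inside iff strictly to the left of every counter-clockwise edge
            if all(cross(hull[k], hull[(k + 1) % n], (x, y)) > 0 for k in range(n)):
                inside.append((x, y))
    return inside


def baker_bound(poly):
    """Number of interior lattice points of Delta(f): the genus bound of Baker's inequality."""
    return len(interior_lattice_points(poly.keys()))


X, Y, ONE = {(1, 0): 1}, {(0, 1): 1}, {(0, 0): 1}


def curve_c2():
    """f_2 = (x+y)^4 + (xy)^2 + xy(x+y+1) + (x+y+1)^2 over F_2: the equation of C_2
    moved to one side (in characteristic 2, subtracting is the same as adding)."""
    p = 2
    s, s1, xy = poly_add([X, Y], p), poly_add([X, Y, ONE], p), poly_mul(X, Y, p)
    return poly_add([poly_pow(s, 4, p), poly_pow(xy, 2, p),
                     poly_mul(xy, s1, p), poly_pow(s1, 2, p)], p)


def curve_c3():
    """f_3 = y^3 - y - (x^2+1)^2 over F_3: the equation of C_3 moved to one side."""
    p = 3
    minus_one = {(0, 0): p - 1}
    x2p1 = poly_add([poly_pow(X, 2, p), ONE], p)
    return poly_add([poly_pow(Y, 3, p), poly_mul(minus_one, Y, p),
                     poly_mul(minus_one, poly_pow(x2p1, 2, p), p)], p)


if __name__ == "__main__":
    for name, f in (("C2", curve_c2()), ("C3", curve_c3())):
        print(name, sorted(convex_hull(f.keys())), interior_lattice_points(f.keys()))
```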


The polynomials $f$ that were not nondegenerate with respect to the edges then saw further investigation. First, and only at this stage, we verified that in fact $f$ defines a curve of genus $g$. Then, repeatedly, we applied a random transformation to $f$ of the following form:

(1) $(x, y) \leftarrow (x - a,\ y - h(x))$ for $a \in k$ and $h(x) \in k[x]$ of degree at most $g + 1$ (for hyperelliptic curves);
(2) a projective linear transformation (for plane quartics).

We then again checked the resulting polynomial for nondegeneracy with respect to the edges. Polynomials for which there were 1000 failures in a row were stored in a list. In each of the hyperelliptic curve cases the list remained empty, implying the following lemma.

Lemma 3.1. All hyperelliptic curves of genus at most 3 defined over a finite field are nondegenerate.

In the plane quartic case, the list eventually contained exactly one polynomial for $k = \mathbb{F}_2$:

$f_2 : (x + y)^4 + (xy)^2 + xy(x + y + 1) + (x + y + 1)^2$.

We then tried all projective linear transformations in PGL_3(F_2) and found that, quite remarkably, f_2 is invariant under each of these transformations; the canonical embedding here is truly canonical! Let C_2 denote the complete nonsingular model of the curve defined by f_2. Over k = F_3, we were left with a set of polynomials that turned out to be all projectively equivalent to the polynomial

f_3 = y^3 − y − (x^2 + 1)^2.

We exhaustively verified that none of the projectively equivalent polynomials is nondegenerate with respect to its Newton polytope. Let C_3 denote the complete nonsingular model of the curve defined by f_3. Over F_4 and F_5, the list remained empty. We therefore have the following proposition.

Proposition 3.2. Over any finite field k, all curves C/k of genus at most 3 are nondegenerate, except if k = F_2 and C is k-birationally equivalent to C_2, or if k = F_3 and C is k-birationally equivalent to C_3.

Proof. It remains to show that if C is a nonhyperelliptic curve of genus 3 which can be modeled by a nondegenerate Laurent polynomial f, then it can be modeled by a nondegenerate Laurent polynomial whose Newton polytope is contained in 4Σ, the convex hull of the points (0, 0), (0, 4), and (4, 0). This is true because Δ(f) has three interior lattice points which are not collinear, since C is not hyperelliptic [5, Lemma 5.1]. Applying a Z-affine transformation to the exponent vectors, we may assume that in fact the interior lattice points of Δ(f) are (1, 1), (1, 2), and (2, 1). But then Δ(f) is contained in the maximal polytope with these interior lattice points, which is 4Σ [5, Lemma 10.2]. The result follows. □

We briefly comment on the total complexity of the above computation. Since we are only interested in curves up to birational equivalence, rather than simply enumerating all polynomials of a given form one could instead enumerate curves

by their moduli. Questions of this type in low genus have been pursued by many authors: Cardona, Nart, and Pujolàs [4] and Espinosa García, Hernández Encinas, and Muñoz Masqué [8] study genus 2; Nart and Sadornil [12] study hyperelliptic curves of genus 3; Nart and Ritzenthaler [11] study nonhyperelliptic curves of genus 3 over fields of even characteristic; and Nart [10] gives a closed formula for the number of hyperelliptic curves in odd characteristic. In this paper we used a more naive approach since it is more transparent, easier to implement, and at the same time still feasible. We did however make use of the following speed-ups. For hyperelliptic curves of genus g = 3 with #k = 4, the coefficient of x^8 and the constant term can always be taken 1; for plane quartics with #k = 4, the coefficients of x^4 and y^4 and the constant term can always be taken 1. Finally, for plane quartics with #k = 5, from the proof of Lemma 2.1, we may assume that there exist at least two k-rational tangent lines that are only tangent over k (otherwise there exist enough nontangent lines to ensure nondegeneracy); transforming these to the x- and y-axis, we may thus assume that f(x, 0) = (ax^2 + bx + 1)^2 and f(0, y) = (cy^2 + dy + 1)^2 with a, b, c, d ∈ k. We conclude this section with the following question: does there exist a hyperelliptic curve which is not nondegenerate, at all (i.e. of any genus, over any perfect field)?

4. Extremal properties

The curve C_2 can be found in many places in the existing literature. It enjoys some remarkable properties concerning the number #C_2(F_{2^m}) of F_{2^m}-rational points for various values of m. First, it has no F_2-rational points. However, over F_4 and F_8 it has 14 and 24 points, respectively; in both cases, this is the maximal number of rational points possible on a complete nonsingular genus 3 curve, and in each case C_2 is the unique curve attaining this bound (up to isomorphism). However, over F_32 the curve becomes pointless again! And once more, it is the unique curve having this property. For the details, see Elkies [6, Section 3.3]. We refer to work of Howe, Lauter, and Top [9, Section 4] for more on pointless curves of genus 3. It is remarkable that this curve is also distinguished by considering conditions of nondegeneracy. In fact, C_2 is a twist of the reduction modulo 2 of the Klein quartic (defined by the equation x^3 y + y^3 z + z^3 x = 0), which has more extremal properties. For instance, Elkies [6, Section 3.3] has shown that the Klein quartic modulo 3 is extremal over fields of the form F_{9^m}. If m is odd, its number of points is maximal. If m is even, its number of points is minimal. Although the curve C_3 is not isomorphic over F_3 to the Klein quartic, over F_27 it has the same characteristic polynomial of Frobenius, namely (T^2 + 27)^3. It follows that C_3 shares the extremal properties of the Klein quartic over fields of the form F_{3^{6m}}: C_3 has the maximal number of points possible if m is odd, and the minimal number of points possible if m is even.

References
[1] V. Batyrev, Variations of the mixed Hodge structure of affine hypersurfaces in algebraic tori, Duke Math. J. 69(2), pp. 349–409 (1993)
[2] P. Beelen, R. Pellikaan, The Newton polygon of plane curves with many rational points, Des. Codes Cryptogr. 21, pp. 41–67 (2000)
[3] W. Bosma, J. Cannon, C. Playoust, The Magma algebra system. I. The user language, J. Symbolic Computation 24(3-4), pp. 235–265 (1997)


[4] G. Cardona, E. Nart, J. Pujolàs, Curves of genus two over fields of even characteristic, Math. Z. 250(1), pp. 177–201 (2005)
[5] W. Castryck, J. Voight, On nondegeneracy of curves, Algebra & Number Theory 3(3), pp. 255–281 (2009)
[6] N. Elkies, The Klein quartic in number theory, pp. 51–102 in S. Levy (ed.), The eightfold way: the beauty of Klein's quartic curve, MSRI Publication Series 35, Cambridge University Press, 352 pp. (1999)
[7] A. Enge, How to distinguish hyperelliptic curves in even characteristic, proceedings of Public-key Cryptography and Computational Number Theory (Warsaw 2000), de Gruyter, Berlin, pp. 49–58 (2001)
[8] J. Espinosa García, L. Hernández Encinas, J. Muñoz Masqué, A review on the isomorphism classes of hyperelliptic curves of genus 2 over finite fields admitting a , Acta Appl. Math. 93(1-3), pp. 299–318 (2006)
[9] E. Howe, K. Lauter, J. Top, Pointless curves of genus three and four, Arithmetic, geometry and coding theory (AGCT 2003), Sémin. Congr. 11, Soc. Math. France, Paris, pp. 125–141 (2005)
[10] E. Nart, Counting hyperelliptic curves, Adv. Math. 221, pp. 774–787 (2009)
[11] E. Nart, C. Ritzenthaler, Non-hyperelliptic curves of genus three over finite fields of characteristic two, J. Number Theory 116(2), pp. 443–473 (2006)
[12] E. Nart, D. Sadornil, Hyperelliptic curves of genus three over finite fields of even characteristic, Finite Fields Appl. 10(2), pp. 198–220 (2004)
[13] C. Ritzenthaler, Point counting on genus 3 nonhyperelliptic curves, Algorithmic number theory, Lecture Notes in Comput. Sci. 3076, Springer, Berlin, pp. 379–394 (2004)
[14] J.-P. Serre, Rational points on curves over finite fields, lectures given at Harvard University, notes by F. Gouvêa, available at http://www.math.rug.nl/~top/Serrelectures.pdf
[15] J. Top, Curves of genus 3 over small finite fields, Indag. Math. 14(2), pp. 275–283 (2003)

Katholieke Universiteit Leuven, Departement Wiskunde, Afdeling Algebra, Celestijnenlaan 200B, B-3001 Leuven (Heverlee), Belgium
E-mail address: [email protected]

University of Vermont, Department of Mathematics and Statistics, 16 Colchester Ave, Burlington, VT 05401, USA
E-mail address: [email protected]

Contemporary Mathematics Volume 521, 2010

Faster Side-Channel Resistant Elliptic Curve Scalar Multiplication

Alexandre VENELLI and François DASSANCE

Abstract. We present a new point scalar multiplication algorithm on classical Weierstrass elliptic curves over fields of characteristic greater than 3. Using Meloni's formula that efficiently adds two points with the same Z-coordinate, we develop an algorithm computing [k]P only with these point additions. We combine Meloni's addition with a modified version of the Montgomery ladder, a well-established side-channel resistant method for scalar multiplication. Our aim is to construct an algorithm that is resistant, by construction, against Simple Power Analysis (SPA) and Fault Analysis (FA) while still being efficient. We present four versions of our algorithm with various speed-ups depending on the available memory of the device. Finally, we compare our method with state-of-the-art algorithms at the same level of side-channel resistance.

1. Introduction

Smart cards, and more generally low-powered computational devices, need efficient algorithms which must be resistant to side-channel analysis. Side-channel attacks use information observed during the execution of the algorithm to determine the secret key. The two main classes of side-channel attacks are: simple side-channel attacks, like Simple Power Analysis (SPA), which analyze the trace of a single execution of the algorithm, and differential side-channel attacks, like Differential Power Analysis (DPA), which compare the traces of multiple executions. Another kind of implementation attack is the Fault Attack (FA). Initially reported on RSA, they were quite naturally extended to other group-based cryptosystems. Biehl, Meyer and Müller [BMM00] showed how to exploit errors in elliptic curve scalar multiplications. Their results were extended by Ciet and Joye [CJ05]. Elliptic curve (EC) cryptosystems are of great interest because they require less memory and hardware resources than other cryptographic standards like RSA for a given security level. They are considered particularly suitable for implementation on smart cards and mobile devices. Because of the physical characteristics of these devices and their use in potentially hostile environments, they are particularly sensitive to side-channel attacks. The most important operation in EC cryptosystems is the point scalar multiplication [k]P. Its computational cost is decisive in the

2010 Mathematics Subject Classification. 14H52, 65Y10.

© 2010 American Mathematical Society

overall efficiency of the EC algorithms, but securing it can be very time consuming. Numerous articles in the literature deal with securing the scalar multiplication against different side-channel attacks. We propose a new scalar multiplication algorithm that overcomes both the efficiency and the side-channel resistance problems. We use Meloni's addition formula, which is very efficient but requires the two input points to have the same Z-coordinate. Modifying the Montgomery ladder algorithm, we obtain an algorithm that uses only Meloni's addition and that is resistant against SPA and FA like Montgomery's algorithm. This paper is organized as follows: we first briefly review elliptic curve arithmetic in Section 2. Then Section 3 presents classical side-channel resistant scalar multiplication algorithms on elliptic curves. In Section 4 we introduce our faster multiplication algorithms. Finally, Section 5 analyzes the security of our algorithm against side-channel attacks and compares its efficiency with other methods at the same level of side-channel resistance.

2. Elliptic curve arithmetic

We consider elliptic curves defined over K = F_p, with p > 3, a finite field of p elements. An elliptic curve E over a field K is defined by an equation of the form:

E/K : y^2 = x^3 + ax + b

where a, b ∈ K satisfy Δ = 4a^3 + 27b^2 ≠ 0 mod p. The set of all the points on E together with the point at infinity, denoted ∞, is equipped with an additive group structure. The coordinate system chosen for a point addition or doubling is very important in terms of efficiency. One can look at [BL07] for a summary of the complexity of additions and doublings in different coordinate systems. In practice, Jacobian coordinates are often used because they offer a good compromise between computational cost and memory usage. A point P in Jacobian coordinates is written P = (X, Y, Z) and represents the affine point (X/Z^2, Y/Z^3). Classical addition and doubling formulas [BL07] are as follows:

Point doubling. Let P = (X, Y, Z), P3 = [2]P = (X3, Y3, Z3) and suppose P ≠ −P.

A = X^2, B = Y^2, C = B^2, D = Z^2, E = 2((X + B)^2 − A − C),

F = 3A + aD^2, G = F^2 − 2E,

X3 = G,
Y3 = F(E − G) − 8C,
Z3 = (Y + Z)^2 − B − D.

A point doubling can be done with 1 multiplication and 8 squarings in the field K, noted 1M + 8S.

Point addition. Let P1 = (X1, Y1, Z1), P2 = (X2, Y2, Z2) both unequal to ∞ and P2 ≠ ±P1. Let P3 = P1 + P2 = (X3, Y3, Z3).

A = Z1^2, B = Z2^2, C = X1 B, D = X2 A, E = Y1 Z2 B, F = Y2 Z1 A, G = D − C, H = (2G)^2, I = GH, J = 2(F − E), K = CH,


X3 = J^2 − I − 2K,
Y3 = J(K − X3) − 2EI,
Z3 = ((Z1 + Z2)^2 − A − B) G.

A general point addition costs 11M + 5S. We use in our point scalar multiplication algorithm the simplified addition formula found by Meloni [Mel07]. If P1 = (X1, Y1, Z) and P2 = (X2, Y2, Z) are two points in Jacobian coordinates with the same Z-coordinate, the following formula can be applied:

Simplified point addition. Let P1 = (X1, Y1, Z), P2 = (X2, Y2, Z) both unequal to ∞ and P2 ≠ ±P1. Let P3 = P1 + P2 = (X3, Y3, Z3).

A = (X2 − X1)^2, B = X1 A, C = X2 A, D = (Y2 − Y1)^2,
X3 = D − B − C,
Y3 = (Y2 − Y1)(B − X3) − Y1(C − B),
Z3 = Z(X2 − X1).

The point addition in this special case only costs 5M + 2S. It is even faster than the general point doubling in Jacobian coordinates. In this state, the formula is not very useful because it is unlikely for both P1 and P2 to have the same Z-coordinate. Meloni noticed that, while computing the addition, one can easily modify the entry point P1 so that the modified point P̃1 and P1 + P2 have the same Z-coordinate at the end of the addition. He calls this algorithm

NewAdd(P1, P2) → (P̃1, P1 + P2).

NewAdd. Let P1 = (X1, Y1, Z), P2 = (X2, Y2, Z) both unequal to ∞ and P2 ≠ ±P1. Let P3 = P1 + P2 = (X3, Y3, Z3).

A = (X2 − X1)^2, B = X1 A, C = X2 A, D = (Y2 − Y1)^2, E = Y1(C − B),
X3 = D − B − C,
Y3 = (Y2 − Y1)(B − X3) − E,
Z3 = Z(X2 − X1),
and
X̃1 = B,
Ỹ1 = E,
Z̃ = Z3.

Meloni also shows that the classical doubling can be modified so that it returns P̃ and [2]P with the same Z-coordinate without adding computational cost.

3. Classical side-channel resistant scalar multiplication algorithms

A standard method for performing the scalar multiplication [k]P is the left-to-right double-and-add algorithm (Algorithm 1). It is the elliptic curve equivalent of square-and-multiply for exponentiation in finite fields. Let k be a positive integer and P a point on an elliptic curve. Let

k = k_{n−1} 2^{n−1} + ··· + k_1 2^1 + k_0 2^0

be the binary representation of k, where k_{n−1} = 1. We can compute [k]P as follows with the left-to-right double-and-add algorithm.


Algorithm 1: Left-to-right double-and-add

input : P ∈ E and k = (k_{n−1} ... k_1 k_0)_2
output: [k]P ∈ E

1 Q ← P;
2 for i ← n − 2 to 0 do
3   Q ← [2]Q;
4   if ki = 1 then
5     Q ← Q + P;
6 return Q

With standard addition and doubling formulas, an attacker can detect bit information on the scalar k by SPA [Cor99]. The power consumption traces of an addition and a doubling are different enough to be distinguished. Coron proposed in 1999 a dummy addition method [Cor99], also known as double-and-always-add, which represents the simplest algorithm of this type (Algorithm 2).

Algorithm 2: Double-and-always-add

input : P ∈ E and k = (k_{n−1} ... k_1 k_0)_2
output: [k]P ∈ E

1 Q0 ← P;
2 for i ← n − 2 to 0 do
3   Q0 ← [2]Q0;
4   Q1 ← Q0 + P;
5   Q0 ← Q_{ki} /* Q_{ki} equals either Q0 or Q1 */;
6 return Q0

Chevallier-Mames et al. [CMCJ04] proposed the idea of side-channel atomicity. Each elliptic curve operation is implemented as the repetition of blocks of instructions that look alike in the power trace. The code of the scalar multiplication algorithm is then unrolled such that it appears as a repetition of the same atomic block. The sequence of blocks does not depend on the scalar used, and their algorithm is then secure against SPA. A doubling in Jacobian coordinates is computed using 10 atomic blocks and an addition using 16 blocks, each atomic block costing 1M. However, their construction uses dummy operations and can then be sensitive to fault attacks. Another approach to SPA resistance is using indistinguishable addition and doubling algorithms in the scalar multiplication [CJ01, BDJ04]. Jacobi form, Hesse form or Edwards form elliptic curves allow the same algorithm for both additions and doublings. However, we only consider in this paper standardized curves recommended by specifications [X9.98, NIS00, SEC00]. Brier et al. [BDJ04] proposed a unified addition and doubling formula for generic Weierstraß curves that costs 16M + 3S in Jacobian coordinates. One of the benefits of this type of countermeasure is that there is no use of dummy operations, hence fault analysis techniques cannot be used.


We can also mention the NAF-based multiplication algorithms [JY00, OT04]. The non-adjacent form (NAF) is a unique signed digit representation of an integer using the digits {−1, 0, 1}, such that no two adjacent digits are both nonzero. NAF algorithms take advantage of the fact that negating a point on an elliptic curve simply requires a change in the sign of the Y-coordinate, so subtractions are cheap operations. However, classical NAF multiplications can be sensitive to sign change fault attacks [BOS06]. Recently, the authors of [GLS09] and [LG09] pointed out the use of Meloni's formulas for the purpose of precomputations in NAF-based multiplication algorithms. Finally, we consider the Montgomery ladder algorithm (Algorithm 3), which was originally proposed in [Mon87] only for Montgomery-type elliptic curves. In [BJ02], Brier and Joye generalized the algorithm to any elliptic curve in short Weierstraß form. Montgomery's original idea was based on the fact that the sum of two points whose difference is a known point can be computed without the y-coordinate of the two points. His algorithm is very efficient on a certain family of elliptic curves, called Montgomery curves. In this case, the differential addition costs 4M + 2S and the doubling 2M + 2S + 1D, where 1D is a multiplication by a constant. Brier and Joye's adaptation requires 9M + 2S for an addition and 6M + 3S for a doubling. The complexity of this general algorithm is then n(15M + 5S) + 3M + S + I for an n-bit scalar, where I is a modular inversion in the field F_p and 3M + S + I is the cost to recover the Y-coordinate at the end. We can also note the work of Izu and Takagi [IT02] who, at the same time as Brier and Joye, also generalized Montgomery's ladder. They obtained slightly better results with a complexity of n(13M + 4S) + 11M + 2S for an n-bit scalar.

Algorithm 3: Montgomery ladder

input : P ∈ E and k = (k_{n−1} ... k_1 k_0)_2
output: [k]P ∈ E

1 P0 ← P;
2 P1 ← [2]P;
3 for i ← n − 2 to 0 do
4   P_{k̄i} ← P0 + P1;
5   P_{ki} ← [2]P_{ki};
6 return P0

Since the Montgomery ladder is, by construction, an interesting algorithm for side-channel resistance (see Section 5), we use it as a basis for our multiplication. However, we can't use classical doublings with Meloni's addition formula in a point scalar multiplication algorithm as, for each bit, we would need to compute [2]P_{ki} (Algorithm 3, Line 5) so that it has the same Z-coordinate as P_{k̄i} = P0 + P1 (Algorithm 3, Line 4). We would lose the benefit of the simplified addition. Meloni proposed a Fibonacci-and-add algorithm [Mel07] that performs scalar multiplication using only his addition formula. The gain of the addition is counteracted by a representation of the scalar k that is much larger than its binary representation. By modifying the Montgomery ladder structure, we are able to use only Meloni's additions while keeping the binary representation of k.


4. Our side-channel resistant multiplication

Let R, an n-bit integer, be the order of the elliptic curve point P, and let k

Algorithm 4: Montgomery ladder with additions

input : P ∈ E and k = (k_{n−1} ... k_1 k_0)_2
output: [k]P ∈ E

1 P1 ← P;
2 P2 ← [2]P;
3 for i ← n − 2 to 0 do
4   P1 ← P1 + P2;
5   P2 ← P1 + (−1)^{k̄i} P;
6 return P2

4.1. A naive approach to the Z-coordinate problem. In order to use simplified additions, we must have Z_{P2} = Z_{P1} at the end of each round in order to add them in the next. Fortunately, this is a property of the NewAdd algorithm. Also, the point ±P must have the same Z-coordinate as P1 before computing P2 ← P1 + (−1)^{k̄i} P (Algorithm 4, Line 5). We could recalculate an updated P at each round with Z_P = Z_{P1}, but we would need to:
(1) Store the point P = (X, Y, Z) during the whole scalar multiplication.
(2) Compute and store the modular inversion Z^{−1} at the beginning of the algorithm.
(3) Compute, at each round, if P = (X, Y, Z) and P1 = (X1, Y1, Z1), the field element λ = Z1 Z^{−1}. Finally, we would have P = ±(λ^2 X, λ^3 Y, λZ) for a total of 4M.
For an n-bit scalar k, the cost of a multiplication [k]P would be n(2(5M + 2S) + 4M + S) + I = n(14M + 5S) + I, where I is the cost of an inversion in F_p.

4.2. Updating P's coordinates more efficiently. We propose to recompute the point P at each round within a modified addition algorithm (Algorithm 5), with an appropriate Z-coordinate. We call

NewAddSub(P1, P2) → (P̃1, P1 + P2, P1 − P2) with Z_{P̃1} = Z_{P1+P2} = Z_{P1−P2}.

In NewAddSub we take the simplified addition and add the subtraction for an additional cost of 1M + 1S in time. Finally our NewAddSub costs 6M + 3S where NewAdd costs 5M + 2S. We can now write a point scalar multiplication algorithm called FullMult (Algorithm 6). We denote by Q[0], Q[1] and Q[2] respectively the outputs P̃1, P1 + P2 and P1 − P2 of NewAddSub (Algorithm 6, lines 4 and 7). At each round, line 6, the algorithm gets an updated point P with the correct Z-coordinate thanks to the added subtraction in NewAddSub. Also, after the second NewAddSub, we always


Algorithm 5: NewAddSub

input : P1 = (X1, Y1, Z) and P2 = (X2, Y2, Z)
output: (P̃1, P1 + P2, P1 − P2)

1 R1 ← X2 − X1;
2 Z ← Z · R1 /* final Z */;
3 R1 ← R1^2;
4 X1 ← X1 · R1 /* X_{P̃1} */;
5 X2 ← X2 · R1;
6 R1 ← Y2 − Y1;
7 R2 ← R1^2;
8 R2 ← R2 − X1 − X2 /* X_{P1+P2} */;
9 R3 ← X1 − R2;
10 R3 ← R1 · R3;
11 Y2 ← −Y2 − Y1;
12 R4 ← Y2^2;
13 R4 ← R4 − X1 − X2 /* X_{P1−P2} */;
14 X2 ← X2 − X1;
15 R1 ← Y1 · X2 /* Y_{P̃1} */;
16 X2 ← R3 − R1 /* Y_{P1+P2} */;
17 Y1 ← X1 − R4;
18 Y1 ← Y1 · Y2;
19 Y2 ← Y1 − R1 /* Y_{P1−P2} */;
20 return P̃1 = (X1, R1, Z), P1 + P2 = (R2, X2, Z), P1 − P2 = (R4, Y2, Z)

have: if P1 = [r]P, then P2 = [r − 1]P. Hence, in the next round, line 6, we again get an updated P = P1 − P2.

Algorithm 6: FullMult

input : P ∈ E and k = (k_{n−1} ... k_1 k_0)_2
output: [k]P ∈ E

1 P1 ← [2]P;
2 P2 ← P;
// We assume Z_{P1} = Z_{P2}
3 for i ← n − 2 to 0 do
4   Q ← NewAddSub(P1, P2);
5   P1 ← Q[1] /* P1 ← (P1 + P2) */;
6   P2 ← Q[2] /* P2 ← (P1 − P2) = P */;
7   Q ← NewAddSub(P1, (−1)^{k̄i} P2);
8   P1 ← Q[ki] /* P1 ← P̃1 or P1 ← P1 + P2 */;
9   P2 ← Q[k̄i] /* P2 ← P̃1 or P2 ← P1 + P2 */;
10 return P2
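As an added example (not the authors' code), the following Python implements NewAddSub (Algorithm 5) and drives it through the FullMult ladder (Algorithm 6) on a constructed toy curve over F_10007, checking the result against a plain affine double-and-add. It assumes the initial co-Z pair ([2]P, P) is obtained by an affine doubling so that both points start with Z = 1, since the paper's Z-matched doubling is not given here.

```python
# Added example, not the paper's code: Meloni's co-Z NewAddSub (Algorithm 5)
# driving FullMult (Algorithm 6) on a constructed toy curve over F_p, checked
# against affine double-and-add.  Assumption: the starting pair ([2]P, P) is
# built by an affine doubling (both Z = 1) instead of a Z-matched doubling.
P_MOD = 10007          # constructed prime, 10007 = 3 (mod 4) so sqrt(v) = v^((p+1)/4)
A, B = 2, 3            # constructed curve y^2 = x^3 + A x + B, 4A^3 + 27B^2 != 0 mod p

def inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def affine_add(P, Q):
    """Textbook affine addition/doubling; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def affine_mult(P, k):
    """Reference [k]P by left-to-right double-and-add (Algorithm 1)."""
    Q = None
    for bit in bin(k)[2:]:
        Q = affine_add(Q, Q)
        if bit == "1":
            Q = affine_add(Q, P)
    return Q

def new_add_sub(P1, P2):
    """Algorithm 5: P1, P2 in Jacobian coordinates with a common Z.
    Returns (P1~, P1 + P2, P1 - P2) sharing one Z; register names follow
    Algorithm 5, with a few adjacent steps merged."""
    X1, Y1, Z = P1
    X2, Y2, _ = P2
    R1 = (X2 - X1) % P_MOD
    if R1 == 0:                            # P2 = +-P1: the formulas are undefined
        raise ValueError("co-Z addition needs X1 != X2")
    Z = Z * R1 % P_MOD                     # final Z = Z (X2 - X1)
    R1 = R1 * R1 % P_MOD                   # A = (X2 - X1)^2
    X1 = X1 * R1 % P_MOD                   # B = X1 A, the X of P1~
    X2 = X2 * R1 % P_MOD                   # C = X2 A
    R1 = (Y2 - Y1) % P_MOD
    R2 = R1 * R1 % P_MOD                   # D = (Y2 - Y1)^2
    R2 = (R2 - X1 - X2) % P_MOD            # X of P1 + P2
    R3 = R1 * (X1 - R2) % P_MOD            # (Y2 - Y1)(B - X3)
    Y2 = (-Y2 - Y1) % P_MOD                # Y-difference for P1 + (-P2)
    R4 = (Y2 * Y2 - X1 - X2) % P_MOD       # X of P1 - P2
    X2 = (X2 - X1) % P_MOD                 # C - B
    R1 = Y1 * X2 % P_MOD                   # E = Y1 (C - B), the Y of P1~
    X2 = (R3 - R1) % P_MOD                 # Y of P1 + P2
    Y2 = ((X1 - R4) * Y2 - R1) % P_MOD     # Y of P1 - P2
    return (X1, R1, Z), (R2, X2, Z), (R4, Y2, Z)

def to_affine(P):
    X, Y, Z = P
    zi = inv(Z)
    return X * zi * zi % P_MOD, Y * zi * zi * zi % P_MOD

def full_mult(P, k):
    """Algorithm 6 (FullMult): [k]P with NewAddSub only; k >= 1, 2k+2 < ord(P)."""
    x2, y2 = affine_add(P, P)
    P1, P2 = (x2, y2, 1), (P[0], P[1], 1)   # Z_P1 = Z_P2
    for bit in bin(k)[3:]:                  # bits k_{n-2} ... k_0
        Q = new_add_sub(P1, P2)
        P1, P2 = Q[1], Q[2]                 # P1 + P2 and P1 - P2 (= P), co-Z
        ki = int(bit)
        Q = new_add_sub(P1, P2 if ki else (P2[0], -P2[1] % P_MOD, P2[2]))
        P1, P2 = Q[ki], Q[1 - ki]           # Q[0] = P1~, Q[1] = P1 + P2
    return to_affine(P2)

def find_point(min_order):
    """First constructed point whose order exceeds min_order, so that no
    intermediate co-Z addition hits X1 == X2 for the scalars tested."""
    for x in range(1, P_MOD):
        v = (x * x * x + A * x + B) % P_MOD
        y = pow(v, (P_MOD + 1) // 4, P_MOD)
        if y == 0 or y * y % P_MOD != v:
            continue
        P, Q = (x, y), (x, y)
        for _ in range(min_order):
            Q = affine_add(Q, P)
            if Q is None:
                break
        else:
            return P
    raise RuntimeError("no suitable point")

BASE = find_point(4200)
```

Running `full_mult(BASE, k)` for any k below about 2000 returns the same affine point as `affine_mult(BASE, k)`, and every pair handed to `new_add_sub` shares its Z-coordinate.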


This basic FullMult only uses the NewAddSub algorithm; for an n-bit scalar the complexity is n(12M + 6S). We note that the second NewAddSub (Algorithm 6, line 7) is only a simple NewAdd. If one has enough space to code these two algorithms, a modified FullMult' can run in:

n(NewAddSub + NewAdd) = n((6M + 3S) + (5M + 2S)) = n(11M + 5S).

We can further improve the performance of our algorithm if we note that, within the loop of the scalar multiplication, the Z-coordinate of the points is not used in NewAddSub or in NewAdd for computing either the X or Y coordinates. We can then reduce our FullMult algorithm into a LightMult version where we don't take care of Z inside the loop but compute the final Z in the last round at minimal computational cost. We easily modify our NewAddSub into a LightAddSub such that

LightAddSub(P1, P2) → (P̃1, P1 + P2, P1 − P2) with Z_{P̃1} = Z_{P1+P2} = Z_{P1−P2},

where LightAddSub is the same algorithm as NewAddSub but without computing Z. Then LightAddSub costs 5M + 3S. The multiplication algorithm has to be slightly modified by computing the last round of the loop on k_i separately in order to get the right Z-coordinate. We call this algorithm LightMult (Algorithm 7). If one has enough space, we can use the same trick as in the FullMult algorithm, replacing the LightAddSub in Algorithm 7, lines 8 and 20, with a version of the original NewAdd without computing the Z-coordinate, called LightAdd. We finally obtain a modified LightMult' that runs in:

n(LightAddSub + LightAdd) = n((5M + 3S) + (4M + 2S)) = n(9M + 5S).

5. Resistance against side-channel attacks

Side-channel attacks are based on the observation that side-channel leakage (power consumption, electromagnetic emissions, etc.) depends on the instruction being executed, or on the data being handled. Standard double-and-add algorithms, like Algorithm 1, contain conditional branching where different instructions are executed depending on the bit values of the scalar. The two branches then behave differently, and this translates to a change in the side-channel information leaked by the device. With simple power analysis-like attacks, an attacker can easily distinguish bit values. Therefore, algorithms with dummy operations, like double-and-always-add (Algorithm 2), were proposed. The conditional branching now contains the same operations, dummy operations being added to equalise the side-channel leakage. The standard Montgomery ladder is highly regular as it computes, for each bit regardless of its value, a doubling and an addition. Our multiplication algorithms are based on an adapted Montgomery ladder. Our four proposed algorithms each compute the same sequence of instructions regardless of the value the bit of the scalar takes. The computations are a fixed pattern unrelated to the bit information of k. Thus, simple power analysis-like attacks are defeated. The side-channel information also becomes a fixed pattern. The Montgomery ladder is secure against SPA and its security is independent of the formulas used within the ladder. Differential side-channel analysis estimates the value of an intermediate result of the algorithm using statistical tools. DPA-like attacks need a so-called leakage


Algorithm 7: LightMult

input : P ∈ E and k = (k_{n−1} ... k_1 k_0)_2
output: [k]P ∈ E

1 P1 ← [2]P;
2 P2 ← P;
// We assume Z_{P1} = Z_{P2}
3 Psave ← P;
4 for i ← n − 2 to 1 do
5   Q ← LightAddSub(P1, P2);
6   P1 ← Q[1] /* P1 ← (P1 + P2) */;
7   P2 ← Q[2] /* P2 ← (P1 − P2) = P */;
8   Q ← LightAddSub(P1, (−1)^{k̄i} P2);
9   P1 ← Q[ki] /* P1 ← P̃1 or P1 ← P1 + P2 */;
10  P2 ← Q[k̄i] /* P2 ← P̃1 or P2 ← P1 + P2 */;
// Last round
11 Q ← LightAddSub(P1, P2);
12 P1 ← Q[1] /* P1 ← (P1 + P2) */;
13 P2 ← Q[2] /* P2 ← (P1 − P2) = P */;
// Compute Z_P
14 Zfinal ← X_{P2} · Y_{Psave};
15 Zfinal ← (Zfinal)^{−1};
16 Zfinal ← Zfinal · Y_{P2};
17 Zfinal ← Zfinal · X_{Psave};
18 Zfinal ← Zfinal · Z_{Psave};
19 Zfinal ← Zfinal · (X_{P2} − X_{P1});
20 Q ← LightAddSub(P1, (−1)^{k̄i} P2);
21 P1 ← Q[ki] /* P1 ← P̃1 or P1 ← P1 + P2 */;
22 P2 ← Q[k̄i] /* P2 ← P̃1 or P2 ← P1 + P2 */;
23 P2 ← [X_{P2}, Y_{P2}, Zfinal];
24 return P2

function that computes for each input message the hypothetical power consumption of a targeted intermediate value that also depends on the value of the secret. The guessed consumption is then compared to the actual power consumption trace of the device in order to find a statistical relation. SPA-resistance of an algorithm does not imply DPA-resistance. However, our proposed SPA-resistant algorithms are easy to enhance. Countermeasures against DPA aim to make the output of the leakage function impossible to guess by using random numbers. A lot of randomization methods have been proposed for elliptic curve cryptosystems. Coron in [Cor99] proposed representing elliptic curve points using randomized projective coordinates. Let P = (x, y, z) be a point in Jacobian projective coordinates. Then for all non-zero integers r, (r^2 x, r^3 y, rz) represents the same point. Only knowing the point P, the bit sequence of the randomized point is so

different to P that the statistical tools of DPA can't find relationships. The additional computational cost is 4M + 1S at the beginning of the scalar multiplication. Joye and Tymen [JT01] proposed the use of randomized isomorphisms between elliptic curves. A point P = (x, y) is randomized into (r^{−2} x, r^{−3} y, 1) in Jacobian coordinates for a non-zero integer r, with elliptic curve parameters a' = r^{−4} a and b' = r^{−6} b. The advantage of this method is that the Z-coordinate of the randomized point is 1. Hence, optimizations in the elliptic curve algorithms can be applied. However, Joye-Tymen randomization requires more additional storage than Coron's. The initial transformation of the point requires 4M + 2S plus the storage of two field elements. We can also briefly mention other randomization techniques against DPA. Coron [Cor99] introduced the randomized exponent method, as well as the randomized base point. Clavier and Joye [CJ01] proposed splitting the scalar k into r and k − r, with r a random integer. One then computes [k]P as [k − r]P + [r]P. Fault attacks are based on the fact that a fault during a cryptographic computation leads to a faulty result. If the device does not detect the fault and does not prevent the output, an attacker can exploit the results. Using knowledge of faulty results, correct ones and the precise place of induced faults, an attacker can recover bits of a secret. Numerous mechanisms for fault injection have been discovered and researched [HCN+04]. Double-and-always-add algorithms are obviously susceptible to fault attacks. As previously seen, the algorithm runs in constant time; the same operations are computed regardless of bit values. Hence, an attacker can easily locate the operations of Algorithm 2, lines 3 and 4. If, for example, ki equals 0 and the adversary injects a fault in the computation of Q1, this intermediate result is a dummy operation and the final result of the multiplication is unchanged. Therefore, the attacker knows that ki = 0 because his fault had no effect on the final result. By repeating this technique, he can recover the secret scalar. This type of fault injection is also called a computational safe-error attack. However, for the Montgomery ladder, the situation is different as every intermediate result is used to compute the final result. Hence, if the attacker induces a fault, the final result will inevitably be corrupted. Joye and Yen [JY02] proposed a slight modification to the Montgomery ladder in order to make it resistant to M safe-error attacks, an attack that implies stronger assumptions on the attacker's capabilities. Recently, Fouque et al. [FLRV08] presented the twist curve attacks: a powerful fault attack against a Montgomery ladder implementation using no y-coordinate. However, in our case, the y-coordinate is used in all our propositions. In order to thwart many attacks, a good set of countermeasures would be: random splitting of the scalar [CJ01] and point verification [BMM00], which checks whether a point lies on the curve or not. Our proposed algorithms combined with this set of count
ermeasures are resistant to known attacks.

6. Conclusion

We presented in this paper a new scalar multiplication algorithm for elliptic curves which is as resistant as the Montgomery ladder and faster than its adaptation for generic curves. Table 1 compares the efficiency of our algorithms with the generic Montgomery ladder algorithms. We can attain a complexity of 9M + 5S per bit of scalar with our LightMult' algorithm on any elliptic curve over a prime field


Table 1. Summary of scalar multiplication algorithms

Complexity (per bit of scalar) Generic Montgomery ladder [BJ02] 15M +5S Improved Izu-Takagi [IT02] 13M +4S FullMult 12M +6S FullMult’ 11M +5S LightMult 10M +6S LightMult’ 9M +5S whereas, Izu-Takagi’s generic Montgomery ladder costs 13M +4S. We have also shown the side-channel resistance of Montgomery, type algorithms against simple side-channel attacks and fault attacks. Hence, combining one of our algorithm propositions with a DPA randomization technique will provide an efficient scalar multiplication resistant against main side-channel threats.

References

[BDJ04] E. Brier, I. Déchène, and M. Joye, Unified point addition formulæ for elliptic curve cryptosystems, Embedded Cryptographic Hardware: Methodologies and Architectures, Nova Science Publishers (2004), 247–256.
[BJ02] E. Brier and M. Joye, Weierstraß elliptic curves and side-channel attacks, PKC 2002, LNCS, 2002, pp. 335–345.
[BL07] J. D. Bernstein and T. Lange, Explicit-formulas database, 2007, http://www.hyperelliptic.org/EFD.
[BMM00] I. Biehl, B. Meyer, and V. Müller, Differential fault attacks on elliptic curve cryptosystems, CRYPTO 2000, LNCS 1880 (2000), 131–146.
[BOS06] J. Blömer, M. Otto, and J.-P. Seifert, Sign change fault attacks on elliptic curve cryptosystems, FDTC 2005, LNCS 4236 (2006), 36–52.
[CJ01] C. Clavier and M. Joye, Universal exponentiation algorithm: a first step towards provable SPA-resistance, CHES 2001, LNCS 2162 (2001), 300–308.
[CJ05] M. Ciet and M. Joye, Elliptic curve cryptosystems in the presence of permanent and transient faults, Designs, Codes and Cryptography 36 (2005), 33–43.
[CMCJ04] B. Chevallier-Mames, M. Ciet, and M. Joye, Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity, IEEE Transactions on Computers 53 (2004), 760–768.
[Cor99] J.-S. Coron, Resistance against differential power analysis for elliptic curve cryptosystems, CHES 1999, LNCS 1717 (1999), 292–302.
[FLRV08] P.-A. Fouque, R. Lercier, D. Réal, and F. Valette, Fault attack on elliptic curve Montgomery ladder implementation, Proceedings of FDTC 2008, 2008, pp. 92–98.
[GLS09] S. D. Galbraith, X. Lin, and M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves, EUROCRYPT 2009, LNCS 5479 (2009), 518–535.
[HCN+04] H. B.-E. Hamid, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan, The sorcerer's apprentice guide to fault attacks, Cryptology ePrint Archive, Report 2004/100, 2004, http://eprint.iacr.org/2004/100.
[IT02] T. Izu and T. Takagi, A fast parallel elliptic curve multiplication resistant against side channel attacks, PKC 2002, LNCS 2274 (2002), 371–374.
[JT01] M. Joye and C. Tymen, Protections against differential analysis for elliptic curve cryptography, CHES 2001, LNCS 2162 (2001), 377–390.
[JY00] M. Joye and S. M. Yen, Optimal left-to-right binary signed-digit recoding, IEEE Transactions on Computers 49 (2000), 740–748.
[JY02] M. Joye and S. M. Yen, The Montgomery powering ladder, CHES 2002, LNCS 2523 (2002), 1–11.
[LG09] P. Longa and C. Gebotys, Fast multibase methods and other several optimizations for elliptic curve scalar multiplication, PKC 2009, LNCS 5443 (2009), 443–462.
[Mel07] N. Meloni, New point addition formulae for ECC applications, Arithmetic of Finite Fields, LNCS 4547 (2007), 189–201.
[Mon87] P. L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization, Mathematics of Computation 48 (1987), 243–264.
[NIS00] NIST, Recommended elliptic curves for federal government use, appendix to FIPS 186-2, 2000.
[OT04] K. Okeya and T. Takagi, SCA-resistant and fast elliptic scalar multiplication based on wNAF, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 87 (2004), 75–84.
[SEC00] SEC2, Standards for Efficient Cryptography Group/Certicom Research, Recommended Elliptic Curve Cryptography Domain Parameters, 2000.
[X9.98] ANSI X9.62, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), Cornell University, Research Report, 1998.

IML - ERISCS, Université de la Méditerranée, Case 907, 163 Avenue de Luminy, 13288 Marseille Cedex 09, FRANCE
E-mail address: [email protected]

ATMEL Secure Microcontroller Solutions, Zone Industrielle, 13106 Rousset, FRANCE
E-mail address: [email protected]

Contemporary Mathematics Volume 521, 2010

Nonlinearity of Boolean functions given by polynomials of binary degree 3 defined over $\mathbb{F}_{2^m}$ with m even

Eric Férard and François Rodier

Abstract. We study the nonlinearity of functions defined over $\mathbb{F}_{2^m}$, where m is an even integer, associated with polynomials of binary degree 3 or with more general polynomials. We deduce a criterion for vectorial functions not to be APN.

English extended abstract. Boolean functions are an important tool in computer science. They are especially useful in private key cryptography for designing stream ciphers. For security reasons, and also because Boolean functions need to have other properties than nonlinearity such as balancedness or high algebraic degree, it is important to have the possibility of choosing among many Boolean functions, not only bent functions, that is functions with the highest possible nonlinearity, but also functions which are close to being bent in the sense that their nonlinearity is close to the nonlinearity of bent functions. Let $q = 2^m$ and identify $\mathbb{F}_{2^m}$, as a vector space, with $\mathbb{F}_2^m$. In this article we want to study functions of the form $\mathrm{Tr}\,G(x)$, where G is a polynomial on $\mathbb{F}_{2^m}$, Tr is the trace of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$ and m is even. The authors have already dealt with the case m odd [7]. For m even, many people got interested in finding bent functions of this form. To mention only the case of monomials, the known cases (Gold, Dillon/Dobbertin, Niho exponents) can be found in the paper of Leander [8]. We will show that such functions are not bent, but have rather good nonlinearity or autocorrelation properties. We use for that recent results of Maisner and Nart [10] about zeta functions of supersingular curves of genus 2. On the other hand, vectorial Boolean functions are used in cryptography to construct block ciphers. An important criterion on these functions is a high resistance to differential cryptanalysis. Nyberg [12] introduced the notion of almost perfect nonlinearity (APN) to study differential attacks. We relate this notion to the notion above, and we give a criterion for a function not to be almost perfect nonlinear.

1991 Mathematics Subject Classification. Primary 94A60; Secondary 11T71, 14G50, 94B27.
Key words and phrases. Boolean function, nonlinearity, sum-of-squares indicator, supersingular curve, APN function of genus 2.


ERIC FÉRARD AND FRANÇOIS RODIER

1. Introduction

Boolean functions play an important role in cryptography. For security reasons they must in particular have a high nonlinearity, but also other properties such as balancedness or a high algebraic degree (cf. [1, 3, 4, 5]). Moreover, it is essential to have a wide choice of Boolean functions with these properties. The nonlinearity of a Boolean function f in m variables is the (Hamming) distance from f to the set of affine functions in m variables. It is always at most $2^{m-1} - 2^{m/2-1}$. Boolean functions attaining this bound exist only for m even and are called bent ([11]).

Let $k = \mathbb{F}_q$ be a finite field with $q = 2^m$ elements. Let Tr be the trace of k over $\mathbb{F}_2$ and let $\chi_0$ be the unique nontrivial character of $\mathbb{F}_2$. Denote by $\chi$ the character of k defined by $\chi = \chi_0 \circ \mathrm{Tr}$. When m is an even natural integer, bent functions of the form $x \mapsto \chi(G(x))$, where G is a polynomial over k, have been sought. For instance, the Gold functions $x \mapsto \chi(x^{2^r+1})$ are bent functions (see [8]). In this article we consider, when m is an even natural integer, the Boolean functions of the form $x \mapsto \chi(G(x))$ where G is a polynomial with coefficients in k of the form
$$G(x) = a_7 x^7 + \sum_{i=0}^{s} b_i x^{2^i+1}$$
where $a_7 \neq 0$ and s is a natural integer. We will see that these Boolean functions are not bent, but that they have rather good nonlinearity properties. For this we will use results of van der Geer and van der Vlugt ([19]) and of Maisner and Nart ([10]) on supersingular curves of genus 2. Moreover, vectorial Boolean functions are used in cryptography to build block ciphers. These functions must have a high resistance to differential cryptanalysis. To study differential attacks, Nyberg [12] defined the notion of almost perfect nonlinearity (APN). The results obtained on nonlinearity allow us to give a criterion for a function not to be almost perfectly nonlinear. The authors studied these functions when m is odd (see [7]).

2. Preliminaries

A Boolean function in m variables is a map from the space $V_m = \mathbb{F}_2^m$ to $\mathbb{F}_2$.

Let $\chi_0$ be the unique nontrivial character of $\mathbb{F}_2$. The Walsh transform of f is the function defined on $V_m$ by
$$\hat f(v) = \sum_{x \in V_m} \chi_0\big(f(x) + v \cdot x\big),$$
where $v \cdot x$ denotes the usual scalar product on $V_m$.

NONLINEARITY OF BOOLEAN FUNCTIONS GIVEN BY POLYNOMIALS

The nonlinearity of a Boolean function f in m variables, denoted nl(f), is the distance from f to the set of affine functions in m variables. One can prove that the nonlinearity equals
$$\mathrm{nl}(f) = 2^{m-1} - \tfrac{1}{2}\,\|\hat f\|_\infty,$$
where $\|\hat f\|_\infty = \sup_{v \in V_m} |\hat f(v)|$ (see Theorem 1, p. 417 of [11]). By Parseval's identity,
$$\|\hat f\|_2^2 = \frac{1}{q}\sum_{v \in V_m} \hat f(v)^2 = q.$$
Hence, for every Boolean function f in m variables, $\sqrt q \le \|\hat f\|_\infty \le q$.

The sum-of-squares indicator of a Boolean function f in m variables, introduced by Zhang and Zheng [21], is
$$\sigma_f = \frac{1}{q}\sum_{x \in V_m} \hat f(x)^4 = \|\hat f\|_4^4.$$
Note that $\|\hat f\|_2 \le \|\hat f\|_4 \le \|\hat f\|_\infty$.

3. The Boolean functions $x \mapsto \mathrm{Tr}\,G(x)$ where G is a polynomial of binary degree 3

Let m be an even integer. Let k be a finite field with $q = 2^m$ elements. Let f be the Boolean function in m variables defined by $f(x) = \chi(G(x))$, where G is a polynomial with coefficients in k of the form
$$G(x) = a_7 x^7 + \sum_{i=0}^{s} b_i x^{2^i+1}$$
with $a_7 \neq 0$ and s a natural integer.

3.1. Evaluation of $\|\hat f\|_4$.

Proposition 1. For $s \ge 5$, we have
$$\big|\,\|\hat f\|_4^4 - 4q^2\,\big| \le 117 \cdot 2^s q^{3/2}.$$
The proof will be given in Section 5.

3.2. Evaluation of $\|\hat f\|_\infty$.

Proposition 2. For $s \ge 4$ and $m \ge 12 + 2s$, we have
$$\lfloor\sqrt{3q}\rfloor + 2^{\lceil m/3 \rceil} \le \|\hat f\|_\infty \le 2^s\sqrt q.$$

The proof will be given in Section 5.


4. Almost perfectly nonlinear functions

A function $F : \mathbb{F}_q \to \mathbb{F}_q$ is called almost perfectly nonlinear if, for every $a \in \mathbb{F}_q^*$ and $b \in \mathbb{F}_q$, there are at most two elements $z \in \mathbb{F}_q$ such that $F(z+a) + F(z) = b$.

Proposition 3. If $m \ge 12 + 2s$ and $s \ge 5$, the function
$$G : k \to k,\qquad x \mapsto a_7 x^7 + \sum_{i=0}^{s} b_i x^{2^i+1}$$
is not almost perfectly nonlinear.

Proof. For $\gamma \in k$, let $f_\gamma$ be defined by $f_\gamma(x) = \chi(G(\gamma x))$. Chabaud and Vaudenay showed that $\sum_{\gamma \in k^*} \|\hat f_\gamma\|_4^4 \ge 2q^2(q-1)$, and that the function G is almost perfectly nonlinear if and only if $\sum_{\gamma \in k^*} \|\hat f_\gamma\|_4^4 = 2q^2(q-1)$ (see [6]). By Proposition 1,
$$\sum_{\gamma \in k^*} \|\hat f_\gamma\|_4^4 \ge (q-1)\big(4q^2 - 117 \cdot 2^s q^{3/2}\big).$$
If $m \ge 12 + 2s$, then $4q^2 - 117 \cdot 2^s q^{3/2} > 2q^2$ and G is not almost perfectly nonlinear. □

5. Study of hyperelliptic curves

Let k be a finite field with $q = 2^m$ elements, where m is an even integer. Let $G(x) = a_7 x^7 + \sum_{i=0}^{s} b_i x^{2^i+1}$ be a polynomial with coefficients in k with $a_7 \neq 0$. Rodier showed (cf. [13, 14]) that
$$\|\hat f\|_4^4 = q^2 + \sum_{\alpha \in k^*} X_\alpha,$$
where we set
$$X_\alpha = \Big(\sum_{x \in k} \chi\big(G(x) + G(x+\alpha)\big)\Big)^2.$$

We have $X_\alpha = (\#C_\alpha(k) - q - 1)^2$, where $C_\alpha$ is the curve with affine equation $y^2 + y = G(x+\alpha) + G(x)$. The latter is isomorphic to the curve with affine equation
$$y^2 + y = a_7\alpha^2 x^5 + \big(a_7\alpha^4 + a_7^{1/2}\alpha^{1/2}\big)x^3 + \Big(a_7^{1/4}\alpha^{3/4} + a_7^{1/2}\alpha^{5/2} + a_7\alpha^6 + \sum_{i=0}^{s}\big((b_i\alpha)^{2^{-i}} + b_i\alpha^{2^i}\big)\Big)x + G(\alpha).$$

5.1. The theory of van der Geer and van der Vlugt. Let C be a curve with affine equation $y^2 + y = ax^5 + bx^3 + cx + d$ with $a \neq 0$. Let R be the linearized polynomial $ax^4 + bx^2 + c^2x$. The map
$$Q : k \longrightarrow \mathbb{F}_2,\qquad x \longmapsto \mathrm{Tr}\big(xR(x)\big)$$
is the quadratic form associated with the symplectic form
$$k \times k \longrightarrow \mathbb{F}_2,\qquad (x, y) \longmapsto \langle x, y \rangle = \mathrm{Tr}\big(xR(y) + yR(x)\big).$$


We have $\#C(k) = 1 + 2\,\#Q^{-1}(0)$. The radical W of the symplectic form $\langle\,,\rangle$ coincides with the set of zeros in k of the $\mathbb{F}_2$-linear separable polynomial
$$E_{a,b} := a^4x^{16} + b^4x^8 + b^2x^2 + ax.$$
We have $0 \le w = \dim_{\mathbb{F}_2} W \le 4$, $w \equiv m \pmod 2$, and the codimension of the kernel V of Q in W equals 0 or 1. The polynomial $E_{a,b}$ factors in $k[x]$ as
$$E_{a,b}(x) = xP(x)\big(1 + x^5P(x)\big)\qquad\text{with}\qquad P = a^2x^5 + b^2x + a.$$

Theorem 1 (van der Geer - van der Vlugt [19]). If $V \subsetneq W$, then $\#C(k) = 1 + q$. If $V = W$, then
$$\#C(k) = 1 + q \pm \sqrt{2^w q}.$$

5.2. Reduction of the curve $y^2 + y = G(x)$. Let $e = a_7^{-1}\alpha^{-7}$.

Consider the case $e \neq 1$. Set $\lambda = a_7^{-1/4}\alpha^{-3/4} + \alpha$. The curve $C_\alpha$ is then isomorphic to the curve with equation $y^2 + y = ax^5 + ax^3 + cx + d$, where $a = \lambda^5 a_7\alpha^2 = \lambda^3\big(a_7\alpha^4 + a_7^{1/2}\alpha^{1/2}\big)$ and
$$c = \lambda\Big(a_7\alpha^6 + a_7^{1/4}\alpha^{3/4} + a_7^{1/2}\alpha^{5/2} + \sum_i\big((b_i\alpha)^{2^{-i}} + b_i\alpha^{2^i}\big)\Big).$$
We study the polynomial $P(x) = a^2x^5 + a^2x + a$. Note that $z = \lambda^{-1}\alpha$ is a root of P and that
$$P(x) = a^2z^4(x+z)\big(x^4z^{-4} + x^3z^{-3} + x^2z^{-2} + xz^{-1} + e\big)\qquad\text{with}\qquad e = z^{-4} + 1 = a_7^{-1}\alpha^{-7}.$$
If $e = 1$, i.e. $\alpha^7 = a_7^{-1}$, then the curve $C_\alpha$ is isomorphic to the curve with equation $y^2 + y = ax^5 + cx + d$ with $a = \lambda^5a_7\alpha^2 = \alpha^{-5}$ and
$$c = \lambda\Big(a_7\alpha^6 + a_7^{1/4}\alpha^{3/4} + a_7^{1/2}\alpha^{5/2} + \sum_i\big((b_i\alpha)^{2^{-i}} + b_i\alpha^{2^i}\big)\Big),$$
where we set $\lambda = 1$. The polynomial P(x) factors in $k[x]$ as
$$P(x) = a^2x^5 + a = a^2z^4(x+z)\big(z^{-2}x^2 + \zeta z^{-1}x + 1\big)\big(z^{-2}x^2 + \zeta^2z^{-1}x + e\big),$$
where $z = \lambda^{-1}\alpha = \alpha$ and $\zeta \in k$ is a primitive cube root of unity.

5.3. Values taken by $X_\alpha$. Let $e = a_7^{-1}\alpha^{-7}$.

Suppose $e \in (k^*)^3$, so that there exists $l \in k$ with $l^3 = e$. The other cube roots of e are $l\zeta$ and $l\zeta^2$. We may therefore choose l with $\mathrm{Tr}\,l = 0$ (since $l + l\zeta + l\zeta^2 = 0$). Hence there exists $u \in k$ with $l = u^2 + u$, and
$$P(x) = a^2z^4(x+z)\big(z^{-2}x^2 + uz^{-1}x + (1+u)^3\big)\big(z^{-2}x^2 + (u+1)z^{-1}x + u^3\big).$$
If $\mathrm{Tr}\,u = 0$, there exists $v \in k$ with $u = v^2 + v$ and the polynomial P splits into a product of linear factors in $k[x]$. The roots of P in k are $z$, $zv^3$, $z(v+1)^3$, $z(v+\zeta)^3$ and $z(v+\zeta^2)^3$. By Maisner and Nart (see [10]), we have $w = 4$ and $W = $ . We have $X_\alpha = 2^4q$ if and only if $Q(zv^3) = Q(z(v+1)^3) = Q(z(v+\zeta)^3) = 0$.
If $\mathrm{Tr}\,u = 1$, then z is the unique root of P in k, $w = 2$ and $W = \langle z, uz \rangle$ (see [10]). Hence $X_\alpha = 2^2q$ if and only if $Q(uz) = 0$.


Suppose $e \notin (k^*)^3$. In this case the polynomial P has exactly two roots in k (cf. Maisner-Nart [10]). The roots of P in an algebraic closure $\bar k$ of k other than z are $zv^3$, where $v \in \bar k$ is a solution of
$$(v^4 + v)^3 = (v^3)^4 + (v^3)^3 + (v^3)^2 + v^3 = e.$$
Among these roots there is one, and only one, that belongs to k. Hence there exists $v \in \bar k$ with $v^3 \in k$. We have $w = 2$ and $W = $ where y is the unique element of k satisfying $y^4 + y^3 + y^2 + y = e$. We have $X_\alpha = 2^2q$ if and only if $Q(zy) = 0$.

Proposition 4. Let $e = a_7^{-1}\alpha^{-7}$ and
$$\eta = 1 + a_7^{1/4}\alpha^{7/4} + \big(a_7^{1/4}\alpha^{7/4}\big)^2 + \sum_i\Big(\big(b_i\alpha^{1+2^i}\big)^{2^{-i}} + b_i\alpha^{1+2^i}\Big).$$

(1) Suppose $e \in (k^*)^3$. If there exists $v \in k$ with $e = (v^4+v)^3$, then $X_\alpha = 0$ or $2^4q$, and $X_\alpha = 2^4q$ if and only if $\mathrm{Tr}\,\eta v^3 = \mathrm{Tr}\,\eta(v+1)^3 = \mathrm{Tr}\,\eta(v+\zeta)^3 = 0$.

Otherwise, there exists $u \in k$ with $e = (u^2+u)^3$, and $X_\alpha = 0$ or $2^2q$. We have $X_\alpha = 2^2q$ if and only if $\mathrm{Tr}\,\eta u = 1$. Moreover, $\mathrm{Tr}\,u = 1$.

(2) If $e \notin (k^*)^3$, then $X_\alpha = 0$ or $2^2q$. There exists $y \in k$ with $y^4 + y^3 + y^2 + y = e$, and $X_\alpha = 2^2q$ if and only if $\mathrm{Tr}\,\eta y = 0$.

Proof. When $e = 1$, on the one hand, if Z is a root of P(x), then $Q(Z) = \mathrm{Tr}(aZ^5 + cZ)$; on the other hand, if Z is a root of $x^5P(x) + 1$, then $Q(Z) = \mathrm{Tr}(aZ^5 + cZ)$.
Suppose u is an element of k satisfying $\mathrm{Tr}\,u = 1$ and $(u^2+u)^3 = e = a_7^{-1}\alpha^{-7}$. Then $a_7\alpha^7(u^5 + u) = u^{-1} + u^{-2}$ and
$$Q(uz) = \mathrm{Tr}\big(a(uz)^5 + c(uz)\big) = \mathrm{Tr}\Big(a_7\alpha^7u^5 + a_7\alpha^7u + a_7^{1/4}\alpha^{7/4}u + a_7^{1/2}\alpha^{7/2}u + \sum_i\big(b_i^{2^{-i}}\alpha^{2^{-i}+1}u + b_i\alpha^{2^i+1}u\big)\Big) = \mathrm{Tr}\,(\eta+1)u = \mathrm{Tr}(\eta u) + 1.$$
Suppose v is an element of k satisfying $(v^4+v)^3 = e = a_7^{-1}\alpha^{-7}$. Then $a_7\alpha^7(v^{15} + v^3) = v^3 + 1$ and
$$Q(v^3z) = \mathrm{Tr}\Big(a_7\alpha^7v^{15} + a_7\alpha^7v^3 + a_7^{1/4}\alpha^{7/4}v^3 + a_7^{1/2}\alpha^{7/2}v^3 + \sum_i\big(b_i^{2^{-i}}\alpha^{2^{-i}+1}v^3 + b_i\alpha^{2^i+1}v^3\big)\Big) = \mathrm{Tr}(\eta v^3).$$
Let $y \in k$ with $y^4 + y^3 + y^2 + y = e$. One checks that $Q(\eta y) = \mathrm{Tr}(\eta y)$. □

5.4. Estimating the number of $\alpha$ giving the different values taken by $X_\alpha$.


5.4.1. Algebraic curves. Let $C_1$ be the curve with affine equation $(u^2+u)^3 = \gamma x^7$. This curve has a unique point at infinity. Its singular points are the points (0,0), (0,1) and the point at infinity. The valuation at (0,0) of x (resp. u) is $v_{(0,0)}(x) = 3$ (resp. $v_{(0,0)}(u) = 7$). The valuation at infinity of x (resp. u) is $v_\infty(x) = -6$ (resp. $v_\infty(u) = -7$). The curve $C_1$ has genus 3 (see [17], Proposition VI.3.1, Proposition III.7.8).
Let $C_2$ be the curve with affine equation $(v^4+v)^3 = \gamma x^7$. It has a unique point at infinity. Its singular points are the point at infinity and the points $(0,0), (0,1), (0,\zeta), (0,\zeta^2)$. The valuation at infinity of x (resp. v) is $v_\infty(x) = -12$ (resp. $v_\infty(v) = -7$). The valuation at (0,0) of x (resp. v) is $v_{(0,0)}(x) = 3$ (resp. $v_{(0,0)}(v) = 7$). The curve $C_2$ has genus 9 (see [17], Proposition VI.3.1, Proposition III.7.8).
Let $C'$ be the curve with affine equation $y^4 + y^3 + y^2 + y = \gamma x^7$. This curve has a unique point at infinity. Its singular points are the point at infinity and the point (0,1). The valuation at infinity of x (resp. y) is $v_\infty(x) = -4$ (resp. $v_\infty(y) = -7$). The valuation at (0,0) of x (resp. y) is $v_{(0,0)}(x) = 1$ (resp. $v_{(0,0)}(y) = 7$). The curve $C'$ has genus 3 (see [17], Proposition VI.3.1).

5.4.2. Bounds for exponential sums. Let X be a complete nonsingular curve of genus g. Let f be a rational function on X which is not of the form $\phi^2 + \phi$ with $\phi$ a rational function on X. Let
$$S = \sum \chi(f(z)),$$
where the sum runs over the k-rational points of X which are not poles of f. Let $(f)_\infty$ be the divisor of poles of f and t the number of poles of f, counted without multiplicity.

Theorem 2 (Bombieri [2]). We have $|S| \le \big(2g - 2 + t + \deg(f)_\infty\big)\sqrt q$.

5.4.3. The number of $\alpha$ with $X_\alpha = 2^2q$. Suppose $s \ge 4$.
We want to estimate the number $N(X_{2^2q})$ of $\alpha$ satisfying $X_\alpha = 2^2q$. We have seen that this is the case if and only if either there exists $u \in k$ with $(u^2+u)^3 = e$, $\mathrm{Tr}\,u = 1$, $\mathrm{Tr}\,\eta u = 1$, or $e \notin (k^*)^3$ and $\mathrm{Tr}\,\eta y = 0$, where y is an element of k satisfying $y^4 + y^3 + y^2 + y = e$.
If u is an element of k with $(u^2+u)^3 = e$, $\mathrm{Tr}\,u = \mathrm{Tr}\,\eta u = 1$, then $((u+1)^2 + (u+1))^3 = e$, $\mathrm{Tr}(u+1) = 1$ and $\mathrm{Tr}\,\eta(u+1) = 1$. We have $w = 2$ and $W = \{0, z, uz, (u+1)z\}$ (see [10]), so there can be no element $u'$ of k different from u, u+1 with $(u'^2+u')^3 = e$, $\mathrm{Tr}\,u' = \mathrm{Tr}\,\eta u' = 1$. We deduce that $N(X_{2^2q}) = n_2/2 + n_1$, where $n_2$ is the number of pairs (x,u) on the curve $C_1$ with $\mathrm{Tr}\,u = \mathrm{Tr}\,\eta u = 1$ and $n_1$ is the number of pairs (x,y) on the curve $C'$ with $\mathrm{Tr}\,\eta y = 0$.
We begin by evaluating the number of $(u,\alpha)$ satisfying $\mathrm{Tr}\,u = \mathrm{Tr}\,\eta u = 1$ and $(u^2+u)^3 = \alpha^{-7}a_7^{-1}$. We have
$$\mathrm{Tr}\,\eta u = \mathrm{Tr}\Big(u + \sum_i b_i\big(u^{2^i} + u\big)\alpha^{1+2^i} + \big(u^2 + u^4\big)a_7\alpha^7\Big).$$
Let
$$S_1 := \sum_{(x,u) \in C_1(k) - C_{1,\infty}} \chi(\mathrm{Tr}\,u),$$
where $C_{1,\infty} = \{(0,0), (0,1), \infty\}$. By Theorem 2,
$$|S_1| \le \big(2g - 2 + t + \deg(u)_\infty\big)\sqrt q = 12\sqrt q.$$
Let $N_1$ be the number of pairs $(\alpha, u)$ on the curve $C_1$ with $\mathrm{Tr}\,u = 1$. Then
$$S_1 = \sum \chi(\mathrm{Tr}\,u) = \sum_{\mathrm{Tr}\,u = 0} 1 - N_1 = \#C_1(k) - 2N_1 - 1.$$
Hence
$$\Big|N_1 - \frac{\#C_1(k)}{2}\Big| = \frac{|S_1 + 2|}{2} \le 6\sqrt q + 1.$$
On the curve $C_1$ we consider the function
$$g(u) = u + \sum_{i=0}^{s} b_i\big(u^{2^i} + u\big)x^{-1-2^i} + \gamma x^{-7}\big(u^2 + u^4\big).$$
One can show that, for $\psi = \gamma^{1/2}x^3u^{-3}(ux^{-1})^{2^{s-1}}$, the valuation at the point at infinity of $g(u) + \psi^2 + \psi$ is a negative odd integer. Hence the function g is not of the form $\phi^2 + \phi$ (for $s \ge 4$). Let
$$S_2 := \sum_{(x,u) \in C_1(k) - C_{1,\infty}} \chi(g(u))$$
with $C_{1,\infty} = \{(0,0), (0,1), \infty\}$. The degree of the divisor of poles of g(u) is $\deg(g(u))_\infty = 7(2^s - 2)$. By Theorem 2,
$$|S_2| \le \big(2g - 2 + t + \deg(g)_\infty\big)\sqrt q = 7(2^s - 1)\sqrt q.$$

If $N_2$ denotes the number of pairs $(\alpha, u)$ on the curve $C_1$ with $\mathrm{Tr}\,g(u) = 0$, then
$$S_2 = \sum_{\mathrm{Tr}\,f = 1} 1 - N_2 = \#C_1(k) - 2N_2 - 3.$$
Hence
$$\Big|N_2 - \frac{\#C_1(k)}{2}\Big| = \frac{|S_2 + 3|}{2} \le \frac{7}{2}(2^s - 1)\sqrt q + \frac{3}{2}.$$
Let
$$S_3 = \sum_{(x,u) \in C_1(k) - C_{1,\infty}} \chi\big(g(u) + u\big).$$
The function $g(u) + u$ is not of the form $\phi^2 + \phi$. The degree of the divisor of poles of $g(u) + u$ is $\deg(g(u) + u)_\infty = 7(2^s - 2)$. Let $N_{1,2}$ be the number of pairs $(\alpha, u)$ on the curve $C_1$ with $\mathrm{Tr}(g(u) + u) = 0$. Then
$$\Big|N_{1,2} - \frac{\#C_1(k)}{2}\Big| \le \frac{7}{2}(2^s - 1)\sqrt q + \frac{3}{2}.$$

Lemma 1. Let $\psi_1$ and $\psi_2$ be two functions defined on a finite set X with values in $\mathbb{F}_2$. For $i = 1, 2$, set
$$N_i = \#\{x \in X : \psi_i(x) = 0\}\qquad\text{and}\qquad N_{1,2} = \#\{x \in X : \psi_1(x) = \psi_2(x)\}.$$
Then
$$\#\{x \in X : \psi_1(x) = \psi_2(x) = 0\} = \frac{1}{2}\big(N_1 + N_2 + N_{1,2} - \#X\big).$$


Proof. See Férard and Rodier [7], Lemma 6.7. □

From this lemma we deduce that
$$n_2 = \frac{1}{2}\Big[\Big(N_1 - \frac{\#C_1(k)}{2}\Big) + \Big(N_2 - \frac{\#C_1(k)}{2}\Big) + \Big(N_{1,2} - \frac{\#C_1(k)}{2}\Big) + \frac{\#C_1(k)}{2}\Big].$$
Hence
$$\Big|n_2 - \frac{\#C_1(k)}{4}\Big| \le \Big(7 \cdot 2^{s-1} - \frac{1}{2}\Big)\sqrt q + 2.$$
We next evaluate the number of $(y, \alpha)$ satisfying $\mathrm{Tr}\,\mu y = 0$ and $y^4 + y^3 + y^2 + y = \alpha^{-7}a_7^{-1}$. On the curve $C'$ we consider the function
$$h(y) = y + \sum_i b_i\big(y^{2^i} + y\big)x^{-1-2^i} + \gamma x^{-7}\big(y^2 + y^4\big).$$

Let
$$S' = \sum_{(x,y) \in C'(k) - C'_\infty} \chi(h(x)),$$
where $C'_\infty = \{(0,0), (0,1), \infty\}$. One can show that, for $\psi = \gamma^{1/2}x^3y^{-2}(yx^{-1})^{2^{s-1}}$, the valuation at the point at infinity of $h(y) + \psi^2 + \psi$ is a negative odd integer. Consequently the function h is not of the form $\phi^2 + \phi$. The degree of the divisor of poles of h(y) is $\deg h(y)_\infty = 7(2^s - 2)$. By Theorem 2,
$$|S'| \le \big(2g - 2 + t + \deg(h)_\infty\big)\sqrt q \le 7(2^s - 1)\sqrt q.$$

Hence
$$\Big|n_1 - \frac{\#C'(k)}{2}\Big| = \frac{|S' + 3|}{2} \le \frac{7}{2}(2^s - 2)\sqrt q + \frac{3}{2}.$$

Proposition 5. Let $s \ge 4$. The number $N(X_{2^2q})$ of $\alpha$ with $X_\alpha = 2^2q$ satisfies
$$\Big|N(X_{2^2q}) - \frac{5}{8}q\Big| \le 21 \cdot 2^{s-2}\sqrt q.$$
Proof. We have
$$N(X_{2^2q}) = \frac{1}{2}\Big(n_2 - \frac{\#C_1(k)}{4}\Big) + \Big(n_1 - \frac{\#C'(k)}{2}\Big) + \frac{1}{8}\big(\#C_1(k) - q - 1\big) + \frac{1}{2}\big(\#C'(k) - q - 1\big) + \frac{5}{8}q + \frac{5}{8}.$$
Hence
$$\Big|N(X_{2^2q}) - \frac{5}{8}q\Big| \le \frac{1}{2}\Big[\Big(7 \cdot 2^{s-1} - \frac{1}{2}\Big)\sqrt q + 2\Big] + \frac{7}{2}(2^s - 2)\sqrt q + \frac{3}{2} + \frac{3}{8}\sqrt q + \frac{3}{2}\sqrt q + \frac{5}{8} = \Big(21 \cdot 2^{s-2} - \frac{43}{8}\Big)\sqrt q + \frac{25}{8}. \qquad\square$$


5.4.4. The number of $\alpha$ with $X_\alpha = 2^4q$. Suppose $s \ge 5$.
We want to estimate the number $N(X_{2^4q})$ of $\alpha$ with $X_\alpha = 2^4q$. If v is an element of k such that
$$(v^4 + v)^3 = e,\qquad \mathrm{Tr}\,\eta v^3 = \mathrm{Tr}\,\eta(v+1)^3 = \mathrm{Tr}\,\eta(v+\zeta)^3 = 0, \qquad (*)$$
then $((v+1)^4 + (v+1))^3 = ((v+\zeta)^4 + (v+\zeta))^3 = ((v+\zeta^2)^4 + (v+\zeta^2))^3 = e$, and from $\eta(v+\zeta^2)^3 = \eta\big(v^3 + (v+1)^3 + (v+\zeta)^3 + 1\big)$ we deduce that $\mathrm{Tr}\,\eta(v+\zeta^2)^3 = 0$. In this case $w = 4$ and $W = $ (see [10]). We deduce that $N(X_{2^4q}) = n_4/4$, where $n_4$ is the number of pairs $(\alpha, v)$ satisfying $(*)$. To estimate $n_4$ we use the following lemma.

Lemma 2. Let $\psi_1, \psi_2, \psi_3$ be three functions defined on a finite set X with values in $\mathbb{F}_2$. For $i = 1, 2, 3$, set $N'_i = \#\{x \in X : \psi_i(x) = 0\}$. For $i, j = 1, 2, 3$, set $N'_{i,j} = \#\{x \in X : \psi_i(x) = \psi_j(x)\}$. Let $N' = \#\{x \in X : \psi_1(x) + \psi_2(x) + \psi_3(x) = 0\}$. The cardinality of the set $\{x \in X : \psi_1(x) = \psi_2(x) = \psi_3(x) = 0\}$ equals
$$\frac{1}{4}\big(N'_1 + N'_2 + N'_3 + N'_{1,2} + N'_{1,3} + N'_{2,3} + N'\big) - \frac{3}{4}\#X.$$
Proof. For $i, j, k \in \mathbb{F}_2$, set $N_{i,j,k} = \#\{x \in X : \psi_1(x) = i,\ \psi_2(x) = j,\ \psi_3(x) = k\}$. One expresses the eight numbers $\#X, N', N'_1, N'_2, N'_3, N'_{1,2}, N'_{1,3}$ and $N'_{2,3}$ in terms of the $N_{i,j,k}$. This gives eight linear equations, which one solves by inverting the matrix. □

On the curve $C_2$ we consider the function
$$f'(v) = v^3 + \sum_i b_i\big(v^{3 \cdot 2^i} + v^3\big)x^{-1-2^i} + \gamma x^{-7}\big(v^6 + v^{12}\big).$$
One can check that the function $f'(v)$ is not of the form $\phi^2 + \phi$. The poles of $f'(v)$ are among the points $(0,0), (0,1), (0,\zeta), (0,\zeta^2)$ and the point at infinity. A computation shows that these points are exactly the poles of $f'(v)$ and that the degree of the divisor of poles of $f'(v)$ is $\deg f'(v)_\infty = 21(2^s - 2)$. Consider the exponential sum $S'_1 = \sum \chi(f'(v))$. Theorem 2 shows that
$$|S'_1| \le 21(2^s - 1)\sqrt q.$$
Let $N'_1$ be the number of pairs (x,v) on the curve $C_2$ with $\mathrm{Tr}\,f'(v) = 1$. We have
$$\Big|N'_1 - \frac{\#C_2(k)}{2}\Big| = \frac{|S'_1 + 5|}{2} \le 21(2^s - 1)\sqrt q + \frac{5}{2}.$$
The number $N'_2$ (resp. $N'_3$) of pairs (x,v) on the curve $C_2$ with $\mathrm{Tr}\,f'(v+1) = 1$ (resp. $\mathrm{Tr}\,f'(v+\zeta) = 1$) satisfies the same bound. The functions $f'(v) + f'(v+1)$, $f'(v) + f'(v+\zeta)$ and $f'(v+1) + f'(v+\zeta)$ are not of the form $\phi^2 + \phi$. One can show that the poles of each of these functions are the points $(0,0), (0,1), (0,\zeta), (0,\zeta^2)$ and the point at infinity, and that the degree of the divisor of poles is $8(2^s - 3)$. Let $N'_{1,2}$ be the number of pairs (x,v) on the curve $C_2$ with $\mathrm{Tr}\,f'(v) = \mathrm{Tr}\,f'(v+1)$.

Let $S'_{1,2} = \sum \chi\big(f'(v) + f'(v+1)\big)$. By Theorem 2,
$$|S'_{1,2}| \le 8(2^s - 1)\sqrt q.$$
As before we obtain
$$\Big|N'_{1,2} - \frac{\#C_2(k)}{2}\Big| = \frac{|S'_{1,2} + 5|}{2} \le 4(2^s - 1)\sqrt q + \frac{5}{2}.$$

Likewise, we have
$$\Big|N'_{1,3} - \frac{\#C_2(k)}{2}\Big| \le 4(2^s - 1)\sqrt q + \frac{5}{2}\qquad\text{and}\qquad\Big|N'_{2,3} - \frac{\#C_2(k)}{2}\Big| \le 4(2^s - 1)\sqrt q + \frac{5}{2},$$
where $N'_{1,3}$ (resp. $N'_{2,3}$) denotes the number of pairs (x,v) on the curve $C_2$ with $\mathrm{Tr}\,f'(v) = \mathrm{Tr}\,f'(v+\zeta)$ (resp. $\mathrm{Tr}\,f'(v+1) = \mathrm{Tr}\,f'(v+\zeta)$).

Let $N'$ be the number of pairs (x,v) on the curve $C_2$ with
$$\mathrm{Tr}\big(f'(v) + f'(v+1) + f'(v+\zeta)\big) = 0.$$
The function $f'(v) + f'(v+1) + f'(v+\zeta)$ is not of the form $\phi^2 + \phi$. We have $\deg\big(f'(v) + f'(v+1) + f'(v+\zeta)\big)_\infty = 21(2^s - 2)$. We deduce that
$$\Big|N' - \frac{\#C_2(k)}{2}\Big| \le 21(2^s - 1)\sqrt q + \frac{5}{2}.$$

Proposition 6. Let $s \ge 5$. The number $N(X_{2^4q})$ of $\alpha$ with $X_\alpha = 2^4q$ satisfies
$$\Big|N(X_{2^4q}) - \frac{q}{32}\Big| \le 6 \cdot 2^s\sqrt q.$$

Proof. By the preceding lemma,
$$n_4 = \frac{1}{4}\big(N'_1 + N'_2 + N'_3 + N'_{1,2} + N'_{1,3} + N'_{2,3} + N'\big) - \frac{3}{4}\#C_2(k).$$
Hence
$$16\,N(X_{2^4q}) - \frac{q}{2} = \Big(N'_1 - \frac{\#C_2(k)}{2}\Big) + \Big(N'_2 - \frac{\#C_2(k)}{2}\Big) + \Big(N'_3 - \frac{\#C_2(k)}{2}\Big) + \Big(N'_{1,2} - \frac{\#C_2(k)}{2}\Big) + \Big(N'_{1,3} - \frac{\#C_2(k)}{2}\Big) + \Big(N'_{2,3} - \frac{\#C_2(k)}{2}\Big) + \Big(N' - \frac{\#C_2(k)}{2}\Big) + \frac{1}{2}\big(\#C_2(k) - q - 1\big) + \frac{1}{2}.$$
We deduce that
$$16\,\Big|N(X_{2^4q}) - \frac{q}{32}\Big| \le 96(2^s - 1)\sqrt q + \frac{35}{2} + \frac{1}{2}\,|\#C_2(k) - q - 1| + \frac{1}{2} \le 96(2^s - 1)\sqrt q + 9\sqrt q + 18. \qquad\square$$


5.5. Proof of the evaluation of $\|\hat f\|_4$ (Proposition 1). We can now prove Proposition 1. We have
$$\|\hat f\|_4^4 = q^2 + \sum_{\alpha \in k^*} X_\alpha = q^2 + 2^2q\,N(X_{2^2q}) + 2^4q\,N(X_{2^4q}) = 4q^2 + 2^2q\Big(N(X_{2^2q}) - \frac{5}{8}q\Big) + 2^4q\Big(N(X_{2^4q}) - \frac{q}{32}\Big).$$
Hence
$$\big|\,\|\hat f\|_4^4 - 4q^2\,\big| \le 2^2q\,\Big|N(X_{2^2q}) - \frac{5}{8}q\Big| + 2^4q\,\Big|N(X_{2^4q}) - \frac{q}{32}\Big| \le 117 \cdot 2^s q^{3/2}. \qquad\square$$

5.6. Proof of the evaluation of $\|\hat f\|_\infty$ (Proposition 2). By the Weil bound,
$$|\hat f(v)| = \Big|\sum_{x \in V_m} \chi_0\big(f(x) + v \cdot x\big)\Big| \le (\deg f - 1)\sqrt q.$$
On the other hand, $\|\hat f\|_4^4 \le q\,\|\hat f\|_\infty^2$ and, by Proposition 5, for $s \ge 4$ we have
$$\|\hat f\|_4^4 = q^2 + \sum_{\alpha \in k^*} X_\alpha \ge q^2 + 2^2q\,N(X_{2^2q}) \ge \frac{7}{2}q^2 - 21 \cdot 2^s q^{3/2}.$$
We deduce that, if $m \ge 12 + 2s$, then $\|\hat f\|_\infty > \sqrt{3q}$. Moreover, by Moreno and Moreno [9, Theorem 2] (see also [7]), $\|\hat f\|_\infty$ is divisible by $2^{\lceil m/3 \rceil}$.
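As an added worked example (not code from the paper), the objects of Sections 2, 4 and 5 computed by brute force over $\mathbb{F}_{2^6}$ for one constructed G of the paper's form: the Walsh transform and nl(f), Parseval, Rodier's decomposition $\|\hat f\|_4^4 = q^2 + \sum_{\alpha \ne 0} X_\alpha$, the differential table defining APN, and the Chabaud-Vaudenay sum. The field polynomial, $a_7$, the $b_i$ and m = 6 are constructed choices; for the Chabaud-Vaudenay criterion the block uses the component functions $\mathrm{Tr}(\gamma G(x))$ of [6] rather than the paper's $\chi(G(\gamma x))$.

```python
"""Walsh spectrum, nonlinearity, sum-of-squares indicator and APN test for
f(x) = Tr(G(x)), G(x) = a7*x^7 + sum_i b_i*x^(2^i+1) over F_{2^m}, m even.
Constructed example (brute force, so only small m is practical)."""

M = 6                        # m even as in the paper; q = 2^m
POLY = 0b1000011             # x^6 + x + 1, irreducible over F_2 (constructed choice)
Q = 1 << M

def gf_mul(a, b):
    """Multiply in F_{2^m} = F_2[x]/(POLY); elements are m-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= POLY
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def trace(x):
    """Tr(x) = x + x^2 + ... + x^(2^(m-1)), an element of F_2 = {0, 1}."""
    t, y = 0, x
    for _ in range(M):
        t ^= y
        y = gf_mul(y, y)
    return t

TR = [trace(x) for x in range(Q)]        # trace table, indexed by field element

def make_G(a7, b):
    """Value table of G(x) = a7*x^7 + sum_{i=0}^{s} b_i*x^(2^i+1), a7 != 0."""
    assert a7 != 0
    tab = []
    for x in range(Q):
        y = gf_mul(a7, gf_pow(x, 7))
        for i, bi in enumerate(b):
            y ^= gf_mul(bi, gf_pow(x, (1 << i) + 1))
        tab.append(y)
    return tab

def walsh(tt):
    """hat f(v) = sum_x chi0(f(x) + v.x) for the truth table tt of f on F_2^m,
    with v.x the usual scalar product (parity of v & x)."""
    return [sum(-1 if tt[x] ^ (bin(v & x).count("1") & 1) else 1 for x in range(Q))
            for v in range(Q)]

def nonlinearity(W):
    """nl(f) = 2^(m-1) - (1/2)*||hat f||_inf (the Walsh values are even)."""
    return Q // 2 - max(abs(w) for w in W) // 2

def norm4_4(W):
    """||hat f||_4^4 = (1/q) sum_v hat f(v)^4, the sum-of-squares indicator."""
    return sum(w ** 4 for w in W) // Q

def X_alpha(Gtab, alpha):
    """X_alpha = (sum_x chi(G(x) + G(x+alpha)))^2, a term of Rodier's decomposition."""
    d = sum(-1 if TR[Gtab[x] ^ Gtab[x ^ alpha]] else 1 for x in range(Q))
    return d * d

def differential_table(Gtab):
    """delta[a][b] = #{z : G(z+a) + G(z) = b}."""
    delta = [[0] * Q for _ in range(Q)]
    for a in range(Q):
        for z in range(Q):
            delta[a][Gtab[z ^ a] ^ Gtab[z]] += 1
    return delta

def is_apn(Gtab):
    """APN: every G(z+a)+G(z)=b with a != 0 has at most two solutions z."""
    delta = differential_table(Gtab)
    return max(delta[a][b] for a in range(1, Q) for b in range(Q)) <= 2

def chabaud_vaudenay_sum(Gtab):
    """sum_{gamma in k*} ||hat f_gamma||_4^4 for f_gamma(x) = Tr(gamma*G(x));
    it is >= 2q^2(q-1), with equality exactly when G is APN [6]."""
    total = 0
    for g in range(1, Q):
        total += norm4_4(walsh([TR[gf_mul(g, y)] for y in Gtab]))
    return total

if __name__ == "__main__":
    Gtab = make_G(1, [0, 1, 1])          # G(x) = x^7 + x^3 + x^5 (s = 2), constructed
    W = walsh([TR[y] for y in Gtab])     # spectrum of f(x) = Tr(G(x))
    print("nl(f) =", nonlinearity(W), " bent bound =", Q // 2 - (1 << (M // 2 - 1)))
    print("Rodier identity:", norm4_4(W) == Q * Q + sum(X_alpha(Gtab, a) for a in range(1, Q)))
    print("APN:", is_apn(Gtab), " CV sum minimal:", chabaud_vaudenay_sum(Gtab) == 2 * Q * Q * (Q - 1))
```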

References

[1] P. Barthélémy, R. Rolland, P. Véron, Cryptographie, Hermès, Paris, 2005.
[2] E. Bombieri, On exponential sums in finite fields, Amer. J. Math. 88 (1966), 71–105.
[3] C. Carlet, On cryptographic complexity of Boolean functions, Proceedings of the Sixth Conference on Finite Fields with Applications to Coding Theory, Cryptography and Related Areas (G. L. Mullen, H. Stichtenoth and H. Tapia-Recillas, eds.), Springer (2002), 53–69.
[4] C. Carlet, On the algebraic thickness and non-normality of Boolean functions, with developments on symmetric functions, submitted to IEEE Trans. Inform. Theory.
[5] C. Fontaine, Contribution à la recherche de fonctions booléennes hautement non linéaires et au marquage d'images en vue de la protection des droits d'auteur, Thèse, Université Paris VI (1998).
[6] F. Chabaud, S. Vaudenay, Links between differential and linear cryptanalysis, in: A. De Santis (ed.), Advances in Cryptology - EUROCRYPT '94, Workshop on the theory and application of cryptographic techniques, Perugia, Italy, May 9–12, 1994, Lect. Notes Comput. Sci. 950, Springer-Verlag, Berlin (1995), 356–365.
[7] E. Férard, F. Rodier, Non linéarité des fonctions booléennes données par des traces de polynômes de degré binaire 3, Proceedings of the First SAGA Conference on Algebraic Geometry and its Applications (J. Chaumine, J. Hirschfeld and R. Rolland, eds.), World Scientific Publishing (2008), 388–409.
[8] N. G. Leander, Monomial bent functions, IEEE Trans. Inform. Theory 52 (2006), no. 2, 738–743.
[9] C. Moreno, O. Moreno, The MacWilliams-Sloane conjecture on the tightness of the Carlitz-Uchiyama bound and the weights of duals of BCH codes, IEEE Trans. Inform. Theory 40 (1994), no. 6, 1894–1907.
[10] D. Maisner, E. Nart, Zeta functions of supersingular curves of genus 2, Canad. J. Math. 59 (2007), no. 2, 372–392.
[11] F. J. MacWilliams, N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland, Amsterdam (1977).
[12] K. Nyberg, Differentially uniform mappings for cryptography, Advances in Cryptology - EUROCRYPT '93 (Lofthus, 1993), Lecture Notes in Comput. Sci. 765, Springer, Berlin (1994), 55–64.
[13] F. Rodier, Sur la non-linéarité des fonctions booléennes, Acta Arithmetica 115 (2004), 1–22.
[14] F. Rodier, On the nonlinearity of Boolean functions, Proceedings of WCC2003, Workshop on Coding and Cryptography 2003 (D. Augot, P. Charpin, G. Kabatianski, eds.), INRIA (2003), 397–405.
[15] F. Rodier, Borne sur le degré des polynômes presque parfaitement non-linéaires, preprint, available on arXiv: math.AG/0605232, 2006.
[16] J.-P. Serre, Majorations de sommes exponentielles, Journées Arithmétiques de Caen (Univ. Caen, Caen, 1976), Astérisque 41–42, Soc. Math. France, Paris (1977), 111–126.
[17] H. Stichtenoth, Algebraic Function Fields and Codes, Springer, 1993.
[18] P. Stănică, Nonlinearity, local and global avalanche characteristics of balanced Boolean functions, Discrete Math. 248 (2002), no. 1–3, 181–193.
[19] G. van der Geer, M. van der Vlugt, Reed-Muller codes and supersingular curves. I, Compositio Math. 84 (1992), 333–367.
[20] G. van der Geer, M. van der Vlugt, Supersingular curves of genus 2 over finite fields of characteristic 2, Math. Nachr. 159 (1992), 73–81.
[21] X.-M. Zhang, Y. Zheng, GAC - the criterion for global avalanche characteristics of cryptographic functions, Journal of Universal Computer Science 1 (1995), no. 5, 316–333.

Université de Polynésie française, Tahiti
E-mail address: [email protected]

Institut de Mathématiques de Luminy – C.N.R.S., 163 avenue de Luminy, Case 907, Marseille Cedex 9, France
E-mail address: [email protected]


Contemporary Mathematics Volume 521, 2010

A Note on a Maximal Curve

Arnaldo Garcia and Henning Stichtenoth

Abstract. In this note we give a simple proof for the maximality of a curve over a finite field that was recently introduced by Abdon-Bezerra-Quoos. The main ingredient of our proof is a result of Frey-Rück.

1. Introduction

Let k be a finite field of square cardinality |k| = 2, with being some prime power. By definition, a k-maximal curve C is a (projective, non-singular and geometrically irreducible) curve defined over k such that its number |C(k)| of k-rational points attains the Hasse-Weil upper bound; i.e.,
$$(1.1)\qquad |C(k)| = |k| + 1 + 2g(C)\sqrt{|k|},$$
where g(C) denotes the genus of the curve C. In this note we will be concerned with the case where $= q^n$ and $n \ge 3$ is an odd integer. We fix the following notations:
• $n \ge 3$ is an odd integer,
• q is a power of a prime number p,
• k is the finite field with $q^{2n}$ elements,
• $N := (q^n + 1)/(q + 1)$.
Observe that N is an integer since n is odd. It is a result due to Abdon-Bezerra-Quoos [ABQ] that the following affine plane equation defines a k-maximal curve:
$$(1.2)\qquad Y^{q^2} - Y = Z^N.$$
We denote by $\chi$ the curve given by Eqn. (1.2). In [ABQ], the maximality of $\chi$ is proved by an explicit determination of the Z-coordinates of the k-rational points, which is in fact very technical and does not give any insight into why the curve is maximal. The maximality of $\chi$ was later used in [GGS] to prove that the two equations
$$(1.3)\qquad Y^{q^2} - Y = Z^N \qquad\text{and}\qquad X^q + X = Y^{q+1}$$
define an affine space curve whose non-singular projective model is k-maximal.

1991 Mathematics Subject Classification. MSC(2010): 11T06, 11G20, 14G15, 14H25. This paper was written while the first author visited Sabanci University in May 2009. His visit was supported by TÜBİTAK, Sabanci University and CNPq (Proc. 307569/2006-3).

© 2010 American Mathematical Society


The particular case $n = 3$ in Eqn. (1.3) is due to Giulietti-Korchmáros [GK]. For $q \neq 2$ these curves are particularly interesting since they provide the only examples of maximal curves for which it is known that they are not covered by the Hermitian curve over $k$. Maximal curves have the so-called subcover property; i.e., if we have a surjective covering $C_1 \to C_2$ defined over $k$ and $C_1$ is a $k$-maximal curve, then $C_2$ is also $k$-maximal (see [L]). The Hermitian curve is the best-known maximal curve over $k$, see [Sti, Lemma 6.4.4]; it can be defined by the affine plane equation

(1.4) $W^{q^n} - W = \alpha X^{q^n + 1}$ with $\alpha^{q^n - 1} = -1$.

Setting $Z_1 = X^{q+1}$ in Eqn. (1.4) (so that $X^{q^n+1} = Z_1^N$) and noting that the element $\alpha$ is an $N$-th power in the field $k$, it follows from the subcover property above that also the following equation gives a $k$-maximal curve:

(1.5) $W^{q^n} - W = Z^N$.

The aim of this note is to give a simple proof for the maximality of the curve $\chi$ in Eqn. (1.2). This will be done by comparing certain subcovers of the curve $\chi$ with some subcover of the curve defined by Eqn. (1.5); the latter one we already know to be maximal over $k$, again by the subcover property of maximal curves. The new ingredient of this simplification is a theorem due to Frey-Rück [FR] (see also the appendix of [DSV]) about relations between Zeta functions in Galois coverings of curves defined over finite fields. Our proof avoids the explicit determination of the $Z$-coordinates of the rational points in Eqn. (1.2). It would be nice to have a simplification of the proof of the maximality also for the curve in Eqn. (1.3) for $n \ge 5$ (see [G] for the Giulietti-Korchmáros case $n = 3$).

2. Proof of the Theorem

We start with a remark describing a specific quotient curve of the curve given by Eqn. (1.5).

Remark 2.1. Setting in Eqn. (1.5)

$w := W^{q^n/p} + W^{q^n/p^2} + \cdots + W^p + W$,

we get (since $w^p - w = W^{q^n} - W$) that the following equation

(2.1) $w^p - w = Z^N$

defines a $k$-maximal curve.

Now we present our proof of the theorem of Abdón-Bezerra-Quoos [ABQ].

Theorem 2.2. The curve $\chi$ which is defined by the equation
$Y^{q^2} - Y = Z^N$, $N = (q^n + 1)/(q + 1)$,
is maximal over the field $k$ of cardinality $q^{2n}$, with $n \ge 3$ odd.

Proof. Denote by $\mathbb{P}^1$ the projective line corresponding to the $Z$-coordinate. From the defining equation of the curve $\chi$ we see that $\chi$ covers $\mathbb{P}^1$ and that this covering is $p$-elementary abelian of degree $q^2$. We are going to show that all intermediate covers $C$,

$\chi \xrightarrow{\ \varphi\ } C \to \mathbb{P}^1$ with $\deg \varphi = p$,

are maximal curves over $k$. After having proved this assertion, the theorem follows immediately from [DSV, Cor. 6.7]. In Eqn. (1.2) we set, for $\beta \in \mathbb{F}_{q^2}^{\times}$,

$y := (\beta Y)^{q^2/p} + (\beta Y)^{q^2/p^2} + \cdots + (\beta Y)^p + \beta Y$,

and (using $\beta^{q^2} = \beta$) we get the following equation:

(2.2) $y^p - y = \beta\,(Y^{q^2} - Y) = \beta Z^N$.

As the element $\beta$ varies over $\mathbb{F}_{q^2}^{\times}$, the curves given by Eqn. (2.2) are exactly the intermediate curves $C$ mentioned above, see [GS1]. Since

$(q^2 - 1)$ divides $(q^n - 1)\cdot\dfrac{q^n + 1}{N} = (q^n - 1)(q + 1)$,

any $\beta \in \mathbb{F}_{q^2}^{\times}$ is in fact an $N$-th power in the field $k$ (the $N$-th powers form the subgroup of the cyclic group $k^{\times}$ of order $(q^{2n} - 1)/N = (q^n - 1)(q + 1)$, and $\mathbb{F}_{q^2}^{\times}$ is the subgroup of order $q^2 - 1$). Thus for each $\beta \in \mathbb{F}_{q^2}^{\times}$ the curve $C$ defined by Eqn. (2.2) is $k$-isomorphic to the curve given by Eqn. (2.1). Hence all such curves $C$ are $k$-maximal, which finishes the proof of the theorem. □

Remark 2.3. It has been shown that the curve over $\mathbb{F}_{3^6}$ given by $Y^9 - Y = X^7$ (which is the special case $q = n = 3$ of Eqn. (1.2)) is not Galois covered by the Hermitian curve over $\mathbb{F}_{3^6}$, see [GS2]. It seems plausible that this assertion holds for all curves in Eqn. (1.2) with $q \neq 2$. In the case $q = 2$ it is Galois covered, see [ABQ]. A surprising fact is that both the Hermitian curves and the curves $\chi$ from Eqn. (1.2) are fibre products over $\mathbb{P}^1$ of curves which are isomorphic to the one defined by Eqn. (2.1).

Remark 2.4. Using the curve (1.3), one can construct other curves with many rational points as follows. Denote by $\varphi(X)$ the polynomial

(2.3) $\varphi(X) := X^{q^3} + X - (X^q + X)^{(q^3+1)/(q+1)} = (X^q + X)\cdot\left(\dfrac{X^{q^2} - X}{X^q + X}\right)^{q+1}$.

Then the maximal curve over $k = \mathbb{F}_{q^{2n}}$ defined by Eqn. (1.3) can also be given by the equation

(2.4) $Z^{q^n + 1} = \varphi(X)$.

The high inseparability of $\varphi(X)$ in Eqn. (2.3) is the key point in showing that the genus $\gamma$ of the curve given by Eqn. (2.4) is small; we have that

(2.5) $2\gamma = (q - 1)\cdot(q^{n+1} + q^n - q^2)$.

From the maximality of this curve we get

(2.6) $\#\{x \in \mathbb{F}_{q^{2n}} \mid \varphi(x) \in \mathbb{F}_{q^n}\} = q^{n+2} - q^3 + q^2$.

Now we define another curve $C$ over $k$ by

(2.7) $Z^{q^n} + Z = \varphi(X)$.

The genus and number of rational points of $C$ are given by

(2.8) $2g(C) = (q^n - 1)(q^3 - q^2)$ and $|C(k)| = (q^{n+2} - q^3 + q^2)\cdot q^n + 1$,

where the last equality above follows from Eqn. (2.6), because the map $Z \mapsto Z^{q^n} + Z$ is the trace from $k$ to $\mathbb{F}_{q^n}$, so each $x$ with $\varphi(x) \in \mathbb{F}_{q^n}$ gives exactly $q^n$ affine points. One should also compare the genera in Eqn. (2.5) and Eqn. (2.8). The curve $C$ is particularly interesting for $q = 2$; in this case one has

(2.9) $2g(C) = 4\cdot 2^n - 4$ and $|C(k)| = 4\cdot 2^{2n} - 4\cdot 2^n + 1$.

Note that a maximal curve over $k$ with the genus as in Eqn. (2.9) (if such a curve exists) would have $5\cdot 2^{2n} - 4\cdot 2^n + 1$ $k$-rational points.
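A numerical check of the statements above for $q = 2$, as an added example (my code, not the note's). It builds $\mathbb{F}_{2^{2n}}$ for itself, counts the $k$-rational points of $\chi$ in Eqn. (1.2) and of the quotient curve (2.1), evaluates the count (2.6), and counts the affine points of the curve (2.7). Two facts used below that the note does not spell out: $Y^4 - Y = Z^N$ and $w^2 - w = Z^N$ are Artin-Schreier curves with $\gcd(N, 2) = 1$, so each has a single place at infinity and genus $3(N-1)/2$ resp. $(N-1)/2$; and the additive maps $Y \mapsto Y^4 + Y$, $w \mapsto w^2 + w$, $Z \mapsto Z^{2^n} + Z$ have fibres of constant size over their image, so point counts reduce to tabulating those fibres. The function names are mine.

```python
"""Point counts over k = F_{2^(2n)} for the curves of this note with q = 2 (added example, not code
from the note).  Field elements are ints, bit i = coefficient of t^i, reduced modulo an irreducible
polynomial f of degree 2n over F_2 that the code finds itself, so no table of polynomials is assumed."""
from collections import Counter


def gf2_gcd(a, b):
    """gcd of polynomials over F_2 given as ints."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a


def gf_mul(a, b, f, m):
    """a * b in F_2[t] / (f), deg f = m: carry-less multiply with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m & 1:
            a ^= f
    return r


def gf_pow(a, e, f, m):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, f, m)
        a = gf_mul(a, a, f, m)
        e >>= 1
    return r


def is_irreducible(f, m):
    """f of degree m has no factor of degree i <= m/2 iff gcd(t^(2^i) - t, f) = 1 for those i."""
    tp = 2                                        # the polynomial t
    for _ in range(m // 2):
        tp = gf_mul(tp, tp, f, m)                 # t^(2^i) mod f
        if gf2_gcd(tp ^ 2, f) != 1:
            return False
    return True


def find_irreducible(m):
    """Smallest f = t^m + ... + 1 that is irreducible over F_2."""
    return next(f for f in range(1 << m | 1, 1 << (m + 1), 2) if is_irreducible(f, m))


def hasse_weil_max(m, g):
    """Right-hand side of (1.1) for |k| = 2^m, m even."""
    return 2**m + 1 + 2 * g * 2**(m // 2)


def count_points(n):
    """q = 2, n odd, k = F_{2^(2n)}, N = (2^n + 1)/3.  Returns
    |chi(k)| for chi: Y^4 + Y = Z^N (Theorem 2.2; one place at infinity added),
    the point count of the quotient curve (2.1): w^2 + w = Z^N (likewise),
    #{x in k : phi(x) in F_{2^n}} as in (2.6) with phi(X) = X^8 + X + (X^2 + X)^3 from (2.3),
    and the number of affine points of (2.7): Z^(2^n) + Z = phi(X)."""
    assert n % 2 == 1
    m, N = 2 * n, (2**n + 1) // 3
    f = find_irreducible(m)
    mul = lambda a, b: gf_mul(a, b, f, m)
    pw = lambda a, e: gf_pow(a, e, f, m)
    k = range(1 << m)
    fib4 = Counter(pw(y, 4) ^ y for y in k)       # fibre sizes of Y -> Y^4 + Y
    fib2 = Counter(mul(w, w) ^ w for w in k)      # fibre sizes of w -> w^2 + w
    fibtr = Counter(pw(z, 2**n) ^ z for z in k)   # Z -> Z^(2^n) + Z, the trace to F_{2^n}
    chi = sum(fib4[pw(z, N)] for z in k) + 1
    quot = sum(fib2[pw(z, N)] for z in k) + 1
    phi = [pw(x, 8) ^ x ^ pw(mul(x, x) ^ x, 3) for x in k]
    in_subfield = sum(1 for v in phi if pw(v, 2**n) == v)
    affine_2_7 = sum(fibtr[v] for v in phi)
    return chi, quot, in_subfield, affine_2_7


if __name__ == "__main__":
    for n in (3, 5):
        chi, quot, cnt, aff = count_points(n)
        N = (2**n + 1) // 3
        print(f"n={n}: |chi(k)|={chi} (bound {hasse_weil_max(2 * n, 3 * (N - 1) // 2)}), "
              f"(2.1): {quot} (bound {hasse_weil_max(2 * n, (N - 1) // 2)}), "
              f"(2.6): {cnt}, affine points of (2.7): {aff}")
```

For $n = 3$ this gives $k = \mathbb{F}_{64}$, $N = 3$: $\chi$ has genus 3 and 113 points, the quotient $w^2 + w = Z^3$ has genus 1 and 81 points, both attaining (1.1); the count (2.6) is 28 and (2.7) has $28\cdot 8 = 224$ affine points, in agreement with (2.8) and (2.9).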

References

[ABQ] M. Abdón, J. Bezerra and L. Quoos, Further examples of maximal curves, Journal of Pure and Applied Algebra 213 (2009), 1192–1196.
[DSV] I. Duursma, H. Stichtenoth and C. Voss, Generalized Hamming weights for duals of BCH codes, and maximal algebraic function fields, in Arithmetic, Geometry and Coding Theory, R. Pellikaan, M. Perret and S.G. Vladut (Eds.), de Gruyter, Berlin–New York (1996), 53–65.
[FR] G. Frey and H.-G. Rück, The strong Lefschetz principle in algebraic geometry, Manuscr. Math. 55 (1986), 385–401.
[G] A. Garcia, A note on the Giulietti-Korchmáros maximal curve, to appear in Proceedings of AGCT-11 (held at CIRM, Marseille, Nov. 2007).
[GGS] A. Garcia, C. Güneri and H. Stichtenoth, A generalization of the Giulietti-Korchmáros maximal curve, to appear in Adv. Geom.
[GS1] A. Garcia and H. Stichtenoth, Elementary abelian p-extensions of algebraic function fields, Manuscr. Math. 72 (1991), 67–79.
[GS2] A. Garcia and H. Stichtenoth, A maximal curve which is not a Galois subcover of the Hermitian curve, Bull. Braz. Math. Soc. 37 (2006), 139–152.
[GK] M. Giulietti and G. Korchmáros, A new family of maximal curves over a finite field, Math. Ann. 343 (2009), 229–245.
[L] G. Lachaud, Sommes d'Eisenstein et nombre de points de certaines courbes algébriques sur les corps finis, C. R. Acad. Sci. Paris 305 (1987), 729–732.
[Sti] H. Stichtenoth, Algebraic function fields and codes, 2nd Edition, Graduate Texts in Mathematics 254, Springer Verlag, 2009.

IMPA, Estrada Dona Castorina 110, 22460-320, Rio de Janeiro, Brazil. E-mail address: [email protected]
Sabanci University, 34956 Istanbul, Turkey. E-mail address: [email protected]

Contemporary Mathematics Volume 521, 2010

Computing Humbert Surfaces and Applications

David Gruenewald

Abstract. We describe an algorithm which computes components of Humbert surfaces in terms of Rosenhain invariants, based on Runge's method [16]. We demonstrate how Humbert equations can be used to improve the Eisenträger-Lauter algorithm [6] to compute the endomorphism ring of a genus 2 Jacobian, as well as improve aspects of the CRT method to compute Igusa class polynomials.

Introduction In recent times, attention has been focused on improving algorithms related to hyperelliptic curves over finite fields. To construct hyperelliptic curves suitable for use in public key cryptography, it is necessary to determine the zeta function of the curve, or equivalently, the endomorphism algebra of its Jacobian. Thus determining explicit models for moduli spaces for principally polarized abelian varieties with prescribed endomorphism ring is not only of mathematical interest but an important problem with practical applications. In this article we describe an algorithm for computing equations of Humbert surfaces — moduli spaces for principally polarized abelian surfaces (p.p.a.s) pos- sessing real multiplication by a real quadratic order. The approach taken is to use Fourier expansions of modular forms with some level structure and apply Runge’s method [16] to find relations among them. We then present two applications for Humbert surface equations. The fact that every quartic CM-field contains a real quadratic field means that a CM-point can be identified as a point on a Humbert surface. This is used to great effect in both speeding up endomorphism ring computations for genus 2 Jacobians over finite fields and speeding up the CRT method for computing Igusa class polynomials. Most of the equations of Humbert components we produce are too large to include in this article. For convenience we have made this data accessible online [9]. Acknowledgements. I would like to thank David Kohel for his supervision of my doctoral thesis of which this forms a part, and to the anonymous referee for providing helpful suggestions.

2010 Mathematics Subject Classification. Primary 11G15. Supported by an APA scholarship at the University of Sydney.



1. Preliminaries To begin, we describe the moduli space of principally polarized abelian surfaces (p.p.a.s) over the complex numbers. For general properties of complex abelian varieties we refer the reader to [2].

1.1. The Siegel modular threefold. Denote by $\mathcal{H}_2$ the Siegel upper half plane of degree 2, which by definition is the set of 2 by 2 symmetric matrices over $\mathbb{C}$ whose imaginary part is positive definite:

$\mathcal{H}_2 = \{\tau \in \mathrm{Mat}_{2\times 2}(\mathbb{C}) \mid {}^t\tau = \tau,\ \mathrm{Im}(\tau) > 0\}$.

Each $\tau \in \mathcal{H}_2$ corresponds to a principally polarized complex abelian surface $A_\tau$ with period matrix $(\tau\ I_2) \in \mathrm{Mat}_{2\times 4}(\mathbb{C})$. Two abelian surfaces $A_\tau$ and $A_{\tau'}$ are isomorphic if and only if there is a symplectic matrix $M = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{Sp}_4(\mathbb{Z})$ such that $\tau' = M(\tau) := (a\tau + b)(c\tau + d)^{-1}$. Quotienting out by this action, we obtain the moduli space $\mathcal{A}_2 = \mathrm{Sp}_4(\mathbb{Z})\backslash\mathcal{H}_2$ of isomorphism classes of principally polarized abelian surfaces. It is a quasi-projective variety of dimension 3 and is called the Siegel modular threefold. The sets of abelian surfaces having the same endomorphism ring form subvarieties of $\mathcal{A}_2$. Let $A$ be a principally polarized abelian surface. Then $\mathrm{End}(A)$ is an order in $\mathrm{End}(A)\otimes\mathbb{Q}$, which is isomorphic to either a quartic CM field, an indefinite quaternion algebra, a real quadratic field or, in the generic case, $\mathbb{Q}$. The irreducible components of the corresponding moduli spaces in $\mathcal{A}_2$ which have "extra endomorphisms" have dimensions 0, 1, 2 and are known as CM points, Shimura curves and Humbert surfaces respectively.

1.2. Humbert surfaces. Humbert [13] showed that for each positive discriminant $\Delta$ there is a unique irreducible Humbert surface $H_\Delta$ in $\mathcal{A}_2$, and any matrix $\begin{pmatrix} \tau_1 & \tau_2 \\ \tau_2 & \tau_3 \end{pmatrix} \in \mathcal{H}_2$ satisfying the equation

(∗) $k\tau_1 + \varepsilon\tau_2 - \tau_3 = 0$

lies on the Humbert surface $H_\Delta$ of discriminant $\Delta = 4k + \varepsilon > 0$. For a modern account of Humbert's work the reader is referred to [3, §4]. The function field of $\mathcal{A}_2$ is rational, generated by three algebraically independent Siegel modular functions $j_1, j_2, j_3$ for $\mathrm{Sp}_4(\mathbb{Z})$ called (absolute) Igusa invariants [4, p. 3]. Hence there is an irreducible polynomial $H_\Delta(j_1, j_2, j_3)$ whose zero set is the Humbert surface of discriminant $\Delta$. Unfortunately, working with Igusa invariants directly is impractical due to the large degrees and coefficients of the polynomial. One fares better by working in a finite cover of the moduli space, adding some level structure. Runge [16] constructed an algorithm to compute Humbert components in the cover $\Gamma^*(2,4)\backslash\mathcal{H}_2$ using theta functions and their Fourier expansions. Our objective is to extend this to other models; in particular to $\mathcal{A}_2(2)$, the Siegel modular threefold with level 2 structure, using Rosenhain invariants.

2. Level 2 structure

Let $\mathcal{M}_2$ denote the moduli space of genus 2 curves. Torelli's theorem [2, Theorem 11.1.7] says that the map sending a curve $C$ to its Jacobian $\mathrm{Jac}(C)$ is injective and defines a birational map $\mathcal{M}_2 \to \mathcal{A}_2$. In fact, the image of the Torelli map is precisely the complement of the Humbert surface $H_1$ in $\mathcal{A}_2$ (see [2, Corollary 11.8.2(a)]). Given a genus 2 curve $y^2 = \prod_{i=1}^{6}(x - u_i)$ over the complex numbers, we can send three of the $u_i$ to $0, 1, \infty$ via a fractional linear transformation to get an isomorphic curve with a Rosenhain model:

$y^2 = x(x-1)(x-\lambda_1)(x-\lambda_2)(x-\lambda_3)$.

The $\lambda_i$ are called Rosenhain invariants. The ordered tuple $(0, 1, \infty, \lambda_1, \lambda_2, \lambda_3)$ determines an ordering of the Weierstrass points and a level 2 structure on the corresponding Jacobian, that is, determines a point of $\mathcal{A}_2(2)$. Let $\mathcal{M}_2(2)$ denote the moduli space of genus 2 curves together with a full level 2 structure. The points of $\mathcal{M}_2(2)$ are given by triples $(\lambda_1, \lambda_2, \lambda_3)$ where the $\lambda_i$ are all distinct and different from 0 and 1. The forgetful morphism $\mathcal{M}_2(2) \to \mathcal{M}_2$ is a Galois covering of degree $720 = |S_6|$, where $S_6$ acts on the Weierstrass 6-tuple by permutations, followed by renormalising the first three coordinates to $(0, 1, \infty)$. As functions on $\mathcal{M}_2(2)$, the Rosenhain invariants generate the coordinate ring of $\mathcal{M}_2(2)$ and hence generate the function field of $\mathcal{A}_2(2)$.

3. Theta constants and Rosenhain invariants

Let $\tau \in \mathcal{H}_2$ and write $m = (a, b)$ and $m' = (c, d)$. The classical theta constants (of half integral characteristic) are defined by

$\theta_{abcd}(\tau) = \sum_{x \in \mathbb{Z}^2} \exp\!\Big(2\pi i\Big[\tfrac12\big(x + \tfrac{m}{2}\big)\cdot\tau\cdot{}^t\big(x + \tfrac{m}{2}\big) + \big(x + \tfrac{m}{2}\big)\cdot{}^t\big(\tfrac{m'}{2}\big)\Big]\Big)$

where $a, b, c, d$ are either 0 or 1. As functions of $\tau \in \mathcal{A}_2$ there are 720 different Rosenhain invariant triples, any of which may be used. By Thomae's formula [15, Ch. 8] we can express each of these in terms of theta functions. Write

$\vartheta_1 = \theta_{0000}(\tau)$, $\vartheta_2 = \theta_{0011}(\tau)$, $\vartheta_3 = \theta_{0010}(\tau)$, $\vartheta_4 = \theta_{0001}(\tau)$, $\vartheta_8 = \theta_{1100}(\tau)$, $\vartheta_{10} = \theta_{1111}(\tau)$;

then

$e_1 = \dfrac{\vartheta_1^2\vartheta_3^2}{\vartheta_2^2\vartheta_4^2},\qquad e_2 = \dfrac{\vartheta_3^2\vartheta_8^2}{\vartheta_4^2\vartheta_{10}^2},\qquad e_3 = \dfrac{\vartheta_1^2\vartheta_8^2}{\vartheta_2^2\vartheta_{10}^2}$

defines a Rosenhain triple (cf. Gaudry [8, §7.5]).

4. Fourier series expansions We now describe the Fourier expansion of even theta constants restricted to a Humbert surface of discriminant Δ ≡ 0 or 1 mod 4, adapted from ideas in Runge’s paper [16].


Write $\Delta = 4k + \varepsilon$ where $\varepsilon$ is either 0 or 1, hence the pair $(k, \varepsilon)$ is uniquely determined. From equation (∗) the Humbert surface of discriminant $\Delta$ can be defined by the set

$H_\Delta = \left\{\begin{pmatrix} \tau_1 & \tau_2 \\ \tau_2 & k\tau_1 + \varepsilon\tau_2 \end{pmatrix} \in \mathcal{H}_2\right\}$

modulo the usual $\mathrm{Sp}_4(\mathbb{Z})$ equivalence relation. Restrict $\theta_{abcd}$ to $H_\Delta$ to get

$\theta_{abcd}(\tau) = \sum_{(x_1, x_2) \in \mathbb{Z}^2} e^{\pi i (x_1 c + x_2 d)}\; r^{(2x_1 + a)^2 + k(2x_2 + b)^2}\; q^{2(2x_1 + a)(2x_2 + b) + \varepsilon(2x_2 + b)^2}$

where $r = e^{2\pi i \tau_1/8}$ and $q = e^{2\pi i \tau_2/8}$. Unfortunately the exponent of $q$ can be negative. To overcome this difficulty, make the invertible substitution $r = pq$ to produce the expansion

$\sum_{(x_1, x_2) \in \mathbb{Z}^2} (-1)^{x_1 c + x_2 d}\; p^{(2x_1 + a)^2 + k(2x_2 + b)^2}\; q^{(2x_1 + a + 2x_2 + b)^2 + (k + \varepsilon - 1)(2x_2 + b)^2}$

which is computationally more favourable, being an element of $\mathbb{Z}[[p, q]]$ which we call the Fourier expansion of $\theta_{abcd}$ restricted to $H_\Delta$. Addition and multiplication of restricted Fourier expansions are just the usual addition and multiplication operations in $\mathbb{Z}[[p, q]]$. To compute the expansions of Rosenhain invariants we need to know how to invert elements of $\mathbb{Q}[[p, q]]$ where possible. It is a well known fact about power series rings that $f(p, q) \in \mathbb{Q}[[p, q]]$ is a unit if and only if $f(0, 0) \neq 0$, where the inverse is given by the geometric series

$f(0,0)^{-1}\sum_{n \ge 0}\Big(1 - \dfrac{f(p, q)}{f(0, 0)}\Big)^n$.

An implementation on a computer uses truncated Fourier expansions, where arithmetic is done in $\mathbb{Q}[[p, q]]/(p^N, q^N)$ for some positive $N$. The truncated expansion of $f^{-1}$ can be rapidly computed using $\log_2(N)$ iterations of Newton's method. From the expansions we observe that $\vartheta_1, \vartheta_2, \vartheta_3, \vartheta_4$ have constant term 1, hence are invertible, but $\vartheta_8 = 2p^{1+k}q^{k+\varepsilon-1} + \ldots$ and $\vartheta_{10} = -2p^{1+k}q^{k+\varepsilon-1} + \ldots$ have zero constant term. Fortunately one can show that $\vartheta_8$ and $\vartheta_{10}$ are in the ideal $(p^{1+k}q^{k+\varepsilon-1})\mathbb{Z}[[p, q]]$, hence by cancelling out the $p^{1+k}q^{k+\varepsilon-1}$ factors, the quotient $\vartheta_8/\vartheta_{10}$ makes sense in $\mathbb{Z}[[p, q]]$. Thus we are able to compute the Rosenhain invariants $\lambda_1, \lambda_2, \lambda_3$ as Fourier expansions restricted to a Humbert surface.

5. The algorithm

We describe an algorithm to find the equation of an irreducible component of $H_\Delta$ in a finite cover of $\mathcal{A}_2$, thus generalising Runge's method to different covering spaces. We shall then apply this to $\mathcal{A}_2(2)$ using Rosenhain invariants as coordinate functions.

Algorithm 5.1. Let $\phi: \mathcal{A} \to \mathcal{A}_2$ be a finite cover of $\mathcal{A}_2$. Then the preimage $\phi^{-1}(H_\Delta)$ is a union of Humbert components $H_\Delta^{(i)}$. Given functions $\{f_i(\tau)\}_{i=1,\ldots,n}$ generating the function field of $\mathcal{A}$, compute $H_\Delta^{(i)}(f_1, \ldots, f_n)$ as follows:
(1) Calculate the degree of the Humbert components $H_\Delta^{(i)}$ (given by a predetermined formula derived from Theorem 5.1 below).
(2) Compute power series representations of the $f_i(\tau)$ restricted to $H_\Delta \subset \mathcal{H}_2$.
(3) Solve $H_\Delta^{(i)}(f_1, \ldots, f_n) = 0$ in the power series ring (truncated series with large precision) using linear algebra.
In addition, if $\phi$ is a Galois cover and we understand the action of the Galois group explicitly, then we can compute all the $H_\Delta^{(i)}$ from the Galois orbit of one component.

5.1. Degree formula. Much arithmetic-geometric information is known regarding Humbert surfaces, and more generally Hilbert modular surfaces (see [12], [17]). We shall state a famous result of van der Geer, from which the degree of any Humbert surface component in any finite cover can be derived. But first we need to introduce some notation. Define $G_\Delta$ to be the (level 1) Humbert surface divisor

$G_\Delta = \sum_{x \ge 1,\ x^2 \mid \Delta} v(\Delta/x^2)\, H_{\Delta/x^2}$

where

$v(\Delta) = \begin{cases} \tfrac12 & \text{if } \Delta = 1 \text{ or } 4, \\ 1 & \text{otherwise.} \end{cases}$¹

Let $H_2(z)$ be the elliptic modular form of weight $5/2$ for the group $\Gamma_0(4)$ as defined in Cohen [5, §3]. For $\Delta \equiv 0, 1 \pmod 4$ define $a_\Delta$ to be the coefficient of $(e^{2\pi i z})^\Delta$ in the Fourier expansion of $120\,H_2(z)$. Below is a table listing the first few values of $a_\Delta$:

Δ   | 1  | 4  | 5  | 8   | 9   | 12  | 13  | 16  | 17  | 20  | 21  | 24
a_Δ | 10 | 70 | 48 | 120 | 250 | 240 | 240 | 550 | 480 | 528 | 480 | 720

Table 1. First few values of $a_\Delta$.

These numbers have an elementary description [5, Proposition 4.1] due to a formula of Siegel,

$a_\Delta = 24\sum_{x \in \mathbb{Z}} \sigma_1\!\Big(\dfrac{\Delta - x^2}{4}\Big) + \begin{cases} 12\Delta - 2 & \text{if } \Delta \text{ is a square,} \\ 0 & \text{otherwise,} \end{cases}$

where $\sigma_1(n) = \sum_{d \mid n} d$ is the sum of positive divisors function (only those $x$ for which $(\Delta - x^2)/4$ is a positive integer contribute to the sum). We can now state the theorem of van der Geer.

Theorem 5.1 ([12, Theorem 8.10]). The Humbert surface divisor $G_\Delta$ is the zero divisor of a level 1 Siegel modular form of weight $\deg(G_\Delta) = \tfrac12 a_\Delta$. In particular, we have

$\sum_{x \ge 1,\ x^2 \mid \Delta} v(\Delta/x^2)\,\deg(H_{\Delta/x^2}) = \tfrac12 a_\Delta$.

The Humbert surface $H_\Delta$ is the zero divisor of a Siegel modular form; its weight can be determined by computing the degree of $H_\Delta$ recursively using the theorem above.

¹ $1/v(\Delta)$ is the order of the isotropy subgroup of $H_\Delta$ in $\mathrm{Sp}_4(\mathbb{Z})\backslash\mathcal{H}_2$.


5.1.1. Degrees in $\mathcal{A}_2(2)$. The natural map $\phi: \mathcal{A}_2(2) \to \mathcal{A}_2$ is a finite Galois cover (with Galois group $S_6$), hence all Humbert components in $\phi^{-1}(H_\Delta) \subset \mathcal{A}_2(2)$ are hypersurfaces of the same degree. The number of Humbert components $m(\Delta)$ in the Satake compactification $\mathcal{A}_2^*(2)$ of $\mathcal{A}_2(2)$ has been determined by Besser [1]:

$m(\Delta) = \begin{cases} 10 & \text{if } \Delta \equiv 1 \pmod 8, \\ 15 & \text{if } \Delta \equiv 0 \pmod 4, \\ 6 & \text{if } \Delta \equiv 5 \pmod 8. \end{cases}$

With this information, the degree of an irreducible polynomial $F^*_{\Delta,i}$ defining a Humbert component in $\mathcal{A}_2^*(2)$ is given by the recursive formula²

$a_\Delta = \sum_{x > 0,\ x^2 \mid \Delta} m(\Delta/x^2)\,\deg(F^*_{\Delta/x^2,\,i})$.

This provides an upper bound on the degree of the polynomials $F_{\Delta,i}(e_1, e_2, e_3)$. From computational evidence it appears that $\deg F^*_\Delta = \deg F_\Delta$ for nonsquare discriminants $\Delta$ and that $\deg F_{n^2} = (1 - \tfrac1n)\deg F^*_{n^2}$ for all $n$.

Δ              | 1 | 4 | 5 | 8 | 9  | 12 | 13 | 16 | 17 | 20 | 21 | 24
deg(F*_{Δ,i})  | 1 | 4 | 8 | 8 | 24 | 16 | 40 | 32 | 48 | 32 | 80 | 48

Table 2. Table of degrees

5.2. Algebraic relations and optimizations. From the previous sections we can write down Rosenhain invariants $e_1, e_2, e_3$ represented as truncated power series. We know the degree of the relation we are searching for. To find an algebraic relation of degree $d$, compute all monomials in $e_1, e_2, e_3$ of degree at most $d$ and use linear algebra to find linear dependencies between the monomials. We now illustrate our algorithm by computing a Humbert component of $H_5$.

Example 5.2. ($\Delta = 5$). The Fourier expansions of the Rosenhain invariants restricted to $H_5$ begin with the terms

$e_1 = 1 + 16p^4q^8 + O(p^{12}q^{12})$,
$e_2 = 1 + 4q^4 + 8q^8 - 8p^4q^4 - 24p^4q^8 + 4p^8q^4 + 48p^8q^8 + O(p^{12}q^{12})$,
$e_3 = 1 + 4q^4 + 8q^8 + 8p^4q^4 + 40p^4q^8 + 4p^8q^4 + 48p^8q^8 + O(p^{12}q^{12})$.

From the degree formula, the defining polynomial has degree 8. Using power series with precision 65, we compute the Humbert polynomial:

2 2 − 2 3 2 4 3 − 4 − 2 − 2 2 2 3 3 e2e3 2e2e3 + e2e3 +2e1e2e3 2e1e2e3 2e1e2e3 2e1e2e3 +4e1e2e3 +2e1e2e3 − 3 3 2 4 − 2 3 2 2 2 2 − 2 2 2 − 2 3 − 2 3 2e1e2e3 + e1e3 2e1e2e3 + e1e2 +4e1e2e3 4e1e2e3 2e1e2 2e1e2e3 2 3 2 2 4 − 2 4 2 4 2 − 3 3 − 3 3 2 3 3 +4e1e2e3 + e1e2 2e1e2e3 + e1e2e3 2e1e3 2e1e2e3 +4e1e2e3 +2e1e2e3 − 3 2 2 3 3 − 3 3 2 4 2 − 4 2 4 2 2 2e1e2e3 +2e1e2e3 2e1e2e3 + e1e3 2e1e2e3 + e1e2e3.

Once one component has been determined, the others can easily be found by looking at the Rosenhain $S_6$-orbit of a component.
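The computation of Sections 4 and 5, from the restricted theta expansions through the Rosenhain invariants of Section 3 to the kernel step (3) of Algorithm 5.1, as a runnable example added here (my own code and function names, not the author's implementation). Two choices go beyond the text: the series are stored in the variables $P = p^4$ and $Q = q^4$, since every exponent that occurs is a multiple of 4 once the leading monomial of $\vartheta_8$ and $\vartheta_{10}$ is cancelled (the same fact behind the $(N/4)^2$ column count in the runtime analysis below), and the kernel is found modulo a word-size prime, after which each lifted integer relation is re-verified exactly over $\mathbb{Z}$. With $\Delta = 5$ and $N = 3$ (i.e. modulo $(p^{12}, q^{12})$) it reproduces the three expansions of Example 5.2; with $N = 17$, i.e. precision 65 in $p$ and $q$, it returns the degree-8 Humbert polynomial; for $\Delta = 1$ it returns a basis of the degree-1 relations of Example 5.3.

```python
"""Rosenhain invariants restricted to a Humbert surface H_Delta as truncated Fourier expansions
(Section 4) and the relation search of Algorithm 5.1.  Added example, not the article's code.
Series live in Z[[P, Q]] with P = p^4, Q = q^4 (every exponent is a multiple of 4 once the
leading monomial of theta_1100, theta_1111 is divided out), truncated mod (P^N, Q^N).  Python 3.8+."""
from functools import reduce
from math import gcd, isqrt

def theta_series(a, b, c, d, k, eps, N):
    """theta_abcd on H_Delta (Delta = 4k + eps) after r = pq: s[i][j] = coefficient of P^i Q^j.
    Term of x = (x1, x2): (-1)^(x1 c + x2 d) p^A q^B, A = (2x1+a)^2 + k(2x2+b)^2,
    B = (2x1+a+2x2+b)^2 + (k+eps-1)(2x2+b)^2; for (a, b) = (1, 1) p^(1+k) q^(k+eps-1) and +-2 are divided out."""
    assert (a, b) in ((0, 0), (1, 1))
    offA, offB = (1 + k, k + eps - 1) if a else (0, 0)
    s = [[0] * N for _ in range(N)]
    R = 2 * isqrt(4 * N + max(offA, offB)) + 2            # every contributing x lies in [-R, R]^2
    for x1 in range(-R, R + 1):
        for x2 in range(-R, R + 1):
            u, v = 2 * x1 + a, 2 * x2 + b
            A = u * u + k * v * v - offA
            B = (u + v) ** 2 + (k + eps - 1) * v * v - offB
            if 0 <= A < 4 * N and 0 <= B < 4 * N:
                assert A % 4 == 0 and B % 4 == 0
                s[A // 4][B // 4] += -1 if (x1 * c + x2 * d) % 2 else 1
    # constant term is 1, or +-2: x and (-1-x1, -1-x2) give equal terms, so odd thetas are even
    assert all(x % s[0][0] == 0 for row in s for x in row)
    return [[x // s[0][0] for x in row] for row in s]

def s_mul(f, g, N):                                       # product in Z[[P, Q]] mod (P^N, Q^N)
    h = [[0] * N for _ in range(N)]
    for i1 in range(N):
        for j1 in range(N):
            c = f[i1][j1]
            if c:
                for i2 in range(N - i1):
                    hrow, grow = h[i1 + i2], g[i2]
                    for j2 in range(N - j1):
                        hrow[j1 + j2] += c * grow[j2]
    return h

def s_inv(f, N):                                          # inverse of a unit with constant term +-1
    assert f[0][0] in (1, -1)
    g = [[f[0][0] if i == j == 0 else 0 for j in range(N)] for i in range(N)]
    for _ in range((2 * N).bit_length()):                  # Newton: g <- g(2 - f g); 2^steps > 2N - 2
        t = [[-x for x in row] for row in s_mul(f, g, N)]
        t[0][0] += 2
        g = s_mul(g, t, N)
    return g

def rosenhain_expansions(Delta, N):
    """e1, e2, e3 of Section 3 on H_Delta; the factors divided out of theta_1100/theta_1111 cancel."""
    k, eps = divmod(Delta, 4)
    th = lambda a, b, c, d: theta_series(a, b, c, d, k, eps, N)
    t1, t2, t3, t4 = th(0, 0, 0, 0), th(0, 0, 1, 1), th(0, 0, 1, 0), th(0, 0, 0, 1)
    t8, t10 = th(1, 1, 0, 0), th(1, 1, 1, 1)
    def ratio(n1, n2, d1, d2):                            # (n1 n2)^2 / (d1 d2)^2
        num, den = s_mul(n1, n2, N), s_mul(d1, d2, N)
        return s_mul(s_mul(num, num, N), s_inv(s_mul(den, den, N), N), N)
    return ratio(t1, t3, t2, t4), ratio(t3, t8, t4, t10), ratio(t1, t8, t2, t10)

def nullspace_mod(rows, ncols, p):                        # basis of {v : rows . v = 0 mod p}
    rows, pivots = [r[:] for r in rows], []
    for col in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col], -1, p)
        prow = rows[r] = [x * inv % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and (f := rows[i][col]):
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], prow)]
        pivots.append(col)
    basis = []
    for fc in (c for c in range(ncols) if c not in pivots):   # one vector per free column
        v = [int(c == fc) for c in range(ncols)]
        for i, pc in enumerate(pivots):
            v[pc] = -rows[i][fc] % p
        basis.append(v)
    return basis

def find_relations(Delta, degree, N, p=2**31 - 1):
    """Algorithm 5.1 step 3: primitive integer polynomials h(e1, e2, e3), deg h <= degree, with
    h = 0 mod (P^N, Q^N), as dicts {(a, b, c): coeff}.  The kernel is found mod p; each basis
    vector is rescaled, lifted to small integers and re-checked exactly over Z."""
    e1, e2, e3 = rosenhain_expansions(Delta, N)
    monos = [(a, b, c) for a in range(degree + 1)
             for b in range(degree + 1 - a) for c in range(degree + 1 - a - b)]
    ser = {(0, 0, 0): [[int(i == j == 0) for j in range(N)] for i in range(N)]}
    for a, b, c in monos[1:]:                             # one product per monomial e1^a e2^b e3^c
        prev, fac = ((a, b, c - 1), e3) if c else ((a, b - 1, 0), e2) if b else ((a - 1, 0, 0), e1)
        ser[a, b, c] = s_mul(ser[prev], fac, N)
    flat = {m: [x for row in ser[m] for x in row] for m in monos}
    cond = [[flat[m][t] % p for m in monos] for t in range(N * N)]  # one equation per P^i Q^j
    found = []
    for v in nullspace_mod(cond, len(monos), p):
        for t in range(1, 257):            # undo the mod-p scaling that put a 1 on the free monomial
            w = [x - p if x > p // 2 else x for x in ((t * y) % p for y in v)]
            if max(map(abs, w)) < 10**6 and all(
                    sum(w[r] * flat[m][j] for r, m in enumerate(monos)) == 0 for j in range(N * N)):
                g = reduce(gcd, w) * (-1 if next(x for x in w if x) < 0 else 1)
                found.append({m: x // g for m, x in zip(monos, w) if x})
                break
    return found
```

`rosenhain_expansions(5, 3)` returns the $3\times 3$ coefficient arrays of $e_1, e_2, e_3$ in $P^iQ^j$, i.e. the expansions of Example 5.2; `find_relations(5, 8, 17)` takes a few seconds in pure Python and returns a single dictionary mapping exponent triples $(a, b, c)$ of $e_1^a e_2^b e_3^c$ to integer coefficients, normalised to be primitive with positive leading coefficient, which can be compared with the Humbert polynomial printed above.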

² By working with the polynomial degree rather than the component degree, we avoid the annoyance of $H_1$ having multiplicity 2, which would otherwise complicate the formula.


Example 5.3. ($\Delta = 1$). Points of $H_1$ are not Jacobians of hyperelliptic curves so they cannot have a valid Weierstrass model. Applying Runge's method we find two components $e_1 = e_2$ and $e_2 = e_3$, and permuting the roots we obtain nine relations in total:

$e_i - e_j = 0\ (i \neq j),\qquad e_i = 0,\qquad e_i - 1 = 0,\qquad i, j \in \{1, 2, 3\}$.

These are the necessary and sufficient conditions for a Rosenhain model to be degenerate.

5.2.1. Symmetries. The fixed groups of the Humbert components in this model can be computed [10, §3.5]. As we know, $S_6$ acts on the Rosenhain invariants via the natural action on $(0, 1, \infty, e_1, e_2, e_3)$. Let $h_\Delta$ be the Humbert component computed using the above algorithm. The fixed group of $h_\Delta$ for even discriminant splits into two cases,

$\mathrm{Fix}_{S_6}(h_{4k}) = \begin{cases} G & \text{if } k \text{ is odd,} \\ g^{-1}Gg & \text{if } k \text{ is even,} \end{cases}$

where $G \subset S_6$ is a group of order 48 generated by the three elements

$(0, e_1, e_3, \infty, e_2, 1)$, $(e_1, e_2)$ and $(1, e_1, e_3, e_2)$;

the conjugating element is $g = (1, \infty)(e_1, e_2, e_3)$. Ignoring discriminant 1, which is a degenerate case, the fixed group for $\Delta \equiv 1 \pmod 8$ is a group of order 72 generated by

$(0, e_1)(1, e_2)(\infty, e_3)$, $(e_1, e_2)$ and $(e_2, e_3)$.

For $\Delta \equiv 5 \pmod 8$ the fixed group is a group of order 120 generated by

$(0, e_1)(1, e_2)(\infty, e_3)$, $(1, e_3, e_2, e_1, \infty)$ and $(\infty, e_1, e_3, e_2)$.

By making use of some of the simpler fixed group symmetries, we can reduce the size of the linear algebra computation. For example, the discriminant 12 component $h_{12}$ satisfies $h_{12}(e_2, e_1, e_3) = h_{12}(e_1, e_2, e_3)$, which means we only need roughly half the number of evaluated power series since $e_1^a e_2^b e_3^c$ and $e_1^b e_2^a e_3^c$ have the same coefficient.

5.3. Runtime analysis. The runtime of the algorithm is greatly affected by the $O\big(\binom{d+3}{3}\big) = O(d^3)$ monomials that need to be evaluated. The linear algebra solution requires finding the kernel of a matrix with $O\big(\binom{d+3}{3}\big)$ rows and in the order of $(N/4)^2$ columns, where $N$ is the precision of the power series, which gives a runtime cost of order $O(d^6 N^2)$. To have any chance of finding a unique relation, the number of monomials must be less than the precision used, so that the runtime is at least of order $O(d^9)$. From the table it is evident that the degree increases with the discriminant, so as it stands this algorithm can only find equations with small degrees. Besides discriminant 21, we managed to produce Rosenhain Humbert components for all the discriminants listed in the above table (see [9]). This extends the equations found in the literature ([13], [11]) which go up to discriminant 8. See the Appendix for the equation of the discriminant 12 Humbert component we found.

6. Applications In this section we show how Humbert surface equations can be used to speed up endomorphism ring calculations and improve the CRT method of computing Igusa class polynomials [6].


6.1. Computing endomorphism rings. Let $J$ be a genus 2 Jacobian defined over $\mathbb{F}_p$ which is geometrically simple and ordinary. Then the endomorphism algebra $\mathrm{End}(J) \otimes \mathbb{Q}$ is a primitive quartic CM-field $K = \mathbb{Q}(\pi)$ where $\pi$ is the Frobenius endomorphism, and we have that

$\mathbb{Z}[\pi, \bar\pi] \subseteq \mathrm{End}(J) \subseteq \mathcal{O}_K$.

Currently, the best deterministic methods of computing $\mathrm{End}(J)$ are based on the Eisenträger-Lauter algorithm [6]. The complexity for calculating $\mathrm{End}(J)$ is determined by the index of the largest known suborder of $\mathrm{End}(J)$, namely $\mathbb{Z}[\pi, \bar\pi]$. Write $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]] = \prod_i \ell_i^{e_i}$. Computing $\mathrm{End}(J)$ relies on computing a basis for the $\ell_i^{e_i}$-torsion over its splitting field for each prime $\ell_i \neq p$, an expensive calculation. We can improve the situation by using Humbert equations. In the case where the Igusa invariants for $J$ lie on the Humbert surface $H_{\mathrm{disc}(K^+)}$, it follows that $J$ has real multiplication by $\mathcal{O}_{K^+}$ and so

$\mathbb{Z}[\pi, \bar\pi] \subseteq \mathcal{O}_{K^+}[\pi, \bar\pi] \subseteq \mathrm{End}(J) \subseteq \mathcal{O}_K$

and the index $[\mathcal{O}_K : \mathcal{O}_{K^+}[\pi, \bar\pi]]$ will be smaller in many cases.

6.2. Computing Igusa class polynomials mod p. Effective algorithms for computing $\mathrm{End}(J)$ are needed in CM constructions for the cryptographical application of constructing abelian surfaces with a prescribed number of points, over a large prime field. Here one makes use of precomputed polynomials called Igusa class polynomials

$P_K^{(i)} = \prod_{\{A/\mathbb{C}\ \text{p.p.a.s} \mid \mathrm{End}(A) \cong \mathcal{O}_K\}/\cong} (X - j_i(A)) \in \mathbb{Q}[X],\qquad i = 1, 2, 3,$

where the $j_i$ are Igusa invariants of $A$. The CRT method of computing Igusa class polynomials computes the reductions $P_{K,p}^{(i)}$ modulo primes $p$ and combines the information using the Chinese remainder theorem (CRT) to reconstruct the rational coefficients. Let $p$ be a prime for which the Igusa class polynomials split completely. Then

$P_{K,p}^{(i)} = \prod_{\{A/\mathbb{F}_p\ \text{p.p.a.s} \mid \mathrm{End}(A) = \mathcal{O}_K\}/\cong_{\mathbb{F}_p}} (X - j_i(A))$

where the Igusa invariants $(j_1, j_2, j_3)$ for each $A$ are in $\mathbb{F}_p^3$. Hence to compute $P_{K,p}^{(i)}$ we must find all $\mathbb{F}_p$-isomorphism classes of principally polarized abelian surfaces $A$ over $\mathbb{F}_p$ having the maximal order $\mathcal{O}_K$ as its endomorphism ring. We briefly outline the procedure in [6, §5.3] used to find Igusa invariants $(j_1, j_2, j_3) \in \mathbb{F}_p^3$ of the genus 2 curves over $\mathbb{F}_p$ whose Jacobian has endomorphism algebra $K$. For each candidate triple, one constructs the associated hyperelliptic curve $C$ using Mestre's algorithm ([14], [4]), then counts points on $\mathrm{Jac}(C)$ to determine whether its Frobenius endomorphism is compatible with an ordinary $p$-Weil number of $K$. If it passes this test one computes the cardinality of $C$, thereby determining the endomorphism algebra. If it equals $K$, we proceed to compute the endomorphism ring. The runtime is dominated by the size of the search space $\mathbb{F}_p^3$. An order of magnitude improvement is achieved using Humbert surfaces. From the identity $\mathcal{O}_K \cap K^+ = \mathcal{O}_{K^+}$ it follows that the Igusa invariants of p.p.a.s's having endomorphism ring $\mathcal{O}_K$ must lie on $H_\Delta$ where $\Delta = \mathrm{disc}(K^+)$. Thus in the case where we have a model for the Humbert surface of discriminant $\Delta$, the search space is reduced from $p^3$ triples to the $|H_\Delta(\mathbb{F}_p)| = O(p^2)$ points on the Humbert surface mod $p$. We remark that since there are infinitely many primitive quartic CM fields whose maximal order contains $\mathcal{O}_{K^+}$, our improvements can be applied to all of these fields.

6.3. Example. Take the cyclic CM field $K = \mathbb{Q}\big(i\sqrt{2 + \sqrt 2}\big)$ having class number 1, also considered in [7, Example 9.1]. The Igusa class polynomials have degree 1 so there is one triple of Igusa invariants having maximal endomorphism ring. Using Freeman and Lauter's implementation of the CRT method, more than 40% of the running time was spent on generating all 1281 genus 2 Jacobians over $\mathbb{F}_{113}$ having endomorphism algebra $K$ (see [7, Table 1]). We shall demonstrate our improvements to computing the Igusa class polynomials mod 113. The real quadratic subfield is $K^+ = \mathbb{Q}(\sqrt 2)$, so the maximal order has discriminant 8. With our improvements, we check each triple of Igusa invariants first to see if it lies on $H_8$ to avoid unnecessary point counting. This step simply amounts to evaluating a polynomial in three variables over $\mathbb{F}_{113}$. There are $12665 = 113^2 - 104$ points on $H_8(\mathbb{F}_{113})$, far less than the total $113^3$ curves. Once we have a point on $H_8$ over $\mathbb{F}_{113}$, we do point counting to determine whether its endomorphism algebra is $K$. The first point we encounter on $H_8$ having endomorphism algebra $K$ is $(1, 67, 37) \in \mathbb{F}_{113}^3$, corresponding to a genus 2 Jacobian $J$ with Frobenius endomorphism $\pi$ satisfying $\pi^4 + 4\pi^3 + 102\pi^2 + 452\pi + 12769 = 0$. We find that $\mathrm{End}(J)$ is an index 14 suborder of the maximal order. The index of $\mathbb{Z}[\pi, \bar\pi]$ in $\mathcal{O}_K$ is $3584 = 2^9 \cdot 7$, but as we know the endomorphism ring is contained in $\mathcal{O}_{K^+}[\pi, \bar\pi]$, which has smaller index $[\mathcal{O}_K : \mathcal{O}_{K^+}[\pi, \bar\pi]] = 2^3 \cdot 7$, the computation is faster than for a random genus 2 Jacobian over $\mathbb{F}_{113}$ with endomorphism algebra $K$.
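The two indices quoted in Example 6.3 can be recomputed from the Weil polynomial alone, given the field discriminants $\mathrm{disc}(K) = 2048$ and $\mathrm{disc}(K^+) = 8$ (supplied as inputs, not computed). This is an added example, not the author's code, and the derivation it implements is mine: $s = \pi + \bar\pi$ is a root of $y^2 + ay + (b - 2p)$ when the Weil polynomial is $x^4 + ax^3 + bx^2 + apx + p^2$, and $\bar\pi = s - \pi$, so $\mathbb{Z}[\pi, \bar\pi] = \mathbb{Z}[s] \oplus \mathbb{Z}[s]\pi$ with $\pi$ a root of $x^2 - sx + p$ over $\mathbb{Z}[s]$; hence $\mathrm{disc}\,\mathbb{Z}[\pi, \bar\pi] = \mathrm{disc}(\mathbb{Z}[s])^2\, N_{K^+/\mathbb{Q}}(s^2 - 4p)$, and likewise $\mathrm{disc}\,\mathcal{O}_{K^+}[\pi, \bar\pi] = \mathrm{disc}(K^+)^2\, N_{K^+/\mathbb{Q}}(s^2 - 4p)$. The index of an order is the square root of the ratio of its discriminant to $\mathrm{disc}(K)$.

```python
"""Index comparison of Section 6.1 for the Jacobian of Example 6.3 (added example, not the
article's code).  Input: the Weil polynomial x^4 + a x^3 + b x^2 + a p x + p^2 of Frobenius pi
and the field discriminants disc(K), disc(K+), which are supplied rather than computed."""
from math import isqrt


def exact_sqrt(n):
    r = isqrt(n)
    assert n >= 0 and r * r == n, "expected a perfect square"
    return r


def trace_poly_data(a, b, p):
    """(disc of y^2 + a y + c, N_{K+/Q}(s^2 - 4p)) with c = b - 2p, s = pi + pibar a root of
    y^2 + a y + c.  The norm is the product over both roots s, s', expanded with
    s + s' = -a and s s' = c."""
    c = b - 2 * p
    return a * a - 4 * c, c * c - 4 * p * (a * a - 2 * c) + 16 * p * p


def frobenius_order_indices(a, b, p, disc_K, disc_Kplus):
    """([O_K : Z[pi, pibar]], [O_K : O_{K+}[pi, pibar]], [O_{K+} : Z[s]])."""
    disc_s, norm_rel = trace_poly_data(a, b, p)
    for num, den in ((disc_s, disc_Kplus), (disc_s**2 * norm_rel, disc_K), (disc_Kplus**2 * norm_rel, disc_K)):
        assert num % den == 0, "order discriminant must be a multiple of the field discriminant"
    idx_s = exact_sqrt(disc_s // disc_Kplus)                  # Z[s] inside O_{K+}
    idx_Z = exact_sqrt(disc_s**2 * norm_rel // disc_K)        # Z[pi, pibar] inside O_K
    idx_O = exact_sqrt(disc_Kplus**2 * norm_rel // disc_K)    # O_{K+}[pi, pibar] inside O_K
    assert idx_Z == idx_O * idx_s**2   # Z[pi,pibar] has index [O_{K+} : Z[s]]^2 in O_{K+}[pi,pibar]
    return idx_Z, idx_O, idx_s


def real_subfield_discriminant(a, b, p):
    """Fundamental discriminant of K+ = Q(sqrt(disc_s)): the discriminant Delta of the
    Humbert surface on which the Igusa invariants of J must lie."""
    n, f = trace_poly_data(a, b, p)[0], 2
    assert n > 0, "s = pi + pibar must be totally real"
    while f * f <= n:                                     # strip square factors
        while n % (f * f) == 0:
            n //= f * f
        f += 1
    return n if n % 4 == 1 else 4 * n


def jacobian_order(a, b, p):
    """#J(F_p) = P(1) for the Weil polynomial P."""
    return 1 + a + b + a * p + p * p


if __name__ == "__main__":
    a, b, p = 4, 102, 113                                 # pi^4 + 4 pi^3 + 102 pi^2 + 452 pi + 113^2
    print(frobenius_order_indices(a, b, p, 2048, 8))     # (3584, 56, 8)
    print(real_subfield_discriminant(a, b, p))           # 8, so the point must lie on H_8
```

For the Frobenius of Example 6.3 the minimal polynomial of $s$ is $y^2 + 4y - 124$ with discriminant $512$, so $K^+ = \mathbb{Q}(\sqrt 2)$ and $[\mathcal{O}_{K^+} : \mathbb{Z}[s]] = 8$; the norm of $s^2 - 4p$ is $100352$, which gives the indices $3584 = 2^9\cdot 7$ and $56 = 2^3\cdot 7$ stated in the text.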

References

[1] Amnon Besser, Elliptic fibrations of K3 surfaces and QM Kummer surfaces, Math. Z. 228 (1998), no. 2, 283–308. MR MR1630575 (99f:14047)
[2] Christina Birkenhake and Herbert Lange, Complex abelian varieties, second ed., Grundlehren der Mathematischen Wissenschaften [Fundamental Principles of Mathematical Sciences], vol. 302, Springer-Verlag, Berlin, 2004. MR MR2062673 (2005c:14001)
[3] Christina Birkenhake and Hannes Wilhelm, Humbert surfaces and the Kummer plane, Trans. Amer. Math. Soc. 355 (2003), no. 5, 1819–1841 (electronic). MR MR1953527 (2003m:14064)
[4] Gabriel Cardona and Jordi Quer, Field of moduli and field of definition for curves of genus 2, Computational aspects of algebraic curves, Lecture Notes Ser. Comput., vol. 13, World Sci. Publ., Hackensack, NJ, 2005, pp. 71–83. MR MR2181874 (2006h:14036)
[5] Henri Cohen, Sums involving the values at negative integers of L-functions of quadratic characters, Math. Ann. 217 (1975), no. 3, 271–285. MR MR0382192 (52 #3080)
[6] K. Eisenträger and K. Lauter, A CRT algorithm for constructing genus 2 curves over finite fields, To appear in Proceedings of 'Arithmetic, Geometry, and Coding Theory' (AGCT-10), Marseille (2005).
[7] D. Freeman and K. Lauter, Computing endomorphism rings of jacobians of genus 2 curves over finite fields, Symposium on algebraic geometry and its applications, World Scientific, 2008, pp. 29–66.
[8] Pierrick Gaudry, Fast genus 2 arithmetic based on theta functions, Preprint, 2005.
[9] David Gruenewald, Humbert surface data, http://sites.google.com/site/humbertequations/.
[10] David Gruenewald, Explicit algorithms for Humbert surfaces, Ph.D. thesis, University of Sydney, 2008.
[11] Ki-ichiro Hashimoto and Naoki Murabayashi, Shimura curves as intersections of Humbert surfaces and defining equations of QM-curves of genus two, Tohoku Math. J. (2) 47 (1995), no. 2, 271–296. MR MR1329525 (96b:14023)
[12] Friedrich Hirzebruch and Gerard van der Geer, Lectures on Hilbert modular surfaces, Séminaire de Mathématiques Supérieures [Seminar on Higher Mathematics], vol. 77, Presses de l'Université de Montréal, Montreal, Que., 1981, Based on notes taken by W. Hausmann and F. J. Koll. MR MR639898 (83i:10037)
[13] Georges Humbert, Sur les fonctions abéliennes singulières, Œuvres II (1936), 297–401.
[14] Jean-François Mestre, Construction de courbes de genre 2 à partir de leurs modules, Effective methods in algebraic geometry (Castiglioncello, 1990), Progr. Math., vol. 94, Birkhäuser Boston, Boston, MA, 1991, pp. 313–334. MR MR1106431 (92g:14022)
[15] David Mumford, Tata lectures on theta. II, Progress in Mathematics, vol. 43, Birkhäuser Boston Inc., Boston, MA, 1984, Jacobian theta functions and differential equations, With the collaboration of C. Musili, M. Nori, E. Previato, M. Stillman and H. Umemura. MR MR742776 (86b:14017)
[16] Bernhard Runge, Endomorphism rings of abelian surfaces and projective models of their moduli spaces, Tohoku Math. J. (2) 51 (1999), no. 3, 283–303. MR MR1707758 (2000g:14056)
[17] Gerard van der Geer, Hilbert modular surfaces, Ergebnisse der Mathematik und ihrer Grenzgebiete (3) [Results in Mathematics and Related Areas (3)], vol. 16, Springer-Verlag, Berlin, 1988. MR MR930101 (89c:11073)

COMPUTING HUMBERT SURFACES AND APPLICATIONS

Appendix: Equation for discriminant 12

The equation, with the terms grouped by the monomial in $e_1, e_2$ (it is symmetric under $e_1 \leftrightarrow e_2$), reads

$$
\begin{aligned}
0 ={}& e_2^4\,(e_3^4 - 4e_3^5 + 6e_3^6 - 4e_3^7 + e_3^8)\\
&+ e_1 e_2^3\,(-4e_3^4 - 16e_3^5 + 40e_3^6 - 16e_3^7 - 4e_3^8)\\
&+ e_1 e_2^4\,(160e_3^4 - 160e_3^5 - 160e_3^6 + 160e_3^7)\\
&+ e_1 e_2^5\,(-132e_3^3 - 272e_3^4 + 808e_3^5 - 272e_3^6 - 132e_3^7)\\
&+ e_1 e_2^6\,(384e_3^3 - 384e_3^4 - 384e_3^5 + 384e_3^6)\\
&+ e_1 e_2^7\,(-256e_3^3 + 512e_3^4 - 256e_3^5)\\
&+ e_1^2 e_2^2\,(6e_3^4 + 40e_3^5 + 164e_3^6 + 40e_3^7 + 6e_3^8)\\
&+ e_1^2 e_2^3\,(-160e_3^4 - 352e_3^5 - 352e_3^6 - 160e_3^7)\\
&+ e_1^2 e_2^4\,(-272e_3^3 + 1344e_3^4 - 608e_3^5 + 1344e_3^6 - 272e_3^7)\\
&+ e_1^2 e_2^5\,(384e_3^2 - 416e_3^3 - 480e_3^4 - 480e_3^5 - 416e_3^6 + 384e_3^7)\\
&+ e_1^2 e_2^6\,(-762e_3^2 + 1064e_3^3 - 348e_3^4 + 1064e_3^5 - 762e_3^6)\\
&+ e_1^2 e_2^7\,(384e_3^2 - 384e_3^3 - 384e_3^4 + 384e_3^5)\\
&+ e_1^3 e_2\,(-4e_3^4 - 16e_3^5 + 40e_3^6 - 16e_3^7 - 4e_3^8)\\
&+ e_1^3 e_2^2\,(-160e_3^4 - 352e_3^5 - 352e_3^6 - 160e_3^7)\\
&+ e_1^3 e_2^3\,(808e_3^3 - 608e_3^4 + 3696e_3^5 - 608e_3^6 + 808e_3^7)\\
&+ e_1^3 e_2^4\,(-384e_3^2 - 480e_3^3 - 2208e_3^4 - 2208e_3^5 - 480e_3^6 - 384e_3^7)\\
&+ e_1^3 e_2^5\,(-256e_3 + 1064e_3^2 - 608e_3^3 + 3696e_3^4 - 608e_3^5 + 1064e_3^6 - 256e_3^7)\\
&+ e_1^3 e_2^6\,(384e_3 - 416e_3^2 - 480e_3^3 - 480e_3^4 - 416e_3^5 + 384e_3^6)\\
&+ e_1^3 e_2^7\,(-132e_3 - 272e_3^2 + 808e_3^3 - 272e_3^4 - 132e_3^5)\\
&+ e_1^4\,(e_3^4 - 4e_3^5 + 6e_3^6 - 4e_3^7 + e_3^8)\\
&+ e_1^4 e_2\,(160e_3^4 - 160e_3^5 - 160e_3^6 + 160e_3^7)\\
&+ e_1^4 e_2^2\,(-272e_3^3 + 1344e_3^4 - 608e_3^5 + 1344e_3^6 - 272e_3^7)\\
&+ e_1^4 e_2^3\,(-384e_3^2 - 480e_3^3 - 2208e_3^4 - 2208e_3^5 - 480e_3^6 - 384e_3^7)\\
&+ e_1^4 e_2^4\,(512e_3 - 348e_3^2 + 3696e_3^3 + 1496e_3^4 + 3696e_3^5 - 348e_3^6 + 512e_3^7)\\
&+ e_1^4 e_2^5\,(-384e_3 - 480e_3^2 - 2208e_3^3 - 2208e_3^4 - 480e_3^5 - 384e_3^6)\\
&+ e_1^4 e_2^6\,(-272e_3 + 1344e_3^2 - 608e_3^3 + 1344e_3^4 - 272e_3^5)\\
&+ e_1^4 e_2^7\,(160e_3 - 160e_3^2 - 160e_3^3 + 160e_3^4)\\
&+ e_1^4 e_2^8\,(1 - 4e_3 + 6e_3^2 - 4e_3^3 + e_3^4)\\
&+ e_1^5 e_2\,(-132e_3^3 - 272e_3^4 + 808e_3^5 - 272e_3^6 - 132e_3^7)\\
&+ e_1^5 e_2^2\,(384e_3^2 - 416e_3^3 - 480e_3^4 - 480e_3^5 - 416e_3^6 + 384e_3^7)\\
&+ e_1^5 e_2^3\,(-256e_3 + 1064e_3^2 - 608e_3^3 + 3696e_3^4 - 608e_3^5 + 1064e_3^6 - 256e_3^7)\\
&+ e_1^5 e_2^4\,(-384e_3 - 480e_3^2 - 2208e_3^3 - 2208e_3^4 - 480e_3^5 - 384e_3^6)\\
&+ e_1^5 e_2^5\,(808e_3 - 608e_3^2 + 3696e_3^3 - 608e_3^4 + 808e_3^5)\\
&+ e_1^5 e_2^6\,(-160e_3 - 352e_3^2 - 352e_3^3 - 160e_3^4)\\
&+ e_1^5 e_2^7\,(-4 - 16e_3 + 40e_3^2 - 16e_3^3 - 4e_3^4)\\
&+ e_1^6 e_2\,(384e_3^3 - 384e_3^4 - 384e_3^5 + 384e_3^6)\\
&+ e_1^6 e_2^2\,(-762e_3^2 + 1064e_3^3 - 348e_3^4 + 1064e_3^5 - 762e_3^6)\\
&+ e_1^6 e_2^3\,(384e_3 - 416e_3^2 - 480e_3^3 - 480e_3^4 - 416e_3^5 + 384e_3^6)\\
&+ e_1^6 e_2^4\,(-272e_3 + 1344e_3^2 - 608e_3^3 + 1344e_3^4 - 272e_3^5)\\
&+ e_1^6 e_2^5\,(-160e_3 - 352e_3^2 - 352e_3^3 - 160e_3^4)\\
&+ e_1^6 e_2^6\,(6 + 40e_3 + 164e_3^2 + 40e_3^3 + 6e_3^4)\\
&+ e_1^7 e_2\,(-256e_3^3 + 512e_3^4 - 256e_3^5)\\
&+ e_1^7 e_2^2\,(384e_3^2 - 384e_3^3 - 384e_3^4 + 384e_3^5)\\
&+ e_1^7 e_2^3\,(-132e_3 - 272e_3^2 + 808e_3^3 - 272e_3^4 - 132e_3^5)\\
&+ e_1^7 e_2^4\,(160e_3 - 160e_3^2 - 160e_3^3 + 160e_3^4)\\
&+ e_1^7 e_2^5\,(-4 - 16e_3 + 40e_3^2 - 16e_3^3 - 4e_3^4)\\
&+ e_1^8 e_2^4\,(1 - 4e_3 + 6e_3^2 - 4e_3^3 + e_3^4).
\end{aligned}
$$

Groupe de Recherche ERISCS; Parc Scientifique de Luminy-ESIL; 13288 Marseille, France E-mail address: [email protected]


Contemporary Mathematics Volume 521, 2010

Genus 3 curves with many involutions and application to maximal curves in characteristic 2

Enric Nart and Christophe Ritzenthaler

Abstract. Let $k = \mathbb{F}_q$ be a finite field of characteristic 2. A genus 3 curve $C/k$ has many involutions if the group of $k$-automorphisms admits a $C_2 \times C_2$ subgroup $H$ (not containing the hyperelliptic involution if $C$ is hyperelliptic). Then $C$ is an Artin-Schreier cover of the three elliptic curves obtained as the quotients of $C$ by the nontrivial involutions of $H$, and the Jacobian of $C$ is $k$-isogenous to the product of these three elliptic curves. In this paper we exhibit explicit models for genus 3 curves with many involutions, and we compute explicit equations for the elliptic quotients. We then characterize when a triple $(E_1, E_2, E_3)$ of elliptic curves admits an Artin-Schreier cover by a genus 3 curve, and we apply this result to the construction of maximal curves. As a consequence, when $q$ is nonsquare and $m := \lfloor 2\sqrt{q} \rfloor \equiv 1, 5, 7 \pmod 8$, we obtain that $N_q(3) = 1 + q + 3m$. We also show that this occurs for an infinite number of nonsquare values of $q$.

Let $C$ be a smooth, absolutely irreducible, projective curve of genus $g > 0$ over a finite field $k = \mathbb{F}_q$. The question of determining the maximal number of points $N_q(g)$ of such a curve $C$ is a tantalizing one. Curves such that $\#C(k) = N_q(g)$ are called maximal curves. The Serre-Weil bound shows that $N_q(g) \le 1 + q + gm$, where $m = \lfloor 2\sqrt{q} \rfloor$. However, no general formula is known for the value of $N_q(g)$ (so far not even for infinitely many values of $q$) when $g > 2$ is fixed and $q$ is not a square. For $g = 3$, because of the so-called Serre twisting factor (or Serre's obstruction, see [LR08], [LRZ08]), the best general result is that for a given $q$, either $q + 1 + 3m - N_q(3) \le 3$ or $M_q(3) - (q + 1 - 3m) \le 3$, where $M_q(3)$ is the minimum number of points [Lau02]. Although this obstruction is now better understood and can be computed in some cases [Rit09], we are still not able to find $N_q(3)$ for a general $q$. However, when $q$ is a square, $N_q(3)$ is known for infinitely many values; see [Ibu93] when the characteristic is odd, and [NR08] for the characteristic 2 case, where $N_q(3)$ is determined for all square $q$. In this article, we construct maximal genus 3 curves over $\mathbb{F}_q$ for infinitely many nonsquare values of $q = 2^n$. Our result will be the easy consequence of the computation of the decomposition of the Jacobian of all genus 3 curves with many involutions. In section 1 we show that the natural equivalence classes of pairs $(C, H)$, where $C$ is a genus 3 curve and $H$ a $C_2 \times C_2$ subgroup of $\mathrm{Aut}_k(C)$ (not containing the hyperelliptic involution if $C$ is hyperelliptic), are in bijection with the natural equivalence classes of Artin-Schreier covers of triples of elliptic curves (Definition 1.2). In particular, the Jacobian of a genus 3 curve with many involutions is totally split. In section 2 we exhibit models of all $k$-isomorphism classes of genus 3 curves $C$ with many involutions, and we compute explicit equations for the three elliptic quotients. By retro-engineering, an appropriate choice of values for the parameters of our families enables us to characterize in section 3 the triples $(E_1, E_2, E_3)$ of elliptic curves that admit an Artin-Schreier cover by a genus 3 curve. Theorem 3.1 deals with the hyperelliptic case and Theorems 3.2, 3.3 with the non-hyperelliptic case. These results can be seen as an analogue of [HLP00, Sec. 4] in characteristic 2. In section 4 we use these criteria to construct maximal curves when $m \equiv 1, 5, 7 \pmod 8$ (Corollary 4.2). We show that the case $m \equiv 1 \pmod 4$ occurs infinitely often (Lemma 4.3) and so we get an infinite family of values of $N_q(g)$ for $g > 2$ fixed and $q$ nonsquare. In the case where $m \equiv 0, 2, 6 \pmod 8$ we are able to show that $N_q(3) \ge q + 1 + 3m - 3$ and we give a sufficient condition for equality. In the other cases, $m \equiv 3, 4 \pmod 8$, the situation is more complicated and we could not get similar results. One may look at this dichotomy as another manifestation of Serre's obstruction.

1991 Mathematics Subject Classification. Primary 11G20; Secondary 14H25. Key words and phrases. Maximal curves, plane quartic, Serre's obstruction, totally split Jacobian. The authors acknowledge support from the project MTM2006-11391 of the Spanish MEC and from the project ANR-09-BLAN-0020-01 of the French ANR.

© 2010 American Mathematical Society

Notations. The field $k$ will be $\mathbb{F}_q$, with $q = 2^n$, $n \ge 1$. We denote the Artin-Schreier subgroup of $k$ by
$$\mathrm{AS}(k) := \{x^2 + x \mid x \in k\} = \ker\big(k \xrightarrow{\ \mathrm{tr}\ } \mathbb{F}_2\big),$$
and we fix once and for all an element $r_0 \in k \setminus \mathrm{AS}(k)$ of trace 1. If $q$ is nonsquare we take $r_0 = 1$. We denote by $\sigma \in \mathrm{Gal}(\bar k/k)$ the Frobenius automorphism, $\sigma(x) = x^q$, which is a generator of this Galois group as a profinite group. We denote by $\lfloor s \rfloor$ the integer part of the real $s$ and by $\{s\}$ its fractional part. A curve will always mean a smooth, projective and absolutely irreducible curve.

Acknowledgments. We would like to thank the organizers of the conference for giving us the opportunity to present our work. It is also a pleasure to thank Florian Hess for his enlightening remarks on a previous draft of the paper and the referee for his judicious comments.

1. Curves with many involutions and Artin-Schreier covers

Definition 1.1. A genus 3 curve $C$ over $k$ is said to have many involutions if $\mathrm{Aut}_k(C)$ admits a subgroup $H$ isomorphic to $C_2 \times C_2$ and not containing the hyperelliptic involution, if $C$ is hyperelliptic. Let $C$, $C'$ be genus 3 curves with many involutions, with respective $C_2 \times C_2$ subgroups $H$, $H'$. We say that the pairs $(C, H)$, $(C', H')$ are equivalent if there is a $k$-isomorphism $\varphi\colon C \to C'$ such that $\varphi H \varphi^{-1} = H'$.

Definition 1.2. An Artin-Schreier cover of a triple $(E_1, E_2, E_3)$ of elliptic curves over $k$ is a commutative diagram with $C$ at the top, three arrows $C \to E_1$, $C \to E_2$, $C \to E_3$, and three arrows $E_1 \to \mathbb{P}^1$, $E_2 \to \mathbb{P}^1$, $E_3 \to \mathbb{P}^1$ to a common $\mathbb{P}^1$ at the bottom,
$$C \longrightarrow E_i \longrightarrow \mathbb{P}^1,\qquad i = 1, 2, 3,$$
where $C$ is a genus 3 curve over $k$, and all maps are separable degree two (Artin-Schreier) morphisms defined over $k$. There is a natural definition of equivalence of Artin-Schreier covers of triples of elliptic curves, whose formulation is left to the reader.

The curve $C$ on the top of an Artin-Schreier cover has many involutions. In fact, $k(C)/k(\mathbb{P}^1)$ is a biquadratic extension with Galois group isomorphic to $C_2 \times C_2$. The three nontrivial elements of this Galois group are the three nontrivial involutions of the quadratic extensions $k(C)/k(E_i)$, for $i = 1, 2, 3$. Hence, $\mathrm{Aut}_k(C)$ admits a $C_2 \times C_2$ subgroup too, and it does not contain the hyperelliptic involution (if $C$ were hyperelliptic), because the quotients of $C$ by these nontrivial involutions are elliptic curves.

Conversely, any curve with many involutions arises in this way from an Artin-Schreier cover of three elliptic curves.

Proposition 1.3. Let $C$ be a genus 3 curve with many involutions, and $H = \{1, i_1, i_2, i_3\}$ a $C_2 \times C_2$ subgroup of $\mathrm{Aut}_k(C)$, not containing the hyperelliptic involution if $C$ is hyperelliptic. Then, $C/H$ is isomorphic to $\mathbb{P}^1$, the curves $C/\langle i_s \rangle$ are elliptic curves, and the canonical maps $C \to C/\langle i_s \rangle \to C/H$, for $s = 1, 2, 3$, determine an Artin-Schreier cover.

Proof. In all cases, $i_1, i_2, i_3$ have fixed points (cf. the remarks after the proofs of Propositions 2.1 and 2.3 below), so that the respective quotients of $C$ by these involutions are three genus 1 curves (they cannot be genus 0 curves since these involutions are not the hyperelliptic one). Since $k$ is finite they are elliptic curves $E_1, E_2, E_3$ over $k$. Using [KR89, Thm. B] with respect to the group $H$ we get that
$$\mathrm{Jac}(C)^2 \times \mathrm{Jac}(C/H)^4 \sim \mathrm{Jac}(E_1)^2 \times \mathrm{Jac}(E_2)^2 \times \mathrm{Jac}(E_3)^2.$$
Hence by dimension count, $C/H$ is of genus 0 and again since $k$ is finite we have $C/H \simeq \mathbb{P}^1$. Finally, the three composition morphisms $C \to E_s \to C/H \simeq \mathbb{P}^1$ coincide with the canonical quotient map $C \to C/H$, so that they determine an Artin-Schreier cover. $\square$

Corollary 1.4. There is a natural bijective correspondence between equivalence classes of pairs $(C, H)$ of curves with many involutions, and equivalence classes of Artin-Schreier covers of triples of elliptic curves.

In section 3 we shall determine what triples $E_1, E_2, E_3$ of elliptic curves over $k$ admit an Artin-Schreier cover (Theorems 3.1, 3.2 and 3.3). By Poincaré's complete reducibility theorem and the proof of Proposition 1.3, we get
$$\mathrm{Jac}(C) \sim \mathrm{Jac}(E_1) \times \mathrm{Jac}(E_2) \times \mathrm{Jac}(E_3).$$
Thus, by an appropriate choice of these elliptic curves, the genus 3 curve covering them will be a maximal curve.


2. Elliptic quotients of curves with many involutions

2.1. Models of curves of genus 3 with many involutions. The following two propositions are extracted from the results of [NS04, Sec. 3] in the hyperelliptic case, and from those of [NR06, Sec. 1.4] and [NR08, Sec. 3] in the non-hyperelliptic case.

Proposition 2.1. Let $C$ be a hyperelliptic genus 3 curve over $k$, with many involutions. Then, $C$ is ordinary and it is isomorphic over $k$ to a curve (not necessarily unique) in one of these two families:
$$(\mathrm{Hyp}_a)\qquad C_{a,r,t}\colon\ y^2 + y = a\Big(x + \frac{t}{x}\Big) + a(t+1)\Big(\frac{1}{x+1} + \frac{t}{x+t}\Big) + r,$$
where $a, t \in k^*$, $t \ne 1$, and $r \in \{0, r_0\}$. These curves have involutions
$$i_1(x, y) = \Big(\frac{t}{x},\ y\Big),\qquad i_2(x, y) = \Big(\frac{x+t}{x+1},\ y\Big),\qquad i_3(x, y) = \Big(\frac{tx+t}{x+t},\ y\Big).$$
$$(\mathrm{Hyp}_b)\qquad C_{b,r,s,t}\colon\ y^2 + y = b\Big(\frac{1}{x^2+x+s} + \frac{1}{x^2+x+t}\Big) + r,$$
where $b, s, t \in k$, $b \ne 0$, $s, t \notin \mathrm{AS}(k)$, $s \ne t$, and $r \in \{0, r_0\}$. These curves have involutions
$$i_1(x, y) = (x+1,\ y),\qquad i_2(x, y) = (x+u,\ y),\qquad i_3(x, y) = (x+u+1,\ y),$$
where $u \in k$ satisfies $u^2 + u = s + t$.

Moreover any pair $(C, H)$ of a hyperelliptic genus 3 curve $C$ over $k$ with many involutions and a subgroup of $k$-automorphisms $H \simeq C_2 \times C_2$, not containing the hyperelliptic involution, is equivalent to the pair given by a curve of exactly one of the two families $\mathrm{Hyp}_a$ or $\mathrm{Hyp}_b$ and the subgroup generated by $i_1, i_2, i_3$.

Proof. Only the last claim needs some explanation. For any $C \in \mathrm{Hyp}_a \cup \mathrm{Hyp}_b$, the group $H = \{1, i_1, i_2, i_3\}$ is the only $C_2 \times C_2$ subgroup in $\mathrm{Aut}(C)$ not containing the hyperelliptic involution. Moreover, no curve in the family $\mathrm{Hyp}_a$ is isomorphic over $k$ to a curve in the family $\mathrm{Hyp}_b$. $\square$

Remark 2.2. The fixed points of $i_1, i_2, i_3$ always coincide; for the family $\mathrm{Hyp}_a$ they are $\{(\sqrt{t}, y), (\sqrt{t}, y+1)\}$, with $y^2 + y = a(t+1)$, whereas for the family $\mathrm{Hyp}_b$ they are the two points at infinity.

Proposition 2.3. Let $C$ be a non-hyperelliptic genus 3 curve over $k$, with many involutions. Then, $C$ is either supersingular and isomorphic over $k$ to a plane quartic in the family $\mathrm{SS}$, or it is ordinary and isomorphic over $k$ to a plane quartic in one of the two families $\mathrm{NHyp}_a$ or $\mathrm{NHyp}_b$ below.
$$(\mathrm{SS})\qquad C_{d,e,f,g}\colon\ y^4 + f y^2 z^2 + g y z^3 = x^3 z + d x^2 z^2 + e z^4,$$
with $d, e, f, g \in k$, $g \ne 0$, and the equation $y^3 + f y + g = 0$ has three roots $v_1, v_2, v_3$ in $k$. These curves have involutions
$$i_1(x, y, z) = (x, y + v_1, z),\qquad i_2(x, y, z) = (x, y + v_2, z),\qquad i_3(x, y, z) = (x, y + v_3, z).$$
$$(\mathrm{NHyp}_a)\qquad C_{a,c,e,r}\colon\ \big(a(x^2+y^2) + c z^2 + xy + e z(x+y)\big)^2 = \big(r(x^2+y^2) + xy\big)\, z\,(x+y+z),$$
where $a, c, e \in k$, $r \in \{0, r_0\}$, $c \ne 0$, $a \ne r$, $r + a + e + c \ne 0$. These curves have involutions
$$i_1(x, y, z) = (y, x, z),\qquad i_2(x, y, z) = (x+z, y+z, z),\qquad i_3(x, y, z) = (y+z, x+z, z).$$
$$(\mathrm{NHyp}_b)\qquad C_{a,c,d,r}\colon\ \big(a(x^2+y^2) + c z(x+y+z) + d xy\big)^2 = \big(r(x^2+y^2) + xy\big)\, z\,(x+y+z),$$
where $a, c, d \in k$, $r \in \{0, r_0\}$, $cd \ne 0$, $c + d \ne 1$, $a + dr \ne 0$. These curves have involutions
$$i_1(x, y, z) = (y, x, z),\qquad i_2(x, y, z) = (x, y, x+y+z),\qquad i_3(x, y, z) = (y, x, x+y+z).$$
Moreover any pair $(C, H)$ of an ordinary non-hyperelliptic genus 3 curve $C$ over $k$ with many involutions and a subgroup of $k$-automorphisms $H \simeq C_2 \times C_2$ is equivalent to the pair given by a curve of exactly one of the two families $(\mathrm{NHyp}_a)$ or $(\mathrm{NHyp}_b)$ and the subgroup generated by $i_1, i_2, i_3$.

Proof. Again, only the last claim requires some explanation. Let $H_a$, $H_b$ be the $C_2 \times C_2$ subgroups generated by the involutions $i_1, i_2, i_3$ of the curves respectively in $\mathrm{NHyp}_a$ and $\mathrm{NHyp}_b$. Now there are curves in $\mathrm{NHyp}_a \cap \mathrm{NHyp}_b$, given by equations of the type
$$\big(a(x^2+y^2) + c z(x+y+z) + xy\big)^2 = \big(r(x^2+y^2) + xy\big)\, z\,(x+y+z),$$
with $c \ne 0$ and $a \ne r$. For these curves, $\mathrm{Aut}_k(C)$ contains the $D_8$ subgroup generated by $H_a \cup H_b$; among them, Klein's quartic ($c = a = 1$, $r = 0$) has the largest group of automorphisms: $\mathrm{Aut}_k(C) = \mathrm{PGL}_3(\mathbb{F}_2)$. Thus, these curves have different $C_2 \times C_2$ subgroups inside $\mathrm{Aut}_k(C)$; however, all these subgroups fall into only two conjugacy classes, represented by $H_a$ and $H_b$. Hence, these curves determine only two equivalence classes of Artin-Schreier covers, represented by the pairs $(C, H_a)$ and $(C, H_b)$. Summing up, if we think in terms of equivalence of pairs $(C, H)$ then the families $\mathrm{NHyp}_a$ and $\mathrm{NHyp}_b$ have no intersection. $\square$

Remark 2.4. The nontrivial involutions in $H_a$ have pairwise disjoint 2-sets of fixed points on any curve in the family $\mathrm{NHyp}_a$. The nontrivial involutions in $H_b$ have the same 2-set of fixed points on any curve in the family $\mathrm{NHyp}_b$; it is the set $\{(x, x, 1), (x+1, x+1, 1)\}$, for $x^2 + x = cd$.

2.2. Ordinary elliptic curves in characteristic 2. Let us review some well-known facts on ordinary elliptic curves over finite fields of characteristic 2. The first result can be easily deduced from [Sil86, Appendix A].

Lemma 2.5. Let $E$ be an elliptic curve over $k$ with $j$-invariant $j_E$. Then, $E$ is ordinary if and only if $j_E \ne 0$. In this case, there is a unique element $\mathrm{sgn}(E) \in \{0, r_0\}$ such that $E$ is $k$-isomorphic to the curve with Weierstrass equation
$$y^2 + xy = x^3 + \mathrm{sgn}(E)\, x^2 + (j_E)^{-1}.$$
We call this discrete invariant $\mathrm{sgn}(E)$ the signature of $E$. Two curves with the same $j$-invariant and different signature are quadratic twists of each other.

Lemma 2.6. An ordinary elliptic curve $E$ with $\mathrm{sgn}(E) = 0$ always has a rational 4-torsion point. Moreover, it has a rational 8-torsion point if and only if $\mathrm{tr}(1/j_E) = 0$.

Proof. Let us denote $a = 1/j_E$. The non-trivial 2-torsion point of $E$ is $(0, a^{1/2})$. For any $Q = (x, y) \in E(k)$ with $x \ne 0$, the $x$-coordinate of $2Q$ is $x_{2Q} = x^2 + a x^{-2}$, so that $(a^{1/4}, a^{1/2})$ and $(a^{1/4}, a^{1/2} + a^{1/4})$ are 4-torsion points.


We characterize now the rationality of half of a point on $E(k)$. Let $P = (u, v)$ be a rational point on $E(k)$, with $u \ne 0$. The point $Q = (x, y)$ satisfies $2Q = P$ if and only if
$$(2.1)\qquad x^2 + \frac{a}{x^2} = u,\qquad y^2 + xy = x^3 + a$$
has a solution in $k$. The first equation has a solution $x$ in $k$ if and only if $a u^{-2} \in \mathrm{AS}(k)$. Assume this is the case; then, the second equation has a solution $y \in k$ if and only if $(x^3 + a) x^{-2} \in \mathrm{AS}(k)$. But $(x^3 + a) x^{-2} = x + a x^{-2} = x + x^2 + u \in u + \mathrm{AS}(k)$. Thus, the system (2.1) has a rational solution if and only if $u, a u^{-2} \in \mathrm{AS}(k)$. On the other hand, since $P$ is a rational point on $E$, $y^2 + uy + (u^3 + a) = 0$ has a solution in $k$, so $(u^3 + a) u^{-2} = u + a u^{-2} \in \mathrm{AS}(k)$. Hence, $Q$ is rational if and only if $u \in \mathrm{AS}(k)$. If we apply this to the 4-torsion points, with $x$-coordinate $u = a^{1/4}$, we get a rational 8-torsion point on $E$ if and only if $\mathrm{tr}(a^{1/4}) = 0$, or equivalently $\mathrm{tr}(a) = 0$. $\square$

Recall that, for any elliptic curve $E$ over $k$, the number of rational points is $\#E(k) = q + 1 - \mathrm{tr}(E)$, where $\mathrm{tr}(E) \in \mathbb{Z}$ is the trace of the Frobenius endomorphism. The above lemma yields some information on the value of $\mathrm{tr}(E)$ modulo 8.

Corollary 2.7. Let $E$ be an ordinary elliptic curve with $\mathrm{sgn}(E) = 0$. Then, if $q > 2$, one has $\mathrm{tr}(E) \equiv 1 \pmod 4$. Moreover, if $q > 4$ then $\mathrm{tr}(E) \equiv 1 \pmod 8$ if and only if $\mathrm{tr}(1/j_E) = 0$.

Remark. Since the twisted elliptic curves have opposite trace, Corollary 2.7 provides analogous information for the trace of the curves with $\mathrm{sgn}(E) = r_0$.

Finally, we recall a criterion that relates the signature of two ordinary elliptic curves in terms of a given isomorphism as curves of genus one, defined over the quadratic extension $k_2$ of $k$. Let $E$ be an ordinary elliptic curve defined by a Weierstrass equation $y^2 + xy = x^3 + r x^2 + a$, $r \in k$, $a \in k^*$. Let $N = (0, a^{1/2})$ be the unique nontrivial 2-torsion point of $E$. Multiplication by $-1$ is given by the involution $i(x, y) = (x, y + x)$. Let $\mathrm{Aut}_{g=1}(E)$ be the group of geometric automorphisms of $E$ as a curve of genus one:
$$\mathrm{Aut}_{g=1}(E) \simeq \{1, i\} \ltimes E(\bar k),\qquad\text{and}\qquad i \circ \tau_P = \tau_{-P} \circ i\ \text{ for all } P \in E(\bar k),$$
where $\tau_P \in \mathrm{Aut}_{g=1}(E)$ is the translation by $P$. The reader may easily check that
$$(2.2)\qquad \tau_N(x, y) = \Big(\frac{a^{1/2}}{x},\ \frac{a^{1/2}\, y}{x^2} + a^{1/2} + \frac{a^{1/2}}{x} + \frac{a}{x^2}\Big).$$

Lemma 2.8. Let $E/k$ be an ordinary elliptic curve, $F/k$ a curve of genus one, and $\phi\colon F \to E$ a $k_2$-isomorphism such that $\rho := \phi^\sigma \phi^{-1} \in \mathrm{Aut}_{g=1}(E)$ is defined over $k$. Then, $F$ is $k$-isomorphic to $E$ if and only if $\rho = 1$ or $\rho = \tau_N$, where $N$ is the non-trivial 2-torsion point of $E$.


Proof. Clearly $\rho^\sigma \rho = 1$, and $\rho^\sigma = \rho$ by hypothesis; thus, $\rho$ is an involution. The twists of $E$ as a curve of genus one are parameterized by the pointed set $H^1(\mathrm{Gal}(\bar k/k), \mathrm{Aut}_{g=1}(E))$. A 1-cocycle is determined by the choice of an automorphism, and the twist represented by $(F, \phi)$ corresponds to the 1-cocycle determined by $\rho = \phi^\sigma \phi^{-1}$. Two automorphisms $\chi$, $\varphi$ determine the same twist if and only if there exists another automorphism $\psi$ such that $\psi^\sigma \varphi \psi^{-1} = \chi$. In particular, $\rho$ determines the trivial twist if and only if $\rho = \psi^\sigma \psi^{-1}$ for some automorphism $\psi$. Now, both for $\psi = \tau_P$ and $\psi = \tau_P \circ i$, the automorphism $\psi^\sigma \psi^{-1} = \tau_{P^\sigma - P}$ is a translation. Thus, $\rho$ determines the trivial twist if and only if $\rho = \tau_{P^\sigma - P}$ for some $P \in E(\bar k)$ such that $P^\sigma - P$ is a 2-torsion point. This is equivalent to $\rho = 1$ or $\rho = \tau_N$; in fact one can always find points $P$ such that $P^\sigma - P = 0$ (a rational point) or $P^\sigma - P = N$ (an irrational halving of a rational point). $\square$

2.3. Elliptic quotients of the curves in the family $\mathrm{Hyp}_a$.

Proposition 2.9. For any curve $C = C_{a,r,t}$ in the family $\mathrm{Hyp}_a$, the Jacobian $\mathrm{Jac}(C)$ is $k$-isogenous to $E_1 \times E_2 \times E_3$, where
$$\begin{aligned}
E_1&\colon\ y^2 + xy = x^3 + \big(r + a(t+1)\big)\,x^2 + \big(a(t+1)\big)^4,\\
E_2&\colon\ y^2 + xy = x^3 + \big(r + a(t+1)\big)\,x^2 + (at)^4,\\
E_3&\colon\ y^2 + xy = x^3 + \big(r + a(t+1)\big)\,x^2 + a^4.
\end{aligned}$$

Proof. Let us compute first the quotient of $C$ by the involution $i_1$. The functions $X = x + \frac{t}{x} + t + 1$, $Y = y$ are stable by $i_1$, and they lead to an Artin-Schreier model for the quotient curve:
$$Y^2 + Y = aX + a(t+1)^2\,\frac{1}{X} + r + a(t+1).$$
Now, the change of variables $X = a^{-1}x$, $Y = (y + a^2(t+1)^2)/x$ establishes an isomorphism between this curve and $E_1$.

For the involution $i_2$, we use $X = \frac{x(x+t)}{x+1}$, $Y = y$ as invariant functions. The quotient curve admits an Artin-Schreier model $Y^2 + Y = aX + (at^2/X) + r + a(t+1)$, which is isomorphic to $E_2$ via $X = a^{-1}x$, $Y = (y + a^2t^2)/x$.

For the involution $i_3$, we use $X = \frac{x(x+1)}{x+t}$, $Y = y$ as invariant functions. The quotient curve admits an Artin-Schreier model $Y^2 + Y = aX + (a/X) + r + a(t+1)$, which is isomorphic to $E_3$ via $X = a^{-1}x$, $Y = (y + a^2)/x$. $\square$

2.4. Elliptic quotients of the curves in the family $\mathrm{Hyp}_b$.

Proposition 2.10. For any curve $C = C_{b,r,s,t}$ in the family $\mathrm{Hyp}_b$, the Jacobian $\mathrm{Jac}(C)$ is $k$-isogenous to $E_1 \times E_2 \times E_3$, where
$$\begin{aligned}
E_1&\colon\ y^2 + xy = x^3 + r\,x^2 + b^4 u^{-4}(u+1)^{-4},\\
E_2&\colon\ y^2 + xy = x^3 + (r + r_0)\,x^2 + b^4 u^{4}(u+1)^{-4},\\
E_3&\colon\ y^2 + xy = x^3 + (r + r_0)\,x^2 + b^4 u^{-4}(u+1)^{4},
\end{aligned}$$
where $u \in k$ satisfies $u(u+1) = s + t$.

Proof. The functions $X = x(x+1)$ and $Y = y$ are stable by $i_1$, and lead to the following Artin-Schreier model for the quotient curve:
$$(2.3)\qquad F\colon\ Y^2 + Y = b\Big(\frac{1}{X+s} + \frac{1}{X+t}\Big) + r = \frac{b}{s+t}\Big(\frac{X+t}{X+s} + \frac{X+s}{X+t}\Big) + r.$$


Letting $c := b/(s+t)$, the curve $F$ is $k$-isomorphic to $E_1$ via
$$(2.4)\qquad \phi\colon F \longrightarrow E_1,\qquad \phi(X, Y) = \Big(c\,\frac{X+t}{X+s},\ c\,\frac{X+t}{X+s}\,Y + c^2\Big).$$

For the involution $i_2$ we consider the invariant functions $X = x(x+u)$, $Y = y$, leading to an Artin-Schreier model:
$$F\colon\ Y^2 + Y = \frac{b(s+t)}{X^2 + (u+1)X + st} + r = bu\Big(\frac{1}{X+\alpha} + \frac{1}{X+\beta}\Big) + r,$$
where $\alpha, \beta \in k_2$ are the roots of $X^2 + (u+1)X + st = 0$. They belong to $k$ if and only if $\mathrm{tr}(st/(u+1)^2) = 0$, but this is never the case; indeed,
$$\frac{st}{(u+1)^2} = \frac{s(u^2+u+s)}{u^2+1} = \frac{s^2 + (u^2+1)s + (u+1)s}{u^2+1} = \Big(\frac{s}{u+1}\Big)^2 + \frac{s}{u+1} + s,$$
so that $\mathrm{tr}(st/(u+1)^2) = \mathrm{tr}(s) = 1$. We are now back to the case of (2.3), with $b, s, t$ replaced respectively by $bu, \alpha, \beta$. So, if we now denote $c := bu/(\alpha+\beta) = bu/(u+1)$, we get as in (2.4) a $k_2$-isomorphism between $F$ and the elliptic curve $y^2 + xy = x^3 + r x^2 + c^4$, which is the quadratic twist $E_2'$ of $E_2$:
$$\phi\colon F \longrightarrow E_2',\qquad \phi(X, Y) = \Big(c\,\frac{X+\beta}{X+\alpha},\ c\,\frac{X+\beta}{X+\alpha}\,Y + c^2\Big).$$
The automorphism $\rho := \phi^\sigma \phi^{-1}$ of $E_2'$, as a curve of genus one, is the involution
$$\rho(x, y) = \Big(\frac{c^2}{x},\ \frac{c^2 y}{x^2} + c^2 + \frac{c^4}{x^2}\Big).$$
Hence, $\rho \ne \tau_N$ (cf. (2.2)), and Lemma 2.8 shows that $F$ and $E_2'$ are not $k$-isomorphic as curves of genus one. Therefore, for any choice of a rational point of $F$ we obtain an elliptic curve necessarily $k$-isomorphic to $E_2$.

For the last involution, the same arguments work, just by substituting $u$ by $u+1$. $\square$

2.5. Elliptic quotients of the curves in the family $\mathrm{SS}$. This is taken directly from [NR08, Sec. 3] where the decomposition type of the Jacobian of a supersingular curve of genus 3 in characteristic 2 was treated in full generality.

Proposition 2.11. For any curve $C = C_{d,e,f,g}$ in the family $\mathrm{SS}$, the Jacobian $\mathrm{Jac}(C)$ is $k$-isogenous to $E_1 \times E_2 \times E_3$, where
$$E_i\colon\ y^2 + \frac{g}{v_i}\,y = x^3 + d\,x^2 + e,\qquad i = 1, 2, 3,$$
and $v_1, v_2, v_3$ are the three roots in $k$ of the equation $v^3 + fv + g = 0$.

2.6. Elliptic quotients of the curves in the family $\mathrm{NHyp}_a$.

Proposition 2.12. For any curve $C = C_{a,c,e,r}$ in the family $\mathrm{NHyp}_a$, the Jacobian $\mathrm{Jac}(C)$ is $k$-isogenous to $E_1 \times E_2 \times E_3$, where
$$\begin{aligned}
E_1&\colon\ y^2 + xy = x^3 + e\,x^2 + (a+r)^2(a+c+e+r)^2,\\
E_2&\colon\ y^2 + xy = x^3 + (e+r)\,x^2 + c^2(a+c+e+r)^2,\\
E_3&\colon\ y^2 + xy = x^3 + (e+r)\,x^2 + c^2(a+r)^2.
\end{aligned}$$


Proof. We start with the quotient by the involution $i_1$. We work with the affine model of $C$ obtained by letting $z = 1$. The functions $X = x + y$, $Y = xy$ are stable by $i_1$, and they lead to the following equation for the quotient curve
$$Y^2 + XY + Y = a^2X^4 + rX^3 + (e^2 + r)X^2 + c^2,$$
which is isomorphic to $E_1$ via
$$X = \frac{x}{a+r} + 1,\qquad Y = \frac{y + ex}{a+r} + \frac{a x^2}{(a+r)^2} + r.$$
For the involution $i_2$, we start by a change of variable $x \leftarrow x + y$ so the involution becomes $i_2(x, y, z) = (x, y+z, z)$, and the equation of $C$ becomes
$$(2.5)\qquad C\colon\ a^2x^4 + c^2z^4 + (x^2+y^2)y^2 + e^2z^2x^2 = (rx^2 + yx + y^2)\,z\,(x+z).$$
We work with the affine model of $C$ obtained by letting $x = 1$. We choose then $Y = y(y+z)$, $Z = z$ and we obtain the following equation for the quotient
$$Y^2 + ZY + Y = c^2Z^4 + (e^2 + r)Z^2 + rZ + a^2,$$
which is isomorphic to $E_2$ via $Z = c^{-1}x + 1$, $Y = c^{-1}y + c^{-1}x^2 + c^{-1}ex + r$.

To deal with the third quotient we make the change of variables $z \leftarrow x + y + z$. The curve $C = C_{a,c,e,r}$ becomes the curve $C' = C_{a+c+e,\,c,\,e,\,r}$ and the involution $i_3$ becomes $i_2$. Therefore, the quotient curve is isomorphic to the elliptic curve obtained from $E_2$ by changing $a \leftarrow a + c + e$. And this is precisely $E_3$. $\square$

2.7. Elliptic quotients of the curves in the family $\mathrm{NHyp}_b$.

Proposition 2.13. For any curve $C = C_{a,c,d,r}$ in the family $\mathrm{NHyp}_b$, the Jacobian $\mathrm{Jac}(C)$ is $k$-isogenous to $E_1 \times E_2 \times E_3$, where
$$\begin{aligned}
E_1&\colon\ y^2 + xy = x^3 + c^2d^2\,x^2 + d^4(a+dr)^4,\\
E_2&\colon\ y^2 + xy = x^3 + (c^2d^2 + r)\,x^2 + c^4(a+dr)^4,\\
E_3&\colon\ y^2 + xy = x^3 + (c^2d^2 + r)\,x^2 + (c+d+1)^4(a+dr)^4.
\end{aligned}$$

Proof. We start with the quotient by the involution $i_1$. We work with the affine model of $C$ obtained by letting $z = 1$. The functions $X = x + y$, $Y = xy$ are stable by $i_1$, and they lead to the following Weierstrass equation for the quotient curve
$$d^2Y^2 + XY + Y = a^2X^4 + rX^3 + (c^2 + r)X^2 + c^2,$$
which is isomorphic to $E_1$ via
$$X = \frac{x}{d(a+rd)} + 1,\qquad Y = \frac{y}{d^3(a+rd)} + \frac{a x^2}{d^3(a+rd)^2} + r.$$
For the involution $i_2$ we work with the affine model obtained by letting $y = 1$. The functions $X = x$, $Z = z(x+z+1)$ are invariant and they yield the following model for the quotient curve:
$$F\colon\ c^2Z^2 + rX^2Z + XZ + rZ = a^2X^4 + d^2X^2 + a^2.$$
If $r = 0$, the change of variables $X = x/(ac)$, $Z = (y + x^2)/(ac^3)$ sets a $k$-isomorphism between this curve and $E_2$. However, if $r = r_0$ it is not easy to get rid of the term $rX^2Z$. In this case we let $\alpha, \beta \in k_2$ be the roots of $x^2 + x + r = 0$, so that $(\alpha x + \beta)(\beta x + \alpha) = rx^2 + x + r$. The involution of the plane
$$I(X, Z) = \Big(\frac{\alpha X + \beta}{\beta X + \alpha},\ \frac{Z}{(\beta X + \alpha)^2}\Big)$$
sets a $k_2$-isomorphism between $F$ and the curve $F'$ with equation
$$F'\colon\ c^2Z^2 + XZ = A^2X^4 + d^2X^2 + A^2,$$


where $A = c(a+dr)$. This curve is $k$-isomorphic to the quadratic twist $E_2'$ of $E_2$ via
$$\psi\colon F' \longrightarrow E_2',\qquad \psi(x, y) = \big(cAx,\ c^3Ay + c^2A^2x^2\big).$$
We apply now Lemma 2.8 to the $k_2$-isomorphism $\phi = \psi I\colon F \to E_2'$. Clearly $I^\sigma I(x, y) = (x^{-1}, yx^{-2})$, and a straightforward computation shows that $\phi^\sigma\phi^{-1} = \psi I^\sigma I \psi^{-1} \ne \tau_N$, where $N$ is the non-trivial 2-torsion point of $E_2'$ (cf. (2.2) for the explicit computation of $\tau_N$). Thus, Lemma 2.8 shows that $F$ is not $k$-isomorphic to $E_2'$, and it must be $k$-isomorphic to $E_2$.

To deal with the third quotient we make the change of variables $x \leftarrow y + z$, $y \leftarrow x + z$. The curve $C = C_{a,c,d,r}$ becomes the curve $C' = C_{a,\,c+d+1,\,d,\,r}$ and the involution $i_3$ becomes $i_2$. Therefore, the quotient curve is isomorphic to the elliptic curve
$$y^2 + xy = x^3 + \big((c+d+1)^2d^2 + r\big)\,x^2 + (c+d+1)^4(a+dr)^4,$$
obtained from $E_2$ by changing $c \leftarrow c + d + 1$. This curve is isomorphic to $E_3$ via $y \leftarrow y + d^2x$. $\square$

3. Triples of elliptic curves admitting an Artin-Schreier cover We invert now the process of the previous section. Given a triple of elliptic curves, we determine when it is possible to reconstruct a genus 3 curve with many involutions, having the given curves as elliptic quotients.

Theorem 3.1. Let $(E_1, E_2, E_3)$ be a triple of ordinary elliptic curves over $k$, with $j$-invariants $j_1, j_2, j_3$. Then, $(E_1, E_2, E_3)$ admits an Artin-Schreier cover by a hyperelliptic genus 3 curve if and only if
$$(3.1)\qquad \frac{1}{j_1} + \frac{1}{j_2} + \frac{1}{j_3} = 0.$$
Proof. Propositions 2.9, 2.10 and the last point of Proposition 2.1 show that condition (3.1) is necessary. Conversely, suppose that (3.1) is satisfied. In this case we have necessarily $q > 2$. By reordering the indices we may assume that $\mathrm{tr}(E_2) \equiv \mathrm{tr}(E_3) \pmod 4$.

If $\mathrm{tr}(E_1) \equiv \mathrm{tr}(E_2) \equiv \mathrm{tr}(E_3) \pmod 4$, we take a curve $C_{a,r,t}$ of the family $\mathrm{Hyp}_a$ with
$$a = \Big(\frac{1}{j_3}\Big)^{1/4},\qquad t = \Big(\frac{j_3}{j_2}\Big)^{1/4},\qquad r = a(t+1) + \mathrm{sgn}(E_1).$$
If $\mathrm{tr}(E_1) \not\equiv \mathrm{tr}(E_2) \pmod 4$, we take a curve $C_{b,r,s,t}$ of the family $\mathrm{Hyp}_b$ with
$$b = \Big(\frac{1}{j_2 j_3}\Big)^{1/8},\qquad u = \Big(\frac{j_1}{j_2}\Big)^{1/8},\qquad r = \mathrm{sgn}(E_1),$$
$s$ an arbitrary element in $k \setminus \mathrm{AS}(k)$ and $t = s + u + u^2$. $\square$

For the sake of completeness we include the analogous result concerning the family $\mathrm{SS}$, which was obtained in [NR08, Thm. 5.18].

Theorem 3.2. Let (E1,E2,E3) be a triple of supersingular elliptic curves over k.Then,ifq>64, (E1,E2,E3) admits an Artin-Schreier cover by a non- hyperelliptic genus 3 curve in the family SS. The applications to the existence of maximal curves when q is nonsquare will be a consequence of the next result.


Theorem 3.3. Assume $q > 2$. Let $(E_1, E_2, E_3)$ be a triple of ordinary elliptic curves with $j$-invariants $j_1, j_2, j_3$, and denote $\mathrm{sgn}(E_1, E_2, E_3) := \mathrm{sgn}(E_1) + \mathrm{sgn}(E_2) + \mathrm{sgn}(E_3) \in \{0, r_0\}$. Consider the following elements in $k^*$:
$$T_a := \frac{(j_1 + j_2 + j_3)^2}{j_1 j_2 j_3},\qquad T_b := \frac{j_1 j_2 j_3\,(j_1 + j_2 + j_3)}{(j_1 j_2 + j_1 j_3 + j_2 j_3)^2}.$$

Then, $(E_1, E_2, E_3)$ admits an Artin-Schreier cover by a non-hyperelliptic genus 3 curve $C$ if and only if

$$(3.2)\qquad T_a \in \mathrm{sgn}(E_1, E_2, E_3) + \mathrm{AS}(k),\quad\text{or}\quad T_b \in \mathrm{sgn}(E_1, E_2, E_3) + \mathrm{AS}(k).$$
Proof. Propositions 2.12, 2.13 and the last point of Proposition 2.3 show that condition (3.2) is necessary. Conversely, assume that (3.2) is satisfied. Let $s_i = (j_i)^{-1/4}$ for $i = 1, 2, 3$. We reorder the indices $1, 2, 3$ to have $\mathrm{tr}(E_2) \equiv \mathrm{tr}(E_3) \pmod 4$, so that $\mathrm{sgn}(E_1) = \mathrm{sgn}(E_1, E_2, E_3)$. Take $r = 0$ if $\mathrm{tr}(E_1) \equiv \mathrm{tr}(E_2) \equiv \mathrm{tr}(E_3) \pmod 4$, and $r = r_0$ otherwise. We want to show the existence of a curve $C_{a,c,e,r}$ in the family $\mathrm{NHyp}_a$, or a curve $C_{a,c,d,r}$ in the family $\mathrm{NHyp}_b$, satisfying respectively
$$\begin{cases}(a+r)(a+r+e+c) = s_1^2\\ c(a+r+e+c) = s_2^2\\ c(a+r) = s_3^2\\ e \in \mathrm{sgn}(E_1) + \mathrm{AS}(k)\end{cases}\qquad\qquad \begin{cases} d(a+dr) = s_1\\ c(a+dr) = s_2\\ (1+c+d)(a+dr) = s_3\\ cd \in \mathrm{sgn}(E_1) + \mathrm{AS}(k).\end{cases}$$
These equations in the unknowns $a, c, d, e$ are easily solved:
$$\begin{cases} a = \dfrac{s_1 s_3}{s_2} + r\\[6pt] c = \dfrac{s_3 s_2}{s_1}\\[6pt] e = \dfrac{s_1 s_2}{s_3} + \dfrac{s_3 s_2}{s_1} + \dfrac{s_1 s_3}{s_2}\\[6pt] e \in \mathrm{sgn}(E_1) + \mathrm{AS}(k)\end{cases}\qquad\qquad \begin{cases} a = s_1 + s_2 + s_3 + dr\\[6pt] c = \dfrac{s_2}{s_1 + s_2 + s_3}\\[6pt] d = \dfrac{s_1}{s_1 + s_2 + s_3}\\[6pt] cd \in \mathrm{sgn}(E_1) + \mathrm{AS}(k).\end{cases}$$

The condition $cd \in \mathrm{sgn}(E_1) + \mathrm{AS}(k)$ is equivalent to
$$\frac{j_1 j_2 j_3^2}{(j_1 j_2 + j_1 j_3 + j_2 j_3)^2} \in \mathrm{sgn}(E_1) + \mathrm{AS}(k)$$
(indeed $x^4 + x = (x^2+x)^2 + (x^2+x) \in \mathrm{AS}(k)$ for every $x \in k$, and $(cd)^4 = s_1^4 s_2^4/(s_1+s_2+s_3)^8$ is the element displayed). This condition is not symmetric but note that
$$\frac{j_1 j_2 j_3^2}{(j_1 j_2 + j_1 j_3 + j_2 j_3)^2} + \frac{j_1 j_2^2 j_3}{(j_1 j_2 + j_1 j_3 + j_2 j_3)^2} = \Big(\frac{j_1(j_2 + j_3)}{j_1 j_2 + j_1 j_3 + j_2 j_3}\Big)^2 + \frac{j_1(j_2 + j_3)}{j_1 j_2 + j_1 j_3 + j_2 j_3} \in \mathrm{AS}(k).$$

This leads to the expression of $T_b$. $\square$

Remarks. In the non hyperelliptic case, the factors Ta, Tb and condition (3.2) reflect Serre’s obstruction and they can be compared to the twisting factor T and the “to be a square” condition of [HLP00, Prop.15].

4. Application to maximal curves

We are looking for genus 3 curves with many points over a finite field k. The idea we use here is to look for ordinary elliptic curves E such that the triple (E, E, E) admits an Artin-Schreier cover by a genus 3 curve C. Since Jac(C) is k-isogenous to E × E × E, for an adequate choice of the trace of E the curve C will be maximal. Since the hyperelliptic families define only a 2-dimensional locus in the moduli space, the non-hyperelliptic families are more suitable for our purpose. However, for non-hyperelliptic curves, Serre's precise version of Torelli's theorem turns out to be a non-trivial obstruction and we will only be able to construct maximal curves for ⌊2√q⌋ ≢ 3, 4 (mod 8).

4.1. Some values of Nq(3). Let m = ⌊2√q⌋. The Serre-Weil bound shows that if C is a genus 3 curve over k then #C(k) ≤ q + 1 + 3m. We write #C(k) = q + 1 + 3m − a with a ≥ 0 called the defect of the curve C. As usual we denote

$$N_q(3) = \sup_{C/k \text{ of genus } 3} \{\#C(k)\}.$$

When q is a square and q > 16, it was shown in [NR08] that Nq(3) = q + 1 + 3m. According to [vdG06], N2(3) = 7 = q + 1 + 3m − 2. Therefore, we now concentrate on the case q nonsquare, q > 2.

Theorem 4.1. Suppose q > 2 nonsquare, and let m = ⌊2√q⌋. If m ≡ 1, 5, 7 (mod 8), there exists a genus 3 curve C over k with defect 0. If m ≡ 0, 2, 6 (mod 8), there exists a genus 3 curve C over k with defect 3.

Proof. Assume first m ≡ 1 (mod 4). Let E be an ordinary elliptic curve over k with trace −m ≡ −1 (mod 4), and let j ∈ k* be the j-invariant of E. We apply Theorem 3.3 to E1 = E2 = E3 = E; we have sgn(E1, E2, E3) = 1 and Tb = 1, so that there exists a curve C in the family NHyp_b such that Jac(C) ∼ E^3. This curve has defect 0, because #C(k) = q + 1 − tr(Jac(C)) = q + 1 + 3m. For m ≡ 2 (mod 4) we take an elliptic curve E over k with trace −m + 1 ≡ −1 (mod 4), and the same argument shows the existence of a curve in the family NHyp_b with defect 3: #C(k) = q + 1 − tr(Jac(C)) = q + 1 − 3(1 − m). Suppose now m ≡ −1 (mod 8). Take E an elliptic curve with trace −m ≡ 1 (mod 8) and let j ∈ k* be the j-invariant of E. Corollary 2.7 shows that tr(1/j) = 0. We apply Theorem 3.3 to E1 = E2 = E3 = E; now sgn(E1, E2, E3) = 0 and Ta = 1/j, so that there exists a curve C in the family NHyp_a such that Jac(C) ∼ E^3. As we saw above, this curve has defect 0. For m ≡ 0 (mod 8) we take an elliptic curve E over k with trace −m + 1 ≡ 1 (mod 8), and the same argument shows the existence of a curve in the family NHyp_a with defect 3. □

Remark. More explicitly, for the cases m ≡ 1, 2 (mod 4) the curve
$$C : \left(j^{-1/4}(x^2 + y^2) + z^2 + xy + xz + yz\right)^2 = xyz(x + y + z)$$
does the job. And for the cases m ≡ 0, 7 (mod 8) we can take the curve
$$C : \left(j^{-1/4}(x^2 + y^2 + z^2 + xz + yz) + xy\right)^2 = xyz(x + y + z).$$

Corollary 4.2. Suppose q > 2 nonsquare, and let m = ⌊2√q⌋. If m ≡ 1, 5, 7 (mod 8) then Nq(3) = q + 1 + 3m. If m ≡ 0, 2, 6 (mod 8) and {2√q} < 1 − 4cos²(3π/7) ≈ 0.8019 then Nq(3) = q + 1 + 3m − 3.

Proof. We have only to deal with the cases m ≡ 0, 2, 6 (mod 8). We use the results of [Lau01] to prove that defects 0, 1, 2 are not possible. Defect 1 is excluded by [Lau01, Prop. 2]. For defect 0, the Weil polynomial would be of the form (x² + mx + q)³. Since m is even, either x² + mx + q is the Weil polynomial of a supersingular elliptic curve with trace −m or (x² + mx + q)³ is the Weil polynomial of a simple abelian threefold. In the former case, the possible traces of the elliptic curves are 0 or ±√(2q), and they cannot be equal to −m. For the latter, we can show that, in any characteristic p, this case cannot happen. Let q = p^n with p any prime, n odd, m = ⌊2√q⌋ and assume that (x² + mx + q)³ is the Weil polynomial of a simple abelian variety over Fq. Using [MN, Prop. 2.5], we see that n = 3n' with n' an integer and m = r p^{n'} with r coprime to p and r < 2√(p^{n'}). Let p^{n'} = u. The equality ru = ⌊2√q⌋ is equivalent to ru ≤ 2√(u³) ≤ ru + 1 and so
$$r^2 u^2 \le 4u^3 \le r^2 u^2 + 2ru + 1.$$
Dividing by u² we get
$$r^2 \le 4u \le r^2 + \frac{2r}{u} + \frac{1}{u^2}.$$
Since r < 2√u, for u ≥ 17 (and so for q ≥ 17³), one has 2r/u + 1/u² < 1 so r² = 4u. This is impossible because r is coprime to p. We can check the remaining values of q individually.

As for defect 2, we can exclude the cases denoted
$$(m, m, m-2),\ (m, m-1, m-1),\ (m, m+\sqrt{2}-1, m-\sqrt{2}-1),\ (m, m+\sqrt{3}-1, m-\sqrt{3}-1)$$
in [Lau01, Tab. 1], because they imply the existence of a supersingular elliptic quotient with trace −m. The case denoted
$$\left(m-1,\ m+\frac{-1+\sqrt{5}}{2},\ m+\frac{-1-\sqrt{5}}{2}\right)$$
can be excluded by the resultant 1 method of [HL03, Th. 1a]. There remains the case denoted
$$\left(m+1-4\cos^2\frac{\pi}{7},\ m+1-4\cos^2\frac{2\pi}{7},\ m+1-4\cos^2\frac{3\pi}{7}\right).$$
Arguing as in [Lau01, 2.1], the assumption on {2√q} excludes this case. This proves our result. □

It is not clear if we can get rid of the case
$$\left(m+1-4\cos^2\frac{\pi}{7},\ m+1-4\cos^2\frac{2\pi}{7},\ m+1-4\cos^2\frac{3\pi}{7}\right)$$
for q big enough. The isogeny class of abelian threefolds corresponding to this case contains a Jacobian at least for q = 2. Moreover by [How95, Th. 1.2], there is always a principally polarized abelian variety in this absolutely simple class. Hence, whether or not it is a Jacobian depends only on Serre's twisting factor whose behavior is still quite unpredictable.

Remark. These methods yield also minimal curves for m ≡ 1, 3, 7 (mod 8).

4.2. Infinitely many maximal curves. In the even characteristic case, we proved in [NR08] that there exists a maximal genus 3 curve over Fq for all q square, q > 16. Actually, we proved that Nq(3) = q + 1 + 2√q for all square q > 16 and Mq(3) = q + 1 − 2√q for all square q > 64. In the odd characteristic case, it was shown in [Ibu93] that for any odd p, there is an infinite number of even degree extensions of Fp admitting maximal genus 3 curves. As far as we know, for odd degree extensions of prime fields (any characteristic) no such result is known for curves of genus g > 2. The aim of this section is to show that Corollary 4.2 applies for an infinite number of nonsquare q, leading to a result similar to that of Ibukiyama, for odd degree extensions of F2.

Lemma 4.3. There are infinitely many nonsquare q such that m ≡ 1 (mod 4). There are infinitely many nonsquare q such that m ≡ 2 (mod 4).

Proof. We follow the same lines as in [HL03, Proof of Cor. 6]. Consider the expression of √2 in base 2:
$$\sqrt{2} = b_0 + \frac{b_1}{2} + \frac{b_2}{2^2} + \cdots$$
where each b_i is either 0 or 1. If q = 2^{2n−1} for n ≥ 1, then
$$2\sqrt{q} = 2^n \sqrt{2} = b_0 2^n + b_1 2^{n-1} + \cdots + b_{n-1} 2 + b_n + \frac{b_{n+1}}{2} + \cdots.$$
Hence
$$m = \lfloor 2\sqrt{q} \rfloor \equiv 2 b_{n-1} + b_n \pmod{4}.$$

To conclude, it is enough to prove that there are infinitely many couples (b_{n−1}, b_n) of the form (0, 1) and infinitely many of the form (1, 0). Otherwise, it would mean that, for i big enough, all the b_i are 0 or all are 1. This is not possible since √2 is irrational. □

Thus, the following result is an immediate consequence of Corollary 4.2.

Corollary 4.4. There are infinitely many nonsquare q = 2^n such that there is a genus 3 curve with defect 0 over Fq.
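The following Python code is an added illustration and not part of the paper. It computes m = ⌊2√q⌋ exactly for q = 2^{2n−1}, reads the binary digits b_i of √2 off an integer square root, checks the congruence m ≡ 2b_{n−1} + b_n (mod 4) used in the proof of Lemma 4.3, and evaluates the case distinction of Theorem 4.1 and Corollary 4.2 for a given nonsquare q. The function names, the range of n that is scanned, and the use of floating point only for the fractional part {2√q} are our choices.

```python
from math import isqrt, sqrt, cos, pi

# Added example, not the paper's code: m = floor(2 sqrt(q)) and the
# residues that Lemma 4.3, Theorem 4.1 and Corollary 4.2 depend on.


def floor_two_sqrt(q):
    """m = floor(2*sqrt(q)), computed exactly: floor(sqrt(4q)) with integer isqrt."""
    return isqrt(4 * q)


def sqrt2_bits(count):
    """Binary digits b_0, b_1, ..., b_{count-1} of sqrt(2) = b_0 + b_1/2 + b_2/4 + ...
    floor(sqrt(2) * 2^N) = isqrt(2^(2N+1)) is exact and its bits are b_0 ... b_N."""
    N = count - 1
    digits = bin(isqrt(2 ** (2 * N + 1)))[2:]
    return [int(ch) for ch in digits]


def m_mod4_from_bits(n):
    """Lemma 4.3: for q = 2^(2n-1), m = floor(2 sqrt(q)) is 2 b_{n-1} + b_n mod 4."""
    b = sqrt2_bits(n + 1)
    return (2 * b[n - 1] + b[n]) % 4


def residue_classes(nmax):
    """Residues of m mod 4 that occur for q = 2^(2n-1), 1 <= n <= nmax, and the n
    that produce them (Lemma 4.3 says 1 and 2 occur infinitely often)."""
    out = {}
    for n in range(1, nmax + 1):
        q = 2 ** (2 * n - 1)
        out.setdefault(floor_two_sqrt(q) % 4, []).append(n)
    return out


def _check_nonsquare(q):
    if q <= 2 or isqrt(q) ** 2 == q:
        raise ValueError("Theorem 4.1 and Corollary 4.2 assume q > 2 nonsquare")


def defect_from_theorem_4_1(q):
    """Defect of the curve produced by Theorem 4.1: 0 when m = 1, 5, 7 mod 8,
    3 when m = 0, 2, 6 mod 8, None when m = 3, 4 mod 8 (not covered)."""
    _check_nonsquare(q)
    r = floor_two_sqrt(q) % 8
    if r in (1, 5, 7):
        return 0
    if r in (0, 2, 6):
        return 3
    return None


FRAC_BOUND = 1 - 4 * cos(3 * pi / 7) ** 2   # the constant 1 - 4cos^2(3pi/7) ~ 0.8019


def n_q_3(q):
    """N_q(3) as given by Corollary 4.2, or None when the corollary does not decide it."""
    m = floor_two_sqrt(q)
    defect = defect_from_theorem_4_1(q)
    if defect == 0:
        return q + 1 + 3 * m
    # {2 sqrt(q)} = 2 sqrt(q) - m; floating point is adequate for moderate q
    if defect == 3 and (2 * sqrt(q) - m) < FRAC_BOUND:
        return q + 1 + 3 * m - 3
    return None


if __name__ == "__main__":
    for q in (8, 32, 128, 2048):
        print(q, floor_two_sqrt(q), defect_from_theorem_4_1(q), n_q_3(q))
```

For q = 8 one gets m = 5 ≡ 5 (mod 8), so the corollary gives N_8(3) = 8 + 1 + 15 = 24; for q = 128, m = 22 ≡ 6 (mod 8) and {2√128} ≈ 0.63 < 0.8019, so N_128(3) = 129 + 66 − 3 = 192; for q = 32, m = 11 ≡ 3 (mod 8) and the corollary says nothing, which is the gap discussed after the proof.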

References

[How95] E. Howe, Principally polarized ordinary abelian varieties over finite fields, Transactions of the American Mathematical Society 347 (1995), 2361–2401.
[HL03] E. Howe, K. Lauter, Improved upper bounds for the number of points on curves over finite fields, Ann. Inst. Fourier 53 (2003), 1677–1737.
[HLP00] E. Howe, F. Leprévost, B. Poonen, Large torsion subgroups of split Jacobians of curves of genus two or three, Forum Math. 12 (2000), 315–364.
[Ibu93] T. Ibukiyama, On rational points of curves of genus 3 over finite fields, Tôhoku Math. J. 45 (1993), 311–329.
[KR89] E. Kani, M. Rosen, Idempotent relations and factors of Jacobians, Math. Ann. 284 (1989), 307–327.
[LR08] G. Lachaud, C. Ritzenthaler, On a conjecture of Serre on abelian threefolds, Algebraic Geometry and its applications (Tahiti, 2007), 88–115, World Scientific, Singapore, 2008.
[LRZ08] G. Lachaud, C. Ritzenthaler, A. Zykin, Jacobians among Abelian threefolds: a formula of Klein and a question of Serre, preprint available at http://arxiv.org/abs/0802.4017.
[Lau01] K. Lauter, Geometric methods for improving the upper bounds on the number of rational points on algebraic curves over finite fields, with an appendix by J. P. Serre, Journal of Algebraic Geometry 10 (2001), 19–36.
[Lau02] K. Lauter, The maximum or minimum number of rational points on genus three curves over finite fields, with an Appendix by J-P. Serre, Compositio Math. 134 (2002), 87–111.
[MN] D. Maisner, E. Nart, Abelian surfaces over finite fields as Jacobians. With an appendix by Everett W. Howe, Exp. Math. 11 (2002), 321–337.
[NR06] E. Nart, C. Ritzenthaler, Non-hyperelliptic curves of genus three over finite fields of characteristic two, Journal of Number Theory 116 (2006), 443–473.
[NR08] E. Nart, C. Ritzenthaler, Jacobians in isogeny classes of supersingular abelian threefolds in characteristic 2, Finite Fields and Their Applications 14 (2008), 676–702.
[NS04] E. Nart, D. Sadornil, Hyperelliptic curves of genus three over finite fields of even characteristic, Finite Fields and Their Applications 10 (2004), 198–220.
[Rit09] C. Ritzenthaler, Explicit computations of Serre's obstruction for genus 3 curves and application to optimal curves, preprint available on http://arxiv.org/abs/0901.2920.
[vdG06] G. van der Geer, Tables of curves with many points, available on http://www.science.uva.nl/~geer/, (2006). See also http://www.manypoints.org.
[Sil86] J. H. Silverman, The arithmetic of elliptic curves, Graduate Texts in Mathematics 106, Springer-Verlag, New York, 1986.

Departament de Matemàtiques, Universitat Autònoma de Barcelona, 08193 Bellaterra, Barcelona, Spain
E-mail address: [email protected]

Institut de Mathématiques de Luminy, Université de la Méditerranée, 13288 Luminy, Marseille, France
E-mail address: [email protected]


Contemporary Mathematics Volume 521, 2010

Uniqueness of low genus optimal curves over F2

Alessandra Rigato

Abstract. A projective, smooth, absolutely irreducible algebraic curve X of genus g defined over a finite field Fq is called optimal if for every other such genus g curve Y over Fq one has #Y(Fq) ≤ #X(Fq). In this paper we show that for g ≤ 5 there is a unique optimal genus g curve over F2. For g = 6 there are precisely two and for g = 7 there are at least two.

1. Introduction

Let X be a projective, smooth and absolutely irreducible genus g curve defined over a finite field Fq. It is well known that the number of Fq-rational points of X is bounded and a lot of research has been done to determine whether the bounds are sharp: see for example Sections 5.2 and 5.3 of [Sti] for an overview. The curve X is called optimal if for every other genus g curve Y over Fq one has #Y(Fq) ≤ #X(Fq). The main result of this paper deals with uniqueness up to F2-isomorphism of small genus optimal curves defined over F2.

Theorem 1.1. For g ≤ 5, there exists a unique optimal genus g curve defined over F2. There exist two non-isomorphic genus 6 optimal curves and at least two non-isomorphic genus 7 optimal curves defined over F2.

Examples of small genus optimal curves defined over F2 are already present in [S], [S1] and [N-X]. In this paper we show that for genus g ≤ 5 these examples are unique, while one of the genus 6 curves we construct appears to be new. The proof of this result consists of two steps. We first determine a short list of Zeta functions that an optimal curve over F2 can have. In Section 2 we show that for genus g ≤ 5 there is only one possible Zeta function, while for g = 6 there are two. Next we apply class field theory techniques as in [A], [L], [Sch], [S], [S1], and recent results by Howe and Lauter in [H-L] to show that for each possible Zeta function there exists precisely one curve. In Section 3 we discuss curves of genus 0 and 1. Sections 4 to 8 are devoted to curves of genus 2 to 6. Finally, in Section 9 we exhibit two optimal genus 7 curves with different Zeta functions.

2010 Mathematics Subject Classification. Primary 11G20; Secondary 11R37.
The author wishes to express her gratitude to her advisor René Schoof, for this work would not have been possible without his precious help. The author also thanks Everett Howe for his interesting and constructive comments and Claus Fieker for his MAGMA computation. Part of this paper was written while the author was supported by the Fund for Scientific Research Flanders (F.W.O. Vlaanderen): research project G.0557.06.
©2010 American Mathematical Society

88 A. RIGATO

2. Zeta function and real Weil polynomial of a curve

Throughout this paper a curve is understood to be projective, smooth and absolutely irreducible over a finite field of definition Fq. In order to study optimal genus g curves defined over Fq it is of interest to determine the quantity

$$N_q(g) := \max\{\#X(\mathbb{F}_q) \mid X \text{ is a genus } g \text{ curve defined over } \mathbb{F}_q\}.$$

Then, an optimal genus g curve X defined over Fq satisfies #X(Fq) = Nq(g). Several methods have been developed in order to determine Nq(g) for given q and g. The progress is listed and continuously updated in the tables [G-V]. In particular Serre determined very good upper bounds for the number of Fq-rational points in [S1]. For q = 2 he gives the estimate #X(F2) ≤ 0.83g + 5.35. For g ≥ 2 this improves the Hasse-Weil bound #X(Fq) ≤ q + 1 + 2g√q. In [S] Serre also provided examples of genus g curves defined over F2 attaining these bounds. Hence for small genus curves he proved that N2(g) is as follows [S1, Theorem 5]:

    g       0   1   2   3   4   5   6    7
    N2(g)   3   5   6   7   8   9   10   10

The Zeta function of a genus g curve X defined over Fq is given by
$$Z(t) = \prod_{d \ge 1} \frac{1}{(1 - t^d)^{a_d}},$$
where
$$a_d = \#\{P \mid P \text{ place of } X \text{ such that } \deg P = d\}.$$

In particular, a1 = #X(Fq). The Zeta function Z(t) is a rational function of the form
$$Z(t) = \frac{L(t)}{(1 - t)(1 - qt)}, \qquad \text{where} \qquad L(t) = \prod_{i=1}^{g} (1 - \alpha_i t)(1 - \bar{\alpha}_i t)$$
for certain αi ∈ C of absolute value √q. Therefore L(t) = q^g t^{2g} + b_{2g−1} t^{2g−1} + ... + b_1 t + 1 ∈ Z[t] is determined by the coefficients b1, ..., bg which are in turn determined by the numbers a1, ..., ag. See for example [Sti, Section 5.1] for more details.

To a genus g curve X having L(t) as numerator of its Zeta function, we associate the so-called real Weil polynomial of X:
$$h(t) = \prod_{i=1}^{g} (t - \mu_i) \in \mathbb{Z}[t],$$
where μi = αi + ᾱi is a real number in the interval [−2√q, 2√q], for all i = 1, ..., g. We have
$$(2.1) \qquad L(t) = t^g h(qt + 1/t).$$
One can hence turn the problem of determining the Zeta function of X into the problem of determining the real Weil polynomial of X. Not every polynomial h(t) with all zeros in the interval [−2√q, 2√q] and with the property that
$$\frac{L(t)}{(1 - t)(1 - qt)} = \prod_{d \ge 1} \frac{1}{(1 - t^d)^{a_d}}$$
for certain integers a_d ≥ 0 is necessarily the real Weil polynomial of a curve. The following result is due to Serre [S, page Se 11], [L, Lemma 1].

Proposition 2.1. Let h(t) be the real Weil polynomial of a curve C over Fq. Then h(t) cannot be factored as h(t) = h1(t)h2(t), with h1(t) and h2(t) non-constant polynomials in Z[t] such that the resultant of h1(t) and h2(t) is ±1.

This result has been generalized by E. Howe and K. Lauter. Proposition 2.2 below is an improvement [H] of [H-L, Theorem 1.b)] and Proposition 2.3 is [H-L, Theorem 1, Proposition 13]. Recall that the reduced resultant of two polynomials f, g ∈ Z[t] is defined to be the non-negative generator of the ideal (f, g) ∩ Z.

Proposition 2.2. Let h(t) = h1(t)h2(t) be the real Weil polynomial of a curve C over Fq, where h1(t) and h2(t) are coprime non-constant factors in Z[t]. Let r be the reduced resultant of the radical of h1(t) and the radical of h2(t). If r = 2, then there exists a degree 2 map C → C', where the curve C' is defined over Fq and has either h1(t) or h2(t) as real Weil polynomial.

Proposition 2.3. Let h(t) = (t − μ)h2(t) be the real Weil polynomial of a curve C over Fq, where t − μ is the real Weil polynomial of an elliptic curve E and h2(t) a non-constant polynomial in Z[t] coprime with t − μ. If r ≠ ±1 is the resultant of t − μ and the radical of h2(t), then C admits a map of degree dividing r to an elliptic curve isogenous to E.

For a curve X we denote by a(X) the vector [a1, a2, ...]. The main result of this section is the following.

Theorem 2.4. For g ≤ 6 the real Weil polynomial h(t) and the vector a(X) of an optimal genus g curve X over F2 are as follows:
g = 1: h(t) = t + 2, a(X) = [5, 0, 0, 5, 4, 10, ...];
g = 2: h(t) = t² + 3t + 1, a(X) = [6, 0, 1, 1, 6, 12, ...];
g = 3: h(t) = t³ + 4t² + 3t − 1, a(X) = [7, 0, 1, 0, 7, 7, ...];
g = 4: h(t) = (t + 1)(t + 2)(t² + 2t − 2), a(X) = [8, 0, 0, 2, 4, 8, ...];
g = 5: h(t) = t(t + 2)²(t² + 2t − 2), a(X) = [9, 0, 0, 2, 0, 12, ...];
g = 6: (2.2) h(t) = t(t + 2)(t⁴ + 5t³ + 5t² − 5t − 5), a(X) = [10, 0, 0, 0, 3, 10, ...],
       (2.3) h(t) = (t − 1)(t + 2)(t² + 3t + 1)², a(X) = [10, 0, 0, 0, 2, 15, ...].

Proof. Following [S, page Se Th 38] we compute for each g ≤ 6 a finite list of monic degree g polynomials h(t) ∈ Z[t] for which a1 is equal to the number of F2-rational points of an optimal genus g curve and for which a_d ≥ 0 for d ≥ 2 in the relation L(t) = t^g h(qt + 1/t). Moreover we require that h(t) has the property that its zeros are in the interval [−2√2, 2√2]. Finally, we require that the conditions of Proposition 2.1 are satisfied. A short computer calculation gives a unique polynomial for g ≤ 5 and three polynomials for g = 6:
(1) h(t) = t(t + 2)(t⁴ + 5t³ + 5t² − 5t − 5), a(X) = [10, 0, 0, 0, 3, 10, ...];
(2) h(t) = (t − 1)(t + 2)(t² + 3t + 1)², a(X) = [10, 0, 0, 0, 2, 15, ...];
(3) h(t) = (t + 1)(t + 2)(t² + 2t − 2)(t² + 2t − 1), a(X) = [10, 0, 0, 1, 0, 12, ...].
We show that the third polynomial cannot occur. The resultant of the factors t + 2 and (t + 1)(t² + 2t − 2)(t² + 2t − 1) is −2. Hence, by Proposition 2.3, a genus g = 6 curve X, having this polynomial as real Weil polynomial, admits a degree 2 map X → E, where E is a genus one curve having real Weil polynomial t + 2. The curve E has parameters a(E) = [5, 0, 0, 5, 4, 10, ...], hence E has five places of degree 4 while X has only one. Since E does not have any degree 2 places, this means that one place Q of the degree 4 places of E must ramify in X. The different D of the quadratic function field extension F2(X)/F2(E) satisfies 2Q ≤ D (where the coefficient 2 is forced by wild ramification). On the other hand the degree of the different is 2g − 2 = 10 = deg D by the Hurwitz formula. Thus D = 2Q + 2R, where R is a rational point of E. But this is a contradiction because all of the five rational points of E split completely in X since #X(F2) = 10. □
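As an added worked example (our code, not the paper's), the relation (2.1) can be turned into a small computation: from the real Weil polynomial h(t) one forms L(t) = t^g h(qt + 1/t), recovers N_n = #X(F_{q^n}) from the coefficients of L(t) by Newton's identities, and then the numbers a_d of places of degree d from N_n = Σ_{d|n} d·a_d. Run on the rows g = 1 and g = 3 of Theorem 2.4 and on P^1 of Remark 3.1 it reproduces the vectors stated there. The polynomial representation (integer coefficient lists, lowest degree first) and the helper names are ours.

```python
# Added example, not the paper's code: from the real Weil polynomial h(t)
# to L(t) (relation (2.1)) and on to the place counts a_d of the curve.
# Integer polynomials are lists of coefficients, lowest degree first.


def poly_mul(p, q):
    """Product of two integer polynomials."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out


def poly_eval(p, x):
    """Evaluate p at the integer x (Horner's rule)."""
    acc = 0
    for c in reversed(p):
        acc = acc * x + c
    return acc


def l_polynomial(h, q):
    """L(t) = t^g h(qt + 1/t) for h monic of degree g.
    Each term h_k t^g (qt + 1/t)^k equals h_k t^(g-k) (1 + q t^2)^k."""
    g = len(h) - 1
    L = [0] * (2 * g + 1)
    for k, hk in enumerate(h):
        term = [1]
        for _ in range(k):
            term = poly_mul(term, [1, 0, q])      # multiply by (1 + q t^2)
        for i, c in enumerate(term):
            L[i + g - k] += hk * c                # shift by t^(g-k)
    return L


def point_counts(L, q, nmax):
    """N_n = #X(F_{q^n}) = q^n + 1 - sum_i alpha_i^n for n = 1..nmax, where
    L(t) = prod (1 - alpha_i t); the power sums come from Newton's identities."""
    deg = len(L) - 1
    e = [(-1) ** k * L[k] for k in range(deg + 1)]   # elementary symmetric functions
    p = [deg]                                         # p_0 = number of roots
    for n in range(1, nmax + 1):
        s = sum((-1) ** (k - 1) * e[k] * p[n - k] for k in range(1, min(n, deg + 1)))
        if n <= deg:
            s += (-1) ** (n - 1) * n * e[n]
        p.append(s)
    return [q ** n + 1 - p[n] for n in range(1, nmax + 1)]


def place_counts(N):
    """a_d from N_n = sum_{d | n} d a_d, i.e. the exponents in Z(t) = prod (1 - t^d)^{-a_d}."""
    a = []
    for d in range(1, len(N) + 1):
        s = N[d - 1] - sum(e * a[e - 1] for e in range(1, d) if d % e == 0)
        assert s % d == 0, "a_%d is not an integer: not the L-polynomial of a curve" % d
        a.append(s // d)
    return a


def vector_a(h, q, nmax):
    """The vector a(X) = [a_1, ..., a_nmax] attached to a real Weil polynomial h over F_q."""
    return place_counts(point_counts(l_polynomial(h, q), q, nmax))


def linear_resultant(h2, mu):
    """Resultant of t - mu and h2(t) up to sign, namely h2(mu), as used with Proposition 2.3."""
    return poly_eval(h2, mu)


if __name__ == "__main__":
    print(vector_a([2, 1], 2, 7))          # the elliptic curve E of Theorem 2.4, g = 1
    print(vector_a([-1, 3, 4, 1], 2, 6))   # the genus 3 row of Theorem 2.4
```

A non-integral a_d, which the assertion in place_counts flags, is the first sign that a candidate h(t) is not the real Weil polynomial of any curve; this is the a_d ≥ 0 integrality screening used in the proof of Theorem 2.4, and linear_resultant evaluates the resultant of t − μ with a cofactor in the way the same proof does for t + 2.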

3. Uniqueness of optimal elliptic curves

In this section we prove Theorem 1.1 for curves of genus 0 and 1.

Remark 3.1. We denote by P^1 the projective line over F2 and by 0, 1 and ∞ its three rational points. Over a finite field, every genus 0 curve is isomorphic to P^1. Therefore P^1 is optimal. The Zeta function of P^1 is
$$Z(t) = \frac{1}{(1 - 2t)(1 - t)}$$
and hence a(P^1) = [3, 1, 2, 3, 6, ...].

Proposition 3.2. Up to F2-isomorphism, the unique genus 1 curve having five rational points over F2 is the elliptic curve E of affine equation y² + y = x³ + x.

Proof. A genus 1 curve E over F2 having five rational points over F2 is an elliptic curve. Hence E admits a separable degree 2 morphism to P^1. It can be described as a smooth cubic in P² of affine equation of the form y² + a(x)y = f(x), where a(x) and f(x) are polynomials in F2[x], the first of degree 0 or 1 and the latter of degree 3 [Sil, Appendix A]. Since the point at infinity ∞ of P^1 ramifies in E, one has a(x) = 1. The affine points 0 and 1 of P^1 have to split, thus we have that f(0) = f(1) = 0 and hence f(x) = x(x + 1)(x + a), where a ∈ F2. If a = 1 we find the equation y² + y = x³ + x and if a = 0 the equation y² + y = x³ + x². These two curves are indeed isomorphic over F2 by changing coordinates through the map (x, y) → (x + 1, y). □

Remark 3.3. The function field of the genus 1 curve E can also be described as the ray class field of P^1 of conductor 4 times a rational point, in which the other two rational points of P^1 are both split. Since Aut(P^1) acts doubly transitively on {0, 1, ∞}, different choices give rise to isomorphic ray class fields.

Remark 3.4. We often refer to this unique optimal elliptic curve E throughout this paper. For future reference, we present here some properties of E. In terms of the affine equation y² + y = x³ + x, we denote the five rational points of E as follows: we write P0 for the point at infinity and we put

(3.1) P1 = (0, 0), P2 = (0, 1), P3 = (1, 0), P4 = (1, 1).

The real Weil polynomial of E is h(t) = t + 2. The vector a(E) of the numbers a_d of places of degree d = 1, 2, ... of E is given by a(E) = [5, 0, 0, 5, 4, 10, 20, ...]. Let a ∈ F16 be a root of x⁴ + x + 1. Then, the five places of degree 4 of E have coordinates
$$Q_1 = (a^3, a^3 + a),\quad Q_2 = (a^3, a^3 + a + 1),\quad Q_3 = (a^3 + 1, a),\quad Q_4 = (a^3 + 1, a + 1),\quad Q_5 = (a^2 + a + 1, a).$$
Let b ∈ F32 be a root of x⁵ + x³ + 1, then the four places of degree 5 of E consist of the points of coordinates:
$$R_1 = (b, b^4),\quad R_2 = (b, b^4 + 1),\quad R_3 = (b + 1, b^4 + b),\quad R_4 = (b + 1, b^4 + b + 1).$$
Let c ∈ F64 be a root of x⁶ + x⁵ + 1 = 0. The places of degree 6 of E have coordinates
$$\begin{aligned}
T_1 &= (c^5 + c^3 + c^2 + c + 1,\ c^5 + c^4 + c^3 + 1), & T_2 &= (c^5 + c^3 + c^2 + c,\ c^4 + c^2 + c), \\
T_3 &= (c^3 + c^2 + 1,\ c^3 + c^2 + c), & T_4 &= (c^3 + c^2 + 1,\ c^3 + c^2 + c + 1), \\
T_5 &= (c + 1,\ c^4 + c^3 + c^2 + c), & T_6 &= (c + 1,\ c^4 + c^3 + c^2 + c + 1), \\
T_7 &= (c^3 + c^2,\ c + 1), & T_8 &= (c^3 + c^2,\ c), \\
T_9 &= (c,\ c^4 + c^3 + c^2), & T_{10} &= (c,\ c^4 + c^3 + c^2 + 1).
\end{aligned}$$

The order 5 automorphism σ of E given by addition of P1 acts transitively on E(F2) as follows: P0 → P1 → P3 → P4 → P2 → P0. The action of σ on the places of degree 4 is as follows: Q1 → Q5 → Q2 → Q4 → Q3 → Q1. On the other hand, the order 4 automorphism of E
$$\tau : (x, y) \mapsto (x + 1,\ y + x + 1)$$
fixes P0 and acts transitively on the remaining four rational points: P1 → P4 → P2 → P3 → P1. Similarly, τ fixes Q5 and acts transitively on the remaining degree 4 places: Q1 → Q4 → Q2 → Q3 → Q1. The action of τ on the places of degree 5 is transitive: R1 → R4 → R2 → R3 → R1.

4. Uniqueness of genus 2 optimal curves

Proof of Theorem 1.1 for g = 2. A genus 2 optimal curve X over F2 is hyperelliptic. Since X has six rational points, all three rational points of P^1 split completely in the double covering X → P^1. By Theorem 2.4, the curve X has no places of degree 2 and only one place of degree 3. Thus only one degree 3 place Q of the two degree 3 places of P^1 totally ramifies in X. The different D of the corresponding function field extension is hence 2Q, since 2Q ≤ D and deg D = 6 by the Hurwitz formula. Any genus 2 curve having six rational points over F2 is hence a double covering of P^1 of conductor 2Q, where Q is a place of P^1 of degree 3, in which all rational points of P^1 are split. A different choice of the degree 3 place of P^1 leads to an F2-isomorphic curve. Indeed, the F2-isomorphism x → 1/x preserves the rational points of P^1, but switches the two degree 3 places. □


5. Uniqueness of genus 3 optimal curves

We briefly recall some important results on the Jacobian variety of a curve in order to state and prove a useful lemma.

Let X be a curve defined over Fq. We denote by Jac(X) the Jacobian variety of X and by T_ℓ the Tate module attached to Jac(X), where ℓ is a prime number different from the characteristic of Fq. We set V_ℓ = T_ℓ ⊗ Q_ℓ. Let F : V_ℓ → V_ℓ be the Frobenius map and let V : V_ℓ → V_ℓ be the Verschiebung map: the unique map such that V ∘ F = q. Then Z[F, V] ⊆ End(Jac(X)). Next we let φ be the canonical polarization on Jac(X). Then φ can be represented as a non-degenerate alternating form φ : V_ℓ × V_ℓ → Q_ℓ. Here Q_ℓ denotes the field of ℓ-adic numbers. Since φ(F(x), F(y)) = qφ(x, y) for every x, y ∈ V_ℓ, by bilinearity of φ we have that φ(F(x), F(y)) = qφ(x, y) = φ(qx, y) = φ(V(F(x)), y). It follows that φ(z, F(y)) = φ(V(z), y) for any y, z ∈ V_ℓ. In other words V is left adjoint to F with respect to φ.

Theorem 5.1 (Torelli Theorem [W]). Let X and X' be two curves over a perfect field k. Let τ : Jac(X) → Jac(X') be an isomorphism over k compatible with the canonical polarizations. Then
(1) if X is hyperelliptic, there exists a unique isomorphism f : X → X' over k which gives τ;
(2) if X is not hyperelliptic, there exists a unique isomorphism f : X → X' over k and a unique ε ∈ {±1} such that f gives ετ.

Corollary 5.2. If τ is an automorphism of Jac(X) over k preserving the polarization, then either τ or −τ comes from an automorphism over k of X.

Lemma 5.3. Any genus 3 curve X having exactly seven rational points over F2 admits an automorphism of order 7.

Proof. We show that for a genus 3 curve X having seven rational points over F2 the ring Z[F, V] ⊆ End(Jac(X)) is isomorphic to Z[ζ7], the ring of integers of Q(ζ7). The minimal polynomial of F + V is the real Weil polynomial of X. By Theorem 2.4 this is h(t) = t³ + 4t² + 3t − 1. It is an irreducible polynomial of discriminant 7². Hence, for a root α ∈ Q̄ of h(t), the number field Q(α) is a cyclic extension of degree 3 of Q, which is ramified only at 7. By the Kronecker-Weber Theorem the field Q(α) is hence the unique degree 3 subfield Q(ζ7 + ζ7⁻¹) of Q(ζ7) and Z[α] is its ring of integers. Consider now the minimal polynomial of Frobenius x² − αx + 2 ∈ Z[α][x]. Its discriminant α² − 8 has norm 7 and hence generates a prime ideal π ⊆ Z[α] lying over the prime 7 of Z. By class field theory Q(α) admits a unique quadratic extension unramified outside of π and the three infinite primes lying over 7. This is the field Q(ζ7), which has discriminant 7⁵ by the conductor-discriminant formula. The discriminant of Q(α, x) can be computed to be 7⁵ as well by means of the relative discriminant formula for towers of number fields. Hence Z[F, V] = Z[α, x] is the ring of integers Z[ζ7] of Q(ζ7) as wanted. Now Jac(X) has in particular an automorphism τ of order 7 corresponding to ζ7. We show that τ preserves the polarization φ. By bilinearity of φ and since V is the complex conjugate of F, the left adjoint to an element τ ∈ Z[F, V] is its complex conjugate τ̄. Since τ satisfies ττ̄ = 1, we have in particular that φ(τ(x), y) = φ(x, τ̄(y)) = φ(x, τ⁻¹(y)) for any x, y in V_ℓ. This implies that φ(τ(x), τ(y)) = φ(x, y) for any x, y ∈ V_ℓ. In other words τ preserves the polarization φ of Jac(X). By the above Corollary of Torelli's Theorem the curve X admits hence an automorphism f of order 7. Indeed if f does not induce τ of order 7, but f induces −τ, then f² is an automorphism of order 7 of X. □

Proof of Theorem 1.1 for g = 3. By Lemma 5.3 the curve X admits an automorphism f of order 7. Then, by Galois correspondence, X is a cyclic covering of degree 7 of a curve which can only be P^1 by comparing the genera and the degree of the different in the Hurwitz formula. By the conductor-discriminant formula, the conductor D of such a covering satisfies 6 deg D = 18. Since there are seven rational points on X, only one rational point P of P^1 splits completely. Thus one has D = Q, where Q is a place of P^1 of degree 3. Hence X is a cyclic degree 7 covering of P^1 of conductor Q, where one rational point P of P^1 splits completely. Different choices of P in {0, 1, ∞} and of the degree 3 place Q give rise to F2-isomorphic curves. Indeed, since the automorphism group of P^1 acts transitively on the rational points, we can always first reduce to the case P = ∞. Next the automorphism x → x + 1 fixes P and maps one degree 3 place of P^1 into the other one. □

6. Uniqueness of genus 4 optimal curves

Proof of Theorem 1.1 for g = 4. By Theorem 2.4 the real Weil polynomial of an optimal genus 4 curve X over F2 is h(t) = (t + 1)(t + 2)(t² + 2t − 2). The resultant of the polynomials t + 2 and (t + 1)(t² + 2t − 2) is 2. Proposition 2.3 implies therefore that the curve X is a double covering of the unique optimal elliptic curve E having real Weil polynomial t + 2 described in Remark 3.4. Since X has no places of degree 2, no rational point of E can be inert in X. Hence, since X has eight rational points, there is only one possibility for the five rational points of E: three of them split completely and two are totally ramified. Denoting by P and P' the two wildly ramified rational points of E, we have that the contribution to the different of the quadratic function field extension F2(X)/F2(E) is at least 2P + 2P'. Since the degree of the different has to be 6 by the Hurwitz formula, the different, which is also the conductor of the extension, is 4P + 2P' or 2P + 4P'. Thus any optimal genus 4 curve over F2 is a double covering of the optimal elliptic curve E of conductor 4P + 2P' or 2P + 4P', in which the other three rational points of E split completely. Uniqueness of X follows from the fact that Aut(E) acts doubly transitively on E(F2) as described in Remark 3.4. □

7. Uniqueness of genus 5 optimal curves

Lemma 7.1. Let C be the hyperelliptic curve over F2 of affine equation y² + y = x⁵ + x³. Let P be a rational point of C and let K be the ray class field of F2(C) of conductor 4P in which all rational points of C except P split completely. Then K = F2(C) except when P is the point at infinity, in which case we have [K : F2(C)] = 2.

Proof. Let t denote a uniformizer at P and let S = C(F2) \ {P}. By Artin reciprocity the Galois group Gal(K/F2(C)) is isomorphic to the S-ray class group of C modulo 4P [N-X, Section 2.5]. In this case the latter is isomorphic to a quotient of R = (F2[[t]]/(t⁴))* ≅ Z4 × Z2 by the S-unit group of C [Sch, Section 8]. We show that if P is the point at infinity of C we have Gal(K/F2(C)) ≅ Z2. On the other hand, if P is one of the other rational points P0 = (0, 0), P0' = (0, 1), P1 = (1, 0), or P1' = (1, 1) of C, the group Gal(K/F2(C)) is trivial. A sketch of the computations follows.

i) Let P be the point at infinity of C. Then a basis for the S-unit group of C consists of the functions with principal divisors given by
$$\left(\frac{y + x^3}{x^3}\right) = 2P_0 + P_1' - 3P_0', \qquad \left(\frac{y + 1}{y}\right) = 3(P_0' - P_0) + 2(P_1' - P_1), \qquad \left(\frac{x + 1}{x}\right) = P_1 - P_0 + P_1' - P_0'.$$
Let t = y/x³ be a uniformizer at P, then their images in R are:
$$\frac{y + x^3}{x^3} \equiv 1 + t \bmod t^4, \qquad \frac{y + 1}{y} = 1 + \frac{1}{y} \equiv 1 + t^5 \equiv 1 \bmod t^4, \qquad \frac{x + 1}{x} = 1 + \frac{1}{x} \equiv 1 + t^2 \bmod t^4,$$
since 1/y = t⁵ + O(t⁶) and 1/x = t² + O(t⁴). The element 1 + t generates a subgroup R' of R of index 2 and 1 + t² ∈ R'. Therefore Gal(K/F2(C)) ≅ R/R' ≅ Z2.

ii) Let P = P0 and x a uniformizer at P. In this case consider the two F2-linearly independent S-units of divisors given by
$$(x + 1) = P_1 + P_1' - 2P_\infty, \qquad (y + 1) = 3P_0' + 2P_1' - 5P_\infty.$$
Here P∞ denotes the point at infinity of C. By means of Hensel's lemma, we compute the local expansion of y at P0 as y = x³ + x⁵ + O(x⁶). Therefore their images in R are
$$x + 1 \equiv 1 + x \bmod x^4, \qquad y + 1 \equiv 1 + x^3 \bmod x^4.$$
In this case the group R is generated by the images of the S-units and thus the quotient group is trivial. The other possibilities for P reduce to case ii) by applying the order 4 automorphism ϕ : (x, y) → (x + 1, y + x² + 1) of C. It fixes the point at infinity of C and acts transitively on the other rational points of C. □

Proof of Theorem 1.1 for g = 5. By Theorem 2.4 a genus 5 optimal curve X defined over F2 has real Weil polynomial h(t) = t(t + 2)²(t² + 2t − 2). Since the principal ideal (t(t + 2), t² + 2t − 2) ∩ Z is generated by 2, Proposition 2.2 implies that the curve X is a double covering of a curve C having real Weil polynomial either t(t + 2)² or t² + 2t − 2. If C had t(t + 2)² as real Weil polynomial, it would be a genus 3 curve having seven rational points over F2, which is impossible by Theorem 2.4.


Hence C is a genus 2 curve having five rational points and no place of degree 2. Every genus 2 curve defined over F2 is a hyperelliptic curve. Up to F2-isomorphism there exists a unique hyperelliptic curve C over F2 having real Weil polynomial t² + 2t − 2. Indeed such a hyperelliptic curve has five rational points and no place of degree 2. Thus the different of the function field extension associated to the double covering C → P^1 has to be 6Q, where Q is a rational point of P^1. According to the classification of genus 2 curves over F2 in [M-N, page 327], by taking Q = ∞, any such hyperelliptic curve is F2-isomorphic to a projective curve of affine equation y² + y = x⁵ + ax³ + bx² + c, with a, b, c ∈ F2. Of the eight possible equations arising from the choice of the parameters a, b, c, only the affine equation y² + y = x⁵ + x³ describes a projective curve having five rational points over F2 and no places of degree 2. Since X has nine rational points, only one rational point P of C ramifies in the double covering X → C, while the other four rational points of C split completely in X. The different of F2(X)/F2(C) is hence 4P, since it must have degree 4 by the Hurwitz formula. The function field F2(X) is hence an abelian extension of F2(C) of conductor 4P, where the other four rational points of C split completely. The maximal among such abelian extensions is the ray class field K described in Lemma 7.1. Hence P is the point at infinity of C and F2(X) = K. □

8. Genus g = 6 optimal curves

Theorem 2.4 lists the two possible real Weil polynomials of an optimal genus 6 curve defined over F2. In this section we give a proof of the existence of a unique genus 6 curve for each of the two listed polynomials.

Proposition 8.1. Up to F2-isomorphism, there is a unique curve having real Weil polynomial as in (2.2) of Theorem 2.4.

Proof. Let X be a genus 6 optimal curve defined over F2 having real Weil polynomial h(t) = t(t + 2)(t^4 + 5t^3 + 5t^2 − 5t − 5). Since the resultant of the factors t + 2 and t(t^4 + 5t^3 + 5t^2 − 5t − 5) is −2, there exists a degree 2 morphism X → E by Proposition 2.3. All of the five rational points of E split completely into the ten rational points of X. By the Hurwitz formula the degree of the different of F2(X)/F2(E) is 10. Now, since a2(X) = a3(X) = a4(X) = 0, the different is precisely 2R, where R is a degree 5 place of E. Thus, any such optimal genus 6 curve is a double covering of E of conductor 2R, in which all rational points of E are split. As observed in Remark 3.4, the elliptic curve E has actually four points of degree 5 and the F2-automorphism τ of E acts transitively on them. The choice of a different degree 5 ramifying point gives thus an F2-isomorphic curve. □

In the rest of the section, let X be a genus 6 optimal curve over F2 having real Weil polynomial as in (2.3) of Theorem 2.4.

Proposition 8.2. Up to F2-isomorphism, there is a unique curve having real Weil polynomial as in (2.3) of Theorem 2.4.

Lemma 8.3. The curve X is a non-Galois covering of degree 3 of the elliptic curve E such that X is unramified outside of E(F2).

The following definition introduces a notation for the splitting behavior of the rational points of the elliptic curve E.


Definition 8.4. Let X → E be a degree 3 covering defined over F2. Consider a rational point P of E. We say that P is
a) an A-point, if P splits completely in X;
b) a B-point, if P splits into two points of X, one unramified and the other one with ramification index 2;
c) a C-point, if P is totally ramified in X with ramification index 3.
Moreover we denote by a, b, c the number of A-points, B-points and C-points of E respectively.

Proof of Lemma 8.3. By Theorem 2.4, the real Weil polynomial of X is h(t) = (t − 1)(t + 2)(t^2 + 3t + 1)^2. Since the resultant of the polynomials t + 2 and (t − 1)(t^2 + 3t + 1) is equal to 3, by Proposition 2.3 the curve X admits a morphism of degree 3 to the optimal elliptic curve E described in Remark 3.4. Since the parameters of X are a(X) = [10, 0, 0, 0, 2, 15, ...], there are no places of degree 2 or 3 on X. Therefore each of the F2-rational points of E can be either an A-point, a B-point or a C-point in the sense of Definition 8.4. Then we have a + b + c = 5 and 3a + 2b + c = 10, and hence 2a + b = 5 and a = c. This leaves us with the three cases of Table 1. In each case the covering X → E is

Table 1. Splitting behavior of the rational points of E in X

         a b c
case I   0 5 0
case II  1 3 1
case III 2 1 2

non-Galois since b is never zero. Moreover the function field extension F2(X)/F2(E) is unramified outside of E(F2). Consider indeed the degree of the different, which is 10 by the Hurwitz formula. By Definition 8.4, only one of the two points of X lying over a B-point of E is wildly ramified. This gives a contribution to the degree of the different which is at least 2. The contribution to the different that comes from the rational points of E is therefore at least db + 2c with d ≥ 2. Therefore it is at least 5·2 = 10 in case I, at least 3·2 + 2 = 8 in case II and at least 1·2 + 2·2 = 6 in case III. Since there are no points of degree 2, 3 or 4 on X, any other non-rational ramified place of E should have degree strictly larger than 4. But this would give a too large contribution to the different in each of the three cases. Hence there are no other places of E ramifying in X but those of degree one. □

Definition 8.5. We denote by X̃ the curve whose function field is the normal closure of F2(X) with respect to F2(E): it is a Galois extension of F2(E) having Galois group isomorphic to the symmetric group S3. We denote by X′ the curve having as function field the quadratic extension of F2(E) corresponding to the group A3 ≅ Z3, the unique (normal) subgroup of S3 of index 2. The situation is described in the following picture:


(Diagram: X̃ at the top; below it the three degree 3 coverings X, Y, Z of E, each reached from X̃ by a map of degree 2, and the quadratic covering X′ of E, reached from X̃ by a map of degree 3; E at the bottom. On the right the corresponding lattice of subgroups of G = S3: {1} at the top, the three subgroups Z2 and the subgroup Z3 in the middle, G at the bottom.)

We sum up some arithmetical properties of X̃ and X′ in the following auxiliary lemmas.

Lemma 8.6.
a) The A-points of E split completely in X̃ and X′.
b) Over each B-point of E there are three points of X̃, each with ramification index 2, and there is one point of X′ with ramification index 2.
c) Over each C-point of E there is a unique place of X′ of degree 2.

Proof. Let Y be the degree 3 covering of E as in the picture above.

a) Each A-point P of E splits completely over F2(Y) ≅ F2(X) as well. Hence the function field of X̃, being the compositum of F2(X) and F2(Y), is the splitting field of P. Moreover, since the function field of X′ is contained in it, P splits completely in X′ as well.
b) Since there is more than one point of X̃ lying over a B-point P of E, the decomposition groups of the points lying over P have order 2. Since the ramification index of one of the points of X lying over P is 2, all points of X̃ lying over P have ramification index 2. It also follows that there is a unique point of X′ lying over P. It has ramification index 2.
c) Let P be a C-point of E. Since the inertia group of any of the points of X̃ lying over P has order divisible by 3, the same is true for a point P′ of X′ lying over P. It follows that X̃ → X′ is a cyclic degree 3 covering that is ramified at P′. Therefore, by class field theory, the multiplicative group of the residue field of P′ must have order divisible by 3. It follows that P must be inert in X′. Indeed, in this case the residue field of P′ is F4. □

Lemma 8.7. The curve X′ is defined over F2 and has genus g′ = 6 − c. Moreover, the covering X′ → E is ramified exactly at the B-points of E.

Proof. Since X → E is unramified outside of E(F2) by Lemma 8.3, the same holds for the covers X̃ and X′ of E. Lemma 8.6 implies then that X′ → E is ramified precisely at the B-points of E. By Table 1 there is always at least one such point. Thus, since the residue field of any place contains the constant field, the constant field of X′ is F2. In order to compute the genus of X′ we compare the different Diff(X′/E) of F2(X′)/F2(E) with the different Diff(X/E) of F2(X)/F2(E). By the Hurwitz formula we have that 10 = 2·6 − 2 = deg Diff(X/E) = deg Diff(X/E)_tame + deg Diff(X/E)_wild. The contribution given to Diff(X/E) by the c tamely ramified points is 2c. Therefore the contribution of the b wildly ramified points is 10 − 2c. Since these are precisely the points that are ramified in X′ → E, the degree of Diff(X′/E) is also equal to 10 − 2c. It follows that 2g′ − 2 = 10 − 2c, so that g′ = 6 − c as required. □

Lemma 8.8. For low degrees d, the numbers a_d of places of degree d of the curves X̃ and X′ are as follows:
a1(X̃) = 6a + 3b, a1(X′) = 2a + b;
a2(X̃) = c, a2(X′) = c;
a3(X̃) = 0, a3(X′) = 0;
a4(X̃) = 0, a4(X′) = 10;
a5(X̃) = 0.

Proof. The computation of the numbers a1(X̃) and a1(X′) of F2-rational points of X̃ and X′ respectively follows directly by Lemma 8.6. By the same Lemma the degree 2 places of X′ are precisely the ones lying over the C-points of E and they are themselves totally ramified in X̃. This gives a2(X′) = c = a2(X̃). Because of Theorem 2.4, the curve X has parameters a(X) = [10, 0, 0, 0, 2, 15, ...] and in particular a3(X) = 0. Since also a3(E) = 0, it follows at once that a3(X′) = a3(X̃) = 0. The curve X has no places of degree 2 or 4, thus a4(X̃) = 0. Moreover this means that the five places of degree 4 of E are inert in X. Since they are not ramified, their decomposition group has to be cyclic and hence of order 3. Therefore they are split in X′ and we have a4(X′) = 2a4(E) = 2·5 = 10.

Suppose that a5(X̃) is not zero; then one of the places of degree 5 of E splits completely in X̃. This implies that X has at least three places of degree 5, which is not the case. Therefore a5(X̃) = 0. □

The following Lemma describes abelian extensions KD of F2(E) for particular choices of the conductor D. These extensions play a role in the proof of Proposition 8.10. The divisor D is a sum of points in E(F2). See Remark 3.4 for the notation.

Lemma 8.9. Let KD denote the ray class field of F2(E) of conductor D in which the point at infinity and all places of degree 4 of E split completely. Then KD is trivial when D =4P1 +2P2 +2P3 or D =2P1 +2P2 +4P3. It has degree 2 over F2(E) when D =2P1 +4P2 +2P3.

Proof. Let Q1, Q2, ..., Q5 denote the degree 4 places of E as listed in Remark 3.4 and let S = {Q1, Q2, Q3, Q4, Q5, P0}. A basis for the S-unit group of E is given by the following functions ui, i = 1, ..., 5:
u1 = x^4 + x^3 + x^2 + x + 1, with (u1) = Q1 + Q2 − 8P0,
u2 = x^4 + x^3 + 1, with (u2) = Q3 + Q4 − 8P0,
u3 = x^2 + x + 1, with (u3) = Q5 − 4P0,
u4 = (y + x^3)(y + x^3 + x^2)^2 / (y(y + x)(x^2 + x + 1)^3), with (u4) = Q1 + 2Q3 − 3Q5,
u5 = (y + x^3)^2(y + x^3 + x^2 + 1) / ((y + 1)(y + x)(x^2 + x + 1)^3), with (u5) = Q4 + 2Q1 − 3Q5.


Then consider the ray class field K_D of F2(E) of conductor D = 4P1 + 4P2 + 4P3 in which the places in S split completely. We are interested in the ray class fields K_{Dj}, j = 1, 2, 3, that are subfields of K_D of conductor D1 = 4P1 + 2P2 + 2P3, D2 = 2P1 + 4P2 + 2P3 and D3 = 2P1 + 2P2 + 4P3. The corresponding S-ray class groups modulo Dj are quotients of the groups
Rj = (F2[[tj]]/(tj^4))^* ⊕ (F2[[tj′]]/(tj′^2))^* ⊕ (F2[[tj″]]/(tj″^2))^* ≅ Z4 × Z2 × Z2 × Z2
by the image of the S-unit group of E [Sch, Section 8]. Here tj, tj′, tj″ denote uniformizers of Pj, Pj′, Pj″ respectively, for {j, j′, j″} = {1, 2, 3}. We show that the order of the S-ray class group modulo Dj is 2 for j = 2, while for j = 1, 3 this group is trivial. In Table 2, we display in the column marked by Rj, j = 1, 2, 3, the images of the ui’s (i ≠ 3) in the group Rj. We remark that the computations for the units u4 and u5 can be performed calculating the local expansions yj of y at Pj, for j = 1, 2, 3:
y1 = x + x^2 + x^3 + x^4 + x^6 + O(x^7),
y2 = 1 + x + x^2 + x^3 + x^4 + x^6 + O(x^7),
y3 = t^2 + t^3 + t^4 + t^6 + O(t^7), where t = x + 1.

Table 2. Images of the ui’s in the group Rj ,forj =1, 2, 3.

ui   R1                              R2                          R3
u1   (1 + t1)^3 (1 + t2)             (1 + t1)(1 + t2)^3          (1 + t1)(1 + t2)(1 + t3^3)
u2   (1 + t1^3)(1 + t3)              (1 + t2^3)(1 + t3)          (1 + t3)^3
u4   (1 + t1)^2 (1 + t1^3)(1 + t2)   (1 + t2)^3 (1 + t2^3)       1 + t2
u5   1 + t3                          (1 + t2^3)(1 + t3)          (1 + t3)^3 (1 + t3^3)

One checks that in R2 the images of the ui’s for i ≠ 3 generate a subgroup of index 2. The image of u3 is (1 + t1)(1 + t2)^3 (1 + t2^3)(1 + t3) and lies hence in the same subgroup. On the other hand, the images of the ui’s, i ≠ 3, are independent generators of R1: the image of u1 has order 4 and the images of u2, u4 and u5 have order 2. Thus in this case the ray class group is trivial. Similarly for the images of u1, u2, u4 and u5 in R3: also in this case the ray class group is trivial. □

Proposition 8.10. All rational points of E are ramified in X. The curve X′ has genus 6 and real Weil polynomial h(t) = t(t + 2)(t^2 − 5)^2. In other words, only the configuration of case I in Table 1 is possible.

Proof. According to Table 1, there are three possibilities for the splitting behavior of the rational points of E in X. Moreover by Lemmas 8.7 and 8.8 the genus g′ and the vector a(X′) of the curve X′ are in the three cases as follows:

         a b c g′ a(X′)
case I   0 5 0 6  [5, 0, 0, 10, ...]
case II  1 3 1 5  [5, 1, 0, 10, ...]
case III 2 1 2 4  [5, 2, 0, 10, ...]

Case III cannot occur since in this case the curve X′ would be a genus 4 curve having N4 = N + 2a2 + 4a4 = 5 + 2·2 + 4·10 = 49 rational points over F_{2^4}, while N4(4) = 45 according to [G-V]. In case II a computer calculation gives only one possible real Weil polynomial for X′, namely h(t) = (t + 2)(t^2 − 5)(t^2 − 2). Now, since the automorphism group of E acts doubly transitively on E(F2) as described in Remark 3.4, we may assume that the point at infinity P0 of E is the unique A-point of E and that P4 = (1, 1) is the unique C-point. The remaining three rational points of E are {P1, P2, P3}. They are B-points of E and hence ramify in X′ → E by Lemma 8.6. Moreover, since a4(X′) = 10 and a4(E) = 5, all five degree 4 places of E split completely in X′. By the Hurwitz formula the degree of the different of F2(X′)/F2(E) is 8. Therefore Lemma 8.9 implies that F2(X′) is equal to the ray class field of F2(E) of conductor 2P1 + 4P2 + 2P3, in which P0 and all degree 4 places of E split completely. Consider now the curve X̃. It is a degree 3 abelian covering of X′. Since X̃ has 15 rational points by Lemma 8.8, all five rational points of X′ split completely in X̃. Moreover, since X → E and X′ → E are both unramified outside of E(F2), only the degree 2 place P4′ of X′, which lies over P4 of E, ramifies in X̃. The curve X̃ is hence the ray class field of F2(X′) of conductor P4′, where all rational places of X′ split completely. A computer calculation with MAGMA shows that the associated ray class group is trivial. Hence case II cannot occur. In case I a computer calculation gives only one possible real Weil polynomial for X′, namely h(t) = t(t + 2)(t^2 − 5)^2. □

In the next two lemmas we describe two curves appearing in the proof of Proposition 8.2.

Lemma 8.11. There exists a unique curve C having real Weil polynomial h(t) = (t + 2)(t − 1). Up to F2-isomorphism, this is a genus 2 projective curve described by the affine equation y^2 + xy = x^5 + x^4 + x^2 + x.

Proof. A curve C having real Weil polynomial h(t) = (t + 2)(t − 1) is a genus 2 curve having four rational points and two places of degree 2 over F2. Since it is a hyperelliptic curve, we can consider the double covering C → P1. The different of the corresponding function field extension is 4P + 2P′, where P and P′ are rational points of P1.
Indeed, by the Hurwitz formula, the degree of the different is 6 and, since C has four rational points, two of the rational points of P1 are wildly ramified and one splits completely. The coefficients of P and P′ are forced to be even since F2(C) is an Artin-Schreier extension of the rational function field. Notice also that the possibility that two rational points of P1 split and the third stays inert in F2(C) is excluded by the fact that in this case the degree 2 place of P1 would be ramified, giving a contradiction in the computation of the different. According to the classification of genus 2 curves over F2 in [M-N, page 327], by taking P = P∞ and P′ = (0, 0), any such hyperelliptic curve over F2 is F2-isomorphic to a projective curve of affine equation y^2 + y = x^3 + ax + 1/x + b, with a, b ∈ F2. There are hence four possibilities for the parameters a and b, but only y^2 + y = x^3 + x + 1/x + 1 is the equation of a projective curve having four rational points over F2 and two places of degree 2. This curve is F2-isomorphic to the projective curve of simpler affine equation y^2 + xy = x^5 + x^4 + x^2 + x, an isomorphism being given by (x, y) ↦ (x, (y + x^2)/x). □

Lemma 8.12. Let C be the curve of Lemma 8.11. Then C admits an unramified cyclic degree 5 covering in which both the point at infinity P∞ and the point (0, 0) split. This covering is unique up to isomorphism. Moreover, for any other choice of rational points P and P′ of C, any cyclic unramified degree 5 covering of C in which P and P′ split is necessarily trivial.


Proof. Consider the maximal unramified extension L of the function field K of C where P∞ splits completely. By class field theory, the Galois group Gal(L/K) is isomorphic to the quotient of the class group Pic(C) by the subgroup generated by the image in Pic(C) of the Frobenius element Frob P∞ ∈ Gal(L/K) of P∞. Hence Gal(L/K) ≅ Pic^0(C). Let h(t) be the real Weil polynomial of C as in Lemma 8.11. By [Sti, Theorem 5.1.15 (c)] the class number #Pic^0(C) of C equals L(1), where L(t) is the numerator of the Zeta function of C. Since L(1) = h(q + 1) by (2.1), one has #Pic^0(C) = h(3) = 10. Therefore there exists a unique unramified cyclic degree 5 extension K′ of F2(C) in which P∞ splits completely. Since the divisor (x) = 2((0, 0) − P∞) is principal, the Frobenius of (0, 0) is trivial in Gal(K′/K) ≅ Z5 ≅ Pic^0(C)/Z2, so that the rational point (0, 0) is also split in K′. On the other hand, if we replace the points P∞ and (0, 0) by any other pair of rational points of C, there is no such unramified cyclic degree 5 extension. To see this, we note that C has four rational points: P∞, (0, 0), (1, 0) and (1, 1). If two of these were to split in an unramified cyclic degree 5 covering of C, then 2 times their difference would be a principal divisor. By adding or subtracting the principal divisors 2((0, 0) − P∞) and 2((1, 0) + (1, 1) − 2P∞), this boils in each case down to the question of whether or not the divisor 2((1, 0) − P∞) is principal. Suppose that 2((1, 0) − P∞) is the divisor of a function f ∈ F2(C). Since the only functions in F2(C) with a pole of order 2 at infinity are linear functions in x, we must have f = x + 1, but then f also vanishes in (1, 1), a contradiction. □

Proof of Proposition 8.2. By Lemma 8.3 the genus 6 curve X is a non-Galois covering of degree 3 of the elliptic curve E. Moreover, by Proposition 8.10 the only possibility for the splitting behavior of the rational points of E in X is described in case I of Table 1.
In other words, all rational points of E are B-points in the sense of Definition 8.4. In order to show that such a curve X is unique, consider the quadratic function field extension F2(X′)/F2(E) described in the picture of Definition 8.5. By the Hurwitz formula and Proposition 8.10, this is an abelian extension of F2(E) of conductor Σ_{i=0}^{4} 2Pi where all places of E of degree 4 split completely. Let τ be the order 4 automorphism of E described in Remark 3.4. Then the endomorphism τ + 2 of the elliptic curve E has degree 5 and kernel E(F2). The Galois group of the covering τ + 2: E → E consists of the translations by the points Pi of E. It preserves both the set E(F2) and the set of places of E of degree 4. Therefore the covering X′ → E → E, the second map being τ + 2, is Galois. Similarly, the covering X̃ → X′ is unramified and cyclic of degree 3. Lemma 8.8 implies that all rational points of X′ are split. By class field theory, there exists a unique such degree 3 covering of X′. Indeed, let h(t) be the real Weil polynomial of X′ as in Proposition 8.10. By [Sti, Theorem 5.1.15 (c)] one has #Pic^0(X′) = L(1), where L(t) is the numerator of the Zeta function of X′. Hence, since by (2.1) one has L(1) = h(3) = 2^4 · 3 · 5, there exists a unique index 3 subgroup in the class group of X′. Thus the function field extension corresponding to the covering X̃ → E → E, the second map again being τ + 2, is also Galois. The Galois group G is an extension of Z5 by S3. Since these groups have coprime order and Z5 necessarily acts trivially on S3, the Schur–Zassenhaus Theorem implies that G is a direct product of Z5 and S3. By Galois correspondence there exists hence a tower of function fields corresponding to the morphisms of curves X̃ → Y → E, such that Gal(F2(Y)/F2(E)) ≅ S3. Let ρ be a generator of Gal(F2(X̃)/F2(X)) ⊆ S3 and consider invariant fields. We obtain a cyclic covering X → C of degree 5, which is unramified since τ + 2: E → E is.

(Diagram: three rows of degree 5 coverings, Y ← X̃, C ← X and E ← E (the last one being τ + 2), with vertical maps of degree 2 from the first row to the second and of degree 3 from the second to the third. The corresponding subgroups of G = Z5 × S3 are Z5, Z5 × Z2, Z5 × S3 for Y, C, E and {1}, Z2, S3 for X̃, X, E.)

The curve C has genus 2 by the Hurwitz formula. The real Weil polynomial of C is thus a degree 2 factor of the real Weil polynomial of X. Since C is also a degree 3 covering of E, the real Weil polynomial of C is divisible by the real Weil polynomial t + 2 of E, since the same holds for the corresponding Zeta functions [A-P]. Hence the real Weil polynomial of C is h(t) = (t + 2)(t − 1). By Lemma 8.12, the curve C indeed admits such an unramified cyclic degree 5 covering. Therefore there actually exists a unique curve X with real Weil polynomial equal to polynomial (2.3) in Theorem 2.4 and Proposition 8.2 follows. □

9. Genus 7 optimal curves

Let E be the optimal genus 1 curve of affine equation y^2 + y = x^3 + x described in Remark 3.4. In this last section we present a class field theoretic construction of a ray class field of F2(E) whose proper quadratic subfields are function fields of optimal genus 7 curves. We show that the Zeta functions of these curves are not all the same, providing existence of at least two non-isomorphic genus 7 optimal curves over F2.

Proposition 9.1. Let K be the function field of E and let Q denote a degree 6 place of K of uniformizer t = x^6 + x^5 + 1. Let L be the ray class field of K of conductor 2Q, in which all five rational points of K split completely. The Galois group Gal(L/K) is isomorphic to Z2 ⊕ Z2. The quadratic subfields of L are function fields of optimal genus 7 curves that do not all have the same Zeta function.

(Diagram: the curve Y with function field L at the top; below it the three curves X1, X2, X3, each reached from Y by a map of degree 2 and each a degree 2 covering of E at the bottom; on the right the corresponding subgroups {1}, the three subgroups Z2, and G of G = Gal(L/K).)

Proof. Let a ∈ F_{2^6} be a root of x^6 + x^5 + 1, and let Q be the place that consists of the point (a, a^4 + a^3 + a^2 + 1) and its conjugates. The prime ideal corresponding to Q is p = (x^6 + x^5 + 1, y + x^4 + x^3 + x^2 + 1). The principal divisor (x^6 + x^5 + 1) is equal to Q + Q′ − 12P0 where Q′ is the place consisting of (a, a^4 + a^3 + a^2) and its conjugates. We take t = x^6 + x^5 + 1 as a uniformizer at Q. Denote by S the set of the five rational points of E described in Remark 3.4. Let L be the ray class field of K of conductor 2Q, in which all five rational points in S split completely. Then, by Artin reciprocity, the Galois group G = Gal(L/K) is isomorphic to the quotient of R = F_{2^6}[[t]]^* / {u : u ≡ 1 mod t^2} by the image of the S-unit group O_S^* of K. A basis for O_S^* is given by the functions x, x + 1, y and y + x having the following principal divisors

(x)=P1 + P2 − 2P0,

(x +1) = P3 + P4 − 2P0,

(y)=P1 +2P3 − 3P0,

(x + y) = 2P1 + P4 − 3P0.

In order to compute the image of the S-units in R, we first observe that the image of the S-unit x has order 63 modulo t and hence it generates the 63-part of R. Then we compute

x^63 − 1 ≡ (x + 1)t mod t^2,
(x + 1)^63 − 1 ≡ xt mod t^2,
y^63 − 1 ≡ (x^5 + x^2)t mod t^2,
(y + x)^63 − 1 ≡ (x^5 + x^4 + x^3 + x^2)t mod t^2.

Thus Gal(L/K) is isomorphic to the quotient of F2[x]/(x^6 + x^5 + 1) by the additive subgroup H generated by x + 1, x, x^5 + x^2 and x^5 + x^4 + x^3 + x^2. This is a quotient group of order 4 where all elements have order 2. Hence Gal(L/K) ≅ Z2 ⊕ Z2. The three subgroups of order 2 of Gal(L/K) correspond to three coverings X1, X2 and X3 of E as in the diagram. Each curve Xi has ten rational points over F2, since all five rational places of E split completely. Since the non-trivial characters of Gal(L/K) have conductor 2Q, the different of each quadratic extension F2(Xi)/F2(E) has degree 12 and the three curves have genus 7 by the Hurwitz formula. Since N2(7) = 10 by Theorem 5 in [S1], they are three genus 7 optimal curves over F2. To show that the curves are not all isomorphic it suffices to consider the number of places of degree d of each curve Xi for d ≤ 4. Since the rational points of E are all split and E has no places of degree 2 or 3, none of the three curves Xi has places of degree 2 or 3 either. Therefore a curve Xi can only have places of degree 4 if some places of E of degree 4 split completely in Xi. By class field theory, a place P of E splits completely in Xi if and only if the image of the uniformizer of P is trivial in the quotient Ri of R which is the ray class group of the covering Xi → E. Consider the index 2 additive subgroups H1 = H + ⟨x^3⟩, H2 = H + ⟨x^2⟩ and H3 = H + ⟨x^3 + x^2⟩ of F2[x]/(x^6 + x^5 + 1). The ray class group Ri associated to the curve Xi is isomorphic to the quotient group of F2[x]/(x^6 + x^5 + 1) by Hi for i = 1, 2, 3. We present the results of the computation in Table 3. The first column lists for j = 1, ..., 5 the degree 4 places Qj of E as in Remark 3.4. In the second and third column we display the uniformizers uj(x, y) of the Qj and the images gj(x) in F2[x]/(x^6 + x^5 + 1) of the uj(x, y). In other words we have uj(x, y)^63 − 1 ≡ gj(x)t mod t^2.
In the last column we write Hi for i = 1, 2, 3 whenever gj(x) belongs to Hi. The curve X1 has four places of degree 4, since both Q2 and Q5 split. Similarly, also X3 has four places of degree 4. On the other hand


Table 3. Splitting behavior of the degree 4 places of E in each curve Xi.

Qj   uj(x, y)             gj(x)              Hi
Q1   y + x^3              x^5 + x            H2
Q2   y + x^3 + 1          x^4                H1
Q3   y + x^3 + x^2        x^5 + x^3 + x      H3
Q4   y + x^3 + x^2 + 1    x^4 + x^2          H3
Q5   x^2 + x + 1          x^5 + x^3 + x^2    H1

the curve X2 has only two places of degree 4, since only Q1 splits. Hence the two curves X1 and X2 are not isomorphic. □

Remark 9.2. Let σ and τ be the automorphisms of E described in Remark 3.4. Then the action of σ on the places of degree 6 of E listed in Remark 3.4 is given by T1 → T9 → T3 → T4 → T10 → T1. Since the elliptic involution τ^2 switches T9 and T10, we have that σ^3τ^2 preserves T10. In terms of adding points on the elliptic curve E one has σ^3τ^2: (x, y) ↦ (1, 1) − (x, y). A short computation shows that σ^3τ^2 switches the functions x^3 and x^3 + x^2 modulo the subgroup H of F2[x]/(x^6 + x^5 + 1). Therefore the curves X1 and X3 are actually isomorphic. For completeness we compute the real Weil polynomials of the optimal genus 7 curves.
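The S-unit and splitting computation behind Table 3 (and behind Table 4 in the proof of Proposition 9.3), carried out in plain Python as an added example; this is not the paper's own code or its MAGMA script. It assumes only the data stated on the page: E: y^2 + y = x^3 + x, the place Q with uniformizer t = x^6 + x^5 + 1 and residue field F_64 = F2[x]/(x^6 + x^5 + 1), and the uniformizers listed in the two tables; the expansion f = f0 + f1 t + O(t^2) at Q is obtained from dx/dt = 1/t′(a) = 1/a^4 and dy/dx = x^2 + 1.

```python
"""Added example (not from Rigato's paper): the computation of Proposition 9.1
in F_64 = F_2[x]/(x^6 + x^5 + 1), elements stored as 6-bit ints (bit i <-> x^i)."""

MOD = 0b1100001   # x^6 + x^5 + 1
N = 6

def gf_mul(u, v):
    """Product in F_64."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> N & 1:
            u ^= MOD
    return r

def gf_pow(u, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u, e = gf_mul(u, u), e >> 1
    return r

def gf_inv(u):
    return gf_pow(u, 62)          # u^63 = 1 for every u != 0

A = 0b10                          # a = x mod (x^6 + x^5 + 1), a root of t
Y0 = gf_pow(A, 4) ^ gf_pow(A, 3) ^ gf_pow(A, 2) ^ 1    # (a, Y0) is the point of Q

def point_on_E(x, y):
    """y^2 + y == x^3 + x in F_64."""
    return gf_mul(y, y) ^ y == gf_pow(x, 3) ^ x

def poly_eval(p, u):
    """Value at u in F_64 of p in F_2[x] (bit i <-> x^i)."""
    r = 0
    for i in range(p.bit_length()):
        if p >> i & 1:
            r ^= gf_pow(u, i)
    return r

def poly_deriv(p):
    """Formal derivative in characteristic 2: only odd-degree terms survive."""
    return sum(1 << (i - 1) for i in range(1, p.bit_length(), 2) if p >> i & 1)

def local_image(p, c):
    """g in F_64 with f^63 - 1 = g*t (mod t^2) for f = p(x) + c*y, c in {0, 1}.

    In the completion at Q, f = f0 + f1*t + O(t^2) with f0 = f(a, Y0) and
    f1 = (df/dx)(a) * dx/dt, where dx/dt = 1/t'(a) = 1/a^4 (t' = x^4 in char 2)
    and dy/dx = x^2 + 1 on E.  As 63 is odd, f^63 = 1 + (f1/f0)*t + O(t^2).
    """
    f0 = poly_eval(p, A) ^ (Y0 if c else 0)
    df = poly_eval(poly_deriv(p), A) ^ ((gf_mul(A, A) ^ 1) if c else 0)
    f1 = gf_mul(df, gf_inv(gf_pow(A, 4)))
    return gf_mul(f1, gf_inv(f0))

def reduce_mod(basis, v):
    """Reduce v against an echelon basis {pivot bit: vector} over F_2; 0 iff v is in the span."""
    for bit in sorted(basis, reverse=True):
        if v >> bit & 1:
            v ^= basis[bit]
    return v

def span(vectors):
    basis = {}
    for v in vectors:
        v = reduce_mod(basis, v)
        if v:
            basis[v.bit_length() - 1] = v
    return basis

# Images of the S-units x, x+1, y, y+x; a pair (p, c) encodes p(x) + c*y.
S_UNITS = [(0b10, 0), (0b11, 0), (0, 1), (0b10, 1)]
H = span(local_image(p, c) for p, c in S_UNITS)

def galois_group_order():
    """|Gal(L/K)| = |F_64 / H| (every element of F_64 / H has order 2)."""
    return 2 ** (N - len(H))

# The three index 2 subgroups containing H, i.e. the three curves X_i.
H_I = {1: span(list(H.values()) + [0b1000]),   # H + <x^3>
       2: span(list(H.values()) + [0b100]),    # H + <x^2>
       3: span(list(H.values()) + [0b1100])}   # H + <x^3 + x^2>

def splits_in(p, c):
    """Indices i such that the place of E with uniformizer p(x) + c*y splits completely in X_i."""
    g = local_image(p, c)
    return [i for i, Hi in H_I.items() if reduce_mod(Hi, g) == 0]

DEG4 = {"Q1": (0b1000, 1), "Q2": (0b1001, 1), "Q3": (0b1100, 1),
        "Q4": (0b1101, 1), "Q5": (0b111, 0)}                     # uniformizers of Table 3
DEG5 = {"R1": (0b10000, 1), "R2": (0b10001, 1),
        "R3": (0b10010, 1), "R4": (0b10011, 1)}                  # uniformizers of Table 4

def places_of_degree(d, i):
    """a_d(X_i) for d in {4, 5}: a place of E of degree d that splits gives two places of X_i."""
    table = DEG4 if d == 4 else DEG5
    return 2 * sum(1 for p, c in table.values() if i in splits_in(p, c))

if __name__ == "__main__":
    assert point_on_E(A, Y0)
    print("|Gal(L/K)| =", galois_group_order())
    for name, (p, c) in {**DEG4, **DEG5}.items():
        print(name, "g =", bin(local_image(p, c)), "splits in X_i for i in", splits_in(p, c))
```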

Proposition 9.3. For i = 1, 2, 3, the real Weil polynomial hi(t) and the vector a(Xi) of the curve Xi are
h_{1,3}(t) = (t + 2)(t^6 + 5t^5 + 3t^4 − 15t^3 − 15t^2 + 9t + 8), a(X_{1,3}) = [10, 0, 0, 4, 2, 5, 18, ...],
h2(t) = (t + 2)(t^2 + 3t + 1)(t^4 + 2t^3 − 4t^2 − 5t + 2), a(X2) = [10, 0, 0, 2, 4, 11, 12, ...].

Proof. By Remark 9.2 the curves X1 and X3 are isomorphic, therefore they have the same real Weil polynomial. In the proof of Proposition 9.1 we already observed that for the curves X1 and X2 one has a1 = 10 and a2 = a3 = 0. We also proved that a4(X1) = 4 while a4(X2) = 2. Similarly to what was done for the places of degree 4, we consider the splitting behavior of the places of degree 5 of E listed in Remark 3.4 and display the results in Table 4.

Table 4. Splitting behavior of the degree 5 places of E in each curve Xi.

Rk   uk(x, y)          gk(x)                  Hi
R1   y + x^4           x^3 + x + 1            H1
R2   y + x^4 + 1       x^5 + x^4 + x          H3
R3   y + x^4 + x       x^4 + x^3 + x^2 + 1    H2
R4   y + x^4 + x + 1   x^5 + x^4 + x^3 + 1    H2

Summing up we have a5(X1) = 2 and a(X2) = [10, 0, 0, 2, 4, ...]. Since the degree 6 place Q of E is the only ramifying place in each curve Xi, i = 1, 2, we have that a6(Xi) has to be odd, while a7(Xi) has to be even. We can now determine a parametric form for the real Weil polynomial of each curve Xi:


i) For the curve X1 the values of #X1(F2) = a1 = 10, a2 = a3 = 0, a4 = 4 and a5 = 2 allow to determine the following parametric form: h(t) = t^7 + 7t^6 + 13t^5 − 9t^4 − 45t^3 − 21t^2 + αt + β. One can check that only for the values of (α, β) = (26, 16) and (α, β) = (27, 18) all roots of h(t) lie in the interval [−2√2, 2√2]. Only the first pair gives an odd number of degree 6 places, namely a6(X1) = 5. In this case a7(X1) = 18.
ii) For the values a(X2) = [10, 0, 0, 2, 4, ...] we have the parametric real Weil polynomial h(t) = t^7 + 7t^6 + 13t^5 − 9t^4 − 47t^3 − 33t^2 + αt + β. In this case there are three pairs of values of (α, β) for which h(t) has all roots in the interval [−2√2, 2√2]: the pair (3, 2), which gives a6 = 10; the pair (4, 4), which gives a6 = 11; and the pair (5, 7), for which a6 = 12. Hence the real Weil polynomial of X2 corresponds to the unique pair (α, β) = (4, 4) for which a6 is not even. In this case a7 = 12. □
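Recovering a(X) = [a1, a2, ...] from a real Weil polynomial, as an added example (not code from the paper) for the step used in Lemma 8.8, Proposition 8.10 and the proof of Proposition 9.3. It uses only the conventions of (2.1): L(t) = t^g h(1/t + qt), N_d = q^d + 1 − Σ ω_i^d over the reciprocal roots ω_i of L, and N_d = Σ_{e|d} e·a_e; the polynomials fed to it are the ones stated on this page.

```python
"""Added example (not from Rigato's paper): place counts a_d of a curve over F_q
from its real Weil polynomial h(t).  Polynomials are integer coefficient lists,
lowest degree first."""
from math import comb

def poly_mul(p, r):
    """Product of two integer polynomials."""
    out = [0] * (len(p) + len(r) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(r):
            out[i + j] += a * b
    return out

def l_polynomial(q, h):
    """Coefficients of L(t) = t^g h(1/t + q t), g = deg h; L has degree 2g.

    Each real root lambda = alpha + alpha_bar of h contributes the factor
    (1 - alpha t)(1 - alpha_bar t) = 1 - lambda t + q t^2 = t (1/t + q t - lambda).
    """
    g = len(h) - 1
    L = [0] * (2 * g + 1)
    for k, c in enumerate(h):
        for j in range(k + 1):         # (1/t + q t)^k = sum_j C(k, j) q^j t^(2j - k)
            L[g + 2 * j - k] += c * comb(k, j) * q ** j
    return L

def point_counts(q, h, dmax):
    """N_d = #X(F_{q^d}) = q^d + 1 - p_d, where p_d is the sum of the d-th powers of
    the reciprocal roots of L, obtained from Newton's identities on L's coefficients."""
    L = l_polynomial(q, h)
    l = lambda k: L[k] if k < len(L) else 0
    p = [0]                            # p[d] for d >= 1; p[0] is never used
    for d in range(1, dmax + 1):
        p.append(-d * l(d) - sum(l(k) * p[d - k] for k in range(1, d)))
    return [q ** d + 1 - p[d] for d in range(1, dmax + 1)]

def place_counts(q, h, dmax):
    """a_d = number of places of degree d, recovered from N_d = sum_{e | d} e a_e."""
    N = point_counts(q, h, dmax)
    a = []
    for d in range(1, dmax + 1):
        lower = sum(e * a[e - 1] for e in range(1, d) if d % e == 0)
        num = N[d - 1] - lower
        if num % d:
            raise ValueError("not the real Weil polynomial of a curve over F_%d" % q)
        a.append(num // d)
    return a

# Real Weil polynomials stated on this page.
H_E = [2, 1]                                                       # t + 2, the curve E
H_XPRIME = poly_mul(poly_mul([0, 1], [2, 1]), poly_mul([-5, 0, 1], [-5, 0, 1]))  # Prop. 8.10
H_X13 = poly_mul([2, 1], [8, 9, -15, -15, 3, 5, 1])               # h_{1,3}(t), Prop. 9.3
H_X2 = poly_mul(poly_mul([2, 1], [1, 3, 1]), [2, -5, -4, 2, 1])   # h_2(t), Prop. 9.3

if __name__ == "__main__":
    for name, h in (("E", H_E), ("X'", H_XPRIME), ("X_1 = X_3", H_X13), ("X_2", H_X2)):
        print(name, "a =", place_counts(2, h, 7))
```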

References
[A] R. Auer, Ray class fields of global function fields with many rational places, Acta Arith. 95 (2000), 97–122.
[A-P] Y. Aubry and M. Perret, Divisibility of zeta functions of curves in a covering, Arch. Math. 82 (2004), 205–213.
[G-V] G. van der Geer and M. van der Vlugt, Tables of curves with many points, Math. Comp. 69 (2000), 797–810. Updates at http://www.manypoints.org/
[H] E. Howe, Even sharper upper bounds on the number of points on curves, slides based on work in progress with Kristin Lauter, available at http://alumnus.caltech.edu/~however/talks.html.
[H-L] E. Howe and K. Lauter, Improved upper bounds for the number of points on curves over finite fields, Ann. Inst. Fourier 53 (2003), 1677–1737.
[L] K. Lauter, Ray class field constructions of curves over finite fields with many rational points, Algorithmic Number Theory, H. Cohen (ed.), Lecture Notes in Comput. Sci. 1122, Springer, (1996), 187–195.
[M-N] D. Maisner and E. Nart, with an appendix by E. Howe, Abelian surfaces over finite fields as Jacobians, Experimental Math. 11 (2002), 321–337.
[N-X] H. Niederreiter and C.P. Xing, Rational points on curves over finite fields: Theory and Applications, London Mathematical Society Lecture Note Series 285, Cambridge, 2001.
[S] J.-P. Serre, Rational points on curves over finite fields, unpublished notes by Fernando Q. Gouvêa of lectures at Harvard University, 1985.
[S1] J.-P. Serre, Sur le nombre des points rationnels d’une courbe algébrique sur un corps fini, C. R. Acad. Sci. Paris, Sér. I Math. 296 (1983), 397–402 (= Oeuvres III, No. 128, 397–402).
[Sch] R. Schoof, Algebraic curves and coding theory, UTM 336, Univ. of Trento, 1990.
[Sil] J.H. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, New York, 1986.
[Sti] H. Stichtenoth, Algebraic Function Fields and Codes, Springer-Verlag, Berlin, 2008.
[W] A. Weil, Zum Beweis des Torellischen Satzes, Nachr. Akad. Göttingen, Math.-Phys. Kl., (1957), 33–53.

Alessandra Rigato, Katholieke Universiteit Leuven, Department of Mathematics, Celestijnenlaan 200 B, B-3001 Leuven (Heverlee), Belgium E-mail address: [email protected]


Contemporary Mathematics Volume 521, 2010

Group Order Formulas for Reductions of CM Elliptic Curves

A. Silverberg

Abstract. We give an overview of joint work with Karl Rubin on computing the number of points on reductions of elliptic curves with complex multiplication, including some of the history of the problem.

1. Introduction

In this paper we try to give a readable survey of joint work with Karl Rubin on computing the number of points on reductions of CM elliptic curves. Proofs and details appear in [31, 32]. In §2, we give some of the history of the problem. Notation is given in §3. In §§4–6, we state the main results of [31], which give formulas for the group orders of reductions of CM elliptic curves. We give applications (also joint with Rubin) to Q-curves in §7, and to a simple way to do the last step of the CM method of Oliver Atkin and François Morain in §8. Brief sketches of proofs are given in §9 and §8.1. An extensive study of the mathematics surrounding such questions can be found in the books of David Cox [5] and Franz Lemmermeyer [17].

Acknowledgments. I thank the organizers of GeoCrypt 2009 for the invitation, Harold Stark for informing me about Wendy Miller’s thesis, and Yuri Zarhin, Karl Rubin, Nick Alexander, and the referees for helpful comments on the paper.

2. Some history

If p is an odd prime number and p ≡ 2 (mod 3), then (a^{(2p−1)/3})^3 ≡ a (mod p), so the map x ↦ x^3 defines an onto (and thus one-to-one) map from the finite field Fp to itself. It follows that if p ∤ B ∈ Z, then the elliptic curve y^2 = x^3 + B has p + 1 points mod p, including the point at infinity (since half the values x^3 + B are squares, and each such has two square roots). This leads to the question of how many points the elliptic curve y^2 = x^3 + B has modulo primes p ≡ 1 (mod 3) (i.e., when the curve has ordinary reduction at p, rather than supersingular). The answer is part of a long story that goes back to Carl Friedrich Gauss.

2010 Mathematics Subject Classification. 11G15, 11G05, 11G20. This material is based upon work supported by the National Science Foundation under grant CNS-0831004 and the National Security Agency under grant H98230-07-1-0039.

© 2010 American Mathematical Society 107

108 A. SILVERBERG

According to p. 86 (see (4.24)) of Cox's book [5], the following result can be wrested from §358 of Gauss's Disquisitiones Arithmeticae [7].

Theorem 2.1 (Gauss, Disquisitiones Arithmeticae, 1801). If p is a prime and p ≡ 1 (mod 3), then $x^3 - y^3 \equiv 1 \pmod p$ has $p - 2 + a$ solutions, where $4p = a^2 + 27b^2$ with $a, b \in \mathbb{Z}$ and $a \equiv 1 \pmod 3$.

If one rephrases the above statement in modern language, it says the following (see §14C of [5]).

Theorem 2.2 (Gauss). If p is a prime, p ≡ 1 (mod 3), and E is the elliptic curve $y^2 = x^3 - 432$, then
$$\#E(\mathbb{F}_p) = p + 1 - (\pi + \bar\pi)$$
where $p = \pi\bar\pi$ in $\mathbb{Z}\!\left[\tfrac{-1+\sqrt{-3}}{2}\right]$ and π is chosen to be normalized so that π ≡ 1 (mod 3).

In 1814, in his last diary entry [8], Gauss stated a similar result for a different curve (see also p. 86 of [5] or §5 of Chapter 11 of [14]). As pointed out by Lemmermeyer in [17], Gauss's statement was based on numerical evidence, and the first published proof was given by Gustav Herglotz [12] in 1921 (see p. 317 and p. 342 of [17] for more on the history). One formulation of Gauss's statement is the following.

Theorem 2.3 (Gauss, Herglotz). Suppose p is a prime and p ≡ 1 (mod 4). Write p in the form $a^2 + b^2$ with integers a and b, normalized so that $a + bi \equiv 1 \pmod{2+2i}$. Then $x^2 + y^2 + x^2y^2 \equiv 1 \pmod p$ has $p - 3 - 2a = (a-1)^2 + b^2 - 4$ solutions.

Rephrasing this in modern language gives:

Theorem 2.4 (Gauss, Herglotz). If p is a prime, p ≡ 1 (mod 4), and E is the elliptic curve $y^2 = x^3 + 4x$, then

$$\#E(\mathbb{F}_p) = p + 1 - (\pi + \bar\pi)$$
where $p = \pi\bar\pi$ in $\mathbb{Z}[i]$ with π ≡ 1 (mod 2 + 2i).

Theorems 2.2 and 2.4 can easily be generalized to deal with the families of sextic, respectively, quartic, twists of the given curve, as follows.

Theorem 2.5 (Gauss and others). If p is a prime, p ≡ 1 (mod 3), $p \nmid B \in \mathbb{Z}$, and E is $y^2 = x^3 + B$, then
$$\#E(\mathbb{F}_p) = p + 1 - \left(\frac{4B}{\pi}\right)_6^{-1}\pi - \left(\frac{4B}{\pi}\right)_6\bar\pi$$
where $p = \pi\bar\pi$ in $\mathbb{Z}\!\left[\tfrac{1+\sqrt{-3}}{2}\right]$ with π ≡ 1 (mod 3), and where $\left(\frac{4B}{\pi}\right)_6$ is the unique sixth root of unity congruent to $(4B)^{(p-1)/6} \pmod \pi$.

See Theorem 4 on p. 305 of Ireland and Rosen [14] for (an equivalent statement to) the previous result, and Theorem 5 on p. 307 of [14] for the following result. Related references include a well-known paper of Harold Davenport and Helmut Hasse [6] and a paper of A. R. Rajwade [26].

GROUP ORDER FORMULAS FOR CM ELLIPTIC CURVES 109

Theorem 2.6 (Gauss, Herglotz, and others). If p is a prime, p ≡ 1 (mod 4), $p \nmid A \in \mathbb{Z}$, and E is $y^2 = x^3 - Ax$, then
$$\#E(\mathbb{F}_p) = p + 1 - \left(\frac{A}{\pi}\right)_4^{-1}\pi - \left(\frac{A}{\pi}\right)_4\bar\pi$$
where $p = \pi\bar\pi$ in $\mathbb{Z}[i]$ with π ≡ 1 (mod 2 + 2i), and where $\left(\frac{A}{\pi}\right)_4$ is the unique fourth root of unity congruent to $A^{(p-1)/4} \pmod \pi$.

Nowadays, the above results are viewed as part of the theory of complex multiplication. The previous two results deal with all elliptic curves with complex multiplication (CM) by $\mathbb{Z}\!\left[\tfrac{-1+\sqrt{-3}}{2}\right]$ and $\mathbb{Z}[i]$, respectively. In a series of papers beginning in the late 1960's and continuing into the 1980's, Rajwade and co-authors (see for example [25, 26, 27, 28, 29]) dealt with elliptic curves over Q with complex multiplication by the ring of integers in $\mathbb{Q}(\sqrt{-d})$ for some small values of d, including d = 1, 2, 3, 7, 11, 19, using cyclotomy and the theory of . For example, the next result, which appears in a paper of Rajwade [25], deals with all the elliptic curves with CM by $\mathbb{Z}[\sqrt{-2}]$. Related work that uses the theory of cyclotomy includes papers by B. W. Brewer, A. L. Whiteman, and others.

As usual, we use $\left(\frac{a}{m}\right)$ to denote the Jacobi (or Legendre) symbol.

Theorem 2.7 (Rajwade [25]). If p is a prime, p ≡ 1 or 3 (mod 8), and E is the elliptic curve $y^2 = x(x^2 - 4ax + 2a^2)$ with $p \nmid a$, then
$$\#E(\mathbb{F}_p) = p + 1 - \left(\frac{a}{p}\right)(\pi + \bar\pi)$$
where $p = \pi\bar\pi$ in $\mathbb{Z}[\sqrt{-2}]$ and π (and $\bar\pi$) is congruent modulo $4\sqrt{-2}$ to an element of
$$\{1,\ 3,\ 1 \pm \sqrt{-2},\ 3 \pm \sqrt{-2},\ 5 + 2\sqrt{-2},\ 7 + 2\sqrt{-2}\}.$$

See the introductions to [28] and [29] for more on the history; they state that Emma Lehmer and Ronald J. Evans conjectured that there would be an answer similar to the ones above for the elliptic curves over Q with complex multiplication by the ring of integers in the remaining fields $\mathbb{Q}(\sqrt{-d})$ of class number one. From now on, we assume that d is square-free. In addition to d = 1, 2, 3 given above, the remaining d's for which the ring of integers $\mathcal{O}_K$ of $K = \mathbb{Q}(\sqrt{-d})$ has class number one are d ∈ {7, 11, 19, 43, 67, 163}.

The elliptic curves with CM by these $\mathcal{O}_K$ are the curves A(d) (in the notation of Dick Gross's thesis [9]) in Table 1 below and their quadratic twists (see [11] or §24 of [9]). For these d, if p is a prime ≠ d, and $p = u^2 + dv^2$ with $u, v \in \tfrac12\mathbb{Z}$, then
$$(2.1)\qquad \#(A(d)(\mathbb{F}_p)) = p + 1 - \left(\frac{4u}{d}\right)2u.$$
Here $\pi = u + v\sqrt{-d}$, so $\pi + \bar\pi = 2u$. To show (2.1), one can combine §11.2, Theorem 12.2.1, and §24 of Gross's thesis [9], which computes the Hecke characters for these elliptic curves using the theory of complex multiplication. In the same way, with Proposition 3.5 of Gross's 1982 paper [10] in place of §24 of Gross's thesis [9], one can obtain a similar formula, corresponding to similar models of elliptic curves with CM by the ring of integers in $\mathbb{Q}(\sqrt{-d})$, for all prime d ≡ 3 (mod 4). When the class number of $\mathbb{Q}(\sqrt{-d})$ is greater than one, the elliptic curves are no longer defined over Q.
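As an added illustration of Theorems 2.2 and 2.4 above (this is my own Python, not code from the paper), the following factors p in Z[ω] and Z[i], picks the associate of π normalized as those theorems require, and compares p + 1 − (π + π̄) with a brute-force point count; the search bounds and the brute-force counter are my own choices.

```python
"""Worked check of Gauss's formulas (Theorems 2.2 and 2.4):
   y^2 = x^3 - 432 over F_p, p = 1 (mod 3): #E = p + 1 - (pi + pi_bar), pi = 1 (mod 3) in Z[omega]
   y^2 = x^3 + 4x  over F_p, p = 1 (mod 4): #E = p + 1 - (pi + pi_bar), pi = 1 (mod 2+2i) in Z[i]
Added example; the helper routines are not from the paper."""
from math import isqrt


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: 0, 1 or -1 (Euler's criterion)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(p, a4, a6):
    """Brute-force #E(F_p) for y^2 = x^3 + a4*x + a6 (point at infinity included):
    each x contributes 1 + (f(x)/p) affine points."""
    return p + 1 + sum(legendre(x**3 + a4 * x + a6, p) for x in range(p))


# --- Z[omega], omega = (-1 + sqrt(-3))/2, N(a + b*omega) = a^2 - a*b + b^2 --------------

def eisenstein_prime_above(p):
    """Return (a, b) with p = a^2 - a*b + b^2, i.e. p = N(a + b*omega).  Such a
    representation exists exactly when p = 3 or p = 1 (mod 3)."""
    bound = 2 * isqrt(p) + 1
    for a in range(-bound, bound + 1):
        for b in range(-bound, bound + 1):
            if a * a - a * b + b * b == p:
                return a, b
    raise ValueError(f"{p} is inert in Z[omega]")


def normalize_mod_3(a, b):
    """Return the associate u*pi (u a sixth root of unity) of pi = a + b*omega with
    u*pi = 1 (mod 3), i.e. a = 1 and b = 0 (mod 3).  Multiplication by omega sends
    (a, b) to (-b, a - b) because omega^2 = -1 - omega; multiplying by -1 negates."""
    for sign in (1, -1):
        x, y = sign * a, sign * b
        for _ in range(3):
            if x % 3 == 1 and y % 3 == 0:
                return x, y
            x, y = -y, x - y
    raise ValueError("pi is not coprime to 3")


def count_via_theorem_2_2(p):
    """#E(F_p) for E: y^2 = x^3 - 432 from Theorem 2.2; p must be 1 (mod 3)."""
    a, b = normalize_mod_3(*eisenstein_prime_above(p))
    trace = 2 * a - b                 # pi + pi_bar, since omega + omega_bar = -1
    return p + 1 - trace


# --- Z[i], N(a + b*i) = a^2 + b^2 ------------------------------------------------------

def gaussian_prime_above(p):
    """Return (a, b) with p = a^2 + b^2 (exists exactly when p = 2 or p = 1 (mod 4))."""
    for a in range(isqrt(p) + 1):
        b = isqrt(p - a * a)
        if a * a + b * b == p:
            return a, b
    raise ValueError(f"{p} is inert in Z[i]")


def normalize_mod_2_plus_2i(a, b):
    """Return the associate of pi = a + b*i that is 1 (mod 2 + 2i): a odd, b even and
    a + b = 1 (mod 4).  Multiplication by i sends (a, b) to (-b, a)."""
    x, y = a, b
    for _ in range(4):
        if x % 2 == 1 and y % 2 == 0 and (x + y) % 4 == 1:
            return x, y
        x, y = -y, x
    raise ValueError("pi is not coprime to 2")


def count_via_theorem_2_4(p):
    """#E(F_p) for E: y^2 = x^3 + 4x from Theorem 2.4; p must be 1 (mod 4)."""
    a, _ = normalize_mod_2_plus_2i(*gaussian_prime_above(p))
    return p + 1 - 2 * a              # pi + pi_bar = 2a


def theorems_agree_with_brute_force(limit):
    """True iff both formulas match brute-force counts for every prime below `limit`."""
    primes = [n for n in range(5, limit) if all(n % k for k in range(2, isqrt(n) + 1))]
    ok_3 = all(count_via_theorem_2_2(p) == count_points(p, 0, -432) for p in primes if p % 3 == 1)
    ok_4 = all(count_via_theorem_2_4(p) == count_points(p, 4, 0) for p in primes if p % 4 == 1)
    return ok_3 and ok_4


if __name__ == "__main__":
    # p = 7 = N(1 + 3*omega), trace -1: y^2 = x^3 - 432 has 9 points mod 7
    print(count_via_theorem_2_2(7), count_points(7, 0, -432))
    # p = 13 = N(3 - 2i), 3 - 2i = 1 (mod 2+2i): y^2 = x^3 + 4x has 8 points mod 13
    print(count_via_theorem_2_4(13), count_points(13, 4, 0))
    print(theorems_agree_with_brute_force(200))
```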


Table 1. Curves with CM by $\mathcal{O}_K$ of class number one

d      A(d)       curve
7      49a1       $y^2 + xy = x^3 - x^2 - 2x - 1$
11     121b1      $y^2 + y = x^3 - x^2 - 7x + 10$
19     361a1      $y^2 + y = x^3 - 38x + 90$
43     1849a1     $y^2 + y = x^3 - 860x + 9707$
67     4489a1     $y^2 + y = x^3 - 7370x + 243528$
163    26569a1    $y^2 + y = x^3 - 2174420x + 1234136692$

For (2.1), see also [41], the work of Rajwade et al., and/or [24, 16, 18]; the latter two employ ideas of Rajwade and Harold Stark.

Can this be generalized to elliptic curves with CM by orders in imaginary quadratic fields $\mathbb{Q}(\sqrt{-d})$ for arbitrary d? Let $\mathcal{O}_F$ denote the ring of integers in a number field F. The theory of complex multiplication shows that if
• E is an elliptic curve over a number field F,
• E has CM by K ⊆ F with $K \neq \mathbb{Q}(i), \mathbb{Q}(\sqrt{-3})$,
• $\mathcal{P}$ is a prime of F where E has good reduction,
• π ∈ K is a generator of the principal ideal $N_{F/K}(\mathcal{P})$,
• $q := N_{F/\mathbb{Q}}(\mathcal{P})\ (= \#(\mathcal{O}_F/\mathcal{P}))$,
then
$$(2.2)\qquad \#E(\mathcal{O}_F/\mathcal{P}) = q + 1 - \varepsilon(\pi)(\pi + \bar\pi)$$
with ε(π) ∈ {±1}. To make this explicit in the way that Gauss and others did above, one needs to either choose a suitably normalized π so that the sign ε(π) in equation (2.2) is 1 (as in Theorems 2.2 and 2.4 above), or else find an explicit formula for the sign ε(π) (as in (2.1) above). Stark [41] generalized (2.1) to all the elliptic curves with CM by the ring of integers in $\mathbb{Q}(\sqrt{-d})$, when d ≡ 7 or 11 (mod 12) (i.e., when both d ≡ 3 (mod 4) and $3 \nmid d$ hold), using the theory of complex multiplication and Goro Shimura's Reciprocity Law [38]. More precisely, Stark showed:

Theorem 2.8 (Stark, Theorem 1 of [41]). Suppose d is a (square-free) positive integer and d ≡ 7 or 11 (mod 12). If (π) is a prime ideal of $\mathbb{Q}(\sqrt{-d})$ of norm p with (p, 6d) = 1, $\pi = u + v\sqrt{-d}$ with $u, v \in \tfrac12\mathbb{Z}$, $\mathcal{P}$ is a prime ideal of the Hilbert class field H of $\mathbb{Q}(\sqrt{-d})$ above π, $a \in H^\times$, and $\mathrm{ord}_{\mathcal{P}}(a) = 0$, then the reduction mod $\mathcal{P}$ of the elliptic curve (defined over H and with CM by $\mathbb{Q}(\sqrt{-d})$)
$$E : y^2 = x^3 + \frac{a^2 d\,\gamma_2(\tau)}{48}\,x - \frac{a^3 d\sqrt{-d}\,\gamma_3(\tau)}{864}$$
has
$$p + 1 - (-1)^{(d+1)/4}\left(\frac{a}{\mathcal{P}}\right)_{2,H}\left(\frac{4u}{d}\right)2u$$
points, where $\tau = \frac{-3+\sqrt{-d}}{2}$, $\gamma_2$ and $\gamma_3$ are the Weber functions (see §3 below), and the symbol $\left(\frac{\alpha}{\mathcal{P}}\right)_{2,H}$ is defined in Definition 3.2 below.

Wendy Miller generalized Stark's theorem to the case of elliptic curves with CM by the ring of integers in an imaginary quadratic field whose discriminant is even and not divisible by 3, in her 1998 UCSD PhD thesis [19].

In [31], Rubin and I generalized the above results to elliptic curves with CM by arbitrary imaginary quadratic fields K (and arbitrary orders O in $\mathcal{O}_K$). In particular, we give an explicit formula for $\#E(\mathcal{O}_F/\mathcal{P})$, whenever
• E is an elliptic curve over a number field F with CM by an order O in an imaginary quadratic field K ⊆ F, and
• $\mathcal{P} \nmid 2$ is a prime ideal of $\mathcal{O}_F$ where E has good reduction.

As an application (see §8 below), in [32] we give a faster method for the last step of the Atkin-Morain "CM method" for finding an elliptic curve over a finite field with a specified number of points (also jointly with Rubin). This answers an open question of Atkin and Morain (Conjecture 8.1 of [2]). As Morain points out in the introduction to [20], for implementing the Atkin-Morain Elliptic Curve Primality Proving algorithm [2, 21] and for cryptographic applications, it is important to do this step rapidly, and preferably deterministically.

There are many impediments, both theoretical and computational, to generalizing the elliptic curve results to higher dimensional abelian varieties. Nick Alexander is making progress in the two-dimensional case [1], utilizing work of Robert Rumely [35, 33].

3. Weber's Zoo and Additional Notation

For z in the complex upper half plane H, let $L_z = \mathbb{Z} + \mathbb{Z}z$,
$$g_2(z) = 60\sum_{0 \neq \omega \in L_z}\omega^{-4},\qquad g_3(z) = 140\sum_{0 \neq \omega \in L_z}\omega^{-6}.$$
Recall the Dedekind η-function:
$$\eta(z) = e^{\pi i z/12}\prod_{n=1}^{\infty}\left(1 - e^{2\pi i n z}\right)$$
and the Weber functions:
$$\gamma_2(z) = 12\,\frac{g_2(z)}{(2\pi i)^4\,\eta(z)^8},\qquad \gamma_3(z) = -6^3\,\frac{g_3(z)}{(2\pi i)^6\,\eta(z)^{12}},$$
which satisfy
$$j(z) = \gamma_2(z)^3 = 1728 + \gamma_3(z)^2.$$
Bryan Birch [4] has referred to these and other Weber functions as "Weber's zoo". Our proofs make use of results of Heinrich Weber [42], Bryan Birch [3], and Reinhard Schertz [36] on the Weber functions.

From now on, O is an order in an imaginary quadratic field K and D is the discriminant of O. Define $d \in \mathbb{Z}^+$ by
$$d = \begin{cases} -D & \text{if } D \text{ is odd,}\\ -D/4 & \text{if } D \text{ is even.}\end{cases}$$
Then $K = \mathbb{Q}(\sqrt{-d}) = \mathbb{Q}(\sqrt{D})$.


Definition 3.1. With O, D, and d as above, define $\tau_D$ by
$$\tau_D = \begin{cases} \dfrac{-3+\sqrt{-d}}{2} & \text{if } D \equiv 1 \pmod 8,\\[6pt] \dfrac{3+\sqrt{-d}}{2} & \text{if } D \equiv 5 \pmod 8,\\[6pt] 3+\sqrt{-d} & \text{if } D \equiv 4 \text{ or } 8 \pmod{32},\\[3pt] \sqrt{-d} & \text{otherwise.}\end{cases}$$

By abuse of notation, denote $j(\tau_D)$ by j and for i = 1, 2 denote $\gamma_i(\tau_D)$ by $\gamma_i$.

Then $\mathcal{O} = \mathbb{Z} + \mathbb{Z}\tau_D$, H := K(j) is the ring class field of O, and j = j(O) (where j(O) is the j-invariant of any elliptic curve isomorphic to C/O).

Definition 3.2. Suppose F is a number field containing the n-th roots of unity $\mu_n \subset \mathbb{C}$, $\mathcal{P}$ is a prime of F not dividing n, and $a \in F^\times$ is such that $n \mid \mathrm{ord}_{\mathcal{P}}(a)$. Letting b be any n-th root of a and letting $\mathrm{Fr}_{\mathcal{P}} \in \mathrm{Gal}(F(b)/F)$ denote the Frobenius automorphism associated to $\mathcal{P}$, define the n-th power symbol
$$\left(\frac{a}{\mathcal{P}}\right)_{n,F} := \frac{b^{\mathrm{Fr}_{\mathcal{P}}}}{b} \in \mu_n \subset F.$$

Remark 3.3. Note that if $a \in \mathcal{O}_F - \mathcal{P}$, then $\left(\frac{a}{\mathcal{P}}\right)_{n,F}$ can be characterized as the unique n-th root of unity that is congruent mod $\mathcal{P}$ to $a^{(N_{F/\mathbb{Q}}(\mathcal{P})-1)/n}$. When n = 2 it is the quadratic residue symbol. When n = 6 and $F = \mathbb{Q}(\sqrt{-3})$ it is the symbol $\left(\frac{a}{\pi}\right)_6$ in Theorem 2.5, and when n = 4 and $F = \mathbb{Q}(i)$ it is the symbol $\left(\frac{a}{\pi}\right)_4$ in Theorem 2.6, where π is a generator of $\mathcal{P}$.

If E is $y^2 = x^3 + ax + b$, let $E^{(c)}$ denote the quadratic twist $y^2 = x^3 + ac^2x + bc^3$. If E is defined over C, we say E has CM by O if End(E) ≅ O. For $x, y \in \mathbb{Q}$, by $x \equiv y \pmod{2^m}$ we mean $\mathrm{ord}_2(x - y) \geq m$.

4. Main Result, Version I

In this section and the next we formulate two versions of our main result.

Theorem 4.1 (Corollary 5.4 of [31]). Suppose O is an order of discriminant D in an imaginary quadratic field K, F is a finite extension of the ring class field H of O, $c \in F^\times$, and (for simplicity) $K \neq \mathbb{Q}(i), \mathbb{Q}(\sqrt{-3})$. With j as in Definition 3.2, let E be as in Table 2. Suppose $\mathcal{P} \nmid 2$ is a prime of F where E has good reduction, π is a generator of $N_{F/K}(\mathcal{P})$, and $q = N_{F/\mathbb{Q}}(\mathcal{P})$. Then:
(i) E is defined over F,
(ii) End(E) = O,
(iii) j(E) = j, and
(iv) (a) if D ≡ 0 or 12 (mod 16) then:
$$\#E(\mathcal{O}_F/\mathcal{P}) = q + 1 - \left(\frac{c^2(j-1728)}{\mathcal{P}}\right)_{4,F}\varepsilon_D(\pi)(\pi + \bar\pi)$$
(b) otherwise:
$$\#E(\mathcal{O}_F/\mathcal{P}) = q + 1 - \left(\frac{c}{\mathcal{P}}\right)_{2,F}\varepsilon_D(\pi)(\pi + \bar\pi)$$
where $\varepsilon_D(\pi) \in \mu_4$ will be given in Table 3 below.

Note that every elliptic curve E over F such that End(E) = O and j(E) = j occurs in Table 2 for some c.

Table 2

D                     E
odd                   $y^2 = x^3 - \dfrac{c^2 j^3}{48}\,x + \dfrac{c^3\gamma_3 j^4}{864}$
4 or 8 (mod 16)       $y^2 = x^3 + \dfrac{c^2 j^3}{48}\,x - \dfrac{c^3 i\gamma_3 j^4}{864}$
0 or 12 (mod 16)      $y^2 = x^3 - \dfrac{c^2 j^3(j-1728)}{48}\,x + \dfrac{c^3 j^4(j-1728)^2}{864}$

5. Main Result, Version II

The following lemma allows us to choose a good normalization of τ in the upper half plane such that j(τ) = j(E).

Lemma 5.1 (Lemma 6.4(i) of [31]). If E is an elliptic curve over C and End(E) is isomorphic to an order O of discriminant D in an imaginary quadratic field K ⊂ C, then there are τ ∈ H ∩ K and r, s ∈ Q so that
(i) j(τ) = j(E),
(ii) $\tau = r\tau_D + s$,
(iii) r ≡ 1 (mod 2), and
(iv) s ≡ 0 (mod 4).

Theorem 5.2 (Theorem 5.3 of [31]). If:
• E : $y^2 = x^3 + ax + b$ is an elliptic curve over a number field F ⊂ C,
• the ring End(E) is isomorphic to an order O in an imaginary quadratic field K ⊆ F and (for simplicity) $K \neq \mathbb{Q}(i), \mathbb{Q}(\sqrt{-3})$,
• $\mathcal{P} \nmid 2$ is a prime of F where E has good reduction,
• π is a generator of the principal ideal $N_{F/K}(\mathcal{P})$,
• $q := N_{F/\mathbb{Q}}(\mathcal{P})$,
• D is the discriminant of O, and
• τ is as in Lemma 5.1,
then:
• if D is odd, then
$$\#E(\mathcal{O}_F/\mathcal{P}) = q + 1 - \left(\frac{6b\gamma_3(\tau)}{\mathcal{P}}\right)_{2,F}\varepsilon_\tau(\pi)(\pi + \bar\pi)$$
• if D ≡ 4 or 8 (mod 16), then
$$\#E(\mathcal{O}_F/\mathcal{P}) = q + 1 - \left(\frac{-6bi\gamma_3(\tau)}{\mathcal{P}}\right)_{2,F}\varepsilon_\tau(\pi)(\pi + \bar\pi)$$
• if D ≡ 0 or 12 (mod 16), then
$$\#E(\mathcal{O}_F/\mathcal{P}) = q + 1 - \left(\frac{6^2 b^2 (j(E)-1728)}{\mathcal{P}}\right)_{4,F}\varepsilon_\tau(\pi)(\pi + \bar\pi)$$
where we give an algorithm for computing $\varepsilon_\tau(\pi) \in \mu_4$ in §6.

6. The functions $\varepsilon_D$ and $\varepsilon_\tau$

We now define the functions $\varepsilon_D$ and $\varepsilon_\tau$ used above. Let $\mathcal{O}_2 = \mathcal{O} \otimes_{\mathbb{Z}} \mathbb{Z}_2$. When j(E) = j(O), we can take $\tau = \tau_D$ in Theorem 5.2, and then $\varepsilon_\tau(\pi) = \varepsilon_D(\pi)$ can be read off from Table 3. Note that π is not necessarily in O (see Remark 9.1 below). However, since $\mathcal{P} \nmid 2$ and $K \neq \mathbb{Q}(i), \mathbb{Q}(\sqrt{-3})$, it follows (see Lemma 2.6(iii) and Remark 2.7 of [31]) that $\pi \in \mathcal{O}_2^\times$.

Table 3. $\varepsilon_D : \mathcal{O}_2^\times \to \mu_4$

If D is odd:
  π^3 (mod 4) ∈ {1, −√−d}:  ε_D(π) = 1;   π^3 (mod 4) ∈ {−1, √−d}:  ε_D(π) = −1.

If D ≡ 4 (mod 16):
  π (mod 4) ∈ {1, √−d, −1+2√−d, 2−√−d}:  ε_D(π) = 1;   otherwise:  ε_D(π) = −1.

If D ≡ 8 (mod 16):
  π (mod 4) ∈ {1, −1+2√−d, ±1+√−d}:  ε_D(π) = 1;   otherwise:  ε_D(π) = −1.

If D ≡ 12 (mod 16):
  π (mod 4) ∈ {1, 1+2√−d}:  ε_D(π) = 1;   {2+√−d, √−d}:  ε_D(π) = i;   {−1, −1+2√−d}:  ε_D(π) = −1;   {2−√−d, −√−d}:  ε_D(π) = −i.

If D ≡ 0 (mod 16):
  π (mod 4) ∈ {1, −1+2√−d}:  ε_D(π) = 1;   {±1−√−d}:  ε_D(π) = i;   {−1, 1+2√−d}:  ε_D(π) = −1;   {±1+√−d}:  ε_D(π) = −i.

In general, take τ, r, and s as in Lemma 5.1 (for E). With $\varepsilon_D$ defined in Table 3, then
$$\varepsilon_\tau(\pi) = \begin{cases} \varepsilon_D(\pi) & \text{if } r \equiv 1 \pmod 4,\\ \varepsilon_D(\pi)\,(-1)^{(N_{K/\mathbb{Q}}(\pi)-1)/2} & \text{if } r \equiv -1 \pmod 4 \text{ and } D \equiv 4, 8 \pmod{16},\\ \varepsilon_D(\pi) & \text{if } r \equiv -1 \pmod 4 \text{ and } D \not\equiv 4, 8 \pmod{16}.\end{cases}$$

Remark 6.1. In our results the sign $\varepsilon_\tau(\pi)$ is in terms of π modulo 4, while in the results of Gross and Stark the corresponding sign is in terms of π modulo d (recall the $\left(\frac{4u}{d}\right)$ in Theorem 2.8 and in (2.1)). When their results apply, quadratic reciprocity allows one to go back and forth between their results and ours.

7. Q-curves

Recall that K is an imaginary quadratic field, and let HK denote the Hilbert class field of K.

Definition 7.1 (§11.1 of [9]). An elliptic curve E over $H_K$ is a Q-curve if $E^\sigma$ is isogenous over $H_K$ to E for all $\sigma \in \mathrm{Gal}(H_K/\mathbb{Q})$.

With $K = \mathbb{Q}(\sqrt{-d})$, in [10] Gross produced a model of a Q-curve with CM by $\mathcal{O}_K$, for all prime d ≡ 3 (mod 4). We produce a model of a Q-curve with CM by $\mathcal{O}_K$ whenever d ≡ 2 or 3 (mod 4) (with d square-free). There are no Q-curves with CM by $\mathcal{O}_K$ when d > 1 is a product of primes congruent to 1 (mod 4). (See Example 3 on p. 527 of [37] and §11.3 of [9].)

In the next result, we assume we have a square-free positive integer d ≡ 2 or 3 (mod 4). Let D = −d if d ≡ 3 (mod 4) and let D = −4d if d ≡ 2 (mod 4), so D is the discriminant of the ring of integers of $K := \mathbb{Q}(\sqrt{-d})$. Let j denote $j(\tau_D)$ and let $\gamma_3$ denote $\gamma_3(\tau_D)$.

Theorem 7.2 (Theorem 7.4 of [31]). The following elliptic curve E is a Q-curve defined over Q(j) with CM by $\mathbb{Q}(\sqrt{-d})$:
$$E : \begin{cases} y^2 = x^3 + \dfrac{d j^3}{48}\,x - \dfrac{d\sqrt{-d}\,\gamma_3 j^4}{864} & \text{if } d \equiv 3 \pmod 4,\\[8pt] y^2 = x^3 - \dfrac{d j^3}{48}\,x - \dfrac{d\sqrt{d}\,\gamma_3 j^4}{864} & \text{if } d \equiv 2 \pmod 4.\end{cases}$$
If d ≠ 3, $\mathcal{P} \nmid 2$ is a prime of $H_K$ where E has good reduction, $\pi = u + v\sqrt{-d} \in \mathcal{O}_K$ is a generator of $N_{H_K/K}(\mathcal{P})$ with $u, v \in \tfrac12\mathbb{Z}$, and $q = N_{H_K/\mathbb{Q}}(\mathcal{P}) = u^2 + dv^2$, then
$$\#E(\mathcal{O}_F/\mathcal{P}) = q + 1 - f(u, d, q)(\pi + \bar\pi)$$
where
$$f(u, d, q) = \begin{cases} \left(\dfrac{4u}{d}\right) & \text{if } d \equiv 3 \pmod 4,\\[8pt] (-1)^{(q-1)(q+d+11)/16}\left(\dfrac{u}{d/2}\right) & \text{if } d \equiv 6 \pmod 8,\\[8pt] (-1)^{(u-1)/2}(-1)^{(q-1)(q+d+3)/16}\left(\dfrac{u}{d/2}\right) & \text{if } d \equiv 2 \pmod 8.\end{cases}$$

8. Application to Last Step of CM Method

In 1993, Atkin and Morain [2] published an algorithm, now known as the CM method, which has the following inputs and output:

Input:
• prime p ≥ 5,
• (square-free) $d \in \mathbb{Z}^+$, d ≠ p,
• $U, V \in \tfrac12\mathbb{Z}$ such that $p = U^2 + dV^2$ (U, V ∈ Z if d ≡ 1 or 2 (mod 4)).

Output: an elliptic curve E over $\mathbb{F}_p$ such that

$$\#E(\mathbb{F}_p) = p + 1 - 2U.$$

A version of the CM method is the following. For the CM method, see [2], or §A.14 of [13]; Step (3) below is A.14.4.2 of [13]. Assume for simplicity that d ≠ 1, 3.
(1) Compute the minimal polynomial of $j(\sqrt{-d})$ over Q, and find a root j of this polynomial in $\mathbb{F}_p$.
(2) Write down an elliptic curve E over $\mathbb{F}_p$ with j(E) = j. Then $\#E(\mathbb{F}_p) = p + 1 \pm 2U$.
(3) To determine whether to output E or its twist, let N = p + 1 − 2U, choose a random point $P \in E(\mathbb{F}_p)$, and compute NP. If NP = O (and 4UP ≠ O), then $\#E(\mathbb{F}_p) = N$ as desired; if NP ≠ O, then the twist of E has N points.


In [32], we give algorithms that replace Step (3) (the "last step" of the CM method) with a simpler step (at the possible expense of replacing the class invariant in Step (1) with a different one, though Morain states in §9 of [20] that while "it is easier to use invariants of small height," his article shows that "we might as well favor those invariants that give us a fast way of computing the right equation instead"). We emphasize that our results do not speed up the major bottleneck in the CM method, which is computing class polynomials in Step (1) (note that Step (2) is easy). However, precomputation of minimal polynomials for a desired range of d is standard, and tables are available online. We posted PARI/GP implementations of our algorithms at [30]. See §6 of [32] for some examples. Related work appears in [20, 15, 22, 23]. Morain, Andreas Enge, and others have done much work on improving the CM method and finding the best class polynomials. We leave open the problems of modifying and improving our algorithms by using class invariants of smaller height, and of computing the complexity of optimized algorithms.

As an example, we next state the algorithm for the case d ≡ 2 (mod 4) (this is Algorithm 3.2 of [32]). The first two steps are standard steps in the CM method. The remaining step is new. As above, input a square-free positive integer d ≡ 2 (mod 4), a prime p ≥ 5, and integers U and V such that $p = U^2 + dV^2$. The algorithm outputs an elliptic curve E over $\mathbb{F}_p$ such that $\#E(\mathbb{F}_p) = p + 1 - 2U$.
(1) Let $z_d = \sqrt{-d}$ if d ≡ 2 (mod 8) and let $z_d = 3 + \sqrt{-d}$ if d ≡ 6 (mod 8). (Pre)compute the minimal polynomial $f(w) \in \mathbb{Z}[w]$ for $\gamma_3(z_d)\sqrt{d}$.
(2) Compute a root $\beta \in \mathbb{F}_p$ of f(w) (mod p), compute $\alpha := \beta V/U \in \mathbb{F}_p^\times$, compute $\delta := 1728 - \alpha^2 \in \mathbb{F}_p^\times$, and let E be:
$$E : y^2 = x^3 + 27\delta^3 x - 54\alpha\delta^4.$$
(3) If V ≡ 1 or U − 1 (mod 4) then output E and terminate. Otherwise, find a non-square $\nu \in \mathbb{F}_p^\times$ and output $E^{(\nu)}$.

For a concrete example to illustrate the simplicity of the algorithm, consider the case d = 2 (the case considered by Rajwade in [25]; see Theorem 2.7 above). Then $\gamma_3(\sqrt{-2})\sqrt{2} = 112$, so f(w) = w − 112. The algorithm can be restated as follows (simplifying the model slightly). If V ≡ 1 (mod 4) or V ≡ U − 1 (mod 4), output $y^2 = x^3 + 135x + 756VU^{-1} \pmod p$. Otherwise, find a non-square $\nu \in \mathbb{F}_p^\times$ and output $y^2 = x^3 + 135\nu^2 x + 756\nu^3 VU^{-1} \pmod p$.

See [32] for algorithms when d ≡ 1, 3 (mod 4) (Algorithm 3.1 and 3.3 of [32]; see also Algorithm 3.4 and 3.5 of [32]). When d ≡ 2 or 3 (mod 4), our algorithms for the last step consist of reading off congruences modulo 4. When d ≡ 1 (mod 4), a square root of d (mod p) also needs to be computed.

Remark 8.1. Algorithm 3.3 of [32] gives an alternative algorithm when d ≡ 3 (mod 4) that is closer to the formulations of Stark and Atkin-Morain and requires computation of the Jacobi symbol $\left(\frac{4U}{d}\right)$. An alternative algorithm when d ≡ 2 (mod 4) (Algorithm 3.2 of [32]), that requires the computation of a Jacobi symbol modulo d/2, is the following. Compute f(w) and β as above. Compute $\delta := 1728 + \beta^2/d \in \mathbb{F}_p^\times$, and let E be: $y^2 = x^3 - 27\delta^3 d\,x - 54\beta\delta^4 d$. Let d' = d/2. If either:
(i) d ≡ 2 (mod 8) and $\left(\frac{U}{d'}\right) = (-1)^{(U-1)/2}(-1)^{(p-1)(p+d+3)/16}$, or
(ii) d ≡ 6 (mod 8) and $\left(\frac{U}{d'}\right) = (-1)^{(p-1)(p+d+11)/16}$
then output E and terminate. Otherwise, find a non-square $\nu \in \mathbb{F}_p^\times$ and output $E^{(\nu)}$.

8.1. Obtaining the Algorithms from the Main Result. We give a sketch of a proof that the above algorithm for d ≡ 2 (mod 4) works. In the notation of the algorithm, the root β of f uniquely determines a prime $\mathfrak{p}$ of $\mathbb{Q}(\gamma_3(z_d)\sqrt{d})$ above p. Let $\mathcal{P}$ be the prime of the Hilbert class field $H_K$ above $\mathfrak{p}$ and (π) (as in Figure 1).

Figure 1. Prime ideals: $\mathcal{P}$ in $H = K(\gamma_3(z_d)\sqrt{d})$ lies above both $\mathfrak{p}$ in $\mathbb{Q}(\gamma_3(z_d)\sqrt{d})$ and $(\pi) = (U + V\sqrt{-d})$ in $K = \mathbb{Q}(\sqrt{-d})$, which in turn lie above $p = \pi\bar\pi$ in Q.

Reduction mod $\mathcal{P}$ sends:
$$\sqrt{-d} \mapsto -U/V \ (\text{since } \pi = U + V\sqrt{-d}),\qquad \gamma_3(z_d)\sqrt{d} \mapsto \beta,\qquad i\gamma_3(z_d) \mapsto \beta V/U = \alpha,$$
$$j(z_d) = 1728 + \gamma_3(z_d)^2 \mapsto 1728 - \alpha^2 = \delta.$$

It follows that E is the reduction mod $\mathcal{P}$ of the elliptic curve over $H = H_K$ in Theorem 4.1 above, for which we have a formula of the form:
$$\#E(\mathcal{O}_H/\mathcal{P}) = \#E(\mathbb{F}_p) = p + 1 - \tilde\varepsilon(\pi)\cdot 2U$$
with an explicit $\tilde\varepsilon(\pi) \in \mu_2$. One can check that the congruence conditions in the last step of the algorithm hold if and only if $1 = \tilde\varepsilon(\pi)$.
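The d = 2 instance of the §8 algorithm, as an added Python example (my own code, not the PARI/GP implementation the paper posts at [30]): the last step is a congruence check on U and V, and the brute-force point counter and the search for (U, V) are my own helpers used only to confirm the output.

```python
"""Last step of the CM method for d = 2 (the case restated in Section 8): given a prime
p = U^2 + 2V^2, output a curve over F_p with exactly p + 1 - 2U points by reading off
U and V modulo 4 instead of multiplying a random point by N.  Added example; the
checking helpers are not from the paper."""
from math import isqrt


def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(p, a4, a6):
    """Brute-force #E(F_p) for y^2 = x^3 + a4*x + a6, point at infinity included."""
    return p + 1 + sum(legendre(x**3 + a4 * x + a6, p) for x in range(p))


def represent_u2_plus_2v2(p):
    """Return integers (U, V), U > 0, V >= 0, with p = U^2 + 2V^2, or None.
    Such U, V exist exactly when p = 1 or 3 (mod 8) (the primes of Theorem 2.7)."""
    v = 0
    while 2 * v * v < p:
        u = isqrt(p - 2 * v * v)
        if u * u + 2 * v * v == p:
            return u, v
        v += 1
    return None


def smallest_non_square(p):
    """Smallest quadratic non-residue modulo the odd prime p."""
    return next(n for n in range(2, p) if legendre(n, p) == -1)


def cm_curve_d2(p, U, V):
    """Step (3) for d = 2 in the simplified model of Section 8.
    Returns (a4, a6) with #E(F_p) = p + 1 - 2U for E: y^2 = x^3 + a4*x + a6.
    Any signs of U, V with p = U^2 + 2V^2 are allowed; the count tracks the sign of U."""
    if p != U * U + 2 * V * V or p < 5:
        raise ValueError("need a prime p >= 5 with p = U^2 + 2V^2")
    t = V * pow(U, -1, p) % p            # V * U^{-1} in F_p (U is a unit since U^2 < p)
    a4, a6 = 135 % p, 756 * t % p        # y^2 = x^3 + 135x + 756 V U^{-1}: j = 8000 = j(sqrt(-2))
    if V % 4 == 1 or V % 4 == (U - 1) % 4:
        return a4, a6                    # this model already has p + 1 - 2U points
    nu = smallest_non_square(p)          # otherwise the quadratic twist E^(nu) does
    return a4 * nu * nu % p, a6 * pow(nu, 3, p) % p


def cm_method_d2(p):
    """Whole pipeline for d = 2: find (U, V), build the curve, return (a4, a6, target)
    where target = p + 1 - 2U is the group order the curve is guaranteed to have."""
    uv = represent_u2_plus_2v2(p)
    if uv is None:
        raise ValueError(f"{p} is not of the form U^2 + 2V^2")
    U, V = uv
    a4, a6 = cm_curve_d2(p, U, V)
    return a4, a6, p + 1 - 2 * U


def output_has_target_order(p):
    """True iff the curve produced for p really has p + 1 - 2U points (brute force)."""
    a4, a6, target = cm_method_d2(p)
    return count_points(p, a4, a6) == target


if __name__ == "__main__":
    # p = 11 = 3^2 + 2*1^2: V = 1 (mod 4), so y^2 = x^3 + 3x + 10 is output directly (6 points)
    print(cm_method_d2(11), count_points(11, *cm_curve_d2(11, 3, 1)))
    # p = 19 = 1^2 + 2*3^2: neither congruence holds, so the twist by 2 is output (18 points)
    print(cm_method_d2(19), count_points(19, *cm_curve_d2(19, 1, 3)))
    print(all(output_has_target_order(p) for p in (11, 17, 19, 41, 43, 59, 67, 73, 83, 89, 97)))
```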

9. Ideas of Proof of Main Result

The method of proof in [31] is similar to the method of Stark [41], which follows an approach used by Rumely in his thesis [33] and in [34]. As did Stark (and Miller), we use the theory of complex multiplication ([38]) and Shimura's Reciprocity Law (Theorem 6.31(i) of [38]).

Suppose that E is an elliptic curve over a number field F, and E has CM by an order O in an imaginary quadratic field K ⊆ F. Identify O with End(E) via an isomorphism $\theta : \mathcal{O} \xrightarrow{\ \sim\ } \mathrm{End}(E)$ that is normalized so that $\omega \circ \theta(\alpha) = \alpha\omega$ for all α ∈ O and holomorphic differential forms ω on E.


Let $\mathcal{I}$ denote the group of fractional ideals of F supported on the primes of F where E has good reduction. We recall that the Hecke character $\psi : \mathcal{I} \to K^\times$ is characterized by the property that for every prime $\mathcal{P}$ of F where E has good reduction, writing $\tilde E$ for the reduction of E modulo $\mathcal{P}$, then the image of $\psi(\mathcal{P})$ under
$$K = \mathcal{O} \otimes \mathbb{Q} = \mathrm{End}(E) \otimes \mathbb{Q} \to \mathrm{End}(\tilde E) \otimes \mathbb{Q}$$
is the Frobenius endomorphism of $\tilde E$. One then has:

• $\psi(\mathcal{P}) \in \mathcal{O}_K$,
• $\psi(\mathcal{P})\mathcal{O}_K = N_{F/K}(\mathcal{P})$,
• $\#E(\mathcal{O}_F/\mathcal{P}) = N_{F/\mathbb{Q}}(\mathcal{P}) + 1 - \mathrm{Tr}_{K/\mathbb{Q}}(\psi(\mathcal{P}))$.
In other words, finding π in (2.2) so that the sign ε(π) is 1 corresponds to finding the generator $\psi(\mathcal{P})$ of the ideal $N_{F/K}(\mathcal{P})$ of $\mathcal{O}_K$ that reduces modulo $\mathcal{P}$ to the Frobenius endomorphism of $\tilde E$.

Rumely and Stark considered the family of elliptic curves
$$E_z : y^2 = x^3 - \frac{\gamma_2(z)}{48}\,x + \frac{\gamma_3(z)}{864}.$$
When d ≡ 3 (mod 4) and $3 \nmid d$ (as considered by Stark) then $E_{z_d}$ is defined over the Hilbert class field $H_K$ of $K := \mathbb{Q}(\sqrt{-d})$ and has CM by $\mathcal{O}_K$, and then Stark computed the Hecke character for $E_{z_d}$ over $H_K$, and thus the number of points on the reductions of $E_{z_d}$. If either 3 | d or d ≢ 3 (mod 4), then z can be chosen so that $E_z$ has CM by O, but now $E_z$ is defined over a nontrivial extension of H. However, $E_z$ has quadratic twists defined over H. We used the action (as defined by Shimura; [39] or §A5 of [40]; see also §6.6 of [38] or §1 of [34]) of $\mathrm{GL}_2^+(\mathbb{Q})$ on the space of arithmetic modular forms, and Shimura's Reciprocity Law, to compute the Hecke characters for these twists. (This is where the most work is.) From that, we computed the Hecke characters, and thus the number of points on the reductions, for all elliptic curves over H with CM by O.

Remark 9.1. If ψ is the Hecke character associated to an elliptic curve with CM by an order O, then $\psi(\mathcal{P})$ is in the maximal order $\mathcal{O}_K$. When $\mathcal{P}$ does not divide the conductor of the order O, then $\psi(\mathcal{P})$ lies in the order O. However, when $\mathcal{P}$ divides the conductor of O, then $\psi(\mathcal{P})$ is not necessarily in O (contrary to a popular belief). We give a "typical" example of this phenomenon in Example 4.3 of [31], which will hopefully help to dispel the myth that $\psi(\mathcal{P})$ always lies in O.

References

[1] N. C. Alexander, Point counting on reductions of CM abelian surfaces, UC Irvine PhD Thesis, in preparation.
[2] A. O. L. Atkin, F. Morain, Elliptic curves and primality proving, Math. Comp. 61 (1993), 29–68.
[3] B. J. Birch, Weber's class invariants, Mathematika 16 (1969), 283–294.
[4] B. J. Birch, Heegner's friends, the modular functions, Park City Mathematics Institute Lecture, July 3, 2009.
[5] D. A. Cox, Primes of the form x^2 + ny^2, John Wiley & Sons, New York, 1989.
[6] H. Davenport, H. Hasse, Die Nullstellen der Kongruenzzetafunktionen in gewissen zyklischen Fällen, J. Reine Angew. Math. 172 (1934), 151–182.
[7] C. F. Gauss, Disquisitiones arithmeticae (English translation from Latin), Yale University Press, New Haven, Conn.–London 1966.
[8] C. F. Gauss, Mathematisches Tagebuch, 1796–1814, (German translation from Latin), Fifth edition, Ostwalds Klassiker der Exakten Wissenschaften 256, Verlag Harri Deutsch, Frankfurt am Main, 2005.
[9] B. H. Gross, Arithmetic on elliptic curves with complex multiplication, Lect. Notes in Math. 776, Springer, Berlin, 1980.
[10] B. H. Gross, Minimal models for elliptic curves with complex multiplication, Compositio Math. 45 (1982), 155–164.
[11] T. Hadano, Conductor of elliptic curves with complex multiplication and elliptic curves of prime conductor, Proc. Japan Acad. 51 (1975), 92–95.
[12] G. Herglotz, Zur letzten Eintragung im Gaussschen Tagebuch, Ber. Verh. Sächs. Akad. Wiss. Leipzig Math.-Nat. Kl. 73 (1921), 271–276; Ges. Werke 415–420.
[13] IEEE 1363-2000: Standard Specifications For Public Key Cryptography, Annex A. Number-Theoretic Background, http://grouper.ieee.org/groups/1363/private/P1363-A-11-12-99.pdf
[14] K. Ireland, M. Rosen, A classical introduction to modern number theory, Second Edition, Grad. Texts in Math. 84, Springer, New York, 1990.
[15] N. Ishii, Trace of Frobenius endomorphism of an elliptic curve with complex multiplication, Bull. Austral. Math. Soc. 70 (2004), 125–142.
[16] A. Joux, F. Morain, Sur les sommes de caractères liées aux courbes elliptiques à multiplication complexe, J. Number Theory 55 (1995), 108–128.
[17] F. Lemmermeyer, Reciprocity laws: from Euler to Eisenstein, Springer Monographs in Mathematics, Springer-Verlag, Berlin, 2000.
[18] F. Leprévost, F. Morain, Revêtements de courbes elliptiques à multiplication complexe par des courbes hyperelliptiques et sommes de caractères, J. Number Theory 64 (1997), 165–182.
[19] W. Miller, Counting points on certain CM elliptic curves modulo primes, UCSD PhD thesis, 1998.
[20] F. Morain, Computing the cardinality of CM elliptic curves using torsion points, J. Théor. Nombres Bordeaux 19 (2007), 663–681.
[21] F. Morain, Implementing the asymptotically fast version of the elliptic curve primality proving algorithm, Math. Comp. 76 (2007), 493–505.
[22] Y. Nogami, Y. Morikawa, A method for distinguishing the two candidate elliptic curves in CM method, in Information Security and Cryptology – ICISC 2004, Lect. Notes in Comp. Sci. 3506, Springer, Berlin, 2005, 249–260.
[23] Y. Nogami, M. Obara, Y. Morikawa, A method for distinguishing the two candidate elliptic curves in the complex multiplication method, ETRI Journal 28 (2006), 745–760.
[24] R. Padma, S. Venkataraman, Elliptic curves with complex multiplication and a character sum, J. Number Theory 61 (1996), 274–282.
[25] A. R. Rajwade, Arithmetic on curves with complex multiplication by √−2, Proc. Cambridge Philos. Soc. 64 (1968), 659–672.
[26] A. R. Rajwade, A note on the number of solutions N_p of the congruence y^2 ≡ x^3 − Dx (mod p), Proc. Cambridge Philos. Soc. 67 (1970), 603–605.
[27] A. R. Rajwade, The Diophantine equation y^2 = x(x^2 + 21Dx + 112D^2) and the conjectures of Birch and Swinnerton-Dyer, J. Austral. Math. Soc. Ser. A 24 (1977), 286–295.
[28] A. R. Rajwade, J. C. Parnami, A new cubic character sum, Acta Arith. 40 (1981/82), 347–356.
[29] D. B. Rishi, J. C. Parnami, A. R. Rajwade, Evaluation of a cubic character sum using the √−19 division points of the curve Y^2 = X^3 − 2^3·19X + 2·19^2, J. Number Theory 19 (1984), 184–194.
[30] K. Rubin, A. Silverberg, web posting of algorithms and pre-computed polynomials, http://math.uci.edu/~asilverb/bibliography/CMmethod.html
[31] K. Rubin, A. Silverberg, Point counting on reductions of CM elliptic curves, J. Number Theory 129 (2009), 2903–2923.
[32] K. Rubin, A. Silverberg, Choosing the correct elliptic curve in the CM method, Math. Comp. 79 (2010), 545–561.
[33] R. S. Rumely, An explicit formula for the grössencharacter of an abelian variety with complex multiplication, Princeton University PhD Thesis, 1978.
[34] R. S. Rumely, A formula for the grössencharacter of a parametrized elliptic curve, J. Number Theory 17 (1983), 389–402.
[35] R. S. Rumely, On the grössencharacter of an abelian variety in a parametrized family, Trans. Amer. Math. Soc. 276 (1983), 213–233.
[36] R. Schertz, Weber's class invariants revisited, J. Théor. Nombres Bordeaux 14 (2002), 325–343.
[37] G. Shimura, On the zeta-function of an abelian variety with complex multiplication, Ann. of Math. 94 (1971), 504–533.
[38] G. Shimura, Introduction to the arithmetic theory of automorphic functions, Reprint of the 1971 original, Publications of the Mathematical Society of Japan 11, Princeton Univ. Press, Princeton, NJ, 1994.
[39] G. Shimura, On certain reciprocity-laws for theta functions and modular forms, Acta Math. 141 (1978), 35–71.
[40] G. Shimura, Elementary Dirichlet series and modular forms, Springer, New York, 2007.
[41] H. M. Stark, Counting points on CM elliptic curves, Rocky Mountain J. Math. 26 (1996), 1115–1138.
[42] H. Weber, Lehrbuch der Algebra III, Braunschweig, 1908.

Mathematics Department, University of California, Irvine, CA 92697, USA E-mail address: [email protected]

Contemporary Mathematics Volume 521, 2010

Families of Explicit Isogenies of Hyperelliptic Jacobians

Benjamin Smith

Abstract. We construct three-dimensional families of hyperelliptic curves of genus 6, 12, and 14, two-dimensional families of hyperelliptic curves of genus 3, 6, 7, 10, 20, and 30, and one-dimensional families of hyperelliptic curves of genus 5, 10 and 15, all of which are equipped with an explicit isogeny from their Jacobian to another hyperelliptic Jacobian. We show that the Jacobians are generically absolutely simple, and describe the kernels of the isogenies. The families are derived from Cassou-Noguès and Couveignes' explicit classification of pairs (f, g) of polynomials such that $f(x_1) - g(x_2)$ is reducible.

1. Introduction

In this article, we construct twelve explicit families of isogenies of hyperelliptic Jacobians. By explicit, we mean that we provide equations for hyperelliptic curves generating the domains and codomains of each isogeny, together with a correspondence on the curves realizing the isogeny as a map on divisor classes. Our main results are summarized by Theorem 1.1, which follows from the examples of §6.

Theorem 1.1. For each row of Table 1: There exists a family of explicit isogenies of Jacobians of hyperelliptic curves of genus g over K, splitting multiplication-by-m, with kernel isomorphic to G and isotropic with respect to the m-Weil pairing; the image of the family in the moduli space of such isogenies is n-dimensional, and the generic fibre of the family is an isogeny of absolutely simple Jacobians.

Our families of isogenies are derived from the remarkable explicit classification of pairs of polynomials (f, g) such that $f(x_1) - g(x_2)$ is reducible due to Cassou-Noguès and Couveignes [5], building on the work of Fried [10, 11, 12], Feit [7, 8, 9], Birch [4], and others. We associate families of pairs of curves to every such pair (f, g), and a family of explicit homomorphisms (between the Jacobians of the curves of each pair) to each factor of $f(x_1) - g(x_2)$. We show that each homomorphism is in fact an isogeny of (generically) absolutely simple Jacobians, and compute the isomorphism type of its kernel. We also calculate the dimension of the image of each family in its appropriate moduli space.

2010 Mathematics Subject Classification. Primary 11G10; Secondary 14H40, 14H25, 14K15. The author is grateful to the mathematics departments at the University of Sydney and Royal Holloway, University of London, where parts of this work were carried out. This research was supported in part by EPSRC grant EP/C014839/1.

© 2010 American Mathematical Society

BENJAMIN SMITH

Table 1. The essential data of the isogenies in Theorem 1.1

  g    n   [m]   G                                         K
  3    2   [2]   (Z/2Z)^3                                  Q(√−7)
  5    1   [3]   (Z/3Z)^5                                  Q(√−11)
  6    3   [2]   (Z/2Z)^6                                  Q(√−7)
  6    2   [3]   (Z/3Z)^6                                  Q(√(−3√13+1))
  7    2   [4]   (Z/4Z)^6 × (Z/2Z)^2                       Q(√−15)
  10   2   [3]   (Z/3Z)^10                                 Q(√−11)
  10   1   [4]   (Z/4Z)^9 × (Z/2Z)^2                       Q(√−7)
  12   3   [3]   (Z/3Z)^12                                 Q(√(−3√13+1))
  14   3   [4]   (Z/4Z)^9 × (Z/2Z)^10                      Q(√−15)
  15   1   [8]   (Z/8Z)^10 × (Z/4Z)^5 × (Z/2Z)^5           Sextic CM-field (see Ex. 4.11)
  20   2   [4]   (Z/4Z)^19 × (Z/2Z)^2                      Q(√−7)
  30   2   [8]   (Z/8Z)^11 × (Z/4Z)^19 × (Z/2Z)^19         Sextic CM-field (see Ex. 4.11)

Over the complex field, abelian varieties are complex tori, and we may construct isogenies by working with period matrices. Over general fields, these methods are not available to us; the only abelian varieties for which we have a convenient representation for explicit computation are Jacobians of curves, where we can use the standard isomorphism with the divisor class group. However, the Jacobians occupy a positive-codimension subspace of the moduli space of abelian varieties in dimension greater than three, so an isogeny with a Jacobian for a domain generally does not have another Jacobian for a codomain. For this reason, examples of explicit isogenies of higher-dimensional abelian varieties are particularly rare (setting aside endomorphisms such as integer multiplication and Frobenius). We note that recently, Mestre has described a (g+1)-dimensional family of (Z/2Z)^g-isogenies of Jacobians of hyperelliptic curves of genus g for every g ≥ 1 (see [20]). Our families of isogenies are defined over number fields, and provide a source of examples of explicit isogenies of high-dimensional abelian varieties over exact fields.

Notation. Throughout, ζ_n denotes a primitive n-th root of unity in Q̄. If f(x) = Σ_i c_i x^i is a polynomial over a field K with an automorphism σ, then we write f^σ(x) for Σ_i c_i^σ x^i. The genus of a curve X is denoted g_X. If φ is an isogeny with kernel isomorphic to a group G, then we say that φ is a G-isogeny.

2. The basic construction

Suppose (f,g) is a pair of squarefree polynomials of degree at least 5 over a field K (of characteristic not 2) such that there exists a nontrivial factorization

    f(x_1) − g(x_2) = A(x_1,x_2) B(x_1,x_2).

Given such a pair of polynomials, we define a pair (X, Y) of hyperelliptic curves by

    X : y_1^2 = f(x_1)   and   Y : y_2^2 = g(x_2).

The factors A and B of f(x_1) − g(x_2) define explicit homomorphisms from J_X to J_Y as follows: Let C be the correspondence on X × Y defined by

    (2.1)   C := V(y_1 − y_2, A(x_1,x_2)) ⊂ X × Y.

FAMILIES OF EXPLICIT ISOGENIES OF HYPERELLIPTIC JACOBIANS

The natural projections of X × Y restrict to coverings π_X : C → X and π_Y : C → Y. Composing the pullback (π_X)^* : J_X → J_C with the pushforward (π_Y)_* : J_C → J_Y, we obtain a homomorphism

    (2.2)   φ := (π_Y)_* (π_X)^* : J_X → J_Y;

we say φ is induced by C. The homomorphism φ is completely explicit: we can compute the image of a divisor class on X under φ by pulling back a representative divisor to C and then pushing the result forward onto Y. Replacing A with B in (2.1), we obtain the homomorphism −φ. Exchanging X and Y in (2.2), we obtain the Rosati dual homomorphism φ^† = λ_X^{−1} φ̂ λ_Y : J_Y → J_X, where λ_X : J_X → Ĵ_X and λ_Y : J_Y → Ĵ_Y are the canonical principal polarizations and φ̂ : Ĵ_Y → Ĵ_X is the dual homomorphism. (See [1, §11.5] for further details.)

If A(x_1,x_2) divides f(x_1) − g(x_2), then it also divides F(f(x_1)) − F(g(x_2)) for every polynomial F over K. Therefore, if we let F = x^d + s_1 x^{d−1} + ··· + s_{d−1} x + s_d be the generic monic polynomial of degree d (where the s_i are free parameters), let Δ_f (resp. Δ_g) be the discriminant of F(f(x)) (resp. F(g(x))), and let T be the parameter space defined by

    T := Spec(K[s_1, ..., s_d]) \ (V(Δ_f) ∪ V(Δ_g)),

then we obtain a d-parameter family (𝒳, 𝒴) → T of pairs of curves defined by

    𝒳 : y_1^2 = F(f(x_1)) = f(x_1)^d + s_1 f(x_1)^{d−1} + ··· + s_{d−1} f(x_1) + s_d
and
    𝒴 : y_2^2 = F(g(x_2)) = g(x_2)^d + s_1 g(x_2)^{d−1} + ··· + s_{d−1} g(x_2) + s_d,

together with a family of homomorphisms φ : J_𝒳 → J_𝒴 induced by the correspondence

    𝒞 = V(y_1 − y_2, A(x_1,x_2)) ⊂ 𝒳 ×_T 𝒴.

That is, for each P in T, if C_P, X_P, and Y_P are the fibres of 𝒞, 𝒳, and 𝒴 over P, then C_P induces a homomorphism φ_P : J_{X_P} → J_{Y_P}.

If f and g are defined over a polynomial ring K[t], then we define (d+1)-parameter families of pairs of curves and homomorphisms over K, this time parameterised by T = Spec(K[t, s_1, ..., s_d]) \ (V(Δ_f) ∪ V(Δ_g)), in exactly the same way. Throughout this article we will use T to denote the parameter space of each of our families; the precise definition of T in each case will be clear from the context.

We will restrict our attention to the cases deg F = 1 (the linear construction) and deg F = 2 (the quadratic construction). For higher degrees, the Jacobians of 𝒳 and 𝒴 are reducible. Indeed, we have a covering (x, y) ↦ (f(x), y) from X to the curve X' : v^2 = F(u), so J_{X'} is an isogeny factor of J_X whenever X' has positive genus: that is, whenever deg F > 2. We aim to construct explicit isogenies of absolutely simple Jacobians, so we will set aside higher-degree polynomials F.

Our constructions depend only on f and g, and generalize to curves of the form P(y) = f(x) where deg P ≥ 2. The analysis of the resulting homomorphisms is more detailed, however, and some of the methods we use in §3 do not readily extend to these curves. We will return to these generalizations in future work.


3. Determining kernel structure

Suppose 𝒳, 𝒴, T, and φ : J_𝒳 → J_𝒴 are defined (as in the previous section) over a number field K. We want to determine whether φ is an isogeny, and if so to compute a group G isomorphic to its kernel. It suffices to consider the generic fibre φ : J_X → J_Y, which is defined over K(T). We may assume g_X = g_Y.

The first step is to show that J_X is absolutely simple; then φ is an isogeny if and only if it is nonzero. Further, if φ is an isogeny and J_X is absolutely simple, then J_Y must also be absolutely simple, and φ itself cannot arise from a product of isogenies of lower-dimensional abelian varieties. Since a reducible abelian variety has no absolutely simple specializations, it is enough to exhibit a point P of the parameter space T such that the specialization J_P of J_X at P is absolutely simple. In Examples 6.1 and 6.5, there will exist a convenient choice of P allowing us to deduce the simplicity of J_P from CM-theory. For the other examples, we will exhibit a prime 𝔭 of K such that the (good) reduction J̄_P of J_P at 𝔭 is absolutely simple; the absolute simplicity of J_P, and thus the absolute simplicity of J_X, then follows from [6, Lemma 6].

To show that J̄_P is absolutely simple, we compute its Weil polynomial χ (that is, the characteristic polynomial of its Frobenius endomorphism) using Kedlaya's algorithm [15], which is implemented in Magma [13, 2]. For this to be practical, the norm of 𝔭 must be a power of a small prime, especially for the higher-genus families. If χ is irreducible, then J̄_P is simple. To determine whether J̄_P is absolutely simple, we apply the criterion appearing in [14]:

Lemma 3.1 (Howe and Zhu [14, Prop. 3]). Let A be a simple abelian variety over a finite field, and let χ be its (irreducible) Weil polynomial. Let π be an element of Q̄ satisfying χ(π) = 0. Let D be the set of integers d > 1 such that either
(1) χ(x) lies in Z[x^d], or
(2) [Q(π) : Q(π^d)] > 1 and Q(π) = Q(π^d, ζ_d).
If D is empty, then A is absolutely simple.

Note that D ⊂ {d ∈ Z_{>0} : ϕ(d) | 2 dim A}, so this criterion can be efficiently checked. In our examples, we will be handling some large Weil polynomials; it will be convenient to use the following, more compact representation.

Definition 3.2. Let A be a g-dimensional abelian variety over F_q with Weil polynomial χ. We define the Weil coefficients of A to be the integers w_1, ..., w_g such that

    χ(x) = x^{2g} + w_1 x^{2g−1} + ··· + w_g x^g + w_{g−1} q x^{g−1} + ··· + w_1 q^{g−1} x + q^g.

Recall that φ^†φ is an endomorphism of J_X; if J_X and J_Y are absolutely simple, then φ^†φ = [m]_{J_X} for some nonzero integer m. Conversely, if φ^†φ = [m]_{J_X} for some m, then φ is an isogeny and ker φ ⊂ J_X[m]. Since φ is an isogeny of Jacobians (thus respecting the canonical polarizations) by construction, its kernel must be a maximally isotropic subgroup for the m-Weil pairing (cf. [21, Prop. 16.8]); the nondegeneracy of the Weil pairing then gives the following elementary result.

Lemma 3.3. If φ^†φ = [m]_{J_X} for some positive integer m, then the kernel of φ is a maximal isotropic subgroup of J_X[m] with respect to the m-Weil pairing, and φ is a G-isogeny for some subgroup G of (Z/mZ)^{2g_X} such that G ≅ (Z/mZ)^{2g_X}/G. Further, if m is squarefree, then G ≅ (Z/mZ)^{g_X}.


Let Ω(X) and Ω(Y) denote the K(T)-vector spaces of regular differentials on X and Y, respectively. We fix ordered bases

    Ω(X) = ⟨ d(x_1^i)/y_1 : 1 ≤ i ≤ g_X ⟩   and   Ω(Y) = ⟨ d(x_2^i)/y_2 : 1 ≤ i ≤ g_Y ⟩,

allowing us to identify differentials in Ω(X) and Ω(Y) with row vectors, and homomorphisms Ω(X) → Ω(Y) with g_X × g_Y matrices acting by multiplication on the right. We have the well-known representation

    D_{X,Y}(·) : Hom(J_X, J_Y) → Hom(Ω(X), Ω(Y)) ≅ Mat_{g_X × g_Y}(K(T)),

sending a homomorphism to its induced map on differentials (see [22, §2.9] for details). This representation is faithful in characteristic zero, and it respects composition: if φ : J_X → J_Y and ψ : J_Y → J_Z are homomorphisms, then

    D_{X,Z}(ψφ) = D_{X,Y}(φ) D_{Y,Z}(ψ).

In particular, when J_X ≅ J_Y we obtain a representation of rings

    D_X(·) : End(J_X) → Mat_{g_X × g_X}(K(T)).

To determine whether φ is an isogeny, we compute D_X(φ^†φ) = D_{X,Y}(φ) D_{Y,X}(φ^†) and check that the result is equal to m I_{g_X} for some integer m ≠ 0. Given m, we can use Lemma 3.3 to partially determine the group structure of ker φ.

It is straightforward to compute D_{X,Y}(φ) when φ is induced by a correspondence of the form C = V(y_1 − y_2, A(x_1,x_2)) ⊂ X × Y. Pulling back our basis of Ω(X) to Ω(C) (via the inclusion of K(T)(X) into K(T)(C) induced by π_X) and then taking the trace from Ω(C) to Ω(Y) (with respect to the inclusion of K(T)(Y) into K(T)(C) induced by π_Y), we have

    D_{X,Y}(φ)(d(x_1^i)/y_1) = Tr^{Ω(C)}_{Ω(Y)}(d(x_1^i)/y_1) = d(t_i)/y_2,   where t_i := Tr^{K(T)(C)}_{K(T)(Y)}(x_1^i).

To compute the traces t_i, we write A(x_1,x_2) as a polynomial in x_1 over K(T)[x_2] (after possibly rescaling to ensure A is monic in x_1):

    A(x_1,x_2) = x_1^d + Σ_{j=1}^{d} (−1)^j s_j(x_2) x_1^{d−j},

where s_j is the j-th elementary symmetric polynomial in the roots of A viewed as an element of K(T)(x_2)[x_1]. But t_i is by definition the i-th power sum symmetric function in these same roots, so we can express the t_i in terms of the s_j using the standard Newton–Girard recurrences:

    j s_j = Σ_{i=1}^{j} (−1)^{i−1} s_{j−i} t_i.

Each s_j is a polynomial in x_2 over K(T) of degree at most j, so each trace t_i is a polynomial in x_2 over K(T) of degree at most i. We can therefore write

    d(t_i)/y_2 = Σ_{j=1}^{i} t_{i,j} d(x_2^j)/y_2

with coefficients t_{i,j} in K(T); these coefficients are precisely the entries of D_{X,Y}(φ) (with t_{i,j} = 0 for j > i). We noted in §2 that if φ : J_X → J_Y is induced by a correspondence on X × Y, then we obtain the Rosati dual φ^† : J_Y → J_X by simply exchanging X and Y.
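The recipe just described (D_{X,Y}(φ) from the Newton–Girard recurrences, then φ^† from the correspondence with x_1 and x_2 exchanged) is mechanical enough to run as it stands. The following is an added example and not code from the paper: plain Python working over the prime field F_41 in place of K(T), applied to the two degree-5 factors of Examples 4.4 and 4.5, namely the cyclic factor A = x_1 − ζ_5 x_2 and the Dickson factor A_{5,1}. The choices P = 41 and ζ_5 = 10 are assumptions of the example (10 has order 5 in F_41, and 41 ≡ 1 mod 20 so the Dickson roots used in a later example also lie in F_41). Polynomials in x_2 are coefficient lists, bivariate polynomials are dicts keyed by (i, j) for x_1^i x_2^j, and matrices are lists of rows acting on row vectors from the right, as in the text.

```python
"""The differential-matrix computation of Section 3 over a prime field F_P.

Added example, not code from the paper.  Assumptions: P = 41 replaces K(T); a
bivariate polynomial is a dict {(i, j): c} meaning c * x1^i * x2^j; a polynomial
in x2 is a coefficient list [c0, c1, ...]; the leading coefficient of A in x1 is a
nonzero constant, so A can be made monic by rescaling.
"""
P = 41

def padd(u, v):
    n = max(len(u), len(v))
    return [((u[k] if k < len(u) else 0) + (v[k] if k < len(v) else 0)) % P for k in range(n)]

def pmul(u, v):
    out = [0] * (len(u) + len(v) - 1) if u and v else []
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            out[i + j] = (out[i + j] + a * b) % P
    return out

def pscale(c, u):
    return [(c * a) % P for a in u]

def monic_in_x1(A):
    """Rescale A so that its leading coefficient in x1 is 1 (it must be a constant)."""
    d = max(i for i, _ in A)
    lead = {j: c for (i, j), c in A.items() if i == d and c % P}
    assert set(lead) <= {0}, "leading coefficient in x1 must not depend on x2"
    inv = pow(lead[0], P - 2, P)
    return {k: (c * inv) % P for k, c in A.items()}

def elementary_symmetric(A):
    """A = x1^d + sum_j (-1)^j s_j(x2) x1^(d-j); return d and [s_0, s_1, ..., s_d]."""
    A = monic_in_x1(A)
    d = max(i for i, _ in A)
    s = [[] for _ in range(d + 1)]
    for (i, j), c in A.items():
        k = d - i                                  # this term belongs to (-1)^k s_k
        if j >= len(s[k]):
            s[k] += [0] * (j + 1 - len(s[k]))
        s[k][j] = (s[k][j] + (-1) ** k * c) % P
    return d, s

def power_sums(A, g):
    """Newton-Girard: t_i = (-1)^(i-1) * ( i s_i - sum_{k=1}^{i-1} (-1)^(k-1) s_{i-k} t_k )."""
    d, s = elementary_symmetric(A)
    sym = lambda k: s[k] if k <= d else []         # s_k = 0 for k > d
    t = [None]
    for i in range(1, g + 1):
        acc = pscale(i, sym(i))
        for k in range(1, i):
            acc = padd(acc, pscale((-1) ** k, pmul(sym(i - k), t[k])))
        t.append(pscale((-1) ** (i - 1), acc))
    return t[1:]

def differential_matrix(A, g):
    """Entry (i, j) is the coefficient of d(x2^j)/y2 in d(t_i)/y2, i.e. the x2^j coefficient of t_i."""
    rows = []
    for ti in power_sums(A, g):
        assert all(c == 0 for c in ti[g + 1:]), "trace of degree > g: not a regular differential"
        rows.append([ti[j] if j < len(ti) else 0 for j in range(1, g + 1)])
    return rows

def rosati_dual(A):
    """Exchanging X and Y replaces A(x1, x2) by A(x2, x1)."""
    return monic_in_x1({(j, i): c for (i, j), c in A.items()})

def matmul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N))) % P for j in range(len(N[0]))] for i in range(len(M))]

def scalar_multiple(M):
    """Return m if M == m * I (the test D(phi^dagger phi) = m I of Section 3), else None."""
    m = M[0][0]
    return m if all(M[i][j] == (m if i == j else 0) for i in range(len(M)) for j in range(len(M))) else None

ZETA = 10                                          # primitive 5th root of unity in F_41 (assumption)
ZINV = pow(ZETA, P - 2, P)                         # 37
# Example 4.4: factor x1 - zeta*x2 of x1^5 - x2^5; the curves y^2 = x^5 + s have genus 2.
A_CYCLIC = {(1, 0): 1, (0, 1): -ZETA % P}
# Example 4.5: factor A_{5,1} = x1^2 + x2^2 - (zeta+zeta^-1) x1 x2 + (zeta-zeta^-1)^2 of D_5(x1) - D_5(x2).
A_DICKSON = {(2, 0): 1, (0, 2): 1, (1, 1): -(ZETA + ZINV) % P, (0, 0): (ZETA - ZINV) ** 2 % P}

def demo():
    """For each factor: D(phi), D(phi^dagger), and m with D(phi) D(phi^dagger) = m I (None if not scalar)."""
    out = {}
    for name, A in (("cyclic", A_CYCLIC), ("dickson", A_DICKSON)):
        D, Ddag = differential_matrix(A, 2), differential_matrix(rosati_dual(A), 2)
        out[name] = (D, Ddag, scalar_multiple(matmul(D, Ddag)))
    return out

if __name__ == "__main__":
    for name, (D, Ddag, m) in demo().items():
        print(name, "D(phi) =", D, "D(phi^dagger) =", Ddag, "m =", m)
```

For the cyclic factor the two matrices are diag(ζ_5, ζ_5^2) and diag(ζ_5^{−1}, ζ_5^{−2}) and their product is the identity, so m = 1 (the automorphism of Example 5.1). For the Dickson factor A_{5,1} is symmetric in x_1 and x_2, both matrices equal diag(η, η^2 − 2) with η = ζ_5 + ζ_5^{−1}, the product is not a scalar matrix, and D satisfies η^2 + η − 1 = 0: the correspondence induces real multiplication by Z[ζ_5 + ζ_5^{−1}] rather than an isogeny with φ^†φ = [m].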


We may therefore compute D_{Y,X}(φ^†) in exactly the same way as D_{X,Y}(φ), expressing the differentials φ^†_*(d(x_2^i)/y_2) = Tr^{Ω(C)}_{Ω(X)}(d(x_2^i)/y_2) as linear combinations of the d(x_1^j)/y_1.

If φ^†φ = [m]_{J_X}, then Lemma 3.3 allows us to determine the structure of ker φ when m is squarefree. But in our examples we will encounter m = 2, 3, 4, and 8; we will therefore need another technique to handle m = 4 and 8. The following useful result follows directly from Lemma 3.3.

Lemma 3.4. Let φ : J_X → J_Y be an isogeny over a field of characteristic not 2, such that φ^†φ = [m]_{J_X} with m = 4 or 8, and let ν be the (Z/2Z)-rank of ker φ ∩ J_X[2].
(1) If m = 4, then ker φ ≅ (Z/4Z)^{2g_X − ν} × (Z/2Z)^{2(ν − g_X)}.
(2) If m = 8, then ker φ ≅ (Z/8Z)^{2g_X − ν} × (Z/4Z)^{ν − g_X} × (Z/2Z)^{ν − g_X}.

To apply Lemma 3.4, we need to compute the (Z/2Z)-rank ν of ker φ ∩ J_X[2].

Lemma 3.5. Let f(x) = ∏_{i=1}^{d} (x − γ_i) and g(x) = ∏_{i=1}^{d} (x − δ_i) be polynomials of degree d > 2 over a field of characteristic not 2 such that f(x_1) − g(x_2) has a nontrivial factor A(x_1,x_2). Let X : y_1^2 = f(x_1) and Y : y_2^2 = g(x_2) be hyperelliptic curves, and φ : J_X → J_Y the homomorphism induced by the correspondence V(y_1 − y_2, A(x_1,x_2)) on X × Y. The (Z/2Z)-rank of ker φ ∩ J_X[2] is given by

    rank_{Z/2Z}(ker φ ∩ J_X[2]) = dim(ker M),

where M is the 2g_X × 2g_Y matrix over F_2 with (i,j)-th entry ν_{i,j} + ν_{i,2g_Y+1} (mod 2), where ν_{i,j} denotes the multiplicity of (x_2 − δ_j) as a factor of A(γ_i, x_2) for 1 ≤ i, j ≤ d.

Proof. Let W_i = (γ_i, 0) on X and W'_i = (δ_i, 0) on Y for each 1 ≤ i ≤ d. If d is odd (so d = 2g_X + 1 = 2g_Y + 1), then let W_{2g_X+2} (resp. W'_{2g_Y+2}) be the unique point at infinity on X (resp. Y), and set ν_{i,2g_Y+2} := 0 for 1 ≤ i ≤ 2g_X. The sets {W_i : 1 ≤ i ≤ 2g_X + 2} and {W'_i : 1 ≤ i ≤ 2g_Y + 2} are then the sets of Weierstrass points of X and Y, respectively. It is well-known that J_X[2] (resp. J_Y[2]) is generated by differences of Weierstrass points of X (resp. Y), subject to the relations

    [(W_{2g_X+1}) − (W_{2g_X+2})] = Σ_{i=1}^{2g_X} [(W_i) − (W_{2g_X+2})]
and
    [(W'_{2g_Y+1}) − (W'_{2g_Y+2})] = Σ_{i=1}^{2g_Y} [(W'_i) − (W'_{2g_Y+2})].

We therefore fix explicit bases for the 2-torsion:

    J_X[2] = ⟨ [(W_i) − (W_{2g_X+2})] ⟩_{i=1}^{2g_X}   and   J_Y[2] = ⟨ [(W'_i) − (W'_{2g_Y+2})] ⟩_{i=1}^{2g_Y}.

Since φ restricts to a homomorphism φ|_2 : J_X[2] → J_Y[2], we have a representation

    T_2(·) : Hom(J_X, J_Y) → Hom(J_X[2], J_Y[2]) ≅ Mat_{2g_X × 2g_Y}(F_2)

(where the isomorphism is determined by our choice of bases). The (Z/2Z)-rank of ker φ ∩ J_X[2] = ker φ|_2 is then equal to the nullity of the matrix T_2(φ). The entries t_{i,j} of T_2(φ) are determined by the relations

    φ([(W_i) − (W_{2g_X+2})]) = Σ_{j=1}^{2g_Y} t_{i,j} [(W'_j) − (W'_{2g_Y+2})]

(this is well-defined, since the t_{i,j} may be viewed as elements of Z/2Z). Explicitly computing the images of the basis elements, we find

    φ([(W_i) − (W_{2g_X+2})])
      = Σ_{j=1}^{2g_Y+1} (ν_{i,j} − ν_{i,2g_Y+2}) [(W'_j) − (W'_{2g_Y+2})]
      = Σ_{j=1}^{2g_Y} (ν_{i,j} − ν_{i,2g_Y+2}) [(W'_j) − (W'_{2g_Y+2})] + (ν_{i,2g_Y+1} − ν_{i,2g_Y+2}) Σ_{j=1}^{2g_Y} [(W'_j) − (W'_{2g_Y+2})]
      = Σ_{j=1}^{2g_Y} (ν_{i,j} + ν_{i,2g_Y+1} − 2ν_{i,2g_Y+2}) [(W'_j) − (W'_{2g_Y+2})]
      = Σ_{j=1}^{2g_Y} (ν_{i,j} + ν_{i,2g_Y+1}) [(W'_j) − (W'_{2g_Y+2})],

the last equality holding because the classes are 2-torsion, so t_{i,j} ≡ ν_{i,j} + ν_{i,2g_Y+1} (mod 2) for 1 ≤ j ≤ 2g_Y and 1 ≤ i ≤ 2g_X. Hence M = T_2(φ), and the result follows. □

In practice, computing the matrix M of Lemma 3.5 can be difficult if the roots of f and g are not all defined over a low-degree extension of the ground field. In our examples, we will be free to choose (reductions of) X and Y in such a way that all of the roots of f and g lie in a small finite field.
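Once f and g split over a small prime field, the matrix M of Lemma 3.5 only needs the multiplicities ν_{i,j}, so it is a short computation. The following is an added example and not code from the paper: it computes M and its F_2-nullity over F_41 for the two degree-5 factors, the Dickson factor A_{5,1} of D_5(x_1) − D_5(x_2) (Example 4.5) and the cyclic factor x_1 − ζ_5 x_2 of (x_1^5 − 1) − (x_2^5 − 1) (Example 4.4, the linear construction on x^5 with s = −1), with P = 41 and ζ_5 = 10 assumed as before. Both D_5 and x^5 − 1 have all five roots in F_41 (41 ≡ 1 mod 20), so d = 5 is odd and ν_{i,6} = 0 as in the proof. In both cases the nullity is 0, as it must be: the cyclic factor induces an automorphism and the Dickson factor real multiplication by η = ζ_5 + ζ_5^{−1}, whose norm ηη' = −1 is a unit, so ker φ ∩ J_X[2] is trivial. The same functions accept any (f, g, A) reduced modulo a prime over which the roots are rational.

```python
"""Lemma 3.5 over a prime field F_P: the 2-torsion matrix M and its F_2-nullity.

Added example, not code from the paper.  Assumptions: P = 41; f and g are
coefficient lists [c0, c1, ...] of odd degree d = 2g + 1 that split over F_P with
distinct roots (so the omitted Weierstrass point is the point at infinity and
nu_{i,2g+2} = 0, as in the proof); A(x1, x2) is a dict {(i, j): c} for c*x1^i*x2^j.
"""
P = 41

def eval_poly(coeffs, x):
    """Horner evaluation of sum_k coeffs[k] x^k modulo P."""
    r = 0
    for c in reversed(coeffs):
        r = (r * x + c) % P
    return r

def roots_in_fp(coeffs):
    """All roots in F_P in increasing order; the lemma needs deg f of them, all distinct."""
    rs = [x for x in range(P) if eval_poly(coeffs, x) == 0]
    assert len(rs) == len(coeffs) - 1, "polynomial must split over F_P with distinct roots"
    return rs

def specialise_x1(A, gamma):
    """A(gamma, x2) as a coefficient list in x2."""
    out = [0] * (max(j for _, j in A) + 1)
    for (i, j), c in A.items():
        out[j] = (out[j] + c * pow(gamma, i, P)) % P
    return out

def multiplicity(coeffs, delta):
    """Exponent of (x2 - delta) dividing the polynomial, by repeated synthetic division."""
    m = 0
    while len(coeffs) > 1 and eval_poly(coeffs, delta) == 0:
        quotient, carry = [0] * (len(coeffs) - 1), 0
        for k in range(len(coeffs) - 1, 0, -1):    # Horner from the top coefficient down
            carry = (coeffs[k] + carry * delta) % P
            quotient[k - 1] = carry
        coeffs = quotient
        m += 1
    return m

def torsion_matrix(f, g, A):
    """The 2g x 2g matrix M of Lemma 3.5: entry (i, j) is nu_{i,j} + nu_{i,2g+1} mod 2."""
    gammas, deltas = roots_in_fp(f), roots_in_fp(g)
    d = len(gammas)
    assert d == len(deltas) and d % 2 == 1, "this example assumes deg f = deg g is odd"
    two_g = d - 1
    nu = [[multiplicity(specialise_x1(A, gi), dj) for dj in deltas] for gi in gammas]
    # nu[i][two_g] is nu_{i,2g+1}: the multiplicity at the last finite root of g.
    return [[(nu[i][j] + nu[i][two_g]) % 2 for j in range(two_g)] for i in range(two_g)]

def nullity_f2(M):
    """dim ker M over F_2 (columns minus rank); rows are held as bit-vectors."""
    ncols = len(M[0])
    rows = [sum(bit << k for k, bit in enumerate(r)) for r in M]
    rank = 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(rows)) if rows[r] >> col & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r] >> col & 1:
                rows[r] ^= rows[rank]
        rank += 1
    return ncols - rank

def two_torsion_rank(f, g, A):
    """The (Z/2Z)-rank nu of ker phi intersected with J_X[2], as Lemma 3.5 computes it."""
    return nullity_f2(torsion_matrix(f, g, A))

ZETA = 10                                          # primitive 5th root of unity in F_41 (assumption)
ZINV = pow(ZETA, P - 2, P)                         # 37
DICKSON5 = [0, 5, 0, -5 % P, 0, 1]                 # D_5(x) = x^5 - 5x^3 + 5x   (Example 4.5)
A_DICKSON = {(2, 0): 1, (0, 2): 1,                 # A_{5,1} = x1^2 + x2^2 - (zeta+zeta^-1) x1 x2 + (zeta-zeta^-1)^2
             (1, 1): -(ZETA + ZINV) % P, (0, 0): (ZETA - ZINV) ** 2 % P}
CYCLIC5 = [-1 % P, 0, 0, 0, 0, 1]                  # x^5 - 1: the linear construction on x^5 with s = -1
A_CYCLIC = {(1, 0): 1, (0, 1): -ZETA % P}          # x1 - zeta x2               (Example 4.4)

if __name__ == "__main__":
    for name, f, A in (("Dickson D_5", DICKSON5, A_DICKSON), ("x^5 - 1", CYCLIC5, A_CYCLIC)):
        print(name, "roots:", roots_in_fp(f), "M =", torsion_matrix(f, f, A), "nu =", two_torsion_rank(f, f, A))
```

For D_5 the five roots are 0, 3, 18, 23, 38 and each A_{5,1}(γ_i, x_2) has two simple roots, so ν_{i,j} is the adjacency matrix of a 5-cycle on the Weierstrass points; M is the 4 × 4 matrix obtained from it by the recipe in the lemma and has full rank. For x^5 − 1 the factor x_1 − ζ_5 x_2 permutes the roots, and again M has full rank.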

4. Pairs of polynomials

In order to use the construction of §2 to produce examples of explicit isogenies, we need a source of pairs of polynomials (f,g) such that f(x_1) − g(x_2) is reducible. We will use the explicit classification of such pairs over C due to Cassou-Noguès and Couveignes [5], which we summarize in Theorem 4.3. This classification is restricted to indecomposable polynomials (in the sense of Definition 4.2), and classifies pairs up to an equivalence relation described in Definition 4.1.

Definition 4.1. We say that polynomials f_1 and f_2 over K are linear translates if there exist a and b in K, with a ≠ 0, such that f_1(x) = f_2(ax + b). We say pairs (f_1,g_1) and (f_2,g_2) of polynomials are equivalent if there exist c ≠ 0 and d in K such that f_1 and cf_2 + d are linear translates and g_1 and cg_2 + d are linear translates.

The "equivalence" of Definition 4.1 is indeed an equivalence relation on pairs of polynomials. Further, if S is an equivalence class, then f(x_1) − g(x_2) is either K-reducible for every (f,g) in S or K-irreducible for every (f,g) in S.

Definition 4.2. A polynomial f is decomposable if f(x) = f_1(f_2(x)) for some polynomials f_1 and f_2 of degree at least 2, and indecomposable otherwise.

Theorem 4.3 (Cassou-Noguès and Couveignes [5]). Let (f,g) be a pair of indecomposable polynomials of degree at least 3 over C, and let σ denote complex conjugation. Assume the classification of finite simple groups.

If f and g are linear translates, then f(x_1) − g(x_2) is divisible by x_1 − x_2, and (f(x_1) − g(x_2))/(x_1 − x_2) is reducible if and only if (f,g) is equivalent to either
(1) the pair (x^n, x^n) for some prime n, or
(2) the pair (D_n, D_n) for some prime n, where D_n is defined in Example 4.5.

If f and g are not linear translates, then f(x_1) − g(x_2) is reducible if and only if (f,g) is equivalent to one of the following (possibly after exchanging f and g):
(3) a pair in the one-parameter family (f_7, f_7^σ) defined in Example 4.6, or
(4) the pair (f_11, f_11^σ) defined in Example 4.7, or
(5) a pair in the one-parameter family (f_13, f_13^σ) defined in Example 4.8, or
(6) a pair in the one-parameter family (f_15, −f_15^σ) defined in Example 4.9, or


(7) the pair (f_21, f_21^σ) defined in Example 4.10, or
(8) the pair (f_31, f_31^σ) defined in Example 4.11.

Example 4.4 (Cyclic polynomials). The difference x_1^n − x_2^n factors as

    x_1^n − x_2^n = ∏_{e=0}^{n−1} (x_1 − ζ_n^e x_2).

Example 4.5 (Dickson polynomials). For each n ≥ 1, we let D_n(x) = D_n(x, 1) denote the n-th Dickson polynomial of the first kind with parameter 1: that is, the unique polynomial of degree n such that D_n(x + x^{−1}, 1) = x^n + x^{−n}. In characteristic zero we have D_n(x) = 2T_n(x/2), where T_n is the classical Chebyshev polynomial of degree n (see [19] for further details). We have a nontrivial factorization

    D_n(x_1) − D_n(x_2) = (x_1 − x_2) ∏_{i=1}^{(n−1)/2} A_{n,i}(x_1,x_2)

(see [19, Theorem 3.12]), where

    A_{n,i}(x_1,x_2) := x_1^2 + x_2^2 − (ζ_n^i + ζ_n^{−i}) x_1 x_2 + (ζ_n^i − ζ_n^{−i})^2.

Example 4.6 (Polynomials of degree 7). Let α_7 be an element of Q̄ satisfying

    α_7^2 + α_7 + 2 = 0;

the involution σ : α_7 ↦ 2/α_7 generates Gal(Q(α_7)/Q). Note that Q(α_7) = Q(√−7) is a quadratic imaginary field, and σ acts as complex conjugation. Let f_7 be the polynomial of degree 7 over Q(α_7)[t] defined by

    f_7(x) := (1/7) x^7 − α_7 t x^5 − α_7 t x^4 − (2α_7 + 5) t^2 x^3 − (4α_7 + 6) t^2 x^2 + ((3α_7 − 2) t^3 − (α_7 + 3) t^2) x + α_7 t^3

(our f_7 is the g of [5, §5.1] with a_2 = α_7). We have a nontrivial factorization

    f_7(x_1) − f_7^σ(x_2) = A_7(x_1,x_2) B_7(x_1,x_2),

where

    A_7 = x_1^3 − x_2^3 − α_7^σ x_1^2 x_2 + α_7 x_1 x_2^2 + (3 − 2α_7^σ) t x_1 − (3 − 2α_7) t x_2 + (α_7 − α_7^σ) t;

note that A_7(x_2,x_1) = −A_7(x_1,x_2)^σ. Both A_7 and B_7 are absolutely irreducible.

Example 4.7 (Polynomials of degree 11). Let α_11 be an element of Q̄ satisfying

    α_11^2 + α_11 + 3 = 0;

the involution σ : α_11 ↦ 3/α_11 generates Gal(Q(α_11)/Q). Note that Q(α_11) = Q(√−11) is an imaginary quadratic field, and σ acts as complex conjugation. Let f_11 be the polynomial of degree 11 over Q(α_11) defined by

    f_11(x) := (1/11) x^11 + α_11 x^9 + 2x^8 − 3(α_11 + 4) x^7 + 16α_11 x^6 − 3(7α_11 − 5) x^5 − 30(α_11 + 4) x^4 + 63(α_11 + 1) x^3 − 20(5α_11 − 1) x^2 − 3(8α_11 + 47) x + 18α_11.

(Our f_11 is the g of [5, §5.2] with a_2 = α_11.) We have a nontrivial factorization

    f_11(x_1) − f_11^σ(x_2) = A_11(x_1,x_2) B_11(x_1,x_2),


where

    A_11(x_1,x_2) = x_1^5 − α_11 x_1^4 x_2 − x_1^3 x_2^2 + (4α_11 + 2) x_1^3 + x_1^2 x_2^3 + (α_11 + 6) x_1^2 x_2
        − (2α_11 − 10) x_1^2 − (α_11 + 1) x_1 x_2^4 + (α_11 − 5) x_1 x_2^2
        − (12α_11 + 6) x_1 x_2 + (8α_11 − 7) x_1 − x_2^5 + (4α_11 + 2) x_2^3
        − (2α_11 + 12) x_2^2 + (8α_11 + 15) x_2 + 12α_11 + 6;

note that A_11(x_2,x_1) = −A_11(x_1,x_2)^σ. Both A_11 and B_11 are absolutely irreducible.

Table 2. Coefficients of the polynomial f_13 (from Ex. 4.8)

  d    Coefficient of x^d in f_13
  13   1/13
  12   0
  11   ((9β_13 − 39)α_13 − 6β_13 + 24) t
  10   ((9β_13 − 39)α_13 − 12β_13 + 51) t
  9    ((−174β_13 + 753)α_13 + (519β_13 − 2217)) t^2
  8    ((1620β_13 − 6966)α_13 − 36β_13 + 162) t^2
  7    ((−29781β_13 + 128115)α_13 + (11988β_13 − 51651)) t^3 + ((1638β_13 − 7047)α_13 − 1305β_13 + 5616) t^2
  6    ((−147933β_13 + 636498)α_13 + (135999β_13 − 585198)) t^3
  5    ((503631β_13 − 2166939)α_13 − 585387β_13 + 2518938) t^4 + ((−18036β_13 + 77598)α_13 + (119934β_13 − 516051)) t^3
  4    ((−1130922β_13 + 4866156)α_13 − 1672488β_13 + 7196364) t^4 + ((71604β_13 − 308097)α_13 − 37719β_13 + 162297) t^3
  3    ((1827441β_13 − 7863156)α_13 + (2618325β_13 − 11266209)) t^5 + ((−8005635β_13 + 34446465)α_13 + (3453192β_13 − 14858316)) t^4
  2    ((50157306β_13 − 215815671)α_13 − 31620618β_13 + 136056429) t^5 + ((−3343518β_13 + 14386410)α_13 + (3744792β_13 − 16113006)) t^4
  1    ((−27171504β_13 + 116912916)α_13 + (11138796β_13 − 47927700)) t^6 + ((73616121β_13 − 316753659)α_13 − 96852267β_13 + 416733579) t^5 + ((770472β_13 − 3315168)α_13 − 303912β_13 + 1307664) t^4
  0    ((−48359916β_13 + 208081872)α_13 − 48359916β_13) t^6 + ((−13260672β_13 + 57057696)α_13 − 13260672β_13) t^5

Example 4.8 (Polynomials of degree 13). Let β_13 and α_13 be elements of Q̄ satisfying

    β_13^2 − 5β_13 + 3 = 0   and   α_13^2 + (β_13 − 2)α_13 + β_13 = 0.

The involution σ : α_13 ↦ β_13/α_13 generates Gal(Q(α_13)/Q(β_13)). Observe that Q(β_13) = Q(√13) is a real quadratic field, and Q(α_13) = Q(√(−3√13 + 1)) is an imaginary quadratic extension of Q(β_13); so Q(α_13) is a CM-field, and σ acts as complex conjugation. Let

    f_13(x) = (1/13) x^13 + ((9β_13 − 39)α_13 − 6β_13 + 24) t x^11 + ((9β_13 − 39)α_13 − 12β_13 + 51) t x^10 + ···

be the polynomial over Q(α_13)[t] defined in Table 2 (note f_13 is the g of [5, §5.3] with a_1 = α_13). We have a nontrivial factorization

    f_13(x_1) − f_13^σ(x_2) = A_13(x_1,x_2) B_13(x_1,x_2),


where

    A_13(x_1,x_2) = x_1^4 + x_2^4 + (β_13 − 3) x_1^2 x_2^2 − 9(3β_13 − 14) t x_1 x_2 + 12(47β_13 − 202) t^2
        − ((β_13 − 4)α_13 + 2) x_1^3 x_2 + ((β_13 − 4)α_13 − β_13 + 3) x_1 x_2^3
        + 3((17β_13 − 73)α_13 − 12β_13 + 50) t x_1^2
        − 3((17β_13 − 73)α_13 − 10β_13 + 45) t x_2^2
        + 3((5β_13 − 22)α_13 − 9β_13 + 38) t x_1
        − 3((5β_13 − 22)α_13 + 2β_13 − 9) t x_2;

note that A_13(x_2,x_1) = A_13(x_1,x_2)^σ. Both A_13 and B_13 are absolutely irreducible.

Table 3. Coefficients of the polynomial f_15 (from Ex. 4.9)

  d    Coefficient of x^d in f_15(x)
  15   1/15
  14   0
  13   (α_15 − 1) t
  12   (α_15 + 7) t
  11   −(5α_15 + 21) t^2
  10   (74α_15 − 142) t^2
  9    −(1/3)(261α_15 − 349) t^3 + (90α_15 + 240) t^2
  8    −(649α_15 + 703) t^3
  7    (138α_15 + 717) t^4 + (1380α_15 − 5760) t^3
  6    −(2192α_15 − 7756) t^4 + (2500α_15 + 2800) t^3
  5    −(1/5)(5835α_15 − 4743) t^5 − (17790α_15 − 5400) t^4
  4    (9699α_15 + 6153) t^5 + (300α_15 − 74400) t^4
  3    (243α_15 − 3591) t^6 + (4680α_15 + 92880) t^5 + (21375α_15 + 4500) t^4
  2    (7254α_15 − 28062) t^6 − (93600α_15 − 165600) t^5
  1    −(945α_15 + 675) t^7 + (52920α_15 − 48600) t^6 − (54000α_15 + 216000) t^5
  0    (675α_15 − 5400) t^7 − (10800α_15 − 86400) t^6

Example 4.9 (Polynomials of degree 15). Let α_15 be an element of Q̄ satisfying

    α_15^2 − α_15 + 4 = 0;

the involution σ : α_15 ↦ 4/α_15 generates Gal(Q(α_15)/Q). Observe that Q(α_15) = Q(√−15) is an imaginary quadratic field, and σ acts as complex conjugation. Let

    f_15(x) = (1/15) x^15 + (α_15 − 1) t x^13 + (α_15 + 7) t x^12 + ···

be the polynomial over Q(α_15)[t] defined in Table 3 (our f_15 is the g of [5, §5.4] with a_1 = α_15). We have f_15(x_1) − (−f_15^σ(x_2)) = A_15(x_1,x_2) B_15(x_1,x_2), where

    A_15(x_1,x_2) = x_1^7 − (α_15 − 1) x_1^6 x_2 − 2 x_1^5 x_2^2 + (7α_15 − 3) t x_1^5 + (α_15 + 1) x_1^4 x_2^3
        + 22 t x_1^4 x_2 + (5α_15 + 65) t x_1^4 − (α_15 − 2) x_1^3 x_2^4 − (10α_15 + 2) t x_1^3 x_2^2
        − (50α_15 − 70) t x_1^3 x_2 + (9α_15 − 69) t^2 x_1^3 − 2 x_1^2 x_2^5
        + (10α_15 − 12) t x_1^2 x_2^3 − 90 t x_1^2 x_2^2 + (39α_15 + 33) t^2 x_1^2 x_2
        + (210α_15 − 150) t^2 x_1^2 + α_15 x_1 x_2^6 + 22 t x_1 x_2^4 + (50α_15 + 20) t x_1 x_2^3
        − (39α_15 − 72) t^2 x_1 x_2^2 + 450 t^2 x_1 x_2
        − ((63α_15 + 45) t^3 − (225α_15 + 900) t^2) x_1 + x_2^7 − (7α_15 − 4) t x_2^5
        − (5α_15 − 70) t x_2^4 − (9α_15 + 60) t^2 x_2^3 − (210α_15 − 60) t^2 x_2^2
        + ((63α_15 − 108) t^3 − (225α_15 − 1125) t^2) x_2 − 675 t^3;

note that A_15(x_2,x_1) = A_15(x_1,x_2)^σ. Both A_15 and B_15 are absolutely irreducible.

Example 4.10 (Polynomials of degree 21). Let α_21 be an element of Q̄ such that

    α_21^2 − α_21 + 2 = 0;

the involution σ : α_21 ↦ 2/α_21 generates Gal(Q(α_21)/Q). Observe that Q(α_21) = Q(√−7) is an imaginary quadratic field, and σ acts as complex conjugation. Let

    f_21(x) = x^21 + (42α_21 + 42) x^19 + (84α_21 + 84) x^18 + ···

be the polynomial over Q(α_21) defined in Table 4 (so f_21(x) = 2^21 g(x/2), where g is the polynomial of [5, §5.5] with a_1 = α_21). We have a nontrivial factorization

    f_21(x_1) − f_21^σ(x_2) = A_21(x_1,x_2) B_21(x_1,x_2),

where

    A_21(x_1,x_2) = x_1^5 + (α_21 + 1) x_1^4 x_2 + 2α_21 x_1^3 x_2^2 + (10α_21 + 18) x_1^3
        + (2α_21 − 2) x_1^2 x_2^3 + (32α_21 − 8) x_1^2 x_2 + (20α_21 + 4) x_1^2
        + (α_21 − 2) x_1 x_2^4 + (32α_21 − 24) x_1 x_2^2 + (32α_21 − 16) x_1 x_2
        + (107α_21 + 55) x_1 − x_2^5 + (10α_21 − 28) x_2^3 + (20α_21 − 24) x_2^2
        + (107α_21 − 162) x_2 + 136α_21 − 68.

Note that A_21(x_1,x_2) = −A_21(x_2,x_1)^σ. Both A_21 and B_21 are absolutely irreducible.

Table 4. Coefficients of the polynomial f_21 (from Ex. 4.10)

  d    Coefficient of x^d in f_21(x)
  21   1
  20   0
  19   42α_21 + 42
  18   84α_21 + 84
  17   2331α_21 − 861
  16   8820α_21 − 2604
  15   46816α_21 − 64568
  14   227136α_21 − 306320
  13   417060α_21 − 1450470
  12   1249248α_21 − 6783504
  11   −1650124α_21 − 18355540
  10   −25341624α_21 − 54772872
  9    −99408078α_21 − 104516426
  8    −414193752α_21 − 32069128
  7    −1090995696α_21 + 266146344
  6    −2279293856α_21 + 2006258800
  5    −4341402044α_21 + 5721876405
  4    −4332603072α_21 + 10737937392
  3    −2459323342α_21 + 18242100282
  2    1708403396α_21 + 16523766868
  1    8637088971α_21 + 9205492695
  0    4696767684α_21

Example 4.11 (Polynomials of degree 31). Let α_31 and β_31 be elements of Q̄ satisfying

    β_31^3 − 13β_31^2 + 46β_31 − 32 = 0   and   α_31^2 − (1/2)(β_31^2 − 7β_31 + 4) α_31 + β_31 = 0.

The involution σ : α_31 ↦ β_31/α_31 generates Gal(Q(α_31)/Q(β_31)); note that Q(β_31) is a totally real cubic field, and Q(α_31) is a totally imaginary quadratic extension of Q(β_31), so Q(α_31) is a CM-field, and σ acts as complex conjugation. Let

    f_31(x) = (1/31) x^31 − ((1/4)(β_31^2 − 5β_31 − 10) α_31 − (β_31^2 − 7β_31 + 12)) x^29 − ((1/2)(β_31^2 − 5β_31 − 10) α_31 − (2β_31^2 − 14β_31 + 24)) x^28 + ···

be the polynomial over Q(α_31) defined in Tables 5 and 6 (so f_31(x) = 2^31 g(x/2)/31, where g is the polynomial of [5, §5.6] with a_1 = α_31). We have

    f_31(x_1) − f_31^σ(x_2) = A_31(x_1,x_2) B_31(x_1,x_2),

where

    A_31(x_1,x_2) = x_1^15 + ((1/4)(β_31^2 − 9β_31 + 14) α_31 − β_31 + 4) x_1^14 x_2 + ···
        + ((1/4)(β_31^2 − 9β_31 + 14) α_31 + (1/2)(β_31^2 − 7β_31 + 2)) x_1 x_2^14 − x_2^15

has total degree 15 and satisfies A_31(x_1,x_2) = −A_31(x_2,x_1)^σ. Both A_31 and B_31 are absolutely irreducible.

Table 5. Coefficients of f_31 (from Ex. 4.11): degrees 14 through 31

  d    Coefficient of x^d in f_31(x)
  31   1/31
  30   0
  29   −(1/4)(β_31^2 − 5β_31 − 10)α_31 + β_31^2 − 7β_31 + 12
  28   −(1/2)(β_31^2 − 5β_31 − 10)α_31 + 2β_31^2 − 14β_31 + 24
  27   (1/4)(43β_31^2 − 1011β_31 + 2854)α_31 + (1/2)(453β_31^2 − 3055β_31 + 3248)
  26   (41β_31^2 − 977β_31 + 2802)α_31 + 886β_31^2 − 5986β_31 + 6496
  25   −(1/4)(17521β_31^2 − 74509β_31 − 60450)α_31 + 14092β_31^2 − 77272β_31 + 68380
  24   −(1/2)(48519β_31^2 − 204491β_31 − 184718)α_31 + 80184β_31^2 − 442624β_31 + 403208
  23   −(1/4)(1776161β_31^2 − 9373621β_31 + 3292454)α_31 + (1/2)(2041603β_31^2 − 11554557β_31 + 8612300)
  22   −(2942318β_31^2 − 15455046β_31 + 5475220)α_31 + 7037348β_31^2 − 40203740β_31 + 30052880
  21   −(1/4)(109481293β_31^2 − 596329857β_31 + 368885054)α_31 + 46576255β_31^2 − 265263537β_31 + 187276364
  20   −(1/2)(384855193β_31^2 − 2112196605β_31 + 1408837958)α_31 + 307371526β_31^2 − 1742220634β_31 + 1208790968
  19   −(1/4)(5290184805β_31^2 − 29820077413β_31 + 21851209042)α_31 + (1/2)(2521588153β_31^2 − 13978683691β_31 + 9274523664)
  18   −(8697236749β_31^2 − 49763738685β_31 + 38332116082)α_31 + 5911141274β_31^2 − 32035079054β_31 + 20126371040
  17   −(1/4)(186111470445β_31^2 − 1067698578649β_31 + 833400031142)α_31 + 9484781350β_31^2 − 47546236774β_31 + 16736919932
  16   −(1/2)(494148938071β_31^2 − 2839948380571β_31 + 2256232777618)α_31 − 61154690060β_31^2 + 368281842924β_31 − 366207873944
  15   −(1/2)(2214031635615β_31^2 − 12716268790027β_31 + 10156041792602)α_31 − 960101407852β_31^2 + 5535136704359β_31 − 4581193619353
  14   −(4484463959192β_31^2 − 25746958551032β_31 + 20641481233168)α_31 − 8423937387072β_31^2 + 48228838157776β_31 − 38143305780784

Table 6. Coefficients of f_31 (from Ex. 4.11): degrees 13 through 0

  d    Coefficient of x^d in f_31(x)
  13   −(1/4)(63813876335979β_31^2 − 367007052549207β_31 + 296370094708306)α_31 − 52401417590341β_31^2 + 299616088960507β_31 − 233801230247956
  12   −(1/2)(84595067837587β_31^2 − 488413358269471β_31 + 399412816680130)α_31 − 289909376875898β_31^2 + 1656226239390086β_31 − 1283082623470440
  11   −(1/4)(276978123366339β_31^2 − 1621224937178539β_31 + 1399602523915382)α_31 − (1/2)(2756444217062133β_31^2 − 15735604159262247β_31 + 12145338716741672)
  10   (164996225556971β_31^2 − 911562557305603β_31 + 591654846604694)α_31 − 5775442801086222β_31^2 + 32951684149353882β_31 − 25388487691873328
  9    (1/4)(8153525016709589β_31^2 − 46226784686942241β_31 + 34465661136373590)α_31 − 21765717548444108β_31^2 + 124141863300896800β_31 − 95543137393851316
  8    (1/2)(21507787300535771β_31^2 − 122360462847124879β_31 + 92829028744745354)α_31 − 71879278651985336β_31^2 + 409920655394903344β_31 − 315310665232998936
  7    (1/4)(172549107727779319β_31^2 − 982848727924637571β_31 + 750639722104375338)α_31 − (1/2)(418768591310359209β_31^2 − 2388174561757656643β_31 + 1836495177429186664)
  6    (138365490236826262β_31^2 − 788531695474992526β_31 + 604055823258954628)α_31 − 530716158860110596β_31^2 + 3026599060976364972β_31 − 2327045484274854432
  5    (1/4)(1461494193805567097β_31^2 − 8330939217188411741β_31 + 6391346186593069190)α_31 − 1132691540565214443β_31^2 + 6459518768862357533β_31 − 4965998974814592772
  4    (1/2)(1590470411372385357β_31^2 − 9067705413825934465β_31 + 6962808016837221182)α_31 − 1998830101622128910β_31^2 + 11398708269008017730β_31 − 8762745131128427944
  3    (1/4)(5458654735992646373β_31^2 − 31124897594589327589β_31 + 23912314632422881618)α_31 + (1/2)(−5512701081507844017β_31^2 + 31436273506520022779β_31 − 24164866978481400776)
  2    (1756872157897042025β_31^2 − 10018233805014343961β_31 + 7698964739179717386)α_31 − 2631501460411936866β_31^2 + 15005661005014590390β_31 − 11533152751494298576
  1    (1/4)(6099047880687359369β_31^2 − 34780055276291665989β_31 + 26734049819113493038)α_31 − 1489705167473733478β_31^2 + 8494536217258921566β_31 − 6527531886543984036
  0    (1/2)(1290343630884751523β_31^2 − 7358426308111535607β_31 + 5657092118674073402)α_31 − 2127333184925614050β_31 + 1673979108081725054

If (f,g) and (f',g') are equivalent pairs, then the families (𝒳, 𝒴) and (𝒳', 𝒴') associated to (f,g) and (f',g') by the linear or quadratic constructions of §2 are isomorphic. Indeed, if f'(x) = c f(a_1 x + b_1) + d and g'(x) = c g(a_2 x + b_2) + d for some a_1, b_1, a_2, b_2, c, and d with c, a_1 and a_2 nonzero, then the isomorphism (𝒳, 𝒴) → (𝒳', 𝒴') is defined by s ↦ (s + d)/c and (x_i, y_i) ↦ (a_i x_i + b_i, c^{1/2} y_i) for the linear construction, and by (s_1, s_2) ↦ ((s_1 + 2d)/c, (s_2 + d s_1 + d^2)/c^2) and (x_i, y_i) ↦ (a_i x_i + b_i, c y_i) for the quadratic construction.

Lemma 4.12. With the notation of Examples 4.6 through 4.11:
(1) The image of the family 𝒳 : y^2 = f_n(x) + s in H_{(n−1)/2} is one-dimensional for n = 11, 21, and 31, and two-dimensional for n = 7, 13, and 15.
(2) The image of the family 𝒳 : y^2 = f_n(x)^2 + s_1 f_n(x) + s_2 in H_{n−1} is two-dimensional for n = 11, 21, and 31, and three-dimensional for n = 7, 13, and 15.

Proof. We will show that only finitely many curves in each family 𝒳 can be isomorphic to a given element of 𝒳. This implies that the intersection of 𝒳(Q̄) with the isomorphism class of a curve X in 𝒳(Q̄) is finite, and hence that the map from 𝒳 into the moduli space of hyperelliptic curves is finite. The dimension of the image of 𝒳 in the moduli space is then equal to the number of parameters of 𝒳.

Consider (1): If X : y^2 = c_0 x^n + c_1 x^{n−1} + c_2 x^{n−2} + ··· + c_n is a hyperelliptic curve in the family 𝒳 (or the open dense subfamily where t ≠ 0 for n = 7, 13, and 15), then the c_i satisfy conditions

    (A): c_0 = 1,   (B): c_1 = 0,   (C): c_2 ≠ 0,   and   (D): c_3 = κ_n c_2,

where κ_n is defined in Table 7. If X' : (y')^2 = f_n(x') + s is isomorphic to X, then there exists a birational map ψ : X → X' defined by

    ψ : (x, y) ↦ (x', y') = ((αx + β)/(γx + δ), εy/(γx + δ)^{(n+1)/2})

with α, β, γ, δ, and ε in Q̄ satisfying ε ≠ 0 and αδ − βγ ≠ 0, and X has a defining equation

    X : y^2 = ε^{−2} (γx + δ)^{n+1} (f_n((αx + β)/(γx + δ)) + s).


Table 7. Values of κ_n for Lemma 4.12

  n    κ_n
  7    1
  11   2/α_11
  13   −((2β_13 − 9)α_13 − β_13 + 3)/3
  15   −2α_15 + 1
  21   2
  31   2

Table 8. Values of λ_n for Lemma 4.12

  n    λ_n
  7    (44α_7 + 502)/277
  11   −(1444α_11 + 1292)/1049
  13   −((32177912β_13 − 144562170)α_13 − 14922610β_13 + 44742102)/24470889
  15   −(11624α_15 − 8242)/3061
  21   −(1872α_21 − 98252)/24889
  31   (−(23763234474β_31^2 + 308913876190β_31 − 904140145396)α_31 + 45939160324β_31^2 − 413033009792β_31 + 22556391264028)/5572804315201

If $\gamma = 0$, then we may take $\delta = 1$, so $\psi(x, y) = (\alpha x + \beta, \epsilon y)$. If $X'$ is in $\mathcal{X}$ then it satisfies (A), (B), (C), and (D). Condition (A) implies $\alpha^n = \epsilon^2$, while (B) forces $\beta = 0$. The coefficients of $x^{n-2}$ and $x^{n-3}$ in $f_n(\alpha x) + s$ are then $\al­pha^{n-2}c_2$ and $\alpha^{n-3}c_3 = \alpha^{n-3}\kappa_n c_2$, whereupon (C) and (D) imply $\alpha = 1$, and hence $\epsilon = \pm 1$. We conclude that $\psi$ must be either the identity map or the hyperelliptic involution, depending on the sign of $\epsilon$; in either case, $X' = X$. If $\gamma \ne 0$, then we may take $\gamma = 1$. For the hyperelliptic polynomial of $X'$ to have degree $n$ we must have $\delta = -\rho$, where $\rho$ is one of the roots of $f_n(x) + s$. Conditions (A), (B), (C), and (D) then uniquely determine $\alpha$, $\beta$, $\gamma$, and $\epsilon$ (up to sign) in terms of $\rho$ and $\kappa_n$. Since there were only $n$ possible choices of $\rho$, we find that there are only $n$ possible choices for $\psi$ (up to sign). Hence, there are only $n + 1$ possible defining equations for curves in $\mathcal{X}$ isomorphic to $X$ (in fact, each corresponds to a choice of Weierstrass point of $X$). The coefficients of $x^0$ and $x^{n-2}$ in each defining equation uniquely determine a point of the parameter space; hence there are at most $n + 1$ curves in $\mathcal{X}$ isomorphic to $X$.

The proof for (2) is similar, and we only sketch it here. In these cases the curves $X : y^2 = \sum_{i=0}^{2n} c_i x^{2n-i}$ in $\mathcal{X}$ (or the open subfamily where $t \ne 0$ for $n = 7$, 13, and 15) satisfy

(A'): $c_0 = 1$, (B'): $c_1 = 0$, (C'): $c_2 \ne 0$, (D'): $c_3 = \kappa_n c_2$, (E'): $c_4 \ne 0$, (F'): $c_5 = \lambda_n c_4$, where $\kappa_n$ is defined in Table 7 and $\lambda_n$ is defined in Table 8. As before, the defining equation of any curve in $\mathcal{X}$ isomorphic to $X$ is uniquely determined by (A'), (B'), (C'), (D'), (E'), (F'), and the choice of a root of $f_n(x)^2 + s_1 f_n(x) + s_2$. The coefficients of $x^0$, $x^n$, $x^{2n-2}$ in each defining equation uniquely determine a point of the parameter space. Hence there are at most $2n$ curves in $\mathcal{X}$ isomorphic to $X$.

FAMILIES OF EXPLICIT ISOGENIES OF HYPERELLIPTIC JACOBIANS

5. Explicit Complex and Real Multiplications

We now apply the methods of §2 and §3 to the factorizations in Examples 4.4 and 4.5. Most of the resulting families have already been investigated elsewhere, so we treat them only briefly here. Throughout this section, $n$ denotes an odd prime.

Example 5.1. The linear construction on $(x^n, x^n)$ yields a family $(\mathcal{X}, \mathcal{X})$ of pairs of hyperelliptic curves of genus $(n-1)/2$, defined by $\mathcal{X} : y_i^2 = x_i^n + s$. The curves in $\mathcal{X}$ are all isomorphic to $X : y_i^2 = x_i^n + 1$ (via $(x_i, y_i) \mapsto (\sqrt[n]{s}\,x_i, \sqrt{s}\,y_i)$). The Jacobian $J_X$ is absolutely simple by [22, Example 8.4.(1)]. The correspondence $C = V(y_1 - y_2, x_1 - \zeta_n^e x_2)$ on $X \times X$ induces an endomorphism $\phi$ of $J_X$. Clearly $d(x_1^i)/y_1 = \zeta_n^{ie}\, d(x_2^i)/y_2$ on $C$, so
$$D_{X,Y}(\phi) = \mathrm{diag}(\zeta_n^e, \zeta_n^{2e}, \ldots, \zeta_n^{(n-1)e/2}).$$
The factors $x_1 - \zeta_n^e x_2$ of $x_1^n - x_2^n$ therefore correspond to explicit generators for a subring of $\mathrm{End}(J_X)$ isomorphic to $\mathbb{Z}[\zeta_n]$.

Example 5.2. The quadratic construction on $(x^n, x^n)$ yields a two-parameter family $(\mathcal{X} : y_1^2 = x_1^{2n} + s_1x_1^n + s_2,\ \mathcal{X} : y_2^2 = x_2^{2n} + s_1x_2^n + s_2)$ of pairs of hyperelliptic curves of genus $n - 1$. Twisting by $(x_i, y_i) \mapsto (s_2^{1/2n}x_i, s_2^{1/2}y_i)$, we reduce to the one-parameter family $\mathcal{X}' : y^2 = x^{2n} + s_1x^n + 1$ of [24, Remark after Proposition 3]. The family $\mathcal{X}'$ has an involution $\iota : (x, y) \mapsto (1/x, y/x^n)$ which is clearly not the hyperelliptic involution, so $J_{\mathcal{X}'}$ is reducible. The correspondences $V(y_1 - y_2, x_2 - \zeta_n^i x_1)$ on $\mathcal{X}' \times_T \mathcal{X}'$ induce endomorphisms generating a subring of $\mathrm{End}(J_{\mathcal{X}'})$ isomorphic to $\mathbb{Z}[\zeta_n]$, as in Example 5.1. The quotient of $\mathcal{X}'$ by $\iota$ is a one-parameter family of curves of genus $(n-1)/2$ whose Jacobians have Real Multiplication by $\mathbb{Z}[\zeta_n + \zeta_n^{-1}]$.

Example 5.3. Let $D_n$ and $A_{n,i}$ be defined as in Example 4.5. The linear construction on $(D_n(x), D_n(x))$ yields a one-parameter family $(\mathcal{X} : y_1^2 = D_n(x_1) + s,\ \mathcal{X} : y_2^2 = D_n(x_2) + s)$ of pairs of hyperelliptic curves of genus $(n-1)/2$ over $\mathbb{Q}$. The family $\mathcal{X}$ is identical to the family $C_t$ of [24, Theorem 1] (where the curves of Example 5.2 also appear). It is shown in [24] that the endomorphisms induced by $V(y_1 - y_2, A_{n,i}(x_1, x_2))$ for $1 \le i \le (n-1)/2$ generate a subring of $\mathrm{End}(J_{\mathcal{X}})$ isomorphic to $\mathbb{Z}[\zeta_n + \zeta_n^{-1}]$ (while $V(y_1 - y_2, x_1 - x_2)$ induces $[1]_{J_{\mathcal{X}}}$). The cases $n = 5$ and $7$ of this construction appear as families of efficiently computable endomorphisms in [16]. The absolute simplicity of $J_{\mathcal{X}}$ is proven for $n > 5$ in [24, Corollary 6], for $n = 5$ in [16, Remark 15], and is trivial for $n = 3$ (since then $J_{\mathcal{X}}$ is an elliptic curve).

Example 5.4. Applied to $(D_n(x), D_n(x))$, the quadratic construction yields a two-parameter family $(\mathcal{X} : y_1^2 = D_n(x_1)^2 + s_1D_n(x_1) + s_2,\ \mathcal{X} : y_2^2 = D_n(x_2)^2 + s_1D_n(x_2) + s_2)$ of pairs of hyperelliptic curves of genus $n - 1$. We have a nontrivial factorization
$$\bigl(D_n(x_1)^2 + s_1D_n(x_1)\bigr) - \bigl(D_n(x_2)^2 + s_1D_n(x_2)\bigr) = \bigl(D_n(x_1) - D_n(x_2)\bigr)\bigl(D_n(x_1) + D_n(x_2) + s_1\bigr) = (x_1 - x_2)\prod_{i=1}^{(n-1)/2} A_{n,i}(x_1, x_2)\cdot\bigl(D_n(x_1) + D_n(x_2) + s_1\bigr).$$

The correspondences $V(y_1 - y_2, A_{n,i}(x_1, x_2))$ on $\mathcal{X} \times_T \mathcal{Y}$ induce endomorphisms $\phi_i$ of $J_{\mathcal{X}}$ for $1 \le i \le (n-1)/2$, while the diagonal correspondence $V(y_1 - y_2, x_1 - x_2)$ induces $[1]_{J_{\mathcal{X}}}$. The matrix $D_{\mathcal{X},\mathcal{X}}(\phi_i)$ is lower-triangular, so its characteristic polynomial (and hence that of $\phi_i$) is
$$P(x) = \prod_{j=1}^{n-1}(x - t_{j,j}),$$
where $t_{j,j}$ is the $j$th diagonal entry of $D_{\mathcal{X},\mathcal{X}}(\phi_i)$: that is, $t_{j,j}$ is the leading coefficient of the trace $t_j = \mathrm{Tr}^{\Omega(C_i)}_{\Omega(\mathcal{X})}(d(x_1^j)/y_1)$ written as a polynomial in $x_2$. We have
$$A_{n,i}(x_1, x_2) = x_1^2 - (\zeta_n^i + \zeta_n^{-i})x_2 \cdot x_1 + (x_2^2 + \zeta_n^i - \zeta_n^{-i}),$$
so $t_1 = (\zeta_n^i + \zeta_n^{-i})x_2$, $t_2 = (\zeta_n^{2i} + \zeta_n^{-2i})x_2^2 - 2(\zeta_n^i - \zeta_n^{-i})$, and
$$t_j = (\zeta_n^i + \zeta_n^{-i})x_2 t_{j-1} - (x_2^2 + \zeta_n^i - \zeta_n^{-i})t_{j-2} \quad \text{for } j > 2;$$
in particular, the coefficients $t_{j,j}$ satisfy $t_{1,1} = \zeta_n^i + \zeta_n^{-i}$, $t_{2,2} = \zeta_n^{2i} + \zeta_n^{-2i}$, and
$$t_{j,j} = (\zeta_n^i + \zeta_n^{-i})t_{j-1,j-1} - t_{j-2,j-2} \quad \text{for } j > 2.$$
Solving the second-order linear recurrence, we find $t_{j,j} = \zeta_n^{ij} + \zeta_n^{-ij}$ for all $j > 0$, so
$$P(x) = \prod_{j=1}^{n-1}\bigl(x - (\zeta_n^{ij} + \zeta_n^{-ij})\bigr) = m(x)^2,$$
where $m$ is the minimal polynomial of $\zeta_n + \zeta_n^{-1}$ over $\mathbb{Q}$; hence $m(\phi_i) = 0$. We conclude that $\phi_i$ generates an explicit subring of $\mathrm{End}(J_{\mathcal{X}})$ isomorphic to $\mathbb{Z}[\zeta_n + \zeta_n^{-1}]$.
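The two steps "solving the recurrence" and "$P(x) = m(x)^2$" are short enough to carry out in full; the following worked derivation is added here and is not part of the original paper.

Write $c = \zeta_n^i + \zeta_n^{-i}$, so the recurrence reads $t_{j,j} = c\,t_{j-1,j-1} - t_{j-2,j-2}$. Its characteristic equation is
$$\lambda^2 - c\lambda + 1 = 0, \qquad \text{with roots } \lambda = \zeta_n^{i},\ \zeta_n^{-i},$$
since $\zeta_n^{i} + \zeta_n^{-i} = c$ and $\zeta_n^{i}\zeta_n^{-i} = 1$. Because $n$ is an odd prime and $1 \le i \le (n-1)/2$, we have $\zeta_n^{2i} \ne 1$, so the two roots are distinct and every solution has the form $t_{j,j} = A\zeta_n^{ij} + B\zeta_n^{-ij}$. The initial values give
$$A\zeta_n^{i} + B\zeta_n^{-i} = \zeta_n^{i} + \zeta_n^{-i}, \qquad A\zeta_n^{2i} + B\zeta_n^{-2i} = \zeta_n^{2i} + \zeta_n^{-2i},$$
a linear system in $(A-1, B-1)$ whose determinant $\zeta_n^{i}\zeta_n^{-2i} - \zeta_n^{-i}\zeta_n^{2i} = \zeta_n^{-i} - \zeta_n^{i}$ is nonzero; hence $A = B = 1$ and $t_{j,j} = \zeta_n^{ij} + \zeta_n^{-ij}$. (Equivalently, the value $t_{0,0} = 2$ forced by the recurrence is consistent with $\zeta_n^{0} + \zeta_n^{0}$.)

For the factorization, note that $i$ is invertible modulo $n$, so as $j$ runs over $1, \ldots, n-1$ the exponent $ij$ runs over all nonzero residues $k$ modulo $n$, and $k$ and $n - k$ give the same value $\zeta_n^{k} + \zeta_n^{-k}$. Each of the $(n-1)/2$ conjugates of $\zeta_n + \zeta_n^{-1}$ therefore appears exactly twice among the $t_{j,j}$, which is precisely
$$P(x) = \prod_{k=1}^{(n-1)/2}\bigl(x - (\zeta_n^{k} + \zeta_n^{-k})\bigr)^2 = m(x)^2 .$$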

6. Families of explicit isogenies

We now apply the methods of §2 and §3 to the factorizations in Examples 4.6 through 4.11. The examples in this section form the proof of Theorem 1.1.

Example 6.1. Let $f_7$, $A_7$, $\alpha_7$, and $\sigma$ be as in Example 4.6. The linear construction on $(f_7, f_7^\sigma)$ yields a two-parameter family
$$\mathcal{X} : y_1^2 = f_7(x_1) + s, \qquad \mathcal{Y} : y_2^2 = f_7^\sigma(x_2) + s$$
of pairs of hyperelliptic curves of genus 3 over $\mathbb{Q}(\alpha_7)$. Specializing $\mathcal{X}$ at $(s, t) = (1, 0)$ we obtain the curve $X$ of Example 5.1 with $n = 7$. We saw in Example 5.1 that $J_X$ is absolutely simple; hence the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $V(y_1 - y_2, A_7(x_1, x_2))$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. We have
$$D_{\mathcal{X},\mathcal{Y}}(\phi) = \begin{pmatrix} \alpha_7 & 0 & 0 \\ 0 & \alpha_7 & 0 \\ (\alpha_7^\sigma - \alpha_7)t & 0 & \alpha_7^\sigma \end{pmatrix},$$
and therefore
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 2I_3,$$
so $\phi^\dagger\phi = [2]_{J_{\mathcal{X}}}$; hence $\ker\phi \cong (\mathbb{Z}/2\mathbb{Z})^3$ by Lemma 3.3. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_3$ is two-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a two-dimensional family of $(\mathbb{Z}/2\mathbb{Z})^3$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the first row of Table 1. (We note that the subfamily at $s = 0$ appears in the thesis of Kux [17, §4.1].)


More generally, given a hyperelliptic curve $X$ of genus 3 and a maximal 2-Weil isotropic subgroup $S$ of $J_X[2]$, there exists a (possibly reducible, and generally non-hyperelliptic) curve $Y$ of genus 3 and a $(\mathbb{Z}/2\mathbb{Z})^3$-isogeny $\phi : J_X \to J_Y$ with kernel $S$ (note that $\phi$ may be defined over a quadratic extension of the field of definition of $S$). An algorithm to compute equations for $Y$ and $\phi$ when $S$ is generated by differences of Weierstrass points appears in [23] (it is possible to show, using techniques similar to those of Lemma 3.5, that the kernel of the isogeny of Example 6.1 is not such a subgroup). The case where $X$ is non-hyperelliptic is treated in [18].

Example 6.2. Let $f_7$, $A_7$, $\alpha_7$, and $\sigma$ be as in Examples 4.6 and 6.1. The quadratic construction on $(f_7, f_7^\sigma)$ yields a three-parameter family
$$\mathcal{X} : y_1^2 = f_7(x_1)^2 + s_1f_7(x_1) + s_2, \qquad \mathcal{Y} : y_2^2 = f_7^\sigma(x_2)^2 + s_1f_7^\sigma(x_2) + s_2$$
of pairs of hyperelliptic curves of genus 6 defined over $\mathbb{Q}(\alpha_7)$. Specializing $\mathcal{X}$ at $(s_1, s_2, t) = (1, 0, 1)$ and reducing modulo a prime over 13, we obtain a curve $X$ over $\mathbb{F}_{169}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients

$$w_1 = -16,\ w_2 = -46,\ w_3 = 3496,\ w_4 = -36993,\ w_5 = -464728,\ w_6 = 13747140;$$

it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $V(y_1 - y_2, A_7(x_1, x_2))$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. We find that

$$D_{\mathcal{X},\mathcal{Y}}(\phi) = \begin{pmatrix}
\alpha_7 & 0 & 0 & 0 & 0 & 0 \\
0 & \alpha_7 & 0 & 0 & 0 & 0 \\
-(2\alpha_7 + 1)t & 0 & \alpha_7^\sigma & 0 & 0 & 0 \\
-(\alpha_7 + 4)t & -2(\alpha_7 + 4)t & 0 & \alpha_7 & 0 & 0 \\
7(\alpha_7 + 2)t^2 & -2(2\alpha_7 + 1)t & 3(\alpha_7^\sigma + 4)t & 0 & \alpha_7^\sigma & 0 \\
7(\alpha_7^\sigma + 4)t^2 & -7(2\alpha_7 - 3)t^2 & 3(\alpha_7^\sigma + 4)t & 4(2\alpha_7^\sigma + 1)t & 0 & \alpha_7^\sigma
\end{pmatrix}.$$

Since $D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma$, we have
$$D_{\mathcal{X},\mathcal{X}}(\phi^\dagger\phi) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = 2I_6,$$
so $\phi^\dagger\phi = [2]_{J_{\mathcal{X}}}$; hence $\ker\phi \cong (\mathbb{Z}/2\mathbb{Z})^6$ by Lemma 3.3. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_6$ is three-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a three-dimensional family of $(\mathbb{Z}/2\mathbb{Z})^6$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the third row of Table 1.

Example 6.3. Let $f_{11}$, $A_{11}$, $\alpha_{11}$, and $\sigma$ be as in Example 4.7. The linear construction on $(f_{11}, f_{11}^\sigma)$ yields a one-parameter family
$$\mathcal{X} : y_1^2 = f_{11}(x_1) + s, \qquad \mathcal{Y} : y_2^2 = f_{11}^\sigma(x_2) + s$$
of pairs of hyperelliptic curves of genus 5 over $\mathbb{Q}(\alpha_{11})$. Specializing $\mathcal{X}$ at $s = 0$ and reducing modulo a prime over 7, we obtain a curve $X$ over $\mathbb{F}_{49}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients

$$w_1 = 12,\ w_2 = 28,\ w_3 = -152,\ w_4 = 3652,\ w_5 = 53722;$$

it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple.
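Every absolute-simplicity argument in Examples 6.2 to 6.12 starts from such a list of Weil coefficients. The following added example (not code from the paper, whose computations were done in Magma [2, 3]) rebuilds the full Weil polynomial from the listed coefficients and reads off the Jacobian order and point counts over $\mathbb{F}_{q^k}$; it assumes the convention that $w_1, \ldots, w_g$ are the first $g$ coefficients of the characteristic polynomial of Frobenius, the rest being fixed by the functional equation, and it uses the coefficients above (Example 6.3) together with those of Example 6.7 as sample data.

```python
"""Rebuild a Weil polynomial from its listed Weil coefficients.

Added example, not code from the paper.  Assumption (labelled): the
"Weil coefficients" w_1..w_g are the first g coefficients of the
characteristic polynomial of Frobenius,
    chi(T) = T^{2g} + w_1 T^{2g-1} + ... + w_g T^g + q w_{g-1} T^{g-1} + ... + q^g,
the remaining coefficients being forced by the functional equation
chi(T) = q^{-g} T^{2g} chi(q/T), i.e. c_{2g-k} = q^{g-k} c_k for 0 <= k <= g.
"""
from typing import List

# Sample data copied from the page: Example 6.3 (genus 5 curve over F_49)
# and Example 6.7 (genus 7 curve over F_17).
Q_EX63, W_EX63 = 49, [12, 28, -152, 3652, 53722]
Q_EX67, W_EX67 = 17, [0, -4, -30, 158, 972, -2264, -18434]


def weil_polynomial(q: int, w: List[int]) -> List[int]:
    """Coefficients c_0..c_{2g} of chi(T), highest degree first, c_0 = 1."""
    g = len(w)
    c = [1] + list(w)                      # c_0 = 1, c_1..c_g = w_1..w_g
    for k in range(g - 1, -1, -1):         # c_{g+1}, ..., c_{2g} from the functional equation
        c.append(q ** (g - k) * c[k])
    return c


def evaluate(c: List[int], t: int) -> int:
    """Horner evaluation of a polynomial given highest-degree-first coefficients."""
    acc = 0
    for coeff in c:
        acc = acc * t + coeff
    return acc


def jacobian_order(q: int, w: List[int]) -> int:
    """#J_X(F_q) = chi(1) = prod_i (1 - alpha_i)."""
    return evaluate(weil_polynomial(q, w), 1)


def power_sums(c: List[int], kmax: int) -> List[int]:
    """p_k = sum_i alpha_i^k for k = 0..kmax, by Newton's identities.

    For a monic polynomial with coefficients c_1..c_n (and c_k = 0 for k > n):
        p_k = -(c_1 p_{k-1} + ... + c_{k-1} p_1) - k c_k.
    """
    n = len(c) - 1
    p = [n]                                # p_0 = number of roots
    for k in range(1, kmax + 1):
        s = sum(c[i] * p[k - i] for i in range(1, min(k, n + 1)))
        ck = c[k] if k <= n else 0
        p.append(-s - k * ck)
    return p


def point_counts(q: int, w: List[int], kmax: int) -> List[int]:
    """#X(F_{q^k}) = q^k + 1 - p_k for k = 1..kmax (Lefschetz trace formula)."""
    p = power_sums(weil_polynomial(q, w), kmax)
    return [q ** k + 1 - p[k] for k in range(1, kmax + 1)]


def hasse_weil_ok(q: int, w: List[int], kmax: int = 2) -> bool:
    """Sanity check on a listed coefficient table: |q^k + 1 - #X(F_{q^k})| <= 2g sqrt(q^k)."""
    g = len(w)
    for k, n_pts in enumerate(point_counts(q, w, kmax), start=1):
        if (q ** k + 1 - n_pts) ** 2 > 4 * g * g * q ** k:
            return False
    return True


if __name__ == "__main__":
    for q, w in ((Q_EX63, W_EX63), (Q_EX67, W_EX67)):
        print(q, weil_polynomial(q, w))
        print("  #J(F_q) =", jacobian_order(q, w),
              " #X(F_q), #X(F_q^2) =", point_counts(q, w, 2),
              " Hasse-Weil ok:", hasse_weil_ok(q, w))
```

Irreducibility of the rebuilt polynomial, the step the paper takes in Magma, is not checked here; the Hasse–Weil test only catches a mis-copied coefficient.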


Table 9. Weil coefficients for Example 6.4

i     $w_i$
1     0
2     −16
3     196
4     2024
5     2484
6     35208
7     127220
8     10074824
9     24089728
10    −169499466

The correspondence $V(A_{11}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. We find that
$$D_{\mathcal{X},\mathcal{Y}}(\phi) = \begin{pmatrix}
\alpha_{11} & 0 & 0 & 0 & 0 \\
0 & \alpha_{11}^\sigma & 0 & 0 & 0 \\
\alpha_{11} + 6 & 0 & \alpha_{11} & 0 & 0 \\
0 & 0 & 0 & \alpha_{11} & 0 \\
-3(5\alpha_{11} - 3) & 4(2\alpha_{11} + 1) & 3(\alpha_{11} + 6) & 0 & \alpha_{11}
\end{pmatrix}.$$
Since $D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma$, we have $D_{\mathcal{X}}(\phi^\dagger\phi) = 3I_5$, so $\phi^\dagger\phi = [3]_{J_{\mathcal{X}}}$; hence $\ker\phi \cong (\mathbb{Z}/3\mathbb{Z})^5$ by Lemma 3.3. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_5$ is one-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a one-dimensional family of $(\mathbb{Z}/3\mathbb{Z})^5$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the second row of Table 1. (We note that the fibre at $s = 0$ appears in the thesis of Kux [17, §4.1].)

Example 6.4. Let $f_{11}$, $A_{11}$, $\alpha_{11}$, and $\sigma$ be as in Examples 4.7 and 6.3. The quadratic construction on $(f_{11}, f_{11}^\sigma)$ yields a two-parameter family
$$\mathcal{X} : y_1^2 = f_{11}(x_1)^2 + s_1f_{11}(x_1) + s_2, \qquad \mathcal{Y} : y_2^2 = f_{11}^\sigma(x_2)^2 + s_1f_{11}^\sigma(x_2) + s_2$$
of pairs of hyperelliptic curves of genus 10 defined over $\mathbb{Q}(\alpha_{11})$. Specializing $\mathcal{X}$ at $(s_1, s_2) = (1, 0)$ and reducing modulo a prime over 7, we obtain a curve $X$ over $\mathbb{F}_{49}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients in Table 9; it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $V(A_{11}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $10 \times 10$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular, with ten diagonal entries each equal to $\alpha_{11}$ or $\alpha_{11}^\sigma$ (five of each), hence each an element of norm 3 (we omit the other entries for lack of space). We therefore have
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 3I_{10},$$
so $\phi^\dagger\phi = [3]_{\mathcal{X}}$; hence $\ker\phi \cong (\mathbb{Z}/3\mathbb{Z})^{10}$ by Lemma 3.3. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_{10}$ is two-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a two-dimensional family of $(\mathbb{Z}/3\mathbb{Z})^{10}$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the sixth row of Table 1.

Example 6.5. Let $f_{13}$, $A_{13}$, $\alpha_{13}$, $\beta_{13}$ and $\sigma$ be as in Example 4.8. The linear construction on $(f_{13}, f_{13}^\sigma)$ yields a two-parameter family
$$\mathcal{X} : y_1^2 = f_{13}(x_1) + s, \qquad \mathcal{Y} : y_2^2 = f_{13}^\sigma(x_2) + s$$
of pairs of hyperelliptic curves of genus 6. Specializing $\mathcal{X}$ at $(s, t) = (1, 0)$, we obtain the curve $X$ of Example 5.1 with $n = 13$, which has an absolutely simple Jacobian; hence the generic fibre of $J_{\mathcal{X}}$ is absolutely simple.


Table 10. Weil coefficients for Example 6.6

i     $w_i$
1     20
2     −230
3     −9232
4     351295
5     1293764
6     −204257742
7     67298212
8     137879604915
9     −1707055263168
10    −49877419547660
11    1975333453052116
12    119629530410659866

The correspondence $V(A_{13}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $6 \times 6$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular; if we set $e_1 := (\beta_{13} - 4)\alpha_{13} + 2$ and $e_2 := \alpha_{13} + 1$, then the diagonal entries of $D_{\mathcal{X},\mathcal{Y}}(\phi)$ are
$$e_1,\ e_2,\ e_1,\ e_1^\sigma,\ e_2,\ e_2,$$
each of which is an element of norm 3 in $\mathbb{Q}(\beta_{13})$ (we omit the other entries for lack of space). We therefore have
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 3I_6,$$
so $\phi^\dagger\phi = [3]_{J_{\mathcal{X}}}$; hence $\ker\phi \cong (\mathbb{Z}/3\mathbb{Z})^6$ by Lemma 3.3. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_6$ is one-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a one-dimensional family of $(\mathbb{Z}/3\mathbb{Z})^6$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the fourth row of Table 1.

Example 6.6. Let $f_{13}$, $A_{13}$, $\alpha_{13}$, $\beta_{13}$ and $\sigma$ be as in Examples 4.8 and 6.5. The quadratic construction on $(f_{13}, f_{13}^\sigma)$ yields a three-parameter family
$$\mathcal{X} : y_1^2 = f_{13}(x_1)^2 + s_1f_{13}(x_1) + s_2, \qquad \mathcal{Y} : y_2^2 = f_{13}^\sigma(x_2)^2 + s_1f_{13}^\sigma(x_2) + s_2$$
of pairs of hyperelliptic curves of genus 12 defined over $\mathbb{Q}(\alpha_{13})$. Specializing $\mathcal{X}$ at $(s_1, s_2, t) = (1, 1, 1)$ and reducing modulo a prime over 5, we obtain a curve $X$ over $\mathbb{F}_{5^4}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients in Table 10; it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $V(A_{13}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $12 \times 12$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular, with diagonal entries
$$e_1,\ e_2,\ e_1,\ e_1^\sigma,\ e_2,\ e_2,\ e_2^\sigma,\ e_2^\sigma,\ e_1,\ e_1^\sigma,\ e_2^\sigma,\ e_1^\sigma$$

(with $e_1$ and $e_2$ defined as in Example 6.5), each of which has norm 3 in $\mathbb{Q}(\beta_{13})$ (we omit the other entries for lack of space). We therefore have
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 3I_{12},$$
so $\phi^\dagger\phi = [3]_{\mathcal{X}}$; hence $\ker\phi \cong (\mathbb{Z}/3\mathbb{Z})^{12}$ by Lemma 3.3. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_{12}$ is three-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a three-dimensional family of $(\mathbb{Z}/3\mathbb{Z})^{12}$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the eighth row of Table 1.

Example 6.7. Let $f_{15}$, $A_{15}$, $\alpha_{15}$, and $\sigma$ be as in Example 4.9. The linear construction on $(f_{15}, -f_{15}^\sigma)$ yields a two-parameter family
$$\mathcal{X} : y_1^2 = f_{15}(x_1) + s, \qquad \mathcal{Y} : y_2^2 = -f_{15}^\sigma(x_2) + s$$
of pairs of hyperelliptic curves of genus 7 defined over $\mathbb{Q}(\alpha_{15})$. Specializing $\mathcal{X}$ at $(s, t) = (0, 1)$ and reducing modulo a prime over 17, we obtain a curve $X$ over $\mathbb{F}_{17}$.


Table 11. Weil coefficients for Example 6.8

i     $w_i$
1     −4
2     15
3     −6
4     −73
5     1000
6     −1182
7     5874
8     29004
9     22810
10    1252762
11    −1381092
12    8168424
13    80232390
14    −230738522

The Weil polynomial of $J_X$ corresponds to the Weil coefficients

$$w_1 = 0,\ w_2 = -4,\ w_3 = -30,\ w_4 = 158,\ w_5 = 972,\ w_6 = -2264,\ w_7 = -18434;$$

it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $V(A_{15}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $7 \times 7$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular with diagonal entries
$$\alpha_{15}^\sigma,\ \alpha_{15}^\sigma,\ -2,\ \alpha_{15}^\sigma,\ -2,\ 2,\ \alpha_{15},$$
each of which has norm 4 in $\mathbb{Q}$ (we omit the other entries for lack of space). Hence
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 4I_7,$$
so $\phi^\dagger\phi = [4]_{J_{\mathcal{X}}}$. Specializing at $(s, t) = (1, 0)$ and reducing modulo a prime over 31, we obtain curves $\bar X : \bar y_1^2 = \bar x_1^{15} + 1$ and $\bar Y : \bar y_2^2 = -\bar x_2^{15} + 1$, together with an isogeny $\bar\phi : J_{\bar X} \to J_{\bar Y}$ induced by $V(A(\bar x_1, \bar x_2), \bar y_1 - \bar y_2) \subset \bar X \times \bar Y$, where
$$A = \bar x_1^7 + 14\bar x_1^6\bar x_2 - 2\bar x_1^5\bar x_2^2 + 19\bar x_1^4\bar x_2^3 + 15\bar x_1^3\bar x_2^4 - 2\bar x_1^2\bar x_2^5 + 18\bar x_1\bar x_2^6 + \bar x_2^7.$$
The polynomials $\bar x_1^{15} + 1$ and $-\bar x_2^{15} + 1$ both split completely over $\mathbb{F}_{31}$. Applying Lemmas 3.5 and 3.4, we see that $\ker\phi \cong (\mathbb{Z}/4\mathbb{Z})^4 \times (\mathbb{Z}/2\mathbb{Z})^6$. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_7$ is two-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a two-dimensional family of $(\mathbb{Z}/4\mathbb{Z})^4 \times (\mathbb{Z}/2\mathbb{Z})^6$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the fifth row of Table 1.

Example 6.8. Let $f_{15}$, $A_{15}$, $\alpha_{15}$, and $\sigma$ be as in Examples 4.9 and 6.7. The quadratic construction on $(f_{15}, -f_{15}^\sigma)$ yields a three-parameter family
$$\mathcal{X} : y_1^2 = f_{15}(x_1)^2 + s_1f_{15}(x_1) + s_2, \qquad \mathcal{Y} : y_2^2 = f_{15}^\sigma(x_2)^2 - s_1f_{15}^\sigma(x_2) + s_2$$
of pairs of hyperelliptic curves of genus 14 defined over $\mathbb{Q}(\alpha_{15})$. Specializing at $(s_1, s_2, t) = (1, 1, 1)$ and reducing modulo a prime over 17, we obtain a curve $X$ over $\mathbb{F}_{17}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients in Table 11; it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $V(A_{15}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $14 \times 14$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular with diagonal entries
$$\alpha_{15}^\sigma,\ \alpha_{15}^\sigma,\ -2,\ \alpha_{15}^\sigma,\ -2,\ 2,\ \alpha_{15},\ \alpha_{15}^\sigma,\ -2,\ -2,\ -\alpha_{15},\ -2,\ \alpha_{15},\ \alpha_{15},$$
each of which has norm 4 in $\mathbb{Q}$ (we omit the other entries for lack of space). Hence
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 4I_{14},$$
so $\phi^\dagger\phi = [4]_{J_{\mathcal{X}}}$. Specializing at $(s_1, s_2, t) = (0, 1, 0)$ and reducing modulo a prime over 31, we obtain curves $\bar X : \bar y_1^2 = \bar x_1^{30} - 1$ and $\bar Y : \bar y_2^2 = \bar x_2^{30} - 1$, together with an


Table 12. Weil coefficients for Example 6.9

i     $w_i$
1     4
2     36
3     272
4     1268
5     6492
6     28540
7     142200
8     453284
9     1065612
10    17399206

isogeny $\bar\phi : J_{\bar X} \to J_{\bar Y}$ induced by $V(A(\bar x_1, \bar x_2), \bar y_1 - \bar y_2) \subset \bar X \times \bar Y$, where
$$A = \bar x_1^7 + 14\bar x_1^6\bar x_2 - 2\bar x_1^5\bar x_2^2 + 19\bar x_1^4\bar x_2^3 + 15\bar x_1^3\bar x_2^4 - 2\bar x_1^2\bar x_2^5 + 18\bar x_1\bar x_2^6 + \bar x_2^7.$$
The polynomial $\bar x_i^{30} - 1$ splits completely over $\mathbb{F}_{31}$. Applying Lemmas 3.5 and 3.4, we see that $\ker\phi \cong (\mathbb{Z}/4\mathbb{Z})^9 \times (\mathbb{Z}/2\mathbb{Z})^{10}$. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_{14}$ is three-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a family of $(\mathbb{Z}/4\mathbb{Z})^9 \times (\mathbb{Z}/2\mathbb{Z})^{10}$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the ninth row of Table 1.

Example 6.9. Let $f_{21}$, $A_{21}$, $\alpha_{21}$, and $\sigma$ be as in Example 4.10. The linear construction on $(f_{21}, f_{21}^\sigma)$ yields a one-parameter family
$$\mathcal{X} : y_1^2 = f_{21}(x_1) + s, \qquad \mathcal{Y} : y_2^2 = f_{21}^\sigma(x_2) + s$$
of pairs of hyperelliptic curves of genus 10 over $\mathbb{Q}(\alpha_{21})$. Specializing $\mathcal{X}$ at $s = 0$ and reducing modulo a prime over 5, we obtain a curve $X$ over $\mathbb{F}_{25}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients in Table 12; it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple.

The correspondence $V(A_{21}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $10 \times 10$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular; if we set $e = (\alpha_{21}^\sigma)^2$, then the diagonal entries of $D_{\mathcal{X},\mathcal{Y}}(\phi)$ are
$$(\alpha_{21}^\sigma)^2,\ (\alpha_{21}^\sigma)^2,\ -(\alpha_{21}^\sigma)^2,\ (\alpha_{21}^\sigma)^2,\ \alpha_{21}^2,\ -(\alpha_{21}^\sigma)^2,\ \alpha_{21}^\sigma\alpha_{21},\ (\alpha_{21}^\sigma)^2,\ -\alpha_{21}^2,\ \alpha_{21}^2,$$
each of which has norm 4 in $\mathbb{Q}$ (we omit the other entries for lack of space). Hence
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 4I_{10},$$
so $\phi^\dagger\phi = [4]_{J_{\mathcal{X}}}$. Specializing at $s = 425$ and reducing modulo a prime over 599, we obtain curves $\bar X$ and $\bar Y$ and an isogeny $\bar\phi : J_{\bar X} \to J_{\bar Y}$ over $\mathbb{F}_{599}$. Applying Lemmas 3.5 and 3.4, we find $\ker\bar\phi|_{J_{\bar X}[2]} \cong (\mathbb{Z}/2\mathbb{Z})^{11}$, so $\ker\phi \cong (\mathbb{Z}/4\mathbb{Z})^9 \times (\mathbb{Z}/2\mathbb{Z})^2$. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_{10}$ is one-dimensional by Lemma 4.12 and Torelli's theorem. Hence, $\phi$ is a one-dimensional family of $(\mathbb{Z}/4\mathbb{Z})^9 \times (\mathbb{Z}/2\mathbb{Z})^2$-isogenies of (generically) absolutely simple Jacobians; this proves Theorem 1.1 for the seventh row of Table 1.

Example 6.10. Let $f_{21}$, $A_{21}$, $\alpha_{21}$, and $\sigma$ be as in Examples 4.10 and 6.9. The quadratic construction on $(f_{21}, f_{21}^\sigma)$ yields a two-parameter family
$$\mathcal{X} : y_1^2 = f_{21}(x_1)^2 + s_1f_{21}(x_1) + s_2, \qquad \mathcal{Y} : y_2^2 = f_{21}^\sigma(x_2)^2 + s_1f_{21}^\sigma(x_2) + s_2$$
of pairs of hyperelliptic curves of genus 10 defined over $\mathbb{Q}(\alpha_{21})$. Specializing $\mathcal{X}$ at $(s_1, s_2) = (1, 1)$ and reducing modulo a prime over 11, we obtain a curve $X$ over $\mathbb{F}_{11}$. The Weil coefficients of $J_X$ are listed in Table 13; the corresponding polynomial is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence, the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $C = V(A_{21}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $20 \times 20$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular; if


Table 13. Weil coefficients for Example 6.10

i     $w_i$
1     −4
2     13
3     −74
4     403
5     −1616
6     5919
7     −24382
8     105299
9     −431556
10    1564993
11    −5699656
12    22091457
13    −83783104
14    294134355
15    −1000833886
16    3592033583
17    −12690445996
18    43906230241
19    −144999550062
20    476625334323

Table 14. Weil coefficients for Example 6.11

i     $w_i$
1     25
2     447
3     5046
4     42930
5     146470
6     −1950824
7     −61460901
8     −750851497
9     −5019303477
10    9095279162
11    544453054742
12    5818130546490
13    17625044970092
14    −265293278436450
15    −4448335615035972

we set $e := -(\alpha_{21} + 1)$, then the diagonal entries of $D_{\mathcal{X},\mathcal{Y}}(\phi)$ are
$$(\alpha_{21}^\sigma)^2,\ (\alpha_{21}^\sigma)^2,\ -(\alpha_{21}^\sigma)^2,\ (\alpha_{21}^\sigma)^2,\ \alpha_{21}^2,\ -(\alpha_{21}^\sigma)^2,\ \alpha_{21}^\sigma\alpha_{21},\ (\alpha_{21}^\sigma)^2,\ -\alpha_{21}^2,\ \alpha_{21}^2,$$
$$(\alpha_{21}^\sigma)^2,\ -(\alpha_{21}^\sigma)^2,\ \alpha_{21}^2,\ \alpha_{21}^\sigma\alpha_{21},\ -\alpha_{21}^2,\ (\alpha_{21}^\sigma)^2,\ \alpha_{21}^2,\ -\alpha_{21}^2,\ \alpha_{21}^2,\ \alpha_{21}^2,$$
each of which has norm 4 in $\mathbb{Q}$ (we omit the other entries for lack of space). Hence
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 4I_{20},$$
so $\phi^\dagger\phi = [4]_{J_{\mathcal{X}}}$. Specializing at $(s_1, s_2) = (1, 6)$ and reducing at a prime over 29, we obtain curves $\bar X$ and $\bar Y$ and an isogeny $\bar\phi : J_{\bar X} \to J_{\bar Y}$ over $\mathbb{F}_{29}$. Applying Lemmas 3.5 and 3.4, we see that $\ker\phi \cong (\mathbb{Z}/4\mathbb{Z})^{19} \times (\mathbb{Z}/2\mathbb{Z})^2$. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_{20}$ is two-dimensional by Lemma 4.12 and Torelli's theorem. Hence $\phi$ is a two-dimensional family of $(\mathbb{Z}/4\mathbb{Z})^{19} \times (\mathbb{Z}/2\mathbb{Z})^2$-isogenies of (generically) absolutely simple Jacobians; this proves Theorem 1.1 for the eleventh row of Table 1.

Example 6.11. Let $f_{31}$, $A_{31}$, $\alpha_{31}$, $\beta_{31}$, and $\sigma$ be as in Example 4.11. The linear construction on $(f_{31}, f_{31}^\sigma)$ yields a one-parameter family
$$\mathcal{X} : y_1^2 = f_{31}(x_1) + s, \qquad \mathcal{Y} : y_2^2 = f_{31}^\sigma(x_2) + s$$
of pairs of hyperelliptic curves of genus 15 over $\mathbb{Q}(\alpha_{31})$. Specializing $\mathcal{X}$ at $s = 0$ and reducing modulo a prime over 5, we obtain a curve $X$ over $\mathbb{F}_{5^3}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients in Table 14; it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $C = V(A(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $15 \times 15$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular; if we set
$$e_1 := -\bigl((\beta_{31}^2 - 9\beta_{31} + 14)\alpha_{31} + 4\beta_{31} - 16\bigr)/4, \qquad e_2 := -\bigl((\beta_{31} - 6)\alpha_{31} + \beta_{31}^2 - 8\beta_{31} + 8\bigr)/2,$$
and $e_3 := \alpha_{31} - \beta_{31} + 4$, then the diagonal entries of $D_{\mathcal{X},\mathcal{Y}}(\phi)$ are
$$e_1,\ e_1,\ e_2,\ e_1,\ e_3,\ e_2,\ e_2^\sigma,\ e_1,\ e_3,\ e_3,\ e_3^\sigma,\ e_2,\ e_3^\sigma,\ e_2^\sigma,\ e_1^\sigma,$$
each of which has norm 8 in $\mathbb{Q}(\beta_{31})$ (we omit the other entries for lack of space). We therefore find
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 8I_{15},$$


Table 15. Weil coefficients for Example 6.12

i     $w_i$
1     86
2     3451
3     87828
4     1643613
5     43045482
6     1781887735
7     76936315232
8     3105710470069
9     102095895729754
10    2779643454835731
11    71233879362094240
12    2193677250388156081
13    77619720346267760370
14    2538874803438283085247
15    75551657032201511555544
16    2132291122470015060842077
17    58726738607409603792625818
18    1634122583940469502202897151
19    48450321094461320825161410124
20    1504867060985705824450391696293
21    45345655631250765718117003095430
22    1270533776275133738442812562176203
23    34526697723237826449755783511899672
24    956449237011673888073922827627521777
25    26767220948731629452685495358053131182
26    757441695740127512275452904130818491239
27    21123226183916202851140834209673472022292
28    575803060349811307421020344590821665754597
29    15365239367923178818677513358710798508553810
30    408015365744689122150660893862413952306834751

so $\phi^\dagger\phi = [8]_{J_{\mathcal{X}}}$. Specializing at $s = 0$ and reducing modulo a prime over 47, we obtain curves $\bar X$ and $\bar Y$ and an isogeny $\bar\phi : J_{\bar X} \to J_{\bar Y}$ over $\mathbb{F}_{47}$. Applying Lemmas 3.5 and 3.4, we find $\ker\phi \cong (\mathbb{Z}/8\mathbb{Z})^5 \times (\mathbb{Z}/4\mathbb{Z})^{10} \times (\mathbb{Z}/2\mathbb{Z})^{10}$. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_{15}$ is one-dimensional by Lemma 4.12 and Torelli's theorem. We conclude that $\phi$ is a one-dimensional family of $(\mathbb{Z}/8\mathbb{Z})^5 \times (\mathbb{Z}/4\mathbb{Z})^{10} \times (\mathbb{Z}/2\mathbb{Z})^{10}$-isogenies of (generically) absolutely simple Jacobians, thus proving Theorem 1.1 for the tenth row of Table 1.

Example 6.12. Let $f_{31}$, $A_{31}$, $\alpha_{31}$, $\beta_{31}$, and $\sigma$ be as in Examples 4.11 and 6.11. The quadratic construction on $(f_{31}, f_{31}^\sigma)$ yields a two-parameter family
$$\mathcal{X} : y_1^2 = f_{31}(x_1)^2 + s_1f_{31}(x_1) + s_2, \qquad \mathcal{Y} : y_2^2 = f_{31}^\sigma(x_2)^2 + s_1f_{31}^\sigma(x_2) + s_2$$
of pairs of hyperelliptic curves of genus 30 defined over $\mathbb{Q}(\alpha_{31})$. Specializing $\mathcal{X}$ at $(s_1, s_2) = (1, 2)$ and reducing modulo a prime over 3, we obtain a curve $X$ over $\mathbb{F}_{3^6}$. The Weil polynomial of $J_X$ corresponds to the Weil coefficients in Table 15; it is irreducible, so $J_X$ is absolutely simple by Lemma 3.1. Hence the generic fibre of $J_{\mathcal{X}}$ is absolutely simple. The correspondence $C = V(A_{31}(x_1, x_2), y_1 - y_2)$ on $\mathcal{X} \times_T \mathcal{Y}$ induces a homomorphism $\phi : J_{\mathcal{X}} \to J_{\mathcal{Y}}$. The $30 \times 30$ matrix $D_{\mathcal{X},\mathcal{Y}}(\phi)$ is lower-triangular. If we define $e_1$, $e_2$, and $e_3$ as in Example 6.11, then the diagonal entries of $D_{\mathcal{X},\mathcal{Y}}(\phi)$ are
$$e_1,\ e_1,\ e_2,\ e_1,\ e_3,\ e_2,\ e_2^\sigma,\ e_1,\ e_3,\ e_3,\ e_3^\sigma,\ e_2,\ e_3^\sigma,\ e_2^\sigma,\ e_1^\sigma,$$
$$e_1,\ e_2,\ e_3,\ e_2^\sigma,\ e_3,\ e_3^\sigma,\ e_3^\sigma,\ e_1^\sigma,\ e_2,\ e_2^\sigma,\ e_3^\sigma,\ e_1^\sigma,\ e_2^\sigma,\ e_1^\sigma,\ e_1^\sigma;$$
each has norm 8 in $\mathbb{Q}(\beta_{31})$ (we omit the other entries for lack of space). Hence
$$D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{Y},\mathcal{X}}(\phi^\dagger) = D_{\mathcal{X},\mathcal{Y}}(\phi)D_{\mathcal{X},\mathcal{Y}}(\phi)^\sigma = 8I_{30},$$
so $\phi^\dagger\phi = [8]_{J_{\mathcal{X}}}$. Specializing at $(s_1, s_2) = (4, 9)$ and reducing modulo a prime over 47, we obtain curves $\bar X$ and $\bar Y$ and an isogeny $\bar\phi : J_{\bar X} \to J_{\bar Y}$ over $\mathbb{F}_{47}$. Applying Lemmas 3.5 and 3.4, we find $\ker\phi \cong (\mathbb{Z}/8\mathbb{Z})^{11} \times (\mathbb{Z}/4\mathbb{Z})^{19} \times (\mathbb{Z}/2\mathbb{Z})^{19}$. The image of $J_{\mathcal{X}}$ in $\mathcal{A}_{30}$ is two-dimensional by Lemma 4.12 and Torelli's theorem. Hence, $\phi$ is a two-dimensional family of $(\mathbb{Z}/8\mathbb{Z})^{11} \times (\mathbb{Z}/4\mathbb{Z})^{19} \times (\mathbb{Z}/2\mathbb{Z})^{19}$-isogenies of (generically) absolutely simple Jacobians; this proves Theorem 1.1 for the twelfth row of Table 1.

References

1. Ch. Birkenhake and H. Lange, Complex abelian varieties (second edition), Grundlehren der mathematischen Wissenschaften 302, Springer-Verlag, Berlin, 2004.
2. W. Bosma, J. J. Cannon, and C. Playoust, The Magma algebra system. I. The user language, J. Symbolic Comput. 24 (1997), no. 3-4, 235–265.
3. W. Bosma, J. J. Cannon, et al., Handbook of Magma Functions, School of Mathematics and Statistics, University of Sydney (1995).
4. J. W. S. Cassels, Factorization of polynomials in several variables, Proceedings of the 15th Scandinavian Congress, Oslo 1968, Lecture Notes in Math. 118 (1970), 1–17.
5. P. Cassou-Noguès and J.-M. Couveignes, Factorisations explicites de g(y) − h(z), Acta Arith. 87 (1999), no. 4, 291–317.
6. C.-L. Chai and F. Oort, A note on the existence of absolutely simple Jacobians, J. Pure Appl. Algebra 155 (2001), 115–120.
7. W. Feit, Automorphisms of symmetric balanced incomplete block designs, Math. Z. 118 (1970), 40–49.
8. W. Feit, On symmetric balanced incomplete block designs with doubly transitive automorphism groups, J. Comb. Theory Ser. A 14 (1973), 221–247.
9. W. Feit, Some consequences of the classification of finite simple groups, Proc. Sympos. Pure Math. 37 (1980), 175–181.
10. M. Fried, On a conjecture of Schur, Michigan Math. J. 17 (1970), 41–55.
11. M. Fried, The field of definition of function fields and a problem in the reducibility of polynomials in two variables, Illinois J. Math. 17 (1973), 128–146.
12. M. Fried, Exposition on an arithmetic-group theoretic connection via Riemann's existence theorem, Proceedings of Symposia in Pure Math. 37 (1980), 571–602.
13. M. C. Harrison, Implementation of Kedlaya's algorithm, in [2, 3].
14. E. W. Howe and H. J. Zhu, On the existence of absolutely simple abelian varieties of a given dimension over an arbitrary field, J. Number Theory 92 (2002), 139–163.
15. K. S. Kedlaya, Counting points on hyperelliptic curves using Monsky–Washnitzer cohomology, J. Ramanujan Math. Soc. 16 (2001), no. 4, 323–338.
16. D. R. Kohel and B. A. Smith, Efficiently computable endomorphisms for hyperelliptic curves, in Algorithmic number theory: proceedings of ANTS-VII, LNCS 4076 (2006), 495–509.
17. G. Kux, Construction of algebraic correspondences between hyperelliptic function fields using Deuring's theory, Ph.D. thesis, Universität Kaiserslautern (2004).
18. D. Lehavi and C. Ritzenthaler, An explicit formula for the arithmetic geometric mean in genus 3, Experiment. Math. 16 (2007), 421–440.
19. R. Lidl, G. L. Mullen and G. Turnwald, Dickson polynomials, Pitman Monog. Surveys Pure Appl. Math. 65, Longman Scientific and Technical (1993).
20. J.-F. Mestre, Couples de jacobiennes isogènes de courbes hyperelliptiques de genre arbitraire, preprint arXiv:0902.3470v1 [math.AG].
21. J. S. Milne, Abelian Varieties, in G. Cornell and J. H. Silverman (eds.), Arithmetic Geometry, Springer (1986).
22. G. Shimura, Abelian varieties with complex multiplication and modular functions, Princeton Math. Ser. 46, Princeton University Press (1998).
23. B. Smith, Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves, in N. Smart (ed.), EUROCRYPT 2008, LNCS 4965 (2008), 163–180.
24. W. Tautz, J. Top, and A. Verberkmoes, Explicit hyperelliptic curves with real multiplication and permutation polynomials, Canad. J. Math. 43 (1991), no. 5, 1055–1064.

INRIA Saclay–Île-de-France / Laboratoire d'Informatique de l'École polytechnique (LIX), 91128 Palaiseau Cedex, France
E-mail address: [email protected]

Contemporary Mathematics Volume 521, 2010

Computing Congruences of Modular Forms and Galois Representations Modulo Prime Powers

Xavier Taixés i Ventosa and Gabor Wiese

Abstract. This article starts a computational study of congruences of mod- ular forms and modular Galois representations modulo prime powers. Algo- rithms are described that compute the maximum integer modulo which two monic coprime integral polynomials have a root in common in a sense that is defined. These techniques are applied to the study of congruences of modu- lar forms and modular Galois representations modulo prime powers. Finally, some computational results with implications on the (non-)liftability of mod- ular forms modulo prime powers and possible generalisations of level raising are presented.

1. Introduction

Congruences of modular forms modulo a prime $\ell$ and – from a different point of view – modular forms over $\mathbb{F}_\ell$ play an important role in modern Arithmetic Geometry. The most prominent recent example is Serre's modularity conjecture, which has just become a theorem of Khare, Wintenberger and Kisin. We particularly mention the various techniques for Level Raising and Level Lowering modulo $\ell$ that were already crucial for Wiles's proof of Fermat's Last Theorem.

Motivated by this, it is natural to study congruences modulo $\ell^n$ of modular forms and Galois representations. However, as working over non-factorial and non-reduced rings like $\mathbb{Z}/\ell^n\mathbb{Z}$ introduces many extra difficulties, one is led to first approach this subject from an algorithmic and computational point of view, which is the topic of this article.

We introduce a definition of when two algebraic integers $a, b$ are congruent modulo $\ell^n$. Our definition, which might appear non-standard at first, was forced upon us by three requirements: Firstly, we want it to be independent of any choice of number field containing $a, b$. Secondly, in the special case $n = 1$ a congruence modulo $\ell$ should come down to an equality in a finite field. Finally, if $a, b$ lie in some

2010 Mathematics Subject Classification. 11F33 (primary); 11F11, 11F80, 11Y40.
Both authors acknowledge partial support by the European Research Training Network Galois Theory and Explicit Methods MRTN-CT-2006-035495. G. W. also acknowledges partial support by the Sonderforschungsbereich Transregio 45 Periods, moduli spaces and arithmetic of algebraic varieties of the Deutsche Forschungsgemeinschaft.

© 2010 American Mathematical Society

number field $K$ that is unramified at $\ell$, then a congruence of $a$ and $b$ modulo $\ell^n$ should be a congruence modulo $\lambda^n$, where $\lambda$ is a prime dividing $\ell$ in $K$.

Since algebraic integers are – up to Galois conjugacy – most conveniently represented by their minimal polynomials, we address the problem of determining for which prime powers $\ell^n$ two coprime monic integral polynomials have zeros which are congruent modulo $\ell^n$. We prove that a certain number, called the reduced discriminant or – in our language – the congruence number of the two polynomials, in all cases gives a good upper bound and in favourable cases completely solves this problem. In the cases when the congruence number is insufficient, we use a method based on the Newton polygon of the polynomial whose roots are the differences of the roots of the polynomials we started with.

With these tools at our disposal, we target the problem of computing congruences modulo $\ell^n$ between two Hecke eigenforms. Since our motivation comes from arithmetic, especially from Galois representations, our main interest is in Hecke eigenforms. It quickly turns out, however, that there are several possible well justified notions of Hecke eigenforms modulo $\ell^n$. We present two, which we call strong and weak. The former can be thought of as reductions modulo $\ell^n$ of $q$-expansions of holomorphic normalised Hecke eigenforms; the latter can be understood as linear combinations of holomorphic modular forms, which are in general not eigenforms, but whose reduction modulo $\ell^n$ becomes an eigenform (our definition is formulated in a different way, but can be interpreted to mean this). We observe that Galois representations to $\mathrm{GL}_2(R)$, where $R$ is an extension of $\mathbb{Z}/\ell^n\mathbb{Z}$ in the sense of Section 2, can be attached to both weak and strong Hecke eigenforms (under the condition of residual absolute irreducibility).

Modular forms can be represented by their $q$-expansions (e.g. in $\mathbb{Z}/\ell^n\mathbb{Z}$), i.e. by power series. For computational purposes, such as uniquely identifying a modular form and comparing two modular forms, it is essential that already a finite segment of a certain length of the $q$-expansions suffices. We notice that a sufficient length is provided by the so-called Sturm bound, which is the same modulo $\ell^n$ as in characteristic 0.

The computational problem that we are mostly interested in is to determine congruences modulo $\ell^n$ between two newforms, i.e. equalities between strong Hecke eigenforms modulo $\ell^n$. This problem is perfectly suited for applying our methods of determining congruences modulo $\ell^n$ of zeros of integral polynomials. The reason for this is that the Fourier coefficient $a_p$ of a normalised Hecke eigenform is a zero of the characteristic polynomial of the Hecke operator $T_p$ acting on a suitable integral modular symbols space (see e.g. [S] or [W2]). Thus, in order to determine the prime powers modulo which two newforms are congruent, we compute the congruences between the roots of these characteristic polynomials for a suitable number of $p$. One important point deserves to be mentioned here: If the two newforms that we want to compare do not have the same levels (but the same weights), one cannot expect that they are congruent at all primes; a different behaviour is to be expected at primes dividing the levels. We address this problem by applying the usual degeneracy maps 'modulo $\ell^n$' in order to land in the same level. All these considerations lead to an algorithm, which we sketch. We point out that this algorithm is much faster than the (naive) one which works with the coefficients of the modular forms as algebraic integers in a (necessarily big) number field.

Congruences of modular forms modulo prime powers

We implemented the algorithm and performed many computations which led to observations that we consider very interesting. Some of the results are reported in Section 4. We are planning to investigate questions like 'Level Raising' in more detail in a subsequent work. We remark that the algorithm was already used in [DT] to determine some numerical examples satisfying the main theorem of that article.

Acknowledgements. X. T. would like to thank Gerhard Frey for suggesting the subject of the article as PhD project. G. W. would like to thank Frazer Jarvis, Lara Thomas, Christophe Ritzenthaler, Ian Kiming and, in particular, Gebhard Böckle for enlightening discussions and e-mail exchanges relating to the subject of this article, as well as Kristin Lauter for pointing out the article [Po]. Special thanks are due to Michael Stoll for suggesting the basic idea of one algorithm, as well as to one of the referees for also suggesting it together with many other improvements in notation and presentation. Thanks are also due to the second referee for pointing out that there should be a relation to the paper [ARS].

Notation. We introduce some standard notation to be used throughout. In the article $\ell$ and $p$ always refer to prime numbers. By an $\ell$-adic field we shall understand a finite field extension of $\mathbb{Q}_\ell$. We fix algebraic closures $\overline{\mathbb{Q}}$ of $\mathbb{Q}$ and $\overline{\mathbb{Q}}_\ell$ of $\mathbb{Q}_\ell$. By $\overline{\mathbb{Z}}$ and $\overline{\mathbb{Z}}_\ell$ we denote the integers of $\overline{\mathbb{Q}}$ and $\overline{\mathbb{Q}}_\ell$, respectively. If $K$ is either a number field or a local field, then $\mathcal{O}_K$ denotes its ring of integers. In the latter case, $\pi_K$ denotes a uniformiser, i.e. a generator of the maximal ideal of $\mathcal{O}_K$, and $v_K$ is the valuation satisfying $v_K(\pi_K)=1$. Moreover, $v_\ell$ denotes the valuation on $\overline{\mathbb{Q}}_\ell$ and on $K$ normalised such that $v_\ell(\ell)=1$.

2. Congruences modulo $\ell^n$

In this section we give our definition of congruences modulo $\ell^n$ for algebraic and $\ell$-adic integers and discuss how to compute them.

2.1. Definition. Since a question on congruences is a local question, we place ourselves in the set-up of $\ell$-adic fields. Let $\alpha,\beta\in\overline{\mathbb{Z}}_\ell$. In our definition of congruences modulo $\ell^n$ we are led by three requirements: (1) If $n=1$, we want that $\alpha\equiv\beta\bmod\ell$ if and only if the reductions of $\alpha$ and $\beta$ are equal in $\overline{\mathbb{F}}_\ell$. (2) If $\alpha$ and $\beta$ are elements of some finite unramified extension $K/\mathbb{Q}_\ell$, then we want $\alpha\equiv\beta\bmod\ell^n$ if and only if $\alpha-\beta\in(\pi_K^n)$. (3) We want the definition to be independent of any choice of $K/\mathbb{Q}_\ell$ containing $\alpha$ and $\beta$. We propose the following definition.

Definition 2.1. Let $n\in\mathbb{N}$. Let $\alpha,\beta\in\overline{\mathbb{Z}}_\ell$. We say that $\alpha$ is congruent to $\beta$ modulo $\ell^n$, for which we write $\alpha\equiv\beta\bmod\ell^n$, if and only if $v_\ell(\alpha-\beta)>n-1$.

Note that this definition satisfies our three requirements. Note also the trivial equivalence
$$(2.1)\qquad \alpha\equiv\beta\bmod\ell^n \iff \lceil v_\ell(\beta-\alpha)\rceil\ge n.$$
In the sequel of this article we will often speak of congruences modulo $\ell^n$ of (global) algebraic integers by fixing an embedding $\overline{\mathbb{Q}}\hookrightarrow\overline{\mathbb{Q}}_\ell$. The same notation will be used also in this situation without further comments.


2.2. Interpretation in terms of ring extensions. In this section we propose an interpretation of the above definition of congruences modulo $\ell^n$ in terms of ring extensions of $\mathbb{Z}/\ell^n\mathbb{Z}$. This interpretation gives us a much better algebraic handle for working with such congruences because we will be able to use equality instead of congruence. We were led to Definition 2.1 by the following consideration: Let $K/\mathbb{Q}_\ell$ be a finite extension and $n\in\mathbb{N}$. What is the minimal $m$ such that the inclusion $\mathbb{Z}_\ell\hookrightarrow\mathcal{O}_K$ induces an injection of $\mathbb{Z}/\ell^n\mathbb{Z}$ into $\mathcal{O}_K/(\pi_K^m)$? In order to formulate the answer, we introduce a function.

Definition 2.2. Let $L/K/\mathbb{Q}_\ell$ be finite field extensions and let $e_{L/K}$ denote the ramification index of $L/K$. For $n\in\mathbb{N}$, let $\gamma_{L/K}(n)=(n-1)e_{L/K}+1$. This function satisfies the following simple properties:

(i) For $n=1$, we have $\gamma_{L/K}(1)=1$.
(ii) If $L/K$ is unramified, then $\gamma_{L/K}(n)=n$.
(iii) For extensions $M/L/K$, we have multiplicativity: $\gamma_{M/K}(n)=\gamma_{M/L}(\gamma_{L/K}(n))$.
(iv) For extensions $L/K$, the integer $\gamma_{L/K}(n)$ is the minimal one such that the embedding $\mathcal{O}_K\hookrightarrow\mathcal{O}_L$ induces an injection $\mathcal{O}_K/(\pi_K^n)\hookrightarrow\mathcal{O}_L/(\pi_L^{\gamma_{L/K}(n)})$.
(v) For $\alpha,\beta\in K$, $K/\mathbb{Q}_\ell$ finite, we have:
$$v_K(\alpha-\beta)\ge\gamma_{K/\mathbb{Q}_\ell}(n)\iff v_\ell(\alpha-\beta)>n-1\iff\alpha\equiv\beta\bmod\ell^n.$$

Note that (i)–(iii) precisely correspond to the requirements (1)–(3) from Section 2.1. By (iv) we have produced ring extensions
$$\mathbb{Z}/\ell^n\mathbb{Z}\hookrightarrow\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})\hookrightarrow\mathcal{O}_L/(\pi_L^{\gamma_{L/\mathbb{Q}_\ell}(n)}).$$
Property (v) immediately yields a reformulation of the congruence of $\alpha$ and $\beta$ modulo $\ell^n$ as an equality in the residue ring $\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})$. In order to interpret congruences as equalities without always having to choose some finite extension of $\mathbb{Q}_\ell$, we now make the following construction, which for $n=1$ boils down to $\overline{\mathbb{F}}_\ell$. We define
$$\overline{\mathbb{Z}/\ell^n\mathbb{Z}}:=\varinjlim_{K}\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)}),$$
where $K$ runs through all subextensions of $\overline{\mathbb{Q}}_\ell$ of finite degree over $\mathbb{Q}_\ell$ and the inductive limit is taken with respect to the maps in (iv). The natural projections $\mathcal{O}_K\twoheadrightarrow\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})$ give rise to a surjective ring homomorphism
$$\pi_n:\overline{\mathbb{Z}}_\ell\twoheadrightarrow\overline{\mathbb{Z}/\ell^n\mathbb{Z}}.$$
Now we can make another reformulation of our definition of congruences modulo $\ell^n$: Let $\alpha,\beta\in\overline{\mathbb{Z}}_\ell$. Then we have
$$\alpha\equiv\beta\bmod\ell^n\iff\pi_n(\alpha)=\pi_n(\beta).$$

In the sequel, we will always choose the πn in a compatible way, i.e. if m

Defining $\gamma_{K/\mathbb{Q}_\ell}(n)$ as $n$ times the ramification index $e_{K/\mathbb{Q}_\ell}$ would have avoided that problem. But then $\gamma(1)=e_{K/\mathbb{Q}_\ell}\neq1$ in general, which is not in accordance with the usual usage of modulo $\ell$. This other possibility can be understood as $\overline{\mathbb{Z}}_\ell/\ell^n\overline{\mathbb{Z}}_\ell$.

2.3. Computing congruences modulo $\ell^n$. If one does not require one fixed embedding into the complex numbers, algebraic integers are most easily represented by their minimal polynomials. Thus, it is natural to study congruences between algebraic integers entirely through their minimal polynomials. This is the point of view that we adopt and it leads us to consider the following problem.

Problem 2.4. We fix, once and for all, for every $n$ compatibly, ring homomorphisms $\pi_n:\overline{\mathbb{Z}}\to\overline{\mathbb{Z}}_\ell\twoheadrightarrow\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$. Let $P,Q\in\mathbb{Z}[X]$ be two coprime monic polynomials and let $n\in\mathbb{N}$. How can we decide the validity of the following assertion?

"There exist $\alpha,\beta\in\overline{\mathbb{Z}}$ such that (i) $P(\alpha)=Q(\beta)=0$ and (ii) $\pi_n(\alpha)=\pi_n(\beta)$ (i.e. $\alpha\equiv\beta\bmod\ell^n$)."

In this article, we will give two algorithms for treating this problem. The first one arose from the idea that one could try to use greatest common divisors. This notion seems to be the right one for $n=1$, but it is not well behaved for $n>1$ since the ring $\mathbb{Z}/\ell^n\mathbb{Z}[X]$ is not a principal ideal domain. However, the algorithm for approximating greatest common divisors of two polynomials over $\mathbb{Z}_\ell$ presented in Appendix A of [FPR] led us to consider the notion of congruence number or reduced resultant. It can be used to give quite a fast algorithm, which, however, does not always give a complete answer. The second algorithm, which we call the Newton polygon method, always solves Problem 2.4 but tends to be slower (experimentally). Its basic idea was suggested to us by Michael Stoll after a talk of the second author and was immediately put into practice. However, since the first version of this article had already been finished, the algorithm was not included in it, so that it was again suggested to us by one of the referees. In this section we will present both algorithms in detail.

It should be pointed out explicitly that Problem 2.4 cannot be solved completely by considering only the reductions of $P$ and $Q$ modulo $\ell^n$ if $n>1$. This is a major difference to the case $n=1$. The difference is due to the fact that in the problem we want $\alpha$ and $\beta$ to be zeros of $P$ and $Q$: if $\alpha$ and $\beta$ are elements in $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ such that inside that ring $P(\alpha)=Q(\beta)=0$, then it is not clear if they are reductions of zeros of $P$ and $Q$.

Congruence number. The congruence number of two integral polynomials provides an upper bound for congruences in the sense of Problem 2.4. It is defined in such a way that it can easily be calculated on a computer.

Definition 2.5. Let R be any commutative ring. By R[X]

R[X]

primitive coprime polynomials, then any non-zero polynomial of smallest degree in the image is a constant polynomial.

Definition 2.6. Let $P,Q\in\mathbb{Z}[X]$ be coprime polynomials. We define the congruence number $c(P,Q)$ of $P$ and $Q$ as the smallest positive integer $c$ such that the constant polynomial $c$ is in the image of the Sylvester map of $P$ and $Q$.

We remark that for monic coprime polynomials $P$ and $Q$, via polynomial division, the principal ideal $(c(P,Q))$ can be seen to be equal to the intersection of the ideal of constant integral polynomials with the ideal in $\mathbb{Z}[X]$ generated by all polynomials $rP+sQ$ when $r,s$ run through all of $\mathbb{Z}[X]$. In [Po] the congruence number is called the reduced resultant. Note that in general the reduced resultant is a proper divisor of the resultant. It makes sense to replace $\mathbb{Z}$ by $\mathbb{Z}_\ell$ everywhere and to define a congruence number as a constant polynomial in the image of the Sylvester map having the lowest $\ell$-adic valuation. Although this element is not unique, its valuation is.

The congruence number gives an upper bound for the $n$ in Problem 2.4:

Proposition 2.7. Let $P,Q\in\mathbb{Z}[X]$ be coprime polynomials and let $\ell^n$ be the exact power of $\ell$ dividing $c(P,Q)$. Then there are no $\alpha,\beta\in\overline{\mathbb{Z}}$ such that (i) $P(\alpha)=Q(\beta)=0$ and (ii) $\pi_m(\alpha)=\pi_m(\beta)$ (i.e. $\alpha\equiv\beta\bmod\ell^m$) for any $m>n$.

Proof. By assumption there exist $r,s\in\mathbb{Z}[X]$ such that $c=c(P,Q)=rP+sQ$. Let $\alpha,\beta\in\overline{\mathbb{Z}}$ be zeros of $P$ and $Q$, respectively, such that $\pi_m(\alpha)=\pi_m(\beta)$. We obtain
$$\pi_m(c)=\pi_m\big(r(\alpha)P(\alpha)+s(\alpha)Q(\alpha)\big)=\pi_m(s(\alpha))\,\pi_m(Q(\alpha))=\pi_m(s(\beta))\,\pi_m(Q(\beta))=0.$$
This means that $\ell^m$ divides $c$, whence $m\le n$. □

On the computation of the congruence number. The idea for the computation of the congruence number is very simple: we use basic linear algebra and the Sylvester matrix. The point is that the Sylvester map is described by the standard Sylvester matrix $S$ of $P$ and $Q$ (or rather its transpose if one works with column vectors) for the standard bases of the polynomial rings.

We describe in words the straightforward algorithm for computing the congruence number $c(P,Q)$ as well as for finding polynomials $r,s$ such that $c(P,Q)=rP+sQ$ with $\deg(r)<\deg(Q)$ and $\deg(s)<\deg(P)$. The algorithm consists of bringing $S$ into row echelon (or Hermite) form, i.e. one computes an invertible integral matrix $B$ such that $BS$ has no entries below the diagonal. With the columns ordered so that the constant coefficient comes last, the congruence number $c(P,Q)$ is (the absolute value of) the bottom right entry of $BS$ and the coefficients of $r$ and $s$ are the entries in the bottom row of $B$. This algorithm works over the integers and over $\ell$-adic rings with a certain precision, i.e. $\mathbb{Z}/\ell^n\mathbb{Z}$. We note that by reducing $BS$ modulo $\ell$, one can read off the greatest common divisor of the reductions of $P$ and $Q$ modulo $\ell$: its coefficients (up to normalisation) are the entries in the last non-zero row of the reduction of $BS$ modulo $\ell$. This has the following trivial, but noteworthy consequence.

Corollary 2.8. Suppose that $P$ and $Q$ are primitive coprime polynomials in $\mathbb{Z}[X]$. Then $P$ and $Q$ have a non-trivial common divisor modulo $\ell$ if and only if the congruence number of $P$ and $Q$ is divisible by $\ell$.
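As an added worked example (this is not code from the article), the following Python implements the computation just described: it builds the Sylvester matrix of $P$ and $Q$, brings it into echelon form by unimodular integer row operations (Euclid's algorithm on each column), and reads off $c(P,Q)$ together with cofactors $r,s$ satisfying $c=rP+sQ$ from the last rows of $BS$ and $B$. The polynomials $P=X^2-2$ and $Q=X^2-18$ are a constructed test case chosen so that $\ell=2$ divides the congruence number; all function names are my own.

```python
# Polynomials are lists of integer coefficients in ascending degree: [a0, a1, ..., ad].

def poly_mul(A, B):
    out = [0] * (len(A) + len(B) - 1)
    for i, a in enumerate(A):
        for j, b in enumerate(B):
            out[i + j] += a * b
    return out

def poly_add(A, B):
    n = max(len(A), len(B))
    return [(A[i] if i < len(A) else 0) + (B[i] if i < len(B) else 0) for i in range(n)]

def sylvester(P, Q):
    """Standard Sylvester matrix: rows X^i P (i = deg Q - 1 .. 0), then X^j Q (j = deg P - 1 .. 0);
    columns X^{N-1}, ..., X, 1 so that a constant polynomial sits in the last column."""
    dP, dQ = len(P) - 1, len(Q) - 1
    N = dP + dQ
    rows = []
    for shift, poly in [(i, P) for i in reversed(range(dQ))] + [(j, Q) for j in reversed(range(dP))]:
        row = [0] * N
        for k, a in enumerate(poly):
            row[N - 1 - (k + shift)] = a
        rows.append(row)
    return rows

def hermite_echelon(S):
    """Upper echelon form of an integer matrix by unimodular row operations.
    Returns (B, H) with H = B * S and B invertible over Z."""
    H = [row[:] for row in S]
    m = len(H)
    B = [[int(i == j) for j in range(m)] for i in range(m)]
    piv = 0
    for col in range(len(H[0])):
        if piv == m:
            break
        while True:
            nz = [r for r in range(piv, m) if H[r][col] != 0]
            if not nz:
                break
            r0 = min(nz, key=lambda r: abs(H[r][col]))   # smallest entry becomes the pivot
            H[piv], H[r0] = H[r0], H[piv]
            B[piv], B[r0] = B[r0], B[piv]
            done = True
            for r in range(piv + 1, m):
                q = H[r][col] // H[piv][col]             # Euclidean step: |remainder| < |pivot|
                if q:
                    H[r] = [a - q * b for a, b in zip(H[r], H[piv])]
                    B[r] = [a - q * b for a, b in zip(B[r], B[piv])]
                if H[r][col] != 0:
                    done = False
            if done:
                break
        if H[piv][col] != 0:
            piv += 1
    return B, H

def congruence_number(P, Q):
    """c(P,Q) of Definition 2.6 with cofactors r, s such that c = r*P + s*Q,
    deg r < deg Q and deg s < deg P, read off the last rows of H = B*S and B."""
    dQ = len(Q) - 1
    B, H = hermite_echelon(sylvester(P, Q))
    last = H[-1][-1]
    if last == 0 or any(H[-1][:-1]):
        raise ValueError("P and Q must be coprime (Sylvester matrix singular)")
    sign = 1 if last > 0 else -1
    row = [sign * b for b in B[-1]]
    r = list(reversed(row[:dQ]))   # row t of S is X^{dQ-1-t} P, so reverse to ascending degree
    s = list(reversed(row[dQ:]))   # likewise X^{dP-1-t} Q
    return abs(last), r, s

def ell_part(c, ell):
    """Exponent of the exact power of ell dividing c: the upper bound n of Proposition 2.7."""
    n = 0
    while c % ell == 0:
        c //= ell
        n += 1
    return n

def has_common_factor_mod(P, Q, ell):
    """Corollary 2.8: for primitive coprime P, Q the reductions mod ell share a factor iff ell | c(P,Q)."""
    return congruence_number(P, Q)[0] % ell == 0

# Constructed example (not from the paper): P = X^2 - 2, Q = X^2 - 18, ell = 2.
P_EX, Q_EX = [-2, 0, 1], [-18, 0, 1]

if __name__ == "__main__":
    c, r, s = congruence_number(P_EX, Q_EX)
    print(c, r, s, ell_part(c, 2))   # c = 16 = 2^4, r = 1, s = -1
```

For this pair the routine returns $c=16$, so by Proposition 2.7 a root of $P$ and a root of $Q$ can be congruent at most modulo $2^4$. Both reductions modulo $2$ equal $X^2$, so neither polynomial is squarefree modulo $2$ and Corollary 2.12(c) does not apply; since $s=-1$ is coprime to $\overline{Q}$, part (d)(i) only guarantees a congruence modulo $2^{\lceil 4/2\rceil}=2^2$. The true answer is $3$ (one checks $v_2(\sqrt2+3\sqrt2)=v_2(4\sqrt2)=5/2>2$), which is what the Newton polygon method below recovers.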


Applications of the congruence number. We now examine when the congruence number is enough to solve Problem 2.4 for given $P,Q$ and for all $n$. In cases when it is not, we will give a lower bound for the maximum $n$ for which the assertions of the problem are satisfied. We start with the observation that the congruence number suffices to solve our problem for $n=1$.

Proposition 2.9. Let $n=1$. Assume that $P$ and $Q$ are coprime monic polynomials in $\mathbb{Z}[X]$. The assertion in Problem 2.4 is satisfied if and only if the congruence number $c(P,Q)$ is divisible by $\ell$.

Proof. The calculations of the proof of Proposition 2.7 show that if the assertion is satisfied, then $\ell$ divides $c(P,Q)$. Conversely, if $\ell$ divides $c(P,Q)$ then by Corollary 2.8 the reductions of $P$ and $Q$ have a non-trivial common divisor and thus a common zero in $\overline{\mathbb{F}}_\ell$. All zeros in $\overline{\mathbb{F}}_\ell$ lift to zeros in $\overline{\mathbb{Z}}$. □

We fix an embedding $\overline{\mathbb{Q}}\hookrightarrow\overline{\mathbb{Q}}_\ell$. Our further treatment will be based on the following simple observation. Let $M\subset\overline{\mathbb{Q}}$ be any number field containing all the roots of the monic coprime polynomials $P,Q\in\mathbb{Z}[X]$ and let $c=c(P,Q)=rP+sQ$ with $r,s\in\mathbb{Z}[X]$, $\deg(r)<\deg(Q)$, $\deg(s)<\deg(P)$, and factor $Q(X)=\prod_i(X-\beta_i)$ in $\overline{\mathbb{Z}}[X]$. Then for $\alpha\in\overline{\mathbb{Z}}$ such that $P(\alpha)=0$ we have
$$(2.2)\qquad v_M(c)=v_M(s(\alpha))+\sum_i v_M(\alpha-\beta_i).$$

Our aim now is to find a lower bound for the maximum of $v_M(\alpha-\beta_i)$ depending on $\pi_M(c)$. For that we discuss the two summands in the equation separately. We first treat $v_M(s(\alpha))$. By $\overline{F}$ we denote the reduction modulo $\ell$ of an integral polynomial $F$.

Proposition 2.10. Suppose that $\ell$ divides $c(P,Q)$.
(a) If $\overline{s}$ and $\overline{Q}$ are coprime, then $v_M(s(\alpha))=0$ for all $\alpha\in\overline{\mathbb{Z}}$ with $\pi_1(Q(\alpha))=0$.
(b) If one of $\overline{P}$ or $\overline{Q}$ does not have any multiple factors, then there is $\alpha\in\overline{\mathbb{Z}}$ such that $P(\alpha)=0$, $\pi_1(Q(\alpha))=0$ and $v_M(s(\alpha))=0$, or there is $\beta\in\overline{\mathbb{Z}}$ such that $Q(\beta)=0$, $\pi_1(P(\beta))=0$ and $v_M(r(\beta))=0$.
(c) If $\overline{P}$ is an irreducible polynomial in $\mathbb{F}_\ell[X]$ and $Q$ is irreducible in $\mathbb{Z}_\ell[X]$, then $\overline{s}$ and $\overline{Q}$ are coprime and $v_M(s(\alpha))=0$ for all $\alpha\in\overline{\mathbb{Z}}$ with $\pi_1(Q(\alpha))=0$.

Proof. (a) Since $\overline{s}$ and $\overline{Q}$ are coprime, the reduction of $\alpha$ cannot be a root of both of them.
(b) We prove that there exists $y\in\overline{\mathbb{F}}_\ell$ which is a common zero of $\overline{P}$ and $\overline{Q}$, but not a common zero of $\overline{r}$ and $\overline{s}$ at the same time. Assume the contrary, i.e. that $\overline{r}(y)=\overline{s}(y)=0$ for all $y\in\overline{\mathbb{F}}_\ell$ with $\overline{P}(y)=\overline{Q}(y)=0$. Let $G\in\mathbb{F}_\ell[X]$ be the monic polynomial of smallest degree annihilating all $y\in\overline{\mathbb{F}}_\ell$ with the property $\overline{P}(y)=\overline{Q}(y)=0$. Then $G$ divides $\overline{P}$, $\overline{Q}$ as well as, by assumption, $\overline{r}$ and $\overline{s}$. Hence, we have
$$0=\overline{r}\,\overline{P}+\overline{s}\,\overline{Q}=G^2\,(r_1P_1+s_1Q_1)$$
with certain polynomials $r_1,P_1,s_1,Q_1\in\mathbb{F}_\ell[X]$. We obtain the equation
$$(2.3)\qquad 0=r_1P_1+s_1Q_1$$
and we also have $\deg(r_1)<\deg(Q_1)$ and $\deg(s_1)<\deg(P_1)$. As either $\overline{P}$ or $\overline{Q}$ does not have any multiple factor, it follows that $P_1$ and $Q_1$ are coprime. This contradicts Equation 2.3 (it forces $P_1\mid s_1$, hence $s_1=0$ and $r_1=0$, i.e. $\ell$ divides $r$ and $s$, contradicting the minimality of $c$). Hence, we have $y\in\overline{\mathbb{F}}_\ell$ with $\overline{P}(y)=\overline{Q}(y)=0$ and $\overline{r}(y)\neq0$ or $\overline{s}(y)\neq0$. If $\overline{r}(y)\neq0$ then we lift $y$ to a zero $\beta$ of $Q$. In the other case we lift $y$ to a zero $\alpha$ of $P$.
(c) The assumptions imply that $\overline{Q}=\overline{P}^a$ for some $a$. As the degree of $s$ is smaller than the degree of $P$, it follows that $\overline{s}$ and $\overline{P}$ are coprime. Thus also $\overline{s}$ and $\overline{Q}$ are coprime and we conclude by (a). □

We now treat the term $\sum_i v_M(\alpha-\beta_i)$.

Proposition 2.11. Suppose that $\ell$ divides $c(P,Q)$ and that $\alpha$ is a root of $P$ which is congruent to some root of $Q$ modulo $\ell$ (which exists by Proposition 2.9). Assume without loss of generality that $\beta_1$ is a root of $Q$ which is closest to $\alpha$, i.e. such that $v_M(\alpha-\beta_1)\ge v_M(\alpha-\beta_i)$ for all $i$.
(a) Suppose that $\overline{Q}$ has no multiple factors (i.e. the discriminant of $Q$ is not divisible by $\ell$, or, equivalently, the congruence number of $Q$ and $Q'$ is not divisible by $\ell$). Then $\sum_i v_M(\alpha-\beta_i)=v_M(\alpha-\beta_1)$.
(b) In general we have $v_M(\alpha-\beta_1)\ge\Big\lceil\frac{1}{\deg(Q)}\sum_i v_M(\alpha-\beta_i)\Big\rceil$.

Proof. (a) If $\overline{Q}$ does not have any multiple factors, then $v_M(\beta_1-\beta_i)=0$ for all $i\neq1$. Consequently, $v_M(\alpha-\beta_i)=v_M(\alpha-\beta_1+\beta_1-\beta_i)=0$ for $i\neq1$. (b) is trivial. □

We summarise the preceding discussion in the following corollary, solving Problem 2.4 if $\overline{P}$ and $\overline{Q}$ do not have any multiple factors, and giving a partial answer in the other cases.

Corollary 2.12. Let $P,Q$ be coprime monic polynomials in $\mathbb{Z}[X]$ (or $\mathbb{Z}_\ell[X]$), let $\ell^n$ be the highest power of $\ell$ dividing the congruence number $c:=c(P,Q)$ and let $r,s\in\mathbb{Z}[X]$ (or $\mathbb{Z}_\ell[X]$) be polynomials such that $c=rP+sQ$ with $\deg(r)<\deg(Q)$ and $\deg(s)<\deg(P)$.
(a) If $n=0$, then no root of $P$ is congruent modulo $\ell$ to a root of $Q$.
(b) If $n=1$, then there are $\alpha,\beta$ in $\overline{\mathbb{Z}}$ (in $\overline{\mathbb{Z}}_\ell$, respectively) with $P(\alpha)=Q(\beta)=0$ such that they are congruent modulo $\ell$, and there are no $\alpha_1,\beta_1$ in $\overline{\mathbb{Z}}$ (in $\overline{\mathbb{Z}}_\ell$, respectively) with $P(\alpha_1)=Q(\beta_1)=0$ such that they are congruent modulo $\ell^2$.
(c) Suppose now that $n\ge1$ and that one of the following properties holds:
 (i) $\overline{P}$ does not have any multiple factors and $\overline{Q}$ does not have any multiple factors (i.e. $\ell\nmid c(P,P')$ and $\ell\nmid c(Q,Q')$).
 (ii) $\overline{Q}$ does not have any multiple factors and $\overline{s}$ and $\overline{Q}$ are coprime.
 (iii) $\overline{P}$ does not have any multiple factors and $\overline{r}$ and $\overline{P}$ are coprime.
Then there are $\alpha,\beta$ in $\overline{\mathbb{Z}}$ (in $\overline{\mathbb{Z}}_\ell$, respectively) with $P(\alpha)=Q(\beta)=0$ such that they are congruent modulo $\ell^n$, and there are no $\alpha_1,\beta_1$ in $\overline{\mathbb{Z}}$ (in $\overline{\mathbb{Z}}_\ell$, respectively) with $P(\alpha_1)=Q(\beta_1)=0$ such that they are congruent modulo $\ell^{n+1}$.
(d) Suppose that $n\ge1$.
 (i) If $\overline{s}$ and $\overline{Q}$ are coprime, let $m=\lceil n/\deg(Q)\rceil$.
 (ii) If $\overline{r}$ and $\overline{P}$ are coprime, let $m=\lceil n/\deg(P)\rceil$.
 (iii) If (i) and (ii) do not hold, let $m=1$.
Then there are $\alpha,\beta$ in $\overline{\mathbb{Z}}$ (in $\overline{\mathbb{Z}}_\ell$, respectively) with $P(\alpha)=Q(\beta)=0$ such that they are congruent modulo $\ell^m$, and there are no $\alpha_1,\beta_1$ in $\overline{\mathbb{Z}}$ (in $\overline{\mathbb{Z}}_\ell$, respectively) with $P(\alpha_1)=Q(\beta_1)=0$ such that they are congruent modulo $\ell^{n+1}$.

Proof. In the proof we use the notation introduced above. The upper bounds in (b)–(d) were proved in Proposition 2.7. (a) follows from Proposition 2.9. (b) The existence of a congruence follows from Corollary 2.8 and Proposition 2.9. (c) In case (i), by Proposition 2.10(b) we can choose $\alpha\in\overline{\mathbb{Z}}$ with $P(\alpha)=0$ and $\beta\in\overline{\mathbb{Z}}$ with $Q(\beta)=0$, congruent modulo $\ell$, such that $v_M(s(\alpha))=0$ or $v_M(r(\beta))=0$. Without loss of generality (after possibly exchanging the roles of $(P,r)$ and $(Q,s)$) we may assume the former case. In case (ii), by Proposition 2.10(a) any $\alpha\in\overline{\mathbb{Z}}$ with $P(\alpha)=0$ and $\pi_1(Q(\alpha))=0$ will satisfy $v_M(s(\alpha))=0$. In both cases, from Proposition 2.11 and Equation 2.2 we obtain the equality
$$v_M(c)=v_M(\ell^n)=v_M(\alpha-\beta_1),$$
where $\beta_1$ comes from Proposition 2.11. This gives the desired result. Case (iii) is just case (ii) with the roles of $(P,r)$ and $(Q,s)$ interchanged.
(d) also follows from Propositions 2.10 and 2.11 and Equation 2.2. More precisely, in case (i) we have the inequality
$$v_M(\alpha-\beta_1)\ge\Big\lceil\frac{v_M(c)}{\deg(Q)}\Big\rceil=\Big\lceil\frac{en}{\deg(Q)}\Big\rceil\ge\Big(\Big\lceil\frac{n}{\deg(Q)}\Big\rceil-1\Big)e+1=\gamma_{M/\mathbb{Q}_\ell}\Big(\Big\lceil\frac{n}{\deg(Q)}\Big\rceil\Big),$$
where $e$ is the ramification index of $M/\mathbb{Q}_\ell$ (at the prime of $M$ fixed by the embedding). Hence, $\pi_m(\alpha-\beta_1)=0$ with $m=\lceil n/\deg(Q)\rceil$. Case (ii) is case (i) with the roles of $(P,r)$ and $(Q,s)$ interchanged. □

Remark 2.13. It is straightforward to turn Corollary 2.12 into an algorithm. Say, $P,Q\in\mathbb{Z}[X]$ are coprime monic polynomials. First we compute the congruence numbers $c(P,P')$ and $c(Q,Q')$. If any of these is zero, then we factor $P$ (respectively, $Q$) in $\mathbb{Z}[X]$ into irreducible polynomials $P=\prod_iP_i$ (respectively, $Q=\prod_jQ_j$). We then treat any pair $(P_i,Q_j)$ separately and return the maximum upper and the maximum lower bound for congruences of zeros. For simplicity of notation, we now call the pair $(P,Q)$.

Now we compute the congruence numbers $c=c(P,Q)$ and $c_P=c(P,P')$ as well as $c_Q=c(Q,Q')$, all of which are non-zero by assumption. Along the way we also compute polynomials $r,s\in\mathbb{Z}[X]$ such that $c=rP+sQ$ and $\deg(r)<\deg(Q)$ and $\deg(s)<\deg(P)$. For each prime power $\ell^n$ (with $n\ge1$) exactly dividing $c$ we do the following. If $\ell$ does not divide $c_Pc_Q$, then we are in case (c)(i) and we know that there are $\alpha,\beta\in\overline{\mathbb{Z}}$ such that $P(\alpha)=0=Q(\beta)$ and $\pi_n(\alpha)=\pi_n(\beta)$. This is best possible and we have obtained a complete answer to Problem 2.4. If $\ell$ is coprime to $c_P$ or $c_Q$, we check whether we are in case (c)(ii) or (c)(iii). Then we also obtain equality of the upper and lower bound and thus a complete answer to Problem 2.4. If we are in neither of these cases, then we use the much weaker lower bounds of part (d). In order to get a best possible result in this case, too, one can make use of the Newton polygon method to be described next.

Newton polygon method. We now present the second algorithm for treating Problem 2.4. The basic idea of this algorithm was suggested to us by Michael Stoll. Let still $P,Q\in\mathbb{Z}[X]$ be coprime monic polynomials. Consider factorisations in

$\overline{\mathbb{Z}}[X]$:
$$P(X)=\prod_{i=1}^{u}(X-\alpha_i)\quad\text{and}\quad Q(X)=\prod_{j=1}^{v}(X-\beta_j).$$
Now take $Q(X+Y)=\prod_{j=1}^{v}\big(X-(\beta_j-Y)\big)$, considered as a polynomial in $X$ with coefficients in $\overline{\mathbb{Z}}[Y]$, and let $F(Y)$ be the resultant of $P(X)$ and $Q(X+Y)$ with respect to the variable $X$. By well known properties of the resultant one has
$$F(Y)=\pm\prod_{i=1}^{u}\prod_{j=1}^{v}\big(Y-(\beta_j-\alpha_i)\big).$$
Hence, the roots of $F(Y)$ are precisely the differences of the roots of $P$ and $Q$. Thus, the slopes of the Newton polygon of $F(Y)\in\mathbb{Z}[Y]$ (with the sign convention under which the slopes are the valuations of the roots) are the $v_\ell(\beta_j-\alpha_i)$. We obtain the following result, solving Problem 2.4.

Proposition 2.14. Let $P,Q\in\mathbb{Z}[X]$ be coprime monic polynomials and set $n:=\lceil s\rceil$, where $s$ is the biggest slope of the Newton polygon of the polynomial $F\in\mathbb{Z}[Y]$ defined above. Then there are $\alpha,\beta\in\overline{\mathbb{Z}}$ such that (i) $P(\alpha)=Q(\beta)=0$ and (ii) $\pi_n(\alpha)=\pi_n(\beta)$ (i.e. $\alpha\equiv\beta\bmod\ell^n$). Moreover, $n$ is the biggest integer satisfying this property.

Proof. Let $\alpha,\beta\in\overline{\mathbb{Z}}$ with $P(\alpha)=Q(\beta)=0$ such that the slope of $\beta-\alpha$ is equal to $s$, i.e. $v_\ell(\beta-\alpha)=s$ (subject to the fixed embedding $\overline{\mathbb{Q}}\hookrightarrow\overline{\mathbb{Q}}_\ell$). The proposition is an immediate consequence of Definition 2.1 and Equation 2.1. □
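As an added example (my own code, not the authors'), the following Python carries out the Newton polygon method of Proposition 2.14 end to end. It computes $F(Y)=\mathrm{Res}_X(P(X),Q(X+Y))$ exactly over $\mathbb{Z}$ by evaluating the Sylvester determinant (fraction-free Bareiss elimination) at $\deg F+1$ integer points and interpolating, then takes the lower convex hull of the points $(i,v_\ell(a_i))$ for $F(Y)=\sum_i a_iY^i$. In the usual convention a hull segment of horizontal length $d$ and slope $-\lambda$ accounts for $d$ roots of valuation $\lambda$, so the biggest root valuation $s$ comes from the first segment and $n=\lceil s\rceil$. The test polynomials $X^2-2$, $X^2-18$ (with $\ell=2$) and $X-1$, $X^2+X+1$ (with $\ell=3$) are constructed inputs; function names are my own.

```python
from fractions import Fraction
from math import ceil

# Polynomials are lists of integer coefficients in ascending degree: [a0, a1, ..., ad].

def poly_mul(A, B):
    out = [0] * (len(A) + len(B) - 1)
    for i, a in enumerate(A):
        for j, b in enumerate(B):
            out[i + j] += a * b
    return out

def taylor_shift(Q, y):
    """Coefficients of Q(X + y), by Horner's rule in the variable X + y."""
    res = [Q[-1]]
    for a in reversed(Q[:-1]):
        res = poly_mul(res, [y, 1])
        res[0] += a
    return res

def sylvester(P, Q):
    """Standard Sylvester matrix: rows X^i P (i = deg Q - 1 .. 0), then X^j Q; columns X^{N-1} .. X^0."""
    dP, dQ = len(P) - 1, len(Q) - 1
    N = dP + dQ
    rows = []
    for shift, poly in [(i, P) for i in reversed(range(dQ))] + [(j, Q) for j in reversed(range(dP))]:
        row = [0] * N
        for k, a in enumerate(poly):
            row[N - 1 - (k + shift)] = a
        rows.append(row)
    return rows

def bareiss_det(M):
    """Exact integer determinant by fraction-free (Bareiss) elimination with row pivoting."""
    M = [row[:] for row in M]
    n, sign, prev = len(M), 1, 1
    for k in range(n - 1):
        if M[k][k] == 0:
            piv = next((i for i in range(k + 1, n) if M[i][k] != 0), None)
            if piv is None:
                return 0
            M[k], M[piv] = M[piv], M[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev  # division is exact
        prev = M[k][k]
    return sign * M[n - 1][n - 1]

def difference_polynomial(P, Q):
    """F(Y) = Res_X(P(X), Q(X+Y)) = prod_{i,j} (Y - (beta_j - alpha_i)) for monic P, Q, computed
    exactly by evaluating the Sylvester determinant at deg F + 1 integers and interpolating."""
    D = (len(P) - 1) * (len(Q) - 1)
    xs = list(range(D + 1))
    ys = [bareiss_det(sylvester(P, taylor_shift(Q, y))) for y in xs]
    coeffs = [Fraction(0)] * (D + 1)
    for i, xi in enumerate(xs):                      # Lagrange interpolation over Q
        basis, denom = [Fraction(1)], Fraction(1)
        for j, xj in enumerate(xs):
            if j != i:
                basis = poly_mul(basis, [Fraction(-xj), Fraction(1)])
                denom *= xi - xj
        for k in range(D + 1):
            coeffs[k] += ys[i] * basis[k] / denom
    assert all(c.denominator == 1 for c in coeffs)
    return [int(c) for c in coeffs]

def valuation(a, ell):
    """ell-adic valuation of a non-zero integer."""
    v = 0
    while a % ell == 0:
        a //= ell
        v += 1
    return v

def newton_polygon_valuations(F, ell):
    """Lower convex hull of the points (i, v_ell(a_i)); a segment of horizontal length d and slope
    -lambda corresponds to d roots of valuation lambda.  Returns [(lambda, d)], largest lambda first."""
    pts = [(i, valuation(a, ell)) for i, a in enumerate(F) if a != 0]
    hull = []
    for x, y in pts:
        while len(hull) >= 2:
            (x0, y0), (x1, y1) = hull[-2], hull[-1]
            if (x1 - x0) * (y - y0) - (y1 - y0) * (x - x0) <= 0:   # hull[-1] is not below the chord
                hull.pop()
            else:
                break
        hull.append((x, y))
    return [(Fraction(y0 - y1, x1 - x0), x1 - x0) for (x0, y0), (x1, y1) in zip(hull, hull[1:])]

def max_congruence_exponent(P, Q, ell):
    """Proposition 2.14: the largest n with alpha = beta mod ell^n for roots alpha of P and beta of Q
    is ceil(s), where s is the largest valuation of a root of F(Y)."""
    segments = newton_polygon_valuations(difference_polynomial(P, Q), ell)
    return ceil(max(s for s, _ in segments))

# Constructed example (not from the paper): P = X^2 - 2, Q = X^2 - 18, ell = 2.
if __name__ == "__main__":
    F = difference_polynomial([-2, 0, 1], [-18, 0, 1])          # Y^4 - 40 Y^2 + 256
    print(F, newton_polygon_valuations(F, 2), max_congruence_exponent([-2, 0, 1], [-18, 0, 1], 2))
```

For $P=X^2-2$, $Q=X^2-18$ one gets $F(Y)=Y^4-40Y^2+256$, whose $2$-adic Newton polygon has vertices $(0,8)$, $(2,3)$, $(4,0)$, i.e. two root differences of valuation $5/2$ and two of valuation $3/2$; hence $n=\lceil 5/2\rceil=3$, strictly between the lower bound $2$ of Corollary 2.12(d) and the upper bound $4$ from the congruence number $16$. Evaluation and interpolation keep the computation in $\mathbb{Z}$ throughout; for large degrees one would replace the Lagrange step by a subresultant routine, but the Newton polygon part is unchanged.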

3. Modular forms and Galois representations modulo $\ell^n$

In this section, we apply the methods from Section 2 to the study of congruences of modular forms and modular Galois representations modulo $\ell^n$. As in Section 2, we keep ring homomorphisms $\pi_n:\overline{\mathbb{Z}}\to\overline{\mathbb{Z}}_\ell\twoheadrightarrow\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$, compatible for all $n$, fixed. In this section, we restrict to $\Gamma_0(N)$ for simplicity. Everything can be generalised without any problems to $\Gamma_1(N)$ with the obvious modifications. Moreover, also for the simplicity of the exposition, all our modular forms are cusp forms.

3.1. Modular forms modulo $\ell^n$. For studying the notion of congruences modulo $\ell^n$ of modular forms it is useful to introduce the terminology of modular forms over $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ or, in abuse of language, modular forms modulo $\ell^n$. In contrast to the case $n=1$, one must be aware that lifting of modular forms over $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ to characteristic zero is not automatic. This will be reflected in our notions. We let $S_k(\Gamma_0(N))$ denote the $\mathbb{C}$-vector space of holomorphic cuspidal modular forms of weight $k$ and level $N$.

Definition 3.1. Let $\mathbb{T}:=\mathbb{T}_k(\Gamma_0(N))$ be the $\mathbb{Z}$-subalgebra of $\mathrm{End}_\mathbb{C}(S_k(\Gamma_0(N)))$ generated by all the Hecke operators $T_n$, $n\in\mathbb{N}$.
(i) A modular form of weight $k$ and level $N$ over $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ (or modulo $\ell^n$) is a $\mathbb{Z}$-module homomorphism $f:\mathbb{T}\to\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$.
(ii) A modular form $f$ over $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ is a weak Hecke eigenform if $f$ is a ring homomorphism.

(iii) A weak Hecke eigenform $f$ over $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ is a strong Hecke eigenform if $f$ factors into ring homomorphisms $\mathbb{T}\to\overline{\mathbb{Z}}\xrightarrow{\pi_n}\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$.
(iv) Any normalised holomorphic Hecke eigenform $f=q+\sum_{m\ge2}a_m(f)q^m$ (with $q=e^{2\pi iz}$ and $a_m\in\overline{\mathbb{Z}}$) gives rise to a strong Hecke eigenform over $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ via $\mathbb{T}\xrightarrow{T_m\mapsto a_m}\overline{\mathbb{Z}}\xrightarrow{\pi_n}\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$. This modular form will be referred to as the reduction of $f$ modulo $\ell^n$.
(v) If the reductions modulo $\ell^n$ of two normalised holomorphic eigenforms $f$ and $g$ agree, then we say that $f$ and $g$ are congruent modulo $\ell^n$. This is the same as the congruence $a_m(f)\equiv a_m(g)\bmod\ell^n$ for all $m\in\mathbb{N}$ with the notion of congruence from Section 2. If the congruence $a_p(f)\equiv a_p(g)\bmod\ell^n$ holds for all primes $p$ but possibly finitely many, we say that $f$ and $g$ are congruent modulo $\ell^n$ at almost all primes.

Remark 3.2. (a) It is often useful to think of a modular form $f$ over $\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ as the $q$-expansion $\sum_{m\ge1}f(T_m)q^m\in\overline{\mathbb{Z}/\ell^n\mathbb{Z}}[[q]]$.
(b) As $\mathbb{T}$ is a finitely generated (and free) $\mathbb{Z}$-module, every weak eigenform $f$ can be factored as $\mathbb{T}\to\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})\to\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ for a suitable $\ell$-adic field $K$.
(c) Let $f:\mathbb{T}\xrightarrow{\phi}\overline{\mathbb{Z}}\xrightarrow{\pi_n}\overline{\mathbb{Z}/\ell^n\mathbb{Z}}$ be a strong Hecke eigenform modulo $\ell^n$. The kernel of $\phi$ is a minimal prime ideal $\mathfrak{p}$ of $\mathbb{T}$. As such, it corresponds to a $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy class of holomorphic Hecke eigenforms, since $L:=\mathrm{Frac}(\mathbb{T}/\mathfrak{p})\subseteq\overline{\mathbb{Q}}$ is a number field (recall that $\mathbb{T}$ is a finitely generated free $\mathbb{Z}$-module) and $\mathfrak{p}$ is the kernel of the ring homomorphism
$$\mathbb{T}\twoheadrightarrow\mathbb{T}/\mathfrak{p}\subset L\hookrightarrow\overline{\mathbb{Q}}\subset\mathbb{C},\qquad T_m\mapsto a_m,$$
which corresponds to the normalised holomorphic eigenform $\sum_{m\ge1}a_me^{2\pi imz}$ and depends on the choice of the embedding $L\hookrightarrow\overline{\mathbb{Q}}$. Hence, the notion of strong Hecke eigenform modulo $\ell^n$ implies that the form $f$ is the reduction of a holomorphic Hecke eigenform modulo $\ell^n$.
(d) For $n=1$, the notions of weak and strong Hecke eigenform agree. The reason is that the kernel of $f:\mathbb{T}\to\overline{\mathbb{F}}_\ell$ is a maximal ideal, since the image of $f$ is a (finite) field. Every maximal ideal of $\mathbb{T}$ contains a minimal prime ideal $\mathfrak{p}$ and, hence, $f$ factors as $\mathbb{T}\to\mathbb{T}/\mathfrak{p}\to\overline{\mathbb{Z}}\to\overline{\mathbb{Z}}_\ell\twoheadrightarrow\overline{\mathbb{F}}_\ell$.
(e) Weak Hecke eigenforms need not be strong Hecke eigenforms in general. See, for instance, Section 4.2.
(f) Let $R$ be any ring. Since $\mathrm{Hom}_\mathbb{Z}(\mathbb{T},\mathbb{Z})\otimes_\mathbb{Z}R\cong\mathrm{Hom}_\mathbb{Z}(\mathbb{T},R)$ due to the freeness of $\mathbb{T}$ as a finitely generated $\mathbb{Z}$-module, and since $\mathrm{Hom}_\mathbb{Z}(\mathbb{T},\mathbb{Z})$ can be identified with the holomorphic modular forms having integral Fourier expansions, any homomorphism $f:\mathbb{T}\to R$ (e.g. a weak or strong eigenform) can be seen as an $R$-linear combination of holomorphic modular forms (which are not necessarily eigenforms).
(g) Another issue concerns the absence of a good Galois theory for the extensions of $\mathbb{Z}/\ell^n\mathbb{Z}$ discussed in Section 2: Let $K$ be an $\ell$-adic field. Not every ring homomorphism $\mathcal{O}_K\to\mathcal{O}_K/(\pi_K^m)$ comes from a field homomorphism $K\to K$. Suppose, for example, that $\mathcal{O}_K=\mathbb{Z}_\ell[X]/(P(X))$ is the ring of integers of a ramified extension of $\mathbb{Q}_\ell$. If $\alpha$ is a root of $P$ and if $m$ is big enough, then $\alpha+\pi_K^{m-1}$ is not a root of $P$, but nevertheless $P(\alpha+\pi_K^{m-1})\in(\pi_K^m)$, whence sending $\alpha$ to $\alpha+\pi_K^{m-1}$ uniquely defines a ring homomorphism $\mathcal{O}_K\to\mathcal{O}_K/(\pi_K^m)$,

which does not lift to a field automorphism $K\to K$. Hence, a strong Hecke eigenform modulo $\ell^n$ can give rise to many weak Hecke eigenforms modulo $\ell^n$.
(h) Finally, we would like to point out a connection, as suggested by one of the referees, between the congruence number and the congruence exponent of modular abelian varieties defined in the paper [ARS] by Agashe, Ribet and Stein and our notions. Let $J$ be the Jacobian (over $\mathbb{Q}$) of some modular curve (say, $X_0(N)$) and $A,B$ abelian subvarieties of $J$ such that $J=A+B$ and $A\cap B$ is finite. For the moment, let $\mathbb{T}$ be the Hecke algebra of $J$, i.e. the subring of the endomorphism ring of $J$ generated by all Hecke operators. Denote by $\mathbb{T}_A$ and $\mathbb{T}_B$ the Hecke algebras of $A$ and $B$, respectively. The natural map $\phi:\mathbb{T}\to\mathbb{T}_A\oplus\mathbb{T}_B$ given by sending an operator $T$ to its restrictions to $A$ and $B$ is injective due to the condition $J=A+B$. Thus, we can view $\mathbb{T}$ as an abelian subgroup of $\mathbb{T}_A\oplus\mathbb{T}_B$, which has finite index, since $A\cap B$ is finite. Agashe, Ribet and Stein define the congruence exponent (and the congruence number) of $A$ as the exponent (the number of elements) of the abelian group $(\mathbb{T}_A\oplus\mathbb{T}_B)/\mathbb{T}$. Note that the definition also depends on $B$.

Now we establish the connection to our set-up. The Hecke algebra $\mathbb{T}$ is known to be isomorphic to the Hecke algebra $\mathbb{T}_2(\Gamma_0(N))$. Applying the functor $\mathrm{Hom}_\mathbb{Z}(\cdot,\mathbb{Z}/\ell^n\mathbb{Z})$, we obtain the exact sequence
$$0\to\mathrm{Hom}_\mathbb{Z}\big((\mathbb{T}_A\oplus\mathbb{T}_B)/\mathbb{T},\mathbb{Z}/\ell^n\mathbb{Z}\big)\xrightarrow{\alpha}\mathrm{Hom}_\mathbb{Z}(\mathbb{T}_A,\mathbb{Z}/\ell^n\mathbb{Z})\oplus\mathrm{Hom}_\mathbb{Z}(\mathbb{T}_B,\mathbb{Z}/\ell^n\mathbb{Z})\xrightarrow{\beta}\mathrm{Hom}_\mathbb{Z}(\mathbb{T},\mathbb{Z}/\ell^n\mathbb{Z}).$$
Note that the term on the right is precisely the group of weight $2$ modular forms modulo $\ell^n$ on $\Gamma_0(N)$ in our definition. Let us now take two normalised newforms $f$ and $g$ in $S_2(\Gamma_0(N))$ in distinct Galois conjugacy classes such that $f$ corresponds to a ring homomorphism $f:\mathbb{T}_A\to\mathbb{C}$ and $g$ to $g:\mathbb{T}_B\to\mathbb{C}$. This is the case, for instance, if $A=(J/I_fJ)^\vee$ and $B=I_fJ$, where $I_f$ is the kernel of the ring homomorphism $\mathbb{T}\to\mathbb{C}$ belonging to $f$. Assume that $f$ and $g$ are congruent modulo $\ell^n$. This means by definition that $(f,-g)$ (taken modulo $\ell^n$) is in the kernel of $\beta$. We analyse the element $\psi\in\mathrm{Hom}_\mathbb{Z}((\mathbb{T}_A\oplus\mathbb{T}_B)/\mathbb{T},\mathbb{Z}/\ell^n\mathbb{Z})$ such that $\alpha(\psi)=(f,-g)$. It satisfies $\psi((T_1,0)+\mathbb{T})=f(T_1)-g(0)=1$, since $f$ is normalised. Consequently, $\psi$ is surjective onto $\mathbb{Z}/\ell^n\mathbb{Z}$. Hence, $(\mathbb{T}_A\oplus\mathbb{T}_B)/\mathbb{T}$ contains an element of order $\ell^n$. We conclude that $\ell^n$ divides the congruence exponent of $A$ (and, of course, also the congruence number).

3.2. Galois representations modulo $\ell^n$. We are interested in congruences modulo $\ell^n$ (in the sense of Section 2) between $2$-dimensional $\ell$-adic Galois representations ($i=1,2$)
$$\rho_i:\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})\to\mathrm{GL}_2(\mathcal{O}_{K_i}),$$
i.e. $\mathcal{O}_{K_i}$ is the ring of integers of an $\ell$-adic field. For that let $K$ be an $\ell$-adic field containing $K_1$ and $K_2$. We study the reductions of the representations modulo $\ell^n$:

$$\rho_i^{(n)}:\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})\to\mathrm{GL}_2(\mathcal{O}_K)\xrightarrow{\text{nat. proj.}}\mathrm{GL}_2\big(\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})\big).$$

Definition 3.3. The representations $\rho_1$ and $\rho_2$ are called congruent modulo $\ell^n$ if $\rho_1^{(n)}$ and $\rho_2^{(n)}$ are isomorphic as $\big(\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})\big)[\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})]$-modules.


Remark 3.4. The insistence on taking the natural projection is owed to the fact that there may be 'too many' maps $\mathcal{O}_K\to\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})$, as mentioned in Remark 3.2 (g).

Theorem 3.5. If the $\rho_i$ are residually absolutely irreducible, then they are congruent modulo $\ell^n$ if and only if the traces of Frobenius elements agree, i.e.
$$\mathrm{Tr}(\rho_1^{(n)}(\mathrm{Frob}_p))=\mathrm{Tr}(\rho_2^{(n)}(\mathrm{Frob}_p)),$$
at a dense set of primes $p$.

Proof. Chebotarev's Theorem applied to the Proposition in [M2], p. 253. □

Subject to a fixed choice of a field embedding $\overline{\mathbb{Q}}\hookrightarrow\overline{\mathbb{Q}}_\ell$, to a normalised holomorphic eigenform $f=\sum a_mq^m\in S_k(\Gamma_0(N))$ one can attach an $\ell$-adic Galois representation $\rho_{f,\ell}:\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})\to\mathrm{GL}_2(K)$ with some (suitably large) $\ell$-adic field $K$. This Galois representation has the properties that it is unramified outside $\ell$ and the level of $f$, and that the trace of $\mathrm{Frob}_p$ is equal to $a_p$ at all unramified primes $p$.

Proposition 3.6. Any weak or strong eigenform $f:\mathbb{T}\to\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})$ of level $N$ and weight $k$ has an attached residual Galois representation $\overline{\rho}_{f,\ell}$. If $\overline{\rho}_{f,\ell}$ is absolutely irreducible, $f$ gives rise to a Galois representation
$$\rho_{f,\ell}^{(n)}:\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})\to\mathrm{GL}_2\big(\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})\big)$$
which is unramified outside $N\ell$ and satisfies for every $p\nmid N\ell$
$$\mathrm{Tr}(\rho_{f,\ell}^{(n)}(\mathrm{Frob}_p))=a_p\quad\text{and}\quad\det(\rho_{f,\ell}^{(n)}(\mathrm{Frob}_p))=p^{k-1},$$
where we write $a_p$ for the $p$-th coefficient of $f$, i.e. $a_p=f(T_p)$.

Proof. Any weak modular form modulo $\ell^n$ gives rise to a strong modular form modulo $\ell$ by reduction, and hence we dispose of $\overline{\rho}_{f,\ell}$. If the residual representation is absolutely irreducible, Theorem 3 (p. 225) from [C] implies the existence of a Galois representation
$$\rho:\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})\to\mathrm{GL}_2(\mathbb{T}\otimes_\mathbb{Z}\mathbb{Z}_\ell)$$
with the desired properties. Note that $f$ factors as $\mathbb{T}\to\mathbb{T}\otimes_\mathbb{Z}\mathbb{Z}_\ell\xrightarrow{f_1}\mathcal{O}_K/(\pi_K^{\gamma_{K/\mathbb{Q}_\ell}(n)})$. It hence suffices to compose $\rho$ with the natural map coming from $f_1$. □

3.3. Sturm bound modulo $\ell^n$. If two Galois representations $\rho_i^{(n)}$ ($i=1,2$) as in the previous subsection come from weak or strong modular forms modulo $\ell^n$, then one can decide whether they are equivalent by comparing only finitely many coefficients, since one disposes of an effective bound for the two modular forms modulo $\ell^n$ to be equal. Such a bound is given by the Sturm bound ([St]).

Theorem 3.7. Let $\Gamma$ be a congruence group containing $\Gamma_1(N)$, let $k\ge1$ and let $B$ be the Sturm bound defined by
$$B:=\Big\lfloor\frac{kb}{12}-\frac{b-1}{N}\Big\rfloor,$$
where $b=[\mathrm{SL}_2(\mathbb{Z}):\Gamma]$. The Hecke algebra $\mathbb{T}$ acting on the space $S_k(\Gamma)$ is generated as a $\mathbb{Z}$-module by the Hecke operators $T_n$ for $1\le n\le B$. Moreover, for $\Gamma=\Gamma_0(N)$ the algebra $\mathbb{T}$ is generated as a $\mathbb{Z}$-algebra by the $T_p$ for the primes $p\le B$.

Proof. Theorem 9.23 and Remark 9.24 from [S]. □

XAVIER TAIXÉS I VENTOSA AND GABOR WIESE

Theorem 3.8. Let $f, g : \mathbb{T} \to \mathcal{O}_K/(\pi_K^{\gamma(n)})$ be two weak or strong Hecke eigenforms modulo $\ell^n$ on $\Gamma_0(N)$ for some weight $k$. Let $b = [\mathrm{SL}_2(\mathbb{Z}) : \Gamma_0(N)]$. If for all primes
$$p \le \frac{kb}{12} - \frac{b-1}{N}$$
we have $f(T_p) = g(T_p)$ (i.e. "$a_p(f) \equiv a_p(g) \bmod \ell^n$"), then $f$ is equal to $g$ as a Hecke eigenform modulo $\ell^n$.

Proof. Since for $\Gamma = \Gamma_0(N)$ the algebra $\mathbb{T}$ is generated as a $\mathbb{Z}$-algebra by the Hecke operators $T_p$ for the primes $p \le B$ (Theorem 3.7), $f$ and $g$ are uniquely determined by their values at $T_p$ for primes $p \le B$. □

Remark 3.9. The Sturm bound can easily be extended to modular forms with nebentype, see e.g. [S], Corollary 9.20. We mention that in [CKR] the Sturm bound is proved by other means and is also extended to the situation when the two modular forms have different weights. It is also useful to remark that the Sturm bound for modular forms modulo $\ell^n$ is a direct consequence of the Sturm bound for modular forms over $\mathbb{F}_\ell$ and Nakayama's Lemma: if $\mathbb{T} \otimes_{\mathbb{Z}} \mathbb{F}_\ell$ is generated as an $\mathbb{F}_\ell$-vector space by the Hecke operators $T_1, \dots, T_B$, then $\mathbb{T} \otimes_{\mathbb{Z}} \mathbb{Z}/\ell^n\mathbb{Z}$ is generated as a $\mathbb{Z}/\ell^n\mathbb{Z}$-module by $T_1, \dots, T_B$, too.

3.4. Application of degeneracy maps. Theorem 3.8 gives a criterion for the Galois representations attached to two Hecke eigenforms $f \in S_k(\Gamma_0(N))$ and $g \in S_k(\Gamma_0(Nm))$ to be congruent modulo $\ell^n$ (under the assumption that the representations are residually irreducible). However, most of the time when studying congruences of Galois representations attached to modular forms $f$ and $g$, the assumptions of Theorem 3.8 will not be fulfilled, as $f$ and $g$ will typically differ at some prime dividing one of the levels. Hence, we now propose a stronger criterion. In order to formulate it, we introduce some straightforward notation.

Definition 3.10. Let $R$ be a commutative ring (in the sequel, either $R = \mathbb{C}$, $R = \mathbb{Z}$ or $R$ is an extension of $\mathbb{Z}/\ell^n\mathbb{Z}$ as in Section 2) and $d \in \mathbb{N}$. Let $N, m, n \in \mathbb{N}$. The degeneracy map for a positive divisor $d$ of $m$ is defined to be the map
$$\phi_d : \mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(N)), R) \to \mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(Nm)), R)$$
which sends $f \in \mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(N)), R)$ to the element of $\mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(Nm)), R)$ that maps $T_n$ to $f(T_{n/d})$ if $d$ divides $n$, and to $0$ otherwise. Let $f : \mathbb{T}_k(\Gamma_0(N)) \to R$ be a modular form over $R$. The old space of $f$ over $R$ in level $Nm$ is defined as the $R$-span of the images of $f$ under the degeneracy maps for each positive $d \mid m$ inside $\mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(Nm)), R)$.

On $q$-expansions, the degeneracy map for $d$ corresponds to the $R$-module endomorphism of $R[[q]]$ given by $q \mapsto q^d$. The degeneracy map $\phi_d$ is well defined for $R = \mathbb{Z}$ by the classical theory of modular forms (via the identification of $\mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(N)), \mathbb{Z})$ with those holomorphic cusp forms in $S_k(\Gamma_0(N))$ having integral Fourier expansions), and, due to the isomorphism $\mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(N)), \mathbb{Z}) \otimes_{\mathbb{Z}} R \cong \mathrm{Hom}_{\mathbb{Z}}(\mathbb{T}_k(\Gamma_0(N)), R)$, it is well defined for all rings $R$.

CONGRUENCES OF MODULAR FORMS MODULO PRIME POWERS

Proposition 3.11. Let $f$ and $g$ be weak Hecke eigenforms modulo $\ell^n$ of weight $k$ for $\Gamma_0(N)$ and $\Gamma_0(Nm)$, respectively, and assume that their residual Galois representations are absolutely irreducible. Then the Galois representations modulo $\ell^n$ attached to $f$ and $g$ are isomorphic if there is a weak Hecke eigenform $\tilde f$ modulo $\ell^n$ in the oldspace of $f$ modulo $\ell^n$ in level $Nm$ such that $g(T_p) = \tilde f(T_p)$ (i.e. "$a_p(g) \equiv a_p(\tilde f) \bmod \ell^n$") for the primes $p$ up to the Sturm bound for weight $k$ and $\Gamma_0(Nm)$.

Proof. The assumptions imply that the equality $g(T_p) = f(T_p)$ holds for all primes $p$ except possibly those with $p$ dividing $m$. Hence, we can conclude by Theorem 3.5. □

Proposition 3.11 gives rise to a straightforward algorithm (see Section 3.5), since the characteristic polynomials of the Hecke operators at $p \mid m$ on the oldspace of $f$ can be described explicitly as follows. Let $f \in S_k(\Gamma_0(N))$ and $g \in S_k(\Gamma_0(Nm))$ be Hecke eigenforms. Suppose that $r$ is the maximum exponent such that $p^r \mid m$. Then $T_p$ acts on the old space of $f$ in level $p^r N$ as the $(r+1) \times (r+1)$ matrix
$$\tilde T_p = \begin{pmatrix} a_p(f) & 1 & 0 & 0 & \cdots & 0 \\ -\delta p^{k-1} & 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & & \ddots & \vdots \\ 0 & \cdots & 0 & 0 & 0 & 1 \\ 0 & \cdots & 0 & 0 & 0 & 0 \end{pmatrix} \qquad (3.1)$$
where $\delta = 0$ if $p \mid N$ and $\delta = 1$ otherwise (see [W1]).

Let $[f]$ be the $\mathbb{Z}$-span of the $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy class of $f$; say that its rank is $d$. The operator $T_p$ acts on the image of $[f]$ in level $mN$ as the $d(r+1) \times d(r+1)$ matrix resulting from (3.1) in which we substitute every $0$ by the $d \times d$ zero matrix $0_d$, $1$ becomes the $d \times d$ identity $1_d$, the entry $a_p(f)$ is replaced by the $d \times d$ matrix of the Hecke operator $T_p$ on $[f]$, and $\delta$ is either $0_d$ or $1_d$. Since all the elements below the diagonal are $0$ for all the blocks under the second line of blocks, we know that the characteristic polynomial of this big matrix will be the product of $X^{d(r-1)}$ and the characteristic polynomial of the block matrix
$$\begin{pmatrix} T_p & 1_d \\ -\delta p^{k-1} \cdot 1_d & 0_d \end{pmatrix}. \qquad (3.2)$$
We now compute the characteristic polynomial of (3.2). Let $P_{f,p} = \sum_{i=0}^{d} c_i X^i = \prod_{j=1}^{d} (X - a_j)$ be the characteristic polynomial of the upper left block, where the $a_j$ lie in some algebraic closure. With two polynomial variables $\tilde X, \tilde Y$ we hence have $\prod_j (\tilde X - a_j \tilde Y) = \sum_i c_i \tilde X^i \tilde Y^{d-i}$. We now plug in $\tilde X = X^2 + \delta p^{k-1}$ and $\tilde Y = X$ and obtain
$$\prod_{j=1}^{d} (X^2 - a_j X + \delta p^{k-1}) = \sum_{i=0}^{d} c_i X^{d-i} (X^2 + \delta p^{k-1})^i.$$
By taking the Jordan normal form (over an algebraic closure) and rearranging the matrix, we see that this is the characteristic polynomial of (3.2). Hence, the

characteristic polynomial $\tilde P_{f,p}$ of (3.1) is
$$\tilde P_{f,p} = \sum_{i=0}^{d} c_i X^{dr-i} (X^2 + \delta p^{k-1})^i, \qquad (3.3)$$
which can be computed very quickly from $P_{f,p}$. Let us remark that, if $p \mid N$, this polynomial is simply $X^{dr} \cdot P_{f,p}$ and, if $p \nmid N$ and $d = 1$, then $\tilde P_{f,p}$ is $X^{r-1}$ times the characteristic polynomial of the $p$-Frobenius element.

Remark 3.12. (a) It appears worthwhile to investigate the existence of a partial converse to Proposition 3.11. A true converse cannot hold if $f$ is in the lowest possible level, since it is easy to construct a counter example if $n = 1$, $k = 2$ and $\ell = 2$ and there is a weight-1 form embedded into weight 2. Under certain conditions (e.g. $k < \ell$ and $\ell \nmid Nm$) a converse could conceivably exist. To illustrate the problem with a particular example, let us consider the unique Hecke eigenform $f$ modulo 2 in level $\Gamma_0(23)$ of weight one. It satisfies $a_2(f) = 1 \in \mathbb{F}_2$. It can be embedded into weight 2 for the same level in two different ways (multiplying by the Hasse invariant, which does not change the $q$-expansion, and applying the Frobenius, which sends $q$ to $q^2$). Consequently, there are two distinct Hecke eigenforms over $\mathbb{F}_2$ in weight 2 for $\Gamma_0(23)$ whose coefficients at 2 are precisely the roots of $X^2 + X + 1 \in \mathbb{F}_2[X]$. The coefficients at the other primes are equal to the coefficients of $f$, whence the attached mod 2 Galois representations are equal. Consequently, a converse to Proposition 3.11 cannot exist (since in this case $m = 1$).

(b) The trick used in [CKR] will always work for deciding whether the representations attached to $f$ and $g$ are congruent modulo $\ell^n$: by applying degeneracy maps at all primes dividing $Nm$ one can force all coefficients $a_p(f)$ and $a_p(g)$ to be congruent to zero modulo $\ell^n$ for all $p \mid Nm$. This allows the application of the Sturm bound. But usually the level, and hence the bound, will be bigger than the bound in Proposition 3.11.

(c) We mention a point which will be discussed in more detail in Section 4.3. We are mostly interested in congruences of Galois representations modulo $\ell^n$ attached to holomorphic eigenforms, hence it seems natural to stick to strong Hecke eigenforms. However, since we formulated Proposition 3.11 for weak Hecke eigenforms, we do not need to have a congruence mod $\ell^n$ of $\ell$-adic zeros at $p \mid m$; a simple equality in the residue ring is enough. Currently, in the algorithm we are not using this subtle distinction, but, as we will see in the example, it can make a difference.

3.5. Algorithm. The aim is to study the following problem algorithmically.

Problem 3.13. Let $f_1, f_2$ be newforms in levels $N_1, N_2$ and weights $k_1, k_2$. Determine a finite list of prime powers $\{\ell_1^{n_1}, \dots, \ell_r^{n_r}\}$ such that for all $i \in \{1, \dots, r\}$ the $\ell_i$-adic Galois representations attached to the modular forms $f_1$ and $f_2$ are congruent modulo $\ell_i^{n_i}$ and are incongruent modulo $\ell_i^{n_i+1}$, and for any $\ell$ distinct from all the $\ell_i$ the $\ell$-adic Galois representations of $f_1$ and $f_2$ are incongruent modulo $\ell$.

Towards this problem we employ the methods developed in Section 2. Due to its greater speed we first apply the congruence number method, which by Proposition 2.7 gives an upper bound for the possible congruences. Only if in one of the applications of Corollary 2.12 the upper bound is unequal to the lower bound do we make use of the Newton polygon method.

We hence start by computing the congruence numbers $c_p = c(P_{f_1,p}, P_{f_2,p})$ for all primes $p \nmid N_1 N_2$ up to some bound (e.g. the Sturm bound), where $P_{f_i,p}$ denotes the characteristic polynomial (in $\mathbb{Z}[X]$) of the Hecke operator $T_p$ acting on the span of the $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy class $[f_i]$ of $f_i$. Let us number the primes $p_1, p_2, \dots$. We compute a slightly modified greatest common divisor of all $c_p$, taking into account only the prime-to-$p$ part of $c_p$, because we want to disregard the coefficient $a_p$ when reducing modulo powers of $p$. More precisely, if we have two numbers $c_{p_1}$ and $c_{p_2}$, the first greatest common divisor that we compute will be
$$c = \gcd\big(c_{p_1} \cdot p_1^{v_{p_1}(c_{p_2})},\ c_{p_2} \cdot p_2^{v_{p_2}(c_{p_1})}\big).$$
Once we have one $c$ computed, we can improve it for the next $p_i$ with
$$c = \gcd\big(c_{p_i} \cdot p_i^{v_{p_i}(c)},\ c\big).$$
The significance of the number $c$ is that it gives an upper bound for Problem 3.13: if a prime power $\ell^n$ does not divide $c$, then there cannot exist any congruence modulo $\ell^n$ between the $\ell$-adic Galois representations attached to $f_1$ and $f_2$. Our approach to a solution of Problem 3.13 is based on Theorem 3.8 and Proposition 3.11 in order to obtain a lower bound, which in favourable cases equals the upper bound $c$. However, whether we use the congruence number method or the Newton polygon method for computing congruences between zeros of the characteristic polynomials of the Hecke operators, we have to assume the following hypothesis, which, roughly speaking, says that it is no loss to work with $P_{f,p}$ instead of with its roots.

Hypothesis 3.14. Let $f_1$ and $f_2$ be two newforms and $n \in \mathbb{N}$. Suppose that for all primes $p$ there are embeddings $\sigma_{i,p} : K \hookrightarrow \overline{\mathbb{Q}}_\ell$ ($i = 1, 2$) such that
$$\sigma_{1,p}(a_p(f_1)) \equiv \sigma_{2,p}(a_p(f_2)) \bmod \ell^n.$$
Then there are embeddings $\sigma_1, \sigma_2$ such that $\sigma_1(f_1) \equiv \sigma_2(f_2) \bmod \ell^n$.

An equivalent formulation is the following: if $P_{f_1,p}$ and $P_{f_2,p}$ have roots congruent modulo $\ell^n$ (in the sense of Section 2) for all $p$, then there are members $\tilde f_i$ in the $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy class of $f_i$ for $i = 1, 2$ such that $\tilde f_1$ is congruent to $\tilde f_2$ modulo $\ell^n$. In the sequel we shall assume this hypothesis to be satisfied. Note that by using characteristic polynomials of Hecke operators we lose track of which form in the $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy class really satisfies a congruence. By abuse of language we will nevertheless speak of a congruence between $\rho_{f,\ell}$ and $\rho_{g,\ell}$ modulo $\ell^n$ when indeed we only have a congruence of $\rho_{\tilde f,\ell}$ and $\rho_{\tilde g,\ell}$ for some members $\tilde f$ and $\tilde g$ of the conjugacy classes of $f$ and $g$, respectively. We now sketch our algorithm for treating Problem 3.13.

Input: $f \in S_k(\Gamma_0(N_f))$ and $g \in S_k(\Gamma_0(N_g))$, two normalised eigenforms.
Output: $(L^-, L^+)$ (for an explanation see below).

• (Upper bound) For every prime $p \nmid N_f N_g$ up to the Sturm bound $B$ (see Theorem 3.7), we compute the congruence number $c_p = c(P_{f,p}, P_{g,p})$ and we calculate $L^+ = \gcd_{p \le B}(c_p)$ with the modified greatest common divisor described above. We recall that $P_{f,p}$ denotes the characteristic polynomial of the Hecke operator $T_p$ acting on the span $[f]$ of the Galois conjugacy class of $f$, which can for instance be obtained as the characteristic polynomial of the action of $T_p$ on a suitable modular symbols space.


• For every $\ell \mid L^+$, we compute $L^-_{1,\ell} = \min_{p \le B}(\ell^{d_p})$, where $\ell^{d_p}$ is the maximal power of $\ell$ modulo which $P_{f,p}$ and $P_{g,p}$ have a root in common. This number is obtained from the congruence number method if the value returned by it is best possible, i.e. if we are in case (c) or (b) of Corollary 2.12. Otherwise, the Newton polygon method is employed. We then form the product $L^-_1 = \prod_{\ell \mid L^+} L^-_{1,\ell}$.
• Suppose for this step that $N_g = m N_f$ and that $\rho_{f,\ell}$ and $\rho_{g,\ell}$ are absolutely irreducible. Then, for every $\ell \mid L^+$ such that $v_\ell(L^+) \ne v_\ell(L^-_1)$, we compute $L^-_{2,\ell} = \min_{p \le B}(\ell^{\tilde d_p})$ as follows: if $p \nmid m$, then we put $\tilde d_p = d_p$; if $p \mid m$, we let $\ell^{\tilde d_p}$ be the maximal power of $\ell$ modulo which $\tilde P_{f,p}$ and $P_{g,p}$ have a root in common, with $\tilde P_{f,p}$ as in Equation (3.3). This number is again calculated by the congruence number method or the Newton polygon method as in the previous step. Again we compute $L^-_2 = \prod_{\ell \mid L^+} L^-_{2,\ell}$.
• We compute $L^- = \prod_{\ell \mid L^+} \max(L^-_{1,\ell}, L^-_{2,\ell})$.
• Return $(L^-, L^+)$.

Proposition 2.7 ensures that $L^+$ is an upper bound, i.e. that $\rho_{f,\ell}$ and $\rho_{g,\ell}$ are incongruent modulo $\ell^m$ (more precisely, this holds for any members of the conjugacy classes of $f$ and $g$) if $\ell^m \nmid L^+$. Theorem 3.8 guarantees that $L^-_1$ is a lower bound (under Hypothesis 3.14), meaning that under the hypothesis $\rho_{f,\ell}$ and $\rho_{g,\ell}$ are congruent modulo $\ell^n$ if $\ell^n \mid L^-_1$ (with the slight abuse of language pointed out above). The lower bound $L^-_1$ will in general be very bad (e.g. $1$) due to the Hecke operators $T_p$ for $p \mid m$ (in the situation of the third step). This is taken care of in the third step, and Proposition 3.11 tells us that $L^-_2$ is a lower bound in the same sense as before (still under Hypothesis 3.14). Consequently, $L^-$ is a lower bound under Hypothesis 3.14.

Remark 3.15. We point out that this algorithm might miss a congruence modulo $\ell^n$ due to the Hecke operator $T_\ell$. Hence, one might want to exclude the operators $T_\ell$ in all the steps. Then, however, we do not have the congruence of $g$ with an oldform of $f$ (as in Proposition 3.11); hence, the congruence of the Galois representations suggested by the output of the algorithm will not be a proved result even under Hypothesis 3.14 (but the correct one in most cases).
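The two polynomial computations the algorithm of Section 3.5 is built from, as an added Python example that is not from the paper or its Magma implementation: Equation (3.3) for $\tilde P_{f,p}$, and the modified greatest common divisor of the congruence numbers $c_p$ that yields $L^+$ in the first step (the third step then feeds $\tilde P_{f,p}$ into the same congruence number). It assumes that $c(P, Q)$ of Section 2 is $|\mathrm{Res}(P, Q)|$, which agrees with the linear cases $c(X+12, X-60) = 72$ and $c(X+12, X+60) = 48$ of Section 4.5; the sample characteristic polynomials are constructed.

```python
from fractions import Fraction
from math import gcd

# Polynomials are lists of integer coefficients, lowest degree first.


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_add(a, b):
    n = max(len(a), len(b))
    return [(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)]


def determinant(rows):
    """Exact determinant by Gaussian elimination over the rationals."""
    m = [[Fraction(x) for x in r] for r in rows]
    n, det = len(m), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            det = -det
        det *= m[c][c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [m[r][k] - f * m[c][k] for k in range(n)]
    return int(det)


def congruence_number(p, q):
    """c(P, Q), ASSUMED here to be |Res(P, Q)| (Sylvester determinant).
    For linear P, Q this is |a - b|, e.g. c(X+12, X-60) = 72 (Section 4.5)."""
    dp, dq = len(p) - 1, len(q) - 1
    if dp == 0 or dq == 0:                       # one factor is a constant
        return abs(p[0] ** dq if dp == 0 else q[0] ** dp)
    size = dp + dq
    ph, qh = p[::-1], q[::-1]                    # highest degree first
    rows = [[0] * i + ph + [0] * (size - dp - 1 - i) for i in range(dq)]
    rows += [[0] * i + qh + [0] * (size - dq - 1 - i) for i in range(dp)]
    return abs(determinant(rows))


def valuation(n, p):
    """v_p(n) for a non-zero integer n."""
    v, n = 0, abs(n)
    while n % p == 0:
        n //= p
        v += 1
    return v


def modified_gcd(cps):
    """The gcd of Section 3.5 that ignores the p-part of each c_p:
    c = gcd(c_{p1} p1^{v_{p1}(c_{p2})}, c_{p2} p2^{v_{p2}(c_{p1})}), then
    c = gcd(c_{pi} pi^{v_{pi}(c)}, c) for every further prime.  Needs at
    least two primes and non-zero c_p (coprime characteristic polynomials)."""
    (p1, c1), (p2, c2), *rest = sorted(cps.items())
    c = gcd(c1 * p1 ** valuation(c2, p1), c2 * p2 ** valuation(c1, p2))
    for p, cp in rest:
        c = gcd(cp * p ** valuation(c, p), c)
    return c


def upper_bound(pf, pg):
    """L^+ of the first step: pf[p], pg[p] are P_{f,p}, P_{g,p}, the
    characteristic polynomials of T_p on [f] and [g] (p not dividing the levels)."""
    return modified_gcd({p: congruence_number(pf[p], pg[p]) for p in pf})


def oldspace_charpoly(P, p, k, r, p_divides_N):
    """Equation (3.3): P~_{f,p} = sum_i c_i X^{dr-i} (X^2 + delta p^{k-1})^i,
    the characteristic polynomial of T_p on the oldspace of f in level p^r N,
    where P = sum_i c_i X^i is P_{f,p} and delta = 0 exactly when p | N."""
    d = len(P) - 1
    delta = 0 if p_divides_N else 1
    base = [delta * p ** (k - 1), 0, 1]          # X^2 + delta p^{k-1}
    power, out = [1], [0]                        # power = base^i, out = running sum
    for i, ci in enumerate(P):
        out = poly_add(out, poly_mul([0] * (d * r - i) + [ci], power))
        power = poly_mul(power, base)
    return out


# Constructed sample (not from the paper): f with d = 2 and g with d = 1 at the
# primes 2, 3, 5, 7, none of which is assumed to divide the levels.  The
# congruence numbers are c_2 = c_3 = 7, c_5 = 14, c_7 = 2: the plain gcd is 1,
# but the 7-part of c_7 is disregarded, so upper_bound() returns L^+ = 7.
SAMPLE_PF = {2: [-2, 0, 1], 3: [3, 0, 1], 5: [-11, 0, 1], 7: [-2, 0, 1]}
SAMPLE_PG = {2: [-3, 1], 3: [-2, 1], 5: [5, 1], 7: [-2, 1]}
```

For the third step at a prime $p \mid m$ one calls `congruence_number(oldspace_charpoly(P_f, p, k, r, False), P_g)`; with the sample data at $p = 3$, $k = 2$, $r = 1$ this compares $X^4 + 4X^2 + 9$ with $P_{g,3}$.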

4. Examples and numerical data. In this section we present some cases which were computed using the algorithm described above and which we consider interesting. Several more examples can be found in [T]. For our calculations we used the computer algebra system Magma ([Magma]).

4.1. Examples of congruences in the same level. We computed all congruences between modular forms of weight 2 and the same level up to level 2000. In Table 1, $(N_j, i_j)$ means the $i_j$-th form in level $N_j$ for $j = 1, 2$ (according to an internal ordering in Magma), where in these cases we have $N_1 = N_2$. In all these cases, we found $L^- = L^+$, so that under Hypothesis 3.14 we obtained all congruences.
• The biggest exponents that we found appear in $2^7$ and $2^5$.
• For $n = 4$, we find some congruences modulo $3^4$ (also modulo $2^4$).
• For $n = 3$, the primes $\ell = 5$ and $\ell = 7$ appear.


  N1   i1    N2   i2   lower bound      upper bound
1479   16  1479    8   2^7              2^7
1027    2  1027    1   2^5              2^5
 602    8   602    7   2^5              2^5
1454    7  1454    1   3^4              3^4
1171    4  1171    2   3^4              3^4
1147    6  1147    5   7^3              7^3
1726    6  1726    3   5^3              5^3
1629    4  1629    3   5^3              5^3
 613    2   613    1   7 · 47^2         7 · 47^2
1939    4  1939    2   37^2 · 4423      37^2 · 4423
1906    5  1906    3   19^2             19^2
1763    8  1763    5   3 · 13^2         3 · 13^2
1761    8  1761    7   2 · 8581981      2 · 8581981
1241    2  1241    1   1933 · 8713      1933 · 8713
  71    2    71    1   2 · 3^2          2 · 3^2
 109    3   109    1   2^2              2^2
 155    4   155    2   2^4              2^4
 233    3   233    1   3^3              3^3
 785    2   785    1   7^3              7^3
1073    6  1073    3   2 · 17^2         2 · 17^2
1481    3  1481    1   5^2 · 2833       5^2 · 2833

Table 1. Extract from the computational results.

• For $n = 2$ we already have many different primes, $47^2$ being the biggest square of a prime that we found.
• For $n = 1$ we just listed some of the biggest congruences that we found. $2 \cdot 8581981 = 17163962$ and $1933 \cdot 8713 = 16842229$ are just two examples of congruences, but in this case we had several primes to choose from.

4.2. Simple example for strong ≠ weak. We now analyse the example with the smallest level in the above table more thoroughly. On $\Gamma_0(71)$ there are two $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy classes of newforms in weight 2. The coefficient fields of both of them are isomorphic; they have degree 3, discriminant 257 and are non-Galois. The prime 3 factors into two prime ideals $\mathfrak{P}_1$ and $\mathfrak{P}_2$ of residue degrees 1 and 2. This means that each of the two $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy classes gives us precisely one strong Hecke eigenform $f_i$ modulo $3^n$ with coefficients in $\mathbb{Z}/3^n\mathbb{Z}$ for $i = 1, 2$; the others taken modulo 3 have coefficients in $\mathbb{F}_9$. We compute that $f_1$ and $f_2$ are congruent modulo 9, but incongruent modulo 27. Let $\mathbb{T} \subset \mathrm{End}_{\mathbb{C}}(S_2(\Gamma_0(71)))$ be the Hecke algebra, i.e. the subring generated by the Hecke operators. The above discussion shows that there is a maximal ideal $\mathfrak{m}$ of $\hat{\mathbb{T}} := \mathbb{T} \otimes_{\mathbb{Z}} \mathbb{Z}_3$ such that the localisation $\hat{\mathbb{T}}_{\mathfrak{m}}$ has two minimal prime ideals, corresponding to the two strong Hecke eigenforms $f_1$ and $f_2$. A computer calculation yields that $\hat{\mathbb{T}}_{\mathfrak{m}} \otimes_{\mathbb{Z}_3} \mathbb{Z}/9\mathbb{Z} \cong \mathbb{Z}/9\mathbb{Z}[X]/(X^2)$. Thus, we have three weak Hecke eigenforms modulo 9 coming from $\hat{\mathbb{T}}_{\mathfrak{m}}$, namely
$$\hat{\mathbb{T}}_{\mathfrak{m}} \twoheadrightarrow \hat{\mathbb{T}}_{\mathfrak{m}} \otimes_{\mathbb{Z}_3} \mathbb{Z}/9\mathbb{Z} \cong \mathbb{Z}/9\mathbb{Z}[X]/(X^2) \xrightarrow{\ X \mapsto 0 \ \text{or}\ X \mapsto 3 \ \text{or}\ X \mapsto 6\ } \mathbb{Z}/9\mathbb{Z}.$$


Since we know that there is only one strong Hecke eigenform modulo 9, two of them cannot be strong.

4.3. Example in levels 149 and 149 · 13. On $\Gamma_0(149)$ for weight 2 there are two $\mathrm{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy classes of newforms. The degrees of the coefficient fields are 3 and 9. Let $f$ be any of the forms whose coefficient field $\mathbb{Q}_f$ has degree 9. The prime 3 is unramified in $\mathbb{Q}_f$ and there is a prime $\mathfrak{P}$ of residue degree 1 in the ring of integers $\mathcal{O}_f$ of $\mathbb{Q}_f$. Mazur's Eisenstein ideal ([M1]) shows that the residual representation $\overline{\rho}_{f,\mathfrak{P}}$ of $f$ modulo $\mathfrak{P}$ is irreducible, since 149 is a prime number and 3 does not divide $149 - 1$. We first want to determine the image of the residual representation. A quick computation of a couple of coefficients of $f$ shows that the image of $\overline{\rho}_{f,\mathfrak{P}}$ contains all possible combinations of trace and determinant. Consulting the list of subgroups of $\mathrm{GL}_2(\mathbb{F}_3)$ tells us that next to the full $\mathrm{GL}_2(\mathbb{F}_3)$ there is only one other subgroup satisfying this property. That subgroup, however, does not contain any element of order 3. Due to the semistability at 13 and 149 this group is excluded, whence the image is the full $\mathrm{GL}_2(\mathbb{F}_3)$.

There is a newform $g$ of weight 2 on $\Gamma_0(13 \cdot 149)$ and a prime ideal $\Lambda$ dividing 3 in its coefficient field such that the strong Hecke eigenform of $g$ obtained by reducing its $q$-expansion modulo $\Lambda$ is equal to the strong Hecke eigenform of $f$ modulo $\mathfrak{P}$ at all prime coefficients except at 13. In fact, our algorithm gives us a congruence modulo $3^{10}$ (in the sense defined before) at all primes up to the Sturm bound, except 13. Moreover, $3^{10}$ is also an upper bound. At the prime 13 we want to apply Proposition 3.11 (i.e. the third item of the algorithm), and we hence apply the methods from Corollary 2.12 to $P_{g,13}$ and $\tilde P_{f,13}$. However, the upper and the lower bounds we obtain with this method are $3^9$. Hence, the output of our algorithm would be a congruence modulo $3^9$ of the Galois representations attached to $f$ and $g$ as l​ower bound and $3^{10}$ as upper bound. We analyse the situation a bit more closely by hand. The polynomial $P_{g,13}$ is equal to $(X+1)^{80}$. The polynomial $\tilde P_{f,13} = Q^2$ with $Q \in \mathbb{Z}[X]$ an irreducible polynomial of degree 18. Evaluating $Q$ at $-1$ (the zero of $P_{g,13}$) gives $2^6 \cdot 3^{10} \cdot 6869$. This means that there is a weak Hecke eigenform $\tilde f$ in the oldspace of $f$ modulo $3^{10}$ such that $\tilde f(T_{13}) = -1$. Hence, Proposition 3.11 yields that $\tilde f$ and $g$ are congruent modulo $3^{10}$ as weak Hecke eigenforms. Consequently, the attached Galois representations of $f$ and $g$ are congruent modulo $3^{10}$.

We give a more formal argument for the existence of the weak Hecke eigenform modulo $3^{10}$. Let $\mathbb{T}$ be the Hecke algebra on $S_2(\Gamma_0(149 \cdot 13))$ (as $\mathbb{Z}$-algebra) and let $\mathbb{T}^{\mathrm{old}}_{[f]}$ be the Hecke algebra (as $\mathbb{Z}$-algebra) on the image of $[f]$ under the 13-degeneracy map, where as before $[f]$ denotes the span of the Galois conjugacy class of $f$. By restricting Hecke operators, we obtain a surjective ring homomorphism $\mathbb{T} \twoheadrightarrow \mathbb{T}^{\mathrm{old}}_{[f]}$. The algebra $\mathbb{T}^{\mathrm{old}}_{[f]}$ is generated by the identity matrix and $\tilde T_{13}$ (see Equation (3.1)). Since the minimal polynomial of $\tilde T_{13}$ is either $Q$ or $Q^2$, the composition
$$\mathbb{T} \twoheadrightarrow \mathbb{T}^{\mathrm{old}}_{[f]} \xrightarrow{\ \tilde T_{13} \mapsto -1\ } \mathbb{Z}/3^{10}\mathbb{Z}$$
is a well-defined ring homomorphism, i.e. the desired weak Hecke eigenform modulo $3^{10}$.

4.4. Congruences with Eisenstein series modulo $\ell^n$. Let $f \in S_2(\Gamma_0(N))$ be such that $\overline{\rho}_{f,\ell}$ is reducible (and semi-simple by definition). This means that $f$ is congruent modulo $\ell$ to an Eisenstein series in the same level and weight at almost all primes. The converse of this statement also holds. In the context of this article, it is natural to study congruences between newforms and Eisenstein series modulo $\ell^n$, and to do so via the congruence number and the Newton polygon method. By computing congruences modulo $\ell^n$ with Eisenstein series, we study up to which $n$ the representation $\rho_{f,\ell^n}$ has the same traces at the first couple of Frobenius elements at good primes as an extension of the cyclotomic character modulo $\ell^n$ by the trivial representation.

Let $f$ be a newform of weight $k$ and level $N$. We implemented an algorithm which, for all primes $p \nmid N$ up to the Sturm bound, computes the maximal prime powers modulo which $P_{f,p}$ (as before, this is the characteristic polynomial of $T_p$ acting on $[f]$) and the characteristic polynomial of $T_p$ acting on the Eisenstein subspace in the given level and weight have a root in common. We then proceed as earlier, obtaining an upper bound for a congruence with an Eisenstein series as well as an unproved lower bound (note that we do not take all operators into account).

A famous theorem of Mazur's ([M1]) states that in weight 2 and prime level $N$ there is a cusp form which is congruent to the Eisenstein series modulo $\ell$ at almost all primes for every $\ell$ dividing the numerator of $\frac{N-1}{12}$. One can ask in how far this theorem holds modulo $\ell^n$. It quickly turns out that a too naive generalisation is false. We propose to study the following in a subsequent paper. Let $f_1, \dots, f_r$ be all newforms in prime level $N$ and weight 2 for the trivial Dirichlet character. For $i = 1, \dots, r$ let $\ell^{n_i}$ be the highest power of $\ell$ such that $f_i$ is congruent at almost all primes to the Eisenstein series of level $N$ and weight 2 modulo $\ell^{n_i}$. Put $n := n_1 + \dots + n_r$.

Question 4.1. Is $n$ at least as big as (or even equal to) the $\ell$-valuation of the numerator of $\frac{N-1}{12}$?

4.5. Level raising modulo $\ell^n$. Let $f \in S_2(\Gamma_0(N))$ be a newform. The term level raising modulo $\ell^n$ in the simplest case refers to the problem of identifying primes $p \nmid N$ such that there is a newform $g$ in $S_2(\Gamma_0(Np))$ with the property that $f$ and $g$ are congruent modulo $\ell^n$ at almost all primes. A necessary condition for level raising of the form $f$ modulo $\ell$ at the prime $p \nmid N$, when its Galois representation is residually irreducible, is that $\ell$ divides the congruence number $c(P_{f,p}, X - (p+1))$ or the congruence number $c(P_{f,p}, X + (p+1))$. It is a famous theorem of Ribet's ([R]) that the converse also holds (modulo $\ell$).

It is natural to ask whether, or in which sense, level raising generalises to congruences modulo $\ell^n$. We start with an observation which we consider very interesting. Let $f$ be the only newform on $\Gamma_0(17)$ in weight 2 and let $p = 59$. The coefficient $a_{59}(f) = -12$, and we find that 9 divides $c(P_{f,59}, X - 60) = c(X + 12, X - 60) = 72$ and that 3 divides $c(P_{f,59}, X + 60) = c(X + 12, X + 60) = 48$. However, there does not seem to be a congruence modulo 9 of $f$ with any form in level $17 \cdot 59$. Instead, there appear to be three newforms in that level which are congruent to $f$ modulo 3 at almost all primes. Hence, we conclude that the condition that $\ell^n$ divides one of the above congruence numbers is not a sufficient one for level raising of strong Hecke eigenforms. This confirms a remark by Richard Taylor.¹

¹This remark was made in the Problem Book for the MSRI Modular Forms Summer Workshop organised by William Stein in 2006.


We propose to study the following question in a subsequent paper. Let $f \in S_2(\Gamma_0(N))$ be some newform and let $p \nmid N$ be a prime. Further, let $g_1, \dots, g_r$ be all newforms in $S_2(\Gamma_0(Np))$. For $i = 1, \dots, r$ let $\ell^{n_i}$ be the highest power of $\ell$ such that $g_i$ is congruent to $f$ modulo $\ell^{n_i}$ at almost all primes. Put $n := n_1 + \dots + n_r$ and let $c$ be the maximum integer such that $P_{f,p}$ and $X^2 - (p+1)^2$ have a root in common modulo $c$.

Question 4.2. Is $n$ equal to the $\ell$-valuation of $c$? An inequality (in a greater generality) is provided by Theorem 2 of [D].

References

[ARS] A. Agashe, K. Ribet, W. Stein. The Modular Degree, Congruence Primes and Multiplicity One, 2009, to appear in a volume in honor of Serge Lang.
[C] H. Carayol. Formes Modulaires et Représentations Galoisiennes à valeurs dans un Anneau Local complet. Contemporary Mathematics 165 (1994), 213–237.
[CKR] I. Chen, I. Kiming, J. B. Rasmussen. On Congruences mod p^m Between Eigenforms and Their Attached Galois Representations. Journal of Number Theory, in press, 2010.
[D] F. Diamond. Congruence primes for cusp forms of weight k ≥ 2, in Courbes modulaires et courbes de Shimura (Orsay, 1987/1988), Astérisque 196–197 (1991), 205–213.
[DT] L. Dieulefait, X. Taixés i Ventosa. Congruences between modular forms and lowering the level mod ℓ^n. Journal de Théorie des Nombres de Bordeaux 21 (2009), no. 1, 109–118.
[FPR] D. Ford, S. Pauli, X.-F. Roblot. A Fast Algorithm for Polynomial Factorization over Q_p. J. Théor. Nombres Bordeaux 14 (2002), no. 1, 151–169.
[M1] B. Mazur. Modular curves and the Eisenstein ideal. Inst. Hautes Études Sci. Publ. Math. No. 47 (1977), 33–186 (1978).
[M2] B. Mazur. An introduction to the deformation theory of Galois representations, in Modular Forms and Fermat's Last Theorem. Tata Institute of Fundamental Research Studies in Mathematics, Springer, New York, 1997, 243–311.
[Magma] W. Bosma, J. J. Cannon, C. Playoust. The Magma Algebra System I: The User Language. J. Symbolic Comput. 24 (1997), 235–265.
[Po] M. Pohst. A note on index divisors, in Computational number theory (Debrecen, 1989), 173–182, de Gruyter, Berlin, 1991.
[R] K. A. Ribet. Raising the levels of modular representations. Séminaire de Théorie des Nombres, Paris 1987–88, 259–271, Progr. Math., 81, Birkhäuser Boston, Boston, MA, 1990.
[S] W. Stein. Explicitly Computing with Modular Forms. Graduate Studies in Mathematics, American Math Society, 2007.
[St] J. Sturm. On the congruence of modular forms. Number theory (New York, 1984–1985), 275–280, Lecture Notes in Math., 1240, Springer, Berlin, 1987.
[T] X. Taixés i Ventosa. Theoretical and algorithmic aspects of congruences between modular Galois representations. PhD thesis, Universität Duisburg-Essen, 2009.
[W1] G. Wiese. Dihedral Galois Representations and Katz Modular Forms. Documenta Math. 9 (2004), 123–133.
[W2] G. Wiese. On modular symbols and the cohomology of Hecke triangle surfaces. International Journal of Number Theory (2009) 5(1), 89–108.

Universitat Pompeu Fabra, Departament d'Economia i Empresa, Ramon Trias Fargas 25-27, 08005 Barcelona
E-mail address: [email protected]

Universität Duisburg-Essen, Institut für Experimentelle Mathematik, Ellernstr. 29, 45326 Essen, Germany
E-mail address: [email protected]
URL: http://maths.pratum.net/


This volume contains the proceedings of the 12th conference on Arithmetic, Geometry, Cryptography and Coding Theory, held in Marseille, France from March 30 to April 3, 2009, as well as the first Geocrypt conference, held in Pointe-à-Pitre, Guadeloupe, from April 27 to May 1, 2009, and the European Science Foundation exploratory workshop on Curves, Coding Theory, and Cryptography, held in Marseille, France from March 25 to 29, 2009. The articles contained in this volume come from three related symposia organized by the group Arithmétique et Théorie de l'Information in Marseille. The topics cover arithmetic properties of curves and higher dimensional varieties with applications to codes and cryptography.
