Effective Geometry and Arithmetic of Curves: an Introduction

Effective geometry and arithmetic of curves: an introduction

Online CIMPA course

RENNESUNIVERSITY Contents

1 Presentation of the course ...... 7 1.1 Content of the course7 1.2 References7 1.3 Notation7

I Effective geometry of curves

2 Afﬁne and projective varieties: a quick review ...... 11 2.1 Afﬁne varieties 11 2.2 Projective varieties 15 2.3 Maps between projective varieties 19 2.4 Bézout theorem 21

3 Elementary properties of curves ...... 23 3.1 Uniformizers 23 3.1.1 Construction of functions with speciﬁc Laurent tails...... 24 3.2 Maps between curves 26 3.2.1 Dictionary curves/function ﬁelds...... 26 3.3 Divisors 29 3.4 Differentials 32 3.4.1 Generalities...... 32 3.4.2 Residue...... 34 4 Riemann-Roch and Riemann-Hurwitz ...... 37 4.1 Proof of Riemann-Roch theorem 37 4.1.1 Répartitions and H1(D) ...... 37 4.1.2 Dual of the space of répartitions...... 39 4.1.3 The residue map and Serre duality...... 40 4.2 Corollaries 41 4.3 Riemann-Hurwitz theorem 42

5 Description of the curves up to genus 5 ...... 45 5.1 Genus 0 case 45 5.2 Genus 1 case 46 5.3 Genus 2 case 47 5.4 Interlude: canonical map and hyperelliptic curves 48 5.5 Genus 3 case 50 5.6 Genus 4 case 50 5.7 Genus 5 and beyond 51

II Arithmetic of curves and its Jacobian over ﬁnite ﬁelds

6 Number of points of curves over ﬁnite ﬁelds ...... 55 6.1 Weil conjectures for curves 57 6.1.1 Rewriting of Z(C/k,T) ...... 58

6.1.2 δ0 = 1 ...... 59 6.1.3 Functional equation...... 60 6.1.4 Riemann hypothesis...... 60 6.2 Maximal number of points 62 6.2.1 General arguments...... 62 6.2.2 Asymptotics...... 65 6.2.3 The cases g = 1 and 2 ...... 65 6.3 Codes 66 6.3.1 Deﬁnitions...... 66 6.3.2 AG-codes...... 68 6.3.3 Modular codes...... 70

7 Jacobian of curves ...... 73 7.1 Abelian varieties: algebraic and complex point of view 74 7.2 Jacobians 78 7.3 Application to cryptography 80 7.4 Construction of curves with many points 82 7.4.1 Weil polynomial vs Frobenius characteristic polynomial...... 82 7.4.2 A construction of maximal curve of genus 3 over F2n ...... 85 III Appendices

8 Using MAGMA and some (open) problems ...... 91 8.1 Some basic tools: exercises 91 8.1.1 Wording...... 91 8.1.2 Solutions...... 93 8.2 Some (more) open exercises 95 8.2.1 Isomorphisms between hyperelliptic curves...... 95 8.2.2 Number of points on plane curves...... 95 8.2.3 Good correspondences between curves...... 95 8.2.4 Constraints on the Weil polynomial for curves...... 96 8.2.5 Codes from modular curves...... 96 8.2.6 Distribution of curves over finite fields...... 96 8.2.7 Number of points on a genus 4 curve...... 96 8.2.8 Number of points on a genus 5 curve...... 97 8.2.9 Non-special divisors on a curve over a finite field...... 97 8.3 Good models of curves of genus ≤ 5 97 8.3.1 Wordings...... 97 8.4 Isomorphisms-Automorphisms 100 8.5 Exploring the number of points of curves over finite fields 101 8.5.1 Wordings...... 101 8.5.2 Solutions...... 102

Bibliography ...... 105 Articles 105 Books 106

Index ...... 108

1. Presentation of the course

1.1 Content of the course 1.2 References The references for Chapter 2 will be [42, Chap.I] for a fast overview and [38, chap.I, chap.II], [30, Chap.II] or [44, chap.1, 2, 3] for a more exhaustive understanding. Although we are interested in effective aspects, the algorithms behind the systematic computations would bring us too far. We refer to [25] for an introduction to the topic. Chapter 3 follows [42, Chap.II] and partly [41] for the properties of the residue. Chapter 4 is a mix of [41] and [34]. For the models of curves in Chapter 5, there are information in [20], [28], [34] and [33] and part of the underlying theory is also contained in [30, Chap.IV]. The proof of Weil conjecture in Chapter 6 and the consequences for maximal curves are inspired by [8] and [3]. The application to codes is in [46]. Chapter 7 is an overview and the interested reader will be able to learn much more from various sources. For the complex theory [24, chap.IV], [26] and [22] give a deeper and deeper path into the theory. For the general point of view, [24, chap.V] provides a ﬁrst overview at the general theory whereas [24, chap.VII] focuses on Jacobians. The application to cryptography can be found in various sources, for instance in [23]. The ﬁnal application to construction of curves takes some arguments from [24, chap.V] and then from [13].

1.3 Notation In the rest of the course (and unless specified) we will use the following notation • k a perfect field (i.e. all its finite extensions are separable) of characteristic p equal to 0 or a prime. • for varieties V/k, we will write P ∈ V instead of P ∈ V(k¯).

IEffective geometry of curves

2 Afﬁne and projective varieties: a quick review ...... 11 2.1 Afﬁne varieties 2.2 Projective varieties 2.3 Maps between projective varieties 2.4 Bézout theorem

3 Elementary properties of curves ...... 23 3.1 Uniformizers 3.2 Maps between curves 3.3 Divisors 3.4 Differentials

4 Riemann-Roch and Riemann-Hurwitz . 37 4.1 Proof of Riemann-Roch theorem 4.2 Corollaries 4.3 Riemann-Hurwitz theorem

5 Description of the curves up to genus 5 45 5.1 Genus 0 case 5.2 Genus 1 case 5.3 Genus 2 case 5.4 Interlude: canonical map and hyperelliptic curves 5.5 Genus 3 case 5.6 Genus 4 case 5.7 Genus 5 and beyond

2. Afﬁne and projective varieties: a quick review

2.1 Affine varieties Definition 2.1.1 For every n > 0, we define the affine space of dimension n as

n n A = {(x1,...,xn) ∈ k }

and its k-rational points as n n A (k) = {(x1,...,xn) ∈ k }.

n n σ σ σ If P = (a1,...,an) ∈ A = A (k), for every σ ∈ Gal(k/k), we deﬁne P = (a1 ,...,an ). We see n n that A (k) = {P ∈ A ,s.t. P = Pσ ∀σ ∈ Gal(k/k)}. This point of view is often useful because it allows to see an arithmetic problem (i.e. over k) as a geometric problem (i.e. over k) plus a Galois action.

Let now Rn = k[X1,...,Xn] and I ⊂ Rn be an ideal. Deﬁnition 2.1.2 The afﬁne algebraic set associated to I is the set of points

n V(I) = {P ∈ A s.t. f (P) = 0 ∀ f ∈ I}.

If I is deﬁned over k (i.e. I can be generated by polynomials with coefﬁcients in k) then the n set of k-rational points of V(I) is the set V(I)(k) = V(I)∩A (k) = {P ∈ V(I) s.t. P = Pσ ∀σ ∈ Gal(k/k)}.

The noetherian property of Rn shows that we can assume that I is finitely generated by a set n of polynomials f1,..., fm. Hence V(I) = {P ∈ A s.t. fi(P) = 0 ∀1 ≤ i ≤ m}. We will also denote V = V(( f1,..., fm)) as the set defined by V : f1 = 0,..., fm = 0. The action of σ ∈ Gal(k/k) on elements of Rn (induced by the action on each coefficients) defines an action on the algebraic sets: if V = V(I) for I = ( f1,..., fm) an ideal of Rn one defines σ σ σ σ V = V(( f1 ,..., fm )). One can prove that V = V for all σ if and only if V = V(J) with J defined over k. 12 Chapter 2. Affine and projective varieties: a quick review

n Example 2.1 V((1)) = /0and V((0)) = A . Let k = R and let us draw some pictures of algebraic sets in A2 and A3. By the way, the picture behind the title of this chapter is also (the real points of an) algebraic set given by a quartic equation in A3 and called a Kümmer surface.

Figure 2.1: V : Y − X2 = 0 Figure 2.2: V : X2Y + XY 4 − X4 −Y 4 = 0

Figure 2.3: V : X2 +Y 2 − Z2 = 0 Figure 2.4: V : Y − X2 = 0,Y = 2 √ The last picture defines two points (± 2,2). Note that although V is defined over Q, it has no Q- n rational points. More generally, a point (a1,...,an) ∈ A is defined by I = (X1 − a1,...,Xn − an). n n 2 Let us fix n ≥ 1 and look at the Q-rational points of Vn : x + y − 1 = 0 in A . Proving that Vn(Q) = {(1,0),(0,1)} when n > 1 is odd and Vn(Q) = {(±1,0),(0,±1)} when n > 2 is even is equivalent to prove Fermat last theorem. One can therefore guess that statements over non- algebraically closed fields are often deep. Note that the underlying idea is that there is also a strong control of the geometry on the arithmetic. It can for instance be proved computing only a geometric invariant of Vn (its genus, see Definition 3.4.5) that its set of Q-rational points must be finite for all n > 4 (consequence of Mordell conjecture proved by Faltings). On the contrary the (genus 1) curve V : y2 − x3 − 17 = 0 has infinitely many Q-rational points. n Not all subsets of A are algebraic. For example, one can see that as inverse image of {0} by continuous functions, these sets must be closed for the usual topology. But this is not sufficient: we will see in Exercise 2.5 that the graph of sinx is not algebraic. 2.1 Affine varieties 13

R It can easily be seen that V : {ideals} → {algebraic sets} is decreasing. Moreover for any set of ideals we have that ∩iV(Ii) = V(∑i Ii) and V(I) ∪V(J) = V(IJ) (see Exercise 2.1). This proves that using algebraic sets as closed subsets we can deﬁne a topology, called the Zariski topology. This topology is very different from the usual one as for instance it is not separated (the open sets are somehow too large).

n Deﬁnition 2.1.3 If V ⊂ A is an algebraic set, one deﬁnes the ideal of V as

I(V) = { f ∈ Rn s.t. f (P) = 0 ∀P ∈ V}.

With this deﬁnition we get a map I which goes now from the set of algebraic sets to the set of ideals. If V = V(I), one can check that V(I(V)) = V (i.e. I is injective, see Exercise 2.2). Conversely 3 I ⊂ I(V(I)) but in general there is no equality. For instance if I = (X1 ) ⊂ R1 then I(V(I)) = (X1). This is somehow the only issue as the following central result shows (for a proof, see for instance [38, Chap.I]).

Theorem 2.1.1 — Nullstellensatz. Let I be an ideal of Rn. Then I(V(I)) = rac(I) where

r rac(I) = {P ∈ Rn, ∃r ∈ N, P ∈ I}.

In particular it implies that V(I) = /0iff I = (1).

R The bridge realized by I and V between ‘geometry’ and ‘algebra’ is a fantastic source of ideas to address problems by using tools coming from both worlds. It might be interesting to keep track of the multiplicities as well, which is not possible here. This idea is at the origin of a reﬁnement of classical algebraic geometry into the theory of schemes.

n Definition 2.1.4 An affine algebraic set in A is an affine variety if I = I(V) is a prime ideal. One can then defined the coordinate ring associated to V as k[V] = Rn/I and the function field associated to V as k(V) = Frac(k[V]). If I is defined over k, the subset of functions f which admit a representative in k[X1,...,Xn] is denoted k(V).

Note that prime ideals satisfy I = rac(I) and hence varieties are completely described by their ideals. Moreover, in topological terms they correspond to (absolutely) irreducible algebraic sets V, i.e. V 6= V1 ∪V2 with Vi a proper algebraic set in V (see Exercise 2.3). This is equivalent to the fact that all open non empty algebraic set in V are dense. We chose here to consider the geometric situation (i.e. over C) which is not the case in all books. For us, the variety V(Y 2 + X2(X − 1)2) over R is not irreducible (even if the ideal Y 2 + X2(X − 1)2 ⊂ R[X,Y] is).

R We will show in Exercise 2.4 that an algebraic set V can always be written (in a unique way up to permutation) as a ﬁnite union of varieties Vi such that Vi 6⊂ Vj for i 6= j. The Vi are called the irreducible components of V. For instance in the following picture, the algebraic set V can be written as the union of a line and a sphere.

Although we will mainly deal with projective varieties and their morphisms, let us give the definition of affine morphisms. n m Definition 2.1.5 Let V ⊂ A and W ⊂ A be two affine varieties and φ : V → W a map which we write by its components (φ1,...,φm) with φi : V → k¯. One says that φ is a morphism if each φi ∈ k[V].

It is easy to see that for each f ∈ k¯[W], one can associate φ ∗ f = f ◦ φ and that φ ∗ is a morphism of k¯-algebra of k[W] to k[V]. One can shows that φ → φ ∗ is bijective [38, I.prop.6.7]. 14 Chapter 2. Afﬁne and projective varieties: a quick review

Deﬁnition 2.1.6 If V is a variety, we called its dimension the integer dimV equal to the transcendence degree of k(V).

Since Rn is ﬁnitely generated, it is also the case of k(V). This implies that if t1,...,td ∈ k(V) form a transcendence basis then k(V)/k(t1,...,td) is a ﬁnite algebraic extension.

R In the language of Zariski topology, we have the following equivalent deﬁnition. The dimension of V is the supremum of all lengths of chains V1 ) V2 ) ... ) Vt of non-trivial subvarieties of V.

n n Example 2.2 Since k(A ) = k(X1,...,Xn), we see that dimA = n. If f ∈ Rn is non constant then V = V(( f )) has dimension n − 1. We say that V is a hypersurface. 1 In the case n = 1 (resp. 2,3), we say that V is a curve (resp. a surface, a threefold ). If k = C the dimension coincides with the dimension of V seen as an analytic variety. For a computational perspective see [25, Chap.9].

Deﬁnition 2.1.7 Let V = V(I) be a variety with I = ( f1,..., fm). Then V is non-singular (or smooth) at P ∈ V if ∂ f J = i ∂Xj 1≤i≤m,1≤ j≤n evaluated at P has rank n − dimV. If P is non-singular its tangent space is the linear subspace of n A deﬁned by the left kernel of the matrix J.

R When the variety is not irreducible, this notion can be extended by asking that the previous criterion is satisﬁed taking for dimV the maximum of the dimensions of the irreducible components containing P. But actually in the case that there is more than one component, P is always singular.

The singularity of a point P ∈ V is a local condition (i.e. it can be looked in an open set around the point we consider). Considering the coordinate ring k[V] and the maximal ideal

1In French: solide 2.2 Projective varieties 15

MP = { f ∈ k[V] s.t. f (P) = 0}, we can look at the local ring OP at P, which is the localization of k[V] at MP. In other words,

OP = { f ∈ k(V) s.t. f = f1/ f2, f1, f2 ∈ k[V] with f2(P) 6= 0}.

R As a local ring, OP has a unique maximal ideal, MP, which consists of all non-units in OP.

It was ﬁrst proved by Zariski that the extrinsic deﬁnition of singular point (i.e. as variety inside a projective space) can actually be seen intrinsically. The point P is smooth if and only if 2 the dimension of the k-vector space MP/MP is equal to dimV. For instance, consider the curve 2 3 2 2 2 Y = X at P = (0,0). Then MP = (X,Y) and MP/MP ' hX + MP ,Y + MP i.

Exercise 2.1 Show that for any set of ideals we have that ∩iV(Ii) = V(∑i Ii) and V(I)∪V(J) =

V(IJ).

Exercise 2.2 Let V = V(I) be an afﬁne algebraic set. Prove that V(I(V)) = V and that I ⊂ I(V(I)).

Exercise 2.3 Let V = V(I) be an afﬁne algebraic set. Show that I(V) is prime if and only if V cannot be written as an union of two V(Ji) unless one is the whole set.

Exercise 2.4 Let V be a non-empty afﬁne algebraic set over an algebraically closed ﬁeld k. Show that one can write V uniquely (up to permutation) in the form V = V1 ∪ ···Vr where the Vi are varieties and Vi 6⊂Vj for i 6= j (hint: for the existence, assume that there is a “undecomposable” V = V(I) for which I is maximal for this property). In particular, if we have F ∈ Rn such that a1 ar F = F1 ···Fr with the Fi irreducible, coprime and ai > 0. Then I(V((F))) = (F1 ···Fr). The decomposition of V(F) into irreducible components is given by V((F)) = V((F1)) ∪ ··· ∪ V((Fr)).

2 Exercise 2.5 Show that V = {(x,y) ∈ C s.t. y = sinx} is not an algebraic set.

Exercise 2.6 If V is a algebraic set and P ∈/ V a point, show that there exists a polynomial F

such that F(x) = 0 for all x ∈ V and F(P) = 1.

2.2 Projective varieties

Let k be a field and n > 0. We say that two n + 1-uplets of elements of k (x0,x1,...xn) and 0 0 0 ¯∗ 0 (x0,x1,...,xn) are equivalent if there exists λ ∈ k such that xi = λxi for all 0 ≤ i ≤ n. We denote 0 0 0 (x0,x1,...xn) ∼ (x0,x1,...xn). n n+1 Definition 2.2.1 The projective space of dimension n over k, denoted P is the set (k \ {0})/ ∼. Its elements are the equivalence classes of n + 1-uplets (x0,...,xn), denoted (x0 : x1 ... : xn). n n The k-rational points of P , denoted P (k) is the subset of points with a representative which 16 Chapter 2. Affine and projective varieties: a quick review

coefficients are all in k. Be careful here than, for instance the point of P 2(C) defined by (π : π : π) is equivalent to (1 : 1 : 1) and therefore is in P 2(Q). 1 Example 2.3 This is a way of representing the real points of the projective line P . Indeed each non zero vector in R2 except the horizontal one is up to a scalar a vector which cuts the line y = 1 giving a bijection between points x on the line y = 0 and components (x,1) of the vector. The horizontal vector (with components (1,0) up to scalar) is an extra point which will call the point at infinity. (−3,1) (0,1) (2,1)

(1,0) = ∞ −3 0 2 n n More generally, the projective space P contains in a natural way the afﬁne space A : to (x0 : ... : xn) n with xn 6= 0 one associate (x0/xn,x1/xn,...,xn−1/xn) ∈ A . Conversely, to the point (x0,...,xn−1) ∈ n n A one associates the point (x0 : x1 : ... : xn−1 : 1) ∈ P . Hence the points such that xn = 0 can be n−1 2 2 1 seen as the points at inﬁnity and form a P . Hence for instance P = A ∪ P .

R Projective geometry has been used for a long time as it enables to gather in a similar picture, cases which look different in the afﬁne case. This is the case of the classiﬁcation of conics for instance as illustrated in Figure 2.2. It was also used to prove results like Pappus or Desargues theorem.

Deﬁnition 2.2.2 A homogeneous polynomial in Rn+1 = k[X0,...,Xn] (pay attention to the in- dices of the variables) is a polynomial such that every monomial has the same degree. This is equivalent to the fact that there exists d ∈ N such that for all λ ∈ k, one has

d f (λX0,...,λXn) = λ f (X0,...,Xn).

A homogeneous ideal in Rn+1 is an ideal generated by homogeneous polynomials.

n Let f be a homogeneous polynomial and P = (x0 : ... : xn) ∈ P . If f (x0,...,xn) = 0 this is the case for any representative of P. Hence it makes sense to write f (P) = 0.

Deﬁnition 2.2.3 Let I be a homogeneous ideal of Rn+1. The projective algebraic set associated n to I is the subset of P deﬁned by

n Vp(I) = {P ∈ P s.t. f (P) = 0 ∀ f ∈ I}.

If I can be generated by polynomials with coefﬁcients in k, we deﬁne the k-rational points of Vp 2.2 Projective varieties 17

as n Vp(I)(k) = Vp ∩ P (k). 2 2 2 Example 2.4 Let us for instance consider I = (X +Y − 3Z ) ⊂ Q[X,Y,Z]. Let us look at its Q-rational points. We can first look at the affine points letting Z = 1. We then get the equation of the conic V : X2 +Y 2 = 3. Then we can let Z = 0. We then get X2 +Y 2 = 0 which set of solutions 1 in P is {(±i : 1)}. Hence Vp(I) is the union of V and two points at infinity (±i : 1 : 0). 2 Let us prove now that Vp(Q) = /0. Indeed if (x : y : z) ∈ P (Q) is a solution, we can clear up the denominators and common factors to assume that there exists a solution (x,y,z) ∈ Z3 with gcd(x,y,z) = 1. Now x2 + y2 ≡ 0 (mod 3) so x ≡ y ≡ 0 (mod 3). This implies that x2 and y2 are divisible by 9 but then 3 divides z: excluded. There is a projective version of the Nullstellsatz (see for a proof [38, Chap.2]).

Theorem 2.2.1 — Projective Nullstellensatz. Let I be a homogeneous ideal of Rn+1. 1. Vp(I) = /0 ⇐⇒ (X0,...,Xn) ∈ rac(I); 2. If Vp(I) 6= /0then Ip(Vp(I)) = rac(I).

Deﬁnition 2.2.4 A projective set Vp(I) is a projective variety if I is prime.

We resume here the link between afﬁne and projective varieties. We deﬁne for i = 1,...,n

n n φi : A → P (x0 : ... : xn−1) 7→ (x0 : ... : xi−1 : 1 : xi : ...xn−1).

This map is invertible over Ui = {(x0 : ... : xn), xi 6= 0} with inverse morphism

(x0,...,xn) → (x0/xi,...,xi−1/xi,xi+1/xi,...,xn/xi).

n n The Ui cover P (as open sets for the Zariski topology on P and as afﬁne varieties which can be n identify with A ). Under this identiﬁcation, if Vp = Vp(( f1,..., fm)), one can see that

n V = Vp ∩ A = V(( f1(X0,...,1,...,Xn−1),..., fm(X0,...,1,...,Xn−1))).

Note that V can be empty but that there is at least one i for which it is not.

Definition 2.2.5 If f ∈ k¯[X1,...,Xn] is a non-zero polynomial of degree d we define the homogeneous polynomial ∗ d X1 Xn f (X0,...,Xn) = X0 f ,..., . X0 X0 n ∗ ∗ ∗ Now if V = V(I) ∈ A , we denote V = Vp(I ) where I = { f ,for f ∈ I \{0}} the projective n closure of V in P . In the langage of Zariski topology, this is really the closure of V. 2 2 2 Example 2.5 Let us consider V = V((Y − X )) ∈ A . We see that V = Vp((ZY − X )). In the same spirit as drawing the projective line in Example 2.3, we can see the affine plane as the plane defined by Z = 1 in A3 and the parabola V inside it (see the figure below). The line Z = 0,X = 0 in A3 defines the missing point (0 : 1 : 0) ∈ V. With this extra line the surface is a closed subset of A3. 18 Chapter 2. Affine and projective varieties: a quick review

On the other hand, consider V =V((F,G)) where F =Y −Z2 and G = X −Z3 in k[X,Y,Z]. Then 0 ∗ ∗ 0 V = Vp((F ,G )) is not equal to V¯ . Indeed, V contains for instance the projective line at infinity Z = 0,T = 0. However I∗ = (F∗,(FT −G)∗,(F(Y +Z2)−GZ)∗) = (YT −Z2,YZ −XT,Y 2 −XZ) and now there is only one point at infinity. See [26, p.78] for a nice exercise to prove this. There is tight links between an affine variety V and its projective closure V. For instance n n n n V = V ∩ A (for the compatible choice of A ⊂ P ). Moreover if Vp is projective then Vp ∩ A is n affine and if it is not empty then Vp ∩ A = Vp. Thanks to this, one can transport some definitions to the projective world. n n n Definition 2.2.6 Let Vp be a projective variety and A ⊂ P such that V = Vp ∩ A is not empty. The dimension of Vp, dimVp, is the dimension of V and the function field of Vp is k(Vp) = k(V). A point P ∈ V ⊂ Vp is non singular (or smooth) if it is non-singular in V. The variety Vp is non-singular if all its points are non-singular. The local ring at P is the local ring at P of V. One n can show (see Exercise 2.10) that these do not depend on the choice of A . At a non-singular point P, one can define its tangent space as the projective closure of the affine tangent space.

R One can also deﬁne the function ﬁeld of a projective variety V = Vp(I) directly as f k(V) = s.t. f ,g homogeneous of the same degree and g ∈/ I / ∼ g

where f /g ∼ f 0/g0 iff f g0 − f 0g ∈ I.

Exercise 2.7 Let V be a projective set over an algebraically closed ﬁeld k and P,Q ∈ V two

distinct points. Show that there exists a function f ∈ k(V) such that f (P) 6= f (Q).

Exercise 2.8 1. Let F(x,y,z) be a homogeneous polynomial of degree d over a ﬁeld k. Show (Euler relation) ∂F ∂F ∂F x + y + z = d · F(x,y,z) ∂x ∂y ∂z 2.3 Maps between projective varieties 19

(hint: take partial derivative of F(λx,λy,λz) = λ dF(x,y,z) with respect to λ and then λ = 1). 2. If d is coprime to the characteristic of k, show that the projective set C : F = 0 is singular at P0 = (x0 : y0 : z0) if and only if

∂F ∂F ∂F (P ), (P ), (P ) = (0,0,0). ∂x 0 ∂y 0 ∂z 0

3. If P0 is not singular, an equation of the tangent at P is ∂F ∂F ∂F (P )x + (P )y + (P )z = 0. ∂x 0 ∂y 0 ∂z 0

2 3 4. Study the singularities of C1/C : y z = x over C..

Exercise 2.9 Study the singularities of (you can use MAGMA to check your computations) 1. C : (x2 + y2 − 1)3 + 27x2y2 = 0 ; 2. C : (x2 + y2)(x − 1)2 = 4x2 (one can use this curve to do the trissection of an angle, cf. [32, p.25]). 3 3 3 3 3. The projective surfaces S1 : xt − yz = 0 and S2 : x + y + z +t = 0 and then the curve 3 3 3 3 3 C : {xt − yz = 0, x + y + z +t = 0} = S1 ∩ S2 ⊂ P . 0 2 0 0 4. Same with S1 : t − yz = 0 et C = S1 ∩ S2.

n n Exercise 2.10 If Vp is a projective variety in P and if Vi = Vp ∩φi(A ) 6= /0 for i 6= j Show that k(Vi) ' k(Vj).

2.3 Maps between projective varieties n Deﬁnition 2.3.1 Let V1 and V2 ⊂ P be two projective varieties. A map φ : V1 → V2 is a rational map if φ = ( f0 : ... : fn) with each fi ∈ k(V1) such that for all P ∈ V1 at which f0,..., fn are deﬁned (which is assumed to be non-empty) φ(P) ∈ V2. Equivalently, one can ask the fi to be homogeneous polynomials of the same degree, not all in I(V1) and that for all F ∈ I(V2), one has F( f1,..., fn) ∈ I(V1).

If V1 and V2 are defined over k then we say that a rational map φ : V1 → V2 is defined over k if there exists a representative of ( f0 : ... : fn) which is defined over k.

Deﬁnition 2.3.2 A rational map φ = ( f0 : ... : fn) is regular (or deﬁned) at P ∈ V1 if there exist g0,...,gn ∈ k[X0,...,Xn] homogeneous polynomials of the same degree such that fig j ≡ f jgi

(mod I(V1)) and there is a i0 for which gi0 (P) 6= 0. In that case we let φ(P) = (g0(P) : ... : gn(P)). If φ is regular everywhere, we say that φ is a morphism. If there exists a rational map ψ : V2 → V1 such that ψ ◦ φ = φ ◦ ψ = id, we say that φ (and ψ) is a birational map (or that V1 and V2 are birationnally equivalent). If φ and ψ are morphism, then they are isomorphisms and we write V1 ' V2. If V1,V2 and φ are deﬁned over k then we write V1 'k V2.

As we see from the definition, the notion of birational map induces an isomorphism between the function fields of the two varieties (and hence at least the dimensions are the same). However, 20 Chapter 2. Affine and projective varieties: a quick review as we can see in Example 2.6, one variety can be singular and the other not. Isomorphisms on the contrary carry all the geometric properties of the variety. However as one can also see in the examples below, it does not necessarily preserve arithmetic properties unless it is defined over the field we are interesting in. 2 2 2 1 Example 2.6 Let us assume that chark 6= 2, V : X + Y = Z and φ : V → P defined by (X : Y : Z) 7→ (X + Z : Y). Clearly φ is regular everywhere, except maybe at y = 0,x = 1,z = −1. 2 2 2 2 But (X +Z)(X −Z) ≡ −Y (mod I(V1)). So φ = (X +Z : Y) = (X −Z : Y(X −Z) = (Y : Y(X − Z)) = (Y : X −Z) and so φ(1 : 0 : −1) = (0 : 2) = (0 : 1) is regular and φ is a morphism. Moreover ψ : P 1 → V defined by (S : T) 7→ (S2 − T 2 : 2ST : S2 + T 2) is a morphism and φ ◦ ψ = ψ ◦ φ = id. So V ' P 1. The map φ : P 2 → P 2 defined by (X : Y : Z) 7→ (X2 : XY : Z2) is regular everywhere except at (0 : 1 : 0) (as the ideal defining V1 is 0, no non-trivial rewriting is possible). Let us now consider V : Y 2Z = X3, φ : V → P 1 defined by (X : Y : Z) → (Y : X) and ψ : P 1 → V defined by (S : T) → (S2T : S3 : T 3). The map ψ is a morphism and φ ◦ ψ = ψ ◦ φ = id so V is birationally equivalent to P 1. But φ is not defined at P = (0 : 0 : 1). If it were, then R = k[X,Y]/(Y 2 − X3) ' k[S] where S = Y/X. But ψ∗(X) = S2 and ψ∗(Y) = S3. Moreover ψ∗ is injective so R ' k[S2,S3] ( k[S]. Note that whereas P 1 is smooth, V is singular at P. 2 2 2 2 2 2 Last example: let V1 : X +Y = Z and V2 : X +Y = 3Z . These two curves are not isomorphic√ over Q since V2(Q) = /0 (see Example 2.4) whereas√ V1(Q) is infinite. But V1 ' V2 over Q( 3) by φ : V2 → V1 defined as (X : Y : Z) 7→ (X : Y : 3Z). Two varieties not isomorphic over a field k but isomorphic over k are called twists. n If k is of characteristic p > 0, an important map is the Frobenius morphism Frobp. If V ⊂ P p p σ it is defined by the rational map (X0 : ... : Xn ) from V to V . As all the coordinates cannot be zero, this defines a morphism. One denote Frobpn = Frobp ◦··· ◦ Frobp composed n times. It is the pn pn morphism (X0 : ... : Xn ). If V is defined over a finite field Fq then Frobq : V → V and its fixed points are the rational points of V.

Exercise 2.11 Let V be the projective variety deﬁned by Y 2Z − (X3 + Z3) = 0. Show that the map φ : V → P 2 given by (X : Y : Z) 7→ (X2 : XY : Z2) is a morphism.

Exercise 2.12 It can be proved that the automorphisms of n are linear although the proof is P ∗ not elementary (see [30, Ex.7.1.1]). Hence this group is isomorphic to PGLn+1 = GLn+1(k)/k . n Prove that given n + 2 points of P in general position (i.e. if n = 1 the points are distinct, if n = 2 three are not on a line, if n = 3 four are not in a plane,. . . ), there exists an automorphism n of P which transforms this set into the set

{(1 : ... : 0),...,(0 : ...0 : 1 : 0...0),...(0 : ... : 1)} ∪ {(1 : ... : 1)}.

Prove that this automorphism is deﬁned over a ﬁeld k if and only if each original point is as well. Remark: there is a MAGMA function to do this transformation : TranslationOfSimplex(P,Q).

R The automorphism groups of affine spaces are much more complicated and the exact results are only known for the line and the plane (this is also a good reason to prefer projective spaces!). Note that some of them are not linear (for instance, one could take for the plane x0 = ax + b and y0 = cy + f (x) where f is any polynomial. 2.4 Bézout theorem 21

1 ax+b Note that in the case of P , an automorphism acts as (x : 1) 7→ ( cx+d : 1) when cx+d 6= 0. This morphism is a homography which is also called a Möbius transform.

2.4 Bézout theorem Let C = V(F) and C0 = V(G) be two projective plane curves with no common component over an algebraically closed field k. Then C ∩C0 is finite as it is a dimension 0 algebraic set (see also Exercise 2.13). We now want to make this more precise, using an ad hoc definition for the multiplicity of intersection. Let us choose the coordinates X,Y,Z in such a way that q = (0 : 1 : 0) does not belong to C and C0 and such that L : Y = 0 is not a component of C or C0. We also assume that no line through q contains more than one point of intersection of C ∩C0. We write in this m n coordinates F = A0Y +...+Am and G = B0Y +...+Bn where Ai,Bi ∈ k[X,Z] are homogeneous 0 polynomials of degree i. Since q ∈/ C ∪C we get that A0(0,0)B0(0,0) 6= 0 so there are non-zero constant. From resultant theory, it follows that the resultant R(X,Z) of F and G with respect to Y is a homogenous polynomial –check this by the definition– of degree mn and that a projective point (x : z) is a solution of R if and only if there exists y such that (x : y : z) is a solution of F and G (note that there is no issue with the leading terms as we are thinking projectively). More geometrically, (x : z) is the projection from q (i.e. the vertical projection) on the line Y = 0 of the intersection point (x : y : z). Note that because of our assumption, y is unique for each (x : z). We hence obtain our first result. Proposition 2.4.1 C and C0 have at most mn intersection points. To go further, we then define the multiplicity of intersection at a point p = (x : y : z) as the multiplicity of the ‘projective’ root (x : z) in R. With this definition, one has of course Proposition 2.4.2 Counting with multiplicity, C and C0 have exactly mn intersection points.

R More intrinsically, the intersection multiplicity is the length of the OP-module OP/(F,G) (see [30]). Without this, one can prove the following: 1. the deﬁnition of intersection multiplicity does not depend on the choice of a coordinate system. Intuitively, this comes from the fact that the multiplicity of the roots has to be constant as the roots stay the same for any continuous change of variables. 2. Let νp(C) be the multiplicity of a point p = (a,b) on the curve C, i.e. if we write i j F = ∑i αi(x − a) (y − b) , the multiplicity is the degree of the lowest non-vanishing term in this expression. In particular a point p is non-singular if and only if its multiplicity is one. Determinant manipulations show that the intersection multiplicity 0 0 0 at p of C and C is greater or equal to νp(C) · νp(C ). If C and C are non singular at p then the intersection multiplicity is 1 if the tangents are distinct.

Exercise 2.13 Let F,G ∈ k[x,y] with k algebraically closed and gcd(F,G) = 1. 1. Show that there exists d ∈ k[x] non-zero and A,B ∈ k[x,y] such that d = AF + BG. 2. Deduce that V(F) ∩V(G) is ﬁnite.

Exercise 2.14 Show the following result: 2 Proposition 2.4.3 If two projective plane curves C1,C2 of degree n intersect in exactly n points 22 Chapter 2. Afﬁne and projective varieties: a quick review

and that there exists a irreducible curve D of degree m < n containing mn of these points, then there exists a curve of degree at most n − m containing the n(n − m) residual points.

To do so, let F1,F2,G the equations of C1,C2 and D and p = [a : b : c] be a point of D which is not in C1 ∩C2. Show that there exists a linear combination of F1 and F2 containing p. Conclude using Bézout.

One can use this to prove the following corollary (Pascal mystical hexagon): The opposite sides of a hexagon inside an irreducible conic meet in three collinear points.

Figure 2.5: Pascal mystical hexagon 3. Elementary properties of curves

In the sequel, we will consider smooth dimension 1 projective algebraic varieties over a ﬁeld k, which we simply call curves. In scheme language, it is a scheme over k of dimension 1, integral and proper over k with regular local rings.

3.1 Uniformizers

n n n Let C ⊂ P be a curve over k and P ∈ C. Considering P ∈ A ⊂ P we can look at the affine n open subset C ∩ A which contains P, which is an affine curve Caff. As we saw in Definition 2.2.6, the local ring at P on C is by definition the local ring OP = k[Caff]P. For any f ∈ OP, one can d define ordP( f ) = max{d ∈ N, f ∈ MP } and call it the order of f at P (with ordP(0) = ∞). Using ordP( f /g) = ordP( f ) − ordP(g), we can extend ordP to k(C). As C is a curve and P is smooth, [21, Prop.9.2] (see Exercise 3.2 for a plane curve) implies that its local rings are discrete valuation rings. This means that MP is principal, i.e. there exists tP ∈ OP 1 (which we can identify with a function in k(C)) which generates MP and called a uniformizer at n P. If f ∈ OP, one can write f = u ·tP where n = ordP( f ) and since ordP(u) = 0, we see that u is a unit. In particular all the uniformizers at P differ only by a unit in OP.

Example 3.1 Good examples of discrete valuation rings are k[[X]] (with maximal ideal (X) and i ord(∑i≥0 aiX ) = min(i s.t. ai 6= 0} or the localization of Z at a prime ideal p0 (with maximal idea ei ∏ pi (p0) and ord f = e0). p i ∏pi6=p0 i

Deﬁnition 3.1.1 Let f ∈ k(C) and P ∈ C. If ordP( f ) > 0, one says that f has a zero at P and if ordP( f ) < 0, we say that f has a pole at P. Note that if ordP( f ) ≥ 0, then f ∈ OP and so f is regular at P.

1 1 Example 3.2 Let us consider the case of C = P at P = (0 : 1). Considering P ∈ A = {Z 6= 0},

1In French: uniformisante 24 Chapter 3. Elementary properties of curves

we see that

1 k(P ) = { f = f1/ f2 ∈ k(X,Z) s.t. f1, f2homogeneous of the same degree}' k(X)

by letting Z = 1 in the expressions. Therefore we see that

OP = { f ∈ k(X) s.t. f = f1/ f2, f1, f2 ∈ k[X] with f2(0) 6= 0}.

Its maximal ideal Mp = { f ∈ k[X] s.t. f (0) = 0} = (X). Hence if f = f1/ f2 ∈ k(X) we can write a fi = X i gi avec gi(0) 6= 0 for i = 1,2. Then ordP f = a1 − a2. 2 3 2 Let us consider now the case of C : Y Z = X + XZ at the point P = (0 : 0 : 1). Then MP = (Y) 2 2 since X = Y /(X + 1) ∈ OP. In particular ordP Y = 1 and ordP X = 2. It is a consequence of noetherian property of the coordinate rings [30, Chap.II.6.1] that a function f has only a ﬁnite number of poles and zeros and of the projectivity of C [30, Chap.I.3.4a] that if it has no poles then f is constant.

Lemma 3.1.1 Let C be a smooth curve and let t be a uniformizer at a point P ∈ C. Then k(C) is a ﬁnite separable extension of k(t).

Proof. The field k(C) is clearly a finite extension of k(t) since t ∈/ k¯, k(C) has transcendence degree 1 and is finitely generated over k. Now let x ∈ k(C). We will show that x is separable over k(t). We only need to consider the case where characteristic p of k is > 0. i j i j Let Φ(T,X) = ∑ai jT X a minimal polynomial for x. If Φ contains a non-zero term ai jT X with j 6≡ 0 (mod p) then ∂Φ(X,t)/∂X is not identically zero so x is separable over k(t). Suppose now that Φ(T,X) = Ψ(T,X p) and we will derive a contradiction. The main point is to note that if F(T,X) is any polynomial then F(T p,X p) is a p-th power. This is true since k is perfect and so every element of k is a p-th power. We now regroup the terms in Ψ(T,X p) according to powers of T

p−1 p−1 p ip jp k p k Ψ(T,X ) = ∑ ∑ bi, j,kT X T = ∑ φk(T,X) T . k=0 i, j k=0

Now by assumption Φ(t,x) = 0. On the other hand, since t is uniformizer at P we have

p k ordP(φk(t,x) t ) = pordP(φk(t,x)) + kordP(t) ≡ k (mod p).

p−1 p k Thus each terms of the sum ∑k=0 φk(t,X) t has a distinc order at P and all of them must vanish. But on of the φk(T,X) must involve X and for that k the relation φk(t,x) = 0 contradicts the fact that Φ had minimal degree in X. A consequence of the primitive element theorem is that k(C) = k(t)[Y]/F(t,Y), i.e. V = V(F) ⊂ A2 is birationally equivalent to C. We call it a plane model of C. Note that it can be singular.

Exercise 3.1 Let f ∈ k(C) be a non-constant function. Prove that f cannot be algebraic over k.

3.1.1 Construction of functions with speciﬁc Laurent tails Let C/k be a curve and P ∈ C. 3.1 Uniformizers 25

m i Deﬁnition 3.1.2 A Laurent polynomial r = ∑i=n ciz , for −∞ < n ≤ m < +∞ and cm 6= 0, is a called a Laurent tail of a function f ∈ k(C) at P if ordP( f − r(tP)) > m.

aIn French: reste de Laurent

R One can prove that the completion of the local ring at P with respect to the maximal ideal is isomorphic to k[[X]]. Locally at P, one can think about a function as a Laurent series in tP. But, even without this result, given f ∈ k(C) and P ∈ C, one can deﬁne for any n ≥ ordP( f ) a Laurent polynomial r in t = tP such that ordP( f − r(t)) ≥ n. This can be done by recursion ord ( f ) ord ( f ) noticing that f −( f /t P )(P)t P has order less than ordP( f ). This implies in particular that if ordP( f ) = ordP(g), there exists α ∈ k such that ordP( f − αg) > ordP( f ).

We are going to show that we can construct functions with given Laurent tails at a ﬁnite number of points. Lemma 3.1.2 For any distinct points P,Q ∈ C there exists a function f with a zero at P and a pole at Q.

Proof. Since P 6= Q, there exists a function f such that f (P) 6= f (Q) (see Exercise 2.7). By replacing f by 1/ f if necessary we may assume that P is not a pole of f . If Q is a pole of f then f − f (P) is a solution. Otherwise ( f − f (P))/( f − f (Q)) is solution. This can be extended by a simple induction. Lemma 3.1.3 For any ﬁnite number of points P,Q1,...,Qn ∈ C, there is a function f with a zero at P and a pole at each Qi.

Proof. The case n = 1 has been done, so let’s assume that we have constructed g with the property up to Qn−1. Let h be a function with a zero at P and a pole at Qn. Then for large m, the function m f = g+h has the required zeroes and poles. Indeed, f has certainly a zero at P. Now at Qi, if h has not a pole, nothing changes. If it has a pole, it is enough to take m such that mordQi (h) < ordQi (g) to ensure that f has a pole there too. Indeed, note that for any two functions f1, f2 one has that ordP( f1 + f2) ≥ min(ordP( f1),ordP( f2)) with equality if ordP( f1) 6= ordP( f2).

Lemma 3.1.4 For any ﬁnite number of points P,Q1,...,Qn ∈ C and any N ≥ 1, there is a function

f such that ordP( f − 1) ≥ N and ordQi ( f ) ≥ N for all i.

N Proof. Consider the function g with a zero at P and pole at each Qi. Then f = 1/(1 + g ) is a solution.

Proposition 3.1.5 — Laurent series approximation. Fix a ﬁnite number of points P1,...,Pn and choose ri Laurent polynomials at each Pi. There is a function f such that at each Pi, f as ri as a Laurent tail at each Pi.

Proof. Let N be bigger than the degree of all ri. For f to have ri as a Laurent tail at Pi, we need that ordPi ( f − ri(tPi )) ≥ N. Let M be the minimum of the ordPi ri(tPi ) (M can be negative). By

Lemma 3.1.4, there are functions hi such that ordPi (hi − 1) ≥ N − M and ordPj (hi) ≥ N − M for all

j 6= i. Consider then f = ∑hi · ri(tPi ). We have

f − ri(tPi ) = ∑ h jr j(tPj ) + (hi − 1)ri(tPi ). j6=i

Since ordPi h j ≥ N − M for all j 6= i we see that ordPi h jr j(tPj ) ≥ N and similarly for the last term.

The sum as therefore this property as well so ordPi ri(tPi )) ≥ N. 26 Chapter 3. Elementary properties of curves

Corollary 3.1.6 Fix a ﬁnite number of points P1,...,Pn ∈ C and integers mi. Then there exists a function f with order mi at Pi for all i.

Exercise 3.2 Let C = V(F) ⊂ P 2 be a dimension 1 afﬁne variety over k. Let P ∈ C be a smooth point. We are going to show that OP is a discrete valuation ring and that if L = V(aX + bY + c) is any line through P which is not tangent to C at P, then its image in OP is a uniformizer at P 1. Show that by a change of variables we can assume that P = (0,0) that Y = 0 is the tangent at P and that L = V(X). 2. Show that MP = (X,Y) 3. Show that F = YG − X2H where G = a + higher terms with a 6= 0 and H ∈ k[X]. 4. Conclude that MP = (X).

3.2 Maps between curves Rational maps on (smooth) curves have a very nice property. n Proposition 3.2.1 Let C be a curve and V ⊂ P a variety. A rational map φ : C → V is a morphism.

Proof. Let us write φ = ( f0 : ... : fn) for fi ∈ k(C). Let P ∈ C and t be a uniformizer at C. Let −d −d −d d = min{ordP fi}. Then ordP(t fi) ≥ 0 for all i and ordP(t f j) = 0 for some j. So each t fi is −d regular at P and (t f j)(P) 6= 0. Therefore φ is regular at P.

Example 3.3 Let C/k be a curve and f ∈ k(C) be a function. Then f deﬁnes a rational map which we also denote f : C → P 1 given by ( f : 1). From Proposition 3.2.1, this map is actually a morphism. It is given explicitly by f (P) = ( f (P) : 1) when f is regular at P and (1 : 0) when f has a pole at P. Conversely if φ = ( f : g) : C → P 1 is a rational map then either g ∈ I(C) and φ is the constant map (1 : 0) or φ corresponds to the function f /g ∈ k(C). Since C is projective, its image by a morphism φ : C → V is a closed algebraic subset of V. Since C is (absolutely) irreducible, this image is a variety (if not write the image as the union of two proper algebraic sets and C is the union of their pre-images). It is either of dimension 0 and therefore a point, or a 1-dimensional variety. In particular

Proposition 3.2.2 Let φ : C1 → C2 a morphism between a curve and a dimension 1 projective variety. Then either φ is constant or surjective.

Let C1,C2 be two 1-dimensional projective varieties defined over k and φ : C1 → C2 a non- constant rational map defined over k. The composition with φ induces an injection of function fields fixing k

∗ φ : k(C2) → k(C1) f = f ◦ φ.

Notice that the injectivity follows from the fact that if f φ is the zero map then for all Q ∈ C2 one has f (Q) = 0. Indeed since φ is surjective, there exists P ∈ C1 such that φ(P) = Q so f (Q) = f ◦ φ(P) = 0.

3.2.1 Dictionary curves/function ﬁelds The following theorem (see [30, Chap.II.6.8, Chap.I.6.12] allows to connect the theory of curves to the theory of function ﬁelds. 3.2 Maps between curves 27

Theorem 3.2.3 Let C1,C2 be two 1-dimensional projective varieties defined over k. • Let φ : C1 → C2 be a non-constant map defined over k. Then k(C1) is a finite extension of ∗ φ (k(C2)). • Let ι : k(C2) → k(C1) be an injection of function fields fixing k. Then there exists a unique ∗ non-constant map φ : C1 → C2 defined over k such that φ = ι. • Let F ⊂ k(C1) be a subfield of finite index containing k. Then there exists a (smooth) 0 0 curve C /k, unique up to k-isomorphism, and a non-constant map φ : C1 → C defined over k so that φ ∗(k(C0)) = F.

If F/k is a field extension of transcendence degree 1 such that F ∩ k = k, we have seen that we can write F = k(X,Y)/ f (X,Y) where f ∈ k[X,Y]. Hence F is the (k-rational elements in the) field of functions of the projective 1-dimensional variety C1 = V(( f (X,Y))). Using item 3 with F = k(C1), we see that to any such field one can associate a unique curve. There is therefore an equivalence of categories between these fields and curves and we could develop the study of curves purely in terms of function fields theory. This is the point of view taken for instance in [45]. Notice that this theorem contains (and actually can be proved, see [27]) a theory of desingularization of plane curves. Locally, the (smooth) curve is given by the integral closure of k[X,Y]/ f (X,Y) in F. This procedure, called normalization, works only for dimension 1 varieties (in general a normal variety can still be singular).

R Extension of function fields over finite fields can be put in parallel to extension of number fields (the two topics are unified under the name of global fields). One can translate questions from one topic to the other, for instance the Riemann hypothesis. It is often the case that the function field version is easier.

Example 3.4 In the case where f ∈ k(C) is a non-constant function, then since f is not algebraic over k, we see that k( f ) ⊂ k(C) is a subﬁeld of ﬁnite index. The corresponding curve is obviously 1 P with the morphism induced by f .

Definition 3.2.1 Let φ : C1 → C2 be a map between two 1-dimensional projective varieties. If ∗ φ is constant, we define the degree of φ to be 0 otherwise deg(φ) = [k(C1) : φ (k(C2))]. We say ∗ that φ is separable if the extension of fields k(C1)/φ (k(C2) is so.

A direct consequence of Theorem 3.2.3 is (see [42, Cor.2.4.1])

Corollary 3.2.4 If φ : C1 → C2 is a degree 1 map between two (smooth) curves then φ is an isomorphism.

1 Example 3.5 Let us look at low degree maps φ : C → P . If degφ = 1, then C is isomorphic to P 1. Consider the degree 2 maps and assume that chark 6= 2 (C will be an example of hyperelliptic ∗ curves see Section 5.4 for more). The injection φ : k(P 1) = k(X) ,→ k(C) show that k(C) = k(X)[Y]/(Y 2 − f (X)) where f = a/b ∈ k(X) with a,b ∈ k[X]. We can simplify this a bit more. Quotient out by Y 2 −a/b is the same as (bY)2 −ab. If we write ab = c2g with g square free then we bY 2 0 2 get c − g. Let us denote C the affine algebraic set defined by Y − g(X) = 0. By construction 0 k(C0) ' k(C) so C (the projective closure of C0) and C are birationally equivalent. Let us see if they are isomorphic. The affine part C0 is smooth: indeed a point P = (X,Y) ∈ C0 would be singular if (∂g/∂X)(P) = (∂g/∂Y)(P) = 0. As characteristic is not 2, this implies that Y = 0 and that X is 0 therefore a double root of g, which is excluded. Since C : Y 2Zdeg(g)−2 = g∗(X,Z), the only point at 0 infinity is (0 : 1 : 0). It is easy to see that this is a singular point as soon as degg > 3, so C is not 0 smooth (if degg = 1,2 then C is a conic). Let us show how to construct C in the case n = 6 (for notational reasons). 28 Chapter 3. Elementary properties of curves

Let us consider the map ψ : P 2 → P 4 deﬁned by (X : Y : Z) 7→ (Z3 : XZ2 : X2Z : X3 : YZ2).

4 4 If we call (X0 : X1,X2 : X3 : Y) the coordinates on P , its image is a sub-variety S of P deﬁned by 2 2 3 many equations such as X2X0 = X1 ,X3X0 = X1 . 0 Look now at the projective closure of the image of C ⊂ A2 ⊂ P 2 under the map ψ. It is contained into the intersection of S with

2 4 6 5 6 Y X0 = a6X1 + a5X1 X0 + ... + a0X0 2 2 2 6 = a6(X3X0 ) + a5(X3X0 )(X2X0)X0 + ... + a0X0

2 2 3 4 since X2X0 = X1 ,X3X0 = X1 and so on. As we can factor out in the previous equation X0 , we will consider the irreducible component V deﬁned by S intersected with

2 2 2 2 Y = a6X3 + a5X3X2 + a4X2 + a3X2X1 + a2X2X0 + a1X1X0 + a0X0 .

When X0 6= 0, the map

2 3 (X0 : X1 : X2 : X3 : Y) 7→ (1 : X : X : X : Y)

0 has for image C , therefore V is birationally equivalent to C. When X0 = 0, then X1 = 0 since 2 2 √ X2X0 = X1 and X2 = 0 since X3X1 = X2 hence we get two points with Y = ± a6,X3 = 1. In 2 3 the open subset with X3 = 1, we have X1 = X2 and X0 = X2 hence we see that V ∩ {X3 = 1} is isomorphic to

2 2 3 4 5 6 6 Y = a6 + a5X2 + a4X2 + a3X2 + a2X2 + a1X2 + a0X2 = X2 g(1/X2)

2 3 2 √ using X3 = 1, X0X3 = X2 and X1X3 = X2 . Hence the points (0,± a6) are smooth since the roots 6 of X2 g(1/X2) are the inverse of the roots of g. We conclude that V is smooth and therefore is isomorphic to C (by unicity of the smooth model in the birational equivalence class of a curve).

R The smooth model of C is not a complete intersection. Actually it can be proven that this is never the case for hyperelliptic curves (see [30, IV.ex.5.1]). A more fancy way to ﬁnd a model for C is to look at C inside the weighted projective space 1, degg ,1 P 2 when degg is even (which over a ﬁeld with order large enough can always be assumed). Doing, so Y 2 = f ∗(X,Z) is directly the equation we are looking for.

As for the case of number fields extension and their Dedekind rings, it is essential to look at ramification behavior of the primes (here points). This motivates the following definition.

Deﬁnition 3.2.2 Let φ : C1 → C2 be a non-constant morphism of smooth curves and P ∈ C1. The ramiﬁcation index of φ at P, denoted eφ (P) is given by

∗ eφ (P) = ordP(φ tφ(P))

where tφ(P) ∈ k(C2) is a uniformizer at φ(P). We say that φ is unramified at P if eφ (P) = 1 and φ is unramified if it is unramified everywhere. A point P with eφ (P) > 1 is called a ramification point for φ.

1 1 3 2 5 Example 3.6 Let φ : P → P over Q deﬁned by (X : Y) 7→ (X (X −Y) : Y ). The point P = ∗ 5 (1 : 0) is mapped onto (1 : 0) which has uniformizer Y at that point. Hence ordP φ Y = ordP Y = 5. Let us consider now an afﬁne point P = (a : 1) with image (a3(a − 1)2 : 1) with uniformizer 3.3 Divisors 29

t = X − a3(a − 1)2. We therefore get φ ∗t = X3(X − 1)2 − a3(a − 1)2 and we are interested at the multiplicity of the root a of P = X3(X − 1)2 − a3(a − 1)2. Computing the discriminant of P, we see that P has a multiple root if and only if X = 0 (with multiplicity 3), X = 1 (with multiplicity 2) an X = 3/5 (with multiplicity 2). Graphically, one can think of the situation like this (0 : 1)(1 : 1) (3/5 : 1) P 1

3 2 2 5

1 (0 : 1) (108 : 3125) P (0 : 1) P

where the number on the line indicates its ramiﬁcation index (if none it is 1).

Example 3.7 Let us see how to to compute an example with MAGMA .

P:=PolynomialRing(Rationals(),3); PP:=ProjectiveSpace(P); C:=Curve(PP,x^3*y+y^3*z+z^3*x); P1:=PolynomialRing(Rationals(),2); PP1:=ProjectiveSpace(P1); D:=Curve(PP1); phiAmb:=mapPP1| [x,y]>; phi:=Restriction(phiAmb,C,D); R:=RamificationDivisor(phi); S:=Support(R); Degree(R); 10 R; Divisor 1*Place at (0 : 0 : 1) + 2*Place at (1 : 0 : 0) + 1*Place at (-1/3*$.1^3 : $.1 : 1) Degree(phi); 3 // this is an example of Riemann-Hurwitz formula 2*Genus(C)-2 eq Degree(phi)*(2*Genus(D)-2)+Degree(RamificationDivisor(phi));

It does not seem that the degree of R is equal to 1 + 2 + 1. The problem comes from the fact that MAGMA denotes by a place the Galois orbit of a point. If we look at the ﬁeld of deﬁnition of the last place, we get that

pt:=RepresentativePoint(S[3]); Parent(pt); Set of points of C with coordinates in Number Field with defining polynomial $.1^7 - 18 over the Rational Field

Hence the last element in R is a divisor of degree 7.

3.3 Divisors We will start with the following deﬁnition of divisors which exists for any smooth variety (see [30, page II.6]). 30 Chapter 3. Elementary properties of curves

Definition 3.3.1 A divisor on a curve C is a formal sum D = ∑P∈C nPP where nP 6= 0 for a finite number of P. We will also write nP = D(P). We call degD = ∑nP the degree of σ σ D and we say that D is k-rational if for all σ ∈ Gal(k/k), one has D = ∑nPP = D. If ∗ f ∈ k(C) , we define the divisor of f as div f = ∑ordP( f )P (if f = 0, we let div f = /0). We

also write div0 f = ∑ordP( f )>0 ordP( f )P and div∞ f = −∑ordP( f )<0 ordP( f )P. Hence div f = 0 div0 f − div∞ f . Finally we say that two divisors are linearly equivalent, D ∼ D , if there exists f ∈ k(C) such that D = D0 + div f .

R A√k-rational divisor√ has not necessarily all its points deﬁned over k. For instance the divisor ( 2 : 0 : 1) + (− 2 : 0 : 1) on the curve C : x2 + y2 = 2z2 is Q-rational. Notice however that n if a function f ∈ k(C) then div f is rational. Indeed, consider if at P one has f = utP then at σ σ n σ σ P , f = u tPσ . Since f = f one gets that the exponent at P of f is n as well.

∗ Let φ :C1 →C2 a morphism. To a point Q ∈C2, we associate the divisor φ (Q) = ∑P∈φ −1(Q) eφ (P)P. By linearity we can extend this map to any divisor of C2. We have the following properties

Proposition 3.3.1 Let φ : C1 → C2 be a non-constant morphism of smooth curves. Then for every Q ∈ C2 ∑ eφ (P) = degφ. P∈φ −1(Q)

If f is a function on C1 then deg(div f ) = 0.

Proof. The proof of the ﬁrst item comes directly from [30, page II.6.9] where it is proved that ∗ 1 degφ D = degφ · degD. For the second, look at the morphism φ : C1 → P associated to f by ∗ Example 3.3. Clearly φ ((0) − (∞)) = div f and we can apply the same result.

Definition 3.3.2 Let C/k be a smooth curve. We define div(C)(k) the group of divisors on C which are k-rational. We define the Picard group of C over k and denote it Pic(C)(k) the group n div(C)(k)/ ∼. Since deg(div f ) = 0, for any n ∈ Z, one can consider Pic (C)(k) the subset of Pic(C)(k) of divisors of degree n. Note that only Pic0(C)(k) is stil a group.

0 R We will see in Chapter 7 that Pic (C)(k) are the k-rational points of a projective variety, called the Jacobian, at least when C(k) 6= /0.

Deﬁnition 3.3.3 Let D be a divisor on C. We deﬁne the Riemann-Roch space associated to D as the k-vector space

L (D) = { f ∈ k(C)∗ s.t. div f + D ≥ 0} ∪ {0},

0 where a divisor D = ∑nPP is ≥ 0 (one says effective) if nP ≥ 0 for all P.

R Notice that if f ∈ L (D1) and g ∈ L (D2) then f · g ∈ L (D1 + D2) by deﬁnition of the order nP at a point as belonging to the ideal MP . Notice also that for any D and g ∈ k(C), one has that L (D) ' L (D + divg).

Lemma 3.3.2 L (D) is a ﬁnite dimensional k-vector space. One denotes `(D) its dimension.

Proof. We can write D = ∑nP>0 nPP + ∑nP<0 nPP. Clearly L (D) ⊂ L (∑nP>0 nPP) hence we can restrict to D ≥ 0. Clearly if D is empty, then L (D) = k since a function without pole is 3.3 Divisors 31 constant (Proposition 3.2.2). It is then enough to prove that `(D + P) ≤ `(D) + 1. Let assume there exists f ∈ L (D + P) \ L (D). Then for any other g ∈ L (D + P) \ L (D), we have that ordP(g) = ordP( f ) = −(nP +1) (if bigger, then f ,g would be in L (D)). Therefore, using Remark 3.1.1, there exists α ∈ k such that ordP(g + α f ) = −nP and so g + α f ∈ L (D). The dimension increases then by at most 1. The following lemma proves that if D is k-rational then there exists a basis of L (D) with elements in k(C). Lemma 3.3.3 Let V be a k¯-vector space and assume that Gal(k¯/k) acts continuously on V in a manner compatible with its action on k¯. Let

Gal(k¯/k) σ Vk = V = {v ∈ V s.t. v = v for all σ ∈ Gal(k¯/k)}.

Then V = k¯ ⊗k Vk.

Proof. It suffices to show that every v ∈ V is a k¯-linear combination of vectors in Vk. Choose a v ∈ V, and let L/k be a finite Galois extension such that v is fixed by Gal(k¯/L) (the fact that Gal(k¯/k) acts continuously on V means precisely that the subgroup {σ s.t. vσ = v} has finite index in Gal(k¯/k). We take L to be the Galois closure of its fixed field.) Let {α1,...,αn} be a basis for L/k and let n σ j {σ1,...,σn} = Gal(L/k). For each 1 ≤ i ≤ n, consider the vector wi = ∑ j=1(αiv) = TrL/k(αiv). It is clearly Gal(k¯/k)-invariant so wi ∈ Vk. Now a basic result in field theory says that the matrix σ j σ j (αi )i, j is invertible (see [39, p.39]) so each v (and in particular v) is an L-linear combination of the wi.

R This is also a consequence of Hilbert 90 theorem for GLn(k). Indeed, let f1,..., fd be a basis σ of L (D). For any σ ∈ Gal(k/k) there exists a matrix Mσ ∈ GLd(k) which maps fi onto fi . These matrices satisfy the cocycle relations and hence by Hilbert 90, there exists N ∈ GLd(k) −1σ such that Mσ = N N. One can then check that gi = N fi deﬁnes a k-rational basis.

We can also derive the following lemma which will be useful in the proof of Riemann-Roch theorem. Lemma 3.3.4 Let f be a non-constant function on C and D = div∞( f ). There exists a constant m0 such that for all m ≥ m0 one has `(mD) ≥ (m − m0 + 1)deg(D).

Proof. Consider f as a morphism from C → P 1 we see that k¯(C) is an extension of degree d = degD ∗ ¯ 1 ∗ ¯ ¯ of f k(P ) ' f k(X) ' k( f ). Let g1,...,gd be a basis of this extension. By the following lemma, there exist polynomials ri such that hi = ri( f )gi have poles only at the poles of f . These functions are linearly independent over k¯( f ) and there is an integer m0 such that hi ∈ L (m0D). Now for any i m ≥ m0, the functions ( f h j)1≤ j≤d are in L (mD) as long as i ≤ m − m0 since f ∈ L (D). These are all linearly independent over k¯, so we get the conclusion.

The lemma we need is the following in the case A = −divgi for each i. Lemma 3.3.5 Let A be a divisor and D = div∞( f ) with f non-constant. There is an integer m > 0 and g 6= 0 such that A − divg ≤ mD. Moreover g can be taken to be a polynomial in f .

Proof. Let P1,...,Pk the points in the support of A of positive multiplicities and which are not poles A(P ) of f . Then f − f (Pi) has a zero at Pi, hence ( f − f (Pi)) i has a zero at Pi to at least order A(Pi) and no other poles than the poles of f . Taking the product over all these Pi gives a function g 6= 0, polynomial in f which is the solution (notice that if there is no Pi, then g = 1). 32 Chapter 3. Elementary properties of curves

∗ Exercise 3.3 Let φ : C1 → C2 be a non-constant morphism of curves and f ∈ k(C2) ,P ∈ C1. Prove that ∗ ordP(φ f ) = eφ (P)ordφ(P)( f ).

Exercise 3.4 Let φ : C1 → C2 and ψ : C2 → C3 two morphisms between curves and P ∈ C1. Prove that eψ◦φ (P) = eψ (φ(P)) · eφ (P).

1 1 Exercise 3.5 Check directly for φ : P → P that ∑P∈φ −1(Q) eφ(P) = degφ for all Q and that in characteristic 0, #φ −1(Q) = deg(φ) for all but ﬁnitely many Q.

3.4 Differentials 3.4.1 Generalities Let C be a curve over k.

Deﬁnition 3.4.1 The space of differential forms on C, denoted ΩC, is the k¯(C)-vector space generated by symbols of the form dx where x ∈ k¯(C) subject to the usual relations: 1. d(x + y) = dx + dy; 2. d(xy) = xdy + ydx; 3. da = 0 for all a ∈ k¯.

∗ Let φ : C1 → C2 a non-constant map of curves. Then the natural map φ induces a map on ∗ ∗ ∗ differentials φ (∑ fidxi) = ∑(φ fi)d(φ xi)). ¯ ∗ 0 Proposition 3.4.1 1. ΩC is a k(C)-vector space of dimension 1. If ω ∈ ΩC and ω ∈ ΩC, one denotes ω0/ω = g the unique function such that ω0 = gω. 2. Let x ∈ k¯(C). Then dx is a basis for ΩC if and only if k¯(C)/k¯(x) is a ﬁnite separable extension. 3. Let φ : C1 → C2 be a non-constant map of curves. Then φ is separable if and only if the map ∗ φ : ΩC2 → ΩC1 is injective.

Proof. see [27] for some proofs in the plane case. Let us show the last item. Choose y ∈ k¯(C2) so ¯ ¯ ¯ ∗ ¯ that ΩC2 = k(C2)dy and k(C2)/k(y) is a separable extension. Note φ k(C2) is then separable over ∗ ¯ ¯ ∗ ∗ ∗ ∗ φ k(y) = k(φ y). Now φ : ΩC2 → ΩC1 is injective ⇔ d(φ y) 6= 0 ⇔ d(φ y) is a basis for ΩC1 ∗ ∗ ⇔ k¯(C1)/k¯(φ y) is separable ⇔ k¯(C1)/φ k¯(C2) is separable, where the last equivalence follows ∗ ¯ ¯ ∗ because we already know that φ k(C2)/k(φ y) is separable. Proposition 3.4.2 Let P ∈ C and t ∈ k¯(C) be a uniformizer at P. 1. For every ω ∈ ΩC, there exists a unique g ∈ k¯(C) depending on ω and t such that ω = gdt. We denote g = ω/dt. 2. Let f ∈ k¯(C) regular at P. Then d f /dt is also regular at P. 3. The quantity ordP(ω/dt) depends only on ω and P. This is called the order of ω at P and denoted ordP(ω). 4. Let x ∈ k¯(C) such that k¯(C)/k¯(x) is separable and x(P) = 0. Then for all f ∈ k¯(C), one has ordP( f dx) = ordP( f ) + ordP(x) − 1 if p = 0 or p - ordP(x) and ordP( f dx) ≥ ordP( f ) + ordP(x) if p > 0 and p|ordP(x). 5. For all but ﬁnitely many P ∈ C, one has ordP(ω) = 0. Proof. 1. This is a consequence of Lemma 3.1.1 and of the ﬁrst two items of Proposition 3.4.1. 3.4 Differentials 33

2. See [30, page IV.2.1]. 3. Let t0 be another uniformizer. Since dt/dt0 and dt0/dt are both regular at P according to the 0 0 0 second item, we have that ordP(dt /dt) = 0 Since ω = gdt = g(dt/dt )dt the result follows. n 4. Write x = ut with ordP(u) = 0. Then

dx = (nutn−1 + (du/dt)tn)dt.

Now from the second item du/dt is regular at P. Hence if n 6= 0 in k, the first term dominates. We obtain n−1 ordP( f dx) = ordP( f nut dt) = ordP( f ) + n − 1. If p > 0 and p|n then the first term vanishes which yields the result. 5. Let x ∈ k¯(C) so that k¯(C)/k¯(x) is separable and write ω = f dx. The map x : C → P 1 ramifies only at finitely many points of C. Discarding finitely many points, we can therefore assume that f (P) 6= 0,∞, that x(P) 6= ∞ and that the map x is unramified at P. But the latter two conditions implies that x − x(P) is a uniformizer at P so ordP(ω) = ordP( f d(x − x(P))) = 0.

Deﬁnition 3.4.2 Let ω ∈ ΩC. The divisor associated to ω is divω = ∑P ordP(ω) · P. The form ω is regular at P if ordP(ω) ≥ 0 at P.

∗ If ω1,ω2 are non-zero differentials, there exists f ∈ k¯(C) such that ω1 = f ω2. Hence divω1 = div f + divω2. Deﬁnition 3.4.3 The canonical divisor class on C is the image in Pic(C) of div(ω) for any non-zero differential ω. Any divisor, denoted κ, in this class is called a canonical divisor.

1 Example 3.8 Let us show hat there are no regular differentials on P . Let t = X/Z be a uniformizer at P0 = (0 : 1). Note that t −α is a uniformizer at P = (α : 1) for all α ∈ k so ordP dt = 2 ordP d(t − α) = 0. However at ∞ = (1 : 0), 1/t is a uniformizer so ord∞ dt = ord∞ −t d(1/t) = 1 −2 ord∞ − t d(1/t) = −2. Hence divdt = −2∞ and for any ω ∈ ΩP 1 one has degdivω = −2 so ω cannot be regular. In analogy to the Riemann-Roch spaces, we will introduce the following notation. ∗ Deﬁnition 3.4.4 Let D be a divisor. We denote Ω(D) = {ω ∈ ΩC s.t. divω ≥ D} ∪ {0}.

Proposition 3.4.3 For any divisor D, one has that L (κ − D) ' Ω(D).

Proof. Let ω be a non-zero differential on C such that divω = κ. The application f 7→ f ω is a morphism from L (κ − D) to Ω(D) since div f + κ − D ≥ 0 so div( f ω) ≥ D. Its inverse is the 0 0 deﬁned by ω 7→ ω /ω.

In particular the k-vector space of regular differentials is ﬁnite. This dimension is an important invariant.

Deﬁnition 3.4.5 We call the genus of C the dimension of L (κ) and denote it gC.

R If k = C, we can identify C with a compact Riemann surface and the genus defined here is the genus of the Riemann surface. It is therefore a topological invariant of C. In [20, p.216], one shows that both definitions agree using the Gauß-Bonnet formula. Over any field, two isomorphic curves have the same genus. 34 Chapter 3. Elementary properties of curves

3.4.2 Residue i Let ω = gdt ∈ ΩC for a uniformizer t at P. Writing g = ∑ait , one denotes Rest (ω) = a−1. Lemma 3.4.4 This notion depends only on P, and denote it therefore ResP(ω). Proof. Let us ﬁrst note the following properties 1. Rest (ω) is k-linear in ω; 2. Rest (ω) = 0 if ordP(ω) ≥ 0; 3. Rest (dg) = 0 for every g ∈ k¯(C); ∗ 4. Rest (dg/g) = ordP(g) for every g ∈ k¯(C) . i Only the two last ones are not obvious. To prove the third, notice that if you derivate ∑ait then −1 n there is no t term. For the fourth, write dg = t u with ordP(u) = 0. Then we ﬁnd dg/g = ndt/t + du/u

whence Rest (dg/g) = n + Rest (du/u) = n since u is regular at P. n Let s be another uniformizer at P and write ω = ∑n≥0 ands/s + ω0 with ordP(ω0) ≥ 0. Then n Ress(ω) = a1 and Rest (ω) = ∑an Rest (ds/s ). As Rest (ds/s) = 1 according to the last item, it comes down to proving that n Rest (ds/s ) = 0 for n ≥ 2. (3.1) When the ﬁeld k has characteristic 0, one has that ds/sn = dg with g = −1/(n − 1)sn−1 and then the result follows from the third item. We are going to reduce the characteristic p case to this case. 2 3 First, we can suppose after multiplying s by a scalar factor that s = t +b2t +b3t +.... We deduce that 1 1 = (1 − nb t + ... + c ti + ...) sn tn 2 i where the ci are polynomials in b2,...,bi+1 with integer coefﬁcients and independent of the i−1 characteristic. By multiplying with ds = dt + 2b2tdt + ... + ibit dt + ..., we deduce that ∞ ds dt i n = n · ∑ dit s t i=0

where the di are as before polynomials in the b2,...,bi+1 with integer coefﬁcients and independent n of the characteristic. In particular dn−1 = Rest (ds/s ). Since (3.1) is valid in characteristic 0, the polynomial dn−1(b2,...,bn) vanishes for any bi taken in a ﬁeld of characteristic 0. This polynomial is therefore identically zero and the result holds also in characteristic p. We conclude this section with an important tool called the residue theorem (see [34, p.121] for an analytic proof, [34, p.253] for an algebraic proof in characteristic 0, [41, pages II.11, 12] for a proof in any characteristic).

Theorem 3.4.5 For any differential ω ∈ ΩC

∑ ResP(ω) = 0. P∈C

Example 3.9 Let us see how to to compute an example with MAGMA . P:=PolynomialRing(Rationals(),3); PP:=ProjectiveSpace(P); C:=Curve(PP,x^3*y+y^3*z+z^3*x); kappa:=CanonicalDivisor(C); L:=RiemannRochSpace(kappa); Dimension(L); 3.4 Differentials 35

Exercise 3.6 We give a proof of Theorem 3.4.5 in the case of C = P 1 over an algebraically closed ﬁeld k. 1. Consider a rational fraction P(X)/Q(X). Show that one can write P/Q as a sum of terms n ∗ of the form c(X − a) with c ∈ k ,a ∈ k and n ∈ Z. By linearity, one can restrict to one of these cases. 2. Show for each cases that the formula holds.

Exercise 3.7 Let us ﬁnd out a basis of regular differentials on hyperelliptic curves.

4. Riemann-Roch and Riemann-Hurwitz

4.1 Proof of Riemann-Roch theorem A fundamental tool (although it looks very anecdotical!) is the following result.

Theorem 4.1.1 Let C/k be a smooth curve of genus g and κ a canonical divisor. Then for all divisor D, one has that `(D) = degD − g + 1 + `(κ − D). In particular since `(κ) = g, one has that degκ = 2g − 2.

There are various proofs of this result: the quickest ones use cohomological theorems [30, page IV.1] ; old-fashioned ones use plane curves with singularities [27, Chao.8] or [20, Appendix A] ; in the langage of function ﬁelds (and adèles, one can follow [45]). We will reproduce here the proof of [41] where some of the cohomological arguments are worked out using [34].

Example 4.1 Let us check Riemann-Roch theorem with MAGMA .

P:=PolynomialRing(Rationals(),3); PP:=ProjectiveSpace(P); C:=Curve(PP,x^3*y+y^3*z+z^3*x); P1:=C![1,0,0]; P2:=C![0,1,0]; P3:=C![0,0,1]; kappa:=CanonicalDivisor(C); D:=3*Divisor(P1)+Divisor(P2)+Divisor(P3); Dimension(D) eq Degree(D)-Genus(C)+1+Dimension(kappa-D);

4.1.1 Répartitions and H1(D)

Deﬁnition 4.1.1 A répartition on C is a formal sum ∑P rP ·P with rP ∈ k(C) such that ordP(rP) < 0 for a ﬁnite number of P. 38 Chapter 4. Riemann-Roch and Riemann-Hurwitz

One denotes T the k¯-vector space of répartitions. Ordinary divisors are of course contained in the previous deﬁnition. We can use them to “ﬁlter” the k¯-vector space of répartitions in the following way. We denote D = ∑D(P) · P and

T [D] = {∑rP · P s.t. ordP(rP) + D(P) ≥ 0 for all P}.

Moreover one can see k¯(C) as a subgroup of T by associating to f the repartition ∑ f · P. One defines as well αD : k¯(C) → T /T [D]. Let us remark that L (D) = ker(αD). Conversely, one can ask what the image of αD is. Note that if Z ∈ T /T [D] is such that rP = 0 and D(P) = 0, a preimage of Z under αD must be regular at P. Therefore constructing preimages is not a simple application of Proposition 3.1.5. The problem of constructing functions with specified répartitions is called the Mittag-Leffler problem for C. Algebraically, the problem is measured by 1 H (D) := cokerαD = T /(T [D] + k¯(C)). The notation reflects the general theory of cohomology but we will not develop any general background here. We first need to show that H1(D) has finite dimension. Notice that with more background from algebraic geometry, this follows from the fact that we are dealing with coherent sheaves. From the exact sequence

0 → L (D) → k¯(C) → T /T [D] → H1(D) → 0, one deduces the short exact sequence

0 → k¯(C)/L (D) → T /T [D] → H1(D) → 0.

Now suppose that D1 ≤ D2. Since T [D1] ⊂ T [D2] we have a surjective map t : T /T [D1] → T /T [D2] and we can build the following commutative exact diagram

α D1 1 0 / k¯(C)/L (D1) / T /T [D1] / H (D1) / 0

t α D2 1 0 / k¯(C)/L (D2) / T /T [D2] / H (D2) / 0.

As the vertical maps are all surjective, the snake lemma gives a short exact sequences between their kernels. The one from the left is simply L (D2)/L (D1) hence

dimker(k¯(C)/L (D1) → k¯(C)/L (D2)) = dimL (D2) − dimL (D1).

n It is not difﬁcult to see that dimker(t) = deg(D2) − deg(D1) since at each point P, the tP with 1 −D2(P) < n ≤ −D1(P) form a basis of such functions. If we denote H (D2/D1) the kernel of the right map we see that the short exact sequence

1 0 → L (D2)/L (D1) → ker(t) → H (D1/D2) → 0

1 implies that H (D1/D2) is also ﬁnite-dimensional, more precisely 1 Lemma 4.1.2 dimH (D1/D2) = (deg(D2) − dimL (D2)) − (deg(D1) − dimL (D1)). Proposition 4.1.3 There is an integer M such that for any divisor A on C one has deg(A) − `(A) ≤ M.

Proof. Fix a function f and D = div∞ f . Let M such that deg(mD) − `(mD) ≤ M for all m ≥ 0 by Lemma 3.3.4. Now, using Lemma 3.3.5, there exists g and an integer m such that B = A − divg ≤ 4.1 Proof of Riemann-Roch theorem 39

mD. Note that degB = degA and L (B) ' L (A). Therefore degA − `(A) = degB − `(B) = deg(mD) − `(mD) − dimH1(B/mD) ≤ deg(mD) − `(mD) ≤ M.

Let A0 be such that deg(A0) − `(A0) is maximal. 1 Lemma 4.1.4 For this divisor A0, we have H (A0) = 0.

1 Proof. Suppose that H (A0) 6= 0. Then there is a répartition Z ∈ T /T [A0] which is not αA0 ( f ). By increasing A0 to a divisor B we may take t(Z) = 0 in T /T [B]. Therefore the class of t(Z) in 1 1 1 H (B) is zero. Hence the class of Z in H (A0) is in fact in the kernel H (A0/B), thus this kernel is nonzero. But by Lemma 4.1.2,

1 1 ≤ dimH (A0/B) = (deg(B) − dimL (B)) − (deg(A0) − `(A0))

which is non-positive by the maximality of deg(A0) − `A0.

Proposition 4.1.5 For any D, H1(D) is a ﬁnite dimensional vector space over k¯.

Proof. Let A0 be as before and write D − A0 = P − N where P and N are non-negative divisors. 1 1 1 1 Then H (A0) surjects onto H (A0 + P), so that H (A0 + P) = 0 also. Therefore H (A0 + P − N) ' 1 H ((A0 + P − N)/(A0 + P)) which is ﬁnite dimensional. Since D = A0 + P − N we are done. Applying again Lemma 4.1.2, this gives a ﬁrst form of Riemann-(Roch) theorem:

dimL (D) − dimH1(D) = deg(D) + 1 − dimH1(/0).

The problem is now to understand the dimension of the H1 in terms of Riemann-Roch spaces only.

4.1.2 Dual of the space of répartitions Let us denote J[D] the dual of the vector space H1(D). Let f ∈ k¯(C) and α ∈ J = ∪J[D], the latter being a k-vector space since we can always see J[D1], J[D2] inside a J[D3]. The map r 7→ hα, f ri is a linear form on T vanishing on k¯(C). We denote it by f α. We have f α ∈ J. Indeed if α ∈ J[D] and f ∈ L (∆) then f α vanishes on T [D − ∆], thus belongs to J[D − ∆]. The operation ( f ,α) → f α endows J with the structure of a k¯(C)-vector space. Proposition 4.1.6 The dimension of J over k¯(C) is at most 1.

Proof. We argue by contradiction. Let α,α0 ∈ J linearly independent over k¯(C). Since J is the 0 union of the J[D] one can ﬁnd D such that α,α ∈ J[D]. Let d = deg(D). For every n ≥ 0 let ∆n be 0 a divisor of degree n. If f ,g ∈ L (∆n), then f α,gα ∈ J[D − ∆n]. Furthermore as they are linearly independent over k¯(C), we see that the map

L (∆n) ×L (∆n) → J[D − ∆n] f , g 7→ f α + gα0 is injective. Now

1 1 dimJ[D−∆n] = dimL (D−∆n)−deg(D−∆n)−1+dimH (/0) ≤ dimL (D)−d −1+dimH (/0)+n 40 Chapter 4. Riemann-Roch and Riemann-Hurwitz

which grows like a + n for a constantn. On the other hand

1 dimL (∆n) ≥ n + 1 − dimH (/0)

so 2dimL (∆n) grows at least like b + 2n for a constant n. The growth rate are therefore incompati- ble.

4.1.3 The residue map and Serre duality 1 The space H (D) measures whether a répartition Z = ∑rP ·P can come from an f . This can also be measured by the residue theorem. For illustration, if Z ∈ T /T [/0], we are asking if there exists f such that ordP f −rP ≥ 0 for all poles P of f . Let ω be a regular differential. Then f ω has poles only at the poles of f and the negative terms of the Laurent series of f ω are determined by the negative terms of the Laurent series of f . Now since ∑P ResP( f ω) = 0, we get that ∑P ResP(rPω) = 0 if α0( f ) = ∑rP · P as desired. This is therefore a necessary condition. Serre duality says that this condition is actually also sufﬁcient. Let ω ∈ ΩC and r ∈ T . We deﬁne the bilinear form

hω,ri = ∑ResP(rPω). P

This deﬁnition is legitimate since rPω is regular for almost all P. One has the following properties 1. hω,ri = 0 if r ∈ k¯(C) because of the residue theorem; 2. hω,ri = 0 if r ∈ T [D] and ω ∈ Ω(D) since then rPω is regular at all P; 3. If f ∈ k¯(C) then h f ω,ri = hω, f ri. For every differential ω, let θ(ω) be the linear form on T which sends r to hω,ri. The previous properties shows that if ω ∈ Ω(D) then θ(ω) ∈ J[D] since J[D] is by deﬁnition the dual of T /(T [D] + k¯(C)). Lemma 4.1.7 If ω is a differential such that θ(ω) ∈ J[D] then ω ∈ Ω(D).

Proof. Otherwise, there would be P ∈ C such that ordP(ω) < ordP(D). Put n = ordP(ω) + 1 and let r be the répartition whose components are ( rQ = 0 if Q 6= P, n rP = 1/tP.

We have ordP(rPω) = −1 whence ResP(rPω) 6= 0 and hω,ri= 6 0; but since n ≤ ordP(D), r ∈ T [D], hence we arrive at a contradiction since θ(ω) is assumed to vanish on T [D].

Theorem 4.1.8 — Serre Duality. For every divisor D, the map θ is an isomorphism from Ω(D) to J[D].

Proof. Let us show that θ is injective. Indeed, if θ(ω) = 0, the previous lemma shows that ω ∈ Ω(∆) for all ∆, hence ω = 0. Next θ is surjective. Indeed according to item (3), θ is a k¯(C)-linear map from ΩC to J. As ΩC has dimension 1 and J has dimension at most 1, θ maps ΩC onto J. If we ﬁx a canonical divisor κ = div(ω) then using the isomorphism of Proposition 3.4.3, we see that dimΩ(D) = dimL (κ − D) and combined with Serre duality gives Riemann-Roch theorem. 4.2 Corollaries 41

Exercise 4.1 Prove that a curve C has genus 0 iff there exists two distinct points P,Q ∈ C such that (P) ∼ (Q).

4.2 Corollaries In order to understand better the constraint on `(D) in terms of the degree of D, we let r(D) = `(D) − 1. If D is effective then k ⊂ L (D) and therefore r(D) ≥ 0. Reciprocally, if r(D) ≥ 0, then there exists a function f such that div f + D ≥ 0 and we can therefore assume that D is effective. In that case PL (D) '{effective divisors ∼ D} is a projective space of dimension r(D), called the linear system associated to D. Indeed D + div f = D + divg iff div f = divg i.e. div( f /g) = /0, ∗ which means that f /g is constant or f = αg with α ∈ k . Finally we denote i(D) = `(κ − D) the index of speciality of D. A divisor D with i(D) > 0 is said special. Since deg(κ) = 2g − 2, we see that special divisors have degree less or equal to 2g − 2. Notice that the canonical divisor κ is the unique divisor (up to linear equivalence) of degree 2g − 2 such that `(κ) = g. Indeed if κ0 is another degree 2g − 2 divisor with `(κ0) = g then g = `(κ0) = 2g − 2 − g + 1 + `(κ − κ0) = g − 1 + `(κ − κ0). The divisor κ − κ0 is of degree 0 hence κ −κ0 +div( f ) ≥ 0 is also of degree 0 and can be effective iff κ −κ0 = −div( f ) = div(1/ f ).

Moreover from the proof of Lemma 3.3.2, we see that r(D) ≤ deg(D). We get the ﬁrst picture where the blue zone represents the special divisors. This picture can be reﬁned using Clifford theorem (see Exercise 4.2) and even more using Brill-Noether theorem [20, p.159] as it is visible on the second picture.

r r Brill Noether curve g − (r + 1)(g − d + r) = 0

Clifford line r = d − g r = d/2 r = d − g κ κ g − 1 • g − 1 •

Special Divisors

g 2g − 2 d g 2g − 2 d

Let us point out that as for topology, the genus is somehow a good indicator of the complexity of the curve: indeed when it grows, one needs increasing the degree of an effective divisor D to ﬁnd a non-constant function in L (D).

Exercise 4.2 We are going to prove the following version of Clifford’s theorem : let D be an 1 effective special divisor on the curve C over k = k. Then r(D) ≤ 2 degD. Prove this result admitting the following lemma Lemma 4.2.1 Let D,E be effective divisors on C. Then r(D) + r(E) ≤ r(D + E). For the proof of the lemma, let us consider the map

φ : |D| × |E| → |D + E| 42 Chapter 4. Riemann-Roch and Riemann-Hurwitz

It is the projective map induces by the afﬁne map

L (D) × L (E) → L (D + E) ( f ,g) 7→ ( f g)

Show that for any R ∈ |D + E|, φ −1(R) is ﬁnite (may be empty). Deduce from [30, III.ex.11.2] that φ is a ﬁnite morphism and that the dimension of φ(|D| × |E|) = r(D) + r(E). Conclude.

R There is a more precise version which says that equality occurs iff D = 0 or D = κ or C is hyperelliptic and D is linearly equivalent to a multiple of the divisor P + ι(P) for P ∈ C and ι : C → C the canonical involution (see loc. cit.).

4.3 Riemann-Hurwitz theorem Finally, we state another important result to compute the genus of a curve (see [42, page II.5.9]).

Theorem 4.3.1 — Riemann-Hurwitz theorem. Let φ : C1 → C2 be a non-constant separable morphism then

2gC1 − 2 ≥ degφ · (2gC2 − 2) + ∑ (eφ (P) − 1) P∈C1

with equality if chark = 0 or if chark - eφ (P) for all P.

∗ Proof. Let ω 6= 0 ∈ ΩC2 and P ∈ C1 and let Q = φ(P). Since φ is separable, φ ω 6= 0. We wish to ∗ relate ordP(φ ω) and ordQ ω. Write ω = f dt where t is a uniformizer at Q. Then letting e = eφ (P), we have φ ∗t = use where s is a uniformizer at P and u(P) 6= 0,∞. Hence

φ ∗ω = (φ ∗ f )d(φ ∗t) = φ ∗ f d(use) = φ ∗ f (eue−1 + (du/ds)se)ds.

Now ordP(du/ds) ≥ 0 so we see that

∗ ∗ ordP(φ ω) ≥ ordP(φ f ) + e − 1

with equality if and only if e 6= 0 in k. Further

∗ ordP φ f = eφ (P)ordQ( f ) = eφ (P)ordQ ω.

Hence adding over P ∈ C1 yields ∗ degdivφ ω ≥ ∑eφ (P)ordφ(P) ω + eφ (P) − 1 P = ∑ ∑ eφ (P)ordQ ω + ∑ eφ (P) − 1 Q∈C2 P∈φ −1(Q) P∈C1 = (degφ)(degdivω) + ∑eφ (P) − 1 P Now Hurwitz’s theorem is a consequence of Theorem 4.1.1 which says that on a curve of genus g degdivω = 2g − 2.

One can remove the constraints on chark by involving higher ramiﬁcation groups when the R ∗ cover k(C1)/φ (k(C2) is Galois see [45, Th.III.4.12, Th.III.8.8]. 4.3 Riemann-Hurwitz theorem 43

4 4 4 Example 4.2 Let us compute the genus of C : F = 0 with F = X +Y + Z in characteristic different from 2. We first check that the variety is smooth. Indeed a point of C is singular ∂F ∂F ∂F iif X , Y , Z = (0,0,0) (see Exercise 2.8) then (X,Y,Z) = (0,0,0). We know consider the morphism φ : (X : Y : Z) 7→ (X : Y) ∈ P 1. The genus of P 1 is 0 since we have seen that on P 1 there is no regular differential. We need to know the ramification points P = (x : y : z) of φ. If y = 0 then x = 1 and z4 = −1 has four distinct solutions. Since by Proposition 3.3.1, the sum of the ramification index over (1 : 0) is equal to the degree (which is 4 since k(C) = k(X,Y)[Z]/(Z4 − (X4 +Y 4))) we see that all these points are unramified. We can now assume y = 1 and then z4 = −(x4 + 1) which for the same reason is 4 unramified except if x = −1. For each of the four solutions xi of this equation we have a unique point P = (xi : 1 : 0) which maps to (xi : 1), hence the ramification index is 4.We can now apply Riemann-Hurwitz 2gC − 2 = 4 · (−2) + 4 · (4 − 1) implies that gC = 3. One can check that this is the case over Q for instance using the following MAGMA commands P:=PolynomialRing(Rationals(),3); PP:=ProjectiveSpace(P); C:=Curve(PP,X^4+Y^4+Z^4); Genus(C);

R There are other ways to compute the genus of plane curves C (or embedded in a smooth surface) which are consequences of the adjunction formula 2g − 2 = C.(C + K) where K is the canonical divisor on the surface. For plane curves of degree d, C ∼ dH and K ∼ −3H then 2g − 2 = d(d − 3) Here for d = 4 we find g = 3. Note that this proves that not all curves can be written as plane (smooth) curves. For dimension 1 variety V of P 2 of degree d, one has that the smooth curve in the birational equivalence class of V has genus equal to (d−1)(d−2) 2 − ∑P∈V δP where δP is zero if P is not singular and 1 if P is a node [30, IV.ex.1.8]. This is crucial as any curve over k is birational to a plane curve with only nodes as singularities [30, page IV.3.11]. In the same line of thoughts, all curves can be embedded in P 3 but not 3 necessarily over k! For instance there exists a genus 14 curve over F2 with 16 > #P (F2), so this curve cannot be embedded in P 3. This curve cannot neither come from a plane variety with only nodes since the number of F2-rational points of (the desingularization of) this variety is at most 7 · 2 (when all the nodes are rational). It has been showed in [37] that the 3 existence of an i > 0 such that #C(Fqi ) > #P (Fqi ) is the only type of obstruction for the embedding in P 3 over a finite field.

Exercise 4.3 Let φ : C1 → C2 a non-constant morphism between curves.

1. Show that gC1 ≥ gC2 . 2. Prove that if there is equality then g = 0 or (g = 1 and φ is unramiﬁed) or (g ≥ 2 and φ is an isomorphism).

Exercise 4.4 Let k be an algebraically closed field. Let C be a curve of genus gC > 1 and G be the group of automorphisms of C. It is known that this is always a finite group. In the first part of this exercise, we are going to prove this result when C is hyperelliptic and the characteristic of k is different from 2. 2 We write C : Y = f (X) where f is of degree 2gC + 2 (a singular model for C). Recall that 44 Chapter 4. Riemann-Roch and Riemann-Hurwitz

isomorphisms of hyperelliptic curves are of the form

aX + b eY g : (X,Y) 7→ , cX + d (cX + d)g+1

a b with M = ∈ GL (k) and e ∈ k∗. We denote g the induces automorphism of 1 given c d 2 e P by (X : Z) 7→ (aX + bZ : cX + dZ) and we therefore have a surjective morphism from G to Ge = {ge, g ∈ G}. 1. Show that the kernel of this morphism is generated by the hyperelliptic involution ι. Hence in order to prove that G is finite, it is enough to prove that Ge is. Let ge∈ Ge. 2. Show that the 2g + 2 points (xi,0) ∈ C where xi are the roots of f are the fixed points of ι. 3. Show that ge permutes the points Qi = (xi : 1). 4. Show that an automorphism of P 1 which fixes 3 distinct points is the identity. 5. Conclude that there exists an injective morphism from Ge into Sym2g+2 and that #G ≤ 2(2g + 2)!. 6. Describe briefly how to compute the elements of G given a factorization of f . We now come back to the case where C is not necessarily hyperelliptic and we assume that G is finite. We assume also that the characteristic of k does not divide #G = n. We know that there exists a curve D/k and a morphism φ : C → D separable of degree n such that for all Q ∈ D, φ −1(Q) = {g(P), g ∈ G}, where P ∈ C is any point such that φ(P) = Q (the curve D is the “quotient” of C by G and in particular φ ◦ g = φ for all g ∈ G). Let P ∈ C be a point with ramification index eφ (P) = r. 7. Show that φ −1(φ(P)) consists of exactly n/r points, each of ramification index r. Let P1,...,Ps be a maximal set of ramification points of C lying over distinct points of D and let eφ (Pi) = ri. 8. Show that Riemann-Hurwitz formula implies

s 2gC − 2 1 = 2gD − 2 + ∑ 1 − . n i=1 ri

9. As gC ≥ 2, then the left side is > 0. Show that if gD ≥ 0, s ≥ 0, ri ≥ 0 are integers such that s 1 2gD − 2 + ∑ 1 − > 0 i=1 ri then the minimal value of this expression is 1/42. 10. Conclude that n ≤ 84(gC − 1).

5. Description of the curves up to genus 5

We want to give equations which describe curves up to genus 5. In the sequel C will be a curve of genus g deﬁned over k.

5.1 Genus 0 case We know from Riemann-Roch theorem that κ is a divisor of degree −2, hence

`(−κ) = 2 − 0 + 1 + `(2κ) = 3.

Let hx,y,zi be a basis of L (−κ). Since `(−κ) > 0, we can assume that −κ is effective and equal 2 to ∑nPP with nP positive. If P is a pole of x, say, one has that −ordP x ≤ nP hence −ordP x = 2 2 −2ordP x ≤ 2nP. From this, we conclude that x ∈ L (−2κ) and similarly for xy,xz,y ,yz and z2. But `(−2κ) = 4 − 0 + 1 = 5. So there is a linear relation between these functions, i.e. there exists a homogenous quadratic polynomial Q ∈ k[X,Y,Z] such that Q(x,y,z) = 0. The polynomial Q is absolutely irreducible: otherwise there would be a linear relation between x,y,z. Hence Q is absolutely irreducible and deﬁnes a smooth conic. To conclude, let us show that φ : C → Vp(Q) deﬁned by φ(P) = (x(P) : y(P) : z(P)) is an isomorphism. By Corollary 3.2.4, it is enough to show that φ is of degree 1 over k. Since −κ is of degree 2 then any linear combinaison ax + by + cz has at most two zeros. Now, there is a line in P 2 (any which is not tangent to the conic) which intersects the conic in two distinct points Q1,Q2. After a change of variables we can assume −1 −1 −1 that this line is X = 0 and φ (Q1),φ (Q2) are distinct zeros of x, therefore φ (Qi) = {Pi}

(since φ is surjective) and ordPi x = 1 (because P1 + P2 is already of degree 2 and x has no more 1 zeros). Let us consider the composition ψ : C → Vp(Q) → P which maps P to x(P). One has that

eψ (P1) = ordP x = 1. But eφ (P1)|eψ (P1) (see Exercise 3.4) and so eφ(P1) = 1. Now we conclude using Proposition 3.3.1 that

degφ = ∑ eP(φ) = eP1 (φ) = 1 −1 P∈φ (Q1) . 46 Chapter 5. Description of the curves up to genus 5

Proposition 5.1.1 Every genus 0 curve over k is k-isomorphic to a plane smooth conic. Conversely, this is true as well, since over k, one can parametrize a smooth conic and it is therefore k-isomorphic to P 1, hence of genus 0.

5.2 Genus 1 case We will assume that C has a k-rational point O (always true over k or over a ﬁnite ﬁeld, see Exercise 8.2). Since degκ = 0, we see that

`(O) = 1 − 1 + 1 + 0 = 1, L (O) = h1i `(2O) = 2 − 1 + 1 + 0 = 2, L (2O) = h1,xi `(3O) = 1 − 1 + 1 + 0 = 3, L (O) = h1,x,yi `(6O) = 1 − 1 + 1 + 0 = 6, L (O) = h1,x,x2,x3,y,y2,xyi. We conclude as before that there is a relation ay2 + bxy + cy = dx3 + ex2 + f x + g

and that ad 6= 0 (otherwise all functions have a pole of different order at O and the expression cannot vanish). We can therefore replace y by d2ay and x by adx to get

2 3 2 y + a1xy + a3y = x + a2x + a4x + a6. Let us call 2 2 3 2 2 3 2 E : Y Z + a1XYZ + a3YZ = X + a2X Z + a4XZ + a6Z ⊂ P and consider the morphism φ : C → E deﬁned by φ(P) = (x(P) : y(P) : 1). This is well deﬁned at O as well since if t is a uniformizer at O then

φ(O) = (t3x(O) : t3y(O) : t3(O)) = (0 : 1 : 0) since x (resp. y) has a pole of order 2 (resp. 3) at O. We need to show that φ is an isomorphism, 1 1 i.e. we will show that k(x,y) = k(C). The morphism φx : C → P (resp. φy : C → P ) deﬁned by φx(P) = (x(P) : 1) (resp. φy(P) = (y(P) : 1)) is of degree 2 (resp. 3) since x (resp. y) has a unique pole of order 2 (resp. 3). We therefore get that

k(C)

2 k(x,y) 3

Õ | " k(x) k(y)

which forces [k(C) : k(x,y)] to divide 2 and 3 so to be equal to 1. To conclude, we still need to prove that E is smooth. Let us think that it is not. Since the point (0 : 1 : 0) is smooth, we can assume that it is an affine point which is singular and after translation we can let it be (0 : 0 : 1). The affine 2 3 2 2 equation of E is then of the form Y + a1XY = X + a2X . Let t = Y/X. We get t + a1t = x + a2. Hence the rational map ψ : E → P 1 defined by ψ(X : Y : 1) = (X : Y) is of degree 1 with inverse −1 2 3 2 ψ (1 : t) = (t + a1t − a2 : t + a1t − a2t : 1). By composition ψ ◦ φ is a morphism of degree 1 between smooth curves, hence an isomorphism. But the genus of P 1 is 0, so this is absurd and E is smooth. 5.3 Genus 2 case 47

R We could also use the fact that a plane 1-dimensional variety of degree 3 is smooth if and only if its genus is 1 since for a plane curve of degree d, one has g ≤ (d − 1)(d − 2)/2 with equality if smooth.

Proposition 5.2.1 Let C be a genus 1 curve over k with a k-rational point O. Then C is k-isomorphic to a plane curve

2 2 3 2 2 3 E : Y Z + a1XYZ + a3YZ − (X + a2X Z + a4XZ + a6Z ) = 0

called a Weierstrass model of C.

R What happens if there is no k-rational point? The situation does not admit a ﬁxed answer and depends on the smallest degree n of a k-rational division D (which is unbounded for curves over Q [17]). One gets [6] • if n = 2, a model y2 = F(x) with F of degree 4; • if n = 3, a plane smooth cubic; • if n = 4, the intersection of two quadrics in P 3; • if n > 4, a non-complete intersection.

5.3 Genus 2 case

In that case degκ = 2 and `(κ) = 2. Hence there exists a non-constant function x ∈ L (κ). Since divx+κ ≥ 0, we see that x has at most a pole of order 2 at a unique point P or a pole at two distinct points P1 and P2 (x cannot have a single pole of order 1 since it would induce an isomorphism with P 1). Let φ : C → P 1 the morphism deﬁned by x. It is then of degree 2 and we are in the situation studied in Example 3.5 if chark 6= 2. We know that C is bitationally equivalent to H : Y 2 = f (X) where f ∈ k[X] is a separable polynomial. Using Riemann-Hurwitz formula (see Theorem 4.3.1, we get that

(2g − 2) = 2 = 2(−2) + ∑eφ (P) − 1

hence we see that φ is ramified at 6 points. Each affine point (x0,0) ∈ H is ramified so deg f ≤ 6 (see the picture below). If deg f = 6, then we have seen that the smooth model of H is indeed not ramified at infinity (there are two points) and we are done. The same analysis would show that if deg f = 5 then φ is ramified at the unique point at infinity. Hence Proposition 5.3.1 Every genus 2 curve over a field k of characteristic different from 2 is k- birationally equivalent to an affine curve H : Y 2 = f (X) with f ∈ k[X] of degree 5 or 6. Note that if moreover #k > 5 and deg f = 5 then we can assume that f (0) 6= 0 by a translation defined over k. Then Y 2 1 = f X3 X

implies that Y 2 = X6 f (1/X) = g(X) where g is a polynomial of degree 6. Hence with the exception of k = F3 or F5, we can always assume deg f = 6. 48 Chapter 5. Description of the curves up to genus 5

Figure 5.1: Ramiﬁcation points (in blue) of the map φ

R The characteristic 2 case can be found in [4] for instance.

5.4 Interlude: canonical map and hyperelliptic curves Before we proceed further, we will need some extra information about a particular morphism, called the canonical map. In general, if D is a divisor on C such that `(D) > 1 one can deﬁnie r φD : C → P with r = r(D) = `(D) − 1 by choosing a basis (s0,...sr) of L (D) and mapping φD(P) = (s0(P) : ... : sr(P)) (as we did in genus 0 for instance). One can study when this map is an embedding in general but we will restrict to the case of D = κ (and g ≥ 2) (for the general theory, see [30, IV.Prop.3.1]). • First note that for any P ∈ C, there exists an i such that si(P) 6= 0. Indeed if not, there would exist P such that si(P) = 0 for all 0 ≤ i ≤ r, then all the si ∈ L (κ − P) which would be of dimension g. Then `(P) = 1 − g + 1 + `(κ − P) = 2 which is excluded since g > 0. • Let us see when this morphism is injective. This will be the case iff for P 6= Q, one can ﬁnd s ∈ L (κ) such that s(P) = 0 but s(Q) 6= 0. This will not be the case iff `(κ − P) = `(κ) − 1 = g − 1 = `(κ − P − Q) which is equivalent to `(P + Q) = 2. This is the case iff there is a non-constant degree 2 map over k to P 1. • If this is the case, by “taking the limit” P = Q, one can also prove that this map is an immersion (i.e. send a smooth point onto a smooth point). Indeed since `(κ −2P) < `(κ −P) there exists s ∈ L (κ) such that ordP(s) = 1. Therefore the map φD is of degree 1 and hence an isomorphism on its image.

Deﬁnition 5.4.1 We say that C is a hyperelliptic curve (resp. non-hyperelliptic curve) when φK is not an embedding (resp. is an embedding). The image φK(C) of a non-hyperelliptic curve is called the canonical embedding of C.

r Note that V = φκ (C) ⊂ P is a non-degenerate 1-dimensional variety, i.e. it is not contained in any hyperplane. Indeed, an hyperplane is given by a non-zero linear combinaison s of the si and this function s would be zero on all of C, hence would be zero. Note that the intersections of V with a hyperplane H : s = 0 are the zeros of s. Now, we can assume that κ is effective then 5.4 Interlude: canonical map and hyperelliptic curves 49 divs + κ ≥ 0 so s has at most 2g − 2 poles counted with their orders. If it would have less then s ∈ L (κ − P) but we have seen that this is not possible. Hence s has exactly 2g − 2 poles and therefore zeros with multiplicities. We will say therefore that the canonical image of the curve is a curve of degree 2g − 2. By Bézout theorem [30, page I.7.7], it can be shown that a complete intersection of hypersurfaces of degre d1,...,dt is of degree d1 ···dt (see [44, Sec.5.5] for more intuitive way of seeing the degree).

g−1 R This is a characterization of this embedding. Indeed if φ : C → P is a non-degenerate embedding then one can consider the divisor D = φ(C)∩H where H : s = 0 is any hyperplane. Moreover, by hypothesis, D has degree 2g − 2. The Riemann-Roch space L (D) contains all the hyperplane sections s (since the quotient of two sections is a function on the curve, they are all linearly equivalent) which is a vector-space of dimension g. We have seen in Section 4.2 that these properties characterize κ. The canonical embedding allows a geometric interpretation of the index of speciality. Indeed if D = ∑Pi, the Pi all distinct, we see that L (κ −D) is the space of linear forms which passes g−1 by the points Pi. Hence i(D) = g − 1 − d where d is the dimension (as subvariety of P ) of the intersection of the hyperplanes containing all the points Pi. This is still the case if some of the Pi are the same asking for hyperplanes with higher tangency conditions.

Let us analyze hyperelliptic curves further. We have seen that C is hyperelliptic iff there exist two points P,Q ∈ C(k) distinct for which `(P + Q) = 2. This implies that there exists a degree 2 morphism ρ : C → P 1 and over k of characteristic different from 2 we are back to the case studied in Example 3.5. Lemma 5.4.1 — [33, VII.Prop.4.29]. The morphism ρ is unique (up to a choice of coordinates of P 1) and therefore defined over k. One can find another proof based on “Riemann inequality” in [45, page VI.2.4]. Since the extension k(C)/k(P 1) is uniquely determined and Galois, it induces by Theorem 3.2.3 a unique involution ι : C → C defined over k and called the hyperelliptic involution. From the existence of φ, we see that there is always a k-morphism of degree 2 from C to a conic in P 2. If this conic has a point then we are back to the familiar situation and we can write C : Y 2 = f (X). We say that C admits a hyperelliptic equation.

R To go further, one has to look more closely at the canonical map. One can show that over k one has φκ g− C / P 1 dX XdX Xg−1dX g−1 (X,Y) / ( Y : Y ... : Y ) = (1 : X : ... : X ) 3 ρ Segré embedding ψ P 1 X g−1 ∗ By definition of the canonical map, for a hyperplane H ⊂ P , one has φ (H ∩ φK(C)) ∼ κ. | {z } =D ∗ The image of ψ (D) is a divisor of degree g − 1 on P 1, hence it is linearly equivalent to 1 ∗ (g − 1)P for any P ∈ P . We therefore get that κ ∼ (g − 1)ρ P. This also implies that ρ∗κ = ∗ ∗ ∗ ∗ (ρ∗ρ )(ψ D) = 2(ψ D). Starting with H defined over k we then get a divisor ψ D which | {z } =2 0 ∗ g−2 k k g D = D + 1 is defined over (since κ and ρ are defined over ). If is even then ψ 2 κP is a k-rational divisor of degree 1. By Riemann-Roch theorem, we see `(D0) = 1 so D0 is linearly equivalent to a k-rational effective divisor of degree 1, i.e. a k-rational point. This proves that ρ(C) is a conic with a k-rational point and therefore k-isomorphic to P 1. Hence, we have proved that if C/k is a hyperelliptic curve of even genus then C admits a hyperelliptic equation. Note that there are counterexamples in odd genus. 50 Chapter 5. Description of the curves up to genus 5

In the sequel, we will restrict ourselves to non-hyperelliptic curves but note that in MAGMA , hyperelliptic curves have much more functionalities developed (in particular for genus 2 and 3).

R MAGMA can compute canonical embeddings in the following way: P:=PolynomialRing(Rationals(),3); PP:=ProjectiveSpace(P); C:=Curve(PP,X^5+Y^5+Y^2*Z^3); Genus(C); 4 phi:=CanonicalMap(C); C2:=CanonicalImage(C,phi); PP:=AmbientSpace(C2); C2; Curve over Rational Field defined by -X2^2 + X1*X3, X1^2*X2 + X3^3 + X4^3

5.5 Genus 3 case Let us identify C with its image by the canonical embedding in P 2. It is therefore a plane curve defined by F(X,Y,Z) = 0. Since the intersection of a line with C is of degree 4, we conclude that C is a plane smooth quartic. Conversely, any plane smooth quartic is a genus 3 non hyperelliptic curve by the first part of Remark 5.4. Proposition 5.5.1 Any non hyperelliptic genus 3 curve over a field k is k-isomorphic to a plane smooth quartic. Conversely any plane smooth quartic is a non hyperelliptic genus 3 curve.

R The picture at the beginning of the chapter is a genus 3 non hyperelliptic curves with its 28 bitangents (lines which are tangent to the quartic at 2 (not necessarily distinct) points). One can prove that over a ﬁeld of characteristic different from 2, a plane smooth quartic has always exactly 28 such lines.

5.6 Genus 4 case Let P(r,d) be the space of homogeneous polynomials of degree d in r + 1 variables. r+d Lemma 5.6.1 One has that dimP(r,d) = d . Proof. Fixing a monomial is giving r bars among d points. For instance ···|·|· is the representation 3 of the monomial x0x1x2. Hence representing all the monomials is the same as choosing r elements r+d r+d (which will become bars) among r + d. We then get dimP(r,d) = r = d . Let us identify the image of C with its canonical embedding. Let H : h = 0 be a hyperplane in P 3, then d(H ∩C) ' dκ and we get a morphism

P(3,d) → L (dκ) F F 7→ . hd When d = 1, we know that this is an isomorphism. When d = 2, one has that dimP(3,2) = 10 3 whereas `(2κ) = 9. Therefore there is a quadric Q = Vp(q) ⊂ P which vanishes identically on C. The quadric Q is absolutely irreducible because no hyperplane vanishes identically on C. There cannot be 2 independent quadrics since it would deﬁned a curve of degree 4 when degC = degκ = 6. 5.7 Genus 5 and beyond 51

Hence Q is unique. When d = 3, we see that dimP(3,3) = 20 whereas `(3κ) = 15. The kernel is of dimension at least 5 and contains qX,qY,qZ,qT but also a new absolutely irreducible cubic surface E. The intersection of Q and E deﬁnes a curve of degree 6 which is therefore equal to C. Proposition 5.6.2 A non hyperelliptic genus 4 curve is the intersection in P 3 of a unique quadric and a cubic surface in P 3.

5.7 Genus 5 and beyond To go further, one needs more knowledge on divisors and good references are [34] and then [20]. One needs ﬁrst to prove Castelnuevo’s bounds (see [20, III.§2]) which use the uniform/general position theorem which is subtle in positive characteristic (for instance it becomes wrong for singular 1-dimensional varieties). One can ﬁnd a proof for curves in [15]. One also needs Max Noether’s theorem see [20]:

Theorem 5.7.1 If C is a non hyperelliptic curve of genus g then P(g − 1,d) → L (dκ) is surjective for all d ≥ 1.

This shows in particular that C is projectively normal. Enrique-Babbage theorem [20] shows that g− if C is a non-hyperelliptic curve of genus g over k canonical embedded in P 1 then it is either an intersection of quadrics or trigonal (i.e. there is a degree 3 map to P 1) or it is isomorphic to a smooth plane quintic (of genus 6). Petri’s analysis completes this description by giving the coordinate rings in terms of generators and first sizygies. In his [35, Lecture I], Mumford says that this work enables to say “I have seen every curve once”. But Frank Olaf Schreyer does not agree with this point of view in his second lectures in 2002: “this is non-sense. We have no idea j how to solve the many equations among the aik which garanties that we have a Gröbner basis” (the coefficients which defines the curves). His work is to make this description manageable and thanks to him one can now (with MAGMA for instance) draw at random a curve up to genus 15.

g−1 R When g > 5, Petri’s result implies that one cannot take g − 2 random quadrics in P and hope for a genus g curve as the following example shows, whereas Schreyer’s functionalities allow this. g:=6;FF:=GF(11);P:=PolynomialRing(FF,g); PP:=ProjectiveSpace(P); L:=LinearSystem(PP,2); Leq:=[Random(L) : i in [1..g-2]]; C:=Curve(PP,Leq); Genus(C); 17 C:=RandomCurveByGenus(6,FF); Genus(C); 6 Let us point out that we could also look for more compact representation of our objects. This is the purpose of Section 8.3.

To come back to genus 5 non hyperelliptic case, C is contained into the intersection of three quadrics in P 4. If C is also not trigonal then this intersection is complete, otherwise one needs to add some equations of higher degree. Indeed, C is trigonal iff there exists an effective divisor D of degree 3 such that `(D) ≥ 2, i.e. i(D) ≥ 3 but this implies that the support of D is on a line by the geometric version of Riemann-Roch theorem. Such a curve can be easily represent by a singular model with a node as illustrated by the following picture: the degree 3 map is the one defines by parametrizing the line aX + bY = 0 through the node (0 : 0 : 1) by {(a : b) ∈ P 1} and the image of a point on C \{(0 : 0 : 1)} is the (a : b) which correspond to the line through this point. 52 Chapter 5. Description of the curves up to genus 5 Arithmetic of curves and its II Jacobian over finite fields

6 Number of points of curves over ﬁnite ﬁelds ...... 55 6.1 Weil conjectures for curves 6.2 Maximal number of points 6.3 Codes

7 Jacobian of curves ...... 73 7.1 Abelian varieties: algebraic and complex point of view 7.2 Jacobians 7.3 Application to cryptography 7.4 Construction of curves with many points

6. Number of points of curves over ﬁnite ﬁelds

e Let C be a curve of genus g over a finite field k = Fq with q = p for p a prime. As this curve is n n n n− contained in a P we see that its number of k-rational points is smaller than #P (k) = q + q 1 + ... + 1. Can we make this bound more precise? In particular, could it be intrinsically associated to some invariant of the curve? We can distinguish two cases: g− • If the curve is non-hyperelliptic then we can embed it in P 1 and therefore the bound depends only on the genus (but exponentially); • If the curve C is hyperelliptic, we know that it is a degree 2 cover of a conic, which over a finite field has always a point, so the latter is actually a P 1. Since #P 1(k) = q + 1, one gets that #C(k) ≤ 2q + 2 which does not depend on the genus. To get a more precise idea, one can do some numeric simulations for g = 1 (resp. g = 2) and 5 ≤ p ≤ 100 (resp. 3 ≤ p ≤ 30) where we are going to plot the maximal number of points of a curve of genus g over (see Section 8.5 for the implementation in MAGMA ). We compare this Fp √ number Np(g) with the function x 7→ x + 1 and then Np(g) − (p + 1) with x 7→ 2g x which seems to fit well with the data. For genus 1, the results are quite amazing: the value N (1) seems to be exactly equal to √ √p 1 + p + b2 pc. For g = 2, the comparison with 1 + p + 2b2 pc is less convincing1. We could expect that for small values of p ≤ 7 since in that case the bound 2p + 2 is smaller! But this still happens for p = 13,17. Can this be explained? Another experiment which was made in Section 8.5 was to see the influence of the number of points over Fp of a curve on the number of points over its extensions. It seems that the number of Fqe -rational points of a curve of genus g defined over Fq is controlled by the number of Fqi -rational points of the curve for 1 ≤ i ≤ g. All these features will be gathered and explained in the study of Weil conjectures for curves.

√ 1At first sight, one should compare with 1 + p + b4 pc but we will see that the previous one is a sharper bound. 56 Chapter 6. Number of points of curves over finite fields

Figure 6.1: Growth of Np(1) Figure 6.2: Growth of Np(1) − (p + 1)

Figure 6.3: Growth of Np(2) Figure 6.4: Growth of Np(2) − (p + 1) 6.1 Weil conjectures for curves 57

6.1 Weil conjectures for curves In 1949, André Weil made a series of very general conjectures concerning the number of points on varieties defined over finite fields. We restrict to the case of curves. Let k = Fq and for all n ≥ 1, let kn be the extension of degree n of k. Let C/k be a (projective smooth) curve of genus g over k. Definition 6.1.1 The Zeta function of C over k is the power series ! ∞ T n Z(C/k;T) = exp ∑ #C(kn) · . n=1 n

1 Example 6.1 Let us look at P (or equivalently any genus 0 curve by Exercise 8.1): indeed 1 n #P (kn) = q + 1 so 1 Z( 1/k;T) = exp(−log(1 − T) − log(1 − qT)) = . P (1 − T)(1 − qT)

Theorem 6.1.1 — Weil conjectures. With the above notations, we have the following properties. 1. Rationality : Z(C/k;T) ∈ Q(T). 2. Functional equation :

Z(C/k;1/(qT)) = (qT 2)1−gZ(C/k;T).

3. Riemann hypothesis : there exists a polynomial f ∈ Z[T] of degree 2g, called the Weil polynomial of C such that 2g f (T) = ∏(1 − Tαi) i=1 √ with |αi| = q for all i and such that

f (T) Z(C/k;T) = . (1 − T)(1 − qT)

−s If we let ζC(s) = Z(C/k,q ), we see that the zeros of ζC(s) have a real part equal to 1/2 R −s which is the analogue of the classical Riemann hypothesis for ζ(s) = ∑n≥1 n .

n 2g n Corollary 6.1.2 We have #C(Fqn ) = 1 + q − ∑i=1 αi .

Proof. We have n log(Z(C/k;T) = ∑#C(kn)T /n = log( f (T)) − log(1 − T) − log(1 − qT) n n n = ∑log(1 − αiT) + ∑T /n + ∑q T /n ! n n n = ∑ −(∑αi ) + 1 + q T /n. n i 58 Chapter 6. Number of points of curves over ﬁnite ﬁelds

2 3 Example 6.2 Consider the elliptic curve : E/F7 : y = x + 2. It has 9 rational points, namely (0 : 1 : 0),(0 : 3 : 1),(0 : 4 : 1),(3 : 1 : 1),(3 : 6 : 1),(5 : 1 : 1),(5 : 6 : 1),(6 : 1 : 1),(6 : 6 : 1). So we must have 7T 2 + T + 1 Z(E/ ;T) = . F7 (1 − T)(1 − 7T) 2 In particular the number of points of E/F49 is 1+49−(1 −2·7) = 63 which can be checked with MAGMA in the following way

E:=EllipticCurve([0,0,0,0,GF(7)!2]); #Points(ChangeRing(E,GF(49)));

These conjectures were solved by Weil in the case of curves and abelian varieties using intersection theory on C ×C, see for instance [8] or [7] for a modern use of the techniques. The general case was solved by Deligne in 1973 using cohomological techniques. We will present here the main ideas of an elementary proof due to Stepanov and Bombieri.

Example 6.3 MAGMA can compute Weil polynomials as long as there are speciﬁc algorithms to do so (see Section 7.3) or the genus and the ﬁeld are not too large.

P:=PolynomialRing(GF(11),3); PP:=ProjectiveSpace(P); Q:=PolynomialRing(Rationals()); C:=Curve(PP,X^5+Y^5+Y^2*Z^3); Q!LPolynomial(C); 14641*T^8 - 2299*T^6 + 231*T^4 - 19*T^2 + 1 Note that once the Weil polynomial is computed, it is almost for free to get the one for the same curve over any extension. For instance

Q!LPolynomial(C,2); 214358881*T^8 - 67319318*T^7 + 12049543*T^6 - 1618496*T^5 + 170005*T^4 - 13376*T^3 + 823*T^2 - 38*T + 1

gives the Weil polynomial of C over F112 .

6.1.1 Rewriting of Z(C/k,T) In the finite field case, the structure of Gal(k¯/k) is simple: it is generated by a single element q σ σ n−1 σ : x 7→ x .A place of degree n is a divisor D = P + P + ... + P for P ∈ C(kn) which is not in n C(km) for m|n. Let us denote Pic (C)(k) the set of linear equivalence classes of k-rational divisor of degree n (See Definition 3.3.2). If φn is the number of places of degree n then #C(kn) = ∑m|n mφm. One then gets

∞ ! ∞ degD −1 m −φm m log ∏ (1 − T ) = log ∏ (1 − T ) = − ∑ φm log(1 − T ) D place m=1 m=1 ! ∞ ∞ T mn ∞ T m = ∑ φm ∑ = ∑ ∑ nφn m=1 n=1 n m=1 n|m m ∞ T m = ∑ Nm = logZ(C/k,T). m=1 m 6.1 Weil conjectures for curves 59

Hence we get ∞ ∞ degD −1 ideg(D) n Z(C/k,T) = ∏ (1 − T ) = ∏ ∑ T = ∑ AnT D place D place i=0 n=0

where An is the cardinal of An which is the k-rational effective divisor of degree n (with A0 = 1). Indeed, every k-rational effective divisor is uniquely a sum of places with a given multiplicity. Let δ0 = min{degD > 0 s.t. D is defined over k}. This number is reached by the degree of a divisor D0 (we will see that δ0 = 1). If δ0 - n, then An = 0 since otherwise writing n = aδ0 +r with 0 < r < δ0, one sees that for D ∈ An, one gets a k-rational divisor D − aD0 of degree r < δ0. n 0 If δ0|n, the map D 7→ D−n/δD0 shows that there is a bijection between Pic (C)(k) and Pic (C)(k). Note that this is a set of finite order h. Indeed for m ≥ g and divisible by δ, we see using Riemann- Roch theorem that each class contains an effective divisor. The points in the support of such a divisors can be gathered by orbit under σ of length less or equal to m, hence are defined over a degree at most m of k. The number of such points is finite and so is #Picm(C)(k) = #Pic0(C)(k). We get that q`(D)−1 − 1 qn−g − 1 An = ∑ #|D| = ∑ = h D∈Picn(C)(k) D∈Picn(C)(k) q − 1 q − 1 the last equality being true as soon as n > 2g − 2. This means that 2g−2 n n f (T) Z(C/k,T) = AnT + AnT = ∈ Q(T). (6.1) ∑ ∑ (1 − T δ0 )(1 − (qT)δ0 ) n=0 n>2g−2,δ0|n | {z } polynomial

6.1.2 δ0 = 1 Lemma 6.1.3 For all d ≥ 1 d Z(C/kd,T ) = ∏ Z(C/k,εT). ε s.t. εd =1 Proof. ! ∞ (εT)m Z(C/k,εT) = exp #C(k ) ∏ ∏ ∑ m m ε s.t. εd =1 ε s.t. εd =1 m=1 ! ∞ T m = exp #C(k ) εm ∑ m m ∑ m=1 ε s.t. εd =1 m Now ∑ε s.t. εd =1 ε = 0 if d - m and d if d|m. We hence get ! ∞ (εT)md Z(C/k,εT) = exp #C(k ) = Z(C/k ,T d). ∏ ∑ md m d ε s.t. εd =1 m=1 d dδ dδ From (6.1), we see that Z(C/kd,T ) is of the form f1(T)/((1 − T 1 )(1 − (qT) 1 )) with δ δ δ1 ≤ δ0 whereas Z(C/k,εT) is of the form f (εT)/((1 − (εT) 0 )(1 − (εqT) 0 )). When d = δ0, the denominator of the product is (1 − T δ0 )δ0 (1 − (qT)δ0 )δ0 . Note that the expression (6.1) (as a sum d of a polynomial and the fraction) shows that the order of the pole of Z(Ckd ,T ) at 1 is exactly 1 whereas it is δ0 for the product. By comparing the orders, we see that δ0 = 1.

This implies that there is a k-rational divisor of degree 1 and we have seen that this is not necessarily the case over number fields, even for elliptic curves (see Remark 5.2). 60 Chapter 6. Number of points of curves over finite fields

6.1.3 Functional equation

Using the fact that δ0 = 1, we can rewrite 1 Z(C/k,T) = (A(T) + hB(T)) q − 1

`(D) deg(D) qgT 2g−1 1 where A(T) = ∑D deg(D)≤2g−2 q T and B(T) = 1−qT − 1−T . Since D → κ − D is a bijection between divisor classes of degree 0 ≤ n ≤ 2g − 2, we get that A(T) = qg−1T 2g−2A(1/(qT)) and on the other hand B(T) = qg−1T 2g−2B(1/(qT)) and then the functional equation. Using the latter one also sees that deg f = 2g.

6.1.4 Riemann hypothesis One starts with a reduction lemma. Lemma 6.1.4 The following properties are equivalent √ 1. |α | = q for all i; i √ 2. |αi| ≤ q for all i; 3. There exists an A > 0 such that for inﬁnitely many m

m m/2 |#C(km) − (1 + q )| ≤ Aq .

Proof. Let us prove that 2 implies 1. The functional equation shows that the application α 7→ q/α √ √ is a bijection on the set {α }. Hence if |α | ≤ q for all i, then |q/α | ≤ q for all i but then √ i i i |αi| ≥ q for all i. Let us prove that 3 implies 2. The series S(z) = ∞ (αm + ... + αm )zm is equal to 2g 1 ∑m=0 1 2g ∑i=1 1−αiz and its convergence radius is R = (max|α |)−1. The inequality of 3 shows that R ≥ q−1/2 hence √ i |αi| ≤ q for all i.

We therefore have to prove an upper bound and a lower bound on C(km) for inﬁnitely many m. 2 Let us start with the upper bound. We can assume that q = q0 and that there exists a point Q ∈ C(k). One then construct very carefully a function f ∈ L ((q0(2g + q0) + q0 + 1)Q) such that f (P) = 0 for all P ∈ C(k) \{Q} (see Exercise 6.1). One then gets that √ #C(k)−1 ≤ degree of the zero divisor of f ≤ degree of the pole divisor of f ≤ q+1+(2g+1) q.

For the lower bound, the argument is more involved. As we can assume that C(k) has a point, we can construct a function defined over k which induces a morphism C → P 1. Looking at the function field extension k(P 1) → k(C), we can consider its Galois closure K (with Galois group G) and this field corresponds to a curve C0 defined over a finite extension of k and a morphism 0 φ : C → C → P 1. Extending once more the field k, we can assume that the curve and the morphism are defined over k. Note that since any k-rational point on C0 maps to a k-rational point on C, to get a lower bound on #C(k) it is enough to get one on #C0(k) = #{P ∈ C0(k) s.t. Pσ = P}. Now for all but finitely many Q ∈ P 1(k) (there are only a finite number of ramified points), we −1 have that φ (Q) = {P1,...,P#G}. One denotes N(C0,h) = #{P ∈ C0(k) s.t. Pσ = h(P)}.

In particular #C0(k) ≥ N(C0,1). The construction of f above can be adapted to prove that N(C0,h) ≤ √ q + (2gC0 + 1) q + 1. Now

0 1 ∑ N(C ,h) = #G · #P (k) + O(1). h∈G 6.1 Weil conjectures for curves 61

1 −1 σ −1 σ Indeed for Q ∈ P (k), if Pi ∈ φ (Q) then Pi ∈ φ (Q) so Pi = h(Pi) for h ∈ G. Moreover except when Q is a point over which φ is ramified we have exactly #G elements in the fibre. Here O(1) takes into account the fixed contribution of the ramification points which does not change when taking extensions of k (when k is large enough). From this and the upper bound one deduces that √ N(C0,h) = q + O(q1/2) and in particular N(C0,1) − q − 1 ≥ A q.

R These techniques to prove arithmetic results with well designed functions have received a lot of attention lately (see [40]). For instance it can be used to prove a ﬁnite version of Kakeya n q+n−1 set: let K ⊂ k a set containing an afﬁne line in each direction. Then #K ≥ n . Another result that can be proved is: let A,B be two non empty subsets of Z/pZ with p a prime then

#{u + v s.t. u ∈ A,v ∈ B} ≥ min(p,#A + #B − 1).

2 Exercise 6.1 Let C/Fq be a curve of genus g ≥ 1 with q = q0 and assume that there exists a point Q ∈ C(Fq). Let us deﬁne for m ≥ 1,

q0 q0 L = L (mQ) ⊗ L (nQ) = { ∑ xi zi : xi ∈ L (mQ), zi ∈ L (nQ)}. i∈I,I ﬁnite

1. Using the fact that `(mQ) ≤ `((m + 1)Q) ≤ `(mQ) + 1, show that there exists a basis f1,..., fr of L (mQ) such that ordQ( fi) < ordQ( fi+1). q0 2. Show that if n < q0 then every y ∈ L can be written in a unique way as ∑ fi zi (proceed by comparing the orders at Q of f q0 z and − r f q0 z for i = min{i s.t. z 6= 0}. i0 i0 ∑i=i0+1 i i 0 i 3. Conclude that dimL = dimL (nQ) · dimL (mQ). This enables to deﬁne the following application

ψ :L → L ((m + q0n)Q) r q0 q0 ∑ fi zi 7→ ∑ fizi i=1 i

q 4. Prove that ψ(x + y) = ψ(x) + ψ(y) and that ψ(λ 0 x) = λψ(x) for λ ∈ Fq. q0 5. Prove that if ker(ψ) 6= 0 and f = ∑ fi zi ∈ kerψ then for each P ∈ C(Fq) \{Q}, one has f (P) = 0 (one can compute f (P)q0 ). We let m = 2g + q0 and we assume that q0 is big enough so that there exists 2g − 1 ≤ n < q0. 6. Prove that dimL ≥ (m + 1 − g) · (n + 1 − g). 7. Prove that `((m + q0n)Q) = m + q0n + 1 − g. 8. Show that kerψ 6= 0.

0 Exercise 6.2 Let C/Fq be a curve of genus g and h(Fq) = #Pic (C)(Fq). We denote f the Weil polynomial of C/Fq • Show that h(Fq) = f (1); n • Show that if d is a prime dividing h(Fq) and if n ≥ 1 is such that d|n(q −1)/(q−1) then d|h(Fqn )/h(Fq).

Exercise 6.3 Let C/Fq be a curve with Weil polynomial f = ∏(1 − aiT). Prove that the Weil n polynomial of C/Fqn is ∏(1 − ai T) for all n > 0. 62 Chapter 6. Number of points of curves over ﬁnite ﬁelds

6.2 Maximal number of points Among the many questions which can be asked about curves over finite fields, the one which has attracted the most attention is the one about their maximal number of points2 mainly because of its application to coding theory (see Section 6.3). We have seen that Corollary 6.1.2 says also that #C(k) = 1 + q − ∑αi which implies that √ |#C(k) − 1 − q| ≤ |∑αi| ≤ ∑|αi| ≤ 2g q. This has two easy consequences : 1. if q is large enough compared to g, C has always at least one k-rational point; In particular when g = 0 or 1, C has always a k-rational point. √ 2.# C(k) ≤ 1 + q + 2g q. This bound is know as Hasse-Weil bound. This leads us to introduce the following definition.

Definition 6.2.1 Let g ≥ 0 be an integer and q a prime power. We denote by Nq(g) the maximal number of points of a curve of genus g over Fq. A curve which number of rational points reaches this value is called a maximal curve. For several decades, number theorists assumed that the Hasse-Weil bound was optimal (at least when q is large enough) until 1973 when Stark improved the bound by two in a particular case. Since then, there has been a (mathematical) world-wide game consisting at finding the exact value of Nq(g). Indeed, except for g = 1,2 (see Section 6.2.3) this value is not known in general and so things are handle case by case. In order to keep track of the progress made on the question a web site has been created. There are two directions to tackle this problem : 1. Decrease the bound: we are going to give some of the arguments used in this direction. 2. Constructing/proving existence of curves: we are not going to deal theoretically with this question (but let have a look at the challenges contained in Exercises 8.6 and 8.7). Let us just say that roughly speaking on can distinguish the following approaches : • Methods from general class field theory (powerful but not explicit); • Methods from class field theory based on Drinfeld modules of rank 1 (explicit); • Fiber products of Artin-Shreier curves; • Towers of curves with many points; • Miscellaneous methods as : formulas for Nq(1),Nq(2), explicit curves, e.g. Hermitian curves, Klein’s quartic, modular curves, quotient of curves with many points and curves obtained by computer search.

R This domain is quite new: after Weil’s proof, it was re-lauched by Serre’s lectures at Harvard in 1985. Plenty of mysteries remain: note that the intuitive fact that limq→∞ Nq(g) = ∞ has been proved only in 2002 [10] and that despite many efforts the values of Nq(3) are not known for all q.

6.2.1 General arguments We are going to give general arguments (i.e which are good for g q) which follow Serre’s idea of ‘formules explicites’. Let us start with Serre’s original improvement.

2Note that for a few years, the question of the repartition of the number of points has gained a lot of attention and has created a new ﬁeld called arithmetic statistic. 6.2 Maximal number of points 63

Theorem 6.2.1 — Hasse-Weil-Serre bound. For every curve C/Fq of genus g, on has that √ #C(Fq) ≤ q + 1 + gb2 qc.

Proof. The functional equation is equivalent to the fact that the Weil polynomial satisﬁes T 2g · f (1/(qT)) = f (T). Hence if α is a root of f then α = q/α is also (this was clear when α ∈ \ i √ i √ i i C R by Galois and the fact that |αi| = q but if αi = ± q then this is not imply by the Riemann g hypothesis). Hence we have that #C(Fq) = q + 1 − ∑i=1(αi + αi). Let √ xi = b2 qc + 1 + αi + αi.

By the Riemann hypothesis, xi are totally positive algebraic integers. Therefore their product is at least 1. It follows from the arithmetic-geometric mean inequality that

!1/g 1 g g ∑ xi ≥ ∏xi ≥ 1. g i=1 i=1

So we have ∑xi ≥ g which is easily seen to imply the result.

A second improvement is due to Ihara. Consider C also over Fq2 . We have g 2 2 2 #C(Fq) ≤ #C(Fq2 ) = q + 1 − ∑(αi + αi ) i=1 g 2 2 = q + 1 + 2gq − ∑(αi + αi) i=1 g !2 2 1 ≤ q + 1 + 2gq − ∑ αi + αi g i=1

The last inequality is Cauchy-Schwartz (with the vectors (α1,...,αg) and (1,...,1)). We conclude that 1 #C( ) ≤ q2 + 1 + 2qg − (#C( ) − q − 1)2. Fq g Fq

Theorem 6.2.2 q 2 2 #C(Fq) ≤ q + 1 + ( (8q + 1)g + 4(q − q)g − g)/2 √ which is better than Hasse-Weil bound if g ≥ (q − q)/2.

Now we come to the best known estimate due to Drinfeld and Vladut.˘ The proof is an extension of Ihara’s argument. It involves a consideration of all ﬁnite extensions of Fq. Recall that φd is the ∞ n number of places of C of degree d. So we have #C(Fqm ) = ∑d|m dφd. Let Ψ(T) = ∑n=1 cnT be a polynomial (i.e cn = 0 for n large enough) with non negative coefﬁcients for which

Ψ(t) + Ψ(t) + 1 ≥ 0 for all t ∈ C with |t| = 1. (6.2)

n By Ψd(T) we denote the polynomial ∑n≡0 (mod d) cnT .

Theorem 6.2.3 Let C be a curve over Fq of genus g and Ψ(T) be a polynomial as above. We 64 Chapter 6. Number of points of curves over ﬁnite ﬁelds

have −1/2 1/2 −1/2 ∑ dφdΨd(q ) ≤ g + Ψ(q ) + Ψ(q ). d≥1

√ iθ Proof. As usual, let α j denote the zeros of χ. By the Riemann hypothesis, we have α j = qe j with θ j ∈ R. Moreover suppose we have ordered the α j such that θg+ j = −θ j. We have that

g n n/2 inθ j −inθ j #C(Fqn ) = q + 1 − q ∑(e + e ). j=1

So g iθ j −iθ j inθ j −inθ j 0 ≤ ∑(Ψ(e ) + Ψ(e ) + 1) = g + ∑cn(e + e ) j=1 j,n −n/2 n = g + ∑ q cn(q + 1 − #C(Fqn )) n≥1 1/2 −1/2 −n/2 = g + Ψ(q ) + Ψ(q ) − ∑ ∑ q dφdcn d≥1 n≡0 (mod d) and the inequality follows.

−1/2 −1/2 −1/2 Since ∑d dφdΨd(q ) ≥ φ1Ψ1(q ) = #C(Fq)Ψ(q ), the theorem clearly implies that (Oesterlé’s bound): g + Ψ(q1/2) #C(Fq) − 1 ≤ . Ψ(q−1/2)

If one takes Ψ(T) = T/2 one ﬁnds Hasse-Weil bound. One can try also Ψ = (4T + 3T 2 + 2T 3 + T 4)/5.

R For q and g ﬁxed there is an explicit optimal Ψ (see [16]).

Example 6.4 Let fix g = 3 and q = 2. The Hasse-Weil bound is approximately 11.48. Hasse- Weil-Serre’s bound is 9, Ihara’s bound is 8. With our polynomial we can find 7. We can find this bound in another way : we know that a genus 3 non hyperelliptic curve C can be embedded as a plane quartic, so

2 1 |C(k)| ≤ max( |P (k)| , 2|P (k)| ) ≤ max(4 + 2 + 1,2 · (2 + 1)) ≤ 7. | {z } | {z } non hyperelliptic hyperelliptic

Moreover we have N2(3) = 7 since the curve

y2z2 + yz3 + xy3 + x2y2 + x3z + xz3 = 0

reaches this bound.

R A lot of special arguments have been developed and implemented (look at the information when you click on an upper bound of the tables). Nevertheless, as the tables show, plenty of cases are still open. 6.2 Maximal number of points 65

6.2.2 Asymptotics One fixes a finite field Fq and wants to study the behavior of Nq(g) when g is large. It is classical to study the quotient Nq(g)/g, and more precisely the number N (g) A(q) := lim sup q . g→∞ g From the work done in Section 6.2.1, one has the following upper bounds for A(q). √ Theorem 6.2.4 1. Hasse-Weil’s bound : A(q) ≤ 2 q. √ A(q) ≤ b qc 2. Hasse-Weil-Serre’s bound√ : 2 . 3. Ihara’s bound : A(q) ≤ 2q − 1 . 2 √ 4. Drinfeld and Vladut’s˘ bound : A(q) ≤ q − 1.

Proof. Only the last point requires some explanations. From Theorem 6.2.3 we see that 1 A(q) ≤ . Ψ(q−1/2) We must choose our polynomial Ψ(T) in order to get an estimate for A(q). The larger we can take the cn, the better the estimate will be. However we have that Z 2π 1 iθ −iθ 0 ≤ (1 + Ψ(e ) + Ψ(e ))(1 − cos(nθ))dθ = 1 − cn. π 0

So cn ≤ 1 and we cannot choose all cn = 1 since they should be zero for large n. We will instead choose a sequence of polynomials whose coefﬁcients approach 1. For instance, let us take N i Ψ(T) = ∑(1 − )T i. i=1 N + 1 One veriﬁes that 1 1 + Ψ(T) + Ψ(T −1) = (1 + T + ... + T N)(1 + T −1 + ... + T −N) N + 1 which proves the condition (6.2). It is easy to see that this gives a decreasing sequence of bounds on A(q), the limit of which is √ q − 1.

6.2.3 The cases g = 1 and 2 For completeness, we give here without proof (based on complex multiplication theory for genus 1 and 2 and theory of hermitian modules for genus 2) the general result.

Theorem 6.2.5 — [5]. ( √ √ q + b2 qc if p|(q + 1 + b2 qc) and if q = pe with e odd; Nq(1) = √ q + 1 + b2 qc otherwise.

We give here for reference the case of genus 2 which is due to Serre.

Theorem 6.2.6 — [0]. If q is a square different from 4 and 9 then √ Nq(2) = q + 1 + 4 q.

Moreover N4(2) = 10 and N9(2) = 20. 66 Chapter 6. Number of points of curves over finite fields √ If q is not a square, we denote q = pe and m = b2 qc. We say that q is special if one of the following properties is satisfied • p|m. • it exists an integer x such that q = x2 + 1. • it exists an integer x such that q = x2 + x + 1. • it exists an integer x such that q = x2 + x + 2. If q is non special then Nq(2) = q + 1 + 2m.

If q is special then √ ( √ 5−1 q + 2m if {2 q} ≥ 2 ; Nq(2) = q + 2m − 1 otherwise where {} denotes the fractional part of the number.

Exercise 6.4 The maximal number of k-rational points of singular algebraic variety can also be interesting to look at. Let C/Fq be a plane 1-dimension algebraic set of degree n which irreducible components are n rational lines. Prove that

nq − n(n − 3)/2 ≤ #C(Fq) ≤ nq + 1.

Show that the lower limit is achieved if and only if no three of the n lines are concurrent while the upper limit is achieved if and only if the n lines are concurrent. Note that if n = q + 1, the 2 latter passes through all Fq-rational points of P .

6.3 Codes This is part of [46]. For a more basic (and different) introduction to codes, see the following video. Linear codes are a nice domain of applications of the theory we have developed so far.

6.3.1 Deﬁnitions Let A be a ﬁnite set of order q, which we call an alphabet. The set An is equipped with the Hamming metric : the distance d(a,b) is the number of coordinates in which a and b differ:

d((a1,...,an),(b1,...,bn)) = |{i|ai 6= bi}|.

Any non-empty subset C ⊂ An is called a q − ary code of length n. The log-cardinality is k = logq(#C). The minimum distance is deﬁned as d = min{d(a,b)|a,b ∈ C,a 6= b}.

A code with these parameters is called an [n,k,d]q-code. The following relative parameters are also useful : the rate R = k/n and the relative minimum distance δ = d/n. Let us briefly explain why codes are called error-correcting. Start with a given message which is long enough and written in the alphabet A. When this message is transmitted over a channel it is distorted by random fluctuations (noise). Here is a way out. Take an [n,k,d]q-code C. Let for simplicity k be an integer. Cut the message into pieces of length k each. Map every word of length k to an element of C, i.e fix an embedding E : Ak ,→ C ⊂ An, and instead of the piece a ∈ Ak of the message let us transmit the corresponding word E(a) of length n (we encode the message). The transmission is now 1/R times slower, which justifies the term rate for R. On the other end of the channel, we obtain a distorted word E(a)0 ∈ An and we transform it into the nearest word 6.3 Codes 67

E(a)00 ∈ C (i.e we decode the message). If the number of distortions is at most d(d − 1)/2e, then E(a)00 = E(a), i.e the decoding is correct. Therefore, a ‘good’ code is a code with large n and R, δ as close as possible to 1. Both for the construction of good codes and for the design of algorithm of coding and decoding, the notion of a code over an arbitrary alphabet is too poor in structure. m Deﬁnition 6.3.1 Let A = Fq with q = p .A linear code C of length n is a linear subspace n C ⊂ Fq. For linear code k = dimC, d = min{|a|,a ∈ C,a 6= 0} where |a| = |{i|ai 6= 0}| being the weight of a.

n Example 6.5 C = Fq is an [n,n,1]q-code. n C = {(v1,...,vn) ∈ Fq/∑vi = 0} is a [n,n − 1,2]q code. Let P = {P1,...,Pn} ⊂ Fq. Consider the linear space L(a) of all polynomials in one variable of degree at most a with coefﬁcients in Fq. We have dim(L(a)) = a + 1. For n > a a non-zero polynomial f (x) ∈ L(a) cannot vanish at all points of P. Moreover it has at least (n − a) non-zero values at points of P. The evaluation map

n Ev : L(a) → Fq f 7→ ( f (P1),..., f (Pn)) is then injective and its image is an [n,a + 1,n − a]q-code called a Reed-Solomon code of degree a.

As we will see all these codes are a particular case of genus 0 code. 2 Consider the couples (δ(C),R(C)) for all linear codes C. They form a subset Vq of [0,1] . We denote Uq the set of limit points of Vq, i.e. (δ,R) ∈ Uq iff there exists an inﬁnite sequence of different (linear) codes Ci such that

lim(δ(Ci),R(Ci)) = (δ,R).

Since there is only a ﬁnite number of codes of each length, for each sequence n(Ci) → ∞. If δ > 0 and R > 0 such a sequence of codes Ci is called asymptotically good.

Theorem 6.3.1 There exists a continuous function αq(δ), δ ∈ [0,1] such that

Uq = {(δ,R) s.t. 0 ≤ R ≤ αq(δ)}.

Moreover αq(0) = 1 and αq(δ) = 0 for (q − 1)/q ≤ δ ≤ 1, and αq decreases on the segment [0,(q − 1)/q].

R The same result exists for non-linear code.

Almost nothing is now about this function (is it convex, differentiable ?) except some upper and lower bounds which are called asymptotic bounds.

Proposition 6.3.2 — The Singleton bound. αq(δ) ≤ 1 − δ.

n Proof. Let C ⊂ Fq a subspace of dimension k. If d is its minimum distance it means that for all v ∈ C at most n − d components of v are 0. Suppose that k > n − d + 1 then there exists a non zero vector in C with n − d + 1 zero components (by solving the corresponding system). So we get a contradiction and k ≤ n − d + 1. This gives us R ≤ 1 − δ + 1/n so by passing to the limit, we get αq(δ) ≤ 1 − δ.

We report also the following lower bound for comparison with the AG-bound. 68 Chapter 6. Number of points of curves over ﬁnite ﬁelds

Proposition 6.3.3 — Gilbert-Varshamov bound. Let

Hq(x) = xlogq(q − 1) − xlogq x − (1 − x)logq(1 − x).

One has αq(δ) ≥ 1 − Hq(δ).

R One also has the Hamming upper bound

αq(δ) ≤ 1 − Hq(δ/2).

We can summarize the different bound in the following picture when q = 2 where the red line is Singleton bound, the blue line Gilbert-Varshamov bound and the green one the Hamming upper bound.

6.3.2 AG-codes Algebraic-geometric codes (AG-codes) were discovered by V.D. Goppa and came as a result of many years of thinking over the possible generalization of Reed-Solomon codes. Their success comes from the improvements they give on the asymptotic problem. Let X/Fq be a curve such that X(Fq) 6= /0. Let P = (P1,...,Pn) ⊂ X(Fq) be n Fq-rational points and X and D be a Fq-rational divisor with `(D) > 0. We assume that Supp(D) ∩ P = /0. Consider the map

n Ev :L (D) → Fq

f 7→ ( f (P1),..., f (Pn)).

We get a code C = Ev(L (D)). We use the notation C = (X,P,D). Suppose that D is chosen in such a way that any function f ∈ L (D) has at most b zeros at Fq- rational points on X. If n > b then Ev is an embedding, k = `(D) and d ≥ n−b. The Riemman-Roch theorem makes it possible to estimate the parameters of C.

Theorem 6.3.4 Let X be a curve of genus g and let 0 ≤ deg(D) = a < n = #P. Then C = (X,P,D) is a [n,k,d]q-code with k ≥ a − g + 1 and d ≥ n − a. 6.3 Codes 69

Proof. Let D = D1 −D2, D1 ≥ 0,D2 ≥ 0. A non-zero function f ∈ L (D) has at most a1 = deg(D1) poles and at least a2 = deg(D2) zeroes in Supp(D) since D + ( f )0 − ( f )∞ ≥ 0. Hence the number of its zeros out of the SupportD is at most a1 − a2 = a. We have suppose that a < n so Ev is an embedding. Moreover Ev( f ) has at least n − a non-zero coordinates, thus d ≥ n − a. On the other hand C ' L (D), i.e k = `(D) ≥ a − g + 1 according to the Riemann-Roch theorem.

Corollary 6.3.5 Let X be a curve of genus g over Fq and let N = #X(Fq) > g−1. Then for any n = g+1,...,N and for any k = 1,...,n−g there exists a linear [n,k,d]q-code whose parameters satisfy k + d ≥ n − g + 1.

1 Example 6.6 It is clear that the Reed-Salomon codes are examples of AG-code with X = P . 2 3 Consider the cubic X/F2 : y +y = x +x. It has 5 points over F2 : (0,0),(0,1),(1,0),(1,1) and O. We take D = 2(O); then we have L (D) = {0,1,x,x + 1} and evaluating at the remaining 4 points we obtain the following code :  (0,0) 0 1 0 1   (0,1) 0 1 0 1     (1,0) 0 1 1 0  (1,1) 0 1 1 0 a hardly impressing [4,2,2]-code (a good one can be constructed with the Klein’s quartic and some additional tricks of coding theory). Let us show now why the AG-codes are so important in the asymptotic theory and why we are interesting in curves with many points.

Theorem 6.3.6 If there exists a family of curves Xi over Fq of genus gi → ∞ such that g γ = liminf i < 1 Ni

where Ni = #Xi(Fq), then αq(δ) ≥ 1 − γ − δ.

Proof. According to the last corollary, the codes constructed from Xi have parameters [ni,ki,di]q, where ni = 1,2,...,Ni and ki = 0,1,...,ni − gi and

ki + di ≥ ni − gi + 1, i.e. taking n = N , R = 1 − gi−1 − δ . Passing at the limit one obtains the result. i i i Ni i

Nq(g) Recall that A(q) = limsup g and so we can construct a family with γ = 1/A(q). So ﬁnding curves with many points, gives large A(q) so small γ and then good lower bound for α . √ q In fact if q is an even power of a prime then A(q) = q − 1 (in Section 6.3.3 we will prove that this is the case for q = p2) and so we get

Corollary 6.3.7 If q is an even power of a prime then

√ −1 αq(δ) ≥ 1 − ( q − 1) − δ. 70 Chapter 6. Number of points of curves over ﬁnite ﬁelds

R This AG-bound was a big revolution in the theory of codes because it improves for many cases the classical Gilbert-Varshamov bound which was so far believed optimal. For instance, here with q = 112, where as before the red line is Singleton bound, the blue line Gilbert-Varshamov bound, the green one the Hamming upper bound and now the black line is the AG-bound.

3 Example 6.7 We construct a [25,9,16]16 code over F16 using the genus 1 curve X + X2Z +Y 3 +Y 2Z + Z3 = 0. F := GF(16); P2 := ProjectiveSpace(F, 2); f := x^3+x^2*z+y^3+y^2*z+z^3; X := Curve(P2, f); g := Genus(X); found, place_k := HasPlace(X, 9+g-1); D := DivisorGroup(X) ! place_k; C := AlgebraicGeometricCode(places1, D);

6.3.3 Modular codes

We want to construct a family of curves of genus gi over Fp2 with Ni rational points such that limsupNi/gi = p − 1. We are going to do that by using the modular curves X0(N) (the general case requires Drinfeld modular curves). Let N ≥ 3 and let MN be the moduli problem for the elliptic curves with a cyclic subgroup of order N. MN is representable and is an afﬁne curve over Spec(Z[1/N]). One can compactify it ∗ ∗ in a smooth projective scheme MN over Spec(Z[1/N]) and MN ⊗ C is isomorphic to the classical modular curve X0(N) which is given in terms of a certain quotient of the upper half plane. If p does not divide N then X0(N) has good reduction and deﬁnes a curve Xe0(N) over Fp. Note that the case N = 1 is simply the moduli problem of classifying elliptic curves and we have seen that in this case 1 X0(N) = P We want to give a lower bound on the number #Xe0(N)(Fp2 ). Lemma 6.3.8 Let E be a supersingular elliptic curve over Fp. Then j(E) ∈ Fp2 i.e there exists a model of E over Fp2 . Moreover the Frobenius endomorphism acts as ε[p] where ε is an automorphism of E. 2 ¯ Proof. Let q = p . As Ker([p])(Fq) = {O} we see that [q] is purely inseparable. Let σ ∈ ¯ σ p p Gal(Fp/Fp) be the generator and Frobp the isogeny from E → E given by (x,y) 7→ (x ,y ). 6.3 Codes 71

Denoting by Frob\p the dual isogeny, since Frob\p ◦ Frobp = [p], we see that Frob\p is purely inseparable. It follows that we have the following factorization

Frob\p Eσ / E >

ψ Frobp ! Eσ 2 where ψ has degree 1 i.e. is an isomorphism. So

2 2 j(E) = j(Eσ ) = j(E)σ hence j(E) ∈ Fp2 . Let F = Frobq be the Frobenius endomorphism of E. Since [p] is purely inseparable and of degree 2 p , the same argument as above implies that F = ε[p] where ε is an automorphism of E.

Let E/Fp2 be a supersingular elliptic curve whose j-invariant is different from 0 and 1728. The Frobenius endomorphism acts like ±[p]. For all ` prime to p, the cyclic subgroups of E of order ` ¯ are then all deﬁned over Fp2 . Indeed if P ∈ E[`] \{O} then for σ ∈ Gal(Fp2 /Fp2 ) the Frobenius σ σ automorphism we get P = ±[p]P so < P >=< P >. Consider the modular curves Xe0(`) such that ` satisﬁes also ` ≡ 11 (mod 12). Using the complex model of X0(`), one can compute the genus and it is equal to (` + 1)/12. Moreover the “forgetful morphism” X0(`) → X0(1) is of degree ` + 1 since their are ` + 1 possible subgrougs of order ` in E[`] ' (Z/`Z)2. Moreover by the above argument, all the points lying over the supersingular j-invariants (different from 0 and 1728) are rational over Fp2 . Since there are roughly (p − 1)/12 supersingular j-invariants, there are, up to a slight error due to the cusps and the j-values 0 and 1728, at least (` + 1)(p − 1)/12 rational points on Xe0(`). So the ratio 2 #Xe0(`)(Fp) ≥ p − 1. g Xe0(`)

As we have seen that A(Fp2 ) ≤ p − 1 we conclude that A(Fp2 ) = p − 1.

R In 1996, Garcia and Stichtenoth constructed an explicit tower Xl over Fq2 reaching the bound : start with X1 the projective line with coordinates x1 and deﬁne Artin-Schreier covers Xl by

q q+1 yl+1 + yl+1 = xl

with xl = yl/xl−1. Elkies proved that this tower is in fact modular.

R When q is not a square, much less is know : one know that there is a constant c > 0 such that

A(q) ≥ clog2(q) One has also A(q3) ≥ 2(q2 − 1)/(q + 2). More recently good bounds have been found for all values of non-square q which are not prime (see [2]). When q = p, the best lower bounds are obtained using class ﬁeld theory (for instance one has that A(q) ≥ (logq)/96).

7. Jacobian of curves

Let C/k be a curve of genus g > 0. We have already seen in Definition 3.3.2 a definition of Picn(C)(k). The notation used for Pic0(C)(k0) suggests that the elements coud be seen as k0- rational points over a variety. The purpose of this chapter is to make sense to the following definition/proposition and to be able to compute with such an object. Definition 7.0.1 Let C/k be a curve of genus g > 0 and k0/k an extension. There exists a principally polarized abelian varietya, called the Jacobianb of C and denoted JacC of dimension g such that (JacC)(k) = Pic0(C)(k)Gal(k/k) and such that (JacC)(k0) = Pic0(C)(k0) as soon as C(k0) 6= /0(or more generally if there exists a k0-rational divisor of degree 1).

aIn French: variété abélienne principalement polarisée bIn French: jacobienne

0 R Note that it may happen that (JacC)(k) is strictly larger than Pic (C)(k). Consider for instance 2 4 a genus 1 curve E/Q without rational point given by E :Y = −X −1 for instance. Let x0 ∈ Q 4 be a root of X = −1 and P1 = (x0,0),P2 = (−x0,0), P3 = (ix0,0) and P4 = (−ix0,0) be 4 points on E. Let us consider the divisor D = P1 + P2 − (P3 + P4). It is not Q-rational because σ : x → ix does not let D invariant. However Gal(Q/Q) factors through Gal(Q(x0)/Q) which i is a cyclic extension of degree 4 generated by σ. We have that Dσ = (−1)iD. In all cases 2 2 σ σ σ X −x0 D ∼ D because in the case D = −D one has D − D = 2D = div 2 2 . Hence Jac(C)(Q) X +x0 0 is strictly larger than Pic (Q).

Exercise 7.1 Let C be a curve over k and D be a k-rational divisor class of degree 0 (i.e. an element of (JacC)(k)). 1. Show that if `(D) = 1 then D is k-rational. 2. Let us assume from now on that C has a k-rational point P0. Using the inequality 0 0 0 0 `(D ) ≤ `(D + P0) ≤ `(D ) + 1 for any divisor D (proved in the proof of Lemma 3.3.2), show that there exists an integer n such that `(D + nP0) = 1. 74 Chapter 7. Jacobian of curves

3. Conclude that D is k-rational.

7.1 Abelian varieties: algebraic and complex point of view Let us start with a crash course on abelian varieties. Definition 7.1.1 An abelian variety over a field k is a dimension g > 0 projective and smooth variety A such that there exists • a morphism defined over k: + : A × A → A (addition), • a morphism defined over k: − : A → A (inverse), •a k-rational point O ∈ A(k), for which A(k) is a commutative group with identity element O.

R Actually, one needs much less than this. In [24, Chap.5], one sees that any projective group variety is automatically commutative and smooth.

Example 7.1 The first example of an abelian variety is an elliptic curve (i.e. a genus 1 curve with a rational point O). We have seen in Proposition 5.2.1 how to write all these curves by a Weierstrass model. The group law on E can be defined geometrically (see [42, Chap.III] and Picture 7.1 in the 2 case of an equation y = f (x)). But also using Riemann-Roch theorem. Indeed, if P1,P2 ∈ E(k), by Riemann-Roch there exists a unique point P such that P − O ∼ P1 − O + P2 − O and we define P = P1 + P2. One can prove that the two definitions coincide

Figure 7.1: Group law on an elliptic curve

From these elementary pieces, we can then build abelian varieties of higher dimensions: given elliptic curves E1,...,Eg over a ﬁeld k, the variety E1 × ··· × Eg is an abelian variety of dimension g over k. This is of course implemented in MAGMA

E:=EllipticCurve([GF(23)!0,0,0,1,2]); P1:=E![0,5,1]; P2:=E![1,2,1]; P1+P2; (8 : 19 : 1)

7.1 Abelian varieties: algebraic and complex point of view 75

A word about morphisms. Let A,B be two abelian varieties. Every morphism f : A → B is the composition of a homomorphism (i.e. preserving the group structures) with a translation (i.e. a morphism P 7→ P + P0 for P0 ∈ B). Among the homomorphisms the following ones are the most important. Definition 7.1.2 Let f : A → B be a homomorphism such that one of the following equivalent properties holds : 1. dimA = dimB and f is surjective; 2. dimA = dimB and ker( f ) is a finite group (scheme); 3. f is finite, flat and surjective. f is called an isogeny.

R For any isogeny φ : A → B, there exists an isogeny ψ : B → A such that ψ ◦ φ = [deg(φ)]. We can therefore define an equivalence relation on the set of abelian varieties of the same dimension over a field k and get isogeny classes of abelian varieties. This is a weaker notion than k-isomorphisms but over finite fields it conserves most of the arithmetic information: two abelian varieties are isogenous over Fq if and only if they have the same number of points over Fqn for all n > 0 [18]. In particular, the Jacobians of two curves over a finite field are isogenous if and only if their Zeta functions are the same. We will show one direction in Section 7.4.1.

It is in general difﬁcult to work with the equations of a genera abelian variety. Mumford in [12] proved that an abelian variety of dimension g over k can be given (in characteristic different g− from 2) by quadratic equations in P 4 1. The dimension of this space is quickly very large and the intersection far from being complete. Nevertheless, abelian varieties have a well understood structure which is mostly analogous to the structure of the complex torus over C.

Indeed over C, it can be shown that A(C) is isomorphic (as a group) to a complex torus, i.e. g g there exists a discrete subgroup Λ ⊂ C ' R2 generated by 2g R-linearly independent vectors (a g lattice) such that A(C) ' C /Λ. In particular it shows that the subgroup of n-torsion points of A, g A[n](C) = {P ∈ A(C) s.t. nP = O} is isomorphic to (Z/nZ)2 (see Picture 7.2). Such a result is still true over any ﬁeld k as long as n is prime to the characteristic of k.

Figure 7.2: The 4-torsion on a dimension 1 complex torus

Proposition 7.1.1 — [24, V.Th.8.2, Rem.8, 5]. Let A/k be an abelian variety of dimension g and let n > 0 be an integer. Then [n] : A → A deﬁned by P 7→ nP is an isogeny of degree n2g; Moreover 76 Chapter 7. Jacobian of curves

g i ker[n](k) ' (Z/nZ)2 iff the characteristic p of k does not divide n. Otherwise, ker[p ](k) ' i (Z/p Z)γ with 0 ≤ γ ≤ g and γ is called the p-rank of A.

R An elementary proof for ﬁnite ﬁelds can be found in [31, Th.9.72].

Let us denote by End(A) the ring of homomorphisms of A over k. For a “generic” abelian variety over a number field, End(A) = h[1]i ' Z]. However, certain abelian varieties over Q have larger endomorphism ring (note that in all cases the endomorphism ring is a free Z-module of finite rank). Their structure is well known [36] and among them the so called CM-abelian varieties (CM stands for Complex Multiplication) have received the most interests. They are the ones for which End(A) is an order1 in a number field K/Q of degree 2g which is a quadratic imaginary extension of a totally real subfield (such a field is called a CM-field). The arithmetic theory of CM-elliptic curves is very rich and can be found in [43, Chap.II].

Example 7.2 In [43, page II.2.3.1], it is proved that there are only 3 isomorphism classes of elliptic curves over C which possess an endomorphism of order 2 (and they are therefore CM because an elliptic curve E over C for which End(E) 6= Z is necessarily CM). They√ are • E : y2 = x3 + x with CM by Z[i] with j = 1728 generated by (here α = 1 + −1) 1 1 (x,y) 7→ α−2 x + ,α−3y 1 − x x2 √ √ • E : y2 = x3 + 4x2 + 2x with CM by Z[ −2] with j = 8000 generated by (here α = −2) 2 2 (x,y) 7→ α−2 x + 4 + ,α−3y 1 − x x2 √ √ 2 3 1+ −7 1+ −7 • E : y = x −35x+98 with CM by Z[ 2 ] with j = −3375 generated by (here α = 2 ) 7(1 − α)4 7(1 − α)4 (x,y) 7→ α−2 x − ,α−3y 1 + x + α2 − 2 (x + α2 − 2)2

Note that all j-invariants are integers (this is an important properties of CM elliptic curves). When g > 1, not every complex torus is an abelian variety. In order to be so, one must add the data of a Riemann form. First recall that a hermitian form H :V 2 → C on a finite-dimension complex vector space V is a map such that u 7→ H(u,v) is linear, the map v 7→ H(u,v) is antilinear and H(u,v) = H(v,u) fo all u,v. We can always write H = S+iE where E : V 2 → R is an antisymmetric bilinear map which we call the imaginary part of H. g Definition 7.1.3 Let T = C /Λ be a complex torus. A Riemann form on T is an hermitian form g H on C such that its imaginary part E is integer valued on Λ, i.e. E(x,y) ∈ Z for all x,y ∈ Λ. If g H(u,u) > 0 for all u ∈ C , we say that H is positive definite.

Theorem 7.1.2 — [24, IV. Th.A]. A complex torus is the complex point of an abelian variety if and only if it admits a positive deﬁnite Riemann form.

Example 7.3 Let us look at the dimension 1 case. A torus can be written C/Λ with Λ = Zλ1 + Zλ2 which can be chosen such that im(λ1/λ2) > 0. A Riemann form on T is given by the 2 × 2-matrix H = 1 id. We will show in Exercise 7.2 how to link the torus to an elliptic curve. imλ1λ2 The construction of CM-abelian varieties starts with a CM-ﬁeld K of degree 2g. We consider g

1 i.e. a Z-lattice which spans K over Q. 7.1 Abelian varieties: algebraic and complex point of view 77 embeddings φ1,...,φg of K in C which are not complex conjugated and O an order in K. We can g ∗ form the complex torus A = C /Λ where Λ = {(φ1(a),...,φg(a)), a ∈ O}. For any t ∈ K which is such that t¯ = −t and im(φi(t)) > 0 for i = 1,...,g, this deﬁnes an abelian variety for the Riemann form H deﬁned by H(x,y) = trK/Q(txy¯). An “orthogonal case” is the one of Eg, where E is an elliptic curve. It can be proved (see [36, p.209]) that the principal polarizations on Eg are in bijection with the set of g×g hermitian matrices

M with coefficients in End(E) ⊂ C which are positive definite with determinant 1. In the algebraic setting, this notion is an avatar of the notion of polarization which can be developed over any field. We will not try to define it here, but we just say that A/C is principally polarized if the Pfaffian of E on the Z-module Λ is equal to 1. Recall that given a free Z-module A of rank 2g and a non-degenerate alternating form E on A, there exists a basis (called a symplectic 0 ∆ basis) λ ,...,λ of Λ such that the matrix of E in this basis is where ∆ = diag(δ ,...,δ ) 1 2g −∆ 0 1 g where the δi are positive integers with δ1|δ2|···|δg. The Pfaffian is defined by δ1 ···δg.

R This is the gate to the theory of moduli spaces of principally polarized abelian varieties of dimension g: one can show that there exists a quasi-projective variety of dimension g(g + 1)/2 which classiﬁes principally polarized abelian varieties up to isomorphisms (be careful that here the isomorphism respect also the polarization). Over C, this space is isomorphic to Hg/Sp2g(Z) where Hg is the space of g × g-symmetric complex matrices with positive deﬁnite imaginary part and Sp2g(Z) is a certain subgroup of GL2g(Z) which AB elements acts on τ ∈ by (Aτ + B)(Cτ + D)−1. The link between the analytic CD Hg and algebraic representations can be made through analytic functions called theta functions and their relations.

Exercise 7.2 Let Λ = Zλ1 + Zλ2 be a lattice in C with im(λ1/λ2) > 0. One calls a theta function on Λ an entire function θ on C such that for all λ ∈ Λ there exist aλ ,bλ (called the type of θ) such that for all z ∈ C

θ(z + λ) = e2iπ(aλ z+bλ ) · θ(z).

1. Using the analytic map z 7→ z/λ2, show that the complex torus C/Λ is isomorphic to T = C/(Zτ + Z) where τ = λ1/λ2. In the sequel we will assume that we are in the case Λ = Zτ + Z. 2. Deﬁne for a,b ∈ R the function (called Riemann theta functions)

a iπ(τ(m+a)2+2(m+a)(z+b)) θ [b] = ∑ e . m∈Z Show that they are theta functions for Λ. To an entire function f , we can associate its zero-divisor div( f ) = ∑z∈Γ ordz( f )[z] where Γ = {xτ + y, x,y ∈ [0,1[} is a fundamental domain for Λ. Although a theta function is not a function on T since it is not periodic, its zero-divisor is invariant by translation by Λ and therefore deﬁnes a divisor on T a a 0 3. Show that the divisor of θ [b] is te translate of θ [0] by aτ + b. 4. Show that (1,τ) is a direct basis of Λ and that if θ is a theta function then

a1τ − aτ 1 = deg(div(θ)) 78 Chapter 7. Jacobian of curves

(hint: integrate θ 0/θ along the edges of a parallelogram translated from the fundamental domain and not containing a zero of θ.) 5. Conclude that the divisor of a Riemann theta function is of degree 1. h1/2i a 6. Show that θ 1/2 is odd and so that divθ [b] = [τ(a + 1/2) + (b + 1/2)]. Let us denote

0 1/2 0 h1/2i θ00 = θ [0], θ10 = θ 0 , θ01 = θ 1/2 , θ11 = θ 1/2 .

2 3 7. Show that the three function X = θ00θ11,Y = θ10θ01θ11 and Z = θ00 are theta functions with the same type and that they do not have a commun zero. One therefore gets a well deﬁned map φ : z 7→ (X(z) : Y(z) : Z(z)) ∈ P 2(C). We want to show that φ(T) = E where E is the elliptic curve deﬁned by Y 2 = X(αX − β)(βX + α) where 2 2 θ10(0) θ01(0) α = 2 and β = 2 . θ00(0) θ00(0) 2iπ j(τ/8+z/2+k/4) 8. Show that θ jk(z) = e θ00(z + (k + jτ)/2). 2 2 2 9. Show the relation θ01(z) = βθ00(z) + αθ11(z) (hint: show that both members are even theta functions of the same type which are zero at 0 and have the same value at (1+τ)/2). 2 2 2 2 2 2 10. Show the relation θ10(z) = αθ00(z)−βθ11(z) and θ00(z) = βθ01(z)+αθ10(z) (hint: apply the previous relation at z + (1 + τ)/2 and at z + 1/2). 11. Deduce from these equalities that E is smooth and that φ(T) is included in E. It remains to prove that φ is bijective. 12. Show that φ(τ/2 + 1/2) = (0 : 1 : 0). 13. Let (x : y : 1) ∈ E. Show that the function R : z 7→ (X/Z)(z) − x admits a root z0 (hint: consider by absurd 1/R and use the fact that a holomorphic function on the torus is constant). 14. Show that Y/Z(z) = ±y. Conclude that φ is surjective. 15. Show that R admits exactly z0,−z0 as roots on T and conclude that φ is injective. Actually φ is an isomorphism of complex varieties. This can be proved by showing that its

tangent map is everywhere injective.

aSince T will be ultimately an algebraic variety, we know that there is no non-constant function without poles. So there is no non-constant entire functions on the T. What we are constructing here are sections of line bundles (or sheafs).

7.2 Jacobians

We restrict to the case where C(k) 6= /0 and let P0 ∈ C(k). Weil’s construction of the Jacobian relies on constructing a “birational group law” on an open part of Pic0(C) and then gluing translates of this (see [24, Chap.VII]). The construction of the birational group law uses Riemann-Roch theorem as follows. Let Symg C be the (smooth!) variety given by the quotient of Cg by the action of the group of permutations. Clearly Symg C(k) is in bijection with the degree g effective divisors on C. g 0 Lemma 7.2.1 The map φ : Sym C(k) → Pic (C)(k) deﬁned by φ(D) = D − gP0 is surjective and there exists an open subset of Symg(C) on which it is bijective.

Proof. From Riemann-Roch theorem, we see that for any D ∈ Pic0(C)(k), we have that `(D + gP0) > 0. Hence there exists an effective degree g divisor D0 such that φ(D0) = D. The fiber of this map can be identified with |D| and therefore φ is injective at the point for which i(D0) = `(κ − D0) = 0. Let us show that this is an open condition. Claim: let D be a divisor on C for which i(D) > 0. Then there exists a non-empty open subset U of C such that i(D + Q) = i(D) − 1 for any Q ∈ U. Indeed since i(D) = `(κ − D) > 0, there exists an effective divisor D0 such that D0 ∼ κ − D. Then i(D + Q) = `(D0 − Q). Hence if we choose Q 7.2 Jacobians 79 outside the support of D0 and the possible common zeroes of any basis of `(D0) we are imposing an extra linear condition and therefore i(D + Q) = i(D) − 1. Now start with D = /0, then i(D) = g > 0. Applying the previous lemma g times, we find that there g exists an open subset U in Sym C such that i(D) = 0 for all D ∈ U.

One can define a birational group law on Symg C (see Example 7.4 for an intuitive geometric construction in the case of plane quartics) which induces the group law on an open part of JacC. Actually one can characterize JacC as the unique abelian variety which is birationally equivalent to Symg C. ∞ ∞ ∞ ∞ Example 7.4 Let C/k be a plane smooth quartic and D = P1 + P2 + P3 an effective k-rational divisor of degree 3. Let D be a rational degree 0 divisor of C. Then there exists a rational effective divisor D+ of degree 3 such that D+ − D∞ ∼ D. We have seen that generically the divisor D+ is unique. By abuse of language we say that a curve C0 goes through nP if i(C,C0;P) = n, where i(C,C0;P) 0 denotes the intersection multiplicity of C and C at P. Let D1,D2 ∈ Jac(C)(k). Then D1 + D2 is equivalent to a divisor D = D+ − D∞, where the points in the support of D+ are given by the following algorithm: + + 1. Take a cubic E defined over k which goes (with multiplicity) through the support of D1 ,D2 ∞ ∞ ∞ and P1 ,P2 ,P4 . This cubic also crosses C in the residual effective divisor D3. ∞ ∞ 2. Take a conic Q defined over k which goes through the support of D3 and P1 ,P2 . This conic also crosses C in the residual effective divisor D+.

Figure 7.3: Description of the algorithm

The proof goes as follows. C being canonically embedded, (E ·C) ∼ 3κ where κ = κC is the canonical divisor of C. Therefore we have

+ + ∞ ∞ ∞ D1 + D2 + P1 + P2 + P4 + D3 ∼ 3κ.

Similarly, (Q ·C) ∼ 2κ so ∞ ∞ D3 + P1 + P2 + De ∼ 2κ ∞ ∞ ∞ ∞ ∞ and (l ·C) = P1 + P2 + P3 + P4 ∼ κ. Combining these three relations, we obtain

+ + ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ D1 + D2 + P1 + P2 + P4 + D3 ∼ D3 + P1 + P2 + De + P1 + P2 + P3 + P4 80 Chapter 7. Jacobian of curves

so + + ∞ D1 + D2 ∼ De + D . Now we subtract 2D∞ on both sides:

∞ D1 + D2 ∼ De − D ∼ D

+ So De = D . ∞ + The cubic E and conic Q are both defined over the field k because of the k-rationality of Pi , D1 + and D2 . Historically, the first construction of Jacobian is through the complex theory of Riemann surfaces. The existence of a symplectic basis λ1,...,λ2g of the homology for the intersection pairing on the surface (see Picture 7.4) enables to define a 2g × g matrix

R ω ··· R ω  λ1 1 λ2g 1  . .  Ω =  . .  R ω ··· R ω λ1 g λ2g g

g 2g by integrating a basis of “holomorphic 1-forms on C” ω1,...,ωg. The complex torus C /ΩZ is an abelian variety for the Riemann form H deﬁnes by

0 −1 H(x,y) = ixΩ t Ω¯ t y¯. 1 0

Figure 7.4: Periods on Riemann surfaces

R One can wonder where the principal polarization appears in the algebraic setting. Another way to describe polarization is by a certain divisor on the abelian variety. Here the divisor is g−1 simply the image of Sym C by the map D 7→ D − (g − 1)P0.

A classical and important problem (Schottky problem) is to characterize the locus of Jacobian inside abelian varieties. More speciﬁcally, if we denote Mg the moduli space of genus g curves and Ag the moduli space of principally polarized abelian varieties of dimension g, the map C 7→ JacC is an injective map thanks to the so-called Torelli theorem. Since for g > 1, the dimension of Mg is 3g − 3 and the dimension of Ag is g(g + 1)/2, this map has not a dense image as soon as g > 3. Finding the equations of this locus is still an active research area.

7.3 Application to cryptography Cryptography is playing a more and more important role in our society : smart-card, INTERNET payment, online banking. . . . All these applications needs to protect information. There exists two 7.3 Application to cryptography 81 main strategies. The first one, historically, is called symmetric key cryptography which requires both parts to share a secret key before starting the protocole. In 1976, Diffie and Hellman introduced the new concept of public key cryptography. This protocol solves in particular the important problem (for INTERNET) of a creation of secret key over a non-secure channel. Here is the principle : 1. Goal : Alice and Bob wants to share a secret key (to cipher and decipher after with a traditional symmetric protocol for instance). 2. let G be a group that we can assume to be isomorphic to Z/nZ. Let g ∈ G be a generator. a 3. Alice chooses a ∈ Z and sends g to Bob. b 4. Bob chooses b ∈ Z and sends g to Alice. 5. Secret shared : gab. a One sees that the difficulty to break the code is based on the difficulty to compute a = logg(g ) (in fact to compute gab knowing ga,gb but these two problems are believed equivalent). This type of problem is called discrete logarithm problem. Do there exist groups for which this problem is difficult (whereas the computation of ga remains easy of course) ? A problem is said difficult if one cannot solve it in a reasonable time with a good computer. More specifically that means that the number of operations would be greater than 280.2 For a general group G, there is always an attack in p|G| (called rho-Pollard and based on the birthday paradox), so |G| must have at least 160 bits.

One is of course interested in groups for which the order is as small as possible (for speed and memory requirements), so groups for which the previous attack is the best possible. This is ∗ not the case of G = (Fq,×) for instance. Based on the so-called index calculus algorithm, there exists sub-exponential and even when the characteristic is small quasi-exponential attacks which ∗ are effective (in 2014 a DLP in F21279 was broken). In 1985, Koblitz and Miller introduced the idea to look at the group forms by the Fq-rational points of an elliptic curve. This idea was then generalized to the Fq-rational points of the Jacobian of a curve of genus g. However, when g > 2, there exist attacks which are slightly better than the generic one and therefore most of the work is concentrated on curves of genus 1 and 2 for which no better attacks is known in general when q is ∗ prime (the recent progress on the DLP on Fq for small characteristics has translated via the Weil pairing into attacks on elliptic curves over these ﬁelds). Nobody knows how to prove that a better attack does not exist and this is of course a big fear of all banks and governments as cryptosystems based on Jacobian (at least elliptic curves) are widely used nowadays. Moreover the possible rise of quantum computers would lead to polynomial attacks on the DLP problem asking for a switch of paradigm towards code, isogeny or lattice based cryptography.

How to choose the curve with a good G = (JacC)(Fq)? The ﬁrst requirement is that #(JacC)(Fq) ≈ 2160. g g−1/2 Lemma 7.3.1 Let C/Fq be a curve of genus g Then #(JacC)(Fq) = q + O(q ).

Proof. In Exercise 6.2, it is proved that #(JacC)(Fq) = f (1) where f is the Weil-polynomial of the curve. The coefﬁcients of f are symmetric functions in the roots α which are all of absolute value √ i √ q. The leading coefﬁcient is qg whereas the others are bounded by O( q2g−1) which gives the result.

This means for g = 1,2 that we are computed with a curve over Fq where q has more than 80 bits. The Pohlig-Hellmann algorithm enables for any cyclic group to reduce the complexity of the DLP to the largest subgroups of G with prime order. We therefore need that G has a large prime. Two ways exist to obtain this curve :

2See in this note how this number seems like a good bound on feasible computations. 82 Chapter 7. Jacobian of curves

• One takes random curves of genus g over Fq and one has a fast way to compute the Weil polynomial. This cannot be naive counting of points on the curve as the order of the field is so large. These algorithms belong to two categories : 1. `-adics methods : for g = 1 (Schoof’s algorithm which was improved into the so-called SEA method): work in large characterisitics. For genus 2 curves, the best current records are over fields of size 128 bits. 2. Cohomological methods, p-adic methods and deformation theory which work really fast and for more general curves but which are restricted to small characteristics. In MAGMA , fast algorithms are available for hyperelliptic curves and general curves of genus less than or equal to 5. • One constructs a curve over a number field whose Jacobian has complex multiplication. Then one reduces the curve modulo suitable large prime for which it is easy to compute the order from the CM-structure. These CM methods have been developed for g = 1,2 (and certain g = 3) curves. Once the curve constructed, one also wants to have fast operations on its Jacobian. For elliptic curves, this is achieved in a plethoric number of ways depending on the curve, the protocole, the field, etc. See this web page to get a rough idea. For genus 2, the fastest algorithms do not work directly with the curve or the Jacobian J but with its Kümmer surface J/±1 which has a nice representation as a singular quartic surface in P 3 (this is the picture at the beginning of Chapter 2). Exercise 7.3 Using the description of the group law for quartic in Example 7.4, implement a Diffie-Hellman protocol for genus 3 non hyperelliptic curve. How fast can you make it? Note that there is not much hope that this may be useful for cryptography, the need of fast arithmetic on higher genus curves over finite fields exists in arithmetic statistics (see Sutherland’s webpage

for pictures).

7.4 Construction of curves with many points 7.4.1 Weil polynomial vs Frobenius characteristic polynomial Let A be an abelian variety of dimension g defined over a field k of characteristic p. Let ` 6= p be a n n g prime. We have seen in Proposition 7.1.1 that for all n ≥ 1, A[` ](k) ' (Z/` Z)2 . Definition 7.4.1 T (A) = A[`n](k) `-Tate module A We call ` ←−lim the of .

i In down-to-earth terms, an element of T`(A) is an infinite sequence (an) where each ai ∈ A[` ](k) and n n 2g such that ài = ai−1 (with à1 = 0). Since A[` ](k) ' (Z/` Z) , we see that T`(A) is isomorphic to 2g the group Z` where Z` is the `-adic numbers. The fraction field of Z` is denoted Q` and is a field of characteristic 0 which is a completion of Q. There is a valuation on Z`, called the `-adic valuation −n n defined by |a| = ` where n is the largest integer such that a/` ∈ Z`. This extend multiplicatively to Q` and then to any finite extension K of Q` with ring of integer O and uniformizer π such that |π| = #(O/π)−1. Since u commutes with the multiplication by ` (look at the action on divisors), we see that u 2g acts on T`(A) and therefore on the Q`-vector space T`(A) ⊗ Q ' (Q`) . We denote u` the induced morphism and by χu ∈ Q`[T] its characteristic polynomial.

We will need the following geometric result.

Proposition 7.4.1 — [24, Prop.12.4, p.125]. The function End(A) ⊗ Q → Q, u 7→ deg(u) is a polynomial function of degree 2g on the ﬁnite Q-algebra End(A) ⊗ Q (note that deg(uv) = deg(u ◦ g v) = deg(u) · deg(v) and we use that deg(nu) = n2 deg(u) to extend the degree over Q ). In 7.4 Construction of curves with many points 83 particular if u ∈ End(A) then there exists a unique monic polynomial Pu ∈ Z[T] of degree 2g such that Pu(r) = deg(u − r) fro all integers r. We will need the following lemmas. Lemma 7.4.2 Let P(X) = ∏(X −ai) and Q = ∏(X −bi) be monic polynomials of the same degree with coefﬁcients in Q`. If |∏G(ai)| = |∏G(bi)| for all G ∈ Z[X] then P = Q.

Proof. By continuity P and Q will satisfy the same condition for all G with coefﬁcients in Q`. Let d and e be the multiplicities of a1 as a root of P and Q respectively. We shall prove that d = e. Let ¯ ¯ α ∈ Q` be “close to” a1 but not equal to a1 in the sense of the extension of the valuation to Q`. Then d e |P(α)| = |α − a1| · ∏ |α − ai|, |Q(α)| = |α − a1| · ∏ |α − bi|. ai6=a1 bi6=a1 ¯ Let G be the minimal polynomial of α over Q` and m = degG. Let Σ be a subset of Gal(Q`/Q`) such that {ασ , σ ∈ Σ} is the set of distinct conjugates of α.Then

σ ∏∏(ai − α ) = ∏G(ai). i Σ i

Because σ permutes the ai, this is also

σ σ σ ∏(ai − α ) = ∏(ai − α ) i i

¯ σ σ and because the elements of Gal(Q`/Q`) preserves the valuations |ai − α | = |ai − α|. Hence

m m |∏G(ai)| = |∏(ai − α)| , |∏G(bi)| = |∏(bi − α)| . So the hypothesis implies that

d e |α − a1| · ∏ |α − ai| = |α − a1| · ∏ |α − bi|. ai6=a1 bi6=a1

As α approaches a1 the factors not involving a1 will remain constant from which it follows that d = e. Lemma 7.4.3 Let E be an algebra over a ﬁeld K and let δ : E → K be a polynomial function on E such that δ(uv) = δ(u)δ(v) for all u,v ∈ E. Let u ∈ E and let P = ∏(X − ai) be a polynomial such that P(x) = δ(u − x). Then δ(G(u)) = ±∏G(ai) for all G ∈ K[X].

Proof. After extending K, we may assume that the roots ti of G and of P lie in K. Then by continuity

δ(G(u)) = δ(∏(u −t j)) = ∏P(t j) = ∏(t j − ai) = ±∏G(ai). j i, j i

Lemma 7.4.4 Let u` : T`(A) → T`(A) be a morphism of Z`-modules. Then #keru` = v(detu`). i Proof. Since Z` is principal with non-trivial ideals of the forms (` ), the Smith normal form, there e e exists two invertible matrices S,T such that we can write u` as u` = S · diag(` 1 ,...,` 2g ) · T. We therefore see that the cardinal of the kernel of u` has valuation ∑ei (we include the case e = ∞ to ni ∑ni get the 0 ideal) and also detu` = ε · ∏` = ε · ` where ε is the determinant of ST hence a unit since S and T are invertible.

Proposition 7.4.5 For every ` 6= p, one has that χu = Pu. 84 Chapter 7. Jacobian of curves

Proof. Let ai be the roots of χu and bi be the roots of Pu and let G = ∏(X − t j) ∈ Z[X]. Using Lemma 7.4.3, with ﬁrst δ = deg on E = End(A) ⊗ Q, we get that degG(u) = ±∏G(bi) and similarly with δ = det on E = End(T`(A) ⊗ Q) we get detG(u`) = ±∏G(ai). For an abelian variety and any f ∈ End(A), one has that deg f = #ker f (this is clear if f is separable) and v(deg f ) = v(#ker f ) = #ker f` = v(det f`) by Lemma 7.4.4. Applying this to f = G(u), we therefore get that |∏G(ai)| = |∏G(bi)| and we can conclude using Lemma 7.4.2.

R Can we overpass the assumption on separability? We use it for G(u) and the latter will be separable if for instance G has a constant coefﬁcient prime to p. But we can impose that in the proof of Lemma 7.4.2 since we need that G is the minimal polynomial of an element closed to a given root of P. By shifting P(X + r), we can always assume that the root a1 we are interested is a unit and therefore α as well and we are ﬁne.

Deﬁnition 7.4.2 The previous result shows that to an abelian variety A/Fq of dimension g, the characteristic polynomial of F acting on V`(A) is of degree 2g with coefﬁcients in Z, independent of `. We call it the characteristic polynomial of the Frobenius of A. We denote it by χA.

Let us assume from now on that A = JacC where C is a curve deﬁned over Fq with Weil 0 polynomial f = ∏(1 − aiX). A is an abelian variety deﬁned over Fq and A(Fq) ' Pic (C)(Fq). In n particular #A(Fqn ) = ∏(1 − ai ). On the other hand, let F = Frobq be the Frobenius endomorphism of A. We denote by χ = χF = ∏(T − bi) ∈ Q`[T] its characteristic polynomial.

Theorem 7.4.6 One has that χ = X2g f (1/X). In particular χ and f have the same roots.

Proof. From Proposition 7.4.5, we know that χ = PF = ∏(X − bi) and since χ is the characteristic n polynomial of F, we see that PFn = ∏(X −bi ) for all n > 0. We need to prove that PF = ∏(X −ai). Since n n n n #ker(F − id) = deg(F − id) = ∏(1 − bi ) = ∏(1 − ai ), the proof is over once we get that the last equality for all n implies that ai = bi (up to a permutation). Let us consider the formal series

∏(1 − an) ∏(1 − bn) R = i T n, R = i T n. a ∑ n b ∑ n

n Expanding the products and using that −log(1 − T) = ∑T /n, the equality of Ra = Rb gives

∏(1 − aiT) · ∏(1 − aia jakT)··· ∏(1 − biT) · ∏(1 − bib jbkT)··· = . (1 − T) · ∏(1 − aia jT)··· (1 − T) · ∏(1 − bib jT)···

We therefore get that bi = ∏ ai and conversely that a j = ∏ bi. Hence ai is a product of a js j∈Ii √ i∈Ji but since the absolute values of the ai is q this is impossible if this product if not of a single term. Hence #Ij = 1 and #Ji = 1 and {bi} = {ai}.

Let now A,B be two abelian varieties over Fq.

Proposition 7.4.7 One has χA×B = χA × χB. If φ : A → B is a homomorphism with ﬁnite kernel deﬁned over Fq then χA|χB. In particular if A is isogenous to B over Fq, then χA = χB. 7.4 Construction of curves with many points 85

Proof. The ﬁrst property is a simple consequence of the fact that V`(A × B) = V`(A) ⊕V`(B) and 0 0 F|A×B(D,D ) = (F|A(D),F|B(D ). For the second property, let N = #ker(φ) and let ` be coprime to N p. Then φ : A → φ(A) ⊂ B is an isogeny and we have seen that there exists φ 0 : φ(A) → A such 0 that φ ◦ φ = [N]. Since N is prime to `, we see that φ is therefore an isomorphism between V`(A) −1 −1 and V`(φ(A)) ⊂ V`(B). Moreover one has that on V`(A), φ ◦ FB ◦ φ = FAφ ◦ φ = FA since φ is deﬁned over Fq. Hence the characteristic polynomial of FA divides the one of FB.

R Actually Tate [18] proved that A is isogenous to B if and only if χA = χB.

7.4.2 A construction of maximal curve of genus 3 over F2n This is part of [13].

Let k = F2n and consider the family

2 2 2 Ca,c,d/k : (aX +Y ) + cZ(X +Y + Z) + d(XY)) = XYZ(X +Y + Z)

with a,c,d ∈ k such that a 6= 0,cd 6= 0,c + d 6= 1. It is easy to prove that C is smooth and that

i1(X,Y,Z) = (Y,X,Z), i2(X,Y,Z) = (X,Y,X +Y + Z), i3(X,Y,Z) = (Y,X,X +Y + Z)

define involution on C. From [41, p.48, Sec.12], the set-quotient of a curve by a finite subgroup of its automorphism group is again an algebraic curve. In this case it is easy to find explicit equations for the quotients by the subgroups generated by i1,i2 or i3.

Proposition 7.4.8 The quotients of C by hi1i,hi2i and hi3i are respectively

2 3 2 2 2 4 4 E1 : Y + XY = X + c d X + d a 2 3 2 2 2 4 4 E2 : Y + XY = X + c d X + c a 2 3 2 2 2 4 4 E3 : Y + XY = X + c d X + (c + d + 1) a .

Proof. We start with the quotient by the involution i1. We work with the afﬁne model of C obtained by letting Z = 1. The functions X1 = X +Y, Y1 = XY are stable by i1, and they lead to the following equation for the quotient curve

2 2 2 4 2 2 2 d Y1 + X1Y1 +Y1 = a X1 + c X1 + c .

To ﬁnd a Weiertrass model for this curve, we invoque MAGMA (note that we need to specify a point on the curve ; fortunately it is easy to see that (0 : 1 : 0) is so). F:=FunctionField(GF(2),3); P:=PolynomialRing(F,3); PP:=ProjectiveSpace(P); C:=Curve(PP,d^2*y^2*z^2+x*y*z^2+y*z^3+a^2*x^4+c^2*x^2*z^2+c^2*z^4); E:=EllipticCurve(C,C![0,1,0]); SimplifiedModel(E); Elliptic Curve defined by y^2 + x*y = x^3 + c^2*d^2*x^2 + a^4*d^4 over Multivariate rational function field of rank 3 over GF(2)

For the involution i2 we work with the afﬁne model obtained by letting Y = 1. The functions X1 = X, Z1 = Z(X + Z + 1) are invariant and they yield the following model for the quotient curve:

2 2 2 4 2 2 2 F : c Z1 + X1Z1 = a X + d X + a . 86 Chapter 7. Jacobian of curves

2 3 The change of variables X1 = X2/ac, Z1 = (Y2 +X2 )/ac gives a birationnal map to E2 deﬁned over k. To deal with the third quotient we make the change of variables X ← Y1 + Z1, Y ← X1 + Z1. The 0 curve C = Ca,c,d,r becomes the curve C = Ca,c+d+1,d,r and the involution i3 becomes i2. Therefore, the quotient curve is isomorphic to the elliptic curve

Y 2 + XY = x3 + ((c + d + 1)2d2x2 + (c + d + 1)4a4.

2 obtained from E2 by changing c ← c+d +1. This curve is isomorphic to E3 via Y ← Y +d X.

We are going to see that the Ei are pieces of JacC. Lemma 7.4.9 Let π : C1 → C2 be a morphism of degree d between two curves and assume that ∗ ∗ gC2 > 0. Then π : JacC2 → JacC1 deﬁnes a homomorphism such that JacC2 ∼ π (JacC2).

Proof. To prove the proposition, let us define π∗ : JacC1 → JacC2 defined by ∑niPi 7→ ∑niπ(Pi). ∗ ∗ From Proposition 3.3.1, it appears that π∗ ◦ π = [degπ]. Hence kerπ ⊂ ker[degπ] which is finite.

Example 7.5 Let  X2 = X2 + Z2,  1 0 2 2 2 C/F17 : X2 = X0 + 2Z ,  2 2 2 X3 = X0 + 3Z 4 be a genus 5 curves into P . The involutions which ﬁxes all variables except Xi 7→ −Xi deﬁne quotient curves Ci for instance  X = X2 + Z2, (  0 2 2 2 2 2 2 X2 = X0 + 2Z , 3 C1/F17 : X = X + 2Z , ' ⊂ P . 2 0 X2 = X2 + 3Z2  2 2 2 3 0 X3 = X0 + 3Z

2 2 The Ci are genus 1 curves and for instance fC1 = 17T + 6T + 1 which divides fC = (17T − 2T + 3 2 2 1) (17T + 6T + 1) .

Let πi : C → Ei be the quotient maps. From the previous lemma, we have morphisms with ∗ ﬁnite kernels πi : JacEi = Ei → JacC and Proposition 7.4.7 shows that fEi | fC. A more precise ∗ ∗ ∗ computation would show that (π1 × π2 × π3 ) : E1 × E2 × E3 → JacC is actually an isogeny. This ∗ could be proved directly by studying (πi)∗ ◦π j , or by the action on the differentials or using a result of [9]. Hence from the same proposition we actually get that fC = fE1 · fE2 · fE3 .

Consider the case where c = d = 1 and n > 2 odd. We then have that E1 = E2 = E3 is the 2 3 2 4 elliptic curve E : Y + XY = X + X + a . As n is odd, Theorem√ 6.2.5 shows that there exists an n n elliptic curve E0/k such that #E0 = 1 + 2 + m where m = b2 2 c. Assume that m ≡ 1 (mod 4) (one can show that this happens inﬁnitely many often). Then E0 is an ordinary elliptic curve (i.e. its 0 2-rank is equal to 1) and has therefore a non-zero j-invariant j0. Such an ordinary elliptic curve E 0 2 3 2 1 0 can be written E : Y + XY = X + r0X + where r0 ∈ {0,1} and r0 = 0 if and only if E has a jE0 rational 4-torsion point. Since m ≡ 1 (mod 4) and n > 2, we see that this is not the case, hence we can write E = E . This shows that f = f 3 and in particular #C(k) = q + 1 + 3m, so the curve is 0 C E0 maximal.

R The same kind of arguments enables to solve many other cases in characteristic 2. The only open case is when m ≡ 3 (mod 4). It could be solved if one can prove that there exist elliptic j1 j2 curves Ei/k with trace m and j-invariants ji such that trk/ 2 = 0. F2 ( j1+ j2+ j3) 7.4 Construction of curves with many points 87

R Another nice open problem that I learnt from Omran Ahmadi: show that the Weil polynomial 2 3 −1 2 2k+1 −1 of D1/F2 : y +y = x +x always divides the Weil polynomial of Dk : y +y = x +x .

III Appendices

8 Using MAGMA and some (open) problems 91 8.1 Some basic tools: exercises 8.2 Some (more) open exercises 8.3 Good models of curves of genus ≤ 5 8.4 Isomorphisms-Automorphisms 8.5 Exploring the number of points of curves over ﬁnite ﬁelds

Bibliography ...... 105 Articles Books

Index ...... 108

8. Using MAGMA and some (open) problems

8.1 Some basic tools: exercises 8.1.1 Wording The most important thing is the help. There exist two sorts : the html ﬁles are the most conve- nient. They contain, besides the description of each command, examples and even mathematical background. You can access commands by topic (ﬁnite groups, commutative algebra, algebraic geometry) or through the index. The second help is online : when you want information about a command, let’s say RandomPrime, you type RandomPrime;.

A last tip before we start : there is a automatic completion with ‘tab’. This is useful when you do not remember exactly the name : MAGMA follows very closely the exact deﬁnition.

We will start with some examples that look really similar to Maple. To Evaluate an expression you need to end it with ;. To define an object you write f:=. . . . As you may see it does not display the result. To see it you have to write f;. 1. Compute 123 + 33 . 10 √127 2. Compute 2 + 3. 3. Compute 200! and factorize this number. 4. Is 21233 + 321 prime (IsPrime)? Some examples how to handle sets, sequences, lists : 5. Define the sets I = {1,4,10}, J = {2,4,8}. Do the following operations : I ∪ J and I ∩ J. 6. Create a random list of 10 integers. Extract the 8th. Unlike Maple, MAGMA require to define properly where you are working. You cannot open a MAGMA section and write : f = x3 + 3;. MAGMA does not know yet what is x. It is sometimes a bit tedious when you want to work with polynomials in a lot of variables but the counterpart is that it allows much more objects than the two others softwares : polynomials over extensions of finite fields or p-adic fields, matrices with coefficients in function fields . . . . And it is much more accurate, mathematically speaking ! 92 Chapter 8. Using MAGMA and some (open) problems

Very important fields for us are the field of rationals and finite fields : 7. Create the field of rationals. 8. Create the field F = F23 (GF). 9. Add 20 and 5 in this field. This leads to the notion of coercion (for instance F!20). 10. Create the field K = F234 . What is a defining polynomial for this field ? Compute the square root of 10 in this field. One would like also to create extensions by choosing a defining polynomial. 11. Create the polynomial ring R with variable x over F5. 12. Create the polynomial f = x6 +3x+3. Evaluate f at 2. Is f irreducible ? What is its splitting field ? Call it F < w >. 13. Create an extension of F of degree 3 by a polynomial of your choice. Once we have the basic fields, we can construct polynomial rings in several variables on them 14. Construct the polynomial ring P = Q[x,y,z]. 15. Consider f = x4 + y4 + z4 ∈ P. 16. Prove that f is irreducible. 17. Compute the resultant R in x of f and ∂ f /∂x. 18. Create the ring P2 = Q[u,v] and the morphism (x,y,z) 7→ (1,u,v) with hom< P-> P2 | 1,u,v>. 19. Map R into P2 with this morphism. We can now define varieties, in particular curves. There are multiple ways to define them, depending if they are general curves, elliptic curves, hyperelliptic curves,. . . . Depending on the type of curves and fields, you have also access to a larger panel of functionalities and of efficiency. Let us consider here only some basics ones. 20. Define the projective space S = 2 (ProjectiveSpace(P)). P Q 21. Define the curve C : f = 0 in S. 22. Is it singular? What is its genus? 23. Consider the curve C over F = F73 (ChangeRing). Let’s call it D. Is D smooth? 24. Compute its number of points. 25. Find the flexes of D. Another example in space: 26. Define the polynomial ring R with variables x,y,z,u,v over the rationals. 27. Define the 3 homogeneous polynomials f1, f2, f3 :

 f 1 = x2 + y2 + z2 − uv  f 2 = xu − yv   f 3 = 2x2 + 3y2 − zy + u2 + v2

28. Deﬁne the projective space associated to R 29. Deﬁne the Scheme C : f1 = f2 = f3 = 0. 30. What is its dimension ? 31. Is it singular ?

We will need only basic programming properties, like loops (for...do, while...do) and branchement (if...then...else) which you end with (end for, end while, end if). 32. Create a loop that runs through the primes less than 100 (NextPrime). 33. For each prime 11 ≤ p ≤ 100, reduce the curve C from (21) over and stop when its √ Fp number of rational points reaches the maximal value 1 + p + 3 · b2 pc. 8.1 Some basic tools: exercises 93

Automorphisms. Let G,H,M be the following matrices

 ζ 4 0 0   0 1 0   ζ − ζ 6 ζ 2 − ζ 5 ζ 4 − ζ 3  −1 G =  0 ζ 2 0 , H =  0 0 1 , M = √  ζ 2 − ζ 5 ζ 4 − ζ 3 ζ − ζ 6 , − 0 0 ζ 1 0 0 7 ζ 4 − ζ 3 ζ − ζ 6 ζ 2 − ζ 5

where ζ is a 7th root of unity. Show that the automorphisms of P 2 given by these matrices are automorphisms of the Klein’s quartic x3y + y3z + z3x = 0. What is the order of the group generated by these matrices ?

R In characteristic 0, One can show (using Hurwitz bound) that automorphism group of the curve is generated by these elements. This is not true in characteristic 3 (this is the only case).

8.1.2 Solutions 123/10+33/127; 2+Sqrt(3); Factorial(200); Factorization($1); IsPrime(2^1233+321);

I:={1,4,10}; J:={2,4,8}; I join J; I meet J; L:=[Random(10,2000) : i in [1..10]]; L[8];

F:=GF(23); F!(20+5); K:=GF(23^4); DefiningPolynomial(K); Sqrt(K!10);

R:=PolynomialRing(GF(5)); f:=x^6+3*x+3; Evaluate(f,2); IsIrreducible(f); F:=SplittingField(f);

R2:=PolynomialRing(F); g:=y^3+w*y+4; F2:=ext;

P:=PolynomialRing(Rationals(),3); f:=x^4+y^4+z^4; IsIrreducible(f); R:=Resultant(f,Derivative(f,x),x); P2:=PolynomialRing(Rationals(),2); phi:=hom P2 | 1,u,v>; 94 Chapter 8. Using MAGMA and some (open) problems phi(R);

PP:=ProjectiveSpace(P); C:=Curve(PP,f); IsSingular(C); D:=ChangeRing(C,GF(73)); PP2:=AmbientSpace(D); IsSingular(D); // here it checks the singularity of the curve directly over \bar{k} #Points(D); H:=Curve(PP2,Determinant(HessianMatrix(D))); pts:=Points(H meet D); // this was by hand or there is a function which does it pts:=Points(Flexes(D));

R:=PolynomialRing(Rationals(),5); RR:=ProjectiveSpace(R); f1:=x^2+y^2+z^2-u*v; f2:=x*u-y*v; f3:=2*x^2+3*y^2-z*y+u^2+v^2; C:=Scheme(RR,[f1,f2,f3]); Dimension(C); IsSingular(C); p:=2; while p le 100 do print p; p:=NextPrime(p); end while;

P:=PolynomialRing(Rationals(),3); f:=x^4+y^4+z^4; PP:=ProjectiveSpace(P); C:=Curve(PP,f); p:=11; while p le 100 do Cp:=ChangeRing(C,GF(p)); B:=1+p+3*Floor(2*Sqrt(p)); if #Points(Cp) eq B then print p; break; end if; p:=NextPrime(p); end while;

F:=CyclotomicField(7); G:=Matrix([[a^4,0,0],[0,a^2,0],[0,0,a]]); H:=Matrix([[0,1,0],[0,0,1],[1,0,0]]); M:=-1/Sqrt(F!(-7))*Matrix([[a-a^6,a^2-a^5,a^4-a^3],[a^2-a^5,a^4-a^3,a-a^6], [a^4-a^3,a-a^6,a^2-a^5]]); 8.2 Some (more) open exercises 95

GG:=MatrixGroup<3,F | G,H,M>; // here we are lucky that the group is indeed finite in GL (whereas we should look in PGL). #GG; P:=PolynomialRing(F,3); PP:=ProjectiveSpace(P); C:=Curve(PP,x^3*y+y^3*z+z^3*x); g:=Automorphism(PP,G); h:=Automorphism(PP,H); m:=Automorphism(PP,M); m(C) eq C;h(C) eq C; g(C) eq C;

8.2 Some (more) open exercises 8.2.1 Isomorphisms between hyperelliptic curves 2 From Exercise 8.9, one sees that an isomorphism between two hyperelliptic curves Y = fi(X) with deg( f1) = deg( f2) = 2n over an algebraically closed ﬁeld k of characteristic p 6= 2 is mainly a b ∗ deﬁned by ∈ GL (k) such that (cX + d)2n · f ( aX+b ) = α f (X) for α ∈ k (we say that c d 2 1 cX+d 2 f1 and f2 are equivalent). How would you test such an equivalence in practice? In particular are 10 f1 = X + 1 and

10 9 8 7 6 4 3 2 f2 = 26X + 30X + 8X + 6X + X + 16X + 14X + X + 2X + 26 ¯ over F31 equivalent?

8.2.2 Number of points on plane curves Instead of considering smooth curves of genus g, one could consider projective algebraic set of 2 degree d in P (Fq). What can be said about the maximal number of points when 1. there is no additional condition? 2. we assume the algebraic set to be smooth? 3. we assume the algebraic set to be irreducible?

8.2.3 Good correspondences between curves In order to construct curves with many points, a strategy uses correspondences between curves over a finite field k = Fq with good properties. Here, we will focus on finding two morphisms f ,g : C1 → C2 such that g = φ ◦ f ◦ ψ where φ and ψ are two automorphisms with some stability properties. More precisely, • denote by R a subset of C1(k) containing the ramification points of f ; • denote S ⊂ C1(k) the inverse image under f of a set of points on C2 such that all P ∈ S are k-rational and unramified. We ask that • ψ preserves R and S ; • φ preserves their image by f ; • there exists a point Q ∈ R such that f (Q) = g(Q) but Q is not a ramified point for g. 1 Can you find such examples? You can of course start with C1 = C2 = P . 96 Chapter 8. Using MAGMA and some (open) problems

8.2.4 Constraints on the Weil polynomial for curves Let C be a curve of genus g over a ﬁnite ﬁeld . We say that the curve has defect e ≥ 0 if √ Fq #C(Fq) = q+1+gm−e with m = b2 qc. Having small defects e = 0,1,... give big constraints on the Weil polynomials f of C. For instance, using the same arguments as the proof of Theorem 6.2.1, one can show that if e = 0 then f = (1 +mX +qX2)g. What can you say about other small defects?

8.2.5 Codes from modular curves

We have seen that over Fp2 , the codes constructed from the modular curves X0(`) are asymptotically optimal. How are the parameters of these codes “at ﬁnite distance” (for small values of p and small values of `)? You can compare to these tables.

8.2.6 Distribution of curves over finite fields Instead of considering each curve individually, one could look at the following question: given a finite field Fq and a genus g > 0, how many curves are there with a given number of points N? Looking at the bounds of Hasse-Weil-Serre, it may be better to look at the quantity t = √ (#C(Fq) − q − 1)/(gm) where m = b2 qc which is in the interval [−1,1]. You can then try: 1. to consider all elliptic curves of the form Y 2 = X3 +AX +B (in characteristic greater than 3); 2. all elliptic curves up to Fq-isomorphisms; 3. all elliptic curves in the family Y 2 = X(X − 1)(X − λ) for λ 6= 0,1; 4. (families of) higher genus curves; 5. all genus g curves up to Fq-isomorphisms (how to get them?)

8.2.7 Number of points on a genus 4 curve We will now deal with genus 4 non hyperelliptic curves over a field of characteristic different from 2. The canonical embedding shows that C = Q ∩ E ⊂ P 3 where Q is an absolutely irreducible quadric and E a cubic surface. 1. Prove that the rank of Q is greater than 2. 2. We will restrict to the case where rank of Q is equal to 4. Show that if k is algebraically closed then Q ' xt − yz = 0 ' P 1 × P 1. Show that if k is a finite field then Q ' P 1 × P 1 if detQ is a square. 3. We now assume that Q = xt − yz. Now let φ : P 1 × P 1 → Q the isomorphism given by ((X : Y),(Z,T)) 7→ (XZ : XT : YZ : YT). Show that under this isomorphism, C becomes 0 C ⊂ P 1 × P 1 with

3 2 2 3 X P0(Z,T) + X YP1(Z,T) + XY P2(Z,T) +Y P3(Z,T) = 0