18.783 Elliptic Curves Spring 2019 Lecture #14 04/1/2019 14 Ordinary and supersingular elliptic curves Let E=k be an elliptic curve over a field of positive characteristic p. In Lecture 7 we proved that for any nonzero integer n, the multiplication-by-n map [n] is separable if and only if n is not divisible by p. This implies that the separable degree of the multiplication-by-p map cannot be p2 = deg[p], it must be either p or 1, meaning that its kernel E[p] is either cyclic of order p or trivial. The terms ordinary and supersingular distinguish these two cases: E is ordinary () E[p] ' Z=pZ. E is supersingular () E[p] = f0g. We now want to explore this distinction further, and relate it to our classification of 0 endomorphism algebras. In the previous lecture we showed that End (E) := End(E) ⊗Z Q 0 has dimension 1; 2, or 4 as a Q-vector space, depending on whether End (E) is isomorphic to Q, an imaginary quadratic field, or a quaternion algebra. In this lecture we will show 0 that over fields of positive characteristic we never haveEnd (E) ' Q, and that we can only have End0(E) isomorphism to a quaternion algebra when E is supersingular. Before we begin, let us recall some facts about isogenies proved in Lectures 6 and 7. We assume throughout that we are working in a field k of positive characteristic p. n 1. Any isogeny α can be decomposed as α = αsep ◦ π , where αsep is separable, and π is the (purely inseparable) p-power Frobenius map π :(x : y : z) 7! (xp : yp : zp). n n 2. If α = αsep ◦ π then degs α := deg αsep, degi α := p , and deg α = (degs α)(degi α). 3. We have # ker α = degs α (so E is supersingular if and only if degs[p] = 1). 4. We have deg(α ◦ β) = (deg α)(deg β), and similarly for degs and degi. 5. A sum of inseparable isogenies is inseparable and the sum of a separable and an inseparable isogeny is separable (a sum of separable isogenies need not be separable). 6. The multiplication-by-n map [n] is inseparable if and only if pjn. Recall that an isogeny α is purely inseparable when degs α = 1, equivalently, when ker α = f0g. Thus an elliptic curve is supersingular if and only if the multiplication-by-p map [p] is purely inseparable. This makes it clear that the property of being ordinary or supersingular is invariant under base change: if E=k is an elliptic curve over k and L=k is any field extension, the separable degree of [p] on EL does not depend on L. Warning 14.1. As noted in the previous lecture, in this course the ring End(E) consists of endomorphisms defined over k; if we wish to refer to endomorphisms defined over k¯ we will write End(Ek¯) or refer to the geometric endomorphism ring (or algebra). Many authors use 1 End(E) to denote End(Ek¯), but this distinction is important. The property of being ordinary or supersingular is an isogeny invariant. Theorem 14.2. Let φ: E1 ! E2 be an isogeny of elliptic curves. Then E1 is supersingular if and only if E2 is supersingular (and E1 is ordinary if and only if E2 is ordinary). 1 For example, there are algorithms that apply to any elliptic curve E=Fq for which End(E) is an imaginary quadratic field, but one often finds them written under the strictly stronger assumption that E is ordinary. Lecture by Andrew Sutherland Proof. Let p1 2 End(E1) and p2 2 End(E2) denote the multiplication-by-p maps on E1 and E2, respectively. We have p2 ◦ φ = φ + ··· + φ = φ ◦ p1, thus p2 ◦ φ = φ ◦ p1 degs(p2 ◦ φ) = degs(φ ◦ p1) degs(p2) degs(φ) = degs(φ) degs(p1) degs(p2) = degs(p1): The elliptic curve Ei is supersingular if and only if degs(pi) = 1; the theorem follows. In what follows we will often want to refer to the image of E under the p-power Frobenius p p p (p) isogeny (x : y : z) 7! (x : y : z ) which will shall denote E . When E is defined over Fp (p) (p) we will have E = E and π will be the Frobenius endomorphism πE, but in general E is the elliptic curve obtained by taking an equation for E and raising each coefficient to the pth power (it does not matter which equation we pick, the curve E(p) is well-defined up to isomorphism). We similarly define E(q) to be the image of the q-power Frobenius isogeny. Note that [p] = ππ^ is purely inseparable if and only if π^ is purely inseparable (since π is always purely inseparable), thus E is supersingular if and only if π^ is purely inseparable. In order to simplify the presentation we will often assume p > 3 and use short Weierstrass equations y2 = x3 + Ax + B to define our elliptic curves, but except for where explicitly noted otherwise, all results in this lecture also hold in characteristic 2 and 3. An advantage of using short Weierstrass equations is that it allows us to put isogenies in our standard u(x) s(x) form v(x) ; t(x) y , with u; v; s; t 2 k[x] chosen so that u ? v and s ? t. We also note that [p] = ππ^, where π^ is the dual of the p-power Frobenius isogeny π. The multiplicativity of separable degrees implies that [p] is purely inseparable if and only if π^ is (since π is always purely inseparable) and degπ ^ = p is prime, so π^ is purely inseparable if and only if it is inseparable. Thus E is supersingular if and only if π^ is inseparable, a fact we will use to shorten the proofs that follow. 14.1 Ordinary/supersingular elliptic curves over finite fields Theorem 14.3. An elliptic curve E=Fq is supersingular if and only if tr πE ≡ 0 mod p. Proof. If E is supersingular then [p] = ππ^ is purely inseparable, in which case π^ is insepa- n n n rable, as are π^ = πc =π ^E and πE = π . Their sum [tr πE] = πE +π ^E is then inseparable, so p must divide tr πE, equivalently, tr πE ≡ 0 mod p. Conversely, if tr πE ≡ 0 mod p, then [tr πE] is inseparable, as is π^E = [tr πE] − πE. This means that π^n and therefore π^ is inseparable which implies that E is supersingular. Corollary 14.4. Let E=Fp be an elliptic curve over a field of prime order p > 3. Then E is supersingular if and only if tr πE = 0, equivalently, if and only if #E(Fp) = p + 1. p p Proof. By Hasse’s theorem, j tr πEj ≤ 2 p, and 2 p < p for p > 3. Warning 14.5. Corollary 14.4 does not hold for p ≤ 3; there are supersingular curves over F2 and F3 with nonzero Frobenius traces. p This should convince you that supersingular curves over Fp are rare: there are ≈ 4 p possible values for tr πE, all but one of which correspond to ordinary curves. 18.783 Spring 2019, Lecture #14, Page 2 Theorem 14.6. Let E bep an elliptic curve over a finite field Fq and suppose πE 62 Z. Then 0 2 End (E) = Q(πE) ' Q( D) is an imaginary quadratic field with D = (tr πE) − 4q. This applies in particular whenever q is prime, and also whenever E is ordinary. Proof. The Frobenius endomorphism πE is a root of its characteristic polynomial 2 x − (tr πE)x + deg πE; p 2 2 with discriminant D = (tr πE) − 4 deg π = (tr πE) − 4q, so Q(πE) ' Q( D). The 2 assumption πE 62 Z implies πE 62 Q, since πE is an algebraic integer, and that tr(πE) 6= 4q, so D < 0 (by the Hasse bound) and Q(πE) is an imaginary quadratic field. 0 We can write any α 2 End (E) as α = sφ with s 2 Q and φ 2 End(E). Writing φ as φ(x; y) = (r1(x); r2(x)y) in standard form, we have q q q q q q (φπE)(x; y) = (r1(x ); r2(x )y ) = (r1(x) ; r2(x) y ) = (πEφ)(x; y); thus φ, and therefore α, commutes with πE. Therefore α 2 Q(πE), by Lemma 13.18, so 0 End (E) = Q(πE) as claimed. n Corollary 14.7. Let E be anp elliptic curve over Fq with q = p . If n is odd or E is ordinary, 0 2 then End (E) = Q(πE) ' Q( D) is an imaginary quadratic field with D = (tr πE) − 4q. 2 p Proof. If πE 2 Z then D = (tr πE) − 4 deg πE = 0 and 2 q = ± tr πE 2 Z, which is possible only if q is a square and tr πE is a multiple of p, in which case n is even and E is supersingular. The corollary then follows from Theorem 14.6. If E=Fq is an ordinary elliptic curve, or more generally, whenever πE 62 Z, the subring Z[πE] of End(E) generated by πE is a lattice of rank 2. It follows that Z[πE] is an order in the imaginary quadratic field K := End0(E), and is therefore contained in the maximal order OK (the ring of integers of K). The endomorphism ring End(E) need not equal Z[π], but the fact that it contains Z[π] and is contained in OK constrains End(E) to a finite set of possibilities.