The group structure of rational points of elliptic curves over a finite field

Transcription

1 The group structure of rational points of elliptic curves over a finite field 2015/09 ECC 2015, Bordeaux, France Damien Robert Équipe LFANT, Inria Bordeaux Sud-Ouest Institut de Mathématiques de Bordeaux September 2015

2 Introduction Cryptography! We are interested in E ( q ), were E is an elliptic curve over a finite field q ; References: [Sil86; Len96; Wat69; WM71; Mil06];

3 Torus An elliptic curve E / is a torus E = /Λ, where Λ is a lattice Λ = τ +, (τ H). Let (z,λ) = 1 w Λ\{0 E } (z w ) 1 2 w be the Weierstrass -function and 2 E 2k (Λ) = 1 w Λ\{0 E } be the (normalised) Eisenstein series of weight 2k. w 2k Then /Λ E, z ( (z,λ), (z,λ)) is an analytic isomorphism to the elliptic curve y 2 = 4x 3 60E 4 (Λ) 140E 6 (Λ) = 4x 3 g 2 (Λ) g 3 (Λ). In particular the elliptic functions are rational functions in, : (E ) = (, ). Two elliptic curves E = /Λ and E = /Λ are isomorphic if there exists α such that Λ = αλ ; Two elliptic curves are isomorphic if and only if they have the same j -invariant: j (Λ) = j (Λ ). g 3 2 j (Λ) = 1728 g g. 2 3

4 Lattices is homogeneous of degree 2 and of degree 3: (αz,αλ) = α 3 (z,λ); Up to normalisation one has Λ = τ + with τ H g the upper half plane; This gives a parametrisation of lattices Λ by τ H g ; a b If Sl c d 2 ( ) then a new basis of Λ is given by (a τ + b, c τ + d ); We can normalize this basis by multiplying by (c τ + d ) 1 to get Λ = a τ+b c τ+d + ; The isomorphism class of elliptic curves is then parametrized by H g /Sl 2 ( ).

5 Elliptic curves over a field k Definition An elliptic curve E /k (k perfect) can be defined as A nonsingular projective plane curve E /k of genus 1 together with a rational point 0 E E (k); A nonsingular projective plane curve E /k of degree 3 together with a rational point 0 E E (k); A nonsingular projective plane curve E /k of degree 3 together with a rational point 0 E E (k) which is a point of inflection; A non singular projective curve with equation (the Weierstrass equation) Y 2 Z + a 1 X Y Z + a 3 Y Z 2 = X 3 + a 2 X 2 Z + a 4 X Z 2 + a 6 Z 3 (in this case 0 E = (0 : 1 : 0));

6 Choice of the base point Remark If E is a nonsingular projective plan curve of degree 3 and O E (k), then if O is an inflection point there is a linear change of variable which puts E into Weierstrass form and O = (0 : 1 : 0), but otherwise needs a non linear change of variable to transform O into an inflection point; If chark > 3 then a linear change of variable on the Weierstrass equation gives the short Weierstrass equation: y 2 = x 3 + a x + b.

7 Class of isomorphisms of elliptic curves The Weierstrass equation: y 2 + a 1 x y + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 has discriminant E = b 2 b 8 8b 3 27b 2 + 9b 2 b 4 b 6 so it defines an elliptic curve whenever E 0. (Here b 2 = a a 2, b 4 = 2a 4 + a 1 a 3, b 6 = a a 6, b 8 = a 2 1 a 6 + 4a 2 a 6 a 1 a 3 a 4 + a 2 a 2 3 a 2 4 ). The j -invariant of E is j E = (b b 4) 3 E When we have a short Weierstrass equation y 2 = x 3 + a x + b, the discriminant is 16(4a b 2 ) and the j -invariant is 4a 3 j E = a b. 2 Theorem Two elliptic curves E and E are isomorphic over k if and only if j E = j E.

8 Isomorphisms and Twists The isomorphisms (over k) of isomorphisms of elliptic curves in Weierstrass form are given by the maps for u, r, s, t k, u 0. (x, y ) (u 2 x + r, u 3 y + u 2 s x + t ) If we restrict to elliptic curves of the form y 2 = x 3 +a x +b then s = t = 0. A twist of an elliptic curve E /k is an elliptic curve E /k isomorphic to E over k but not over k. Example Every elliptic curve E / q : y 2 = x 3 + a x + b has a quadratic twist E : δy 2 = x 3 + a x + b for any non square δ q. E and E are isomorphic over 2 q. If E / q is an ordinary elliptic curve with j E {0,1728} then the only twist of E is the quadratic twist. If j E = 1728, then E admits 4 twists. If j E = 0, then E admits 6 twists.

9 The addition law Let E be an elliptic curve given by a Weierstrass equation Then (E,0 E ) is an abelian variety; The addition law is recovered by the chord and tangent law; If k = this addition law coincides with the one on modulo the lattice Λ. (The addition law of an abelian variety is fixed by the base point, and the base point 0 corresponds to the point at infinity of E since and have a pole at 0). For E : y 2 = x 3 + a x + b the addition law is given by P +Q = R = (x R, y R ) α = y Q y P or α = f (x P ) when P = Q x Q x P 2y P x R = α 2 x P x Q y R = y P + α(x R x P ) Indeed write l P,Q : y = αx + β the line between P and Q (or the tangent to E at P when P = Q). Then y R = αx R + β and y P = αx P + β so y R = α(x R x P ) + y P. Furthemore x R, x P, x Q are the three roots of x 3 + a x + b (αx + β) 2 so x P + x Q + x R = α 2.

10 Elliptic curves over other fields Why look at? For cryptography we work with elliptic curves over finite fields; Everything that is true over is true over other fields except when it is not true (non algebraically closed fields, characteristic p ). Example: there are n 2 points of n-torsion. For things that are not true over other fields, change the definition so that it remains true. Examples: the subscheme E [n] has degree n 2, definition of the Tate module T p E as a p-divisible group when the characteristic is p

11 Elliptic curves over other fields Why look at? For cryptography we work with elliptic curves over finite fields; Everything that is true over is true over other fields except when it is not true (non algebraically closed fields, characteristic p ). Example: there are n 2 points of n-torsion. For things that are not true over other fields, change the definition so that it remains true. Examples: the subscheme E [n] has degree n 2, definition of the Tate module T p E as a p-divisible group when the characteristic is p

12 Elliptic curves over other fields Why look at? For cryptography we work with elliptic curves over finite fields; Everything that is true over is true over other fields except when it is not true (non algebraically closed fields, characteristic p ). Example: there are n 2 points of n-torsion. For things that are not true over other fields, change the definition so that it remains true. Examples: the subscheme E [n] has degree n 2, definition of the Tate module T p E as a p-divisible group when the characteristic is p

13 Elliptic curves over other fields Why look at? For cryptography we work with elliptic curves over finite fields; Everything that is true over is true over other fields except when it is not true (non algebraically closed fields, characteristic p ). Example: there are n 2 points of n-torsion. For things that are not true over other fields, change the definition so that it remains true. Examples: the subscheme E [n] has degree n 2, definition of the Tate module T p E as a p-divisible group when the characteristic is p

14 Transferring results from to other fields If k is an algebraically closed field of characteristic 0 and of cardinality 2 ℵ then k is isomorphic to ; 0 If k is an algebraically closed field of characteristic 0 it is elementary equivalent to so the first order statements valid over are valid over k too; If a first order statement is true over, it is also true for all algebraically closed field of characteristic p >> 0 (by compacity arguments); If E / q is an elliptic curve over a finite field, it can be lifted to an elliptic curve over q (and q is a subfield of q which is isomorphic to by the explanation above); If E / q is an ordinary elliptic curve, there is a lift to q which respects End(E ); A polynomial in [X 1,..., X n ] which is 0 on a Zariski dense subset of n is identically null. Example If A Mat n (R ) is a matrix, then adj A.A = A.adj A = det A.Id. Indeed this is true for diagonalisable matrices over which form a dense Zariski subset (standard linear algebra), so it is true over any ring because the adjoint matrix is given by universal polynomials in the coefficients of A.

15 Field of definition Let E /k be an elliptic curve, and let k 0 be the base field of k; There exist an elliptic curve E 0 over k 0 (j (E )) which is a twist of E ; E can then be defined over a finite algebraic extension of k 0 (j (E )); k 0 (j (E )) is either algebraic over k 0 or of transcendance degree 1. Corollary Every elliptic curve can be defined over a finite extension of p (T ) or (T ). If chark = 0, E can be defined over a subfield of.

16 n-torsion over k = E [n] = {P E (k) n.p = 0 E }; If E = /Λ, E [n] = 1 n Λ/Λ; E [n] ( /n ) 2.

17 n-torsion over k = k Let k be an algebraically closed field of characteristic p; Let E : y 2 = x 3 + a x + b be an elliptic curve (for simplicity we assume p = 0 or p > 3); Since E has dimension one, E (k) is infinite (Exercice); The subscheme E [n] has dimension 0 and degree n 2 ;

18 Proof Via division polynomials: there exists a unitary polynomial ϕ n (x ) of degree n 2 such that [n]p = 0 E if and only if ϕ n (x P ) = 0 (Exercice: why does ϕ n not depend on y?); Via dual isogenies: [n] : E E is its own dual isogeny, so [deg[n]] = [n] [n] = [n 2 ], and deg[n] = n 2 ; Via divisors: if D is a divisor on E, the theorem of the cube shows that [n] D is linearly equivalent to n2 +n 2 D + n2 n 2 [ 1] D. But deg[n] D = deg[n]degd so deg[n] = n2 +n+n 2 n 2 = n 2.

19 Group structure of the n-torsion d [n] is the multiplication by n map on the tangent space T 0E E, so [n] is étale whenever p n; In this case #E [n](k) = n 2 so E [n] ( /n ) 2 (Exercice); Either #E [p ](k) = p (in which case E is an ordinary elliptic curve), or #E [p](k) = 0 (and E is a supersingular elliptic curve); If E is ordinary, E [p e ] = /p e µ p e where µ p = Spec [T ]/(T p e 1); If E is supersingular, E [p e ] = α 2 p e where α p e = Spec [T ]/T p e is connected.

20 Proof Let π be the (small) Frobenius, π be the Verschiebung, then π is purely inseparable, and π π = [p], π π = [p], degπ = deg π = p; The Weil pairing e n shows that E [n] (and in particular E [p]) is self-dual; If π is separable, then /p is a subscheme of E [p ] and so is its dual µ p. Taking degrees yield E [p] = Ker π Kerπ = /p µ p. Otherwise π is not separable, so Kerπ cannot be µ p (because its dual /p would be a subscheme of E [p ]) which implies that Kerπ = α p (α p is self-dual).

21 Tate modules The l-adic numbers l = lim /l n are a way to handle all the residue rings /l n at once, = lim /n = l l. Likewise the Tate modules are a way to encode the (l-primary) torsion subgroup: E [n](k) T (E )/nt (E ); T l (E ) = lim E [l n ](k) T (E ) = lim E [n](k) T l (E ) = 2 if p l; l If E is ordinary T p (E ) = p, and T (E ) = (where = lim /n ) p n and E (k) tors = / (p) / ; If E is supersingular T p (E ) = 0 and T (E ) = and E (k) tors = (p ) / (p ) /.

22 The group of rational points over a finite field If k = q then E (k) is finite; In fact (Exercice): E (k) = /n 1 /n 2 with n 1 n 2. We will study how n 1, and n 2 vary under isogenies and fields extensions.

23 The Weil pairing over E = /( + τ ); The function e n : E [n] E [n] µ n (P,Q ) e 2πi n x P y Q x Q y P where P = x P + τy P and Q = x Q + τy Q is bilinear and non degenerate; The value does not depend on the choice of basis for the lattice 0 1 a b Λ = + τ : let J =, then if Sl 1 0 c d 2 ( ), a c b d xp y P T a J c b d xq y Q = xp T a c T J y P xp t b a J d c xq b xq = d y Q y P y Q = x P y Q x Q y P

24 Divisors Let C be a projective smooth and geometrically connected curve; A divisor D is a formal finite sum of points on C : D = n 1 [P 1 ] + n 2 [P 2 ] + n e [P e ]. The degree degd = n i. If f k(c ) is a rational function, then Div f = ord P (f )[P ] P ((O C ) P the stalk of functions defined around P is a discrete valuation ring since C is smooth and ord P (f ) is the corresponding valuation of f at P ). Example e If C = 1 then Div (X α i i ) k = f (X β i e i [α i ] f i [β i ] + ( β i α i ). In particular i ) degdiv f = 0 and conversely any degree 0 divisor comes from a rational function.

25 Linear equivalence class of divisors For a general curve, if f k(c ), Div(f ) is of degree 0 but not any degree 0 divisor D comes from a function f ; A divisor which comes from a rational function is called a principal divisor. Two divisors D 1 and D 2 are said to be linearly equivalent if they differ by a principal divisor: D 1 = D 2 + Div(f ). PicC = Div 0 C /Principal Divisors A principal divisor D determines f such that D = Div f up to a multiplicative constant (since the only globally regular functions are the constants).

26 Divisors on elliptic curves Theorem Let D = n i [P i ] be a divisor of degree 0 on an elliptic curve E. Then D is the divisor of a function f k(e ) (ie D is a principal divisor) if and only if ni P i = 0 E E (k) (where the last sum is not formal but comes from the addition on the elliptic curve). In particular P E (k) [P ] [0 E ] Jac(E ) is a group isomorphism between the points in E and the linear equivalence classes of divisors; Proof. We will give an algorithm (Miller s algorithm) which starts from a divisor D = n i [P i ] of degree 0 and constructs a rational function f such that D is linearly equivalent to [ n i P i ] [0 E ]. If n i P i = 0 E then D is principal. Conversely we have to show that if P = n i P i 0 E then [P ] [0 E ] is not principal. But if we had a function f such that Div(f ) = [P ] [0 E ], then the morphism E 1 : x (1 : f (x )) associated to f would be k birational. But this is absurd: E is an elliptic curve so it has genus 1, it cannot have genus 0.

27 Rational divisors A divisor D over a perfect field is rational if it is stable under the Galois action; If f k(e ) then Div f is a rational divisor, conversely if f k(e ) and Div f is rational then there exists α k such that αf k(e ); A linear equivalence class of divisors [D ] is rational if it is stable under the Galois action: σd D σ Gal(k/k); Over an elliptic curve E, if D [P ] [0 E ] then D is rational if and only if P is rational; Over a curve C with C (k) 0 then a rational equivalence class of divisors has a representative given by a rational divisor; In particular the map P [P ] [0 E ] is Galois-equivariant.

28 Miller s functions Let µ P,Q be a function with divisor [P ] + [Q ] [P +Q ] [0 E ]; Using the geometric interpretation of the addition law on E one can construct µ P,Q explicitly: if P = Q then µ P,Q = x x P ; Otherwise let l P,Q be the line going through P and Q (if P = Q then we take l P,Q to be the tangent to the elliptic curve at P ). Then Div(l P,Q ) = [P ] + [Q ] + [ P Q ] 3[0 E ]. Let v P,Q be the vertical line going through P +Q and P Q; Div(v P,Q ) = [P +Q ] + [ P Q ] 2[0 E ]; µ P,Q = l P,Q v P,Q ; Explicitly if E : y 2 = x 3 + a x + b is given by a short Weierstrass equation, µ P,Q = y α(x x P ) y P x + (x P + x Q ) α 2 (1) with α = y P y Q x P x Q when P Q and α = f (x P ) 2y P when P = Q.

29 Miller s algorithm: reducing divisors Let D = [P ] + [Q ] + D 0 be a divisor of degree 0; Using µ P,Q we get that D = Div(µ P,Q ) + [P +Q ] + D 0 + [0 E ]; We can iterate the reduction until there is only one non zero point in the support: D = Div(g ) + [R ] [0 E ]; D is principal if and only if R = 0 E, in which case g is a function (explicitly written in terms of the µ P,Q ) with divisor D (and normalised at 0 E ).

30 Miller s algorithm: double and add If D = n[p ] n[0 E ] one can combine the reduction above with a double and add algorithm; let λ and P E (k); we define f λ,p k(e ) to be the function normalized at 0 E thus that: Div(f λ,p ) = λ[p ] [λp ] (λ 1)[0 E ]. In particular D = Div f n,p + [np ] [0 E ]; If λ,ν, we have f λ+ν,p = f λ,p f ν,p f λ,ν,p where f λ,ν,p := µ λp,νp is the function associated to the divisor [(λ + ν)p ] [(λ)p ] [(ν)p ] + [0 E ] and normalized at 0 E ;

31 Miller s algorithm: example Let D be a general divisor of degree 0. How to apply a double and add algorithm to reduce D? Write D = D 1 + 2D 2 + 4D Example: D = 5[P ] + 7[Q ] 12[0 E ]; Reduce: [P ] + [Q ] 2[0 E ] [P +Q ] [0 E ]; Double: 2[P +Q ] 2[0 E ] [2P + 2Q ] [0 E ]; Add: [2P + 2Q ] + [Q ] 2[0 E ] [2P + 3Q ] [0 E ]; Double: 2[2P + 3Q ] 2[0 E ] [4P + 6Q ] [0 E ]; Add: [4P + 6Q ] + [P +Q ] 2[0 E ] [5P + 7Q ] [0 E ];

32 Evaluating functions on divisors If f is a function with support disjoint from a divisor D = n i [P i ], then one can define f (D ) = f (P i ) n i If D is of degree 0, then f (D ) depends only on Div f ; Miller s algorithm allows, given Div f to compute f (D ) efficiently, the data Div f can then be seen as a compact way to represent the function f. Technicality: during the execution of Miller s algorithm we introduce temporary points in the support of the divisors we evaluate, so we may get a zero or a pole during the evaluation even through f has support disjoint to D ; One way to proceed is to extend the definition of f (P ) when ord P (f ) = n by fixing a uniformiser u P (a function with simple zero at P ), and defining f (P ) to be (f /u ord P (f ) P )(P ). Since C is smooth, O p = k[[u P ]], f k((u P )) and f (P ) is then the first coefficient in the Laurent expansion of f along u P. For an elliptic curve a standard uniformiser at 0 E is u = x /y ; a function f is said to be normalised at 0 E if f (0 E ) = 1. This fixes uniquely f in its equivalence class Div f.

33 Evaluating functions on divisors: example Algorithm (Evaluating f r,p on Q) Return Input: r, P = (x P, y P ) E [r ]( q ),Q = (x Q, y Q ) E ( q d ). Output: f r,p (Q ) where Div f r,p = r [P ] r [0 E ]. 1 Compute the binary decomposition: r := I b i =0 i 2 i. Let T = P, f 1 = 1, f 2 = 1. 2 For i in [I..0] compute 1 α, the slope of the tangent of E at T. 2 f 1 = f1 2(y Q α(x Q x T ) y T ), f 2 = f2 2(x Q + 2x T α 2 ). 3 T = 2T. 4 If b i = 1, then compute 1 α, the slope of the line going through P and T. 2 f 1 = f 2 1 (y Q α(x Q x T ) y T ), f 2 = f 2 (x Q + x P + x T α 2 ). 3 T = T + P. f 1 f 2.

34 The Weil pairing over algebraically closed fields Theorem Let E be an elliptic curve, r a number and P and Q two points of r -torsion on E. Let D P be a divisor linearly equivalent to [P ] [0 E ] and D Q be a divisor linearly equivalent to [Q ] [0 E ]. Then e W,r (P,Q ) = ɛ(d P,D Q ) r (r D P ) (D Q ) (r D Q ) (D P ) (2) is well defined. Furthermore the application E [r ] E [r ] µ r : (P,Q ) e W,r (P,Q ) is a pairing, called the Weil pairing. The pairing e W,r is an alternate pairing, which means that e W,r (P,Q ) = e W,r (Q,P ) 1. Proof. An essential ingredient of the proof is Weil s reciprocity theorem: if f,g K (E ), then f (Div(g )) = ɛ(div f,divg )g (Div(f )). (Note: ɛ(div f,divg ) = 1 if the two divisors have disjoint support.)

35 Weil s pairing in practice Recall that f r,p is the function with divisor r [P ] r [0 E ] (and normalised at 0 E ) constructed via Miller s algorithm; Similarly f r,q has divisor r [Q ] r [0 E ]; e W,r (P,Q ) = ( 1) r f r,p (Q ) f r,q (P ) ; If during the execution of Miller s algorithm to evaluate f r,p (Q ) we find a pole or a zero, then we know that Q is a multiple of P and that e W,r (P,Q ) = 1.

36 Embedding degree If q is a finite field, the embedding degree e is the smallest integer such that q e = q (µ r ); Alternatively, if r = l is prime, it is the smallest integer such that r q e 1. If σ Gal(k/k), e r (σp,σq ) = σ (e (P,Q )) (by unraveling the definition), so if P,Q k then e (P,Q ) k; In particular if E [l] E ( q ) and l is prime, then l q 1. More generally if E [r ] E ( q ) then µ r q.

37 Application of the Weil pairing Remark Extremely useful for cryptography (MOV attack, pairing-based cryptography); For cryptography rather use optimised pairings derived from the Tate pairing; Application for the group structure: P,Q E [l] form a basis of the l-torsion if and only if e W,l (P,Q ) 1 (Exercice: compare the complexity with the naive method); More generally: P,Q E [r ] form a basis of the r -torsion if and only if e W,r (P,Q ) is a primitive r -root of unity (Exercice: what is the complexity to check this?); If P,Q E [n], e W,nm (P,Q ) = e W,n (P,Q ) m so the Weil pairings glue together to give a symplectic structure on the Tate module T (E ).

38 The Tate pairing over a finite field Theorem Let E be an elliptic curve, r a prime number, P E [r ]( q e ) a point of r -torsion defined over q e and Q E ( q e ) a point of the elliptic curve defined over q e. Let D P be a divisor linearly equivalent of [P ] [0 E ] and D Q be a divisor linearly equivalent of [Q ] [0 E ]. Then e T,r (P,Q ) = (r D P ) (D Q ) q e 1 r (3) is well defined and does not depend on the choice of D P and D Q. Furthermore the application E [r ]( q e ) E ( q e )/r E ( q e ) µ r : (P,Q ) e T,r (P,Q ) is a pairing, called the Tate pairing.

39 Tate s pairing in practice Recall that f r,p is the function with divisor r [P ] r [0 E ] (and normalised at 0 E ) constructed via Miller s algorithm; e T,r (P,Q ) = f r,p (Q ) q e 1 r ; If during the execution of Tate s algorithm to evaluate f r,p (Q ) we find a pole or a zero, then we use D Q = [Q + R ] [R ] instead (for R a random point in E ( q e )) and evaluate e T,r (P,Q ) = If R E ( q ) and e > 1 we have fr,p (Q + R ) f r,p (R ) q e 1 r e T,r (P,Q ) = f r,p (Q + R ) q e 1 r. ;

40 Tate pairing and the Frobenius The Weil pairing, Tate pairing and the Frobenius are related; Let P E [r ]( q e ) and Q E ( q e ). Let Q 0 E [r ](k) be any point such that rq 0 = Q; π e Q 0 Q 0 E [r ] (Exercice) e T,r (P,Q ) = e W,r (P,(π e 1)Q 0 ) If Q = Q + r R with R E ( q e ) then one can choose Q 0 = Q 0 + R so that (π e 1)(Q 0 ) = (π e 1)(Q 0 ); So the value of e T,r (P,Q ) depends only on the class of Q E ( q e )/r E ( q e ).

41 Proof The link between the Weil and Tate pairing comes from Weil s reciprocity; If E [r ] E ( q e ), then (π e 1)E [r ] = 0 so πe 1 r is an endomorphism; Since the Weil pairing is non degenerate, to show that the Tate pairing is non degenerate we just need to show that πk 1 r : E ( q e ) E [r ] is surjective; The kernel of πk 1 r restricted to E ( q e ) is r E ( q e ), so the image is isomorphic to E ( q e )/r E ( q e ); E ( q e ) = /a /b with a b, and since E ( q e ) E [r ], we know that r a and r b ; We deduce that E ( q e )/r E ( q e ) is isomorphic to /r /r, in particular it has cardinal r 2 so the application is indeed surjective; The general case comes from Galois cohomology applied to the exact sequence 0 E [r ] E (k) E (k) > 0.

42 Field of definition of the r -roots of unity By the CRT, we may assume that r = l n ; µ l n lives in q e whenever v l (q e 1) n; If µ l q then q (µ l ) = q e with e l 1; If µ l q, then v l (q e 1) = v l (q 1) unless l e ; If µ l q, v l (q l 1) = v l (q 1) + 1 (except possibly when l = 2 and v l (q 1) = 1 where v l (q l 1) can increase by more than 1); (Hint: write q e 1 = (q 1)(1+q +q 2 + +q k 1 )) = (q 1)(q 1+q q e 1 1+e )).

43 Endomorphisms and isogenies An isogeny is a non constant rational application ϕ : E 1 E 2 between two elliptic curves E 1 and E 2 that commutes with the addition law; A rational application ϕ is an isogeny if and only if ϕ(0 E1 ) = 0 E2 (and ϕ 0); An isogeny is surjective on the k-points and has finite kernel; The degree of ϕ is [k(e 2 ) : ϕ k(e 1 )]; An isogeny ϕ : E 1 E 2 admits a dual ϕ : E 2 E 1 such that ϕ ϕ = [degϕ] and ϕ ϕ = [degϕ]; We write E 1 [ϕ] = Kerϕ; degϕ = deg E 1 [ϕ] (as a scheme), Kerϕ determines ϕ (up to automorphisms); If ϕ is separable (for instance if p degϕ) then E 1 [ϕ] = {P E 1 (k) ϕp = 0 E2 } so degϕ = #E 1 [ϕ](k); Conversely a finite subscheme group K determines an isogeny E E /K of degree deg K ; Over an elliptic curve, every isogeny is (up to isomorphisms) the composition of a separable isogeny and a power of the small Frobenius π p. An endomorphism ϕ End(E ) is an isogeny from E to E.

44 Endomorphism and isogenies over Let E 1 = /Λ 1 and E 2 = /Λ 2 ; An isogeny comes from a linear map z αz where αλ 1 Λ 2 ; The kernel is α 1 Λ 2 /Λ 1 ; If E = /Λ an endomorphism comes from a linear map z αz where αλ Λ; Write Λ = τ, we get that if α then τ satisfy a quadratic equation and α [τ]; (τ) is then a quadratic imaginary field and End(E ) an order (because it stabilizes a lattice).

45 Field of definition of endomorphisms Let E /k be an elliptic curve (k perfect); It may happen that endomorphisms of E are defined over a larger field than k (Exercice: but there are always defined over a finite extension of k); We let End(E ) = End k (E ) and End k (E ) the subring of rational endomorphisms; ϕ End(E ) is defined over k if and only if it is stable under Gal(k/k); In particular if k = q and π is the Frobenius, then End k (E ) is the commutant of π in End(E ). If l /k is an extension of field, then End l (E )/End k (E ) is torsion free (Exercice: if mϕ is rational, then so is ϕ). Remark If k is not perfect and l /k is a purely inseparable extension of k then End l (E ) = End k (E ).

46 Characteristic polynomial Let ϕ End k (E ), the characteristic polynomial χ ϕ [X ] is defined as The characteristic polynomial of ϕ on T l (E ) (l p ); The only polynomial such that deg(ϕ n Id) = χ ϕ (n) n ; If End k (E ) is quadratic, as the characteristic polynomial of ϕ in End(E ); If ϕ, as the characteristic polynomial of ϕ in (ϕ); If ϕ, as X 2 2ϕX + ϕ 2 ; Let Tr(ϕ) = ϕ + ˆϕ and N (ϕ) = ϕ ˆϕ = degϕ ; χ ϕ = X 2 Tr(ϕ)X + N (ϕ); Corollary If p n, the characteristic polynomial of ϕ acting on E [n] is χ ϕ mod n. Remark If ϕ End k (E ), ϕ = ϕ.

47 Characteristic polynomial of the Frobenius (k = q ) χ π = X 2 t X + q; The roots of χ π in have absolute value q so t 2 q (Hasse); #E ( q ) = deg(π 1) = χ π (1); χ π n = Res X (χ π (Y ), Y n X ); Theorem (Tate) ζ E = exp #E ( q n ) T n = 1 t T + q T 2 n (1 q T )(1 T ) ; n=1 Two elliptic curves over q are isogenous if and only if they have the same cardinal, if and only if they have the same characteristic polynomial of the Frobenius.

48 Action of the Frobenius on E [l] Let π = t 2 4q; λ 0 If π = 0 mod l then either π = on E [l] (and all l-isogenies are 0 λ λ 1 rational) or π = (and there is one rational l-isogeny); 0 λ π λ 0 If = 1 then π = on E [l] with λ ν l 0 µ l, λµ = q (and there are two rational l-isogenies); π λ 0 If = 1 then π = on E [l] with λ ν l 0 µ l 2, λµ = q (and there are no rational l-isogenies). Corollary If l #E ( q ) then 1 0 If the embedding degree e > 1 then π = and E [l] E ( 0 q q e ); 1 1 Otherwise π = and E [l] E ( 0 1 q l).

49 Isogenies and Tate modules Let l p then Hom(E 1, E 2 ) l Hom(T l E 1,T l E 2 ) is injective [Sil86][Theorem III.7.4] (Exercice: show that Hom(E 1, E 2 ) Hom(T l E 1,T l E 2 ) is injective); In particular End(E ) has rank at most 4; Theorem (Tate,Faltings) If k is a finite field or a number field, then Hom k (E 1, E 2 ) l Hom l (Gal(k/k)) (T le 1,T l E 2 ) Remark Tate s theorem remain valid for l = p when considering the Tate module coming from the duality of p-divisible group schemes.

50 Endomorphism rings and endomorphism fields End k (E ) is either ; Remark An order in a quadratic imaginary field; A maximal order in the definite quaternion algebra ramified at p and. If E is an elliptic curve over a finite field q, then If E is ordinary then End(E ) is an order in a quadratic imaginary field; If E is supersingular then End(E ) is a maximal order in the definite quaternion algebra ramified at p and. Exercice In characteristic 0, End k (E ) is commutative; In characteristic p, End k (E ) = if and only if j (E ) is transcendental.

51 End 0 k (E ) We follow endomorphisms-of-elliptic-curves-and-the-tate-module/ Lemma Hom(E 1, E 2 ) is torsion free. Proof. The degree is multiplicative, so if [m] f = 0 then m = 0 or f = 0. Lemma End k (E ) has no zero divisors, so End 0 k (E ) = End k (E ) is a division algebra

52 Proof (We assume here that p > 2) If End k (E ) has rank 1 then it is (the maximal order of ); Let ϕ End k (E ) \, by translating by an integer we can assume that Trϕ = 0, and since N (ϕ) = degϕ > 0 we get that + ϕ is an order in a quadratic imaginary field. If the rank of End k (E ) = 2 then End k (E ) is an order containing + ϕ. Otherwise ψ ϕψϕ 1 is a linear map of order 2. If ψ is in the 1-eigenspace (Exercice: why does such a ψ exists?) then (1,ϕ,ψ,ϕψ) forms a basis of End k (E ). Thus End 0 (E ) is a quaternion algebra and k End k (E ) an order in the quaternion algebra. Over l p we get that End k E l End(T l E ) = M 2 ( l ) so End 0 E is split k at l; So either End 0 k E = M 2( ) or the definite quaternion algebra ramified at p and. But M 2 ( ) has zero divisors so it cannot be End k (E ).

53 Endomorphism rings over q Let E / q be an elliptic curve, π the Frobenius and χ π = X 2 t X + q; E is supersingular if and only if t is not prime to p, if and only if a power of π is an integer, if and only if End 0 (E ) is a quaternion algebra if and only if the isogeny class (up to isomorphism) over k is finite. Either χ π is irreducible or χ π = X 2 2 ± q X + q = (X q ) 2 and π = ± q. If χ π is irreducible then End 0 = (π) = ( t k 2 4q ) is quadratic imaginary, otherwise End 0 is the definite quaternion algebra k ramified at p and ; If E is ordinary over q, then End k (E ) = End(E ) is an order in (π) containing [π], [π] is maximal at p and p splits. If E is supersingular, then End 0 k (E ) is a quaternion algebra if and only if π, and End k (E ) = End(E ) is then a maximal order. Otherwise End k (E ) is a quadratic order in (π) and is maximal at p (even though [π] may not be maximal at p).

54 Proof (partial) If E is supersingular then π 2 p E E. In particular j E p 2 and π 2 p = [p] ζ where ζ is an automorphism. ζ is then a root of unity in End(E ) so a power of π is an integer. Reciprocally if π n then p π n is inseparable so E is supersingular. t is not prime to p a power of π is an integer (Not trivial exercice, see [Wat69][Chapter 4]); π n End 0 q (E ) is a quaternion algebra (by Tate s theorem); n If End 0 (E ) = (π) is a quadratic field, then the isogeny class is infinite (Exercice: look at isogenies E E i of degree a prime l i inert in O K and prove that the E i are non isomorphic). Conversely all supersingular elliptic curves are defined over p 2 so the isogeny class is finite.

55 Reduction and lifting Let O be an order in a imaginary quadratic field K. Then there are h O (the class number of O) elliptic curves over with endomorphism ring O. They are defined over the ray class field H O of O. If p O, p is a prime of good reduction. Let p be a prime above p in H O. If p is inert in K, E p is supersingular. If p splits, E p is ordinary, and its endomorphism ring is the minimal order containing O of index prime to p. Reciprocally, if E / q is an ordinary elliptic curve, the couple (E,End(E )) can be lifted over q. Corollary If E / q is an ordinary elliptic curve, then End(E ) is an order in K = (π) of conductor prime to p. For every order O of K such that [π] O, there exist an isogenous curve whose endomorphism ring is O. Reciprocally, for every order O of discriminant a non zero square modulo p, let n be the order of one of the prime above p in the class group of O. Then there exist an (ordinary) elliptic curve E over q n with End(E ) = O.

56 Automorphisms and twist The automorphisms of E are the inversible elements in O = End k E. All inversible elements are roots of unity. We usually have O = {±1} except in the following exceptions: 1 j E = 1728 (p 2,3), in this case O is the maximal order in (i ) and #O = 4; 2 j E = 0 (p 2,3), in this case O is the maximal order in (i 3) and #O = 6; 3 j E = 0 (p = 3), in this case E is supersingular and #O = 12; 4 j E = 0 (p = 2), in this case E is supersingular and #O = 24. The Frobenius π K characterizes the isogeny class of E (Tate). A twisted isogeny class will correspond to a Frobenius π π, where there exist n with π n = π n. This give a bijection between the twisted isogeny class and the roots of unity in K. More generally, there is a bijection between O and the twists of E. Remark If E 1 is isogeneous to E 2 over k and k l, Hom k (E 1, E 2 ) = Hom l (E 1, E 2 ) when End k (E 1 ) = End l (E 2 ). In particular a twist to E is never isogenous to E over k if E is ordinary.

57 Isogeny class of elliptic curves over q Let q = p n. The isogeny classes of elliptic curves are given by the value of the trace t by Tate s theorem. The possible value of t are: t prime to p, in this case the isogeny class is ordinary. The other cases give supersingular elliptic curves. The endomorphism fraction ring End 0 ( ) of the isogeny class is either a quaternion algebra k of rank 4, or an imaginary quadratic field. In the latter case, it will become maximal after an extension of degree d, with: 1 If n is even: t = ±2 q, this is the only case where End 0 k ( ) is a quaternion algebra. t = ± q when p 1 mod 3, here d = 3. t = 0 when p 1 mod 4, here d = 2. 2 If n is odd: Remark t = 0, here d = 2. t = ± 2q when p = 2, here d = 4. t = ± 3q when p = 3, here d = 6. Any two supersingular elliptic curves become isogenous after a quadratic extension of degree 2d (with d the degree where their endomorphism ring become maximal). But a new maximal class and up to 3 commutative classes appear in this extension.

58 Isogeny graph and endomorphisms of ordinary elliptic curves The l-isogeny graph looks like a volcano [Koh96; FM02]: Let f E be the conductor of End(E ) O K. At each level v l (f E ) increase by one. At the crater v l (f E ) = 0 and at the bottom v l (f E ) = v l (f ) = ν π where f is the conductor of [π] O K.

59 The α-torsion as an End k (E ) module Theorem ([Len96]) If End k (E ) is commutative, let α End k (E ) be a separable endomorphism. We have an isomorphisme of End k (E )-modules: E [α] End k (E )/αend k (E ). If End k (E ) is non commutative (ie π ), let n. We have an isomorphism of End k (E )-modules: E [n] E [n] End k (E )/n End k (E ). Outline of the proof in the commutative case. End k (E ) is a quadratic order so it is a Gorenstein ring. E [α] is faithful over End k (E )/αend k (E ), which is a finite Gorenstein ring. So E [α] contains a free End k (E )/αend k (E ) module of rank 1, but #E [α] = #End k (E )/αend k (E ) = degα so E [α] is free of rank 1 over End k (E )/αend k (E ).

60 The structure of the rational points Theorem (Lenstra) Let E / q be an ordinary elliptic curve (or suppose that π ). We have as End q (E )-modules: E ( q n ) End q (E ) π n 1 Let π = t 2 4q and the discriminant of ( π ). We have π = f 2 where f is the conductor of [π] O K. In practice if π = d f 2, then = d, f = f 0 0 if d 1 mod 4 or = 4d, f = f 0 /2 otherwise; Let ω = 1+ d 2 if d 1 mod 4 and ω = d otherwise. O K = ω = [ + 2 ]; π = a + f ω with a = t f 2 if d 1 mod 4 and a = t 2 otherwise; Let f E be the conductor of End(E ) O K, f E f since [π] End(E ), f = f E γ where γ E = [End(E ) : [π]]; E ( q ) = /n 1 /n 2 where n 1 n 2, n 1 = gcd(a 1,γ E ) and N = n 1 n 2 = #E ( q ).

61 Torsion and conductor of the order Lemma ([MMS+06]) Let N = n 1 n 2 = #E ( q ), π = a + f ω, n 1 = gcd(a 1,γ E ). v l (a 1) min(v l (f ), v l (N )/2). Proof. N = χ π (1) = (1 π)(1 π). If d 1 mod 4, from π = a + f ω we get N = (a 1) 2 d f 2 so 2v l (a 1) min(2v l (f ), v l (N ). If d 1 mod 4, then (t 2) 2 = f 2 + 4N so 4(a 1) 2 = 4N + f 2 (d 1) 4f (a 1), and taking valuations yield the Lemma too. Corollary If v l (n 1 ) < v l (N )/2 then v l (γ E ) = v l (n 1 ); If v l (n 1 ) = v l (N )/2 then v l (γ E ) v l (N )/2.

62 The structure of the l -torsion in the volcano If E is on the floor, E [l ]( q ) is cyclic: E [l ]( q ) = /l m, with m = v l (N ) (possibly m = 0). If E is on level α < m/2 above the floor, then E [l ]( q ) = /l α /l m α. If ν m/2 then m is even and when E is on level α m/2, E [l ]( q ) = /l m/2 /l m/2. Corollary When E [l ]( q ) = /l α /l m α with α m/2 we can read the l-valuation of the conductor of End k (E ) directly from the rational points! Example If l #E ( q ) then End k (E ) is maximal at l and the volcano has height 1.

63 The structure of the l -torsion in the volcano νe = 0 E [l ]( q ) = /l m/2 /l m/2 νe = 1 E [l ]( q ) = /l m/2 /l m/2 νe = ν 2 E [l ]( q ) = /l 2 /l m 2 νe = ν 1 E [l ]( q ) = /l /l m 1 νe = ν E [l ]( q ) = /l m

64 Torsion and extensions v l (f π e ) = v l (f π ) when l e ; v l (f π l) = v l (f π ) + 1, except when l = 2 and v l (f π) = 1 when the height can increase by more than one [Fou01]; If E [l ]( q ) = /l n 1 /l n 2 (n1 n 2 ) with n 1 > 0 and n 2 > 0 then E [l ]( q e ) = E [l ]( q ) when l e ; With the hypothesis above, if l > 2, E [l ]( l q ) = /ln 1+1 /l n 2+1 ; If l = 2, n 1 and n 2 can increase by more than one (but when v l (f π ) > 1 then n 1 only increase by 1) [IJ13].

65 Number fields If K is a number field, E (K ) is finitely generated (Mordell); E ( ) tors { /n 1 n 10 or n = 12} { /2 /2, /2 /4, /2 /6, /2 /8 } (Mazur).

66 E (k) [Len96] E (k) = E (k) tors E (k)/e (k) tors ; E (k)/e (k) tors is equal to 0 if k is the algebraic closure of a finite field, otherwise it is isomorphic as en End(E ) module to End 0 (E ) #k ; Let p denotes the endomorphisms acting trivially on the tangeant space T 0 (E ); If E is ordinary (rankend(e ) = 2), E (k) tors = End(E ) p /End(E ); Otherwise (rankend(e ) = 4) E (k) tors E (k) tors = End(E ) p /End(E ). Corollary E (k) = E (k) tors if and only if k is algebraic over a finite field. Proof. If k is algebraic over a finite field and P E (k), the coordinates of P are defined over a finite field, so P is of torsion. Conversely we may assume that k is algebraic over p (T ) or or (T ). If E (k) = E (k) tors the Jordan-Hölder factors of the absolute Galois group would be of the form PSL 2 ( q ) (up to a finite number of exceptions). But p (T ), and (T ) all have Galois extension with the symmetric groups S n for all n.

67 Bibliography M. Fouquet and F. Morain. Isogeny volcanoes and the SEA algorithm. In: Algorithmic Number Theory (2002), pp (cit. on p. 58). M. Fouquet. Anneau d endomorphismes et cardinalité des couples elliptiques: aspects algorithmiques. PhD thesis. Palaiseau, Ecole Polytechnique, 2001 (cit. on p. 64). S. Ionica and A. Joux. Pairing the volcano. In: Mathematics of Computation (2013), pp (cit. on p. 64). D. Kohel. Endomorphism rings of elliptic curves over finite fields. PhD thesis. University of California, 1996 (cit. on p. 58). H. Lenstra Jr. Complex multiplication structure of elliptic curves. In: journal of number theory 56.2 (1996), pp (cit. on pp. 2, 59, 66). J. Milne. Elleptic Curves. In: (2006) (cit. on p. 2). J. Miret, R. Moreno, D. Sadornil, J. Tena, and M. Valls. An algorithm to compute volcanoes of 2-isogenies of elliptic curves over finite fields. In: Applied mathematics and computation (2006), pp (cit. on p. 61).

68 J. H. Silverman. The arithmetic of elliptic curves. Vol Graduate Texts in Mathematics. Corrected reprint of the 1986 original. New York: Springer-Verlag, 1986, pp. xii+400. ISBN: (cit. on pp. 2, 49). W. Waterhouse. Abelian varieties over finite fields. In: Ann. Sci. Ecole Norm. Sup 2.4 (1969), pp (cit. on pp. 2, 54). W. Waterhouse and J. Milne. Abelian varieties over finite fields. In: Proc. Symp. Pure Math 20 (1971), pp (cit. on p. 2).