Elliptic Curves Spring 2013 Lecture #14 04/02/2013

Similar documents
13 Endomorphism algebras

13 Endomorphism algebras

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

14 Ordinary and supersingular elliptic curves

Introduction to Arithmetic Geometry Fall 2013 Lecture #7 09/26/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

NOTES ON FINITE FIELDS

5 Dedekind extensions

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013

Explicit Complex Multiplication

c ij x i x j c ij x i y j

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

20 The modular equation

over a field F with char F 2: we define

Automorphisms and bases

5 Dedekind extensions

7 Orders in Dedekind domains, primes in Galois extensions

w d : Y 0 (N) Y 0 (N)

RINGS: SUMMARY OF MATERIAL

Math 121 Homework 5: Notes on Selected Problems

GEOMETRIC CONSTRUCTIONS AND ALGEBRAIC FIELD EXTENSIONS

School of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information

24 Artin reciprocity in the unramified case

(1) A frac = b : a, b A, b 0. We can define addition and multiplication of fractions as we normally would. a b + c d

Polynomials, Ideals, and Gröbner Bases

THE DIFFERENT IDEAL. Then R n = V V, V = V, and V 1 V 2 V KEITH CONRAD 2 V

20 The modular equation

Section 31 Algebraic extensions

Part IV. Rings and Fields

Elliptic Curves Spring 2017 Lecture #5 02/22/2017

MINKOWSKI THEORY AND THE CLASS NUMBER

DOES XY 2 = Z 2 IMPLY X IS A SQUARE?

1 Fields and vector spaces

Computing the endomorphism ring of an ordinary elliptic curve

Factorization in Polynomial Rings

An Introduction to Supersingular Elliptic Curves and Supersingular Primes

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

Thus, the integral closure A i of A in F i is a finitely generated (and torsion-free) A-module. It is not a priori clear if the A i s are locally

Extension fields II. Sergei Silvestrov. Spring term 2011, Lecture 13

Theorem 5.3. Let E/F, E = F (u), be a simple field extension. Then u is algebraic if and only if E/F is finite. In this case, [E : F ] = deg f u.

The Kummer Pairing. Alexander J. Barrios Purdue University. 12 September 2013

Introduction to Elliptic Curves

6 Ideal norms and the Dedekind-Kummer theorem

6]. (10) (i) Determine the units in the rings Z[i] and Z[ 10]. If n is a squarefree

CHAPTER 0 PRELIMINARY MATERIAL. Paul Vojta. University of California, Berkeley. 18 February 1998

MATH 326: RINGS AND MODULES STEFAN GILLE

(IV.C) UNITS IN QUADRATIC NUMBER RINGS

Lecture 2: Elliptic curves

Solutions to odd-numbered exercises Peter J. Cameron, Introduction to Algebra, Chapter 2

(January 14, 2009) q n 1 q d 1. D = q n = q + d

Understanding hard cases in the general class group algorithm

Math 145. Codimension

On elliptic curves in characteristic 2 with wild additive reduction

FACTORING IN QUADRATIC FIELDS. 1. Introduction

Gaussian integers. 1 = a 2 + b 2 = c 2 + d 2.

Homework 6 Solution. Math 113 Summer 2016.

1 Absolute values and discrete valuations

4. Noether normalisation

THE TATE MODULE. Seminar: Elliptic curves and the Weil conjecture. Yassin Mousa. Z p

Algebra Exam Syllabus

8 Point counting. 8.1 Hasse s Theorem. Spring /06/ Elliptic Curves Lecture #8

Computing the image of Galois

Honors Algebra 4, MATH 371 Winter 2010 Assignment 3 Due Friday, February 5 at 08:35

Algebraic Number Theory

ALGEBRA II: RINGS AND MODULES OVER LITTLE RINGS.

MT5836 Galois Theory MRQ

Math 120 HW 9 Solutions

Finite Fields: An introduction through exercises Jonathan Buss Spring 2014

Introduction to Arithmetic Geometry Fall 2013 Lecture #18 11/07/2013

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

Algebraic Number Theory Notes: Local Fields

COMPLEX MULTIPLICATION: LECTURE 15

Algebraic structures I

Supplement. Algebraic Closure of a Field

NOTES ON SPLITTING FIELDS

Introduction to Arithmetic Geometry Fall 2013 Lecture #5 09/19/2013

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

Solution. That ϕ W is a linear map W W follows from the definition of subspace. The map ϕ is ϕ(v + W ) = ϕ(v) + W, which is well-defined since

Galois groups of polynomials and the construction of finite fields

TOTALLY RAMIFIED PRIMES AND EISENSTEIN POLYNOMIALS. 1. Introduction

Computations/Applications

COMPLEX MULTIPLICATION: LECTURE 14

Algebraic function fields

Introduction to Arithmetic Geometry Fall 2013 Lecture #17 11/05/2013

15 Dirichlet s unit theorem

THE ARITHMETIC OF NUMBER RINGS. Peter Stevenhagen

TROPICAL SCHEME THEORY

Math 210B: Algebra, Homework 4

Algebraic number theory

x = π m (a 0 + a 1 π + a 2 π ) where a i R, a 0 = 0, m Z.

Some algebraic number theory and the reciprocity map

Hans Wenzl. 4f(x), 4x 3 + 4ax bx + 4c

p-adic fields Chapter 7

Public-key Cryptography: Theory and Practice

4.5 Hilbert s Nullstellensatz (Zeros Theorem)

MODULES OVER A PID. induces an isomorphism

Rings. EE 387, Notes 7, Handout #10

Integral Extensions. Chapter Integral Elements Definitions and Comments Lemma

Math 121 Homework 4: Notes on Selected Problems

Transcription:

18.783 Elliptic Curves Spring 2013 Lecture #14 04/02/2013 A key ingredient to improving the efficiency of elliptic curve primality proving (and many other algorithms) is the ability to directly construct an elliptic curve E/F q with a specified number of rational points, rather than generating curves at random until a suitable curve is found. To do this we need to develop the theory of complex multiplication. Recall from Lecture 7 that for any elliptic curve E/k, the multiplication-by-n maps [n] form a subring of the endomorphism ring End(E). This subring is isomorphic to Z, and it is notationally convenient to simply identify it with Z. 1 Thus the inclusion Z End(E) always holds. For curves with complex multiplication, this inclusion is strict. Definition 14.1. An elliptic curve E/k has complex multiplication (CM) if End(E) Z. As we shall see in later lectures, the term arises from the fact that endomorphisms of elliptic curves over C can be viewed as multiplication-by-α maps, for some complex number α. If End(E) = Z then α is an integer, and in general, α is an algebraic integer. 14.1 Endomorphism rings of elliptic curves Our first objective is to classify the different endomorphism rings that are possible. We will consider this problem in its full generality, for an elliptic curve E over a field k of characteristic p (possibly p = 0). We begin by summarizing some of the basic facts about End(E) that we will need, several of which we saw previously in Lecture 7. Lemma 14.2. Z lies in the center of End(E). Proof. (nφ)(p ) = nφ(p ) = φ(np ) = (φn)(p ) for all n Z, φ End(E), and P E(k). Lemma 14.3. End(E) has no zero divisors. Proof. Recall that every nonzero isogeny α has a finite kernel, since ker α deg α. If α, β End(E) are both nonzero, then both have finite kernels, and therefore αβ has a finite kernel, since the preimage of ker β under α must be finite. Therefore αβ 0. Recall that every nonzero isogeny α: E 1 E 2 has a unique dual isogeny αˆ : E 2 E 1 for which αˆα = [deg α]. The dual of an endomorphism is clearly an endomorphism, and for every nonzero n Z we have nˆ = n. We analogously define ˆ0 = 0, and note that ˆ00 = deg 0. The trace of an endomorphism is defined as tr φ = φ + φ, ˆ and for all φ End(E) and all positive integers n prime to p we have deg φ det φ n mod n and tr φ tr φ n mod n, where φ n denotes the restriction of φ to E[n] Z/nZ Z/nZ; see Theorem 7.14. Lemma 14.4. For all φ, λ End(E), we have deg(φλ) = deg φ deg λ. 1 With this identification in mind, we often write n instead of [n]. Note that nφ = φ + + φ is the same endomorphism as the composition [n] φ, so there is no risk of confusion. 1 Andrew V. Sutherland

Proof. For any φ and λ we may pick an integer n p such that n is strictly greater than both deg(φλ) and deg φ deg λ. We then have deg(φλ) det(φ n λ n ) det φ n det λ n deg φ deg λ mod n, and therefore the nonnegative integers deg(φλ) and deg φ deg λ must be equal. We now now show that, as an operator on End(E), the dual map is an anti-commutative linear involution, also called an anti-involution. Theorem 14.5. Let φ and λ be elements of End(E) and let a and b be integers. following properties hold: ˆ (i) φ = φ, (ii) φλ = λφ, ˆ ˆ (iii) aφ + bλ = aφ ˆ + bλ. ˆ Proof. Property (i) was proved in Lecture 7 for nonzero isogenies, and note that ˆ0 = ˆ0 = 0. Property (ii) is immediate if either endomorphism is zero, and otherwise we have (λφ)(φλ) ˆ ˆ = λ(deg ˆ φ)λ = (deg φ)λλ ˆ = deg φ deg λ = deg(φλ), which implies φλ = λφ, ˆ ˆ by definition. For property (iii) we use Lemma 7.9 to obtain aφ + bλ = aφ + bλ = φa ˆ + λb ˆ = aφ ˆ + bλ, ˆ which completes the proof. Finally, we recall Theorem 7.13, which states that every endomorphism φ satisfies the characteristic equation φ 2 tr(φ)φ + deg φ = 0. (1) 14.2 The endomorphism algebra of an elliptic curve The additive group of End(E), like all abelian groups, is a Z-module. Thus we can think of the ring End(E) as a Z-module with a multiplication operation that is distributive and commutes with scalar multiplication by elements of Z. We now want to upgrade our Z-module with multiplication to a Q-vector space with multiplication, that is, a Q-algebra, where the multiplication must be compatible with the vector field operations, but need not be commutative. To do this we take the tensor product of End(E) with Q. Definition 14.6. The endomorphism algebra of E is End 0 (E) = End(E) Z Q. General tensor product constructions can be rather abstract (see [1, p. 22] for a quick review of tensor products), but tensoring a Z-module with Q is the simplest possible case; all we are really doing is extending our ring of scalars Z to the field Q. With this in mind, we write the tensor φ s as sφ. In general, not every element of a tensor product R S is of the form r s (an elementary tensor), but in the case of End 0 (E) this is true. Lemma 14.7. Every element of End 0 (E) can be written as sφ, with s Q and φ End(E). Proof. It suffices to show that s 1 φ 1 + s t φ 2 can be written as s 3 φ 3, where s 1, s 2, s 3 Q and φ 1, φ 2, φ 3 End(E). Let s 1 = a/b and s 2 = c/d with a, b, c, d Z. Then a c s 1 φ 1 + s 2 φ 2 = φ 1 + b d φ 2 = ad bd φ 2 + bc bd φ 2 = 1 ( ) adφ1 + bcφ 2, bd so we may take s 3 = 1 bd and φ 3 = adφ 1 + bcφ 2. The 2

We now extend the dual map to End 0 (E) by scalars, defining sφ = sφˆ for all s Q. This implies that ŝ = s for all s Q (take φ = 1), thus αˆ ˆ = α holds for all α End 0 (E). We also have α β = βαˆ ˆ for all α, β End 0 (E), since this holds for elements of End(E) and scalars commute. The fact that the dual map is Z-linear on End(E) implies that it is Q-linear on End 0 (E). Thus all three properties of Theorem 14.5 hold for the dual map on End 0, and it is an anti-involution, also known as the Rosati involution. The Rosati involution allows us to extend the notions of degree and trace on End(E) to a norm N and a trace T defined on all of End 0 (E). Definition 14.8. Let α End 0 (E). The (reduced) norm of α is Nα = ααˆ and the trace of α is T α = α + αˆ. With these definitions the characteristic equation (1) also holds in End 0 (E), since for any α End 0 (E) we have α 2 T (α)α + Nα = α 2 (α + αˆ)α + ααˆ = α 2 α 2 αˆα + ααˆ = 0. Here we have used the fact that α commutes with its dual αˆ (this is true in End(E), and scalars commute with every element of End 0 (E)). We now show that both Nα and T α lie in Q, and derive some other useful properties of the norm and the trace. Lemma 14.9. For all α End 0 (E) we have Nα Q 0, with Nα = 0 if and only if α = 0. Proof. Write α = cφ, with c Q and φ End(E). Then Nα = ααˆ = c 2 deg φ 0. If either c or φ is zero then α = 0 and Nα = 0, and otherwise Nα > 0. Corollary 14.10. Every nonzero α End 0 (E) has a multiplicative inverse α 1. Proof. Let β = αˆ/nα. Then αβ = ααˆ/nα = Nα/Nα = 1 (and we similarly have βα = (αˆ/nα)α = αˆα/nα = ααˆ/nα = Nα/Nα = 1), so β = α 1. The corollary implies that End 0 (E) is a division ring (also known as a skew field). Thus End 0 (E) is a field if and only if it is commutative. As we saw in Problem Set 4, End(E), and therefore End 0 (E), need not be commutative, so End 0 (E) is not necessarily a field. Lemma 14.11. Let α, β End 0 (E) and c, d Q. The following hold: (i) T α = 1 + Nα N(1 α) Q; (ii) T (cα + dβ) = ct α + dt β; (iii) If T α = 0 then α 2 = Nα Q 0. Proof. For (i) we have 1 + ααˆ (1 α)(1 αˆ) = α + αˆ = T α, which must lie in Q since Nα and N(1 α) lie in Q. For (ii) we note that the trace map on End(E) is Z-linear and the Rosati involution fixes Q. For (iii) we apply α 2 (T α)α + Nα = 0. We are now ready to prove our main result, which classifies the possible endomorphism algebras of an elliptic curve. 3

Theorem 14.12. End 0 (E) is isomorphic to one of the following: (i) The field of rational numbers Q; (ii) An imaginary quadratic number field Q(α), with α 2 < 0; (iii) A quaterion algebra of the form 2 Q + αq + βq + αβq, where α 2 < 0, β 2 < 0, and αβ = βα. Note that End 0 (E) is commutative if and only if we are in one of the first two cases. Proof. The Q-algebra End 0 (E) obviously contains Q. If it equals Q, then we are in case (i). Otherwise, choose α End 0 (E) \ Q. By replacing α with α 1 2T α, we may assume without loss of generality that T α = 0. Then, by Lemma 14.11, α 2 < 0, so Q(α) is an imaginary quadratic number field. If End 0 (E) = Q(α), then we are in case (ii). Otherwise, choose β End 0 (E) \ Q(α). As above, we assume without loss of generaility that T β = 0 (so β 2 < 0). Furthermore, by replacing β with T (αβ) β α (2) 2α 2 we can assume that T (αβ) = 0 (one can check this by multiplying (2) by α and taking ˆ the trace). Thus T α = T β = T (αβ) = 0. This means that α = αˆ, β = β, and αβ = α β = ˆβαˆ. Substituting the first two equalities into the third, αβ = βα. To prove that Q(α, β) is a quaternion algebra, it only remains to show that 1, α, β, and αβ are linearly independent over Q. By construction, 1, α, and β are linearly independent. Now suppose for the sake of contradiction that for some a, b, c Q. We then have αβ = a + bα + cβ, (αβ) 2 = (a 2 + b 2 α 2 + c 2 β 2 ) + 2a(bα + cβ). The LHS lies in Q, since T (αβ) = 0, as does the first term on the RHS, since T α = T β = 0. Thus bα+cβ must lie in Q, and it follows that both b and c are nonzero, since α, β Q. But if we let d = bα + cβ, then β = (d bα)/c lies Q(α), which is our desired contradiction. We now claim that End 0 (E) = Q(α, β). Suppose not. Let γ End 0 (E) \ Q(α, β). As with β, we may assume without loss of generality that T γ = 0 and T (αγ) = 0, which implies αγ = γα, as above. Then αβγ = βαγ = βγα, so α commutes with βγ. By Lemma 14.13 below, βγ Q(α). But then γ Q(α, β), which is a contradiction. Lemma 14.13. Suppose that α, β End 0 (E) commute and that α Q. Then β Q(α). Proof. As in the proof of the Theorem 14.12, we can linearly transform α and β to some α = α + a and β = β + bα + c, where a, b, c Q, so that T α = T β = T (α β ) = 0, and therefore α β = β α (set a = 1 2T α and use (2) to determine b and c). We also have α β = β α, since if α and β commute then so do α and β, since they are polynomials in α and β. But then 2α β = 0, which means α = 0 or β = 0, since End 0 (E) has no zero divisors. We cannot have α = 0, since α Q, so β = 0, which implies β Q(α). 2 A general quaternion algebra over Q has α 2, β 2 Q and αβ = βα. The constraint α 2, β 2 < 0 make this a definite quaternion algebra, which is the only kind of quaternion algebra we shall consider. 4

14.3 Orders Having classified the possible endomorphism algebras End 0 (E), our next task is to classify the possible endomorphism rings End(E). We begin with the following corollary to Theorem 14.12. Corollary 14.14. The additive group of End(E) is isomorphic to Z r, where r is 1, 2, or 4, depending on whether End 0 (E) is isomorphic to Q, and imaginary quadratic field, or a definite quaternion algebra, respectively. Proof. It follows from Lemma 14.3 that the additive group of End(E) is torsion-free. The fact that every element of End(E) satisfies a monic quadratic equation with integer coefficients implies that End(E) is finitely generated (the proof is essentially the same as the proof that the ring of integers of a number field is finitely generated, see either [1, Ch. 2] or [3, Ch. 2]). Thus the additive group of End(E) is isomorphic to Z r for some r, and r must equal to the dimension of End 0 (E) as a Q-vector space, since End 0 (E) = End(E) Q. The corollary follows. Definition 14.15. Let K be a Q-algebra of finite dimension r as a vector space over Q. An order O in K is a subring whose additive group is isomorphic to Z r. Equivalently, O is a subring that is finitely generated as a Z-module and for which K = O Q. It follows from Corollary 14.14 that the endomorphism ring End(E) is an order in the Q-algebra End 0 (E) = End(E) Q. Note that if End 0 (E) = Q, then we must have End(E) = Z, since Z is the only order in Q. Corollary 14.16. If E is an elliptic curve with complex multiplication then End(E) is either an order in an imaginary quadratic field, or an order in a quaternion algebra. Every order lies in some maximal order (an order that is not contained in any other); this follows from Zorn s lemma. In general, maximal orders need not be unique, but when the Q-algebra K is a number field 3 (a finite extension of Q), this is the case. In view of Corollary 14.16, we are primarily interested in the case where K is an imaginary quadratic field, but it is just as easy to prove this for all number fields. We first need to recall a few standard results from algebraic number theory. 4 Definition 14.17. An algebraic number α is a complex number that is the root of a polynomial with coefficients in Q. An algebraic integer is a complex number that is the root of a monic polynomial with coefficients in Z. Two fundamental results of algebraic number theory are (1) the set of algebraic integers in a number field form a ring, and (2) every number field has an integral basis (a basis whose elements are algebraic integers). The following theorem gives a more precise statement. Theorem 14.18. The set of algebraic integers O K in a number field K forms a finitely generated ring whose additive group is isomorphic to Z r, where r = [K : Q] is the dimension of K as a Q-vector space. 3 Some authors define a number field as any subfield of C, distinguishing finite extensions of Q as algebraic number fields. We adopt the more common convention that all number fields are algebraic number fields. 4 Algebraic number theory is not a prerequisite for this course. We do presume some familiarity with imaginary quadratic fields; these are covered in most algebra courses. 5

Proof. See Theorems 2.9 and 2.16 in [3] (or see Theorem 2.1 and Corollary 2.30 in [1]), and then apply the definition of an order. Theorem 14.19. The ring of integers O K of a number field K is its unique maximal order. Proof. The previous theorem implies that O K is an order. To show that it is the unique maximal order, we need to show that every order O in K is contained in O K. It suffices to show that every α O is an algebraic integer. Viewing O as a lattice of rank r = [K : Q], consider the sublattice generated by all powers of α. Let [β 1,..., β r ] be a basis for this sublattice, where each β i is a Z-linear combination of powers of α. Let n be an integer larger than any of the exponents in any of the powers of α that appear in any β i. Then α n = c 1 β 1 + + c r β r, for some c 1,..., c n Z, and this determines a monic polynomial of degree n with α as a root. Therefore α is an algebraic integer. Finally, we characterize the orders in imaginary quadratic fields, which are the number fields we are most interested in. Theorem 14.20. Let K be an imaginary quadratic field with ring of integers O K. The orders in K are precisely the lattices Z + fo K, where f is any positive integer. Proof. We first show that O = Z+fO K is a ring. The lattice O is contained in the ring O K and contains 1. It suffices to show that O is closed under multiplication. So let a + fα and b + fβ be arbitrary elements of O, with a, b Z and α, β O K. Then (a + fα)(b + fβ) = ab + afβ + bfα + abf 2 αβ = ab + f(aβ + bα + abfαβ) O, since ab Z and (aβ + bα + abfαβ) O K. So O is a subring of K. To see that O is an order, note that O Q = O K Q = K. Now let O be any order in K. The maximal order O K is a rank 2 lattice containing 1, so we may write O K as [1, τ] for some τ Z for which O K = Z[τ]. Let f be the least positive integer for which fτ O. The lattice [1, fτ] lies in O, and we claim that in fact O = [1, fτ]. Any element α of O must lie in O K and is therefore of the form α = a + bτ for some a, b Z. The element bτ = α a than lies in O, and the minimality of f implies that f divides b. Thus O = [1, fτ] = Z + fo K. The integer f in Theorem 14.20 is called the conductor of the order O = Z + fo K. 5 It is equal to the index of O in O K. References [1] J. S. Milne, Algebraic number theory, online course cnotes http://www.jmilne.org/ math/coursenotes/ant.html, 2013. [2] Joseph H. Silverman, The arithmetic of elliptic curves, Graduate Texts in Mathematics 106, second edition, Springer 2009. [3] Ian Stewart and David Tall, Algebraic number theory and Fermat s last theorem, third edition, A.K. Peters, 2002. 5 The conductor f should not be confused with the conductor of an elliptic curve, which we will see later. 6

MIT OpenCourseWare http://ocw.mit.edu 18.783 Elliptic Curves Spring 2013 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback