Elliptic Curves Spring 2015 Lecture #7 02/26/2015

18.783 Elliptic Curves, Spring 2015, Lecture #7, 02/26/2015
Andrew V. Sutherland

7 Endomorphism rings

7.1 The n-torsion subgroup E[n]

Now that we know the degree of the multiplication-by-$n$ map, we can determine the structure of $E[n]$ as a finite abelian group. Recall that any finite abelian group $G$ can be written as a direct sum of cyclic groups of prime power order (unique up to ordering). Since $\#E[n]$ always divides $\deg [n] = n^2$, to determine the structure of $E[n]$ it suffices to determine the structure of $E[\ell^e]$ for each prime power $\ell^e$ dividing $n$.

Theorem 7.1. Let $E/k$ be an elliptic curve and let $p = \operatorname{char}(k)$. For each prime $\ell$:

$$E[\ell^e] \simeq \begin{cases} \mathbb{Z}/\ell^e\mathbb{Z} \oplus \mathbb{Z}/\ell^e\mathbb{Z} & \text{if } \ell \ne p, \\ \mathbb{Z}/\ell^e\mathbb{Z} \text{ or } \{0\} & \text{if } \ell = p. \end{cases}$$

Proof. We first suppose $\ell \ne p$. The multiplication-by-$\ell$ map $[\ell]$ is then separable of degree $\ell^2$, so $E[\ell] = \ker[\ell]$ has order $\ell^2$. Every nonzero element of $E[\ell]$ has order $\ell$, so we must have $E[\ell] \simeq \mathbb{Z}/\ell\mathbb{Z} \oplus \mathbb{Z}/\ell\mathbb{Z}$. If $E[\ell^e] \simeq \langle P_1 \rangle \oplus \cdots \oplus \langle P_r \rangle$ with $P_i \in E(\bar{k})$ of order $\ell^{e_i} > 1$, then

$$E[\ell] \simeq \langle \ell^{e_1 - 1} P_1 \rangle \oplus \cdots \oplus \langle \ell^{e_r - 1} P_r \rangle \simeq (\mathbb{Z}/\ell\mathbb{Z})^r,$$

thus $r = 2$ (this argument applies to any abelian group $G$: the $\ell$-rank $r$ of $G[\ell^e]$ is the same as the $\ell$-rank of $G[\ell]$). It follows that $E[\ell^e] \simeq \mathbb{Z}/\ell^e\mathbb{Z} \oplus \mathbb{Z}/\ell^e\mathbb{Z}$, since $E[\ell^e]$ has order $\ell^{2e}$ and contains no elements of order greater than $\ell^e$.

We now suppose $\ell = p$. Then $[\ell]$ is inseparable and its kernel $E[\ell]$ has order strictly less than $\deg [\ell] = \ell^2$. Since $E[\ell]$ is an $\ell$-group of order less than $\ell^2$, it must be isomorphic to either $\mathbb{Z}/\ell\mathbb{Z}$ or $\{0\}$. In the latter case we clearly have $E[\ell^e] = \{0\}$ and the theorem holds, so we now assume $E[\ell] \simeq \mathbb{Z}/\ell\mathbb{Z}$. If $E[\ell] = \langle P \rangle$ with $P \in E(\bar{k})$ a point of order $\ell$, then since the isogeny $[\ell] \colon E \to E$ is surjective, there is a point $Q \in E(\bar{k})$ for which $\ell Q = P$, and the point $Q$ then has order $\ell^2$. Iterating this argument shows that $E[\ell^e]$ contains a point of order $\ell^e$, and by the argument above it has $\ell$-rank 1, so we must have $E[\ell^e] \simeq \mathbb{Z}/\ell^e\mathbb{Z}$.

The two possibilities for $E[p]$ admitted by the theorem lead to the following definitions. We do not need this terminology today, but it will be important in the weeks that follow.

Definition 7.2. Let $E$ be an elliptic curve defined over a field of characteristic $p > 0$. If $E[p] \simeq \mathbb{Z}/p\mathbb{Z}$ then $E$ is said to be ordinary, and if $E[p] \simeq \{0\}$, we say that $E$ is supersingular.

Remark 7.3. The term "supersingular" is unrelated to the term "singular" (recall that an elliptic curve is nonsingular by definition). Supersingular refers to the fact that such elliptic curves are exceptional.

Corollary 7.4. Let $E/k$ be an elliptic curve. Every finite subgroup of $E(\bar{k})$ is the direct sum of at most two cyclic groups, at most one of which has order divisible by the characteristic $p$ of $k$. In particular, when $k = \mathbb{F}_q$ is a finite field we have

$$E(\mathbb{F}_q) \simeq \mathbb{Z}/m\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z}$$

for some positive integers $m, n$ with $m \mid n$ and $p \nmid m$.

Proof. Let $p$ be the characteristic of $k$, and let $T$ be a finite subgroup of $E(\bar{k})$ of order $n$. If $p \nmid n$, then $T \subseteq E[n] \simeq \mathbb{Z}/n\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z}$ can clearly be written as a sum of two cyclic groups. Otherwise we may write $T \simeq G \oplus H$ where $H$ is the $p$-Sylow subgroup of $T$, and we have $G \subseteq E[m] \simeq \mathbb{Z}/m\mathbb{Z} \oplus \mathbb{Z}/m\mathbb{Z}$, where $m = |G|$ is prime to $p$ and $H$ has $p$-rank at most 1. It follows that $T$ can always be written as a sum of at most two cyclic groups, at most one of which has order divisible by $p$.

Now that we know what the structure of $E(\mathbb{F}_q)$ looks like, our next goal is to bound its cardinality. We will prove Hasse's Theorem, which states that $\#E(\mathbb{F}_q) = q + 1 - t$, where $|t| \le 2\sqrt{q}$. To do this we need to introduce the endomorphism ring of $E$.

7.2 Endomorphism rings

For any pair of elliptic curves $E_1/k$ and $E_2/k$, the set $\hom(E_1, E_2)$ of homomorphisms from $E_1$ to $E_2$ (defined over $k$) consists of all morphisms of curves $E_1 \to E_2$ that are also group homomorphisms $E_1(\bar{k}) \to E_2(\bar{k})$; since a morphism of curves is either surjective or constant, this is just the set of all isogenies from $E_1$ to $E_2$ plus the zero morphism. For any algebraic extension $L/k$, we write $\hom_L(E_1, E_2)$ for the homomorphisms from $E_1$ to $E_2$ that are defined over $L$. (Footnote 1: Technically speaking, these homomorphisms are defined on the base changes $E_{1L}$ and $E_{2L}$ of $E_1$ and $E_2$ to $L$, so $\hom_L(E_1, E_2)$ is really shorthand for $\hom(E_{1L}, E_{2L})$.)

The set $\hom(E_1, E_2)$ forms an abelian group under addition, where the sum $\alpha + \beta$ is defined by

$$(\alpha + \beta)(P) := \alpha(P) + \beta(P),$$

and the zero morphism is the identity. For any $\alpha \in \hom(E_1, E_2)$ we have

$$\alpha + \cdots + \alpha = n\alpha = [n] \circ \alpha,$$

where $[n]$ is the multiplication-by-$n$ map on $E_1$. Provided $\alpha$ and $n$ are nonzero, both $[n]$ and $\alpha$ are surjective, as is $n\alpha$, thus $n\alpha \ne 0$. It follows that $\hom(E_1, E_2)$ is torsion free (but $\hom(E_1, E_2) = \{0\}$ is possible).

Definition 7.5. Let $E/k$ be an elliptic curve. The endomorphism ring of $E$ is the additive group $\operatorname{End}(E) := \hom(E, E)$ with multiplication defined by composition (so $\alpha\beta = \alpha \circ \beta$).

Warning 7.6. Some authors use $\operatorname{End}(E)$ to mean $\operatorname{End}_{\bar{k}}(E)$ rather than $\operatorname{End}_k(E)$.

To verify that $\operatorname{End}(E)$ is in fact a ring, note that it has a multiplicative identity $1 = [1]$ (the identity morphism), and for all $\alpha, \beta, \gamma \in \operatorname{End}(E)$ and $P \in E(\bar{k})$ we have

$$((\alpha + \beta)\gamma)(P) = (\alpha + \beta)(\gamma(P)) = \alpha(\gamma(P)) + \beta(\gamma(P)) = (\alpha\gamma + \beta\gamma)(P)$$
$$(\gamma(\alpha + \beta))(P) = \gamma(\alpha(P) + \beta(P)) = \gamma(\alpha(P)) + \gamma(\beta(P)) = (\gamma\alpha + \gamma\beta)(P),$$

where we used the fact that $\gamma$ is a group homomorphism to get the second identity. For every integer $n$ the multiplication-by-$n$ map $[n]$ lies in $\operatorname{End}(E)$, and the map $n \mapsto [n]$ defines a ring homomorphism $\mathbb{Z} \to \operatorname{End}(E)$, since $[0] = 0$, $[1] = 1$, $[m] + [n] = [m + n]$ and $[m][n] = [mn]$. As noted above, $\hom(E, E)$ is torsion free, so the homomorphism $n \mapsto [n]$ is injective and we may regard $\mathbb{Z}$ as a subring of $\operatorname{End}(E)$; we will thus feel free to write $n$ rather than $[n]$ when it is convenient to do so. Note that this immediately implies that the multiplication-by-$n$ maps commute with every element of $\operatorname{End}(E)$. Indeed, for any $\alpha \in \operatorname{End}(E)$ and $P \in E(\bar{k})$ we have

$$(\alpha \circ [n])(P) = \alpha(nP) = \alpha(P + \cdots + P) = \alpha(P) + \cdots + \alpha(P) = n\alpha(P) = ([n] \circ \alpha)(P).$$

When $k = \mathbb{F}_q$ is a finite field, the $q$-power Frobenius endomorphism $\pi_E$ also commutes with every element of $\operatorname{End}(E)$. This follows from the basic fact that for any rational function $r \in \mathbb{F}_q(x_1, \ldots, x_n)$ we have $r(x_1, \ldots, x_n)^q = r(x_1^q, \ldots, x_n^q)$, and we can apply this to the rational maps defining any $\alpha \in \operatorname{End}(E)$. Thus the subring $\mathbb{Z}[\pi_E]$ generated by $\pi_E$ lies in the center of $\operatorname{End}(E)$.

Remark 7.7. It can happen that $\mathbb{Z}[\pi_E] = \mathbb{Z}$. For example, when $E[p] = \{0\}$ and $q = p^2$ the multiplication-by-$p$ map $[p]$ is purely inseparable and we must have $[p] = \pi^2 = \pi_E$.

For any nonzero $\alpha, \beta \in \operatorname{End}(E)$, the product $\alpha\beta = \alpha \circ \beta$ is surjective, since $\alpha$ and $\beta$ are both surjective; in particular, $\alpha\beta$ is not the zero morphism. It follows that $\operatorname{End}(E)$ has no zero divisors, so the cancellation law holds (on both the left and the right, a fact we will freely use in what follows).

7.3 The dual isogeny

In order to develop a deeper understanding of the structure of the endomorphism ring $\operatorname{End}(E)$ we want to introduce the dual isogeny. But first let us record the following lemma.

Lemma 7.8. Let $\alpha = \alpha_1 \circ \alpha_2$ be an isogeny. Then $\deg \alpha = (\deg \alpha_1)(\deg \alpha_2)$.

Proof. It is clear that $\#(\ker \alpha) = \#(\ker \alpha_1)\#(\ker \alpha_2)$, since these are surjective group homomorphisms. It follows that $\deg_s \alpha = (\deg_s \alpha_1)(\deg_s \alpha_2)$. It is also clear that composing any isogeny with a purely inseparable isogeny of degree $q$ multiplies the degree by $q$: both $u(x^q)/v(x^q)$ and $(u(x)/v(x))^q$ have degree $q \deg(u/v)$ as rational functions (max degree of numerator and denominator). The lemma follows.

Corollary 7.9.
For any isogeny $\alpha = \alpha_1 \circ \alpha_2$ we have $\deg_s \alpha = (\deg_s \alpha_1)(\deg_s \alpha_2)$ and $\deg_i \alpha = (\deg_i \alpha_1)(\deg_i \alpha_2)$.

Proof. This follows from the fact that $\deg \beta = (\deg_s \beta)(\deg_i \beta)$ for any isogeny $\beta$.

Theorem 7.10. For any isogeny $\alpha \colon E_1 \to E_2$ there exists a unique isogeny $\hat{\alpha} \colon E_2 \to E_1$ for which $\hat{\alpha} \circ \alpha = [n]$, where $n = \deg \alpha$.

Proof. We proceed by induction on the number of prime factors of $n$. If $n = 1$ then $\alpha$ is an isomorphism and $\hat{\alpha}$ is just the inverse isomorphism.

If $\alpha$ has prime degree $\ell$ different from the characteristic of the field we are working in, then $\alpha$ is separable and $\alpha(E_1[\ell])$ is a subgroup of $E_2(\bar{k})$ of cardinality $\ell^2/\ell = \ell$. If we let $\alpha' \colon E_2 \to E_3$ be the separable isogeny with $\alpha(E[\ell])$ as its kernel (applying Theorem 6.8), then the kernel of $\alpha' \circ \alpha$ is $E[\ell]$ and since $[n] \colon E_1 \to E_1$ is a separable isogeny with the same kernel, there is an isomorphism $\iota \colon E_3 \to E_1$ for which $\iota \circ \alpha' \circ \alpha = [n]$ and we may take $\hat{\alpha} = \iota \circ \alpha'$.

If $\alpha$ has prime degree $p$ equal to the characteristic of $k$, there are two cases.

Case 1: If $\alpha$ is separable then we must have $\ker \alpha = E[p] \simeq \mathbb{Z}/p\mathbb{Z}$, and since $\deg [p] = p^2$ and $\deg_s [p] = p$, we have $[p] = \pi \circ \alpha'$ for some separable isogeny $\alpha'$ of degree $p$, where $\pi$ denotes the $p$-power Frobenius morphism (see Remark 6.5). Since $\alpha$ and $\alpha'$ are separable isogenies with the same kernel $E[p]$, we can write $\alpha' = \iota \circ \alpha$ for some isomorphism $\iota$; we then have $\hat{\alpha} = \pi \circ \iota$.

Case 2: If $\alpha$ is inseparable then we must have $\alpha = \pi$. If $E[p] = \{0\}$ then $[p]$ is purely inseparable of degree $p^2$, so $[p] = \pi^2$ and $\hat{\alpha} = \pi$. If $E[p] \simeq \mathbb{Z}/p\mathbb{Z}$ then $[p] = \alpha' \circ \pi$ for some separable isogeny $\alpha'$ of degree $p$ and $\hat{\alpha} = \alpha'$.

If $n$ is composite then we may decompose $\alpha$ into a sequence of isogenies of prime degree (see Corollary 6.9). In particular we can write $\alpha = \alpha_1 \circ \alpha_2$, where $\alpha_1, \alpha_2$ have degrees $n_1, n_2 < n$ with $n_1 n_2 = n$. We now claim that

$$\hat{\alpha}_2 \circ \hat{\alpha}_1 \circ \alpha = [n],$$

and therefore $\hat{\alpha} = \hat{\alpha}_2 \circ \hat{\alpha}_1$. Indeed, we have

$$(\hat{\alpha}_2 \circ \hat{\alpha}_1) \circ \alpha = \hat{\alpha}_2 \circ \hat{\alpha}_1 \circ \alpha_1 \circ \alpha_2 = \hat{\alpha}_2 \circ [n_1] \circ \alpha_2 = \hat{\alpha}_2 \circ \alpha_2 \circ [n_1] = [n_2] \circ [n_1] = [n],$$

where $[n_1] \circ \alpha_2 = \alpha_2 \circ [n_1]$ because for any $P \in E(\bar{k})$ we have

$$(\alpha_2 \circ [n_1])(P) = \alpha_2(n_1 P) = \alpha_2(P + \cdots + P) = \alpha_2(P) + \cdots + \alpha_2(P) = n_1 \alpha_2(P) = ([n_1] \circ \alpha_2)(P),$$

since $\alpha_2$ is a group homomorphism (note that we have used $[n_1]$ and $[n_2]$ to generically denote multiplication maps on possibly different elliptic curves in the argument above).

Definition 7.11. The isogeny $\hat{\alpha}$ given by the theorem is the dual isogeny of $\alpha$.

Remark 7.12. There is a general notion of a dual isogeny for abelian varieties of any dimension. If we have an isogeny of abelian varieties $\alpha \colon A_1 \to A_2$ then the dual isogeny $\hat{\alpha} \colon \hat{A}_2 \to \hat{A}_1$ is actually an isogeny between the dual abelian varieties $\hat{A}_2$ and $\hat{A}_1$. We won't give a definition of the dual abelian variety here, but the key point is that in general, abelian varieties are not isomorphic to their duals. But abelian varieties of dimension one (elliptic curves) are self-dual. This is yet another remarkable feature of elliptic curves.

As a matter of convenience we extend the notion of a dual isogeny to $\hom(E_1, E_2)$ and $\operatorname{End}(E)$ by defining $\hat{0} = 0$, and define $\deg 0 = 0$, which we note is consistent with $\hat{0} \circ 0 = [0]$ and the fact that degrees are multiplicative.

Lemma 7.13. For an isogeny $\alpha$ of degree $n$ we have $\deg \hat{\alpha} = \deg \alpha = n$ and $\alpha \circ \hat{\alpha} = \hat{\alpha} \circ \alpha = [n]$. Thus $\hat{\hat{\alpha}} = \alpha$. For any integer $n$ the endomorphism $[n]$ is self-dual.

Proof. The first statement follows from $(\deg \hat{\alpha})(\deg \alpha) = \deg [n]$. We now note that

$$(\alpha \circ \hat{\alpha}) \circ \alpha = \alpha \circ (\hat{\alpha} \circ \alpha) = \alpha \circ [n] = [n] \circ \alpha;$$

since the isogenies involved are all surjective, it follows that we can cancel $\alpha$ on the LHS and RHS to obtain $\alpha \circ \hat{\alpha} = [n]$. The last statement follows from the fact that $[n] \circ [n] = [n^2] = [\deg n]$.

The one other fact we need about dual isogenies is the following.

Lemma 7.14. For any $\alpha, \beta \in \hom(E_1, E_2)$ we have $\widehat{\alpha + \beta} = \hat{\alpha} + \hat{\beta}$.

Proof. We will defer the proof of this lemma; the nicest proof uses the Weil pairing, which we will see later in the course.

We now return to the setting of the endomorphism ring $\operatorname{End}(E)$ of an elliptic curve $E/k$.

Lemma 7.15. For any endomorphism $\alpha$ we have

$$\alpha + \hat{\alpha} = 1 + \deg \alpha - \deg(1 - \alpha).$$

Note that in the statement of this lemma, the integers $\deg \alpha$ and $\deg(1 - \alpha)$ on the RHS are to be interpreted as elements of $\operatorname{End}(E)$ via the embedding $n \mapsto [n]$.

Proof. For any $\alpha \in \operatorname{End}(E)$ (including $\alpha = 0$) we have

$$\deg(1 - \alpha) = \widehat{(1 - \alpha)}(1 - \alpha) = (\hat{1} - \hat{\alpha})(1 - \alpha) = (1 - \hat{\alpha})(1 - \alpha) = 1 - (\alpha + \hat{\alpha}) + \deg(\alpha),$$

and therefore $\alpha + \hat{\alpha} = 1 + \deg \alpha - \deg(1 - \alpha)$.

A key consequence of the lemma is that $\alpha + \hat{\alpha}$ is always a multiplication-by-$t$ map for some $t \in \mathbb{Z}$.

Definition 7.16. The trace of an endomorphism $\alpha$ is the integer $\operatorname{tr} \alpha := \alpha + \hat{\alpha}$.

Note that for any $\alpha \in \operatorname{End}(E)$ we have $\operatorname{tr} \hat{\alpha} = \operatorname{tr} \alpha$, and $\deg \hat{\alpha} = \deg \alpha$.

7.4 Endomorphism restrictions to E[n]

Let $E$ be an elliptic curve over a field of characteristic $p$ (possibly $p = 0$). For any $\alpha \in \operatorname{End}(E)$, we may consider the restriction $\alpha_n$ of $\alpha$ to the $n$-torsion subgroup $E[n]$. Since $\alpha$ is a group homomorphism, it maps $n$-torsion points to $n$-torsion points, so $\alpha_n$ is an endomorphism of the abelian group $E[n]$, which we may view as a $(\mathbb{Z}/n\mathbb{Z})$-module. When $n$ is not divisible by $p$ we have $E[n] \simeq \mathbb{Z}/n\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z}$, and we can pick a basis $(P_1, P_2)$ for $E[n]$ as a $(\mathbb{Z}/n\mathbb{Z})$-module. This just means that every element of $E[n]$ can be written uniquely as a $(\mathbb{Z}/n\mathbb{Z})$-linear combination of $P_1$ and $P_2$; it suffices to pick any $P_1, P_2 \in E[n]$ that generate $E[n]$ as an abelian group. We may represent $\alpha_n$ as a $2 \times 2$ matrix $\begin{bmatrix} a & b \\ c & d \end{bmatrix}$, where $a, b, c, d \in \mathbb{Z}/n\mathbb{Z}$ are uniquely determined by

$$\alpha(P_1) = aP_1 + bP_2, \qquad \alpha(P_2) = cP_1 + dP_2.$$

Note that this matrix representation depends on our choice of basis, but matrix invariants such as the trace $\operatorname{tr} \alpha_n$ and the determinant $\det \alpha_n$ are independent of this choice.

A standard technique for proving that two endomorphisms $\alpha$ and $\beta$ are equal is to prove that $\alpha_n = \beta_n$ for some sufficiently large $n$. If $n^2$ is larger than the degree of $\alpha - \beta$, then $\alpha_n = \beta_n$ implies that the kernel of $\alpha - \beta$ is infinite and therefore $\alpha - \beta = 0$ (since 0 is the only endomorphism with infinite kernel) and $\alpha = \beta$. To handle situations where we don't know the degree of $\alpha - \beta$, or don't even know exactly what $\beta$ is (maybe we just know $\beta_n$), we need a more refined result.

Lemma 7.17. Let $\alpha$ and $\beta$ be endomorphisms of an elliptic curve $E/k$ and let $m$ be the maximum of $\deg \alpha$ and $\deg \beta$. Let $n \ge 2\sqrt{m} + 1$ be an integer that is prime to the characteristic of $k$, and also prime to $\deg \alpha$ and $\deg \beta$. If $\alpha_n = \beta_n$ then $\alpha = \beta$.

Proof. We shall make use of the following fact that we won't prove here. Let $r(x) = u(x)/v(x)$ be a rational function in $k(x)$ with $u \perp v$ and $v$ monic. Suppose that we know the value of $r(x_i)$ for $N$ distinct values $x_1, \ldots, x_N$ for which $v(x_i) \ne 0$. Provided that $N > 2\max\{\deg u, \deg v\} + 1$, the coefficients of $u$ and $v$ can be uniquely determined using Cauchy interpolation; see [1, 5.8] for an efficient algorithm and a proof of its correctness.

Now let $\alpha(x, y) = \left( \frac{u(x)}{v(x)}, \frac{s(x)}{t(x)} y \right)$ be in standard form, with $u \perp v$, and let us normalize $u$ and $v$ so that $v$ is monic. If we know the value of $\alpha(P)$ at $2 \deg \alpha + 2$ affine points $P \notin \ker \alpha$ with distinct $x$-coordinates, then we can uniquely determine the coefficients of $u$ and $v$. Since at most 2 points $P \in E(\bar{k})$ can share the same $x$-coordinate, it suffices to know $\alpha(P)$ at $4 \deg \alpha + 4$ affine points not in $\ker \alpha$.

For $n \ge 2\sqrt{m} + 1$ we have $n^2 \ge 4m + 4\sqrt{m} + 1$, and $E[n]$ contains $n^2 - 1 \ge 4 \deg \alpha + 4$ affine points, none of which lie in $\ker \alpha$, since $\#\ker \alpha$ divides $\deg \alpha$ which is prime to $n$. Thus knowing $\alpha_n$ uniquely determines the $x$-coordinate of $\alpha(P)$ for all $P \in E(\bar{k})$. The same argument applies to $\beta_n$ and $\beta$, hence $\alpha(P) = \pm\beta(P)$ for all $P \in E(\bar{k})$. The kernel of at least one of $\alpha + \beta$ and $\alpha - \beta$ is then infinite, hence $\alpha = \pm\beta$.

We have $n^2 > 4 \deg \alpha \ge 4$, which implies that $\alpha(P)$ cannot lie in $E[2]$ for all $P \in E[n]$ (since $\#E[2] = 4$). Therefore $\alpha(P) \ne -\alpha(P)$ for some $P \in E[n]$, and for this $P$ we have

$$\alpha(P) \ne -\alpha(P) = -\alpha_n(P) = -\beta_n(P) = -\beta(P),$$

so $\alpha \ne -\beta$ and we must have $\alpha = \beta$.

Theorem 7.18. Let $\alpha$ be an endomorphism of an elliptic curve. Both $\alpha$ and its dual $\hat{\alpha}$ are roots of the characteristic polynomial

$$\lambda^2 - (\operatorname{tr} \alpha)\lambda + \deg \alpha = 0.$$

Proof. $\alpha^2 - (\operatorname{tr} \alpha)\alpha + \deg \alpha = \alpha^2 - (\alpha + \hat{\alpha})\alpha + \hat{\alpha}\alpha = 0$, and similarly for $\hat{\alpha}$.

The following theorem provides the key connection between endomorphisms and their restrictions to $E[n]$.

Theorem 7.19. Let $\alpha$ be an endomorphism of an elliptic curve $E/k$ and let $n$ be a positive integer prime to the characteristic of $k$. Then

$$\operatorname{tr} \alpha \equiv \operatorname{tr} \alpha_n \bmod n \qquad \text{and} \qquad \deg \alpha \equiv \det \alpha_n \bmod n.$$

Proof. We will just prove the theorem for odd $n$ prime to $\deg \alpha$ such that $n \ge 2\sqrt{\deg \alpha} + 1$, which is more than enough to prove Hasse's theorem. The general proof relies on properties of the Weil pairing that we will see later in the course.

We note that the theorem holds for $\alpha = 0$, so we assume $\alpha \ne 0$. Let $n$ be as above and let $t_n = \operatorname{tr} \alpha \bmod n$ and $d_n = \deg \alpha \bmod n$. Since $\alpha$ and $\hat{\alpha}$ both satisfy $\lambda^2 - (\operatorname{tr} \alpha)\lambda + \deg \alpha = 0$, both $\alpha_n$ and $\hat{\alpha}_n$ must satisfy $\lambda^2 - t_n \lambda + d_n = 0$. It follows that $\alpha_n + \hat{\alpha}_n$ and $\alpha_n \hat{\alpha}_n$ are the scalar matrices $t_n I$ and $d_n I$, respectively.

Let $\alpha_n = \begin{bmatrix} a & b \\ c & d \end{bmatrix}$, and let $\delta_n = \det \alpha_n$. The fact that $\hat{\alpha}_n \alpha_n = d_n I \ne 0$ with $d_n$ prime to $n$ implies that $\alpha_n$ is invertible, and we have

$$\hat{\alpha}_n = d_n \alpha_n^{-1} = \frac{d_n}{\det \alpha_n} \begin{bmatrix} d & -b \\ -c & a \end{bmatrix}.$$

If we put $\epsilon := d_n / \det \alpha_n$ and substitute the above expression for $\hat{\alpha}_n$ into $\alpha_n + \hat{\alpha}_n = t_n I$, we get

$$\begin{bmatrix} a & b \\ c & d \end{bmatrix} + \epsilon \begin{bmatrix} d & -b \\ -c & a \end{bmatrix} = \begin{bmatrix} t_n & 0 \\ 0 & t_n \end{bmatrix}.$$

Thus $a + \epsilon d = t_n$, $b - \epsilon b = 0$, $c - \epsilon c = 0$, and $d + \epsilon a = t_n$. Unless $a = d$ and $b = c = 0$, we must have $\epsilon = 1$, in which case $d_n = \det \alpha_n$ and $t_n = a + d = \operatorname{tr} \alpha_n$ as desired.

Otherwise $\alpha_n$ is a scalar matrix. Let $m$ be the unique integer with absolute value less than $n/2$ such that $\alpha_n = m_n$, where $m_n$ is the restriction of the multiplication-by-$m$ map to $E[n]$. We then have $\deg m = m^2$ and $n \ge 2\sqrt{\deg m} + 1$. Since we also have $n \ge 2\sqrt{\deg \alpha} + 1$ we must have $\alpha = m$, by Lemma 7.17. But then $\hat{\alpha} = \hat{m} = m = \alpha$ and we have $\operatorname{tr} \alpha = 2m \equiv \operatorname{tr} mI \equiv \operatorname{tr} \alpha_n \bmod n$ and $\deg \alpha = m^2 \equiv \det mI \equiv \det \alpha_n \bmod n$.

7.5 Separable and inseparable endomorphisms

Recall that the Frobenius endomorphism $\pi_E$ is inseparable. In order to prove Hasse's theorem we will need to know that $\pi_E - 1$ is actually separable. This follows from a much more general result: adding a separable isogeny to an inseparable isogeny always yields a separable isogeny.

Lemma 7.20. Let $\alpha$ and $\beta$ be isogenies from $E_1$ to $E_2$, with $\alpha$ inseparable. Then $\alpha + \beta$ is inseparable if and only if $\beta$ is inseparable.

Proof. If $\beta$ is inseparable then we can write $\alpha = \alpha_{\mathrm{sep}} \circ \pi^m$ and $\beta = \beta_{\mathrm{sep}} \circ \pi^n$, where $\pi$ is the $p$-power Frobenius map and $m, n > 0$. We then have

$$\alpha + \beta = \alpha_{\mathrm{sep}} \circ \pi^m + \beta_{\mathrm{sep}} \circ \pi^n = (\alpha_{\mathrm{sep}} \circ \pi^{m-1} + \beta_{\mathrm{sep}} \circ \pi^{n-1}) \circ \pi,$$

which is inseparable (any composition involving an inseparable isogeny is inseparable). If $\alpha + \beta$ is inseparable, then so is $-(\alpha + \beta)$, and $\alpha - (\alpha + \beta) = -\beta$ is a sum of inseparable isogenies, which we have just shown is inseparable.

Remark 7.21. Since the composition of an inseparable isogeny with any isogeny is always inseparable, the lemma implies that the set of inseparable endomorphisms in the ring $\operatorname{End}(E)$ form an ideal (provided we view 0 as inseparable, which we do).

References

[1] Joachim von zur Gathen and Jürgen Gerhard, Modern Computer Algebra, third edition, Cambridge University Press, 2013.
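A numerical check of Corollary 7.4 and Theorem 7.19 on three small curves, added here as an illustration; it is not part of the lecture notes. It enumerates $E(\mathbb{F}_p)$ for $y^2 = x^3 + ax + b$, reads off $m, n$ with $E(\mathbb{F}_p) \simeq \mathbb{Z}/m\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z}$, and tests the congruences that Theorem 7.19 forces when $\pi_E$ acts as the identity on $E[m]$. Assumptions: $p > 3$, the identification $\operatorname{tr} \pi_E = t = p + 1 - \#E(\mathbb{F}_p)$, and the function names and sample curves, which are constructed for this example.

```python
# Added example (not from the lecture notes): brute-force checks on tiny curves.
# Curve: y^2 = x^3 + a*x + b over F_p, p > 3 prime; None is the point at infinity.

def ec_add(P, Q, a, p):
    """Chord-and-tangent addition on E(F_p)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                          # Q = -P (covers doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def points(a, b, p):
    """Enumerate E(F_p) exhaustively (only sensible for very small p)."""
    pts = [None]
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts

def order(P, a, p):
    """Order of the point P in E(F_p)."""
    n, Q = 1, P
    while Q is not None:
        Q, n = ec_add(Q, P, a, p), n + 1
    return n

def analyse(a, b, p):
    """Return #E(F_p), t, and (m, n) with E(F_p) = Z/m + Z/n and m | n."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    pts = points(a, b, p)
    N = len(pts)
    t = p + 1 - N                            # assumed: t is the trace of Frobenius
    n = max(order(P, a, p) for P in pts)     # exponent of the group
    m = N // n                               # at most two cyclic factors, so m = N/n
    return {
        "N": N, "t": t, "m": m, "n": n,
        "hasse": t * t <= 4 * p,                       # |t| <= 2*sqrt(p)
        "cor_7_4": n % m == 0 and m % p != 0,          # m | n and p does not divide m
        # E[m] lies in E(F_p), so Frobenius restricts to the identity matrix on E[m];
        # Theorem 7.19 then gives t = tr(I) = 2 and p = det(I) = 1 modulo m.
        "thm_7_19": (t - 2) % m == 0 and (p - 1) % m == 0,
    }

if __name__ == "__main__":
    # Constructed sample curves (a, b, p).
    for a, b, p in [(0, 2, 7), (1, 1, 5), (6, 0, 7)]:
        print((a, b, p), analyse(a, b, p))
```

The first two curves both have 9 points: over $\mathbb{F}_7$ the group is $\mathbb{Z}/3\mathbb{Z} \oplus \mathbb{Z}/3\mathbb{Z}$, while over $\mathbb{F}_5$ it must be cyclic, because $5 \not\equiv 1 \bmod 3$ rules out full rational 3-torsion.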

MIT OpenCourseWare http://ocw.mit.edu 18.783 Elliptic Curves Spring 2015 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.