Background on Curves and Jacobians

4.3 Abelian varieties

56 Ch. 4 Background on Curves and Jacobians

(iii) the neutral element, i.e., aK-rational point 0∈ G(K), satisfying the usual group laws:

m◦(Id_G×m) =m◦(m×Id_G)(associativity), m_|{0}×G=p₂,

wherep2is the projection ofG × Gon the second argument, and m◦(i×Id_G)◦δ_G =c₀,

whereδ_Gis the diagonal map fromGtoG × Gandc0is the map which sendsGto0.

LetLbe an extension field ofK. LetG(L)denote the set ofL-rational points. The setG(L)is a group in which the sum and the inverse of elements are computed by evaluating morphisms that are defined overK, that do not depend onL, and in which the neutral element is the point0.

A surprising fact is that ifGis a projective variety the group lawmis necessarily commutative.

Definition 4.54 Projective algebraic groups are calledabelian varieties.

From now on we shall requiremto becommutative. We can use a classification theorem which yields thatGis an extension of an abelian variety by an affine (i.e., the underlying variety is affine) algebraic group. So, for cryptographic purposes we can assume thatGis either affine or an abelian variety as by Theorem 2.23 one is interested only in (sub)groups of prime order.

Affine commutative group schemes that are interesting for cryptography are called tori. The reader can find the definition and an interesting discussion on how to use them for DL systems in [SIRU 2004].

Remark 4.55 To make the connection with abelian groups more obvious we replace “m(P, Q)”

with the notationP⊕QforP, Q∈ G(K)andi(P)by−P.

We shall concentrate on abelian varieties from now on and shall use as standard notationAinstead ofG.

4.3.2 Birational group laws

Assume that we are given an abelian varietyA. Since we want to useAfor DL systems we shall not only need structural properties ofAbut explicitly compute with its points. In general this seems to be hopeless. Results of Mumford [MUM 1966] and Lange–Ruppert [LARU1985] show that the number of coordinate functions and the degree of the addition formulas both grow exponentially with the dimension of the abelian variety. Therefore, we have to use special abelian varieties on which we can describe the addition at least on open affine parts.

By definitionAcan be covered by affine subvarietiesV_i. Choose one suchV :=V_i. Forldepending onV one finds coordinate functionsX₁, . . . , X_ldefiningV by polynomial relations

f1(X1, . . . , Xl), . . . , fk(X1, . . . , Xl) .

TheL-rational pointsV(L)⊂ A(L)are the elements(x₁, . . . , x_l)∈L^l, where the polynomialsf_i vanish simultaneously. The addition law can be restricted toV ×V and induces a morphism

mV :V ×V → A.

§ 4.3 Abelian varieties 57

For generic points ofV ×V the image ofmV is again contained inV. SomV is given byaddition functionsRi∈K(X1, . . . , Xl;Y1, . . . , Yl)such that for pairs ofL-rational points inV ×V we get

(x₁, . . . , x_l)⊕(y₁, . . . , y_l)

=

R₁(x₁, . . . , x_l;y₁, . . . , y_l), . . . , R_l(x₁, . . . x_l;y₁, . . . , y_l) . Remark 4.56 This is a birational description of the addition law that is true outside proper closed subvarieties ofV ×V. The set of points where this map is not defined is of small dimension and hence with high probability one will not run into it by chance. But it can happen that we use pairs of points on purpose (e.g., lying on the diagonal inV ×V) for which we need an extra description ofm.

We shall encounter examples of abelian varieties with birational description of the group law in later chapters. In fact it will be shown that one can define abelian varieties from elliptic and hyperelliptic curves — they constitute even the main topics of this book.

4.3.3 Homomorphisms of abelian varieties

We assume thatAandBare abelian varieties overKwith addition laws⊕(resp.⊕). Letϕbe an element ofMor_K(A,B).

Example 4.57 LetP ∈ A(K)and define

tP :A → A Q → P⊕Q.

Here,tPis called thetranslation byP and lies inMorK(A,A).

A surprising fact is that for allϕ∈Mor_K(A,B)we have ϕ(P⊕Q) =ϕ(P)⊕ϕ(Q)

for all pointsP, Q ofA if and only if ϕ(0) is the neutral element of B. In other words every morphism fromAtoBis ahomomorphismwith respect to the addition laws up to the translation mapt₋(ϕ(0))inB. The set of homomorphisms fromAtoBis denoted byHomK(A,B).

LetLbe an extension field ofK and takeϕ ∈ HomK(A,B). We get a group homomorphism ϕL:A(L)→ B(L)which is given by evaluating polynomials with coefficients inK. An important observation is thatϕLcommutes with the action of the Galois groupGK ofK.

The set of homomorphismsHomK(A,B) becomes aZ-module in the usual way: for ϕ1, ϕ2 ∈ HomK(A,B)and pointsP ofAdefine

(ϕ1+ϕ2)(P) :=

ϕ1(P)⊕ϕ2(P) .

In many cases it is useful to deal with vector spaces instead of modules, and so we define HomK(A,B)⁰:= HomK(A,B)⊗ZQ.

In the next chapter we shall see thatHomK(A,B)⁰is a finite dimensional vector space overQ.

Remark 4.58 Homomorphisms of abelian varieties behave in a natural way under base change: let Lbe an extension field ofKand letAL,BLbe the abelian varieties obtained by scalar extension to L,HomL(A,B) := HomL(AL,BL). The Galois groupGLacts in a natural way onMorL(AL,BL) and hence onHomL(A,B).

58 Ch. 4 Background on Curves and Jacobians

Lemma 4.59 With the notations from above we get

(i) LetL0be the algebraic closure ofKinL. ThenHomL(A,B) = HomL₀(A,B).

(ii) ForLcontained inKwe getHomL(A,B) = Hom_K(A,B)^GL.

Because of the next results we can think of abelian varieties as behaving like abelian groups.

Proposition 4.60 Takeϕ∈Hom_K(A,B).

(i) The imageIm(ϕ)ofϕis a subvariety ofB, which becomes an abelian variety by restrict- ing the addition law fromB, i.e., it is an abelian subvariety ofB.

(ii) The kernelker(ϕ)ofϕis by definition the inverse image of0_B. It is closed (in the Zariski topology) inA. Its points consist of all points inA(K)that are mapped to0_Bbyϕ_Kand hence form a subgroup ofA(K).

(iii) The kernelker(ϕ)contains a maximal absolutely irreducible subvarietyker(ϕ)⁰contain- ing0_A. This subvariety is called theconnected component of the unity of ker(ϕ). It is an abelian subvariety ofA.

(iv) For the dimension one has dim

Im(ϕ) + dim

ker(ϕ)⁰

= dim(A).

Remark 4.61 Warning: in general it is not true that the sequence of abelian groups 0→ker(ϕ)(L)→ A(L)→Im

ϕ(L)

→0 is exact. This holds, however, ifL=K.

4.3.4 Isomorphisms and isogenies

To study abelian varieties it is (as usual) important to have an insight into isomorphisms between them. Very closely related to isomorphisms are homomorphisms which preserve the dimension of the abelian variety. They are intensively used both in theory and in applications to cryptography.

Definition 4.62 We assume thatA,Bare abelian varieties overK.

(i) The mapϕ∈Hom_K(A,B)is anisogenyif and only ifIm(ϕ) =Bandker(ϕ)is finite.

(ii) The morphism ϕis anisomorphism if and only if there is a ψ ∈ Hom_K(B,A)with ϕ◦ψ= Id_Bandψ◦ϕ= Id_A. So necessarily one hasker(ϕ) ={0_A}.

(iii) The varietyA is isogenous to B (A ∼ B) if and only if there exists an isogeny in HomK(A,B).

(iv) The varietyAis isomorphic toB(A B) if and only if there exists an isomorphism in HomK(A,B).

Letϕ ∈ Hom_K(A,B)be dominant. By mappingf ∈ K(B)tof ◦ϕwe get an injectionϕ^∗of K(B)intoK(A)(cf. Remark 4.45).

Proposition 4.63 The homomorphismϕ∈ Hom_K(A,B)is an isogeny if and only ifdim(A) = dim(B)anddim

ker(ϕ)⁰

= 0.

Equivalently we have thatϕis dominant andK(A)is a finite algebraic extension ofϕ^∗ K(B)

. The relationsand∼(cf. Corollary 4.76) are equivalence relations between abelian varieties.

Hence we can speak about (K-)isogeny classes (resp. (K-)isomorphism classes) of abelian varieties overK.

§ 4.3 Abelian varieties 59

Definition 4.64 Letϕbe an isogeny fromAtoB. Thedegree ofϕis defined as[K(A) :ϕ^∗ K(B)

].

The isogenyϕis calledseparableif and only ifK(A)/ϕ^∗ K(B)

is a separable extension. It is called(purely) inseparableifK(A)/ϕ^∗

K(B)

is purely inseparable. In this caseker(ϕ) ={0} but neverthelessϕis not an isomorphism in general.

As for abelian groups we can describe the abelian varieties that are isomorphic to a homomorphic image ofA.

LetCbe a closed set (with respect to the Zariski topology) inAwithC(K)a subgroup ofA(K).

Then there exists an (up toK-isomorphisms unique) abelian varietyBdefined overKand a unique π:=π_C ∈Hom_K(A,B)such that

• Im(π) =B,

• ker(π) =Cand

• K

A)/π^∗(K(B)

is separable.

Definition 4.65 With the notation from above we call B =: A/C the quotient of Amodulo C.

Hence,B(K) =A(K)/C(K).

For general homomorphismsϕ∈HomK(A,B)we get:

ϕ=ψ◦π_ker(ϕ)

whereψis a purely inseparable isogeny fromA/ker(ϕ)toIm(ϕ).

Hence we can classify all abelian varieties defined overKthat are separably isogenous toAup to isomorphisms:

Proposition 4.66 TheK-isomorphism classes of abelian varieties that areK-separably isogenous toAcorrespond one-to-one to the finite subgroupsC⊆ A(K)that are invariant under the action of GK. They are isomorphic toA/C. The fieldK(A)is a separable extension ofπ^∗

K(A/C) , which is a Galois extension with Galois group canonically isomorphic toC: the automorphisms ofK(A) fixing π^∗

K(A/C)

are induced by translation maps tP with P ∈ ker(π), i.e., π^∗

K(A/C) consists of the functions onAthat are invariant under translations of the argument by points inC.

To describe all abelian varieties that areK-isogenous toAwe have to compose separable isogenies with purely inseparable ones. As seen the notion of finite subgroups ofA(K)is not sufficient for this; we would have to go to the category ofgroup schemesto repair this deficiency. This is beyond the scope of this introduction. For details see e.g., [MUM1974, pp. 93].

For our purposes there is a most prominent inseparable isogeny, theFrobenius homomorphism.

Assume thatchar(K) = p > 0. We recall that we have defined the Frobenius morphismφp(cf.

Example 4.39) for varieties overK. It is easily checked thatφp(A)is again an abelian variety over K. By the description ofφ^∗_p it follows at once thatφp is a purely inseparable isogeny of degree p^dim(A)and its kernel is{0}.

Now we consider the special case thatB=A.

Definition 4.67 The homomorphismsEnd_K(A) := Hom_K(A,A)are theendomorphisms ofA. The setEnd_K(A)is a ring with composition as multiplicative structure.

Example 4.68 Assume thatK =Fp. Thenφp induces the identity map on polynomials overK and soφp(A) =A. Therefore,φp∈EndK(A). It is called theFrobenius endomorphism.

A slight but important generalization is to considerK = Fq withq = p^d. Thenφq := φ^d_p is the relative Frobenius automorphism fixingKelement wise. We can apply the considerations made above toφq and get a totally inseparable endomorphism ofAof degreep^ddim(A)which is called the (relative) Frobenius endomorphism ofA.

60 Ch. 4 Background on Curves and Jacobians

To avoid quotient groups we introduce a further definition.

Definition 4.69 An abelian variety is simple if and only if it does not contain a proper abelian subvariety.

Assume thatAis simple. It follows thatϕ∈ HomK(A,B)is either the zero map or has a finite kernel, hence its image is isogenous toA.

Proposition 4.70 IfAis simple thenEndK(A)is a ring without zero divisors andEndK(A)⁰ :=

EndK(A)⊗Qis a skew field.

One proves by induction with respect to the dimension that every abelian variety is isogenous to the direct product of simple abelian varieties. So we get

Corollary 4.71 EndK(A)⁰is isomorphic to a product of matrix rings over skew fields.

4.3.5 Points of finite order and Tate modules

We come to most simple but important examples of elements inEndK(A).

Forn∈Ndefine

[n] :A → A

as the(n−1)-fold application of the addition ⊕to the point P ∈ A. Forn = 0define[0]as zero map, and forn < 0 define[n] := −[|n|]. By identifying nwith [n] we get an injective homomorphism ofZintoEndK(A).

By definition[n] commutes with every element in EndK(A)and withGK and so lies in the center of theGK-moduleEndK(A).

The kernel of[n] is finite if and only ifn = 0. Hence[n] is an isogeny forn = 0. It is an isomorphism if|n|= 1.

Definition 4.72 Letn∈N.

(i) The kernel of[n]is denoted byA[n].

(ii) The points inA[n]are calledn-torsion points.

(iii) There exists a homogeneous ideal defined overKsuch thatA[n](K)is the set of points onA(K)at which the ideal vanishes. It is called then-division ideal.

For the latter we recall thatAis a projective variety with a fixed embedding into a projective space.

For elliptic curves (cf. Section 4.4.2.a) which are abelian varieties of dimension one then-division ideal is a principal ideal. The generating polynomial is called then-division polynomial. We will give the division polynomials explicitly in Section 4.4.5.a together with a recursive construction.

A fundamental result is

Theorem 4.73 The degree of[n]is equal ton^{2 dim(A)}. The isogeny[n]is separable if and only ifn is prime tochar(K). In this caseA[n](K)(Z/nZ)^{2 dim(A)}. Ifn=p^swithp= char(K)then A[p^s](K) =Z/p^tsZwithtdim(A)independent ofs.

A proof of these facts can be found in [MUM1974, p. 64].

Definition 4.74 Letp= char(K).

(i) The varietyAis calledordinaryifA[p^s](K) =Z/p^tsZwitht= dim(A).

§ 4.3 Abelian varieties 61

(ii) IfA[p^s](K) =Z/p^tsZthen the abelian varietyAhasp-rankt.

(iii) IfAis an elliptic curve, i.e., an abelian variety of dimension1(cf. Section 4.4.2.a), it is calledsupersingularif it hasp-rank0.

(iv) The abelian varietyAis supersingular if it is isogenous to a product of supersingular elliptic curves.

Remark 4.75 If an abelian varietyAis supersingular then it hasp-rank0. The converse is only true for abelian varieties of dimension2.

Corollary 4.76 Letϕbe an isogeny fromAtoBof degreen=t

i=1^k_iⁱwithiprimes.

(i) There is a sequenceϕ_iof isogenies from abelian varietiesAitoAi+1withA1=Aand At+1=Bwithdeg(ϕ_i) =^k_iⁱandϕ=ϕ_t◦ϕ_t−1◦ · · · ◦ϕ₁.

(ii) Assume thatnis prime tochar(K). LetBn =ϕ

A[n](K)

. ThenBnisGK-invariant, B/Bnis isomorphic toAandπB_n◦ϕ= [n].

(iii) IfAis ordinary then takingϕ=φp

[p] =φ_p◦π_A[p]=π_φp(A[p])◦φ_p.

Example 4.77 Assume thatK =Fpand thatAis an ordinary abelian variety overK. Then there is a uniquely determined separable endomorphismVp ∈EndK(A)calledVerschiebungwith

[p] =φp◦Vp=Vp◦φp

of degreep^dim(A), whereφ_pis the absolute Frobenius endomorphism Corollary 4.78 Letbe a prime different fromchar(K)andk∈N. Then

[]A[^k+1] =A[^k].

We can interpret this result in the following way: the collection of groups . . .A[^k+i], . . . ,A[^k], . . .

forms a projective system with connecting maps [ⁱ] and so we can form their projective limit lim←−A[^k]. The reader should recall that the system with groupsZ/^kZ has as projective limit the-adic integersZ(cf. Chapter 3). In fact there is a close connection:

Definition 4.79 Letbe a prime different fromchar(K). The-adic Tate module ofAis T(A) := lim

←−A[^k].

Corollary 4.80 The Tate moduleT(A)is (asZ-module) isomorphic toZ^{2 dim( A)}.

4.3.6 Background on

-adic representations

The torsion points and the Tate modules of abelian varieties are used to construct most impor- tant representations. The basic fact provided by Proposition 4.73 is that for alln ∈ Nprime to char(K) the groupsA[n](K) are freeZ/nZ-modules and for primes different fromchar(K) the Tate modulesT(A)are freeZ-modules each of them having rank equal to2 dim(A). Hence AutK(A[n]), respectively Aut_Z

T(A)

, can be identified (by choosing bases) with the group

62 Ch. 4 Background on Curves and Jacobians

of invertible2 dim(A)×2 dim(A)-matrices overZ/nZ, respectivelyZ. Likewise one can iden- tifyEndK(A[n])andEnd_Z

T(A)

with the2 dim(A)×2 dim(A)-matrices overZ/nZorZ, respectively.

The first type of these representations relates the arithmetic ofKto the arithmetic ofAvia Galois theory. This will become very important in the case thatK is a finite field or a finite algebraic extension of eitherQor ap-adic fieldQp.

The Galois action ofGK onA(K)mapsA[^k]into itself and extends in a natural way toT(A).

Hence both the groups of points inA[n]and inT(A)carry the structure of aGK-module and so they give rise to representations ofGK.

Definition 4.81 For a natural numbernprime tochar(K)therepresentation induced by the action ofGKonA[n]is denoted byρ_A, n.

For primesprime tochar(K)the representation induced by the action onT(A)is denoted by

˜

ρ_A, and is called the-adic Galois representation attached toA.

Second, we takeϕ∈ EndK(A). It commutes with[n]for all natural numbers and so it operates onT(A)continuously with respect to the-adic topology. Let T(ϕ) denote the corresponding element inEnd_Z

T(A) .

With the results about abelian varieties we have mentioned already, it is not difficult to see that the set of points of-power order inA(K)is Zariski-dense, i.e., the only Zariski-closed subvariety ofAcontaining all points of-power order is equal toAitself.

It follows thatT(ϕ) = 0if and only ifϕ= 0and so we get an injective homomorphismTfrom EndK(A)intoEnd_Z

T(A) .

Much deeper and stronger is the following result:

Theorem 4.82 We use the notation from above. The Tate module,T induces a continuousZ- module monomorphism, again denoted byT, fromEnd_Z

T(A)

⊗_ZZintoEnd_Z T(A)

. For the proof see [MUM 1974, pp. 176].

It follows thatEndK(A)is a free finitely generatedZ-module of rank

2 dim(A)2

and so EndK(A)⊗Qis a finite dimensional semisimple algebra overQ. There is an extensive theory about such algebras and a complete classification. For more details see again [MUM1974, pp.

193].

Moreover we can associate toϕthe characteristic polynomial χ

T(ϕ)

(T) := det

T−T(ϕ) ,

which is a monic polynomial of degree2 dim(A)with coefficients inZby definition.

But here another fundamental result steps in:

Theorem 4.83 The characteristic polynomialχ T(ϕ)

(T)does not depend on the prime number and has coefficients inZ, hence it is a monic polynomial of degree2 dim(A)inZ[T].

For the proof see [MUM 1974, p. 181].

Because of this result the following definition makes sense.

Definition 4.84 Let ϕbe an element inEndK(A). The characteristic polynomialχ(ϕ)_A(T) is equal to the characteristic polynomial ofT(ϕ)for anydifferent fromchar(K).

Corollary 4.85 We get

deg(ϕ) =χ(ϕ)_A(0)

§ 4.3 Abelian varieties 63

and more generally

deg([n]−ϕ) =χ(ϕ)_A(n).

Fornprime tochar(K)the restriction ofϕtoA[n]has the characteristic polynomial χ(ϕ)_A(T) (modn).

There is an important refinement of Theorem 4.82 taking into account the Galois action. As seenG_K is mapped intoEnd_Z

T(A)

by the representationρ˜_A, . By definition the image ofTcommutes with the image ofρ˜_A, and hence we get:

Corollary 4.86 Moving to the Tate moduleTinduces a map fromEndK(A)toEnd_Z[GK] T(A)

. Example 4.87 LetK=Fpand letAbe an abelian variety defined overK.

The Frobenius automorphism ofKhas a Galois-adic representationρ˜_A, (φp)and a representa- tion as endomorphism ofAinEnd_Z

T(A)

. By the very definition both images inEnd_Z T(A) coincide.

It follows that the endomorphismφp attached to the Frobenius automorphism ofKcommutes with every element inEndK(A).

Moreover its characteristic polynomialχ(φp)_A(T)is equal to the characteristic polynomial of

˜

ρ_A, (φp)for allprime tochar(K).

Fornprime tochar(K), the kernel of[n]−φphas orderχ(φp)_A(n).

4.3.7 Complex multiplication

The results of the section above are the key ingredients for the study ofEndK(A).

For instance, it follows for simple abelian varietiesAthat a maximal subfieldFofEndK(A)⊗Q is a number field of degree at most2 dim(A)overQ, cf. [M^UM1974, p. 182].

Definition 4.88 A simple abelian varietyAoverKhascomplex multiplicationifEndK(A)⊗Q contains a number fieldF of degree2 dim(A)overQ.

If anF of this maximal degree exists then it has to be a field ofCM-type. That means that it is a quadratic extension of degree2of a totally real fieldF₀(i.e., every embedding ofF₀intoClies in R), and no embedding ofF intoCis contained inR. Therefore,F = End_K(A)⊗Q.

IfKis a field of characteristic0we get more:

Proposition 4.89 LetK be a field of characteristic0. LetAbe a simple abelian variety defined overKwith complex multiplication. ThenEndK(A)⊗Qis equal to a number fieldF of degree 2 dim(A)which is of CM-type. The ringEnd_K(A)is an order (cf. Definition 2.81) inF.

Example 4.90 LetKbe a field of characteristic0and letE be an elliptic curve overK(cf. Sec- tion 4.4.2.a). Then either EndK(E) = {[n] | n ∈ Z} orE has complex multiplication and EndK(E)is an order in an imaginary quadratic field. In either case the ring of endomorphisms ofEis commutative.

The results both of the proposition and of the example are wrong ifchar(K)>0.

For instance, take a supersingular curveE defined over a finite fieldFp² (cf. Definition 4.74).

Then the center ofEnd_F

p2(E)⊗Qis equal toQ, andEnd_F

p2(E)⊗Qis a quaternion algebra over an imaginary quadratic number fieldF (in fact there are infinitely many such quadratic number fields). HenceE has complex multiplication butEnd_F

p2(E)⊗Qisnotcommutative andnotan order inF.