Representatives of Ideal Classes

Corollary V.2.17. Let C/k be an imaginary quadratic hyperelliptic curve given by (V.4) and letO denote the integral closure of k[x] ink(C). Then,

Pic⁰(C)∼= Cl(O).

Proof. SinceC/k is imaginary quadratic, the infinite place p_∞ ofk(x)/k is ramified in k(C) and ifP∞ denotes the unique place ink(C) lying abovep_∞, we have Div∞(O) = Z(P∞). So the only divisor of degree 0 in Div∞(O) is the zero divisor, i.e. Div⁰_∞(O) = {0}. Hence,R(O) ={0}. By example V.2.13 we know that the assumptions of theorem V.2.16 are met. So we can apply the theorem to get Pic⁰(C)∼= Cl(O).

The situation for real quadratic hyperelliptic curves is different, but if there exists a finite ramified placep of k(x)/k of degree 1 with uniformizer p∈k[x], it is possible to convert the real into an imaginary quadratic representation.

Lemma V.2.18. Let C/k be a real quadratic hyperelliptic curve given by (V.4). As-sume that there exists a finite ramified place pof k(x)/k of degree 1 with uniformizer p∈k[x]. Thenk(C) is an imaginary quadratic hyperelliptic function field over k(¹_p).

Proof. By proposition III.1.4 we have div(1

p)∞= div(p)0 =e(P|p)v_p(p)(P) = 2(P),

i.e. [k(C) : k(¹_p)] = deg(div(¹_p)∞) = 2. In this representation, the infinite place of k(¹_p)/k is ramified.

V.2. THE GROUP LAW FOR HYPERELLIPTIC CURVES 97 Knowing that {1, y} is a local integral basis at the finite place p, we can apply Kummer’s theorem (see theorem III.3.14) onk(C), whereas the minimal polynomial of y is given by (V.4). Together with the fact that k(x)_p ∼=k[x]/(p) by theorem III.1.10 wherep∈k[x] is the uniformizer forpwe immediately deduce the following (cf. [Eng00, Ch. 3, proposition 3.10, p. 48]):

Proposition V.2.20. Let p be a finite place of k(x)/k with uniformizer p ∈ k[x].

Consider the roots of

Y²+h(x)Y −f(x) (mod (p))

(by (V.4)), a polynomial ink(x)p[Y], in the residue class fieldk(x)p ∼=k[x]/(p).

1. If there is no root, then p is inert, and the only extensionP of p satisfies pO = P ∩ O.

2. If there is a double rootb+ (p), then p is ramified, and the unique extension P of p satisfiespO= (P∩ O)² with P∩ O= (p, y−b) =pO+ (y−b)O.

3. If there are two distinct roots b+ (p) and b⁰+ (p) =−b−h(x) + (p), then p is splitting, and the extensions P₁ and P₂ of psatisfy pO= (P₁∩ O)(P₂∩ O) with P₁∩ O= (p, y−b) and P₂∩ O= (p, y−b⁰).

In particular, any prime ideal ofO is generated by at most two elements.

Remark V.2.21. In terms of the hyperelliptic involution, the theorem yields:

1. Ifpis inert, then P∩ O= (p) = (ω(p)).

2. Ifpis ramified, thenP ∩ O= (p, y−b) = (ω(p), ω(y−b)).

3. Ifpis splitting, then P₂∩ O= (ω(p), ω(y−b)).

Proof. 1. This follows asp∈k[x].

2. Sinceb+ (p) is a double root in k(x)p, we have

(Y −b)²≡Y²+h(x)Y −f(x) (mod (p)).

Then, by Kummer’s theorem, we know thaty−b∈P. But by proposition V.1.9, this means that ω(y−b) =y−b sincep is ramified.

3. By the theorem, there existsg ∈k[x] such that b⁰+b+h(x) =p·g∈(p)⊆pO.

Furthermore, we have ω(y−b) = −y−h(x)−b since b ∈ k[x]. Together, this means

(p, ω(y−b)) = (p,−y−h(x)−b) = (p,−y+b⁰) = (p, y−b⁰) =P2∩ O.

It is possible to extend the hyperelliptic involution to finite divisors (i.e. divisors not containing infinite places):

Definition V.2.22. Letpbe a finite place ofk(x)/kand letP1, P2 be the (not neces-sarily distinct) places ofk(C)/k extending it.

1. Ifpis inert or ramified, then P :=P₁ =P₂, and we defineω(P) :=P.

2. Ifpis splitting, then P1 6=P2, and we define ω(P1) :=P2 resp. ω(P2) :=P1. It is trivial that, by this definition, ω is an involution on the set of finite places. This definition can be additively extended toI(O).

Having defined it for finite divisors, we can also define it for fractional ideals:

Definition V.2.23. LetP∩ Obe a prime ideal ofOfor some finite placeP ofk(C)/k.

We define

ω(P∩ O) :=ω(P)∩ O.

Since every fractional ideal is the product of prime ideals (with possibly negative mul-tiplicities), we can extend this definition multiplicatively to I(O). It is clear that, in this way,ω is an involution on I(O).

As an immediate consequence of proposition V.2.20, we have the following result:

Corollary V.2.24. LetP be a place ofk(C)/kextending some finite placepofk(x)/k.

Then we have for everyz∈k(C):

v_ω(P)(z) =v_P(ω(z)).

Proof. Consider the prime ideal P ∩ O of O. By theorem V.2.20 we know that this ideal is generated by two elements, say P ∩ O = (r, s). Consequently, we know that ω(P)∩ O= (ω(r), ω(s)) by remark V.2.21. Now, if z∈ O then we have the relation

z∈ω(P) ⇐⇒ ω(z)∈ω(ω(P)) =P.

By considering the generators of P ∩ O and ω(P) ∩ O it follows immediately that v_ω(P)(z) = vP(ω(z)). This in turn implies the result for k(C) since it is the field of fraction ofO.

Another proof of this can be found in [Sti93, Ch. III, lemma 5.2, p. 89].

Principal Divisors

Recall from section V.2.3 that

πO(Princ(C)) = Princ(O), i.e. div(zO) =πO(div(z))

for any z ∈ k(C). Our first aim is to show that a similar result exists for finitely generated ideals, namely that it is possible to deduce the divisor of a finitely generated ideal from the divisors of its generators.

V.2. THE GROUP LAW FOR HYPERELLIPTIC CURVES 99 Definition V.2.25. We define the greatest common divisor of two divisors of Div(C) as

gcdX

m_P(P),X n_P(P)

:=X

min(m_P, n_P)(P).

Proposition V.2.26. Forr, s∈ O, we have

div(rO+sO) = gcd(π_O(div(r)), πO(div(s))) =πO(gcd(div(r),div(s))).

So, the divisor of a finitely generated ideal is the image of the greatest common divisor of the divisors of its generators underπO.

Proof. See [Eng00, Ch. 3, proposition 3.12, p. 49].

This proposition actually concerns all ideals of O since O is Noetherian, which means that every integral ideal is finitely generated and so is every fractional ideal of O by remark V.2.3 (see also lemma V.2.2). We know that the divisor of an ideal of O determines its decomposition into prime ideals, so we have found an easy way to decompose an ideal ofO. In certain situations, we can write down the explicit form of a divisor of a principal ideal:

Proposition V.2.27. Leta, b ∈k[x] and let P denote the extention of a finite place pof k(x)/k.

1. If a = Q

pp^vp(a) with p ∈ k[x] irreducible, vp := vp(a) ≥ 0 and p the place of k(x)/kwith uniformizerp, then

div(aO) = X

pinert

vp(P) + X

pram.

2vp(P) + X

pspl.

(vp(P) +vp(ω(P))).

2. IfN_k(C)/k(x)(y−b) =Q

pp^vp withp∈k[x] irreducible, v_p ≥0 and p the place of k(x)/kwith uniformizerp, thenvp >0 implies thatpis not inert and thatb+ (p) is a root of Y²+hY −f (mod p). If p is ramified, then v_p ∈ {0,1}. Let P be such that P∩ O= (p, y−b). Then:

div((y−b)O) =X

p

vp(P).

3. If, in the situation of part 2,a|N_k(C)/k(x)(y−b) witha=Q

pp^vp(a)as in part 1, then

div((a, y−b)O) =X

p

vp(a)(P) with deg(div((a, y−b)O)) = deg(a).

Proof. Parts 1 and 2 are proved in [Eng00, Ch. 3, proposition 3.13, p. 49]. For the third part, we apply proposition V.2.26:

div((a, y−b)O) = gcd(div(aO),div((y−b)O)) =X

p

vp(a)(P).

Then, it is clear that

deg(div((a, y−b)O)) = X

pinert

0 + X

pram.

v_p(a) deg(p) + X

pspl.

v_p(a) deg(p) = deg(a),

since deg(P) =f·deg(p), wheref denotes the inertia degree.

The Unique Representation of Integral Ideals of O

We state the main result of this section, which is a generalization of theorem V.2.20:

Theorem V.2.28. Let C/k be a hyperelliptic curve given by (V.4) and let a be an integral ideal of O. Then there exist unique elements a, b, d ∈ k[x] with a, d monic, deg(b)<deg(a) anda|N_k(C)/k(x)(y−b) =b²+bh(x)−f(x) such that

a= (d)(a, y−b).

We will give a constructive proof based on [Eng00, Ch. 3, theorem 3.14, p. 50], which will be the starting point for later algorithms. Our proof will be much more detailed though. But before we are able to do so, we need to do some preliminary work, beginning with the extended Euclidean algorithm to find the greatest common divisor of two polynomials:

Algorithm 2Extended Euclidean Algorithm INPUT: Two polynomials f, g∈k[x].

OUTPUT: Polynomials (u, v, d) such thatu·f +v·g=dwith d= gcd(f, g).

1: u←1, d←f, v1←0 and v3←g

2: repeat

3: r←(dmod v₃) and q←(d−r)/v₃ {this is ED=Euclidean Division}

4: t←u−v1·q, u←v1, d←v3, v1←t and v3 ←r

5: until v3 = 0

6: v←(d−f ·u)/g

7: return (u, v, d)

Proof of algorithm 2. See [Coh96, Ch. 3, algorithm 3.2.2, p. 113].

Remark V.2.29. Clearly, by applying the extended Euclidean algorithm recursively, it is possible to compute the greatest common divisor of more than two polynomials f1, . . . , fn with corresponding representation. We calculate

f := gcd(f₁, . . . , fn−1) =u₁f₁+· · ·+un−1fn−1

and apply the algorithm tof and fn:

gcd(f, f_n) =uf +vf_n.

V.2. THE GROUP LAW FOR HYPERELLIPTIC CURVES 101 This in turn yields

gcd(f₁, . . . , f_n) = gcd(f, f_n) = (uu₁)f₁+· · ·+ (uun−1)fn−1+vf_n.

Also, we will need the concept of the norm of an integral ideal which is defined with the help of the following lemma:

Lemma V.2.30. Ifais an integral ideal ofO, thena·ω(a) is a principal ideal, generated by an element ofk[x].

Proof. See [Eng00, Ch. 3, proposition 3.15, p. 51].

Definition V.2.31.Letabe an integral ideal such thata·ω(a) is generated bya∈k[x]

(cf. lemma V.2.30). We define

N(a) :=a·ω(a)∩k[x] =ak[x]

and call it thenorm of a.

If an integral ideal is of a special form, we can immediately write down its norm:

Lemma V.2.32. 1. If a = (a, y−b) with a, b ∈ k[x] and a | b² +bh −f, then N(a) =ak[x].

2. Ifb= (d) withd∈k[x], then N(b) =d²k[x].

Proof. This is [Eng00, Ch. 3, lemma 3.16, p. 51].

We are finally able to prove the main result:

Proof of theorem V.2.28. Existence. Firstly, we prove the existence for prime ideals P∩ O ofO. We know that P lies above the unique finite placep:=P∩k(x) ofk(x), which in turn has a monic irreducible polynomialp∈k[x] as a uniformizer. It follows by theorem V.2.20 that

P∩ O= (p, y−b)

with eitherb =y orb ∈k[x] and deg(b) <deg(a). If b= y, we are done. Otherwise, we know that b+ (p) is a root of Y²+h(x)Y −f(x) modulo p, i.e. p | b²+hb−f, which proves the existence.

Now, since every integral ideal is the uniquely determined product of finitely many prime ideals, it suffices to show that the product of two ideals of the given form is in the same form again. So ifa₁= (a1, y−b1) anda₂= (a2, y−b2) withai, bi∈k[x] and ai |b²_i +bih−f for i = 1,2, we show that there exist a, b, d ∈ k[x] with d, a monic, deg(b) <deg(a) and a| b²+hb−f such that a:= a₁a₂ = (d)(a, y−b). To find this representation, we simply calculate the producta:

a= (a₁a₂, a₁y−a₁b₂, a₂y−a₂b₁, y₂−(b₁+b₂)y+b₁b₂).

Buty²=f−hy by (V.4), i.e.

a= (a₁a₂, a₁y−a₁b₂, a₂y−a₂b₁,(b₁+b₂+h)y−(b₁b₂+f)). (V.6) By algorithm 2, we can effectively compute elementsd, u1, u2, u3 ∈k[x] such that

d= gcd(a₁, a₂, b₁+b₂+h) =u₁a₁+u₂a₂+u₃(b₁+b₂+h). (V.7) Furthermore, we can show thatb:= ^u1a1b2+u2a2b_d^1+u3(b1b2+f) is an element ofk[x] as

b= u₁a₁b₂+ (d−u₁a₁−u₃(b₁+b₂+h))b₁+u₃(b₁b₂+f) d

by using (V.7), which in turn equals b1+a1

d(u1(b2−b1)−u3c1) =b2+a2

d(u2(b1−b2)−u3c2)∈k[x] (V.8) by puttingc_i := ^b2i+b_a^ih−f

i fori= 1,2. Now, the definition ofbtogether with (V.7) yield d(y−b) =dy−db=u1a1(y−b2) +u2a2(y−b1) +u3((b1+b2+h)y−(b1b2+f)), i.e. d(y−b) ∈ a by (V.6). An easy calculation reveals that a = (a₁a₂, a₁(y−b₂)−

a1

dd(y−b), a₂(y−b₁)−^a_d²d(y−b),(b₁+b₂+h)y−(b₁b₂+f)−^b1+b_d^2+hd(y−b), d(y−b)), i.e.

a= (a₁a₂, a₁(b−b₂), a₂(b−b₁),(b₁+b₂+h)b−(b₁b₂+f), d(y−b)).

But, by (V.7), (b1+b2+h)bis equal to

(u1a1b1+u2a2b2)(b1+b2+h) + (d−u1a1−u2a2)(b1b2+u) d

which, by definition ofc₁ andc₂, equals a1a2

d (u1c2+u2c1) + (b1b2+f).

We have shown:

a= a1a2

d d,a1a2

d (u2(b1−b2)−u3c2),a1a2

d (u1(b2−b1)−u3c1), a1a2

d (u1c2+u2c1), d(y−b)

.

Sinceω(y−b) =−y−h−b, we can easily compute the norm ofy−bby remark V.1.8:

N_k(C)/k(x)(y−b) = (b−y)(y+h+b) =b²+hb−f.

V.2. THE GROUP LAW FOR HYPERELLIPTIC CURVES 103 One verifies that this is equal to

a₁a₂

d (u₁u₂(b₁+b₂) +u₃(u₁c₂+u₂c₁))h+u²₃c₁c₂

+ (u1a1+ 2u3b1)u1c2+ (u2a2+ 2u3b2)u2c1+ 2u1u2(b1b2−f) ,

which is an element of (d⁻¹)a and is divisible by a := ^a1_d^a2², i.e. a | b²+bh−f. By computing

t= gcd

d, u₂(b₁−b₂)−u₃c₂, u₁(b₂−b₁)−u₃c₁, u₁c₂+u₂c₁,(b²+bh−f)d² a1a2

with algorithm 2, we obtain

a= (d) (at, y−b).

On the other hand, we know that the ideal norm is multiplicative and so we can apply lemma V.2.32, which yields:

N(a) =d²at=a1a2tk[x], since ifa·˜a=b²+bh−f for some ˜a∈k[x], thent| ^(b2+bh−f_a ^)d2

1a2 = ˜a, i.e. at|b²+bh−f. By the same argument, we obtain

N(a) =N(a1)N(a2) =a1a2k[x].

Together, this means thatt= 1, i.e. we have shown:

a= (d)(a, y−b).

By multiplyingaanddby suitable constants ink^∗⊆ O^∗, we can achieve that they are both monic. Similarly, we can add a suitable multiple of a to b to achieve deg(b) <

deg(a). This shows the existence of the desired representation of a.

Uniqueness. By using the definition of ideal multiplication and the fact that (d) is a principal integral ideal, we obtain:

a= (d)(a, y−b) =daO+d(y−b)O.

But by proposition V.2.19, we haveO=k[x] +yk[x], i.e.

a=d(ak[x] +k[x]−(b+h)k[x])y+d(ak[x] +f k[x]−bk[x]).

So elements ofa are of the form ry+s for r, s ∈ k[x] with d| r and d| s. We have proven thatdy−db∈aand hence,d= gcd(r :ry+s∈a). Sodis uniquely defined by a. On the other hand, N(a) = d²ak[x] by lemma V.2.32, which yields the uniqueness ofa. The uniqueness ofb follows from proposition V.2.27(3), sinceais unique.

Semireduced Divisors

The unique representation of an integral ideal ofO that we have met in the previous theorem can be used to find designated representatives of ideal classes.

Proposition V.2.33. Letabe an integral ideal ofOwith corresponding divisorD:=

div(a) =P

vP(P). Then the following are equivalent:

1. (p⁻¹)a is not integral for any irreducible polynomial p∈k[x].

2. D−πO(div(p)) =D−div(p)0 0 for any irreducible polynomialp∈k[x].

3. IfP is inert, thenvP = 0; ifP is ramified, thenvP ∈ {0,1}; ifP is splitting, then v_P = 0 orv_ω(P) = 0.

4. a= (a, y−b) for a, b∈k[x], amonic, deg(b)<deg(a) anda|b²+bh−f. Proof. This is [Eng00, Ch. 3, proposition 3.18, p. 54].

This result leads to the following definition:

Definition V.2.34. If the assertions of the proposition are satisfied, we call the divisor D= div((a, y−b)O) semireduced and denote it by div(a, b).

Corollary V.2.35. IfD:= div(a, b) is a semireduced divisor, thenω(D) = div(a,−b−

h mod a) is semireduced and lies in the opposite ideal class, i.e. D+ω(D) = div(dO) for somed∈k[x] (here, “moda” does not mean the residue class modabut the actual residue from the Euclidean algorithm).

Proof. See [Eng00, Ch. 3, proposition 3.20, p. 55].

Now, the main result of this subsection is that every ideal class contains such a semireduced divisor. Unfortunately, this semireduced divisor need not be unique.

Theorem V.2.36. Any ideal class contains a (not necessarily unique) semireduced divisor.

Proof. Let div(a)∈I(O) be a representative of a given ideal class, where ais an ideal ofO. Recall from section V.2.2 that a is integral if and only if div(a)≥0. Therefore, if a is fractional, then it exists a place P of k(C)/k extending some finite place p of k(x)/kwith uniformizerp∈k[x] such that m_P(a)<0. Ifpis splitting, we may assume thatm_ω(P)(a)≥m_P(a) (otherwise we switchP andω(P)) and the ideal class of div(a) is the same as of

div((pO)^−mP(a)a) = div((P ∩ O)^−mP(a)(ω(P)∩ O)^−mP(a)a) and ifp is ramified, it is the same as of

div((pO)^−mP(a)a) = div((P∩ O)^−2mP(a)a).

V.2. THE GROUP LAW FOR HYPERELLIPTIC CURVES 105 The multiplicity of P in this new representative is certainly non-negative and since div(a) has only finitely many such places we may iterate this procedure to find a representative div(b) of our given ideal class withb an integral ideal.

Now, by theorem V.2.28 we have the representation b= (d)(a, y−b).

In terms of divisors this means

div(b) = div(dO) + div(a, b)

which implies that div(b) and div(a, b) represent the same ideal class.

Im Dokument The Arithmetic of Elliptic and Hyperelliptic Curves with Applications to Pairing-Based Cryptography (Seite 102-111)