Efficient Reduction on the Jacobian Variety of Picard curves

Picard curves

J.-P. Cherdieu , J. Estrada , E. Reinaldo

July 15, 1998

Abstract

In this paper, a system of coordinates for the elements on the Jaco- bian Variety of Picard curves is presented. These coordinates possess a nice geometric interpretation and provide us with an unifying envi- ronment to obtain an explicit structure of abelian variety for the Jaco- bian, as well as an ecient algorithm for the reduction and addition of divisors. Exploiting the geometry of the Picard curves, a completely eective reduction algorithm is developed, which works for curves de- ned over any ground eld^k, with^char(^k) = 0 or^char(^k)⁶= 3.

In the generic case, the algorithm works recursively with the sys- tem of coordinates representing the divisors, instead of solving for points in their support. Hence, only one factorization is needed (at the end of the algorithm) and the processing of the system of coor- dinates involves only linear algebra and evaluation of polynomials in the denition eld of the divisor^D to be reduced. The complexity of this deterministic reduction algorithm is^O(^deg(^D)) . The addition of divisors may be performed iterating the reduction algorithm.

0AMS Subject Classi cation: 14H45, 14H40, 14H05, 14Q05, 14Q20, 11G10, 11T71.

Key Words: Picard curves, Jacobian Varieties, Addition Law, Discrete logarithm.

1

1 Introduction

In the present paper we present a fast and completely eective algorithm for the reduction of divisors on the Jacobian Variety of Picard curves. Our algorithm works correctly for any Picard curve C(k) dened over a eld k with char(k) = 0 or char(k) ⁶= 3. This algorithm is an improvement of an algorithm presented in 5]. The modications are based on a renement of the coordinates introduced in 5] (hence, they can also be used to endow the Jacobian Variety of C(k), J(C), with an explicit extructure of abelian vari- ety). The complexity of this new algorithm is, also, linear in the degree of the eective divisorD(i.e.O(deg(D))) to be reduced, but the new algorithm possess certain features that permits us to diminish the cost of the compu- tation of of a point as well as obtaining explicit formulas wich in fact are useful to lower down the complexity. We have implemented the algorithm in the symbolic computation language MAPLE V, permiting us to test the algorithm and to show several non-trivial examples.

The Picard Curves are genus three plane projective curve which has been intensively studied due to their conection with certain Hilbert's problems (c.f. 7], 8], 9], 10]) as well as to the study of some linear error correcting codes (c.f. 6]).

2 Notations and Terminology

Let k be an arbitrary eld and k its algebraic closure. Let X(k) be a k- dened plane projective curve in ^P2k (here k-dened means that the poly- nomial dening X(k) has all its coecients in k) and K^X(k) be the eld of rational functions on X(k). Let alsoX(k) be the subset ofk-rational points of X(k) and K^X(k) be the subeld of k-rational functions on X(k).

A divisorD onX(k) is a formal sum D= ^X

P2X(k)

m^PP m^{P 2Z}

where all but a nite set of the m^P are zero (i.e. D is an element of the free abelian group Div(X(k)) generated by the elements of X(k)). Given D we associate to it the number deg(D) = ^P

P2X(k)

m^P the map deg() is an 2

homorphism from Div(X(k)) onto ^Z. A divisor D is said to be k-rational i all its points have coordinates in k (i.e m^{P 6}= 0⁾P ²X(k)).

To any element f in K^X(k) we associate the divisors (f)⁰ and (f)¹ of zeros and poles of f, respectivelly. Denote also by (f) = (f)^{0 ;}(f)¹ the divisor of f.

A divisor D is said to be principal i there exists a rational function f such that D= (f). The fact deg((f)) = 0 joined to (fg) = (f) +(g) shows that the set ^P(X(k)) of principal divisors forms a subgroup of the group Div⁰(X(k)) of divisor of degree zero. Then, the quotient group

J(X(k)) =Div⁰(X(k))=^P(X(k))

is called the Jacobian variety of X(k). We may consider also the subgroup J^k(X(k)) of k-rational points of the Jacobian, i.e. the set of classesxhaving a representant D, with D k-rational.

If k is a nite eld it is known thatJ^k(X(k)) is a nite abelian group.

3 Some Geometric Facts About Picard Curves

Let k be an arbitrary eld of char(k) ⁶= 3, and let k denote its algebraic closure.

De nition 3.1

A Picard curveC^p4(k) is a genus three plane projective curve with model:

C^p4(k) :WY^3;W⁴p⁴(X

W^{) = 0 (1)}

where p⁴(x) =x⁴+a³x+a²x+a¹x+a⁰ is a polynomial in k x]:

Forchar(k) = 0 orchar(k)>3 it is not dicult to prove thatC^p4(k) will be non-singular if and only if the discriminant ofp⁴ is dierent from zero (i.e.

p⁴ has no multiple roots in k). Moreover, every curve C^p4(k) is birationally equivalent to a Picard curve C^pb4(k), with p^b4(x) =x⁴+^ba²x²+^ba¹x+^ba⁰ (c.f.

4]), hence, without lost of generality, we may suppose in (1) a³ = 0.

3

If the eld k is algebraically closed every Picard curve C^p4(k) has ve total ramication points R¹ ::: R⁵ with respect to the covering morphism

^x : C^p4(k) ^{;! P1k} (x:y:z) ^7;! x

The points Rⁱ = (rⁱ : 0 : 1) i = 1 ::: 4 where rⁱ are the roots of p⁴(x) and R⁵ = P¹ = (0 : 1 : 0), the point at innity on C^p4(k). Moreover, if represents a primitive cubic root of unity in k (i.e. ² + + 1 = 0) the mapping

: C^p4(k) ^;! C^p4(k)

(x:y :z) ^7;! (x:y:z) (2) is an automorphism of C satisfying:

^x=id^P1k and ³ =id^Cp4(k):

Given two points P¹ and P² we call them conjugate if P¹ = (P²) or P² = (P¹) (from here on, we will denote (P) simply by P).

Lemma 3.2

^{Let Cp4(k}) be a non-singular Picard curve. Then the eective divisors of the canonical class K, of C^p4(k), are those which are the inter- section of lines with C^p4(k).

Proof. It is an easy consequence of the fact that:

!¹ = 1ydx !^{2 =} x

y²dx !³ = y

y²dx (3)

where

x= X

W y= Y

W ⁽⁴⁾

constitute a basis of (0) (c.f. 2]).

4 Explicit Algebraic Model for the Jacobian Variety of a Picard Curve

>From here on C^p4(k) will be a xed Picard curve, hence, we will denote it simply by C.

4

De nition 4.1

Given an ane eective divisor D we call it semireduced if there exists no P¹ such that DP¹+P¹+²P¹. We set also

Div⁺ⁱ(C) :=^fD²Div(C)^jD k-rational semireduced of degree i^g for i 0, and

D(r s) = ^s

i=r

Div⁺ⁱ(C) for 0r < s.

Given a polynomialf(x y)²k x y] we dene the order off(x y) atP¹ as:

ord^P1(f(x y)) =^{; P1}(f(x y)).

where, ^P1() denotes the valuation ofatP¹. We will also call the leading term of the polynomialf(x y) to the terma^i1j1xⁱ¹y^j1 satisfying the equality:

P

1(v^D(x y)) = min

ij P

1(a^ijxⁱy^j) = ^P1(a^i1j1xⁱ¹y^j1). (5) LetDbe an element of^D(2 4). We will assign toD the conicv^D(x y) = a²⁰x²+a¹⁰x+a⁰¹y+a¹¹xy+a²⁰y²+a⁰⁰ of least order at P¹ satisfying the condition:

(v^D(x y))⁰ D (6)

normalized by the additional condition that its leading term is monic. Note that in certain cases the conic may degenerate in a line or in the zero poly- nomial and that v^D(x y) satises

ord^P1(v^D(x y))8^;(5^;deg(D)). (7) We call v^D the interpolating conic of D.

Lemma 4.2

^{Let v(x y) = a20x2+a10x+a01y+a11xy+a20y2+a00: Then}

the following equivalences hold:

1. ord^P1(v(x y)) = 7^, a⁰²= 0 and a¹¹⁶= 0.

5

2. ord^P1(v(x y)) = 6^, a⁰²= 0, a¹¹ = 0 and a²⁰⁶= 0.

3. ord^P1(v(x y)) = 4^, a⁰²= 0, a¹¹ = 0, a^{20 6}= 0 anda^{01 6}= 0.

Proof. Consider the local parameter t = ^xy at P¹, and impose the required vanishing conditions on v^D(x y).

De nition 4.3

Given a divisor D of degree 3 we callD collinear if there exist three points P¹ P² P³ in supp(D) and a liner⁰ such that (r⁰)⁰ P¹+ P²+P³. Otherwise, D is called generic.

Lemma 4.4

Given a divisor D in ^D(3 4), the following propositions are equivalent:

a) v^D(x y) is linear or factorizes in linear factors.

b) D+P¹ is collinear.

c) v^D(x y) = a²⁰x² +a¹⁰x+a⁰¹y+a¹¹xy+a⁰⁰ with a²¹¹a⁰⁰+ a²⁰¹a^{20 ;} a¹¹a⁰¹a¹⁰= 0

Note: recall that after (7) and lemma 4.2 we may assume a⁰² = 0.

Proof. a) ⁾ c). If v^D(x y) is a line then a¹¹ = a²⁰ = 0. Hence a²¹¹a⁰⁰+a²⁰¹a^20;a¹¹a⁰¹a¹⁰ = 0 holds. If v^D(x y) is of degree two then, after lemma 4.2, a⁰² = 0: Furthermore, v^D(x y) factorizes in linear factors if and only if

4det

0

@

a^{20 a112 a102}

a

11

2 0 ^a201

a

10

2 a

01

2 a⁰⁰

1

A=a²¹¹a⁰⁰+a²⁰¹a^20;a¹¹a⁰¹a¹⁰ = 0:

c) ⁾ b). If a²¹¹a⁰⁰+a²⁰¹a^20;a¹¹a⁰¹a¹⁰ = 0 then if a¹¹ = a²⁰ = 0 then obviously holds b). Else, depending on whether a¹¹=a⁰¹ = 0 or not we get either

v^D(x y) = (a²⁰x²+a¹⁰x+a⁰⁰) =r¹r² or

v^D(x y) = (a²⁰x+a¹¹y+a^10;a²⁰a⁰¹=a¹¹)(x+a⁰¹=a¹¹) =r¹r². 6

In any case v^D factorizes as a product of lines. Then, if D ² Div⁺⁴(C), D+P¹ contains ve points and at least three of them belong tor¹ orr². If D²Div⁺³(C) then the same reasoning applies to D+ 2P¹.

b)⁾a). Follows directly from Bezout's theorem.

Let's denote by the correspondence

:^D(2 4) ^;!k x]kx y]k y] which assigns to a divisor D the 3-tuple of polynomials

(D) = (u^D(x) v^D(x y) w^D(y)) (8) where:

u^D(x) = ^Y

P

i

2supp(D)

(x^;xⁱ) (9)

w^D(y) = ^Y

P

i

2supp(D)

(y^;yⁱ) (10)

v^D(x y) = the interpolating conic at D, (11) where, Pⁱ = (xⁱ : yⁱ : 1). The correspondence fails to be injective on

D(2 4): let x¹ and x² be elements of k satisfying p⁴(x¹) = p⁴(x²) ⁶= 0, and suppose y⁰ is a root of y^3;p⁴(x¹) = 0, then the divisors

D¹ = (x¹ :y⁰ : 1) + (x¹ :y⁰ : 1) + (x² :y⁰ : 1) + (x² :²y⁰ : 1), D² = (x¹ :y⁰ : 1) + (x¹ :²y⁰ : 1) + (x² :y⁰ : 1) + (x² :y⁰ : 1) have the same image by . Nevertheless, if we restrict it to the set

D

0(2 4) = ⁴

i=2

Div⁰⁺ⁱ where,

Div⁰⁺ⁱ(C) =^fD²Div⁺ⁱ(C)^jD does not contains two conjugate points^g for i= 2 3, and

Div⁰⁺⁴(C) =^fD²Div⁺ⁱ(C)^jD ⁶=P¹ +P¹+P²+P^{2 g} we obtain:

7

Lemma 4.5

The correspondence restricted to ^D0(2 4) denes a bijection onto its image (^D0(2 4)).

Proof. For D in Div^{+0 2}, Div⁰⁺³ or D in Div⁰⁺⁴, with D+P¹ generic, after lemma 4.4, we obtain thatv^D(x y) is a conic (or a line) whose coecient of y is a polynomial in x not vanishing in the x-coordinates of the points in D. Therefore, factoringu^D(x) we can recover thex-coordinates of the points on supp(D) and substituting in v^D(x y) we nd the y-coordinates. The remaining cases are:

1. D=P¹+P²+P³+P⁴ with P¹+P²+P³ collinear, P^{4 6}=^kPⁱ,k = 1 2, i= 1 2 3. Thenv^D(x y) = r¹(x y)(x^;x⁴), where (r¹)^{0 <}P¹+P²+P³, r¹ = x+y+, ⁶= 0: Factoring u^D(x) and substituting in r¹ we recoverP¹ P² P³:The y-coordinate ofP⁴ is obtained as the root of the linear polynomial

L= w^D(y)

(y^;y¹)(y^;y²)(y^;y³)

2. D is generic but D+P¹ is collinear. Then D =P¹+P²+P³+P³ with P^{1 6}= ^kP^2, k = 1 2 and v^D(x y) = r¹(x y) (x ^;x³), with (r¹)^{0 <} P¹ +P², r¹ = x +y +, ⁶= 0. Factoring u^D(x) and substituting in r¹ we recover P¹ P². We nd the y-coordinate of ³P³ as the root of the linear polynomial

L= R^x(v^D C)

g:c:d(R^x(r¹ C) R^x(v^D C))

Remark 4.6

^{If k} is algebraically closed then, after lemma 4.5, the mapping denes a bijection from^D0(2 4) onto the set ; of 3-uples (u(x) v(x y) w(y)) satisfying:

1. 2deg(u) = deg(w)4, u and w monic.

2. v(x y) =a²⁰x²+a¹⁰x+a⁰¹y+a¹¹xy+a⁰⁰ is the minimal normalized conic which satises u^jR^y(v C), w^jR^x(v C) and a¹¹x+a^{01 6}0.

8

If k is not algebraically closed (^D0(2 4)) is a proper subset of ;.

The mapping could be used to introduce an explicit structure of abelian variety in J(C) :

Theorem 4.7

(Explicit structure of abelian variety for J(C).)

The Jacobian Variety J(C) of a Picard curve contains a subgroup of 3^; torsion points, ^T and a Zariski closed subset ^Zof J(C), such that:

1. ^Z is isomorphic to an ane algebraic variety. Furthermore, ^Z is the complete intersection of three polynomial equations in A^6k, which may be explicitly given.

2. ^T = (^Z=3^Z)³ and J(C) =^t2T(^Z +t)

3. The family ^A=^fZ+t^jt^{2 Tg} is the atlas of a structure of algebraic variety onJ(C) . Moreover, ^AendowsJ(C) with a structure of abelian variety.

Proof. For a detailed proof of this theorem we refer the reader to our paper 5] and for the analogous case of hyperelliptic curves to the book of Mumford 13].

5 An ecient reduction algorithm in the Ja- cobian of a Picard curve.

In the present section we will construct an ecient eective reduction al- gorithm in the Jacobian variety of a Picard curve. This algorithm works correctly in any eld k with char(k) = 0 or char(k) ⁶= 3, but our main in- terest (motivated by applications) will be the case when kis a nite eld^Fq. Let's state, clearly, the problem we will solve:

Reduction problem:

Given an eective ane divisorD(by ane we mean P^{1 2}= supp(D)) nd an eective ane divisor D^f, with deg(D^f) 3, such that: D^;deg(D)P¹=D^{f ;}deg(D^f)P¹.

9

The reduction algorithm we present in this paper is based on the following geometric idea:

Suppose given an eective ane divisorD⁰ =P¹+P²+P³+P⁴ of degree four. If the points on the divisor D⁰ are collinear, then, by lemma 3.2, D⁰ is in the canonical class andD^0;4P¹ = 0. Otherwise, to nd the reduction of D^0;4P¹ we take the interpolating conic v⁰ of the divisor D⁰. Then, after the relation (7), v⁰ intercepts C, counting multiplicities, in at most three more ane points H¹ H² H³. Therefore, we obtain:

(v⁰) = (D^0;4P¹) + (D^1;3P¹)

D^0;4P¹ = ^;(D^1;3P¹) (12) where D¹ = H¹+H²+H³: Now, consider the interpolating conic v¹ of the divisor D¹ v¹ intercepts C in the additional pointsM¹ M² M³, then holds:

D^{1 ;}3P¹ =^;(D^2;3P¹) (13) with D² =M¹+M²+M³: Combining (12) and (13) , we get:

(D^0;4P¹)= (D^2;3P¹): (14) Therefore, the degree three divisor D² will be the reduced divisor of D⁰.

A possible reduction algorithm for an eective ane divisor D, of arbi- trary degree, could be the

Algorithm1

in Table 1 (c.f. pag. 23).

Remark 5.1

>From the computational point of view,

Algorithm1

^{may be}

very expensive, since in two of its steps it is necessary to factorize polynomials in kx].

Our next objective will be to modify algorithm

Algorithm1

constructing a factorization free reduction algorithm with computational complexity linear in deg(D). The modied algorithm we will present may be summarized as follows:

1. Suppose that the divisorDis partitioned as D=D⁰+E⁰+E¹+:::+ E^N;1 with E^j ane and eective, forj = 1 ::: N^;1 and the reduc- tion process (in algorithm

Algorithm1

) is performed by constructing a sequence of eective ane divisors

D⁰ D¹ D² D³ ::: D^3jD^3j+1 D^3j+2::: D^3N D^3N+1 D^3N+2 (15) 10

where

D^3j =D^3(j;1)+2+E^(j;1), for j = 1 ::: N and

D^3j;4P¹=^;(D^3j+1;deg(D^3j+1)P¹)= (D^3j+2;deg(D^3j+2)P¹) with, 0 deg(D^3j+1), deg(D^3j+2) 3, deg(D^3j) = 4 and deg(E^j;1) = 4^;deg(D^3j+2). Hence,

D^;deg(D)P¹ = (D^3N+2;deg(D^3N+2)P¹) and D^3N+2 is the reduction ofD.

2. If the divisorsD^h,h= 0 ::: 3N+ 2 are in^D1(2 4) we will assign to D^h its coordinatesD^h= (D^h). Then we obtain a sequence

D⁰ D¹ D² D³ ::: D^3jD^3j+1 D^3j+2::: D^3N D^3N+1 D^3N+2: (16) 3. The basic idea is: given D⁰ (resp. D⁰), depending on whether D^{0 2}

D

0(2 4) or not, we compute D^h or D^h, for h 1, recursively, from the previous divisors in the sequences (15) and (16). The recursive computation of the D^h and D^h will be done, in the worst case, by solving a small (of dimension at most 44)k-dened linear system in each step. Finally, known D^3N+2 = (u^3N+2 v^3N+2 w^3N+2) we recover the points in supp(D^3N+2) after Lemma 4.5.

Remark 5.2

^Given D^3j+1 D^3j+2, we can prove (c.f. 5]) the equalities:

v^3j+1 =v^3j+2 (17)

and

u^3j+2 =

R^y(v^3j+1 C) u^3j+1

(18)

w^3j+2 =

R^x(v^3j+1 C) w^3j+1

(19)

where () means that the polynomial is divided by the coecient of its leading term. Note, also, that if v^3j+1 does not depends explicitly on x then

w^3j+2=w^3j+1: (20) 11

Lemma 5.3

^{Let be} D^{3j 2}Div⁺⁴, explicitly known, then we can compute:

1. D^3j provided D^{3j 2}Div^{+0 4}.

2. D^3j+1 and D^3j+2 provided D^{3j 2}= Div⁰⁺⁴.

Proof.

1. We compute u^3j+1 and w^3j+1 as in (9) and (10) and v^3j+1 by solving linear systems of sizes at most 44:

2. Necessarily D^3j = P¹ +P¹ +P² +P² with P^{1 6}= ^kP² k = 1 2: Then D^3j+1 = ²P¹ +²P², hence we compute u^3j+1 and w^3j+1 as in (9) and (10). The interpolating conic v^3j+1 is, clearly, the line joining ²P¹ with ²P² (in case P¹ = P², the tangent line to ²P¹). Known D^3j+1 = (u^3j+1 v^3j+1 w^3j+1) we compute D^3j+2 = (u^3j+2 v^3j+2 w^3j+2) using remark 5.2.

Lemma 5.4

^{Let D3j = (u3j v3j w3j}) be the coordinates of a divisor D^3j in Div⁰⁺⁴(C), then, one of the following possibilities holds:

1. we can compute

D^3j+1 = (u^3j+1 v^3j+1 w^3j+1) and D^3j+2 = (u^3j+2 v^3j+2 w^3j+2) with v^3j+1 (and therefore v^3j+2) dependent on y.

2. we can compute D^3j+2 explicitly.

(it is not necessary to know D^3j explicitly.)

Proof. It is necessary to consider the cases:

1. Casev^3j(x y) is linear. Then the points in supp(D^3j) are collinear and D^3j;4P¹= 0 hence D^3j+2 = 0.

2. Casev^3j(x y) is a conic not factorizing in linear factors (i.e.v^3j(x y) = a²⁰x²+a¹⁰x+a⁰¹y+a¹¹xy+a⁰⁰ witha²¹¹a⁰⁰+a²⁰¹a^20;a¹¹a⁰¹a¹⁰⁶= 0).

We begin computing u^3j+1 and w^3j+1 using (18) and (19). To recover v^3j+1(x y) =b²⁰x²+b¹⁰x+b⁰⁰+b⁰¹y, we solve the 44 linear system R^y(v^3j v^3j+1) =u^3j+1 where is a constant⁶= 0. (21) This system has determinant a²¹¹a⁰⁰+a²⁰¹a^20;a¹¹a⁰¹a^{10 6}= 0, hence, it has a unique solution. Selecting conveniently we normalizev^3j+1:

12

3. Casev^3j(x y) is a conic that factorizes in linear factors (i.e.v^3j(x y) = r¹(x y)(x+a⁰¹=a¹¹) with r¹(x y) = (a²⁰x+a¹¹y+a^10;a²⁰a⁰¹=a¹¹))

(a) If (x+a⁰¹=a¹¹)^{2 j}u^3j, thenD^3j =P¹+P²+P³+P³withP¹ P² P³ unknown. In this case, as in case 2, we will try to computeD^3j+1. First we compute u^3j+1 and w^3j+1. Clearly, we can not use the system (21) to recover v^3j+1: Next, we nd ²P³: x³ = ^;a⁰¹=a¹¹ and ²y³ is the root of the linear polynomial

L= w^3j+1

g:c:d(R^x(r¹ C) w^3j+1)

if g:c:d(R^x(r¹ C) w^3j+1) is a polynomial of degree 2. If it is not the case that means ²P³ is a root of r¹ and substituting x³ inr¹ we recover ²y³: Once we have ²P³, we must consider the cases:

i. IfP³ (resp. P³) anulatesr¹(x y) then the underlying divisor D^3j is collinear and as the polynomial u^3j+1=(x+a⁰¹=a¹¹)² is linear we may recover the other interception point, M, of r¹(x y) with C. Clearly, D^3j+2 = M +²M + P³ (resp.

D^3j+2=M +²M +P³)

ii. we try to nd v^3j+1 as the solution of the 44 linear system v^3j+1(²P³) = 0

R^y(v^3j+1 r¹) =(u^3j+1=(x+a⁰¹=a¹¹)) (22) This system has determinant (a¹¹)²r¹(²P³) which if dierent from zero i r¹(²P³)⁶= 0. If this is the case, we can recover v^3j+1 and D^3j+1. Otherwise, (r¹(x y))⁰ P¹+P²+²P³+M and we can recoverM: x^M is the root of the linear polynomial

L= u^3j+1 (x+a⁰¹=a¹¹)²

and evaluating x^M in r¹ recover the y^M: Now, D^3j+1 = 2 ²P³+M: and we may nd v^3j+1 from one of the systems:

v^3j+1(²P³) = 0 of order two

v^3j+1(M) = 0 (23)

13

if ²P^{3 6}=M (with determinant ^;3y³²(x^3;x^M)^{2 6}= 0) or v^3j+1(²P³) = 0 of order three (24) if ²P³ =M (with determinant ^;54²y^{73 6}= 0)

(b) If (x +a⁰¹=a¹¹)^{2 -} u^3j the unknown D^3j is necessarily equal to D^3j =P¹+P² +P³+P⁴ with, let's say, P¹ P² P³ collinear (i.e.

(r¹(x y))⁰ P¹+P²+P³), then,

D^3j;4P¹ = ^;(P⁴+²P⁴+M ^;3P¹)

= (M +²M +P^4;3P¹)

whereM is the fourth point in which r¹(x y) intersectsC:To nd P⁴ and M we proceed as follows: x⁴ = ^;a⁰¹=a¹¹, x^M is the root of the linear polynomial

L^M = R^y(r¹ C)(x+a⁰¹=a¹¹) u^{3j ,}

if r¹ depends on x, then y^M is obtained evaluating r¹ in x^M and y⁴ is the root of the lineal polynomial

L¹ = w^3j(y^;y^M) R^x(r¹ C)

otherwise, y^M is the solution (in y) ofr¹ = 0 and y⁴ is the root of the linear polynomial

L¹ = w^3j (y^;y^M)³

Hence we may recover D^3j+2 =M +²M +P⁴ explicitly.

In those cases where we have computedD^3j+1 then using remark 5.2, we may compute D^3j+2.

Lemma 5.5

^{Given D3j+1 = (u3j+1 v3j+1 w3j+1) and D3j+2 = (u3j+2 v3j+2}

w^3j+2) and known the divisor E^j;1 then, exactly one of the following cases holds:

1. we can compute D^3(j+1) = (u^3(j+1) v^3(j+1) w^3(j+1)) explicitly.

14

2. we can compute D^3(j+1)+1 and D^3(j+1)+2 explicitly.

3. we can compute the D^3(j+1)+2 explicitly and it is k-rational.

Proof. The strategy will be try to compute D^3(j+1) if possible, if it is not possible then we are in the other cases. First, we compute u^3(j+1) and w^3(j+1) as

u^3(j+1) = u^{3j+2 Y}

Pi2supp(Ej;1)

(x^;xⁱ) (25)

w^3(j+1) = w^{3j+2 Y}

Pi2supp(Ej;1)

(y^;yⁱ) (26)

then, we try to nd v^3(j+1) from the linear system

v^3(j+1)(Pⁱ) = 0 with P^{i 2}supp(E^j;1)

R^y(v^3j+2 v^3(j+1)) = u^3j+2 a non-zero contant. (27) We must consider the following cases:

1. Case v^3j+2 linear (i.e. v^3j+2 =b¹⁰x+b⁰⁰+y). Then E^j;1 =P⁰¹+P⁰² and the system (27) has determinant equal to

;3y⁰¹² v^3j+2(P⁰¹)² if P⁰¹=P⁰² (x^01;x⁰²)v^3j+2(P⁰¹)v^3j+2(P⁰²) ifP⁰¹⁶=P⁰² then, we have to consider the excluding cases:

(a) Case u^3j+2(P⁰¹) or u^3j+2(P⁰²) = 0: Then as u^3j+2 is of degree 2 we can recover D^3j+2 without making factorizations, then holds D^3(j+1) =D^3j+2+P⁰¹+P⁰² and we may apply lemma 5.3.

(b) Case v^3j+2(P⁰¹) = 0 and u^3j+1(P⁰¹) = 0 (resp. v^3j+2(P⁰²) = 0 and u^3j+1(P⁰²) = 0), then the divisor D^3(j+1) is a collinear divisor and we can compute the other point M in which v^3j+2 intercepts C:

ThenD^3j+2 =M+²M+P⁰² (resp. D^3j+2 =M+²M+P⁰¹).

(c) Case P⁰¹ =P⁰², then set v^3(j+1) = (x^;x⁰¹)v^3j+2 (d) Otherwise, the system (27) is solvable.

15

2. Case v^3j+2 is a conic (i.e. v^3j+2 = b²⁰x² +b¹⁰x+b⁰⁰+y, b^{20 6}= 0) and E^j;1 =P⁰¹. Then, we begin computingu^3(j+1), w^3(j+1) as in (25) and (26), respectively. Now, the system (27) has determinantb²⁰v^3j+2(P⁰¹) and we have the cases:

(a) ifv^3j+2(P⁰¹)⁶= 0 we recover w^3(j+1) from (27).

(b) ifv^3j+2(P⁰¹) = 0 and u^3j+1(P⁰¹) = 0, clearly v^3(j+1) =v^3j+2. (c) if v^3j+2(P⁰¹) = 0 and u^3j+2(P⁰¹) = 0 we look for w^3(j+1) in the

system

v^3(j+1)(P⁰¹) = 0 of order two:

R^y(v^3j+2 v^3(j+1))=(x^;x⁰¹) =(u^3j+2=(x^;x⁰¹)) ⁶= 0 (28) i. In case P⁰¹ is not a ramication point, the previous system

has determinant

b²⁰(6y⁰¹² x⁰¹b²⁰+ 3y²⁰¹b¹⁰+p^I4(x⁰¹)) (29) this expression is equal to zero if and only ifv^3j+2 has a zero of order two in P⁰¹. If it is the case, then, as u^3j+2 is of degree three,u^3j+2=(x^;x⁰¹)² is linear inxand we can recover (without factorizing) the other point P² in D^3j+2, and we apply lemma 5.3 to D^3(j+1) = 3P⁰¹+P². Otherwise we solve (28) to ndv^3(j+1):

ii. In case P⁰¹ is a ramication point, the determinant of (28) is b²⁰, hence, we can solve for v^3(j+1).

Combining lemmas (5.3,5.4,5.5) we can construct the algorithm

Algo- rithm2

(see Table 2 in pag. 24) which is the announced ecient modication to algorithm

Algorithm1

(see Table 1).

Proposition 5.6

Given the divisor D the

Algorithm 2

computes the re- duced divisor of D making O(deg(D)) operations in k and only one factor- ization of a polynomial, of degree at most 3 in kx]: Morover, if the ground eld k is ^Fq, the constantc that realizes O(deg(D)) satises:

c2(4log²(q))³: (30)

16

Proof. The fact that the algorithm in Table 2 makes the reduction of D is an inmediate consequence of lemmas (5.3,5.4,5.5). The complexity in every iteration of algorithm is O(1) operations in k, hence, the total cost is O(deg(D)). Moreover, in the worst case, in lemmas (5.3,5.4,5.5) the most expensive computations are done solving linear systems of order (at most) 44. Hence, in each iteration of the algorithm we have to solve (at most) 2 linear systems of sizes (at most) 44, which give the estimate of (30).

Let's illustrate with an example the application of

Algorithm 2

^.

Example 5.7

^{Let p = 37, k =Fp and p4(x) = x4+ 2x. The L}-polynomial of C^p4 is

L(t) = 50653t⁶+ 24642t⁵+ 6660t⁴+ 1225t³+ 180t²+ 18t+ 1

and the cardinal of the group of k-rational points of the Jacobian, J^p(C^p4), of C^p4 is

#^jJ^p(C^p4)^j=^L(1) = 327793:

The group J^p(C^p4) is cyclic: the curve C^p4 has only one k-rational ane ramication point R¹ = (0 : 0 : 1) and the calss P^1;P¹], where P¹ is any other ane point, generates J^p(C^p4). Let P¹ = (5 : 29 : 1) then the explicit computation of the reduction of 7 P^1;P¹] is shown in Table 3 . Now, after lemma 4.5, (applied to D¹¹) we recover the reduced divisor

D^f =P^1f +P^2f +P^3f where

P^1f = (33²+ 6+ 10 : 5²+ 17+ 1 : 1) P^2f = (34²+ 8+ 10 : 13²+ 35+ 1 : 1) P^3f = (7²+ 23+ 10 : 19²+ 22+ 1 : 1)

andk() is an algebraic extention ofk dened by the k-irreducible polynomial z³+ 2:

17

6 Further Remarks.

6.1 Improving the Complexity

In fact the complexity estimate given in (30) is an overestimate of the real complexity by the following reasons:

1. We can make an exhaustive analysis of all the possible linear systems of equations and give explicit formulas connecting the divisors with their coordinates and the successive coordinates. This translates the problem of solving linear systems to the evaluation of some rational formulas. Moreover, since the interpolating conics vⁱ (and the uⁱ, wⁱ) are unique up constant non-zero factors then, the above mentioned formulas could be rewriten in such a way that they are polymonials in k, hence, they do not involve divisions in k. Therefore, we need only to use the arithmetic of k as ring, not as a eld, and this reduces the complexity of the algorithm.

2. In several steps of the

Algorithm 2

it jumps from D⁰ to D² (resp.

to D⁵) by solving one linear system (resp. performing only elemetary polynomial operations). Clearly, this reduces the complexity of the computations. Computer experiments show that this cases are not infrequent (specially in the case when the divisor to reduce is a multiple of a point).

3. In the special case when D = N P¹ it is possible to design especial strategies: suppose that in some intermediate step of the algorithm we obtain a divisor D² (resp. aD⁵) explicitly, i.e.D² (resp. D⁵) is the re- duction ofN¹P¹, for certainN¹ < N. Then, it is possible to substitute the original problem (i.e. to nd the reduction ofD=NP¹) by the new one of nding the reduction of a¹D²+b¹P¹ (resp. a¹D⁵+b¹P¹) , whereN =a¹N¹+b¹. IfN¹ is suciently big then, since deg(D²)3 (resp. deg(D⁵) 3) the original problem is considerablely reduced.

Proceeding recursively the complexity of computing the reduction of a large multiple of a point could be dramaticaly reduced.

The next example illustrates the discution in 3:

18

Example 6.1

(With the same notation of example 5.7) Let's compute the reduction ofD= 27793P¹, P¹ = (5 : 29 : 1). First we obtain: 35(P^1;P¹)= (P¹¹+P¹²)^;2P¹, where P¹¹= (5 : 31 : 1) and P¹² = (19 : 2 : 1), then

D= 27793(P^1;P¹)= 794(P¹¹+P¹²) + 3P^1;797P¹:

We nd that 35(P^11;P¹)= (P¹¹¹+P¹¹²)^;2P¹ and 35(P^12;P¹)= (P¹²¹ +P¹²²) ^;2 P¹, where P¹¹¹ = (19 : 20 : 1), P¹¹² = (5 : 14 : 1), P¹²¹= (19 : 20 : 1) and P¹²² = (13 : 18 : 1), then

794(P¹¹+P^12;P¹)= 22(P¹¹¹+P¹¹²+P¹²¹+P¹²²) + 24(P¹¹+P¹²)^;136P¹

and the computation of the reduction of D = 27793P¹ is simplied to the computation of the reduction of the divisor

D¹ = 22(P¹¹¹+P¹¹²+P¹²¹+P¹²²) + 24(P¹¹+P¹²) + 3P¹

which is of degree 139. Finally, the reduction of D¹ is D^f = (0 : 0 : 1).

Then, as the class D^{f ;}P¹] is a 3-torsion on J^p(C^p4), the class P^1;P¹] is a generator of J^p(C^p4) and J^p(C^p4) is a cyclic group.

6.2 Comparison with Cantor's Algorithm for Hyperel- liptic Curves

Suppose given an hyperelliptic curve (of genus three) and a Picard curve over the same ground eld k. When computing the reduction of small divisorsD both algorithms have similar complexities. The more important dierences appears in the computation of the reduction of a large divisorD(in particular in the computation of a large multiples of a point).

1. Our algorithm has less memory requirements: Cantor's algorithm (c.f.

1], 12]) associates polynomials coordinates to D, if D = M P¹ with M big, it has to operate (at least in the inicial steps) with large poyno- mials in our algorithm it is only necessary to store the point P¹ and the value M.

19

2. When computing large multiples of a point our algorithm could be faster than Cantor's algorithm: applying the tecniques mentioned in 1 and 3 of 6.1 we can lower signicantly the complexity of computing large multiples of a point. No such tecnique, is known by the authors for Cantor's algorithm in the hyperelliptic case.

In summary, we can expect that good implementation of our algorithm could be as fast as Cantor's algorithm. Additionally it has the advantage of requiring less memory storage.

6.3 Comparison with the General Algorithm of Huang and Ierardi

It is more dicult to compare our algorithm with the fairly general algorithm of Huang and Ierardi (c.f. 11]). The reasons are several:

1. The approach they follow is dierent: they solve the eective Riemann- Roch problem and then, apply this to solve the problem of the addition (reduction).

2. It is dicult (at least for us) from the paper 11] to estimate the real complexity of the algorithms they present when applied to Picard curves, for intance, it is dicult to estimate how big is the constant involved in their O(deg(D)) complexity estimate.

3. We don't know any references to eective implementation of this algo- rithm.

In spite of this diculties we can quote the following:

1. Our algorithm (as Cantor's algorithm) is completelly deterministic: it does not requiere to make probabilistic searches, hence, it has no limi- tations on the cardinality of ground eld k.

2. Our algorithm is specic for Picard curves. Consequently, it uses (and reects) special geometric features of this curves that permit us to di- minish the complexity: our algorithm handles very eciently cases in which appears collinearity of divisors, we obtained also ecient tech- niques to compute multiples of a point, etc.

20

By the above reasons one may expect that our algorithm is faster and better in the Picard curves case.

Acknowledgements

We wish to thank R.-P. Holzapfel, for his valuable comments, discussions and encouragements. Also, to G. Frey and U. Krieger for their valuable comments. This work was partially supported by a DFG grant.

Last but not least, the rst and second authors want to thank the third author for his warm hospitality during their stay at U.A.G, Guadeloupe.

References

1] Cantor, D., \Computing in the Jacobian of a hyperelliptic curve,"Math.

of Computation, 48 (1987), 95-101.

2] Estrada Sarlabous. J, \Higher dierentials on Cyclic Curves,". Math.

Nachr. 135 (1988), 311-317.

3] Estrada Sarlabous. J, \On the Jacobian Varieties of Picard Curves De- ned over Fields of Characteristic p,". Math. Nachr. 152 (1991), 329-340.

4] Estrada Sarlabous. J., \A niteness theorem for Picard curves with good reduction,". Appendix I of Ball models and some Hilbert Problems by R.-P. Holzapfel. Lectures in Mathematics. Birkh!auser-Verlag, (1995).

5] Estrada Sarlabous. J, Reinaldo Barreiro. E, Pi~neiro Barcel#o. J.A.,. \On the Jacobian Varieties of Picard curves: explicit Addition Law and Alge- braic Structure," (to appear in Math. Nachr.), Preprint Nr. 95-5 Hum- bold Univ. zu Berlin, 1995.

6] Estrada Sarlabous. J., Pi~neiro Barcel#o. J.A., \Decoding of codes in Pi- card curves,". submitted to Math. Nachricten 1997.Preprint Nr. 96-30 Humbold Univ. zu Berlin, 1996.

7] Holzapfel, R.-P., \Geometry and arithmetic around Euler partial dier- ential equations,". Dt. Ver. d. wiss., Berlin/Reidel Publ. Comp., Dor- drecht (1986).

21

8] Holzapfel, R.-P., \On the algebraic value of the Picard modular func- tion,". Proc. Special. Di .Equations, Arkata (1991).

9] Holzapfel, R.-P., \Transcendental Ball Points of Algebraic Picard Inte- grals,". Math. Nachr. 162 (1993).

10] Holzapfel, R.-P., Ball models and some Hilbert problems. Lectures in Mathematics. Birkh!auser-Verlag (1995).

11] Huang, M.-D and Ierardi, D.J., \Ecient algorithms for the eective Riemann-Roch problem and for addition in the Jacobian of a curve,".

Proc. of the twenty-rst ACM Symp. on the fundations of Computer Science, (May 1991).

12] Koblitz, N., Hyperelliptic cryptosystems, Journal of cryptology 1, pp.

139-150.

13] Mumford, D., Tata Lectures on Theta II. Jacobian theta functions and dierential equations. Progress in Math, Vol.42, Birkh!auser Verlag (1984).

Ernesto Reinaldo Barreiro Jorge Estrada Sarlabous

Department of Geometry and Combinatorics.

CEMAFIT/ICIMAF, Calle E No. 309, esquina 15, Vedado, La Habana, Cuba

Jean-Pierre Cherdieu

D#epartement de Math#ematiques et Informatique Universit#e des Antilles et de la Guyane

Campus de Fouillole, F97159 Pointe-%a-Pitre e-mails:

alejo@cidet.icmf.inf.cu matdis@cidet.icmf.inf.cu

Jean-Pierre.cherdieu@univ-ag.fr

22

Algorithm1

(receives D and returns D^f)

1-

If

deg(D)3

then

D is already reduced, set D^f :=D and go to

End

^.

else

^{take D0 D,deg(D0}) = 4 and set D=D^;D⁰:

2-Compute the interpolating conic v⁰ of D⁰.

3-Factorize R^y(v⁰ C) (resultant with respect to y) to obtain the x-coordinates of the points onsupp(D¹), usingv⁰ compute their y-coordinates.

4-Known D¹ compute the conic v¹ interpolating C at D¹ + 2P¹.

5-

If

deg(D)<4^;deg(D²)

then

^set D^f =D²+D and go to

End

^.

else

^take

E⁰ D, deg(E⁰) = 4^;deg(D²), set D³ :=D²+E⁰,D⁰ :=D³ and go to 2.

End

Return(D^f)

Table 1:

Algorithm1

: the naive one

23