1 Introduction

Arithmetic geometry lies at the intersection of number theory and algebraic geometry, and aims at unearthing connections between the arithmetic and geometric properties of algebraic varieties. Central to this field are Galois representations, that form the subject of this survey and that have proven instrumental in understanding many arithmetic properties of algebraic varieties in general and of abelian varieties in particular.

The basic idea behind Galois representations is a common theme in algebraic topology: the study of geometric objects—or, in this case, algebro-geometric objects—can be greatly facilitated by the introduction of invariants, and in particular of invariants with a vector space structure (cohomology groups). In our arithmetic setting, we will directly construct certain vector spaces which, by their very definition, carry an interesting action of a Galois group. A more sophisticated point of view shows that this somewhat ad hoc construction is in fact just another cohomology theory, the \(\ell \)-adic étale cohomology of Artin and Grothendieck.

Before introducing any formal definitions, to motivate the reader we begin with a list of several natural problems in arithmetic and geometry (some more important than others!), the solution of which depends in an essential way on the study of Galois representations.

  1. 1.

    Fermat’s ‘last theorem’, proved by Wiles [1]: all solutions to the diophantine equation

    $$\begin{aligned} x^n + y^n = z^n, \quad x, y, z, n \in \mathbb {Z}, n>2 \end{aligned}$$

    satisfy \(xyz=0\).

  2. 2.

    Mordell’s conjecture, now a theorem of Faltings [2]: let K be a number field and let C/K be a smooth projective curve of genus at least 2. The set of K-rational points of C is finite.

  3. 3.

    Artin’s conjecture on primitive roots, now a theorem of Hooley [3] under the assumption of the generalised Riemann hypothesis. Let \(n \in \mathbb {Z}\) be neither a perfect square nor \(-1\). There are infinitely many prime numbers p such that \(n \bmod p\) is a generator of the cyclic group \(\mathbb {F}_p^\times \), that is to say, the multiplicative order of \(n \bmod p\) is equal to \(p-1\).

  4. 4.

    Let X be a smooth projective curve defined over a number field K. Determine the endomorphism ring of the Jacobian of X (over K or over \(\overline{K}\)); in particular, decide whether X admits non-constant maps to elliptic curves. This problem is solved in principle as a consequence of Faltings’s results [2], and now essentiallyFootnote 1 also in practice thanks to [5,6,7].

  5. 5.

    Let S be the set of prime numbers that divide at least one element of the set \(\{2^n+1: n \in \mathbb {N}\}\). The set S admits natural density, equal to \(\frac{17}{24}\) (Hasse [8]). For every prime \(q>2\), the set of prime divisors of numbers of the form \(q^n+1\) also admits natural density, but its value is \(\frac{2}{3}\) (for all q).

  6. 6.

    Let K be a number field, A/K be an abelian variety, and \(\pi : X \rightarrow A\) be a ramified cover,Footnote 2 also defined over K. Suppose that A(K) is Zariski-dense in \(A(\overline{K})\): then, the set of points in A(K) that do not lie in \(\pi (X(K))\) is Zariski-dense in \(A(\overline{K})\) [9, 10].

Leaving aside the spectacular applications (1)–(3), which are well-known, in this survey we will sketch the proofs of (4)–(6), showing how all these results rely on a sufficiently detailed knowledge of the Galois representations attached to algebraic groups (and in particular, abelian varieties). An especially important theme will be the bigness of the images of these representations, which we will discuss in more detail in Sect. 7.

2 Motivation: Hasse’s result on prime divisors of \(2^n+1\)

To motivate the introduction of Galois representations, we sketch a (modern) proof of a theorem of Hasse. Before stating this result, we recall that the natural density of a set S of primes is defined as the limit

$$\begin{aligned} {\text {Dens}}(S) = \lim _{T \rightarrow \infty } \frac{\#\{p \in S: p \le T \}}{\#\{p: p \text { prime}, p \le T\}}, \end{aligned}$$

provided that the limit exists.

Theorem 1

(Hasse [8]) Let S be the set of prime numbers that divide at least one element of the set \(\{2^n+1: n \in \mathbb {N}\}\). The set S admits natural density, equal to \(\frac{17}{24}\).

Fix an odd prime p. It is immediate to see that there exists \(n \in \mathbb {N}\) such that \(p \mid 2^n+1\) if and only if the multiplicative order k of 2 modulo p is even: indeed, if k is even, then \(n=k/2\) will do, and otherwise the congruence \(2^n \equiv -1 \pmod {p}\) has no solution. Thus, we want to understand whether or not the multiplicative order of 2 modulo p is odd. Equivalently, we want to know if \(G=\langle 2 \rangle \subseteq \mathbb {F}_p^\times \) is a group of odd order.

A simple but crucial observation is that a finite abelian group G (denoted multiplicatively) has odd order if and only if for every element \(g \in G\) there exists \(g' \in G\) such that \(g=(g')^2\). Equivalently, since in our case \(G=\langle 2 \rangle \) is cyclic, we see that G has odd order if and only if G contains a square root of 2. Since we do not know exactly what G is, the following reformulation is easier to handle: 2 is a square in G if and only if for every \(k \ge 1\) there exists \(g_k \in \mathbb {F}_p^\times \) such that \(g_k^{2^k}=2\) (suppose that \(2^k\) is the maximal power of 2 that divides \([\mathbb {F}_p^\times :G]\). Then \(g_{k+1}^{2^k}\) is in G, and is a square root of 2). When the \(g_k\) do exist, we can even arrange for them to satisfy \(g_k^{2^j} = g_{k-j}\) for all \(k \ge j \ge 0\). So we see that our original question is equivalent to the following (the wording of which we will clarify in a moment):

$$\begin{aligned}{} & {} { Consider}, \,{ for}\,{ every}\, k \ge 1,\,{ all}\,{ solutions}\, { in}\, \overline{\mathbb {Q}}\,{ of}\, { the}\, { equation}\, x^{2^k} = 2.\, \\{} & {} \quad { Determine}\, { the}\,{ (density}\,{ of)}\, { primes}\, p\, { such}\, { that},\, { for}\, { every}\, k\ge 1,\, \\{} & {} \quad { at}\, { least}\, { one}\, { of}\, { these}\, { solutions}\, `{} { is}\, { defined}\,{ modulo}\, p'. \end{aligned}$$

To make the last condition more precise, note that each solution \(\beta _{2^k} \in \overline{\mathbb {Q}}\) of \(x^{2^k}=2\) lies in a finite extension \(L_k\) of \(\mathbb {Q}\) and is an algebraic integer. It is therefore an element of the ring of integers \(\mathcal {O}_{L_k}\), and we can ‘reduce it modulo p’ by considering all quotients \(\mathcal {O}_{L_k}/\mathfrak {p}\) that are finite fields of characteristic p (equivalently, \(\mathfrak {p}\) is a prime ideal of \(\mathcal {O}_{L_k}\) that contains p). The condition we are interested in is that at least one such quotient is isomorphic to \(\mathbb {F}_p\), and not to one of its extensions. This would ensure that one can make sense of \(\beta _{2^k}\) as an element of the finite field \(\mathbb {F}_p\).

Algebraic number theory is well-equipped to deal with such questions: first of all, one notices that the field extension \(\mathbb {Q}_{2^k, 2}\) of \(\mathbb {Q}\) obtained by adding all roots of the polynomial \(x^{2^k}-2\) is a Galois extension. Secondly, the splitting behaviourFootnote 3 of primes in \(\mathbb {Q}_{2^k, 2}\) is governed by Frobenius elementsFootnote 4, special elements of the Galois group of \(\mathbb {Q}_{2^k, 2}\) over \(\mathbb {Q}\). Finally, elementary considerations about the roots of \(x^{2^k}-2\) show that \(\mathbb {Q}_{2^k,2}\) contains the cyclotomic field \(\mathbb {Q}(\zeta _{2^k})\). The situation thus looks as in Fig. 1, where we denote by \(H_{2^k}, V_{2^k}\) and \(G_{2^k}\) the Galois groups of the various Galois extensions that appear in the diagram.

Fig. 1
figure 1

The Kummer extensions generated by the 2-power roots of 2

Full size image

To motivate the generalisation that we will describe in the next section, we make two fundamental remarks:

  1. 1.

    Consider the algebraic group \(\mathbb {G}_{m, \mathbb {Q}}\), or—almost equivalently—the abstract group \(\overline{\mathbb {Q}}^\times \) (which in the present context should be thought of as the group of geometric points of \(\mathbb {G}_{m, \mathbb {Q}}\)). The intermediate field \(\mathbb {Q}(\zeta _{2^k})\) is generated by the subgroup of torsion points in \(\overline{\mathbb {Q}}^\times \) of order dividing \(2^k\). The larger field \(\mathbb {Q}_{2^k, 2}\) is generated by the ‘division points of 2 of order \(2^k\)’, that is to say, the solutions \(\beta _{2^k}\) of the equation \(x^{2^k}=2\) in \(\overline{\mathbb {Q}}^\times \).

  2. 2.

    With reference to Fig. 1, an element in the Galois group \(H_{2^k}\) is completely determined by its action on the torsion points of \(\overline{\mathbb {Q}}^\times \) of order dividing \(2^k\) (that is, the roots of unity of order dividing \(2^k\)). These points form a cyclic group of order \(2^k\). Thus, there is a canonical (injective) representation

    $$\begin{aligned} H_{2^k} \rightarrow {\text {Aut}} \langle \zeta _{2^k} \rangle \cong (\mathbb {Z}/2^k\mathbb {Z})^\times \end{aligned}$$

    that identifies \(H_{2^k}\) with a subgroup of \((\mathbb {Z}/2^k\mathbb {Z})^\times \).

    Similarly, an element \(\sigma \) of \(V_{2^k}\) is completely determined by its action on a fixed \(2^k\)-th root \(\beta _{2^k}\) of 2, and one has

    $$\begin{aligned} \sigma (\beta _{2^k})/\beta _{2^k} \in \langle \zeta _{2^k} \rangle \cong \mathbb {Z}/2^k\mathbb {Z}: \end{aligned}$$

    we then have an injective representation

    $$\begin{aligned} V_{2^k} \rightarrow \langle \zeta _{2^k} \rangle \end{aligned}$$

    sending \(\sigma \) to \(\sigma (\beta _{2^k})/\beta _{2^k}\). The two representations can also be combined into an injective representation

    $$\begin{aligned} G_{2^k} \rightarrow \langle \zeta _{2^k} \rangle \rtimes {\text {Aut}} \langle \zeta _{2^k} \rangle . \end{aligned}$$

One can pass to the limit in k in these constructions: the field \(\mathbb {Q}(\zeta _{2^k}, 2^{1/2^k}: k \in \mathbb {N})\) is an infinite Galois extension of \(\mathbb {Q}\), whose Galois group \(G_{2^\infty }\) embeds inside

$$\begin{aligned} \mu _{2^\infty } \rtimes {\text {Aut}} \mu _{2^\infty } \cong \mathbb {Z}_2 \rtimes \mathbb {Z}_2^\times \end{aligned}$$

via a representation that we call simply \(\rho \). Here \(\mu _{2^\infty }\) is the group of all roots of unity of 2-power order. Using some elementary algebraic number theory one can now show that, for an odd prime p, the following are equivalent:

  1. 1.

    the residue class of 2 has odd order in the multiplicative group \(\mathbb {F}_p^\times \);

  2. 2.

    the equation \(x^{2^h} = 2\) has a solution in \(\mathbb {F}_p^\times \) for every \(h \ge 1\);

  3. 3.

    for every \(h \ge 1\), there is a \(2^h\)-th root of 2 in \(\mathbb {Q}(\zeta _{2^k}, 2^{1/2^k}: k \in \mathbb {N})\) that is fixed by the Frobenius element \({\text {Frob}}_p \in {\text {Gal}}\left( \mathbb {Q}(\zeta _{2^k}, 2^{1/2^k}: k \in \mathbb {N}) / \mathbb {Q} \right) \) corresponding to p (or, more precisely, to any prime \(\mathfrak {p}\) of the ring of integers \(\mathcal {O}\) of \(\mathbb {Q}(\zeta _{2^k}, 2^{1/2^k}: k \in \mathbb {N})\) lying over p);

  4. 4.

    writing \(\rho ({\text {Frob}}_p)=(t, \alpha )\), with \(t \in \mathbb {Z}_2\) and \(\alpha \in \mathbb {Z}_2^\times \), the 2-adic valuation of t is at least the 2-adic valuation of \(\alpha -1\).

We have already discussed the equivalence between (1) and (2). We now recall that an element \(y \in \overline{\mathbb {F}_p}\) lies in \(\mathbb {F}_p\) if and only if \({\text {Frob}}(y)=y\), where now we denote by \({\text {Frob}}\) the Frobenius automorphism \(x \mapsto x^p\) of \(\overline{\mathbb {F}_p}\). Moreover, Hensel’s lemma shows that reduction modulo \(\mathfrak {p}\) gives a bijection between solutions to \(x^{2^k}=2\) in \(\overline{\mathbb {F}_p}\) and solutions in \(\mathcal {O}\). Finally, by definition we have \(({\text {Frob}}_p x) \bmod \mathfrak {p} = {\text {Frob}}(x \bmod \mathfrak {p})\) for all \(x \in \mathcal {O}\). Combining these ingredients, one obtains easily the equivalence of (2) and (3). The equivalence between (3) and (4) is simple group theory, and we will not give details here.

At this point, one can invoke Chebotarev’s theorem: Frobenius elements are equidistributed in \(G_{2^\infty }\), so the ‘probability’Footnote 5 that a prime p satisfies conditions (1)–(4) above is given by the Haar measureFootnote 6 in \(\rho (G_{2^\infty })\) of the set of pairs \((t, \alpha )\) with \(v_2(\alpha -1) \le v_2(t)\).

It is now purely a matter of calculation to establish that this density is equal to 7/24, which concludes the proof of Hasse’s theorem. Notice however that the final calculation requires one to understand precisely the group \(G_{2^\infty }\).

We conclude this section with a few remarks:

  1. 1.

    The calculation in question is greatly simplified by the fact that \(G_{2^\infty }\) is an open subgroup of \(\mathbb {Z}_2 \rtimes \mathbb {Z}_2^\times \). This is related to the idea that the images of Galois representations tend to be big (namely, as large as possible, up to finite index).

  2. 2.

    Replacing 2 by 3 (or more generally any odd prime) in the above discussion changes very little, except for the fact that the group \(G_{3^\infty }\) is equal to \(\mathbb {Z}_3 \rtimes \mathbb {Z}_3^\times \), while \(G_{2^\infty }\) is a (finite-index) proper subgroup of \(\mathbb {Z}_2 \rtimes \mathbb {Z}_2^\times \). This is due to the fact that \(\sqrt{2}\), which is a 2-division point of 2, already belongs to the cyclotomic extension \(\mathbb {Q}(\mu _{2^\infty })\), while the extensions \(\mathbb {Q}(\mu _{2^\infty })\) and \(\mathbb {Q}(3^{1/2^k}: k \in \mathbb {N})\) are linearly disjoint. This difference explains the different values of the densities of the sets

    $$\begin{aligned} S_2 = \{ p: \exists n \text { such that } p \mid 2^n+1 \} \quad \text { and } \quad S_3 = \{ p: \exists n \text { such that } p \mid 3^n+1 \}, \end{aligned}$$

    for which one finds

    $$\begin{aligned} {\text {Dens}}(S_2) = \frac{17}{24} \quad \text { and } \quad {\text {Dens}}(S_3) = \frac{2}{3} = \frac{16}{24}. \end{aligned}$$
    (1)

    See below the first comment after Theorem 3 for a sketch of the computation of \({\text {Dens}}(S_3)\).

Remark 1

The fact that the relative extension \(\mathbb {Q}(\zeta _8, 2^{1/8}) / \mathbb {Q}(\zeta _8)\) has degree 4 instead of the ‘expected’ 8 is thus crucially important to the arithmetic of this problem. In general, one expects the inclusion \(V_{2^n} \subseteq \mathbb {Z}/2^n\mathbb {Z}\) to be an equality, and interesting phenomena happen when this is not the case. We will return to this point several times.

3 Torsion and division fields

The fields \(\mathbb {Q}(\zeta _{2^k})\) and \(\mathbb {Q}(\zeta _{2^k}, 2^{1/2^k})\) considered in the previous section are special instances of torsion fields and division fields of algebraic groups, respectively. We now define these notions in general and introduce some closely related Galois representations.

Let K be a number field with absolute Galois group \(\Gamma _K:= {\text {Gal}}(\overline{K}/K)\). Let A be a connected, commutative algebraic group over K (the main examples to keep in mind are the multiplicative group—whose geometric points correspond to \(\overline{K}^\times \)—and abelian varieties). We use the additive notation for the group operation on A. Fix moreover a point \(P \in A(K)\)—usually, but not necessarily, of infinite order. For every positive integer n we define:

  1. 1.

    the torsion representation

    $$\begin{aligned} \rho _{A, n}: \Gamma _K \rightarrow {\text {Aut}} A[n], \end{aligned}$$

    given by the natural action on the n-torsion points \(A[n]:= \{ P \in A(\overline{K}) \bigm \vert nP=0 \}\). The subfield K(A[n]) of \(\overline{K}\) corresponding to \(\ker \rho _{A, n}\) under Galois theory is called the n-th torsion field of A: it is the unique minimal extension of K over which all the geometric n-torsion points of A are defined. Concretely, this means that the n-torsion subgroups of A(K(A[n])) and of \(A(\overline{K})\) are equal, and that K(A[n]) is minimal for this property.

    We also note that our assumptions on A and K imply that there exists an integer b such that \(A[n] \cong (\mathbb {Z}/n\mathbb {Z})^{b}\) for all positive integers n (this b is the first Betti number of the complex manifold \(A(\mathbb {C})\); in particular, it is equal to 1 for the multiplicative group, and to \(2 \dim A\) if A is an abelian variety).

  2. 2.

    the Kummer representation

    $$\begin{aligned} \kappa _{A, P, n}: {\text {Gal}}(\overline{K}/K(A[n])) \rightarrow A[n], \end{aligned}$$

    sending \(\sigma \) to \(\sigma (P_n)-P_n\), where \(P_n\) is any point in \(A(\overline{K})\) such that \(n P_n = P\). One checks easily that this definition is independent of the choice of \(P_n\). The subfield \(K_{n, P}:= K(A[n], \frac{1}{n}P)\) of \(\overline{K}\) corresponding to \(\ker \kappa _{A, P, n}\) under Galois theory is called the n-th division field of P: it is the unique smallest extension of K over which all the solutions to the equation \(nx = P\) are defined.

  3. 3.

    the arboreal representation, which combines the above into a homomorphism

    $$\begin{aligned} \Gamma _K \rightarrow A[n] \rtimes {\text {Aut}} A[n]. \end{aligned}$$

The torsion and division fields fit into a diagram very similar to Fig. 1

figure a

where the Galois groups \(H_n, V_n\) and \(G_n\) are respectively isomorphic to the images of \(\rho _{A, n}\), \(\kappa _{A, P, n}\), and the arboreal representation.

Remark 2

It is easy to show that \(V_n \subseteq A[n]\) is a module over the group ring \(\displaystyle \frac{\mathbb {Z}}{n\mathbb {Z}}[H_n]\). This is a crucial ingredient in many arguments that involve \(V_n\).

Taking \(n=\ell ^k\), all these constructions pass to the limit in k, giving rise to the so-called \(\ell \)-adic representations attached to A and P. For example, the \(\ell \)-adic torsion representation is a morphism

$$\begin{aligned} \rho _{A, \ell ^\infty }: \Gamma _K \rightarrow {\text {Aut}}( \varprojlim _n A[\ell ^n]) \cong {\text {GL}}_{b}(\mathbb {Z}_\ell ), \end{aligned}$$

where—as above—the integer b is such that \(A[n] \cong (\mathbb {Z}/n\mathbb {Z})^b\) for all \(n \ge 1\). The inverse limit \(\varprojlim _n A[\ell ^n] =: T_\ell (A)\) is called the Tate module of A. It is important to notice that the image of the \(\ell \)-adic representations consists of automorphisms of a free \(\mathbb {Z}_\ell \)-module. In particular, independently of the choice of the isomorphism \({\text {Aut}}( \varprojlim _n A[\ell ^n]) \cong {\text {GL}}_{b}(\mathbb {Z}_\ell )\), it makes sense to consider the characteristic polynomial of \(\rho _{A, \ell ^\infty }(\sigma )\) for \(\sigma \in \Gamma _K\). This is a priori a monic polynomial of degree b with coefficients in \(\mathbb {Z}_\ell \). In many important instances, it turns out that this polynomial actually has integer coefficients, see Theorem 6 below.

Remark 3

The \(\ell \)-adic torsion representation attached to A can be more succinctly defined as (the dual of) the first étale cohomology group \(H^1_{\acute{\text {e}}\text {t}}(A_{\overline{K}}, \mathbb {Z}_\ell )\). This approach gives a more geometric view of these representations.

The general philosophy that underlies much of the work described in the rest of this paper is that the images \(H_n\) and \(V_n\) of these Galois representations should be as large as they can be, up to finite index, once one takes into account the ‘obvious’ geometric restrictions. Making this precise for the group \(H_n\) requires a certain effort and leads to the Mumford–Tate conjecture [4], which we do not want to state in detail here. For the case of \(V_n\), the situation is easier to describe. In particular, we have the following theorem, originally due to Ribet [11] for the case when n is a prime number and later extended by Bertrand [12] and Hindry [13] to arbitrary n.

Theorem 2

(Ribet, Bertrand, Hindry) Let K be a number field and let A/K be the product of an abelian variety and an algebraic torus. Let \(\alpha \in A(K)\) be a rational point. Suppose that the set \(\{ n\alpha : n \in \mathbb {Z}\}\) is Zariski-dense in \(A(\overline{K})\). There exists a positive integer \(B=B(A/K, \alpha )\) such that, for all \(n \ge 1\), the index \([A[n]: V_n]\) divides \(B(A/K, \alpha )\). In particular, the inequality

$$\begin{aligned} \# V_n \ge \frac{1}{B(A/K, \alpha )} \#A[n] \end{aligned}$$

holds for all \(n \ge 1\).

Remark 4

As we have seen in Remark 1, interesting arithmetic phenomena arise when \(V_n \subsetneq A[n]\), so one would like to understand as precisely as possible the set of n for which \(V_n \ne A[n]\). Since the index \([A[n]: V_n]\) is divisible only by primes that appear in n, Theorem 2 shows that we have \(V_n = A[n]\) whenever \((n, B(A/K, \alpha ))=1\). However, a major drawback of Theorem 2 is its ineffectivity: the proof does not give any indication of how to compute, or even bound, the integer \(B(A/K, \alpha )\).

In the next few sections we describe some more recent results in which Galois representations feature prominently, either as the object of study or as a fundamental tool for the proofs. In particular, we will describe some cases for which Theorem 2 can be made effective (Sect. 4), and also explain in some examples what it means for \(H_n\) to be as large as possible, up to the restrictions imposed by the geometry of A (see Sect. 7).

4 Application I: Kummer theory for algebraic groups

We begin by describing extensions of Theorem 1. As we have seen, that result can be phrased as follows: we take the rational point \(\alpha = 2 \in \mathbb {Q}^\times = \mathbb {G}_m(\mathbb {Q})\) and consider, for (almost) every prime p, the reduction \(\alpha _p = (2 \bmod p)\) in \(\mathbb {G}_m(\mathbb {F}_p)=\mathbb {F}_p^\times \). Note that the reduction \(\alpha _p\) makes sense as an element of \(\mathbb {F}_p^\times \) for all but finitely many primes p—in this case, the only ‘bad’ prime is \(p=2\). Hasse’s theorem is then the statement that the set of primes p for which \(\alpha _p\) has odd order is 7/24. We can then ask the following more general question: fix an algebraic group A over \(\mathbb {Q}\), a point \(\alpha \in A(\mathbb {Q})\), and an auxiliary prime \(\ell \). The reductions \(\alpha \bmod p \in A(\mathbb {F}_p)\) make sense for all but finitely many primes p. We can then define

$$\begin{aligned} {\text {Dens}}_{\ell , \alpha }:= {\text {Dens}} \left\{ p: \ell \not \mid {\text {ord}}(\alpha \bmod p) \right\} . \end{aligned}$$

The first result we mention describes \({\text {Dens}}_{\ell , \alpha }\) for a large class of groups A:

Theorem 3

(Lombardo–Perucca [14]) With notation as above, suppose that A is the product of an abelian variety and an algebraic torus. Assume that the set \(\{n\alpha : n \in \mathbb {Z}\}\) is Zariski-dense in \(A(\overline{\mathbb {Q}})\). The following hold:

  1. 1.

    There is an explicit formula expressing \({\text {Dens}}_{\ell , \alpha }\) as an \(\ell \)-adic integral.

  2. 2.

    Rationality: the density \({\text {Dens}}_{\ell , \alpha }\) is a rational number.

  3. 3.

    Universality of denominators: for every positive integer g there is a polynomial \(p_g(t) \in \mathbb {Z}[t]\) such that for all \(A/\mathbb {Q}\) of dimension g that are products of abelian varieties and tori and for all points \(\alpha \in A(\mathbb {Q})\) one has

    $$\begin{aligned} {\text {Dens}}_{\ell , \alpha } \cdot p_g(\ell ) \in \mathbb {Z}[1/\ell ]. \end{aligned}$$

Several remarks are in order:

  • In part (1) of the theorem, the relevant \(\ell \)-adic integral is taken over the image \(G_{\ell ^\infty }\) of the \(\ell \)-adic Galois representation of A, seen as an \(\ell \)-adic manifold (see [15, §7.4] for an introduction to the relevant theory). The real-valued function f to be integrated is locally constant, and the \(\ell \)-adic integral in question can be written as the series

    $$\begin{aligned} \sum _v \mu _{G_{\ell ^\infty }}(\{f(x)=v\}) \cdot v, \end{aligned}$$

    where v ranges over the image of f and \(\mu _{G_{\ell ^\infty }}\) is the normalised Haar measure of the compact group \(G_{\ell ^\infty }\). For example, in the simplest case of \(A=\mathbb {G}_m\), \(\ell =2\) and \(\alpha =q\) (a prime different from 2), the integral to be computed is

    $$\begin{aligned} \begin{aligned} \int _{\mathbb {Z}_2^\times } |x-1|_{2}&= \sum _{n \ge 0} \mu _{\mathbb {Z}_2^\times }(\{x \in \mathbb {Z}_2^\times :|x-1|_2 = 2^{-n}\}) \cdot 2^{-n} \\&= \sum _{n \ge 1} 2^{-n} \cdot 2^{-n} = \frac{1}{3}. \end{aligned} \end{aligned}$$

    Here \(\mathbb {Z}_2^\times \) is (isomorphic to) the Galois group over \(\mathbb {Q}\) of the 2-adic division field \(\mathbb {Q}(\zeta _{2^k}: k \ge 1)\) associated with \(\mathbb {G}_m\). The result is \({\text {Dens}}_{2,q}\), that is, the density of primes p for which 2 does not divide the order of q modulo p. As discussed right after the statement of Theorem 1, such primes form the complement of the set of primes p for which there exists \(n \ge 1\) such that \(p \mid q^n+1\). Thus, the calculation just sketched is essentially what gives the value \({\text {Dens}}(S_3) = \frac{2}{3} = 1- \frac{1}{3}\) of Eq. (1).

  • This result generalises to algebraic groups over number fields and we have chosen to state this version purely to simplify the notation.

  • The assumption that \(\{n\alpha : n \in \mathbb {Z}\}\) is Zariski-dense is essentially harmless, since one can always replace A with the Zariski closure Z of \(\{n\alpha : n \in \mathbb {Z}\}\). The only substantial requirement is that Z be connected.

  • Prior to this result, the rationality of \({\text {Dens}}_{\ell , \alpha }\) was only known in those cases when its value could be computed exactly.

  • Theorem 3 generalises results by Jones–Rouse [16], who had given an explicit expression for \({\text {Dens}}_{\ell , \alpha }\) under a strong genericity assumption on \(\alpha \).

  • Part (3) of the statement can be read as follows: since \({\text {Dens}}_{\ell , \alpha }\) is a rational number in [0, 1], its ‘arithmetic complexity’ (technically: its height) is given by its denominator. The theorem shows that this denominator is, up to an unbounded power of \(\ell \), given by the value at \(\ell \) of a universal polynomial \(p_g(t)\).

Example 1

A polynomial \(p_1(t)\) satisfying the conclusion of part (3) of the theorem for \(g=1\) can be computed explicitly: one can take

$$\begin{aligned} p_1(t) = (t - 1)(t^2 - 1)^2(t^4 - 1)(t^6 - 1). \end{aligned}$$

Improvements are possible if one knows more about the algebraic group in question: for example, if A is an elliptic curve without complex multiplication, it suffices to take \( p_1(t) = (t - 1)(t^2 - 1)^2(t^6 - 1). \)

Example 2

In the case of dimension 1 (that is, when A is either a torus or an elliptic curve) the results of [14, 17] allow us to explicitly compute \({\text {Dens}}_{\ell , \alpha }\). For example,

  1. 1.

    if A is the elliptic curve \(y^2+y = x^3+6x+27\), \(\alpha \) is the point of infinite order (5, 13), and \(\ell =3\), one can compute that \({\text {Dens}}_{\ell , \alpha } = \frac{23}{104}\). Notice that the denominator 104 does cancel out with \(p_1(3)\), which includes a factor of \(3^6-1 = 7 \cdot 104\).

  2. 2.

    if A is the elliptic curve \(y^2 +y = x^3 +7140\), the point \(\alpha \) is (56, 427), and \(\ell =13\), one has \({\text {Dens}}_{\ell , \alpha }=1-\frac{36270}{(13-1)(13^2-1)}\). As expected, the denominator is again a divisor of \(p_1(13)\).

Both these examples are not covered by the work of Jones and Rouse [16].

When suitably interpreted, these results can also lead to non-linear generalisations of Hasse’s theorem, in the following sense. The numbers \(a_n = 2^n+1\) are the values of the linear recurrence

$$\begin{aligned} {\left\{ \begin{array}{ll} a_0 = 2 \\ a_1 = 3 \\ a_{n+1} = 3a_n - 2a_{n-1}. \end{array}\right. } \end{aligned}$$

One can also consider non-linear integer recurrences, such as the Somos 4-sequence:

$$\begin{aligned} {\left\{ \begin{array}{ll} a_0=a_1=a_2=a_3=1 \\ a_{n+1} = \frac{a_na_{n-2} + a_{n-1}^2}{a_{n-3}} \quad n \ge 3. \end{array}\right. } \end{aligned}$$

By interpreting \(a_n\) in terms of denominators of points on the elliptic curve \(y^2+y=x^3-x\), Jones and Rouse [16, Corollary 1.2] have shown that

$$\begin{aligned} {\text {Dens}}\left\{ p \text { prime}: p \mid a_n \text { for some }n \ge 0 \right\} = \frac{11}{21}. \end{aligned}$$

Many more similar examples can be constructed.

As mentioned in Remarks 1 and 4, one would like to know how often \(V_n\) is a proper subgroup of A[n], and more generally how large the index \([A[n]: V_n]\) can be. The case of the multiplicative group \(\mathbb {G}_m\) has been much studied by Perucca and her collaborators [18,19,20,21]. For the case of elliptic curves, we have the following result, whose second part is particularly strong, since it gives not just effectivity, but even uniformity over the family of all elliptic curves over \(\mathbb {Q}\):

Theorem 4

(Lombardo–Tronto [22, 23]) Let E be an elliptic curve over a number field K and let \(\alpha \in E(K)\) be a point of infinite order.

  1. 1.

    An integer \(B(E/K, \alpha )\) as in Theorem 2 is effectively computable.

  2. 2.

    Let E be defined over \(\mathbb {Q}\). Suppose that \(\alpha \) is a primitive point, that is, a point whose class in \(E(\mathbb {Q}) / E(\mathbb {Q})_{{\text {tors}}} \cong \mathbb {Z}^r\) is not divisible by any integer \(k>1\). For all \(n \ge 1\) we have

    $$\begin{aligned} {[}E[n]: V_n] \mid b, \end{aligned}$$

    where b is the universal constant

    $$\begin{aligned} b = 2^{28} \cdot 3^{18} \cdot 5^8 \cdot 7^7 \cdot 11^5 \cdot (13 \cdot 17 \cdot 19 \cdot 37 \cdot 43 \cdot 67 \cdot 163). \end{aligned}$$

Remark 5

We do not know if the constant b appearing in the second half of the statement is optimal. However, [23] shows that the optimal value of b must be divisible by each of the primes 2, 3, 5, 7, 11, 13, 17, 19, 37, 43, 67, 163. Thus, at most the exponents strictly greater than 1 can be improved.

The bulk of the proof of Theorem 4 concerns the action of \(H_n\) on \(V_n\) (see Remark 2). The arguments would be easy if one had a positive answer to Serre’s uniformity question [24], namely the question of whether the equality \(H_p = {\text {GL}}_2(\mathbb {Z}/p\mathbb {Z})\) holds for every non-CM elliptic curve \(E/\mathbb {Q}\) and every prime \(p>37\) (progress on this question has been made in [25,26,27]; for the state of the art, see [28]). It is striking that—even though we still don’t have an answer to Serre’s question—we know enough about the groups \(H_n\) to obtain a completely uniform statement like Theorem 4 (2).

5 Application II: ramified covers of abelian varieties

In this section we describe an application of Kummer representations that is fully in the spirit of diophantine geometry, namely we describe how to use it to obtain information about the geometric distribution of rational points on certain varieties of general type.Footnote 7.

We will mostly be interested in questions of Zariski density: given a variety X over a field K, one says that a set \(S \subseteq X(K)\) is Zariski-dense in X if \(S \subseteq X(\overline{K})\) is dense for the classical Zariski topology on \(X(\overline{K})\) (in the special cases we consider here, this is equivalent to a more general scheme-theoretic notion of Zariski density).

Let X be a smooth variety over a number field K. When X is of general type, one expects (for example, on the basis of certain far-reaching conjectures of Lang) that X should have ‘few’ rational points—precisely, that the set X(K) should not be Zariski-dense in X. In the setting of higher-dimensional varieties, however, there are very few results on the ‘scarcity’ of rational points. As a special class of varieties of general type, one can consider ramified covers \(\pi : X \rightarrow A\), where A is an abelian variety over a number field K (see [29]). This is in some sense the simplest case for which the predicted Zariski non-density of rational points is still open.

When A(K) is not Zariski-dense in A, then certainly X(K) (which maps to A(K)) is also not Zariski-dense in X, so the interesting case to consider is when A(K) is Zariski-dense. In this situation, we can show that many rational points on A do not lift to points in X(K)—that is to say, \(\pi (X(K))\) is much smaller than A(K), which gives some indication for the scarcity of rational points on X:

Theorem 5

(Corvaja, Demeio, Javanpeykar, Lombardo, Zannier [10]) Let \(\pi : X \rightarrow A\) be a ramified coverFootnote 8, where A is an abelian variety over a number field K. Assume that A(K) is Zariski-dense in A. There is a finite-index coset of A(K) that does not intersect \(\pi (X(K))\).

We note that this theorem can be recast as a version of Hilbert’s irreducibility theorem over a base that is an abelian variety instead of a rational variety; we do not pursue this here. We also point out that, if \(\pi : X \rightarrow A\) is an unramified (=étale) cover and X has at least one K-rational point, then X is itself an abelian variety, and can easily have a Zariski-dense set of K-rational points, so the assumption that \(\pi \) is ramified is necessary.

The proof of the above theorem relies on the following idea. Fix a finite extension L/K and a prime \(\mathfrak {p}\) of the ring of integers \(\mathcal {O}_L\) at which A and X have good reduction; suppose for simplicity that X is projective. There are well-defined mod-\(\mathfrak {p}\) reduction maps \(A(L) \rightarrow A(\mathcal {O}_L/\mathfrak {p})\) and \(X(L) \rightarrow X(\mathcal {O}_L/\mathfrak {p})\). Working over finite fields, it is not very hard to show that many points in \(A(\mathcal {O}_L/\mathfrak {p})\) do not lift to \(X(\mathcal {O}_L/\mathfrak {p})\). Fix such a point T that does not lift. Let Q be any point in A(K) whose reduction modulo \(\mathfrak {p}\) coincides with T: such points cannot be in the image \(\pi (X(K))\), as follows easily from inspection of the following diagram.

Indeed, if \(Q = \pi (R)\) for some \(R \in X(K)\), then \(T = {\text {red}}_\mathfrak {p}(Q)={\text {red}}_\mathfrak {p}(\pi (R))=\pi ({\text {red}}_{\mathfrak {p}}(R))\), which contradicts the definition of T.

The proof of Theorem 5 consists of two main steps:

  1. 1.

    reduce to the case where A is geometrically simple, hence the multiples of any point \(P \in A(K)\) of infinite order are Zariski-dense in A;

  2. 2.

    show that (for suitably chosen T and P) there are many integer multiples of P whose reduction modulo \(\mathfrak {p}\) coincides with T—by the above argument, such points do not lie in \(\pi (X(K))\).

The fundamental tool to understand the reduction modulo \(\mathfrak {p}\) of P, as was the case with Hasse’s result in Sect. 2, is the study of the Kummer representations attached to A/L and P, and in particular, the fact that the image of the Kummer map \(\kappa _{A/L, n}\) is equal to A[n] for sufficiently many integers n (see Remark 4).

6 Application III: endomorphism rings of Jacobians

Our final application is almost purely geometric in nature. Let C be a (smooth projective) curve defined over a number field K. Attached to C is its Jacobian variety \({\text {Jac}}(C)\), an abelian variety defined over K. The precise definition of \({\text {Jac}}(C)\) is a bit subtle, but when C possesses a K-rational point b, it can be defined via a simple universal property: there is an embedding of C into its Jacobian that sends b to \(0 \in {\text {Jac}}(C)\), and this embedding is initial among all maps from C to abelian varieties that send b to the zero element.

The endomorphism rings of \({\text {Jac}}(C)\) and \({\text {Jac}}(C_{\overline{K}})\) are interesting invariants that capture some of the geometry of C (in particular, all the correspondences between C and other curves), and one would like to compute them algorithmically. This has many applications, e.g., to the determination of rational points, or even to the computation of integrals (the latter is related to the theory of 1-periods).

For the sake of definiteness, we will use as example the question of determining whether there exist any maps from C to a curve of genus 1 (defined over K or over \(\overline{K}\)). This is a small part of the problem of determining the ring \({\text {End}}({\text {Jac}}(C))\), respectively \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\). We now discuss how Galois representations help us answer this question, and easily allow us to distinguish between the hyperelliptic curves

$$\begin{aligned} C_1 : y^2=4x^6 + 12x^5 + 9x^4 + 30x^3 + 45x^2 + 57 \end{aligned}$$
(2)

and

$$\begin{aligned} C_2: \, y^2=4x^6 + 12x^5 + 9x^4 + 30x^3 + 45x^2 + 56. \end{aligned}$$

Here \(C_1\) admits no non-constant maps to genus-1 curves (even over \(\mathbb {C}\)), whereas \(C_2\) admits a degree-7 morphism to the elliptic curve

$$\begin{aligned} E_{54.a2}: z^2 = w^3 - 51w + 142 \end{aligned}$$

defined over \(\mathbb {Q}\).

Remark 6

Even knowing that there is a morphism \(C_2 \rightarrow E_{54.a2}\) doesn’t necessarily make it easy to find it! Explicit equations are as follows:

$$\begin{aligned} w(x)= & {} \frac{1-78x+ 72x^2 - 102x^3 +36x^4 - 12x^5 - 7x^6 +6x^7 }{(1-x+x^2)^2(7+3x^2+2x^3)}\\ z(x,y)= & {} \frac{4 (8+3 x^2+2 x^3) (-19+18 x-12 x^2+13 x^3+9 x^4+12 x^5+4 x^6+9 x^7+2 x^9)}{(1-x+x^2)^3 (7+3 x^2+2 x^3) (56+45 x^2+30 x^3+9 x^4+12 x^5+4 x^6)}y. \end{aligned}$$

We now describe the ingredients that go into showing that \(C_1\) does not admit any map to a curve of genus 1. The basic idea is that, given a morphism of curves \(f: C \rightarrow C'\) defined over K, one has an induced map \({\text {Jac}}(C) \rightarrow {\text {Jac}}(C')\) (this follows easily from the universal property of Jacobians). The general theory of abelian varieties provides a dual map \({\text {Jac}}(C') \rightarrow {\text {Jac}}(C)\), which sends the \(\ell \)-power torsion of \({\text {Jac}}(C')\) to the \(\ell \)-power torsion of \({\text {Jac}}(C)\), thus inducing a non-trivial homomorphism between the \(\ell \)-adic torsion representations attached to \({\text {Jac}}(C')\) and \({\text {Jac}}(C)\) respectively. It is easy to see that this construction gives an embedding \(f^*\) of the \(\ell \)-adic Tate module \(T_\ell {\text {Jac}}(C')\) into \(T_\ell {\text {Jac}}(C)\), in a way that is compatible with the action of \(\Gamma _K\) (as in the previous sections, given a number field K, we denote by \(\Gamma _K\) the absolute Galois group \({\text {Gal}}(\overline{K}/K)\)). If the map \(f: C \rightarrow C'\) is defined over a field extension L of K, then \(f^*\) is equivariant with respect to the Galois group \(\Gamma _L\). The conclusion is that if there is a map \(f: C \rightarrow C'\) with \(g(C')=1\) defined over K (respectively \(\overline{K}\)), then the Galois representation attached to \({\text {Jac}}(C)\) has a 2-dimensional subspaceFootnote 9 that is stable under \(\Gamma _K\) (respectively a finite-index subgroup thereof).

The other ingredient we need is that it is not very hard to sample special elements from \(\rho _{A, \ell ^\infty }(\Gamma _K)\), or at least, it is easy to determine their characteristic polynomials. In order to discuss this, we recall the following definition:

Definition 1

(Good reduction) Let K be a number field and let \(\mathfrak {p}\) be a prime of the ring of integers of K. We say that A has good reduction at \(\mathfrak {p}\) if (up to isomorphism) A is given by equations with coefficients in \(\mathcal {O}_K\) that, when reduced modulo \(\mathfrak {p}\), give rise to an abelian variety over the residue field \(\mathcal {O}_K/\mathfrak {p}\). Equivalently, but more technically, we say that A has good reduction at \(\mathfrak {p}\) if A extends to an abelian scheme \(\mathcal {A}\) over the local ring \(\mathcal {O}_{K, \mathfrak {p}}\). Similarly, we say that a curve C has a good reduction at \(\mathfrak {p}\) if it can be defined by equations with coefficients in \(\mathcal {O}_K\) that remain non-singular upon reduction modulo \(\mathfrak {p}\).

Remark 7

It is easy to see that a smooth curve has good reduction at all but finitely many primes (indeed, any given model of C is nonsingular modulo all but finitely many primes). Moreover, \({\text {Jac}}(C)\) has good reduction at a prime \(\mathfrak {p}\) whenever C does. Thus, given a curve C, it is easy to determine a finite set of primes S that contains those at which \({\text {Jac}}(C)\) does not have good reduction.

When A has good reduction at a prime \(\mathfrak {p}\) we have a well-defined reduction \(A_{\mathfrak {p}}\), which is an abelian variety over the finite field \(\mathbb {F}_{\mathfrak {p}} = \mathcal {O}_K/\mathfrak {p}\). With this notion at hand we can now state the following important theorem:

Theorem 6

Let A be an abelian variety over a number field K and let \(\mathfrak {p}\) be a prime ideal of the ring of integers \(\mathcal {O}_K\). Suppose that A has good reduction at \(\mathfrak {p}\), so that we have a well-defined reduced abelian variety \(A_{\mathfrak {p}}\) over the residue field \(\mathbb {F}_{\mathfrak {p}} = \mathcal {O}_K/\mathfrak {p}\). Let \({\text {Frob}}_{\mathfrak {p}}\) be any Frobenius element in \(\Gamma _K\) corresponding to the prime \(\mathfrak {p}\) and let \(\ell \) be a rational prime distinct from the residue characteristic of \(\mathfrak {p}\).

  1. 1.

    The characteristic polynomial of \(\rho _{A, \ell ^\infty }( {\text {Frob}}_{\mathfrak {p}} )\) has integer coefficients and is independent both of the specific Frobenius element \({\text {Frob}}_{\mathfrak {p}}\) and of the auxiliary prime \(\ell \) (integrality and independence of \(\ell \) follow from [30, Exposé IX, Théorème 4.3 (b)], while independence of the choice of the Frobenius element is a consequence of the general Néron–Ogg–Shafarevich criterion [31, Theorem 1]).

  2. 2.

    Write q for the size of the residue field of \(\mathfrak {p}\). The characteristic polynomial of \(\rho _{A, \ell ^\infty }( {\text {Frob}}_{\mathfrak {p}} )\) is determined by the cardinalities \(\#A_{\mathfrak {p}}(\mathbb {F}_{q^i})\) for \(i \ge 1\) (in fact, \(i \le \max \{2\dim A, 18\}\) suffices, see [32]).

  3. 3.

    When \(A={\text {Jac}}(C)\) is the Jacobian of a curve C of genus g, itself having good reduction at \(\mathfrak {p}\), the characteristic polynomial of \(\rho _{A, \ell ^\infty }( {\text {Frob}}_{\mathfrak {p}} )\) is determined by \(\#C(\mathbb {F}_{q^i})\) for \(i=1,\ldots ,g\) (see [33, Corollary 5.1.17]).

In the notation of the theorem, the characteristic polynomial of \(\rho _{A, \ell ^\infty }( {\text {Frob}}_{\mathfrak {p}} )\) is called the characteristic polynomial of the Frobenius at \(\mathfrak {p}\).

Notice that counting the number of rational points of a curve over a finite field is straightforward, since there are only finitely many possible values for each of the variables, and we can simply test them all (much more sophisticated algorithms are available, for example those based on rigid cohomology: see [34] for a survey of these and other methods). This implies that characteristic polynomials of Frobenius can be computed easily, and therefore gives us comparatively easy access to elements in the image of the Galois representation.

Combining our previous remarks with Theorem 6 (1), one obtains the following. Let \(\mathfrak {p}\) be a prime of good reduction of C. Suppose that the characteristic polynomial of \(\rho _{{\text {Jac}}(C), \ell ^\infty }({\text {Frob}}_{\mathfrak {p}})\) is irreducible over \(\mathbb {Z}\): then the \(\ell \)-adic Galois representation associated with \({\text {Jac}}(C)\) is irreducible, hence C admits no maps to lower-genus curves defined over K. Moreover, this characteristic polynomial is effectively computable.

Example 3

We show that the Jacobian of the curve \(C_1\) defined in Eq. (2) is geometrically irreducible. Fix arbitrarily an auxiliary prime \(\ell \ne 5\). The characteristic polynomial of \(\rho _{{\text {Jac}}(C_1),\ell ^\infty }({\text {Frob}}_5)\) is \(x^4 - 2x^3 + x^2 - 10x + 25\), which is irreducible over \(\mathbb {Z}\). This already proves that \({\text {Jac}}(C_1)\) is irreducible over \(\mathbb {Q}\). To prove geometric irreducibility, one first shows (using Galois representations again!) that if \({\text {Jac}}(C_1)\) is geometrically reducible, then it splits over a Galois extension F/K of degree dividing 48. Moreover, the Galois group of F/K has exponent dividing 12. This implies that, if \({\text {Jac}}(C_1)\) is geometrically reducible, then the characteristic polynomial of \(\rho _{{\text {Jac}}(C_1),\ell ^\infty }({\text {Frob}}_p^{12})\) is reducible over \(\mathbb {Z}\) for all \(p \ne \ell \) at which \(C_1\) has good reduction [5, Proposition 4.3]. Thus, in practice, one just has to determine the characteristic polynomial of \(\rho _{{\text {Jac}}(C_1),\ell ^\infty }({\text {Frob}}_5^{12})\)—which can be read off the characteristic polynomial of \(\rho _{{\text {Jac}}(C_1),\ell ^\infty }({\text {Frob}}_5)\) using simple linear algebra—and check that it is irreducible, which in this case it is.

Much more generally, combining the results of [5,6,7], one has the following result.

Theorem 7

(Lombardo, Costa–Mascot–Sijsling–Voight, Costa–Lombardo–Voight) Let C be a smooth projective curve defined over a number field K. There is an efficient algorithm to compute \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\) which enjoys the following properties:

  1. 1.

    it always outputs an upper bound for the \(\mathbb {Z}\)-rank of \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\);

  2. 2.

    it always outputs a lower bound for the \(\mathbb {Z}\)-rank of \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\);

  3. 3.

    if the upper- and lower-bounds coincide, it outputs generators of the endomorphism ring of \({\text {Jac}}(C)_{\overline{K}}\), expressed as self-correspondences of C, together with a proof that these endomorphisms generate \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\);

  4. 4.

    if the Mumford–Tate conjecture holds for the Jacobian of C (this is automatic if the genus of C is at most 3), the upper- and lower-bounds of parts (1) and (2) coincide.

We also note that—since the algorithm gives explicit generators for \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\)—one can also compute the Galois action on them, hence recover \({\text {End}}({\text {Jac}}(C)_L)\) for any field extension L/K. Thus, in practice, the algorithm implicit in Theorem 7 allows for the efficient determination of the endomorphism ring of Jacobians, because whenever the algorithm terminates, its output is certifiably correct.

Concerning the proof of Theorem 7, the upper bound of part (1) is obtained by looking at characteristic polynomials of Frobenius elements, much in the same spirit as described above. On the other hand, lower bounds as in (2) are more easily obtained by relying on complex-analytic methods that go beyond the realm of Galois representations. A different, more algebraic technique to recover the decomposition up to isogeny of a Jacobian is discussed in [35]. It is less general than the complex-analytic methods behind Theorem 7, but in the situations where it works, it also applies to curves defined over fields of positive characteristic.

In a slightly different direction, I have also given an unconditional algorithm [5, §3] to compute \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\) which relies only on Galois representations. Its interest is purely theoretical, however, since its asymptotic running time is so high that it would be impossible to use it on any concrete example. Finally, the hardest part in the proof of the theorem is of course (4), which shows that looking at characteristic polynomials of Frobenius is enough to give a sharp upper bound on the rank of the endomorphism ring.

We conclude this section with a question:

Question 1

The ring \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\) is closely related to the set of correspondences between C and other curves (that is, pairs \((C', D)\), where \(C'\) is another smooth projective curve and \(D \subset C \times C'\) is a closed curve projecting surjectively onto both C and \(C'\)). Note that a non-constant morphism \(f: C \rightarrow C'\) gives rise to a correspondence, namely the graph of f. In many cases, knowing \({\text {End}}({\text {Jac}}(C)_{\overline{K}})\) is enough to determine all non-constant morphisms \(C \rightarrow C'\), but to the best of my knowledge, this has not been worked out in complete generality. The hardest case seems to be when C admits a map onto a curve \(C'\) whose Jacobian has an infinite group of automorphisms, and it would be interesting to understand it in detail.

7 Degrees of fields generated by division points

The main question in this section is to understand the degrees of field extensions generated by torsion points of abelian varieties. This is a topic that underlies everything that has been discussed so far: torsion fields are contained in the division fields of every point, and the better we understand the structure of torsion, the better grip we have on non-torsion points as well. The guiding philosophy (which is made precise by the Mumford–Tate conjecture [4]) is that the images of the \(\ell \)-adic representations attached to abelian varieties should be large, unless there is a good geometric reason for them not to be. To make this somewhat more precise, we begin by remarking that—if we replace K by a finite extension \(K'\)—the images of the \(\ell \)-adic torsion representations attached to an abelian variety A/K change only up to finite index. Up to commensurability, these images are therefore independent of the ground field K, and hence essentially only depend on the geometric object \(A_{\overline{K}}\).

The Mumford–Tate conjecture clarifies, at least conjecturally, how the geometry of \(A_{\overline{K}}\) is reflected in the images of the Galois representations up to commensurability. While we won’t state the Mumford–Tate conjecture in detail, because of its technically involved nature, we give some examples to give a flavour of the expected results.

Example 4

(Elliptic curves) Let E be an elliptic curve defined over a number field K. Consider the endomorphism ring R of the elliptic curve \(E_{\overline{K}}\). It is well known that there are two possibilities for this ring: either it is isomorphic to \(\mathbb {Z}\) (in which case all the endomorphisms of \(E_{\overline{K}}\) are of the form \(P \mapsto nP\) for some \(n \in \mathbb {Z}\)), or it is an order in a quadratic imaginary field (that is, \(R \otimes _{\mathbb {Z}} \mathbb {Q} \cong \mathbb {Q}(\sqrt{-d})\) for some \(d>0\)). We call these two possibilities the non-CM and CM cases, respectively (where ‘CM’ is short for ‘complex multiplication’).

  1. 1.

    In the non-CM case, the Mumford–Tate conjecture (a theorem of Serre [24] in this case) predicts that for all primes \(\ell \) the image of \(\rho _{E, \ell ^\infty }\) should have finite index inside \({\text {GL}}_2(\mathbb {Z}_\ell )\).

  2. 2.

    In the CM case, assuming for simplicity \({\text {End}}(E) = {\text {End}}(E_{\overline{K}})\), there are commuting actions of \({\text {Gal}}(\overline{K}/K)\) and R on \(T_\ell (E)\), which forces the image of \(\rho _{E, \ell ^\infty }\) to land inside \({\text {GL}}_{R \otimes \mathbb {Z}_\ell }(T_\ell (E)) \cong (R \otimes \mathbb {Z}_\ell )^\times \), the automorphisms of \(T_\ell (E)\) as an \((R \otimes \mathbb {Z}_\ell )\)-module. This is of course a much smaller group than the whole \({\text {GL}}(T_\ell (E))\). In this case, the Mumford–Tate conjecture predicts that the image of \(\rho _{E, \ell ^\infty }\) should have finite index inside \({\text {GL}}_{R\otimes \mathbb {Z}_\ell }(T_\ell (E))\). This case of the conjecture is also known to hold, thanks to results of Deuring [36] that were later reformulated by Weil [37] and Serre–Tate [31]. The finiteness of the index \([{\text {GL}}_{R\otimes \mathbb {Z}_\ell }(T_\ell (E)): \rho _{E, \ell ^\infty }(\Gamma _K)]\) can be made quantitative, as for example in [38] or [39].

For the next example we will need the \(\ell \)-adic cyclotomic character \(\chi _\ell : \Gamma _K \rightarrow \mathbb {Z}_\ell ^\times \). Recall that this is the function giving the Galois action on \(\ell \)-power roots of unity: for every primitive \(\ell ^n\)-th root of unity \(\zeta _{\ell ^n}\) we have

$$\begin{aligned} \sigma (\zeta _{\ell ^n}) = \zeta _{\ell ^n}^{\chi _\ell (\sigma ) \bmod \ell ^n}. \end{aligned}$$

One can see \(\chi _{\ell }\) as the \(\ell \)-adic Galois representation attached to the group \(\mathbb {G}_m\), whose \(\ell ^n\)-th torsion points are precisely the \(\ell ^n\)-th roots of unity.

Example 5

(Generic abelian surfaces) Let A/K be a principally polarised abelian surface. One can prove that there exists a canonical bilinear form (the Weil pairing)

$$\begin{aligned} \langle \cdot , \cdot \rangle : T_\ell (A) \times T_\ell (A) \rightarrow \mathbb {Z}_\ell (1) = \varprojlim _{n} \mu _{\ell ^n} \end{aligned}$$

that is equivariant for the action of Galois, that is, such that

$$\begin{aligned} \langle gv, gw \rangle = \chi _\ell (g) \langle v,w \rangle \quad \forall v,w \in T_\ell (A), \forall g \in \Gamma _K. \end{aligned}$$

The equivariance of the Weil pairing forces the image of \(\rho _{A, \ell ^\infty }\) to land inside

$$\begin{aligned} {\text {GSp}}(T_\ell (A), \langle \cdot , \cdot \rangle ) = \left\{ g \in {\text {GL}}(T_\ell (A)): \begin{array}{c} \exists \lambda \in \mathbb {Z}_\ell ^\times \text { such that } \\ \langle gv, gw \rangle = \lambda \langle v,w \rangle \quad \forall v,w \in T_\ell (A) \end{array} \right\} . \end{aligned}$$

Suppose \({\text {End}}(A_{\overline{K}})=\mathbb {Z}\). The fact that A is a surface guarantees that the containment \({\text {Im}} \rho _{A, \ell ^\infty } \subseteq {\text {GSp}}(T_\ell (A), \langle \cdot , \cdot \rangle )\) is the only ‘geometric’ restriction on the Galois representation (this comes from the classification of the possible Mumford–Tate groups of abelian surfaces; see Remark 8 below for a partial discussion of the situation in higher dimensions). The Mumford–Tate conjecture then predicts that the image of \(\rho _{A, \ell ^\infty }\) should have finite index inside \({\text {GSp}}(T_\ell (A), \langle \cdot , \cdot \rangle )\). This case of the conjecture is once again a theorem of Serre [40].

Remark 8

The argument of the previous example can be extended to show that the image of \(\rho _{A, \ell ^\infty }\) is always contained in \({\text {GSp}}(T_\ell (A), \langle \cdot , \cdot \rangle )\).

On the other hand, there exist abelian varieties A/K of dimension greater than 2 which satisfy \({\text {End}}(A_{\overline{K}})=\mathbb {Z}\), but whose associated Galois representations have image much smaller than \({\text {GSp}}(T_\ell (A), \langle \cdot , \cdot \rangle )\). The first such example was constructed by Mumford and arises in dimension 4 [41], and many more examples are known (see e.g. [42, §6]). This sort of phenomenon is part of the reason why the Mumford–Tate conjecture is such a subtle problem: the ‘geometric’ restrictions on the image of Galois do not necessarily come from endomorphisms (in general, one has to consider the possible existence of Tate classes in the cohomology of all powers of the abelian variety A. Endomorphisms are just one example: the cohomology class of the graph of an endomorphism gives a Tate class in the cohomology of \(A^2\)). In the opposite direction, Pink [43] (extending earlier unpublished work by Serre) has shown that this phenomenon can occur only for very special values of the dimension of A: for example, if \(\dim A\) is odd and \({\text {End}}_{\overline{K}}(A) = \mathbb {Z}\), then the only restriction on the image of Galois comes from the Weil pairing and the Mumford–Tate conjecture holds.

Remark 9

Many more cases of the Mumford–Tate conjecture have been established, see [44, 45] for more extended references.

In a series of works [39, 46,47,48,49] I have shown how to make these results effective in many cases, giving an upper bound for the index of the image of \(\rho _{A, \ell ^\infty }\) inside the ‘natural target group’ predicted by the Mumford–Tate conjecture, or showing surjectivity (again onto the natural target group) for \(\ell \) large enough. For some more restricted problems (abelian surfaces with certain extra properties, CM abelian varieties, or ruling out especially small images of Galois), these results can even be made uniform, as in [42, 50, 51]. Some of these theorems have been extended to arbitrary abelian varieties by Zywina [52]. The estimates that can be obtained are especially sharp for elliptic curves, for which one can study not just one \(\ell \)-adic representation at a time, but all of them simultaneously, as in the following upper bound [46]. Recall that \(\Gamma _K\) denotes the absolute Galois group \({\text {Gal}}(\overline{K}/K)\).

Theorem 8

There are constants \(c_1, c_2\) such that, for all elliptic curves E over a number field K with \({\text {End}}_{\overline{K}}(E) = \mathbb {Z}\), one has

$$\begin{aligned} \left[ \prod _{\ell } {\text {GL}}_2(\mathbb {Z}_\ell ): \left( \prod _{\ell } \rho _{E, \ell ^\infty }\right) (\Gamma _K) \right] \le c_1 \left( [K:\mathbb {Q}] \cdot \max \{ 1, h(E) \} \right) ^{c_2}, \end{aligned}$$

where h(E), the stable Faltings height [2] of E, is a measure of the arithmetic complexity of E.

Concretely, this can be translated into the following statement about the field of definition of the torsion points of E, where we also make the constants explicit:

Corollary 9

Let K be a number field, let E/K be an elliptic curve, and let \(P \in E(\overline{K})\) be a torsion point of exact order N. The extension K(P) generated by P satisfies

$$\begin{aligned} {[}K(P): K] \ge c(E/K)^{-1} \cdot N^2, \end{aligned}$$

where \( c(E/K) = \zeta (2) \exp (10^{21483}) \cdot [K:\mathbb {Q}]^{\gamma _2} \max \{1, h(E), \log [K:\mathbb {Q}] \}^{2\gamma _2} \) with \(\gamma _2:= 2.4 \cdot 10^{10}\).

Finally, we briefly explain how these (and other) open-image results help proving results in Kummer theory, taking as example Theorem 4. As already pointed out (Remark 2), the image \(V_n\) of the Kummer representation modulo n is a module over the image \(H_n\) of the torsion representation modulo n. When \(n=p\) is a sufficiently large prime (effective), Theorem 8 implies that \(H_p\) is equal to the full group \({\text {GL}}_2(\mathbb {Z}/p\mathbb {Z})\). In this situation, the action of \(H_p \cong {\text {GL}}_2(\mathbb {Z}/p\mathbb {Z})\) on \(E[p] \cong \mathbb {F}_p^2\) is the standard one. Since the only \({\text {GL}}_2(\mathbb {F}_p)\)-submodules of \(\mathbb {F}_p^2\) are \(\{0\}\) and \(\mathbb {F}_p^2\) itself, this implies that \(V_p\) is either \(\{0\}\) or equal to E[p]. The former possibility can only arise if the point \(\alpha \in E(\mathbb {Q})\) is divisible by p in \(E(K_p)\), where \(K_p = \mathbb {Q}(E[p])\). Since by assumption \(\alpha \) is not divisible by p in \(E(\mathbb {Q})\), we are reduced to understanding under what conditions \(\alpha \) becomes divisible by p over the field \(K_p\). It turns out that one can attach to \(\alpha \) a class in \(H^1(H_p, E[p])\) that controls the divisibility of \(\alpha \) by p in the group \(E(K_p)\). However, since \(H_p = {\text {GL}}_2(\mathbb {F}_p)\), one can show easily that \(H^1(H_p, E[p])\) vanishes, and this implies that \(\alpha \) is not divisible by p in \(E(K_p)\). In turn, this gives \(V_p=E[p]\). The extension to arbitrary (composite) n is technically much more complicated, but follows a similar pattern, where problems about the non-torsion point \(\alpha \) are completely reduced to the study of torsion extensions.