# Isogenies in Theory and Praxis

## Abstract

We want to give an overview on arithmetical aspects of abelian varieties and their torsion structures, isogenies, and resulting Galois representations. This is a wide and deep territory with a huge amount of research activity and exciting results ranging from the highlights of pure mathematics like the proof of Fermat’s last theorem to stunning applications to public-key cryptography. Necessarily we have to be rather superficial, and thus specialists in the different aspects of the topics may be disappointed. But I hope that for many, and in particular for young researchers, the chapter may serve as an appetizer and will raise interest for a fascinating area of mathematics with many open problems (some are very hard and worth a Fields Medal but others are rather accessible).

The first section of the chapter gives basic notions, definitions, and properties of abelian varieties. Disguised as examples one will find their theory over the complex numbers \(\mathbb{C}\) and the special case of elliptic curves. The second section discusses the situation over finite fields, in particular the role of the Frobenius endomorphism, and over number fields where the most interesting results and challenging conjectures occur. Finally we discuss algorithmic aspects of isogenies, mostly of elliptic curves, and relations to cryptography.

## 1 General Theory

We begin by explaining the background of the subjects we shall discuss in the chapter. Instead of citing a large number of original papers, we mostly refer to the handbook [ACF] where the reader can find all relevant items mentioned below discussed on different levels of abstraction and with an extensive bibliography helping to go deeper to details in his/her favorite subjects. The second standard reference will be [M1] where the background for abelian varieties is explained.

### 1.1 Abelian Varieties

#### 1.1.1 Notations and Definitions

In the whole chapter *K* denotes a field with char(*K*) = *p* ≥ 0, and overfields containing *K* are denoted by *L*.

*K*_{s} is a fixed separable closure of *K*.

The *absolute Galois group* \(G_{K} = \mathrm{Aut}_{K}(K_{s})\) is the group of field automorphisms of *K*_{s} that leave elements of *K* fixed.

*G*_{K} has a natural topology as *profinite group* in which subgroups of finite index form a system of neighborhoods of the unit element. It is important that *G*_{K} is compact with respect to this topology.

**Affine Varieties** Affine varieties \(V _{a} \subset \mathbb{A}^{n}\) are zero sets of ideals \(I_{V _{a}}\) with *coordinate ring* \(K[X_{1},\ldots,X_{n}]/I_{V _{a}}\) and, if \(I_{V _{a}}\) is a prime ideal, with function field \(F_{V _{a}} = \mathit{Quot}(K[X_{1},\ldots,X_{n}]/I_{V _{a}})\). In this case *V*_{a} is *irreducible* in the Zariski topology and the dimension \(\dim (V _{a})\) of *V*_{a} is the transcendental degree of \(F_{V _{a}}\) over *K*.

### Example 1

- 1. \(\mathbb{A}^{n}\) is the affine space defined by the zero ideal in \(K[X_{1},\ldots,X_{n}]\).
- 2. Take *n* = 2 and \(I_{a} =<f(X_{1},X_{2})> \neq \{0\}\). Then *V*_{a} is the *plane affine curve* defined by the equation
$$\displaystyle{f(X_{1},X_{2}) = 0.}$$
Its coordinate ring is \(K[X_{1},X_{2}]/ <f(X_{1},X_{2})>\). It is *irreducible* iff \(f(X_{1},X_{2})\) is an irreducible polynomial. In this case *F*(*V*_{a}) is an algebraic extension of *K*(*X*_{i}) iff \(f(X_{1},X_{2})\) is not constant as function of *X*_{i}.

*L*of

*K*define

A *morphism ϕ* is a *polynomial* map from *V*_{a} to an affine variety *W*_{a}.

*ϕ*^{∗} of the coordinate ring of *W*_{a} to the coordinate ring of *V*_{a}, which extends to an inclusion

*W*_{a} and *V*_{a} are prime ideals.

### Example 2

Let *V*_{a} be an irreducible plane affine curve. Take \(W_{a} = \mathbb{A}^{1}\), \(\phi (X_{1}) = X_{1}\), *ϕ*(*X*_{2}) = 0.

Then *ϕ* is the projection of *V*_{a} to the line *X*_{2} = 0.

Assume that *ϕ* is not the constant map. Then *ϕ*^{∗} induces the natural injection \(K(X_{1}) \subset K(X_{1},X_{2}).\)

**Projective Varieties** The next important step is to define *projective* varieties. Recall that a polynomial \(F(Y _{0},\ldots,Y _{n})\) is homogenous of degree *d* iff every monomial occurring in *F* with coefficient ≠ 0 has degree *d*.

An ideal \(I \subsetneq K[Y _{0},\ldots,Y _{n}]\) is homogenous iff it is generated by homogenous polynomials.

A *projective variety V* defined over *K* is the zero set \(\mod \sim\) of a homogenous ideal \(I_{V } \subset K[Y _{0},\ldots,Y _{n}]\) for appropriate *n*. The *L*-rational points of *V* are

### Example 3

- 1. The projective space \(\mathbb{P}^{n}/K\) is the projective variety defined by the zero ideal in \(K[Y _{0},\ldots,Y _{n}]\). Its *L*-rational points are \(\mathbb{P}^{n}(L) = L^{n+1}/ \sim.\)
- 2. Take *n* = 2 and *I* = <*F*(*X*, *Y*, *Z*)> where *F* is a homogenous polynomial of degree *d*. Then *V* is the *plane projective curve* defined by the equation
$$\displaystyle{F(X,Y,Z) = 0}$$
It is *irreducible* iff *F* is an irreducible polynomial.

**Affine Covers of Projective Varieties** We recall the easy observation that every homogenous polynomial \(F(Y _{0},\ldots,Y _{n})\) can be transformed into *n* + 1 polynomials \(f_{j}(X)\) (\(j = 0,\ldots,n\)) in *n* variables by the transformation

*t*_{j} can be interpreted as rational map from \(\mathbb{P}^{n}\) to \(\mathbb{A}^{n}\) which is defined and bijective when restricted to *U*_{j} consisting of points with *Y*_{j} coordinates ≠ 0. By the inverse transform, we embed \(\mathbb{A}^{n}\) into \(\mathbb{P}^{n}\) and so *U*_{j} is isomorphic to \(\mathbb{A}^{n}\) as affine variety. Inside of \(\mathbb{P}^{n}\) it is an open subset in the Zariski topology.

As result we get a finite open covering of \(\mathbb{P}^{n}\) by *n* + 1 affine subspaces.

### Remark 1

There are many possibilities to find such covers. But having chosen homogenous coordinates \((Y _{0},\ldots,Y _{n})\), the above cover is rather usual, and one occasionally calls the projective variety \(U_{0}: Y _{0} = 0\) “infinite hyperplane.”

*U*_{j} of \(\mathbb{P}^{n}\), one can intersect it with projective varieties *V* and get

*Converse process*: Given a polynomial \(f(X_{1},\ldots,X_{n})\) of degree *d*, we get a homogenous polynomial \(f^{h}(Y _{0},\ldots,Y _{n})\) of degree *d* by the transformation

Assume that *V*_{a} is an affine variety with ideal \(I_{a} \subset K[X_{1},\ldots,X_{n}]\). By applying the homogenization explained above to all polynomials in *I*_{a}, we get a homogenous ideal \(I_{a}^{h} \subset K[Y _{0},\ldots,Y _{n}]\) and a projective variety \(V\) with ideal \(I_{a}^{h}\) containing *V*_{a} in a natural way.

*V* is called a projective closure of *V*_{a}.

Somewhat misleadingly, one calls \(V \cap U_{0} = V \setminus V _{a}\) the “infinite points” of *V*_{a}.

### Example 4

*E*_{a} the corresponding affine plane curve.

*Y*_{0}, we define the homogenized polynomial

*E*.

Then *E* ∖ *E*_{a} consists of exactly one point *P*_{∞} that is the projective class of (0, 0, 1).

### Remark 2

Example 4 introduces an important object. If *E*_{a} has no singular points,^{1} then *E*_{a} is an *elliptic curve given by a Weierstrass equation* (see Definition 3).

A morphism between projective varieties *V* and *W* is a map from *V* to *W* that is, restricted to any affine piece of *V*, an affine morphism (i.e., a polynomial map) to an affine piece of *W*.

If *V* is a projective variety whose ideal *I*_{V} is a prime ideal, then the function field *F*_{V} of *V* is the function field of a non-empty affine Zariski-open part *V*_{a} of *V*. (This is independent of the choice of *V*_{a}.)

In this case the dimension of *V* is the transcendental degree of *F*_{V} over *K*.

**Group Schemes** For more details and proofs concerning the following notions and results, we refer to [ACF] or [M1], Chap. III, 11.

### Definition 1

*G* with a morphism

*addition law*, a morphism

*inversion morphism* and a unit element

*zero section*, satisfying the axioms of composition in groups interpreted in the language of morphisms.

- 1. Associativity expressed as identity between maps from *G* × *G* × *G* to *G*:
$$\displaystyle{\oplus \circ (\oplus \times \mathit{id}_{G}) = \oplus \circ (\mathit{id}_{G} \times \oplus ).}$$
- 2. Existence of a neutral element:
$$\displaystyle{\oplus _{\vert \{e\}\times G} = \mathit{pr}_{2}(\{e\} \times G)}$$
where *pr*_{2} is the projection to the second factor of the Cartesian product.
- 3. Existence of inverse elements:
$$\displaystyle{\oplus \circ (\mathit{id}_{G}\times \iota )}$$
is the constant map with image point *e*.

If the addition law is commutative, i.e., it is compatible with interchanging the components in *G* × *G*, then *G* is a commutative group scheme.

We remark that for all overfields *L* of *K*, we get that *G*(*L*) is a group; the addition law in *G*(*L*) is given by rational functions with coefficients in *K*, and so for all fields \(K \subset L \subset K_{s}\), the Galois group *G*_{L} acts on *G*(*K*_{s}) with \(G(L) = G(K_{s})^{G_{L}}\).

### Example 5

*μ*_{n} as affine variety with ideal generated by

*e* is the point *X*_{1} = 1 and \(\iota (X_{1}):= X_{1}^{n-1}\).

The resulting group scheme is the scheme of the *n*th roots of unity.

For overfields *L* of *K*, one gets that *G*(*L*) is the group of elements *ζ* in *L* with *ζ*^{n} = 1.

Here comes the key subject for the chapter:

### Definition 2

An abelian variety *A* is an **absolutely**^{2} **irreducible projective group scheme**.

Because of the importance for theory and practice, the case *d* = 1 deserves an extra definition.

### Definition 3

An abelian variety of dimension 1 is called an **elliptic curve** *E*.

### Theorem 1

*Let A be an abelian variety. Then A is a commutative group scheme, and hence, A(L) is an abelian group.*

A proof of this result can be found in [M1], Chap. 2.4.

### Example 6 (Abelian varieties over \(\mathbb{C}\))

We shall sketch the “classical” case: \(K = \mathbb{C}\). For details we refer to [ACF], Section 5.1 or [M1], Chapter I.

Projective varieties are compact analytic varieties.

Let *A* be an abelian variety over \(\mathbb{C}\) and denote by \(A_{\mathbb{C}}\) the associated analytic variety. From the classification of compact commutative Lie groups it follows that

*period matrix Ω* whose imaginary part *Im*(*Ω*) is positive definite. Hence, \(\varOmega\) is an element in the *Siegel upper half plane* \(\mathbb{H}_{d}\).

*Ω* is determined up to transformations with elements in \(\mathit{Sp}(d, \mathbb{Z})\), the group of symplectic matrices with determinant 1 and integral entries.

The equivalence classes of elements of \(\mathbb{H}_{d}\) modulo \(\mathit{Sp}(d, \mathbb{Z})\) form a **moduli space** for abelian varieties of dimension *d* defined over \(\mathbb{C}\).

It is worthwhile to look at the special case *d* = 1, i.e., *A* is an elliptic curve *E*.

*Ω* is a 1 × 1 matrix with entry

*τ* is unique up to Möbius transformations

*E* by *E*_{τ}.

To find an equation for the curve *E*, one uses the *j*-function and so defines a one-to-one cover map from \(\mathbb{H}/\mathit{Sl}(2, \mathbb{Z})\) to the affine line.

This very explicit theory provokes the question:

Can one find algebraic versions of period matrices to define explicit moduli spaces for abelian varieties?

For *d* = 1 we have the very satisfying algebraic theory of elliptic curves that will be discussed below.

Much more difficult is the situation for *d* > 1.

The first groundbreaking step was done in a series of three celebrated papers of Mumford [M2] where he “translated” the classical theory of theta functions into an algebraic frame and introduced theta groups and used theta null points to define points corresponding to abelian varieties (with level structure) on the moduli space.

From the computational point of view, this representation is not optimal since the degree of the defining equations and the number of variables is large. An enormous step forward is done by recent work of Lubicz, Robert, Faugère, Gaudry and others and can be found in the beautiful paper [LR].

It opens a wide area for computational research, and so we encourage the reader to go deeper into the (partly solved)

### Open Problem 1

*Find fast algorithms to compute moduli points for given*^{3} *abelian varieties over finite or* \(\mathfrak{p}\)*-adic fields, and conversely, attach to moduli points the corresponding abelian varieties with addition law as explicit and efficient as possible.*

### 1.2 Homomorphisms of Group Schemes

Let \(G_{1},G_{2}\) be group schemes defined over *K*.

### Definition 4

- 1. A morphism
$$\displaystyle{\phi: G_{1} \rightarrow G_{2}}$$
is a homomorphism iff it is compatible with the addition laws in *G*_{i}, i.e.,
$$\displaystyle{\oplus _{G_{2}} \circ (\phi \times \phi ) =\phi \circ \oplus _{G_{1}}.}$$
In particular, *ϕ* induces a group homomorphism from *G*_{1}(*L*) to *G*_{2}(*L*) that is given by rational functions defined over *K* and hence compatible with the action of *G*_{K} on points over *K*_{s}. The set of homomorphisms from *G*_{1} to *G*_{2} defined over *K* is denoted by \(\mathrm{Hom}_{K}(G_{1},G_{2})\).
- 2. The kernel ker *ϕ* is the scheme-theoretical inverse image of the zero section of *G*_{2} under *ϕ*. It is a subgroup scheme of *G*_{1}. Its *K*_{s}-rational points are the *K*_{s}-rational points of *G*_{1} mapped under *ϕ* to \(e_{G_{2}}\).
- 3. \(\phi \in \mathrm{ Hom}_{K}(G_{1},G_{2})\) is an isogeny iff:
  - (a) ker(*ϕ*) is a finite group scheme.
  - (b) The image under *ϕ* of the connected component of the unit element \(G_{1}^{0}\) of *G*_{1} in the Zariski topology has the same dimension as the connected component of the unit element of *G*_{2}. For instance, if *G*_{1} and *G*_{2} are irreducible, then \(\dim (G_{1}) =\dim (G_{2})\).

#### 1.2.1 Isogenies of Abelian Varieties

Let *A*, *B* be abelian varieties.

First we note a remarkable “rigidity property” of abelian varieties.

### Theorem 2

*A morphism*

*is a homomorphism iff* \(\phi (0_{A}) = 0_{B}\)*.*

The proof can be found in [M1], Chapter II, Corollary 1.

Now assume that \(\phi \in \mathrm{ Hom}_{K}(A,B)\) is an isogeny.

By definition ker(*ϕ*) is a finite group scheme and \(\dim A =\dim B\). So *ϕ* induces an embedding *ϕ*^{∗} of finite index of the function field *F*_{B} into *F*_{A}.

The degree of *ϕ* is \([F_{A}:\phi ^{{\ast}}(F_{B})]\), its separable degree is \([F_{A}:\phi ^{{\ast}}(F_{B})]_{\mathit{sep}}\).

*ϕ* is separable if its degree is equal to its separable degree, and this is so iff ker(*ϕ*) is an étale group scheme.

*ϕ*)(*K*_{s}) is a *G*_{K}-module that determines *ϕ* uniquely.

### Example 7

Take \(n \in \mathbb{N}\) and *A* = *B*. Define the map [*n*] as (*n* − 1)-fold composition of ⊕_{A}.

Then [*n*] is an isogeny that maps *A* to *A* and hence is an isogeny in \(\mathrm{End}_{K}(A):=\mathrm{ Hom}_{K}(A,A).\)

The kernel of [*n*] is denoted by *A*[*n*] and its points are called *n*-torsion points.

[*n*] is separable iff *n* is prime to char(*K*) = *p*.

The separable degree of [*p*] is *p*^{k} with \(0 \leq k \leq \dim _{K}(A)\). *k* is the *p*-rank of *A* and *A* is ordinary iff \(k =\dim _{K}(A)\).

**Scalar Multiplication** We assume that *A* is an abelian variety of positive dimension.

For negative integers *z*, define \([z] =\iota _{A}[-z]\) and denote by [0] the constant map with image *e*_{A}. One checks very easily that these definitions yield an injection of \(\mathbb{Z}\) into *End*_{K}(*A*). We mention without proof that one knows more: For “generic” abelian varieties we get that \(\mathrm{End}_{K}(A) = \mathbb{Z}\), and abelian varieties for which this equality does not hold have usually interesting properties (see Example 8 below for elliptic curves).

The induced operation of \(\mathbb{Z}\) on *A* is called scalar multiplication and is very important both for theoretical and practical applications. Hence, there is much work invested in order to develop fast algorithms to evaluate [*n*].

A prominent example is to expand *n* dyadically and then use addition and doubling (i.e., evaluation of [2]) to get an algorithm of complexity polynomial in log(*n*). But there are many more refined ways applicable in generic or specific situations (e.g., using fast inversion, “dividing” by 2, using [3], and using the *Montgomery ladder*). Though a lot of work is done and there is a vast literature (see, for instance [ACF], Chapter 9), there is still room for faster algorithms in special situations. This is an interesting research area and motivates us to formulate an

### Open Problem 2

*Try to find optimal algorithms for scalar multiplication in interesting instances.*
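The two evaluation strategies named above, binary double-and-add and the Montgomery ladder, as an added example (not code from the chapter or from [ACF]). The curve \(y^{2} = x^{3} + 2x + 3\) over \(\mathbb{F}_{97}\), the point (3, 6) and all function names are constructed for illustration; the operation counter shows why the ladder is preferred when the scalar is secret.

```python
"""Added example: scalar multiplication [n]P on a constructed toy curve."""

P_FIELD = 97            # constructed toy prime, far too small for real use
A, B = 2, 3             # E: y^2 = x^3 + 2x + 3 over F_97 (constructed)
O = None                # neutral element (the point at infinity)
G = (3, 6)              # constructed sample point on E
OPS = {"n": 0}          # counts calls to the group law


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_FIELD == 0


def neg(pt):
    """The inversion morphism: (x, y) -> (x, -y)."""
    return O if pt is O else (pt[0], -pt[1] % P_FIELD)


def add(p1, p2):
    """Affine chord-and-tangent addition, including doubling and O."""
    OPS["n"] += 1
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return O                      # P + (-P), also covers 2-torsion
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def double_and_add(n, pt):
    """Left-to-right binary method: the extra add happens only on 1-bits."""
    if n < 0:                         # [z] = iota o [-z] for negative z
        return double_and_add(-n, neg(pt))
    acc = O
    for bit in bin(n)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def montgomery_ladder(n, pt, bits=None):
    """Ladder with invariant r1 - r0 = pt: one add and one double per bit.

    Pass a fixed `bits` so the loop length does not depend on n. Python
    integers are not constant time; only the uniform operation sequence
    is demonstrated here.
    """
    if n < 0:
        return montgomery_ladder(-n, neg(pt), bits)
    bits = bits or max(n.bit_length(), 1)
    r0, r1 = O, pt
    for i in reversed(range(bits)):
        if (n >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
    return r0


def group_ops(algorithm, n, pt, **kw):
    """Number of group-law calls the algorithm makes for scalar n."""
    OPS["n"] = 0
    algorithm(n, pt, **kw)
    return OPS["n"]


if __name__ == "__main__":
    for n in (16, 31):                # same bit length, different weight
        print(n, group_ops(double_and_add, n, G),
              group_ops(montgomery_ladder, n, G, bits=5))
```

For two scalars of equal bit length, double-and-add performs a number of group operations that depends on the Hamming weight of the scalar, while the ladder performs the same number for both.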

### Remark 3

Isogenies of abelian varieties are “quasi-isomorphisms”: for every isogeny \(\phi: A \rightarrow B\) there exists an isogeny \(\varPsi: B \rightarrow A\) such that \(\varPsi \circ \phi = [\deg (\phi )]\). Hence, being isogenous is an equivalence relation, which defines *isogeny classes* of abelian varieties.

### Example 8

We continue the discussion given in Example 6 and assume that *A*, *B* are abelian varieties over \(\mathbb{C}\) of dimension *d*_{A} and *d*_{B} with lattices *Λ*_{A} and *Λ*_{B}.

*A* to *B* correspond to homomorphisms of the attached compact Lie algebras and hence are given by linear maps:

*A* correspond to sublattices *Λ*_{B} of rank *d*_{A} of *Λ*_{A}, and the degrees of the isogenies are equal to the indices of the sublattices in *Λ*_{A}.

In particular, the degree of [*n*] is \(n^{2\dim (A)}\).

*E*_{τ} given by the lattice \(\mathbb{Z} \oplus \tau \mathbb{Z}\) with \(\tau \in \mathbb{H}\). We look for isogenies *η* attached to \(\alpha \in \mathbb{C}\) such that \(\alpha =\mu _{1} +\mu _{2}\tau\) and \(\alpha \cdot \tau =\lambda _{1} +\lambda _{2}\tau\) with \(\mu _{i},\lambda _{i} \in \mathbb{Z}\). Hence, *μ*_{2} = 0 and so *η* = [*μ*_{1}] or *τ* satisfies a quadratic polynomial over \(\mathbb{Q}\) and all isogenies of *E*_{τ} are given by elements *α* in the imaginary quadratic field \(\mathbb{Q}(\tau )\).

A closer look (see [De]) using more properties of elliptic curves shows that *τ* is an algebraic integer and that the isogenies of *E*_{τ} form an order^{4} *O*_{τ} in \(\mathbb{Q}(\tau )\).

It follows

### Theorem 3

*The ring of endomorphisms of elliptic curves E over fields of characteristic 0 is either equal to* \(\mathbb{Z}\) *(generic case) or equal to an order in an imaginary quadratic field. In the second case, the period τ of E (interpreted in an obvious way over* \(\mathbb{C}\)*) is an integer in an imaginary quadratic field, and E has* **complex multiplication** *(or is a CM curve).*

*In particular, the ring of endomorphisms of an elliptic curve defined over a field of characteristic 0 is commutative.*

**Isogenies of Elliptic Curves and Modular Curves**

Let *E* be an elliptic curve defined over *K*.

A separable isogeny of *E* can be composed of a cyclic isogeny *η* of *E* of degree *n* (i.e., ker(*η*)(*K*_{s}) is a *G*_{K}-invariant cyclic subgroup of order *n* in *E*[*n*](*K*_{s})) followed by a scalar multiplication.

Turning things round we look, for *n* prime to *p*, for the functor that associates to overfields *L* of *K* all pairs

where ∼ denotes equivalence modulo isomorphisms of pairs.

This functor defines a *moduli problem* (over *K*) that has for \(K = \mathbb{C}\) a geometric presentation. That means that there is a curve over \(\mathbb{C}\) such that its points parameterize the above-described pairs for \(K = \mathbb{C}\). The necessary ingredients for the construction of this curve are contained in Examples 6 and 8.

*C*. Since isogenies of degree *n* of elliptic curves correspond to inclusions of lattices with index *n*, it follows that the points on \(X_{0}(N)(\mathbb{C})\) parameterize isomorphy classes of pairs (*E*, *η*) of elliptic curves *E* with cyclic isogenies *η* of degree *N* over \(\mathbb{C}\).

**modular curve** *Y*_{0}(*N*) isomorphic to \(Y _{0}(N)_{\mathbb{C}}\) over \(\mathbb{C}\) with the property that elements in *Y*_{0}(*n*)(*K*) correspond to elliptic curves with cyclic isogenies of degree *n*.^{5}

*Y*_{0}(*n*) and its projective completion *X*_{0}(*n*) (obtained by adding “cusps”) is explicitly known and very well understood. It has a rich structure (keywords: Hecke operators and modular forms) that is responsible for deep connections with number theory, and we shall see below how the determination of rational points on modular curves leads to very interesting diophantine results and conjectures and hence to (deep and difficult) *open problems*.

*A*, *B* are abelian varieties over *K*. In the context of isogenies, natural questions arise, which we formulate as

**Tasks:**

- 1. Decide whether *A* and *B* are isogenous,
- 2. If *A* is isogenous to *B*, find an isogeny (of low degree).
- 3. Compute explicitly the image *B* of a given isogeny of *A* when its kernel is known.
- 4. Compute explicitly the isogeny map from *A* to *B* if the kernel of the isogeny is known.

For elliptic curves a lot is known to solve these tasks (see [Le]). Nevertheless algorithmic problems are still open and challenging. We shall come back to this below.

The situation is much more difficult and unclear for higher dimensional abelian varieties. Here a big step forward (in particular for task 3) is made in [LR] and [FLR]. But many questions remain widely open if one asks the questions in this generality. For special cases the situation may be much better. As examples, see [S] or [FK2]. So it is a challenging

### Open Problem 3

*Find interesting instances for which the tasks formulated above can be solved at least partly.*

#### 1.2.2 *ℓ*-Adic and Galois Representations

The main reference for this subsection is [M1], Chapter IV. The facts with examples but mostly without proof can be found in [ACF].

Let as usual *A* be an abelian variety of dimension *d* and take \(n \in \mathbb{N}\). In the whole subsection, we assume that *n* is prime to char(*K*).

We shall study *A*[*n*] and derived objects.

*G*_{K} acts on *A*[*n*] and so yields a representation

*A*[*n*],

*ℓ* ≠ *p* and *n* = *ℓ*^{k} and use the natural maps

*ℓ*-adic Tate module of *A*.

It follows that \(T_{\ell}(A) \cong (\mathbb{Z}_{\ell})^{2d}\) and that \(V _{\ell}(A):= T_{\ell}(A) \otimes \mathbb{Q}_{\ell}\) is a \(\mathbb{Q}_{\ell}\)-vector space of dimension 2*d*.^{6}

*G*_{K} operates on *T*_{ℓ}(*A*). This action induces a \(\mathbb{Z}_{\ell}\)-adic representation attached to *A* given by the projective limit

*ℓ*-adic representation

*d* of *G*_{K} over the *ℓ*-adic numbers \(\mathbb{Q}_{\ell}\) with representation space *V*_{ℓ}(*A*).

*ϕ* to *A*[*ℓ*^{k}], we get homomorphisms

*T*_{ℓ}-homomorphism

*ϕ* is an isogeny, and by tensorizing with \(\mathbb{Q}_{\ell}\), we get a homomorphism between *V*_{ℓ}(*A*) and *V*_{ℓ}(*B*), also denoted by \(\widetilde{\phi _{\ell}}\). It is easily seen that for isogenies *ϕ*, the map \(\widetilde{\phi _{\ell}}\) restricted to *T*_{ℓ}(*A*) is injective, and it is an isomorphism between *V*_{ℓ}(*A*) and *V*_{ℓ}(*B*).

We have a natural homomorphism from Hom_{K}(*A*, *B*) into \(\mathrm{Hom}_{G_{K}}(T_{\ell}(A),T_{\ell}(B))\).

Taking *A* = *B*, we get an injective representation from End_{K}(*A*) into \(\mathrm{End}_{G_{K}}(T_{\ell}(A))\), the group of endomorphisms of the \(\mathbb{Z}_{\ell}\)-module *T*_{ℓ}(*A*) that commute with the action of *G*_{K}. This representation is called the *ℓ*-adic representation of endomorphisms of *A*.

### Remark 4

The Tate modules (and their *p*-adic counterpart, the Dieudonné module, which we do not discuss here) and the embedding of Hom_{K}(*A*, *B*) into \(\mathrm{Hom}_{G_{K}}(T_{\ell}(A),T_{\ell}(B))\) play a key role for the study of abelian varieties, and they give a lot of information about the absolute Galois group of *K* (see [T] and [Fa]). They are the counterparts in the *étale cohomology* of the lattices in the complex theory.

**Application: Endomorphisms of Elliptic Curves**

Every endomorphism *η* ≠ 0 of *E* is an isogeny, and so \(\mathrm{End}_{K}(E) \otimes \mathbb{Q}\) is a skewfield.

The action of End_{K}(*E*) on the *ℓ*-adic Tate module of *E* induces an injection of End_{K}(*E*) into \(\mathit{Gl}(2, \mathbb{Z}_{\ell}).\)

From algebra it follows that \(\mathrm{End}_{K}(E) \otimes \mathbb{Q}\) is equal to \(\mathbb{Q}\), a quadratic field or a quaternion field. This information and some more ingredients from the theory of elliptic curves allow us to characterize End_{K}(*E*).

*Case in which E cannot be defined over an absolute algebraic field* (i.e., its absolute invariant *j*_{E} (see Example 4) is transcendental over its prime field): we get that \(\mathrm{End}_{K}(E) = \mathbb{Z}\).

*Case of number fields*: We have seen already that over fields *K* of characteristic 0, the ring End_{K}(*E*) is commutative, and so quaternion fields are excluded.

Generically it is equal to \(\mathbb{Z}\); in special cases we have complex multiplication (CM) and End_{K}(*E*) is an order in an imaginary quadratic field (see Example 8).

*Case of finite fields*: Over finite fields the generic case is the CM-case. In this case the elliptic curve *E* is ordinary, i.e., \(E[p](K_{s}) \cong \mathbb{Z}/p\) (see 1.2.1).

If [*p*] is purely inseparable, then End_{K}(*E*) is an order in a well-determined quaternion algebra and *E* is called *supersingular*. Supersingular elliptic curves are (up to twists) defined over \(\mathbb{F}_{p^{2}}\) and isogenous to each other.

### 1.3 Jacobian Varieties

Till now abelian varieties occurred in a rather abstract way, and in spite of the work of Mumford and Lubicz–Robert, it is difficult and often too complicated to find explicit equations and addition laws.

The situation is much better for an important subclass of abelian varieties, which historically came first (already in the nineteenth century) and which motivated A. Weil to define abelian varieties: *Jacobian varieties attached to curves*.

Let *C* be a projective non-singular curve^{7} of genus *g* over *K* (see [ACF], Definition 4.107) with

*divisor group*

*G*_{K} acts by linear extension in a natural way on \(\mathcal{D}(K_{s})\). For \(K \subset L \subset K_{s}\), define

*principal divisors*: \(0\neq f \in F_{C} \cdot K_{s}\) has the principal divisor

*.*

**the L-rational divisor class group of degree 0 of C**^{8}

### Theorem 4 (Abel–Jacobi)

*The functor*

*is representable by an abelian variety of dimension g, the* **Jacobian variety** *J*_{C}*, i.e., in a functorial way we have*

*The theorem of Riemann–Roch ([ACF], Theorem 4.106) yields the following:*

*where S*_{g} *is the symmetric group of g letters acting on the g-fold Cartesian product of C by permuting the factors.*

Hence, the addition on Jacobian varieties is reduced to the addition of divisor classes of curves, and the theorem of Riemann–Roch tells that there are distinguished representatives, namely, positive divisors of degree ≤ *g*. It follows that addition of classes is possible if one can find for divisors of degree ≥ *g* + 1 positive divisors in the same class but of degree ≤ *g*.

### Example 9 (Elliptic Curves as Jacobians)

Assume that *C* is a projective regular curve of genus 1 **with a *K*-rational** point *P*_{∞}.

*theorem of Riemann–Roch* one gets the following: every *L*-rational divisor class *c* of degree 0 of *E* contains exactly one point *P* ∈ *C*(*L*) with

*J*_{C}(*L*) to *C*(*L*).

Hence, *C* is an elliptic curve and *C*(*L*) is an abelian group.

**Weierstrass Equation** The theorem of Riemann–Roch yields the following: we find a **Weierstrass equation** for *E* in the projective plane (see Example 4), and if *p* ≠ 2, 3,^{9} we can normalize to get

*j*-invariant that was classically defined as meromorphic function on \(\mathbb{H}\): For *a* = 0, set *j*_{E} = 0; for *b* = 0 set \(j_{E} = 12^{3}\); and for *ab* ≠ 0, define

*j*_{E} determines *E* up to twists and that to every *j* ∈ *K* we find *E* with *j*_{E} = *j* (see [ACF], 18.1.1).

*E* has exactly one point with *Z* = 0. Choosing this point as *P*_{∞} = (0, 1, 0), we can describe the addition in coordinates and get the well-known *addition formulas*.

There is a vast literature in this area (see, for instance, [ACF] and many publications, e.g., by D. Bernstein and T. Lange), but nevertheless it is even today not impossible to do better, and so we formulate a (minor)

### Open Problem 4

*Find optimal equations and algorithms for scalar multiplication for elliptic curves over given fields*\(\mathbb{F}_{q}\)*(depending on the structure of*\(\mathbb{F}_{q}\)*and the architecture of the used computer maybe).*

## 2 Abelian Varieties over Special Fields

### 2.1 \(K = \mathbb{F}_{q}\)

In this subsection we take \(K = \mathbb{F}_{q}\), the field with *q* = *p*^{d} elements, and denote by \(\mathbb{F}_{p,\infty }\) its algebraic closure.

*π*_{p} of \(\mathbb{F}_{p,\infty }\) is defined by

#### 2.1.1 The Frobenius Isogeny

We attach to the Galois element *π*_{q} a **geometric object** by extending its operation to points in \(\mathbb{P}^{n}(\mathbb{F}_{p,\infty })\).

*homogenous polynomial map*

*Galois* element induces *morphisms* of varieties *V* over \(\mathbb{F}_{q}\) which, by abuse of notation, we also denote by *π*_{q}.

*V* is irreducible. Going to affine pieces and choosing affine coordinates \(X_{1},\ldots,X_{n}\), one easily sees that

*F*_{V} generated by \(X_{1}^{q},\ldots,X_{n}^{q}\) and so \(F_{V }/\pi _{q}^{{\ast}}(V )\) is purely inseparable of degree *q*^{dim(*V*)}.

The Frobenius morphism *π*_{q} is compatible with polynomials with coefficients in *K* and so with the addition on abelian varieties *A* over \(\mathbb{F}_{q}\). Hence, *π*_{q} is a purely inseparable isogeny of degree \(q^{\dim (A)}\) called Frobenius endomorphism.

**The Characteristic Polynomial of the Frobenius Endomorphism** Since \(G_{\mathbb{F}_{q}}\) is topologically generated by *π*_{q}, it follows that the representations *ρ*_{A, n}, respectively \(\tilde{\rho }_{A,\ell}\) of abelian varieties *A*, are determined by \(\rho _{A,n}(\pi _{q})\) respectively \(\tilde{\rho }_{A,\ell}(\pi _{q})\).

*ℓ* (always ≠ *p*) and get a *globalization* that is due to A. Weil:

### Theorem 5

*is a monic polynomial χ*_{A,q}*(T) of degree 2* dim *(A) independent of ℓ, and for all* \(n \in \mathbb{N}\)

*It follows that* \(\chi _{A,q}(\pi _{q})(A) =\{ 0_{A}\}\)*.*

This theorem justifies the statement that *χ*_{A, q}(*T*) is *the characteristic polynomial* on *A* of *π*_{q}.

**Point Counting** Here comes one of the most important applications of the Frobenius endomorphism.

### Theorem 6

Hence a strategy to determine \(\vert A(\mathbb{F}_{q})\vert\) is to compute *χ*_{A, q}(*T*).

The deep basic result for these computations is due to Hasse (*d* = 1) and Weil (“Riemann hypothesis for curves”):

### Theorem 7

*The eigenvalues of π*_{q} *are complex integers with absolute value equal to q*^{1∕2}*.*

*i*th coefficient of \(\chi _{A,q}(T)\) is an integer with absolute value bounded by \(\binom{2\dim (A)}{i}q^{(2\dim (A)-i)/2}\) ([ACF], Corollary 5.8.2). Hence, to determine \(\chi _{A,q}(T)\) it is enough to compute an approximation of sufficient precision.

### Example 10

*E* defined over \(\mathbb{F}_{q}\), we have

#### 2.1.2 The Isogeny Theorem over Finite Fields

Finally we stress the importance of the Frobenius isogenies by the following result of Tate [T]:

### Theorem 8

*Let A, B be abelian varieties defined over* \(\mathbb{F}_{q}\) *with Tate modules* \(T_{\ell}(A)\) *and T*_{ℓ}*(B).*

- (i) *A is isogenous to B iff for one ℓ ≠ p, the Galois module* \(T_{\ell}(A) \otimes \mathbb{Q}\) *is isomorphic to* \(T_{\ell}(B) \otimes \mathbb{Q}\)*.*
- (ii) *A is isogenous to B iff the characteristic polynomials of the Frobenius endomorphisms on A and B are equal.*

We remark that this result “reduces” Task 1 in Sect. 1.2.1 to the computation of the characteristic polynomial of abelian varieties. We shall see in Sect. 3.2 how one can attack this task. Because of its importance, we formulate it already here as one major

### Open Problem 5

*Find fast algorithms to compute for abelian varieties A defined over* \(\mathbb{F}_{q}\) *the characteristic polynomial of the Frobenius endomorphism.*

### 2.2 Abelian Varieties over Number Fields

We look at the mathematically most interesting case: the field *K* is a number field, i.e., a finite algebraic overfield of \(\mathbb{Q}\). The exciting task is to relate arithmetical properties of these fields with diophantine properties of geometric objects, and it turned out that abelian varieties are a very useful tool for this.

We begin with a by now classical result of Serre [Se1].

### Theorem 9

*Assume that the elliptic curve E over K has no complex multiplication.*

*There is a number n*_{E} *such that for all primes ℓ > n*_{E}*, we have*

*In particular E has only finitely many K-rational cyclic isogenies.*

How can one determine *n*_{E} for given *E*?

What are the exceptions?

### Open Problem 6 (Conjecture Due to J.P. Serre)

*Can one find n*_{0} *depending only on K such that for all E (outside a finite exceptional set)* \(n_{E} = n_{0}\)*?*

### Remark

For \(K = \mathbb{Q}\) and elliptic curves one knows more: Mazur has determined a list of all isogenies of all elliptic curves, and exceptional small images of \(\rho _{E,n}\) are understood (up to the non-split Cartan case).

For general number fields *K*, the order of rational torsion points of elliptic curves over *K* can be bounded by an estimate depending on the degree of *K* over \(\mathbb{Q}\) only (theorem of Merel and Parent).

### Open Problem 7

*Can one generalize Theorem* 9 *to abelian varieties of dimension ≥ 2? For example, is it true for abelian varieties with* \(\mathrm{End}_{K}(A) = \mathbb{Z}\) *that for almost all rational primes ℓ, the image of ρ*_{A,ℓ} *contains* \(\mathit{GSp}(2\dim (A), \mathbb{Z}/\ell)\)*, the symplectic group of dimension 2* dim *(A) over* \(\mathbb{Z}/\ell\)*?*

All results obtained in this direction rely on work of Serre [Se2]. Interesting progress is made by Hall in [Ha].

#### 2.2.1 Local-Global Methods

How can one prove results like Theorem 9? Besides the specific properties of the investigated objects, one looks at the arithmetical structure of number fields given by a system of valuations with well-known completions.

To be concrete take \(K = \mathbb{Q}\).

First, we have the absolute value | | (an archimedean valuation) with completion \(\mathbb{R}\) and algebraic closure \(\mathbb{C}\).

*p*-adic valuations *w*_{p} with *G*_{p}, and residue field \(\mathbb{F}_{p}\). It is crucial that *G*_{p} can be identified (uniquely up to conjugation) with a subgroup of \(G_{\mathbb{Q}}\), the decomposition group of an extension of \(w_{p}\) to \(\mathbb{Q}_{s}\).

For general \(K\), replace | | by metrics induced by embeddings of *K* in \(\mathbb{C}\), \(\mathbb{Z}\) by its integral closure *O*_{K} in *K* and *w*_{p} by valuations attached to prime ideals \(\mathfrak{p}\) of *O*_{K} containing *p*.

Diophantine objects over *K* can be interpreted over the completions (*localization*) or modulo \(\mathfrak{p}\) (*reduction*).

This relates diophantine problems over finite fields, \(\mathbb{C}\), p-adic fields, and number fields.

The aim is to get local-global information (going in both directions).

Here is a first prominent example.

#### 2.2.2 CM Theory

*K* in \(\mathbb{C}\) and look at elliptic curves *E* over *K* as

*E* has complex multiplication if *τ* is an algebraic integer generating an imaginary quadratic field \(K_{E}:= \mathbb{Q}(\tau )\) and then End_{C}(*E*) is an order \(O_{E} \in O_{K_{E}}\).

*Class field theory* tells more:

The \(\mathbb{C}\)-isomorphy classes of elliptic curves *E*^{′} isogenous to *E* correspond one-to-one to the ideal classes of orders *O*_{E} in \(O_{K_{E}}\), the absolute invariant of *E*^{′} generates the ring class fields *H*_{E} of *O*_{E}, and \(\rho _{E,n}(G_{H_{E}})\) is an abelian group and so not containing \(\mathit{Sl}(2, \mathbb{Z}/n).\)

From number theory we know that for given *n*, there are only finitely many orders in imaginary quadratic fields with class number ≤ *n*, and so there are, up to twists, only finitely many elliptic curves with CM defined over *K* (hence, only finitely many twist classes of elliptic curves are excluded in Theorem 9).

The relation of elliptic curves with CM over number fields to elliptic curves over finite fields is given by a central result, **Deuring’s lifting theorem**.

### Theorem 10

*Let E be an ordinary elliptic curve over* \(\mathbb{F}_{q}\)*. There is an elliptic curve* \(\tilde{E}\) *defined over a number field K and a prime ideal* \(\mathfrak{p}\) *of O*_{K} *such that* \(\tilde{E}\mod \mathfrak{p} = E\ \mathrm{and}\ \mathrm{End}(\tilde{E}) =\mathrm{ End}(E)\)*.*

Hence End(*E*) is an order in an imaginary quadratic field \(K_{\tilde{E}}\) and the Frobenius endomorphism *π*_{q} corresponds to an imaginary quadratic algebraic integer with norm *q*. The discriminant of its characteristic polynomial \(\chi _{E,q}(T) = (T -\lambda _{1})(T -\lambda _{2})\) is negative and so \(\lambda _{1}\lambda _{2} = q\) and \(\mathrm{trace}(\phi _{q})^{2} - 4q <0\). But then \((\vert E(\mathbb{F}_{q})\vert - q - 1)^{2} - 4q = \mathrm{trace}(\phi _{q})^{2} - 4q <0\).

**Shimura–Taniyama** there is a beautiful generalization of CM theory to abelian varieties of higher dimension replacing imaginary quadratic fields by CM-fields of larger degree. For abelian varieties of dimension 2 and 3 this is explained in [ACF], Chapter 18.

### Open Problem 8

*Generalize the algorithmic aspects of CM from elliptic curves to Jacobians of curves of small genus.*

### Remark 5

For curves of genus 2 and 3, part of the work is done in the theses of A. Spallek and A. Weng.

#### 2.2.3 Local-Global Principles for Galois Representations

We go deeper into the arithmetic of number fields *K*.

Let \(\mathfrak{p}\) be a prime of *K*, *L* a Galois extension of *K* and \(\tilde{\mathfrak{p}}\) a prime in *O*_{L} that contains \(\mathfrak{p}\) with residue field \(\mathbb{F}_{q}\). Assume that \(\mathfrak{p}\) is unramified in *L*∕*K*.^{10}

A **Frobenius automorphism** \(\sigma _{\mathfrak{p}}\) is an element in *G*(*L*∕*K*) that is continuous with respect to the \(\tilde{\mathfrak{p}}\)-adic metric and which acts modulo \(\tilde{\mathfrak{p}}\) like *π*_{q}.

We remark that \(\sigma _{\mathfrak{p}}\) is determined by \(\mathfrak{p}\) (only) up to conjugation.

Let *V* be a finite dimensional vector space over \(\mathbb{C}\) or over a finite field \(\mathbb{F}_{q}\) or over an *ℓ*-adic field. We endow *V* with either the discrete topology (\(K = \mathbb{C}\) or \(K = \mathbb{F}_{q}\)) or the *ℓ*-adic topology. Let

*semi-simple*, i.e., *ρ* is determined by the characteristic polynomials of the images under *ρ*. We assume in addition that \(K_{s}^{\ker (\rho )}/K\) is unramified outside of a finite set *S* of primes.

### Theorem 11 (Density Theorem of Čebotarev)

*ρ is uniquely determined by*

This theorem is the reason for the deep relations between Galois theory and arithmetic.

### Remark 6

*n* depending on arithmetical invariants of *ρ*_{i} like the discriminant of \(K_{s}^{\ker (\rho _{i})}\) such that

This result makes identification of Galois representations effective. Unfortunately, the bound *n* tends to be very large (even under the assumption of the generalized Riemann hypothesis GRH [Oe]), and so the result can only very rarely be used for computational investigations. But there are situations where one can do better, for instance, if one knows that the representations are related to modular forms [R].

### Open Problem 9

*Find (or conjecture) effective versions of Theorem *11*in special but interesting instances.*

#### 2.2.4 The Theorem of Faltings

Let *A* be an abelian variety defined over a number field.

### Theorem 12

\(\tilde{\rho }_{A,\ell}\)*is semi-simple.*

This is an extremely deep theorem obtained by Faltings in the celebrated paper [Fa]. Among others, it implies the Mordell conjecture:

**Curves of genus > 1 have only finitely many K-rational points**

On the way to his result Faltings proved

### Theorem 13 (Isogeny Theorem)

*Abelian varieties A and B are isogenous iff for one prime ℓ*

*A*, *B* there is a number *n*(*A*, *B*) such that *A* is isogenous to *B* iff for one *n* > *n*(*A*, *B*)

*Warning:* The following problem is difficult and is closely related to Open Problem 9.

### Open Problem 10

*Give reasonable estimates for n(A,B) in terms of the conductors of A, B. Hint: Look at the work of Masser–Wüstholz.*

#### 2.2.5 Conjectures for Elliptic Curves

**OPEN PROBLEMS**, which, because of their importance and difficulty, are called

### Conjecture 1 (Darmon)

*There is a number n*_{0}*(K) such that for all elliptic curves E, E*^{′} *over K and all n ≥ n*_{0}*(K) we get*

A variant of this conjecture is

### Conjecture 2 (Kani)

*There is a number n*_{0} *(independent of K) such that for n ≥ n*_{0} *there are, up to twist pairs, only finitely many pairs (E,E*^{′}*) of elliptic curves defined over K which are not isogenous* and *with* \(\rho _{E,n}\mathop{\cong}\rho _{E^{{\prime}},n}\)*.*

*For prime numbers n, we can choose n*_{0}*= 23.*

Much easier but also not proved is

### Conjecture 3 (Frey)

*We* fix *an elliptic curve E*_{0}*∕K.*

*There is a number* \(n_{0}(E_{0},K)\) *such that for all elliptic curves E over K and all* \(n \geq n_{0}(E_{0},K)\) *we get*

We remark that this conjecture can be formulated in a much more general way ([Fr1], Conjecture 5), which is proved if we replace number fields by function fields in one variable.

We mention amazing consequences of this conjecture:

To give the flavor of these conjectures, we formulate a version of the ABC-conjecture over \(\mathbb{Q}\) that is due to Masser and Oesterlé:

### Conjecture 4

*For all* \(\epsilon \in \mathbb{R}_{>0}\) *there is a number* \(c_{\epsilon } \in \mathbb{R}\) *such that for integers A, B with A ⋅ B ≠ 0 and gcd(A,B) = 1, we get*

## 3 Algorithmic Aspects and Applications

In this section the focus lies on computational aspects of abelian varieties over finite fields \(\mathbb{F}_{q}\). Many of the results are motivated and initiated by problems from public-key cryptography. A more detailed discussion of this fruitful interaction between algorithmic algebraic geometry and data security can be found in [Fr2] and [Fr3].

### 3.1 Addition on Jacobian Varieties over Finite Fields

Jacobian varieties are accessible to computations via curve arithmetic and enjoy the rich structure of abelian varieties. As first example we look at the addition on Jacobian varieties. We use the general theory of Jacobian varieties (Sect. 1.3) and recall that for the addition on them, one needs a reduction algorithm among divisors in the same class. This problem was solved by Heß [He] and by Diem and leads to an outstanding result inside of the rapidly progressing algorithmic algebraic geometry.

### Theorem 14 (Diem, Heß)

*Let C be a curve of genus g over*\(\mathbb{F}_{q}\)*.*

*The arithmetic in the degree 0 class group of C can be performed in an expected time which is polynomially bounded in g and log(q).*

In practice it is still challenging to find algorithms that are fast enough for applications. A lot of work is done (even for curves of genus 1) to find equations for *C* for which the addition is optimal, and till now there are many publications that give special fast addition algorithms for special instances of curves and fields. So we find an

### Open Problem 11

*Implement the addition algorithm efficiently for Jacobian varieties of curves of low genus (e.g., g ≤ 4) and find optimal equations (maybe depending on the field* \(\mathbb{F}_{q}\)*).*

### 3.2 Point Counting

A major task is the computation of the Frobenius endomorphism *π*_{q}.

This is motivated by the outstanding role this endomorphism plays in theory (Theorem 8) and practice (point counting).

Special (but nevertheless sufficiently “random”) instances are found by using the *CM*-theory and hence to *begin* with the **ring of endomorphisms** of Jacobians over \(\mathbb{C}\).

To compute the characteristic polynomial of *π*_{q} for large *q* and for “random” abelian varieties, one uses its action on an accessible vector space (usually a cohomology group) and an approximation algorithm. This becomes effective because of the Hasse-Weil estimates of the coefficients (Theorem 7).

- *étale cohomology* that leads to algorithms first introduced for elliptic curves by R. Schoof, which become practical for elliptic curves because of using isogenies instead of points (Atkin–Elkies), and so usually one calls them SEA-algorithms
- *p-adic cohomology* (work of Kedlaya, Vercauteren, Gerkmann, and many others)
- *p*-adic *lifting* by effective *p*-adic versions of Deuring’s lifting theorem (Theorem 10) for elliptic curves and versions for higher dimension (keyword *canonical lifts*) given by *p*-adic theta functions, cf. Open Problem 1 (work of Satoh, Lubicz, Carls, Mestre, and many others)
- *deformation* theory (geometric-algebraic or differential-geometric) (Lauder, M. Li)

An extensive discussion of these methods can be found in [ACF], Chapter 17.

**Result:** In cryptographically relevant ranges we get:

- We can count points on random elliptic curves.
- We can count points on Jacobians of random curves over fields of small (and even medium) characteristic.
- We still have problems with random curves of genus 2 (but see work of Gaudry and Schost [GS] and [CL]), and we have many *special* families of curves whose members are accessible for point counting (e.g., by CM-methods) ([ACF], Chapter 18).

### Open Problem 12

- 1. *Count points on Jacobians of genus 2 (without CM) and of genus 3 (with or without CM).*
- 2. *There is a lifting theorem for* ordinary *abelian varieties analogous to Deuring’s lifting theorem for elliptic curves.* *Study algorithmic aspects of the lifting theorems.*

### 3.3 Computation of Isogenies

We come back to the tasks formulated in Sect. 1.2.1 but now restricted to the case that \(K = \mathbb{F}_{q}\). One of the questions was: Can one, for given *A*, compute explicitly isogenies *η* as concrete functions?

An optimistic answer would be: yes, with complexity polynomial in \(\log (q),\dim (A),\deg (\eta )\).

*Y*_{0}(*n*). The basic work was done (after Deuring) by Vélu [V], and accelerations that make the algorithm efficient are due to Couveignes, Lercier, Elkies, and many others. These algorithms are responsible for the efficiency of point counting on elliptic curves by SEA-algorithms. It turns out that the cost for the computation of an isogeny of degree *ℓ* is

There are hopeful beginnings of a similar theory for genus 2 curves [CL, FLR, GS] that promise to become a fascinating area of mathematical research.

So we state it as an

### Open Problem 13

*Find effective formulas for isogenies between abelian varieties or Jacobian varieties of genus 2 and 3.*

The big disadvantage of the formulas for isogenies is that they are polynomial in the degree of the isogenies.

So they are only usable for isogenies of small degree. To repair this one uses more number theory and assumes in addition that the abelian variety is of CM-type with endomorphism ring *O* that is an order in a CM-field *K*. (For elliptic curves *E* this is equivalent with the condition that *E* is ordinary.)

We sketch the strategy.^{11}

An isogenous variety *A*^{′} has also CM with a ring of endomorphism *O*^{′} ⊂ *K*. First, assume that *O* ⊂ *O*^{′}. By definition *O* and *O*^{′} are lattices of dimension \(d =\dim (A)\) and so correspond to abelian varieties \(\tilde{A} = \mathbb{C}^{d}/O\) and \(\tilde{B} = \mathbb{C}^{d}/O^{{\prime}}\) (Example 6). The inclusion of \(O^{{\prime}}\) in *O* induces an isogeny from \(\tilde{A}\) to \(\tilde{B}\). If [*O*^{′}: *O*] is small, one can hope to describe the corresponding isogeny. (One has a good chance that in practical cases this will be so.)

The next step is to assume that *O* = *O*^{′} (or that at least the degree of the isogeny *η* one wants to compute is a prime not dividing [*O*^{′}: *O*]).

For simplicity assume that \(B\mathop{\cong}\tilde{B}\). Isogenies of degree *ℓ* to *B* correspond to ideals \(\mathfrak{L}\) in *O* with norm *ℓ*. But one has more freedom. Changing by isomorphisms means to change \(\mathfrak{L}\) by a principal ideal, and one of the main results of CM theory is that the isomorphism classes of abelian varieties with endomorphism ring *O* correspond to *ideal classes* of *O*. This gives an idea how to treat isogenies of large prime degree between abelian varieties with endomorphism ring *O*: one has to find prime ideals \(\mathfrak{p}_{1},\ldots,\mathfrak{p}_{k}\) in *O* with small norm and *k* “not large” such that \(\prod _{i}\,\mathfrak{p}_{i}\) is in the same ideal class as \(\mathfrak{L}\), and then compute the chain of isogenies with kernel \(\mathfrak{p}_{i}\). There are theorems in algebraic number theory (Minkowski’s theorem and smoothness results known from algorithms to factor numbers) and *heuristics* (like GRH) that predict that with a high probability, this search will be successful.

In the next paragraph we shall write down the results for isogenies of elliptic curves relying on these principles. We formulate already here the

### Open Problem 14

*Assume that*\(C_{1},\,\,C_{2}\)*are curves of genus 2 over*\(\mathbb{F}_{q}\)*with Jacobian varieties of CM-type that are isogenous.*

*Use CM theory to compute isogenies.*

**Finding Isogenies of Elliptic Curves over** \(\mathbb{F}_{q}\) A good part of the following results relies on the groundbreaking paper [K] of Kohel. We apply the considerations from above to ordinary elliptic curves *E*, *E*^{′} defined over \(\mathbb{F}_{q}\) with endomorphism ring *O*_{E}. It is evident that the class number *h*_{E} of *O*_{E} and so the discriminant \(\varDelta _{O_{E}}\) of *O*_{E} will play an important role. For random *E* we have to expect that *h*_{E} is of size \(\mathcal{O}(q^{1/2})\) and so that the algorithms to find isogenies are exponential in log(*q*). The beautiful result of Galbraith and Stolbunov in [GSt] is

### Theorem 15

*The cost for finding an isogeny between elliptic curves whose endomorphism ring is* \(O_{K_{E}}\) *is*

This result hints that for large *q* and randomly chosen *E*, it is hard to find isogenies, and in fact there are cryptographic schemes that propose to use this problem as a crypto primitive (for one version of such schemes, see Sect. 3.3.1 below).

In the discussion above, we have remarked that there are similarities with algorithms factoring numbers. In fact, an approach due to Jao and Soukharev shows (under “reasonable” heuristics like GRH) the following.

### Theorem 16 ([JS], Theorem 4.1)

*Assume that E is an ordinary elliptic curve given in Weierstrass form with given Frobenius endomorphism π*_{q} *(i.e.,* \(\vert E(\mathbb{F}_{q})\vert\) *is known) and endomorphism ring O*_{E}*.*

*Take* \(n \in \mathbb{N}\) *and assume that* \([O_{E}: \mathbb{Z}[\pi _{q}]]\) *is prime to* \(\vert E(\mathbb{F}_{q^{n}})\vert\) *and let* \(\mathfrak{L}\) *be an ideal of O*_{E} *whose norm is a prime number ℓ.*

*Take* \(P \in E(\mathbb{F}_{q^{n}})\)*.*

*Then there is an algorithm that computes an elliptic curve E*^{′} *and an isogeny*

*with kernel* \(\mathfrak{L}\) *and the X-coordinate of η(P) in running time that is polynomial in* \(\log (\ell),\,\log (q),\,n\) *and* **subexponential** *in* \(\log (\varDelta _{O_{E}})\) *(for the explicit estimate, see* [JS]*).*

#### 3.3.1 Two Applications

**Equivalence of Discrete Logarithms in Isogeny Classes** A very important crypto primitive for public-key cryptography is the discrete logarithm (DL) in the group of rational points \(E(\mathbb{F}_{q})\) of elliptic curves *E* over finite fields. The (till now justified) hope is that the complexity of *DL* is exponential in the order of the largest prime dividing \(\vert E(\mathbb{F}_{q})\vert\). But it is well known that one has to be careful since some elliptic curves (e.g., supersingular curves) can be attacked by algorithms with subexponential complexity. Very often, this is done by a transfer, i.e., by a *subexponentially computable* map into another group in which the DL is vulnerable (see [ACF], Chapter 22).

An obvious question is whether one can use isogenies as transfer maps.

The answer is no because of a very nice result that uses, besides the above discussed methods to compute isogenies, the equivalence of the isogeny graph of elliptic curves with the same ring of endomorphism over \(\mathbb{F}_{q}\) with a graph of ideals in this endomorphism ring (again Deuring’s lifting theorem is crucial). With properties of this graph induced by classical analytic number theory of imaginary quadratic number fields, one gets

### Theorem 17 (Jao et al. [JMV])

*Discrete logarithms in isogenous elliptic curves over*\(\mathbb{F}_{q}\)*are subexponentially equivalent.*

### Open Problem 15

*Prove the same result for Jacobian varieties of CM-type attached to curves C of genus 2.*

**The Couveignes–Stolbunov Crypto System** This system is a cryptosystem based on a *principally homogeneous space*.

*E* is ordinary. We denote by *S*_{E} the set of isomorphy classes (over \(\mathbb{F}_{p,\infty }\)) of elliptic curves \(E^{{\prime}}/\mathbb{F}_{q}\) with

Again we use the one-to-one correspondence between *S*_{E} and the ideal class group *Cl*(*O*) of *O*.

In fact, *S*_{E} is a *principal homogeneous* space with translation group *Cl*(*O*) with the following action:

Lift *E* to \(\tilde{E}\) (Deuring’s lifting theorem). Without loss of generality assume that the lattice defining \(\tilde{E}\) over \(\mathbb{C}\) is *O*. Take an ideal \(\mathfrak{a} \subset O\) with divisor class *c*.

Then *c* ⋅ [*E*] is the isomorphy class of the elliptic curves *E*^{′} whose Deuring lift is over \(\mathbb{C}\) defined by the lattice \(\mathfrak{a}\).

This can be used for a crypto system going back to Couveignes and implemented by Stolbunov.

As private key, take *c*, and as public key, the *j*-invariant of *E*^{′}.

To make this computable, one has to find in each ideal class of *O* an ideal that is the product of prime ideals with small norm. Hence, one has to use the same techniques as in Sect. 3.3.
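The Vélu step of Sect. 3.3 and the class-group action behind the Couveignes–Stolbunov system, as an added toy example (not code from the chapter or from the implementations it cites). It works over the constructed prime p = 107 and divides at each step by the unique subgroup of order 3 or 5 made of \(\mathbb{F}_{p}\)-rational points, so secrets are non-negative exponent vectors; all function names and parameters are assumptions of this sketch. The point count is constant along the walk (Theorem 8 (ii)), and both parties obtain the same *j*-invariant because the steps commute.

```python
# Toy parameters, constructed for this example (far too small for real use).
# p = 2 mod 3 and p = 2 mod 5, so E[3] and E[5] are never fully F_p-rational:
# if 15 | #E(F_p), exactly one subgroup of order 3 (and one of order 5)
# consists of F_p-rational points.
P_FIELD, ELLS = 107, (3, 5)

def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b, via Euler's criterion for each x."""
    n = 1                                       # the point at infinity
    for x in range(p):
        r = (x**3 + a*x + b) % p
        n += 1 if r == 0 else 2 if pow(r, (p - 1) // 2, p) == 1 else 0
    return n

def add(P, Q, a, p):
    """Group law on E; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3*x1*x1 + a) * pow(2*y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam*lam - x1 - x2) % p
    return x3, (lam*(x1 - x3) - y1) % p

def mul(k, P, a, p):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P, k = add(P, P, a, p), k >> 1
    return R

def subgroup(Q, a, p):
    """Nonzero elements of the cyclic group generated by Q."""
    G, R = [], Q
    while R is not None:
        G.append(R)
        R = add(R, Q, a, p)
    return G

def point_of_order(ell, a, b, p, n):
    """Rational point of prime order ell, given n = #E(F_p) with ell | n."""
    for x in range(p):
        r = (x**3 + a*x + b) % p
        y = next((y for y in range(p) if y*y % p == r), None)
        if y is not None:
            Q = mul(n // ell, (x, y), a, p)     # cofactor multiplication
            if Q is not None:
                return Q
    raise ValueError("no rational point of order %d" % ell)

def velu(a, b, p, G):
    """Codomain (a', b') of the isogeny with kernel G + infinity (odd order)."""
    v = w = 0
    for xq in {x for x, _ in G}:                # one representative per +-Q
        vq = 2 * (3*xq*xq + a)
        uq = 4 * (xq**3 + a*xq + b)             # = (2*y_Q)^2
        v, w = v + vq, w + uq + xq*vq
    return (a - 5*v) % p, (b - 7*w) % p         # Velu, short Weierstrass form

def j_invariant(a, b, p):
    return 1728 * 4*a**3 * pow((4*a**3 + 27*b*b) % p, -1, p) % p

def step(ell, a, b, p, n):
    """One isogeny of degree ell along the F_p-rational kernel."""
    return velu(a, b, p, subgroup(point_of_order(ell, a, b, p, n), a, p))

def act(exponents, curve, p, n):
    """Apply e_i steps of degree ELLS[i]; the exponent vector is the secret."""
    a, b = curve
    for ell, e in zip(ELLS, exponents):
        for _ in range(e):
            a, b = step(ell, a, b, p, n)
    return a, b

def find_start_curve(p):
    """First ordinary curve over F_p with 15 | #E(F_p) (brute-force search)."""
    for a in range(1, p):
        for b in range(1, p):
            if (4*a**3 + 27*b*b) % p:           # nonsingular
                n = count_points(a, b, p)
                if n % 15 == 0 and n != p + 1:  # trace != 0, i.e. ordinary
                    return (a, b), n
    raise ValueError("no suitable curve")

def key_exchange(curve, p, n, secret_a, secret_b):
    """j-invariants of both public keys and of both derived secrets."""
    pub_a, pub_b = act(secret_a, curve, p, n), act(secret_b, curve, p, n)
    sh_a, sh_b = act(secret_a, pub_b, p, n), act(secret_b, pub_a, p, n)
    return tuple(j_invariant(a, b, p) for a, b in (pub_a, pub_b, sh_a, sh_b))

if __name__ == "__main__":
    curve, n = find_start_curve(P_FIELD)
    print(curve, n, key_exchange(curve, P_FIELD, n, (2, 1), (1, 3)))
```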

### Remark 7

The system is slow for one cannot use a square and multiply algorithm.

It can be shown that the crypto primitive is NOT the DL in *Cl*(*O*), and so a direct application of Shor’s algorithm for quantum computers does not work. Nevertheless there is an algorithm using a quantum computer that breaks the system in subexponential time.

### 3.4 Constructions of Isogenies by Correspondences

We end by describing a general construction of isogenies between abelian subvarieties of Jacobian varieties. This construction can be done over arbitrary ground fields *K*. It is important in our context because of its immediate applications to DL systems attached to divisor classes of curves over finite fields.

**Correspondences** of curves *C*, *D* are induced by morphisms

*H* is a common cover of *C* and *D*) and application of conorm, respectively norm maps, on divisor class groups:

If the degrees of *f*_{i} are not too large, one can compute the maps on divisor classes explicitly.

*C* with a cover

*H* the Galois closure of this cover and for *D* the fixed curve under a subgroup of the Galois group (“monodromy group”) of *f*. By this, one has natural connections with *Hurwitz spaces* and their very rich theory ([FK1] and [FK2]).

One example for this method is Weil descent if \(\mathbb{F}_{q}\neq \mathbb{F}_{p}\) that may transfer a seemingly hard DL problem to an easier one.

Another example was worked out in [FK2] explaining B. Smith’s isogeny of degree 8 mapping hyperelliptic curves of genus 3 to *non*-hyperelliptic curves of genus 3 (and so weakening the DL [Di]). The result of Smith is

### Theorem 18 (Smith)

*There are* \(\mathcal{O}(q^{5})\) *isomorphism classes of hyperelliptic curves of genus 3 defined over* \(\mathbb{F}_{q}\) *for which the discrete logarithm in the divisor class group of degree 0 has complexity* \(\mathcal{O}(q)\)*, up to log-factors.*

*Since* \(\vert \mathrm{Pic}^{0}(C)\vert = \mathcal{O}(q^{3})\)*, the DL system of these hyperelliptic curves of genus 3 is weak.*

To get this result Smith has to use certain heuristics.

The advantage of the approach by Hurwitz spaces is, besides delivering a structural background, that these spaces are often accessible for explicit description. For instance, in the case discussed here, one can determine the four-dimensional subspace in the moduli space of hyperelliptic curves of genus 3 consisting of curves that are in the image of Smith’s isogeny, and so justify his heuristics [FK3].

### Open Problem 16

*Find interesting correspondences of low degree between Jacobian varieties induced by correspondences between curves and (possibly) attached to Hurwitz spaces.*

## Footnotes

- 1. That is the tangent space of every point of *E*_{a} has dimension 1; see [ACF], Sect. 4.4.1.
- 2. That is, irreducible as variety over *K*_{s}.
- 3. For example, by homogenous equations.
- 4. See Definition 2.81 in [ACF] or any textbook on algebraic number theory.
- 5. Caution for specialists: because of the existence of twists, *Y*_{0} is only a coarse moduli space.
- 6. \(\mathbb{Z}_{\ell}\) is the ring of *ℓ*-adic integers and \(\mathbb{Q}_{\ell}\) the field of *ℓ*-adic numbers (see [ACF]).
- 7. The tangent space of every point of *C* has dimension 1, see [ACF], Sect. 4.4.1
- 8. Poles give rise to negative “order of vanishing”.
- 9. For *p* | 6, see [ACF] 13.1.1 and 13.3.
- 10. That is, the normalized valuation attached to \(\tilde{\mathfrak{p}}\) is a continuation of the one attached to \(\mathfrak{p}.\)
- 11. In the following we simplify by looking at abelian varieties with *principal polarization* (e.g., Jacobian varieties) and then neglect some more subtle points concerning these polarizations.

### References

- [ACF] H. Cohen, G. Frey (eds.), *Handbook of Elliptic and Hyperelliptic Curve Cryptography* (CRC, Providence, 2005)
- [CL] R. Carls, D. Lubicz, A p-adic quasi-quadratic time point counting algorithm. Int. Math. Res. Not. **4**, 698–735 (2009)
- [De] M. Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abh. Math. Sem. Hamb. **14**, 197–272 (1941)
- [Di] C. Diem, An index calculus algorithm for plane curves of small degree, in *Proceedings of ANTS VII*, ed. by F. Heß, S. Pauli, M. Pohst. Lecture Notes in Computer Science, vol. 4076 (Springer, Berlin, 2006), pp. 543–557
- [Fa] G. Faltings, Endlichkeitssätze für abelsche Varietäten über Zahlkörpern. Invent. Math. **73**, 349–366 (1983)
- [FLR] J.-Ch. Faugère, D. Lubicz, D. Robert, Computing modular correspondences for abelian varieties. J. Algebra **343**, 248–277 (2011)
- [FK1] G. Frey, E. Kani, Curves of genus 2 with elliptic differentials and associated Hurwitz spaces. Cont. Math. **487**, 33–82 (2009)
- [FK2] G. Frey, E. Kani, Correspondences on hyperelliptic curves and applications to the discrete logarithm, in *Proceedings of SIIS, Warsaw 2011*, ed. by P. Bouvry, M. Klopotek, F. Leprévost, M. Marciniak, A. Mykowiecka, H. Rybiński. Lecture Notes in Computer Science, vol. 7053 (Springer, Berlin, 2012), pp. 1–19
- [FK3] G. Frey, E. Kani, Normal Forms of Hyperelliptic Curves of Genus 3, preprint
- [Fr1] G. Frey, On ternary equations of Fermat type and relations with elliptic curves, in *Modular Forms and Fermat’s Last Theorem*, ed. by G. Cornell, J.H. Silverman, G. Stevens (Springer, New York, 1997), pp. 527–548
- [Fr2] G. Frey, Applications of arithmetical geometry to cryptographic constructions, in *Proceedings of Finite Fields and Application* (2001), pp. 128–161
- [Fr3] G. Frey, Relations between arithmetic geometry and public key cryptography. Adv. Math. Commun. **4**, 281–305 (2010)
- [GSt] St. Galbraith, A. Stolbunov, Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. **24**, 107–131 (2013)
- [GS] P. Gaudry, E. Schost, Hyperelliptic point counting record: 254 bit jacobian, June 2008. http://webloria.loria.fr/~gaudry/record127
- [Ha] C. Hall, An open-image theorem for a general class of abelian varieties. Bull. Lond. Math. Soc. **43**, 703–711 (2011)
- [He] F. Heß, Computing Riemann–Roch spaces in algebraic function fields and related topics. J. Symb. Comput. **33**(4), 425–445 (2002)
- [JMV] D. Jao, S.D. Miller, R. Venkatesan, Do all elliptic curves of the same order have the same difficulty of discrete log?, in *Advances of Cryptology-Asiacrypt 2005*. Lecture Notes in Computer Science, vol. 3788 (Springer, Berlin 2005), pp. 21–40
- [JS] D. Jao, V. Soukharev, A subexponential algorithm for evaluating large degree isogenies, in *Algorithmic Number Theory* (Springer Berlin 2010), pp. 219–233
- [K] D. Kohel, Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, Berkeley, 1996
- [Le] R. Lercier, Algorithmique des courbes elliptiques dans les corps finis. Thèse, LIX-CNRS, 1997
- [LR] D. Lubicz, D. Robert, Computing isogenies between abelian varieties. Compos. Math. **148**, 1483–1515 (2012)
- [M1] D. Mumford, *Abelian Varieties* (Oxford University Press, Oxford, 1970)
- [M2] D. Mumford, On the equations defining abelian varieties I–III. Invent. Math. **1**, 287–354 (1967); Invent. Math. **3**, 75–135 (1967); Invent. Math. **3**, 215–244 (1967)
- [Oe] J. Oesterlé, Versions effectives du théorème de Chebotarev sous l’hypothèse de Riemann généralisée. Astérisque **61**, 165–167 (1979)
- [R] K. Ribet, On modular representations of \(G(\bar{\mathbb{Q}}\vert \mathbb{Q})\) arising from modular forms. J. Math. **100**, 431–476 (1990)
- [Se1] J.P. Serre, Propriétés galoisiennes des points d’ordre fini des courbes elliptiques. Invent. Math. **15**, 259–331 (1972)
- [Se2] J.P. Serre, Résumé des cours de 1985–1986 (Annuaire du Collège de France, 1986)
- [S] B. Smith, Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves, in *Advances in Cryptology: EUROCRYPT 2008, Istanbul*. Lecture Notes in Computer Science, vol. 4965 (2008)
- [T] J. Tate, Endomorphisms of abelian varieties over finite fields. Invent. Math. **2**, 134–144 (1966)
- [V] J. Vélu, Isogénies entre courbes elliptiques. C.R. Acad. Sci. Paris Ser. A **273**, 238–241 (1971)