Isogenies in Theory and Praxis

Chapter

Abstract

We want to give an overview on arithmetical aspects of abelian varieties and their torsion structures, isogenies, and resulting Galois representations. This is a wide and deep territory with a huge amount of research activity and exciting results ranging from the highlights of pure mathematics like the proof of Fermat’s last theorem to stunning applications to public-key cryptography. Necessarily we have to be rather superficial, and thus specialists in the different aspects of the topics may be disappointed. But I hope that for many, and in particular for young researchers, the chapter may serve as an appetizer and will raise interest for a fascinating area of mathematics with many open problems (some are very hard and worth a Fields Medal but others are rather accessible).

The first section of the chapter gives basic notions, definitions, and properties of abelian varieties. Disguised as examples one will find their theory over the complex numbers \(\mathbb{C}\) and the special case of elliptic curves. The second section discusses the situation over finite fields, in particular the role of the Frobenius endomorphism, and over number fields where the most interesting results and challenging conjectures occur. Finally we discuss algorithmic aspects of isogenies, mostly of elliptic curves, and relations to cryptography.

1 General Theory

We begin by explaining the background of the subjects we shall discuss in the chapter. Instead of citing a large number of original papers, we mostly refer to the handbook [ACF] where the reader can find all relevant items mentioned below discussed on different levels of abstraction and with an extensive bibliography helping to go deeper to details in his/her favorite subjects. The second standard reference will be [M1] where the background for abelian varieties is explained.

1.1 Abelian Varieties

1.1.1 Notations and Definitions

In the whole chapter K denotes a field with char(K) = p ≥ 0, and overfields containing K are denoted by L.

Ks is a fixed separable closure of K.

The absolute Galois group\(G_{K} = \mathrm{Aut}_{K}(K_{s})\) is the group of field automorphisms of Ks that leave elements of K fixed.

GK has a natural topology as profinite group in which subgroups of finite index form a system of neighborhoods of the unit element. It is important that GK is compact with respect to this topology.

Affine Varieties Affine varieties \(V _{a} \subset \mathbb{A}^{n}\) are zero sets of ideals \(I_{V _{a}}\) with coordinate ring\(K[X_{1},\ldots,X_{n}]/I_{V _{a}}\) and, if \(I_{V _{a}}\) is a prime ideal, with function field \(F_{V _{a}} = \mathit{Quot}(K[X_{1},\ldots,X_{n}]/I_{V _{a}})\). In this case V is irreducible in the Zariski topology and the dimension \(\dim (V _{a})\) of Va is the transcendental degree of \(F_{V _{a}}\) over K.

Example 1

  1. 1.

    \(\mathbb{A}^{n}\) is the affine space defined by the zero ideal in \(K[X_{1},\ldots,X_{n}]\).

     
  2. 2.
    Take n = 2 and \(I_{a} =<f(X_{1},X_{2})> \neq \{0\}\). Then Va is the plane affine curve defined by the equation
    $$\displaystyle{f(X_{1},X_{2}) = 0.}$$
    Its coordinate ring is \(K[X_{1},X_{2}]/ <f(X_{1},X_{2})>\).

    It is irreducible iff \(f(X_{1},X_{2})\) is an irreducible polynomial.

    In this case F(Va) is an algebraic extension of K(Xi) iff \(f(X_{1},X_{2})\) is not constant as function of Xi.

     
For overfields L of K define
$$\displaystyle{V _{a}(L) =\{ x = (x_{1},\ldots,x_{n}) \in L^{n};\,\,f(x) = 0\,\forall f \in I_{ V _{a}}\}.}$$
So \(\mathbb{A}^{n}(L) = L^{n}\).

A morphism ϕ is a polynomial map from Va to an affine variety Wa.

It induces a map ϕ of the coordinate ring of Wa to the coordinate ring of Va, which extends to an inclusion
$$\displaystyle{F_{W_{a}}\hookrightarrow F_{V _{a}}}$$
if the ideals defining Wa and Va are prime ideals.

Example 2

Let Va be an irreducible plane affine curve. Take \(W_{a} = \mathbb{A}^{1}\), \(\phi (X_{1}) = X_{1}\), ϕ(X2) = 0.

Then ϕ is the projection of Va to the line X2 = 0.

Assume that ϕ is not the constant map. Then ϕ induces the natural injection \(K(X_{1}) \subset K(X_{1},X_{2}).\)

Projective Varieties The next important step is to define projective varieties. Recall that a polynomial \(F(Y _{0},\ldots,Y _{n})\) is homogenous of degree d iff every monomial occurring in F with coefficient ≠ 0 has degree d.

An ideal \(I \subsetneq K[Y _{0},\ldots,Y _{n}]\) is homogenous iff it is generated by homogenous polynomials.

For elements \(y,y^{{\prime}}\) in \(L^{n+1}\setminus \{(0,0,\ldots 0)\}\), define
$$\displaystyle{y \sim y^{{\prime}}\mbox{ iff there is }\lambda \in L^{{\ast}}\mbox{ with }y =\lambda \cdot y^{{\prime}}.}$$
A projective variety V defined over K is the zero set \(\mod \sim\) of a homogenous ideal \(I_{V } \subset K[Y _{0},\ldots,Y _{n}]\) for appropriate n. The L-rational points of V are
$$\displaystyle{\{y = (y_{0},\ldots,y_{n}) \in L^{n+1};f(y) = 0\forall f \in I_{ V }\}/ \sim.}$$

Example 3

  1. 1.

    The projective space \(\mathbb{P}^{n}/K\) is the projective variety defined by the zero ideal in \(K[Y _{0},\ldots,Y _{n}]\). Its L-rational points are \(\mathbb{P}^{n}(L) = L^{n+1}/ \sim.\)

     
  2. 2.
    Take n = 2 and I = < F(X, Y, Z) > where F is a homogenous polynomial of degree d. Then V is the plane projective curve defined by the equation
    $$\displaystyle{F(X,Y,Z) = 0}$$
    It is irreducible iff F is an irreducible polynomial.
     
Affine Covers of Projective Varieties We recall the easy observation that every homogenous polynomial \(F(Y _{0},\ldots,Y _{n})\) can be transformed into n + 1 polynomials \(f_{j}(X)\) (\(j = 0,\ldots,n\)) in n variables by the transformation
$$\displaystyle{t_{j}: Y _{i}\mapsto X_{i}:= Y _{i}/Y _{j}.}$$
We remark that tj can be interpreted as rational map from \(\mathbb{P}^{n}\) to \(\mathbb{A}^{n}\) which is defined and bijective when restricted to Uj consisting of points with Yj coordinates ≠ 0. By the inverse transform, we embed \(\mathbb{A}^{n}\) into \(\mathbb{P}^{n}\) and so Uj is isomorphic to \(\mathbb{A}^{n}\) as affine variety. Inside of \(\mathbb{P}^{n}\) it is an open subset in the Zariski topology.

As result we get a finite open covering of \(\mathbb{P}^{n}\) by n + 1 affine subspaces.

Remark 1

There are many possibilities to find such covers. But having chosen homogenous coordinates \((Y _{0},\ldots,Y _{n})\), the above cover is rather usual, and one occasionally calls the projective variety \(U_{0}: Y _{0} = 0\) “infinite hyperplane.”

Having an affine cover Uj of \(\mathbb{P}^{n}\), one can intersect it with projective varieties V and get
$$\displaystyle{V =\bigcup _{j}V _{j,a}\mbox{ with }V _{j,a}:= V \cap U_{j}}$$
as union of affine varieties.
Converse process: Given a polynomial \(f(X_{1},\ldots,X_{n})\) of degree d, we get a homogenous polynomial \(f^{h}(Y _{0},\ldots,Y _{n})\) of degree d by the transformation
$$\displaystyle{X_{i}\mapsto Y _{i}/Y _{0}\mbox{ for }i = 1,\ldots,n}$$
and then clearing denominators.

Assume that Va is an affine variety with ideal \(I_{a} \subset K[X_{1},\ldots,X_{n}]\). By applying the homogenization explained above to all polynomials in Ia, we get a homogenous ideal \(I_{a}^{h} \subset K[Y _{0},\ldots,Y _{n}]\) and a projective variety \(V\) with ideal \(I_{a}^{h}\) containing Va in a natural way.

V is called a projective closure of Va.

A bit misleading one calls \(V \cap U_{0} = V \setminus V _{a}\) “infinite points” of Va.

Example 4

Take
$$\displaystyle{f(X_{1},X_{2}) = X_{2}^{2}+a_{ 1}X_{1}X_{2}+a_{3}X_{2}-X_{1}^{3}-a_{ 2}X_{1}^{2}-a_{ 4}X_{1}-a_{6}\mbox{ with }a_{i} \in K}$$
and denote by Ea the corresponding affine plane curve.
Introducing the variable Y0, we define the homogenized polynomial
$$\displaystyle{F(Y _{0},Y _{1},Y _{2}) = Y _{0}Y _{2}^{2}+a_{ 1}Y _{0}Y _{1}Y _{2}+a_{3}Y _{0}^{2}Y _{ 2}-Y _{1}^{3}-a_{ 2}Y _{0}Y _{1}^{2}-a_{ 4}Y _{0}^{2}Y _{ 1}-a_{6}Y _{0}^{3}.}$$
The corresponding plane projective curve is denoted by E.

Then E∖ Ea consists of exactly one point P that is the projective class of (0, 0, 1).

Remark 2

Example 4 introduces an important object. If Ea has no singular points,1 then Ea is an elliptic curve given by a Weierstrass equation (see Definition 3).

A morphism between projective varieties V and W is a map from V to W that is, restricted to any affine piece of V, an affine morphism (i.e., a polynomial map) to an affine piece of W.

If V is a projective variety whose ideal IV is a prime ideal, then the function field FV of V is the function field of a non-empty affine Zariski-open part Va of V. (This is independent of the choice of Va.)

In this case the dimension of V is the transcendental degree of FV over K.

Group Schemes For more details and proofs concerning the following notions and results, we refer to [ACF] or [M1], Chap. III, 11.

Definition 1

A group scheme is an affine or projective variety G with a morphism
$$\displaystyle{\oplus: G \times G \rightarrow G,}$$
the addition law, a morphism
$$\displaystyle{\iota: G \rightarrow G,}$$
the inversion morphism and a unit element
$$\displaystyle{e \in G(K),}$$
in a more highbrow language, the zero section, satisfying the axioms of composition in groups interpreted in the language of morphisms.
  1. 1.
    Associativity expressed as identity between maps from G × G × G to G:
    $$\displaystyle{\oplus \circ (\oplus \times \mathit{id}_{G}) = \oplus \circ (\mathit{id}_{G} \times \oplus ).}$$
     
  2. 2.
    Existence of a neutral element:
    $$\displaystyle{\oplus _{\vert \{e\}\times G} = \mathit{pr}_{2}(\{e\} \times G)}$$
    where pr2 is the projection to the second factor of the Cartesian product.
     
  3. 3.
    Existence of inverse elements:
    $$\displaystyle{\oplus \circ (\mathit{id}_{G}\times \iota )}$$
    is the constant map with image point e.
     

If the addition law is commutative, i.e., it is compatible with interchanging the components in G × G, then G is a commutative group scheme.

We remark that for all overfields L of K, we get that G(L) is a group; the addition law in G(L) is given by rational functions with coefficients in K, and so for all fields \(K \subset L \subset K_{s}\), the Galois group GL acts on G(Ks) with \(G(L) = G(K_{s})^{G_{L}}\).

Example 5

Define μn as affine variety with ideal generated by
$$\displaystyle{X_{1}^{n} - 1}$$
or homogeneously by
$$\displaystyle{Y _{1}^{n} - Y _{ 0}^{n}.}$$
Define
$$\displaystyle{\oplus:\mu _{n} \times \mu _{n} \rightarrow \mu _{n}}$$
by
$$\displaystyle{(X_{1},X_{2})\mapsto Z_{1} = X_{1} \cdot X_{2}.}$$
e is the point X1 = 1 and \(\iota (X_{1}):= X_{1}^{n-1}\).

The resulting group scheme is the scheme of the nth roots of unity.

For overfields L of K, one gets that G(L) is the group of elements ζ in L with ζn = 1.

Here comes the key subject for the chapter:

Definition 2

An abelian variety A is an absolutely2irreducible projective group scheme.

Because of the importance for theory and practice, the case d = 1 deserves an extra definition.

Definition 3

An abelian variety of dimension 1 is called elliptic curveE.

Theorem 1

Let A be an abelian variety. Then A is a commutative group scheme, and hence, A(L) is an abelian group.

A proof of this result can be found in [M1], Chap. 2.4.

Example 6 (Abelian varieties over \(\mathbb{C}\))

We shall sketch the “classical” case: \(K = \mathbb{C}\). For details we refer to [ACF], Section 5.1 or [M1], Chapter I.

Projective varieties are compact analytic varieties.

Let A be an abelian variety over \(\mathbb{C}\) and denote by \(A_{\mathbb{C}}\) the associated analytic variety. From the classification of compact commutative Lie groups it follows that
$$\displaystyle{A_{\mathbb{C}}\mathop{\cong}\mathbb{C}^{d}/\varLambda \mbox{ with }d =\dim (A)}$$
and
$$\displaystyle{\varLambda = \mathbb{Z}^{d} \oplus \varOmega \mathbb{Z}^{d}}$$
with symmetric period matrix Ω whose imaginary part Im(Ω) is positive definite. Hence, \(\varOmega\) is an element in the Siegel upper half plane\(\mathbb{H}_{d}\). Ω is determined up to transformations with elements in \(\mathit{Sp}(d, \mathbb{Z})\), the group of symplectic matrices with determinant 1 and integral entries.

The equivalence classes of elements of \(\mathbb{H}_{d}\) modulo \(\mathit{Sp}(d, \mathbb{Z})\) form a moduli space for abelian varieties of dimension d defined over C.

It is worthwhile to look at the special case d = 1, i.e., A is an elliptic curve E.

Ω is a 1 × 1 matrix with entry
$$\displaystyle{\tau \in \mathbb{H}:=\{ z \in \mathbb{C};\mathit{Im}(z)> 0\}.}$$
τ is unique up to Möbius transformations
$$\displaystyle{z\mapsto \frac{\mathit{az} + b} {\mathit{cz} + d}}$$
with elements \(\left (\begin{array}{ll} a&b\\ c &d \end{array} \right ) \in \mathit{Sl}(2, \mathbb{Z})\). To emphasize this connection we sometimes denote E by Eτ.

To find an equation for the curve E, one uses the j-function and so defines a one-to-one cover map from \(\mathbb{H}/\mathit{Sl}(2/\mathbb{Z})\) to the affine line.

This very explicit theory provokes the question:

Can one find algebraic versions of period matrixes to define explicit moduli spaces for abelian varieties?

For d = 1 we have the very satisfying algebraic theory of elliptic curves that will be discussed below.

Much more difficult is the situation for d > 1.

The first groundbreaking step was done in a series of three celebrated papers of Mumford [M2] where he “translated” the classical theory of theta functions into an algebraic frame and introduced theta groups and used theta null points to define points corresponding to abelian varieties (with level structure) on the moduli space.

From the computational point of view, this representation is not optimal since the degree of the defining equations and the number of variables is large. An enormous step forward is done by recent work of Lubicz, Robert, Faugère, Gaudry and others and can be found in the beautiful paper [LR].

It opens a wide area for computational research, and so we encourage to go deeper to the (partly solved)

Open Problem 1

Find fast algorithms to compute moduli points for given3abelian varieties over finite or\(\mathfrak{p}\)-adic fields, and conversely, attach to moduli points the corresponding abelian varieties with addition law as explicit and efficient as possible.

1.2 Homomorphisms of Group Schemes

Let \(G_{1},G_{2}\) be group schemes defined over K.

Definition 4

  1. 1.
    A morphism
    $$\displaystyle{\phi: G_{1} \rightarrow G_{2}}$$
    is a homomorphism iff it is compatible with the addition laws in Gi, i.e.,
    $$\displaystyle{\oplus _{G_{2}} \circ (\phi \times \phi ) =\phi \circ \oplus _{G_{1}}.}$$
    In particular, ϕ induces a group homomorphism from G1(L) to G2(L) that is given by rational functions defined over K and hence compatible with the action of GK on points over Ks.

    The set of homomorphism from G1 to G2 defined over K is denoted by \(\mathrm{Hom}_{K}(G_{1},G_{2})\).

     
  2. 2.

    The kernel kerϕ is the scheme-theoretical inverse image of the zero section of G2 under ϕ.

    It is a subgroup scheme of G1.

    Its Ks-rational points are the Ks-rational points of G1 mapped under ϕ to \(e_{G_{2}}\).

     
  3. 3.
    \(\phi \in \mathrm{ Hom}_{K}(G_{1},G_{2})\) is an isogeny iff:
    1. (a)

      ker(ϕ) is a finite group scheme.

       
    2. (b)

      The image under ϕ of the connected component of the unit element of \(G_{1}^{0}\) of G1 in the Zariski topology has the same dimension as the connected component of the unit element of G2. For instance, if G1 and G2 are irreducible, then \(\dim (G_{1}) =\dim (G_{2})\).

       
     

1.2.1 Isogenies of Abelian Varieties

Let A, B be abelian varieties.

First we note a remarkable “rigidity property” of abelian varieties.

Theorem 2

A morphism
$$\displaystyle{\phi: A \rightarrow B}$$
is a homomorphism iff\(\phi (0_{A}) = 0_{B}\).

The proof can be found in [M1], Chapter II, Corollary 1.

Now assume that \(\phi \in \mathrm{ Hom}_{K}(A,B)\) is an isogeny.

By definition ker(ϕ) is a finite group scheme and \(\dim A =\dim B\). So ϕ induces an embedding ϕ of finite index of the function field FB into FA.

The degree of ϕ is \([F_{A}:\phi ^{{\ast}}(F_{B})]\), its separable degree is \([F_{A}:\phi ^{{\ast}}(F_{B})]_{s}\mathit{ep}\).

ϕ is separable if its degree is equal to its separable degree, and this is so iff ker(ϕ) is an étale group scheme.

In this case
$$\displaystyle{\vert \ker (\phi )(K_{s})\vert =\deg (\phi )}$$
and ker(ϕ)(Ks) is a GK-module that determines ϕ uniquely.

Example 7

Take \(n \in \mathbb{N}\) and A = B. Define the map [n] as n − 1-fold composition of ⊕A.

Then [n] is an isogeny that maps A to A and hence is an isogeny in \(\mathrm{End}_{K}(A):=\mathrm{ Hom}_{K}(A,A).\)

The kernel of [n] is denoted by A[n] and its points are called n-torsion points.

[n] is separable iff n is prime to char(K) = p.

The separable degree of [p] is pk with \(0 \leq k \leq \dim _{K}(A)\). k is the p-rank of A and A is ordinary iff \(k =\dim _{K}(A)\).

Scalar Multiplication We assume that A is an abelian variety of positive dimension.

For negative integers z, define \([z] =\iota _{A}[-z]\) and denote by [0] the constant map with image eA. One checks very easily that these definitions yield an injection of \(\mathbb{Z}\) into EndK(A). We mention without proof that one knows more: For “generic” abelian varieties we get that \(\mathrm{End}_{K}(A) = \mathbb{Z}\), and abelian varieties for which this equality does not hold have usually interesting properties (see Example 8 below for elliptic curves).

The induced operation of \(\mathbb{Z}\) on A is called scalar multiplication and is very important both for theoretical and practical applications. Hence, there is much work invested in order to develop fast algorithms to evaluate [n].

A prominent example is to expand n dyadically and then use addition and doubling (i.e., evaluation of [2]) to get an algorithm of complexity polynomially in log(n). But there are many more refined ways applicable in generic or specific situations (e.g., using fast inversion, “dividing” by 2, using [3], and using the Montgomery ladder). Though a lot of work is done and there is a vast literature (see, for instance [ACF], Chapter 9), there is still room for faster algorithms in special situations. This is an interesting research area and motivates to formulate an

Open Problem 2

Try to find optimal algorithms for scalar multiplication in interesting instances.

Remark 3

Isogenies of abelian varieties are “quasi-isomorphisms”:to \(\phi: A \rightarrow B\) there exists an isogeny \(\varPsi: B \rightarrow A\) such that \(\varPsi \circ \phi = [\deg (\phi )]\). Hence, to be isogenous defines an equivalence relation defining isogeny classes of abelian varieties.

Example 8

We continue the discussion given in Example 6 and assume that A, B are abelian varieties over \(\mathbb{C}\) of dimension dA and dB with lattices ΛA and ΛB.

Homomorphisms from A to B correspond to homomorphisms of the attached compact Lie algebras and hence are given by linear maps:
$$\displaystyle{\alpha: \mathbb{C}^{d_{A} } \rightarrow \mathbb{C}^{d_{B} }}$$
with the additional property that
$$\displaystyle{\alpha (\varLambda _{A}) \subset \varLambda _{B}.}$$
As a consequence we get that, up to isomorphisms, the isogenies from an abelian variety A correspond to sublattices ΛB of rank dA of ΛA, and the degrees of the isogenies are equal to the indices of the sublattices in ΛA.

In particular, the degree of [n] is \(n^{2\dim (A)}\).

As application we determine the endomorphisms of elliptic curves Eτ given by the lattice \(\mathbb{Z} \oplus \tau \mathbb{Z}\) with \(\tau \in \mathbb{H}\). We look for isogenies η attached to \(\alpha \in \mathbb{C}\) such that \(\alpha =\mu _{1} +\mu _{2}\tau\) and \(\alpha \cdot \tau =\lambda _{1} +\lambda _{2}\tau\) with \(\mu _{i},\lambda _{i} \in \mathbb{Z}\). Hence,
$$\displaystyle{\mu _{2}\tau ^{2} + (\mu _{ 1} -\lambda _{2})\tau -\lambda _{1} = 0}$$
and so we get that either μ2 = 0 and so η = [μ1] or τ satisfies a quadratic polynomial over \(\mathbb{Q}\) and all isogenies of Eτ are given by elements α in the imaginary quadratic field \(\mathbb{Q}(\tau )\).

A closer look (see [De]) using more properties of elliptic curves shows that τ is an algebraic integer and that the isogenies of Eτ form an order4Oτ in \(\mathbb{Q}(\tau )\).

It follows

Theorem 3

The ring of endomorphism of elliptic curves E over fields of characteristic 0 is either equal to\(\mathbb{Z}\)(generic case) or equal to an order in an imaginary quadratic field. In the second case, the period τ of E (interpreted in an obvious way over\(\mathbb{C}\)) is an integer in an imaginary quadratic field, and E hascomplex multiplication(or is a CM curve).

In particular, the ring of endomorphisms of an elliptic curves defined over a field of characteristic 0 is commutative.

Isogenies of Elliptic Curves and Modular Curves

Let E be an elliptic curve defined over K.

A separable isogeny of E can be composed by a cyclic isogeny η of E of degree n (i.e., ker(η)(Ks) is a GK- invariant cyclic subgroup of order n in E[n](Ks)) followed by a scalar multiplication.

Turning things round we look, for n prime to p, for the functor that associates to overfields L of K all pairs

$$\displaystyle{\{(E,C_{n})/L;\,\, C_{n}\,\,E\mbox{ elliptic curve over }L,\,C_{n} \subset E(K_{s})\mbox{ cyclic of order }n,\,G_{L}\mbox{ -invariant}\}/ \sim }$$

where ∼ denotes equivalence modulo isomorphisms of pairs.

This functor defines a moduli problem (over K) that has for \(K = \mathbb{C}\) a geometric presentation. That means that there is a curve over \(\mathbb{C}\) such that its points parameterize the above-described pairs for \(K = \mathbb{C}\). The necessary ingredients for the construction of this curve are contained in Examples 6 and 8.

To be explicit, define
$$\displaystyle{Y _{0}(N)_{\mathbb{C}} = \mathbb{H}/\varGamma _{0}(n)}$$
with
$$\displaystyle{\varGamma _{0}(n) = \left \{\left (\begin{array}{ll} a&b\\ c &d \end{array} \right ) \in \mathit{Sl}(2, \mathbb{Z})\,\,c \equiv 0\mod n\right \}.}$$
This is an affine curve with a natural cover map to the affine line \(\mathbb{H}/\mathit{Sl}(2, \mathbb{Z})\) parameterizing isomorphy classes of elliptic curves over C. Since isogenies of degree n of elliptic curves correspond to inclusions of lattices with index n, it follows that the points on \(X_{0}(N)(\mathbb{C})\) parameterize isomorphy classes of pairs (E, η) of elliptic curves E with cyclic isogenies η of degree N over \(\mathbb{C}\).
By general principles this yields the existence of the modular curve
$$\displaystyle{Y _{0}(n)\mbox{ defined over }\mathbb{Z}[1/n]}$$
with Y0(N) isomorphic to \(Y _{0}(N)_{\mathbb{C}}\) over \(\mathbb{C}\) with the property that elements in Y0(n)(K) correspond to elliptic curves with cyclic isogenies of degree n.5

Y0(n) and its projective completion X0(n) (obtained by adding “cusps”) is explicitly known and very well understood. It has a rich structure (keywords: Hecke operators and modular forms) that is responsible for deep connections with number theory, and we shall see below how the determination of rational points on modular curves leads to very interesting diophantine results and conjectures and hence to (deep and difficult) open problems.

We go back to the general situation and assume that A, B are abelian varieties over K. In the context of isogenies, natural questions arise, which we formulate as Tasks:
  1. 1.

    Decide whether A and B are isogenous,

     
  2. 2.

    If A is isogenous to B, find an isogeny (of low degree).

     
  3. 3.

    Compute explicitly the image B of a given isogeny of A when its kernel is known.

     
  4. 4.

    Compute explicitly the isogeny map from A to B if the kernel of the isogeny is known.

     

For elliptic curves a lot is known to solve these tasks (see [Le]). Nevertheless algorithmic problems are still open and challenging. We shall come back to this below.

The situation is much more difficult and unclear for higher dimensional abelian varieties. Here a big step forward (in particular for task 3) is made in [LR] and [FLR]. But many questions remain widely open if one asks the questions in this generality. For special cases the situation may be much better. As example see [S] or [FK2]. So it is a challenging

Open Problem 3

Find interesting instances for which the tasks formulated above can be solved at least partly.

1.2.2 -Adic and Galois Representations

The main reference for this subsection is [M1], Chapter IV. The facts with examples but mostly without proof can be found in [ACF].

Let as usual A be an abelian variety of dimension d and take \(n \in \mathbb{N}\). In the whole subsection, we assume that n is prime to char(K).

We shall study A[n] and derived objects.

For \(K = \mathbb{C}\), it follows from Example 6 that as abelian groups
$$\displaystyle{A[n]\mathop{\cong}(\mathbb{Z}/n)^{2d}.}$$
By general arguments like Lefschetz principle and Hensel’s lemma, we get that this is true in general:
$$\displaystyle{A[n](K_{s})\mathop{\cong}(\mathbb{Z}/n)^{2d}.}$$
GK acts on A[n] and so yields a representation
$$\displaystyle{\rho _{A,n}: G_{K} \rightarrow \mathrm{Aut}((\mathbb{Z}/n)^{2d})}$$
or, after a choice of a base in A[n],
$$\displaystyle{\rho _{A,n}: G_{K} \rightarrow \mathit{Gl}(2d, \mathbb{Z}/n).}$$
Take a prime p and n = k and use the natural maps
$$\displaystyle{[\ell]: A[l^{k+1}] \rightarrow A[\ell^{k}]}$$
to define the projective limit
$$\displaystyle{T_{\ell}(A):=\mathop{ \lim \nolimits }\limits_\longleftarrow _{k}A[\ell^{k}],}$$
the -adic Tate module of A.

It follows that \(T_{\ell}(A)\mathop{\cong}(\mathbb{Z}_{\ell})^{2d}\) and that \(V _{\ell}(A):= T_{\ell}(A) \otimes \mathbb{Q}_{\ell}\) is a \(\mathbb{Q}_{\ell}\)-vector space of dimension 2d.6

GK operates on T(A). This action induces a \(\mathbb{Z}_{\ell}\)-adic representation attached to A given by the projective limit
$$\displaystyle{\mathop{\lim \nolimits }\limits_\longleftarrow _{k}\rho _{A,\ell^{k}}.}$$
By tensorizing with \(\mathbb{Q}_{\ell}\), we get the -adic representation
$$\displaystyle{\tilde{\rho }_{A,\ell},}$$
a representation of dimension 2d of GK over the -adic numbers \(\mathbb{Q}_{\ell}\) with representation space V(A).
A quite similar construction can be made with homomorphisms
$$\displaystyle{\phi: A \rightarrow B:}$$
By restricting ϕ to A[lk], we get homomorphisms
$$\displaystyle{\phi _{\ell^{k}}: A[\ell^{k}] \rightarrow B[\ell^{k}]}$$
and so as projective limit an T- homomorphism
$$\displaystyle{\widetilde{\phi _{\ell}}: T_{\ell}(A) \rightarrow T_{\ell}(B),}$$
which has a finite co-kernel if ϕ is an isogeny, and by tensorizing with \(\mathbb{Q}_{\ell}\), we get an homomorphism between V(A) and V(B), also denoted by \(\widetilde{\phi _{\ell}}\). It is easily seen that for isogenies ϕ, the map \(\widetilde{\phi _{\ell}}\) restricted to T(A) is injective, and it is an isomorphism between V(A) and V(B).

We have a natural homomorphism from HomK(A, B) into \(\mathrm{Hom}_{G_{K}}(T_{\ell}(A),T_{\ell}(B))\).

Taking A = B, we get an injective representation from EndK(A) into \(\mathrm{End}_{G_{K}}(T_{\ell}(A))\), the group of endomorphisms of the \(\mathbb{Z}_{\ell}\)-module T(A) that commute with the action of GK. This representation is called the -adic representation of endomorphisms of A.

Remark 4

The Tate modules (and their p-adic counterpart, the Dieudonné module, which we do not discuss here) and the embedding of HomK(A, B) into \(\mathrm{Hom}_{G_{K}}(T_{\ell}(A),T_{\ell}(B))\) play a key role for the study of abelian varieties, and they give a lot of information about the absolute Galois group of K (see [T] and [Fa]). They are the counterparts in the étale cohomology of the lattices in the complex theory.

Application: Endomorphisms of Elliptic Curves

Every endomorphism η ≠ 0 of E is an isogeny, and so \(\mathrm{End}_{K}(E)\bigotimes \mathbb{Q}\) is a skewfield.

The action of EndK(E) on the -adic Tate module of E induces an injection of EndK(E) into \(\mathit{Gl}(2, \mathbb{Z}_{\ell}).\)

From algebra it follows that \(\mathrm{End}_{K}(E)\bigotimes \mathbb{Q}\) is equal to \(\mathbb{Q}\), a quadratic field or a quaternion field. This information and some more ingredients from the theory of elliptic curves allow us to characterize EndK(E).

Case in which E cannot be defined over an absolute algebraic field (i.e., its absolute invariant jE (see Example 4) is transcendental over its prime field): we get that \(\mathrm{End}_{K}(E) = \mathbb{Z}\).

Case of number fields: We have seen already that over fields K of characteristic 0, the ring EndK(E) is commutative, and so quaternion fields are excluded.

Generically it is equal to \(\mathbb{Z}\); in special cases we have complex multiplication (CM) and EndK(E) is an order in an imaginary quadratic field (see Example 8).

Case of finite fields: Over finite fields the generic case is the CM-case. In this case the elliptic curve E is ordinary, i.e., \(E[p](K_{s})\mathop{\cong}\mathbb{Z}/p\) (see 1.2.1).

If [p] is purely inseparable, then EndK(E) is an order in a well-determined quaternion algebra and E is called supersingular. Supersingular elliptic curves are (up to twists) defined over \(\mathbb{F}_{p^{2}}\) and isogenous to each other.

1.3 Jacobian Varieties

Till now abelian varieties occurred in a rather abstract way, and in spite of the work of Mumford and Lubicz–Robert, it is difficult and often too complicated to find explicit equations and addition laws.

The situation is much better for an important subclass of abelian varieties, which historically came first (already in the nineteenth century) and which motivated A. Weil to define abelian varieties: Jacobian varieties attached to curves.

Let C be a projective non-singular curve 7 of genus g over K (see [ACF], Definition 4.107) with divisor group
$$\displaystyle{\mathcal{D}(K_{s}):=\{ D =\sum _{P\in C(K_{s})}z_{P} \cdot P;z_{P} \in \mathbb{Z}\mbox{ and almost all }z_{P} = 0\}.}$$
The subgroup of divisors of degree 0 is
$$\displaystyle{\mathcal{D}(K_{s})^{0}:=\{ D;\sum z_{ P} = 0\}.}$$
The Galois group GK acts by linear extension in a natural way on \(\mathcal{D}(K_{s})\). For \(K \subset L \subset K_{s}\), define
$$\displaystyle{\mathcal{D}(L)^{0} = (\mathcal{D}(K_{ s})^{0})^{G_{L} }.}$$
Examples for divisors of degree 0 are principal divisors: \(0\neq f \in F_{C} \cdot K_{s}\) has the principal divisor
$$\displaystyle{(f) =\sum z_{P}P\mbox{ where }z_{P}\mbox{ is the order of vanishing of }f\mbox{ in }P.}$$
Obviously the set of principal divisors form a subgroup \(\mathcal{P}\) of \(\mathcal{D}(K_{s})^{0}\). Define
$$\displaystyle{\mathcal{P}(L):= \mathcal{P}\cap \mathcal{D}(L)^{0}}$$
and
$$\displaystyle{\mathrm{Pic}_{C}^{0}(L):= \mathcal{D}(L)^{0}/\mathcal{P}(L),}$$
the L-rational divisor class group of degree 0 of C.8

Theorem 4 (Abel–Jacobi)

The functor
$$\displaystyle{L\mapsto \mathrm{Pic}_{C}^{0}(L)}$$
is representable by an abelian variety of dimension g, theJacobian varietyJC, i.e., in a functorial way we have
$$\displaystyle{J_{C}(L) =\mathrm{ Pic}_{C}^{0}(L).}$$
The theorem of Riemann–Roch ([ACF], Theorem 4.106) yields the following:
$$\displaystyle{J_{C}\mbox{ is birationally equivalent to }C^{g}/S_{ g}}$$
where Sgis the symmetric group of g letters acting on the g-fold Cartesian product of C by permuting the factors.

Hence, the addition on Jacobian varieties is reduced to the addition of divisor classes of curves, and the theorem of Riemann–Roch tells that there are distinguished representatives, namely, positive divisors of degree ≤ g. It follows that addition of classes is possible if one can find for divisors of degree ≥ g + 1 positive divisors in the same class but of degree ≤ g.

Example 9 (Elliptic Curves as Jacobians)

Assume that C is a projective regular curve of genus 1 with aK-rational point P.

By the theorem of Riemann–Roch one gets the following: every L-rational divisor class c of degree 0 of E contains exactly one point P ∈ C(L) with
$$\displaystyle{P - P_{\infty }\in c.}$$
The map
$$\displaystyle{J_{C}(L) \rightarrow C}$$
$$\displaystyle{c\mapsto P}$$
is an explicit isomorphism from JC(L) to C(L).

Hence, C is an elliptic curve and C(L) is an abelian group.

Weierstrass Equation The theorem of Riemann–Roch yields the following: we find a Weierstrass equation for E in the projective plane (see Example 4), and if p ≠ 2, 3,9 we can normalize to get
$$\displaystyle{E: Y ^{2}Z = X^{3} + \mathit{aXZ}^{2} + \mathit{bZ}^{3}}$$
with
$$\displaystyle{\varDelta _{E} = -16(4a^{3} + 27b^{2})\neq 0.}$$
We refind the j-invariant that was classically defined as meromorphic function on \(\mathbb{H}\): For a = 0, set jE = 0; for b = 0 set \(j_{E} = 12^{3}\); and for ab ≠ 0, define
$$\displaystyle{j_{E} = 12^{3}\frac{-4a^{3}} {\varDelta _{E}}.}$$
We remark that jE determines E up to twists and that to every j ∈ K we find E with jE = j (see [ACF], 18.1.1). E has exactly one point with Z = 0. Choosing this point as P = (0, 1, 0), we can describe the addition in coordinates and get the well-known addition formulas.

There is a vast literature in this area (see, for instance, [ACF] and many publications, e.g., by D. Bernstein and T. Lange), but nevertheless it is till nowadays not impossible to do even better, and so we formulate a (minor)

Open Problem 4

Find optimal equations and algorithms for scalar multiplication for elliptic curves over given fields\(\mathbb{F}_{q}\)(depending on the structure of\(\mathbb{F}_{q}\)and the architecture of the used computer maybe).

2 Abelian Varieties over Special Fields

2.1 \(K = \mathbb{F}_{q}\)

In this subsection we take \(K = \mathbb{F}_{q}\), the field with q = pd elements, and denote by \(\mathbb{F}_{p,\infty }\) its algebraic closure.

The Frobenius automorphism πp of \(\mathbb{F}_{p,\infty }\) is defined by
$$\displaystyle{x\mapsto \pi _{p}(x):= x^{p}.}$$
\(\pi _{q} =\pi _{ p}^{d}\) is a topological generator of the absolute Galois group \(G_{\mathbb{F}_{q}}\) of \(\mathbb{F}_{q}\).

2.1.1 The Frobenius Isogenie

We attach to the Galois element πq a geometric object by extending its operation to points in \(\mathbb{P}^{n}(\mathbb{F}_{p,\infty })\).

This yields a homogenous polynomial map
$$\displaystyle{(X_{0},\ldots,X_{n})\mapsto (X_{0}^{q},\ldots X_{ n}^{q})}$$
and so the Galois element induces morphisms of varieties V over \(\mathbb{F}_{q}\) which, by abuse of notation, we also denote by πq.
We assume that V is irreducible. Going to affine pieces and choosing affine coordinates \(X_{1},\ldots,X_{n}\), one easily see that
$$\displaystyle{\pi _{q}^{{\ast}}(V )}$$
is the subfield of FV generated by \(X_{1}^{q},\ldots,X_{n}^{q}\) and so \(F_{V }/\pi _{q}^{{\ast}}(V )\) is purely inseparable of degree qdim(V ). 

The Frobenius morphism πq is compatible with polynomials with coefficients in K and so with the addition on abelian varieties A over \(\mathbb{F}_{q}\). Hence, πq is a purely inseparable isogeny of degree \(q^{\dim (A)}\) called Frobenius endomorphism.

Since
$$\displaystyle{\pi _{q} \in \mathrm{ End}_{\mathbb{F}_{q}}(A)\setminus \mathbb{Z} \cdot \mathit{id}_{A}\neq \varnothing,}$$
we get that \(\mathrm{End}_{\mathbb{F}_{q}}(A)\) has elements different from scalar multiplications.

The Characteristic Polynomial of the Frobenius Endomorphism Since GFq is topologically generated by πq, it follows that the representations ρA, n, respectively \(\tilde{\rho }_{A,\ell}\) of abelian varieties A, are determined by \(\rho _{A,n}(\pi _{q})\) respectively \(\tilde{\rho }_{A,\ell}(\pi _{q})\).

A fundamental result of Tate [T] is that \(\tilde{\rho }_{A,\ell}\) is a semi-simple representation, i.e., it is determined by its characteristic polynomial
$$\displaystyle{\chi (T)(\tilde{\rho }_{A,\ell}(\pi _{q})).}$$
We vary the primes (always ≠ p) and get a globalization that is due to A. Weil:

Theorem 5

\(\chi (T)(\tilde{\rho }_{A,\ell}(\pi _{q})) \in \mathbb{Z}[T]\)is a monic polynomial χA,q(T) of degree 2dim (A) independent of ℓ, and for all\(n \in \mathbb{N}\)
$$\displaystyle{\chi _{A,q}(T) \equiv \chi (T)(\rho _{A,n}(\pi _{q}))\mod n.}$$
It follows that\(\chi _{A,q}(\pi _{q})(A) =\{ 0_{A}\}\).

This theorem justifies the statement that χA, q(T) is the characteristic polynomial on A of πq.

Point Counting Here comes one of the most important applications of the Frobenius endomorphism.

Since \(A(\mathbb{F}_{p,\infty })^{G_{\mathbb{F}_{q}} } = A(\mathbb{F}_{q})\) and since \(\pi _{q} -\mathit{id}_{A}\) is a separable isogeny, it follows from
$$\displaystyle{A(\mathbb{F}_{q}) =\ker (\pi _{q} -\mathit{id}_{A})}$$

Theorem 6

$$\displaystyle{\mid A(\mathbb{F}_{q})\vert =\chi _{A,q}(1).}$$

Hence a strategy to determine \(\mid A(\mathbb{F}_{q})\vert\) is to compute χA, q(T).

The deep basic result for these computations is due to Hasse (d = 1) and Weil (“Riemann hypothesis for curves”):

Theorem 7

The eigenvalues of πqare complex integers with absolute value equal to q1∕2.

$$\displaystyle{\mbox{ Hence, }\mid A(\mathbb{F}_{q})\vert = q^{\dim (A)} + \mathcal{O}(q^{\dim (A)-1/2}).}$$
An immediate consequence is that the ith coefficient of \(\chi _{A,q}(T)\) is an integer with absolute value bounded by \(\left (\begin{array}{c} 2\dim (A)\\ i\end{array} \right )q^{(2\dim (A)-i)/2}\)([ACF ], Corollary 5.8.2). Hence, to determine \(\chi _{A,q}(T)\) is enough to compute an approximation of sufficient precision.

Example 10

For elliptic curves E defined over \(\mathbb{F}_{q}\), we have
$$\displaystyle{\mid \,\mid (E(F_{q})\mid + 1 - q\mid \leq 2 \cdot q^{1/2}.}$$

2.1.2 The Isogeny Theorem over Finite Fields

Finally we stress the importance of the Frobenius isogenies by the following result of Tate [T]:

Theorem 8

Let A,B be abelian varieties defined over\(\mathbb{F}_{q}\)with Tate modules\(T_{\ell}(A)\)and T(B).
  1. (i)

    A is isogenous to B iff for one ℓ ≠ p, the Galois module\(T_{\ell}(A)\bigotimes \mathbb{Q}\)is isomorphic to\(T_{\ell}(B)\bigotimes \mathbb{Q}\).

     
  2. (ii)

    A is isogenous to B iff the characteristic polynomials of the Frobenius endomorphisms on A and B are equal.

     

We remark that this result “reduces” Task 1 in Sect. 1.2.1 to the computation of the characteristic polynomial of abelian varieties. We shall see in Sect. 3.2 how one can attack this task. Because of its importance, we formulate it already here as one major

Open Problem 5

Find fast algorithms to compute for abelian varieties A defined over\(\mathbb{F}_{q}\)the characteristic polynomial of the Frobenius endomorphism.

2.2 Abelian Varieties over Number Fields

We look at the mathematically most interesting case: the field K is a number field, i.e., a finite algebraic overfield of \(\mathbb{Q}\). The exciting task is to relate arithmetical properties of these fields with diophantine properties of geometric objects, and it turned out that abelian varieties are a very useful tool for this.

We begin with a by now classical result of Serre [Se1].

Theorem 9

Assume that the elliptic curve E over K has no complex multiplication.

There is a number nEsuch that for all primes ℓ > nE, we have
$$\displaystyle{\rho _{E,\ell}(G_{K}) = \mathit{Gl}(2, \mathbb{Z}/\ell).}$$
In particular E has only finitely many K-rational cyclic isogenies.

How can one determine nE for given E?

What are the exceptions?

Open Problem 6 (Conjecture Due to J.P. Serre)

Can one find n0depending only on K such that for all E (outside a finite exceptional set)\(n_{E} = n_{0}\)?

Remark

For \(K = \mathbb{Q}\) and elliptic curves one knows more: Mazur has determined a list of all isogenies of all elliptic curve and exceptional small images of \(\rho _{E,n}\) are understood (up to the non-split Cartan case).

For general number fields K, the order of rational torsion points of elliptic curves over E can be bounded by an estimate depending on the degree of K over \(\mathbb{Q}\) only (theorem of Merel and Parent).

Open Problem 7

Can one generalize Theorem 9to abelian varieties of dimension ≥ 2?, For example, is it true for abelian varieties with\(\mathrm{End}_{K}(A) = \mathbb{Z}\)that for almost all rational primes ℓ, the image of ρA,ℓcontains\(\mathit{GSp}(2\dim (A), \mathbb{Z}/\ell)\), the symplectic group of dimension 2dim (A) over\(\mathbb{Z}/\ell\)?

All results obtained in this direction rely on work of Serre [Se2]. Interesting progress is made by Hall in [Ha].

2.2.1 Local-Global Methods

How can one prove results like Theorem 9? Besides the specific properties of the investigated objects, one looks at the arithmetical structure of number fields given by a system of valuations with well-known completions.

To be concrete take \(K = \mathbb{Q}\).

First, we have the absolute value | | (an archimedean valuation) with completion \(\mathbb{R}\) and algebraic closure \(\mathbb{C}\).

Next we have the ring of integers \(\mathbb{Z}\) with prime ideals \(p \cdot \mathbb{Z}\) which give rise to non-archimedean p-adic valuations wp with
$$\displaystyle{w_{p}(x) = \mbox{ maximal power of }p\mbox{ dividing }x,}$$
completion \(\mathbb{Q}_{p}\), its algebraic closure \(\mathbb{Q}_{p,s}\) with absolute Galois groups Gp, and residue field \(\mathbb{F}_{p}\). It is crucial that Gp can be identified (uniquely up to conjugation) with a subgroup of \(G_{\mathbb{Q}}\), the decomposition group of an extension of \(w_{p}\) to \(\mathbb{Q}_{s}\).

For general \(K\), replace | | by metrics induced by embeddings of K in \(\mathbb{C}\), \(\mathbb{Z}\) by its integral closure OK in K and wp by valuations attached to prime ideals \(\mathfrak{p}\) of OK containing p.

Diophantine objects over K can be interpreted over the completions (localization) or modulo \(\mathfrak{p}\) (reduction).

This relates diophantine problems over finite fields, \(\mathbb{C}\), p-adic fields, and number fields.

The aim is to get local-global information (going in both direction).

Here is a first prominent example.

2.2.2 CM Theory

We use an embedding of K in \(\mathbb{C}\) and look at elliptic curves E over K as
$$\displaystyle{E = \mathbb{C}/(\mathbb{Z} +\tau \mathbb{Z}).}$$
We recall that E has complex multiplication if τ is an algebraic integer generating an imaginary quadratic field \(K_{E}:= \mathbb{Q}(\tau )\) and then EndC(E) is an order \(O_{E} \in O_{K_{E}}\).

Class field theory tells more:

The \(\mathbb{C}\)-isomorphy classes of elliptic curves E isogenous to E correspond one-to-one to the ideal classes of orders OE in \(O_{K_{E}}\), the absolute invariant of E generates the ring class fields HE of OE, and \(\rho _{E,n}(G_{H_{E}})\) is an abelian group and so not containing \(\mathit{Sl}(2, \mathbb{Z}/n).\)

From number theory we know that for given n, there are only finitely many orders in imaginary quadratic fields with class number ≤ n, and so there are, up to twists, only finitely many elliptic curves with CM defined over K( hence, only finitely many twist classes of elliptic curves are excluded in Theorem 9).

The relation of elliptic curves with CM over number fields to elliptic curves over finite fields is given by a central result, Deuring’s lifting theorem.

Theorem 10

Let E be an ordinary elliptic curve over\(\mathbb{F}_{q}\). There is an elliptic curve\(\tilde{E}\)defined over a number field K and a prime ideal\(\mathfrak{p}\)of OKsuch that\(\tilde{E}\mod \mathfrak{p} = E\ \mathrm{and}\ \mathrm{End}(\tilde{E}) =\mathrm{ End}(E)\).

Hence End(E) is an order in an imaginary quadratic field \(K_{\tilde{E}}\) and the Frobenius endomorphism πq corresponds to an imaginary quadratic algebraic integer with norm q. The discriminant of its characteristic polynomial \(\chi _{E,q}(T) = (T -\lambda _{1})(T -\lambda _{2})\) is negative and so \(\lambda _{1}\lambda _{2} = q\) and \(\mathrm{trace}(\phi _{q})^{2} - 4q <0\). But then \((\vert E(\mathbb{F}_{q})\vert - q - 1))^{2} - 4q = \mathrm{trace}(\phi _{q})^{2} - 4q <0\).

So we get a proof (due to Deuring–Hasse) of the “Riemann hypothesis for elliptic curves” (Theorem 7):
$$\displaystyle{\vert \vert E(\mathbb{F}_{q})\vert - q - 1)\vert <2\sqrt{q}.}$$
Due to Shimura–Taniyama there is a beautiful generalization of CM theory to abelian varieties of higher dimension replacing imaginary quadratic fields by CM-fields of larger degree. For abelian varieties of dimension 2 and 3 this is explained in [ACF], Chapter 18.

Open Problem 8

Generalize the algorithmic aspects of CM from elliptic curves to Jacobians of curves of small genus.

Remark 5

For curves of genus 2 and 3, part of the work is done in the theses of A. Spallek and A. Weng.

2.2.3 Local-Global Principles for Galois Representations

We go deeper into the arithmetic of number fields K.

Let \(\mathfrak{p}\) be a prime of K, L a Galois extension of K and \(\tilde{\mathfrak{p}}\) a prime in OL that contains \(\mathfrak{p}\) with residue field \(\mathbb{F}_{q}\). Assume that \(\mathfrak{p}\) is unramified in LK.10

A Frobenius automorphism\(\sigma _{\mathfrak{p}}\) is an element in G(LK) that is continuous with respect to the \(\tilde{\mathfrak{p}}\)-adic metric and which acts modulo \(\tilde{\mathfrak{p}}\) like πq.

We remark that \(\sigma _{\mathfrak{p}}\) is determined by \(\mathfrak{p}\) (only) up to conjugation.

Let V be a finite dimensional vector space over \(\mathbb{C}\) or over a finite field \(\mathbb{F}_{q}\) or over an -adic field. We endow V with either the discrete topology (\(K = \mathbb{C}\) or \(K = \mathbb{F}_{q}\)) or the -adic topology. Let
$$\displaystyle{\rho: G_{K} \rightarrow \mathrm{Aut}(V )}$$
be a continuous representation, which is semi-simple, i.e., ρ is determined by the characteristic polynomials of the images under ρ. We assume in addition that \(K_{s}^{\ker (\rho )}/K\) is unramified outside of a finite set S of primes.

Theorem 11 (Density Theorem of Čebotarev)

ρ is uniquely determined by
$$\displaystyle{(\chi (\rho (\sigma _{\mathfrak{p}}))(T))_{\mathfrak{p}\notin S\mbox{ prime of }O_{ K}}.}$$

This theorem is the reason for the deep relations between Galois theory and arithmetic.

Remark 6

There is a constructive version of Theorem 11: given two representations
$$\displaystyle{\rho _{i}: G_{K} \rightarrow \mathrm{Aut}(V );i = 1,2}$$
with \(K_{s}^{\ker (\rho _{1})} = K_{s}^{\ker (\rho _{2})}\) there is a number n depending on arithmetical invariants of ρi like the discriminant of \(K_{s}^{\ker (\rho _{i})}\) such that
$$\displaystyle{\rho _{1}\mathop{\cong}\rho _{2},}$$
iff
$$\displaystyle{\chi (\rho _{1}(\sigma _{\mathfrak{p}}))(T) =\chi (\rho _{2}(\sigma _{\mathfrak{p}}))(T)\mbox{ for all }\mathfrak{p}\mbox{ with }\mathrm{Norm}(\mathfrak{p}) \leq n.}$$

This result makes identification of Galois representation effective. Unfortunately, the bound n tends to be very large (even under the assumption of the generalized Riemann hypothesis GHR [Oe]), and so the result can only very rarely be used for computational investigations. But there are situations where one can do better, for instance, if one knows that the representations are related to modular forms [R].

Open Problem 9

Find (or conjecture) effective versions of Theorem 11in special but interesting instances.

2.2.4 The Theorem of Faltings

Let A be an abelian variety defined over a number field.

Theorem 12

\(\tilde{\rho }_{A,\ell}\)is semi-simple.

This is an extremely deep theorem obtained by Faltings in the celebrated paper [Fa]. Among others, it implies Mordell conjecture:

Curves of genus > 1 have only finitely many K-rational points

On the way to his result Faltings proved

Theorem 13 (Isogeny Theorem)

Abelian varieties A and B are isogenous iff for one prime ℓ
$$\displaystyle{\tilde{\rho }_{A,\ell}\mathop{\cong}\tilde{\rho }_{B,\ell}.}$$
In fact Faltings proved that for given A, B there is a number n(A, B) such that A is isogenous to B iff for one n > n(A, B)
$$\displaystyle{\rho _{A,n}\mathop{\cong}\rho _{B,n}.}$$
Warning: The following problem is difficult and is closely related to Open Problem 9.

Open Problem 10

Give reasonable estimates for n(A,B) in terms of the conductors of A,B. Hint:Look at the work of Masser–Wüstholz.

2.2.5 Conjectures for Elliptic Curves

To show how deeply Galois representations and diophantine problem are related, we go to elliptic curves over number fields and formulate really challenging OPEN PROBLEMS, which, because of their importance and difficulty, are called
$$\displaystyle{\mathbf{CONJECTURES}.}$$
They can be found in [FK1]. They express that, up to some exceptions, only isogenous elliptic curves should have groups of torsion points that are isomorphic as Galois modules.

Conjecture 1 (Darmon)

There is a number n0(K) such that for all elliptic curves E, Eover K and all n ≥ n0(K) we get
$$\displaystyle{\mbox{ If }\rho _{E,n}\mathop{\cong}\rho _{E^{{\prime}},n}\mbox{ then }E\mbox{ is isogenous to }E^{{\prime}}.}$$

A variant of this conjecture is

Conjecture 2 (Kani)

There is a number n0(independent of K) such that for n ≥ n0there are, up to twist pairs, only finitely many pairs (E,E) of elliptic curves defined over K which are not isogenous and with\(\rho _{E,n}\mathop{\cong}\rho _{E^{{\prime}},n}\).

For prime numbers n, we can choose n0= 23.

Much easier but also not proved is

Conjecture 3 (Frey)

We fix an elliptic curve E0∕K.

There is a number\(n_{0}(E_{0},K)\)such that for all elliptic curves E over K and all\(n \geq n_{0}(E_{0},K)\)we get
$$\displaystyle{\mbox{ If }\rho _{E,n}\mathop{\cong}\rho _{E_{0},n}\mbox{ then }E\mbox{ is isogenous to }E_{0}.}$$

We remark that this conjecture can be formulated in a much more general way ([Fr1], Conjecture 5), which is proved if we replace number fields by function fields in one variable.

We mention amazing consequences of this conjecture:

It implies the (in-)famous
$$\displaystyle{\mathbf{ABC -conjecture}}$$
and the
$$\displaystyle{\mathbf{asymptoticFermatconjecture}}$$
and has implications to the theory of modular forms. These conjectures can also be found in [Fr1] (Conjecture 1 and Conjecture 2).

To give the flavor of these conjectures, we formulate a version of the ABC-conjecture over \(\mathbb{Q}\) that is due to Masser and Oesterlé:

Conjecture 4

For all\(\epsilon \in \mathbb{R}_{>0}\)there is a number\(c_{\epsilon } \in \mathbb{R}\)such that for integers A,B with A ⋅ B ≠ 0 and gcd(A,B) = 1, we get
$$\displaystyle{\vert A\vert \leq c_{\epsilon } \cdot \left (\prod _{p\vert A\cdot B\cdot (A-B)}\,p\right )^{1+\epsilon }.}$$

3 Algorithmic Aspects and Applications

In this section the focus lies on computational aspects of abelian varieties over finite fields \(\mathbb{F}_{q}\). Many of the results are motivated and initiated by problems from public-key cryptography. A more detailed discussion of this fruitful interaction between algorithmic algebraic geometry and data security can be found in [Fr2] and [Fr3].

3.1 Addition on Jacobian Varieties over Finite Fields

Jacobian varieties are accessible to computations via curve arithmetic and enjoy the rich structure of abelian varieties. As first example we look at the addition on Jacobian varieties. We use the general theory of Jacobian varieties (Sect. 1.3) and recall that for the addition on them, one needs a reduction algorithm among divisors in the same class. This problem was solved by Heß [He] and by Diem and leads to an outstanding result inside of the rapidly progressing algorithmic algebraic geometry.

Theorem 14 (Diem, Heß)

Let C be a curve of genus g over\(\mathbb{F}_{q}\).

The arithmetic in the degree 0 class group of C can be performed in an expected time which is polynomially bounded in g and log(q).

In practice it is still challenging to find algorithms that are fast enough for applications. A lot of work is done (even for curves of genus 1) to find equations for C for which the addition is optimal, and till now there are many publications that give special fast addition algorithms for special instances of curves and fields. So we find an

Open Problem 11

Implement the addition algorithm efficiently for Jacobian varieties of curves of low genus (e.g., g ≤ 4) and find optimal equations (maybe depending on the field\(\mathbb{F}_{q}\)).

3.2 Point Counting

A major task is the computation of the Frobenius endomorphism πq.

This is motivated by the outstanding role this endomorphism plays in theory (Theorem 8) and practice (point counting).

Special (but nevertheless sufficiently “random”) instances are found by using the CM-theory and hence to begin with the ring of endomorphisms of Jacobians over \(\mathbb{C}\).

To compute the characteristic polynomial of πq for large q and for “random” abelian varieties, one uses its action on an accessible vector space (usually a cohomology group) and an approximation algorithm. This becomes effective because of the Hasse-Weil estimates of the coefficients (Theorem 7).

To proceed one uses the whole arsenal of arithmetic geometry, namely:
  • étale cohomology that leads to algorithms first introduced for elliptic curves by R. Schoof, which become practical for elliptic curves because of using isogenies instead of points (Atkin–Elkies), and so usually one calls them SEA-algorithms

  • p-adic cohomology (work of Kedlaya, Vercauteren, Gerkmann, and many others)

  • p-adic lifting by effective p-adic versions of Deuring’s lifting theorem (Theorem 10) for elliptic curves and versions for higher dimension (keyword canonical lifts) given by p-adic theta functions, cf. Open Problem 1 (work of Satoh, Lubicz, Carls, Mestre, and many others)

  • deformation theory (geometric-algebraic or differential-geometric) (Lauder, M. Li)

An extensive discussion of these methods can be found in [ACF], Chapter 17.

Result: In cryptographic relevant ranges we get:
  • We can count points on random elliptic curves.

  • We can count points on Jacobians of random curves over fields of small (and even medium) characteristic.

  • We have still problems with random curves of genus 2 (but see work of Gaudry and Schost [GS] and [CL]), and we have many special families of curves whose members are accessible for point counting (e.g., by CM-methods) ([ACF], Chapter 18).

Open Problem 12

  1. 1.

    Count points on Jacobians of genus 2 (without CM) and of genus 3 (with or without CM).

     
  2. 2.

    There is a lifting theorem for ordinary abelian varieties analogous to Deuring’s lifting theorem for elliptic curves.

     

Study algorithmic aspects of the lifting theorems.

3.3 Computation of Isogenies

We come back to the tasks formulated in Sect. 1.2.1 but now restricted to the case that \(K = \mathbb{F}_{q}\). One of the question was: Can one, for given A, compute explicitly isogenies η as concrete functions?

An optimistic answer would be: yes, with complexity polynomial in \(\log (q),\dim (A),\deg (\eta )\).

In fact, this is true for elliptic curves and relies on the computation of equations for the modular curve Y0(n). The basic work was done (after Deuring) by Vélu [V], and accelerations that make the algorithm efficient are due to Couveignes, Lercier, Elkies, and many others. These algorithms are responsible for the efficiency of point counting on elliptic curves by SEA-algorithms. It turns out that the cost for the computation of an isogeny of degree is
$$\displaystyle{\mathcal{O}(\ell^{2} +\ell\log (\ell)\log (q)).}$$

There are hopeful beginnings of a similar theory for genus 2 curves [CL, FLR, GS] that promise to become a fascinating area of mathematical research.

So we state it as an

Open Problem 13

Find effective formulas for isogenies between abelian varieties or Jacobian varieties of genus 2 and 3.

The big disadvantage of the formulas for isogenies is that they are polynomial in the degree of the isogenies.

So they are only usable for isogenies of small degree. To repair this one uses more number theory and assumes in addition that the abelian variety is of CM-type with endomorphism ring O that is an order in a CM-field K. (For elliptic curves E this is equivalent with the condition that E is ordinary.)

We sketch the strategy.11

An isogenous variety A has also CM with a ring of endomorphism O ⊂ K. First, assume that O ⊂ O. By definition O and O are lattices of dimension \(d =\dim (A)\) and so correspond to abelian varieties \(\tilde{A} = \mathbb{C}^{d}/O\) and \(\tilde{B} = \mathbb{C}^{d}/O^{{\prime}}\) (Example 6). The inclusion of \(O^{{\prime}}\) in O induces an isogeny from \(\tilde{A}\) to \(\tilde{B}\). If [O: O] is small, one can hope to describe the corresponding isogeny. (One has a good chance that in practical cases this will be so.)

The next step is to assume that O = O (or that at least the degree of the isogeny η one wants to compute is a prime not dividing [O: O]).

For simplicity assume that \(B\mathop{\cong}\tilde{B}\). Isogenies of degree to B correspond to ideals \(\mathfrak{L}\) in O with norm . But one has more freedom. Changing by isomorphisms means to change \(\mathfrak{L}\) by a principal ideal, and one of the main results of CM theory is that the isomorphism classes of abelian varieties with endomorphism ring O correspond to ideal classes of O. This gives an idea how to treat isogenies of large prime degree between abelian varieties with endomorphism ring O: one has to find prime ideals \(\mathfrak{p}_{1},\ldots,\mathfrak{p}_{k}\) in O with small norm and k “not large” such that \(\prod _{i}\,\mathfrak{p}_{i}\) is in the same ideal class as \(\mathfrak{L}\), and then compute the chain of isogenies with kernel \(\mathfrak{p}_{i}\). There are theorems in algebraic number theory (Minkowski’s theorem and smoothness results known from algorithms to factor numbers) and heuristics (like GRH) that predict that with a high probability, this search will be successful.

In the next paragraph we shall write down the results for isogenies of elliptic curves relying on these principles. We formulate already here the

Open Problem 14

Assume that\(C_{1},\,\,C_{2}\)are curves of genus 2 over\(\mathbb{F}_{q}\)with Jacobian varieties of CM-type that are isogenous.

Use CM theory to compute isogenies.

Finding Isogenies of Elliptic Curves over\(\mathbb{F}_{q}\) A good part of the following results rely on the groundbreaking paper [K] of Kohel. We apply the considerations from above to ordinary elliptic curves E, E defined over \(\mathbb{F}_{q}\) with endomorphism ring OE. It is evident that the class number hE of OE and so the discriminant \(\varDelta _{O_{E}}\) of OE will play an important role. For random E we have to expect that hE is of size \(\mathcal{O}(q^{1/2})\) and so that the algorithms to find isogenies are exponential in log(q). The beautiful result of Galbraith and Stolbunov in [GSt] is

Theorem 15

The cost for finding an isogeny between elliptic curves whose endomorphism ring is\(O_{K_{E}}\)is
$$\displaystyle{\mathcal{O}(q^{1/4+o(1)}\log ^{2}(q)\log \log (q)).}$$

This result hints that for large q and randomly chosen E, it is hard to find isogenies, and in fact there are cryptographic schemes that propose to use this problem as crypto primitive (for one version of such schemes, see cf. 3.3.1 below).

In the discussion above, we have remarked that there are similarities with algorithms factoring numbers. In fact, an approach due to Jao and Soukharev shows (under “reasonable” heuristics like GRH) the following.

Theorem 16 ([JS], Theorem 4.1)

Assume that E is an ordinary elliptic curve given in Weierstrass form with given Frobenius endomorphism πq(i.e., \(\vert E(\mathbb{F}_{q})\vert\)is known) and endomorphism ring OE.

Take\(n \in \mathbb{N}\)and assume that\([O_{E}: \mathbb{Z}[\pi _{q}]]\)is prime to\(\vert E(\mathbb{F}_{q^{n}})\vert\)and let\(\mathfrak{L}\)be an ideal of OEwhose norm is a prime number ℓ.

Take\(P \in E(\mathbb{F}_{q^{n}})\).

Then there is an algorithm that computes an elliptic curve Eand an isogeny
$$\displaystyle{\eta: E \rightarrow E^{{\prime}}}$$
with kernel\(\mathfrak{L}\)and the X-coordinate of η(P) in running time that is polynomial in\(\log (\ell),\,\log (q),\,n\)andsubexponentialin\(\log (\varDelta _{O_{E}})\)(for the explicit estimate, see [JS]).

3.3.1 Two Applications

Equivalence of Discrete Logarithms in Isogeny Classes A very important crypto primitive for public-key cryptography is the discrete logarithm (DL) in the group of rational points \(E(\mathbb{F}_{q})\) of elliptic curves E over finite fields. The (till now justified) hope is that the complexity of DL is exponential in the order of the largest prime dividing \(\vert E(\mathbb{F}_{q})\vert\). But it is well known that one has to be careful since some elliptic curves (e.g., supersingular curves) can be attacked by algorithms with subexponential complexity. Very often, this is done by a transfer, i.e., by a subexponentially computable map into another group in which the DL is vulnerable (see [ACF], Chapter 22).

An obvious question is whether one can use isogenies as transfer maps.

The answer is no because of a very nice result that uses, besides the above discussed methods to compute isogenies, the equivalence of the isogeny graph of elliptic curves with the same ring of endomorphism over \(\mathbb{F}_{q}\) with a graph of ideals in this endomorphism ring (again Deuring’s lifting theorem is crucial). With properties of this graph induced by classical analytic number theory of imaginary quadratic number fields, one gets

Theorem 17 (Jao et al. [JMV])

Discrete logarithms in isogenous elliptic curves over\(\mathbb{F}_{q}\)are subexponentially equivalent.

Open Problem 15

Prove the same result for Jacobian varieties of CM-type attached to curves C of genus 2.

The Couveignes–Stolbunov Crypto System This system is a cryptosystem based on a principally homogeneous space.

We continue to assume that E is ordinary. We denote by SE the set of isomorphy classes (over \(\mathbb{F}_{p,\infty }\)) of elliptic curves \(E^{{\prime}}/\mathbb{F}_{q}\) with
$$\displaystyle{\mathrm{End}_{\mathbb{F}_{p,\infty }}(E^{{\prime}}) =\mathrm{ End}_{ \mathbb{F}_{p,\infty }}(E) = O \subset \mathbb{Q}(\sqrt{-d}).}$$

Again we use the one-to-one correspondence between SE and the ideal class group Cl(O) of O.

In fact, SE is a principal homogenous space with translation group Cl(O) with the following action:

Lift E to \(\tilde{E}\) (Deuring’s lifting theorem). Without loss of generality assume that the lattice defining \(\tilde{E}\) over \(\mathbb{C}\) is O. Take an ideal \(\mathfrak{a} \subset O\) with divisor class c.

Then c ⋅ [E] is the isomorphy class of the elliptic curves E whose Deuring lift is over \(\mathbb{C}\) defined by the lattice \(\mathfrak{a}\).

This can be used for a crypto system going back to Couveignes and implemented by Stolnikov.

As private key, take c, and as public key, the j-invariant of E.

To make this computable, one has to find in each ideal class of O an ideal that is the product of prime ideals with small norm. Hence, one has to use the same techniques as in Sect. 3.3.

Remark 7

  • The system is slow for one cannot use a square and multiply algorithm.

  • It can be shown that the crypto primitive is NOT the DL in Cl(O), and so a direct application of Shor’s algorithm for quantum computers does not work.

  • Nevertheless there is an algorithm using quantum computer that breaks the system in subexponential time.

3.4 Constructions of Isogenies by Correspondences

We end by describing a general construction of isogenies between abelian subvarieties of Jacobian varieties. This construction can be done over arbitrary ground fields K. It is important in our context because of its immediate applications to DL systems attached to divisor classes of curves over finite fields.

Correspondences of curves C, D are induced by morphisms
$$\displaystyle{f_{1}: H \rightarrow C\mbox{ and }f_{2}: H \rightarrow D}$$
(hence H is a common cover of C and D) and application of conorm, respectively norm maps, on divisor class groups:
$$\displaystyle{\mathrm{Pic}^{0}(C)\stackrel{f_{ 2,{\ast}}\circ f_{1}^{{\ast}}}{\longrightarrow }\mathrm{Pic}^{0}(D).}$$
Under mild conditions one can assure that
$$\displaystyle{\eta: J_{C} \rightarrow J_{D}}$$
has finite kernel.

If the degrees of fi are not too large, one can compute the maps on divisor classes explicitly.

Very often one uses curves C with a cover
$$\displaystyle{f: C \rightarrow \mathbb{P}^{1},}$$
and takes for H the Galois closure of this cover and for D the fixed curve under a subgroup of the Galois group (“monodromy group”) of f. By this, one has natural connections with Hurwitz spaces and their very rich theory ([FK1] and [FK2]).

One example for this method is Weil descent if \(\mathbb{F}_{q}\neq \mathbb{F}_{p}\) that may transfer a seemingly hard DL problem to an easier one.

Another example was worked out in [FK2] explaining B. Smith’s isogeny of degree 8 mapping hyperelliptic curves of genus 3 to non-hyperelliptic curves of genus 3 (and so weakening the DL [Di]). The result of Smith is

Theorem 18 (Smith)

There are\(\mathcal{O}(q^{5})\)isomorphism classes of hyperelliptic curves of genus 3 defined over\(\mathbb{F}_{q}\)for which the discrete logarithm in the divisor class group of degree 0 has complexity\(\mathcal{O}(q)\), up to log-factors.

Since\(\vert \mathrm{Pic}^{0}(C)\vert = \mathcal{O}(q^{3})\), the DL system of these hyperelliptic curves of genus 3 is weak.

To get this result Smith has to use certain heuristics.

The advantage of the approach by Hurwitz spaces is, besides delivering a structural background, that these spaces are often accessible for explicit description. For instance, in the case discussed here, one can determine the four-dimensional subspace in the moduli space of hyperelliptic curves of genus 3 consisting of curves that are in the image of Smith’s isogeny, and so justify his heuristics [FK3].

Open Problem 16

Find interesting correspondences of low degree between Jacobian varieties induced by correspondences between curves and (possibly) attached to Hurwitz spaces.

Footnotes

  1. 1.

    That is the tangent space of every point of Ea has dimension 1; see [ACF], Sect. 4.4.1.

  2. 2.

    That is, irreducible as variety over Ks.

  3. 3.

    For example, by homogenous equations.

  4. 4.

    See Definition 2.81 in [ACF] or any textbook on algebraic number theory.

  5. 5.

    Caution for specialists: because of the existence of twists, Y0 is only a coarse moduli space.

  6. 6.

    \(\mathbb{Z}_{\ell}\) is the ring of l-adic integers and \(\mathbb{Q}_{\ell}\) the field of -adic numbers (see [ACF]).

  7. 7.

    The tangent space of every point of C has dimension 1, see [ACF], Sect. 4.4.1

  8. 8.

    Poles give rise to negative “order of vanishing”.

  9. 9.

    For p | 6, see [ACF] 13.1.1 and 13.3.

  10. 10.

    That is, the normalized valuation attached to \(\tilde{\mathfrak{p}}\) is a continuation of the one attached to \(\mathfrak{p}.\)

  11. 11.

    In the following we simplify by looking at abelian varieties with principal polarization (e.g., Jacobian varieties) and then neglect some more subtle points concerning these polarizations.

References

  1. [ACF]
    H. Cohen, G. Frey (eds.), Handbook of Elliptic and Hyperelliptic Curve Cryptography (CRC, Providence, 2005)Google Scholar
  2. [CL]
    R. Carls, D. Lubicz, A p-adic quasi-quadratic time point counting algorithm. Int. Math. Res. Not. 4, 698–735 (2009)MathSciNetGoogle Scholar
  3. [De]
    M. Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abh. Math. Sem. Hamb. 14, 197–272 (1941)CrossRefGoogle Scholar
  4. [Di]
    C. Diem, An index calculus algorithm for plane curves of small degree, in Proceedings of ANTS VII, ed. by F. Heß, S. Pauli, M. Pohst. Lecture Notes in Computer Science, vol. 4076 (Springer, Berlin, 2006), pp. 543–557Google Scholar
  5. [Fa]
    G. Faltings, Endlichkeitssätze für abelsche Varietäten über Zahlkörpern. Invent. Math. 73, 349–366 (1983)CrossRefMATHMathSciNetGoogle Scholar
  6. [FLR]
    J.-Ch. Faugère, D. Lubicz, D. Robert, Computing modular correspondences for abelian varieties. J. Algebra 343, 248–277 (2011)CrossRefMATHMathSciNetGoogle Scholar
  7. [FK1]
    G. Frey, E. Kani, Curves of genus 2 with elliptic differentials and associated Hurwitz spaces. Cont. Math. 487, 33–82 (2009)CrossRefMathSciNetGoogle Scholar
  8. [FK2]
    G. Frey, E. Kani, Correspondences on hyperelliptic curves and applications to the discrete logarithm, in Proceedings of SIIS, Warsaw 2011, ed. by P. Bouvry, M. Klopotek, F. Leprévost, M. Marciniak, A. Mykowiecka, H. Rybiński. Lecture Notes in Computer Science, vol. 7053 (Springer, Berlin, 2012), pp. 1–19Google Scholar
  9. [FK3]
    G. Frey, E. Kani, Normal Forms of Hyperelliptic Curves of Genus 3, preprintGoogle Scholar
  10. [Fr1]
    G. Frey, On ternary equations of Fermat type and relations with elliptic curves, in Modular Forms and Fermat’s Last Theorem, ed. by G. Cornell, J.H. Silverman, G. Stevens (Springer, New York, 1997), pp. 527–548CrossRefGoogle Scholar
  11. [Fr2]
    G. Frey, Applications of arithmetical geometry to cryptographic constructions, in Proceedings of Finite Fields and Application (2001), pp. 128–161Google Scholar
  12. [Fr3]
    G. Frey, Relations between arithmetic geometry and public key cryptography. Adv. Math. Commun. 4, 281–305 (2010)CrossRefMATHMathSciNetGoogle Scholar
  13. [GSt]
    St. Galbraith, A. Stolbunov, Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24, 107–131 (2013)Google Scholar
  14. [GS]
    P. Gaudry, E. Schost, Hyperelliptic point counting record: 254 bit jacobian, June 2008. http://webloria.loria.fr/~gaudry/record127
  15. [Ha]
    C. Hall, An open-image theorem for a general class of abelian varieties. Bull. Lond. Math. Soc. 43, 703–711 (2011)CrossRefMATHMathSciNetGoogle Scholar
  16. [He]
    F. Heß, Computing Riemann–Roch spaces in algebraic function fields and related topics. J. Symb. Comput. 33(4), 425–445 (2002)CrossRefMATHGoogle Scholar
  17. [JMV]
    D. Jao, S.D. Miller, R. Venkatesan, Do all elliptic curves of the same order have the same difficulty of discrete log?, in Advances of Cryptology-Asiacrypt 2005. Lecture Notes in Computer Science, vol. 3788 (Springer, Berlin 2005), pp. 21–40Google Scholar
  18. [JS]
    D. Jao, V. Soukharev, A subexponential algorithm for evaluating large degree isogenies, in Algorithmic Number Theory (Springer Berlin 2010), pp. 219–233Google Scholar
  19. [K]
    D. Kohel, Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, Berkeley, 1996Google Scholar
  20. [Le]
    R. Lercier, Algorithmique des courbes elliptiques dans les corps finis. Thèse, LIX-CNRS, 1997Google Scholar
  21. [LR]
    D. Lubicz, D. Robert, Computing isogenies between abelian varieties. Compos. Math. 148, 1483–1515 (2012)CrossRefMATHMathSciNetGoogle Scholar
  22. [M1]
    D. Mumford, Abelian Varieties (Oxford University Press, Oxford, 1970)MATHGoogle Scholar
  23. [M2]
    D. Mumford, On the equations defining abelian varieties I–III. Invent. Math. 1, 287–354 (1967); Invent. Math. 3, 75–135 (1967); Invent. Math. 3, 215–244 (1967)Google Scholar
  24. [Oe]
    J. Oesterlé, Versions effectives du théorème de Chebotarev sous l’hypothèse de Riemann généralisée. Astérisque 61, 165–167 (1979)MATHGoogle Scholar
  25. [R]
    K. Ribet, On modular representations of \(G(\bar{\mathbb{Q}}\vert \mathbb{Q})\) arising from modular forms. J. Math. 100, 431–476 (1990)MATHMathSciNetGoogle Scholar
  26. [Se1]
    J.P. Serre, Propriétés galoisiennes des points d’ordre fini des courbes elliptiques. Invent. Math. 15, 259–331 (1972)CrossRefMATHMathSciNetGoogle Scholar
  27. [Se2]
    J.P. Serre, Résumé des cours de 1985–1986 (Annuaire du Collège de France, 1986)Google Scholar
  28. [S]
    B. Smith, Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves, in Advances in Cryptology: EUROCRYPT 2008, Istanbul. Lecture Notes in Computer Science, vol. 4965 (2008)Google Scholar
  29. [T]
    J. Tate, Endomorphisms of abelian varieties over finite fields. Invent. Math. 2, 134–144 (1966 )CrossRefMATHMathSciNetGoogle Scholar
  30. [V]
    J. Vélu, Isogénies entre courbes elliptiques. C.R. Acad. Sci. Paris Ser. A 273, 238–241 (1971)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Institute for Experimental MathematicsUniversity of Duisburg-EssenEssenGermany

Personalised recommendations