7 The isomorphism between Cl(O) and Cl(F )

Theorem 7.1. The ideal class groupCl(O), is isomorphic to the form class group Cl(F).

This theorem will be proved through a series of lemmas. We will start with proving that there exists a well defined map φ fromCl(F) toCl(O).

For a map to be well defined, it can’t map one element to several elements, or classes in this case. So we need to prove that one equivalence class maps to no more than one coset in the ideal class group.

The form class group consists of equivalence classes, where equivalences are based on matrices with determinants equal to one. The group of all such matrices, is calledSL2(Z). Thus it suffices to look at how the generators of this group behave when mapped.

Thus we can safely assume that deg(A) ≤ deg(C). Because deg(A) ≤ deg(C) there exists a Q and anR, such that

C =QA+R

7 /The isomorphism between Cl(O) andCl(F)

where Q, R ∈ k[x], and deg(R) < deg(A), which implies that it is possible to write

By definition of the reminder, deg(R) < deg(A) and we know that deg(A) ≤ deg(C), which implies that deg(R) < deg(C). It is possible to repeat this pro-cess, and because deg(R)<deg(C), we get a descending chain that is bound to terminate in finitely many steps. Thus after finitely many steps, C becomes 0.

So we can write W =E₁E₂...E_sW⁰, where E_i = de-terminant of Ei is one for all i. By definition of the matrix W, its determinant is equal to one as well. We know that det(AB) = det(A)∗det(B). This implies that the determinant of the matrixW⁰=

A⁰ B⁰ 0 D⁰

has to be one. Which further implies that D⁰=A⁰⁻¹, resulting in the matrix

W⁰=

This implies that W⁰ is just a multiple of T1 and T2(M). We know that W = E1E2...EsW⁰, and we just proved that the matrices Ei and W⁰ are multiples of T1 andT2(M), which in turn proves that W is a multiple of T1 and T2(M). This proves that SL2(Z)is generated by T1 and T2(M).

Lemma 7.3. Let φ: be a map from Cl(F) to Cl(O), such that φ:Ax²+ 2Bxy+Cy²7→ hA, B+yi By this, φ is a well defined surjective map.

Proof: As a result of lemma 7.2, it is sufficient to look at how the generators T₁ and T2(M), map. The matrix T1 maps (A, B, C) to (C,−B, A).

(A, B, C)7→ hA, B+yi (C,−B, A)7→ hC,−B+yi

hA, B+yi and hC,−B +yi have already been proved to be equivalent to each other. The matrix T₂(M) maps (A, B, C)∈ Cl(F), to (A,(B+AM), C), where M ∈k[x].

(A, B, C)7→ hA, B+yi

(A,(B+AM), C)7→ hA,(B+AM) +yi

hA, B+yiandhA,(B+AM) +yiare equivalent to each other, because it is only a multiple of A that differentiates them.

We also defined (mA, B,_m^C) to be equivalent to (A, B, C) therefore we have to prove this as well.

(A, B, C)7→ hA, B+yi

mA, B, C m

7→ hmA, B+yi

hmA, B+yiandhA, B+yiare equivalent to each other, becausemis an element ink^∗, thus it does not change the ideal it generates. This proves that the mapφis well defined, as it maps one class to one coset. Proposition 6.1 guarantees that all binary quadratic forms are equivalent to a reduced binary quadratic form, where deg(B) < deg(A) < deg(C) and deg(A) ≤ g. Proposition 5.2 guarantees that each coset in the ideal class group Cl(O) has one element such that deg(B) <

deg(A) < deg(C) and deg(A) ≤ g. As all elements in the form class group Cl(F) are equivalent to an element on the form deg(B)<deg(A)<deg(C) and deg(A) ≤ g, and all cosets in the ideal class group Cl(O) have one element on the same form, the map φ has to be surjective. This concludes our proof.

7 /The isomorphism between Cl(O) andCl(F)

Lemma 7.4. Let I = hα1, α2i, where α1, α2 ∈ O, and ψ be a map form Cl(O) to Cl(F), such that

ψ : hα1, α2i 7→ N(α1x+α2y)

N(I) =qα₁,α₂

where N(α1x+α2y) = (α1x+α2y)( ˜α1x+ ˜α2y), and α˜1 and α˜2 are equal to α1

and α2 conjugated. N(I) = _σ(^det_det^β(α1,α2)

β(α₁,α₂)) as defined in definition 5.1 By this ψ is a well defined and surjective map.

Proof:

N(α₁x, α₂y)

=(α1x+α2y)( ˜α1x+ ˜α2y)

=α1α˜1x²+ (α1α˜2+α2α˜1)xy+α2α˜2y²

We know thatα1α˜1, (α1α˜2+α2α˜1)andα2α˜2are in the idealI. We also know that y² =f(x), which is in k[x]. This implies that (α₁α˜1),(α1α˜2+α2α˜1), and (α₂α˜2) are in k[x] and thus multiples of N(I). This implies that (α1α˜1),(α1α˜2+α2α˜1), and (α2α˜2) are divisible byN(I).

This further implies that it is possible to write α1α˜1

N(I) =A (α1α˜2+α2α˜1)

N(I) = 2B α₂α˜₂ N(I) =C

thus proving that ^N(α_N(I)^1x+α2y) is a binary quadratic form.

The discriminant to Ax²+ 2Bxy+Cy² is (2B)²−4AC

=

α1α˜2+α2α˜1

N(I)

2

−4

α1α˜1α2α˜2

N(I)²

=(α₁α˜₂+α₂α˜₁)²−4α₁α˜₁α₂α˜₂ N(I)²

=(α1α˜2−α2α˜1)² N(I)²

34

Let α1=A and α2=B+y, resulting in (α1α˜2−α2α˜1)²

N(I)²

=(A(B−y)−(B+y)A)² N(I)²

=4A²y² N(I)²

=4f(x)

asy² =f(x). The discriminant to a basis hA, B+yiis 4f(x), thus it is the same as for ψ(Ax²+ 2Bxy+Cy²).

Proposition 5.1 states that an idealI inOis on the formhα₁, α₂i. In the proof we went even further, by proving that an ideal inOis actually on the formhA, B+yi.

None of the operations used in the proof will change the discriminant.

It is clear that hα₁, α₂i is equivalent to hU α₁+Rα₂, V α₁+Sα₂i. Thus we need to prove that q_α1,α2 is equivalent toq_{U α1+Rα2,V α1+Sα2}. Let

U R V S

∈SL₂(Z).

If we look at

qα1,α2 = N(α1x+α2y) N(I)

= α1α˜1x²+ (α1α˜2+α2α˜1)xy+α2α˜2y² N(I)

which again gives us

N(I)A=α1α˜1

N(I)2B = (α1α˜2+α2α˜1) N(I)C =α2α˜2

7 /The isomorphism between Cl(O) andCl(F)

has a determinant of one, then so does

and

qU α1+Rα2,V α1+Sα2

= AU²+ 2BRU +CR² x²

+ (2AU V + 2B(U S +RV) + 2CRS)xy + AV²+ 2BV S+CS²

y²

implying that qα1,α2 and qU α1+Rα2,V α1+Sα2 are equivalent. This proves that the map ψ is well defined.

Again, we use proposition 6.1 and 5.2 which guarantees that all binary quadratic forms inCl(F)and cosets inCl(O)are equivalent to an element, where deg(B)<

deg(A) < deg(C) and deg(A) ≤ g. As all elements in the form class group Cl(F) are equivalent to an element on the form deg(B)<deg(A)<deg(C) and deg(A) ≤ g, and all cosets in the ideal class group Cl(O) have one element on the same form, and the fact that ψ is well defined, this implies that ψ has to be surjective. This concludes our proof.

Lemma 7.5. Let φ be as defined in lemma 7.3, and ψ be as defined in lemma 7.4, then

φ◦ψ and ψ◦φ are identity maps.

Proof: For φ◦ψ to be an identity map, then

φ(ψ(hA, B+yi)) =hA, B+yi

ψ(hA,−B+yi)

=q_α1,α2

=α₁α˜₁x²+ (α₁α˜₂+α₂α˜₁)xy+α₂α˜₂y² N(I)

We know that α1=A og α2=B+y, which results in

ψ(hA, B+yi)

=A²x²+ 2ABxy+ (B²−f)y² N(I)

7 /The isomorphism between Cl(O) andCl(F)

In the form class group, we know that A is monic, thus N(I) =A

=A²x²+ 2ABxy+ (B²−f)y² N(I)

=Ax²+ 2Bxy+ (B²−f A )y² ψ(hA, B+yi) =Ax²+ 2Bxy+Cy²

φ(ψ(hA, B+yi))

=φ(Ax²+ 2Bxy+Cy²) φ(ψ(hA, B+yi)) =hA, B+yi

This proves that φ◦ψ is an identity mapping. We know thatψ is surjective. By definition, it is then possible to write all binary quadratic forms as q =ψ(I) for some ideal I. This further implies that ψ(φ(q)) = ψ(φ(ψ(I))). We just proved that φ◦ψ is an identity mapping, thus ψ(φ(q)) =ψ(φ(ψ(I))) =ψ(I) =q, which proves that ψ◦φ is an identity mapping as well, and concludes our proof.

Definition 7.1. Letq₁andq₂be inCl(F), and·be the group operation inCl(O).

We then define the group operation in Cl(F) to be ψ(φ(q1)·φ(q2))

To prove that φ is an homomorphism, let q1 and q2 be binary quadratic forms.

Then, by definition,

φ(q1q2) =φ(ψ(φ(q1)·φ(q2))) As φ◦ψ is an identity mapping, this implies that

φ(q1q2) =φ(ψ(φ(q1)·φ(q2))) =φ(q1)φ(q2) which proves that φ is an homomorphism.

To prove that ψ is an homomorphism, let I1 and I2 be ideals in Cl(O). Lemma 7.3 guarantees thatφis surjective, and all ideals inCl(O)can therefore be written as I =φ(q). This gives us

ψ(I₁·I₂) =ψ(φ(q₁)·φ(q₂)) This is the definition of the group operation in Cl(F), thus

ψ(I₁·I₂) =ψ(φ(q₁)·φ(q₂))

=q1q2

As φ(q_i) =I_i, for i= 1,2, thenψ(I_i) =q_i. This gives us q1q2=ψ(I1)ψ(I2)

This proves thatψ is an homomorphism and concludes the proof of theorem 7.1.

38

8 Conclusion

We have described the four faces of hyperelliptic curves and proved that the form class group and ideal class group are isomorphic. We have also described an algo-rithm that does group operations strictly in the jacobian of hyperelliptic curves.

Further work would have included comparison of the group operations in the ja-cobian and the ideal class group, to see which one is theoretically faster. Ease of visualization would have been emphasized as well, as it seems that some computer security researchers are reluctant to use hyperelliptic curve cryptography because of its complexity. A special case of hyperelliptic curves have recently been given attention as a candidate as the post quantum cryptographic algorithm. Super-singular isogeny Diffie–Hellman key exchange (SIDH), as it is called is based on supersingular elliptic curves and the isogenies between them.

8 /Conclusion

References

[1] Robert J. Zuccherato Alfred J. Menezes Yi-Hong Wu. “An elementary in-troduction to hyperelliptic curves”. In: (1996). url: https : / / www . math . uwaterloo.ca/~ajmeneze/publications/hyperelliptic.pdf.

[2] William Fulton. Algebraic curves. http : / / www . math . lsa . umich . edu /

~wfulton/CurveBook.pdf. 2008.

[3] Tanja Lange. “Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite Fields via Explicit Formulae”. In: (2003). url: https : / / eprint . iacr.org/2002/121.pdf.

[4] Krysta M. Svore Kristin Lauter Martin Roetteler Michael Naehrig. “Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms”. In:

(2017). url: https://arxiv.org/abs/1706.06752v3.

[5] Joseph H. Silvermann.The Arithmetic of Elliptic Curves. Springer Sience+Business Media, LLC, 2016. isbn: 978-0-387-09493-9.

40

In document The Four Faces of Hyperelliptic curves (sider 41-50)