Real hyperelliptic curve

Article snapshot taken from[REDACTED] with creative commons attribution-sharealike license.

In mathematics, there are two types of hyperelliptic curves, a class of algebraic curves: real hyperelliptic curves and imaginary hyperelliptic curves, which differ by the number of points at infinity. Hyperelliptic curves exist for every genus $g\geq 1$. The general formula of a hyperelliptic curve over a finite field $K$ is given by $C:y^{2}+h(x)y=f(x)\in K[x,y]$ where $h(x),f(x)\in K[x]$ satisfy certain conditions. This page describes real hyperelliptic curves: these are curves having two points at infinity, while imaginary hyperelliptic curves have one point at infinity.

Definition

A real hyperelliptic curve of genus $g$ over $K$ is defined by an equation of the form $C:y^{2}+h(x)y=f(x)$ where $h(x)\in K[x]$ has degree not larger than $g+1$ while $f(x)\in K[x]$ must have degree $2g+1$ or $2g+2$. This curve is a non-singular curve, where no point $(x,y)$ in the algebraic closure of $K$ satisfies the curve equation $y^{2}+h(x)y=f(x)$ and both partial derivative equations: $2y+h(x)=0$ and $h'(x)y=f'(x)$. The set of (finite) $K$-rational points on $C$ is given by $C(K)=\left\{(a,b)\in K^{2}\mid b^{2}+h(a)b=f(a)\right\}\cup S$ where $S$ is the set of points at infinity. For real hyperelliptic curves, there are two points at infinity, $\infty_{1}$ and $\infty_{2}$. For any point $P(a,b)\in C(K)$, the opposite point of $P$ is given by $\overline{P}=(a,-b-h)$; it is the other point with x-coordinate $a$ that also lies on the curve.

Example

Let $C:y^{2}=f(x)$ where $f(x)=x^{6}+3x^{5}-5x^{4}-15x^{3}+4x^{2}+12x=x(x-1)(x-2)(x+1)(x+2)(x+3)$ over $R$. Since $\deg f(x)=2g+2$ and $f(x)$ has degree 6, $C$ is a curve of genus $g=2$.

The homogeneous version of the curve equation is given by $Y^{2}Z^{4}=X^{6}+3X^{5}Z-5X^{4}Z^{2}-15X^{3}Z^{3}+4X^{2}Z^{4}+12XZ^{5}.$ It has a single point at infinity given by (0:1:0) but this point is singular. The blowup of $C$ has 2 different points at infinity, which we denote $\infty_{1}$ and $\infty_{2}$. Hence this curve is an example of a real hyperelliptic curve.

In general, every curve given by an equation where f has even degree has two points at infinity and is a real hyperelliptic curve, while those where f has odd degree have only a single point in the blowup over (0:1:0) and are thus imaginary hyperelliptic curves. In both cases this assumes that the affine part of the curve is non-singular (see the conditions on the derivatives above).
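To make the definition concrete, the following Python sketch (an added example, not part of the original article) reduces the example curve modulo an odd prime p, checks the non-singularity conditions, lists the finite rational points and computes opposite points. The primes used and all function names are assumptions chosen for illustration.

```python
# Added example: the page's curve y^2 = f(x) (h = 0), reduced modulo an odd prime p.
# The primes tried and all function names are assumptions made for illustration.
F = [0, 12, 4, -15, -5, 3, 1]  # f = x^6+3x^5-5x^4-15x^3+4x^2+12x, lowest degree first

def ev(coeffs, a, p):
    """Evaluate a polynomial at a modulo p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * a + c) % p
    return acc

def derivative(coeffs):
    return [i * c for i, c in enumerate(coeffs)][1:]

def is_nonsingular(p):
    """With h = 0 and p odd, a singular point needs y = 0, f(a) = 0 and f'(a) = 0.
    f splits into linear factors over the integers, so every root mod p lies in
    F_p and scanning a in F_p also covers the algebraic closure."""
    df = derivative(F)
    return not any(ev(F, a, p) == 0 and ev(df, a, p) == 0 for a in range(p))

def finite_points(p):
    """All (a, b) in F_p^2 with b^2 = f(a)."""
    return [(a, b) for a in range(p) for b in range(p)
            if (b * b - ev(F, a, p)) % p == 0]

def opposite(P, p):
    """Opposite point (a, -b - h(a)); here h = 0."""
    a, b = P
    return (a, (-b) % p)

def self_opposite(p):
    """Finite points that coincide with their own opposite (2b + h(a) = 0)."""
    return [P for P in finite_points(p) if opposite(P, p) == P]

def count_points(p):
    """Finite points plus the two points at infinity. Both are F_p-rational here
    because the leading coefficient of f (which is 1) is a square."""
    return len(finite_points(p)) + 2
```

Modulo 5 the roots 2 and -3 of f coincide, so the reduced curve is singular there and is not a genus 2 curve; modulo 7 and 11 the six roots stay distinct.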

Arithmetic in a real hyperelliptic curve

On a real hyperelliptic curve, addition is no longer defined on points as in elliptic curves but on divisors and the Jacobian. Let $C$ be a hyperelliptic curve of genus g over a finite field K. A divisor $D$ on $C$ is a formal finite sum of points $P$ on $C$. We write $D=\sum_{P\in C}n_{P}P$ where $n_{P}\in\mathbb{Z}$ and $n_{P}=0$ for almost all $P$.

The degree of $D=\sum_{P\in C}n_{P}P$ is defined by $\deg(D)=\sum_{P\in C}n_{P}.$ $D$ is said to be defined over $K$ if $D^{\sigma}=\sum_{P\in C}n_{P}P^{\sigma}=D$ for all automorphisms $\sigma$ of $\overline{K}$ over $K$. The set $Div(K)$ of divisors of $C$ defined over $K$ forms an additive abelian group under the addition rule $\sum a_{P}P+\sum b_{P}P=\sum(a_{P}+b_{P})P.$

The set $Div^{0}(K)$ of all degree zero divisors of $C$ defined over $K$ is a subgroup of $Div(K)$.

We take an example:

Let $D_{1}=6P_{1}+4P_{2}$ and $D_{2}=1P_{1}+5P_{2}$. If we add them then $D_{1}+D_{2}=7P_{1}+9P_{2}$. The degree of $D_{1}$ is $\deg(D_{1})=6+4=10$ and the degree of $D_{2}$ is $\deg(D_{2})=1+5=6$. Then, $\deg(D_{1}+D_{2})=\deg(D_{1})+\deg(D_{2})=16.$

For polynomials $G\in K[C]$, the divisor of $G$ is defined by $\mathrm{div}(G)=\sum_{P\in C}\mathrm{ord}_{P}(G)P.$ If the function $G$ has a pole at a point $P$ then $-\mathrm{ord}_{P}(G)$ is the order of vanishing of $G$ at $P$. Assume $G,H$ are polynomials in $K[C]$; the divisor of the rational function $F=G/H$ is called a principal divisor and is defined by $\mathrm{div}(F)=\mathrm{div}(G)-\mathrm{div}(H)$. We denote the group of principal divisors by $P(K)$, i.e., $P(K)=\{\mathrm{div}(F)\mid F\in K(C)\}$. The Jacobian of $C$ over $K$ is defined by $J=Div^{0}/P$. The factor group $J$ is also called the divisor class group of $C$. The elements which are defined over $K$ form the group $J(K)$. We denote by $\overline{D}\in J(K)$ the class of $D$ in $Div^{0}(K)/P(K)$.

There are two canonical ways of representing divisor classes for real hyperelliptic curves $C$ which have two points at infinity $S=\{\infty_{1},\infty_{2}\}$. The first one is to represent a degree zero divisor by $\bar{D}$ such that $D=\sum_{i=1}^{r}P_{i}-r\infty_{2}$, where $P_{i}\in C(\bar{\mathbb{F}}_{q})$, $P_{i}\neq\infty_{2}$, and $P_{i}\neq\bar{P_{j}}$ if $i\neq j$. The representative $D$ of $\bar{D}$ is then called semi-reduced. If $D$ satisfies the additional condition $r\leq g$ then the representative $D$ is called reduced. Notice that $P_{i}=\infty_{1}$ is allowed for some i. It follows that every degree 0 divisor class contains a unique representative $\bar{D}$ with $D=D_{x}-\deg(D_{x})\infty_{2}+v_{1}(D)(\infty_{1}-\infty_{2}),$ where $D_{x}$ is a divisor that is coprime with both $\infty_{1}$ and $\infty_{2}$, and $0\leq\deg(D_{x})+v_{1}(D)\leq g$.

The other representation is balanced at infinity. Let $D_{\infty}=\infty_{1}+\infty_{2}$; note that this divisor is $K$-rational even if the points $\infty_{1}$ and $\infty_{2}$ are not independently so. Write the representative of the class $\bar{D}$ as $D=D_{1}+D_{\infty}$, where $D_{1}$ is called the affine part and does not contain $\infty_{1}$ and $\infty_{2}$, and let $d=\deg(D_{1})$. If $d$ is even then $D_{\infty}=\frac{d}{2}(\infty_{1}+\infty_{2}).$

If $d$ is odd then $D_{\infty}=\frac{d+1}{2}\infty_{1}+\frac{d-1}{2}\infty_{2}.$ For example, let the affine parts of two divisors be given by

$D_{1}=6P_{1}+4P_{2}$ and $D_{2}=1P_{1}+5P_{2}$

then the balanced divisors are

$D_{1}=6P_{1}+4P_{2}-5D_{\infty_{1}}-5D_{\infty_{2}}$ and $D_{2}=1P_{1}+5P_{2}-3D_{\infty_{1}}-3D_{\infty_{2}}$
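The divisor bookkeeping above (formal sums, degree, and the part at infinity for even and odd d) can be written as a short Python sketch. This is an added example, not part of the original article: points are opaque labels, the keys "inf1" and "inf2" and the function names are assumptions, the affine part is assumed to have non-negative degree, and the infinite part is subtracted as in the worked example so the result has degree zero.

```python
from collections import Counter

# Added example: a divisor is a dict {point label: multiplicity}.
# "inf1"/"inf2" stand for the two points at infinity (labels are assumptions).

def add(d1, d2):
    """Formal sum: add multiplicities point by point and drop zero entries."""
    total = Counter(d1)
    for point, n in d2.items():
        total[point] += n
    return {pt: n for pt, n in total.items() if n != 0}

def negate(d):
    return {pt: -n for pt, n in d.items()}

def degree(d):
    """deg(D) is the sum of all multiplicities."""
    return sum(d.values())

def infinite_part(affine):
    """D_inf for an affine part of degree d >= 0:
    d even -> (d/2)(inf1 + inf2); d odd -> ((d+1)/2) inf1 + ((d-1)/2) inf2."""
    d = degree(affine)
    if d < 0:
        raise ValueError("affine part is assumed to have non-negative degree")
    return {"inf1": (d + 1) // 2, "inf2": d // 2}

def balanced(affine):
    """Degree-zero divisor: affine part minus D_inf, with the sign convention
    of the page's worked example."""
    if "inf1" in affine or "inf2" in affine:
        raise ValueError("affine part must not contain points at infinity")
    return add(affine, negate(infinite_part(affine)))

# The page's divisors
D1 = {"P1": 6, "P2": 4}
D2 = {"P1": 1, "P2": 5}
```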

Transformation from real hyperelliptic curve to imaginary hyperelliptic curve

Let $C$ be a real quadratic curve over a field $K$. If there exists a ramified prime divisor of degree 1 in $K$ then we are able to perform a birational transformation to an imaginary quadratic curve. A (finite or infinite) point is said to be ramified if it is equal to its own opposite. It means that $P=(a,b)=\overline{P}=(a,-b-h(a))$, i.e. that $h(a)+2b=0$. If $P$ is ramified then $D=P-\infty_{1}$ is a ramified prime divisor.

The real hyperelliptic curve $C:y^{2}+h(x)y=f(x)$ of genus $g$ with a ramified $K$-rational finite point $P=(a,b)$ is birationally equivalent to an imaginary model $C':y'^{2}+\bar{h}(x')y'=\bar{f}(x')$ of genus $g$, i.e. $\deg(\bar{f})=2g+1$ and the function fields are equal, $K(C)=K(C')$. Here:

$x'=\frac{1}{x-a}$ and $y'=\frac{y+b}{(x-a)^{g+1}}$ (i)

In our example $C:y^{2}=f(x)$ where $f(x)=x^{6}+3x^{5}-5x^{4}-15x^{3}+4x^{2}+12x$, $h(x)$ is equal to 0. For any point $P=(a,b)$, $h(a)$ is equal to 0 and so the requirement for $P$ to be ramified becomes $b=0$. Substituting $h(a)$ and $b$, we obtain $f(a)=0$, where $f(a)=a(a-1)(a-2)(a+1)(a+2)(a+3)$, i.e., $a\in\{0,1,2,-1,-2,-3\}$.

From (i), we obtain $x=\frac{ax'+1}{x'}$ and $y=\frac{y'}{x'^{g+1}}$. For g = 2, we have $y=\frac{y'}{x'^{3}}$.

For example, let $a=1$; then $x=\frac{x'+1}{x'}$ and $y=\frac{y'}{x'^{3}}$, and we obtain $$\left(\frac{y'}{x'^{3}}\right)^{2}=\frac{x'+1}{x'}\left(\frac{x'+1}{x'}+1\right)\left(\frac{x'+1}{x'}+2\right)\left(\frac{x'+1}{x'}+3\right)\left(\frac{x'+1}{x'}-1\right)\left(\frac{x'+1}{x'}-2\right).$$

To remove the denominators, this expression is multiplied by $x'^{6}$; then $y'^{2}=(x'+1)(2x'+1)(3x'+1)(4x'+1)(1)(1-x')$, giving the curve $C':y'^{2}=\bar{f}(x')$ where $$\bar{f}(x')=(x'+1)(2x'+1)(3x'+1)(4x'+1)(1)(1-x')=-24x'^{5}-26x'^{4}+15x'^{3}+25x'^{2}+9x'+1.$$

$C'$ is an imaginary quadratic curve since $\bar{f}(x')$ has degree $2g+1$.
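The substitution carried out by hand above can be done mechanically. The following Python sketch is an added example, not part of the original article; it assumes h = 0 and a ramified point (a, 0), uses illustrative function names, and goes slightly beyond the a = 1 case by accepting any root a of f.

```python
from fractions import Fraction

# Added example: the page's curve y^2 = f(x), h = 0, genus g = 2.
# Polynomials are integer coefficient lists, lowest degree first.
F = [0, 12, 4, -15, -5, 3, 1]
G = 2

def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] += pi * qj
    return out

def poly_eval(p, x):
    acc = 0
    for c in reversed(p):
        acc = acc * x + c
    return acc

def imaginary_model(f, a, g):
    """Substitute x = (a x' + 1)/x', y = y'/x'^(g+1) and clear denominators:
    fbar(x') = sum_k f_k (a x' + 1)^k x'^(2g+2-k).
    The x'^(2g+2) coefficient equals f(a), so it vanishes when (a, 0) is ramified."""
    if poly_eval(f, a) != 0:
        raise ValueError("(a, 0) is not a ramified point: f(a) != 0")
    n = 2 * g + 2
    fbar = [0] * (n + 1)
    power = [1]                          # (a x' + 1)^k, starting at k = 0
    for k, c in enumerate(f):
        for i, coeff in enumerate(power):
            fbar[n - k + i] += c * coeff  # shift by x'^(n-k)
        power = poly_mul(power, [1, a])
    while len(fbar) > 1 and fbar[-1] == 0:
        fbar.pop()                        # drop vanished leading terms
    return fbar

def map_point(P, a, g):
    """Image of a finite point (x, y), x != a, under (i) with b = 0."""
    x, y = Fraction(P[0]), Fraction(P[1])
    xp = 1 / (x - a)
    return xp, y * xp ** (g + 1)
```

For a = 1 the returned coefficients reproduce the quintic derived above, and its leading coefficient -24 equals f'(1), which is non-zero because the curve is non-singular at the ramified point.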
