DTU (Copenhagen) September 2005

AGM for elliptic curves

By
Christophe RITZENTHALER
2
Contents
1 p-adic numbers 5
1.1 Projective limit, completion and discrete valuation ring . . . . . . . . . 5
1.2 Z
p
, Q
p
and their (unramied) extensions . . . . . . . . . . . . . . . . . . 8
1.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.1 p-adics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.2 For beginners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2 Elliptic curves over C 13
2.1 Torus and elliptic curves . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Isogeny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3 Elliptic curves over nite elds 17
3.1 Zeta function of elliptic curves . . . . . . . . . . . . . . . . . . . . . . . 17
3.1.1 Reviews on elliptic curves . . . . . . . . . . . . . . . . . . . . . . 19
3.1.2 Weil conjectures : the proof for g = 1 . . . . . . . . . . . . . . . 22
3.2 Ordinary and supersingular elliptic curves . . . . . . . . . . . . . . . . . 23
3.2.1 Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2.2 Lift, canonical lift . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4 Fast computations of Zeta functions 27
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.2 The complex theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.2.1 Computation of periods . . . . . . . . . . . . . . . . . . . . . . . 30
4.2.2 Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.3 2-adic method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.3.1 Lift . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.3.2 Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.3.3 Trace of the Frobenius . . . . . . . . . . . . . . . . . . . . . . . . 36
4.3.4 Complexity and Conclusion . . . . . . . . . . . . . . . . . . . . . 37
3
4 CONTENTS
Chapter 1
p-adic numbers
Our philosophy will be simple : take what is good about nite elds (i.e unicity of
extensions of a given degree, Galois extensions with cyclic group structures) and leave
the bad things (i.e analytic problems like (x
p
)

= 0). Indeed, analysis in character-

istic p > 0 (and also representation theory) are not very convenient and there is a
common trick (projective limits) to pass to a characteristic 0 structure. In the case of
nite elds, these new structures can be built in a lot of dierent ways and arrive then
with rich (analytic and arithmetic) properties that we will try to sum up in this chapter.
References : Serre (Local elds) A.J. Baker (an introduction to p-adic numbers
and p-adic analysis), on the web.
1.1 Projective limit, completion and discrete valuation ring
A rst point of view is the (formal) algebraic construction that relies on projective limit.
We give here an ad-hoc denition.
Denition 1.1.1. Let (A
i
, p
ij
)
iN
a directed family of rings (i.e the p
ij
are compatible
homomorphisms from A
i
to A
j
for all i j). Let =

A
i
and consider the subset A
of of all elements (a
i
) with a
i
A
i
and for i j, p
ij
(a
i
) = a
j
. A is a subring of
denoted lim

A
i
and called the projective (or inverse) limit of the (A
i
, p
ij
)
iN
.
Example 1. Let p be a prime and for i j let p
ij
: Z/p
i
Z Z/p
j
Z be the natural
projections. This is a directed family.
This inverse limit can also be characterized by an universal property :
Proposition 1.1.1. A comes with a family of morphisms p
i
: A A
i
such that : if B
is a ring and
i
: B A
i
a family of compatible morphisms (i.e for i j the following
diagram is commutative
5
6 CHAPTER 1. P-ADIC NUMBERS
B

i
//

@
@
@
@
@
@
@
@
A
i
p
ij

A
j
) then there is a morphism : B A such that for all i the following diagram is
commutative :
B

//

@
@
@
@
@
@
@
A
p
j

A
j
Remark 1. In the case of the example, the natural morphisms from Z Z/p
i
Z shows
that there is a morphism from Z to the projective limit. This morphism is injective so
the projective limit is a ring of characteristic 0.
The second point of view is analytic. We want to say some words on completions.
Let R be a domain (i.e an integral commutative ring with unity) and K its eld of
fractions.
Denition 1.1.2. A surjective homomorphism v : K

(Z, +) is called a (discrete)

valuation if for all x, y K

one has
v(x +y) inf(v(x), v(y)).
We make the convention that v(0) = +.
Example 2. In the case of R = Z, one can dene for each prime p a valuation v = v
p
called the p-adic valuation in the following way : for 0 = a Z, v(a) = max{r : p
r
|a}
and if x = a/b Q

one denes v(x) = v(a) v(b). It is easy to check the dierent

properties.
Denition 1.1.3. A map N : R R
+
is called a norm (or absolute value) on R if
N(x) = 0 i x = 0.
N(xy) = N(x)N(y) for all x, y R.
N(x +y) N(x) +N(y) for all x, y R.
If moreover one can replace the last inequality by
N(x +y) max(N(x), N(y))
then the norm is called non-archimedian (or ultrametric).
1.1. PROJECTIVE LIMIT, COMPLETION AND DISCRETE VALUATION RING7
Example 3. On Q (or R, C) one has the usual norm which is archimedian. But on Q
one can also create (innitely many) non-archimedian norms in the following way : for
each prime p, one denes for x = 0, N(x) = |x|
p
= p
v(x)
. It is easy to check that this
denes a non archimedian norm on Q.
Let us remark that a famous theorem (Ostrawskis theorem) claims that the norms pre-
sented here are the only (non-trivial) ones over Q up to equivalence (N
1
, N
2
are equiv-
alent if N
1
= N
s
2
for s R
>0
).
R is now given with a norm N.
Denition 1.1.4. A sequence (a
n
) of elements of R is said to be Cauchy (w.r.t N) if
> 0 M N such that m, n > M N(a
m
a
n
) < .
A ring R is said complete (w.r.t. N) if every Cauchy sequence with coecients in R
converges in R.
One remembers that not every Cauchy sequence with coecients in Q (with its usual
norm) is convergent in Q (for instance 10
n

2/10
n
) and that leads to the denition of
R as limit of all Cauchy sequences. This construction works in general. Let us dene
CS(R) the set of Cauchy sequences in R and Null(R) the set of sequences with limit 0.
One can then prove the following result.
Proposition 1.1.2. The ring

R = CS(R)/Null(R) with the norm

N((a
n
)) = limN(a
n
)
is complete. The norm

N extends the norm N (for the canonical embedding of R in

R
as a constant sequence) and it is non archimedian i N is.
In the next section we will apply this result in the case Q (or Z) and | |
p
.
A last point of view will be the arithmetic one.
Proposition 1.1.3. Let K be a eld with a discrete valuation. Then the set R of x K
such that v(x) 0 is a principal domain with a unique non-zero maximal ideal M. Such
a ring is called a discrete valuation ring. In particular R is a local ring (i.e with a unique
non-zero prime ideal).
Proof. Let be an element such that v() = 1. Every x R can be written in the
form x =
n
u with n = v(x) and v(u) = 0. Now v(u) = 0 implies u invertible (because
v(1/u) = 0 too). So every non-zero ideal of R is of the form
n
R with n 0 which
shows that R is indeed a discrete valuation ring.
Reciprocally if R is a discrete valuation ring with prime ideal (), it is easy to see
that every non zero element x of the eld of fraction K

can be written in x =
n
u with
u invertible and n Z unique. The map x n is a valuation on K. Note that the
elements with valuation 0 are exactly the invertible elements of R. They are called the
units of R.
8 CHAPTER 1. P-ADIC NUMBERS
Example 4. If K = Q with the p-adic valuation, one nds R = Z
(p)
the localization
of Z in p (i.e elements of Q of the form r/s with s not divisible by p). This ring has a
unique maximal ideal, namely (p).
Another kind of example is k((T)) the eld of formal power series in one variable over
the eld k. For every non zero formal series
f(T) =

nn
0
a
n
T
n
one denes the order v(f) = n
0
. The valuation ring is denoted k[[T]].
A few more denitions. As M is maximal, R/M is a eld called the residue eld of R.
In the rst example it is F
p
, in the second it is k. The element is called a uniformizer.
If A has characteristic 0 and the residue eld has characteristic p > 0, one can identify
Z with a subring of R and p with an element of R. The integer e = v(p) is called
the absolute ramication index of R. R is absolutely unramied if e = 1, i.e if p is a
uniformizer of R.
Theorem 1.1.1. For every perfect eld k of characteristic p, there exists a complete
discrete valuation ring and only one (up to unique isomorphism) which is absolutely
unramied and has k as its residue eld. One denotes this ring W(k) ( ring of Witt
vectors).
1.2 Z
p
, Q
p
and their (unramied) extensions
We have the following equivalent denitions, depending on the point of view (algebraic,
analytic or arithmetic).
Theorem 1.2.1. Let p be a prime. The following constructions yield the same ring
denoted Z
p
.
1. The projective limit of the direct family (Z/p
i
Z, p
ij
) with p
ij
: Z/p
i
Z Z/p
j
Z the
natural projections.
2. The completion of Z with respect to | |
p
.
3. W(F
p
).
In the same way Q
p
can be seen as the eld of fractions of Z
p
or directly as the
completion of Q w.r.t. | |
p
.
This theorem shows us that Z
p
is a complete discrete valuation ring of characteristic
0 with residue eld F
p
and eld of fraction Q
p
. Q embeds in Q
p
and is dense for the
topology induced by | |
p
.
1.2. Z
P
, Q
P
AND THEIR (UNRAMIFIED) EXTENSIONS 9
Proposition 1.2.1. Let R be a complete discrete valuation ring with eld of fractions K
and residue eld k. Let S be a system of representatives of k in R and an uniformizer.
Every element a R can be written uniquely as a convergent series
a =

n=0
s
n

n
with s
n
S.
Every element x K can be written as
x =

n
s
n

n
with s
n
S.
Proof. The second assertion results from the rst by multiplying by a suitable negative
power of . By denition of S, there exists s
0
S such that a s
0
0 (mod ). If
ones writes a = s
0
+ a
1
and apply the same procedure to a
1
one obtains an s
1
S
such that
a = s
0
+s
1
+a
2

2
,
and so on. The series

s
n

n
converges to a and one sees that it is unique. Conversely
every series of this form is convergent since its general term converges to zero and R is
complete.
In the case of Z
p
we can take = p and S = {0, . . . , p 1} N.
The rst and second interpretations give also convenient ways to represent an element :
in the rst case it is the sequence (

i1
n=0
s
n
p
n
(mod p
i
)) and the sequence (

i1
n=0
s
n
p
n
)
in the second case.
Example 5. The integer 13 is represented by (1, 4, 13, 13, . . .), (13, 13, . . .) = (1, 4, 13, . . .)
or 1 + 1 3 + 1 3
2
in Z
3
.
Th. 1.1.1 shows us also that we can dene complete discrete valuation rings with
residue eld F
q
for every q = p
m
in a unique way. One denotes such rings Z
q
and their
eld of fractions Q
q
. Applying Prop. 1.2.1 one can represent elements of these elds by
series

n
s
n
p
n
with s
n
S
for some representative set S of F
q
. A convenient way to proceed is then the following
: let

P F
p
[T] be a dening polynomial of the extension F
q
/F
p
and P Z[T] a lift of
this polynomial as a monic polynomial of degree m. Then the elements of Q
q
can be
represented by

n
P
n
()p
n
where P
n
is a polynomial of degree less than m with coecient in {0, . . . , p 1} and
is a root of P.
10 CHAPTER 1. P-ADIC NUMBERS
Of course Z
p
(resp. Q
p
) embeds naturally in Z
q
(resp. Q
q
) and so we have an extension
of elds Q
q
/Q
p
. As our elds copy the case of nite elds, one obtains the following
pleasant result.
Proposition 1.2.2. The extension Q
q
/Q
p
is Galois with Galois group Z/mZ Gal(F
q
/F
p
).
It is generated by an element called the Frobenius substitution characterized by the
property : for all x Z
q
, x

(mod p) = x
p
(mod p).
Remark 2. More generally, every nite extension K of Q
p
is a local eld (i.e a complete
eld with discrete valuation and a nite residue eld). But K/Q
p
may be ramied and
p not an uniformizer in K.
Note also that the appellation local eld has a counterpart, the global elds (i.e number
elds or function elds in one variable over nite elds). In a sense, global elds may
be studied locally and then by gluing the various local information together. This leads
to the theory of ad`eles.
1.3 Exercises
1.3.1 p-adics
Write 50, 137 as a power series in Z
13
. Compute 137 + 50 in Z
13
.
We would like to do that with the software MAGMA. If you have never used MAGMA
before, start with the next section.
1. Create the structure.
2. Change the output shape.
3. Compute 137 + 50 in Z
13
.
4. Compare.
Now we can do other operations : take the inverse of 137 for instance, or its square.
Does 137 admit a square root in Q
13
?
We want to deal now with extensions :
1. Create the structure.
2. What is the dening polynomial of L.
3. Does 137 admits a square root in this extension ?
4. Give the residue eld of L.
5. Give the Frobenius substitution.
6. Apply it to

137 and check the reduction property.

1.3. EXERCISES 11
1.3.2 For beginners
To start : type magma (and return).
The most important thing is the help. There exist two sorts : the html les are
the most convenient. They contain, besides the description of each command, examples
and even mathematical background. You can access commands by topic (nite groups,
commutative algebra, algebraic geometry) or through the index.
The second help is online : when you want information about a command, lets say
RandomPrime, you type RandomPrime;.
A last tip before we start : there is a automatic completion with tab. This is useful
when you do not remember exactly the name : MAGMA follows very closely the exact
denition.
We will start with some examples that look really similar to MAPLE. To Evaluate
an expression you need to end it with ;. To dene an object you write f:=. . . . As you
may see it does not display the result. To see it you have to write f;.
1. Compute
123
10
+
33
127
.
2. Compute 2 +

3.
3. Compute 200! and factorize this number.
4. Is 2
1233
+ 321 prime ?
Some examples how to handle sets, sequences, lists :
1. Dene the sets I = {1, 4, 10}, J = {2, 4, 8}. Do the following operations : I J
and I J.
2. Create a random list of 10 integers. Extract the 8th.
Unlike MATHEMATICA/MAPLE, MAGMA require to dene properly where you
are working. You cannot open a MAGMA section and write : f = x
3
+ 3;. MAGMA
does not know yet what is x. It is sometimes a bit tedious when you want to work with
polynomials in a lot of variables but the counterpart is that it allows much more objects
than the two others softwares : polynomials over extensions of nite elds or p-adic
elds, matrices with coecients in function elds . . . . And it is much more accurate,
mathematically speaking !
Very important elds for us are nite elds :
1. Create the eld F = F
23
.
2. Add 20 and 5 in this eld. This leads to the notion of coercion.
3. Create the eld K = F
23
4. What is a dening polynomial for this eld ? Compute
the square root of 10 in this eld.
12 CHAPTER 1. P-ADIC NUMBERS
One would like also to create extensions by choosing a dening polynomial.
1. Create the polynomial ring R with variable x over F
5
.
2. Create the polynomial f = x
6
+ 3x + 3. Evaluate f at 2. Is f irreducible ? What
is its splitting eld ? Call it F < w >.
3. Create an extension of F of degree 3 by a polynomial of your choice.
Chapter 2
Elliptic curves over C
Curves have not always been curves, before they were . . . surfaces ! Indeed it is a deep
and nice result that irreducible algebraic smooth curves over C and compact Riemann
surfaces are actually the same notion seen under two dierent spotlights. Hence curves
over C inherit a bunch of analytic properties. Moreover in the case of elliptic curves
over C, the structure is even richer : the curves are (connex, compact) Lie groups and
can be represented by quotients of C by a lattice (i.e tori) as we will see.
Reference : Silverman (the arithmetic of elliptic curves, Chap.VI)
2.1 Torus and elliptic curves
Let C be a lattice, that is is a discrete subgroup of C which contains an R-
basis of C. There exists two elements
i
C (linearly independent over R) such that
= Z
1
+Z
2
.
Let us consider the topological variety X = C/. X is called a torus. Indeed, topo-
logically, X is a square where the 2 pairs of opposite borders have been identied. In
particular X is of genus 1 (it is a donuts with 1 hole). One shows that X is in fact an
compact analytic variety. Moreover it is easy to describe the functions on it
Denition 2.1.1. An elliptic function is a meromorphic function f(z) on C which
satises
f(z +) = f(z) for all , z C.
Elliptic functions with no poles are constant as the surface is compact. Can we
construct non constant elliptic functions ?
Denition 2.1.2. The Weierstrass P-function is dened by the series
P(z, ) =
1
z
2
+

\{0}
_
1
(z +)
2

1

2
_
.
13
14 CHAPTER 2. ELLIPTIC CURVES OVER C
The function P

= dP(z, )/dz is also an elliptic function. One can prove that all elliptic
function is a polynomial in P and P

.
Let us dene also the Eisenstein series G
n
of weight n by
G
n
=

\{0}

n
.
The fundamental result is
Theorem 2.1.1. The elliptic functions P and P

satisfy the equation

P
2
= 4P
3
60G
4
P 140G
6
.
This is the ane equation for an elliptic curve E. The map
u : C/ E(C)
[z] (x = P(z) : y = P

(z) : 1) z /
[z] (0 : 1 : 0) z
is a complex analytic isomorphism of Riemann surfaces and a group homomorphism (for
the natural additive structure on C/.
Reciprocally if E/C is an elliptic curve, there exists a lattice such that C/ is iso-
morphic to E(C) (uniformization theorem).
Remark 3. Note that u

(dx/y) = d(P(z))/P

(z) = dz.
A natural question is then the following : starting from C how can we compute a
lattice ?
Proposition 2.1.1. Let E/C be an elliptic curve with Weierstrass coordinate functions
x, y. Let , be paths on E(C) giving a basis for H
1
(E, Z). Then if

1
=
_

dx/y and
2
=
_

dx/y
and if is the lattice generated by the
i
one has complex analytic isomorphism
F : E(C) C/, F(P) =
_
P
O
dx/y (mod ).
This map is inverse of u.
2.2 Isogeny
Let
1
,
2
be lattices in C. If C has the property that
1

2
, then
: C/
1
C/
2
, (z) = z (mod
2
)
is clearly a holomorphic homomorphism. They are more or less the only ones and more
important for us, they give all the isogenies on the associated elliptic curve.
2.2. ISOGENY 15
Proposition 2.2.1. The association
{ C :
1

2
} {holomorphic maps : C/
1
C/
2
with (0) = 0}
is a bijection.
The natural inclusion
{isogenies E
1
E
2
} {holomorphic maps : C/
1
C/
2
with (0) = 0}
is a bijection.
Remark 4. Knowing the isogeny f, one can easily get by the relation f

(dx/y) =
dx/y. In particular [m] m.
This theorem is very convenient to prove without troubles some results about iso-
genies that require much more work in a pure algebraic setting. Recall the following
denition, valid for any eld K.
Denition 2.2.1. Let E/K be an elliptic curve and m 2 be an integer. The isogeny
[m] : E E is of degree m
2
and we can look at the kernel of this map, which we denote
E[m] and which is called the m-torsion subgroup of E. It is a group (scheme) of order
m
2
.
Over C (and by Lefschetzs principle, for any algebraically closed eld of characteristic
0), one gets easily
Corollary 2.2.1. As abstract group
E[m] Z/mZ Z/mZ.
Proof. Let be a lattice such that E(C) is isomorphic to C/. Then
E[m] (C/)[m]
1
m
/ Z/mZ Z/mZ.
Theorem 2.2.1. Let E/C be an elliptic curve and
i
generators for the lattice asso-
ciated to E. Then either
1. End(E) = Z or
2. Q(
1
/
2
) is a quadratic imaginary extension of Q and End(E) is an order in
Q(
2
/
1
).
Recall that an order R in a number eld K is a subring of K which is nitely
generated as a Z-module and satises RQ = K.
16 CHAPTER 2. ELLIPTIC CURVES OVER C
Proof. Let =
2
/
1
. Since is homothetic to Z + Z we may replace by Z + Z.
Let
R = { C : },
so R End(E). Then for any R there exists integers a, b, c, d such that
= a +b and = c +d.
Eliminating yields

2
(a +d) +ad bc = 0.
So R is integral over Z.
If R = Z let choose R \ Z. Then with the notations as above b = 0 so eliminating
gives a non trivial equation
b
2
(a d) c = 0.
Therefore Q() is a quadratic imaginary extension of Q. As R Q() and R is integral
over Z it follows that R is an order in Q().
Remark 5. Elliptic curves over C (or in characteristic 0) which have a strictly bigger
endomorphism group than Z are rare and are called CM-elliptic curves (CM for Com-
plex Multiplication). They play a deep and important role in both theoretical and
computational arithmetic as we will see in Sec. 3.2.2.
Chapter 3
Elliptic curves over nite elds
This is the main object of this course. Indeed if we consider the rational points of an
elliptic curve over a nite eld, they form a nite group which is used as cryptosystem
for the Die-Helman protocol. An important thing about this group is to be able to
compute its order quickly in order to check that it is a prime number (or almost a prime
number). Methods to do this exist as we will see at the end of the week (Chap. 4) but
they are based on heavy mathematical notions.
Note that these properties are not particular to elliptic curves but can be adapted to
curves in general. However, we will restrict here to the genus 1 case.
In the following k is the nite eld F
q
with q = p
m
and K denotes any (perfect) eld.
3.1 Zeta function of elliptic curves
In 1949, Andre Weil made a series of very general conjectures concerning the number of
points on varieties dened over nite elds. We restrict here to the case of curves.
Let k = F
q
and for all n 1, let k
n
be the extension of degree n of k. Let C/k be a
(projective smooth) curve of genus g over k.
Denition 3.1.1. The Zeta function of C over k is the power series
Z(C/k; T) = exp
_

n=1
|C(k
n
)|
T
n
n
_
.
Theorem 3.1.1 (Weil conjectures). With the above notations, we have the following
properties.
1. Rationality :
Z(C/k; T) Q(T).
2. Functional equation :
Z(C/k; 1/(qT)) = (qT
2
)
1g
Z(C/k; T).
17
18 CHAPTER 3. ELLIPTIC CURVES OVER FINITE FIELDS
3. Riemann hypothesis :
there exists a polynomial f Z[T] of degree 2g such that
f(T) =
2g

i=1
(1 T
i
)
with |
i
| =

q for all i and such that
Z(C/k; T) =
f(T)
(1 T)(1 qT)
.
Corollary 3.1.1. We have |C(F
q
n)| = 1 +q
n

2g
i=1

n
i
.
Proof. We have
log(Z(C/k; T) =

|C(k
n
)|T
n
/n = log(f(T)) log(1 T) log(1 qT)
=

log(1
i
T) +

T
n
/n +

q
n
T
n
/n
=

n
_

i
(
n
i
) + 1 +q
n
_
T
n
/n
If we particularize to the case of elliptic curves (g = 1).
Theorem 3.1.2. Let k be a eld with q elements and E/k be an elliptic curve. Then
there is an a Z (called the trace of E/k) such that
Z(E/k; T) =
1 aT +qT
(1 T)(1 qT)
Further Z(E : k; 1/qT) = Z(E/k; T) and
1 aT +qT
2
= (1 T)(1 T) with || = || =

q.
Corollary 3.1.2. With the notations above, there exists a polynomial (called the Frobe-
nius polynomial of E/k)
:= T
2
aT +q = (T )(T )
such that |E(k)| = (1) and for every extension k
n
of k of degree n, |E(k
n
)| = (1

n
)(1
n
).
Moreover (Hasse-Weil bound)
||E(k)| q 1| 2

q.
3.1. ZETA FUNCTION OF ELLIPTIC CURVES 19
Example 6. Consider the elliptic curve : E/F
7
: y
2
= x
3
+ 2. It has 9 rational points,
namely (0 : 1 : 0), (0 : 3 : 1), (0 : 4 : 1), (3 : 1 : 1), (3 : 6 : 1), (5 : 1 : 1), (5 : 6 : 1), (6 : 1 :
1), (6 : 6 : 1). So we must have
Z(E/F
7
; T) =
7T
2
+T + 1
(1 T)(1 7T)
.
In particular the number of points of E/F
49
is 1 + 49 (1
2
2 7) = 63 (which can be
checked with a computer).
These conjectures were solved by Weil (in the case of curves and abelian varieties). The
general case was solved by Deligne in 1973.
The rst case g = 0 can be done by hand : indeed |P
1
(k
n
)| = q
n
+ 1 so
Z(P
1
/k; T) = exp(log(1 T) log(1 qT)) =
1
(1 T)(1 qT)
.
Now a genus 0 curve C/k is always k-isomorphic to a non degenerate plane conic.
Chevalleys theorem shows then that this conic has always a rational point so in fact C
is also k-isomorphic to P
1
.
The next case, g = 1, is the case of elliptic curves.
3.1.1 Reviews on elliptic curves
Tate module
We have seen in Chap.2 that for an elliptic curve over C the structure of the m-torsion
is very easy to carry out. In characteristic p > 0, the uniformization theorem is not true
anymore and nasty things happen when [m] is not separable.
Proposition 3.1.1. If m is prime to the characteristic then
E[m] Z/mZ Z/mZ,
and if Char(K) = p > 0 then either
E[p
e
] {0} or
E[p
e
] Z/p
e
Z
for all e 1.
One assumes now that m is prime to the characteristic. The group E[m] comes
equipped with more structure. Namely, each element of the Galois group Gal(K/K)
acts on E[m]. We thus obtain a representation
Gal(K/K) Aut(E[m]) GL
2
(Z/mZ).
This representation is not completely satisfactory because it is generally easier to deal
with representations whose matrices have coecients in a ring of characteristic 0. What
we will do is to t them together thanks to the projective limit we introduced in Chap.
1 :
20 CHAPTER 3. ELLIPTIC CURVES OVER FINITE FIELDS
Denition 3.1.2. Let E be an elliptic curve and l Z a prime. The (l-adic) Tate
module of E is the group
T
l
(E) = lim

n
E[l
n
],
the inverse limit being taken with respect to the natural maps
[l] : E[l
n+1
] E[l
n
].
Since each E[l
n
] is a Z/l
n
Z-module, we see that the Tate module has a natural
structure as a Z
l
-module.
Proposition 3.1.2. As a Z
l
-module T
l
(E) Z
l
Z
l
.
Now the action of Gal(K/K) on each E[l
n
] commutes with the multiplication by [l]
maps used to form the inverse limit, so Gal(K/K) also acts on T
l
(E).
The Tate module is also a useful tool for studying isogenies. If
: E
1
E
2
is an isogeny then it induces a map

l
: T
l
(E
1
) T
l
(E
2
).
We thus obtain a homomorphism
Hom(E
1
, E
2
) Hom(T
l
(E
1
), T
l
(E
2
)).
It is not hard to show that the above homomorphism is injective : indeed if : E
1
E
2
is a non-zero isogeny of degree d then its kernel has at most d
2
points. If it is 0 on
T
l
(E
1
) it is 0 on E[l
n
] for an n such that l
n
> d and so the kernel should contain
|E[l
n
]| = l
2n
> d
2
points.
Weil pairing
We want to add structure on the Tate module. This is achieved by the Weil pairing.
We will not recall the construction but it is a map
e
m
: E[m] E[m]
m
satisfying the following properties :
Proposition 3.1.3 ([Sil92, III.8.1]). The Weil pairing is :
1. bilinear : e
m
(S
1
+S
2
, T) = e
m
(S
1
, T)e
m
(S
2
, T) and e
m
(S, T
1
+T
2
) = e
m
(S, T
1
)e
m
(S, T
2
).
2. alternating : e
m
(S, T) = e
m
(T, S)
1
.
3. non-degenerate : if e
m
(S, T) = 1 for all S E[m], then T = 0.
3.1. ZETA FUNCTION OF ELLIPTIC CURVES 21
4. Galois-invariant : for all Gal(K/K),
e
m
(S, T)

= e
m
(S

, T

).
5. compatible : if S E[mm

] and T E[m] then

e
mm
(S, T) = e
m
([m

]S, T).
6. adjoint : let S E
1
[m], T E
2
[m] and : E
1
E
2
be an isogeny. Then
e
m
(S,

(T)) = e
m
((S), T).
Corollary 3.1.3. If E[m] E(K) then
m
K

.
Proof. The image of e
m
(S, T) as S, T range over E[m] is a subgroup of
m
, say equal
to
d
. It follows that for all S, T E[m],
1 = e
m
(S, T)
d
= e
m
([d]S, T).
The non-degeneracy of e
m
implies that [d]S = O, ans since S is arbitrary, we must have
d = m. Finally if E[m] E(K) then from the Galois invariance of the e
m
pairing we
see that e
m
(S, T) K

for all S, T. Therefore

m
K

.
Let l be a prime dierent from the characteristic of K. We would like to t together
the pairings
e
l
n : E[l
n
] E[l
n
]
l
n
for all n to give an l-adic Weil pairing on the Tate module
e
l
: T
l
(E) T
l
(E) T
l
()
where
T
l
() = lim

l
n Z
l
.
We need only to check the compatibility
e
l
n+1(S, T)
l
= e
l
n([l]S, [l]T)
which follows from Prop.3.1.3 (1) and (5).
Proposition 3.1.4. There exists a bilinear, alternating, non-degenerate, Galois invari-
ant pairing
e
l
: T
l
(E) T
l
(E) T
l
()
such that if : E
1
E
2
is an isogeny, and

are adjoints for the pairing.
22 CHAPTER 3. ELLIPTIC CURVES OVER FINITE FIELDS
3.1.2 Weil conjectures : the proof for g = 1
For the proof we will need the following lemma.
Lemma 3.1.1. Let End(E). Then
det(
l
) = deg() and tr(
l
) = 1 + deg() deg(1 ).
Proof. Let v
1
, v
2
be a Z
l
-basis for T
l
(E) and write the matrix of
l
for this basis as

l
=
_
a b
c d
_
.
We compute
e
l
(v
1
, v
2
)
deg()
= e
l
([deg()]v
1
, v
2
)
= e
l
(

v
1
, v
2
)
= e
l
(v
1
, v
2
)
= e
l
(av
1
+cv
2
, bv
1
+dv
2
)
= e
l
(v
1
, v
2
)
adbc
= e
l
(v
1
, v
2
)
det(
l
)
Since e
l
is non-degenerate, we conclude that deg() = det(
l
). The second part is
classical.
Proof. Let : E E be the q-th power of Frobenius endomorphism. Since 1 is
separable (because the map (1 )

is the identity on the regular dierential and so is

not 0), we have
|E(k)| = deg(1 ).
Similarly for every n 1 and for every extension k
n
of degree n, |E(k
n
)| = deg(1
n
).
From the previous lemma, the characteristic polynomial of
l
has coecients in Z, so
we can factor it over C :
det(T
l
) = T
2
tr(
l
)T + det(
l
) = (T )(T ).
Further, since for every rational number m/n,
det((m/n)
l
) = det(mn
l
)/n
2
= deg(mn)/n
2
0,
it follows that the quadratic polynomial det(T
l
) has complex conjugate roots. Thus
|| = || and
= det(
l
) = deg() = q,
we conclude that || = || =

q.
Finally we note that the characteristic polynomial of
n
l
is given by (T
n
)(T
n
),
3.2. ORDINARY AND SUPERSINGULAR ELLIPTIC CURVES 23
so
log Z(E/k; T) =

n=1
(|E(k
n
)|T
n
/n)
=

n=1
(1
n

n
+q
n
)T
n
/n
= log(1 T) + log(1 T) + log(1 T) log(1 qT)
which concludes the proof.
Remark 6. If we let T = q
s
then we have

E/k
(s) := Z(E/k, q
s
)
and the functional equation reads

E/k
(1 s) =
E/k
(s),
which is an analog for elliptic curve of the Riemman Zeta function for Q. Further if

E/k
(s) = 0 then |q
s
| =

q, so (s) = 1/2.
Remark 7. The general case follows more or less the same pattern. The main dierence
is that the elliptic curve is its own Jacobian. Another is that the real analogue of an
elliptic curve is not only an abelian variety but an abelian variety plus a polarization.
3.2 Ordinary and supersingular elliptic curves
3.2.1 Characterization
Theorem 3.2.1. Let E/k be an elliptic curve. Let Fr : E E
(p)
be the Frobenius
morphism. The following are equivalent :
1. E[p
r
] = 0 for one (all) r 1.
2.

Fr is purely inseparable.
3. The map [p] : E E is purely inseparable and j(E) F
p
2.
4. End(E) is an order in a quaternion algebra.
5.
E
(T) = T
2
+aT +q with p|a.
In this case the curve E is said supersingular (or of Hasse-Witt invariant 0). Otherwise
E is said ordinary (or of Hasse-Witt invariant 1). In the later case one has E[p
r
] =
Z/p
r
Z for all r 1 and End(E) is an order in an imaginary quadratic eld.
Remark 8. We know that E
1
E
2
|E
1
(k)| = |E
2
(k)|. So the Hasse-Witt invariant
is invariant under isogeny.
24 CHAPTER 3. ELLIPTIC CURVES OVER FINITE FIELDS
We want to give an easy way to see when a curve is or not ordinary.
Theorem 3.2.2 ([Sil92, V.4.1]). Let E : y
2
= f(x) be dened over the nite eld k = F
q
of characteristic p > 2.
1. E is supersingular i the coecient of x
p1
in f(x)
(p1)/2
is zero.
2. Let m = (p 1)/2 and dene the polynomial
H
p
(t) =
m

i=0
_
m
i
_
2
t
i
.
Let f(x) = x(x 1)(x ). E is supersingular i is a root of H
p
.
3. The polynomial H
p
() has distinct roots in k.
Proof. We are going to prove the rst point.
Let x k. Then the number of points in E(k) with abscissas x is 0, 1 or 2 and is equal
to f(x)
(q1)/2
+ 1 (seen as an integer). So we have the formula
|E(k)| = 1 +q +

xk
f(x)
(q1)/2
,
which gives modulo p (or seen in k)
|E(k)| = 1 +

xk
f(x)
(q1)/2
.
We have now easily that

xk
x
i
=
_
1 if q 1|i
0 otherwise.
Since f has degree 3, if we multiply out f(x)
(q1)/2
and sum over x k, the only
non-zero term comes from x
q1
. Hence if we let
A
q
= coecient of x
q1
in f(x)
(q1)/2
then
|E(k)| = 1 +A
q
= 1 tr()
where : E E is the Frobenius endomorphism. Now A
q
= 0 tr() 0
(mod p). But = [tr()] , so
A
q
= 0 is inseparable E is supersingular.
It remains to show that A
q
= 0 i A
p
= 0. Writing
f(x)
(p
r+1
1)/2
= f(x)
(p
r
1)/2
(f(x)
(p1)/2
)
p
r
and equating coecients (remember f is a cubic) yields
A
p
r+1 = A
p
r A
p
r
p
and we have the desired result by induction on r.
3.2. ORDINARY AND SUPERSINGULAR ELLIPTIC CURVES 25
Remark 9. Note that (3) shows that there is roughly (p 1)/12 classes of supersingular
elliptic curves up to F
p
-isomorphism.
Supersingular elliptic curves seem to be convenient for cryptography. Indeed it is
very easy to compute their number of points : if E is a supersingular elliptic curve,
its j-invariant is in F
p
2. Let E

be a curve dened over F

p
2 with this invariant. E

is
supersingular, so if a is the trace of the Frobenius over F
p
2 p|a and moreover |a| 2p.
There is then only 5 possibilities for a and it is easy to decide which one is the good
one. Now E

/k and E/k are twists so one can easily compute the order knowing a.
Unfortunately these curves have been proved weak for the discrete logarithm and so
people work rather with ordinary curves. There is no easy way to decide the trace for
an ordinary elliptic curve as it can range over almost the complete interval [2

q, 2

q].
However people have developed fast algorithms to compute this number. In small char-
acteristics, the fastest algorithms are based on p-adic computations via the so-called
canonical lift of the curve.
3.2.2 Lift, canonical lift
Let E be an elliptic curve over k = F
q
. Let Z
q
= W(F
q
) be the ring constructed in
Chap.1 and Q
q
its eld of fractions. Let also be the Frobenius substitution. As E is
dened by an equation with coecients in k, we can lift the non-zero coecients of this
equation over Z
q
and then obtain the equation of an elliptic curve E over Q
q
. The curve
E is called a lift of E.
As we have seen in the proof of the Weil conjectures, the Frobenius endomorphism is
strongly connected to the number of points of the curve and we would like to nd on E
an isogeny that lifts . We restrict to the case of ordinary curves. In this case, we know
that End(E) Q = Q() so we actually ask that our curve E has a quadratic eld for
its endomorphism ring. This situation is quite rare in characteristic 0 as we have seen
in Chap. 2 and we cannot expect this to happen for an arbitrary lift. On this other
hand, such a lift always exists :
Theorem 3.2.3 ([Mes72, V, Th.3.3, Cor. 3.4]). Let E/k be an ordinary elliptic curve.
There exists an unique up to isomorphism elliptic curve E

over Z
q
such that E

k
E and
End
Qq
(E

) End
k
(E).
We call E

the canonical lift of E.

If f End
k
(E), we denote f

End
Qq
(E

) its canonical lift.

Remark 10. This theorem was proved in the case of elliptic curves by Deuring [Deu41]
then generalized by Lubin, Serre and Tate [LST64].
Corollary 3.2.1 ([Mes72, Appendix, Cor 1.2]). E

is the canonical lift of E i there

exists Fr

: E

(A

) lifting Fr.
Remark 11. It is not always possible to lift a supersingular elliptic curve with its ring of
endomorphism as this one may be an order in a quaternion algebra (Caution : it may
also be Z if all the endomorphisms are not rational).
26 CHAPTER 3. ELLIPTIC CURVES OVER FINITE FIELDS
As an isomorphism class of elliptic curve is given by its j-invariant, we can charac-
terized this curve by an unique element J Z
q
. Another useful characterization is the
following.
Theorem 3.2.4 ([VPV01, . 2]). Let x Z
q
such that x J (mod 2
i
) with i N.
Then there exists a unique y Z
q
such that y x
2
(mod 2) and
2
(x, y) = 0. Moreover
y j((

E
(2)
)

) = J

(mod 2
i+1
).
Recall that
p
is the modular polynomial of order p.
Remark 12. It is an important result in CM theory that J is in fact an algebraic integer
and the curve E

exists actually over Q. The degree of the extension Q(J)/Q is given by

the class number of End(E) Q. As the discriminant of this extension is heuristically in

q, the degree of this extension may quickly becomes too big for explicit computations.
As we explained earlier, the general philosophy is to obtain curves in characteristic
0 in order to apply analytic results. Indeed, one has then the outstanding result linking
the geometry and the arithmetic of the Frobenius.
Proposition 3.2.1 (Satoh). Let E be an elliptic curve over k with trace of Frobenius a.
Let be a regular dierential on E

and let c Q
q
the element dened by (

() = c.
Then a = c +q/c.
Chapter 4
Fast computations of Zeta
functions
4.1 Introduction
Cryptography is playing a more and more important role in our society : smart-card,
INTERNET payment, online banking. . . . All these applications needs to protect infor-
mation. There exists two main strategies. The rst one, historically, is called symmetric
key cryptography. Roughly speaking, it is based on combinatoric tricks and only the
owners of the secret key can cipher and decipher. In 1976, Die and Hellman intro-
duced the new concept of public key cryptography. This protocol solves in particular
the important problem (for INTERNET) of a creation of secret key over a non-secure
channel (which was not possible with symmetric cryptography). Here is the principle :
1. Goal : Alice and Bob wants to share a secret key (to cipher and decipher after
with a traditional symmetric protocol for instance).
2. let G be a group that we can assume to be isomorphic to Z/pZ. Let g G be a
generator.
3. Alice chooses a Z and sends g
a
to Bob.
4. Bob chooses b Z and sends g
b
to Alice.
5. Secret shared : g
ab
.
One sees that the diculty to break the code is based on the diculty to compute
a = log
g
(g
a
) (in fact to compute g
ab
knowing g
a
, g
b
but these two problems are believed
equivalent). This type of problem is called discrete logarithm problem. Does it exist
groups for which this problem is dicult (whereas the computation of g
a
remains easy
of course) ? A problem is said dicult if one cannot solve it in a reasonable time with
a good computer. More specically that means that the number of operations would be
greater than 2
60
.
27
28 CHAPTER 4. FAST COMPUTATIONS OF ZETA FUNCTIONS
For a general group G, there is always an attack in
_
|G|, so |G| must have at least 120
bits.
The rst concrete example was given in 1978 and is known as RSA (Rivest, Shamir,
Adleman). It is based on the group F

q
. In order to obtain a dicult problem, one has
to take q with at least 1024 bits because there exist subexponential attacks.
Remark 13. The complexity of the attack or of construction, computations (exponen-
tial, subexponential, polynomial) is measured in term of log
2
|G|.
One is of course interested in groups for which the order is small (and then the protocol
fast) in other words groups with no subexponential attacks. People have tried with ideal
class groups of number elds, but here again there exists a subexponential attack.
Cryptographers are now very interested in the group of rational points of a Jacobian over
a nite elds, at least when the dimension g is less than 4. Indeed with this restriction
no subexponential attack is known in general. We have to consider curves over k = F
2
N
with N 120/g (because the order of the group of rational points on the Jacobian is
approximately |k|
g
).
Note however that nobody has proved that a better attack does not exist and this is of
course a big fear of all banks and governments as cryptosystems based on Jacobian (at
least elliptic curves) are wide used nowadays.
Remark 14. One has proved that a secure group (where no sub-exponential attack
occurs) exists. But nobody is able to construct it.
One important practical aspect is the choice of the curve : indeed we need that the
order of the group of rational points of its Jacobian is almost a prime (i.e contains a
large prime factor). Otherwise it is easy to break the code by working on each factor
and using the Chinese Remainder Theorem. One cannot compute this number by brute
force (counting points on g extensions). Indeed this method is clearly of exponential
complexity and cannot be used with F
q
of cryptographic sizes. Fortunately, two ways
exist to obtain this curve :
One takes random curves of genus g over F
q
and one has a fast way to compute
the number of points. These algorithms belongs to four categories :
1. l-adics methods : for g = 1 (Schoof); works in large characteristics.
2. Cohomological methods : the most used today is Kedlayas algorithm. It
works well when the characteristic is small.
3. p-adic methods based on the canonical lift : they were introduced by Satoh
for elliptic curves in 2000.
4. Deformation theory : this (for the moment theoretical) method was intro-
duced by Lauder in 2002.
On construct a curve over a number eld whose Jacobian endomorphism ring has
a good structure (CM). Then one reduces the curve modulo suitable large prime
for which it is easy to compute the order from the structure. These CM methods
have been developed for g = 1, 2 (and certain g = 3) curves.
4.1. INTRODUCTION 29
On can sum up the state of arts in point counting (i.e methods of the rst strategy) in
the following charts.
Polynomial time algorithm, possible to deal with crypto sizes
Polynomial time algorithm, impossible to reach crypto sizes
Theoretical polynomial time algorithm, not implemented
l-adic methods
p large
p small
p = 2
g = 1 g = 2
g = 3
hyper C
34
general
?
Names: Schoof, Elkies, Atkin, Couveignes, Lercier, Morain, M uller, Dewaghe, Ver-
cauteren, Pila, Cantor, Kampk otter, Huang, Ierardi, Adleman, Harley, Gaudry.
Cohomological methods
p large
p small
p = 2
g = 1 g = 2
g = 3
hyper C
34
general
Names: Kedlaya, G urel, Gaudry, Vercauteren.
p-adic methods (canonical lift)
p large
p small
p = 2
g = 1 g = 2
g = 3
hyper C
34
general
? ? ? ?
30 CHAPTER 4. FAST COMPUTATIONS OF ZETA FUNCTIONS
Names: Satoh, Skjernaa, Fouquet, Harley, G., Vercauteren, Mestre, Taguchi, Ritzen-
thaler, Carls.
Deformation
p large
p small
p = 2
g = 1 g = 2
g = 3
hyper C
34
general
Names: Lauder.
All together
p large
p small
p = 2
g = 1 g = 2
g = 3
hyper
super
general
One sees that even if this domain is only 30 years old, a lot of techniques have
been developed. We will focus on a 2-adic method which is a elegant variant of Satohs
algorithm : the AGM-method for genus 1 curve. This method developed in 2000 by
Mestre and implemented by Lercier-Lubicz is nowadays the fastest one in characteristic
2 : a record over F
2
100002 was obtained. Note that this method was then generalized
to hyperelliptic curves [Mes02] and to non hyperelliptic curves of genus 3 [Rit03]. This
method is based on formulas coming from the analytic theory and theta functions. We
will begin by recalling these classical aspects.
4.2 The complex theory
4.2.1 Computation of periods
It was historically the rst case handled : Lagrange [Lag67, t.II,p.253-312] and Gauss
[Gau70, t.III,p.352-353,261-403] introduced the Arithmetic geometric mean to compute
elliptic integrals.
4.2. THE COMPLEX THEORY 31
Theorem 4.2.1. Let a, b be two reals such that 0 < b < a. We have
_
/2
0
dt
_
a
2
cos
2
t +b
2
sin
2
t
=

2M(a, b)
,
where M(a, b) ( arithmetic geometric mean of a and b) is the common limit of
_
a
0
= a a
n+1
=
an+bn
2
b
0
= b b
n+1
=

a
n
b
n
Since
|a
n+1
b
n+1
| =
(

a
n

b
n
)
2
2
=
(a
n
b
n
)
2
2(

a
n
+

b
n
)
2

(a
n
b
n
)
2
8b
1
these two sequences are adjacent and the convergence is quadratic. This method is then
better than traditional numeric integrations.
The proof is based on a tricky change of variables which transforms the parameters a, b
in the integral into a
1
, b
1
. Taking the limit one has then the theorem.
To understand this change of variables we are going to algebraize our problem. Put
x = e
3
+ (e
2
e
3
) sin
2
t with
_

_
a
2
0
= e
1
e
3
b
2
0
= e
1
e
2
0 = e
1
+e
2
+e
3
We can reformulate the theorem as :
Theorem 4.2.2.
_
e
2
e
3
dx
_
P(x)
=

2M(

e
1
e
3
,

e
1
e
2
)
with P(x) = 4(x e
1
)(x e
2
)(x e
3
), e
3
< e
2
< e
1
.
One recognizes the integral of a regular dierential form on the elliptic curve E : y
2
=
P(x). More precisely, if one denotes by C/ with = Z
1
+ Z
2
(
1
real
2
purely
imaginary) the complex torus E(C), one has the isomorphism
u : C/ E(C)
[z] (x = P(z) : y = P

(z) : 1) z /
[z] (0 : 1 : 0) z
and (see gure 4.1)

1
= 2
_
(
1
+
2
)/2

2
/2
dz = 2
_
(
1
+
2
)/2

2
/2
dP(z)
P

(z)
= 2
_
e
2
e
3
dx
y
= 2
_
e
2
e
3
dt
_
P(t)
The problem is now the computation of a period of a dierential of the 1st kind on a
Riemann surface.
Let =
2
/
1
. In the theory of abelian varieties over C, it is classical to introduce theta
functions. They can be seen as holomorphic sections of sheaves but we want to give here
a more straightforward denition for elliptic curves (see [Ros86] for the general theory).
32 CHAPTER 4. FAST COMPUTATIONS OF ZETA FUNCTIONS
Denition 4.2.1. Let H, ,

{0, 1}. One denes the theta function with

characteristic (,

) by
[

] (z, ) =

nZ
exp(i(n +/2)
2
+ 2i(n +/2)(z +

/2))
It is an analytic function of the variable z. If z = 0, one denotes also [

] (0, ) =
[

] (). When (,

) = (1, 1), [

] () = 0 and is called a theta constant.

These values have the following properties.
Proposition 4.2.1. 1. Limit :
lim
Im +
[
0
0
] () = lim
Im +
[
0
1
] () = 1.
2. Thomaes formula :
_

e
1
e
3
= [
0
0
] ()
2

e
1
e
2
= [
0
1
] ()
2
3. Duplication formula :
_
_
_
[
0
0
] (2)
2
=
[
0
0
]()
2
+[
0
1
]()
2
2
[
0
1
] (2)
2
=
_
[
0
0
] ()
2
[
0
1
] ()
2
Remark 15. As the theta constants are positive reals (because is purely imaginary),
the sign of the square roots is always the positive one. When it is no more the case, the
choice is a bit more subtle (see [Cox84]).
4.2.2 Proofs
We want to give two proofs of Th.4.2.2. The rst one is straightforward. As the
duplication formula is exactly the AGM recursion, we can write
_
_
_
a
0
= [
0
0
] ()
2
a
n
= [
0
0
] (2
n
)
2
b
0
= [
0
1
] ()
2
b
n
= [
0
1
] (2
n
)
2
By the limit property, one has
M
_
[
0
0
] ()
2
, [
0
1
] ()
2
_
= 1.
The AGM recursion being homogeneous, one obtains the theorem thanks to Thomae
formula :
M(a
0
, b
0
) = M(

e
1
e
3

,

1

e
1
e
2

) =

1

M(

e
1
e
3
,

e
1
e
2
) = 1.
4.3. 2-ADIC METHOD 33
The second proof will reveal the true geometry behind the result. Consider again
the elliptic curve E : y
2
= P(x). This curve is isomorphic to the curve E

= E
a
0
,b
0
dened by
E

: y
2
0
= x
0
(x
0
(e
1
e
3
))(x
0
(e
1
e
2
)) (4.1)
= x
0
_
x
0


2

2
1
[
0
0
] ()
4
__
x
0


2

2
1
[
0
1
] ()
4
_
(4.2)
= x
0
(x
0
a
2
0
)(x
0
b
2
0
), (4.3)
One can then construct the following diagram.
C/Z
1
+Z2
2
G:zz
//
u
2

C/Z
1
+Z
2
u

E
2
(C)
g
//
E

(C)
f
oo
where E
2
= E
a
1
,b
1
and f, g are 2-isogenies given by (see for instance [BM89]):
g : (x
1
, y
1
)
_
x
1
(1 +
a
2
1
b
2
1
x
1
a
2
1
),
y
1
(x
2
1
2x
1
a
2
1
+a
2
1
b
2
1
)
(x
1
a
2
1
)
2
_
(4.4)
f : (x
0
, y
0
)
_
y
2
0
4x
2
0
+ (
a +b
2
)
2
,
y
0
(a
2
b
2
x
2
0
)
8x
2
0
_
(4.5)
In particular the kernel of f is < (0, 0) >.
We can now nish the proof : since G

(dz) = dz we have g

(dx
0
/y
0
) = dx
1
/y
1
. Now

1
= 2
_

e
1
dx
y
= 2
_

0
i
2
dx
0
y
0
=
_

0
i
dx
1
y
1
= . . . =
_

0
i
dx
n
y
n
.
By iteration :
E

E
2
. . . E
2
n

. . . E

: y
2
= x(x M(a
0
, b
0
)
2
)
2
.
But E

is a genus 0 curve which means that there exists a parametrization which gives

1
=
_

0
i
dx
_
x(x M(a
0
, b
0
)
2
)
2
=
_
_
2
Arctan(

x
M(a
0
,b
0
)
)
M(a
0
, b
0
)
_
_

0
=

M(a
0
, b
0
)
.
4.3 2-adic method
Let q = 2
N
, k = F
q
and Q
q
be the unramied extension of degree N of Q
2
, Z
q
its
ring of integers, its valuation and the Frobenius substitution (i.e the unique Galois
automorphism of Q
q
such that x x
2
(mod 2), see Chap. 1). The aim of this section
is to give an algorithm which we can present as

E/F
q
ordinary e.c.
lift

E/Z
q
AGM

cv
E/Z
q
canonical lift
AGM

Frobenius trace.
Let us detail now the dierent parts.
34 CHAPTER 4. FAST COMPUTATIONS OF ZETA FUNCTIONS
4.3.1 Lift
In characteristic 0 we want to use the form E
a,b
: y
2
= x(x a
2
)(x b
2
). Of course we
cannot use this model in characteristic 2. We propose two dierent solutions to solve
this problem.
First solution
Lemma 4.3.1 ([Ver03]). Let a, b 1 + 4Z
q
with b/a 1 + 8Z
q
. Then
E
a,b

E : y
2
+xy = x
3
+rx
2
+sx +t
(x, y)
_
x ab
4
,
y x +ab
8
_
for some r, s, t Z
q
such that

E : y
2
+xy = x
3
+
_
a b
8
_
.
We then consider

E as y
2
+xy = x
3
+c, let r Z
q
such that r

c (mod 2) and take
_
a
0
= 1 + 4r
b
0
= 1 4r
The advantage of this model is that there is a rational 4 torsion point (c
1/4
, c
1/2
). This
point enables to nd the sign of tr() that occurs at the end of the algorithm because
tr() 1 (mod 4). The drawback is that this model does not represent all cases.
Moreover it gives no clue about a possible generalization to hyperelliptic cases.
Second solution
Starting with a general ordinary elliptic curve

E : y
2
+ xy = x
3
+ a
2
x
2
+ a
4
x + a
6
,
we can always get rid of the a
6
coecient. We lift then

E naturally and make the
transformation
Y
2
= (y +
x
2
)
2
= x(x
2
+
4a
2
+ 1
4
x + 1).
We can factorize the left member over Q
q
in x(x )(x ) with () = 2 and
() = 2. Let X = x we have then a model
Y
2
= X(X +)(X + ).
As (

1) = (

) = 4, we can take
_
a
0
= 1
b
0
=
_

Z
q
4.3. 2-ADIC METHOD 35
and consider the curve
Y
2
= X(X 1)(X b
2
0
).
Note that this curve is not isomorphic over Q
q
to the original one but is a quadratic
twist. However, as we will obtain the trace of the Frobenius only up to a sign, this is
not an issue.
Remark 16. We have to get rid of the a
6
coecient, otherwise we might have to factorize
the left member in a ramied extension of Q
2
(it is the case for instance with y
2
+xy =
x
3
+ 1).
4.3.2 Convergence
Let start with a model E
0
= E
a
0
,b
0
over Z
q
lifting

E. Let denote E
i
= E
a
i
,b
i
the elliptic
curves obtained by AGM iterations. Let denote also

E

the canonical lift of

E which is
completely characterized by its j-invariant J. We want to prove that the AGM sequence
converges to the Galois cycle associated to the canonical lift. We give two proofs.
First proof
We are going to use Th. 3.2.4. If E and E

are two elliptic curves that are p-isogenous

then
p
(j(E), j(E

)) = 0.
We have of course
2
(E
i
, E
i+1
) = 0 by the complex computations of 4.2. An easy
computation shows also the following congruence.
Lemma 4.3.2. j(E
i+1
) j(E
i
)
2
(mod 2).
By iteration of the AGM we then obtain
j(E
n
) j((

E
(2
n
)
)

) (mod 2
n+1
).
Second proof
The second proof uses a result of Carls. It avoids explicit invariants and is then useful
for generalization.
Theorem 4.3.1 ([Car02, Th.3]). Let A be an abelian variety over F
q
, A/Z
q
be an
ordinary abelian scheme with special ber A. One denes a sequence
A = A
0
A
1
. . .
where the kernel of the isogenies are the components A
i
[2]
loc
(i.e the 2-torsion points in
the kernel of the reduction). We have
lim
n
A
nN
= A

i.e for all n, (A

Nn
)/Z
(Nn+1)
q
(A

Nn
)/Z
(Nn+1)
q
where Z
(i)
q
= Z
q
/2
i
Z
q
Z/2
i
Z. In
particular the convergence is linear.
36 CHAPTER 4. FAST COMPUTATIONS OF ZETA FUNCTIONS
Using 4.2 we see that if we still denote by f : E
i
E
i+1
the 2-isogeny induced by
the AGM-iteration, then ker f =< (0, 0) > and (0, 0) reduces on

O (because the kernel
corresponds to the point (, 0) in the reduction, which is of negative valuation). We can
then apply the previous theorem.
4.3.3 Trace of the Frobenius
To compute the Frobenius polynomial we only need the trace of the Frobenius on V
l
(

E)
for l = p. But this trace can be already read on regular dierentials as we have seen in
Prop. 3.2.1. With the notations of the proposition, we have (X) = X
2
(c+q/c)X+q.
We need also the following elementary lemma.
Lemma 4.3.3. Let E
a,b
: y
2
= x(x a
2
)(x b
2
) et E
a

,b
: y
2
= x

(x

a
2
)(x

b
2
)
with
a
2
b
2

a
2
b
2
1 (mod 2). If E and E

are isomorphic then x = u

2
x

and y = u
3
y

with u
2
=
a
2
+b
2
a
2
+b
2
. Furthermore
a
2
b
2
=
a
2
b
2
or
a
2
b
2
=
b
2
a
2
.
Proof. The two curves being isomorphic, there exists (u, r) (Z

q
Q
q
) such that x =
u
2
x

+ r and y = u
3
y

. It is enough to show that r = 0. With the usual notations of

[Sil92, chap.III,1.2], one has
4u
2
(a
2
+b
2
) = b

2
= b
2
+ 12r = 4(a
2
+b
2
) + 12r
0 = u
6
b

6
= 4r(r a
2
)(r b
2
)
The rst equality shows that r 0 (mod 2) and the second that r = 0 since neither a
2
or b
2
are congruent to 0. The rst equality gives also the value of u
2
.
Let E
a
0
,b
0
be the canonical lift. We can then construct the following diagram
E
a

0
,b

Ve

E
a
1
,b
1
g
//

E
a
0
,b
0

f
oo
Fr

gg

E
(2)

E
Fr
oo
where is an isomorphism because the two maps have the same kernel < (0, 0) >. Let
= dx/y, we then get
(Ve

() = (g )

() =

() =

u
with u
2
=
a
2
1
+b
2
1
(a
2
0
)

+(b
2
0
)

because g acts by identity as we can see on the explicit formula or

with the complex interpretation of g as z z.
We want to simplify a bit the expression of u
2
. we have
u
2
=
_
a
1
a

0
_
2
1 +
_
b
1
a
1
_
2
1 +
_
b

0
a

0
_
2
.
4.3. 2-ADIC METHOD 37
Let
1
= b
1
/a
1
and
0
= b
0
/a
0
. By Lem.4.3.3,
2
1
= (
2
0
)

or
2
1
=
1
(
2
0
)

. Let us prove
that it is the rst case which occurs. We can write
i
= 1 +8c
i
with c
i
Z
q
so the rst
case occurs i
c
1
c

0
(mod 4).
By the AGM iteration, we have
1 + 8c
1
=
1 + 4c
0

1 + 8c
0
c
1
c
2
0
(mod 4).
As after the rst iteration c
0
is itself a square
2
0
modulo 4, we have
c

0
(
2
0
)

4
0
c
2
0
(mod 4).
So we get c
1
c

0
(mod 4) which proves
u =
a
1
a

0
.
The trace of the Frobenius endomorphism is the same as the trace of the Verschiebung.
One has
tr() = tr(V ) = tr(Ve

N1
Ve) =
_
1
N(u)
+ 2
N
N(u)
_
with N(u) = Norm
Qq/Q
2
(a
1
/a
0
).
4.3.4 Complexity and Conclusion
Since by the Hasse-Weil theorem tr() 2

q it is enough to compute the previous

norm with N/2 + 2 bits. Several implementations of this method have been achieved
: see [Ver03] for a nice overview and running times. The best complexity obtained is
quasi-quadratic in time and quadratic in space.
One of the attractive aspect of the AGM method is the simplicity of the formulas in-
volved. Another one is the natural generalizations one can obtain for hyperelliptic curves
and non hyperelliptic curves of genus 3. On the contrary it seems that generalization
to other characteristics would be less ecient and less elegant due to the complexity of
the new AGM formulas.
38 CHAPTER 4. FAST COMPUTATIONS OF ZETA FUNCTIONS
Figure 4.1: The map u
0
1
e
1
u
e
2

2
2 e
3
e
2
e
1

1
2
e
3
Bibliography
[BM89] J.-B. Bost & J.-F. Mestre, Moyenne Arithmetico-geometrique et Periodes des
courbes de genre 1 et 2, Gaz. Math., S.M.F. 38 (1989) , 36-64.
[Car02] R. Carls, Approximation of canonical lifts, in preparation, (2002) available on
http://www.math.leidenuniv.nl/
~
carls/.
[Cox84] D. Cox, The arithmetic-geometric mean of Gauss, Enseign. Math. 30 (1984),
275-330.
[Deu41] M. Deuring, Die Typen der Multiplikatoringe elliptischer Funktionenkorper,
Abh. Math. Sem. Univ Hamburg 14 (1941), 197-272.
[Gau70] C.F. Gauss, Werke, Vol. 12, G ottingen, (1870-1927).
[Lag67] J.L. Lagrange, Oeuvres, Vol. 14, Gauthiers-Villars, Paris (1867-1892).
[LST64] J. Lubin & J.-P. Serre & J. Tate, Elliptic Curves and formal groups, notes
disponibles sur http://ma.utexas.edu/users/voloch/lst.html, (1964).
[Mes72] W. Messing, The crystals Associated to Barsotti-Tate Groups : with Applica-
tions to Abelian Schemes, Lect. Notes in Math., 264, Berin-Heidelberg-New-York,
Springer (1972).
[Mes02] J.-F. Mestre, Algorithmes pour compter des points en petite caracteristique en
genre 1 et 2, available at www.maths.univ-rennes1.fr/crypto/2001-02/mestre.
ps (2002).
[Sil92] J.H Silverman, The Arithmetic of Elliptic Curves, 106, Springer, (1992).
[Rit03] C. Ritzenthaler : Probl`emes arithmetiques relatifs ` a certaines familles de courbes
sur les corps nis, PhD thesis, Universite Paris 7 - Denis Diderot, June 2003 avail-
able on http://www.math.jussieu.fr/
~
ritzenth.
[Ros86] M. Rosen, Abelian varieties over C, in Arithmetic Geometry, Cornell & Silver-
man, Springer-Verlag, (1986).
[VPV01] F. Vercauteren, B. Preneel & J. Vandewalle , A memory ecient version of
Satohs algorithm, Adv. in Cryptology, Eurocrypt (2001) (Innsbruck, Austria, Mai
39
40 BIBLIOGRAPHY
2001), Lect. Notes in Comput. Sci. 2045, 1-13, ed. Ptzmann, Berlin, Heidelberg:
Springer-Verlag (2001).
[Ver03] F. Vercauteren computing Zeta functions of curves over nite elds, PhD thesis,
Katholicke Universiteit Leuven, 2003.