Galois Theory: the Key to Numbers and Cyphers
Gerhard Frey, Institute for Experimental Mathematics
University of Essen, [email protected]
Summer School Conference "Coding, Cryptography and Number Theory"
August 13-15th, Göttingen
1 Two Independent Problems?
THEME 1
1.1 Fermat’s Claim
FERMAT and his INSPIRATION
Cubum autem in duos cubos, aut quadrato-quadratum in duos quadrato-quadratos, et generaliter nullam in infinitum ultra quadratum potestatem in duos ejusdem nominis fas est dividere: cujus rei demonstrationem mirabilem sane detexi. Hanc marginis exiguitas non caperet.
(It is impossible to separate a cube into two cubes, or a fourth power into two fourth powers, or in general any power higher than the second into two like powers. I have discovered a truly marvellous proof of this, which this margin is too narrow to contain.)
In modern language:
Claim 1. Let $X, Y, Z$ be integers and $p$ a prime number $> 2$. If
$$X^p + Y^p = Z^p$$
then $X \cdot Y \cdot Z = 0$.
This is, as you all know, a THEOREM, proved by Andrew Wiles in collaboration with Richard Taylor in 1994. If you explain it to your neighbor it can happen that he asks:
Okay - so what... ?
THEME 2
1.2 Data Security
Situation: A wants to send a message $m$ to B. She uses a noisy and public channel. (All channels are noisy and public.) So we want to make the transaction
$$(A, m, B) \mapsto (B, m, A)$$
secure. This has (at least) 3 aspects:
• Reliability (engineers)
• Correctness (coding theory; engineers and mathematicians)
• Authenticity, privateness (cryptography; mathematicians, computer scientists, engineers)
Solutions have to be simple, efficient andcheap!
1.3 The Common Roof
There was a basic decision about sixty years ago: messages are stored and transmitted as numbers.
This makes it possible to apply
ARITHMETIC
to data security. We shall concentrate on the third aspect, which uses
ENCRYPTION
provided by cryptography.
2 Arithmetical Domains
2.1 Hierarchy of fields
Diophantine problems ask for properties of solutions of (systems of) polynomial equations in certain "number" domains $R$. We list some of the interesting domains.
2.1.1 Finite Fields
As usual we denote by $\mathbb{F}_q$ the field with $q = p^d$ elements.
A typical diophantine problem: Let $f(X)$ be a polynomial without multiple roots. For how many $x \in \mathbb{F}_q$ is $f(x)$ a square?
In principle, this can be answered by trying all elements in $\mathbb{F}_q$. But for large $q$ this naive approach is too time consuming. Can we do better? The answer is: yes, as we shall see later.
2.1.2 Local Fields
A local field $K_v$ is a field with a (rank-1) valuation $v$ that is locally compact and complete with respect to the topology induced by $v$.
The archimedean case: If $v$ is archimedean the field $K_v$ is isomorphic to $\mathbb{R}$ (real case) or $\mathbb{C}$ (complex case). $v$ is given by an absolute value $|.|_v$. Define $w_v := -\varepsilon_v \cdot \log(|.|_v)$ with $\varepsilon_v = 1$ in the real case and $\varepsilon_v = 2$ in the complex case.
Methods to solve diophantine problems come from (differential) topology, real and complex analytic function theory, and can use powerful approximation algorithms. Interesting questions concern the size of solutions, compactness, connected components, ...
The non-archimedean case: $K_v$ is either a $p$-adic field, i.e. a finite algebraic extension of $\mathbb{Q}_p$, or a power series field over a finite field $\mathbb{F}_v$. The valuation ring $O_v$ is a regular local ring with maximal ideal $\mathfrak{m}_v$. The residue field of $v$ is $\mathbb{F}_v := O_v/\mathfrak{m}_v$. The reduction $\rho_v$ is the quotient map from $O_v$ to $\mathbb{F}_v$. A lifting of $\bar{x} \in \mathbb{F}_v$ is an element $x \in O_v$ (sometimes with side conditions) such that $\rho_v(x) = \bar{x}$.
Solutions of polynomial equations over $O_v$ are related to solutions of the reduced system via reduction maps and lifting algorithms like Hensel's lemma and Newton iteration. Over $K_v$ (or better: the completion of its algebraic closure) there is the powerful tool of rigid analysis to treat diophantine problems.
2.1.3 Global Fields
A global field $K$ is either a number field or a function field of one variable over a finite field $\mathbb{F}_0$. A place $v$ of $K$ is an equivalence class of valuations of $K$.
Definition 1.
1. • $\Sigma_K^f$ is the set of non-archimedean places of $K$.
• A prime divisor $\mathfrak{p}$ is an element of $\Sigma_K^f$.
• Its corresponding valuation ring is denoted by $O_\mathfrak{p}$, its maximal ideal by $\mathfrak{m}_\mathfrak{p}$ and its residue field by $\mathbb{F}_\mathfrak{p}$.
• The degree of $\mathfrak{p}$ is $\log(|\mathbb{F}_\mathfrak{p}|)$ if $K$ is a number field, and $[\mathbb{F}_\mathfrak{p} : \mathbb{F}_0]$ if $K$ is a function field.
• The completion of $K$ with respect to $\mathfrak{p}$ is denoted by $K_\mathfrak{p}$. It is a local field.
• $v_\mathfrak{p}$ is the valuation in $\mathfrak{p}$ with value group $\mathbb{Z}$, and $w_\mathfrak{p} := \deg(\mathfrak{p}) \cdot v_\mathfrak{p}$.
2. • By $S_\infty$ we denote the set of archimedean places of $K$.
• An element $v \in S_\infty$ corresponds to an embedding of $K$ into $\mathbb{R}$ (real place) or into $\mathbb{C}$ (complex place).
• We denote by $|.|_v$ the induced absolute value and define $w_v := -\varepsilon_v \log |.|_v$.
3. $\Sigma_K := \Sigma_K^f \cup S_\infty$ is the set of places of $K$.
Sum Formula: For $x \in K^*$ we have
$$\sum_{v \in \Sigma_K} w_v(x) = 0.$$
2.2 Divisors
Let K be a global field.
Definition 2.
1. The divisor group $D_K$ is the free abelian group generated by $\Sigma_K^f$.
2. For $D = \prod_{\mathfrak{p} \in \Sigma_K^f} \mathfrak{p}^{z_\mathfrak{p}}$ define
$$\deg(D) := \sum_{\mathfrak{p} \in \Sigma_K^f} z_\mathfrak{p} \cdot \deg \mathfrak{p} \qquad\text{and}\qquad \mathrm{rad}(D) := \prod_{z_\mathfrak{p} \neq 0} \mathfrak{p}.$$
3. For $x \in K^*$ define
$$(x)_0 := \prod_{\mathfrak{p} \in \Sigma_K^f;\ v_\mathfrak{p}(x) > 0} \mathfrak{p}^{v_\mathfrak{p}(x)}, \qquad (x)_\infty := \prod_{\mathfrak{p} \in \Sigma_K^f;\ v_\mathfrak{p}(x) < 0} \mathfrak{p}^{-v_\mathfrak{p}(x)},$$
and $(x) := (x)_0 - (x)_\infty$ (i.e. $(x)_0 \cdot (x)_\infty^{-1}$ in the multiplicative notation above) is the principal divisor of $x$.
2.3 Local-Global Sequences
Let $K$ be a global field. The localization map is
$$K \xrightarrow{\ \prod \iota_v\ } \prod_{v \in \Sigma_K} K_v.$$
Obviously this localization can be restricted to subrings of $K$.
Example: Let $S \neq \emptyset$ be a set of places of $K$ containing the archimedean ones. Let $O_S$ be the ring of $S$-integers in $K$. Then we have the sequence
$$O_S \xrightarrow{\ \prod' \iota_\mathfrak{p}\ } \prod_{\mathfrak{p} \in \Sigma_K \setminus S} O_\mathfrak{p} \xrightarrow{\ \prod' \rho_\mathfrak{p}\ } \prod_{\mathfrak{p} \in \Sigma_K \setminus S} \mathbb{F}_\mathfrak{p}.$$
Here $\prod'$ stands for the product over all places not contained in $S$.
2.4 Height
We are interested in $K$-rational points in projective spaces satisfying certain equations. It is important to have a measure for their size: the height. For $x = (x_0, \ldots, x_n) \in \mathbb{P}^n(K)$ define
$$h(x) := \sum_{v \in \Sigma_K} \max_{i = 0, \ldots, n} \{-w_v(x_i)\}.$$
Because of the sum formula this is well-defined.
Definition 3. The height of $x \in K^*$ is
$$h(x) := h((1, x)) = \sum_{v \in \Sigma_K;\ w_v(x) < 0} -w_v(x) = \sum_{v \in \Sigma_K;\ w_v(x) > 0} w_v(x).$$
Example 1.
• For $K = \mathbb{Q}$ and $y = r/s$ with $r, s \in \mathbb{Z} \setminus \{0\}$ coprime we get $h(y) = \log(\max(|r|, |s|))$.
• For a function field $K$ over $\mathbb{F}_0$ and a non-constant $y \in K$ we get $h(y) = [K : \mathbb{F}_0(y)]$.
Remark 1. It is easily seen that the height is effective, i.e. for given $B \in \mathbb{R}$ there are only finitely many $x \in K$ with $h(x) \leq B$. So a strategy to determine points on curves is to exclude points with large height and then to determine (by search, refinement of the discussion, ...) all points of small height.
THEME I
FLT is obviously a diophantine problem over $\mathbb{Z}$ or better, because of the homogeneity, in $\mathbb{P}^2(\mathbb{Q})$.
Generalizations
1. Replace $\mathbb{Q}$ by a number field $K$ or a function field of one variable over a finite field $\mathbb{F}_q$ and ask for $K$-rational solutions of
$$C_p : X^p + Y^p = Z^p.$$
2. Choose $(a, b, c) \in (K^*)^3$ and ask for $K$-rational points on
$$C_{p,a,b,c} : aX^p + bY^p = cZ^p$$
in $\mathbb{P}^2(K)$.
A first answer: Since the genus of $C_{p,a,b,c}$ is $(p-1)(p-2)/2$, which is larger than 1 for $p \geq 5$, it follows from
Faltings' Theorem that the set of solutions is finite.
But how to determine the exact number? In general, this is one of the big unsolved problems. Hence the following "refinement" is highly interesting: Instead of looking at the set of $K$-rational points $C_{p,a,b,c}(K)$ for one $p$, look at
$$L_{a,b,c}(K) := \{(x, y, z) \in \mathbb{P}^2(K) \text{ such that there is one } p \text{ with } (x, y, z) \in C_{p,a,b,c}(K)\}.$$
Conjecture 1. $L_{a,b,c}(K)$ is a finite set.
This conjecture is known only for special triples $(a, b, c)$ for $K = \mathbb{Q}$ or very few small extension fields. We shall say more about it soon. And we shall see that it is true for fields $K$ that are function fields.
2.4.1 Affine Conjectures
Till now we were looking for solutions of homogeneous polynomials, and hence one can ask for solutions in $K$ or in subrings, e.g. in integers or more generally orders, as long as one can "clear" denominators. By dehomogenisation we come to an affine diophantine problem, and then it is a big difference whether we look for solutions in integers (classical diophantine problems) or in $K$.
The Theorem of Siegel-Mahler says that an affine curve of genus $\geq 1$ (so elliptic curves are included) has only finitely many points with integral coordinates, and it is even allowed to have a fixed finite set of primes dividing the denominators of the coordinates of the solutions. This result is much older than Faltings' theorem and easier to prove.
Look at FLT. The affine problem over $\mathbb{Z}$ is: For odd primes $p$ the only solutions of
$$x^p - y^p = 1$$
in $\mathbb{Z}^2$ are $(1, 0)$ and $(0, -1)$. This is easily verified. But a generalization leads to a much deeper problem, and its solution is a highlight of Number Theory of our age. It deals again with "families" of curves.
Theorem 1 (Preda Mihailescu, 2002). Let $x, y \in \mathbb{Z} \setminus \{0\}$ and $m, n \in \mathbb{N} \setminus \{1\}$ with
$$x^n - y^m = 1.$$
Then $n = 2$, $m = 3$, $|x| = 3$ and $y = 2$.
This theorem was known as E. Catalan's Conjecture (1842).
2.4.2 Hasse Principle
Obviously a polynomial has a solution over $K$ only if it has one over $\prod_{v \in \Sigma_K} K_v$. So testing the diophantine problem over all completions is a first step (that is usually fairly easy because of results like Hensel's lemma and Newton iteration algorithms, and so the integral version of the localization map reduces nearly everything to finite fields). But what can we say in the much more interesting converse direction?
A Hasse principle for a diophantine problem $B$ is the following statement: $B$ has a solution over $K$ iff it has a solution in $\prod_{v \in \Sigma_K} K_v$.
The famous result of Hasse-Minkowski is that the Hasse principle is true for quadratic forms. Unfortunately it is, in general, not true for more complicated polynomial systems, for instance for curves of positive genus or for systems of quadratic forms. Hence we need more vigorous "localization maps" and global ties.
3 The ABC-Conjecture
Most of the problems above are statements about (families of) ternary polynomials: For $a, b, c \in K^*$ and $(n_1, n_2, n_3) \in \mathbb{N}^3$ with $n_i$ large enough determine all solutions of
$$aX^{n_1} + bY^{n_2} = cZ^{n_3}$$
in $K$, respectively in orders of $K$. With exponents growing one can hope that these solutions are very rare. The common feature of the solutions is that sums of "powerful" numbers have to be again powerful, and this contradicts the
ABC-Conjecture
We state the conjecture in the most general form (as done in JA 1987 in Ulm).
Definition 4. Let $\Pi$ be the prime field of $K$. $x \in K$ is admissible if $K/\Pi(x)$ is finite separable.
Conjecture 2. Let $K$ be a field with divisor theory, e.g. a global field. There are real constants $d(K)$, $c(K, d)$ such that for all admissible $x \in K \setminus \{0, 1\}$ we have
$$h(x) \leq c(K, d) + d(K) \deg(\mathrm{rad}((x(x-1)))).$$
A refinement of this conjecture is the prediction of the values of the constants. In the function field case we shall see that we can take $d(K) = 1$ and that $c(K, d)$ is linear in the genus of $K$. For $K = \mathbb{Q}$ the constant $d(\mathbb{Q})$ has to be larger than 1, and an optimistic guess would be that $d(\mathbb{Q}) = 1 + \varepsilon$ is allowed for all $\varepsilon > 0$.
The formulation of Conjecture 2 does not motivate its name. Here is a variant in the number field case: Take $A \neq B \in O_K \setminus \{0\}$ and $C = A - B$. Assume in addition that $A$ and $B$ have no common prime divisor. Take $x = A/C$. Then $x - 1 = B/C$, $h(x) = h(A/C)$ and $\mathrm{rad}((x(x-1))) = \mathrm{rad}((ABC^{-2}))$. Look at the special case that $|A|_v > |B|_v$ for all $v \in S_\infty$. Then Conjecture 2 implies
$$\log|N_{K/\mathbb{Q}}(A)| \leq c(K, d) + d(K) \deg(\mathrm{rad}((ABC))).$$
Take K = Q.
Conjecture 3 (Masser-Oesterlé).
1. There exist constants $c, d$ such that for all $A \in \mathbb{N}$ one has, for all numbers $B$ that are relatively prime to $A$:
$$A \leq c \Big(\prod_{p \mid AB(A-B)} p\Big)^d.$$
2. Strong version: For all $\varepsilon > 0$ one can take $d = 1 + \varepsilon$ and $c = c(\varepsilon)$.
Remark 2. N. Elkies made the remarkable observation that the strong version of Conjecture 3 implies an effective version of Faltings' theorem.
3.1 Applications
Obviously the ABC-Conjecture is tailored to deal with diophantine problems like solutions of families of equations of type
$$aX^{n_1} + bY^{n_2} = cZ^{n_3}.$$
Look at Catalan's equation and take a solution of $x^n - y^m = 1$ with integers $(x, y)$. Using the strong form of Conjecture 3 (applied to $A = x^n$ and $B = y^m$, so that $\mathrm{rad}(AB(A-B)) \leq |xy|$) we get that
$$x^n \cdot y^m \leq c(\varepsilon)^2 (xy)^{2+2\varepsilon}$$
and so
$$1 \leq c(\varepsilon)^2 x^{-n+2+2\varepsilon} y^{-m+2+2\varepsilon},$$
and we get for all $n > 2$, $m > 2$ uniform bounds for the size of $x, y$. We remark that this is much weaker than Mihailescu's theorem. A similar procedure yields immediately a "good part" (but not all) of FLT; it yields the asymptotic Fermat Conjecture.
3.2 The Conjecture behind: The Height Conjecture for Elliptic Curves
It may be astonishing that the ABC-conjecture did not arise from equations of Fermat type but from the arithmetical theory of elliptic curves.
3.2.1 Notation for Elliptic Curves
Recall: An elliptic curve $E$ over a field $K$ is a regular plane projective cubic with at least one rational point. For simplicity we shall assume that $\mathrm{char}(K)$ is prime to 6. Then we find a short Weierstraß equation
$$E : Y^2 Z = X^3 + AXZ^2 + BZ^3$$
with $A, B \in K$ and discriminant
$$\Delta_E := -16(4A^3 + 27B^2) \neq 0.$$
The absolute invariant $j_E$ is defined as
$$j_E := -12^3 \frac{(4A)^3}{\Delta_E} = 1728 \frac{4A^3}{4A^3 + 27B^2}.$$
Definition 5. The elliptic curve $E$ is admissible iff its absolute invariant $j_E$ is admissible.
Convention: In the following it is always assumed that $E$ is admissible.
Take a prime divisor $\mathfrak{p}$ of $K$ with normed valuation $v_\mathfrak{p} =: v$. For simplicity we shall assume that $6 \notin \mathfrak{p}$. Choose a Weierstraß equation $E_\mathfrak{p}$ with coefficients $A_\mathfrak{p}, B_\mathfrak{p}$ for $E$ such that
$$v(A_\mathfrak{p}) \geq 0 \leq v(B_\mathfrak{p})$$
and $v(\Delta_{E_\mathfrak{p}})$ is minimal with this property. Then $v(\Delta_{E_\mathfrak{p}})$ is the minimal non-negative value of discriminants of curves isomorphic to $E$. Define the discriminant divisor of $E$ by
$$\Delta_E := \prod_\mathfrak{p} \mathfrak{p}^{v(\Delta_{E_\mathfrak{p}})}.$$
Denote by $\bar{E}_\mathfrak{p}$ the curve over $\mathbb{F}_\mathfrak{p}$ defined by reduction of $A_\mathfrak{p}, B_\mathfrak{p}$ modulo $\mathfrak{p}$. $\bar{E}_\mathfrak{p}$ is an elliptic curve iff $\mathfrak{p}$ does not divide $\Delta_E$. In this case $E$ has good reduction at $\mathfrak{p}$. If $v(j_E) < 0$ then $E$ has bad reduction at $\mathfrak{p}$, and after possibly a quadratic extension of $K$ the curve $E$ is isomorphic to a Tate curve; for the Tate curve one has $v(\Delta_E) = -v(j_E)$.
$E$ is semi-stable at $\mathfrak{p}$ if it has either good reduction or it is isomorphic to a Tate curve after an unramified extension. The conductor of $E$ is a divisor
$$N_E = \prod_\mathfrak{p} \mathfrak{p}^{n_\mathfrak{p}}$$
with $n_\mathfrak{p}$ a non-negative integer, $n_\mathfrak{p} > 0$ iff $\mathfrak{p}$ divides $\Delta_E$, and $n_\mathfrak{p} = 1$ iff $E$ is semi-stable with bad reduction. Otherwise $n_\mathfrak{p} = 2$ if $6 \notin \mathfrak{p}$. If $\mathfrak{p}$ divides 2 or 3 then $n_\mathfrak{p}$ is bounded by properties of $K$ and is computed by the so-called Tate algorithm. It is well known that there is a finite extension $K_1$ of $K$ such that $E \times K_1$ is semi-stable at all non-archimedean places of $K_1$. This motivates the definition: The geometric conductor of $E$ is
$$N_{E,\mathrm{geom}} := \prod_{w_\mathfrak{p}(j_E) < 0} \mathfrak{p}.$$
3.2.2 The Height of Elliptic Curves
Observation (Parshin, Conjecture of Szpiro): In the function field case $\deg(\Delta_E)$ is bounded by a small multiple of $\deg(N_E)$. We use (JA 1987) the Faltings height $h(E)$ of elliptic curves. First assume that $E$ is semi-stable. Then
$$h(E) = h_{\mathrm{geom}}(E) = h_\infty(E) + \tfrac{1}{12} h(j_E)$$
where $h_\infty(E)$ is the contribution of the archimedean places (hence occurs only in the number field case). It is computed analytically with the help of the analytic periods. A useful observation is that for periods going to $i \cdot \infty$ the geometric height of $E$ converges to $\tfrac{1}{12} h(j_E)$.
In general we use the field extension $K_1$ over which $E$ is semi-stable, and compute the geometric height over this field. By dividing through the degree $[K_1 : K]$ we get the geometric height of $E$ over $K$. For us it is enough to state
$$h(E) \leq h_{\mathrm{geom}}(E) + \tfrac{1}{2} \deg(N_E \cdot N_{E,\mathrm{geom}}^{-1}).$$
3.2.3 The Height Conjecture
Conjecture 4.
1. There is a number $d$ and for all finite sets $S \subset \Sigma_K$ there is a number $c(K, d, S)$ such that for all admissible elliptic curves $E$ defined over $K$ that are semi-stable at all places $v \notin S$ one has
$$h_{\mathrm{geom}}(E) \leq c(K, d, S) + d \deg(N_{E,\mathrm{geom}})$$
or, equivalently,
2.
$$h(j_E) \leq c'(K, d, S, \varepsilon) + 6(d + \varepsilon) \Big(\sum_{w_\mathfrak{p}(j_E) < 0} N_\mathfrak{p}\Big)$$
for all $\varepsilon > 0$. In the function field case $\varepsilon = 0$ is allowed.
3. There is a constant $d$ and a constant $c(K, d)$ such that for all elliptic curves $E$ defined over $K$ we get
$$h(E) \leq c(K, d) + d \deg(N_E).$$
Remark 3.
1. $d = 1/2$ is allowed if $K$ is a function field; $d = 1/2 + \varepsilon$ should be possible for $K = \mathbb{Q}$.
2. The height conjecture can be generalized to abelian varieties.
3.3 Conjecture 4 implies Conjecture 2
Astonishing Fact: The mighty ABC-conjecture follows from a diophantine property of elliptic curves. In other words: Ternary diophantine problems of Fermat type are, asymptotically, governed by curves of genus 1! The reason is the "easy" observation that solutions of
$$A - B = C$$
can be interpreted as relations between points of order 2 of elliptic curves.
Theorem 2. The height conjecture for admissible elliptic curves (with explicit constants) implies the ABC-conjecture (with easily derived explicit constants).
We sketch the proof in the special case that $K = \mathbb{Q}$. For $A, B \in \mathbb{Z}$ relatively prime define
$$E_{A,B} : Y^2 = X(X - A)(X - B);$$
its points of order 2 are $(0,0)$, $(A,0)$, $(B,0)$, and their pairwise differences are $A$, $B$ and $C = A - B$. $E_{A,B}$ is semi-stable outside of 2, has discriminant $\Delta_{A,B} = 16(AB(A-B))^2$ and conductor $2^\delta \mathrm{rad}(AB(A-B))$ with $\delta \leq 3$. Its $j$-invariant is
$$j_{A,B} = 2^8 \frac{(A^2 - AB + B^2)^3}{A^2 B^2 (A-B)^2}.$$
We can assume that $A \in \mathbb{N}$ and $A > B$. Then
$$h(j_{A,B}) = c' + 6 \log(A)$$
with $c'$ bounded independently of $A$ and $B$ (only powers of 2 can cancel between numerator and denominator). The height conjecture with constants $c, d$, together with $h_{\mathrm{geom}}(E) \geq \tfrac{1}{12} h(j_E) - \mathrm{const}$, yields
$$h(j_{E_{A,B}}) \leq 12\big(c + d \log(\mathrm{rad}(AB(A-B)))\big).$$
Hence
$$\log(|A|) \leq c'' + 2d \log(\mathrm{rad}(AB(A-B))).$$
3.4 Why the Height Conjecture and so the ABC-conjecture Could be True
Zero: The consequences are so nice!
First, there are very large tables that seem to confirm the conjecture (means nothing!).
Secondly, the height conjecture for elliptic curves is true over function fields! I gave a short and elementary proof using only the Riemann-Hurwitz genus formula.
Thirdly, there is a structural reason behind it, both in the function field case and in the number field case: Looking at elliptic curves over orders in global fields leads to
arithmetical surfaces,
and the very nice original proof by Szpiro of the height conjecture in the function field case uses this structure, in particular the Bogomolov-Miyaoka-Yau inequality between Chern classes. It makes sense to formulate such an inequality for arithmetical surfaces over integers, and its truth would yield ABC.
THEME 2
4 Public Key Cryptography
4.1 New Direction
Just in time, at the beginning of communication via electronic networks, came the ground breaking article of W. Diffie and M. E. Hellman published in 1976 introducing the concept of public key cryptography. Its security depends on the hardness (complexity) of mathematical problems that are the background of the crypto primitives. In these lectures we shall concentrate on systems based on discrete logarithms.
4.2 DL-Systems
We take a (big) prime number $\ell$ and a group $(G, \circ)$ of order $\ell$ with generator $g_0$.
DHCP: For secretly and randomly chosen $a, b \in \{1, \ldots, \ell\}$, and published $g_1 = g_0^a$, $g_2 = g_0^b$, the challenge is: compute
$$g_0^{a \cdot b}.$$
DHCP is called the Diffie-Hellman computational problem. It is obvious that we can solve DHCP if we can solve the following task: For randomly chosen $g_1, g_2 \in G$ compute $k \in \mathbb{N}$ with
$$g_2 = g_1^k.$$
$k \bmod \ell$ is the Discrete Logarithm (DL) $\log_{g_1}(g_2)$.
Fact: The crypto primitive determining the security of the Diffie-Hellman key exchange in generic groups is (up to algorithms of subexponential complexity) the DL.
4.2.1 Mathematical Tasks
To use (families of) groups $G$ for DL-systems we have to solve three crucial tasks:
1. Present $G$ in a compact way (ideally $O(\log(|G|))$ bits per element).
2. Group composition and inversion are easy and fast.
3. The DL in $G$ is (to the best of our knowledge) very hard and so infeasible in practice (ideally exponential in $\log |G|$, i.e. no better than the generic $O(\sqrt{|G|})$ algorithms).
It is surprisingly difficult to achieve these tasks, and the only known way to find good candidates for DL-systems is to use deep results from Arithmetic Geometry.
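The DL-system of Section 4.2 and the three tasks above, as an added Python example that is not part of the lecture: the prime-order subgroup $G$ of squares in $\mathbb{F}_p^*$ for a safe prime $p = 2\ell + 1$ (a constructed toy parameter, $p = 10007$, $\ell = 5003$), the Diffie-Hellman exchange in it, a membership test on received group elements, and baby-step giant-step as the generic $O(\sqrt{\ell})$ DL algorithm that task 3 asks to be the best possible attack. The function `solve_dhcp` is the reduction stated in the text: a DL oracle for $G$ solves DHCP. All names and parameters are my own choices.

```python
import secrets
from math import isqrt


def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the toy parameters below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


# Constructed toy parameters (assumption, not from the lecture): p = 10007 is a safe prime,
# so the squares in F_p^* form the group G of prime order l = 5003, generated by g0 = 2^2.
P = 10007
L = (P - 1) // 2
G0 = pow(2, 2, P)
assert is_prime(P) and is_prime(L) and G0 != 1 and pow(G0, L, P) == 1


def in_group(x: int) -> bool:
    """Membership test for G: rejects 1 and every element outside the order-l subgroup.
    Skipping this check on received values is what enables small-subgroup attacks."""
    return 1 < x < P and pow(x, L, P) == 1


def dh_exchange(a: int, b: int) -> tuple:
    """Diffie-Hellman in G: publishes g1 = g0^a and g2 = g0^b, returns (g1, g2, g0^(ab))."""
    g1, g2 = pow(G0, a, P), pow(G0, b, P)
    if not (in_group(g1) and in_group(g2)):
        raise ValueError("public value outside the prime-order subgroup")
    key_a, key_b = pow(g2, a, P), pow(g1, b, P)   # each side raises the other's value
    assert key_a == key_b
    return g1, g2, key_a


def bsgs(g1: int, g2: int) -> int:
    """Baby-step giant-step, the generic DL algorithm: returns k in [0, l) with g1^k = g2
    using O(sqrt(l)) group operations and O(sqrt(l)) memory. In a generic group nothing
    does better, which is why l must be around 2^256 in practice."""
    m = isqrt(L) + 1
    baby = {}
    x = 1
    for j in range(m):                  # baby steps: g1^j for 0 <= j < m
        baby.setdefault(x, j)
        x = x * g1 % P
    giant = pow(g1, (L - m) % L, P)     # g1^(-m), using g1^l = 1
    y = g2
    for i in range(m):                  # giant steps: g2 * g1^(-i m)
        if y in baby:
            return (i * m + baby[y]) % L
        y = y * giant % P
    raise ValueError("g2 is not in the subgroup generated by g1")


def solve_dhcp(g1: int, g2: int) -> int:
    """DL solver -> DHCP solver: recover a = log_{g0}(g1), then output g2^a = g0^(ab)."""
    a = bsgs(G0, g1)
    return pow(g2, a, P)


def random_exponent() -> int:
    return 1 + secrets.randbelow(L - 1)


if __name__ == "__main__":
    a, b = random_exponent(), random_exponent()
    g1, g2, key = dh_exchange(a, b)
    print("shared key:", key, "| attacker recovers it via DL:", solve_dhcp(g1, g2) == key)
```

With $\ell \approx 5000$ the attack needs about 71 baby and 71 giant steps; the same code against a 256-bit $\ell$ would need $2^{128}$ of each, which is the whole point of task 3.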
4.3 Bilinear Structures and Applications
Let $(G, \circ)$ be a DL-system. In particular, $G$ is a cyclic group of order $\ell$ and so a $\mathbb{Z}$-module.
Definition 6. Assume that there are $\mathbb{Z}$-modules $B$ and $C$ and a bilinear map $Q : G \times B \to C$ with
i) the group composition laws in $G$, $B$ and $C$ as well as the map $Q$ are fast (e.g. polynomial time);
ii) for random $b \in B$ we have $Q(g_1, b) = Q(g_2, b)$ iff $g_1 = g_2$.
We call $(G, Q)$ a DL-system with bilinear structure.
There are destructive aspects of bilinear structures (transfer of DL, the decision problem is easy) but also constructive aspects: Tripartite Key Exchange, Identity Based Protocols, and Short Signatures.
5 Arithmetic Geometry Enters
The main source for groups that are candidates for DL-systems are divisor class groups of function fields $K$ of genus $g > 0$ over finite fields $\mathbb{F}_q$. We already have defined the divisor group $D_K$ of $K$.
Definition 7.
$$D_K^0 := \{D \in D_K;\ \deg(D) = 0\}$$
is the divisor group of $K$ of degree 0.
$$\mathrm{Princ}_K := \{(x);\ x \in K^*\}$$
is its subgroup consisting of principal divisors.
$$C_K^0 := D_K^0 / \mathrm{Princ}_K$$
is the divisor class group of degree 0 of $K$.
For $d \in \mathbb{N}$ define $K_d := K \cdot \mathbb{F}_{q^d}$ and the functor
$$\mathrm{Pic}^0_C : \mathbb{F}_{q^d} \mapsto C^0_{K_d}.$$
The important fact is that $\mathrm{Pic}^0_C$ is representable by an explicitly given abelian variety: Let $C$ be the unique projective irreducible regular curve with function field $K$, and let $J_C$ be the Jacobian variety of $C$. Then we get in a canonical way
$$C^0_{K_d} = J_C(\mathbb{F}_{q^d}).$$
It is clear but worth mentioning that for elliptic curves ($g = 1$) we have an isomorphism between $E$ and $J_E$, and the set of rational points $E(K)$ is an abelian group with explicitly given polynomial addition formulas.
So we can use the whole machinery of abelian varieties to study divisor class groups of function fields. In particular, $C^0_K$ is a finite abelian group, and for all $n$
$$C^0_K[n] \subset (\mathbb{Z}/n)^{2g}.$$
There is one theorem that rules the arithmetic of function fields, the
Theorem of Riemann-Roch.
By using it one can
• find a plane equation (with singularities) for a curve $C'$ with function field $K$,
• represent divisor classes by positive divisors of degree $g$,
• hence represent elements in $J_C(\mathbb{F}_q)$ in a compact way,
• compose divisor classes.
A high point of algorithmic arithmetic geometry is
Theorem 3 (Heß, Diem). Let $C$ be a curve of genus $g$ over $\mathbb{F}_q$. The arithmetic in the degree 0 class group of $C$ can be performed in an expected number of field operations which is polynomially bounded in $g$ and $\log(q)$.
So tasks 1 and 2 listed above for DL-systems are satisfied for subgroups of prime order of divisor class groups.
Remark 4. For special curves like elliptic curves and hyperelliptic curves of low genus there are much more efficient composition formulas or algorithms than those obtained by the general approach. This is crucial for applications (cf. lecture of R. Avanzi).
5.1 Bilinear Structures
Abelian varieties have (in analogy to abelian groups) natural dualities (keyword: Riemann form), and Jacobian varieties are self-dual. Hence there is a natural bilinear form on $C^0_K[n]$, the Weil pairing (which is symplectic). With a little bit more theory one finds the Tate pairing. We shall come to a discussion, in particular concerning the complexity of the evaluation of these pairings, later on.
5.2 On the (In)-Security of Discrete Logarithms
There remain two things to do. First, one has to find curves $C$ for which $|J_C(\mathbb{F}_q)|$ is (almost) a big prime number. This is an interesting diophantine problem. But before investing a lot of work one has to think about the hardness of DL in divisor class groups. Coming out of the structural richness of these groups one can apply index-calculus attacks.
The bleak result is
Theorem 4 (Diem, Gaudry, Thomé, Thériault).
• There exists a (probabilistic) algorithm which computes the DL in the divisor class group of curves of genus $g$ in expected time $O(q^{2 - 2/g})$. Hence these groups are weaker than generic groups for $g \geq 4$.
• (Diem): There exists a (probabilistic) algorithm which computes the DL in the divisor class group of plane curves of degree 4 in expected time $O(q)$. So non-hyperelliptic curves of genus 3 have divisor class groups with weak discrete logarithms.
So we have the task to find elliptic and hyperelliptic curves of genus 2 over $\mathbb{F}_q$ with large divisor class groups whose order is almost a prime number.
Big Question: Has the ABC-Conjecture something in common with this task?
THEME: Galois Theory
6 Galois Theory
Let K be a field, Ks its separable closure.
Definition 8. $G_K := \mathrm{Aut}_K(K_s)$ is the (absolute) Galois group of $K$.
Example 2. $G_{\mathbb{F}_q} \cong \hat{\mathbb{Z}}$ is topologically generated by the Frobenius automorphism $\phi_q$ mapping elements of $\mathbb{F}_{q,s}$ to their $q$-th power.
$G_K$ is a compact pro-finite group. Without mentioning it we shall assume that maps involving topological groups are continuous.
6.1 Local-Global Galois Theory
We have discussed a hierarchy of fields ranging from finite fields $\mathbb{F}_q$ over local fields $K_v$ to global fields $K$. This is reflected by Galois groups. The global Galois group $G_K$ is big and complicated. It is studied by restricting to decomposition groups $G_\mathfrak{p}$ whose structure is much simpler.
Definition 9. Let $v$ be a place of the global field $K$ and $\bar{v}$ an extension to $K_s$ inducing the topology $t_{\bar{v}}$.
$$G_{\bar{v}} := \{\sigma \in G_K;\ \sigma \text{ is continuous with respect to } t_{\bar{v}}\}$$
is the decomposition group of $\bar{v}$.
$G_{\bar{v}}$ depends on the choice of $\bar{v}$, but different extensions of a given $v$ lead to decomposition groups that are conjugate in $G_K$. So objects that are invariant under conjugation (like characteristic polynomials) depend only on $v$.
$G_{\bar{v}}$ has, as Galois group of a local field, a rather easy structure. If $v$ is archimedean then $G_{\bar{v}} = \{\mathrm{id}\}$ or $G_{\bar{v}} = \{\mathrm{id}, \tau\}$ with $\tau$ a complex conjugation.
Assume that $v$ corresponds to a prime divisor $\mathfrak{p}$ containing $p$, and let $\mathfrak{P}$ be a prime ideal in the integral closure of $O_\mathfrak{p} \cap K$ in $K_s$ lying over $\mathfrak{p}$. Then $G_\mathfrak{P}$ has a subgroup canonically isomorphic to $I_\mathfrak{P} := G_{K_\mathfrak{p}^{nr}} = G(K_{\mathfrak{p},s}/K_\mathfrak{p}^{nr})$, where $K_\mathfrak{p}^{nr}$ is the maximal unramified extension of $K_\mathfrak{p}$ in $K_{\mathfrak{p},s}$.
Definition 10. $I_\mathfrak{P}$ is the inertia group of $\mathfrak{P}$; it is determined up to conjugation by $\mathfrak{p}$.
By Hilbert theory one sees that $I_\mathfrak{P}$ is a pro-solvable group, and that its pro-$p$-Sylow subgroup $I_\mathfrak{P}^w$ is normal. It is the wild ramification group. The fixed field of $I_\mathfrak{P}^w$ is the maximal tamely ramified extension $K_\mathfrak{p}^t$ of $K_\mathfrak{p}$; the Galois group $G(K_\mathfrak{p}^t / K_\mathfrak{p}^{nr})$ is the tame ramification group.
The quotient $G_\mathfrak{P}/I_\mathfrak{P}$ is canonically isomorphic to $G_{\mathbb{F}_\mathfrak{p}}$ and hence is generated by a distinguished element $\phi_\mathfrak{p}$, where $\phi_\mathfrak{p}$ modulo $\mathfrak{P}$ is the Frobenius automorphism of $\mathbb{F}_\mathfrak{p}$.
Via these identifications one can define conjugacy classes of Frobenius elements $\sigma_\mathfrak{p} \in G_K$ attached to each $\mathfrak{p}$. It is the interplay between the arithmetical properties of $K$, reflected by the set of places $\mathfrak{p}$, and the group theoretical properties of $G_K$, reflected by the set of subgroups $G_\mathfrak{p}$, which deeply relates Galois theory with arithmetic.
7 Galois Representations
Definition 11. Let $R$ be a topological ring. A Galois representation of dimension $d$ is a continuous homomorphism
$$\rho : G_K \to \mathrm{GL}_d(R).$$
Equivalently: There is a free topological $R$-module $V$ of rank $d$ with continuous $G_K$-action which makes $V$ an $R[G_K]$-module. Equivalent representations have isomorphic $R[G_K]$-modules as representation spaces.
It follows that $\mathrm{im}(\rho)$ is a compact topological group with profinite topology. In particular, $\mathrm{im}(\rho)$ is finite if the topology of $R$ is either discrete or connected.
Let $K_\rho$ be the fixed field of $\ker(\rho)$. Since $\ker(\rho)$ is closed we have that $K_\rho/K$ is Galois with $G(K_\rho/K) \cong \mathrm{im}(\rho)$.
Definition 12. The representation $\rho$ is semi-simple iff the representation space $V_\rho$ is a semi-simple $G_K$-module. This is so iff the representation $\rho$ is determined (up to equivalence) by all the characteristic polynomials $\chi_{\rho(\sigma)}(T)$ of the images of elements $\sigma \in G_K$.
7.1 Examples of Representations
We assume that natural numbers $n$ and prime numbers $\ell$ are prime to $\mathrm{char}(K)$.
7.1.1 The Cyclotomic Character
Denote by $\mu_n$ the group scheme of roots of unity of order dividing $n$. Let $\zeta_n$ be a generator of $\mu_n(K_s)$. For $\sigma \in G_K$ define $\chi_n(\sigma) := k$ with $k \in (\mathbb{Z}/n)^*$ and
$$\sigma(\zeta_n) = \zeta_n^k.$$
$\chi_n$ is the cyclotomic character. Of course, it is semi-simple.
7.2 Representations Attached to Abe-lian Varieties
Let A be an abelian variety of dimension g.As examples we can take elliptic curves (g=1)or Jacobian varieties of curves of genus g.Denote by A[n] the kernel of the multiplica-tion by n.A basic result about torsion points of abeli-an varieties yields that
A[n](Ks) ∼= (Z/n)2g.
GK acts on A[n](Ks) in a natural way, andthis action induces a Galois representationdenoted by
ρA,n : GK → Gl2g(Z/n).
59
A generalization: Take a prime $\ell$ and define the $\ell$-adic Tate module
$$T_\ell(A) := \varprojlim_k A[\ell^k]$$
on which $G_K$ acts continuously (w.r.t. the $\ell$-adic topology). The corresponding Galois representation is denoted by $\rho_{A,\ell}$. It is a $2g$-dimensional $\ell$-adic Galois representation over $\mathbb{Z}_\ell$. By tensoring with $\mathbb{Q}_\ell$ we get representations over fields. By abuse of language we shall denote the resulting representation again by $\rho_{A,\ell}$.
7.3 Isogenies and Endomorphisms
Definition 13. Let $A, B$ be abelian varieties defined over $K$. A $K$-rational homomorphism
$$\eta : A \to B$$
is a morphism of $K$-schemes that is compatible with addition. The kernel of $\eta$ is a group scheme $\ker(\eta)$. If $\dim(A) = \dim(B)$ and if $\ker(\eta)$ is finite then $\eta$ is an isogeny. The order of $\ker(\eta)$ is the degree of $\eta$, and $\eta$ is separable if $\ker(\eta)$ is étale. $\mathrm{End}_K(A)$ is the ring of endomorphisms of $A$.
Example 3.
1. Let $\eta$ be an isogeny of $A$ of prime degree $\ell \neq \mathrm{char}(K)$. Then $\eta$ is separable and $\ker(\eta)(K_s)$ is a group of order $\ell$ with $G_K$-action. Hence $\rho_{A,\ell}$ is not irreducible.
2. Let $K$ be a finite field with $q$ elements. Define by $\phi_q$ the Frobenius automorphism of $K_s$ that maps elements $x \in K_s$ to $x^q$. $\phi_q$ operates in a natural way on projective spaces and so on abelian varieties, and induces a purely inseparable endomorphism of degree $q^{\dim(A)}$ called the Frobenius endomorphism. By abuse of language we denote this endomorphism again by $\phi_q$.
7.4 Isogenies of Elliptic Curves
7.4.1 Modular Curves
First we remark that, up to isomorphisms, isogenies of a given elliptic curve are in one-to-one correspondence with finite subgroup schemes of $E$.
Special Case: Let $n$ be a number prime to $\mathrm{char}(K)$. A $K$-rational cyclic isogeny $\eta$ of degree $n$ has a kernel with $\ker(\eta)(K_s) \cong \mathbb{Z}/n$. Hence such cyclic isogenies correspond to Galois representations $\rho_{E,n}$ whose image is contained in a Borel subgroup of $\mathrm{GL}(2, \mathbb{Z}/n)$. (Isomorphy classes of) elliptic curves with this additional structure are parameterized by a modular curve
$$X_0(n)$$
that is a (coarse) moduli scheme. So, (up to twists) elliptic curves with a cyclic isogeny of degree $n$ over $K$ correspond to $X_0(n)(K)$. Hence Galois representations of type $\rho_{E,n}$ with image contained in a Borel subgroup lead to a diophantine problem.
We can go one step further and look at the case that $\ker(\eta)(K) \cong \mathbb{Z}/n$, hence we have a cyclic subgroup of order $n$ in $E(K)$. Then $\rho_{E,n}$ has an eigenvalue $1 \bmod n$. Curves $E$ with a specified $K$-rational point of order $n$ are parameterized by the modular curve
$$X_1(n).$$
For $n \geq 4$ this is a fine moduli space, and so pairs $(E, P)$ with $E$ an elliptic curve and $P$ a point of order $n$ correspond 1-1 to points on $X_1(n)(K)$.
7.4.2 Deuring’s Theorem
Using lattices one sees that for elliptic curves over $\mathbb{C}$ the ring $\mathrm{End}_\mathbb{C}(E)$ is commutative and is either $\mathbb{Z} \cdot \mathrm{id}_E \cong \mathbb{Z}$ (generic case) or an order $O_E$ in an imaginary quadratic field $K_E = \mathbb{Q}(\sqrt{-d})$ (CM-case). In the last case the $j$-invariant of $E$ is an algebraic integer contained in the ring class field of $O_E$. By a Lefschetz principle it follows that the same result is true over any field of characteristic 0. Much deeper are results of M. Deuring obtained in a beautiful paper.
Theorem 5. Let $K$ be a field of characteristic $p$ and $E$ an elliptic curve defined over $K$.
1. If $j_E$ is not algebraic over the prime field of $K$ then $\mathrm{End}_K(E) = \mathbb{Z}$.
2. If $E$ is supersingular (i.e. the endomorphism $[p] \cdot \mathrm{id}_E$ is purely inseparable) then $j_E$ is contained in $\mathbb{F}_{p^2}$ and $\mathrm{End}_{K_s}(E)$ is an order in a quaternion algebra.
3. Lifting Theorem: If $E/\mathbb{F}_q$ is ordinary then there exists an elliptic curve $\tilde{E}$ over a number field $K$ with $\mathrm{End}_K(\tilde{E}) = \mathrm{End}_{\mathbb{F}_q}(E)$ and a prime divisor $\mathfrak{p}$ of $K$ such that
$$\tilde{E} \bmod \mathfrak{p} = E.$$
In particular, the Frobenius endomorphism $\phi_q$ of $E$ can be interpreted as a complex number generating the imaginary quadratic field $\mathrm{Quot}(\mathrm{End}_K(\tilde{E}))$. $\tilde{E}$ is uniquely determined over $\mathbb{C}$ and is called the canonical lift of $E$.
8 Galois Representations over Finite Fields
We want to study representations $\rho_{A,\ell}$ of $G_{\mathbb{F}_q}$ attached to abelian varieties. Representations $\rho$ of $G_{\mathbb{F}_q}$ are uniquely determined by $\rho(\phi_q)$, and if they are semi-simple, by
$$\chi_{\rho_{A,\ell}(\phi_q)}(T).$$
It is not too difficult to see
Proposition 1. There is a monic polynomial $\chi_A(T) \in \mathbb{Z}[T]$ of degree $2g$ such that for all $n \in \mathbb{N}$ prime to $p$ we get
$$\chi_{\rho_{A,n}(\phi_q)}(T) \equiv \chi_A(T) \bmod n$$
and
$$|A(\mathbb{F}_q)| = \chi_A(1).$$
Definition 14. $\chi_A(T)$ is the characteristic polynomial of the Frobenius endomorphism of $A$.
Corollary 1. We can count the number of points in $A(\mathbb{F}_q)$ if we can determine $\chi_A(T)$.
8.1 Theorem of Hasse-Weil
The key result for all algorithms to compute $\chi_A(T)$ is an enormous and deep sharpening of Proposition 1.
Theorem 6 (Hasse-Weil). All zeroes of $\chi_A(T)$ have (complex) absolute value $\sqrt{q}$ ("Riemann Hypothesis"). Hence $|A(\mathbb{F}_q)| \sim q^g$.
The coefficients of $\chi_A(T)$ are integers bounded in terms of $q^g$ (the coefficient of $T^{2g-i}$ has absolute value at most $\binom{2g}{i} q^{i/2}$), and so they can be determined by computing $\chi_{\rho_{A,n}(\phi_q)}(T)$ for $n$ larger than twice these bounds.
Example 4. Let $E$ be an elliptic curve over $\mathbb{F}_q$. The characteristic polynomial of the Frobenius endomorphism of $E$ is
$$\chi_E(T) = T^2 - t_E T + q$$
with $|t_E| \leq 2\sqrt{q}$ ($t_E$ is the trace of the Frobenius endomorphism). Hence
$$\big|\, |E(\mathbb{F}_q)| - q - 1 \,\big| \leq 2\sqrt{q} \qquad \text{("Riemann Hypothesis")}.$$
This inequality is the theorem of Hasse(-Deuring).
68
8.1.1 Proof of the Theorem of Hasse-Deuring (1936)

An easy special argument for supersingular elliptic curves settles the theorem for these curves. For ordinary E we use Deuring's lifting theorem and can regard $\varphi_q$ as a complex number generating an imaginary quadratic field, with minimal polynomial

$T^2 - t_E T + q.$

The discriminant of this polynomial is negative, so

$t_E^2 - 4q < 0,$

hence $|t_E| < 2\sqrt q$ (the inequality is strict in the ordinary case).

Remark 5 This proof is historically very important; some people say that it marks the beginning of arithmetic geometry. It shows that to get information about objects over finite fields it may be useful to go to local fields or even global fields. We shall see more examples soon.
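As an added example (not part of the lecture notes), the following Python code makes Corollary 1, Theorem 6 and Example 4 concrete for an elliptic curve $y^2 = x^3 + ax + b$ over a prime field: it counts points by exhaustive search (the naive method the text calls too slow for large q), reads off $t_E$, checks Hasse's bound, and then uses $\chi_E(T)$ alone to count over $\mathbb{F}_{p^n}$ without any $\mathbb{F}_{p^n}$ arithmetic. All curves and primes are constructed toy values; nothing here is Schoof's or the SEA algorithm, which replace the exhaustive count.

```python
# Added example: naive point counting, the Frobenius trace t_E, Hasse's bound and
# counting over extension fields from chi_E(T) = T^2 - t_E T + p (Theorem 6, Example 4).
from math import isqrt


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(p, a, b):
    """|E(F_p)| for E: y^2 = x^3 + a x + b (p odd prime, curve non-singular mod p).
    Each x contributes 1 + (x^3+ax+b / p) affine points; the point at infinity adds 1.
    This is the O(p) method the text says is too slow for cryptographic sizes of p."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))


def frobenius_trace(p, a, b):
    """t_E with chi_E(T) = T^2 - t_E T + p, i.e. |E(F_p)| = chi_E(1) = p + 1 - t_E."""
    return p + 1 - count_points(p, a, b)


def hasse_bound_holds(p, a, b):
    """Hasse(-Deuring): |t_E| <= 2 sqrt(p), checked exactly as t_E^2 <= 4p."""
    return frobenius_trace(p, a, b) ** 2 <= 4 * p


def is_supersingular(p, a, b):
    """E is supersingular iff t_E ≡ 0 (mod p); for p >= 5 Hasse's bound forces t_E = 0."""
    return frobenius_trace(p, a, b) % p == 0


def count_points_ext(p, a, b, n):
    """|E(F_{p^n})| = p^n + 1 - (alpha^n + beta^n), alpha, beta the roots of chi_E.
    s_n = alpha^n + beta^n obeys s_n = t s_{n-1} - p s_{n-2}, s_0 = 2, s_1 = t, so one
    trace over F_p (Theorem 6 in use) gives the count over every extension field."""
    t = frobenius_trace(p, a, b)
    s_prev, s_cur = 2, t
    for _ in range(n - 1):
        s_prev, s_cur = s_cur, t * s_cur - p * s_prev
    return p**n + 1 - s_cur


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def prime_order_curves(p, a=1):
    """All b with |E_{a,b}(F_p)| prime: candidates for a DL group, found by counting
    (the 'last task' of 8.3.1, with exhaustive counting standing in for Schoof/SEA)."""
    return [b for b in range(p)
            if (4 * a**3 + 27 * b**2) % p and is_prime(count_points(p, a, b))]
```

For p = 7, a = b = 1 the exhaustive count gives 5 points, so $t_E = 3$ and $|E(\mathbb{F}_{49})| = (8-3)(8+3) = 55$ follows from the recurrence alone; for $y^2 = x^3 + x$ over $\mathbb{F}_{103}$ the trace is 0, the supersingular case used in the pairing example later on.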
8.2 Isogenies

The following result shows the power of Galois representations over finite fields.

Theorem 7 (Tate) The isogeny class of an abelian variety A defined over $\mathbb{F}_q$ is uniquely determined by $\chi_A(T)$.

Corollary 2 Elliptic curves E, E' defined over $\mathbb{F}_q$ are isogenous over $\mathbb{F}_q$ iff

$|E(\mathbb{F}_q)| = |E'(\mathbb{F}_q)|.$

Question: Can one compute isogenies $\eta$ explicitly?

Optimistic guess: with complexity polynomial in $\log q$, g and $\deg\eta$.

Indeed, this is true for elliptic curves, one of the high points of computational arithmetic geometry!
Proposition 2 (Vélu, Lercier, Morain, Couveignes, Galbraith, Hess, Smart, ...) To compute a cyclic isogeny of degree $\ell$ of an elliptic curve over $\mathbb{F}_q$ one has to perform $O(\ell^2 + \ell\log\ell\,\log q)$ field operations.

This is astonishingly effective but nevertheless polynomial in $\ell$ itself, i.e. exponential in the bit length $\log\ell$. So one can only handle not too long chains of isogenies of small degree. An analogous result is nearly established for curves of genus 2 (algebraic theory of theta functions) and is a fascinating area of mathematical research. Can it be applied to cryptography?
8.3 Application to Theme 2: Point Counting

By the Hasse-Weil result we get an estimate for the size of the coefficients of $\chi_A(T)$ which depends only on q and g.

8.3.1 The Etale Approach

This approach is due to Schoof and, for abelian varieties, to Pila. In principle one computes the action of the Frobenius automorphism on the points whose order is a small power $\ell^k$ of a small prime $\ell \ne p$ (for elliptic curves via the division polynomials), obtains $\chi_A(T) \bmod \ell^k$ from Proposition 1, and then uses the Chinese remainder theorem over enough such $\ell^k$ to determine the coefficients of $\chi_A(T)$ exactly; the Hasse-Weil bound says when enough moduli have been collected. In principle this works with complexity polynomial in $\log q$ for fixed $\dim A$. But in practice it is too slow even for elliptic curves.

The idea due to Atkin and Elkies, and brought to perfection by Morain, Lercier, Couveignes, ..., is to use isogenies instead of points (i.e. to use projective representations). With the result of Proposition 2 about the computation of isogenies this works so fast that we can determine the number of points on elliptic curves in all cryptographically interesting ranges. Since one can estimate, at least heuristically, the probability that the order of the group of rational points of a randomly chosen elliptic curve is (almost) prime, one can solve the last task and find many elliptic curves E such that $E(\mathbb{F}_q)$ is a good candidate for a DL-system.
9 Galois Representations over Local Fields

Let $K_{\mathfrak p}$ be a local field with residue field $\mathbb{F}_q$ of characteristic p. The Galois group $G_{\mathfrak p}$ becomes more complicated since we have to deal with ramified extensions. Let $I_{\mathfrak p} \subset G_{\mathfrak p}$ be the inertia group and let $\rho$ be a Galois representation of $G_{\mathfrak p}$.

Definition 15 $\rho$ is unramified at $\mathfrak p$ iff $I_{\mathfrak p} \subset \ker(\rho)$. $\rho$ is tamely ramified at $\mathfrak p$ iff $I_{\mathfrak p}/(I_{\mathfrak p}\cap\ker(\rho))$ has (profinite) order prime to $p = \mathrm{char}(\mathbb{F}_q)$.
9.1 The Local L-series and Conductor

9.1.1 Local Artin L-series

We assume now that $\rho$ is a complex representation of $G_K$, and in addition that $\rho$ is semi-simple. Let V be a representation space of $\rho$ and let $K_\rho := K_s^{\ker(\rho)}$ be the fixed field of $\ker(\rho)$. First assume that $\rho$ is unramified at $\mathfrak p$. Then there is a uniquely determined Frobenius element $\sigma_{\mathfrak p} \in G(K_\rho/K)$ whose reduction is $\varphi_q$ on the residue field of $K_\rho$ at $\mathfrak p$.

Definition 16 The local L-series of $\rho$ at $\mathfrak p$ is

$L_{\rho,\mathfrak p}(s) := \det\!\left(1 - \rho(\sigma_{\mathfrak p})\,q^{-s} \,\middle|\, V\right)^{-1}$

with $s \in \mathbb{C}$ (i.e. the reciprocal characteristic polynomial of $\rho(\sigma_{\mathfrak p})$, evaluated at $q^{-s}$, is inverted).

An $\ell$-adic generalisation: assume that $\rho$ is an unramified $\ell$-adic representation and that the characteristic polynomial of $\rho(\sigma_{\mathfrak p})$ has coefficients in $\mathbb{Z}$. Then we define the local L-series as above.

We go back to complex representations and assume that $K_\rho/K$ is ramified at $\mathfrak p$, with inertia group $I_{\mathfrak p}$ of order $e_{\mathfrak p}$. We no longer have a well-defined action of Frobenius elements on V, but we do have one on the inertia invariants $V^{I_{\mathfrak p}}$, and so we can define in general the local L-series of $\rho$ at $\mathfrak p$ as

$L_{\rho,\mathfrak p}(s) := \det\!\left(1 - \rho(\sigma_{\mathfrak p})\,q^{-s} \,\middle|\, V^{I_{\mathfrak p}}\right)^{-1}$

with $s \in \mathbb{C}$.
9.1.2 Artin Conductor

To define the Artin conductor one has to use the filtration of $I_{\mathfrak p}$ by higher ramification groups. We assume that the image of $\rho$ is finite, e.g. that $\rho$ is a representation over $\mathbb{C}$ or over a finite field. Let G be the Galois group of $K_\rho/K$ (K a local field now). There is a filtration of G by higher ramification groups (in lower numbering)

$G \supset G_0 \supset G_1 \supset G_2 \supset \cdots$

with $G_0 = I_{\mathfrak p}$ the inertia group and $G_1$ its p-Sylow subgroup, $p = \mathrm{char}(\mathbb{F}_q)$. For $i \ge 1$ the groups $G_i$ are p-groups and give the wild ramification part. Let $V_i = V^{G_i}$ and $d_i = \mathrm{codim}_V V_i$.

Definition 17 The exponent $f_{\mathfrak p}$ of the conductor of $\rho$ at $\mathfrak p$ is

$f_{\mathfrak p} = \sum_{i \ge 0} \frac{1}{[G_0 : G_i]}\, d_i .$

The Artin conductor of $\rho$ at $\mathfrak p$ is $N'_{\rho,\mathfrak p} := \mathfrak p^{f_{\mathfrak p}}$.

In particular, $f_{\mathfrak p} > 0$ iff $\rho$ is ramified at $\mathfrak p$; the term $i = 0$ is $d_0 = \mathrm{codim}\,V^{I_{\mathfrak p}}$, the tame part, and the terms with $i \ge 1$ form the wild (Swan) part.
9.2 Representations and the Arithmetic of Abelian Varieties

Let A be an abelian variety defined over $K_{\mathfrak p}$. Recall: the type of reduction is described by the exponent $f_{A,\mathfrak p}$ of the conductor divisor $N_{A,\mathfrak p}$ of A. A has good reduction iff this exponent is 0. A has semi-stable reduction iff $I_{\mathfrak p}$ acts unipotently on $T_\ell(A)$; then the exponent equals the dimension of the toric part of the reduction, so for elliptic curves semi-stable reduction means exponent $\le 1$.

Theorem 8 (Criterion of Néron-Ogg-Shafarevich) For $\ell \ne p$, $\rho_{A,\ell}$ is ramified at $\mathfrak p$ iff $f_{A,\mathfrak p} > 0$, i.e. iff A has bad reduction at $\mathfrak p$.

Remark 6 For given $\ell^k$ the conductor of $\rho_{A,\ell^k}$ (the Artin conductor of the representation on $A[\ell^k]$) clearly divides the conductor of A, and for k large enough we have equality. But for small k there may be a gap. It is a very interesting diophantine question to find such "congruence primes" $\ell$.
9.2.1 Local L-series of Abelian Varieties

Assume that A has good reduction $A_{\mathfrak p}$. Since for all primes $\ell \ne p$ the representation $\rho_{A,\ell}$ is unramified, the local L-series of $\rho_{A,\ell}$ is defined, and by Proposition 1 it is independent of $\ell$:

Definition 18

$L_{A,\mathfrak p}(s) := L_{\rho_{A,\ell},\mathfrak p}(s) := \det\!\left(1 - \rho_{A,\ell}(\sigma_{\mathfrak p})\,q^{-s}\right)^{-1} = \left(q^{-2gs}\,\chi_{A_{\mathfrak p}}(q^{s})\right)^{-1}$

is the local factor of the L-series of A at $\mathfrak p$. (If $\chi_{A_{\mathfrak p}}(T) = \prod (T - \alpha_i)$ then $q^{-2gs}\chi_{A_{\mathfrak p}}(q^s) = \prod(1 - \alpha_i q^{-s})$.)
9.3 Application to Theme 2

9.3.1 p-adic Approach for Point Counting

Already from the proof of Hasse's result about points on elliptic curves over finite fields it became obvious that, in order to get information about objects over finite fields $\mathbb{F}_{p^d}$, it may be useful to lift these objects to local fields.

Another striking example is formed by methods to count points on varieties over finite fields by lifting them p-adically. It is characteristic for these methods that their complexity depends polynomially on d and on p (not on $\log p$), so they are suitable for finite fields of relatively small characteristic.

The first example is due to Satoh. He made Deuring's lifting theorem explicit, not to number fields (that is in general hopeless) but to p-adic fields, namely to the fraction field of the Witt vectors $W(\mathbb{F}_q)$, the unramified extension of $\mathbb{Q}_p$ with residue field $\mathbb{F}_q$.

To the same family belong the algorithms going back to Mestre and called AGM methods. They work excellently for curves of genus $\le 3$. In both cases one lifts the Frobenius endomorphism to carefully chosen models over p-adic fields.

Using formal p-adic geometry (rigid analysis), Kedlaya lifts the Frobenius endomorphism to power series rings (Monsky-Washnitzer cohomology). Kedlaya's algorithm works quite generally (see work of Vercauteren, Gerkmann, ...) and again excellently for hyperelliptic curves.
9.3.2 Duality

As said already, Tate duality comes intrinsically with curves and their Jacobian varieties or, more generally, abelian varieties. It is a Galois-cohomological pairing that uses the Weil pairing and takes values in the Brauer group of the base field. Hence for the base field $\mathbb{F}_q$ we get only the trivial pairing, since the Brauer group of a finite field is trivial. But for local fields the situation is totally different, since we have ramified extensions available: a classical theorem of Tate says that in this case the pairing is non-degenerate. On the other hand the pairing is very explicit for Jacobian varieties and uses evaluation of functions on the attached curve. Beginning with a curve over $\mathbb{F}_q$ we lift it to a curve over a local field with residue field $\mathbb{F}_q$ and use this description.
In the end we can forget the lifting again and get the result

Theorem 9 (F.-Rück) Let C be a projective regular absolutely irreducible curve over $\mathbb{F}_q$. Let $\ell \ne p$ be a prime dividing $|J_C(\mathbb{F}_q)|$, let k be the smallest natural number such that $\ell \mid (q^k - 1)$ (the embedding degree), and let $\zeta_\ell$ be a primitive $\ell$-th root of unity in $\mathbb{F}_{q^k}$. Define $G := J_C[\ell] \cap J_C(\mathbb{F}_q)$ and

$G^\perp := \{Q \in J_C(\mathbb{F}_{q^k}) \cap J_C[\ell];\ \varphi_q(Q) = q\cdot Q\}.$

There is an explicit non-degenerate pairing

$Q : G \times G^\perp \to \langle\zeta_\ell\rangle$

(the Tate-Lichtenbaum pairing) that can be computed with complexity polynomial in $k\cdot\log q$. In particular, G is a group with bilinear structure if $k = O(\log\ell)$.

We remark that this result has (positive and negative) consequences for DL-systems based on curves with supersingular Jacobian varieties: the pairing transfers the discrete logarithm in G to a discrete logarithm in $\mathbb{F}_{q^k}^*$, where sub-exponential index-calculus methods apply, and k is small for supersingular Jacobians.
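The pairing of Theorem 9 and its consequence for DL-systems, as an added example that is not part of the lecture notes: Python code computing the reduced Tate pairing with Miller's algorithm on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_{103}$ (toy parameters chosen here, with $\ell = 13$ and embedding degree $k = 2$), checking the bilinear structure, and transporting a discrete logarithm from $E(\mathbb{F}_p)$ into $\mu_\ell \subset \mathbb{F}_{p^2}^*$ (the Frey-Rück / MOV reduction). The distortion map $\psi$ is the standard one for this curve and is used to produce the second argument in $G^\perp$; all names below are this example's own.

```python
# Added example, not from the lecture: the Frey-Rueck/Tate pairing of Theorem 9 on a
# supersingular curve (Miller's algorithm) and the transfer of a discrete logarithm from
# E(F_p) into F_{p^2}^*. Constructed toy parameters: E: y^2 = x^3 + x over F_p with
# p = 103 ≡ 3 (mod 4), so |E(F_p)| = p + 1 = 104 = 8 * 13; l = 13, embedding degree k = 2.
P_MOD, ELL = 103, 13
COFACTOR = (P_MOD + 1) // ELL

class Fp2:
    """F_{p^2} = F_p(i), i^2 = -1 (a non-square since p ≡ 3 mod 4); element a + b*i."""
    def __init__(self, a, b=0):
        self.a, self.b = a % P_MOD, b % P_MOD
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def inv(self):                      # (a + bi)^-1 = (a - bi) / (a^2 + b^2); the norm lies in F_p
        n = pow(self.a * self.a + self.b * self.b, P_MOD - 2, P_MOD)
        return Fp2(self.a * n, -self.b * n)
    def __pow__(self, e):               # square-and-multiply
        r, base = Fp2(1), self
        while e:
            if e & 1: r = r * base
            base, e = base * base, e >> 1
        return r

def slope(T, U):
    """Slope of the line through the F_p-points T, U (tangent if T == U); None if U == -T."""
    (x1, y1), (x2, y2) = T, U
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if T == U:
        return (3 * x1 * x1 + 1) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD   # y^2 = x^3 + x
    return (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD

def ec_add(P, Q):
    """Affine addition on E(F_p); None is the point at infinity O."""
    if P is None or Q is None:
        return Q if P is None else P
    lam = slope(P, Q)
    if lam is None: return None
    x3 = (lam * lam - P[0] - Q[0]) % P_MOD
    return (x3, (lam * (P[0] - x3) - P[1]) % P_MOD)

def ec_mul(n, P):
    R = None
    while n:
        if n & 1: R = ec_add(R, P)
        P, n = ec_add(P, P), n >> 1
    return R

def line_eval(T, U, Q):
    """(l_{T,U}(Q), v_{T+U}(Q)): the line through T, U and the vertical line through T+U,
    evaluated at Q with coordinates in F_{p^2}; Q never lies on these F_p-rational lines."""
    xq, yq = Q
    lam = slope(T, U)
    if lam is None:                     # U = -T: the line is vertical and T+U = O, so v = 1
        return xq - Fp2(T[0]), Fp2(1)
    x3 = (lam * lam - T[0] - U[0]) % P_MOD
    return yq - Fp2(T[1]) - Fp2(lam) * (xq - Fp2(T[0])), xq - Fp2(x3)

def miller(P, Q, n=ELL):
    """f_{n,P}(Q) with div(f_{n,P}) = n(P) - n(O), by Miller's double-and-add loop."""
    f, T = Fp2(1), P
    for bit in bin(n)[3:]:              # binary digits of n below the leading one
        num, den = line_eval(T, T, Q)
        f, T = f * f * num * den.inv(), ec_add(T, T)
        if bit == "1":
            num, den = line_eval(T, P, Q)
            f, T = f * num * den.inv(), ec_add(T, P)
    assert T is None                    # n*P = O
    return f

def tate(P, Q):
    """Reduced Tate pairing t_l(P, Q) = f_{l,P}(Q)^((p^2 - 1)/l), a value in mu_l ⊂ F_{p^2}^*."""
    return miller(P, Q) ** ((P_MOD * P_MOD - 1) // ELL)

def distortion(P):
    """psi(x, y) = (-x, i*y). Since i^p = -i and p ≡ -1 (mod l), phi_p(psi(P)) = p*psi(P):
    psi maps G = E(F_p)[l] into the eigenspace G^⊥ of Theorem 9, and t_l(P, psi(P)) != 1."""
    return (Fp2(-P[0]), Fp2(0, P[1]))

def order_l_point():
    """A generator of G: the first x with x^3 + x a square in F_p, multiplied by the cofactor."""
    for x in range(1, P_MOD):
        rhs = (x**3 + x) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            P = ec_mul(COFACTOR, (x, pow(rhs, (P_MOD + 1) // 4, P_MOD)))   # sqrt, p ≡ 3 mod 4
            if P is not None:
                return P
    raise ValueError("no point of order l")

def mov_dlog(P, R):
    """Solve R = a*P in G through t_l(R, psi(P)) = t_l(P, psi(P))^a in mu_l (Frey-Rueck/MOV);
    mu_13 is tiny, so exhaustive search; at real sizes index calculus in F_{p^k}^* takes over."""
    if R is None: return 0
    base, target, acc = tate(P, distortion(P)), tate(R, distortion(P)), Fp2(1)
    for a in range(ELL):
        if acc == target:
            return a
        acc = acc * base
    raise ValueError("R is not in <P>")
```

Evaluating $f_{\ell,P}$ directly at the point $\psi(Q)$ rather than at a divisor is legitimate here because $k > 1$: the final exponentiation by $(p^2-1)/\ell$ kills every factor in $\mathbb{F}_p^*$, in particular the vertical-line denominators, which all lie in $\mathbb{F}_p$. At these sizes the transported logarithm is found by exhaustive search in $\mu_{13}$; at cryptographic sizes one runs index calculus in $\mathbb{F}_{q^k}^*$ instead, which is why a small embedding degree k (as for every supersingular curve) is the negative consequence of Theorem 9, and why pairing-based protocols are its positive one.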
10 Global Galois Representations

In the following we take K to be a number field, though most considerations can be done for function fields.

10.1 Application to Theme 2

A last time we come back to applications of arithmetic geometry to cryptography. (This does not mean that we have told everything.)

10.1.1 Class Field Theory

A classical high point of number theory is class field theory. This theory describes abelian extensions of number fields K with given ramification by the "arithmetic" in orders of K. Explicit class field theory is available for $\mathbb{Q}$ (Kronecker-Weber) and for so-called CM-fields (totally imaginary quadratic extensions of totally real fields of degree d) (Taniyama-Shimura).

The classical case: d = 1 and K is an imaginary quadratic field. Then class fields of K are generated by j-invariants of elliptic curves with complex multiplication by orders of K. We discussed this already in connection with Deuring's lifting theorem.

One of the main results is that the Frobenius endomorphism of the corresponding elliptic curves modulo prime divisors $\mathfrak p$ of K corresponds to an element $\pi \in K$ of norm $|\mathbb{F}_{\mathfrak p}|$ (a generator of $\mathfrak p$ when $\mathfrak p$ is principal), and then $|E(\mathbb{F}_{\mathfrak p})| = N(\pi - 1) = N(\mathfrak p) + 1 - \mathrm{Tr}(\pi)$.

By beginning with an order in a CM-field we therefore know a priori the order of the group of points over $\mathbb{F}_{\mathfrak p}$ of the reduction of any abelian variety with this endomorphism ring, and we can look for appropriate $\mathfrak p$ (and find them very fast). Only then do we compute the associated abelian variety A.

This works very well for Jacobians of curves of genus 1, 2, 3. (Diploma thesis A. Spallek 1990, PhD thesis Spallek 1994, PhD thesis Weng 2001, all in Essen.) And the method has a certain importance till today.
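As an added example (not from the lecture), the CM method above in its simplest case $O = \mathbb{Z}[i]$, $j = 1728$, in Python: the group orders of the reductions of $y^2 = x^3 + cx$ at $p = a^2 + b^2$ are known from p alone, a suitable p is chosen first, and only then is the twist c with that order computed. Point counting is done by brute force and the two-squares decomposition by exhaustive search; both stand in for Cornacchia's algorithm and for the class-polynomial step that orders of class number greater than 1 require. All parameters are constructed toy values and the function names are this example's own.

```python
# Added example: the CM method for O = Z[i] (class number 1, j = 1728, no class polynomial).
# E_c: y^2 = x^3 + c x has End(E_c) = Z[i]. For a prime p ≡ 1 (mod 4) write p = a^2 + b^2;
# the Frobenius of E_c mod p is an element pi = ±a±bi or ±b±ai of norm p, so
# |E_c(F_p)| = p + 1 - Tr(pi) is one of p+1±2a, p+1±2b, and the four quartic twists
# (c modulo fourth powers) realise all four. The order is known before the curve is chosen.
from math import isqrt


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def two_squares(p):
    """p = a^2 + b^2 with a odd and b even; exists iff p ≡ 1 (mod 4) (Fermat).
    Exhaustive search stands in for Cornacchia's algorithm, which is used at real sizes."""
    for a in range(1, isqrt(p) + 1):
        b = isqrt(p - a * a)
        if a * a + b * b == p:
            return (a, b) if a % 2 else (b, a)
    raise ValueError("p is not a sum of two squares")


def cm_orders(p):
    """The a-priori group orders p + 1 - Tr(pi), Norm(pi) = p, pi in Z[i]."""
    a, b = two_squares(p)
    return {p + 1 - 2 * a, p + 1 + 2 * a, p + 1 - 2 * b, p + 1 + 2 * b}


def count_points_j1728(p, c):
    """|E_c(F_p)| by deciding whether x^3 + c x is a square (p odd); (0, 0) is always a 2-torsion point."""
    n = 1
    for x in range(p):
        r = (x**3 + c * x) % p
        n += 1 if r == 0 else (2 if pow(r, (p - 1) // 2, p) == 1 else 0)
    return n


def find_cm_prime(start, cofactor=2):
    """Step 1 of the CM method: the smallest prime p >= start, p ≡ 1 (mod 4), for which one of the
    a-priori orders equals cofactor * (prime); only integer arithmetic, no curve written down yet.
    A prime order is impossible here because (0, 0) has order 2, hence cofactor 2."""
    p = start + (1 - start) % 4
    while True:
        if is_prime(p):
            for n_ in sorted(cm_orders(p)):
                if n_ % cofactor == 0 and is_prime(n_ // cofactor):
                    return p, n_
        p += 4


def curve_with_order(p, n_):
    """Step 2: only now choose the twist, the first c with |E_c(F_p)| = n_ (at most four classes to try)."""
    for c in range(1, p):
        if count_points_j1728(p, c) == n_:
            return c
    raise ValueError("order not realised by any twist")
```

For p = 13 = 9 + 4 the candidate orders are 8, 10, 18 and 20, so a twist with order $10 = 2\cdot 5$ exists before any curve has been examined; for the general imaginary quadratic order one additionally has to find a root of the class polynomial of O modulo p to obtain the j-invariant, which is the part that class field theory supplies.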
We summarize our results.

Theorem 10 In cryptographically relevant ranges

• we can count points on random elliptic curves,

• we can count points on Jacobians of random curves over fields of small (and even medium) characteristic,

• we still have problems with random curves of genus 2 over prime fields, but can use class field theory of CM-fields to find an abundance of curves of genus 2 suitable for DL-systems,

• and, of course, we have many special families of curves whose members are accessible to point counting.
10.1.2 Isogenies Do Not Change DL's of Elliptic Curves

We use once more the CM theory, now for elliptic curves over finite fields. We fix an order O in an imaginary quadratic field and look at $S_E$, the set of isomorphism classes (over $\mathbb{F}_q$) of elliptic curves $E'/\mathbb{F}_q$ isogenous to E with

$\mathrm{End}(E') = \mathrm{End}(E) = O \subset \mathbb{Q}(\sqrt{-d}).$

Explicit class field theory (Deuring's theory of reduction of CM curves) tells us that there is a 1-to-1 correspondence between $S_E$ and the ideal class group $\mathrm{Cl}(O)$ of O: $\mathrm{Cl}(O)$ acts simply transitively on $S_E$.

The isogeny graph of O has as vertices the elements of $S_E$, and its edges correspond to isogenies of small degree (with respect to some bound); an isogeny of prime degree $\ell$ between curves in $S_E$ corresponds to the action of a prime ideal of O of norm $\ell$. Hence paths are chains of isogenies of small degree, and the local theory (Proposition 2) tells us that we can walk along such paths quickly.

Now comes number theory (theory of modular forms, see below) and yields that the isogeny graph has remarkable properties.

Theorem 11 (Jao, Miller, Venkatesan) The isogeny graph is an expander graph (under the Generalized Riemann Hypothesis). So discrete logarithms in isogeny classes of elliptic curves over $\mathbb{F}_q$ with the same endomorphism ring are subexponentially equivalent: a short random walk in the graph reaches every curve in $S_E$, and a DL instance on one curve can be transported along it to any other.
Now we turn seriously to Theme 1.

10.2 Conjecture of Fontaine-Mazur

How to find representations? We know one family of such representations: let A be an abelian variety over K. Then $\rho_{A,\ell}$ is a representation with the $\ell$-adic Tate module $T_\ell(A)$ of A as representation space. There is a finite set $S_A$ of places of K (the divisors of the conductor of A, computed locally) at which A does not have good reduction, and hence $\rho_{A,\ell}$ is unramified outside $S_A$ and the places dividing $\ell$. Following Fontaine-Mazur we define

Definition 19 An $\ell$-adic Galois representation $\rho$ of $G_K$ is geometric iff it is unramified outside a finite set of places and is potentially semi-stable at the places dividing $\ell$.

Look at the example above and recall that the $\ell$-adic Tate module of an abelian variety is dual to its first étale cohomology group with coefficients in $\mathbb{Z}_\ell$. The amazing prediction is that by using such cohomology groups we should get essentially all $\ell$-adic Galois representations of number fields.

Conjecture 5 (Fontaine-Mazur) An irreducible $\ell$-adic representation of $G_K$ is geometric iff it is isomorphic to a subquotient of a Tate twist of an étale cohomology group of a smooth projective algebraic variety over K.

This conjecture is known in rare but important cases. To demonstrate its strength we give one consequence:

Conjecture 6 Let $F(K,\ell)$ be the Galois group of the maximal unramified pro-$\ell$-extension of K. Then any quotient of $F(K,\ell)$ which is an $\ell$-adic analytic group is finite.
10.3 Diophantine Applications and Conjectures

Galois representations deeply influence the arithmetic of abelian varieties.

Theorem 12 (Faltings) $\rho_{A,\ell}$ is semi-simple.

Here are consequences of this fact.

Theorem 13 (Isogeny Theorem of Faltings) Two abelian varieties over K are isogenous iff for one (and hence for all) prime(s) $\ell$ the attached $\ell$-adic representations are equivalent over $\mathbb{Q}_\ell$.

Corollary 3 (Conjecture of Shafarevich) For a given finite set T of places of K and given d there are only finitely many abelian varieties of dimension d over K (up to isomorphism) with good reduction outside of T.

Corollary 4 (Conjecture of Mordell) Curves of genus $\ge 2$ over K have only finitely many K-rational points.

Recall that a result of Tate yields that abelian varieties over finite fields are isogenous iff their local L-series are equal.

Theorem 14 (Effective version of the Isogeny Theorem (Faltings)) For given abelian varieties $A_1$ and $A_2$ over K there is a number n such that $A_1$ is isogenous to $A_2$ iff the local L-series are equal at a set of primes $\mathfrak l_i$ with

$\mathrm{norm}\Big(\prod \mathfrak l_i\Big) > n.$
10.4 Congruent Torsion Structures

We try to make the last statement effective. Assume that for a number N we find Galois-invariant subgroups $C_i \subset A_i[N]$ with $C_1$ Galois-isomorphic to $C_2$. How large (depending on K, $\dim A_i$ and the conductors $N_{A_i}$)$^1$ does the order of $C_1$ have to be in order to force $A_1$ and $A_2$ to have isogenous abelian subvarieties?

$^1$ Here and in the following, global conductors of abelian varieties and representations are the products of the local conductors.
We formulate conjectures for elliptic curves. We look at pairs of elliptic curves E and E' defined over K.

Conjecture 7 (Darmon) There is a number $n_0(K)$ such that for all elliptic curves E, E' over K and all $n \ge n_0(K)$ we get: if $\rho_{E,n} \cong \rho_{E',n}$ then E is isogenous to E'.

A variant is

Conjecture 8 (Kani) There is a number $n_0$ (independent of K) such that for $n \ge n_0$ there are, up to twist pairs, only finitely many pairs (E, E') of non-isogenous elliptic curves with $\rho_{E,n} \cong \rho_{E',n}$. For prime numbers n we can choose $n_0 = 23$.

Geometric background: description of the moduli space and Lang's conjecture for surfaces of general type.
Much weaker is a conjecture I stated 25 years ago:

Conjecture 9 We fix an elliptic curve $E_0/K$. There is a number $n_0(E_0, K)$ such that for all elliptic curves E over K and all $n \ge n_0(E_0, K)$ we get: if $\rho_{E,n} \cong \rho_{E_0,n}$ then E is isogenous to $E_0$.

Remark 7 Conjecture 9 is true for global fields if the height conjecture is true. Hence its analogue over function fields holds.
10.5 A Local-Global Relation

One crucial result behind the results of Faltings is a local-global principle for Galois representations.

Theorem 15 (Cebotarev's Density Theorem) Let $\rho$ be a Galois representation of $G_K$ which is ramified at only finitely many places of K. If $\rho$ is semi-simple then $\rho$ is determined by

$\{\chi_{\rho(\sigma_{\mathfrak p})}(T);\ \mathfrak p \text{ runs over the unramified places of } K\}.$

It is even allowed to omit an arbitrary finite set of primes.
10.6 Global L-series

We put the local information together and form, inspired by the density theorem, the global L-series of abelian varieties. For the finitely many "bad primes" we use an explicit recipe to define a rational function $f^*(s)$ (a product of local factors built from the inertia invariants, as in 9.1.1), and we form the infinite product

$L_A(s) := f^*(s)\cdot\prod_{\mathfrak l \text{ prime to } N_A} L_{A,\mathfrak l}(s)$

with a complex variable s. This product is a Dirichlet series analytic in a half plane. It has to be seen as an analogue of the Riemann zeta function.

The Conjecture of Taniyama-Shimura-(Hasse) and Birch and Swinnerton-Dyer (BSD) is that $L_A(s)$ has an analytic continuation to $\mathbb{C}$ (recall Artin's conjecture!), and that its analytic behaviour at $s = 1$ contains all interesting information about the group of K-rational points of A, like its rank (the order of the zero at $s = 1$), the Tate-Shafarevich group (which describes the failure of the Hasse principle) and the Néron-Tate regulator.
11 K = Q

By using elliptic curves we have many examples of representations of dimension 2 with the additional property that the determinant of complex conjugation is $-1$ (odd representations). In the spirit of the conjecture of Fontaine-Mazur we look for more general geometric realizations. Surprisingly, it is enough to take very special varieties if we take $K = \mathbb{Q}$.
11.1 Modular Curves and Forms

Let $\mathcal H$ be the complex upper half plane, and $\mathcal H^* = \mathcal H \cup \mathbb{Q} \cup \{i\infty\}$. The elements of $\mathbb{Q} \cup \{i\infty\}$ are called cusps. The group $\mathrm{SL}(2,\mathbb{R})$ acts on $\mathcal H$, and $\mathrm{SL}(2,\mathbb{Z})$ on $\mathcal H^*$, by Möbius transformations $z \mapsto \frac{az+b}{cz+d}$. For $N \in \mathbb{N}$ define

$\Gamma_0(N) := \left\{\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}(2,\mathbb{Z});\ c \equiv 0 \bmod N\right\}$

and

$\Gamma_1(N) := \left\{\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}(2,\mathbb{Z});\ a \equiv 1 \bmod N,\ c \equiv 0 \bmod N\right\}.$

Let $\chi$ be a Dirichlet character with conductor dividing N.
Definition 20 Let k be a non-negative integer. Let f be a holomorphic function on $\mathcal H$ which is bounded near the cusps and satisfies: for all $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma_0(N)$ and $z \in \mathcal H$ we have

$f\!\left(\frac{az+b}{cz+d}\right) = \chi(d)\,(cz+d)^k f(z).$

Then f is a modular form of weight k with nebentype $\chi$. If in addition f vanishes at the cusps, then f is a cusp form.

The set of modular forms of weight k and nebentype $\chi$ forms a finite-dimensional $\mathbb{C}$-vector space which is denoted by $M_k(N,\chi)$. The subspace of cusp forms is denoted by $S_k(N,\chi)$.

For $k \ge 2$ it is not difficult to determine the dimension of $M_k(N,\chi)$ resp. $S_k(N,\chi)$. The reason is the Riemann-Roch theorem applied to divisors on the modular curves that stand behind $\Gamma_0(N)$ and $\Gamma_1(N)$. These curves are the compact quotients $\Gamma_0(N)\backslash\mathcal H^*$ and $\Gamma_1(N)\backslash\mathcal H^*$ and hence projective algebraic curves $X_0(N)$ and $X_1(N)$, well known to us: they have models over $\mathbb{Z}$ and are the (coarse respectively fine, for $N \ge 4$) moduli spaces for pairs of elliptic curves with a cyclic isogeny of degree N, respectively elliptic curves with a fixed point of order N.
Using the Riemann-Hurwitz genus formula it is easy to compute the genus $g(X_0(N))$ of $X_0(N)_{\mathbb{C}}$. For instance, for a prime N one has $g(X_0(N)) = \lfloor (N+1)/12 \rfloor$, minus 1 if $N \equiv 1 \bmod 12$; roughly $N/12$. For us it is enough to know that

$g(X_0(N)) = O(N).$

Example 5
• N = 2: X(2), and hence $X_1(2)$ and $X_0(2)$, have genus 0 (why? Give a rational parametrization) and therefore are isomorphic to $\mathbb{P}^1$.
• N = 11: $X_0(11)$ is an elliptic curve with Weierstrass equation $E: y^2 + y = x^3 - x^2 - 10x - 20$.
The q-expansion principle. For $f \in M_k(N,\chi)$ we have $f(z+1) = f(z)$ (apply Definition 20 to $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} \in \Gamma_0(N)$), and so f has a Fourier expansion around $i\infty$: if $q = e^{2\pi i z}$ ($z \in \mathcal H$), then

$f(z) = \sum_{n=0}^{\infty} a_n q^n$ with $a_n \in \mathbb{C}$.

The q-expansion principle states that f is uniquely determined by its Fourier coefficients $(a_n)_{n \in \mathbb{N}}$.

Definition 21 Let R be a ring containing $\mathbb{Z}[\chi]$. Then $M_k(N,\chi)(R)$ (resp. $S_k(N,\chi)(R)$) is the set of elements of $M_k(N,\chi)$ (resp. $S_k(N,\chi)$) with all $a_n \in R$.

Fact: $M_k(N,\chi)(R) = M_k(N,\chi)(\mathbb{Z}[\chi]) \otimes R$. So both $M_k(N,\chi)$ and $S_k(N,\chi)$ have a basis consisting of elements of $M_k(N,\chi)(\mathbb{Z}[\chi])$ resp. $S_k(N,\chi)(\mathbb{Z}[\chi])$.

For cusp forms f we obviously have $a_0 = 0$. f is normalized if $a_1 = 1$.
11.2 Eigenforms

$S_k(N,\chi)$ carries a Hermitian structure given by the Petersson scalar product, and it has many endomorphisms, the Hecke operators $T_n$, which generate the Hecke algebra $\mathbb{T}$. The $T_p$ with $p \nmid N$ are normal operators with respect to this product and commute with each other, so they can be diagonalized simultaneously.

Definition 22 $f \in M_k(N,\chi)$ is an eigenform if for all primes $p \nmid N$ we have $T_p f = \lambda_p \cdot f$ with $\lambda_p \in \mathbb{C}$ (i.e. $\lambda_p$ is the eigenvalue of f with respect to $T_p$).
11.3 New Forms

In general it is not true that the collection $(\lambda_p)$ determines a normalized $f \in S_k(N,\chi)$ uniquely, but for so-called "newforms" (a crucial refinement of eigenforms) this holds.

Theorem 16 (Atkin-Lehner, Atkin-Li)

• Normalized newforms are determined by their eigenvalues.

• The Mellin transform of the Fourier expansion of a newform f is an Euler product: to $f \in S_k(N,\chi)$ define the associated L-series

$L_f(s) := \sum_{j \ge 1} a_j\, j^{-s}.$

Then

$L_f(s) = \prod_p \left(1 - a_p p^{-s} + \chi(p)\, p^{k-1-2s}\right)^{-1}.$
• The L-series satisfies a functional equation, which comes from the behaviour of f under the Fricke involution $z \mapsto -1/(Nz)$:

$N^{k/2}(Nz)^{-k} f\!\left(-\frac{1}{Nz}\right) = \gamma\cdot\overline{f(-\bar z)}$

with $\gamma \in \mathbb{C}$. If $\chi = \chi_0$ is trivial, then

$N^{k/2}(Nz)^{-k} f\!\left(-\frac{1}{Nz}\right) = w_f\, f(z)$

with $w_f \in \{1, -1\}$.
11.4 Structure of the Jacobian of $X_0(N)$

The following results are due to Shimura. Take a newform $f = \sum_{j \ge 1} a_j q^j \in S_2(N)$. $K_f = \mathbb{Q}(a_1, a_2, \dots)$ is a totally real number field of degree d with embeddings $I_f := \{\sigma_1, \dots, \sigma_d\}$. The cusp form f induces an algebra homomorphism

$\lambda_f : \mathbb{T} \otimes \mathbb{Q} \to K_f$

by sending T to $a_1(T(f))$, so $T_j \mapsto a_j$. Let $U_f := \ker(\lambda_f) \cap \mathbb{T}$. The image $U_f(J_0(N))$ is an abelian subvariety of the Jacobian $J_0(N)$ of $X_0(N)$. Define

$A_f := J_0(N)/U_f(J_0(N)).$

Theorem 17
• $A_f$ is a $\mathbb{Q}$-simple abelian variety of dimension $[K_f : \mathbb{Q}]$.
• If N is square-free then $A_f$ is absolutely simple.
• $A_f$ has good reduction outside of N.
• $\Theta : K_f \to \mathrm{End}(A_f) \otimes \mathbb{Q}$, given by $\Theta(a_j) = T_j|_{A_f}$, gives $A_f$ real multiplication.
• The above construction gives a decomposition (up to $\mathbb{Q}$-isogeny) of the "new part" of $J_0(N)$ into simple varieties over $\mathbb{Q}$, each occurring with multiplicity one, and hence, by using the degeneracy maps, of all of $J_0(N)$.
11.4.1 Example: Modular Elliptic Curves

Take an elliptic curve E over $\mathbb{Q}$ with conductor $N_E$ and assume that there is a non-constant morphism

$\varphi : X_0(N_E) \to E.$

Let $\omega_E$ be the Néron differential of E: one takes a minimal ("best possible") Weierstrass equation

$Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6$

for E and

$\omega_E = \frac{dX}{2Y + a_1 X + a_3}.$

$\varphi^*(\omega_E)$ is a holomorphic differential on $X_0(N_E)$ and hence

$\varphi^*(\omega_E) = f_E(z)\, dz$ with $f_E \in S_2(N_E)$

a cusp form of level $N_E$ and weight 2, and

$f_E(z) = \sum_{j=1}^{\infty} a_j q^j$ with $a_j \in \mathbb{Z}$.

$f_E$ is the modular form attached to E and it is the key to the arithmetic of E (provided that BSD is true). By the Eichler-Shimura relation below, its coefficients at primes p of good reduction are the traces of Frobenius, $a_p = p + 1 - |E(\mathbb{F}_p)|$.
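As an added example (not part of the original notes) of $f_E$ for the curve $X_0(11)$ of Example 5: Python code that computes $a_p = p + 1 - |E(\mathbb{F}_p)|$ by brute force, forms the Euler factors of 11.7 and recovers the q-expansion of the newform from the Hecke relations, to be compared with $q - 2q^2 - q^3 + 2q^4 + q^5 + 2q^6 - 2q^7 - 2q^9 - 2q^{10} + q^{11} - \cdots$. The function names are this example's own.

```python
# Added example: the coefficients a_p of the modular form f_E for E = X_0(11),
# y^2 + y = x^3 - x^2 - 10x - 20 (Example 5), computed as a_p = p + 1 - |E(F_p)|
# (Eichler-Shimura, 11.5.1) and assembled into the q-expansion through the Hecke relations.
A1, A2, A3, A4, A6 = 0, -1, 1, -10, -20            # minimal Weierstrass equation of X_0(11)
BAD_PRIME = 11                                      # the conductor; E has a node mod 11


def count_points(p):
    """|E(F_p)| for Y^2 + a1 XY + a3 Y = X^3 + a2 X^2 + a4 X + a6 by brute force over F_p x F_p.
    Works for p = 2 and at the bad prime 11, where the node of the reduced curve is counted too:
    then p + 1 - |E(F_11)| = 1 is exactly the a_11 of the Euler factor 1 - a_p t for p | N."""
    n = 1                                           # the point at infinity
    for x in range(p):
        rhs = (x**3 + A2 * x * x + A4 * x + A6) % p
        n += sum(1 for y in range(p) if (y * y + A1 * x * y + A3 * y) % p == rhs)
    return n


def a_p(p):
    """p-th Fourier coefficient of f_E = trace of Frobenius (Theorems 18 and 19)."""
    return p + 1 - count_points(p)


def euler_factor(p):
    """Coefficients of L_p(f, t): (1, -a_p, p) for p not dividing 11 and (1, -a_p) for p = 11 (11.7)."""
    return (1, -a_p(p)) if p == BAD_PRIME else (1, -a_p(p), p)


def fourier_coefficients(bound):
    """a_n for 1 <= n <= bound from the a_p: a_{mn} = a_m a_n for coprime m, n and
    a_{p^e} = a_p a_{p^{e-1}} - p a_{p^{e-2}} (second term absent at p = 11), as for any
    normalized newform of weight 2 and trivial nebentype."""
    a = [0] * (bound + 1)
    a[1] = 1
    for n in range(2, bound + 1):
        p = next(d for d in range(2, n + 1) if n % d == 0)    # smallest prime factor of n
        m, e = n, 0
        while m % p == 0:
            m, e = m // p, e + 1
        if m > 1:
            a[n] = a[p**e] * a[m]                   # multiplicativity; both indices are < n
        elif e == 1:
            a[n] = a_p(p)
        else:
            a[n] = a[p] * a[p**(e - 1)] - (0 if p == BAD_PRIME else p) * a[p**(e - 2)]
    return a
```

The counts give $a_2 = -2$, $a_3 = -1$, $a_5 = 1$, $a_7 = -2$, $a_{11} = 1$, $a_{13} = 4$, all within Hasse's bound, and the Hecke relations then reproduce the coefficients $a_4 = a_2^2 - 2 = 2$, $a_8 = 0$, $a_9 = -2$ of the q-expansion, which is how Theorem 19's trace condition can be checked numerically for a given elliptic curve.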
11.5 Modular Representations

11.5.1 The Eichler-Shimura Relation

This is the central relation between the Hecke algebra and arithmetic. It is due to Eichler and Shimura.

Theorem 18 Let $p \ne \ell$ be a prime not dividing N, and let $\sigma_p$ be the Frobenius morphism of the reduction of $J_0(N)$ modulo p. Then, as endomorphisms of $T_\ell(A_f)$, we get the identity

$T_p = \sigma_p + \sigma_p^t,$

where $\sigma_p^t$ is the dual of the Frobenius morphism, called "Verschiebung", and $T_p$ is the p-th Hecke operator. Since $\sigma_p\sigma_p^t = p$, this says $\sigma_p^2 - T_p\sigma_p + p = 0$ on $T_\ell(A_f)$: the trace of Frobenius is the Hecke eigenvalue.
11.6 Representations Attached to Newforms

Theorem 19 (Shimura, Deligne, Deligne-Serre) Let $f = q + \sum_{j \ge 2} a_j q^j$ be a newform of weight k and level N, and $\ell$ a prime number. Then there exists a unique semi-simple $\ell$-adic representation

$\rho_\ell : G_{\mathbb{Q}} \to \mathrm{GL}(2, K_f \otimes \mathbb{Q}_\ell)$

such that $\rho_\ell$ is unramified outside $N\ell$ and

$\mathrm{tr}(\rho_\ell(\sigma_p)) = a_p, \qquad \det(\rho_\ell(\sigma_p)) = p^{k-1}$

for all p prime to $\ell N$. (For $k = 2$ this is Shimura's construction via $A_f$, for $k \ge 2$ Deligne's, and for $k = 1$ Deligne-Serre's, where the representation has finite image.)

Remark 8 $K_f \otimes \mathbb{Q}_\ell = \prod_{\mathfrak l \mid \ell} K_{f,\mathfrak l}$, and so $\rho_\ell$ splits into $\mathfrak l$-adic representations for all prime divisors $\mathfrak l$ of $\ell$ in $K_f$.
Let $\mathbb{F}_q$ be a finite field with $q = \ell^r$.

Definition 23 A representation

$\bar\rho : G_{\mathbb{Q}} \to \mathrm{GL}(2, \mathbb{F}_q)$

is modular of level N and weight k iff there is a newform f in $S_k(N)$ and a prime divisor $\mathfrak l$ of $\ell$ in $K_f$ such that $\bar\rho$ is (the semi-simplification of) the reduction modulo $\mathfrak l$ of the $\mathfrak l$-adic representation attached to f.

Remark 9 There is an alternative description: modular representations in characteristic $\ell$ are related to maximal ideals $\mathfrak m \subset \mathbb{T}$ containing $\ell$. Then $\rho_{\mathfrak m}$ is induced by the action of $G_{\mathbb{Q}}$ on $\bigcap_{T \in \mathfrak m} \ker(T)$, which is a finite group scheme $\subset J_0(N)[\ell]$.
11.7 L-series

We have mentioned already that the Mellin transform of the Fourier expansion of a newform is a Dirichlet series which admits an Euler product representation. To be explicit in the case $f \in S_2(N)$: define

$L_p(f,t) = 1 - a_p t + p\,t^2$ if $p \nmid N$,

$L_p(f,t) = 1 - a_p t$ if $p \mid N$,

and

$L(f,s) = \prod_{p \in \mathbb{P}} L_p(f, p^{-s})^{-1}.$

One sees easily (from the transformation of f under the Fricke involution) that $L(f,s)$ extends to a holomorphic function on $\mathbb{C}$. By using Eichler-Shimura and by some work concerning the divisors of N one gets

Theorem 20 The L-series of $A_f$ is equal to

$L_{A_f}(s) = \prod_{\sigma \in I_f} L(f^{\sigma}, s).$

In particular, the Shimura-Taniyama-Weil conjecture (analytic continuation of $L_A$) is true for abelian varieties which are isogenous to subvarieties of $J_0(N)$ (and $J_1(N)$).
Remark 10 For simplicity we have assumed in the above discussion that the nebentype of the newforms is trivial. But all the results and definitions about representations can be generalized to the nebentype case, too. Hence we have the notion of modular representations with nebentype as well. This nebentype $\chi$ occurs in the determinant by the condition

$\det(\rho(\sigma_p)) = p^{k-1}\chi(p).$
11.8 Serre's Conjecture

Let $\mathbb{F}$ be a finite field of characteristic p. Let

$\rho : G_{\mathbb{Q}} \to \mathrm{GL}(2, \mathbb{F})$

be a continuous, absolutely irreducible, odd representation (odd: $\det\rho(c) = -1$ for complex conjugation c) with Artin conductor $N'_\rho$. Its prime-to-p part $N_\rho$ is called the Serre conductor. Following Serre (Duke Math. J. 54, 1987) one defines a weight $k_\rho$ with $2 \le k_\rho \le p^2 - 1$ if $p \ne 2$ ($k_\rho = 2$ or 4 if $p = 2$). $k_\rho$ is determined by an explicit recipe depending on $\rho|_{I_p}$. For a careful definition see G. Wiese (http://maths.pratum.net/).

Theorem 21 (Serre's conjecture: Khare, Wintenberger, Kisin, Taylor, et al.) Let $\rho$ be as above. Then $\rho$ is modular (with a nebentype, if necessary, to satisfy the determinant condition) of level $N_\rho$ and weight $k_\rho$.
Example 6
• If $\rho$ is finite at p then the weight is equal to 2. Here finiteness means that the representation space $V_\rho$ is the generic fibre of a finite flat group scheme over $\mathbb{Z}_p$. This is so if $\mathbb{Q}(V_\rho(\bar{\mathbb{Q}}))$ is "little ramified" (peu ramifié) at p, i.e. it is obtained by a tamely ramified extension followed by radical extensions extracting p-th roots of p-adic units.

• Let E be a semi-stable elliptic curve over $\mathbb{Q}$ with j-invariant $j_E$ such that $\min(0, v_p(j_E))$ is divisible by p (so that $\rho_{E,p}$ is finite at p). Then $\rho_{E,p}$ is modular of weight 2 with trivial nebentype and level

$2^{\delta} \cdot \prod_{\ell \ne p,\ p \nmid \min(0, v_\ell(j_E))} \ell ,$

i.e. a bad prime $\ell$ survives in the level only if p does not divide $v_\ell(\Delta_E) = -v_\ell(j_E)$; the exponent $\delta \in \{0,1\}$ takes care of the prime 2, which needs a separate treatment.
11.9 Applications

11.9.1 Artin's Conjecture

Theorem 22 The L-series of irreducible two-dimensional odd complex representations $\rho$ of $G_{\mathbb{Q}}$ are holomorphic.

For the proof one only needs to look at the case that the projective image of $\rho$ is $A_5$ (the dihedral, $A_4$ and $S_4$ cases were known before, by Hecke, Langlands and Tunnell). But since $A_5 \cong \mathrm{PSL}(2, \mathbb{F}_5)$ one can interpret $\rho$, after reduction modulo a prime above 5, as a representation satisfying the conditions of Theorem 21 with $p = 5$, and gets the result: the weight-one form provided by Theorem 21 has the same L-series as $\rho$.
11.9.2 Taniyama's Conjecture

Let E be an elliptic curve over $\mathbb{Q}$ with conductor $N_E$. We know that for almost all p the representation $\rho_{E,p}$ is absolutely irreducible and finite at p. Hence it is modular of weight 2, trivial nebentype and level dividing $N_E$. Since there are only finitely many newforms satisfying these conditions, we may assume that there are infinitely many p and one newform f such that the characteristic polynomials of $\rho_{E,p}$ and of $\rho_f$ at all Frobenius elements are congruent modulo primes dividing p in $K_f$. It follows that f has coefficients in $\mathbb{Z}$ and hence defines an elliptic curve $E_f$ (a quotient of $J_0(N_E)$). But then the effective version of Faltings' theorem yields that E is isogenous to $E_f$ and hence modular.
11.9.3 Fermat's Last Theorem

If $A^p + B^p = C^p$ with $ABC \ne 0$ and $p \ge 5$ (after normalizing: A, B, C pairwise coprime, $A \equiv -1 \bmod 4$, $2 \mid B$), define the Frey curve

$E : Y^2 = X(X - A^p)(X + B^p).$

Its discriminant is $16(ABC)^{2p}$, so E is semi-stable and $\min(0, v_\ell(j_E))$ is divisible by p for every odd prime $\ell$; moreover $\rho_{E,p}$ is irreducible by Mazur's results. Hence $\rho_{E,p}$ is modular of weight 2 and level 2 (Theorem 21 together with Example 6). But since $S_2(2) = 0$ ($X_0(2)$ has genus 0), such a representation does not exist.
11.10 Congruences

Part of Theorem 21 is that the Serre conductor, and hence the level of the modular representation attached to the p-torsion of an abelian variety, can be much smaller than the conductor of the $\ell$-adic representation. This means that different eigenforms are congruent modulo certain primes. Hence the corresponding non-isogenous factors of $J_1(N)$ have finite subgroup schemes which are Galois-isomorphic.
11.10.1 The Height Conjecture for Elliptic Curves

Take E over $\mathbb{Q}$ and

$\varphi : X_0(N_E) \to E$

a minimal parametrization. Let $\omega_E$ be the Néron differential of E and define $\omega_E^* := \varphi^*(\omega_E)$. Then the Faltings height of E is

$h(E) = -\frac12 \log\left(\frac{1}{2\pi} \int_{E(\mathbb{C})} |\omega_E \wedge \bar\omega_E|\right)$

and so

$h(E) = -\frac12 \log\left(\frac{1}{2\pi \deg\varphi} \int_{X_0(N_E)} |\omega_E^* \wedge \bar\omega_E^*|\right) = -\frac12 \log\left(\frac{c^2}{2\pi \deg\varphi} \int_{U_{N_E}} |f_E(z)|^2\, dx\, dy\right)$

where $\deg\varphi$ is the degree of $\varphi$, $c \in \mathbb{Z}$ is the Manin constant (conjecturally $c = 1$), $z = x + iy$, and $U_{N_E}$ is a fundamental domain of $\mathcal H^*$ modulo $\Gamma_0(N_E)$.

Theorem 23 (F.-Mai-Murty) The height conjecture over $\mathbb{Q}$ ($h(E) = O(\log N_E)$) is true iff $\log\deg\varphi = O(\log N_E)$ (the "degree conjecture").
Interpretation of $\deg\varphi$: $E^* := \varphi^*(E)$ is an elliptic subvariety of $J_0(N_E)$ which occurs with multiplicity 1. Let B be the kernel of $\varphi_*$, the complement of $E^*$ in $J_0(N_E)$. Then $E^* \cap B$ is a finite group scheme $\mathcal K$. We can assume that E has no rational cyclic isogeny (Mazur), and so $\mathcal K = E^*[n]$ for some n. It follows that the degree of $\varphi$ is equal to n. Hence the height conjecture is true iff for all elliptic curves E

$\log|E^* \cap B| = O(\log N_E).$

By using the elliptic curves

$E_{A,B} : Y^2 = X(X - A)(X - B)$

one shows

Theorem 24 (F.-Mai-Murty) The ABC conjecture over $\mathbb{Q}$ is equivalent to the degree conjecture.