Galois Theory: the Key to Numbers and Cyphers

Gerhard Frey
Institute for Experimental Mathematics, University of Duisburg-Essen

Summer School Conference "Coding, Cryptography and Number Theory", August 13-15, Göttingen


1 Two Independent Problems?

THEME 1


1.1 Fermat’s Claim

FERMAT and his INSPIRATION


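Cubum autem in duos cubos, aut quadrato-quadratum in duos quadrato-quadratos, et generaliter nullam in infinitum ultra quadratum potestatem in duos ejusdem nominis fas est dividere: cujus rei demonstrationem mirabilem sane detexi. Hanc marginis exiguitas non caperet.

(In English: It is impossible to divide a cube into two cubes, or a fourth power into two fourth powers, or in general any power beyond the square into two powers of the same name; I have discovered a truly marvellous proof of this. The narrowness of the margin would not contain it.)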


In modern language:

Claim 1 Let $X, Y, Z$ be integers, $p$ a prime number $> 2$. If

$$X^p + Y^p = Z^p$$

then $X \cdot Y \cdot Z = 0$.


This is, as you all know, a THEOREM proved by Andrew Wiles in collaboration with Richard Taylor in 1994.
If you explain it to your neighbor it can happen that he asks:

Okay - so what... ?


THEME 2

1.2 Data Security


Situation: A wants to send a message $m$ to B. She uses a noisy and public channel. (All channels are noisy and public.)
So we want to make the transaction

$$(A, m, B) \mapsto (B, m, A)$$

secure. This has (at least) 3 aspects:

• Reliability (engineers)

• Correctness (coding theory, engineers and mathematicians)

• Authenticity, privateness (cryptography, mathematicians, computer scientists, engineers)

Solutions have to be simple, efficient and cheap!


1.3 The Common Roof

There was a basic decision about sixty years ago:
Messages are stored and transmitted as numbers.

This makes it possible to apply

Arithmetic

to data security. We shall concentrate on the third aspect, which uses

ENCRYPTION

provided by cryptography.


2 Arithmetical Domains

2.1 Hierarchy of fields

Diophantine problems ask for properties of solutions of (systems of) polynomial equations in certain "number" domains $R$.
We list some of the interesting domains.

2.1.1 Finite Fields

As usual we denote by $\mathbb{F}_q$ the field with $q = p^d$ elements.
A typical diophantine problem: Let $f(X)$ be a polynomial without multiple roots. For how many $x \in \mathbb{F}_q$ is $f(x)$ a square?
In principle, this can be answered by trying all elements in $\mathbb{F}_q$. But for large $q$ this naive approach is too time consuming. Can we do better?
The answer is: yes - as we shall see later.


2.1.2 Local Fields

A local field $K_v$ is a field with a (rank-1) valuation $v$ that is locally compact and complete with respect to the topology induced by $v$.

The archimedean case: If $v$ is archimedean the field $K_v$ is isomorphic to $\mathbb{R}$ (real case) or $\mathbb{C}$ (complex case).
$v$ is given by an absolute value $|.|_v$. Define

$$w_v := -\varepsilon_v \cdot \log(|.|_v)$$

with $\varepsilon_v = 1$ in the real case and $\varepsilon_v = 2$ in the complex case.
Methods to solve diophantine problems come from (differential) topology, real and complex analytic function theory and can use powerful approximation algorithms.
Interesting questions concern the size of solutions, compactness, connected components, ...


The non-archimedean case: $K_v$ is either a $p$-adic field, i.e. a finite algebraic extension of $\mathbb{Q}_p$, or a power series field over a finite field $\mathbb{F}_v$.
The valuation ring $O_v$ is a regular local ring with maximal ideal $\mathfrak{m}_v$.
The residue field of $v$ is $\mathbb{F}_v := O_v/\mathfrak{m}_v$.
The reduction $\rho_v$ is the quotient map from $O_v$ to $\mathbb{F}_v$.
A lifting of $\bar{x} \in \mathbb{F}_v$ is an element $x \in O_v$ (sometimes with side conditions) such that $\rho_v(x) = \bar{x}$.
Solutions of polynomial equations over $O_v$ are related to solutions of the reduced system via reduction maps and lifting algorithms like Hensel's lemma and Newton iteration.
Over $K_v$ (or better: the completion of its algebraic closure) there is the powerful tool of rigid analysis to treat diophantine problems.
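The reduction-and-lifting step named above (Hensel's lemma via Newton iteration), as an added example that is not part of the original slides: a simple root of $f$ modulo $p$ is lifted to the unique root modulo $p^k$ above it, for the case $K_v = \mathbb{Q}_p$. The function names and the sample polynomials are assumptions chosen for illustration.

```python
"""Hensel lifting by Newton iteration over Z_p (added illustration)."""


def poly_eval(coeffs, x, mod):
    """Evaluate sum(coeffs[i] * x**i) modulo mod with the Horner scheme."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def poly_deriv(coeffs):
    """Coefficients of the formal derivative f'."""
    return [i * c for i, c in enumerate(coeffs)][1:]


def roots_mod_p(coeffs, p):
    """Solutions of the reduced equation over F_p, by exhaustive search."""
    return [x for x in range(p) if poly_eval(coeffs, x, p) == 0]


def hensel_lift(coeffs, root, p, k):
    """Lift a root of f mod p to the unique root mod p**k reducing to it.

    The side condition is f'(root) != 0 mod p (a simple root); without it
    a lift may not exist, so a ValueError is raised.
    """
    deriv = poly_deriv(coeffs)
    if poly_eval(coeffs, root, p) != 0:
        raise ValueError("not a root of the reduced equation")
    if poly_eval(deriv, root, p) == 0:
        raise ValueError("multiple root mod p: Hensel's lemma does not apply")
    x, precision = root % p, 1
    while precision < k:
        precision = min(2 * precision, k)  # each Newton step doubles the precision
        mod = p ** precision
        fx = poly_eval(coeffs, x, mod)
        inv = pow(poly_eval(deriv, x, mod), -1, mod)  # f'(x) is a unit mod p
        x = (x - fx * inv) % mod
    return x


if __name__ == "__main__":
    f = [-2, 0, 1]  # constructed sample: f(X) = X^2 - 2 over Z_7
    for r in roots_mod_p(f, 7):
        print(r, "->", hensel_lift(f, r, 7, 4), "mod 7^4")
    try:
        hensel_lift([-7, 0, 1], 0, 7, 2)  # X^2 - 7: double root 0 mod 7
    except ValueError as exc:
        print("X^2 - 7:", exc)
```

The second sample shows the side condition at work: $X^2 - 7$ has the root 0 modulo 7 but no root modulo 49.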


2.1.3 Global Fields

A global field $K$ is either a number field or a function field of one variable over a finite field $\mathbb{F}_0$. A place $v$ of $K$ is an equivalence class of valuations of $K$.

Definition 1

1. • $\Sigma_K^f$ is the set of non-archimedean places of $K$.

• A prime divisor $\mathfrak{p}$ is an element of $\Sigma_K^f$.

• Its corresponding valuation ring is denoted by $O_{\mathfrak{p}}$, its maximal ideal by $\mathfrak{m}_{\mathfrak{p}}$ and its residue field by $\mathbb{F}_{\mathfrak{p}}$.

• The degree of $\mathfrak{p}$ is $\log(|\mathbb{F}_{\mathfrak{p}}|)$ if $K$ is a number field, and $[\mathbb{F}_{\mathfrak{p}} : \mathbb{F}_0]$ if $K$ is a function field.

• The completion of $K$ with respect to $\mathfrak{p}$ is denoted by $K_{\mathfrak{p}}$. It is a local field.

• $v_{\mathfrak{p}}$ is the valuation in $\mathfrak{p}$ with value group $\mathbb{Z}$ and $w_{\mathfrak{p}} := \deg(\mathfrak{p}) \cdot v_{\mathfrak{p}}$.

2. • By $S_\infty$ we denote the set of archimedean places of $K$.

• An element $v \in S_\infty$ corresponds to an embedding of $K$ into $\mathbb{R}$ (real place) or into $\mathbb{C}$ (complex case).

• We denote by $|.|_v$ the induced absolute value and define

$$w_v := -\varepsilon_v \log |.|_v.$$

3. $\Sigma_K := \Sigma_K^f \cup S_\infty$ is the set of places of $K$.

Sum Formula: For $x \in K^*$ we have

$$\sum_{v \in \Sigma_K} w_v(x) = 0.$$


2.2 Divisors

Let K be a global field.

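Definition 2

1. The divisor group $D_K$ is the free abelian group generated by $\Sigma_K^f$.

2. For $D = \prod_{\mathfrak{p} \in \Sigma_K^f} \mathfrak{p}^{z_{\mathfrak{p}}}$ define

$$\deg(D) := \sum_{\mathfrak{p} \in \Sigma_K^f} z_{\mathfrak{p}} \cdot \deg \mathfrak{p}$$

and

$$\mathrm{rad}(D) = \prod_{z_{\mathfrak{p}} \neq 0} \mathfrak{p}.$$

3. For $x \in K^*$ define

• $(x_0) = \prod_{\mathfrak{p} \in \Sigma_K^f;\ v_{\mathfrak{p}}(x) > 0} \mathfrak{p}^{v_{\mathfrak{p}}(x)}$,

• $(x_\infty) = \prod_{\mathfrak{p} \in \Sigma_K^f;\ v_{\mathfrak{p}}(x) < 0} \mathfrak{p}^{-v_{\mathfrak{p}}(x)}$,

• $(x) = (x_0) - (x_\infty)$ is the principal divisor of $x$.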


2.3 Local-Global Sequences

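Let $K$ be a global field.
The localization map is

$$K \xrightarrow{\;\prod \iota_v\;} \prod_{v \in \Sigma_K} K_v.$$

Obviously this localization can be restricted to subrings of $K$.
Example: Let $S \neq \emptyset$ be a set of places of $K$ containing the archimedean ones. Let $O_S$ be the ring of $S$-integers in $K$.
Then we have the sequence

$$O_S \xrightarrow{\;\prod' \iota_{\mathfrak{p}}\;} \prod_{\mathfrak{p} \in \Sigma_K \setminus S} O_{\mathfrak{p}} \xrightarrow{\;\prod' \rho_{\mathfrak{p}}\;} \prod_{\mathfrak{p} \in \Sigma_K \setminus S} \mathbb{F}_{\mathfrak{p}}.$$

Here $\prod'$ stands for the product over all places not contained in $S$.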


2.4 Height

We are interested in $K$-rational points in projective spaces satisfying certain equations. It is important to have a measure for their size: the height.
For $x = (x_0, \dots, x_n) \in \mathbb{P}^n(K)$ define

$$h(x) := \sum_{v \in \Sigma_K} \max_{i=0,\dots,n}\{-w_v(x_i)\}.$$

Because of the sum formula this is well-defined.

Definition 3 The height of $x \in K^*$ is

$$h(x) := h((1, x)) = \sum_{v \in \Sigma_K;\ w_v(x) < 0} -w_v(x) = \sum_{v \in \Sigma_K;\ w_v(x) > 0} w_v(x).$$


Example 1

• For $K = \mathbb{Q}$ and $y = r/s$, $r, s \in \mathbb{Z} \setminus \{0\}$ we get

$$h(y) = \log(\max(|r|, |s|)).$$

• For a function field $F$ and a non-constant $y \in K$ we get

$$h(y) = [K : \mathbb{F}_0(y)].$$

Remark 1 It is easily seen that the height is effective, i.e. for given $B \in \mathbb{R}$ there are only finitely many $x \in K$ with $h(x) \le B$.
So a strategy to determine points on curves is to exclude points with large height and then to determine (by search, refinement of the discussion, ...) all points of small height.


THEME I

FLT is obviously a diophantine problem over $\mathbb{Z}$ or better, because of the homogeneity, in $\mathbb{P}^2(\mathbb{Q})$.

Generalizations

1. Replace $\mathbb{Q}$ by a number field $K$ or a function field of one variable over a finite field $\mathbb{F}_q$ and ask for $K$-solutions of

$$C_p : X^p + Y^p = Z^p.$$

2. Choose $(a, b, c) \in K^*$ and ask for $K$-rational points on

$$C_{p,a,b,c} : aX^p + bY^p = cZ^p$$

in $\mathbb{P}^2(K)$.

A first answer: Since the genus of $C_{p,a,b,c}$ is larger than 1 it follows from Faltings' Theorem that the set of solutions is finite.


But how to determine the exact number?
In general, this is one of the big unsolved problems.
Hence the following "Refinement" is highly interesting:
Instead of looking at the set of $K$-rational points of $C_{p,a,b,c}(K)$ for one $p$ look at

$$L_{a,b,c}(K) := \{(x, y, z) \in \mathbb{P}^2(K) \text{ such that there is one } p \text{ with } (x, y, z) \in C_{p,a,b,c}(K)\}.$$

Conjecture 1 $L_{a,b,c}(K)$ is a finite set.

This conjecture is known only for special triples $(a, b, c)$ for $K = \mathbb{Q}$ or very few small extension fields.
We shall say more about it soon.
And we shall see that it is true for fields $K$ that are function fields.


2.4.1 Affine Conjectures

Till now we were looking for solutions of homogeneous polynomials, and hence one can ask for solutions in $K$ or in subrings, e.g. in integers or more generally orders, as long as one can "clear" denominators.
By dehomogenisation we come to an affine diophantine problem, and then it is a big difference whether we look for solutions in integers (classical diophantine problems) or in $K$.
The Theorem of Siegel-Mahler says that an affine curve of genus $\ge 1$ (so elliptic curves are included) has only finitely many points with integral coordinates, and it is even allowed to have a fixed finite set of primes dividing the denominator of the coordinates of the solutions. This result is much older than Faltings' theorem and easier to prove.


Look at FLT.
The affine problem over $\mathbb{Z}$ is:
For odd primes $p$ the only solutions of

$$x^p - y^p = 1$$

in $\mathbb{Z}^2$ are $(1, 0)$ and $(0, -1)$.
This is easily verified.
But a generalization leads to a much deeper problem and its solution is a highlight of Number Theory of our age.
It deals again with "families" of curves.

Theorem 1 (Preda Mihailescu (2002))
Let $x, y \in \mathbb{Z} \setminus \{0\}$, $m, n \in \mathbb{N} \setminus \{1\}$ with

$$x^n - y^m = 1.$$

Then $n = 2$, $m = 3$, $|x| = 3$ and $y = 2$.

This theorem was known as E. Catalan's Conjecture (1842).


2.4.2 Hasse Principle

Obviously a polynomial has a solution over $K$ only if it has one over $\prod_{v \in \Sigma_K} K_v$.
So testing the diophantine problem over all completions is a first step (that is usually fairly easy because of results like Hensel's lemma and Newton iteration algorithms and so the integral version of the localization map reduces nearly everything to finite fields).
But what can we say in the much more interesting converse direction?
A Hasse-Principle of a diophantine problem $B$ is the following statement:
$B$ has a solution over $K$ iff it has a solution in $\prod_{v \in \Sigma_K} K_v$.
The famous result of Hasse-Minkowski is that the Hasse principle is true for quadratic forms.
Unfortunately it is, in general, not true for more complicated polynomial systems, for instance for curves of positive genus or for systems of quadratic forms.
Hence we need more vigorous "localization maps" and global ties.


3 The ABC-Conjecture

Most of the problems above are statements about (families of) ternary polynomials:
For $a, b, c \in K^*$ and $(n_1, n_2, n_3) \in \mathbb{N}^3$ with $n_i$ large enough determine all solutions of

$$aX^{n_1} + bY^{n_2} = cZ^{n_3}$$

in $K$ respectively in orders of $K$.
With exponents growing one can hope that these solutions are very rare.
The common feature of the solutions is that sums of "powerful" numbers have to be again powerful, and this contradicts the

ABC-Conjecture


We state the conjecture in the most general form (as done in JA 1987 in Ulm).

Definition 4 Let $\Pi$ be the prime field of $K$.
$x \in K$ is admissible if $K/\Pi(x)$ is finite separable.

Conjecture 2 Let $K$ be a field with divisor theory, e.g. a global field.
There are real constants $d(K)$, $c(K, d)$ such that for all admissible $x \in K \setminus \{0, 1\}$ we have

$$h(x) \le c(K, d) + d(K) \deg(\mathrm{rad}((x(x-1)))).$$

A refinement of this conjecture is the prediction of the values of the constants.
In the function field case we shall see that we can take $d(K) = 1$ and that $c(K, d)$ is linear in the genus of $K$.
For $K = \mathbb{Q}$ the constant $d(\mathbb{Q})$ has to be larger than 1, and an optimistic guess would be that $d(\mathbb{Q}) = 1 + \varepsilon$ is allowed for all $\varepsilon > 0$.


The formulation of Conjecture 2 does not motivate its name.
Here is a variant in the number field case:
Take $A \neq B \in O_K \setminus \{0\}$ and $C = A - B$.
Assume in addition that $A$ and $B$ have no common prime divisor. Take $x = A/C$. Then $x - 1 = B/C$.
Then $h(x) = h(A/B)$ and $\mathrm{rad}((x(x-1))) = \mathrm{rad}((ABC^{-2}))$.
Look at the special case that $|A|_v > |B|_v$ for all $v \in S_\infty$.
Then Conjecture 2 implies

$$|N_{K/\mathbb{Q}}(A)| \le c(d, K) + d(K) \deg(\mathrm{rad}((ABC))).$$


Take K = Q.

Conjecture 3 (Masser-Oesterlé)

1. There exist constants $c, d$ such that for all $A \in \mathbb{N}$ one has for all numbers $B$ that are relatively prime to $A$:

$$A \le c \Big(\prod_{p \mid AB(A-B)} p\Big)^d$$

2. Strong version: For all $\varepsilon > 0$ one can take $d = 1 + \varepsilon$ and $c = c(\varepsilon)$.

Remark 2 N. Elkies made the remarkable observation that the strong version of Conjecture 3 implies an effective version of Faltings' theorem.
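To make Conjecture 3 concrete, the following added example (not from the original slides) computes the product of the primes dividing $AB(A-B)$ and the exponent $\log A / \log \prod p$ that $d$ has to dominate when $c = 1$, then searches small coprime pairs for the largest exponents. Function names and the search bound are assumptions for illustration; factoring is plain trial division, so it only suits small inputs.

```python
"""Exponents log A / log rad(AB(A-B)) for coprime pairs (added illustration)."""
from math import gcd, log


def radical(n):
    """Product of the distinct primes dividing n (trial division)."""
    n, rad, p = abs(n), 1, 2
    while p * p <= n:
        if n % p == 0:
            rad *= p
            while n % p == 0:
                n //= p
        p += 1 if p == 2 else 2
    return rad * n if n > 1 else rad


def exponent(a, b):
    """Smallest d with A <= rad(AB(A-B))**d, for coprime A > B >= 1."""
    if not (a > b >= 1) or gcd(a, b) != 1:
        raise ValueError("need coprime A > B >= 1")
    # A, B and A-B are pairwise coprime, so the radical is multiplicative here.
    r = radical(a) * radical(b) * radical(a - b)
    return log(a) / log(r)


def top_exponents(bound, count=5):
    """The `count` largest exponents among coprime pairs with B < A <= bound."""
    rads = [0] + [radical(n) for n in range(1, bound + 1)]  # cache rad(n)
    hits = []
    for a in range(2, bound + 1):
        for b in range(1, a):
            if gcd(a, b) == 1:
                r = rads[a] * rads[b] * rads[a - b]
                hits.append((log(a) / log(r), a, b))
    return sorted(hits, reverse=True)[:count]


if __name__ == "__main__":
    for q, a, b in top_exponents(200):
        print(f"A={a:4d} B={b:4d} A-B={a - b:4d} exponent={q:.4f}")
    # Well-known triple 2 + 3^10 * 109 = 23^5: exponent about 1.63.
    print("A=23^5, B=2:", round(exponent(23 ** 5, 2), 4))
```

Exponents above 1 do occur, which is why the strong version asks for $d = 1 + \varepsilon$ with a constant $c(\varepsilon)$ rather than $d = 1$.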


3.1 Applications

Obviously the ABC-Conjecture is tailored to deal with diophantine problems like solutions of families of equations of type

$$aX^{n_1} + bY^{n_2} = cZ^{n_3}.$$

Look at Catalan's equation and take a solution of $x^n - y^m = 1$ with integers $(x, y)$.
Using the strong form of Conjecture 3 we get that

$$x^n \cdot y^m \le c(\varepsilon)^2 (xy)^{2+2\varepsilon}$$

and so

$$1 \le c(\varepsilon)^2 x^{-n+2\varepsilon} y^{-m+2\varepsilon}$$

and we get for all $n > 2$, $m > 2$ uniform bounds for the size of $x, y$.
We remark that this is much weaker than Mihailescu's theorem.
A similar procedure yields immediately a "good part" (but not all) of FLT but it yields the asymptotic Fermat Conjecture.


3.2 The Conjecture behind: The Height Conjecture for Elliptic Curves

It may be astonishing that the ABC-conjecture did not arise from equations of Fermat type but from the arithmetical theory of elliptic curves.

3.2.1 Notation for Elliptic Curves

Recall:
An elliptic curve $E$ over a field $K$ is a regular plane projective cubic with at least one rational point.
For simplicity we shall assume that $\mathrm{char}(K)$ is prime to 6. Then we find a short Weierstraß equation

$$E : Y^2 Z = X^3 + AXZ^2 + BZ^3$$

with $A, B \in K$ and discriminant

$$\Delta_E := -16(4A^3 + 27B^2) \neq 0.$$

The absolute invariant $j_E$ is defined as

$$j_E := -12^3 \frac{4A^3}{\Delta_E}.$$


Definition 5 The elliptic curve $E$ is admissible iff its absolute invariant $j_E$ is admissible.

Convention: In the following it is always assumed that $E$ is admissible.


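Take a prime divisor $\mathfrak{p}$ of $K$ with normed valuation $v_{\mathfrak{p}} =: v$. For simplicity we shall assume that $6 \notin \mathfrak{p}$.
Choose a Weierstraß equation $E_{\mathfrak{p}}$ with coefficients $A_{\mathfrak{p}}, B_{\mathfrak{p}}$ for $E$ such that

$$v(A_{\mathfrak{p}}) \ge 0 \le v(B_{\mathfrak{p}})$$

minimal with this property.
Then $v(\Delta_{E_{\mathfrak{p}}})$ is the minimal non-negative value of discriminants of curves isomorphic to $E$.
Define the discriminant divisor of $E$ by

$$\Delta_E := \prod \mathfrak{p}^{v(\Delta_{E_{\mathfrak{p}}})}.$$

Define by $E_{\mathfrak{p}}$ the curve over $\mathbb{F}_{\mathfrak{p}}$ defined by reduction of $A_{\mathfrak{p}}, B_{\mathfrak{p}}$ modulo $\mathfrak{p}$.
$E_{\mathfrak{p}}$ is an elliptic curve iff $\mathfrak{p}$ does not divide $\Delta_E$.
In this case $E$ has good reduction at $\mathfrak{p}$.
If $v(j_E) < 0$ then $v(\Delta_E) = -v(j_E)$ and $E$ has bad reduction. After possibly a quadratic extension of $K$ the curve $E$ is isomorphic to a Tate curve.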


$E$ is semi-stable at $\mathfrak{p}$ if it has either good reduction or it is isomorphic to a Tate curve after an unramified extension.
The conductor of $E$ is a divisor

$$N_E = \prod \mathfrak{p}^{n_{\mathfrak{p}}}$$

with $n_{\mathfrak{p}}$ a non-negative integer, $n_{\mathfrak{p}} > 0$ iff $\mathfrak{p}$ divides $\Delta_E$ and $n_{\mathfrak{p}} = 1$ iff $E$ is semi-stable with bad reduction.
Otherwise $n_{\mathfrak{p}} = 2$ if $2 \notin \mathfrak{p}$.
If $2 \in \mathfrak{p}$ then $n_{\mathfrak{p}}$ is bounded by properties of $K$ and is computed by the so-called Tate algorithm.
It is well known that there is a finite extension $K_1$ of $K$ such that $E \times K_1$ is semi-stable at all non-archimedean places of $K_1$.
This motivates the definition: The geometric conductor of $E$ is

$$N_{E,\mathrm{geom}} := \prod_{w_{\mathfrak{p}}(j_E) < 0} \mathfrak{p}.$$


3.2.2 The Height of Elliptic Curves

Observation (Parshin, Conjecture of Szpiro): In the function field case $\deg(\Delta_E)$ is bounded by a small multiple of $\deg(N_E)$.
We use (JA 1987) the Faltings' height $h(E)$ of elliptic curves.
First assume that $E$ is semi-stable. Then

$$h(E) = h_{\mathrm{geom}}(E) = h_\infty(E) + \tfrac{1}{12} h(j_E)$$

where $h_\infty(E)$ is the contribution of archimedean places (hence occurs only in the number field case). It is computed analytically with the help of the analytic periods. A useful observation is that for periods going to $i \cdot \infty$ the geometric height of $E$ converges to $\tfrac{1}{12} h(j_E)$.
In general we use the field extension $K_1$ over which $E$ is semi-stable, and compute the geometric height over this field.
By dividing through the degree $[K_1 : K]$ we get the geometric height of $E$ over $K$. For us it is enough to state

$$h(E) \le h_{\mathrm{geom}}(E) + \tfrac{1}{2} \deg(N_E \cdot N_{E,\mathrm{geom}}^{-1}).$$


3.2.3 The Height Conjecture

Conjecture 4

1. There is a number $d$ and for all finite sets $S \subset \Sigma_K$ there is a number $c(K, d, S)$ such that for all admissible elliptic curves $E$ defined over $K$ that are semi-stable at all places $v \notin S$ one has

$$h_{\mathrm{geom}}(E) \le c(K, d, S) + d \deg(N_{E,\mathrm{geom}})$$

or, equivalently

2.

$$h(j_E) \le c'(K, d, S, \varepsilon) + 6(d + \varepsilon)\Big(\sum_{w_{\mathfrak{p}}(j_E) < 0} N\mathfrak{p}\Big)$$

for all $\varepsilon > 0$. In the function field case $\varepsilon = 0$ is allowed.

3. There is a constant $d$ and a constant $c(K, d)$ such that for all elliptic curves $E$ defined over $K$ we get

$$h(E) \le c(K, d) + d \deg(N_E).$$

Remark 3

1. $d = 1/2$ is allowed if $K$ is a function field, $d = 1/2 + \varepsilon$ should be possible for $K = \mathbb{Q}$.

2. The height conjecture can be generalized to abelian varieties.


3.3 Conjecture 4 implies Conjecture 2

Astonishing Fact:
The mighty ABC-conjecture follows from a diophantine property of elliptic curves.
In other words: Ternary diophantine problems of Fermat type are, asymptotically, governed by curves of genus 1!
The reason is the "easy" observation that solutions of

$$A - B = C$$

can be interpreted as relations between points of order 2 of elliptic curves.

Theorem 2 The height conjecture for admissible elliptic curves (with explicit constants) implies the ABC-conjecture (with easily derived explicit constants).


We sketch the proof in the special case that $K = \mathbb{Q}$.
For $A, B \in \mathbb{Z}$ relatively prime define

$$E_{A,B} : Y^2 = X(X - A)(X + B).$$

$E$ is semi-stable outside of 2, has discriminant $\Delta_{A,B} = (AB(A-B))^2$ and conductor $2^\delta\,\mathrm{rad}((AB(A-B)))$ with $\delta \le 3$.
Its $j$-invariant is

$$j_{A,B} = 2^8 \frac{(A^2 + B^2 - AB)^3}{A^2 B^2 (A-B)^2}.$$

We can assume that $A \in \mathbb{N}$ and $A > B$. Then

$$h(j_{A,B}) = c' + 6 \log(A).$$

The height conjecture with constants $c, d$ yields

h(jEA,B) ≤ log(| (123(≤ 12(c+d log(rad((AB(A−B)).

Hence

$$\log(|A|) \le c'' + 2d \log(\mathrm{rad}((AB(A-B)))).$$


3.4 Why The Height Conjecture and so the ABC-conjecture Could be True

Zero: The consequences are so nice!

First, there are very large tables that seem to confirm the conjecture (means nothing!)

Secondly, the height conjecture for elliptic curves is true over function fields!
I gave a short and elementary proof using only Riemann-Hurwitz genus formula.


Thirdly, there is a structural reason both in the function field case and in the number field case behind:
Looking at elliptic curves over orders in global fields leads to

arithmetical surfaces,

and the very nice original proof by Szpiro of the height conjecture in the function field case uses this structure, in particular the Bogomolov-Miyaoka-Yau inequality between Chern classes.
It makes sense to formulate such an inequality for arithmetical surfaces over integers, and its truth would yield ABC.


THEME 2

4 Public Key Cryptography

4.1 New Direction

Just in time, at the beginning of communication via electronic networks, came the groundbreaking article of W. Diffie and M. E. Hellman, published in 1976, introducing the concept of public key cryptography.
Its security depends on the hardness (complexity) of mathematical problems that are the background of the crypto primitives.
In these lectures we shall concentrate on systems based on discrete logarithms.


4.2 DL-Systems

We take a (big) prime number $\ell$ and a group $(G, \circ)$ of order $\ell$ with generator $g_0$.
DHCP: For secretly and randomly chosen $a, b \in \{1, \dots, \ell\}$, and published $g_1 = g_0^a$, $g_2 = g_0^b$ the challenge is: compute

$$g_0^{a \cdot b}.$$

DHCP is called the Diffie-Hellman computational problem.
It is obvious that we can solve DHCP if we can solve the following task:
For randomly chosen $g_1, g_2 \in G$ compute $k \in \mathbb{N}$ with

$$g_2 = g_1^k.$$

$k \bmod n$ is the Discrete Logarithm (DL) $\log_{g_1}(g_2)$.
Fact: The crypto primitive determining security of the Diffie-Hellman key exchange in generic groups is (up to algorithms of subexponential complexity) the DL.
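The statement that DHCP falls to anyone who can compute discrete logarithms, as an added example that is not part of the original slides: a toy DL-system in the subgroup of prime order $\ell$ of $\mathbb{F}_p^*$, with a generic baby-step giant-step solver whose cost of roughly $\sqrt{\ell}$ group operations shows why $\ell$ has to be big. The parameters $p = 2039$, $\ell = 1019$, $g_0 = 4$ and all function names are constructed for illustration and are far too small for real use.

```python
"""Toy DL-system: Diffie-Hellman and the reduction DHCP -> DL (added illustration)."""
import secrets
from math import isqrt

# Constructed toy parameters: P = 2*ELL + 1 with P, ELL prime; G0 = 2^2 has order ELL.
P, ELL, G0 = 2039, 1019, 4


def keypair():
    """Secret exponent a in {1, ..., ELL} and the published element g0^a."""
    a = secrets.randbelow(ELL) + 1
    return a, pow(G0, a, P)


def shared_key(secret, other_public):
    """What each party computes: (g0^b)^a = g0^(a*b)."""
    return pow(other_public, secret, P)


def discrete_log(base, target, order=ELL, p=P):
    """Baby-step giant-step: k in [0, order) with base^k = target, else None.

    Needs about 2*sqrt(order) multiplications and sqrt(order) stored elements;
    this is the generic cost in any group of that order.
    """
    m = isqrt(order - 1) + 1           # m*m >= order
    baby = {}
    e = 1
    for j in range(m):                 # baby steps: base^j for j < m
        baby.setdefault(e, j)
        e = e * base % p
    giant = pow(base, -m, p)           # base^(-m)
    gamma = target % p
    for i in range(m):                 # giant steps: target * base^(-i*m)
        if gamma in baby:
            return (i * m + baby[gamma]) % order
        gamma = gamma * giant % p
    return None                        # target is not in the subgroup


def solve_dhcp_via_dl(g1, g2):
    """Compute g0^(a*b) from the published g1, g2 only, via a = log_g0(g1)."""
    a = discrete_log(G0, g1)
    return None if a is None else pow(g2, a, P)


if __name__ == "__main__":
    a, g1 = keypair()
    b, g2 = keypair()
    print("shared key    :", shared_key(a, g2), shared_key(b, g1))
    print("from g1, g2   :", solve_dhcp_via_dl(g1, g2))
```

With $\ell$ of about 256 bits the same generic method would need on the order of $2^{128}$ steps, which is the security level a generic group can offer.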


4.2.1 Mathematical Tasks

To use (families of) groups $G$ for DL-systems we have to solve three crucial tasks:

1. Present $G$ in a compact way (ideally $O(\log(|G|))$).

2. Group composition and inversion is easy and fast.

3. The DL in $G$ is (to the best of our knowledge) very hard and so unfeasible in practice (ideally exponential in $|G|$).

It is surprisingly difficult to achieve these tasks, and the only known way to find good candidates for DL-systems is to use deep results from Arithmetic Geometry.


4.3 Bilinear Structures and Applications

Let $(G, \circ)$ be a DL-system. In particular, $G$ is a cyclic group of order $\ell$ and so a $\mathbb{Z}$-module.

Definition 6 Assume that there are $\mathbb{Z}$-modules $B$ and $C$ and a bilinear map $Q : G \times B \to C$ with

i) the group composition laws in $G$, $B$ and $C$ as well as the map $Q$ are fast (e.g. polynomial time).

ii) For random $b \in B$ we have $Q(g_1, b) = Q(g_2, b)$ iff $g_1 = g_2$.

We call $(G, Q)$ a DL-system with bilinear structure.

There are destructive aspects of bilinear structures (transfer of DL, decision problem is easy) but also constructive aspects:
Tripartite Key Exchange, Identity Based Protocols, and Short Signatures.


5 Arithmetic Geometry Enters

The main source for groups that are candidates for DL-systems are divisor class groups of function fields $K$ of genus $g > 0$ over finite fields $\mathbb{F}_q$.
We already have defined the divisor group $D_K$ of $K$.

Definition 7

$$D_K^0 := \{D \in D_K;\ \deg(D) = 0\}$$

is the divisor group of $K$ of degree 0.

$$\mathrm{Princ}_K = \{(x);\ x \in K^*\}$$

is its subgroup consisting of principal divisors.

$$C_K^0 := D_K^0 / \mathrm{Princ}_K$$

is the divisor class group of degree 0 of $K$.


For $d \in \mathbb{N}$ define $K_d := K \cdot \mathbb{F}_{q^d}$ and the functor

$$\mathrm{Pic}^0_C : \mathbb{F}_{q^d} \mapsto C^0_{K_d}.$$

The important fact is that $\mathrm{Pic}^0_C$ is representable by an explicitly given abelian variety:
Let $C$ be the unique projective irreducible regular curve with function field $K$, and let $J_C$ be the Jacobian variety of $C$. Then we get in a canonical way

$$C^0_{K_d} = J_C(\mathbb{F}_{q^d}).$$

It is clear but worth mentioning that for elliptic curves ($g = 1$) we have an isomorphism between $E$ and $J_E$ and the set of rational points $E(K)$ is an abelian group with explicitly given polynomial addition formulas.

So we can use the whole machinery of abelian varieties to study divisor class groups of function fields. In particular, $C^0_K$ is a finite abelian group, and for all $n$

$$C^0_K[n] \subset (\mathbb{Z}/n)^{2g}.$$


There is one theorem that rules the arithmetic of function fields, the

Theorem of Riemann-Roch.

By using it one can

• find a plane equation (with singularities) for a curve $C'$ with function field $K$,

• represent divisor classes by positive divisors of degree $g$,

• hence represent elements in $J_C(\mathbb{F}_q)$ in a compact way,

• compose divisor classes.


A high point of algorithmic arithmetic geometry is

Theorem 3 (Heß, Diem)
Let $C$ be a curve of genus $g$ over $\mathbb{F}_q$.
The arithmetic in the degree 0 class group of $C$ can then be performed in an expected time which is polynomially bounded in $d$ and $\log(q)$ and hence one can perform the arithmetic in the degree 0 class group of $C$ in an expected number of field operations which is polynomially bounded in $g$ and $\log(q)$.

So tasks 1 and 2 listed above for DL-systems are satisfied for subgroups of prime order of divisor class groups.

Remark 4 For special curves like elliptic curves and hyperelliptic curves of low genus there are much more efficient composition formulas or algorithms than obtained by the general approach. This is crucial for applications (cf. lecture of R. Avanzi).


5.1 Bilinear Structures

Abelian varieties have (kind of analogy to abelian groups) natural dualities (keyword: Riemann form), and Jacobian varieties are self-dual.
Hence there is a natural bilinear form on $C^0_K[n]$, the Weil pairing (which is symplectic).
With a little bit more theory one finds the Tate-pairing. We shall come to a discussion, in particular concerning the complexity of the evaluation of these pairings, later on.


5.2 On the (In)-Security of Discrete Logarithms

There remain two things to do.
First, one has to find curves $C$ for which $|J_C(\mathbb{F}_q)|$ is (almost) a big prime number. This is an interesting diophantine problem.
But before investing a lot of work one has to think about the hardness of DL in divisor class groups.
Coming out of the structural richness of these groups one can apply index-calculus attacks.


The bleak result is

Theorem 4 (Diem, Gaudry, Thomé, Thériault)

• There exists a (probabilistic) algorithm which computes the DL in the divisor class group of curves of genus $g$ in expected time of $O(q^{(2-2/g)})$.
Hence these groups are weaker than generic groups for $g \ge 4$.

• (Diem): There exists a (probabilistic) algorithm which computes the DL in the divisor class group of plane curves of degree 4 in expected time of $O(q)$.
So non-hyperelliptic curves of genus 3 have divisor classes with weak discrete logarithms.


So we have the task to find elliptic and hyperelliptic curves of genus 2 over $\mathbb{F}_q$ with large divisor class groups whose order is almost a prime number.

Big Question: Has the ABC-Conjecture something in common with this task?


THEME Galois Theory

6

Let K be a field, Ks its separable closure.

Definition 8 $G_K := \mathrm{Aut}_K(K_s)$ is the (absolute) Galois group of $K$.

Example 2 $G_{\mathbb{F}_q} \cong \hat{\mathbb{Z}}$ is topologically generated by the Frobenius automorphism $\phi_q$ mapping elements of $\mathbb{F}_{q,s}$ to their $q$-th power.

$G_K$ is a compact pro-finite group. Without mentioning we shall assume that maps involving topological groups are continuous.


6.1 Local-Global Galois Theory

We have discussed a hierarchy of fields ranging from finite fields $\mathbb{F}_q$ over local fields $K_v$ to global fields $K$.
This is reflected by Galois groups.
The global Galois group $G_K$ is big and complicated. It is studied by restricting to decomposition groups $G_{\mathfrak{p}}$ whose structure is much simpler.

Definition 9 Let $v$ be a place of the global field $K$ and $\tilde{v}$ an extension to $K_s$ inducing the topology $t_{\tilde{v}}$.

$$G_{\tilde{v}} := \{\sigma \in G_K;\ \sigma \text{ is continuous with respect to } t_{\tilde{v}}\}$$

is the decomposition group of $\tilde{v}$.

$G_{\tilde{v}}$ depends on the choice of $\tilde{v}$ but different extensions of given $v$ lead to decomposition groups that are conjugate in $G_K$.
So objects that are invariant under conjugation (like characteristic polynomials) depend only on $v$.


$G_v$ has, as Galois group of a local field, a rather easy structure.
If $v$ is archimedean then $G_v = \{\mathrm{id}\}$ or $G_v = \{\mathrm{id}, \tau\}$ with $\tau$ a complex conjugation.

Assume that $v$ corresponds to a prime divisor $\mathfrak{p}$ containing $p$ and let $\tilde{\mathfrak{p}}$ be a prime ideal in the integral closure of $(O_{\mathfrak{p}} \cap K)$ in $K_s$.
Then $G_{\mathfrak{p}}$ has a subgroup canonically isomorphic to $I_{\mathfrak{p}} := G_{K^{nr}_{\mathfrak{p}}}$ where $K^{nr}_{\mathfrak{p}}$ is the maximal unramified extension of $K_{\mathfrak{p}}$ in $K_{\mathfrak{p},s}$.

Definition 10 $I_{\mathfrak{p}}$ is the inertia group of $\mathfrak{p}$ which is determined up to conjugation by $\mathfrak{p}$.

By Hilbert theory one sees that $I_{\mathfrak{p}}$ is a pro-solvable group, and that its pro-$p$-Sylow subgroup $I^w_{\mathfrak{p}}$ is normal. It is the wild ramification group.
The fixed field of $I^w_{\mathfrak{p}}$ is the maximal tamely ramified extension $K^t_{\mathfrak{p}}$ of $K_{\mathfrak{p}}$, the Galois group $G(K^t_{\mathfrak{p}}/K^{nr}_{\mathfrak{p}})$ is the tame ramification group.


The quotient $G_{\mathfrak{p}}/I_{\mathfrak{p}}$ is canonically isomorphic to $G_{\mathbb{F}_{\mathfrak{p}}}$ and hence is generated by a distinguished element $\phi_{\mathfrak{p}}$ where $\phi_{\mathfrak{p}}$ modulo $\mathfrak{p}$ is the Frobenius automorphism of $\mathbb{F}_{\mathfrak{p}}$.

Via these identifications one can define conjugacy classes of Frobenius elements $\sigma_{\mathfrak{p}} \in G_K$ attached to each $\mathfrak{p}$.
It is the interplay between the arithmetical properties of $K$ reflected by the set of places $\mathfrak{p}$ and the group theoretical properties of $G_K$ reflected by the set of subgroups $G_{\mathfrak{p}}$ which deeply relates Galois theory with arithmetic.


7 Galois Representations

Definition 11 Let $R$ be a topological ring.
A Galois representation of dimension $d$ is a continuous homomorphism

$$\rho : G_K \to \mathrm{Gl}_d(R).$$

Equivalently: There is a free topological $R$-module $V$ of rank $d$ with continuous $G_K$-action which makes $V$ into an $R[G_K]$-module.
Equivalent representations have isomorphic $R[G_K]$-modules as representation spaces.


It follows that $\mathrm{im}(\rho)$ is a compact topological group with profinite topology.
In particular, $\mathrm{im}(\rho)$ is finite if either the topology of $R$ is discrete or connected.

Let $K_\rho$ be the fixed field of $\ker(\rho)$.
Since $\ker(\rho)$ is closed we have that $K_\rho/K$ is Galois with $G(K_\rho/K) \cong \mathrm{im}(\rho)$.

Definition 12 The representation $\rho$ is semi-simple iff the representation space $V_\rho$ is a semi-simple $G_K$-module.
This is so iff the representation $\rho$ is determined (up to equivalence) by all the characteristic polynomials $\chi_{\rho(\sigma)}(T)$ of the images of elements in $G_K$.


7.1 Examples of Representations

We assume that natural numbers $n$ and prime numbers $\ell$ are prime to $\mathrm{char}(K)$.

7.1.1 The Cyclotomic Character

Denote by $\mu_n$ the group scheme of roots of unity of order dividing $n$. Let $\zeta_n$ be a generator of $\mu_n$.
For $\sigma \in G_K$ define $\chi_n(\sigma) := k$ with $k \in (\mathbb{Z}/n)^*$ and

$$\sigma(\zeta_n) = \zeta_n^k.$$

$\chi_n$ is the cyclotomic character.
Of course, it is semi-simple.


7.2 Representations Attached to Abelian Varieties

Let $A$ be an abelian variety of dimension $g$.
As examples we can take elliptic curves ($g = 1$) or Jacobian varieties of curves of genus $g$.
Denote by $A[n]$ the kernel of the multiplication by $n$.
A basic result about torsion points of abelian varieties yields that

$$A[n](K_s) \cong (\mathbb{Z}/n)^{2g}.$$

$G_K$ acts on $A[n](K_s)$ in a natural way, and this action induces a Galois representation denoted by

$$\rho_{A,n} : G_K \to \mathrm{Gl}_{2g}(\mathbb{Z}/n).$$


A generalization: take a prime $\ell$ and define the $\ell$-adic Tate module

$$T_\ell(A) := \varprojlim_k A[\ell^k]$$

on which $G_K$ acts continuously (w.r.t. the $\ell$-adic topology).
The corresponding Galois representation is denoted by

$$\rho_{A,\ell}.$$

It is a $2g$-dimensional $\mathbb{Z}_\ell$-adic Galois representation.
By tensoring with $\mathbb{Q}_\ell$ we get representations over fields.
By abuse of language we shall denote the resulting representation again by $\rho_{A,\ell}$.


7.3 Isogenies and Endomorphisms

Definition 13 Let $A, B$ be abelian varieties defined over $K$. A $K$-rational homomorphism

$$\eta : A \to B$$

is a morphism of $K$-schemes that is compatible with addition.
The kernel of $\eta$ is a group scheme $\ker(\eta)$.
If $\dim(A) = \dim(B)$ and if $\ker(\eta)$ is finite then $\eta$ is an isogeny. The order of $\ker(\eta)$ is the degree of $\eta$, and $\eta$ is separable if $\ker(\eta)$ is etale.
$\mathrm{End}_K(A)$ is the ring of endomorphisms of $A$.


Example 3

1. Let $\eta$ be an isogeny of $A$ of prime degree $\ell \ne \mathrm{char}(K)$. Then $\eta$ is separable and $\ker(\eta)(K_s)$ is a group of order $\ell$ with $G_K$-action. Hence $\rho_{A,\ell}$ is not irreducible.

2. Let $K$ be a finite field with $q$ elements. Define by $\phi_q$ the Frobenius automorphism of $K_s$ that maps elements $x \in K_s$ to $x^q$.
$\phi_q$ operates in a natural way on projective spaces and so on abelian varieties and induces a purely inseparable endomorphism of degree $q^{\dim(A)}$ called the Frobenius endomorphism. By abuse of language we denote this endomorphism again by $\phi_q$.


7.4 Isogenies of Elliptic Curves

7.4.1 Modular Curves

First we remark that, up to isomorphisms, isogenies of a given elliptic curve $E$ are in one-to-one correspondence with finite subgroup schemes of $E$.
Special case: let $n$ be a number prime to $\mathrm{char}(K)$.
A $K$-rational cyclic isogeny $\eta$ of degree $n$ has a kernel with $\ker(\eta)(K_s) \cong \mathbb{Z}/n$.
Hence such cyclic isogenies correspond to Galois representations $\rho_{E,n}$ whose image is contained in a Borel subgroup of $\mathrm{Gl}(2, \mathbb{Z}/n)$.
(Isomorphism classes of) elliptic curves with this additional structure are parameterized by a modular curve

$$X_0(n)$$

that is a (coarse) moduli scheme.
So, (up to twists) elliptic curves with cyclic isogeny of degree $n$ over $K$ correspond to $X_0(n)(K)$.
Hence Galois representations of type $\rho_{E,n}$ with image contained in a Borel subgroup lead to a diophantine problem.


We can go one step further and look at the case that $\ker(\eta)(K) \cong \mathbb{Z}/n$, hence we have a cyclic subgroup of order $n$ in $E(K)$.
Then $\rho_{E,n}$ has an eigenvalue 1 mod $n$.
Curves $E$ with specified $K$-rational point of order $n$ are parameterized by the modular curve

$$X_1(n).$$

For $n \ge 3$ this is a fine moduli space, and so pairs $(E, P)$ with $E$ an elliptic curve and $P$ a point of order $n$ correspond 1-1 to points on $X_1(n)(K)$.


7.4.2 Deuring’s Theorem

Using lattices one sees that for elliptic curves over $\mathbb{C}$ the ring $\mathrm{End}_{\mathbb{C}}(E)$ is commutative and is either $\mathbb{Z} \cdot \mathrm{id}_E \cong \mathbb{Z}$ (generic case) or an order $O_E$ in an imaginary quadratic field $K_E = \mathbb{Q}(\sqrt{-d})$ (CM-case).
In the last case the $j$-invariant of $E$ is an algebraic integer contained in the ring class field of $O_E$. By a Lefschetz principle it follows that the same result is true over any field of characteristic 0. Much deeper are results of M. Deuring obtained in a beautiful paper.


Theorem 5 Let $K$ be a field of characteristic $p$ and $E$ an elliptic curve defined over $K$.

1. If $j_E$ is not algebraic over the prime field of $K$ then $\mathrm{End}_K(E) = \mathbb{Z}$.

2. If $E$ is supersingular (i.e. the endomorphism $[p] \cdot \mathrm{id}_E$ is purely inseparable) then $j_E$ is contained in $\mathbb{F}_{p^2}$ and $\mathrm{End}_K(E)$ is an order in a quaternion algebra.

3. Lifting Theorem: If $E/\mathbb{F}_p$ is ordinary and $j_E \in \mathbb{F}_q$ then there exists an elliptic curve $\mathcal{E}$ over a number field $K$ with $\mathrm{End}_K(\mathcal{E}) = \mathrm{End}_{\mathbb{F}_p}(E)$ and a prime divisor $\mathfrak p$ of $K$ such that

$$\mathcal{E}_{\mathfrak p} \bmod \mathfrak p = E.$$

In particular, the Frobenius endomorphism $\phi_q$ of $E$ can be interpreted as a complex number generating the imaginary quadratic field $\mathrm{Quot}(\mathrm{End}_K(\mathcal{E}))$. $\mathcal{E}$ is uniquely determined over $\mathbb{C}$ and is called the canonical lift of $E$.


8 Galois Representations over Finite Fields

We want to study representations $\rho_{A,\ell}$ of $G_{\mathbb{F}_q}$ attached to abelian varieties.
Representations $\rho$ of $G_{\mathbb{F}_q}$ are uniquely determined by $\rho(\phi_q)$, and if they are semi-simple, by

$$\chi_{\rho_{A,\ell}(\phi_q)}(T).$$

It is not too difficult to see

Proposition 1 There is a monic polynomial $\chi_A(T) \in \mathbb{Z}[T]$ of degree $2g$ such that for all $n \in \mathbb{N}$ prime to $p$ we get

$$\chi_{\rho_{A,n}(\phi_q)}(T) \equiv \chi_A(T) \bmod n$$

and

$$|A(\mathbb{F}_q)| = \chi_A(1).$$

Definition 14 $\chi_A(T)$ is the characteristic polynomial of the Frobenius endomorphism of $A$.

Corollary 1 We can count the number of points in $A(\mathbb{F}_q)$ if we can determine $\chi_A(T)$.


8.1 Theorem of Hasse-Weil

The key result for all algorithms to compute $\chi_A(T)$ is an enormous and deep refinement of Proposition 1.

Theorem 6 (Hasse-Weil) All zeroes of $\chi_A(T)$ have (complex) absolute value $\sqrt{q}$ ("Riemann Hypothesis").
Hence $|A(\mathbb{F}_q)| \sim q^g$.

The coefficients of $\chi_A(T)$ are integers bounded by $q^g$ and so can be determined by computing $\chi_{\rho_{A,n}(\phi_q)}(T)$ for $n > q^g$.

Example 4 Let $E$ be an elliptic curve over $\mathbb{F}_q$.
The characteristic polynomial of the Frobenius endomorphism of $E$ is

$$\chi_E(T) = T^2 - t_E T + q$$

with $|t_E| \le 2\sqrt{q}$. ($t_E$ is the trace of the Frobenius endomorphism.) Hence

$$\bigl|\,|E(\mathbb{F}_q)| - q - 1\,\bigr| \le 2\sqrt{q} \quad \text{("Riemann Hypothesis")}.$$

This inequality is the theorem of Hasse(-Deuring).
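A small computation for Corollary 1 and Example 4, added here as an illustration and not part of the lecture: it obtains $t_E$ for a curve $y^2 = x^3 + ax + b$ over a small prime field by naive counting, checks the Hasse bound, and goes one step beyond the text by predicting $|E(\mathbb{F}_{p^n})|$ from $\chi_E$ alone (the Frobenius of $\mathbb{F}_{p^n}$ is $\phi_p^n$, so its characteristic roots are $\alpha^n, \beta^n$). The prediction for $n = 2$ is confirmed by brute force over $\mathbb{F}_{p^2}$. Function names and the two sample curves are assumptions chosen for the example.

```python
# Added example (not from the lecture): Frobenius trace, Hasse bound and
# point counts over extension fields for y^2 = x^3 + a*x + b over F_p.
# Toy sizes only: everything is done by enumeration, p must be an odd prime.

def legendre(z, p):
    """Quadratic character of z mod p: 0, 1 (square) or -1 (non-square)."""
    z %= p
    if z == 0:
        return 0
    return 1 if pow(z, (p - 1) // 2, p) == 1 else -1

def count_points(a, b, p):
    """|E(F_p)| by enumeration over x, including the point at infinity."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))

def frobenius_trace(a, b, p):
    """t_E, read off from |E(F_p)| = chi_E(1) = 1 - t_E + p."""
    return p + 1 - count_points(a, b, p)

def hasse_holds(t, q):
    """|t| <= 2*sqrt(q), tested in integers as t^2 <= 4q."""
    return t * t <= 4 * q

def count_over_extension(t, q, n):
    """|E(F_{q^n})| = q^n + 1 - s_n with s_n = alpha^n + beta^n, where
    alpha, beta are the roots of chi_E(T) = T^2 - t*T + q.
    The power sums satisfy s_n = t*s_{n-1} - q*s_{n-2}, s_0 = 2, s_1 = t."""
    s_prev, s = 2, t
    for _ in range(n - 1):
        s_prev, s = s, t * s - q * s_prev
    return q**n + 1 - s

def fp2_mul(x, y, nr, p):
    """Product in F_{p^2} = F_p[w]/(w^2 - nr); (u, v) stands for u + v*w."""
    return ((x[0] * y[0] + nr * x[1] * y[1]) % p,
            (x[0] * y[1] + x[1] * y[0]) % p)

def fp2_pow(x, e, nr, p):
    """Square-and-multiply exponentiation in F_{p^2}."""
    result = (1, 0)
    while e:
        if e & 1:
            result = fp2_mul(result, x, nr, p)
        x = fp2_mul(x, x, nr, p)
        e >>= 1
    return result

def count_points_fp2(a, b, p):
    """|E(F_{p^2})| by enumeration, as an independent check of the recurrence."""
    nr = next(n for n in range(2, p) if legendre(n, p) == -1)  # non-square
    total = 1                                                  # infinity
    for u in range(p):
        for v in range(p):
            x = (u, v)
            x3 = fp2_mul(fp2_mul(x, x, nr, p), x, nr, p)
            rhs = ((x3[0] + a * u + b) % p, (x3[1] + a * v) % p)
            if rhs == (0, 0):
                total += 1                      # single point with y = 0
            elif fp2_pow(rhs, (p * p - 1) // 2, nr, p) == (1, 0):
                total += 2                      # rhs is a square: two y
    return total

if __name__ == "__main__":
    # Constructed samples: an ordinary curve over F_5, a supersingular one over F_7.
    for a, b, p in [(1, 1, 5), (1, 0, 7)]:
        t = frobenius_trace(a, b, p)
        print(f"y^2 = x^3 + {a}x + {b} over F_{p}: |E| = {count_points(a, b, p)},"
              f" t = {t}, Hasse ok = {hasse_holds(t, p)},"
              f" |E(F_p^2)| predicted {count_over_extension(t, p, 2)},"
              f" counted {count_points_fp2(a, b, p)}")
```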


8.1.1 Proof of the Theorem of Hasse-Deuring (1936)

An easy special argument for supersingular elliptic curves settles the theorem for these curves.
For ordinary $E$ we use Deuring's lifting theorem and so we can look at $\phi_q$ as a complex number generating an imaginary quadratic field with minimal polynomial

$$T^2 - t_E T + q.$$

The discriminant of this polynomial is negative, and so

$$t_E^2 - 4q < 0.$$

Hence

$$|t_E| \le 2\sqrt{q}.$$

Remark 5 This proof is, historically, very important; some people say that it marks the beginning of arithmetic geometry.
It shows that to get information about objects over finite fields it may be useful to go to local fields or even global fields.
We shall see more examples soon.


8.2 Isogenies

The following result shows the power of Galois representations over finite fields.

Theorem 7 (Tate) The isogeny class of an abelian variety defined over $\mathbb{F}_q$ is uniquely determined by $\chi_A(T)$.

Corollary 2 Elliptic curves $E$, $E'$ defined over $\mathbb{F}_q$ are isogenous iff

$$|E(\mathbb{F}_q)| = |E'(\mathbb{F}_q)|.$$

Question: Can one compute isogenies explicitly?
Optimistic guess: with complexity polynomial in $\log(q)$, $g$, $\deg(\eta)$.
Indeed, this is true for elliptic curves, one of the high points of computational arithmetic geometry!


Proposition 2 (Velu, Lercier, Morain, Couveignes, Galbraith, Hess, Smart, ...) To compute a cyclic isogeny of degree $\ell$ of an elliptic curve one has to perform $O(\ell^2 + \ell \log(\ell) \log(q))$ field operations.

This is astonishingly effective but nevertheless exponential in $\ell$. So one can only handle not too long chains of isogenies of small degree.
An analogous result is nearly established for curves of genus 2 (algebraic theory of Theta functions) and is a fascinating area of mathematical research.
Can it be applied to cryptography?


8.3 Application to Theme 2: Point Counting

By the Hasse-Weil result we get an estimate for the size of the coefficients of $\chi_A(T)$ which depends only on $q$ and $g$.

8.3.1 The Etale Approach

This approach is due to Schoof and, for abelian varieties, to Pila. In principle, one computes the action of the Frobenius automorphism on points whose order is a small power of small primes different from $p$ and then uses the Chinese remainder theorem to determine the coefficients of $\chi_A(T)$ exactly.
In principle, this works with complexity polynomial in $\log(q)$, $\dim(A)$. But in practice this is too slow even for elliptic curves.


The idea due to Atkin and Elkies and brought to perfection by Morain, Lercier, Couveignes, ... is to use isogenies instead of points (i.e. use projective representations), and with the result of Proposition 2 about the computation this works so fast that we can determine the number of points on elliptic curves in all cryptographically interesting ranges.
Since one can estimate, at least heuristically, the probability that the order of the rational points of randomly chosen elliptic curves is (almost) prime, one can solve the last task and find many elliptic curves $E$ such that $E(\mathbb{F}_q)$ is a good candidate for a DL-system.


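9 Galois Representations over Local Fields

Let $K_{\mathfrak p}$ be a local field with residue field $\mathbb{F}_q$.
The Galois group $G_{\mathfrak p}$ becomes more complicated since we have to deal with ramified extensions.
Let $\rho$ be a Galois representation of $G_{\mathfrak p}$.

Definition 15 $\rho$ is unramified at $\mathfrak p$ iff $I_{\mathfrak p} \subset \ker(\rho)$. $\rho$ is tamely ramified at $\mathfrak p$ iff $I_{\mathfrak p}/(I_{\mathfrak p} \cap \ker(\rho_{\mathfrak p}))$ has (profinite) order prime to $\mathrm{char}(\mathbb{F}_{\mathfrak p})$.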


9.1 The Local L-series and Conductor

9.1.1 Local Artin L-series

We assume now that $\rho$ is a complex representation of $G_K$. In addition we assume that $\rho$ is semi-simple.
Let $V$ be a representation space of $\rho$ and let $K_\rho := K_s^{\ker(\rho)}$. First assume that $\rho$ is unramified at $\mathfrak p$. It follows that we have a uniquely determined element $\sigma_{\mathfrak p} \in G(K_\rho/K)$ with reduction equal to $\phi_q|_{K_{\rho,\mathfrak p}}$.

Definition 16 The local L-series of $\rho$ is

$$L_{\rho,\mathfrak p}(s) := \chi_{\rho(\sigma_{\mathfrak p})}(q^{-s})^{-1}$$

with $s \in \mathbb{C}$.
An $\ell$-adic generalisation: Assume that $\rho$ is an unramified $\ell$-adic representation and that the characteristic polynomial of $\rho(\sigma_{\mathfrak p})$ has coefficients in $\mathbb{Z}$. Then we define the local L-series as above.


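We go back to complex representations and assume that $K_\rho/K$ is ramified of order $e_{\mathfrak p}$.
We do not have a well defined action of Frobenius elements. But we have such an action on $V^{I_{\mathfrak p}}$ and so we can define in general the local L-series of $\rho$ at $\mathfrak p$ as

$$L_{\rho,\mathfrak p}(s) := \chi_{\rho(\sigma_{\mathfrak p})|V^{I_{\mathfrak p}}}(q^{-s})^{-e_{\mathfrak p}}$$

with $s \in \mathbb{C}$ and $e_{\mathfrak p} = |I_{\mathfrak p}|$.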


9.1.2 Artin Conductor

To define the Artin conductor one has to use the filtration of $I_{\mathfrak p}$ by higher ramification groups.
We assume that the image of $\rho$ is finite, e.g. $\rho$ is a representation over $\mathbb{C}$ or over a finite field.
Let $G$ be the Galois group of $K_\rho/K$. There is a filtration of $G$ by higher ramification groups $G_{i+1} \subset G_i$ with $G_{-1} = G$, $G_0 = I_{\mathfrak p}$.
For $i > 0$ the groups $G_i$ are $p$-groups with $p = \mathrm{char}(\mathbb{F}_{\mathfrak p})$ and give the wild ramification part.
Let $V_i = V^{G_i}$ and $d_i = \mathrm{codim}_V V_i$.

Definition 17 The exponent $f_{\mathfrak p}$ of the conductor of $\rho$ at $\mathfrak p$ is

$$f_{\mathfrak p} = \sum_{i \ge 0} \frac{1}{[G_0 : G_i]}\, d_i.$$

The Artin conductor of $\rho$ is $N'_{\rho_{\mathfrak p}} := \mathfrak p^{f_{\mathfrak p}}$.

In particular, $f_{\mathfrak p} > 0$ iff $\rho$ is ramified.


9.2 Representations and the Arithmetic of Abelian Varieties

Let $A$ be an abelian variety defined over $K_{\mathfrak p}$.
Recall: The type of reduction is described by the exponent $f_{A,\mathfrak p}$ of the conductor divisor $N_{A,\mathfrak p}$ of $A$.
$A$ has good reduction iff this exponent is 0.
$A$ has semi-stable reduction iff the exponent is $\le 1$.

Theorem 8 (Criterion of Neron-Ogg-Shafarevich) $\rho_{A,\ell}$ is ramified iff $f_{A,\mathfrak p} > 0$.

Remark 6 For given $\ell^k$ the conductor of $\rho_{A,\ell^k}$ clearly divides the conductor of $A$, and for $k$ large enough, we shall have equality.
But for small enough $k$ there may be a gap.
It is a very interesting diophantine question to find such "congruence primes" $\ell$.


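9.2.1 Local L-series of Abelian Varieties

Assume that $A$ has good reduction $A_{\mathfrak p}$.
Since for all primes $\ell \ne p$ the representation $\rho_{A,\ell}$ is unramified, the local L-series of $\rho_{A,\ell}$ is defined and independent of $\ell$.

Definition 18

$$L_A(s)_{\mathfrak p} := L_{\rho_{A,\ell},\mathfrak p}(s) := \chi_{\rho_{A,\ell}(\sigma_{\mathfrak p})}(q^{-s})^{-1} = \chi_{A_{\mathfrak p}}(T)(q^{-s})$$

is the local factor of the L-series of $A$ at $\mathfrak p$.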


9.3 Application to Theme 2

9.3.1 p-adic Approach for Point Counting

Already by the proof of the Hasse result about points on elliptic curves over finite fields it became obvious that in order to get information about objects over finite fields $\mathbb{F}_{p^d}$ it may be useful to lift these objects to local fields.
Another striking example is formed by methods to count points on varieties over finite fields by lifting them $p$-adically. It is characteristic of these methods that their complexity depends polynomially on $d$, $p$ and so they are suitable for finite fields with relatively small characteristic.
The first example is due to Satoh. He made Deuring's lifting theorem explicit, not to number fields (that is in general hopeless) but to $p$-adic fields, namely to the Witt vector field with residue field $\mathbb{F}_q$.


To the same family belong the algorithms going back to Mestre and called AGM-methods. They work excellently for curves of genus $\le 3$.
In both cases one lifts the Frobenius endomorphism to carefully chosen models over $p$-adic fields.
Using formal $p$-adic geometry (rigid analysis) Kedlaya lifts the Frobenius endomorphism to power series rings.
Kedlaya's algorithm works quite generally (see work of Vercauteren, Gerkmann, ...) and again excellently for hyperelliptic curves.


9.3.2 Duality

As said already, Tate duality comes intrinsically with curves and their Jacobian varieties or, more generally, abelian varieties.
It is a Galois-cohomological pairing that uses the Weil pairing and that ends in the Brauer group of the base field.
Hence for base field $\mathbb{F}_p$ we get only the trivial pairing since the Brauer group of finite fields is trivial.
But for local fields the situation is totally different since we have ramified extensions available. A classical theorem of Tate says that in this case the pairing is non-degenerate.
On the other side the pairing is very explicit for Jacobian varieties and uses evaluation of functions of the attached curve.
Beginning with a curve over $\mathbb{F}_q$ we lift it to a curve over a local field with residue field $\mathbb{F}_q$ and use this description.


In the end we can forget the lifting again and get the result

Theorem 9 (F.-Ruck) Let $C$ be a projective regular absolutely irreducible curve over $\mathbb{F}_q$.
Let $\ell$ be a prime dividing $|J_C(\mathbb{F}_q)|$, let $k$ be the smallest natural number such that $\ell \mid (q^k - 1)$. Let $\zeta_\ell$ be an $\ell$-th root of unity in $\mathbb{F}_{q^k}$.

Define $G := J_C[\ell] \cap J_C(\mathbb{F}_q)$ and $G^\perp := \{Q \in J_C(\mathbb{F}_{q^k}) \cap J_C[\ell];\ \phi_q(Q) = q \cdot Q\}$.
There is an explicit non-degenerate pairing

$$Q : G \times G^\perp \to \langle \zeta_\ell \rangle$$

that can be computed with complexity polynomial in $k \cdot \log q$.
In particular, $G$ is a group with bilinear structure if $k = O(\log(\ell))$.

We remark that this result has (positive and negative) consequences for DL-systems based on curves with supersingular Jacobian varieties.
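The number $k$ of Theorem 9 is what a parameter check for a DL-system has to look at: a small $k$ means the pairing moves discrete logarithms from $G$ into the multiplicative group of $\mathbb{F}_{q^k}$. The following added example (not part of the lecture) computes $k$ and applies it to two kinds of input: the supersingular curves $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \bmod 4$, whose group order $p + 1$ is a standard fact assumed here, and the field prime and group order of the standardized curve secp256k1, quoted from its specification and not from this text. Function names and the bound 100 are choices made for the example.

```python
# Added example (not from the lecture): the embedding degree k of Theorem 9
# as a parameter check for elliptic-curve DL-systems.

def embedding_degree(q, ell, cap):
    """Smallest k <= cap with ell | q^k - 1, or None if there is none up to cap."""
    acc = 1
    for k in range(1, cap + 1):
        acc = acc * q % ell
        if acc == 1:
            return k
    return None

def is_prime(n):
    """Trial division; adequate for the toy range used below."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def largest_prime_factor(n):
    """Largest prime factor by trial division (toy sizes)."""
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return n if n > 1 else best

def transfer_field_bits(q, k):
    """Bit size of F_{q^k}, the field that receives the discrete logarithm."""
    return k * q.bit_length()

def supersingular_family(bound):
    """(p, ell, k) for primes 3 < p < bound with p = 3 mod 4, where
    E: y^2 = x^3 + x has p + 1 points (assumed standard fact, not derived
    here) and ell is the largest prime factor of p + 1."""
    rows = []
    for p in range(7, bound, 4):          # 7, 11, 15, ... are all 3 mod 4
        if is_prime(p):
            ell = largest_prime_factor(p + 1)
            rows.append((p, ell, embedding_degree(p, ell, 4)))
    return rows

# secp256k1 field prime and group order (values from the curve's
# specification, not from the lecture).
SECP256K1_P = 2**256 - 2**32 - 977
SECP256K1_N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141

if __name__ == "__main__":
    for p, ell, k in supersingular_family(120):
        print(f"p = {p}: ell = {ell}, k = {k},"
              f" DL transfers to a {transfer_field_bits(p, k)}-bit field")
    k = embedding_degree(SECP256K1_P, SECP256K1_N, 100)
    print("secp256k1: k <= 100 found" if k else "secp256k1: no k <= 100")
```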


10 Global Galois Representations

In the following we take $K$ as a number field though most of the considerations can be done for function fields.

10.1 Application to Theme 2

A last time we come back to applications of arithmetic geometry to cryptography. (This does not mean that we have told everything.)

10.1.1 Class Field Theory

A classical high point of number theory is class field theory.
This theory describes abelian extensions of number fields $K$ with given ramification by the "arithmetic" in orders of $K$.
Explicit class field theory is available for $\mathbb{Q}$ (Kronecker-Weber) and for so-called CM-fields (totally imaginary extensions of degree 2 of totally real fields of degree $d$) (Taniyama-Shimura).


The classical case: $d = 1$ and $K$ is an imaginary quadratic field. Then class fields of $K$ are generated by $j$-invariants of elliptic curves with complex multiplication. We discussed this already in connection with Deuring's lifting theorem.
One of the main results is that the Frobenius endomorphism of corresponding elliptic curves modulo prime divisors $\mathfrak p$ of $K$ corresponds to elements in $K$ of norm $|\mathbb{F}_{\mathfrak p}|$.
By beginning with an order in a CM-field we know a priori the order of the group of points over $\mathbb{F}_{\mathfrak p}$ of the reduction of any abelian variety with this ring of endomorphisms, and we can look for appropriate $\mathfrak p$ (and find them very fast).
Only then do we compute the associated abelian variety $A$.
This works very well for Jacobians of curves of genus 1, 2, 3. (Diploma thesis A. Spallek 1990, PhD thesis Spallek 1994, PhD thesis Weng 2001, all in Essen.) And the method has till today a certain importance.


We summarize our results.

Theorem 10 In cryptographically relevant areas

• we can count points on random elliptic curves,

• we can count points on Jacobians of random curves over fields of small (and even medium) characteristic,

• we have still problems with random curves of genus 2 over prime fields but can use class field theory of CM-fields to find an abundance of curves of genus 2 suitable for DL-systems,

• and, of course, we have many special families of curves whose members are accessible for point counting.


10.1.2 Isogenies Do Not Change DL's of Elliptic Curves

We use once more the CM-theory, now for elliptic curves.
We fix an order $O$ in an imaginary quadratic field and look at $S_E$, the set of isomorphism classes (over $\mathbb{F}_q$) of elliptic curves $E'/\mathbb{F}_q$ with

$$\mathrm{End}(E') = \mathrm{End}(E) = O \subset \mathbb{Q}(\sqrt{-d}).$$

Explicit class field theory tells us that there is a 1-to-1 correspondence between $S_E$ and the ideal class group $\mathrm{Cl}(O)$ of $O$.
The isogeny graph to $O$ has as vertices the elements in $S_E$, and edges correspond to isogenies of small degree (with respect to some bound).
Hence paths are chains of isogenies of small degree, and the local theory tells us that we can walk along such paths quickly.


Now comes number theory (theory of modular forms, see below) and yields that the isogeny graph has remarkable properties.

Theorem 11 (Jao, Miller, Venkatesan) The isogeny graph is an expander graph.
So discrete logarithms in isogeny classes of elliptic curves over $\mathbb{F}_q$ with the same ring of endomorphisms are subexponentially equivalent.


Now we turn seriously to Theme 1.

10.2 Conjecture of Fontaine-Mazur

How to find representations?
We know one family of such representations: Let $A$ be an abelian variety over $K$. Then $\rho_{A,\ell}$ is a representation with the $\ell$-adic Tate module of $A$ as representation space.
There is a finite set $S_A$ of places of $K$ (the divisors of the conductor of $A$ computed locally) at which $A$ does not have good reduction, and hence $\rho_{A,\ell}$ is unramified outside of $S_A$.
Following Fontaine-Mazur we define

Definition 19 An $\ell$-adic Galois representation $\rho_K$ is geometric iff it is unramified outside a finite set of places and if it is potentially semi-stable at places dividing $\ell$.


Look at the example above and recall that the $\ell$-adic Tate module of an abelian variety is the first etale cohomology group with coefficients in $\mathbb{Z}_\ell$.
The amazing prediction is that by using such cohomology groups we should get essentially all $\ell$-adic Galois representations of number fields.

Conjecture 5 (Fontaine-Mazur) An irreducible $\ell$-adic representation of $G_K$ is geometric iff it is isomorphic to a subquotient of a Tate twist of an etale cohomology group of a smooth projective algebraic variety over $K$.

This conjecture is known in rare but important cases. To demonstrate its strength we give one consequence:

Conjecture 6 Let $F(K, \ell)$ be the Galois group of the maximal unramified pro-$\ell$-extension of $K$.
Then any quotient of $F(K, \ell)$ which is an $\ell$-adic analytic group is finite.


10.3 Diophantine Applications and Conjectures

Galois representations influence deeply the arithmetic of abelian varieties.

Theorem 12 (Faltings) $\rho_{A,\ell}$ is semi-simple.

Here are consequences of this fact.

Theorem 13 (Isogeny Theorem of Faltings) Two abelian varieties are isogenous iff for one (and hence for all) prime(s) $\ell$ the attached $\ell$-adic representations are equivalent over $\mathbb{Q}_\ell$.

Corollary 3 (Conjecture of Shafarevich) For a given finite set $T$ of places of $K$ and given $d$ there are only finitely many abelian varieties of dimension $d$ with good reduction outside of $T$.

Corollary 4 (Conjecture of Mordell) Curves of genus $\ge 2$ have only finitely many $K$-rational points.


Recall that a result of Tate yields that abelian varieties over finite fields are isogenous iff their local L-series are equal.

Theorem 14 (Effective version of the Isogeny Theorem (Faltings)) For given abelian varieties $A_1$ and $A_2$ there is a number $n$ such that $A_1$ is isogenous to $A_2$ iff the local L-series are equal for a set of primes $\mathfrak l_i$ with $\mathrm{norm}(\prod \mathfrak l_i) > n$.


10.4 Congruent Torsion Structures

We try to make the last statement effective.
Assume that for a number $N$ we find Galois invariant subgroups $C_i \subset A_i[N]$ with $C_1$ Galois isomorphic to $C_2$. How large (depending on $K$, $\dim A_i$, $N_{A_i}$)¹ does the order of $C_1$ have to be in order to force $A_1$ and $A_2$ to have isogenous abelian subvarieties?

¹ Here and in the following, global conductors of abelian varieties and representations are the products of the local conductors.


We formulate conjectures for elliptic curves.
We look at pairs of elliptic curves $E$ and $E'$ defined over $K$.

Conjecture 7 (Darmon) There is a number $n_0(K)$ such that for all elliptic curves $E$, $E'$ over $K$ and all $n \ge n_0(K)$ we get:

If $\rho_{E,n} \cong \rho_{E',n}$ then $E$ is isogenous to $E'$.


A variant is

Conjecture 8 (Kani) There is a number $n_0$ (independent of $K$) such that for $n \ge n_0$ there are, up to twist pairs, only finitely many pairs $(E, E')$ of elliptic curves which are not isogenous and with $\rho_{E,n} \cong \rho_{E',n}$.
For prime numbers $n$ we can choose $n_0 = 23$.

Geometric background: Description of the moduli space and Lang's conjecture for general surfaces.


Much weaker is a conjecture I stated 25 years ago:

Conjecture 9 We fix an elliptic curve $E_0/K$.
There is a number $n_0(E_0, K)$ such that for all elliptic curves $E$ over $K$ and all $n \ge n_0(E_0, K)$ we get:

If $\rho_{E,n} \cong \rho_{E_0,n}$ then $E$ is isogenous to $E_0$.

Remark 7 Conjecture 9 is true for global fields if the height conjecture is true.
Hence its analogue over function fields holds.


10.5 A Local-Global Relation

One crucial result behind the results of Faltings is a local-global principle for Galois representations.

Theorem 15 (Cebotarev's Density Theorem) Let $\rho$ be a Galois representation of $G_K$ which is ramified only at finitely many places of $K$.
If $\rho$ is semi-simple then $\rho$ is determined by

$$\{\chi_{\rho(\sigma_{\mathfrak p})}(T);\ \mathfrak p \text{ runs over the places of } K\}.$$

It is even allowed to omit arbitrary finite sets of primes.


10.6 Global L-series

We put the local information together and form, inspired by the density theorem, the global L-series of abelian varieties.
For finitely many "bad primes" we use an explicit recipe to define a rational function $f^*(s)$ and we form the infinite product

$$L_A(s) := f^*(s) \cdot \prod_{\mathfrak l \text{ prime to } N_A} L_{A,\mathfrak l}(s)$$

with a complex variable $s$. This product is a Dirichlet series analytic in a half plane. It has to be seen as an analogue of the Riemann zeta function.


The Conjecture of Taniyama-Shimura-(Hasse) and Birch and Swinnerton-Dyer (BSD)

is that $L_A(s)$ has an analytic continuation to $\mathbb{C}$ (recall Artin's conjecture!), and that its analytic behavior at $s = 1$ contains all interesting information about the group of $K$-rational points of $A$ like its rank (order of the zero), the Tate-Shafarevich group (which describes the failure of the Hasse principle) and the Neron-Tate regulator.


11 K = Q

By using elliptic curves we have many examples of representations of dimension 2 with the additional property that the determinants of complex conjugations are $-1$. In the spirit of the conjecture of Fontaine-Mazur we look for more general geometric realizations. Surprisingly it is enough to take very special varieties if we take $K = \mathbb{Q}$.


11.1 Modular Curves and Forms

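Let $\mathbb{H}$ be the complex upper half plane, and $\mathbb{H}^* = \mathbb{H} \cup \mathbb{Q} \cup \{i\infty\}$.
The elements in $\mathbb{Q} \cup \{i\infty\}$ are called cusps.

The group $\mathrm{Sl}(2, \mathbb{R})$ is acting on $\mathbb{H}^*$ in the usual way.
For $N \in \mathbb{N}$ define

$$\Gamma_0(N) := \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{Sl}(2, \mathbb{Z});\ c \equiv 0 \bmod N \right\}$$

and

$$\Gamma_1(N) := \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{Sl}(2, \mathbb{Z});\ a \equiv 1 \bmod N,\ c \equiv 0 \bmod N \right\}.$$

Let $\chi$ be a Dirichlet character with conductor dividing $N$.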


Definition 20 Let $k$ be a non-negative integer. Let $f$ be a holomorphic function on $\mathbb{H}$ which is bounded near the cusps and satisfies: for all $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma_0(N)$ and $z \in \mathbb{H}$ we have

$$f\left(\frac{az + b}{cz + d}\right) = \chi(d)(cz + d)^k f(z).$$

Then $f$ is a modular form of weight $k$ with nebentype $\chi$. If in addition $f$ vanishes at the cusps, then $f$ is a cusp form.


The set of modular forms of weight $k$ and nebentype $\chi$ forms a finite dimensional $\mathbb{C}$-vector space which is denoted by $M_k(N, \chi)$.
The subspace of cusp forms is denoted by $S_k(N, \chi)$.

For $k \ge 2$ it is not difficult to determine the dimension of $M_k(N, \chi)$ resp. $S_k(N, \chi)$.
The reason for this fact is the Riemann-Roch theorem related to divisors of the modular curves that stand behind $\Gamma_0(N)$ and $\Gamma_1(N)$. These curves are compact quotients of $\mathbb{H}^*$ and hence projective algebraic curves $X_0(N)$ and $X_1(N)$ well known to us: The curves are defined over $\mathbb{Z}$ and are (coarse respectively fine) moduli spaces for pairs of elliptic curves with cyclic isogeny of degree $N$ respectively pairs of elliptic curves with a fixed point of order $N$.


Using the Riemann-Hurwitz genus formula it is easy to compute the genus $g(X_0(N))$ of $X_0(N)_{\mathbb{C}}$.
For instance for a prime $N$ one has $g(X_0(N)) = \left[\frac{N}{12}\right]$. For us it is enough to know that

$$g(X_0(N)) = O(N).$$

Example 5

• $n = 2$: $X(2)$ and hence $X_1(2)$ and $X_0(2)$ have genus 0 (why? Give a rational parametrization) and therefore are isomorphic to $\mathbb{P}^1$.

• $n = 11$: $X_0(11)$ is an elliptic curve with Weierstraß equation
$E : y^2 + y = x^3 - x^2 - 10x - 20.$


The q-expansion principle. For $f \in M_k(N, \chi)$ we have $f(z + 1) = f(z)$, and so $f$ has a Fourier expansion around $i\infty$:

If $q = e^{2\pi i z}$ ($z \in \mathbb{H}$), then

$$f(z) = \sum_{n=0}^{\infty} a_n q^n \quad \text{with } a_n \in \mathbb{C}.$$

The q-expansion principle states that $f$ is uniquely determined by its Fourier coefficients $(a_n)_{n \in \mathbb{N}}$.

Definition 21 Let $R$ be a ring containing $\mathbb{Z}[\chi]$. Then $M_k(N, \chi)(R)$ (resp. $S_k(N, \chi)(R)$) are the elements in $M_k(N, \chi)$ (resp. $S_k(N, \chi)$) with $a_n \in R$.

Fact: $M_k(N, \chi)(R) = M_k(N, \chi)(\mathbb{Z}[\chi]) \otimes R$. So both $M_k(N, \chi)$ and $S_k(N, \chi)$ have a basis consisting of elements of $M_k(N, \chi)(\mathbb{Z}[\chi])$ resp. $S_k(N, \chi)(\mathbb{Z}[\chi])$.

For cusp forms $f$ we obviously have: $a_0 = 0$. $f$ is normed if $a_1 = 1$.


11.2 Eigenforms

$S_k(n, \chi)(\mathbb{C})$ has a Hermitian structure by the Petersson scalar product and has many self-adjoint endomorphisms, the Hecke operators forming the Hecke algebra $\mathbb{T}$.

Definition 22 $f \in M_k(n, \chi)$ is an eigenform if for all primes $p \nmid n$ we have: $T_p f = \lambda_p \cdot f$ with $\lambda_p \in \mathbb{C}$ (i.e. $\lambda_p$ is the eigenvalue of $f$ with respect to $T_p$).


11.3 New Forms

In general, it is not true that the collection $(\lambda_p)$ determines a normalized $f \in S_k(m, \chi)$ uniquely, but for so-called "New forms" (a crucial refinement of eigenforms) this holds.

Theorem 16 (Atkin-Li)

• Normalized New forms are determined by their eigenvalues.

• The Mellin transform of the Fourier expansion of a New form $f$ is an Euler product: To $f \in S_k(n, \chi)$ define

$$L_f(s) := \sum_{j \ge 1} a_j j^{-s},$$

the associated L-series.

Then

$$L_f(s) = \prod_p \left(1 - a_p p^{-s} + \chi(p) p^{k-1-2s}\right)^{-1}.$$


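• The L-series satisfies the functional equation:

$$n^{k/2}(nz)^{-k} f\left(-\frac{1}{nz}\right) = \gamma \cdot f(-z)$$

with $\gamma \in \mathbb{C}$.
If $\chi = \chi_0$, then

$$n^{k/2}(nz)^{-k} f\left(-\frac{1}{nz}\right) = w_f f$$

with $w_f \in \{1, -1\}$.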


11.4 Structure of the Jacobian of X0(n)

The following results are due to Shimura.
Take a New form $f = \sum_{j \ge 1} a_j q^j$.
$K_f = \mathbb{Q}(a_1, \dots, a_j, \dots)$ is a totally real field of degree $d$ with embeddings $I_f := \{\sigma_1, \dots, \sigma_d\}$.
The cusp form $f$ induces an algebra homomorphism

$$\lambda_f : \mathbb{T} \otimes \mathbb{Q} \to \mathbb{Q}$$

by sending $T$ to $a_1(T(f))$.
Let $U_f := \ker(\lambda_f) \cap \mathbb{T}$.
The image $U_f(J_0(n))$ is a subgroup scheme of the Jacobian of $X_0(n)$.
Define:

$$A_f := J_0(n)/U_f(J_0(n)).$$


Theorem 17

• $A_f$ is a $\mathbb{Q}$-irreducible abelian variety of dimension $[K_f : \mathbb{Q}]$.

• If $n$ is square free then $A_f$ is absolutely irreducible.

• $A_f$ has good reduction outside of $n$.

• $\Theta : K_f \to \mathrm{End}(A_f) \otimes \mathbb{Q}$ given by $\Theta(a_j) = T_j|_{A_f}$ gives $A_f$ real multiplication.

• The above construction gives a decomposition (up to $\mathbb{Q}$-isogenies) of the "New part" of $J_0(n)$ in simple varieties over $\mathbb{Q}$, each occurring with multiplicity one, and hence, by using the degeneration maps, of $J_0(n)$.


11.4.1 Example: Modular Elliptic Curves

Take an elliptic curve $E$ over $\mathbb{Q}$ with conductor $N_E$ and assume that there is a non-constant morphism

$$\varphi : X_0(N_E) \to E.$$

Let $\omega_E$ be the Neron differential of $E$: One takes a minimal ("best possible") Weierstraß equation

$$Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6$$

for $E$ and $\omega = \frac{dX}{2Y + a_1 X + a_3}$.

$\varphi^*(\omega)$ is a holomorphic differential on $X_0(N_E)(\mathbb{Z})$ and hence

$$\varphi^*(\omega) = f_E(z)\,dz \quad \text{with } f_E(z) \in S_2(N_E)$$

is a cusp form of level $N_E$, weight 2, and

$$f_E(z) = \sum_{j=1}^{\infty} a_j q^j \quad \text{with } a_j \in \mathbb{Z}.$$

$f_E$ is the modular form attached to $E$ and it is the key to the arithmetic of $E$ (provided that BSD is true).


11.5 Modular Representations

11.5.1 The Eichler-Shimura Relation

This is the central relation between the Hecke algebra and arithmetic.
It is due to Eichler and Shimura.

Theorem 18 Let $p \ne \ell$ be a prime, $\mathfrak p$ lying over $p$ and $\sigma_{\mathfrak p}$ the Frobenius automorphism.
Then as endomorphisms of $T_\ell(A_f)$ we get the identity

$$T_p = \sigma_{\mathfrak p} + \sigma_{\mathfrak p}^t$$

where $\sigma_{\mathfrak p}^t$ is the dual of the Frobenius morphism, called "Verschiebung", and $T_p$ is the $p$-th Hecke operator.


11.6 Representations to New forms

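Theorem 19 (Shimura, Deligne-Serre) Let $f = q + \sum_{j \ge 2} a_j q^j$ be a New form of weight $k$ and level $n$, $\ell$ a prime number not dividing $n$.
Then there exists a unique semi-simple $\ell$-adic representation

$$\rho_\ell : G_{\mathbb{Q}} \to \mathrm{GL}(2, K_f \otimes \mathbb{Q}_\ell)$$

such that $\rho_\ell$ is unramified outside $n$ and

$$\mathrm{tr}(\rho_\ell(\sigma_p)) = a_p, \quad \det(\rho_\ell(\sigma_p)) = p^{k-1}$$

for all $p$ prime to $\ell n$.

Remark 8 $K \otimes \mathbb{Q}_\ell = \prod_{\mathfrak l | \ell} K_{\mathfrak l}$ and so $\rho_\ell$ splits into $\mathfrak l$-adic representations for all prime divisors $\mathfrak l$ of $\ell$ in $K_f$.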


Let $\mathbb{F}_q$ be a field with $q = \ell^r$.

Definition 23 A representation

$\rho : G_{\mathbb{Q}} \to Gl(2, \mathbb{F}_q)$

is modular of level $n$ and weight $k$ iff there is a New form $f$ in $S_k(n)$ and a divisor $\mathfrak{l}$ of $\ell$ in $K_f$ such that $\rho$ is the reduction modulo $\mathfrak{l}$ of $\rho_\ell$ attached to $f$.

Remark 9 There is an alternative description: modular representations in characteristic $\ell$ are related to maximal ideals $\mathfrak{m} \subset \mathbb{T}$ containing $\ell$: Then $\rho_{\mathfrak{m}}$ is induced by the action of $G_{\mathbb{Q}}$ on $\bigcap_{T \in \mathfrak{m}} \ker(T)$, which is a finite group scheme $\subset J_0(n)[\ell]$.


11.7 L-series

We have mentioned already that the Mellin transform of the Fourier expansion of a New form is a Dirichlet series which admits an Euler product representation. To be explicit in the case that $f \in S_2(n)$: Define

$L_p(f, t) = 1 - a_p t + p t^2$ if $p \nmid n$,

$L_p(f, t) = 1 - a_p t$ if $p \mid n$

and

$L(f, s) = \prod_{p \in \mathbb{P}} L_p(f, p^{-s})^{-1}.$

One sees easily that $L(f, s)$ is holomorphic on $\mathbb{C}$. By using Eichler-Shimura and by some work concerning the divisors of $n$ one gets

Theorem 20 The L-series of $A_f$ is equal to

$L_{A_f}(s) = \prod_{\sigma \in I_f} L(f^{\sigma}, s).$

In particular, the Shimura-Weil conjecture is true for abelian varieties which are isogenous to subvarieties of $J_0(n)$ (and $J_1(n)$).


Remark 10 For simplicity, we have assumed in the above discussion that the nebentype of the New forms was trivial. But all the results and definitions about representations can be generalized to the nebentype case, too. Hence we have the notion of modular representations with nebentype, too. This nebentype $\chi$ occurs in the determinant by the condition:

$\det(\rho(\sigma_p)) = p^{k-1}\chi(p).$


11.8 Serre’s Conjecture

Let $\mathbb{F}$ be a finite field. Let

$\rho : G_{\mathbb{Q}} \to GL(2, \mathbb{F})$

be a continuous, absolutely irreducible, two-dimensional, odd representation with Artin conductor $N'_\rho$. $N_\rho$, its prime-to-$p$ part, is called the Serre conductor. Following Serre (Duke J. 1987) one defines a weight $k_\rho$ with $2 \leq k_\rho \leq p^2 - 1$ if $p \neq 2$ ($k_\rho = 2$ or $4$ if $p = 2$). $k_\rho$ is determined by an explicit recipe depending on $\rho|_{I_p}$. For a careful definition see G. Wiese (http://maths.pratum.net/).


Theorem 21 (Serre's conjecture: Khare, Wintenberger, Kisin, Taylor, et al.) Let $\rho$ be as above. Then $\rho$ is modular (with nebentype possibly to satisfy the determinant condition) of level $N_\rho$ and weight $k_\rho$.


Example 6
• If $\rho$ is finite at $p$ the weight is equal to 2. Here finiteness means that the representation space $V_\rho$ defines a finite group scheme at $p$. This is so if $\mathbb{Q}(V_\rho(\mathbb{Q}))$ is "little ramified" at $p$, i.e. it is obtained by a tame extension followed by radical extensions extracting roots of $p$-adic units.

• Let $E$ be a semi-stable elliptic curve over $\mathbb{Q}$ with $j$-invariant $j_E$ with $\mathrm{Min}(0, v_p(j_E))$ divisible by $p$. Then $\rho_{E,p}$ is modular of weight 2 with trivial nebentype and level

$2^{\delta} \cdot \prod_{p \neq l \,\nmid\, \mathrm{Min}(0, v_l(j_E))} l.$


11.9 Applications

11.9.1 Artin’s Conjecture

Theorem 22 The L-series of irreducible two-dimensional odd complex representations $\rho$ are holomorphic.

For the proof one only needs to look at the case that the projective image of $\rho$ is $A_5$. But since $A_5 = PGl(2, \mathbb{F}_5)$ one can interpret $\rho$ as a representation satisfying the conditions of Theorem 21 and gets the result.


11.9.2 Taniyama’s Conjecture

Let $E$ be an elliptic curve over $\mathbb{Q}$ with conductor $N_E$. We know that for almost all $p$ the representation $\rho_{E,p}$ is irreducible and finite at $p$. Hence it is modular of weight 2, trivial nebentype and level dividing $N_E$. Since there are only finitely many New forms satisfying these conditions we can assume that there are infinitely many $p$ and one New form $f$ such that the characteristic polynomials of $\rho_p$ and $\rho_f$ are congruent modulo primes dividing $p$ in $K_f$. It follows that $f$ has coefficients in $\mathbb{Z}$ and hence defines an elliptic curve $E_f$. But then the effective version of Faltings' theorem yields that $E$ is isogenous to $E_f$ and hence modular.


11.9.3 Fermat’s Last Theorem

If $A^p - B^p = C^p$ define

$E : Y^2 = X(X - A^p)(X + B^p).$

$\rho_{E,p}$ is modular of weight 2 and level 2 (Theorem 21). But since $S_2(2) = 0$ such a representation does not exist.
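The vanishing $S_2(2) = 0$ used above can be checked with the classical genus formula for $X_0(N)$, since $\dim S_2(N)$ equals that genus. The following Python code is an added example, not part of the lecture; it uses the standard formula $g = 1 + \mu/12 - \nu_2/4 - \nu_3/3 - \nu_\infty/2$, and the function names are hypothetical.

```python
from math import gcd


def prime_divisors(n):
    """Distinct prime divisors of n by trial division."""
    primes, d = [], 2
    while d * d <= n:
        if n % d == 0:
            primes.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        primes.append(n)
    return primes


def euler_phi(n):
    for p in prime_divisors(n):
        n = n // p * (p - 1)
    return n


def dim_S2(N):
    """dim S_2(Gamma_0(N)), computed as the genus of X_0(N)."""
    primes = prime_divisors(N)
    mu = N                                   # index of Gamma_0(N) in PSL(2, Z)
    for p in primes:
        mu = mu // p * (p + 1)
    nu2 = 0 if N % 4 == 0 else 1             # elliptic points of order 2
    nu3 = 0 if N % 9 == 0 else 1             # elliptic points of order 3
    for p in primes:
        nu2 *= 1 if p == 2 else (2 if p % 4 == 1 else 0)   # 1 + (-1/p)
        nu3 *= 1 if p == 3 else (2 if p % 3 == 1 else 0)   # 1 + (-3/p)
    cusps = sum(euler_phi(gcd(d, N // d))
                for d in range(1, N + 1) if N % d == 0)
    twelve_g = 12 + mu - 3 * nu2 - 4 * nu3 - 6 * cusps
    assert twelve_g % 12 == 0
    return twelve_g // 12


def levels_without_cusp_forms(bound):
    """All levels N <= bound with S_2(N) = 0."""
    return [N for N in range(1, bound + 1) if dim_S2(N) == 0]


if __name__ == "__main__":
    print("dim S_2(2)  =", dim_S2(2))
    print("dim S_2(11) =", dim_S2(11))
    print("levels with S_2(N) = 0:", levels_without_cusp_forms(29))
```

Level 2 lies among the finitely many levels with no weight-2 cusp forms, while level 11 is the smallest level with a non-zero one.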


11.10 Congruences

Part of Theorem 21 is that the conductor and hence the level of modular representations attached to abelian varieties can be much smaller than the conductor of the $\ell$-adic representation. This means that different eigenforms are congruent modulo certain primes. Hence the corresponding non-isogenous factors of $J_1(n)$ have finite subschemes which are Galois isomorphic.


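11.10.1 The Height Conjecture for Elliptic Curves

Take $E$ over $\mathbb{Q}$ and

$\varphi : X_0(N_E) \to E$

a minimal parametrization. Let $\omega_E$ be the Néron differential of $E$ and define $\omega_E^* := \varphi^*(\omega_E)$. Then

$h(E) = -\frac{1}{2} \log \left( \frac{1}{2\pi} \int_{E(\mathbb{C})} |\omega_E \wedge \overline{\omega}_E| \right)$

and so

$h(E) = -\frac{1}{2} \log \left( \frac{1}{2\pi \deg \varphi} \int_{X_0(N)} |\omega_E^* \wedge \overline{\omega}_E^*| \right) = -\frac{1}{2} \log \left( \frac{c^2}{2\pi \deg \varphi} \int_{U_{N_E}} |f_E|^2 \, dz \right)$

where $\deg \varphi$ is the degree of $\varphi$, $c \in \mathbb{Z}$ and conjecturally 1, and $U_{N_E}$ is a fundamental domain of $\mathbb{H}^*$ modulo $\Gamma_0(N_E)$.

Theorem 23 (F.-Mai-Murty) The height conjecture over $\mathbb{Q}$ is true iff $\log \deg(\varphi) = O(\log N_E)$.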


Interpretation of $\deg \varphi$

$\varphi^*(E) = E^*$ is an elliptic subvariety of $J_0(N_E)$ which occurs with multiplicity 1. Let $B$ be the kernel of $\varphi_*$. Then $E^*/B$ is a finite group scheme $K$. We can assume that $E$ has no rational cyclic isogeny (Mazur) and so $K = E[n]$ for some $n$. It follows that the degree of $\varphi$ is equal to $n$. Hence the height conjecture is true iff for all elliptic curves $E$

$\log |E^* \cap B| = O(\log N_E).$

By using the elliptic curves

$E_{A,B} : Y^2 = X(X - A)(X - B)$

one shows

Theorem 24 (F.-Mai-Murty) The ABC-conjecture over $\mathbb{Q}$ is equivalent to the degree conjecture.
