Imaginary hyperelliptic curve

From Wikipedia, the free encyclopedia
Jump to: navigation, search

A hyperelliptic curve is a particular kind of algebraic curve. There exist hyperelliptic curves of every genus g \geq 1. If the genus of a hyperelliptic curve equals 1, we simply call the curve an elliptic curve. Hence we can see hyperelliptic curves as generalizations of elliptic curves. There is a well-known group structure on the set of points lying on an elliptic curve over some field K, which we can describe geometrically with chords and tangents. Generalizing this group structure to the hyperelliptic case is not straightforward. We cannot define the same group law on the set of points lying on a hyperelliptic curve, instead a group structure can be defined on the so-called Jacobian of a hyperelliptic curve. The computations differ depending on the number of points at infinity. This article is about imaginary hyperelliptic curves, these are hyperelliptic curves with exactly 1 point at infinity. Real hyperelliptic curves have two points at infinity.

Formal definition[edit]

Hyperelliptic curves can be defined over fields of any characteristic. Hence we consider an arbitrary field K and its algebraic closure \overline{K}. An (imaginary) hyperelliptic curve of genus g over K is given by an equation of the form

C : y^2 + h(x) y = f(x) \in K[x,y]

where h(x) \in K[x] is a polynomial of degree not larger than g and f(x) \in K[x] is a monic polynomial of degree 2g + 1. Furthermore we require the curve to have no singular points. In our setting, this entails that no point (x,y) \in \overline{K} \times \overline{K} satisfies both y^2 + h(x) y = f(x) and the equations 2y + h(x) = 0 and h'(x)y = f'(x). This definition differs from the definition of a general hyperelliptic curve in the fact that f can also have degree 2g+2 in the general case. From now on we drop the adjective imaginary and simply talk about hyperelliptic curves, as is often done in literature. Note that the case g = 1 corresponds to f being a cubic polynomial, agreeing with the definition of an elliptic curve. If we view the curve as lying in the projective plane \mathbb{P}^2(K) with coordinates (X:Y:Z), we see that there is a particular point lying on the curve, namely the point at infinity (0:1:0) denoted by O. So we could write C = \{ (x,y) \in K^2 | y^2 + h(x) y = f(x) \} \cup \{ O \} .

Suppose the point P = (a,b) not equal to O lies on the curve and consider \overline{P} = (a, -b-h(a)). As (-b-h(a))^2 + h(a)(-b-h(a)) can be simplified to b^2 +h(a) b, we see that \overline{P} is also a point on the curve. \overline{P} is called the opposite of P and P is called a Weierstrass point if P = \overline{P}, i.e. h(a) = -2b. Furthermore, the opposite of O is simply defined as \overline{O} = O.

Alternative definition[edit]

The definition of a hyperelliptic curve can be slightly simplified if we require that the characteristic of K is not equal to 2. To see this we consider the change of variables x \rightarrow x and y \rightarrow y - \frac{h(x)}{2}, which makes sense if char(K) \not= 2. Under this change of variables we rewrite y^2 + h(x) y = f(x) to  \left(y - \frac{h(x)}{2} \right)^2 + h(x) \left(y - \frac{h(x)}{2}\right) = f(x) which, in turn, can be rewritten to y^2 = f(x) + \frac{h(x)^2}{4}. As \deg(h) \leq g we know that \deg(h^2) \leq 2g and hence f(x) + \frac{h(x)^2}{4} is a monic polynomial of degree 2g + 1. This means that over a field K with char(K) \not= 2 every hyperelliptic curve of genus g is isomorphic to one given by an equation of the form C : y^2 = f (x) where f is a monic polynomial of degree 2g + 1 and the curve has no singular points. Note that for curves of this form it is easy to check whether the non-singularity criterion is met. A point P = (a,b) on the curve is singular if and only if b = 0 and f'(a) = 0. As  b = 0 and  b^2 = f(a) , it must be the case that f(a) = 0 and thus  a is a multiple root of  f . We conclude that the curve C : y^2 = f(x) has no singular points if and only if  f has no multiple roots. Even though the definition of a hyperelliptic curve is quite easy when char(K) \not=2, we should not forget about fields of characteristic 2 as hyperelliptic curve cryptography makes extensive use of such fields.


Figure 1: Example of a hyperelliptic curve

As an example consider C : y^2 = f(x) where f(x) = x^5 - 2x^4-7x^3 + 8x^2 + 12x = x (x + 1) (x - 3) (x + 2) (x - 2) over \mathbb{R}. As f has degree 5 and the roots are all distinct, C is a curve of genus g = 2. Its graph is depicted in Figure 1.

From this picture it is immediately clear that we cannot use the chords and tangents method to define a group law on the set of points of a hyperelliptic curve. The group law on elliptic curves is based on the fact that a straight line through two points lying on an elliptic curve has a unique third intersection point with the curve. Note that this is always true since O lies on the curve. From the graph of C it is clear that this does not need to hold for an arbitrary hyperelliptic curve. Actually, Bézout's theorem states that a straight line and a hyperelliptic curve of genus 2 intersect in 5 points. So, a straight line through two point lying on C does not have a unique third intersection point, it has three other intersection points.

Coordinate ring[edit]

The coordinate ring of C over K is defined as


The polynomial \,r(x,y)=y^2+h(x)y-f(x) is irreducible over \overline{K}, so


is an integral domain.
Proof. If r (x,y) were reducible over \overline{K}, it would factor as (y - u(x)) · (y - v(x)) for some u,v\overline{K}. But then u(x) · v(x)= f(x) so it has degree 2g + 1, and u(x) + v(x) = h(x) so it has degree smaller than g, which is impossible.

Note that any polynomial function G(x,y)\in\overline{K}[C] can be written uniquely as

\,G(x,y)=u(x)-v(x)y   with u(x), v(x) \overline{K}[x]

Norm and degree[edit]

The conjugate of a polynomial function G(x,y) = u(x) - v(x)y in \overline{K}[C] is defined to be


The norm of G is the polynomial function N(G)=G\overline{G}. Note that N(G) = u(x)2 + u(x)v(x)h(x) - v(x)2f(x), so N(G) is a polynomial in only one variable.

If G(x,y) = u(x) - v(x) · y, then the degree of G is defined as




Function field[edit]

The function field K(C) of C over K is the field of fractions of K[C], and the function field \overline{K}(C) of C over \overline{K} is the field of fractions of \overline{K}[C]. The elements of \overline{K}(C) are called rational functions on C. For R such a rational function, and P a finite point on C, R is said to be defined at P if there exist polynomial functions G, H such that R = G/H and H(P) ≠ 0, and then the value of R at P is


For P a point on C that is not finite, i.e. P = O, we define R(P) as:

If \;\deg(G)<\deg(H)  then R(O)=0, i.e. R has a zero at O.
If \;\deg(G)>\deg(H)  then R(O)  is not defined, i.e. R has a pole at O.
If \;\deg(G)=\deg(H)  then R(O)  is the ratio of the leading coefficients of G and H.

For R\in\overline{K}(C)^* and P\in C,

If \;R(P)=0 then R is said to have a zero at P,
If R is not defined at P then R is said to have a pole at P, and we write R(P)=\infty.

Order of a polynomial function at a point[edit]

For G=u(x)-v(x)\cdot y\in\overline{K}[C]^2 and P\in C, the order of G at P is defined as:

\;ord_P(G)=r+s if P = (a,b) is a finite point which is not Weierstrass. Here r is the highest power of (x-a) which divides both u(x) and v(x). Write G(x,y) = (x - a)r(u0(x) - v0(x)y) and if u0(a) - v0(a)b = 0, then s is the highest power of (x - a) which divides N(u0(x) - v0(x)y) = u02 + u0v0h - v02f, otherwise, s = 0.
\;ord_P(G)=2r+s if P = (a,b) is a finite Weierstrass point, with r and s as above.
\;ord_P(G)=-\deg(G) if P = O.

The divisor and the Jacobian[edit]

In order to define the Jacobian, we first need the notion of a divisor. Consider a hyperelliptic curve C over some field K. Then we define a divisor D to be a formal sum of points in C, i.e. D = \sum_{P \in C}{c_P [P]} where c_P \in\Z and furthermore \{c_P | c_P \not= 0 \} is a finite set. This means that a divisor is a finite formal sum of scalar multiples of points. Note that there is no simplification of c_P[P] given by a single point (as one might expect from the analogy with elliptic curves). Furthermore we define the degree of D as \deg(D) = \sum_{P \in C}{c_P} \in \Z. The set of all divisors \mathrm{Div}(C) of the curve C forms an Abelian group where the addition is defined pointwise as follows \sum_{P \in C}{c_P [P]} + \sum_{P \in C}{d_P [P]} = \sum_{P \in C}{(c_P + d_P)[P]}. It is easy to see that 0 = \sum_{P \in C}{0 [P]} acts as the identity element and that the inverse of \sum_{P \in C}{c_P [P]} equals \sum_{P \in C}{-c_P [P]}. The set \mathrm{Div}^0(C) = \{D \in \mathrm{Div}(C) | \deg(D) = 0\} of all divisors of degree 0 can easily be checked to be a subgroup of \mathrm{Div}(C).
Proof. Consider the map \varphi : \mathrm{Div}(C) \rightarrow \mathbb{Z} defined by  \varphi(D) = \deg(D), note that \mathbb{Z} forms a group under the usual addition. Then \varphi(\sum_{P \in C}{c_P [P]} + \sum_{P \in C}{d_P [P]}) = \varphi( \sum_{P \in C}{(c_P + d_P)[P]}) = \sum_{P \in C}{c_P + d_P} = \sum_{P \in C}{c_p} + \sum_{P \in C}{d_p} = \varphi(\sum_{P \in C}{c_P [P]}) + \varphi(\sum_{P \in C}{d_P [P]}) and hence  \varphi is a group homomorphism. Now, \mathrm{Div}^0(C) is the kernel of this homomorphism and thus it is a subgroup of \mathrm{Div}(C).

Consider a function f \in \overline{K}(C)^{*}, then we can look at the formal sum div(f) = \sum_{P \in C}{\mathrm{ord}_{P}(f)[P]}. Here ord_{P}(f) denotes the order of f at P. We have that ord_{P}(f) < 0 if f has a pole of order -ord_{P}(f) at P, ord_{P}(f) = 0 if f is defined and non-zero at P and ord_{P}(f) >0 if f has a zero of order ord_{P}(f) at P.[1] It can be shown that f has only a finite number of zeroes and poles,[2] and thus only finitely many of the ord_{P}(f) are non-zero. This implies that div(f) is a divisor. Moreover, as \sum_{P \in C}{\mathrm{ord}_{P}(f)} = 0,[2] it is the case that div(f) is a divisor of degree 0. Such divisors, i.e. divisors coming from some rational function f, are called principal divisors and the set of all principal divisors \mathrm{Princ}(C) is a subgroup of \mathrm{Div}^0(C).
Proof. The identity element 0 = \sum_{P \in C}{0 [P]} comes from a constant function which is non-zero. Suppose D_1 = \sum_{P \in C}{\mathrm{ord}_{P}(f)[P]}, D_2 = \sum_{P \in C}{\mathrm{ord}_{P}(g)[P]} \in \mathrm{Princ}(C) are two principal divisors coming from f and g respectively. Then D_1 - D_2 = \sum_{P \in C}{(\mathrm{ord}_{P}(f) - \mathrm{ord}_P(g))[P]} comes from the function  f/g, and thus D_1 - D_2 is a principal divisor, too. We conclude that \mathrm{Princ}(C) is closed under addition and inverses, making it into a subgroup.

We can now define the quotient group J(C) := \mathrm{Div}^0(C) / \mathrm{Princ}(C) which is called the Jacobian or the Picard group of C. Two divisors D_1, D_2 \in \mathrm{Div}^0(C) are called equivalent if they belong to the same element of J(C), this is the case if and only if D_1 - D_2 is a principal divisor. Consider for example a hyperelliptic curve C : y^2 + h(x) y = f(x) over a field K and a point P = (a,b) on C. For n \in \mathbb{Z}_{>0} the rational function f(x) = (x-a)^n has a zero of order n at both P and \overline{P} and it has a pole of order 2n at O. Therefore we find div(f) = nP + n\overline{P} - 2n O and we can simplify this to div(f) = 2nP - 2nO if P is a Weierstrass point.

Example: the Jacobian of an elliptic curve[edit]

For elliptic curves the Jacobian turns out to simply be isomorphic to the usual group on the set of points on this curve, this is basically a corollary of the Abel-Jacobi theorem. To see this consider an elliptic curve E over a field K. The first step is to relate a divisor D to every point P on the curve. To a point P on E we associate the divisor D_P = 1 [P] - 1 [O], in particular O in linked to the identity element O-O=0. In a straightforward fashion we can now relate an element of J(E) to each point P by linking P to the class of D_P, denoted by [D_P]. Then the map \varphi: E \rightarrow J(E) from the group of points on E to the Jacobian of E defined by \varphi(P) = [D_P] is a group homomorphism. This can be shown by looking at three points on E adding up to O, i.e. we take P,Q,R \in E with P + Q + R = O or P+Q = -R. We now relate the addition law on the Jacobian to the geometric group law on elliptic curves. Adding P and Q geometrically means drawing a straight line through P and Q, this line intersects the curve in one other point. We then define P+Q as the opposite of this point. Hence in the case P+Q+R=O we have that these three points are collinear, thus there is some linear f \in K[x,y] such that P, Q and R satisfy f(x,y) = 0. Now, \varphi(P) + \varphi(Q) + \varphi(R) = [D_P] + [D_Q] + [D_R] = [[P] + [Q] + [R] - 3[O]] which is the identity element of J(E) as [P] + [Q] + [R] - 3[O] is the divisor on the rational function f and thus it is a principal divisor. We conclude that \varphi(P) + \varphi(Q)+ \varphi(R) = \varphi(O) = \varphi(P+Q+R).

The Abel-Jacobi theorem states that a divisor D = \sum_{P \in E}{c_P [P]} is principal if and only if D has degree 0 and \sum_{P \in E}{c_P P} = O under the usual addition law for points on cubic curves. As two divisors D_1, D_2 \in \mathrm{Div}^0(E) are equivalent if and only if D_1 - D_2 is principal, we conclude that D_1 = \sum_{P \in E}{c_P [P]} and D_2 = \sum_{P \in E}{d_P [P]} are equivalent if and only if  \sum_{P \in E}{c_P P} = \sum_{P \in E}{d_P P}. Now, every nontrivial divisor of degree 0 is equivalent to a divisor of the form  [P] - [O], this implies that we have found a way to ascribe a point on E to every class [D_P]. Namely, to [D_P] = [1 [P] - 1 [O]] we ascribe the point  (P - O)+O = P. This maps extends to the neutral element 0 which is maped to 0+O=O. As such the map \psi: J(E) \rightarrow E defined by \psi([D_P]) = P is the inverse of \varphi. So \varphi is in fact a group isomorphism, proving that E and J(E) are isomorphic.

The Jacobian of a hyperelliptic curve[edit]

The general hyperelliptic case is a bit more complicated. Consider a hyperelliptic curve C: y^2 + h(x) y = f(x) of genus g over a field K. A divisor D of C is called reduced if it has the form D = \sum_{i = 1}^{k}{[P_i]} - k [O] where k \leq g, P_i \not= O for all i = 1,...,k and P_i \not= \overline{P_j} for i \not= j. Note that a reduced divisor always has degree 0, also it is possible that P_i = P_j if i \not= j, but only if P_i is not a Weierstrass point. It can be proven that for each divisor D \in \mathrm{Div}^0(C) there is a unique reduced divisor D' such that D is equivalent to D'.[3] Hence every class of the quotient group J(C) has precisely one reduced divisor. Instead of looking at J(C) we can thus look at the set of all reduced divisors.

Reduced divisors and their Mumford representation[edit]

A convenient way to look at reduced divisors is via their Mumford representation. A divisor in this representation consists of a pair of polynomials u,v \in K[x] such that u is monic, \deg(v) < \deg(u) \leq g and u | v^2 + vh - f. Every non-trivial reduced divisor can be represented by a unique pair of such polynomials. This can be seen by factoring u(x) = \prod_{i = 1}^{k}{(x-x_i)} in \overline{K} which can be done as such as u is monic. The last condition on u and v then implies that the point P_i = (x_i, v(x_i)) lies on C for every i = 1,...,k. Thus D = \sum_{i = 1}^{k}{[P_i]} - k[O] is a divisor and in fact it can be shown to be a reduced divisor. For example the condition \deg(u) \leq g ensures that k \leq g. This gives the 1-1 correspondence between reduced divisors and divisors in Mumford representation. As an example, 0 = \sum_{P \in C}{0 [P]} is the unique reduced divisor belonging to the identity element of J(C). Its Mumford representation is u(x) = 1 and v(x) = 0. Going back and forth between reduced divisors and their Mumford representation is now an easy task. For example consider the hyperelliptic curve C : y^2 = x^5 -4 x^4 -14x^3 +36x^2 + 45 x = x (x + 1) (x - 3) (x + 3) (x - 5) of genus 2 over the real numbers. We can find the following points on the curve P = (1,8), Q = (3,0) and R= (5,0). Then we can define reduced divisors D = [P] + [Q] - 2[O] and D'= [P] + [R] - 2[O]. The Mumford representation of D consists of polynomials u and v with \deg(v) < \deg(u) \leq g = 2 and we know that the first coordinates of P and Q, i.e. 1 and 3, must be zeroes of u. Hence we have u(x) = (x-1)(x-3) = x^2-4x+3. As P = (1,v(1)) and Q = (3, v(3)) it must be the case that v(1) = 8 and v(3) = 0 and thus v has degree 1. There is exactly one polynomial of degree 1 with these properties, namely v(x) = -4x+12. Thus the Mumford representation of D is u(x) = x^2 -4x +3 and v(x) = -4x + 12. In a similar fashion we can find the Mumford representation (u',v') of D', we have u'(x) = (x-1)(x-5) = x^2 -6x + 5 and v(x) = -2x+10. If a point P_i=(x_i,y_i) appears with multiplicity n, the polynomial v needs to satisfy \left(\frac{d}{dt}\right)^j\left[v(x)^2+v(x)h(x)-f(x)\right]_{|_{x=x_i}}=0 for 0\leq j\leq n_i-1.

Cantor's algorithm[edit]

There is an algorithm which takes two reduced divisors D_1 and D_2 in their Mumford representation and produces the unique reduced divisor D, again in its Mumford representation, such that D is equivalent to D_1 + D_2.[4] As every element of the Jacobian can be represented by the one reduced divisor it contains, the algorithm allows to perform the group operation on these reduced divisors given in their Mumford representation. The algorithm was originally developed by David G. Cantor (not to be confused with Georg Cantor), explaining the name of the algorithm. Cantor only looked at the case h(x) = 0, the general case is due to Koblitz. The input is two reduced divisors D_1 = (u_1,v_1) and D_2= (u_2,v_2) in their Mumford representation of the hyperelliptic curve C: y^2 + h(x) y = f(x) of genus g over the field K. The algorithm works as follows

  1. Using the extended Euclidean algorithm compute the polynomials d_1, e_1,e_2 \in K[x] such that d_1 = \gcd(u_1,u_2) and d_1 = e_1 u_1 + e_2 u_2.
  2. Again with the use of the extended Euclidean algorithm compute the polynomials d, c_1,c_2 \in K[x] with d = \gcd(d_1,v_1 + v_2 + h) and d = c_1d_1 + c_2(v_1+v_2+ h).
  3. Put s_1 = c_1e_1, s_2 = c_1e_2 and s_3 = c_2, which gives d = s_1u_1 + s_2 u_2 +s_3(v_1+v_2+h).
  4. Set u = \frac{u_1u_2}{d^2} and v = \frac{s_1u_1v_2 + s_2u_2v_1 + s_3 (v_1v_2 +f)}{d} \mod u.
  5. Set u'= \frac{f - vh -v^2}{u} and v'= -h-v \mod u'.
  6. If \deg(u') > g, then set u = u' and v = v' and repeat step 5 until \deg(u') \leq g.
  7. Make u' monic by dividing through its leading coefficient.
  8. Output D = (u', v').

The proof that the algorithm is correct can be found in .[5]


As an example consider the curve

C : y^2 = x^5 -4 x^4 -14x^3 +36x^2 + 45 x = x (x + 1) (x - 3) (x + 3) (x - 5)

of genus 2 over the real numbers. For the points

P = (1,8), Q = (3,0) and R= (5,0)

and the reduced divisors

D_1 = [P] + [Q] - 2[O] and D_2= [P] + [R] - 2[O]

we know that

(u_1 = x^2-4x+3, v_1 = -4x+12), and
(u_2 = x^2-6x+5, v_2 = -2x+10)

are the Mumford representations of D_1 and D_2 respectively.

We can compute their sum using Cantor's algorithm. We begin by computing

d_1 = \gcd(u_1,u_2) = x-1, and
d_1 = e_1 u_1 + e_2 u_2

for e_1 = \frac{1}{2}, and e_2 = - \frac{1}{2}.

In the second step we find

d = \gcd(d_1,v_1 + v_2 + h) = \gcd(x-1,-6x+22) = 1 and
1 = c_1d_1 + c_2(v_1+v_2+ h)

for c_1 = \frac{3}{8} and c_2 = \frac{1}{16}.

Now we can compute

s_1 = c_1e_1 = \frac{3}{16},
s_2 = c_1e_2 = - \frac{3}{16} and
s_3 = c_2 = \frac{1}{16}.


u = \frac{u_1u_2}{d^2} = u_1u_2= x^4 -10x^3 +32x^2 -38x +15 and
v = \frac{s_1u_1v_2 + s_2u_2v_1 + s_3 (v_1v_2 +f)}{d} \mod u
= \frac{1}{16}(x^5 - 4x^4 -8x^3 -10x^2 +119x + 30 ) \mod u
= \frac{1}{4}(5x^3 -41x^2+83x-15).

Lastly we find

u'= \frac{f -v^2}{u} = \frac{1}{16}(-25x^2 +176x -15 ) and
v'= -v \mod u' = -\frac{72}{125}(17x-5).

After making u' monic we conclude that

D = (-25x^2 +176x -15 , -\frac{72}{125}(17x-5))

is equivalent to D_1 + D_2.

More on Cantor's algorithm[edit]

Cantor's algorithm as presented here has a general form, it holds for hyperelliptic curves of any genus and over any field. However, the algorithm is not very efficient. For example, it requires the use of the extended Euclidean algorithm. If we fix the genus of the curve or the characteristic of the field (or both), we can make the algorithm more efficient. For some special cases we even get explicit addition and doubling formulas which are very fast. For example, there are explicit formulas for hyperelliptic curves of genus 2[6] [7] and genus 3.

For hyperelliptic curves it is also fairly easy to visualize the adding of two reduced divisors. Suppose we have a hyperelliptic curve of genus 2 over the real numbers of the form

C: y^2 = f(x)

and two reduced divisors

D_1 = [P] + [Q] - 2 [O] and
D_2 = [R] + [S] - 2 [O].

Assume that

P,Q \not= \overline{R},\overline{S},

this case has to be treated separately. There is exactly 1 cubic polynomial

a(x) = a_0x^3 + a_1 x^2 + a_2 x + a_3

going through the four points


Note here that it could be possible that for example P = Q, hence we must take multiplicities into account. Putting y = a(x) we find that

y^2 = f(x) = a^2(x)

and hence

f(x) - a^2(x) = 0.

As f(x)-a^2(x) is a polynomial of degree 6, we have that f(x) - a^2(x) has six zeroes and hence a(x) has besides P,Q,R,S two more intersection points with C, call them T and U, with T \not= \overline{U}. Now, P,Q,R,S,T,U are intersection points of C with an algebraic curve. As such we know that the divisor

D = [P] + [Q] + [R] + [S] + [T] + [U] - 6 [O]

is principal which implies that the divisor

[P] + [Q] + [R] + [S] -4[O]

is equivalent to the divisor

-([T] + [U] -2 [O]).

Furthermore the divisor

[P] + [\overline{P}] - 2[O]

is principal for every point P = (a,b) on C as it comes from the rational function b(x) = x-a. This gives that -([P]-[O]) and [\overline{P}] - [O] are equivalent. Combining these two properties we conclude that

D_1 + D_2 = ([P] + [Q] - 2[O]) + ([R] + [S] - 2[O])

is equivalent to the reduced divisor

[\overline{T}] + [\overline{U}] - 2[O].

In a picture this looks like Figure 2. It is possible to explicitly compute the coefficients of a(x), in this way we can arrive at explicit formulas for adding two reduced divisors.

Figure 2: Example of adding two elements of the Jacobian