© 2008 by Taylor & Francis Group, LLC
CHAPTER 10 COMPLEX MULTIPLICATION
SECTION 10.4 NUMERICAL EXAMPLES

The above technique can be used to produce an elliptic curve $E$ and a prime $p$ such that $E(\mathbf{F}_p)$ is a desired group (when such a curve exists). For example, suppose we want
$$E(\mathbf{F}_p) \simeq \mathbf{Z}_2 \oplus \mathbf{Z}_2 \oplus \mathbf{Z}_{63}.$$
We take
$$N = 252, \quad p = 271, \quad a_p = 20,$$
so $N = p + 1 - a_p$. We choose
$$\tau = \frac{-1 + \sqrt{-171}}{2}.$$
As we'll see below, this choice imposes certain congruence conditions on the Frobenius map that force $E(\mathbf{F}_p)$ to have the desired form. We computed the polynomial satisfied by $j(\tau)$ above. This polynomial has the root 5 mod 271. Putting this value into the formula (10.4) yields the elliptic curve $E$ given by

$$y^2 = x^3 + 70x + 137 \pmod{271}.$$

It has 252 points and has complex multiplication by the order
$$R = \mathbf{Z}\left[\frac{1 + \sqrt{-171}}{2}\right]$$
of discriminant $-171 = a_p^2 - 4p$. The characteristic polynomial of the Frobenius endomorphism $\phi_p$ is
$$X^2 - 20X + 271,$$
so $\phi_p$ corresponds to a root $10 \pm \sqrt{-171}$. The choice of sign is irrelevant for our purposes (it corresponds to how we choose to identify $R$ with the endomorphism ring), so we assume
$$\phi_p = 10 + \sqrt{-171}.$$

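Therefore,
$$\phi_p = 1 + 2\left(4 + \frac{1 + \sqrt{-171}}{2}\right) \equiv 1 \pmod{2R}.$$
It follows that $\phi_p$ acts as the identity on points of order 2, so $E(\mathbf{F}_p)$ has a subgroup isomorphic to $\mathbf{Z}_2 \oplus \mathbf{Z}_2$. In fact,

$$E[2] = \{\infty, (40, 0), (56, 0), (175, 0)\} \subset E(\mathbf{F}_p).$$

Since $252 = 4 \times 63$,
$$E(\mathbf{F}_p) \simeq \mathbf{Z}_2 \oplus \mathbf{Z}_2 \oplus \mathbf{Z}_{63}.$$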
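A brute-force check of the example above, added here and not taken from the book: it rebuilds $A$ and $B$ from $j = 5$, counts $E(\mathbf{F}_{271})$, lists the points with $y = 0$, and reads the group structure off the largest element order. The function names are illustrative, and the curve-from-$j$ formula is the one quoted in Section 10.5 of this page, assumed here to be the book's formula (10.4) because it reproduces $A = 70$, $B = 137$.

```python
# Added example (not from the book): brute-force checks for the Section 10.4 curve.
P_MOD, A, B = 271, 70, 137        # y^2 = x^3 + 70x + 137 (mod 271), from the text

def curve_from_j(j, p):
    """A = 3j/(1728-j), B = 2j/(1728-j) mod p; requires j != 0, 1728."""
    inv = pow((1728 - j) % p, -1, p)
    return 3 * j * inv % p, 2 * j * inv % p

def j_invariant(a, b, p):
    """j = 6912 A^3 / (4A^3 + 27B^2) mod p."""
    return 6912 * a**3 * pow((4 * a**3 + 27 * b**2) % p, -1, p) % p

def add(p1, p2, a, p):
    """Affine chord-and-tangent addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # P + (-P), including doubling a 2-torsion point
    if p1 == p2:
        m = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return x3, (m * (x1 - x3) - y1) % p

def points(a, b, p):
    """Every point of E(F_p), infinity first, then by increasing x."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [None] + [(x, y) for x in range(p)
                     for y in roots.get((x**3 + a * x + b) % p, [])]

def order(pt, a, p):
    """Order of pt by repeated addition (fine for a 252-element group)."""
    n, q = 1, pt
    while q is not None:
        q, n = add(q, pt, a, p), n + 1
    return n

def group_structure(a, b, p):
    """(n1, n2) with n1 | n2 and E(F_p) isomorphic to Z_n1 + Z_n2."""
    pts = points(a, b, p)
    n2 = max(order(pt, a, p) for pt in pts)   # exponent = largest element order
    return len(pts) // n2, n2

def two_torsion(a, b, p):
    return [pt for pt in points(a, b, p) if pt is not None and pt[1] == 0]
```

`group_structure(A, B, P_MOD)` returns the invariant-factor form $(2, 126)$, and $\mathbf{Z}_2 \oplus \mathbf{Z}_{126} \simeq \mathbf{Z}_2 \oplus \mathbf{Z}_2 \oplus \mathbf{Z}_{63}$ because 2 and 63 are coprime. The same check catches a curve whose order matches but whose group is not the intended one.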

If we instead want the group to be cyclic of order 252, we could use $R = \mathbf{Z}[\sqrt{-171}]$ so that $\phi_p$ would not be congruent to 1 mod 2 or mod 3. We would then find a new set of $\tau_k$ corresponding to the discriminant $-4 \cdot 171$, a new $j$-invariant mod $p$, and a new $E$.

If we had used $R = \mathbf{Z}\left[\frac{1 + \sqrt{-19}}{2}\right]$, then we would have obtained an elliptic curve with group isomorphic to $\mathbf{Z}_6 \oplus \mathbf{Z}_{42}$, since $\phi_p \equiv 1 \pmod{6R}$ in this case.
This technique has many uses. For example, in , the curve $E$ defined by
$$y^2 = x^3 + 3x - 31846 \pmod{158209}$$
was dedicated to Arjen Lenstra on the occasion of his thesis defense on May 16, 1984. The curve satisfies

$$E(\mathbf{F}_{158209}) \simeq \mathbf{Z}_5 \oplus \mathbf{Z}_{16} \oplus \mathbf{Z}_{1984}.$$

(If the defense had been one month later, such a dedication would have been
impossible.) Finding elliptic curves with groups that are cyclic of large prime
order is very useful in cryptography (see Chapter 6). Finding elliptic curves of
a given order is also useful in primality proving (see Section 7.2). A detailed
discussion of the problem, with improvements on the method presented here,

10.5 Kronecker's Jugendtraum
The Kronecker-Weber theorem says that if $K/\mathbf{Q}$ is a finite Galois extension with abelian Galois group, then

$$K \subseteq \mathbf{Q}(e^{2\pi i/n})$$

for some integer $n$. This can be viewed as saying that the abelian extensions of $\mathbf{Q}$ are generated by the values of an analytic function, namely $e^{2\pi i z}$, at rational numbers. Kronecker's Jugendtraum (youthful dream) is that the abelian extensions of an arbitrary number field might similarly be generated by special values of a naturally occurring function. This has been accomplished for imaginary quadratic fields. Some progress has also been made for certain other fields by Shimura using complex multiplication of abelian varieties (higher dimensional analogues of elliptic curves).
If $E$ is an elliptic curve given by $y^2 = x^3 + Ax + B$, then its $j$-invariant is given by $j = 6912A^3/(4A^3 + 27B^2)$. Therefore, if $E$ is defined over a field $L$, then the $j$-invariant of $E$ is contained in $L$. Conversely, if $j \ne 0, 1728$ lies in some field $L$, then the elliptic curve
$$y^2 = x^3 + \frac{3j}{1728 - j}\,x + \frac{2j}{1728 - j}$$
is defined over $L$ and has $j$-invariant equal to $j \in L$. Therefore, for any $j$ there is an elliptic curve with $j$-invariant equal to $j$ defined over the field generated by $j$.

THEOREM 10.16
Let $K = \mathbf{Q}(\sqrt{-D})$ be an imaginary quadratic field, let $\mathcal{O}_K$ be the ring of algebraic integers in $K$, and let $j = j(\mathcal{O}_K)$, where $\mathcal{O}_K$ is regarded as a lattice in $\mathbf{C}$. Let $E$ be an elliptic curve defined over $K(j)$ with $j$-invariant equal to $j$.
1. Assume $K \ne \mathbf{Q}(i), \mathbf{Q}(e^{2\pi i/3})$. Let $F$ be the field generated over $K(j)$ by the $x$-coordinates of the torsion points in $E(\overline{\mathbf{Q}})$. Then $F/K$ has abelian Galois group, and every extension of $K$ with abelian Galois group is contained in $F$.
2. If $K = \mathbf{Q}(i)$, the result of (1) holds when $F$ is the extension generated by the squares of the $x$-coordinates of the torsion points.
3. If $K = \mathbf{Q}(e^{2\pi i/3})$, the result of (1) holds when $F$ is the extension generated by the cubes of the $x$-coordinates of the torsion points.

For a proof, see, for example, [111, p. 135] or . Note that $j(\mathcal{O}_K)$ is algebraic, by Proposition 10.4. The $j$-invariant determines the lattice for the elliptic curve up to homothety (Corollary 9.20), so an elliptic curve with invariant $j(\mathcal{O}_K)$ automatically has complex multiplication by $\mathcal{O}_K$.
The $x$-coordinates of the torsion points are of the form

$$\wp(r_1\omega_1 + r_2\omega_2), \quad r_1, r_2 \in \mathbf{Q},$$

where $\wp$ is the Weierstrass $\wp$-function for the lattice for $E$. Therefore, the abelian extensions of $K$ are generated by $j(\mathcal{O}_K)$ and special values of the function $\wp$. This is very much the analogue of the Kronecker-Weber theorem.
There is much more that can be said on this subject. See, for example,
 and .

Exercises
10.1 Let $K = \mathbf{Q}(\sqrt{d})$ and $K' = \mathbf{Q}(\sqrt{d'})$ be quadratic fields. Let $\beta \in K$ and $\beta' \in K'$ and assume $\beta, \beta' \notin \mathbf{Q}$. Suppose that $\beta + \beta'$ lies in a quadratic field. Show that $K = K'$. (Hint: It suffices to consider the case $\beta = a\sqrt{d}$ and $\beta' = b\sqrt{d'}$. Let $\alpha = \beta + \beta'$. Show that if $\alpha$ is a root of a quadratic polynomial with coefficients in $\mathbf{Q}$, then we can solve for $\sqrt{d}$, say, in terms of $\sqrt{d'}$ and obtain $\sqrt{d} \in K'$.)


10.2 Let $R$ be an order in an imaginary quadratic field. Regard $R$ as a subset of $\mathbf{C}$. Show that if $r \in R$, then its complex conjugate $\bar{r}$ is also in $R$. This means that if $L$ is a lattice with complex multiplication by $R$, then there are two ways to embed $R$ into the endomorphisms of $L$, namely via the assumed inclusion of $R$ in $\mathbf{C}$ and also via the complex conjugate embedding (that is, if $r \in R$ and $\in L$, define $r \ast = r$ ). This means that when we say that $R$ is contained in the endomorphism ring of a lattice or of an elliptic curve, we should specify which embedding we are using. For elliptic curves over $\mathbf{C}$, this is not a problem, since we can implicitly regard $R$ as a subset of $\mathbf{C}$ and take the action of $R$ on $L$ as being the usual multiplication. But for elliptic curves over fields of positive characteristic, we cannot use this complex embedding.
10.3 Use the fact that $\mathbf{Z}\left[\frac{1 + \sqrt{-43}}{2}\right]$ is a principal ideal domain to show that $e^{\pi\sqrt{43}}$ is very close to an integer.
10.4 Let $x = a + bi + cj + dk$ lie in the Hamiltonian quaternions.
(a) Show that
$$(a + bi + cj + dk)(a - bi - cj - dk) = a^2 + b^2 + c^2 + d^2.$$

(b) Show that if $x \ne 0$, then there exists a quaternion $y$ such that $xy = 1$.
(c) Show that if we allow $a, b, c, d \in \mathbf{Q}_2$ (= the 2-adics), then $a^2 + b^2 + c^2 + d^2 = 0$ if and only if $a = b = c = d = 0$. (Hint: Clearing denominators reduces this to showing that $a^2 + b^2 + c^2 + d^2 \equiv 0 \pmod{8}$ implies that $a, b, c, d \equiv 0 \pmod{8}$.)
(d) Show that if $x, y$ are nonzero Hamiltonian quaternions with 2-adic coefficients, then $xy \ne 0$.
(e) Let $p$ be an odd prime. Show that the number of squares $a^2$ mod $p$, including 0, is $(p + 1)/2$ and that the number of elements of $\mathbf{F}_p$ of the form $1 - b^2 \pmod{p}$ is also $(p + 1)/2$.
(f) Show that if $p$ is a prime, then $a^2 + b^2 + 1 \equiv 0 \pmod{p}$ has a solution $a, b$.
(g) Use Hensel's lemma (see Appendix A) to show that if $p$ is an odd prime, then there exist $a, b \in \mathbf{Q}_p$ such that $a^2 + b^2 + 1 = 0$. (The hypotheses of Hensel's lemma are not satisfied when $p = 2$.)
(h) Let $p$ be an odd prime. Show that there are nonzero Hamiltonian quaternions $x, y$ with $p$-adic coefficients such that $xy = 0$.
10.5 Show that a nonzero element in a definite quaternion algebra has a multiplicative inverse. (Hint: Use the ideas of parts (1) and (2) of Exercise 10.4.)
