Cryptography Reference
The partial derivatives evaluated at $(0, \alpha)$ are $2\alpha + H_d$ and $H_{d-1}\alpha - F_{2d-1}$. When $\operatorname{char}(k) \ne 2$ the point being singular would imply $H_d = -2\alpha$, in which case $F_{2d} = \alpha^2 + H_d\alpha = -\alpha^2 = -(H_d/2)^2$ and $F_{2d-1} = H_{d-1}\alpha = -H_d H_{d-1}/2$. One easily sees that these equations contradict the conditions of Lemma 10.1.8.
Hence, $C^\dagger$ is a hyperelliptic curve and $\rho : C \to C^\dagger$ is a birational map. It follows that $\rho$ induces a morphism between the corresponding projective curves. The point(s) $(0, \alpha)$ are the images of the point(s) at infinity on $C$. Hence, we can use $C^\dagger$ to visualise the points at infinity on $C$.
Up to now the phrase “hyperelliptic curve” has meant a projective non-singular curve of genus $g \ge 2$ that has an affine model as a hyperelliptic equation. Definition 10.1.10 gives an equivalent formulation that will be used throughout the topic. Technically, this is an abuse of notation since $C$ is not projective.
Definition 10.1.10 Let $k$ be a perfect field. Let $H(x), F(x) \in k[x]$ be such that:
$\deg(H(x)) \ge 3$ or $\deg(F(x)) \ge 5$;
the affine hyperelliptic equation $C : y^2 + H(x)y = F(x)$ is $k$-irreducible and non-singular;
the conditions of Lemma 10.1.6 and Lemma 10.1.8 hold.
Then $C$ is called a hyperelliptic curve. The genus of the hyperelliptic curve is $g = \max\{\deg(H(x)) - 1, \lfloor(\deg(F(x)) - 1)/2\rfloor\}$ (see Section 10.1.3 for justification of this).
It looks like Definition 10.1.10 excludes some potentially interesting equations (such as $y^2 + H(x)y = F(x)$ where $\deg(F(x)) = 4$ and $\deg(H(x)) = 2$). In fact, it can be shown that all the algebraic sets excluded by the definition are either $k$-reducible, singular over $k$ or birational over $k$ to a curve of genus 0 or 1 over $k$.
The equation $\alpha^2 + H_d\alpha - F_{2d} = 0$ can have a $k$-rational repeated root, two roots in $k$, or two conjugate roots in $\overline{k}$. It follows that there are three possible behaviours at infinity: a single $k$-rational point, two distinct $k$-rational points and a pair of distinct points defined over a quadratic extension of $k$ (which are Galois conjugates). These three cases correspond to the fact that the place at infinity in $k[x]$ is ramified, split or inert respectively in the field extension $k(C)/k(x)$. A natural terminology for the three types of behaviour at infinity is therefore to call them ramified, split and inert.
Definition 10.1.11 Let $C$ be a hyperelliptic curve and let $C^\dagger$ be as in equation (10.2). Let $\rho : C \to C^\dagger$ be as above. Let $\alpha^+, \alpha^-$ be the roots in $\overline{k}$ of the polynomial $\alpha^2 + H_d\alpha - F_{2d}$. We write $\infty^+$ for the point at infinity on $C$ such that $\rho(\infty^+) = (0, \alpha^+)$ and $\infty^-$ for the point such that $\rho(\infty^-) = (0, \alpha^-)$. If $\alpha^+ = \alpha^-$ then $C$ is called a ramified model of a hyperelliptic curve. If there are two distinct points at infinity with $\alpha^+, \alpha^- \in k$ then $C$ is called a split model of a hyperelliptic curve and if $\alpha^+, \alpha^- \notin k$ then $C$ is an inert model of a hyperelliptic curve.
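The classification in Definition 10.1.11 can be computed directly over a prime field. The following is an added example, not code from the original text: it takes $k = \mathbb{F}_p$, represents $H$ and $F$ as coefficient lists (lowest degree first), and assumes $d = g + 1$ with $g$ given by the genus formula of Definition 10.1.10. The function names and sample curves are constructed for illustration, and the input is assumed to already satisfy Definition 10.1.10.

```python
# Added example: classify the points at infinity of y^2 + H(x)y = F(x) over F_p.
# Polynomials are coefficient lists, lowest degree first (constructed inputs).

def degree(poly, p):
    """Degree of a coefficient list reduced mod p (-1 for the zero polynomial)."""
    for i in range(len(poly) - 1, -1, -1):
        if poly[i] % p:
            return i
    return -1

def coeff(poly, i, p):
    """Coefficient of x^i reduced mod p (0 beyond the end of the list)."""
    return poly[i] % p if i < len(poly) else 0

def genus(H, F, p):
    """g = max{deg H - 1, floor((deg F - 1)/2)}, as in Definition 10.1.10."""
    return max(degree(H, p) - 1, (degree(F, p) - 1) // 2)

def model_at_infinity(H, F, p):
    """Return 'ramified', 'split' or 'inert' from the roots of
    alpha^2 + H_d*alpha - F_2d over F_p, with d = g + 1 (assumption)."""
    d = genus(H, F, p) + 1
    Hd, F2d = coeff(H, d, p), coeff(F, 2 * d, p)
    if p == 2:
        if Hd == 0:
            return "ramified"        # alpha^2 = F_2d has one repeated root
        # H_d = 1: alpha^2 + alpha + F_2d has roots in F_2 exactly when F_2d = 0.
        roots = [a for a in (0, 1) if (a * a + Hd * a - F2d) % 2 == 0]
        return "split" if roots else "inert"
    disc = (Hd * Hd + 4 * F2d) % p   # discriminant of the quadratic in alpha
    if disc == 0:
        return "ramified"
    # Euler's criterion: disc is a square in F_p iff disc^((p-1)/2) == 1.
    return "split" if pow(disc, (p - 1) // 2, p) == 1 else "inert"
```

An odd-degree $F$ with $\deg(H(x)) \le g$ gives $H_d = F_{2d} = 0$ and hence always the ramified case; an even-degree $F$ is split or inert according to whether the discriminant is a square in $\mathbb{F}_p$.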
One finds in the literature the names imaginary hyperelliptic curve (respectively, real hyperelliptic curve) for ramified model and split model respectively. Exercise 10.1.13