Imaginary Hyperelliptic Curve

A hyperelliptic curve is a particular kind of algebraic curve.
There exist hyperelliptic curves of every genus $g \geq 1$. If the genus of a hyperelliptic curve equals 1, we simply call the curve an elliptic curve. Hence we can see hyperelliptic curves as generalizations of elliptic curves. There is a well-known group structure on the set of points lying on an elliptic curve over some field $K$, which we can describe geometrically with chords and tangents. Generalizing this group structure to the hyperelliptic case is not straightforward. We cannot define the same group law on the set of points lying on a hyperelliptic curve, instead a group structure can be defined on the so-called Jacobian of a hyperelliptic curve. The computations differ depending on the number of points at infinity. Imaginary hyperelliptic curves are hyperelliptic curves with exactly 1 point at infinity: real hyperelliptic curves have two points at infinity.

Formal definition

Hyperelliptic curves can be defined over fields of any characteristic. Hence we consider an arbitrary field $K$ and its algebraic closure $\overline$. An (imaginary) hyperelliptic curve of genus $g$ over $K$ is given by an equation of the form
C : y^2 + h(x) y = f(x) \in K ,y
where h(x) \in K /math> is a polynomial of degree not larger than $g$ and f(x) \in K /math> is a monic polynomial of degree $2g + 1$. Furthermore, we require the curve to have no singular points. In our setting, this entails that no point $(x,y) \in \overline \times \overline$ satisfies both $y^2 + h(x) y = f(x)$ and the equations $2y + h(x) = 0$ and $h'(x)y = f'(x)$. This definition differs from the definition of a general hyperelliptic curve in the fact that $f$ can also have degree $2g+2$ in the general case. From now on we drop the adjective imaginary and simply talk about hyperelliptic curves, as is often done in literature. Note that the case $g = 1$ corresponds to $f$ being a cubic polynomial, agreeing with the definition of an elliptic curve. If we view the curve as lying in the projective plane $\mathbb^2(K)$ with coordinates $(X:Y:Z)$, we see that there is a particular point lying on the curve, namely the point at infinity $(0:1:0)$ denoted by $O$. So we could write $C = \ \cup \$.

Suppose the point $P = (a,b)$ not equal to $O$ lies on the curve and consider $\overline = (a, -b-h(a))$. As $(-b-h(a))^2 + h(a)(-b-h(a))$ can be simplified to $b^2 +h(a) b$, we see that $\overline$ is also a point on the curve. $\overline$ is called the opposite of $P$ and $P$ is called a Weierstrass point if $P = \overline$, i.e. $h(a) = -2b$. Furthermore, the opposite of $O$ is simply defined as $\overline = O$.

Alternative definition

The definition of a hyperelliptic curve can be slightly simplified if we require that the characteristic of $K$ is not equal to 2. To see this we consider the change of variables $x \rightarrow x$ and $y \rightarrow y - \frac$, which makes sense if char$(K) \not= 2$. Under this change of variables we rewrite $y^2 + h(x) y = f(x)$ to $\left(y - \frac \right)^2 + h(x) \left(y - \frac\right) = f(x)$ which, in turn, can be rewritten to $y^2 = f(x) + \frac$. As $\deg(h) \leq g$ we know that $\deg(h^2) \leq 2g$ and hence $f(x) + \frac$ is a monic polynomial of degree $2g + 1$. This means that over a field $K$ with char$(K) \not= 2$ every hyperelliptic curve of genus $g$ is isomorphic to one given by an equation of the form $C : y^2 = f (x)$ where $f$ is a monic polynomial of degree $2g + 1$ and the curve has no singular points. Note that for curves of this form it is easy to check whether the non-singularity criterion is met. A point $P = (a,b)$ on the curve is singular if and only if $b = 0$ and $f'(a) = 0$. As $b = 0$ and $b^2 = f(a)$, it must be the case that $f(a) = 0$ and thus $a$ is a multiple root of $f$. We conclude that the curve $C : y^2 = f(x)$ has no singular points if and only if $f$ has no multiple roots. Even though the definition of a hyperelliptic curve is quite easy when char$(K) \not=2$, we should not forget about fields of characteristic 2 as hyperelliptic curve cryptography makes extensive use of such fields.

Example

As an example consider $C : y^2 = f(x)$ where $f(x) = x^5 - 2x^4-7x^3 + 8x^2 + 12x = x (x + 1) (x - 3) (x + 2) (x - 2)$ over $\mathbb$. As $f$ has degree 5 and the roots are all distinct, $C$ is a curve of genus $g = 2$. Its graph is depicted in Figure 1.

From this picture it is immediately clear that we cannot use the chords and tangents method to define a group law on the set of points of a hyperelliptic curve. The group law on elliptic curves is based on the fact that a straight line through two points lying on an elliptic curve has a unique third intersection point with the curve. Note that this is always true since $O$ lies on the curve. From the graph of $C$ it is clear that this does not need to hold for an arbitrary hyperelliptic curve. Actually, Bézout's theorem states that a straight line and a hyperelliptic curve of genus 2 intersect in 5 points. So, a straight line through two point lying on $C$ does not have a unique third intersection point, it has three other intersection points.

Coordinate ring

The coordinate ring of over is defined as
:K = K ,y(y^2+h(x)y-f(x)).

The polynomial $r(x,y)=y^2+h(x)y-f(x)$ is irreducible over $\overline$, so
:\overline \overline ,y(y^2+h(x)y-f(x))
is an integral domain.

Note that any polynomial function G(x,y) \in \overline /math> can be written uniquely as

:$G(x,y)=u(x)-v(x)y$ with u(x), v(x) \in \overline /math>

Norm and degree

The conjugate of a polynomial function in \overline /math> is defined to be
:$\overline(x,y)=u(x)+v(x)(h(x)+y).$

The norm of is the polynomial function $N(G)=G\overline$. Note that , so is a polynomial in only one variable.

If , then the degree of is defined as
:\deg(G)=\max \deg(u),2g+1+2\deg(v)
Properties:
:$\deg(G) = \deg_x(N(G))$
:$\deg(GH)= \deg(G)+\deg(H)$
:$\deg(G) = \deg(\overline)$

Function field

The function field of over is the field of fractions of , and the function field $\overline(C)$ of over $\overline$ is the field of fractions of \overline /math>. The elements of $\overline(C)$ are called rational functions on .
For such a rational function, and a finite point on , is said to be defined at if there exist polynomial functions such that and , and then the value of at is
:$R(P)=G(P)/H(P).$
For a point on that is not finite, i.e. = $O$, we define as:

:If $\deg(G)<\deg(H)$ then $R(O)=0$, i.e. ''R'' has a zero at ''O''.
:If $\deg(G)>\deg(H)$ then $R(O)$ is not defined, i.e. ''R'' has a pole at ''O''.
:If $\deg(G)=\deg(H)$ then $R(O)$ is the ratio of the leading coefficients of and .

For $R\in\overline(C)^*$ and $P\in C$,
:If $R(P)=0$ then is said to have a zero at ,
:If is not defined at then is said to have a pole at , and we write $R(P) = \infty$.

Order of a polynomial function at a point

For G = u(x)-v(x)\cdot y\in\overline 2 and $P \in C$, the order of at is defined as:
:$\mathrm_P(G)=r+s$ if is a finite point which is not Weierstrass. Here is the highest power of which divides both and . Write and if , then is the highest power of which divides , otherwise, .
:$\mathrm_P(G)=2r+s$ if is a finite Weierstrass point, with and as above.
:$\mathrm_P(G)=-\deg(G)$ if .

The divisor and the Jacobian

In order to define the Jacobian, we first need the notion of a divisor. Consider a hyperelliptic curve $C$ over some field $K$. Then we define a divisor $D$ to be a formal sum of points in $C$, i.e. $D = \sum_$ where $c_P \in\Z$ and furthermore $\$ is a finite set. This means that a divisor is a finite formal sum of scalar multiples of points. Note that there is no simplification of c_P /math> given by a single point (as one might expect from the analogy with elliptic curves). Furthermore, we define the degree of $D$ as $\deg(D) = \sum_ \in \Z$. The set of all divisors $\mathrm(C)$ of the curve $C$ forms an Abelian group where the addition is defined pointwise as follows $\sum_ + \sum_ = \sum_$. It is easy to see that $0 = \sum_$ acts as the identity element and that the inverse of $\sum_$ equals $\sum_$. The set $\mathrm^0(C) = \$ of all divisors of degree 0 can easily be checked to be a subgroup of $\mathrm(C)$.

''Proof''. Consider the map $\varphi : \mathrm(C) \rightarrow \mathbb$ defined by $\varphi(D) = \deg(D)$, note that $\mathbb$ forms a group under the usual addition. Then $\varphi(\sum_ + \sum_) = \varphi( \sum_) = \sum_ = \sum_ + \sum_ = \varphi(\sum_) + \varphi(\sum_)$ and hence $\varphi$ is a group homomorphism. Now, $\mathrm^0(C)$ is the kernel of this homomorphism and thus it is a subgroup of $\mathrm(C)$.

Consider a function $f \in \overline(C)^$, then we can look at the formal sum div$(f) = \sum_$. Here $\mathrm_(f)$ denotes the order of $f$ at $P$. We have that ord$_(f) < 0$ if $f$ has a pole of order $-\mathrm_(f)$ at $P$, $\mathrm_(f) = 0$ if $f$ is defined and non-zero at $P$ and $\mathrm_(f) >0$ if $f$ has a zero of order $\mathrm_(f)$ at $P$. It can be shown that $f$ has only a finite number of zeroes and poles,Alfred J. Menezes, Yi-Hong Wu, Robert J. Zuccherato, An elementary introduction to hyperelliptic curves
page 15 and thus only finitely many of the ord$_(f)$ are non-zero. This implies that div$(f)$ is a divisor. Moreover, as $\sum_ = 0$, it is the case that $\operatorname(f)$ is a divisor of degree 0. Such divisors, i.e. divisors coming from some rational function $f$, are called principal divisors and the set of all principal divisors $\mathrm(C)$ is a subgroup of $\mathrm^0(C)$.

''Proof''. The identity element $0 = \sum_$ comes from a constant function which is non-zero. Suppose $D_1 = \sum_, D_2 = \sum_ \in \mathrm(C)$ are two principal divisors coming from $f$ and $g$ respectively. Then $D_1 - D_2 = \sum_$ comes from the function $f/g$, and thus $D_1 - D_2$ is a principal divisor, too. We conclude that $\mathrm(C)$ is closed under addition and inverses, making it into a subgroup.

We can now define the quotient group $J(C) := \mathrm^0(C) / \mathrm(C)$ which is called the Jacobian or the Picard group of $C$. Two divisors $D_1, D_2 \in \mathrm^0(C)$ are called equivalent if they belong to the same element of $J(C)$, this is the case if and only if $D_1 - D_2$ is a principal divisor. Consider for example a hyperelliptic curve $C : y^2 + h(x) y = f(x)$ over a field $K$ and a point $P = (a,b)$ on $C$. For $n \in \mathbb_$ the rational function $f(x) = (x-a)^n$ has a zero of order $n$ at both $P$ and $\overline$ and it has a pole of order $2n$ at $O$. Therefore, we find $\operatorname(f) = nP + n\overline - 2n O$ and we can simplify this to $\operatorname(f) = 2nP - 2nO$ if $P$ is a Weierstrass point.

Example: the Jacobian of an elliptic curve

For elliptic curves the Jacobian turns out to simply be isomorphic to the usual group on the set of points on this curve, this is basically a corollary of the Abel-Jacobi theorem. To see this consider an elliptic curve $E$ over a field $K$. The first step is to relate a divisor $D$ to every point $P$ on the curve. To a point $P$ on $E$ we associate the divisor D_P = 1 - 1 /math>, in particular $O$ in linked to the identity element $O-O=0$. In a straightforward fashion we can now relate an element of $J(E)$ to each point $P$ by linking $P$ to the class of $D_P$, denoted by _P/math>. Then the map $\varphi: E \to J(E)$ from the group of points on $E$ to the Jacobian of $E$ defined by \varphi(P) = _P/math> is a group homomorphism. This can be shown by looking at three points on $E$ adding up to $O$, i.e. we take $P,Q,R \in E$ with $P + Q + R = O$ or $P+Q = -R$. We now relate the addition law on the Jacobian to the geometric group law on elliptic curves. Adding $P$ and $Q$ geometrically means drawing a straight line through $P$ and $Q$, this line intersects the curve in one other point. We then define $P+Q$ as the opposite of this point. Hence in the case $P+Q+R=O$ we have that these three points are collinear, thus there is some linear f \in K ,y/math> such that $P$, $Q$ and $R$ satisfy $f(x,y) = 0$. Now, \varphi(P) + \varphi(Q) + \varphi(R) = _P+ _Q+ _R= + + ">+ [Q+ [R- 3[O">+ [R">">+ [Q+ [R- 3[O which is the identity element of $J(E)$ as + + - 3 /math> is the divisor on the rational function $f$ and thus it is a principal divisor. We conclude that $\varphi(P) + \varphi(Q)+ \varphi(R) = \varphi(O) = \varphi(P+Q+R)$.

The Abel-Jacobi theorem states that a divisor $D = \sum_$ is principal if and only if $D$ has degree 0 and $\sum_ = O$ under the usual addition law for points on cubic curves. As two divisors $D_1, D_2 \in \mathrm^0(E)$ are equivalent if and only if $D_1 - D_2$ is principal, we conclude that $D_1 = \sum_$ and $D_2 = \sum_$ are equivalent if and only if $\sum_ = \sum_$. Now, every nontrivial divisor of degree 0 is equivalent to a divisor of the form - /math>, this implies that we have found a way to ascribe a point on $E$ to every class _P/math>. Namely, to _P= - 1 [O"> - 1 [O we ascribe the point $(P - O)+O = P$. This maps extends to the neutral element 0 which is maped to $0+O=O$. As such the map $\psi: J(E) \rightarrow E$ defined by $\psi([D_P]) = P$ is the inverse of $\varphi$. So $\varphi$ is in fact a group isomorphism, proving that $E$ and $J(E)$ are isomorphic.

The Jacobian of a hyperelliptic curve

The general hyperelliptic case is a bit more complicated. Consider a hyperelliptic curve $C: y^2 + h(x) y = f(x)$ of genus $g$ over a field $K$. A divisor $D$ of $C$ is called reduced if it has the form D = \sum_^ - k /math> where $k \leq g$, $P_i \not= O$ for all $i = 1,\dots,k$ and $P_i \not= \overline$ for $i \not= j$. Note that a reduced divisor always has degree 0, also it is possible that $P_i = P_j$ if $i \not= j$, but only if $P_i$ is not a Weierstrass point. It can be proven that for each divisor $D \in \mathrm^0(C)$ there is a unique reduced divisor $D'$ such that $D$ is equivalent to $D'$. Hence every class of the quotient group $J(C)$ has precisely one reduced divisor. Instead of looking at $J(C)$ we can thus look at the set of all reduced divisors.

Reduced divisors and their Mumford representation

A convenient way to look at reduced divisors is via their Mumford representation. A divisor in this representation consists of a pair of polynomials u,v \in K /math> such that $u$ is monic, $\deg(v) < \deg(u) \leq g$ and $u , v^2 + vh - f$. Every non-trivial reduced divisor can be represented by a unique pair of such polynomials. This can be seen by factoring $u(x) = \prod_^$ in $\overline$ which can be done as such as $u$ is monic. The last condition on $u$ and $v$ then implies that the point $P_i = (x_i, v(x_i))$ lies on $C$ for every $i = 1,...,k$. Thus D = \sum_^ - k /math> is a divisor and in fact it can be shown to be a reduced divisor. For example, the condition $\deg(u) \leq g$ ensures that $k \leq g$. This gives the 1-1 correspondence between reduced divisors and divisors in Mumford representation. As an example, $0 = \sum_$ is the unique reduced divisor belonging to the identity element of $J(C)$. Its Mumford representation is $u(x) = 1$ and $v(x) = 0$. Going back and forth between reduced divisors and their Mumford representation is now an easy task. For example, consider the hyperelliptic curve $C : y^2 = x^5 -4 x^4 -14x^3 +36x^2 + 45 x = x (x + 1) (x - 3) (x + 3) (x - 5)$ of genus 2 over the real numbers. We can find the following points on the curve $P = (1,8)$, $Q = (3,0)$ and $R= (5,0)$. Then we can define reduced divisors D = + - 2 /math> and D'= + - 2 /math>. The Mumford representation of $D$ consists of polynomials $u$ and $v$ with $\deg(v) < \deg(u) \leq g = 2$ and we know that the first coordinates of $P$ and $Q$, i.e. 1 and 3, must be zeroes of $u$. Hence we have $u(x) = (x-1)(x-3) = x^2-4x+3$. As $P = (1,v(1))$ and $Q = (3, v(3))$ it must be the case that $v(1) = 8$ and $v(3) = 0$ and thus $v$ has degree 1. There is exactly one polynomial of degree 1 with these properties, namely $v(x) = -4x+12$. Thus the Mumford representation of $D$ is $u(x) = x^2 -4x +3$ and $v(x) = -4x + 12$. In a similar fashion we can find the Mumford representation $(u',v')$ of $D'$, we have $u'(x) = (x-1)(x-5) = x^2 -6x + 5$ and $v(x) = -2x+10$. If a point $P_i=(x_i,y_i)$ appears with multiplicity ''n'', the polynomial ''v'' needs to satisfy
\left.\left(\frac\right)^j\left (x)^2+v(x)h(x)-f(x)\right_ = 0
for $0\leq j\leq n_i-1$.

Cantor's algorithm

There is an algorithm which takes two reduced divisors $D_1$ and $D_2$ in their Mumford representation and produces the unique reduced divisor $D$, again in its Mumford representation, such that $D$ is equivalent to $D_1 + D_2$. As every element of the Jacobian can be represented by the one reduced divisor it contains, the algorithm allows to perform the group operation on these reduced divisors given in their Mumford representation. The algorithm was originally developed by David G. Cantor (not to be confused with Georg Cantor), explaining the name of the algorithm. Cantor only looked at the case $h(x) = 0$, the general case is due to Koblitz. The input is two reduced divisors $D_1 = (u_1,v_1)$ and $D_2= (u_2,v_2)$ in their Mumford representation of the hyperelliptic curve $C: y^2 + h(x) y = f(x)$ of genus $g$ over the field $K$. The algorithm works as follows

# Using the extended Euclidean algorithm compute the polynomials d_1, e_1,e_2 \in K /math> such that $d_1 = \gcd(u_1,u_2)$ and $d_1 = e_1 u_1 + e_2 u_2$.
# Again with the use of the extended Euclidean algorithm compute the polynomials d, c_1,c_2 \in K /math> with $d = \gcd(d_1,v_1 + v_2 + h)$ and $d = c_1d_1 + c_2(v_1+v_2+ h)$.
# Put $s_1 = c_1e_1$, $s_2 = c_1e_2$ and $s_3 = c_2$, which gives $d = s_1u_1 + s_2 u_2 +s_3(v_1+v_2+h)$.
# Set $u = \frac$ and $v = \frac \mod u$.
# Set $u'= \frac$ and $v'= -h-v \mod u'$.
# If $\deg(u') > g$, then set $u = u'$ and $v = v'$ and repeat step 5 until $\deg(u') \leq g$.
# Make $u'$ monic by dividing through its leading coefficient.
# Output $D = (u', v')$.

The proof that the algorithm is correct can be found in.

Example

As an example consider the curve

:$C : y^2 = x^5 -4 x^4 -14x^3 +36x^2 + 45 x = x (x + 1) (x - 3) (x + 3) (x - 5)$

of genus 2 over the real numbers. For the points
:$P = (1,8)$, $Q = (3,0)$ and $R= (5,0)$
and the reduced divisors
:D_1 = + - 2 /math> and D_2= + - 2 /math>
we know that
:$(u_1 = x^2-4x+3, v_1 = -4x+12)$, and
:$(u_2 = x^2-6x+5, v_2 = -2x+10)$
are the Mumford representations of $D_1$ and $D_2$ respectively.

We can compute their sum using Cantor's algorithm. We begin by computing
:$d_1 = \gcd(u_1,u_2) = x-1$, and
:$d_1 = e_1 u_1 + e_2 u_2$
for $e_1 = \frac$, and $e_2 = - \frac$.

In the second step we find
:$d = \gcd(d_1,v_1 + v_2 + h) = \gcd(x-1,-6x+22) = 1$ and
:$1 = c_1d_1 + c_2(v_1+v_2+ h)$
for $c_1 = \frac$ and $c_2 = \frac$.

Now we can compute
:$s_1 = c_1e_1 = \frac$,
:$s_2 = c_1e_2 = - \frac$ and
:$s_3 = c_2 = \frac$.
So
:$u = \frac = u_1u_2= x^4 -10x^3 +32x^2 -38x +15$ and
:$\begin v &= \frac \mod u \\ &= \frac(x^5 - 4x^4 -8x^3 -10x^2 +119x + 30 ) \mod u \\ &= \frac(5x^3 -41x^2+83x-15). \end$
Lastly we find
:$u'= \frac = \frac(-25x^2 +176x -15 )$ and
:$v'= -v \mod u' = -\frac(17x-5)$.
After making $u'$ monic we conclude that
:$D = (-25x^2 +176x -15 , -\frac(17x-5))$
is equivalent to $D_1 + D_2$.

More on Cantor's algorithm

Cantor's algorithm as presented here has a general form, it holds for hyperelliptic curves of any genus and over any field. However, the algorithm is not very efficient. For example, it requires the use of the extended Euclidean algorithm. If we fix the genus of the curve or the characteristic of the field (or both), we can make the algorithm more efficient. For some special cases we even get explicit addition and doubling formulas which are very fast. For example, there are explicit formulas for hyperelliptic curves of genus 2

and genus 3.

For hyperelliptic curves it is also fairly easy to visualize the adding of two reduced divisors. Suppose we have a hyperelliptic curve of genus 2 over the real numbers of the form
:$C: y^2 = f(x)$
and two reduced divisors
:D_1 = + - 2 /math> and
:D_2 = + - 2 /math>.
Assume that
:$P,Q \not= \overline,\overline$,
this case has to be treated separately. There is exactly 1 cubic polynomial
:$a(x) = a_0x^3 + a_1 x^2 + a_2 x + a_3$
going through the four points
:$P,Q,R,S$.
Note here that it could be possible that for example $P = Q$, hence we must take multiplicities into account. Putting $y = a(x)$ we find that
:$y^2 = f(x) = a^2(x)$
and hence
:$f(x) - a^2(x) = 0$.
As $f(x)-a^2(x)$ is a polynomial of degree 6, we have that $f(x) - a^2(x)$ has six zeroes and hence $a(x)$ has besides $P,Q,R,S$ two more intersection points with $C$, call them $T$ and $U$, with $T \not= \overline$. Now, $P,Q,R,S,T,U$ are intersection points of $C$ with an algebraic curve. As such we know that the divisor
:D = + + + + + - 6 /math>
is principal which implies that the divisor
: + + + -4 /math>
is equivalent to the divisor
:-( + -2 .
Furthermore, the divisor
: + overline- 2 /math>
is principal for every point $P = (a,b)$ on $C$ as it comes from the rational function $b(x) = x-a$. This gives that -( and $$overline- /math> are equivalent. Combining these two properties we conclude that
:D_1 + D_2 = ( + - 2 + ( + - 2
is equivalent to the reduced divisor
:$$overline+ overline- 2 /math>.
In a picture this looks like Figure 2. It is possible to explicitly compute the coefficients of $a(x)$, in this way we can arrive at explicit formulas for adding two reduced divisors.

References

{{DEFAULTSORT:Imaginary Hyperelliptic Curve
Algebraic curves