Real hyperelliptic curve
There are two types of hyperelliptic curves, a class of algebraic curves: real hyperelliptic curves and imaginary hyperelliptic curves which differ by the number of points at infinity. Hyperelliptic curves exist for every genus [math]\displaystyle{ g \geq 1 }[/math]. The general formula of Hyperelliptic curve over a finite field [math]\displaystyle{ K }[/math] is given by [math]\displaystyle{ C : y^2 + h(x) y = f(x) \in K[x,y] }[/math] where [math]\displaystyle{ h(x), f(x) \in K }[/math] satisfy certain conditions. In this page, we describe more about real hyperelliptic curves, these are curves having two points at infinity while imaginary hyperelliptic curves have one point at infinity.
A real hyperelliptic curve of genus g over K is defined by an equation of the form [math]\displaystyle{ C:y^2+h(x)y = f(x) }[/math] where [math]\displaystyle{ h(x) \in K }[/math] has degree not larger than g+1 while [math]\displaystyle{ f(x) \in K }[/math] must have degree 2g+1 or 2g+2. This curve is a non singular curve where no point [math]\displaystyle{ (x,y) }[/math] in the algebraic closure of [math]\displaystyle{ K }[/math] satisfies the curve equation [math]\displaystyle{ y^2+h(x)y=f(x) }[/math] and both partial derivative equations: [math]\displaystyle{ 2y+h(x)=0 }[/math] and [math]\displaystyle{ h'(x)y=f'(x) }[/math]. The set of (finite) [math]\displaystyle{ K }[/math]–rational points on C is given by [math]\displaystyle{ C(K) = \left\{ (a,b) \in K^2 \mid b^2 + h(a) b = f(a) \right\} \cup S }[/math] where [math]\displaystyle{ S }[/math] is the set of points at infinity. For real hyperelliptic curves, there are two points at infinity, [math]\displaystyle{ \infty_1 }[/math] and [math]\displaystyle{ \infty_2 }[/math]. For any point [math]\displaystyle{ P(a,b)\in C(K) }[/math], the opposite point of [math]\displaystyle{ P }[/math] is given by [math]\displaystyle{ \overline{P} = (a, -b - h) }[/math]; it is the other point with x-coordinate a that also lies on the curve.
Let [math]\displaystyle{ C: y^2=f(x) }[/math] where [math]\displaystyle{ f(x) = x^6 +3x^5 - 5x^4 - 15x^3 + 4x^2 + 12x = x(x-1)(x-2)(x+1)(x+2)(x+3) }[/math] over [math]\displaystyle{ R }[/math]. Since [math]\displaystyle{ \deg f(x) = 2g+2 }[/math] and [math]\displaystyle{ f(x) }[/math] has degree 6, thus [math]\displaystyle{ C }[/math] is a curve of genus g = 2.
The homogeneous version of the curve equation is given by [math]\displaystyle{ Y^2 Z^4 = X^6 + 3 X^5 Z - 5 X^4 Z^2 - 15 X^3 Z^3 + 4X^2 Z^4 + 12X Z^5. }[/math] It has a single point at infinity given by (0:1:0) but this point is singular. The blowup of [math]\displaystyle{ C }[/math] has 2 different points at infinity, which we denote [math]\displaystyle{ \infty_1 }[/math] and [math]\displaystyle{ \infty_2 }[/math]. Hence this curve is an example of a real hyperelliptic curve.
In general, every curve given by an equation where f has even degree has two points at infinity and is a real hyperelliptic curve while those where f has odd degree have only a single point in the blowup over (0:1:0) and are thus imaginary hyperelliptic curves. In both cases this assumes that the affine part of the curve is non-singular (see the conditions on the derivatives above)
Arithmetic in a real hyperelliptic curve
In real hyperelliptic curve, addition is no longer defined on points as in elliptic curves but on divisors and the Jacobian. Let [math]\displaystyle{ C }[/math] be a hyperelliptic curve of genus g over a finite field K. A divisor [math]\displaystyle{ D }[/math] on [math]\displaystyle{ C }[/math] is a formal finite sum of points [math]\displaystyle{ P }[/math] on [math]\displaystyle{ C }[/math]. We write [math]\displaystyle{ D = \sum_{P \in C}{n_P P} }[/math] where [math]\displaystyle{ n_P \in\Z }[/math] and [math]\displaystyle{ n_p=0 }[/math] for almost all [math]\displaystyle{ P }[/math].
The degree of [math]\displaystyle{ D= \sum_{P \in C}{n_P P} }[/math] is defined by [math]\displaystyle{ \deg(D) = \sum_{P \in C}{n_P}. }[/math] [math]\displaystyle{ D }[/math] is said to be defined over [math]\displaystyle{ K }[/math] if [math]\displaystyle{ D^\sigma = \sum_{P \in C}n_P P^\sigma = D }[/math] for all automorphisms σ of [math]\displaystyle{ \overline{K} }[/math] over [math]\displaystyle{ K }[/math]. The set [math]\displaystyle{ Div(K) }[/math] of divisors of [math]\displaystyle{ C }[/math] defined over [math]\displaystyle{ K }[/math] forms an additive abelian group under the addition rule [math]\displaystyle{ \sum a_P P + \sum b_P P = \sum {(a_P + b_P) P}. }[/math]
The set [math]\displaystyle{ Div^0 (K) }[/math] of all degree zero divisors of [math]\displaystyle{ C }[/math] defined over [math]\displaystyle{ K }[/math] is a subgroup of [math]\displaystyle{ Div(K) }[/math].
We take an example:
Let [math]\displaystyle{ D_1 = 6 P_1 + 4 P_2 }[/math] and [math]\displaystyle{ D_2 = 1 P_1 + 5 P_2 }[/math]. If we add them then [math]\displaystyle{ D_1 + D_2 = 7 P_1 + 9 P_2 }[/math]. The degree of [math]\displaystyle{ D_1 }[/math] is [math]\displaystyle{ \deg(D_1) = 6+4 = 10 }[/math] and the degree of [math]\displaystyle{ D_2 }[/math] is [math]\displaystyle{ \deg(D_2) = 1+5 = 6 }[/math]. Then, [math]\displaystyle{ \deg(D_1 + D_2) = \deg(D_1) + \deg(D_2) = 16. }[/math]
For polynomials [math]\displaystyle{ G\in K[C] }[/math], the divisor of [math]\displaystyle{ G }[/math] is defined by [math]\displaystyle{ \mathrm{div}(G)=\sum_{P\in C} {\mathrm{ord}}_P(G)P. }[/math] If the function [math]\displaystyle{ G }[/math] has a pole at a point [math]\displaystyle{ P }[/math] then [math]\displaystyle{ -{\mathrm{ord}}_P (G) }[/math] is the order of vanishing of [math]\displaystyle{ G }[/math] at [math]\displaystyle{ P }[/math]. Assume [math]\displaystyle{ G, H }[/math] are polynomials in [math]\displaystyle{ K[C] }[/math]; the divisor of the rational function [math]\displaystyle{ F=G/H }[/math] is called a principal divisor and is defined by [math]\displaystyle{ \mathrm{div}(F) = \mathrm{div}(G) - \mathrm{div}(H) }[/math]. We denote the group of principal divisors by [math]\displaystyle{ P(K) }[/math], i.e., [math]\displaystyle{ P(K) = \{\mathrm{div}(F) \mid F \in K(C)\} }[/math]. The Jacobian of [math]\displaystyle{ C }[/math] over [math]\displaystyle{ K }[/math] is defined by [math]\displaystyle{ J = Div^0/P }[/math]. The factor group [math]\displaystyle{ J }[/math] is also called the divisor class group of [math]\displaystyle{ C }[/math]. The elements which are defined over [math]\displaystyle{ K }[/math] form the group [math]\displaystyle{ J(K) }[/math]. We denote by [math]\displaystyle{ \overline{D}\in J(K) }[/math] the class of [math]\displaystyle{ D }[/math] in [math]\displaystyle{ Div^0 (K)/P(K) }[/math].
There are two canonical ways of representing divisor classes for real hyperelliptic curves [math]\displaystyle{ C }[/math] which have two points infinity [math]\displaystyle{ S=\{\infty_1,\infty_2 \} }[/math]. The first one is to represent a degree zero divisor by [math]\displaystyle{ \bar{D} }[/math] such that [math]\displaystyle{ D=\sum_{i=1}^r P_i-r\infty_2 }[/math], where [math]\displaystyle{ P_i \in C(\bar{\mathbb{F}}_q) }[/math],[math]\displaystyle{ P_i\not= \infty_2 }[/math], and [math]\displaystyle{ P_i\not=\bar{P_j} }[/math] if [math]\displaystyle{ i \neq j }[/math] The representative [math]\displaystyle{ D }[/math] of [math]\displaystyle{ \bar{D} }[/math] is then called semi reduced. If [math]\displaystyle{ D }[/math] satisfies the additional condition [math]\displaystyle{ r \leq g }[/math] then the representative [math]\displaystyle{ D }[/math] is called reduced.[1] Notice that [math]\displaystyle{ P_i=\infty_1 }[/math] is allowed for some i. It follows that every degree 0 divisor class contain a unique representative [math]\displaystyle{ \bar{D} }[/math] with [math]\displaystyle{ D= D_x-\deg(D_x ) \infty_2+v_1 (D)(\infty_1-\infty_2), }[/math] where [math]\displaystyle{ D_x }[/math] is divisor that is coprime with both [math]\displaystyle{ \infty_1 }[/math] and [math]\displaystyle{ \infty_2 }[/math], and [math]\displaystyle{ 0\leq \deg(D_x )+v_1(D)\leq g }[/math].
The other representation is balanced at infinity. Let [math]\displaystyle{ D_\infty=\infty_1+\infty_2 }[/math], note that this divisor is [math]\displaystyle{ K }[/math]-rational even if the points [math]\displaystyle{ \infty_1 }[/math] and [math]\displaystyle{ \infty_2 }[/math] are not independently so. Write the representative of the class [math]\displaystyle{ \bar{D} }[/math] as [math]\displaystyle{ D=D_1+D_\infty }[/math], where [math]\displaystyle{ D_1 }[/math] is called the affine part and does not contain [math]\displaystyle{ \infty_1 }[/math] and [math]\displaystyle{ \infty_2 }[/math], and let [math]\displaystyle{ d=\deg(D_1) }[/math]. If [math]\displaystyle{ d }[/math] is even then [math]\displaystyle{ D_\infty= \frac{d}{2}(\infty_1+\infty_2). }[/math]
If [math]\displaystyle{ d }[/math] is odd then [math]\displaystyle{ D_\infty= \frac{d+1}{2} \infty_1+\frac{d-1}{2} \infty_2. }[/math] For example, let the affine parts of two divisors be given by
- [math]\displaystyle{ D_1=6P_1+ 4P_2 }[/math] and [math]\displaystyle{ D_2 = 1P_1+ 5P_2 }[/math]
then the balanced divisors are
- [math]\displaystyle{ D_1=6P_1+ 4P_2- 5D_{\infty_1} -5D_{\infty_2} }[/math] and [math]\displaystyle{ D_2=1P_1+ 5P_2- 3D_{\infty_1} -3D_{\infty_2} }[/math]
Transformation from real hyperelliptic curve to imaginary hyperelliptic curve
Let [math]\displaystyle{ C }[/math] be a real quadratic curve over a field [math]\displaystyle{ K }[/math]. If there exists a ramified prime divisor of degree 1 in [math]\displaystyle{ K }[/math] then we are able to perform a birational transformation to an imaginary quadratic curve. A (finite or infinite) point is said to be ramified if it is equal to its own opposite. It means that [math]\displaystyle{ P =(a,b) = \overline{P} = (a, -b-h(a)) }[/math], i.e. that [math]\displaystyle{ h(a)+ 2b=0 }[/math]. If [math]\displaystyle{ P }[/math] is ramified then [math]\displaystyle{ D = P - \infty_1 }[/math] is a ramified prime divisor.[2]
The real hyperelliptic curve [math]\displaystyle{ C:y^2+h(x)y=f(x) }[/math] of genus [math]\displaystyle{ g }[/math] with a ramified [math]\displaystyle{ K }[/math]-rational finite point [math]\displaystyle{ P=(a,b) }[/math] is birationally equivalent to an imaginary model [math]\displaystyle{ C':y'^2+\bar{h}(x')y'=\bar{f}(x') }[/math] of genus [math]\displaystyle{ g }[/math], i.e. [math]\displaystyle{ \deg(\bar{f})=2g+1 }[/math] and the function fields are equal [math]\displaystyle{ K(C)=K(C') }[/math].[3] Here:
[math]\displaystyle{ x'= \frac{1}{x-a} }[/math] and [math]\displaystyle{ y'= \frac{y+b}{(x-a)^{g+1}} }[/math]
In our example [math]\displaystyle{ C: y^2=f(x) }[/math] where [math]\displaystyle{ f(x)=x^6 + 3x^5 - 5x^4 - 15x^3 + 4x^2 + 12x }[/math], h(x) is equal to 0. For any point [math]\displaystyle{ P=(a,b) }[/math], [math]\displaystyle{ h(a) }[/math] is equal to 0 and so the requirement for P to be ramified becomes [math]\displaystyle{ b=0 }[/math]. Substituting [math]\displaystyle{ h(a) }[/math] and [math]\displaystyle{ b }[/math], we obtain [math]\displaystyle{ f(a)=0 }[/math], where [math]\displaystyle{ f(a) = a (a-1) (a-2) (a+1) (a+2) (a+3) }[/math], i.e., [math]\displaystyle{ a \in \{0,1,2,-1,-2,-3\} }[/math].
From (i), we obtain [math]\displaystyle{ x= \frac {ax'+1}{x'} }[/math] and [math]\displaystyle{ y= \frac{y'}{x'^{g+1}} }[/math]. For g = 2, we have [math]\displaystyle{ y = \frac{y'}{x'^3} }[/math].
For example, let [math]\displaystyle{ a=1 }[/math] then [math]\displaystyle{ x= \frac{x'+1}{x'} }[/math] and [math]\displaystyle{ y= \frac{y'}{x'^3} }[/math], we obtain [math]\displaystyle{ \left(\frac{y'}{x'^3 }\right)^2=\frac {x'+1}{x'} \left(\frac {x'+1}{x'}+1\right)\left(\frac {x'+1}{x'}+2\right)\left(\frac {x'+1}{x'}+3\right)\left(\frac {x'+1}{x'}-1\right)\left(\frac {x'+1}{x'}-2\right). }[/math]
To remove the denominators this expression is multiplied by [math]\displaystyle{ x^6 }[/math], then: [math]\displaystyle{ y'^2=(x'+1)(2x'+1)(3x'+1)(4x'+1)(1)(1-x') }[/math] giving the curve [math]\displaystyle{ C' : y'^2 = \bar{f}(x') }[/math] where [math]\displaystyle{ \bar{f}(x') = (x'+1) (2x'+1) (3x'+1) (4x'+1) (1) (1-x') = -24x'^5-26x'^4 + 15x'^3 + 25x'^2 + 9x'+1 . }[/math]
[math]\displaystyle{ C' }[/math] is an imaginary quadratic curve since [math]\displaystyle{ \bar{f}(x') }[/math] has degree [math]\displaystyle{ 2g + 1 }[/math].
- ↑ Erickson, Michael; J. Jacobson Jr.. "Explicit formulas for real hyperelliptic curves of genus 2 in affine representation".[|permanent dead link|dead link}}]
- ↑ M. J. Jacobson Jr; R. Scheidler (12 December 2018). "Cryptographic Aspects of Real Hyperelliptic Curves".
- ↑ D. Galbraith; Xibin Lin. "Pairings on Hyperelliptic Curves with a Real Model".
Original source: hyperelliptic curve.
Read more |