Imaginary hyperelliptic curve explained

g\geq1

. If the genus of a hyperelliptic curve equals 1, we simply call the curve an elliptic curve. Hence we can see hyperelliptic curves as generalizations of elliptic curves. There is a well-known group structure on the set of points lying on an elliptic curve over some field

, which we can describe geometrically with chords and tangents. Generalizing this group structure to the hyperelliptic case is not straightforward. We cannot define the same group law on the set of points lying on a hyperelliptic curve, instead a group structure can be defined on the so-called Jacobian of a hyperelliptic curve. The computations differ depending on the number of points at infinity. Imaginary hyperelliptic curves are hyperelliptic curves with exactly 1 point at infinity: real hyperelliptic curves have two points at infinity.

Formal definition

Hyperelliptic curves can be defined over fields of any characteristic. Hence we consider an arbitrary field

and its algebraic closure

\overline{K}

. An (imaginary) hyperelliptic curve of genus

over

is given by an equation of the form

C : y^2 + h(x) y = f(x) \in K[x,y]

where

h(x)\inK[x]

is a polynomial of degree not larger than

and

f(x)\inK[x]

is a monic polynomial of degree

2g+1

. Furthermore, we require the curve to have no singular points. In our setting, this entails that no point

(x,y)\in\overline{K} x \overline{K}

satisfies both

y²+h(x)y=f(x)

and the equations

2y+h(x)=0

and

h'(x)y=f'(x)

. This definition differs from the definition of a general hyperelliptic curve in the fact that

can also have degree

2g+2

in the general case. From now on we drop the adjective imaginary and simply talk about hyperelliptic curves, as is often done in literature. Note that the case

g=1

corresponds to

being a cubic polynomial, agreeing with the definition of an elliptic curve. If we view the curve as lying in the projective plane

P^2(K)

with coordinates

(X:Y:Z)

, we see that there is a particular point lying on the curve, namely the point at infinity

(0:1:0)

denoted by

. So we could write

C=\{(x,y)\inK²|y²+h(x)y=f(x)\}\cup\{O\}

Suppose the point

P=(a,b)

not equal to

lies on the curve and consider

\overline{P}=(a,-b-h(a))

. As

(-b-h(a))²+h(a)(-b-h(a))

can be simplified to

b²+h(a)b

, we see that

\overline{P}

is also a point on the curve.

\overline{P}

is called the opposite of

and

is called a Weierstrass point if

P=\overline{P}

, i.e.

h(a)=-2b

. Furthermore, the opposite of

is simply defined as

\overline{O}=O

Alternative definition

The definition of a hyperelliptic curve can be slightly simplified if we require that the characteristic of

is not equal to 2. To see this we consider the change of variables

x → x

and

y → y-

	h(x)
	2

, which makes sense if char

(K)\not=2

. Under this change of variables we rewrite

y²+h(x)y=f(x)

\left(y - \frac \right)^2 + h(x) \left(y - \frac\right) = f(x)

which, in turn, can be rewritten to

y²=f(x)+

	h(x)²
	4

. As

\deg(h)\leqg

we know that

\deg(h²⁾\leq2g

and hence

f(x)+

	h(x)²
	4

is a monic polynomial of degree

2g+1

. This means that over a field

with char

(K)\not=2

every hyperelliptic curve of genus

is isomorphic to one given by an equation of the form

C:y²=f(x)

where

is a monic polynomial of degree

2g+1

and the curve has no singular points. Note that for curves of this form it is easy to check whether the non-singularity criterion is met. A point

P=(a,b)

on the curve is singular if and only if

b=0

and

f'(a)=0

. As

b=0

and

b²=f(a)

, it must be the case that

f(a)=0

and thus

is a multiple root of

. We conclude that the curve

C:y²=f(x)

has no singular points if and only if

has no multiple roots. Even though the definition of a hyperelliptic curve is quite easy when char

(K)\not=2

, we should not forget about fields of characteristic 2 as hyperelliptic curve cryptography makes extensive use of such fields.

Example

As an example consider

C:y²=f(x)

where

f(x)=x⁵-2x^4-7x³+8x²+12x=x(x+1)(x-3)(x+2)(x-2)

over

. As

has degree 5 and the roots are all distinct,

is a curve of genus

g=2

. Its graph is depicted in Figure 1.

From this picture it is immediately clear that we cannot use the chords and tangents method to define a group law on the set of points of a hyperelliptic curve. The group law on elliptic curves is based on the fact that a straight line through two points lying on an elliptic curve has a unique third intersection point with the curve. Note that this is always true since

lies on the curve. From the graph of

it is clear that this does not need to hold for an arbitrary hyperelliptic curve. Actually, Bézout's theorem states that a straight line and a hyperelliptic curve of genus 2 intersect in 5 points. So, a straight line through two point lying on

does not have a unique third intersection point, it has three other intersection points.

Coordinate ring

The coordinate ring of over is defined as

K[C]=K[x,y]/(y^{2+h(x)y-f(x)).}

r(x,y)=y^2+h(x)y-f(x)

is irreducible over

\overline{K}

, so

\overline{K}[C]=\overline{K}[x,y]/(y^{2+h(x)y-f(x))}

is an integral domain.

G(x,y)\in\overline{K}[C]

can be written uniquely as

G(x,y)=u(x)-v(x)y

with

u(x),v(x)\in\overline{K}[x]

Norm and degree

The conjugate of a polynomial function in

\overline{K}[C]

is defined to be

\overline{G}(x,y)=u(x)+v(x)(h(x)+y).

The norm of is the polynomial function

N(G)=G\overline{G}

. Note that, so is a polynomial in only one variable.

If, then the degree of is defined as

\deg(G)=max[2\deg(u),2g+1+2\deg(v)].

Properties:

\deg(G)=\deg_x(N(G))

\deg(GH)=\deg(G)+\deg(H)

\deg(G)=\deg(\overline{G})

Function field

The function field of over is the field of fractions of, and the function field

\overline{K}(C)

of over

\overline{K}

is the field of fractions of

\overline{K}[C]

. The elements of

\overline{K}(C)

are called rational functions on .For such a rational function, and a finite point on, is said to be defined at if there exist polynomial functions such that and, and then the value of at is

R(P)=G(P)/H(P).

For a point on that is not finite, i.e. =

, we define as:

\deg(G)<\deg(H)

then

R(O)=0

, i.e. R has a zero at O.

\deg(G)>\deg(H)

then

R(O)

is not defined, i.e. R has a pole at O.

\deg(G)=\deg(H)

then

R(O)

is the ratio of the leading coefficients of and .

For

R\in\overline{K}(C)^*

and

P\inC

R(P)=0

then is said to have a zero at,

If is not defined at then is said to have a pole at, and we write

R(P)=infty

Order of a polynomial function at a point

For

G=u(x)-v(x) ⋅ y\in\overline{K}[C]²

and

P\inC

, the order of at is defined as:

ord_P(G)=r+s

if is a finite point which is not Weierstrass. Here is the highest power of which divides both and . Write and if, then is the highest power of which divides, otherwise, .

ord_P(G)=2r+s

if is a finite Weierstrass point, with and as above.

ord_{P(G)=-\deg(G)}

if .

The divisor and the Jacobian

In order to define the Jacobian, we first need the notion of a divisor. Consider a hyperelliptic curve

over some field

. Then we define a divisor

to be a formal sum of points in

, i.e.

D = \sum_

where

c_P\in\Z

and furthermore

\{c_P\midc_P ≠ 0\}

is a finite set. This means that a divisor is a finite formal sum of scalar multiples of points. Note that there is no simplification of

c_P[P]

given by a single point (as one might expect from the analogy with elliptic curves). Furthermore, we define the degree of

\deg(D) = \sum_ \in \Z

. The set of all divisors

Div(C)

of the curve

forms an Abelian group where the addition is defined pointwise as follows

\sum_ + \sum_ = \sum_

. It is easy to see that

0 = \sum_

acts as the identity element and that the inverse of

\sum_

equals

\sum_

. The set

Div^0(C)=\{D\inDiv(C)\mid\deg(D)=0\}

of all divisors of degree 0 can easily be checked to be a subgroup of

Div(C)

.
Proof. Consider the map

\varphi:Div(C) → Z

defined by

\varphi(D)=\deg(D)

, note that

forms a group under the usual addition. Then

\varphi(\sum_ + \sum_)= \varphi(\sum_)= \sum_= \sum_ + \sum_= \varphi(\sum_) + \varphi(\sum_)

and hence

\varphi

is a group homomorphism. Now,

Div^0(C)

is the kernel of this homomorphism and thus it is a subgroup of

Div(C)

Consider a function

f\in\overline{K}(C)^*

, then we can look at the formal sum div

(f) = \sum_

. Here

ord_P(f)

denotes the order of

. We have that ord

_P(f)<0

has a pole of order

-ord_P(f)

ord_P(f)=0

is defined and non-zero at

and

ord_P(f)>0

has a zero of order

ord_P(f)

.^[1] It can be shown that

has only a finite number of zeroes and poles,^[2] and thus only finitely many of the ord

_P(f)

are non-zero. This implies that div

(f)

is a divisor. Moreover, as

\sum_ = 0

, it is the case that

\operatorname{div}(f)

is a divisor of degree 0. Such divisors, i.e. divisors coming from some rational function

, are called principal divisors and the set of all principal divisors

Princ(C)

is a subgroup of

Div^0(C)

.
Proof. The identity element

0 = \sum_

comes from a constant function which is non-zero. Suppose

D_1 = \sum_, D_2 = \sum_ \in \mathrm(C)

are two principal divisors coming from

and

respectively. Then

D_1 - D_2 = \sum_

comes from the function

f/g

, and thus

D₁-D₂

is a principal divisor, too. We conclude that

Princ(C)

is closed under addition and inverses, making it into a subgroup.

J(C):=Div^0(C)/Princ(C)

which is called the Jacobian or the Picard group of

. Two divisors

D_1,D₂\inDiv^0(C)

are called equivalent if they belong to the same element of

J(C)

, this is the case if and only if

D₁-D₂

is a principal divisor. Consider for example a hyperelliptic curve

C:y²+h(x)y=f(x)

over a field

and a point

P=(a,b)

. For

n\inZ_>0

the rational function

f(x)=(x-a)ⁿ

has a zero of order

at both

and

\overline{P}

and it has a pole of order

. Therefore, we find

\operatorname{div}(f)=nP+n\overline{P}-2nO

and we can simplify this to

\operatorname{div}(f)=2nP-2nO

is a Weierstrass point.

Example: the Jacobian of an elliptic curve

For elliptic curves the Jacobian turns out to simply be isomorphic to the usual group on the set of points on this curve, this is basically a corollary of the Abel-Jacobi theorem. To see this consider an elliptic curve

over a field

. The first step is to relate a divisor

to every point

on the curve. To a point

we associate the divisor

D_P=1[P]-1[O]

, in particular

in linked to the identity element

O-O=0

. In a straightforward fashion we can now relate an element of

J(E)

to each point

by linking

to the class of

D_P

, denoted by

[D_P]

. Then the map

\varphi:E\toJ(E)

from the group of points on

to the Jacobian of

defined by

\varphi(P)=[D_P]

is a group homomorphism. This can be shown by looking at three points on

adding up to

, i.e. we take

P,Q,R\inE

with

P+Q+R=O

P+Q=-R

. We now relate the addition law on the Jacobian to the geometric group law on elliptic curves. Adding

and

geometrically means drawing a straight line through

and

, this line intersects the curve in one other point. We then define

P+Q

as the opposite of this point. Hence in the case

P+Q+R=O

we have that these three points are collinear, thus there is some linear

f\inK[x,y]

such that

and

satisfy

f(x,y)=0

. Now,

\varphi(P)+\varphi(Q)+\varphi(R)=[D_P]+[D_Q]+[D_R]=[[P]+[Q]+[R]-3[O]]

which is the identity element of

J(E)

[P]+[Q]+[R]-3[O]

is the divisor on the rational function

and thus it is a principal divisor. We conclude that

\varphi(P)+\varphi(Q)+\varphi(R)=\varphi(O)=\varphi(P+Q+R)

The Abel-Jacobi theorem states that a divisor $D = \sum_$ is principal if and only if

has degree 0 and

\sum_ = O

under the usual addition law for points on cubic curves. As two divisors

D_1,D₂\inDiv^0(E)

are equivalent if and only if

D₁-D₂

is principal, we conclude that

D_1 = \sum_

and

D_2 = \sum_

are equivalent if and only if

\sum_ = \sum_

. Now, every nontrivial divisor of degree 0 is equivalent to a divisor of the form

[P]-[O]

, this implies that we have found a way to ascribe a point on

to every class

[D_P]

. Namely, to

[D_P]=[1[P]-1[O]]

we ascribe the point

(P-O)+O=P

. This maps extends to the neutral element 0 which is maped to

0+O=O

. As such the map

\psi:J(E) → E

defined by

\psi([D_P])=P

is the inverse of

\varphi

. So

\varphi

is in fact a group isomorphism, proving that

and

J(E)

are isomorphic.

The Jacobian of a hyperelliptic curve

The general hyperelliptic case is a bit more complicated. Consider a hyperelliptic curve

C:y²+h(x)y=f(x)

of genus

over a field

. A divisor

is called reduced if it has the form

D = \sum_^ - k [O]

where

k\leqg

P_i\not=O

for all

i=1,...,k

and

P_i\not=\overline{P_j}

for

i\not=j

. Note that a reduced divisor always has degree 0, also it is possible that

P_i=P_j

i\not=j

, but only if

P_i

is not a Weierstrass point. It can be proven that for each divisor

D\inDiv^0(C)

there is a unique reduced divisor

such that

is equivalent to

. Hence every class of the quotient group

J(C)

has precisely one reduced divisor. Instead of looking at

J(C)

we can thus look at the set of all reduced divisors.

Reduced divisors and their Mumford representation

A convenient way to look at reduced divisors is via their Mumford representation. A divisor in this representation consists of a pair of polynomials

u,v\inK[x]

such that

is monic,

\deg(v)<\deg(u)\leqg

and

u|v²+vh-f

. Every non-trivial reduced divisor can be represented by a unique pair of such polynomials. This can be seen by factoring

u(x) = \prod_^

\overline{K}

which can be done as such as

is monic. The last condition on

and

then implies that the point

P_i=(x_i,v(x_i))

lies on

for every

i=1,...,k

. Thus

D = \sum_^ - k[O]

is a divisor and in fact it can be shown to be a reduced divisor. For example, the condition

\deg(u)\leqg

ensures that

k\leqg

. This gives the 1-1 correspondence between reduced divisors and divisors in Mumford representation. As an example,

0 = \sum_

is the unique reduced divisor belonging to the identity element of

J(C)

. Its Mumford representation is

u(x)=1

and

v(x)=0

. Going back and forth between reduced divisors and their Mumford representation is now an easy task. For example, consider the hyperelliptic curve

C:y²=x⁵-4x⁴-14x³+36x²+45x=x(x+1)(x-3)(x+3)(x-5)

of genus 2 over the real numbers. We can find the following points on the curve

P=(1,8)

Q=(3,0)

and

R=(5,0)

. Then we can define reduced divisors

D=[P]+[Q]-2[O]

and

D'=[P]+[R]-2[O]

. The Mumford representation of

consists of polynomials

and

with

\deg(v)<\deg(u)\leqg=2

and we know that the first coordinates of

and

, i.e. 1 and 3, must be zeroes of

. Hence we have

u(x)=(x-1)(x-3)=x^2-4x+3

. As

P=(1,v(1))

and

Q=(3,v(3))

it must be the case that

v(1)=8

and

v(3)=0

and thus

has degree 1. There is exactly one polynomial of degree 1 with these properties, namely

v(x)=-4x+12

. Thus the Mumford representation of

u(x)=x²-4x+3

and

v(x)=-4x+12

. In a similar fashion we can find the Mumford representation

(u',v')

, we have

u'(x)=(x-1)(x-5)=x²-6x+5

and

v(x)=-2x+10

. If a point

P_i=(x_i,y_i)

appears with multiplicity n, the polynomial v needs to satisfy

\left.\left(\frac\right)^j\left[v(x)^2+v(x)h(x)-f(x)\right]\right|_ = 0

for

0\leqj\leqn_i-1

Cantor's algorithm

There is an algorithm which takes two reduced divisors

D₁

and

D₂

in their Mumford representation and produces the unique reduced divisor

, again in its Mumford representation, such that

is equivalent to

D₁+D₂

. As every element of the Jacobian can be represented by the one reduced divisor it contains, the algorithm allows to perform the group operation on these reduced divisors given in their Mumford representation. The algorithm was originally developed by David G. Cantor (not to be confused with Georg Cantor), explaining the name of the algorithm. Cantor only looked at the case

h(x)=0

, the general case is due to Koblitz. The input is two reduced divisors

D₁=(u_1,v₁₎

and

D₂₌(u_2,v₂₎

in their Mumford representation of the hyperelliptic curve

C:y²+h(x)y=f(x)

of genus

over the field

. The algorithm works as follows

Using the extended Euclidean algorithm compute the polynomials

d_1,e_1,e₂\inK[x]

such that

d₁=\gcd(u_1,u₂₎

and

d₁=e₁u₁+e₂u₂

Again with the use of the extended Euclidean algorithm compute the polynomials

d,c_1,c₂\inK[x]

with

d=\gcd(d_1,v₁+v₂+h)

and

d=c_1d₁+c_2(v_1+v₂₊h)

s₁=c_1e₁

s₂=c_1e₂

and

s₃=c₂

, which gives

d=s_1u₁+s₂u₂+s_3(v_1+v_2+h)

	u_1u₂
	d²

and

	s_1u_1v₂+s_2u_2v₁+s₃(v_1v₂+f)
	d

\modu

u'=

	f-vh-v²
	u

and

v'=-h-v\modu'

\deg(u')>g

, then set

u=u'

and

v=v'

and repeat step 5 until

\deg(u')\leqg

Make

monic by dividing through its leading coefficient.

Output

D=(u',v')

The proof that the algorithm is correct can be found in.^[3]

Example

As an example consider the curve

C:y²=x⁵-4x⁴-14x³+36x²+45x=x(x+1)(x-3)(x+3)(x-5)

of genus 2 over the real numbers. For the points

P=(1,8)

Q=(3,0)

and

R=(5,0)

and the reduced divisors

D₁=[P]+[Q]-2[O]

and

D₂₌[P]+[R]-2[O]

we know that

(u₁=x^2-4x+3,v₁=-4x+12)

, and

(u₂=x^2-6x+5,v₂=-2x+10)

are the Mumford representations of

D₁

and

D₂

respectively.

We can compute their sum using Cantor's algorithm. We begin by computing

d₁=\gcd(u_1,u₂₎=x-1

, and

d₁=e₁u₁+e₂u₂

for

e₁=

	1
	2

, and

e₂=-

	1
	2

In the second step we find

d=\gcd(d_1,v₁+v₂+h)=\gcd(x-1,-6x+22)=1

and

1=c_1d₁+c_2(v_1+v₂₊h)

for

c₁=

	3
	8

and

c₂=

	1
	16

Now we can compute

s₁=c_1e₁=

	3
	16

s₂=c_1e₂=-

	3
	16

and

s₃=c₂=

	1
	16

. So

	u_1u₂
	d²

=u_1u₂₌x⁴-10x³+32x²-38x+15

and

\begin{align} v&=

	s_1u_1v₂+s_2u_2v₁+s₃(v_1v₂+f)
	d

\modu\\ &=

	1
	16

(x⁵-4x⁴-8x³-10x²+119x+30)\modu\\ &=

	1
	4

(5x³-41x^{2+83x-15).
\end{align}}

Lastly we find

u'=

	f-v²
	u

	1
	16

(-25x²+176x-15)

and

v'=-v\modu'=-

	72
	125

(17x-5)

. After making

monic we conclude that

D=(-25x²+176x-15,-

	72
	125

(17x-5))

is equivalent to

D₁+D₂

More on Cantor's algorithm

Cantor's algorithm as presented here has a general form, it holds for hyperelliptic curves of any genus and over any field. However, the algorithm is not very efficient. For example, it requires the use of the extended Euclidean algorithm. If we fix the genus of the curve or the characteristic of the field (or both), we can make the algorithm more efficient. For some special cases we even get explicit addition and doubling formulas which are very fast. For example, there are explicit formulas for hyperelliptic curves of genus 2^[4] ^[5] and genus 3.

For hyperelliptic curves it is also fairly easy to visualize the adding of two reduced divisors. Suppose we have a hyperelliptic curve of genus 2 over the real numbers of the form

C:y²=f(x)

and two reduced divisors

D₁=[P]+[Q]-2[O]

and

D₂=[R]+[S]-2[O]

. Assume that

P,Q\not=\overline{R},\overline{S}

, this case has to be treated separately. There is exactly 1 cubic polynomial

a(x)=

	3
a
	0x

+a₁x²+a₂x+a₃

going through the four points

P,Q,R,S

. Note here that it could be possible that for example

P=Q

, hence we must take multiplicities into account. Putting

y=a(x)

we find that

y²=f(x)=a^2(x)

and hence

f(x)-a^2(x)=0

. As

f(x)-a^2(x)

is a polynomial of degree 6, we have that

f(x)-a^2(x)

has six zeroes and hence

a(x)

has besides

P,Q,R,S

two more intersection points with

, call them

and

, with

T\not=\overline{U}

. Now,

P,Q,R,S,T,U

are intersection points of

with an algebraic curve. As such we know that the divisor

D=[P]+[Q]+[R]+[S]+[T]+[U]-6[O]

is principal which implies that the divisor

[P]+[Q]+[R]+[S]-4[O]

is equivalent to the divisor

-([T]+[U]-2[O])

. Furthermore, the divisor

[P]+[\overline{P}]-2[O]

is principal for every point

P=(a,b)

as it comes from the rational function

b(x)=x-a

. This gives that

-([P]-[O])

and

[\overline{P}]-[O]

are equivalent. Combining these two properties we conclude that

D₁+D₂=([P]+[Q]-2[O])+([R]+[S]-2[O])

is equivalent to the reduced divisor

[\overline{T}]+[\overline{U}]-2[O]

. In a picture this looks like Figure 2. It is possible to explicitly compute the coefficients of

a(x)

, in this way we can arrive at explicit formulas for adding two reduced divisors.

Notes and References

http://www.hyperelliptic.org/tanja/conf/summerschool07/talks/Dechene_Picard.pdf Isabelle Déchène, The Picard Group, or how to build a group from a set
Web site: An elementary introduction to hyperelliptic curves. Alfred J.. Menezes. Yi-Hong. Wu. Robert J.. Zuccherato. November 7, 1996. 15. 2024-06-28.
10.1090/S0025-5718-1987-0866101-0. David G.. Cantor. David G. Cantor. Computing in the Jacobian of a hyperelliptic curve. Mathematics of Computation. 48. 177. 1987. 95–101. free.
http://www.emis.de/journals/BAG/vol.46/no.1/b46h1lei.pdf Frank Leitenberger, About the Group Law for the Jacobi Variety of a Hyperelliptic Curve
10.1007/s00200-004-0154-8. T. Lange. Formulae for Arithmetic on Genus $2$ Hyperelliptic Curves. Applicable Algebra in Engineering, Communication and Computing. 15. 5. 2005. 295–328. 10.1.1.109.578.