Real hyperelliptic curve explained

g\geq1

. The general formula of Hyperelliptic curve over a finite field

is given by

C : y^2 + h(x) y = f(x) \in K[x,y]

where

h(x),f(x)\inK

satisfy certain conditions. In this page, we describe more about real hyperelliptic curves, these are curves having two points at infinity while imaginary hyperelliptic curves have one point at infinity.

Definition

A real hyperelliptic curve of genus g over K is defined by an equation of the form

C:y^2+h(x)y=f(x)

where

h(x)\inK

has degree not larger than g+1 while

f(x)\inK

must have degree 2g+1 or 2g+2. This curve is a non singular curve where no point

(x,y)

in the algebraic closure of

satisfies the curve equation

y^2+h(x)y=f(x)

and both partial derivative equations:

2y+h(x)=0

and

h'(x)y=f'(x)

. The set of (finite)

–rational points on C is given by

C(K) = \left\ \cup S

where

is the set of points at infinity. For real hyperelliptic curves, there are two points at infinity,

infty₁

and

infty₂

. For any point

P(a,b)\inC(K)

, the opposite point of

is given by

\overline{P}=(a,-b-h)

; it is the other point with x-coordinate a that also lies on the curve.

Example

Let

C:y^2=f(x)

where

f(x) = x^6 +3x^5 - 5x^4 - 15x^3 + 4x^2 + 12x = x(x-1)(x-2)(x+1)(x+2)(x+3)

over

. Since

\degf(x)=2g+2

and

f(x)

has degree 6, thus

is a curve of genus g = 2.

The homogeneous version of the curve equation is given by $Y^2 Z^4 = X^6 + 3 X^5 Z - 5 X^4 Z^2 - 15 X^3 Z^3 + 4X^2 Z^4 + 12X Z^5.$ It has a single point at infinity given by (0:1:0) but this point is singular. The blowup of

has 2 different points at infinity, which we denote

infty₁

and

infty₂

. Hence this curve is an example of a real hyperelliptic curve.

In general, every curve given by an equation where f has even degree has two points at infinity and is a real hyperelliptic curve while those where f has odd degree have only a single point in the blowup over (0:1:0) and are thus imaginary hyperelliptic curves. In both cases this assumes that the affine part of the curve is non-singular (see the conditions on the derivatives above)

Arithmetic in a real hyperelliptic curve

In real hyperelliptic curve, addition is no longer defined on points as in elliptic curves but on divisors and the Jacobian. Let

be a hyperelliptic curve of genus g over a finite field K. A divisor

is a formal finite sum of points

. We write

D = \sum_

where

n_P\in\Z

and

n_p=0

for almost all

The degree of $D= \sum_$ is defined by $\deg(D) = \sum_.$

is said to be defined over

D^\sigma = \sum_n_P P^\sigma = D

for all automorphisms σ of

\overline{K}

over

. The set

Div(K)

of divisors of

defined over

forms an additive abelian group under the addition rule

\sum a_P P + \sum b_P P = \sum .

The set

Div⁰(K)

of all degree zero divisors of

defined over

is a subgroup of

Div(K)

We take an example:

Let

D₁=6P₁+4P₂

and

D₂=1P₁+5P₂

. If we add them then

D₁+D₂=7P₁+9P₂

. The degree of

D₁

\deg(D₁₎=6+4=10

and the degree of

D₂

\deg(D₂₎=1+5=6

. Then,

\deg(D₁+D₂₎=\deg(D₁₎+\deg(D₂₎=16.

For polynomials

G\inK[C]

, the divisor of

is defined by

\mathrm(G)=\sum_ _P(G)P.

If the function

has a pole at a point

then

-{ord

}_P (G) is the order of vanishing of

. Assume

G,H

are polynomials in

K[C]

; the divisor of the rational function

F=G/H

is called a principal divisor and is defined by

div(F)=div(G)-div(H)

. We denote the group of principal divisors by

P(K)

, i.e.,

P(K)=\{div(F)\midF\inK(C)\}

. The Jacobian of

over

is defined by

J=Div^0/P

. The factor group

is also called the divisor class group of

. The elements which are defined over

form the group

J(K)

. We denote by

\overline{D}\inJ(K)

the class of

Div⁰(K)/P(K)

There are two canonical ways of representing divisor classes for real hyperelliptic curves

which have two points infinity

S=\{infty_1,infty₂\}

. The first one is to represent a degree zero divisor by

\bar{D}

such that

D=\sum_^r P_i-r\infty_2

, where

P_i\inC(\bar{F

}_q),

P_i\not=infty₂

, and

P_i\not=\bar{P_j}

i ≠ j

The representative

\bar{D}

is then called semi reduced. If

satisfies the additional condition

r\leqg

then the representative

is called reduced.^[1] Notice that

P_i=infty₁

is allowed for some i. It follows that every degree 0 divisor class contain a unique representative

\bar{D}

with

D= D_x-\deg(D_x) \infty_2+v_1 (D)(\infty_1-\infty_2),

where

D_x

is divisor that is coprime with both

infty₁

and

infty₂

, and

0\leq\deg(D_x)+v_1(D)\leqg

The other representation is balanced at infinity. Let

D_infty=infty_1+infty₂

, note that this divisor is

-rational even if the points

infty₁

and

infty₂

are not independently so. Write the representative of the class

\bar{D}

D=D_1+D_infty

,where

D₁

is called the affine part and does not contain

infty₁

and

infty₂

, and let

d=\deg(D₁₎

. If

is even then

D_\infty= \frac(\infty_1+\infty_2).

is odd then

D_\infty= \frac \infty_1+\frac \infty_2.

For example, let the affine parts of two divisors be given by

D_1=6P₁₊4P₂

and

D₂=1P₁₊5P₂

then the balanced divisors are

D_1=6P₁₊4P_2-

5D
	infty₁

-5D
	infty₂

and

D_2=1P₁₊5P_2-

3D
	infty₁

-3D
	infty₂

Transformation from real hyperelliptic curve to imaginary hyperelliptic curve

Let

be a real quadratic curve over a field

. If there exists a ramified prime divisor of degree 1 in

then we are able to perform a birational transformation to an imaginary quadratic curve.A (finite or infinite) point is said to be ramified if it is equal to its own opposite. It means that

P=(a,b)=\overline{P}=(a,-b-h(a))

, i.e. that

h(a)+2b=0

. If

is ramified then

D=P-infty₁

is a ramified prime divisor.^[2]

The real hyperelliptic curve

C:y^2+h(x)y=f(x)

of genus

with a ramified

-rational finite point

P=(a,b)

is birationally equivalent to an imaginary model

C':y'^{2+\bar{h}(x')y'=\bar{f}(x')}

of genus

, i.e.

\deg(\bar{f})=2g+1

and the function fields are equal

K(C)=K(C')

.^[3] Here:

In our example

C:y^2=f(x)

where

f(x)=x⁶+3x⁵-5x⁴-15x³+4x²+12x

, h(x) is equal to 0. For any point

P=(a,b)

h(a)

is equal to 0 and so the requirement for P to be ramified becomes

b=0

. Substituting

h(a)

and

, we obtain

f(a)=0

, where

f(a)=a(a-1)(a-2)(a+1)(a+2)(a+3)

, i.e.,

a\in\{0,1,2,-1,-2,-3\}

From, we obtain $x= \frac$ and $y= \frac$ . For g = 2, we have $y = \frac$ .

For example, let

a=1

then

x= \frac

and

y= \frac

, we obtain

\left(\frac\right)^2=\frac \left(\frac +1\right)\left(\frac +2\right)\left(\frac +3\right)\left(\frac -1\right)\left(\frac -2\right).

To remove the denominators this expression is multiplied by

x⁶

, then:

y'^2=(x'+1)(2x'+1)(3x'+1)(4x'+1)(1)(1-x')

giving the curve

C' : y'^2 = \bar(x')

where

\bar(x') = (x'+1) (2x'+1) (3x'+1) (4x'+1) (1) (1-x') = -24x'^5-26x'^4 + 15x'^3 + 25x'^2 + 9x'+1 .

is an imaginary quadratic curve since

\bar{f}(x')

has degree

2g+1

Notes and References

Erickson . Stefan . Jacobson . Michael J., Jr. . Stein . Andreas . 10.3934/amc.2011.5.623 . 4 . Advances in Mathematics of Communications . 2855275 . 623–666 . Explicit formulas for real hyperelliptic curves of genus 2 in affine representation . 5 . 2011.
Jacobson . Michael J. Jr. . Scheidler . Renate . Renate Scheidler . Stein . Andreas . 10.2478/v10127-010-0030-9 . Tatra Mountains Mathematical Publications . 2791633 . 31–65 . Cryptographic aspects of real hyperelliptic curves . 47 . 2010.
Galbraith . Steven D. . Lin . Xibin . Morales . David J. Mireles . Galbraith . Steven D. . Paterson . Kenneth G. . Pairings on hyperelliptic curves with a real model . https://eprint.iacr.org/2008/250 . 10.1007/978-3-540-85538-5_18 . 2733918 . 265–281 . Springer . Lecture Notes in Computer Science . Pairing-Based Cryptography – Pairing 2008, Second International Conference, Egham, UK, September 1–3, 2008. Proceedings . 5209 . 2008.