
In Mathematics of Isogeny Based Cryptography by De Feo, he mentions the following example:

[Image of the example; not reproduced here]

It seems I haven't understood something important about complex multiplication.

  • How does $ (x,y) \mapsto (-x,iy)$ make sense in the first place if $E$ is over $\mathbb Q$, not $\mathbb C$ or $\mathbb Q(i)$? $(-x,iy)$ isn't a ($\mathbb Q$-rational) point in $E$.

  • If we grant that $(-x,iy)$ is a point, and so don't require it to be $\mathbb Q$-rational, what's the problem with doing the same for $\mathbb F_p$? Why is the fact that $-1$ is not a square mod $p$ a problem?

  • Given that $-1$ is a square in $\mathbb F_{p^2}$, why does this mean End$(E(p))$ is not commutative?

When he introduces the curve in example 38 on the previous page, he treats it as a curve over $\mathbb C$.

I'm clearly missing something basic. If you could point it out I would be grateful.

rollover

1 Answer


You are right that the automorphism $[i] \colon (x,y) \mapsto (-x,iy)$ is not defined over $\mathbf Q$. Sometimes if people want to be a little more precise they would only say that $y^2 = x^3 + x$ over $\mathbf Q$ only has potential complex multiplication. But just saying it has complex multiplication is still quite common. Even though these automorphisms don't act on the curve over $\mathbf Q$ the fact they exist changes the way the elliptic curve behaves in a huge way, so it does make sense to distinguish these curves, even if you can't actually apply the endomorphism to $\mathbf Q$ points.

For $\mathbf F_p$ if $-1$ is non-square the automorphism again is only defined over an extension, as then $i$ does not lie in $\mathbf F_p$ but we will always have $i\in \mathbf F_{p^2}$.

Over a finite field ($p$ odd) we also have the Frobenius endomorphism $$Fr \colon (x,y) \mapsto (x^p,y^p).$$ We can see that if $i \in \mathbf F_{p^2} \smallsetminus \mathbf F_p$ then $$(Fr \circ [i]) (x,y) = Fr(-x,iy) = ((-x)^p, i^p y^p) = (-x^p, -i y^p)$$ which is not the same as $$ ([i] \circ Fr) (x,y) = [i] (x^p,y^p) = (-x^p, iy^p)$$ so the two automorphisms don't commute. Here I used that $p \equiv 3 \pmod 4$ as this is equivalent to $-1$ not being a square.

Aphelli
Alex J Best
  • I fixed the link -- the example is only in a newer version. – rollover Jun 17 '21 at 11:53
  • Regarding $-1$ being non-square: what's the difference to it being a square? – rollover Jun 17 '21 at 11:54
  • Ok I added an answer to the last bullet too. If $-1$ is a square in $\mathbf F_p$ then $i$ is in $\mathbf F_p$ and so it is fixed by Frobenius (raising to $p$th power) and hence the argument that the operators don't commute doesn't work! – Alex J Best Jun 17 '21 at 12:00
  • Oh I get it. The sentence "... does not descend to ..." really threw me off, making me think it was supposed to be on $E/\mathbb Q$ which doesn't make sense. Of course then, if $-1$ is a square it will work. Forest for the trees! :D – rollover Jun 17 '21 at 12:06