Women in Numbers Europe III: Research Directions in Number Theory (Association for Women in Mathematics Series, 24) [1st ed. 2021] 3030776999, 9783030776992

This volume includes articles spanning several research areas in number theory, such as arithmetic geometry, algebraic n


English Pages 338 [334] Year 2022


Table of contents :
Preface
Acknowledgements
Contents
From p-modular to p-adic Langlands Correspondences for U(1,1)(Qp2/Qp): Deformations in the Non-supercuspidal Case
1 Introduction
1.1 General Notation
2 Non-supercuspidal Representations of G over Fp
2.1 Principal Series Representations and Characters of G
2.2 Special Series Representations
2.3 Classification of Non-supercuspidal Representations of G
3 A Non-supercuspidal Semisimple Langlands Correspondence
3.1 Galois Representations and Dual Groups Associated with G
3.2 From Langlands Parameters to C-Parameters
3.3 A Langlands Correspondence for Non-supercuspidal Representations
4 Deforming Non-supercuspidal Representations of G
4.1 Deforming Parabolically Induced Representations
4.2 Deformations of Special Series Representations
5 Deforming Langlands Parameters
5.1 Definition of C-Parameters in Characteristic Zero
5.2 Inertial Types and Generic C-Parameters
5.2.1 Genericity for Classical Inertial Types
5.2.2 Genericity for C-Valued Inertial Types
5.2.3 Genericity for C-Parameters and Their Inertial Types
5.3 Deforming Galois Parameters
5.3.1 Universal Framed Deformations
5.3.2 Intermission: Frobenius-Twist Self-Dual Inertial Types
5.3.3 Potentially Crystalline Deformations with Prescribed Hodge Type and Inertial Type
5.4 From C-Parameters to Kisin Modules
5.4.1 From C-Parameters to Genuine p-adic Galois Representations
5.4.2 Kisin Modules with Prescribed Descent Data and Height
5.4.3 Frobenius-Twist Self-Dual Kisin Modules and Associated Galois Representations
5.5 Some Explicit Deformation Rings for C-Parameters
5.5.1 Shape of a Kisin Module over k
5.5.2 A Deformation Problem for Kisin Modules
5.5.3 Some Consequences on Deformations of C-Parameters
References
Explicit Connections Between Supersingular Isogeny Graphs and Bruhat–Tits Trees
1 Introduction
1.1 Contributions
2 Background
2.1 Elliptic Curves over Finite Fields
2.1.1 Isogenies and Endomorphisms
2.1.2 Supersingular -Isogeny Graphs
2.2 Quaternion Algebras over Q
2.2.1 Arithmetic of Quaternion Algebras
2.2.2 -Ideal Graph of a Quaternion Algebra
2.2.3 Norm Forms of Maximal Orders
2.3 The Bruhat–Tits Tree for PGL2(Q)
3 The Graph of the Bad Reduction of Shimura Curves
3.1 Shimura Curves from Indefinite Quaternion Algebras
3.2 The -Adic Upper Half-Plane
3.3 -Adic Shimura Curves
3.4 Computing the Graph of the Special Fibre of a Shimura Curve
4 Different Views on Supersingular Isogeny Graphs
4.1 Supersingular Elliptic Curves and Endomorphism Rings: Deuring's Correspondence
4.2 The Bruhat–Tits Tree, an Unfolding of the Supersingular Isogeny Graph
4.2.1 The Tate Module
4.2.2 Translating Vertices of Bruhat–Tits Trees into Sublattices of the Tate Module
4.2.3 Translating Sublattices of the Tate Module into Subgroups of Elliptic Curves
4.2.4 Non-backtracking Walks in G as Level-Increasing Paths from the Root of Tl
4.3 Bruhat–Tits Tree Quotients and Supersingular Isogeny Graphs: Ribet's Correspondence
4.4 The Bruhat–Tits Tree and Quaternion Orders
5 Towards Cryptographic Applications
5.1 A Truncated Bruhat–Tits Tree from SIKE Parameters
5.2 Isogenies from Paths in the Bruhat–Tits Tree
5.3 Explicit Computations with the Bruhat–Tits Tree
5.4 Computing and Exploiting Norm Equations
6 Conclusion
References
Semi-Regular Sequences and Other Random Systems of Equations
1 Introduction
2 Notation and Preliminaries
2.1 Commutative Algebra Review
2.2 Homogeneous Semi-Regular Sequences
2.3 The Macaulay Matrix and the Solving Degree of a System of Equations
3 Solving Degree, Degree of Regularity, and Castelnuovo-Mumford Regularity
4 Solving Degree of Cryptographic Semi-regular Systems
4.1 Homogeneous Cryptographic Semi-regular Sequences
4.2 Inhomogeneous Cryptographic Semi-regular Sequences
5 A Consequence of the Eisenbud-Green-Harris Conjecture
5.1 Limits to the Applicability of Theorem 5.4 and Relation with the Degree of Regularity
6 Values of r(n+k, n) for 2 ≤ k, n ≤ 100
References
Reduction Types of Genus-3 Curves in a Special Stratum of their Moduli Space
1 Introduction
1.1 Notation
2 Stable Reduction and Admissible Covers
2.1 The Set-up
2.2 Stable Reduction of Covers
2.3 Combinatorial Description of the Stable Reduction
2.4 Computing the Stable Reduction
3 The Smooth Plane Quartic Case
3.1 Invariants
3.2 Main Results
4 Proofs of Main Results
4.1 Main Result with Non-degenerate Conic
4.2 Main Result with Degenerate Conic
5 Hyperelliptic Case
5.1 Invariants
5.2 The Main Theorem and Its Proof
Appendix: Admissible Covers
References
The Complexity of MinRank
1 Introduction
2 Main Results
References
Fields of Definition of Elliptic Fibrations on Covers of Certain Extremal Rational Elliptic Surfaces
1 Introduction
1.1 Relation to the Literature
2 Preliminaries and Setting
3 Rational Curves on K3 Surfaces
4 Extremal Rational Elliptic Surfaces
4.1 Minimal Models for Extremal RES Over k
5 Double Covers of Extremal Rational Elliptic Surfaces
5.1 Arithmetic Models of Extremal Rational Elliptic Surfaces
6 The Surfaces R9 and X9
6.1 Negative Curves on R9
6.2 The K3 Surface X9
6.3 Classification of All the Possible Fibrations of the K3 Surface X9
6.3.1 Torsion of the Mordell–Weil Group for the Elliptic Fibrations Associated to X9
6.4 Determining the Type of Each Fibration of X9
7 The Surfaces R4, R3, R2 and the Surfaces X4, X3, X2
7.1 The Rational Elliptic Surfaces R4, R3, and R2
7.2 The K3 Surfaces X4, X3, X2
7.3 Classification of All the Possible Fibrations on the K3 Surfaces X4, X3, and X2
7.4 Determining the Type of Each Fibration of X4, X3, and X2
References
Integers Represented by Ternary Quadratic Forms
1 Introduction
2 The Brauer-Manin Obstruction for Integral Points
3 Local Solutions to Qa,b,c=n
4 Generator of the Brauer Group of Xa,b,c
5 Computation of the Local Evaluation Maps at Odd Primes
5.1 Case p=∞
5.2 Case p a Prime, 2


Association for Women in Mathematics Series

Alina Carmen Cojocaru Sorina Ionica Elisa Lorenzo García Editors

Women in Numbers Europe III Research Directions in Number Theory

Association for Women in Mathematics Series Volume 24

Series Editor Kristin Lauter Facebook Seattle, WA, USA

Association for Women in Mathematics Series

Focusing on the groundbreaking work of women in mathematics past, present, and future, Springer’s Association for Women in Mathematics Series presents the latest research and proceedings of conferences worldwide organized by the Association for Women in Mathematics (AWM). All works are peer-reviewed to meet the highest standards of scientific literature, while presenting topics at the cutting edge of pure and applied mathematics, as well as in the areas of mathematical education and history. Since its inception in 1971, The Association for Women in Mathematics has been a non-profit organization designed to help encourage women and girls to study and pursue active careers in mathematics and the mathematical sciences and to promote equal opportunity and equal treatment of women and girls in the mathematical sciences. Currently, the organization represents more than 3000 members and 200 institutions constituting a broad spectrum of the mathematical community, in the United States and around the world. Titles from this series are indexed by Scopus.

More information about this series at https://link.springer.com/bookseries/13764


Editors Alina Carmen Cojocaru Department of Mathematics, Statistics and Computer Science University of Illinois at Chicago Chicago, USA

Sorina Ionica Laboratoire MIS University of Picardie Jules Verne Amiens, France

Institute of Mathematics “Simion Stoilow” of the Romanian Academy Bucharest, Romania

Elisa Lorenzo García Laboratoire IRMAR Université de Rennes 1 Rennes, France

ISSN 2364-5733 ISSN 2364-5741 (electronic) Association for Women in Mathematics Series ISBN 978-3-030-77699-2 ISBN 978-3-030-77700-5 (eBook) https://doi.org/10.1007/978-3-030-77700-5 © The Authors and the Association for Women in Mathematics 2021. This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

The conference Women in Numbers—Europe 3 (WINE 3) took place at La Hublais Center in Cesson-Sévigné (Bretagne, France) during August 26–30, 2019. This was the third in a series of successful collaborative conferences held in Europe, named WINE, and initiated by the Women in Numbers (WIN) network. WIN and WINE conferences bring together self-identified female researchers at multiple career stages to conduct research projects in number theory. Generally, experienced faculty invited at the conference propose research projects and guide early career participants towards the completion of these projects. The benefits flow in both directions: on the one hand, senior researchers meet and mentor junior researchers, whose contributions stimulate the research program of the former; on the other hand, graduate students and postdocs learn about important topics by embarking on research projects with peers and new mentors. Since their inception, WIN conferences have been successful in fostering a productive network of collaborators among women conducting research in number theory. Notably, some of the working groups formed at these conferences have grown into long-lasting research teams, showing the positive impact of WIN events on the development of contemporary research in number theory. Each WIN and WINE conference leads to the publication of a proceedings volume, which showcases research projects initiated during the conference. As with other volumes, the current proceedings aim to highlight the contributions to number theory of many female mathematicians working in the field. For this purpose, we gathered research and expository papers that emerged from projects started at the conference WINE 3, as well as contributed papers. All submitted papers were reviewed by anonymous referees, following a standard refereeing protocol. The published papers are the result of a two-round revision process. 
The volume covers a wide range of topics in several areas of contemporary number theory, such as: algebraic number theory, arithmetic geometry, automorphic forms, and applications to coding theory and cryptography. Our hope is that readers with different backgrounds in number theory will find the material in this volume useful and inspiring to their own research.

Chicago, IL, USA: Alina Carmen Cojocaru
Amiens, France: Sorina Ionica
Rennes, France: Elisa Lorenzo García
November 2020

[Figure: Group photo taken at the WINE 3 conference]

Acknowledgements

We are grateful to the numerous sponsors of the Women in Numbers Europe 3 conference for their financial support, without which the event as well as this manuscript could not have happened. We acknowledge financial support from the Henri Lebesgue Center in Rennes, Clay Institute of Mathematics, Foundation Compositio Mathematica, the Association for Women in Mathematics, Microsoft Research, University of Picardie Jules Verne and the Groupe de Travail Théorie des Nombres. We are greatly indebted to the leaders of the working groups at the conference for sharing their ideas and guiding the groups through their projects.


Contents

From p-modular to p-adic Langlands Correspondences for U(1, 1)(Qp2/Qp): Deformations in the Non-supercuspidal Case
Ramla Abdellatif, Agnes David, Beth Romano, and Hanneke Wiersema

Explicit Connections Between Supersingular Isogeny Graphs and Bruhat–Tits Trees
Laia Amorós, Annamaria Iezzi, Kristin Lauter, Chloe Martindale, and Jana Sotáková

Semi-Regular Sequences and Other Random Systems of Equations
Mina Bigdeli, Emanuela De Negri, Manuela Muzika Dizdarevic, Elisa Gorla, Romy Minko, and Sulamithe Tsakou

Reduction Types of Genus-3 Curves in a Special Stratum of their Moduli Space
Irene Bouw, Nirvana Coppola, Pınar Kılıçer, Sabrina Kunzweiler, Elisa Lorenzo García, and Anna Somoza

The Complexity of MinRank
Alessio Caminata and Elisa Gorla

Fields of Definition of Elliptic Fibrations on Covers of Certain Extremal Rational Elliptic Surfaces
Victoria Cantoral-Farfán, Alice Garbagnati, Cecília Salgado, Antonela Trbović, and Rosa Winter

Integers Represented by Ternary Quadratic Forms
Bernadette Faye, Lilian Matthiesen, Damaris Schindler, Magdaléna Tinková, and Kristýna Zemková

Construction of Poincaré-type Series by Generating Kernels
Yasemin Kara, Moni Kumari, Jolanta Marzec, Kathrin Maurischat, Andreea Mocanu, and Lejla Smajlović

The Hasse Norm Principle in Global Function Fields
Adelina Mânzățeanu, Rachel Newton, Ekin Ozman, Nicole Sutherland, and Rabia Gülşah Uysal

Asymptotics of Class Numbers for Real Quadratic Fields
Nicole Raulf

Some Split Symbol Algebras of Prime Degree
Diana Savin and Vincenzo Acciaro

From p-modular to p-adic Langlands Correspondences for U(1, 1)(Qp2/Qp): Deformations in the Non-supercuspidal Case

Ramla Abdellatif, Agnes David, Beth Romano, and Hanneke Wiersema

R. Abdellatif: LAMFA – Université de Picardie Jules Verne, Amiens Cedex 1, France
A. David: Université de Bourgogne Franche-Comté, CNRS, LMB - UMR 6623, Besançon Cedex, France; Université de Rennes 1, CNRS, IRMAR - UMR 6625, Rennes, France
B. Romano: Mathematical Institute, University of Oxford, Oxford, UK
H. Wiersema: King’s College London, Strand Campus, London, UK

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_1

MSC Codes (2020) 11F70, 11F80, 20G05, 22E50

1 Introduction

Langlands correspondences are non-abelian, and mostly still conjectural, generalisations of class field theory. Recall that, given a non-Archimedean local field F with positive residual characteristic p and separable closure F , the local version of class field theory provides a natural identification of continuous C-valued characters of F := Gal(F /F ) with smooth complex characters (i.e. irreducible smooth representations) of F× = GL1(F). In 1967, Langlands conjectured that some analogous correspondence should exist for higher-dimensional representations (characters being one-dimensional representations), and that n-dimensional continuous representations of F should naturally correspond to some admissible smooth representations of GLn(F). He even went further, as he conjectured later that such a statement should hold for reductive groups G other than GLn if one prescribes certain conditions on the image of the Galois representations involved in such correspondences, and if one allows correspondences with finite fibres that are not necessarily one-to-one. More specifically, we should be able to gather the relevant representations of G = G(F) into disjoint sets called packets, each of which should correspond to a single Galois representation. For more details and explanations of this so-called classical setting, in which the representations of both G and F are defined over C, the reader should for instance refer to [Bor76].

In the last decades, congruences between modular forms as well as deformations of p-modular Galois representations have played important roles in the proofs of some major arithmetical results, such as Wiles’ proof of the Shimura–Taniyama–Weil conjecture [Wil95] and Kisin’s work on the Fontaine–Mazur conjectures [Kis09]. These advances motivate in turn the search for analogues of Langlands correspondences that classify representations with coefficients in rings other than C. The latest examples are given by p-modular Langlands correspondences, which take coefficients in an algebraically closed field of characteristic p, and p-adic Langlands correspondences, which take coefficients in a (large enough) finite extension of Qp. In both of these settings, while we can often understand the Galois side of the correspondence, the so-called automorphic counterpart is still very mysterious [AHHV16], even when studying representations of GL2(F) [BP12, Le19, Wu19].

A natural question in this setting is how compatible the p-adic and p-modular statements are. More precisely, if E is a finite extension of Qp with ring of integers O, maximal ideal p, and residue field k = O/p, then any representation π defined over O naturally gives (via reduction modulo p) a representation π over k. On the other hand, given a representation over k, deformation theory allows us to study representations over O whose reduction modulo p is isomorphic to π.
The ability to move between characteristic p and characteristic zero naturally leads to the following kind of functoriality problem: let k be an algebraically closed field of characteristic p and let π be an irreducible smooth k-representation of a p-adic group G that corresponds (under an appropriate p-modular Langlands correspondence) to a continuous representation σ of F . Is it possible to relate deformation theories for σ and π under an appropriate p-adic Langlands correspondence? Equivalently, how do reduction modulo p and deformation theory help to connect the aforementioned p-modular and p-adic Langlands correspondences? Note that the ability to answer these questions through deformation theory is a keystone in Colmez’s proof of p-adic Langlands correspondences for GL2(Qp) for p ≥ 5 [Col10, Kis10], so it is natural to consider them when interested in p-adic Langlands correspondences for other p-adic groups.

To our knowledge, this has not been studied much besides the GLn(F) case, even in the -adic case (i.e. when k is an algebraically closed field of positive characteristic  = p, see [Vig96]), though the relevant deformations in this setting are quite well understood on the Galois side [BG19, BP20]. In a current work in progress, the two first authors study the case of special linear group SL2(Qp), which is the first group for which a semisimple p-modular Langlands correspondence involving actual packets has been proved [Abd14]. The present paper focuses on the case of the quasi-split unramified unitary group G = U(1, 1)(Qp2/Qp), which is the first non-split group for which a semisimple p-modular Langlands correspondence has been settled [Koz16]. Note that this correspondence also involves actual packets: it is not a one-to-one, but a finite-to-one, correspondence. Our question is the following: how does this semisimple correspondence behave under deformations, i.e. when the objects it involves are lifted to p-adic representations/parameters? This paper explains what is known so far in this direction for non-supercuspidal objects.

As above, let G = U(1, 1)(Qp2/Qp). First, in Sect. 2, we review basic definitions about representations of p-adic groups in the context of the group G, including the definition of a non-supercuspidal representation of G. We finish the section with the classification of irreducible smooth non-supercuspidal representations of G over Fp, where Fp denotes an algebraic closure of the residue field of Qp. In Sect. 3 we introduce Langlands parameters and describe where non-supercuspidal representations fit into the semisimple Langlands correspondence Kozioł attached to representations of G [Koz16]. In Sect. 4 we begin to explore how the semisimple Langlands correspondence behaves when lifted to characteristic 0. To do so, we describe recent results of Hauseux–Sorensen–Schmidt [HSS18, HSS19] about the behaviour of parabolic induction under deformation, and we explicitly determine which representations of G their results apply to on the automorphic side. Finally, in Sect. 5 we use recent work of Kozioł–Morra to study how the Galois side of the correspondence behaves under deformation [KM20]. Our method here is to use the theory of Kisin modules to better understand the deformations of interest. The distinction between supercuspidal and non-supercuspidal representations has a counterpart on the Galois side of the correspondence, but we do not need to make this distinction for the main results of Sect. 5. We can afford to be more general in this section because the results on the Galois side are uniform.
(In contrast, the construction and deformations of supercuspidal representations on the automorphic side involves different techniques than for their non-supercuspidal counterparts.) We point out open problems related to deformations on both sides of the Langlands correspondence that are the subject of work in progress.

1.1 General Notation

We fix a prime integer p. We let Qp denote the field of p-adic numbers and we fix a separable closure Qp of Qp, as well as an algebraic closure Fp of the residue field Fp of Qp. We let Zp denote the ring of integers of Qp. Given any positive integer n, we let Qpn be the unique unramified extension of degree n of Qp in Qp and we denote by Zpn its ring of integers. We fix an isomorphism Zpn/pZpn → Fpn ⊂ Fp identifying the residue field of Qpn with Fpn, and we write x ∈ Fpn for the image of x ∈ Zpn under the composite map Zpn  Zpn/pZpn → Fpn. These maps extend to a reduction map Zp → Fp, which we also denote x → x, and which allows us to identify the residue field of Qp with Fp.

Let c denote the nontrivial element of Gal(Qp2/Qp) and, for $g = \begin{pmatrix} x & y \\ z & w \end{pmatrix} \in \mathrm{GL}_2(\mathbf{Q}_{p^2})$, write $c(g)$ for $\begin{pmatrix} c(x) & c(y) \\ c(z) & c(w) \end{pmatrix}$. We write G for the unramified quasi-split unitary group in two variables defined over Qp and set G = G(Qp). As usual, and more concretely, we identify G = U(1, 1)(Qp2/Qp) with the following subgroup of $\mathrm{GL}_2(\mathbf{Q}_{p^2})$, where $g^* = c(g)^t$ denotes the conjugate transpose of $g \in \mathrm{GL}_2(\mathbf{Q}_{p^2})$:

$$G = \left\{ g \in \mathrm{GL}_2(\mathbf{Q}_{p^2}) \;\middle|\; g^* \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} g = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \right\}.$$

We write $I_2 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$ for the 2 × 2 identity matrix. We let B be the subgroup of upper-triangular matrices in G. It is a Borel subgroup of G with Levi decomposition B = TU, where U denotes the unipotent radical of B and T the maximal torus of G made of all diagonal matrices in G:

$$T = \left\{ t(x) := \begin{pmatrix} x & 0 \\ 0 & c(x)^{-1} \end{pmatrix} \;\middle|\; x \in \mathbf{Q}_{p^2}^\times \right\}.$$

Note that U is an abelian group, isomorphic to the additive group (Qp, +). We let $B^-$ be the opposite Borel to B with respect to T. Note that $B^-$ is nothing but the subgroup of lower-triangular matrices in G. We let W be the Weyl group of G. Recall that we have $W = N_G(T)/T$, where we write $N_G(T)$ for the normaliser of T in G. The group W has two elements, and we let $s_0$ denote the non-trivial one. A representative of $s_0$ in $N_G(T)$ is given by the matrix $s = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$.

We let Gder = SU(1, 1)(Qp2/Qp) denote the derived group of G: it consists of all matrices in G with determinant 1. Recall that, once we fix an element ε ∈ Qp2 such that Qp2 = Qp(ε) and c(ε) = −ε, conjugation by the element $\begin{pmatrix} \varepsilon & 0 \\ 0 & 1 \end{pmatrix}$ defines an isomorphism from Gder to SL2(Qp).

Given any ring R, any character $\chi : H \to R^\times$ of a group H, and any positive integer n, we write $\chi^n : H \to R^\times$ for the R-valued character of H given by $\chi^n(h) := \chi(h)^n$. For any group H, we write $1_H$ for the trivial representation of H over Fp.

Given any finite extension F/Qp, we write F := Gal(Qp /F ) for its absolute Galois group and IF ⊂ F for the inertia subgroup of F . We fix an element ϕ ∈ Qp such that the image of ϕ in the abelianisation Qp ab is equal to the image of $p^{-1}$ under the reciprocity map Q×p → Qp ab of local class field theory. It is useful to recall that we have the following short exact sequence, where WQp ⊂ Qp denotes the Weil group of Qp and ϕ Z denotes the subgroup of Qp generated by ϕ:

$$1 \longrightarrow I_{\mathbf{Q}_p} \longrightarrow W_{\mathbf{Q}_p} \longrightarrow \phi^{\mathbf{Z}} \longrightarrow 1.$$

2 Non-supercuspidal Representations of G over Fp

In this section, we recall the classification of irreducible smooth non-supercuspidal representations of G = U(1, 1)(Qp2/Qp) over Fp, as first established in [Abd11, Chapitre 5]. Given a commutative ring A, recall that a representation (π, V) of G on an A-module V is called smooth if every element of V has open stabiliser in G. Equivalently, this means that V can be written as $\bigcup_K V^K$, where the union is taken over the open subgroups K of G, and where $V^K := \{v \in V \mid \pi(k)v = v \text{ for all } k \in K\}$ denotes the subspace of K-fixed vectors in V. We write $\mathrm{Mod}^\infty_G(A)$ for the category of smooth representations of G over A, and define similarly Mod∞  (A) for any topological group . Given any closed subgroup H of G and any smooth A[H]-module V, we set

$$\mathrm{Ind}_H^G(V) = \{ f : G \to V \mid \text{there exists a compact open subgroup } K_f \subset G \text{ such that } f(hgk) = h \cdot f(g) \text{ for all } h \in H,\ g \in G,\ k \in K_f \}.$$

The A-module $\mathrm{Ind}_H^G(V)$ is naturally endowed with a smooth action of G by right translations, and the corresponding functor $\mathrm{Ind}_H^G : \mathrm{Mod}^\infty_H \to \mathrm{Mod}^\infty_G$ is called smooth induction from H to G. A particular case of smooth induction is given by parabolic induction, when H is a (proper) parabolic subgroup of G. In our setting, G is of relative rank 1 over F , hence if H is a proper parabolic subgroup, we can assume without loss of generality that H = B is the Borel subgroup defined above. Parabolic induction is then defined as follows: given a smooth character $\chi : T \to A^\times$, we can inflate χ to a character of B trivial on U (still denoted by χ) and consider $\mathrm{Ind}_B^G(\chi)$.

Remark 2.1 Note that $\mathrm{Ind}_B^G$ actually defines a functor $\mathrm{Mod}^{\infty,\mathrm{adm}}_T(A) \to \mathrm{Mod}^{\infty,\mathrm{adm}}_G(A)$, where we write $\mathrm{Mod}^{\infty,\mathrm{adm}}_X(A)$ for the full subcategory of $\mathrm{Mod}^\infty_X(A)$ whose objects are admissible representations, i.e. such that $V^K$ is an A-module of finite type for any compact open subgroup K of G.

When classifying irreducible smooth representations of G over A = Fp, a natural first step is to study parabolically induced representations, not only because of their uniform and easy construction, but also because they reflect representations of G that come from (proper) reductive subgroups of G. This leads to the following definition.

Definition 2.2 Let π be an irreducible smooth representation of G over A.
• We say that π is non-supercuspidal if π is isomorphic to a subquotient of $\mathrm{Ind}_B^G(\chi)$ for some smooth character $\chi : T \to A^\times$.
• We say that π is a principal series representation if π is isomorphic to a parabolically induced representation $\mathrm{Ind}_B^G(\chi)$ for some smooth character $\chi : T \to A^\times$.

Following [Abd11, Théorème 5.1.2], we know that isomorphism classes of irreducible smooth non-supercuspidal representations of G over Fp split into three disjoint families: characters, principal series representations, and special series representations. We now recall the explicit description of these objects, as stated in [Koz16, Theorem 4.3]. This requires us to introduce the following notation. For any $\lambda \in \mathbf{F}_p^\times$, we denote by $\mu_\lambda : \mathbf{Q}_{p^2}^\times \to \mathbf{F}_p^\times$ the smooth character trivial on $\mathbf{Z}_{p^2}^\times$ that maps p to λ. Also, we let $\omega : \mathbf{Q}_{p^2}^\times \to \mathbf{F}_p^\times$ be the smooth character such that $\omega(p) = 1$ and $\omega(u) = u \in \mathbf{F}_{p^2}^\times$ is the reduction modulo p of $u \in \mathbf{Z}_{p^2}^\times$.

2.1 Principal Series Representations and Characters of G

As T is naturally isomorphic to $\mathbf{Q}_{p^2}^\times$ via the group homomorphism $\mathbf{Q}_{p^2}^\times \to T$ that maps x to t(x), all characters $\mu_\lambda$, for $\lambda \in \mathbf{F}_p^\times$, and ω can (and will) also be seen as smooth characters of T. It is then straightforward to check that any smooth character of T is of the form $\mu_\lambda \omega^r$ for a unique pair $(r, \lambda) \in \mathbf{Z} \times \mathbf{F}_p^\times$ with $0 \le r \le p^2 - 2$. By [Abd11, Théorème 5.3.1, (2)], a parabolically induced representation $\mathrm{Ind}_B^G(\chi)$ is irreducible if and only if χ does not extend to a smooth character of G, so to describe the principal series representations of G we must identify which of these characters can be extended to smooth characters of G.

Lemma 2.3 Let $(r, \lambda) \in \mathbf{Z} \times \mathbf{F}_p^\times$ with $0 \le r \le p^2 - 2$. The smooth character $\mu_\lambda \omega^r : T \to \mathbf{F}_p^\times$ extends to a smooth character $\chi : G \to \mathbf{F}_p^\times$ if, and only if, λ = 1 and r = m(p − 1) with 0 ≤ m ≤ p. In this case, we have $\chi = \omega^{-m} \circ \det$.

Proof Let $\mu_\lambda \omega^r$ be a smooth character of T that extends to a smooth character χ of G. Then χ must be trivial on the derived group Gder of G, hence it is trivial on the diagonal torus of Gder, which means that we must have χ(x) = 1 whenever c(x) = x, i.e. whenever x belongs to $\mathbf{Q}_p^\times$. As p belongs to $\mathbf{Q}_p^\times$, we must have $\chi(t(p)) = (\mu_\lambda \omega^r)(p) = 1$, i.e. λ = 1. Now let ζ be a root of unity of order $p^2 - 1$ in $\mathbf{Q}_{p^2}^\times$: then ζ lies in $\mathbf{Z}_{p^2}^\times$ and ω(ζ) generates the multiplicative group $\mathbf{F}_{p^2}^\times$. Since $\zeta^{p+1}$ belongs to $\mathbf{Q}_p^\times$, we must have $\chi(t(\zeta^{p+1})) = 1$, i.e. $\zeta^{r(p+1)} = 1$. This implies, as ζ is of order $p^2 - 1$, that p − 1 divides r, hence r = m(p − 1) with 0 ≤ m ≤ p. Conversely, if r satisfies such a condition, then $\omega^r = (\omega^{p-1})^m$ is the restriction of the smooth character $\omega^{-m} \circ \det : G \to \mathbf{F}_p^\times$, since for any k we have $(\omega^k \circ \det)(t(\zeta)) = \omega^k(\zeta c(\zeta)^{-1}) = \omega^k(\zeta \zeta^{-p}) = \omega^k(\zeta^{1-p}) = \zeta^{(1-p)k}$.

Corollary 2.4 Let $(r, \lambda) \in \mathbf{Z} \times \mathbf{F}_p^\times$ with $0 \le r \le p^2 - 2$. If $(r, \lambda) \neq ((p - 1)m, 1)$ for all 0 ≤ m ≤ p, then $\mathrm{Ind}_B^G(\mu_\lambda \omega^r)$ is an irreducible smooth representation of G.


Proof This is a direct application of [Abd11, Théorème 5.3.1, (2)] using Lemma 2.3.  

2.2 Special Series Representations Now assume that χ is a smooth character of T that extends to a smooth character ωr ◦ det of G. Up to twisting by ω−r ◦ det, we can assume that χ is trivial and focus on the parabolically induced representation IndG B (1B ). We know from [Abd11, Théorème 5.3.10, (2)] that IndG (1 ) is a reducible representation of G of B B length 2, with the trivial character 1G as subrepresentation. The irreducible quotient representation StG := IndG B (1B )/1G is called the Steinberg representation, and twists of the Steinberg representation by smooth characters of G are called special series representations. Such representak tions are exactly those that appear as irreducible quotients of IndG B (ω ◦ det) for any integer 0 ≤ k ≤ p.

2.3 Classification of Non-supercuspidal Representations of G

If we combine the results of the previous subsections, we recover the following classification of non-supercuspidal representations of G, as given in [Koz16, Theorem 4.3].

Theorem 2.5 Let V be an irreducible smooth, non-supercuspidal representation of G. Then V is isomorphic to one and only one of the following representations:
• ω^k ◦ det, with 0 ≤ k ≤ p;
• (ω^k ◦ det) ⊗ St_G, with 0 ≤ k ≤ p;
• Ind_B^G(μ_λ ω^r) with (r, λ) ∈ Z × Fp^× such that 0 ≤ r ≤ p^2 − 2 and (r, λ) ≠ ((p − 1)m, 1) for all 0 ≤ m ≤ p.

Proof We saw above that all these representations are irreducible smooth non-supercuspidal representations of G over Fp. We know from [Abd11, Lemme 5.4.1] (resp. [Abd11, Lemme 5.4.3]) that principal series (resp. special series) representations coming from distinct characters are non-isomorphic. As principal series representations and special series representations are infinite dimensional, they cannot be isomorphic to smooth characters of G. Finally, [Abd11, Lemme 5.5.1, Corollaire 5.5.4] ensures that a principal series representation cannot be isomorphic to a special series representation as their spaces of I(1)-invariant


R. Abdellatif et al.

vectors have different dimensions (as vector spaces over Fp), where I(1) denotes the standard pro-p Iwahori subgroup of G.

Remark 2.6 The classification of supercuspidal representations of G is also known, as it was proven by Kozioł [Koz16, Theorem 5.7]. Note that it is one of the only three cases where such a classification is explicit (see [Bre03] and [Abd14] for the two other cases). We choose not to recall this part of the classification in this paper as it would require a lot of extra material that we do not use at all in the sequel. For the record, let us nevertheless mention that one of the next steps of our research project is to understand how supercuspidal representations deform.

3 A Non-supercuspidal Semisimple Langlands Correspondence

Following Langlands philosophy, (packets of) isomorphism classes of irreducible smooth representations of a reductive p-adic group should correspond to equivalence classes of Langlands parameters, which roughly correspond to certain (packets of) Galois representations. For our group G = U(1, 1)(Qp2/Qp), this statement has been clarified and proven by Kozioł in [Koz16, Section 6]. The goal of this section is to explain what happens to packets of non-supercuspidal representations under such a correspondence.

3.1 Galois Representations and Dual Groups Associated with G

To make precise the conditions put on the Galois representations that should appear in the p-modular Langlands correspondence for G, we need to define some algebraic groups that are naturally attached to (the algebraic group U(1, 1) that defines) G in this setting. The first one is the L-group, or Langlands group, which already appears in the classical (complex) correspondence and is defined as follows. (Recall that ϕ is the Frobenius automorphism fixed in Sect. 1.)

Definition 3.1 The L-group associated to G is defined as ^L G := GL2(Fp) ⋊ Qp, where the action of Qp on GL2(Fp) is given by the following formulae (for g ∈ GL2(Fp) and h ∈ Qp2):

$$\phi\, g\, \phi^{-1} = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix} (g^{t})^{-1} \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}^{-1} = \det(g)^{-1} g, \tag{1}$$

$$h g h^{-1} = g. \tag{2}$$


For further use and generalisation, we note here that the group GL2(Fp) involved in Definition 3.1 is actually the group of Fp-points of the usual dual group of U(1, 1). As the latter splits over the quadratic unramified extension Qp2 of Qp, the Fp-points of its dual group naturally identify with the Fp-points of the dual group of the split form, i.e. of GL2.

The second group we are interested in is the C-group, as defined in [BG13, Definition 5.3.2] by Buzzard–Gee. As explained in the introduction of [BG13], their initial motivation was to define an alternative to the L-group that makes it possible to state reasonable generalisations of Clozel’s algebraicity conjectures for groups other than GLn. Since this alternative appears in Kozioł–Morra’s work as a convenient tool to deform certain families of Galois parameters [KM20], we need to understand how it relates to the classical L-group ^L G used by Kozioł to state the semisimple correspondence [Koz16, Definition 6.20]. Note that defining the C-group of G requires us to assume p ≠ 2, though the previously mentioned semisimple correspondence holds for an arbitrary prime p. Thus assume for now that p is odd.

The C-group associated to G is the L-group of some Gm-extension of the algebraic group U(1, 1) that is characterised by [BG13, Proposition 5.3.1]. At this point in the paper, we only need the following concrete description of its Fp-points. If we let ^C G denote this group, then we have (as in [BG13, Section 8.3] or [Koz16, Appendix A]):

^C G = ((GL2(Fp) × Fp^×)/⟨(−I2, −1)⟩) ⋊ Qp ≅ (GL2(Fp) × Fp^×) ⋊ Qp,   (3)

where Qp acts trivially on the Fp^×-factors and by formulae (1) and (2) on the GL2(Fp)-factors (on both sides of the isomorphism). Note that the latter isomorphism in (3) is given by

$$(g, a) \mapsto \left( g \begin{pmatrix} a & 0 \\ 0 & a \end{pmatrix},\ a^{2} \right). \tag{4}$$

3.2 From Langlands Parameters to C-Parameters

We now recall classical definitions related to Langlands parameters involving the L-group of G. Later, we will adjust our definitions to work with parameters defined using the C-group of G, to connect more clearly to the setting developed in [KM20]. To ease notation, we let Ĝ := GL2(Fp) denote the left-hand factor in the definition of ^L G.

Definition 3.2 A Langlands parameter is a group homomorphism φ : Qp → ^L G = GL2(Fp) ⋊ Qp such that the composition of φ with the canonical projection ^L G → Qp is the identity map. We say that two Langlands parameters are equivalent if they are conjugate by an element of Ĝ.

Let φ : Qp → ^L G be a Langlands parameter. According to (2), Qp2 acts trivially on Ĝ, hence the restriction of φ to Qp2 is of the form h ↦ φ0(h)h for some group homomorphism φ0 : Qp2 → Ĝ.

Definition 3.3 Given a Langlands parameter φ, the group homomorphism φ0 : Qp2 → GL2(Fp) defined above is a two-dimensional p-modular representation of Qp2 called the Galois representation associated to φ.

Note that, by construction, a Langlands parameter φ is completely determined by the image φ(ϕ) of the Frobenius element and by its Galois representation φ0. But, unlike in the classical complex setting, the Galois representation φ0 is always reducible [Koz16, Proposition 6.13]. This implies that its image lies in a Borel subgroup of GL2(Fp), which is (up to conjugacy, which does not change the isomorphism class of φ0 as a representation of Qp2) the subgroup P of its upper-triangular matrices. Equivalently, this means that φ0 is an extension of the form 1 → χ1 → → χ2 → 1, where χ1, χ2 : Qp2 → Fp^× are continuous characters.

Since non-supercuspidal representations come by definition from irreducible smooth representations of T (as subquotients of well-chosen parabolically induced representations, see Definition 2.2), they should correspond, under the p-modular Langlands correspondence for G, to Galois representations coming from the corresponding Levi factor of P, i.e. to Galois representations that decompose as χ1 ⊕ χ2 for some continuous characters χ1, χ2 : Qp2 → Fp^×. Letting P := ZN be the Levi decomposition of P, with N being the unipotent radical of P, this observation translates on the level of Langlands parameters into the requirement that the corresponding Langlands parameter φ factors through the natural Qp-equivariant embedding ^L Z → ^L G induced by the canonical embedding Z → G. We will say that such Langlands parameters are non-supercuspidal.

To give an explicit description of such parameters (as in [Koz16, Proposition 6.17]), we need to introduce the following notation. For any λ ∈ Fp^×, we let μ_{2,λ} : Qp2 → Fp^× be the group homomorphism that is trivial on I_{Qp2} and satisfies μ_{2,λ}(ϕ^2) = λ. Now fix an element 2 ∈ Qp such that p2 −1 2 1 =

p+1 2 .

by ωn (h) =

For n ∈ {1, 2}, we let ωn : IQp →

n ( h· n ).

× Fp

= p, and let

be the character given

According to [Bre07, Lemma 2.5], ωn can be extended to a smooth character ωn : Qpn → Fp^× that maps ϕ^n to 1. It is easy to check [Koz16, Corollary 6.3] that smooth characters of Qp2 → Fp^× are of the form μ_{2,λ} ω2^r for some pair (r, λ) ∈ Z × Fp^× with 0 ≤ r ≤ p^2 − 2.


Proposition 3.4 A Langlands parameter φ : Qp → ^L G is non-supercuspidal if, and only if, there exists a pair (r, λ) ∈ Z × Fp^× with 0 ≤ r ≤ p^2 − 2 such that φ is equivalent to the Langlands parameter ψ_{r,λ} defined by

$$\psi_{r,\lambda}(\phi) = \begin{pmatrix} 1 & 0 \\ 0 & \lambda \end{pmatrix} \phi \quad\text{and}\quad \psi_{r,\lambda}(h) = \begin{pmatrix} \mu_{2,\lambda^{-1}}\,\omega_2^{r}(h) & 0 \\ 0 & \mu_{2,\lambda}\,\omega_2^{-pr}(h) \end{pmatrix} h$$

for any h ∈ Qp2. Moreover, if (r, λ) ∈ Z × Fp^× and (r′, λ′) ∈ Z × Fp^× are such that 0 ≤ r, r′ ≤ p^2 − 2, then ψ_{r,λ} and ψ_{r′,λ′} are equivalent Langlands parameters if, and only if, we have (r′, λ′) = (r, λ) or (r′, λ′) = (−pr + m(p^2 − 1), λ^{−1}) for some m ∈ Z.

Proof The characterisation of non-supercuspidal parameters comes from [Koz16, Proposition 6.17]. The characterisation of equivalence classes of such parameters is done in [Koz16, Lemma 6.18].

As mentioned earlier, we would like to connect these parameters to C-groups: this is why we now define the notion of C-parameters (also called ^C G-valued Langlands parameters), and explain how they relate to the (non-supercuspidal) Langlands parameters defined above. In the next definition, we write ^C Ĝ for the left-hand factor (GL2(Fp) × Fp^×)/⟨(−I2, −1)⟩ appearing in the definition of ^C G (see (3)).

Definition 3.5 A C-parameter is a group homomorphism φ : Qp → ^C G such that the composition of φ with the canonical projection ^C G → Qp is the identity map. We say that two C-parameters are equivalent if they are conjugate by an element of ^C Ĝ.

Under (4), we can (and will) consider C-parameters to take values in (GL2(Fp) × Fp^×) ⋊ Qp; hence we will also use isomorphism (4) to identify ^C Ĝ with GL2(Fp) × Fp^×. This point of view allows for a more straightforward connection with Langlands parameters, as the latter take values in GL2(Fp) ⋊ Qp. Similarly to what was done in Proposition 3.4 for Langlands parameters, we define C-parameters ψ_{r,λ}, indexed by pairs (r, λ) ∈ Z × Fp^× with 0 ≤ r ≤ p^2 − 2, by setting

$$\psi_{r,\lambda}(\phi) = \left( \begin{pmatrix} 1 & 0 \\ 0 & \lambda \end{pmatrix},\ 1 \right) \phi \quad\text{and}\quad \psi_{r,\lambda}(h) = \left( \begin{pmatrix} \mu_{2,\lambda^{-1}}\,\omega_2^{r}(h) & 0 \\ 0 & \mu_{2,\lambda}\,\omega_2^{-pr-(p+1)}(h) \end{pmatrix} \omega_1(h),\ \omega_1(h) \right) h$$

for any h ∈ Qp2. We observe that, by construction, there is a one-to-one correspondence between these C-parameters and non-supercuspidal Langlands parameters as given in Proposition 3.4. In particular, equivalence classes of C-parameters are characterised in the same way as equivalence classes of Langlands parameters are in the last part of Proposition 3.4.
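The equivalence criterion at the end of Proposition 3.4, worked out by enumeration as an added example (not code from the paper): each index pair is grouped with its image under (r, λ) ↦ (−pr mod p^2 − 1, λ^{−1}). Restricting λ to the prime field and all function names are assumptions made here so that the index set is finite.

```python
# Added illustration: classes of index pairs (r, lam) under the relation of
# Proposition 3.4, (r', lam') = (r, lam) or (-p*r + m*(p^2 - 1), lam^{-1}).
# Assumption: lam ranges over the nonzero residues mod p (the prime field).


def partner(r, lam, p):
    """Other index pair labelling the same class: (-p*r mod p^2-1, lam^-1)."""
    return ((-p * r) % (p * p - 1), pow(lam, -1, p))


def equivalence_classes(p):
    """Classes of pairs (r, lam) with 0 <= r <= p^2 - 2 and 1 <= lam <= p - 1."""
    seen, classes = set(), []
    for r in range(p * p - 1):
        for lam in range(1, p):
            if (r, lam) in seen:
                continue
            # partner() is an involution because p^2 = 1 mod (p^2 - 1),
            # so every class has one or two elements.
            cls = frozenset({(r, lam), partner(r, lam, p)})
            seen |= cls
            classes.append(cls)
    return classes


def self_equivalent_pairs(p):
    """Pairs fixed by partner(): these need (p - 1) | r and lam = +-1."""
    return sorted(min(c) for c in equivalence_classes(p) if len(c) == 1)


def canonical_index(r, lam, p):
    """Lexicographically smallest pair in the class of (r, lam)."""
    r %= p * p - 1
    lam %= p
    return min((r, lam), partner(r, lam, p))


if __name__ == "__main__":
    for p in (3, 5, 7):
        classes = equivalence_classes(p)
        fixed = self_equivalent_pairs(p)
        print(f"p={p}: {len(classes)} classes, "
              f"{len(fixed)} self-equivalent pairs, "
              f"fixed r values {sorted({r for r, _ in fixed})}")
```

The self-equivalent pairs are exactly those with r = m(p − 1) for 0 ≤ m ≤ p and λ = ±1, so the class count is ((p^2 − 1)(p − 1) + 2(p + 1))/2 under the stated assumption on λ.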

3.3 A Langlands Correspondence for Non-supercuspidal Representations

Historically, the first group for which the formulation of a (classical or p-modular) local Langlands correspondence involves actual packets (i.e. is not a one-to-one correspondence) is the special linear group SL2. Thus before we discuss L-packets for G in the present setting, we briefly review the logic that goes into making analogous definitions for SL2. In the classical setting (see the introduction of [LL79]), packets for SL2 can be seen (on the automorphic side) as an incarnation of the action of GL2 by conjugation on smooth representations of SL2, as most packets correspond to GL2-orbits of irreducible representations. Each of these so-called L-packets corresponds to an equivalence class of group homomorphisms Qp → PGL2(C), which in turn can be thought of as the set of Galois representations lifting a fixed projective Galois representation. In the p-modular setting, we can follow the same philosophy to define a local Langlands correspondence for supercuspidal representations of SL2(Qp) [Abd14, Section 4.2]: in this case, L-packets consist of GL2(Qp)-orbits of irreducible supercuspidal representations of SL2(Qp) over Fp, but these packets can also be defined as Jordan–Hölder factors of a given irreducible supercuspidal representation of GL2(Qp). Note that, unlike in the classical case, there is no multiplicity-one result for p-modular representations (compare [LL79, Lemma 2.6] with [Abd14, Théorème 4.12 (2)] for r = (p − 1)/2).

The non-supercuspidal case for SL2(Qp) is even trickier than the supercuspidal case. First note that, as twisting a representation by a character of GL2(Qp) does not change its restriction to SL2(Qp), non-isomorphic representations of GL2(Qp) can be isomorphic as representations of SL2(Qp).
This can actually occur even for pairs of representations that remain non-isomorphic after twisting by any character of GL2(Qp), see [Abd14, Théorèmes 2.16 and 4.12]. Moreover, [Abd14, Proposition 2.8] shows that non-supercuspidal representations are fixed (up to isomorphism) under the action of GL2(Qp) by conjugation, which prevents us from defining L-packets simply as GL2-orbits of irreducible smooth representations. Indeed, doing so would imply that any natural map from irreducible representations of SL2(Qp) to the set of equivalence classes of Langlands parameters for SL2(Qp) (i.e. of projective Galois representations in this context) would map distinct L-packets to the same projective representation, which does not make sense for a correspondence. This motivates the introduction of (reducible) semisimple representations in the non-supercuspidal setting [Abd14, Definition 4.13]: their factors correspond to irreducible representations that should match with the same projective representation,


and their construction ensures that they are stable under GL2-conjugation, hence that the original concept of an L-packet is in some way preserved. Note that [Abd14, Théorème 3.18] relates these semisimple representations with semisimplifications of well-known smooth representations of SL2(Qp). Following the same philosophy, we are led to make the following definitions for G.

Definition 3.6 Given (r, λ) ∈ Z × Fp^× with 0 ≤ r ≤ p^2 − 2, we write π(r, λ) for the semisimplification of Ind_B^G(μ_{λ^{−1}} ω^{−pr}).

For instance, we have, for 0 ≤ r ≤ p − 1 and λ ∈ Fp^×:

$$\pi(r,\lambda) = \begin{cases} \mathrm{Ind}_B^G(\mu_{\lambda^{-1}}\,\omega^{-pr}) & \text{if } (r,\lambda) \neq (0,1),\ (p-1,1), \\ (\omega^{p}\circ\det) \oplus \big((\omega^{p}\circ\det)\otimes \mathrm{St}_G\big) & \text{if } (r,\lambda) = (p-1,1), \\ 1_G \oplus \mathrm{St}_G & \text{if } (r,\lambda) = (0,1). \end{cases}$$

Remark 3.7 Although Definition 3.6 is uniform for all pairs (r, λ), the representation π(0, 1) actually naturally arises as the semisimplification of a non-trivial extension of 1_G by St_G, not of a parabolically induced representation. Though it has no impact on the definition of a semisimple Langlands correspondence, it must be kept in mind for future work. For more information on this phenomenon, the reader may refer to [Abd14, Théorèmes 3.16 and 3.18], where the corresponding objects and phenomena for GL2 and SL2 are introduced.

Note that assuming 0 ≤ r ≤ p − 1 is not restrictive in the context of Langlands correspondences, since Proposition 3.4 shows that an equivalence class of Langlands parameters (or, equivalently, of C-parameters) always contains a parameter whose index r satisfies this condition. Also note that, similarly to what happens for SL2 and following [Koz16, Proposition 5.10], each of these representations is fixed (up to isomorphism) under the action of

$$\mathrm{GU}(1,1)(\mathbb{Q}_{p^2}/\mathbb{Q}_p) := \left\{ g \in \mathrm{GL}_2(\mathbb{Q}_{p^2}) \ \middle|\ g^{*} \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} g = \kappa \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \text{ for some } \kappa \in \mathbb{Q}_p^{\times} \right\}.$$

According to Proposition 3.4, distinct pairs (r, λ) and (r′, λ′) may correspond to equivalent C-parameters, so we are led to define the following semisimple representations of G to obtain suitable representatives of L-packets.

Definition 3.8 For (r, λ) ∈ Z × Fp^× with 0 ≤ r ≤ p − 1, we define (r, λ) as the following semisimple representation of G:

(r, λ) := π(r, λ) ⊕ (ω^{r+1} ◦ det) ⊗ π(p − 1 − r, λ^{−1}).

For any integer k, we also set (r, λ, k) := (ω^k ◦ det) ⊗ (r, λ).

Note that (r, λ, k) is an L-packet for G in the sense of [Koz16, Definition 5.9], since it is by construction fixed under the action of GU(1, 1)(Qp2/Qp). We can now state the non-supercuspidal part of the p-modular semisimple Langlands correspondence for G [Koz16, Definition A.5].

Definition 3.9 The non-supercuspidal part of the semisimple p-modular correspondence for G is the following matching between equivalence classes of C-parameters ψ_{r′,λ′} and isomorphism classes of L-packets (r, λ, k): for any 0 ≤ r ≤ p − 1, λ ∈ Fp^× and 0 ≤ k < p + 1,

ψ_{(r−1)+(1−p)k, λ} ←→ (r, λ, k).

4 Deforming Non-supercuspidal Representations of G

Our purpose is to study how the p-modular Langlands correspondence defined above behaves when it is functorially lifted to characteristic 0, i.e. to p-adic representations/parameters. To define precisely what we mean by functorial lifting requires the use of deformation theory. This section gathers what is known about deformations of non-supercuspidal representations of G; its Galois counterpart, relative to the deformation of Galois parameters, is postponed to Sect. 5.

From now on, we let E/Qp be a (large enough) finite extension of fields. We let O be the ring of integers of E and k = O/ O be its residue field, where  denotes a fixed uniformiser of O. We write Art(O) (respectively: Noe(O); Pro(O)) for the category of local Artinian (respectively: local complete Noetherian; local profinite) O-algebras A such that the structural morphism from O to A is local and induces an isomorphism between k and the residue field of A; the morphisms are local O-algebra morphisms (respectively: local O-algebra morphisms; continuous local O-algebra morphisms). Note that Art(O) is the full subcategory of Artinian rings (in Pro(O) and) in Noe(O) and that Noe(O) is the full subcategory of Noetherian rings in Pro(O). We write H for the Qp-points of a connected reductive group defined over Qp. (In the sequel, H will mainly be either G or T, as defined above.)

Definition 4.1 Let π be a representation of H over k. A lift of π to A ∈ Art(O) is a pair (π, φ) where π is a smooth A[H]-module that is free over A, and φ : π → π is an A[H]-linear surjection that induces an A[H]-linear isomorphism π ⊗_A k → π. A morphism of lifts (π, φ) → (π′, φ′) is an A[H]-linear morphism i : π → π′ such that φ = φ′ ◦ i.


For any A ∈ Art(O), we let Def_π(A) be the set of isomorphism classes of lifts of π to A. Then any smooth k-representation π of H defines a functor Def_π : Art(O) → Set. Considering the strong connection between non-supercuspidal representations and parabolic induction functors, it seems natural to wonder how much these deformation functors are compatible with the parabolic induction functor Ind_B^G : Mod_T^∞ → Mod_G^∞. In a series of two papers [HSS18, HSS19], Hauseux–Schmidt–Sorensen addressed this question: we now recall the results we need from these papers.

4.1 Deforming Parabolically Induced Representations

Let χ : T → k^× be a smooth character and let χ be a lift of χ to A ∈ Art(O). By [HSS18, Lemma 2.1], the parabolically induced representation Ind_B^G χ is a free A-module, and the natural surjection A → k induces a k[G]-linear isomorphism (Ind_B^G χ) ⊗_A k ≅ Ind_B^G χ. In other words, Ind_B^G χ is a lift of Ind_B^G χ over A. Furthermore, any morphism of lifts (χ1, φ1) → (χ2, φ2) of χ over the same ring A induces a morphism (Ind_B^G χ1, Ind_B^G(φ1)) → (Ind_B^G χ2, Ind_B^G(φ2)) of lifts of Ind_B^G(χ) over A. In [HSS18, Section 2.5], Hauseux–Schmidt–Sorensen show that we actually have a morphism of functors

Ind_B^G : Def_χ → Def_{Ind_B^G χ}.

They also give sufficient conditions for this morphism to be an isomorphism, which lead to the following statement for the group G.

Theorem 4.2 Let χ = μ_λ ω^r be a smooth k-character of T. Assume that λ ≠ ±1 or that r − 1 is not divisible by p − 1. Then

Ind_B^G : Def_χ → Def_{Ind_B^G χ}

is an isomorphism.

Note that this statement requires us to assume that E/Qp is large enough, to ensure that χ actually takes values in the finite field k, and not only in k.

Proof Let  = {α} be the set of positive roots for G with respect to (B^−, T), and write sα for the corresponding reflection in the Weyl group. Following [HSS18, Corollary 4.18] for F = Qp, it suffices to check that

χ ≠ χ^α ⊗ (ω^{−1} ◦ α).   (5)

Since χ^α(x) = χ(c(x)^{−1}) for all x ∈ Qp2, checking (5) is equivalent to finding some x ∈ Qp2 such that χ(x c(x)) ≠ (ω^{−1} ◦ α)(x), i.e. such that χ(N(x)) ≠ (ω^{−1} ◦ α)(x), where N : Qp2 → Qp denotes the norm map. We now want to explicitly describe α. To do this, let us recall that we fixed an element ε ∈ Qp2 such that {1, ε} is a basis for Qp2 over Qp and c(ε) = −ε. If g denotes the Lie algebra of G, then a basis for the Lie algebra of G over Qp is given by

$$\begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix},\quad \begin{pmatrix} \varepsilon & 0 \\ 0 & \varepsilon \end{pmatrix},\quad \begin{pmatrix} 0 & \varepsilon \\ 0 & 0 \end{pmatrix},\quad \begin{pmatrix} 0 & 0 \\ \varepsilon & 0 \end{pmatrix}.$$

As any element $t(x) = \begin{pmatrix} x & 0 \\ 0 & c(x)^{-1} \end{pmatrix}$ of T acts on $\begin{pmatrix} 0 & 0 \\ \varepsilon & 0 \end{pmatrix}$ as multiplication by x^{−1}c(x)^{−1} = N(x)^{−1}, we see that α is given by the inverse of the norm map, hence checking condition (5) now boils down to finding some x ∈ N(Qp2^×) such that χ(x) ≠ ω(x). But we have, for any u ∈ Zp^× and any integer n, χ(u p^{2n}) = λ^{2n} u^r. If λ ≠ ±1, then χ(p^2) ≠ ω(p^2). If r − 1 is not divisible by p − 1, then there exists some unit u ∈ Zp^× such that ω(u) ≠ χ(u). As N(Qp2^×) = p^{2Z} × Zp^×, the result follows.

Further note that under the assumptions of Theorem 4.2, the deformations of χ (hence of Ind_B^G(χ)) are well-understood: according to [HSS18, Proposition 4.17], Def_{Ind_B^G(χ)}(A) is in natural bijection with Hom_{Pro(O)}(, A) for any A ∈ Art(O), the converse map being given by ψ ↦ Ind_B^G(ψ ◦ χ^univ), and this bijection is functorial in A ∈ Art(O). In this statement,  denotes the Iwasawa algebra associated to the torus T (see [Sch11, Section 19.7] for a precise definition) and χ^univ : T →  is the so-called universal deformation of χ (see [HSS18, Proposition 4.17] for the explicit formula defining χ^univ). To completely understand deformations of parabolically induced representations, we now have to answer the following open question.



Question 1 What are the deformations of Ind_B^G(μ_λ ω^r) when λ = ±1, or when p − 1 divides r − 1?

Note that a direct comparison with Corollary 2.4 shows that the major part of the representations covered by this question are irreducible representations of G, hence of greatest interest in the Langlands program.


4.2 Deformations of Special Series Representations

Given A ∈ Art(O) and a smooth character σ : T → A^× that extends to a smooth character of G, we can proceed as in the p-modular setting (see [Abd11, Section 5.3.2]) to show that σ is a subrepresentation of Ind_B^G(σ). We can hence define the Steinberg representation as the quotient representation

St_B^G(σ) := Ind_B^G(σ)/σ.

Note that, if A = k and σ is a smooth k-character of T that extends to a smooth k-character of G, then St_B^G(σ) St_G ⊗ σ, where St_G denotes the Steinberg representation we defined in Sect. 2.2. Following [HSS19, Section 9], we obtain, for any smooth character χ : G → k^×, a natural transformation

St_B^G : Def_χ → Def_{St_G ⊗ χ}.   (6)

Theorem 4.3 The natural transformation (6) is an isomorphism of functors.

Proof This is a straightforward application of [HSS19, Proposition 10], as one-dimensional representations are obviously admissible.

In other words, understanding deformations of representations in the special series amounts to understanding deformations of smooth k-characters of G, and the latter are once again well-understood by [HSS18, Proposition 4.17]. Following [HSS19, Corollary 15], and using the same notation as in Sect. 4.1, we obtain a similar statement to the one we get for parabolically induced representations: for any smooth character χ : G → k^× and any A ∈ Noeth(O), we have a natural bijection between Def_{St_G ⊗ χ}(A) and Hom_{Pro(O)}(, A), whose converse map is given by ψ ↦ St_B^G(ψ ◦ χ^univ), and this bijection is moreover functorial in A ∈ Art(O).

5 Deforming Langlands Parameters

In this section, we summarise what is known about deformations of the parameters defined in Sect. 3.2 and explain what questions we aim to solve. One can view this section as the Galois counterpart of Sect. 4 with the difference that, as mentioned in the introduction, a priori we make no specific assumption on the Galois parameters here (while Sect. 4 only holds for non-supercuspidal representations). We follow [KM20] for most of the section. We start by introducing C-parameters in characteristic zero as well as the notion of an inertial type. We also introduce genericity for C-parameters as we will need to impose some genericity conditions on the Galois parameters we want to deform. We recall some notions from deformation theory, specialised to our setting. We then show how one transfers from C-parameters to genuine p-adic Galois representations. It turns out that we can study the deformations of these representations by relating them to Kisin modules. We end by demonstrating to what extent we can determine the deformations of our Galois parameters explicitly using Kisin modules.

We keep the same notation as above and we furthermore fix an embedding σ0 : Qp2 → E, as well as a (p^2 − 1)th root π of −p in E (which exists as E/Qp is assumed to be large enough). We let L = Qp2(π) and write ωπ : Gal(L/Qp2) → Zp2^× for the character given by ωπ(g) = g(π)/π. We also set ω2 := σ0 ◦ ωπ : Gal(L/Qp2) → O^×. Note that ωπ and ω2 do not depend on the choice of π.

5.1 Definition of C-Parameters in Characteristic Zero

To define a suitable notion of C-parameters in characteristic 0, we first have to define the C-group in characteristic 0, which is actually straightforward. Indeed, as mentioned in Sect. 3.1, the group ^C G arises as the Fp-points of a certain algebraic group, which we will call ^C G. Thus we may extend our definition to define ^C G(R) for any topological Zp-algebra R as follows (see [KM20, Section 2.3] for further details):

^C Ĝ(R) := (GL2(R) × R^×)/⟨(−I2, −1)⟩ and ^C G(R) := ^C Ĝ(R) ⋊ Qp,

where Qp still acts via formulae (1) and (2). Note that we will continue to write ^C Ĝ (respectively ^C G) instead of ^C Ĝ(Fp) (respectively ^C G(Fp)). Also note that the isomorphism (4) still holds in this setting, so we can (and will) identify ^C Ĝ(R) with GL2(R) × R^× and ^C G(R) with (GL2(R) × R^×) ⋊ Qp. The topology on ^C G(R) is the one inherited from R when ^C Ĝ is considered as algebraic group. Note that this topology coincides with the usual topology on ((GL2(R) × R^×)/⟨(−I2, −1)⟩) ⋊ Qp for the rings considered in the remainder of the paper. We can now define (equivalence classes of) parameters as follows, where R denotes a topological Zp-algebra.

Definition 5.1 An (R-valued) C-parameter is a continuous homomorphism ρ : Qp → ^C G(R) such that the composition of ρ with the canonical projection ^C G(R) → Qp is the identity map. We say that two C-parameters are equivalent if they are conjugate by an element of ^C Ĝ(R).

Note that formula (2) ensures that this definition is equivalent to the one given in [KM20, Definition 4.1]. We also note that there are similar definitions for the R-points of the L-group as well as R-valued L-parameters, and that the R-valued analogue of the isomorphism (4) establishes a natural connection between R-valued Langlands parameters and R-valued C-parameters.


Remark 5.2 As in the p-modular setting (see Definition 3.3), and following [KM20, Section 5.3.2], there is a natural bijection between C-parameters in characteristic 0 and genuine Galois representations enriched with extra data. This bijection will be made explicit in Sect. 5.4.1.

5.2 Inertial Types and Generic C-Parameters

We now characterise the C-parameters that will be the focus of the remainder of the paper. A common way to have some control on Galois objects consists in putting some conditions on their restrictions to the inertia subgroup, and we will proceed in this way to define a suitable notion of genericity, inspired by similar notions for genuine representations of absolute Galois groups. We thus introduce the notion of an inertial type, which appears in different useful settings that will be described in this subsection.

5.2.1 Genericity for Classical Inertial Types

We start by recalling the definition of an inertial type. This definition serves as a guide when defining the suitable objects in our setting, and furthermore, we will define constraints on our deformation problems in terms of these objects.

Definition 5.3 An inertial type is a group homomorphism τ : I_{Qp2} → GL2(O) that has open kernel and extends to a representation of the full Weil group W_{Qp2}.

Many useful examples of inertial types come from restrictions to I_{Qp2} of representations of the full Galois group Qp2. In particular, we consider the following family of inertial types, which we will see are essentially the only parameters necessary for studying non-supercuspidal parameters.

Definition 5.4 Given any pair (a, b) of integers, we write τ_{a,b} : I_{Qp2} → GL2(O) for the inertial type given by ω2^a ⊕ ω2^b. When a ≡ b mod p^2 − 1, we say that τ_{a,b} is a principal series inertial type.

Note that these inertial types are (by construction) tamely ramified, which means that they are trivial on the wild inertia subgroup. Moreover, if τ : I_{Qp2} → GL2(O) is an inertial type whose kernel contains I_L, hence that factors through I_{Qp2}/I_L Gal(L/Qp2), then there exists a pair of integers (a, b) such that τ τ_{a,b}. (Recall that L = Qp2(π), as defined at the beginning of the section.)

Remark 5.5 One should be careful with the terminology of “principal series”, as it is not as transparent as it may seem at first. In the classical setting of complex representations, any object on the Galois side labelled as “principal series” should indeed be related to non-supercuspidal representations (see for instance [BM02, Section A.1.2]). In the current setting, one might expect that principal series inertial types would only be involved in non-trivial deformations of non-supercuspidal parameters, but such an expectation already fails for GL2. Indeed, [BM02, Proposition 6.1.2(iii)] gives instances of irreducible p-modular representations of Qp that correspond to supercuspidal representations via the p-modular local Langlands correspondence for GL2(Qp) and that admit non-zero deformations indexed by a (generic) principal series inertial type.

We can define a genericity criterion for these inertial types. As ω2 is of order p^2 − 1, we can assume that −a and −b are non-negative integers both less than p^2 − 1. Their respective p-basis decompositions are hence of the following form: −a = a0 + p a1 and −b = b0 + p b1 with 0 ≤ a0, a1, b0, b1 ≤ p − 1. For further use, it is convenient to set a := (a0, a1) and b := (b0, b1).

Definition 5.6 Let τ_{a,b} be a principal series inertial type, with a and b chosen as above, and let n be a positive integer. We say that τ_{a,b} is n-generic if:

∀ i ∈ {0, 1}, n < |a_i − b_i| < p − n.   (7)

When condition (7) is satisfied, we will also say that the pairs (−a, −b) and (a, b) are n-generic.

5.2.2 Genericity for C Ĝ-Valued Inertial Types

The next step towards C-parameters consists in defining C Ĝ-valued inertial types, and what genericity means for them, in a way that is compatible with the definitions of Sect. 5.2.1. For any topological Zp-algebra R, [KM20, Definition 4.1] defines R-valued inertial types using the L-group. Since GL2(R) acts by conjugation on such parameters, we can consider them up to equivalence and use the bijection of [GHS18, Lemma 9.4.5] to come back to C G(R)-valued homomorphisms. We hence get the following definition of C Ĝ(R)-valued inertial types.

Definition 5.7 Let R be a topological Zp-algebra. A C Ĝ(R)-valued inertial type is a continuous group homomorphism IQp → C Ĝ(R) that extends to an R-valued C-parameter Qp → C G(R). Two C Ĝ(R)-valued inertial types τ1 and τ2 are said to be equivalent, written τ1 τ2, if they are conjugate by an element of C Ĝ(R).

Following [KM20, Definition 4.1.4] for f = 1, we now introduce a family of inertial types that is the analogue, in this setting, of the previously defined family of principal series inertial types. In particular, it will be used to define a convenient notion of genericity for C-parameters, and we will see later (in Lemma 5.12) that all representations of IQp coming (via the Langlands correspondence of [Koz16]) from generic non-supercuspidal representations of G can actually be described as such C Ĝ-valued inertial types.

Deformation Theory for U(1, 1)(Qp2 /Qp )


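Definition 5.8 Given a pair of integers (a, b) and w ∈ W, where W is the Weyl group of G, we define τw(a, b) : IQp → C Ĝ as follows. If w = 1, then we set:

$$\forall\, h \in I_{\mathbb{Q}_p}, \quad \tau_1(a, b)(h) = \left( \begin{pmatrix} \omega_2(h)^{a+1+p(1-b)} & 0 \\ 0 & \omega_2(h)^{b-pa} \end{pmatrix},\ \omega_1(h) \right). \tag{8}$$

If w = s0, then we set:

$$\forall\, h \in I_{\mathbb{Q}_p}, \quad \tau_{s_0}(a, b)(h) = \left( \begin{pmatrix} \omega_2(h)^{a+1-pa} & 0 \\ 0 & \omega_2(h)^{b+p(1-b)} \end{pmatrix},\ \omega_1(h) \right). \tag{9}$$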

We can now define genericity for C Ĝ-valued inertial types as follows.

Definition 5.9 Let n be a positive integer. A C Ĝ-valued inertial type τ : IQp → C Ĝ is called n-generic if there exists a triple (w, a, b) ∈ W × Z² such that τ τw(a, b) and n < a − b + 1 < p − n.

Remark 5.10 The pair of integers (a, b) introduced here appears because it gives a way to parametrise the characters of a split maximal torus of GL2. The notion of n-genericity in [KM20] is given in terms of the n-depth of such a character, as defined in [KM20, Definition 3.2], and a direct calculation shows that this notion is equivalent to Definition 5.9. For more details on these constructions, the reader is invited to read [KM20, Sections 2.2.3 and 4.1.4].

5.2.3 Genericity for C-Parameters and Their Inertial Types

We now use Definition 5.9 to define what it means for a p-modular C-parameter to be n-generic. First we must set up some additional notation. Let ρ : Qp → C G be a C-parameter. Then by the same logic as in Sect. 3.2, the restriction ρ|IQp is of the form ρ(h) = (ρ0(h), h), where ρ0 is a C Ĝ-valued inertial type. By abuse of notation we write ρ0 as ρ|IQp.

Definition 5.11 Let n be a nonnegative integer. A C-parameter ρ : Qp → C G is n-generic if there exists an element w ∈ W and a pair of integers (a, b) such that n < a − b + 1 < p − n and ρ|IQp τw(a, b).

Note that n-genericity is determined solely by the restriction of parameters to the inertia subgroup IQp. The next lemma tells us that n-generic non-supercuspidal Langlands parameters (as described in Sect. 3.2) must correspond to the trivial element of the Weyl group.

R. Abdellatif et al.

Lemma 5.12 Let (r, λ) ∈ Z × Fp^× with 0 ≤ r ≤ p² − 2 and n ≥ 0. If the non-supercuspidal C-parameter ψr,λ : Qp → C G is n-generic, then there exists a pair (a, b) ∈ Z² such that n < a − b + 1 < p − n and ψr,λ|IQp τ1(a, b).

Proof By construction, we know that for any h ∈ IQp, we have

$$\psi_{r,\lambda}|_{I_{\mathbb{Q}_p}}(h) = \left( \begin{pmatrix} \omega_2(h)^{p+1+r} & 0 \\ 0 & \omega_2(h)^{-pr} \end{pmatrix},\ \omega_1(h) \right). \tag{10}$$

Assume that ψr,λ is n-generic, which means that there exists a pair (a, b) of integers and an element w ∈ W such that ψr,λ|IQp τw(a, b) with n < a − b + 1 < p − n. As W = s0 Z/2Z, we only have to prove that w ≠ s0. We do this by contradiction, and assume that w = s0. Comparing (9) to (10) shows that we must then satisfy one of the two following cases.

Case 1: We have $\omega_2^{p+1+r} = \omega_2^{a+1-pa}$ and $\omega_2^{-pr} = \omega_2^{b+p(1-b)}$, which implies that we must have

$$p + r \equiv a(1 - p) \bmod p^2 - 1 \quad \text{and} \quad -pr \equiv b(1 - p) + p \bmod p^2 - 1.$$

The first congruence gives that $r \equiv a(1 - p) - p \bmod p^2 - 1$. Plugging into the second congruence then shows that we must have $p^2(a + 1) - pa \equiv b + p(1 - b) \bmod p^2 - 1$, which can be rewritten as $a - pa + 1 \equiv b + p - pb \bmod p^2 - 1$, i.e. as $a - b + 1 \equiv p(a - b + 1) \bmod p^2 - 1$. The latter congruence implies that $p^2 - 1$ divides (p − 1)(a − b + 1), hence that p + 1 divides a − b + 1. Write a − b + 1 = m(p + 1) with m ∈ Z. The n-genericity condition then implies that n < m(p + 1) < p − n. Having 0 ≤ n < m(p + 1) shows that m is positive, hence m(p + 1) is at least p + 1 > p ≥ p − n, which contradicts the fact that m(p + 1) < p − n. Case 1 hence cannot occur.

Case 2: We have $\omega_2^{-pr} = \omega_2^{a+1-pa}$ and $\omega_2^{p+1+r} = \omega_2^{b+p(1-b)}$. Then a calculation similar to those in Case 1 shows that a + pb + 1 is divisible by p + 1, hence a − b + 1 = a + pb + 1 − (p + 1)b must also be divisible by p + 1, but we proved above that this cannot occur.

As neither of these cases can occur, w cannot be equal to s0 and the lemma is proven.

Remark 5.13 Note that the non-trivial Weyl element s0 does not appear as parameter when considering n-generic non-supercuspidal C-parameters. Due to [Koz16, Corollary 6.16], we suspect that types indexed by s0 may be related to n-generic supercuspidal parameters, but this is work in progress.

Now assume that B is a finite local E-algebra and ρ : Qp → C G(B) is a B-valued C-parameter. Following [BG19, Section 3.2], we can define its inertial type using the associated Weil–Deligne representation WD(ρ).

Definition 5.14 Let τ : IQp2 → GL2(O) be an inertial type and ρ : Qp → C G(B) be a C-parameter. We say that ρ has inertial type τ if WD(ρ)|IQp2 τ ⊕ 1IQp2, where 1IQp2 denotes the trivial character of IQp2.

Under some mild conditions, we can find the inertial type of ρ by looking at the so-called base change of ρ, which is a linear representation of Qp2 defined as follows.

Definition 5.15 Let R be a topological Zp-algebra, and let ρ : Qp → C G(R) be a C-parameter. Write the restriction of ρ to Qp2 as ρ|Qp2 = ρ2 ⊕ ρ1 with ρ2 : Qp2 → GL2(R) and ρ1 : Qp2 → R×. We then say that ρ2 is the base change of ρ, and we write BC(ρ) := ρ2. We also define the multiplier of ρ as the composite character

Qp −ρ→ C G(R) −ι̂→ R×,

where ι̂ is as defined in [KM20, Section 2.3.3]. Note that ρ1 is basically the restriction to Qp2 of the multiplier of ρ. In particular, we say that ρ has cyclotomic multiplier if ρ1 is the (reduction modulo p of the) cyclotomic character Qp → Zp×.

The notions of base change and of inertial type interact in the following proposition, which follows from [KM20, Section 5.3.3].

Proposition 5.16 Let ρ : Qp → C G(B) be a C-parameter with cyclotomic multiplier and let τ : IQp2 → GL2(O) be a principal series inertial type. Then ρ has inertial type τ if, and only if, we have WD(BC(ρ))|IQp2 τ.

We thus have several notions of genericity appearing in the context of C-parameters, so we wonder to what extent they are compatible. In particular, we are interested in how compatible n-genericity is with reduction modulo p, or with deformation theory as defined in Sect. 5.3 below. In particular, we hence aim to solve the following question.

Question 2

Given a B-valued C-parameter ρ : Qp → C G(B) with principal series inertial type τ , let ρ¯ : Qp → C G be its reduction modulo p. Is n-genericity for ρ (i.e. for τ , in the sense of Definition 5.6) equivalent to n-genericity for ρ¯ (in the sense of Definition 5.11)?

5.3 Deforming Galois Parameters

As we did for p-modular representations in Sect. 4, we now want to deform p-modular C-parameters. We will do so in the framework of deformation theory as first introduced by Mazur in this setting [Maz89], then later developed by many authors. We start by recalling some basic facts and definitions. We then specialise to specific deformations that are not only more convenient to handle, since they can be quite well-understood via some (advanced and technical) semi-linear algebra that will be introduced in the next subsections, but also carry some interesting geometric and arithmetic information related to Langlands correspondences. In particular, we will introduce the notion of a Hodge–Tate type, which relates to the classical notion of Hodge–Tate weights, and make more assumptions on the inertial types we will use.

Though it may not be obvious at first sight, these notions and assumptions we make on the Galois side have a natural counterpart on the automorphic side, as can be seen in the model case of GL2. In this setting, a first automorphic interpretation of these data is given by the Breuil–Mézard conjecture [BM02, Conjecture 1.1]. This conjecture has the following motivation: starting from a continuous p-modular two-dimensional representation ρ̄ of Qp, one wants to understand the deformations of ρ̄ with prescribed inertial type τ and Hodge–Tate weights (0, k − 1). The Breuil–Mézard conjecture predicts that the ring parametrising these deformations can be (at least partially) understood through the study of the semisimplification of the representation $\sigma(\tau) \otimes \mathrm{Sym}^{k-2}((\mathbb{Q}_p)^2)$ of GL2(Zp), where σ(τ) is uniquely determined by τ via the local Langlands correspondence for GL2(Qp) [BM02, Section A.1.5].

Another automorphic interpretation, related to the previous one, explicitly appears in the origin of the p-adic Langlands program. Indeed, one of the core statements of this program is [Bre12, Théorème 5.1], where one sees that the connection between the smooth and algebraic representations attached to a given (potentially semi-stable) Galois representation ρp can only be made via an automorphic interpretation of its Hodge–Tate weights, again with the representation $\mathrm{Sym}^{k-2}((\mathbb{Q}_p)^2)$ that showed up earlier (and is usually called a Serre weight in this context).

5.3.1 Universal Framed Deformations

Recall that Noe(O) is the category of complete Noetherian local O-algebras with residue field k. For any A in Noe(O), we write φA : A → k for the reduction map. Let  be a profinite group, and let ρ̄ :  → C G(k) be a continuous group homomorphism.

Definition 5.17 The functor of framed deformations of ρ̄ is the functor Dρ̄ that associates to each A in Noe(O) the set of continuous representations ρA :  → C G(A) such that the composition

 −ρA→ C G(A) −φA→ C G(k)

is equal to ρ̄. We say that Dρ̄(A) is the set of framed deformations of ρ̄ to A.

Unless we add extra assumptions on  and/or on ρ̄, there is a priori no reason ensuring that the functor Dρ̄ is representable. In our work, we only consider the case where  is the absolute Galois group F with F being either Qp or Qp2. In this setting, we have the following nice result, which directly follows from [Bal12, Theorem 1.2.2].

Theorem 5.18 Let F be a finite extension of Qp and ρ̄ : F → C G(k) be a continuous representation. Then the framed deformation functor Dρ̄ is representable by an object Rρ̄ of Noe(O).

Langlands parameters that naturally appear in the Langlands program (for instance, arising in the cohomology of Shimura varieties or coming from automorphic forms) satisfy additional properties, typically being potentially semi-stable or crystalline. We will then focus on deformations of a fixed C-parameter modulo p with these kinds of additional conditions. These deformations are described by some quotients of the universal ring Rρ̄ that will be introduced in Sect. 5.3.3. Note that the geometry of these quotients is the subject of the Breuil–Mézard conjecture mentioned above; they also play an important role in global modularity results and are related to Serre weight conjectures.

5.3.2 Intermission: Frobenius-Twist Self-Dual Inertial Types

Recall that we have fixed a geometric Frobenius ϕ (see Sect. 1). Note that our definition implies that $\varphi^{-1}$ is an arithmetic Frobenius.

Definition 5.19 Given a principal series inertial type τ of the form η1 ⊕ η2, we call $\tau^\vee := \eta_1^{-1} \oplus \eta_2^{-1}$ the dual type of τ and $\sigma^*\tau := \eta_1^{p^{-1}} \oplus \eta_2^{p^{-1}}$ the Frobenius-twist of τ. When σ*τ τ∨, we say that τ is Frobenius-twist self-dual.
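Definition 5.19 can be unwound by hand for a type written as $\tau = \omega_2^a \oplus \omega_2^b$. The derivation below is an added worked example, not part of the original text; it assumes that the exponent in $\sigma^*\tau$ is read as the inverse of p modulo $p^2 - 1$, and that two sums of characters are equivalent exactly when they consist of the same characters up to order.

Since $\omega_2$ has order $p^2 - 1$, we have $\omega_2^x = \omega_2^y$ if and only if $x \equiv y \bmod p^2 - 1$, and $p \cdot p \equiv 1 \bmod p^2 - 1$ gives $p^{-1} \equiv p$. Hence

$$\sigma^*\tau = \omega_2^{pa} \oplus \omega_2^{pb}, \qquad \tau^\vee = \omega_2^{-a} \oplus \omega_2^{-b},$$

and τ is Frobenius-twist self-dual if and only if one of the following holds modulo $p^2 - 1$:

$$\text{(i)}\ \ pa \equiv -a \ \text{ and } \ pb \equiv -b, \qquad\qquad \text{(ii)}\ \ pa \equiv -b \ \text{ and } \ pb \equiv -a.$$

In case (i), $(p+1)a \equiv 0 \bmod (p-1)(p+1)$ means that $p - 1$ divides a, so $a = (1-p)a'$ and likewise $b = (1-p)b'$ for some integers $a', b'$, which gives $\tau = \omega_2^{(1-p)a'} \oplus \omega_2^{(1-p)b'}$. Conversely, $p(1-p)a' = (p - p^2)a' \equiv (p-1)a' = -(1-p)a'$, so every such type satisfies (i).

In case (ii), the first congruence gives $b \equiv -pa$, and then the second holds automatically because $pb \equiv -p^2 a \equiv -a$. This gives $\tau = \omega_2^{a} \oplus \omega_2^{-pa}$.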

Principal series inertial types that are Frobenius-twist self-dual can be described explicitly. Indeed, if $\tau = \omega_2^a \oplus \omega_2^b$, then $\tau^\vee = \omega_2^{-a} \oplus \omega_2^{-b}$ and $\sigma^*\tau = \omega_2^{p^{-1}a} \oplus \omega_2^{p^{-1}b}$. A direct calculation shows that such a type τ is Frobenius-twist self-dual if, and only if, there exist integers a, b such that τ is either of the form $\omega_2^{(1-p)a} \oplus \omega_2^{(1-p)b}$ or of the form $\omega_2^{a} \oplus \omega_2^{-pa}$. Note that, according to [KM20, Section 4.4], this is also equivalent to asking that τ is given by the restriction to IQp2 of the base change of an O-valued C-parameter ρ : Qp → C G(O) with trivial multiplier.

5.3.3 Potentially Crystalline Deformations with Prescribed Hodge Type and Inertial Type

In this subsection, we let F denote either Qp or Qp2 and we let B be any finite local E-algebra. We first transfer to C-parameters the classical conditions imposed on genuine Galois representations arising in the Langlands program, namely being potentially crystalline and of Hodge type (1, 0, 1). For a review of these notions in the classical setting, the reader is invited to read for instance [Col13].

Definition 5.20 A C-parameter F → C G(B) is potentially crystalline if, and only if, its composition with any faithful algebraic representation C G → GLn is potentially crystalline in the classical sense of [Fon94, 5.1.4].

Definition 5.21 Assume that ρ : F → C G(B) is a C-parameter with cyclotomic multiplier. We say that ρ has p-adic Hodge type (1, 0, 1) when its base change BC(ρ) has p-adic Hodge type (1, 0), which means that BC(ρ) has Hodge–Tate weights {−1, 0}.

Given ρ̄ as in Theorem 5.18 and a principal series inertial type τ : IQp2 → GL2(O) that is Frobenius-twist self-dual (in the sense of Definition 5.19), we are interested in lifts of ρ̄ that are potentially crystalline with p-adic Hodge type (1, 0, 1), inertial type τ and cyclotomic multiplier. They are parametrised by a quotient of the universal framed deformation ring $R_{\bar\rho}$. The existence and properties of this quotient have been established in our case in [BG19, Sections 3.2 and 3.3] (see also the proof of [Bal12, Proposition 3.0.12] and [KM20, Section 5.3.2]). In the following theorem, $\rho^u$ is the universal C-parameter from Qp to C G($R_{\bar\rho}$) lifting ρ̄.

Theorem 5.22 Let τ : IQp2 → GL2(O) be a principal series inertial type that is Frobenius-twist self-dual. Then there exists a unique quotient $R^{\tau}_{\bar\rho}$ of $R_{\bar\rho}$ satisfying the following property: for any finite local E-algebra B, and any morphism x from $R_{\bar\rho}$ to B, x factors through $R^{\tau}_{\bar\rho}$ if and only if the C-parameter $x \circ \rho^u$ from Qp to C G(B) is potentially crystalline with p-adic Hodge type (1, 0, 1), inertial type τ and cyclotomic multiplier.

5.4 From C-Parameters to Kisin Modules

Using p-adic Hodge theory, the potentially crystalline lifts we described in the previous section can be described by objects of semi-linear algebra, which are easier to handle. First, we will explain in Sect. 5.4.1 how we have, on the one hand, a natural bridge between C-parameters and genuine two-dimensional Galois representations enriched with extra structures. Doing so, we will give an explicit statement for the bijection announced in Remark 5.2. Then, we will explain how to relate (most of) these Galois representations to a category of modules (called Kisin modules) over an appropriate power series ring, which motivates why we become interested in deformations of such modules in the next subsection of this paper.

5.4.1 From C-Parameters to Genuine p-adic Galois Representations

Let R be a topological Zp-algebra. The notion of base change introduced in Definition 5.15 is a first step in connecting R-valued C-parameters to two-dimensional R-linear Galois representations, but it is clearly not enough as non-equivalent C-parameters could have isomorphic base changes. Going further hence requires extra structures given by the notion of polarisation, which we define now.

Definition 5.23 Let ρ̃ : Qp2 → GL2(R) be a continuous group homomorphism, and let θ : Qp → R× be a continuous character. A polarisation of ρ̃ compatible with θ is an isomorphism $\alpha : \tilde\rho^{\varphi^{-1}} \to \tilde\rho^{\vee} \otimes \theta$ such that the composite map

$$\tilde\rho \xrightarrow{\ v \mapsto \tilde\rho(\varphi^{-2})v\ } \tilde\rho^{\varphi^{-2}} \xrightarrow{\ \alpha^{\varphi^{-1}}\ } \left(\tilde\rho^{\vee} \otimes \theta\right)^{\varphi^{-1}} \xrightarrow{\ \mathrm{can}\ } \left(\tilde\rho^{\varphi^{-1}}\right)^{\vee} \otimes \theta \xrightarrow{\ \left((\alpha \otimes \theta^{-1})^{\vee}\right)^{-1}\ } \tilde\rho$$

is the multiplication by $-\theta(\varphi^{-1})$ map.

Considering triples (ρ̃, θ, α) as in Definition 5.23 is now enough to distinguish between non-equivalent C-parameters, as stated by the next theorem.

Theorem 5.24 Let ρ : Qp → C G(R) be a C-parameter with multiplier ρ1.

1. Let A be the GL2(R)-component of $\rho(\varphi^{-1})$ and let α be the R-endomorphism of $R^2$ defined by $\alpha(v) := \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix} A^{-1} v$. Then α is a polarisation of BC(ρ) compatible with ρ1.
2. The previous construction induces a bijection ρ ↦ (BC(ρ), ρ1, α) from R-valued C-parameters to triples (ρ̃, θ, α) where ρ̃ denotes a continuous morphism from Qp2 to GL2(R), θ a continuous R-character of Qp and α a polarisation of ρ̃ compatible with θ.

Proof This is [CHT08, Lemma 2.1.1] rephrased in the language of [KM20, Section 5.3.2].

From now on, we fix θ to be the cyclotomic character. In particular Theorem 5.24 actually gives a bijection between C-parameters ρ : Qp → C G(R) with cyclotomic multiplier and pairs (ρ̃, α) where ρ̃ : Qp2 → GL2(R) is a continuous representation of Qp2 and α is a polarisation of ρ̃ compatible with the cyclotomic character (note that in that case $-\theta(\varphi^{-1}) = -1$).

5.4.2 Kisin Modules with Prescribed Descent Data and Height

Thanks to Theorem 5.24, we are reduced to understanding genuine Galois representations endowed with some extra structure. To do this, we introduce a category of modules over a power series ring, called Kisin modules, which allow one to translate arithmetic and geometric properties into semi-linear algebra. These modules come with decorations that reflect the extra data that appeared on our Galois representations, and with a natural functor from Kisin modules to Galois representations that preserves these decorations but is not, in general, an equivalence of categories (see Sect. 5.4.3). Though the construction of decorated Kisin modules is a bit technical, it is really useful since these modules and their deformations are much easier to compute than the Galois representations they parametrise.

From now on, we let R denote a complete local Noetherian O-algebra with residue field k and we set $S_R := \left(\mathbb{Z}_{p^2} \otimes_{\mathbb{Z}_p} R\right)[[u]]$. The ring $S_R$ is equipped with a Frobenius endomorphism ϕ that is trivial on R, sends u to $u^p$, and is the arithmetic Frobenius on Zp2 (i.e. satisfies $\varphi = \varphi^{-1}$ on Zp2).

Definition 5.25 A Kisin module over R with height in [0, 1] is a pair $(M, \phi_M)$, where M is a finitely generated projective $S_R$-module, and $\phi_M : \varphi^* M := S_R \otimes_{S_R, \varphi} M \to M$ is an $S_R$-linear map, that satisfies

$$\left(u^{p^2-1} + p\right) M \subseteq \phi_M\left(\varphi^* M\right) \subseteq M. \tag{11}$$

We let $Y^{[0,1]}(R)$ be the category of Kisin modules over R with height in [0, 1]. Given an object $(M, \phi_M)$ in $Y^{[0,1]}(R)$ and an integer i in {0, 1}, we define $M^{(i)}$ as the R[[u]]-submodule of M on which Zp2 acts through the embedding $\sigma_0 \circ \varphi^i$, where σ0 still denotes the embedding of Qp2 into E we fixed initially:

$$M^{(i)} = \left\{ m \in M \ \middle|\ \forall x \in \mathbb{Z}_{p^2},\ (x \otimes 1_R)\, m = \left(1_{\mathbb{Z}_{p^2}} \otimes (\sigma_0 \circ \varphi^i)(x)\right) m \right\}. \tag{12}$$

Note that, as an R[[u]]-module, M decomposes as a direct sum $M^{(0)} \oplus M^{(1)}$. Recall that π is a fixed $(p^2 - 1)$th root of −p in E and that we set L = Qp2(π). Given g in Gal(L/Qp2), we define $\hat g$ as the Zp2 ⊗Zp R-linear automorphism of $S_R$ that sends u to (ωπ(g) ⊗ 1R) u. Note that we have, for all g, h in Gal(L/Qp2): $\widehat{gh} = \hat g \circ \hat h$ and $\varphi \circ \hat g = \hat g \circ \varphi$. Further note that for any i ∈ {0, 1}, both $M^{(i)}$ and $uM^{(i)}$ are stable under the action of Gal(L/Qp2) on M, which ensures that the following definition makes sense.

Definition 5.26 Let $(M, \phi_M)$ be an object of $Y^{[0,1]}(R)$ such that M is of rank 2 as an $S_R$-module, and let τ be a principal series inertial type. A descent data of type τ on M is a collection of Zp2 ⊗Zp R-linear automorphisms $(\check g)_{g \in \mathrm{Gal}(L/\mathbb{Q}_{p^2})}$ of M that satisfies the following conditions:

1. for any g in Gal(L/Qp2), $\check g$ is $\hat g$-semilinear;
2. for all g and h in Gal(L/Qp2), one has $\check{(gh)} = \check g \circ \check h$;
3. for any g in Gal(L/Qp2), $\check g \circ \phi_M = \phi_M \circ \varphi^* \check g$;
4. for any i in {0, 1}, the R[Gal(L/Qp2)]-module $M^{(i)}/uM^{(i)}$ is isomorphic to τ ⊗O R.

We let $Y^{[0,1],\tau}(R)$ be the full subcategory of $Y^{[0,1]}(R)$ whose objects are rank 2 modules having descent data of type τ. Finally, we define a full subcategory of $Y^{[0,1],\tau}(R)$ that is the category of Kisin modules we are really interested in.

Definition 5.27 We let $Y^{\tau}(R)$ be the full subcategory of $Y^{[0,1],\tau}(R)$ whose objects are Kisin modules with determinant satisfying the following equality:

$$\left(u^{p^2-1} + p\right) \det M = \phi_M\left(\varphi^*(\det M)\right).$$

Note that this is the category denoted by $Y^{\mu,\tau}(R)$ in [KM20, Definition 5.4]. Below we give explicit examples of Kisin modules in $Y^{\tau}(R)$ (see Sects. 5.5.1 and 5.5.2). Note that full classification results for the objects of $Y^{\tau}(R)$ are actually available: see Proposition 5.37, Definition 5.40 and Remark 5.41, as well as [CDM18, Proposition 3.1.9]. They give in particular a very concrete description of the action of the Frobenius morphism $\phi_M$ in some bases adapted to the descent data.

5.4.3 Frobenius-Twist Self-Dual Kisin Modules and Associated Galois Representations

As for inertial types, we have a notion of Frobenius-twist self-duality for Kisin modules. Let σ denote the automorphism of $S_R$ that is given by the identity map on R, fixes u, and is given by the arithmetic Frobenius $\varphi^{-1}$ on Zp2. Given a Kisin module $(M, \phi_M)$ in $Y^{\tau}(R)$, its pullback $\sigma^* M$ by σ defines an object of $Y^{\sigma^*\tau}(R)$, where $\sigma^*\tau$ is the Frobenius-twist of τ introduced in Definition 5.19. We obtain this way a functor from $Y^{\tau}(R)$ to $Y^{\sigma^*\tau}(R)$, which can be iterated via successive pullbacks by σ. On the other hand, if R is local Artinian, we define the Cartier dual of M as $M^{\vee} := \mathrm{Hom}_{S_R}(M, S_R)$. The next proposition ensures that this definition gives what one can expect from Cartier duality in this context, and shows in particular that it is compatible with duality for inertial types.

Proposition 5.28 Assume that R is Artinian. Then the map sending M to $M^{\vee}$ induces an involutive functor from $Y^{\tau}(R)$ into $Y^{\tau^\vee}(R)$.

Proof This comes from the first statement in [KM20, Proposition 5.12].

In particular, if τ is Frobenius-twist self-dual, then $\sigma^* M$ and $M^{\vee}$ both belong to $Y^{\tau^\vee}(R) = Y^{\sigma^*\tau}(R)$. This enables the following definition of polarisation for Kisin modules, which actually mimics the corresponding notion for continuous two-dimensional R-linear representations of Qp2 (Definition 5.23).

Definition 5.29 Assume that R is Artinian and that τ is Frobenius-twist self-dual, and let $(M, \phi_M)$ be an object of $Y^{\tau}(R)$. A polarisation on the Kisin module M is an isomorphism $\iota : \sigma^* M \xrightarrow{\ \sim\ } M^{\vee}$ in $Y^{\tau^\vee}(R)$ such that the composite map

$$M \xrightarrow{\ \mathrm{can}\ } \sigma^*\left(\sigma^* M\right) \xrightarrow{\ \sigma^*\iota\ } \sigma^*\left(M^{\vee}\right) \xrightarrow{\ \mathrm{can}\ } \left(\sigma^* M\right)^{\vee} \xrightarrow{\ (\iota^{\vee})^{-1}\ } M$$

is equal to $-\mathrm{id}_M$.

We let $Y^{\tau}_{\mathrm{pol}}(R)$ be the category of Frobenius-twist self-dual Kisin modules (of type τ): its objects are pairs (M, ι) with M an object of $Y^{\tau}(R)$ and ι a polarisation on M, and morphisms in $Y^{\tau}_{\mathrm{pol}}(R)$ are given by morphisms in $Y^{\tau}(R)$ that commute with the given polarisations.

Frobenius-twist self-dual Kisin modules are closely related to polarised Galois representations, hence to C-parameters, introduced in Definition 5.23. Indeed, let us fix a sequence of compatible $p^n$-th roots of −p in Qp, which means a sequence $(p_n)_{n \ge 0}$ of elements of Qp such that $p_0 = -p$ and $p_{n+1}^p = p_n$ for any integer n ≥ 0. For any k ≥ 1, set

$$\mathbb{Q}_{p^k,\infty} := \bigcup_{n \ge 0} \mathbb{Q}_{p^k}(p_n).$$

Following [LLHLM18, Section 2.3], one can naturally define a contravariant functor $T^*_{dd}$ from $Y^{\tau}(R)$ to the category of R-linear representations of Qp2,∞. The following statement essentially claims that if τ is a reasonable type, any tamely ramified p-modular C-parameter with cyclotomic multiplier comes from at most one Kisin module in $Y^{\tau}(k)$.

Lemma 5.30 Let ρ̄ : Qp → C G be a tamely ramified C-parameter with cyclotomic multiplier and let τ : IQp2 → GL2(O) be a 2-generic principal series inertial type that is Frobenius-twist self-dual. Then there exists at most one Kisin module $M \in Y^{\tau}(k)$ such that $T^*_{dd}(M) \cong \mathrm{BC}(\bar\rho)|_{\mathbb{Q}_{p^2,\infty}}$. Moreover, if such an M exists, then there exists a unique polarisation ῑ on M that is compatible (under the previous isomorphism) with the polarisation defined by ρ̄ through the bijection of Theorem 5.24.

Proof This is [KM20, Lemma 5.19], which is an analogue of [LLHLM18, Theorem 3.2] for the unitary group G.

Note that the existence of M as above is a necessary condition for the ring $R^{\tau}_{\bar\rho}$ to be non-zero. Also note that the genericity assumption is what ensures the uniqueness of M when it exists. Hence, from now on, we will always assume that τ is a 2-generic principal series Frobenius-twist self-dual inertial type. Lemma 5.30 suggests that deforming Kisin modules may be a good way to approach deformations of C-parameters and the quite explicit nature of these modules suggests that deforming them may give rise to quite explicit rings. The next (and last) subsection will make these expectations a bit more precise under a genericity assumption on ρ̄.

5.5 Some Explicit Deformation Rings for C-Parameters

The goal of this last part is to give some explicit calculations of deformation rings for deformations of C-parameters with prescribed inertial type. We fix a principal series inertial type τ that is 2-generic (in the sense of Definition 5.6). We write τ = η1 ⊕ η2 and we fix the ordering of these two characters. For convenience of writing, we set $v := u^{p^2-1}$.

5.5.1 Shape of a Kisin Module over k

In order to deform objects of $Y^{\tau}(k)$, it would be helpful to have a classification of these objects. A way to distinguish between them is to introduce the notion of shape of such modules: this is the goal of this first subsection, and it requires some preliminary notation and definitions that are valid over any object R of Art(O). Given a Kisin module $M \in Y^{[0,1],\tau}(R)$, we know from Sect. 5.4.2 that the underlying R[[u]]-module decomposes as $M^{(0)} \oplus M^{(1)}$. To take into account the action of Gal(L/Qp) on these components (via τ), we introduce the following R[[v]]-submodules of M.

Definition 5.31 For i in {0, 1} and j in {1, 2}, we write $M_j^{(i)}$ for the ηj-isotypical component of $M^{(i)}$, i.e. for the R[[v]]-submodule of elements of $M^{(i)}$ on which Gal(L/Qp) acts by ηj. Similarly, we write ${}^{\varphi}M_j^{(i)}$ for the ηj-isotypical component of $\varphi^*\left(M^{(i)}\right)$.

Since we have $\varphi^*\left(M^{(i)}\right) = \left(\varphi^* M\right)^{(i+1)}$ (considering i + 1 mod 2 in the exponent if necessary), we can restrict $\phi_M$ to ${}^{\varphi}M_j^{(i)}$ to get a map

$$\phi^{(i)}_{M,j} : {}^{\varphi}M_j^{(i)} \to M_j^{(i+1)}.$$

Definition 5.32 An eigenbasis of M is a pair $\beta = \left(\beta^{(0)}, \beta^{(1)}\right)$ such that, for any i in {0, 1}, $\beta^{(i)}$ is an ordered basis $\left(f_1^{(i)}, f_2^{(i)}\right)$ of the R[[u]]-module $M^{(i)}$ that satisfies $f_1^{(i)} \in M_1^{(i)}$ and $f_2^{(i)} \in M_2^{(i)}$.

Just like above Definition 5.6, we write the inertial type τ as $\omega_2^{-a_1} \oplus \omega_2^{-a_2}$, with $a_1$ and $a_2$ between 0 and $p^2 - 2$ (recall that we have fixed the ordering of the two characters in τ). For j in {0, 1}, we write $a_j$ in terms of its base-p expansion: $a_j = a_{j,0} + a_{j,1}\,p$, with $(a_{j,0}, a_{j,1}) \in \{0, \dots, p-1\}^2$. To keep track of the action of τ on each of the factors $M^{(i)}$ (corresponding to the two embeddings of Zp2 into E), we also define, for j in {0, 1}:

$$a_j^{(0)} = a_j, \qquad a_j^{(1)} = a_{j,1} + a_{j,0}\,p.$$

Recall that W is the Weyl group of G, which is canonically isomorphic to Z/2Z.

Definition 5.33 An orientation of τ is a pair (w0, w1) of elements of W Z/2Z such that

$$\forall\, i \in \{0, 1\}, \quad a^{(i)}_{w_i(1)} \ge a^{(i)}_{w_i(2)}. \tag{13}$$

Remark 5.34 As τ is assumed to be 2-generic, its orientation is uniquely defined. The 2-genericity assumption (see (7)) implies indeed that the inequalities (13) must be strict.

Remark 5.34 ensures that we can talk about the orientation (w0, w1) of τ. We then have the following result, which gives convenient bases for the isotypical components associated with w0(2) and w1(2), and is straightforward to check from Definition 5.32.

Proposition 5.35 Let $\beta = \left(\beta^{(0)}, \beta^{(1)}\right)$ be an eigenbasis of M. With the notation of Definition 5.32, we set, for all i ∈ {0, 1} (with i − 1 replaced by 1 in the second formula if i = 0, as usual),

$$\beta^{(i)}_{w_i(2)} := \left( u^{a^{(i)}_{w_i(1)} - a^{(i)}_{w_i(2)}} f^{(i)}_{w_i(1)},\ f^{(i)}_{w_i(2)} \right) \quad \text{and} \quad {}^{\varphi}\beta^{(i-1)}_{w_i(2)} := \left( u^{a^{(i)}_{w_i(1)} - a^{(i)}_{w_i(2)}} \otimes f^{(i-1)}_{w_i(1)},\ 1 \otimes f^{(i-1)}_{w_i(2)} \right).$$

Then $\beta^{(i)}_{w_i(2)}$ is a basis of the R[[v]]-module $M^{(i)}_{w_i(2)}$, and ${}^{\varphi}\beta^{(i-1)}_{w_i(2)}$ is a basis of the R[[v]]-module ${}^{\varphi}M^{(i-1)}_{w_i(2)}$.

The next definitions and proposition justify the name “convenient bases” used above.

Definition 5.36 Given an eigenbasis β of M and an index i ∈ {0, 1}, we define $A^{(i)}_{\beta} \in M_2(R[[v]])$ as the matrix of the R[[v]]-linear map

$$\phi^{(i)}_{M, w_{i+1}(2)} : {}^{\varphi}M^{(i)}_{w_{i+1}(2)} \to M^{(i+1)}_{w_{i+1}(2)},$$

where ${}^{\varphi}M^{(i)}_{w_{i+1}(2)}$ is endowed with the basis ${}^{\varphi}\beta^{(i)}_{w_{i+1}(2)}$ and $M^{(i+1)}_{w_{i+1}(2)}$ is endowed with the basis $\beta^{(i+1)}_{w_{i+1}(2)}$. The matrix $A^{(i)}_{\beta}$ is called the matrix of the partial Frobenius of M at embedding i and with respect to β.

Proposition 5.37 Let $M \in Y^{\tau}(k)$ be a Kisin module over k. Then there exists an eigenbasis β of M such that each of the matrices $A^{(0)}_{\beta}$ and $A^{(1)}_{\beta}$ has one of the following forms (with $\bar c_{i,j} \in k$ and $\bar c^{\,*}_{i,j} \in k^{\times}$):

$$\begin{array}{c|ccc} w_i & t & t' & w \\ \hline A^{(i)}_{\beta} & \begin{pmatrix} v\,\bar c^{\,*}_{1,1} & 0 \\ v\,\bar c_{2,1} & \bar c^{\,*}_{2,2} \end{pmatrix} & \begin{pmatrix} \bar c^{\,*}_{1,1} & \bar c_{1,2} \\ 0 & v\,\bar c^{\,*}_{2,2} \end{pmatrix} & \begin{pmatrix} 0 & \bar c^{\,*}_{1,2} \\ v\,\bar c^{\,*}_{2,1} & 0 \end{pmatrix} \end{array}$$

Moreover, the pair (w0, w1) in $\{t, t', w\}^2$ determined this way does not depend on the choice of the eigenbasis β, but only on the Kisin module M.

Definition 5.38 The pair (w0, w1) given by Proposition 5.37 is called the shape of M.

Remark 5.39 The actual definition of the shape involves the extended affine Weyl group of G, but we choose to give this handy definition to avoid extra technicalities in this survey paper. For more details on the way to define the shape via Weyl elements, we suggest the reference [KM20, Section 5.1.9].

5.5.2 A Deformation Problem for Kisin Modules

In this penultimate subsection, we define a deformation problem for Frobenius-twist self-dual Kisin modules related to the deformation ring we introduced in Sect. 5.3.3 for C-parameters. We have a precise understanding of the form of the Kisin modules for any local Artinian R, generalising Proposition 5.37, which holds for the finite field k. This understanding leads to a very explicit description of the ring representing these deformations of Kisin modules (Theorem 5.45). We first require a basis compatible with all the structures (descent data, polarisation) on the Kisin modules. We introduce this basis now.

Definition 5.40 Let M be in $Y^{\tau}(R)$ and (w0, w1) be the shape of its reduction M ⊗R k to k.

• A gauge basis of M is an eigenbasis β of M such that the matrices of the partial Frobenius $\left(A^{(0)}_{\beta}, A^{(1)}_{\beta}\right)$ have the form in the table below, prescribed by the shape of M (with $c_{i,j}$ in R, $c^{*}_{i,j}$ in $R^{\times}$ and $c_{i,i}$ in $R \setminus R^{\times}$).

$$\begin{array}{c|ccc} w_i & t & t' & w \\ \hline A^{(i)}_{\beta} & \begin{pmatrix} (v+p)\,c^{*}_{1,1} & 0 \\ v\,c_{2,1} & c^{*}_{2,2} \end{pmatrix} & \begin{pmatrix} c^{*}_{1,1} & c_{1,2} \\ 0 & (v+p)\,c^{*}_{2,2} \end{pmatrix} & \begin{array}{c} \begin{pmatrix} c_{1,1} & c^{*}_{1,2} \\ v\,c^{*}_{2,1} & c_{2,2} \end{pmatrix} \\ c_{1,1}\,c_{2,2} = -p\,c^{*}_{1,2}\,c^{*}_{2,1} \end{array} \end{array}$$

• If moreover the inertial type τ is Frobenius-twist self-dual, R is local Artinian and ι is a polarisation on M, a gauge basis β is called compatible with ι if it satisfies: $\iota(\sigma^*\beta) = (1, -1)\,\beta^{\vee}$.

Remark 5.41 For R = k, a gauge basis is an eigenbasis such that the matrices of the partial Frobenius have the form in the table of Proposition 5.37. For general local Artinian R, compatible gauge bases exist by analogues of [LLHLM18, Theorem 4.1] and [KM20, Proposition 5.17].

From now on, we assume that τ is Frobenius-twist self-dual. Recalling that $s = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$ is also a lift in G of the non-trivial element of W, we can state the following result [KM20, Lemma 5.18(i)].

Lemma 5.42 Let (M, ι) be an object of $Y^{\tau}_{\mathrm{pol}}(R)$ and let β be a gauge basis of M compatible with ι. Then we have the following relation:

$$A^{(0)}_{\beta} = (v + p)\, s \left(A^{(1)}_{\beta}\right)^{-t} s.$$

Remark 5.43 Note that this relation implies in particular that the shape of an object $(M, \iota) \in Y^{\tau}_{\mathrm{pol}}(k)$ is necessarily of the form (w, w), i.e. that w0 = w1 [KM20, Lemma 5.17 (i)].

We are now ready to define the aforementioned nice deformation problem for Frobenius-twist self-dual Kisin modules over k.

Definition 5.44 Let τ be a 2-generic principal series type that is Frobenius-twist self-dual. Let (M, ι) be an object of $Y^{\tau}_{\mathrm{pol}}(k)$ and let β be a gauge basis on M that is compatible with ι. For any ring R in Art(O), we define $D^{\tau,\beta}_{M,\mathrm{pol}}(R)$ as the set of quadruples $(M_R, \iota_R, j_R, \beta_R)$, where $(M_R, \iota_R)$ is an object of $Y^{\tau}_{\mathrm{pol}}(R)$, $j_R$ is an isomorphism from $M_R \otimes_R k$ to M such that $\left(j_R^{\vee}\right)^{-1} \circ (\iota_R \otimes_R k) = \bar\iota \circ \sigma^* j_R$, and $\beta_R$ is a gauge basis of M, compatible with $\iota_R$ and lifting β (by $j_R$).

Deformation Theory for U(1, 1)(Qp2 /Qp )


According to [KM20, Section 5.3.1], this defines a functor $D^{\tau,\beta}_{M,\mathrm{pol}}$ that is representable by some object $R^{\tau,\beta}_{M,\mathrm{pol}} \in \mathrm{Noe}(\mathcal{O})$. The latter ring has the following explicit description [KM20, Theorem 5.18], which can be deduced from the previous results once we note that the choice of a triple $(M_R, \iota_R, \beta_R)$ as above is equivalent to the choice of a matrix $A^{(1)}_{\beta_R}$ whose form is prescribed by the shape of M in the table of Definition 5.40.

Theorem 5.45 We keep the previous notation and assumptions. In particular, we let $(w, w)$ be the shape of M. Then $R^{\tau,\beta}_{M,\mathrm{pol}}$ is isomorphic to the ring $R^{\mathrm{expl}}_{w}$ given by the following table (the variables $x^{*}_{i,j}$ correspond to the coefficients $c^{*}_{i,j} - [c^{*}_{i,j}]$ of the universal matrices in the table of Definition 5.40).

$$
\begin{array}{c|c|c|c}
w & t & t & w \\ \hline
R^{\mathrm{expl}}_{w} &
\mathcal{O}[[c_{2,1}, x^{*}_{1,1}, x^{*}_{2,2}]] &
\mathcal{O}[[c_{1,2}, x^{*}_{1,1}, x^{*}_{2,2}]] &
\mathcal{O}[[x_{1,1}, y_{2,2}, x^{*}_{1,2}, x^{*}_{2,1}]]/(x_{1,1}y_{2,2} + p)
\end{array}
$$

In particular, the form of $R^{\tau,\beta}_{M,\mathrm{pol}}$ only depends on the shape of M.

5.5.3 Some Consequences on Deformations of C-Parameters

Let $\bar{\rho} : \mathbb{Q}_p \to {}^{C}G$ be a tamely ramified p-modular C-parameter and let $\tau : I_{\mathbb{Q}_{p^2}} \to \mathrm{GL}_2(\mathcal{O})$ be a principal series inertial type that is Frobenius-twist self-dual. Further assume that $\bar{\rho}$ is 1-generic, that τ is 2-generic, and that there exists a Kisin module $M \in Y^{\tau}(k)$ such that $T^{*}_{dd} M \cong \mathrm{BC}(\bar{\rho})|_{\mathbb{Q}_{p^2},\infty}$. In this case, we know from Lemma 5.30 that such a Kisin module is unique and that it comes with a natural polarisation ι. This ensures that it makes sense to define the shape of $\bar{\rho}$ with respect to τ as the shape of the corresponding Frobenius-twist self-dual Kisin module (M, ι). Remark 5.43 shows that this shape is of the form $(w, w)$, and our assumptions allow us to use the previous results, and in particular the explicit formulae given by Theorem 5.45. This leads to the following result, which is a reformulation in this context of [KM20, (5.3.2)].

Theorem 5.46 We have an isomorphism of formal power series rings of the following form:

$$R^{\tau}_{\bar{\rho}}[[S_1, S_2]] \cong R^{\mathrm{expl}}_{w}[[T_1, T_2, T_3, T_4]].$$

Note that Theorem 5.46 does not completely describe $R^{\tau}_{\bar{\rho}}$, as it does not describe the image of this subring under the given isomorphism. To fully understand the deformation problem $D^{\tau}_{\bar{\rho}}$, we now plan to solve the following problem.

Question 3

Can we explicitly determine the deformation ring $R^{\tau}_{\bar{\rho}}$, without the variables $S_1, S_2$?

The isomorphism of [KM20, (5.3.2)] is valid for deformations of the absolute Galois group of $\mathbb{Q}_{p^f}$ (not only $\mathbb{Q}_p$). In this broader context, it identifies $R^{\tau}_{\bar{\rho}}[[S_1, \ldots, S_{2f}]]$ and $R^{\mathrm{expl}}_{w}[[T_1, T_2, T_3, T_4]]$, $R^{\mathrm{expl}}_{w}$ being the completed tensor product of f explicit deformation rings (one for each factor (see (12)) of the Kisin module). The additional formal smooth variables $S_1, \ldots, S_{2f}$ and $T_1, T_2, T_3, T_4$ correspond respectively to the gauge basis on the polarised Kisin module and the framing on the Galois representation. Thus, we expect the f pairs of variables $S_i$ to correspond to the f factors of the ring $R^{\mathrm{expl}}_{w}$.

Acknowledgments We are grateful for the opportunity to work together on this project and we wish to thank the organisers of the Women In Numbers Europe 3 conference. We also thank the referees for their careful reading and their valuable comments. The first author was partially supported by the ANR projects PerCoLaTor (ANR-14-CE25-0002-01) and GeRepMod (ANR-16-CE40-0010-01). The second author was partially supported by the ANR projects CLapCLap (ANR-18-CE40-0026) and FLAIR (ANR-17-CE40-0012). The third author has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 714405) while working on this project. The fourth named author was supported by the Engineering and Physical Sciences Research Council [EP/L015234/1], through the EPSRC Centre for Doctoral Training in Geometry and Number Theory (the London School of Geometry and Number Theory) at University College London.

References

[Abd11] Ramla Abdellatif. Autour des représentations modulo p des groupes réductifs p-adiques de rang 1. 2011. Thèse de doctorat de l’Université Paris-Sud 11.
[Abd14] Ramla Abdellatif. Classification des représentations modulo p de SL(2, F). Bull. Soc. Math. France, 142(3):537–589, 2014.
[AHHV16] Noriyuki Abe, Guy Henniart, Florian Herzig, and Marie-France Vignéras. A classification of irreducible admissible mod p representations of p-adic reductive groups. J. Amer. Math. Soc., 30(2):495–559, 2016.
[Bal12] Sundeep Balaji. G-valued potentially semi-stable deformation rings. PhD thesis, 2012.
[BG13] Kevin Buzzard and Toby Gee. The conjectural connections between automorphic representations and Galois representations. In Automorphic forms and Galois representations. Vol. 1, volume 414 of London Math. Soc. Lecture Note Ser., pages 135–187. Cambridge Univ. Press, Cambridge, 2013.
[BG19] Rebecca Bellovin and Toby Gee. G-valued local deformation rings and global lifts. Algebra Number Theory, 13(2):333–378, 2019.
[BM02] Christophe Breuil and Ariane Mézard. Multiplicités modulaires et représentations de GL2(Zp) et de Gal(Qp/Qp) en l = p (avec une annexe de G. Henniart). Duke Math. J., 115:205–310, 2002.
[Bor76] Armand Borel. Formes automorphes et séries de Dirichlet, d’après R.P. Langlands. Séminaire Bourbaki, 17(466):183–222, 1976.
[BP12] Christophe Breuil and Vytautas Paskunas. Towards a modulo p Langlands correspondence for GL(2). Memoirs of the Amer. Math. Soc., 216, 2012.
[BP20] Jeremy Booher and Stefan Patrikis. G-valued Galois deformation rings when l ≠ p. Math. Res. Letters, to appear, 2020.
[Bre03] Christophe Breuil. Sur quelques représentations modulaires et p-adiques de GL2(Qp), I. Compositio Math, 138(2):165–188, 2003.
[Bre07] Christophe Breuil. Representations of Galois and of GL2 in characteristic p. Lectures Notes at Columbia University, 2007.
[Bre12] Christophe Breuil. Correspondances de Langlands p-adique, compatibilité local-global et applications (d’après Colmez, Emerton, Kisin...). Astérisque, 348:119–147, 2012.
[CDM18] Xavier Caruso, Agnès David, and Ariane Mézard. Un calcul d’anneaux de déformations potentiellement Barsotti-Tate. Trans. Amer. Math. Soc., 370(9):6041–6096, 2018.
[CHT08] Laurent Clozel, Michael Harris, and Richard Taylor. Automorphy for some l-adic lifts of automorphic mod l Galois representations. Publ. Math. de l’IHES, 108(1):1–181, 2008.
[Col10] Pierre Colmez. Représentations de GL2(Qp) et (ϕ, Γ)-modules. Astérisque, 330:281–509, 2010.
[Col13] Pierre Colmez. Le programme de Langlands p-adique. In European Math. Soc., editor, European Congress of Mathematics Krakow 2012, pages 259–284. 2013.
[Fon94] Jean-Marc Fontaine. Représentations p-adiques semi-stables. Astérisque, 223:113–184, 1994.
[GHS18] Toby Gee, Florian Herzig, and David Savitt. General Serre weight conjectures. J. Eur. Math. Soc., 20(12):2859–2949, 2018.
[HSS18] Julien Hauseux, Tobias Schmidt, and Claus Sorensen. Deformation rings and parabolic induction. J. Théorie Nombres Bordeaux, 30(2):695–727, 2018.
[HSS19] Julien Hauseux, Tobias Schmidt, and Claus Sorensen. Functorial properties of generalised Steinberg representations. J. Number Theory, 195:312–329, 2019.
[Kis09] Mark Kisin. The Fontaine-Mazur conjecture for GL2. J. Amer. Math. Soc., 22(3):641–690, 2009.
[Kis10] Mark Kisin. Deformations of GQp and GL2(Qp) representations. Astérisque, 330:511–527, 2010.
[KM20] Karol Kozioł and Stefano Morra. Serre weight conjectures for p-adic unitary groups of rank 2. preprint, arxiv:1810.03827v3, 2020.
[Koz16] Karol Kozioł. A classification of the irreducible mod-p representations of U(1, 1)(Qp2/Qp). Ann. Inst. Fourier, 66(4):1545–1582, 2016.
[Le19] Daniel Le. On some nonadmissible smooth irreducible representations for GL(2). Math. Res. Letters, 26(6):1747–1758, 2019.
[LL79] Jean-Pierre Labesse and Robert Phelan Langlands. L-indistinguishability for SL(2). Can. J. Math., 31:726–785, 1979.
[LLHLM18] Daniel Le, Bao V. Le Hung, Brandon Levin, and Stefano Morra. Potentially crystalline deformation rings and Serre weight conjectures: shapes and shadows. Invent. Math., 212(1):1–107, 2018.
[Maz89] Barry Mazur. Deforming Galois representations. In Galois groups over Q, volume 16, pages 385–437. Springer, New-York, 1989.
[Sch11] Peter Schneider. p-adic Lie groups, volume 344 of Grundlehren der Mathematischen Wissenschaften. Springer-Verlag, Heidelberg, 2011.
[Vig96] Marie-France Vignéras. Représentations l-modulaires d’un groupe réductif p-adique avec l ≠ p, volume 137 of Progress in Math. Birkhauser, Boston, 1996.
[Wil95] Andrew Wiles. Modular elliptic curves and Fermat’s last theorem. Annals of Math., 42(3):443–551, 1995.
[Wu19] Zhixiang Wu. A note on presentations of supersingular representations of GL2(F). preprint, arxiv:1911.12030v2, 2019.

Explicit Connections Between Supersingular Isogeny Graphs and Bruhat–Tits Trees

Laia Amorós, Annamaria Iezzi, Kristin Lauter, Chloe Martindale, and Jana Sotáková

MSC Codes (2020) Primary: 14G50, 11G05; Secondary: 05C75, 11R52

L. Amorós: Department of Computer Science, Aalto University, Espoo, Finland
A. Iezzi: Department of Mathematics and Statistics, University of South Florida, Tampa, FL, USA; Laboratoire GAATI, Université de la Polynésie Française, Punaauia, French Polynesia
K. Lauter: Facebook, Seattle, WA, USA
C. Martindale: Department of Computer Science, University of Bristol, Bristol, UK
J. Sotáková: QuSoft and Institute for Logic, Language and Computation, University of Amsterdam, Amsterdam, The Netherlands

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_2

1 Introduction

Post-Quantum Cryptography (PQC) is a subfield of cryptography that focuses on cryptosystems designed to withstand an attacker who has access to a quantum computer. An emerging field in post-quantum cryptography is isogeny-based cryptography, which is based on the hardness of computing a large-degree isogeny between two given elliptic curves. Most practical proposals in the area restrict to isogenies of supersingular elliptic curves, which were introduced into cryptography by Charles, Goren and Lauter [11] (first published in 2006 [10]) for constructing cryptographic hash functions. Later, Jao and De Feo [23] proposed a Diffie–Hellman style key exchange based on supersingular isogenies called SIDH, or Supersingular Isogeny Diffie–Hellman. Post-quantum cryptography has enjoyed an increase in


interest since the advent of the NIST international ‘competition’ [31], initiated in 2016, to find a post-quantum cryptographic standard. The only isogeny-based submission in the NIST competition is the key encapsulation mechanism SIKE [3], or Supersingular Isogeny Key Encapsulation, which is based on SIDH. To assure the long-term security of schemes for future use in widely deployed cryptosystems we need more research on the hardness of computing isogenies in supersingular isogeny graphs. There are other competitive schemes [4, 7, 8] based on different assumptions (inspired by ordinary elliptic curves following [14, 16, 37]) that emerged since NIST submissions closed, but in this article we focus on the setting of SIDH.

Both the CGL hash function and SIKE are based on the supersingular ℓ-isogeny graph, consisting of vertices which are isomorphism classes of supersingular elliptic curves defined over $\overline{\mathbb{F}}_p$, where p is a prime of cryptographic size. Each isomorphism class has a representative defined over F_{p^2}, and vertices are labelled with the j-invariant of the curve, all of which are in F_{p^2}. The edges are degree-ℓ isogenies, where ℓ ≠ p is prime; in SIKE ℓ = 2 or 3. We denote the supersingular ℓ-isogeny graph by G_ℓ; it has ≈ p/12 vertices,¹ is connected, undirected and (ℓ + 1)-regular at every vertex except for those vertices that represent elliptic curves with non-trivial automorphisms. If p ≡ 1 (mod 12) then the supersingular isogeny graph is Ramanujan [12, 35]. Ramanujan graphs are optimal expander graphs: they have good mixing properties and short walks end at an approximately uniformly distributed vertex, where the approximation depends on the expansion constant.

It is important for security that the inherent algebraic properties of the supersingular isogeny graph do not give rise to non-trivial attacks. For instance, there should be no special paths that can be constructed with non-negligible probability, and starting at the vertex specified in SIKE should not give skewed data. Experimental verification is of course out of the question for cryptographic-size examples. Recently [2] studied the special properties of the F_p-subgraph, and [28] showed that there are exponentially many weak starting curves for the SIKE protocol. These two papers show that the graph does have some inherent structure that may be exploited in cryptanalysis, which motivated our attempt in this work to gain a better understanding of the algebraic structures associated to the isogeny graph.

The ‘algebraic structures associated to the isogeny graphs’ that are typically studied are quaternion algebras: indeed the Deuring correspondence [17] maps a supersingular elliptic curve defined over F_{p^2} to its endomorphism ring, which is a maximal order in the quaternion algebra B_{p,∞} over Q ramified only at p and ∞. This map gives a correspondence² between the $\overline{\mathbb{F}}_p$-isomorphism classes of supersingular elliptic curves and maximal orders in B_{p,∞} (up to conjugation), and maps isogenies of degree ℓ to left-ideals of norm ℓ. The hard problem of pathfinding on the supersingular isogeny graph can be solved in heuristic polynomial time on the corresponding graph of quaternion orders [26], but it is a fundamental hard problem to make the correspondence between the two graphs explicit [19].

¹ See e.g. [40, Theorem 4.1].
² Pizer [35] used this description of supersingular isogeny graphs to prove the Ramanujan property when p ≡ 1 (mod 12).

In this paper we propose that we take one step further, from quaternion algebras to Bruhat–Tits trees. Bruhat–Tits trees are combinatorial objects whose vertices and edges have a very simple representation as two-by-two matrices: for a prime ℓ, the Bruhat–Tits tree for PGL_2(Q_ℓ), denoted by T_ℓ, is a (ℓ + 1)-regular infinite tree, for which one can choose the root as the vertex with label $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$, representing a Z_ℓ-basis of a maximal order in M_2(Q_ℓ). Starting from the root one can build the rest of the tree, knowing that from each vertex there are ℓ + 1 outgoing edges labelled with the matrices

$$\begin{pmatrix} 1 & 0 \\ i & \ell \end{pmatrix},\ i = 0, 1, \ldots, \ell - 1, \quad\text{or}\quad \begin{pmatrix} \ell & 0 \\ 0 & 1 \end{pmatrix};$$

these labels can be thought of as ‘directions’. Every edge gives the basis change from a vertex to an adjacent one. So, in particular, a vertex can be labelled with the sequence of the edges leading to it from the root. Translating this sequence into the product of the corresponding matrices returns a matrix that represents the Z_ℓ-basis of a maximal order in M_2(Q_ℓ).

The connection between Bruhat–Tits trees, quaternion algebras, and supersingular ℓ-isogeny graphs was explained in [12] and [13]. The bijection between the class set of maximal orders in a quaternion algebra and the double quotient of PGL_2(Q_ℓ) is given in [12, Section 5.3.1, Equation (1)]. This series of bijections was used to show the Ramanujan property of supersingular ℓ-isogeny graphs. This is further explained in [13, Proposition 7.2], and the definition and generators for the Bruhat–Tits tree are given in [13, Section 6.2, Equation (8)]. However, these expositions were not aimed at a cryptographic audience and they did not cover the details of the corresponding graph structure. The main goal of this paper is to provide an expository resource about these connections, as well as highlighting their potential applications in the cryptanalysis of isogeny-based protocols that make use of supersingular elliptic curves defined over F_{p^2}, such as the CGL hash function and SIKE.
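The edge labelling described above can be exercised directly. The Python below is an added illustration, not code from the paper or from the BTQuotient module [20]: it multiplies the edge matrices along a path and reduces each product to a canonical representative of its homothety class. It assumes integer matrices over Z in place of Z_ℓ (enough here, since every lattice reached has ℓ-power index in Z²) and right multiplication by the edge matrix; all function names are hypothetical.

```python
from math import gcd

ROOT = ((1, 0), (0, 1))  # label of the root vertex

def edge_matrices(l):
    """The l+1 'directions': (1 0; i l) for i = 0..l-1, then (l 0; 0 1)."""
    return [((1, 0), (i, l)) for i in range(l)] + [((l, 0), (0, 1))]

def mul(A, B):
    """Product of two 2x2 integer matrices stored as tuples of rows."""
    return tuple(tuple(sum(A[r][k] * B[k][c] for k in range(2))
                       for c in range(2)) for r in range(2))

def egcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b), for a, b >= 0."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0

def canon(M):
    """Canonical representative of the homothety class of the lattice
    spanned by the columns of M: column Hermite normal form (g 0; x h)
    with 0 <= x < h, divided by the gcd of its entries."""
    (a, b), (c, d) = M
    g, u, v = egcd(a, b)
    h = abs(a * d - b * c) // g
    x = (u * c + v * d) % h
    t = gcd(gcd(g, x), h)
    return ((g // t, 0), (x // t, h // t))

def level(V, l):
    """Distance from the root: l-adic valuation of det of the canonical form."""
    det, n = V[0][0] * V[1][1], 0
    while det % l == 0:
        det, n = det // l, n + 1
    return n

def vertex_of_path(path, l):
    """Vertex reached from the root by a sequence of direction indices
    (0..l-1 for (1 0; i l), l for (l 0; 0 1)): multiply the edge matrices."""
    E, M = edge_matrices(l), ROOT
    for step in path:
        M = mul(M, E[step])
    return canon(M)

def ball(l, radius):
    """Breadth-first search out to the given radius.
    Returns ({vertex: distance from root}, set of undirected edges)."""
    dist, edges, frontier = {ROOT: 0}, set(), [ROOT]
    for n in range(radius):
        nxt = []
        for V in frontier:
            nbrs = {canon(mul(V, g)) for g in edge_matrices(l)}
            assert len(nbrs) == l + 1          # (l+1)-regular
            for W in nbrs:
                edges.add(frozenset((V, W)))
                if W not in dist:
                    dist[W] = n + 1
                    nxt.append(W)
        frontier = nxt
    return dist, edges

def sphere_sizes(l, radius):
    """Number of vertices at each distance 0..radius from the root."""
    dist, _ = ball(l, radius)
    return [sum(1 for d in dist.values() if d == n) for n in range(radius + 1)]

if __name__ == "__main__":
    print(sphere_sizes(2, 3))                  # vertices at distance 0..3 in T_2
    print(vertex_of_path([1, 1], 2))           # two steps in direction i = 1
    print(vertex_of_path([0, 2], 2) == ROOT)   # a step and its backtrack
```

A path that backtracks multiplies out to a scalar multiple of an earlier matrix, which is why only non-backtracking walks increase the level.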

1.1 Contributions

Bruhat–Tits trees are standard tools when studying Shimura curves, and their applications in number theory are plentiful. However, they are usually described in language inaccessible to cryptographers. We give a thorough expository treatment in Sect. 3 that will hopefully help to remedy this gap.

Section 4 explicitly connects the different viewpoints on supersingular isogeny graphs: quaternion ideal graphs and Bruhat–Tits trees. We show how to translate, via the ℓ-adic Tate module of a given elliptic curve, the notions of ‘directions’ and ‘distance from the root’ of the Bruhat–Tits tree T_ℓ into the setting of the supersingular ℓ-isogeny graph G_ℓ. This allows us to interpret non-backtracking walks in G_ℓ as ‘distance-increasing’ (or level-increasing) walks in T_ℓ. We also review the classical Deuring correspondence between quaternion orders and supersingular elliptic curves and the classical correspondence due to Ribet [36] between the quotient of the Bruhat–Tits tree T_ℓ by a well-chosen matrix group and the supersingular ℓ-isogeny graph G_ℓ. Finally we outline the explicit correspondence between quaternion orders and vertices of the Bruhat–Tits trees following [29].

In Sect. 5 we move away from expository material and give some tentative suggestions for using Bruhat–Tits trees in cryptanalysis, since two-by-two matrices are very easy to work with. In Sect. 5.1 we explain how truncating the Bruhat–Tits tree at a certain level gives a close approximation of the subgraph of the supersingular isogeny graph relevant for SIKE. In Sect. 5.2 we give an algorithm to compute the isogeny corresponding to a given path in the Bruhat–Tits tree. We have also implemented this algorithm and include an explicit example. In Sect. 5.3 we explore the BTQuotient module by [20] for general quotients of Bruhat–Tits trees. We show how the functions already written there can be used to compute with cryptographic-size isogeny graphs, the case of interest to us, which was not covered by their code. In particular, we use the code in [20] to study the norm equations in specific directions of the Bruhat–Tits tree. In Sect. 5.4, we give an example of how the algorithms adapted from BTQuotient may be used to study SIKE: we exhibit a path in the Bruhat–Tits tree for which we can completely parameterize the norm equations of the corresponding orders on the quaternion graph.

2 Background

In this section we give a brief expository overview of the necessary background of elliptic curves, quaternion algebras and Bruhat–Tits trees. We use the notation p for a prime p > 3 and q = p^n for a prime power. We reserve ℓ for a prime ℓ ≠ p.

2.1 Elliptic Curves over Finite Fields

We summarise the basic arithmetic of elliptic curves over finite fields. The interested reader can look at [40, Ch. III&V] for more details. Let E be an elliptic curve defined over F_q (we may instead just write E/F_q). The set of points E(F_q) equipped with an operation of addition forms an abelian group. If 2, 3 ∤ q, we can assume without loss of generality that E is given by a Weierstrass equation E : y² = x³ + Ax + B, where A, B ∈ F_q and 4A³ + 27B² ≠ 0. We associate to E an element j(E) ∈ F_q, called the j-invariant of E and defined as

$$j(E) := 1728\,\frac{4A^3}{4A^3 + 27B^2}.$$

The j-invariant is an $\overline{\mathbb{F}}_q$-isomorphism invariant.

2.1.1 Isogenies and Endomorphisms

Given two elliptic curves E_1 and E_2 defined over F_q, an isogeny ϕ : E_1 → E_2 defined over F_q (resp. $\overline{\mathbb{F}}_q$) is a non-constant rational map defined over F_q (resp. $\overline{\mathbb{F}}_q$) which is also a surjective group homomorphism; it follows that the kernel ker(ϕ) is always finite. One example is, for m ∈ Z, the multiplication-by-m map on any elliptic curve E, denoted by [m] : E → E, sending P ↦ mP. The degree of an isogeny ϕ is its degree as a rational map; we refer to an isogeny of degree ℓ as an ℓ-isogeny. In particular, when ϕ is separable (which is always the case when p ∤ deg(ϕ)), we have deg(ϕ) = |ker(ϕ)|. Also, for every ℓ-isogeny ϕ : E_1 → E_2, there exists a (canonical) dual ℓ-isogeny $\hat{\phi}$ : E_2 → E_1 such that ϕ ∘ $\hat{\phi}$ = $\hat{\phi}$ ∘ ϕ = [ℓ]. Given generators of its kernel, the rational maps defining an isogeny can be computed in time linear in the degree via Vélu’s formulas [41].

An endomorphism of an elliptic curve E is either an isogeny ϕ : E → E or the zero morphism. One example is given by the multiplication-by-m map [m] defined above. Note that [m] is an isogeny of degree m² and is separable if and only if p ∤ m; in this case E[m] := ker([m]) ≅ Z/mZ × Z/mZ. We also refer to E[m] as the m-torsion subgroup of E and to its elements as the m-torsion points of E (these points are defined over $\overline{\mathbb{F}}_q$). Another example of an endomorphism of E/F_q is the Frobenius endomorphism π_q, or just π, defined as follows:

$$\pi : E \to E, \qquad (x, y) \mapsto (x^q, y^q).$$

The set of all endomorphisms of E defined over $\overline{\mathbb{F}}_q$, denoted End(E), is a ring with the operations of addition and composition, and we refer to it as the endomorphism ring of E. For an elliptic curve E/F_q, the endomorphism ring End(E) is either an order in an imaginary quadratic field (in which case we call E ordinary) or a maximal order in a quaternion algebra ramified only at p = char(F_q) and ∞ (in which case we call E supersingular). Any supersingular elliptic curve E satisfies j(E) ∈ F_{p^2} and so E can be defined over F_{p^2}. For an ordinary curve E/F_q, the endomorphism ring End(E) can be any order in the imaginary quadratic field Q(π) containing Z[π]. For a supersingular elliptic curve E/F_q, if q = p then the Frobenius endomorphism does not act like a scalar so in particular is not in Z; if q = p², the Frobenius does act like a scalar. If j(E) ∉ F_p it is a hard problem in isogeny-based cryptography [25, 19] to find non-scalar endomorphisms of E. This article will only consider supersingular elliptic curves.

Fig. 1 Supersingular 2-isogeny graph for p = 241. Every vertex of the graph corresponds to a supersingular j-invariant in F_{241^2}

2.1.2 Supersingular ℓ-Isogeny Graphs

Let ℓ and p be prime numbers with ℓ ≠ p. First we define the graph whose vertices are j-invariants of supersingular elliptic curves defined over $\overline{\mathbb{F}}_p$ and such that there is a (directed) edge from j(E_1) to j(E_2) for every ℓ-isogeny (defined over $\overline{\mathbb{F}}_p$) ϕ : E_1 → E_2. The number of edges from j(E_1) to j(E_2) is independent of the choice of the curves E_1, E_2. Because there are ℓ + 1 cyclic subgroups in E[ℓ] for any E, there are ℓ + 1 outgoing edges from every j-invariant j(E); loops and multi-edges are possible. For every ℓ-isogeny ϕ : E_1 → E_2, there is a dual ℓ-isogeny $\hat{\phi}$ : E_2 → E_1. We identify the edge corresponding to ϕ with the edge corresponding to $\hat{\phi}$; we call the resulting (undirected) graph the supersingular ℓ-isogeny graph G_ℓ := G_ℓ($\overline{\mathbb{F}}_p$).

For p ≡ 1 mod 12, we obtain a (ℓ + 1)-regular graph (at every vertex, there are ℓ + 1 edges). However, for p ≢ 1 mod 12, the j-invariants 0 and 1728 can be supersingular. Due to the extra automorphisms of the curves E_j with j-invariant j ∈ {0, 1728}, multiple isogenies ϕ_i : E_j → E have the same dual isogeny $\hat{\phi}$ : E → E_j; in this identification, we therefore end up with fewer edges from j = 0 and j = 1728. For instance, for j = 1728 and ℓ = 2, there is always a 2-isogeny φ : E_1728 → E_1728 and a pair of isogenies ϕ, ψ : E_1728 → E_287496 which satisfy $\hat{\phi}$ = $\hat{\psi}$. Therefore, there are two edges from j = 1728 in G_2, ending at j = 1728 and j = 287496. In Fig. 1, we have p = 241 and ℓ = 2. Note that 241 ≡ 1 mod 12 and so the graph G_2 is 3-regular.

2.2 Quaternion Algebras over Q

A quaternion algebra over Q is a central simple algebra that has dimension 4 over Q. For a, b ∈ Q − {0} we denote by $\left(\frac{a,b}{\mathbb{Q}}\right)$ the Q-algebra generated by a basis {1, i, j, k} such that i² = a, j² = b, and ij = −ji = k. Any quaternion algebra B over Q is isomorphic to $\left(\frac{a,b}{\mathbb{Q}}\right)$ for some a, b ∈ Z. For every prime p we define B_p := B ⊗_Q Q_p, and for the infinite prime ∞ we define B_∞ := B ⊗_Q R. A quaternion algebra B over Q is said to be ramified or non split at p (resp. at ∞) if B_p (resp. B_∞) is a division algebra. It is said to be unramified or split at p (resp. at ∞) if B_p ≅ M_2(Q_p) (resp. B_∞ ≅ M_2(R)). Moreover it is called definite (resp. indefinite) if it is ramified (resp. split) at ∞. The discriminant of B is the product of all ramified primes in B, so it is a square-free positive integer.

A quaternion algebra B over Q is endowed with a standard involution given by conjugation: the conjugate of an element α = x + yi + zj + tk ∈ B is $\bar{\alpha}$ = x − yi − zj − tk, where x, y, z, t ∈ Q. The reduced trace of α is trd(α) = α + $\bar{\alpha}$, and the reduced norm of α is nrd(α) = α$\bar{\alpha}$. It is easy to check that trd(α), nrd(α) ∈ Q.

The endomorphism ring of any supersingular elliptic curve over F_q, where q is a power of p, is a maximal order in the quaternion algebra over Q ramified only at p and ∞, denoted by B_{p,∞}. Pizer [34] gave an explicit description for all such possible quaternion algebras.

Theorem 1 Let p be an odd prime. Then, up to isomorphism, the unique quaternion algebra B_{p,∞} over Q ramified at p and ∞ is given by:

• $B_{p,\infty} = \left(\frac{-1,-p}{\mathbb{Q}}\right)$, if p ≡ 3 (mod 4);
• $B_{p,\infty} = \left(\frac{-2,-p}{\mathbb{Q}}\right)$, if p ≡ 5 (mod 8);
• $B_{p,\infty} = \left(\frac{-r,-p}{\mathbb{Q}}\right)$, if p ≡ 1 (mod 8), with a prime r such that r ≡ 3 (mod 4) and $\left(\frac{p}{r}\right) = -1$.

Moreover, we have r = O(log² p) under the generalized Riemann hypothesis [19].

2.2.1 Arithmetic of Quaternion Algebras

Just like number fields, quaternion algebras are endowed with rich arithmetic, but the non-commutativity produces some interesting differences. We recall here the basic concepts for the convenience of the reader. For a quaternion algebra B over Q, an ideal of B is a Z-lattice of B of rank 4. An order of B is an ideal which is also a subring. A maximal order is an order that is not properly contained in another order. Unlike in number fields, maximal orders in quaternion algebras are not necessarily unique.


Example 1 We can always write down a maximal order in B_{p,∞} for any p [34, Prop 5.2]. For example, if p ≡ 3 mod 4 and {1, i, j, k} is a basis of B_{p,∞} with i² = −1 and j² = −p and k = ij, we can take the maximal order $\mathbb{Z} \oplus \mathbb{Z}i \oplus \mathbb{Z}\frac{i+j}{2} \oplus \mathbb{Z}\frac{1+k}{2}$.

Let O be an order of B. An ideal I of B is said to be a left ideal (resp. right ideal) of O if OI := {xI : x ∈ O} ⊆ I (resp. IO := {Ix : x ∈ O} ⊆ I). The reduced norm nrd(I) of an ideal I is gcd{nrd(α) : α ∈ I}. Two ideals I and J of B belong to the same left-ideal class (resp. right-ideal class) if there exists β ∈ B^× such that I = Jβ (resp. I = βJ). For a maximal order O we denote by Cl_l(O) the set of left-ideal classes (analogously, Cl_r(O) is the set of right-ideal classes), which is a finite set. To any ideal I of B we associate two orders:

• the left order of I, i.e. the order O_l(I) := {x ∈ B : xI ⊆ I};
• the right order of I, i.e. the order O_r(I) := {x ∈ B : Ix ⊆ I}.

Note that I is a left ideal for its left order and a right ideal for its right order. In particular, if O is maximal and I is a left ideal of O then O_l(I) = O, as O ⊆ O_l(I). We say that two maximal orders O_1 and O_2 are linked if there exists an ideal I in B such that O_l(I) = O_1 and O_r(I) = O_2. If two orders are linked then they have the same number of left (or right) ideal classes. In particular, since any two maximal orders of B are linked, maximal orders all have the same number of left (or right) ideal classes. Two orders O_1 and O_2 are said to be conjugate (or of the same type) if there exists α ∈ B^× such that O_2 = α^{−1} O_1 α. By the Skolem–Noether theorem for central simple algebras, two orders are conjugate if and only if they are isomorphic as rings.

2.2.2 ℓ-Ideal Graph of a Quaternion Algebra

Let Brt(B) denote the set of all the left ideal classes of all maximal orders in B (up to conjugation). For ideal classes [I], [J] in Brt(B) such that O_r(I) = O_l(J) we denote the multiplication of [I] and [J] by [I] ∗ [J]. (Brt(B), ∗) is clearly not a group, since the operation is not defined for all classes. However, the operation ∗ does equip Brt(B) with a groupoid structure [43, Chapter 19] and (Brt(B), ∗) is known as the Brandt groupoid of B [6]. We can visualise the Brandt groupoid of B as a graph whose vertices are the maximal orders of B considered up to conjugation, and an edge connects two vertices whenever the corresponding maximal orders are linked by an ideal. In Fig. 2 we represent the Brandt groupoid for the quaternion algebra B_{241,∞}. We omit half of the edges: if the inverse of an ideal was already represented, then its representation was not included. If we only consider ideal classes which admit representatives of a certain norm, we get the following definition.

Fig. 2 Graph of the Brandt groupoid for the quaternion algebra B_{241,∞}

Definition 1 (ℓ-Ideal Graph) Let B be a quaternion algebra over Q of discriminant D. For every prime ℓ ∤ D we define the ℓ-ideal graph of B as the undirected graph whose vertices are the maximal orders in B considered up to conjugation, and two vertices are connected by an edge if the corresponding maximal orders are linked by a left ideal class admitting a representative of reduced norm ℓ.

Note that the sets of vertices and edges of the ℓ-ideal graph do not depend on the choice of representatives of the vertices [43, Theorem 19.1.8].

Finally, we comment on the relationship of the ℓ-ideal graph and the ℓ-isogeny graph. For a supersingular elliptic curve E/F_{p^2} denote by E^p any elliptic curve with j-invariant j(E)^p. Then End(E) and End(E^p) are isomorphic as rings, hence conjugate. Therefore, in the ℓ-ideal graph, vertices corresponding to End(E) and End(E^p) are identified. Since ℓ-isogenies correspond to ideals of norm ℓ (for more details, see Sect. 4.1), there is an edge between the isomorphism classes of End(E) and End(E′) if and only if there is an ℓ-isogeny between E and E′. Because of the above, the supersingular ℓ-isogeny graph is a 2-covering of the ℓ-ideal graph, except for the vertices defined over F_p (for which we have a 1-to-1 correspondence). As an example, for ℓ = 2 and p = 241, we plot in Fig. 3 the 2-ideal graph for the quaternion algebra B_{241,∞}, which can be compared with the supersingular 2-isogeny graph for p = 241 in Fig. 1.

2.2.3 Norm Forms of Maximal Orders

Let B be the quaternion algebra $\left(\frac{-r,-p}{\mathbb{Q}}\right)$ with r, p ∈ Z_{>0} and basis {1, i, j, k} such that i² = −r, j² = −p and k² = −pr. For a, b, c, d ∈ Q, the reduced norm introduced in the previous section defines a quadratic form in four variables:

$$\mathrm{nrd}(a + bi + cj + dk) = a^2 + rb^2 + pc^2 + prd^2. \tag{1}$$

Fig. 3 2-ideal graph for B_{241,∞}. Compare also with the supersingular 2-isogeny graph for p = 241 in Fig. 1

The structure of the quaternion algebra $B$ is related to the properties of the quadratic form $\mathrm{nrd}$. For instance, the property of being a definite quaternion algebra (which, over $\mathbb{Q}$, is the same as having $i^2 < 0$, $j^2 < 0$) is equivalent to the norm form being positive definite.

We can also associate an integral quadratic form to any order $O$ in $B$. Once an integral basis $\{\beta_i\}_{i=1}^{4}$ of $O$ is fixed, an element $\alpha$ in $O$ can be written as $\alpha = a\beta_1 + b\beta_2 + c\beta_3 + d\beta_4$, with $a, b, c, d \in \mathbb{Z}$. If we compute the reduced norm of $\alpha$ in this basis, we obtain a quadratic form in four variables over $\mathbb{Z}$ which we refer to as the norm form of $O$. The norm form of different orders can be used for attacks [33, 28] under special circumstances; this is discussed further in Sect. 5.4.

Example 2 Let $p \equiv 3 \pmod 4$. We take the maximal order

$$O = \mathbb{Z} \oplus \mathbb{Z}i \oplus \mathbb{Z}\,\frac{i+j}{2} \oplus \mathbb{Z}\,\frac{1+k}{2} \subseteq B_{p,\infty} = \left(\frac{-1,-p}{\mathbb{Q}}\right),$$

where $i^2 = -1$, $j^2 = -p$ and $k^2 = -p$. We can write an element $\alpha$ in $O$ as $\alpha = a + bi + c\,\frac{i+j}{2} + d\,\frac{1+k}{2}$, with $a, b, c, d \in \mathbb{Z}$. Then using the reduced

Explicit Connections Between Supersingular Isogeny Graphs and Bruhat–Tits Trees

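norm (1) we can compute the norm form associated to the order $O$:

$$\begin{aligned}
\mathrm{nrd}(\alpha) &= \mathrm{nrd}\left(a + bi + c\,\frac{i+j}{2} + d\,\frac{1+k}{2}\right) \\
&= \mathrm{nrd}\left(a + \frac{d}{2} + \left(b + \frac{c}{2}\right) i + \frac{c}{2}\, j + \frac{d}{2}\, k\right) \\
&= a^2 + b^2 + bc + \frac{p+1}{4}\, c^2 + ad + \frac{p+1}{4}\, d^2 .
\end{aligned}$$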
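The computation in Example 2 can be reproduced for any order given by a rational basis. The Python code below is an added example, not code from the paper; the function names are chosen here, and the primes used in the self-check are sample values with $p \equiv 3 \pmod 4$.

```python
from fractions import Fraction as Fr

def qmul(x, y, r, p):
    """Product in B = (-r,-p / Q); coordinates on 1, i, j, k with k = ij."""
    a1, b1, c1, d1 = x
    a2, b2, c2, d2 = y
    # Uses i^2=-r, j^2=-p, k^2=-pr, ij=-ji=k, jk=-kj=p*i, ki=-ik=r*j.
    return (a1*a2 - r*b1*b2 - p*c1*c2 - p*r*d1*d2,
            a1*b2 + b1*a2 + p*(c1*d2 - d1*c2),
            a1*c2 + c1*a2 + r*(d1*b2 - b1*d2),
            a1*d2 + d1*a2 + b1*c2 - c1*b2)

def nrd(x, r, p):
    """Reduced norm: scalar part of x * conj(x); agrees with formula (1)."""
    a, b, c, d = x
    return qmul(x, (a, -b, -c, -d), r, p)[0]

def norm_form(basis, r, p):
    """Upper-triangular coefficients q[i][j] (i <= j) of the norm form of the
    lattice with the given basis: nrd(sum x_i*beta_i) = sum q[i][j]*x_i*x_j."""
    q = [[Fr(0)] * 4 for _ in range(4)]
    for i in range(4):
        q[i][i] = nrd(basis[i], r, p)
    for i in range(4):
        for j in range(i + 1, 4):
            s = tuple(u + v for u, v in zip(basis[i], basis[j]))
            q[i][j] = nrd(s, r, p) - q[i][i] - q[j][j]   # polarisation
    return q

def evaluate(q, x):
    return sum(q[i][j] * x[i] * x[j] for i in range(4) for j in range(i, 4))

def det(m):
    """Determinant over the rationals by Gaussian elimination."""
    m = [row[:] for row in m]
    n, d = len(m), Fr(1)
    for col in range(n):
        piv = next((row for row in range(col, n) if m[row][col] != 0), None)
        if piv is None:
            return Fr(0)
        if piv != col:
            m[col], m[piv] = m[piv], m[col]
            d = -d
        d *= m[col][col]
        for row in range(col + 1, n):
            f = m[row][col] / m[col][col]
            m[row] = [u - f * v for u, v in zip(m[row], m[col])]
    return d

def gram_det(q):
    """Determinant of the symmetric Gram matrix of the norm form
    (2*q[i][i] on the diagonal); it equals p^2 for a maximal order in B_{p,oo}."""
    g = [[2 * q[i][i] if i == j else q[min(i, j)][max(i, j)] for j in range(4)]
         for i in range(4)]
    return det(g)

def example2_basis():
    """Basis 1, i, (i+j)/2, (1+k)/2 of the order O in Example 2."""
    h = Fr(1, 2)
    return [(Fr(1), Fr(0), Fr(0), Fr(0)), (Fr(0), Fr(1), Fr(0), Fr(0)),
            (Fr(0), h, h, Fr(0)), (h, Fr(0), Fr(0), h)]

def example2_formula(p, a, b, c, d):
    """Closed form stated at the end of Example 2."""
    return a*a + b*b + b*c + Fr(p + 1, 4)*c*c + a*d + Fr(p + 1, 4)*d*d

if __name__ == "__main__":
    for p in (7, 11):                       # sample primes, p = 3 mod 4
        q = norm_form(example2_basis(), 1, p)
        print(p, [[str(c) for c in row] for row in q], gram_det(q))
```

All coefficients come out integral, which is what makes the form a quadratic form over $\mathbb{Z}$, and the Gram determinant $p^2$ is consistent with $O$ being maximal.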

2.3 The Bruhat–Tits Tree for $\mathrm{PGL}_2(\mathbb{Q}_\ell)$

There are several ways to define the Bruhat–Tits tree associated to $\mathrm{PGL}_2(\mathbb{Q}_\ell)$. Its vertices can be described as:

• classes of homothetic $\mathbb{Z}_\ell$-lattices in $\mathbb{Q}_\ell^2$,
• classes of equivalent norms on these lattices,
• classes of matrices in $\mathrm{PGL}_2(\mathbb{Q}_\ell)/\mathrm{PGL}_2(\mathbb{Z}_\ell)$, or
• maximal orders in the quaternion algebra $M_2(\mathbb{Q}_\ell)$.

For more details on each case see [29, Chapter 2]. We will give the definition of the Bruhat–Tits tree as a graph whose vertices are homothety classes of lattices, but we will still use the other interpretations in order to get an explicit description that we can work with.

We consider lattices in $\mathbb{Q}_\ell^2$. Two lattices $M, M' \subseteq \mathbb{Q}_\ell^2$ are said to be homothetic if there exists $\lambda \in \mathbb{Q}_\ell^\times$ such that $M' = \lambda M$. The homothety class of $M$ will be denoted by $\{M\}$. Given two homothety classes $\{M\}$ and $\{M'\}$ one can always choose their representatives such that, for some $n \in \mathbb{N}$, we have that $\ell^n M \subseteq M' \subseteq M$. For example, if $M = \langle m_1, m_2 \rangle$, then we can take $M' = \langle m_1, \ell^n m_2 \rangle$ [38, Chapter 2, Section 1.1]. Two homothety classes $\{M\}$ and $\{M'\}$ are said to be adjacent if their representatives can be chosen so that $\ell M \subsetneq M' \subsetneq M$. Note that this is equivalent to $M'$ having index $\ell$ in $M$.

Definition 2 (Bruhat–Tits Tree) The Bruhat–Tits tree associated to $\mathrm{PGL}_2(\mathbb{Q}_\ell)$ is the infinite tree $\mathcal{T}_\ell$ with set of vertices $\mathrm{Ver}(\mathcal{T}_\ell)$ given by the set of homothety classes of lattices of $\mathbb{Q}_\ell^2$, and whose set of edges $\mathrm{Ed}(\mathcal{T}_\ell)$ is the set of pairs of adjacent homothety classes.

The graph $\mathcal{T}_\ell$ is a $(\ell + 1)$-regular tree [38, Chapter II]. The group $\mathrm{PGL}_2(\mathbb{Q}_\ell)$ acts on $\mathrm{Ver}(\mathcal{T}_\ell)$ by matrix multiplication: if $M = \langle m_1, m_2 \rangle \subseteq \mathbb{Q}_\ell^2$ and $\gamma \in \mathrm{GL}_2(\mathbb{Q}_\ell)$ then $\gamma \cdot M := \langle \gamma m_1, \gamma m_2 \rangle$, and the induced action of $\mathrm{PGL}_2(\mathbb{Q}_\ell)$ on the classes of lattices is then well-defined. The action $\mathrm{PGL}_2(\mathbb{Q}_\ell) \times \mathrm{Ver}(\mathcal{T}_\ell) \to \mathrm{Ver}(\mathcal{T}_\ell)$, $(\gamma, v) \mapsto \gamma \cdot v$ induces a homeomorphism $\mathrm{PGL}_2(\mathbb{Q}_\ell)/\mathrm{PGL}_2(\mathbb{Z}_\ell) \simeq \mathcal{T}_\ell$, where $\mathrm{PGL}_2(\mathbb{Q}_\ell)$ is taken with its natural topology. This bijection gives a way to represent each vertex by a class of matrices: if $v = \{M\}$, then the vertex $v$ can be also represented by the class $\{\alpha_M\} \in \mathrm{PGL}_2(\mathbb{Q}_\ell)/\mathrm{PGL}_2(\mathbb{Z}_\ell)$ such that $\alpha_M$ is the matrix whose columns form a basis of the lattice $M$. In the same way edges from any vertex can be labelled by the $\ell + 1$ two-by-two integer matrices of the form

$$\begin{pmatrix} 1 & 0 \\ i & \ell \end{pmatrix}, \text{ where } i = 0, \dots, \ell - 1, \quad \text{or} \quad \begin{pmatrix} \ell & 0 \\ 0 & 1 \end{pmatrix}; \tag{2}$$

we refer to these as ‘directions’ $0, \dots, \ell - 1$ and $\infty$ respectively. Notice that each edge has two different labels, depending on which of the two vertices one chooses as the origin.

If we fix a distinguished vertex as the root of the tree, we can describe the Bruhat–Tits tree $\mathcal{T}_\ell$ more explicitly. Let $v^{(0)} = \{\alpha^{(0)}\}$ denote the vertex of $\mathcal{T}_\ell$ whose representative is the matrix $\alpha^{(0)} := \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$. We will define below the vertices of $\mathcal{T}_\ell$ ‘level by level’: for $k \geq 0$, we say that a vertex $v$ is at level $k$ if the distance between $v$ and the chosen root is equal to $k$. There is a unique vertex at level 0, the root of the tree (Fig. 4).

– Level 1: for every $i_1 \in \{0, 1, \dots, \ell - 1, \infty\}$, let $v^{(1)}_{i_1} = \{\alpha^{(1)}_{i_1}\}$ denote the vertex represented by the matrix

$$\alpha^{(1)}_{i_1} := \begin{cases} \begin{pmatrix} 1 & 0 \\ i_1 & \ell \end{pmatrix}, & \text{if } i_1 \neq \infty, \\[6pt] \begin{pmatrix} \ell & 0 \\ 0 & 1 \end{pmatrix}, & \text{if } i_1 = \infty. \end{cases}$$

These matrices define $\ell + 1$ different vertices $v^{(1)}_0, \dots, v^{(1)}_{\ell-1}, v^{(1)}_\infty$ adjacent to $v^{(0)}$.

Fig. 4 The Bruhat–Tits tree $\mathcal{T}_\ell$ for $\ell = 3$

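– Level 2: for every vertex $v^{(1)}_{i_1}$ at level 1, we define $\ell$ new adjacent vertices $v^{(2)}_{i_1,i_2}$, with $i_2 \in \{0, 1, \dots, \ell - 1\}$, represented by the matrices

$$\alpha^{(2)}_{i_1,i_2} := \begin{cases} \begin{pmatrix} 1 & 0 \\ i_1 + i_2 \ell & \ell^2 \end{pmatrix}, & \text{if } i_1 \neq \infty, \\[6pt] \begin{pmatrix} \ell^2 & i_2 \ell \\ 0 & 1 \end{pmatrix}, & \text{if } i_1 = \infty. \end{cases}$$

– Level $k$: we denote a generic vertex at distance $k$ from $v^{(0)}$ by $v^{(k)}_{i_1,\dots,i_k}$, where $i_1 \in \{0, 1, \dots, \ell - 1, \infty\}$, and $i_j \in \{0, 1, \dots, \ell - 1\}$ for $j = 2, \dots, k$. Note that the vertex $v^{(k)}_{i_1,\dots,i_k}$ at level $k$ is connected to the vertex $v^{(k-1)}_{i_1,\dots,i_{k-1}}$ at level $k - 1$. We have $v^{(k)}_{i_1,\dots,i_k} = \{\alpha^{(k)}_{i_1,\dots,i_k}\}$, where

$$\alpha^{(k)}_{i_1,\dots,i_k} := \begin{cases} \begin{pmatrix} 1 & 0 \\ \sum_{j=1}^{k} i_j \ell^{j-1} & \ell^k \end{pmatrix}, & \text{if } i_1 \neq \infty, \\[6pt] \begin{pmatrix} \ell^k & \sum_{j=2}^{k} i_j \ell^{j-1} \\ 0 & 1 \end{pmatrix}, & \text{if } i_1 = \infty. \end{cases} \tag{3}$$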


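Given the description of $\mathcal{T}_\ell$, it is easy to see that there are $(\ell + 1)\ell^{k-1}$ vertices at level $k$. Moreover, we have the following ascending chain of subtrees of $\mathcal{T}_\ell$. For every $k \geq 0$, let $\mathcal{T}_\ell^{(k)}$ denote the subtree of $\mathcal{T}_\ell$ with set of vertices

$$\mathrm{Ver}(\mathcal{T}_\ell^{(k)}) = \{v = \{\alpha\} : \det(\alpha) = \ell^i \text{ for } i \leq k\}.$$

We call $\mathcal{T}_\ell^{(k)}$ the truncated tree at level $k$. Then we have $\mathrm{Ver}(\mathcal{T}_\ell^{(0)}) = \{v^{(0)}\}$, $\mathrm{Ver}(\mathcal{T}_\ell^{(k)}) \subseteq \mathrm{Ver}(\mathcal{T}_\ell^{(k+1)})$ for every $k \geq 0$, and

$$\mathcal{T}_\ell = \bigcup_{k \geq 0} \mathcal{T}_\ell^{(k)}.$$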
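Formula (3) and the level-by-level description can be checked mechanically. The Python code below is an added example, not the authors' code; the function names are chosen here. It builds the matrices of (3), computes the tree distance between two lattice classes from their basis matrices, and lists neighbours inside a truncated tree.

```python
from functools import reduce
from math import gcd

INF = "inf"   # stands for the direction written as the infinity symbol in (2)

def alpha(label, ell):
    """Matrix of formula (3) for label (i1,...,ik); the empty label is the root.
    Rows are returned; the columns are a basis of the lattice."""
    k = len(label)
    if k == 0:
        return ((1, 0), (0, 1))
    if label[0] == INF:
        s = sum(i * ell**j for j, i in enumerate(label[1:], start=1))
        return ((ell**k, s), (0, 1))
    s = sum(i * ell**j for j, i in enumerate(label))
    return ((1, 0), (s, ell**k))

def labels(ell, k):
    """All labels of level k: i1 in {0..ell-1, INF}, later entries in {0..ell-1}."""
    if k == 0:
        return [()]
    out = [(f,) for f in list(range(ell)) + [INF]]
    for _ in range(k - 1):
        out = [lab + (i,) for lab in out for i in range(ell)]
    return out

def truncated(ell, k):
    """Labels of all vertices of the truncated tree at level k."""
    return [lab for level in range(k + 1) for lab in labels(ell, level)]

def valuation(n, ell):
    v = 0
    while n % ell == 0:
        n //= ell
        v += 1
    return v

def distance(m1, m2, ell):
    """Tree distance between the homothety classes of the lattices spanned by the
    columns of m1 and m2. Assumes both determinants are powers of ell up to sign,
    which holds for every matrix produced by alpha()."""
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    # adj(m1) * m2: the basis of lattice 2 written in the basis of lattice 1,
    # up to the scalar det(m1), which does not change the homothety class.
    x = (d*e - b*g, d*f - b*h, -c*e + a*g, -c*f + a*h)
    content = reduce(gcd, x)
    x = [t // content for t in x]          # primitive integral representative
    return valuation(abs(x[0]*x[3] - x[1]*x[2]), ell)

def neighbours(label, ell, kmax):
    """Labels in the truncated tree at level kmax adjacent to the given vertex."""
    m = alpha(label, ell)
    return [lab for lab in truncated(ell, kmax)
            if distance(m, alpha(lab, ell), ell) == 1]

def parent(label):
    """One step towards the root: drop the last direction."""
    return label[:-1]

if __name__ == "__main__":
    ell = 3
    for k in range(1, 4):
        print("level", k, "has", len(labels(ell, k)), "vertices")
    print(neighbours((INF, 1), ell, 3))
```

Two vertices are adjacent exactly when the primitive change-of-basis matrix between their lattices has determinant $\ell$, which is the index condition stated before Definition 2.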

3 The Graph of the Bad Reduction of Shimura Curves

Shimura curves are compact Riemann surfaces defined using quaternion algebras that can be regarded as algebraic curves. They generalise modular curves: modular curves are constructed using congruence subgroups of the matrix algebra $M_2(\mathbb{Q})$, while Shimura curves are constructed using subgroups of any given quaternion algebra different from $M_2(\mathbb{Q})$. There is a close connection between graphs of bad reductions of Shimura curves and supersingular isogeny graphs, which we will explore in more detail in Sect. 4.3.

Graphs of bad reductions of Shimura curves can be computed as quotients of the Bruhat–Tits tree. Let $D > 1$ be an integer and let $\ell$ be a prime such that $\ell \nmid D$. After defining a group that we will denote by $\Gamma_{\ell,+}$, and which depends on $\ell$ and on the definite quaternion algebra ramified at primes dividing $D$ and at $\infty$, we will show how to compute the quotient graph of the Bruhat–Tits tree $\Gamma_{\ell,+} \backslash \mathcal{T}_\ell$. In Sect. 4.3 we will show that this graph is a double covering of the supersingular isogeny graph $G_\ell$.

In order to properly define the group $\Gamma_{\ell,+}$, we need to introduce the theory of Shimura curves to the reader, both over $\mathbb{Q}$ and over $\mathbb{Q}_\ell$. We stress that this theory is very technical, with tools from different areas (such as schemes, uniformisation of algebraic curves, or rigid analytic geometry). Definitions are usually complicated for a first-time approach, so we will try to explain the theory in a simplified way, prioritising helping the reader gain intuition and keeping the analogy with the complex case.³

Here is the outline of this section: in Sect. 3.1 we define Shimura curves over $\mathbb{Q}$. In Sect. 3.2 we introduce the $\ell$-adic upper half plane and in Sect. 3.3 we define Shimura curves over $\mathbb{Q}_\ell$. Finally in Sect. 3.4 we are ready to compute the graph we are interested in: $\Gamma_{\ell,+} \backslash \mathcal{T}_\ell$.

³ See [29, 5] for a more rigorous introduction.

3.1 Shimura Curves from Indefinite Quaternion Algebras

Let $H$ be an indefinite quaternion algebra over $\mathbb{Q}$ of discriminant $D_H > 1$ and let $O \subseteq H$ be a maximal order (which, since $H$ is indefinite and over $\mathbb{Q}$, is unique up to isomorphism). Since $H$ is indefinite, we have a canonical embedding  : $H \to M_2(\mathbb{R})$ of $H$ into the algebra of the $2 \times 2$ matrices with coefficients in $\mathbb{R}$. Let $O^\times := \{\alpha \in O \mid \mathrm{nrd}(\alpha) = \pm 1\}$ denote the unit group of $O$. In order to look at this group as a matrix group, we consider its image under  and we define: $\Gamma_+ :=$  $(O^\times)/\{\pm 1\} \subseteq \mathrm{PSL}_2(\mathbb{R})$. The group $\Gamma_+$ is a discrete subgroup of $\mathrm{PSL}_2(\mathbb{R})$, so one can consider its action on the complex upper half-plane $\mathcal{H} := \{z \in \mathbb{C} : \mathrm{Im}(z) > 0\}$,

$$\Gamma_+ \times \mathcal{H} \to \mathcal{H}, \qquad \left( \begin{pmatrix} a & b \\ c & d \end{pmatrix}, z \right) \mapsto \frac{az + b}{cz + d},$$

which is well-defined. The quotient $\Gamma_+ \backslash \mathcal{H}$ is a Riemann surface that is compact if $D_H > 1$. The case $D_H = 1$ gives a non-compact quotient which, after compactifying, can be regarded as an algebraic curve known as a modular curve. In this case, the algebra $H$ is just the matrix algebra $M_2(\mathbb{Q})$ and $\Gamma_+$ is the modular group $\mathrm{PSL}_2(\mathbb{Z})$. For a positive integer $N$, let $\Gamma_0(N)$ denote the subgroup in $\mathrm{SL}_2(\mathbb{Z})$ of all matrices that reduce modulo $N$ to an upper triangular matrix. It is well known (check for example [40] for more details) that there exists a smooth projective curve $X_0(N)$ defined over $\mathbb{Q}$ and a complex analytic isomorphism $j_{N,0} : \Gamma_0(N) \backslash \mathcal{H} \to X_0(N)(\mathbb{C})$ such that the elliptic curve $E_\tau$ associated to an element $\tau \in \Gamma_0(N) \backslash \mathcal{H}$ is defined over $K = \mathbb{Q}(j_{N,0}(\tau))$.

Remark 1 The notion of a modular curve of a given level also has its counterpart in the theory of Shimura curves: an Eichler order of a given level. An Eichler order is the intersection of two maximal orders, and its level is the index in either of the maximal orders. A maximal order is an Eichler order of level 1; for the sake of simplicity we will present the theory with maximal orders only.

When $D_H > 1$, Shimura [39] proved that there exists an algebraic curve $X(D_H)$ defined over $\mathbb{Q}$ and an isomorphism

$$J : \Gamma_+ \backslash \mathcal{H} \to X(D_H)(\mathbb{C}) \tag{4}$$

characterised by certain arithmetic properties related to complex multiplication theory. The curve $X(D_H)$ is known as the (canonical model of the) Shimura curve of discriminant $D_H$ (and level $N = 1$). The isomorphism $J$ is called the complex or $\infty$-adic uniformisation of $X(D_H)$.

Since $X(D_H)$ is an algebraic curve over $\mathbb{Q}$, it makes sense to consider its reductions modulo a prime. For a prime $\ell \nmid D_H$, the reduction $X(D_H)_{\mathbb{F}_\ell}$ is smooth [30]. A prime $\ell$ such that $\ell \mid D_H$ is called a prime of bad reduction; the reduction of a Shimura curve at a bad prime $X(D_H)_{\mathbb{F}_\ell}$ has totally degenerate semistable bad reduction: it is connected and isomorphic to several copies of projective lines $\mathbb{P}^1$, and its only singularities are ordinary double points [27, Sect. 3]. In this case, we will call $X(D_H)_{\mathbb{F}_\ell}$ the special fibre or bad reduction at $\ell$ of the Shimura curve $X(D_H)$. This special fibre can be interpreted as a graph in the following way (see [27] for more details).

Definition 3 (Graph of the Special Fibre) Let $D > 1$ be an integer and $\ell$ be a prime such that $\ell \mid D$. The graph $G$ of the special fibre at $\ell$ of $X(D)$ is defined as follows. The vertices of $G$ correspond to the irreducible components of $X(D)_{\mathbb{F}_\ell}$ over $\mathbb{F}_\ell$, which are isomorphic to the projective line $\mathbb{P}^1_{\mathbb{F}_\ell}$ over $\mathbb{F}_\ell$. The edges of $G$ correspond to double points, i.e. two vertices of $G$ are connected by an edge if the corresponding irreducible components intersect.

In order to compute these graphs explicitly, we need to go to the $\ell$-adic side of the theory of Shimura curves.

3.2 The $\ell$-Adic Upper Half-Plane

We start by briefly introducing the $\ell$-adic upper half-plane,⁴ an $\ell$-adic analogue to the complex upper half-plane, which is the starting point of the construction of $\ell$-adic Shimura curves. Let $\mathbb{Q}_\ell$ denote the field of $\ell$-adic numbers and $\mathbb{C}_\ell$ the completion of a fixed algebraic closure $\overline{\mathbb{Q}}_\ell$ of $\mathbb{Q}_\ell$. Let $\mathbb{P}^1_{\mathbb{Q}_\ell}$ denote the algebraic projective line over $\mathbb{Q}_\ell$. The $\ell$-adic upper half-plane is a $\ell$-adic rigid analytic variety $\mathcal{H}_\ell$ over $\mathbb{Q}_\ell$ whose set of $L$-points, for every field extension $\mathbb{Q}_\ell \subseteq L \subseteq \mathbb{C}_\ell$, is

$$\mathcal{H}_\ell(L) := \mathbb{P}^1_{\mathbb{Q}_\ell}(L) - \mathbb{P}^1_{\mathbb{Q}_\ell}(\mathbb{Q}_\ell),$$

that is, removing the $\mathbb{Q}_\ell$-points. One important property of the $\ell$-adic upper half-plane is that it has a good “reduction” map that takes $\mathcal{H}_\ell$ to the Bruhat–Tits tree $\mathcal{T}_\ell$.

Proposition ([29], Thm. 2.2.31) For every field extension $\mathbb{Q}_\ell \subseteq L \subseteq \mathbb{C}_\ell$, there is a map $\mathrm{Red} : \mathcal{H}_\ell(L) \to \mathcal{T}_\ell$ satisfying the following property: it is equivariant with respect to the action of $\mathrm{PGL}_2(\mathbb{Q}_\ell)$, that is, for every $z \in \mathcal{H}_\ell(L)$ and every $\gamma \in \mathrm{PGL}_2(\mathbb{Q}_\ell)$, we have that $\mathrm{Red}(\gamma \cdot z) = \gamma \cdot \mathrm{Red}(z)$.

By taking the direct limit of this construction, we obtain the tree $\mathcal{T}_\ell$ as the graph of the reduction mod $\ell$ of $\mathcal{H}_\ell$. We can think of the Bruhat–Tits tree as the skeleton of the $\ell$-adic upper half plane via this reduction map. This reduction map will be useful to describe the special fibres of a Shimura curve.

⁴ We are using the prime $\ell$ to be consistent with the isogeny graphs to which we want to connect this theory. In the Shimura curves literature, $p$ is widely used as the chosen prime, so $p$-adic upper half-plane is more standard.

3.3 $\ell$-Adic Shimura Curves

Let $H$ denote an indefinite quaternion algebra over $\mathbb{Q}$ of discriminant $D_H = D\ell$, with $D > 1$ and $\ell \nmid D$. To highlight the importance of the prime $\ell$ in what follows, we will write $D\ell$ instead of $D_H$. We consider as before the embedding  : $H \to M_2(\mathbb{R})$. We are interested in the $\ell$-adic analogue $\Gamma_{+,\ell}$ of the group $\Gamma_+$ defined in Sect. 3.1. We will first define an intermediate group $\Gamma_\ell$.

The group $\Gamma_\ell$ is defined, following Čerednik [9, Theorem 2.1], by interchanging the prime $\ell$ for $\infty$ in the quaternion algebra $H$. That is, instead of the indefinite quaternion algebra $H$, we consider the definite quaternion algebra $B = B_{D,\infty}$ of discriminant $D$ and ramified at $\infty$. Let $O_B \subseteq B$ be a maximal order in $B$ and define the localised order $O_B[1/\ell] := O_B \otimes_{\mathbb{Z}} \mathbb{Z}[1/\ell]$ over $\mathbb{Z}[1/\ell]$. Like in the complex case, there exists an $\ell$-adic matrix immersion  : $B \to M_2(\mathbb{Q}_\ell)$. The unit group in $O_B[1/\ell]$ is formed by the elements in $O_B[1/\ell]$ whose reduced norm is a unit in $\mathbb{Z}[1/\ell]$:

$$O_B[1/\ell]^\times := \{\alpha \in O_B[1/\ell] : \mathrm{nrd}(\alpha) \in \mathbb{Z}[1/\ell]^\times\} = \{\alpha \in O_B[1/\ell] : \mathrm{nrd}(\alpha) = \ell^k,\ k \in \mathbb{Z}\}.$$

We define the (discrete cocompact) subgroup $\Gamma_\ell$ of $\mathrm{PGL}_2(\mathbb{Q}_\ell)$ as $\Gamma_\ell :=$  $(O_B[1/\ell]^\times)/\mathbb{Z}[1/\ell]^\times$.

Remark 2 The maximal $\mathbb{Z}$-order $O_B$ might not be unique up to conjugation, as the quaternion algebra $B$ is definite. Nevertheless, the $\mathbb{Z}[1/\ell]$-order $O_B[1/\ell]$ is unique up to conjugation, as it satisfies Eichler’s condition [42, Corollaire 5.7].

In [18], Drinfel’d constructed an $\ell$-adic analogue of the isomorphism (4) called Drinfel’d integral model of the Shimura curve $X(D\ell)$, extending the modular interpretation of $X(D\ell)(\mathbb{C})$ over $\mathbb{Q}_\ell$. Jordan and Livné [24] give an important consequence of Čerednik and Drinfel’d’s results that we will use.

We finally have all the ingredients to define the group $\Gamma_{\ell,+} \subset \mathrm{PGL}_2(\mathbb{Q}_\ell)$ mentioned in the beginning of Sect. 3. We define it as the subgroup of $\Gamma_\ell$ whose elements have as reduced norm an even power of $\ell$. More precisely: $\Gamma_{\ell,+} :=$  $(\{\alpha \in O_B[1/\ell]^\times \mid \mathrm{nrd}(\alpha) = \ell^{2n}, \text{ for } n \in \mathbb{Z}\})/\mathbb{Z}[1/\ell]^\times \subseteq \Gamma_\ell$.

Our interest in this group comes from Drinfel’d’s theorem, which gives a bijection between the following sets of $\mathbb{Q}_{\ell^2}$-points:

$$\Gamma_{\ell,+} \backslash \mathcal{H}_\ell(\mathbb{Q}_{\ell^2}) \simeq X(D\ell)(\mathbb{Q}_{\ell^2}),$$

where $\mathbb{Q}_{\ell^2}$ denotes the quadratic unramified extension of $\mathbb{Q}_\ell$ contained in $\mathbb{C}_\ell$. Moreover, this theorem states that the graph of the special fibre $X(D\ell)_{\mathbb{F}_\ell}$ is the graph $\Gamma_{\ell,+} \backslash \mathcal{T}_\ell$. We will see in Sect. 4.3 that the graph $\Gamma_{\ell,+} \backslash \mathcal{T}_\ell$ is a 2-covering of the supersingular $\ell$-isogeny graph $G_\ell$.

3.4 Computing the Graph of the Special Fibre of a Shimura Curve

In this section we see how to compute the graph $G$ of the special fibre at $\ell$ of the Shimura curve $X(D\ell)$ of discriminant $D\ell$, with $\ell \nmid D$, using its interpretation as the quotient $\Gamma_{\ell,+} \backslash \mathcal{T}_\ell$ of the Bruhat–Tits tree $\mathcal{T}_\ell$. In [20] the authors take a computational approach to this problem and provide an algorithm, which they implemented in Sage, to compute the graph $G$ for every quaternion algebra. It is also possible to construct the graph $G$ explicitly when the left-ideal class number of the quaternion algebra $B_{D,\infty}$ is 1, as was done in [1].

The code in [20] allows us to compute the graph of special fibres of Shimura curves, such as in Fig. 5. The result can be represented as a compact graph or as a fundamental domain inside $\mathcal{T}_\ell$ whose edges are labelled by representatives of the $2 \times 2$ matrices as described in Sect. 2.3. As we will see in Sect. 4.3, the graph $G$ is a double covering of the supersingular $\ell$-isogeny graph $G_\ell$.

Fig. 5 Graph of the special fibre at $\ell = 2$ of the Shimura curve $X(61 \cdot 2)$ (left) and fundamental domain of $X(61 \cdot 2)$ inside $\mathcal{T}_2$ (right), computed with the code provided in [20]. Vertices with the same colour correspond to (classes of) lattices with the same endomorphism ring, see also Sect. 4.4

4 Different Views on Supersingular Isogeny Graphs

In this section, we explain how the three viewpoints met in the previous sections, supersingular isogeny graphs, quaternion ideal graphs, and (quotients of) Bruhat–Tits trees, are interrelated. In Sect. 4.1 we recap Deuring’s correspondence, which shows the relationship between the supersingular $\ell$-isogeny graph $G_\ell$ and the quaternion $\ell$-ideal graph. In Sect. 4.2 we show how to explicitly identify vertices and edges of the Bruhat–Tits tree $\mathcal{T}_\ell$ with supersingular elliptic curves and isogenies, via $\ell$-adic Tate modules. This allows us to think of the Bruhat–Tits tree as an “unfolding” of the supersingular isogeny graph. In Sect. 4.3 we recap Ribet’s correspondence, which shows that the quotient of the tree of Sect. 4.2 by the group $\Gamma_{+,\ell}$ of Sect. 3.3 gives a graph that is a double cover of the supersingular isogeny graph $G_\ell$. Finally, in Sect. 4.4 we explain how to relate the vertices of the Bruhat–Tits tree $\mathcal{T}_\ell$ to maximal orders in the quaternion algebra $B_{p,\infty}$.

4.1 Supersingular Elliptic Curves and Endomorphism Rings: Deuring’s Correspondence

In this subsection, we briefly recall Deuring’s correspondence [17] between supersingular elliptic curves defined over $\overline{\mathbb{F}}_p$ and maximal orders in $B_{p,\infty}$, which translates $\ell$-isogenies into left-ideals of reduced norm $\ell$. This correspondence establishes a natural connection between supersingular isogeny graphs and quaternionic ideal graphs.

Let $E/\overline{\mathbb{F}}_p$ be a supersingular elliptic curve. Then $\mathrm{End}(E) \otimes \mathbb{Q} \cong B_{p,\infty}$, where $B_{p,\infty}$ is the definite quaternion algebra over $\mathbb{Q}$ of discriminant $p$, and $\mathrm{End}(E)$ is isomorphic to a maximal order $O$ in $B_{p,\infty}$. To any left ideal $I \subseteq O$ we associate the subgroup $E[I]$ of $E(\overline{\mathbb{F}}_p)$, where

$$E[I] = \bigcap_{\alpha \in I} \ker(\alpha).$$

This subgroup is necessarily finite, and if $p \nmid \mathrm{nrd}(I)$ we have $\mathrm{nrd}(I) = \#E[I]$. We can consider the associated isogeny $\varphi_I : E \to E/E[I]$ with kernel $E[I]$. Then $\varphi_I$ is an isogeny of degree $\deg(\varphi_I) = \mathrm{nrd}(I)$ and the right order $O_r(I)$ of $I$ can be identified with $\mathrm{End}(E/E[I])$. Conversely, any isogeny $\varphi : E \to E'$ is of the form $\varphi = \rho \circ \varphi_I$ for some left ideal $I \subseteq O$ and some isomorphism $\rho : E/E[I] \to E'$ [43, Cor. 42.2.21]. Moreover, we have $E/E[I] \cong E/E[J]$ if and only if $I$ and $J$ are in the same left-ideal class of $O$, that is, if $I = J\beta$ for some $\beta \in B_{p,\infty}^\times$. Therefore, starting from $E$, we can enumerate all the isomorphism classes of supersingular elliptic curves isogenous to $E$ by taking isogenies $\varphi_I$ for $[I]$ running over the left-ideal classes of $O$. Moreover, left ideals of reduced norm $\ell$ give isogenies of norm $\ell$.

Note that there is no bijection between isomorphism classes of supersingular elliptic curves and isomorphism classes (or conjugacy classes, or types) of maximal orders in $B_{p,\infty}$: elliptic curves with conjugate supersingular $j$-invariants $j$ and $j^p$ will have endomorphism rings which are isomorphic as rings.

Example 3 Let $p \equiv 3 \pmod 4$ and let $E : y^2 = x^3 + x$ be the supersingular elliptic curve defined over $\mathbb{F}_p$ with $j(E) = 1728$. If we identify $i$ with the endomorphism $\varphi : (x, y) \mapsto (-x, \sqrt{-1}\, y)$, $j$ with the endomorphism $\pi : (x, y) \mapsto (x^p, y^p)$, and set $k := ij$, then

$$\mathrm{End}(E) = \mathbb{Z} \oplus i\,\mathbb{Z} \oplus \frac{i+j}{2}\,\mathbb{Z} \oplus \frac{1+k}{2}\,\mathbb{Z},$$

which is the maximal order in $B_{p,\infty}$ that we met already in Example 1.

4.2 The Bruhat–Tits Tree, an Unfolding of the Supersingular Isogeny Graph

There is a correspondence between vertices of the supersingular $\ell$-isogeny graph $G_\ell$ and the Bruhat–Tits tree $\mathcal{T}_\ell$. This can be described explicitly once a specific elliptic curve $E$ in $G_\ell$ (or better its Tate module) has been identified with the root $\langle (1, 0), (0, 1) \rangle$ of $\mathcal{T}_\ell$. Through this correspondence we can interpret non-backtracking paths starting from $E$ in $G_\ell$ as paths from the chosen root of $\mathcal{T}_\ell$ in the infinite tree $\mathcal{T}_\ell$ that increase the distance from the root at every step. We call this a “level-increasing” path on $\mathcal{T}_\ell$. The Bruhat–Tits tree $\mathcal{T}_\ell$ can then be seen as an “unfolding” of the supersingular isogeny graph $G_\ell$, which may help in studying walks in $G_\ell$, an idea we return to in Sect. 5.

4.2.1 The Tate Module

For any elliptic curve $E$, there is a natural choice of a $\mathbb{Z}_\ell$-lattice: the Tate module $T_\ell(E)$. Let $E/\overline{\mathbb{F}}_p$ be an elliptic curve and let $\ell \neq p$ be a prime. We have that $E[\ell^n] \cong \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z}$ as abelian groups and we have connecting maps $[\ell] : E[\ell^{n+1}] \to E[\ell^n]$, $P \mapsto \ell P$. The Tate module is defined to be the inverse limit of $E[\ell^n]$ with respect to the connecting maps:

$$T_\ell(E) = \varprojlim E[\ell^n].$$

Because of the structure of $E[\ell^n]$, there exists an isomorphism $T_\ell(E) \cong \mathbb{Z}_\ell \times \mathbb{Z}_\ell$ as $\mathbb{Z}_\ell$-modules. Therefore, any $T_\ell(E)$ admits a basis $\{(P_n)_{n=1}^\infty, (Q_n)_{n=1}^\infty\}$ where $\{P_n, Q_n\}_{n=1}^\infty$ is a system of compatible bases of $E[\ell^n]$: for all $n \geq 1$ we have that $\{P_n, Q_n\}$ is a basis of $E[\ell^n]$ and $\ell P_{n+1} = P_n$, $\ell Q_{n+1} = Q_n$. The connecting maps commute with isogenies: for any $n$ and for any isogeny $\varphi : E \to E'$, we have $\varphi(E[\ell^n]) \subseteq E'[\ell^n]$. By taking inverse limits, we obtain a map on the Tate modules $\varphi : T_\ell(E) \to T_\ell(E')$.

Now we turn to endomorphisms. By [40, Chap. III Thm 3.4] we have that $\mathrm{End}(E) \to \mathrm{End}(T_\ell(E))$. Moreover, both $\mathrm{End}(E)$ and $T_\ell(E)$ come with a Galois action. For a supersingular elliptic curve $E$ over $\overline{\mathbb{F}}_p$, we know that $j(E) \in \mathbb{F}_{p^2}$ and hence $E$ can be defined over $\mathbb{F}_{p^2}$. Moreover, we can assume that $\mathrm{tr}(\pi) = \pm 2p$ (remember we assume $p > 3$). Possibly replacing $E$ by its quadratic twist, we can therefore assume that $\mathrm{tr}(\pi) = -2p$. In this case, the Frobenius endomorphism acts like the scalar $[-p]$ and so all endomorphisms of $E$ and $T_\ell(E)$ are necessarily Galois equivariant, that is, commute with the Frobenius endomorphism. This allows us to specialise Tate’s theorem (as stated in [40, Chap. III Thm 3.7]):

$$\mathrm{End}(E) \otimes_{\mathbb{Z}} \mathbb{Z}_\ell \cong \mathrm{End}(T_\ell(E)).$$

Recall that the endomorphism ring of any $\mathbb{Z}_\ell$-lattice of rank 2 is a maximal order in the local quaternion algebra $M_2(\mathbb{Q}_\ell)$ and, as such, it is conjugate to $M_2(\mathbb{Z}_\ell)$. In other words, any lattice of rank 2 in $\mathbb{Q}_\ell^2$ admits a basis in which its endomorphism ring is $M_2(\mathbb{Z}_\ell)$.

In conclusion, by choosing a basis of the Tate module $T_\ell(E)$, we can identify the elliptic curve $E$ with the vertex $\langle (1, 0), (0, 1) \rangle$ in the Bruhat–Tits tree. Moreover, this lattice retains arithmetic information about $E$, since $\mathrm{End}(E) \otimes_{\mathbb{Z}} \mathbb{Z}_\ell \cong \mathrm{End}(T_\ell(E))$. We will see in the next two subsections that any other vertex of the Bruhat–Tits tree built from $T_\ell(E)$ can also be interpreted as an elliptic curve.

4.2.2 Translating Vertices of Bruhat–Tits Trees into Sublattices of the Tate Module

The Tate module $T_\ell(E)$ is a $\mathbb{Z}_\ell$-lattice of rank 2, so its endomorphism ring is a maximal order in $M_2(\mathbb{Q}_\ell)$, thus is conjugate to $M_2(\mathbb{Z}_\ell)$. In particular, by choosing a basis of $T_\ell(E)$, we can identify $T_\ell(E)$ with the lattice $\langle (1, 0), (0, 1) \rangle = \mathbb{Z}_\ell \times \mathbb{Z}_\ell$ and then $\mathrm{End}(T_\ell(E)) = M_2(\mathbb{Z}_\ell)$. This is the same as identifying $T_\ell(E)$ with the vertex of the Bruhat–Tits tree given by the matrix $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$.

Starting from the root vertex, we can build the rest of the Bruhat–Tits tree by identifying each vertex at level $k$ with a cyclic sublattice of index $\ell^k$ in $T_\ell(E)$. If $\{(P_n)_{n=1}^\infty, (Q_n)_{n=1}^\infty\}$ is a given basis of $T_\ell(E)$, we can use the description of vertices of the Bruhat–Tits tree in terms of matrices (given in Sect. 2.3) for obtaining explicit bases for the corresponding sublattices. For instance, given $i_1 \in \{0, 1, \dots, \ell - 1, \infty\}$ and $i_j \in \{0, 1, \dots, \ell - 1\}$ for $j \geq 2$, we associate to the matrix $\alpha^{(k)}_{i_1,\dots,i_k}$ described in (3) the cyclic sublattice $L^{(k)}_{i_1,\dots,i_k} \subseteq T_\ell(E)$ of index $\ell^k$ with basis:

$$L^{(k)}_{i_1,\dots,i_k} : \begin{cases} \left\{ \left(P_n + \sum_{j=1}^{k} i_j \ell^{j-1} Q_n\right)_{n=1}^\infty,\ (\ell^k Q_n)_{n=1}^\infty \right\}, & \text{if } i_1 \neq \infty, \\[6pt] \left\{ (\ell^k P_n)_{n=1}^\infty,\ \left(\sum_{j=2}^{k} i_j \ell^{j-1} P_n + Q_n\right)_{n=1}^\infty \right\}, & \text{if } i_1 = \infty. \end{cases}$$

Remark 3 The Bruhat–Tits tree associated to the Tate module $T_\ell(E)$ can be also found, in a less explicit form, in De Feo’s Habilitation thesis [15, Sec I.4].

4.2.3 Translating Sublattices of the Tate Module into Subgroups of Elliptic Curves

Because $T_\ell(E)$ is the inverse limit of the torsion subgroups, there is a canonical map $T_\ell(E) \to E[\ell^k]$ for every $k \geq 1$. In particular this map sends a cyclic sublattice of index $\ell^k$ in $T_\ell(E)$ into a cyclic subgroup of order $\ell^k$ in $E[\ell^k]$. Hence the Bruhat–Tits tree coming from the Tate module can be translated into a tree where at each level $k$ we find all the cyclic subgroups of order $\ell^k$ of $E[\ell^k]$. More explicitly, if $O_E$ denotes the identity of $E$ and $\{(P_n)_{n=1}^\infty, (Q_n)_{n=1}^\infty\}$ is a basis of $T_\ell(E)$, we have:

• $v^{(0)} = \langle O_E \rangle$ is the root vertex.
• Each vertex at level $k$ corresponds to a cyclic subgroup of $E[\ell^k]$ of order $\ell^k$.
• A vertex $v^{(k)} = \langle R^{(k)} \rangle$ at level $k$ is connected to a vertex $v^{(k+1)} = \langle R^{(k+1)} \rangle$ at level $(k + 1)$ if and only if $\langle \ell R^{(k+1)} \rangle = \langle R^{(k)} \rangle$.
• For $i_1 \in \{0, 1, \dots, \ell - 1, \infty\}$ and $i_j \in \{0, 1, \dots, \ell - 1\}$ for $j \geq 2$, the corresponding vertex at level $k$ is $v^{(k)}_{i_1,\dots,i_k} = \langle R^{(k)}_{i_1,\dots,i_k} \rangle$, where

$$R^{(k)}_{i_1,\dots,i_k} := \begin{cases} P_k + \left(\sum_{j=1}^{k} i_j \ell^{j-1}\right) Q_k, & \text{if } i_1 \neq \infty, \\[4pt] \left(\sum_{j=2}^{k} i_j \ell^{j-1}\right) P_k + Q_k, & \text{if } i_1 = \infty. \end{cases}$$

Example 4 The $\ell + 1$ vertices at level 1, that is, adjacent to the root $v^{(0)}$, are $v^{(1)}_0, \dots, v^{(1)}_{\ell-1}, v^{(1)}_\infty$. For every $i_1 \in \{0, \dots, \ell - 1, \infty\}$, $v^{(1)}_{i_1} = \langle R^{(1)}_{i_1} \rangle$, where

$$R^{(1)}_{i_1} := \begin{cases} P_1 + i_1 Q_1, & \text{if } i_1 \neq \infty, \\ Q_1, & \text{if } i_1 = \infty. \end{cases}$$

Each one of these $\ell + 1$ vertices has $\ell$ adjacent vertices at level 2, and so on.

It is easy now to translate our vertices (i.e. subgroups) into elliptic curves. Indeed, for every $(i_1, \dots, i_k) \in \{0, \dots, \ell - 1, \infty\} \times \{0, \dots, \ell - 1\}^{k-1}$, if $G := \langle R^{(k)}_{i_1,\dots,i_k} \rangle$, then $E/G$ is isomorphic to an elliptic curve which is $\ell^k$-degree isogenous to $E$.

4.2.4 Non-backtracking Walks in $G_\ell$ as Level-Increasing Paths from the Root of $\mathcal{T}_\ell$

Starting from a supersingular elliptic curve $E$ we can perform a finite or infinite walk in the supersingular $\ell$-isogeny graph $G_\ell$. If the walk is finite of length $k$ and non-backtracking, the landing curve $E'$ is isomorphic to $E/G$ where $G$ is a subgroup of $E[\ell^k]$ of order $\ell^k$. As seen in Sect. 4.2.3, given a basis $\{P_k, Q_k\}$ of $E[\ell^k]$ there exists $(i_1, \dots, i_k) \in \{0, \dots, \ell - 1, \infty\} \times \{0, \dots, \ell - 1\}^{k-1}$ such that

$$G = \left\langle P_k + \left(\sum_{j=1}^{k} i_j \ell^{j-1}\right) Q_k \right\rangle \quad \text{or} \quad G = \left\langle \left(\sum_{j=2}^{k} i_j \ell^{j-1}\right) P_k + Q_k \right\rangle.$$

In the second case we set $i_1 = \infty$. This way we can label our walk in $G_\ell$ with the finite sequence $(i_1, i_2, \dots, i_k)$. Now, from $\{P_k, Q_k\}$ we can build a basis $\{(P_n)_{n=1}^\infty, (Q_n)_{n=1}^\infty\}$ of $T_\ell(E)$ such that $P_j = \ell^{k-j} P_k$, $Q_j = \ell^{k-j} Q_k$ for every $j = 1, \dots, k$, and we can consider the Bruhat–Tits tree $\mathcal{T}_\ell$ built with respect to this basis. Then we can interpret the non-backtracking walk $(i_1, i_2, \dots, i_k)$ in $G_\ell$ as the level-increasing walk from the root of $\mathcal{T}_\ell$ which takes the ‘direction’ $i_{n+1}$ at each level $n$. Of course this reasoning could be easily extended to infinite non-backtracking walks and in this case the label would be an infinite sequence $(i_1, i_2, \dots)$.

In conclusion the explicit description of the Bruhat–Tits tree offers a way of putting an orientation on a supersingular isogeny graph, once a supersingular curve is chosen together with a basis of its Tate module.
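The labelling of Sects. 4.2.3 and 4.2.4 can be made concrete without any curve arithmetic. The Python code below is an added example, not code from the paper: it models $E[\ell^k]$ as $(\mathbb{Z}/\ell^k\mathbb{Z})^2$ with $P_k = (1, 0)$ and $Q_k = (0, 1)$ (an assumption that keeps only the group structure), uses function names chosen here, and recovers the label $(i_1, \dots, i_k)$ from any generator of a cyclic subgroup of order $\ell^k$. For a kernel $\langle P_k + nQ_k \rangle$ the label is the base-$\ell$ expansion of $n$, least significant digit first.

```python
INF = "inf"   # stands for the direction written as the infinity symbol

def digits(n, ell, k):
    """Base-ell digits of n, least significant first, padded to length k."""
    out = []
    for _ in range(k):
        n, r = divmod(n, ell)
        out.append(r)
    return out

def label_of_generator(a, b, ell, k):
    """Label (i1,...,ik) of the subgroup generated by a*P_k + b*Q_k."""
    mod = ell**k
    a, b = a % mod, b % mod
    if a % ell != 0:                        # rescale the generator to P_k + n*Q_k
        n = b * pow(a, -1, mod) % mod
        return tuple(digits(n, ell, k))
    if b % ell == 0:
        raise ValueError("a*P + b*Q does not have order ell^k")
    s = a * pow(b, -1, mod) % mod           # rescale to s*P_k + Q_k, ell divides s
    return (INF,) + tuple(digits(s, ell, k)[1:])

def generator_of_label(label, ell):
    """Coordinates of R^{(k)}_{i1,...,ik} in the basis (P_k, Q_k)."""
    if label[0] == INF:
        return (sum(i * ell**j for j, i in enumerate(label[1:], start=1)), 1)
    return (1, sum(i * ell**j for j, i in enumerate(label)))

def subgroup(gen, ell, k):
    """Cyclic subgroup of (Z/ell^k)^2 generated by gen, as a set of points."""
    mod = ell**k
    return frozenset(((m * gen[0]) % mod, (m * gen[1]) % mod) for m in range(mod))

def walk_kernels(gen, ell, k):
    """Kernels seen after 1..k steps of the walk with kernel <gen>:
    the subgroups ell^(k-j) * <gen>, of order ell^j."""
    return [subgroup((ell**(k - j) * gen[0], ell**(k - j) * gen[1]), ell, k)
            for j in range(1, k + 1)]

def kernels_from_label(label, ell):
    """The same chain, rebuilt from the label alone: <R^{(j)}> for j = 1..k,
    with P_j = ell^(k-j) P_k and Q_j = ell^(k-j) Q_k."""
    k = len(label)
    out = []
    for j in range(1, k + 1):
        g = generator_of_label(label[:j], ell)
        out.append(subgroup((ell**(k - j) * g[0], ell**(k - j) * g[1]), ell, k))
    return out

def classify_all(ell, k):
    """Map every cyclic subgroup of order ell^k to its label, checking that all
    generators of one subgroup give the same label."""
    mod, table = ell**k, {}
    for a in range(mod):
        for b in range(mod):
            if a % ell == 0 and b % ell == 0:
                continue
            sub, lab = subgroup((a, b), ell, k), label_of_generator(a, b, ell, k)
            if table.setdefault(sub, lab) != lab:
                raise AssertionError("label depends on the generator")
    return table

if __name__ == "__main__":
    # Constructed toy parameters: ell = 2, k = 5, secret scalar n = 22.
    print(label_of_generator(1, 22, 2, 5))      # directions taken at levels 0..4
    print(len(classify_all(3, 2)))              # (ell + 1) * ell^(k-1) subgroups
```

Since the label is determined digit by digit, knowing the first $j$ directions of a walk from the root is the same as knowing the scalar modulo $\ell^j$.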


4.3 Bruhat–Tits Tree Quotients and Supersingular Isogeny Graphs: Ribet’s Correspondence

Fix a prime $p$ and let $E(p) = \{E_1, \dots, E_h\}$ be a system of representatives of isomorphism classes of supersingular elliptic curves over $\overline{\mathbb{F}}_p$. For $i, j \in \{1, \dots, h\}$ and $n \in \mathbb{N}$, let

$$I_{ij}(n, p) = \{\varphi \mid \varphi : E_i \to E_j \text{ is an isogeny with } \deg(\varphi) = n\}.$$

Recall that $\mathrm{End}(E_1)$ is isomorphic to a maximal order $O_1$ in $B_{p,\infty}$, the definite quaternion algebra over $\mathbb{Q}$ of discriminant $p$. Take a prime $\ell \neq p$ and define from the order $O_1[1/\ell]$ the group $\Gamma_{\ell,+} \subseteq \mathrm{PGL}_2(\mathbb{Q}_\ell)$ as in Sect. 3.3. As we have seen, when we quotient the Bruhat–Tits tree $\mathcal{T}_\ell$ by this group we obtain a graph $G := \Gamma_{\ell,+} \backslash \mathcal{T}_\ell$ which can be interpreted as the graph of the special fibre at $\ell$ of the Shimura curve $X(p\ell)$ coming from an indefinite quaternion algebra of discriminant $p\ell$. Ribet [36] showed that the graph $G$ is a double covering of the supersingular $\ell$-isogeny graph $G_\ell$. More precisely, Ribet [36, Prop. 4.4.] proves the following graph relation:

$$\mathrm{Ver}(G) = E(p) \sqcup E(p), \qquad \mathrm{Ed}(G) = \bigsqcup_{1 \leq i,j \leq h} I_{ij}(\ell, p)/\sim,$$

where an isogeny $\varphi \in I_{ij}(\ell, p)$ is considered as an edge $[E_i, E_j]$ and two edges given by $\varphi, \varphi' \in I_{ij}(\ell, p)$ are identified, i.e. $\varphi \sim \varphi'$, if and only if there is $\alpha \in \mathrm{Aut}(E_j)$ and $\beta \in \mathrm{Aut}(E_i)$ such that $\varphi' = \alpha \circ \varphi \circ \beta$ (Fig. 6).

Fig. 6 Comparison of the graph of the special fibre at $\ell$ of the Shimura curve $X(p \cdot \ell)$ (top) and the supersingular $\ell$-isogeny graph (bottom) for $\ell = 2$ and $p = 61$. Vertices with the same colour on the top map under Ribet’s correspondence to the vertex of the same colour on the bottom. Compare also with the colouring of the vertices in Fig. 5


Remark 4 Note that Ribet’s correspondence is a 2:1 covering from $G$ to the supersingular $\ell$-isogeny graph $G_\ell$, whereas Deuring’s correspondence is only 2:1 onto the vertices defined over $\mathbb{F}_{p^2} - \mathbb{F}_p$, and 1:1 onto the vertices defined over $\mathbb{F}_p$. In particular, there cannot be a perfect 1:1 correspondence between the quaternion ideal graph and the Bruhat–Tits quotient $G$.

Remark 5 The correspondence between supersingular isogeny graphs and the Bruhat–Tits tree is explained in [12] and [13]. By Deuring’s correspondence, isomorphism classes of supersingular elliptic curves are in bijection with the class set of a maximal order in the quaternion algebra $B_{p,\infty}$ (and we get such a bijection for any choice of a maximal order). This class set is in bijection with a double coset of the adelic points of a quaternion algebra. Section 7 of [13] is devoted to explaining strong approximation for the adelic quotient, which gives a bijection between the vertices of the supersingular isogeny graph and the double cosets $O[\ell^{-1}]^\times \backslash \mathrm{GL}_2(\mathbb{Q}_\ell)/\mathrm{GL}_2(\mathbb{Z}_\ell)$, where $\mathcal{T}_\ell = \mathrm{GL}_2(\mathbb{Q}_\ell)/\mathrm{GL}_2(\mathbb{Z}_\ell)$ is the Bruhat–Tits tree.

4.4 The Bruhat–Tits Tree and Quaternion Orders

Following [29, Sec. 2.2.2.4], we know how to relate the vertices of a Bruhat–Tits tree, viewed as classes of homothetic $\mathbb{Z}_\ell$-lattices in $\mathbb{Q}_\ell^2$, to maximal orders in $B := B_{p,\infty}$. Let $O$ be a maximal order of $B$. For a prime $\ell \neq p$, we consider the localisation $B_\ell := B \otimes_{\mathbb{Q}} \mathbb{Q}_\ell$, and write $O_\ell$ for the localization of $O$. Since $B$ is split at $\ell$, there is an isomorphism $B_\ell \cong M_2(\mathbb{Q}_\ell)$. Under this isomorphism, the maximal order $O_\ell$ gets mapped to a maximal order in $M_2(\mathbb{Q}_\ell)$. But in $M_2(\mathbb{Q}_\ell)$, any maximal order is conjugate to the maximal order $M_2(\mathbb{Z}_\ell)$: as described in Sect. 3.3, we can choose an embedding  : $B \to M_2(\mathbb{Q}_\ell)$ such that  $(O) = M_2(\mathbb{Z}_\ell)$, and the embedding  is the composition of the localization map and a conjugation in $M_2(\mathbb{Q}_\ell)$. Under  , other maximal orders in $B$ map to maximal orders in $M_2(\mathbb{Q}_\ell)$, and hence are endomorphism rings of lattices in $\mathbb{Q}_\ell^2$.

The embedding  factors as the localization map $B \to B_\ell$ and an isomorphism  : $B_\ell \to M_2(\mathbb{Q}_\ell)$. Given a homothety class $\{M\}$ of $\mathbb{Z}_\ell$-lattices of rank 2, define $O_{\{M\}} :=$  $^{-1}(\mathrm{End}(M))$. The order $O_{\{M\}}$ is maximal in $B_\ell$ [42, II.2.1]. In fact, the set of vertices of the Bruhat–Tits tree $\mathcal{T}_\ell$ is in bijection with the set of maximal orders of $B_\ell$, and the bijection is given by

$$\{M\} \in \mathrm{Ver}(\mathcal{T}_\ell) \mapsto O_{\{M\}} \subseteq B_\ell,$$

and this bijection depends on the isomorphism  and the choice of a basis for $\mathbb{Q}_\ell^2$ [29, Sec. 2.2.2.4]. We emphasize that this construction depends on the choice of the embedding  . Conversely, if we take any maximal order $O \subseteq B_{p,\infty}$, we can choose  such that  $(O) = M_2(\mathbb{Z}_\ell)$, which is the endomorphism ring of the lattice $\langle (1, 0), (0, 1) \rangle$, i.e. choose $O$ as root of the Bruhat–Tits tree.

Remark 6 The Bruhat–Tits tree $\mathcal{T}_\ell$ can also be interpreted in terms of global orders in $B$. For a fixed maximal order $O \subseteq B$, consider the set of maximal orders $O' \subseteq B$ defined locally by

$$O'_{\tilde{\ell}} := O_{\tilde{\ell}} \ \text{ for } \tilde{\ell} \neq \ell, \qquad O'_\ell := x O_\ell x^{-1} \ \text{ for some } x \in B_\ell.$$

This set is in bijection with the set of local maximal orders in $B_\ell$ (loc. cit.). Note that we can choose $O$ to be such that $O = O_{\{M^0\}}$, with $M^0 = M_2(\mathbb{Z}_\ell) = \langle (1, 0), (0, 1) \rangle$.

5 Towards Cryptographic Applications

In this section we explore the possibility of using Bruhat–Tits trees for cryptanalysis of isogeny-based protocols that make use of supersingular elliptic curves defined over $\mathbb{F}_{p^2}$, which includes the CGL hash function [11] and any SIDH-based protocols (e.g. [3]) but excludes commutative isogeny-based proposals like CSIDH [8]. In Sect. 5.1 we explain why the Bruhat–Tits tree truncated at a certain level may actually be more instructive than the supersingular isogeny graph $G_\ell$ for cryptanalysis of, for example, SIKE. We find this interesting for several reasons:

• Computing paths on the Bruhat–Tits tree $\mathcal{T}_\ell$ is much more efficient and simple than computing paths in isogeny graphs $G_\ell$ or graphs of quaternion orders, since it just involves linear algebra with $M_2(\mathbb{Z}_\ell)$, see Sect. 5.3.
• Computing a path from a given vertex on the Bruhat–Tits tree to the root vertex (corresponding by our choices to $j = 1728$) is trivial.
• Computing the isogeny corresponding to a given path is simple and efficient, see Algorithm 1.
• Information about the quaternion order corresponding to a given vertex, such as its norm form, can be read off from the label of the vertex. A speculative cryptanalytic application of this is discussed in 5.4.

5.1 A Truncated Bruhat–Tits Tree from SIKE Parameters

In this section, we argue that the truncation of the Bruhat–Tits tree, as defined at the end of Sect. 2.3, is a useful tool for the cryptanalysis of SIKE since it gives a convenient ‘approximation’ of the subgraph of G relevant for SIKE. The parameter setup in SIKE already specifies a basis of two torsion groups of the form E[e ] of a given supersingular elliptic curve E, and the truncated Bruhat–Tits tree can be built from this basis as described in Sects. 4.2.1 and 4.2.4; this is not captured by the graph G because G only keeps track of which curves are -isogenous.

In SIKE, the prime p is chosen such that $p = 2^{e_A} 3^{e_B} - 1$ and the starting elliptic curve $E_0$ such that $\mathrm{tr}(E_0) = -2p$, so that $\#E(\mathbb{F}_{p^2}) = (p + 1)^2$. Moreover, in the protocol we are given, as public parameters, a basis $\{P_A, Q_A\}$ of $E_0[2^{e_A}] \subseteq E_0(\mathbb{F}_{p^2})$ and a basis $\{P_B, Q_B\}$ of $E_0[3^{e_B}] \subseteq E_0(\mathbb{F}_{p^2})$. Alice (resp. Bob) takes a pseudorandom walk in the supersingular isogeny graph $G_2$ (resp. $G_3$) of length $e_A$ (resp. $e_B$) from $E_0$. This pseudorandomness is achieved by choosing an integer $0 \le n_A < 2^{e_A}$ (resp. $0 \le n_B < 3^{e_B}$) and by computing the isogeny $\varphi_A : E_0 \to E_A$ (resp. $\varphi_B : E_0 \to E_B$) with kernel $G_A = P_A + n_A Q_A$ (resp. $G_B = P_B + n_B Q_B$). Note that these isogenies can be computed very efficiently as a sequence of $\mathbb{F}_{p^2}$-rational 2- and 3-isogenies.

We follow Alice’s walk step by step. First note that for every $1 \le k \le e_A$, $\{2^{e_A-k} P_A, 2^{e_A-k} Q_A\}$ is a system of compatible bases of $E_0[2^k]$, which allows us to consider the Bruhat–Tits tree $T_2$ with root $E_0$ and truncated at level $e_A$. Following the notation introduced in Sect. 2.3, we will denote by $T_2^{(e_A)}$ this truncated Bruhat–Tits tree. Now, the first step of Alice’s walk in $G_2$ is given by the isogeny $E_0 \to E_0 / 2^{e_A-1}(P_A + n_A Q_A)$. Since $2^{e_A-1}(P_A + n_A Q_A) = 2^{e_A-1} P_A + i_1 2^{e_A-1} Q_A$ where $n_A \equiv i_1 \pmod{2}$, and $\{2^{e_A-1} P_A, 2^{e_A-1} Q_A\}$ is a basis of $E_0[2]$, this step can be identified on $T_2^{(e_A)}$ with the step from the root in the direction $i_1$, which is labelled by the matrix

$$\begin{pmatrix} 1 & 0 \\ i_1 & 2 \end{pmatrix}.$$

More generally, if we represent $n_A$ by its 2-adic expansion, i.e.

$$n_A = \sum_{j=1}^{e_A} i_j 2^{j-1}, \qquad i_j \in \{0, 1\} \text{ for all } j = 1, \dots, e_A,$$

then it is easy to see that the kth step of Alice’s walk on $G_2$ corresponds to a level-increasing step on $T_2^{(e_A)}$ in the direction $i_k$. Hence, we can label Alice’s walk with the sequence $(i_1, i_2, \dots, i_{e_A})$. In other words we can see all Alice’s non-backtracking walks from $E_0$ on $G_2$ as level-increasing walks from the root on $T_2^{(e_A)}$. Moreover, the choice in SIKE of the kernel generator of the form $P_A + nQ_A$ restricts us to the subtree T2  $T_2^{(e_A)}$ obtained from $T_2^{(e_A)}$ by ‘trimming’ the direction ∞. This subtree has on its kth level the elliptic curves given by the quotients $E_0 / 2^{e_A-k}(P_A + nQ_A)$ for $0 \le n < 2^{e_A} - 1$. Therefore, the leaves of the subtree T2 correspond to all the possible public keys $E_A$.

Mutatis mutandis, Bob’s walk from $E_0$ to $E_B$ in $G_3$ can be considered as a level-increasing walk on the subtree T3 of the Bruhat–Tits tree T3 truncated at level $e_B$ and trimmed of the ∞ direction.

The vertices in T for  ∈ {2, 3} do not necessarily correspond to curves with different j-invariants. We can map T ⊆ T → G by identifying vertices corresponding to curves with the same j-invariant and by identifying equivalent edges. However, in [32], Onuki, Aikawa, and Takagi compute that the image of T in G is ‘almost a tree’, and in cases of interest, it is indeed a tree: the image of T in G is a tree for (the parameter sets in) SIKEp434 for  = 2 and for SIKEp504 for both  = 2 and  = 3; for SIKEp434 and  = 3 the mapping of T3 into G3 glues two pairs of vertices together. A similar computation is in principle possible for larger parameter sets.

If we want a level-increasing walk on the Bruhat–Tits tree, we need to avoid the ∞ direction in all except possibly the first step. In SIKE, the ∞ direction is avoided altogether by the explicit choice of kernel generators $P_A + nQ_A$ for 0 ≤ n < eAA . However, there is another design choice of SIDH/SIKE for  = 2 that can be thought of as avoiding the ∞ direction: For A = 2, the j-invariant j = 1728 admits a self-loop and two 2-isogenies to the elliptic curve with j-invariant j = 287,496. Therefore, SIKE chooses the starting curve $E_6 : y^2 = x^3 + 6x^2 + x$ and, for the 2-isogeny walks, chooses a basis $\{P_A, Q_A\} \subseteq E_6[2^{e_A}]$ such that none of the $2^{e_A}$ isogenies pass through j = 1728. This is equivalent to $[2^{e_A-1}]P_A = (0, 0)$.
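The labelling of walks by the digits of the secret, described in this section, as an added example (it is not code from the paper or from the BTQuotient package). It assumes that every level-increasing step in direction i multiplies the current label on the right by the matrix the text gives for the first step, with 2 replaced by 3 for Bob; the function names and the toy sizes are constructed for illustration.

```python
"""Added example: vertex labels on the trimmed, truncated tree of Sect. 5.1.

Assumption (not taken from the paper's code): a level-increasing step in
direction i multiplies the current label on the right by [[1, 0], [i, ell]],
the matrix the text gives for the first step (ell = 2 for Alice, 3 for Bob).
"""

IDENTITY = ((1, 0), (0, 1))  # label of the root vertex E_0


def directions(n, ell, e):
    """Digits (i_1, ..., i_e) with n = sum_j i_j * ell**(j-1), 0 <= i_j < ell."""
    if not 0 <= n < ell ** e:
        raise ValueError("secret must satisfy 0 <= n < ell**e")
    digits = []
    for _ in range(e):
        n, digit = divmod(n, ell)
        digits.append(digit)
    return digits


def matmul(a, b):
    """Product of two 2x2 integer matrices given as nested tuples."""
    return tuple(
        tuple(sum(a[r][k] * b[k][c] for k in range(2)) for c in range(2))
        for r in range(2)
    )


def walk_labels(n, ell, e):
    """Labels of the vertices visited by the walk for secret n, root first."""
    labels = [IDENTITY]
    for i in directions(n, ell, e):
        labels.append(matmul(labels[-1], ((1, 0), (i, ell))))
    return labels


def parent(label, ell):
    """Neighbour one level closer to the root: drop the most significant digit."""
    offset, modulus = label[1]
    if modulus == 1:
        raise ValueError("the root has no parent")
    modulus //= ell
    return ((1, 0), (offset % modulus, modulus))


def path_to_root(label, ell):
    """Vertices from `label` back to the root, both ends included."""
    path = [label]
    while path[-1] != IDENTITY:
        path.append(parent(path[-1], ell))
    return path


def shared_levels(n, m, ell, e):
    """Number of initial steps the walks for secrets n and m have in common."""
    shared = 0
    for a, b in zip(directions(n, ell, e), directions(m, ell, e)):
        if a != b:
            break
        shared += 1
    return shared


def leaf_distance(n, m, ell, e):
    """Edges on the tree path between the leaves (public keys) for n and m."""
    return 2 * (e - shared_levels(n, m, ell, e))


if __name__ == "__main__":
    # Constructed toy sizes, far below SIKE's e_A and e_B.
    print(directions(11, 2, 4))
    print(walk_labels(11, 2, 4))
    print(path_to_root(walk_labels(14, 3, 3)[-1], 3))
    print(leaf_distance(11, 3, 2, 4))
```

Distances here are measured in the tree; as the text notes, distinct vertices can have the same j-invariant once the tree is mapped to the isogeny graph.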

5.2 Isogenies from Paths in the Bruhat–Tits Tree

Given a level-increasing path of length k from the root vertex $v^{(0)}$ in the Bruhat–Tits tree – corresponding to an elliptic curve $E_0$ of known endomorphism ring and a choice of a ‘suitable basis’ {Pk , Qk } ⊆ E0 [k ], defined below – we show that it is easy to translate the path into a sequence of isogenies starting at $E_0$.

Let E be a supersingular elliptic curve over $\mathbb{F}_{p^2}$. Recall that the Bruhat–Tits tree can be constructed in two fashions. The first was described in Sect. 4.2.1: use a basis of the Tate module T (E) to map E to the vertex $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$. Moreover, projecting the basis of T (E) to E[k ] we get a basis {Pk , Qk } of E[k ] and the directions in the Bruhat–Tits tree exactly correspond to the choice of the kernel generators, as seen in Sect. 4.2.4. We call the basis {Pk , Qk } of E[k ] a ‘suitable basis’.

Alternatively, under any localization map  : Bp,∞ → Bp,∞ ⊗Q Q ≅ M2 (Q ), the endomorphism ring O maps to a maximal order in M2 (Q ) and hence is the endomorphism ring of some lattice in Q2 . This maps E to some vertex in the Bruhat–Tits tree T ; if desirable we can place E at the root of the tree by choosing the  for which  (End(E)) = M2 (Z ).

In some cases, having taken the second approach, it is still possible to recover a suitable basis. Specifically, if we know the endomorphism ring End(E) = O ⊆ Bp,∞ , then we can find a suitable basis: take any basis {Pk , Qk } of E[k ]. Denote by {α1 , α2 , α3 , α4 } a basis of O and compute the images  (αi ) ∈ M2 (Q ). We can interpret them as maps in End(T (E)) and compute the action of  (αi ) on {Pk , Qk }. Provided that  is small, it is not difficult to construct a basis {Pk , Qk } of E[k ] such that the action of αi on E[k ] is given by the matrices  (αi ).

Algorithm 1 Computing the isogeny corresponding to a non-backtracking path in the Bruhat–Tits tree

Require:
1. A supersingular elliptic curve $E/\mathbb{F}_{p^2}$ with known endomorphism ring End(E) ≅ O.
2. An embedding  : O → M2 (Q ) sending  (O) = M2 (Z ) and a suitable basis {P , Q} of E[k ].
3. A vertex w in the truncated Bruhat–Tits tree $T^{(k)}$ at distance d ≤ k from the vertex v.
Ensure: Sequence of -isogenies (ϕ1 , . . . , ϕd ) such that ϕ = ϕd ◦ · · · ◦ ϕ1 : E → Ed is the isogeny corresponding to the path from v to w.
1. Compute the shortest path from v to w in the Bruhat–Tits tree, as a sequence of directions (i1 , . . . , id ) with i1 ∈ {0, . . . ,  − 1, ∞} and ij ∈ {0, . . . ,  − 1} for j ≥ 2, as defined in Equation (2).
2. (j = 1 case) Set E0 = E.
   2a. If i1 ≠ ∞, set S1 = P + [i1 ]Q and T1 = Q. Otherwise, set S1 = Q and T1 = P .
   2b. Compute the -isogeny ϕ1 : E0 → E1 with kernel [k−1 ]S1 .
   2c. Replace S1 = ϕ1 (S1 ) and T1 = ϕ1 (T1 ).
3. for j = 2, . . . , d do
   3a. Set Sj = Sj −1 + [ij · j −1 ]Tj −1 . (Note that the order of Sj is k−j +1 .)
   3b. Compute the -isogeny ϕj : Ej −1 → Ej with kernel [k−j ]Sj .
   3c. Replace Sj = ϕj (Sj ) and Tj = ϕj (Tj ).
   end for
return (ϕ1 , . . . , ϕd ) and Ed .

Remark 7 In Algorithm 1, we assume that the vertex corresponding to E is at the root $v^{(0)}$ of the Bruhat–Tits tree. However, it is easy to extend the algorithm to compute paths between elliptic curves corresponding to any vertices $v, w \in T^{(k)}$. Since $T^{(k)}$ is a tree, we obtain the shortest path from v to w by walking towards the root vertex until they reach the same vertex u (and take the minimal choice of u). Then the shortest path from v to w is the path v → u → w. The isogeny corresponding to this path can be obtained by first computing the isogenies corresponding to the paths $v^{(0)}$ → u → v and $v^{(0)}$ → u → w and then composing the dual of the isogeny corresponding to the path u → v with the isogeny corresponding to the path u → w.

Note also that identifying the direction towards the root from the vertex v on level k corresponding to a lattice  is easy: it is the matrix form Mi of the unique direction i such that Mi  =  ·  for some lattice  ⊆ Z × Z . Then  = 1 (Mi ) can be taken as a representative of the unique class of lattices that gives the unique neighbour of v on level k − 1.

Example 5 In this example, we set $p = 2^{128} \cdot 3^{81} - 1$ and let $E_0/\mathbb{F}_p : y^2 = x^3 - x$ be the supersingular elliptic curve with j-invariant 1728. We want to compute the first 4 steps in the Bruhat–Tits tree $T_3$ in direction 2. We choose $\mathbb{F}_{p^2} = \mathbb{F}_p(\alpha)$ with $\alpha^2 + \alpha + 1 = 0$. We know that $\mathrm{End}(E_0) \cong O_0 = \mathbb{Z} \oplus \mathbb{Z}i \oplus \mathbb{Z}\frac{i+j}{2} \oplus \mathbb{Z}\frac{k+1}{2}$. Since we are only interested in the action of O on $E_0[3^4]$, we use the function _local_splitting_map_big with precision = 4 to compute the local embedding O → M2 (Z ) sending

$$i \mapsto \begin{pmatrix} 0 & 2 + 2 \cdot 3 + 2 \cdot 3^2 + 2 \cdot 3^3 + O(3^4) \\ 1 + O(3^4) & 0 \end{pmatrix}, \tag{5}$$

$$j \mapsto \begin{pmatrix} 1 + O(3^4) & 0 \\ 0 & 2 + 2 \cdot 3 + 2 \cdot 3^2 + 2 \cdot 3^3 + O(3^4) \end{pmatrix}. \tag{6}$$

We approximate the action of these matrices on $E[3^4]$ by the matrices

$$i \mapsto \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix} \quad \text{and} \quad j \mapsto \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}. \tag{7}$$

From this we see that we can obtain a suitable basis $\{P, Q\} \subseteq E_0[3^4]$ by choosing any $P = (x_P, y_P) \in E[3^4]$ with coefficients in $\mathbb{F}_p$ and then setting $Q = i(P) = (-x_P, \sqrt{-1}\, y_P)$. We choose the following:

P = (69090058121126534543553450914202471243149444112687236282196103950536986575674,
     148149179690951251741543247140201574693797196524757723926115591348205576560175)

√−1 = 150890214974780584126857431087264183670758326556949855297519874595445943566335 · α + 150890214974780584126857431087264183670982595900206857014222565567585690058751

Q = i(P) = (81800156853654049583303980173061712428057421130776622448729152589188449975493,
     57842937584409593785324373889306193510590044719301263585722539745470214420327 · α + 104366576279595088956090902488285188590898454981382561158323898142597825485747)

Applying Algorithm 1 for the directions (2, 2, 2, 2) (that is, sidestepping Step 1.) we obtain the following sequence of isogenies:

E0 → E1 → E2 → E3 → E4

j(E1) = 150890214974780584126857431087234357757534333818741013404936225109756328767167,
j(E2) = 75470002103040437929709447505045839662407841445272772730326492794701048289144,
j(E3) = 98355284167081716305955875905001120164000782500252214878995465883556281372665,
j(E4) = 1388066880339297988118686463466172299814501399414830259912841487232310472184.

5.3 Explicit Computations with the Bruhat–Tits Tree

To explicitly compute neighbours in the quotient of the Bruhat–Tits tree, we adapt the code from [20], which is also available in Sage [22]. The module BTQuotient [21] allows one to enumerate the entire graph given by the quotient of the Bruhat–Tits tree T by the group ,+ , that in turn gives a double covering of the isogeny graph G (note that while their definition of ,+ is slightly different from ours, the groups are the same). The code from [20] also contains functions to compute many other useful things, for example the maximal order in the quaternion algebra associated to a given vertex in the Bruhat–Tits graph. As written, the code of [20] relies on first enumerating the entire graph before performing any other computations (as the focus of Franc and Masdeu is computing small explicit examples), but in fact this is mainly for convenience and it is easy to extend their work to cryptographic sizes.

We adapt their algorithm for computing the norm form of a quaternion order corresponding to a given vertex in the Bruhat–Tits quotient in Algorithm 2 so that it can be used for examples of cryptographic size. For simplicity, we specialize Algorithm 2 as follows: we choose p ≡ 3 mod 4, and for the root vertex of the Bruhat–Tits tree T we use the supersingular elliptic curve $E : y^2 = x^3 - x$, with the maximal order $\mathbb{Z} \oplus i\mathbb{Z} \oplus \frac{1+k}{2}\mathbb{Z} \oplus \frac{i+j}{2}\mathbb{Z}$ with $i^2 = -1$ and $j^2 = -p$, which can be identified with endomorphisms of E as in Example 3.

In Sect. 5.4, we discuss a way of making use of Algorithm 2 for cryptanalysis of supersingular isogeny graph cryptosystems. For this, we also need to compute the elliptic curve corresponding to a vertex of the Bruhat–Tits tree, and the -power-isogeny to it corresponding to the path in the Bruhat–Tits tree, which we have described in Algorithm 1.

Algorithm 2 Computing norm equations for cryptographic sizes with p ≡ 3 (mod 4)

Require: A vertex v ∈ M2 (Z ) in the Bruhat–Tits tree.
Ensure: The norm form of the maximal order corresponding to v, if the root of the tree corresponds to the maximal order $O_0 = \mathbb{Z} \oplus \mathbb{Z}i \oplus \mathbb{Z}\frac{i+j}{2} \oplus \mathbb{Z}\frac{k+1}{2}$.
1. Define  : Bp,∞ → M2 (Q ) to be an embedding for which  (O0 ) = M2 (Z ), and compute  (i),  (j ), and  (k).
2. Label the initial vertex $v^{(0)} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$ with the order O0 .
3. Apply the basis change v to the basis of $v^{(0)}$ (as elements of M2 (Z )). The new basis B is the basis of the maximal order of v.
4. Row reduce the basis B and deduce the basis B = {β0 , β1 , β2 , β3 } in terms of 1, i, j, k (via  ).
5. Compute the reduced norm N of an element aβ0 + bβ1 + cβ2 + dβ3 , where a, b, c, d ∈ Z are variables.
return N .

5.4 Computing and Exploiting Norm Equations

In this section, we explore the feasibility of using the description of Bruhat–Tits trees to deterministically find an elliptic curve whose endomorphism ring satisfies certain desirable properties. This study is motivated by the recent paper [28], in which it is shown that, under certain plausible heuristics, there exist exponentially many supersingular elliptic curves over $\mathbb{F}_{p^2}$ which, if used as a starting curve for the SIDH protocol, can give an improvement over the generic meet-in-the-middle attack by exploiting the public torsion point images. For simplicity, let us consider an SIDH setup in which $p = 2^{e_A} 3^{e_B} - 1$, and the starting curve $E_0/\mathbb{F}_p$ has j-invariant 1728, as in Sect. 5.1, and additionally suppose that $2^{e_A} \le 3^{e_B}$. In this case, a curve E/Fp2 is defined to be insecure if there exist θ ∈ End(E), τ ∈ End(E0 ), n ∈ Z, and < 2eA such that nrd(θ ) = 22eA nrd(τ ) + n2 = 32eB . In particular, insecure curves are characterised by the existence of such an endomorphism θ , and by the intersection of their endomorphism rings with End(E0 ). With this in mind, we give an example in which we can parametrize the norm form of this intersection for a certain path in the Bruhat–Tits tree, with a view to using this as a tool in future cryptanalysis.

Example 6 Let $p = 2^{128} 3^{81} - 1$, and let $O_n$ be a maximal order obtained by taking 1 ≤ n ≤ 81 steps on the 3-left ideal graph in direction 2 from the starting point $\mathrm{End}(E_0) \cong O_0 = \mathbb{Z} \oplus \mathbb{Z}i \oplus \mathbb{Z}\frac{i+j}{2} \oplus \mathbb{Z}\frac{k+1}{2}$. Then the norm form of the order $O_0 \cap O_n$ is

$$\frac{1}{4}\left((3^n - 1)^2 p + (3^n + 1)^2\right)(a^2 + b^2) + \frac{3^{2n}}{4}(p + 1)(c^2 + d^2) + \frac{3^n}{2}\left((3^n - 1)p + 3^n + 1\right)(ac + bd).$$

This example was computed using the code available at www.martindale.info/research/BT.


In future work we hope to parameterize all the norm forms of intersections of maximal orders corresponding to the endpoints of a chain of n isogenies in the isogeny graph for SIKE or SIDH⁵ in this way. The hope is that one can determine the properties needed by an endomorphism ring for a particular cryptanalytic tool, such as insecure curves in the sense of [28]. One can then look at the parametrization to determine if such a quaternion order appears in the required neighbourhood of the graph, and if necessary traverse the Bruhat–Tits tree to compute a path to j = 1728 from the order in question. Traversing the Bruhat–Tits tree is very fast and simple, involving only multiplication of matrices in M2 (Z ), and Algorithm 1 then translates this path to an isogeny.

A final note on the potential to use this in cryptanalysis: [28, Proposition 23] shows that it would be possible to use a path from j = 1728 to an insecure curve to get an attack on a protocol starting from j = 1728, if there is an insecure curve sufficiently close to j = 1728. A classification of the kind described above should allow us to say exactly where the closest insecure curve is to be found on the Bruhat–Tits tree and consequently in the isogeny graph, giving a result on the (in)security of SIDH.

6 Conclusion

Supersingular isogeny graphs are typically studied using quaternion algebras: Deuring’s correspondence translates questions about supersingular elliptic curves to questions about maximal orders in quaternion algebras. We propose that we take one step further, from quaternion algebras to Bruhat–Tits trees. The main advantage of looking at supersingular isogeny graphs as quotients of Bruhat–Tits trees is that every vertex and edge can be labelled by a simple two-by-two matrix, which allows for a simple manipulation, as well as giving directions in the isogeny graph.

Moreover, we defined the truncated Bruhat–Tits tree and argued how these trees give an approximation to the subgraph of G relevant for SIKE. The truncated Bruhat–Tits tree also captures the choice of torsion basis, which is a part of the protocol set up. We believe that the directions of a path in the Bruhat–Tits tree can give insight into the arithmetic of the endomorphism rings of the elliptic curves along that path.

Acknowledgments We want to thank the organisers of the Women in Numbers Europe 3 conference for giving us the opportunity to work on this project. We also wish to thank the anonymous reviewers for their helpful comments. Jana Sotáková, as well as a follow up visit of Laia Amorós, Annamaria Iezzi and Chloe Martindale at the CWI in Amsterdam, were supported by the Dutch Research Council (NWO) through Gravitation-grant Quantum Software Consortium—024.003.037. Laia Amorós was supported by Academy of Finland grant #282938 and by Helsinki Institute for Information Technology HIIT. Chloe Martindale was partially supported by CHIST-ERA USEIT (NWO project 651.002.004).

⁵ Although we will focus at first on the SIKE parameters, it could be that the most interesting case occurs for a different parameter set within the SIDH family of protocols.

References

1. Amorós, L., Milione, P.: Mumford curves covering p-adic Shimura curves and their fundamental domains. Trans. Amer. Math. Soc. 371(2), 1119–1149 (2019)
2. Arpin, S., Camacho-Navarro, C., Lauter, K., Lim, J., Nelson, K., Scholl, T., Sotáková, J.: Adventures in Supersingularland. Preprint at https://eprint.iacr.org/2019/1056 (2019)
3. Azarderakhsh, R., Koziel, B., Campagna, M., LaMacchia, B., Costello, C., Longa, P., De Feo, L., Naehrig, M., Hess, B., Renes, J., Jalali, A., Soukharev, V., Jao, D., Urbanik, D.: Supersingular Isogeny Key Encapsulation. Available at http://sike.org (2017)
4. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: Efficient Isogeny Based Signatures Through Class Group Computations. In: Galbraith, S. D., Moriai, S. (eds.) Advances in Cryptology – ASIACRYPT 2019, Lecture Notes in Comp. Sci, vol. 11921, pp. 227–247. Springer (2019)
5. Boutot, J.-F., Carayol, H.: Uniformisation p-adique des courbes de Shimura: les théorèmes de Čerednik et de Drinfeld. Astérisque 196–197, 45–158 (1991)
6. Brandt, H.: Zur Zahlentheorie der Quaternionen. Jahresbericht der Deutschen Mathematiker-Vereinigung 53, 23–57 (1943)
7. Castryck, W., Decru, T.: CSIDH on the Surface. In: Ding, J., Tillich, J.-P. (eds.) Post-Quantum Cryptography, Security and Cryptology, vol. 12100, pp. 111–129. Springer (2020)
8. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: An Efficient Post-Quantum Commutative Group Action. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology – ASIACRYPT 2018, Lecture Notes in Comp. Sci, vol. 11274, pp. 395–427. Springer (2018)
9. Čerednik, I.V.: Uniformization of algebraic curves by discrete arithmetic subgroups of $\mathrm{PGL}_2(k_w)$ with compact quotients. Math. USSR Sbornik 29(1), 55–78 (1976)
10. Charles, D.X., Goren, E.Z., Lauter, K.E.: Cryptographic hash functions from expander graphs. Preprint available at https://eprint.iacr.org/2006/021 (2006)
11. Charles, D.X., Goren, E.Z., Lauter, K.E.: Cryptographic hash functions from expander graphs. Journal of Cryptology 22(1), 93–113 (2009)
12. Charles, D.X., Goren, E.Z., Lauter, K.E.: Families of Ramanujan graphs and quaternion algebras. In: Harnad, J., Winternitz, P. (eds.) Groups and symmetries. CRM Proc. Lecture Notes, vol. 47, pp. 53–80. Amer. Math. Soc. (2009)
13. Costache, A., Feigon, B., Lauter, K., Massierer, M., Puskas, A.: Ramanujan Graphs in Cryptography. In: Balakrishnan, J., Folsom, A., Lalín, M., Manes, M. (eds) Research Directions in Number Theory, Association for Women in Mathematics Series, vol 19, pp. 1–40. Springer (2018)
14. Couveignes, J.-M.: Hard Homogeneous Spaces. Preprint at https://ia.cr/2006/291 (2006)
15. De Feo, L.: Exploring Isogeny Graphs. Habilitation Thesis (2018)
16. De Feo, L., Kieffer, J., Smith, B.: Towards Practical Key Exchange from Ordinary Isogeny Graphs. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology – ASIACRYPT 2018. Lecture Notes in Comp. Sci., vol 11274, pp. 365–394. Springer (2018)
17. Deuring, M.: Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abh. Math. Sem. Hansischen Univ 14, 197–272 (1941)
18. Drinfel’d, V.G.: Coverings of p-adic symmetric regions. Functional Analysis and Its Applications 10(2), 107–115 (1976)
19. Eisentraeger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J., Rijmen, V. (eds.) Advances in Cryptology – EUROCRYPT 2018. Lecture Notes in Comp. Sci., vol 10822, pp. 329–368. Springer (2018)
20. Franc, C., Masdeu, M.: Computing fundamental domains for the Bruhat–Tits tree for $\mathrm{GL}_2(\mathbb{Q}_p)$, p-adic automorphic forms, and the canonical embedding of Shimura curves. LMS Journal of Computation and Mathematics 17(1), 1–23 (2014)
21. Franc, C., Masdeu, M.: BTQuotient package. Available at https://github.com/mmasdeu/btquotients
22. Franc, C., Masdeu, M.: BTQuotient Module. Available at https://doc.sagemath.org/html/en/reference/modsym/sage/modular/btquotients/btquotient.html
23. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B. Y. (eds.) Post-Quantum Cryptography. PQCrypto 2011. Lecture Notes in Comp. Sci., vol 707, pp. 19–34. Springer (2011)
24. Jordan, B.W., Livné, R.: Local diophantine properties of Shimura curves. Math. Ann. 270(2), 235–248 (1984)
25. Kohel, D.: Endomorphism rings of elliptic curves over finite fields. PhD Thesis of the University of California at Berkeley (1996)
26. Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion -isogeny path problem. LMS Journal of Computation and Mathematics 17, 418–432 (2014)
27. Kurihara, A.: On some examples of equations defining Shimura curves and the Mumford uniformization. J. Fac. Sci. Univ. Tokyo, Sect. IA Math 25(3), 277–300 (1979)
28. Kutas, P., Martindale, C., Panny, L., Petit, C., Stange, K.E.: Weak instances of SIDH variants under improved torsion-point attacks. Preprint at https://eprint.iacr.org/2020/633 (2020)
29. Milione, P.: Shimura curves and their p-adic uniformizations. PhD Thesis of the Universitat de Barcelona (2015)
30. Morita, Y.: Reduction mod p of Shimura curves. Hokkaido Math. J 10(2), 209–238 (1981)
31. National Institute of Standards and Technology. Post-quantum cryptography standardization (December 2016)
32. Onuki, H., Aikawa, Y., Takagi, T.: The Existence of Cycles in the Supersingular Isogeny Graphs Used in SIKE. In: Proceedings of 2020 International Symposium on Information Theory and its Applications, ISITA 2020, pp. 358–362, 9366119 (2020)
33. Petit, C.: Faster Algorithms for Isogeny Problems Using Torsion Point Images. In: Takagi, T., Peyrin, T. (eds.) Advances in Cryptology – ASIACRYPT 2017. Lecture Notes in Comp. Sci., vol 10625, pp. 330–353. Springer (2017)
34. Pizer, A.: An Algorithm for Computing Modular Forms on 0 (N ). Journal of Algebra 64(2), 340–390 (1980)
35. Pizer, A.: Ramanujan graphs and Hecke operators. Bull. Amer. Math. Soc. (N.S.) 23(1), 127–137 (1990)
36. Ribet, K.A.: On modular representations of Gal(Q/Q) arising from modular forms. Invent. Math 100(2), 431–476 (1990)
37. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Preprint at https://ia.cr/2006/145 (2006)
38. Serre, J.-P.: Arbres, amalgames, SL2. Société Mathématique de France (1977)
39. Shimura, G.: Construction of Class Fields and Zeta Functions of Algebraic Curves. Ann. of Math. 85(1), 58–159 (1967)
40. Silverman, J.H.: The Arithmetic of Elliptic Curves, 2nd Edition. Springer (2009)
41. Vélu, J.: Isogénies entre courbes elliptiques. Comptes Rendus de l’Académie des Sciences de Paris 273, 238–241 (1971)
42. Vignéras, M.-F.: Arithmétique des algèbres de quaternions. Springer (1980)
43. Voight, J.: Quaternion Algebras, v.0.9.22. Available at https://math.dartmouth.edu/~jvoight/quat.html (2020)

Semi-Regular Sequences and Other Random Systems of Equations

Mina Bigdeli, Emanuela De Negri, Manuela Muzika Dizdarevic, Elisa Gorla, Romy Minko, and Sulamithe Tsakou

MSC Codes (2020) Primary: 94A60, 13P10, 13P15, 13D40, 13P25

1 Introduction

Cryptosystems and digital signature algorithms based on the hardness of solving systems of multivariate polynomial equations belong to one of the five major families of post-quantum cryptography, multivariate (public-key) cryptography.

This work was started during the collaborative conference “Women in Numbers Europe 3”. The authors would like to acknowledge the organizers Sorina Ionica, Holly Krieger, and Elisa Lorenzo Garcia as well as the Henri Lebesgue Center, which hosted the conference. The symbolic algebra computations were performed with CoCoA 5 [1], Macaulay2 [18], Magma [10], and Wolfram Mathematica [31].

M. Bigdeli, School of Mathematics, Institute for Research in Fundamental Sciences (IPM), Teheran, Iran
E. De Negri, Dipartimento di Matematica, Università di Genova, Genova, Italy
M. M. Dizdarevic, Faculty of Natural Sciences and Mathematics, University of Sarajevo, Sarajevo, Bosnia and Herzegovina
E. Gorla, Institut de Mathématiques, Université de Neuchâtel, Neuchâtel, Switzerland
R. Minko, Mathematical Institute, University of Oxford, Oxford, UK
S. Tsakou, Laboratoire MIS, Université de Picardie Jules Verne, Amiens, France

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_3


Many systems arising in this context consist of quadratic equations and are therefore referred to as multivariate quadratic (MQ) systems. Given a system of quadratic polynomials over a finite field, F, and a vector y, the problem of finding a vector x such that F(x) = y, referred to as the MQ problem, is known to be NP-hard.

Polynomial system solving is also a crucial step in index-calculus algorithms to solve the discrete logarithm problem on an elliptic curve, a hyperelliptic curve, or an abelian variety. In such algorithms, one attempts to find a decomposition of a point of an elliptic curve (or of an abelian variety) over a chosen factor base. Such a decomposition is produced as a solution to a suitable system of polynomial equations. In this setting, most systems considered will not have any solutions and once in a while one will produce a system which has a solution and hence produces a relation. The found relations allow the attacker to set up a linear system, whose solution reveals the discrete logarithm.

The best known approach for solving an arbitrary system of polynomial equations over a finite field is finding a Gröbner basis of the ideal generated by the polynomials in the system [12]. The first algorithm for computing Gröbner bases was introduced by Buchberger [11] in 1965. Subsequently a number of system-solver algorithms have been proposed, including [23, 21, 13, 16, 7]. For a thorough summary, we refer the reader to [20]. Importantly, these algorithms do not rely on the specific algebraic structure of the original polynomials; they can therefore be applied to any system of equations. In particular, the complexity of computing a Gröbner basis of the public key of a multivariate cryptosystem or a multivariate digital signature algorithm gives an upper bound on the security of that system. Consequently, we are motivated to find tighter bounds on the complexity of Gröbner basis algorithms.

Several system solvers use Gaussian elimination of Macaulay matrices [20] to obtain a Gröbner basis. The complexity depends on the size to which this matrix grows, which in turn depends on the solving degree D of the system. This is the degree at which Gaussian elimination on the matrix reveals a Gröbner basis. It is difficult to know D in advance, so in practice the complexity of a system solver is often estimated from the degree of regularity of the system. Bardet, Faugère, and Salvy analyzed the F5 Algorithm in [3], giving a definition for the degree of regularity and an asymptotic upper bound on this degree for cryptographic semi-regular sequences. This bound is used widely in the cryptography community to estimate the security of multivariate polynomial cryptosystems and digital signatures.

In Sect. 3 of this paper, we provide evidence that the degree of regularity does not bound the solving degree of a system, in the case of inhomogeneous systems. Examples of this kind already appear in [12]. In this paper, however, we provide examples for which the difference between the degree of regularity and the solving degree is larger than in previously known examples.

Often cryptographers make the assumption that the systems that they analyze are random, where random means that the coefficients of the polynomials in F
are chosen uniformly at random from the coefficient field. Of course, in practice MQ cryptosystems are not random in this sense, as they must be equipped with a backdoor with which a trusted user can easily invert the system. However, this invertible map is hidden by secret affine transformations, such that the resulting public system resembles a random system. In the same way, systems coming from index-calculus are not truly random systems. They do, however, resemble random systems more closely, especially since they usually have no solutions, as is the case for an overdetermined random system of equations.

In Sects. 4 and 5 of this paper, we consider two distinct mathematical formulations for randomness of a system of equations. The first family of random systems that we consider are (cryptographic) semi-regular systems. Notice that systems whose coefficients are chosen uniformly at random in an infinite field (or in a large enough field) are known to be semi-regular for some choices of the parameters, and conjectured to always be. The second family of random systems that we consider are overdetermined quadratic systems of m equations in n variables, which contain a regular sequence of n polynomials. Notice that a system of quadratic equations for which the coefficients of the first n polynomials are chosen uniformly at random over an infinite (or large enough) field belongs to this family (the remaining m − n polynomials can be chosen arbitrarily). Therefore, this is a family of random systems which is larger than the one which is usually studied in the cryptographic literature.

The paper is organized as follows. In Sect. 2 we review some mathematical background on commutative algebra and semi-regular sequences that will be needed in the rest of the paper. In Sect. 3 we compare the notions of solving degree, degree of regularity, and Castelnuovo-Mumford regularity and give examples of polynomial systems for which the solving degree is greater than the degree of regularity. Subsequently, in Sect. 4 we derive explicit bounds on the solving degree of homogeneous systems of n + 1 equations in n variables, and for systems of m quadratic or cubic equations in n variables, for any m. Motivated by the examples in Sect. 3, we propose a new definition of cryptographic semi-regular sequence for inhomogeneous systems and we provide bounds for the solving degree of inhomogeneous systems which are cryptographic semi-regular systems according to our definition. Section 5 describes how the Eisenbud-Green-Harris conjecture, if true, can be used to bound the solving degree of overdetermined systems of quadratic polynomials. We conclude the paper by discussing some limitations to the applicability of the results of Sect. 5 to systems arising in cryptography, and a connection to the degree of regularity. In the appendix, we provide tables of bounds for the solving degree of semi-regular systems of m = n + k quadratic equations in n variables for 2 ≤ k, n ≤ 100 and online we provide the values of the bounds for 2 ≤ k, n ≤ 500.


M. Bigdeli et al.

2 Notation and Preliminaries

In this section we recall some concepts, definitions and results which will be used throughout the paper. Let $K$ be a field and let $R = K[x_1, \dots, x_n]$ be the polynomial ring in $n$ variables with coefficients in $K$. Denote by $\mathrm{Mon}(R)$ the set of monomials of $R$ and consider the degree reverse lexicographic order on $R$. We let $\operatorname{max.GB.deg}(I)$ denote the largest degree of an element in the reduced degree reverse lexicographic Gröbner basis of the ideal $I$. For $a \in \mathbb{R}$ we denote by $\lfloor a \rfloor$ and $\lceil a \rceil$ the floor and the ceiling of $a$, respectively.

Let $F = \{f_1, \dots, f_m\} \subseteq R$ be a system of polynomial equations and let $I = (f_1, \dots, f_m)$ be the ideal that they generate. A system is overdetermined if $m > n$. Let $d_i = \deg(f_i)$ for $1 \le i \le m$. We may assume without loss of generality that $d_i \ge 2$ for all $i$. In fact, if $F$ contains a polynomial of degree 0, this is either 0 and can be eliminated, or an element of $K \setminus \{0\}$ and the reduced degree lexicographic Gröbner basis of $I$ is the polynomial 1. If $F$ contains a polynomial of degree 1, this can be used to produce a new system in one less equation and one less variable, which has the same solutions as $F$.

If the equations of $F$ are not homogeneous, then we may associate to $F$ the system $F^h = \{f_1^h, \dots, f_m^h\}$. Here, for $f \in R$, we denote by $f^h \in S = R[t]$ the homogenization of $f$ with respect to a new variable $t$. If $F$ is a system of $m$ inhomogeneous equations in $n$ variables, then $F^h$ is a system of $m$ homogeneous equations in $n + 1$ variables. Denote by $J = (F^h) \subseteq S$ the ideal generated by $F^h$.

One may associate to $F$ another homogeneous system, whose equations are obtained from those of $F$ by dropping the lower degree monomials. Precisely, for $f \in R$ let $f^{\mathrm{top}} = f^h(x_1, \dots, x_n, 0)$ be the polynomial obtained from $f$ by homogenizing it with respect to $t$ and setting $t = 0$. In other words, $f^{\mathrm{top}}$ is the homogeneous part of $f$ of highest degree. We regard $f^{\mathrm{top}}$ as an element of $R$. Then

$$F^{\mathrm{top}} = \{f_1^{\mathrm{top}}, \dots, f_m^{\mathrm{top}}\}$$

is a system of $m$ homogeneous equations in $n$ variables. Denote by $(F^{\mathrm{top}}) \subseteq R$ the ideal generated by $F^{\mathrm{top}}$. For any $f_1, \dots, f_m \in R$, we may assume without loss of generality that $f_1^{\mathrm{top}}, \dots, f_m^{\mathrm{top}}$ are linearly independent. In fact, in case they are not, an equivalent system of equations with linearly independent homogeneous parts of highest degree can be obtained in polynomial time from $f_1, \dots, f_m$ by Gaussian elimination.

Notice that if $f_1^{\mathrm{top}}, \dots, f_m^{\mathrm{top}}$ are linearly independent, then so are $f_1, \dots, f_m$ and $f_1^h, \dots, f_m^h$.

For $d \ge 0$, denote by $R_d$ the $K$-vector space generated by the monomials of $R$ of degree $d$. Then $\dim_K R_d = \binom{n+d-1}{d}$. If $I \subseteq R$, then

$$I_d = \{f \in I \mid f \text{ homogeneous of degree } d\} \cup \{0\}$$

is a finite dimensional $K$-vector space for all $d \ge 0$. Clearly, $(R/I)_d = R_d/I_d$ is also a finite dimensional $K$-vector space of dimension $\dim_K (R/I)_d = \dim_K R_d - \dim_K I_d$.

2.1 Commutative Algebra Review

Let $I \subseteq R$ be a homogeneous ideal and suppose that $f_1, \dots, f_\mu$ is a minimal system of generators of $I$ with $\deg f_i = d_i$ for all $i$. Then $I$ is the homomorphic image of a free $R$-module $F_0$. More precisely, there is an epimorphism $\varphi_0 : F_0 \to I$, where $F_0 = \bigoplus_{i=1}^{\mu} R(-d_i)$ with the basis $\{e_1, \dots, e_\mu\}$ and $\varphi_0(e_i) = f_i$. By $R(-d_i)$ we mean a copy of the ring in which the degree of each element is shifted by $d_i$, i.e., the degree of a monomial $\prod_{j=1}^{n} x_j^{a_j}$ in $R(-d_i)$ is $\left(\sum_{j=1}^{n} a_j\right) + d_i$. With this new grading, $\varphi_0$ becomes a degree-preserving homomorphism, which means that each element of degree $d$ in $F_0$ maps to an element of the same degree in $I$.

The kernel of $\varphi_0$ is generated by a finite number of homogeneous elements. As for $I$, the $R$-module $\ker \varphi_0$ is the homomorphic image of a free $R$-module $F_1$ and one may give a new grading to the elements of $F_1$, so that the map $\varphi_1 : F_1 \to \ker \varphi_0$ becomes degree-preserving. Since $\ker \varphi_0 \subseteq F_0$, $\varphi_1$ may also be regarded as a degree-preserving map from $F_1$ to $F_0$, whose kernel is a homogeneous, finitely generated $R$-module. This process terminates after a finite number of steps, because for some $p \le n$ we have $\ker \varphi_p = 0$ due to the Hilbert Syzygy Theorem. Thus we obtain an exact sequence of the form

$$0 \to F_p \to \cdots \to F_2 \to F_1 \to F_0 \to I \to 0 \tag{1}$$

in which each $F_i$ is a free $R$-module of the form $F_i = \bigoplus_j R(-j)^{\beta^R_{i,j}(I)}$. We say that the exact sequence (1) has length $p$.

Definition 2.1 An exact sequence as in (1) constructed as we described above is a graded minimal free resolution of $I$ and the numbers $\beta^R_{i,j}(I)$ are the graded Betti numbers of $I$. The Castelnuovo-Mumford regularity of $I$, $\operatorname{reg}_R(I)$, is defined as

$$\operatorname{reg}_R(I) = \max\{j - i : \beta^R_{i,j}(I) \ne 0\}.$$


If $F = \{f_1, \dots, f_m\}$ is a sequence of homogeneous polynomials, we let $\operatorname{reg}_R(F)$ denote the regularity of the ideal $I = (F)$. The depth of $R/I$ is the maximum length of a regular sequence in $R/I$. The ideal $I$ is Cohen-Macaulay if the Krull dimension of $R/I$ is equal to its depth.

It can be shown that the depth of $R/I$ is $n - p - 1$, where $p$ is the length of a minimal free resolution of $I$. Although a graded minimal free resolution of a homogeneous ideal $I$ is not unique, the graded Betti numbers of $I$ are. In particular, the Castelnuovo-Mumford regularity of $I$ and the depth of $R/I$ are independent of the graded minimal free resolution used to compute them.

Definition 2.2 Let $I \subseteq R$ be a homogeneous ideal. The Hilbert function of $R/I$ is the function

$$H_{R/I} : \mathbb{N} \to \mathbb{N}, \qquad d \mapsto \dim_K (R/I)_d.$$

The Hilbert series of $R/I$ is the formal power series

$$HS_{R/I}(z) = \sum_{d \ge 0} H_{R/I}(d)\, z^d.$$

Notation 2.3 Let $h(z) = \sum_{d \ge 0} h_d z^d \in \mathbb{Z}[[z]]$ be a formal power series in the variable $z$, with integer coefficients. We denote by $[h(z)]$ the formal power series that one obtains by truncating $h(z)$ after the last consecutive positive coefficient, that is

$$[h(z)] = \sum_{d=0}^{\ell} h_d z^d,$$

where $\ell = \sup\{d \ge 0 \mid h_0, \dots, h_d > 0\}$.

 

We are often interested in homogeneous ideals with the following property.

Definition 2.4 Let $I \subseteq R$ be a homogeneous ideal. We say that $I$ is Artinian if there exists a $d \ge 0$ s.t. $I_d = R_d$.

Remark 2.5 The ideal $I \subseteq R$ is Artinian if and only if $HS_{R/I}(z)$ is a polynomial.

It can be shown that a homogeneous ideal $I = (f_1, \dots, f_m) \subseteq R$ is Artinian if and only if $F = \{f_1, \dots, f_m\}$ contains a regular sequence of $n$ polynomials. This is the case if and only if the system $f_1 = \cdots = f_m = 0$ has no projective solutions, i.e., the only solution of the system is $x_1 = \cdots = x_n = 0$. Throughout the paper, we often consider inhomogeneous systems $F$ with at least a solution. For such a system, $J = (F^h)$ is not Artinian. However, if $J$ is Cohen-Macaulay, one can consider an Artinian reduction. We give the definition of Artinian reduction only in the special case which will interest us.

Definition 2.6 Let $F^h \subseteq S$ be a homogeneous system of polynomial equations which has finitely many (projective) solutions over the algebraic closure of $K$. Let $\ell \in S_1$ be a homogeneous linear form such that $\ell \nmid 0$ modulo $J = (F^h)$. The ideal

$$H = J + (\ell)/(\ell) \subseteq S/(\ell)$$

is an Artinian reduction of $J$.

Notice that a linear form $\ell$ as in Definition 2.6 may not exist. In that case, the ideal $J$ does not have an Artinian reduction over $K$.

Remark 2.7 In the situation of Definition 2.6 one has $\operatorname{reg}_S(J) = \operatorname{reg}_{S/(\ell)}(H)$.

2.2 Homogeneous Semi-Regular Sequences

In cryptography, we are often interested in analyzing the behavior of sequences of polynomials which are chosen “at random”. In algebraic geometry, this can be formalized via the concept of genericity. A property is generic or holds generically if there exists a nonempty Zariski-open set where the property holds. By identifying a polynomial with the vector of its coefficients, both the set of homogeneous polynomials of degree d and that of arbitrary polynomials of degree ≤ d can be regarded as a projective space. Notice that we identify polynomials which are the same up to a nonzero scalar multiple. Hence a generic homogeneous polynomial of degree d is a homogeneous polynomial of degree d, which belongs to a given nonempty Zariski-open set in the projective space of all homogeneous polynomials of degree d. Similarly, a generic polynomial of degree ≤ d is a polynomial of degree ≤ d, which belongs to a given nonempty Zariski-open set in the projective space of all polynomials of degree ≤ d. Along the same lines, one defines a generic sequence of polynomials.

Notice that, in order for the concept of genericity to be meaningful, one needs to work over an infinite field. In fact, over an infinite field, a nonempty Zariski-open set is dense, i.e., its closure is the whole space. Over a finite field, on the other hand, the Zariski topology is the discrete topology. Hence, over a finite field, every set of polynomials is a Zariski-open set. In particular, a proper Zariski-open set is never dense over a finite field. Therefore, over a finite field, a generic property is no longer a property which is true “almost everywhere”.

Semi-regular sequences were first introduced by Pardue in [25], which was later expanded and published as [26].


Definition 2.8 Let $R = K[x_1, \dots, x_n]$ and assume that $K$ is an infinite field. If $A = R/I$, where $I$ is a homogeneous ideal, and $f \in R_d$, then $f$ is semi-regular on $A$ if for every $e \ge d$, the vector space map $A_{e-d} \to A_e$ given by multiplication by $f$ is of maximal rank (that is, either injective or surjective). A sequence of homogeneous polynomials $f_1, \dots, f_m$ is a semi-regular sequence if each $f_i$ is semi-regular on $A/(f_1, \dots, f_{i-1})$, $1 \le i \le m$.

Remark 2.9 If $m \le n$, then $f_1, \dots, f_m$ is a semi-regular sequence if and only if it is a regular sequence.

Semi-regular sequences are conjectured by Pardue to be generic sequences of polynomials in [26, Conjecture B]. He proves that this fact is equivalent to Fröberg’s Conjecture [15], which is known to be true for many classes of ideals. See [29] for an up-to-date list of these classes. Therefore, assuming that [26, Conjecture B] holds, “random” sequences of polynomials with coefficients in an infinite field $K$ are semi-regular. One advantage of dealing with semi-regular sequences is that their Hilbert function is known.

Proposition 2.10 ([26, Proposition 1]) Let $f_1, \dots, f_m \in R$ be homogeneous polynomials of degrees $d_1, \dots, d_m$. Then $f_1, \dots, f_m$ is a semi-regular sequence on $R$ if and only if

$$HS_{R/(f_1, \dots, f_\ell)}(z) = \left[ \frac{\prod_{i=1}^{\ell} (1 - z^{d_i})}{(1 - z)^n} \right]$$

for $1 \le \ell \le m$.

The interest of semi-regular sequences for multivariate cryptography was first observed in [3]. Since the definition of semi-regular sequences adopted by Bardet, Faugère, and Salvy differs from the one given by Pardue, we will use the term cryptographic semi-regular sequence. The definition we give below is equivalent to [3, Definition 3], as shown in [2, Proposition 3.2.5].

Definition 2.11 Let $K$ be an arbitrary field. A sequence of homogeneous polynomials $f_1, \dots, f_m \in R$ is a cryptographic semi-regular sequence if

$$HS_{R/(f_1, \dots, f_m)}(z) = \left[ \frac{\prod_{i=1}^{m} (1 - z^{d_i})}{(1 - z)^n} \right].$$

Remark 2.12 Any cryptographic semi-regular sequence with $m \ge n$ generates an Artinian ideal.

Notice that Definition 2.8 makes sense also over an arbitrary field. We now briefly compare semi-regular sequences over an arbitrary field with cryptographic semi-regular sequences. First of all, any semi-regular sequence is a cryptographic semi-regular sequence by Proposition 2.10. The fact that the converse does not hold follows from the example just above [26, Conjecture B].


Above we discussed a conjecture by Pardue which implies that sequences of polynomials whose coefficients are chosen uniformly at random over an infinite field are semi-regular with high probability. Pardue’s Conjecture and the related Fröberg’s Conjecture have been extensively studied and there is evidence in support of their correctness. In [4, Conjecture 2], Bardet, Faugère, and Salvy conjecture that, for $n \to \infty$, the proportion of cryptographic semi-regular sequences in the set of all sequences of $m$ polynomials in $\mathbb{F}_2[x_1, \dots, x_n]$ of degrees $d_1, \dots, d_m$ tends to 1. In [19, Theorem 7.14], Hodges, Molina, and Schlather disprove this conjecture and prove that the proportion tends to 0 as $n$ tends to $\infty$. They also propose variations of the conjecture that “most” sequences of $m$ polynomials in $\mathbb{F}_2[x_1, \dots, x_n]$ are semi-regular and prove some related results. To the best of our knowledge, none of these conjectures has been studied for finite fields different from $\mathbb{F}_2$.

2.3 The Macaulay Matrix and the Solving Degree of a System of Equations

For $d \ge 1$, the Macaulay matrix $M_d(F)$ of a polynomial system $F = \{f_1, \dots, f_m\}$ is a matrix with entries in $K$ whose columns are indexed by all elements of $\mathrm{Mon}(R)$ of degree $\le d$, sorted in decreasing order from left to right with respect to the degree reverse lexicographic order. The rows are indexed by the polynomials $m_i f_j$, where $f_j \in F$, $m_i \in \mathrm{Mon}(R)$, and $\deg m_i f_j \le d$. The $(k, l)$-th entry of the matrix is the coefficient of the index of column $l$ in the polynomial which is the index of row $k$.

In order to compute a Gröbner basis of $I$, one performs Gaussian elimination on the Macaulay matrix for increasing values of $d$. The complexity of computing the reduced row echelon form (RREF) of these matrices is bounded by a known function of the solving degree, which is the largest degree which is involved in the computation. Therefore, the solving degree is the relevant parameter to estimate, in order to estimate the complexity of computing the solutions of the system $F$.

We analyze the following algorithm to compute the reduced Gröbner basis of $I$ with respect to the degree reverse lexicographic order. Start in degree $d = \max\{d_1, \dots, d_m\}$. Perform Gaussian elimination on $M_d(F)$ to compute its RREF. Since the rows of $M_d(F)$ correspond to the polynomials $m_i f_j$, Gaussian elimination corresponds to taking linear combinations of these polynomials. Hence, every row in the RREF corresponds to a polynomial in the ideal generated by $F$. In order to better keep track of what happens to each row, we use a variant of Gaussian elimination which does not permute the rows. Suppose the $k$th row of $M_d(F)$ is indexed by the polynomial $m_i f_j$. Then the $k$th row in the RREF corresponds to a polynomial of the form [$m_i f_j$ + a linear combination of other rows of $M_d(F)$]. If computing the RREF produces a polynomial $f$ which has leading term strictly smaller than that of $m_i f_j$ and $\deg(f) < d$, then one appends to the matrix new rows $uf$ for all $u \in \mathrm{Mon}(R)$ such that $\deg(uf) \le d$. This condition is checked for all rows. Gaussian elimination is then performed on the resulting matrix, and the process is repeated. Eventually, no degree reductions will be produced. Then we have either found a Gröbner basis of $I$ and we stop, or we have not and we proceed to the next degree, $d + 1$.


The algorithm as described will compute a Gröbner basis for $I$. It does not, however, give a method for verifying whether the final matrix output corresponds to a Gröbner basis. One stopping criterion is that the S-polynomials corresponding to the output basis reduce to 0. Suppose we want to verify the output after $d$ iterations. The stopping criterion can be verified by Gaussian elimination; however, this will be of a matrix in degree $d'$, where $d < d' \le 2d - 1$. Another possible stopping criterion is giving an a priori bound on the solving degree. Concretely, if one can prove that the solving degree of a system $F$ is at most $D$, then one can stop the computation in degree $D$.

Definition 2.13 Suppose $n \le m$ and $d_1 \le \cdots \le d_m$. The Macaulay bound is

$$\sum_{i=m-n+1}^{m} (d_i - 1) + 1.$$

The Macaulay bound was shown by Lazard [23] to bound from above the degrees of the polynomials in a Gröbner basis of $(F)$, for a homogeneous system $F$ that has finitely many solutions over the algebraic closure of $K$.

Definition 2.14 The solving degree of $F$, $\operatorname{solv.deg}(F)$, is the least degree $d$ in which the algorithm described above returns a degree reverse lexicographic Gröbner basis of $I$.

Intuitively, the solving degree is the largest degree of the polynomials involved in the computation of the reduced degree reverse lexicographic Gröbner basis of $I$.

3 Solving Degree, Degree of Regularity, and Castelnuovo-Mumford Regularity

Let $F = \{f_1, \dots, f_m\} \subseteq R$ and consider the degree reverse lexicographic order on $R$. We are interested in bounding the solving degree of $F$. The concept of degree of regularity is widely used in the cryptographic literature.

Definition 3.1 ([3, Definition 4]) Let $F$ be a system of polynomial equations and assume that $(F^{\mathrm{top}})_d = R_d$ for $d \gg 0$. The degree of regularity of $F$ is

$$d_{\mathrm{reg}}(F) = \min\{d \ge 0 \mid (F^{\mathrm{top}})_d = R_d\}.$$

If $(F^{\mathrm{top}})_d \ne R_d$ for all $d \ge 0$, we let $d_{\mathrm{reg}}(F) = \infty$.

It follows from [12, Proposition 4.5] that if $I^{\mathrm{top}}_d = R_d$ for some $d \ge 0$, then

$$d_{\mathrm{reg}}(F) = \operatorname{reg}(F^{\mathrm{top}}).$$


Many authors use the degree of regularity as a heuristic upper bound or estimate for the solving degree. To the best of our knowledge, however, this has never been formalized and we could not find a proof in the literature that the degree of regularity produces an estimate for the solving degree. The next examples show that the degree of regularity is not an upper bound for the solving degree and that their difference can be non-negligible.

The next two examples are inspired by an example in [6, Page 10]. In both of them we use the largest step degree computed via the computer algebra system Magma [10], as a proxy for the solving degree. More precisely, we use the value of the largest step degree which appears in the Magma computation as a value of the solving degree.

Example 3.2 Let $R = \mathbb{F}_7[x, y, z]$ and let $f_x = x^7 - x$, $f_y = y^7 - y$, $f_z = z^7 - z$ be the field equations. Consider the equations $f_1 = x^5 + y^5 + z^5 - 1$, $f_2 = x^3 + y^3 + z^2 - 1$, $f_3 = y^6 - 1$, $f_4 = z^6 - 1$. Consider the system of equations

$$F = \left\{ \prod_{j=1}^{3} f_{i_j} \;\middle|\; 1 \le i_1 \le i_2 \le i_3 \le 4 \right\} \cup \{f_x, f_y, f_z\}.$$

Observe that the system generates a radical ideal, since it contains the field equations. Using Magma one can compute

$$\operatorname{solv.deg}(F) = 24 > 15 = d_{\mathrm{reg}}(F).$$

Notice that $F$ contains equations of degree 18; however, this still does not account for the gap between the solving degree and the degree of regularity of $F$.

Example 3.3 Let $R = \mathbb{F}_7[x, y, z]$ and let $f_x = x^7 - x$, $f_y = y^7 - y$, $f_z = z^7 - z$ be the field equations. Consider the equations $f_1 = x^5 + y^5 + z^5 - 1$, $f_2 = x^3 + y^3 + z^2 - 1$, $f_3 = f_x$, $f_4 = f_y$, $f_5 = f_z$. Consider the system of equations

$$F = \{ f_i f_j \mid 1 \le i \le j \le 5 \} \cup \{f_x, f_y, f_z\}.$$

Observe that $F$ generates a radical ideal, since it contains the field equations. Using Magma one can compute

$$\operatorname{solv.deg}(F) = 21 > 13 = d_{\mathrm{reg}}(F).$$


Notice that $F$ contains equations of degree 14; however, this still does not account for the gap between the solving degree and the degree of regularity of $F$.

Example 3.4 Let $F = \{x^4 - 1,\ x^2 y - x^2,\ y^2 - 1\} \subseteq \mathbb{Z}_7[x, y]$. The ideal $(F^{\mathrm{top}}) = (x^4, x^2 y, y^2)$ is generated by a cryptographic semi-regular sequence and $d_{\mathrm{reg}}(F) = 4$. The reduced Gröbner basis of the ideal $I = (F)$ with respect to the degree reverse lexicographic order with $x > y$ is $\{y - 1,\ x^4 - 1\}$ and $\operatorname{solv.deg}(F) = 5 > 4 = d_{\mathrm{reg}}(F)$.

The regularity of the ideal generated by the system $F^h$ obtained by homogenizing the equations of $F$ with respect to a new variable is an upper bound on the solving degree of $F$, whenever the equations of $F^h$ generate an ideal in generic coordinates. This is the case in particular if $F$ contains the field equations. We refer the reader to [12, Definition 1.11] for the definition of generic coordinates.

Theorem 3.5 ([12, Theorem 3.23 and Theorem 3.26]) Consider the degree reverse lexicographic order on $R$. Assume that $F = \{f_1, \dots, f_m\} \subseteq R$ contains the field equations and let $J = (f_1^h, \dots, f_m^h) \subseteq S$. Then

$$\operatorname{solv.deg}(F) \le \operatorname{reg}(J).$$

It follows from Theorem 3.5 that, whenever $t \nmid 0$ modulo $J = (F^h)$, then the degree of regularity bounds the solving degree. Unfortunately, it is often the case that $t \mid 0$ modulo $J$, as we discuss in Sect. 5.1. Therefore, the applicability of the next result is limited.

Corollary 3.6 Consider the degree reverse lexicographic order on $R$. Assume that $F = \{f_1, \dots, f_m\} \subseteq R$ contains the field equations and let $J = (f_1^h, \dots, f_m^h) \subseteq S$. If $t \nmid 0$ modulo $J$, then

$$\operatorname{solv.deg}(F) \le d_{\mathrm{reg}}(F).$$

Proof Let $(F^{\mathrm{top}}) = (f_1^{\mathrm{top}}, \dots, f_m^{\mathrm{top}}) \subseteq R$. The natural isomorphism $S/(t) \cong R$ maps $J + (t)/(t)$ to $(F^{\mathrm{top}})$. If $t \nmid 0$ modulo $J$, then $(F^{\mathrm{top}})$ is an Artinian reduction of $J$, hence

$$\operatorname{reg}(J) = \operatorname{reg}(F^{\mathrm{top}}) = d_{\mathrm{reg}}(F).$$

The thesis now follows from Theorem 3.5.
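The gap in Example 3.4 can be reproduced with plain linear algebra. The following Python sketch is an added example, not code from the paper (which relies on Magma for Examples 3.2 and 3.3): it builds the Macaulay matrices of Sect. 2.3 over Z_7, computes the degree of regularity from the top-degree parts, and finds the first degree in which the Gröbner basis elements y − 1 and x^4 − 1 lie in the row space. It uses ordinary row reduction without the appended degree-fall rows, which is enough for this system; all function names are assumptions of the sketch.

```python
from itertools import product
from math import comb

P = 7  # Example 3.4 works over Z_7

def monomials(n, d):
    """Exponent vectors of degree <= d, largest first in degree reverse lex order."""
    ms = [e for e in product(range(d + 1), repeat=n) if sum(e) <= d]
    return sorted(ms, key=lambda e: (-sum(e), e[::-1]))

def degree(f):
    return max(sum(e) for e in f)

def top_part(f):
    """Homogeneous part of highest degree (f^top in the paper)."""
    return {e: c for e, c in f.items() if sum(e) == degree(f)}

def macaulay_matrix(F, n, d):
    """Rows are the products u*f with f in F, u a monomial and deg(u*f) <= d."""
    cols = monomials(n, d)
    index = {e: j for j, e in enumerate(cols)}
    rows = []
    for f in F:
        for u in monomials(n, d - degree(f)):
            row = [0] * len(cols)
            for e, c in f.items():
                row[index[tuple(a + b for a, b in zip(u, e))]] = c % P
            rows.append(row)
    return rows, cols

def rref(rows):
    """Reduced row echelon form mod P; returns (nonzero rows, pivot columns)."""
    if not rows:
        return [], []
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                k = rows[i][c]
                rows[i] = [(a - k * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == len(rows):
            break
    return rows[:r], pivots

def in_row_space(g, F, n, d):
    """True if g is a K-linear combination of the rows of M_d(F)."""
    rows, cols = macaulay_matrix(F, n, d)
    basis, pivots = rref(rows)
    v = [0] * len(cols)
    for e, c in g.items():
        v[cols.index(e)] = c % P
    for row, pc in zip(basis, pivots):
        if v[pc]:
            k = v[pc]
            v = [(a - k * b) % P for a, b in zip(v, row)]
    return not any(v)

def degree_of_regularity(F, n, d_max):
    """Least d with (F^top)_d = R_d (Definition 3.1), or None up to d_max."""
    tops = [top_part(f) for f in F]
    for d in range(d_max + 1):
        rows, cols = macaulay_matrix(tops, n, d)
        _, pivots = rref(rows)
        # rows are homogeneous, so pivots in degree-d columns count dim (F^top)_d
        if sum(1 for c in pivots if sum(cols[c]) == d) == comb(n + d - 1, d):
            return d
    return None

def first_degree_containing(G, F, n, d_max):
    """Least d >= max deg(f) such that every g in G is in the row space of M_d(F)."""
    for d in range(max(degree(f) for f in F), d_max + 1):
        if all(in_row_space(g, F, n, d) for g in G):
            return d
    return None

# Example 3.4; exponent vectors are (deg_x, deg_y)
F = [{(4, 0): 1, (0, 0): -1},   # x^4 - 1
     {(2, 1): 1, (2, 0): -1},   # x^2*y - x^2
     {(0, 2): 1, (0, 0): -1}]   # y^2 - 1
G = [{(0, 1): 1, (0, 0): -1},   # y - 1
     {(4, 0): 1, (0, 0): -1}]   # x^4 - 1

if __name__ == "__main__":
    print("d_reg(F) =", degree_of_regularity(F, 2, 8))
    print("Groebner basis first in row space at d =", first_degree_containing(G, F, 2, 8))
```

The element y − 1 only appears once the degree-5 rows y·(x^4 − 1) and x^2·(x^2 y − x^2) are present, which is why a cost estimate based on d_reg(F) = 4 undercounts the matrix size for this system.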

 

4 Solving Degree of Cryptographic Semi-regular Systems

Let $F = \{f_1, \dots, f_m\} \subseteq R$ be a system of homogeneous or inhomogeneous equations. In the first subsection we provide explicit bounds on the solving degree of $F$ when the polynomials are homogeneous. In the second subsection we propose a definition of semi-regularity for inhomogeneous polynomials, which is different from that of [5]. Then we derive explicit bounds on the solving degree of $F$ when the polynomials are inhomogeneous. In addition, in the appendix we provide a table of upper bounds for the solving degree of cryptographic semi-regular systems with $n$ variables and $m = n + k$ quadratic equations, for $1 \le n, k \le 100$.

4.1 Homogeneous Cryptographic Semi-regular Sequences

The definition of cryptographic semi-regular sequence implicitly provides a bound for the solving degree of the corresponding system. In fact, since the Hilbert series of a cryptographic semi-regular sequence is given by the formula in Definition 2.11, for any given choice of $m$, $n$ and the degrees $d_1, \dots, d_m$, one can use the formula to compute the Castelnuovo-Mumford regularity of the ideal $I$ generated by the equations of the system $F$. Explicitly, the degree of the term with the first non-positive coefficient in the Hilbert series expansion is equal to the Castelnuovo-Mumford regularity of $I$. The Castelnuovo-Mumford regularity of $I$ provides a bound for the solving degree of $F$ by [12, Theorem 3.22], under the assumption that the ideal $I$ is in generic coordinates. However, even if such a bound can be computed for any choice of $m, n, d_1, \dots, d_m$, it is a difficult task to provide an explicit formula for it.

If $m \le n$, then a cryptographic semi-regular sequence is a regular sequence. The Castelnuovo-Mumford regularity of a regular sequence is given by a simple formula, which coincides with the Macaulay bound for $m = n$. If $m > n$, asymptotic formulas for the degree of regularity of a cryptographic semi-regular sequence (which in this situation coincides with the Castelnuovo-Mumford regularity of the ideal that the sequence generates) are given in [3, 5].

In this subsection we produce new explicit bounds for the solving degree of homogeneous cryptographic semi-regular systems. Instead of making an asymptotic analysis, we study the situation when the difference $m - n$ is small. More precisely, we provide explicit formulas in the cases: $m = n + 1$, $n + 2 \le m \le n + 5$ and the equations are quadratic, or $m = n + 2$ and the equations are cubic.

Our first result concerns the solving degree of systems consisting of $n + 1$ generic homogeneous polynomials $f_1, \dots, f_{n+1}$ of degrees $d_i = \deg(f_i)$, $d_1 \le \cdots \le d_{n+1}$ over an infinite field. This can be easily computed by using a result of Migliore and Miró-Roig [24]. Notice that, since the polynomials are generic and the field is infinite, then $f_1, \dots, f_n$ are a complete intersection. Therefore, $(f_1, \dots, f_n)_d = R_d$ for $d \ge d_1 + \cdots + d_n - n + 1$. Therefore, if $d_{n+1} \ge d_1 + \cdots + d_n - n + 1$, then the last equation may be removed from the system, as $f_{n+1} \in (f_1, \dots, f_n)$. Hence we may assume without loss of generality that $d_{n+1} \le d_1 + \cdots + d_n - n$.

Theorem 4.1 Let $K$ be an infinite field and let $F = \{f_1, \dots, f_{n+1}\}$ consist of $n + 1$ generic homogeneous polynomials of degrees $d_i = \deg(f_i)$ in $n$ variables. Let $d_1 \le d_2 \le \cdots \le d_{n+1}$. Assume without loss of generality that $d_{n+1} \le d_1 + \cdots + d_n - n$. Then $F$ is a cryptographic semi-regular sequence and

$$\operatorname{solv.deg}(F) \le \left\lfloor \frac{d_1 + \cdots + d_{n+1} - n - 1}{2} \right\rfloor + 1.$$

In particular, if $d_1 = \cdots = d_{n+1} = 2$, then

$$\operatorname{solv.deg}(F) \le \left\lfloor \frac{n+1}{2} \right\rfloor + 1$$

and if $d_1 = \cdots = d_{n+1} = 3$, then $\operatorname{solv.deg}(F) \le n + 2$.

Proof Let $I = (f_1, \dots, f_{n+1}) \subseteq R$. The fact that $F$ is a cryptographic semi-regular sequence is explained in [24], using results from [28, 30]. By [24, Lemma 2.5] one has

$$\operatorname{reg}(I) = \left\lfloor \frac{d_1 + \cdots + d_{n+1} - n - 1}{2} \right\rfloor + 1.$$

If $d_1 = \cdots = d_{n+1} = 2$, then

$$\operatorname{reg}(I) = \left\lfloor \frac{n+1}{2} \right\rfloor + 1.$$

If $d_1 = \cdots = d_{n+1} = 3$, then $\operatorname{reg}(I) \le n + 2$. Since $I$ is generated by generic polynomials, then it is in generic coordinates. Therefore we conclude by [12, Theorem 3.22].

The same result holds for homogeneous cryptographic semi-regular systems over a finite field. Over a field of characteristic zero, a random sequence of $n + 1$ polynomials will be semi-regular, hence also cryptographic semi-regular, see [27]. However, we cannot make the same claim for polynomials over a finite field. Hence, in Theorem 4.2, we specify $F$ to be a homogeneous cryptographic semi-regular sequence. The proof of Theorem 4.2 is the same as the proof of Theorem 4.1.

Theorem 4.2 Let $K$ be a finite field and let $F = \{f_1, \dots, f_{n+1}\}$ be a homogeneous cryptographic semi-regular sequence of polynomials of degrees $d_i = \deg(f_i)$ in $n$ variables. Let $I = (f_1, \dots, f_{n+1})$. Let $d_1 \le d_2 \le \cdots \le d_{n+1}$. Assume without loss of generality that $d_{n+1} \le d_1 + \cdots + d_n - n$. Then

$$\operatorname{max.GB.deg}(I) \le \left\lfloor \frac{d_1 + \cdots + d_{n+1} - n - 1}{2} \right\rfloor + 1.$$

In particular, if $d_1 = \cdots = d_{n+1} = 2$, then

$$\operatorname{max.GB.deg}(I) \le \left\lfloor \frac{n+1}{2} \right\rfloor + 1$$

and if $d_1 = \cdots = d_{n+1} = 3$, then $\operatorname{max.GB.deg}(I) \le n + 2$. If in addition $I$ is in generic coordinates, then

$$\operatorname{solv.deg}(F) \le \left\lfloor \frac{d_1 + \cdots + d_{n+1} - n - 1}{2} \right\rfloor + 1.$$

In particular, if $d_1 = \cdots = d_{n+1} = 2$ and $I$ is in generic coordinates, then

$$\operatorname{solv.deg}(F) \le \left\lfloor \frac{n+1}{2} \right\rfloor + 1$$

and if $d_1 = \cdots = d_{n+1} = 3$ and $I$ is in generic coordinates, then $\operatorname{solv.deg}(F) \le n + 2$.

Remark 4.3 Notice that the bound obtained in Theorems 4.1 and 4.2 implies that $\operatorname{solv.deg}(F) \le d_1 + \cdots + d_n - n$, since $d_{n+1} \le d_1 + \cdots + d_n - n$. In particular, this bound is always better than the Macaulay bound.

We now study the case when $n + 2 \le m \le n + 5$ and the equations are homogeneous and quadratic. The assumption that $F$ generates an ideal which is in generic coordinates is satisfied for “sufficiently general” polynomials, or when $F$ contains the homogenizations of the field equations.

Theorem 4.4 Let $F = \{f_1, \dots, f_m\}$ be a cryptographic semi-regular sequence of homogeneous polynomials of degree 2 in $n$ variables. Let $I = (F)$ and let

$$r(m, n) = \begin{cases}
\left\lceil \left(4 + n - \sqrt{4 + n}\right)/2 \right\rceil & \text{if } m = n + 2, \\
\left\lceil \left(6 + n - \sqrt{16 + 3n}\right)/2 \right\rceil & \text{if } m = n + 3, \\
\left\lceil \left(8 + n - \sqrt{20 + 3n + \sqrt{2}\sqrt{128 + 39n + 3n^2}}\right)/2 \right\rceil & \text{if } m = n + 4, \\
\left\lceil \left(10 + n - \sqrt{40 + 5n + \sqrt{2}\sqrt{288 + 75n + 5n^2}}\right)/2 \right\rceil & \text{if } m = n + 5.
\end{cases}$$

Then $\operatorname{max.GB.deg}(I) \le r(m, n)$. If in addition we assume that $I$ is in generic coordinates, then $\operatorname{solv.deg}(F) \le r(m, n)$.

Proof Let $I = (f_1, \dots, f_m) \subseteq R$. Since $m > n$ and $F = \{f_1, \dots, f_m\}$ is a cryptographic semi-regular sequence, then there exists a $d$ such that $I_d = R_d$. The Castelnuovo-Mumford regularity of $I$ is the least such degree. By the definition of cryptographic semi-regular sequence, $\operatorname{reg}(I)$ is the least degree in which the formal power series $(1 - z^2)^m/(1 - z)^n$ has a non-positive coefficient. One has

$$\frac{(1 - z^2)^m}{(1 - z)^n} = (1 - z)^{m-n}(1 + z)^m = \left( \sum_{j=0}^{m-n} (-1)^j \binom{m-n}{j} z^j \right) \left( \sum_{i=0}^{m} \binom{m}{i} z^i \right) = \sum_{i=0}^{m} \sum_{j=0}^{m-n} (-1)^j \binom{m-n}{j} \binom{m}{i} z^{i+j}. \tag{2}$$

Hence the coefficient of $z^k$ in (2) is

$$C_k = \sum_{l=0}^{k} (-1)^l \binom{m-n}{l} \binom{m}{k-l}$$

and for $k \ge m - n$ we have

$$C_k = \sum_{l=0}^{m-n} (-1)^l \binom{m-n}{l} \binom{m}{k-l} = \frac{m!\,(m-n)!}{k!\,(2m-n-k)!} \sum_{l=0}^{m-n} (-1)^l \binom{2m-n-k}{m-n-l} \binom{k}{l}.$$

Setting $r := m - n$, we have

$$C_k = \frac{(n + r)!}{k!\,(2r + n - k)!}\, f(r, k), \tag{3}$$

where

$$f(r, k) = r! \sum_{l=0}^{r} (-1)^l \binom{2r + n - k}{r - l} \binom{k}{l}. \tag{4}$$

By (3), $C_k$ and $f(r, k)$ have the same sign. Hence in order to find $\operatorname{reg}(I)$, it suffices to find the smallest $k$ for which $f(r, k)$ is non-positive.

(i) Letting $m = n + 2$ in (4), we obtain

$$f(2, k) = 4k^2 - 4(4 + n)k + n^2 + 7n + 12.$$

As a function of $k$, $f(2, k)$ has two zeros

$$k_1 = \left(4 + n - \sqrt{4 + n}\right)/2, \qquad k_2 = \left(4 + n + \sqrt{4 + n}\right)/2.$$

So it is positive in $(-\infty, k_1) \cup (k_2, +\infty)$, and is negative in $(k_1, k_2)$. Since $\lceil k_1 \rceil < k_2$, the first non-positive coefficient of $z^k$ in (2) occurs for $k = \left\lceil \left(4 + n - \sqrt{4 + n}\right)/2 \right\rceil$.

(ii) Letting $m = n + 3$ in (4), we obtain

$$f(3, k) = -8k^3 + 12(6 + n)k^2 - 2(92 + 33n + 3n^2)k + n^3 + 15n^2 + 74n + 120.$$

As a function of $k$, $f(3, k)$ has three zeros

$$k_1 = \left(6 + n - \sqrt{16 + 3n}\right)/2, \qquad k_2 = (6 + n)/2, \qquad k_3 = \left(6 + n + \sqrt{16 + 3n}\right)/2,$$

it is positive in $(-\infty, k_1) \cup (k_2, k_3)$, and negative in $(k_1, k_2) \cup (k_3, +\infty)$. Since $\lceil k_1 \rceil < k_2$, then $\operatorname{reg}(I) = \lceil k_1 \rceil$.

(iii) Letting $m = n + 4$ in (4), we obtain

$$f(4, k) = 16k^4 - 32(8 + n)k^3 + 8(172 + 45n + 3n^2)k^2 - 8(352 + 148n + 21n^2 + n^3)k + n^4 + 26n^3 + 251n^2 + 1066n + 1680.$$

As a function of $k$, $f(4, k)$ admits four zeros

$$k_1 = \left(8 + n - \sqrt{20 + 3n + \sqrt{2}\sqrt{128 + 39n + 3n^2}}\right)/2,$$
$$k_2 = \left(8 + n - \sqrt{20 + 3n - \sqrt{2}\sqrt{128 + 39n + 3n^2}}\right)/2,$$
$$k_3 = \left(8 + n + \sqrt{20 + 3n - \sqrt{2}\sqrt{128 + 39n + 3n^2}}\right)/2,$$
$$k_4 = \left(8 + n + \sqrt{20 + 3n + \sqrt{2}\sqrt{128 + 39n + 3n^2}}\right)/2.$$

This function is positive in $(-\infty, k_1) \cup (k_2, k_3) \cup (k_4, +\infty)$, and negative in $(k_1, k_2) \cup (k_3, k_4)$. Since $\lceil k_1 \rceil < k_2$, then $\operatorname{reg}(I) = \lceil k_1 \rceil$.

(iv) Letting $m = n + 5$ in (4), we obtain

$$f(5, k) = -32k^5 + 80(10 + n)k^4 - 80(92 + 19n + n^2)k^3 + 40(760 + 246n + 27n^2 + n^3)k^2 - 2(27024 + 12450n + 2175n^2 + 170n^3 + 5n^4)k + n^5 + 40n^4 + 635n^3 + 5000n^2 + 19524n + 30240.$$

As a function of $k$, $f(5, k)$ admits five zeros

$$i_1 = \tfrac{1}{2}\left(10 + n - \sqrt{40 + 5n + \sqrt{2}\sqrt{288 + 75n + 5n^2}}\right),$$
$$i_2 = \tfrac{1}{2}\left(10 + n - \sqrt{40 + 5n - \sqrt{2}\sqrt{288 + 75n + 5n^2}}\right),$$
$$i_3 = \frac{10 + n}{2},$$
$$i_4 = \tfrac{1}{2}\left(10 + n + \sqrt{40 + 5n - \sqrt{2}\sqrt{288 + 75n + 5n^2}}\right),$$
$$i_5 = \tfrac{1}{2}\left(10 + n + \sqrt{40 + 5n + \sqrt{2}\sqrt{288 + 75n + 5n^2}}\right).$$

Since the polynomial function $f(5, k)$ is continuous and positive in $i \in (-\infty, i_1) \cup (i_2, i_3) \cup (i_4, i_5)$, the first change in sign from positive to negative occurs when

$$k = \left\lceil \tfrac{1}{2}\left(10 + n - \sqrt{40 + 5n + \sqrt{2}\sqrt{288 + 75n + 5n^2}}\right) \right\rceil.$$

We have proved that the Castelnuovo-Mumford regularity of $I$ is $\operatorname{reg}(I) = r(m, n)$. The bound on the degree of the elements of the degree reverse lexicographic Gröbner basis of $I$ now follows from [12, Proposition 4.5 and Remark 4.6]. The bound on the solving degree follows from [12, Theorem 3.22], under the assumption that $I$ is in generic coordinates.

Theorems 4.2 and 4.4 also provide an upper bound for the solving degree of homogeneous cryptographic semi-regular sequences for larger values of $m$.

Corollary 4.5 Let $F = \{f_1, \dots, f_m\}$ be a cryptographic semi-regular sequence of homogeneous polynomials of degree $d = 2, 3$ in $n$ variables. Assume that $m \ge n + 5$ if $d = 2$ and that $m \ge n + 1$ if $d = 3$. Let $I = (F)$ and let

$$r(n, d) = \begin{cases}
\left\lceil \left(10 + n - \sqrt{40 + 5n + \sqrt{2}\sqrt{288 + 75n + 5n^2}}\right)/2 \right\rceil & \text{if } d = 2, \\
n + 2 & \text{if } d = 3.
\end{cases}$$

Semi-Regular Sequences and Other Random Systems of Equations


Then $\operatorname{max.GB.deg}(I) \le r(n, d)$. If in addition we assume that $I$ is in generic coordinates, then $\operatorname{solv.deg}(F) \le r(n, d)$.

Proof Notice that $r(n, 2)$ is the Castelnuovo-Mumford regularity of an ideal $H$ generated by a cryptographic semi-regular sequence consisting of $n + 5$ homogeneous quadratic polynomials. Moreover, $r(n, 3)$ is the Castelnuovo-Mumford regularity of an ideal $H$ generated by a cryptographic semi-regular sequence consisting of $n + 1$ homogeneous cubic polynomials. Since $I$ contains such an ideal $H$ and $H$ is Artinian, then $\operatorname{reg}(I) \le \operatorname{reg}(H)$. The bound on the degree of the elements of the degree reverse lexicographic Gröbner basis of $I$ now follows from [12, Proposition 4.5 and Remark 4.6]. The bound on the solving degree of $F$ follows from [12, Theorem 3.22], under the assumption that $I$ is in generic coordinates.

4.2 Inhomogeneous Cryptographic Semi-regular Sequences

Let $F = \{f_1, \ldots, f_m\} \subseteq R$ be a system of inhomogeneous polynomials. Inhomogeneous cryptographic semi-regular sequences are defined in [5, Definition 5] as sequences $F$ such that $F^{\mathrm{top}}$ is a cryptographic semi-regular sequence, according to Definition 2.11. This definition allows the authors to estimate the degree of regularity of $F$. The examples that we presented in Sect. 3, however, show that the degree of regularity of $F$ can be quite a bit smaller than its solving degree. In view of those examples, therefore, we propose a different definition. Instead of looking at the sequence $F^{\mathrm{top}}$ of homogeneous parts of highest degree, we consider the sequence $F^h$ of the homogenizations of the original polynomials, with respect to a new variable.

Definition 4.6 An inhomogeneous system of polynomials $F = \{f_1, \ldots, f_m\} \subseteq R$ is a cryptographic semi-regular sequence if $F^h = \{f_1^h, \ldots, f_m^h\} \subseteq S = R[t]$ is a cryptographic semi-regular sequence.

Definition 4.6 is very natural also in view of Pardue's Conjecture [26, Conjecture B]. Informally, Pardue's Conjecture states that semi-regular sequences are sequences of generic polynomials, i.e. random systems of polynomials. If we think of a random inhomogeneous polynomial $f \in R$ of degree $d$ as a linear combination with randomly chosen coefficients of the monomials of $R$ of degree less than or equal to $d$, then its homogenization $f^h \in S$ is a linear combination with randomly chosen coefficients of the monomials of $S$ of degree $d$. In other words, $f$ is a random inhomogeneous polynomial of degree $d$ if and only if $f^h$ is a random homogeneous polynomial of degree $d$.

Definition 4.6 allows us to apply our results on homogeneous systems from the previous subsection to systems of inhomogeneous polynomials. As a direct consequence of Theorems 4.1, 4.2, 4.4, and Corollary 4.5, we obtain the following results.

Theorem 4.7 Let $K$ be an infinite field and let $F = \{f_1, \ldots, f_m\} \subseteq R$ be a sequence of generic inhomogeneous polynomials of degrees $d_i = \deg(f_i)$, with $m \in \{n + 1, n + 2\}$. If $m = n + 2$, assume without loss of generality that $d_{n+2} \le d_1 + \cdots + d_{n+1} - n - 1$. Then $F$ is a cryptographic semi-regular sequence and

$$\operatorname{solv.deg}(F) \le \begin{cases} d_1 + \cdots + d_{n+1} - n & \text{if } m = n + 1, \\ \left\lfloor \dfrac{d_1 + \cdots + d_{n+2} - n - 2}{2} \right\rfloor + 1 & \text{if } m = n + 2. \end{cases}$$

In particular, if $d_1 = \cdots = d_m = 2$, then

$$\operatorname{solv.deg}(F) \le \begin{cases} n + 2 & \text{if } m = n + 1, \\ \left\lfloor \dfrac{n}{2} \right\rfloor + 2 & \text{if } m = n + 2, \end{cases}$$

and if $d_1 = \cdots = d_{n+1} = 3$, then

$$\operatorname{solv.deg}(F) \le \begin{cases} 2n + 3 & \text{if } m = n + 1, \\ n + 3 & \text{if } m = n + 2. \end{cases}$$

Proof If $m = n + 1$, the thesis follows from observing that the homogenization of a sequence of $n + 1$ generic inhomogeneous polynomials in $n$ variables is a sequence of $n + 1$ generic homogeneous polynomials in $n + 1$ variables, hence it is a regular sequence. If $m = n + 2$, the thesis follows from applying Theorem 4.1 to $F^h$.

The reason for working over an infinite field in Theorems 4.1 and 4.7 is that the notion of generic polynomials is defined only over infinite fields. Over finite fields, one can no longer speak of generic polynomials. Nevertheless, one obtains the same bounds for cryptographic semi-regular sequences over finite fields. The next theorem follows from applying Theorem 4.2 to $F^h$.

Theorem 4.8 Let $K$ be a finite field and let $F = \{f_1, \ldots, f_m\} \subseteq R$ be a cryptographic semi-regular sequence of inhomogeneous polynomials of degrees $d_i = \deg(f_i)$, with $m \in \{n + 1, n + 2\}$. Let $I = (f_1, \ldots, f_m)$. If $m = n + 2$, assume without loss of generality that $d_{n+2} \le d_1 + \cdots + d_{n+1} - n - 1$. Let

$$r(n, d_1, \ldots, d_m) = \begin{cases} d_1 + \cdots + d_{n+1} - n & \text{if } m = n + 1, \\ \left\lfloor \dfrac{d_1 + \cdots + d_{n+2} - n - 2}{2} \right\rfloor + 1 & \text{if } m = n + 2. \end{cases}$$

If $d_1 = \cdots = d_m = 2$, then

$$r(n, 2, \ldots, 2) = \begin{cases} n + 2 & \text{if } m = n + 1, \\ \left\lfloor \dfrac{n}{2} \right\rfloor + 2 & \text{if } m = n + 2, \end{cases}$$

and if $d_1 = \cdots = d_{n+1} = 3$, then

$$r(n, 3, \ldots, 3) = \begin{cases} 2n + 3 & \text{if } m = n + 1, \\ n + 3 & \text{if } m = n + 2. \end{cases}$$

Then $\operatorname{max.GB.deg}(I) \le r(n, d_1, \ldots, d_m)$. If in addition $J = (F^h)$ is in generic coordinates, then $\operatorname{solv.deg}(F) \le r(n, d_1, \ldots, d_m)$.

We now give an example of inhomogeneous cryptographic semi-regular sequences coming from index-calculus.

Example 4.9 Using PYTHON, we performed the index-calculus algorithm on elliptic curves defined over finite fields $\mathbb{F}_{q^n}$, $q$ a large prime number and $n \in \{3, 4, 5\}$. Following the approach of Joux-Vitse [9], we tried to decompose a random point on the curve as a sum of $n - 1$ points of the factor basis and obtained overdetermined systems of $n$ equations in $n - 1$ variables. Almost all the systems we produced are inhomogeneous cryptographic semi-regular systems. When we homogenize them, we obtain regular sequences of $n$ polynomials in $n$ variables. Therefore, their solving degree is bounded by $d_1 + \cdots + d_n - (n - 1)$ where $d_1, \ldots, d_n$ are the degrees of the $n$ polynomials. Notice that, since systems of this kind usually have no solutions, it is natural to expect that their homogenizations also have no solutions. Since the homogenizations are systems of $n$ polynomials in $n$ variables, they have no solutions if and only if they are regular sequences.

We conclude the section with two more bounds on the solving degree of cryptographic semi-regular sequences of inhomogeneous polynomials. They follow from applying Theorem 4.4 and Corollary 4.5 to $F^h$.

Theorem 4.10 Let $F = \{f_1, \ldots, f_m\}$ be a cryptographic semi-regular sequence of inhomogeneous polynomials of degree 2 in $n$ variables. Let $I = (F)$ and let

$$r(m, n) = \begin{cases} \Big\lceil \big(5 + n - \sqrt{5 + n}\big)/2 \Big\rceil & \text{if } m = n + 3, \\ \Big\lceil \big(7 + n - \sqrt{19 + 3n}\big)/2 \Big\rceil & \text{if } m = n + 4, \\ \Big\lceil \Big(9 + n - \sqrt{23 + 3n + \sqrt{2}\sqrt{170 + 45n + 3n^2}}\Big)/2 \Big\rceil & \text{if } m = n + 5, \\ \Big\lceil \Big(11 + n - \sqrt{45 + 5n + \sqrt{2}\sqrt{368 + 85n + 5n^2}}\Big)/2 \Big\rceil & \text{if } m \ge n + 6. \end{cases}$$


Then $\operatorname{max.GB.deg}(I) \le r(m, n)$. Assume in addition that $F^h$ generates an ideal which is in generic coordinates. Then $\operatorname{solv.deg}(F) \le r(m, n)$.

Theorem 4.11 Let $m \ge n + 2$ and let $F = \{f_1, \ldots, f_m\}$ be a cryptographic semi-regular sequence of inhomogeneous polynomials of degree 3 in $n$ variables. Let $I = (F)$, then $\operatorname{max.GB.deg}(I) \le n + 3$. Assume in addition that $F^h$ generates an ideal which is in generic coordinates. Then $\operatorname{solv.deg}(F) \le n + 3$.
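The closed forms of Theorems 4.8 and 4.10 can be cross-checked numerically when sizing a multivariate system against Gröbner-basis solving. The following is an added example, not code from the paper: it assumes the standard characterization that the Hilbert series of a cryptographic semi-regular sequence agrees with $\prod_i (1 - z^{d_i})/(1 - z)^N$ up to its first non-positive coefficient, whose index is the regularity, and all function names are this example's own.

```python
from math import ceil, sqrt


def series_coefficients(degrees, n_vars, up_to):
    """Coefficients c_0..c_up_to of prod(1 - z^d) / (1 - z)^n_vars."""
    coeffs = [1] + [0] * up_to
    for d in degrees:                       # multiply by (1 - z^d), in place
        for k in range(up_to, d - 1, -1):
            coeffs[k] -= coeffs[k - d]
    for _ in range(n_vars):                 # divide by (1 - z): prefix sums
        for k in range(1, up_to + 1):
            coeffs[k] += coeffs[k - 1]
    return coeffs


def hilbert_regularity(degrees, n_vars):
    """Index of the first non-positive coefficient (homogeneous case)."""
    if len(degrees) < n_vars:
        raise ValueError("need at least as many equations as variables")
    # For m >= n_vars the series is a polynomial of degree sum(d) - n_vars,
    # so the coefficient one step further is 0 and the search terminates.
    up_to = sum(degrees) - n_vars + 1
    coeffs = series_coefficients(degrees, n_vars, up_to)
    return next(k for k, c in enumerate(coeffs) if c <= 0)


def regularity_of_homogenization(degrees, n):
    """Inhomogeneous system in n variables: F^h lives in n + 1 variables."""
    return hilbert_regularity(degrees, n + 1)


def r_theorem_4_8(degrees, n):
    """Closed form of Theorem 4.8 (m = n + 1 or m = n + 2 equations)."""
    m, d = len(degrees), sorted(degrees)
    if m == n + 1:
        return sum(d) - n
    if m == n + 2:
        if d[-1] > sum(d[:-1]) - n - 1:
            raise ValueError("normalisation d_{n+2} <= d_1+...+d_{n+1}-n-1 fails")
        return (sum(d) - n - 2) // 2 + 1
    raise ValueError("Theorem 4.8 covers m in {n + 1, n + 2} only")


def r_theorem_4_10(m, n):
    """Closed form of Theorem 4.10 (quadratic equations, m >= n + 3)."""
    c = min(m - n, 6)
    if c == 3:
        x = (5 + n - sqrt(5 + n)) / 2
    elif c == 4:
        x = (7 + n - sqrt(19 + 3 * n)) / 2
    elif c == 5:
        x = (9 + n - sqrt(23 + 3 * n + sqrt(2 * (170 + 45 * n + 3 * n * n)))) / 2
    elif c == 6:
        x = (11 + n - sqrt(45 + 5 * n + sqrt(2 * (368 + 85 * n + 5 * n * n)))) / 2
    else:
        raise ValueError("Theorem 4.10 needs m >= n + 3")
    return ceil(x)


if __name__ == "__main__":
    # Constructed parameters: n variables, m quadratic equations.
    for n, m in [(20, 23), (20, 24), (20, 25), (20, 26), (20, 40)]:
        exact = regularity_of_homogenization([2] * m, n)
        print(f"n={n} m={m}: series index {exact}, bound r(m,n) {r_theorem_4_10(m, n)}")
```

For $m = n + 3, \ldots, n + 6$ the series index and the closed form coincide; for larger $m$ the closed form of the case $m \ge n + 6$ is only an upper bound, as the last constructed parameter set shows.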

5 A Consequence of the Eisenbud-Green-Harris Conjecture

In this section, we present a conjecture formulated by Eisenbud, Green, and Harris in [14]. The conjecture, if true, has implications on the solving degree of overdetermined systems of quadratic equations, which we explore in this section. Before we state the conjecture, we give a definition and establish some notation.

Definition 5.1 Let $\ell \ge 0$, $d > 0$. The Macaulay expansion of $\ell$ with respect to $d$ is

$$\ell = \binom{\ell_d}{d} + \cdots + \binom{\ell_2}{2} + \binom{\ell_1}{1}$$

where $\ell_d > \ell_{d-1} > \cdots > \ell_1 \ge 0$. Set $0^{(d)} := 0$ and

$$\ell^{(d)} := \binom{\ell_d}{d+1} + \cdots + \binom{\ell_2}{3} + \binom{\ell_1}{2}.$$

Notice that $\binom{a}{b} = 0$ if $a < b$. It is easy to show that the Macaulay expansion of $\ell$ with respect to $d$ exists and is unique.

Example 5.2 The Macaulay expansion of 8 with respect to 3 is

$$8 = \binom{4}{3} + \binom{3}{2} + \binom{1}{1}, \quad \text{hence} \quad 8^{(3)} = \binom{4}{4} + \binom{3}{3} + \binom{1}{2} = 2.$$

The Macaulay expansion of 10 with respect to 3 is

$$10 = \binom{5}{3} + \binom{1}{2} + \binom{0}{1}, \quad \text{hence} \quad 10^{(3)} = \binom{5}{4} + \binom{1}{3} + \binom{0}{2} = 5.$$

The Eisenbud-Green-Harris Conjecture is a well-known conjecture in algebraic geometry, which has many equivalent formulations. The one that best suits our purpose is the following one.

Conjecture 5.3 ([14], Conjecture $(V_m)$) Assume that $f_1, \ldots, f_m \in R$ are homogeneous polynomials and that $I = (f_1, \ldots, f_m)$ contains a regular sequence of $n$ quadratic polynomials. Then

$$H_{R/I}(d + 1) \le H_{R/I}(d)^{(d)}$$

for all $d > 0$.
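The expansion of Definition 5.1 and the inequality of Conjecture 5.3 can be evaluated mechanically. The following is an added example, not code from the paper: it computes the expansion greedily, reproduces Example 5.2, and then iterates the conjectured inequality from $H_{R/I}(2) = \binom{n+1}{2} - m$ for $m$ linearly independent quadrics generating an Artinian ideal in $n$ variables, returning the first degree at which the conjecture forces the Hilbert function to vanish. The function names are this example's own, and the result is an illustration of the conjecture, not the closed form of the theorems that follow.

```python
from math import comb


def macaulay_expansion(ell, d):
    """Return [l_d, ..., l_1] with ell = sum_i C(l_i, i), l_d > ... > l_1 >= 0."""
    if ell < 0 or d <= 0:
        raise ValueError("need ell >= 0 and d > 0")
    tops, remainder = [], ell
    for i in range(d, 0, -1):
        top = i - 1                         # C(i - 1, i) = 0 always fits
        while comb(top + 1, i) <= remainder:
            top += 1                        # greedy: largest l_i with C(l_i, i) <= remainder
        tops.append(top)
        remainder -= comb(top, i)
    return tops


def egh_shift(ell, d):
    """ell^(d) of Definition 5.1: each C(l_i, i) becomes C(l_i, i + 1)."""
    tops = macaulay_expansion(ell, d)
    return sum(comb(top, i + 1) for top, i in zip(tops, range(d, 0, -1)))


def egh_vanishing_degree(n, m):
    """First degree d at which iterating H(d+1) <= H(d)^(d) from H(2) gives 0.

    Assumes m linearly independent quadrics in n variables whose ideal is
    Artinian and contains a regular sequence of n quadrics (Conjecture 5.3).
    """
    if not n <= m <= comb(n + 1, 2):
        raise ValueError("need n <= m <= C(n + 1, 2)")
    h, d = comb(n + 1, 2) - m, 2
    while h > 0:
        h = egh_shift(h, d)
        d += 1
    return d


if __name__ == "__main__":
    print(macaulay_expansion(8, 3), egh_shift(8, 3))
    print(macaulay_expansion(10, 3), egh_shift(10, 3))
    # Constructed parameters: n variables, m quadrics.
    for n, m in [(4, 4), (4, 6), (4, 8), (4, 10)]:
        print(f"n={n} m={m}: Hilbert function forced to vanish from degree {egh_vanishing_degree(n, m)}")
```

For $m = n$ the iteration returns $n + 1$, which is the regularity of a complete intersection of $n$ quadrics.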

In the next theorems, we explore the implications of Conjecture 5.3 on the solving degree of systems of quadratic equations.

Theorem 5.4 Assume that Conjecture 5.3 holds. Let $F = \{f_1, \ldots, f_m\} \subseteq R$ be a system of homogeneous linearly independent quadratic polynomials such that $I = (f_1, \ldots, f_m)$ is Artinian. Let α be the unique integer such that n n+1 n−α − = i n, Theorem 5.4 provides a better bound than the Macaulay bound.

In spite of its simplicity, Theorem 5.4 has nontrivial consequences. For example, it implies the following bound on the complexity of solving systems of quadratic equations over fields of characteristic 2. The assertion follows immediately from Theorem 5.4. Due to its length and technicality, we omit the description of Weil descent from this paper. Interested readers should refer to [8, Chapter 7].

Corollary 5.6 Assume that Conjecture 5.3 holds. Let F be a system of $m$ homogeneous quadratic equations in $\mathbb{F}_{2^d}[x_1, \ldots, x_n]$ such that the ideal (F ) is Artinian. Choose a basis of $\mathbb{F}_{2^d}$ over $\mathbb{F}_2$ and let F be the system which contains the Weil descent of the equations of F and the field equations of $\mathbb{F}_2$. Let $I = (F)$ and let $\ell = \dim_K(I_2)$. Let $a$ be the unique integer such that

$$\sum_{i=nd-a}^{nd} i < \ell \le \sum_{i=nd-a-1}^{nd} i.$$

Then $\operatorname{max.GB.deg}(I) \le nd - a$. If in addition $I$ is in generic coordinates, then $\operatorname{solv.deg}(F) \le nd - a$.

Theorem 5.4 can be used to bound the solving degree of an inhomogeneous system of equations as follows.

Theorem 5.7 Assume that Conjecture 5.3 holds. Let $F = \{f_1, \ldots, f_m\} \subseteq R$ be a system of inhomogeneous linearly independent quadratic polynomials such that $J = (F^h) \subseteq S$ is Artinian. Let α be the unique integer such that n+2 n+1−α − = 2 2

n+1  i=n+1−α

i 0, and ν(b) = ν(c) = 0. We determine the stable reduction of Y under these conditions. This is a special case of case (f.vi) of Theorem 2: the result there is formulated more symmetrically in terms of the invariants we introduce in Sect. 3.1.

We let X0 be the model of a conic X defined by Eq. (2) and use the notation of Eq. (5) for the branch points of f : Y → X. Write β (respectively γ ) for the root of pb (respectively pc ) of valuation zero, with pb , pc defined as in Eq. (3). Both roots, α and α  , of pa have positive valuation, ν(α) + ν(α  ) = ν(B) and we can assume ν(α) ≤ ν(α  ). In particular, 0 = ν(C) < ν(α) < ν(B), and the branch points Pa , Pa and Pc reduce to the point (0 : 1 : 0), the branch points Pb and Pc reduce to the point (1 : 0 : 0), and Pb = (−2C : 0 : β) reduces to a different point from the previous ones on the special fiber X0 of X0 . This is depicted in Fig. 4. In particular, X0 is not stably marked.

[Fig. 4 Configuration of the branch points on the component X0]

The previous discussion implies that X 0 is one of the irreducible components of the special fiber X of the stably marked model X. Inspection of the cases in Figs. A.1–A.5 yields that the decorated graph (X, D) is of type IV.2, IV.3 or III.6. In order to determine the reduction type of X, it suffices to distinguish between these three cases. We can do this by considering the coordinate


I. Bouw et al.

ξ = ξt of X corresponding to t = (Pa , Pa , Pb ). This coordinate is given by

ξ = (βu + αv + 2Cw) / (2(α − a) · v).

Here u, v, w are the coordinates of X as in Eq. (2). Using the assumptions on the valuations of the parameters A, B, C, a, b, c one computes that ξ(Pb ) = ξ(Pc ) = ∞. Hence the type of X only depends on ξ(Pc ). One may check that ξ(Pb ) = ∞ as well, by finding a different expression for ξ . However, this is not needed to distinguish between the possibilities for X. Namely, Pa , Pa , and Pc specialize to pairwise distinct points of the component X ξ different from the intersection point of X ξ with the rest of X if and only if ξ(Pc ) ∉ {0, 1, ∞}. Otherwise, we need an additional coordinate ξ  to separate Pc from the point Q ∈ {Pa , Pa , Pb } with ξ(Pc ) ≡ ξ(Q) (mod π ). However, to decide what decorated graph occurs it suffices to know for which point Q this holds. It is not necessary to calculate the coordinate ξ  explicitly.

The possible configurations of the components X 0 and Xξ are depicted in Fig. 5. Recall that ν(α) ≤ ν(α  ), so ν(α) ≤ ν(a) and 2ν(α) ≤ ν(BC). We have

ξ(Pc ) = (αγ − 2Bβ) / (2(α − a)γ) = (−2Bβ + αγ) / (αγ − α  γ).

By our assumptions, we have that ν(α − a) ≥ ν(α). Hence we get ξ(Pc ) ≠ 0. There remain three cases:

ξ(Pc ) = ξ(Pa ) = 1 iff ν(α  ) > ν(α) iff ν(BC) > 2ν(a), (type IV.3),
ξ(Pc ) = ξ(Pb ) = ∞ iff ν(α − a) > ν(α) iff ν(a ) > ν(BC) = 2ν(a), (type IV.2),
ξ(Pc ) ≠ 0, 1, ∞ otherwise, (type III.6).

One may check that the last case occurs if and only if ν(a ) = ν(BC) < 2ν(a).

[Fig. 5 Possible configurations of X ξ and X 0]

Reduction Types of Genus-3 Curves in a Special Stratum of their Moduli Space


Fig. 6 The factorization of f¯ restricted to Y 1

As in the proof of Theorem 1 one finds that the reduction type of Y is Winky Cat if X is of type III.6, Cat if X is of type IV.3, and Garden if X is of type IV.2. If X is of type III.6, then the curve Y has one component Y 1 of positive genus. The curve Y 1 is an elliptic curve and the restriction of f to Y 1 factors as Y 1 → Xξ  → X ξ , where X ξ  := Y 1 / σc is a projective line. Lemma 3 yields a description of the inertia generators. We explain how to compute the j -invariant of Y 1. The map X ξ  → X ξ has degree 2 and is exactly branched at ξ(Pa ) = 0 and ξ(Pa ) = 1. Normalizing the unique point of X ξ  above Pa (respectively Pa ) to 0 (respectively 1) and one of the points above the intersection point of Xξ with the rest of X to ∞, we obtain Fig. 6. The coordinate ξ can then be written as a quotient of polynomials of degree less than or equal to 2 in ξ  , and from the conditions above we obtain Xξ  → Xξ : ξ  → ξ =

(ξ  )2 . 2ξ  − 1

The degree-2 map Y 1 → Xξ  is branched at the inverse image of ξ(Pc ) =: λ and ξ = ∞, i.e., at ξ  = ∞, μ1 = 1/2 and the two roots μ2 and μ3 of t 2 − 2λt + λ. Using the assumptions on the parameters we find that λ = α/2(α − a). Taking the cross ratio of these 4 points, we find that j (Y 1 ) ≡

26 (a 2 + 12BC)3 (mod π ). 2a · 4BC

Remark 3
(a) In Proposition 3 we formulate certain minimality conditions on the parameters A, B, C, a, b, c. Assuming these conditions, Eq. (2) defines a model of X, which we denote by X0 . In the situation of Example 1 this model is semistable. However, this is not true in general. It may happen that the special fiber X0 of X0 is not reduced. In Proposition 7(ii) this case is characterized. The method to compute the stable model of X still works, but one needs to go to an extension of K to find a model of X whose special fiber is reduced. More details can be found in the proof of Lemma 14.
(b) In Example 1 we sketched a systematic method for computing the invariants of the components of positive genus of the stable reduction of a curve Y . This method has the advantage that it always works. Once one knows the type of the stable reduction of a curve Y , it is sometimes faster to explicitly write down a model Y of Y , that is not necessarily semistable, to calculate the invariants of the components of positive genus of the stable reduction of a curve Y . Namely, let Y be a not necessarily semistable model of Y and assume that the normalization of its reduced special fiber contains an irreducible component Z of positive genus. Then the uniqueness of the stable model implies that Z is also an irreducible component of the normalization of the stable reduction Y^stab of Y . Therefore an equation for Z may be used to compute the invariants for the corresponding irreducible component of the stable reduction. This method is used, for example, in the proof of Lemma 6. We refer to this proof for more details.

3 The Smooth Plane Quartic Case

Let Y /K be a smooth projective plane quartic over a complete discrete valuation field of characteristic 0 and residue characteristic p ≥ 0 different from 2, such that AutK (Y ) contains a subgroup isomorphic to V = C2 × C2 . Recall that, by Lemma 2, Y admits an equation of the form:

Y : Ax⁴ + By⁴ + Cz⁴ + ay²z² + bz²x² + cx²y² = 0

for some A, B, C, a, b, c ∈ K, possibly after replacing K by a finite extension, as in Eq. (1). In Sect. 3.2 we identify the reduction type of a given curve Y /K, where all possible types are listed in Fig. A.6.

Before stating the results we discuss the problem that an equation of the form (1), and hence the coefficients A, B, C, a, b, c, for Y /K are only unique up to K-isomorphisms. Proposition 3 states a normalization condition for the valuation of the coefficients of Eq. (1). This allows us in Proposition 4 to exhibit a set of invariants I3 , I3 , I3 , I6 for the special locus M_{3,V}^{quar}. Proposition 3 allows us to assume that I3 , I3 , I3 , I6 have non-negative valuation and at least one has valuation zero. The classification of the reduction types of Y in terms of the invariants is stated in Theorems 2 and 3.


3.1 Invariants

Let Y /K be given as in Eq. (1); such an equation can be normalized, as given by the following result:

Proposition 3 After a suitable change of variables in Eq. (1) we can always assume that the valuation of at least one of the elements in each set {A, B, c}, {A, b, C}, {a, B, C}, {A, b, c}, {a, B, c}, {a, b, C} is zero while all the others are non-negative.

Proof Let o_r , o_s , o_t ∈ O be elements with valuation r, s, t ∈ Q≥0 respectively. We assume the valuation to be normalized by ν(p) = 1, where p > 0 is the residue characteristic of ν. We allow K to be replaced by a finite extension (if necessary) such that K contains an element of this valuation. Observe that the change of variables (x, y, z) → (o_r x, o_s y, o_t z) changes the valuation of the coefficients as follows:

ν(A) → ν(A) + 4r, ν(B) → ν(B) + 4s, ν(C) → ν(C) + 4t,
ν(a) → ν(a) + 2s + 2t, ν(b) → ν(b) + 2r + 2t, ν(c) → ν(c) + 2r + 2s.

Let U be one of the sets listed in the statement, and assume that all the valuations of the parameters in U are positive. We will see how to obtain an isomorphic model for Y that is normalized with respect to all the sets for which the original model was normalized, and also with respect to U . By symmetry it is enough to consider the cases where U is {A, b, c} or {A, B, c}.

• For the first case consider the change (x, y, z) → (x/π1 , y, z) with π1 ∈ O an element of valuation ν(π1 ) = min(ν(A)/4, ν(b)/2, ν(c)/2). With this change, the valuation of at least one among A, b, c becomes zero, and the valuations of a, B, and C remain the same.
• Assume now that the model is normalized with respect to every set of the form {L, m, n}, and assume that it is not with respect to {A, B, c}. It follows that ν(a) = ν(b) = 0, since otherwise we could normalize further with respect to either {a, B, c} or {A, b, c}. Consider now the change (x, y, z) → (x/π2 , y/π2 , π2 z) with π2 ∈ O an element of valuation ν(π2 ) = min(ν(A)/4, ν(B)/4, ν(c)/4). With this change, the valuation of at least one among A, B, c becomes zero, the valuations of a and b remain the same, and the valuation of C increases by 4ν(π2 ). The increase of the valuation of C does not affect the normalization with respect to any other set, since any set containing C also contains a or b, which have valuation zero, as explained above.

Dixmier–Ohno invariants [10, 23] classify isomorphism classes of plane quartics. Moreover, in [22] a reconstruction method is presented to compute the equation of a curve corresponding to a given tuple of Dixmier–Ohno invariants. In [21, Function IsInstrataD4] the expressions for Dixmier–Ohno invariants for quartics in the locus M_3^{quar} are given. However, it is more convenient to work with a smaller set of invariants, specifically for the locus M_{3,V}^{quar} instead of the general Dixmier–Ohno invariants; indeed explicit computation with these is unnecessarily complicated. We therefore consider the four invariants as in the following statement.

Proposition 4 The elements

I3 = ABC, I3 = Aa + Bb + Cc , I3 = −4ABC + Aa² + Bb² + Cc² − abc, I6 = a b c

are invariants for the locus M_{3,V}^{quar}.

Proof By Lemma 2(1), any isomorphism between plane quartics in M_{3,V}^{quar} has to preserve the automorphism group

$$V \simeq \left\langle \begin{pmatrix} -1 & 0 & 0 \\ 0 & -1 & 0 \\ 0 & 0 & 1 \end{pmatrix}, \begin{pmatrix} -1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & -1 \end{pmatrix} \right\rangle \subset \operatorname{Aut}_K(Y).$$

Since plane quartics are given by their canonical models, isomorphisms between them are linear. Moreover, those isomorphisms leave invariant by conjugation the previous group. This implies that isomorphisms of plane quartics in M_{3,V}^{quar} are given by products of permutation matrices and diagonal matrices. Hence the elements from the statement of the lemma considered as element of K[A, B, C, a, b, c] are invariants for the locus M_{3,V}^{quar}.

Remark 4 Notice that I3 = (X).

Proposition 5 The invariants I3 , I3 , I3 and I6 are generators for the invariants algebra of the locus M_{3,V}^{quar}.

Proof In general, for any characteristic different from 2, we can proceed as follows: first, we normalize to obtain A = B = C = 1. With this normalization the group of linear transformations acts on K[a, b, c] via the finite group

$$G := \left\langle \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}, \begin{pmatrix} 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{pmatrix}, \begin{pmatrix} i & 0 & 0 \\ 0 & i & 0 \\ 0 & 0 & -1 \end{pmatrix} \right\rangle.$$


Then, we compute the invariants K[a, b, c]^G via Derksen's algorithm [11, Algorithm 4.1.9] with the Magma [3] function FundamentalInvariants, and we obtain generators: 1, a² + b² + c², abc, a²b² + a²c² + b²c². After denormalizing we get the weight 3, 3, 3, 6 invariants ABC, Aa² + Bb² + Cc², abc, ABa²b² + BCb²c² + CAc²a².

In order to do the computations in Magma [3] we needed to fix the field, so we fixed the fields F3 and Q because the order of G is a product of a power of 2 and a power of 3. For any other characteristic p > 3 and because of Molien's Formula [11, Theorem 3.2.2] we always find the same Hilbert series

$$H(K[a, b, c]^G, t) = H(\mathbb{Q}[a, b, c]^G, t) = \frac{1}{(1 - t^2)(1 - t^3)(1 - t^4)},$$

so K[a, b, c]^G is generated by 3 invariants of weights 2, 3, and 4. Since the 3 expressions a² + b² + c², abc, a²b² + a²c² + b²c² are invariants for any characteristic and the one of weight 4 is not a multiple of the square of the one of weight 2, they are generators of K[a, b, c]^G for all characteristics different from 2.

Remark 5 In characteristic 0 we know that the Dixmier–Ohno invariants generate the invariant ring of smooth plane quartics [10, 23]. Work in progress by R. Lercier, E. Lorenzo García, and C. Ritzenthaler aims to show that this also holds in characteristic p > 7. The Dixmier–Ohno invariants of plane quartics can be written in terms of the invariants I3 , I3 , I3 and I6 (see [2, InvariantsGenerateDO] for the details), which gives another proof of Proposition 5 in the characteristic 0 case. The invariants I3 , I3 , I3 , I6 are homogeneous of weight 3, 3, 3, 6, respectively. Moreover, considered as functions on the weighted projective space P33,3,3,6 , they are algebraically independent. To state the classification theorems for the reduction types of plane quartics it is also convenient to define I = ABa b + ACa c + BCb c . The invariant I is in the algebra generated by I3 , I3 , I3 , I6 . Concretely, we have 4I + I6 − I32 + 16I3 I3 + 2I3 I3 − I32 = 0.

(6)

We now restate Proposition 3 in terms of these invariants: Corollary 1 After a change of variables as in Proposition 3 we can always work with an integer model as in Eq. (1) such that all the valuations of I3 , I3 , I3 and I6 are non-negative and at least one is equal to zero. Proof Suppose that all four invariants have positive valuation. Then we have ν(I3 ) = ν(ABC) > 0, and without loss of generality we can assume that ν(A) is positive. Since ν(I3 ), ν(I3 ) and ν(I6 ) are positive, we obtain ν(Bb2 + Cc2 ), ν(abc), ν(BCb2 c2 ) > 0, respectively. So we are in one of the following scenarios:


• ν(B), ν(C), ν(abc) > 0, or
• ν(B), ν(c) > 0 or, symmetrically, ν(C), ν(b) > 0, or
• ν(b), ν(c) > 0,

but all contradict the normalization conditions in Proposition 3. Hence the corollary follows.

3.2 Main Results In this section we characterize the possible reduction types of a plane quartic curve Y in terms of the valuations of the four invariants I3 , I3 , I3 , I6 . We assume that Y is given by an equation of the form Ax 4 + By 4 + Cz4 + ay 2 z2 + bx 2 z2 + cx 2 y 2 = 0, normalized as in Proposition 3; in particular by Corollary 1 all the invariants have non-negative valuation, and at least one of them has valuation zero. Additionally, we use the invariant I determined by Eq. (6). In terms of the invariants, we have (Y ) = 220 I3 I34 I62 .

(7)

Proposition 6 Let Y be a plane quartic defined by Ax 4 + By 4 + Cz4 + ay 2 z2 + bx 2 z2 + cx 2 y 2 = 0 normalized as in Proposition 3. Let (Y ) be the discriminant of Y . The following statements are equivalent: (i) Y has potentially good reduction, (ii) ν((Y )) = 0, (iii) ν(I3 ) = ν(I3 ) = ν(I6 ) = 0. Proof If ν((Y )) = 0, then the curve has good reduction. If Y has potentially good reduction then over a finite extension of the base field, it admits a plane quartic integral model with good reduction, and because of Theorem 3.15 in [17], this model can be taken in the form Ax 4 + By 4 + Cz4 + ay 2 z2 + bx 2 z2 + cx 2 y 2 = 0 with A, B, C, a, b, c ∈ O, ν((Y )) = 0. In particular, with ν(I3 ), ν(I3 ), ν(I3 ), ν(I6 ) ≥ 0 and hence with ν(I3 ) = ν(I3 ) = ν(I6 ) = 0. Finally, the fact that (iii) implies (ii) is immediate from the expression for (Y ) in Eq. (7).   In what follows we assume that Y has geometric bad quartic reduction. Our result concerning the characterization of the possible reduction types is divided into two statements, depending on whether ν(I3 ) is zero (Theorem 2) or positive


(Theorem 3). Recall from Remark 4 that I3 is the discriminant of the conic X defined by Eq. (2). Hence the two cases correspond to the reduction of this conic being non-degenerate or degenerate (see also Remark 3(b)). Theorem 2 is proved in Sect. 4.1 and Theorem 3 in Sect. 4.2. In these sections we also give the Igusa invariants (respectively the j -invariant) of the irreducible components of the stable reduction of Y with positive genus in each of the cases.

Theorem 2 Let Y be a plane quartic curve defined by Ax⁴ + By⁴ + Cz⁴ + ay²z² + bx²z² + cx²y² = 0 normalized as in Proposition 3. Let (Y ) be the discriminant of the quartic Y , and let (X) be the discriminant of the conic X defined by Eq. (2), which we assume to have valuation 0, that is, ν(I3 ) = 0. Then if the valuation of (Y ) is positive, Y has geometric bad reduction and one of the cases in Table 1 occurs.

Table 1 Cases of Theorem 2

(a) (b) (c) (d) (e) (f.i)

ν(I3 ) =0 =0 =0 >0 >0

ν(I3 ) ν(I3 ) =0 =0 =0 >0 =0 =0 =0 =0

ν(I6 ) >0 >0 >0 =0 >0

(f.ii)

(f.iii) > 0

=0

=0

>0

(f.iv) (f.v) (f.vi) (g) (h)

>0 >0

=0 >0

=0 =0

=0 =0

ν(I ) Other conditions =0 >0 >0 =0 =0 2ν(I ) > ν(I3 ) + ν(I6 ) > 2ν(I3 ) or ν(I3 ) < ν(I ) < ν(I6 ) 2ν(I ) > ν(I3 ) + ν(I6 ) > 2ν(I6 ) or ν(I3 ) > ν(I ) > ν(I6 ) > 0 2ν(I ) > ν(I3 ) + ν(I6 ) = 2ν(I3 ) or ν(I3 ) = ν(I ) = ν(I6 ) ν(I ) < ν(I3 ), ν(I ) < ν(I6 ) ν(I ) = ν(I3 ) < ν(I6 ) ν(I ) = ν(I6 ) < ν(I3 ) >0 >0

Decorated graphs II.3 III.1 IV*.1 II.4 III.2 IV.1

Stable curve Loop DNA Braid Lop Looop Grl Pwr

IV.3

Cat

II.1

Candy

IV.2

Garden

III.5

Tree

III.6

Winky Cat

III.3 IV*.3

Loop Looop

Lem. 6 7 8

9

10 11


Theorem 3 Let Y be a plane quartic curve defined by Ax⁴ + By⁴ + Cz⁴ + ay²z² + bx²z² + cx²y² = 0 normalized as in Proposition 3. Let (Y ) be the discriminant of the quartic Y , and let (X) be the discriminant of the conic X defined by Eq. (2), which we assume to have positive valuation, that is, ν(I3 ) > 0. Then the valuation of (Y ) is positive, Y has geometric bad quartic reduction and one of the cases in Table 2 occurs.

A decision tree reading the conditions of Tables 1 and 2 is given in [2]. Also a SageMath [25] implementation is given there. It takes as input the coefficients (A, B, C, a, b, c) of a smooth plane quartic in M3,V , not necessarily normalized, and outputs the reduction type computed with Theorems 2 and 3.

In the following section we give a detailed proof of the two theorems, using the strategy explained in Sect. 2.4. In particular, for each case, we determine the special fiber (X, D) of the stably marked model of (X, D), thus we obtain one of the twenty decorated graphs depicted in the appendix and, as in the proof of Theorem 1, we

Table 2 Cases of Theorem 3

(a) (b.i) (b.ii) (b.iii) (c.i) (c.ii)

(c.iii)

(c.iv) (c.v) (c.vi) (c.vii) (d) (e)

ν(I3 ) ν(I3 ) ν(I3 ) ν(I6 ) ν(I ) Other conditions =0 >0 =0 0 < ν(I3 ) < ν(I6 ) > 0 > 0 = 0 ν(I3 ) > ν(I6 ) > 0 ν(I3 ) = ν(I6 ) > 0 2ν(I6 ) = 3ν(I3 ) ≤ 6ν(I3 ) 2ν(I6 ) > 3ν(I3 ) and 2ν(I3 ) ≥ ν(I3 ) = ν(I32 − 16I3 I3 ) 2ν(I6 ) > 3ν(I3 ) and = 0 > 0 > 0 > 0 > 0 2ν(I3 ) = ν(I3 ) < ν(I32 − 16I3 I3 ) 2ν(I6 ) < 3ν(I3 ) and 3ν(I3 ) ≥ ν(I6 ) 3ν(I3 ) < ν(I3 I3 ) < ν(I6 ) 3ν(I3 ) < ν(I6 ) < ν(I3 I3 ) 3ν(I3 ) < ν(I3 I3 ) = ν(I6 ) >0 >0 =0 =0 >0 =0 >0 >0

Decorated graphs II.2 IV*.2 IV.5 III.4 I

Stable curve Lem. DNA 12 DNA 13 Braid Candy Good (hyp)

II.3

Loop (hyp)

III.1

DNA (hyp) 14

II.2

DNA (hyp)

IV*.2

DNA (hyp)

IV.5

Braid (hyp)

III.4

Candy (hyp)

III.7 IV.4

Cave Braid

15 16


deduce the corresponding stable curve, which is the special fiber of the stable model of Y (Sect. 2.2).

Remark 6 The stable curve of type Candy corresponds to the decorated graphs II.1 (see Theorem 2(f.iii)) and III.4 (see Theorem 3(b.iii) and Theorem 3(c.vii)). Here, this can really be considered as two different reduction types, since the j -invariants of the elliptic curves Y 1 and Y 2 of the stable curve behave differently. In the first case, it is shown in Lemma 9 that j (Y 1 ) and j (Y 2 ) depend on the value of the invariants and are in general not the same in k. In the second case, Y 1 and Y 2 are isomorphic and j (Y 1 ) = j (Y 2 ) = 1728. This is proved in Lemma 13 and Corollary 2. The difference between the two cases may be explained by considering the action of V on the stable reduction Y of Y . We refer to the proofs of the results for more details.

Example 2 As an example we consider the curve

Y : 2x⁴ + 2y⁴ + 15z⁴ − 11y²z² − 11x²z² + 3x²y² = 0.

Its automorphism group AutC (Y ) is isomorphic to D4 . In addition to the action of V , there is an automorphism (x : y : z) → (y : −x : z) of order 4. All its automorphisms are defined over Q. We have that

(X) = I3 = 2⁴, (Y ) = 2² · 3 · 5 · 7².

This curve has been studied by Howe–Leprévost–Poonen [15, Corollary 16]. They show that the conductor of this curve is N = 2940 = (Y ), which is the smallest value for a curve of genus 3 that we know of. The curve can also be found in Sutherland's database of non-hyperelliptic genus-3 curves over Q with small discriminant [28]. In fact, it is the curve with smallest discriminant in this database. When we apply the results of this section to this curve for the primes p = 3, 5, 7, we find that the reduction type of Y is Lop for p = 3, 5 (case (d) of Theorem 2) and Loop for p = 7 (case (a) of Theorem 2).

4 Proofs of Main Results

4.1 Main Result with Non-degenerate Conic

In this section we prove Theorem 2, i.e., we treat the case that the reduction of the conic X is non-degenerate. In particular, in this section we assume that I3 = (X) has valuation zero. Equation (2) defines a smooth model X0 of X over O. Its special fiber, which we denote by X0, is an irreducible component of the special fiber X


I. Bouw et al.

of X, where (X, D) is the stably marked model of (X, D) from Proposition 1(1). Recall that D denotes the branch divisor of f : Y → X. Moreover, the special fiber (X, D) of the stably marked model of (X, D) is a decorated graph defined in Definition 3. In the proof of Theorem 1 we have seen that there are 20 possibilities for the decorated graph, which determine the 13 possibilities for the stable reduction of Y . The possibilities for the decorated graph and the stable reduction of Y are listed in the appendix. The strategy of the proofs is explained in Example 1. We assume that D splits over K and use the notation Pa , Pa , Pb , Pb , Pc , Pc as in Eq. (5) for the 6 branch points of f . The following lemma is useful in determining the cases for the decorated graph. Lemma 5 If ν(a ) is positive, then the points Pa , Pa specialize to the same point in X 0 . If ν(A) is positive, then one point among Pb , Pb and one point among Pc , Pc specialize to the same point in X 0 . Proof Let π be a uniformizing element of K. If ν(a ) is positive, then the two roots of pa (T ) = T 2 − 2aT + 4BC = (T − a)2 − a are congruent modulo π , thus Pa , Pa , as in Eq. (5), specialize to the same point in X0 because α 2 ≡ a 2 ≡ 4BC (mod π ). Similarly, if ν(A) is positive, one root of pb (T ) = T 2 − 2bT + 4AC and one root of pc (T ) = T 2 − 2cT + 4AB have positive valuation, thus one point among Pb , Pb and one point among Pc , Pc specialize to (1 : 0 : 0) in X 0 .   Lemma 6 (Theorem 2, Cases (a)–(c)) Let Y be as in Theorem 2, hence ν(I3 ) = 0. Assume that ν(I3 ) = 0 and ν(I6 ) > 0. 
Then one of the following occurs: (a) If ν(I ) = 0, then the decorated graph has type II.3 and the reduction type of the curve is Loop, with j -invariant j = 16(16I3 I3 + I )3 /(I3 I3 I 2 ); (b) if ν(I3 ) = 0 and ν(I ) > 0, then the decorated graph has type III.1 and the reduction type of the curve is DNA; and (c) if ν(I3 ) > 0 and ν(I ) > 0, then the decorated graph has type IV*.1 and the reduction type of the curve is Braid. Proof From the conditions on the invariants, it follows that the valuations ν(A), ν(B), ν(C) are zero, and in case (a) (respectively (b), (c)) we get that exactly one (respectively two, three) of the valuations ν(a ), ν(b ), ν(c ) is positive. Lemma 5 implies that Pi and Pi specialize to the same point of X0 if and only if the valuation of i is positive for i ∈ {a, b, c}. Moreover, since we have ν(ABC) = 0, Lemma 5 implies that no two points from different pairs specialize to the same point of X0 . Since the 6 branch points specialize to at least 3 pairwise distinct points of X 0 it follows that X0 is an irreducible component of the special fiber X of the stably marked model of (X, D). From this it follows that we are in one of the cases II.3, III.1 or IV*.1. We obtain that X is of type II.3 (respectively III.1 or IV*.1) if exactly one (respectively two or three) of the valuations ν(a ), ν(b ), ν(c ) are positive. As in the proof of Theorem 1 it follows that the stable reduction Y of Y is Loop (respectively DNA or Braid).


To compute the j-invariant in case (a), assume that a is the discriminant with positive valuation. Choose square roots $\sqrt{B}$ and $\sqrt{C}$ with $\nu(a - 2\sqrt{BC}) > 0$ in $\bar{K}$. Extend K to contain them if needed and rename it, as well as the corresponding notions O, ν and π for the ring of integers, valuation and uniformizer. We write X0 as

$$Au^2 + (bw + cv)u + G_2(v, w) = 0,$$

where $G_2(v, w) \equiv (\sqrt{B}\,v + \sqrt{C}\,w)^2 \pmod{\pi}$. Here we use that ν(a ) is positive. Write Y0 for the normalization of X0 in the function field of Y. Its special fiber Y 0 is birationally given by

Y 0 : $Ax^4 + (bz^2 + cy^2)x^2 + G_2(y^2, z^2) = 0.$

There exists a change of coordinates S ∈ GL3(K) such that the equation for Y0 with respect to the new variables (x1 = x, y1, z1) still has integral coefficients and $G_2(y, z) \equiv y_1^2 z_1^2 \pmod{\pi}$. Here we use the assumption ν(ABC) = 0. Hence Y 0 may birationally be given by

Y 0 : $Ax_1^4 + G_3(y_1, z_1)x_1^2 + y_1^2 z_1^2 \equiv 0 \pmod{\pi}$

for some polynomial $G_3(y_1, z_1) = a_0 z_1^2 + a_1 z_1 y_1 + a_2 y_1^2 \in O[y_1, z_1]$. We set $z_1 = 1$, multiply the equation by $(1 + a_2 x^2)$, and define $y_2 = ((1 + a_2 x_1^2)y_1 + a_1 x_1^2/2)/x_1$. A short calculation shows that Y 0 is birationally given by

Y 0 : $y_2^2 \equiv -(1 + a_2 x^2)(a_0 + Ax^2) + \tfrac{a_1^2}{4}x^2 \pmod{\pi}.$

This is an elliptic curve with j-invariant

j ≡ 16(16I3 I3 + I)^3 / (I3 I3 I^2) (mod π). (8)

This expression is also valid if ν(b ) (resp. ν(c )) is positive instead of ν(a ). We have already seen that the stable reduction Y of Y is Loop. It follows that the normalization of Y is the normalization of Y 0. The statement on the j-invariant in the lemma follows.

Remark 7 Notice that while checking the validity of Eq. (8) is straightforward, the computation of the right-hand side from the left-hand side is not. The former was computed after some manipulations of the expression of the j-invariant computed with SageMath [25], taking into account the congruences modulo π.

Lemma 7 (Theorem 2, Case (d)) Let Y be as in Theorem 2, hence ν(I3 ) = 0. Assume ν(I3 ) > 0, ν(I6 ) = 0 and ν(I ) = 0. Then the decorated graph has type II.4 and the reduction type of the curve is Lop, and the Igusa invariants of the genus-2


curve are J2 =I3 I3 − I32 + 2I6 + 24I, J4 =I32 I6 + 64I3 I3 I − 64I32 I + 128I6 I + 768I 2 , J6 =I32 I6 I − 32I3 I3 I 2 + 32I32 I 2 − 64I6 I 2 − 256I 3 , J8 =I34 I62 + 256I3 I33 I6 I − 256I34 I6 I + 512I32 I62 I + 4608I32 I6 I 2 − 32768I3 I3 I 3 + 32768I32 I 3 − 65536I6 I 3 − 196608I 4 , J10 =I34 I62 I. Proof From the conditions on the invariants, it follows that exactly one valuation among ν(A), ν(B), ν(C) is positive and that all the valuations ν(a ), ν(b ), ν(c ) are zero. Assume ν(A) > 0. Then, by Lemma 5, a point with inertia generator σb and a point with inertia generator σc both specialize to (1 : 0 : 0), hence the decorated graph has type II.4 and the reduction of the curve is Lop. We determine an equation for the normalization of the stable reduction Y of Y . Since we are in case Lop this is a curve of genus 2. Arguing as in the proof of Lemma 6, we find that Y is birationally given by Y : x2 ≡ −

By 4 + ay 2 z2 + Cz4 . cy 2 + bz2

Hence t 2 = (x(cy 2 + bz2 ))2 = −(cy 2 + bz2 )(By 4 + ay 2 z2 + Cz4 ) is the genus-2 curve we are looking for. We computed its Igusa invariants with SageMath [25]. As mentioned in Remark 7, the equalities in the statement of the lemma are straightforward to check, while stating them was not and required smart manipulations.   Lemma 8 (Theorem 2, Case (e)) Let Y be as in Theorem 2, hence ν(I3 ) = 0. Assume ν(I3 ) > 0, ν(I3 ) = 0, ν(I6 ) > 0 and ν(I ) = 0. Then the decorated graph has type III.2 and the reduction type of the curve is Looop. Proof From the conditions on the invariants, it follows that exactly one valuation among ν(A), ν(B), ν(C) and exactly one among ν(a ), ν(b ), ν(c ) are positive while only one among ν(Aa ), ν(Bb ), ν(Cc ) is also positive. Assume ν(Aa ) > 0. Then, by Lemma 5, the points Pa and Pa both specialize to (0 : 1 : −1), and a point with inertia generator σb and a point with inertia generator σc both specialize to (1 : 0 : 0), hence the decorated graph has type III.2 and the reduction of the curve is Looop.   Lemma 9 (Theorem 2, Case (f)) Let Y be as in Theorem 2, hence ν(I3 ) = 0. Assume ν(I3 ) > 0, ν(I3 ) = 0, ν(I6 ) > 0 and ν(I ) > 0. Then one of the following occurs:


(i) If 2ν(I ) > ν(I3 )+ν(I6 ) > 2ν(I3 ) or ν(I3 ) < ν(I ) < ν(I6 ), then the decorated graph has type IV.1 and the reduction type of the curve is Grl Pwr. (ii) If 2ν(I ) > ν(I3 )+ν(I6 ) > 2ν(I6 ) or ν(I3 ) > ν(I ) > ν(I6 ), then the decorated graph has type IV.3 and the reduction type of the curve is Cat. (iii) If 2ν(I ) > ν(I3 ) + ν(I6 ) = 2ν(I3 ) or ν(I3 ) = ν(I ) = ν(I6 ), then the decorated graph has type II.1 and the reduction type of the curve is Candy, and the j -invariants of the two genus-1 components of the special fiber are the roots of the polynomial   I62 I3 I3 t 2 −24 I62 I + 3 · 24 I3 I3 I62 + 3 · 28 I3 I3 I6 I − 213 I32 I32 I6 + 212 I3 I3 I 2 t  3 + 28 I6 + 24 I + 28 I3 I3

(iv) If ν(I ) < ν(I3 ) and ν(I ) < ν(I6 ), then the decorated graph has type IV.2 and the reduction type of the curve is Garden. (v) If ν(I ) = ν(I3 ) < ν(I6 ), then the decorated graph has type III.5, the reduction type of the curve is Tree, and the j -invariant of the genus-1 component of the special fiber is j = 24 (I + 24 I3 I3 )3 /(I 2 I3 I3 ). (vi) If ν(I ) = ν(I6 ) < ν(I3 ), then the decorated graph has type III.6, the reduction type of the curve is Winky Cat, and the j -invariant of the genus-1 component of the special fiber is j = 24 (I6 + 24 I )3 /(I62 I ). Proof The conditions on the invariants imply that we may assume ν(Cc ) = 0,

ν(A) > 0, and ν(Bb ) > 0

after permuting the variables, if necessary. In order to determine the stable reduction of Y in the different subcases, we use two different coordinates for X. The coordinates ξ1 =

βu + αv + 2Cw 2(α − a)v

ξ2 =

βu + αv + 2Cw , 2(β − b)u

correspond to t1 = (Pa , Pa , Pb ) and t2 = (Pb , Pb , Pa ) in the notation of Sect. 2.4. The coordinates ξ1 and ξ2 define models X1 and X2 of X, which may or may not be isomorphic over O. We write X1 and X2 for the special fibers of the corresponding models. We use the same notation for further coordinates we introduce in the course of the proof. The coordinate ξ1 is the same we considered in Example 1, which corresponds to case (vi) of the current lemma. In this proof, we choose α to be a root of pa (T ) = T 2 − 2aT + 4BC of minimal valuation. Similarly, we choose β and γ to be a root of pb (T ) = T 2 − 2bT + 4AC and pc (T ) = T 2 − 2cT + 4AB of minimal valuation. (i) If either 2ν(I ) > ν(I3 ) + ν(I6 ) > 2ν(I3 ) or ν(I3 ) < ν(I ) < ν(I6 ), then ν(a ) > ν(B) and ν(b ) > ν(A). Moreover, ν(Aa ) = ν(Bb ).


We may assume, without loss of generality, that ν(B) ≤ ν(A). It follows that 2ν(β) = ν(A) ≥ ν(B) = 2ν(α) = 2ν(a) and 2ν(α − a) = ν(a ). We define a new coordinate ξ3 =

β π˜ 3 u + απ3 v + 2Cπ3 w , 2(α − a)v

where π3 and π˜ 3 are chosen such that ν(−βB π˜ 3 + αγ π3 ) = ν(α − a). (This is obviously possible). One computes that the points Pa and Pa both specialize to ξ3 = 0 on X 3 , the points Pb , Pb , and Pc specialize to ξ3 = ∞ on X 3 , and ξ3 (Pc ) specializes to a point with ξ3 = 0, ∞ on X 3 . Similarly, we find a coordinate ξ4 such that the points Pa , Pa , and Pc specialize to ξ4 = 0 on X4 , the points Pb and Pb specialize to ξ4 = ∞ on X4 , and ξ3 (Pc ) specializes to a point with ξ4 = 0, ∞ on X4 . We conclude that the decorated graph is of type IV.1, and the irreducible components of X are X 1 , X 3 , X 4 , X 2 from left to right. The reduction type of the curve is Grl Pwr. (ii) If either 2ν(I ) > ν(I3 ) + ν(I6 ) > 2ν(I6 ) or ν(I3 ) > ν(I ) > ν(I6 ), then ν(a ) < ν(B) and ν(b ) < ν(A). We may assume that ν(b ) ≤ ν(a ). One calculates that the points Pa and Pc both specialize to the point ξ1 = 1, the points Pb , Pb , and Pc specialize to the point ξ1 = ∞, and Pa specializes to ξ1 = 0 on X1 . Similarly, one computes that the points Pa , Pa , Pc specialize to the point ξ2 = ∞, the points Pb and Pc to the point ξ2 = 1, and Pb to ξ2 = 0 on X2 . We conclude that the decorated graph has type IV.3: the irreducible components X1 and X2 are the two middle components. The reduction type of the curve is Cat. (iii) If 2ν(I ) ≥ ν(I3 ) + ν(I6 ) = 2ν(I3 ), then ν(a ) = ν(B) and ν(b ) = ν(A). We may assume, without loss of generality, that ν(B) ≤ ν(A). One computes that Pb , Pb , and Pc all specialize to the point ξ1 = ∞ on X 1 . Moreover, the point Pc specializes to a point with ξ1 = 0, 1, ∞ on X 1 . In particular, the points Pa , Pa , Pc and Pb specialize to pairwise distinct points of X 1 . Similarly, one checks that the points Pb , Pb , Pc , and Pa specialize to pairwise distinct points on X2 . Hence X has type II.1 and the reduction type of the curve is Candy. The stable reduction Y of Y consists of two genus-1 curves intersecting in two points. 
To calculate their j -invariants we proceed as in Example 1. Let Y i be the irreducible component of Y above Xi for i = 1, 2. The coordinate ξ1 of X1 is identical to the coordinate from Example 1, hence we find the same expression j (Y 1 ) ≡ A similar calculation yields

26 (a 2 + 12BC)3 (mod π ). 2a · 4BC


j (Y 2 ) ≡


26 (b2 + 12AC)3 (mod π ). 2b · 4AC

One checks that the j -invariants j (Y 1 ) and j (Y 2 ) are the roots of the polynomial given in the statement. (iv) Assume ν(I ) < ν(I3 ) and ν(I ) < ν(I6 ). We may assume, without loss of generality, that ν(b ) < ν(A). It follows that ν(B) < ν(a ). One computes that Pa , Pa , and Pc specialize to the point ξ2 = ∞ and Pb and Pc specialize to the point ξ2 = 1 on X 2 . By definition of ξ2 the point Pb specializes to ξ2 = 0. Define ξ3 =

γ (1 − 2B)u + 4B 2 v + 2αBw . −2Bv

Then the points Pa and Pa specialize to ξ3 = 0, the points Pb , Pb , and Pc specialize to ξ3 = ∞, and Pc specializes to ξ3 = 1 on X 3 . We conclude that the decorated graph has type IV.2. The components are X1 , X3 , X2 , and a fourth one to which we did not give a name. The reduction type of the curve is Garden. (v) Assume ν(I ) = ν(I3 ) < ν(I6 ). We may assume, without loss of generality, that ν(b ) = ν(A). It follows that ν(B) < ν(a ). Case 1: We first consider the case that ν(A) ≤ ν(B). Lemma 5 implies that Pa , Pa , and Pc specialize to the same point (0 : 1 : 0) of X 0 . The points Pb and Pb specialize to the same point of X0 , as well, and that Pa , Pc , and Pb specialize to pairwise distinct points of X 0 . As in the previous cases, we may check that ξ1 (Pc ) ≡ 0, 1, ∞ (mod π ). We conclude that the decorated graph has type III.5. The irreducible components are X1 , X0 , and X 2 from left to right. The reduction type of Y is Tree. The genus-1 component Y 1 of the stable reduction is the normalization of the component corresponding to coordinate ξ1 . Again, we are in the situation of Example 1 and get j (Y 1 ) ≡

26 (a 2 + 12BC)3 (mod π ). 2a · 4BC

In terms of invariants this can be expressed as j (Y 1 ) ≡ 24 (I + 24 I3 I3 )3 /(I 2 I3 I3 ). Case 2: If we are not in case 1 then ν(A) > ν(B). In this case Pb , Pb , and Pc (resp. Pa , Pa ) specialize to the same point of X0 , and Pa , Pb , Pc specialize to pairwise distinct points on X0 . Moreover, ξ2 (Pc ) ≡ 0, 1, ∞ (mod π ).


As in the previous case, the decorated graph has type III.5 and the reduction type of Y is tree. The component of genus 1 is the unique irreducible component Y 2 above the component X2 corresponding to the coordinate ξ2 . We get j (Y 2 ) ≡

26 (b2 + 12AC)3 (mod π ). 2b · 4AC

In terms of invariants we get the same expression as in the above case, j (Y 2 ) ≡ 24 (I + 24 I3 I3 )3 /(I 2 I3 I3 ). (vi) Assume that ν(I ) = ν(I6 ) < ν(I3 ). We may assume, without loss of generality, that ν(b ) < ν(A) and ν(B) = ν(a ). One computes that the points Pa , Pa , Pb , and Pc specialize to pairwise distinct points on X 1 . Moreover, the points Pb , Pb and Pc specialize to the same point of X 1 . The points Pa , Pa , and Pc specialize to the same point ξ1 = ∞, the points Pb and Pc specialize to the point ξ2 = 1, and Pb specializes to the point ξ2 = 0 on X2 . This shows that X has type III.6: the irreducible components are X1 , X 2 , and a further component from left to right. The reduction type of the curve Y is Winky Cat. As in Example 1 one computes that the j -invariant of the irreducible component Y 1 above X1 is j (Y 1 ) ≡

26 (a 2 + 12BC)3 (mod π ). 2a · 4BC

In terms of invariants, this is j (Y 1 ) ≡ 24 (I6 + 24 I )3 /(I62 I ). Lemma 10 (Theorem 2, Case (g)) Let Y be as in Theorem 2, hence ν(I3 ) = 0. Assume that ν(I3 ) > 0, ν(I3 ) = 0, ν(I6 ) = 0 and ν(I ) > 0. Then the decorated graph has type III.3 and the reduction type of the curve is Loop. The j -invariant of the genus-1 component is j = 16

(I32 − 16I3 I3 + 16I32 )3 I3 I34 (I3 − I3 )

.

Proof From the conditions on the invariants, it follows that ν(a ) = ν(b ) = ν(c ) = 0 and exactly two among ν(A), ν(B), ν(C) are positive. Now Lemma 5 implies that branch points with the same inertia generator do not specialize to the same point on X 0 . Without loss of generality, we may assume that A and B have


positive valuation and that ν(C) = 0. We conclude that the points Pa , Pa , Pb , Pb specialize to pairwise distinct points of X0 . Up to possibly interchanging Pc and Pc , it follows from Lemma 5 that Pc specializes to the same point as one of {Pb , Pb } on X 0 . Analogously using that ν(B) > 0 implies that Pc specializes to the same point as one of {Pa , Pa } on X 0 . Hence the decorated graph has type III.3: the irreducible component X 0 is the middle component of X. The reduction type of the curve is Loop. Let Y 0 be the irreducible component above X 0 of the stable reduction Y of Y . To compute j (Y 0 ) we argue as in the proof of Lemma 6. After applying a suitable coordinate change in GL3 (K) on Y , we find a birational equation for Y 0 : Y 0 : (cx 2 + az2 )y 2 + bx 2 z2 + Cz4 = 0. Setting x = 1 we recognize Y 0 as an elliptic curve and find j (Y 0 ) =

16(I32 − 16I3 I3 + 16I32 )3 16(a 2 b2 + 14abcC + c2 C 2 )3 (mod π ). ≡ abcC(ab − cC)4 I3 I34 (I3 − I3 )
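The expression for j(Y 0) in terms of a, b, c, C at the end of this proof can be checked by hand. The derivation below is added here as a worked check and is not part of the original article; it assumes characteristic different from 2 and 3 and uses the classical invariants of a binary quartic, and the names $w$, $q_i$, $P$, $Q$, $s$, $t$, $u$, $p$ are auxiliary symbols introduced only for this check.

Setting $x = 1$ in $(cx^2 + az^2)y^2 + bx^2z^2 + Cz^4 = 0$ gives $(c + az^2)\,y^2 = -z^2(b + Cz^2)$. Multiplying by $(c + az^2)/z^2$ and putting $w = (c + az^2)\,y/z$ yields the quartic model

$$w^2 = -(c + az^2)(b + Cz^2) = -\bigl(aC\,z^4 + (ab + cC)\,z^2 + bc\bigr).$$

For a quartic $q_4z^4 + q_3z^3 + q_2z^2 + q_1z + q_0$ set $P = 12q_4q_0 - 3q_3q_1 + q_2^2$ and $Q = 72q_4q_2q_0 + 9q_3q_2q_1 - 27q_4q_1^2 - 27q_0q_3^2 - 2q_2^3$. The Jacobian of $w^2 = q(z)$ is $Y^2 = X^3 - 27PX - 27Q$, so

$$j = \frac{6912\,P^3}{4P^3 - Q^2}.$$

Here $q_4 = -aC$, $q_2 = -(ab + cC)$, $q_0 = -bc$ and $q_3 = q_1 = 0$. Writing $s = ab$ and $t = cC$,

$$P = 12st + (s + t)^2 = s^2 + 14st + t^2, \qquad Q = -72st(s + t) + 2(s + t)^3 = 2(s + t)(s^2 - 34st + t^2).$$

With $u = s + t$ and $p = st$ this reads $P = u^2 + 12p$ and $Q = 2u(u^2 - 36p)$, hence

$$4P^3 - Q^2 = 4\bigl(u^6 + 36u^4p + 432u^2p^2 + 1728p^3\bigr) - 4\bigl(u^6 - 72u^4p + 1296u^2p^2\bigr) = 432\,p\,(u^2 - 4p)^2 = 432\,st\,(s - t)^4.$$

Therefore

$$j = \frac{6912\,(s^2 + 14st + t^2)^3}{432\,st\,(s - t)^4} = \frac{16\,(a^2b^2 + 14abcC + c^2C^2)^3}{abcC\,(ab - cC)^4},$$

which is the expression in a, b, c, C given in the proof of Lemma 10.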

Lemma 11 (Theorem 2, Case (h)) Let Y be as in Theorem 2, hence ν(I3 ) = 0. Assume ν(I3 ) > 0, ν(I3 ) > 0, ν(I ) > 0, and ν(I6 ) = 0. Then the decorated graph has type IV*.3 and the reduction type of the curve is Looop.

Proof From the conditions on the invariants, it follows that ν(a ) = ν(b ) = ν(c ) = 0 and ν(A), ν(B), ν(C) are positive. Lemma 5 implies that branch points with the same inertia generator do not specialize to the same point on X0. Moreover, for every pair i ≠ j ∈ {a, b, c} one of the branch points with inertia generator σi and one of the branch points with inertia generator σj specialize to the same point of X 0. We conclude that the decorated graph has type IV*.3.

4.2 Main Result with Degenerate Conic

As in Sect. 4.1 we write X0 for the model of X defined by Eq. (2) and X 0 for its special fiber. Since we assume that the left-hand side of Eq. (2) for X is normalized as in Proposition 3, X0 is indeed a model, and X0 is a conic over the residue field k of K. In this section we prove Theorem 3, which treats the case that X 0 is degenerate. Recall that this implies that I3 = (X) has positive valuation. The classification of degenerate conics in characteristic different from 2 implies therefore that X0 is either reducible or non-reduced. In the first case, X0 consists of two irreducible components. In the second case the underlying reduced scheme X 0^red is irreducible.


Proposition 7 Assume that ν(I3 ) is positive.

(i) The curve X 0 is reducible and the points Pa , Pa specialize to different irreducible components of X 0 if and only if ν(a ) is zero.
(ii) The curve X 0 is non-reduced and X 0^red is irreducible if and only if ν(a ), ν(b ) and ν(c ) are all positive.
(iii) Assume that X 0 is reduced and ν(C) = 0. Let α (respectively β) be a root of pa(T) = T^2 − 2aT + 4BC (respectively pb(T) = T^2 − 2bT + 4AC). Then the two points Pa = (0 : −2C : α) and Pb = (−2C : 0 : β) specialize to the same irreducible component of X 0 if and only if the valuation of α(2b − β) + (2a − α)β − 4Cc is positive.

Proof
(i) If ν(a ) is positive, then the two roots of T^2 − 2aT + 4BC are congruent modulo π, thus Pa , Pa specialize to the same point on X0. Assume that ν(a ) = 0 and that Pa , Pa specialize to the same irreducible component of X 0^red. This also includes the case that X0 is reduced. We denote the irreducible component of X 0^red to which Pa , Pa specialize by X1. It follows from Eq. (2) that u = 0 is an equation for X1. But u is a factor of the left-hand side of Eq. (2) (mod π) if and only if the valuations of B, C, and a are positive, which contradicts the assumption ν(a ) = 0. Statement (i) follows.

(ii) Assume that X 0 is non-reduced. Then X0^red is irreducible and the left-hand side of Eq. (2) modulo π is a square. We conclude that we may choose square roots of A, B, C (mod π) such that

$$2\sqrt{AB} \equiv c, \qquad 2\sqrt{AC} \equiv b, \qquad 2\sqrt{BC} \equiv a.$$

This implies that the valuations of a , b and c are positive. The converse is similar. Statement (ii) follows.

(iii) Assume that X0 is reduced and ν(C) = 0. We write X 1 and X2 for the irreducible components of X 0. Note that if Pa and Pb specialize to the same irreducible component X 1 of X 0, then X 1 is defined by X1 : βu + αv + 2Cw = 0. We write α  = 2a − α (resp. β  = 2b − β) for the second root of pa (resp. pb ). Statement (i) implies that the points Pa = (0 : α : −2B) = (0 : −2C : α  ) and Pb = (β : 0 : −2A) = (−2C : 0 : β  ) specialize to X2, which may be given by X 2 : β  u + α  v + 2Cw = 0. Computing the product of the equations for X 1 and X2 we obtain


(βu + αv + 2Cw)(β  u + α  v + 2Cw) = 4CAu2 + 4BCv 2 + 4C 2 w 2 + 4Cavw + 4Cbuw + (αβ  + α  β)uv. The right-hand side of this equation is congruent to the left-hand side of Eq. (2) if and only if ν(α(2b − β) + (2a − α)β − 4Cc) > 0. Lemma 12 (Theorem 3, Case (a)) Let Y be as in Theorem 3, hence we have ν(I3 ) > 0. Assume that ν(I3 ) = ν(I6 ) = 0. Then the decorated graph has type II.2 and the reduction of the curve is DNA. Proof From the conditions on the invariants, it follows that the valuations of A, B, C, a, b, c are zero. Then, by Lemma 5, all 6 branch points specialize to pairwise distinct points of X 0 . Proposition 7 implies that X0 is reducible, and the branch points with the same inertia generator specialize to different irreducible components of X0 . Therefore the decorated graph has type II.2, thus the reduction of the curve is DNA.   Lemma 13 (Theorem 3, Case (b)) Let Y be as in Theorem 3, in particular ν(I3 ) > 0. Assume that ν(I6 ) > 0 and ν(I ) = 0. Then one of the following occurs: (i) if ν(I6 ) > ν(I3 ), the decorated graph has type IV*.2 and the reduction of the curve is DNA; (ii) if ν(I6 ) < ν(I3 ), the decorated graph has type IV.5 and the reduction of the curve is Braid; and (iii) otherwise, the decorated graph has type III.4, the reduction type of the curve is Candy, and the j -invariants of the genus-1 components of the special fiber are j1 = j2 = 1728. Proof It follows from the conditions ν(I6 ) > 0 and ν(I ) = 0 that exactly one among ν(a ), ν(b ), ν(c ) is positive. Without loss of generality we may assume that ν(a ) > 0. Then ν(I ) = 0 also implies ν(BC) = 0. It follows from Proposition 7 that X 0 is reduced, has two irreducible components and the points Pa , Pa both specialize to the intersection of these two components. Now, fix β and γ to be roots of pb (T ) = T 2 − 2bT + 4AC and pc (T ) = 2 T − 2cT + 4AB, respectively, that have valuation 0. 
Claim: We may choose β and γ so that they additionally satisfy ν((2b − β)γ + β(2c − γ ) − 4Aa) > 0. Moreover, there exist coordinates ξ1 and ξ2 such that Pa and Pa specialize to the intersection point τ of the corresponding irreducible components X1 and X2 and Pb and Pc (respectively Pb and Pc ) specialize to pairwise distinct points of X1 (respectively X2 ) different from τ . Assume first that ν(A) = 0. Then all the roots of pb and pc have valuation 0. In this case it follows from the proof of Proposition 7(iii) that we may choose β and γ as in the claim. That proof then also implies that Pb and Pc (resp. Pb , Pc ) specialize


to the same component of X 0 . Moreover, Proposition 7(i) implies that the points Pb , Pb , Pc , Pc specialize to pairwise distinct points on X 0 . This proves the claim in this case. Next assume that ν(A) is positive. Then ν((2b − β)γ + β(2c − γ ) − 4Aa) > 0 for any choice of β and γ , but there are unique roots β of pb and γ of pc with ν(β) = ν(γ ) = 0. With this choice, we have that Pb and Pc both specialize to the point (1 : 0 : 0) in the smooth locus of X 0 and in particular to the same irreducible component of X. Let ξ1 and ξ2 be coordinates corresponding to t1 = (Pb , Pc , Pa ) and t2 = (Pb , Pc , Pa ) as in Sect. 2.4. The corresponding components X 1 and X 2 satisfy the conditions in the claim. It remains to compute a component separating Pa , Pa . Consider ξ3 =

βu + αv + 2Cw . 2v(α − a)

This is the coordinate corresponding to t3 = (Pa , Pa , Pb ). One checks ξ3 (Pc ) = ∞. The decorated graph of X depends on the value of ξ3 (Pb ) = ξ3 (Pc ). Using Eq. (2) and that β is a root of pb we find the equivalent expression for the coordinate ξ3 =

−2β(cu + Bv + aw) + α(2Au + βw) . 2(α − a)(2Au + βw)

We obtain ξ3 (Pb ) =

4cC − α(2b − β) − (2a − α)β . 4(α − a)(β − b)

Note that the discriminant factors as follows: (X) = (4cC − α(2b − β) − (2a − α)β)(4cC − αβ − (2a − α)(2b − β)). Let δ = ν(−4Cc + α(2b − β) + (2a − α)β) and note ν(−4Cc+αβ+(2a−α)(2b−β))=ν(4(α−a)(β−b)−4Cc+α(2b−β)+(2a−α)β) ≥ min(ν((α − a)(β − b)), δ), where ν(α − a) = 12 ν(a ). Then, we are in one of the following cases: • If 2δ < ν(a ), then one has ν((X)) = 2δ < ν(a ) and ξ3 (Pb ) = ∞. In this case, X is of type IV*.2. The component X3 is the left most vertical component. • If 2δ > ν(a ), then one has ν((X)) = δ +1/2ν(a ) > ν(a ), and ξ(Pb ) = 0. In this case, X is of type IV.5. The component X3 is the one in the middle that intersects X1 .


• If 2δ=ν(a ) and ν(αβ+(2a−α)(2b−β)−4Cc)>δ, one has ν((X)) > ν(a ), and ξ(Pb ) = 1. In this case, X is again of type IV.5, but the component X 3 is the one in the middle that intersects X 2 . • Lastly, if 2δ = ν(a ) and ν(αβ + (2a − α)(2b − β) − 4Cc) = δ, then one has ν((X)) = ν(a ), and ξ(Pb ) = 0, 1, ∞. In this case, X is of type III.4. The component X3 is the central one. This yields the case distinction from the statement of the lemma. It remains to compute the j -invariant of the two components of the stable reduction Y of Y in case (iii) of the lemma. In this case Y consists of two genus-1 curves Y 1 and Y 2 intersecting in two points. These two curves are permuted by the action of σb and σc . Hence Y 1 Y 2 . The map f : Y → X extends to a finite and flat map f : Y → X3 , where X 3 is the special fiber of the model of X defined by the coordinate ξ3 . Moreover, f is Galois with Galois group V . The map f : Y → X factors as Y → Y / σi → X for i ∈ {a, b, c}. We write ◦ ◦ Y = Y 1  Y 2 for the normalization of Y . The induced map f : Y → Y / σi for i = b, c just identified the two irreducible components. It follows that the elliptic curve Ei = Y / σi has good reduction for i = b, c and its reduction is Ei = Y / σi . This implies that Eb and Ec are elliptic curves and they are both isomorphic to Y 1 Y 2 . Therefore j (Y 1 ) ≡ j (Y 2 ) ≡ j (Eb ) ≡ j (Ec ) (mod π ). To compute j (Y 1 ) it remains therefore to compute the reduction of j (Eb ) (mod π ). We have Eb : Ax 4 + Bv 2 + Cz4 + avz2 + bz2 x 2 + cx 2 v = 0. After a change of coordinates in GL3 (O), we can assume B = C = 1, a = 2+a1 π1 and c = b +b1 π12 for a suitable element π1 ∈ O of positive valuation. A direct computation of the j -invariant yields j (Eb ) ≡ 1728 mod π .   Lemma 14 (Theorem 3, Case (c)) Let Y be as in Theorem 3 and assume that ν(I3 ) = 0, ν(I3 ) > 0, ν(I6 ) > 0 and ν(I ) > 0. Then Y has (maybe bad) hyperelliptic reduction. 
More specifically, (i) if 2ν(I6 ) = 3ν(I3 ) ≤ 6ν(I3 ), then Y has good hyperelliptic reduction, (ii) if 2ν(I6 ) > 3ν(I3 ) and 2ν(I3 ) ≥ ν(I3 ) = ν(I32 − 16I3 I3 ), then the decorated graph has type II.3 and the reduction of the curve is Loop, (iii) if 2ν(I6 ) > 3ν(I3 ) and 2ν(I3 ) = ν(I3 ) < ν(I32 − 16I3 I3 ), then the decorated graph has type III.1 and the reduction of the curve is DNA, (iv) if 2ν(I6 ) < 3ν(I3 ) and 3ν(I3 ) ≥ ν(I6 ), then the decorated graph has type II.2 and the reduction of the curve is DNA, (v) if 3ν(I3 ) < ν(I3 I3 ) < ν(I6 ), then the decorated graph has type IV*.2 and the reduction of the curve is DNA, (vi) if 3ν(I3 ) < ν(I6 ) < ν(I3 I3 ), then the decorated graph has type IV.5 and the reduction of the curve is Braid, and (vii) if 3ν(I3 ) < ν(I3 I3 ) = ν(I6 ), then the decorated graph has type III.4 and the reduction of the curve is Candy.


Proof It follows from the conditions on the invariants that ν(A), ν(B) and ν(C) are zero and that ν(a ), ν(b ) and ν(c ) are all positive. Therefore, the special fiber X0 of the model of X defined by Eq. (2) is nonreduced, see Proposition 7. We claim that Y has (not necessarily good) hyperelliptic reduction. Note that there exists a choice of square roots such that the equation of Y can be written as √ √ √ √ √ √ ( Ax 2 + By 2 + Cz2 )2 + (a − 2 BC)y 2 z2 + (b − 2 AC)x 2 z2 + (c − AB)x 2 y 2 = 0,

in such a way that the coefficients of x 2 y 2 , y 2 z2 and z2 x 2 have all positive valuation. Let π1 ∈ O be an element with √ √ √ min{ν(a − 2 BC), ν(b − 2 AC), ν(c − AB)}/2. √ Assume that the minimum of these valuations is attained by a − 2 BC, then we can rewrite the equation of Y as follows:  √ √ √ π12 t 2 = −((a − 2 BC)y 2 z2 + (b − 2 AC)x 2 z2 + (c − ABx 2 y 2 )r ), Y : √ √ √ π1 t = Ax 2 + By 2 + Cz2 . (9) After making a suitable change of coordinates in GL3 (K) that sends the conic √ √ √ Ax 2 + By 2 + Cz2 = 0 to x12 −y1 z1 = 0, and taking z1 = 1 and y1 = x12 in the reduction of the first equation defining Y in Eq. (9), we get a hyperelliptic equation t 2 = x18 + Mx16 + N x14 + Mx12 + 1 with coefficients: √ √ b B −c C , M = −4 √ √ A(a − 2 BC) √ √ √ b B + c C − 4 ABC . N = −2 + 8 √ √ A(a − 2 BC) Its invariants, as defined in Proposition 8, are (L1 : L2 : L3 ) = (2I3 : 16I3 I3 : −4I6 I3 ) ∈ P21,2,3 . Notice that this equality of projective points is not a coordinate-wise equality, but one in a weighted projective space. Let π2 ∈ O be an element of valuation min(ν(L1 ), ν(L2 )/2, ν(L3 )/3). Then we have

2I3 16I3 I3 −4I6 I3 (L1 : L2 : L3 ) = : : ∈ P21,2,3 . π2 π22 π23


This is still not a coordinate-wise equality, but a coordinate-wise valuation equality. It follows that we may assume that min(ν(L1 ), ν(L2 ), ν(L3 )) = 0. Rewriting the normalized invariants in Theorem 4 in terms of I3 , I3 , I3 , I6 and I yields the result.

Lemma 15 (Theorem 3, Case (d)) Let Y be as in Theorem 3, hence ν(I3 ) > 0. Assume that ν(I3 ) > 0, ν(I6 ) = 0 and ν(I ) = 0, then the decorated graph has type III.7 and the reduction type of the curve is Cave.

Proof From the conditions on the invariants, it follows that ν(a ) = ν(b ) = ν(c ) = 0 and exactly one of ν(A), ν(B), ν(C) is positive. We may assume that ν(A) > 0. Proposition 7 implies that X0 is reducible and that branch points with the same inertia generator specialize to different irreducible components of X0 . Proposition 3 implies that one of the branch points Pb , Pb and one of the branch points Pc , Pc specialize to the same irreducible component of X0 . Moreover, that proposition implies that none of the branch points specialize to the singular point of X0 . Hence the decorated graph has type III.7 and the reduction type of the curve is Cave.

Lemma 16 (Theorem 3, Case (e)) Let Y be as in Theorem 3, in particular ν(I3 ) > 0. Assume that ν(I3 ) > 0, ν(I3 ) = 0 and ν(I ) > 0, then the decorated graph has type IV.4 and the reduction of the curve is Braid.

Proof From the conditions on the invariants and Eq. (6), it follows that ν(a ) = ν(b ) = ν(c ) = 0 and exactly two among ν(A), ν(B), ν(C) are positive. We may assume, without loss of generality, that ν(C) = 0. Now Proposition 7 implies that X0 is reducible and that branch points with the same inertia generator specialize to different irreducible components of X0 . Moreover, Proposition 7(iii) implies that Pc specializes to the same point as one of {Pb , Pb } on X and Pc specializes to the same point as one of {Pa , Pa } up to renaming Pc and Pc . Hence the decorated graph has type IV.4. The two irreducible components of X0 are the central ones. The reduction of the curve is Braid.

5 Hyperelliptic Case

In this section we give an analogous result to Theorems 2 and 3 for the hyperelliptic case, i.e., for curves in $\mathcal{M}^{\mathrm{hyp}}_{3,V}$. Recall that $(K, \nu)$ is a complete discretely valued field of characteristic 0 and residue characteristic $p \ge 0$ different from 2. Recall that we replace $K$ by a finite extension, if necessary, without changing the notation.

Let $Y/K$ be a genus-3 hyperelliptic curve such that $\mathrm{Aut}_K(Y)$ contains a subgroup $V \cong C_2 \times C_2$ such that for every non-trivial element $\sigma \in V$ the quotient $Y/\langle\sigma\rangle$ has genus 1. Then we can write (see [5, Section 4.3] or [19, Table 3]):

$$Y : y^2 = x^8 + Mx^6 + Nx^4 + Mx^2 + 1, \tag{10}$$

and we identify $V$ with the group generated by $\sigma_1(x, y) = (-x, y)$ and $\sigma_2(x, y) = (1/x, y/x^4)$. We set $\sigma_3 := \sigma_1\sigma_2$. In particular, the genus-3 hyperelliptic curve $Y$ is a $V$-Galois cover of a conic, and we obtain the following diagram.

where $Y : y^2 = x^8 + Mx^6 + Nx^4 + Mx^2 + 1$ and $X : w^2 = v^2 + (M - 4)v + (-2M + N + 2)$ with $w = y/x^2$ and $v = (x + 1/x)^2$. Moreover, we compute the discriminants

$$\Delta(Y) = 2^4(-2M + N + 2)^2(2M + N + 2)^2(M^2 - 4N + 8)^4, \qquad \Delta(X) = M^2 - 4N + 8.$$

The problem with the hyperelliptic model given in Eq. (10) is that it is singular at the infinity point $(0 : 1 : 0)$ and it is not easy to keep track of the ramification data. Instead, we choose to work with the smooth model:

$$Y : \begin{cases} t^2 = y^4 + My^3z + Ny^2z^2 + Myz^3 + z^4, \\ 0 = x^2 - yz \end{cases} \subseteq \mathbb{P}^3_{K,(1,1,1,2)},$$

where now the automorphisms are given by

$$\sigma_1((x : y : z : t)) = (-x : y : z : t) \quad\text{and}\quad \sigma_2((x : y : z : t)) = (x : z : y : t). \tag{11}$$

We get the following equation for the conic $X := Y/V$:

$$Y \to X : w^2 = v^2 + (M - 4)uv + (-2M + N + 2)u^2 \subseteq \mathbb{P}^2_K, \qquad (x : y : z : t) \mapsto (u : v : w) = (x^2 : (y + z)^2 : t), \tag{12}$$

and the six branch points in $X$ are

$$\begin{aligned} \sigma_1 &: P_1 = (0 : 1 : 1), & P_1 &= (0 : 1 : -1), \\ \sigma_2 &: P_2 = (1 : 4 : \lambda), & P_2 &= (1 : 4 : -\lambda), \\ \sigma_3 &: P_3 = (1 : 0 : \mu), & P_3 &= (1 : 0 : -\mu), \end{aligned} \tag{13}$$

where $\lambda$ is a root of $T^2 - (2M + N + 2)$ and $\mu$ is a root of $T^2 - (-2M + N + 2)$. Note that the discriminant of this conic is still $\Delta(X) = M^2 - 4N + 8$.

Remark 8 If $\nu(\Delta(X)) > 0$, then the conic always reduces to the product of two different lines $\left(\frac{M-4}{2}u + v - w\right)\left(\frac{M-4}{2}u + v + w\right)$.

5.1 Invariants

Shioda [26] gives 9 invariants $J_2, J_3, \ldots, J_{10}$ for genus-3 hyperelliptic curves, which we call the Shioda invariants. The Shioda invariants parametrize the 5-dimensional locus of hyperelliptic curves $\mathcal{M}_3^{\mathrm{hyp}}$ inside the moduli space of genus-3 curves $\mathcal{M}_3$. The stratum $\mathcal{M}^{\mathrm{hyp}}_{3,V}$ is the intersection of $\mathcal{M}_{3,V}$ with $\mathcal{M}_3^{\mathrm{hyp}}$, and by Lemma 1(3) it is a 2-dimensional stratum.

In [19, Lemma 3.14], the authors give (sufficient and necessary) conditions in terms of the Shioda invariants for a curve to belong to the stratum $\mathcal{M}^{\mathrm{hyp}}_{3,V}$. Loc. cit. also gives expressions to compute parameters $M, N$ from the Shioda invariants, thus obtaining a model $Y : y^2 = x^8 + Mx^6 + Nx^4 + Mx^2 + 1$.

However, using the Shioda invariants restricted to the stratum $\mathcal{M}^{\mathrm{hyp}}_{3,V}$ is not practical to characterize the stable reduction of $Y$, so we define invariants for the stratum $\mathcal{M}^{\mathrm{hyp}}_{3,V}$.

Proposition 8 The invariant ring of $\mathcal{M}^{\mathrm{hyp}}_{3,V}$ is generated by the following invariants of weight 1, 2 and 3 respectively:

$$L_1 = N + 10, \qquad L_2 = M^2 - 4N + 8, \qquad L_3 = (2M + N + 2)(2M - N - 2).$$

Proof First we need to check that they are invariants, and secondly that they generate the ring of invariants. Isomorphisms between hyperelliptic curves $y^2 = f(x, z)$ are given by linear maps $(x, z) \mapsto (a_{11}x + a_{12}z, a_{21}x + a_{22}z)$. Since the isomorphisms between curves in the family $y^2 = x^8 + Mx^6 + Nx^4 + Mx^2 + 1$ preserve the automorphism group generated by $(x, z) \mapsto (-x, z)$ and $(x, z) \mapsto (z, x)$, every isomorphism can be written as a composition of $i : (x, z) \mapsto (x, -z)$, $r : (x, z) \mapsto (x + z, x - z)$ and automorphisms of the curve. Notice that $r^2 = i^2 = (ri)^3 = \mathrm{Id}$, and that they generate a finite group $G$ isomorphic to $S_3$. This implies that all the curves isomorphic to the one with parameters $(M, N)$ are the curves with parameters:

$$\begin{gathered} (M, N), \qquad (-M, N), \\ \left(\frac{8M - 4N + 56}{2M + N + 2}, \frac{-20M + 6N + 140}{2M + N + 2}\right), \qquad \left(-\frac{8M - 4N + 56}{2M + N + 2}, \frac{-20M + 6N + 140}{2M + N + 2}\right), \\ \left(\frac{-8M - 4N + 56}{-2M + N + 2}, \frac{20M + 6N + 140}{-2M + N + 2}\right), \qquad \left(-\frac{-8M - 4N + 56}{-2M + N + 2}, \frac{20M + 6N + 140}{-2M + N + 2}\right). \end{gathered} \tag{14}$$

We proceed as in the proof of Proposition 5. Magma [3] produces the invariants $L_1$, $L_2$ and $L_3$ as generators of the algebra of invariants $K[M, N]^G$ for the fields $\mathbb{F}_3$ and $\mathbb{Q}$. Again, Molien's Formula [11, Theorem 3.2.2] extends the result to any field of characteristic different from 2.

Remark 9 The following equalities hold: $\Delta(X) = L_2$ and $\Delta(Y) = 2^4 L_2^4 L_3^2$.

Remark 10 If the curve $Y \in \mathcal{M}^{\mathrm{hyp}}_{3,V}$ has a model as in Eq. (10) given by the parameters $(M, N)$, then there is always a pair in Eq. (14) such that the valuation of both terms is non-negative, so again the valuation of the invariants $L_i$ can be assumed to be non-negative. In this situation, the valuations of the three invariants $L_i$ cannot be simultaneously positive. Indeed, in that case $N \equiv -10 \bmod \pi$ because of $\nu(L_1) > 0$, and $M^2 \equiv 16 \bmod \pi$ because of $\nu(L_3) > 0$, but then $L_2 \equiv 64 \bmod \pi$ and $\nu(L_2)$ cannot be positive.

Proposition 9 Let $y^2 = x^8 + Mx^6 + Nx^4 + Mx^2 + 1$ be a hyperelliptic curve in $\mathcal{M}^{\mathrm{hyp}}_{3,V}$ with invariants $L_1, L_2, L_3$ defined as in Proposition 8. It has potentially good reduction if and only if $\nu(L_1^2/L_2) \ge 0$ and $\nu(L_2^3/L_3^2) = 0$.

Proof By Remark 10, we can assume $M, N, L_i \in O$ and that at least one of the $L_i$ has valuation zero. If $\nu(L_1^2/L_2) \ge 0$ and $\nu(L_2^3/L_3^2) = 0$ hold, then we have $\nu(L_1) \ge \nu(L_2)/2 = \nu(L_3)/3 \ge 0$. This gives us $\nu(L_2) = \nu(L_3) = 0$ and $\nu(\Delta(Y)) = \nu(2^4 L_2^4 L_3^2) = 0$. Hence the curve has good reduction. Conversely, assume the curve has potentially good reduction; then there exists a hyperelliptic curve model of $Y$ having good reduction. Because of Corollary 3.5 in [17] this model can be taken of the form $y^2 = x^8 + Mx^6 + Nx^4 + Mx^2 + 1$ with $M, N \in O$ and $\nu(\Delta(Y)) = 0$. Now, because of Remark 10 we can also assume $\nu(L_1), \nu(L_2), \nu(L_3) \ge 0$. So $\nu(L_1^2/L_2) \ge 0$ and $\nu(L_2^3/L_3^2) = 0$.
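The following Python block is an added example, not code from the paper or its repository [2]: it computes the invariants of Proposition 8 with exact rationals, lists the six parameter pairs of Eq. (14), and evaluates the criterion of Proposition 9 over $\mathbb{Q}_p$ for an odd prime $p$. The function names and the scaling factor `c = 16/(±2M + N + 2)` are assumptions of this example (the factor is derived here from $L_1 = N + 10$, it is not stated on the page).

```python
from fractions import Fraction


def invariants(M, N):
    """L1, L2, L3 of Proposition 8 for y^2 = x^8 + M x^6 + N x^4 + M x^2 + 1."""
    M, N = Fraction(M), Fraction(N)
    return (N + 10, M * M - 4 * N + 8, (2 * M + N + 2) * (2 * M - N - 2))


def equivalent_parameters(M, N):
    """Pairs of Eq. (14), each with the factor c such that L_i scales by c**i.

    The factor c is worked out in this example, not taken from the page.
    """
    M, N = Fraction(M), Fraction(N)
    pairs = [((M, N), Fraction(1)), ((-M, N), Fraction(1))]
    for s in (1, -1):  # s = 1 divides by 2M+N+2, s = -1 by -2M+N+2
        d = 2 * s * M + N + 2
        if d == 0:  # then L3 = 0 and the model is singular
            continue
        m2 = (8 * s * M - 4 * N + 56) / d
        n2 = (-20 * s * M + 6 * N + 140) / d
        c = Fraction(16) / d
        pairs += [((m2, n2), c), ((-m2, n2), c)]
    return pairs


def valuation(x, p):
    """p-adic valuation of a rational number (infinity for 0)."""
    x = Fraction(x)
    if x == 0:
        return float("inf")
    v, num, den = 0, x.numerator, x.denominator
    while num % p == 0:
        num //= p
        v += 1
    while den % p == 0:
        den //= p
        v -= 1
    return v


def potentially_good_reduction(M, N, p):
    """Proposition 9: nu(L1^2/L2) >= 0 and nu(L2^3/L3^2) = 0 (residue char != 2)."""
    if p == 2:
        raise ValueError("the residue characteristic must differ from 2")
    L1, L2, L3 = invariants(M, N)
    if L2 == 0 or L3 == 0:
        raise ValueError("Delta(Y) = 0: the model is not a smooth genus-3 curve")
    # Both quantities have weight 0, so they do not depend on which pair of
    # Eq. (14) represents the curve, nor on the normalization of Remark 10.
    return valuation(L1 ** 2 / L2, p) >= 0 and valuation(L2 ** 3 / L3 ** 2, p) == 0


if __name__ == "__main__":
    for (m, n), c in equivalent_parameters(1, 1):  # constructed sample curve
        print(m, n, invariants(m, n), potentially_good_reduction(m, n, 5))
```
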


5.2 The Main Theorem and Its Proof

We characterize the possible reduction types of a genus-3 hyperelliptic curve $Y$ in $\mathcal{M}^{\mathrm{hyp}}_{3,V}$ in terms of the invariants $L_1$, $L_2$ and $L_3$ defined in Proposition 8. Because of Proposition 9, and once the invariants are normalized as in Remark 10, $Y$ has potentially good reduction if and only if $\nu(\Delta(Y)) = 0$. The theorem below describes the different types of bad reduction when $\nu(\Delta(Y)) > 0$.

Theorem 4 Let $Y$ be a hyperelliptic genus-3 curve defined by

$$Y : t^2 = y^4 + My^3z + Ny^2z^2 + Myz^3 + z^4, \quad x^2 = yz \;\subseteq\; \mathbb{P}^3_{1,1,1,2}$$

and normalized as in Remark 10. Let $X$ be the conic $Y/\langle\sigma_1, \sigma_2\rangle$ with $\sigma_1, \sigma_2$ given as in Eq. (11). Then if the valuation of $\Delta(Y)$ is positive, $Y$ has geometric bad reduction and one of the cases in Table 3 occurs.

Proof Recall $\Delta(Y) = 2^4 L_3^2 \Delta(X)^4$ and $\Delta(X) = L_2$, and assume $\nu(\Delta(Y)) > 0$. If the valuation $\nu(L_2)$ is zero, then $\nu(L_3) > 0$ holds, i.e., at least one of the valuations $\nu(2M + N + 2)$, $\nu(-2M + N + 2)$ is positive; and the conic $X$ has good reduction. If exactly one of them is positive, that is, $\nu(N + 2) = 0$, then the special fiber X of the stably marked model of $X$ is of type II.3. Otherwise, if both $\nu(2M + N + 2)$ and $\nu(-2M + N + 2)$ are positive, and hence $\nu(N + 2) > 0$ and $\nu(L_1) = 0$, then the special fiber X of the stably marked model of $X$ is of type III.1. Statements (a) and (b) then follow from noticing that if $\nu(L_1) > 0$, then we write

$$2^3 L_3 - 2^2 L_2 L_1 + L_1^3 = -(N + 2)(L_3 - 2^5 L_1),$$

hence $\nu(N + 2) > 0$ if and only if $\nu(L_1^2 - 4L_2) > 0$.

Suppose now $\nu(L_2) > 0$. Then by Remark 8, the conic X is a product of two lines. If $\nu(L_3) = 0$, that is, we are in case (c), then the branch points P1 and P1 specialize to different lines by Proposition 7(i), and the same holds for P2 , P2 and P3 , P3 . So we obtain that X is of type II.2.

Table 3 Cases of Theorem 4

Case     ν(L1)  ν(L2)  ν(L3)  Other conditions       Decorated graph  Stable curve
(a)             = 0    > 0    ν(L1^2 − 4L2) = 0      II.3             Loop
(b)      = 0    = 0    > 0    ν(L1^2 − 4L2) > 0      III.1            DNA
(c)             > 0    = 0                           II.2             DNA
(d.i)    = 0    > 0    > 0    ν(L2 L1) < ν(L3)       IV*.2            DNA
(d.ii)   = 0    > 0    > 0    ν(L2 L1) > ν(L3)       IV.5             Braid
(d.iii)  = 0    > 0    > 0    ν(L2 L1) = ν(L3)       II.4             Candy

Finally we assume $\nu(L_2) > 0$, $\nu(L_3) > 0$. We write

$$L_2 = (M + 4 - 2\lambda)(M + 4 + 2\lambda) = (M - 4 - 2\mu)(M - 4 + 2\mu), \tag{15}$$

where $\lambda$ is a root of $T^2 - (2M + N + 2)$ with $\nu(\lambda) > 0$ and $\mu$ is a root of $T^2 - (-2M + N + 2)$ with $\nu(\mu) = 0$. Notice that we get $\nu(M + 4) > 0$ and $\nu(M - 4) = 0$ by Eq. (15). Then the conic X reduces to a product of two lines and the branch points P2 and P2 specialize to $(1 : 4 : 0)$, the intersection of the lines. Consider the coordinate

$$\xi = \frac{-(4 + \lambda)u + v + w}{(4 - \lambda)u - v + w},$$

where $u, v, w$ are the coordinates of $X$ as in Eq. (12), which satisfies ξ(P1 ) = ∞, ξ(P1 ) = 0, ξ(P2 ) = 1 and ξ(P2 ) = $(M + 4 - 2\lambda)(M + 4 + 2\lambda)^{-1}$. Depending on the value of ξ(P2 ) we get different possibilities for the decorated graph. We have:

$$\xi(P_2) = \begin{cases} \infty & \text{iff } \nu(M + 4 + 2\lambda) > \nu(M + 4 - 2\lambda) \text{ (type IV.5)}, \\ 0 & \text{iff } \nu(M + 4 + 2\lambda) < \nu(M + 4 - 2\lambda) \text{ (type IV.5)}, \\ 1 & \text{iff } \nu(M + 4 + 2\lambda) = \nu(M + 4 - 2\lambda) = \nu(M + 4) < \nu(\lambda) \text{ (type IV*.2)}, \\ \neq 0, \infty, 1 & \text{iff } \nu(M + 4 + 2\lambda) = \nu(M + 4 - 2\lambda) = \nu(\lambda) \le \nu(M + 4) \text{ (type III.4)}. \end{cases}$$

The different cases there can be rewritten as:

1. Case IV*.2 if and only if $2\nu(M^2 - 16) \ge \nu(L_2)$ and $2\nu(M^2 - 16) < \nu(L_3)$,
2. Case IV.5 if and only if $2\nu(M^2 - 16) < \nu(L_2)$, and
3. Case III.4 if and only if $2\nu(M^2 - 16) \ge \max\{\nu(L_2), \nu(L_3)\}$;

and one can check that these conditions are equivalent to the ones in the statement.

Corollary 2
(i) The j-invariant of the genus-1 component of the special fiber in Theorem 4(a) is $j = 2^4(12L_2 + L_1^2)^3/((4L_2 - L_1^2)^2 L_2)$.
(ii) The j-invariants of the two genus-1 components of the special fiber in Theorem 4(d.iii) are equal to 1728.

Proof (i) In order to compute the j-invariant of the elliptic curve component $E$ of Y in case (a), we assume first that $\nu(-2M + N + 2) > 0$. Then modulo $\pi$ the equation of $Y$ reduces to

$$y^2 = (x^2 + 1)^2(x^4 + (M - 2)x^2 + 1),$$

so the elliptic curve we are looking for is $\left(\frac{y}{x^2 + 1}\right)^2 = x^4 + (M - 2)x^2 + 1$ with

$$j = \frac{2^4(12L_2 + L_1^2)^3}{(4L_2 - L_1^2)^2 L_2} \bmod \pi.$$

(ii) In order to compute the j-invariants of the two elliptic curves in case (d.iii) we proceed as in Lemma 13(iii) to get that the two elliptic curves are isomorphic to each other and isomorphic to the intermediate elliptic curves $E_1 = Y/\langle\sigma_1\rangle$ and $E_2 = Y/\langle\sigma_2\rangle$ or $E_3 = Y/\langle\sigma_3\rangle$ depending on $\pm 2M + N + 2$ having positive valuation. The elliptic curve $E_1$ is given by the equation $y^2 = x^4 + Mx^3 + Nx^2 + Mx + 1$, where $\nu(N - 6) = 2\nu(M \pm 4)$, and hence with j-invariant $j \equiv 1728 \bmod \pi$.

Appendix: Admissible Covers

Fig. A.1 Stably marked curve with 6 marked points and one component (I)

Fig. A.2 Stably marked curves with 6 marked points and two components (panels II.1, II.2, II.3, II.4)

Fig. A.3 Stably marked curves with 6 marked points and three components (panels III.1, III.2, III.3, III.4, III.5, III.6, III.7)

Fig. A.4 Stably marked curves with 6 marked points and four components, all containing at least one marked point (panels IV.1, IV.2, IV.3, IV.4, IV.5)

Fig. A.5 Stably marked curves with 6 marked points and four components, one of which doesn't contain any marked point (panels IV*.1, IV*.2, IV*.3)

Fig. A.6 Admissible covers. The genus-2 components correspond to the thick dashed lines, and the genus-1 components correspond to the thick solid lines. The remaining components have genus 0 (panels Lop, Cave, Loop, Winky cat, Looop, Grl pwr, DNA, Garden, Candy, Braid, Tree, Cat)

Table A.1 Correspondence between the decorated graphs in Figs. A.1, A.2, A.3, A.4, and A.5 and the stable curves in Fig. A.6

Stable curve  Decorated graph    Stable curve  Decorated graph
Good          I                  Winky Cat     III.6
Candy         II.1               Cave          III.7
DNA           II.2               Grl Pwr       IV.1
Loop          II.3               Garden        IV.2
Lop           II.4               Cat           IV.3
DNA           III.1              Braid         IV.4
Looop         III.2              Braid         IV.5
Loop          III.3              Braid         IV*.1
Candy         III.4              DNA           IV*.2
Tree          III.5              Looop         IV*.3

Acknowledgments This project began at the Women in Numbers Europe 3 workshop in Rennes, August 2019. We are grateful to the organizers for bringing us together and providing us with an excellent working environment to get this project underway. We thank Christophe Ritzenthaler for his ideas for the proofs of Propositions 5, 6, 8, and 9.

References

1. M. Börner, I. I. Bouw, and S. Wewers. Picard curves with small conductor. In Algorithmic and experimental methods in algebra, geometry, and number theory, pages 97–122. Springer, Cham, 2017.
2. I. I. Bouw, N. Coppola, P. Kılıçer, S. Kunzweiler, E. Lorenzo García, and A. Somoza. Reduction types of genus-3 curves in a special stratum of their moduli space. https://github.com/NirvanaC93/Invariants-Special-Strata-Genus-3-Curves, 2020.
3. W. Bosma, J. Cannon, and C. Playoust. The Magma algebra system. I. The user language. J. Symbolic Comput., 24(3–4):235–265, 1997. Computational algebra and number theory (London, 1993).
4. I. I. Bouw, A. Koutsianas, J. Sijsling, and S. Wewers. Conductor and discriminant of Picard curves. To appear in J. London Math. Soc., http://front.math.ucdavis.edu/1902.09624.
5. I. I. Bouw. Tame covers of curves: p-ranks and fundamental groups. PhD thesis, Utrecht University, 1998.
6. I. I. Bouw and S. Wewers. Computing L-functions and semistable reduction of superelliptic curves. Glasg. Math. J., 59(1):77–108, 2017.
7. E. Ciani. I varii tipi possibili di quartiche piane più volte omologico-armoniche. Palermo Rend., 13:347–373, 1899.
8. T. Dokchitser, V. Dokchitser, C. Maistret, and A. Morgan. Semistable types of hyperelliptic curves. In Algebraic curves and their applications, volume 724 of Contemp. Math., pages 73–135. Amer. Math. Soc., Providence, RI, 2019.
9. M. Demazure. Résultant, discriminant. Enseign. Math. (2), 58(3–4):333–373, 2012.
10. J. Dixmier. On the projective invariants of quartic plane curves. Adv. in Math., 64:279–304, 1987.
11. H. Derksen and G. Kemper. Computational invariant theory. Invariant Theory and Algebraic Transformation Groups, I. Springer-Verlag, Berlin, 2002. Encyclopaedia of Mathematical Sciences, 130.
12. P. Deligne and D. Mumford. The irreducibility of the space of curves of given genus. Inst. Hautes Études Sci. Publ. Math., (36):75–109, 1969.
13. S. Flon. Ramification dans le corps des modules. Annales de l'Institut Fourier, 54(2):253–293, 2004.
14. P.-G. Henn. Die Automorphismengruppen der algebraischen Funktionenkörper vom Geschlecht 3. PhD thesis, Heidelberg, 1976.
15. E. W. Howe, F. Leprévost, and B. Poonen. Large torsion subgroups of split Jacobians of curves of genus two or three. Forum Math., 12(3):315–364, 2000.
16. Q. Liu. Courbes stables de genre 2 et leur schéma de modules. Math. Ann., 295(2):201–222, 1993.
17. R. Lercier, Q. Liu, E. Lorenzo García, and C. Ritzenthaler. Reduction type of smooth quartics. To appear in Algebra & Number Theory, 2019. https://arxiv.org/abs/1803.05816.
18. G. Lachaud and C. Ritzenthaler. On some questions of Serre on abelian threefolds. In Algebraic geometry and its applications, volume 5 of Ser. Number Theory Appl., pages 88–115. World Sci. Publ., Hackensack, NJ, 2008.
19. R. Lercier and C. Ritzenthaler. Hyperelliptic curves and their invariants: geometric, arithmetic and algorithmic aspects. J. Algebra, 372:595–636, 2012.
20. R. Lercier, C. Ritzenthaler, F. Rovetta, and J. Sijsling. Parametrizing the moduli space of curves and applications to smooth plane quartics over finite fields. LMS J. Comput. Math., 17(suppl. A):128–147, 2014.
21. R. Lercier, C. Ritzenthaler, and J. Sijsling. quartic_reconstruction; a magma package for reconstructing plane quartics. https://github.com/JRSijsling/quartic_reconstruction, 2016.
22. R. Lercier, C. Ritzenthaler, and J. Sijsling. Reconstructing plane quartics from their invariants. Discrete & Computational Geometry, pages 1–41, 2018.
23. T. Ohno. The graded ring of invariants of ternary quartics I, 2007. unpublished.
24. M. Romagny and S. Wewers. Hurwitz spaces. In Groupes de Galois arithmétiques et différentiels, volume 13 of Sémin. Congr., pages 313–341. Soc. Math. France, Paris, 2006.
25. W. A. Stein et al. SageMath, the Sage Mathematics Software System (Version 7.4). The SageMath Development Team, 2016. http://www.sagemath.org.
26. T. Shioda. On the graded ring of invariants of binary octavics. American J. of Math., 89(4):1022–1046, 1967.
27. J. H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Texts in Mathematics. Springer, Dordrecht, second edition, 2009.
28. A. V. Sutherland. A database of nonhyperelliptic genus-3 curves over Q. In Proceedings of the Thirteenth Algorithmic Number Theory Symposium, volume 2 of Open Book Ser., pages 443–459. Math. Sci. Publ., Berkeley, CA, 2019.
29. A. Vermeulen. Weierstrass points of weight two on curves of genus three. PhD thesis, University of Amsterdam, Amsterdam, 1983.
30. S. Wewers. Deformation of tame admissible covers of curves. In Aspects of Galois theory (Gainesville, FL, 1996), volume 256 of London Math. Soc. Lecture Note Ser., pages 239–282. Cambridge Univ. Press, Cambridge, 1999.

The Complexity of MinRank

Alessio Caminata and Elisa Gorla

A. Caminata: Dipartimento di Matematica, Università di Genova, Genova, Italy
E. Gorla: Institut de Mathématiques, Université de Neuchâtel, Neuchâtel, Switzerland

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_5

MSC Codes (2020) 94A60, 13P10, 13P15, 14G50, 13P25

1 Introduction

The MinRank Problem asks to find an element of low rank in a given space of matrices. In its classical formulation, one searches for a matrix whose rank is at most a chosen integer, in a vector space given via a system of generators.

(Classical) MinRank Problem Let $\Bbbk$ be a field and let $m, n, r, k$ be positive integers. Given as input $k$ matrices $M_1, \ldots, M_k$ of size $m \times n$ with entries in $\Bbbk$, find $x_1, \ldots, x_k \in \Bbbk$ such that the corresponding linear combination satisfies

$$\operatorname{rank}\left(\sum_{i=1}^{k} x_i M_i\right) \le r.$$

The entries of the matrix $M = \sum_{i=1}^{k} x_i M_i$ are linear polynomials in the variables $x_1, \ldots, x_k$. The following is a natural generalization of the MinRank Problem.

Generalized MinRank Problem Let $\Bbbk$ be a field and let $m, n, r, k$ be positive integers. Given as input a matrix $M$ of size $m \times n$ with entries in $\Bbbk[x_1, \ldots, x_k]$, compute the set of points in $\Bbbk^k$ where the evaluation of $M$ has rank at most $r$.

Both of these problems arise naturally within cryptography and coding theory, as well as in numerous other applications. Within multivariate cryptography, the MinRank Problem plays a central role in the cryptanalysis of several systems, including HFE and its variants [14, 1, 5, 18, 7], the TTM Cryptosystem [12], and the ABC Cryptosystem [16, 17]. Within coding theory, the problem of decoding a linear rank-metric code is always an instance of the MinRank Problem, and in some cases it can be modeled as a generalized MinRank Problem, where some entries of the matrix have degree greater than one, see e.g. [15, 11]. Further applications of the generalized MinRank Problem to nonlinear computational geometry, real geometry and optimization, and other problems in symbolic computation are discussed in the introduction of [10].

Following [14], we distinguish the following three situations.

Definition 1 A MinRank Problem is under-defined if $k > (n - r)(m - r)$, well-defined if $k = (n - r)(m - r)$, and over-defined if $k < (n - r)(m - r)$.

There are at least three ways of approaching the MinRank Problem: the Kipnis-Shamir modeling [14], the linear algebra search [12], and the minors modeling. We concentrate on the latter. The minors modeling relies on the following observation: A vector $(a_1, \ldots, a_k)$ is a solution of the (classical or generalized) MinRank Problem for a matrix $M$ if and only if all minors of size $r + 1$ of $M$ vanish at this point. Thus we can find the solutions of the generalized MinRank Problem by solving the polynomial system consisting of all minors of size $r + 1$ of $M$. This is a system of multivariate polynomial equations $F = \{f_1, \ldots, f_s\}$, so one may attempt to solve it by means of the usual Gröbner bases methods. The complexity of these methods is controlled by the solving degree of $F$, that is, the highest degree of polynomials appearing during the computation of a degree reverse lexicographic Gröbner basis of $F$.

In this paper, we take another look at the complexity of solving the generalized MinRank Problem with the minors modeling. We focus on the under-defined and well-defined situations, which we treat with a unified approach. Notice that no fully provable, general results on the complexity of the over-defined case are currently available. The results from [6], in combination with classical commutative algebra results, provide us with a simple provable estimate for the complexity of the homogeneous version of the generalized MinRank Problem. As a special case of our main result, we obtain a simple and concise proof of the main results from [9, 10], which avoids lengthy technical computations.
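The observation behind the minors modeling can be checked exhaustively on a toy instance. The Python block below is an added example, not code from the paper: it takes four constructed 3 × 3 matrices over $\mathbb{F}_7$ (the first one of rank 1 by construction), classifies the instance with Definition 1, and compares the solution set defined by "rank at most r" with the one defined by "all (r+1)-minors vanish". All names and sample matrices are assumptions of this example.

```python
from itertools import combinations, product

P, R = 7, 1  # constructed toy instance: field F_7, target rank r = 1
MATS = [     # constructed sample matrices; MATS[0] has rank 1 over F_7
    [[1, 2, 3], [2, 4, 6], [3, 6, 2]],
    [[1, 0, 0], [0, 1, 0], [0, 0, 1]],
    [[0, 1, 0], [0, 0, 1], [1, 0, 0]],
    [[1, 1, 0], [0, 2, 5], [3, 0, 4]],
]


def classify(m, n, r, k):
    """Definition 1: compare k with (n - r)(m - r)."""
    bound = (n - r) * (m - r)
    if k > bound:
        return "under-defined"
    return "well-defined" if k == bound else "over-defined"


def combine(xs, mats, p):
    """Evaluate M = sum_i x_i M_i over F_p."""
    rows, cols = len(mats[0]), len(mats[0][0])
    return [[sum(x * a[i][j] for x, a in zip(xs, mats)) % p for j in range(cols)]
            for i in range(rows)]


def eliminate(a, p):
    """Gaussian elimination over F_p; returns (rank, det), det for square input."""
    a = [[v % p for v in row] for row in a]
    rows, cols = len(a), len(a[0])
    rank, det = 0, 1
    for c in range(cols):
        piv = next((i for i in range(rank, rows) if a[i][c]), None)
        if piv is None:
            continue
        if piv != rank:
            a[rank], a[piv] = a[piv], a[rank]
            det = -det
        det = det * a[rank][c] % p
        inv = pow(a[rank][c], -1, p)
        for i in range(rank + 1, rows):
            f = a[i][c] * inv % p
            a[i] = [(u - f * w) % p for u, w in zip(a[i], a[rank])]
        rank += 1
    return rank, (det % p if rank == rows == cols else 0)


def rank_at_most(mat, r, p):
    return eliminate(mat, p)[0] <= r


def minors_vanish(mat, r, p):
    """True iff every (r+1) x (r+1) minor of mat is zero in F_p."""
    for rows in combinations(range(len(mat)), r + 1):
        for cols in combinations(range(len(mat[0])), r + 1):
            if eliminate([[mat[i][j] for j in cols] for i in rows], p)[1]:
                return False
    return True


def solutions(mats, r, p, test):
    """All x in F_p^k whose combination passes `test` (exhaustive search)."""
    return {xs for xs in product(range(p), repeat=len(mats))
            if test(combine(xs, mats, p), r, p)}


if __name__ == "__main__":
    print(classify(3, 3, R, len(MATS)))
    print(sorted(solutions(MATS, R, P, minors_vanish)))
```

The zero vector always appears in the output, since the zero matrix has rank 0; the multiples of the first unit vector appear because of the planted rank-1 matrix.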

2 Main Results

We fix an infinite field $\Bbbk$ and positive integers $m, n, r, k$. Without loss of generality, we assume that $n \ge m$ and $r < m$. We focus on the MinRank Problem in the under-defined and well-defined case. We state the results in increasing order of generality.

Theorem 1 ([9], Corollary 4) The solving degree of the minors modeling of a generic classical well-defined square MinRank Problem ($m = n$ and $k = (n - r)^2$) is upper bounded by

$$\operatorname{solv.deg}(F) \le nr - r^2 + 1.$$

Theorem 2 ([10], Lemma 18, Corollary 19, Lemma 22, Corollary 23) Let $M$ be an $m \times n$ matrix whose entries are generic homogeneous polynomials of degree $d$ in $\Bbbk[x_1, \ldots, x_k]$ and assume $k \ge (m - r)(n - r)$. Let $F$ be the polynomial system of the minors of size $r + 1$ of $M$. Then the solving degree of $F$ is upper bounded by

$$\operatorname{solv.deg}(F) \le (m - r)(nd - n + r) + 1.$$

The previous theorems recover the main results of [9, 10]. We obtain them as a consequence of our more general Theorem 3, by letting $m = n$ and $d_{i,j} = 1$ (Theorem 1), or $d_{i,j} = d$ (Theorem 2).

We consider an $m \times n$ matrix $M$, whose entry in position $(i, j)$ is a polynomial of degree $d_{i,j}$ in $\Bbbk[x_1, \ldots, x_k]$, for all $i, j$. Up to permuting the rows of $M$, we may assume that $d_{1,1} \le d_{2,1} \le \cdots \le d_{m,1}$. Moreover, assume that the following two conditions hold:

1. $d_{i,j} > 0$ for all $i, j$.
2. $d_{i,j} + d_{h,\ell} = d_{i,\ell} + d_{h,j}$ for all $i, j, \ell, h$.

Finally, we assume that the entries of $M$ are generic polynomials. One may think of this assumption as the coefficients of each polynomial being randomly chosen.

Theorem 3 Let $M$ be an $m \times n$ matrix as above and assume $k \ge (m - r)(n - r)$. Let $F$ be the polynomial system of the minors of size $r + 1$ of $M$. Then the solving degree of $F$ is upper bounded by

$$\operatorname{solv.deg}(F) \le (m - r)\sum_{i=1}^{r} d_{i,i} + \sum_{i=r+1}^{m}\sum_{j=r+1}^{n} d_{i,j} - (m - r)(n - r) + 1.$$

Proof Under our assumptions, the homogenizations of the $(r + 1)$-minors of $M$ are the $(r + 1)$-minors of the matrix obtained from $M$ by homogenizing its entries. Therefore, we may assume without loss of generality that the entries of $M$ are generic homogeneous polynomials. The main result of [6, Section 3.3] implies that

$$\operatorname{solv.deg}(F) \le \operatorname{reg} I,$$

where $I$ is the ideal generated by the polynomials of $F$ and $\operatorname{reg} I$ denotes the Castelnuovo-Mumford regularity of $I$. We can compute it as follows. First, since the polynomials of $M$ are generic and the matrix $M$ is homogeneous, by combining Eagon-Northcott's Theorem [8, Theorem 3] with [4, Theorem 2.5] one obtains that the quotient ring $S = \Bbbk[x_1, \ldots, x_k]/I$ is Cohen-Macaulay and the ideal $I$ has codimension $\operatorname{codim}(I) = (m - r)(n - r)$. Recall that the codimension of a homogeneous ideal in a polynomial ring $\Bbbk[x_1, \ldots, x_k]$ is the difference between $k$ and the Krull dimension of the quotient of the polynomial ring by the ideal.

Now consider the quotient ring $T = \Bbbk[X]/I_{r+1}(X)$, where $X = (x_{i,j})$ is a matrix of size $m \times n$ whose entries are distinct variables, $\deg(x_{i,j}) = d_{i,j}$, $\Bbbk[X]$ is the polynomial ring over $\Bbbk$ with variables the entries of $X$, and $I_{r+1}(X)$ denotes the ideal generated by the minors of size $r + 1$ of $X$. By Hochster and Eagon [13, Corollary 4] $\operatorname{codim}(I_{r+1}(X)) = (m - r)(n - r)$, see also [3, Theorem 3.7.1]. Since $\operatorname{codim}(I) = \operatorname{codim}(I_{r+1}(X))$, by Bruns and Vetter [4, Theorem 3.5] a minimal graded free resolution of $S$ is obtained from a minimal graded free resolution of $T$ by substituting $x_{i,j}$ with the entry of $M$ in position $(i, j)$, for all $i$ and $j$. In particular

$$\operatorname{reg}_{\Bbbk[x_1, \ldots, x_k]}(S) = \operatorname{reg}_{\Bbbk[X]}(T),$$

where $\operatorname{reg}(S) = \operatorname{reg}(I) - 1$ and $\operatorname{reg}(T) = \operatorname{reg}(I_{r+1}(X)) - 1$. Moreover, since $T$ is Cohen-Macaulay, we can express its regularity in terms of its a-invariant (see [3, Definition 3.6.13]) and of the codimension of $I_{r+1}(X)$. We have

$$\operatorname{reg}(T) = a(T) - a(\Bbbk[X]) - \operatorname{codim}(I_{r+1}(X)) = a(T) + \sum_{i=1}^{m}\sum_{j=1}^{n} d_{i,j} - (m - r)(n - r),$$

where $a$ denotes the a-invariant, the first equality follows from [3, Examples 3.6.15 b)], and the second from [3, Examples 3.6.15 a)] and $\operatorname{codim}(I_{r+1}(X)) = (m - r)(n - r)$. By Bruns and Herzog [2, Corollary 1.5]

$$a(T) = -r\sum_{i=1}^{m} d_{i,i} - \sum_{i=1}^{r}\sum_{j=m+1}^{n} d_{i,j},$$

where $d_{i,j} = e_i + f_j$ in the notation of [2]. Putting everything together we obtain

$$\begin{aligned} \operatorname{reg}(I) = \operatorname{reg}(S) + 1 &= a(T) + \sum_{i=1}^{m}\sum_{j=1}^{n} d_{i,j} - (m - r)(n - r) + 1 \\ &= (m - r)\sum_{i=1}^{r} d_{i,i} + \sum_{i=r+1}^{m}\sum_{j=r+1}^{n} d_{i,j} - (m - r)(n - r) + 1, \end{aligned}$$

which proves the statement.

Remark 4 Theorem 3 analyzes the under-defined and well-defined situations. In the over-defined situation, assume that $k$ is sufficiently small and that $d_{i,j} = 1$ for all $i$ and $j$. Then the minors of size $r + 1$ of $M$ generate the maximal ideal to the power $r + 1$. In particular, $\operatorname{solv.deg}(F) = r + 1$.

Remark 5 The word "generic" used in the statements is a technical term from algebraic geometry, which means "there exists a nonempty open set" of polynomials for which the result holds. This is exactly the same use of generic as in [9, 10]. We stress that the genericity assumption is often essential to a type of approach that uses algebraic geometry. To the extent of our knowledge, this assumption appears also in all the previous works that use similar methods.

Usually one thinks of a generic property as a property that holds for "almost every point" of the ambient space. In order for this intuition to be true, however, one needs to work over an infinite field, or at least over a large enough field extension of $\Bbbk$ (if $\Bbbk$ is a finite field). In fact, a nonempty open set over an infinite field may contain only a few points, or even no point, over a given finite subfield. One may therefore be led to think that theorems with a genericity assumption are of little use over finite fields. This is however not the case. In fact, if an open set is nonempty over the algebraic closure, then it will contain most points over a large enough (but finite) field extension of $\Bbbk$. Therefore, if we are willing to take a field extension, we have that a generic property holds for most points.

In addition, any open set is defined by a finite number of conditions. Whenever one can explicitly describe them, one can check whether any given point (including points over any finite field) satisfies them, which is equivalent to checking whether the point belongs to the open set. These conditions may always be expressed as a set of polynomial equations which should not all vanish on the point in question. Sometimes, when the polynomials are difficult to describe explicitly or involve a large number of terms, one may choose to describe the conditions as equivalent properties that can be checked directly. E.g., in the proof of Theorem 3, for any minor of the matrix $M$ one can check whether the homogenization of the minor is equal to the corresponding minor of the matrix obtained from $M$ by homogenizing its entries. This condition can be expressed also as a polynomial in the coefficients of the entries of $M$, namely the condition on the homogenization holds if and only if the polynomial does not vanish on the coefficients of the entries of $M$. In particular, whenever we are able to explicitly state the genericity conditions, one can directly check whether a given system of equations satisfies the genericity properties, independently of the field of definition (which can also have small cardinality).

In the next theorem we explicitly state the genericity conditions of Theorem 3, so that they can be checked directly over any finite field. This provides a version of Theorem 3 over finite fields.

Theorem 6 Let $\Bbbk$ be a finite field. Let $M$ be an $m \times n$ matrix whose entry in position $(i, j)$ is a polynomial of degree $d_{i,j} > 0$ in $\Bbbk[x_1, \ldots, x_k]$, for all $i, j$. Assume that $k \ge (m - r)(n - r)$, $d_{1,1} \le d_{2,1} \le \cdots \le d_{m,1}$, and $d_{i,j} + d_{h,\ell} = d_{i,\ell} + d_{h,j}$ for all $i, j, \ell, h$. Let $F$ be the polynomial system of the minors of size $r + 1$ of $M$. Let $t$ be a new variable, let $M^h$ be the matrix obtained from $M$ by homogenizing its entries with respect to $t$, and let $J = I_{r+1}(M^h)$. Suppose that $\operatorname{codim}(J) = (m - r)(n - r)$, that t  0 modulo J , and that the homogenization with respect to $t$ of each $(r + 1)$-minor of $M$ equals the corresponding $(r + 1)$-minor of $M^h$. Then the solving degree of $F$ is upper bounded by

$$\operatorname{solv.deg}(F) \le (m - r)\sum_{i=1}^{r} d_{i,i} + \sum_{i=r+1}^{m}\sum_{j=r+1}^{n} d_{i,j} - (m - r)(n - r) + 1.$$
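The bound of Theorems 3 and 6 and the homogenization condition named in Remark 5 can both be evaluated mechanically. The Python block below is an added example, not the authors' code: `solving_degree_bound` checks the stated hypotheses on the degree matrix before returning the bound, and `homogenization_commutes` tests, over a prime field, whether every (r+1)-minor has the full expected degree, which is equivalent to its homogenization being the corresponding minor of the homogenized matrix. The other two hypotheses of Theorem 6 (the codimension of J and the condition on t modulo J) are not checked; all names, the dict encoding of polynomials and the sample matrices are assumptions of this example.

```python
from itertools import combinations, permutations


def solving_degree_bound(deg, r, k):
    """Bound of Theorems 3 and 6 from the m x n matrix of entry degrees."""
    m, n = len(deg), len(deg[0])
    if not (n >= m and 0 < r < m):
        raise ValueError("need n >= m and 0 < r < m")
    if k < (m - r) * (n - r):
        raise ValueError("over-defined: the bound needs k >= (m-r)(n-r)")
    if any(d <= 0 for row in deg for d in row):
        raise ValueError("condition 1 fails: every degree must be positive")
    if any(deg[i][0] > deg[i + 1][0] for i in range(m - 1)):
        raise ValueError("rows must be ordered so that d_{1,1} <= ... <= d_{m,1}")
    if any(deg[i][j] + deg[h][l] != deg[i][l] + deg[h][j]
           for i in range(m) for h in range(m) for j in range(n) for l in range(n)):
        raise ValueError("condition 2 fails: d_ij + d_hl != d_il + d_hj")
    return ((m - r) * sum(deg[i][i] for i in range(r))
            + sum(deg[i][j] for i in range(r, m) for j in range(r, n))
            - (m - r) * (n - r) + 1)


# Polynomials over F_p are dicts {exponent tuple: nonzero coefficient}.
def p_add(f, g, p):
    h = dict(f)
    for mono, c in g.items():
        v = (h.get(mono, 0) + c) % p
        if v:
            h[mono] = v
        else:
            h.pop(mono, None)
    return h


def p_mul(f, g, p):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            mono = tuple(a + b for a, b in zip(m1, m2))
            v = (h.get(mono, 0) + c1 * c2) % p
            if v:
                h[mono] = v
            else:
                h.pop(mono, None)
    return h


def p_deg(f):
    return max((sum(mono) for mono in f), default=-1)


def minor(M, rows, cols, p, nvars):
    """Determinant of the chosen submatrix by the Leibniz expansion."""
    total = {}
    for perm in permutations(range(len(rows))):
        inversions = sum(1 for a in range(len(perm))
                         for b in range(a + 1, len(perm)) if perm[a] > perm[b])
        term = {(0,) * nvars: (-1 if inversions % 2 else 1) % p}
        for a, b in enumerate(perm):
            term = p_mul(term, M[rows[a]][cols[b]], p)
        total = p_add(total, term, p)
    return total


def homogenization_commutes(M, r, p, nvars):
    """True iff each nonzero (r+1)-minor has the expected top degree.

    Under condition 2 every Leibniz term has the degree of the diagonal term.
    """
    deg = [[p_deg(f) for f in row] for row in M]
    for rows in combinations(range(len(M)), r + 1):
        for cols in combinations(range(len(M[0])), r + 1):
            g = minor(M, rows, cols, p, nvars)
            if g and p_deg(g) != sum(deg[i][j] for i, j in zip(rows, cols)):
                return False
    return True


# Constructed samples over F_5 in x1, x2.
X1, X2, ONE = {(1, 0): 1}, {(0, 1): 1}, {(0, 0): 1}
GOOD = [[X1, X2], [X2, p_add(X1, ONE, 5)]]  # det = x1^2 + x1 - x2^2
BAD = [[X1, p_add(X2, ONE, 5)], [X1, X2]]   # det = -x1: top-degree terms cancel
```
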

Acknowledgments We are grateful to an anonymous referee for a detailed reading and comments which helped us improve the clarity of the proof of the main theorem.

References

1. Luk Bettale, Jean-Charles Faugère, Ludovic Perret, Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic, Designs, Codes and Cryptography vol. 69, no. 1, 1–52, 2013.
2. Winfried Bruns, Jürgen Herzog, On the computation of a-invariants, Manuscripta Mathematica vol. 77, pp. 201–213, 1992.
3. Winfried Bruns, Jürgen Herzog, Cohen-Macaulay rings. Revised edition, Cambridge Studies in Advanced Mathematics, vol. 39, Cambridge University Press, 1998.
4. Winfried Bruns, Udo Vetter, Determinantal Rings, Lecture Notes in Mathematics, 1327, Springer-Verlag, Berlin, 1988.
5. Daniel Cabarcas, Daniel Smith-Tone, Javier A. Verbel, Key Recovery Attack for ZHFE, Post-quantum cryptography, 289–308, Lecture Notes in Computer Science, 10346, Springer, Cham, 2017.
6. Alessio Caminata, Elisa Gorla, Solving multivariate polynomial systems and an invariant from commutative algebra. In: Proceedings of Arithmetic of Finite Fields, 8th International Workshop, J.C. Bajard and A. Topuzoglu Eds, Lecture Notes in Computer Science, 12542 LNCS, pp. 3–36, Springer, 2021.
7. Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone, Improved cryptanalysis of HFEv- via projection, Post-quantum cryptography, 375–395, Lecture Notes in Computer Science, 10786, Springer, Cham, 2018.
8. John A. Eagon, Douglas G. Northcott, Ideals Defined by Matrices and a Certain Complex Associated with Them, Proceedings of the Royal Society of London. Series A, Mathematical and Physical Sciences, vol. 269, n. 1337, pp. 188–204, 1962.
9. Jean-Charles Faugère, Mohab Safey El Din, Pierre-Jean Spaenlehauer, Computing Loci of Rank Defects of Linear Matrices using Gröbner Bases and Applications to Cryptology, Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation, ISSAC '10, pp. 257–264, Munich, Germany, 2010.
10. Jean-Charles Faugère, Mohab Safey El Din, Pierre-Jean Spaenlehauer, On the Complexity of the Generalized MinRank Problem, Journal of Symbolic Computation, vol. 55, pp. 30–58, 2013.
11. Elisa Gorla, Felice Manganiello, Joachim Rosenthal, An algebraic approach for decoding spread codes, Advances in Mathematics of Communications, vol. 6, n. 4, pp. 443–466, 2012.
12. Louis Goubin, Nicolas T. Courtois, Cryptanalysis of the TTM Cryptosystem, Advances in Cryptology, Proceedings of ASIACRYPT 2000, Lecture Notes in Computer Science, vol. 1976, Springer-Verlag, pp. 44–57, 2000.
13. Melvin Hochster, John A. Eagon, Cohen-Macaulay Rings, Invariant Theory, and the Generic Perfection of Determinantal Loci, American Journal of Mathematics, vol. 93, n. 4, pp. 1020–1058, 1971.
14. Aviad Kipnis, Adi Shamir, Cryptanalysis of the HFE public key cryptosystem, Advances in Cryptology, Proceedings of Crypto '99, LNCS no. 1666, Springer-Verlag, pp. 19–30, 1999.
15. Felice Manganiello, Elisa Gorla, Joachim Rosenthal, Spread codes and spread decoding in network coding, Proceedings of the IEEE International Symposium on Information Theory—ISIT, 881–885, 2008.
16. Dustin Moody, Ray Perlner, Daniel Smith-Tone, An asymptotically optimal structural attack on the ABC multivariate encryption scheme, Post-quantum cryptography, 180–196, Lecture Notes in Computer Science, 8772, Springer, Cham, 2014.
17. Dustin Moody, Ray Perlner, Daniel Smith-Tone, Improved attacks for characteristic-2 parameters of the cubic ABC simple matrix encryption scheme, Post-quantum cryptography, 255–271, Lecture Notes in Computer Science, 10346, Springer, Cham, 2017.
18. Jeremy Vates, Daniel Smith-Tone, Key recovery attack for all parameters of HFE-, Post-quantum cryptography, 272–288, Lecture Notes in Computer Science, 10346, Springer, Cham, 2017.

Fields of Definition of Elliptic Fibrations on Covers of Certain Extremal Rational Elliptic Surfaces

Victoria Cantoral-Farfán, Alice Garbagnati, Cecília Salgado, Antonela Trbović, and Rosa Winter

MSC Codes (2020) 14J26 14J27 14J28

1 Introduction

One main distinction of K3 surfaces, among others, is that they form the only class of surfaces that might admit more than one elliptic fibration with section, which is not of product type [17, Lemma 12.18]. It is therefore a natural problem to classify such fibrations. This has been done in the past three decades, via different methods by several authors, see for instance [15, 14, 7, 2, 3, 6] and [1]. Recently, the second and third authors have proposed a new method to classify elliptic fibrations on K3 surfaces which arise as double covers of rational elliptic surfaces. We refer the reader to [5] and [6] for more details.

Let X be a K3 surface obtained as a double cover of an extremal rational elliptic surface defined over a number field k. The purpose of this paper is to determine

V. Cantoral-Farfán, KU Leuven, Department of Mathematics, Leuven, Belgium
A. Garbagnati, Università Statale degli Studi di Milano, Dipartimento di Matematica, Milano, Italy
C. Salgado, Instituto de Matemática, Universidade Federal do Rio de Janeiro (UFRJ), Cidade Universitária, Ilha do Fundão, Brasil
A. Trbović, Department of Mathematics, University of Zagreb, Zagreb, Croatia
R. Winter, Max-Planck-Institut für Mathematik in den Naturwissenschaften, Leipzig, Germany

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_6


fields of definition of the distinct elliptic fibrations on X, i.e., fields over which the classes of the fiber and of at least one section are defined (see Definition 1). We also determine, in some examples, an upper bound for the degree of the field over which the Mordell–Weil group admits a set of generators.

Extremal rational elliptic surfaces have been classified by Miranda and Persson in [10]. There are sixteen configurations of singular fibers on such surfaces. We further restrict our attention to smooth double covers of extremal rational elliptic surfaces with distinct reducible fibers, i.e. such that there are no two reducible fibers of the same Kodaira type. Given a genus 1 fibration on such a K3 surface, we show that it admits a section over a field that depends on the action of the cover involution on its fibers (see Theorem 1). We illustrate this last result for K3 surfaces that arise as a double cover branched over two smooth fibers of the extremal rational elliptic surfaces with one unique reducible fiber and also on smooth double covers of the surface with fiber configurations either $(III^*, I_2)$ or $(III^*, III)$.

Note that among those sixteen configurations of singular fibers on extremal rational elliptic surfaces only four have a unique reducible fiber, namely $(I_9, 3I_1)$, $(II^*, II)$, $(II^*, 2I_1)$ and $(I_4^*, 2I_1)$. As only the configuration of reducible fibers plays a role in our arguments, we narrow these down to three classes and study those extremal rational elliptic surfaces, denoted by $R_9$, $R_2$, and $R_4$, and the corresponding K3 surfaces $X_9$, $X_2$, and $X_4$, respectively. We denote by $R_3$ an extremal rational elliptic surface with fibers either $(III^*, I_2)$ or $(III^*, III)$ and by $X_3$ its generic K3 cover. Notice that the surface $X_4$ also occurs as a double cover of $R_3$ and hence, $X_3$ and $X_4$ belong to the same family of K3 surfaces.
A reason to explore elliptic fibrations on $X_i$, $i = 2, 3, 4, 9$, is that they have different behavior with respect to the cover involution of $X_i \to R_i$. Fibrations that are preserved by this involution are easier to describe via linear systems of curves on a rational surface, and one can also exhibit a Weierstrass equation for those as pointed out in [1] and [6]. In particular, on $X_3$ and $X_4$, which can be identified, we have two different involutions (induced by the covers $X_4 \to R_4$ and $X_3 \to R_3$) and the behavior of each fibration on $X_3 \simeq X_4$ with respect to these two involutions can be different.

This paper is organized as follows. In Sect. 2 we introduce the notations which remain in force during the paper and lay down our setting. Section 3 is devoted to the study of rational curves on the K3 surface X obtained as a double cover of a rational elliptic surface R. More precisely, motivated by the work done in [5] and [6], we study the behavior of the image by the quotient map $\pi : X \to R$ of rational curves on X and we determine the rational curves on X coming from a section defined over k of the elliptic fibration $E_R$. While Sect. 3 is of geometric nature, Sect. 4 is dedicated to the study of the arithmetic of extremal rational elliptic surfaces defined over k. In particular, we obtain the quite intriguing fact that, with a possible unique exception, all extremal rational elliptic surfaces can be obtained, over the ground field, as a blow-up of base points of a pencil of genus one curves in $\mathbb{P}^2$ or $\mathbb{P}^1 \times \mathbb{P}^1$ (Lemma 4). Section 5 is dedicated to the study of K3 surfaces coming from double covers of extremal rational elliptic surfaces. We prove in Theorem 1 that a genus 1 fibration on X admits a section over a field which depends on the action of the cover involution on the fibers of the genus 1 fibration. Finally, in Sects. 6 and 7 we illustrate the previous result. More precisely, in Sect. 6 we give a classification of elliptic fibrations on the surface $X_9$ given by a generic double cover of an extremal rational elliptic surface $R_9$ with an $I_9$. We present a fiber class corresponding to each fibration on $X_9$ using sections and components of the reducible fibers of the fibration induced by the elliptic fibration on $R_9$. We also study the Mordell–Weil groups of each fibration and the fields of definition of the fibrations and their Mordell–Weil groups. Section 7 has similar results for the K3 covers of the rational elliptic surfaces $R_2$, $R_3$ and $R_4$, with reducible fibers $(II^*)$, $(III^*, I_2)$ and $(I_4^*)$, respectively.

1.1 Relation to the Literature

Fields of definition of the Mordell–Weil group of non-isotrivial elliptic surfaces were studied independently by Swinnerton–Dyer in [19] and Kuwata in [8] via different methods than the ones presented here. While the first focused on elliptic surfaces fibered over $\mathbb{P}^1$, the latter dealt with bases of arbitrary genus. Nevertheless, both works are concerned with more general elliptic surfaces than the scope of this paper. In his work, Kuwata supposes that each component of the reducible fibers is defined over the ground field k. Let E be the generic fiber of an elliptic surface defined over k with base curve C. He proves that there is an explicitly computable number m and an explicitly computable extension L/k such that $mE(\bar{k}(C)) = mE(L(C))$.

Our work differs from Kuwata’s in several ways. Firstly, while he focusses on one unique elliptic fibration on a surface, we consider one elliptic fibration which we assume is defined over some number field k and use it as a starting point to study the other elliptic fibrations present on the surface. Thus in our work, one elliptic fibration is defined over the ground field, while the others are not necessarily. For that reason we are concerned with different fields of definition, namely that of the elliptic fibration and that of the Mordell–Weil group. Secondly, we focus on a specific class of surfaces, namely K3 surfaces. The further assumption that the K3 is a double cover of an extremal rational elliptic surface guarantees that the fields of definition will be much smaller than those for arbitrary elliptic surfaces. Indeed, fields of definition of the Mordell–Weil group of an elliptic surface can be quite large: for instance, in [19] Swinnerton–Dyer constructed an elliptic surface for which the field of definition of the Mordell–Weil group has degree $2^7 \cdot 3^4 \cdot 5$, and the degrees of the fields of definition in Kuwata’s work are also much larger than the bounds obtained here.

Finally, it is worth mentioning that Kuwata’s work deals with fields of arbitrary characteristic while we focus on number fields. We expect that our work allows generalizations to that setting; the restriction has been made for the sake of simplicity but also because some of our work builds on Miranda and Persson’s work in [10], and on a paper by two of the authors [5]. Both settings are restricted to characteristic zero.


2 Preliminaries and Setting

Let R be a rational elliptic surface, i.e. a smooth projective rational surface endowed with a relatively minimal genus one fibration. We assume throughout this article that such a fibration admits a section. We denote by

$$E_R : R \to \mathbb{P}^1 \tag{1}$$

the elliptic fibration on R. Let $d : C \to \mathbb{P}^1$ be a double cover of $\mathbb{P}^1$ branched on 2n points $p_i$, $i = 1, \ldots, 2n$. Then the fiber product $R \times_{\mathbb{P}^1} C$ is endowed with an elliptic fibration $R \times_{\mathbb{P}^1} C \to C$, induced by $E_R$. We call the fibers $E_R^{-1}(p_i)$, $i = 1, \ldots, 2n$, the branch fibers. If all the branch fibers are smooth, then the fiber product $R \times_{\mathbb{P}^1} C$ is smooth, and we denote it by X. Otherwise, $R \times_{\mathbb{P}^1} C$ is singular and we denote by X its smooth model such that the elliptic fibration $E_X : X \to C$, induced by $E_R$, is relatively minimal.

Assume that R, the fibration $E_R$ and the zero section O are all defined over a given number field k, which we fix once and for all. If the morphism d is defined over k then so are the fiber product, its possible desingularization X and the inherited elliptic fibration $E_X$. The surface $R \times_{\mathbb{P}^1} C$ is naturally endowed with an involution, namely the cover involution of the map $R \times_{\mathbb{P}^1} C \to R$ induced by the 2 : 1 map $d : C \to \mathbb{P}^1$. It extends to an involution $\tau \in \mathrm{Aut}(X)$ which is the cover involution of the generically 2 : 1 cover $X \to R$. We denote by π the quotient map $\pi : X \to X/\tau \simeq_{\mathrm{bir}} R$.

From now on we make the following assumptions.

• $d : C \to \mathbb{P}^1$ is defined over k,
• n = 1, i.e. $d : C \to \mathbb{P}^1$ is branched in two points. Hence $C \cong \mathbb{P}^1$,
• the (two) branch fibers are reduced.

As a consequence of the previous assumptions we have that X is a K3 surface over k (see [17, Example 12.5]), the involution τ is non-symplectic, i.e. it does not preserve the symplectic form defined on X, since the quotient of a K3 by a symplectic involution is again a K3 surface (see [13]), and both $E_X$ and its zero section are defined over k. Moreover, if the branch fibers are smooth, the reducible fibers of $E_X$ occur in pairs that are exchanged by τ.

Notation 1 We denote by $\tau^*$ the involution induced by τ on NS(X).


We recall that, due to their geometry, i.e. trivial canonical class and regularity, K3 surfaces might admit more than one elliptic fibration, all with base $\mathbb{P}^1$, see for instance [17, Lemma 12.18]. Let X be as above; then it admits an elliptic fibration $E_X$ and at least another elliptic fibration different from $E_X$ (see [3, §8.1] and [6, Proposition 2.9]). One can divide the elliptic fibrations on X into three different classes, depending on the action of τ on their fibers. In particular, let η be an elliptic fibration on X; then, by [5, Section 4.1], it is

• of type 1 with respect to τ, if τ preserves all the fibers of η;
• of type 2 with respect to τ, if τ does not preserve all the fibers of η, but maps a fiber of η to another one. In this case τ is induced by an involution of the base of $\eta : X \to \mathbb{P}^1$. It fixes exactly two fibers and $\tau^*$ preserves the class of a fiber of η;
• of type 3, if τ maps fibers of η to fibers of another elliptic fibration. In this case $\tau^*$ does not preserve the class of the generic fiber of η.

The distinct elliptic fibrations on X are not necessarily defined over k. Moreover, different fibrations might be defined over different fields. The aim of this paper is to take a first step into understanding how the action of the involution τ on the fibers of a given fibration might influence its field of definition. Throughout this paper we adopt the following definition.

Definition 1 Given X as above and an elliptic fibration η on X, the smallest field extension of k over which the class of a fiber of η is defined and η admits a section is called the field of definition of the fibration η. We denote it by $k_\eta$. We denote by $k_{\eta,\mathrm{MW}}$ the smallest field extension of $k_\eta$ over which the Mordell–Weil group of η admits a set of generators.

Remark 1 The reader should be aware that in Definition 1 our starting data is a K3 surface X constructed as a base change of a rational elliptic surface R. Thanks to this construction X inherits an elliptic fibration from R which is defined over a number field k. All other fields of definition that appear in this paper are (possibly trivial) field extensions of k. In this sense, the field of definition is unique, but when considering X without this preliminary data the field is no longer necessarily unique. Indeed, one could for instance obtain the same X as a double cover of another rational elliptic surface $R'$ defined over a different field $k'$.

3 Rational Curves on K3 Surfaces

Let X be a K3 surface as in Sect. 2. In this section we study the behavior of the image by the quotient map π of the rational curves on X. As in the case of elliptic curves, this behavior depends on the action of the cover involution τ on the rational curve.


Lemma 1 Let C be a smooth rational curve on X and $D = \pi(C)$ its image on R. Denote by m the intersection number $C \cdot \tau(C)$. Then D is of one of the following types.

(i) A fiber component of $E_R$ on R.
(ii) A section of $E_R$.
(iii) An m-section of $E_R$, where m > 0.

Moreover, if π is branched over two smooth fibers of $E_R$ then (i) implies m = 0.

Proof Let C be a smooth rational curve on X and $D = \pi(C)$. By the adjunction formula we have that $C^2 = -2$. We consider the following cases: $\tau(C) = C$ and $\tau(C) \neq C$.

1. $\tau(C) = C$. In this case, the involution can either act as the identity on C or as an involution of C. If the former holds then D is a (−2)-curve on R and therefore it is a component of a fiber of $E_R$. If τ acts as an involution on C then, since $\pi_*(C) = 2D$, we have that $2D^2 = C^2 = -2$. Hence $D^2 = -1$, and in particular D is a section of $E_R$.
2. $\tau(C) = C' \neq C$. Then $m \geq 0$ and $\pi^*(D)^2 = 2D^2 = (C + C')^2 = -4 + 2m$. Hence $D^2 = m - 2$. By the adjunction formula we have that $D \cdot (-K_R) = m$. To conclude it is enough to recall that the class of a fiber of the elliptic fibration on R is given by $-K_R$. Thus, D is an m-section of $E_R$ if m > 0, or a fiber component of $E_R$ if m = 0.

Moreover, if π is branched over two different smooth fibers, $\tau(C) = C$ implies that τ is an involution of C, and thus D is a section of the elliptic fibration $E_R$. Hence if D is a component of a fiber one must have $\tau(C) \neq C$, i.e., case 2 with m = 0.

The next lemma deals with rational curves on X that come from sections defined over k of the elliptic fibration $E_R$. As sections do not split on the double cover, we show that their inverse image is an irreducible curve defined over k.

Lemma 2 Let $P_R$ be a section of $E_R : R \to \mathbb{P}^1$ that is defined over k. Then $P_X := \pi^{-1}(P_R)$ is an irreducible smooth rational curve of X and $\tau(P_X) = P_X$. In particular $P_X$ is defined over k.

Proof If $P_R$ is a section of an elliptic fibration on a rational surface then it meets the branch locus of $R \times_{\mathbb{P}^1} \mathbb{P}^1 \to R$, which is given by two fibers, in two points. Thus its inverse image is a 2 : 1 cover of a rational curve branched in two points, i.e. either an irreducible smooth rational curve or the union of two smooth rational curves meeting in two points. If the inverse image of $P_R$ is the union of two curves, say $P_1$ and $P_2$, we have $\pi^*(P_R) = P_1 + P_2$. Since the inverse image of a fiber $F_R$, which is not a branch fiber, consists of two disjoint fibers, we have $\pi^*(F_R) = F_1 + F_2$. But then we would have $\pi^*(F_R)\,\pi^*(P_R) = 2 = (F_1 + F_2)(P_1 + P_2) = 2(F_1 P_1) + 2(F_1 P_2)$, where we used that $F_1$ and $F_2$ are linearly equivalent, since they are fibers of the same fibration on X. This would imply that either $P_1$ or $P_2$ is a component of a fiber, which is not possible, because they intersect in two points which lie in two different fibers, namely the ramification fibers. We conclude that $\pi^{-1}(P_R)$ is a smooth rational curve. Even if one has to blow up some points to obtain X from $R \times_{\mathbb{P}^1} \mathbb{P}^1$, the strict transform of the inverse image of $P_R$, which we denote by $P_X$, remains irreducible and thus $\tau(P_X) = P_X$. Since the double cover map d is assumed to be defined over k and so are the points that one has to possibly blow up, we have that $P_X$ is also defined over k.

4 Extremal Rational Elliptic Surfaces

In what follows we analyze the arithmetic of extremal rational elliptic surfaces defined over k. Let us recall that an extremal rational elliptic surface has Mordell–Weil rank equal to 0, and thus only finitely many sections, i.e. (−1)-curves.

Lemma 3 Let R be an extremal rational elliptic surface defined over k. Assume that all reducible fibers of the elliptic fibration are distinct. Then the Néron–Severi group NS(R) admits generators defined over a field extension of k of degree at most 2.

Proof There are two main ingredients in the proof of the statement. The first one is the Shioda–Tate formula which tells us that

$$\mathrm{NS}(R)/T \cong \mathrm{MW}(E_R), \quad \text{where } T = \langle O, F \rangle \oplus \bigoplus_{v \in \text{reducible fibers}} \langle \Theta_{v,i} \rangle_{i \in S_v}, \tag{2}$$

with $\Theta_{v,i}$ denoting the $n_v$ components of the reducible fiber $E_R^{-1}(v)$, $S_v = \{1, \ldots, n_v - 1\}$ and, since the surface is extremal, $\mathrm{MW}(E_R)$ is a finite group. The second is the fact that the absolute Galois group $G_{\bar k}$ acts on NS(R) preserving the intersection pairing.

Recall that both the zero section O and the class of a smooth fiber F are defined over k. A reducible fiber with exactly two components has each component defined over k since the component that intersects the zero section is preserved by $G_{\bar k}$. Thus in what follows we can focus on reducible fibers with at least three components. By the hypothesis on the reducible fibers being distinct, there are at most two such fibers, say $F_{v_1}$ and $F_{v_2}$, see the table in [10, Thm. 4.1]. Assume w.l.o.g. that $F_{v_1}$ is the fiber with more reducible components. Each reducible fiber is globally defined over k because, by assumption, it is unique. Hence its trivial component is also defined over k. Since the latter intersects at most two other components, these are $G_{\bar k}$-conjugate and as a pair they form a $G_{\bar k}$-orbit. The same happens to all other components that are not defined over k. Let $k_R/k$ be the quadratic extension over which the fiber components of $F_{v_1}$ are defined.

We show that each section is defined over $k_R$. The Mordell–Weil group is globally defined over k since its elements are precisely the (−1)-curves in the Néron–Severi group. Moreover, because each section C intersects transversally a unique fiber component of $F_{v_1}$, the point of intersection is mapped by any element in $G_{\bar k}$ to another point of intersection of a component of $F_{v_1}$ and a section. Since a component of a fiber is mapped by $G_{\bar k}$ either to itself or to a unique other fiber component defined over $k_R$, the intersection point is also defined over $k_R$. Thus C is a rational curve with a $k_R$-point and hence it is also defined over $k_R$.

It remains to show that the components of $F_{v_2}$ are defined over $k_R$. This follows from the fact that after contracting the sections and certain fiber components of $F_{v_1}$ we reach either $\mathbb{P}^2$ or $\mathbb{P}^1 \times \mathbb{P}^1$, cf. Lemma 4. The components of $F_{v_2}$ are thus rational curves with $k_R$-points that correspond to the contracted curves, and hence are defined over $k_R$ as well.

Example 1 The extremal rational elliptic surface with Weierstrass equation

$$y^2 = x^3 - 3(t^2 - 3)(t - 2)^2 x + t(2t^2 - 9)(t - 2)^3 \tag{3}$$

has reducible fibers of types $I_1^*$ and $I_4$. Its Mordell–Weil group is $\mathbb{Z}/4\mathbb{Z}$ with two sections defined over $\mathbb{Q}$, namely $[0, 1, 0]$ and $[t^2 - 2t, 0, 1]$, and two conjugate sections, namely $[(t - 3)(t - 2), \pm 3\sqrt{3}(t - 2)^2, 1]$, which are defined over a quadratic extension. The reader can find this example as $X_{141}$ in [10, Table 5.2].

The next example shows that the hypothesis on the distinct reducible fibers is indispensable in Lemma 3.

Example 2 The extremal rational elliptic surface with Weierstrass equation

$$y^2 = x^3 + (3t^4 + 24t)x + 2t^6 + 40t^3 - 16 \tag{4}$$

has four reducible fibers of type $I_3$. Its Mordell–Weil group is defined over a biquadratic extension $\mathbb{Q}(i, \sqrt{3})$. This corresponds to the surface $X_{3333}$ in [10, Table 5.3]. See also Remark 2(iii).

Notation 2 In what follows, we keep the notation introduced in Lemma 3 and denote by $k_R$ the extension of k over which the Néron–Severi group NS(R) admits a set of generators given by fiber components and sections of the elliptic fibration on R, and by $G_R$ the Galois group $\mathrm{Gal}(k_R/k)$. We keep the subscript R for the Galois group to reinforce the dependence on the surface. By Lemma 3, if the Kodaira types of the reducible fibers of $E_R$ are different then $k_R/k$ has degree at most 2.

Remark 2
(i) Certain configurations of reducible fibers force the Galois group $G_R$ to be trivial. Thus such surfaces always admit a set of generators for their Néron–Severi group over the ground field k. This holds for instance for any rational elliptic surface over k which has reducible fiber configurations $(II^*)$, $(III^*, I_2)$, $(III^*, III)$ or $(I_4^*)$; see the proof of Lemma 4 or [16, Cor. 4.4].
(ii) Five out of sixteen configurations of reducible fibers on extremal rational elliptic surfaces, namely $(2I_0^*)$, $(2I_5)$, $(2I_4, 2I_2)$, $(I_2^*, 2I_2)$ and $(4I_3)$, do not satisfy the hypothesis of Lemma 3, see [10, Theorem 4.1].
(iii) Extremal rational elliptic surfaces with repeated reducible fibers have their Néron–Severi group defined, in general, over extensions of larger degree. For instance, a rational elliptic surface with reducible fiber configuration $(2I_5)$ has, in general, its Néron–Severi group defined over an extension of degree four, with cyclic Galois group (see the proof of Lemma 4), while a surface $R_0$ with $(2I_0^*)$ has, in general, $\mathrm{NS}(R_0)$ defined over an extension of the ground field with Galois group given by the dihedral group of order 12. Indeed, the Galois group is generated by an involution which preserves each section and switches the two $I_0^*$-fibers and by $S_3$, which preserves the fibers and permutes the nontrivial elements of $\mathrm{MW}(R_0) = (\mathbb{Z}/2\mathbb{Z})^2$.
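The statements of Example 1 can be checked by exact polynomial arithmetic over Q. The following Python sketch is an added illustration, not part of the original article: all helper names are hypothetical, and the fiber types are read from the vanishing orders of the coefficients and the discriminant, assuming equation (3) is a minimal Weierstrass model. It confirms the fibers $I_1^*$ at t = 2 and $I_4$ at infinity (plus an irreducible $I_1$ at t = −2), that $y^2 = 27(t-2)^4$ on the conjugate sections (so $y$ needs $\sqrt{3}$), and that these sections double to the 2-torsion section, so they have order 4.

```python
from fractions import Fraction as Q

# Added illustration (not from the article). Polynomials in t over Q are
# coefficient lists, lowest degree first; [] is the zero polynomial.
def trim(p):
    p = [Q(c) for c in p]
    while p and p[-1] == 0:
        p.pop()
    return p

def add(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0)
                 for i in range(n)])

def mul(p, q):
    out = [Q(0)] * max(len(p) + len(q) - 1, 0)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return trim(out)

def prod(*factors):
    out = [Q(1)]
    for f in factors:
        out = mul(out, trim(f))
    return out

T2 = [-2, 1]                                # t - 2
A = prod([-3], [-3, 0, 1], T2, T2)          # -3(t^2 - 3)(t - 2)^2
B = prod([0, 1], [-9, 0, 2], T2, T2, T2)    # t(2t^2 - 9)(t - 2)^3

def rhs(x):
    """x^3 + A x + B, i.e. y^2 for a section with x-coordinate x."""
    return add(add(prod(x, x, x), mul(A, x)), B)

def disc():
    """4A^3 + 27B^2, the discriminant up to the constant factor -16."""
    return add(prod([4], A, A, A), prod([27], B, B))

def ord_at(p, c):
    """Order of vanishing of a nonzero polynomial p at t = c."""
    n = 0
    while True:
        q, carry = [], Q(0)
        for a in reversed(p):               # synthetic division by (t - c)
            carry = a + carry * c
            q.append(carry)
        if q.pop() != 0:                    # the remainder is p(c)
            return n
        p, n = q[::-1], n + 1

def at_infinity(p, weight):
    """Rewrite p in the chart s = 1/t as s^weight * p(1/s)."""
    return trim((p + [Q(0)] * (weight + 1 - len(p)))[::-1])

ADDITIVE = {2: "II", 3: "III", 4: "IV", 6: "I0*", 8: "IV*", 9: "III*", 10: "II*"}

def kodaira_type(place):
    """Fiber type at t = place (None means t = infinity). Assumption: the
    model is minimal, so the orders of (A, B, disc) determine the type."""
    a, b, d = A, B, disc()
    if place is None:
        a, b, d = at_infinity(a, 4), at_infinity(b, 6), at_infinity(d, 12)
        place = 0
    oa, ob, od = ord_at(a, place), ord_at(b, place), ord_at(d, place)
    if od == 0:
        return "I0"
    if oa == 0 and ob == 0:
        return "I%d" % od
    if (oa, ob) == (2, 3) and od > 6:
        return "I%d*" % (od - 6)
    return ADDITIVE[od]

TORSION_X = prod([0, 1], T2)    # x = t^2 - 2t, with y = 0
CONJ_X = prod([-3, 1], T2)      # x = (t-3)(t-2), with y = +-3*sqrt(3)*(t-2)^2

def doubles_to(x, x2):
    """True if a point with x-coordinate x doubles to x-coordinate x2, using
    x(2P) = ((3x^2 + A) / (2y))^2 - 2x with denominators cleared by y^2 = rhs(x)."""
    num = add(prod([3], x, x), A)
    return mul(num, num) == prod([4], rhs(x), add(x2, prod([2], x)))

if __name__ == "__main__":
    for place in (2, -2, None):
        print("fiber at", "infinity" if place is None else place, kodaira_type(place))
    print("y^2 on conjugate sections:", rhs(CONJ_X))
    print("conjugate sections double to the 2-torsion section:",
          doubles_to(CONJ_X, TORSION_X))
```

Since 27 is not a square in Q, the identity $y^2 = 27(t-2)^4$ is exactly what forces the two sections of order 4 into the quadratic extension $\mathbb{Q}(\sqrt{3})$, where they are exchanged by $\sqrt{3} \mapsto -\sqrt{3}$.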

4.1 Minimal Models for Extremal RES Over k

We recall that every rational elliptic surface defined over an algebraically closed field of characteristic zero can be obtained as the blow-up of the base points of a pencil of generically smooth cubics [4, §5.6.1] or [9, Lemma IV.1.2.]. This fact clearly does not hold, in general, over a number field k. For instance, the blow-up of the base point of the anti-canonical linear system of a k-minimal del Pezzo surface of degree one is a rational elliptic surface defined over k which does not admit a blow down to $\mathbb{P}^2$ as it is clearly not even k-rational. On the other hand, if one restricts attention to extremal rational elliptic surfaces then one can show that they are always k-rational, with possible exception given by those with reducible fiber configuration $(2I_0^*)$.¹ Still this is not enough to ensure that they can be obtained as a blow-up of the projective plane. Indeed, we provide an example in Proposition 2 for which this does not hold. Nonetheless, we obtain a quite intriguing fact in Lemma 4, namely that, with a possible exception of surfaces with configuration $(2I_0^*)$, all extremal rational elliptic surfaces can be obtained, over the ground field, as a blow-up of base points of a pencil of genus one curves in $\mathbb{P}^2$ or $\mathbb{P}^1 \times \mathbb{P}^1$. Despite its simple proof, this intriguing fact is not in the literature and likely not known to many experts.

Since an extremal rational elliptic surface has finite Mordell–Weil group, it has only finitely many curves of negative self-intersection [9, Proposition VIII.1.2]. The Galois group $G_R$ acts on NS(R) preserving the intersection pairing. Since, by hypothesis, the zero section of the fibration $E_R$ is defined over k, it is always preserved by $G_R$.

From now on we will use the following notation for the irreducible components of a reducible fiber: the component which intersects the zero section will be denoted by $C_0$; in a fiber of type $I_n$, the components $C_i$, $i \in \mathbb{Z}/n\mathbb{Z}$, are numbered requiring that $C_i C_j = 1$ if and only if $|i - j| = 1$.

Lemma 4 Let R be an extremal rational elliptic surface defined over k with at most one non-reduced fiber. Then R is k-isomorphic to the blow-up of the base points of a pencil of cubic curves in $\mathbb{P}^2$ or a pencil of curves of bidegree (2, 2) in $\mathbb{P}^1 \times \mathbb{P}^1$. In particular, such surfaces are always k-rational.

¹ These can be k-birational to a k-minimal Châtelet surface depending on whether the elliptic fibration has a 2-torsion section over k or not.


Proof We recall that the Galois group $G_R$ preserves the zero section, maps a fiber of a certain Kodaira type to a fiber of the same Kodaira type and maps sections to sections. The consequences are the following:

(i) If $\mathrm{MW}(E_R) = \{0\}$ or $\mathrm{MW}(E_R) = \mathbb{Z}/2\mathbb{Z}$, then $G_R$ maps each section to itself;
(ii) If every reducible fiber is of different Kodaira type, then $G_R$ maps the zero component of each fiber to itself;
(iii) If both (i) and (ii) are satisfied, then $G_R$ is trivial since in that case the fiber with most components is a non-reduced fiber of type $II^*$, $III^*$ or $I_4^*$ (see the table in [10, Thm. 4.1]) and each component is preserved by the Galois group because the zero section and the two torsion sections are preserved and defined over k;
(iv) If there is a fiber which is preserved by $G_R$ as, for example, in case (ii) and it is either of type $I_n$ or of type $IV^*$, then $G_R$ restricted to that fiber and to $\mathrm{MW}(E_R)$ acts trivially or as the hyperelliptic involution because it has to preserve the intersection properties of the components of the reducible fiber of type $I_n$.

Using these properties of $G_R$, one is able to find an explicit contraction γ defined over k, which maps a rational elliptic surface R either to $\mathbb{P}^2$ or to $\mathbb{P}^1 \times \mathbb{P}^1$ for all the extremal rational elliptic surfaces R with reducible fiber configuration different from $(2I_0^*)$.

Fibrations $(II^*, II)$, $(II^*, 2I_1)$, $(III^*, III)$, $(III^*, I_2, I_1)$, $(I_4^*, 2I_1)$: $G_R$ is trivial because (iii) in the previous list is satisfied. One first contracts all the sections, then contracts the image of the components of the fibers $II^*$, $III^*$, $I_4^*$, respectively, that are the (−1)-curves after the previous contractions. One iterates this process in order to contract 9 curves. The composition of all these contractions is a map $R \to \mathbb{P}^2$, defined over k.

Fibrations $(IV^*, IV)$, $(IV^*, I_3, I_1)$: by (iv), $G_R$ acts trivially or coincides with the hyperelliptic involution. After contracting all the sections, one obtains three (−1)-curves in the image of the $IV^*$-fiber. One is preserved by $G_R$, the other two might be exchanged by it. After contracting these three curves, one is in a similar situation, i.e. there are three (−1)-curves, forming two or three orbits for $G_R$. After contracting also these three curves, one obtains a k-rational map from R to $\mathbb{P}^2$.

Fibrations $(I_9, 3I_1)$, $(I_8, I_2, 2I_1)$, $(I_6, I_3, I_2)$: by (iv), $G_R$ acts trivially or coincides with the hyperelliptic involution. First one contracts all the sections. Then one contracts some curves in the image of the fibers of type $I_9$, $I_8$ and $I_6$ respectively, but not in the other reducible fibers. For the fiber $I_9$ one contracts the images of the components $C_0$, preserved by $G_R$, and of $C_3$ and $C_6$, which are either fixed or switched by $G_R$; after that one contracts the images of the curves $C_2$ and $C_7$, which are also either fixed or switched by $G_R$. For the fiber $I_8$ one contracts the images of components $C_0$ and $C_4$, which are preserved by $G_R$, and of the components $C_2$ and $C_6$, which are either fixed or conjugate under $G_R$. For the fiber of type $I_6$ one contracts the images of components $C_0$ and $C_3$, which are preserved by $G_R$. In all the cases one obtains a k-rational map from R to $\mathbb{P}^1 \times \mathbb{P}^1$.

Fibrations of type $(4I_3)$ and $(2I_4, 2I_2)$: in both these cases there are many sections, namely 9 sections in case $(4I_3)$ and 8 in case $(2I_4, 2I_2)$. Since the torsion sections are disjoint and $G_R$ preserves $\mathrm{MW}(E_R)$, one can contract simultaneously all the sections. This produces a k-rational map to $\mathbb{P}^2$ in case $(4I_3)$ and to $\mathbb{P}^1 \times \mathbb{P}^1$ in case $(2I_4, 2I_2)$.

Fibration of type $(2I_5, 2I_1)$: we have $G_R \subseteq \mathbb{Z}/4\mathbb{Z}$, and if $G_R = \mathbb{Z}/4\mathbb{Z}$ then the action of the generator of $G_R$ is the following: $t_0 \to t_0$, $C_0^{(1)} \leftrightarrow C_0^{(2)}$, $t_1 \to t_3 \to t_4 \to t_2 \to t_1$, $C_1^{(1)} \to C_1^{(2)} \to C_4^{(1)} \to C_4^{(2)}$, $C_2^{(1)} \to C_2^{(2)} \to C_3^{(1)} \to C_3^{(2)}$, where $C_i^{(j)}$ is the i-th component of the j-th fiber of type $I_5$. To obtain a k-rational map to $\mathbb{P}^2$, one first contracts all the sections, and then one contracts the components $C_1^{(1)}$, $C_1^{(2)}$, $C_4^{(1)}$, $C_4^{(2)}$, which form an orbit if $G_R = \mathbb{Z}/4\mathbb{Z}$.

Fibration of type $(I_2^*, 2I_2)$ and $(I_1^*, I_4, I_1)$: one contracts first the four sections and then the images of the four simple components of the fiber of type $I_i^*$. This gives a k-rational map to $\mathbb{P}^1 \times \mathbb{P}^1$.

Proposition 1 Let R be a semi-stable extremal rational elliptic surface defined over k and m the order of the Mordell–Weil group. Then the following holds.

(i) If m is odd and R has a unique reducible fiber then R admits a contraction over k to $\mathbb{P}^1 \times \mathbb{P}^1$.
(ii) If m is odd and R has at least two reducible fibers then R admits a contraction over k to $\mathbb{P}^2$.
(iii) If m is even then R admits a contraction over k to $\mathbb{P}^1 \times \mathbb{P}^1$.

Proof The result follows by the proof of the previous lemma. Indeed, if R is a semi-stable extremal elliptic fibration and m is odd, then the fibration on R is one of the following: $(I_9, 3I_1)$, $(2I_5, 2I_1)$, $(4I_3)$. The first fibration corresponds to case (i) and can be contracted to $\mathbb{P}^1 \times \mathbb{P}^1$, for every action of $G_R$. The other two fibrations correspond to the case (ii) and it was already proved that they can be contracted to $\mathbb{P}^2$. If m is even (case (iii)), then the fibration on R is one of the following: $(I_8, I_2, 2I_1)$, $(I_6, I_3, I_2)$, $(2I_4, 2I_2)$ and in the proof of the previous lemma it is shown that all of them can be contracted to $\mathbb{P}^2$.
Remark 3 The converse of the different cases in Proposition 1 is not always true; some of the surfaces treated in Lemma 4 can be contracted, over an algebraically closed field, to both P2 and P1 × P1 . Whether or not these surfaces can be contracted to both P2 and P1 × P1 over k as well depends on the action of GR , and in particular on the action of the hyperelliptic involution on the reducible fibers. See Proposition 2 and Fig. 1, where we show this for a surface with fibers (I9 , 3I1 ).

5 Double Covers of Extremal Rational Elliptic Surfaces

In the rest of this article we consider K3 surfaces that are double covers of extremal rational elliptic surfaces defined over k and branched on two smooth Gk¯-conjugate fibers. Let X be such a surface. Recall that since the extremal rational elliptic

V. Cantoral-Farfán et al.

surfaces considered here² are rigid, their K3 double covers have a 2-dimensional moduli space, as each branch point is allowed to vary in P1. In this section we show that the field over which a genus one fibration on X admits a section depends on the action of the cover involution on the fibers of the genus one fibration.

Notation 3 Let R and X be as above and t1, · · · , tm ∈ P1k points over which the reducible fibers of R are located. Since the base change map X → R is branched only over smooth fibers, there are two distinct points above each ti. Then τ restricted to the pair of fibers of EX above each ti is a field homomorphism, which we denote by σi. We denote by kτ the Galois field extension of k whose Galois group is generated by σ1, · · · , σm. By construction kτ/k is an extension of even degree dividing 2^m. We denote by kR,τ the compositum of the fields kR and kτ.

Lemma 5 Let R be an extremal rational elliptic surface as above and X a generic member of the 2-dimensional family given by double covers of R branched in two smooth fibers. Then NS(X) admits a set of generators over kR,τ.

Proof Since the Néron–Severi group has rank 10 and the Mordell–Weil group has rank zero, it follows from the Shioda–Tate formula that the reducible fibers of an extremal rational elliptic surface R have in total 8 components contributing to the set of generators of NS(R). Since X is a double cover of an extremal rational elliptic surface R branched on smooth fibers, the reducible fibers of the inherited fibration EX contribute with 16 components to a set of generators of NS(X). If X is generic among such surfaces then it lies in a 2-dimensional family and hence NS(X) has rank 18 and is generated by fiber components, the zero section and a smooth fiber of EX. All such curves are defined at most over kR,τ.

Theorem 1 Let R be an extremal rational elliptic surface defined over k such that its reducible fibers are all of distinct Kodaira types. Let X be a K3 surface obtained as a double cover of R branched on two smooth fibers conjugate under Gk¯, τ the cover involution and η a genus 1 fibration on X. Then the following hold.
(i) If η is of type 1 w.r.t. τ then η is defined over kR and admits a section over kR,τ.
(ii) If η is of type 2 w.r.t. τ then it is defined and admits a section over k.

Proof For (ii) notice that because the branch locus is smooth there is only one fibration of type 2, namely the one induced by the elliptic fibration on R. Indeed, different fibrations of type 2 correspond to different contractions of (−1)-curves in X/τ that are components of non-relatively minimal elliptic fibrations. Since the branch locus is smooth there are no (−1)-curves to be contracted and, in particular, X/τ ≅ R. Since the double cover morphism is defined over k so is the induced elliptic fibration on X and the zero section inherited from R. If η is of type 1 then each fiber is the pull-back of a conic³ in R [5, Theorem 4.2]. Let C be such a conic.

² We exclude rational elliptic surfaces with (2I0∗). These have a 1-dimensional moduli space.
³ A conic is a rational curve C such that C · (−KR) = 2.


Since NS(R) is generated by curves defined over kR then the class of C has a divisor C0 whose components are defined over kR. Moreover, as the fibers of η are fixed by τ, the pull-back C0 is also defined over kR. Its class moves in X giving the elliptic fibration η.

The fibrations of type 3 are certainly more difficult to study by using the geometry related with R. Indeed, even if X is a double cover of R, the fibrations of type 3 are not easily related with the geometry of R, by definition, since they are not preserved by the cover involution. But one is still able to prove that certain fibrations of type 3 are defined on certain fields, if one is able to find components of their reducible fiber in a proper way, as observed in the next Remark.

Remark 4 Since the irreducible components of reducible fibers and of the sections of the elliptic fibration on a K3 surface are rational curves, they are rigid in their class. So if their class is defined over a certain field, say kR,τ, and they are irreducible curves, then they are defined over kR,τ. Suppose now that the Néron–Severi group is defined over kR,τ and it is generated by a certain set of classes of irreducible rational curves. If the union of some of these curves is a reducible fiber F of a fibration η, then the reducible fiber F and its class are defined over kR,τ. In particular the fibration η is defined on kR,τ and if also a section of η can be found among the generators of the Néron–Severi group, then η is an elliptic fibration on kR,τ. So, in order to prove that a fibration of type 3 defined on a K3 surface satisfying the assumptions of Theorem 1 is defined over kR,τ, it suffices to find among the generators of NS(X) a configuration of (−2)-curves which corresponds to a reducible fiber of η.

Remark 5 We believe that it is always possible to find a fibration of type 3 as in the previous remark, at least for the K3 surfaces X as in Theorem 1. We are able to prove this for all the elliptic fibrations of type 3 on the surfaces considered in Sects. 6.3 and 7.3 of this paper. Hence for all the surfaces considered in this paper, we have that the fields of definition of the elliptic fibrations on the K3 surfaces X as in Theorem 1 are at most biquadratic extensions of k, by the explicit description of the elliptic fibration and Remark 4.

Remark 6 Certain sections on elliptic K3 surfaces as above might be defined over a smaller subfield of kR,τ that contains k. See, for instance, the fifth column of lines 2, 3, 4, 9, 11, and 12 in Table 2.

Following the geometric classification of extremal rational elliptic surfaces by Miranda and Persson [10, Theorem 4.1], we notice that, among those surfaces, only four of them have only one reducible fiber, namely (I9, 3I1), (II∗, II), (II∗, 2I1), and (I4∗, 2I1). From a lattice theoretic point of view the surfaces with singular fibers (II∗, II) and (II∗, 2I1) are the same since, from that perspective, only the reducible fibers matter. Moreover, they share the same properties of interest to us, namely reducible fibers and fields of definition of components of fibers and thus we denote both of them by R2. In the following sections, we study those extremal rational elliptic surfaces, denoted by R9, R2, and R4 and their corresponding K3


surfaces X9, X2, and X4, respectively. We also study the surface R3 which has two reducible fibers (III∗, III) and its generic K3 cover X3. The justification for considering R3 as well is the fact that the surface X4 occurs also as double cover of R3 and hence X3 and X4 belong to the same family of K3 surfaces.

5.1 Arithmetic Models of Extremal Rational Elliptic Surfaces

Over algebraically closed fields, all rational elliptic surfaces can be obtained by the blow up of the base points of a pencil of genus 1 curves in the projective plane. Over a number field k, this no longer holds true. Nevertheless, if one restricts attention to extremal rational elliptic surfaces, we have shown in Lemma 4 that, with one possible exception, they can be obtained as a blow up of a pencil of genus 1 curves in the plane or in the ruled surface P1 × P1. The realization of the blow down of an extremal rational elliptic surface R to either rational minimal model is connected to, but not always determined by, the Galois group GR introduced in Notation 2. More precisely, given singular fiber configurations on an extremal rational elliptic surface might entail more than one possible action of the Galois group Gk¯ on its fiber components and hence, with a few exceptions, it does not make sense anymore to speak about the extremal rational elliptic surface with a given configuration as one does over algebraically closed fields. In what follows we keep the notation Ri and Xi for a surface with fiber configuration described in the previous paragraph. We study what are the possible actions of Gk¯ on each configuration. We show, in Propositions 2 and 5 respectively, that R9 might admit two possible actions, while R2, R3, R4 always admit a unique action.

6 The Surfaces R9 and X9

Let R9 be an extremal rational elliptic surface with one reducible fiber of type I9 and X9 a K3 surface obtained by a double cover of R9 branched in two smooth Gk¯-conjugate fibers. In this section, we classify all the possible fibrations of the K3 surface X9 and determine their types with respect to the cover involution τ9, a field over which the class of a fiber is defined and a field over which the Mordell–Weil group is defined.


6.1 Negative Curves on R9

Recall that the configuration I9 is given by 9 smooth rational curves meeting in a cycle with dual graph \(\tilde{A}_8\) (see [9, Table I.4.1]⁴). The singular fibers of R9 are I9 + 3I1 and the Mordell–Weil group is Z/3Z = {O, t1, t2}, where O is the zero section and t1 and t2 are 3-torsion sections. The Néron–Severi group of R9 contains also the classes of the irreducible components of the unique reducible fiber, denoted by C0, C1, . . . , C8. The intersections which are not trivial are the following

\[ C_i^2 = -2; \qquad C_i C_j = 1 \ \text{iff}\ |i - j| = 1; \tag{5} \]
\[ O C_0 = t_1 C_3 = t_2 C_6 = 1; \qquad O^2 = t_1^2 = t_2^2 = -1. \tag{6} \]

The following result tells us that R9 can always be obtained as the blow-up of the eight base points on a pencil of curves of bi-degree (2,2) in P1 × P1, and that if the Galois group GR9 fixes each 3-torsion section then R9 can also be obtained as the blow-up of the nine base points of a pencil of cubics in P2 (see also Lemma 4). Both blow-ups occur in multiple points, i.e., points with assigned multiplicities.

Proposition 2 If for every g ∈ GR9 = Gal(kR9/k) we have g(t1) = t1, then GR9 = {id} and R9 can be contracted both to P2 and to P1 × P1. If there exists at least one g ∈ GR9 such that g(t1) ≠ t1, then g(t1) = t2, GR9 = Z/2Z = ⟨g⟩ and g is the elliptic involution ιR9 restricted to the fiber I9. In this case R9 can be contracted to P1 × P1 but not to P2.

Proof Let F be the class of a fiber of ER9. Since F is preserved by GR9, for each g ∈ GR9 we have 1 = t1 F = g(t1)g(F) and thus g(t1) is necessarily a section. It is different from O as the latter is fixed by GR9. Hence either g(t1) = t1 or g(t1) = t2. We begin with g(t1) = t1. In that case g(t2) = t2 and since t1 intersects the fiber component C3 and t2 intersects C6, we have g(C3) = C3 and g(C6) = C6. Since each other fiber component intersects one among C0, C3 and C6, it is also fixed by g. Hence GR9 is trivial. We pass to the case g(t1) = t2. This implies that g(C3) = C6. The fiber components intersecting C3 and C6 must be switched by g and, a posteriori, so must C1 and C8. We have g(Ci) = C9−i. Hence, in that case, GR9 has order 2 and is generated by the elliptic involution.

Let us now consider the contraction of the (−1)-curves on R9, i.e., the sections O, t1 and t2. The reader might find it helpful to follow Fig. 1 in parallel. First one contracts the three sections, which are all disjoint and form either 3 or 2 orbits for the action of GR9, depending on whether GR9 is {id} or Z/2Z. Let us denote by β1 : R9 → R′ this contraction. The curves β1(C0), β1(C3), β1(C6) are disjoint (−1)-curves of R′ and form 2 or 3 orbits with respect to GR9. Secondly, we call β2 : R′ → R″ the contraction of these three curves. The curves β2(β1(Ci)) for i = 1, 2, 4, 5, 7, 8 are (−1)-curves on R″. The curves β2(β1(C2)) and β2(β1(C7)) form 1 or 2 orbits with respect to GR9. Hence they can be contracted in order to obtain a minimal surface. Let us denote by β3 : R″ → R‴ this contraction. Then R‴ is P1 × P1, the curves β3(β2(β1(C1))) and β3(β2(β1(C5))) are curves of bidegree (1, 0) in P1 × P1 and the curves β3(β2(β1(C4))) and β3(β2(β1(C8))) are curves of bidegree (0, 1). Hence the image of the reducible fiber I9 is a reducible curve of bidegree (2, 2) in P1 × P1. There is another possible choice of curves to contract on R″ in order to obtain a minimal surface. If GR9 = {id}, one can contract the curves β2(β1(C1)), β2(β1(C4)), β2(β1(C7)) obtaining P2 as minimal surface. But these curves do not form an orbit for GR9 if GR9 = Z/2Z, hence this contraction is allowed only if GR9 is trivial.

⁴ Though this table contains a typo, namely a fiber of In has dual graph \(\tilde{A}_{n-1}\).

Figure 1 shows the contractions β1, β2, and β3 of the fiber I9 as in the proof of Proposition 2. Black lines represent curves defined over k. Lines of the same color (not black) represent curves that are conjugate under the action of GR9 if GR9 ≠ {id}; of course if GR9 = {id} then all curves are defined over k. Dotted lines represent (−1)-curves, lines with label 0 represent curves with self-intersection 0, and all other lines represent (−2)-curves.

Remark 7 If one contracts R9 to P1 × P1, the elliptic involution defined on R9 induces an involution of P1 × P1, which is precisely the exchange of the two rulings. Indeed ιR9 maps C1 to C8 and C4 to C5, so the automorphism induced by ιR9 on P1 × P1 maps the (1, 0)-curves β3(β2(β1(C1))) and β3(β2(β1(C5))) to the (0, 1)-curves β3(β2(β1(C8))) and β3(β2(β1(C4))).

Remark 8 Over the complex field all the rational elliptic fibrations can be contracted to a pencil of cubics in P2 and for each extremal rational elliptic fibration, the equation of an associated pencil is known [4, Proof of Theorem 5.6.2].
In particular, an equation of a pencil of cubics associated to the surface R9 in \(\mathbb{P}^2_{(z_0:z_1:z_2)}\) is given by

\[ P_9 := (z_0 z_1 z_2) + t\,(z_0^2 z_1 + z_1^2 z_2 + z_2^2 z_0). \tag{7} \]

The base points of P9 are (1 : 0 : 0), (0 : 1 : 0) and (0 : 0 : 1), each with multiplicity 3. After blowing up these points one obtains a rational elliptic surface, with a reducible fiber over t = 0. A birational map from P2 to P1 × P1 is given by the blow-up of two points and the contraction of the line through these points. For example the maps

\[ \alpha_1 : \mathbb{P}^1_{(x_0:x_1)} \times \mathbb{P}^1_{(y_0:y_1)} \to \mathbb{P}^2, \qquad \alpha_1((x_0 : x_1), (y_0 : y_1)) = (x_0 y_0 : x_0 y_1 : x_1 y_0) \tag{8} \]
\[ \alpha_2 : \mathbb{P}^2_{(z_0:z_1:z_2)} \to \mathbb{P}^1 \times \mathbb{P}^1, \qquad \alpha_2(z_0 : z_1 : z_2) = ((z_0 : z_2), (z_0 : z_1)) \tag{9} \]

are birational inverse maps. They correspond to blowing up the points (0 : 1 : 0) and (0 : 0 : 1) in P2 and to contracting the line z0 = 0. We observe that the points (0 : 1 : 0) and (0 : 0 : 1) are base points of the pencil P9. The birational image of this pencil is a bidegree (2, 2) pencil in P1 × P1, given by

\[ (x_0 x_1 y_0 y_1) + t\,(x_0^2 y_0 y_1 + x_0 x_1 y_1^2 + x_1^2 y_0^2), \tag{10} \]

which still corresponds to R9. We conclude that the pencil (10), considered as pencil of curves of bidegree (2, 2) over a certain field k, defines the rational elliptic surface R9 over k. We already observed that the Galois action on R9 corresponds to an involution exchanging the rulings of P1 × P1 and indeed, with the chosen coordinates, it is ((x0 : x1), (y0 : y1)) → ((y1 : y0), (x1 : x0)).

Fig. 1 Two ways to contract the fiber I9

The following example illustrates the two different Galois actions that occur in Proposition 2.

Example 3 In Remark 8, we saw that the pencil of cubics given by \(P_9 = (z_0 z_1 z_2) + t\,(z_0^2 z_1 + z_1^2 z_2 + z_2^2 z_0)\) gives rise to an R9 surface. A Weierstrass equation for this surface is

\[ y^2 = x^3 - (432 t^3 + 10368)\,x t + 3456 t^6 + 124416 t^3 + 746496, \tag{11} \]

and the Mordell–Weil group consists of three sections defined over Q, which are given by \([0, 1, 0]\) and \([12t^2, \pm 864, 1]\). We conclude from Proposition 2 that in this case we have GR9 = {id}. Another example of an R9 surface is given by the Weierstrass equation

\[ y^2 = x^3 - 3(t^3 + 24)\,x t + 2(t^6 + 36 t^3 + 216), \tag{12} \]

which has Mordell–Weil group given by the section \([0, 1, 0]\) and the two sections \([t^2 - 1, \pm 3\sqrt{3}\,t, 1]\) [10, Table 5.3]. So the Mordell–Weil group of this surface is trivial over Q, and defined over the quadratic extension \(\mathbb{Q}(\sqrt{3})\). We conclude from Proposition 2 that in this case we have GR9 = Z/2Z, and the surface cannot be contracted to P2.
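The claims of Example 3 about equation (11) can be checked by hand. The following computation is an added illustration, not part of the original article; the symbols \(a_4\), \(a_6\), \(\Delta\) and \(s\) are notation introduced here. Write (11) as \(y^2 = x^3 + a_4 x + a_6\) with

\[ a_4 = -432\,t\,(t^3 + 24), \qquad a_6 = 3456\,(t^6 + 36 t^3 + 216). \]

Substituting \(x = 12t^2\) gives

\[ x^3 + a_4 x + a_6 = 1728 t^6 - (5184 t^6 + 124416 t^3) + (3456 t^6 + 124416 t^3 + 746496) = 746496 = 864^2, \]

so \([12t^2, \pm 864, 1]\) are indeed sections defined over Q. For the discriminant, note that \(4 \cdot 432^3 = 27 \cdot 3456^2 = 2^{14} 3^{9}\), hence with \(s = t^3\)

\[ 4a_4^3 + 27a_6^2 = 2^{14} 3^{9} \left[ (s^2 + 36 s + 216)^2 - s\,(s + 24)^3 \right] = 2^{14} 3^{9} \cdot 1728\,(s + 27), \]
\[ \Delta = -16\,(4a_4^3 + 27a_6^2) = -2^{24}\, 3^{12}\, (t^3 + 27). \]

At the three simple roots of \(t^3 + 27\) one has \(a_4 = 1296\,t \neq 0\), so these are three fibers of type I1. Since \(\Delta\) is a form of degree 12 on P1 and \(a_4\) has full degree 4, \(\Delta\) vanishes to order 9 at \(t = \infty\) while \(a_4\) does not vanish there, so the fiber at infinity is of type I9, in agreement with the configuration (I9, 3I1) of R9.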

6.2 The K3 Surface X9

Let X9 be a K3 surface obtained by a generic base change of order 2 on the rational elliptic surface R9 as described in Sect. 2. Then the elliptic fibration ER9 : R9 → P1 induces an elliptic fibration EX9 : X9 → P1 on X9. We denote by ιX9 the elliptic involution on EX9. We denote by τ9 the cover involution of π : X9 → R9. By definition the fibration EX9 is of type 2 with respect to τ. So, by Theorem 1, the field of definition of the elliptic fibration and of a section of it is k. Nevertheless there could be other sections or components of some reducible fibers which are not defined over k.


In what follows we describe the Galois group GEX9,MW, i.e., the Galois group of the field extension kEX9/k over which all components of reducible fibers and sections of the fibration EX9 are defined.

Proposition 3 The Galois group GEX9,MW of the elliptic fibration EX9 : X9 → P1 is as follows
• GEX9,MW ≅ (Z/2Z)^2 if, and only if, GR9 ≅ Z/2Z and the branch fibers of π are not defined over kR9,
• GEX9,MW ≅ Z/2Z if, and only if, GR9 ≅ Z/2Z and the branch fibers of π are defined over kR9,
• GEX9,MW ≅ Z/2Z if, and only if, GR9 = {id} and the branch fibers of π are not defined over kR9,
• GEX9,MW = {id} if, and only if, GR9 = {id} and the branch fibers of π are defined over kR9.

Proof This follows from a simple analysis of whether the extensions kR9 and kτ9 are linearly disjoint or not. This depends of course on the branch locus of the base change map. See the discussion in Notation 2.

The elliptic fibration EX9 has two fibers of type I9. Let us denote by \(\Theta_i^j\), for i = 0, . . . , 8, j = 1, 2 the i-th component of the j-th fiber of type I9. The sections of ER9 induce sections of EX9, and thus MW(EX9) = {OX9, T1, T2}. Thus

\[ \pi(O_{X_9}) = O, \quad \pi(T_1) = t_1, \quad \pi(T_2) = t_2, \quad \pi(\Theta_i^j) = C_i, \quad i = 0, \ldots, 8,\ j = 1, 2. \tag{13} \]

The automorphism τ9 is the cover involution of π and thus

\[ \tau_9(O_{X_9}) = O_{X_9}, \quad \tau_9(T_1) = T_1, \quad \tau_9(T_2) = T_2, \quad \tau_9(\Theta^1_i) = \Theta^2_i, \quad i = 0, \ldots, 8. \tag{14} \]

Figure 2 summarizes the above.

Proposition 4 The Néron–Severi group of X9 has rank 18, signature (1, 17), discriminant group Z/9Z and its discriminant form is the opposite to the one of A8. The transcendental lattice of X9 is the unique (up to isometries) even lattice with signature (2, 2), discriminant group Z/9Z and discriminant form equal to the one of A8.

Proof The Néron–Severi group contains the 18 linearly independent classes OX9, T1, T2 and \(\Theta_i^j\), for i = 1, . . . , 8, j = 1, 2. Hence it has rank at least 18. On the other hand the family of X9 is a two dimensional family (because of the choice of two branch fibers of the double cover X9 → R9). So the Néron–Severi group has rank at most 18. We conclude that the 18 classes listed before form a basis of NS(X9). The intersection form and the discriminant form of NS(X9) can be explicitly computed and one can check that it has discriminant 9. In

Fig. 2 Reducible fibers and sections of the fibration EX9 on X9

1 9 2 /9 and particular, a generator for the discriminant group is 2 i=1 i $i − $i 8 its discriminant form is Z/9Z 9 , which is the opposite to the discriminant form of A8. The discriminant form of the transcendental lattice is the opposite of the discriminant form of the Néron–Severi group. Hence the transcendental lattice TX9 is an even lattice with signature (2, 2) and discriminant form \(\mathbb{Z}/9\mathbb{Z}\left(-\tfrac{8}{9}\right)\). The transcendental lattice is uniquely determined by these data by [12, Theorem 1.13.2]. We observe that the discriminant form of TX9 is the same as the one of A8 and that rank(TX9) + 4 = rank(A8).

Corollary 1 The field kE9 coincides with kR,τ.

Proof By Proposition 4 the classes of the reducible fibers and of the sections of EX9 form a basis of NS(X). Each of these classes corresponds to a unique curve (since these are negative curves), which is a smooth rational curve. Hence the field where all these classes are defined coincides with the field where NS(X) is defined. The former is kE9 by definition, the latter is kR9,τ9 by Lemma 5.


6.3 Classification of All the Possible Fibrations of the K3 Surface X9

In order to find all elliptic fibrations on X9, we use Nishiyama’s method explained in [14]. As explained in [14, Section 6.1], if one is able to find a lattice T0 which is negative definite, has the same discriminant form of the transcendental lattice of a K3 surface and its rank is the rank of the transcendental group plus four, then there is an operative method to classify the configuration of the reducible fibers of the elliptic fibrations on the surface. In our particular case, by Proposition 4, we put T0 = A8 and in order to classify the elliptic fibrations on X9 (and in particular the lattice W of each of these elliptic fibrations, with the notation of [14]) we have to find the orthogonal complements of primitive embeddings of the root lattice A8 in the 24 possible lattices listed (by their root type) by Niemeier [11, Satz 8.3] (or [14, Theorem 1.7]). By [14, Lemmas 4.1 and 4.3] we know that A8 embeds primitively uniquely, up to the action of the Weyl group, in Am for m ≥ 8, in Dn for n ≥ 9, and in no other root lattice. The orthogonal complements of these embeddings in the 24 Niemeier lattices are then found in [14, Corollary 4.4], and this determines the reducible fibers and the rank of the Mordell–Weil group for each fibration. These results are summarized in Table 1. Note that line 1 is the fibration EX9. Apart from the torsion part of the Mordell–Weil group, everything is found by Nishiyama’s method as explained above. We compute the torsion parts in what follows.

6.3.1 Torsion of the Mordell–Weil Group for the Elliptic Fibrations Associated to X9

By [18, Table 1], we can immediately conclude that the torsion of the fibrations in lines 2, 3, 4, 5, 8, 9, and 12 is trivial, and the torsion part of fibrations 6, 7, 10, and 11 is either Z/2Z or trivial. Fibration 11 comes from the orthogonal complement of the embedding of A8 in a lattice N of rank 24 with root type A24. We observe that N/A24 = Z/5Z ([11, Satz 8.3] or [14, Theorem 1.7]). By Nishiyama [14, Lemma 6.6, iii)], the torsion of the elliptic fibration corresponding to this embedding of A8 in N has to be contained in N/A24, so this fibration does not have a 2-torsion section and the torsion part of the Mordell–Weil group is trivial. Note that, in terms of the notation of our configuration of 2I9 (see Fig. 2), we find a fiber of type I16 composed of the following curves on X9.

\[ \Theta^1_0, \Theta^1_1, \Theta^1_2, \Theta^1_3, T_1, \Theta^2_3, \Theta^1_2, \Theta^2_1, \Theta^2_0, \Theta^2_8, \Theta^2_7, \Theta^2_6, T_2, \Theta^1_6, \Theta^1_7, \Theta^1_8. \tag{15} \]

Moreover, \(\Theta^1_5, \Theta^1_4, \Theta^2_5, \Theta^2_4\) are sections for this fibration. Let \(\Theta^1_4\) be the 0-section, then the height \(h(\Theta^2_5)\) of the section \(\Theta^2_5\) is \(2 \cdot 2 + 0 - \frac{8(16-8)}{16} = 0\) [17, Chap. 11 §11.8], and therefore it is a torsion section [17, Theorem 11.5]. Since we know that the fibration in line 11 has trivial torsion, and the fibration in line 7 is the only other one with reducible fiber of type I16, we conclude that we found a representation of the fibration in line 7, and therefore the torsion part of the Mordell–Weil group of this fibration is Z/2Z. Finally, we find that the torsion part of the Mordell–Weil groups of the fibrations in lines 6 and 10 are Z/2Z in the same way as we did for line 7.

Table 1 Elliptic fibrations of X9

| no | Niemeier | Embedding | Roots orth. | Reducible fibers | MW |
|---|---|---|---|---|---|
| 1 | \(A_8^{\oplus 3}\) | \(A_8 \subset A_8\) | \(A_8^{\oplus 2}\) | \(2I_9\) | Z/3Z |
| 2 | \(E_8 \oplus D_{16}\) | \(A_8 \subset D_{16}\) | \(E_8 \oplus D_7\) | \(II^* + I_3^*\) | Z |
| 3 | \(E_7^{\oplus 2} \oplus D_{10}\) | \(A_8 \subset D_{10}\) | \(E_7^{\oplus 2}\) | \(2III^*\) | Z^2 |
| 4 | \(E_7 \oplus A_{17}\) | \(A_8 \subset A_{17}\) | \(E_7 \oplus A_8\) | \(III^* + I_9\) | Z |
| 5 | \(D_{24}\) | \(A_8 \subset D_{24}\) | \(D_{15}\) | \(I_{11}^*\) | Z |
| 6 | \(D_{12}^{\oplus 2}\) | \(A_8 \subset D_{12}\) | \(D_{12} \oplus A_3\) | \(I_8^* + I_4\) | Z/2Z ⊕ Z |
| 7 | \(D_9 \oplus A_{15}\) | \(A_8 \subset D_9\) | \(A_{15}\) | \(I_{16}\) | Z/2Z ⊕ Z |
| 8 | \(D_9 \oplus A_{15}\) | \(A_8 \subset A_{15}\) | \(D_9 \oplus A_6\) | \(I_5^* + I_7\) | Z |
| 9 | \(E_6 \oplus D_7 \oplus A_{11}\) | \(A_8 \subset A_{11}\) | \(E_6 \oplus D_7 \oplus A_2\) | \(IV^* + I_3^* + I_3\) | Z |
| 10 | \(D_6 \oplus A_9^{\oplus 2}\) | \(A_8 \subset A_9\) | \(D_6 \oplus A_9\) | \(I_2^* + I_{10}\) | Z/2Z ⊕ Z |
| 11 | \(A_{24}\) | \(A_8 \subset A_{24}\) | \(A_{15}\) | \(I_{16}\) | Z |
| 12 | \(A_{12}^{\oplus 2}\) | \(A_8 \subset A_{12}\) | \(A_{12} \oplus A_3\) | \(I_{13} + I_4\) | Z |

We find the class of the fiber of the other elliptic fibrations, by giving the components of one reducible fiber in terms of the configuration of 2I9 (see Fig. 2). The rational curves orthogonal to the class of the fiber are necessarily components of other reducible fibers, hence we list all the irreducible components of at least one reducible fiber and some components of the others for each elliptic fibration.

\(I_8^* + I_4\): \(\Theta^2_1, \Theta^2_8, 2\Theta^2_0, 2O_{X_9}, 2\Theta^1_0, 2\Theta^1_8, 2\Theta^1_7, 2\Theta^1_6, 2\Theta^1_5, 2\Theta^1_4, 2\Theta^1_3, \Theta^1_2, T_1\) + \(\Theta^2_6, \Theta^2_5, \Theta^2_4\),

\(I_2^* + I_{10}\): \(\Theta^1_8, \Theta^1_0, 2\Theta^1_1, 2O_{X_9}, 2\Theta^2_0, \Theta^2_8, \Theta^2_1\) + \(T_2, \Theta^1_6, \Theta^1_5, \Theta^1_4, \Theta^1_3, T_1, \Theta^2_3, \Theta^2_4, \Theta^2_5, \Theta^2_6, \Theta^1_6\).

For this configuration of \(I_8^* + I_4\) we find the three sections \(\Theta^2_7\), \(\Theta^2_3\), and \(\Theta^2_2\). If we set \(\Theta^2_7\) as the 0-section, then \(\Theta^2_3\) has height 0 and hence it is a 2-torsion section. Since there is only one fibration with reducible fiber \(I_8^* + I_4\) in our list, we conclude that this configuration represents the fibration in line 6. Hence the torsion part of the Mordell–Weil group is Z/2Z. For the fibration in line 10 we have the same reasoning, after finding the sections \(\Theta^1_4, \Theta^2_7, \Theta^2_6, \Theta^2_2\), setting \(\Theta^1_2\) as the 0-section and finding that \(\Theta^2_7\) is a 2-torsion section.


6.4 Determining the Type of Each Fibration of X9

In what follows, we assume that the surface R9 is general, i.e., its Galois group GR9 is not trivial. The goal of this section is to find an example, for each fibration η in Table 1, and to determine for each example the following:
(a) The type with respect to the cover involution τ9;
(b) an upper bound for the degree over k of a field of definition of the fibration, that is, a field over which the reducible fiber and a 0-section are defined;
(c) an upper bound for the degree over k of a field kη,MW over which the Mordell–Weil group of the fibration admits a set of generators.

The results are summarized in Table 2, with the notations introduced in Sects. 4, 5, and 6. For each fibration in Table 1 we find a configuration of (parts of the) reducible fibers in terms of the curves in Fig. 2. Note that for lines 6, 7, and 10, this is done in the previous section.

\(II^* + I_3^*\): \(\Theta^2_6, 2\Theta^2_7, 3\Theta^2_8, 4\Theta^2_0, 5O_{X_9}, 6\Theta^1_0, 4\Theta^1_8, 2\Theta^1_7, 3\Theta^1_1\) + \(\Theta^2_4, \Theta^2_2, 2\Theta^2_3, 2T_1, 2\Theta^1_3, 2\Theta^1_4, \Theta^1_5\).

\(2III^*\): \(\Theta^1_5, 2\Theta^1_6, 3T_2, 4\Theta^2_6, 3\Theta^2_5, 2\Theta^2_4, \Theta^2_3, 2\Theta^2_7\) + \(\Theta^2_1, 2\Theta^2_0, 3O_{X_9}, 4\Theta^1_0, 3\Theta^1_1, 2\Theta^1_2, \Theta^1_3, 2\Theta^1_8\).

\(III^* + I_9\): \(\Theta^1_0, 2\Theta^1_8, 3\Theta^1_7, 4\Theta^1_6, 3\Theta^1_5, 2\Theta^1_4, \Theta^1_3, 2T_2\) + \(\Theta^2_7, \Theta^2_8, \Theta^2_0, \Theta^2_1, \Theta^2_2, \Theta^2_3, \Theta^2_4, \Theta^2_5\).

\(I_5^* + I_7\): \(\Theta^1_5, T_2, 2\Theta^1_6, 2\Theta^1_7, 2\Theta^1_8, 2\Theta^1_0, 2O_{X_9}, 2\Theta^2_0, \Theta^2_1, \Theta^2_8\) + \(\Theta^2_5, \Theta^2_4, \Theta^2_3, T_1, \Theta^1_3, \Theta^1_2\).

\(IV^* + I_3^* + I_3\): \(\Theta^2_6, 2T_2, 3\Theta^1_6, 2\Theta^1_5, \Theta^1_4, 2\Theta^1_7, \Theta^1_8\) + \(O_{X_9}, \Theta^2_8, 2\Theta^2_0, 2\Theta^2_1, 2\Theta^2_2, 2\Theta^2_3, T_1, \Theta^2_4\) + \(\Theta^1_1, \Theta^1_2\).

\(I_{13} + I_4\): \(T_2, \Theta^1_6, \Theta^1_5, \Theta^1_4, \Theta^1_3, T_1, \Theta^2_3, \Theta^2_2, \Theta^2_1, \Theta^2_0, \Theta^2_8, \Theta^2_7, \Theta^2_6\) + \(\Theta^1_8, \Theta^1_0, \Theta^1_1\).

To find the elliptic fibrations described in lines 5 and 11 of Table 1, we need to find another rational curve on X9. We recall that the K3 surface X9 has an infinite number of rational curves, and considering the elliptic fibration with fibers \(IV^* + I_3^* + I_3\) we are able to describe one of them. Indeed, the divisor


F := $26 + 2T2 + 3$16 + 2$15 + $14 + 2$17 + $18

(16)

corresponds to a reducible fiber of type I V ∗ of this elliptic fibration. In particular F is the class of the fiber of this fibration, and the divisor OX9 + $28 + 2$20 + 2$21 + 2$22 + 2$23 + T1 + $24 is linearly equivalent to F and corresponds to the fiber of type I3∗ . The remaining reducible fiber consists of three curves meeting in a triangle, one is $11 , one is $12 and we denote the third one by M. Since $11 + $12 + M is a fiber of the elliptic fibration, M is linearly equivalent to F − $11 − $12 . In particular this implies that the intersections properties of M are the following: M$11 = M$12 = M$27 = M$25 = 1 and M is orthogonal to all the other curves appearing in Fig. 2. Let us consider the following configuration of curves: I16 $16 , $15 , $14 , $13 , $12 , M, $25 , $24 , $23 , $22 , $21 , $20 , OX9 , $10 , $18 , $17 . The curves T2 and $27 are sections of this fibration. Assume that T2 is the zero section, then $27 is a section, orthogonal to the zero section and meeting the reducible fiber I16 in his fifth component. Thus the height of this section is 9 16 . As a consequence, the lattice spanned by the irreducible components of the reducible fiber of type I16 , the zero section T2 and the section $27 is a sublattice of NS(X9 ), which has the same rank and the same discriminant of NS(X9 ) and therefore coincides with NS(X9 ). So there are no torsion sections for this elliptic fibration (otherwise one should add their contribution to obtain the Néron–Severi group). As a consequence the fibration whose class of the fiber is $16 + $15 + $14 + $13 + $12 + M + $25 + $24 + $23 + $22 + $21 + $20 + OX9 + $10 + $18 + $17

(17) corresponds to the fibration in line 11 of Table 1. ∗ is Similarly, the fibration in line 5 of Table 1 with a reducible fiber of type I11 given by $24 , $26 , 2$25 , 2M, 2$12 , 2$13 , 2$14 , 2$15 , 2$16 , 2$17 , 2$18 , 2$10 , 2OX9 , 2$20 , $21 , $28 .

(18) Corollary 2 For each fibration in Table 1, there exists at least one elliptic fibration on X9 with the properties given in the list which is defined over kR9 ,τ9 . Proof The result follows by 1 for the fibration of type 1 and 2. For the fibration of type 3, one wants to apply Remark 4. For all the listed fibrations with the exception j of the 11, we are able to write the class of the fiber as a linear combination of $i , OX9 and Tk . All these curves are defined on kR9 ,τ9 , by 1. In the case of the fibration 11, we introduced another curve, M. Since its class is written as a linear combination of the classes generating NS(X), its class is defined over kR9 ,τ8 . Since it is a negative effective class, we deduce that it is supported either on an irreducible rational curve

Fields of Definition of Elliptic Fibrations

195

Table 2 Types of the different elliptic fibrations of X9 and fields of definition

| no | Roots Orth. | Type | Sections | Field of Def. 0-section | Field of Def. all sections | [kη,MW : k] |
|---|---|---|---|---|---|---|
| 1 | A8⊕2 | 2 | OX9, T1, T2 | OX9/k | kR | ≤2 |
| 2 | E8 ⊕ D7 | 3 | T2, $25 | T2/kR | kR,τ9 | ≤4 |
| 3 | E7⊕2 | 3 | T1, $22, $14 | T1/kR | kR,τ9 | ≤4 |
| 4 | E7 ⊕ A8 | 3 | OX9, T1, $11, $12 | OX9/k | kR,τ9 | ≤4 |
| 5 | D15 | 3 | $22, $23 | $22/kR,τ9 | kR,τ9 | ≤4 |
| 6 | D12 ⊕ A3 | 3 | $22, $23, $27 | $27/kR,τ9 | kR,τ9 | ≤4 |
| 7 | A15 | 1 | $14, $15, $24, $25 | $14/kR,τ9 | kR,τ9 | ≤4 |
| 8 | D9 ⊕ A6 | 3 | $14, $22, $26, $27 | $14/kR,τ9 | kR,τ9 | ≤4 |
| 9 | E6 ⊕ D7 ⊕ A2 | 3 | $10, $13, $25, $27 | $10/kτ9 | kR,τ9 | ≤4 |
| 10 | D6 ⊕ A9 | 1 | $17, $27, $12 | $17/kR,τ9 | kR,τ9 | ≤4 |
| 11 | A15 | 3 | T2, $27, $28, $26 | T2/kR | kR,τ9 | ≤4 |
| 12 | A12 ⊕ A3 | 3 | OX9, $12, $17, $24, $25 | OX9/k | kR,τ9 | ≤4 |

or on the union of rational curves. Since it is a component of a fiber of a certain fibration, at least on the closure of the field of definition of the fibration, it is an irreducible curve (where it is defined). Hence, M is an irreducible smooth rational curve defined over kR9,τ9.

We gave an example for each fibration in Table 1. We choose a section for each of them to be the zero section and we determine their type with respect to τ. By using Proposition 3 we describe the properties of the fields kη,MW, which follow by the previous Corollary. The results are listed in Table 2.

7 The Surfaces R4, R3, R2 and the Surfaces X4, X3, X2

In this section we establish an analogous study for the extremal rational surfaces Ri, for i = 4, 3, 2. We classify all the possible fibrations of the K3 surfaces Xi and determine their types with respect to the cover involutions τi, for i = 4, 3, 2.


V. Cantoral-Farfán et al.

7.1 The Rational Elliptic Surfaces R4, R3, and R2

Let R4 be an extremal rational elliptic surface with one reducible fiber of type I4*. Its Mordell–Weil group is Z/2Z = {O, t1}, where O is the zero section and t1 is a 2-torsion section. Recall that a fiber of type I4* is given by 9 smooth rational curves meeting with dual graph D̃8, see [9, Table I.4.1]. The Néron–Severi group of R4 contains also the classes of the irreducible components of the reducible fiber, denoted by C0, C1, . . . , C8. The intersections which are not trivial are the following:

\[ C_l^2 = -2, \qquad C_0 C_2 = C_6 C_8 = 1, \tag{19} \]

\[ C_l C_j = 1 \text{ if and only if } |l - j| = 1 \text{ and } \{l, j\} \subset \{2, 3, 4, 5, 6\}, \tag{20} \]

\[ O C_0 = t_1 C_8 = 1, \quad\text{and}\quad O^2 = t_1^2 = -1. \tag{21} \]

Let R3 be an extremal rational elliptic surface over k with one reducible fiber of type III*. As R3 is extremal, there is another reducible fiber which is either an I2 or an III. Its Mordell–Weil group is Z/2Z = {O, t1}, where O is the zero section and t1 is a 2-torsion section. Recall that a fiber of type III* is given by 8 smooth rational curves meeting with dual graph Ẽ7, see [9, Table I.4.1]. The Néron–Severi group of R3 contains also the classes of the irreducible components of the reducible fiber. Denoting by Cl the components of the III* fiber and by Dl the ones of the other reducible fiber, the intersections which are not trivial are the following:

\[ C_l^2 = -2, \qquad C_l C_j = 1 \text{ if and only if } |l - j| = 1 \text{ and } \{l, j\} \subset \{0, 1, 2, 3, 4, 5, 6\}, \tag{22} \]

\[ C_3 C_7 = 1, \qquad D_0 D_1 = 2, \qquad D_j^2 = -2, \tag{23} \]

\[ O C_0 = t_1 C_6 = O D_0 = t_1 D_1 = 1 \quad\text{and}\quad O^2 = t_1^2 = -1. \tag{24} \]

Let R2 be an extremal rational elliptic surface over k with one reducible fiber of type II*. The other singular fibers are either II or 2I1. Its Mordell–Weil group is {O}, i.e., it is trivial. Recall that a fiber of type II* is given by 9 smooth rational curves meeting with dual graph Ẽ8, see [9, Table I.4.1]. The Néron–Severi group of R2 contains also the classes of the irreducible components of the reducible fiber, denoted by C0, C1, . . . , C8. The intersections which are not trivial are the following:

\[ C_l^2 = -2, \qquad C_l C_j = 1 \text{ if and only if } |l - j| = 1 \text{ and } \{l, j\} \subset \{0, 1, 2, 3, 4, 5, 6, 7\}, \tag{25} \]

\[ C_8 C_5 = 1, \qquad O C_0 = 1, \qquad O^2 = -1. \tag{26} \]

The following result shows that the surfaces Ri have trivial Galois group GRi , that is its Néron-Severi group admits a set of generators over k given by the zero


section, a smooth fiber and the non-trivial fiber components of the reducible fibers. It also presents their contractions of negative curves to minimal k-rational surfaces.

Proposition 5 Let R be one of the following surfaces: R2, R3, R4. Then GR is trivial. Moreover, the surfaces R2, R3 and R4 can be contracted to P2; the surfaces R3 and R4 can be also contracted to P1 × P1 and the surfaces R2 and R3 can be also contracted to F2, the Hirzebruch surface with a unique (−2)-curve.

Proof The proof is similar to the one of Proposition 2. Indeed, for R = R2 or R3, each g ∈ GR, g(O) = O and if MW = {O, t1}, g(t1) has to be a section different from O and hence g(t1) = t1. Thus for each Ri, i = 2, 3, the sections are preserved and this implies, arguing via the intersection of the components of the reducible fibers as in Proposition 2, that all the components of the unique reducible fibers are fixed.

Let us consider the surface of type R3. We have three different possibilities, to obtain three different surfaces:

• Let us contract the sections O and t1. Then we contract the images of C0 and C6 (which are now (−1)-curves); the images of C1 and C5; the images of C2 and C4. There remain the images of C3, which is a curve with self-intersection 0, and of C7, which is a curve with self-intersection −2. There are no (−1)-curves on this surface, so we obtain a minimal rational surface, with two independent classes in the Néron–Severi group which have self-intersection 0 and −2. Hence we obtained F2.

• Let us contract first the section O and then (in this order), the images of the components C0, C1, C2, C3. Now the image of C7 is a (−1)-curve. We contract it. It remains a unique (−1)-curve, which is the section t1. We contract it and then (in this order) the images of the components C6 and C5. We obtain a minimal rational surface whose Néron–Severi group is generated by one class (we contracted 9 curves), which is the image of C4. This rational surface is necessarily P2.

• Let us contract first the section O and then (in this order), the images of the components C0, C1, C2, C3. Now the image of C4 is a (−1)-curve. We contract it. Then we contract t1 and the image of the component C5. We obtain a minimal rational surface, whose Néron–Severi group is generated by the two classes which are the images of C7 and C5. Their self-intersection is 0 and they meet in a point, so we obtained P1 × P1.

Let us now consider the surface R2 (see Fig. 3). There is a unique (−1)-curve, the section O. So we contract it, and then we contract (in this order) the images of the components C0, C1, C2, C3, C4, C5. Now both the images of C6 and C8 are (−1)-curves and they meet in a point.

• If one contracts the image of C8, one obtains a minimal surface, whose generators of the Néron–Severi group are the images of C7 and C6 and this surface is F2 (because of the presence of a (−2)-curve, image of C7).


Fig. 3 Contractions of R2 to F2 and to P2

• If one contracts the image of C6, then one has to contract the image of C7 and one obtains a minimal rational surface, whose Néron–Severi group has one generator (the image of C8) and thus the surface is P2.

Let us consider the surface of type R4. We contract first the section O and then (in this order) the images of the components C0, C2, C3, C4, C5, C6. Now we have three (−1)-curves, i.e. the images of C7, C8 and t1. The image of C8 meets both the images of C7 and of t1: if one contracts the image of C8, one obtains the minimal surface P1 × P1; if one contracts the images of t1 and C7 one obtains P2.
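The contraction sequences in the proof of Proposition 5 can be checked mechanically, because contracting a (−1)-curve E replaces A·B by A·B + (A·E)(B·E) for the images of the remaining curves. The following Python sketch is an added example, not code from the paper; its function names are hypothetical, and it tracks only the curves O, t1 and Cl named in the proof (D0 and D1 are left out) for the first two sequences on R3 and both sequences on R2.

```python
"""Blow-down bookkeeping for contraction sequences in the proof of Proposition 5."""


def surface(self_ints, meets):
    """Build a symmetric intersection table from self-intersections and
    a list of pairs of curves that meet transversally in one point."""
    m = {a: {b: 0 for b in self_ints} for a in self_ints}
    for a, s in self_ints.items():
        m[a][a] = s
    for a, b in meets:
        m[a][b] = m[b][a] = 1
    return m


def contract(m, e):
    """Contract the (-1)-curve e. For the images of the other curves,
    A'.B' = A.B + (A.E)(B.E)."""
    if m[e][e] != -1:
        raise ValueError(f"{e} has self-intersection {m[e][e]}, not -1")
    rest = [c for c in m if c != e]
    return {a: {b: m[a][b] + m[a][e] * m[e][b] for b in rest} for a in rest}


def contract_in_order(m, order):
    """Contract the listed curves one after the other; fails if a curve
    is not a (-1)-curve at the moment it is contracted."""
    for e in order:
        m = contract(m, e)
    return m


def r3():
    # III* fiber: chain C0-...-C6 with C7 attached to C3, O meets C0,
    # t1 meets C6 (equations (22)-(24); D0, D1 omitted by assumption).
    curves = {"O": -1, "t1": -1, **{f"C{l}": -2 for l in range(8)}}
    meets = [(f"C{l}", f"C{l + 1}") for l in range(6)]
    meets += [("C3", "C7"), ("O", "C0"), ("t1", "C6")]
    return surface(curves, meets)


def r2():
    # II* fiber: chain C0-...-C7 with C8 attached to C5, O meets C0
    # (equations (25)-(26)).
    curves = {"O": -1, **{f"C{l}": -2 for l in range(9)}}
    meets = [(f"C{l}", f"C{l + 1}") for l in range(7)]
    meets += [("C8", "C5"), ("O", "C0")]
    return surface(curves, meets)


def r3_to_f2():
    # First bullet for R3: O, t1, then C0 and C6, C1 and C5, C2 and C4.
    return contract_in_order(
        r3(), ["O", "t1", "C0", "C6", "C1", "C5", "C2", "C4"])


def r3_to_p2():
    # Second bullet for R3: O, C0..C3, then C7, t1, C6, C5.
    return contract_in_order(
        r3(), ["O", "C0", "C1", "C2", "C3", "C7", "t1", "C6", "C5"])


def r2_common():
    # Shared first part for R2: O, then C0..C5.
    return contract_in_order(
        r2(), ["O", "C0", "C1", "C2", "C3", "C4", "C5"])


def r2_to_f2():
    return contract(r2_common(), "C8")


def r2_to_p2():
    return contract_in_order(r2_common(), ["C6", "C7"])


if __name__ == "__main__":
    for name, fn in [("R3 -> F2", r3_to_f2), ("R3 -> P2", r3_to_p2),
                     ("R2 -> F2", r2_to_f2), ("R2 -> P2", r2_to_p2)]:
        print(name, fn())
```

Each sequence runs without error only if every curve is a (−1)-curve at the moment it is contracted, which is the condition the proof relies on at each step.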

7.2 The K3 Surfaces X4, X3, X2

Let Xi be a K3 surface obtained by a generic base change of order 2 on the rational elliptic surface Ri for i = 4, 3, 2 as in Sect. 2. Let Pi and Qi be the points corresponding to the branch fibers of the cover Xi → Ri. We have the following result, analogous to Proposition 3.

Proposition 6 The Galois group GEXi of the elliptic fibration EXi : Xi → P1 is contained in (Z/2Z). It is trivial if and only if the points Pi and Qi are defined over the ground field.


Proof The group GRi is trivial by Proposition 5, so the unique Galois action is the one of the cover involution τi, which is trivial if and only if the branch fibers are defined over the ground field.

The elliptic fibrations EXi, i = 4, 3, 2, are induced by ERi. We fix the following notation: each component Cl (resp. Dl) of a reducible fiber of ERi corresponds to two curves $jl (resp. jl ), j = 1, 2 on Xi which are components of two different reducible fibers on Xi. Moreover the zero section of ERi induces the zero section, OXi, of EXi and, if there is a torsion section t1 on Ri, it induces a torsion section T1 on Xi. So we have the following curves on Xi:

$jl , j = 1, 2; OXi ; T1 if i = 2; jl , j = 1, 2, l = 0, 1 if i = 3.   (27)

Denote by πi : Xi → Ri the double cover of Ri induced by the base change and by τi the cover involution. We have

πi(OXi) = O, πi($1l) = πi($2l) = Cl,   (28)

πi(T1) = t1 if i = 2, πi(1l ) = πi(2l ) = Dl if i = 3.   (29)

τi(OXi) = OXi, τi($1l) = $2l, τi(T1) = T1 if i = 2, τi(1l ) = 2l if i = 3.   (30)

Figures 4, 5, and 6 summarize the above. Note that in Fig. 5, 12 and 22 are both connected to T1.

Fig. 4 Reducible fibers and sections of the fibration EX4 on X4


Fig. 5 Reducible fibers and sections of the fibration EX3 on X3

Fig. 6 Reducible fibers and sections of the fibration EX2 on X2

Proposition 7 The Néron–Severi group of Xi has rank 18, signature (1, 17), for every i = 2, 3, 4. Both lattices NS(X4) and NS(X3) are isometric to U ⊕ D8 ⊕ E8 and their transcendental lattices are both isometric to U ⊕ U(2), which has the same discriminant group and form as D8. In particular X3 and X4 lie in the same family of K3 surfaces, namely the family of U ⊕ D8 ⊕ E8-polarized K3 surfaces. The lattice NS(X2) is isometric to U ⊕ E8 ⊕ E8 and its transcendental lattice is isometric to U ⊕ U, which has the same discriminant form as E8.

Proof The curves in the Figs. 4, 5, and 6 (i.e. the curves $jl , OXi , T1 if i = 2 and jl if i = 3) generate NS(Xi). They are not all linearly independent, but if one extracts a basis, one obtains 18 independent generators of NS(Xi). Since one knows all the intersection properties of these generators, one can explicitly compute their intersection matrix. This identifies the lattice NS(Xi) and in particular its discriminant group and form. We observe that all the lattices that appear are 2-elementary, i.e., the discriminant group is (Z/2Z)^a, a ∈ N. So the transcendental lattice is a 2-elementary lattice with signature (2, 2). The indefinite 2-elementary lattices are completely determined by their signature and their length, i.e., by a, and


by another invariant, often denoted by δ, which is zero in all the cases considered. This allows us to identify the transcendental lattices.  

7.3 Classification of All the Possible Fibrations on the K3 Surfaces X4, X3, and X2

In the same way as we did for X9 in Sect. 6.3, we classify elliptic fibrations on the surfaces X4, X3 and X2 in what follows. By Proposition 7 we take T = D8 for X3, X4, and T = E8 for X2 and apply Nishiyama's method. By Nishiyama [14, Lemmas 4.1 and 4.3] we know that D8 only embeds primitively in Dn for n ≥ 8, and E8 only embeds primitively in E8. The orthogonal complements of these embeddings in the 24 Niemeier lattices are then found in [14, Corollary 4.4]. Those results are summarized in Tables 3 and 4. We notice that the fibrations on X2, X3 and X4 were already classified in [6, Table 2, case k = 8 and Table 1 case k = 8, δ = 0] via different methods.

7.4 Determining the Type of Each Fibration of X4, X3, and X2

As in Sect. 6.4 we determine the type of each fibration obtained in Sect. 7.3 (Tables 3 and 4) with respect to the cover involutions τi, for i = 4, 3, 2. We determine moreover the sections and their fields of definition. This study allows us to obtain an upper bound for the degree over k of a field of definition kη of a given fibration η, and an upper bound for the degree over k of a field of definition kη,MW of a set of generators of the Mordell–Weil group of the fibration.

Table 3 Elliptic fibrations of X3 and X4

| no | Niemeier | Embedding | Roots Orth. | Reducible fibers | MW |
|---|---|---|---|---|---|
| 1 | E8 ⊕ D16 | D8 ⊂ D16 | E8 ⊕ D8 | II* + I4* | {O} |
| 2 | E7⊕2 ⊕ D10 | D8 ⊂ D10 | E7⊕2 ⊕ A1⊕2 | 2III* + 2I2 | Z/2Z |
| 3 | D24 | D8 ⊂ D24 | D16 | I12* | {O} |
| 4 | D12⊕2 | D8 ⊂ D12 | D12 ⊕ D4 | I8* + I0* | Z/2Z |
| 5 | D8⊕3 | D8 ⊂ D8 | D8⊕2 | 2I4* | Z/2Z |
| 6 | D9 ⊕ A15 | D8 ⊂ D9 | A15 | I16 | Z/2Z ⊕ Z |

Table 4 Elliptic fibrations of X2

| no | Niemeier | Embedding | Roots Orth. | Reducible fibers | MW |
|---|---|---|---|---|---|
| 1 | E8⊕3 | E8 ⊂ E8 | E8⊕2 | 2II* | {O} |
| 2 | E8 ⊕ D16 | E8 ⊂ E8 | D16 | I12* | Z/2Z |

By Proposition 5 we know that the Galois group GRi is trivial and all the fiber components of Ri are defined over k, for i = 4, 3, 2. In order to determine the field of definition of the sections, the only action that is taken into account is the one of the cover involutions τi, for i = 4, 3, 2. To determine the type of each fibration in Table 3 (resp. Table 4) with respect to τ4 (resp. τ3 and τ2), we find a configuration of (parts of the) reducible fibers in terms of the curves in Fig. 4 (resp. Figs. 5 and 6). The fibration in line 5 (resp. line 2 and line 1) is represented in Fig. 4 (resp. Figs. 5 and 6). The configurations associated to the fibers in lines 1, 2, 3, 4, and 6 in Table 3 for the K3 surface X4 are listed below:

II* + I4*: $10, 2$12, 3$13, 4$14, 5$15, 6$16, 4$18, 2T1, 3$17 + $20, $21, 2$22, 2$23, 2$24, 2$25, 2$26, $27,

2III* + 2I2: $13, 2$14, 3$15, 4$16, 3$18, 2T1, $28, 2$17 + $10, 2OX4, 3$20, 4$22, 3$23, 2$24, $25, 2$21 + $11 + $27,

I12*: $17, $18, 2$16, 2$15, 2$14, 2$13, 2$12, 2$10, 2OX4, 2$20, 2$22, 2$23, 2$24, 2$25, 2$26, $28, $27,

I8* + I0*: $18, $17, 2$16, 2$15, 2$14, 2$13, 2$12, 2$10, 2OX4, 2$20, 2$22, $21, $13 + $28, $27, 2$26, $25,

I16: $18, $16, $15, $14, $13, $12, $10, OX4, $20, $22, $23, $24, $25, $26, $28, T1.

The configurations associated to the fibers in lines 1, 3, 4, 5, and 6 in Table 3 for the K3 surface X3 are listed below:

II* + I4*: $20, 2OX3, 3$10, 4$11, 5$12, 6$13, 4$14, 2$15, 3$17 + 12 , 22 , 2T1, 2$26, 2$25, 2$24, 2$23, $27, $22,

I12*: 11 , 21 , 2OX3, 2$10, 2$11, 2$12, 2$13, 2$14, 2$15, 2$16, 2T1, 2$26, 2$25, 2$24, 2$23, $22, $27,


I8* + I0*: $12, $17, 2$13, 2$14, 2$15, 2$16, 2T1, 2$26, 2$25, 2$24, 2$23, $22, $27 + $20, $10, 2OX3, 11 , 21 ,

2I4*: 11 , 21 , 2OX3, 2$10, 2$11, 2$12, 2$13, $14, $17 + $22, $27, 2$23, 2$24, 2$25, 2$26, 2T1, $16,

I16: $13, $14, $15, $16, T1, $26, $25, $24, $23, $22, $21, $20, OX3, $10, $11, $12.

Finally, in terms of the configuration of 2II* we find a fiber of type I12* representing the fibration in line 2 of Table 4 by including every curve in Fig. 6 except $17, $27; the latter are sections for this fibration. Note that all the reducible fibers listed above only appear once in Table 3 (resp. Table 4), hence we know that they represent the corresponding fibrations in those tables. Therefore, using these configurations, we can determine the type of the corresponding fibration with respect to τ4 (resp. τ3 and τ2), and find sections for the corresponding fibration. By choosing a 0-section, we determine whether the different sections are fixed by τ4 (resp. τ3 and τ2) or not. The results are listed in Table 5 (resp. Tables 6 and 7).

Table 5 Types of the different elliptic fibrations of X4 with respect to τ4 and fields of definition

| no | Roots Orth. | Type | Sections | Field of Def. 0-section | Field of Def. all sections | [kη,MW : k] |
|---|---|---|---|---|---|---|
| 1 | E8 ⊕ D8 | 3 | OX4 | OX4/k | k | 1 |
| 2 | E7⊕2 ⊕ A1⊕2 | 3 | $12, $26 | $12/kτ4 | kτ4 | ≤2 |
| 3 | D16 | 1 | T1 | T1/k | k | 1 |
| 4 | D12 ⊕ D4 | 3 | T1, $24 | T1/k | kτ4 | ≤2 |
| 5 | D8⊕2 | 2 | OX4, T1 | OX4/k | k | 1 |
| 6 | A15 | 1 | $11, $17, $21 | $11/kτ4 | kτ4 | ≤2 |


Table 6 Types of the different elliptic fibrations of X3 with respect to τ3 and fields of definition

| no | Roots Orth. | Type | Sections | Field of Def. 0-section | Field of Def. all sections | [kη,MW : k] |
|---|---|---|---|---|---|---|
| 1 | E8 ⊕ D8 | 3 | $21 | $21/kτ3 | kτ3 | ≤2 |
| 2 | E7⊕2 ⊕ A1⊕2 | 2 | OX3, T1 | OX3/k | k | 1 |
| 3 | D16 | 3 | $21 | $21/kτ3 | kτ3 | ≤2 |
| 4 | D12 ⊕ D4 | 1 | $11, $21 | $21/kτ3 | kτ3 | ≤2 |
| 5 | D8⊕2 | 3 | $15, $21 | $15/kτ3 | kτ3 | ≤2 |
| 6 | A15 | 1 | $17, $27, 11 , | $17/kτ3 | kτ3 | ≤2 |

Table 7 Types of the different elliptic fibrations of X2 with respect to τ2 and fields of definition

| no | Roots Orth. | Type | Sections | Field of Def. 0-section | Field of Def. all sections | [kη,MW : k] |
|---|---|---|---|---|---|---|
| 1 | E8⊕2 | 2 | O | O/k | k | 1 |
| 2 | D16 | 1 | $17, $27 | $17/kτ2 | kτ2 | ≤2 |

Acknowledgments The authors would like to thank the organizing committee of the third Women in Numbers Europe workshop, where this project started. They would also like to express gratitude to the referees for their careful reading and suggestions that improved the paper. The authors would like to warmly acknowledge Adam Logan for catching a mistake on an earlier version of this paper regarding the description of the fibration on X9 with a D15 fibre. Victoria Cantoral-Farfán was partially supported by KU Leuven IF C14/17/083. Cecília Salgado was partially supported by FAPERJ grant E-26/203.205/2016, the Serrapilheira Institute (grant Serra-1709-17759), Cnpq grant PQ2 310070/2017-1 and the Capes-Humboldt program. Antonela Trbović was supported by the QuantiXLie Centre of Excellence, a project co-financed by the Croatian Government and European Union through the European Regional Development Fund—the Competitiveness and Cohesion Operational Programme (Grant KK.01.1.1.01.0004).

References

1. Balestrieri, F., Desjardins, J., Garbagnati, A., Maistret, C., Salgado, C., Vogt, I.: Elliptic Fibrations on Covers of the Elliptic Modular Surface of Level 5. In: Bouw I., Ozman E., Johnson-Leung J., Newton R. (eds) Women in Numbers Europe II. Association for Women in Mathematics Series, vol 11. Springer, Cham. (2018) https://doi.org/10.1007/978-3-319-74998-3_9
2. Bertin, M.J., Garbagnati, A., Lecacheux, O., Hortch, R., Mase, M., Salgado, C., Witcher, U.: Classifications of Elliptic Fibrations of a Singular K3 Surface. In: Bertin M., Bucur A., Feigon B., Schneps L. (eds) Women in Numbers Europe. Association for Women in Mathematics Series, vol 2. Springer, Cham. (2015) https://doi.org/10.1007/978-3-319-17987-2_2
3. Comparin, P., Garbagnati, A.: Van Geemen–Sarti involutions and elliptic fibrations on K3 surfaces double cover of P2. J. Math. Soc. Japan 66 no. 2, 479–522 (2014)
4. Cossec, F. R., Dolgachev, I.V.: Enriques surfaces I. Progress in Math. 76, Birkhäuser Basel (1989)


5. Garbagnati, A., Salgado, C.: Linear systems on rational elliptic surfaces and elliptic fibrations on K3 surfaces. J. Pure Appl. Algebra 223 no. 1, 277–300 (2019)
6. Garbagnati, A., Salgado, C.: Elliptic fibrations on K3 surfaces with non–symplectic involution fixing rational curves and a curve of positive genus. Rev. Mat. Iberoamericana 36 no. 4, 1167–1206 (2020)
7. Kloosterman, R.: Classification of all Jacobian elliptic fibrations on certain K3 surfaces. J. Math. Soc. Japan 58 no. 3, 665–680 (2006)
8. Kuwata, M.: The field of definition of the Mordell-Weil group of an elliptic curve over a function field. Compositio Math. 76 no. 3, 399–406 (1990)
9. Miranda, R.: The basic theory of elliptic surfaces. Available via https://www.math.colostate.edu/miranda/BTES-Miranda.pdf. Cited 24 Sep 2020
10. Miranda, R., Persson, U.: On extremal rational elliptic surfaces. Math. Zeitschrift 193, 537–558 (1996)
11. Niemeier, H.-V.: Definite quadratische Formen der Dimension 24 und Diskriminante 1. J. Number Theory 5, 142–178 (1973)
12. Nikulin, V.V.: Integer symmetric bilinear forms and some of their geometric applications. Izv. Akad. Nauk SSSR Ser. Mat. 43 no. 1, 111–177 (1979)
13. Nikulin, V.V.: Finite groups of automorphisms of Kählerian K3 surfaces. Tr. Mosk. Mat. Obs. 38, 75–137 (1979)
14. Nishiyama, K.: The Jacobian fibrations on some K3 surfaces and their Mordell–Weil groups. Japan. J. Math. (N.S.) 22 no. 2, 293–347 (1996)
15. Oguiso, K.: On Jacobian fibrations on the Kummer surfaces of the product of nonisogenous elliptic curves. J. Math. Soc. Japan 41, 651–680 (1989)
16. Salgado, C.: Arithmetic and Geometry of rational elliptic surfaces. Rocky Mountain J. Math. 46 no. 6, 2061–2076 (2016)
17. Schuett, M., Shioda, T.: Elliptic surfaces. Algebraic geometry in East Asia—Seoul 2008, Advanced Studies in Pure Mathematics 60, 51–160 (2010)
18. Shimada, I.: On elliptic K3 surfaces. Michigan Math. J. 47 no. 3, 423–446 (2000), arXiv version with the complete table: arXiv:math/0505140
19. Swinnerton-Dyer, H.P.F.: The field of definition of the Néron-Severi group. In: Erdős P., Alpár L., Halász G., Sárközy A. (eds) Studies in Pure Mathematics. Birkhäuser, Basel. (1983) https://doi.org/10.1007/978-3-0348-5438-2_62

Integers Represented by Ternary Quadratic Forms Bernadette Faye, Lilian Matthiesen, Damaris Schindler, Magdaléna Tinková, and Kristýna Zemková

MSC Codes (2020) 14J26 14J27 14J28

1 Introduction

In this note, we focus on the study of quadratic forms from the perspective of the violation of the integral Hasse principle. Let Q be a quadratic form over the integers in s variables. We examine under which conditions the equation Q(x1, x2, . . . , xs) = n has a solution over Z. It is obvious that the existence of a solution over Z implies that our equation is solvable over the ring of p-adic integers Zp for p prime, and over R. However, the opposite implication is not true in general. If there are local

B. Faye, Université Gaston-Berger de Saint-Louis, Saint Louis, Senegal
L. Matthiesen, KTH, Department of Mathematics, Stockholm, Sweden
D. Schindler, Mathematisches Instituut, Universität Göttingen, Göttingen, Germany
M. Tinková, Faculty of Mathematics and Physics, Department of Algebra, Charles University, Prague, Czech Republic
K. Zemková, Fakultät für Mathematik, Technische Universität Dortmund, Dortmund, Germany

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_7


solutions over Zp for every prime p and over R but no solution in Z, then we say that the integral Hasse principle fails. It is known that the integral Hasse principle holds for representation of integers by indefinite quadratic forms in at least 4 variables [Hs, Kn]. For s = 3, which we particularly study in this paper, this principle fails for infinitely many cases of these forms [SPX]. All the examples of the failure of the integral Hasse principle found so far can be explained via the Brauer-Manin obstruction, which was introduced by Manin [Ma] and later developed by Colliot-Thélène and Xu [CTXu] in the context of integral points. We provide its more detailed description in Sect. 2. Moreover, for indefinite ternary quadratic forms, Colliot-Thélène and Xu [CTXu] prove that the Brauer-Manin obstruction is the only obstruction to the integral Hasse principle. Diagonal ternary quadratic forms are investigated in greater detail in the paper of Mitankin [Mi]. Following these results, we focus on some other families of ternary quadratic forms. For more situations where the integral Brauer-Manin obstruction has been studied for concrete families, see for example [Be, BK, BL, BLo, Ch, CTWX, CTXu, JS, LM].

Section 2 is devoted to an overview of the Brauer-Manin obstruction to the integral Hasse principle; we also specify here the families of quadratic forms which we later examine in this paper. It is followed by a study of local solutions in Sect. 3. In Sect. 4 we are concerned with the derivation of the generator of the Brauer group corresponding to our quadratic forms; we use methods developed by Colliot-Thélène and Xu [CTXu] and used by Mitankin in [Mi]. Section 5 provides a detailed computation of local evaluation maps at odd primes. This also includes the description of some useful tools as well as several general results discussing the possible obstruction to the integral Hasse principle. Local evaluation maps at the prime 2 are covered by Sect. 6, where we introduce some families of quadratic forms to which we can apply the earlier computations from this paper. Section 7 is then devoted to a composition of the partial results from the previous sections into the proofs of our main results. In Sect. 8, we derive an asymptotic formula for the number of integers n of bounded size for which there is a Brauer-Manin obstruction for the representation of n by a certain ternary quadratic form that has earlier been studied in [Xu].

The main part of our results is covered by Theorems 3 and 4. In their statements, we discuss the behavior of two families of quadratic forms from the perspective of the violation of the integral Hasse principle. In the first family, the Brauer-Manin obstruction occurs only for one specific form which has been studied previously in [Xu]. The second one contains infinitely many forms for which there exist integers n for which there is a violation of the integral Hasse principle. On the other hand, Corollary 5 gives an example of a family of quadratic forms in which no Brauer-Manin obstruction occurs.

Considering a quadratic form Q, let NBM(Q) denote the set of n ∈ N for which there is a Brauer-Manin obstruction to a solution over Z. We are also interested in the number of natural numbers n up to some height N for which there is a Brauer-Manin obstruction to the integral Hasse principle. In particular, we will examine the quadratic form studied in [Xu] and prove the following theorem.


Theorem 1 Let \(Q(x, y, z) = -9x^2 + 2xy + 7y^2 + 2z^2\). Then we have

\[ \#\{n \le N \mid n \in \mathbb{N},\ n \in N_{BM}(Q)\} = \frac{C}{\sqrt{2\pi}} \frac{\sqrt{N}}{\sqrt{\log N}} + o\!\left(\frac{\sqrt{N}}{\sqrt{\log N}}\right) \]

where C is a positive constant.

Note that \(g(N) = o(f(N))\) means that \(\lim_{N \to +\infty} g(N)/f(N) = 0\). To reach this result, we will use the Selberg-Delange method (e.g., [Te]). The constant C arises as an infinite product of certain expressions over primes. We provide its explicit formula in Sect. 8.

2 The Brauer-Manin Obstruction for Integral Points

In this section, we follow the description introduced by Colliot-Thélène and Xu in [CTXu, §1]. Let X be a separated scheme of finite type over Z. We put X := X ⊗Z Q. The Grothendieck–Brauer group is a contravariant functor from the category of schemes over a fixed base to the category of abelian groups. For background on the Brauer group, we refer to Poonen's book [Po], the forthcoming book by Colliot-Thélène and Skorobogatov [CTS] and Grothendieck's exposés [GRo]. We denote the cohomological Brauer group by Br(X). By a result of Gabber (see [CTS, Theorem 3.3.2] and [dJo]) the torsion of the cohomological Brauer group is isomorphic to the Brauer-Azumaya group for quasi-projective schemes over an affine scheme. Moreover, by a theorem of Grothendieck, the cohomological Brauer group is a torsion group for regular integral noetherian schemes (see e.g. Lemma 3.5.2 in [CTS]). The varieties considered in this note will satisfy all the properties, and hence in our applications the cohomological Brauer group is isomorphic to the Brauer-Azumaya group.

For each η in the Brauer group Br(X), one calls the map evη,p : X(Qp) → Br(Qp), which evaluates η at a given p-adic point on X, the local evaluation map associated with η. For each prime p including the one at infinity, there is an embedding invp : Br(Qp) → Q/Z, coming from local class field theory. An adèle on the Q-variety X is a point {xp} ∈ p≤∞ X(Qp), such that, for all but finitely many p, the point xp belongs to X(Zp). The set of adèles of X is denoted X(AQ). There is a natural diagonal embedding X(Q) ⊂ X(AQ).


There is a natural pairing between X(AQ ) and the Brauer group Br(X) of X: X(AQ ) × Br(X) → Q/Z,  ({xp }, η) → invp (evη,p (xp )). p≤∞

This pairing is called the Brauer-Manin pairing. Any element of X(Q) is in the left kernel of the pairing. The above pairing induces a pairing X(A) × (Br(X)/ Br0 (X)) → Q/Z where X(A) := X(R) × p 3 and one of the following is satisfied:

• 0 ≤ h ≤ 2κ − 3 and n0 ≡ ±1 (mod 8);
• h = 2κ − 2 or h ≥ 2κ;
• h = 2κ − 1 and n0 ≡ ±1, 3 (mod 8).

As we will see, except for the quadratic form (2), the integral Hasse principle holds for all these cases. Our next aim is to find an infinite family of quadratic forms for which the Brauer-Manin obstruction occurs.

Theorem 4 Let π be an odd prime such that π ≡ 1 (mod 8). Suppose a + b = π^κ where a, b ∈ Z, κ ∈ N0 and b ≡ b0^2 (mod π) for some b0 ∈ Z not divisible by π, and c = π. Let n ∈ N and write n = π^h m where h, m ∈ N0 and π ∤ m. Then n is represented by Qa,b,c over Z if and only if one of the following holds:

1. κ = 0 and h ≥ 0;
2. κ ≥ 1, 0 ≤ h < 2κ and both b0 and m are squares modulo π;
3. κ ≥ 1, 0 ≤ h < 2κ, b0 is not a square modulo π, m is a square modulo π and
   a. h is odd or
   b. m is not a square over Z or
   c. there exists an odd prime q | m = s^2 such that πq = −1;
4. κ ≥ 1 and h ≥ 2κ.

As we will see in Corollary 3, there is a Brauer-Manin obstruction to the integral Hasse principle for certain integers n in Theorem 4(3) with h even and m = s^2 divisible by suitable primes. In all the other cases, there is no Brauer-Manin obstruction, i.e., the existence of solutions over R and Zp for all primes p, which is discussed in Lemma 4, implies the existence of a solution over Z.

3 Local Solutions to Qa,b,c = n

In the study of a possible violation of the Hasse principle, it is necessary to know if there exist local solutions to the equation Qa,b,c(x, y, z) = n,


for a given integer n. To accomplish this task, we will use two tools. First of all, we can apply Hensel's lemma, which tells us under which conditions a solution mod p can be lifted to a solution in \(\mathbb{Z}_p\). Secondly, we can use a substitution, in particular, the substitution of the form

\[ r_p = y_p - x_p \quad\text{and}\quad t_p = a x_p + b y_p. \tag{3} \]

This substitution is invertible over \(\mathbb{Z}_p\) if the matrix

\[ \begin{pmatrix} -1 & 1 \\ a & b \end{pmatrix} \]

is invertible, i.e., if its discriminant \(-(a + b)\) is not divisible by p. In that case, a solution over \(\mathbb{Z}_p\) always exists since we can put \(r_p = n\), \(t_p = 1\) and \(z_p = 0\). Thus, our main goal is to find local solutions for primes appearing in the prime factorization of \(a + b\). We will start with the family of quadratic forms introduced in Theorem 3.

Lemma 1 Let \(a = 2^\kappa + 1\), \(b = 2^\kappa - 1\) and \(c = 2\) where \(\kappa \in \mathbb{N}\), \(\kappa \ge 3\). Let \(n \in \mathbb{N}\) and write \(n = 2^h m\) where \(h, m \in \mathbb{N}_0\) and \(2 \nmid m\). Then n is locally represented for all places by \(Q_{a,b,c}\) if and only if one of the following holds:

1. \(0 \le h \le 2\kappa - 3\) and \(m \equiv \pm 1 \pmod 8\);
2. \(h = 2\kappa - 2\) or \(h \ge 2\kappa\);
3. \(h = 2\kappa - 1\) and \(m \equiv \pm 1, 3 \pmod 8\).

Proof First of all, let us say that since \(c = 2 > 0\) and \(a > 0\), our equation has a solution in \(\mathbb{R}\). Moreover, for \(2 < p < +\infty\), p prime, we can use the substitution (3), thus there is a local solution for these primes. Let us now consider \(p = 2\). Using the substitution \(y_p - x_p = r_p\), we can rewrite our equation as

\[ r_2\big((2^\kappa - 1) r_2 + 2^{\kappa+1} x_2\big) + 2 z_2^2 = n. \]

In the case when n is odd, we consider the equation mod 8 and get

\[ -r_2^2 + 2 z_2^2 \equiv n \pmod 8. \]

Since \(r_2^2, z_2^2 \equiv 0, 1, 4 \pmod 8\), this equation is solvable modulo 8 if and only if \(n \equiv \pm 1 \pmod 8\). Moreover, we have

\[ \frac{\partial Q_{a,b,c}}{\partial r_2}(x_2, r_2, z_2) \pmod 4 = -2 r_2 \pmod 4. \]

Since our solutions modulo 8 have to have \(r_2^2 \equiv 1 \pmod 8\), they cannot annihilate \(\frac{\partial Q_{a,b,c}}{\partial r_2} \pmod 4\). Thus, due to Hensel's lemma, they can be lifted to solutions in \(\mathbb{Z}_2\).


If \(n = 2m\) where \(2 \nmid m\), we necessarily have \(r_2 = 2 r_2^{(1)}\), and, after dividing by 2, we obtain

\[ r_2^{(1)}\big(2(2^\kappa - 1) r_2^{(1)} + 2^{\kappa+1} x_2\big) + z_2^2 = m. \tag{4} \]

Considering possible classes mod 8, the Eq. (4) has a solution modulo 8 exactly for \(m \equiv \pm 1 \pmod 8\). The partial derivative of the right side of the Eq. (4) with respect to \(z_2\) is congruent to \(2 z_2 \pmod 4\). It is easy to see that our solutions modulo 8 do not annihilate this partial derivative modulo 4. Therefore, Hensel's lemma implies a solution \((x_2, r_2^{(1)}, z_2)\) of (4) in \(\mathbb{Z}_2\). A solution of \(Q_{a,b,c}(x_2, r_2, z_2) = n\) in \(\mathbb{Z}_2\) then can be obtained as \((x_2, 2 r_2^{(1)}, z_2)\).

For \(n = 2^2 m\) where \(2 \nmid m\), we can use the previous step of this proof. Consequently, we can deduce that \(z_2 = 2 z_2^{(1)}\), thus

\[ r_2^{(1)}\big((2^\kappa - 1) r_2^{(1)} + 2^{\kappa} x_2\big) + 2 (z_2^{(1)})^2 = m. \]

As before, we have a local solution for \(m \equiv \pm 1 \pmod 8\). We proceed analogously, getting alternatively \(r_2^{(i)} = 2 r_2^{(i+1)}\) and \(z_2^{(i)} = 2 z_2^{(i+1)}\), but still having solutions only for \(m \equiv \pm 1 \pmod 8\). However, for \(n = 2^{2\kappa-2} m\) with \(2 \nmid m\) we get an equation of the form

\[ r_2^{(\kappa-1)}\big((2^\kappa - 1) r_2^{(\kappa-1)} + 4 x_2\big) + 2 (z_2^{(\kappa-1)})^2 = m. \tag{5} \]

Reducing mod 8, we deduce that

\[ -(r_2^{(\kappa-1)})^2 + 4 r_2^{(\kappa-1)} x_2 + 2 (z_2^{(\kappa-1)})^2 \equiv m \pmod 8. \]

In this case, m can attain all residue classes modulo 8. Moreover, the solutions modulo 8 do not annihilate the partial derivative of (5) with respect to \(r_2^{(\kappa-1)}\) modulo 4. Thus they can be lifted to solutions in \(\mathbb{Z}_2\) by Hensel's lemma. If \(n = 2^{2\kappa-1} m\) with \(2 \nmid m\), we have

\[ -2 (r_2^{(\kappa)})^2 + 4 r_2^{(\kappa)} x_2 + (z_2^{(\kappa-1)})^2 \equiv m \pmod 8. \]

This time, m cannot be congruent to \(-3 \pmod 8\) since then we necessarily get \(-2 (r_2^{(\kappa)})^2 + 4 r_2^{(\kappa)} x_2 \equiv 4 \pmod 8\), which is not possible. For \(n = 2^{2\kappa} m\) we obtain

\[ -(r_2^{(\kappa)})^2 + 2 r_2^{(\kappa)} x_2 + 2 (z_2^{(\kappa)})^2 \equiv m \pmod 8, \]


which has again a local solution for all the considered residue classes. In the next step, we have an equation of the form

$$-2 (r_2^{(\kappa+1)})^2 + 2 r_2^{(\kappa+1)} x_2 + (z_2^{(\kappa)})^2 \equiv m \pmod 8,$$

solvable for all odd $m$. Moreover, for all $n = 2^{2\kappa + 2} m$, we can see that

$$r_2^{(\kappa+1)}\big((2^\kappa - 1) r_2^{(\kappa+1)} + x_2\big) + 2 (z_2^{(\kappa+1)})^2 = m$$

has a solution of the form $r_2^{(\kappa+1)} = m$, $x_2 = 1 - (2^\kappa - 1) r_2^{(\kappa+1)} = 1 - (2^\kappa - 1) m$ and $z_2^{(\kappa+1)} = 0$. Since this choice is possible for all natural numbers $n$ of this form, admitting $m$ even, the proof is completed.

Now we derive the analogous result for small values of $\kappa$ not covered by the previous lemma.

Lemma 2 Let $a = 2^\kappa + 1$, $b = 2^\kappa - 1$, $c = 2$ where $\kappa \in \{0, 1, 2\}$. Let $n \in \mathbb{N}$ and write $n = 2^h m$ where $h, m \in \mathbb{N}_0$ and $2 \nmid m$. Then $n$ is locally represented for all places by $Q_{a,b,c}$ if and only if one of the following holds:
1. $\kappa = 0$ and $h \ge 1$;
2. $\kappa = 1$ and $h = 0$, or $h \ge 2$, or $h = 1$ and $m \equiv \pm 1, 3 \pmod 8$;
3. $\kappa = 2$ and either $h = 0$ and $m \equiv \pm 3 \pmod 8$, or $h = 1$ and $m \equiv \pm 1 \pmod 8$, or $h = 2$, or $h = 3$ and $m \equiv \pm 1, 3 \pmod 8$, or $h \ge 4$.

Proof Similarly as in the proof of Lemma 1, we note that there exist solutions in $\mathbb{R}$ (because $c > 0$ and $a > 0$) and in $\mathbb{Z}_p$ for all odd primes (because the substitution (3) is invertible). Therefore, we focus only on $p = 2$. In that case, we set $r_2 = y_2 - x_2$ and rewrite the quadratic form as

$$r_2\big(2^{\kappa+1} x_2 + (2^\kappa - 1) r_2\big) + 2 z_2^2 = n. \tag{6}$$

If $\kappa = 0$, then (6) has the form $2 r_2 x_2 + 2 z_2^2 = n$. It is immediate that this equation does not have any solution for $n$ odd. On the other hand, if $n$ is even, then $x_2 = \frac{n}{2}$, $r_2 = 1$, $z_2 = 0$ gives a solution (even a global one).

If $\kappa = 1$, we are dealing with the equation $r_2(4 x_2 + r_2) + 2 z_2^2 = n$. We proceed analogously as in the proof of Lemma 1: Considering residue classes modulo 8, we start with $h = 0$ and then iteratively proceed to higher powers of 2, while setting $r_2^{(i)} = 2 r_2^{(i+1)}$ in steps with $h$ odd and $z_2^{(i)} = 2 z_2^{(i+1)}$ in steps with $h$ even. In each step, we get that all odd classes are possible except for $h = 1$ where $m \equiv -3 \pmod 8$ cannot occur. Finally, at $h = 4$, we end with $r_2 = 2^2 r_2^{(2)}$, $z_2 = 2^2 z_2^{(2)}$ and

$$r_2^{(2)}\big(x_2 + r_2^{(2)}\big) + 2 (z_2^{(2)})^2 = m.$$

Here we can set $r_2^{(2)} = 1$, $x_2 = m - 1$, $z_2^{(2)} = 0$, and this way produce a solution for any $m$, odd and even alike.

Finally, let $\kappa = 2$; then (6) becomes $r_2(8 x_2 + 3 r_2) + 2 z_2^2 = n$. For $n$ odd, looking at this equation modulo 8 and applying Hensel's lemma implies that there is a $\mathbb{Z}_2$ solution if and only if $n \equiv \pm 3 \pmod 8$. Now suppose $n = 2m$ with $2 \nmid m$; then necessarily $r_2 = 2 r_2^{(1)}$, and so

$$r_2^{(1)}\big(8 x_2 + 6 r_2^{(1)}\big) + z_2^2 = m.$$

Considering the quadratic residues modulo 8 implies that the equation has a solution only for $m \equiv \pm 1 \pmod 8$. If $n = 2^2 m$, we get $r_2^{(1)}(8 x_2 + 6 r_2^{(1)}) + z_2^2 = 2m$, and thus $z_2 = 2 z_2^{(1)}$. Examining the residue classes modulo 8, we obtain that any odd $m$ is possible. Again, we iterate the process for increasing values of $h$ while alternating $r_2^{(i)} = 2 r_2^{(i+1)}$ in steps with $h$ odd and $z_2^{(i)} = 2 z_2^{(i+1)}$ in steps with $h$ even. In each step, we get that any odd $m$ is possible except for $h = 3$ where $m \equiv -3 \pmod 8$ cannot occur. Finally, at the step with $h = 6$, we end up with the equation

$$r_2^{(3)}\big(x_2 + 3 r_2^{(3)}\big) + 2 (z_2^{(3)})^2 = m,$$

which allows the solution $r_2^{(3)} = 1$, $x_2 = m - 3$, $z_2^{(3)} = 0$ for any value of $m$.

The following lemma shows the cases of local solutions for one particular subset of the family (I) below, see Sect. 6.2. We omit the proof since it is analogous to the previous ones.

Lemma 3 Let $a = 2$, $b = 2^\kappa - 2$, $c = 2^{\kappa+\delta-1} g - 1$ where $\kappa \in \mathbb{N}$, $\kappa \ge 4$, $\delta \in \mathbb{N}_0$, and $g \in \mathbb{N}$ is odd. Let $n \in \mathbb{N}$ and write $n = 2^h m$ where $h, m \in \mathbb{N}_0$ and $2 \nmid m$. Then $n$ is locally represented for all places by $Q_{a,b,c}$ if and only if one of the following holds:
1. $0 \le h \le 2\kappa - 6$ and $m \equiv -1, -3 \pmod 8$;
2. $h = 2\kappa - 5$ or $h \ge 2\kappa - 3$;
3. $h = 2\kappa - 4$ and $m \equiv \pm 1, -3 \pmod 8$.

Now we will state an analogous lemma for the family of quadratic forms introduced in Theorem 4.

Lemma 4 Let $\pi$ be an odd prime such that $\pi \equiv 1 \pmod 8$. Suppose $a + b = \pi^\kappa$ for some $\kappa \in \mathbb{N}_0$, $b \equiv b_0^2 \pmod \pi$ for some $b_0 \in \mathbb{Z}$ not divisible by $\pi$ and $c = \pi$. Let $n \in \mathbb{N}$ and write $n = \pi^h m$ where $h, m \in \mathbb{N}_0$ and $\pi \nmid m$. Then $n$ is locally represented by $Q_{a,b,c}$ if and only if one of the following holds:
1. $\kappa = 0$ and $h \ge 0$;
2. $\kappa \ge 1$, $0 \le h < 2\kappa$ and $m$ is a square modulo $\pi$;
3. $\kappa \ge 1$ and $h \ge 2\kappa$.

Proof Since the proof of this lemma is similar to the case when $a + b = 2^\kappa$, we will show only a sketch of the main instance. Since $a + b = \pi^\kappa$, the local solutions always exist over $\mathbb{R}$ and over $\mathbb{Z}_p$ for all primes $p$ except for $\pi$. If $n$ is not divisible by $\pi$, we get the equation of the form

$$r_\pi\big(b r_\pi + \pi^\kappa x_\pi\big) + \pi z_\pi^2 = n,$$

where we use the same substitution as before. According to Hensel's lemma, we have to investigate this equation modulo $\pi$. Then we obtain $b r_\pi^2 \equiv n \pmod \pi$ for $\kappa \ge 1$. Since we assume $b$ being a square modulo $\pi$, $n$ is also a square modulo $\pi$. Let $n \equiv n_0^2 \pmod \pi$; then $r_\pi^2 \equiv (b_0^{-1} n_0)^2$ is solvable in $r_\pi$ for any $n_0$ (using that $n$, and hence also $n_0$, is not divisible by $\pi$). For $h \ge 1$, we use the same method as before.

4 Generator of the Brauer Group of $X_{a,b,c}$

In this section, we apply the algorithm from [Mi, Sec. 2] and [CTXu, §5.8] to compute a generator of the group $\operatorname{Br} X_{a,b,c} / \operatorname{Br}_0(X_{a,b,c})$. We assume that $X_{a,b,c}$ has local points everywhere and then use [CTXu, Theorem 6.3] for the description of the Brauer group of $X_{a,b,c}$.

First, we set $d := cn$; note that the discriminant of the quadratic form $Q_{a,b,c}$ equals $-c\left(\frac{a+b}{2}\right)^2$, but we are interested only in its value modulo $\mathbb{Q}^{*2}$. If $d$ is a square in $\mathbb{Q}$, then $\operatorname{Br} X_{a,b,c} / \operatorname{Br} \mathbb{Q} = 0$ and there is no Brauer-Manin obstruction. Therefore, from now on we assume that $d$ is not a square in $\mathbb{Q}$ and that $X_{a,b,c}$ contains a rational point. Then $\operatorname{Br} X_{a,b,c} / \operatorname{Br} \mathbb{Q} \cong \mathbb{Z}/2\mathbb{Z}$, and it is possible to explicitly describe a nontrivial generator of this group.

Let $Y_{a,b,c} \subseteq \mathbb{P}^3$ be the smooth projective quadric given by the homogeneous equation

$$Q_{a,b,c}(x, y, z) - n t^2 = 0;$$

then $M := (1, 1, 0, 0)$ is a $\mathbb{Q}$-rational point in $Y_{a,b,c}$. One can easily compute that the linear form $l_1(x, y, z, t) := y - x$ defines the tangent plane to $Y_{a,b,c}$ at $M$. Then $\eta := (y - x, d)$ is a nontrivial generator of the group $\operatorname{Br} X_{a,b,c} / \operatorname{Br} \mathbb{Q}$.

Furthermore, let $l_2, l_3, l_4$ be linear forms and $\gamma \in \mathbb{Q}^*$ a constant such that

$$Q_{a,b,c}(x, y, z) - n t^2 = l_1 l_2 + \gamma (l_3^2 - d l_4^2).$$

Then since $Q_{a,b,c}(x, y, z) - n t^2 = 0$, we have $-l_1 l_2 = \gamma (l_3^2 - d l_4^2)$, i.e.,

$$-l_1 l_2 \gamma = \gamma^2 \cdot \operatorname{Norm}_{\mathbb{Q}(\sqrt{d})/\mathbb{Q}}\big(l_3 + \sqrt{d}\, l_4\big);$$

hence, the Hilbert symbol $(-l_1(x, y, z, t)\, l_2(x, y, z, t)\, \gamma, d)_p = 1$ for any prime $p$ (including $\infty$). Therefore, $l_1$ and $-\gamma l_2$ have the same value of Hilbert symbols, and it follows that $(-\gamma l_2(x, y, z, 1), d)$ would be, as an element of the group $\operatorname{Br} X_{a,b,c} / \operatorname{Br} \mathbb{Q}$, equal to $\eta$.

Noting that $Q_{a,b,c}(x, y, z) - n t^2 = (y - x)(ax + by) + c z^2 - n t^2$, we can simply set $l_2(x, y, z, t) := ax + by$ and $\gamma := c$. The generator of $\operatorname{Br} X_{a,b,c} / \operatorname{Br} \mathbb{Q}$ is the quaternion algebra $\eta = (y - x, cn)$, and $(y - x, cn) = (-c(ax + by), cn)$ as elements of that group.

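5 Computation of the Local Evaluation Maps at Odd Primes

Recall that an adelic point $\{x_p\} \in X(\mathbb{A})$ lies in the Brauer-Manin set $X(\mathbb{A})^{\operatorname{Br}(X)}$ if and only if the sum

$$\sum_{p \le \infty} \operatorname{inv}_p \circ \operatorname{ev}_{\eta,p}(x_p) \tag{7}$$

is equal to zero. Let us outline two main tools which will be used to compute the Brauer-Manin set:

(A) If, for a prime $p$, we have $\operatorname{ev}_{\eta,p} = 1$ constantly, then the map $\operatorname{inv}_p \circ \operatorname{ev}_{\eta,p} : X(\mathbb{Z}_p) \to \{0, \tfrac12\}$ is constantly zero, and hence there is no contribution to the sum (7) at this prime.

(B) If there is a prime $q$ for which the map $\operatorname{ev}_{\eta,q}$ (and thus also the map $\operatorname{inv}_q \circ \operatorname{ev}_{\eta,q}$) is surjective, then $X(\mathbb{A})^{\operatorname{Br}(X)} \ne \emptyset$, i.e., there is no Brauer-Manin obstruction (see [Mi, Rem. 2.1]): Suppose $\sum_{p \le \infty} \operatorname{inv}_p \circ \operatorname{ev}_{\eta,p}(x_p) = \tfrac12$ for some $\{x_p\} \in X(\mathbb{A})$; we can exchange $x_q$ with $x_q' \in X(\mathbb{Z}_q)$ for which $\operatorname{inv}_q \circ \operatorname{ev}_{\eta,q}$ takes the other value, and hence the values on the new adelic point sum up to 0.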


Let $a, b, c \in \mathbb{Z}$ and $c > 0$. In the rest of this section, we compute the maps $\operatorname{ev}_{\eta,p}$ for all but finitely many primes $p$ in dependence on the number $n$, where

$$X_{a,b,c}: \quad (y - x)(ax + by) + c z^2 = n. \tag{8}$$

In view of Sect. 4, this means to evaluate the Hilbert symbol

$$(y_p - x_p, cn)_p \tag{9}$$

at all points $(x_p, y_p, z_p) \in X_{a,b,c}(\mathbb{Z}_p)$. In the following, we set (cf. the substitution (3) in Sect. 3)

$$r_p = y_p - x_p, \qquad t_p = a x_p + b y_p; \tag{10}$$

note that this is an invertible change of coordinates in $X_{a,b,c}(\mathbb{Z}_p)$ whenever $p$ does not divide $a + b$.

5.1 Case $p = \infty$

Since the homogeneous equation

$$(y - x) T_1^2 + cn T_2^2 = T_3^2$$

has always a solution $(0, 1, \sqrt{cn})$ in $\mathbb{Z}_\infty = \mathbb{R}$ for $n > 0$ and $c > 0$, it follows that $(y_\infty - x_\infty, cn)_\infty = 1$ for any $(x_\infty, y_\infty, z_\infty) \in X_{a,b,c}(\mathbb{Z}_\infty) = X_{a,b,c}(\mathbb{R})$. Thus, $\operatorname{ev}_{\eta,\infty} = 1$, and according to (A), the infinite prime has no contribution to the sum (7).

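5.2 Case $p$ a Prime, $2 < p < \infty$ and $p \nmid (a + b)$

In the following, we will write

$$y_p - x_p = p^\alpha u, \qquad cn = p^\beta v, \qquad \text{where } p \nmid u, v, \tag{11}$$

because then

$$(y_p - x_p, cn)_p = (-1)^{\alpha\beta\frac{p-1}{2}} \left(\frac{u}{p}\right)^{\beta} \left(\frac{v}{p}\right)^{\alpha} \tag{12}$$

where $\left(\frac{\bullet}{p}\right)$ denotes the Legendre symbol.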


Lemma 5 If $p$ is an odd prime not dividing $a + b$, then the map $\operatorname{ev}_{\eta,p}$ attains the value 1.

Proof Consider the point given by $y_p - x_p = 1$, $a x_p + b y_p = n$, $z_p = 0$; we get $\alpha = 0$ and $u = 1$ in (11), and so $(y_p - x_p, cn)_p = 1$.

It will be useful to know if the map $\operatorname{ev}_{\eta,p}$ is constant (in which case (A) applies), or if the map is surjective (so we can use (B)) because in the latter case we can avoid computing the Hilbert symbol at the prime $p = 2$. To ease the notation, we use the classical $p$-adic valuation, i.e., for a prime $p$ and $n \in \mathbb{Z}$, $v_p(n)$ equals the exponent of the highest power of $p$ dividing $n$.

Let $v_p(cn)$ be odd; then $\beta$ is odd. Consider $\nu \in \mathbb{Z}_p$ such that $\left(\frac{\nu}{p}\right) = -1$, and denote $\bar\nu$ its inverse in $\mathbb{Z}_p$. We define a point in $X_{a,b,c}(\mathbb{Z}_p)$ through $y_p - x_p = \nu$, $a x_p + b y_p = \bar\nu n$, $z_p = 0$. Then $\alpha = 0$, $u = \nu$, and

$$(y_p - x_p, cn)_p = \left(\frac{\nu}{p}\right) = -1.$$

Together with Lemma 5, we get the following:

Lemma 6 Let $p$ be an odd prime not dividing $a + b$ such that $v_p(cn)$ is odd. Then the map $\operatorname{ev}_{\eta,p}$ is surjective.

Let $v_p(cn)$ be even (possibly zero). If $cn$ is a square, then $\operatorname{ev}_{\eta,p} = 1$ trivially. Thus, suppose that $cn$ is not a square. Then $\beta$ is even and (12) translates to

$$(y_p - x_p, cn)_p = \left(\frac{v}{p}\right)^{v_p(y_p - x_p)}.$$

First assume $v_p(c) = v_p(n) = 0$. If $v_p(y_p - x_p) = 0$, then $(y_p - x_p, cn)_p = 1$ follows immediately. On the other hand, if $v_p(y_p - x_p) > 0$, then $p$ divides $y_p - x_p$, and hence $p$ also divides

$$(y_p - x_p)(a x_p + b y_p) = n - c z_p^2.$$

It follows that $cn \equiv (c z_p)^2 \pmod p$; hence, $\left(\frac{cn}{p}\right) = 1$ and we obtain $(y_p - x_p, cn)_p = \left(\frac{cn}{p}\right)^{v_p(y_p - x_p)} = 1$. All in all we get the constant map $\operatorname{ev}_{\eta,p} = 1$.

Now suppose $v_p(n) = 0$ but $v_p(c) > 0$. Then $v_p(n - c z_p^2) = 0$ for any point $(x_p, y_p, z_p) \in X_{a,b,c}(\mathbb{Z}_p)$. It follows that $p$ does not divide $y_p - x_p$ by (8), i.e., $\alpha = v_p(y_p - x_p) = 0$; therefore, $(y_p - x_p, cn)_p = 1$ and the map $\operatorname{ev}_{\eta,p}$ is constantly equal to 1.

Finally, let $v_p(n) > 0$. In this case we can consider the point in $X_{a,b,c}(\mathbb{Z}_p)$ given by $y_p - x_p = p$, $a x_p + b y_p = n p^{-1}$, $z_p = 0$; at this point, we have $v_p(y_p - x_p) = 1$, and thus $(y_p - x_p, cn)_p = \left(\frac{v}{p}\right)$. We summarize the obtained results into a lemma.


Lemma 7 Let $p$ be an odd prime such that $v_p(cn)$ is even, and let $cn = p^{v_p(cn)} v$.
1. If $v_p(n) = 0$ or $\left(\frac{v}{p}\right) = 1$, then $\operatorname{ev}_{\eta,p} = 1$ constantly.
2. If $v_p(n) > 0$ and $\left(\frac{v}{p}\right) = -1$, then $\operatorname{ev}_{\eta,p}$ is surjective.

From the lemmas we have proved so far, we can derive the following corollary.

Corollary 1 Let $n$ be an integer, and assume that one of the following holds:
1. There exists a prime $q \ne 2, \infty$ not dividing $a + b$ with $v_q(cn)$ odd.
2. $v_p(cn)$ is even for every prime $p \ne 2, \infty$, $v_2(cn)$ is odd, and there exists a prime $q \ne 2, \infty$ dividing $n$ but not dividing $a + b$ such that $q \equiv \pm 3 \pmod 8$.

Then there is no Brauer-Manin obstruction, and thus $n \in N_{\mathrm{loc}}(Q_{a,b,c})$ if and only if $n \in N_{\mathrm{glob}}(Q_{a,b,c})$.

Proof If (1) holds, then Lemma 6 applies and there is no Brauer-Manin obstruction according to (B). If (2) holds, we can write $cn = 2^{v_2(cn)} q^{v_q(cn)} s^2$ for a suitable $s \in \mathbb{Z}$; then

$$\left(\frac{2^{v_2(cn)} s^2}{q}\right) = \left(\frac{2}{q}\right) = -1,$$

and thus Lemma 7(2) together with (B) implies that there is no Brauer-Manin obstruction. In that case, the result of [CTXu] ensures that the existence of all local solutions is sufficient for the existence of a global solution.

For later use, we point out a special case of the previous statement.

Corollary 2 Assume that $a + b = 2^\kappa$, $\kappa \ge 0$. Let $n$ be an integer, and let us write $cn = 2^{v_2(cn)} m$. Assume that one of the following holds:
1. $m$ is not a square, i.e., there exists a prime $q \ne 2, \infty$ with $v_q(cn)$ odd,
2. $m$ is a square, $v_2(cn)$ is odd, and there exists a prime $q \ne 2, \infty$ dividing $n$ such that $q \equiv \pm 3 \pmod 8$.

Then there is no Brauer-Manin obstruction, and thus $n \in N_{\mathrm{loc}}(Q_{a,b,c})$ if and only if $n \in N_{\mathrm{glob}}(Q_{a,b,c})$.

5.3 Case $p$ a Prime, $2 < p < \infty$ and $p \mid (a + b)$

In this subsection, we assume that $a + b$ is a power of an odd prime number $\pi$, i.e., $a + b = \pi^\kappa$ for some $\kappa \ge 0$, and $c = \pi$. Moreover, we will consider only $b$'s such that $b \equiv b_0^2 \pmod \pi$ for some integer $b_0$ not divisible by $\pi$.

On account of Lemma 6, we have that there is no Brauer-Manin obstruction if $n$ is divisible by a prime $p \ne 2, \pi, \infty$ such that $v_p(n)$ is odd. To deal with the remaining cases, we can suppose $n = \pi^k 2^l s^2$ where $2, \pi \nmid s$.


If $\pi n$ is a square, then the map $\operatorname{ev}_{\eta,\pi}$ is constantly equal to 1. Otherwise, we have

$$(y_\pi - x_\pi, \pi n)_\pi = (y_\pi - x_\pi, \pi^{\varepsilon_1} 2^{\varepsilon_2})_\pi$$

where $\varepsilon_1, \varepsilon_2 \in \{0, 1\}$. From now on, we will restrict to the cases when $\pi \equiv 1 \pmod 8$ and $\varepsilon_2 = 0$. This is motivated by calculations performed in Sect. 6.1, particularly by Lemma 9. Moreover, having these assumptions, we can put $\varepsilon_1 = 1$ to get non-square cases of $\pi n$. Thus we have $n = \pi^{2k} s^2$ with $\pi \nmid s$ but possibly with 2 dividing $s$. We can also refine conditions put on $s$. Especially, Lemma 7(2) implies that there is no obstruction if $\left(\frac{\pi}{p}\right) = -1$ for some $p$ dividing $s$, $p \ne 2, \pi, \infty$. Recalling that $\pi \equiv 1 \pmod 8$, we have $\left(\frac{\pi}{p}\right) = \left(\frac{p}{\pi}\right)$, and thus we may assume that $s$ consists only of primes $q$ such that $\left(\frac{q}{\pi}\right) = 1$.

Let us continue in the investigation of the Hilbert symbol for the prime $\pi$. We have

$$(y_\pi - x_\pi, \pi n)_\pi = (y_\pi - x_\pi, \pi)_\pi = \left(\frac{u}{\pi}\right)\left(\frac{1}{\pi}\right)^{\alpha} = \left(\frac{u}{\pi}\right)$$

where $y_\pi - x_\pi = \pi^\alpha u$ and $\pi \nmid u$. To get more information about $u$, we use some results from Sect. 3 (see the proof of Lemma 4). If $k \ge \kappa$, we can always find a global solution of our equation. For $0 \le k < \kappa$, we have

$$b (r_\pi^{(i)})^2 \equiv b_0^2 u^2 \equiv s^2 \pmod \pi$$

where $i$ is the smallest index such that $\pi \nmid r_\pi^{(i)}$. Since $s$ is divisible only by primes $q$ such that $\left(\frac{q}{\pi}\right) = 1$, necessarily $s$ is a square modulo $\pi$. Thus the value of $\left(\frac{u}{\pi}\right)$ depends on whether $b_0$ is a square modulo $\pi$ or not. Hence we can state the following conclusion.

Lemma 8 Let $\pi$ be an odd prime such that $\pi \equiv 1 \pmod 8$. Suppose $a + b = \pi^\kappa$, $b \equiv b_0^2 \pmod \pi$ for some $b_0 \in \mathbb{Z}$ not divisible by $\pi$ and $c = \pi$. Let $n = \pi^{2k} s^2$ with $k \ge 0$ and $s$ divisible only by primes $q$ such that $\left(\frac{q}{\pi}\right) = 1$.
1. If $b_0$ is a square modulo $\pi$, then $\operatorname{ev}_{\eta,\pi}$ attains the value 1.
2. Let $b_0$ be not a square modulo $\pi$. If $0 \le k < \kappa$, then $\operatorname{ev}_{\eta,\pi} = -1$ constantly. On the other hand, if $k \ge \kappa$, then there is a global solution to (8), and hence $\operatorname{ev}_{\eta,\pi}$ attains the value 1.

6 Computation of the Local Evaluation Maps at $p = 2$

Similarly as in the previous section, we write for any $(x_2, y_2, z_2) \in X_{a,b,c}(\mathbb{Z}_2)$

$$y_2 - x_2 = 2^\alpha u, \qquad cn = 2^\beta v, \qquad \text{where } 2 \nmid u, v; \tag{13}$$

here we have

$$(y_2 - x_2, cn)_2 = (-1)^{\varepsilon(u)\varepsilon(v) + \alpha\omega(v) + \beta\omega(u)}, \tag{14}$$

where

$$\varepsilon(m) := \frac{m - 1}{2} \quad \text{and} \quad \omega(m) := \frac{m^2 - 1}{8}.$$

Note that

$$\varepsilon(m) \equiv \begin{cases} 0 \pmod 2 & \text{if } m \equiv 1 \pmod 4, \\ 1 \pmod 2 & \text{if } m \equiv -1 \pmod 4. \end{cases}$$

Furthermore, it is easy to see that $\omega(m)$ actually depends only on the residue classes of $m$ modulo 8; we get

$$\omega(m) \equiv \begin{cases} 0 \pmod 2 & \text{if } m \equiv \pm 1 \pmod 8, \\ 1 \pmod 2 & \text{if } m \equiv \pm 3 \pmod 8. \end{cases}$$

6.1 Case with $a + b$ Odd

The advantage of $a + b$ being odd lies in the fact that the substitution (10) is invertible in $\mathbb{Z}_2$. Consider an arbitrary odd integer $m$ and set

$$y_2 - x_2 = m, \qquad a x_2 + b y_2 = n m^{-1}, \qquad z_2 = 0;$$

this satisfies (8), and hence defines a point in $X_{a,b,c}(\mathbb{Z}_2)$. Then $\alpha = 0$, and (14) translates into

$$(y_2 - x_2, cn)_2 = (-1)^{\varepsilon(u)\varepsilon(v) + \beta\omega(u)},$$

where $\beta = v_2(cn)$ and $u = m$.

First suppose that $\beta$ is odd. If $v \equiv 1 \pmod 4$, then $(y_2 - x_2, cn)_2 = (-1)^{\omega(m)}$; taking $m \equiv 1 \pmod 8$ and $m \equiv 3 \pmod 8$, respectively, gives the values 1 and $-1$. Similarly, if $v \equiv -1 \pmod 4$, then $(y_2 - x_2, cn)_2 = (-1)^{\varepsilon(m) + \omega(m)}$; considering $m \equiv 1 \pmod 8$ and $m \equiv -1 \pmod 8$, respectively, gives the values 1 and $-1$. Thus, the map $\operatorname{ev}_{\eta,2}$ is surjective if $\beta$ is odd.

Now let $\beta$ be even. If $v \equiv 3 \pmod 4$, we can again choose $m \equiv 1 \pmod 4$, resp. $m \equiv -1 \pmod 4$, to get both values of the Hilbert symbol; thus, also in this case the map $\operatorname{ev}_{\eta,2}$ is surjective. On the other hand, if $v \equiv 1 \pmod 4$, we get $(y_2 - x_2, cn)_2 = 1$; but we cannot conclude that $\operatorname{ev}_{\eta,2}$ is constantly 1, because we have not covered all the points in $X_{a,b,c}(\mathbb{Z}_2)$. So we have to use another strategy for this case.

Consider an arbitrary point $(x_2, y_2, z_2) \in X_{a,b,c}(\mathbb{Z}_2)$, and assume that $\beta = v_2(cn)$ is even and $v \equiv 1 \pmod 4$. Then $\varepsilon(v) = 0$, so (14) translates into

$$(y_2 - x_2, cn)_2 = (-1)^{\alpha\omega(v)}.$$

If $v \equiv 1 \pmod 8$, then $\omega(v) = 0$, and we get $(y_2 - x_2, cn)_2 = 1$. Hence, assume $v \equiv 5 \pmod 8$; we need to decide if $\alpha = v_2(y_2 - x_2)$ can be odd.

First suppose that $n$ is odd but $c$ is even. Then $(y_2 - x_2)(a x_2 + b y_2) \equiv 1 \pmod 2$, so in particular $y_2 - x_2$ must be odd. We conclude that $\alpha = 0$, and thus $\operatorname{ev}_{\eta,2} = 1$ constantly in this case.

On the other hand, for any other combination of parity of $n$ and $c$, we can choose $z_2 \in \{0, 1\}$ such that $n - c z_2^2$ is even. Then setting $y_2 - x_2 = 2$ produces a well-defined point in $X_{a,b,c}(\mathbb{Z}_2)$, in particular

$$x_2 = \frac{n - c z_2^2 - 4b}{2(a + b)}, \qquad y_2 = \frac{n - c z_2^2 + 4a}{2(a + b)}, \qquad z_2 = 0 \text{ or } 1.$$

At this point, we obviously have $\alpha = v_2(y_2 - x_2) = 1$; therefore, we discovered a point with $(y_2 - x_2, cn)_2 = -1$. Since we have previously found another point for which the map $\operatorname{ev}_{\eta,2}$ attained the positive value, it follows that the map $\operatorname{ev}_{\eta,2}$ is surjective.

Lemma 9 Assume that $a + b$ is odd. Let $n$ be an integer, and write $cn = 2^{v_2(cn)} v$. The map $\operatorname{ev}_{\eta,2}$ is surjective if and only if one of the following holds:
1. $v_2(cn)$ is odd,
2. $v_2(cn)$ is even and $v \equiv 3 \pmod 4$,
3. $v_2(cn)$ is even, $v \equiv 5 \pmod 8$ and either $n$ is even or $c$ is odd.

The map $\operatorname{ev}_{\eta,2} = 1$ constantly in all the other cases (i.e., if $v_2(cn)$ is even and either $v \equiv 1 \pmod 8$, or $v \equiv 5 \pmod 8$, $n$ is odd and $c$ is even).

Together with some results from the previous section, we get the following corollary:

Corollary 3 Let $\pi$ be an odd prime such that $\pi \equiv 1 \pmod 8$. Suppose $a + b = \pi^\kappa$, $b \equiv b_0^2 \pmod \pi$ for some $b_0 \in \mathbb{Z}$ not divisible by $\pi$ and $c = \pi$. Then there is a Brauer-Manin obstruction if and only if $n = \pi^{2k} s^2$ with $s$ divisible only by primes $q$ such that $\left(\frac{q}{\pi}\right) = 1$, $0 \le k < \kappa$ and $b_0$ is not a square modulo $\pi$.

Proof If $v_p(\pi n)$ is odd or $\left(\frac{\pi}{p}\right) = -1$ for some $p \ne 2, \pi, \infty$ dividing $n$, then Lemma 6 says that there is no Brauer obstruction to the integral Hasse principle. According to Lemma 9, we can make the same conclusion for natural numbers $n$ such that $v_2(\pi n)$ is odd. On the other hand, $\operatorname{ev}_{\eta,p}$ for $p \ne \pi$ is constantly equal to 1 for all the remaining cases of $n$. Lemma 8 gives us that $\operatorname{ev}_{\eta,\pi}$ attains 1 if $v_\pi(n) \ge 2\kappa$, $v_\pi(n)$ is odd or $b_0$ is a square modulo $\pi$. Otherwise, $\operatorname{ev}_{\eta,\pi}$ is constantly equal to $-1$, thus the Brauer-Manin obstruction occurs.

6.2 Case with $a + b = 2^\kappa$, $\kappa \ge 0$

Recall that if $cn$ is a square (in particular, $v_2(cn)$ is even), then the Brauer group is trivial (see Sect. 4), and thus $\operatorname{ev}_{\eta,2} = 1$ constantly. Invoking Corollary 2, we need to compute the value of $\operatorname{ev}_{\eta,2}$ only for those $n$'s such that $cn = 2^{v_2(cn)} s^2$ with $v_2(cn)$ odd and $s$ divisible only by primes $q \equiv \pm 1 \pmod 8$ (possibly $s = 1$).

Let $v_2(cn) = 2k + 1$ for some $k \ge 0$, i.e., we have $cn = 2^{2k+1} s^2$; inserting this into the Eq. (14), we get

$$(y_2 - x_2, 2^{2k+1} s^2)_2 = (y_2 - x_2, 2)_2 = (-1)^{\omega(u)} \tag{15}$$

with $y_2 - x_2 = 2^\alpha u$. We slightly rewrite the equation in (8); the most useful form will be

$$(y - x)(acx + bcy) = 2^{2k+1} s^2 - c^2 z^2.$$

We will restrict to the following families of quadratic forms (assuming $a + b = 2^\kappa$):

(I) $c(a + b)$ divides $ac + 2$ in $\mathbb{Z}_2$;
(II) $c$ is odd and $a + b$ divides $ac + 1$ in $\mathbb{Z}_2$;
(III) $c$ is odd and $a + b$ divides $ac - 2$ in $\mathbb{Z}_2$;
(IV) $c = 2$ and $a = 2^\kappa + 1$, $b = 2^\kappa - 1$ for some $\kappa \ge 0$.

In each of these cases, we will define a point $P$ such that $\operatorname{ev}_{\eta,2}(P) = 1$. We will do so through choosing the values of $y_2 - x_2$, $acx_2 + bcy_2$ and $z_2$, the assumptions above assuring that the points are indeed well-defined. Note that $\omega(s) = 0$ by the assumption on $s$. Looking again at the Eq. (15) and noting that, in these cases, $u = s$, it is clear that indeed $\operatorname{ev}_{\eta,2}(P) = 1$ for each point $P$ defined in Table 1.

Table 1 Definition of points $P$ with $\operatorname{ev}_{\eta,2}(P) = 1$

Case            $y_2 - x_2$    $acx_2 + bcy_2$    $z_2$
(I)             $2^k s$        $2^{k+1} s$        $0$
(II)            $2^k s$        $2^k s$            $\frac{2^k s}{c}$
(III)           $2^k s$        $-2^{k+1} s$       $\frac{2^{k+1} s}{c}$
(IV), $k > 0$   $2^k s$        $-2^{k+1} s$       $2^k s$


As we have already mentioned at the beginning of the subsection, the case with $v_2(cn)$ even is trivial, since then $cn$ is a square. Hence, we have just proven the following lemma.

Lemma 10 Let $a, b, c$ be as in (I)–(IV), and let $n \in \mathbb{N}$ be such that $cn = 2^{v_2(cn)} s^2$ with $s$ divisible only by primes $q \equiv \pm 1 \pmod 8$.
1. If $v_2(cn)$ is even, then $\operatorname{ev}_{\eta,2} = 1$ constantly.
2. If $v_2(cn)$ is odd, and furthermore $v_2(n) > 0$ in (IV), then the map $\operatorname{ev}_{\eta,2}$ attains the value 1.

Remark 1 Suppose that $v_2(cn) > 1$ is odd. In the case (IV), we can say even more if $\kappa \le 3$: Set

$$\nu_s = \begin{cases} s + 2 & \text{if } s \equiv 1 \pmod 8, \\ s + 4 & \text{if } s \equiv -1 \pmod 8; \end{cases}$$

then we have $\nu_s \equiv 3 \pmod 8$. Write $\bar\nu_s$ for the inverse of $\nu_s$ in $\mathbb{Z}_2$, and define the point

$$P': \quad y_2 - x_2 = 2^k \nu_s, \qquad acx_2 + bcy_2 = -2^{k+1} s^2 \bar\nu_s, \qquad z_2 = 2^k s.$$

This is indeed a point in $X_{a,b,c}(\mathbb{Z}_2)$, as

$$y_2 = 2^{k-1}\, \frac{(2^\kappa + 1)\nu_s - s^2 \bar\nu_s}{2^\kappa},$$

where $k = v_2(n) > 0$, $\nu_s \equiv \bar\nu_s \pmod 8$ and $s^2 \equiv 1 \pmod 8$. Since $\operatorname{ev}_{\eta,2}(P') = -1$, we conclude that the map $\operatorname{ev}_{\eta,2}$ is in this case surjective.

In (IV), we have to solve the case with $k = 0$ (i.e., with $n = s^2$ odd) separately: the quadric (8) has now the form

$$(y - x)\big((2^\kappa + 1)x + (2^\kappa - 1)y\big) + 2z^2 = s^2. \tag{16}$$

We look at this equation at a point $(x_2, y_2, z_2) \in X_{a,b,c}(\mathbb{Z}_2)$ modulo 2; we get $x_2^2 + y_2^2 \equiv 1 \pmod 2$, and it follows that $y_2 - x_2$ is odd. Therefore, (14) gives

$$(y_2 - x_2, 2n)_2 = (-1)^{\omega(y_2 - x_2)}.$$

If $\kappa = 0$ or $\kappa = 2$, then, looking at the Eq. (8) modulo 2, resp. modulo 8, one can check easily that there is no global solution for $n = s^2$ odd (cf. Lemma 2). If $\kappa = 1$, then setting $x = 0$, $y = s$, $z = 0$ gives a global solution whenever $n = s^2$.

Thus, we can suppose that $\kappa \ge 3$. Looking at the Eq. (16) modulo 8, we obtain

$$-(y_2 - x_2)^2 + 2 z_2^2 \equiv 1 \pmod 8$$

and since $y_2 - x_2$ is odd, it follows that $z_2^2 \equiv 1 \pmod 8$, and thus $2 z_2^2 \equiv 2 \pmod{16}$. Write $r_2 = y_2 - x_2$; we have

$$r_2\big((2^\kappa - 1) r_2 + 2^{\kappa+1} x_2\big) = s^2 - 2 z_2^2.$$

Moreover, since $s$ is divisible only by primes $q \equiv \pm 1 \pmod 8$, we have $s^2 \equiv 1 \pmod{16}$. Then

$$\omega(y_2 - x_2) = \omega(r_2) = \frac{r_2^2 - 1}{8} \equiv (2^\kappa - 1)\frac{r_2^2 - 1}{8} + 2^{\kappa-2} r_2 x_2$$
$$= \frac{(2^\kappa - 1) r_2^2 + 2^{\kappa+1} r_2 x_2 - (2^\kappa - 1)}{8} = \frac{s^2 - 2 z_2^2 - (2^\kappa - 1)}{8}$$
$$\equiv \frac{1 - 2 - (2^\kappa - 1)}{8} \equiv 2^{\kappa-3} \pmod 2.$$

It follows that

$$\omega(y_2 - x_2) \equiv \begin{cases} 1 \pmod 2 & \text{if } \kappa = 3, \\ 0 \pmod 2 & \text{if } \kappa > 3. \end{cases}$$

We conclude the following lemma.

Lemma 11 Let $a = 2^\kappa + 1$, $b = 2^\kappa - 1$, $c = 2$. Further suppose that $n = s^2$ with $s$ divisible only by primes $q \equiv \pm 1 \pmod 8$.
1. If $\kappa = 0$ or $\kappa = 2$, then there does not exist any global solution.
2. If $\kappa = 1$, then there always exists a global solution.
3. If $\kappa = 3$, then $\operatorname{ev}_{\eta,2} = -1$ constantly. In particular, then $n$ satisfies $n \in N_{\mathrm{BM}}(Q_{a,b,c})$.
4. If $\kappa > 3$, then $\operatorname{ev}_{\eta,2} = 1$ constantly.

Corollary 4 If $a, b, c$ are as in (I)–(III), then no $n \in \mathbb{N}$ is obstructed, i.e., $N_{\mathrm{loc}}(Q_{a,b,c}) = N_{\mathrm{glob}}(Q_{a,b,c})$. If $a, b, c$ are as in (IV), then the Brauer-Manin obstruction occurs only for $\kappa = 3$ and $n = s^2$ with $s$ divisible only by primes $q \equiv \pm 1 \pmod 8$.

Proof Recall that in our situation, Brauer-Manin obstruction is the only obstruction to the integral Hasse principle (see [CTXu]). Invoking Corollary 2, we have that an obstruction can occur only for $n$'s such that $cn = 2^{v_2(cn)} s^2$ with $s$ divisible only by primes $q \equiv \pm 1 \pmod 8$. For cases (I)–(III) and case (IV) with $v_2(n) > 0$, Lemma 10 applies. The remaining case is covered by Lemma 11.

Thus if we consider the family from Lemma 3, which is covered by (I), we can state the following corollary. Note that, in contrast to Theorems 3 and 4, this provides an example of an unobstructed family of quadratic forms.


Corollary 5 Let $a = 2$, $b = 2^\kappa - 2$, $c = 2^{\kappa+\delta-1} g - 1$ where $\kappa \ge 4$, $\delta \ge 0$ and $g \in \mathbb{Z}$ is odd. Let $n \in \mathbb{N}$ and write $n = 2^h m$ with $2 \nmid m$. Then $n$ is represented by $Q_{a,b,c}$ over $\mathbb{Z}$ if and only if one of the following holds:
1. $0 \le h \le 2\kappa - 6$ and $m \equiv -1, -3 \pmod 8$;
2. $h = 2\kappa - 5$ or $h \ge 2\kappa - 3$;
3. $h = 2\kappa - 4$ and $m \equiv \pm 1, -3 \pmod 8$.
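The 2-adic computation behind Lemma 11 can be replayed numerically. The Python sketch below is an added illustration, not part of the original paper, and all function names in it are hypothetical: it implements the Hilbert symbol at 2 from formula (14), enumerates every solution of (16) modulo 16 to read off the values of the evaluation map for family (IV) with $n = s^2$, and runs a bounded search for integer solutions.

```python
"""Numerical check of Lemma 11 for family (IV): a = 2^k + 1, b = 2^k - 1, c = 2.

Added illustration; the helper names below are hypothetical.
"""
from itertools import product


def split2(n):
    """Write a nonzero integer n as 2**e * u with u odd and return (e, u)."""
    if n == 0:
        raise ValueError("n must be nonzero")
    e = 0
    while n % 2 == 0:
        n //= 2
        e += 1
    return e, n


def epsilon(m):
    """epsilon(m) = (m - 1)/2 reduced mod 2, for odd m."""
    return ((m - 1) // 2) % 2


def omega(m):
    """omega(m) = (m^2 - 1)/8 reduced mod 2, for odd m."""
    return ((m * m - 1) // 8) % 2


def hilbert2(A, B):
    """Hilbert symbol (A, B)_2 of nonzero integers, following formula (14)."""
    alpha, u = split2(A)
    beta, v = split2(B)
    exponent = epsilon(u) * epsilon(v) + alpha * omega(v) + beta * omega(u)
    return -1 if exponent % 2 else 1


def form_iv(kappa, x, y, z):
    """Value of (y - x)((2^kappa + 1)x + (2^kappa - 1)y) + 2z^2."""
    a, b = 2**kappa + 1, 2**kappa - 1
    return (y - x) * (a * x + b * y) + 2 * z * z


def ev2_values(kappa, s):
    """Values of (y - x, 2 s^2)_2 over all solutions of (16) modulo 16.

    Assumes kappa >= 3 and s odd. Every point of X(Z_2) reduces to one of
    these residue solutions, y - x is odd at each of them, and the symbol
    then depends only on (y - x) mod 8, so this set contains every value
    the evaluation map can take.
    """
    n = s * s
    values = set()
    for x, y, z in product(range(16), repeat=3):
        if (form_iv(kappa, x, y, z) - n) % 16 == 0:
            values.add(hilbert2(y - x, 2 * n))
    return values


def small_solution(kappa, n, bound):
    """First integer solution of Q(x, y, z) = n with |x|, |y|, |z| <= bound."""
    box = range(-bound, bound + 1)
    for x, y, z in product(box, repeat=3):
        if form_iv(kappa, x, y, z) == n:
            return (x, y, z)
    return None


if __name__ == "__main__":
    for kappa, s in [(3, 1), (3, 7), (4, 1), (5, 17)]:
        print("kappa =", kappa, "s =", s, "values:", ev2_values(kappa, s))
    print("kappa = 3, n = 1:", small_solution(3, 1, 10))
    print("kappa = 4, n = 1:", small_solution(4, 1, 3))
```

For $\kappa = 3$ the bounded search finds nothing, which is consistent with the obstruction but is not by itself a proof of it; for $\kappa = 4$ it returns an explicit representation of $n = 1$.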

7 Proofs of the Main Theorems

Proof of Theorem 3 The situation in this theorem corresponds to the family (IV). Thus, it follows from Corollary 4 that no obstruction occurs if $\kappa \ne 3$; in that case, every local solution in Lemmas 1 and 2 produces a global solution. If $\kappa = 3$, then we need to remove from the local solutions the case when $n = s^2$ with $s$ divisible only by primes $q \equiv \pm 1 \pmod 8$, i.e., the case when $h = 0$, $n_0 = 1$ and there is no prime $p$ dividing $s$ with $p \equiv \pm 3 \pmod 8$.

Proof of Theorem 4 Corollary 3 gives us the cases when there is no Brauer-Manin obstruction, i.e., the existence of local solutions specified in Lemma 4 guarantees that the equation is solvable over $\mathbb{Z}$. If $b \equiv b_0^2 \pmod \pi$ where $b_0$ is not a square modulo $\pi$, then the Brauer-Manin obstruction occurs if $n = \pi^{2k} s^2$, $0 \le k < \kappa$ and $s$ is divisible only by primes $q$ such that $\left(\frac{q}{\pi}\right) = 1$. This is the only case when the local solutions do not produce a global solution.

8 Proof of Theorem 1

In this part, we will prove Theorem 1. We consider the quadratic form

$$Q(x, y, z) = -9x^2 + 2xy + 7y^2 + 2z^2$$

and aim to find an asymptotic formula for the number of natural numbers $n$ of bounded size for which there is a Brauer-Manin obstruction to the integral Hasse principle. We will use the Selberg-Delange method, which is described in [Te, Chapter II.5].

Recall that this quadratic form belongs to case (IV), and we have $\kappa = 3$. Thus, according to Corollary 4, the Brauer-Manin obstruction occurs if and only if $n$ is an odd square divisible only by primes congruent to $\pm 1 \pmod 8$. To find the number of those numbers $n$ up to some $N$, it suffices to count the number of natural numbers $n'$ up to $\sqrt{N}$ which are divisible only by the considered primes.

To reach this aim, let us consider the character $\chi$ defined for prime numbers $p$ in the following way:

$$\chi(p) := \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod 8, \\ -1 & \text{if } p \equiv \pm 3 \pmod 8, \\ 0 & \text{if } p = 2. \end{cases}$$

Note that throughout this section, the letter $p$ stands for prime numbers. Using this, we define the function

$$L(s, \chi) := \sum_{n=1}^{\infty} \frac{\chi(n)}{n^s} = \prod_p \left(1 - \frac{\chi(p)}{p^s}\right)^{-1}.$$

Thus, multiplying by the Riemann zeta function $\zeta(s)$ we obtain

$$L(s, \chi)\zeta(s) = \left(1 - \frac{1}{2^s}\right)^{-1} \prod_{p \equiv \pm 1 \,(\mathrm{mod}\ 8)} \left(1 - \frac{1}{p^s}\right)^{-2} \prod_{p \equiv \pm 3 \,(\mathrm{mod}\ 8)} \left(1 - \frac{1}{p^{2s}}\right)^{-1}.$$

Let $A : \mathbb{N} \to \{0, 1\}$ be given by

$$A(n') := \begin{cases} 1 & \text{if } n' \text{ is divisible only by primes } p \equiv \pm 1 \pmod 8, \\ 0 & \text{otherwise.} \end{cases}$$

Thus $\sum_{n' \le \sqrt{N}} A(n')$ indicates our desired value. Let

$$D(s) := \sum_{n'=1}^{\infty} \frac{A(n')}{n'^s} = \prod_{p \equiv \pm 1 \,(\mathrm{mod}\ 8)} \left(1 - \frac{1}{p^s}\right)^{-1}$$

and

$$H(s) := \left(1 - \frac{1}{2^s}\right)^{-1} \prod_{p \equiv \pm 3 \,(\mathrm{mod}\ 8)} \left(1 - \frac{1}{p^{2s}}\right)^{-1}.$$

Then $L(s, \chi)\zeta(s) = D(s)^2 H(s)$ and the function $D(s)$ can be expressed as

$$D(s) = \sqrt{\zeta(s)}\, \sqrt{L(s, \chi) H(s)^{-1}}.$$

Therefore, it is possible to write $D(s)$ as $D(s) = G(s; z)\zeta(s)^z$ with $z = \frac12$, which satisfies the requirements of the Selberg-Delange method. Following this procedure we can deduce that

$$\sum_{n' \le \sqrt{N}} A(n') = \sqrt{N} (\log \sqrt{N})^{z-1}\, \frac{1}{\Gamma(z)}\, G(1; z)\gamma_0(z) + o\left(\sqrt{N} (\log \sqrt{N})^{z-1}\right)$$

where $\gamma_0(z)$ is a coefficient in the Taylor series of the function $s^{z-1}\zeta(s)^z$ of the form

$$\sum_{j=0}^{\infty} \frac{1}{j!} \gamma_j(z)(s - 1)^j.$$

For $z = \frac12$, we have $\gamma_0(z) = 1$. Moreover, we can easily see that

$$G(1; z) = \frac{1}{\sqrt{2}} \sqrt{\prod_p \left(1 - \frac{\chi(p)}{p}\right)^{-1} \prod_{p \equiv \pm 3 \,(\mathrm{mod}\ 8)} \left(1 - \frac{1}{p^2}\right)},$$

where the expression after $\frac{1}{\sqrt{2}}$ is equal to the constant $C$ from the statement of our theorem. Thus

$$\sum_{n' \le \sqrt{N}} A(n') = \frac{C}{\sqrt{2\pi}} \frac{\sqrt{N}}{\sqrt{\log \sqrt{N}}} + o\left(\frac{\sqrt{N}}{\sqrt{\log \sqrt{N}}}\right),$$

and the proof is completed.

Acknowledgments This note originated at a WINE3 workshop at Rennes—we thank the organisers Sorina Ionica, Holly Krieger and Elisa Lorenzo Garcia for creating this opportunity. Moreover, we thank the anonymous referees for their careful reading of this manuscript and valuable comments. L.M. is supported by the Swedish Research Council Grant No. 2016-05198 and by a prize of the Göran Gustafsson Foundation. D. S. was supported by a NWO grant 016.Veni.173.016M. M. T. was supported by Czech Science Foundation (GAČR), grant 1704703Y, by the Charles University, project GA UK No. 1298218, by Charles University Research Centre program UNCE/SCI/022, by project PRIMUS/20/SCI/002, and by the project SVV-2017260456. K. Z. was supported by DFG project HO 4784/2-1.

References

[Be] Berg, J.: Obstructions to integral points on affine Châtelet surfaces. arXiv:1710.07969
[BK] Bright, M., Kok, I.: Failure of strong approximation on an affine cone. Involve, a Journal of Mathematics 12(2), 321–327 (2019)
[BLo] Bright, M., Loughran, D.: Brauer-Manin obstruction for Erdős-Straus surfaces. arXiv:1908.02526
[BL] Bright, M., Lyczak, J.: A uniform bound on the Brauer groups of certain log K3 surfaces. Michigan Math. J. 68(2), 377–384 (2019)
[Ch] Chen, S.: Integral points on twisted Markoff surfaces. arXiv:1904.06864
[CTS] Colliot-Thélène, J.-L., Skorobogatov, A. N.: The Brauer-Grothendieck group. Preprint.
[CTWX] Colliot-Thélène, J.-L., Wei, D., Xu, F.: Brauer-Manin obstruction for Markoff surfaces. Ann. Sc. Norm. Super. Pisa Cl. Sci. To appear. arXiv:1808.01584
[CTXu] Colliot-Thélène, J.-L., Xu, F.: Brauer-Manin obstruction for integral points of homogeneous spaces and representation by integral quadratic forms. Compos. Math. 145, 309–363 (2009)
[dJo] de Jong, A. J.: A result of Gabber. Available at http://www.math.columbia.edu/dejong/
[GRo] Grothendieck, A.: Le groupe de Brauer, I, II, III. In: Dix exposés sur la cohomologie des schémas. Masson, Paris; North-Holland, Amsterdam (1968)
[Hs] Hsia, J. S.: Representations by spinor genera. Pac. J. Math. 63, 147–152 (1976)
[JS] Jahnel, J., Schindler, D.: On integral points on degree four del Pezzo surfaces. Israel J. Math. 222, no. 1, 21–62 (2017)
[Kn] Kneser, M.: Darstellungsmaße indefiniter quadratischer Formen. Math. Z. 77, 188–194 (1961)
[LM] Loughran, D., Mitankin, V.: Integral Hasse principle and strong approximation for Markoff surfaces. Int. Math. Res. Not. IMRN. To appear. arXiv:1807.10223
[Ma] Manin, Yu. I.: Cubic forms, algebra, geometry, arithmetic. North-Holland Publishing Co. and American Elsevier Publishing Co., Amsterdam-London and New York (1974)
[Mi] Mitankin, V.: Failures of the Integral Hasse Principle for Affine Quadric Surfaces. J. Lond. Math. Soc. 95, 1035–1052 (2017)
[Po] Poonen, B.: Rational points on varieties. Graduate Studies in Mathematics. 186, Amer. Math. Soc. (2017)
[SPX] Schulze-Pillot, R., Xu, F.: Representations by spinor genera of ternary quadratic forms. Contemp. Math. 344, 323–337 (2004)
[Te] Tenenbaum, G.: Introduction to Analytic and Probabilistic Number Theory. Cambridge University Press, Cambridge (1995)
[Xu] Xu, F.: On representations of spinor genera II. Math. Ann. 332, 37–53 (2005)

Construction of Poincaré-type Series by Generating Kernels

Yasemin Kara, Moni Kumari, Jolanta Marzec, Kathrin Maurischat, Andreea Mocanu, and Lejla Smajlović

MSC Codes (2020) 11F72, 43A22, 58J35, 35J05

1 Introduction

Let  ⊂ PSL2(R) be a Fuchsian group of the first kind having a fundamental domain F with a finite hyperbolic area. It acts on the complex upper half-plane H = {x + iy : x, y ∈ R, y > 0} and the quotient space can be identified with the Riemann surface M = \H. We fix a real weight k, such that there exists a unitary multiplier system χ of weight k on the cover  of  in SL2(R). Throughout the paper we will assume the weight k and the multiplier system to be arbitrary but fixed.

Y. Kara: Faculty of Arts and Sciences, Mathematics Department, Bogazici University, Bebek, Istanbul, Turkey
M. Kumari: School of Mathematics, Tata Institute of Fundamental Research, Mumbai, India
J. Marzec: Institute of Mathematics, Kazimierz Wielki University, Bydgoszcz, Poland
K. Maurischat: Lehrstuhl A Mathematik, RWTH Aachen University, Aachen, Germany
A. Mocanu
L. Smajlović: Department of Mathematics, University of Sarajevo, Sarajevo, Bosnia and Herzegovina

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_8


The hyperbolic Laplacian of weight k on M is the operator

k = $-y^2(\partial_x^2 + \partial_y^2) + 2kiy\,\partial_x$,    (1)

given in terms of rectangular coordinates x + iy ∈ H. It acts on the space Dk of all twice continuously differentiable, square-integrable functions on H, which transform in a suitable way with respect to the weight k unitary multiplier system χ on  (a precise definition is given in Sect. 2). Note that the operator $-y^2(\partial_x^2 + \partial_y^2) + kiy(\partial_x + i\partial_y)$, with $k \in \frac{1}{2}\mathbb{Z}$, arising in the context of harmonic Maass forms, is also called the weight k Laplacian, see e.g. [1]. This operator and the operator k are special cases of a differential operator investigated by Maass in [21] (see also [28]). In some papers (e.g. [22]), k is referred to as the Maass-Laplacian, but we will call k the weight k Laplacian. It is the analogue of the non-Euclidean Laplacian for non-analytic automorphic forms on \H of weight k. Namely, the weighted Laplacian preserves the transformation behavior of functions from Dk (cf. formula (8) below); it can be represented as a composition of differential operators of the first order (the lowering and raising Maass operators) mapping weight k forms into forms of weight k ± 1 (or k ± 2, depending on the scaling taken); the kernel of k − k(1 − k) is isomorphic to the set of meromorphic differentials on F, where F ⊆ H is a fundamental domain for , of weight k with unitary multiplier system, see [11, Section 1.4] and references therein for precise statements of those properties of k . The spectral theory of k was carefully developed in [29, 30, 8, 9] and [23, 24, 25]. It was proved that the Hilbert space Hk of all square-integrable functions on H, which transform in a suitable way with respect to the weight k unitary multiplier system on co-compact  , is a direct sum of countably many finite dimensional eigenspaces spanned by the eigenfunctions ϕj associated to the discrete eigenvalues λj of k . 
When the surface \H is non-compact, the operator k possesses both a discrete and a continuous spectrum; hence the space Hk is a sum of the eigenspaces spanned by the eigenfunctions ϕj and the Eisenstein series associated to each cusp of \H. For more details, see Sect. 2.4 below. In the seminal paper [10], Fay computed the basic eigenfunction expansions (in both rectangular and hyperbolic polar coordinates) of the resolvent kernel for the operator k acting on the Hilbert space of real weight k automorphic forms. He applied it to the construction of an automorphic “prime form” and automorphic functions with prescribed singularities. Following the ideas of Selberg [31], Hejhal developed the trace formula for k on the space \H and derived various applications of it, such as a distribution of pseudo-primes and the computation of the dimension of the space of classical cusp forms of weight 2k ∈ N.


1.1 Poincaré-type Series

The resolvent kernel for k , defined in Sect. 3.2, is a special case of Poincaré-type series, which is the series defined by summing over the group  (or over its cover  ) the weight k point-pair invariant, multiplied by certain other factors depending on the element of  (or  ) in the index of the sum. Loosely speaking, the weight k point-pair invariant is a function k(z, w) of z, w ∈ H which is radial/spherical (meaning it depends only upon the hyperbolic distance between z and w) and which transforms “nicely” with respect to the weight k pseudo-action of  (see Definition 1). In most applications (and so is the case with the resolvent kernel), the point-pair invariant is taken to depend upon one or two complex parameter(s) with large enough real part (to ensure the convergence of the series). When the point-pair invariant is well-chosen, Poincaré-type series become very important objects of study. This is because their Fourier expansions (in different coordinates) together with a Laurent/Taylor series expansion in an additional complex variable s (usually at s = 1 or s = 0) carry important information. For example, when the multiplier system is identity, the constant term in the Laurent series expansion of the resolvent kernel at s = 1 gives rise to a holomorphic automorphic “prime form”, see [10, Theorem 2.3]. Such a form is an important object in the construction of automorphic forms with prescribed singularities. In case when M is compact and the multiplier system is one-dimensional, the constant term in the Laurent series expansion of the resolvent kernel at s = 1 gives rise to a unique Prym differential with multipliers, see [10, p. 163]. The resolvent kernel asymptotic is used more recently in [13] with $k \in \frac{1}{2}\mathbb{N}$ to establish effective sup-norm bounds on average for weight 2k cusp forms for . 
In this paper, we consider the weighted Laplacian with a real weight k, which enables the exploration of the behavior of constructed objects as the weight varies continuously.¹ The construction of Eisenstein and Poincaré-type series on the full modular group, depending on two variables—a complex variable s parameterizing the eigenvalue 1/4 − s² of k and the real weight k (which in this special case can be taken to belong to the interval (0, 12))—have been undertaken by Bruggeman in the series of papers [2, 3, 4]. He proved that those series depend real-analytically on k and that, for k = 0, all square-integrable modular forms (of a certain type) occur in such families.

¹ This line of investigation was not undertaken in this paper, but we plan to pursue it in forthcoming research.

1.2 Our Results

We follow an approach of [19] and [7] towards the construction of Poincaré-type series associated to the weighted Laplacian. It is similar to Bruggeman’s in the sense that we undertake the “operator” approach, looking at appropriate distributions. However, our starting point is the “wave distribution” (see Definition 4), a concept which does not appear in [2, 3, 4]. We illustrate this approach in Sect. 6, by constructing a new Poincaré-type series Ks(z, w), for z, w ∈ F and Re(s) ≫ 0, which transforms “nicely” with respect to the weight k multiplier system. We then obtain its meromorphic continuation with respect to the s variable and deduce its representation in terms of the sum over the group of a certain point-pair invariant, i.e. in terms of the “geometric” automorphic kernel K̃s(z, w), see Sect. 6.2. The strength of our method can be illustrated by Corollary 1, where meromorphic continuation of the kernel K̃s(z, w) is deduced “for free”, i.e. without any further analysis of e.g. its Fourier expansion. More precisely, starting with the spectral expansion theorem [11, Theorem 1.6.4], we construct the wave distribution associated to the weighted Laplacian. We prove in Proposition 3 that the wave distribution acts on a rather large space of test functions and that it can be represented as an integral operator with a certain kernel (Theorem 2). In Proposition 3, we also derive sufficient conditions on the test function so that the wave distribution acting on this test function produces an L²-automorphic kernel. To guarantee the absolute convergence of the aforementioned objects we need bounds for their discrete and, in case when the surface is non-compact, continuous spectra. It turns out that even though the spectral properties of k are well studied, both analytically and computationally (see [32]), the properties of the eigenvalues associated to its discrete spectrum that are different from the minimal eigenvalue |k|(1 − |k|) have not received much attention in the non-compact setting. 
This is probably because in the non-compact setting the discrete spectrum still remains very mysterious; for example it is not even known in general whether it is finite or infinite. For that reason, in Sect. 4 we prove the sup-norm bound $\sup_{z\in F}|\varphi_j(z)| \ll |\lambda_j|$ for the eigenfunctions associated to discrete eigenvalues λj of k , uniform in j. This result is of independent interest, because it is proved in a general setting of a possibly non-compact surface, real weight k and vector-valued eigenfunctions ϕj. In the non-compact setting, we also derive the sup-norm bound for the growth of a certain weighted integral of the (vector-valued) Eisenstein series along the critical line (Proposition 2(b)). The definition of the wave distribution enables one to construct automorphic kernels through the action of the wave distribution on suitably chosen test functions. In Sect. 6, a new L²-automorphic kernel Ks(z, w), called the basic automorphic kernel, is constructed through the action of the wave distribution on the test function gs (u) = (s−1/2) cosh(u)−(s−1/2) for Re(s) ≫ 0. The kernel Ks(z, w) is called (s) the basic kernel, because, as will be seen in [20], both the resolvent kernel and, consequently, the Eisenstein series, can be expressed in terms of this kernel and its translates in the s-variable. It is analogous to the basic automorphic kernel constructed in [7] in the setting of smooth, compact, projective Kähler varieties.


Using the properties of the wave distribution, it is possible to construct Poincaré-type series that are not square-integrable by taking appropriate sums/integrals of the wave distribution (see e.g. [19, Section 7] in the special case of the multiplier system equal to 1). We leave this investigation to the subsequent paper [20]. This approach to the construction of Poincaré-type series has many advantages. Firstly, the construction depends only on the spectral properties of the Laplacian, and we believe it can be applied in more general settings, with the Laplacian replaced by the Casimir element (see a discussion in Sect. 2.2 below). Secondly, the problem of the meromorphic continuation of Poincaré series, which is usually attacked by means of Fourier series expansion and serious analytic considerations related to the coefficients in those series, is simplified. Namely, the meromorphic continuation essentially boils down to establishing a suitable functional relation between the Fourier transform of the test function at s and at s + α, for a suitable translation parameter α (see Lemma 7 below). For this reason, the scaling factor (s−1/2) appears in the test function gs (u) above. (s) Moreover, this approach provides additional flexibility in the construction of Poincaré series, depending on the desired properties of the series, under the action of k . Namely, assume that one is interested in the construction of Poincaré series Ps(z, w) on M, such that k Ps(z, w) equals a certain function of Ps(z, w). Then, representing Ps(z, w) as the wave distribution acting on an unknown test function, this construction boils down to solving a second order differential equation satisfied by this test function, with some natural boundary conditions, such as e.g. decay to zero as Re(s) → ∞. 
This task is not easy, but it may turn out to be easier than solving the partial differential equation that is to be satisfied by the point-pair invariant generating the series Ps (z, w) as a sum over the group  (or its cover  ).

1.3 Outline of the Paper

The paper is organized as follows: in Sect. 2, we introduce the basic notation, define the weighted Laplacian, the unitary multiplier system and the spaces of functions we are interested in and we recall the spectral expansion theorem. In Sect. 3, the construction of the geometric automorphic kernel is presented, following the approach undertaken in [15] and [16] and the pre-trace formula for the resolvent kernel is recalled from [11]. Section 4 is devoted to the proof of the non-trivial sup-norm bound for the eigenfunctions of the weighted Laplacian, a result necessary for the construction of the wave distribution associated to k in Sect. 5. Properties of the wave distribution are identified in Sect. 5 and applied to the construction of the basic automorphic kernel in Sect. 6.


2 Preliminaries

We collect a number of well-known results on the hyperbolic geometry of the upper half-plane, the notion of Laplacians, unitary multiplier systems, and spectral expansions. References for these are, for example [29, 30, 15] and [11]. [5, Chap. 2] is a good reference for 2.2. In order to ensure that all the choices are consistent, we include short proofs of some basic lemmas.

2.1 Basic Notation

Let  ⊂ PSL2(R) denote a Fuchsian group of the first kind. It acts by fractional linear transformations on the hyperbolic upper half-plane H. We choose once and for all a connected fundamental domain F ⊆ H for . We further assume F (and therefore every fundamental domain) to have finite hyperbolic area. Then M := \H is a finite volume hyperbolic Riemann surface, which we allow to have elliptic fixed points and c cusps. Locally, M is identified with its universal cover H, and each point on M has a unique representative in F. We rely on this identification of M with F whenever a definition of a function on M uses the choice of a representative in H. This in particular applies to the kernel functions in this paper. Let  denote the cover of  in SL2(R), i.e. the set of all matrices γ ∈ SL2(R) such that [±γ] ∈ . Throughout this paper, assume that  contains −I, where I stands for the identity element of SL2(R). Let μhyp denote the hyperbolic metric on M, which is compatible with the complex structure of M, and has constant negative curvature equal to minus one. The hyperbolic line element $ds^2_{\mathrm{hyp}}$ is given by

$$ds^2_{\mathrm{hyp}} := \frac{dx^2 + dy^2}{y^2}.$$

Denote the hyperbolic distance from z ∈ H to w ∈ H by dhyp(z, w). It satisfies the relation

$$\cosh d_{\mathrm{hyp}}(z, w) = 1 + 2u(z, w), \tag{2}$$

where

$$u(z, w) := \frac{|z - w|^2}{4\,\operatorname{Im}(z)\operatorname{Im}(w)}. \tag{3}$$

In the sequel, we will need the displacement function σ(z, w), which is defined as

$$\sigma(z, w) := 1 + \frac{|z - w|^2}{4\,\operatorname{Im}(z)\operatorname{Im}(w)} = \frac{|z - \bar{w}|^2}{4\,\operatorname{Im}(z)\operatorname{Im}(w)}. \tag{4}$$


2.2 Weighted Laplacian

We recall that, for any real k, the hyperbolic Laplacian on M of weight k is defined by (1) and it is a second order differential operator applied to twice differentiable functions f : H → C. H. Maass [21] introduced in broader generality, for real numbers α and β, the differential operator

α,β = $-y^2\left(\partial_x^2 + \partial_y^2\right) + (\alpha - \beta)iy\,\partial_x - (\alpha + \beta)y\,\partial_y$.

Specializing to α + β = 0, we recover the classical Laplace–Beltrami operator on H of weight α − β (which is, among others, subject of Roelcke’s work [28, 29, 30]). There is a slight ambiguity in the notation used: the operator α,β with α − β = α + β = k is also called the weighted Laplacian of weight k in the literature. It is that one which is used in the theory of mock modular forms (see e.g. [1]) for half-integral $k \in \frac{1}{2}\mathbb{Z}$. Our choice of the weighted Laplacian is the specialization to weight 2k of the Laplace–Beltrami operator

 = $-y^2\left(\partial_x^2 + \partial_y^2\right) + y\,\partial_x\partial_\theta$,

which in turn equals the Casimir operator for SL2(R), up to a multiplicative constant. Here, SL2 (R) H × SO2 is equipped with coordinates x, y, and θ. More precisely, the action of SL2(R) on L2 (  \SL2 (R)) by right translations comes along with an action of its Lie algebra on C∞-vectors, given by differential operators. The Casimir element generates the center of the universal enveloping Lie algebra and, written with respect to the coordinates ∂x, ∂y, ∂θ, this operator coincides with the Laplace–Beltrami operator ˜ above. By Schur’s lemma, the Casimir acts as a constant on any irreducible representation of SL2(R). In turn, any eigenfunction of the Casimir, respectively the Laplace–Beltrami, together with its SL2(R)-translates generates an irreducible representation. On the other hand, when restricting to eigenfunctions of weight 2k for the maximal compact subgroup SO2 of SL2(R), the Casimir operator specializes to our choice of the weighted Laplacian k . 
In turn, the isomorphism of  \SL2 (R)/SO2 with \H induces an isomorphism of the SO2 -eigenfunctions on  \SL2 (R) with automorphic forms of weight 2k on H.

2.3 Unitary Multiplier System

For every γ = $\begin{pmatrix} * & * \\ c & d \end{pmatrix}$ ∈  and every complex number z, define j(γ, z) := cz + d and Jγ,k(z) := exp(2ik arg j(γ, z)).

Definition 1 A function μ : H² → C∗ satisfying the transformation property μ(γz, γw) = μ(z, w)Jγ,k(z)Jγ,k(w)⁻¹ for all γ ∈ SL2(R) and all z, w ∈ H is called a weight k point-pair invariant.

Note that, due to the fact that SL2(R) acts transitively on point-pairs of a fixed hyperbolic distance, a point-pair invariant of weight zero is just an ordinary point-pair invariant depending only on the hyperbolic distance of the point-pair (z, w). Further, if μ is a weight k point-pair invariant and  is a weight zero point-pair invariant, then μ ·  is also a weight k point-pair invariant. Furthermore, if ν is also a weight k point-pair invariant, then μ/ν is a point-pair invariant of weight zero.

Lemma 1 Decompose the real number k = k1 + k2 with k1 ∈ Z and k2 ∈ (−1/2, 1/2], and define $z^k = z^{k_1}\exp(k_2 \log z)$ for the principal branch of the complex logarithm log z. The function Hk : H² → C∗ given by
k  k k   z−w |z − w|2 (1 − ζ )2 Hk (z, w) := − = = , w−z (z − w)2 |1 − ζ |2

for ζ =

z−w , z−w

is a weight k point-pair invariant.

Proof The function r : H² → C given by

$$r(z, w) = 1 - \frac{z - w}{z - \bar{w}} = \frac{2i\,\operatorname{Im}(w)}{z - \bar{w}}$$

transforms under SL2(R) as

$$r(\gamma z, \gamma w) = r(z, w)\,\frac{cz + d}{cw + d}. \tag{5}$$

Note that, for all z, w ∈ H, we have $z - \bar{w} \in$ H. In particular, $0 \le \arg(z - \bar{w}) < \pi$, which implies that

$$-\frac{\pi}{2} < \arg(r) = \frac{\pi}{2} - \arg(z - \bar{w}) \le \frac{\pi}{2}.$$

We claim that the argument of r transforms as arg(r(γz, γw)) = arg(r(z, w)) + arg(cz + d) − arg(cw + d). To see this, notice that both cz + d and cw + d belong either to the upper or to the lower complex half-plane. In particular, either arg(cz + d), arg(cw + d) ∈ (0, π) or arg(cz + d), arg(cw + d) ∈ (−π, 0), and it follows that

$$\arg\left(\frac{cz + d}{cw + d}\right) = \arg(cz + d) - \arg(cw + d).$$

Consequently, since in (5) both values of r have arguments in (−π/2, π/2] and since

$$\arg(r(\gamma z, \gamma w)) = \arg(r(z, w)) + \arg\left(\frac{cz + d}{cw + d}\right) + 2\pi l$$

for some l ∈ Z, we must have l = 0. Since

$$H_k(z, w) = H_k(r(z, w)) = \left(\frac{r}{|r|}\right)^{2k_1} \cdot \left(\frac{r}{|r|}\right)^{2k_2},$$

the claim of the lemma follows trivially for k = k1 ∈ Z, using the definition of Jγ,k1. For k = k2 ∈ (−1/2, 1/2], it follows from the above by noticing that, for exponent 2k2 ∈ (−1, 1], the power is still given by multiplying the argument, $(e^{i\arg(z)})^{2k_2} = e^{2ik_2\arg(z)}$. The lemma follows for arbitrary real k from our choice of the k-th power.

For every $\gamma_1 = \begin{pmatrix} a_1 & a_2 \\ a_3 & a_4 \end{pmatrix}$ and $\gamma_2 = \begin{pmatrix} b_1 & b_2 \\ b_3 & b_4 \end{pmatrix}$ ∈ SL2(R), write $\gamma_1\gamma_2 = \begin{pmatrix} c_1 & c_2 \\ c_3 & c_4 \end{pmatrix}$. For every z ∈ H, we have

$$a_3\gamma_2 z + a_4 = \frac{c_3 z + c_4}{b_3 z + b_4}$$

and therefore there exists an integer w(γ1, γ2) ∈ {−1, 0, 1}, which is independent of z, such that

$$2\pi w(\gamma_1, \gamma_2) = \arg(a_3\gamma_2 z + a_4) + \arg(b_3 z + b_4) - \arg(c_3 z + c_4). \tag{6}$$

The function ωk (γ1 , γ2 ) := exp(4π ikw(γ1 , γ2 )) is called a factor system of weight k. Let (V , ·, · ) be a d-dimensional unitary C-vector space (d < ∞), where the inner product ·, · is semi-linear in the first argument. Let U (V ) denote the unitary group, i.e. the automorphisms u of V respecting the scalar product, u(v), u(w) = v, w for all v, w ∈ V . Definition 2 A (unitary) multiplier system of weight k on  is a function χ : → U (V ) which satisfies the properties: (a) χ (−I ) = e−2π ik idV and (b) χ (γ1 γ2 ) = ωk (γ1 , γ2 )χ (γ1 )χ (γ2 ). If  contains parabolic elements, then there exists a unitary multiplier system on  for every weight k ∈ R; when  does not contain parabolic elements, a unitary multiplier system on  exists for certain rational values of weight k, depending on the signature of the group , see [11, Proposition 1.3.6]. From now on, we fix k ∈ R such that there exists a unitary multiplier system χ :  → U (V ) of weight k on , which we also fix.


Lemma 2 For every weight k point-pair invariant μ such that the series S,μ (z, w) :=



χ (γ )Jγ ,k (w)μ(z, γ w)

γ ∈ 

is absolutely convergent for all z, w ∈ H, we have the identity S,μ (ηz, w)Jη,k (z)−1 = χ (η)S,μ (z, w) for all η ∈ . Proof We have to prove that χ (η)



χ (γ )Jγ ,k (w)μ(z, γ w) =

γ ∈ 



χ (γ )Jγ ,k (w)Jη,k (z)−1 μ(ηz, γ w)

γ ∈ 

for every η in  . Setting γ  = η−1 γ and summing over γ  instead of γ by absolute convergence of the series, the above follows from the definitions of multiplier system and weight k point-pair invariant, combined with the implication of (6) that, for any w ∈ H and any η, γ ∈ , ωk (η, γ ) = Jη,k (γ w)Jγ ,k (w)Jηγ ,k (w)−1 .

2.4 Spectral Expansion

For every γ ∈  , define the linear operator |[γ, k] on the space of functions f : H → V by f|[γ, k](z) := f(γz)Jγ,k(z)⁻¹. It is important to notice that k commutes with |[γ, k], in other words k (f|[γ, k]) = (k f)|[γ, k] for every twice continuously differentiable function f : H → V. It follows that, if f is such a function and it additionally satisfies

f|[γ, k] = χ(γ)f    (7)

for every γ ∈  , then

(k f)|[γ, k] = χ(γ)k f.    (8)

Notice that if f1 , f2 : H → V are functions satisfying (7) then f1 , f2 is a  -invariant, vector-valued function on H. Let F denote an arbitrary fundamental domain of . Let Hk denote the space of (equivalence classes of μhyp -almost everywhere equal) μhyp -measurable functions f : H → V which satisfy the properties: (a) f |[γ , k](z) = = χ (γ )f (z) for all γ ∈  and (b) /f /2 := F f, f dμhyp < ∞. It follows that Hk is a Hilbert space when equipped with the scalar product > (f, g) :=

F

f, g dμhyp .

For all f1 , f2 ∈ Hk , the function f1 , f2 given by the scalar product on V determines an almost everywhere well-defined function on H. In particular, when = V = C, f, g = f¯ · g and (f, g) = F f (z)g(z)dμhyp (z) is the usual L2 -scalar product. From now on, the equivalence class of a function f : H → V under the equivalence relation μhyp -almost everywhere equal will be denoted by f by abuse of notation. Moreover, identify V = Cd , which implies that x, y =

d 

x j yj

(9)

j =1

for every x = (x1 , . . . , xd )t and y = (y1 , . . . , yd )t in V . Here, Xt denotes the transpose of a matrix X. With these conventions, measurability, differentiability, integrability, etc. of any function f : H → V are defined component-wise. The norm on V corresponding to the scalar product ·, · will be denoted by | · |V . We will at times apply the Hermitian inner product to d ×d matrices, more precisely to xy t for arbitrary x, y ∈ V . Denote the resulting norm by | · |d×d and note that |xy t |d×d = |x|V |y|V . Let Dk denote the set of all twice continuously differentiable functions f ∈ Hk such that k f ∈ Hk . The operator k : Dk → Hk is essentially self-adjoint ˜ k : D˜ k → Hk denote the unique maximal self-adjoint [11, Theorem 1.4.5]. Let  ˜ extension of k with Dk as its domain. In case when  contains parabolic elements, let ζ1 , . . . , ζc denote a complete system of representatives of the  -equivalence classes of cusps of  . Choose matrices A1 , . . . , Ac ∈ SL2 (R), such that the stabilizers ζj := {γ ∈  | γ ζj = −1  1 1  ζj } are generated by −I and Tj := Aj 0 1 Aj . Let mj denote the multiplicity of the eigenvalue 1 of χ (Tj ). For every j ∈ {1, . . . , c }, choose an orthonormal basis

{vj1, . . . , vjd} of V such that

$$\chi(T_j)v_{jl} = e^{2\pi i\beta_{jl}}v_{jl}, \quad \text{with } \beta_{jl} = 0 \text{ if } 1 \le l \le m_j \text{ and } \beta_{jl} \in (0, 1) \text{ if } m_j < l \le d.$$

For every z ∈ H and s ∈ C with ,(s) > 1, define the parabolic Eisenstein series of weight k for the cusp ζj , the multiplier system χ and the eigenvector vj l as the series Ej l (z, s) :=

1 2



ωk (Aj , γ )−1 χ (γ )−1 vj l JAj γ ,k (z)−1 (.(Aj γ z))s .

(10)

γ ∈ ζj \ 

This series converges uniformly absolutely in (z, s) ∈ H × {s ∈ C | Re(s) ≥ 1 + ε} for every ε > 0, hence it defines a C∞-function from H × {s ∈ C | Re(s) > 1} to V, which is holomorphic in s. It was shown in [30] that, for every s ∈ C such that Re(s) > 1, the series Ejl(·, s) is an eigenfunction of k , with eigenvalue s(1 − s):

k Ejl(·, s) = s(1 − s)Ejl(·, s).    (11)

Furthermore, for every fixed z ∈ H, the series Ejl(z, ·) can be extended to a meromorphic function on C, which is denoted in the same way. This function has only simple poles in the half-plane {s ∈ C | Re(s) > 1/2}, which all lie in the interval (1/2, 1]. It has no poles on the line {s ∈ C | Re(s) = 1/2}, from which it follows that Ejl is continuous on H × {s ∈ C | Re(s) = 1/2}. The Eisenstein series Ejl satisfies (11) in this domain. Recall the following theorem from [11, pp. 37–38]:

Theorem 1 (Spectral Expansion) Every function f ∈ D̃k has an expansion of the following form:

$$f(z) = \sum_{n \ge 0} (\phi_n, f)\,\phi_n(z) + \frac{1}{4\pi}\sum_{j=1}^{c}\sum_{l=1}^{m_j}\int_{-\infty}^{\infty} (E_{jl}(\cdot, 1/2 + it), f)\,E_{jl}(z, 1/2 + it)\,dt,$$

where (φn)n≥0 is a countable orthonormal system of eigenfunctions of  ˜ k : D̃k → Hk. The series $\sum_{n \ge 0} (\phi_n, f)\phi_n$ converges uniformly absolutely on compact subsets of H. When  is cocompact, the second sum on the right hand side of the above equation is identically zero.

Remark 1 In the sequel, whenever we apply the spectral expansion theorem to cocompact , we will assume that the sum over parabolic elements is identically zero and we will not treat that case separately.

Let |k|(1 − |k|) = λ0 ≤ λ1 ≤ λ2 ≤ . . . denote the discrete eigenvalues corresponding to the orthonormal system (φn)n≥0 and write

$$\lambda_n = 1/4 + t_n^2 \tag{12}$$

for every n, where $t_n = \sqrt{\lambda_n - 1/4}$ and $t_n \in (0, iA]$ when $\lambda_n < \frac{1}{4}$; here, A is defined as

$$A := \max\{1/2, |k| - 1/2\}, \tag{13}$$

and note that $|k|(1 - |k|) \ge \frac{1}{4} - A^2$. Every λn occurs with finite multiplicity μn and the series $\sum_{n \ge 0} \lambda_n^{-2}$ converges [11, Theorem 1.6.5].

3 The Automorphic Kernel

In this section, we recall the construction of automorphic forms for  with multiplier system χ, using point-pair kernel functions (i.e. kernel functions depending only upon the hyperbolic distance between the points).

3.1 Selberg Harish-Chandra Transform Following [16, pp. 386–387], let  be a real-valued function defined on [0, ∞), four times differentiable in this interval and such that |() (t)| - (t + 4)−δ− , for  = 0, 1, 2, 3, 4 and for some δ > max{1, |k|}. To the weight k point-pair invariant  k(z, w) := Hk (z, w)

 |z − w|2 , .(z).(w)

(14)

where z, w ∈ H, we associate the automorphic kernel K (z, w) :=

1 χ (γ )Jγ ,k (w)k(z, γ w), 2

(15)

γ ∈ 

  |z−w|2 is a which takes values in the endomorphism ring End(V ). Note that  .(z).(w) weight zero point-pair invariant. Due to the bounds on the derivatives of  and to Lemma 2, the automorphic kernel K belongs to D˜ k as a function of z. The Selberg Harish-Chandra transform h of a function  satisfying the conditions stated above can be computed using the following three steps: (i) compute > Q(y) =

k √ y + 4 + iv (y + v 2 ) √ dv y + 4 − iv −∞ ∞


for y ≥ 0; (ii) set g(u) = Q (2(cosh u − 1)); (iii) the Selberg Harish-Chandra transform of  is the Fourier transform of g, i.e. >∞ h (r) =

g(u)eiru du. −∞

The Selberg Harish-Chandra transform exists for complex numbers r with suitably bounded imaginary part. Remark 2 A slightly different, yet equivalent version of the Selberg HarishChandra transform of the point-pair invariant is given in [10, Theorem 1.5]. In the cited text, the automorphic kernel constructed from the point-pair invariant is defined as K˜  (z, w) =

 γ ∈



cw + d χ (γ ) cw + d

k 

z − γw γw − z

k g(cosh(dhyp (z, γ w))),

under the assumption that g(u) is a continuous function of u > 1, with a majorant g1 (u) ∈ L1 ∩L2 (1, ∞) satisfying the following condition: for any δ > 0 there exists a constant m(δ) > 0 such that, for all z, w ∈ H with dhyp (z, w) > δ, > g1 (cosh(dhyp (z, w))) ≤ m(δ)

g1 (cosh(dhyp (ζ, w)))dμhyp (ζ ).

dhyp (ζ,w)∞ h(r) = 2π

g(cosh(y)) 1

2 cosh y + 1

r

  cosh y − 1 d(cosh(y)), F r − k, r + k; 1; cosh y + 1

where F (a, b; c; z) stands for the (Gauss) hypergeometric function. In fact, Eq. (2) yields that K˜  (z, w) = K (z, w), where K (z, w) is defined by (15) with the point-pair invariant function  in definition (14) given by (x) = g(1 + x2 ); in particular h = h . For a function h : D → C, where D is a subset of C, and a constant a > 0 define the following conditions: (S1) h(r) is an even function. (S2) h(r) is holomorphic in the strip |.(r)| < a + for some > 0. (S3) h(r) - (1 + |r|)−2−δ for some fixed δ > 0 as |r| → ∞ in the set of definition of condition (S2).


Choosing a = A as in (13), the conditions (S1)–(S3) are actually the assumptions posed on the test function h in the trace formula [16, Theorem 6.3]. The following proposition holds: Proposition 1 ([16, Section 9.7]) Let A be defined as in (13) and λj = 1/4 + tj2 as in (12). Suppose that the Selberg Harish-Chandra transform h exists and satisfies conditions (S1)–(S3) for a = A. Then the automorphic kernel (15) admits a spectral expansion of the form K (z, w) =



h (tj )φj (z)φj (w)t

λj ≥|k|(1−|k|)

+

mj > ∞ c  1  h (r)Ej l (z, 1/2 + ir)Ej l (w, 1/2 + ir)t dr, 4π −∞ j =1 l=1

(16) which converges absolutely and uniformly on compacta. When  is cocompact, according to Remark 1, the second sum on the right hand side of (16) is identically zero. The assumptions on the test function h, which ensure the convergence of the series and the integral on the right-hand side of (16), can be relaxed. Namely, we will prove in Sect. 5 that, if the function h satisfies the conditions (S1), (S2 ) h(r) is well-defined and even for r ∈ R ∪ [−ia, ia], and (S3) in the set of definition of condition (S2 ) (that is, as |r| → ∞), then the series and integrals on the right-hand side of (16) are well-defined and converge absolutely and uniformly on compacta. However, the assumptions (S1), (S2 ) and (S3) do not imply that the right-hand side of (16) represents a spectral expansion of some L2 -automorphic kernel for a = A.

3.2 Resolvent Kernel and Pre-trace Formula ˜ k ) denote the resolvent set of  ˜ k , i.e. the set of all complex numbers λ for Let ρ( ˜ k −λid ˜ )−1 : Hk → D˜ k is bounded. According to [11, which the linear operator ( Dk ˜ k is the integral kernel of pp. 25–27], the resolvent kernel associated to the operator  ˜ k −s(1−s))−1 , defined for all s ∈ C\{k−n, −k−n | n = 0, 1, 2, . . .} the operator ( with ,(s) > 1 and z, w ∈ H such that z = γ w for all γ ∈  as the automorphic kernel Gs (z, w) :=

1 χ (γ )ks (σ (z, γ w))Jγ ,k (w)Hk (z, γ w), 2 γ ∈ 

(17)


Y. Kara et al.

with the point-pair invariant function

$$k_s(\sigma) := \sigma^{-s}\,\frac{\Gamma(s-k)\,\Gamma(s+k)}{4\pi\,\Gamma(2s)}\,F\!\left(s+k,\ s-k;\ 2s;\ \tfrac{1}{\sigma}\right),$$

where σ := σ(z, w) is defined by (4) and F(α, β; γ; z) denotes the classical Gauss hypergeometric function. The series on the right-hand side of (17) converges normally in the variables z, w ∈ H such that z ≠ γw and s ∈ C \ {k − n, −k − n | n = 0, 1, 2, . . .} with ℜ(s) > 1 with respect to the operator norm in the ring of endomorphisms of V.

Recall from [11, Formula (2.1.4) on p. 46] the pre-trace formula that follows from the computation of the trace of the resolvent kernel G_s(z, w):

Lemma 3 For all s, t ∈ C \ {k − n, −k − n | n = 0, 1, 2, . . .} with ℜ(t), ℜ(s) > 1 and z ∈ H, we have

$$\begin{aligned}
&\sum_{n \ge 0} \left( \frac{1}{\lambda_n - \lambda} - \frac{1}{\lambda_n - \mu} \right) |\varphi_n(z)|_V^2 + \frac{1}{4\pi} \sum_{j=1}^{c} \sum_{l=1}^{m_j} \int_{-\infty}^{\infty} \left( \frac{1}{\frac14 + r^2 - \lambda} - \frac{1}{\frac14 + r^2 - \mu} \right) |E_{jl}(z, \tfrac12 + ir)|_V^2\,dr \\
&\quad = -\frac{d}{4\pi} \bigl( \psi(s+k) + \psi(s-k) - \psi(t+k) - \psi(t-k) \bigr) \\
&\qquad + \frac12 \sum_{\gamma \in\ \setminus \{\pm I\}} \mathrm{Tr}(\chi(\gamma)) \bigl( k_s(\sigma(z, \gamma z)) - k_t(\sigma(z, \gamma z)) \bigr) J_{\gamma,k}(z) H_k(z, \gamma z),
\end{aligned} \tag{18}$$

where λ := s(1 − s), μ := t(1 − t) and ψ(x) := Γ′(x)/Γ(x) is the digamma function. Moreover, by Dini’s theorem, all the sums and integrals in (18) converge uniformly for every s, t as above and z ∈ H.

When  is cocompact, the sum over cusps on the left hand side of (18) is identically zero.

4 Sup-norm Bounds for the Eigenfunctions Associated to Discrete Eigenvalues

In this section, we use (18) to derive the sup-norm bounds for the norm $|\varphi_n(z)|_V$, when z ∈ F. Hence, among others, we need an upper bound for the absolute value of the difference $g_k(s; z, \gamma z) := k_s(\sigma(z, \gamma z)) - k_{s+1}(\sigma(z, \gamma z))$ analogous to the bound derived in [13, Lemma 6.2]. The proof of [13, Lemma 6.2] could be adopted to our setting when the weight k is not a positive integer or a half-integer. However, we give a direct proof of a better bound, valid for all real weights k.

Lemma 4 Let k ∈ R and let s > |k| be a real number. Then

$$|g_k(s; z, \gamma z)| \le \frac{s}{2\pi(s^2 - k^2)}\,\sigma(z, \gamma z)^{-s}. \tag{19}$$

Proof From the definition of hypergeometric series in terms of the Pochhammer symbol $(a)_j := \Gamma(a + j)/\Gamma(a)$ and the identity $(a + 1)_j = (a)_{j+1}/a$, we obtain that

$$k_{s+1}(\sigma(z, \gamma z)) = \sigma(z, \gamma z)^{-s} \times \frac{\Gamma(s-k)\,\Gamma(s+k)}{4\pi\,\Gamma(2s+1)} \sum_{j=0}^{\infty} \frac{(s+k)_{j+1}\,(s-k)_{j+1}\,(j+1)}{(j+1)!\,(2s+1)_{j+1}}\,\sigma(z, \gamma z)^{-(j+1)},$$

so that

$$g_k(s; z, \gamma z) = \sigma(z, \gamma z)^{-s}\,\frac{\Gamma(s-k)\,\Gamma(s+k)}{4\pi\,\Gamma(2s)} \sum_{j=0}^{\infty} \frac{(s+k)_j\,(s-k)_j}{j!\,(2s+1)_j}\,\sigma(z, \gamma z)^{-j}.$$

Since σ(z, γz) ≥ 1, application of [14, Formula 9.122.1] gives

$$\sum_{j=0}^{\infty} \frac{(s+k)_j\,(s-k)_j}{j!\,(2s+1)_j}\,\sigma(z, \gamma z)^{-j} \le \sum_{j=0}^{\infty} \frac{(s+k)_j\,(s-k)_j}{j!\,(2s+1)_j} = \frac{\Gamma(2s+1)}{\Gamma(s-k+1)\,\Gamma(s+k+1)},$$

which leads to

$$g_k(s; z, \gamma z) \le \frac{2s}{4\pi(s-k)(s+k)}\,\sigma(z, \gamma z)^{-s}.$$

The proof is complete; note that we have omitted the absolute values because all expressions are positive, due to the fact that s > |k| is real.   Remark 3 In the case where s = k+ , for some ∈ (0, 1) and some positive integer −s k, the upper bound from (19) becomes 2π k+ (2k+ ) σ (z, γ z) . This is obviously less

than 2π3 σ (z, γ z)−s for all positive integers k, hence the bound (19) is better than the one obtained in [13, Lemma 6.2] using the representation of the resolvent kernel as an integral transform of the heat kernel.


Next, we derive the sup-norm bound for the eigenfunctions of the weighted Laplacian associated to discrete eigenvalues λj, j ≥ 0, and for the integral of the Eisenstein series, when M is non-compact. Throughout this section, identify the surface M with the fundamental domain F. Let Y > 1 be arbitrary and let $F_j^Y$ denote the neighbourhood of the cusp ζj, j ∈ {1, . . . , c }, characterized by

$$A_j F_j^Y = \{ z \in H \mid -1/2 \le \Re(z) \le 1/2,\ \Im(z) \ge Y \},$$

where, recall, $A_j$ is the scaling matrix associated to the cusp ζj, for every j ∈ {1, . . . , c }. Denote by $F_Y$ the closure of the complement of $\bigcup_{j=1}^{c} F_j^Y$ with respect to F (note that F = $F_Y$ if  is cocompact). We introduce the constant

$$C(k, M, d) := \frac{d(|k| + 2)}{8\pi(|k| + 1)} + \left( \frac{|k| + 2}{|k| + 1} \right)^{2} \frac{d}{2\,\mathrm{vol}_{hyp}(F)}\,e^{\frac32 \mathrm{diam}_{hyp}(F)}, \tag{20}$$

where $\mathrm{diam}_{hyp}(F)$ denotes the hyperbolic diameter of the fundamental domain F. The constant C(k, M, d) clearly depends upon the surface and the multiplier system, but not on the eigenvalue. With this notation, the following proposition holds:

Proposition 2
(a) Let φj(z) be the eigenfunction of the Laplacian k associated to the discrete eigenvalue λj. Then

$$\sup_{z \in F} |\varphi_j(z)|_V \le C(k, M, d)\,|\lambda_j|, \tag{21}$$

where the constant C(k, M, d) depends on the surface and the multiplier system, but not on the eigenvalue. When λj ≥ 3 + |k|, one can take

$$C(k, M, d) = (C(k, M, d)(|k| + 2))^{1/2}.$$

(b) In case when  contains parabolic elements, for any j ∈ {1, . . . , c } and l ∈ {1, . . . , mj}, the following bound for the parabolic Eisenstein series (10) of weight k for the cusp ζj, the multiplier system χ and the eigenvector $v_{jl}$ holds:

$$\sup_{z \in F} \int_{-\infty}^{\infty} \frac{1}{\left( \frac14 + r^2 + (|k| + 2)^2 \right)^2 - (|k| + 2)^2}\,|E_{jl}(z, \tfrac12 + ir)|_V^2\,dr \le \frac{2\pi\,C(k, M, d)}{|k| + 2}. \tag{22}$$

Proof Take s = |k| + 2 and t = |k| + 3 in Lemma 3 (note that s, t ∉ {k − n, −k − n | n = 0, 1, 2, . . .}). Start with an upper bound for the right-hand side of (18). The sum of the values of digamma functions may be evaluated by applying the functional equation $\psi(z + 1) = \psi(z) + z^{-1}$:

$$\frac{d}{4\pi}\,|\psi(s + k) + \psi(s - k) - \psi(t + k) - \psi(t - k)| = \frac{d(|k| + 2)}{8\pi(|k| + 1)}.$$

To bound the sum, use inequality (19). Recall that $|J_{\gamma,k}(z) H_k(z, \gamma z)| = 1$ for all z and γ and that χ is unitary, so that

$$\frac12 \Bigl| \sum_{\gamma \in\ \setminus \{\pm I\}} \mathrm{Tr}(\chi(\gamma)) \bigl( k_s(\sigma(z, \gamma z)) - k_t(\sigma(z, \gamma z)) \bigr) J_{\gamma,k}(z) H_k(z, \gamma z) \Bigr| \le \sum_{\gamma \in\ \setminus \{I\}} \frac{d(|k| + 2)}{8\pi(|k| + 1)}\,\sigma(z, \gamma z)^{-(|k|+2)}.$$

Furthermore, applying [13, Lemma 3.7] with δ = |k| + 2, we deduce that, for any Y > 1 and any z ∈ $F_Y$,

$$\sum_{\gamma \in\ \setminus \{I\}} \frac{d(|k| + 2)}{8\pi(|k| + 1)}\,\sigma(z, \gamma z)^{-(|k|+2)} \le \left( \frac{|k| + 2}{|k| + 1} \right)^{2} \frac{d\,B_Y}{2},$$

where $B_Y = \exp\bigl( \tfrac32 \mathrm{diam}_{hyp}(F_Y) \bigr)\,\mathrm{vol}_{hyp}(F_Y)^{-1}$. Note that, for every Y ≥ 2, $B_Y$ is bounded by $\exp\bigl( \tfrac32 \mathrm{diam}_{hyp}(F) \bigr)\,\mathrm{vol}_{hyp}(F)^{-1}$. Hence, for all z ∈ $F_Y$ and Y ≥ 2, the right-hand side of (18) is bounded from above by the constant C(k, M, d) defined in (20). Now, specialize the pre-trace formula (18) to either one summand or one integral on the left-hand side.

(a) Since there are only finitely many eigenvalues that are less than 3 + |k|, it is sufficient to prove (21) for eigenvalues λj ≥ 3 + |k|. Therefore, assume that λj ≥ 3 + |k|. Our choice of s and t in Lemma 3, together with above computations and the assumption on λj, lead to the inequality

$$\sup_{z \in F_Y} |\varphi_j(z)|_V^2 \le C(k, M, d)(|k| + 2)\,\lambda_j^2,$$

which holds for all Y ≥ 2. It remains to extend it to z ∈ F. Since all eigenfunctions φj are continuous on F and the area of F is finite (with the area of the boundary equal to zero, since  is of the first kind), one deduces that $(z \mapsto |\varphi_j(z)|_V) \in L^p(F)$ for all p ≥ 1 and, more importantly, that

$$\sup_{z \in F} |\varphi_j(z)|_V = \lim_{p \to \infty} \mu(F)^{-1/p}\,\bigl\| |\varphi_j(z)|_V \bigr\|_p = \lim_{p \to \infty} \left( \mu(F)^{-1} \int_F |\varphi_j(z)|_V^p\,d\mu_{hyp}(z) \right)^{1/p},$$

where $\| \cdot \|_p$ denotes the $L^p$-norm (see e.g. [6, Formula (22) on p. 100] for the analogous statement related to eigenfunctions of the Laplacian). Let $\{Y_n\}_{n \ge 1}$ be an increasing sequence of real numbers bigger than 2, tending to infinity. For every p > 1, the monotone convergence theorem applied to the sequence $|\varphi_j(z)|^p\,1_{F_{Y_n}}(z)$, where $1_{F_{Y_n}}(z)$ denotes the characteristic function of the set $F_{Y_n}$, yields that

$$\int_F |\varphi_j(z)|_V^p\,d\mu_{hyp}(z) = \lim_{n \to \infty} \int_{F_{Y_n}} |\varphi_j(z)|_V^p\,d\mu_{hyp}(z) \le C(k, M, d)^{p/2} (|k| + 2)^{p/2} |\lambda_j|^p \mu(F).$$

Therefore,

$$\sup_{z \in F} |\varphi_j(z)|_V \le C(k, M, d)^{1/2} (|k| + 2)^{1/2} |\lambda_j|.$$

(b) If M has cusps, fix j ∈ {1, . . . , c } and l ∈ {1, . . . , mj}. The above computations imply that, for s = |k| + 2 and for all Y ≥ 2,

$$\sup_{z \in F_Y} \int_{-\infty}^{\infty} \frac{1}{\left( \frac14 + r^2 + s^2 \right)^2 - s^2}\,|E_{jl}(z, \tfrac12 + ir)|_V^2\,dr \le \frac{2\pi\,C(k, M, d)}{|k| + 2}.$$

Proceeding analogously as above, define the function

$$G(z) := \int_{-\infty}^{\infty} \frac{1}{\left( \frac14 + r^2 + s^2 \right)^2 - s^2}\,|E_{jl}(z, \tfrac12 + ir)|_V^2\,dr,$$

which is continuous and non-negative on F. Applying the monotone convergence theorem to the sequence $G(z)^p \cdot 1_{F_{Y_n}}(z)$, together with the fact that the sup-norm is the limit of $L^p$-norms, and reasoning as in the proof of part (a), we deduce that

$$\sup_{z \in F} \int_{-\infty}^{\infty} \frac{1}{\left( \frac14 + r^2 + s^2 \right)^2 - s^2}\,|E_{jl}(z, \tfrac12 + ir)|_V^2\,dr \le \frac{2\pi\,C(k, M, d)}{|k| + 2}.$$

This completes the proof.
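
The two computations behind the constants in the proof of Proposition 2, written out for s = |k| + 2 and t = s + 1 = |k| + 3 (an added worked step, not part of the original text). It uses only Lemma 3, the functional equation ψ(z + 1) = ψ(z) + z^{-1}, and the observation that for this choice of s and t every term on the left-hand side of (18) is non-negative.

$$\begin{aligned}
\psi(t \pm k) &= \psi(s \pm k + 1) = \psi(s \pm k) + \frac{1}{s \pm k}, \\
\psi(s+k) + \psi(s-k) - \psi(t+k) - \psi(t-k) &= -\frac{1}{s+k} - \frac{1}{s-k} = -\frac{2s}{s^2 - k^2} = -\frac{2(|k|+2)}{4|k|+4} = -\frac{|k|+2}{2(|k|+1)}, \\
-\frac{d}{4\pi}\bigl( \psi(s+k) + \psi(s-k) - \psi(t+k) - \psi(t-k) \bigr) &= \frac{d(|k|+2)}{8\pi(|k|+1)}.
\end{aligned}$$

This is the first summand of the constant (20). For the left-hand side of (18), put λ = s(1 − s) and μ = t(1 − t) = −s(s + 1), so that

$$\frac14 + r^2 - \lambda = \Bigl( \frac14 + r^2 + s^2 \Bigr) - s, \qquad \frac14 + r^2 - \mu = \Bigl( \frac14 + r^2 + s^2 \Bigr) + s,$$

$$\frac{1}{\frac14 + r^2 - \lambda} - \frac{1}{\frac14 + r^2 - \mu} = \frac{2s}{\left( \frac14 + r^2 + s^2 \right)^2 - s^2}.$$

Keeping a single pair (j, l) on the left of (18) and bounding the right-hand side by C(k, M, d) for z ∈ $F_Y$, Y ≥ 2, gives

$$\frac{1}{4\pi} \cdot 2s \int_{-\infty}^{\infty} \frac{|E_{jl}(z, \tfrac12 + ir)|_V^2}{\left( \frac14 + r^2 + s^2 \right)^2 - s^2}\,dr \le C(k, M, d) \quad \Longrightarrow \quad \int_{-\infty}^{\infty} \frac{|E_{jl}(z, \tfrac12 + ir)|_V^2}{\left( \frac14 + r^2 + s^2 \right)^2 - s^2}\,dr \le \frac{2\pi\,C(k, M, d)}{|k| + 2},$$

which is the integrand and the factor 2π/(|k| + 2) appearing in (22).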

5 The Wave Distribution Associated to the Weighted Laplacian

5.1 The Heat and Poisson Kernel

In this section, we define the Poisson kernel for the weighted Laplacian k via the heat kernel. For any t > 0 and ρ ≥ 0, define the heat kernel

$$K_{heat}(t; \rho) := \frac{\sqrt{2}\,e^{-t/4}}{(4\pi t)^{3/2}} \int_{\rho}^{\infty} \frac{r\,e^{-r^2/4t}}{\sqrt{\cosh(r) - \cosh(\rho)}}\,T_{2k}\!\left( \frac{\cosh(r/2)}{\cosh(\rho/2)} \right) dr, \tag{23}$$

where

$$T_{2k}(x) = \frac12 \left[ \bigl( x + \sqrt{x^2 - 1} \bigr)^{2k} + \bigl( x - \sqrt{x^2 - 1} \bigr)^{2k} \right],$$

for any real k. Here the k-th powers are chosen as in Lemma 1. Note that, for k ∈ ½Z, the function $T_{2k}(x)$ coincides with the 2k-th Chebyshev polynomial. The hyperbolic heat kernel on H is defined by

$$K_H(t; z, w) := K_{heat}(t; d_{hyp}(z, w)) \qquad (z, w \in H).$$

For any t > 0 and k ∈ R, the same argument as in [12, p. 136] shows that the heat kernel $K_H(t; \rho)$ is strictly monotonic decreasing with respect to ρ > 0. In the spirit of [10, p. 157], the hyperbolic heat kernel on M associated to k is defined as $K_{hyp}(t; z, w)$ :=

    1 cw + d k z − γ w k χ(γ ) KH (t; z, γ w) 2 cw + d γw − z

(z, w ∈ F).

γ ∈ 

(24) Lemma 5 For any k ∈ R and t > 0, Khyp (t; z, w) converges absolutely and uniformly on any compact subset of F × F.


Proof Let U be a compact subset of F × F. Since χ is a unitary multiplier system  k  k z−γ w = 1 for any γ ∈  and z, w ∈ F, it follows that and cw+d cw+d γ w−z  χ (γ )

cw + d cw + d

k 

z − γw γw − z

k =

KH (t; z, γ w)

√ d|KH (t; z, γ w)|,

End(V )

(25) where | · |End(V ) denotes hermitian norm on End(V ). Therefore, in order to prove the absolute and uniform convergence of Khyp (t; z, w) for any t > 0 and (z, w) ∈ U , we need to prove the convergence of the series 

KH (t; z, γ w)

γ ∈ 

in C. Introduce the counting function N(ρ; z, w) := #{γ ∈  | $d_{hyp}$(z, γw) < ρ}, which is defined for any ρ > 0 and (z, w) ∈ U. Then [26] gives a bound (uniformly for all (z, w) ∈ U) for the function N(ρ; z, w), namely

$$N(\rho; z, w) = O(e^{\rho}),$$

where the implied constant depends only on  . By Stieltjes integral representation, we have

$$\sum_{\gamma \in\ } K_H(t; z, \gamma w) = \int_0^{\infty} K_{heat}(t; \rho)\,dN(\rho; z, w). \tag{26}$$

Using the fact that $K_{heat}(t; \rho)$ is a non-negative, continuous and monotonic decreasing function of ρ, write

$$\int_0^{\infty} K_{heat}(t; \rho)\,dN(\rho; z, w) = O\!\left( \int_0^{\infty} K_{heat}(t; \rho)\,e^{\rho}\,d\rho \right). \tag{27}$$

Following the idea of the proof of [12, Proposition 3.3], we obtain that

$$K_{heat}(t; \rho) \le e^{-\rho^2/(8t)}\,G_k(t),$$

where the function $G_k(t)$ is given by

$$G_k(t) := \frac{e^{-t/4}}{(4\pi t)^{3/2}} \int_0^{\infty} \frac{r\,e^{-r^2/(8t)}}{\sinh(r/2)}\,e^{kr}\,dr. \tag{28}$$


Combining (26), (27), and (28), we obtain that

$$\sum_{\gamma \in\ } K_H(t; z, \gamma w) = O\bigl( G_k(t)\,h(t) \bigr),$$

with $h(t) := \int_0^{\infty} e^{-\rho^2/(8t)}\,e^{\rho}\,d\rho$ and where the implied constant depends only on . Hence, the proof is complete.

Notice that using the notations introduced in Sect. 2 of the paper, we can rewrite the heat kernel as

$$K_{hyp}(t; z, w) = \frac12 \sum_{\gamma \in\ } \chi(\gamma)\,J_{\gamma,k}(w)^{-1}\,H_k(z, \gamma w)^{-1}\,K_H(t; z, \gamma w) \qquad (z, w \in F).$$

Now using the fact that $H_k$ is a weight k point-pair invariant, χ is a multiplier system and the relation

$$J_{\eta,k}(\gamma z)\,J_{\gamma,k}(z) = \omega_{2k}(\eta, \gamma)\,J_{\eta\gamma,k}(z), \qquad (\eta, \gamma \in SL_2(\mathbb{R}),\ z \in H),$$

one can easily prove the following equations:

$$K_{hyp}(t; \eta z, w) = K_{hyp}(t; z, w)\,J_{\eta,k}(z)^{-1}\,\chi(\eta)^{-1}, \qquad K_{hyp}(t; z, \eta w) = J_{\eta,k}(w)\,\chi(\eta)\,K_{hyp}(t; z, w),$$

for t > 0, z, w ∈ H and η ∈ . The hyperbolic heat kernel $K_{hyp}(t; z, w)$ admits the spectral expansion

$$K_{hyp}(t; z, w) = \sum_{\lambda_j \ge \lambda_0} e^{-\lambda_j t}\,\varphi_j(z)\,\varphi_j(w)^t + \frac{1}{4\pi} \sum_{j=1}^{c} \sum_{l=1}^{m_j} \int_{-\infty}^{\infty} e^{-(1/4 + r^2)t}\,E_{jl}(z, 1/2 + ir)\,E_{jl}(w, 1/2 + ir)^t\,dr. \tag{29}$$

Let U ⊂ F × F be a compact subset and let t > 0. Using the sup-norm bound (21) for the eigenfunctions φj (j ≥ 0) and applying the norm arising from the Hermitian inner product to a d × d matrix in (9), we obtain that  λ0 ≤λj 0, the series and the integrals on the right hand side of (29) converge absolutely and uniformly on every compact subset of F × F. From the integral representation of $K_H(t; d_{hyp}(z, w))$ and the spectral expansion (29), we deduce that $K_{hyp}(t; z, w)$ satisfies the following estimates, stated component-wise:

$$K_{hyp}(t; z, w) = O_{F,k}\bigl( t^{-3/2}\,e^{-d_{hyp}^2(z,w)/4t} \bigr) \quad \text{as } t \to 0, \tag{30}$$

$$K_{hyp}(t; z, w) = O_{F,k}\bigl( e^{-\lambda_0 t} \bigr) \quad \text{as } t \to \infty. \tag{31}$$

For every Z ∈ C with ℜ(ζ) ≥ −|k|(1 − |k|), z, w ∈ F and u ∈ C with ℜ(ζ) ≥ 0, the translated by −Z Poisson kernel $P_{M,-Z}(u; z, w)$ is defined as

$$P_{M,-Z}(u; z, w) := \frac{u}{\sqrt{4\pi}} \int_0^{\infty} K_{hyp}(t; z, w)\,e^{-Zt}\,e^{-u^2/4t}\,t^{-3/2}\,dt, \tag{32}$$

where the integral is taken component-wise. This kernel is a fundamental solution of the associated differential operator k + Z − $\partial_u^2$. Furthermore, using the spectral expansion of the heat kernel $K_{hyp}(t; z, w)$ and the identity (see [18])

$$e^{-a\sqrt{\lambda}} = \frac{a}{\sqrt{4\pi}} \int_0^{\infty} e^{-t\lambda}\,e^{-a^2/4t}\,\frac{dt}{t^{3/2}}, \qquad \lambda \ge 0,\ a \in \mathbb{C},\ \Re(a) \ge 0,$$

we have the following spectral expansion PM,−Z (u; z, w) =



e−u



λj +Z

λ0 ≤λj



−∞

e−u|r| Ej l (z, 1/2 + ir)Ej l (w, 1/2 + ir)t dr.

Following the steps of the proof of [18, Theorem 5.2], using the estimates (30)– (31) for each component of the heat kernel Khyp (t; z, w) and the fact that Khyp (t; z, w) −

 λj ≤1/4

e−λj t = O(e−λt )

as t → ∞,


where λ is the first eigenvalue of k bigger than 1/4, one can deduce that, for ℜ(u) > 0 and ℜ(u²) > 0, the Poisson kernel $P_{M,-Z}(u; z, w)$ has an analytic continuation for each entry of the matrix to Z = −1/4. The continuation is given by √  e−u λj −1/4 φj (z)φj (w)t + e−utj φj (z)φj (w)t



PM,1/4 (u; z, w) =

λ0 ≤λj  mj

j =1 l=1

λj ≥1/4 ∞ −∞

e−u|r| Ej l (z, 1/2 + ir)Ej l (w, 1/2 + ir)t dr, (33)

) where tj = λj − 1/4 ≥ 0, for λj ≥ 1/4 and for λj < 1/4 we take the principal ) branch of λj − 1/4. When  is cocompact, the sum over cusps (i.e. the last sum on the right hand side of (33)) is identically zero.

5.2 The Wave Distribution and Its Integral Representation

Let L¹(R) denote the space of absolutely integrable functions on R and let $C_0^{\infty}(\mathbb{R})$ denote its subspace of all infinitely differentiable functions with compact support.

Definition 3 For any a ≥ 0, denote by L¹(R, a) (resp. S  (R, a)) the space of even functions g in L¹(R) (resp. in the Schwartz space on R) such that g(u) exp(|u|a) is absolutely dominated by an integrable function on R. Denote the Fourier transform of every g ∈ L¹(R, a) by

$$H(r, g) = \int_{-\infty}^{\infty} g(u) \exp(iru)\,du, \tag{34}$$

with the domain extended to all r ∈ C for which it is well-defined. Notice that, since g is assumed to be even,

$$H(r, g) = 2 \int_0^{\infty} \cos(ur)\,g(u)\,du. \tag{35}$$

The following result is a generalization of Lemma 3 in [19].

Lemma 6 Let n ≥ 3 be an integer.
(a) Let g ∈ L¹(R, a) be such that $g^{(l)}$ ∈ L¹(R) for 1 ≤ l ≤ n, and $\lim_{u \to \infty} g^{(l)}(u) = 0$ for 0 ≤ l ≤ n − 1. Then the Fourier transform H(r, g) is well-defined for r ∈ {z ∈ C | |ℑ(z)| ≤ a} and satisfies the conditions (S1), (S2′), and (S3) with δ = n − 2.


(b) Let η > 0 and let g ∈ S  (R, a + η) be such that $g^{(j)}(u) \exp(|u|(a + \eta))$ is absolutely bounded by some integrable function on R for 1 ≤ j ≤ n − 1. Then the function H(r, g) satisfies the conditions (S1), (S2) for any 0 < < η, and (S3) with δ = n − 2.
(c) If g ∈ S  (R, a), then H(r, g) is a Schwartz function in r ∈ R.

Proof (a) For all r ∈ {z ∈ C | |ℑ(z)| ≤ a}, u ∈ R and g ∈ L¹(R, a), $|g(u) \exp(iru)| \le |g(u)|\,e^{|u|a}$ is dominated by an integrable function on R, and thus H(r, g) is well-defined. It is also even with respect to r. Furthermore, for every r ∈ R, using the assumptions on the decay of $g^{(l)}$ for 0 ≤ l ≤ n − 1 and the fact that $g^{(2j+1)}(0) = 0$ (since g is even), we obtain that

$$\begin{aligned}
\frac12 H(r, g) &= \left[ \frac{1}{r} \sin(ur)\,g(u) \right]_0^{\infty} - \frac{1}{r} \int_0^{\infty} \sin(ur)\,g'(u)\,du \\
&= \left[ \frac{1}{r^2} \cos(ur)\,g'(u) \right]_0^{\infty} - \frac{1}{r^2} \int_0^{\infty} \cos(ur)\,g''(u)\,du \\
&= \dots \\
&= \left[ \frac{(-1)^{1+n/2}}{r^{n-1}} \sin(ur)\,g^{(n-2)}(u) \right]_0^{\infty} + (-1)^{n/2}\,\frac{1}{r^{n-1}} \int_0^{\infty} \sin(ur)\,g^{(n-1)}(u)\,du \\
&= \left[ \frac{(-1)^{1+n/2}}{r^{n}} \cos(ur)\,g^{(n-1)}(u) \right]_0^{\infty} + (-1)^{n/2}\,\frac{1}{r^{n}} \int_0^{\infty} \cos(ur)\,g^{(n)}(u)\,du,
\end{aligned}$$

when n is even. For odd n, we obtain a similar series of equations, terminating at

$$\mp \left[ \frac{1}{r^n} \sin(ur)\,g^{(n-1)}(u) \right]_0^{\infty} \pm \frac{1}{r^n} \int_0^{\infty} \sin(ur)\,g^{(n)}(u)\,du.$$

Hence, using the definition of H(r, g) and the integrability conditions, it follows that

$$(1 + |r|)^n\,|H(r, g)| \le c \cdot 2 \sum_{l=0}^{n} \int_0^{\infty} |g^{(l)}(u)|\,du \ll 1,$$

for some constant c. This proves that H(r, g) satisfies the condition (S3) for r ∈ R with δ = n − 2.

(b) By assumption, there exists an integrable function G(u) dominating g(u) exp(|u|(a + η))


absolutely. In turn, |g(u) cos(ur)| ≤ G(u) exp(−(η − )|u|) is uniformly bounded in the strip |ℑ(r)| ≤ a + for 0 < < η. Hence, the integral defining H(r, g) converges absolutely and uniformly on any compact set contained in such a strip, and thus defines a holomorphic function on the open strip {r ∈ C | |ℑ(r)| < a + η}. In particular, conditions (S1) and (S2) are satisfied. Similarly, for j = 1, . . . , n − 1, the functions $g^{(j)}(u) \cos(ur)$, as well as $g^{(j)}(u) \sin(ur)$, are bounded absolutely and uniformly in r by some integrable functions $G_j(u)$ exp(−(η − )|u|). Recalling the computation involving partial integration from part (a), we obtain (S3) as well.

(c) If g ∈ S  (R, a), then its Fourier transform H(r, g) is a Schwartz function in the variable r ∈ R.

We now define the wave distribution.

Definition 4 (Wave Distribution) Let z, w ∈ F. For every g ∈ $C_0^{\infty}(\mathbb{R})$, the wave distribution $W_{M,k,\chi}(z, w)$ applied to g is defined as

$$W_{M,k,\chi}(z, w)(g) := \sum_{\lambda_j \ge |k|(1-|k|)} H(t_j, g)\,\varphi_j(z)\,\varphi_j(w)^t + \frac{1}{4\pi} \sum_{j=1}^{c} \sum_{l=1}^{m_j} \int_{-\infty}^{\infty} H(r, g)\,E_{jl}(z, 1/2 + ir)\,E_{jl}(w, 1/2 + ir)^t\,dr, \tag{36}$$

where $\sqrt{\lambda_j - 1/4} = t_j \ge 0$ for λj ≥ 1/4 and $t_j$ ∈ (0, iA] when λj < 1/4, where A is defined in (13).

Proposition 3 Let z, w ∈ F.
(a) For every g as in Lemma 6(a) with a = A and n = 4, the wave distribution $W_{M,k,\chi}(z, w)$ is well-defined.
(b) Let g ∈ S  (R, A) satisfy the conditions of Lemma 6(b) with n = 4. Then $W_{M,k,\chi}(z, w)(g)$ represents the automorphic kernel K (z, w) = K, (z, w) for the inverse Selberg Harish-Chandra transform  of H(·, g).

Proof (a) By Lemma 6, the function H(r, g) is well-defined for all r ∈ C with |ℑ(r)| ≤ A, which implies that the finite sum

$$\sum_{|k|(1-|k|) \le \lambda_j < \frac14} H(t_j, g)\,\varphi_j(z)\,\varphi_j(w)^t$$


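converges (recall that $\lim_{j \to \infty} \lambda_j = \infty$). Furthermore, if λj ≥ 1/4, then $t_j$ ∈ R and thus $H(t_j, g) \ll (1 + |t_j|)^{-4}$ as j → ∞. Fix z, w ∈ F and observe that $H(t_j, g)\,\varphi_j(z)\,\varphi_j(w)^t \in \mathbb{C}^{d \times d}$. By applying the norm $| \cdot |_{d \times d}$ and Hölder’s inequality, we obtain that

$$\sum_{\lambda_j \ge \frac14} |H(t_j, g)\,\varphi_j(z)\,\varphi_j(w)^t|_{d \times d} = \sum_{\lambda_j \ge \frac14} |H(t_j, g)|\,|\varphi_j(z)|_V\,|\varphi_j(w)|_V \ll \Bigl( \sum_{\lambda_j \ge \frac14} |H(t_j, g)|\,|\varphi_j(z)|_V^2 \Bigr)^{1/2} \Bigl( \sum_{\lambda_j \ge \frac14} |H(t_j, g)|\,|\varphi_j(w)|_V^2 \Bigr)^{1/2}.$$

Note that, due to the estimate on $|H(t_j, g)|$, each of the factors on the right-hand side can be compared with the sum occurring in the pre-trace formula (18). Use (18) with s = |k| + 2 and t = |k| + 3, as in the proof of Proposition 2, to obtain the following bound:

$$\sum_{\lambda_j \ge \frac14} |H(t_j, g)|\,|\varphi_j(z)|_V^2 \ll \sum_{\lambda_j \ge \frac14} \frac{1}{(1 + |t_j|)^4}\,|\varphi_j(z)|_V^2 \ll \sum_{\lambda_j \ge \frac14} \frac{1}{t_j^4 + t_j^2 \left( \frac12 + 2s^2 \right) + \frac{1}{16} + \frac12 s^2 + s^2(s^2 - 1)}\,|\varphi_j(z)|_V^2 \le \frac{C(k, M, d)}{2(|k| + 2)}.$$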

Convergence of the integral (uniform on compact subsets of F × F) can be proved in a similar way, completing the proof.

(b) Because the properties of g imposed by assumption imply those claimed in part (a), the wave distribution is well-defined by the spectral expansion with coefficients H(r, g). The claim follows from Proposition 1, once we establish that H(r, g) belongs to the image of the Selberg Harish-Chandra transform. Hence, we have to invert steps (i)–(iii) of page 245. The inverse of H(r, g) under Fourier transformation (iii) is trivially g. Since g is an even $C^{\infty}$ function, the inverse Q : R+ → C of g under (ii) exists and it is given by

$$Q(y) = g\Bigl( 2 \log\bigl( \tfrac12 \sqrt{y + 4} + \tfrac12 \sqrt{y} \bigr) \Bigr).$$

It belongs to $C^{\infty}(\mathbb{R}_+)$. Since g(u) exp((A + η)u) → 0 for u → ∞, we obtain that

$$Q(y) \ll \exp\Bigl( -(A + \eta)\,2 \log\bigl( \tfrac12 \sqrt{y + 4} + \tfrac12 \sqrt{y} \bigr) \Bigr),$$

i.e. $Q(y) \ll (y + 4)^{-(A+\eta)}$. Similarly, for its first derivative

$$Q'(y) = g'\Bigl( 2 \log\bigl( \tfrac12 \sqrt{y + 4} + \tfrac12 \sqrt{y} \bigr) \Bigr)\,\frac{1}{\sqrt{y(y + 4)}}$$

we find that $Q'(y) \ll (y + 4)^{-(A+\eta)-1}$, and for its second one

   1) 1√ 1 Q (y) = g 2 log y+4+ y √ 2 2 y(y + 4)    ) y+2 1 1√ − g  2 log y+4+ y 3 2 2 (y(y + 4)) 2 



we obtain the estimate Q (y) - (y + 4)−(A+η)−2 . By [15, pp. 455–457], the inverse of Q under (i) is given by 1 (x) = − π

>∞

√ 

Q (x + t ) √ 2

x + 4 + t2 − t

k dt ,

(37)

| (x)| - (x + 4)−α−1 ,

(38)

−∞

x + 4 + t2 + t

where  ∈ C 1 (R+ ) satisfies |(x)| - (x + 4)−α

and

for some α > max{1, |k|}. We have to show that the integral in (37) is C 1 and satisfies the two conditions (38). Let β = A + η + 1. The bound on Q together with its differentiability allows us to conclude that the first condition of (38) holds, once we prove that −1 π

⎡ √

k √

−k ⎤ >∞ 2−t 2−t x + 4 + t x + 4 + t ⎦ dt (x + 4 + t 2 )−β ⎣ √ + √ x + 4 + t2 + t x + 4 + t2 + t 0

- (x + 4)−(β−1/2) . (39)


√ x +t 2 −t Let x1 = x + 4 and introduce the change of variables y = √ 1 2 in the integral x1 +t +t

on the left-hand side of (39). Using √ x1 (1 − y) , √ 2 y

t=

x1 + t 2 =

x1 (1 + y)2 , 4y

√ dt = −

x1 (1 + y) 3

dy ,

4y 2

the integral becomes 1 −(β−1/2) − 4β−1 x1 π

>1

(1 + y)−2β+1 (y β+k−3/2 + y β−k−3/2 ) dy ,

0

which is finite if and only if β − |k| − 3/2 > −1. This inequality in turn holds, due to our choice of A and η > 0. This proves (39) and the first part of (38). Next, we prove that (x) is C 1 and that the second bound of (38) holds. In order to prove that (x) is C 1 , it is sufficient to show that the integrand in (37) is differentiable in x and that the derivative of the integrand is bounded by some integrable function. If so, then  (x) =

−1 π

>∞ −∞

k ⎞ d ⎝  x −t ⎠ dt . Q (x + t 2 ) √ 2 dx x+4+t +t ⎛



+ 4 + t2

Differentiability of the integrand with respect to x is obvious, so it remains to prove that ⎛ √

k ⎞ >∞ 2−t −1 d ⎝  x + 4 + t ⎠ dt - (x + 4)−(β+1/2) . (40) Q (x + t 2 ) √ π dx x + 4 + t2 + t −∞

Analogously to the above, starting with the bound for Q , we immediately deduce that −1 π

>∞ −∞



k x + 4 + t2 − t Q (x + t ) √ dt - (x + 4)−(β+1/2) . 2 x+4+t +t 

2

Therefore, to prove (40) and complete the proof of part (b), it suffices to show that −1 π

>∞ 0

⎡ √

k √

−k ⎤ 2 2 x+4+t −t x+4+t −t d ⎣ ⎦ dt Q (x + t 2 ) + √ √ 2 dx x+4+t +t x + 4 + t2 + t - (x + 4)−(β+1/2) .


This can be done analogously to the proof of the first bound in (38), i.e. take x1 = √ x +t −t x + 4 and change variables to y = √ 1 2 . Using the bound for Q , it follows 2

x1 +t +t

that the above integral is bounded by k −β−1/2 β−1 4 x π 1

>1

  −β−1/2 (1 + y)−2β (1 − y) y β+k−3/2 − y β−k−3/2 - x1 ,

0

because β − |k| − 3/2 > −1.

 

Theorem 2 Let z, w ∈ F be such that z = w. Then there exists a continuous d × d matrix-valued function W (u; z, w) on R+ such that the following hold: √  u 1/4−λj ) (a) W (u; z, w) = e ( 1/4 − λj )−4 φj (z)φj (w)t + O(u4 ) as λj



WM,k,χ (z, w)(g) =

W (u; z, w)g (4) (u)du.

(41)

0

Proof For every ζ ∈ C \ {0} and t = 0 in the strip {t ∈ C : |.(t)| ≤ A}, define w(ζ, t) :=

e−tζ −

3

l=0 hl,3 (sin t)(−ζ ) t4

l

and set w(ζ, 0) := limt→0 w(ζ, t). In the above definition, hl,3 (x) is a polynomial of degree at most 3 such that, for all t ∈ R with t → 0, hl,3 (sin t) =

tl + O(t 4 ). l!

For the explicit construction of hl,3 (x), see the proof of [7, Theorem 2]. It is easy to see that w(ζ, 0) is well-defined and equal to estimate of hl,3 for 0 ≤ l ≤ 3, we obtain that

ζ4 24 .

If t ∈ R+ , then using the above

w(ζ, t) = Oζ (1) as t → 0. Furthermore, if ,(ζ ) ≥ 0 and t ∈ R+ , then e−tζ and sin(t) are bounded functions as t → ∞. Therefore, w(ζ, t) = Oζ (t −4 ) as t → +∞.

(42)


Note that the above estimates also hold for w(j ) (ζ, t), the j -th derivative of w(ζ, t) with respect to ζ , for j = 1, 2, 3, 4. For z, w ∈ F with z = w and ζ ∈ C with ,(ζ ) ≥ 0, define the following matrix-valued function: 

(ζ ; z, w) = W

w(ζ, tj )φj (z)φj (w)t

λj ≥λ0 mj > ∞ c  1  + w(ζ, |r|)Ej,l (z, 1/2 + ir)Ej,l (w, 1/2 + ir)t dr, 4π −∞ j =1 l=1

(43) ) where tj = λj − 1/4 for every j ≥ 0 is given by the principal branch of the square root. Recall that, if λj < 1/4, then tj ∈ (0, iA], otherwise tj ≥ 0. Also, in case when  is cocompact, the second sum on the right hand side of (43) is identically zero. Following the same reasoning as in the proof of Proposition 3, part (a) (i.e., using the Hölder inequality, the estimate (42), comparing with the pre-trace formula (18) and using the bounds obtained in Proposition 2), it is clear that for ,(ζ ) ≥ 0 the series  w(ζ, tj )φj (z)φj (w)t λj ≥λ0

converges absolutely and uniformly on F × F. The same holds for the integral >



−∞

w(ζ, |r|)Ej,l (z, 1/2 + ir)Ej,l (w, 1/2 + ir)t dr,

for any pair (j, l) with 1 ≤ j ≤ c and 1 ≤ l ≤ mj , when  is non-compact. (ζ ; z, w) is a Therefore, for every arbitrary fixed ζ ∈ C with ,(ζ ) ≥ 0, W well-defined matrix-valued function which converges absolutely and uniformly on (ζ ; z, w) F × F. Moreover, any of the first 4 derivatives with respect to ζ of W converges uniformly and absolutely, provided ,(ζ ) > 0. Therefore, term by term differentiation is valid. By differentiating component-wise four times and using the d4 −ζ t , we obtain that fact that dζ 4 w(ζ, t) = e d4 W (ζ ; z, w) = dζ 4 +



e−ζ



λj −1/4

λ0 ≤λj ∞ c  1  e−ζ |r| Ej l (z, 1/2 + ir)Ej l (w, 1/2 + ir)t dr 4π −∞ j =1 l=1

= PM,1/4 (ζ ; z, w),


where PM,1/4 is defined in (32). For ,(ζ ) > 0, define 

P

(k)

PM,1/4 (ζ ; z, w), (ζ ; z, w) = = ζ (k−1) (ξ ; z, w)dξ, 0 P

if k = 0 if k ≥ 1.

(44)

In the above definition, the integral is taken component-wise over a ray contained in the upper half-plane ,(ζ ) > 0. With this definition, we have (ζ ; z, w) + q(ζ ; z, w), P(4) (ζ ; z, w) = W

(45)

where q(ζ ; z, w) is a d × d matrix-valued function consisting of degree 3 polynomials in ζ , with coefficients depending on z and w at each component. For z = w and ζ → 0, the function P(0) (ζ ; z, w) has a limit; therefore, P(k) (ζ ; z, w) = O(ζ k ) as ζ → 0.

(46)

For every u ∈ R+ , define W (u; z, w) =

  I 1 H (−iu; z, w) + q(−iu; z, w) . W (iu; z, w) + q(iu; z, w) + W 2i

(47) We claim that the function W (u; z, w) satisfies all the required conditions given in the statement. Using the spectral expansion (33) of the Poisson kernel PM,1/4 (ζ ; z, w) and integrating it four times, we obtain the property (a). Assertion (b) follows using the bound (46) in (45). For a given g as in the statement, we can derive assertion (c) using integration by parts four times on the right-hand side of (41).  

6 The Basic Automorphic Kernel

In this section, we study two automorphic kernels, namely the basic and the geometric automorphic kernels. After defining the basic automorphic kernel $K_s(z, w)$ for any z, w ∈ F in an appropriate complex half s-plane in terms of the wave distribution applied to a test function, we prove that it has a meromorphic continuation to the whole complex s-plane. Then we introduce the geometric automorphic kernel $\tilde{K}_s(z, w)$ and show that $K_s(z, w) = \tilde{K}_s(z, w)$ for ℜ(s) > max{1, |k|}, thus also obtaining the meromorphic continuation of $\tilde{K}_s(z, w)$ to the whole complex s-plane.


6.1 Construction and Meromorphic Continuation of the Basic Automorphic Kernel

For z, w ∈ F and s ∈ C with ℜ(s) > max{1, |k|}, we define the basic automorphic kernel $K_s(z, w)$ by

$$K_s(z, w) := \frac{\Gamma(s - \frac12)}{\Gamma(s)}\,W_{M,k,\chi}(z, w)\bigl( \cosh(u)^{-(s - \frac12)} \bigr). \tag{48}$$

Here, $W_{M,k,\chi}(z, w)$ is the wave distribution and it is applied to the test function

$$g_s(u) = \frac{\Gamma(s - \frac12)}{\Gamma(s)}\,\cosh(u)^{-(s - \frac12)}. \tag{49}$$

Notice that $g_s(u)$ satisfies the conditions in Lemma 6(a) with a = A and n = 4 where A is defined in (13). Thus, $K_s(z, w)$ is well-defined by Proposition 3(a).

Lemma 7 For all s ∈ C with ℜ(s) > max{1, |k|}, n ∈ N, and r ∈ R ∪ [−Ai, Ai], the Fourier transform H(r, ·) (see (34)) of $g_s$ given by (49) satisfies the functional equation

$$H(r, g_s) = \frac{2^{-2n}\,(s)_{2n}}{\left( \frac{s}{2} - \frac14 - \frac{ir}{2} \right)_n \left( \frac{s}{2} - \frac14 + \frac{ir}{2} \right)_n}\,H(r, g_{s+2n}), \tag{50}$$

where $(s)_n = \Gamma(s + n)/\Gamma(s)$ denotes the Pochhammer symbol.

Proof Let n ∈ N and s ∈ C with ℜ(s) > max{1, |k|}. Definitions (35) and (49) imply that

$$H(r, g_s) = \frac{2\,\Gamma(s - \frac12)}{\Gamma(s)} \int_0^{\infty} \cos(ur)\,\cosh(u)^{-(s - 1/2)}\,du.$$

When r ∈ R \ {0} or r ∈ [−Ai, Ai] \ {0}, or r = 0, we have (see [14, Formulas 3.985.1, 3.512.1 and 3.512.2, respectively])

$$\int_0^{\infty} \cos(ur)\,\cosh(u)^{-\nu}\,du = \frac{2^{\nu - 2}}{\Gamma(\nu)}\,\Gamma\!\left( \frac{\nu - ir}{2} \right) \Gamma\!\left( \frac{\nu + ir}{2} \right), \tag{51}$$

where ℜ(ν) > A. Hence, for r ∈ R ∪ [−Ai, Ai], using (51) with ν = s − 1/2, ν = s − 1/2 + 2n and the definition of the Pochhammer symbol, we obtain the identity (50).

The functional equation (50) enables us to deduce the meromorphic continuation of the kernel $K_s(z, w)$ to the whole complex s-plane.


Theorem 3 For any z, w ∈ F, the basic automorphic kernel $K_s(z, w)$ admits a meromorphic continuation to the whole complex s-plane. The possible poles of the function $\Gamma(s)\,\Gamma(s - 1/2)^{-1} K_s(z, w)$ are located at the points $s = 1/2 \pm i t_j - 2n$, where n ∈ N and $\lambda_j = 1/4 + t_j^2$ is a discrete eigenvalue of k. When M is noncompact, possible poles of $\Gamma(s)\,\Gamma(s - 1/2)^{-1} K_s(z, w)$ are also located at the points s = 1 − ρ − 2n, where n ∈ N and ρ ∈ (1/2, 1] is a pole of the parabolic Eisenstein series $E_{jl}(z, s)$, and the points s = ρ − 2n, where n ∈ N and ρ is a pole of $E_{jl}(z, s)$ with ℜ(ρ) < 1/2.

Proof The proof we present here follows closely the proof of [19, Theorem 10]. We assume M is non-compact; in case of cocompact , the sums over cusps below are identically zero and there are no poles stemming from poles of the Eisenstein series. Let B := max{1, |k|}. First we prove that $K_s(z, w)$ has a meromorphic continuation to the half-plane ℜ(s) > B − 2n for any n ∈ N. For s ∈ C with ℜ(s) > B we use the wave representation (36) of $K_s(z, w)$ to obtain

$$K_s(z, w) = \sum_{\lambda_j \ge |k|(1-|k|)} H(t_j, g_s)\,\varphi_j(z)\,\varphi_j(w)^t + \frac{1}{4\pi} \sum_{j=1}^{c} \sum_{l=1}^{m_j} \int_{-\infty}^{\infty} H(r, g_s)\,E_{jl}(z, 1/2 + ir)\,E_{jl}(w, 1/2 + ir)^t\,dr, \tag{52}$$

where $\lambda_j = 1/4 + t_j^2$. Letting

$$h_n(r, s) := \left( \frac{s}{2} - \frac14 - \frac{ir}{2} \right)_n \left( \frac{s}{2} - \frac14 + \frac{ir}{2} \right)_n$$

and using formula (50) in (52), we get

$$\frac{2^{2n}\,\Gamma(s)}{\Gamma(s + 2n)}\,K_s(z, w) = \sum_{\lambda_j \ge |k|(1-|k|)} \frac{H(t_j, g_{s+2n})}{h_n(t_j, s)}\,\varphi_j(z)\,\varphi_j(w)^t + \frac{1}{4\pi} \sum_{j=1}^{c} \sum_{l=1}^{m_j} \int_{-\infty}^{\infty} \frac{H(r, g_{s+2n})}{h_n(r, s)}\,E_{jl}(z, 1/2 + ir)\,E_{jl}(w, 1/2 + ir)^t\,dr. \tag{53}$$

It can be easily seen that $(a)_n = \prod_{j=0}^{n-1} (a + j)$. This implies that $h_n(r, s) \sim r^{2n}$ as r → ∞. Hence, the series in (53) arising from the discrete spectrum is locally absolutely and uniformly convergent as a function of s for ℜ(s) > B − 2n away from the poles of $h_n(r, s)^{-1}$, i.e. away from the zeros of $h_n(r, s)$. Using $(a)_n = \prod_{j=0}^{n-1} (a + j)$, we calculate the zeros of $h_n(r, s)$ for ℜ(s) > B − 2n, which occur at the points $s = 1/2 \pm i t_j - 2m$ for m = 0, . . . , n − 1.


Next, we prove the meromorphic continuation of the integral coming from the continuous spectrum in (53). First, substitute r → 1/2 + ir so that the integral is now over the vertical line whose real part is 1/2 and observe that as a function of s ∈ C the integral, denote it by $I_{1/2,jl}(s)$, is holomorphic for s ∈ C with ℜ(s) > B − 2n satisfying ℜ(s) ≠ 1/2 − 2m, where m = 0, . . . , n − 1. In order to get the meromorphic continuation of this function across the lines ℜ(s) = 1/2 − 2m, we will use the same method applied in the proofs of [17, Theorem 2] and [19, Theorem 10] or in [27]. As a first step, let m = 0 and choose > 0 sufficiently small to guarantee that $E_{jl}(z, s)$ has no poles in the strip 1/2 − < ℜ(s) < 1/2 + . For s ∈ C with 1/2 < ℜ(s) < 1/2 + , we apply the residue theorem to the function $I_{1/2,jl}(s)$ to obtain the meromorphic continuation $I^{(1)}_{1/2,jl}(s)$ of it in the strip 1/2 − < ℜ(s) < 1/2 + . Then, assuming 1/2 − < ℜ(s) < 1/2 and using the residue theorem again, we get the meromorphic continuation $I^{(2)}_{1/2,jl}(s)$ of the integral $I^{(1)}_{1/2,jl}(s)$ to the strip −3/2 < ℜ(s) < 1/2. Finally, adding the formulas coming from the applications of the residue theorem we obtain the meromorphic continuation of the integral $I_{1/2,jl}(s)$ to the strip −3/2 < ℜ(s) ≤ 1/2. Similarly, we can get the meromorphic continuation of the integral $I_{1/2,jl}(s)$ to the strip −3/2 − 2m < ℜ(s) ≤ 1/2 − 2m for m = 1, . . . , n − 1 by repeating this two-step process. The poles that arise in this process are at s = 1 − ρ − 2m, where ρ is a pole of the Eisenstein series $E_{jl}(z, s)$ belonging to the line segment (1/2, 1], and at s = ρ − 2m, where ρ is a pole of the Eisenstein series $E_{jl}(z, s)$ such that ℜ(s) < 1/2, and m = 0, . . . , n − 1. This completes the proof of the meromorphic continuation of $K_s(z, w)$ to the whole s-plane, as n ∈ N was chosen arbitrarily.

6.2 The Geometric Automorphic Kernel

For $\operatorname{Re}(s)$ sufficiently large and for any two points z, w ∈ F, define the geometric automorphic kernel by

(s − k)(s + k)  χ (γ ) cosh(dhyp (z, γ w))−s K˜ s (z, w) := √ 2π (s)2 γ ∈

(54)

× F (−k, k; s; (1 + cosh(dhyp (z, γ w)))−1 )Jγ ,k (w)Hk (z, γ w),

where $F(-k, k; s; (1 + \cosh(d_{\mathrm{hyp}}(z, \gamma w)))^{-1})$ stands for the (Gauss) hypergeometric function. Note that it is possible to extend the above definition to z, w ∈ H. Then, for any fixed w ∈ H, the function $\tilde{K}_s(z,w)$ can be viewed as a map from H to End(V) (which can be identified with $\mathbb{C}^{d \times d}$). The following proposition shows that (for sufficiently large $\operatorname{Re}(s)$) for any fixed w ∈ H, the columns of the $d \times d$ matrix $\tilde{K}_s(z,w)$ belong to the space $H_k$ (see Sect. 2.4), when viewed as maps from H to V.


Proposition 4
(a) The series in formula (54) converges normally with respect to the operator norm in the ring End(V) of endomorphisms of V in the variables (z, w; s), with s in the half-plane $\operatorname{Re}(s) > 1$ and z, w ∈ F. It defines a holomorphic function of s in the half-plane $\operatorname{Re}(s) > 1$. The convergence is uniform when z, w ∈ F are restricted to any compact subset of F.
(b) The kernel $\tilde{K}_s(z,w)$ is a meromorphic function of s in the half-plane $\operatorname{Re}(s) > 1$, possessing simple poles in this half-plane only when $|k| > 1$. When $|k| > 1$, the simple poles are located at $s = |k| - n$, for integers $n \in [0, |k| - 1]$.
(c) For each w ∈ H and $s \in \mathbb{C}$ with $\operatorname{Re}(s) > \max\{1, |k|\}$ each column of the matrix $\tilde{K}_s(\cdot, w)$ defines a function in $H_k$.

Proof (a) For any γ ∈  , the hypergeometric function $F(-k, k; s; (1 + \cosh(d_{\mathrm{hyp}}(z, \gamma w)))^{-1})$ is well-defined for all $s \in \mathbb{C}$, due to the fact that

$$0 < (1 + \cosh(d_{\mathrm{hyp}}(z, w)))^{-1} \le \tfrac{1}{2}$$

for any two points z, w ∈ F (equality being attained when z = w). Moreover, for all s with $\operatorname{Re}(s) > 1$, the function $F(-k, k; s; (1 + \cosh(d_{\mathrm{hyp}}(z, \gamma w)))^{-1})$ is holomorphic, since it is the sum of uniformly convergent holomorphic functions. For all $s \in \mathbb{C}$ such that $\operatorname{Re}(s) > 1$, it is uniformly bounded by $F(-k, k; 1, \tfrac{1}{2})$. Since χ is a unitary multiplier system and $|J_{\gamma,k}(w)| = |H_k(z,w)| = 1$, when d = 1, the series appearing in the definition of the kernel $\tilde{K}_s(z,w)$ is dominated (uniformly in s, for $\operatorname{Re}(s) > 1$) by the series

cosh(dhyp (z, γ w))−,(s) ,

(55)

γ ∈ 

which converges in the half-plane $\operatorname{Re}(s) > 1$ (see e.g. [27, Lemma 3.3.4]). The convergence is uniform when z, w ∈ F are restricted to any compact subset of F. When d > 1, in order to prove the normal convergence of the series in (54), it is sufficient to notice that χ can be identified with a unitary $d \times d$ matrix, with matrix norm induced from the Hilbert space norm obviously equal to $\sqrt{d}$. The normal convergence follows again from the convergence of the series (55) for $\operatorname{Re}(s) > 1$, which is uniform when z, w ∈ F are restricted to any compact subset of F. This proves part (a) of the Proposition.


(b) From part (a) it follows that the sum over  on the right-hand side of (54) is a holomorphic function in s, for $\operatorname{Re}(s) > 1$. Therefore the poles of $\tilde{K}_s(z,w)$ in the half-plane $\operatorname{Re}(s) > 1$ stem only from possible poles of the factor $\Gamma(s-k)\Gamma(s+k)/\Gamma(s)^2$. This factor can have poles in the half-plane $\operatorname{Re}(s) > 1$ only when $|k| > 1$, and they are located at $s = |k| - n$, for integers $n \in [0, |k| - 1]$.

(c) To prove the last part, use [16, formula (6.11) on p. 387] and note that L2 (\H, m, W) = Hk in Hejhal’s notation. Therefore, it suffices to show that the function

J 2 (s − k)(s + k) 1 (1 + 2u)−s F (−k, k; s; 2(1+u) ), (56) s (4u) := π (s)2

where u = u(z, w) is given by (3), satisfies [16, Assumption 6.1 on p. 387]. It is clear from the definition of $F(-k, k; s; \tfrac{1}{2(1+u)})$ that it is four times differentiable in $u \ge 0$ and its derivatives are uniformly bounded by $F(-k, k; 1, \tfrac{1}{2})$. The function $F_s(u) = (1 + 2u)^{-s}$ is also four times differentiable as a function of u for any fixed $s \in \mathbb{C}$ with $\operatorname{Re}(s) > \max\{1, |k|\}$ and satisfies the bound

$$F_s^{(j)}(u) \ll (1 + u)^{-j - \operatorname{Re}(s)},$$

for j = 0, 1, 2, 3, 4, where the implied constant is independent of u. It follows that s (t) is four times differentiable as a function of the real parameter $t \ge 0$. Furthermore, for every $s \in \mathbb{C}$ such that $\operatorname{Re}(s) > \max\{1, |k|\}$, the estimate

s (j) (t) ≪ $(4 + t)^{-j - \operatorname{Re}(s)}$

holds for j = 0, 1, 2, 3, 4 and $t \ge 0$. Thus, the proof is complete.

According to Proposition 4, for any fixed complex number s with $\operatorname{Re}(s) > \max\{1, |k|\}$, the kernel $\tilde{K}_s(z,w)$ can be viewed as a map from F × F to End(V). In the following proposition we prove that for all such s, automorphic kernels $\tilde{K}_s(z,w)$ and $K_s(z,w)$ are equal on F × F.

Proposition 5 For all $s \in \mathbb{C}$ with $\operatorname{Re}(s) > \max\{1, |k|\}$ and for all z, w ∈ F, $\tilde{K}_s(z,w) = K_s(z,w)$.

Proof In view of Proposition 4(c), it suffices to show that, for $\operatorname{Re}(s) > \max\{1, |k|\}$, the functions $\tilde{K}_s(z,w)$ and $K_s(z,w)$ have the same coefficients in the spectral expansion, which amounts to showing that the function s (4u) defined in (56) is


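the inverse Selberg Harish-Chandra transform of the Fourier transform $h_s$ of the function

$$g_s(u) = \frac{\Gamma(s - \frac{1}{2})}{\Gamma(s)} (\cosh u)^{-(s - \frac{1}{2})} = Q_s(e^u + e^{-u} - 2). \tag{57}$$

Based on [16, Formula (6.6) on p. 386], this is equivalent to showing that

s (4u) = $\dfrac{\Gamma(s + \frac{1}{2})}{\pi\,\Gamma(s)}\, 2^{s - \frac{1}{2}} \displaystyle\int_{-\infty}^{\infty} (4u + t^2 + 2)^{-(s + \frac{1}{2})} \left( \frac{\sqrt{4u + 4 + t^2} - t}{\sqrt{4u + 4 + t^2} + t} \right)^{k} dt.$ (58)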

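Substitute $y = 4u$ and denote by $I(y)$ the integral on the right-hand side of (58). It follows immediately that

$$I(y) = \int_0^{\infty} (\alpha + t^2 - 2)^{-(s + \frac{1}{2})} \left[ \left( \frac{\sqrt{\alpha + t^2} - t}{\sqrt{\alpha + t^2} + t} \right)^{k} + \left( \frac{\sqrt{\alpha + t^2} - t}{\sqrt{\alpha + t^2} + t} \right)^{-k} \right] dt,$$

where $\alpha = y + 4$. Introducing a new variable $x = \frac{\sqrt{\alpha + t^2} - t}{\sqrt{\alpha + t^2} + t}$, we obtain that

$$I(\alpha - 4) = \alpha^{-s} 4^{s - \frac{1}{2}} \int_0^1 \left( x^2 + 2x\left(1 - \tfrac{4}{\alpha}\right) + 1 \right)^{-(s + \frac{1}{2})} \left( (x^{s+k} + x^{s-k-1}) + (x^{s-k} + x^{s+k-1}) \right) dx.$$

Substituting $x_1 = 1/x$ in the two integrals containing exponents $x^{s-k-1}$ and $x^{s+k-1}$ yields the following simplified expression:

$$I(y) = \alpha^{-s} 4^{s - \frac{1}{2}} \int_0^{\infty} \frac{x^{s+k} + x^{s-k}}{\left( x^2 + 2x \frac{y}{y+4} + 1 \right)^{s + \frac{1}{2}}}\, dx.$$

Next, write $I(y) = I(4u) = I_+(4u) + I_-(4u)$, where

$$I_{\pm}(4u) = \frac{1}{2} (u + 1)^{-s} \int_0^{\infty} \frac{x^{s \pm k}}{\left( x^2 + 2x \frac{u}{u+1} + 1 \right)^{s + \frac{1}{2}}}\, dx.$$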

The integral on the right-hand side of the above equation appears in Formula 8.714.2 of [14] for the integral representation of the Legendre function, with $\cos(\varphi) = u/(u+1) \in (0, 1)$, $\mu = s$ and $\nu = \pm k$. For $\operatorname{Re}(s) > \max\{1, |k|\}$, the conditions


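$\operatorname{Re}(\mu \pm \nu) > 0$ are fulfilled, hence

$$I_{\pm}(4u) = \frac{1}{2} (u + 1)^{-s} \int_0^{\infty} \frac{x^{s \pm k}}{\left( x^2 + 2x \frac{u}{u+1} + 1 \right)^{s + \frac{1}{2}}}\, dx = \frac{2^{s-1}\, \Gamma(s+1)\, \Gamma(s \pm k + 1)\, \Gamma(s \mp k)}{\Gamma(2s+1)\, (1 + 2u)^{s/2}}\, P_{\pm k}^{-s}\!\left( \frac{u}{u+1} \right),$$

where $P_{\nu}^{\mu}$ stands for the Legendre function. Inserting the above expression for $I_{\pm}(4u)$ into (58) after applying the doubling formula $\Gamma(2s+1) = 2^{2s} \pi^{-\frac{1}{2}}\, \Gamma(s + \tfrac{1}{2})\, \Gamma(s+1)$ for the gamma function, we obtain that

s (4u) = $\dfrac{2^{-\frac{3}{2}}\, \Gamma(s+k)\, \Gamma(s-k)}{\Gamma(s) \sqrt{\pi}} \left( (s+k)\, P_{k}^{-s}\!\left( \dfrac{u}{u+1} \right) + (s-k)\, P_{-k}^{-s}\!\left( \dfrac{u}{u+1} \right) \right) (1 + 2u)^{-\frac{s}{2}}.$

In order to prove (56), it is left to show that

$$(s+k)\, P_{k}^{-s}\!\left( \frac{u}{u+1} \right) + (s-k)\, P_{-k}^{-s}\!\left( \frac{u}{u+1} \right) = \frac{2}{\Gamma(s)}\, (1 + 2u)^{-\frac{s}{2}}\, F\!\left( -k, k; s; \tfrac{1}{2(1+u)} \right).$$

Apply [14, Formula 8.704], with $x = u/(u+1) \in (0, 1)$, $\mu = -s$ and $\nu = \pm k$, in order to express the Legendre function in terms of the hypergeometric function:

$$P_{\pm k}^{-s}\!\left( \frac{u}{u+1} \right) = \frac{(1 + 2u)^{-\frac{s}{2}}}{s\, \Gamma(s)}\, F\!\left( \mp k, \pm k + 1; s + 1; \tfrac{1}{2(1+u)} \right).$$

Therefore, proof of (56) reduces to proving that

$$\frac{1}{s} \left( (s+k)\, F\!\left( -k, k+1; s+1; \tfrac{1}{2(1+u)} \right) + (s-k)\, F\!\left( k, -k+1; s+1; \tfrac{1}{2(1+u)} \right) \right) = 2 F\!\left( -k, k; s; \tfrac{1}{2(1+u)} \right).$$

The above identity follows immediately from the definition of the hypergeometric function and the property $(a+1)_j = (a)_j \frac{a+j}{a}$ of the Pochhammer symbol $(a)_j = \Gamma(a+j)/\Gamma(a)$, for all non-negative integers $j$, applied with $a = k$ and $a = -k$.

Remark 4 When k = 0 and χ is the identity, the hypergeometric series $F\!\left( -k, k; s; \tfrac{1}{2(1+u)} \right)$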


is identically equal to one, hence the series $\tilde{K}_s(z,w)$ coincides with the automorphic kernel $K_s(z,w)$ defined in [19, Formula (19)], up to the constant $\frac{1}{\sqrt{2\pi}}$.
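
The hypergeometric identity that closes the proof of Proposition 5 can be checked coefficient by coefficient. The derivation below is added here and is not part of the original text; it writes $x = \tfrac{1}{2(1+u)}$, uses the series $F(a, b; c; x) = \sum_{j \ge 0} \frac{(a)_j (b)_j}{(c)_j} \frac{x^j}{j!}$, and assumes $k \neq 0$ (for $k = 0$ both sides equal 2).

$$
\begin{aligned}
(k+1)_j &= (k)_j\,\frac{k+j}{k}, \qquad (-k+1)_j = (-k)_j\,\frac{k-j}{k}, \qquad (s+1)_j = (s)_j\,\frac{s+j}{s},\\[4pt]
\frac{1}{s}\left[(s+k)\,\frac{(-k)_j (k+1)_j}{(s+1)_j} + (s-k)\,\frac{(k)_j (-k+1)_j}{(s+1)_j}\right]
&= \frac{(-k)_j (k)_j}{(s)_j}\cdot\frac{(s+k)(k+j) + (s-k)(k-j)}{k\,(s+j)}\\[4pt]
&= \frac{(-k)_j (k)_j}{(s)_j}\cdot\frac{2sk + 2kj}{k\,(s+j)}
= 2\,\frac{(-k)_j (k)_j}{(s)_j}.
\end{aligned}
$$

The left-hand side is the coefficient of $x^j/j!$ in $\frac{1}{s}\left[(s+k)F(-k, k+1; s+1; x) + (s-k)F(k, -k+1; s+1; x)\right]$ and the right-hand side is the coefficient of $x^j/j!$ in $2F(-k, k; s; x)$, so the two series agree term by term.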

By the uniqueness of meromorphic continuation, combining the above proposition with Theorem 3, we arrive at the following corollary:

Corollary 1 For any z, w ∈ F, the geometric kernel $\tilde{K}_s(z,w)$ admits a meromorphic continuation to the whole complex s-plane. The possible poles of the function $\Gamma(s)\Gamma(s - 1/2)^{-1} \tilde{K}_s(z,w)$ are located at the points $s = 1/2 \pm it_j - 2n$, where $n \in \mathbb{N}$ and $\lambda_j = 1/4 + t_j^2$ is a discrete eigenvalue of k . In case when M is non-compact, possible poles of $\Gamma(s)\Gamma(s - 1/2)^{-1} \tilde{K}_s(z,w)$ are also located at the points $s = 1 - \rho - 2n$, where $n \in \mathbb{N}$ and $\rho \in (1/2, 1]$ is a pole of the parabolic Eisenstein series $E_{jl}(z,s)$, and at the points $s = \rho - 2n$, where $n \in \mathbb{N}$ and $\rho$ is a pole of $E_{jl}(z,s)$ with $\operatorname{Re}(\rho) < 1/2$.

Remark 5 Corollary 1 illustrates the strength of the approach to constructing Poincaré series using generating kernels. Namely, in order to deduce the meromorphic continuation of the automorphic kernel $\tilde{K}_s(z,w)$ from its geometric definition (54), one would have to consider some type of Fourier expansion (e.g. an expansion in rectangular or spherical coordinates at a certain point) and investigate certain properties of the coefficients in the expansion (e.g. uniform boundedness, analyticity, etc.). This is a heavy task, which we overcome by considering the wave distribution acting on the function $g_s$ defined in (57).

Acknowledgments The authors thank the organizers and sponsors of WINE3 for providing a stimulating atmosphere for collaborative work. The authors also thank the referees for their work and useful comments.

References

1. Bringmann, K., Folsom, A., Ono, K., Rolen, L.: Harmonic Maass Forms and Mock Modular Forms: Theory and Applications. AMS Colloquium Publications, 64, AMS, Providence, RI (2017)
2. Bruggeman, R.W.: Modular forms of varying weight. I. Math. Z. 190, 477–495 (1985)
3. Bruggeman, R.W.: Modular forms of varying weight. II. Math. Z. 192, 297–328 (1986)
4. Bruggeman, R.W.: Modular forms of varying weight. III. J. Reine Angew. Math. 371, 144–190 (1986)
5. Bump, D.: Automorphic Forms and Representations. Cambridge University Press (1998)
6. Chavel, I.: Eigenvalues in Riemannian Geometry. Academic Press, New York (1984)
7. Cogdell, J., Jorgenson, J., Smajlović, L.: Spectral construction of non-holomorphic Eisenstein-type series and their Kronecker limit formula. In: Donagy, R., Shaska, T. (eds.) Integrable Systems and Algebraic Geometry: Volume 2, pp. 405–449. Cambridge University Press, Cambridge (2020)
8. Elstrodt, J.: Die Resolvente zum Eigenwertproblem der automorphen Formen in der hyperbolischen Ebene. Teil I. Math. Ann. 203, 295–330 (1973)
9. Elstrodt, J.: Die Resolvente zum Eigenwertproblem der automorphen Formen in der hyperbolischen Ebene. Teil II. Math. Z. 132, 99–134 (1973)
10. Fay, J.D.: Fourier coefficients of the resolvent for a Fuchsian group. J. Reine Angew. Math. 293/294, 143–203 (1977)
11. Fischer, J.: An approach to the Selberg trace formula via the Selberg zeta-function. Springer-Verlag, New York (1987)
12. Friedman, J.S., Jorgenson, J., Kramer, J.: Uniform sup-norm bounds on average for cusp forms of higher weights. In: Ballmann, W. et al. (eds.) Arbeitstagung Bonn 2013, pp. 127–154. Birkhäuser, Cham / Springer (2016)
13. Friedman, J.S., Jorgenson, J., Kramer, J.: Effective sup-norm bounds on average for cusp forms of even weight. Trans. Amer. Math. Soc. 372, 7735–7766 (2019)
14. Gradshteyn, I.S., Ryzhik, I.M.: Table of integrals, series and products. Elsevier Academic Press, Amsterdam (2007)
15. Hejhal, D.A.: The Selberg Trace Formula for PSL(2, R) Vol. 1. Springer-Verlag, New York (1976)
16. Hejhal, D.A.: The Selberg Trace Formula for PSL(2, R) Vol. 2. Springer-Verlag, New York (1983)
17. Jorgenson, J., Kramer, J., von Pippich, A.-M.: On the spectral expansion of hyperbolic Eisenstein series. Math. Ann. 346, 931–947 (2010)
18. Jorgenson, J., Lang, S.: Analytic continuation and identities involving heat, Poisson, wave and Bessel kernels. Math. Nachr. 258, 44–70 (2003)
19. Jorgenson, J., von Pippich, A.-M., Smajlović, L.: On the wave representation of elliptic, hyperbolic, and parabolic Eisenstein series. Advances in Math. 288, 887–921 (2016)
20. Kara, Y., Kumari, M., Marzec, J., Maurischat, K., Mocanu, A., Smajlović, L.: Poincaré-type series associated to the weighted Laplacian on finite volume Riemann surfaces (in preparation)
21. Maass, H.: Die Differentialgleichungen in der Theorie der elliptischen Modulfunktionen. Math. Ann. 125, 235–263 (1953)
22. Oshima, K.: Completeness relations for Maass Laplacians and heat kernels on the super Poincaré upper half-plane. J. Math. Phys. 31, 3060–3063 (1990)
23. Patterson, S.J.: The laplacian operator on a Riemann surface. Compositio Math. 31(1), 83–107 (1975)
24. Patterson, S.J.: The laplacian operator on a Riemann surface II. Compositio Math. 32(1), 71–112 (1976)
25. Patterson, S.J.: The laplacian operator on a Riemann surface III. Compositio Math. 33(3), 227–259 (1976)
26. Petridis, Y.N., Risager, M.S.: Hyperbolic lattice-point counting and modular symbols. J. Théor. Nombres Bordeaux 21(3), 719–732 (2009)
27. von Pippich, A.-M.: The arithmetic of elliptic Eisenstein series. PhD thesis, Humboldt-Universität zu Berlin (2010)
28. Roelcke, W.: Analytische Fortsetzung der Eisensteinreihen zu den parabolischen Spitzen von Grenzkreisgruppen erster Art. Math. Ann. 132, 121–129 (1956)
29. Roelcke, W.: Das Eigenwertproblem der automorphen Formen in der hyperbolischen Ebene, I. Math. Ann. 167, 292–337 (1966)
30. Roelcke, W.: Das Eigenwertproblem der automorphen Formen in der hyperbolischen Ebene, II. Math. Ann. 168, 261–324 (1967)
31. Selberg, A.: Harmonic analysis and discontinuous groups in weakly symmetric Riemannian spaces with applications to Dirichlet series. J. Indian Math. Soc. 20, 47–87 (1956)
32. Strömberg, F.: Computation of Maass waveforms with nontrivial multiplier systems. Math. Comp. 77(264), 2375–2416 (2008)

The Hasse Norm Principle in Global Function Fields

Adelina Mânzățeanu, Rachel Newton, Ekin Ozman, Nicole Sutherland, and Rabia Gülşah Uysal

MSC Codes (2020) 11N45, 11R58 (primary), 11R37, 14G12, 11G35 (secondary)

1 Introduction

The Hasse norm principle is said to hold for an extension of global fields $L/k$ if the knot group

$$\mathfrak{K}(L/k) = \frac{k^{\times} \cap N_{L/k} \mathbb{A}_L^{\times}}{N_{L/k} L^{\times}}$$

is trivial, in other words if an element of $k^{\times}$ is a global norm from $L/k$ if and only if it is a norm everywhere locally. Hasse’s original norm theorem [14] shows that the Hasse norm principle holds for cyclic extensions of number fields. Since then, there have been several research articles giving methods for computing knot groups

A. Mânzățeanu: Mathematisch Instituut, Leiden, Netherlands
R. Newton: Department of Mathematics and Statistics, University of Reading, Whiteknights, Reading, UK
E. Ozman: Faculty of Arts and Sciences, Bogazici University, Bebek, Istanbul, Turkey
N. Sutherland: Computational Algebra Group, School of Mathematics and Statistics, The University of Sydney, NSW, Australia
R. G. Uysal: Department of Mathematics, Middle East Technical University, Ankara, Turkey

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_9


and sufficient criteria for the Hasse norm principle to hold, see [1, 2, 3, 8, 11, 12, 13, 16, 17, 18, 20, 22, 24, 28], for example. Furthermore, new breakthroughs obtained when studying arithmetic objects in families mean there has been a great deal of interest in the frequency of failure of local-global principles; see [5] for a survey of recent progress. In particular, the frequency of failure of the Hasse norm principle for number fields has been studied in [6, 9, 10, 21, 25].

In this paper, we study failures of the Hasse norm principle in the global function field setting. Let $q$ be a power of a prime $p$, let $L/\mathbb{F}_q(t)$ be a finite extension with full constant field $\mathbb{F}_{q^f}$ and let $\mathfrak{n} \subset \mathbb{F}_q[t]$ be an ideal. In order to compare the number of global norms from $L/\mathbb{F}_q(t)$ with the number of everywhere local norms, we define counting functions

$$N_{\mathrm{glob}}(L/\mathbb{F}_q(t), \mathfrak{n}, d) = \#\{\alpha \in \mathbb{F}_q[t] \cap N_{L/\mathbb{F}_q(t)} L^{\times} \mid (\alpha, \mathfrak{n}) = 1,\ \deg \alpha = d\},$$

and

$$N_{\mathrm{loc}}(L/\mathbb{F}_q(t), \mathfrak{n}, d) = \#\{\alpha \in \mathbb{F}_q[t] \cap N_{L/\mathbb{F}_q(t)} \mathbb{A}_L^{\times} \mid (\alpha, \mathfrak{n}) = 1,\ \deg \alpha = d\}.$$

The following constant will play an important role in our results:

$$h = \gcd\{\deg \mathfrak{p} \mid \mathfrak{p} \text{ infinite place of } L\}, \tag{1}$$

where $\deg \mathfrak{p}$ denotes the degree of the residue field of $\mathfrak{p}$ over the constant field $\mathbb{F}_{q^f}$ of $L$. We may now state our main theorem:

Theorem 1 We have

$$\lim_{\substack{d \to \infty \\ fh \mid d}} \frac{N_{\mathrm{glob}}(L/\mathbb{F}_q(t), \mathfrak{n}, d)}{N_{\mathrm{loc}}(L/\mathbb{F}_q(t), \mathfrak{n}, d)} = \frac{1}{\#\mathfrak{K}(L/\mathbb{F}_q(t))},$$

where the limit is taken over degrees $d$ such that $fh \mid d$.

In the special case $\mathfrak{n} = \mathbb{F}_q[t]$, Theorem 1 is an integral analogue of [6, Theorem 1.2] in the function field setting. We note that examples where the knot group is nontrivial certainly exist in this setting: for example, [27, §11.4] shows that the knot group is $\mathbb{Z}/2\mathbb{Z}$ for the biquadratic extension $\mathbb{F}_5(\sqrt{t}, \sqrt{t+1})/\mathbb{F}_5(t)$ since all its decomposition groups are cyclic. In order to obtain Theorem 1, we show that the method of Cohen and Odoni can be used to prove the following local version of [7, Theorem IIB]:

Theorem 2 There exists a finite abelian extension $L_{\mathrm{loc}}/L$ with the following properties:

(a) if $d$ is a large multiple of $fh$, then $N_{\mathrm{loc}}(L/\mathbb{F}_q(t), \mathfrak{n}, d)$ is asymptotically

hκloc C

  √   q d d B−1 −1 λn {1 + O d −A ω4 (n) } + O q d/2 e2 dω(n) [Lloc : L]

(2)


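where $A$, $B$ and $C$ are positive constants depending only on $L/\mathbb{F}_q(t)$ and $0 < B < 1$, $\omega(\mathfrak{n})$ is the number of distinct prime divisors of $\mathfrak{n}$ and

$$\lambda_{\mathfrak{n}} = \prod_{\mathfrak{p} \mid \mathfrak{n}} \{1 + \delta(\mathfrak{p}) q^{-\deg \mathfrak{p}} + \delta(\mathfrak{p}^2) q^{-2 \deg \mathfrak{p}} + \dots\}$$

where $\delta$ is the indicator function for norms of fractional ideals of $L$, see Sect. 3;

(b) if $d$ is not a multiple of $fh$, then $N_{\mathrm{loc}}(L/\mathbb{F}_q(t), \mathfrak{n}, d)$ is only

  √   O q d d B−1−A ω4 (n) + O q d/2 e2 dω(n)

where the constants involved in the $O$ symbols may be taken uniform in $d$ and $\mathfrak{n}$.

The constant $\kappa_{\mathrm{loc}}$ and its global analogue $\kappa_{\mathrm{glob}}$ are defined as follows:

$$\kappa_{\mathrm{loc}} = \#(\mathbb{F}_q^{\times} \cap N_{L/\mathbb{F}_q(t)} \mathbb{A}_L^{\times}) \quad \text{and} \quad \kappa_{\mathrm{glob}} = \#(\mathbb{F}_q^{\times} \cap N_{L/\mathbb{F}_q(t)} L^{\times}). \tag{3}$$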

One key difference with the number field case handled in [6] is the special role played by the constant fields in the function field setting. A key step in our proof of Theorem 1 is to show that $L_{\mathrm{loc}}$ and its global analogue $L_{\mathrm{glob}}$ both have full constant field $\mathbb{F}_{q^{fh}}$. This is achieved in Theorem 4 using the following result, which is proved in Sect. 3.2:

Theorem 3 Let $F$ be a global function field with full constant field $\mathbb{F}_q$, let $\mathfrak{m}$ be an effective divisor of $F$ and let $H$ be a finite index subgroup of the ray class group $\mathrm{Cl}_{\mathfrak{m}}(F)$. Then the ray class field corresponding to $H$ has full constant field $\mathbb{F}_{q^r}$, where $r$ is the smallest positive degree of a divisor in $H$.

To obtain an analogue of Theorem 1 for rational functions rather than polynomials, one would need to handle sums over fractional ideals written as quotients of coprime integral ideals, in a similar fashion to what was done at the bottom of p.343 of [6]. The appearance of $\omega(\mathfrak{n})$ in the error terms of (2) means that these error terms would need to be handled carefully, but we believe this should be possible with some work.

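1.1 Notation

For a global function field $F$ and an effective divisor $\mathfrak{m}$ of $F$, we use the following notation:

$\mathbb{A}_F^{\times}$ : the group of ideles of $F$
$D(F)$ : the group of divisors of $F$
$D_{\mathfrak{m}}(F)$ : the group of divisors of $F$ with support disjoint from the support of $\mathfrak{m}$
$P_{\mathfrak{m}}(F)$ : $P_{\mathfrak{m}}(F) := \{\operatorname{div}(f) \mid f \in F^{\times} \text{ and } \operatorname{ord}_{\mathfrak{p}}(f - 1) \ge \operatorname{ord}_{\mathfrak{p}} \mathfrak{m}\ \forall \text{ places } \mathfrak{p} \text{ in the support of } \mathfrak{m}\}$
$\mathrm{Cl}_{\mathfrak{m}}(F)$ : the ray class group of $F$ modulo $\mathfrak{m}$, $\mathrm{Cl}_{\mathfrak{m}}(F) := D_{\mathfrak{m}}(F)/P_{\mathfrak{m}}(F)$
$\mathrm{Cl}^0_{\mathfrak{m}}(F)$ : the degree zero part of $\mathrm{Cl}_{\mathfrak{m}}(F)$, $\mathrm{Cl}^0_{\mathfrak{m}}(F) := \{[\mathfrak{d}] \in \mathrm{Cl}_{\mathfrak{m}}(F) \mid \deg \mathfrak{d} = 0\}$.

Let $q$ be a prime power. For a tower of finite extensions $L/K/\mathbb{F}_q(t)$, we use the following notation:

$\mathfrak{n}$ : an ideal of $\mathbb{F}_q[t]$
$\mathcal{O}_L$ : the integral closure of $\mathbb{F}_q[t]$ in $L$
$I_L$ : the multiplicative group of nonzero fractional ideals of $\mathcal{O}_L$
$D_{\infty}(L)$ : the group of finite divisors of $L$
$\mathfrak{K}(L/K)$ : the knot group of $L/K$, $\mathfrak{K}(L/K) := (K^{\times} \cap N_{L/K} \mathbb{A}_L^{\times})/N_{L/K} L^{\times}$.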

2 Reducing to the Separable Case

One major difference between the function field setting and the number field setting is the presence of inseparable extensions in the function field case. Fortunately, Cohen and Odoni [7] give the following lemma allowing us to reduce to the case of a separable extension:

Lemma 1 ([7, Lemma 1.1]) Let $F$ be a perfect field of characteristic $p \neq 0$. If $t$ is an indeterminate and $L$ is a finite extension of $F(t)$ of degree of inseparability $p^i$, then $L = KM$, where $K = F(t^{p^{-i}})$ and $M$ is the maximal subfield of $L$ separable over $F(t)$; in particular, $L/K$ is separable.

Lemma 2 below allows us to transport the property of being a (global or everywhere local) norm from $L/\mathbb{F}_q(t)$ to the separable extension $L/K$ given by Lemma 1 and back. Before stating it, we explain what we mean by a fractional ideal of $L$ and describe the correspondence between fractional ideals and finite divisors.

Let $L/\mathbb{F}_q(t)$ be a finite extension. Write $\mathcal{O}_L$ for the integral closure of $\mathbb{F}_q[t]$ in $L$. Note that, unlike in the number field case, $\mathcal{O}_L$ is not canonical: it depends on a choice of generator $t$ for $\mathbb{F}_q(t)/\mathbb{F}_q$. We consider the choice of generator $t$ to be fixed throughout this paper. By a fractional ideal of $L$, we mean a fractional ideal of $\mathcal{O}_L$. For $\alpha \in L^{\times}$, we write $(\alpha)$ for the principal fractional ideal of $\mathcal{O}_L$ generated by $\alpha$.

The infinite place of $\mathbb{F}_q(t)$ corresponds to the valuation $\operatorname{ord}_{\infty}$ on $\mathbb{F}_q(t)$ given by $\operatorname{ord}_{\infty}\!\left( \frac{f(t)}{g(t)} \right) = \deg g(t) - \deg f(t)$ for nonzero $f(t), g(t) \in \mathbb{F}_q[t]$. In other words, the infinite place of $\mathbb{F}_q(t)$ corresponds to the prime ideal generated by $\frac{1}{t}$ in $\mathbb{F}_q[\frac{1}{t}]$. We write $\infty$ for the infinite place of $\mathbb{F}_q(t)$. Let $D(L)$ denote the group of divisors of $L$ and let $D_{\infty}(L)$ denote the subgroup of finite divisors, meaning those whose support does not include any place above $\infty$. We identify the finite places of $L$ with the nonzero prime ideals of $\mathcal{O}_L$ (see [19,


§5.2], for example). Thus, since $\mathcal{O}_L$ is a Dedekind domain, the map

$$\sum_i a_i \mathfrak{p}_i \mapsto \prod_i \mathfrak{p}_i^{a_i}$$

allows us to identify $D_{\infty}(L)$ with the multiplicative group of nonzero fractional ideals of $\mathcal{O}_L$, which we denote by $I_L$. Having made this identification, we will refer to the degree of a fractional ideal, meaning the degree of the associated divisor. Recall that a place $\mathfrak{p}$ of $L$ corresponds to a normalised discrete valuation on $L$. Let $\mathbb{F}_{\mathfrak{p}}$ denote the residue field of $\mathfrak{p}$ and let $\mathbb{F}_{q^f}$ be the full constant field of $L$. Then the degree of $\mathfrak{p}$ is given by $\deg \mathfrak{p} = [\mathbb{F}_{\mathfrak{p}} : \mathbb{F}_{q^f}]$. The degree of a divisor $\mathfrak{a} = \sum_i a_i \mathfrak{p}_i$ of $L$ is given by

$$\deg \mathfrak{a} = \sum_i a_i \deg \mathfrak{p}_i.$$

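Lemma 2 Let $L/\mathbb{F}_q(t)$ be a finite extension of degree of inseparability $p^i$, let $K = \mathbb{F}_q(t^{p^{-i}})$ and let $\alpha \in \mathbb{F}_q(t)$. Then
1. the fractional ideal $(\alpha)$ of $\mathbb{F}_q[t]$ is the $L/\mathbb{F}_q(t)$ norm of some fractional ideal of $\mathcal{O}_L$ if and only if the fractional ideal $(\alpha^{p^{-i}})$ of $\mathcal{O}_K$ is the $L/K$ norm of some fractional ideal of $\mathcal{O}_L$;
2. $\alpha \in N_{L/\mathbb{F}_q(t)} L^{\times}$ if and only if $\alpha^{p^{-i}} \in N_{L/K} L^{\times}$;
3. $\alpha \in N_{L/\mathbb{F}_q(t)} \mathbb{A}_L^{\times}$ if and only if $\alpha^{p^{-i}} \in N_{L/K} \mathbb{A}_L^{\times}$.

Proof Parts (1) and (2) are the content of [7, Lemma 1.2]. We prove (3). First suppose that $\alpha^{p^{-i}} \in N_{L/K} \mathbb{A}_L^{\times}$. This means that for every place $\mathfrak{q}$ of $K$ there exists $(\beta_{\mathfrak{r}})_{\mathfrak{r}} \in \prod_{\mathfrak{r} \mid \mathfrak{q}} L_{\mathfrak{r}}^{\times}$ such that

$$\alpha^{p^{-i}} = \prod_{\mathfrak{r} \mid \mathfrak{q}} N_{L_{\mathfrak{r}}/K_{\mathfrak{q}}}(\beta_{\mathfrak{r}}). \tag{4}$$

Let $\mathfrak{p}$ be a place of $\mathbb{F}_q(t)$. By [26, Lemma 7.3], since $K/\mathbb{F}_q(t)$ is a purely inseparable extension, there is a unique place $\mathfrak{q}$ of $K$ above $\mathfrak{p}$. Taking $N_{K/\mathbb{F}_q(t)}$ of both sides of (4) gives

$$N_{K/\mathbb{F}_q(t)}(\alpha^{p^{-i}}) = \prod_{\mathfrak{r} \mid \mathfrak{q}} N_{K_{\mathfrak{q}}/(\mathbb{F}_q(t))_{\mathfrak{p}}}(N_{L_{\mathfrak{r}}/K_{\mathfrak{q}}}(\beta_{\mathfrak{r}})) = \prod_{\mathfrak{r} \mid \mathfrak{p}} N_{L_{\mathfrak{r}}/(\mathbb{F}_q(t))_{\mathfrak{p}}}(\beta_{\mathfrak{r}}). \tag{5}$$

Now observe that $N_{K/\mathbb{F}_q(t)}(\alpha^{p^{-i}}) = \alpha$, since $K/\mathbb{F}_q(t)$ is a purely inseparable extension of degree $p^i$. Hence (5) becomes

$$\alpha = \prod_{\mathfrak{r} \mid \mathfrak{p}} N_{L_{\mathfrak{r}}/(\mathbb{F}_q(t))_{\mathfrak{p}}}(\beta_{\mathfrak{r}}). \tag{6}$$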


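Since $\mathfrak{p}$ was arbitrary, we have shown that $\alpha \in N_{L/\mathbb{F}_q(t)} \mathbb{A}_L^{\times}$, as required.

Now suppose that $\alpha \in N_{L/\mathbb{F}_q(t)} \mathbb{A}_L^{\times}$, so for every place $\mathfrak{p}$ of $\mathbb{F}_q(t)$ there exists $(\beta_{\mathfrak{r}})_{\mathfrak{r}} \in \prod_{\mathfrak{r} \mid \mathfrak{p}} L_{\mathfrak{r}}^{\times}$ such that

$$\alpha = \prod_{\mathfrak{r} \mid \mathfrak{p}} N_{L_{\mathfrak{r}}/(\mathbb{F}_q(t))_{\mathfrak{p}}}(\beta_{\mathfrak{r}}). \tag{7}$$

Again, for each place $\mathfrak{p}$ of $\mathbb{F}_q(t)$ there exists a unique place $\mathfrak{q}$ of $K$ above $\mathfrak{p}$. Furthermore, $N_{K_{\mathfrak{q}}/(\mathbb{F}_q(t))_{\mathfrak{p}}}(x) = x^{p^i}$ for all $x \in K_{\mathfrak{q}}$. Thus, (7) becomes

$$\alpha = \prod_{\mathfrak{r} \mid \mathfrak{q}} (N_{L_{\mathfrak{r}}/K_{\mathfrak{q}}}(\beta_{\mathfrak{r}}))^{p^i}. \tag{8}$$

Hence $\alpha^{p^{-i}} \in N_{L/K} \mathbb{A}_L^{\times}$, as required.

Lemma 2 shows that $\alpha \mapsto \alpha^{p^{-i}}$ gives bijections

$$\{\alpha \in \mathbb{F}_q[t] \cap N_{L/\mathbb{F}_q(t)} L^{\times} \mid (\alpha, \mathfrak{n}) = 1,\ \deg \alpha = d\} \to \{\beta \in \mathcal{O}_K \cap N_{L/K} L^{\times} \mid (\beta, \mathfrak{n}) = 1,\ \deg \beta = d\}$$

and

$$\{\alpha \in \mathbb{F}_q[t] \cap N_{L/\mathbb{F}_q(t)} \mathbb{A}_L^{\times} \mid (\alpha, \mathfrak{n}) = 1,\ \deg \alpha = d\} \to \{\beta \in \mathcal{O}_K \cap N_{L/K} \mathbb{A}_L^{\times} \mid (\beta, \mathfrak{n}) = 1,\ \deg \beta = d\}$$

where $\mathcal{O}_K = \mathbb{F}_q[t^{p^{-i}}]$ and $\deg \beta$ is the degree with respect to the variable $t^{p^{-i}}$. Defining

$$N_{\mathrm{glob}}(L/K, \mathfrak{n}, d) = \#\{\beta \in \mathcal{O}_K \cap N_{L/K} L^{\times} \mid (\beta, \mathfrak{n}) = 1,\ \deg \beta = d\},$$

and

$$N_{\mathrm{loc}}(L/K, \mathfrak{n}, d) = \#\{\beta \in \mathcal{O}_K \cap N_{L/K} \mathbb{A}_L^{\times} \mid (\beta, \mathfrak{n}) = 1,\ \deg \beta = d\}$$

gives

$$N_{\mathrm{glob}}(L/\mathbb{F}_q(t), \mathfrak{n}, d) = N_{\mathrm{glob}}(L/K, \mathfrak{n}, d), \tag{9}$$

and

$$N_{\mathrm{loc}}(L/\mathbb{F}_q(t), \mathfrak{n}, d) = N_{\mathrm{loc}}(L/K, \mathfrak{n}, d). \tag{10}$$

This allows us to restrict to the finite separable extension $L/K$ in order to prove Theorems 1 and 2. We now list two further consequences of Lemma 2 that will be used in the proofs of our main results.

Corollary 1 In the setting of Lemma 2, we have

$$\mathbb{F}_q^{\times} \cap N_{L/\mathbb{F}_q(t)} \mathbb{A}_L^{\times} = \mathbb{F}_q^{\times} \cap N_{L/K} \mathbb{A}_L^{\times}$$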


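and

$$\mathbb{F}_q^{\times} \cap N_{L/\mathbb{F}_q(t)} L^{\times} = \mathbb{F}_q^{\times} \cap N_{L/K} L^{\times}.$$

Proof This follows from Lemma 2, since $\alpha \mapsto \alpha^{p^{-i}}$ is an automorphism of $\mathbb{F}_q^{\times}$.

Corollary 2 In the setting of Lemma 2, the map $\alpha \mapsto \alpha^{p^{-i}}$ induces an isomorphism

$$\mathfrak{K}(L/\mathbb{F}_q(t)) \xrightarrow{\ \sim\ } \mathfrak{K}(L/K).$$

Proof This follows immediately from Lemma 2.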

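3 Proof of Our Main Results

In order to prove Theorem 2, we will adapt the strategy of Cohen and Odoni in [7] to the case of everywhere local norms. Define indicator functions on $I_K$ as follows:

$$\delta(\mathfrak{a}) = \begin{cases} 1 & \text{if } \mathfrak{a} \in N_{L/K} I_L, \\ 0 & \text{otherwise,} \end{cases}$$

$$\delta_{\mathrm{loc}}(\mathfrak{a}) = \begin{cases} 1 & \text{if } \mathfrak{a} = (\beta) \text{ for some } \beta \in K^{\times} \cap N_{L/K} \mathbb{A}_L^{\times}, \\ 0 & \text{otherwise,} \end{cases}$$

$$\delta_{\mathrm{glob}}(\mathfrak{a}) = \begin{cases} 1 & \text{if } \mathfrak{a} = (N_{L/K}(\alpha)) \text{ for some } \alpha \in L^{\times}, \\ 0 & \text{otherwise.} \end{cases}$$

Lemma 3 We have

$$N_{\mathrm{loc}}(L/\mathbb{F}_q(t), \mathfrak{n}, d) = \kappa_{\mathrm{loc}} \sum_{\substack{\mathfrak{a} \subset \mathcal{O}_K \\ (\mathfrak{a}, \mathfrak{n}) = 1 \\ \deg \mathfrak{a} = d}} \delta_{\mathrm{loc}}(\mathfrak{a})$$

and

$$N_{\mathrm{glob}}(L/\mathbb{F}_q(t), \mathfrak{n}, d) = \kappa_{\mathrm{glob}} \sum_{\substack{\mathfrak{a} \subset \mathcal{O}_K \\ (\mathfrak{a}, \mathfrak{n}) = 1 \\ \deg \mathfrak{a} = d}} \delta_{\mathrm{glob}}(\mathfrak{a}).$$

Proof The terms $\kappa_{\mathrm{loc}}$ and $\kappa_{\mathrm{glob}}$ are there to account for the difference between elements of $\mathcal{O}_K$ and principal integral ideals of $\mathcal{O}_K$. Now the result follows from (9) and (10).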


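The next step is to show that the ideal generated by an everywhere local norm from $L/K$ is the norm of a fractional ideal of $\mathcal{O}_L$. This is the content of Corollary 3 below.

Lemma 4 Let $\alpha \in K$. Then $(\alpha) \in N_{L/K}(I_L)$ if and only if for every finite place $\mathfrak{p}$ the greatest common divisor of the residue degrees $f_{\mathfrak{q}/\mathfrak{p}}$ of the places $\mathfrak{q}$ above $\mathfrak{p}$ divides $\operatorname{ord}_{\mathfrak{p}}(\alpha)$.

Corollary 3 If $\alpha \in K^{\times} \cap N_{L/K}(\mathbb{A}_L^{\times})$ then $(\alpha) \in N_{L/K}(I_L)$.

Proof of Lemma 4 and Corollary 3 Lemma 4 and Corollary 3 are the global function field analogues of [6, Lemma 2.1] and [6, Corollary 2.2]. The same proofs work.

Using Lemma 2 to move between $L/\mathbb{F}_q(t)$ and $L/K$, Corollary 3 means that a first approximation for $N_{\mathrm{loc}}(L/\mathbb{F}_q(t), \mathfrak{n}, d)$ is given by

$$\sum_{\substack{\mathfrak{a} \subset \mathcal{O}_K \\ (\mathfrak{a}, \mathfrak{n}) = 1 \\ \deg \mathfrak{a} = d}} \delta(\mathfrak{a}) \tag{11}$$

which counts integral ideals of $\mathbb{F}_q[t]$, coprime to $\mathfrak{n}$ and of degree $d$, that are norms of fractional ideals of $\mathcal{O}_L$. In [7, Theorem IIA], Cohen and Odoni give an asymptotic formula for (11) by studying the Dirichlet series

$$f(\mathfrak{n}, t) = \sum_{\substack{\mathfrak{a} \subset \mathcal{O}_K \\ (\mathfrak{a}, \mathfrak{n}) = 1}} \delta(\mathfrak{a})\, t^{\deg(\mathfrak{a})}, \qquad |t| < q^{-1}.$$

They then go on to analyse the behaviour of the Dirichlet series

$$f_{\mathrm{glob}}(\mathfrak{n}, t) = \sum_{\substack{\mathfrak{a} \subset \mathcal{O}_K \\ (\mathfrak{a}, \mathfrak{n}) = 1}} \delta_{\mathrm{glob}}(\mathfrak{a})\, t^{\deg(\mathfrak{a})}, \qquad |t| < q^{-1},$$

by expressing $\delta_{\mathrm{glob}}$ in terms of $\delta$ and a sum over the characters of a certain finite abelian group coming from class field theory. With some work, this allows them to deduce an asymptotic formula for $N_{\mathrm{glob}}(L/\mathbb{F}_q(t), \mathfrak{n}, d)$ in [7, Theorem IIB]. We seek to employ the same strategy to analyse the behaviour of the Dirichlet series

$$f_{\mathrm{loc}}(\mathfrak{n}, t) = \sum_{\substack{\mathfrak{a} \subset \mathcal{O}_K \\ (\mathfrak{a}, \mathfrak{n}) = 1}} \delta_{\mathrm{loc}}(\mathfrak{a})\, t^{\deg(\mathfrak{a})}, \qquad |t| < q^{-1},$$

and thereby prove Theorem 2. This requires us to express $\delta_{\mathrm{loc}}$ in terms of $\delta$ and a sum over the characters of a finite abelian group. This is achieved in Lemma 6 after some class field theoretic preliminaries.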


3.1 Class Field Theory

We begin by recalling some essential facts. Let $\mathfrak{m}$ be an effective divisor of a global function field $F$. Let $D_{\mathfrak{m}}(F)$ denote the group of divisors of $F$ with support disjoint from the support of $\mathfrak{m}$. Write $P_{\mathfrak{m}}(F)$ for the subgroup of $D_{\mathfrak{m}}(F)$ consisting of principal divisors $\operatorname{div}(f)$ such that $f \in F^{\times}$ satisfies $\operatorname{ord}_{\mathfrak{p}}(f - 1) \ge \operatorname{ord}_{\mathfrak{p}} \mathfrak{m}$ for all places $\mathfrak{p}$ in the support of $\mathfrak{m}$. The ray class group of $F$ modulo $\mathfrak{m}$ is defined to be $\mathrm{Cl}_{\mathfrak{m}}(F) = D_{\mathfrak{m}}(F)/P_{\mathfrak{m}}(F)$. The group $\mathrm{Cl}_{\mathfrak{m}}(F)$ is never finite. However, its degree zero part $\mathrm{Cl}^0_{\mathfrak{m}}(F) = \{[\mathfrak{d}] \in \mathrm{Cl}_{\mathfrak{m}}(F) \mid \deg \mathfrak{d} = 0\}$ is finite, see [26, p.139], for example.

Class field theory gives a one-to-one correspondence between the subgroups of finite index of the ray class group $\mathrm{Cl}_{\mathfrak{m}}(F)$ and the finite abelian extensions of $F$ that are unramified away from $\mathfrak{m}$. The correspondence is via the Artin map which gives a canonical isomorphism $A_{E/F} : \mathrm{Cl}_{\mathfrak{m}}(F)/H \xrightarrow{\ \sim\ } \operatorname{Gal}(E/F)$, where $E/F$ is the extension associated to the subgroup $H$. In particular, the places that split completely in $E/F$ are precisely the places in $H$. We expect that the following proposition is well known, but we give the proof here for completeness.

Proposition 1 Let $F$ be a global function field, let $\mathfrak{m}$ be an effective divisor of $F$ and let $H$ be a subgroup of the ray class group $\mathrm{Cl}_{\mathfrak{m}}(F)$. Then $H$ has finite index in $\mathrm{Cl}_{\mathfrak{m}}(F)$ if and only if $H$ contains a divisor class of nonzero degree.

Proof Let $n$ be the smallest non-negative degree of a divisor class in $H$ and consider the following commutative diagram with exact rows:

The degree map in the bottom row is surjective since $\mathrm{Cl}_{\mathfrak{m}}(F)$ surjects onto $\mathrm{Cl}_{\mathfrak{n}}(F)$ for any $\mathfrak{n} \mid \mathfrak{m}$. In particular, $\mathrm{Cl}_{\mathfrak{m}}(F)$ surjects onto the class group of $F$ [23, Thm 1.7] and it is well known that the degree map from the class group surjects onto $\mathbb{Z}$. Now the snake lemma gives an exact sequence

$$0 \to \frac{\mathrm{Cl}^0_{\mathfrak{m}}(F)}{\mathrm{Cl}^0_{\mathfrak{m}}(F) \cap H} \to \frac{\mathrm{Cl}_{\mathfrak{m}}(F)}{H} \to \mathbb{Z}/n\mathbb{Z} \to 0.$$


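Since $\mathrm{Cl}^0_{\mathfrak{m}}(F)$ is finite, we deduce that $\mathrm{Cl}_{\mathfrak{m}}(F)/H$ is finite if and only if $n \neq 0$.

Now define two subgroups of $I_L$:

$$H_{\mathrm{glob}} = \{\mathfrak{a} \in I_L \mid N_{L/K} \mathfrak{a} = (N_{L/K}(\alpha)) \text{ for some } \alpha \in L^{\times}\}$$

and

$$H_{\mathrm{loc}} = \{\mathfrak{a} \in I_L \mid N_{L/K} \mathfrak{a} = (\beta) \text{ for some } \beta \in K^{\times} \cap N_{L/K} \mathbb{A}_L^{\times}\}.$$

In [7, §3], Cohen and Odoni show that

$$P_{\infty}(L) = \{(\beta) \in I_L \mid \beta \equiv 1 \pmod{\mathfrak{p}}\ \forall \mathfrak{p} \mid \infty\} \subset H_{\mathrm{glob}}.$$

They also show that $H_{\mathrm{glob}}$ contains an ideal of nonzero degree (see Lemma 9 for a proof that $H_{\mathrm{glob}}$ contains an ideal of degree $h$). Proposition 1 therefore shows that $H_{\mathrm{glob}}$ defines a ray class field $L_{\mathrm{glob}}/L$ unramified outside the infinite places with $\operatorname{Gal}(L_{\mathrm{glob}}/L) = I_L/H_{\mathrm{glob}}$. Since $N_{L/K} L^{\times} \subset K^{\times} \cap N_{L/K} \mathbb{A}_L^{\times}$ we have $H_{\mathrm{glob}} \subset H_{\mathrm{loc}}$. Therefore, $H_{\mathrm{loc}}$ defines a ray class field $L_{\mathrm{loc}} \subset L_{\mathrm{glob}}$ unramified outside the infinite places with $\operatorname{Gal}(L_{\mathrm{loc}}/L) = I_L/H_{\mathrm{loc}}$.

Lemma 5 The norm map $N_{L/K}$ gives isomorphisms

$$I_L/H_{\mathrm{glob}} \xrightarrow{\ \sim\ } \frac{N_{L/K} I_L}{\{(N_{L/K}(\alpha)) \mid \alpha \in L^{\times}\}}$$

and

$$I_L/H_{\mathrm{loc}} \xrightarrow{\ \sim\ } \frac{N_{L/K} I_L}{\{(\beta) \mid \beta \in K^{\times} \cap N_{L/K} \mathbb{A}_L^{\times}\}}.$$

We denote the quotient groups on the right-hand sides by $G_{\mathrm{glob}}$ and $G_{\mathrm{loc}}$, respectively.

Proof By Corollary 3, $\{(\beta) \mid \beta \in K^{\times} \cap N_{L/K} \mathbb{A}_L^{\times}\} \subset N_{L/K} I_L$ so the second map is well defined. The rest is clear.

The next lemma is a direct consequence of orthogonality of characters, as in [7, §3].

Lemma 6 For all $\mathfrak{a} \in I_K$,

$$\delta_{\mathrm{glob}}(\mathfrak{a}) = \frac{\delta(\mathfrak{a})}{\#G_{\mathrm{glob}}} \sum_{\chi \in (G_{\mathrm{glob}})^{\vee}} \chi(\mathfrak{a}), \quad \text{and}$$

$$\delta_{\mathrm{loc}}(\mathfrak{a}) = \frac{\delta(\mathfrak{a})}{\#G_{\mathrm{loc}}} \sum_{\chi \in (G_{\mathrm{loc}})^{\vee}} \chi(\mathfrak{a})$$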


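where $G^{\vee}$ denotes the group of characters of an abelian group $G$. Lemma 6 has the following immediate consequence:

Corollary 4 For $|t| < q^{-1}$,

$$f_{\mathrm{glob}}(\mathfrak{n}, t) = \frac{1}{\#G_{\mathrm{glob}}} \sum_{\chi \in (G_{\mathrm{glob}})^{\vee}} f(\mathfrak{n}, t, \chi), \quad \text{and}$$

$$f_{\mathrm{loc}}(\mathfrak{n}, t) = \frac{1}{\#G_{\mathrm{loc}}} \sum_{\chi \in (G_{\mathrm{loc}})^{\vee}} f(\mathfrak{n}, t, \chi),$$

where

$$f(\mathfrak{n}, t, \chi) = \sum_{\substack{\mathfrak{a} \subset \mathcal{O}_K \\ (\mathfrak{a}, \mathfrak{n}) = 1}} \delta(\mathfrak{a})\, \chi(\mathfrak{a})\, t^{\deg(\mathfrak{a})}.$$

Let $F_{\mathrm{glob}}$ and $F_{\mathrm{loc}}$ denote the degrees of the constant field extensions in $L_{\mathrm{glob}}/L$ and $L_{\mathrm{loc}}/L$, respectively. Now [7, Theorem IIB] shows that if $d$ is a large multiple of $f F_{\mathrm{glob}}$, then $N_{\mathrm{glob}}(L/\mathbb{F}_q(t), \mathfrak{n}, d)$ is asymptotically

Fglob κglob C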

  √   q d d B−1 −1  λn {1 + O d −A ω4 (n) } + O q d/2 e2 dω(n) [Lglob : L]

(12)

where B and C are as in Theorem 2 and A is a positive constant depending only on L/Fq (t). This result is proved using the expression for fglob (n, t) given in Corollary 4. (To be completely accurate, we note that Cohen and Odoni give a superficially different expression for fglob (n, t) in [7, (3.1)], owing to their use of IL /Hglob in place of the isomorphic group Gglob .) Employing the exact analogue of the proof of [7, Theorem IIB] with floc (n, t) in place of fglob (n, t) shows that if d is a large multiple of f Floc , then Nloc (L/Fq (t), n, d) is asymptotically Floc κloc C

  √   q d d B−1 −1 λn {1 + O d −A ω4 (n) } + O q d/2 e2 dω(n) [Lloc : L]

(13)

where A, B and C are as in Theorem 2. Therefore, to complete the proof of Theorem 2, it remains to show that Floc = h, where h is as defined in (1). In fact, we go further and prove in Theorem 4 that Floc = Fglob = h.

3.2 Constant Fields

Recall from (1) that $h = \gcd\{\deg \mathfrak{p} \mid \mathfrak{p} \text{ infinite place of } L\}$.


Our main aim in this subsection is to complete the proof of Theorem 2 by proving the following result:

Theorem 4 The full constant fields of $L_{\mathrm{glob}}$ and $L_{\mathrm{loc}}$ are both equal to $\mathbb{F}_{q^{fh}}$.

The first step towards the proof of Theorem 4 is to prove Theorem 3. This requires the following result of Hess and Massierer:

Lemma 7 ([15, Lemma 3.2]) Let $F$ be a global function field with full constant field $\mathbb{F}_q$ and let $F'/F$ be a constant field extension of finite degree. Then $\mathrm{Gal}(F'/F)$ is generated by the Frobenius automorphism $\varphi$ and the Artin map $A_{F'/F} : D(F) \to \mathrm{Gal}(F'/F)$ is given by $A_{F'/F}(\mathfrak{d}) = \varphi^{\deg \mathfrak{d}}$. The zero divisor of $F$ is a modulus of $F'/F$.

Proof of Theorem 3 Let $E$ denote the ray class field corresponding to $H$ and suppose that the full constant field of $E$ is $\mathbb{F}_{q^s}$. Let $\mathfrak{d}$ be a divisor in $H$. Then $\mathfrak{d}$ is in the kernel of the Artin map for $E/F$. Therefore, $\mathfrak{d}$ is in the kernel of the Artin map for the constant subextension $\mathbb{F}_{q^s}F/F$ of degree $s$. By Lemma 7, this implies that $s \mid \deg \mathfrak{d}$. We deduce that $s \mid r$, by the definition of $r$. We will complete the proof by showing that $r \mid s$. It suffices to show that $\mathbb{F}_{q^r} \subset E$. Let $\mathfrak{p}$ be a place in $H$, in other words a place that splits completely in $E/F$. Then $r \mid \deg \mathfrak{p}$, since $r$ is the greatest common divisor of the degrees of the divisors in $H$. Now Lemma 7 shows that $\mathfrak{p}$ splits completely in the degree $r$ constant extension $\mathbb{F}_{q^r}F/F$. Therefore, $\mathbb{F}_{q^r} \subset E$ by the Chebotarev density theorem.

To complete the proof of Theorem 4 we need the following auxiliary results:

Lemma 8 Let $L/\mathbb{F}_q(t)$ be a finite extension and let $\alpha \in L^\times$. Then

$$\deg(\alpha) = -\sum_{\mathfrak{p} \mid \infty} \operatorname{ord}_{\mathfrak{p}} \alpha \cdot \deg \mathfrak{p}.$$

Proof Recall that by the degree of a fractional ideal of $\mathcal{O}_L$, we mean the degree of the associated divisor of $L$, as explained in Sect. 2. The divisor corresponding to $(\alpha) = \prod_{\mathfrak{p} \nmid \infty} \mathfrak{p}^{\operatorname{ord}_{\mathfrak{p}} \alpha}$ is $\sum_{\mathfrak{p} \nmid \infty} \operatorname{ord}_{\mathfrak{p}} \alpha \cdot \mathfrak{p}$. Moreover,

$$\operatorname{div} \alpha = \sum_{\mathfrak{p}} \operatorname{ord}_{\mathfrak{p}} \alpha \cdot \mathfrak{p} = \sum_{\mathfrak{p} \nmid \infty} \operatorname{ord}_{\mathfrak{p}} \alpha \cdot \mathfrak{p} + \sum_{\mathfrak{p} \mid \infty} \operatorname{ord}_{\mathfrak{p}} \alpha \cdot \mathfrak{p}.$$

Taking degrees yields the result since $\deg(\operatorname{div} \alpha) = 0$.


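Lemma 9 $H_{\mathrm{glob}}$ contains an ideal of degree $h$.

Proof Let $\mathfrak{p}_1, \dots, \mathfrak{p}_n$ be the infinite places of $L$ and let $a_1, \dots, a_n \in \mathbb{Z}$ be such that

$$\sum_{i=1}^{n} a_i \deg \mathfrak{p}_i = h. \tag{14}$$

Choose $\alpha \in L^\times$ such that $\operatorname{ord}_{\mathfrak{p}_i} \alpha = -a_i$ for $i = 1, \dots, n$. The principal fractional ideal $(\alpha)$ of $\mathcal{O}_L$ is in $H_{\mathrm{glob}}$ by definition of $H_{\mathrm{glob}}$. It follows from Lemma 8 that $\deg(\alpha) = h$.

Lemma 10 Let $\mathfrak{a} \in H_{\mathrm{loc}}$. Then $h \mid \deg \mathfrak{a}$.

Proof Since $\mathfrak{a} \in H_{\mathrm{loc}}$, there exists $\beta \in K^\times \cap N_{L/K}\mathbb{A}_L^\times$ with $N_{L/K}\mathfrak{a} = (\beta)$. Write $\mathfrak{a} = \prod \mathfrak{q}_i^{a_i}$, where the $\mathfrak{q}_i$ are prime ideals in $\mathcal{O}_L$ and the $a_i$ are integers. Now

$$(\beta) = N_{L/K}\mathfrak{a} = \prod N_{L/K}(\mathfrak{q}_i)^{a_i} = \prod \mathfrak{p}_i^{a_i f_{\mathfrak{q}_i/\mathfrak{p}_i}} \tag{15}$$

where $\mathfrak{p}_i = \mathfrak{q}_i \cap \mathcal{O}_K$. Recall that the full constant field of $K$ is $\mathbb{F}_q$ and the full constant field of $L$ is $\mathbb{F}_{q^f}$ so $f_{\mathfrak{q}_i/\mathfrak{p}_i} \deg \mathfrak{p}_i = f \deg \mathfrak{q}_i$. Now taking degrees in (15) gives

$$\deg(\beta) = \sum a_i f_{\mathfrak{q}_i/\mathfrak{p}_i} \deg \mathfrak{p}_i = f \sum a_i \deg \mathfrak{q}_i = f \deg \mathfrak{a}. \tag{16}$$

Since $\beta \in K^\times \cap N_{L/K}\mathbb{A}_L^\times$, for every place $\mathfrak{p}$ of $K$ there exists $(\gamma_{\mathfrak{q}})_{\mathfrak{q}} \in \prod_{\mathfrak{q} \mid \mathfrak{p}} L_{\mathfrak{q}}^\times$ such that

$$\beta = \prod_{\mathfrak{q} \mid \mathfrak{p}} N_{L_{\mathfrak{q}}/K_{\mathfrak{p}}}(\gamma_{\mathfrak{q}}). \tag{17}$$

Therefore,

$$\operatorname{ord}_{\mathfrak{p}} \beta = \sum_{\mathfrak{q} \mid \mathfrak{p}} \operatorname{ord}_{\mathfrak{p}}(N_{L_{\mathfrak{q}}/K_{\mathfrak{p}}}(\gamma_{\mathfrak{q}})) = \sum_{\mathfrak{q} \mid \mathfrak{p}} f_{\mathfrak{q}/\mathfrak{p}} \operatorname{ord}_{\mathfrak{q}} \gamma_{\mathfrak{q}} \tag{18}$$

whereby Lemma 8 gives

$$\deg(\beta) = -\sum_{\mathfrak{p} \mid \infty} \operatorname{ord}_{\mathfrak{p}} \beta \cdot \deg \mathfrak{p} = -\sum_{\mathfrak{p} \mid \infty} \deg \mathfrak{p} \sum_{\mathfrak{q} \mid \mathfrak{p}} f_{\mathfrak{q}/\mathfrak{p}} \operatorname{ord}_{\mathfrak{q}} \gamma_{\mathfrak{q}} = -f \sum_{\mathfrak{q} \mid \infty} \operatorname{ord}_{\mathfrak{q}} \gamma_{\mathfrak{q}} \cdot \deg \mathfrak{q}. \tag{19}$$

Combining (16) and (19) gives

$$\deg \mathfrak{a} = -\sum_{\mathfrak{q} \mid \infty} \operatorname{ord}_{\mathfrak{q}} \gamma_{\mathfrak{q}} \deg \mathfrak{q}.$$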


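By definition of $h$, we have $h \mid \deg \mathfrak{q}$ for all infinite places $\mathfrak{q}$ of $L$. Therefore, $h \mid \deg \mathfrak{a}$.

Corollary 5 We have $h = \gcd\{\deg \mathfrak{a} \mid \mathfrak{a} \in H_{\mathrm{glob}}\} = \gcd\{\deg \mathfrak{a} \mid \mathfrak{a} \in H_{\mathrm{loc}}\}$.

Proof Let $d_g = \gcd\{\deg \mathfrak{a} \mid \mathfrak{a} \in H_{\mathrm{glob}}\}$ and $d = \gcd\{\deg \mathfrak{a} \mid \mathfrak{a} \in H_{\mathrm{loc}}\}$. By Lemma 9, $H_{\mathrm{glob}}$ contains an ideal of degree $h$, whereby $d_g \mid h$. Since $H_{\mathrm{glob}} \subset H_{\mathrm{loc}}$, we also have $d \mid d_g$ and hence $d \mid h$. By Lemma 10, $h \mid \deg \mathfrak{a}$ for every $\mathfrak{a} \in H_{\mathrm{loc}}$, whereby $h \mid d$ and hence $h = d = d_g$.

Now Theorem 4 follows from Theorem 3 and Corollary 5. In addition, Theorem 2 follows from (13) and Theorem 4.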

3.3 Proof of Theorem 1

By Theorem 4, $L_{\mathrm{loc}}$ and $L_{\mathrm{glob}}$ both have full constant field $\mathbb{F}_{q^{fh}}$. Now taking the quotient of (12) by (13) and letting $d \to \infty$ via multiples of $fh$ gives

$$\lim_{\substack{d \to \infty \\ fh \mid d}} \frac{N_{\mathrm{glob}}(L/\mathbb{F}_q(t), n, d)}{N_{\mathrm{loc}}(L/\mathbb{F}_q(t), n, d)} = \frac{\kappa_{\mathrm{glob}}}{\kappa_{\mathrm{loc}}} \cdot \frac{1}{[L_{\mathrm{glob}} : L_{\mathrm{loc}}]}. \tag{20}$$

The following lemma completes the proof of Theorem 1:

Lemma 11 The sequence

$$1 \to \frac{\mathbb{F}_q^\times \cap N_{L/K}\mathbb{A}_L^\times}{\mathbb{F}_q^\times \cap N_{L/K}L^\times} \to \mathfrak{K}(L/K) \to \frac{\{(\beta) \mid \beta \in K^\times \cap N_{L/K}\mathbb{A}_L^\times\}}{\{(N_{L/K}(\alpha)) \mid \alpha \in L^\times\}} \to 1$$

is exact. Consequently,

$$\#\mathfrak{K}(L/\mathbb{F}_q(t)) = \frac{\kappa_{\mathrm{loc}}}{\kappa_{\mathrm{glob}}} \cdot [L_{\mathrm{glob}} : L_{\mathrm{loc}}].$$

Proof The right-hand map is given by $\beta \mapsto (\beta)$. The exactness of the sequence is easily verified. The right-hand term is the kernel of the natural surjection $G_{\mathrm{glob}} \twoheadrightarrow G_{\mathrm{loc}}$. The size of this kernel is $\#G_{\mathrm{glob}}/\#G_{\mathrm{loc}} = [L_{\mathrm{glob}} : L_{\mathrm{loc}}]$. Now the result follows by the definitions of $\kappa_{\mathrm{glob}}$ and $\kappa_{\mathrm{loc}}$ in (3), together with Corollaries 1 and 2.

Acknowledgments This project began at the Women in Numbers Europe 3 workshop in August 2019. We are grateful to the organisers for bringing us together and to the Henri Lebesgue Center for providing us with an excellent working environment to get this project underway. We thank Alp Bassa, Titus Hilberdink, Yiannis Petridis and Efthymios Sofos for useful discussions. We are grateful to the anonymous referee for useful feedback which improved the paper. MAGMA [4] was used to investigate examples. Rachel Newton was supported by EPSRC grant EP/S004696/1 and UKRI Future Leaders Fellowship MR/T041609/1. Ekin Ozman conducted part of this research while she was at MPIM-Bonn and would like to express her gratitude for excellent working conditions.


References

1. S. Bae and H. Jung. Central extensions and Hasse norm principle over function fields. Tokyo J. Math., 24(1):93–106, 2001.
2. H.-J. Bartels. Zur Arithmetik von Konjugationsklassen in algebraischen Gruppen. J. Algebra, 70(1):179–199, 1981.
3. H.-J. Bartels. Zur Arithmetik von Diedergruppenerweiterungen. Math. Ann., 256:465–474, 1981.
4. W. Bosma, J. J. Cannon, C. Fieker, and A. Steel, editors. Handbook of Magma Functions (V2.24). Computational Algebra Group, University of Sydney, 2018. http://magma.maths.usyd.edu.au.
5. T. D. Browning. How often does the Hasse principle hold? In Algebraic Geometry: Salt Lake City 2015, volume 97 of Proc. Sympos. Pure Math., pages 89–102. Amer. Math. Soc., 2018.
6. T. D. Browning and R. Newton. The proportion of failures of the Hasse norm principle. Mathematika, 62:337–347, 2016.
7. S. D. Cohen and R. W. K. Odoni. The Farey density of norm subgroups of global fields (II). Glasg. Math J., 18:57–67, 1977.
8. Y. A. Drakokhrust and V. P. Platonov. The Hasse norm principle for algebraic number fields. Math. USSR-Izv., 29:299–322, 1987.
9. C. Frei, D. Loughran, and R. Newton. The Hasse norm principle for abelian extensions. Amer. J. Math., 140(6):1639–168, 2018.
10. C. Frei, D. Loughran, and R. Newton. Number fields with prescribed norms. With an appendix by Y. Harpaz and O. Wittenberg, 2018. Available at: arXiv:1810.06024.
11. F. Gerth. The Hasse norm principle for abelian extensions of number fields. Bull. Amer. Math. Soc., 83:264–266, 1977.
12. S. Gurak. On the Hasse norm principle. J. reine angew. Math., 299/300:16–27, 1978.
13. S. Gurak. The Hasse norm principle in non-abelian extensions. J. reine angew. Math., 303/304:314–318, 1978.
14. H. Hasse. Beweis eines Satzes und Widerlegung einer Vermutung über das allgemeine Normenrestsymbol. Nachr. Ges. Wiss. Göttingen, Math. Phys. Kl., 1931:64–69, 1931.
15. F. Hess and M. Massierer. Tame class field theory for global function fields. J. Number Theory, 162:86–115, 2016.
16. M. Horie. The Hasse norm principle for elementary abelian extensions. Proc. Amer. Math. Soc., 118(1):47–56, 1993.
17. A. Hoshi, K. Kanai and A. Yamasaki. Norm one tori and Hasse norm principle. 2019. Available at: arXiv:1910.01469.
18. T. Kagawa. The Hasse norm principle for the maximal real subfield of cyclotomic fields. Tokyo J. Math., 18:221–229, 1995.
19. H. Koch. Number Theory: Algebraic Numbers and Functions. Grad. Stud. Math. Amer. Math. Soc., 2000.
20. A. Macedo. The Hasse norm principle for $A_n$-extensions. J. Number Theory, 211:500–512, 2020.
21. A. Macedo. Local-global principles for norms. PhD thesis, University of Reading, 2021. Available at: https://www.reading.ac.uk/web/files/maths/MacedoTheses.pdf.
22. A. Macedo and R. Newton. Explicit methods for the Hasse norm principle and applications to $A_n$ and $S_n$ extensions. Math. Proc. Camb. Philos. Soc., First View, 1–41, 2021. https://doi.org/10.1017/S0305004121000268
23. J. S. Milne. Class Field Theory. Available at: https://www.jmilne.org/math/CourseNotes/CFT.pdf.
24. M. J. Razar. Central and genus class fields and the Hasse norm theorem. Compos. Math., 35(3):281–298, 1977.
25. N. Rome. The Hasse norm principle for biquadratic extensions. J. Théor. Nombres Bordeaux, 30(3):947–964, 2018.
26. M. Rosen. Number Theory in Function Fields, volume 210 of Grad. Texts in Math. Springer, 2002.
27. J. T. Tate. Global class field theory. In J. W. S. Cassels and A. Fröhlich, editors, Algebraic number theory, pages 162–203. Academic Press Inc. [Harcourt Brace Jovanovich Publishers], London, 1986. Reprint of the 1967 original.
28. D. Wei. The unramified Brauer group of norm one tori. Adv. Math., 254:642–663, 2014.

Asymptotics of Class Numbers for Real Quadratic Fields

Nicole Raulf

MSC Codes (2020) 11E41

This work was supported in part by the Labex CEMPI (ANR-11-LABX-0007-01).

N. Raulf, Univ. Lille, CNRS, UMR 8524 – Laboratoire Paul Painlevé, Lille, France

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_10

1 Introduction

An important question in number theory is the asymptotic behaviour of class numbers. In this paper we will be interested in class numbers of real quadratic fields. However, those are closely related to class numbers of binary quadratic forms so that we will mostly use the language of quadratic forms. Let $\mathcal{D}$ be the set of all positive discriminants $d \equiv 0, 1 \bmod 4$ that are not a square and let $\mathcal{D}_F$ be the set of all fundamental discriminants $d$. Furthermore, we introduce the sets $\mathcal{D}^-$ and $\mathcal{D}_F^-$ that contain those discriminants and fundamental discriminants, respectively, for which the negative Pell equation $t^2 - du^2 = -4$ has a solution. For $d \in \mathcal{D}$ we denote the class number in the narrow sense of primitive binary quadratic forms of discriminant $d$ by $h_d^+$ and the fundamental solution of the Pell equation $t^2 - du^2 = 4$ by $\varepsilon_d^+$. If the negative Pell equation $t^2 - du^2 = -4$ also has a solution, its fundamental solution is $\varepsilon_d$. Then $\varepsilon_d^2 = \varepsilon_d^+$. If $d$ is a fundamental discriminant, then $h_d^+$ and $\log \varepsilon_d^+$ are closely related to the class number $H(K)$ and the regulator $\mathrm{Reg}(K)$ of the real quadratic field $K = \mathbb{Q}(\sqrt{d})$. Namely, if the negative Pell equation has a solution, then $h_d^+ = H(K)$ and $\log \varepsilon_d^+ = 2\,\mathrm{Reg}(K)$, otherwise $h_d^+ = 2H(K)$ and $\log \varepsilon_d^+ = \mathrm{Reg}(K)$. Thus we can use the language of quadratic forms to investigate class numbers of real quadratic fields.

One mathematician who advanced the theory of quadratic forms considerably was Gauß and in his Disquisitiones Arithmeticae he gave an asymptotic formula for the mean value of $h_d^+ \log \varepsilon_d^+$ as $d \to \infty$ (see [Gau86]). Note that he only considered quadratic forms with discriminant $d \equiv 0 \bmod 4$. The first proof of this statement that was written down was given by Siegel [Sie44] who was also able to consider all discriminants and gave an error term. Using the theory of prehomogeneous vector spaces Shintani [Shi75] improved this error term. The corresponding formula for the case that we restrict to fundamental discriminants was given by Datskowsky [Dat93] (see also [Tan07]) and Goldfeld, Hoffstein [GH85]. Unfortunately, these formulae do not imply a mean value result for class numbers ordered by the discriminant as our limited knowledge of the solvability of the negative Pell equation prevents us from removing the factor $\log \varepsilon_d^+$. We refer the interested reader to the important paper of Fouvry and Klüners [FK10] that studies the negative Pell equation. However, if we change the ordering and order the class numbers with respect to the size of $\log \varepsilon_d^+$, then this obstacle disappears. Namely, using the Selberg trace formula and partial summation Sarnak [Sar82] proved that

$$\sum_{\substack{d \in \mathcal{D}, \\ \varepsilon_d^+ \le N}} h_d^+ = \operatorname{Li}(N^2) + O\left(N^{3/2} (\log N)^2\right)$$

as $N \to \infty$. Here $\operatorname{Li}(N) = \int_2^N 1/\log t \, dt$. In [Rau09] the class number formula is used to determine the corresponding behaviour for discriminants that belong to a given arithmetic progression or are fundamental discriminants. More precisely, it is proved that there exists an $\varepsilon > 0$ such that, as $N \to \infty$,

$$\sum_{\substack{d \in \mathcal{D}_F, \\ \varepsilon_d^+ \le N}} h_d^+ = \frac{25\zeta(3)}{16} \prod_{p \ge 2} \left(1 - 2p^{-2} - p^{-3}\right) \operatorname{Li}(N^2) + O\left(\frac{N^{2-\varepsilon}}{\log N}\right). \tag{1}$$

See [Roh19] for its relation to quaternionic Artin representations. Other results relating to the behaviour of class numbers obtained by using the class number formula can be found in [Bar66, Sar85]. Higher moments of class numbers and limit distributions of class numbers are discussed in [Bar66, Pet95, Rau16]. However, the result (1) falls short of proving an asymptotic result for class numbers of real quadratic fields ordered by their regulator as for this it is necessary to investigate the solutions of the negative Pell equation more closely (see [Rau09], Remark 5.5, p. 256). In this paper we fill this gap and prove an asymptotic formula for class numbers of real quadratic fields ordered by the size of their regulator using the class number formula.

Main Theorem Let $P_1 := \{p : p \text{ a prime}, p \equiv 1 \bmod 4\}$. There exists an $\varepsilon > 0$ such that, as $N \to \infty$,

$$\sum_{\mathrm{Reg}(K) \le \log N} H(K) = C \operatorname{Li}(N^2) + O\left(\frac{N^{2-\varepsilon}}{\log N}\right)$$

where

$$C = \frac{25\zeta(3)}{32} \prod_{p \ge 2} \left(1 - 2p^{-2} - p^{-3}\right) + \frac{3}{8} \prod_{p \in P_1} \frac{1 - 2p^{-2} - p^{-3}}{1 - p^{-3}}.$$

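Let $\mathcal{N}(N) := \left|\{d \in \mathcal{D}_F : \mathrm{Reg}(\mathbb{Q}(\sqrt{d})) \le \log N\}\right|$. As $\mathcal{N}(N) = \frac{15}{8} N + O(N^{1-\varepsilon})$ (see Corollary 3) we also obtain:

Corollary There exists an $\varepsilon > 0$ such that, as $N \to \infty$,

$$\frac{1}{\mathcal{N}(N)} \sum_{\mathrm{Reg}(K) \le \log N} H(K) = \frac{4C}{15} \operatorname{Li}(N) + O\left(\frac{N^{1-\varepsilon}}{\log N}\right).$$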

In order to prove our Main Theorem it remains to evaluate the asymptotic behaviour of

$$\sum_{\substack{d \in \mathcal{D}_F, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+.$$

This is done using the approach of [Rau09] which means we relate it to sums of the form

$$\sum_{d \in \widetilde{\mathcal{D}}} \frac{h_d^+ \log \varepsilon_d^+}{\sqrt{d}} \tag{2}$$

where $\widetilde{\mathcal{D}}$ is a certain subset of $\mathcal{D}$. By the class number formula the summands equal $L(1, \chi_d)$ with $\chi_d(n) = \left(\frac{d}{n}\right)$ being the Jacobi-Legendre symbol so that our problem becomes a problem of evaluating sums of Jacobi-Legendre symbols.

The paper is organized as follows: in Sect. 2 we introduce the notation that we will use and translate the problem of treating (2) into the language of L-functions using the class number formula. In this section we only consider those discriminants $d$ that belong to a given arithmetic progression $d \equiv a \bmod m$, $a \in \mathbb{N}_0$, $m \in \mathbb{N}$. We generalize the arguments previously used by [Bar66, Sar85] and [Rau09] so that we can restrict to discriminants for which the negative Pell equation has a solution. In Sect. 3 we determine the leading coefficients for $a = 0$ explicitly so that in Sect. 4 we can give the asymptotics for the case of fundamental discriminants. Finally, in Sect. 5 we determine the number of all fundamental discriminants $d \in \mathcal{D}_F^-$ for which $\varepsilon_d \le N$. While the results of this paper are obtained using the class number formula it is also possible to derive results for class numbers using the Selberg trace formula and a bijection between conjugacy classes of hyperbolic elements of $\mathrm{PSL}_2(\mathbb{Z})$ and equivalence classes of indefinite binary quadratic forms (see e.g. [Sar82]). In Sect. 6 we show how the Selberg trace formula for Hecke operators allows us to obtain mean value results for class numbers in the case that the generalized Pell equation $t^2 - du^2 = 4N$ has a solution. In [Has19] a mean value formula for class numbers ordered by the regulator is given for the case that $N$ is squarefree.

2 Asymptotics of Class Numbers in Progressions

In this section we prove an asymptotic result for class numbers in progressions ordered by the size of $\varepsilon_d$. For this we introduce the following subsets of $\mathcal{D}$: for $m \in \mathbb{N}$ and $a \in \mathbb{N}_0$ we define

$$\mathcal{D}_{m,a} := \{d \in \mathcal{D} : d \equiv a \bmod m\},$$
$$\mathcal{D}_{4,m,a} := \{d \in \mathcal{D}_{m,a} : d \equiv 0 \bmod 4\},$$
$$\mathcal{D}_{8,1,m,a} := \{d \in \mathcal{D}_{m,a} : d \equiv 1 \bmod 8\},$$
$$\mathcal{D}_{8,5,m,a} := \{d \in \mathcal{D}_{m,a} : d \equiv 5 \bmod 8\}.$$

If $a = 0$ we set $\mathcal{D}_m := \mathcal{D}_{m,0}$, $\mathcal{D}_{4,m} := \mathcal{D}_{4,m,0}$, $\mathcal{D}_{8,1,m} := \mathcal{D}_{8,1,m,0}$ and $\mathcal{D}_{8,5,m} := \mathcal{D}_{8,5,m,0}$. The distinction between $d \equiv 0 \bmod 4$, $d \equiv 1 \bmod 8$ and $d \equiv 5 \bmod 8$ is crucial for the evaluation of the leading term. Furthermore, we mention that by elementary considerations as in [FK10], p. 2036 the negative Pell equation $t^2 - du^2 = -4$ only has a possible solution if $d$ and $u$ are not divisible by a prime $p \equiv 3 \bmod 4$.

2.1 Reformulation of the Problem

We are interested in the asymptotic behaviour of

$$\sum_{\substack{(d,k),\ d \in \mathcal{D}_{m,a}, \\ k \ge 1,\ \varepsilon_d^k \le N}} h_d^+ \log \varepsilon_d^+$$

as $N \to \infty$. Note that only the term for $k = 1$ contributes to the main term, the remaining terms for $k > 1$ are absorbed in the error term. If $\varepsilon_d = \frac{1}{2}\left(t + u\sqrt{d}\right)$ is the fundamental solution of the negative Pell equation, all of its solutions are given by $\varepsilon_d^{2k+1} = \frac{1}{2}\left(t_k + u_k\sqrt{d}\right)$, $k \in \mathbb{Z}$, $t_k^2 - du_k^2 = -4$. This allows us to replace the summation over $k$ and $d$ by a summation over $t$ and $u$ where $\varepsilon_d \le N$ translates into $2 < t \le N - 1$ and $u \le N$. Furthermore, Lemma 1 shows that we can restrict the sum to small $u$s as large $u$s only contribute to the error term. If $t$ and $u$ are given, we denote the discriminant that is obtained through the negative Pell equation


t 2 − du2 = −4 by t2 + 4 . u2   Lemma 1 If m ∈ N, a ∈ N0 and δ ∈ 0, 12 , there exist > 0 and η > 0 such that, as N → ∞,      + + + η 2− . h+ log = h log + O m N d d d(t,u) d(t,u) d(t, u) :=

N δ 2 0, d0 (t0 , u) ≡ 1 mod 8, e > 0, d0 (t0 , u) ≡ 5 mod 8.  

Proof See [Rau09], Lemma 2.13, p. 230.

Furthermore, we have:

Lemma 4 If $e \equiv 0 \bmod 2$ we obtain:

$$\sum_{x \bmod p} \left(\frac{\phi^-_{m,u,t_0}(x)}{p}\right)^{e} = \begin{cases} p - 2, & (p, mu) = 1,\ p \equiv 1 \bmod 4, \\ p, & (p, mu) = 1,\ p \equiv 3 \bmod 4, \\ p - 1, & p \mid u,\ p \nmid m, \\ p \cdot \left(\frac{d_0(t_0,u)}{p}\right)^2, & p \mid m. \end{cases}$$

If $e \equiv 1 \bmod 2$ we get:

$$\sum_{x \bmod p} \left(\frac{\phi^-_{m,u,t_0}(x)}{p}\right)^{e} = \begin{cases} -1, & (p, mu) = 1, \\ 0, & p \mid u,\ p \nmid m, \\ p \cdot \left(\frac{d_0(t_0,u)}{p}\right), & p \mid m. \end{cases}$$

Proof This theorem follows from the same arguments as in the proof of [Rau09], Lemma 2.14, pp. 230–231. Note that $t^2 \equiv -4 \bmod p$ has no solutions if $p \equiv 3 \bmod 4$.

Using the previous two lemmata we obtain an explicit formula for $c_{8n}(\phi^-_{m,u,t_0})$:

Lemma 5 Let $P_1$ be the set of all primes $p$ that satisfy $p \equiv 1 \bmod 4$ and $P_3$ be the set of all primes $p$ that satisfy $p \equiv 3 \bmod 4$. Furthermore, if $n \in \mathbb{N}$ has the decomposition $8n = 2^{e_1+3} p_2^{e_2} \cdots p_k^{e_k}$, $e_1 \ge 0$, $e_j \ge 1$, $j = 2, \dots, k$, we define

$$F(m,u,t_0) := \prod_{\substack{p_j \in P_1,\ (p_j, mu) = 1, \\ e_j \equiv 0 \bmod 2}} p_j^{e_j - 1}(p_j - 2) \prod_{\substack{p_j \in P_3,\ (p_j, mu) = 1, \\ e_j \equiv 0 \bmod 2}} p_j^{e_j} \prod_{\substack{(p_j, mu) = 1, \\ e_j \equiv 1 \bmod 2}} \left(-p_j^{e_j - 1}\right) \prod_{\substack{p_j \in P_1, \\ p_j \mid u,\ p_j \nmid m}} p_j^{e_j - 1}(p_j - 1)$$
$$\times \prod_{\substack{p_j \mid m, \\ e_j \equiv 0 \bmod 2}} p_j^{e_j} \left(\frac{d_0(t_0,u)}{p_j}\right)^2 \prod_{\substack{p_j \mid m, \\ e_j \equiv 1 \bmod 2}} p_j^{e_j} \left(\frac{d_0(t_0,u)}{p_j}\right).$$

Then, if $n \in \mathbb{N}$ has the decomposition $8n = 2^{e_1+3} p_2^{e_2} \cdots p_k^{e_k}$, $e_j \ge 1$, $j = 1, \dots, k$, we get:

$$c_{8n}(\phi^-_{m,u,t_0}) = 8F(m,u,t_0) \begin{cases} 2^{e_1}, & d_0(t_0,u) \equiv 1 \bmod 8,\ e_j \equiv 0 \bmod 2\ \forall\, p_j \mid u,\ p_j \nmid m, \\ (-2)^{e_1}, & d_0(t_0,u) \equiv 5 \bmod 8,\ e_j \equiv 0 \bmod 2\ \forall\, p_j \mid u,\ p_j \nmid m, \\ 0, & \text{otherwise.} \end{cases}$$

If $n \in \mathbb{N}$ has the decomposition $8n = 2^3 p_2^{e_2} \cdots p_k^{e_k}$, $e_j \ge 1$, $j = 2, \dots, k$, then

$$c_{8n}(\phi^-_{m,u,t_0}) = 8F(m,u,t_0) \begin{cases} 1, & e_j \equiv 0 \bmod 2\ \forall\, p_j \mid u,\ p_j \nmid m, \\ 0, & \text{otherwise.} \end{cases}$$

Proof Using the results of Lemma 3 and of Lemma 4 we obtain the statement of the lemma as in [Rau09], pp. 232–233. Note that the fact that $t^2 - du^2 = -4$ implies that all odd prime divisors of $u$ are congruent to $1 \bmod 4$.

We therefore infer the following explicit formulae for the L-functions

$$C(s, \phi^-_{m,u,t_0}) := \sum_{n=1}^{\infty} \frac{c_{8n}(\phi^-_{m,u,t_0})}{8n^s}.$$

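Theorem 1 For $m \in \mathbb{N}$, $a \in \mathbb{N}_0$ and $u \in \mathbb{N}$ we define

$$P_a(m,u,s) := \zeta(2(s-1)) \prod_{\substack{p \in P_1, \\ (p, mu) = 1}} \left(1 - 2p^{1-2s} - p^{-s}\right) \prod_{\substack{p \in P_3, \\ (p, mu) = 1}} \left(1 - p^{-s}\right) \prod_{\substack{p \ge 3,\ p \mid u, \\ (p, m) = 1}} \left(1 - p^{1-2s}\right)$$
$$\times \prod_{\substack{p \ge 3,\ p \mid m, \\ d_0(t_0,u) \equiv 0 \bmod p}} \left(1 - p^{2(1-s)}\right) \prod_{\substack{p \ge 3,\ p \mid m, \\ d_0(t_0,u) \not\equiv 0 \bmod p}} \left(1 + \left(\frac{d_0(t_0,u)}{p}\right) p^{1-s}\right).$$

Note that $P_a(m,u,s)$ depends on $a$ via $d_0(t_0,u)$. Then we get for $\mathrm{Re}\, s > 1$:

$$C(s, \phi^-_{m,u,t_0}) = P_a(m,u,s) \begin{cases} 1 - 2^{2(1-s)} & \text{if } d_0(t_0,u) \in \mathcal{D}_{4,m,a}, \\ 1 + 2^{1-s} & \text{if } d_0(t_0,u) \in \mathcal{D}_{8,1,m,a}, \\ 1 - 2^{1-s} & \text{if } d_0(t_0,u) \in \mathcal{D}_{8,5,m,a}. \end{cases}$$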


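Proof Note that the multiplicativity of the coefficients of $C(s, \phi^-_{m,u,t_0})$ implies

$$C(s, \phi^-_{m,u,t_0}) = \left(\sum_{k=0}^{\infty} \frac{\frac{1}{8} c_{2^{k+3}}(\phi^-_{m,u,t_0})}{2^{ks}}\right) \prod_{p \ge 3} \left(\sum_{k=0}^{\infty} \frac{\frac{1}{8} c_{8p^k}(\phi^-_{m,u,t_0})}{p^{ks}}\right).$$

Most of these factors have already been calculated in [Rau09], pp. 234–236. We only have to determine the contribution of those primes $p \equiv 3 \bmod 4$ which are coprime to $mu$. For those we get

$$\sum_{k=0}^{\infty} \frac{\frac{1}{8} c_{8p^k}(\phi^-_{m,u,t_0})}{p^{ks}} = 1 + \sum_{k=1}^{\infty} \frac{1}{p^{2k(s-1)}} - \frac{1}{p^s} \sum_{k=0}^{\infty} \frac{1}{p^{2k(s-1)}} = \frac{1 - p^{-s}}{1 - p^{2(1-s)}}.$$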
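Added worked example (not part of the original paper): the same computation for a prime $p \in P_1$ with $(p, mu) = 1$, one of the factors the proof cites from [Rau09]. It uses only the values $\frac{1}{8} c_{8p^k}(\phi^-_{m,u,t_0}) = p^{k-1}(p-2)$ for even $k \ge 2$ and $-p^{k-1}$ for odd $k$ given by Lemma 5, and the abbreviation $x = p^{1-s}$ is introduced here for convenience. For $\mathrm{Re}\, s > 1$,

$$\sum_{k=0}^{\infty} \frac{\frac{1}{8} c_{8p^k}(\phi^-_{m,u,t_0})}{p^{ks}} = 1 + \frac{p-2}{p} \sum_{j \ge 1} x^{2j} - \frac{1}{p} \sum_{j \ge 0} x^{2j+1} = 1 + \frac{(1 - 2p^{-1})x^2 - p^{-1}x}{1 - x^2} = \frac{1 - 2p^{-1}x^2 - p^{-1}x}{1 - x^2} = \frac{1 - 2p^{1-2s} - p^{-s}}{1 - p^{2(1-s)}}.$$

The numerator is the factor $1 - 2p^{1-2s} - p^{-s}$ of $P_a(m,u,s)$, and the denominators $1 - p^{2(1-s)}$ are collected over all primes into $\zeta(2(s-1))$.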

For $s = 2$ we obtain the following result for the leading coefficients in Lemma 2:

Corollary 1 Let $m \in \mathbb{N}$, $a \in \mathbb{N}_0$ and $u \in \mathbb{N}$. Furthermore, we set

$$P_a(m,u) := \frac{P_a(m,u,2)}{\zeta(2)}.$$

Then we get:

$$C\left(2, \phi^-_{4,m,u,t_0}\right) = \frac{3\,\zeta(2)\,P_a(m,u)}{4},$$
$$C\left(2, \phi^-_{8,m,u,t_0}\right) = \frac{3\,\zeta(2)\,P_a(m,u)}{2} \quad \text{if } d_0(t_0,u) \equiv 1 \bmod 8 \text{ and}$$
$$C\left(2, \phi^-_{8,m,u,t_0}\right) = \frac{\zeta(2)\,P_a(m,u)}{2} \quad \text{if } d_0(t_0,u) \equiv 5 \bmod 8.$$

Note that these constants are independent of $t_0$.

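2.3 Estimating the Error Terms

First of all, let us bound the term of Lemma 2 involving the integral.

Lemma 6 Let $m \in \mathbb{N}$, $a \in \mathbb{N}_0$ and $\delta \in (0, \frac{1}{2})$. Then for $u \le N^\delta/\sqrt{m}$ there exists an $\varepsilon^* > 0$ such that

$$\sum_{t_0 \in F_n^-(m,a,u)}\ \sum_{0 \le l \le \frac{N-1-t_0}{v_n(m)u^2}} I\left(\phi^-_{m,u,t_0}(l), \frac{N-1-t_0}{v_n(m)u^2}\right) = O\left(u^{-\varepsilon^*} N^{1-\varepsilon^*}\right)$$

holds as $N \to \infty$ with the implicit constant depending on $\varepsilon^*$.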


Proof In order to prove the error estimate of the lemma we adapt the argumentation of [Rau09], pp. 236–240 (see also [Sar85], pp. 342–344). We will treat the l ∈ − {0, . . . , (N − 1 − t0 )/(vn (m)u2 )!} for which L(s, φm,u,t (l)) has no zeroes in the 0 region  2   1 3 N := < Re s < 1, |Im s| < 2 log R(N, u) s ∈C: 1− 30 u2 − and those l for which L(s, φm,u,t (l)) has a zero in this region separately. The 0 − contribution of those l for which L(s, φm,u,t (l)) has no zero is easily bounded as 0 the argumentation of [Rau09], pp. 236–237 does not depend on the fact whether the negative Pell equation has a solution and we get





$$\sum_{t_0 \in F_n^-(m,a,u)}\ \sum_{0 \le l \le \frac{N-1-t_0}{v_n(m)u^2}} I\left(\phi^-_{m,u,t_0}(l), \frac{N-1-t_0}{v_n(m)u^2}\right) \ll N^{1-\varepsilon} u^{-\varepsilon}.$$

In order to handle those $l$ that produce a zero in $R(N,u)$ we count those $l$ and set

$$B(N,m,u,t_0) := \left|\left\{0 \le l \le \frac{N-1-t_0}{v_n(m)u^2} : L(s, \phi^-_{m,u,t_0}(l)) \text{ has a zero in } R(N,u)\right\}\right|.$$

Let $N(d,N,u)$ be the number of zeroes of $L(s, \chi_d)$ in $R(N,u)$. Then as in [Sar85], p. 343 and [Rau09], p. 238 Bombieri's theorem (see [Mon71], Theorem 12.2, p. 99) implies

$$\sum_{\substack{d \in \mathcal{D}_F, \\ d \le (N^2+4)/u^2}} N(d,N,u) \ll \left(\frac{N}{u}\right)^{1/3}. \tag{5}$$

As we consider all discriminants and not just fundamental discriminants we remark that each discriminant $d$ can be written in the form $d = d_f f^2$ with $d_f$ being a fundamental discriminant and $f \in \mathbb{N}$. We denote those fundamental discriminants that appear in (5) by $d_1, \dots, d_k$. Then $k \ll \left(\frac{N}{u}\right)^{1/3}$ and

$$B(N,m,u,t_0) = \sum_{j=1}^{k} B_j(N,m,u,t_0) \tag{6}$$

with

$$B_j(N,m,u,t_0) := \left|\left\{l \le \frac{N-1-t_0}{v_n(m)u^2} : \phi^-_{m,u,t_0}(l) = d_j y^2 \text{ for some } y \in \mathbb{N}\right\}\right|.$$

Moreover, as each solution of $\frac{(t_0 + v_n(m)u^2 l)^2 + 4}{u^2} = d_j y^2$ with $l \le \frac{N-1-t_0}{v_n(m)u^2}$ yields a solution $t^2 - d_j y^2 u^2 = -4$ with $t \le N - 1$ we see that, for $j = 1, \dots, k$,

$$\sum_{t_0 \in F_n^-(m,a,u)} B_j(N,m,u,t_0) \le \left|\left\{t \le N - 1 : t^2 - (d_j u^2) y^2 = -4 \text{ for some } y \in \mathbb{N}\right\}\right|. \tag{7}$$

In order to bound the right-hand side of (7) note that every solution $(t, y)$ of the negative Pell equation $t^2 - (d_j u^2) y^2 = -4$ can be written in the form

$$\frac{t_n + y_n \sqrt{d_j u^2}}{2} = \varepsilon_{d_j u^2}^{2n+1}$$

with $\varepsilon_{d_j u^2}$ being the fundamental solution of $t^2 - (d_j u^2) y^2 = -4$. Since $t \le N - 1$ implies $\varepsilon_{d_j u^2}^{2n+1} \le N$ we obtain

$$\left|\left\{t \le N - 1 : t^2 - (d_j u^2) y^2 = -4 \text{ for some } y \in \mathbb{N}\right\}\right| \le \left|\left\{n \in \mathbb{N}_0 : \varepsilon_{d_j u^2}^{2n+1} \le N\right\}\right| \ll \log N$$

and thus

$$\sum_{t_0 \in F_n^-(m,a,u)} B(N,m,u,t_0) \ll k \cdot \log N \ll \frac{N^{1/2}}{u^{1/3}}. \tag{8}$$

With the help of this estimate, standard estimates for the L-series and Stirling's formula we finally infer

$$\sum_{t_0 \in F_n^-(m,a,u)}\ \sum_{\substack{0 \le l \le \frac{N-1-t_0}{v_n(m)u^2}, \\ l \text{ yields zeroes}}} I\left(\phi^-_{m,u,t_0}(l), \frac{N-1-t_0}{v_n(m)u^2}\right) \ll \log(N/u) \sum_{t_0 \in F_n^-(m,a,u)} B(N,m,u,t_0) \ll \frac{N^{2/3}}{u^{1/2}}.$$

This proves the lemma.

Now we bound the remaining terms of Lemma 2.

 


  Lemma 7 For m ∈ N, a ∈ N0 , δ ∈ 0, 12 and  t0 ∈F4− (m,a,u)



 t0 ∈F4− (m,a,u)


√ > 0 we obtain for u ≤ N δ / m

  Pa (m, u) t0 11/10 and = O um v4 (m)u2

N − 1 − t0 v4 (m)u2

1+ 2

  1 1 = O m 2 − N 2 + /u2 .

Furthermore, the same holds if we replace v4 (m) by v8 (m) and F4− (m, a, u) by − − F8,1 (m, a, u) or F8,5 (m, a, u). Proof As in [Rau09], Proof of Lemma 2.20, p. 240 the bounds given in the lemma follow directly from the size of S − (u, m, a, 0 (4)), S − (u, m, a, 1 (8)) and S − (u, m, a, 5 (8)) that can be easily determined using [Lan27], Satz 71, p. 34 and Satz 87, p. 45.  

2.4 The Final Formula for the Asymptotics

Having determined in the previous sections the leading coefficients and the error terms that appear in Lemma 2 we now combine these results to prove the following theorem.

Theorem 2 Let $m \in \mathbb{N}$, $a \in \mathbb{N}_0$ and $\delta \in (0, \frac{1}{2})$. Then there exist $\alpha_1$, $\alpha_2$ and $\alpha_3 \in \mathbb{N}$ and $\varepsilon_1$, $\varepsilon_2$ and $\varepsilon_3 > 0$ so that the following identities hold: 1.





h+ d(t,u) log

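N δ 2 0 and an $\varepsilon_1 > 0$ so that the following asymptotic behaviour holds:

$$\sum_{\substack{d \in \mathcal{D}_m, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \frac{2^{\tau(m)-1}}{m} \prod_{\substack{p \in P_1, \\ p \mid m}} \frac{1}{1 - p^{-3}}\, N^2 + O\left(m^{\alpha_1} N^{2-\varepsilon_1}\right).$$

2. For $m \equiv 0 \bmod 2$ there exist an $\alpha_2 > 0$ and an $\varepsilon_2 > 0$ so that

$$\sum_{\substack{d \in \mathcal{D}_m, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \frac{2^{\tau(m)-1}}{m} \prod_{\substack{p \in P_1, \\ p \mid m}} \frac{1}{1 - p^{-3}} \left\{\begin{array}{ll} 1, & d_2(m) = 1, \\ 2, & d_2(m) = 2, 3 \end{array}\right\} N^2 + O\left(m^{\alpha_2} N^{2-\varepsilon_2}\right).$$

Proof The statement of the theorem follows easily by combining the results of Theorems 3, 4, 5, and 6.

For $m = 1$ the following corollary results:

Corollary 2 We obtain

$$\sum_{\substack{d \in \mathcal{D}, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \frac{N^2}{2} + O\left(N^{2-\varepsilon_1}\right), \quad N \to \infty.$$

Remark 3 The result for $m = 1$ has also been obtained by [Has19].

As the class numbers are ordered by the size of $\varepsilon_d$ we can remove the factor $\log \varepsilon_d^+$ by partial summation to prove:

Theorem 8 (Asymptotics of Class Numbers for the Progression $d \equiv 0 \bmod m$ II) If $m \in \mathbb{N}$ is not divisible by a prime $p \equiv 3 \bmod 4$, we obtain:

1. If $m \equiv 1 \bmod 2$ there exist an $\alpha_1 > 0$ and an $\varepsilon_1 > 0$ so that the following asymptotic behaviour holds:

$$\sum_{\substack{d \in \mathcal{D}_m, \\ \varepsilon_d \le N}} h_d^+ = \frac{2^{\tau(m)-1}}{m} \prod_{\substack{p \in P_1, \\ p \mid m}} \frac{1}{1 - p^{-3}} \operatorname{Li}(N^2) + O\left(m^{\alpha_1} N^{2-\varepsilon_1}/\log N\right).$$

2. For $m \equiv 0 \bmod 2$ there exist $\alpha_2 > 0$ and $\varepsilon_2 > 0$ so that

$$\sum_{\substack{d \in \mathcal{D}_m, \\ \varepsilon_d \le N}} h_d^+ = \frac{2^{\tau(m)-1}}{m} \prod_{\substack{p \in P_1, \\ p \mid m}} \frac{1}{1 - p^{-3}} \left\{\begin{array}{ll} 1, & d_2(m) = 1, \\ 2, & d_2(m) = 2, 3 \end{array}\right\} \operatorname{Li}(N^2) + O\left(\frac{m^{\alpha_2} N^{2-\varepsilon_2}}{\log N}\right).$$

Remark 4 Note that for $m = 1$ the leading term of Theorem 8 is the same as the one given in [Has19].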


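4 Asymptotics of Class Numbers for Fundamental Discriminants

As an application of the results obtained in the previous section, we infer an asymptotic formula for class numbers ordered by the size of the regulator in the case that the considered discriminants are fundamental discriminants. Namely, we prove the following theorem:

Theorem 9 There exists an $\varepsilon > 0$ such that, as $N \to \infty$,

$$\sum_{\substack{d \in \mathcal{D}_F, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \frac{3}{8} \prod_{p \in P_1} \frac{1 - 2p^{-2} - p^{-3}}{1 - p^{-3}}\, N^2 + O\left(N^{2-\varepsilon}\right).$$

Proof It is well-known that $d \in \mathcal{D}$ is a fundamental discriminant if $d \equiv 1 \bmod 4$ and $d$ is squarefree or $d \equiv 0 \bmod 4$ and $d/4 \equiv 2, 3 \bmod 4$ and squarefree. Let us first consider the case $d \equiv 1 \bmod 4$. As $\mu^2(d) = \sum_{m^2 \mid d} \mu(m)$ is the indicator function of squarefree numbers (see [IK04], p. 14), we infer

$$\sum_{\substack{d \in \mathcal{D}_F,\ d \equiv 1 \bmod 4, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \sum_{\substack{d \in \mathcal{D} \text{ sqf}, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \sum_{\substack{d \in \mathcal{D}, \\ \varepsilon_d \le N}} \sum_{m^2 \mid d} \mu(m)\, h_d^+ \log \varepsilon_d^+ = \sum_{m \ge 1} \mu(m) \sum_{\substack{d \in \mathcal{D}_{m^2}, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+.$$

By a similar argumentation to the one of the proof of Lemma 1 we obtain that it suffices to include only those $m$ with $m \le N^\delta$, $\delta > 0$, in the above sum as the contribution of those $m$ with $m \ge N^\delta$ can be bounded by $O(N^{2-\varepsilon})$, $\varepsilon > 0$. Then Theorem 7 implies

$$\sum_{\substack{d \in \mathcal{D} \text{ sqf}, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \frac{N^2}{2} \sum_{m \ge 1} \frac{\mu(m)\, c(m)}{m^2} + O\left(N^{2-\varepsilon}\right) \tag{9}$$

where

$$c(m) := 2^{\tau(m)} \prod_{\substack{p \in P_1, \\ p \mid m}} \frac{1}{1 - p^{-3}} \times \begin{cases} 1, & m \equiv 1 \bmod 2, \\ 2, & m \equiv 0 \bmod 2, \\ 0, & m \text{ contains a prime divisor } p \equiv 3 \bmod 4. \end{cases}$$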


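Note that $\mu(p^k) = 0$ if $k \ge 2$. By multiplicativity we get

$$\sum_{m \ge 1} \frac{\mu(m)\, c(m)}{m^2} = \prod_{p \ge 2} \sum_{k=0}^{\infty} \frac{\mu(p^k)\, c(p^k)}{p^{2k}} = \frac{1}{2} \prod_{p \in P_1} \left(1 - \frac{2}{p^2(1 - p^{-3})}\right) \tag{10}$$

so that finally

$$\sum_{\substack{d \in \mathcal{D} \text{ sqf}, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \frac{1}{4} \prod_{p \in P_1} \frac{1 - 2p^{-2} - p^{-3}}{1 - p^{-3}}\, N^2 + O\left(N^{2-\varepsilon}\right), \quad N \to \infty. \tag{11}$$

To treat the remaining fundamental discriminants $d \equiv 0 \bmod 4$ note that the negative Pell equation only has a solution if $d \equiv 0 \bmod 8$. See e.g. [FK10], p. 2036 for the definition of special discriminants. Therefore we only have to consider the sum

$$S'(N) := \sum_{\substack{d' \equiv 2 \bmod 4, \\ d' \text{ sqf},\ \varepsilon_{4d'} \le N}} h_{4d'}^+ \log \varepsilon_{4d'}^+ = \sum_{\substack{m \ge 1, \\ m \equiv 1 \bmod 2}} \mu(m) \sum_{\substack{d \equiv 8m^2 \bmod 16m^2, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+.$$

As $P_{8m^2}(16m^2, u) = P(m, u)$, Lemma 9 and Theorem 3 imply that

$$S'(N) = \frac{N^2}{8} \sum_{m \ge 1} \frac{\mu(m)\, c(m)}{m^2} + O\left(N^{2-\varepsilon}\right)$$

where in this case the coefficients $c(m)$ are given by

$$c(m) = 2^{\tau(m)} \prod_{\substack{p \in P_1, \\ p \mid m}} \frac{1}{1 - p^{-3}} \begin{cases} 1, & m \equiv 1 \bmod 2, \\ 0, & m \equiv 0 \bmod 2. \end{cases}$$

Since we only have to consider small $m$ in the sum, multiplicativity yields

$$\sum_{\substack{d \in \mathcal{D}_F,\ d \equiv 0 \bmod 4, \\ \varepsilon_d \le N}} h_d^+ \log \varepsilon_d^+ = \frac{1}{8} \prod_{p \in P_1} \frac{1 - 2p^{-2} - p^{-3}}{1 - p^{-3}}\, N^2 + O\left(N^{2-\varepsilon}\right)$$

as $N \to \infty$. This proves the theorem.

Partial summation allows us again to remove the factor $\log \varepsilon_d^+$ in Theorem 9 so that we obtain the following theorem: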


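Theorem 10 There exists an $\varepsilon > 0$ such that

$$\sum_{\substack{d \in \mathcal{D}_F, \\ \varepsilon_d \le N}} h_d^+ = \frac{3}{8} \prod_{p \in P_1} \frac{1 - 2p^{-2} - p^{-3}}{1 - p^{-3}} \operatorname{Li}(N^2) + O\left(\frac{N^{2-\varepsilon}}{\log N}\right).$$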

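5 The Size of the Set $\mathcal{D}_F^-(N)$

In this section we determine the size of the set $\mathcal{D}_F^-(N) = \{d \in \mathcal{D}_F^- : \varepsilon_d \le N\}$ with $\mathcal{D}_F$ being the set of fundamental discriminants. In order to obtain its size we first look at the size of those sets whose discriminants belong to an arithmetic progression. For this we define $\mathcal{D}_*^-(N) := \{d \in \mathcal{D}_* : \varepsilon_d \le N\}$ where $\mathcal{D}_* = \mathcal{D}_{4,m}$, $\mathcal{D}_{8,1,m}$, $\mathcal{D}_{8,5,m}$ or $\mathcal{D}_{4,16m^2,8m^2}$, respectively.

Lemma 11 Let $m \in \mathbb{N}$ and $\delta \in (0, \frac{1}{2})$. Then, if $m$ does not contain a prime divisor $p \equiv 3 \bmod 4$, we obtain:

1. There exist an $\alpha_1 > 0$ and an $\varepsilon_1 > 0$ such that

$$|\mathcal{D}_{4,m}^-(N)| = \frac{2^{\tau(m)+1}}{v_4(m)} \prod_{\substack{p \in P_1, \\ p \mid m}} \left(1 + p^{-2}\right)^{-1} \prod_{p \in P_1} \frac{1 + p^{-2}}{1 - p^{-2}} \left\{\begin{array}{ll} 1, & d_2(v_4(m)) = 2, 3 \\ 0, & \text{otherwise} \end{array}\right\} N + O\left(m^{\alpha_1} N^{1-\varepsilon_1}\right).$$

2. If $m \equiv 0 \bmod 2$ then $|\mathcal{D}_{8,1,m}(N)| = 0$. If $m \equiv 1 \bmod 2$ there exist an $\alpha_2 > 0$ and an $\varepsilon_2 > 0$ such that

$$|\mathcal{D}_{8,1,m}^-(N)| = \frac{2^{\tau(m)}}{8m} \prod_{\substack{p \in P_1, \\ p \mid m}} \left(1 + p^{-2}\right)^{-1} \prod_{p \in P_1} \frac{1 + p^{-2}}{1 - p^{-2}}\, N + O\left(m^{\alpha_2} N^{1-\varepsilon_2}\right).$$

3. If $m \equiv 0 \bmod 2$ then $|\mathcal{D}_{8,5,m}(N)| = 0$. If $m \equiv 1 \bmod 2$ there exist an $\alpha_3 > 0$ and an $\varepsilon_3 > 0$ such that

$$|\mathcal{D}_{8,5,m}^-(N)| = \frac{2^{\tau(m)}}{2m} \prod_{\substack{p \in P_1, \\ p \mid m}} \left(1 + p^{-2}\right)^{-1} \prod_{p \in P_1} \frac{1 + p^{-2}}{1 - p^{-2}}\, N + O\left(m^{\alpha_3} N^{1-\varepsilon_3}\right).$$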


4. If m ≡ 1 mod 2 there exist an α4 > 0 and an |D− m (N)| =

4

> 0 such that

−1  1 + p−2   9 · 2τ (m)   α4 1− 4 1 + p−2 . N + O m N 8m 1 − p−2 p∈P1 , p|m

p∈P1

Moreover, we obtain: 5. If (2, m) > 1 or m has a prime divisor p ≡ 3 mod 4, then |D− (N )| = 0, 4,16m2 ,8m2 otherwise there exist an α5 > 0 and an 5 > 0 such that |D−

(N )| 4,16m2 ,8m2

=

    1 + p −2 2τ (m)   −2 −1 α5 N 1− 5 . 1 + p N + O m 4m2 1 − p −2 p∈P1 , p|m

p∈P1

Proof The formulae of the lemma follow from the fact that, e.g. |D− 4,m (N )| =

  N  S − (u, m, 0, 0 (4)) α 1− + O m N v4 (m) u2 u≥1

and the series appearing here can be computed using the results of Lemma 8.

 

By Lemma 11 and the argumentation of Sect. 4 the following theorem results:

Theorem 11 There exists an > 0 such that

$$|D_F^-(N)| = \frac{7}{8}\,N + O\left(N^{1-}\right) \quad \text{as } N \to \infty.$$

As a corollary we obtain:

Corollary 3 Let N(N) := {d ∈ $D_F$ : Reg(Q(√d)) ≤ log N}. Then there exists an > 0 such that, as N → ∞,

$$N(N) = \frac{15}{8}\,N + O\left(N^{1-}\right).$$

Proof This follows directly from Theorem 11 and [Rau09], Theorem 5.3, p. 256.

Corollary 4 Let $N^+(N)$ := {d ∈ $D_F^+$ : Reg(Q(√d)) ≤ log N} and $N^-(N)$ := {d ∈ $D_F^-$ : Reg(Q(√d)) ≤ log N}. As N → ∞, we have:

$$\frac{N^-(N)}{N(N)} \sim \frac{7}{15} \quad \text{and} \quad \frac{N^+(N)}{N(N)} \sim \frac{8}{15}.$$

Remark 5 The constants of Corollary 4 should be compared to the constants given in [FK10] who consider the size of the discriminant and not the size of the regulator.


Combining the results of Theorem 9 and Theorem 11 we infer: Theorem 12 With a suitable 1 − |DF (N)|



h+ d

d∈D− F (N )

> 0 we get

 1−  3  1 − 2p−2 − p−3 N . = Li(N ) + O −3 14 log N 1−p p∈P1

Proof This theorem follows from combining the results of Theorem 9 and Theorem 11 and using partial summation afterwards.

We can now prove our main theorem.

Proof of the Main Theorem We write $D_F = D_F^+ \cup D_F^-$ where $D_F^+$ contains all those fundamental discriminants for which the negative Pell equation does not have a solution and $D_F^-$ those for which it does have a solution. Then by [Rau09], Theorem 4.1, p. 252 and Theorem 9



2

H (K)Reg(K) =



h+ d log

+ d

d∈D+ F, + ≤N d

Reg(K)≤log N

+



h+ d log

+ d

d∈D− F, d ≤N

  = CN 2 + O N 2− where C=

 3  1 − 2p−2 − p−3 25ζ (3)   1 − 2p−2 − p−3 + . 32 8 1 − p−3 p≥2

(12)

p∈P1

6 The Selberg Trace Formula

In [Li99] Xian-Jin Li considers for Re s > 1 the following L-function $L_N(s)$ =

  h+ log d

d∈D u

+ d

(du2 )s

where the sum extends over all positive u such that $t^2 - du^2 = 4N$ has a solution and proves that it is analytic for Re s > 1 and admits an analytic continuation to Re s > 0 with a possible pole at s = 1. This L-function appears naturally when


determining a trace formula for Hecke operators $T_N$ on the space of Maaß forms. The trace formula reads as follows:

     hs (l)tr1/4+l 2 TN = δN cs (I ) + cs (R) + cs (P ) + cs (∞). d(N )hs − 2i + {R}

l

{P }

(13)

Here $h_s$ is the Selberg transform of $k_s$, $\mathrm{tr}_{1/4+l^2}\,T_N$ the trace of the Hecke operator on the space of Maaß forms with corresponding eigenvalue $1/4 + l^2$, $d(N)$ is the divisor function and on the right-hand side we have the various contributions of elements of

$$M_N := \left\{ \frac{1}{\sqrt{N}} \begin{pmatrix} a & b \\ c & d \end{pmatrix} : ad - bc = N \right\} / \{\pm I_2\}.$$

Li's L-function then appears using a bijection between conjugacy classes of certain elements of $M_N$ and equivalence classes of indefinite binary quadratic forms. The presence of the Hecke operators implies $t^2 - du^2 = 4N$. Then understanding both sides of (13) as a function of s, continuing it analytically and carefully reading Li's proof, one recognizes that there is indeed a pole of order one at s = 1 with residue

$$\operatorname{res}_{s=1} L_N(s) = \frac{d(N)}{2}$$

where we used [Li99], (2.2), p. 217. Thus by a Tauberian Theorem (see e.g. [Ten95], Theorem 15, pp. 246–247) we finally obtain  

h+ d log

+ d

d(N ) x, 2

x → ∞,

d(N ) 2 x , 2

x → ∞,



n≤x d,u: du2 =n

or equivalently,  √ t+u d ≤x 2

h+ d log

+ d



where we sum over solutions of $t^2 - du^2 = 4N$, N > 0.

Acknowledgments The author wants to thank Prof. Dr. J. Elstrodt for introducing her to the subject of Hecke operators and class numbers during her diploma project and B. Winn for helpful discussions.


References

[Bar66] M. B. Barban. The “large sieve” method and its application to number theory. Russian Math. Surveys, 21(1):49–103, 1966.
[Dat93] Boris A. Datskovsky. A mean-value theorem for class numbers of quadratic extensions. In A tribute to Emil Grosswald: number theory and related analysis, volume 143 of Contemp. Math., pages 179–242. Amer. Math. Soc., Providence, RI, 1993.
[FK10] Étienne Fouvry and Jürgen Klüners. On the negative Pell equation. Ann. of Math. (2), 172(3):2035–2104, 2010.
[Gau86] Carl Friedrich Gauß. Disquisitiones arithmeticae. Springer-Verlag, New York, 1986. Translated and with a preface by Arthur A. Clarke, Revised by William C. Waterhouse, Cornelius Greither and A. W. Grootendorst and with a preface by Waterhouse.
[GH85] Dorian Goldfeld and Jeffrey Hoffstein. Eisenstein series of 1/2-integral weight and the mean value of real Dirichlet L-series. Invent. Math., 80(2):185–208, 1985.
[Has19] Yasufumi Hashimoto. Asymptotic behaviors of class number sums associated with Pell-type equations. Math. Z., 292(1–2):641–654, 2019.
[Hoo58] Christopher Hooley. On the representation of a number as the sum of a square and a product. Math. Z., 69:211–227, 1958.
[IK04] Henryk Iwaniec and Emmanuel Kowalski. Analytic number theory, volume 53 of American Mathematical Society Colloquium Publications. American Mathematical Society, Providence, RI, 2004.
[Lan27] Edmund Landau. Vorlesungen über Zahlentheorie. Erster Band. Verlag von S. Herzel, Berlin, 1927 (Nachdruck: Chelsea, New York, 1950 (Band 1, 1. Teil)).
[Li99] Xian-Jin Li. On the trace of Hecke operators for Maass forms. In Number theory (Ottawa, ON, 1996), volume 19 of CRM Proc. Lecture Notes, pages 215–229. Amer. Math. Soc., Providence, RI, 1999.
[Mon71] Hugh L. Montgomery. Topics in multiplicative number theory. Lecture Notes in Mathematics, Vol. 227. Springer-Verlag, Berlin, 1971.
[Pet95] Manfred Peter. Momente der Klassenzahlen binärer quadratischer Formen mit ganzalgebraischen Koeffizienten. Acta Arith., 70(1):43–77, 1995.
[Rau09] Nicole Raulf. Asymptotics of class numbers for progressions and for fundamental discriminants. Forum Math., 21(2):221–257, 2009.
[Rau16] Nicole Raulf. Limit distribution of class numbers for discriminants in progressions and fundamental discriminants. Int. J. Number Theory, 12(5):1237–1258, 2016.
[Roh19] David E. Rohrlich. Quaternionic Artin representations and nontraditional arithmetic statistics. Trans. Amer. Math. Soc., 372(12):8587–8603, 2019.
[Sar82] Peter Sarnak. Class numbers of indefinite binary quadratic forms. J. Number Theory, 15(2):229–247, 1982.
[Sar85] Peter C. Sarnak. Class numbers of indefinite binary quadratic forms. II. J. Number Theory, 21(3):333–346, 1985.
[Shi75] Takuro Shintani. On zeta-functions associated with the vector space of quadratic forms. J. Fac. Sci. Univ. Tokyo Sect. I A Math., 22:25–65, 1975.
[Sie44] Carl Ludwig Siegel. The average measure of quadratic forms with given determinant and signature. Ann. of Math. (2), 45:667–685, 1944.
[Tan07] Takashi Taniguchi. On proportional constants of the mean value of class numbers of quadratic extensions. Trans. Amer. Math. Soc., 359(11):5517–5524, 2007.
[Ten95] Gérald Tenenbaum. Introduction à la théorie analytique et probabiliste des nombres, volume 1 of Cours Spécialisés [Specialized Courses]. Société Mathématique de France, Paris, second edition, 1995.

Some Split Symbol Algebras of Prime Degree

Diana Savin and Vincenzo Acciaro

MSC Codes (2020) 11R04, 11S15, 11R18, 11R29, 11A51, 11R52, 11R54, 11R37, 11S20, 11F85

1 Introduction

Let n ≥ 3 be an arbitrary positive integer, and let F be a field with char(F) ∤ n. Let ξ be a primitive n-th root of unity in F. If a, b ∈ F \ {0}, the algebra A over F generated by two elements x and y satisfying

$$x^n = a, \quad y^n = b, \quad yx = \xi xy$$

is called a symbol algebra and it is denoted by $\left(\frac{a,\ b}{F,\ \xi}\right)$. When n = 2 we obtain the well known generalized quaternion algebra over the field F, and indeed a symbol algebra is a natural generalization of a quaternion algebra. Quaternion algebras and symbol algebras are central simple algebras of dimension $n^2$ over the base field F. The results about quaternion algebras and symbol algebras have strong connections with number theory (especially with the ramification theory in algebraic number fields). Different criteria are known for a quaternion algebra or a symbol algebra to split [7, 9, 15]. Explicit conditions for a quaternion algebra over the field of rational numbers to be split or else a division algebra were studied in [4]. In the paper [13] we investigated the splitting behavior of quaternion algebras over quadratic fields, and of specific symbol algebras over cyclotomic fields. In [14] we found a sufficient

D. Savin, Faculty of Mathematics and Computer Science, Transilvania University of Brașov, Brașov, Romania
V. Acciaro, Dipartimento di Economia, Università di Chieti–Pescara, Pescara, Italy
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021. A. C. Cojocaru et al. (eds.), Women in Numbers Europe III, Association for Women in Mathematics Series 24, https://doi.org/10.1007/978-3-030-77700-5_11


condition for a quaternion algebra over a quadratic field to split. Next, in [2] we gave necessary and sufficient conditions for a quaternion algebra H(α, m) to split over a quadratic field K, and in [3] we obtained a complete characterization of division quaternion algebras H(p, q), where p, q are prime integers, over the composite K of n quadratic number fields.

In this paper we study some symbol algebras of prime degree over very specific cyclotomic fields. In Sect. 2 we recall some useful results about symbol algebras, cyclotomic fields and Kummer fields which we will use later. In Sect. 3 we find conditions for a symbol algebra of prime degree over a cyclotomic field to split. The main result of this article is:

Main Theorem (Theorem 4) Let be a primitive cubic root of unity and let K = Q( ). Let α ∈ K*, let p be a prime rational integer, p ≠ 3, and let L = $K(\sqrt[3]{\alpha})$ be the Kummer field. Let $O_L$ be the ring of integers of the field L. Let Cl(L) be the ideal class group of the ring $O_L$, let $h_L$ be the class number of L and let $h_p$ be the order of the class of a prime ideal P in $O_L$, which divides $pO_L$, in the group Cl(L). Then, there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \ }\right)$ splits if and only if α is a cubic residue modulo p.

Our results have been computationally validated with the aid of the computer algebra package MAGMA.

2 Some Basic Results

We recall here the decomposition behavior of a prime integer in the ring of integers of a cyclotomic field and in the ring of integers of a Kummer field. We will use these facts later to prove our results.

Proposition 1 ([8]) Let l ≥ 3 be an integer, ξ be a primitive root of unity of order l. Let K = Q(ξ) and let $O_K$ be the ring of integers of the cyclotomic field K. Then $O_K$ = Z[ξ].

Theorem 1 ([8]) Let l ≥ 3 be an integer, and let ξ be a primitive root of unity of order l. If p is a prime number which does not divide l and f is the smallest positive integer such that $p^f \equiv 1 \pmod{l}$, then we have

$$pZ[\xi] = P_1 P_2 \cdots P_r,$$

where r = ϕ(l)/f, where ϕ is Euler's function and $P_j$, j = 1, …, r are different prime ideals in the ring Z[ξ].

Theorem 2 ([11]) Let ξ be a primitive root of unity of order l, where l is a prime number, and let $O_L$ be the ring of integers of the Kummer field L = $Q(\xi, \sqrt[l]{\mu})$, where μ ∈ Q. A prime ideal P of Z[ξ] decomposes in $O_L$ as follows:

• it is equal to the l-power of a prime ideal of $O_L$, if the l-power character $\left(\frac{\mu}{P}\right)_l = 0$;
• it is a prime ideal of $O_L$, if $\left(\frac{\mu}{P}\right)_l$ is a root of order l of unity, different from 1;


• it is equal to the product of l different prime ideals of $O_L$, if $\left(\frac{\mu}{P}\right)_l = 1$.

We recall now the definition of the l-power character $\left(\frac{\mu}{P}\right)_l$. If μ ∉ P, there is a unique integer c (modulo l) such that $\mu^{\frac{N(P)-1}{l}} \equiv \xi^c \pmod{P}$. The l-power character $\left(\frac{\mu}{P}\right)_l$ is defined as:

(i) if μ ∈ P then $\left(\frac{\mu}{P}\right)_l = 0$;
(ii) if μ ∉ P then $\left(\frac{\mu}{P}\right)_l$ is the unique l-th root of unity such that

$$\mu^{\frac{N(P)-1}{l}} \equiv \left(\frac{\mu}{P}\right)_l \pmod{P}.$$

Moreover $\left(\frac{\mu}{P}\right)_l = 1$ if and only if μ ∉ P and the congruence $x^l \equiv \mu \pmod{P}$ is solvable in Z[ξ].

Let's recall now some results about central simple algebras. Let A be a central simple algebra over a field K. Then the dimension n of A over K is a square; its positive square root is called the degree of the algebra A. If the equations ax = b, ya = b have unique solutions for all a, b ∈ A, with a ≠ 0, then the algebra A is called a division algebra. A is a division algebra if and only if A has no zero divisors (x ≠ 0, y ≠ 0 ⇒ xy ≠ 0). Let K ⊆ L be a field extension and let A be a central simple algebra over K. Then:

• A is called split by K if A is isomorphic to a full matrix algebra over K;
• A is called split by L, and L is called a splitting field for A, if $A \otimes_K L$ is a full matrix algebra over L.

The following splitting criterion for symbol algebras is known:

Theorem 3 ([7]) Let K be a field which contains a primitive n-th root of unity ξ, and let a, b ∈ K*. Then the following statements are equivalent:

• The symbol algebra A = $\left(\frac{a,\ b}{K,\ \xi}\right)$ is split.
• The element b is a norm from the extension K ⊆ $K(\sqrt[n]{a})$.

For symbol algebras of prime degree the following is true:

Remark 1 ([10]) Let n ≥ 3 be a positive integer, and let ξ be a primitive n-th root of unity. Let K be a field of characteristic ≠ 2 which contains ξ and let α, β ∈ K*. If n is prime, then the symbol algebra $\left(\frac{\alpha,\ \beta}{K,\ \xi}\right)$ is either split or a division algebra.

Lemma 1 ([5]) Let n ≥ 2 be a positive integer, and let ξ be a primitive root of unity of order n. Let K be a field which contains ξ. Let Br(K) be the Brauer group of the field K and let ${}_n\mathrm{Br}(K)$ be the n-torsion component of Br(K). Then, the assignment $(\alpha, \beta) \longrightarrow \left(\frac{\alpha,\ \beta}{K,\ \xi}\right)$ induces a Z-bilinear map

$$K^*/(K^*)^n \times K^*/(K^*)^n \to {}_n\mathrm{Br}(K).$$
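The decomposition rules of Theorems 1 and 2 can be checked numerically when α is a rational integer. The Python sketch below is an added example, not code from the paper (which used MAGMA); its function names are hypothetical, and it assumes l prime, p ≠ l and α ∈ Z, so that the l-power character at every prime P above p can be tested modulo p. The (α, p) pairs are the ones the paper reports in Sect. 3.

```python
from typing import NamedTuple


class Decomposition(NamedTuple):
    f: int            # order of p modulo l (residue degree of each P | p in Z[xi])
    r: int            # number of prime ideals of Z[xi] above p: phi(l) / f
    character: str    # class of (alpha/P)_l: "zero", "one" or "nontrivial"
    primes_in_L: int  # number of distinct prime ideals of O_L above p


def is_prime(n: int) -> bool:
    """Trial division; enough for the small primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def order_mod(p: int, l: int) -> int:
    """Smallest f >= 1 with p**f ≡ 1 (mod l); needs gcd(p, l) = 1."""
    f, x = 1, p % l
    while x != 1:
        x = (x * p) % l
        f += 1
    return f


def power_character(alpha: int, p: int, l: int, f: int) -> str:
    """Class of the l-power character of a rational integer alpha at any P | p.

    N(P) = p**f, and for alpha in Z the congruence
    alpha**((N(P)-1)/l) ≡ 1 (mod P) can be tested modulo p, because P ∩ Z = pZ.
    """
    if alpha % p == 0:
        return "zero"                      # alpha lies in P
    exponent = (p ** f - 1) // l           # (N(P) - 1) / l
    return "one" if pow(alpha, exponent, p) == 1 else "nontrivial"


def decompose(alpha: int, p: int, l: int) -> Decomposition:
    """Apply Theorem 1 to p in Z[xi] and Theorem 2 to each P | p in O_L."""
    if not (is_prime(l) and l >= 3 and is_prime(p) and p != l):
        raise ValueError("need primes l >= 3 and p != l")
    f = order_mod(p, l)
    r = (l - 1) // f                       # phi(l) = l - 1 for prime l
    chi = power_character(alpha, p, l, f)
    # Theorem 2: character 1 -> P splits into l primes; otherwise one prime above P
    primes_in_L = r * l if chi == "one" else r
    return Decomposition(f, r, chi, primes_in_L)


def has_lth_root_mod_p(alpha: int, p: int, l: int) -> bool:
    """Brute-force cross-check: is x**l ≡ alpha (mod p) solvable in Z/pZ?"""
    return any(pow(x, l, p) == alpha % p for x in range(p))


# (alpha, p) pairs quoted from the paper's Sect. 3 examples, all with l = 3
PAPER_CASES = [(43, 23), (43, 11), (11, 19), (5, 17), (5, 19)]

if __name__ == "__main__":
    for alpha, p in PAPER_CASES:
        d = decompose(alpha, p, 3)
        print(f"alpha={alpha:2d} p={p:2d} f={d.f} r={d.r} "
              f"character={d.character:10s} primes above p in O_L={d.primes_in_L} "
              f"cube mod p={has_lth_root_mod_p(alpha, p, 3)}")
```

The counts 3, 3 and 6 agree with the decompositions of the ideals generated by 23, 11 and 19 reported in Sect. 3, and the pair (5, 19) is the non-residue case, where only two primes lie above p.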


3 Symbol Algebras Which Split Over Specific Cyclotomic Fields

In this section we study the symbol algebras $\left(\frac{\alpha,\ p^c}{K,\ \xi}\right)$ when ξ is a primitive root of unity of prime order q and L is the Kummer field L = $Q(\xi, \sqrt[q]{\alpha})$, for some particular values of c. We start with a small remark about such algebras:

Remark 2 Let n ≥ 3 be a positive integer, let p be a prime positive integer and let K = Q(ξ) where ξ is a primitive root of unity of order n. Let α ∈ K* and let L be the Kummer field $K(\sqrt[n]{\alpha})$. Then, the symbol algebra A = $\left(\frac{\alpha,\ p^n}{K,\ \xi}\right)$ splits.

Proof By Lemma 1 the symbol algebra A = $\left(\frac{\alpha,\ p^n}{K,\ \xi}\right)$ lies in the same class as the algebra $\left(\frac{\alpha,\ 1}{K,\ \xi}\right)$ in the Brauer group of K. But $\left(\frac{\alpha,\ 1}{K,\ \xi}\right)$ splits by Theorem 3, since 1 is always a norm.

In the paper [6] the authors obtained some results about the symbol algebras of the form $\left(\frac{\alpha,\ p^{h_L}}{K,\ \xi}\right)$. In that paper there is a small mistake, which we fix in the next proposition and in its corollary.

Proposition 2 ([6, Prop. 4.1]) Let be a primitive cubic root of unity and let K = Q( ). Let α ∈ K* be a cubic residue modulo p, where p ≠ 3 is a prime integer. Let $h_L$ be the class number of the Kummer field L = $K(\sqrt[3]{\alpha})$. Then, there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_L}}{K,\ \ }\right)$ splits.

We recall that when (R, +, ·) is a unitary ring with unity 1, then the set of the invertible elements of (R, +, ·) is denoted by U(R), i.e.

$$U(R) = \{x \in R \mid \exists\, x' \in R \text{ such that } x \cdot x' = x' \cdot x = 1\}.$$

Corollary 1 ([6, Cor. 4.2]) Let q be an odd prime integer, let ξ be a primitive root of unity of order q, and let K = Q(ξ). Let p ≠ q be a prime integer and let α ∈ K* be a q-power residue modulo p. Let $h_L$ be the class number of the Kummer field L = $K(\sqrt[q]{\alpha})$. Then, there exists a unit u ∈ U(Z[ξ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_L}}{K,\ \xi}\right)$ splits.

In the next two results we show how to generalize the previous results, by replacing $h_L$ with some divisors h of $h_L$.

Proposition 3 Let q ≥ 3 be a prime positive integer, and K = Q(ξ) where ξ is a primitive root of order q of unity. Let α ∈ K*, p be a prime rational integer, p ≠ q, such that α is a q-th power residue modulo p and let L = $K(\sqrt[q]{\alpha})$ be the Kummer field. Let $O_L$ be the ring of integers of the field L. Let Cl(L) be the ideal class group of the ring $O_L$, let $h_L$ be the class number of L and let $h_p$ be the order in the


class group Cl(L) of the class of a prime ideal in $O_L$ that divides $pO_L$. Then:

1. there exists a unit u ∈ U(Z[ξ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \xi}\right)$ splits;
2. there exists a unit u ∈ U(Z[ξ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{\gcd(h_p,\,q)}}{K,\ \xi}\right)$ splits.

A particular case of Proposition 3 is the following corollary.

Corollary 2 Let be a primitive cubic root of unity and let K = Q( ). Let α ∈ K* be a cubic residue modulo p with p ≠ 3 a prime integer. Let $h_L$ be the class number of the Kummer field L = $K(\sqrt[3]{\alpha})$. Let $h_p$ be the order in the class group Cl(L) of the class of a prime ideal in $O_L$ that divides $pO_L$. Then:

1. there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \ }\right)$ splits;
2. there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{\gcd(h_p,\,3)}}{K,\ \ }\right)$ splits.

Since Proposition 3 is more general than Corollary 2, we will prove only Proposition 3. Before going into the proof of Proposition 3 we would like to show some examples of split symbol algebras, which satisfy the hypotheses of Corollary 2, which were produced by using the computer algebra package MAGMA [12]:

• Let K = Q( ), where ³ = 1, ≠ 1; the class number of the Kummer field L = Q( , $\sqrt[3]{43}$) is 48. Let p = 23. The ideal $23O_L$ decomposes into the product of three prime ideals of $O_L$, $P_1, P_2, P_3$ in the notations of our example. We denote with [I] the class of the ideal I in the class group of L. We have $h_p$ = ord([$P_1$]) = ord([$P_2$]) = ord([$P_3$]) = 12 and gcd($h_p$, 3) = 3. The norm equation $23^{12} = N_{L/Q(\ )}(a)$ has solutions. Also the norm equation $23^{3} = N_{L/Q(\ )}(a)$ has solutions. But the norm equations $23^{2} = N_{L/Q(\ )}(a)$, $23 = N_{L/Q(\ )}(a)$ do not have any. This example agrees with the assertion of Corollary 2.

• Let K = Q( ), where ³ = 1, ≠ 1; the class number of the Kummer field L = Q( , $\sqrt[3]{43}$) is 48. Let p = 11. The ideal $11O_L$ decomposes into the product of three prime ideals of $O_L$, $P_1, P_2, P_3$. We have $h_p$ = ord([$P_1$]) = ord([$P_2$]) = ord([$P_3$]) = 2 and gcd($h_p$, 3) = 1. The norm equation $11^{2} = N_{L/Q(\ )}(a)$ has solutions and also the norm equation $11 = N_{L/Q(\ )}(a)$ has solutions. This example agrees again with the assertion of Corollary 2.

• Let K = Q( ), where ³ = 1, ≠ 1; the class number of the Kummer field L = Q( , $\sqrt[3]{11}$) is 4. Let p = 19 ≡ 1 (mod 3). The ideal $19O_L$ decomposes into the product of six prime ideals of $O_L$, $P_{11}, P_{12}, P_{13}, P_{21}, P_{22}, P_{23}$ in the notations of our example. We denote with [I] the class of the ideal I in the class group


of L. We have $h_p$ = ord([$P_{11}$]) = ord([$P_{12}$]) = ord([$P_{13}$]) = ord([$P_{21}$]) = ord([$P_{22}$]) = ord([$P_{23}$]) = 2 and gcd($h_p$, 3) = 1. The norm equation $19^{2} = N_{L/Q(\ )}(a)$ has solutions, and also the norm equation $19 = N_{L/Q(\ )}(a)$ has solutions. This example agrees with the assertion of Corollary 2.

We are now going to prove Proposition 3:

Proof 1. It is known that $O_K$ = Z[ξ] and it is a Dedekind ring, therefore, any nonzero ideal of $O_K$ decomposes uniquely into a product of prime ideals of the ring $O_K$. We split the proof into two cases:

• p is a primitive root modulo q. From Theorem 1 it follows that p remains prime in the ring Z[ξ]. Since the q-th power character $\left(\frac{\alpha}{p}\right)_q$ is equal to 1, from Theorem 2, it follows that we have the following decomposition of the ideal $pO_L$ as a product of prime ideals in $O_L$:

$$pO_L = P_1 \cdot P_2 \cdot \ldots \cdot P_q.$$

Let $h_p$ be the order of the ideal class of $P_1$ in the group Cl(L). Since the ideals $P_1, P_2, \ldots, P_q$ are conjugate under the action of the Galois group Gal(L/K), it follows that the ideal classes of $P_1, P_2, \ldots, P_q$ have the same order $h_p$ in the group Cl(L). Now

$$(pO_L)^{h_p} = P_1^{h_p} P_2^{h_p} \cdot \ldots \cdot P_q^{h_p} = (\beta O_L)(\sigma(\beta) O_L) \cdot \ldots \cdot (\sigma^{q-1}(\beta) O_L)$$

for some β ∈ $O_L$, where σ is a generator of Gal(L/K). Hence $p^{h_p} O_L = N_{L/K}(\beta)\, O_L$. This means that $p^{h_p}$ and $N_{L/K}(\beta)$ differ by a unit of $O_L$, but, since $p^{h_p}$ ∈ Z and $N_{L/K}(\beta)$ ∈ K, they really differ by a unit u of Z[ξ]. So, there exists a unit u ∈ U(Z[ξ]) such that $u \cdot p^{h_p} = N_{L/K}(\beta)$. According to Theorem 3 the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \xi}\right)$ splits.

• p is not a primitive root modulo q. Let's denote by f the order of p modulo q. According to Theorem 1 we have pZ[ξ] = $P_1 \cdot \ldots \cdot P_r$, where $P_1, \ldots, P_r$ are prime ideals in Z[ξ] and $r = \frac{\varphi(q)}{f}$ (φ as usual denotes Euler's function). Since α is a q-th power residue modulo p, it follows that α is a q-th power residue modulo $P_1, \ldots, P_r$. From Theorem 2 we get:

$$pO_L = P_1 O_L \cdot P_2 O_L \cdot \ldots \cdot P_r O_L = P_{11} \cdot P_{12} \cdot \ldots \cdot P_{1q} \cdot P_{21} \cdot P_{22} \cdot \ldots \cdot P_{2q} \cdot \ldots \cdot P_{r1} \cdot P_{r2} \cdot \ldots \cdot P_{rq}$$

where $P_{1j}, P_{2j}, \ldots, P_{rj}$ are prime ideals in $O_L$, with j ∈ {1, 2, …, q}. Since the ideals $P_{ij}$ are the prime divisors of $p_i O_L$ (i ∈ {1, 2, …, r}, j ∈ {1, 2, …, q}) it follows that these ideals are conjugate to each other under the action of the Galois group, so their classes have the same order $h_p$. Hence

$$(pO_L)^{h_p} = (P_{11} \cdot P_{21} \cdot \ldots \cdot P_{r1})^{h_p} \cdot (P_{12} \cdot P_{22} \cdot \ldots \cdot P_{r2})^{h_p} \cdot \ldots \cdot (P_{1q} \cdot P_{2q} \cdot \ldots \cdot P_{rq})^{h_p}$$


so there is an element γ ∈ $O_L$ such that $p^{h_p} O_L = N_{L/K}(\gamma)\, O_L$. It follows that there exists a unit u ∈ U(Z[ξ]) such that $u \cdot p^{h_p} = N_{L/K}(\gamma)$. From Theorem 3 it follows that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \xi}\right)$ splits.

2. According to Lemma 1 there exists a unit u ∈ U(Z[ξ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{q}}{K,\ \xi}\right)$ splits. From this and from the first part of the proof, we obtain that there exists a unit u ∈ U(Z[ξ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{\gcd(h_p,\,q)}}{K,\ \xi}\right)$ splits.

The proof of the next proposition follows very closely the proof of the first case of Proposition 3.

Proposition 4 Let q be an odd prime positive integer and let K = Q(ξ) where ξ is a primitive root of order q of unity. Let α ∈ K* and let L denote the Kummer field $K(\sqrt[q]{\alpha})$. Let π ∈ Z[ξ] be a prime element in the ring Z[ξ] such that α is a q-th power residue modulo π. Let $O_L$ be the ring of integers of the field L. Let Cl(L) be the ideal class group of the ring $O_L$, let $h_L$ be the class number of L and let $h_\pi$ be the order in the class group Cl(L) of the class of a prime ideal in $O_L$ that divides $\pi O_L$. Then:

(a) there exists a unit u ∈ U(Z[ξ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot \pi^{h_\pi}}{K,\ \xi}\right)$ splits;
(b) there exists a unit u ∈ U(Z[ξ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot \pi^{\gcd(h_\pi,\,q)}}{K,\ \xi}\right)$ splits.

In Corollary 2 we obtained a sufficient condition for a symbol algebra $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \ }\right)$ to split over the cyclotomic field K = Q( ), where is a primitive cubic root of unity. Next, let's ask ourselves if this condition is also necessary for the symbol algebra $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \ }\right)$ to split. The answer is affirmative, according to the following result:

Theorem 4 Let be a primitive cubic root of unity and let K = Q( ). Let α ∈ K*, let p ≠ 3 be a prime rational integer, and let L denote the Kummer field $K(\sqrt[3]{\alpha})$. Let $O_L$ be the ring of integers of the field L. Let Cl(L) be the ideal class group of the ring $O_L$, let $h_L$ be the class number of L and let $h_p$ be the order of a class of a prime ideal in $O_L$, which divides $pO_L$, in the group Cl(L). Then, there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \ }\right)$ splits if and only if α is a cubic residue modulo p.

Proof We have proved the sufficiency in Proposition 3, hence all we need to do is to prove the necessity. Let's assume that there exists a unit u of Z[ ] such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \ }\right)$ splits, where α is not a cubic residue modulo p. This will lead to a contradiction. Clearly p ≡ 1 (mod 3) and $\alpha^{\frac{p-1}{3}} \not\equiv 1$ (mod 3). Since


$O_K$ = Z[ ] is a principal ideal domain, from Theorems 1 and 2 we get

$$pO_K = p_1 O_K \cdot p_2 O_K, \tag{1}$$

where $p_1, p_2$ are prime elements from $O_K$ which remain primes in $O_L$, so

$$pO_L = P_1 P_2, \tag{2}$$

where $P_1 = p_1 O_L$, $P_2 = p_2 O_L$ are principal prime ideals of $O_L$. It follows that $h_p = 1$, so

$$(pO_L)^{h_p} = p^{h_p} O_L = P_1 P_2. \tag{3}$$

We show now that $u \cdot p = u \cdot p^{h_p}$, considered as an element of K, can not be the norm of an element of L, for any unit u of Z[ ]. From Theorem 3 it will follow that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p^{h_p}}{K,\ \ }\right)$ does not split, and therefore α must be a cubic residue modulo p. If $u \cdot p = N_{L/K}(\beta)$ for some β ∈ L, then by definition $u \cdot p = \beta\,\sigma(\beta)\,\sigma^2(\beta)$, where σ generates the Galois group Gal(L/K). But then $u \cdot p^{h_p} O_L = (\beta O_L)(\sigma(\beta) O_L)(\sigma^2(\beta) O_L)$, and this contradicts the decomposition of $pO_L$ as the product of two prime ideals $P_1$ and $P_2$ of $O_L$.

In the paper [13] we obtained the following result:

Proposition 5 ([13, Thm. 3.7]) Let p and q be prime positive integers such that p ≡ 1 (mod q), let ξ be a primitive root of order q of unity and let K = Q(ξ). Then there is an integer α not divisible by p whose residue class mod p does not belong to $(F_p^*)^q$, and for every such α, we have:

• the algebra $A \otimes_K Q_p$ is a division algebra over $Q_p$, where A is the symbol algebra A = $\left(\frac{\alpha,\ p}{K,\ \xi}\right)$;
• the symbol algebra A is a division algebra over K.

We consider now a Kummer field with class number 1, for example L = Q( , $\sqrt[3]{5}$), where ³ = 1, ≠ 1. We consider the prime integers 17 and 19. Now, 5 is a cubic residue modulo 17, but 5 is not a cubic residue modulo 19. By using again the computer algebra system MAGMA, we get that the norm equation $17 = N_{L/Q(\ )}(a)$ has solutions, but the norm equation $N_{L/Q(\ )}(a) = 19$ does not have a solution. From Proposition 2 and Proposition 5 we obtain in a very particular situation, i.e. when L is a Kummer field of class number 1, a necessary and sufficient condition for a symbol algebra to split over the third cyclotomic field.

Proposition 6 Let be a primitive cubic root of unity and let K = Q( ). Let α ∈ K*, let p ≠ 3 be a prime rational integer, and let L = $K(\sqrt[3]{\alpha})$ be a Kummer


field with $h_L$ = 1. Then, there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p}{K,\ \ }\right)$ splits if and only if α is a cubic residue modulo p.

Proof In order to prove the necessity, we note that, according to Remark 1, with u = 1, the symbol algebra A = $\left(\frac{\alpha,\ p}{K,\ \xi}\right)$ splits if and only if A is not a division algebra over K. From Proposition 5 it follows that α is a cubic residue modulo p or p is not congruent to 1 modulo 3. But, if p is not congruent to 1 modulo 3 and p ≠ 3, it follows that p ≡ 2 (mod 3) and this implies that $\left(\frac{\alpha}{p}\right)_3$ is equal to 1. Hence, from our previous results, we obtain that α is a cubic residue modulo p.

In order to prove the sufficiency, we note that, if α is a cubic residue modulo p, by applying Proposition 2 with $h_L$ = 1 it follows that there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p}{K,\ \ }\right)$ splits.

Another way to prove Proposition 6 is by using Theorem 4, namely: if $h_L$ = 1, from $h_p \mid h_L$ it follows that $h_p$ = 1, and by applying Theorem 4 we obtain that there exists a unit u ∈ U(Z[ ]) such that the symbol algebra A = $\left(\frac{\alpha,\ u\cdot p}{K,\ \ }\right)$ splits if and only if α is a cubic residue modulo p.

In the future we will try to generalize the results contained in Theorem 4 and Proposition 6 to Kummer fields L = $Q(\xi, \sqrt[l]{\alpha})$, where l ≥ 5 is a prime integer and ξ is a primitive root of order l of the unity.

Acknowledgments Since part of this work has been done when the first author visited the University “G. D’Annunzio” of Chieti-Pescara, she wants to thank the Department of Economic Studies of the University for the hospitality and the support. In addition, she wants to thank Professor Claus Fieker for the fruitful discussions about the computer algebra system MAGMA. The authors thank anonymous referees for their comments and suggestions which helped us to improve this paper.

References

1. Acciaro, V.: Solvability of norm equations over cyclic number fields of prime degree, Math. Comput. 216, 1663–1674 (1996)
2. Acciaro, V., Savin, D., Taous, M., Zekhnini, A.: On quaternion algebras that split over specific quadratic number fields, arXiv:1906.11076 (2019)
3. Acciaro, V., Savin, D., Taous, M., Zekhnini, A.: On quaternion algebras over the composite of quadratic number fields, ResearchGate (2019)
4. Alsina, M., Bayer, P.: Quaternion Orders, Quadratic Forms and Shimura Curves, CRM Monograph Series 22, AMS (2004)
5. Draxl, P.K.: Skew fields, LMS Lecture Note Series 81, CUP (2007)
6. Flaut, C., Savin, D.: Some examples of division symbol algebras of degree 3 and 5, Carpathian J. Math 31, 197–204 (2015)
7. Gille, P., Szamuely, T.: Central Simple Algebras and Galois Cohomology, CUP (2006)
8. Ireland, K., Rosen M.: A Classical Introduction to Modern Number Theory, Springer (1992)
9. Lam, T.Y.: Introduction to Quadratic Forms over Fields, AMS (2004)
10. Ledet, A.: Brauer Type Embedding Problems, AMS (2005)


11. Lemmermeyer, F.: Reciprocity laws, from Euler to Eisenstein, Springer, Heidelberg (2000)
12. The Magma handbook, available at http://magma.maths.usyd.edu.au/magma/handbook/
13. Savin, D.: About division quaternion algebras and division symbol algebras, Carpathian J. Math. 32, 233–240 (2016)
14. Savin, D.: About split quaternion algebras over quadratic fields and symbol algebras of degree n, Bull. Math. Soc. Sci. Math. Roumanie 108, 307–312 (2017)
15. Voight, J.: The Arithmetic of Quaternion Algebras, available at: http://www.math.dartmouth.edu/jvoight/crmquat/book/quat-modforms-041310.pdf