Legendre Polynomials and Complex Multiplication II by Patrick Morton ...

Legendre Polynomials and Complex Multiplication II

by Patrick Morton (IUPUI) PR # 07-06

This manuscript and other can be obtained via the World Wide Web from www.math.iupui.edu

October 2007

1

Legendre Polynomials and Complex Multiplication, II Patrick Morton

1

Introduction

In Part II of this paper we continue the theme of Part I and prove the following theorem concerning irreducible factors of the form x2 +a over Fp of the Legendre polynomial P(p−e)/3 (x), with p ≡ e (mod 3) and e = 1 or 2. Theorem 1.1 If p > 3 is a prime, then the number of distinct, irreducible, binomial quadratic factors of P(p−e)/3 (x) (mod p) is (a √ p h(−3p) − 4rp )/4, where h(−3p) is the class number of the quadratic field Q( −3p);   4, if p ≡ 1 (mod 8), ap = 2, if p ≡ 5 (mod 8),  1, if p ≡ 3 (mod 4); and rp = (1 − ( −3 p ))/2. This theorem, along with Theorem 1(d) of [brm], shows that both class numbers h(−p) and h(−3p) are encoded in the factorization of P(p−e)/3 (x) (mod p), when p ≡ 2 (mod 3), since in this case the number of linear factors (mod p) is a simple function of h(−p). The existence of binomial quadratic factors (bqf ’s) of P(p−e)/3 (x) (mod p) reflects √ the existence of elliptic curves E which are supersingular and for which −3p injects into the endomorphism ring of the curve. As in [m3], we will use the term multiplier for any endomorphism of the curve E, since we identify it with the corresponding normalized meromorphism of the function field K for E. (See [h], [d], [brm, Section 2].) The proof of Theorem 1.1 depends on a detailed understanding of the arithmetic of the Deuring normal form (or Hessian) Eα : Y 2 + αXY + Y = X 3 ,

(1.1)

on which O represents the point at infinity, and for which {O, (0, 0), (0, −1)} is a group of order 3. The choice of this normal form reflects the fact that we 1

are considering a Legendre polynomial of ”index 3”, so to speak, because its degree is roughly (p − 1)/3. In considering the polynomial P(p−e)/4 (x) in Part I it was most natural to use the Legendre normal form, since the corresponding ”index” was 22 , but it would have been possible to use the arithmetic of the Jacobi curve, which has easily identifiable points of order 4. (See [hus].) In order to prove Theorem 1.1, it is necessary to derive several facts about the curve Eα which are interesting in their own right. To begin with, we recall from [brm] that the Hasse invariant of Eα is the value at z = α of the polynomial ˆ p (z) = (−z/3)e−1 W(p−e)/3 (1 − z 3 /27), H

(1.2)

where Wn (x) =

n  2 X n r=0

r

xr .

ˆ p (z) is a projective invariant (mod p) for We first show that the polynomial H the tetrahedral group G12 (∼ = A4 ) of linear fractional mappings in z generated by the two mappings σ1 (z) =

3(z + 6) , z−3

σ2 (z) = ωz,

(ω 3 = 1, ω 6= 1).

This means that for any mapping σ(z) = (az + b)/(cz + d) in G12 we have ˆ p (σ(z)) ≡ ρσ (det σ)(p−1)/2 H ˆ p (z) (mod p), (cz + d)p−1 H

(1.3)

where ρσ (equaling a cube root of unity) is a linear character of the group G12 (the trivial character if p ≡ 1 (mod 3)). This is the analogue for the Deuring normal form of the fact that elements of the anharmonic group in λ fix the polynomial (−1)(p−1)/2 W(p−1)/2 (λ), the Hasse invariant of the Legendre normal form, up to multiplication by ±1. The proof of (1.3) follows the pattern of the proofs of Theorems 5.2 and 5.7 of [m1], and uses two facts about the Hasse invariant which are given in the Appendix of this paper as Theorems A.1 and A.2 (Theorem 3.2 and Proposition 3.4 of [m1]). Equation (1.3) implies the following facts ((part a) was asserted in [brm, p. 85]):

Theorem 1.2 a) The supersingular parameters α of the Deuring normal form (1.1) lie in the finite field Fp2 .

2

b) The j-invariant of any supersingular elliptic curve in characteristic p is a cube in the finite field Fp2 . Note that part b) of this theorem is easy when j is the reduction (mod p) of a root of the class equation HD (x), and 3 does not divide the discriminant D, by well-known results in the theory of complex multiplication (see [co, p. 249, Thm 12.2]). It gives a non-trivial result in the case that D is divisible by 3. We next show that various aspects of the arithmetic on the Deuring normal form Eα can be described very elegantly in terms of solutions of the Fermat curve F er3 : 27X 3 + 27Y 3 = X 3 Y 3 .

(1.4)

The next theorem holds over any field k whose characteristic is not 3. k¯ denotes the algebraic closure of k. Theorem 1.3 a) If (α, β) is a point on F er3 , then there √ is an isogeny φα,β of degree 3 from Eα to Eβ which is defined over k(α, β, −3) and which satisfies φβ,α ◦ φα,β = ±[3] on Eα . b) The curves Eβ and Eγ are isomorphic if and only if there is an α in k¯ and an element σ of G12 for which (α, β) and (σ(α), γ) are both points on the √ curve F er3 . When this holds, there is an isomorphism defined over k(α, β, γ, −3). c) If (α, β) is a point on F er3 in characteristic p 6= 0 and α is a root of ˆ p (z) in (1.2), then β is also a root of H ˆ p (z). For every root α of H ˆ p (z) there H is another root β for which (α, β) is a solution of F er3 . d) If α 6= 0, the points of order 3 on Eα are the points (0, 0), (0, −1), and the points   −3β β − 3ω i (x, y) = , , α(β − 3) β − 3 where β runs over the three elements of k¯ for which (α, β) is a point on the curve F er3 , ω is a primitive cube root of unity, and i = 1, 2. The Fermat curve (1.4) parametrizes 3-isogenies φ with kernel {O, (0, 0), (0, −1)} from one elliptic curve in Deuring normal form to another; if φ : Eα → Eβ is any isogeny with the given kernel, then it follows from parts a) and b) of Theorem 1.3 that for some σ ∈ G12 , (σ(α), β) is a point on F er3 . It follows from Theorems 1.2 and 1.3 that all points of order 3 on a supersingular Eα have coordinates in Fp2 , and that isomorphisms between different supersingular Eα ’s can always be defined over Fp2 . This is the analogue for n = 3 of Theorem 1.5 in [m1] concerning the field of definition of the points of order n on the Tate normal form.

3

√ To prove Theorem 1.1, we must find a criterion for −3p to inject into End(Eα ). We first state the criterion in the form which most directly applies to the binomial quadratic factors of P(p−e)/3 (x). Theorem 1.4 There exists a multiplier µ on the supersingular curve Eα satisfying µ2 = −3p and µ{O, (0, 0), (0, −1)} = O if and only if (α, αp ) is a point on F er3 . When this condition holds, and α 6= 0, µ is given by µ = ±ν ◦ φα,αp , where ν : Eαp → Eα is the Frobenius map: ν(z, w) = (z p , wp ). The condition that (α, αp ) is a point on F er3 is equivalent to the condition that α3 is a root of g(t) = t2 + At + B over Fp , where g(t) is either an irreducible factor or the square of a linear factor of W(p−e)/3 (1 − t/27) (mod p) satisfying B ≡ −27A (mod p). This is the analogue of the first condition in Theorem 1.2 of [m3]. Theorem 1.1 depends on the fact that the bqf ’s of P(p−e)/3 (x) (mod p) are in 1-1 correspondence with the irreducible quadratic factors of W(p−e)/3 (1−t/27) satisfying this condition. We also prove the following more general criterion. Theorem 1.5 Let the curve Eα be supersingular and choose β so that (α, β) lies on the Fermat curve F er3 in (1.4). There is a multiplier µ on Eα satisfying µ2 = −3p if and only if there is some σ in the group G12 for which (σ(β), σ(β)p ) also lies on F er3 . When it exists, µ is defined over Fp2 . This criterion is the analogue of Theorem 1.2 in [m3]. The criterion is more complicated in this case because the j-invariant of the Legendre curve is invariant under the anharmonic group in λ, but the j-invariant of the Deuring normal form Eα , namely j(Eα ) =

α3 (α3 − 24)3 , α3 − 27

(1.5)

is not invariant under G12 : one has to descend to a 3-isogenous curve Eα0 in order for j(Eα0 ) to be invariant under G12 . (See Section 2.) This is the reason why the Fermat curve occurs in the statement of Theorems 1.5 and 1.6. We complete the proof of Theorem 1.1 in Section 5, by using Theorem 1.4 of [m2], which gives an explicit factorization (mod p) of the class equations H−12p (t) or H−3p (t)H−12p (t), depending on the congruence class of p (mod 4). (See Theorem 5.1.) We show, in analogy to the proof in [m3], that the bqf ’s of P(p−e)/3 (x) correspond 1-1 to the quartic factors of K3p (t) = H−12p (t) or H−3p (t)H−12p (t) which are powers of irreducibles (mod p). I acknowledge with gratitude the inspiration and assistance I have received from John Brillhart in this investigation; he empirically discovered the formula in Theorem 1.1 for half of the cases of primes modulo 24, which led me to investigate the remaining cases and to find the count of bqf ’s for P(p−e)/4 (x) in Part I of this paper [m3].

4

2

Properties of W(p−e)/3 (x).

In this section we will determine a group of 12 linear fractional transformations ˆ p (z) in (1.2) invariant, up to multiplication by a root leaving the polynomial H of unity. Let K1 = k(x, y) be the function field of the curve Eα (see (1.1)) in Deuring normal form, where k is any field of characteristic p. We consider the subfield K2 of K1 which corresponds to the group of translations G =< τ > generated by (x, y)τ = (x, y) + (0, 0), an automorphism of order 3, since (0,0) has order 3 on Eα . An easy calculation using the addition law on Eα gives (x, y)τ = (−y/x2 , −y/x3 ), while 2

(x, y)τ = (x, y) + (0, −1) = ((1 + αx + y)/x2 , −(1 + αx + y)2 /x3 ).

With the notation of Theorem A.2 (see Appendix A), we have u = traceK1 /K2 (x) =

x3 + αx + 1 , x2

v = traceK1 /K2 (y) =

y(x3 − 1) − (1 + αx + y)2 x3

=

y(x3 − αx − 2) − (x3 + α2 x + 2αx + 1) , x3

(2.1)

and the equation satisfied by u and v is Eα0 : v 2 + αuv + 3v = u3 − 6αu − α3 − 9.

(2.2)

Now from the standard formulas in Theorem A.1(b), we have the following formulas for the curve Eα0 : c4 = α(α3 + 216), c6 = 5832 + 540α3 − α6 , ∆ = (c34 − c26 )/123 = (α3 − 27)3 , j(Eα0 ) = 5

α3 (α3 + 216)3 . (α3 − 27)3

Theorem A.1 and Theorem A.2(b) imply the following identity. Proposition 2.1. For any α, the Hasse invariants of the isogenous curves Eα and Eα0 are equal in characteristic p: (−α/3)e−1 W(p−e)/3 (1 − α3 /27) =

αr (α3 + 216)r (α6 − 540α3 − 5832)s (α3 − 27)3n Jp (

α3 (α3 + 216)3 ). (α3 − 27)3

(2.3)

This proposition allows us to consider the Hasse invariant of Eα by ”descending” to the isogenous curve Eα0 , whose j-invariant is left invariant by the linear fractional transformations in the group

G12 =< σ1 , σ2 >, where σ1 (z) =

3(z + 6) , σ2 (z) = ωz, ω 3 = 1, ω 6= 1. z−3

This implies the following theorem. In order to state it, we define a mapping on polynomials. If σ(z) = (az + b)/(cz + d) is a linear fractional transformation, we set σ ˆ (f (z)) = (cz + d)deg(f ) f (

az + b ). cz + d

(2.4)

ˆ p (z) = (−z/3)e−1 W(p−e)/3 (1 − z 3 /27) is a Theorem 2.2. The polynomial H projective invariant (mod p) for the group G12 . We have that ˆ p (z)) = ( σ ˆ1 (H

−3 ˆ )Hp (z), p

ˆ p (z)) = ω r H ˆ p (z); σ ˆ2 (H

(2.5)

where r = 21 (1 − (−3/p)) = 0 or 1. Remark. For p > 3, equation (2.5) may also be written in the form ˆ p (z)) ≡ ρσ (det σi )(p−1)/2 H ˆ p (z) (mod p), σ ˆi (H i where ρσ1 = 1 and ρσ2 = ω 2r . Proof. We will show that σ1 (z) and σ2 (z) leave the right side of (2.3) invariant, up to the multiplicative factor given in (2.5). It is easy to check that both maps leave the rational function j(z) = z 3 (z 3 + 216)3 /(z 3 − 27)3 invariant, i.e., 6

j(σi (z)) = j(z). In fact, the extension F (z)/F (j(z)) is normal, where F = Q(ω), and its Galois group is generated by σ1 (z) and σ2 (z). Furthermore, σ ˆ1 (z(z 3 + 216)) = 36 z(z 3 + 216), σ ˆ1 (z 6 − 540z 3 − 5832) = −39 (z 6 − 540z 3 − 5832), and σ1 (z)3 − 27 = 36 (z 3 − 27)/(z − 3)4 . Using the fact that 4r + 6s + 12n = p − 1, it follows from (2.3) that ˆ p ( 3(z+6) ) = (z − 3)p−1 H z−3 36r (z(z 3 + 216))r · (−3)9s (z 6 − 540z 3 − 5832)s (z − 3)12n · 318n

(z 3 − 27)3n Jp (j(z)) (z − 3)12n

ˆ p (z) = (−1)s · 36r+9s+18n · H ˆ p (z) = ( −3 )H ˆ p (z). = (−1)s · 27(p−1)/2 · H p The formula for σ ˆ2 (Hp (z)) is immediate from (2.3). It follows that ˆ p (z)) ≡ ρσ (det σ)(p−1)/2 H ˆ p (z) (mod p), σ ˆ (H holds for any σ in G12 , where ρσ is a cube root of unity. For use in Section 3, we note that the group G12 is isomorphic to the alternating group A4 . Its Klein-4 subgroup is the group V consisting of the linear fractional maps

V = {z,

3(z + 6) , z−3

3(ωz + 6ω 2 ) , z − 3ω

3(ω 2 z + 6ω) } = {z, σ1 (z), σ3 (z), σ4 (z)}, z − 3ω 2 (2.6)

where σ3 = σ2 ◦ σ1 ◦ σ2−1 and σ4 = σ2−1 ◦ σ1 ◦ σ2 . Theorem 2.2 allows us to prove the following result. Theorem 2.3. If p > 3, the supersingular parameters α of the Deuring normal form Eα lie in the field Fp2 . Proof. From Proposition 3 of [brm] we know that α3 ∈ Fp2 whenever Eα is supersingular. If α 6= 0, this implies that W(p−e)/3 (1 − α3 /27) = 0. But, if α is a root of W(p−e)/3 (1 − x3 /27), so is 3(α + 6)/(α − 3), from the invariance proved in Theorem 2.2. Therefore

7

β=(

α+6 3 ) ∈ Fp2 . α−3

This yields α3 + 18α2 + 108α + 216 = β(α3 − 9α2 + 27α − 27), or (18 + 9β)α2 + (108 − 27β)α + γ = 0, γ ∈ Fp2 . The coefficients of α and α2 in the last equation are not both 0, since p > 3. Since α satisfies a linear or quadratic equation over Fp2 , the polynomial x3 − α3 has a linear factor over Fp2 . It therefore splits completely, since the cube roots of unity are in Fp2 . Hence, α lies in Fp2 . This theorem shows that the polynomial W(p−e)/3 (1 − z 3 /27) factors into linear and quadratic factors (mod p), which in turn implies the following result. Theorem 2.4. The j-invariant j0 of any supersingular elliptic curve in characteristic p is a cube in the finite field Fp2 . Proof. Suppose α is an element of the algebraic closure of Fp2 for which j0 = α3 (α3 + 216)3 /(α3 − 27)3 , where we may assume j0 6= 0 or 1728 = 123 . Then from (A.1) we know Jp (j0 ) = 0. Hence, α is a root of W(p−e)/3 (1 − z 3 /27), by (2.3). By Theorem 2.3, α is therefore an element of Fp2 . But this implies j0 is a cube in this field, by the choice of α. q.e.d. It is shown in [m1] that the supersingular parameters of the Tate normal forms with distinguished points of orders 4 and 5 are 4-th powers and 5-th powers, respectively, in the finite fields Fp2 (n = 4) and Fp4 (n = 5). The exact analogue of this fact is not true for the Deuring normal form, since its supersingular parameters are not always cubes in Fp2 . However, calculations with the polynomial W(p−e)/3 (1 − z 3 /27), and the discussion in Weber [w, pp. 255-256], suggest the following conjecture. Conjecture. If the curve Eα is supersingular, then α = 3 + β 3 , where β ∈ Fp2 .

3

The Fermat curve and the Deuring normal form.

In this section we study the properties of the Deuring normal form 8

Eα : Y 2 + αXY + Y = X 3

(3.1)

Eα0 : V 2 + αU V + 3V = U 3 − 6αU − α3 − 9

(3.2)

and the isogenous curve

in more depth. Except when otherwise indicated, the results of this section hold over a field k of any characteristic 6= 2, 3. We ask the question: what is the Deuring normal form of the curve Eα0 ? In other words, for what β is Eα0 ∼ = Eβ ? To answer this question, we put both curves into standard Weierstrass form, with X1 = X + β 2 /12, Y1 = 2Y + βX + 1 and U1 = U + α2 /12, V1 = 2V + αU + 3: Eβ ∼ =: Y12 = 4X13 − (β 4 /12 − 2β)X1 − (−β 6 /216 + β 3 /6 − 1);

(3.3a)

Eα0 ∼ =: V12 = 4U13 − (α4 /12 + 18α)U1 − (−α6 /216 + 5α3 /2 + 27).

(3.3b)

For these curves to be isomorphic the following equations must hold: R(α, β, λ) = (α4 /12 + 18α) − λ4 (β 4 /12 − 2β) = 0,

(3.4a)

S(α, β, λ) = (−α6 /216 + 5α3 /2 + 27) − λ6 (−β 6 /216 + β 3 /6 − 1) = 0, (3.4b)

for some λ in the algebraic closure of k, the field of constants (see [si, p. 50]). Now we compute the resultant of 12R and 216S with respect to the variable λ: Resultantλ (12R, 216S) = 212 · 36 (α3 β 3 − 27α3 − 27β 3 )2 × (α3 + 18α2 + 108α + 216 − α2 β 3 − 3αβ 3 − 9β 3 )2 × (α6 + α5 β 3 − 18α5 + α4 β 6 − 33α4 β 3 + 216α4 − 3α3 β 6 + 144α3 β 3 − 1512α3 −270α2 β 3 + 7776α2 − 27αβ 6 + 1620αβ 3 − 23328α + 81β 6 − 3888β 3 + 46656)2 . Writing g1 (α, β) = α3 β 3 − 27α3 − 27β 3 , we set g2 (α, β) = α3 + 18α2 + 108α + 216 − α2 β 3 − 3αβ 3 − 9β 3 = (α − 3)3 g1 (σ1 (α), β); 9

g3 (α, β) = (α − 3ω)3 g1 (σ3 (α), β); g4 (α, β) = (α − 3ω 2 )3 g1 (σ4 (α), β).

Then the product g3 (α, β)g4 (α, β) equals the 6-th degree factor in the above resultant, and

Resultantλ (12R, 216S) = 212 · 36 ·

4 Y

gi (α, β)2 = 212 · 36 ·

i=1

Y

σ ˆ (g1 (α, β))2 ,

σ∈V

(3.5) where σ ˆ is only applied to the α variable. Hence, the β’s for which Eα0 ∼ = Eβ are either solutions of the equation F er3 : (3α)3 + (3β)3 = (αβ)3 ,

(3.6)

or solutions of a similar equation with α replaced by another element in the orbit V α. Since the terms in g1 (α, β) are cubes, and the elements of V are coset representatives for the group generated by σ2 , the same β’s arise when we replace α by elements of the orbit G12 α. Proposition 3.1 The curve Eα0 is isomorphic to the curve Eβ in Deuring normal form if and only if there is an element σ in G12 (or in V α) for which (σ(α), β) is a point on the Fermat curve (3.6). Proof. We have already verified necessity. To prove sufficiency, suppose that g1 (α, β) = 0. Then the j-invariant of the curve Eβ is α3 α3 27α3 α3 β 3 (β 3 − 24)3 3 3 3 = · (β − 24) = ( − 24) = · (α3 + 216)3 . β 3 − 27 27 27 α3 − 27 (α3 − 27)3 This shows that Eβ and Eα0 have the same j-invariants and are therefore isomorphic. Furthermore, because of the invariance of j(Eα0 ) under G12 , any solution of (3.6) with α replaced by σ(α) also gives a solution of (3.4). This accounts for all possible zeros of the resultant in (3.5), and shows that (3.5) has no extraneous solutions. Corollary 3.2 If (α, β) is a point on F er3 , then Eα and Eβ are isogenous curves.

10

These arguments imply the following result. Theorem 3.3. The curves Eβ and Eγ are isomorphic (over a field k whose characteristic is not 2 or 3) if and only if there exists an α and a σ ∈ G12 (or in V ) such that (α, β) and (σ(α), γ) are both points on the Fermat curve F er3 . Proof. If Eβ and Eγ are isomorphic, let α be an element in the algebraic closure of k for which (α, β) is a point on (3.6). Then Eβ is isomorphic to Eα0 , whence Eγ ∼ = Eα0 . Proposition 3.1 implies that for some σ, (σ(α), γ) is also on (3.6). Conversely, if (α, β) and (σ(α), γ) are both points on (3.6), then Proposition 3.1 shows that Eβ and Eγ are both isomorphic to Eα0 , and are therefore isomorphic to each other. A corollary of this discussion is the fact that the Deuring normal forms of the 3-isogenous curves Eα and Eβ are never simultaneously defined over Q, unless α = β = 0. However, if Eα is supersingular, so is Eα0 and therefore Eβ , by a theorem of Deuring [d]. This says: Theorem 3.4. Assume p is any prime > 3 and (α, β) is a point on F er3 over a field of characteristic p. If α is a supersingular parameter of the Deuring normal ˆ p (z), there is another form, then so is β. For any root α of the Hasse invariant H root β for which (α, β) is a solution of F er3 in the field Fp2 . Theorem 3.4 verifies the content of Theorem 1.3c) of the introduction. We can easily specify an isogeny between Eα and Eβ when α and β satisfy (3.6). Proposition 3.5. If α and β satisfy (3.6) and αβ 6= 0, then the following map φ = φα,β defines an isogeny from Eα : y 2 + αxy + y = x3 to Eβ : w2 + βzw + w = z3: z = φα,β (x) =

w = φα,β (y) =

−β 2 3x3 + α2 x2 + 3αx + 3 , 9α2 x2

√ √ √ β3 {2 −3(x3 −αx−2)y+(3+ −3)αx4 +(2α3 /3+9+ −3)x3 3 3 18α x √ √ √ +(3 − −3)α2 x2 + (3 − 3 −3)αx − 2 −3}.

If α = β = 0, then the mapping z = φ0,0 (x) = w = φ0,0 (y) =

−1 x3 + 1 , 3 x2

√ √ −1 √ { −3(x3 − 2)y + (9 + −3)/2 · x3 − −3} 3 9x

11

is an isogeny from E0 to itself. √ √ Remark. Replacing −3 by − −3 in the formula for w gives the map φ¯α,β , which coincides with the map −φα,β in Hom(Eα ,Eβ ), since φ¯α,β (y) + φα,β (y) = −βz − 1 = −βφα,β (x) − 1.

Proof. First assume αβ 6= 0. We use (3.3) to find the isomorphism between Eα0 and Eβ . By (3.4) and β 3 = 27α3 /(α3 − 27) we have λ4 =

α4 /12 + 18α α 3 9α4 . = (α − 27) = β 4 /12 − 2β 3β β4

Similarly, λ6 =

α6 /216 − 5α3 /2 − 27 −1 3 α6 2 = (α − 27) = −27 . β 6 /216 − β 3 /6 + 1 27 β6

2

4 6 Hence λ2 = −3 α β 2 . (This works even if the coefficient of λ or λ in (3.4) is zero; 0 in these cases j(Eβ ) = j(Eα ) = 0 and 1728, respectively.) With the notation of (3.3), an isomorphism between Eβ and Eα0 is given by

−3

α2 β2 α2 (X + )=U+ , 2 β 12 12

λ3 Y1 = V1 ,

or X=−

β2 β2 , U− 2 3α 9

λ3 Y1 = V1 .

We compose this map with the isogeny from Eα to Eα0 given in (2.1). Putting u for U and z for X yields z=

−β 2 x3 + αx + 1 β 2 −β 2 3x3 + α2 x2 + 3αx + 3 − = . 2 2 3α x 9 9α2 x2

The formula for w follows similarly from λ3 Y1 = V1 , i.e. √ α3 −3 −3 3 (2Y + βX + 1) = 2V + αU + 3, β on replacing Y with w, X with z, V with v and U with u from (2.3). When (α, β) = (0, 0), it can be checked directly that φ0,0 is an isogeny, as well. In order to study the isomorphisms between different Hessian curves we consider the points of order 3 on Eα . 12

Proposition 3.6. (i) The x-coordinates of the points of order 3 on Eα satisfy k(x) = x(3x3 + α2 x2 + 3αx + 3) = 0.

(3.7)

(ii) The x-coordinate x(3P ) is given in terms of x = x(P ) by the formula

x(3P ) =

x9 − 6αx7 − (24 + α3 )x6 − 6α2 x5 − 3αx4 + (3 + α3 )x3 + 3α2 x2 + 3αx + 1 . x2 (3x3 + α2 x2 + 3αx + 3)2 (3.8)

(iii) For any point (α, β) on (3.6) the map φα,β of Proposition 3.5 satisfies the formula φβ,α ◦ φα,β (x) = x(3P ),

(3.9)

and φβ,α ◦ φα,β equals the multiplication map by ±3 on Eα . Thus, either φβ,α or −φβ,α is the dual isogeny to φα,β . Remark. The numerator in (3.8) factors as (x3 − (3 + α)x2 + αx + 1)× (x6 + (3 + α)x5 + (9 − α + α2 )x4 + (2 + 3α + α2 )x3 + (3 + α + α2 )x2 + 2αx + 1) = g(x, α) · g(ωx, ω 2 α) · g(ω 2 x, ωα), where g(x, α) = x3 − (3 + α)x2 + αx + 1. This cubic has Galois group Z/3Z over Q(α) and is one of Shanks’ ”simplest cubics” [sha]. Proof. Completing the square in the equation for Eα gives (2Y + αX + 1)2 = 4X 3 + (αX + 1)2 , so that Eα is isomorphic to E : Y 2 = 4X 3 + (αX + 1)2 . By standard formulas [si] the doubling formula on E is, with x = x(P ): x(2P ) =

x(x3 − αx − 2) , 4x3 + (αx + 1)2

The coordinate x = x(P ) of a point P of order three on E must satisfy x = x(P ) = x(−P ) = x(2P ), which immediately gives (3.7). Formula (3.8) follows from the equation for E and y(2P ) =

(2x6 + α2 x5 + 5αx4 + 10x3 − αx − 1) y (4x3 + α2 x2 + 2αx + 1)2 13

using the tangent-secant construction on the curve E. To prove (3.9), assume αβ 6= 0 and note that φα,β maps the points in Eα [3] to the subgroup {Oβ , (0, 0), (0, −1)} of Eβ , by Proposition 3.5 and (3.7). Since φβ,α maps the latter subgroup to O on Eα , and ψ = φβ,α ◦ φα,β has degree 9, it follows that ker(ψ)=Eα [3]. From this we get first that ψ = ±[3] on Eα for all but the finitely many α for which j(Eα ) = 0, 1728, by [si, p. 77, Cor. 4.11]. Now it is easy to check, using Proposition 3.5, that φωβ,α ◦ φα,ωβ (x) = φβ,α ◦ φα,β (x) = ψ(x), which implies that the coefficients of ψ(x) are expressions in α and β 3 and can therefore be expressed as rational functions of α alone. It follows that (3.9) holds for all α 6= 0, since it holds for all but finitely many α and both sides are rational functions in x and α. That it also holds for α = 0 with the special definition of φ0,0 can be checked directly. An easy calculation using the Tartaglia-Cardan formulas shows that the roots of (3.7) are x = 0 and x=

1 −1 2 α 3 α − (α − 27)1/3 − (α3 − 27)2/3 , 9 9 9

(3.10)

where the cube roots can take three values and their product is α3 − 27. Now let α and β be parameters of Eα satisfying the Fermat equation (3.6), so that Eα and Eβ are isogenous. Then α3 − 27 = 27α3 /β 3 , so the roots in (3.10) may be expressed as

x=

2 −1 2 α 3α 1 9α2 β 3 − 27 2 β + 3β + 9 2 α − − = −α ( ) = −α ( ). 9 9 β 9 β2 9β 2 9β 2 (β − 3)

Using β 3 − 27 = 27β 3 /α3 gives x=

−3β , α(β − 3)

(3α)3 + (3β)3 = (αβ)3 ,

(3.11)

where β can be replaced by ωβ or ω 2 β to give all the nonzero roots of (3.7). Putting this expression in for X in (3.1) shows that the y-coordinates of the corresponding points of order 3 satisfy y2 −

2β + 3 β 2 + 3β + 9 y+ = 0, β−3 (β − 3)2

14

whose solutions are y=

√ 2β + 3 ± 3 −3 β − 3ω i = , i = 1, 2. 2(β − 3) β−3

(3.12)

To summarize, we have: Theorem 3.7. If α 6= 0, the points of order 3 on the Deuring normal form Eα in (3.1) are the points (0, 0), (0, −1) and the points   −3β β − 3ω i (x, y) = , , (3.13) α(β − 3) β − 3 where 27α3 + 27β 3 = α3 β 3 , ω is a primitive cube root of unity, and i = 1, 2. Remarks. (i) If α = 0, the points of order 3 on Eα , other than (0, 0) and (0, −1), are simply (−ω i , ω j ), where i = 0, 1, 2 and j = 1, 2. (ii) If α 6= 0, then the y-coordinates of the 3-division points on Eα are quotients of pairs of the x-coordinates of the same points. (iii) The y-coordinates of the 3-division points are independent of α in the set {α, ωα, ω 2 α}. Corollary 3.8 If Eα is supersingular, the points of order 3 on Eα have coordinates in Fp2 . Corollary 3.9 If an elliptic curve E/K with j(E) 6= 0 is isomorphic over K to a curve Eα in Deuring normal form, and if K contains the coordinates of all eight of the non-trivial points in E[3] (torsion points of order 3), then there is a non-trivial solution of F er3 in K. Proof. Since Eα is isomorphic to E over K, the field K contains the xcoordinates of the points in Eα [3]. But α 6= 0 lies in K so Theorem 3.7 implies that β ∈ K as well. Thus K contains the point (α, β) on F er3 . Now we consider isomorphisms between the curves Eα : Y 2 + αXY + Y = X 3 and Eα0 : Y 02 + α0 X 0 Y 0 + Y 0 = X 03 , where we assume that α, α0 ∈ / {0, (24)1/3 , (24)1/3 ω, (24)1/3 ω 2 }. As in (3.3), Eα and Eα0 are isomorphic only if there is some λ 6= 0 for which (α0 )4 /12 − 2α0 = λ4 (α4 /12 − 2α), −(α0 )6 /216 + (α0 )3 /6 − 1 = λ6 (−α6 /216 + α3 /6 − 1).

15

(3.14)

By Theorem 3.1 we know that (α, β) and (α0 , σ(β)) lie on the Fermat curve F er3 together, for some β and some σ in the group V . If σ = 1, then α0 = ω i α, and an isomorphism between Eα and Eα0 is given by X 0 = ω 2i X, Y 0 = Y. If σ = σ3 or σ4 , then we may replace β by ω i β, for some i, to get that (α, β) and (α0 , σ1 (β)) lie on the Fermat curve together. This has the effect of renaming the points of order three given in Theorem 3.7. Then we let γ=

−3β , α(β − 3)

γ0 =

−3σ1 (β) β+6 . =− α0 (σ1 (β) − 3) 3α0

(3.15)

be the x-coordinates of specific points of order 3 on Eα and Eα0 , respectively. Note that our assumption on α and α0 implies that γ, γ 0 , and λ are non-zero. Using the values α3 = 27β 3 /(β 3 − 27) and α03 = 27σ1 (β)3 /(σ1 (β)3 − 27) for α3 and (α0 )3 in (3.14) gives λ4 =

α0 β(β − 3) , α 3(β + 6)

λ6 =

−1 (β − 3)2 . 27

Hence, λ2 =

−1 α (β − 3)(β + 6) = −γ 0 /γ, 9 α0 β

by (3.15). This formula for λ2 holds even if both sides of (3.14) are zero. Now by standard manipulations, an isomorphism between the curves Eα ∼ =: Y12 = 4X13 − (α4 /12 − 2α)X1 + α6 /216 − α3 /6 + 1, and Eα0 ∼ =: Y102 = 4X103 − (α04 /12 − 2α0 )X10 + α06 /216 − α03 /6 + 1, is given by X10 = λ2 X1 , Y10 = λ3 Y1 . The equation connecting the X-variables is X0 +

γ0 α2 α02 = − (X + ), 12 γ 12

or

X0 = −

γ0 γ 0 α2 α02 γ0 β+6 γ0 X− − =− X− = − X + γ0. γ γ 12 12 γ 3α0 γ 16

(3.16)

This result, which we shall use in the next section, is summarized in: Proposition 3.10. If the curves Eα and Eα0 are isomorphic, and (α3 −24)(α03 − 24)(α3 − α03 )αα0 6= 0, then an explicit isomorphism is given by the equations X0 = −

γ0 X + γ0, γ

(3.17a)

√ √ √ −3 α (β − 3)(β + β −3 + 6) (3 + −3)β + (9 − 3 −3) (β −3)Y + X+ 9 18 β 18

√ 0

Y =

√ =

ω 2 (β − 3ω) −3 (β − 3)Y + X− 9 3γ

√

−3ω(β − 3ω) ; 9

(3.17b)

where γ and γ 0 , given by (3.15), are x-coordinates of specific 3-division points √ on Eα and Eα0 , respectively; ω = (−1 + −3)/2; and β is chosen so that (α, β) and (α0 , σ1 (β)) lie on the curve F er3 . √ We leave the verification of the formula for Y 0 (using λ3 = −(β − 3)/(3 −3)) to the reader. This formula can also be written as √   √ −3(β − 3) 2δ 0 Y = Y − −3ω X − ωδ , (3.17c) 9 γ where δ = (β − 3ω)/(β − 3) is the Y -coordinate of the 3-division point (γ, δ). This isomorphism takes the 3-division points ±(γ, δ) on Eα to the points (0, 0) and (0, −1) on Eα0 . In the non-trivial case not covered by the proposition, where α = 0 and α0 = (24)1/3 , say, then it is easy to see from (3.14) and (3.16) that (3.17a) becomes X 0 = γ 0 X + γ 0 , where γ 0 = −1/31/3 is the x-coordinate of point in Eα0 [3] and γ = −1 is the x-coordinate of a point in Eα [3]. Corollary 3.11 If the supersingular curves Eα and Eα0 are isomorphic, then there is an isomorphism defined over the field Fp2 . Proof. This is clear from the formulas (3.17), Theorem 2.3 and Theorem 3.4, in case (α3 − 24)(α03 − 24)(α3 − α03 )αα0 6= 0. If α3 = α03 it is trivial. If α = 0 and α0 = (24)1/3 , then the j-invariant is 0, so p ≡ 2 (mod 3). In this case the assertion follows from the comments that immediately precede √ the corollary and from the equation 2Y 0 + α0 X 0 + 1 = λ3 (2Y + 1) with λ3 = 1/ −3. We have now verified all the statements of Theorem 1.3 of the Introduction. The computations in this section, particularly those leading to Proposition 3.10, simplify some of Deuring’s calculations in [d, Section 5, pp. 235-237]. Deuring’s 17

formulas are expressed in terms of a solution of the equation X 3 + 27 = Y 3 in place of the equation 27X 3 + 27Y 3 = X 3 Y 3 , but higher degree irrationalities (such as his γh ) occur in his formulas, which is not the case for our formulas. Though we assumed char(k) 6= 2 in our derivation, the resulting formulas (3.17a) and (3.17c) are also valid in characteristic 2, by reduction.

4

Curves with

√

−3p as multiplier.

¯ p (x, y) is In proving Theorem 1.4 we assume Eα is supersingular, that K = F the function field of Eα , and that the element µ of End(Eα ) satisfies µ2 = −3p. This requires that ker(µ) have order 3, since N orm(µ) = [K : K µ ] = 3p and so the degree of inseparability of K/K µ is p. Two of the points of order 3 on Eα are P1 = (0, 0) and P2 = 2P1 = (0, −1). Using points of Eα to represent the corresponding prime divisors of K, the divisor of x on Eα is (x) = P1 P2 /O2 . Thus (xµ ) = P1µ P2µ /(Oµ )2 . Since µ2 = −3p it follows that µP ∈ ker(µ) for any point P of order 3 on Eα . Case 1. We first assume that ker(µ) = {O, P1 , P2 }. Then three points P of order 3 satisfy µP = Pi for each i = 1, 2, so Piµ = Nµ (P ), where Nµ is the norm in the extension K/K µ . (See [brm, eq. (2.1)] or [d, eq. (2)].) Since P, P + P1 , P + P2 are the pre-images of Pi under µ, and these pre-images have distinct x-coordinates, Piµ = Api , where the divisor Ai is the product of three prime divisors P = (c, d), as c runs over the distinct, non-zero roots of (3.7) (so c takes the three distinct values in (3.10)). This gives (xµ ) =

(A1 A2 )p P1µ P2µ = , (Oµ )2 (OP1 P2 )2p

so that 

µ

x =b

3x3 + α2 x2 + 3αx + 3 x2

p ,

(4.1)

¯ p . This formula is reminiscent of the formula for some constant b in Ω = F for z = φα,β (x) in Proposition 3.5, and indeed, we will show that the map µ = ±ν ◦ φα,αp , where ν in Hom(Eαp , Eα ) takes (z, w) on Eαp to (z p , wp ) on Eα . 2

Since µ2 = −3p, then xµ = x(−3p) = x(3p) , where x(n) denotes the effect on x of the meromorphism n in Z. By the proof of Proposition 3 in [brm, p. 89], 2 2 x(p) = axp , for a constant a in Ω for which αp = aα and a3 = 1. From Theorem 2.3, α ∈ Fp2 , which implies that a = 1, as long as α 6= 0. Thus, 2 x(p) = xp when α 6= 0. If α = 0, then E0 is the curve y 2 + y = x3 , and the mapping η : (x, y) → (xp , y p ) defines a meromorphism on E0 with norm p in

18

End(E0 ). Furthermore, trace(η) = 0, since the number of points on E0 /Fp is 2 p + 1 whenever p ≡ 2 (mod 3). Hence, η 2 = −p, which gives x(p) = xp also when α = 0. Now the point P = (x, y) is a transcendental point on Eα , so (3.8) and (4.1) imply that

(3p)

x

p2

= x(3P )

µ2

=x

 =b

3(xµ )3 + α2 (xµ )2 + 3α(xµ ) + 3 (xµ )2

p .

(4.2)

Comparing leading coefficients with (3.8) gives that bp+1 = 1/81, so that b also lies in Fp2 . Taking p2 -th roots in (4.2) yields x(3P ) = b

3c3 z 3 + c2 α2p z 2 + 3cαp z + 3 , c2 z 2

(4.3)

with bp = c and z = 3x + α2 +

3α 3 + 2. x x

Clearing denominators in (4.3) gives c2 (x9 − 6αx7 − (24 + α3 )x6 − ...) = b{81c3 x9 + (81c3 α2 + 9c2 α2p )x8 + (6c2 α2p+2 + 243c3 α + 9cαp + 27c3 α4 )x7 +(243c3 + 162c3 α3 + c2 α2p+4 + 3c3 α6 + 18c2 α2p+1 + 3cαp+2 + 3)x6 + ...}.(4.4) Setting the coefficient of x8 equal to zero gives that c = −α2p /(9α2 ) and therefore b = −α2 /(9α2p ),

α 6= 0.

(4.5)

If α = 0, comparing coefficients of x6 in (4.4) gives b = −9c2 and therefore b3 = −1/93 . Now, comparing coefficients of x7 shows that 27α3p + 27α3 − α3p+3 = 0,

(4.6)

which holds whether or not α = 0. Hence (α, αp ) is a point on the Fermat curve F er3 . If α 6= 0, using (4.5) and comparing with Proposition 3.5 shows that xµ = (φα,αp (x))p . Furthermore, y µ and (φα,αp (y))p satisfy the equation Y 2 + αxµ Y + Y = (xµ )3 , so we deduce that µ = ±ν ◦ φα,αp in End(Eα ), as claimed above. If α = 0, we get the same conclusion using b = −ω i /9. 19

If α3 satisfies the equation t2 + At + B = 0 in Fp , then A = −α3 − α3p and B = α3 α3p , so (4.6) becomes B = −27A. Conversely, suppose that (4.6) holds, where to begin with α 6= 0. Then the isogeny φα,αp is well-defined, and we can consider the mapping µ = ν ◦ φα,αp in End(Eα ). Formula (4.1) still holds, with b given by (4.5), and a formula for y µ can be obtained from Proposition 3.5. These formulas show that the prime divisor O divides the denominators of xµ and y µ , so the meromorphism µ is normalized. Furthermore, µ2 = (ν ◦ φα,αp ) ◦ (ν ◦ φα,αp ).

(4.7)

Now the formulas of Proposition (3.5) easily imply that φα,αp ◦ ν = (

−3 ) ◦ ν˜ ◦ φαp ,α , p

where ν˜ is the Frobenius map in Hom(Eα , Eαp ), i.e., ν˜(x, y) = (xp , y p ). Hence, (4.7) gives µ2 = (±ν ◦ ν˜) ◦ (φαp ,α ◦ φα,αp ) = ±p ◦ ±3 = ±3p in End(Eα ), by (3.9). However, the definiteness of the quaternion algebra End(Eα ) forces the minus sign in this equation, so µ2 = −3p. If α = 0, we similarly define the meromorphism µ by µ = ν ◦ φ0,0 , so that

xµ =

√ √ √ −1 x3 + 1 p −1 ( ) , yµ = (2 −3(x3 − 2)y + (9 + −3)x3 − 2 −3)p . 2 3p 3 x 18x (4.8)

Then it is easy to check that µ is a normalized meromorphism of E0 with µ2 = −3p. This proves Proposition 4.1. There exists a meromorphism µ on the supersingular curve Eα satisfying µ2 = −3p and µ{O, P1 , P2 } = O if and only if (α, αp ) is a point on the Fermat curve F er3 . This is equivalent to the condition that α3 is a root of t2 +At+B over Fp , where B ≡ −27A (mod p). When α 6= 0, the meromorphism µ = ±ν ◦ φα,αp , where φα,αp is defined in Proposition 3.5 and ν maps (z, w) in Eαp to (z p , wp ) in Eα . Case 2. Assume now that ker(µ) = {O, Q1 , Q2 }, where Q1 and Q2 are points on Eα with x-coordinate γ = −3β/(α(β − 3)), and (α, β) is a point on the Fermat curve F er3 . We pick α0 ∈ Ω so that (α0 , σ1 (β)) also lies on F er3 . Then 20

by Theorem 3.3, Eα ∼ = Eα0 , and an explicit isomorphism ι(X, Y ) = (X 0 , Y 0 ) is given by (3.17). The points Qi are mapped under this isomorphism to points Pi0 on Eα0 with P10 = (0, 0) and P20 = (0, −1). We treat the isomorphism ι as a change of coordinates in the common function field K = Ω(x, y) = Ω(x0 , y 0 ) of the curves Eα and Eα0 , where the coefficients in the automorphism ι of K, namely, ι(x) = x0 = ax + b, ι(y) = y 0 = cy + dx + e, are given by the expressions in (3.17). Then the action of the meromorphism µ (satisfying µ2 = −3p) on (x0 , y 0 ) is x0µ = axµ + b, y 0µ = cy µ + dxµ + e. In terms of the curve Eα0 we have ker(µ) = {O0 , P10 , P20 }, where O0 (corresponding to the same prime divisor of K as O) is the base point on Eα0 . Furthermore, the action of µ2 = −3p on points of Eα0 is still given by the multiplication map [−3p], since ι is an isomorphism between the two curves. Proposition 4.1 applies in this situation and we deduce that (α0 , α0p ) is a point on F er3 . However, we also have that (α0 , σ1 (β)) lies on F er3 , so α0p = ω i σ1 (β) for some i ∈ {0, 1, 2}. Hence, α0 = σ(β)p for some element σ of the group G12 , and (σ(β), σ(β)p ) lies on F er3 . Conversely, suppose that (α, β) and (σ(β), σ(β)p ) lie on F er3 . Then we set α0 = σ(β)p and use Theorem 3.3 once again to see that Eα ∼ = Eα0 . Since (α0 , α0p ) is a point on F er3 , Proposition 4.1 implies the existence of a multiplier µ on K (an endomorphism of Eα0 ) with µ2 = −3p. The isomorphism ι has coefficients in Fp2 (by Theorem 2.3 and Corollary 3.11); since the mapping ν ◦ φα0 ,α0p in Case 1 is defined over Fp2 , it follows that the endomorphism µ on Eα is defined over Fp2 as well. This proves: Theorem 4.2 Assume the curve Eα is supersingular and that (α, β) lies on the curve F er3 . Then there is a meromorphism µ on Eα satisfying µ2 = −3p if and only if there is an element σ in the group G12 for which (σ(β), σ(β)p ) also lies on F er3 . When it exists µ is defined over Fp2 . To put this criterion in other terms, note that α0p = ω i σ1 (β) implies that β = σ1 (ω 2i α0p ), hence (α, ω i σ1 (ω 2i α0p )) is a point on F er3 ; i.e. (α, σi (α0p )) is on F er3 , for one of the elements σi in the group V of (2.6). In other words, g1 (σi (α0p ), α) = 0, where g1 (x, y) = x3 y 3 − 27x3 − 27y 3 . But then gi (α0p , α) = σ ˆi (g1 (α0p , α)) = 0, where gi is one of the factors in the resultant factorization (3.5). Hence, we may state Proposition 4.2 in the alternate form:

21

Corollary 4.3. If the curve Eα is supersingular, there is a meromorphism µ on Eα satisfying µ2 = −3p if and only if either (α, αp ) lies on F er3 , or there is an α0 for which (α0 , α0p ) lies on F er3 and gi (α0p , α) = 0 for one of the factors of the resultant (3.5). For example, consider the prime p = 19. The polynomial W6 (1 − t/27) factors as W6 (1 − t/27) ≡ (t2 + 2t + 7)(t2 + 11t + 1)(t2 + 12t + 18) (mod 19).

The √ last factor satisfies the condition B ≡ −27A (mod 19),√and has the√root √ 3 = α3 over F19 13 + −1 = (8 + −1) √ √2 . Setting β = σ1 (8 + −1) = 6 + 7 −1, 3 3 the cube β = (6√ + 7 −1) √= 18 + 14 −1 is a root of the first factor. The point 19 (α, α19 ) = (8 + √−1, 8 − −1) However, √ lies on F er3 , but (β, β 3 ) does not. √ (β, γ) √ = (6 + 7 −1, 2 + 11 −1) lies on F er3 , and γ = (2 + 11 −1)3 = 4 + 17 −1 is a root of the middle factor. It can √ be checked that the orbit of γ √ under the group V is V γ = {2 + 11 −1, 2 −√11 −1}, so that no point of the form (σ(γ), σ(γ)19 ) lies on F er3 . Hence, µ = −3 · 19 injects into End(Eα ) but does not inject into End(Eβ ). On the other √ hand, since σ1 (β) = α, the point (σ1 (β), σ1 (β)19 ) does lie on F er3 , so µ = −3 · 19 injects into End(Eγ ). The j-invariants of these curve are respectively j(Eα ) = j(Eγ ) = 7 ≡ −32768 and j(Eβ ) = −1 ≡ 1728 (mod 19).

5

Binomial quadratic factors of P(p−e)/3 (x).

We are finally ready to give a proof of Theorem 1.1, for which we need the following factorization. See [m2] for the proof. Theorem 5.1. Let p be a prime > 53 and set K3p (t) = H−12p (t) or H−3p (t)H−12p (t) according as p ≡ 3 or 1 (mod 4). Then we have the congruence K3p (t) ≡ t2δ1 (t − 54000)2δ1 (t − 8000)4δ2 (t + 32768)4δ3 ×H−20 (t)4δ4 H−32 (t)4δ5 H−35 (t)4δ6

Q

i (t

where δ1 = 21 (1 − ( −3 p )), δ2 = 12 (1 − ( −8 p )), δ3 = 12 (1 − ( −11 p )), 5 δ4 = 14 (1 − ( −5 p ))(1 − ( p )),

22

2

+ ci t + di )2 (mod p),

2 δ5 = 14 (1 − ( −2 p ))(1 − ( p )), 5 δ6 = 14 (1 − ( −35 p ))(1 − ( p ));

where H−20 (t), H−32 (t) and H−35 (t) are the class equations given by H−20 (t) = t2 − 1264000t − 681472000, H−32 (t) = t2 − 52250000t + 12167000000, H−35 (t) = t2 + 117964800t − 134217728000; and the product is over all the irreducible quadratic factors t2 + ct + d of ssp (t) distinct from H−20 (t), H−32 (t) and H−35 (t) which satisfy Q3 (c, d) = −245 33 59 c + 230 33 56 c2 − 215 32 53 c3 + c4 − 234 59 · 23d −215 33 53 · 23 · 3499cd − 23 · 5 · 23 · 1163c2 d + 24 53 1093 d2 − 23 32 · 31cd2 − d3 ≡ 0 (mod p).

(5.1)

We use the same strategy that we used in proving Theorem 1.1 of [m3]. We will show that binomial quadratic factors (bqf ’s) of the Legendre polynomial P(p−e)/3 (x) over Fp are in 1-1 correspondence with the quartic factors of K3p (t) which are powers of irreducibles (mod p). We first determine which factors of W(p−e)/3 (1 − t/27) correspond to bqf ’s of P(p−e)/3 (x) (mod p). From [m3, Eq. (4.1)] or [psz, VI, problem 85] we have   1+x W(p−e)/3 (x) = (1 − x)(p−e)/3 P(p−e)/3 . 1−x Thus, an irreducible factor x2 + a of P(p−e)/3 (x) corresponds to an irreducible factor of W(p−e)/3 (x) of the form (1 + x)2 + a(1 − x)2 = (a + 1){x2 + 2

1−a x + 1}. 1+a

(5.2)

Converting from W(p−e)/3 (x) to W(p−e)/3 (1 − t/27) takes the factor (5.2) to the factor  1−

t 27

2

 +2

1−a 1+a

    t 1 108 2916 1− +1= t2 − t+ . (5.3) 27 729 a+1 a+1

23

But since 2916 = (−27)(−108), it is clear that factors of the form (5.3) are just the factors t2 + At + B of W(p−e)/3 (1 − t/27) for which B ≡ −27A (mod p), the same condition as in Proposition 4.1! Proposition 5.2. The irreducible, binomial quadratic factors of P(p−e)/3 (x) (mod p) are in 1-1 correspondence with irreducible factors t2 + At + B of W(p−e)/3 (1 − t/27) (mod p) for which B ≡ −27A (mod p). Proof of Theorem 1.1. In what follows we take p > 53 and seek quadratic factors of W(p−e)/3 (1 − t/27) (mod p) which satisfy the criterion of Proposition 5.2. We will make use of the following identity from [brm, Thm. 6]: if Jp (x) is the polynomial of equation (A.2) in Appendix A, and n = deg(Jp (x)) = (p − ep )/12, with p ≡ ep (mod p) and ep ∈ {1, 5, 7, 11}, then

W(p−e)/3 (1 − t/27) ≡ up (t)(t − 27)n Jp



t(t − 24)3 t − 27

 (mod p),

(5.4)

where up (t) = 1, −3(t − 24), t2 − 36t + 216, or − 3(t − 24)(t2 − 36t + 216)

according as ep = 1, 5, 7, or 11. This identity relates irreducible factors of the supersingular polynomial ssp (t) (see (A.1)) to factors of W(p−e)/3 (1 − t/27), whose roots t = α3 are the cubes of supersingular parameters for the curve Eα . By Proposition 4.1 and Deuring’s theory [d], all irreducible quadratic factors t2 + At + B of W(p−e)/3 (1 − t/27) which satisfy B ≡ −27A (mod p) must come from j-invariants which are roots of K3p (t) over Fp , and these j’s are therefore roots of ssp (t). From (A.1) we know that all such j’s are j = 0 or 1728, or roots of Jp (t) over Fp . We will determine the number of irreducible quadratic factors (with root α) which satisfy Proposition 4.1 corresponding to each of the irreducible factors of K3p (t) (mod p) in Theorem 5.1. Linear factors of Jp (t). First of all, if t is a factor of K3p (t), then by j=

α3 (α3 − 24)3 , α3 − 27

24

we have α = 0 or α3 = 24, which correspond to the linear factors t and t − 24 of tW(p−e)/3 (1 − t/27). Hence, j = 0 contributes no bqf ’s to the factorization of P(p−e)/3 (x). We now check when a linear factor (t + b) of Jp (t) with b 6= 0 gives rise to a bqf for P(p−e)/3 (x). This factor corresponds by (5.4) to the quartic factor of W(p−e)/3 (1 − t/27) given by  q(t, b) = (t − 27)

t(t − 24)3 +b t − 27



= t4 − 72t3 + 1728t2 + (b − 13824)t − 27b.

First consider the factor t − 54000. We have q(t, −54000) = (t − 54)(t3 − 18t2 + 756t − 27000), with t3 − 18t2 + 756t − 27000 ≡ (a2 + 45a + 756)t − 27(a2 + 18a + 1000) (mod t2 + at − 27a). The cubic factor has a factor of the form t2 + at − 27a over Fp at most for the primes which divide Resultanta (a2 +45a+756, a2 +18a+1000) = 24 ·5·17·23·29. Thus, the linear factor t − 54000 never contributes a bqf for p > 53. Now, in q(t, −8000) = (t2 − 64t + 1000)(t2 − 8t + 216) = r1 (t)r2 (t)

(5.5)

the first factor has the form t2 + at − 27a only when p = 2, 7, 13; while the second factor is identically of this form, and is irreducible (mod p) exactly when (−2/p) = −1, in other words, exactly when t − 8000 divides K3p (t) (mod p). Further, q(t, 32768) = (t2 − 8t − 512)(t2 − 64t + 1728) = r3 (t)r4 (t),

(5.6)

where the first factor is of the form t2 + at − 27a only when p = 2, 7, 13; and the second factor yields a bqf exactly when (−11/p) = −1, which is the criterion for t + 32768 to divide K3p (t) (mod p). Hence the factors (t − 8000)4 and (t + 32768)4 each contribute exactly one bqf, for p > 53, whenever they occur in the factorization of K3p (t) (mod p). Quadratic factors of Jp (t). We consider now an irreducible quadratic factor t2 + at + b of Jp (t), and the corresponding factor 25

G(t, a, b) = t8 − 144t7 + 8640t6 + (a − 276480)t5 + (4976640 − 99a)t4 +(−47775744 + 3672a)t3 + (191102976 − 60480a + b)t2 +(373248a − 54b)t + 729b of W(p−e)/3 (1 − t/27) according to (5.4). We check that each of the factors H−20 (t), H−32 (t), and H−35 (t) in Theorem 5.1 contributes 2 bqf ’s to the factorization of P(p−e)/3 (x). For H−20 (t) = t2 − 1264000t − 681472000 we have G(t, −1264000, −681472000) = (t4 − 176t3 + 7136t2 − 80896t − 85184) ×(t4 + 32t3 + 7136t2 − 432000t + 5832000) = q1 (t)q2 (t). For H−32 (t) = t2 − 52250000t + 12167000000 we have G(t, −52250000, 12167000000) = (t4 − 436t3 + 18836t2 − 214016t + 97336) ×(t4 + 292t3 + 117116t2 − 6750000t + 91125000) = q3 (t)q4 (t). For H−35 (t) = t2 + 117964800t − 134217728000 we have G(t, 117964800, −134217728000) = (t4 + 432t3 − 20224t2 + 230400t − 512000) ×(t4 − 576t3 + 277696t2 − 14155776t + 191102976) = q5 (t)q6 (t). I claim that the polynomials q2 , q4 and q6 yield 2 bqf ’s each, but that q1 , q3 and q5 do not yield any bqf ’s, for p > 53. For q2 , q4 and q6 this can be seen as follows. Using the formulas for the solution of quartic equations in [vdw, pp. 190-192] we find that a root t2i of q2i (t) is √ √ √ t2 = −8 − 44 −1 + (14 + 22 −1) 5 =

√ √ t4 = −73 + 161 −1 + (70 − 115 −1) 2 = √

√ √ √ !3 −1 + 7 −1 − 5 − −5 ; 2 √ √ √ !3 4 + 2 −1 − 5 2 − 5 −2 ; 2

 √ √ √ √ √ 3 t6 = 144 + 80 −7 + (52 + 36 −7) 5 = 3 + 2 5 + −7 ; 26

(5.7)

where we note that −1, −1 and −7 are squares in Fp in these three cases, respectively, and 5, 2, 5 are non-squares in Fp , because δ4 , δ√ are √ respectively 5 , δ6√ equal to one in Theorem 5.1. Since the coefficients of 5, 2, 5 in these expressions can be zero at most when p divides 142 + 222 = 23 · 5 · 17, 702 + 1152 = 54 · 29, 522 + 7 · 362 = 29 · 23,

it follows that the polynomials q2i (t) split into products of two irreducible quadratics over Fp : √ √ q2 (t) = (t2 + (16 + 88 −1)t − 432 − 2376 −1) √ √ ×(t2 + (16 − 88 −1)t − 432 + 2376 −1), √ √ q4 (t) = (t2 + (146 − 322 −1)t − 3942 + 8694 −1) √ √ ×(t2 + (146 + 322 −1)t − 3942 − 8694 −1), √ √ q6 (t) = (t2 − (288 + 160 −7)t + 7776 + 4320 −7) √ √ ×(t2 − (288 − 160 −7)t + 7776 − 4320 −7). All the quadratics in these factorizations satisfy the condition B = −27A of Proposition 4.1 identically, so q2 , q4 and q6 yield 2 bqf ’s each. Note that the roots of the polynomials q2i (t) are all complex. On the other hand, the roots t2i−1 of the polynomials q2i−1 (t) are all real: √ √ √ t1 = 44 + 10 3 + 14 5 + 8 15; √ √ √ t3 = 109 + 55 3 + 70 2 + 35 6; √ √ √ t5 = −108 − 28 21 + 52 5 + 12 105. It follows that q1 (t) has an irreducible quadratic factor over Fp given by √ √ t2 + At + B = t2 − (88 + 20 3)t + 296 − 240 3, if (3/p) = +1; or

√ √ t2 + At + B = t2 − (88 + 16 15)t + 1616 + 424 15, if (3/p) = −1.

27

The quadratics in these factorizations satisfy the condition B = −27A at most for primes dividing √ N (B + 27A) = N (−2080 − 780 3) = 24 · 52 · 132 · 37 or √ N (B + 27A) = N (−760 − 8 15) = 27 · 5 · 17 · 53. Hence q1 contributes no bqf ’s for p > 53. A similar argument applies to q3 , for p not dividing √ N (B + 27A) = N (−2080 − 780 3) = 24 · 52 · 132 · 37 or √ N (B + 27A) = N (−5530 − 1960 6) = 22 · 52 · 72 · 29 · 53; and to q5 , for p not dividing √ N (B + 27A) = N (5320 + 1320 21) = −28 · 53 · 7 · 37 or √ N (B + 27A) = N (2632 − 328 105) = −29 · 7 · 23 · 53. This argument shows that the three factors H−20 (t), H−32 (t), and H−35 (t) do indeed contribute exactly 2 bqf ’s each to the factorization of P(p−e)/3 (x), for all primes p > 53. We now argue that all of the other quadratic factors q(t) = t2 + at + b in the factorization of Theorem 5.1 contribute just one bqf each. We know that the roots of q(t) are the j-invariants which correspond to the 24 roots α of the polynomial G(t3 , a, b). The argument leading to Theorem 4.2 shows that there is at least one root α of this polynomial for which (α, αp ) lies on F er3 . If α has this property, so do ωα and ω 2 α, and their cubes are all roots of the same quadratic factor t2 + At + B of G(t, a, b) satisfying B ≡ −27A (mod p). Suppose there were a second quadratic factor of G(t, a, b) satisfying this condition. Then there would be another root β of G(t3 , a, b) for which (β, β p ) lies on F er3 and β 6= ω i α, ω i αp . By reversing the roles of β and β p , if necessary, we may assume that α and β correspond to the same root j of q(t). Hence, Eα ∼ = Eβ , so by Theorem 3.3 there is some γ such that (α, γ) and (β, σ(γ)) are points on F er3 . Now β 6= ω i α, so by replacing γ by a suitable ω i γ we may assume that (β, σ1 (γ)) lies on F er3 , and then we may replace α by some ω i α so that γ = αp . But then σ1 (αp ) = ω i β p , so β = ω j σ1 (α).

28

It follows that (α, αp ) and (σ1 (α), σ1 (αp )) both lie on F er3 . Setting x = α and y = αp we see that (x, y) is a comon root of the polynomials −g1 (x, y) = 27x3 + 27y 3 − x3 y 3 and h1 (x, y) = (x + 6)3 (y − 3)3 + (x − 3)3 (y + 6)3 − (x + 6)3 (y + 6)3 .

Now we compute the resultant Ry (−g1 (x, y), h1 (x, y)) = 318 (x − 3)(x2 + 2x + 12)(x2 + 4x + 6)p1 (x)p2 (x)p3 (x),

where p1 (x) = x4 + 2x3 + 26x2 + 60x + 180, p2 (x) = x4 − 8x3 + 26x2 + 60x + 450, p3 (x) = x4 − 12x3 + 28x2 + 48x + 576. One root αi of each pi (x) is given by

α1 =

√ √ √ √ √ √ 4 + 2 −1 − 5 2 − 5 −2 −1 + 7 −1 − 5 − −5 , α2 = , 2 2 √ √ α3 = 3 + 2 5 + −7.

But these are the cube roots of the roots t2i = αi3 of the polynomials q2i (t) in (5.7)! Similarly, the roots of x2 + 4x + 6 and x2 + 2x + 12 are the cube roots of the roots of the polynomials r2 (t) and r4 (t) in (5.5) and (5.6). Thus the only quadratic factors q(t) of Jp (t) which can give rise to this situation are the polynomials H−20 (t), H−32 (t), and H−35 (t) that we considered above. This proves that all other quadratic factors q(t) contribute exactly one bqf each to the factorization of P(p−e)/3 (x), for p > 53. This proves the assertion that the irreducible, binary quadratics factors of P(p−e)/3 (x) are in 1-1 correspondence with the quartic factors of K3p (t) which are powers of irreducibles, since the factors (t − 8000)4 and (t + 32768)4 contribute one bqf each and the terms HDi (t)4 contribute two bqf ’s each (Di = −20, −32, −35). It follows from Theorem 5.1 that P(p−e)/3 (x) has exactly (deg(K3p (t)) − 4δ1 )/4 = (ap h(−3p) − 4rp )/4 29

binomial quadratic factors, for p > 53. For 3 < p ≤ 53 this can be checked directly, and this completes the proof of Theorem 1.1. For example, taking p = 149 and e = 2, the polynomial P49 (x) ≡ 74x(x + 18)(x + 25)(x + 29)(x + 36)(x + 49)(x + 68) ×(x + 81)(x + 100)(x + 113)(x + 120)(x + 124)(x + 131) ×(x2 + 10)(x2 + 18)(x2 + 43)(x2 + 56)(x2 + 87)(x2 + 126) ×(x2 + 2x + 112)(x2 + 20x + 86)(x2 + 52x + 123)(x2 + 58x + 39) ×(x2 + 58x + 110)(x2 + 66x + 67)(x2 + 83x + 67)(x2 + 91x + 39) ×(x2 + 91x + 110)(x2 + 97x + 123)(x2 + 129x + 86)(x2 + 147x + 112) (mod 149) has 6 = (2 · h(−3 · 149) − 4 · 1)/4 = 24/4 binomial quadratic factors and 13 = h(−149) − 1 linear factors (mod 149). (See [brm, Thm. 1(d)].) In this case we have h(−149) = h(−447) = 14. Note that in the above we have discovered non-trivial solutions of √ argument √ √ √ F er3 √ in the fields Q( 5, −5), Q( 5, −7), which are the Hilbert class fields √ of Q( −5) and Q( −35). The roots of the quadratics x2 +4x+6 and x2 +2x+12 √ √ give solutions to F er3 in Q( −2) and Q( −11). Using Theorem 3.7 it can be shown that F er3 √ has a non-tirivial solution in the Hilbert class field of any quadratic field Q( −d) whose discriminant −d ≡ 1 (mod 3).

6

Appendix A: The supersingular polynomial and the Hasse invariant.

The following explicit formulas are taken from [m1]. Let p be a prime > 3, n = (p − ep )/12, with p ≡ ep (mod 12) and ep ∈ {1, 5, 7, 11}. Also, define r and s by r=

1 1 (1 − (−3/p)), s = (1 − (−4/p)). 2 2

Then for p > 3 the supersingular polynomial is given by ssp (t) = tr (t − 1728)s Jp (t), with 30

(A.1)

Jp (t) ≡

  n  X 2n + s 2n − 2k 2k + s

k=0

n−k

(−432)n−k (t − 1728)k (mod p).

(A.2)

Note that s = 1/2(1 − (−4/p)) = 0 or 1 according as p ≡ 1 or 3 (mod 4). For p = 2 and 3, we have ss2 (t) = t and ss3 (t) = t, by results of Deuring [d]. Theorem A.1. a) Let E : Y 2 = 4X 3 − g2 X − g3 be an elliptic curve in Weierstrass normal form with discriminant ∆ = g23 −27g32 and j-invariant j(E) = 1728g23 /∆, defined over a field k of characteristic p, where p > 3. Then the Hasse ˆ p (E) of E/k is given by the formula invariant H ˆ p (E) = (12g2 )r (−216g3 )s ∆n Jp (j(E)). H

(A.3)

b) If the curve E has the form E : Y 2 + a1 XY + a3 Y = X 3 + a2 X 2 + a4 X + a6 , over the field k (with characteristic p > 3), then ˆ p (E) = cr (−c6 )s ∆n Jp (j(E)), H 4

(A.4)

where c4 = b22 − 24b4 , c6 = −b32 + 36b2 b4 − 216b6 , b2 = a21 + 4a2 , b4 = a1 a3 + 2a4 , b6 = a23 + 4a6 , ∆ = (c34 − c26 )/123 , j = j(E) = c34 /∆, as in [hus, pp. 67-68]. Theorem A.2. Let K1 = k(x, y) be an elliptic function field, where x, y satisfy an equation E1 : y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 , with ai ∈ k. Let K2 be a subfield of K1 of finite index m = [K1 : K2 ] containing k, which is also elliptic, and assume K1 /K2 is separable. (a) The elements u = T raceK1 /K2 (x) and v = T raceK1 /K2 (y) satisfy a Weierstrass equation 31

E2 : v 2 + d1 uv + d3 v = u3 + d2 u2 + d4 u + d6 , and generate K2 over k. Furthermore, d1 = a1 and d3 = ma3 . ˆ p (E1 ) = H ˆ p (E2 ). (b) The Hasse invariants of E1 and E2 are equal: H See [m1] for the proofs.

7

References

[aig] A. Aigner, Weitere Ergebnisse u ¨ber x3 +y 3 = z 3 in quadratischen K¨orpern, Monatshefte f¨ ur Mathematik 56 (1952), 240-252. [brm] J. Brillhart and P. Morton, Class numbers of quadratic fields, Hasse invariants of elliptic curves, and the supersingular polynomial, J. Number Theory 106 (2004), 79-111. [co] David A.Cox, Primes of the Form x2 + ny 2 ; Fermat, Class Field Theory, and Complex Multiplication, John Wiley and Sons, 1989. [d] Max Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenk¨orper, Abh. Math. Sem. Hamb. 14 (1941), 197-272. [h] Helmut Hasse, Zur Theorie der abstrakten elliptischen Funktionenk¨orper, I, II, III, in J. reine angew. Math. 175(1936) 55-62, 69-88, 193-208; Papers 47-49 in Hasse’s Gesammelte Abhandlungen, vol. 2, Walter de Gruyter, Berlin, 1975, pp. 223-266. [hus] D. Husem¨ oller, Elliptic Curves, in: Graduate Texts in Mathematics, vol. 111, Springer, Berlin, 1987. [kaz] M. Kaneko, D. Zagier, Supersingular j-invariants, hypergeometric series, and Atkin’s orthogonal polynomials, AMS/IP Studies in Advanced Mathematics, vol. 7, AMS and International Press, Providence, RI, 1998, 97-126. [m1] P. Morton, Explicit identities for invariants of elliptic curves, J. of Number Theory 120 (2006), 234-271. [m2] P. Morton, Ogg’s theorem via explicit congruences for class equations, submitted. [m3] P. Morton, Legendre polynomials and complex multiplication, I, submitted. [psz] G.Polya, G. Szeg˝ o, Aufgaben und Lehrs˝ atze aus der Analysis I, II, in: Die Grundlehren der mathematischen Wissenschaften, vol. 20, Springer-Verlag, Berlin, 1964.

32

[ri] P. Ribenboim, 13 Lectures on Fermat’s Last Theorem, Springer, New York, 1979. [sha] D. Shanks, The simplest cubic fields, Math. Comp. 28 (1974), 1137-1152. [si] J.H. Silverman, The Arithmetic of Elliptic Curves, in: Graduate Texts in Mathematics, vol. 106, Springer, New York, 1986. [si2] J.H. Silverman, Advanced Topics in the Arithmetic of Elliptic Curves, in: Graduate Texts in Mathematics, vol. 151, Springer, New York, 1994. [vdw] B.L. van der Waerden, Algebra, vol. I, Frederick Ungar Publishing Co., New York, 1970. [w] H. Weber, Lehrbuch der Algebra, vol. III, Chelsea Publishing Co., New York, reprint of 1908 edition. Department of Mathematics Indiana University - Purdue University at Indianapolis (IUPUI) Indianapolis, IN 46202-3216, USA

33