DESCENT ON ELLIPTIC CURVES

DESCENT ON ELLIPTIC CURVES MICHAEL STOLL Abstract. Let E be an elliptic curve over Q (or, more generally, a number field). Then on the one hand, we hav...

0 downloads 191 Views 321KB Size
DESCENT ON ELLIPTIC CURVES MICHAEL STOLL Abstract. Let E be an elliptic curve over Q (or, more generally, a number field). Then on the one hand, we have the finitely generated abelian group E(Q), on the other hand, there is the Shafarevich-Tate group (Q, E). Descent is a general method of getting information on both of these objects — ideally complete information on the Mordell-Weil group E(Q), and usually partial information on (Q, E). What descent does is to compute (for a given n > 1) the n-Selmer group Sel(n) (Q, E); it sits in an exact sequence

X

X

X(Q, E)[n] −→ 0 and thus contains combined information on E(Q) and X(Q, E). 0 −→ E(Q)/nE(Q) −→ Sel(n) (Q, E) −→

The main problem I want to discuss in this “short course” is how to actually do this explicitly, with some emphasis on obtaining representations of the elements of the Selmer group as explicit covering spaces of E. These explicit representations are useful in two respects — they allow a search for rational points (if successful, this proves that the element is in the image of the left hand map above), and they provide the starting point for performing “higher” descents (e.g., extending a p-descent computation to a p2 -descent computation). Prerequisites: Basic knowledge of elliptic curves (e.g., Silverman’s book [Si1]), some Galois cohomology and algebraic number theory (e.g., Cassels–Fr¨ohlich [CF]).

Date: December 1, 2010. 1

2

MICHAEL STOLL

This chapter contains the notes (with little changes) I wrote for the “short course” with the same title I gave at the Institut Henri Poincar´e in the fall of 2004. The purpose of the course was to give an introduction to the topic and at the same time discuss some (then) recent results. Owing to the introductory nature of the text, we give proofs of most theorems, even though some can be found in the literature. Also, in some cases such a proof may be less elegant, but more elementary, than necessary. The results described in these notes (if not “classical”, i.e., to be found in, e.g., Silverman’s book [Si1]) were obtained in collaboration with John Cremona, Tom Fisher, Cathy O’Neil, Ed Schaefer and Denis Simon. In some respect, the present text is by now fairly obsolete, since everything that is in it can be found in [ScSt, CFOSS1, CFOSS2] (or will be found in [CFOSS3]). However, we think that these notes may still be of some use, since they give a good overview over the ideas, without going too much into technical details. If you want to know more about these, you are welcome to consult the papers mentioned above. I would like to particularly advertise Theorems 2.4 and 2.7. While it has been known for a long time that n-Selmer groups of elliptic curves can be computed in principle, these results give a rather precise statement on what is required if one really wants toy perform such a computation. As it turns out, this is usually less demanding when n is a prime number, but even so, it is rarely feasible (with current technology regarding the computational theory of algebraic number fields) to perform the computation when n ≥ 5. 1. The Selmer Group In the following, K will be a number field, and E will be an elliptic curve defined over K. E is an algebraic group over K, and so its set of rational points, E(K), forms a group, the so-called Mordell-Weil group. By the Mordell-Weil theorem, it is a finitely generated abelian group, and one of the big questions is how to determine it (in the sense of, say, giving generators as points in E(K) and relations). Descent is the main tool used for that, both in theory and in practice. Doing an n-descent on E means to compute the n-Selmer group Sel(n) (K, E), which we will introduce in this section. Note that saying that E(K) is a finitely generated abelian group amounts to asserting the existence of an exact sequence 0 −→ E(K)tors −→ E(K) −→ Zr −→ 0 with r ≥ 0 an integer and E(K)tors a finite abelian group; it consists of all elements of E(K) of finite order. Less canonical, but sometimes more convenient, we also have E(K) ∼ = E(K)tors ⊕ Zr .

DESCENT ON ELLIPTIC CURVES

3

For any concrete curve E, it is fairly straightforward to find E(K)tors , and we will not be concerned with how to do that in these lectures. The hard part is to determine the rank r. This is where descent helps. 1.1. Definition and first properties. We first set some (fairly standard) notation. If v is a place of K, we write Kv for the completion of K at v and Kvunr for the maximal unramified extension of Kv . If v is a finite place, then kv denotes the residue class field of Kv . If k is any field, k¯ denotes an algebraic closure of k. Let n > 1 be an integer. The usual definition of the n-Selmer group makes use of Galois cohomology. We follow the usual convention in writing H j (k, M ) for the Galois cohomology group H j (Gal(k), M ), where k is a field, Gal(k) is the absolute Galois group of k, and M is a Gal(k) module (with continuous action; the group cohomology also is defined in terms of continuous cocycles). ¯ Consider the short exact sequences of GK = Gal(K/K)-modules n

¯ −→ E(K) ¯ −→ E(K) ¯ −→ 0 0 −→ E[n](K) (which is usually just written n

0 −→ E[n] −→ E −→ E −→ 0 ). Then we have the long exact sequence of cohomology groups n

δ

n

0 −→ E[n](K) −→ E(K) −→ E(K) −→ H 1 (K, E[n]) −→ H 1 (K, E) −→ H 1 (K, E) . We deduce from it another short exact sequence: δ

0 −→ E(K)/nE(K) −→ H 1 (K, E[n]) −→ H 1 (K, E)[n] −→ 0 It turns out that knowing E(K) is essentially equivalent to knowing its free abelian rank r = rank E(K). (Once we know r, we can look for points until we have found r independent ones. Then we only need to find the K-rational torsion points and “saturate” the subgroup generated by the independent points. All of this can be done effectively.) Now the idea is to use the above exact sequence to at least get an upper bound on r: r can be read off from the size of the group E(K)/nE(K) on the left, and so any bound on that group will provide us with a bound on r. From the exact sequence, we see that E(K)/nE(K) sits inside H 1 (K, E[n]); however this group is infinite, and so it does not give a bound. But we can use some additional information. We know (trivially) that any Krational point on E is also a Kv -rational point, for all places v of K. Now it is possible to compute the image of the local map δ

v E(Kv )/nE(Kv ) −→ H 1 (Kv , E[n])

for any given v explicitly; and for all but a finite explicitly determinable set of places S, the image just consists of the “unramified part” of H 1 (Kv , E[n]). This

4

MICHAEL STOLL

means that in some sense, we can compute all the necessary “local” conditions and use this information in bounding the “global” group E(K)/nE(K). Formally, we define the n-Selmer group of E, Sel(n) (K, E), to be the subgroup of H 1 (K, E[n]) of elements that under all restriction maps resv are in the image of δv in the following diagram. / E(K)/nE(K)

0

0

/

Q v

/ H 1 (K, E[n])

δ

/ H 1 (K, E)[n]

II II II II II α Q II II v resv II II II $

  Q δv Q 1 v E(Kv )/nE(Kv ) / H (Kv , E[n]) v

/

Q

Q

v

/0

resv

 H (Kv , E)[n] 1

v

/0

Equivalently, Sel(n) (K, E) is the kernel of the map α. The image of Sel(n) (K, E) in H 1 (K, E)[n] is the kernel of the rightmost vertical map in the diagram. More generally, one defines the Shafarevich-Tate group of E, (K, E) to be Y ¢ ¡ H 1 (Kv , E) . (K, E) = ker H 1 (K, E) −→

X

X

v

Then we get another short exact sequence: δ

0 −→ E(K)/nE(K) −→ Sel(n) (K, E) −→

X(K, E)[n] −→ 0 .

This time, one can (and we will) prove that the middle group is finite. And at least in principle, it is computable. In this way, we can compute the product (#E(K)/nE(K))(# (K, E)[n]), and in particular, we obtain a bound on the rank r. The obstruction against this bound being sharp lies in (K, E), which is therefore also an interesting object. Of course, its size (conjectured, but not generally proved to be finite) also shows up in the famous Birch and SwinnertonDyer conjecture, and there are other reasons to study (K, E) for its own sake. We need some more notions and notation. The unramified part of H 1 (Kv , E[n]) is the kernel of the restriction map H 1 (Kv , E[n]) −→ H 1 (Kvunr , E[n]). For any finite set of places S of K containing the infinite places, we define H 1 (K, E[n]; S) to be the subgroup of H 1 (K, E[n]) of elements that map into the unramified part of H 1 (Kv , E[n]) for all places v ∈ / S. The finiteness of the Selmer group then follows from the two observations that Sel(n) (K, E) ⊂ H 1 (K, E[n]; S) for a suitable finite set S, and that H 1 (K, E[n]; S) is finite for all finite sets S of places of K. The latter is a standard fact; in the end it reduces to the two basic finiteness results of algebraic number theory: finiteness of the class group and finite generation of the unit group.

X

X

X

DESCENT ON ELLIPTIC CURVES

5

Theorem 1.1. If S is a finite set of places of K containing the infinite places, then H 1 (K, E[n]; S) is finite. Proof: This is a standard result, see for example [Se2, II.6.2] for a more general version. We give a proof tailored to the situation at hand, since it also gives some insight into the computational issues. There is a finite extension L = K(E[n]) of K (the n-division field of E) such that E[n] becomes a trivial L-Galois module. We have the inflation-restriction exact sequence 0 −→ H 1 (L/K, E[n](L)) −→ H 1 (K, E[n]) −→ H 1 (L, E[n]) , and the group on the left is finite. Taking into account the ramification conditions, we see that H 1 (K, E[n]; S) maps into H 1 (L, E[n]; SL ) with finite kernel, where SL is the set of places of L above some place of K in S. Therefore it suffices to show that H 1 (L, E[n]; SL ) is finite. Now H 1 (L, E[n]) = H 1 (L, (Z/nZ)2 ) = Hom(GL , (Z/nZ)2 ) , and the ramification condition means that the fixed field of the kernel of a homomorphism coming from H 1 (L, E[n]; SL ) is unramified outside SL . On the other hand, this fixed field is an abelian extension of exponent dividing n; it is therefore contained in the maximal abelian extension M of exponent n that is unramified outside SL . By Kummer theory√ (L contains the nth roots of unity because of the n-Weil pairing), M = L( n U ) for some subgroup U ⊂ L× /(L× )n . Enlarging SL by including the primes dividing n, the ramification condition translates into U = L(SL , n) = {α ∈ L× : n | v(α) for all v ∈ / SL }/(L× )n (the “n-Selmer group of OL,SL ”). Applying the Snake Lemma to the diagram below then provides us with the exact sequence × × 0 −→ OL,S /(OL,S )n −→ L(SL , n) −→ ClSL (L)[n] −→ 0 . L L × Since the SL -unit group OL,S is finitely generated and the SL -class group ClSL (L) L is finite, U = L(SL , n) is finite, and hence so is the extension M . We see that all the homomorphisms have to factor through the finite group Gal(M/L), whence

6

MICHAEL STOLL

H 1 (L, E[n]; SL ) is finite. 0

0 _ _ _/

0

0

 × OL,S L

n

 L×

n

 / L×

 / L× /(L× )n

/0

 / ISL

n

 / ISL

 / IS /nIS L L

/0

 ClSL (L)

n

 / ClS (L) L

 × / OL,S

L

 0

 / L(SL , n) _ _ _ _/

 0

2 Before we state the next result, we need some more notation. The definitions can be found in [Si2, Ch. IV]. Let E be the N´eron model of E over OKv . We write E(k¯v )0 for the connected component of the identity on the special fiber of E, E(Kvunr )0 for the subgroup of E(Kv unr) consisting of points mapping into E(k¯v )0 (these are the points of good reduction on a minimal Weierstrass model at v), and E(Kvunr )1 for the kernel of reduction at v (consisting of the points whose reduction is zero). There is an exact sequence 0 −→ E(K unr )0 −→ E(K unr ) −→ Φv (k¯v ) −→ 0 , v

v

where Φv is the component group of the special fiber of E. This is a finite algebraic group defined over kv . The order cv (E) = #Φv (kv ) of its subgroup of elements defined over kv is called the Tamagawa number of E at v. The following result implies that Sel(n) (K, E) is finite. Theorem 1.2. Sel(n) (K, E) ⊂ H 1 (K, E[n]; S) where S is any finite set of places of K containing the infinite places, the places dividing n and the finite places v such that gcd(cv (E), n) > 1. Proof: We have to show that for ξ ∈ Sel(n) (K, E) ⊂ H 1 (K, E[n]) and for v ∈ / S, ξ maps to zero in H 1 (Kvunr , E[n]). Consider the exact sequences 0 −→ E(K unr )0 −→ E(K unr ) −→ Φv (k¯v ) −→ 0 0 −→

v unr 1 E(Kv )

−→

v unr 0 E(Kv )

−→ E(k¯v )0 −→ 0

DESCENT ON ELLIPTIC CURVES

7

Applying the Snake Lemma to multiplication-by-n on these sequences gives exact sequences of cokernels E(Kvunr )0 /nE(Kvunr )0 −→ E(Kvunr )/nE(Kvunr ) −→ Φv (k¯v )/nΦv (k¯v ) and E(Kvunr )1 /nE(Kvunr )1 −→ E(Kvunr )0 /nE(Kvunr )0 −→ E(k¯v )0 /nE(k¯v )0 . We claim that the image of E(Kv ) in E(Kvunr ) is divisible by n. Let P ∈ E(Kv ). Then in the first sequence, the image of P in the group furthest on the right is in Φv (kv )/(Φv (kv ) ∩ nΦv (k¯v )), and this group is trivial, since cv (E) = #Φv (kv ) is prime to n. Hence the image of P comes from E(Kvunr )0 /nE(Kvunr )0 . In the second sequence, the group on the right is trivial, because the k¯v -points of a connected commutative algebraic group over kv form a divisible group. The first group is also trivial, because it is a Zp -module (with p the residue characteristic of v), and n is invertible in this ring. Hence E(Kvunr )0 /nE(Kvunr )0 = 0, and the image of P must vanish in E(Kvunr )/nE(Kvunr ). Now consider the following diagram. E(Kv )/nE(Kv ) 

E(Kvunr )/nE(Kvunr )

δv

δvunr

/ H 1 (Kv , E[n])  / H 1 (K unr , E[n]) v

We have seen that the left vertical arrow is the zero map, therefore the image of δv also maps trivially under the right vertical map. This exactly means that the elements of the Selmer group (mapping into the image of E(Kv ) in H 1 (Kv , E[n])) are unramified at v. 2 1 unr Remark: The proof shows that in general, the image of E(Kv ) in H (Kv , E[n]) is isomorphic to Φv (kv )/(Φv (kv ) ∩ nΦv (k¯v )) for all finite places v that do not divide n. In particular, the order of the image divides the Tamagawa number cv (E). 1.2. Interpretation of Selmer group elements. The definition of the Selmer group as a subgroup of H 1 (K, E[n]) is rather abstract, its elements being given by classes of 1-cocycles with values in E[n]. However, it is possible to give the Selmer group elements much more concrete interpretations. This is based on the following general fact, see [Se2, III.1]. Proposition 1.3. Let X be some algebraic or geometric object, defined over K. Then the set of twists of X, i.e., objects Y defined over K such that X and Y are ¯ up to K-isomorphism, is parameterized by H 1 (K, AutK¯ (X)). isomorphic over K, (When the automorphism group of X is abelian, this is an abelian group; otherwise, it is a pointed set with the class of X as its distinguished element.)

8

MICHAEL STOLL

Proof: This is quite standard (at least in many concrete manifestations, in particular in the cases we need; see [CFOSS1] for details). The map from the twists to H 1 (K, AutK¯ (X)) is obtained as follows. Let Y be a twist of X. Then ¯ Then ξσ = φσ φ−1 defines a there is an isomorphism φ : Y → X, defined over K. 1-cocycle with values in AutK¯ (X), and postcomposing φ by an automorphism of X changes ξ into a cohomologous cocycle. To get the map in the reverse direction, ¯ one takes the K-“points” of X and “twists” the action of GK by ξ by decreeing ¯ that the action of σ on Y (which has the same underlying set of K-“points” as X) is given by the action of σ on X, followed by ξσ−1 . This is the nontrivial direction, and one needs to check that a suitable principle of “Galois descent” holds. 2 (n) 1 Since Sel (K, E) ⊂ H (K, E[n]), this means that we can obtain interpretations of Selmer group elements via interpretations of elements of H 1 (K, E[n]) as twists. ¯ So we have to look for “objects” whose (K-)automorphism group is E[n]. Principal homogeneous spaces. Let us first look at a somewhat simpler situ∼ = ation related to H 1 (K, E). Consider “objects” of the form C _ _ _/ E , where the ¯ Two such diagrams are isomorphic if there is an isomorphism is defined over K. ∼ = isomorphism C −→ C 0 and a point P ∈ E such that the diagram C _ _ _/ E 

 · +P

  0 _ _ _/ E C

=

commutes. Then the automorphisms of the trivial object E −→ E are just the ¯ The objects are called principal translations, so the automorphism group is E(K). homogeneous spaces for E, and they are classified (up to K-isomorphisms) by the Weil-Chˆatelet group WC(K, E) = H 1 (K, E). Given a curve C as above, we can change the isomorphism to E by any translation without changing the isomorphism class of C as a principal homogeneous space. So given C, the only ambiguity in endowing it with a structure as a principal homogeneous space comes from the automorphism group of E as an elliptic curve. Generically, this is just {±1}, and so there will be at most two structures as a principal homogeneous space for E on C. (The two will coincide when either one has order dividing 2 in H 1 (K, E).) Note also that a principal homogeneous space has an algebraic group action of E ¯ then on it. If φ : C −→ E is an isomorphism (over K), C × E 3 (P, Q) 7−→ P + Q := φ−1 (φ(P ) + Q) ∈ C is defined over K, since it is unchanged when φ is post-composed with a translation on E. Also, there is a well-defined (over K) “difference morphism” C × C 3 (P, P 0 ) 7−→ P − P 0 := φ(P ) − φ(P 0 ) ∈ E

DESCENT ON ELLIPTIC CURVES

9

such that, for example, P +(P 0 −P ) = P 0 . Conversely, given morphisms C ×E −→ C and C × C −→ E satisfying the usual properties, C becomes a principal homogeneous space (in the sense above) by picking any point P0 ∈ C and considering the isomorphism C 3 P 7→ P − P0 ∈ E. So we could have defined principal homogeneous spaces also through actions of E on curves C. (In fact, this is what is usually done.) If C has a K-rational point P , then there is a K-defined isomorphism φ : C −→ E that maps P to O. We obtain a diagram C

φ

/E

φ

 E

E

showing that C is trivial as a principal homogeneous space (i.e., K-isomorphic to = E −→ E). In this context, the elements of (K, E) are represented by principal homogeneous spaces with Kv -points for every place v, or with points “everywhere locally”, up to isomorphism over K. Nontrivial elements of (K, E) are those that have points everywhere locally, but no global points, i.e., those that “fail the Hasse Principle”.

X

X

First interpretation: n-coverings. Here, our object X is the multiplicationn π by-n map E −→ E. The twists are covering maps C −→ E such that there is an ¯ such that the following diagram commutes. isomorphism C −→ E over K C

π

/E

n

/E

 

E π

Such a C −→ E is called an n-covering of E. An isomorphism between two nπ π0 coverings C −→ E and C 0 −→ E is given by an isomorphism φ : C −→ C 0 such that the following diagram commutes. C

π

/E

π0

/E

φ

 C0

n

The automorphisms of E −→ E are then given by the translations by n-torsion points (acting on the left E), so that we indeed obtain E[n] as the automorphism group. In this interpretation, the map E(K)/nE(K) −→ H 1 (K, E[n]) comes about as π follows. To a point P ∈ E(K), we associate the n-covering E −→ E such that

10

MICHAEL STOLL

π(Q) = nQ + P . It is easy to check that the isomorphism class of the covering π only depends on P mod nE(K). On the other hand, each n-covering C −→ E such that C(K) 6= ∅ is isomorphic to one of this form: there is an isomorphism between C and E defined over K (mapping a K-rational point on C to O ∈ E); ∼ π = under the composed map E −→ C −→ E, the origin O maps to some P ∈ E(K), and then the map must be Q 7→ nQ + P . Tracing through the definition of the connecting map δ shows that the map defined here coincides with δ under our interpretation. For the Selmer group elements, this means that they correspond to the n-coverings that have points everywhere locally. π

Note that the curve C in an n-covering C −→ E carries the structure of a principal ¯ homogeneous space for E: any K-isomorphism C −→ E in the definition above provides such a structure, and since these isomorphisms are all related by translations (by n-torsion points), the isomorphism class of the principal homogeneous space structure is well-defined. This gives us the map H 1 (K, E[n]) −→ H 1 (K, E) in the coverings interpretation.

Second interpretation: Maps to Pn−1 . Here is another interpretation. On E, we can consider the map to Pn−1 that is given by the complete linear system associated to n · O. Other objects are diagrams C ∼ =





 E

/S 

∼ = 

/ Pn−1

¯ Twists of Pn−1 like S are called with the dashed isomorphisms defined over K. Severi-Brauer varieties; they are classified (according to the general principle) by H 1 (K, PGLn ). Since PGLn is non-abelian, this is just a pointed set; however, applying Galois cohomology to the exact sequence 0 −→ Gm −→ GLn −→ PGLn −→ 0 , one obtains an injection H 1 (K, PGLn ) −→ H 2 (K, Gm ) = Br(K) identifying H 1 (K, PGLn ) with the n-torsion Br(K)[n] in the Brauer group of K. (See [Se1, X.5]. Note that we use H 1 (K, GLn ) = 0, which is an easy generalization of Hilbert’s Theorem 90.)

DESCENT ON ELLIPTIC CURVES

11

An isomorphism between two such diagrams is given by a pair of isomorphisms C −→ C 0 and S −→ S 0 such that the diagram [email protected]

@

/S

@

@

E

 · +P 

 ~ C0

~

~

 E >

~

|y / Pn−1

y

y

y

 

 / Pn−1 Db

D

D

D

 / S0

¯ commutes, with some choice of P ∈ E and some automorphism of Pn−1 over K. n−1 Automorphisms of E −→ P are therefore given by translations on E that fix the linear system |n · O|. Translation by P does this if and only if n · P ∈ |n · O|, i.e., iff P ∈ E[n]. So we obtain again the correct automorphism group, and we see that H 1 (K, E[n]) also classifies diagrams as above, up to isomorphism over K. The map to H 1 (K, E) comes through “forgetting” the right half of the diagram. In particular, we see that the curve C in both the coverings and the maps to Pn−1 interpretation of a given element in H 1 (K, E[n]) is the same (as a principal homogeneous space for E). So, also in our second interpretation, the elements of the Selmer group are those diagrams such that C has points everywhere locally. This implies that also the Severi-Brauer variety S has points everywhere locally. Now there is the very important local-global principle for the Brauer group: P M v invv Br(Kv ) −→ Q/Z −→ 0 0 −→ Br(K) −→ v

is exact. In particular, an element of the Brauer group of K that is locally trivial is already (globally) trivial. This implies that S has a K-rational point, and so S∼ = Pn−1 . Whence the following result. Proposition 1.4. The elements of Sel(n) (K, E) are in 1-to-1 correspondence with K-isomorphism classes of diagrams C ∼ =

 

E

/ Pn−1 

∼ =

  / Pn−1

such that C has points everywhere locally. Let us look at what this means for various small values of n.

12

MICHAEL STOLL

n = 2: On E, the map to P1 given by |2 · O| is just the x-coordinate. It is a 2-to-1 map ramified in four points (namely, E[2]). Any twist C −→ P1 will have the same geometric properties, which means that C can be realized by a model of the form y 2 = f (x) = a x4 + b x3 + c x2 + d x + e . (This is an affine model; a somewhat better way is to consider y 2 = F (x, z) = a x4 + b x3 z + c x2 z 2 + d xz 3 + e z 4 in a (1, 2, 1)-weighted projective plane.) n = 3: The map E −→ P2 given by |3 · O| is an embedding of degree 3, realizing E as a plane cubic curve. Similarly, any element of the 3-Selmer group can be realized as a plane cubic curve, with an action of E[3] on it through linear automorphisms. n = 4: Here we obtain a degree-4 embedding into P3 ; its image is given as the intersection of two quadrics. More generally, for n ≥ 4, the image in Pn−1 is given as the intersection of n(n − 3)/2 quadrics; for n ≥ 5, this is no longer a complete intersection. For n = 5, there is a nice description by sub-Pfaffians of a 5 × 5 matrix of linear forms. For general elements of H 1 (K, E[n]), we obtain another forgetful map. If we forget the left hand side of the diagram, then we obtain a map Ob : H 1 (K, E[n]) −→ H 1 (K, PGLn ) = Br(K)[n] , the “obstruction” against an embedding (or a map) into Pn−1 . Warning. This map is not a homomorphism! 1.3. What the Selmer group can be used for. The most obvious use of the Selmer group is to provide an upper bound for the Mordell-Weil rank r: we have nr =

# Sel(n) (K, E) # Sel(n) (K, E) ≤ . #(E(K)tors /nE(K)tors )# (K, E)[n] #(E(K)tors /nE(K)tors )

X

To get this, it is sufficient to just compute the order of the Selmer group. Moreover, by computing the sizes of various Selmer groups (for coprime values of n), we can compare the bounds we get, and in some cases deduce lower bounds on the order of (K, E). For example, if we get r ≤ 3 from the 2-Selmer group and r ≤ 1 from the 3-Selmer group, then we know that # (K, E)[2] ≥ 4. On the other hand, in order to show that the rank bound we get is sharp, we need to prove that all elements of the Selmer group come from K-rational points on E. This is rather easy if we find sufficiently many independent points on E. However, in many cases, some of the generators of E(K) can be rather large and will not be

X

X

DESCENT ON ELLIPTIC CURVES

13

found by a systematic search. Here, it is useful to represent the elements of the Selmer group as n-coverings C. We then have a diagram deg n

C

/ Pn−1

deg n2 π

 E

deg 2n

 / P1

deg 2 x

with a rational map of degree 2n on the right hand side. For example, when n = 2, the map P1 −→ P1 on the right hand side is given by two quartic forms (the quartic showing up in the equation of the 2-covering C and its quartic covariant). From the general theory of heights, we expect the logarithmic height of a point on C, as given by its image in Pn−1 , to be smaller by a factor of about 1/2n than that of the x-coordinate of its image on E. This will make these points much easier to find on C (in Pn−1 ) than on E. If we find a K-rational point on C, we know that the corresponding element of the n-Selmer group is in the image of δ, and we can improve the lower bound on the rank. Note that in practice, to really be fairly certain that the points on C are as small as expected, it is necessary to have a “small” model of C, i.e., given by equations with small coefficients. In case we do not find a K-rational point on C, we can use the curve C as the basis for “higher descents”; in this way we may be able to prove that C does not have any K-rational points, or find points on curves that cover C. The program for the following will therefore be to first show how one can compute the p-Selmer group for a prime number p (the most important case). Then we will discuss how to obtain from this computation actual covering curves. But first, we will introduce another interpretation of the elements of H 1 (K, E[n]). Third interpretation: Theta groups. In the second interpretation, on the morphism E −→ Pn−1 there is an action of E[n]; in particular, E[n] acts on Pn−1 by automorphisms. Thus we obtain a homomorphism χE : E[n] −→ PGLn . We can then define ΘE by the following diagram. This works on the level of group ¯ schemes or on the level of groups (of K-points). For details see [CFOSS1]. 0

0

/ Gm / Gm

α

/ ΘE  / GLn

β

/ E[n]

/0

χE

 / PGLn

/0

Proposition 1.5. In the above, for any θ, θ0 ∈ ΘE , we have ¡ ¢ −1 [θ, θ0 ] = θθ0 θ−1 θ0 = α en (β(θ), β(θ0 ) , where en : E[n] × E[n] −→ µn ,→ Gm is the n-Weil pairing.

14

MICHAEL STOLL

Proof: Let T, T 0 ∈ E[n]. We have to show that for any two lifts θ, θ0 ∈ GLn of χE (T ) and χE (T 0 ), we have [θ, θ0 ] = en (T, T 0 ) In (where In is the n × n identity matrix). For this, note that Pn−1 can be identified with P(L(n · O)∗ ). For every T ∈ E[n], × ¯ choose fT ∈ K(E) such that div(fT ) = n · T − n · O. Then the action of T ∗ on P(L(n · O) ) is induced by ¡ ¢ L(n · O) 3 f 7−→ P 7→ fT (P )f (P − T ) ∈ L(n · O) . Note that a choice of θ lifting χE (T ) corresponds to a choice of fT . Now the action of the commutator [θ, θ0 ] is given on L(n · O) by ¡ ¢ fT (P ) fT 0 (P − T ) f 7−→ P 7→ f (P ) . fT (P − T 0 ) fT 0 (P ) The factor in front of f (P ) is constant (where defined) as can be checked by verifying that its divisor is zero, and is equal to en (T, T 0 ), see for example Exercise 3.16 in [Si1]. 2 The proof shows that ΘE can be represented as the set × ¯ {(T, fT ) : T ∈ E[n], fT ∈ K(E) , div(fT ) = n · T − n · O} with the group structure given by (T, fT )(T 0 , fT 0 ) = (T + T 0 , P 7→ fT (P )fT 0 (P − T )) ; also α(λ) = (O, λ) and β(T, fT ) = T . More generally, we define a theta group of level n for E to be an exact sequence (of K-group schemes) β

α

0 −→ Gm −→ Θ −→ E[n] −→ 0 such that for θ, θ0 ∈ Θ, we have again ¡ ¢ [θ, θ0 ] = α en (β(θ), β(θ0 ) . (Note that this implies that Θ is a central extension of E[n] by Gm .) An isomorphism of two such diagrams is given by a GK -isomorphism φ : Θ −→ Θ0 making the following diagram commutative. / Gm /Θ / E[n] /0 0 φ

0

/ Gm

 / Θ0

/ E[n]

/0

Working out what the automorphisms (in the sense of isomorphisms of theta groups) of ΘE are, we find that they are of the form (T, fT ) 7−→ (T, ϕ(T )fT ) for a homomorphism ϕ : E[n] −→ Gm . Such a ϕ necessarily takes values in µn , and

DESCENT ON ELLIPTIC CURVES

15

by the non-degeneracy of the Weil pairing en , there is some T 0 ∈ E[n] such that ϕ(T ) = en (T 0 , T ). We see that the automorphism group is again E[n]. Furthermore, we have the following result. ¯ (i.e., Proposition 1.6. All theta groups of level n for E are isomorphic over K as abstract group extensions). Proof: Short proof: On the level of abstract groups, theta groups are classified ¯ × ). There is a canonical map by H 2 ((Z/nZ)2 , K ¯ × ) −→ H 2 ((Z/nZ)2 , K

^2

¯ ×) Hom((Z/nZ)2 , K

¯ × is divisible by n, this map is an isomorphism induced by the commutator. Since K by a result from group cohomology. Since theta groups are represented on the left as the elements that map to the Weil paring en in the right hand group, there is only one such extension, up to isomorphism. Sketch of long, but down-to-earth proof: choosing any set-theoretic section E[n] −→ Θ mapping O to the neutral element, the underlying set of Θ can be identified ¯ × × E[n]. The group structure is then given by a map with K ¯× f : E[n] × E[n] −→ K such that (λ, T )(λ0 , T 0 ) = (λλ0 f (T, T 0 ), T + T 0 ) . From the group axioms, we find that f has to satisfy f (O, T ) = f (T, O) = 1 ,

f (T, T 0 )f (T + T 0 , T 00 ) = f (T, T 0 + T 00 )f (T 0 , T 00 ) .

(I.e., f is a normalized 2-cocycle.) We also have that f (T, T 0 ) = en (T, T 0 )f (T 0 , T ) . If we have two theta groups Θ1 and Θ2 , with multiplication given by f1 and f2 , then setting f (T, T 0 ) = f1 (T, T 0 )/f2 (T, T 0 ), f satisfies the cocycle condition, and ¯ ×. it is symmetric: f (T, T 0 ) = f (T 0 , T ). We now construct a map ϕ : E[n] −→ K 0 Set ϕ(O) = 1. Pick a basis T, T for E[n]. Set ¡ ¢−1/n ϕ(T ) = f (T, T )f (T, 2T ) . . . f (T, (n − 1)T ) ¡ ¢−1/n ϕ(T 0 ) = f (T 0 , T 0 )f (T 0 , 2T 0 ) . . . f (T 0 , (n − 1)T 0 ) ¯ × is divisible by n). Then with any choice of the nth roots (here we need that K we continue by defining ϕ(mT ) = f (T, T )f (T, 2T ) . . . f (T, (m − 1)T ) ϕ(T )m ϕ(mT 0 ) = f (T 0 , T 0 )f (T 0 , 2T 0 ) . . . f (T 0 , (m − 1)T 0 ) ϕ(T 0 )m ϕ(mT + m0 T 0 ) = f (mT, m0 T 0 ) ϕ(mT )ϕ(m0 T 0 )

16

MICHAEL STOLL

Now we have by an easy induction using the cocycle relation that f (aT, bT ) =

ϕ(aT 0 + bT 0 ) ϕ(aT 0 )ϕ(bT 0 ) ϕ(aT + bT 0 ) 0 . and f (aT, bT ) = ϕ(aT )ϕ(bT 0 ) ϕ(aT + bT ) , ϕ(aT )ϕ(bT )

f (aT 0 , bT 0 ) =

Since we can express f (aT + bT 0 , cT + dT 0 ) in terms of values like the above, we get that ϕ(P + Q) f (P, Q) = ϕ(P )ϕ(Q) for all P, Q ∈ E[n]. Then Θ2 3 (λ, P ) 7−→ (ϕ(P )λ, P ) ∈ Θ1 is an isomorphism. 2 1 We deduce that H (K, E[n]) parameterizes theta groups of level n for E, up to K-isomorphism. These theta groups are not geometric objects like our n-covering curves, but they are quite useful. If C −→ Pn−1 in our second interpretation represents an element of Sel(n) (K, E), then we can easily find the corresponding theta group ΘC . Namely, E[n] acts by automorphisms on this diagram and thus gives us a homomorphism χC : E[n] −→ PGLn . As before, we can then define ΘC to be the pull-back of the image of χC under the canonical map GLn −→ PGLn : 0

0

/ Gm

/ ΘC

/ E[n]

/ Gm

 / GLn

 / PGLn

/0

χC

/0

For more general diagrams C −→ S, GLn and PGLn have to be replaced by their twists corresponding to Ob(C → S) = S; in this way, we obtain ΘC as a subgroup of A× S , where AS is the central simple algebra corresponding to S. (See below.) 2. Computation of the Selmer Group as an Abstract Group The interpretations given so far are not very well suited for actually computing the n-Selmer group. (For n = 2, this is not quite true: John Cremona’s mwrank program actually enumerates 2-coverings in order to find the 2-Selmer group.) So we will need some other representation of the Selmer group that is more algebraic in nature and yields itself more easily to computation. The main results of this section are Theorems 2.4 and 2.7.

DESCENT ON ELLIPTIC CURVES

17

Before we go into this, let me remark that the various Selmer groups are related. From the diagram 0

/ E[m]

0

 / E[mn]

0

 / E[n]

/E

m

/E

/0

mn

 /E

/0

n

/E

/0

n

/E

m

m

 /E

we can deduce an exact sequence E(K)[n] −→ Sel(m) (K, E) −→ Sel(mn) (K, E) mE(K)[mn] (K, E)[n] −→ Sel(n) (K, E) −→ −→ 0 . m (K, E)[mn]

0 −→

X X

Here the map Sel(m) −→ Sel(mn) is induced by the inclusion E[m] ,→ E[mn], and the map Sel(mn) −→ Sel(n) is induced by multiplication by m E[mn] −→ E[n]. In particular, the composition Sel(n) −→ Sel(mn) −→ Sel(n) (the first map coming from the diagram where the roles of m and n are exchanged) is multiplication by m on Sel(n) . Together with the exact sequence above, this implies that Sel(mn) (K, E) ∼ = Sel(m) (K, E) × Sel(n) (K, E) whenever m and n are coprime. Therefore it is sufficient to compute Sel(n) (K, E) when n = pf is a prime power. 2 The first step in this is to consider the case n = p. The computation of Sel(p ) (K, E) (and for higher powers of p) then is most easily done by computing the fibers of 2 the canonical map Sel(p ) (K, E) −→ Sel(p) (K, E) one by one. (This procedure is sometimes referred to as “second” or “higher descent”.) Fourth interpretation: via ´ etale algebras. The goal of the interpretation I will explain now is to ease computation of the Selmer group. So we will consider an algebraic realization of H 1 (K, E[n]) and not a geometric one. In what follows, one of the main characters of the play will be the ´etale algebra R of E[n]. This is just the affine coordinate algebra of the 0-dimensional scheme E[n]. More concretely, we have ¯ GK , R = Map(E[n], K)

so that

E[n] = Spec R .

18

MICHAEL STOLL

¯ Note The elements of R are the GK -equivariant maps on E[n] with values in K. that the action of σ ∈ GK is ¡ ¢ −1 f 7−→ f σ : T 7→ f (T σ )σ . For example, any rational function on E defined over K and not having poles in E[n] will give an element of R. Since E[n] is an ´etale K-scheme, R is an ´etale algebra: it is isomorphic to a product of (finite) field extensions of K, one for each GK -orbit on E[n]. If T is a point in one such orbit, then the corresponding field extension is K(T ) (i.e., K with the coordinates of the n-torsion point T adjoined). For example, we always have a splitting R = K × R1 , where the K corresponds to the singleton orbit {O}, and R1 corresponds to E[n] \ {O}. ¯ = R ⊗K K ¯ = Map(E[n], K). ¯ We will also use R As an algebra, this is just 2 E[n] ∼ ¯ n ¯ K = K , but the action of GK is “twisted” by its action on E[n], permuting the factors. ¯ × is the multiplicative group of maps from E[n] into K ¯ × , and In this context, R R× is the subgroup of GK -equivariant such maps. For example, every T ∈ E[n] gives a map ¯× , e(T ) : E[n] 3 S 7→ en (T, S) ∈ µn ⊂ K and so we obtain an injective (because en is non-degenerate) homomorphism ¯× . e : E[n] −→ R The idea now is to extend this to (the beginning of) a resolution of E[n] as a KGalois module, in order to get some more or less concrete realization of H 1 (K, E[n]). In general, if RA and RB are the coordinate rings of two affine K-schemes A and B, then RA ⊗K RB is the coordinate ring of A × B. So R ⊗K R is the algebra of ¯ and R ¯ ⊗K¯ R ¯ = (R ⊗K R) ⊗K K ¯ is GK -equivariant maps from E[n] × E[n] into K, the algebra of all such maps. Now observe that all e(T ), for T ∈ E[n], are not only maps, but homomorphisms ¯ × . I.e., α = e(T ) satisfies the relations α(T1 + T2 ) = α(T1 )α(T2 ). By E[n] −→ K the non-degeneracy of the Weil pairing, we also know that the e(T ) are all the homomorphisms. This implies that, if we define ³ α(T1 )α(T2 ) ´ × ¯ ¯ ⊗K¯ R) ¯ ×, ∂ : R 3 α 7−→ (T1 , T2 ) 7→ ∈ (R α(T1 + T2 ) then e ∂ ¯ × −→ ¯ ⊗K¯ R) ¯ × 0 −→ E[n] −→ R (R

will be exact. In order to use that to realize H 1 (K, E[n]), we need to know what the image of the map ∂ is. One obvious property of all ∂α is that they are symmetric:

DESCENT ON ELLIPTIC CURVES

19

∂α(T1 , T2 ) = ∂α(T2 , T1 ). But there are more conditions they satisfy. Let us define ³ ´ ¯ K¯ R) ¯ × 3 ρ 7−→ (T1 , T2 , T3 ) 7→ ρ(T1 , T2 )ρ(T1 + T2 , T3 ) ∈ (R⊗ ¯ K¯ R⊗ ¯ K¯ R) ¯ ×. ∂ : (R⊗ ρ(T1 , T2 + T3 )ρ(T2 , T3 ) ¯ to be the subalgebra of Then we have the following result. We define Sym2K¯ (R) ¯ ¯ R ⊗K¯ R consisting of symmetric maps (and similarly Sym2K (R) for R and K). Proposition 2.1. The following is an exact sequence. ¢ ∂ e ∂ ¡ ¯ × −→ ¯ × −→ ¯ ⊗K¯ R ¯ ⊗K¯ R) ¯ × 0 −→ E[n] −→ R Sym2K¯ (R) (R ¡ ¢ ¯ × . It is immediately Proof: We only have to show exactness at Sym2K¯ (R) ¡ ¢ ¯ × . On the other hand, if ρ ∈ Sym2¯ (R) ¯ × such checked that ∂∂α = 1 for α ∈ R K ¯ × , ρ is a symmetric 2-cocycle, and we have that ∂ρ = 1, then as a map E[n]2 −→ K seen in our discussion of theta groups that each such 2-cocycle is a coboundary, ¯×. 2 which translates into ρ = ∂α for some α ∈ R Corollary 2.2. There is an isomorphism ¡ ¢ ker ∂ | Sym2K (R)× ∼ = −→ H 1 (K, E[n]) . H= ∂R× It is defined as follows. Take ρ ∈ Sym2K (R)× such that ∂ρ = 1. Then there is ¯ × such that ∂γ = ρ. Now the Galois 1-cocycle σ 7→ γ σ /γ takes values some γ ∈ R in the kernel of ∂, so we can write γ σ /γ = e(Tσ ), where σ 7→ Tσ is a 1-cocycle with values in E[n] representing the image of ρ in H 1 (K, E[n]). Proof: From the proposition, we get the short exact sequence ¡ ¢ e ∂ ¯ × −→ ¯ × −→ 0 . 0 −→ E[n] −→ R ker ∂ | (Sym2K¯ (R)) Apply the long exact cohomology sequence to get ¡ ¢ δ ∂ ¯×) = 0 . R× −→ ker ∂ | Sym2K (R)× −→ H 1 (K, E[n]) −→ H 1 (K, R (The latter equality is an easy generalization of Hilbert’s Theorem 90.) The description of the isomorphism follows the definition of the connecting map δ above. 2 2 2 1 × Therefore, we can represent H (K, E[n]) as a subquotient of SymK (R) /(SymK (R)× )n . Putting in the condition that the elements are unramified outside the set S of places of K described in Thm. 1.2, we see that Sel(n) (K, E) is contained in a subquotient of the “n-Selmer group” of the S-integers of Sym2K (R), √ {ρ ∈ Sym2K (R)× : Sym2K (R)( n ρ) unramified outside S} 2 . SymK (R)(S, n) = (Sym2K (R)× )n

20

MICHAEL STOLL

This is a finite group that is effectively computable. However, this computation requires the knowledge of the class and unit groups of the number fields occurring as factors of Sym2K (R). If n = p is an odd prime, we have a splitting Y Sym2K (R) ∼ Lj × L , =K× j

where K corresponds to {(O, O)}, Lj corresponds to the set {(T, jT ) : O 6= T ∈ E[p]} (where j runs through a set of representatives of F× p modulo identifying inverses), and L corresponds to the set of unordered bases of E[p]. The cardinality of this set, and therefore the degree of L, is (p − 1)2 p(p + 1)/2. Generically, L is a number field of that relative degree over K, and so even for p = 3, this is outside the range of practical applicability of current methods in computational algebraic number theory. So we will need a better, smaller representation. But let us first see how one could use our current representation at least in principle to actually compute the Selmer group. For this, note that the result of Thm. 1.2 can be extended to show that the Selmer group can be obtained by a finite computation: Sel(n) (K, E) = {ξ ∈ H 1 (K, E[n]; S) : ∀v ∈ S : resv (ξ) ∈ δv (E(Kv )/nE(Kv ))} (For this, one needs to show that the image of E(Kv )/nE(Kv ) in H 1 (Kv , E[n]) is exactly the unramified part, for all v ∈ / S.) In order to turn this into an algorithm, we first need to find the image HS of H 1 (K, E[n]; S) in H. This is obtained through the computation of Sym2K (R)(S, n) and then passing to the relevant subquotient. (For this, we need to find R(S, n) and compute its image under ∂.) Then we need to have explicit representations of the maps resv and δv , for all v ∈ S. For the restriction maps, we just observe that the result of Cor. 2.2 works over any field K and is functorial. Applying this observation to the field extension K ⊂ Kv , we get ¡ ¢ ker ∂ | (Sym2K (R) ⊗K Kv )× resv : H −→ Hv = ; ∂(R ⊗K Kv )× this is induced by the canonical map Sym2K (R) −→ Sym2K (R) ⊗K Kv . Note also that Hv is a finite group. To get a nice representation of δv (or δ), we remind ourselves of the usual definition of the Weil pairing. Let T ∈ E[n] be an n-torsion point. Then there is a rational function GT ∈ K(T )(E)× such that X X div(GT ) = n∗ (T ) − n∗ (O) = P− Q. P :nP =T

Q:nQ=O

This divisor is stable under translations by elements of E[n], therefore we have that GT (P + S) = c(S)GT (P ) for some constant c(S) independent of P , when S ∈ E[n]. This constant is en (S, T ). We can choose these functions GT in such a way that G : T 7→ GT is Galois-equivariant. Then we can interpret G as an

DESCENT ON ELLIPTIC CURVES

21

element of R(E)× (where R(E) = K(E) ⊗K R; its elements are GK -equivariant ¯ maps from E[n] into K(E)), and we have G(P + T ) = e(T )G(P ) for P ∈ E \ E[n2 ] and T ∈ E[n]. Now consider the following diagram. / E[n]

0

/E 

/ E[n]

0

/E

n



e



 

G

/R ¯×



/0

r

 ¡ ¢ ¯ × / ker ∂ | Sym2¯ (R) K

/0

The map r is defined as shown: to find r(P ), take some Q ∈ E such that nQ = P , then r(P ) = ∂G(Q). This is well defined, since another choice Q0 in place of Q will differ from Q by addition of an n-torsion point T , so ∂G(Q0 ) = ∂G(Q + T ) = ∂(e(T )G(Q)) = ∂G(Q) , since ∂e(T ) = 1. This also shows that r is defined over K, so r ∈ Sym2K (R)(E)× . × ¯ To find out what function rT1 ,T2 ∈ K(E) is, let us determine its divisor. By definition, GT1 (Q)GT2 (Q) rT1 ,T2 (nQ) = , GT1 +T2 (Q) so ¡ ¢ n∗ div(rT1 ,T2 ) = n∗ (T1 ) + n∗ (T2 ) − n∗ (T1 + T2 ) − n∗ (O) . So rT1 ,T2 has simple zeros at T1 and T2 and simple poles at T1 + T2 and O: it is the function witnessing that T1 + T2 is the sum of T1 and T2 . So, up to normalizing constants, with respect to a Weierstraß model of E, rT1 ,T2 is the equation of the line joining T1 and T2 divided by the equation of the (vertical) line joining T1 + T2 and O. For suitable normalization of the GT , we can take quite concretely the following. Here, the line joining two points T1 and T2 , such that T1 , T2 , T1 +T2 6= O (the tangent line at T of E, when T1 = T2 = T ) is supposed to have equation y = λT1 ,T2 x + mT1 ,T2 . Take

    

1

if T1 = O or T2 = O;

x − x(T1 ) if T1 + T2 = O, T1 6= O;  y − λT1 ,T2 x − mT1 ,T2   if T1 , T2 , T1 + T2 6= O.  x − x(T1 + T2 ) Now, chasing through the definitions of the connecting homomorphisms rT1 ,T2 =

∼ =

δ

E(K) −→ H 1 (K, E[n]) and H −→ H 1 (K, E[n]) , we easily find the following. δ

Proposition 2.3. The composition E(K) −→ H 1 (K, E[n]) −→ H is induced by r : E(K) \ E[n] −→ Sym2K (R)× .

22

MICHAEL STOLL

The “missing” values on E(K)[n] can be obtained by a suitable rescaling and limiting process. This result is again valid for all fields K and functorial in K, so we can use it to compute the local maps δv : E(Kv )/nE(Kv ) ,→ Hv . Since we can easily compute the size of the group on the left hand side — say, n = p is a prime, then   if v is finite and v - p; 0 dimFp E(Kv )/pE(Kv ) = dimFp E(Kv )[p] + [Kv : Qp ] if v | p;  −[K : R] if v is infinite — v we can just pick random points in E(Kv ) until their images in Hv generate a subspace of the correct size. Having found all the “local images” Jv = δv (E(Kv )/pE(Kv )) ⊂ Hv ,

for v ∈ S,

the determination of the Selmer group as a subgroup of HS is reduced to linear algebra over Fp . Mutatis mutandis, this will also work for arbitrary n. Let us summarize the discussion. Theorem 2.4. There is an effective procedure for computing the n-Selmer group of an elliptic curve over a number field K. It requires class group and unit group computations in extensions of K of the form K({T1 , T2 }), where {T1 , T2 } is an unordered pair of n-torsion points of E. As mentioned above, as it stands, this result is rather theoretical, since the number fields that occur are too large for practical computations. However, we can improve the situation. Restricting to n-torsion subgroups in the basic exact sequence ¡ ¢ e ∂ ¯ × −→ ¯ × −→ 0 , 0 −→ E[n] −→ R ker ∂ | (Sym2K¯ (R)) we obtain e ∂ ¯ −→ ¯ −→ 0 . 0 −→ E[n] −→ µn (R) ∂µn (R)

This gives us ¡

¢ ¯ GK ∂µn (R) ¯ ∼ 0 −→ −→ H 1 (K, E[n]) −→ H 1 (K, µn (R)) = R× /(R× )n . ∂µn (R) ¯ × ) = 0. The isomorphism comes in the usual way from the fact that H 1 (K, R Now we have the following nice fact (see [DSS, ScSt]). ¢ ¡ ¯ GK = ∂µp (R). Proposition 2.5. If n = p is a prime, then ∂µp (R) For the proof, one basically checks all possibilities for the image of GK in Aut(E[p]) ∼ = GL2 (Fp ), the most interesting case being when the image is a p-Sylow subgroup. Remark: The result is not true in general for composite n. For example, taking n = 4, there are 20 conjugacy classes (out of 62) of subgroups of GL2 (Z/4Z) such

DESCENT ON ELLIPTIC CURVES

23

that the kernel above has order 2 or even 4. To give a very concrete example, consider the elliptic curve y 2 = x3 + x + 2/13 over Q; then the index of ∂µ4 (R) ¯ is 2. (Here the subgroup is the one problematic in the GQ -invariants of ∂µ4 (R) one of index 2. It occurs generically when the discriminant of the cubic is minus a square.) In any case, we have a homomorphism ∼ =

H −→ H 1 (K, E[n]) −→ R× /(R× )n . ¯ it is obtained By the definition of the Kummer map R× /(R× )n −→ H 1 (K, µn (R)), 2 × as follows. Take ρ ∈ SymK (R) representing an element of H, so ∂ρ = 1. Then ¯ × such that ∂γ = ρ. Now γ σ /γ ∈ ker ∂ ⊂ µn (R) ¯ for all σ ∈ GK , there is γ ∈ R n × × hence γ ∈ R . If we change ρ into ρ · ∂α with α ∈ R , then γ n changes into γ n αn , and we get a well-defined map H −→ R× /(R× )n . A somewhat more explicit description is to say that the map is induced by Sym2K (R)×

n−1 Y ¡ ¢ 3 ρ 7−→ T 7→ ρ(T, jT ) ∈ R× . j=0

So when n = p is a prime number, then we can use the image of H in R× /(R× )p instead of H itself. The advantage of this is obvious: the field extensions of K occurring in R are usually much smaller than the ones in Sym2K (R). Generically, R = K × R1 , with R1 a field extension of K of degree p2 − 1. For K = Q and p = 3, this leads to octic number fields, where computations are feasible. ˜ of H in R× /(R× )p , To make this approach work, we need to know the image H δ ˜ and we need to realize the map E[p] −→ H 1 (K, E[p]) −→ H. ˜ given α ∈ R× , if The first question is answered by looking at the map H → H: 2 ˜ then α = γ p such that ∂γ ∈ Sym (R). This means that α(R× )p ∈ H, K 2 × × p ˜ = {α ∈ R : ∂α ∈ (SymK (R) ) } , H (R× )p

˜ S , the image of HS , as a subgroup of R(S, p). (There is and we can compute H ˜ that for p > 3 uses smaller fields, and it only requires another description of H checking for pth powers in fields of degree at most p2 − 1; compare [ScSt].) ˜ we find ρ representing Note also that given α ∈ R× representing√an element of H, p ˜ the the corresponding element of H as ρ = ∂α. By the characterization of H, ∼ ˜ root exists, and since H = H, it does not matter which root we take if there is a choice (as long as it is symmetric and a cocycle, i.e., ∂ρ = 1); they will all represent the same element of H.

24

MICHAEL STOLL

For the realization of δ, consider the following diagram. 0

/ E[p]

0

 / µp (R) ¯

/E

p

 

e



 

G

 /R ¯×

/E

p



/0

F

 /R ¯×

/0

Here, F ∈ R(E)× is the function such that FT (pQ) = GT (Q)p for T ∈ E[p]. We find that the divisor of FT is p · T − p · O, and if F (pQ) = G(Q)p with G ∈ R(E)× , then F induces a well-defined map F : E(K) \ E[p] −→ R× /(R× )p , independent of the particular choice of F . Tracing through the definitions shows: δ

Proposition 2.6. The composition E(K) −→ H 1 (K, E[p]) −→ R× /(R× )p is given by F on E(K) \ E[p]. Again, this is functorial in K, and so we can use it for the local maps δv . The algorithm for computing Sel(p) (K, E) then works as before, but now working within R instead of Sym2K (R). Theorem 2.7. Let p be a prime number. There is an algorithm that computes Sel(p) (K, E), which is efficient modulo computation of class and unit groups in the number fields K(T ), where T runs through points of order p on E. 3. Constructing geometric representations of Selmer group elements Our goal in the following will be to find explicitly the n-coverings corresponding to given elements of the n-Selmer group. We assume that we have realized the Selmer group as a subgroup of ¡ ¢ ker ∂ | Sym2K (R)× H= . ∂R× In practice, n = p, and we will have computed the p-Selmer group as a subgroup √ ˜ ⊂ R× /(R× )p , but we can easily transfer this to H, by the map α 7→ p ∂α on of H representatives. We first need to explain the connection between our third and fourth interpretations of elements of H 1 (K, E[n]) in some detail. By the general theory of central group extensions, theta groups are classified by the GK -equivariant symmetric 2¯ × ), modulo the coboundaries of GK -equivariant 1-cochains. cocycles in Z 2 (E[n], K The correspondence is as follows. First note that for every theta group α

0 −→ Gm −→ Θ −→ E[n] −→ 0 , ¯ −→ Θ(K) ¯ (equivalently, a morthere is a K-defined set-theoretic section E[n](K) phism E[n] → Θ of K-schemes that is a section to Θ → E[n]). To see this,

DESCENT ON ELLIPTIC CURVES

25

¯ −→ Θ(K); ¯ then for any σ ∈ GK , sσ /s gives a map pick any section s : E[n](K) × ¯ −→ K ¯ , which (as a function of σ) is a cocycle, hence can be interE[n](K) ¯ × ). Now H 1 (K, R ¯ × ) = 0, so there is some map preted as an element of Z 1 (K, R × σ σ ¯ −→ K ¯ such that s (T )t (T ) = s(T )t(T ); replacing s by st therefore t : E[n](K) yields a K-defined section. ¯ 2 −→ K ¯ × by Given such a section s, we obtain a K-defined 2-cocycle φ : E[n](K) −1 −1 setting φ(T1 , T2 ) = α (s(T1 )s(T2 )s(T1 + T2 ) ). Changing the section s amounts to a change of φ by the coboundary of a K-defined 1-cochain. The commutator condition translates into φ(T1 , T2 ) = en (T1 , T2 )φ(T2 , T1 ). ¯ −→ ΘE (K) ¯ ⊂ GLn (K), ¯ then we Now if we fix a K-defined section χ˜E : E[n](K) obtain a 2-cocycle ε in the way described for a general theta group. Then the “difference” φ/ε will be a symmetric 2-cocycle, since the commutator condition cancels. If n is odd, then there is a specific way of choosing a lift χ˜E such that ε becomes a power of the Weil pairing en ; in fact, ε = ekn such that 2k ≡ 1 mod n. Given a symmetric 2-cocycle ρ, we get from ΘE to Θρ by “twisting” the multiplication in ΘE by ρ. Writing (T, λ) for the element λχ˜E (T ), the multiplication in ΘE is (T1 , λ1 )(T2 , λ2 ) = (T1 + T2 , λ1 λ2 ε(T1 , T2 )) , whereas the multiplication in Θρ will be (T1 , λ1 )(T2 , λ2 ) = (T1 + T2 , λ1 λ2 ρ(T1 , T2 )ε(T1 , T2 )) . Now, our definition of the maps ∂ was exactly such that they correspond to the coboundary maps in the standard cochain complex ∂ ∂ ¯ × ) −→ ¯ × ) −→ ¯ ×) . C 1 (E[n], K C 2 (E[n], K C 3 (E[n], K

Therefore, the elements of H represent exactly the K-defined symmetric 2-cocycles modulo the coboundaries of K-defined 1-cochains. Tracing through the definitions, we see that the theta group Θρ corresponds to the same element of H 1 (K, E[n]) as the image of ρ in H. Recall the obstruction map Ob : H 1 (K, E[n]) −→ H 1 (K, PGLn ) ∼ = H 2 (K, µn ) = Br(K)[n] . In our second interpretation, it was given by mapping C −→ S to the element of H 1 (K, PGLn ) corresponding to the twist S of Pn−1 . From this it is obvious that Ob = χE,∗ is the map induced by χE : E[n] −→ PGLn on cohomology. (χE was defined in Section 1.3 in the course of discussing the “third interpretation” of the Selmer group elements.) Now H 1 (K, PGLn ) also classifies K-isomorphism classes of central simple algebras of dimension n2 over K; these are twists of the matrix algebra Matn (K). Therefore, one possible way of representing the obstruction explicitly is through the

26

MICHAEL STOLL

construction of the corresponding central simple algebra. Given a theta group Θ, we obtain this in a very simple way: observe that the set A¯Θ of all linear combinations of elements of Θ (where we use the scalar multiplication coming from the ¯ theta group structure) is in a natural way a K-algebra of dimension n2 carrying an action of GK (we simply extend the multiplication we have on Θ linearly). We let AΘ denote the K-algebra of GK -invariant elements. For ΘE , we obtain in this ¯ with its usual GK -action; this is because ΘE natway the matrix algebra Matn (K) ¯ urally sits inside GLn and spans the matrix algebra. The K-isomorphism between ¯ ¯ ¯ ΘE and Θ extends to a K-isomorphism between Matn (K) and AΘ , showing that AΘ is indeed a central simple K-algebra. It is then obvious that AΘ corresponds to Ob(Θ). As an aside, note that there is a completely natural and coordinate-free K-defined isomorphism ∼ =

hΘE i −→ End(L(n · O)) given by identifying ΘE with the set of pairs (T, fT ) as before and using their action on L(n · O). How do we realize the central simple algebra Ob(ξ) in terms of ρ ∈ Sym2K (R)× representing ξ ∈ H 1 (K, E[n])? Note that once we fix a section s : E[n] −→ Θ, the ¯ and elements of AΘ = hΘiGK are identified with K-equivariant maps E[n] −→ K therefore can be viewed as elements of R. The map is X z(T )s(T ) 7−→ (z : T 7→ z(T )) ∈ R . AΘ 3 T

Therefore, we can use R as the underlying K-vector space, and we only have to define a new multiplication. Let us do it first with ΘE . From the definitions, we get that the multiplication on A = AΘE must be defined by X ¡ ¢ z1 ∗ε z2 = T 7→ ε(T1 , T2 )z1 (T1 )z2 (T2 ) . T1 +T2 =T

In general, for Aρ = AΘρ , we define the multiplication as X ¡ ¢ z1 ∗ερ z2 = T 7→ ε(T1 , T2 )ρ(T1 , T2 )z1 (T1 )z2 (T2 ) . T1 +T2 =T

¯ × . Then in the realizations given above, Proposition 3.1. Let ρ = ∂γ with γ ∈ R ¯ a K-isomorphism between Aρ and A is given by φγ : A¯ρ 3 z 7−→ γ z ∈ A¯ , ¯ where the multiplication is that of R(!).

DESCENT ON ELLIPTIC CURVES

27

Proof: We compute X

¡ φγ (z1 ∗ερ z2 ) = T 7→ γ(T )

¢ ε(T1 , T2 )ρ(T1 , T2 )z1 (T1 )z2 (T2 )

T1 +T2 =T

¡ = T 7→

X

¢ ε(T1 , T2 )γ(T1 )z1 (T1 )γ(T2 )z2 (T2 )

T1 +T2 =T

= φγ (z1 ) ∗ε φγ (z2 ) . 2 Remark: One can view A and Aρ as twisted versions of the group algebra of E[n]. ¯ is R, ¯ with convolution as multiplication: The group algebra (over K) X ¡ ¢ z1 ∗ z2 = T 7→ z1 (T1 )z2 (T2 ) . T1 +T2 =T

We can also consider the GK -invariant subalgebra (R, ∗). Now it turns out that (R, ∗) is actually isomorphic to (R, ·) (i.e., with point-wise multiplication). This isomorphism is given by “Fourier transform” in the following way. Define ³ ´ 1 X ¯ ¯. R 3 α 7−→ α ˆ : T 7→ 2 en (T, S)α(S) ∈ R n S c =α ˆˆ = α/n2 . Furthermore, ˆ· is Then one can easily check that αβ ˆ ∗ βˆ and that α ∼ = defined over K, so it gives an isomorphism (R, ·) −→ (R, ∗). We get A = (R, ∗ε ) by twisting convolution in such a way that commutators on the image of E[n] evaluate to the Weil pairing. Now suppose that ρ represents an element ξ in the n-Selmer group. Then we ∼ = know that the obstruction vanishes, hence there is an isomorphism ι : Aρ −→ Matn (K). Given such an isomorphism, we can write the cocycle representing Ob(ξ) ∈ H 1 (K, PGLn ) explicitly as a coboundary. In the diagram below, we ¯ of Matn , which must be conjugation by some obtain an automorphism (over K) ¯ matrix M ∈ GLn (K). ι / Matn A¯ρ φγ

M

  ∼ = / ¯ Mat A n We can find M (which is well-defined up to a multiplicative constant) from the automorphism by linear algebra. Proposition 3.2. We have that for all σ ∈ GK , P(M σ M −1 ) = χE (ξσ ) . Here P(X) denotes the image of X ∈ GLn in PGLn .

28

MICHAEL STOLL

Proof: The map labeled M in the diagram above is X 7→ M XM −1 . Applying σ to the diagram, we see that on the one hand, by the bottom isomorphism, X X γσ γσ z 7−→ z(T ) (T )χ˜E (T ) = z(T )en (ξσ , T )χ˜E (T ) . γ γ T T (Recall that in our fourth interpretation, e(ξσ ) = γ σ /γ, where ∂γ = ρ.) On the other hand, we need to have that X γσ z 7−→ z(T )M σ M −1 χ˜E (T )M M −σ . γ T Comparing these expressions shows that M σ M −1 χ˜E (T ) = en (ξσ , T )χ˜E (T )M σ M −1 for all T ∈ E[n]. If we write M σ M −1 = X χ˜E (ξσ ), then we find that X commutes with all χ˜E (T ) and therefore with all of Matn . Therefore X must be a scalar matrix, and P(M σ M −1 ) = P(χ˜E (ξσ )) = χE (ξσ ) . 2 From this, we can draw the following useful conclusion. Corollary 3.3. With the notations above, the second interpretation of an element ξ ∈ Sel(n) (K, E) can be realized in the form / Pn−1

C



 

 E



|n·O|

 M

/ Pn−1

Note that for n ≥ 3, the horizontal arrows are embeddings, and so the map on the left is given by restriction of the map on the right. Proof: We note that by the previous proposition, the cocycle associated to the diagram is exactly ξ. 2 In practical terms, this means that we make the linear change of variables corresponding to M > (acting on the right) in the equations of E ⊂ Pn−1 to obtain equations for C. However, recall that in order to find M , we need to actually have an isomorphism between Aρ and Matn (K). To find such an isomorphism explicitly is a nontrivial problem, even though we already know that such an isomorphism exists. When n = 2, this turns out to be equivalent to finding a K-rational point on a conic, knowing that it has points everywhere locally. The problem of “trivializing the algebra” that comes up here can be viewed as a generalization of this very classical problem.

DESCENT ON ELLIPTIC CURVES

29

At least in theory, the problem can be reduced to solving a norm equation (over K or some extension of K). In practice, however, the data defining the algebra structure on Aρ can be very large (they come in the end from elements of R(S, n) and often will involve units of the number fields occurring in R), making this approach impractical. On the other hand, at least when working over Q, we have a method that seems to work very well in practice (at least when n = 3, which is the only case where the first step, the computation of the Selmer group as a group, can be carried out successfully), although we have so far not proved that it really always works. The idea is to first find a maximal order in Aρ , which we know is isomorphic to Matn (Z). Then we apply a certain reduction procedure with the goal of reducing the structure constants in size until they are small enough to read off an isomorphism. Even though it is not immediately relevant to what we are doing in these lectures, I would like to mention the following. Proposition 3.4. (1) The obstruction map is even: Ob(−ξ) = Ob(ξ). (2) The Weil pairing cup-product pairing ∪e : H 1 (K, E[n]) × H 1 (K, E[n]) −→ H 2 (K, µn ) can be expressed in terms of the obstruction map: ξ ∪e η = Ob(ξ + η) − Ob(ξ) − Ob(η) . In particular, Ob is a quadratic map: Ob(mξ) = m2 Ob(ξ) ,

Ob(ξ + η) + Ob(ξ − η) = 2 Ob(ξ) + 2 Ob(η) .

Proof: (1) We get the diagram corresponding to −ξ from the diagram corresponding to ξ by composing it with inversion on E: /S C 





 / Pn−1





 E −1

 E

 / Pn−1

In particular, the Brauer-Severi variety for −ξ is the same (namely S) as the one for ξ. (2) This is a straight-forward, if somewhat tedious, verification using cocycles. 2 Remark: There is another way of obtaining the model of C in Pn−1 (which is the one actually currently used in my 3-descent program). It roughly works as follows.

30

MICHAEL STOLL φ

Instead of mapping E −→ Pn−1 , we can also map to the dual curve, i.e., we send P ∈ E to the point in (Pn−1 )∨ corresponding to the osculating hyperplane at φ(P ) (for n = 3, this is just the tangent line, for n = 2, it is φ(P ) ∈ (P1 )∨ = P1 itself). We can combine φ and this morphism φ∨ : E −→ (Pn−1 )∨ into a single 2 morphism and then follow it by the Segre embedding, where we can identify Pn −1 with P(Matn ) and the embedding with multiplication of column vectors by row vectors. The image of Segre is therefore the set of rank-1 matrices. (φ,φ∨ )

Segre

2 −1

E −→ Pn−1 × (Pn−1 )∨ −→ Pn

= P(Matn )

The image of E in P(Matn ) will also be contained in the hyperplane of trace-zero matrices; this corresponds to the fact that φ(P ) is on the hyperplane φ∨ (P ). Now there is a commutative diagram E

(φ,φ∨ )

/ Pn−1 × (Pn−1 )∨

Segre

/ P(Matn ) O χ ˜E

G

 ¯ _ _ _ _ _ _ _ ·t_ _ _ _ _ _ _ _/ P(R) ¯ P(R) where t ∈ R is a certain element satisfying t(O) = 0, t(T ) 6= 0 for all T 6= O. For example, when n = 3 and χ˜E is chosen so as to make ε = e23 , then t(T ) = 1/y(T ) (w.r.t. a Weierstraß model of E). ¯ Twisting by the cocycle represented by ρ = ∂γ, we obtain a model C1 of C in P(R) −1 as γ · G(E). This can be computed explicitly in terms of ρ only: applying ∂, we have z ∈ C1 ⇐⇒ γz ∈ G(E) ⇐⇒ ρ∂z ∈ r(E) , and the latter leads to quadratic equations in z, from which r(E) can be eliminated. Then t · C1 will be contained in the rank-1, trace-0 locus of P(A¯ρ ) (identifying ι underlying vector spaces). If we have an isomorphism Aρ −→ Matn (K), then we obtain C by projecting ι(t · C1 ) ⊂ P(Matn ) to any nonzero column. 4. Minimization and Reduction I would like to come back to the diagram P1 o

x

Eo

π

C

|D|



∼ =

∼ =

Eo



n

 E

/S

|n·O|

ι ∼ =

/ Pn−1

 / Pn−1

From this diagram, one can read off that π ∗ (O) ∼ nD as divisors on C. Now there is a theory of heights on varieties. For a very ample divisor D, one defines |D|

h

hD : C −→ PN −→ R≥0

DESCENT ON ELLIPTIC CURVES

31

via the logarithmic height on PN . This is well-defined up to bounded functions. The main facts are that this induces a homomorphism {divisors on C} −→

{functions C → R≥0 } {bounded functions} φ

and that it is compatible with dominant morphisms C 0 −→ C in the sense that hφ∗ D = hD ◦ φ + O(1) for divisors D on C. So if Q ∈ C(K) and P = π(Q) ∈ E(K), we get that 1 1 hπ∗ O (Q) + O(1) = hO (P ) + O(1) n n 1 1 h2O (P ) + O(1) = h(x(P )) + O(1) . = 2n 2n So up to something bounded, going from E to C divides logarithmic heights by 2n. Now, to really make use of this, one needs the “O(1)” to be fairly small. How large the error is depends mainly on the size of the coefficients in the equations describing C (and E) — the smaller they are, the better. So we would like to choose coordinates on Pn−1 in such a way that C is described by small equations. There are two ways in which the equations can be large. The first is that the model is not minimal, i.e., it has unnecessary prime powers in its discriminant. So in a first step, one will try to remove these and obtain a minimal model. This step, called “minimization”, has been worked out in theory and practice for n = 2, 3, 4 and is being worked on for n = 5. Then, assuming now that the model is minimal, we still can make coordinate changes by SLn (Z). So we would like to find such a coordinate change that makes the coefficients of our equations small. This step, called “reduction”, has been worked out (for this special case at least) in theory for all n, and is implemented for n = 2, 3, 4. For details, see [CFS]. hD (Q) =

There is an implementation in MAGMA (in its current form mostly due to Tom Fisher and Steve Donnelly) that computes the 3-Selmer group Sel(3) (Q, E) (inside R× /(R× )3 ) of an elliptic curve E over Q. It then transfers the elements into H, finds the structure constants for the central simple algebras associated to them, computes an isomorphism with Mat3 (Q), finds the equations for the model in P8 and then projects the model into P2 ; finally this is minimized and reduced. This program works quite well in practice for curves of moderate size and produces a list of curves corresponding to (Sel(3) (Q, E)\{0})/{±1}. (Note that elements that are negatives of each other give rise to the same curve, which has two different structures as a principal homogeneous space for E.)

32

MICHAEL STOLL

References [CF] [CFOSS1] [CFOSS2] [CFOSS3] [CFS]

[DSS] [ScSt] [Se1] [Se2] [Si1] [Si2]

¨ hlich: Algebraic number theory, Academic Press, 1993. J.W.S. Cassels, A. Fro J.E. Cremona, T.A. Fisher, C. O’Neil, D. Simon, M. Stoll: Explicit ndescent on elliptic curves. I. Algebra, J. reine angew. Math. 615, 121–155 (2008). J.E. Cremona, T.A. Fisher, C. O’Neil, D. Simon, M. Stoll: Explicit ndescent on elliptic curves. II. Geometry, J. reine angew. Math. 632, 63–84 (2009). J.E. Cremona, T.A. Fisher, C. O’Neil, D. Simon, M. Stoll: Explicit ndescent on elliptic curves. III. Algorithms, in preparation. J.E. Cremona, T.A. Fisher, M. Stoll: Minimisation and reduction of 2-, 3and 4-coverings of elliptic curves, Algebra & Number Theory 4, No. 6, 763–820 (2010). Z. Djabri, E.F. Schaefer, N. Smart: Computing the p-Selmer group of an elliptic curve, Trans. Amer. Math. Soc. 352, 5583–5597 (2000). E.F. Schaefer, M. Stoll: How to do a p-descent on an elliptic curve, Trans. Amer. Math. Soc. 356, 1209–1231 (2004). J.-P. Serre: Local fields, Springer GTM 67, Springer-Verlag, New York Berlin Heidelberg, 2nd corrected printing, 1995. J.-P. Serre: Galois cohomology, Springer-Verlag, Berlin Heidelberg, 1997. J.H. Silverman: The arithmetic of elliptic curves, Springer GTM 106, SpringerVerlag, Berlin Heidelberg New York Tokyo, 1986. J.H. Silverman: Advanced topics in the arithmetic of elliptic curves, Springer GTM 151, Springer-Verlag Berlin Heidelberg New York, 1994.

¨ t Bayreuth, 95440 Bayreuth, Germany. Mathematisches Institut, Universita E-mail address: [email protected]