Lattices from elliptic curves over finite fields

# Lattices from elliptic curves over finite fields

Lenny Fukshansky  and  Hiren Maharaj Department of Mathematics, 850 Columbia Avenue, Claremont McKenna College, Claremont, CA 91711 8543 Hillside Road, Rancho Cucamonga, CA 91701
###### Abstract.

In their well known book  Tsfasman and Vladut introduced a construction of a family of function field lattices from algebraic curves over finite fields, which have asymptotically good packing density in high dimensions. In this paper we study geometric properties of lattices from this construction applied to elliptic curves. In particular, we determine the generating sets, conditions for well-roundedness and a formula for the number of minimal vectors. We also prove a bound on the covering radii of these lattices, which improves on the standard inequalities.

###### Key words and phrases:
function fields, elliptic curves, well-rounded lattices
###### 2010 Mathematics Subject Classification:
Primary: 11H06, 11G20
The first author was partially supported by NSA Young Investigator Grant #1210223 and Simons Foundation grants #208969, 279155.

## 1. Introduction

Let be a lattice of rank , and let be the -dimensional subspace of  spanned by . The minimum distance of is

 d(L)=min{∥x∥:x∈L},

where is the usual Euclidean norm in . The lattice (sphere) packing in  associated to  is the arrangement of balls of radius  centered at points of , and the density of such packing is the proportion of  taken up by this arrangement, i.e.

 (1) Δ(L)=ωkd(L)k2kdetL,

where is the volume of a -dimensional unit ball. Given a -dimensional subspace of , the lattice packing problem in  is to find a lattice  such that and is maximal among all lattice packing densities in . It is easy to see that the lattice packing density problem in  is equivalent to this problem in , where we denote the maximal lattice packing density achieved by . The values of  are currently only known for dimensions   and   with explicit constructions of lattices achieving these densities. More generally, the famous Minkowski-Hlawka theorem states that in every dimension  there exists a lattice whose packing density is , where stands for the Riemann zeta-function. Unfortunately, the known proofs of Minkowski-Hlawka theorem are non-constructive, and for arbitrary dimensions constructions of lattices satisfying this bound are not known. On the other hand, the mere existence of this bound motivated various constructions of asymptotic families of lattices, one in every dimension, whose packing density comes as close as possible to Minkowski-Hlawka. One such family, which produces particularly nice results as  are the so-called function field lattices, constructed by Tsfasman and Vladut (see , pp. 578–583).

We use notation of . The construction of function field lattices given in  is as follows. Let be an algebraic function field (of a single variable) with the finite field as its full field of constants. Let be the set of rational places of . Corresponding to each place , let denote the corresponding normalized discrete valuation and let be the set of all nonzero functions whose divisor has support contained in the set . Then is an abelian group, for each , and we let

 degf=∑vi(f)>0vi(f)=12n−1∑i=0|vi(f)|.

Define the homomorphism (here , the number of rational places of ) by

 ϕP(f)=(v0(f),v1(f),…,vn−1(f)).

Then is a finite-index sublattice of the root lattice

 An−1={x∈Zn:n−1∑i=0xi=0}

with minimum distance

 (2) d(LP)≥min{√2degf:f∈O∗P∖Fq},

and

 (3) detLP≤√nhF≤√n(1+q+n−q−1g)g,

where is the genus of and is the divisor class number of , that is, the size of the group of divisor classes of of degree 0, denoted by . Here, as in , we can identify with the set of all divisors with support in and with all such divisors of degree . We will often make use of this identification when working with lattice vectors by working with the corresponding divisors instead.

Equation (1) above indicates that to maximize the packing density one should take a lattice with the quotient of minimum distance to the determinant as large as possible. In the Tsfasman-Vladut construction above, this can be achieved when the quotient is relatively large, as indicated in . In particular, Tsfasman and Vladut consider families of curves for which the packing density of the corresponding lattices is asymptotically good as  grows. On the other hand, it is well known (see, for instance ) that lattices in  with particularly high packing density are usually well-rounded, i.e., their sets of minimal nonzero vectors (with respect to Euclidean norm) contain linearly independent ones. This observation prompted us to ask the following natural question.

###### Question 1.1.

For which algebraic function fields is the corresponding lattice well-rounded?

The main goal of this note is to provide the following partial answer to this question.

###### Theorem 1.2.

Let be an algebraic function field over with and . Then the corresponding lattice is generated by its minimal vectors, and hence well-rounded.

We also investigate a variety of geometric properties of the lattice when has genus 1, i.e., when the underlying curve is elliptic, in particular establishing formulas for the minimum distance (Lemma 3.1) and the number of minimal vectors (Theorem 3.2) of , and conclude with a non-trivial bound on the covering radii of such lattices (Theorem 3.4). In Section 2 we set the notation and prove several preliminary lemmas on elliptic curves and corresponding function fields, in particular obtaining an explicit description for a generating set of the lattice  in the case of elliptic curves (Theorem 2.3). We then prove our main results in Section 3. We are now ready to proceed.

## 2. Notation and preliminary results

In this section we establish some necessary preliminaries on elliptic curves. An elliptic curve is a pair , where is a curve of genus 1 and . In this paper, the elliptic curves are always defined over a finite field . It can be shown [5, Proposition 6.1.2] that if then , where and is square-free of degree three, and if then , where either (here has degree ) or with and .

Let denote the set of places of of degree 1. There is a unique common pole of and which we denote by . This place has degree 1 and so belongs to . Define the map

 Φ:P→Cl0(E)

by . This map [5, Proposition 6.1.7] is a bijection and induces an (abelian) group structure on : . The place is the identity element of this group. It follows that if and are rational places, then is a principal divisor if and only if . Thus the Riemann-Roch space has positive dimension if and only if .

We need to distinguish between the operations of the group of divisors and the elliptic curve group law; and we also need to distinguish between places and their corresponding points on the elliptic curve. We do so as follows. Each place of corresponds to a unique point on the elliptic curve defined by any one of the above given equations. We denote the corresponding point in bold font . Thus the sum is a divisor of the function field while the sum is really another point on according to the elliptic curve group law. Henceforth we assume that where and are related by any one of the defining equations above for an elliptic curve.

Suppose the degree 1 places of are where is the unique common pole of and . In accordance with the notation introduced above, denotes the set of places . For a place , we denote by the place of corresponding to the additive inverse of (so ). Note that .

We define to be the line through and if both , that is for some and the points lie on this line. Note that if () then is the tangent line to at the point . If () then . If or then we define .

If and and then it is well known that has three points of intersection with the elliptic curve and thus

 (m(P,Q))=P+Q+R′−3Q∞.

Here it is possible that , in which case . If , then

 m(P,Q)=x−x(P)=x−x(Q)

and

 (m(P,Q))=P+P′−2Q∞.

Thus, if and , it follows that

 (m(P,Q)x−x(R))=P+Q−R−Q∞.

Suppose that . Then we define the following function:

One easily checks in all three cases the divisor of is

 (F(P,Q))=−P−Q+R+Q∞.

We repeatedly use the result that if is a divisor and a function in an algebraic function field, then .

###### Proposition 2.1.

Let be rational places of . Then for a rational place of , if and only if , in which case

 L(P+Q−R−Q∞)=spanK(F(P,Q)).
###### Proof.

The forward implication is obvious. For the reverse implication, let be a rational place of and suppose that

 L(P+Q−R−Q∞)≠0.

We need to show that . First suppose that , then

 1F(P,Q)L(P+Q−R−Q∞)=L(S−R),

where is the additive inverse of the third point of intersection of the line with the elliptic curve  (it may happen that ). Since has positive dimension, it follows that and so that

 L(P+Q−R−Q∞)=spanK(F(P,Q)).

If , then and is nontrivial by assumption and it follows that so and .

Likewise, the reverse implication is true if . ∎

###### Theorem 2.2.

For an integer , if and only if

 L(nP−nQ∞)=spanK{F(P,P)F(P,2P)…F(P,(n−1)P)}.
###### Proof.

For this result is trivial so we assume that . For , we put . Observe that for , , and so

 L(P+Pk−1−Pk−Q∞)=spanK{F(P,Pk−1)}.

We will use this fact repeatedly. Suppose that . Then , whence

 L(P+Pn−1−2Q∞)=spanK{F(P,Pn−1)}.

Since for , the following identities are true:

 L(P+Pn−2−Pn−1−Q∞) = spanK{F(P,Pn−2)} L(P+Pn−3−Pn−2−Q∞) = spanK{F(P,Pn−3)} ⋮ L(P+P−P2−Q∞) = spanK{F(P,P)}.

Notice that if and then . Combining this observation with the above identities, we obtain

 (4) L(nP−nQ∞)=spanK{F(P,P)F(P,P2)…F(P,Pn−1)}.

On the other hand, assume that (4) holds. Since the divisor of

 F(P,P)F(P,P2)…F(P,Pn−2)

is

 (−P−P+P2+Q∞)+(−P−P2+P3+Q∞) +…+(−P−Pn−2+Pn−1+Q∞) =−(n−1)P+Pn−1+(n−2)Q∞,

we have that

 1F(P,P)F(P,P2)…F(P,Pn−2)L(nP−nQ∞)=L(P+Pn−1−2Q∞)

is nontrivial. By Proposition 2.1 it follows that , that is, , as required. ∎

###### Theorem 2.3.

Let

 D:=rQ∞+n−1∑i=1aiPi

be a divisor of degree . Then is principal if and only if

 n−1∑i=1aiPi=Q∞.

If is principal, then , where is the product of functions of the form with . The group is generated by the functions where . Consequently, the lattice is generated by vectors of the form where .

###### Proof.

We can assume without loss of generality that for . Indeed, for a place and integer , let

 Tk(P):=F(P,P)F(P,2P)…F(P,(k−1)P).

Suppose that and let be the order of the point . By Theorem 2.2, the divisor of is . Therefore

where

 D′:=(r−ℓkj)Q∞+n−1∑i=1,i≠jaiPi+(aj+ℓkj)Pj

and for sufficiently large . Moreover, is a principal divisor if and only if is a principal divisor and

 n−1∑i=1,i≠jaiPi+(aj+ℓkj)Pj=n−1∑i=1aiPi.

Now write

 D=rQ∞+Q1+Q2+…+Qt,

where repetitions among the ’s are allowed and . Put

 Si:=Qt−i+Qt−i+1+…+Qt,  Ti:=Qt−i+Qt−i+1+…+Qt.

In accordance with the notation above, is the place corresponding to the point . Put

 f:=F(Qt−1,Qt)F(Qt−2,T1)F(Qt−3,T2)…F(Q1,Tt−2).

We claim that

 1fL(D)=L(−Q∞+Tt−1).

This follows from the fact that the divisor of the function is

 (Qt−1+Qt−T1−Q∞)+(Qt−2+T1−T2−Q∞) + (Qt−3+T2−T3−Q∞)+…+(Q1+Tt−2−Tt−1−Q∞) = Qt+Qt−1+...+Q1−Tt−1−(t−1)Q∞,

and

 D−(1/f)=−Q∞+Tt−1.

The result now follows, since the divisor is principal if and only if , that is, . Furthermore, is principal if and only if , that is, .

The remaining statement of the theorem now follows quickly. Note that each function has its support in , that is . Further observe that the set is the union of all where runs over all principal divisors with support in . From the above, we see that is the span of products of functions of the form where . This completes the proof. ∎

## 3. Lattices from elliptic curves

We are now ready to prove our main results. We first establish an explicit value for the minimum distance of the lattice  in case of elliptic curves.

###### Lemma 3.1.

Suppose that . Then the minimum distance of is and the minimal vectors of are of the form where are distinct and . If then the minimum distance of is and the minimal vectors are of the form , and where .

###### Proof.

Since a divisor is principal if and only if , it follows that for any . First assume that . Then there are two distinct points , both not equal to , such that . Hence where . The divisor of the function is , so . On the other hand, (2) guarantees that . Thus .

Now consider a minimal vector of . Then must be of the form where are distinct rational places. Note also that is a principal divisor. Suppose that . Then is a principal divisor and so is . From Proposition 2.1 we see that . Thus the minimal vectors of are of the form where are distinct and .

Next assume that . Then where . The following are vectors of : , , , . Thus if is a lattice vector, then so is where and and . One easily checks that the only possibilities for the minimum vectors are , and , so . ∎

Next we prove a formula for the number of minimal vectors in .

###### Theorem 3.2.

Assume that and let denote the number of 2-torsion points of . Then the number of minimal vectors in is

 (5) nϵ⋅(n−ϵ)(n−ϵ−2)4+(n−nϵ)⋅n(n−2)4.
###### Proof.

Define the homomorphism by . Then the kernel of is the set of 2-torsion points of and the image of has points.

Fix a point of . First we count the number of solutions to the equation where are distinct points of . Observe that if and only if .

If there are solutions to . Thus there are possible points such that , and so there are pairs such that and . Hence the number of pairs , disjoint from , such that , is . In total, there are possible minimal vectors such that . The size of the image of is so the total number of possible minimal vectors such that with is

If there are no solutions to . Then similar reasoning as above shows that there are minimal vectors with . Thus by the above argument and Lemma 3.1, the number of minimal vectors of is given by (5). ∎

We are now ready to prove our main result, which is just a restatement of Theorem 1.2.

###### Theorem 3.3.

Suppose that has at least 5 points. Then the lattice is generated by its minimal vectors. In particular, this means that it is well-rounded.

Proof: We know from Theorem 2.3 that the lattice is generated by nonzero vectors of the form where . It suffices to show that each such vector can be written in terms of minimal vectors. Suppose that is not a minimal vector, that is, suppose that are not all distinct. Notice that, since is a nonzero principal divisor, it cannot happen that or equals . Similarly, it also cannot happen that or . Thus one of the following must be true: or .

Suppose that . Then and . Since has at least five points, we can choose a rational place such that is not any of or . Put and observe that

 −2P+R+Q∞=(−P−U+S+Q∞)−(P+S−R−U)

We claim that and are minimal vectors.

By choice . Also otherwise . Further, otherwise . Finally, otherwise whence , which is not true. Thus is a minimal vector.

Observe that so is a lattice vector. We already know that are distinct. We must show that none of equals (we pointed out above that ). If then , which is not possible. If then , which is not possible. Thus is a minimal vector.

We have shown that if , then is the difference of two minimal vectors.

Next assume that , so and . Since contains at least 5 rational places, we can choose a rational point different from the points . Put and note that otherwise . Also is a lattice point and so that is also a lattice point. Now

 v=P+Q−2Q∞=(Q+U−S−Q∞)+(P+S−U−Q∞)

is the sum of two lattice points. We claim that and are minimal vectors.

First we show that is a minimal vector. We must show that the places are distinct. By our choice . We already pointed out that . It is not possible for , for otherwise whence , that is thus contradicting our choice of . Finally, , otherwise . Thus is a minimal vector.

Next we show that is a minimal vector. From the argument above we know that are distinct. Since , we also know that and . If then , which is not possible by the choice of . Thus is a minimal vector.

We have shown that is the sum of two minimal vectors, which completes the proof of the theorem.

Finally, we provide an estimate on the covering radius of . Recall that the covering radius (also called the inhomogeneous minimum) of a lattice  is defined as

 μ(L)=inf{r∈R>0:BV(r)+L=V},

where and is the closed ball of radius centered at the origin in . In addition to an estimate on , our next theorem can also be interpreted as a result about the closest vector problem on such lattices.

###### Theorem 3.4.

The covering radius of  satisfies the inequality

 (6) μ(LP)≤12(√n2+4n+8+√n).

In other words, if and , then there exists a lattice point in within distance from . Furthermore, if then there is a lattice point in within distance from .

###### Proof.

Suppose that is a point in , so . Let where is the nearest integer to (note that if is a half integer, then is just the floor of ). Now equals a point for some , .

First suppose that . Put . Then by Theorem 2.3, the vector is a lattice point and the distance between and is

 (7) ||v−w2|| ≤ ||v−w1||+||w1−w2|| ≤ √n/4+√(A0−a0)2+1 = √n/4+√(a0+a1+…+an−1−1)2+1 = √n/2+√S2−2S+2,

where . Now

 |S| = |a0+a1+⋯+an−1|=|(a0−r0)+....+(an−1−rn−1)| ≤ |a0−r0|+...|an−1−rn−1|≤n/2.

Thus

 ||v−w2||≤√n/2+√n2/4+2(n/2)+2=12(√n+√n2+4n+8),

as required.

If , put and . Then

 ||v−w2||≤||v−w1||+||w1−w2||≤√n/4+√(A0−a0)2=√n/2+|S|≤√n/2+n/2,

by the argument above. This is still less than the claimed bound (6).

The remaining assertion of the theorem easily follows from the above argument: if then and , so from (7) we obtain that , as claimed. ∎

###### Remark 3.5.

Suppose that , then  is well-rounded by Theorem 3.3, and by Lemma 3.1. In this case, the standard bounds on covering radius of a lattice (see ) guarantee that

 μ(LP)≤n−1,

which is weaker than our bound (6) when is sufficiently large (this would imply that is also large, since by Hasse’s theorem).

## 4. Acknowledgement

The authors would like to thank Dr Min Sha for his indepth reading, corrections and comments on the previous version of the manuscript. He also pointed out that Theorem 3.3 is still true if the elliptic curve has fewer than 5 points.

## References

•  H. Cohn and A. Kumar. Optimality and uniqueness of the Leech lattice among lattices. Ann. of Math. (2), 170(3):1003–1050, 2009.
•  J. H. Conway and N. J. A. Sloane. Sphere Packings, Lattices, and Groups. Springer-Verlag, 3rd edition, 1999.
•  P. M. Gruber and C. G. Lekkerkerker. Geometry of numbers. North-Holland Publishing Co., 2nd edition, 1987.
•  J. Martinet. Perfect Lattices in Euclidean Spaces. Springer-Verlag, 2003.
•  H. Stichtenoth. Algebraic Function Fields and Codes. Springer, Berlin, 2nd edition, 2009.
•  M. A. Tsfasman and S. G. Vladut. Algebraic-Geometric Codes. Kluwer Academic Publishers, 1991.
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters   