Decomposed Richelot isogenies of
Jacobian varieties of hyperelliptic curves
and generalized Howe curves

Toshiyuki Katsura
The University of Tokyo, [email protected] Katsuyuki Takashima
Waseda University, [email protected]

Abstract

We advance previous studies on decomposed Richelot isogenies (Katsura–Takashima (ANTS 2020) and Katsura (J. Algebra)) which are useful for analysing superspecial Richelot isogeny graphs in cryptography. We first give a characterization of decomposed Richelot isogenies between Jacobian varieties of hyperelliptic curves of any genus. We then define generalized Howe curves, and present two theorems on their relationships with decomposed Richelot isogenies. We also give new examples including a non-hyperelliptic (resp. hyperelliptic) generalized Howe curve of genus 5 (resp. of genus 4).

1 Introduction

1.1 Background

Richelot isogenies of Jacobian varieties of nonsingular projective curves are generalizations of 2-isogenies of elliptic curves (see Definition 2 for the detail), and such isogenies of Jacobians of superspecial genus-1 and 2 curves are frequently used in post-quantum cryptography, which remains secure even when large scale quantum computers are deployed for cryptanalysis. Consequently, intensive study ([4, 30, 10, 3, 5] etc.) has been devoted to security evaluation of the isogeny-based cryptography in recent years. Here, cryptographic operations consist of random walks on graphs of isogenies between Jacobian varieties of superspecial curves.

Costello and Smith [5] used “decomposed” subgraphs of the superspecial isogeny graphs for their cryptanalysis successfully, in which decomposed principally polarized abelian varieties are cleverly used for efficiency improvements of the cryptanalysis. Richelot isogenies with such decomposed ones as codomain are called decomposed Richelot isogenies. Recent works have clarified the detailed information on such decomposed isogenies and the associated isogeny graph structures (Katsura–Takashima [18], Florit–Smith [9, 8], and Jordan–Zaytman [15]), which can be useful for more accurate analysis of the Costello–Smith attack. (See [29, 7] also.)

For a (hyperelliptic) curve $C$ of genus 2, Katsura and Takashima [18] showed that the equivalence of existence of a decomposed Richelot isogeny from its Jacobian variety and existence of an order-2 (long) element in the reduced automorphism group. A similar equivalence for hyperelliptic curves of genus 3 was also shown by Katsura [17]. These results give a basis for our present work.

Howe [12] investigated the nonsingular projective model of the fibre product of two elliptic curves (which satisfy some condition) w.r.t. the two hyperelliptic structures. Such curves were called Howe curves in subsequent works [21, 20]. For a genus-3 curve $C$ , Katsura [17] established another interesting equivalence that $C$ is a Howe curve if and only if it has a completely decomposed Richelot isogeny, whose target is a product of three elliptic curves. It indicates an initimate relationship between Howe curves and decomposed Richelot isogenies. We will further study the relationship for generalized Howe curves of any genus (which we will define in Section 4).

1.2 Our contributions

We generalize the works [18, 17] in higher genus cases, and give a unified approach for investigating close connections among the three notions of decomposed Richelot isogenies, non-inversion automorphisms of order 2, and generalized Howe curves.

1.

We first give a decomposition criterion (Theorem 1) by using non-inversion automorphisms of order 2 for hyperelliptic curves of any genus, which are important in almost all cryptographic applications. As is already mentioned above, it is useful for analysing Richelot isogeny graphs in higher genus cases, where there exist works for the genus-2 case by Katsura–Takashima [18] and Florit–Smith [9, 8], and for the genus-3 case by Howe–Leprévost–Poonen [13] and Katsura [17].
2.

We then define a generalized Howe curve by the nonsingular projective model of the fibre product of two hyperelliptic curves (which satisfy some condition) w.r.t. the two hyperelliptic structures. We show a criterion of when a generalized Howe curve of genus $g\geq 4$ is hyperelliptic (Theorem 2). It is simply described by using branch points of the underlying two hyperelliptic curves. As a collorary, we show that any hyperelliptic curve with an automorphism of order 2 (which is not the inverse) is realized as a generalized Howe curve (Remark 1).
3.

Thirdly, we give a strong decomposition theorem for generalized Howe curves of any genus (Theorem 3). Our present result is a generalization of two preceding facts: one is a complete decomposition theorem of genus-3 Howe curves [17, Theorem 6.2], and the other is Theorem 1 since hyperelliptic curves with a non-inversion order-2 automorphism are given by generalized Howe curves as indicated above.
4.

We show several examples in Section 5. In particular, we give a generalized Howe curve of genus 5 which is non-hyperelliptic in Example 4 and that of genus 4 which is hyperelliptic in Example 5, both of which are newly obtained from our theorems.

While we believe that our theorems, in particular, Theorem 2, represent a meaningful advance in this research area, our understanding on the relationship between decomposed Richelot isogenies and generalized Howe curves is still slightly limited. See comments after Remark 1 in Section 4.

1.3 Related Works

Isogeny-based Cryptography

As we already pointed out in Section 1.1, a detailed study of decomposed isogenies leads to a better understanding of security of superspecial isogeny based cryptography via the Costello–Smith attack. In fact, very recently, Santos–Costello–Frengley [29] proposed to use a novel search algorithm whether a genus-2 curve has an $(N,N)$ -decomposed isogenous neighbor for $2\leq N\leq 11$ for improving the Costello–Smith attack. The main ingredient of their attack is given by explicit parametrizations of moduli spaces of genus-2 curves whose Jacobians have an $(N,N)$ -decomposed isogeny, which are described by Kumar [22]. The useful, explicit descriptions depend on the special situation of genus 2. In general, it seems to be difficult to give such explicit equations of the moduli spaces for higher genera (and to efficiently compute on them). Therefore, we think that our results are a first step for employing ”decomposed neighbors” for efficiently solving the higher genus isogeny problem.

As a remarkable recent progress related to decomposed Richelot isogenies, Castryck–Decru [2] proposed a clever use of genus-2 Richelot isogenies to attack the “elliptic curve” based SIDH key exchange protocol [6]. One of their key observations is that decomposition events of Richelot isogenies can be used to check right guesses among several possibilities for solving SIDH-type isogeny problems. Their attack was extended and improved by several authors soon [23, 28]. And, in particular, Robert [28] employed 8-dimensional abelian varieties and their isogenies for establishing a polynomial-time attack against SIDH protocols with arbitrary starting elliptic curves. We note that the attacks can be applied to only special cases of isogeny problems with auxiliary points as in the SIDH case, but not be applicable to the general elliptic curve isogeny problems (without auxiliary points).

Enumeration of Superspecial Howe Curves

In a subsequent work to ours, Moriya–Kudo [25] explicitly wrote down our constructions, and established efficient algorithms for computing decomposed Richelot isogenies and generalized Howe curves in the genus-3 case. In a series of papers, Kudo and Harashita have investigated the existence and counting of superspecial curves with coauthors (see [19] for a survey of their works). Then, Moriya–Kudo also applied their explicit algorithms to search and enumerate superspecial generalized Howe curves. We can find their Magma codes for the computations at [24].

Our paper is organized as follows: Section 2 gives mathematical preliminary results which are also shown in [17, 1]. Section 3 presents a criterion for decomposed Richelot isogenies in the hyperelliptic curve case (Theorem 1). Section 4 first defines generalized Howe curves and then gives two theorems (Theorems 2 and 3) on decomposed Richelot isogenies in the generalized Howe curve case. Section 5 shows several examples.

Notation and conventions

For an abelian variety $A$ and divisors $D$ , $D^{\prime}$ on $A$ , we use the following (standard) notation: $id_{A}$ and $\iota_{A}$ denote the identity of $A$ and the inversion of $A$ , respectively. $\hat{A}={\rm Pic}^{0}(A)$ denotes the dual (Picard variety) of $A$ . $D\approx D^{\prime}$ denotes algebraic equivalence. For a vector space $V$ and a group $G$ which acts on $V$ , we denote by $V^{G}$ the invariant subspace of $V$ .

Acknowledgement

Research of the first author is partially supported by JSPS Grant-in-Aid for Scientific Research (C) No.23K03066. Research of the second author is supported by JSPS Grant-in-Aid for Scientific Research (C) JP22K11912, JST CREST JPMJCR2113, and MEXT Quantum Leap Flagship Program (MEXT Q-LEAP) JPMXS0120319794.

2 Preliminaries

We will review necessary mathematical preliminaries that are developed in [17, 1].

Let $k$ be an algebraically closed field of characteristic $p>2$ . In this section, we prepare some notation and some known lemmas to examine the structure of Richelot isogenies. For an abelian variety $A$ and a divisor $D$ on $A$ , we have a homomorphism

\begin{array}[]{rccc}\Phi_{D}:&A&\longrightarrow&{\rm Pic}^{0}(A)=\hat{A}\\ &x&\mapsto&T_{x}^{*}D-D\end{array}

(cf. Mumford [26]). Here, $T_{x}$ is the translation by $x\in A$ . We know that $\Phi_{D}$ is an isogeny if $D$ is ample.

Let $C$ be a nonsingular projective curve of genus $g$ defined over $k$ . We denote by $J(C)$ the Jacobian variety of $C$ , and by $\Theta$ the principal polarization on $J(C)$ given by $C$ . We have a natural immersion (up to translation)

\alpha_{C}:C\hookrightarrow J(C)={\rm Pic}^{0}(C).

By the abuse of terminology, we sometimes denote $\alpha_{C}(C)$ by $C$ . The morphism $\alpha_{C}$ induces a homomorphism

\alpha_{C}^{*}:\widehat{J}(C)={\rm Pic}^{0}(J(C))\longrightarrow{\rm Pic}^{0}(C)=J(C).

First, we give two lemmas which make clear relations of some homomorphisms.

Lemma 1

$\alpha_{C}^{*}=-\Phi_{\Theta}^{-1}$ .

For the proof, see Birkenhake–Lange [1, Proposition 11.3.5].

Let $f:C\longrightarrow C^{\prime}$ be a morphism of degree $2$ from $C$ to a nonsingular projective curve $C^{\prime}$ of genus $g^{\prime}$ . We denote by $J(C^{\prime})$ the Jacobian variety of $C^{\prime}$ , and by $\Theta^{\prime}$ the principal polarization on $J(C^{\prime})$ given by $C^{\prime}$ . For an invertible sheaf ${\mathcal{O}}_{C}(\sum m_{i}P_{i})\in J(C)$ ( $P_{i}\in C$ , $m_{i}\in{\bf Z}$ ), the homomorphism $N_{f}:J(C)\longrightarrow J(C^{\prime})$ is defined by

N_{f}({\mathcal{O}}_{C}(\sum m_{i}P_{i}))={\mathcal{O}}_{C^{\prime}}(\sum m_{i}f(P_{i})).

By suitable choices of $\alpha_{C}$ and $\alpha_{C^{\prime}}$ , we may assume

N_{f}\circ\alpha_{C}=\alpha_{C^{\prime}}\circ f,

that is, we have a commutative diagram

\begin{array}[]{ccc}C&\stackrel{{\scriptstyle\alpha_{C}}}{{\hookrightarrow}}&J(C)\\ f\downarrow&&\quad\downarrow N_{f}\\ C^{\prime}&\stackrel{{\scriptstyle\alpha_{C^{\prime}}}}{{\hookrightarrow}}&J(C^{\prime}).\end{array}

Lemma 2

$\Phi_{\Theta}\circ f^{*}=\hat{N}_{f}\circ\Phi_{\Theta^{\prime}}$ .

For the proof, see Birkenhake–Lange [1, equation 11.4(2)] or Katsura [17, Lemma 2.2].

Using Lemmas 1 and 2, we have the following lemma which is essential to show the existence of a decomposed Richelot isogeny.

Lemma 3

$(f^{*})^{*}(\Theta)\approx 2\Theta^{\prime}$ .

For the proof, see Birkenhake–Lange [1, Lemma 12.3.1] or Katsura [17, Lemma 2.3].

Definition 1

Let $A_{i}$ be abelian varieties with principal polarizations $\Theta_{i}$ ( $i=1,2,\ldots,n$ ), respectively. The product $(A_{1},\Theta_{1})\times(A_{2},\Theta_{2})\times\ldots\times(A_{n},\Theta_{n})$ means the principally polarized abelian variety $A_{1}\times A_{2}\times\ldots\times A_{n}$ with principal polarization

\Theta_{1}\times A_{2}\times A_{3}\times\ldots\times A_{n}+A_{1}\times\Theta_{2}\times A_{3}\times\ldots\times A_{n}+\ldots+A_{1}\times A_{2}\times\ldots\times A_{n-1}\times\Theta_{n}.

Lemma 4

Let $A$ , $A_{1}$ and $A_{2}$ be abelian varieties, and let $f:A_{1}\times A_{2}\longrightarrow A$ be an isogeny. Let $\sigma$ be an automorphism of $A$ such that $\sigma\circ f=f\circ(id_{A_{1}}\times\iota_{A_{2}})$ and $\Theta$ be a polarization of $A$ such that $\sigma^{*}\Theta\approx\Theta$ . Then,

(A_{1}\times A_{2},f^{*}\Theta)\cong(A_{1},f|^{*}_{A_{1}}\Theta)\times(A_{2},f|^{*}_{A_{2}}\Theta).

For the proof, see Katsura [17, Lemma 3.3].

Definition 2 (Richelot isogenies in genus $g$ )

Let $C$ be a nonsingular projective curve of genus $g$ , and $J(C)$ be the Jacobian variety of $C$ . We denote by $\Theta$ the canonical principal polarization of $J(C)$ . Let $A$ be a $g$ -dimensional abelian variety with principal polarization $D$ , and $f:J(C)\longrightarrow A$ be an isogeny. The isogeny $f$ is called a Richelot isogeny if $2\Theta\approx f^{*}(D)$ . A Richelot isogeny $f$ is said to be decomposed if there exist two principally polarized abelian varieties $(A_{1},\Theta_{1})$ and $(A_{2},\Theta_{2})$ such that $(A,D)\cong(A_{1},\Theta_{1})\times(A_{2},\Theta_{2})$ . Moreover, the isogeny $f$ is said to be completely decomposed if $A$ with principal polarization $D$ is decomposed into $g$ principally polarized elliptic curves.

3 Hyperelliptic curves

Let $\iota$ be the hyperelliptic inversion of a hyperelliptic curve $C$ of genus $g$ ( $g\geq 2$ ) and $\sigma$ be an automorphism of order 2 of $C$ which is not the inversion. We set $\tau=\sigma\circ\iota$ . We have a morphism $\psi:C\longrightarrow{\bf P}^{1}\cong C/\langle\iota\rangle$ . Since the morphism $\psi$ is given by ${\rm H}^{0}(C,\Omega_{C}^{1})$ and $\sigma$ acts on it, the automorphism $\sigma$ induces an automorphism of ${\bf P}^{1}$ . In case $\sigma$ has a fixed point in the branch points of $\psi$ , $\sigma$ has two fixed points in the branch points. Moreover, by a suitable choice of the coordinate $x$ of ${\bf A}^{1}\subset{\bf P}^{1}$ we may assume that the two fixed points are given by $x=0$ and $\infty$ , and that

\sigma:x\mapsto-x;\quad y\mapsto y.

Then the branch points are given by

0,1,-1,\sqrt{a_{1}},-\sqrt{a_{1}},\sqrt{a_{2}},-\sqrt{a_{2}},\ldots,\sqrt{a_{g-1}},-\sqrt{a_{g-1}},\infty.

Here, $a_{i}$ ’s are mutually different and they are neither 0 nor 1. The normal form of the curve $C$ is given by

\displaystyle y^{2}=x(x^{2}-1)(x^{2}-a_{1})(x^{2}-a_{2})\ldots(x^{2}-a_{g-1}).

Therefore, on the curve $C$ the action of $\sigma$ is given by

x\mapsto-x,~{}y\mapsto\pm\sqrt{-1}y,

which is of order 4, a contradiction. Therefore, $\sigma$ has no fixed points on the branch points.

Now, let the branch points be given by

1,-1,\sqrt{a_{1}},-\sqrt{a_{1}},\sqrt{a_{2}},-\sqrt{a_{2}},\ldots,\sqrt{a_{g}},-\sqrt{a_{g}}.

Here, $a_{i}$ ’s are mutually different and they are neither 0 nor 1. The normal form of the curve $C$ is given by

\displaystyle y^{2}=(x^{2}-1)(x^{2}-a_{1})(x^{2}-a_{2})\ldots(x^{2}-a_{g}).

(3.1)

Elements $x^{2}$ and $y$ are invariant under $\sigma$ . We set ${u}=x^{2}$ and ${v}=y$ . Then, the defining equation of the curve $C/\langle\sigma\rangle$ is given by

{v}^{2}=({u}-1)({u}-a_{1})({u}-a_{2})\ldots({u}-a_{g}).

We set $C_{\sigma}=C/\langle\sigma\rangle$ . We have the quotient morphism $f_{1}:C\longrightarrow C_{\sigma}$ . Elements $xy$ and $x^{2}$ are invariant under $\tau$ . We set ${u}=x^{2}$ and ${v}=xy$ . Then, the defining equation of the curve $C/\langle\tau\rangle$ is given by

{v}^{2}={u}({u}-1)({u}-a_{1})({u}-a_{2})\cdots({u}-a_{g}).

We set $C_{\tau}=C/\langle\tau\rangle$ . We have the quotient morphism $f_{2}:C\longrightarrow C_{\tau}$ . We denote by $g(C)$ (resp. $g(C_{\sigma})$ , resp. $g(C_{\tau})$ ) the genus of $C$ (resp. $C_{\sigma}$ , resp. $C_{\tau}$ ). It is easy to see that $g=g(C)=g(C_{\sigma})+g(C_{\tau})$ . We have a morphism

f=(f_{1},f_{2}):C\longrightarrow C_{\sigma}\times C_{\tau}.

Then, we have a homomorphism

N_{f}=(N_{f_{1}},N_{f_{2}}):J(C)\longrightarrow J(C_{\sigma})\times J(C_{\tau}).

(3.2)

The automorphisms $\sigma$ and $\tau$ induce the automorphisms of $J(C)$ , and we have natural isomorphisms:

\begin{array}[]{l}{\rm H}^{0}(J(C),\Omega_{J(C)}^{1})\cong{\rm H}^{0}(C,\Omega_{C}^{1})\cong{\rm H}^{0}(C,\Omega_{C}^{1})^{\langle\sigma^{*}\rangle}\oplus{\rm H}^{0}(C,\Omega_{C}^{1})^{\langle\tau^{*}\rangle}\\ \cong{\rm H}^{0}(C_{\sigma},\Omega_{C_{\sigma}}^{1})\oplus{\rm H}^{0}(C_{\tau},\Omega_{C_{\tau}}^{1})\cong{\rm H}^{0}(J(C_{\sigma}),\Omega_{J(C_{\sigma})}^{1})\oplus{\rm H}^{0}(J(C_{\tau}),\Omega_{J(C_{\tau})}^{1}).\end{array}

Therefore, $N_{f}$ is an isogeny. Note that

N_{f_{1}}\circ f_{1}^{*}=[2]_{J(C_{\sigma})},\quad N_{f_{2}}\circ f_{2}^{*}=[2]_{J(C_{\tau})}.

By our construction, we have

N_{f_{1}}\circ f_{2}^{*}=0,\quad N_{f_{2}}\circ f_{1}^{*}=0.

Therefore, we have

N_{f}\circ f^{*}=[2]_{J(C_{\sigma})\times J(C_{\tau})}.

Dualizing the situation (3.2), we have

f^{*}:J(C_{\sigma})\times J(C_{\tau})\longrightarrow J(C).

Theorem 1

Let $C$ be a hyperelliptic curve with an automorphism $\sigma$ of order 2, which is not the inversion. We set $\tau=\sigma\circ\iota$ as above. Then, the isogeny $N_{f}:J(C)\longrightarrow J(C_{\sigma})\times J(C_{\tau})$ is a decomposed Richelot isogeny.

Proof. Since $\sigma$ induces an isomorphism from $J(C)$ to $J(C)$ and we may assume that this isomorphism is an automorphism of $J(C)$ , we have a commutative diagram

\begin{array}[]{ccc}J(C_{\sigma})\times J(C_{\tau})&\stackrel{{\scriptstyle id_{J(C_{\sigma})}\times\iota_{J(C_{\tau})}}}{{\longrightarrow}}&J(C_{\sigma})\times J(C_{\tau})\\ f^{*}\downarrow&&\quad\downarrow f^{*}\\ \quad J(C)&\stackrel{{\scriptstyle\sigma}}{{\longrightarrow}}&J(C)\\ N_{f}\downarrow&&\quad\downarrow N_{f}\\ J(C_{\sigma})\times J(C_{\tau})&\stackrel{{\scriptstyle id_{J(C_{\sigma})}\times\iota_{J(C_{\tau})}}}{{\longrightarrow}}&J(C_{\sigma})\times J(C_{\tau}).\end{array}

Since $\sigma^{*}(\Theta)=\Theta$ , using Lemma 4, we have

f^{*}(\Theta)\approx f_{1}^{*}(\Theta)\times J(C_{\tau})+J(C_{\sigma})\times f_{2}^{*}(\Theta).

Therefore, by Lemma 3, we see

f^{*}(\Theta)\approx 2(C_{\sigma}\times J(C_{\tau}))+2(J(C_{\sigma})\times C_{\tau}).

Dualizing this situation, we have

N_{f}^{*}((C_{\sigma}\times J(C_{\tau}))+(J(C_{\sigma})\times C_{\tau}))\approx 2\Theta.

This means that $N_{f}$ is a decomposed Richelot isogeny outgoing from $J(C)$ . $\sqcap$ $\sqcup$

4 Generalized Howe curves

Let $C_{1}$ , $C_{2}$ be the nonsingular projective models of two hyperelliptic curves defined respectively by

\begin{array}[]{l}C_{1}:y_{1}^{2}=(x-a_{1})(x-a_{2})\ldots(x-a_{r})(x-a_{r+1})\ldots(x-a_{2g_{1}+2}),\\ C_{2}:y_{2}^{2}=(x-a_{1})(x-a_{2})\ldots(x-a_{r})(x-b_{r+1})\ldots(x-b_{2g_{2}+2})\end{array}

Here, $a_{i}\neq a_{j}$ , $b_{i}\neq b_{j}$ for $i\neq j$ , and $a_{i}\neq b_{j}$ for any $i,j$ . We assume $0<g_{1}\leq g_{2}$ . The genera of these curves are given by

g(C_{1})=g_{1},~{}g(C_{2})=g_{2}.

Let $\psi_{1}:C_{1}\longrightarrow{\bf P}^{1}$ and $\psi_{2}:C_{2}\longrightarrow{\bf P}^{1}$ be the hyperelliptic structures. We have $r$ common branch points of $\psi_{1}$ and $\psi_{2}$ ( $0\leq r\leq 2g_{1}+2)$ ). We consider the fiber product $C_{1}\times_{{\bf P}^{1}}C_{2}$ :

\begin{array}[]{ccc}C_{1}\times_{{\bf P}^{1}}C_{2}&\stackrel{{\scriptstyle\pi_{2}}}{{\longrightarrow}}&C_{2}\\ \pi_{1}\downarrow&&\downarrow\psi_{2}\\ C_{1}&\stackrel{{\scriptstyle\psi_{1}}}{{\longrightarrow}}&{\bf P}^{1}.\end{array}

We assume that there exists no isomorphism $\varphi:C_{1}\longrightarrow C_{2}$ such that $\psi_{2}\circ\varphi=\psi_{1}$ . Then, the curve $C_{1}\times_{{\bf P}^{1}}C_{2}$ is irreducible. We denote by $C$ the nonsingular projective model of $C_{1}\times_{{\bf P}^{1}}C_{2}$ , and we denote by $h:C\longrightarrow C_{1}\times_{{\bf P}^{1}}C_{2}$ the resolution of singularities. We call $C$ a generalized Howe curve. If $g_{1}=g_{2}=1$ , $C$ is called a Howe curve, which was originally defined in genus 4 by Howe [12] (see also Kudo–Harashita–Senda [21], Oort [27] and van der Geer–van der Vlugt [11]). The naming comes from Kudo-Harashita-Senda, loc. cit. In the case of genus 3, a Howe curve is nothing but a Ciani curve. We set $f_{i}=\pi_{i}\circ h$ for $i=1,2$ . Then, the degree of $f_{i}$ is 2. We have the following proposition.

Proposition 1

The genus $g(C)$ of $C$ is equal to $2(g_{1}+g_{2})+1-r$ .

Proof. Let $P\in{\bf P}^{1}$ be a common branch point of $\psi_{1}$ and $\psi_{2}$ . We can choose a coordinate $x$ on ${\bf A}^{1}\subset{\bf P}^{1}$ such that $P$ is locally defined by $x=0$ . Then, the equation of $C_{1}$ (resp. $C_{2}$ ) around $P$ is given by

y_{1}^{2}=u_{1}x\quad(\mbox{resp.}~{}y_{2}^{2}=u_{2}x).

Here, $u_{1}$ and $u_{2}$ are units at $P$ . We denote by $\tilde{P}$ the point of the fiber product $C_{1}\times_{{\bf P}^{1}}C_{2}$ over $P$ . Then, around $\tilde{P}$ the fiber product $C_{1}\times_{{\bf P}^{1}}C_{2}$ is defined by

y_{1}^{2}=u_{1}x,~{}y_{2}^{2}=u_{2}x.

Therefore, by eliminating $x$ , the equation around $\tilde{P}$ is given by the equation $u_{2}y_{1}^{2}=u_{1}y_{2}^{2}$ . This means that $\tilde{P}$ is a singular point with two branches. Therefore, on $C$ , $\tilde{P}$ splits into two nonsingular points and $P$ is not a branch point of $f_{1}$ .

By the meaning of fiber product, the ramification points of $\psi_{1}$ whose images by $\psi_{1}$ are not branch points of $\psi_{2}$ are not branch points of $f_{1}$ , and the points on $C_{1}$ which are not ramification points of $\psi_{1}$ and whose images by $\psi_{1}$ are branch points of $\psi_{2}$ are branch points of $f_{1}$ . Therefore, on the curve $C$ , $f_{1}$ has $2(2g_{2}+2-r)$ ramification points of index 2. Applying the Hurwitz formula to the morphism $f_{1}:C\longrightarrow C_{1}$ , we have

2(g(C)-1)=2\cdot 2(g(C_{1})-1)+2(2g_{2}+2-r).

Therefore, we have $g(C)=2(g_{1}+g_{2})+1-r$ . $\sqcap$ $\sqcup$

We denote by $\iota_{C_{1}}$ (resp. $\iota_{C_{2}}$ ) the hyperelliptic involution of $C_{1}$ (resp. $C_{2}$ ). Then, these involutions lift to automorphisms of $C$ as follows:

\begin{array}[]{l}\sigma=\iota_{C_{1}}:y_{1}\mapsto-y_{1},y_{2}\mapsto y_{2},x\mapsto x,\\ \tau=\iota_{C_{2}}:y_{1}\mapsto y_{1},y_{2}\mapsto-y_{2},x\mapsto x.\end{array}

Both $\sigma$ and $\tau$ are of order 2 and we have $\sigma\circ\tau=\tau\circ\sigma$ . Clearly, we have $C/\langle\sigma\rangle\cong C_{2}$ and $C/\langle\tau\rangle\cong C_{1}$ . We set $y_{3}=y_{1}y_{2}/(x-a_{1})(x-a_{2})\cdots(x-a_{r})$ . Then, we have a curve $C_{3}=C/\langle\sigma\circ\tau\rangle$ , which is given by the equation

y_{3}^{2}=(x-a_{r+1})\cdots(x-a_{2g_{1}+2})(x-b_{r+1})\cdots(x-b_{2g_{2}+2}).

Since the degree of the polynomial of right hand side is $2(g_{1}+g_{2})+4-2r$ , the genus of the curve $C_{3}$ is given by

g(C_{3})=g_{1}+g_{2}+1-r,

(4.1)

and we have

g(C)=g(C_{1})+g(C_{2})+g(C_{3}).

(4.2)

We have natural projections $f_{i}:C\longrightarrow C_{i}$ ( $i=1,2,3$ ). We denote by $(J(C_{i}),\Theta_{i})$ the Jacobian varieties of $C_{i}$ ( $i=1,2,3$ ).

Theorem 2

Under the notation above, assume $g(C)\geq 4$ . Then, the generalized Howe curve $C$ is hyperelliptic if and only if $r=g_{1}+g_{2}+1$ , i.e., the curve $C_{3}$ is rational.

Proof.First, we note $r\leq g_{1}+g_{2}+1$ . Because if $r>g_{1}+g_{2}+1$ , by $r\leq 2g_{1}+2$ and $g_{1}\leq g_{2}$ we have $g_{1}=g_{2}$ and $r=2g_{1}+2$ and all the branch points on ${\bf P}^{1}$ of $C_{1}$ and $C_{2}$ coincide. Therefore, $C_{1}$ is isomorphic to $C_{2}$ , and there exists an automorphism $\varphi:C_{1}\longrightarrow C_{2}$ such that $\psi_{1}=\psi_{2}\circ\varphi$ . Therefore, the fiber product $C_{1}\times_{{\bf P}^{1}}C_{2}$ is reducible by the universality of fiber product, and we already excluded this case.

If $r=g_{1}+g_{2}+1$ , then we have $g(C_{3})=0$ and we have a morphism $C\longrightarrow C_{3}$ of degree 2. Therefore, $C$ is hyperelliptic. If $r<g_{1}+g_{2}+1$ , then we have $g(C_{3})>0$ . Since we have $g(C)\geq 4$ , by (4.2) there exists $C_{i}$ such that $g(C_{i})\geq 2$ and we have a morphism $f_{i}:C\longrightarrow C_{i}$ . Since $f_{i}$ is separable, we have an injective homomorphism

{\rm H}^{0}(C_{i},\Omega_{C_{i}}^{1})\longrightarrow{\rm H}^{0}(C,\Omega_{C}^{1}).

(4.3)

Suppose $C$ is hyperelliptic. Note that $C_{i}$ is a hyperelliptic curve. Since the hyperelliptic structure of $C$ (resp. $C_{i}$ ) is given by ${\rm H}^{0}(C,\Omega_{C}^{1})$ (resp. ${\rm H}^{0}(C_{i},\Omega_{C_{i}}^{1})$ ) we have the following commutative diagram by (4.3):

\begin{array}[]{ccc}C&\stackrel{{\scriptstyle f_{i}}}{{\longrightarrow}}&C_{i}\\ \downarrow&&\downarrow\\ ~{}{\bf P}^{1}&\longrightarrow&~{}{\bf P}^{1}.\end{array}

(4.4)

We have a field extension $k(C)/k(x)$ . This is a Galois extension and the Galois group is isomorphic to ${\bf Z}/2{\bf Z}\times{\bf Z}/2{\bf Z}$ . Therefore, we have 3 intermediate fields of the field extension $k(C)/k(x)$ , and the 3 intermediate fields are given by $k(C_{i})$ ( $i=1,2,3$ ) whose genera are greater than or equal to 1. However, by the diagram (4.4) we have one more intermediate field $k({\bf P}^{1})$ , a contradiction. $\sqcap$ $\sqcup$

From Theorem 2, the Howe curves of genus 4 which are constructed with $g_{1}=1$ , $g_{2}=1$ and $r=1$ are non-hyperelliptic, which is known to Kudo-Harashita-Howe [20, Lemma 2.1].

Theorem 3

Let $C$ be a generalized Howe curve defined as above. Then, $C$ has a decomposed Richelot isogeny given by a natural isogeny

N_{f}:J(C)\longrightarrow J(C_{1})\times J(C_{2})\times J(C_{3}).

Proof. We have a homomorphism

N_{f}=(N_{f_{1}},N_{f_{2}},N_{f_{3}}):J(C)\longrightarrow J(C_{1})\times J(C_{2})\times J(C_{3}).

Since we have natural isomorphisms:

	$\displaystyle{\rm H}^{0}(J(C),\Omega_{J(C)}^{1})\cong{\rm H}^{0}(C,\Omega_{C}^{1})$
	$\displaystyle\quad\quad\cong{\rm H}^{0}(C,\Omega_{C}^{1})^{\langle\sigma^{}\rangle}\oplus{\rm H}^{0}(C,\Omega_{C}^{1})^{\langle\tau^{}\rangle}\oplus{\rm H}^{0}(C,\Omega_{C}^{1})^{\langle\tau^{}\circ\sigma^{}\rangle}$
	$\displaystyle\quad\quad\cong{\rm H}^{0}(C_{\sigma},\Omega_{C_{\sigma}}^{1})\oplus{\rm H}^{0}(C_{\tau},\Omega_{C_{\tau}}^{1})\oplus{\rm H}^{0}(C_{\sigma\circ\tau},\Omega_{C_{\sigma\circ\tau}}^{1})$
	$\displaystyle\quad\quad\cong{\rm H}^{0}(J(C_{1}),\Omega_{J(C_{1})}^{1})\oplus{\rm H}^{0}(J(C_{2}),\Omega_{J(C_{2})}^{1})\oplus{\rm H}^{0}(J(C_{3}),\Omega_{J(C_{3})}^{1}),$

we see that $N_{f}$ is an isogeny. Then by a similar method to the one in Theorem 1, we have

2\Theta\approx{N_{f}}^{*}(\Theta_{1}\times J(C_{2})\times J(C_{3})+J(C_{1})\times\Theta_{2}\times J(C_{3})+J(C_{1})\times J(C_{2})\times\Theta_{3})

and $N_{f}$ is a decomposed Richelot isogeny. $\sqcap$ $\sqcup$

Remark 1

Under the notation in Section 3, we set $C_{1}=C_{\sigma}$ and $C_{2}=C_{\tau}$ . Let $\psi_{i}:C_{i}\longrightarrow{\bf P}^{1}$ ( $i=1,2$ ) be the hyperelliptic structures. Then, by the universality of fiber product we have $C\cong C_{1}\times_{{\bf P}^{1}}C_{2}$ . In this case, we have $\sigma\circ\tau=\iota$ , and $C_{3}=C/\langle\iota\rangle\cong{\bf P}^{1}$ . This means that the hyperelliptic curve $C$ is a generalized Howe curve which satisfies the condition $r=g_{1}+g_{2}+1$ in Theorem 2, and that Theorem 1 is a special case of Theorem 3.

If the genus of the Howe curve $C$ is 3, then the converse of Theorem 3 holds (cf. [17, Theorem 6.3]), that is, if there exists a completely decomposed Richelot isogeny outgoing from the Jacobian variety $J(C)$ , then the curve $C$ is a Howe curve. However, if the genus of the curve $C$ is large, it seems to be difficult to formulate the converse. Assume the target of the Richelot isogeny is decomposed into 3 principally polarized abelian varieties as in Theorem 3. First, if the dimension of a principally polarized abelian variety is large, then it is not necessarily a Jacobian variety. If the components of the decomposition are all Jacobian varieties, the automorphism of order 2 of the target does not necessarily determine a good automorphism of $C$ if the curve is not hyperelliptic. Note that for an automorphism $\sigma$ of order 2 of the non-hyperelliptic curve $C$ of genus 3 the quotient curve $C/\langle\sigma\rangle$ is always an elliptic curve (cf. Katsura [17, Corollary 5.2]). Such facts work well in the case of genus 3. But we cannot expect similar results in higher genus.

5 Examples

In this section, we assume the characteristic $p\neq 2$ and give some concrete examples.

Example 1

We consider the nonsingular complete model $C$ of a curve defined by the equation

x^{4}+y^{4}+x^{2}y^{2}+1=0.

The genus of this curve is 3 and $C$ has automorphisms $\sigma$ , $\tau$ of order 2 given by

\begin{array}[]{l}\sigma:x\mapsto-x,~{}y\mapsto y\\ \tau:x\mapsto x,~{}y\mapsto-y.\end{array}

We set $u=\sqrt[4]{3}y/\sqrt{2}$ and $v=x^{2}+(y^{2}/2)$ (resp. $u=\sqrt[4]{3}x/\sqrt{2}$ and $v=y^{2}+(x^{2}/2)$ ). Then, $u,v$ are invariant under the action of the group $\langle\sigma\rangle$ (resp. the group $\langle\tau\rangle$ ) and the quotient curve $E_{\sigma}=C/\langle\sigma\rangle$ (resp. $E_{\tau}=C/\langle\tau\rangle$ ) is an elliptic curve defined by the equation

v^{2}+u^{4}+1=0.

Since the group $G=\langle\sigma,\tau\rangle\cong{\bf Z}/2{\bf Z}\times{\bf Z}/2{\bf Z}$ acts on $C$ and we have $C/G\cong{\bf P}^{1}$ , we see that the original curve $C$ is a non-hyperelliptic Howe curve given by the fiber product $E_{\sigma}\times_{{\bf P}^{1}}E_{\tau}$ . Since $u=y/x$ and $v=1/x^{2}$ are invariant under the action of the group $\langle\sigma\circ\tau\rangle$ , we have the third elliptic curve $E_{\sigma\circ\tau}=C/\langle\sigma\circ\tau\rangle$ defined by

v^{2}+u^{4}+u^{2}+1=0.

We have a natural morphism $C\longrightarrow E_{\sigma}\times E_{\tau}\times E_{\sigma\circ\tau}$ , and this morphism induces a completely decomposed Richelot isogeny

J(C)\longrightarrow E_{\sigma}\times E_{\tau}\times E_{\sigma\circ\tau}.

Example 2

We consider the nonsinglar complete model $C$ of a hyperelliptic curve defined by the equation

y^{2}=x^{8}+x^{4}+1.

The genus of this curve is 3 and $C$ has automorphisms $\sigma$ , $\iota$ of order 2 given by

\begin{array}[]{l}\sigma:x\mapsto-x,~{}y\mapsto y,\\ \iota:x\mapsto x,~{}y\mapsto-y.\end{array}

The automorphism $\iota$ is a hyperelliptic involution. We set $u=x^{2}$ and $v=y$ (resp. $u=x^{2}$ and $v=xy$ ). Then, $u,v$ are invariant under the action of the group $\langle\sigma\rangle$ (resp. the group $\langle\sigma\circ\iota\rangle$ ) and the quotient curve $E_{\sigma}=C/\langle\sigma\rangle$ (resp. $C_{\sigma\circ\iota}=C/\langle\sigma\circ\iota\rangle$ ) is a curve defined by the equation

v^{2}=u^{4}+u^{2}+1\quad(\mbox{resp.}~{}v^{2}=u(u^{4}+u^{2}+1)).

$E_{\sigma}$ is an elliptic curve and $C_{\sigma\circ\iota}$ is a curve of genus 2. We have a natural morphism $C\longrightarrow E_{\sigma}\times C_{\sigma\circ\iota}$ , and this morphism induces a decomposed Richelot isogeny

J(C)\longrightarrow E_{\sigma}\times J(C_{\sigma\circ\iota}).

On the other hand, we consider the following automorphism:

\tau:x\mapsto 1/x,~{}y\mapsto y/x^{4}.

We set $u=x+(1/x)$ and $v=y/x^{2}$ (resp. $u=x-(1/x)$ and $v=y/x^{2}$ ). Then, $u$ and $v$ are invariant under the action of the group $\langle\tau\rangle$ (resp. the group $\langle\sigma\circ\tau\rangle$ ) and the quotient curve $E_{\tau}=C/\langle\tau\rangle$ (resp. $E_{\sigma\circ\tau}=C/\langle\sigma\circ\tau\rangle$ ) is an elliptic curve and given by the equation

v^{2}=u^{4}-4u^{2}+3\quad(\mbox{resp.}~{}v^{2}=u^{4}+4u^{2}+3).

Since the group $G=\langle\tau,\sigma\circ\tau\rangle\cong{\bf Z}/2{\bf Z}\times{\bf Z}/2{\bf Z}$ acts on $C$ and we have $C/G\cong{\bf P}^{1}$ , we see that the original curve $C$ is a hyperelliptic Howe curve given by the fiber product $E_{\tau}\times_{{\bf P}^{1}}E_{\sigma\circ\tau}$ . We have a natural morphism $C\longrightarrow E_{\sigma}\times E_{\tau}\times E_{\sigma\circ\tau}$ and this induces a completely decomposed Richelot isogeny

J(C)\longrightarrow E_{\sigma}\times E_{\tau}\times E_{\sigma\circ\tau}.

Example 3

We consider the nonsingular complete model ${C}$ of a curve defined by the equation

\displaystyle{C}:\ x^{4}+y^{4}+1=0.

The genus of this curve is 3 and ${C}$ has automorphisms $\sigma$ , $\tau$ of order 2 given by

\begin{array}[]{l}\sigma:x\mapsto-x,~{}y\mapsto y,\\ \tau:x\mapsto x,~{}y\mapsto-y.\end{array}

We set $u=y$ and $v=x^{2}$ (resp. $u=x$ and $v=y^{2}$ ). Then, $u,v$ are invariant under the action of the group $\langle\sigma\rangle$ (resp. the group $\langle\tau\rangle$ ) and the quotient curve $E_{\sigma}={C}/\langle\sigma\rangle$ (resp. $E_{\tau}={C}/\langle\tau\rangle$ ) is an elliptic curve defined by the equation

v^{2}+u^{4}+1=0.

(5.1)

Since the group $G=\langle\sigma,\tau\rangle\cong{\bf Z}/2{\bf Z}\times{\bf Z}/2{\bf Z}$ acts on ${C}$ and we have ${C}/G\cong{\bf P}^{1}$ , we see that the original curve ${C}$ is a non-hyperelliptic Howe curve given by the fiber product $E_{\sigma}\times_{{\bf P}^{1}}E_{\tau}$ . Since $u=y/x$ and $v=1/x^{2}$ are invariant under the action of the group $\langle\sigma\circ\tau\rangle$ , we have the third elliptic curve $E_{\sigma\circ\tau}={C}/\langle\sigma\circ\tau\rangle$ defined by the equation (5.1). We have a natural morphism ${C}\longrightarrow E_{\sigma}\times E_{\tau}\times E_{\sigma\circ\tau}$ , and this morphism induces a completely decomposed Richelot isogeny

J({C})\longrightarrow E_{\sigma}\times E_{\tau}\times E_{\sigma\circ\tau}.

Since the elliptic curve defined by the equation (5.1) has automorphism of order 4, it is isomorphic to the elliptic curve $E_{0}$ defined by

\displaystyle E_{0}:\ y^{2}=x^{3}-x

over an algebraically closed field $k$ . $E_{0}$ is supersingular if and only if $p\equiv 3~{}(\mbox{mod}~{}4)$ . Since our Richelot isogeny is separable, we see that the curve ${C}$ is a superspecial non-hyperelliptic Howe curve if $p\equiv 3~{}(\mbox{mod}~{}4)$ , that is, the Jacobian variety $J({C})$ is isomorphic to a product of three supersingular elliptic curves. The elliptic curve $E_{0}$ has an automorphism $\rho$ of order 4 defined by

\rho:x\mapsto-x,~{}y\mapsto iy.

Here, $i$ is a primitive fourth root of unity. We denote by $F$ the Frobenius morphism of $E_{0}$ . We note that if $p\equiv 3~{}(\mbox{mod}~{}4)$ , the endomorphism ring of $E_{0}$ is given by

\displaystyle{\rm End}(E_{0})={\bf Z}+{\bf Z}\rho+{\bf Z}(1+F)/2+{\bf Z}\rho(1+F)/2

(cf. Katsura [16]).

Remark 2

In the case of curves of genus 3, decomplosed Richelot isogenies are studied in Howe-Leprévost-Poonen [13] and Katsura [17] in detail.

We give two more examples of higher genera. By this method, we can construct many superspecial curves (see also Kudo-Harashita-Howe [20]).

Example 4

Assume the characteristic $p>2$ . We consider two elliptic curves

C_{1}:{y}_{1}^{2}=x^{4}+1,\quad C_{2}:{y}_{2}^{2}=x^{4}-1.

They are isomorphic to each other and supersingular if and only if $p\equiv 3~{}({\rm mod}~{}4)$ . Let $C$ be the generalized Howe curve which is birational to $C_{1}\times_{{\bf P}^{1}}C_{2}$ . Then we have a Galois extension $k(C)/k(x)$ with the Galois group $\cong{\bf Z}/2{\bf Z}\times{\bf Z}/2{\bf Z}$ and we have $k(C)\cong k(x,{y}_{1},{y}_{2})$ . In this case we have $r=0$ , and by the formula (4.1), we have $g(C_{3})=3$ . We set ${y}_{3}={y}_{1}{y}_{2}$ . Then we have

{y}_{3}^{2}=x^{8}-1

which is the equation for the curve $C_{3}$ of genus 3 and we have three intermediate field $k(C_{1})$ , $k(C_{2})$ and $k(C_{3})$ of the field extension $k(C)/k(x)$ . By the calculation of the Cartier operator, we can easily show that $C_{3}$ is superspecial if and only if $p\equiv 7~{}({\rm mod}~{}8)$ . Now, we set $y={y}_{1}+{y}_{2}$ . Then, we have ${y}_{1}{y}_{2}=y^{2}/2-x^{4}$ . Using this equation, we know that the curve $C$ is the nonsingular model of the curve defined by the following equation:

y^{4}=4x^{4}y^{2}-4.

Since we have $r=0$ , $C$ is non-hyperelliptic by Theorem 2. Since we have a Richelot isogeny $J(C)\longrightarrow J(C_{1})\times J(C_{2})\times J(C_{3})$ and the Richelot isogeny is separable, the curve $C$ is superspecial if and only if $p\equiv 7~{}({\rm mod}~{}8)$ .

Incidentally, the three automorphims of order 2 of the curve $C$ are given by

\sigma:x\mapsto x,~{}y\mapsto 2/y,\quad\tau:x\mapsto x,~{}y\mapsto-2/y,

and $\sigma\circ\tau$ .

Example 5

Assume the characteristic $p\geq 7$ . We consider two curves of genus 2:

C_{1}:{y}_{1}^{2}=x^{5}+1,\quad C_{2}:{y}_{2}^{2}=x^{6}+x.

By the isomorphism

x\mapsto 1/x,~{}{y}_{2}\mapsto{y}_{1}/x^{3}

they are isomorphic to each other. Moreover, they are supersingular if and only if $p\equiv 4~{}({\rm mod}~{}5)$ (cf. Ibukiyama-Katsura-Oort [14]). Let $C$ be the generalized Howe curve which is birational to $C_{1}\times_{{\bf P}^{1}}C_{2}$ . Then we have a Galois extension $k(C)/k(x)$ with the Galois group $\cong{\bf Z}/2{\bf Z}\times{\bf Z}/2{\bf Z}$ and we have $k(C)\cong k(x,{y}_{1},{y}_{2})$ . In this case we have $r=5$ , and by the formula (4.1), we have $g(C_{3})=0$ . Therefore, $C$ is hyperelliptic and we have $g(C)=4$ by (4.2). We set ${y}_{3}={y}_{2}/{y}_{1}$ . Then we have the equation of $C_{3}$ :

{y}_{3}^{2}=x

(5.2)

and we have three intermediate fields $k(C_{1})$ , $k(C_{2})$ and $k(C_{3})$ of the field extension $k(C)/k(x)$ . Now, we set $y={y}_{1}+{y}_{2}$ . Then we have

y^{2}=(x^{5}+1)(1+x+2{y}_{3}).

(5.3)

Using the equation (5.2), and putting $z=y/(1+{y}_{3})$ , we have the equation of the curve $C$ over $C_{3}$ :

z^{2}={y}_{3}^{10}+1.

Using the equations (5.3) and (5.2), we have the equation of the curve $C$ :

y^{4}-2(x^{5}+1)(x+1)y^{2}+(x^{5}+1)^{2}(x-1)^{2}=0.

Since we have a Richelot isogeny $J(C)\longrightarrow J(C_{1})\times J(C_{2})$ and the Richelot isogeny is separable, the curve $C$ is superspecial if and only if $p\equiv 4~{}({\rm mod}~{}5)$ .