Computational Class Field Theory: Bstract

Download as pdf or txt
Download as pdf or txt
You are on page 1of 38

Algorithmic Number Theory

MSRI Publications
Volume 44, 2008
Computational class eld theory
HENRI COHEN AND PETER STEVENHAGEN
ABSTRACT. Class eld theory furnishes an intrinsic description of the abelian
extensions of a number eld which is in many cases not of an immediate algo-
rithmic nature. We outline the algorithms available for the explicit computation
of such extensions.
CONTENTS
1. Introduction 497
2. Class eld theory 499
3. Local aspects: ideles 503
4. Computing class elds: preparations 508
5. Class elds as Kummer extensions 509
6. Class elds arising from complex multiplication 515
7. Class elds from modular functions 522
8. Class invariants 529
Acknowledgements 532
References 533
1. Introduction
Class eld theory is a twentieth century theory describing the set of nite
abelian extensions L of certain base elds K of arithmetic type. It provides a
canonical description of the Galois groups Gal(L,K) in terms of objects dened
inside K, and gives rise to an explicit determination of the maximal abelian
quotient G
ab
K
of the absolute Galois group G
K
of K. In the classical examples,
K is either a global eld, that is, a number eld or a function eld in one variable
over a nite eld, or a local eld obtained by completing a global eld at one
of its primes. In this paper, which takes an algorithmic approach, we restrict to
the fundamental case in which the base eld K is a number eld. By doing so,
we avoid the complications arising for p-extensions in characteristic p >0.
497
498 HENRI COHEN AND PETER STEVENHAGEN
Class eld theory describes G
ab
K
for a number eld K in a way that can be
seen as a rst step towards a complete description of the full group G
K
G

.
At the moment, such a description is still far away, and it is not even clear what
kind of description one might hope to achieve. Grothendiecks anabelian Galois
theory and his theory of dessins denfant [Schneps 1994] constitute one direction
of progress, and the largely conjectural Langlands program [Bump et al. 2003]
provides an other approach. Despite all efforts and partial results [V olklein
1996], a concrete question such as the inverse problemof Galois theory which
asks whether, for a number eld K, all nite groups G occur as the Galois group
of some nite extension L,Kremains unanswered for all K.
A standard method for gaining insight into the structure of G
K
, and for re-
alizing certain types of Galois groups over K as quotients of G
K
, consists of
studying the action of G
K
on arithmetical objects related to K, such as the di-
vision points in of various algebraic groups dened over K. A good example
is the Galois representation arising from the group Em|() of m-torsion points
of an elliptic curve E that is dened over K. The action of G
K
on Em|()
factors via a nite quotient T
m
GL
2
(,m) of G
K
, and much is known
[Serre 1989] about the groups T
m
. Elliptic curves with complex multiplication
by an order in an imaginary quadratic eld K give rise to abelian extensions of
K and yield a particularly explicit instance of class eld theory.
For the much simpler example of the multiplicative group G
m
, the division
points of G
m
() are the roots of unity in . The extensions of K they generate
are the cyclotomic extensions of K. Because the Galois group of the extension
K K(
m
) obtained by adjoining a primitive m-th root of unity
m
to K natu-
rally embeds into (,m)
+
, all cyclotomic extensions are abelian. For K=,
Kronecker discovered in 1853 that all abelian extensions are accounted for in
this way.
THEOREM 1.1 (KRONECKERWEBER). Every nite abelian extension L
is contained in some cyclotomic extension (
m
).
Over number elds K =, there are more abelian extensions than just cyclo-
tomic ones, and the analogue of Theorem 1.1 is what class eld theory provides:
every abelian extension K L is contained in some ray class eld extension
K H
m
. Unfortunately, the theory does not provide a natural system of
generators for the elds H
m
that plays the role of the roots of unity in Theorem
1.1. Finding such a system for all K is one of the Hilbert problems from 1900
that is still open. Notwithstanding this problem, class eld theory is in princi-
ple constructive, and, once one nds in some way a possible generator of H
m
over K, it is not difcult to verify that it does generate H
m
. The information
we have on H
m
is essentially an intrinsic description, in terms of the splitting
and ramication of the primes in the extension K H
m
, of the Galois group
COMPUTATIONAL CLASS FIELD THEORY 499
Gal(H
m
,K) as a ray class group Cl
m
. This group replaces the group (,m)
+
that occurs implicitly in Theorem 1.1 as the underlying Galois group:
(,m)
+

~
Gal((
m
),). (a mod m) (o
a
:
m

a
m
). (1-2)
We can in principle nd generators for any specic class eld by combining our
knowledge of its ramication data with a classical method to generate arbitrary
solvable eld extensions, namely, the adjunction of radicals. More formally, we
call an extension L of an arbitrary eld K a radical extension if L is contained
in the splitting eld over K of a nite collection of polynomials of the form
X
n
a, with n
1
not divisible by char(K) and a K. If the collection of
polynomials can be chosen so that K contains a primitive n-th root of unity for
each polynomial X
n
a in the collection, then the radical extension K L is
said to be a Kummer extension. Galois theory tells us that every Kummer ex-
tension is abelian and, conversely, that an abelian extension KL of exponent
n is Kummer if K contains a primitive n-th root of unity. Here the exponent of
an abelian extension K L is the smallest positive integer n that annihilates
Gal(L,K). Thus, for every nite abelian extension K L of a number eld
K, there exists a cyclotomic extension K K() such that the base-changed
extension K() L() is Kummer.
In Section 5, we compute the class elds of K as subelds of Kummer ex-
tensions of K() for suitable cyclotomic extensions K() of K. The practical
problem of the method is that the auxiliary elds K() may be much larger than
the base eld K, and this limits its use to not-too-large examples.
If K is imaginary quadratic, elliptic curves with complex multiplication solve
the Hilbert problem for K, and this yields methods that are much faster than the
Kummer extension constructions for general K. We describe these complex
multiplication methods in some detail in our Sections 6 to 8. We do not discuss
their extension to abelian varieties with complex multiplication [Shimura 1998];
nor do we discuss the analytic generation of class elds of totally real number
elds K using Stark units [Cohen 2000, Chapter 6].
2. Class eld theory
Class eld theory generalizes Theorem 1.1 by focusing on the Galois group
(,m)
+
of the cyclotomic extension (
m
) rather than on the specic
generator
m
. The extension (
m
) is unramied at all primes p m, and
the splitting behavior of such p only depends on the residue class (p mod m)
(,m)
+
. More precisely, the residue class degree
p
= F
p
(
m
) : F
p
| of the
primes over p m equals the order of the Frobenius automorphism (o
p
:
m

p
m
) Gal((
m
),), and this is the order of (p mod m) (,m)
+
under the
standard identication (1-2).
500 HENRI COHEN AND PETER STEVENHAGEN
Now let K L be any abelian extension of number elds. Then for each
prime p of K that is unramied in L, by [Stevenhagen 2008, Section 15] there is
a unique element Frob
p
Gal(L,K) that induces the Frobenius automorphism
x x
#k
p
on the residue class eld extensions k
p
k
q
for the primes q in L
extending p. The order of this Frobenius automorphism Frob
p
of p in Gal(L,K)
equals the residue class degree k
q
: k
p
|, and the subgroup (Frob
p
) Gal(L,K)
is the decomposition group of p.
We dene the Artin map for L,K as the homomorphism
[
L{K
: I
K
(z
L{K
) Gal(L,K). p Frob
p
(2-1)
on the group I
K
(z
L{K
) of fractional
K
-ideals generated by the primes p of K
that do not divide the discriminant z
L{K
of the extension KL. Such primes
p are known to be unramied in L by [Stevenhagen 2008, Theorem 8.5]. For
an ideal a I
K
(z
L{K
), we call [
L{K
(a) the Artin symbol of a in Gal(L,K).
For K =, we can rephrase Theorem 1.1 as follows.
THEOREM 2.2 (KRONECKERWEBER). If L is an abelian extension,
there exists an integer m
>0
such that the kernel of the Artin map [
L{
contains all -ideals x with x >0 and x 1 mod m.
The equivalence of Theorems 1.1 and 2.2 follows from the analytic fact that an
extension of number elds is trivial if all primes outside a density zero subset
split completely in it. Thus, if all primes p 1 mod m split completely in
L, then all primes of degree one are split in (
m
) L(
m
) and L is
contained in the cyclotomic eld (
m
).
The positivity condition on x in Theorem2.2 can be omitted if the primes p
1 mod m also split completely in L, that is, if L is totally real and contained
in the maximal real subeld (
m

-1
m
) of (
m
). The allowed values of min
Theorem 2.2 are the multiples of some minimal positive integer, the conductor
of L. It is the smallest integer m for which (
m
) contains L. The prime
divisors of the conductor are exactly the primes that ramify in L, and p
2
divides
the conductor if and only if p is wildly ramied in L.
For a quadratic eld Lof discriminant d, the conductor equals [d[, and Theo-
rem 2.2 says that the Legendre symbol

d
x

only depends on x modulo [d[. This


is Eulers version of the quadratic reciprocity law. The main statement of class
eld theory is the analogue of Theorem 2.2 over arbitrary number elds K.
THEOREM 2.3 (ARTINS RECIPROCITY LAW). If K L is an abelian exten-
sion, there exists a nonzero ideal m
0

K
such that the kernel of the Artin map
[
L{K
in (2-1) contains all principal
K
-ideals x
K
with x totally positive and
x 1 mod m
0
.
COMPUTATIONAL CLASS FIELD THEORY 501
This innocuous-looking statement is highly nontrivial. It shows there is a pow-
erful global connection relating the splitting behavior in L of different primes of
K. Just as Theorem 2.2 implies the quadratic reciprocity law, Artins reciprocity
law implies the general power reciprocity laws from algebraic number theory;
see [Artin and Tate 1990, Chapter 12, ~ 4; Cassels and Fr ohlich 1967, p. 353].
It is customary to treat the positivity conditions at the real primes of K and
the congruence modulo m
0
in Theorem 2.3 on equal footing. To this end, one
formally denes a modulus m of K to be a nonzero
K
-ideal m
0
times a subset
m
o
of the real primes of K. For a modulus m=m
0
m
o
, we write
x 1 mod
+
m
if x satises ord
p
(x 1) ord
p
(m
0
) at the primes p dividing the nite part m
0
and if x is positive at the real primes in the innite part m
o
of m.
In the language of moduli, Theorem 2.3 asserts that there exists a modulus
m such that the kernel ker [
L{K
of the Artin map contains the ray group R
m
of principal
K
-ideals x
K
generated by elements x 1 mod
+
m. As in the
case of Theorem 2.2, the set of these admissible moduli for K L consists
of the multiples m of some minimal modulus f
L{K
, the conductor of K L.
The primes occurring in f
L{K
are the primes of K, both nite and innite, that
ramify in L. An innite prime of K is said to ramify in L if it is real but has
complex extensions to L. As for K = , a nite prime p occurs with higher
multiplicity in the conductor if and only if it is wildly ramied in L.
If m=m
0
m
o
is an admissible modulus for KL and I
m
denotes the group
of fractional
K
-ideals generated by the primes p coprime to m
0
, then the Artin
map induces a homomorphism
[
L{K
: Cl
m
=I
m
,R
m
Gal(L,K). p| Frob
p
(2-4)
on the ray class group Cl
m
= I
m
,R
m
modulo m. Our earlier remark on the
triviality of extensions in which almost all primes split completely implies that
it is surjective. By the Chebotarev density theorem [Stevenhagen and Lenstra
1996], even more is true: the Frobenius automorphisms Frob
p
for p I
m
are
equidistributed over the Galois group Gal(L,K). In particular, a modulus m is
admissible for an abelian extension K L if and only if (almost) all primes
p R
m
of K split completely in L.
Since the order of the Frobenius automorphism Frob
p
Gal(L,K) equals the
residue class degree
p
of the primes q in L lying over p, the norm N
L{K
(q) =
p
(
p
of every prime ideal q in
L
coprime to m is contained in the kernel of the
Artin map. A nontrivial index calculation shows that the norms of the
L
-ideals
coprime to m actually generate the kernel in (2-4). In other words, the ideal
group A
m
I
m
that corresponds to L, in the sense that we have ker [
L{K
=
502 HENRI COHEN AND PETER STEVENHAGEN
A
m
,R
m
, is equal to
A
m
=N
L{K
(I
m
L
) R
m
. (2-5)
The existence theorem from class eld theory states that for every modulus m
of K, there exists an extension K L=H
m
for which the map [
L{K
in (2-4)
is an isomorphism. Inside some xed algebraic closure K of K, the extension
H
m
is uniquely determined as the maximal abelian extension L of K in which
all primes in the ray group R
m
split completely. It is the ray class eld H
m
modulo m mentioned in the introduction, for which the analogue of Theorem
1.1 holds over K. If K L is abelian, we have L H
m
whenever m is an
admissible modulus for L. For L = H
m
, we have A
m
= R
m
in (2-5) and an
Artin isomorphism Cl
m

~
Gal(H
m
,K).
EXAMPLE 2.6.1. It will not come as a surprise that for K=, the ray class eld
modulo (m) ois the cyclotomic eld (
m
), and the ray class group Cl
(m)o
is the familiar group (,m)
+
acting on the m-th roots of unity. Leaving out
the real prime oof , we nd the ray class eld modulo (m) to be the maximal
real subeld (
m

-1
m
) of (
m
). This is the maximal subeld in which the
real prime ois unramied.
EXAMPLE 2.6.2. The ray class eld of conductor m =(1) is the Hilbert class
eld H =H
1
of K. It is the largest abelian extension of K that is unramied at
all primes of K, both nite and innite. Since I
1
and R
1
are the groups of all
fractional and all principal fractional
K
-ideals, respectively, the Galois group
Gal(H,K) is isomorphic to the ordinary class group Cl
K
of K, and the primes
of K that split completely in H are precisely the principal prime ideals of K.
This peculiar fact makes it possible to derive information about the class group
of K from the existence of unramied extensions of K, and conversely.
The ray group R
m
is contained in the subgroup P
m
I
m
of principal ideals
in I
m
, and the quotient I
m
,P
m
is the class group Cl
K
of K for all m. Thus, the
ray class group Cl
m
=I
m
,R
m
is an extension of Cl
K
by a nite abelian group
P
m
,R
m
that generalizes the groups (,m)
+
from (1-2). More precisely, we
have a natural exact sequence

+
K
(
K
,m)
+
Cl
m
Cl
K
0 (2-7)
in which the residue class of x
K
coprime to m
0
in the nite group
(
K
,m)
+
=(
K
,m
0
)
+

Q
p[m
1
(1)
consists of its ordinary residue class modulo m
0
and the signs of its images
under the real primes p[m
o
. This group naturally maps onto P
m
,R
m
Cl
m
,
with a kernel reecting the fact that generators of principal
K
-ideals are only
unique up to multiplication by units in
K
.
COMPUTATIONAL CLASS FIELD THEORY 503
Interpreting both class groups in (2-7) as Galois groups, we see that all ray
class elds contain the Hilbert class eld H =H
1
from Example 2.6.2, and that
we have an Artin isomorphism
(
K
,m)
+
,im
+
K
|
~
Gal(H
m
,H) (2-8)
for their Galois groups over H. By Example 2.6.1, this is a generalization of
the isomorphism (1-2).
In class eld theoretic terms, we may specify an abelian extension KL by
giving an admissible modulus m for the extension together with the correspond-
ing ideal group
A
m
=kerI
m
Gal(L,K)| (2-9)
arising as the kernel of the Artin map (2-4). In this way, we obtain a canonical
bijection between abelian extensions of K inside K and ideal groups R
m

A
m
I
m
of K, provided that one allows for the fact that the same ideal group
A
m
can be dened modulo different multiples m of its conductor, that is, the
conductor of the corresponding extension. More precisely, we call the ideal
groups A
m
1
and A
m
2
equivalent if they satisfy A
m
1
I
m
=A
m
2
I
m
for some
common multiple m of m
1
and m
2
.
Both from a theoretical and an algorithmic point of view, (2-5) provides an
immediate description of the ideal group corresponding to L as the norm group
A
m
=N
L{K
(I
m
L
) R
m
as soon as we are able to nd an admissible modulus
m for L. In the reverse direction, nding the class eld L corresponding to an
ideal group A
m
is much harder. Exhibiting practical algorithms to do so is the
principal task of computational class eld theory, and the topic of this paper.
Already in the case of the Hilbert class eld H of K from Example 2.6.2, we
know no canonical generator of H, and the problem is nontrivial.
3. Local aspects: ideles
Over K = , all abelian Galois groups are described as quotients of the
groups (,m)
+
for some modulus m
1
. One may avoid the ubiquitous
choice of moduli that arises when dealing with abelian elds by combining the
Artin isomorphisms (1-2) at all nite levels m into a single pronite Artin
isomorphism
lim

m
(,m)
+
=
b

~
Gal(
ab
,) (3-1)
between the unit group
b

+
of the pronite completion
b
of and the absolute
abelian Galois group of . The group
b

+
splits as a product
Q
p

+
p
by the
Chinese remainder theorem, and
ab
is obtained correspondingly as a com-
positum of the elds (
p
1) generated by the p-power roots of unity. The
504 HENRI COHEN AND PETER STEVENHAGEN
automorphism corresponding to u = (u
p
)
p

b

+
acts as
u
p
on p-power
roots of unity. Note that the component group
+
p

+
maps to the inertia group
at p in any nite quotient Gal(L,) of Gal(
ab
,).
For arbitrary number elds K, one can take the projective limit in (2-7) over
all moduli and describe Gal(K
ab
,K) by an exact sequence
1
+
K

b

+
K

Q
p real
(1)
)
K
Gal(K
ab
,K) Cl
K
1. (3-2)
which treats somewhat asymmetrically the nite primes occurring in
b

+
K
=
Q
p nite
U
p
and the innite primes. Here [
K
maps the element 1 at a real
prime p to the complex conjugation at the extensions of p. The image of [
K
is
the Galois group Gal(K
ab
,H) over the Hilbert class eld H, which is of nite
index h
K
=# Cl
K
in Gal(K
ab
,K). For an abelian extension L of K containing
H, the image of the component group U
p

+
K
in Gal(L,H) is again the inertia
group at p in Gal(L,K). As H is totally unramied over K, the same is true if
L does not contain H: the inertia groups for p in Gal(LH,K) and Gal(L,K)
are isomorphic under the restriction map.
A more elegant description of Gal(K
ab
,K) than that provided by the se-
quence (3-2) is obtained if one treats all primes of K in a uniform way and
redenes the Artin map [
K
as we will do in (3-7) using the idele group
A
+
K
=
Q
t
p
K
+
p
={(x
p
)
p
: x
p
U
p
for almost all p]
of K. This group [Stevenhagen 2008, Section 14], consists of those elements in
the Cartesian product of the multiplicative groups K
+
p
at all completions K
+
p
of
K that have their p-component in the local unit group U
p
for almost all p. Here
U
p
is, as before, the unit group of the valuation ring at p if p is a nite prime of K;
for innite primes p, the choice of U
p
is irrelevant as there are only nitely many
such p. We take U
p
= K
+
p
, and write U
o
to denote
Q
p innite
K
+
p
= K

.
Note that we have
Q
p nite
U
+
p
=
b

+
K
.
The topology on A
+
K
is the restricted product topology: elements are close
if they are p-adically close at nitely many p and have a quotient in U
p
for
all other p. With this topology, K
+
embeds diagonally into A
+
K
as a discrete
subgroup. As the notation suggests, A
+
K
is the unit group of the adele ring
A
K
=
Q
t
p
K
p
, the subring of
Q
p
K
p
consisting of elements having integral
components for almost all p.
To any idele x =(x
p
)
p
, we can associate an ideal x
K
=
Q
p nite
p
ord
p
(x
p
)
,
and this makes the group I
K
of fractional
K
-ideals into a quotient of A
+
K
.
For a global element x K
+
A
+
K
, the ideal x
K
is the principal
K
-ideal
generated by x, and so we have an exact sequence
1
+
K

b

+
K
U
o
A
+
K
,K
+
Cl
K
1 (3-3)
COMPUTATIONAL CLASS FIELD THEORY 505
that describes the idele class group A
+
K
,K
+
of K in a way reminiscent of (3-2).
To obtain Gal(K
ab
,K) as a quotient of A
+
K
,K
+
, we show that the ray class
groups Cl
m
dened in the previous section are natural quotients of A
+
K
,K
+
. To
do so, we associate to a modulus m=m
0
m
o
of K an open subgroup W
m
A
+
K
,
as follows. Write m=
Q
p
p
n(p)
as a formal product, with n(p) =ord
p
(m
0
) for
nite p, and n(p) {0. 1] to indicate the innite p in m
o
. Now put
W
m
=
Q
p
U
(n(p))
p
for subgroups U
(k)
p
K
+
p
that are dened by
U
(k)
p
=
8

<

:
U
p
1 p
k
U

p
U
p
=
+
if k =0;
if p is nite and k >0;
if p is real and k =1.
Here we write U

p
for real p to denote the subgroup of positive elements in U
p
.
Because
+
and
+
>0
have no proper open subgroups, one sees from the deni-
tion of the restricted product topology on A
+
K
that a subgroup H A
+
K
is open
if and only if it contains W
m
for some modulus m.
LEMMA 3.4. For every modulus m=
Q
p
p
n(p)
of K, there is an isomorphism
A
+
K
,K
+
W
m

~
Cl
m
that maps (x
p
)
p
to the class of
Q
p nite
p
ord
p
(yx
p
)
. Here y K
+
is a global
element satisfying yx
p
U
n(p)
p
for all p[m.
PROOF. Note rst that the global element y required in the denition exists by
the approximation theorem. The precise choice of y is irrelevant, since for any
two elements y and y
t
satisfying the requirement, we have y,y
t
1 mod
+
m.
We obtain a homomorphism A
+
K
Cl
m
that is surjective since it maps a prime
element
p
at a nite prime p m to the class of p. Its kernel consists of the
ideles that can be multiplied into W
m
by a global element y K
+
.
If m is an admissible modulus for the nite abelian extension K L, we can
compose the isomorphism in Lemma 3.4 with the Artin map (2-4) for K L
to obtain an idelic Artin map
b
[
L{K
: A
+
K
,K
+
Gal(L,K) (3-5)
that no longer refers to the choice of a modulus m. This map, which exists
as a corollary of Theorem 2.3, is a continuous surjection that maps the class
of a prime element
p
K
+
p
A
+
K
to the Frobenius automorphism Frob
p

Gal(L,K) whenever p is nite and unramied in K L.
506 HENRI COHEN AND PETER STEVENHAGEN
For a nite extension L of K, the adele ring A
L
is obtained from A
K
by a
base change K L, so we have a norm map N
L{K
: A
L
A
K
that maps A
+
L
to A
+
K
and restricts to the eld norm on L
+
A
+
L
. Since it induces the ideal
norm I
L
I
K
on the quotient I
L
of A
+
K
, one deduces that the kernel of (3-5)
equals (K
+
N
L{K
A
+
L
|) mod K
+
, and that we have isomorphisms
A
+
K
,K
+
N
L{K
A
+
L
| I
m
,A
m

~
Gal(L,K). (3-6)
with A
m
the ideal group modulo m that corresponds to L in the sense of (2-9).
Taking the limit in (3-5) over all nite abelian extensions KL inside K, one
obtains the idelic Artin map
[
K
: A
+
K
,K
+
G
ab
K
=Gal(K
ab
,K). (3-7)
This is a continuous surjection that is uniquely determined by the property that
the [
K
-image of the class of a prime element
p
K
+
p
A
+
K
maps to the
Frobenius automorphism Frob
p
Gal(L,K) for every nite abelian extension
KL in which p is unramied. It exhibits all abelian Galois groups over K as
a quotient of the idele class group A
+
K
,K
+
of K.
The kernel of the Artin map (3-7) is the connected component of the unit
element in A
+
K
,K
+
. In the idelic formulation, the nite abelian extensions of
K inside K correspond bijectively to the open subgroups of A
+
K
,K
+
under the
map
L[
-1
K
Gal(K
ab
,L)| =(K
+
N
L{K
A
+
L
|) mod K
+
.
In this formulation, computational class eld theory amounts to generating, for
any given open subgroup of A
+
K
,K
+
, the abelian extension KL correspond-
ing to it.
EXAMPLE 3.8. Before continuing, let us see what the idelic reformulation of
(3-1) comes down to for K = . Every idele x = ((x
p
)
p
. x
o
) A
+

can
uniquely be written as the product of the rational number
sign(x
o
)
Q
p
p
ord
p
(x
p
)

+
and a unit idele u
x

Q
p

+
p

>0
=
b

>0
. In this way, the Artin map
(3-7) becomes a continuous surjection
[

: A
+

,
+

>0
Gal(
ab
,).
Its kernel is the connected component {1]
>0
of the unit element in A
+

,
+
.
Comparison with (3-1) leads to a commutative diagram of isomorphisms
COMPUTATIONAL CLASS FIELD THEORY 507
b

+ -1
//
can ~

+
~ (3-1)

A
+

,(
+

>0
)
~
//
Gal(
ab
,)
(3-8)
in which the upper horizontal map is not the identity. To see this, note that the
class of the prime element
+
I
A
+

in A
+

,(
+

>0
) is represented by the
idele x =(x
p
)
p

+
having components x
p
=
-1
for p = and x
I
=1. This
idele maps to the Frobenius of , which raises roots of unity of order coprime
to to their -th power. Since x is in all W
m
for all conductors m=
k
, it xes
-power roots of unity. Thus, the upper isomorphism 1 is inversion on
b

+
.
Even though the idelic and the ideal group quotients on the left hand side of the
arrow in (3-6) are the same nite group, it is the idelic quotient that neatly
encodes information at the ramifying primes p[m, which seem absent in the
other group. More precisely, we have for all primes p an injective map K
+
p

A
+
K
,K
+
that can be composed with (3-7) to obtain a local Artin map [
K
p
:
K
+
p
Gal(L,K) at every prime p of K. If p is nite and unramied in KL,
we have U
p
ker [
K
p
and an induced isomorphism of nite cyclic groups
K
+
p
,(
(
p
p
)U
p
=K
+
p
,N
L
q
{K
p
L
+
q
|
~
(Frob
p
) =Gal(L
q
,K
p
).
since Frob
p
generates the decomposition group of p in Gal(L,K), which may
be identied with the Galois group of the local extension K
p
L
q
at a prime
q[p in L. It is a nontrivial fact that (3-5) induces for all primes p of K, including
the ramifying and the innite primes, a local Artin isomorphism
[
L
q
{K
p
: K
+
p
,N
L
q
{K
p
L
+
q
|
~
Gal(L
q
,K
p
). (3-10)
In view of our observation after (3-2), it maps U
p
,N
L
q
{K
p
U
q
| for nite p iso-
morphically onto the inertia group of p.
We can use (3-10) to locally compute the exponent n(p) to which p occurs
in the conductor of K L: it is the smallest nonnegative integer k for which
we have U
(k)
p
N
L
q
{K
p
L
+
q
|. For unramied primes p we obtain n(p) =0, as
the local norm is then surjective on the unit groups. For tamely ramied primes
we have n(p) = 1, and for wildly ramied primes p, the exponent n(p) may
be found by a local computation. In many cases it is sufcient to use an upper
bound coming from the fact that every d-th power in K
+
p
is a norm from L
q
,
with d the degree of K
p
L
q
(or even KL). Using Hensels Lemma [Buhler
and Wagon 2008], one then nds
n(p) e(p,p)

1
p1
ord
p
(e
p
)

1. (3-11)
508 HENRI COHEN AND PETER STEVENHAGEN
where e(p,p) is the absolute ramication index of p over the underlying ratio-
nal prime p and e
p
is the ramication index of p in K L. Note that e
p
is
independent of the choice of an extension prime as K L is Galois.
4. Computing class elds: preparations
Our fundamental problem is the computation of the class eld L that cor-
responds to a given ideal group A
m
of K in the sense of (2-5). One may
give A
m
by specifying m and a list of ideals for which the classes in the ray
class group Cl
m
generate A
m
. The rst step in computing L is the computa-
tion of the group I
m
,A
m
that will give us control of the Artin isomorphism
I
m
,A
m

~
Gal(L,K). Because linear algebra over provides us with good
algorithms [Cohen 2000, Section 4.1] to deal with nite or even nitely gener-
ated abelian groups, this step essentially reduces to computing the nite group
Cl
m
of which I
m
,A
m
is quotient.
For the computation of the ray class group Cl
m
modulo m = m
0
m
o
, one
computes, in line with [Schoof 2008], the three other groups in the exact se-
quence (2-7) in which it occurs, and the maps between them. The class group
Cl
K
and the unit group
+
K
in (2-7) can be computed using the algorithm de-
scribed in [Stevenhagen 2008, Section 12], which factors smooth elements of

K
over a factor base. As this takes exponential time as a function of the base
eld K, it can only be done for moderately sized K. For the group (
K
,m
0
)
+
,
one uses the Chinese remainder theorem to decompose it into a product of local
multiplicative groups the form (
K
,p
k
)
+
. Here we need to assume that we are
able to factor m
0
, but this is a safe assumption as we are unlikely to deal with
extensions for which we cannot even factor the conductor. The group (
K
,p
k
)
+
is a product of the cyclic group k
+
p
=(
K
,p)
+
and the subgroup (1p),(1p
k
),
the structure of which can be found inductively using the standard isomorphisms
(1 p
a
),(1 p
a1
) k
p
and, more efciently,
(1 p
a
),(1 p
2a
)
~
p
a
,p
2a
between multiplicative and additive quotients. In many cases, the result can be
obtained in one stroke using the p-adic logarithm [Cohen 2000, Section 4.2.2].
Finding Cl
m
from the other groups in (2-7) is now a standard application of
linear algebra over . The quotient I
m
,A
m
gives us an explicit description of
the Galois group Gal(L,K) in terms of Artin symbols of
K
-ideals.
For the ideal group A
m
, we next compute its conductor f, which may be a
proper divisor of m. This comes down to checking whether we have A
m

I
m
R
n
for some modulus n[m. Even in the case A
m
= R
m
, the conductor
can be smaller than m, as the trivial isomorphism (,6)
+

~
(,3)
+
of ray
class groups over K= shows. The conductor f obtained, which is the same as
COMPUTATIONAL CLASS FIELD THEORY 509
the conductor f
L{K
of the corresponding extension, is exactly divisible by the
primes that ramify in K L. In particular, we know the signature of L from
the real primes dividing f. With some extra effort, one can even compute the
discriminant z
L{K
using Hasses F uhrerdiskriminantenproduktformel
z
L{K
=
Y
y:I
m
{A
m
-

f(y)
0
. (4-1)
Here y ranges over the characters of the nite group I
m
,A
m
Gal(L,K),
and f(y)
0
denotes the nite part of the conductor f(y) of the ideal group A
y
modulo m satisfying A
y
,A
m
=ker y. All these quantities can be computed by
the standard algorithms for nite abelian groups.
EXAMPLE 4.2. If KL is cyclic of prime degree , we have a trivial character
of conductor (1) and 1 characters of conductor f
L{K
, so (4-1) reduces to
z
L{K
=(f
L{K
)
I-1
0
.
In particular, we see that the discriminant of a quadratic extension KL is not
only for K = , but generally equal to the nite part of the conductor of the
extension.
Having at our disposal the Galois group Gal(L,K), the discriminant z
L{K
, and
the Artin isomorphismI
m
,A
m

~
Gal(L,K) describing the splitting behavior
of the primes in K L, we proceed with the computation of a generator for
L over K, that is, an irreducible polynomial in KX| with the property that its
roots in K generate L.
Because the computation of class elds is not an easy computation, it is often
desirable to decompose Gal(L,K) as a product
Q
i
Gal(L
i
,K) of Galois groups
Gal(L
i
,K) and to realize Las a compositumof extensions L
i
that are computed
separately. This way one can work with extensions L,K that are cyclic of prime
power order, or at least of prime power exponent. The necessary reduction of
the global class eld theoretic data for L,K to those for each of the L
i
is only
a short computation involving nite abelian groups.
5. Class elds as Kummer extensions
Let K be any eld containing a primitive n-th root of unity
n
, and let KL
be an abelian extension of exponent dividing n. In this situation, Kummer theory
[Lang 2002, Chapter VIII, ~ 68] tells us that L can be obtained by adjoining to
K the n-th roots of certain elements of K. More precisely, let W
L
=K
+
L
+
n
be the subgroup of K
+
of elements that have an n-th root in L. Then we have
510 HENRI COHEN AND PETER STEVENHAGEN
L=K(
n
_
W
L
), and there is the canonical Kummer pairing
Gal(L,K) W
L
,K
+
n
(
n
)
(o. n) (o. n) =(n
1{n
)
o-1
=
o(
n
_
n)
n
_
n
.
(5-1)
By canonical, we mean that the natural action of an automorphism t Aut(K)
on the pairing for K L yields the Kummer pairing for tK tL, that is,
(tot
-1
. tn) =(o. n)
r
. (5-2)
The Kummer pairing is perfect, that is, it induces an isomorphism
W
L
,K
+
n

~
Hom(Gal(L,K).
+
). (5-3)
In the case where Gal(L,K) is cyclic of order n, this means that L =K(
n
_
)
and W
L
= K
+
L
+
n
= () K
+
n
for some K. If
n
p
also generates L
over K, then and are powers of each other modulo n-th powers.
We will apply Kummer theory to generate the class elds of a number eld K.
Thus, let Lbe the class eld of K fromSection 4 that is to be computed. Suppose
that we have computed a small modulus f for L that is only divisible by the
ramifying primes, such as the conductor f
L{K
, and an ideal group A
f
for L by
the methods of Section 4. With this information, we control the Galois group
of our extension via the Artin isomorphism I
f
,A
f

~
Gal(L,K). Let n be
the exponent of Gal(L,K). Then we can directly apply Kummer theory if K
contains the required n-th roots of unity; if not, we need to pass to a cyclotomic
extension of K rst. This leads to a natural case distinction.
Case 1: K contains a primitive n-th root of unity
n
. Under the restrictive
assumption that K contains
n
, the class eld L is a Kummer extension of K,
and generating L=K(
n
_
W
L
) comes down to nding generators for W
L
,K
+
n
.
We rst compute a nite group containing W
L
,K
+
n
. This reduction is a familiar
ingredient from the proofs of class eld theory [Artin and Tate 1990; Cassels
and Fr ohlich 1967].
LEMMA 5.4. Let K L be nite abelian of exponent n, and assume
n
K.
Suppose S is a nite set of primes of K containing the innite primes such that
(1) K L is unramied outside S;
(2) Cl
K
,Cl
n
K
is generated by the classes of the nite primes in S.
Then the image of the group U
S
of S-units in K
+
,K
+
n
is nite of order n
#S
,
and it contains the group W
L
,K
+
n
from (5-1).
The rst condition in Lemma 5.4 means that S contains all the primes that divide
our small modulus f. The second condition is automatic if the class number of K
is prime to n, and it is implied by the rst if the classes of the ramifying primes
COMPUTATIONAL CLASS FIELD THEORY 511
generate Cl
K
,Cl
n
K
. Any set of elements of Cl
K
generating Cl
K
,Cl
n
K
actually
generates the full n-part of the class group, that is, the product of the p-Sylow
subgroups of Cl
K
at the primes p[n. In general, there is a lot of freedom in the
choice of primes in S outside f. One tries to have S small in order to minimize
the size n
#S
of the group (U
S
K
+
n
),K
+
n
containing W
L
,K
+
n
.
PROOF OF LEMMA 5.4. By the Dirichlet unit theorem [Stevenhagen 2008,
Theorem 10.9], the group U
S
of S-units of K is isomorphic to j
K

#S-1
.
As j
K
contains
n
, the image (U
S
K
+
n
),K
+
n
U
S
,U
n
S
of U
S
in K
+
,K
+
n
is nite of order n
#S
.
To show that (U
S
K
+
n
),K
+
n
contains W
L
,K
+
n
, pick any W
L
. Since
K K(
n
_
) is unramied outside S, we have () = a
S
b
n
for some product
a
S
of prime ideals in S and b coprime to all nite primes in S. As the primes
in S generate the n-part of Cl
K
, we can write b = b
S
c with b
S
a product of
prime ideals in S and c an ideal of which the class in Cl
K
is of order u coprime
to n. Now
u
generates an ideal of the form (
u
) =a
t
S
(;
n
) with a
t
S
a product
of prime ideals in S and ; K
+
. It follows that
u
;
-n
K
+
is an S-unit, and
so
u
and therefore is contained in U
S
K
+
n
.
In the situation of Lemma 5.4, we see that KL is a subextension of the Kum-
mer extension KN =K(
n
_
U
S
) of degree n
#S
. We have to nd the subgroup
of U
S
,U
n
S
corresponding to L. This amounts to a computation in linear algebra
using the Artin map and the Kummer pairing. For ease of exposition, we assume
that the set S we choose to satisfy Lemma 5.4 contains all primes dividing n.
This implies that N is the maximal abelian extension of exponent n of K that
is unramied outside S.
As we compute L as a subeld of the abelian extension K N, we replace
the modulus f of K L by some multiple m that is an admissible modulus for
KN. Clearly m only needs to be divisible by the ramied primes in KN,
which are all in S. Wild ramication only occurs at primes p dividing n, and
for these primes we can take ord
p
(m) equal to the bound given by (3-11). The
ideal group modulo m corresponding to N is I
n
m
P
m
because N is the maximal
exponent-n extension of K of conductor m; hence the Artin map for K N is
I
m
I
m
,(I
n
m
P
m
) =Cl
m
,Cl
n
m

~
Gal(N,K). (5-5)
The induced map I
m
Gal(L,K) is the Artin map for K L, which has
the ideal group A
m
corresponding to L as its kernel. Let
L
I
m
be a nite
set of ideals of which the classes generate the ,n-module A
m
,(I
n
m
P
m
)
Gal(N,L). We then have to determine the subgroup V
L
U
S
consisting of
those S-units : U
S
that have the property that
n
_
: is left invariant by the Artin
symbols of all ideals in
L
, since the class eld we are after is L=K(
n
_
V
L
).
512 HENRI COHEN AND PETER STEVENHAGEN
We are here in a situation to apply linear algebra over ,n, because the
Kummer pairing (5-1) tells us that the action of the Artin symbols [
N{K
(a) of
the ideals a I
m
on the n-th roots of the S-units is described by the pairing of
,n-modules given by
I
m
,I
n
m
U
S
,U
n
S
(
n
)
(a. u) ([
N{K
(a). u) =(u
1{n
)
)
N=K
(a)-1
.
(5-6)
Making this computationally explicit amounts to computing the pairing for some
choice of basis elements of the three modules involved.
For (
n
) we have the obvious ,n-generator
n
, and I
m
,I
n
m
is a free ,n-
module generated by the primes p , S. If K is of moderate degree, the gen-
eral algorithm [Stevenhagen 2008, Section 12] for computing units and class
groups can be used to compute generators for U
S
, which then form a ,n-
basis for U
S
,U
n
S
. In fact, nding s 1 = #S 1 independent units in U
S
that generate a subgroup of index coprime to n is enough: together with a
root of unity generating j
K
, these will generate U
S
,U
n
S
. This is somewhat
easier than nding actual generators for U
S
, because maximality modulo n-th
powers is not difcult to establish for a subgroup U U
S
having the right rank
s =#S. Indeed, each reduction modulo a small prime p,S provides a character
U U
S
k
+
p
,(k
+
p
)
n
(
n
), the n-th power residue symbol at p. By nding
s independent characters, one shows that the intersection of their kernels equals
U
n
=U U
n
S
.
For a prime p ,S and u U
S
, the denitions of the Kummer pairing and the
Frobenius automorphism yield
(Frob
p
. u) =(u
1{n
)
Frob
p
-1
u
(Np-1){n
k
+
p
.
where Np =#k
p
is the absolute norm of p. Thus (Frob
p
. u) is simply the power
of
n
that is congruent to u
(Np-1){n
k
+
p
. Even when p is large, this is not
an expensive discrete logarithm problem in k
+
p
, since in practice the exponent
n L : K| is small: one can simply check all powers of
n
k
+
p
. Since (
n
)
reduces injectively modulo primes p n, the n-root of unity (Frob
p
. u) can be
recovered from its value in k
+
p
.
From the values (Frob
p
. u), we compute all symbols ([
N{K
(a). u) by lin-
earity. It is now a standard computation in linear algebra to nd generators for
the subgroup V
L
,U
n
S
U
S
,U
n
S
that is annihilated by the ideals a
L
under
the pairing (5-6). This yields explicit generators for the Kummer extension
L=K(
n
_
V
L
), and concludes the computation of Lin the case where K contains

n
, with n the exponent of Gal(L,K).
COMPUTATIONAL CLASS FIELD THEORY 513
Case 2: K does not contain
n
. In this case L is not a Kummer extension of K,
but L
t
=L(
n
) is a Kummer extension of K
t
=K(
n
).
L
t
=L(
n
)
L
s
s
N
N
N
N
N
N
N
N
N
N
N
K
t
=K(
n
)
P
P
P
P
P
P
P
P
P
P
P
p
p
LK
t
K
(5-7)
To nd generators of L
t
over K
t
by the method of Case 1, we need to lift the
class eld theoretic data from K to K
t
to describe L
t
as a class eld of K
t
.
Lifting the modulus f = f
0
f
o
for K L is easy: as K
t
is totally complex,
f
t
= f
0

K
0 is admissible for K
t
L
t
. From the denition of the Frobenius
automorphism, it is immediate that we have a commutative diagram
I
K
0
,f
0
Artin
//
N
K
0
=K

Gal(L
t
,K
t
)
res

I
K,f
Artin
//
Gal(L,K)
As the restriction map on the Galois groups is injective, we see that the inverse
norm image N
-1
K
0
{K
A
f
I
K
0
,f
0 is the ideal group of K
t
corresponding to the
extension K
t
L
t
. Because N
-1
K
0
{K
A
f
contains P
K
0
,f
0 , computing this inverse
image takes place inside the nite group Cl
K
0
,f
0 , a ray class group for K
t
.
We perform the algorithm from Case 1 for the extension K
t
L
t
to nd
generators of L
t
over K
t
. We are then working with (ray) class groups and S-
units in K
t
rather than in K, and S has to satisfy Lemma 5.4 condition (2) for
Cl
K
0 . All this is only feasible if K
t
is of moderate degree, and this seriously
restricts the values of n one can handle in practice. Our earlier observation
that we may decompose I
f
,A
f
Gal(L,K) into a product of cyclic groups
of prime power order and generate L accordingly as a compositum of cyclic
extensions of K is particularly relevant in this context, as it reduces our problem
to a number of instances where KL is cyclic of prime power degree. Current
implementations [Fieker 2001] deal with prime power values up to 20.
We further assume for simplicity that we are indeed in the case where KL
is cyclic of prime power degree n, with K
t
=K(
n
) =K. Suppose that, using
the algorithm from Case 1, we have computed a Kummer generator 0 L
t
for
which we have L
t
= K
t
(0) = K(
n
. 0) and 0
n
= K
t
. We then need to
descend 0 efciently to a generator j of L over K. If n is prime, one has
514 HENRI COHEN AND PETER STEVENHAGEN
L=K(j) for the trace
j =Tr
L
0
{L
(0). (5-8)
For prime powers this does not work in all cases. One can however replace 0
by 0 k
n
for some small integer k to ensure that 0 generates L
t
over
K, and then general eld theory tells us that the coefcients of the irreducible
polynomial

0
L
=
Y
rGal(L
0
{L)
(X t(0)) LX| (5-9)
of 0 over L generate L over K. As we took KL to be cyclic of prime power
degree, one of the coefcients is actually a generator, and in practice the trace
works. In all cases, one needs an explicit description of the action of the Galois
group Gal(L
t
,L) on 0 and
n
in order to compute the trace (5-8), and possibly
other coefcients of
0
L
in (5-9). Finally, if we have L = K(j), we need the
action of Gal(L,K) on j in order to write down the generating polynomial

)
K
=
Y
oGal(L{K)
(X o(j)) KX|
for K L that we are after.
As before, the Artin map gives us complete control over the action of the
abelian Galois group Gal(L
t
,K) on L
t
=K(
n
. 0), provided that we describe
the elements of Gal(L
t
,K) as Artin symbols. We let m be an admissible mod-
ulus for K L
t
; the least common multiple of f
L{K
and n
Q
p real
p is an
obvious choice for m. All we need to know is the explicit action of the Frobenius
automorphism Frob
p
Gal(L
t
,K) of a prime p m of K on the generators
n
and 0 of L
t
over K. Note that p does not divide n, and that we may assume that
=0
n
is a unit at p.
The cyclotomic action of Frob
p
Gal(L
t
,K) is given by Frob
p
(
n
) =
Np
n
,
with Np =#k
p
the absolute norm of p. This provides us with the Galois action
on K
t
and yields canonical isomorphisms
Gal(K
t
,K) imN
K{
: I
m
(,n)
+
|.
Gal(K
t
,(LK
t
)) imN
K{
: A
m
(,n)
+
|.
In order to understand the action of Frob
p
on 0 =
n
_
, we rst observe that
K L
t
= K
t
(0) can only be abelian if is in the cyclotomic eigenspace of
(K
t
)
+
modulo n-th powers under the action of Gal(K
t
,K). More precisely,
applying (5-2) for K
t
L
t
with t =Frob
p
, we have Frob
p
o Frob
-1
p
=o since
Gal(L
t
,K) is abelian, and therefore
(o. Frob
p
()) =(o. )
Frob
p
=(o. )
Np
=(o.
Np
)
COMPUTATIONAL CLASS FIELD THEORY 515
for all o Gal(L
t
,K
t
). By (5-3), we conclude that
Frob
p
() =
Np
;
n
p
(5-10)
for some element ;
p
K
t
. Knowing how Frob
p
acts on K
t
=K(
n
), we can
compute ;
p
by extracting some n-th root of Frob
p
()
-Np
in K
t
. The element
;
p
is only determined up to multiplication by n-th roots of unity by (5-10).
Because we took to be a unit at p, we have ;
n
p
1 mod p by denition of
the Frobenius automorphism, and so there is a unique element ;
p
1 mod p
satisfying (5-10). With this choice of ;
p
, we have
Frob
p
(0) =0
Np
;
p
because the n-th powers of both quantities are the same by (5-10), and they are
congruent modulo p. This provides us with the explicit Galois action of Frob
p
on 0 for unramied primes p.
The description of the Galois action on 0 and
n
in terms of Frobenius sym-
bols is all we need. The Galois group Gal(L
t
,L) Gal(K
t
,(LK
t
)), which
we may identify with the subgroup N
K{
(A
m
) of (,n)
+
, is either cyclic or,
if n is a power of 2, generated by 2 elements. Picking one or two primes p
in A
m
with norms in suitable residue classes modulo n is all it takes to gener-
ate Gal(L
t
,L) by Frobenius automorphisms, and we can use these elements to
descend 0 to a generator j for L over K. We also control the Galois action of
Gal(L,K) =I
m
,A
m
on j, and this makes it possible to compute the irreducible
polynomial
)
K
for the generator j of L over K.
6. Class elds arising from complex multiplication
As we observed in Example 2.6.1, the ray class elds over the rational number
eld are the cyclotomic elds. For these elds, we have explicit generators
over that arise naturally as the values of the analytic function q : x e
2tix
on the unique archimedean completion of . The function q is periodic
modulo the ring of integers of , and it induces an isomorphism
,
~
T ={z : zz =1]
x q(x) =e
2tix
(6-1)
between the quotient group , and the circle group T of complex numbers
of absolute value 1. The KroneckerWeber theorem 1.1 states that the values
of the analytic function q at the points of the torsion subgroup , ,
generate the maximal abelian extension
ab
of . More precisely, the q-values
at the m-torsion subgroup
1
m
, of , generate the m-th cyclotomic eld
(
m
). Under this parametrization of roots of unity by ,, the Galois action
516 HENRI COHEN AND PETER STEVENHAGEN
on the m-torsion values comes from multiplications on
1
m
, by integers a
coprime to m, giving rise to the Galois group
Gal((
m
),) =Aut(
1
m
,) =(,m)
+
(6-2)
from (1-2). Taking the projective limit over all m, one obtains the identica-
tion of Gal(
ab
,) with Aut(,) =
b

+
from (3-1), and we saw in Example
3.8 that the relation with the Artin isomorphism is given by the commutative
diagram (3-8). To stress the analogy with the complex multiplication case, we
rewrite (3-8) as
b

+ -1
//
can ~

+
=A
+

,(
+

>0
)
~ Artin

Aut(,)
~
//
Gal(
ab
,)
(6-3)
where 1 denotes inversion on
b

+
.
Fromnowon, we take K to be an imaginary quadratic eld. Then K has a sin-
gle archimedean completion K, and much of what we said for the analytic
function q on , has an analogue for the quotient group ,
K
. In complete
analogy, we will dene an analytic function
K
: ,
K

1
() in (6-14)
with the property that its nite values at the m-torsion subgroup
1
m

K
,
K
of
,
K
generate the ray class eld H
m
of K of conductor m
K
. However, to
dene this elliptic function
K
on the complex elliptic curve ,
K
, we need
an algebraic description of ,
K
, which exists over an extension of K that is
usually larger than K itself. The Hilbert class eld H =H
1
of K from Example
2.6.2 is the smallest extension of K that one can use, and the torsion values of

K
generate class elds over H. This makes the construction of H itself into an
important preliminary step that does not occur over , as is its own Hilbert
class eld.
In this section, we give the classical algorithms for constructing the extensions
K H and H H
m
. The next section provides some theoretical background
and different views on complex multiplication. Our nal Section 8 shows how
such views lead to algorithmic improvements.
Complex multiplication starts with the fundamental observation [Silverman
1986, Chapter VI] that for every lattice , the complex torus , admits
a meromorphic function, the Weierstrass -function

/
: z z
-2

P
o/\0
(z o)
-2
o
-2
|.
that has period lattice and is holomorphic except for double poles at the points
of . The corresponding Weierstrass map
COMPUTATIONAL CLASS FIELD THEORY 517
W : ,E
/

2
(). z
/
(z) :
t
/
(z) : 1|
is a complex analytic isomorphism between the torus , and the complex
elliptic curve E
/

2
() dened by the afne Weierstrass equation
y
2
=4x
3
g
2
()x g
3
().
The Weierstrass coefcients
g
2
() =60
P
o/\0
o
-4
and g
3
() =140
P
o/\0
o
-6
(6-4)
of E
/
are the Eisenstein series of weight 4 and 6 for the lattice . The natural
addition on , translates into an algebraic group structure on E
/
() some-
times referred to as chord and tangent addition. On the Weierstrass model E
/
,
the point O =0 : 1 : 0| =W(0 mod ) at innity is the zero point, and any line
in
2
() intersects the curve E
/
in 3 points, counting multiplicities, that have
sum O.
All complex analytic maps ,
1
,
2
xing the zero point are multi-
plications z zz with z satisfying z
1

2
. These are clearly group
homomorphisms, and in the commutative diagram
,
1
z
//
W
1
~

,
2
W
1
~

E
/
1

//
E
/
2
(6-5)
the corresponding maps
z
: E
/
1
E
/
2
between algebraic curves are known
as isogenies. For z = 0, the isogeny
z
is a nite algebraic map of degree

2
: z
1
|, and E
/
1
and E
/
2
are isomorphic as complex algebraic curves if
and only if we have z
1
=
2
for some z . The isogenies E
/
E
/
form
the endomorphism ring
End(E
/
) ={z : z] (6-6)
of the curve E
/
, which we can view as a discrete subring of . The z-value
of the analytically dened endomorphism multiplication by z is reected
algebraically as a true multiplication by z of the invariant differential dx,y on
E
/
coming from dz =d(
/
),
t
/
. If End(E
/
) is strictly larger than , it is a
complex quadratic order and E
/
is said to have complex multiplication (CM)
by .
To generate the class elds of our imaginary quadratic eld K, we employ an
elliptic curve E
/
having CM by
K
. Such a curve can be obtained by taking
equal to
K
or to a fractional
K
-ideal a, but the Weierstrass coefcients (6-4)
for =a will not in general be algebraic.
518 HENRI COHEN AND PETER STEVENHAGEN
In order to nd an algebraic model for the complex curve E
/
, we scale
to a homothetic lattice z to obtain a -isomorphic model
E
z/
: y
2
=4x
3
z
-4
g
2
()x z
-6
g
3
()
under the Weierstrass map. The discriminant z=g
3
2
27g
2
3
of the Weierstrass
polynomial 4x
3
g
2
x g
3
does not vanish, and the lattice function
z() =g
2
()
3
27g
3
()
2
is of weight 12: it satises z(z) =z
-12
z(). Thus, the j -invariant
j() =1728
g
2
()
3
z()
=1728
g
2
()
3
g
2
()
3
27g
3
()
2
(6-7)
is of weight zero and is an invariant of the homothety class of or, equiva-
lently, the isomorphism class of the complex elliptic curve ,. It generates
the minimal eld of denition over which , admits a Weierstrass model.
If E
/
has CM by
K
, then is homothetic to some
K
-ideal a. It follows
that, up to isomorphism, there are only nitely many complex elliptic curves E
/
having CM by
K
, one for each ideal class in Cl
K
. Because any automorphism
of maps the algebraic curve E
/
to an elliptic curve with the same endomor-
phism ring, we nd that the j -invariants of the ideal classes of
K
form a set of
h
K
=# Cl
K
distinct algebraic numbers permuted by the absolute Galois group
G

of . This allows us to dene the Hilbert class polynomial of K as


Hil
K
(X) =
Y
ajCl
K
(X j(a)) X|. (6-8)
Its importance stems from the following theorem, traditionally referred to as the
rst main theorem of complex multiplication.
THEOREM 6.9. The Hilbert class eld H of K is the splitting eld of the
polynomial Hil
K
(X) over K. This polynomial is irreducible in KX|, and the
Galois action of the Artin symbol o
c
=[
H{K
(c) of the ideal class c| Cl
K

Gal(H,K) on the roots j(a) of Hil
K
(X) is given by j(a)
o
c
=j(ac
-1
).
To compute Hil
K
(X) from its denition (6-8), one compiles a list of
K
-ideal
classes in the style of Gauss, who did this in terms of binary quadratic forms.
Every
K
-ideal class a| has a representative of the form t , with t K
a root of some irreducible polynomial aX
2
bX c X| of discriminant
b
2
4ac =z
K{
. If we take for t the root in the complex upper half plane H,
the orbit of t under the natural action

(z) =
z
;z
COMPUTATIONAL CLASS FIELD THEORY 519
of the modular group SL
2
() on H is uniquely determined by a| Cl
K
. In this
orbit, there is a unique element
t
a
=
b
_
b
2
4ac
2a
H
that lies in the standard fundamental domain for the action of SL
2
() on H
consisting of those z H that satisfy the two inequalities [Re(z)[
1
2
and zz 1
and, in case we have equality in either of them, also Re(z) 0. This yields a
description
a| =
h

b
_
b
2
4ac
2a

i
(a. b. c)
of the elements of Cl
K
as reduced integer triples (a. b. c) whose discriminant
is b
2
4ac = z
K{
. As we have Re(t
a
) = b,2a and t
a
t
a
= c,a, the re-
duced integer triples (a. b. c) corresponding to t
a
in the fundamental domain for
SL
2
() are those satisfying
[b[ a c and b
2
4ac =z
K{
.
where b is nonnegative if [b[ =a or a =c. For reduced forms, one sees from the
inequality z
K{
=b
2
4ac a
2
4a
2
=3a
2
that we have bounds [b[ a
p
[z
K{
[,3, so the list is indeed nite and can easily be generated [Cohen 1993,
Algorithm 5.3.5]. See [Cox 1989] for the classical interpretation of the triples
(a. b. c) as positive denite integral binary quadratic forms aX
2
bXY cY
2
of discriminant b
2
4ac =z
K{
.
If we put j(t) = j(t ), the j -function (6-7) becomes a holomorphic
function j : H invariant under the action of SL
2
(). As it is in particular
invariant under t t 1, it can be expressed in various ways in terms of the
variable q =e
2tir
from (6-1). Among them is the well-known integral Fourier
expansion
j(t) =j(q) =q
-1
744 196884q . . . q
-1
q|| (6-10)
that explains the normalizing factor 1728 in the denition (6-7) of j . It implies
[Lang 1987, Chapter 5, ~ 2] that the roots of Hil
K
(X) in (6-8) are algebraic
integers, and so Hil
K
(X) is a polynomial in X| that can be computed exactly
from complex approximations of its roots that are sufciently accurate to yield
the right hand side of (6-8) in X| to one-digit precision. For numerical
computations of j(t), one uses approximate values of the Dedekind j-function
j(t) =q
1{24
Y
n1
(1 q
n
) =q
1{24
X
n
(1)
n
q
n(3n-1){2
. (6-11)
520 HENRI COHEN AND PETER STEVENHAGEN
which has a lacunary Fourier expansion that is better suited for numerical pur-
poses than (6-10). From j-values one computes f
2
(t) =
_
2j(2t),j(t) and
nally j(t) as
j(t) =
(f
24
2
(t) 16)
3
f
24
2
(t)
. (6-12)
This nishes the description of the classical algorithm to compute the Hilbert
class eld H of K.
Having computed the irreducible polynomial Hil
K
(X) of j
K
= j(
K
), we
can write down a Weierstrass model E
K
for ,
K
over H =K(j
K
) (or even
over (j
K
)) and use it to generate the ray class eld extensions H H
m
.
Choosing E
K
is easy in the special cases K =(
3
). (i ), when one of g
2
=
g
2
(
K
) and g
3
= g
3
(
K
) vanishes and the other can be scaled to have any
nonzero rational value. For K = (
3
). (i ), the number z =
p
g
3
,g
2

+
is determined up to sign, and since we have
c
K
=z
-4
g
2
=z
-6
g
3
=g
3
2
g
-2
3
=27
j
K
j
K
1728
.
the model y
2
= 4x
3
c
K
x c
K
for ,z
K
is dened over (j
K
) H. A
more classical choice is z
2
=z,(g
2
g
3
), with g
2
, g
3
and z associated to
K
,
giving rise to the model
E
K
: y
2
=n
K
(x) =4x
3

c
K
(c
K
27)
2
x
c
K
(c
K
27)
3
. (6-13)
Any scaled Weierstrass parametrization W
K
: ,
K

~
E
K
with E
K
dened
over H can serve as the imaginary quadratic analogue of the isomorphism q :
,
~
T in (6-1). For the model E
K
in (6-13), the x-coordinate
z
K
(zz) =
z
-2

K
(z) of W
K
(z) is given by the Weber function

K
(z) =
g
2
(
K
)g
3
(
K
)
z(
K
)

K
(z). (6-14)
It has weight 0 in the sense that the right side is invariant under simultaneous
scaling (
K
. z) (z
K
. zz) by z
+
of the lattice
K
and the argument z.
In the special cases K = (i ) and (
3
) that have
+
K
of order 4 and 6,
there are slightly different Weber functions
K
that are not the x-coordinates
on a Weierstrass model for ,
K
over H, but an appropriately scaled square
and cube of such x-coordinates, respectively. In all cases, the analogue of the
KroneckerWeber theorem for K is the following second main theorem of com-
plex multiplication.
COMPUTATIONAL CLASS FIELD THEORY 521
THEOREM 6.15. The ray class eld H
m
of conductor m
K
of K is generated
over the Hilbert class eld H of K by the values of the Weber function
K
at
the nonzero m-torsion points of ,
K
.
In the non-special cases, the values of
K
at the m-torsion points of ,
K
are
the x-coordinates of the nonzero m-torsion points of the elliptic curve E
K
in (6-
13). For K=(i ) and (
3
), one uses squares and cubes of these coordinates.
In all cases, generating H
m
over H essentially amounts to computing division
polynomials T
m
X| that have these x-coordinates as their roots. We will
dene these polynomials as elements of Hx|, because the recursion formulas
at the end of this section show that their coefcients are elements of the ring
generated over by the coefcients of the Weierstrass model of E
K
.
If m is odd, the nonzero m-torsion points come in pairs {P. P] with the
same x-coordinate x
P
=x
-P
, and we can dene a polynomial T
m
(x) Hx|
of degree (m
2
1),2 up to sign by
T
m
(x)
2
=m
2
Y
PE
K
mj(),
PyO
(x x
P
).
For even m, we adapt the denition by excluding the 2-torsion points satisfying
P =P from the product, and dene T
m
(X) Hx| of degree (m
2
4),2 by
T
m
(x)
2
=(m,2)
2
Y
PE
K
mj(),
2PyO
(x x
P
).
The missing x-coordinates of the nonzero 2-torsion points are the zeros of the
cubic polynomial n
K
Hx| in (6-13). This is a square in the function eld of
the elliptic curve (6-13), and in many ways the natural object to consider is the
division polynomial
[
m
(x. y) =
(
T
m
(x)
2yT
m
(x)
if m is odd;
if m is even.
This is an element of the function eld (x. y) living in the quadratic extension
Hx. y| of the polynomial ring Hx| dened by y
2
= n
K
(x). It is uniquely
dened up to the sign choice we have for T
m
. Most modern texts take the sign
of the highest coefcient of T
m
equal to 1. Weber [1908, p. 197] takes it equal
to (1)
m-1
, which amounts to a sign change y y in [
m
(x. y).
By construction, the function [
m
has divisor (1m
2
)O|
P
PyO, mP=O
P|.
The normalizing highest coefcients m and m,2 in T
m
lead to neat recursive
522 HENRI COHEN AND PETER STEVENHAGEN
formulas
[
2m1
=[
m2
[
3
m
[
3
m1
[
m-1
.
[
2m
=(2y)
-1
[
m
([
m2
[
2
m-1
[
2
m1
[
m-2
)
for [
m
that are valid for m > 1 and m > 2. These can be used to compute [
m
and T
m
recursively, using repeated doubling of m. One needs the initial values
T
1
=T
2
=1 and
T
3
=3X
4
6aX
2
12bX a
2
.
T
4
=2X
6
10aX
4
40bX
3
10a
2
X
2
8abX 16b
2
2a
3
.
where we have written the Weierstrass polynomial in (6-13) as n
K
= 4(x
3

ax b) to indicate the relation with the nowadays more common afne model
y
2
=x
3
ax b to which E
K
is isomorphic under (x. y) (x. y,2).
7. Class elds from modular functions
The algorithms in the previous section are based on the main Theorems 6.9
and 6.15 of complex multiplication, which can be found already in Webers
textbook [1908] and predate the class eld theory for general number elds.
The oldest proofs of 6.9 and 6.15 are of an analytic nature, and derive arithmetic
information from congruence properties of Fourier expansions such as (6-10).
Assuming general class eld theory, one can shorten these proofs as it sufces,
just as after Theorem 2.2, to show that, up to sets of primes of zero density, the
right primes split completely in the purported class elds. In particular, it is
always possible to restrict attention to the primes of K of residue degree one in
such arguments. Deuring [1958] provides analytic proofs of both kinds in his
survey monograph.
Later proofs [Lang 1987, Part 2] of Deuring and Shimura combine class eld
theory with the reduction of the endomorphisms in (6-6) modulo primes, which
yields endomorphisms of elliptic curves over nite elds. These proofs are
rmly rooted in the algebraic theory of elliptic curves [Silverman 1986; Silver-
man 1994]. Here one takes for E
/
in (6-6) an elliptic curve E that has CM
by
K
and is given by a Weierstrass equation over the splitting eld H
t
over
K of the Hilbert class polynomial Hil
K
(X) in (6-8). In this case the Weier-
strass equation can be considered modulo any prime q of H
t
, and for almost
all primes, known as the primes of good reduction, this yields an elliptic curve
E
q
= E mod q over the nite eld k
q
=
H
0 ,q. For such q, the choice of an
extension of q to yields a reduction homomorphism E
K
() E
q
(k
q
) on
points that is injective on torsion points of order coprime to q. The endomor-
phisms of E are given by rational functions with coefcients in H
t
, and for
COMPUTATIONAL CLASS FIELD THEORY 523
primes q of H
t
of good reduction there is a natural reduction homomorphism
End(E) End(E
q
)
that is injective and preserves degrees. The complex multiplication by an ele-
ment End(E) =
K
multiplies the invariant differential dx,y on E by ,
so it becomes inseparable in End(E
q
) if and only if q divides . The rst main
theorem of complex multiplication (Theorem 6.9), which states that H
t
equals
the Hilbert class eld H of K and provides the Galois action on the roots of
Hil
K
(X), can now be derived as follows.
PROOF OF THEOREM 6.9. Let p be a prime of degree one of K that is coprime
to the discriminant of Hil
K
(X), and let
K
be an element of order 1 at p,
say p
-1
=b with (b. p) =1. Let a be a fractional
K
-ideal. Then the complex
multiplication : ,a ,a factors in terms of complex tori as
,a
can
,ap
-1

,ab
can
,a.
If E and E
t
denote Weierstrass models over H
t
for ,a and ,ap
-1
, we obtain
isogenies E E
t
E of degree p = Np and Nb with composition . If
we assume that E and E
t
have good reduction above p, we can reduce the
isogeny E E
t
at some prime q[p to obtain an isogeny E
q
E
t
q
of degree p.
This isogeny is inseparable as lies in q, and therefore equal to the Frobe-
nius morphism E
q
E
(p)
q
followed by an isomorphism E
(p)
q

~
E
t
q
. The
result is an equality j(E
(p)
q
) =j(E
t
q
) of j -invariants that amounts to j(a)
p
=
j(ap
-1
) mod q, and this implies the Frobenius automorphism o
q
Gal(H
t
,K)
acts as j(a)
o
q
=j(ap
-1
), independent of the choice of the extension prime q[p.
Because the j -function is an invariant for the homothety class of a lattice, we
have j(a) =j(ap
-1
) if and only if p is principal. It follows that up to nitely
many exceptions, the primes p of degree one splitting completely in K H
t
are the principal primes, so H
t
equals the Hilbert class eld H of K, and the
splitting primes in K H are exactly the principal primes. Moreover, we have
j(a)
o
c
=j(ac
-1
) for the action of the Artin symbol o
c
, and Hil
K
is irreducible
over K as its roots are transitively permuted by Gal(H,K) =Cl
K
.
In a similar way, one can understand the content of the second main theorem
of complex multiplication. If E
K
is a Weierstrass model for ,
K
dened
over the Hilbert class eld H of K, then the torsion points in E
K
() have
algebraic coordinates. As the group law is given by algebraic formulas over H,
the absolute Galois group G
H
of H acts by group automorphisms on
E
tor
K
() K,
K
.
Moreover, the action of G
H
commutes with the complex multiplication action
of End(E
K
)
K
, which is given by isogenies dened over H. It follows that
524 HENRI COHEN AND PETER STEVENHAGEN
G
H
acts by
K
-module automorphisms on E
tor
K
(). For the cyclic
K
-module
E
K
m|()
1
m

K
,
K
of m-torsion points, the resulting Galois representation
G
H
Aut

K
(
1
m

K
,
K
) (
K
,m
K
)
+
of G
H
is therefore abelian. It shows that, just as in the cyclotomic case (6-2),
the Galois action over H on the m-division eld of E
K
, which is the extension
of H generated by the m-torsion points of E
K
, comes from multiplications on
1
m

K
,
K
by integers
K
coprime to m. The content of Theorem 6.15 is
that, in line with (2-8), we obtain the m-th ray class eld of K from this m-
division eld by taking invariants under the action of
+
K
= Aut(E
K
). In the
generic case where
+
K
={1] has order 2, adjoining m-torsion points up to
inversion amounts to the equality
H
m
=H

{x
P
: P E
K
m|(). P =O]

(7-1)
occurring in Theorem 6.15, since the x-coordinate x
P
determines P up to multi-
plication by 1. More generally, a root of unity
+
K
acts as an automorphism
of E
K
by x
jP
=
-2
x
P
, and so in the special cases where K equals (i ) or
(
3
) and
+
K
has order 2k with k =2. 3, one replaces x
P
by x
k
P
in (7-1). The
classical Weber functions replacing (6-14) for K = (i ) and K = (
3
) are

K
(z) =(g
2
2
(
K
),z(
K
))
2

K
(z) and
K
(z) =(g
3
(
K
),z(
K
))
3

K
(z).
PROOF OF THEOREM 6.15. As in the case of Theorem 6.9, we show that the
primes of degree one of K that split completely in the extension KH
t
m
dened
by adjoining to H the m-torsion points of E
K
up to automorphisms are, up
to a zero density subset of primes, the primes in the ray group R
m
. Primes p
of K splitting in H
t
m
are principal as they split in H. For each
K
-generator
of p, which is uniquely determined up to multiplication by
+
K
, one obtains
a complex multiplication by
K
End(E
K
) that xes E
K
m|() up to
automorphisms if and only if p R
m
.
Let p=
K
be a prime of degree 1 over p for which E
K
has good reduction
modulo p. Then the isogeny
t
: E
K
E
K
, which corresponds to multiplica-
tion by as in (6-5), reduces modulo a prime q[p of the m-division eld of E
K
to an endomorphism of degree p. Since is in q, this reduction is inseparable,
and so it equals the Frobenius endomorphism of E
K,q
up to an automorphism.
One shows [Lang 1987, p. 125] that this local automorphism of E
K,q
is induced
by a global automorphism of E
K
, that is, a complex multiplication by a unit in

+
K
, and concludes that
t
induces a Frobenius automorphism above p on H
t
m
.
As the reduction modulo q induces an isomorphism E
K
m|
~
E
K,q
m| on the
m-torsion points, this Frobenius automorphism is trivial if and only if we have
1 mod
+
m
K
for a suitable choice of . Thus, p splits completely in H
t
m
if and only if p is in R
m
, and H
t
m
is the ray class eld H
m
.
COMPUTATIONAL CLASS FIELD THEORY 525
The argument just given shows that we have a concrete realization of the Artin
isomorphism (
K
,m
K
)
+
,im
+
K
|
~
Gal(H
m
,H) from (2-8) by complex
multiplications. Passing to the projective limit, this yields the analogue
b

+
K
,
+
K

~
Gal(K
ab
,H) G
ab
K
of (3-1). For the analogue of (6-3), we note rst that for imaginary quadratic
K, the subgroup U
o
in (3-3), which equals
+
, maps isomorphically to the
connected component of the unit element in A
+
K
,K
+
. Because it is the kernel
of the Artin map [
K
in (3-7), we obtain a commutative diagram
b

+
K
-1
//
~ can

+
K
,
+
K

~

A
+
K
,(K
+

+
)
Artin ~

Aut

K
(K,
K
)
//
Gal(K
ab
,H) Gal(K
ab
,K)
(7-2)
in which the inversion map 1 arises just as in (3-8). Aslight difference with the
diagram (6-3) for is that the horizontal arrows now have a small nite kernel
coming from the unit group
+
K
. Moreover, we have only accounted for the
automorphisms of K
ab
over H, not over K. Automorphisms of H
m
that are not
the identity on H arise as Artin maps o
c
of nonprincipal ideals c coprime to m,
and the proof of Theorem 6.9 shows that for the isogeny
c
in the commutative
diagram
,
K
can
//
W ~

,c
-1
W
0
~

E
K

c
//
E
t
K
.
(7-3)
we have to compute the restriction
c
: E
K
m| E
t
K
m| to m-torsion points.
To do so in an efcient way, we view the j -values and x-coordinates of torsion
points involved as weight zero functions on complex lattices such as
K
or c.
As we may scale all lattices as we did for (6-10) to t with t H, such
functions are modular functions H as dened in [Lang 1987, Chapter 6].
The j -function itself is the primordial modular function: a holomorphic
function on H that is invariant under the full modular group SL
2
(). Every
meromorphic function on H that is invariant under SL
2
() and, when viewed
as a function of q =e
2tir
, meromorphic in q =0, is in fact a rational function
of j . The Weber function
K
in (6-14) is a function

r
(z) =
g
2
(t)g
3
(t)
z(t)

r,1j
(z)
that depends on the lattice
K
=t =t. 1|, and xing some choice of a
generator t of
K
over , we can label its m-torsion values used in generating
526 HENRI COHEN AND PETER STEVENHAGEN
H
m
as
F
u
(t) =
r
(u
1
t u
2
) with u =(u
1
. u
2
)
1
m

2
,
2
\ {(0. 0)]. (7-4)
For m>1, the functions F
u
: H in (7-4) are known as the Fricke functions
of level m. These are holomorphic functions on H that are x-coordinates of m-
torsion points on a generic elliptic curve over (j ) with j -invariant j . As they
are zeroes of division polynomials in (j )X|, they are algebraic over (j ) and
generate a nite algebraic extension of (j ), the m-th modular function eld

m
=(j . {F
u
]
u(
1
m
{)
2
\(0,0)
). (7-5)
Note above that
1
= (j ). We may now rephrase the main theorems of
complex multiplication in the following way.
THEOREM 7.6. Let K be an imaginary quadratic eld with ring of integers
t|. Then the m-th ray class eld extension K H
m
is generated by the nite
values (t) of the functions
m
.
For generic K this is directly clear from Theorems 6.9 and 6.15. In the special
cases K = (i ). (
3
), the functions F
u
(t) in (7-4) vanish at the generator
t of
K
, so an extra argument [Lang 1987, p. 128] involving modied Weber
functions in
m
is needed.
It is not really necessary to take t in Theorem 7.6 to be a generator of
K
; it
sufces that the elliptic curve ,t. 1| is an elliptic curve having CM by
K
.
In computations, it is essential to have the explicit action of Gal(K
ab
,K) on
the values (t) from Theorem 7.6 for arbitrary functions in the modular func-
tion eld =L
m1

m
. As class eld theory gives us the group Gal(K
ab
,K)
in (7-2) as an explicit quotient of the idele class group A
+
K
,K
+
under the Artin
map (3-7), this means that we need to nd the natural action of x A
+
K
on the
values (t) in Theorem 7.6. We will do so by reinterpreting the action of the
Artin symbol o
x
Gal(K
ab
,K) on the function value of at t as the value of
some other modular function
g

(x)
at t, that is,
( (t))
o
x
=
g

(x)
(t). (7-7)
for some natural homomorphism g
r
: A
+
K
Aut() induced by t.
To understand the automorphisms of , we note rst that the natural left
action of SL
2
() on H gives rise to a right action on
m
that is easily made
explicit for the Fricke functions (7-4), using the weight 0 property of
K
. For
M =

SL
2
() we have
F
u
(Mt) =F
u

t
;t

=
g
2
(t)g
3
(t)
z(t)

r,1j
(u
1
(t ) u
2
(;t ))
=F
uM
(t).
COMPUTATIONAL CLASS FIELD THEORY 527
As u = (u
1
. u
2
) is in
1
m

2
,
2
, we only need to know M modulo m, so the
Fricke functions of level m are invariant under the congruence subgroup
1(m) =kerSL
2
() SL
2
(,m)|
of SL
2
(), and they are permuted by SL
2
(). As we have F
-u
1
,-u
2
=F
u
1
,u
2
,
we obtain a natural right action of SL
2
(,m),{1] on
m
.
Besides this geometric action, there is a cyclotomic action of (,m)
+
on
the functions
m
via their Fourier expansions, which lie in (
m
)((q
1{m
))
since they involve rational expansions in
e
2ti(a
1
ra
2
){m
=
a
2
m
q
a
1
{m
for a
1
. a
2
.
On the Fricke function F
u
=F
(u
1
,u
2
)
, the automorphismo
k
:
m

k
m
clearly in-
duces o
k
: F
(u
1
,u
2
)
F
(u
1
,ku
2
)
. Thus, the two actions may be combined to give
an action of GL
2
(,m),{1] on
m
, with SL
2
(,m),{1] acting geo-
metrically and (,m)
+
acting as the subgroup {

1 0
0 k

: k (,m)
+
],{1].
The invariant functions are SL
2
()-invariant with rational q-expansion; so they
lie in (j ), and we have a natural isomorphism
GL
2
(,m),{1]
~
Gal(
m
,(j )). (7-8)
or, if we take the union =
S
m

m
on the left hand side and the corresponding
projective limit on the right hand side,
GL
2
(
b
),{1]
~
Gal(,(j )). (7-9)
Note that
m
contains (
m
)(j ) as the invariant eld of SL
2
(,m),{1],
and that the action of GL
2
(
b
),{1] on the subextension (j )
ab
(j ) with
group Gal(
ab
,)
b

+
is via the determinant map det : GL
2
(
b
),{1]
b

+
.
To discover the explicit form of the homomorphism g
r
in (7-7), let p =
K
be a principal prime of K. Then the Artin symbol o
p
is the identity on H, and
the proof of Theorem 6.15 shows that its action on the x-coordinates of the
m-torsion points of E
K
for m not divisible by can be written as
F
u
(t)
o
p
=F
u
(t) =F
uM

(t).
where M
t
is the matrix in GL
2
(,m) that represents the multiplication by
on
1
m

K
,
K
with respect to the basis {t. 1]. In explicit coordinates, this
means that if t H is a zero of the polynomial X
2
BX C of discriminant
B
2
4C = z
K
and = x
1
t x
2
is the representation of on the -basis
t. 1| of
K
, then we have
M
t
=

Bx
1
x
2
Cx
1
x
1
x
2

GL
2
(,m). (7-10)
528 HENRI COHEN AND PETER STEVENHAGEN
As the Fricke functions of level m generate
m
, we obtain in view of (7-8) the
identity
(t)
o
p
=
M

(t) for
m
and m,
which is indeed of the form (7-7). We can rewrite this in the style of the dia-
gram (7-2) by observing that the Artin symbol of K
+
p
A
+
K
acts as o
p
on
torsion points of order m coprime to p, and trivially on -power torsion points.
Moreover, ( mod K
+
) A
K
,K
+
is in the class of the idele x
b

+
K
having
component 1 at p and
-1
elsewhere. Thus, if we dene
g
r
:
b

+
K
GL
2
(
b
)
x M
-1
x
(7-11)
by sending x =x
1
t x
2

K
to the inverse of the matrix M
x
describing mul-
tiplication by x on
b

K
with respect to the basis t. 1|, then M
x
is given explicitly
as in (7-10), and formula (7-7) holds for and x
b

+
K
if we use the natural
action of GL
2
(
b
) on from (7-9).
To obtain complex multiplication by arbitrary ideles, we note that on the one
hand, the idele class quotient A
+
K
,(K
+

+
) from (7-2), which is isomorphic
to Gal(K
ab
,K) under the Artin map, is the quotient of the unit group
b
K
+
of the
nite adele ring
b
K =
b

=
Y
t
pnite
K
p
A
K
=
b
K
by the subgroup K
+

b
K
+
of principal ideles. On the other hand, not all au-
tomorphisms of come from GL
2
(
b
) as in (7-9): there is also an action of
the projective linear group PGL
2
()

=GL
2
()

,
+
of rational matrices of
positive determinant, which naturally act on H by linear fractional transforma-
tions. It does not x j , as it maps the elliptic curve ,t. 1| dened by t H
not to an isomorphic, but to an isogenous curve. More precisely, if we pick
M =


;

GL
2
()

in its residue class modulo


+
such that M
-1
has
integral coefcients, then the lattice
(;t )
-1
t. 1| =
h
t
;t
.
1
;t
i
=M
-1
h
(t ),(;t ). 1
i
is a sublattice of nite index det M
-1
in (t ),(;t ). 1|. and putting
j =(;t )
-1
, we have a commutative diagram
,t. 1|

//
~ W

,Mt. 1|=,(t ),(;t ). 1|


~
W
0

E
r

//
E
Mr
COMPUTATIONAL CLASS FIELD THEORY 529
as in (7-3). Moreover, the torsion point u
1
tu
2
having coordinates u=(u
1
. u
2
)
with respect to t. 1| is mapped to the torsion point with coordinates uM
-1
with
respect to the basis Mt. 1|.
We let
b
=
b

=
Q
t
p

p
be the ring of nite -ideles. Then every
element in the ring GL
2
(
b
) can be written as UM with U GL
2
(
b
) and M
GL
2
()

. This representation is not unique since GL


2
(
b
) and GL
2
()

have
nontrivial intersection SL
2
(), but we obtain a well-dened action GL
2
(
b
)
Aut() by putting
UM
(t) =
U
(Mt). We now extend, for the zero t H of
a polynomial X
2
BX C X|, the map g
r
in (7-11) to
g
r
:
b
K
+
=(
b
t
b
)
+
GL
2
(
b
)
x =x
1
t x
2
M
-1
x
=

Bx
1
x
2
Cx
1
x
1
x
2

-1
(7-12)
to obtain the complete Galois action of Gal(K
ab
,K)
b
K
+
,K
+
on modular
function values (t). The result is known as Shimuras reciprocity law:
THEOREM 7.13. Let t H be imaginary quadratic, a modular function
that is nite at t, and x
b
K
+
,K
+
a nite idele for K = (t). Then (t) is
abelian over K, and the idele x acts on it via its Artin symbol by
(t)
x
=
g

(x)
(t).
where g
r
is dened as in (7-12).
8. Class invariants
Much work has gone into algorithmic improvements of the classical algo-
rithms in Section 6, with the aim of reducing the size of the class polynomials
obtained. Clearly the degree of the polynomials involved cannot be lowered,
as these are the degrees of the eld extensions one wants to compute. There
are however methods to reduce the size of their coefcients. These already go
back to Weber, who made extensive use of smaller functions than j to compute
class elds in his algebra textbook [Weber 1908]. The function f
2
that we used to
compute j in (6-12), and that carries Webers name (as does the elliptic function
in (6-14)) provides a good example. A small eld such as K =(
_
71), for
which the class group of order 7 is easily computed by hand, already has the
530 HENRI COHEN AND PETER STEVENHAGEN
sizable Hilbert class polynomial
Hil
K
(X) = X
7
313645809715 X
6
3091990138604570 X
5
98394038810047812049302 X
4
823534263439730779968091389 X
3
5138800366453976780323726329446 X
2
425319473946139603274605151187659 X
737707086760731113357714241006081263 .
However, the Weber function f
2
, when evaluated at an appropriate generator of

K
over , also yields a generator for H over K, with irreducible polynomial
X
7
X
6
X
5
X
4
X
3
X
2
2X 1.
As Weber showed, the function f
2
can be used to generate H over K when 2
splits and 3 does not ramify in K. The general situation illustrated by this
example is that, despite the content of Theorem 7.6, it is sometimes possible to
use a function of high level, like the Weber function f
2

48
of level 48, to
generate the Hilbert class eld H of conductor 1. The attractive feature of such
high level functions is that they can be much smaller than the j -function
itself. In the case of f
2
, the extension (j ) (f
2
) is of degree 72 by (6-
12), and this means that the size of the coefcients of class polynomials using
f
2
is about a factor 72 smaller than the coefcients of Hil
K
(X) itself. Even
though this is only a constant factor, and complex multiplication is an intrin-
sically exponential method, the computational improvement is considerable.
For this reason, Webers use of small functions has gained renewed interest in
present-day computational practice.
Shimuras reciprocity law Theorem 7.13 is a convenient tool to understand
the occurrence of class invariants, that is, modular functions of higher
level that generate the Hilbert class eld of K when evaluated at an appropriate
generator t of
K
. Classical examples of such functions used by Weber are ;
2
=
3
_
j and ;
3
=
p
j 1728, which have level 3 and 2. As is clear from (6-12), the
j -function can also be constructed out of even smaller building blocks involving
the Dedekind j-function (6-11). Functions that are currently employed in actual
computations are
j(pz)
j(z)
and
j(pz)j(qz)
j(pqz)j(z)
. (8-1)
which are of level 24p and 24pq. These functions, or sometimes small powers
of them, can be used to generate H, and the resulting minimal polynomials have
much smaller coefcients than Hil
K
(X). We refer to [Cohen 2000, Section 6.3]
COMPUTATIONAL CLASS FIELD THEORY 531
for the precise theorems, and indicate here how to use Theorem 7.13 to obtain
such results for arbitrary modular functions .
Let be any modular function of level m, and assume ( ) is
Galois. Suppose we have an explicit Fourier expansion in (
m
)((q
1{m
)) that
we can use to approximate its values numerically. Suppose also that we know
the explicit action of the generators S : z 1,z and T : z z 1 on . Then
we can determine the Galois orbit of (t) for an element t H that generates

K
in the following way. First, we determine elements x = x
1
t x
2

K
with the property that they generate (
K
,m
K
)
+
,
+
K
. Then the Galois orbit
of (t) over H is determined using Theorem 7.13, and amounts to computing
the (repeated) action of the matrices g
r
(x) GL
2
(,m) (given by the right
hand side of (7-10)) on . This involves writing g
r
(x) as a product of powers
of S and T and a matrix

1 0
0 k

acting on via its Fourier coefcients. Although


may have a large GL
2
(,m)-orbit over (j ), the matrices g
r
(x) only
generate a small subgroup of GL
2
(,m) isomorphic to (
K
,m
K
)
+
,
+
K
,
and one often nds that the orbit of under this subgroup is quite small. In many
cases, one can slightly modify , multiplying it by suitable roots of unity or
raising it to small powers, to obtain an orbit of length one. This means that
is invariant under g
r

+
K
| GL
2
(
b
). As we have the fundamental equivalence
(t)
x
= (t) ==
g

(x)
=. (8-2)
this is equivalent to nding that (t) is a class invariant for K = (t). The
verication that g
r

+
K
| stabilizes takes place modulo the level m of , so it
follows from (7-12) that if (t) is a class invariant for K =(t), then (t
t
)
is a class invariant for K
t
=(t
t
) whenever t
t
H is a generator of
K
0 that
has an irreducible polynomial congruent modulo m to that of t. In particular, a
function of level m that yields class invariants does so for families of quadratic
elds for which the discriminant is in certain congruence classes modulo 4m.
If (t) is found to be a class invariant, we need to determine its conjugates
over K to determine its irreducible polynomial over K as we did in (6-8) for
j(t). This amounts to computing (t)
o
c
as in Theorem 6.9, with c ranging over
the ideal classes of Cl
K
. If we list the ideal classes of Cl
K
as in Section 6 as
integer triples (a. b. c) representing the reduced quadratic forms of discriminant
z
K
, the Galois action of their Artin symbols in Theorem 6.9 may be given by
j(t)
(a,-b,c)
=j

b
_
b
2
4ac
2a

.
For a class invariant (t) a similar formula is provided by Shimuras reciprocity
law. Let a = ((b
_
b
2
4ac),2) a be a
K
-ideal in the ideal class
corresponding to the form (a. b. c). Then the
b

K
-ideal a
b

K
is principal since

K
-ideals are locally principal, and we let x
b

K
be a generator. The element
532 HENRI COHEN AND PETER STEVENHAGEN
x is a nite idele in
b
K
+
, and the Artin symbol of x
-1
acts on (t) as the Artin
symbol of the form (a. b. c). We have U = g
r
(x
-1
)M
-1
GL
2
(
b
) for the
matrix M GL
2
()

dened by
t. 1|M =
h
b
_
b
2
4ac
2
. 2a
i
.
since U stabilizes the
b

K
-lattice spanned by the basis t. 1|. Applying Theorem
7.13 for the idele x
-1
yields the desired formula
(t)
(a,-b,c)
=
U

b
_
b
2
4ac
2a

.
This somewhat abstract description may be phrased as a simple explicit recipe
for the coefcients of U GL
2
(
b
), which we only need to know modulo m,
see [Stevenhagen 2001].
There are limits to the improvements coming from intelligent choices of mod-
ular functions to generate class elds. For any nonconstant function , there
is a polynomial relation v(j . ) =0 between j and , with v X. Y | some
irreducible polynomial with algebraic coefcients. The reduction factor one
obtains by using class invariants coming from (if these exist) instead of the
classical j -values is dened as
r( ) =
deg
(
(v(. j ))
deg
j
(v(. j ))
.
By [Hindry and Silverman 2000, Proposition B.3.5], this is, asymptotically, the
inverse of the factor
lim
h(j(r))-o
h( (t))
h(j(t))
.
Here h is the absolute logarithmic height, and we take the limit over all CM-
points SL
2
() t H. It follows from gonality estimates for modular curves
[Br oker and Stevenhagen 2008, Theorem 4.1] that r( ) is bounded above by
1,(24z
1
), where z
1
is Selbergs eigenvalue as dened in [Sarnak 1995]. The
currently proved bounds [Kim 2003, p. 176] on z
1
yield r( ) 32768,325 ~
100.8, and conjectural bounds imply r( ) 96. Thus Webers function f
2
,
which has r( ) =72 and yields class invariants for a positive density subset of
all discriminants, is close to being optimal.
Acknowledgements
Useful comments on earlier versions of this paper were provided by Reinier
Br oker, Ren e Schoof and Marco Streng. Bjorn Poonen provided us with the
reference to [Kim 2003].
COMPUTATIONAL CLASS FIELD THEORY 533
References
[Artin and Tate 1990] E. Artin and J. Tate, Class eld theory, 2nd ed., Advanced Book
Classics, Addison-Wesley, Redwood City, CA, 1990.
[Br oker and Stevenhagen 2008] R. Br oker and P. Stevenhagen, Constructing elliptic
curves of prime order, pp. 1728 in Computational Arithmetic Geometry, edited by
K. E. Lauter and K. A. Ribet, Contemp. Math. 463, 2008.
[Buhler and Wagon 2008] J. P. Buhler and S. Wagon, Basic algorithms in number
theory, pp. 2568 in Surveys in algorithmic number theory, edited by J. P. Buhler
and P. Stevenhagen, Math. Sci. Res. Inst. Publ. 44, Cambridge University Press, New
York, 2008.
[Bump et al. 2003] D. Bump, J. W. Cogdell, E. de Shalit, D. Gaitsgory, E. Kowalski,
and S. S. Kudla, An introduction to the Langlands program, Birkh auser Boston
Inc., Boston, MA, 2003. Lectures presented at the Hebrew University of Jerusalem,
Jerusalem, March 1216, 2001, Edited by Joseph Bernstein and Stephen Gelbart.
[Cassels and Fr ohlich 1967] J. W. S. Cassels and A. Fr ohlich (editors), Algebraic
number theory, Academic Press, London, 1967.
[Cohen 1993] H. Cohen, A course in computational algebraic number theory, Graduate
Texts in Mathematics 138, Springer, Berlin, 1993.
[Cohen 2000] H. Cohen, Advanced topics in computational number theory, Graduate
Texts in Mathematics 193, Springer, New York, 2000.
[Cox 1989] D. A. Cox, Primes of the form x
2
ny
2
: Fermat, class eld theory and
complex multiplication, John Wiley & Sons, New York, 1989.
[Deuring 1958] M. Deuring, Die Klassenk orper der komplexen Multiplikation, Enzyk-
lop adie der mathematischen Wissenschaften, Band I
2
, Heft 10, Teil II, Teubner,
Stuttgart, 1958.
[Fieker 2001] C. Fieker, Computing class elds via the Artin map, Math. Comp.
70:235 (2001), 12931303.
[Hindry and Silverman 2000] M. Hindry and J. H. Silverman, Diophantine geometry:
an introduction, Graduate Texts in Mathematics 201, Springer, New York, 2000.
[Kim 2003] H. H. Kim, Functoriality for the exterior square of GL
4
and the symmetric
fourth of GL
2
, J. Amer. Math. Soc. 16:1 (2003), 139183.
[Lang 1987] S. Lang, Elliptic functions, Second ed., Graduate Texts in Mathematics
112, Springer, New York, 1987.
[Lang 2002] S. Lang, Algebra, Third ed., Graduate Texts in Mathematics 211, Springer,
New York, 2002.
[Sarnak 1995] P. Sarnak, Selbergs eigenvalue conjecture, Notices Amer. Math. Soc.
42:11 (1995), 12721277.
[Schneps 1994] L. Schneps (editor), The Grothendieck theory of dessins denfants
(Luminy, 1993), London Math. Soc. Lecture Note Ser. 200, Cambridge Univ. Press,
Cambridge, 1994.
534 HENRI COHEN AND PETER STEVENHAGEN
[Schoof 2008] R. J. Schoof, Computing Arakelov class groups, pp. 447495 in
Surveys in algorithmic number theory, edited by J. P. Buhler and P. Stevenhagen,
Math. Sci. Res. Inst. Publ. 44, Cambridge University Press, New York, 2008.
[Serre 1989] J.-P. Serre, Abelian l -adic representations and elliptic curves, Second ed.,
Advanced Book Classics, Addison-Wesley, Redwood City, CA, 1989.
[Shimura 1998] G. Shimura, Abelian varieties with complex multiplication and modu-
lar functions, Princeton Mathematical Series 46, Princeton University Press, Prince-
ton, NJ, 1998.
[Silverman 1986] J. H. Silverman, The arithmetic of elliptic curves, Graduate Texts in
Mathematics 106, Springer, New York, 1986.
[Silverman 1994] J. H. Silverman, Advanced topics in the arithmetic of elliptic curves,
Graduate Texts in Mathematics 151, Springer, New York, 1994.
[Stevenhagen 2001] P. Stevenhagen, Hilberts 12th problem, complex multiplication
and Shimura reciprocity, pp. 161176 in Class eld theory its centenary and
prospect (Tokyo, 1998), edited by K. Miyake, Adv. Stud. Pure Math. 30, Math. Soc.
Japan, Tokyo, 2001.
[Stevenhagen 2008] P. Stevenhagen, The arithmetic of number rings, pp. 209266
in Surveys in algorithmic number theory, edited by J. P. Buhler and P. Stevenhagen,
Math. Sci. Res. Inst. Publ. 44, Cambridge University Press, New York, 2008.
[Stevenhagen and Lenstra 1996] P. Stevenhagen and H. W. Lenstra, Jr., Chebotar ev
and his density theorem, Math. Intelligencer 18:2 (1996), 2637.
[V olklein 1996] H. V olklein, Groups as Galois groups: an introduction, Cambridge
Studies in Advanced Mathematics 53, Cambridge Univ. Press, Cambridge, 1996.
[Weber 1908] H. Weber, Lehrbuch der Algebra, F. Vieweg und Sohn, Braunschweig,
1908. Reprinted by Chelsea Pub., New York, 1961.
HENRI COHEN
LABORATOIRE A2X, U.M.R. 5465 DU C.N.R.S.
UNIVERSIT E BORDEAUX I
351 COURS DE LA LIB ERATION
33405 TALENCE CEDEX
FRANCE
[email protected]
PETER STEVENHAGEN
MATHEMATISCH INSTITUUT,
UNIVERSITEIT LEIDEN, POSTBUS 9512
2300 RA LEIDEN
THE NETHERLANDS
[email protected]

You might also like