noncomputable def OrdinarySupersingular.separableDegree {F : Type u} [Field F] [DecidableEq F] {E₁ E₂ : WeierstrassCurve.Affine F} (φ : Isogeny E₁ E₂) : ℕ

The separable degree of an isogeny φ : E₁ → E₂, i.e., the degree of the separable part of the induced extension of function fields.

theorem OrdinarySupersingular.separableDegree_pos {F : Type u} [Field F] [DecidableEq F] {E₁ E₂ : WeierstrassCurve.Affine F} (φ : Isogeny E₁ E₂) : 0 < separableDegree φ

The separable degree of an isogeny is strictly positive.

theorem OrdinarySupersingular.separableDegree_comp {F : Type u} [Field F] [DecidableEq F] {E₁ E₂ E₃ : WeierstrassCurve.Affine F} (ψ : Isogeny E₂ E₃) (φ : Isogeny E₁ E₂) : separableDegree (ψ.comp φ) = separableDegree ψ * separableDegree φ

Separable degree is multiplicative under composition of isogenies.

noncomputable def OrdinarySupersingular.mulByPIsogeny {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : Isogeny E E

The multiplication-by-p map [p] : E → E viewed as an isogeny, where p is the characteristic of the base field.

theorem OrdinarySupersingular.mulByPIsogeny_apply {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (P : E.Point) : (mulByPIsogeny E p).toAddMonoidHom P = ↑p • P

The multiplication-by-p isogeny acts on points by the usual ℤ-scalar multiplication by p.

theorem OrdinarySupersingular.mulByP_comp_separableDegree {F : Type u} [Field F] [DecidableEq F] {E₁ E₂ : WeierstrassCurve.Affine F} (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (φ : Isogeny E₁ E₂) : separableDegree ((mulByPIsogeny E₂ p).comp φ) = separableDegree (φ.comp (mulByPIsogeny E₁ p))

For any isogeny φ : E₁ → E₂, pre- and post-composition with the multiplication-by-p maps yield isogenies with the same separable degree.

def OrdinarySupersingular.pTorsionSubgroup {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : Set E.Point

The p-torsion subgroup of E: the set of points P killed by multiplication by p.

def OrdinarySupersingular.IsSupersingular {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : Prop

An elliptic curve E over a field of characteristic p is supersingular if its p-torsion subgroup is trivial.

def OrdinarySupersingular.IsOrdinary {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : Prop

An elliptic curve E over a field of characteristic p is ordinary if it admits a nonzero p-torsion point.

theorem OrdinarySupersingular.isOrdinary_iff_not_supersingular {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : IsOrdinary E p ↔ ¬IsSupersingular E p

E is ordinary iff it is not supersingular.

theorem OrdinarySupersingular.isSupersingular_iff_separableDegree {F : Type u} [Field F] [DecidableEq F] {E : WeierstrassCurve.Affine F} (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : IsSupersingular E p ↔ separableDegree (mulByPIsogeny E p) = 1

Supersingularity is equivalent to the multiplication-by-p isogeny having separable degree 1 (i.e., being purely inseparable).

theorem OrdinarySupersingular.ordinary_or_supersingular {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : IsOrdinary E p ∨ IsSupersingular E p

Every elliptic curve over a field of characteristic p is either ordinary or supersingular.

theorem OrdinarySupersingular.separableDegree_mulByP_eq_of_isogeny {F : Type u} [Field F] [DecidableEq F] {E₁ E₂ : WeierstrassCurve.Affine F} (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (φ : Isogeny E₁ E₂) : separableDegree (mulByPIsogeny E₁ p) = separableDegree (mulByPIsogeny E₂ p)

Isogenous elliptic curves have the same separable degree for their multiplication-by-p isogenies; in particular, this is an isogeny invariant.

theorem OrdinarySupersingular.isSupersingular_iff_of_isogeny {F : Type u} [Field F] [DecidableEq F] {E₁ E₂ : WeierstrassCurve.Affine F} (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (φ : Isogeny E₁ E₂) : IsSupersingular E₁ p ↔ IsSupersingular E₂ p

Supersingularity is an isogeny invariant: if E₁ and E₂ are isogenous, then E₁ is supersingular iff E₂ is.

theorem OrdinarySupersingular.intSmulEndomorphism_algebraic {F : Type u_1} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (m : ℤ) : EllipticCurve.IsAlgebraicEndomorphism E (m • 1)

Scalar multiplication by an integer m (acting on E.Point via m • id) gives a well-defined algebraic endomorphism of E.

def OrdinarySupersingular.intSmulEndomorphism {F : Type u_1} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (m : ℤ) : EllipticCurve.EndomorphismRing E

The endomorphism of E given by multiplication by the integer m, packaged as an element of the endomorphism ring of E.

noncomputable def OrdinarySupersingular.frobEndomorphism {F : Type u_1} [Field F] [Fintype F] [DecidableEq F] (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (E : WeierstrassCurve.Affine F) : EllipticCurve.EndomorphismRing E

The Frobenius endomorphism of E over a finite field F of characteristic p, as an element of the endomorphism ring.

noncomputable def OrdinarySupersingular.dualFrobEndomorphism {F : Type u_1} [Field F] [Fintype F] [DecidableEq F] (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (E : WeierstrassCurve.Affine F) : EllipticCurve.EndomorphismRing E

The dual (Verschiebung) of the Frobenius endomorphism, as an element of the endomorphism ring.

theorem OrdinarySupersingular.frobEndomorphism_insep {F : Type u_1} [Field F] [Fintype F] [DecidableEq F] (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (E : WeierstrassCurve.Affine F) : PointCounting.EndInsep (frobEndomorphism p E)

The Frobenius endomorphism is inseparable.

theorem OrdinarySupersingular.frob_add_dualFrob_eq_trace {F : Type u_1} [Field F] [Fintype F] [DecidableEq F] (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (E : WeierstrassCurve.Affine F) : frobEndomorphism p E + dualFrobEndomorphism p E = intSmulEndomorphism E (Hasse.traceFrobenius E)

The defining identity π + π̂ = [t] in the endomorphism ring: Frobenius plus its dual equals multiplication by the trace of Frobenius.

theorem OrdinarySupersingular.intSmulEndomorphism_insep_iff {F : Type u_1} [Field F] [Fintype F] [DecidableEq F] (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (E : WeierstrassCurve.Affine F) (m : ℤ) : PointCounting.EndInsep (intSmulEndomorphism E m) ↔ ↑p ∣ m

Multiplication-by-m is inseparable iff p ∣ m.

theorem OrdinarySupersingular.isSupersingular_iff_dualFrob_insep {F : Type u_1} [Field F] [Fintype F] [DecidableEq F] (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (E : WeierstrassCurve.Affine F) : IsSupersingular E p ↔ PointCounting.EndInsep (dualFrobEndomorphism p E)

Supersingularity of E/F_q is equivalent to inseparability of the dual Frobenius.

theorem OrdinarySupersingular.isSupersingular_iff_trace_dvd {F : Type u_1} [Field F] [Fintype F] [DecidableEq F] (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (E : WeierstrassCurve.Affine F) : IsSupersingular E p ↔ ↑p ∣ Hasse.traceFrobenius E

Supersingularity of E/F_q is equivalent to p dividing the trace of Frobenius. The proof uses Lemma 7.1: if α is an inseparable isogeny, then α + β is inseparable iff β is.

theorem OrdinarySupersingular.jInvariant_pow_frobenius {F : Type u} [Field F] (A B : F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : jInvariant (A ^ p ^ 2) (B ^ p ^ 2) = jInvariant A B ^ p ^ 2

Frobenius compatibility of the j-invariant: applying the p^2-power Frobenius to the coefficients A, B and to the resulting j-invariant agree.

theorem OrdinarySupersingular.supersingular_frobeniusTwist_iso {F : Type u} [Field F] [DecidableEq F] (A B : F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hss : IsSupersingular { a₁ := 0, a₂ := 0, a₃ := 0, a₄ := A, a₆ := B } p) : ∃ (μ : F), μ ≠ 0 ∧ A ^ p ^ 2 = μ ^ 4 * A ∧ B ^ p ^ 2 = μ ^ 6 * B

If E : y² = x³ + Ax + B is supersingular, then E is isomorphic to its p²-Frobenius twist: there exists μ ≠ 0 with A^(p²) = μ⁴ A and B^(p²) = μ⁶ B.

theorem OrdinarySupersingular.supersingular_jInvariant_eq_frobeniusTwist {F : Type u} [Field F] [DecidableEq F] (A B : F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hss : IsSupersingular { a₁ := 0, a₂ := 0, a₃ := 0, a₄ := A, a₆ := B } p) : jInvariant A B = jInvariant (A ^ p ^ 2) (B ^ p ^ 2)

A supersingular curve has the same j-invariant as its p²-Frobenius twist.

theorem OrdinarySupersingular.supersingular_jInvariant_in_Fp2 {F : Type u} [Field F] [DecidableEq F] (A B : F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hss : IsSupersingular { a₁ := 0, a₂ := 0, a₃ := 0, a₄ := A, a₆ := B } p) : jInvariant A B ^ p ^ 2 = jInvariant A B

The j-invariant of a supersingular elliptic curve lies in F_{p²}: it is fixed by the p²-power Frobenius.

noncomputable def OrdinarySupersingular.GeometricEndomorphismAlgebra {F : Type u} (E : WeierstrassCurve.Affine F) : Type u

The geometric endomorphism algebra of E: End(E_{\bar F}) ⊗_ℤ ℚ, the endomorphism algebra of E after base-change to the algebraic closure.

@[implicit_reducible]

noncomputable instance OrdinarySupersingular.GeometricEndomorphismAlgebra.instRing {F : Type u} (E : WeierstrassCurve.Affine F) : Ring (GeometricEndomorphismAlgebra E)

Ring structure on the geometric endomorphism algebra.

@[implicit_reducible]

noncomputable instance OrdinarySupersingular.GeometricEndomorphismAlgebra.instAlgebra {F : Type u} (E : WeierstrassCurve.Affine F) : Algebra ℚ (GeometricEndomorphismAlgebra E)

ℚ-algebra structure on the geometric endomorphism algebra.

theorem OrdinarySupersingular.GeometricEndomorphismAlgebra.instFiniteDimensional {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) : FiniteDimensional ℚ (GeometricEndomorphismAlgebra E)

The geometric endomorphism algebra of E is finite-dimensional over ℚ.

@[implicit_reducible]

noncomputable instance OrdinarySupersingular.GeometricEndomorphismAlgebra.instPDInvAlgebra {F : Type u} (E : WeierstrassCurve.Affine F) : PositiveDefiniteInvolutionAlgebra (GeometricEndomorphismAlgebra E)

Positive-definite involution algebra structure (Rosati involution) on the geometric endomorphism algebra of E.

theorem OrdinarySupersingular.GeometricEndomorphismAlgebra.instNontrivial {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) : Nontrivial (GeometricEndomorphismAlgebra E)

The geometric endomorphism algebra of E is nontrivial.

theorem OrdinarySupersingular.geometricEndomorphismAlgebra_classification {F : Type u_1} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) : EndAlgClassification (GeometricEndomorphismAlgebra E)

The geometric endomorphism algebra of any elliptic curve falls into the three-way Albert classification (rational / imaginary quadratic / quaternion).

def OrdinarySupersingular.IsQuaternionEndAlgebra {F : Type u} (E : WeierstrassCurve.Affine F) : Prop

The predicate that the geometric endomorphism algebra of E is a quaternion algebra: it has ℚ-dimension 4 with two anticommuting elements squaring to negative rationals.

theorem OrdinarySupersingular.supersingular_endAlgebra_not_rational {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hss : IsSupersingular E p) : Module.finrank ℚ (GeometricEndomorphismAlgebra E) ≠ 1

For a supersingular elliptic curve, the geometric endomorphism algebra has ℚ-dimension strictly greater than 1, i.e., it is not just ℚ.

theorem OrdinarySupersingular.supersingular_endAlgebra_not_imaginaryQuadratic {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hss : IsSupersingular E p) : Module.finrank ℚ (GeometricEndomorphismAlgebra E) ≠ 2

For a supersingular elliptic curve, the geometric endomorphism algebra is not an imaginary quadratic field, i.e., its ℚ-dimension is not 2.

theorem OrdinarySupersingular.supersingular_geometricEndomorphismAlgebra_quaternion {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hss : IsSupersingular E p) : IsQuaternionEndAlgebra E

The geometric endomorphism algebra of a supersingular elliptic curve is a quaternion algebra (over ℚ).

theorem OrdinarySupersingular.quaternionEndAlgebra_anticommuting_endomorphisms {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hquat : IsQuaternionEndAlgebra E) : ∃ (α : EllipticCurve.EndomorphismRing E) (β : EllipticCurve.EndomorphismRing E), α ≠ 0 ∧ β ≠ 0 ∧ α * β + β * α = 0

If the geometric endomorphism algebra of E is a quaternion algebra, there exist two nonzero anticommuting endomorphisms α, β in the endomorphism ring of E.

theorem OrdinarySupersingular.ordinary_torsion_anticommutation_contradiction {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hord : IsOrdinary E p) (α β : EllipticCurve.EndomorphismRing E) (hα : α ≠ 0) (hβ : β ≠ 0) (hanti : α * β + β * α = 0) : False

For an ordinary elliptic curve, two nonzero anticommuting endomorphisms cannot exist: the existence of a nontrivial p-torsion point contradicts the anticommutation relation.

theorem OrdinarySupersingular.ordinary_not_quaternionEndAlgebra {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hord : IsOrdinary E p) : ¬IsQuaternionEndAlgebra E

The geometric endomorphism algebra of an ordinary elliptic curve is not a quaternion algebra.

theorem OrdinarySupersingular.quaternionEndAlgebra_imp_supersingular {F : Type u} [Field F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hquat : IsQuaternionEndAlgebra E) : IsSupersingular E p

If the geometric endomorphism algebra of E is a quaternion algebra, then E is supersingular.

def OrdinarySupersingular.IsImaginaryQuadraticEndAlgebra {F : Type u} (E : WeierstrassCurve.Affine F) : Prop

The predicate that the geometric endomorphism algebra of E is an imaginary quadratic field: it has ℚ-dimension 2 with a non-rational element squaring to a negative rational.

theorem OrdinarySupersingular.ordinary_geometricEndomorphismAlgebra_imaginaryQuadratic {F : Type u} [Field F] [Fintype F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] (hord : IsOrdinary E p) : IsImaginaryQuadraticEndAlgebra E

The geometric endomorphism algebra of an ordinary elliptic curve over a finite field is an imaginary quadratic field.

theorem OrdinarySupersingular.supersingular_ordinary_dichotomy {F : Type u} [Field F] [Fintype F] [DecidableEq F] (E : WeierstrassCurve.Affine F) (p : ℕ) [Fact (Nat.Prime p)] [CharP F p] : IsSupersingular E p ∧ ↑p ∣ Hasse.traceFrobenius E ∧ IsQuaternionEndAlgebra E ∨ IsOrdinary E p ∧ ¬↑p ∣ Hasse.traceFrobenius E ∧ IsImaginaryQuadraticEndAlgebra E

The supersingular/ordinary dichotomy over a finite field: every elliptic curve E/F_q is either supersingular (in which case p divides the trace of Frobenius and the geometric endomorphism algebra is a quaternion algebra) or ordinary (in which case p does not divide the trace and the algebra is an imaginary quadratic field).

theorem OrdinarySupersingularClassification.conductor_dvd_of_le {d : ℤ} {f₁ f₂ : ℕ} (h : ConductorOrder.conductorOrder d f₁ ≤ ConductorOrder.conductorOrder d f₂) : f₂ ∣ f₁

If the conductor-f₁ order is contained in the conductor-f₂ order, then f₂ ∣ f₁. This is the standard correspondence between containment of orders and divisibility of conductors.

noncomputable def OrdinarySupersingularClassification.frobDiscriminant {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) : ℤ

The Frobenius discriminant of E/F_q: t² - 4q, where t = tr π_E.

def OrdinarySupersingularClassification.frobNotInt {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) : Prop

The predicate that the Frobenius endomorphism is not an integer (i.e., t² ≠ 4q), so that ℤ[π_E] is a non-trivial quadratic order.

noncomputable def OrdinarySupersingularClassification.frobeniusOrderConductor {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) (hq : 0 < Fintype.card F) (hnotint : frobNotInt E) : ℕ

The conductor of the order ℤ[π_E] inside the maximal quadratic order with discriminant frobDiscriminant E.

noncomputable def OrdinarySupersingularClassification.endRingConductor {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) (hq : 0 < Fintype.card F) (hnotint : frobNotInt E) : ℕ

The conductor of the endomorphism ring of E inside the maximal quadratic order with discriminant frobDiscriminant E.

theorem OrdinarySupersingularClassification.frobeniusOrder_le_endRing_ax {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) (hq : 0 < Fintype.card F) (hnotint : frobNotInt E) : ConductorOrder.conductorOrder (frobDiscriminant E) (frobeniusOrderConductor E hq hnotint) ≤ ConductorOrder.conductorOrder (frobDiscriminant E) (endRingConductor E hq hnotint)

The Frobenius order ℤ[π_E] is contained in the endomorphism ring End(E), expressed as a containment of the corresponding conductor orders.

theorem OrdinarySupersingularClassification.endRingConductor_dvd_frobeniusOrderConductor {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) (hq : 0 < Fintype.card F) (hnotint : frobNotInt E) : endRingConductor E hq hnotint ∣ frobeniusOrderConductor E hq hnotint

The conductor of End(E) divides the conductor of ℤ[π_E], as a consequence of the order containment ℤ[π_E] ⊆ End(E).

theorem OrdinarySupersingularClassification.endRing_le_maximalOrder {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) (hq : 0 < Fintype.card F) (hnotint : frobNotInt E) : ConductorOrder.conductorOrder (frobDiscriminant E) (endRingConductor E hq hnotint) ≤ ConductorOrder.conductorOrder (frobDiscriminant E) 1

The endomorphism ring is contained in the maximal order O_K (the conductor-1 order), since its conductor is a divisor of 1.

theorem OrdinarySupersingularClassification.theorem_13_8 {F : Type u_1} [Field F] [Fintype F] (E : WeierstrassCurve.Affine F) (hq : 0 < Fintype.card F) (hnotint : frobNotInt E) : (ConductorOrder.conductorOrder (frobDiscriminant E) (frobeniusOrderConductor E hq hnotint) ≤ ConductorOrder.conductorOrder (frobDiscriminant E) (endRingConductor E hq hnotint) ∧ ConductorOrder.conductorOrder (frobDiscriminant E) (endRingConductor E hq hnotint) ≤ ConductorOrder.conductorOrder (frobDiscriminant E) 1) ∧ endRingConductor E hq hnotint ∣ frobeniusOrderConductor E hq hnotint

Theorem 13.8 of Sutherland: for an elliptic curve E/F_q whose geometric endomorphism algebra is an imaginary quadratic field K, the inclusions ℤ[π_E] ⊆ End(E) ⊆ O_K hold, and the conductor of End(E) divides [O_K : ℤ[π_E]].