W
IEB
B
OSMA
P
ETER
S
TEVENHAGEN
On the computation of quadratic 2-class groups
Journal de Théorie des Nombres de Bordeaux, tome
8, n
o2 (1996),
p. 283-313
<http://www.numdam.org/item?id=JTNB_1996__8_2_283_0>
© Université Bordeaux 1, 1996, tous droits réservés.
L’accès aux archives de la revue « Journal de Théorie des Nombres de Bordeaux » (http://jtnb.cedram.org/) implique l’accord avec les condi-tions générales d’utilisation (http://www.numdam.org/conditions). Toute uti-lisation commerciale ou impression systématique est constitutive d’une infraction pénale. Toute copie ou impression de ce fichier doit conte-nir la présente mention de copyright.
Article numérisé dans le cadre du programme Numérisation de documents anciens mathématiques
On the
computation
ofquadratic
2-class groupspar WIEB BOSMA ET PETER STEVENHAGEN
RÉSUMÉ. Nous décrivons un algorithme dû à Gauss, Shanks et Lagarias qui
étant donné un entier D ~ 0,1 mod 4 non carré et la factorisation de D, détermine la structure du 2-sous-groupe de Sylow du groupe des classes de l’ordre quadratique de déterminant D ; la complexité de cet algorithme est
en temps polynomial probabiliste en log |D|.
ABSTRACT. We describe an algorithm due to Gauss, Shanks and Lagarias
that, given a non-square integer D ~ 0, 1 mod 4 and the factorization of D,
computes the structure of the 2-Sylow subgroup of the class group of the
quadratic order of discriminant D in random polynomial time in log |D|.
1. Introduction.
Let D =
o, I
mod 4 be a non-squareinteger,
and denoteby
Cl(D)
the strictclass group of the
quadratic
order O =Z[(D
+B/D)/2]
of discriminant D.The group
Cl(D)
may be identified with the class group ofprimitive
integral
binary
quadratic
forms of discriminantD,
and thisyields
adescription
thatis very useful for
explicit
computations.
There do existalgorithms
thatcompute
CI(D)
in a time that issubexponential
in thelength log D
of theinput;
see[3]
and[5,
7]
for therespective
cases D > 0 and D 0.However,
thesealgorithms
are far frompolynomial-time,
and it isunlikely
thatthey
will be used in the near future for discriminants Dhaving
morethan,
say,50 decimal
digits.
The
algorithm
in this paperonly
computes
the2-Sylow
subgroup
C(D) =
CI(D)2
of the class group. It runs in randompolynomial
time[8, j
]
if the factorization of D isgiven
aspart
of theinput,
and it handles most50-digit
discriminants in a matter of seconds. In contrast to the situation foralgorithms
thatcompute
the full class groupC1(D),
it turns out thatnot
only
the size ofD,
but also the number ofprime
factors of D and theClass. Math. : Primary 11Y40, 11R11; Secondary 11E16, 11E20.
Mots-clés : Quadratic _ 2-class groups, - _ , binary and ternary quadratic - forms.
’depth’
of theresulting
class groupgreatly
influence therunning
time. Forinstance,
consider the501-digit
discriminantwhich is the
product
of fiveprimes
exceeding
101°°
that are 1 mod 4 andsquares modulo each other. It is chosen in such a way that
C(D) ~
C4
X C128
has
high
4-rank. It takes less than a second to find theelementary
abelian2-groups
C(173.
D~ ^-_’
Cfl t3£
C( -43. D).
Now consider thesample
of 2-class groupswith
approximate timings
on a Sun MP670 workstation indicated inbrack-ets. We see that the
algorithm
takes more time if theresulting
2-class group is ’further’ fromelementary 2-abelian,
and that the realquadratic
case D > 0 appears to be somewhat harder than the
imaginary
quadratic
case. We will
give
acomplete
quantitative
explanation
for bothobser-vations. Note that
computation
of the full class group for any of these discriminants iscurrently completely
unfeasible.The basis of our
algorithm
is a method to solve theduplication
equation
2x = c inquadratic
class groups that is due to Gauss[6,
section286}.
It hasbeen
implemented
and used tocompute
variousimaginary
quadratic
2-class groupsC(D)
by
ShanksD.
All of Shanks’sexamples
werecyclic
or almostcyclic,
and he did notgive
analgorithm
to handlegeneral
D.Doing
so isessentially
a matter of linearalgebra,
as was shownby
Lagarias
[],
whoana-lyzed
thealgorithm
from thepoint
of view of itscomputational
complexity
but referred to[]
for apractical
implementation.
There does not seem to bea
complete description
of the mathematical content of thealgorithm
in theexisting literature,
and this paper intends to fill this gap. It turns out that acareful
description
of the mathematics leads tosomething
which is not toofar from an actual
implementation
in ahigh
levelprogramming language
like that of
Moreover,
itnaturally
yields
analgorithm
thatin-cludes the
improvements
of Shanksregarding
the Gaussian solution of theduplication
equation
and avoids the unnecessarycoprimality
assumptions
The
algorithm
has beensuccessfully
exploited
[]
in the verification of the heuristics of the second author[9, ] regarding
thesolvability
inintegers
of thenegative
Pellequation x2 -
dy2 =
-1. This verification involved thecomputation
ofC(D)
for several millions oflarge, highly
non-cyclic
realquadratic
2-class groups.The
description
of the actualalgorithm
is contained in section 3 of this paper. It ispreceded by
a summary of the basic results onbinary
quadratic
forms and followed
by
a workedexample illustrating
some technicalpoints
of the
algorithm.
Thealgorithm
itself isessentially
a matter of linearalgebra
once one knows how togenerate
the 2-torsionsubgroup
ofCI(D)
and how to solve the
equation
2x = c for elements c in theprincipal
genus
2Cl(D).
The’division-by-2-algorithm’
used insolving
2x = c is based onthe reduction
theory
ofternary
quadratic
forms. As this reductiontheory
isconsiderably
less well known than thecorresponding theory
forbinary
quadratic forms,
a concisedescription
of it has been included as section 5. It is used in section6,
which deals with the solution of theduplication
equation
that forms the backbone of the
algorithm.
A final section 7 comments onthe
performance
of thealgorithm.
We thank Andreas
Meyer
fordetecting
a number oftypos
in an earlierversion of this paper.
2.
Quadratic
class groups.Let D =
0,1
mod 4 be aninteger
that is not a square. The class groupCI(D)
of discriminant D is defined to be thequotient
of the group of in-vertible ideals of thequadratic
orderC~D
=Z[(D+B/D)/2]
by
thesubgroup
ofprincipal
idealshaving
atotally
positive generator.
Note that theposi-tivity requirement
isautomatically
fulfilled fornegative D,
and thatCI(D)
is the(strict)
class group of thequadratic
fieldQ( m)
if D isfundamental,
i.e.,
if D is the discriminant of the fieldC~(~).
The relative ease with which one can
perform
computations
inCI(D)
comes from an alternativedescription
in terms ofbinary
quadratic
forms which is due to Gauss. Consider the set.~D
ofprimitive
integral
binary
quadratic
forms of discriminantD,
i.e.,
forms Q =
(a,
b,
c)
=ax 2 +bxy+cy 2
in two
variabIes x, y
withcoefficients a,
b,
c E Z thatsatisfy
gcd(a,
b,
c)
= 1and b2 -
4ac = D. For D0,
werequire
in addition that a ispositive.
The groupSL2 (Z)
ofintegral
2 x 2-matrices of determinant 1 has a naturalright
action onFD
definedby
QS(x, y)
=Q(sx
+ty, ux
+vy)
for S =group
Cl(D)
under the mapThe power of
~ in
the map above isonly
there to’preserve
orientation’ and vanishes fornegative
D.By
transport
ofstructure,
XD /SL(Z)
be-comes a group that we
identify
withCI{D) . Accordingly,
wespeak
of theclass rather than of the orbit of a form in
Cl(D) .
In the case that D is asquare, which we have excluded so
far,
the orbit space can bemade into a group
by
Gauss’soriginal
method that we will discuss laterin this section.
Following
Gauss[6,
end of section249],
we will write the groupoperation
inC1(D)
additively.
This appears to be the mostconve-nient notation for
computational
purposes, as mostcomputations
in class groups usetechniques
coming
from linearalgebra,
and it is in line with thecommon usage to treat divisor class groups as additive
objects.
As the forms
(a,
b,
c)
and(a,
b +2ka,
c + kb-I-1~2a)
are in the same classfor all k E
Z,
every class contains a form(a, b, c)
withbi
~ It is nothard to show
[2,
propositions
5.3.4 and5.6.3]
that every class contains aquadratic
form(a,
b,
c)
withso it follows that
CI(D)
is finite for allD,
square or not. Given a formin one can
efficiently
compute
[8]
a unimodular transformation thatreduces this form to one of the
finitely
many forms(a,
b,
c) satisfying lbl
jai
.JiDi73.
However,
it is not ingeneral possible
to decideefficiently
whether two
quadratic
forms are in the same class inCl(D).
This is aserious
difEculty
thatprevents
us fromworking
directly
in the class group itself.Instead,
one has a finite set of reduced forms4DD
that mapssurjec-tively
to the class groupCl(D),
and one works with these reduced forms asrepresentatives
of the classes ofCl(D).
For D0,
anappropriate
def-inition of reduced forms ensures that the map
lb D -
Cl(D)
is abijection
and the situation is
perfectly satisfactory.
For D > 0however,
there areusually
many reduced formsmapping
to the same class inCI(D),
and inthis case an
arbitrary
form in can beefficiently
reduced to a form inq.D,
but not to an element ofCl(D).
As anexample,
one can think of theform
(-l, 0, d)
for d > 0 thatrepresents
the unit element inCl(4d)
if andonly
if thenegative
Pellequation x2 -
dy2
= -1 is solvable inintegers.
This
example
is of fundamentalimportance
in0.
In the case of non-square discriminants
D,
our map shows that theto the unit element in
Cl(D).
Theopposite
form(a,
-b,
c)
of(a,
b,
c)
isthe inverse of the class of
(a,
b,
c)
as it maps to theconjugate
ideal class inCl(D).
If we work out how themultiplication
of ideals translates intoa
composition
formula forquadratic forms,
we find[2, 5.4.6]
that the sumof the classes of the
primitive
quadratic
forms(a,,
bi,
cl)
and(a2,
b2,
C2)
inCI(D)
contains a form(a3,
b3,
C3) satisfying
It was shown
by
Dirichlet that the forms can be chosen in such a wayinside their
equivalence
class that oneonly
needs toperform
compositions
for which d
= 1,
known ascompositions
of ’concordant forms’. Infact,
it suffices[4,
lemma3.2]
to have acomposition
of concordant forms(al, b, cl)
and
(a2,
b,
C2)
having
the same middle coefficient b that satisfiesb2 -= D
mod4ala2-
In thissituation,
one has ci = and c2 = for someinteger
c,
and
(2.2)
yields
anidentity
that is known as Dirichlet
composition
of forms.Together
with the reduction ofarbitrary
forms to forms in a finite setthe
composition
formulaeprovide
us with acomputational
model forthe class group. More
precisely,
there is for each D a finite set4~D
of reduced forms of discriminant D that isusually
toolarge
to be enumerated. Given a form F E one canefficiently
find some formFred
E40D
that is in the same class. GiventPD,
thecomposition
formula(2.2)
makes it
possible
tocompute
efficiently
a reduced formF3
=Fi
oF2
Eq. D
whose class in
CI(D)
is the sum of the classes ofFl
andF2.
Theopposite
of a reduced form is
trivially
computed,
so we canperform
the’group
operations’
ofCI(D)
on the level ofHowever,
sinceequivalence
cannotbe tested
efficiently
when D islarge
andpositive, passing
from16 D
toCl(D)
is an
entirely
non-trivial matter. It isexactly
thiscomplication
which led Shanks[,
p.849]
to believe that one cannotalways
decideefficiently
whether certain 2-torsion classes in
CI(D)
areactually
trivial. We will comeback to this
problem,
which will turn out ot benon-existent,
in section 3. Theambiguity
between forms and their classes will however necessitate acareful formulation of our
algorithm
in section3,
where wecompute
the2-primary
part
ofCI(D)
whileworking
withrepresenting
forms.As we will be interested in
duplication
in the class group in latersections,
we mention thefollowing
important
example
of concordantcomposition.
2.4. DUPLICATION LEMMA. Let be
a form of
discriminant
D withgcd(a,
b)
= 1.If A, v
E Zsatisfy
Aa + vb =1,
then we have2[(a,
b,
c)]
=[(a2, b -
2vac,
c’)]
ECI(D)
for
someinteger
c’. Inparticular,
we have2j(a, b, c)~
=I(a2,b,c/a)] if a
divides c. E3This lemma can be used in the
opposite
direction to solve theequation
2(PJ
=[Q]
for a formQ
thatrepresents
asquare k2
coprime
to 2D.Indeed,
suppose we haveQ(u, v)
=k2
for certain u, v EZ,
and assume without lossof
generality
that u and v arecoprime.
Transforming
Q
by
a unimodularmatrix S =
~vt~,
we obtain anequivalent
formQs
satisfying
0)
=k2,
so we have
Qs
=(k2,
l,
m)
for certainl,
m E Z. The form(k,
l,
km)
ofdiscriminant l2
-4k2m
= D isprimitive
sincegcd(k, l)
=gcd(k, 2D)
=1,
and theduplication
lemma shows that we have2((k, l, km)] =
[(k2, l,
n)]
=IQ]
-In section
6,
we willemploy
theoriginal
description
of Gauss of thegroup structure on
Cl(D),
which isquite
different from the one we havegiven
above and also works for square discriminants. In thisdescription,
aform
Q
=(a3,
b3,
c3)
of discriminant D is thecomposition
of twoprimitive
quadratic
forms(a,,
bl,
cl)
and(a2,
b2,
C2)
of discriminant D if there exist bilinear relationsover Z that
yield
theidentity
and
satisfy
an’orientability
condition’ thatdistinguishes
the formsbi,
cl)
and
(a2,
b2,
C2)
in(2.5)
from theiropposite
forms(al, -bl, cl)
and(a2,
-b2,
C2)
-WriteI I
for the subdeterminants of our bilinear relations. An
elementary
computa-tion
[4,
exercise3.1]
shows that if(2.5)
holds for a formQ
of discriminantD,
then we
necessarily
have612
=tai
and613
=~a2.
Theorientability
con-dition is that the
+-sign
holds in both cases. Note that thepreceding
defi-nition for the
composition
of forms is indeed defined onSL2(Z)-equlvalence
If
Q
is acomposition
asspecified above,
the determinants6jj
satisfy
and the coefficients of
Q
areConversely,
given
primitive
formsQ,
=(al,b1,cI)
andQ2
=(a2, b2, c2)
and
integers
Si, ti
for which(2.6)
and(2.7)
hold,
we havebi -
4a,cl
= b2
-4aZC2
= D for some discriminant D and((a3, b3,
=[Qll
+(Q2 E Cl(D).
For non-square
D,
Gauss’s definitionyields
the same group structure onCI(D)
as the Dirichletcomposition
(2.3).
This is immediate from theob-servation that the identities
(2.6)
and(2.7)
are satisfied for the forms in(2.3)
if one takes the bilinear relationsequal
toIn the
particular
case where we want toduplicate
a form inCI(D),
theidentities
(2.6)
suggest
that we should take S2 = S3 and t2 = t3. The resultwill be used in section 6 to prove the correctness of the
algorithm
to solve theduplication
equation
2x = c E2Cl(D).
2.8. LEMMA. Let F =
(a, b, c)
be aprimitive
quadratic form of
discrimi-nant
D,
and suppose we aregiven integers
si, tifor
i =1, 2, 3
satisfying
the identitiesThen the class
2[F]
ECI(D)
contains theform
If a and b are
coprime
in thislemma,
we can find A and vsatisfying
Aa+ vb =1 and take
3.
Computing
quadratic
2-class groups.Let D -
0, 1
mod 4 be a non-squareinteger
for which we have acomplete
factorization. We want to
compute
the strict 2-class group C C Cl of thequadratic
order of discriminant D. Thecomputation
isessentially
a matter of linearalgebra
over the field of 2 elementsF2.
For this reason, we takethe values of all
quadratic
characters in this section to lie inF2
rather than in themultiplicative
group(-1).
The factorization of D
provides
us with the two basicingredients
of ouralgorithm.
The first is anF2-basis
of the character group~D
ofC/2C
=Cl/2CI, commonly
known as the group of genus characters of Cl. Thesecond is a
generating
set ofambiguous
forms, i.e.,
a set of forms whose classesgenerate
the 2-torsionsubgroup
C[2]
=Cl[2]
of C c Cl. The classesin Cl of the elements of our set will not in
general
form anF2-basis
forC(2~.
Let d be the discriminant of the field We have D = for some
integer
f >
1 thatequals
the index of thequadratic
order of discriminant D inside the maximal order inFor an odd
prime
divisor p ofD,
we write xp :(Z /DZ)* -
F2
for thequadratic
character ofconductor p
and xd =(~) :
(Z/DZ)* -
F2
for thequadratic
charactercorresponding
to the fieldQ(@) .
The group of field characters
Xd
corresponding
to D is the groupof Dirichlet characters on
(Z/DZ)*.
Here p ranges over the oddprime
divisors of d. If d is
odd,
the characters xp form a basis of3id
and theirproduct equals
~d. If d is even, theproduct
of xd and all characters xp is aquadratic
character of2-power
conductor associated to thequadratic
field of discriminant -4 or ~8. Thischaracter,
which we denotecorrespondingly
by
x-4, X8 or x-8, and the characters xp now form a basis for Inall cases, the order of
3Cd
equals
2’,
with t the number of distinctprime
divisors of d. The abelian field
corresponding
to~d
is the genus field ofthe
quadratic
fieldQ( vD).
It is the maximal abelian extension of that is unramified at all finiteprimes
and abelian overQ.
The full group
3CD
of genus characters associated to the discriminant D has a similardefinition,
butspecial
care is needed to obtain the correctcharacters of
2-power
conductor.Writing
3C’ D
for the group of charactersof
f ,
we haveA basis of
3CD
is obtainedby
adding
to a basis for3id
the characters xpfor the odd
prime
divisors off
that do not divide d and the charactersX-4 and x8 as
specified
in the definition above. One finds that if D has udistinct
prime
divisors,
then~D
has dimension u + 1 if D is divisibleby
32(and
contains allquadratic
characters of2-power
conductor), u -
I for D = 4 mod 16(when
d is odd andf -
2 mod4)
and u otherwise. The abelian fieldGD
corresponding
to3CD
is the genus field of thequadratic
order of discriminant D. It the maximal abelian extension ofQ
that is contained in thering
class field of conductorf
ofQ( v’Ï5).
By
class fieldtheory,
the Galois group iscanonically
isomorphic
toCI/2CI
=C/2C,
and it follows that there is aperfect
pairing
ofF2-vector
spaces
More
explicitly,
the value of acharacter X
E~D
on a class[Q]
E Cl is thecommon
x-value
of theintegers
coprime
to D that arerepresented
by
Q.
One deduces that the value of a
character X
E3ED
of conductor k on theclass of
(a,
b,
c)
in Clequals
If the conductor k
of x
is aprime
powerdividing
D,
as in the case of the’basis characters’ of
3i D
mentionedabove,
theprimitivity
of the formim-plies
that at least one of these conditions is satisfied. Ouralgorithm
willonly
use such basis characters. Forgeneral X
E3CD,
one uses itsrepresenta-tion on the basis.
Alternatively,
one canreplace
a form ofdiscriminant
Dby
anequivalent
form(a, b, c)
satisfying
gcd(a, D)
=1,
cf.[4,
ex.2.18].
An element E Cl is in theprincipal
genus 2CI if andonly
if all charactersof
3ED
vanish onit,
so the genus characters enable us to decideefficiently
whether an element of Cl is in 2CI. In section
6,
we will prove thefollowing.
3.4. DIVISION-BY-2-ALGORITHM. Given a
form
Q
whose class lies in2CI,
we canefficiently
find
aform
Pe 1’D
satisfying
=tQ]
E Cl.The class of the form P in 3.4 is
only
determined up tocomposition
with classes fromCI[21,
and all we know is that the form P foundby
thealgo-rithm lies in one of these classes. Even when
Q
is in the trivialclass,
thereis no
guarantee
that P will be in the trivial class.Apart
from anexplicit description
of the character group ofC/2C,
thefactorization of D also
yields
generators
for thesubgroup
C[2]
ofambiguous
ideal classes in Cl. This is due to the well known fact thatC[2]
consists of classes of invertibleOD-ideals
I COD
of indexdividing
D. We cantake classes of ideals of
prime
power index asgenerators.
If p is an oddprime
dividing
D,
say there is an invertibleOD-ideal
Ip
=Z ~ pk +
Z ’
(D
+~)/2
of indexpk
in the orderO D .
As this ideal isequal
to itsconjugate
inOD ,
its class inCl(D)
is a 2-torsion element. It is the class of thequadratic
formFor D - 0 mod
4,
say2111 D
with t >2,
we have anambiguous
formthat is the
principal
form for D == 4 mod 16. If D is divisibleby
32,
there is anotherambiguous
formthat is needed to
complete
ourgenerating
set ofambiguous
forms.Thus,
ifwe start with the set of forms prime, we obtain a
generating
setSo
by leaving
outQZ
for D - 4 mod 16 andincluding
Q2
for D - 0 mod 32. If D has u distinctprime
divisors,
thenSo
has u + 1 elements if D isdivisible
by
32,
it has u - 1 elements for D - 4 mod16,
and u elementsotherwise. This is
exactly
theF-dimension
of the character group3ED,
and as thecardinality
ofC[2]
equals
#(C/2C) =
we concludethat there is
exactly
one non-trivial relation in Cl between the elements ofSo.
Fornegative D,
thetriviality
of the ideal class((~)] _ ((~))
E Clyields
the desired relation in all cases but one(the
easy case d =-4).
Wecan then form an
F2-basis
forC[2]
fromSo
by
leaving
out anappropriate
element. For D > 0
however,
the relation between theambiguous
ideal classes is much more subtle. If the fundamental unit eD EOD
is of normambiguous
ideal class((1+ED)]
= 0yields
the desired relation. Theproblem
is of course that ED is
usually
toolarge
to becomputable
inpractice.
For this reason, we have to start ouralgorithm
for D > 0 with agenerating
set
So
forC[21,
not anF2-basis.
This difference between the real andthe
imaginary
case accounts for theslightly
larger running
times of thealgorithm
forpositive
D. The relation between thegenerators
ofC[2]
for D > 0 can be obtained as aby-product
of thecomputation
of C. Fromthe relation we can determine the
sign
of the norm of eD withoutexplicitly
computing
ED. This feature of thealgorithm
isexploited
in[].
The
computation
of Cproceeds by
the construction of anF2-basis
forthe left
argument
of the characterpairing
For the
right
argument
we have our basis X of characters ofprime
power conductor indicated above. The basis B C
0D
of forms whose classesyield
a basis forC/2C
will be constructed as adisjoint
union of setsAj
( j
=1, 2, ... )
in such a way that the classes of the forms inBi
=form a basis for the canonical
image
ofC[2’]
inC/2C.
The basisA,
for theimage
of the 2-torsionsubgroup
C[2]
will be formed from the setSo
of
ambiguous
forms. Moregenerally,
we will carry a setSi
of2’+’-torsion
formsalong
atstage
i.Roughly speaking,
the characterpairing
is used to’split’
the setSi
into a set of basis forms and a set of forms that mapto 2C. We divide the latter forms
by
2using
ouralgorithm
3.4 to obtain the set,S’z+z
of2i+2-torsion
forms needed at the next level. We continue until the unionUj
Aj
yields
a basis forC/2C.
We are then doneby
thefollowing elementary
lemma on abelian2-groups.
3.5. LEMMA. Let G be a
finite
abelian2-group, X
a basisfor
its groupof
quadratic
characters,
and suppose we have adisjoint
union B =Aj
of
finite
setsAj
C G such that thefollowing
holds:a. the 2-torsion
subgroup
G[2] is
generated
by
the elements withb. the matrix a
non-singular
square matrix.Then B maps to an
FZ
-basisfor
G/2G,
the elements inAj
have exact order2i
in G and the natural mapProof.
Thenon-singularity
of the character matrix in(b)
implies
that the elements in B map to a basis forG/2G,
so these elementsgenerate
thegroup G. As
G[2]
andG/2G
have the sameF2-dimension,
the elements ofthe form
2j-laj
with aj
EAj
that occur in(a)
necessarily
form a basisfor
G(2~.
Inparticular,
the elements ofAj
have exact order2-~
In orderto obtain the
required isomorphism
forG,
we have to show that for anyrelation = 0 E G with coefficients
kb
EZ,
we haveord2(kb) > j(b)
for all b E B.
Here j(b)
denotes theindex j
for which b is inAj .
Suppose
that,
on thecontrary,
theinteger
n = ispositive.
Then we can
multiply
our relationby
2n-1
and write it asBy
definitionof n,
theexpressions
in brackets areintegral
and not all even.This
implies
that we would have a non-trivial relation between the basiselements of
G[2] .
Contradiction. DNote that the conclusion of the lemma
implies
that the subsetBi
= U~=l
Aj
C G maps to a basis of the canonical
image
ofG[2Z1
inG/2G.
We now describe an inductive
algorithm
thatcomputes
sets of formsA~
C0D
such that thehypotheses
of lemma 3.5apply
to their classes in G = C. We notedalready
that theproblem
withworking
with forms is thatwe cannot decide whether two different forms are different as elements of C.
However,
the forms in the setsAj
that arecomputed
by
ouralgorithm
areconstructed in such a way that the
quadratic
character values of each twoof these forms are distinct. This means that B =
Aj
can indeedby
viewed as a subset of G =
C,
asrequired by
3.5.Thus,
we do not run intothe
problem
encounteredby
Shanks[,
p.849] .
The sets of formsSZ
thatare constructed
during
thealgorithm
do not ingeneral
mapinjectively
toC.
Our
algorithm
computes
more thanjust
a set of formsAj
atstage j.
The data it stores after i
steps
are thefollowing:
1. a
ah’sjoint
unionU"=1
Aj
of finite sets of formsAj,
together
witha collection of forms
Si
such thatC[2]
isgenerated by
elements of the formI
with aj EAj
and2’[s]
with 8 ESi.
2. a subset
XZ
C X of characters such that the matrix isa
non-singular
square matrix.Initialization. At the initial
stage i
=0,
we haveBo -
and ourInduction
step.
Suppose
we have X atstage
i. Then the setBi
isnot a set of
generators
forC,
and weproceed
to the nextstage
as follows.Consider the character matrix
whose columns
X(a)
EFf
give
the’complete quadratic
character’ of the forms a EBy
(2),
the elementsX (a)
for aE Bi
areindependent
in and we can compose each of the elements ofSi
with forms fromBz
toobtain that all characters in
Xi
vanish on it. Afterdoing
so, we still have(1)
for our modified setSZ,
and the new columnsX (s)
for s ESi
span asubspace
Tl CFf
that islinearly
disjoint
from the spacespanned by
the columnsX(a)
with a EB;.
We chooseAi+l
C ,Si
such that the columnsX(a)
with a E form a basis ofV,
and wepick
a set of charactersY
C X such that the matrix isnon-singular.
Weclearly
have Yi
1Xi
=0,
and we setXi+I
=Xi
to obtain(2)
forstage i
+ 1.The
remaining
forms in are nowcomposed
with forms fromAi+1
in such a way that the characters inX ~ Xi
also vanish on them. Thenall characters in X vanish on these modified
forms,
so their classes are in2C. We now
apply
ourdivision-by-2-algorithm
3.4 to each of the modifiedforms in and take the solutions obtained as the set
Si+,.
If s is in
Si,
we canby
construction write[s]
E C as a sum of classes[az+lj
with E and2[sz+lj
with E We conclude that thesets
12’[s] :
s E and ai+1 E si+l Egenerate
the samesubgroup
ofC [2j ,
so we have(1)
forstage i
+ 1 as well.Termination. The
algorithm
terminates atstage i
if we haveXi =
X.This is bound to
happen
as we haveXi
= X if andonly
if C is annihilatedby
2i.
To seethis,
suppose first that C is annihilatedby
2z.
Condition(1)
then
implies
that the elementsgenerate
C[2],
so the number~Bz
of such elements is at leastequal
todimC[2] =
~X .
It follows from(2)
that we have~Xz -
~Bz > #X,
soXi -
X.Conversely,
if we findX2
= X atstage i,
then C is annihilatedby
2’
as it can begenerated by
aset
Bi
of2’-torsion
elements.We conclude that after lV
steps,
with2N
the exponent ofC,
we havefound a basis B =
A~
for C that satisfies theconditions
of lemma 3.5.This finishes the
description
of thealgorithm.
In the actual
implementation
of thealgorithm,
we used a refinement that ensures that the final character matrix becomes lowertrian-gular.
Instead oftaking
forAi+l
some subset ofSi
whoseX-image
spansV,
onealternately picks
a character and constructs a form toproduce
Yi
andAi+I,
as follows.Let Si
be our set offorms,
modified such that allcharac-ters in
Xi
vanish onSi,
and look at the submatrixMI =
of
Mi .
Weset Yi =
S
=A;+i
and do thefollowing
until all entries ofMi’
equal
zero. Pick a form aE Si
and acharacter X
E X -Xi
such thatx(c~) ~
0,
add X
to the setYi
and move the form a fromS2
toAi+1.
Com-pose theremaining
forms s E,Sz
that have 0 with a-thisyields
a new setSZ and
continue with the new, smaller matrix This process, which is calledechelonization,
produces
anon-singular
lower-triangular
ma-trix for the
ordering
of forms and characterssuggested
above.Moreover,
itreplaces
sZ
by
a set of forms with classes in2C,
andSi+l
is constructed from this setapplying
3.4.At the final
stage i
= N of thealgorithm,
there is no need toapply
thedivision-by-2-algorithm
3.4 tocompute
a setSN
of2 N+ ’-torsion
forms. In theimaginary
case D0,
this is clear since we can takeSo
to be a basisand find
SN - 0.
In the real case D >0,
we have to work withan extra
generator
inSo.
At the finalstage
N,
wecompute
from aset
AN
thatcompletes
our basis B and asingle
form sD E 2C to whichwe can
apply
3.4 to find thesingle
element ofsN.
As[SDI
is divisibleby
2 in a group of
exponent
2~,
we have o. We can, at the costof a little extra
administration,
carry notonly
the setSi
along
atstage
i,
but also for each s
E Si
therepresentation
of2’[s]
in terms of ouroriginal
2-torsion
generators
inSo.
This issimply
doneby
keeping
track of how the forms inSi+l
are constructed atstage i
from theprevious
set If we doso, the relation 0 for D > 0
provides
us with thedependency
between the
ambiguous
forms inSo .
If,
for some reason, we would have even moregenerators
inSa,
we could in the same way find acomplete
setof relations between them.
Given an element c E
C,
theexplicit
knowledge
of the characterpairing
with
respect
to the basis B for C enables us to write c on the basis B. Fromthe
pairing,
onecomputes
a sumbo E
C of elements in B C C that has thesame
quadratic
character values as c = Co. Thisyields
Co =
bo
+2ci
for some class cl E C that can be foundby
3.4. Oneinductively
computes
sumsbi EC
of elements in B such that ci for I =0,1, ... ,
N - 1.The desired
representation
for c is then c =The number k of divisions
by
2performed
by
thealgorithm
tocompute
Ccan
easily
be derived from the group structure of C: for any factor(Z/2-~Z)
in therepresentation
of lemma 3.5 one has toperform j -
1 divisionsby
2.However,
since for D > 0 there is at anystage
in thealgorithm
one moregenerator
than the rank of the groupnecessitates,
the number of divisionsWriting h
=#C
for the 2-class number of D and r E{u -
2, u -
1, u}
forthe 2-rank of
C,
we findThis
explains
the observation in the introduction that ouralgorithm
usually
needs more time for real class groups than for
comparable
imaginary
classgroups.
4. A worked
example.
In order to illustrate the abstract
description
in theprevious section,
wecompute
by
way ofexample
the realquadratic
2-class group C ofdiscrimi-nant
which has 7 distinct
prime
factors. We use the notation from theprevious
section.
In our
example,
the group of field characters3Cd
corresponding
to D has order23
and isgenerated by
thequadratic
characters X13, X9[, X137 andThe
product
of these four characterscorresponds
to the fieldand vanishes on
C,
so we can form anF2-basis
of3id
by dropping
X149 from our set ofgenerators.
By
(3.1),
we cancomplete
this to a basis X for thegroup of genus characters
~D
on Cby
adding
the characters X-4, X7 andOur initial set
So
ofambiguous
forms consists of a formQp
for eachodd
prime
divisor of D and the formQ2
=(4, 0, -D/16)
at 2.We initialize our
algorithm
by
taking
Bo
=Xo = 0
andcompute
thecharacter matrix
Mo
=using
(3.3).
Thisyields
The space V
spanned
by
the columns ofMo
is3-dimensional,
and the 3 x 3-submatrixcorresponding
to the formsQ2, Q7
andQ13
and the setlower-triangular
matrix,
we choose the 3 basis elements inA,
as the classesof the forms
These elements span the
image
C2
ofC[2]
inC/2C.
We obtainBI
=Al
UBo
=Al
andXi
=Xo
UYo
=Yo.
The 4
remaining
formsQ4i, Q97, Q137
andQ149
fromSo
are nowcom-posed
with forms fromAl
to make all characters vanish onthem,
and we use our
division-by-2-algorithm
tocompute
the forms slj ESi
from theduplication
equations
The matrix
M1
of character values in the next iterationstep
isreadily
evaluated asOnly
the column of S14 lies outside the spacespanned by
the columns of the forms in ThusA2
contains asingle element,
for which we takeAs x41 is the
only
character that does not vanish on aI2, we takeYl -
and obtain a set
X2 = Yo
UY1
ofcardinality
4. The threeremaining
forms inSl
are nowcomposed
with forms inB2
=Al n A2
to make them divisibleThe next matrix of character values
M2
becomesAll 3 columns of the forms
S2
lie in the spacespanned by
the columns of the forms inB2
=A,
U A2.
Thisimmediately yields
Y2 = 0
=A3,
so wehave
X3 - X2
andB3 - B2, and 83
contains 3 forms that arecomputed
from the
equations
The character matrix
M3
becomeswhich has maximal rank 6. This means that we have found the structure of our group to be
C23
xC4
xCr6.
In order to obtain a lowertriangular
character
matrix,
we take our final twogenerators
of order 16 asand add
Y3
=IX137, X971
in thesuggested
order to our character basis.and our
algorithm
terminates. The elements aij listed in thetop
row form an ordered basis ofC,
i.e.,
the setsAi =
satisfy
thehypotheses
of lemma 3.5 for G = C.In the final
stage
of thealgorithm,
it turns out that the character columnof the form S32 E
S3
lies in the spacegenerated by
theprevious
columns,
so we have to
compute
S33 before we find that the character matrix hasmaximal rank. In the cases where we are
lucky enough
to obtainalready
acharacter matrix of full rank before the final column has been
computed,
our
algorithm
suppresses thecomputation
of the formcorresponding
to thisfinal column. This saves an
application
of thedivision-by-2-algorithm.
Forlarge
positive
discriminants,
theresulting
gain
can be considerable.As observed in the
previous section,
the’superfluous generator’
332 in the finalstage
of ouralgorithm
is notentirely
useless: it carries informationon the relation between the
ambiguous
forms in the initial setSo .
Moreexplicitly,
the character values of S32 tell us that the elementis in 2C. As C is of
exponent
16,
thisimplies
that SD is annihilatedby
8.Using
the definition of Sij and the order relations2iaij =
0,
theresulting
relation8S32
+8a4l
= 0 iseasily
traced back toyield
This is the
unique
non-trivial relation between the initialgenerators
Qp.
We notedalready
that such relations can inprinciple
be found from thefundamental unit In this
fairly
smallexample
it is stillpossible
tocompute
~Dexplicitly.
It has norm1,
and we havewhere each
of t, u, v
is aninteger
ofapproximately
230 decimaldigits.
Wefind that
(eD
+1 ) /t
is an element of norm 13 - 97 -412 ,
from which we canread off the relation indicated above.
5.
Ternary quadratic
forms.This section describes the reduction
theory
ofternary
quadratic
formsthat is the basis of the
division-by-2-algorithm
in section 6.Let n > 1 be an
integer,
and L = Zn an n-dimensional lattice withEnd(L)
=M.(Z),
we have an associatedquadratic
form F =FA
on Ldefined
by
F(X) _
(AX, X). Writing
A as a matrix withrespect
to the standard basis of
L,
we haveFor n = 2 and n =
3,
we usevariables x,
y and z. If A ranges over theintegral
symmetric
~n
xn)-matrices,
thenFA
ranges over thequadratic
forms F = for which the ’mixed coefficients’ Cij with
i 54 j
are even.We define the determinant
det(F)
of a form Fcorresponding
to asym-metric matrix A
by
det(F)
=det~A).
Inparticular,
the determinant of aquadratic form Q
=ax2
+2bxy
+Cy2
is for usequal
toThere is a natural
right
action ofGLn(Z)
on the set ofquadratic
forms in n variablesby
’coordinate transformations’. If a form Fcorresponds
to a
symmetric
matrix A and S EGLn (Z)
is a coordinatechange,
thenFs
=(ASX, SX) =
(ST AsX,
X) clearly
corresponds
to the matrixST AS.
Here
S~’
denotes thetranspose
of S.Two
quadratic
forms F and G are said to beequivalent
if there existsa unimodular transformation S E
SLn(Z)
such thatFs
= G. Note that-idL
actstrivially
and has determinant(20131)~?
so theGLn(Z)-orbits
andthe
SLn (Z)-orbits
of forms coincide in odd dimension. Theadjoint
A* of a matrix A = is the matrixwhere the
(i, j )-minor
mij of A is the determinant of the matrix that isobtained from A
by
deleting
the i-th row and thej-th
column. If A isinvertible,
one hasThis
immediately yields
thegeneral
identities det A* = and A*B* _(AB)*,
and an easy checkyields
the usefulidentity
For a
quadratic
form Fcorresponding
to asymmetric
matrix A,
theadjoint
form F* of F is the formcorresponding
to A* .Passing
to theadjoint
iscompatible
with the action ofSLz(Z)
in the sense that we have(FS)* =
For n =
2,
we have Gauss’sbinary
quadratic
forms(a,
2b,
c)
=ax2
+2bxy+Cy2
with even middle coefficientcorresponding
tosymmetric
matricesIdentity
(2.1)
tells us that every form of determinant A isequivalent
to a form with first coefficient
lal
Moreover,
a unimodulartransformation that
yields
such anequivalent
form can beefficiently
com-puted
E8] .
For n = 3 we obtain
ternary
forms,
and for forms of non-zero determinant the reductiontheory proceeds
by
a combination ofbinary
reduction of boththe form itself and its
adjoint.
Suppose
theternary
form F of determinant0
corresponds
to asymmetric
matrix A = withadjoint
A*= (Ai j )i~~-1.
Then we can use suitable unimodular transformations ofthe form
/ - B.
as if we were to reduce the
quadratic
formF(x,
y,0)
=a, lX2
+2al2XY
+a22y2
of determinant alla2z -ai2 =
A33,
andproduce
aternary
formF with
unchanged
adjoint
coefficientA33
but with allsatisfying
lalli [
0.
Similarly, by
applying
the unimodular matrixto F we leave all invariant and
change
F*by
anapplication
ofChoosing
the coefficients ofSl
as ifreducing
thequadratic
form F*(0,
y,x) =
A3gx2 - 2A23XY
+A 22 y2,
which has determinantf3gf22 -
f23 -
AFall
by
(5.1),
we cansatisfy
theinequality
IA331 [
Alternating
these two
transformations,
weget
smaller values oflalll
and~A33I
untilboth
inequalities
laill :5
4A33/3
andA33I
V41allAF113
hold at theA semi-reduced form remains semi-reduced under unimodular
transforma-tions of the form
and we can use these to
produce
a reducedternary
form. There are twopossibilities,
depending
on whether the coefficient all of our semi-reducedform is zero or not.
In case all = 0 we also have
A33
= al2 =0,
and thereforeAF
= -aI3a22.
Looking
at the effect ofS2
onF,
we see that anappropriate
choice ofS2
yields
a form withA semi-reduced form with alI = 0
satisfying
(5.3)
is said to be reduced. Forgiven
OF,
there areonly
finitely
manypossible
values of al3 and a22, so the number of reduced forms ofgiven
determinant with all = 0 is finite. For a semi-reduced form withall =1=
0,
weapply
S2
with suitable 312 toobtain
As
A33
does notvanish,
asimple
inspection
of the action ofon F* shows that we can further achieve
A semi-reduced form with
all =1=
0satisfying
(5.4)
and(5.5)
is calledre-duced. It is
again
true that there areonly finitely
many reduced forms ofgiven
determinant with 0.Indeed,
we havebounded
the coefficientsal2 and
A13 ~ A23,
a A33
in terms ofAF,
and thefollowing
elementary
completion
lemma shows that in oursituation,
these coefficients andAF
5.6. LEMMA.
Suppose
we aregiven
rational numbers~,
all, aI2,A13,
A23
and
A33
satisfying ðalIA33 =1=
0. Then there exists aunique
rationalsymmetric
(3
x3)-matrix
A = with determinant A andadjoint
A* =
(Aij )3
i. e.,
there is aunique
way todefine
the starred entries insuch that A is rational and
symmetric
with determinant A andadjoint
A* .Proof.
As al l is non-zero, we can define a22by
the relationWe now use
A33 #
0 to defineAn, A12, A22
as theunique
solutions to theequations
and form the rational
symmetric
matrix B = It is clear that ifmatrices A and A* of the
required
sortexist,
then the relations(5.7)
holdby
(5.1)
and A isuniquely
determinedby
theequality
A* = B. Let ustherefore,
in accordance with(5.7),
define the rationalsymmetric
matrix A =by
theidentity
~A = B* .Passing
to theadjoint
yields
6,2 A*
=det(B) -
B,
so we see from(*)
that we haved2
=det(B)
andA* = B. Thus A has the correct
adjoint,
and from AA = B* = A** we seethat its determinant
equals
A. C7As every
ternary
form isequivalent
to a reducedform,
we see that thenumber of
equivalence
classes ofternary
forms of determinant A is finite for every A. As anexample
that we will need in the nextsection,
let ustake A = -1 and determine the
equivalence
classes. The entries of thesymmetric
matricescorresponding
to theternary
form F and itsadjoint
willagain
be denotedby
aij andAij,
respectively.
By
(5.2),
a semi-reducedternary
form F of determinant A = -1 haseither an =
A33 =
0 or)all) = IA331
‘
= 1. In thecase al l =
