ALGORITHMS FOR ALGEBRAIC CURVES

Transcription

1 ALGORITHMS FOR ALGEBRAIC CURVES SUMMARY OF LECTURE 4 1. SCHOOF S ALGORITHM Let K be a finite field with q elements. Let p be its characteristic. Let X be an elliptic curve over K. To simplify we assume that p is not in {2, 3} and X is given by a reduced Weierstrass equation. Schoof s algorithm computes the order of X(K). We denote by Φ = Φ (q) the Frobenius endomorphism. We know that (1) Φ 2 tφ + q = 0 End(X), and this equality remains true for the retriction of Φ to the l-torsion subgroup X[l] for any integer l. Namely (2) Φ 2 tφ + q = 0 End(X[l]). Schoof s algorithm computes t mod l by looking at the action of Φ on X[l]. If we compute t mod l for enough primes l then we can deduce the actual value of t in [ 2 q, +2 q]. So we need to compute t mod l for primes l such that (3) l > 4 q. For each given l, we find t mod l by testing the identity (2) for every possible value of t in [0,..., l 1]. To this end, we need a non-trivial l-torsion point on X. We consider the ring R l = F q [x, y]/i, where I is the ideal in F q [x, y] generated by the affine equation y 2 x 3 ax b of the curve X, and the l-division polynomial ψ l (x). The ring R l is the residue ring at X[l] O. Equivalently Spec(R l ) = X[l] O. The point P = (x mod I, y mod I) X K R l has order l. We compute Φ(P ), then Φ(Φ(P )), then qp, then Φ(Φ(P )) + qp, then all multiples kφ(p ) for 0 k l 1. We compare Φ(Φ(P )) + qp and the various kφ(p ) until we find a match. This gives t modulo l. Computing Φ(P ) boils down to computing x q and y q modulo I. Using fast exponentiation we need O(log q) operations in R l. Computing Φ(Φ(P )) has the same complexity. Computing qp requires O(log q) operations in R l using fast exponentiation again. Computing the kφ(p ) requires O(l) operations in R l. The total cost is thus (l + log q) operations in R l. 1

2 2 SUMMARY OF LECTURE 4 Since the dimension of R l is l 2 1, the cost of one operation in R l is l 2+o(1) operations in K is we use fast arithmetic. The cost of one operation in K is (log q) 1+o(1) using fast arithmetic. The total cost to compute t mod l is thus (4) (l + log q)l 2+o(1) (log q) 1+o(1). Now we must compute t mod l for several l. To achieve the condition in Equation (3) we can take all primes l O(log q) and the number of such primes is then O(log q). This is because there exists a constant C such that l > C exp(l). l L To obtain the total cost of Schoof s algorithm we thus replace l by log q in Equation (4) and multiply by log q. We obtain T = (log q) 5+o(1). Note that if we use elementary school algorithms for arithmetic operations with integers and polynomials, then the cost will be T = (log q) 8+o(1). The memory space used by the algorithm is M = (log q) 3, because we need to store the division polynomials ψ l. They have degree (l 2 1)/2 and coefficients in K. 2. ACCELERATING SCHOOF S ALGORITHM Schoof s algorithm is not so convenient in practive because its complexity, though polynomial, is a bit high. To improve on it we may try to replace ψ l (x) by a small degree factor of it. This raises the following interresting question: which is the degree of the irreducible factors of ψ l? To answer this question we set Γ = Gal( K/K) the absolute Galois group of K. It acts on the roots of ψ l (x). It also acts on X[l]. These two actions are related. Indeed, the map x : X[l] O {roots of ψ l } is Galois equivariant. It is a 2 to 1 map if l is odd. Controlling the Galois action on X[l] is easy because X[l] is a 2-dimensional vector space over F l and the Galois action is linear (it is compatible with the group law). Further Γ is a procyclic group topologically generated by the Frobenius Φ. And the characteristic polynomial of Φ acting on X[l] is x 2 tx + q F l [x]. Elkies improvement to Schoof s algorithm assumes that t 2 4q is a non-zero square in F l. Then Φ is a semi-simple and split endomorphism of X[l]. We have x 2 tx + q = (x a)(x b) F l. There are two eigenspaces G a and G b in X[l] associated with the two roots a and b. Both G a O and G b O are stable by the Galois action. They correspond to two degree (l 1)/2 factors f a (x) and f b (x) of ψ l (x). If we could replace ψ l (x) by one of these two factors in Schoof s algorithm, we would reduce the time complexity to (log q) 4+o(1) using fast arithmetic and (log q) 6+o(1) using elementary

3 ALGORITHMS FOR ALGEBRAIC CURVES 3 school arithmetic. The space complexity also would decreases to O((log q) 2 ). This is an important improvement also. This raises two questions. Is it often the case that t 2 4q is a non-zero square modulo l? This is equivalent to l splits in the quadratic ring Z[Φ]. One prime over two splits. However, there is no proof that one small prime over two splits. Even GRH cannot ensure this for primes log q. However, we expect that one small prime over two splits and this is indeed almost always the case. Another question is : how do we compute f a (x) and f b (x)? We may use Berlekamp s algorithm but this is just as long as Schoof s algorithm. So we don t do that. We need another more intelligent method. Elkies idea is that computing f a reduces to computing the eigenspace G a. One associates to G a the degree l quotient isogeny I a : X X a = X/G a. Elkies suggest to compute first the target elliptic curve X a, then the isogeny I a, then the kernel Ker(I a ) = G a, then the polynomial f a (x). So we need an efficient way to compute target curves for degree l isogenies from X. This is done using the modular curve Y 0 (l). 3. THE MODULAR CURVE Let K be a field with characteristic p and let l be a prime to p integer. We call I the category whose objects are the degree l isogenies I : X Y defined over K. A morphism between two such objects I 1 : X 1 Y 1 and I 2 : X 2 Y 2 is a pair of isomorphisms u : X 1 X 2 and v : Y 1 Y 2, such that I 2 u = vi 1. We call S the category whose objects are pairs (X, G) where X is an elliptic curve over K and G a cyclic subgroup(scheme) of degree l. A morphism between (X 1, G 1 ) and (X 2, G 2 ) is an isomorphism u : X 1 X 2 such that u(g 1 ) = G 2. These two categories are equivalent. Isomorphism classes of objects in either categories are parametrized by K-points on a K-algebraic smooth affine curve denoted Y 0 (l). In fact Y 0 (l) does not depend on K. One can define Y 0 (l) over Z[ 1 ] and show that it is a coarse l moduli space. See Vélu s thesis [Vel2]. We shall be happy with the naive interpretation that Y 0 (l) parametrizes degree l isogenies between elliptic curves. For example, for l = 1, we parametrize elliptic curves up to isomorphism. So Y 0 (1) is just the affine line A 1. To every elliptic curve X one associates its j-invariant and define a point in A 1. We often write Y (1) instead of Y 0 (1). Let [I : X Y ] be the point on Y 0 (l) associated with the isomorphism class of the isogeny I : X Y. We can associate to it the point [X] on Y (1) associated with the isomorphism class of the curve X. We thus define a map j X : Y 0 (l) Y (1). In fact j X ([I : X Y ]) = [X] = j(x). We similarly define a map j Y : Y 0 (l) Y (1)

4 4 SUMMARY OF LECTURE 4 by j X ([I : X Y ]) = [Y ] = j(y ). The maps j X and j Y both have degree l + 1, because a generic elliptic curve has l + 1 pairwise non-isomorphic isogenies of degree l, corresponding to the l + 1 lines in the affine plane The product map (F l ) 2 = X[l]. j X j Y : Y 0 (l) A 2 is a birational equivalence between Y 0 and its image, the affine plane curve denoted C 0 (l). This is not an isomorphism unfortunately, and the plane curve C 0 (l) is a singular plane model for Y 0 (l). This will suffice for most computational purposes however. We denote by E l (x, y) = 0 the equation of the affine plane curve C 0 (l). In particular E l (j X, j Y ) = 0. The degree of E l in either variables is l + 1. To every point [I : X Y ] on Y 0 (l) we can associate the point [Î : Y X] representing the (isomorphism class of) the dual isogeny. This defines an involution w : Y 0 (l) Y 0 (l) called the Atkin-Lehner involution. The existence of this involution is reflected by the fact that the equation E l (x, y) is symmetric. The leading term of E l (x, y), when seen as a polynomial in the variable x is x l+1 times constant, which we can normalize to be one. This is because the quotient of an elliptic curve by a subgroup of order l is always an elliptic curve. Then, the leading term of E l (x, y), when seen as a polynomial in the variable y is y l+1. Further, when we normalize this way, all the coefficients in E l (x, y) are rational integers. For example, for l = 2, we have E 2 (x, y) = x 3 + y 3 x 2 y (x 2 y + xy 2 ) (x 2 + y 2 ) xy (x + y) The use of this is that for any field K and any elliptic curve X over K, if we replace x by the j-invariant of X in the above equation, the resulting degree 3 polynomial in y has roots the j-invariants of the l + 1 = 3 isogenous curves to X by a degree l = 2 isogeny. 4. THE DECOMPOSITION OF ψ l, AN EXAMPLE We consider the elliptic curve X with equation y 2 = x 3 + x over the field K = F 3. The cardinality of X(K) is 4. So the trace t of Φ is zero. The characteristic polynomial of Φ is x We set l = 7 and ask how ψ 7 (x) factors? We first consider the action of Φ on X[7] = (F 7 ) 2. This is a linear action. The characteristic polynomial of Φ factors modulo 7 as (x 2)(x + 2) F 7 [x]. So the matrix of Φ in a well chosen basis is ( 2 ) It makes sense to first look at the action of Φ on the set P(X[7]) = P 1 (F 7 ) of lines in X[7]. There are l+1 such lines. Both eigenspaces are fixed by Φ. The remaining l 1 lines are the lines

5 ALGORITHMS FOR ALGEBRAIC CURVES 5 with equation y = λx where the slope λ takes any value in F l. The image of the line with slope λ by Φ is easily seen to be the line with slope λ, because the quotient of the two eigenvalues is 2/2 = 1. So the action of Φ on P 1 (F 7 ) has two fixed points and 3 orbits of size 2. We now look at the action on X[7]. Clearly the origin O is fixed by Φ. Consider the line with equation x = 0. This is the eigenspace associated with the eigenvalue 2. Points in this line are multiplied by 2. Since the order of 2 in F 7 is 6, we obtain one orbit of size 6. Consider now the line with equation y = 0. This is the eigenspace associated with the eigenvalue 2. Points in this line are multiplied by 2. Since the order of 2 in F 7 is 3, we obtain two orbit of size 3. The remaining points belong to lines that are not fixed by Φ. Recall these lines form orbits of size 2. So we study the action of Φ 2 = 3 on these points. The order of 3 in F 7 is 3. So the orbits for the action of Φ 2 have length 3. And the orbits for the action of Φ have length 6. We obtain 6 orbits of size 6. Altogether we have found 1 orbit of size 1, orbits of size 6, and 2 orbits of size 3. The decomposition type is (1 1, 3 2, 6 7 ). We now look at the Galois action on the roots of ψ l. These roots are the x-coordinates of l-torsion points. Since two opposite points have the same x coordinate, these roots correspond to pairs of opposite points in X[l]. The calculation is almost the same as before. Consider the line with equation x = 0. This is the eigenspace associated with the eigenvalue 2. Points in this line are multiplied by 2. This time we identify a point and its opposite, so what matters is the order of 2 in the quotient F 7/{1, 1}. This order is 3. So we obtain one orbit of size 3. Consider now the line with equation y = 0. This is the eigenspace associated with the eigenvalue 2. Points in this line are multiplied by 2. Since the order of 2 in F 7/{1, 1} is 3, we obtain one orbit of size 3. The remaining points belong to lines that are not fixed by Φ. Recall these lines form orbits of size 2. So we study the action of Φ 2 = 3 on these points. The order of 3 in F 7/{1, 1} is 3. So the orbits for the action of Φ 2 have length 3. And the orbits for the action of Φ have length 6. We obtain 3 orbits of size 6. Altogether we have found 3 orbits of size 6, and 1+1 orbits of size 3. The decomposition type is (3 2, 6 3 ). Indeed this is confirmed by the calculation in PARI/GP? E=[0,0,0,1,0];? Psi7=elldivpol(ellinit(E),7)*Mod(1,3) %2 = Mod(1, 3)*x^24 + Mod(2, 3)*x^22 + Mod(1, 3)*x^20 + Mod(2, 3)*x^18 + Mod(1, 3)*x^16 + Mod(2, 3)*x^14 + Mod(2, 3)*x^12 + Mod(1, 3)*x^8 + Mod(2, 3)*x^6 + Mod(1, 3)*x^2 + Mod(2, 3)? factor(psi7) %3 = [Mod(1, 3)*x^3 + Mod(1, 3)*x^2 + Mod(2, 3)*x + Mod(1, 3) 1] [Mod(1, 3)*x^3 + Mod(2, 3)*x^2 + Mod(2, 3)*x + Mod(2, 3) 1]

6 6 SUMMARY OF LECTURE 4 [Mod(1, 3)*x^6 + Mod(2, 3)*x^4 + Mod(1, 3)*x^2 + Mod(1, 3) 1] [Mod(1, 3)*x^6 + Mod(1, 3)*x^5 + Mod(2, 3)*x^4 + Mod(2, 3)*x^3 + Mod(2, 3)*x^2 + Mod(2, 3)*x + Mod(1, 3) 1] [Mod(1, 3)*x^6 + Mod(2, 3)*x^5 + Mod(2, 3)*x^4 + Mod(1, 3)*x^3 + Mod(2, 3)*x^2 + Mod(1, 3)*x + Mod(1, 3) 1] REFERENCES [Vel2] J. Vélu. Courbes elliptiques munies d un sous-groupe Z/nZ µ n. Mémoires de la Société Mathématique de France, no. 57 (1978), pp