
The probability of primality of the order of a genus 2 curve - PowerPoint PPT Presentation

1. The probability of primality of the order of a genus 2 curve Jacobian. Wouter Castryck, joint with Hendrik Hubrechts, Alessandra Rigato, Andrew Sutherland (K.U. Leuven / M.I.T.). ECC 2010, Redmond. Running footer on every slide: P(# Jac(genus 2 curve) is prime), Wouter Castryck (K.U. Leuven / M.I.T.), ECC 2010, Redmond; 41 slides.



2. Contents
(1) Alternative heuristics for Galbraith-McKee (genus g = 1)
(2) Adaptation to genus g = 2
(3) Asymptotics for g → ∞
(4) Concluding remarks

3. g=1 (slides 2–16). The genus 1 case: Galbraith-McKee conjecture. Let $\mathbb{F}_q$ be a finite field of char $\ge 5$. Let $E : y^2 = x^3 + Ax + B$ be a random elliptic curve, i.e., $(A, B)$ is taken uniformly at random from the set $\{ (A, B) \in \mathbb{F}_q^2 \mid 4A^3 + 27B^2 \neq 0 \}$. Let $N_E = \#E(\mathbb{F}_q)$. Question: what is $P(N_E \text{ is prime})$? Motivation: cryptography.

4. g=1 (slides 2–16). The distribution of $N_E$. Hasse's theorem: $N_E \in [\, q + 1 - 2\sqrt{q},\ q + 1 + 2\sqrt{q} \,]$. Let's rescale this a bit. Trace of Frobenius: $T_E = q + 1 - N_E \in [-2\sqrt{q}, 2\sqrt{q}]$. Normalized trace of Frobenius: $t_E = T_E / 2\sqrt{q} \in [-1, 1]$. Birch, Yoshida, Katz-Sarnak: $t_E$ tends to follow a semicircular distribution, i.e.
$$\lim_{q \to \infty} P(a \le t_E \le b) = \frac{2}{\pi} \int_a^b \sqrt{1 - t^2}\, dt.$$

5. g=1 (slides 2–16). The distribution of $N_E$. [Figure: histogram of 100,000 curves $y^2 = x^3 + Ax + B$ over $\mathbb{F}_{7^5}$, with interval width 15.]

6. g=1 (slides 2–16). Subtleties. The limit dissolves the discrete nature of $N_E$ (or $T_E$). Same experiment, but now interval width 1: [Figure: histogram with interval width 1.] This doesn't seem to converge to a semicircle very 'smoothly' (lots of peaks and valleys). Gaps at $T_E \equiv 0 \bmod 7$ (supersingular curves).


8. g=1 (slides 2–16). Subtleties. Easy fact (not very well-known): $\lim_{q \to \infty} P(N_E \text{ is even}) = 2/3$. Proof: The completing-the-cube map $\{\text{square-free } x^3 + ax^2 + bx + c\} \to \{\text{square-free } x^3 + Ax + B\}$ is uniform. Thus we may assume that $E$ is defined by $y^2 = f(x)$ for a random square-free $f(x) = x^3 + ax^2 + bx + c$. $N_E$ is even $\Leftrightarrow$ $E(\mathbb{F}_q)$ has 2-torsion $\Leftrightarrow$ $f(x)$ is reducible. The irreducible $f(x)$ are precisely the minimal polynomials of all $\theta \in \mathbb{F}_{q^3} \setminus \mathbb{F}_q$, and the correspondence is 3-to-1. Thus
$$\lim_{q \to \infty} P(f(x) \text{ is irreducible}) = \lim_{q \to \infty} \frac{\tfrac{1}{3}(q^3 - q)}{q^3 - O(q^2)} = \frac{1}{3}. \qquad \square$$

9. g=1 (slides 2–16). Subtleties. Lenstra: in general, we have
$$\lim_{q \to \infty} \left( P(\ell \mid N_E) - \begin{cases} \dfrac{1}{\ell - 1} & \text{if } q \not\equiv 1 \bmod \ell \\[1ex] \dfrac{\ell}{\ell^2 - 1} & \text{if } q \equiv 1 \bmod \ell \end{cases} \right) = 0$$
for any prime number $\ell$ not dividing $q$. Thus: $\ell \ll q \Rightarrow P(\ell \mid N_E) > 1/\ell$. This suggests that $P(N_E \text{ is prime})$ is smaller than one would naively expect.

10. g=1 (slides 2–16). Galbraith-McKee conjecture. Let's try to quantify this (assume $q = p$ is prime). Heuristically (but in fact wrong! $\sim$ Mertens' theorem),
$$P_1(p) = P(\text{random number is prime}) \approx \prod_{\ell \le \sqrt{p} + 1} \frac{\ell - 1}{\ell} \approx \frac{1}{\log p}.$$
Using Lenstra's estimates, heuristically ('equally wrong'),
$$P_2(p) = P(N_E \text{ is prime}) \approx \prod_{\substack{\ell \nmid p - 1 \\ \ell \le \sqrt{p} + 1}} \frac{\ell - 2}{\ell - 1} \cdot \prod_{\substack{\ell \mid p - 1 \\ \ell \le \sqrt{p} + 1}} \frac{\ell^2 - \ell - 1}{\ell^2 - 1}.$$
So:
$$\frac{P_2(p)}{P_1(p)} \approx \frac{\prod_{\ell \nmid p - 1} \frac{\ell - 2}{\ell - 1} \cdot \prod_{\ell \mid p - 1} \frac{\ell^2 - \ell - 1}{\ell^2 - 1}}{\prod_{\ell} \frac{\ell - 1}{\ell}}.$$

11. g=1 (slides 2–16). Galbraith-McKee conjecture. Rearranging terms gives: Conjecture (Galbraith-McKee, 2000): Let
$$c_p = \frac{2}{3} \cdot \prod_{\ell > 2} \left( 1 - \frac{1}{(\ell - 1)^2} \right) \cdot \prod_{\ell \mid p - 1,\ \ell > 2} \left( 1 + \frac{1}{(\ell + 1)(\ell - 2)} \right),$$
then $\lim_{p \to \infty} \bigl( P_2(p) / P_1(p) - c_p \bigr) = 0$. $c_p \in [0.44, 0.62]$. Galbraith & McKee give a different heuristic argument! They use an analytic Hurwitz-Kronecker class number formula counting equivalence classes of bivariate quadratic forms with given discriminant.
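An added check of the two preceding slides (example code, not from the talk): the per-prime factors of $P_2(p)/P_1(p)$ are compared, as exact fractions, with the rearranged factors that define $c_p$; $c_p$ is then evaluated numerically for two constructed sample primes, and the naive product $P_1(p)$ is compared with $1/\log p$ to show the Mertens discrepancy the slide calls "wrong". The prime bound `bound` and the sample primes 2311 and 65537 are choices made here.

```python
from fractions import Fraction
from math import isqrt

def primes_upto(n):
    """Sieve of Eratosthenes (helper constructed for this example)."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(n) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i in range(n + 1) if sieve[i]]

def p1_heuristic(p):
    """Naive P_1(p): product of (ell-1)/ell over primes ell <= sqrt(p)+1.
    By Mertens' theorem this behaves like 2 e^{-gamma} / log p, about 12 %
    above the 1 / log p the slide writes, which is the 'in fact wrong' remark."""
    prod = 1.0
    for ell in primes_upto(isqrt(p) + 1):
        prod *= (ell - 1) / ell
    return prod

def local_ratio(ell, p):
    """Per-prime factor of P_2(p)/P_1(p): Lenstra's P(ell does not divide N_E)
    divided by the naive factor (ell-1)/ell, kept as an exact fraction."""
    if (p - 1) % ell == 0:
        not_dividing = Fraction(ell * ell - ell - 1, ell * ell - 1)
    else:
        not_dividing = Fraction(ell - 2, ell - 1)
    return not_dividing / Fraction(ell - 1, ell)

def gm_factor(ell, p):
    """The same factor in the rearranged form used in the definition of c_p."""
    if ell == 2:
        return Fraction(2, 3)          # 2 | p-1 for every odd prime p
    f = 1 - Fraction(1, (ell - 1) ** 2)
    if (p - 1) % ell == 0:
        f *= 1 + Fraction(1, (ell + 1) * (ell - 2))
    return f

def c_p(p, bound=20_000):
    """Numerical c_p; the product over ell > 2 converges (its tail is
    1 - O(1/bound)), so it is truncated at primes ell <= bound."""
    c = 1.0
    for ell in primes_upto(bound):
        c *= float(gm_factor(ell, p))
    return c
```

For p = 65537 only ℓ = 2 divides p − 1, so c_p sits at the lower end (about 0.44); for p = 2311 = 2·3·5·7·11 + 1 the extra factors push it to roughly 0.60.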

12. g=1 (slides 2–16). Random matrices. Let $\gcd(n, q) = 1$. To an elliptic curve $E / \mathbb{F}_q$ we can associate its $n$-torsion subgroup $E[n] = \{ P \in E(\overline{\mathbb{F}}_q) \mid nP = \infty \}$. It is well-known that $E[n] \cong \mathbb{Z}/(n) \times \mathbb{Z}/(n)$. Let $(P, Q)$ be a $\mathbb{Z}/(n)$-module basis of $E[n]$, and let $\sigma : E[n] \to E[n]$ be the $q$-th power Frobenius. Then we can write $P^\sigma = [\alpha] P + [\beta] Q$, $Q^\sigma = [\gamma] P + [\delta] Q$. Fact: the matrix
$$\begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix} \in (\mathbb{Z}/(n))^{2 \times 2}$$
has trace $\equiv T_E \bmod n$ and determinant $\equiv q \bmod n$.

13. g=1 (slides 2–16). Random matrices. Choosing another basis yields a $\mathrm{GL}_2(\mathbb{Z}/(n))$-conjugated matrix. Thus we can unambiguously associate to $E$ a conjugacy class $F_E$ of matrices of Frobenius (all having trace $T_E$ and determinant $q$). Let $M_q \subset \mathrm{GL}_2(\mathbb{Z}/(n))$ be the set of matrices of determinant $q$. Quasi-theorem: Let $F$ be a conjugacy class of matrices of determinant $q$. Then
$$\left| P(F_E = F) - \frac{\#F}{\#M_q} \right| \le \frac{C\, n^2}{\sqrt{q}}.$$
This is likely to follow from: Chebotarev's density theorem applied to $X(n) \to X(1)$ (in progress); Katz-Sarnak equidistribution as elaborated by Achter, currently modulo some hypotheses.

14. g=1 (slides 2–16). Example 1. What proportion of elliptic curves satisfies $E[\ell] \subset E(\mathbb{F}_q)$? $E[\ell] \subset E(\mathbb{F}_q)$ if and only if $E[\ell]$ has a basis consisting of $\mathbb{F}_q$-rational points $P$ and $Q$. Thus: if and only if
$$F_E = \left\{ \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \right\}.$$
By the random matrix theorem, the chance that this happens is
$$\approx \frac{\#\left\{ \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \right\}}{\#M_q}.$$
$\#M_q = \ell^3 - \ell$ (exercise). Thus $P(E[\ell] \subset E(\mathbb{F}_q)) \approx \dfrac{1}{\ell^3 - \ell}$.

15. g=1 (slides 2–16). Example 2. Alternative proof of $\lim_{q \to \infty} P(N_E \text{ is even}) = 2/3$. There are 6 elements of $(\mathbb{Z}/(2))^{2 \times 2}$ having determinant $q \equiv 1$:
$$\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix},\ \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix},\ \begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix},\ \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix}.$$
4 of them have trace 0. $P(N_E \text{ is even}) = P(q + 1 - T_E \text{ is even}) = P(T_E \text{ is even}) = 4/6$.

16. g=1 (slides 2–16). Example 2. More generally: let $\ell$ be a prime number not dividing $q$. Exercise:
$$\#\{ M \in M_q \mid q + 1 - \mathrm{Tr}(M) \equiv 0 \} = \begin{cases} \ell^2 + \ell & \text{if } q \not\equiv 1 \bmod \ell \\ \ell^2 & \text{if } q \equiv 1 \bmod \ell. \end{cases}$$
Recall: $\#M_q = \ell^3 - \ell$. Hence we recover Lenstra's result:
$$P(\ell \mid N_E) \approx \begin{cases} \dfrac{\ell^2 + \ell}{\ell^3 - \ell} = \dfrac{1}{\ell - 1} & \text{if } q \not\equiv 1 \bmod \ell \\[1.5ex] \dfrac{\ell^2}{\ell^3 - \ell} = \dfrac{\ell}{\ell^2 - 1} & \text{if } q \equiv 1 \bmod \ell. \end{cases}$$
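An added brute-force check of the counts used in Examples 1 and 2 on slides 14–16 (example code, not from the talk): $M_q$ is enumerated over $\mathbb{Z}/(\ell)$ for small $\ell$ and $q$, and the resulting proportions are compared with $\#M_q = \ell^3 - \ell$, with Lenstra's closed form, and with the $1/(\ell^3 - \ell)$ estimate for full $\ell$-torsion. The specific values of $\ell$ and $q$ used are sample choices made here.

```python
from fractions import Fraction
from itertools import product

def matrices_det(ell, q):
    """M_q: all 2x2 matrices (a, b, c, d) over Z/(ell) with determinant == q mod ell,
    found by brute force over the ell^4 candidates (fine for small ell)."""
    return [(a, b, c, d) for a, b, c, d in product(range(ell), repeat=4)
            if (a * d - b * c - q) % ell == 0]

def size_mq(ell, q):
    """#M_q; the slides state this equals ell^3 - ell whenever ell does not divide q."""
    return len(matrices_det(ell, q))

def prob_ell_divides(ell, q):
    """Heuristic P(ell | N_E): the share of M in M_q with q + 1 - Tr(M) == 0 mod ell,
    i.e. with characteristic polynomial (x - 1)(x - q), so Frobenius has eigenvalue 1
    and the ell-torsion contains an F_q-rational point."""
    mq = matrices_det(ell, q)
    hits = sum(1 for a, b, c, d in mq if (q + 1 - (a + d)) % ell == 0)
    return Fraction(hits, len(mq))

def lenstra(ell, q):
    """Closed form from the slides: 1/(ell-1) if q != 1 mod ell, else ell/(ell^2-1)."""
    return Fraction(1, ell - 1) if q % ell != 1 else Fraction(ell, ell * ell - 1)

def prob_full_torsion(ell, q):
    """Heuristic P(E[ell] subset E(F_q)): share of the identity matrix in M_q.
    The identity has determinant 1, so this is 1/(ell^3 - ell) when q == 1 mod ell
    and 0 otherwise (the Weil pairing forces q == 1 mod ell for full ell-torsion)."""
    mq = matrices_det(ell, q)
    return Fraction(mq.count((1, 0, 0, 1)), len(mq))
```

With ℓ = 2 and odd q the enumeration reproduces the six matrices of slide 15 and the 4/6 of trace 0; with q ≢ 1 mod ℓ the count is ℓ² + ℓ, with q ≡ 1 mod ℓ it is ℓ², as in the exercise above.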


18. g=2 (slides 18–34). The genus 2 case. Let $\mathbb{F}_q$ be a finite field of char $\ge 3$. Let $H : y^2 = f(x)$ be a random genus 2 curve, i.e., $f(x)$ is taken uniformly at random from either $\mathcal{H}_6 = \{ f(x) \in \mathbb{F}_q[x] \mid f(x) \text{ monic, square-free, of degree } 6 \}$ or $\mathcal{H}_5 = \{ f(x) \in \mathbb{F}_q[x] \mid f(x) \text{ monic, square-free, of degree } 5 \}$. These are distinct notions! Let $N_H = \#\mathrm{Jac}(H)(\mathbb{F}_q)$. Question: what is $P(N_H \text{ is prime})$? Motivation: cryptography.
