Possible Group Structures of Elliptic Curves over Finite Fields

Transcription

1 Possible Group Structures of Elliptic Curves over Finite Fields Igor Shparlinski (Sydney) Joint work with: Bill Banks (Columbia-Missouri) Francesco Pappalardi (Roma) Reza Rezaeian Farashahi (Sydney)

2 1 Introduction Two common beliefs A. Besides possible torsion groups, we know where little about possible group structures of elliptic curves over Q. B. We know everything we need about possible group structures of elliptic curves over IF q, Ruck, Schoof, Voloch, Waterhouse,... A. is certainly correct... How about B.?

3 2 What do we know about E(IF q )? E(IF q ) is of rank two: E(IF q ) = Z n Z nk E.g., nk is the exponent of E(IF q ). Two Questions Question 1: What pairs (n, k) can be realised by all possible prime powers q and curves E/IF q and how frequently? Question 2: What pairs (n, k) can be realised for a given q and all curves E/IF q and how frequently?

4 3 How to compute n and k? Probablilistic Algorithm Compute #E(IF q ) (determistically) Factor #E(IF q ) Take a random point P E(IF q ) and compute its order After several trials, declare the largest achieved order to be the exponent e of the group E(IF q ), and put n = #E(IF q )/e and k = e/n. Complexity: Subexponential (even on average)

5 4 V. Miller (2004): Faster probabilistic algorithm (still subexponential) J. Friedlander, C. Polmerance & I. Shparlinski (2006): Average case analysis (polynomial). Deterministic Algorithm D. Kohel & I. Shparlinski (2000): Bounds of exponential sums An explicit set S E(IF q ) with #S = q 1/2+o(1) containing a point of the largest possible order Computing n and k deterministically in time q 1/2+o(1)

6 5 What do we know about n and k? Hasse Bound: #E(IF q ) = n 2 k = q + 1 t where t 2q 1/2 Weil pairing n q 1 Lemma 1 If q is a prime power, and E/IF q is such that then E(IF q ) = Z n Z nk, q = n 2 k + nl + 1 where l 2 k. Warning: These conditions are almost if and only if, but not quite...

7 6 Arbitrary Field IF q What do we study? We introduce and study the set S Π = {(n, k) IN IN : prime power q and E/IF q with E(IF q ) = Z n Z nk } We are also study the subset S π S Π defined by S π = {(n, k) IN IN : prime p and E/IF p with E(IF p ) = Z n Z nk } Remark: Given an pair (n, k) we can test whether (n, k) S Π or (n, k) S π in finitely many steps.

8 7 One expects S π and S Π to be reasonably dense in IN IN. However, the complementary sets appear to be rather large: List of the pairs (n, k) S Π with n, k 25: (11, 1), (11, 14), (13, 6), (13, 25), (15, 4), (19, 7), (19, 10), (19, 14), (19, 15), (19, 18), (21, 18), (23, 1), (23, 5), (23, 8), (23, 19), (25, 5), (25, 14). To investigate the distribution of the elements of S π and of S Π, we introduce the sets S π (N, K) = { (n, k) S π : n N, k K }, S Π (N, K) = { (n, k) S Π : n N, k K }, We obtain estimates for the cardinalities of these sets in various ranges of N and K

9 8 We consider the set of primes p such that Z n Z nk can be realized as the group of points of an elliptic curve over IF p : J π (n, k) = {primes p : E/IF p for which E(IF p ) = Z n Z nk }. We obtain an asymptotic formula in certain ranges of N and K for J π (N, K) = n N k K #J π (n, k), Motivated by Lemma 1, we compare N k,m = {n IN : p prime and E/IF p m with E(IF p m) = Z n Z kn }. and Ñ k,m = {n IN : l Z, p prime with l 2 k and p m = n 2 k + ln + 1}.

10 9 Basic Tools Characterisation of cardinalities Waterhouse (1969): Lemma 2 Let q = p m be a power of a prime p and let N = q + 1 a. There is an elliptic curve E/IF q with #E(IF q ) = N if and only if a 2 q and a satisfies one of the following: (i) gcd(a, p) = 1; (ii) m even and a = ±2 q; (iii) m is even, p 1 (mod 3), and a = ± q; (iv) m is odd, p = 2 or 3, and a = ±p (n+1)/2 ; (v) m is even, p 1 (mod 4), and a = 0; (vi) m is odd and a = 0.

11 10 Characterisation of group structures Rück and Voloch (1987) Lemma 3 Let N be an integer that occurs as the order of an elliptic curve over a finite field IF q where q = p m is a power of a prime p. Write N = p e n 1 n 2 with p n 1 n 2 and n 1 n 2. (possibly n 1 = 1). There is an elliptic curve E over IF q such that if and only if E(IF q ) = Z p e Z n1 Z n2 1. n 1 = n 2 in the case (ii) of Lemma 2; 2. n 1 q 1 in all other cases of Lemma 2.

12 11 Prime fields Combining Lemmas 2 and 3 we get: Corollary 4 If p + 1 N 2 p and N = n 1 n 2 with n 1 n 2 and n 1 p 1 then there is an elliptic curve E/IF p with E(IF p ) = Z n1 Z n2. Recall: J π (n, k) = {primes p : E/IF p for which E(IF p ) = Z n Z nk }. Corollary 5 We have p J π (n, k) if and only if p = n 2 k + nl + 1 where l 2 k. Corollary 5 means that for prime q = p, Lemma 1 is an if and only if statement

13 12 Analytic number theory Here we study J π (N, K) = n N k K #J π (n, k), Corollary 5: If n and l fixed, we count primes p = n 2 k + nl + 1 l 2 /4 k K. or p nl + 1 (mod n 2 ) where n 2 l 2 /4 + nl + 1 p n 2 K + nl + 1. Put π(x; m, a) = # { p x : p a (mod m) } Lemma 6 For all N, K IN we have ( J π (N, K) = π(n 2 K + nl + 1; n 2, nl + 1) n N l 2 K ) π( 4 1 n2 l 2 + nl; n 2, nl + 1).

14 13 What is next? Good News: functions J π (N, K) is expressed via classical Bad News: We need to study primes in short arithmetic progressions: modulus N 2, the length K, while unconditional results are very weak. Good News: We need this on average over n: recall Bombieri-Vinogradov Bad News: The averaging is over square moduli, rather than over all moduli up to a certain limit. Good News: Baier & Zhao (2008) have exactly this version of the Bombieri-Vinogradov theorem!

15 14 Bombieri-Vinogradov theorem modulo squares As usual, we set ψ(x; m, a) = n x n a (mod m) Λ(n), where Λ(n) is the von Mangoldt function. Baier & Zhao (2008): Lemma 7 For fixed ε > 0 and C > 0, we have m x 2/9 ε m max gcd(a,m)=1 ψ(x; m2, a) x ϕ(m 2 ) x (log x) C. Moduli m 2 run up to almost x 4/9, only a little bit behind of x 1/2 as in the Bombieri-Vinogradov theorem.

16 15 Are we done? Not quite.... Things still to be taken care of: Switch from ψ to π Partial summation! The upper limits in π(n 2 K + nl + 1; n 2, nl + 1) and π( 1 4 n2 l 2 +nl; n 2, nl+1) are moving with n. Separate the range of summation over n, into O( 1 log N) intervals [M, M + M] replace n 2 with M 2, up to the error term of O((M 2 n 2 )K) = O(M 2 K ) optimise We can deal with J π (N, K) for N K 2/5 ε, i.e., for groups generated by E/F p with a large torsion group over IF p.

17 16 Sets S Π (N, K) and S Π (N, K) Theorem 8 For any ε > 0 and N K 2/5 ε, NK #S Π (N, K) #S π (N, K) NK log K. Proof. If p = 1 + n 2 k then #S π (N, K) (n, (p 1)/n 2 ) S π (N, K) n N N/2 n N 1 log K 1 log K π(n 2 K, n 2, 1) π(n 2 K, n 2, 1) N/2 n N N/2 n N ψ(n 2 K, n 2, 1) ψ(n 2 K/4, n 2, 1). The result of Baier & Zhao (2008), i.e., Lemma 7, applies if N (N 2 K) 2/9 δ for some δ > 0 or N K 2/5 ε for some ε > 0.

18 17 Suppose that K is fixed We are interested in prime powers: q = n 2 k + nl + 1 and l 2 k Good News: Sieve methods can be used for upper bounds Bad News: We need explicit bounds and we have 4k 1/2 progressions. Good News: When k is fixed this should work.

19 18 Selberg sieve: Theorem 9 For any integer K 1 there exists a constant A(K) such that #S Π (N, K) A(K) N log N. E.g., there are infinitely many pairs (n, k) which do not lie in S Π. More precisely: Corollary 10 For every k 0, almost all (n, k 0 ) S Π.

20 19 Suppose that N is fixed It is quite reasonable to believe that S Π contains all pairs (n, k) IN IN with n N 0 except for at most finitely many. This is a consequence of an analogue of the Cramer s Conjecture for primes in a fixed arithmetic progression (and is out of reach... ). Easier (?) Question: Let n 0 be fixed. Is it true that for almost k, (n 0, k) S Π?

21 20 Set S Π (N, K) \ S π (N, K) Question: Prime powers q = p m with m 2 are very rare. Do they contribute to S Π? Yes! N #(S Π (N, 1) \ S π (N, 1)) (1 + o(1)) 12 log N Open Question: Any contribution to S Π \ S π from k 2?

22 21 Sets N k,m and Ñk,m Recall: N k,m = {n IN : p prime and E/IF p m with E(IF p m) = Z n Z kn }. and Ñ k,m = {n IN : l Z, p prime with l 2 k and p m = n 2 k + ln + 1}. We have N k,m Ñk,m Question Is the inclusion proper? Theorem 11 We have, N k,1 = Ñk,1. Proof. Easy!

23 22 For m = 2, the situation is more complicated. We have: Theorem 12 We have that N k,2 = Ñk,2 except possibly in the following cases: (i) k = p and p 1 (mod 4) when (ii) k = p 2 ± p + 1 and p 1 (mod 3); (iii) k = M 2, M > 1. In the cases (i) and (ii), we have Ñk,2 \ N k,2 {1} while in the case (iii) we have and N M 2,2 = {1} if M is prime otherwise Ñ M 2,2 \N M 2,2 {(p±1)/m : p 1 (mod M) is prime}.

24 23 Proof. Uses some properties of the Pell equation. Corollary 13 Suppose that k is not a perfect square. We have the following: N k,2 (T ) k log T. Furthermore N 1,2 (T ) = π(t 1) + π(t + 1) #{p T + 1 : p, p 2 are prime} For m 3, the situation is more complicated, even for k = 1...

25 24 Missed group structures Here are the values of the counting function f(d) of missed pairs (n, k) with max{n, k} D for D = f D, D D

26 25 We also plot the values of the counting function F (N, K) of missed pairs (n, k) with n N and k K for N, K K N, K N

27 26 We see that for each fixed N = N 0 the line F N0 (K) = F (N, K) becomes flat quite quickly but still continues to slowly grow. Heuristics predictions for F (N, K) A pair (n, k) contributes to F (N, K) if kn 2 + ln + 1 is not a prime power for l 2k 1/2 (and in some other exceptional cases). Standard heuristic: kn 2 + ln + 1 is a prime power with probability ρ(n, k, l) = n ϕ(n) log(kn 2 + ln + 1) (the ratio n/ϕ(n) accounts for the fact that we seek prime powers in the arithmetic progression 1 mod n).

28 27 So (n, k) [1, N] [1, K] contributes to F (N, K) with probability ϑ(n, k) = l 2k 1/2 (1 ρ(n, k, l)) Thus, we expect that F (N, K) is close to B(N, K) = n N k K ϑ(n, k). We have not studied the function B(N, K) analytically, but we note that for any fixed ε > 0 ϑ(n, k) 1 if k (log n) 2 ε, 0 if k (log n) 2+ε.

29 28 Here is the 3D plot of β(n, K) = F (N, K), 1 N, K 1000 B(N, K) Β N, K K N It seems to stabilise but not at 1 but rather at Question: Why does this happen?

30 29 Fixed Field IF q Frequency of the group structures This case seems to be easier... yet full of mystery. G(q; m, n) = number of IF q -isomorphism classes of elliptic curves E over IF q such that E(IF q ) Z m Z n. Lemma 3 characterises m and n with G(q; m, n) > 0 We compute G(q; m, n) via some sums with class numbers.

31 30 Let c t be the largest integer such that c 2 t (t 2 4q) and (t 2 4q)/c 2 t 0 or 1 (mod 4). Let s t be the largest integer such that s 2 t q + 1 t and s t q 1. We note that s t c t. For each positive divisor m of s t, let M t (m) = {e IN : m e, e c t } and S t (m) = M t (m) \ l IN, l>m m l, l s t M t (l). Let m n and m q 1 be such that for t = q + 1 mn we have t 2 4q and gcd(t, p) = 1, then G(q; m, n) = ( t 2 ) 4q h l S t (m)... + seven more special cases when p t. l 2

32 31 Number of distinct group structures The following result gives explicit formulas for the number F (q) of distinct group structures of all elliptic curves over IF q. Let τ(s) be the divisor function and let ( ) ( ) 1 3 η = and ζ = p p Theorem 14 Let q = p k be a power of a prime p. For the number F (q) of distinct group structures of all elliptic curves over IF q, we have F (q) = t Z, t 2 4q, gcd(t,p)=1 + τ(s t ) η 2, k is odd, p > 3, η 2, k is odd, p = 2, 3, η 2 ζ, k is even, p > 3, 5, k is even, p = 2, 3.

33 32 Extreme and average values Theorem 14 + some analytic number theory: Theorem 15 When q = p α via the set of prime powers, we have 1. lim sup q F (q) q (1 1/p) = 2π2 3 ; 2. lim inf q q odd F (q) q (1 1/p) = 5; 3. lim inf k F (2 k ) = 2; 2k/2 4. where q Q ϑ = 8 3 F (q) = (ϑ + o(1)) Q3/2 log Q, m=1 1 m 2 ϕ(m) =

34 33 Most common group structure Let G(q) = max n,m G(q; m, n). Standards bounds on the class number imply that G(p) = p 1/2+o(1). (1) So it is natural to study G(p) scaled by p 1/2. Experiments with primes p < 500, 000 show that scaling by p 1/2 log p is more natural and the ratio G(p)/p 1/2 log p stabilises in a reasonably narrow strip between roughly 0.1 and 0.2. Question. Refine (1)

35 x 10 5 For p < 500, 000 the value of G(p) is achieved with m = 1 (i.e., for cyclic point groups). For some primes the same value is also achieved for some pairs (m, n) with m = 2 and never for m 3.

36 35 We also compare G(p) with I(p) = max I(p; N ), N where I(p; N ) = # of distinct isomorphism classes of curves E/IFp with #E(IFp) = N (i.e. I(p; N ) is the size of the isogeny class of N ) x 10 For primes p < 500, 000: G(p)/I(p) = 1 for p = 2, 5, 7, 17, 29, 41, 101, 1009, 1109, 1879, 4289 G(p)/I(p) < 1/2 for p = 37591, , , These extreme values are invisible on the picture...

37 36 Questions 1. Are these sporadic exceptions or are theree infinitely many such p? 2. Can we say anything about lim sup p G(p)/I(p) and lim inf p G(p)/I(p). 3. Explain the presence of several horizontal lines on the picture.

38 37 Clearly, one expects that the value of G(p) is achieved for (m, n) for which t = p + 1 N, where N = mn, is small, so that = t 2 4p is large absolute value which leads to a large value of I(p; N). However this is offset by the fact that for N having many divisors so the value of I(p; N) is split between τ(s t ) values of G(p; m, n). This effect is observed in the numerical results which show that if G(p; m, n) = G(p) then t = p + 1 mn is small but not necessary very small. In particular, most of the time G(p) and I(p) are achieved on different values of t, namely in about 82.2% of the cases within the above range of primes p

39 38 Let T max (p) = {t : t = p + 1 mn, G(p; m, n) = G(p)}, that is, for each p, T max (p) is the set of the traces corresponding to the most popular group structures. #T max (p) # of p < 500, We have #T max (p) = 1 in about 52% of the cases. The set T max (p) is symmetric: T max (p) = T max (p) for primes out of the total number of

40 39 Scaled values t/p1/2, where t Tmax, for primes p < 500, x 10 Question. Explain the behaviour and striucure of Tmax(p)

41 40 Conclusion log log log n has been proved to go to infinity with n, but it has never been observed doing so... Carl Pomerance