Computing the image of Galois

Transcription

1 Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25

2 Elliptic curves Let E be an elliptic curve over Q, defined by an equation y 2 = x 3 + Ax + B, where A, B Z satisfy 4A B 2 0. The set of Q-rational points forms an abelian group E(Q). The group operation is given by the chord-and-tangent law: For any extension k/q, the group E(k) is defined similarly. Andrew Sutherland (MIT) Computing the image of Galois 2 of 25

3 Torsion subgroups Let m be a positive integer. Points P E(Q) for which are m-torsion points. mp = P + + P = 0 The set of m-torsion points form a subgroup E[m] Z/mZ Z/mZ. The field Q(E[m]) obtained by adjoining the coordinates of the m-torsion points is a finite Galois extension of Q. Example: Q(E[2]) is the splitting field of f (x) = x 3 + Ax + B. Andrew Sutherland (MIT) Computing the image of Galois 3 of 25

4 The action of Galois Consider the Galois group G = Gal(Q(E[m])/Q). G acts on the set E[m], since for σ G and P E[m]: 1. The point σp = (σx P, σy P ) is on the curve E. (apply σ to the curve equation: y 2 P = x 3 P + Ax P + B). 2. The point σp lies in E[m]. (apply σ to the m-division polynomial: ψ m (x P, y P ) = 0). 3. We have σ 1 (σ 2 P) = (σ 1 σ 2 )P and 1 G acts trivially. Moreover, each σ defines an automorphism of E[m]: 4. σ(p + Q) = σp + σq. (apply σ to the equations defining the group law). Andrew Sutherland (MIT) Computing the image of Galois 4 of 25

5 Galois images The action of Gal(Q(E[m]/Q) on E[m] induces a representation ρ E,m : Gal(Q(E[m])/Q) Aut(E[m]), known as the mod-m Galois representation attached to E. By identifying Aut(E[m]) with Aut(Z/mZ Z/mZ). we view the image of ρ E,m as a subgroup of GL 2 (Z/mZ). We are interested in computing this subgroup. We shall focus primarily on the case where m is a prime l. Andrew Sutherland (MIT) Computing the image of Galois 5 of 25

6 Complex multiplication An endomorphism of an elliptic curve E is a rational map from E to itself that is also a group homomorphism. Example: P np = P + + P. The set of endomorphisms forms a ring End(E) under point addition and composition. The multiplication-by-n maps form a subring isomorphic to Z. For E/Q we usually have End(E) Z, but for certain curves (13, up to isomorphism over Q) this is not true, in which case we say that E has complex multiplication (CM). We shall focus on elliptic curves without CM. Andrew Sutherland (MIT) Computing the image of Galois 6 of 25

7 Surjectivity For elliptic curves E without CM, ρ E,l is usually surjective (but if E has CM, then ρ E,l is never surjective for l > 2). Let k be a number field and let E be an elliptic curve over k. Theorem (Serre) If E does not have CM then im ρ E,l = GL 2 (Z/lZ) for all sufficiently large primes l. Conjecture For each number field k there is a uniform bound l max such that im ρ E,l = GL 2 (Z/lZ) for every E/k and every l > l max. For k = Q, it is widely believed that l max = 37. Andrew Sutherland (MIT) Computing the image of Galois 7 of 25

8 Non-surjectivity If E has a rational point of order l, then ρ E,l is not surjective. For E/Q this occurs for l 7 (Mazur). If E admits a rational l-isogeny, then ρ E,l is not surjective. For E/Q without CM, this occurs for l 17 and l = 37 (Mazur). But ρ E,l may be non-surjective even when E does not admit a rational l-isogeny. Even when E has a rational l-torsion point, this does not uniquely determine the image of ρ E,l. Classifying the possible images of ρ E,l that arise over Q may be viewed as a refinement of Mazur s theorems. One can consider the same question for any number field k, but we will focus on k = Q. Andrew Sutherland (MIT) Computing the image of Galois 8 of 25

9 Applications There are many practical and theoretical reasons for wanting to compute the image of ρ E,l, and for searching for elliptic curves with a particular mod-l or mod-m Galois image: Explicit BSD computations. Modularity lifting. Computing Lang-Trotter constants. The Koblitz-Zywina conjecture. Optimizing the elliptic curve factorization method (ECM). Local-global questions. Andrew Sutherland (MIT) Computing the image of Galois 9 of 25

10 Computing the image of Galois the hard way In principle, there is a very simple algorithm to compute the image of ρ E,l in GL 2 (Z/lZ) (up to conjugacy): 1. Construct the field L = Q(E[l]) as an (at most quadratic) extension of the splitting field of E s lth division polynomial. 2. Pick a basis (P, Q) for E[l] and determine the action of each element of Gal(L/Q) on P and Q. In practice this is computationally feasible only for very small l (say l 7); the degree of L is typically on the order of l 4. Indeed, this is substantially more difficult than just computing the Galois group, which is already a hard problem. We need something faster, especially if we want to compute lots of Galois images (which we do!). Andrew Sutherland (MIT) Computing the image of Galois 10 of 25

11 Main results A very fast algorithm to compute im ρ E,l up to isomorphism, (and usually up to conjugacy), for elliptic curves over number fields of low degree and moderate values of l (say l < 200). If ρ E,l is surjective, the algorithm proves this unconditionally. If not, its output is heuristically correct with very high probability (in principle, this can also be made unconditional). The current implementation handles elliptic curves over Q and quadratic extensions of Q, and all primes l < 100. The algorithm can also compute ρ E,m for composite m, and it generalizes to abelian varieties of higher dimension (but the computations are much more time consuming). Andrew Sutherland (MIT) Computing the image of Galois 11 of 25

12 Main results We have used the algorithm to compute the mod-l Galois image of every elliptic curve in the Cremona and Stein-Watkins databases for all primes l < 80. This includes about 140 million curves, including all curves of conductor 350, 000. The results have been incorporated into the LMFDB ( We also analyzed more than curves in various families. The result is a conjecturally complete classification of 63 non-surjective mod-l Galois images that can arise for an elliptic curve E/Q without CM. Andrew Sutherland (MIT) Computing the image of Galois 12 of 25

13 A probabilistic approach Let E p denote the reduction of E modulo a good prime p l. The action of the Frobenius endomorphism on E p [l] is given by (the conjugacy class of) an element A p,l im ρ E,l with tr A p,l a p mod l and det A p,l p mod l, where a p = p + 1 #E p (F p ) is the trace of Frobenius. By varying p, we can randomly sample im ρ E,l. The Čebotarev density theorem implies equidistribution. Andrew Sutherland (MIT) Computing the image of Galois 13 of 25

14 Example: l = 2 GL 2 (Z/2Z) S 3 has 6 subgroups in 4 conjugacy classes. For H GL 2 (Z/2Z), let t a (H) = #{A H : tr A = a}. Consider the trace frequencies t(h) = (t 0 (H), t 1 (H)): 1. For GL 2 (Z/2Z) we have t(h) = (4, 2). 2. The subgroup of order 3 has t(h) = (1, 2). 3. The 3 conjugate subgroups of order 2 have t(h) = (2, 0) 4. The trivial subgroup has t(h) = (1, 0). 1,2 are distinguished from 3,4 by a trace 1 element (easy). We can distinguish 1 from 2 by comparing frequencies (harder). We cannot distinguish 3 from 4 at all (impossible). Sampling traces does not give enough information! Andrew Sutherland (MIT) Computing the image of Galois 14 of 25

15 Using the fixed space of A p The l-torsion points fixed by the Frobenius endomorphism form the F p -rational subgroup E p [l](f p ) of E p [l]. Thus fix A p = ker(a p I) = E p [l](f p ) = E p (F p )[l] It is easy to compute E p (F p )[l], and this gives us information that cannot be derived from a p alone. We can now easily distinguish the subgroups of GL 2 (Z/2Z) by looking at pairs (a p, r p ), where r p is the rank of fix A p (0, 1, or 2). There are three possible pairs, (0, 2), (0, 1), and (1, 0). The subgroups of order 2 contain (0, 2) and (0, 1) but not (1, 0). The subgroup of order 3 contains (0, 2) and (1, 0) but not (0, 1). The trivial subgroup contains only (0, 2). Andrew Sutherland (MIT) Computing the image of Galois 15 of 25

16 Subgroup signatures The signature of a subgroup H of GL 2 (Z/lZ) is defined by s H = { ( det A, tr A, rk fix A ) : A H}. Note that s H is invariant under conjugation. Remarkably, s H determines the isomorphism class of H. Theorem Let l be a prime and let G and H be subgroups of GL 2 (Z/lZ) with surjective determinant maps. If s G = s H then G H. Andrew Sutherland (MIT) Computing the image of Galois 16 of 25

17 The subgroup lattice of GL 2 (Z/lZ) Our strategy is to determine im ρ E,l by identifying its location in the lattice of (conjugacy classes of) subgroups of GL 2 (Z/lZ). For any subgroup H GL 2 (Z/lZ), we say that a set of triples s is minimally covered by s H if we have s s H, and also s s G = s H s G for all subgroups G GL 2 (Z/lZ). If s is minimally covered by both s G and s H, then G H. Andrew Sutherland (MIT) Computing the image of Galois 17 of 25

18 The algorithm Given an elliptic curve E/Q, a prime l, and ɛ > 0, set s, k 0, and for each good prime p l: 1. Compute a p = p + 1 #E(F p ) and r p = rk(e(f p )[l]). 2. Set s s (p mod l, a p mod l, r p ) and increment k. 3. If s is minimally covered by s H, for some H GL 2 (Z/lZ), and if δh k < ɛ, then output H and terminate. Here δ H is the maximum over G H of the probability that the triple of a random A G lies in s H (zero if H = GL 2 (Z/lZ)). The values of s H and δ H are precomputed all H. Andrew Sutherland (MIT) Computing the image of Galois 18 of 25

19 Efficient implementation If ρ E,l is surjective, we expect the algorithm to terminate in O(log l) iterations, typically less than 10 for l < 100. Otherwise, if ɛ = 2 n we expect to need O(log l + n) iterations, typically less than 2n (we use n = 256). By precomputing the values a p and r p for every elliptic curve E/F p for all primes p up to, say, 2 16, the algorithm is essentially just a sequence of table-lookups, which makes it very fast. It takes just two minutes to analyze all 1,887,909 curves in Cremona s tables for all l < 80 (on a single core). Precomputing the s H and δ H is non-trivial, but this only ever needs to be done once for each prime l. Andrew Sutherland (MIT) Computing the image of Galois 19 of 25

20 Distinguishing conjugacy classes Among the non-surjective Galois images that arise with l < 80 for elliptic curves over Q without CM and conductor , there are 45 distinct signatures. These correspond to 63 possible conjugacy classes. How can we determine which of these actually occur? Andrew Sutherland (MIT) Computing the image of Galois 20 of 25

21 Example: l = 3 In GL 2 (Z/3Z) the subgroups H 1 = ( ), ( ) and H2 = ( ) ( , 2 0 ) 0 1 both have signature {(1, 2, 1), (2, 0, 1), (1, 2, 2)}, and are isomorphic to S 3. Every element of H 1 and H 2 has 1 as an eigenvalue. In H 1 the 1-eigenspaces all coincide, but in H 2 they do not. H 1 corresponds to an elliptic curve with a rational point of order 3, whereas H 2 corresponds to an elliptic curve that has a rational point of order 3 locally everywhere, but not globally. Andrew Sutherland (MIT) Computing the image of Galois 21 of 25

22 Distinguishing conjugacy classes Let d H denote the least index of a subgroup of H that fixes a nonzero vector in (Z/lZ) 2. Then d H1 = 1, but d H2 = 2. For H = im ρ E,l, the quantity d H is the degree of the minimal extension L/Q over which E has an L-rational point of order l. This can be determined using the l-division polynomial. Using d H and s H we can determine the conjugacy class of H = im ρ E,l in all but one case that arises among the 45 signatures we have found. In this one case, we compute im ρ E,l the hard way (for just a few curves). It turns out that all 63 of the identified conjugacy classes do arise as the Galois image of an elliptic curve over Q. Andrew Sutherland (MIT) Computing the image of Galois 22 of 25

23 Non-surjective Galois images for E/Q w/o CM and conductor l GAP id index d H δ H a p N p type 1 #{E} #{j(e)} no no C s yes no no B yes yes yes C ns yes no no C s no yes no C s yes no no B no no no B no yes yes N(C s) yes yes no B yes yes yes N(C ns) yes no no C s no no no C s no yes no C s yes yes yes C s yes yes yes N(C s) yes no no B no no no B no no no B no no no B no yes yes N(C s) yes yes no B yes yes no B yes yes yes N(C ns) yes Andrew Sutherland (MIT) Computing the image of Galois 23 of 25

24 Non-surjective Galois images for E/Q w/o CM and conductor l GAP id index d H δ H a p N p type 1 #{E} #{j(e)} yes yes B yes yes yes S 4 yes yes no N(C s) no yes no N(C s) yes no no B no no no B no no no B no no no B no no no B no no no B no yes yes N(C s) yes yes no B yes yes no B yes yes no B yes yes yes N(C ns) yes yes yes B no yes yes B no yes yes B yes no no B no no no B no no no B no no no B no no no B yes 54 1 Andrew Sutherland (MIT) Computing the image of Galois 24 of 25

25 Non-surjective Galois images for E/Q w/o CM and conductor l GAP id index d H δ H a p N p type 1 #{E} #{j(e)} no no B yes yes yes N(C ns) yes yes yes S 4 yes yes yes B no yes yes B no yes yes B no yes yes B no yes no B yes yes yes B yes yes yes B yes yes yes B yes yes yes B yes yes yes B yes yes yes B yes yes yes B yes yes yes B yes yes yes B yes 32 1 Andrew Sutherland (MIT) Computing the image of Galois 25 of 25