Computing L-series coefficients of hyperelliptic curves

Similar documents
The Sato-Tate conjecture for abelian varieties

Counting points on hyperelliptic curves

Counting points on smooth plane quartics

Towards a precise Sato-Tate conjecture in genus 2

Counting points on curves: the general case

Computing zeta functions of nondegenerate toric hypersurfaces

Identifying supersingular elliptic curves

A survey of p-adic approaches to zeta functions (plus a new approach)

Counting Points on Curves using Monsky-Washnitzer Cohomology

FINITE GROUPS AND EQUATIONS OVER FINITE FIELDS A PROBLEM SET FOR ARIZONA WINTER SCHOOL 2016

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Computing L-series of geometrically hyperelliptic curves of genus three. David Harvey, Maike Massierer, Andrew V. Sutherland

Computations with Coleman integrals

Computing zeta functions of certain varieties in larger characteristic

L-Polynomials of Curves over Finite Fields

Modular polynomials and isogeny volcanoes

Sato-Tate groups of abelian surfaces

Polynomial arithmetic and applications in number theory

Computing modular polynomials with the Chinese Remainder Theorem

8 Point counting. 8.1 Hasse s Theorem. Spring /06/ Elliptic Curves Lecture #8

Constructing genus 2 curves over finite fields

On the evaluation of modular polynomials

A p-adic Birch and Swinnerton-Dyer conjecture for modular abelian varieties

Coleman Integration in Larger Characteristic

Introduction to Arithmetic Geometry

University of Rochester Topology Seminar. Doug Ravenel

Computing the modular equation

Equidistributions in arithmetic geometry

Coleman Integration in Larger Characteristic

SIMPLE THINGS WE DON T KNOW

On some congruence properties of elliptic curves

Definition of a finite group

Counting points on genus 2 curves over finite

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

Equations for Hilbert modular surfaces

Computation of zeta and L-functions: feasibility and applications

Using zeta functions to factor polynomials over finite fields

Point counting and real multiplication on K3 surfaces

SM9 identity-based cryptographic algorithms Part 1: General

Algorithmic Number Theory for Function Fields

Counting points on elliptic curves over F q

Hyperelliptic curves

Class invariants by the CRT method

Abstracts of papers. Amod Agashe

On the equality case of the Ramanujan Conjecture for Hilbert modular forms

Calculation and arithmetic significance of modular forms

Name: Solutions Final Exam

Torsion subgroups of rational elliptic curves over the compositum of all cubic fields

Elliptic Nets With Applications to Cryptography

Class polynomials for abelian surfaces

Computing the endomorphism ring of an ordinary elliptic curve

Elliptic Curves Spring 2013 Problem Set #5 Due: 03/19/2013

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Computing the image of Galois

Elliptic and Hyperelliptic Curve Cryptography

The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem

A point counting algorithm using cohomology with compact support

Non-generic attacks on elliptic curve DLPs

Artin Conjecture for p-adic Galois Representations of Function Fields

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Even sharper upper bounds on the number of points on curves

Lectures on Cryptography Heraklion 2003 Gerhard Frey IEM, University of Duisburg-Essen Part II Discrete Logarithm Systems

Discrete Logarithm Computation in Hyperelliptic Function Fields

The Zeta Function of a Cyclic Language with Connections to Elliptic Curves and Chip-Firing Games

Isogeny graphs, modular polynomials, and point counting for higher genus curves

Hypersurfaces and the Weil conjectures

Frobenius Distributions

TAMAGAWA NUMBERS OF ELLIPTIC CURVES WITH C 13 TORSION OVER QUADRATIC FIELDS

Basic Algorithms in Number Theory

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Tables of elliptic curves over number fields

Lower-Order Biases in Elliptic Curve Fourier Coefficients

The arithmetic of elliptic curves An update. Benedict H. Gross. In 1974, John Tate published The arithmetic of elliptic curves in

Pacific Journal of Mathematics

Lectures on N X (p) Jean-Pierre Serre 7 mai 2012

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Are ζ-functions able to solve Diophantine equations?

LECTURE 2 FRANZ LEMMERMEYER

An Extension of Kedlaya s Algorithm to Hyperelliptic Curves in Characteristic 2

Arithmétique et Cryptographie Asymétrique

Algebraic Geometry Spring 2009

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

8 Elliptic Curve Cryptography

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26

14 Ordinary and supersingular elliptic curves

On counting and generating curves over small. University of Oklahoma, Norman, OK 73019, USA. Los Angeles, CA 90089, USA

VARIETIES WITHOUT EXTRA AUTOMORPHISMS II: HYPERELLIPTIC CURVES

AMICABLE PAIRS AND ALIQUOT CYCLES FOR ELLIPTIC CURVES OVER NUMBER FIELDS

this to include the explicit maps, please do so!

Explicit p-adic methods for elliptic and hyperelliptic curves

Congruent Number Problem and Elliptic curves

SOLVING SOLVABLE QUINTICS. D. S. Dummit

Verification of the Birch and Swinnerton-Dyer Conjecture for Specific Elliptic Curves

Three-dimensional imprimitive representations of PSL 2 (Z) and their associated vector-valued modular forms

SQUARES FROM SUMS OF FIXED POWERS. Mark Bauer and Michael A. Bennett University of Calgary and University of British Columbia, Canada

SOME MODULAR ABELIAN SURFACES

Elliptic Curves over Finite Fields

THE ARITHMETIC OF ELLIPTIC CURVES AN UPDATE

Constructing Abelian Varieties for Pairing-Based Cryptography

Transcription:

Computing L-series coefficients of hyperelliptic curves Kiran S. Kedlaya and Andrew V. Sutherland Massachusetts Institute of Technology May 19, 2008

Demonstration The distribution of Frobenius traces Let C be a genus g curve defined over Q. We may compute #C/F p = p a p + 1, for each p N where C has good reduction, and plot the distribution of a p / p over the interval [ 2g, 2g]. What does the picture look like for increasing values of N? http://math.mit.edu/ drew

The object of interest The numerator of the zeta function ( ) Z (C/F p ; T ) = exp c k T k /k = k=1 The polynomial L p (T ) has integer coefficients L p (T) (1 T )(1 pt ). L p (T ) = p g T 2g + a 1 p g 1 T 2g 1 + + a g T g + + a 1 T + 1. L p (t) determines the order of the Jacobian #J(C/F) p = L p (1), the trace of Frobenius a p = a 1, and L(C, s) = L p (p s ) 1.

A computational challenge The task at hand Compute L p (T ) for all p N where C has good reduction. We will assume C is hyperelliptic, genus g 3, of the form y 2 = f (x), where f (x) Q[x] has degree 2g + 1 (one point at ). Some questions Which algorithm should we use? (all of them) How big can we make N, in practice? (10 12, 10 8, 10 7 ) The complexity is necessarily exponential in N. We expect to compute many L p (T ) for reasonably small p.

Algorithms Point counting Compute #C/F p, #C/F p 2,...,#C/F p g. Time: O(p), O(p 2 ), O(p 3 ).

Algorithms Point counting Compute #C/F p, #C/F p 2,...,#C/F p g. Time: O(p), O(p 2 ), O(p 3 ). Generic group algorithms Compute #J(C/F p ) = L p (1) and #J( C/F p ) = L p ( 1). Time: O(p 1/4 ), O(p 3/4 ), O(p 5/4 ).

Algorithms Point counting Compute #C/F p, #C/F p 2,...,#C/F p g. Time: O(p), O(p 2 ), O(p 3 ). Generic group algorithms Compute #J(C/F p ) = L p (1) and #J( C/F p ) = L p ( 1). Time: O(p 1/4 ), O(p 3/4 ), O(p 5/4 ). p-adic methods Compute Frobenius charpoly χ(t ) = T 2g L p (T ) mod p k. Time: Õ(p1/2 ).

Algorithms Point counting Compute #C/F p, #C/F p 2,...,#C/F p g. Time: O(p), O(p 2 ), O(p 3 ). Generic group algorithms Compute #J(C/F p ) = L p (1) and #J( C/F p ) = L p ( 1). Time: O(p 1/4 ), O(p 3/4 ), O(p 5/4 ). p-adic methods Compute Frobenius charpoly χ(t ) = T 2g L p (T ) mod p k. Time: Õ(p1/2 ). Polynomial-time algorithms exist (Schoof-Pila) but are impractical.*

Strategy Genus 1 Use O(p 1/4 ) generic group algorithm. Genus 2 Use O(p) point counting plus O(p 1/2 ) group operations. Switch to O(p 3/4 ) group algorithm for p > 10 6. Genus 3 Use O(p) point counting plus O(p) group operations. Switch to Õ(p1/2 ) p-adic plus O(p 1/4 ) group ops for p > 10 5. Elliptic and modular curves over finite fields and related computational issues, (Elkies 1997).

Point counting Enumerating polynomials over F p Define f (x) = f (x + 1) f (x). Enumerate f (x) from f (0) via f (x + 1) = f (x) + f (x) Enumerate k f (n) in parallel starting from k f (0). Complexity Requires only d additions per enumerated value, versus d multiplications and d additions using Horner s method. Total for y 2 = f (x) is (d + 1)p additions (no multiplications). Generalizes to F p n. Efficiently enumerates similar curves in parallel.

Polynomial Finite Finite Evaluation Differences Differences 32 p Genus 2 Genus 3 Genus 2 Genus 3 Genus 2 Genus 3 2 18 192.4 259.8 6.0 6.8 1.1 1.1 2 19 186.3 251.1 6.0 6.8 1.1 1.1 2 20 187.3 244.1 7.2 8.0 1.1 1.3 2 21 172.3 240.8 8.8 9.4 1.2 1.3 2 22 197.9 233.9 12.1 13.4 1.2 1.3 2 23 229.2 285.8 12.8 14.6 2.6 2.7 2 24 258.1 331.8 41.2 44.0 3.5 4.7 2 25 304.8 350.4 53.6 55.7 4.8 4.9 2 26 308.0 366.9 65.4 67.8 4.8 4.6 2 27 318.4 376.8 70.5 73.1 4.9 5.0 2 28 332.2 387.8 74.6 76.5 5.1 5.2 Point counting y 2 = f (x) over F p (CPU nanoseconds/point)

Generic group algorithms High speed group operation Single-word Montgomery representation for F p. Explicit Jacobian arithmetic using affine coordinates. (unique representation of group elements) Modify generic algorithms to perform group operations in parallel to achieve I 3M. Randomization issues The fastest/simplest algorithms are probabilistic. Monte Carlo algorithms should be made Las Vegas algorithms to obtain provably correct results and better performance. Non-group operations also need to be fast (e.g., table lookup).

Standard Montgomery g p 1 10 100 1 10 100 1 2 20 + 7 501 245 215 239 89 69 1 2 25 + 35 592 255 216 286 93 69 1 2 30 + 3 683 264 217 333 98 69 2 2 20 + 7 1178 933 902 362 216 196 2 2 25 + 35 1269 942 900 409 220 197 2 2 30 + 3 1357 949 902 455 225 196 3 2 20 + 7 2804 2556 2526 642 498 478 3 2 25 + 35 2896 2562 2528 690 502 476 3 2 30 + 3 2986 2574 2526 736 506 478 Black box performance (CPU nanoseconds/group operation).

Computing the order of a generic abelian group Computing the structure of G Decompose G as a product of cyclic groups: 1 Compute α for random α G to obtain λ(g) = lcm α. 2 Using λ(g), compute a basis for each Sylow p-subgroup, via discrete logarithms. See Sutherland thesis (2007) for details (avoids SNF). Benefits of working in Jacobians Step 1 is aided by bounds on G and knowledge of G mod l. Given M G < 2M, step 2 takes O( G 1/4 ) group operations. If λ(g) > M, step 2 is unnecessary (often the case). In genus 1, structure is not required, but it is necessary for g > 1.

Optimizing for distribution Generalized Sato-Tate conjecture (Katz-Sarnak) The distribution of L p (p 1/2 T ) for a typical genus g curve is equal to the distribution of the characteristic polynomial of a random matrix in USp(2g) (according to the Haar measure µ). Optimized BSGS search Using µ, we can compute the expected distance of a 1 (or better, a 2 given a 1 ) from its median value, and then choose an appropriate number of baby steps. In genus 3 this reduces the expected search interval by a factor of 10.

y 2 = x 7 +314159x 5 +271828x 4 +1644934x 3 +57721566x 2 +1618034x+141421 Actual a 2 distribution Predicted a 2 distribution

p-adic methods Kedlaya s algorithm over a prime field Approximates the (2g 2g) matrix of the Frobenius action on the Monsky-Washnitzer cohomology, accurate modulo p k : Harvey s improvements Õ(pg 2 k 2 ) = Õ(p) Apply BGS fast linear recurrence reduction to obtain: Õ(p 1/2 g 3 k 5/2 + g 4 k 4 log p) = Õ(p1/2 ) Multipoint Kronecker substitution (Harvey 2007) improves polynomial multiplication by a factor of 3.

Genus 2 Genus 3 N 1 8 1 8 2 16 1 < 1 43 13 2 17 4 2 1:49 18 2 18 12 3 4:42 41 2 19 40 7 12:43 1:47 2 20 2:32 24 36:14 4:52 2 21 10:46 1:38 1:45:36 13:40 2 22 40:20 5:38 5:23:31 41:07 2 23 2:23:56 19:04 16:38:11 2:05:40 2 24 8:00:09 1:16:47 6:28:25 2 25 26:51:27 3:24:40 20:35:16 2 26 11:07:28 2 27 36:48:52 L-series computations in genus 2 and 3 (elapsed times)

N PARI Magma smalljac v1 smalljac v2 2 16 0.26 0.29 0.07 0.04 2 17 0.55 0.59 0.15 0.08 2 18 1.17 1.24 0.30 0.16 2 19 2.51 2.53 0.62 0.31 2 20 5.46 5.26 1.29 0.63 2 21 11.67 11.09 2.65 1.30 2 22 25.46 23.31 5.53 2.68 2 23 55.50 49.22 11.56 5.57 2 24 123.02 104.50 24.31 11.66 2 25 266.40 222.56 51.60 24.54 2 26 598.16 476.74 110.29 52.07 2 27 1367.46 1017.55 233.94 111.24 2 28 3152.91 2159.87 498.46 239.32 2 29 7317.01 4646.24 1065.28 518.16 2 30 17167.29 10141.28 2292.74 1130.85 L-series computations in Genus 1 (CPU seconds)

Conclusion All source code freely available under GPL. drew@math.mit.edu

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback