Computing genus 2 curves from invariants on the Hilbert moduli space
Journal of Number Theory, Special Issue on Elliptic Curve Cryptography
http://eprint.iacr.org/2010/294
Kristin Lauter, Microsoft Research
Joint work with: Tonghai Yang
Constructing genus 2 curves for cryptography
Let $C$ be a smooth, projective, irreducible genus 2 curve over $\mathbb{F}_p$, and $J(C)$ its Jacobian variety. $J(C)(\mathbb{F}_p)$ can be used in cryptography as the group with a hard Discrete Log Problem (DLP) if the group has a subgroup of large prime order (roughly of size $p^2$).
Advantage: $p$ of size $2^{128}$ instead of $2^{256}$ as for elliptic curves.
Applications: key exchange, digital signatures, encryption, ...
Challenge:
Generate $C/\mathbb{F}_q$ with $\#J(C)(\mathbb{F}_q) = N$, $N$ a large prime.
Strategy: construct curves with a known order using complex multiplication (CM) techniques.
1. Given $N_1 = \#C(\mathbb{F}_q)$ and $N_2 = \#C(\mathbb{F}_{q^2})$, this determines a quartic CM number field $K$ by the characteristic polynomial of Frobenius.
2. Compute "modular invariants" associated to the field $K$.
3. Reconstruct the curve from its invariants via Mestre's algorithm.
Computing the CM field K
For an ordinary genus 2 curve $C$ over a prime field $\mathbb{F}_q$, let $N_1 = \#C(\mathbb{F}_q)$ and $N_2 = \#C(\mathbb{F}_{q^2})$. Then
$$\#J(C)(\mathbb{F}_q) = \frac{N_1^2 + N_2}{2} - q. \qquad (1)$$
Set $s_1 := q + 1 - N_1$ and $s_2 := \tfrac12\left(s_1^2 + N_2 - 1 - q^2\right)$. Then the quartic polynomial satisfied by the Frobenius endomorphism of the Jacobian is
$$f(t) = t^4 - s_1 t^3 + s_2 t^2 - q s_1 t + q^2.$$
Thus the Jacobian of the curve has endomorphism ring equal to an order in the quartic CM field $K = \mathbb{Q}[t]/(f(t))$.
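As an added worked example (not part of the slides), the following Python code carries out the computation just described for a small constructed curve: it counts the points of $y^2 = f(x)$ over $\mathbb{F}_p$ and $\mathbb{F}_{p^2}$ by brute force, forms $s_1$, $s_2$ and the Frobenius polynomial $f(t)$, and compares $\#J(C)(\mathbb{F}_p)$ from (1) with $f(1)$, which is what $\#J(C)(\mathbb{F}_q)$ equals for any abelian variety with Frobenius characteristic polynomial $f$. The sample curve $y^2 = x^5 + 1$ over $\mathbb{F}_{11}$, the odd-degree model (one point at infinity) and the function names are the example's own assumptions.

```python
# Added example (not from the slides): recover the Frobenius polynomial and
# #J(C)(F_p) of a genus 2 curve y^2 = f(x), deg f = 5, from the point counts
# N1 = #C(F_p) and N2 = #C(F_{p^2}), as in the slide "Computing the CM field K".
# The sample curve y^2 = x^5 + 1 over F_11 is a constructed input.

def nonresidue(p):
    """Smallest quadratic non-residue mod p (p odd prime); F_{p^2} = F_p(w), w^2 = n."""
    squares = {pow(a, 2, p) for a in range(p)}
    return next(a for a in range(2, p) if a not in squares)

def fq2_mul(x, y, p, n):
    """Multiply (a + b w)(c + d w) in F_{p^2}, using w^2 = n."""
    (a, b), (c, d) = x, y
    return ((a * c + n * b * d) % p, (a * d + b * c) % p)

def fq2_poly_eval(coeffs, x, p, n):
    """Horner evaluation of an integer polynomial (highest degree first) at x in F_{p^2}."""
    acc = (0, 0)
    for c in coeffs:
        acc = fq2_mul(acc, x, p, n)
        acc = ((acc[0] + c) % p, acc[1])
    return acc

def count_points(coeffs, p, ext):
    """#C(F_q) for C: y^2 = f(x) with deg f = 5, q = p (ext=1) or p^2 (ext=2).
    Counts affine solutions by tabulating squares, then adds the single point at
    infinity of the odd-degree model."""
    n = nonresidue(p)
    elems = [(a, b) for a in range(p) for b in range(p if ext == 2 else 1)]
    squares = {}
    for y in elems:
        v = fq2_mul(y, y, p, n)
        squares[v] = squares.get(v, 0) + 1
    affine = sum(squares.get(fq2_poly_eval(coeffs, x, p, n), 0) for x in elems)
    return affine + 1

def frobenius_poly(n1, n2, q):
    """Coefficients of f(t) = t^4 - s1 t^3 + s2 t^2 - q s1 t + q^2 (highest degree first)."""
    s1 = q + 1 - n1
    twice_s2 = s1 * s1 + n2 - 1 - q * q
    assert twice_s2 % 2 == 0, "N2 is not consistent with N1"
    s2 = twice_s2 // 2
    return [1, -s1, s2, -q * s1, q * q]

def jacobian_order(n1, n2, q):
    """#J(C)(F_q) = (N1^2 + N2)/2 - q, formula (1) of the slides."""
    return (n1 * n1 + n2) // 2 - q

def eval_int_poly(coeffs, x):
    acc = 0
    for c in coeffs:
        acc = acc * x + c
    return acc

def analyse(coeffs, p):
    """Return (N1, N2, Frobenius polynomial, #J(C)(F_p)) for y^2 = f(x) over F_p."""
    n1 = count_points(coeffs, p, 1)
    n2 = count_points(coeffs, p, 2)
    return n1, n2, frobenius_poly(n1, n2, p), jacobian_order(n1, n2, p)

if __name__ == "__main__":
    # Constructed sample: y^2 = x^5 + 1 over F_11 (coefficients of x^5 + 1).
    n1, n2, frob, order = analyse([1, 0, 0, 0, 0, 1], 11)
    print("N1 =", n1, "N2 =", n2)
    print("Frobenius polynomial coefficients:", frob)
    print("#J(C)(F_11) =", order, "= f(1) =", eval_int_poly(frob, 1))
```

The point count over $\mathbb{F}_{p^2}$ is quadratic in $p^2$, so this is only for checking the formulas on toy inputs; for cryptographic sizes the counts come from the CM construction itself, not from enumeration.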
Genus 2 curves with CM
Let $K$ be a quartic primitive CM field. A curve $C$ over $\mathbb{C}$ has CM by $\mathcal{O}_K$ if $\mathcal{O}_K$ embeds in the endomorphism ring of $\mathrm{Jac}(C)$. CM points on the moduli space of principally polarized abelian surfaces correspond to isomorphism classes of CM curves.
The Siegel moduli space
The Siegel moduli space $\mathcal{A}_2$ parameterizes abelian surfaces with principal polarization. Let $\mathrm{Sp}_2(\mathbb{Z})$ be the symplectic group over $\mathbb{Z}$ of genus two, consisting of the $4 \times 4$ integral matrices $g$ satisfying $g J g^t = J$,
$$J = \begin{pmatrix} 0 & I_2 \\ -I_2 & 0 \end{pmatrix},$$
where $I_2$ is the identity matrix of order 2. Let
$$\mathbb{H}_2 = \left\{ \tau = \begin{pmatrix} \tau_1 & \tau_2 \\ \tau_2 & \tau_3 \end{pmatrix} \in M_2(\mathbb{C}) : \Im \tau > 0 \right\}$$
be the Siegel upper half-plane of genus two, and let $X_2 = \mathrm{Sp}_2(\mathbb{Z}) \backslash \mathbb{H}_2$ be the open Siegel modular 3-fold.
The Siegel moduli space
Here $\mathrm{Sp}_2(\mathbb{R})$ acts on $\mathbb{H}_2$ via
$$\begin{pmatrix} A & B \\ C & D \end{pmatrix} \tau = (A\tau + B)(C\tau + D)^{-1}.$$
We can give explicit representatives for all the CM points on $\mathcal{A}_2(\mathbb{C})$: $\{\tau : \mathbb{C}^2/(I_2\ \tau) \text{ has CM by } \mathcal{O}_K\}/\mathrm{Sp}_4(\mathbb{Z})$.
Absolute Igusa invariants
Igusa gave 3 Siegel modular functions $h_1, h_2, h_3$, the absolute Igusa invariants:
$$h_1 = 2 \cdot 3^5\, \frac{\chi_{12}^5}{\chi_{10}^6}, \qquad h_2 = \frac{3^3}{2^3}\, \frac{\psi_4 \chi_{12}^3}{\chi_{10}^4}, \qquad h_3 = \frac{3}{2^5}\left( \frac{\psi_6 \chi_{12}^2}{\chi_{10}^3} + 2^2 \cdot 3\, \frac{\psi_4 \chi_{12}^3}{\chi_{10}^4} \right).$$
Igusa class polynomials
Definition The Igusa class polynomials Hi(x) =
- {τ: C2/I2 τ has CM by OK }
Sp4(Z)
(x − hi(τ)), i = 1, 2, 3.
The Hilbert modular surface
Let $F = \mathbb{Q}(\sqrt D)$ be a real quadratic field with prime discriminant $D \equiv 1 \bmod 4$, and let $\sigma(a + b\sqrt D) = a - b\sqrt D$ be the non-trivial Galois conjugate of $F$ over $\mathbb{Q}$. Let $\epsilon > 0$ be a unit such that $\sigma(\epsilon)\epsilon = -1$. Let $X = \mathrm{SL}_2(\mathcal{O}_F) \backslash \mathbb{H}^2$ be the open Hilbert modular surface.
For $z = (z_1, z_2)$ and $a \in F$, we denote $z^* = \mathrm{diag}(z_1, z_2)$ and $a^* = \mathrm{diag}(a, \sigma(a))$. We also denote
$$\gamma^* = \begin{pmatrix} a^* & b^* \\ c^* & d^* \end{pmatrix} \quad \text{for } \gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(F).$$
Choose a $\mathbb{Z}$-basis $\{e_1, e_2\}$ for $\mathcal{O}_F$:
$$\mathcal{O}_F = \mathbb{Z}e_1 + \mathbb{Z}e_2, \qquad (2)$$
and define
$$R = \begin{pmatrix} e_1 & e_2 \\ \sigma(e_1) & \sigma(e_2) \end{pmatrix}. \qquad (3)$$
Map between Hilbert and Siegel
We define the maps
$$\phi : \mathbb{H}^2 \to \mathbb{H}_2, \qquad \phi(z) = R^t\, \mathrm{diag}\!\left(\tfrac{\epsilon}{\sqrt D}\, z_1,\ \sigma\!\left(\tfrac{\epsilon}{\sqrt D}\right) z_2\right) R, \qquad (4)$$
and
$$\phi : \mathrm{SL}_2(F) \to \mathrm{Sp}_2(\mathbb{Q}), \qquad \phi(\gamma) = S \gamma^* S^{-1}, \qquad S = \mathrm{diag}(R^t, R^{-1})\, \mathrm{diag}\!\left(I_2, \left(\tfrac{\sqrt D}{\epsilon}\right)^{\!*}\right). \qquad (5)$$
F = Q(√5)
Assume $F = \mathbb{Q}(\sqrt 5)$, and let $\epsilon = \frac{1 + \sqrt 5}{2}$. Let $\phi : \mathrm{SL}_2(\mathcal{O}_F)\backslash\mathbb{H}^2 \to \mathrm{Sp}_2(\mathbb{Z})\backslash\mathbb{H}_2$,
$$\phi(z) = \begin{pmatrix} 1 & 1 \\ \sigma(\epsilon) & \epsilon \end{pmatrix} \begin{pmatrix} \frac{\epsilon}{\sqrt 5} z_1 & 0 \\ 0 & -\frac{\sigma(\epsilon)}{\sqrt 5} z_2 \end{pmatrix} \begin{pmatrix} 1 & \sigma(\epsilon) \\ 1 & \epsilon \end{pmatrix} = \begin{pmatrix} \frac{\epsilon}{\sqrt 5} z_1 - \frac{\sigma(\epsilon)}{\sqrt 5} z_2 & \frac{z_2 - z_1}{\sqrt 5} \\ \frac{z_2 - z_1}{\sqrt 5} & -\frac{\sigma(\epsilon)}{\sqrt 5} z_1 + \frac{\epsilon}{\sqrt 5} z_2 \end{pmatrix},$$
be the map defined above, and let $e(z) := e^{2\pi i z}$ and
$$q_1 = e\!\left(\tfrac{\epsilon}{\sqrt 5} z_1 - \tfrac{\sigma(\epsilon)}{\sqrt 5} z_2\right) = e\!\left(\tfrac{1 + \sqrt 5}{2\sqrt 5}\, z_1 - \tfrac{1 - \sqrt 5}{2\sqrt 5}\, z_2\right), \qquad q_2 = e\!\left(\tfrac{z_2 - z_1}{\sqrt 5}\right).$$
Then for a holomorphic Siegel modular form $f$ of weight $k$ for $\mathrm{Sp}_2(\mathbb{Z})$, $g = \phi^* f$ is a symmetric holomorphic Hilbert modular form for $\mathrm{SL}_2(\mathcal{O}_F)$ with the Fourier expansion
$$g(z) = a_f(0) + \sum_{t = a + b\frac{1 - \sqrt 5}{2} \in \mathcal{O}_F^+} a_g(t)\, q_1^a q_2^b,$$
with the coefficients $a_g(t)$ given on the next slide.
Pullback
$$a_g(t) = \sum_{\text{condition } (*)} a_f\!\begin{pmatrix} m_1 & \tfrac12 m \\ \tfrac12 m & m_2 \end{pmatrix}.$$
Condition $(*)$: $m_1, m_2 \in \mathbb{Z}^+$, $m \in \mathbb{Z}$, $m^2 < 4 m_1 m_2$, $m_1 + m_2 = a$, $m + m_2 = b$. $\qquad (6)$
Hilbert Eisenstein series
Let $F = \mathbb{Q}(\sqrt 5)$ and $\epsilon = \frac{1 + \sqrt 5}{2}$. The Eisenstein series of even weight $k \ge 2$ is
$$G_k(z) = 1 + \sum_{t = a + b\frac{1 - \sqrt 5}{2} \in \mathcal{O}_F^+} b_k(t)\, q_1^a q_2^b, \qquad (7)$$
where
$$b_k(t) = \kappa_k \sum_{(\mu) \supset (t)} N(\mu)^{k-1}, \qquad (8)$$
$$\kappa_k = \frac{(2\pi)^{2k}\sqrt 5}{(k-1)!^2\, 5^k\, \zeta_F(k)}.$$
Coefficients for the Hilbert Eisenstein series
For $0 < a \le 3$ and $\frac{1 - \sqrt 5}{2}\, a < b < \frac{1 + \sqrt 5}{2}\, a$:
$$G_k(z) = 1 + \kappa_k (1 + q_2)\, q_1 + \kappa_k\left[ q_2^{-1} + (1 + 4^{k-1}) + (1 + 5^{k-1})\, q_2 + (1 + 4^{k-1})\, q_2^2 + q_2^3 \right] q_1^2$$
$$\qquad + \kappa_k\left[ (1 + 5^{k-1})\, q_2^{-1} + (1 + 9^{k-1}) + (1 + 11^{k-1})\, q_2 + (1 + 11^{k-1})\, q_2^2 + (1 + 9^{k-1})\, q_2^3 + (1 + 5^{k-1})\, q_2^4 \right] q_1^3 + \cdots$$
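The coefficient table above can be regenerated from (8). The Python code below is an added example, not part of the slides: for each totally positive $t = a + b\frac{1 - \sqrt 5}{2}$ with $0 < a \le 3$ it factors the ideal $(t)$ in $\mathcal{O}_F = \mathbb{Z}[\frac{1 + \sqrt 5}{2}]$ using the splitting of rational primes in $\mathbb{Q}(\sqrt 5)$ (5 ramified, $p \equiv \pm 1 \bmod 5$ split, $p \equiv \pm 2 \bmod 5$ inert, which includes $p = 2$) and evaluates $b_k(t)/\kappa_k = \sum_{(\mu) \supset (t)} N(\mu)^{k-1}$ as a product over prime-ideal powers. It works for any $a$ and any weight $k$, not just the rows shown; the function names are the example's own.

```python
# Added example (not from the slides): regenerate the Eisenstein coefficients
# b_k(t)/kappa_k = sum_{(mu) contains (t)} N(mu)^(k-1) for F = Q(sqrt 5) from the
# prime-ideal factorisation of (t), t = a + b(1-sqrt5)/2 totally positive.
# O_F = Z[w] with w = (1+sqrt5)/2; since (1-sqrt5)/2 = 1 - w we have
# t = u + v w with u = a + b, v = -b. Function names are the example's own.

def norm_trace(a, b):
    """N(t) and Tr(t) for t = a + b(1-sqrt5)/2 = u + v w (w^2 = w + 1)."""
    u, v = a + b, -b
    return u * u + u * v - v * v, 2 * u + v

def is_totally_positive(a, b):
    # A real quadratic element is totally positive iff its norm and trace are positive.
    n, tr = norm_trace(a, b)
    return n > 0 and tr > 0

def factor_int(n):
    """Trial-division factorisation {prime: exponent} of n >= 1."""
    fac, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            fac[p] = fac.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        fac[n] = fac.get(n, 0) + 1
    return fac

def valuation(p, x):
    """Exponent of p in the nonzero integer x."""
    x, e = abs(x), 0
    while x % p == 0:
        x, e = x // p, e + 1
    return e

def prime_ideal_factors(a, b):
    """Multiset [(N(P), e)] over prime ideals P with P^e exactly dividing (t).
    Rational primes behave in Q(sqrt5) as: 5 ramified; p = +-2 mod 5 inert, so
    (p) is prime of norm p^2; p = +-1 mod 5 split into two primes of norm p."""
    u, v = a + b, -b
    n, _ = norm_trace(a, b)
    out = []
    for p, e in factor_int(abs(n)).items():
        if p == 5:
            out.append((5, e))
        elif p % 5 in (2, 3):
            out.append((p * p, e // 2))
        else:
            # m = largest power of p dividing t as an element (dividing both u and v);
            # the remaining exponent e - 2m lies in exactly one of the two primes above p.
            m = min(valuation(p, x) for x in (u, v) if x != 0)
            out.append((p, e - m))
            out.append((p, m))
    return [(q, e) for q, e in out if e > 0]

def divisor_sum(a, b, k):
    """b_k(t)/kappa_k: multiplicative over prime-ideal powers, each P^e contributing
    1 + N(P)^(k-1) + ... + N(P)^(e(k-1))."""
    total = 1
    for q, e in prime_ideal_factors(a, b):
        total *= sum(q ** (j * (k - 1)) for j in range(e + 1))
    return total

def eisenstein_table(k, a_max=3):
    """{(a, b): b_k(t)/kappa_k} for all totally positive t with 0 < a <= a_max;
    total positivity is exactly the slides' range (1-sqrt5)/2 a < b < (1+sqrt5)/2 a."""
    table = {}
    for a in range(1, a_max + 1):
        for b in range(-2 * a, 2 * a + 1):
            if is_totally_positive(a, b):
                table[(a, b)] = divisor_sum(a, b, k)
    return table

if __name__ == "__main__":
    for (a, b), c in sorted(eisenstein_table(2).items()):
        print(f"q1^{a} q2^{b}: {c}")
```

For weight $k = 2$ the entries are $1 + 4 = 5$, $1 + 5 = 6$, $1 + 9 = 10$ and $1 + 11 = 12$ in the positions the table above gives as $1 + 4^{k-1}$, $1 + 5^{k-1}$, $1 + 9^{k-1}$ and $1 + 11^{k-1}$, and $1$ where $t$ is a unit.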
Theta series
Let
$$\theta_6 = -\frac{67}{2^5\, 3^3\, 5^2}\left(G_6 - G_2^3\right),$$
$$\theta_{10} = 2^{-10}\, 3^{-5}\, 5^{-5}\, 7^{-1}\left(412751\, G_{10} - 5 \cdot 67 \cdot 2293\, G_2^2 G_6 + 2^2 \cdot 3 \cdot 7 \cdot 4231\, G_2^5\right),$$
$$\theta_{12} = 2^{-2}\left(\theta_6^2 - G_2 \theta_{10}\right).$$
Gundlach invariants
Theorem (Gundlach). (1) The ring of symmetric holomorphic Hilbert modular forms for $\mathrm{SL}_2(\mathcal{O}_F)$ is a polynomial ring in $G_2$, $G_6$, and $\theta_{10}$. (2) The field of symmetric meromorphic Hilbert modular functions for $\mathrm{SL}_2(\mathcal{O}_F)$ consists of the rational functions of
$$J_1 = \frac{\theta_6}{G_2^3} \quad \text{and} \quad J_2 = \frac{G_2^5}{\theta_{10}}.$$
We call $J_1$ and $J_2$ the Gundlach invariants.
Alternative choices for Gundlach invariants
Use the invariants $J_1$ and $J_3$, where
$$J_3 = J_1 + J_2^{-1} = \frac{\theta_6 G_2^2 + \theta_{10}}{G_2^5}.$$
This choice has the advantage that both invariants are rather small. Another possible choice is to use the invariants $J_2$ and $J_4$, where
$$J_4 = J_1 J_2 = \frac{\theta_6 G_2^2}{\theta_{10}}.$$
This choice has the advantage that both invariants have denominator $\theta_{10}$.
Pullback of Igusa invariants to Gundlach invariants
Proposition.
$$\phi^* h_1 = 8 J_2 \left(3 J_1^2 J_2 - 2\right)^5,$$
$$\phi^* h_2 = \tfrac12 J_2 \left(3 J_1^2 J_2 - 2\right)^3,$$
$$\phi^* h_3 = 2^{-3} J_2 \left(3 J_1^2 J_2 - 2\right)^2 \left(4 J_1^2 J_2 + 2^5 \cdot 3^2 J_1 - 3\right).$$
Algorithm for computing Gundlach invariants
Input: $K$ a primitive quartic CM field, $p$ a prime which splits completely into principal ideals in $K^*$, the reflex field of $K$, and $S$ a collection of 2 or 4 possible group orders for Jacobians of genus 2 curves over $\mathbb{F}_p$ with CM by $K$.
Output: Gundlach invariants modulo $p$ for genus 2 curves with CM by $K$, and equations for curves $C$ over $\mathbb{F}_p$ with $\#J(C) \in S$.
1. Find $\Delta \in \mathcal{O}_F$ such that $\Delta$ is totally negative, $K = F(\sqrt\Delta)$ and $\mathcal{O}_K = \mathcal{O}_F + \mathcal{O}_F\, \frac{b_0 + \sqrt\Delta}{2}$.
2. Let $M = \mathbb{Q}(\sqrt\Delta, \sqrt{\sigma(\Delta)})$ be the Galois closure of $K$ over $\mathbb{Q}$, with $\Im(\sqrt\Delta) > 0$ and $\Im(\sqrt{\sigma(\Delta)}) > 0$.
3. Find the class number $h_K$ and the ideals generating the class group of $K$.
4. Write an ideal $\mathfrak{a}$ of $K$ in the form
$$\mathfrak{a} = \left[a, \tfrac{b + \sqrt\Delta}{2}\right] = \mathcal{O}_F\, a + \mathcal{O}_F\, \tfrac{b + \sqrt\Delta}{2}$$
such that $a$ is totally positive with $a\mathcal{O}_F = N_{K/F}\,\mathfrak{a}$, and set $z = \frac{b + \sqrt\Delta}{2a}$. Then $z([\mathfrak{a}], \Phi) = \Phi(z) = (z, \sigma z) \in \mathbb{H}^2$ is the CM point in $X = \mathrm{SL}_2(\mathcal{O}_F)\backslash\mathbb{H}^2$ associated to the ideal class, and $z([\mathfrak{a}], \Phi') = (\epsilon z, \sigma'(\epsilon z)) \in \mathbb{H}^2$ is the CM point of CM type $\Phi'$ associated to $\mathfrak{a}$.
5. Compute $J_i(z([\mathfrak{a}], \Phi))$ and $J_i(z([\mathfrak{a}], \Phi'))$. Form the minimal polynomials $P_1(X)$ and $P_2(X)$. Reduce modulo a prime $p$ not dividing the denominators and find the roots (mod $p$).
6. Compute $\phi^* h_i \pmod p$ via the pull-back formulas. Apply Mestre's algorithm to pairs of roots from step 5 to construct a genus 2 curve over the finite field $\mathbb{F}_p$.
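The Python code below is an added example, not from the slides, that carries out steps 5 and 6 up to (but not including) Mestre's algorithm on the class number 1 example $K = \mathbb{Q}(\sqrt{-26 - 2\sqrt 5})$ from the examples database later in these slides, using its polynomials $P_2$ (minimal polynomial of $J_2$) and $P_4$ (of $J_4 = J_1 J_2$) together with the pullback proposition above. The prime $p = 43$ is an assumption of the example, chosen because both polynomials have roots modulo 43 (their discriminants are $3^8 \cdot 41$ and $41 \cdot 126117^2$, and 41 is a square mod 43); whether 43 satisfies the algorithm's input condition of splitting completely into principal ideals in $K^*$ is not checked here. Since the slides leave the pairing of a root of $P_2$ with a root of $P_4$ to be decided by the group-order set $S$, every pairing is returned. Function names are the example's own.

```python
# Added example (not from the slides): steps 5 and 6 of the algorithm, short of
# Mestre's algorithm, on the slides' class number 1 example K = Q(sqrt(-26 - 2 sqrt5)).
# P2 and P4 are the class polynomials of J2 and J4 = J1*J2 from the examples database;
# p = 43 is an assumed prime for which both have roots mod p (whether it meets the
# algorithm's splitting condition in K^* is not checked here).

P2 = [1, -2588193, 1511654400000]   # coefficients, highest degree first
P4 = [1, 1251, 324000]

def poly_mod_p(coeffs, x, p):
    """Horner evaluation of an integer polynomial at x modulo p."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % p
    return acc

def roots_mod_p(coeffs, p):
    """All roots in F_p, found by exhaustive evaluation (fine for small p)."""
    if coeffs[0] % p == 0:
        raise ValueError("p divides the leading coefficient, i.e. a denominator")
    return sorted(x for x in range(p) if poly_mod_p(coeffs, x, p) == 0)

def pullback_igusa(j1, j2, p):
    """phi^* h_1, h_2, h_3 mod p from the Gundlach invariants, using the proposition
    h1 = 8 J2 (3 J1^2 J2 - 2)^5, h2 = J2 (3 J1^2 J2 - 2)^3 / 2,
    h3 = J2 (3 J1^2 J2 - 2)^2 (4 J1^2 J2 + 2^5 3^2 J1 - 3) / 2^3."""
    w = (3 * j1 * j1 * j2 - 2) % p
    h1 = 8 * j2 * pow(w, 5, p) % p
    h2 = j2 * pow(w, 3, p) * pow(2, -1, p) % p
    h3 = j2 * pow(w, 2, p) * (4 * j1 * j1 * j2 + 2**5 * 3**2 * j1 - 3) * pow(8, -1, p) % p
    return h1, h2, h3

def candidate_igusa_invariants(p):
    """{(J1, J2): (h1, h2, h3) mod p} for every pairing of a root of P2 with a root
    of P4, with J1 = J4 / J2. The pairing belonging to an actual CM point is selected
    downstream by comparing the curve's group order with the set S."""
    out = {}
    for j2 in roots_mod_p(P2, p):
        if j2 == 0:
            continue          # J2 = G2^5 / theta10 = 0 cannot be inverted
        for j4 in roots_mod_p(P4, p):
            j1 = j4 * pow(j2, -1, p) % p
            out[(j1, j2)] = pullback_igusa(j1, j2, p)
    return out

if __name__ == "__main__":
    p = 43
    print("roots of P2 mod", p, roots_mod_p(P2, p))
    print("roots of P4 mod", p, roots_mod_p(P4, p))
    for (j1, j2), h in candidate_igusa_invariants(p).items():
        print(f"J1={j1} J2={j2}: (h1, h2, h3) mod {p} = {h}")
```

Modulo 43 the roots of $P_2$ are $6$ and $17$ and those of $P_4$ are $1$ and $38$; the check on the leading coefficient is what "a prime $p$ not dividing the denominators" in step 5 amounts to for these monic examples, and it matters for the later examples whose leading coefficients are $11^2$, $7^2$, $31^2$, $23^2$ or larger.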
Why is this better than using Igusa invariants?
CM points are easier to write down.
Two variables instead of three (fewer exponentials to evaluate, fewer multiplications).
Smaller height.
Two invariants instead of three.
Good control over the precision needed.
Comparison with others' work
Three methods for computing Igusa class polynomials:
1. Complex analytic method: Spallek, van Wamelen, Weng, Cohn-L., Dupont, Streng
2. CRT (Chinese Remainder Theorem) method: Eisentraeger-L., Freeman, Broker, Gruenewald, Robert
3. p-adic method: Gaudry, Houtmann, Kohel, Ritzenthaler, Weng, Carls, Lubicz
Joint work with Michael Naehrig
Examples database
Improvements to the algorithm
Understanding the factorization of coefficients of class polynomials
$K = \mathbb{Q}(\sqrt{-26 - 2\sqrt 5})$, non-normal, class number 1
precision: 3000; number of terms in Eisenstein series: 30; time for computing polynomials: 8.400 s
$P_2 = X^2 - 2588193X + 1511654400000$
$P_4 = X^2 + 1251X + 324000$
Factored coefficients ($c_{i,j}$ is the coefficient of $X^j$ in $P_i$):
$c_{2,0} = 2^{13} \cdot 3^{10} \cdot 5^5$, $c_{2,1} = 3^5 \cdot 10651$, $c_{2,2} = 1$
$c_{4,0} = 2^5 \cdot 3^4 \cdot 5^3$, $c_{4,1} = 3^2 \cdot 139$, $c_{4,2} = 1$
$K = \mathbb{Q}(\sqrt{-5 + \sqrt 5})$, normal, class number 2
precision: 3000; number of terms in Eisenstein series: 20; time for computing polynomials (Magma): 1.810 s
$P_2 = 121X^2 - 5716137600000X + 9183300480000000000 = 121\,(X - 47239200000)(X - 194400000/121)$
$P_4 = 121X^2 - 29628000X + 54675000000 = 121\,(X - 243000)(X - 225000/121)$
$c_{2,0} = 2^{16} \cdot 3^{15} \cdot 5^{10}$, $c_{2,1} = 2^{10} \cdot 3^5 \cdot 5^5 \cdot 7351$, $c_{2,2} = 11^2$
$c_{4,0} = 2^6 \cdot 3^7 \cdot 5^8$, $c_{4,1} = 2^5 \cdot 3^2 \cdot 5^3 \cdot 823$, $c_{4,2} = 11^2$
$K = \mathbb{Q}(\sqrt{-14 - 2\sqrt 5})$, non-normal, class number 2
precision: 3000; number of terms in Eisenstein series: 25; time for computing polynomials (Magma): 7.410 s
$P_2 = 49X^4 - 217136775168X^3 + 183163100112001695744X^2 - 17409591332317849190400000X + 584985350410076160000000000$
$P_4 = 49X^4 - 5851584X^3 + 148455970560X^2 - 21859269120000X - 361117440000000$
$c_{2,0} = 2^{34} \cdot 3^{20} \cdot 5^{10}$, $c_{2,1} = 2^{27} \cdot 3^{15} \cdot 5^5 \cdot 7 \cdot 79 \cdot 5231$, $c_{2,2} = 2^{18} \cdot 3^{11} \cdot 37 \cdot 1129 \cdot 94421$, $c_{2,3} = 2^{14} \cdot 3^5 \cdot 54539$, $c_{2,4} = 7^2$
$c_{4,0} = 2^{14} \cdot 3^8 \cdot 5^7 \cdot 43$, $c_{4,1} = 2^{12} \cdot 3^6 \cdot 5^4 \cdot 13 \cdot 17 \cdot 53$, $c_{4,2} = 2^8 \cdot 3^5 \cdot 5 \cdot 193 \cdot 2473$, $c_{4,3} = 2^6 \cdot 3^2 \cdot 10159$, $c_{4,4} = 7^2$
$K = \mathbb{Q}(\sqrt{-66 - 10\sqrt 5})$, non-normal, class number 3
precision: 3000; number of terms in Eisenstein series: 100; time for computing polynomials (Magma): 305.360 s
$P_2 = X^6 - 14361341769X^5 + 48530935318126967414X^4 - 6753971583972445270702277X^3 + 1350060851930542237903564800000X^2 - 134258998051837482119331840000000000X + 4628420142484694262349824000000000000000$
$P_4 = X^6 + 139611X^5 + 4817153636X^4 - 3802138545451X^3 + 1557132203428000X^2 - 378359130128000000X + 44566851776000000000$
$c_{2,0} = 2^{42} \cdot 3^9 \cdot 5^{15} \cdot 281^5$, $c_{2,1} = 2^{26} \cdot 3^6 \cdot 5^{10} \cdot 7 \cdot 479 \cdot 1699 \cdot 49329760913$, $c_{2,2} = 2^{15} \cdot 3^3 \cdot 5^5 \cdot 6659 \cdot 488743 \cdot 150037582573$, $c_{2,3} = 13 \cdot 519536275690188097746329$, $c_{2,4} = 2 \cdot 313 \cdot 77525455779755539$, $c_{2,5} = 3^3 \cdot 15919 \cdot 33413$, $c_{2,6} = 1$
$c_{4,0} = 2^{15} \cdot 5^9 \cdot 281^2 \cdot 8819$, $c_{4,1} = 2^{10} \cdot 5^6 \cdot 7 \cdot 3378206519$, $c_{4,2} = 2^5 \cdot 5^3 \cdot 389283050857$, $c_{4,3} = 1621 \cdot 2345551231$, $c_{4,4} = 2^2 \cdot 673 \cdot 1789433$, $c_{4,5} = 3 \cdot 173 \cdot 269$, $c_{4,6} = 1$
$K = \mathbb{Q}(\sqrt{-30 - 6\sqrt 5})$, normal, class number 4
precision: 3000; number of terms in Eisenstein series: 60; time for computing polynomials (Magma): 52.960 s
$P_2 = 961X^4 - 10446951283200000X^3 + 44375383336320000000000X^2 - 45630255522816000000000000000X - 17631936921600000000000000000000$
$P_4 = 961X^4 - 3359976000X^3 + 4518279000000X^2 + 7145550000000000X - 92745000000000000$
$c_{2,0} = 2^{32} \cdot 3^{16} \cdot 5^{20}$, $c_{2,1} = 2^{25} \cdot 3^{12} \cdot 5^{15} \cdot 191 \cdot 439$, $c_{2,2} = 2^{16} \cdot 3^9 \cdot 5^{10} \cdot 337 \cdot 10453$, $c_{2,3} = 2^{12} \cdot 3^4 \cdot 5^5 \cdot 10076149$, $c_{2,4} = 31^2$
$c_{4,0} = 2^{12} \cdot 3^4 \cdot 5^{13} \cdot 229$, $c_{4,1} = 2^{10} \cdot 3^3 \cdot 5^{11} \cdot 67 \cdot 79$, $c_{4,2} = 2^6 \cdot 3^2 \cdot 5^6 \cdot 59 \cdot 67 \cdot 127$, $c_{4,3} = 2^6 \cdot 3 \cdot 5^3 \cdot 139999$, $c_{4,4} = 31^2$
$K = \mathbb{Q}(\sqrt{-6 - \sqrt 5})$, non-normal, class number 4
precision: 3000; number of terms in Eisenstein series: 240; time to compute polynomials (Magma): 2290.250 s
$P_2 = 529X^8 - 906756999727104X^7 + 346158557025018350146158592X^6 - 564260103063914026233904731521024X^5 + 201611557172586486774045507195422900224X^4 + 1188790268775347682307679034847474483200000X^3 + 14591665686244083042479219252142444380160000000000X^2 + 1399772229305552269755440311695990325248000000000000000X + 47168276421148474829957491746060789350400000000000000000000$
$P_4 = 529X^8 - 1072514112X^7 + 517120008137216X^6 + 204757555574980608X^5 - 724812765867541692416X^4 + 434077018652827582464000X^3 - 199409785438298832896000000X^2 + 41908452090722648064000000000X - 7681447885906313216000000000000$
$c_{2,0} = 2^{68} \cdot 3^{12} \cdot 5^{20} \cdot 5009^5$, $c_{2,1} = 2^{63} \cdot 3^{10} \cdot 5^{15} \cdot 83 \cdot 1014674956751031349$, $c_{2,2} = 2^{53} \cdot 3^7 \cdot 5^{10} \cdot 17 \cdot 17583018821 \cdot 253760436053$, $c_{2,3} = 2^{45} \cdot 3^4 \cdot 5^5 \cdot 27585937 \cdot 4838744112380831$, $c_{2,4} = 2^{35} \cdot 79 \cdot 101 \cdot 163 \cdot 4728433 \cdot 13547767 \cdot 70427869$, $c_{2,5} = 2^{30} \cdot 18288367 \cdot 28734559621330853$, $c_{2,6} = 2^{19} \cdot 11 \cdot 281 \cdot 347 \cdot 4027 \cdot 388757 \cdot 393203$, $c_{2,7} = 2^{11} \cdot 3^2 \cdot 19 \cdot 103 \cdot 25137821$, $c_{2,8} = 23^2$
$c_{4,0} = 2^{28} \cdot 5^{12} \cdot 947 \cdot 4933 \cdot 5009^2$, $c_{4,1} = 2^{34} \cdot 3^2 \cdot 5^9 \cdot 367 \cdot 503 \cdot 751753$, $c_{4,2} = 2^{23} \cdot 5^6 \cdot 19 \cdot 97 \cdot 313 \cdot 751 \cdot 3511777$, $c_{4,3} = 2^{20} \cdot 3 \cdot 5^3 \cdot 41611 \cdot 26529401939$, $c_{4,4} = 2^{15} \cdot 22119530208360037$, $c_{4,5} = 2^{14} \cdot 3 \cdot 499 \cdot 2963 \cdot 2817517$
$K = \mathbb{Q}(\sqrt{-330 + 66\sqrt 5})$, normal, class number 8
precision: 3000; number of terms in Eisenstein series: 350; time to compute polynomials (Magma): 5403.030 s
$P_2 = 8700896126036551483736041X^8 - 32550875692547568160555206013385025122918400000X^7 + 125923144169110910076831696022908759633958010880000000000X^6 - 3532308132779706667907638602077212120324453171200000000000000000X^5 + 18896258614901229917530949381166658369177393928601600000000000000000000X^4 + 78004698176565486371972347519396339488310620585984000000000000000000000000000X^3 - 362973284011776064323611004432898872351089794511536128000000000000000000000000000000X^2 + 17339706823093507788844677846903798716863913838268907520000000000000000000000000000000000X + 11206339807172688624297071398862547803665367574773760000000000000000000000000000000000000000$
$P_4 = 8700896126036551483736041X^8 + 529171959706861316033186870106048000X^7 + 39711888130001408728642075379641344000000X^6 + 661069949180561165913677507650977792000000000X^5 + 2807886486943137234407534221470990336000000000000X^4 - 2135600046844317696167810940870328320000000000000000X^3 - 10474190593591978993574208657728471040000000000000000000X^2 + 7853812718487216446731436819900006400000000000000000000000X - 32377347499758980266585847601561600000000000000000000000000$
$P_4$-coefficients: $c_{4,8} = 11^4 \cdot 29^2 \cdot 61^2 \cdot 211^2 \cdot 241^2 \cdot 271^2$, $c_{4,7} = 2^9 \cdot 3 \cdot 5^3 \cdot 11^3 \cdot 49253 \cdot 26291379817 \cdot 1599084712499$, $c_{4,6} = 2^{16} \cdot 3^2 \cdot 5^6 \cdot 11^2 \cdot 53 \cdot 671918858429137008360873343$, $c_{4,5} = 2^{25} \cdot 3^3 \cdot 5^9 \cdot 11 \cdot 17 \cdot 53 \cdot 73 \cdot 193 \cdot 797 \cdot 1871 \cdot 1794212865865807$, $c_{4,4} = 2^{33} \cdot 3^4 \cdot 5^{12} \cdot 7 \cdot 43 \cdot 127 \cdot 12907 \cdot 482413 \cdot 69446456336729$, $c_{4,3} = 2^{44} \cdot 3^5 \cdot 5^{16} \cdot 19 \cdot 23^2 \cdot 73 \cdot 152531 \cdot 29253882917683$, $c_{4,2} = 2^{48} \cdot 3^6 \cdot 5^{19} \cdot 7 \cdot 1056061 \cdot 362022885111720449$, $c_{4,1} = 2^{60} \cdot 3^7 \cdot 5^{23} \cdot 283 \cdot 923284368270711347$