Counting points on curves: the general case Jan Tuitman, KU Leuven - PowerPoint PPT Presentation

Counting points on curves: the general case Jan Tuitman, KU Leuven October 14, 2015 Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 1 / 26

Introduction Algebraic curves Let X be a smooth projective algebraic curve of genus g over some finite field F q with q = p n . Example (Projective line, g = 0) X = P 1 F q . Example (Elliptic curve, g = 1) F q : y 2 z = x 3 + axz 2 + bz 3 } X = { ( x : y : z ) ∈ P 2 where p � = 2 (and 4 a 3 + 27 b 2 � = 0 ). Example (Non-hyperelliptic curve, g = 4) X = { ( x : y : z : w ) ∈ P 3 F q } : S 2 ( x , y , z , w ) = S 3 ( x , y , z , w ) = 0 } where S 2 , S 3 ∈ F q [ x , y , z , w ] are a quadric and a cubic, respectively (and some smoothness condition is satisfied). Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 2 / 26

Introduction Zeta functions Let | X ( F q i ) | denote the number of points of X with values in F q i (the number of solutions of the equations for X in this field). Recall that the zeta function of X is defined as � ∞ � | X ( F q i ) | T i � Z ( X , T ) = exp . i i =1 It follows from the Weil conjectures that Z ( X , T ) is of the form χ ( T ) (1 − T )(1 − qT ) , where χ ( T ) ∈ Z [ T ] of degree 2 g , with inverse roots that 1 have complex absolute value q 2 are permuted by the map x → q / x . Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 3 / 26

Introduction Example: the projective line Let us do an easy example. We have | P 1 ( F q i ) | = q i + 1 so that � ∞ � ( q i + 1) T i Z ( P 1 � F q , T ) = exp i i =1 � ∞ � ∞ � � T i ( qT ) i � � = exp exp i i i =1 i =1 1 = (1 − T )(1 − qT ) Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 4 / 26

Introduction The problem Problem Compute Z ( X , T ) , or equivalently χ ( T ) , in an efficient way. Remark This problem is often referred to as ’counting points’. Remark Let J X denote the Jacobian variety of X. Then | J X ( F q ) | = χ (1) . Computing | J X ( F q ) | is important for the Discrete Logarithm Problem on J X ( F q ) . If this order only has small prime factors then the DLP is easy. However, in cryptography only curves of genus ≤ 2 are used, and for those curves good algorithms for counting points already exist. Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 5 / 26

p -adic cohomology Constructing p -adic cohomology To compute zeta functions, we will use so called p -adic cohomology. We are going to explain the construction of construction of p -adic cohomology only in the case of a smooth affine curve: U = { ( x 1 , . . . , x m ) ∈ A m F q : f 1 ( x 1 , . . . , x m ) = . . . = f ℓ ( x 1 , . . . , x m ) = 0 } where the f i ( x 1 , . . . , x m ) are all elements of F q [ x 1 , . . . , x m ] (and some smoothness condition is satisfied). We denote R = F q [ x 1 , . . . , x m ] / ( f 1 , . . . , f ℓ ) , so that U = Spec( R ). First we need to lift to characteristic 0. Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 6 / 26

p -adic cohomology Lifting to characteristic 0 Let Q q denote the unique unramified extension of Q p of degree n and Z q the ring of integers of Q q . Let f 1 , . . . , f ℓ ∈ Z q [ x 1 , . . . , x m ] denote lifts of f 1 , . . . , f ℓ (for which the smoothness condition is still satisfied). We denote U = { ( x 1 , . . . , x m ) ∈ A m Z q : f 1 ( x 1 , . . . , x m ) = . . . = f ℓ ( x 1 , . . . , x m ) = 0 } and again R = Z q [ x 1 , . . . , x m ] / ( f 1 , . . . , f ℓ ) , so that U = Spec( R ). Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 7 / 26

p -adic cohomology Weak completion Consider the ring of power series over Z q in m variables that converge p -adically on a disk of radius strictly greater than 1: Z q � x 1 , . . . , x m � † = { a I x I : a I ∈ Z q and ∃ ρ > 1 s.t. | I |→∞ | a I | ρ | I | = 0 } � lim where I = ( i 1 , . . . , i m ) and | I | = i 1 + . . . + i m . We then define the weak completion of R as R † = Z q � x 1 , . . . , x m � † / ( f 1 , . . . , f ℓ ) . This is also called an overconvergent or dagger algebra. Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 8 / 26

p -adic cohomology p -adic cohomology Now we define the overconvergent 1-forms Ω 1 R † = ( R † dx 1 ⊕ . . . ⊕ R † dx m ) / ( d f 1 , . . . , d f ℓ ) and the overconvergent De Rham complex: d → R † → Ω 1 0 − − − − − − − − R † − − − − → 0 where d is defined by dg = ∂ g ∂ x 1 dx 1 + . . . + ∂ g ∂ x m dx m . The p -adic (or rigid) cohomology spaces of U are then defined as H 0 H 1 rig ( U ) = ker d ⊗ Q q rig ( U ) = coker d ⊗ Q q . It can be shown that these are finite dimensional vector spaces over Q q that do not depend on any of the choices made in their construction. Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 9 / 26

p -adic cohomology Lefschetz formula The map F q that sends each x i to x q i defines a map from U to itself, or equivalently a homomorphism from R to itself. One can show that F q can be lifted to the weak completion R † , i.e. that there exists a homomorphism F q from R † to itself, such that F q reduces to F q modulo p . This homomorphism is called a Frobenius lift. It acts naturally on the p -adic cohomology spaces and the following formula holds: det(1 − ( q F − 1 q ) T | H 1 rig ( U )) Z ( U , T ) = (1 − qT ) assuming that U is connected. Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 10 / 26

p -adic cohomology Example: the affine line minus zero In this simple case no weak completion is needed R = F q [ x , 1 / x ] U = Spec( R ) Ω 1 R = Z q [ x , 1 / x ] R = Z q [ x , 1 / x ] dx dx H 0 H 1 rig ( U ) = Q q rig ( U ) = Q q x = d ( x q ) � dx � = q dx F q ( x ) = x q F q x q x x and we check that the Lefschetz formula gives the correct zeta function � ∞ � ( q i − 1) T i Z ( U , T ) = (1 − T ) � (1 − qT ) = exp i i =1 Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 11 / 26

p -adic cohomology Some remarks For X smooth projective (so not affine), the Lefschetz formula becomes det(1 − ( q F − 1 q ) T | H 1 rig ( X )) Z ( X , T ) = . (1 − T )(1 − qT ) Here one may also replace q F − 1 by F q (by Poincar´ e duality). q Actually, one never computes directly with F q , but instead with F p . However, F p is only σ -semilinear, where σ is the unique lift of the p -th power map from F q to Z q . All of this is not very important for the rest of this talk. Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 12 / 26

Kedlaya’s algorithm Hyperelliptic curves Kedlaya (2001) applied p -adic cohomology to the computation of zeta functions of hyperelliptic curves in odd characteristic. Let F q be a finite field with q = p n and p an odd prime. Moreover, let X be the projective nonsingular curve of genus g with affine equation y 2 = Q ( x ) with Q ( x ) ∈ F q [ x ] monic and separable of degree 2 g + 1. Take out all of the ramification points of the map x : X → P 1 F q from the curve and consider the open affine subset F q : y 2 = Q ( x ) and y � = 0 } U = { ( x , y ) ∈ A 2 of X with coordinate ring R = F q [ x , y , 1 / y ] / ( y 2 − Q ( x )) . Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 13 / 26

Kedlaya’s algorithm Frobenius lift and cohomology Let Q ∈ Z q [ x ] be any monic lift of Q and define R = Z q [ x , y , 1 / y ] / ( y 2 − Q ( x )) R † = Z q � x , y , 1 / y � † / ( y 2 − Q ( x )) . We construct a Frobenius lift F p on R † by setting F p ( x ) = x p 1 + Q σ ( x p ) − Q ( x ) p � 1 2 . 2 = y p � 1 F p ( y ) = Q σ ( x p ) y 2 p Theorem (Kedlaya) A basis for H 1 rig ( U ) is given by [ x 0 dx y , . . . , x 2 g − 1 dx y , x 0 dx y 2 , . . . , x 2 g dx y 2 ] and the first 2 g vectors form a basis for the subspace H 1 rig ( X ) . Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 14 / 26

Kedlaya’s algorithm Kedlaya’s algorithm Algorithm Apply F p to the basis [ x 0 dx y , . . . , x 2 g − 1 dx y ] of H 1 rig ( X ) . Reduce resulting elements of Ω 1 R † back to this basis by substracting df with f ∈ R † and read off the matrix Φ p of F p on H 1 rig ( X ) . Compute the matrix Φ q = Φ σ n − 1 . . . Φ σ p Φ p of F q on H 1 rig ( X ) . p Determine χ ( T ) = det(1 − Φ q T ) numerator of Z ( X , T ) . Theorem (Kedlaya) This algorithm runs in time: ˜ space: ˜ O ( pg 4 n 3 ) O ( pg 3 n 3 ) Remark Implemented in MAGMA by M. Harrison, quite practical. Jan Tuitman, KU Leuven Counting points on curves: the general case October 14, 2015 15 / 26