Kummer theory for finite fields Jean-Marc Couveignes Institut de Mathématiques de Bordeaux Workshop FAST, September 2017
Specializing isogenies between algebraic groups
Let $G/K$ be a commutative algebraic group over a perfect field, $T \subset G(K)$ a finite subgroup and $I : G \to H$ the quotient by $T$. Set $d = \#T = \deg(I)$. Assume there is a $K$-rational point $a$ in $H$ such that $I^{-1}(a)$ is irreducible. Any $b \in G(\bar{\mathbb{F}}_p)$ such that $I(b) = a$ defines a degree $d$ cyclic extension $L = K(b)$ of $K$.
Indeed we have a non-degenerate pairing
$\langle\,,\rangle : H(K)/I(G(K)) \times \mathrm{Gal}(I^{-1}(H(K))) \to T$.
If $a \in H(K)$ take $b \in I^{-1}(a)$ and set $\langle a, \mathfrak{a} \rangle = \mathfrak{a}(b) - b$.
Geometric automorphisms
Automorphisms of $K(b)/K$ admit a geometric description. They act by translation. Let $\varphi$ be a generator of $\mathrm{Gal}(K(b)/K)$. There is a $t \in T$ such that $\varphi(b) = b \oplus_G t$.
Kummer: $G = H = \mathbb{G}_m$ and $I = [d]$. See $G \subset \mathbb{A}^1$ with $z$-coordinate and $z(0_G) = 1$ and $z(P_1 \oplus_{\mathbb{G}_m} P_2) = z(P_1) \times z(P_2)$, $z(I(P)) = z(P)^d$, $z(t) = \zeta$, $z(b \oplus_{\mathbb{G}_m} t) = \zeta \times z(b)$.
Artin-Schreier: $G = H = \mathbb{G}_a$ and $I = \wp$. See $\mathbb{G}_a = \mathbb{A}^1$ with $z$-coordinate, $z(0_G) = 0$ and $z(P_1 \oplus_{\mathbb{G}_a} P_2) = z(P_1) + z(P_2)$, $z(\wp(P)) = z(P)^p - z(P)$, $z(P \oplus_{\mathbb{G}_a} t) = z(P) + c$ where $c = z(t) \in \mathbb{F}_p$.
Specializing isogenies between algebraic groups
Let $G/K$ be a commutative algebraic group over a perfect field, $T$ a finite étale subgroup scheme and $I : G \to H$ the quotient by $T$. Set $d = \#T = \deg(I)$. Assume there is a $K$-rational point $a$ in $H$ such that $I^{-1}(a)$ is irreducible. Any $b \in G(\bar{\mathbb{F}}_p)$ such that $I(b) = a$ defines a degree $d$ cyclic extension $L = K(b)$ of $K$.
Indeed we have a bijection
$\kappa : H(K)/I(G(K)) \to H^1(\mathrm{Gal}(I^{-1}(H(K))), T)$.
If $a \in H(K)$ take $b \in I^{-1}(a)$ and set $\kappa(a)(\mathfrak{a}) = \mathfrak{a}(b) - b$. Any $T$-torsor is a fiber of $I$.
Degree maps
Strategy: find smoothness bases that are Galois invariant.
$\deg(z \times t) \le \deg(z) + \deg(t)$,
there are $p^n$ elements with degree $< n$ for $n \le d$,
there is an algorithm that factors certain elements in $L_{d-1} = \mathbb{F}_q$ as products of elements with smaller degree.
There is a significant proportion of such smooth elements. We look for such degree functions that are Galois invariant.
Kummer theory
Classify cyclic degree $d$ extensions of $K$ with characteristic $p$ prime to $d$ containing a primitive $d$-th root of unity. Embed $K$ in a Galois closure $\bar{K}$. Let $H$ be a subgroup of $K^*$ containing $(K^*)^d$. Set $L = K(H^{1/d})$.
One associates to every $\mathfrak{a}$ in $\mathrm{Gal}(K(H^{1/d})/K)$ a homomorphism $\kappa(\mathfrak{a})$ from $H/(K^*)^d$ to $\mu_d$:
$\kappa(\mathfrak{a}) : \theta \mapsto \dfrac{\mathfrak{a}(\theta^{1/d})}{\theta^{1/d}}$.
The map $\mathfrak{a} \mapsto \kappa(\mathfrak{a})$ is an isomorphism from $\mathrm{Gal}(K(H^{1/d})/K)$ to $\mathrm{Hom}(H/(K^*)^d, \mu_d)$. Classifies abelian extensions of $K$ with exponent dividing $d$.
An example
This example is given by Joux and Lercier: take $p = 43$ and $d = 6$, so $q = 43^6$, and let $A(X) = X^6 - 3$, which is irreducible in $\mathbb{F}_{43}[X]$. So $\mathbb{F}_q = \mathbb{F}_{43}[X]/(X^6 - 3)$. Since $p = 43$ is congruent to 1 modulo $d = 6$ we have
$\varphi(x) = x^{43} = (x^6)^7 \times x = 3^7 x = \zeta_6 x$ with $\zeta_6 = 3^7 = 37 \bmod 43$.
Kummer theory of finite fields
If $K = \mathbb{F}_q$ then any subgroup $H$ of $K^*$ is cyclic. We must assume $d \mid q - 1$ and set $q - 1 = md$. We take $H = K^*$ so $K^*/(K^*)^d$ is cyclic with order $d$, corresponding to the unique degree $d$ extension of $K$: let $r$ be a generator of $K^*$ and $s = r^{1/d}$. Set $L = K(s)$. The Galois group is generated by the Frobenius $\varphi$ and $\varphi(s) = s^q$ so
$\kappa(\varphi)(r) = \dfrac{\varphi(s)}{s} = s^{q-1} = \zeta = r^m$.
The map $r \mapsto \zeta$ from $K^*/(K^*)^d$ to $\mu_d$ is exponentiation by $m$.
Artin-Schreier theory
Classifies degree $p$ extensions of $K$. Here the map $X \mapsto X^d$ is replaced by $X \mapsto X^p - X = \wp(X)$. One adds to $K$ the roots of $X^p - X = a$. Let $H$ be a subgroup of $(K, +)$ containing $\wp(K)$ and set $L = K(\wp^{-1}(H))$. To every $\mathfrak{a}$ in $\mathrm{Gal}(L/K)$ one associates a homomorphism $\kappa(\mathfrak{a})$ from $H/\wp(K)$ to $(\mathbb{F}_p, +)$:
$\kappa(\mathfrak{a}) : \theta \mapsto \mathfrak{a}(\wp^{-1}(\theta)) - \wp^{-1}(\theta)$.
The map $\mathfrak{a} \mapsto \kappa(\mathfrak{a})$ is an isomorphism from the Galois group $\mathrm{Gal}(L/K)$ to $\mathrm{Hom}(H/\wp(K), \mathbb{F}_p)$.
Artin-Schreier for finite fields
Assume $K = \mathbb{F}_q$ with $q = p^f$. The kernel of $\wp : \mathbb{F}_q \to \mathbb{F}_q$ is $\mathbb{F}_p$ and the quotient $\mathbb{F}_q/\wp(\mathbb{F}_q)$ has order $p$. The unique extension $L$ of degree $p$ of $\mathbb{F}_q$ is generated by $b = \wp^{-1}(a)$ with $a \in \mathbb{F}_q \setminus \wp(\mathbb{F}_q)$. $\varphi(b) - b$ is in $\mathbb{F}_p$ and the map $a \mapsto \varphi(b) - b$ is an isomorphism from $K/\wp(K)$ to $\mathbb{F}_p$. More explicitly $\varphi(b) = b^q$ and
$\varphi(b) - b = b^q - b = (b^p)^{p^{f-1}} - b = (b + a)^{p^{f-1}} - b$
since $\wp(b) = b^p - b = a$. So
$b^{p^f} - b = b^{p^{f-1}} - b + a^{p^{f-1}}$
and iterating we obtain
$\varphi(b) - b = b^{p^f} - b = a + a^p + a^{p^2} + \cdots + a^{p^{f-1}}$.
So the isomorphism from $K/\wp(K)$ to $\mathbb{F}_p$ is the absolute trace.
An example
Take $p = 7$ and $f = 1$, so $q = 7$. The absolute trace of 1 is 1, so we set $K = \mathbb{F}_7$ and $A(X) = X^7 - X - 1$ and we set $L = \mathbb{F}_{7^7} = \mathbb{F}_7[X]/(A(X))$. Setting $x = X \bmod A(X)$, one has $\varphi(x) = x + 1$.
A different algebraic group
We first take $G$ to be the Lucas torus. Assume $p$ is odd. Let $D$ be a non-zero element in $K$. Let $\mathbb{P}^1$ be the projective line with homogeneous coordinates $[U, V]$ and affine coordinate $u = U/V$. $G \subset \mathbb{P}^1$ is the open subset with inequation
$U^2 - DV^2 \neq 0$.
$u(0_G) = \infty$ and $u(P_1 \oplus_G P_2) = \dfrac{u(P_1)u(P_2) + D}{u(P_1) + u(P_2)}$ and $u(\ominus_G P_1) = -u(P_1)$.
A different algebraic group
$U^2 - DV^2 \neq 0$. $u(0_G) = \infty$ and $u(P_1 \oplus_G P_2) = \dfrac{u(P_1)u(P_2) + D}{u(P_1) + u(P_2)}$ and $u(\ominus_G P_1) = -u(P_1)$.
Assume $K = \mathbb{F}_q$ and $D$ is not a square in $\mathbb{F}_q$. $\#G(\mathbb{F}_q) = q + 1$ and $u \in \mathbb{F}_q \cup \{\infty\}$. The Frobenius endomorphism $\varphi : [U, V] \mapsto [U^q, V^q]$ is nothing but multiplication by $-q$. Indeed
$(U + \sqrt{D}\,V)^q = U^q - \sqrt{D}\,V^q$
because $D$ is not a square in $\mathbb{F}_q$.
Using the Lucas Torus
If $d$ divides $q + 1$ then $G[d]$ is $\mathbb{F}_q$-rational. Set $q + 1 = md$ and consider the isogeny $I = [d] : G \to G$. The quotient $G(\mathbb{F}_q)/I(G(\mathbb{F}_q)) = G(\mathbb{F}_q)/G(\mathbb{F}_q)^d$ is cyclic of order $d$. Let $r$ be a generator of $G(\mathbb{F}_q)$ and choose $s \in I^{-1}(r)$. Let $L = K(s) = K(u(s))$, a degree $d$ extension of $K$. For any $\mathfrak{a} \in \mathrm{Gal}(L/K)$, the difference $\mathfrak{a}(s) \ominus_G s$ lies in $G[d]$ and the pairing
$\langle \mathfrak{a}, r \rangle \mapsto \mathfrak{a}(s) \ominus_G s$
induces an isomorphism from $\mathrm{Gal}(L/K)$ to $\mathrm{Hom}(G(K)/(G(K))^d, G[d])$. Here $\mathrm{Gal}(L/K)$ is generated by $\varphi$ and $\langle \varphi, r \rangle$ is $\varphi(s) \ominus_G s$. Remember that $\varphi(s) = [-q]s$ so
$\langle \varphi, r \rangle = [-q - 1]s = [-m]r$.
Lucas polynomials
Call $\sigma$ the $u$-coordinate of $s$ and $\tau$ the one of $t$; then
$\varphi(\sigma) = \dfrac{\tau\sigma + D}{\sigma + \tau}$
and the Frobenius acts like a linear rational transform. Let $A(X) = \prod_{s \in I^{-1}(r)} (X - u(s))$ be the minimal polynomial of $u(s)$ and set $L = K[X]/A(X)$. One has
$(U + \sqrt{D}\,V)^d = \sum_{0 \le 2k \le d} \binom{d}{2k} U^{d-2k} V^{2k} D^k + \sqrt{D} \sum_{1 \le 2k+1 \le d} \binom{d}{2k+1} U^{d-2k-1} V^{2k+1} D^k$.
So
$u([d]P) = \dfrac{\sum_{0 \le 2k \le d} \binom{d}{2k} u(P)^{d-2k} D^k}{\sum_{1 \le 2k+1 \le d} \binom{d}{2k+1} u(P)^{d-2k-1} D^k}$.
An example
Take $p = q = 13$ and $d = 7$ so $m = 2$. Check $D = 2$ is not a square in $\mathbb{F}_{13}$. Find $r = U + \sqrt{2}\,V$ such that $r$ has order $p + 1 = 14$ in $\mathbb{F}_{13}(\sqrt{2})^*/\mathbb{F}_{13}^*$. For example $U = 3$ and $V = 2$ are fine. The $u$-coordinate of $3 + 2\sqrt{2}$ is $u(r) = \frac{3}{2} = 8$.
$A(X) = X^7 + 3X^5 + 10X^3 + 4X - 8(7X^6 + 5X^4 + 6X^2 + 8)$.
Set $t = [-m]r = [-2]r$ so $u(t) = 4$. Since Frobenius acts like translation by $t$:
$X^p = \dfrac{4X + 2}{X + 4} \bmod A(X)$.
A non-linear flag
$A(X) = \sum_{0 \le 2k \le d} \binom{d}{2k} X^{d-2k} D^k - u(r) \sum_{1 \le 2k+1 \le d} \binom{d}{2k+1} X^{d-2k-1} D^k$.
Set $x = X \bmod A(X)$. The Galois group acts on $x$ by linear rational transforms so it is sensible to define for every $k < d$
$P_k = \left\{ \dfrac{a_0 + a_1 x + a_2 x^2 + \cdots + a_k x^k}{b_0 + b_1 x + b_2 x^2 + \cdots + b_k x^k} \;\middle|\; (a_0, a_1, \ldots, a_k, b_0, b_1, \ldots, b_k) \in K^{2k+2} \right\}$.
One has $K = P_0 \subset P_1 \subset \cdots \subset P_{d-1} = L$ and the $P_k$ are Galois invariant. Further $P_k \times P_l \subset P_{k+l}$ if $k + l \le d - 1$.
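The three worked examples of the talk (Kummer with $p = 43$, Artin-Schreier with $p = 7$, Lucas torus with $p = 13$) can be checked by computing $x^p$ in $\mathbb{F}_p[X]/(A(X))$. The following Python is an added check, not code from the slides; the function names are chosen here, and the Lucas modulus is built from the binomial formula for $A(X)$ above.

```python
from math import comb

def polmulmod(a, b, mod, p):
    """a*b in F_p[X]/(mod); coefficient lists are low degree first, mod is monic."""
    n = len(mod) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for k in range(len(prod) - 1, n - 1, -1):  # cancel the terms of degree >= n
        c = prod[k]
        for i in range(n + 1):
            prod[k - n + i] = (prod[k - n + i] - c * mod[i]) % p
    return (prod + [0] * n)[:n]

def frobenius_of_x(mod, p):
    """x^p in F_p[X]/(mod), the image of x under Frobenius, by square-and-multiply."""
    result, base, e = [1], [0, 1], p
    while e:
        if e & 1:
            result = polmulmod(result, base, mod, p)
        base = polmulmod(base, base, mod, p)
        e >>= 1
    return result

def lucas_modulus(d, D, ur, p):
    """A(X) = sum C(d,2k) D^k X^(d-2k) - u(r) sum C(d,2k+1) D^k X^(d-2k-1) over F_p."""
    A = [0] * (d + 1)
    for j in range(d + 1):  # j = 2k (first sum) or j = 2k+1 (second sum)
        c = comb(d, j) * pow(D, j // 2, p)
        A[d - j] = (c if j % 2 == 0 else -ur * c) % p
    return A

def kummer_check():
    # p = 43, A = X^6 - 3: expect x^43 = 37 x
    return frobenius_of_x([-3 % 43, 0, 0, 0, 0, 0, 1], 43)

def artin_schreier_check():
    # p = 7, A = X^7 - X - 1: expect x^7 = x + 1
    return frobenius_of_x([6, 6, 0, 0, 0, 0, 0, 1], 7)

def lucas_check():
    # p = 13, d = 7, D = 2, u(r) = 8, u(t) = 4: expect x^13 (x + 4) = 4x + 2
    A = lucas_modulus(7, 2, 8, 13)
    return polmulmod(frobenius_of_x(A, 13), [4, 1], A, 13)

if __name__ == "__main__":
    print(kummer_check(), artin_schreier_check(), lucas_check())
```

The Lucas check multiplies $x^{13}$ by the denominator $x + 4$ instead of inverting it, so the linear rational action is verified as a polynomial identity modulo $A(X)$.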
Using elliptic curves
This time we take $G = E/\mathbb{F}_q$ an ordinary elliptic curve. Let $\mathfrak{i}$ be a degree $d$ ideal of $\mathrm{End}(E)$ dividing $\varphi - 1$. Assume $\mathfrak{i}$ is invertible and $\mathrm{End}(E)/\mathfrak{i}$ is cyclic. Set $T = \mathrm{Ker}\,\mathfrak{i} \subset E(\mathbb{F}_q)$ and $I : E \to F = E/T$. The quotient $F(\mathbb{F}_q)/I(E(\mathbb{F}_q))$ is isomorphic to $T$. Choose $a$ in $F(\mathbb{F}_q)$ such that $a \bmod I(E(\mathbb{F}_q))$ is a generator. Choose $b \in I^{-1}(a)$ and set $L = K(b)$, a degree $d$ extension. Clearly $\varphi(b) = b \oplus_G t$ for some $t \in T$.
For any integer $k \ge 0$ call $\mathcal{F}_k$ the set of functions in $\mathbb{F}_q(E)$ with degree $\le k$ having no pole at $b$.
$P_k = \{ f(b) \mid f \in \mathcal{F}_k \}$.
Clearly $K = P_0 = P_1 \subset P_2 \subset \cdots \subset P_d = L$ and $P_k \times P_l \subset P_{k+l}$. Since $\mathcal{F}_k$ is invariant by $T$, also $P_k$ is invariant by $\mathrm{Gal}(L/K)$ because $\varphi(f(b)) = f(\varphi(b)) = f(b \oplus_G t)$.