The probability of primality of the order of a genus 2 curve (PowerPoint PPT Presentation)

SLIDE 1

The probability of primality of the order of a genus 2 curve Jacobian

Wouter Castryck

joint with Hendrik Hubrechts, Alessandra Rigato, Andrew Sutherland

K.U. Leuven / M.I.T.

ECC 2010, Redmond

Wouter Castryck (K.U. Leuven / M.I.T.) P(#Jac(genus 2 curve) is prime) 1/41 ECC 2010, Redmond 1 / 41

SLIDE 2

Contents

1. Alternative heuristics for Galbraith-McKee (genus g = 1)
2. Adaptation to genus g = 2
3. Asymptotics for g → ∞
4. Concluding remarks

SLIDE 3

g=1 (slides 2–16)

The genus 1 case: Galbraith-McKee conjecture

Let Fq be a finite field of char ≥ 5. Let E : y² = x³ + Ax + B be a random elliptic curve.

I.e., (A, B) is taken from the set

$$\{\, (A, B) \in \mathbb{F}_q^2 \mid 4A^3 + 27B^2 \neq 0 \,\}$$

uniformly at random.

Let NE = #E(Fq). Question: what is P(NE is prime)? Motivation: cryptography.

SLIDE 4

The distribution of NE

Hasse’s theorem: NE ∈ [q + 1 − 2√q, q + 1 + 2√q]. Let’s rescale this a bit. . .

Trace of Frobenius: TE = q + 1 − NE ∈ [−2√q, 2√q]. Normalized trace of Frobenius: tE = TE/(2√q) ∈ [−1, 1].

Birch, Yoshida, Katz-Sarnak: tE tends to follow a semicircular distribution, i.e.

$$\lim_{q \to \infty} P(a \le t_E \le b) = \int_a^b \frac{2}{\pi} \sqrt{1 - t^2}\, dt.$$

SLIDE 5

The distribution of NE

A histogram of 100,000 curves y² = x³ + Ax + B over $\mathbb{F}_{7^5}$, with interval width 15.

SLIDE 6

Subtleties

The limit dissolves the discrete nature of NE (or TE). Same experiment, but now interval width 1: this doesn’t seem to converge to a semicircle very ‘smoothly’ (lots of peaks and valleys).

Gaps at TE ≡ 0 mod 7 (supersingular curves).


SLIDE 8

Subtleties

Easy fact (not very well-known):

$$\lim_{q \to \infty} P(N_E \text{ is even}) = \frac{2}{3}.$$

Proof: The completing-the-cube map {square-free x³ + ax² + bx + c} → {square-free x³ + Ax + B} is uniform. Thus we may assume that E is defined by y² = f(x) for a random square-free f(x) = x³ + ax² + bx + c. NE is even ⇔ E(Fq) has 2-torsion ‖ f(x) is reducible. The irreducible f(x) are precisely the minimal polynomials of all θ ∈ $\mathbb{F}_{q^3} \setminus \mathbb{F}_q$, and the correspondence is 3-to-1. Thus

$$\lim_{q \to \infty} P(f(x) \text{ is irreducible}) = \lim_{q \to \infty} \frac{\tfrac{1}{3}(q^3 - q)}{q^3 - O(q^2)} = \frac{1}{3}.$$

SLIDE 9

Subtleties

Lenstra: in general, we have

$$\lim_{q \to \infty} \left( P(\ell \mid N_E) - \begin{cases} \dfrac{1}{\ell - 1} & \text{if } q \not\equiv 1 \bmod \ell \\[4pt] \dfrac{\ell}{\ell^2 - 1} & \text{if } q \equiv 1 \bmod \ell \end{cases} \right) = 0$$

for any prime number ℓ not dividing q. Thus: ℓ ≪ q ⟹ P(ℓ | NE) > 1/ℓ. This suggests that P(NE is prime) is smaller than one would naively expect.

SLIDE 10

Galbraith-McKee conjecture

Let’s try to quantify this (assume q = p is prime). Heuristically (but in fact wrong! ∼ Mertens’ theorem),

$$P_1(p) = P(\text{random number is prime}) \approx \prod_{\ell \le \sqrt{p} + 1} \frac{\ell - 1}{\ell} \approx \frac{1}{\log p}.$$

Using Lenstra’s estimates, heuristically (‘equally wrong’),

$$P_2(p) = P(N_E \text{ is prime}) \approx \prod_{\substack{\ell \nmid p - 1 \\ \ell \le \sqrt{p} + 1}} \frac{\ell - 2}{\ell - 1} \cdot \prod_{\substack{\ell \mid p - 1 \\ \ell \le \sqrt{p} + 1}} \frac{\ell^2 - \ell - 1}{\ell^2 - 1}.$$

So (all products over ℓ ≤ √p + 1):

$$\frac{P_2(p)}{P_1(p)} \approx \frac{\prod_{\ell \nmid p - 1} \frac{\ell - 2}{\ell - 1} \cdot \prod_{\ell \mid p - 1} \frac{\ell^2 - \ell - 1}{\ell^2 - 1}}{\prod_{\ell} \frac{\ell - 1}{\ell}}.$$

SLIDE 11

Galbraith-McKee conjecture

Rearranging terms gives:

Conjecture (Galbraith-McKee, 2000): Let

$$c_p = \frac{2}{3} \cdot \prod_{\ell > 2} \left( 1 - \frac{1}{(\ell - 1)^2} \right) \cdot \prod_{\ell \mid p - 1,\ \ell > 2} \left( 1 + \frac{1}{(\ell + 1)(\ell - 2)} \right),$$

then $\lim_{p \to \infty} \left( P_2(p)/P_1(p) - c_p \right) = 0$.

cp ∈ [0.44, 0.62]. Galbraith & McKee give a different heuristic argument! They use an analytic Hurwitz-Kronecker class number formula counting equivalence classes of bivariate quadratic forms with given discriminant.

SLIDE 12

Random matrices

Let gcd(n, q) = 1. To an elliptic curve E/Fq we can associate its n-torsion subgroup

$$E[n] = \{\, P \in E(\overline{\mathbb{F}}_q) \mid nP = \infty \,\}.$$

It is well-known that E[n] ≅ Z/(n) × Z/(n). Let (P, Q) be a Z/(n)-module basis of E[n], and let σ : E[n] → E[n] be the qth power Frobenius. Then we can write P^σ = [α]P + [β]Q, Q^σ = [γ]P + [δ]Q. Fact: the matrix

$$\begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix} \in (\mathbb{Z}/(n))^{2 \times 2}$$

has trace ≡ TE mod n and determinant ≡ q mod n.

SLIDE 13

Random matrices

Choosing another basis yields a GL2(Z/(n))-conjugated matrix. Thus we can unambiguously associate to E a conjugacy class FE of matrices of Frobenius (all having trace TE and determinant q).

Let Mq ⊂ GL2(Z/(n)) be the set of matrices of determinant q. Quasi-theorem: Let F be a conjugacy class of matrices of determinant q. Then

$$\left| P(\mathcal{F}_E = F) - \frac{\#F}{\#M_q} \right| \le \frac{C\, n^2}{\sqrt{q}}.$$

This is likely to follow from:

  • Chebotarev’s density theorem applied to X(n) → X(1) (in progress);
  • Katz-Sarnak equidistribution as elaborated by Achter, currently modulo some hypotheses.

SLIDE 14

Example 1

What proportion of elliptic curves satisfies E[ℓ] ⊂ E(Fq)?

E[ℓ] ⊂ E(Fq) if and only if E[ℓ] has a basis consisting of Fq-rational points P and Q. Thus: if and only if

$$\mathcal{F}_E = \left\{ \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \right\}.$$

By the random matrix theorem, the chance that this happens is

$$\approx \frac{\#\left\{ \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \right\}}{\#M_q}.$$

#Mq = ℓ³ − ℓ (exercise). Thus P(E[ℓ] ⊂ E(Fq)) ≈ 1/(ℓ³ − ℓ).

SLIDE 15

Example 2

Alternative proof of $\lim_{q \to \infty} P(N_E \text{ is even}) = \frac{2}{3}$.

There are 6 elements of (Z/(2))^{2×2} having determinant q ≡ 1:

$$\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix},\ \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix},\ \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix},\ \begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix}.$$

4 of them have trace 0. P(NE is even) = P(q + 1 − TE is even) = P(TE is even) = 4/6.

SLIDE 16

Example 2

More generally: let ℓ be a prime number not dividing q. Exercise:

$$\#\{\, M \in M_q \mid q + 1 - \mathrm{Tr}(M) \equiv 0 \,\} = \begin{cases} \ell^2 + \ell & \text{if } q \not\equiv 1 \bmod \ell \\ \ell^2 & \text{if } q \equiv 1 \bmod \ell. \end{cases}$$

Recall: #Mq = ℓ³ − ℓ. Hence we recover Lenstra’s result:

$$P(\ell \mid N_E) \approx \begin{cases} \dfrac{\ell^2 + \ell}{\ell^3 - \ell} = \dfrac{1}{\ell - 1} & \text{if } q \not\equiv 1 \bmod \ell \\[6pt] \dfrac{\ell^2}{\ell^3 - \ell} = \dfrac{\ell}{\ell^2 - 1} & \text{if } q \equiv 1 \bmod \ell. \end{cases}$$

SLIDE 17

Contents

1. Alternative heuristics for Galbraith-McKee (genus g = 1)
2. Adaptation to genus g = 2
3. Asymptotics for g → ∞
4. Concluding remarks

SLIDE 18

g=2 (slides 18–34)

The genus 2 case

Let Fq be a finite field of char ≥ 3. Let H : y² = f(x) be a random genus 2 curve.

I.e., f(x) is taken from either

  • H6 = { f(x) ∈ Fq[x] | f(x) monic, square-free, of degree 6 } or
  • H5 = { f(x) ∈ Fq[x] | f(x) monic, square-free, of degree 5 }

uniformly at random. These are distinct notions!

Let NH = #Jac(H)(Fq). Question: what is P(NH is prime)? Motivation: cryptography.

SLIDE 19

Distinct notions of randomness

What is P(NH is even)? Let W1, . . . , W6 be the Weierstrass points of H. Every non-zero point of Jac(H)[2] (thought of as a divisor class) contains a unique pair {Wi − Wj, Wj − Wi}, where i ≠ j.

Proof: use Riemann-Roch and the fact that there are $\binom{6}{2} = 15$ pairs.

The pair is Fq-rational iff {Wi, Wj}^σ = {Wi, Wj}. In case f(x) ∈ H6: occurs iff f(x) has a quadratic factor.

Exercise: probability ≈ 26/45.

In case f(x) ∈ H5: occurs iff f(x) has a linear or quadratic factor.

Exercise: probability ≈ 4/5.

SLIDE 20

Random matrices in genus 2

For now, suppose that f(x) is chosen from H6 = { f(x) ∈ Fq[x] | f(x) monic, square-free, of degree 6 } uniformly at random. This works better from a theoretic point of view.

SLIDE 21

Random matrices in genus 2

Let gcd(n, q) = 1. To a genus 2 curve H/Fq we can associate the n-torsion subgroup of its Jacobian A = Jac(H):

$$A[n] = \{\, P \in A(\overline{\mathbb{F}}_q) \mid nP = \infty \,\}.$$

It is well-known that A[n] ≅ (Z/(n))⁴. Let (P1, P2, P3, P4) be a Z/(n)-module basis of A[n], then

$$P_1^{\sigma} = [\alpha_{11}]P_1 + [\alpha_{12}]P_2 + [\alpha_{13}]P_3 + [\alpha_{14}]P_4, \quad \ldots$$

Fact: the matrix $F = (\alpha_{ij}) \in (\mathbb{Z}/(n))^{4 \times 4}$ has determinant ≡ q mod n and satisfies det(F − I) ≡ NH mod n.

SLIDE 22

Random matrices in genus 2

Choosing another basis yields a GL4(Z/(n))-conjugated matrix. Thus we can unambiguously associate to H a conjugacy class FH of matrices of Frobenius.

However, a statement like

  Let Mq ⊂ GL4(Z/(n)) be the set of matrices of determinant q. Let F be a conjugacy class of matrices of determinant q. Then
  $$\lim_{q \to \infty} \left( P(\mathcal{F}_H = F) - \frac{\#F}{\#M_q} \right) = 0.$$

turns out to be false.

SLIDE 23

Symplectic structure of A[n]

Let ζn ∈ $\overline{\mathbb{F}}_q$ be a primitive nth root of unity. The Weil pairing en : A[n] × A[n] → ⟨ζn⟩, when composed with the (non-canonical) map ⟨ζn⟩ → Z/(n) : ζn^i ↦ i, is a skew-symmetric, nondegenerate, bilinear pairing ⟨·, ·⟩ on A[n] (called a symplectic pairing).

Darboux: A[n] admits a basis with respect to which

$$\langle v, w \rangle = {}^t v \cdot \begin{pmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ -1 & 0 & 0 & 0 \\ 0 & -1 & 0 & 0 \end{pmatrix} \cdot w = {}^t v \cdot \Omega \cdot w.$$

SLIDE 24

Choosing a different root of unity

Rephrased: a basis {P1, P2, Q1, Q2} is a Darboux basis if $e_n(P_i, Q_j) = \zeta_n^{\delta_{ij}}$ and $e_n(P_i, P_j) = e_n(Q_i, Q_j) = 1$.

Let d ∈ (Z/(n))^×. If {P1, P2, Q1, Q2} is a Darboux basis with respect to ζn, then {P1, P2, dQ1, dQ2} is a Darboux basis with respect to $\zeta_n^{d}$.

Denote the matrix of base change with

$$g_d = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & d & 0 \\ 0 & 0 & 0 & d \end{pmatrix}.$$

SLIDE 25

Choosing a different Darboux basis

The matrix of base change M between two Darboux bases must satisfy

$${}^t v \cdot \Omega \cdot w = {}^t(Mv) \cdot \Omega \cdot (Mw) = {}^t v \cdot {}^t M \cdot \Omega \cdot M \cdot w$$

for all v, w ∈ (Z/(n))⁴. Such matrices are called symplectic:

$$\mathrm{Sp}_4(\mathbb{Z}/(n)) = \{\, M \in (\mathbb{Z}/(n))^{4 \times 4} \mid {}^t M \cdot \Omega \cdot M = \Omega \,\}.$$

Note, if M is symplectic, then

$${}^t M \cdot {}^t g_d \cdot \Omega \cdot g_d \cdot M = {}^t g_d \cdot {}^t M \cdot \Omega \cdot M \cdot g_d = d\,\Omega.$$

SLIDE 26

Symplectic similitudes

For d ∈ (Z/(n))^×, define the d-symplectic matrices as

$$\mathrm{GSp}_4^{(d)}(\mathbb{Z}/(n)) = \{\, M \in (\mathbb{Z}/(n))^{4 \times 4} \mid {}^t M \cdot \Omega \cdot M = d\,\Omega \,\}.$$

The symplectic similitudes (generated by Sp4(Z/(n)) and {gd}):

$$\mathrm{GSp}_4(\mathbb{Z}/(n)) = \bigcup_{d \in (\mathbb{Z}/(n))^{\times}} \mathrm{GSp}_4^{(d)}(\mathbb{Z}/(n)).$$

Because en(P^σ, Q^σ) = en(P, Q)^q, the matrix F of σ with respect to a Darboux basis satisfies

$${}^t v \cdot {}^t F \cdot \Omega \cdot F \cdot w = {}^t(Fv) \cdot \Omega \cdot (Fw) = q\,({}^t v \cdot \Omega \cdot w) = {}^t v \cdot (q\,\Omega) \cdot w$$

for all v, w ∈ (Z/(n))⁴, i.e., F is q-symplectic.

SLIDE 27

Random matrices in genus 2 (revisited)

Thus we can unambiguously associate to H an orbit FH of $\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(n))$ under GSp4(Z/(n))-conjugation.

Quasi-theorem: Let F ⊂ $\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(n))$ be an orbit. Then

$$\left| P(\mathcal{F}_H = F) - \frac{\#F}{\#\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(n))} \right| \le \frac{C\, n^{?}}{\sqrt{q}}.$$

This is likely to follow from:

  • A Chebotarev-like statement applied to A2[n] → A2[1];
  • Katz-Sarnak equidistribution as elaborated by Achter, currently modulo some hypotheses.

SLIDE 28

Lenstra’s theorem in genus 2

Let ℓ be a prime number not dividing q. One can compute

$$\#\{\, M \in \mathrm{GSp}_4^{(q)}(\mathbb{Z}/(\ell)) \mid \det(M - I) \equiv 0 \,\} = \begin{cases} \ell^4(\ell + 1)(\ell^2 + 1)(\ell^2 - 2) & \text{if } q \not\equiv 1 \bmod \ell \\ \ell^5(\ell^4 - \ell - 1) & \text{if } q \equiv 1 \bmod \ell. \end{cases}$$

$\#\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(\ell)) = \#\mathrm{Sp}_4(\mathbb{Z}/(\ell)) = \ell^4(\ell^4 - 1)(\ell^2 - 1)$.

We conclude:

$$P(\ell \mid N_H) \approx \begin{cases} \dfrac{\ell^2 - 2}{(\ell^2 - 1)(\ell - 1)} & \text{if } q \not\equiv 1 \bmod \ell \\[6pt] \dfrac{\ell(\ell^4 - \ell - 1)}{(\ell^4 - 1)(\ell^2 - 1)} & \text{if } q \equiv 1 \bmod \ell. \end{cases}$$
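As an added worked example (not part of the talk), the matrix counts behind slide 16 and slide 28 can be checked by brute force: enumerate the 2×2 matrices over Z/(ℓ) of determinant q and count those with q + 1 − Tr(M) ≡ 0, and enumerate Sp4(Z/(2)) = GSp4^{(q)}(Z/(2)) for odd q and count the members with det(M − I) ≡ 0. The closed forms are the slides' own; the Python code and function names are mine, and the 4×4 search is only practical for ℓ = 2.

```python
from fractions import Fraction
from itertools import permutations, product

def count_gl2(ell, q):
    """Slide-16 exercise by brute force: (#{M in M_q : q + 1 - Tr(M) = 0}, #M_q) over Z/(ell)."""
    total = hits = 0
    for a, b, c, d in product(range(ell), repeat=4):
        if (a * d - b * c - q) % ell:      # keep only determinant q, i.e. M in M_q
            continue
        total += 1
        hits += (q + 1 - a - d) % ell == 0  # ell | N_E = q + 1 - T_E
    return hits, total

def lenstra_genus1(ell, q):
    """Closed form of slides 9/16: ell/(ell^2 - 1) if q = 1 mod ell, else 1/(ell - 1)."""
    return Fraction(ell, ell**2 - 1) if q % ell == 1 else Fraction(1, ell - 1)

def lenstra_genus2(ell, q):
    """Closed form of slide 28 for P(ell | N_H), f(x) drawn from H6."""
    if q % ell == 1:
        return Fraction(ell * (ell**4 - ell - 1), (ell**4 - 1) * (ell**2 - 1))
    return Fraction(ell**2 - 2, (ell**2 - 1) * (ell - 1))

def det_mod(M, ell):
    """Leibniz-formula determinant of a small square matrix, reduced mod ell."""
    n, total = len(M), 0
    for perm in permutations(range(n)):
        inversions = sum(perm[i] > perm[j] for i in range(n) for j in range(i + 1, n))
        term = (-1) ** inversions
        for i in range(n):
            term *= M[i][perm[i]]
        total += term
    return total % ell

OMEGA = [[0, 0, 1, 0], [0, 0, 0, 1], [-1, 0, 0, 0], [0, -1, 0, 0]]  # [[0, I], [-I, 0]] of slide 23
def is_q_symplectic(M, q, ell):
    """tM * Omega * M == q * Omega (mod ell), the slide-26 condition, with Omega expanded by hand."""
    for i in range(4):
        for j in range(4):
            s = M[0][i] * M[2][j] + M[1][i] * M[3][j] - M[2][i] * M[0][j] - M[3][i] * M[1][j]
            if (s - q * OMEGA[i][j]) % ell:
                return False
    return True

def count_gsp4(ell, q):
    """Brute force over all ell^16 4x4 matrices (practical only for ell = 2):
    (#{M in GSp4^{(q)}(Z/(ell)) : det(M - I) = 0}, #GSp4^{(q)}(Z/(ell)))."""
    total = hits = 0
    for flat in product(range(ell), repeat=16):
        M = [list(flat[4 * i:4 * i + 4]) for i in range(4)]
        if not is_q_symplectic(M, q, ell):
            continue
        total += 1
        M_minus_I = [[(M[i][j] - (i == j)) % ell for j in range(4)] for i in range(4)]
        hits += det_mod(M_minus_I, ell) == 0   # ell | N_H = det(F - I)
    return hits, total

if __name__ == "__main__":
    print(count_gl2(3, 2), lenstra_genus1(3, 2), count_gsp4(2, 1), lenstra_genus2(2, 1))
```

For ℓ = 2 and odd q the 4×4 search returns 416 of 720, i.e. 26/45, the H6 value of slide 19.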

SLIDE 29

Galbraith-McKee conjecture in genus 2

Notation:

P1(p) = P(random number in generalized Hasse interval is prime). P2(p) = P(NH is prime).

Same heuristics yield (suppose again q = p prime):

Conjecture: Let

$$c_p = \frac{38}{45} \cdot \prod_{\ell > 2} \left( 1 - \frac{1}{(\ell - 1)^2} + \frac{1}{(\ell - 1)^2} \cdot \frac{\ell}{\ell^2 - 1} \right) \cdot \prod_{\ell \mid p - 1,\ \ell > 2} \left( 1 + \frac{1}{(\ell + 1)(\ell - 2)} - \frac{1}{(\ell + 1)(\ell - 2)} \cdot \frac{\ell^4 - 2\ell^3 + 2\ell^2 - \ell - 1}{\ell^5 - 2\ell^4 + \ell^2 - \ell + 3} \right),$$

then $\lim_{p \to \infty} \left( P_2(p)/P_1(p) - c_p \right) = 0$.

Now cp ∈ [0.63, 0.80].
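Added example, not part of the talk: the Galbraith-McKee constants c_p of slide 11 (genus 1) and slide 29 (genus 2, f(x) from H6) computed from their closed forms, and checked against the slide-10 quotient ∏(1 − P(ℓ | N))/(1 − 1/ℓ) built directly from the Lenstra-type probabilities of slides 9 and 28. The products are truncated at a prime bound (my assumption; the slides take limits), and the `odd_divisors` argument stands in for the odd primes dividing p − 1.

```python
from math import prod

def odd_primes_up_to(bound):
    """Sieve of Eratosthenes; returns the odd primes <= bound."""
    sieve = bytearray([1]) * (bound + 1)
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    return [n for n in range(3, bound + 1, 2) if sieve[n]]

def p_ell_divides(ell, q_is_1, genus):
    """Lenstra-type P(ell | N): slide 9 (genus 1) or slide 28 (genus 2, f from H6).
    q_is_1 means q = 1 mod ell, i.e. ell | p - 1 when q = p is prime."""
    if genus == 1:
        return ell / (ell**2 - 1) if q_is_1 else 1 / (ell - 1)
    if q_is_1:
        return ell * (ell**4 - ell - 1) / ((ell**4 - 1) * (ell**2 - 1))
    return (ell**2 - 2) / ((ell**2 - 1) * (ell - 1))

def ratio_from_lenstra(odd_divisors, genus, bound=10**4):
    """P2/P1 as the slide-10 quotient of Euler-type products, truncated at bound:
    prod over primes ell of (1 - P(ell | N)) / (1 - 1/ell). For odd p, 2 | p - 1 always;
    odd_divisors is the set of odd primes dividing p - 1."""
    factors = []
    for ell in [2] + odd_primes_up_to(bound):
        q_is_1 = ell == 2 or ell in odd_divisors
        factors.append((1 - p_ell_divides(ell, q_is_1, genus)) / (1 - 1 / ell))
    return prod(factors)

def c_p(odd_divisors, genus, bound=10**4):
    """The rearranged constant c_p of slide 11 (genus 1) or slide 29 (genus 2, H6)."""
    if genus == 1:
        lead = 2 / 3
        generic = lambda l: 1 - 1 / (l - 1)**2
        extra = lambda l: 1 + 1 / ((l + 1) * (l - 2))
    else:
        lead = 38 / 45
        generic = lambda l: 1 - 1 / (l - 1)**2 + (1 / (l - 1)**2) * (l / (l**2 - 1))
        extra = lambda l: (1 + 1 / ((l + 1) * (l - 2)) - (1 / ((l + 1) * (l - 2)))
                           * (l**4 - 2*l**3 + 2*l**2 - l - 1) / (l**5 - 2*l**4 + l**2 - l + 3))
    value = lead
    for ell in odd_primes_up_to(bound):
        value *= generic(ell)
        if ell in odd_divisors:        # the second product runs over ell | p - 1 only
            value *= extra(ell)
    return value

def interval(genus, bound=10**4):
    """Extremes of c_p: no odd prime divides p - 1 (infimum) versus every odd prime up to
    bound divides p - 1 (supremum). Slides: [0.44, 0.62] for g = 1, [0.63, 0.80] for g = 2."""
    return c_p(set(), genus, bound), c_p(set(odd_primes_up_to(bound)), genus, bound)

if __name__ == "__main__":
    for genus in (1, 2):
        print(f"genus {genus}: c_p lies in approx. {interval(genus)}")
    # Constructed example: p = 31, so p - 1 = 30 = 2 * 3 * 5.
    print(c_p({3, 5}, 2), ratio_from_lenstra({3, 5}, 2))  # equal up to rounding
```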

SLIDE 30

Imposing a rational Weierstrass point

Now, let us briefly discuss the case where f(x) is chosen from H5 = { f(x) ∈ Fq[x] | f(x) monic, square-free, of degree 5 } uniformly at random. This is often preferred in practice. As we’ve seen, P(2 | NH) increases from 26/45 to 4/5. . .

What about odd primes ℓ?

SLIDE 31

Imposing a rational Weierstrass point (skippable)

Fact: there exist subsets W0, . . . , Wr ⊂ $\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(2))$ such that F ∈ Wi if and only if H has i rational Weierstrass points. The proof uses an isomorphism Sym{W1, . . . , W6} ≅ Sp4(Z/(2)).

SLIDE 32

Imposing a rational Weierstrass point (skippable)

Let n ∤ q be odd and F ⊂ $\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(n))$ be an orbit. Is

$$P(\mathcal{F}_H = F) \approx \frac{\#F}{\#\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(n))}\ ?$$

It suffices to prove this for f(x) randomly chosen from

$$\mathcal{H}_5^{(i)} = \{\, f(x) \in \mathbb{F}_q[x] \mid f(x) \text{ monic, sqf, deg } 5, \text{ with } i\ \mathbb{F}_q\text{-roots} \,\}$$

for i = 0, . . . , 5, since these partition H5. . . . and even from

$$\mathcal{H}_6^{(i)} = \{\, f(x) \in \mathbb{F}_q[x] \mid f(x) \text{ sqf, deg } 6, \text{ with } i\ \mathbb{F}_q\text{-roots} \,\}$$

for i = 1, . . . , 6, since the classical swipe-a-point-to-infinity relation $\mathcal{H}_6^{(i)} \to \mathcal{H}_5^{(i-1)}$ is generically uniform.

SLIDE 33

Imposing a rational Weierstrass point (skippable)

Thus: estimate P(FH = F | FH,2 ⊂ Wi) in the old H6-sense. Since n is odd, Chinese remaindering gives

$$\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(2n)) \cong \mathrm{GSp}_4^{(q)}(\mathbb{Z}/(n)) \oplus \mathrm{GSp}_4^{(q)}(\mathbb{Z}/(2)).$$

We can rewrite

$$P(\mathcal{F}_H = F \mid \mathcal{F}_{H,2} \subset W_i) = \frac{P(\mathcal{F}_H = F \text{ and } \mathcal{F}_{H,2} \subset W_i)}{P(\mathcal{F}_{H,2} \subset W_i)} = \frac{P(\mathcal{F}_{H,2n} \subset F \oplus W_i)}{P(\mathcal{F}_{H,2} \subset W_i)}.$$

By the random matrix statement, we have

$$P(\mathcal{F}_{H,2n} \subset F \oplus W_i) \approx \frac{\#(F \oplus W_i)}{\#\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(2n))} = \frac{\#F}{\#\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(n))} \cdot \frac{\#W_i}{\#\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(2))}$$

and

$$P(\mathcal{F}_{H,2} \subset W_i) \approx \frac{\#W_i}{\#\mathrm{GSp}_4^{(q)}(\mathbb{Z}/(2))}.$$

Taking the quotient gives the requested result.

SLIDE 34

Imposing a rational Weierstrass point

Taking f(x) from H5 only affects P(NH is even). Conclusion: same Galbraith-McKee generalization, with cp replaced by (9/19) cp ∈ [0.30, 0.38].

SLIDE 35

Contents

1. Alternative heuristics for Galbraith-McKee (genus g = 1)
2. Adaptation to genus g = 2
3. Asymptotics for g → ∞
4. Concluding remarks

SLIDE 36

g → ∞ (slides 36–38)

Asymptotics for g → ∞

Let f(x) be chosen from H6 = { f(x) ∈ Fq[x] | f(x) monic, square-free, of degree 2g + 2 } uniformly at random and let H : y² = f(x). Let FH ⊂ $\mathrm{GSp}_{2g}^{(q)}(\mathbb{Z}/(n))$ be the orbit of Frobenius of H.

Quasi-theorem: Let F ⊂ $\mathrm{GSp}_{2g}^{(q)}(\mathbb{Z}/(n))$ be an orbit. Then

$$\left| P(\mathcal{F}_H = F) - \frac{\#F}{\#\mathrm{GSp}_{2g}^{(q)}(\mathbb{Z}/(n))} \right| \le \frac{C(g)\, n^{?(g)}}{\sqrt{q}}.$$

This is likely to follow from:

  • A Chebotarev-like statement applied to Ag[n] → Ag[1];
  • Katz-Sarnak equidistribution as elaborated by Achter, currently modulo some hypotheses.

SLIDE 37

Asymptotics for g → ∞

A recursive formula due to Achter-Holden allows us to count

$$\#\{\, M \in \mathrm{GSp}_{2g}^{(q)}(\mathbb{Z}/(\ell)) \mid \det(M - I) \equiv 0 \,\}$$

for g = 2, 3, 4, 5, 6, . . .

Seemingly, the proportion converges to (and fluctuates around)

$$\begin{cases} 1 - \varphi(1/\ell) & \text{if } q \not\equiv 1 \bmod \ell \\[6pt] 1 - \dfrac{\varphi(1/\ell)}{\varphi(1/\ell^2)} & \text{if } q \equiv 1 \bmod \ell, \end{cases}$$

where $\varphi(q) = \prod_{j=1}^{\infty} (1 - q^j)$ is the Euler q-series.

SLIDE 38

Asymptotics for g → ∞

Applying our heuristics gives the following limiting Galbraith-McKee interval:

$$\left[ \frac{\varphi(1/4)^{-1}}{\prod_{k=2}^{\infty} \zeta(k)},\ \frac{1}{\prod_{k=1}^{\infty} \zeta(2k + 1)} \right] \approx [0.63287,\ 0.79353].$$

Genus 2 is actually the least deviating case!

SLIDE 39

Contents

1. Alternative heuristics for Galbraith-McKee (genus g = 1)
2. Adaptation to genus g = 2
3. Asymptotics for g → ∞
4. Concluding remarks

SLIDE 40

Concluding remarks (slides 40–41)

Concluding remarks

  • Generalizable to arbitrary fields (include supersingular cases).
  • Generalizable to P(NH is prime up to a given cofactor).
  • Adaptable to #H(Fq) instead of #Jac(H)(Fq), but no nice formulas (matrix count involves non-rational varieties).

SLIDE 41

Concluding remarks

Thanks for listening!
