>> Kristin Lauter: Okay. So today we're very pleased to have Professor Peter Stevenhagen here visiting from the University of Leiden where he's chair of the math department. And we're especially pleased to have had two of Peter's students also here, Reinier Broker and Marco Streng, who was an intern last fall. Peter is an expert on many aspects of algebraic number theory. He has written about Hilbert's 12th problem and has produced a collection of surveys in number theory which will be of great value to the community, I'm sure. So today he's going to talk about constructing abelian surfaces with a given number of points. Thanks, Peter.

>> Peter Stevenhagen: Thank you, Kristin. I'm happy to be with Microsoft. First time, so thanks for the invitation. And this talk is actually part of a set of two talks, since later this afternoon Everett Howe will be separately announced, I suppose. He'll also give a talk on a similar topic. So I'm supposed to set the stage for the things he'll be saying at the same time as telling about the result which is sort of the main thing in this talk. So we are looking -- we'll be looking at some kind of inverse problem to point counting. So point counting means we will be working with varieties defined over finite fields. So all the time I will be working with finite fields F, and I'll specify their order later on; it will be a finite field. Most of the time later on it will just be the prime field FP. And given a variety over a finite field, so V over F is a variety, and usually when I say variety I mean something like a smooth projective variety, so described by algebraic equations. Smooth projective variety. Then such a thing will have a number of points living in projective space, so what you can do for all these Vs, you can count the number of points. So that's the point counting map, point counting, and then you get a non-negative integer, so V will be sent to its set of points defined over the finite field F.
That's the set of points and it has a cardinality which I will briefly refer to just as the order of the variety over that finite field. So if I simply say order of the variety, I mean its number of points over that finite field F. So this is point counting. And the problems I will be looking at, and Everett will look at as well this afternoon, are some kind of inverse to this. Namely, first of all, you can ask, given a variety, how do you efficiently count its number of points? So efficiency will of course be the point, since all these problems will be finite. I mean, given the finite field there's a -- if your space is of finite dimension there are only finitely many points and you can simply count how many points there are. So actually finding an algorithm is never a problem, but doing it efficiently, as we will see, is much harder. So the inverse problem which we will be looking at: can we go back? That's sort of the central topic this afternoon. Can we produce varieties having a specific number of points? And usually you want to go back, so that's -- so that's sort of an explicit construction map. The other question is, given an integer N, a non-negative integer, positive usually, the question is can you find a variety having that many points? And usually you want more conditions on the variety, so for the inverse map usually we won't be working with all varieties, but we will specify -- well, say type X, an additional condition, so you should think of X as referring to, for instance, additional conditions [inaudible] you might specify. The dimension of your variety, say I want curves or surfaces or whatever. Fix the dimension. Otherwise usually the problem becomes too easy, since any number, of course, if you have complete freedom, is easy to realize as the point set of some kind of curve. If you want [inaudible] curve it is sort of easy, fixed dimension, or if I go for curves then a specific genus. And in fact, we won't do the full generality today.
We'll mostly be speaking on genus 2, curves of genus 2 and their associated Jacobians, which are the abelian surfaces occurring in the title of my talk. And as I said, the whole problem is doing things efficiently, so we want efficient algorithms. And efficient has two meanings. It has a practical meaning, sort of if I can -- if I give you a number N that you can sort of in a short time actually use a computer and find the solution to the problem, so it means practical. It also has a theoretical meaning of polynomial time. And I won't take a very strict polynomial time computer science meaning, in the sense that if it's heuristic, heuristic polynomial time, we're usually just as happy. So we won't often insist on proving that the thing is polynomial time, for reasons that I will explain, but if I can sort of explain why it should be polynomial time and it behaves fine in practice, then for our purposes it will be good enough today. Okay. So this is the general setting. And as I said already, usually in going back you want to specify which category of variety you're looking at. And dimension is the first obvious thing. So if you start from the beginning, you would say look at curves. Can you produce curves over finite fields having so and so many points? And first of all it will of course depend on the cardinality of the finite field. So usually if Q is the cardinality of your finite field and the dimension of your variety is D, then the point sets will be of order roughly something like Q to the D. And in practice if you want to solve this problem for all N, as we will, that means that we will almost always be restricting to prime fields. There are very many primes among your -- the set of all positive integers. But if you look at prime powers, that's a very thin subset, and usually you won't realize too many Ns using Fs of true prime power cardinality.
So most of the time those people don't like arbitrary finite fields; most of the time F will in fact be a prime field, FP. Okay. So let's look at our problem. The case of curves, curves -- well, you can specify the complexity of a smooth projective curve by saying what the genus is going to be, and the genus is a non-negative integer. For genus 0 you're looking at conics, and for conics there isn't much going on. They tend to have P plus 1 points; they just look like P1s if they have points at all. So the first interesting case, and that's a very important case, the first interesting case for us which will also be the motivating example to use in all genus 2 constructions, is the interesting case where you look at curves of genus 1. So that basically means we're looking at elliptic curves. So that's the elliptic curve construction problem, elliptic curves. Efficient. If I say polynomial time, then you see that you have to bound the runtime of the algorithm you're going to give in terms of the length of the input, and the input in the case of the reverse arrow here is just an integer, so the size of the input is just log N. And how many bits does it take to specify the output? Well, usually if you have a specific type X kind of variety you're just writing down a number of equations, so for elliptic curves the typical equation, if you choose your model in the standard [inaudible] way, for instance, then an elliptic curve for most cardinalities looks like this, where A and B are in your finite field. So you see that what it takes to specify an elliptic curve is just two coefficients, two elements A and B from your finite field F. So the output size is, well, two -- it's two elements from F, and to specify an element from F you need log cardinality of F bits. So for the prime field your output size is something like log P.
So let me just say input size log N, output size something like log P, and since curves over FP have about P points, we'll be more precise later on, that is just roughly the same thing as log N. So small input, small output, and theoretically there's no restriction in the sense that it should be possible to find an algorithm, polynomial time in log N, that gives you an elliptic curve having N points. Okay. There's one important thing in going back for this arrow, that is the role of the finite field in the question. Since you can fix your finite field, there are two versions of the question, two different versions I should say. Namely, you can sort of fix your field from the beginning, and then you have a fixed finite field, and you can ask, given an integer N, can you produce, in this case, an elliptic curve having N points, of order N, over that finite field F. So for fixed F, that means given N you have to produce the appropriate elliptic curve over F. Or you can say, well, the input is only N, and I allow you freedom of choice in the finite field F. So allow the choice of F as part of the output. So that means that you have much more freedom. You can select your favorite field FP over which you're going to construct your elliptic curve. So clearly this is the easier problem of the two. And the results that we'll be describing occur in the thesis of Reinier Broker, and it's basically that if you fix your field F, so this is 1 and this is 2, in this elliptic case, I will explain why in 1 it's -- it's really hard. As far as we know, it's exponentially hard. Meaning that the best algorithms that we can think of are just exponential time.
And in the second case, if you allow freedom of the choice of your finite field F, then it's not quite polynomial time, but if N is provided in factored form, so that means that you get a factorization of N, factored form, because as you know, factoring N is something we don't know how to do in time polynomial in N, it's a hard problem, but if the input is given in factored form, then 2 is polynomial time, well, basically for all N, let me just say for almost all N. Almost all N, and "almost all" has a meaning that I will make precise a little bit later on; it's just the kind of result that you should think of. And of course this afternoon the main topic is, if you replace elliptic curves by curves of genus 2, then there will be two problems, namely my abelian surface problem and the genus 2 curve problem that Everett will speak on, and we will discuss results for both of these problems separately. As we will see, these problems are in fact rather different. Okay. So just in the elliptic case -- so in the elliptic curve case, just before I actually provide the solution, let me say what's going to happen in genus 2. The elliptic curve construction thing is just writing down this Y squared equation, so corresponding to Y squared equals X cubed plus AX plus B, there is this standard picture, and the reason that elliptic curves are in fact very popular is that in that case if you compute an elliptic curve and you take the set of points, E of F is in fact a group. As soon as you have a group, you have all kinds of cryptographic primitives like discrete logarithm problems; that makes elliptic curves in this particular case very popular. So in that case you also have sort of a strong reason to be -- to be willing to construct groups in that case for which the order is of some nice kind; for instance prime order is something you would like for discrete logs.
So rather than just being a pure mathematical question it also has a cryptographic reason for being interesting. And this being a group, that is something that becomes a little bit different if you go to higher genus. Being a group is caused by the fact that for elliptic curves, E can in fact be identified with its Jacobian. And the Jacobian is a thing that you can produce for any curve; that's always going to be a group. In this case it's the same thing. The Jacobian is a group that you can make out of a curve; the group of points, the set of points on a curve, is not naturally a group. You can look at the group it generates, just the free abelian group generated by the points. That's called the divisor group. So that's Div of E. And that's a huge group, which is much bigger than the group of points that you have here. If you mod out by principal divisors, so principal divisors are gotten by looking at functions on your curve, principal divisors on E, and you mod out by that subgroup and you look at the zero -- the degree zero part, you get this definition. This is a group by definition, where you created it, and in general the set of points maps into this group. For an elliptic curve it's in fact a bijection, since to a point you can associate the divisor class of the thing that you denote by P minus O. The point O is the projective point that never occurs on the E(F) picture; that's the point at infinity of the elliptic curve. That's what you take as the unit point, the zero point for the addition, and with that definition you see that there's a bijection between the points -- the set of points of an elliptic curve and the points of the Jacobian. And in fact it's an isomorphism of group schemes, so it's true if you leave out the base fields altogether. So genus 2 -- so this is the genus 1 case -- you get two problems. And these two problems are exactly the topics of this talk and the next talk.
So if your C is a curve of genus 2, you also have a map -- well, first of all, there's a similar model. Here we have a Weierstrass model; these curves are also hyperelliptic, they can be written in the form Y squared equals some polynomial. So they look like Y squared equals F of X, and now you take the degree of F, degree of F, which can be 3 or 4 in these elliptic models; it becomes 4 or 5 or 6 in the genus 2 case. We have to take separable polynomials. That's a detail. But usually they look like this. So the picture is a bit more complicated, it has more eggs up. That's a genus 2 curve. And its set of points doesn't form a group, but you still have exactly the same thing. You can map C using the point at infinity, which is again, looking in the picture, there's O of C, the unique point at infinity in the degree five example, and using that unique point you can map C into J, the Jacobian of the curve C, in exactly the same way. You can map a point on your curve to its divisor class, P minus O. But in that case it's not going to be an isomorphism of group schemes. C is not a group scheme at all. It will just embed the set of points in this group in this way. And this is the group, so from a cryptographic point of view, people tend to be interested in the Jacobian rather than in the curve itself. So this is the N -- the dimension is actually the genus of the curve, so in this case it's a two-dimensional abelian variety, it's an abelian surface. And just like the points on the elliptic curve look like P minus O with P ranging over the points of the elliptic curve, you can specify points on the Jacobian by taking sums of two points, P1 plus P2 minus twice the point at infinity; that's a degree zero divisor and these elements represent things on the Jacobian. As you see, it takes now two points, a two-dimensional thing, unlike the case of an elliptic curve where it's something one-dimensional, it's just the curve itself.
So my general problem in genus 2 sort of splits into two different problems. Namely, you can specify an integer N and ask for a genus 2 curve having exactly N points. That's the direct analogue of the elliptic question where you ask for an elliptic curve having exactly N points over some finite field. Or you could say, well, I want to do cryptography, I want to have a group, let's look at the Jacobian, and then the question becomes, given N, can you produce a genus 2 curve whose Jacobian has exactly N points over a finite field, which will usually then be FP again. So now we have -- let me erase this -- two different questions. So question one, given N find -- in fact, as I said, there are two questions. This is hard, so one is already too hard for elliptic curves, so we don't expect to be able to do it for genus 2 either, which is only more complicated, so one we will sort of leave out from now on. If I say realize N as an order, I do allow you the choice of the finite field in such a way that you can adapt it to your needs. So the second version of the problem is the thing we'll be looking at in the rest of this talk, and it will also be the approach Everett will be taking. So given N, rather than saying find C, I should say find the finite field, find F and C over F such that -- I should be more precise, I should say that's the problem. Both problems start like this, like this, where in version 1 you can ask that the number of points of C defined over F becomes equal to N, so it's curves of order N, or in the second one, if the Jacobian is denoted by J, you can ask for a curve that has the property that if you take the Jacobian and you count points you get a group of order N. And I will look at this problem in my talk, so this is for now, and this problem is the problem that Everett will talk about. And in fact Everett will have a positive result, and I will have a negative result.
But it's part of the same problem -- in fact, that's something I should have said right in the beginning, this all arises, this is all joint work with Kristin, Everett and myself, our San Diego project that is still unfinished but is getting close to some kind of answer. And the answer that we will give today is that for curves you can do it in many cases, and "do it" means that you find an efficient algorithm, again under the same conditions as in the elliptic case. In fact, the solution will be related to the elliptic case. And I will also show that for Jacobians, sort of the cryptographic case if you want, the answer is that we cannot do it efficiently, at least not using the methods that we have been using in the elliptic case, the CM methods that I will explain in a moment. So how do we attack the problem in the elliptic case, and in which way can we extend that attack to the genus 2 case? So in the elliptic case, first of all, I should of course observe that the problem being finite there should be an algorithm, so if you don't -- if you don't have to be efficient, how would you just do it if say P is small or N is very small? Yeah? So there's always a naive algorithm, where you just proceed by trial and error. Yeah? If you have an elliptic curve over a finite field, which will be FP for practical purposes since there are just many primes and not many prime powers, if you count the number of points of the elliptic curve over a finite field, then you will find an element in the Hasse interval around P. It will be in the interval P plus 1 minus 2 square root P, P plus 1 plus 2 square root P, and conversely any element in this Hasse interval arises as the order of some elliptic curve over FP. So the naive algorithm is just try random curves, so that means given N, you pick a prime such that N lies in this interval.
So if I call this Hasse interval around P H(P), so you -- yeah, you could say pick P such that N is in the Hasse interval around P. You can [inaudible] symmetrically: if you define H(P) for any integer P like this, N being in H(P) is exactly the same thing as saying that P is in the Hasse interval around N. Yeah?

>>: [inaudible].

>> Peter Stevenhagen: That's a problem. So you see, if you want to prove that around any integer there will be a prime which is no further than twice the square root from the integer N, you have to prove theorems on prime gaps. And as it happens, these theorems are currently too weak to prove that such a prime really exists.

>>: Don't you have gap cadence where the two H's aren't exactly -- [inaudible] makes the two conditions differently, P and Hasse N, there is a plus 1 there and of course the square root can be a little bit bigger than one than the other. So --

>> Peter Stevenhagen: This is exactly the same thing.

>>: It's exactly the same thing?

>> Peter Stevenhagen: Yeah. Yeah. This is the square root P minus 1 squared, and this is the square root P plus 1 squared. And if you write down the inequalities and you -- well, you get exactly the same condition. We will see in a moment why it is symmetric in P and N. So this is the practical problem, that you may not be able to find a prime which is sufficiently close to N. In theory. But as I said, I erased it already, I think, we will be practical. And from a practical point of view, you know from the prime number theorem that around N about one in log N integers is going to be a prime number. So that means in this interval there will be loads of prime numbers. And in practice if you pick random integers you will find a prime -- well, half the time log N, so to speak. So this being my practical approach, I'm happy if I have a big interval; if I can pick random integers they will be prime with probability 1 over log N. So that's an expected runtime, not a proven runtime.
And as I say, proving it is just way too harsh. You have to prove the -- you have to bound the gaps between prime numbers, which people cannot do. But that's something analytic [inaudible] we won't be bothered by too much. So if you do this, you pick your P such that it's in the [inaudible] around N, and then what you do, look at random elliptic curves E over FP, count the number of points on the elliptic curve, that is something that can be done efficiently, so use Schoof's algorithm, so in that case at least point counting is something we can do efficiently; you just count until you hit N. And if you look at the distribution of orders over these intervals, and you make sure that your prime is not too far from N, it's pretty much equally distributed. It's not exactly the case, it's more like a circular thing, but it means that for the expected runtime you just have an interval of length a multiple of square root P, and you have some integer N you want to hit, and that happens with probability 1 over square root P. So the runtime, runtime in that case is O -- well, square root P and square root N are of course the same thing, yeah, in the sense that P and N have the same order of magnitude as you see here, so P is roughly equal to N. That's what happens with curves. You see that the runtime becomes O of N to the one-half plus a little bit to do your Schoof counting. So that's the square root N algorithm, meaning that it's certainly exponential, and for large values of N it will work. At least it is a solution. It's a probabilistic algorithm. And let me compare it to a deterministic algorithm that will be used, and that requires a little bit of background in elliptic curves. Namely, if you want to count points that are defined over FP, then you have the map from the elliptic curve to itself; if E is defined over FP you have the map on points which, for affine points, just raises everything to the power P. That's the Frobenius. It's a map from E to itself.
It's an endomorphism with respect to the group [inaudible] E being defined over FP. And we are looking for points that have coordinates in FP, meaning that in fact they are being fixed by this Frobenius. So the set of points E over FP is the fixed points of Frobenius, and you can also phrase it a little bit more algebraically. Namely, Frobenius is an endomorphism, so you look at the ring of endomorphisms of this elliptic curve. Inside there is just multiplication by integers, any point you can just double it or triple it, so you get Z as a [inaudible], and you also have this Frobenius thing inside the endomorphism ring. And this -- the FP rational points, they just form the kernel of what people call 1 minus Frobenius; things that are mapped to 0 by 1 minus Frobenius, you're saying that the Frobenius of the point is just the point itself. And the way people approach all point counting for elliptic curves is by actually studying this, and more the endomorphism ring; that's also the case for Schoof's algorithm. And what you need to know then is that the Frobenius satisfies a quadratic equation. It's the characteristic polynomial of its action on the [inaudible] module if you want, but it just -- the only thing you need to know is that the polynomial looks like this. It's a quadratic polynomial, and it just means that this subring, so if pi is a zero of this imaginary quadratic polynomial, this -- yeah, so the discriminant will be negative, so delta, which is T squared minus 4P, would be a negative integer, and this ring generated by Z and Frobenius is just -- well, how do you want to write it? It's a [inaudible] quadratic ring. It looks like Z[(delta plus square root delta) over 2]. It's the quadratic order of discriminant delta.
And knowing what Frobenius is, what it generates, is exactly what you need to know, since if you want to look at the kernel of 1 minus Frobenius, then you look at -- so usually the Frobenius which is in here will correspond to an element in this quadratic order that people call pi; that's the associated Weil number, it's the zero of this polynomial, so that's (T plus square root delta) over 2. And what we're looking at is just the kernel of multiplication by 1 minus pi, and the theory tells you that the number of elements in this kernel, that's the order of the elliptic curve over FP, is what you get as the norm of this 1 minus Frobenius, the element 1 minus pi, and that's just saying it's 1 minus pi times its complex conjugate. And pi times pi bar is P, as you see; it is the product of the two roots of the quadratic polynomial, so you'll find P plus 1 minus (pi plus pi bar), and pi plus pi bar, that's the integer T called the trace of Frobenius, the trace of the quadratic integer pi, and as you see T squared is no more than 4P, so this deviation from P plus 1 is at most twice the square root of P, and that's exactly what you find in the Hasse bounds for elliptic curves. Okay. So point counting just amounts to analyzing what Frobenius does, and it's the same thing, so to speak, as computing the element pi in the endomorphism ring as an imaginary quadratic element. And the reason that everything is symmetric in P and N, to come back to your question, is the way P and N arise: P is pi pi bar, and if N is the order, so if N is the order of the elliptic curve, then you see that N is (1 minus pi) times (1 minus pi bar), so it means that N can be written as nu times nu bar where pi plus nu equals 1. So that's completely symmetric in P and N. Here I'm just writing that nu is in fact 1 minus pi and that's the identity. Okay. So, so much for point counting.
So that just means that what you want to do is analyze the Frobenius element, and constructing an elliptic curve with a given number of points just amounts to writing down an elliptic curve for which the Frobenius is some prescribed element pi giving rise to the right equations. So to construct an elliptic curve with a given number of points, what do you need to do? You have to construct an elliptic curve for which you can say something on the associated [inaudible] number pi. In fact, these are the equations that you try and solve in the quadratic order of delta where everything is taking place. Let me see how much of this I want to give. Basically the method that is used to produce elliptic curves deterministically is called complex multiplication, CM, and what it does is that rather than writing down the elliptic curve in characteristic P right away over FP, it creates the elliptic curve with the right endomorphism ring over the complex numbers, finds it to be algebraic and reduces it [inaudible]. So it's a big detour. So find E with the endomorphism ring of E equal to the right thing, O delta, since given your input, so if you have an N and a P, and you want to realize an elliptic curve having N points over FP, you see from this equation that N equals P plus 1 minus T, so that gives you the desired trace of Frobenius, and then you see that delta, which is T squared minus 4P, is the order in which everything is going to happen. So then this ring O delta is where you need to find your pi and nu. I'm not going to specify in much detail how that happens, but given this ring, you can write down a finite list of elliptic curves for which the endomorphism ring is actually equal to O delta. They correspond by the complex analytic theory to the ideal classes of this order. That's because over the complex numbers you can make elliptic curves as C modulo lattices, and these lattices are exactly the ideal classes for the order O delta.
So what you do is you write down the j-invariants of the associated elliptic curves. That's just an expression in terms of the As and Bs that gives you the isomorphism class of elliptic curves. So you find them over C, that is, their j-invariants. These are complex numbers, but in fact they are algebraic, since it turns out if you take the polynomial which has all these j-invariants of elliptic curves as its roots, all j-invariants of elliptic curves E up to isomorphism, complex analytic, for which the endomorphism ring is isomorphic to O delta, then you get only finitely many, as the isomorphism classes correspond to the class group here. It's called a class polynomial, the Hilbert class polynomial of the order O delta; that would be called H delta, and it will be a polynomial in Z[X]. That's the algebraic property of the whole thing. These complex numbers are in fact algebraic numbers, they're algebraic integers, and once you're here, you can reduce everything mod P, pick a root that's going to be your j-invariant over FP, and you simply write down the elliptic curve. So reduce mod P, and take E over FP, maybe E bar if you want, such that its j-invariant is a root of this polynomial H delta mod P. It will always be in the prime field FP, and you've got your elliptic curve. It's a very nice deterministic algorithm, and the only problem is that you have to compute this polynomial, and it's a huge polynomial; its degree is about square root delta, its coefficients are of size square root delta. This takes time just to compute the thing, it takes time big O of delta, in fact absolute value of delta, delta being negative. And the problem is, if you now look at what your delta was, T is something, can be anything, small but at most 2 square root P, T squared minus 4P is something of order P, which means of order N. And that means that this very nice algorithm has runtime something like big O of N.
And the conclusion is that this mathematically better algorithm behaves awfully in practice, since the naive thing was only square root N. And this better algorithm is just N itself. So it's not going to work unless you do something tricky, and that's what occurs in Reinier's thesis. Namely, you reverse your point of view a little bit, rather than picking your P close to N and just taking any T that happens to come out. The reason it doesn't work is that delta will be too large. You just reverse your whole thing, you say let delta be small. So you take your order as small as possible in such a way that you can find a prime such that these equations hold. What does it mean? You just take the smallest delta for which you can factor N into two elements in O delta. So that's Reinier's approach, Broker's theorem if you want, approach, whatever, approach: find the minimal O delta such that you can factor your N as nu times nu bar in O delta. That means you have to factor the integer in this quadratic order, not just into ideals, but principal ideals, and the norm of 1 minus nu, 1 minus nu is the thing that I call pi here, that's the thing that has to give rise to P. That should be the prime number. It's a prime number P. If you approach it this way, you analyze it, you find that actually delta is going to be no more than the square of the logarithm. So the minimal delta is expected to be big O of the square of log N, so it's going to be polynomial time. Since delta determines the runtime, it's going to be big O of delta; if delta is something which is a power of log N, you're fine. And if I say expected, I mean that there's a heuristic analysis of exactly the kind "one out of every log N numbers near N is prime". That kind of argument gives rise to this theorem. Okay. So here's the approach that works in genus 1, and the question is can you generalize this somehow to genus 2 for these two examples? So that means that you have to generalize the elliptic theory to the genus 2 case.
And what I wrote down here is also true for genus 2 curves, only the Frobenius lives in a ring which is a little bit bigger. It's exactly the same kind of argument: you look at Frobenius, it's an endomorphism of the Jacobian, and its characteristic polynomial, so genus 2. You also have point counting on the curve and its Jacobian, which is the same thing basically as determining the very number pi that is the root of the characteristic polynomial of Frobenius. So determining the characteristic polynomial of Frobenius. >>: Excuse me. >> Peter Stevenhagen: Yeah? >>: [inaudible]. >> Peter Stevenhagen: You mean prime proving? >>: [inaudible]. >>: [inaudible] approach just the complex analytic [inaudible]. Just the fact that you use -- once you determine the delta, then you use the what is called the [inaudible] approach to detect [inaudible]. >> Peter Stevenhagen: Oh, yeah. That's a very classical algorithm. So this computing H delta from delta, that is the classical complex multiplication algorithm that was also used by [inaudible]; that is basically 19th century. Yes? >>: [inaudible] numbers of [inaudible]. >> Peter Stevenhagen: Yeah. But it's only efficient if delta is really small. See, the runtime is O of delta. So that means you can only do it if your delta is going to be -- yeah. So the reason that -- so the method is not new in the sense that it's just complex multiplication, but the way you approach it is not by selecting, picking your prime and doing it for N over that P; that's the hard problem, given order for a fixed field FP. You sort of select your P as it comes out of this analysis of the small O delta. So you have to factor N, that's the reason, factoring N into principal ideals, that's something you have to check efficiently again, and then this is just sort of a random number, and as soon as it is going to be prime you have found your P. That's the way the algorithm works. And the hope is of course you can do the same thing in genus 2.
So that means that this theory now tells you that rather than looking at a quadratic polynomial that gives rise to everything, there's a degree 4 polynomial, so the polynomial now looks like X to the 4 minus A X cubed, something like this. It is somewhat symmetric like this, P square. And once you have this characteristic polynomial of Frobenius, you know everything there is to know about C and J, namely then the order of C over FP becomes P plus 1 minus A, with A the trace of Frobenius, just as before. And the order of the Jacobian, a surface over FP, its order is in fact what you get if you plug in -- if this polynomial is F, we compute F of 1, which is the norm of, where all the [inaudible] careful, basically of 1 minus pi, in the generic situation where pi is the root of this polynomial; so generically this will be irreducible, then Q of pi is a field of degree 4. It's a CM field, meaning it has a unique real quadratic subfield K plus, and there's Q; these are quadratic extensions, with K plus being Q of pi plus pi bar. Now the norm of 1 minus pi, which is an element -- well, something close to P squared; these As and Bs are again something very bounded, just like here the T, the trace of Frobenius, is at most 2 square root P; similarly here you have that A is no more than four times square root P and B is something close to 2P, no more than I think 4P away from it. So the order you get if you plug in X equals 1 is roughly P square. And here is the deviation. This is of order P square. Order of magnitude. That's because this is a curve and this is a surface. So that means both for Everett and for my problem we need to find suitable prime numbers giving rise to things that have the right number of points, either on the curve or on the Jacobian. So either you want this to be equal to N or you want this to be equal to N. And I want to focus on the case where you want to fix the number of points on your Jacobian, so you want 1 minus pi to have norm equal to N.
And then I will show that if you do that by complex multiplication, which is the only algorithm we can hope to sort of generalize this Broker approach with, that will be intrinsically exponential. So -- and I will explain why. So: the CM approach to realizing N as the order of the Jacobian over some prime field FP. Well, what do you need to know? All the things that's generalized if you want [inaudible] CM construction, now you have to do it for genus 2, and the theory -- well, if you attended the talk by Marco Streng, I think you heard more about it, but it takes a talk by itself, so let me just say that rather than computing this Hilbert class polynomial, in genus 2 there are in fact three polynomials, the moduli space is 3-dimensional, and these polynomials are called Igusa class polynomials. So I'm not going to explain it in any detail. So rather than finding an elliptic curve with a given endomorphism ring, the theory that finds you an elliptic curve now finds a curve C of genus 2 such that the endomorphism ring of the Jacobian is whatever it should be, some order O, and O is now an order in the quartic field, so if you want the ring of integers or an order in this K; it can be done in a similar way, and the runtime will also be exponential in this [inaudible]. In the case of the classical [inaudible], it's really big O of D, it's sort of sharp: the size of the output is what it takes to compute the whole stuff. Here it's not as sharp. Your discriminants -- well, I guess Everett will tell you more about discriminants, so as you can see it has a quadratic subfield, so in fact there are two discriminants, there's a discriminant of K plus, and you can write delta K as the delta of this K plus times something else that you can call delta minus. And the runtime will be exponential in delta. Marco Streng proved that it can be bounded by some power of delta K; I think he proves seven halves. That's a highly non-trivial theorem. That's Marco Streng's result. It's big O. This is an upper bound.
And it is at least -- since now, in the case of the Broker result, you prove that something is efficient, you just need an upper bound on how difficult something is. If you want to show that something is really difficult, you need a lower bound on the runtime, and a lower bound on the runtime, if you look at it in a similar way, and similar means that rather than going down the Hilbert class polynomial, you need to think of the Igusa class polynomial; so there's something, there are in fact three of them, but each of them is associated to the ring of integers of the number field K, O K, and these Igusa class polynomials, their degree equals delta minus. And that's the delta minus that you find here as a factor of the discriminant, but since delta minus is in fact a multiple, maybe not N, so a multiple N, times the delta of K plus, you see that delta minus is so to speak the bigger factor of delta K, so it's at least the square root. So it's at least the degree of the Igusa polynomial, Igusa class polynomial, which is roughly speaking delta minus to the one half, and that's at least delta K to the one-fourth. So the runtime is bounded by delta K to the seven halves, and there's also a lower bound, which is at least a fourth root of delta K. >>: Do you not on the left [inaudible] minus class number, and that's about the square root of delta minus? >> Peter Stevenhagen: Yes. And this was a shortcut just to say that it's roughly equal to this delta minus. >>: [inaudible]. >> Peter Stevenhagen: The far left. Oh, this -- it is the class number, and the class number is roughly equal to delta minus. The square root of delta minus. Yeah. Sorry. >>: So [inaudible]. >> Peter Stevenhagen: Sorry? >>: [inaudible]. >> Peter Stevenhagen: Yeah. So in the [inaudible] case you have to list the ideal classes of your quadratic order, right? >>: [inaudible] a similar way of [inaudible]. >> Peter Stevenhagen: Yes.
Similar way means that you have points in the [inaudible] space, it's now a two-dimensional thing where you evaluate certain transcendental functions like the j function, and these give you the roots of the Igusa class polynomial. So it's a complex approximation. And the polynomial in the end is going to be algebraic, it has rational coefficients. So you approximate them as complex numbers. You do so well that you recognize the fractions. It's pretty non-trivial since these are huge polynomials, but it can be done. And well, the non-triviality sort of is visible from the seven halves. It takes a lot of time to do this, also in practice. And it's also much more recent in the sense that people now start doing this; there are databases. David Kohel has a huge website which lists these Igusa class polynomials, whereas the classical ones you find in Weber more than 100 years ago. Okay. So there's a lower bound for the CM algorithm, and the question I want to ask -- well, answer in the last few minutes is why, unlike the elliptic case, won't it be possible to do it with a discriminant which is bounded by some power of log N? That's what you would like in order to get a polynomial time, or at least heuristically polynomial time, algorithm. And the reason that it doesn't happen is basically because there are not sufficiently many of these Ks, and another way to say it is that for the curve case P and N are of the same size. For the Jacobian, you see that P square is close to N, so P can be no more than square root N. And that's going to kill you in the following way. So the question is which Ks can be used, the small Ks, to give rise to a given N? So to realize all N up to some bound by CM methods, the CM method meaning that you find a number pi in such a way that the norm of 1 minus pi is N, how many Ks will we need? Well, any K, that's from step 1, any K has no more -- well, how many numbers pi can you find such that the norm of 1 minus pi is going to be N and N is below B?
Well, then you need primes of norm no more than square root B. And by the prime number theorem for the number field there will be no more than, up to a log, square root B of them. So there are no more than B to the one half, well, times log B if you want, numbers pi with norm of 1 minus pi below B. So that means that one field K only gives rise to this many prime numbers at most, and that's an upper bound. So to do all the Ns up to B, you will need very many. So to realize all these N up to B, you see that we'll need at least square root B times log B different number fields, different CM fields K. And the question is, if you have that many different CM fields K, how large will their discriminants be? So it means, just like for quadratic fields, you want to know how many there are for which the discriminant is bounded. Well, in the quadratic case it's fairly easy, that's sort of a linear thing, since you just take number fields, the deltas are essentially the square-free numbers, and the number of square-free numbers up to some bound grows linearly in B. Something similar holds for CM fields, but it's much harder to prove. Let me do that here. There's a theorem of Cohen and two other people from Bordeaux, Diaz y Diaz and Olivier, from 2000 something, 2, somewhere around there. If you count the number of CM fields K, so K quartic CM, of discriminant no more than some bound B -- we should call it X, it's not the same B as there -- if you count those, then asymptotically this behaves like a constant, a very inexplicit constant that you can compute, times X. So just like in the quadratic case there is linear growth. If you bound the discriminant by X you get a multiple of X, that many number fields. So it's the same kind of result as for quadratic fields. There it's easy, you just count basically square-free numbers and get something involving pi and zeta of 2, times X. The same theorem holds here.
And that means that if you take at least so many fields, then the discriminant has to grow also like square root B. So you will need -- we'll need K with discriminant at least square root B. Let's just forget about the log. Not so interesting. And if you now look at the runtime, if you do CM for such a K, which you will need if you want to do all the Ns up to B, you see that the runtime for such K, the runtime will be at least -- well, we had [inaudible] here, the runtime, oh, I erased it. Well, the runtime, let me repeat it, the runtime was at least the discriminant delta K to the one-fourth. So it means that in this case you get at least B to the one-eighth. So that means that it will be exponential in terms of the bound. So if you want to do all Ns up to the bound, then you get at least some positive power of N. This is a somewhat weak result, as you see that there are various steps where I've been a little bit sloppy. In fact, since the runtime, the lower bound, is just given in terms of delta minus, it would be better to prove a theorem that replaces delta K by delta minus. And if you do that, then at least Cohen says that you get something; if you do this, then you get times log X. So bounding delta minus gives something which is a little bit more than linear, but only by a logarithmic factor. And if you do that here, then you conclude that the B to the one-eighth is in fact at least B to the one over four. So it's even more exponential than the first version, and even that is sort of bad in the sense that the lower bound is really a lower bound, as it only uses the degree of the Igusa class polynomial, and in practice [inaudible] computation with the Igusa class polynomials. They're huge. So the size in fact should be much bigger than the square root of delta minus. But it's hard to prove upper bounds for these coefficients, just like in the case of the Hilbert class polynomials. For all we know they might be sparse. And many [inaudible] could be zero. That never happens.
But proving it is very difficult, for all I know. Okay. So this is an example where a problem is just too hard to do by CM methods. So a negative result, and there will be a second talk and a positive result. Thank you. [applause]. >> Peter Stevenhagen: No questions? Well -- yes? >>: [inaudible] occurred in 1960s. >> Peter Stevenhagen: You mean for elliptic curves or genus 2 curves or [inaudible]? >>: Are there [inaudible]. >> Peter Stevenhagen: Well, in the elliptic case -- well, you see, for elliptic curves the order of the curve is in fact the norm of the element, so you would expect that if your number is highly composite, there are potentially more elements that would have that norm. If you want prime order, then there has to be a prime in your quadratic order. So I would guess that prime order is relatively -- there are not as many, so 1915 is not a prime order, so it's hard to compare to 1916 from that point of view. Maybe 1917 is prime. >>: [inaudible]. >> Peter Stevenhagen: Neither is prime. Exactly. But I would guess that it depends on the smoothness of the number. >>: I would expect heuristically that if you're looking at elliptic curves you would get roughly N elliptic curves over some field that have [inaudible] points. >> Peter Stevenhagen: Depending on what you fix, right? If you -- yeah. You can ask the oldest question, you can ask it in various ways: you want to fix a field and then ask how many curves are there over that field with so many points, or where you fix your -- huh? >>: [inaudible]. >> Peter Stevenhagen: And for genus 2 it's a difference, because the number of points on the curve is not the norm, all right, so it's [inaudible] structure, and I think it shouldn't make a big difference. I mean trace reserve properties. >>: [inaudible] but is the number of points on the curve rather than the Jacobian [inaudible] used in [inaudible]? >> Peter Stevenhagen: No, it's not a group. So it's not yet used in crypto, I should say. >>: [inaudible].
>> Peter Stevenhagen: It's very safe against the discrete logarithm [inaudible]; there is no group. There is no discrete logarithm. >>: [inaudible]. >> Peter Stevenhagen: But it also is -- yeah, yeah. Yeah, so cryptographically speaking the number of points on the curve is maybe -- well, that's your topic. You should sort of [inaudible]. I shouldn't say it's useless. It's a beautiful question; if you want, it's a more natural one, right, elliptic curves, genus 2 curves. It's only because of crypto that you want to look at Jacobians. What can I say? >>: Yeah. >> Peter Stevenhagen: Okay. >> Kristin Lauter: More questions? Well, we're going to go and have some coffee in the cafe area with Peter before Everett's talk. So let's thank Peter again. [applause]