
>> Kristin Lauter: Okay. So our next talk will be given by Francois Morain from Ecole Polytechnique in France. Francois is well known for his work on the elliptic curve primality proving algorithm and has held many world records, probably still does. And today he will speak to us on elliptic curves with complex multiplication, history and computations.

>> Francois Morain: Okay. Thank you, Kristin. So thank you for inviting me. Thank you for putting my talk in a decent time period because as you can imagine, we are all jet lagged. And so just after my talk probably I will go to sleep and so on and so on.

So welcome back to the jet lagged session. And the last [inaudible]. And so I'm in the third position, so many things have already been told. I will try not to destroy Rene's talk this afternoon. And add some things and some more pictures.

So I have to thank my two presenting colleagues for giving all the words and theorems and so on so I can be quick about some points.

So I also changed my title, sorry. It evolved something between four and five this morning. And so I decided finally to put computations instead of perspectives which is far away from what I want to talk to you about. And after that, after all my interest is numbers. So history's good, numbers are good, and perspectives you'll see I put some of them on my slides anyway. And I also put some exercises for you. Probably much easier than what [inaudible] suggested. I don't know where you can find students that can do that in their first year. But anyways [inaudible]. I will try next week, but pretty sure it won't go.

Okay. So a little bit of history, classical theorems, what I call a new era. And I will insist on doing old things and new things about modular curves and class invariants.

Okay. History. I have nothing to say really about history because so many people worked on era -- theory, sorry that I have no time in fact to remember everything. To remind everything so just apparently Gauss was also the inventor of complex multiplication. But since invented so many things we -- I mean -- okay. Anyway, it's Gauss.

And so I did hear a very good book presenting the theory and history of earlier times and computations and theory about complex multiplication. And you already heard the name Kronecker's Jugendtraum. And this is good reading. So sometimes he forgets some names here and there, but anyway a good lecture -- I mean, sorry, a good reading.

Okay. A new era. So it begins with Rene Schoof's -- I mean, for me, at least it begins in '85. I guess it's why we are here 25 years later. And he gave the first polynomial time deterministic algorithm blah, blah, blah. And so now I have a question to ask you.

When was the last time you read that paper? [laughter]. So, yeah, you see I was with that old piece of talks. And so I decided to protect very important papers. So like the VESTA form to get here and then a very, very important paper is this one. This is my old copy of [inaudible]. It's very -- I mean, since I had to read it a lot of times it's written and I've got some corrections, also, but everybody knows how to correct a paper. And I had to stop [inaudible]. So okay, when was the last time you read that paper? Never did?

You should always read [inaudible] papers. What's the exact saying? Don't remember all the [inaudible].

So, okay. And you already heard the story about marketing and so on. So I don't have to comment on this. And so the marketing point was here to compute that problem which seems a bit easy, compute a square root of one but -- so you can do that in many cases. And very easily. But you need something deterministic.

And as you know, computing square roots mod P might involve some quadratic non-residue, and that's not deterministic. At least at the time of today.

And so probably you do not remember but this is the first paper that introduces CM techniques, in fact. If you read carefully that paper you don't need to learn the other papers, everything is in there. In a kind of strange way because to reach that goal you have to start from the elliptic curve with complex multiplication, you have to build it, and after that you get the square root.

Probability pooling with CM here is just reverse kind of transposition principle. So everything is in there. Took me quite some years to agree on this. But everything is there.

So this is another reason why you should read it. So history again. So you already heard many version of this history. And I can -- maybe [inaudible] or not here but here.

So it is here we already saw this. So here I insist on the precursor, so to speak, of primality proving.

So first [inaudible] was done by Bosma in his master thesis, I guess, where he used special primes in Z of I and Z of rho, which is kind of ancestor of -- I mean the first two cases of CM primes.

And at the same time, Chudnovsky brothers write an IBM report starting from ECM or things like this and tried to list all -- I mean a long list of collection of possible parameterizations of elliptic curves looking for one that would give ECM the fast ECM [inaudible]. So this report was not available very easily at that time. Finally it went in print '87.

So primality proving, I see two independent threads. I mean on the one hand, Atkin says -- said okay, let's try to use CM curves to actually prove the primality of real numbers.

And the second thread is okay, can we do -- can we use elliptic curves to get the primality proving is in RP. So for elliptic curves it can not work because we need some very deep precise analytic number theory theorem which is still conjecture, but obviously it's true. And it does work if you use hyperelliptic curves of [inaudible] and corresponding CM properties which was done by Adleman and Huang.

And here, okay, so I should put this a long time ago [inaudible] if I follow Victor's presentation. So I will stick to primality proving in the rest of my talk.

So suppose I want to do some ECC. At this point you have two methods. So first one is take a curve at random and wait for the curve to have good properties, which means that you have to compute its cardinality and all of the properties like being smooth or not smooth or whatever.

But the problem with Schoof's algorithms -- sorry, Schoof's algorithm, sorry, and its improvements is that at the beginning it was rather slow to implement and almost impossible to make run on elliptic curve cryptographic sizes.

Or you can build E as the reduction of some CM curve. If provided you can do that. You have properties here. And it's easy -- I mean, we will see that computing the cardinality of E is trivial if it does small CM.

But then you are not sure your curve here is good. I mean, maybe if it does small CM then it could be endangered by some unknown properties or something that we did not use yet. Anyway, CM curves are the only way of dealing with problems like computing or finding pairing friendly curves or things like this. But still we have -- in these 25 years, we still have this dichotomy. Here rather slow could be made rather fast, if you want, or faster. Here you have the same problems again. So we still have two threads. Here we concentrate on the second one and most probably when we recommend on this part.

So we need theorems to go a little further than what Professor Phi told us. So everything is related to properties of imaginary quadratic fields. And orders of discriminant D fail. So I remind you that ring of integer can be generated by some [inaudible] here, quadratic integer, class number would be H of O and the class group of O will be generated by CL of O.

Typical example, D is minus 4, K is Q of I, ZK is 1, I, class group is trivial, and class number of course is 1.

And one of the most important theorems in CM theory can be summarized here. You can represent prime number P as a sum of squares, so to speak, if and only if P splits in the ring class field KD. And so easy case, so to speak. It is a case where its conductor is 1 when you hit the inductor's field.

How do you build this guy? Second important theorem is that you can build it using a singular value of the modular invariant J, where J is defined maybe by these theories with some very precise coefficients here.

So in theory, you can solve this problem by solving this problem, for instance. So we'll try to -- I mean, we spend some time explaining how to build this in an efficient way.

And one day we will see the relationship with [inaudible].

Okay. More on the Galois theory of this guy, KD over K. It's a Galois extension. And the Galois group is isomorphic to the class group CL of O. And as a result the degree of the extension is the class number of O. And we have an explicit Galois action that we can use if we want to do that. So minimal polynomial of J of any element of the class group is just a product of all of these factors. And it happens that this polynomial has coefficients in Z. Which is a very important point if you want to do computations. If you land somewhere in Q, then it's kind of boring because you need something -- you need to know something about denominators and here you are really on integers.

And so if I just rewrite one of the preceding theorems then this equation is satisfiable if and only if P splits mod D. Sorry. If P splits in Q of square root of D which is a necessary condition and the polynomial HD of X has H of O roots mod P. So as a trivial example which is -- which can be proven with other techniques is that 4 P can be written as the sum of squares here, specifically square if and only if P equals two or P congruent one mod 4.

Good references for this are the old lecture notes in math number 21. When was the last time blah, blah, blah? Nobody -- okay. Serre, Cox, Cohn, et cetera, et cetera. So everything is in there. And everybody should read everything anyway. [laughter]. I mean I could put also Weber and Fricke, but this is for following slides.

Okay. How do you compute this? That's very easy. You compute your class group.

So, okay this class group is easy to compute. So you represent all your ideals in the class group like this and you evaluate J of alpha 1 over alpha 2 as a multi-precision number.

So since we are not afraid of complex multiply -- of floating point numbers, it works well.

We compute the first values, class number one. That's very interesting. More interesting H of minus 23 is this guy and this is a case of known -- of order with conductor nontrivial conductor, sorry. You have these big guys.

So you recover again my theorems about writing P as a sum of squares. And here you have a condition for 4P to be written as this sum of quadratics and coefficients if and only if this condition is satisfied and that polynomial explicit mod.

And so immediately you can see that we are not happy with big numbers like this. And so a large part of the progress in this area was, or has been, to reduce the coefficient size.

So it's time to introduce elliptic curves at some point. So you already saw that we spoke about elliptic curves and their complex analytic presentation, then that's easy, you look at the endomorphism ring of E and Professor Phi already told us about all possibilities and we are interested here in cases where the elliptic curve has endomorphism ring greater than Z.

And the fundamental theorem already given to you is that the only possibility is that the endomorphism ring is a quadratic order in some imaginary quadratic K.

Trivial example, E with this equation has CM by Z of I, always the same thing. And if I collapse or if I collect all my theorems until now then I say E over C has CM if and only if it's invariant G of A is a root of some class polynomial HD of X for some D.

And obviously this is completely noneffective. And what we do generally speaking is that we take some HD of X, compute the root and use A. This is the way we are going to work with it.

What happens over finite fields, [inaudible] have already been cited and Hasse's theorem tells you something on the cardinality. And everything is contained in Deuring's works where it tells you that there's correspondence between reduction of elliptic curves mod P and the set of elliptic curves defined over FP. And in theory it's possible to start from T here and find the curve E here over the extension KD and reduce it and get the equation for the elliptic curve E here with that cardinality here.

So if [inaudible] you can do that practice to do that, you cannot. Or more precisely if you look at this, it's not really effective or it is, but you see you have to compute this guy here and if you take a random elliptic curve here, this guy is big. So these guys are big. And so big meaning I don't know, exponential in log P and computing the class polynomial will be infeasible and so we cannot do. At least we have no method to do it.

So these are at the same time good news and bad news. Good news because we have a bound on the cardinality of E. As we've already said each time you make T vary you get another group. So you have plenty of groups. If you have plenty of groups you are happy because you can do factorization and primality proving. We'll see that in a moment.

Bad news is that given E it's difficult to compute its cardinality. All you have to use is Schoof's algorithm. And everything I told here can be generalized except maybe on some traces here. But everything is known.

Okay. So we have everything we need to understand Schoof's algorithm. So marketing point. And maybe we can improve it a little bit. So how do you compute square root of minus one? That's very easy. You take my curve, Y squared is X to the third plus X.

You compute its cardinality using Schoof's algorithm. That can be done in deterministic polynomial time. And then theory tells you that, in fact, this cardinality you have computed is necessarily of the form P plus 1 minus 2U where P is U squared plus V squared. So now that's easy. You know the cardinality. You deduce U, you deduce V because [inaudible] square root of an integer is easy, deterministic [inaudible] no, just kidding. That's true, but it is not a difficult point. And from that you get square root of minus 1. That's not kidding but that's beautiful. Sometimes marketing can be good.

Sometimes not. But anyway.

And I claim I can improve this a little bit. This complexity to this. So now O is [inaudible] and O approximately what will happen. What is this complexity here? No specialists in the room? Surprising to say the least.

So this is complexity of the improvements of [inaudible] to the basic algorithm. So what do I need? Waiting. Okay. I need again factors of my division polynomial. Have I thought about this? That's funny. Okay. Here it is. I mean, we are not dealing with ordinary elliptic curves, we are dealing with CM curves and we know everything about CM curves. In particular, we know exactly when the division polynomial FL so that's a new object you will hear more properties later. And this guy codes the [inaudible] points of order L. And so we can be sure that in any of my talks P is a prime, L is a prime and sometimes they can be equal but I mean this is a prime.

So everybody knows that primes congruent to 3 mod 4 do not split in Q of I, and, in fact, if you look at FL, it's irreducible over Q of I.

On the contrary, if L splits mod 4, then FL has two -- I use that eigenfactor for a reason that will be clear in five minutes and in particular you can factor FL as a product of two degree L minus 1 over two polynomials with coefficients over Q of I and some guy here which happens to be -- sorry, irreducible. And you have many more properties like here you have only square -- I mean even powers here. And it's funny to play with this guy.

So what do I do now? I compute this over Q of I. And now I'm looking for what happens mod P -- sorry, mod L. I work in this ugly looking extension. Remember, I cannot -- I know that I exist mod P. Okay? So this is not a finite field by very far. So this is the order stuff when we work over with eigenfactors within the [inaudible] algorithm and I had [inaudible] this extension. So this is not an extension. You look for a root of this.

So I play the -- I can run the Schoof's algorithm. I find the eigenvalue here, modulo of this eigenfactor here, and if I've got enough on cells like this then I can use a sort of Chinese remainder theorem to get my trace mod in small primes. And I've done the same thing as the C algorithm. I'm working over polynomials here of degree L minus 1 over 2. Okay. There's a slight overhead working in this. But still this gives a good -- it's a good complexity.

How do I compute these guys? Because obviously I don't want to compute FL factor of L. That's 2P. Okay. That's deterministic blah, blah, blah. No, not deterministic anyway.

But it's not fast. So next ingredient is to use what are called generalized differentiation polynomials. In fact, we can define polynomials -- sorry. Division polynomials of integer indices. This is a classical way [inaudible] you can do that also for complex indices there. And more precisely each case, in each case where E is CM.

So here what I want to do really is to write my polynomial here, maybe this one, as a sum F of complex index and it's precisely F2 plus I. And Satoh gave a long list of recurrence relations for computing all these guys. And you have -- I mean if you ever encountered division polynomials you know that they are a bunch of equations like this. And there's never [inaudible] here but you can divert in polynomial time, and that's okay. After that you have to be a little careful because we are working in that non-extension.

So equality testing is not comparing objects, it's computing some GCD here. Every time you have to compute some equality, you have to test the equality of coefficients by computing GCD. And it works. For instance, take this example of P is 241. So everybody knows that primes congruent to 1 mod 8 are the most difficult guys to compute square roots in the finite field. So my F here is this polynomial here where I reduced mod P. I compute the action of the [inaudible] this is it. And so we realize that from that is 1 mod 5. Should be minus 1. Sorry. Anyway. That's what [inaudible] but in fact you don't really need this extension of Schoof's algorithm for kind of bizarre reason is that here it's definitely not an extension. So what happens some very, very, very often? Or most of the ways is that you can discover square root of minus 1 during the computations. For instance here I told you that you have to compute X to the P squared, Y to the P squared modulo of this polynomial. Sometimes you have situations like this, like YP is some random number times Y. So if you raise it to the power of P here, you have X to P to the squared is plus or minus Y which means that this guy is a square root of minus 1.

And so in all the cases I tried, I always found square root of minus 1 well before the bound given by this PRT -- PR. So this is not a proof. I'm not sure I can prove it but that's fun.

Okay. Let's move to the next topic. So [inaudible] so many pictures of many people, and so this is a real live picture and more interesting like people posting like okay [inaudible]. So this is dog here.

And so it's time also to put some citations. So that's a [inaudible] I received a long time ago, '88. Most of you were not here. And so you see working with Atkin was kind of interesting for -- in many aspects. And one of the aspects was to learn English. And the importance of being very precise in using words like implementing. So I better not say I implement blah, blah, blah anyway. And there is something like the difference between perhaps and maybe. And things like this. So this is very important for when you try to learn that language.

Anyway the idea of [inaudible] was kind of using all the ideas just changing -- we call that changing the power supply or power energy like impressing -- creating electricity out of coal by using atomic energy or something like this. If we could just do the classical thing like converse of Fermat's theorem like, okay, if I can factor N minus 1 then I can prove the primality of N. And so the idea was just using the same scheme and instantiating it with other things, other things being elliptic curves with CM. And so being in loop of ECPP from very far away from hyperspace is something like this, [inaudible] algorithm. You try to represent this quadratic partition here. If you can succeed in doing that and this number factors in some way, then you are more or less if in its prime you are creating the cardinality of an elliptic curve mod N. And if N is prime then this curve has order N, so you just have to find the proof that it is an elliptic curve of point of order N. You can find the curve with techniques related to class fields and so on. And that's it. And you just have to prove recursively the primality of the cofactor.

And this is not an algorithm until I explain you -- or until I give you precise definition of this set of fundamental discriminants. In fact, it's a [inaudible] algorithm in -- I mean, you can -- it highly depends on D here and many factorization parameters and so on and so on.

So basic thing to do is to take the set D as the set of all the discriminants which have size bound in log N squared. And after that you do some analysis and you realize that you need log squared discriminant before one of them will give you some splitting, and this cost you the cost of computing square root of D mod N which is asymptotically this and you have to do a recursive proof of this length. And when you add everything here you end up with a running time of O tilde of log N to the fifth. And this theory is dominant step here and all of our steps will have this complexity.

So this analysis was done by Lenstra and Lenstra in 1990 in the [inaudible] of complexity theory or whatever, computer science maybe. So I must say that Atkin was not very interested in that part. I was not either at that time. We were more interested in proving numbers to be prime than to which complexity we could reach. That's a mistake, okay.

But that's life.

>>: [inaudible].

>> Francois Morain: Yeah. Sure. I never said it's deterministic. So I insist this is probabilistic. I mean the analysis is completely heuristic in particular. So this is the kind of bright way to see -- to say hand wavy. Sorry. Okay. And what you gain at the end is generalized Pratt certificate if you insist. It does size log squared, you have log N steps and each step comprises log N numbers. And if you want to check the certificate once we have spent all our life doing this is log N to the third. So as usual O tilde means we count -- we use fast methods to do multiplication.

Okay. Short history. So I mean it's very difficult for me to do history on things I do. And as a matter of fact, this is why there are people doing history. You are not supposed to do the history of what you did because it's a kind of analysis loop. So just some facts. I can get some primality proving of numbers in the Cunningham tables, I mean the largest one at that time. If I remember correctly, this is a -- this was a 243 decimal digits. At that time the program by Cohen and Lenstra using Jacobi sums was able to do numbers up to 150 or 200 decimal digits. So Atkin went a little further.

Then I did some things with larger numbers, co-factor of F 11, and then I just redid the computations among other things and in that way I was able to do 1,000 decimal digits.

So the problems at that time were class polynomials because it was apparent that going further would need more small invariants. There was some competition by Marcel Martin and his program PRIMO, which runs only on nonlinear stuff, so to speak, yeah.

And, in fact, it was a kind of slipping because nobody cares about primality proving. So that's a fact of life except for some stupid numbers like [inaudible] numbers or whatever.

So we don't -- we spend all our life doing clever algorithms, and it ends up [inaudible] of numbers. As far as primality proving is concerned, of course.

I mean, I -- I mean -- okay.

And then there was this controversy with [inaudible]. It's always -- I mean it's kind of topology to have controversies with [inaudible]. [laughter]. But I said precise things on the exact complexity of ECPP. So I told him there was a faster method that nobody tried because we didn't care, in fact. And so to make things clearer, I had to write the program myself to show that it was indeed fast. And, in fact, when you look at it, you just replace your set of discriminants by some product of small discriminants. And the idea is that you reduce the complexity of the square root finding by this trick.

So now everybody works in O tilde of log N to the 4 and we were able to do many things like 10,000 decimal digits, 1500 -- no, 15,000 and 20,000. So now everybody can guess what will be the next slide.

>>: [inaudible].

>> Francois Morain: Sorry?

>>: The [inaudible] [laughter].

>> Francois Morain: What?

>>: The picture of Dan?

>> Francois Morain: No. Everybody knows Dan is a [inaudible] who doesn't know Dan? [laughter]. It will be more fun [inaudible] okay. Anyway.

Okay. So of course I cannot go here -- come here without a new record. And you see this is like numerology that's very easy. You find a size, so see 25050 because we see the 25th -- okay -- anniversary. [laughter]. Sleepy or hungry or -- and okay. I just manage to do that just before coming, which was actually nice. But I mean it's not really fun because it's a polynomial time algorithm. And you know the complexities so you know the time it takes in theory. And after that you have to have some idle machines and blah, blah, blah, blah, blah, blah. So in the event I'm still alive 25 years from now, I will do 50025. So since we organize ours of ECC whatever, are two thousand and 35 are certainly in the audience you can count on me if I'm still alive. [laughter]. I mean with a brain, also. Otherwise -- okay. Otherwise I will tell you that I have proven these or [inaudible] or something like that. Which would be embarrassing for you. Not for me because without a brain I cannot [inaudible], you know.

Okay. So some details as you insist. And this [inaudible] blah, blah, blah. GMP or bank or whatever. And you see the time spent in the whole algorithm is dominated by the time it takes to check the -- to do primality of the -- on the cofactors at each step. Which is a kind of silly thing.

So computing class polynomials is here. Takes no time. So I did not need the help of Andreas or Andrew [inaudible] singular. I was able to do that myself with my old program. And you see that step one takes some time. Step two also. Checking the certificate is just four days. Four and a half days. Okay. So everything is okay with primality proving. I push a button and I leave and now I can do theory. This is the advantage of computers. They do -- what you don't want to do and they do not complain and blah, blah, blah.

Contrary to many people's -- anyway. Okay. So what happened. Contrary to the primality proving algorithms we can extract the real important piece of it. It's constructing elliptic curves. Because I -- as I already told you nobody cares about primality proving. But some people care about this building curves with CM because then I can meet some properties I want to do serious things like [inaudible].

So I did some paper here explaining that we can build cyclic elliptic curves with this was answering a conjecture by [inaudible] already cited, absolutely I guess no interest any more. But you can make some over parameters vary. So we tend to fix E and -- fix P and vary E, but you can do the other way around. So that's Reinier and Peter which is there.

You can do pairing friendly curves. I'm pretty sure we have a talk on pairings at some point. And you can use also that in EAKS. Which is the elliptic analog of AKS. So this is very important. This is a primitive that we extracted from our problem. So now ECPP can die. We have still this primitive around. And it -- it's okay.

So just want to insist on a slightly different context. Why is that? In primality proving we are dealing with very big numbers, [inaudible] stuff, very far away from crypto applications. But we don't care. This is a number theory, you know, numbers. It's not supposed to be useful, you know. But it's full of math and that's easy -- no, that's not easy, but that's fun.

Blah, blah, blah, blah, blah, blah. And compared to this, cryptography you need very small primes. But here you know that P is a prime. Maybe it was proven by ECPP but that's another story. So here it's -- there are some differences. Here maybe you are not satisfied with all discriminants. Here we take all discriminants.

And here you want to maybe some cardinality which is prime which has some impact on this. And here certainly we do not want our curve to have a prime order. Otherwise you enter an infinite loop. Yeah, yeah. I can assure you.

And here nobody cares about checking by certificates. So maybe they are wrong. No, they are not. Nobody checks. Here maybe you could dream of having people verify certificates. Maybe. But maybe not. But in both cases you have to deal with big Ds and big class numbers. What did I start? When did I start?

>> Kristin Lauter: Ten minutes to.

>> Francois Morain: Ten minutes to. Oh, plenty of time. Great.

Okay. So what is a CM method? This is an approximation of the CM method. Input P. Maybe a finite field here. Marginal finite field. And U and V [inaudible] output a curve which has this cardinality. Here I had a proof of correctness because sometimes you want to do neat things.

Here I put U and V as inputs. If they are not I can add them and blah, blah, blah. Proof of correctness. This is the tricky part. Maybe I do not -- I mean for primality proving, the proof of correctness is a proof of the next step. Okay? In CM stuff you have to prove that this number is actually the cardinality of that [inaudible] which might involve factoring M. And everybody knows that factoring M is difficult. So there are many tricks here, okay, to speed up things. That's not deterministic. But you can be rather confident that you -- this condition is satisfied.

In fact, you have to exhibit generators. And exhibiting generators as Victor told you might involve some pairings and after that where do you find the generators? That's far from deterministic.

So more precise version of the same thing is now with the output I want E to have CM by the order I gave. Here you can find some methods where you find a curve which has this cardinality but maybe it has nothing to do with here. It's a good endomorphism on the morphism ring. If you don't care, that's okay, if you do care, then you have to prove that E has this endomorphism, right. And this might not be very easy, depending on the size and factorization of the conductor. But we saw two precise things about a CM effective. You can find variance.

So how you work in practice. So this is a basic [inaudible]. You have to compute this class polynomial or have it on some disk, whatever. Find a root mod P, find a curve with this invariant and prove that the cardinality is okay.

So computing HD of X, now we can divert in [inaudible] G1 plus of [inaudible]. I won't say anything about this. You have to wait for [inaudible] talk.

Find the root of HD, J of X. This is computer algebra techniques so everybody knows everything. Atkin did some interesting things about this, speed ups and so on. You can try to spend all your life finding the right curve here. This needs [inaudible] very interesting math by Galois. There was quite a long history about this. The last step is -- was done by Rubin and Silverberg when using the J invariant. So there are formulas for even all this and J we can find the right twist here.

So there's still some work to be done when you do not choose J because we never use J for large examples. I can do that in some cases, but it's not completely satisfactory.

And after that, you can spend quite a lot of time trying to find adequate parameterizations and so on and so forth.

So this is already to build a curve with CM. Here I did not list things about proof, correctness and so on. And not for Galois stuff. So I want to go to conclude my talk by this last part, trying to put numbers everywhere.

And concentrate on this problem. How do I find smaller polynomials for building my extension field case. And here again there are two cases. First one I just want and equation for my invariants class or whatever. So probably you just need a generator of the extension field and you can of some minimal polynomial, it can be very small, for instance using units, elliptic units and things like this. So I refer this to Hajir and so on.

And basically you do not have to relate this to any elliptic curve. All you are trying to build a CM elliptic curve and at some point you have to have its invariant J. So you have to find the relation between your minimal element and J and instantly this means modular curves.

So this is the traditional ancestral way of dealing with the class invariants. You start from some known value of some singular modulars, J square root of minus 2 and you [inaudible] in this which is a modular question for X0 of 2, and that's kind of miracle it factors and you find roots which are [inaudible]. And everybody knows that 64 is less than 8,000 so you found a smaller invariant.

And so the game here is to generalize this of long list of modular equations and modular functions and so on and so forth.

So very briefly sometimes I put a zero upstairs and sometimes downstairs but I mean they are isomorphic or whatever, so our modular function is something invariant by these guys here. And modular function is you take the minimal polynomial of this function, apply to these co-sets. I don't really need this but at some point you have to define [inaudible].

So why do these invariants exist? Because you see I take a random equation at random, this one. Why would it split? Okay? So what is obvious is that if J of tau is an algebraic integer so is F to tau and, in fact, it tells you that if you manage to find one guy F of Z, which is in KD and -- sorry, this is a goal we want to reach, sorry, if we know that FZ is KD and its conjugates also, we are done. And, in fact, everything relies on Shimura's reciprocity law, which tells you when this precisely occurs.

And you have at least two variants of Shimura's reciprocity law. And we prefer to use Schertz's simplified formulation because we can apply it to families of functions basically.

So how can we measure that we have a good invariant? There is this theory by Hindry and Silverman telling you that if F and J are roots of [inaudible] equations the ratio of heights is more or less the same thing as the ratio of the degrees of the two variables.

And what you want is a constant here which is the smallest possible. Because you see when you want something here which is much more [inaudible] this guy here.

So that's easy now. You take your modular functions on some gamma 0 of N, compute the magical constant and when you have it you are happy, if it's strictly smaller than one.

And things since it can be proven that -- I mean, we have a formula for the genus of X of O of N. In fact, this genus is more or less musable of N divided by 12 which means that asymptotically in a very, very, very broad sense this content -- constant, sorry, tends to one over 12.

But we have many cases where we can do better. I mean, when N is small our special properties we can do better than that. But we cannot dream, we cannot asymptotically better than one over 12.

So time for another citation. Which is a bit puzzling the first time you read it. So when you are young you are trying to read these things and you find citations like this and when you are interested in algorithms then you are a bit astonished by algorithms. So since we are the citation here. So you see okay what -- how do I -- how can I implement luck? That's the first point. Theta functions, okay. Why not. This is variable and this is the standard way nowadays, so to speak.

So when can we be lucky when we have nice families like eta quotients as many people did like [inaudible]. We have infinite family for instance for X0 of L to the N. Remember 0 upstairs or downstairs is not very relevant. So we have many things and we are trying to find algorithms out of this and this is [inaudible].

But there's one nice thing is Newman's lemma which tells you that some product of eta functions give you what you want. If you have luck, and this is a kind of minimal function, so to speak, and you are happy. So you can do that for each case where the genus of [inaudible] of N is 0 which means degree J is one. In that case, magical constant is, so to speak, minimal as it can be, which is one of the user of M. These values for the invariant. These are the products. And these are particular cases given by Newman. But at least they were known to Klein and Fricke. And you see you have these magical constants here and this guy has kind of [inaudible] this product of theta function as the inverse of the magical constant equal to 36.

So this is a table of invariants and their respective inverse of magical constant. And there's a conjecture. So which comes from Selberg, Abramovich, and written in that language by Broker and Stevenhagen that you cannot do better than 96. We are far away from it. We have just 72. And we are cheating here a little bit. So I tried to find these better examples, but it seems to waste. I mean, 48 there are not a lot of them. My table will be completely -- not completed but extended by Andreas in his talk. So I have [inaudible] to his talk you want to see what happens here. And see, we have many examples of 36. Which means that we can use them in particular instance.

So what we did, which we are currently doing with my student Brier is to look at all examples where modular curves of quotients by subgroups of the Atkin-Lehner involutions by the -- sorry, by one of the subgroups of the group of Atkin-Lehner involutions which are more or less the same as subgroup of the endomorphism of the of pair which have low genus. Why do we do this? Because you see when you quotient modular curve by some involution, then the resulting equation will have a degree in G multiplied by two. But then you end up on the curve which can have a very small genus.

And then you have to balance the increase here and the decrease here. And still we have to find the modulars of everything which are relating J to the appropriate function.

So we cannot be satisfied with minimal equation of 10 by whatever means and not related to J. So we have to redo everything already done [inaudible] or most everything.

So if we could do a lot of computations. So that's a very neat book. You have, I don't know, 300 pages of theory and 200 pages of computations, which is what we like. It's kinds of extension of Weber and so on and so on. And contrary to this [inaudible] did not seem to like computations. I do not know if you agree. [inaudible] not very numerical.

Anyway, and so the best we can do -- I mean, this is history again. If you -- if we want to use the functions of -- I mean the minimal functions found by Atkin and his laundry method, then we end up with very good constants. For instance, for 71, X0 of -- X0 star of 71 has genus zero and you have this good constant here.

So you see there's another citation. I took in the paper written for the retirement of Atkin, and so everybody knows but I can be put in the list of overs so I'm quite happy or honored to be in the overs. And it sent me a long time ago another way of looking at his minimal functions because you see here the laundry method is kind of difficult method we wanted to prove that the functions were indeed functions. The best thing to do in that case is to recognize is functions as quotient of something everybody knows. So everybody knows about eta, the eta function, probably perhaps not so many people are aware of this kind of generalized eta series. And the -- I've got a long list of these minimal functions in terms of these generalized theta functions. And problem we should share these ideas because there are many things I don't understand in that.

So this is one of my first open problem is should have we do something about it? So okay, I should not write things downstairs. Okay. Sorry. So I guess many people in this audience have received a lot of e-mails by Oliver. So maybe we could try to not to lose them and edit them in some ways. So if anybody agrees we can try to do something.

Because I can put everything on my white page but probably it's not the best thing to do.

Anyway, I can give these tables that are very useful for many reasons.

So I will be quick on that. The best paper on quotients of modular curves is certainly read by Gonzalez and Lario when they give tables, precise tables they are correct and methods to find the equations in algorithmic -- I mean sufficiently algorithmic way. And also they explain how to use intermediate quadratic fields predicted by Galois theory.

So maybe I can show you the idea here on this big example. I start from X0 of 30. 30 has three different prime factors. So you can decompose -- these are not extensions.

But if you put Q of X0, these are extensions. You quotient this by this involution which is W 15, you find a function here. So this is a lucky part again. You find this function for invariants and a good function for this guy here, and you quotient here by W3 and you end up on X0 star of 30.

And each type here corresponds to quadratic extension of defining extension here.

Whoops. Sorry.

And you see you have functions here which are invariants. In fact, if you put everything together then you have this extension which splits over these three quadratic extensions.

And this has the effect of decreasing the degree of the class polynomial. We will see that in a moment. Okay. So from the tables of Gonzalez and Lario, you have all examples where the genus of some quotient is zero. And I put here some of the results.

And these are indices of Atkin-Lehner's involutions and the corresponding magical functions. So you see that you can have 36, 36 here, you have 24, 27 here, so they are not so bad.

So this is just [inaudible] zero. So you have still somewhere for the [inaudible] over general but probably it's not [inaudible]. So again, lots of examples. Maybe this one, not this one. Okay, this one. For instance, yesterday in the plain why not? I imitated what [inaudible] did with these theta functions and in fact, for 95 and 119 I could find some generalized theta functions which give the help modular for these two cases. And you see that kind of family here. Everything is covariant to 23, 24, 40, 23, you have this, 47 you have this, and probably for all of our cases you have the same kind of result. But I mean the plan took a lot of time but not enough time for me to end the list.

So the results which we have obtained -- and we looked at all of the interesting quotients. We still have some problems identifying known functions but, I mean, I am confident we will do that. And from this and the splitting in quadratic extensions you have cases where you trust polynomials here have very strange properties and [inaudible] I guess will give you, for example, with eta quotients. And for instance, look at this example, 60 -- discriminate 60 -- 660 divisible by 110 and the class polynomial is an 8 power, 84 power.

So we have plenty of computations around here and that's what is important. Open problem for complexity reasons and for practical reasons, some of you might know that we can evaluate classical theta functions very rapidly which means O of -- M of NM is a time to multiply two [inaudible] integers and the corresponding question can we evaluate a generalized theta function rapidly? I have no clue about this, so that's an exercise for you. This is the interest of being invited speaker. I ask you questions and you're supposed to give answers. An exercise.

And that's it. So this is a perspective slide. Okay. So after the 200 years of study we have some satisfactory results. We have beautiful numbers and equations which is the important thing. At least in my mind and I'm almost sure in Atkin's mind also. And of many people in the community. What remains to be done of course -- is of course the higher genus case where you have very few results. This game of using modular equations to guess class invariants is very difficult, much more difficult because modular equations are difficult and there are many parameters and you will have some talk about computing objects like this. And it's not as easy as what we have done in genus 1. So just of course I haven't told you anything. Everything on the subject. I probably forgot very important things. But, I mean, these are most of the things I forgot to tell you about will certainly be described in the next talks. So you have to stay here until Friday night, otherwise you'll miss some important things. And thank you for your attention.

>> Kristin Lauter: Questions for Francois?

>>: I was wondering for the very fast HD computation that you mentioned in your big example how much slower would it be to do a very naive J approach?

>> Francois Morain: No clue. I can measure it for you if you insist. You're not supposed to say yes at that point, you know. [laughter]. You have to wait for some more sleep. I mean I have to sleep before answering your question. I don't know. I recompute it for you. And you see you have 200 -- I mean, sorry, you have 2,000 invariants. For this one it took five days for these guys to go approximately five days.

Each -- I mean I'm pretty sure in many cases I was able to have a constant like 30 or 36 so roughly speaking I don't know, 10 days, 15 days, whatever.

I mean, a way of answering the question is but not all cases are big. Okay? So now I can decide what is big, what is small. So I had the zillions of slides about sizes of invariants for the [inaudible] cases. But I thought it was too many for today. So I will do that anyway.

But I mean, invariants like Newman 18 and guys like this are very, very important -- useful. And I'm not in the state of -- I mean, I'm not in -- not in the state but I'm not in the process of selecting by discriminants only based on this because for reasons I already explained not so many numbers want to be smooth but size so you cannot be restrictive about these. And obviously if you want to do CM for crypto things then probably a lot of invariants we suggest to use cannot be used because you want D prime, for instance, or not divisible by small numbers and so on and so on.

But still, I mean, after that you can wait for Andreas and he will give you a better answer, or Drew will give you a better answer.

>>: I'm just curious in addressing Dan's question, it's not just the height factor, also the fact that you're getting these powers -- I mean the quadratic extensions --

>> Francois Morain: Yes.

>>: I mean, if you had height factor of 36 and then you had a power, that's a pretty big multiple.

>> Francois Morain: Yes. Unfortunately my program ended before I was able to [inaudible] computers sometimes do what you want. So -- and I needed a plane to finish the computations. Any way. Yes?

>>: Just to reassure you by answering the very first question you asked, I did refer to Rene's thesis last week. [laughter].

>> Francois Morain: What was the question again?

>> Kristin Lauter: When did you last read it.

>> Francois Morain: Okay. Okay. Great.

>> Kristin Lauter: Okay. So with that, I think we can thank the speaker again and we're going to have lunch here.

[applause]
