Add to collection(s) Add to saved
  1. Math
  2. Statistics And Probability

: So our next speaker is Wouter Castryck from Katholieke Universiteit

advertisement 
>>: So our next speaker is Wouter Castryck from Katholieke Universiteit Leuven.
He's presently visiting MIT. He'll be speaking on the primality of genus 2
Jacobians.
>> Wouter Castryck: Okay. Thanks. I would also like to thank the organizers for
giving me the opportunity to talk here. It's really a fun place to be and an
interesting place to be.
So the presentation that I will give today contains joint work with Hendrik
Hubrechts, Alessandra Rigato and Andrew Sutherland. So here's the outline of
the talk. So first I will focus on the genus 1 case. But I will give alternative
heuristics in favor of a conjecture due to Galbraith and McKee who gave
heuristics estimating the probability that if you take a random elliptic curve over a
finite field what is the probability that the number of points will be prime?
But our heuristics will be different from Galbraith and McKee's, and they will be
more suitable or better suitability to generalized genus 2 and then we'll elaborate
this in the second part. So the first two parts will be like almost all of the talk and
then at the end I will discuss some asymptotics because you can like keep
formulating new conjectures for every genus. But we won't do that. But it's
interesting to look at the asymptotics. And then some concluding remarks.
Okay. So here Galbraith and McKee conjecture. So let me fix notation. For now
FQ will be a finite field of characteristic at least 5. But this doesn't matter. It's
just to have this nice shape of elliptic curves. So elliptic curve for me will be an
equation Y square equal X cubed plus AX plus B. And we will say, we will take it
at random. What do we mean by taking an elliptic curve at random? Well, we
mean taking a pair AB from this set at random. Okay? So we like kill the
discriminant locus and then we take a random pair.
And then NE will be a random variable as well. And it will be the number of
points on the elliptic curve over FQ. And we mean really on the projected
models, including the number -- the point at infinity.
And then the main question of the day is what is the probability that this number
NE is prime? Obviously this is a very hard question because we don't even know
whether every Hasse interval contains at least one prime number, so it will be
very heuristical. But let's have a look at it.
And one motion that you all know about the cryptography. So if you want to the
use an elliptic curve for cryptographic purposes the cardinality's preferably prime
or prime up to a small cofactor. But everything that I will tell here will be
generalized to the situation where you allow a small cofactor. So that's not really
the thing.
Okay. So here's some general facts on the distribution of the number of points
on the elliptic curve. So I mentioned Hasse's theorem. The number of points on
the elliptic curve is always contained in this interval, centered around Q plus 1.
And then there's like a well known thing. If we rescale this, so we put the center
around zero and then we divide by two square root of Q to end up with a number
between minus 1 and 1.
It makes sense to have a look at the asymptotics for Q growing to infinity. And
then there's like theorem, and I don't know exactly who it is due to, but at least
Birch, Yoshida, and I put Katz Sarnak there for safety [laughter]. Gave lack of
proof of this theorem. Sorry. I think Bryan Birch did it for growing prime fields,
and then Yoshida did it for growing extension degrees like the -- no? Yeah.
Well. In any case -- yeah. It's heuristical talk anyway, so I don't care. [laughter].
So here is a some experimental evidence. It's a bit stupid experiment because
we took 100,000 curves over a field which is not so big, so we have -- will have
count many curves multiple times. But that doesn't matter. We already see like
this semicircle coming. Okay?
But now the interesting thing is this is a histogram of this experiment and the
interval is like 15 possible cardinalities. So we counted the number of -- this
denotes the number of elliptic curves. And our experiment was cardinalities like
between -- yeah, I don't know by heart, but some set of 15 possible cardinalities.
But if we -- this is just the very same experiment. But now the interval is one. So
every bar denotes single cardinality. And you see that the semicircle, okay, it's
still there. But it's not very nicely there. And this is not due to the fact that our
field is rather small, this is really always the picture. Okay?
So it doesn't -- it converts it to a semicircle, but only if you do this like scaling. If
you look at the individual traces or numbers of points, it's not really a very nice
thing. Note that you have gaps, that trace is congruent, so you have gaps at
some point here. This is due to the supersingular locus but that's not the topic of
today.
Let's add colors to this histogram. So the green bars correspond to the
cardinalities that are odd and the red bars correspond to cardinalities that are
even. So you see that there are a lot more curves having an even number of
points than there are curves having an odd number of points. And this is clearly
not a coincidence. Okay. And this is, in fact, easy to prove. But I want to
include a proof because it seems not very well known. Yeah? So the probability
that the number of points on an elliptic curve, a randomly chosen elliptic curve is
even is about two-thirds, okay? So here's how the simplest proof works.
Okay. So we said that we took -- okay. There's a pointer here I think. Yeah. So
we said that we took an elliptic curve Y squared equals a polynomial of this
shape. But for the proof we will replace this by random elliptic curve defined by a
polynomial of this shape. This doesn't matter pause like this completing the cube
thing that you've all -- that you all know is uniform. So it's Q to 1, so the
probabilities don't change.
So we assume that E is defined by Y squared equals F of X for a random
square-free F of X of this form. Now, the number of points will be even if and
only if the elliptic curve has two torsion. But the two torsion points are exactly the
roots of F of X. So this will happen if and only if F of X is reducible. So our
question, what is the probability that the number of points on elliptic curve is even
boils down to the question what is the probability that a randomly chosen degree
tree polynomial is reducible? And this could be an exercise to show that this is
really two-thirds asymptotically.
There's a very neat argument here, but it can be done like really naively. But the
neat argument is that the irreducible polynomials are precisely the minimal
polynomials of elements of FQ cubed. And the correspondence is 3-to-1.
Because every such irreducible polynomial will be the minimal polynomial of 3
elements.
So there's approximately Q cubed elements here. And the correspondence to
this 3-to-1 so this is like the number of irreducible polynomials. This is the total
number of polynomials, and you get one-third. So the -- though the number of
reducible polynomials is two-thirds. Okay. So that's the only proof I'm going to
give today.
This can be generalized to other primes so we were wondering what is the
probability that it's divisible by two. Well, now the more general question is we
pick a prime number L. What is the probability that the number of points on our
elliptic curve will be divisible by L in and there's a theorem by Lenstra which was
basically mentioned yesterday in Stefi Goldwasser's [phonetic] talk because it's
the underlying -- well, he actually mentioned that elliptic curves -- the cardinalities
of elliptic curves behave roughly like random integers in the Hasse interval, so
this is like the underlying theorem of Lenstra for that.
So you see the probability of being divisible by L depends on Q mod L. If Q is
not 1 mod L, it's approximately 1 over L minus 1. If Q is 1 mod L, it's
approximately L over L square minus 1.
In any case, in every L if Q is big because this is asymptotically the probability of
having L torsion will be strictly bigger than 1 over L. Okay? So that's like the
main line of thoughts.
So this suggests that the probability of having a prime number of rational points
will be than we would naively expect because the probability of having small
factors is bigger than we naively expect. All right?
So this is like the thing that we will try to quantify. So from now on we will
assume that our field size is prime, that this is just for simplicity. So here's some
heuristics to estimate the probability that a random number in the Hasse interval
is prime. So it's very knife heuristics when it's a number of prime if it's not
divisible by 2, not by 3, not by 5, not by 7, not by 11, and so on.
So we assume that this is like independent. It's not true. But asymptotically it will
be. And the probability that it's not divisible by L is L minus 1 over L. We multiply
all these probabilities up to like to square root of P basically because if it has a
divisor bigger than square root of P, it will also have a divisor smaller than square
root of P and we end up with like this formula and this behaves like one over log
P. Okay?
So that's like a heuristic derivation of the prime number theorem. We do the
same thing for elliptic curves using Lenstra's estimates. So what is the
probability that the number of the points on the elliptic curve is prime? We do the
very same thing. Note that we have the distinction between P congruent to 1
modulo L and P not congruent to 1 modulo L.
If P is not congruent to 1 modulo L the probability of being divisible by L was 1
over L minus 1 so not being divisible by L has probability L minus 2 over L minus
1. And then we do the same for P congruent to one modulo L. So this is like the
probability heuristically that a randomly chosen elliptic curve has a prime number
of rational points.
And then we take the ratio.
>>: [inaudible] the scope of the square root [inaudible].
>> Wouter Castryck: But my elliptic curve will have a number of points contained
in the Hasse interval.
>>: Yes, but L [inaudible].
>>: It's not divisible by [inaudible].
>> Wouter Castryck: It's not, yeah.
>>: [inaudible].
>> Wouter Castryck: Of course in the heuristics in the end we will ->>: [inaudible].
>> Wouter Castryck: This is just naive heuristics, right? And if even number of
point is prime it suffices to check it and we know if some number is prime and we
know that it's smaller than P plus 1 plus 2 times square root of P, then it suffices
to check that it's not divisible by prime numbers that are smaller than number,
right?
>>: This is a [inaudible] it's not the same as predictive.
>> Wouter Castryck: Yeah, but it's just a heuristic so they don't claim like -- but
in the end yeah, because the factors for big P will be so close to one we will
just ->>: [inaudible].
>> Wouter Castryck: You can talk this about this later.
In any case, if we just apply this naive heuristics, we take the quotient and now I
get rid of these bounds because asymptotically they will be so chose to 1 that
they don't matter anymore. So this is like the erasure.
And then if we rearrange terms, I don't expect to you do this like on the spot, but
you can rearrange terms like this. And this is exactly the conjecture posted by
Galbraith and McKee in 2000. So the CP, depending on P is this constant, so we
see that except for the last factor this is like a product of all number -- of numbers
being smaller than one and this will be the dominant factor, then the probability
that a naive -- that a number of points off elliptic curve divided by the probability
that the number of points -- sorry, the probability that the number of points on the
randomly chosen elliptic curve is prime divided by the probability that a random
number in the Hasse interval is prime will be approximately CP. That's the
conjecture.
And if you elaborate this like if you forget about this last factor you get 0.44. If
you include the last factor like in the worst-case scenario, you get 0.62. Okay?
So that's the conjecture of Galbraith and McKee. But the funny thing is that they
give alternate heuristics. So it's a bit surprising because it's a rather complicated
formula but they give really different heuristics to obtain the very same formula.
So what did, in fact, like for each prime candidate, prime divisor L, we had a
factor and we multiplied them. But I resist something like the analytic
Hurwitz-Kronecker class number formula counting elliptic curves with a given
trace basically. And this is like a product of other factors and they select the right
other factors out of these products. So it's like a joule thing.
But in any case this is the Galbraith and McKee conjecture. So the probability
that the number of points on elliptic curve is prime is about half the probability
that you will naively expect. Yeah?
>>: [inaudible] going back to the [inaudible] comment. That first product does
the [inaudible] this characteristic argument, it points out that you get [inaudible]
not a constant.
>> Wouter Castryck: Okay.
>>: And so it -- it would be interesting to look at, yeah, this [inaudible] so sort of
your argument is saying that you get the same row constant in the [inaudible]
estimate. Is that right? I mean, you check that empirically, right?
>>: Empirically once you take the [inaudible].
>>: And you get the same row constant. Yeah. Okay. Cool.
>> Wouter Castryck: Thanks for pointing that out. I checked it empirically, but I
didn't know it is a constant. Yeah.
So here is an interpretation of these theorems by Lenstra which will allow us to
generalize the whole thing to genus 2. So and that's a kind of random matrix
theorem. So suppose we have a number N which is co-prime to the field size
and we have and elliptic curve E over FQ. Then we can associate this it's
N-torsion subgroup. Okay in and this -- we all know that this is a -- this has the
structure of a two dimensional Z modulo N module. So we can take a basis of
the this module, you can have Frobenius act on the module and then we end up
with the matrix of Frobenius basically. Okay? So this is a matrix taking
coefficient -- two-by-two matrix taking coefficients in C modulo N. And it's well
known that this has trace exactly the trace of our elliptic curve modulo N and
determinant Q modulo N. Okay?
Now, choosing another basis yields a conjugated matrix, okay? So the matrix of
Frobenius is not a canonical thing we can associate with the elliptic curve but the
conjugacy class of Frobenius is a canonical thing we can associate to the elliptic
curve.
And then like the random matrix statement which in this form did not appear in
literature so far, so therefore I write quasi theorem but it's like almost certainly
true. So there are some almost proofs of this.
So here is how it goes. We take any conjugacy class of matrices having
determinant Q, and the probability that our conjugacy class will be the given
conjugacy class is proportional to the size of the conjugacy class. Okay?
So this is like the quasi-theorem. This is likely to follow from Chebotarev's
density theorem applied to the modulo cover XN over X1. And so this is like in
the case that Q is congruent to 1 modulo N, this is really Chebotarev's density
theorem. But in general you have to work with [inaudible]. It also follow from
Katz-Sarnak probably. This was elaborated by Jeffrey Achter, but he imposed
some hypotheses which are a bit annoying for us.
Okay. So here's an example to get in touch with the flavor of this random matrix
statement. So what proportion of elliptic curve satisfies that the foo L torsion is
rational, okay? Well the foo L torsion is rational if and only if the L torsion
subgroup has a basis consisting of rational points. So the main thing is
Frobenius will always be the identity matrix and every conjugated matrix will be
the identity matrix.
So this is a very conjugacy class. So this is the smallest you can imagine. And
why the random matrix the quasi-theorem, the chance that this happens is
proportional to the size of the conjugacy class. And the total number of matrices
having determinant Q is L cubed minus L so. This probably is roughly 1 over L
cubed minus L. Okay? So that's just an example.
And then this will allow us to give an alternative proof of the probability that the
number of points on the elliptic curve is even equals two-thirds at the limit. So
there are six two-by-two matrices, modulo two having determinant Q, which is
one modulo Q. So here they are. And you see that the first four have trace zero.
And the last two of them have trace one. So according to the random matrix
statement, so the probability that we will have trace zero is four out of six. Okay?
So that's two-thirds.
And because this theorem says that if you want to count the elliptic curves having
a certain property like having a certain trace, this says that you have to count the
number of matrices having this trace. Yeah. Okay.
More generally if L is a prime not dividing Q then you can do this exercise. You
can condominium the number of matrices for which Q plus 1 minus trace of the
matrix is congruent to 0 modulo L. And then it's an exercise to see that these
give these proportions. So it depends on Q modulo L. If it's not 1, it's L squared
plus L. If it's 1 -- okay. So this is just a technical boring exercise. But the nice
thing is that if you take the quotients you exactly get Lenstra's estimates.
So this is like a more general, the random matrix statement is like a more general
statement than Lenstra's statements. And this corresponds to the fact that
modular cover -- that modular curve XN covers the modular curves that Lenstra
used to prove this theorem.
Okay. So here's how to adapt to genus 2. So we will again fix the same
notation. So if FQ is a finite field of characteristic at least 3, now because we will
look at half elliptic curves of the following form. So Y squared equals F of X is a
random genus 2 curve. What do we mean by a random genus 2 curve? Well,
either if F of X is taken from this set uniformly at random, so F of X is a 1X
squared polynomial of degree 6, either F of X will be taken from this set uniformly
at random. So where we have degree 5 now.
So why do we study these two notions? Well, this is something which is very
often used in cryptography, okay, imposing a Weierstrass point at infinity. This is
like closer to the theoretical structure of genus 2 curves. And these are, in fact,
distinct notions as we will see in the -- on the next slide.
But any case so we have this number of points on the hyperelliptic curve, on the
Jacobian, and the question of this second part of the talk is what is the probability
that this is a prime number? And again, the motivation can be found in
cryptography to a less extent. Okay. So we will have a look at the same
question that we had in the elliptic curve case because it's again rather
elementary. So there's a probability that a number of points on the Jacobian is
even. Okay? And here we will see this distinction between taking FX out of H6,
so degree 6 polynomial, or taking FX to be a degree 5 polynomial.
So here's a standard fact. I won't go into details of the proof, but using the
Riemann and Roch theorem, it's a fairly easy exercise. So W1 till W 6 are the
Weierstrass points of our hyperelliptic curve, and then it can be proven that every
nonzero point of the Jacobian, which we think of as the divisor class group,
contains a unique pair of divisors WI minus WJ, WJ minus WI. So these will be
linearly equivalent.
But apart from that, two different -- for different pair IJ you get a nonequivalent
divisor. So hope such divisors do you obtain? All 15 because this is taking 2 out
of 6. And this is exactly the number of nonzero points of the Jacobian because
there are 16 points in the true torsion point of the Jacobian, so 15 non attractive
ones. Okay?
And such a pair is FQ rational if and only if it's like fixed by Frobenius, okay? So
if either both points are rational, either they are interchanged by Frobenius. And
then you see that when -- so if we take an elliptic curve of form -- hyperelliptic
curve of the form Y squared equals F of X with F of X in H6, so what is the
probability that the Jacobian will have two torsion while the Jacobian will have
two torsion if it has a rational point of this form. So if it has a set of Weierstrass
points satisfying this. So, in other words, if F of X has either two linear factors
either quadratic factor. So in general if it has a quadratic factor.
And then you can just do a naive exercise to show that it's 26 out of 46, the
probability asymptotically.
On the other hand, if you take Y squared equals F of X with F in H 5, then we
already have a Weierstrass point which is rational at infinity. We have it for free.
So it suffices to have a linear factor or a quadratic factor. So this is like a weaker
condition and indeed the probability that the a process bigger, so it will be
four-fifths. And the exact same proof as we did in the elliptic curve case works
here. Okay? So you see that there's a big difference on the probability of having
rational 2 torsion.
So from now on suppose that F of X is chosen from H6 uniformly at random
okay, because this works from a theoretical point of view. So let's describe the
random matrix model in genus 2, okay? So this is the biggest part of this section.
So again we take a number N which is called prime to the field size and to a
genus 2 curve we can associate the N-torsion subgroup of its Jacobian. Okay?
And so it's this, exactly the same definition. And now it's well known that this has
structure of four differentials, Z module, N module. So now let's try to copy the
argument of the elliptic curve case naively. So we take a ZN module basis. We
associate this matrix of Frobenius, okay? Again, we will have that this has
determinant Q modulo N and instead of having trace N modulo N, it will satisfy
this because the number of points in the Jacobian is the characteristic polynomial
evaluated in 1 and this is the characteristic polynomial evaluated in 1.
So this will be satisfied. But now if you would like to -- if you just do this naively,
so if you pick another basis we obtain -- we ends up with the conjugated matrix.
And if you try to formulate a random matrix statement in this genus 2 case, just
naively, so we can associate to H a conjugacy class of matrices of Frobenius.
We pick another -- we pick a fixed conjugacy class where there's the probability
that our conjugacy class will be equal to this one. Is it proportional to the size of
the conjugacy class? The answer is no. Okay?
So we can't just -- can't just do this naively. So -- and the thing is that there's like
a more canonical choice of a basis to be made, and this is due to the existence
of the Weil pairing. So I assume that you know the Weil pairing. So what is the
setup? Well, repeat a perimeter Nth root of unity. And we know that the Weil
pairing pairs two elements of the N-torsion subgroup to an Nth root of unity,
okay? So to the group generated by the -- by our perimeter Nth root of unity.
So this is not really a pairing in the sense of linear algebra because this is like -this is multiplicative, so we take like a logarithm to resolve this. But this is not
canonical. It depends on the choice -- so this map depends on the choice of our
primitive generated. Okay? But suppose we fix our primitive generated, then
this becomes canonical and then the Weil pairing is skew-symmetric,
nondegenerate bilinear pairing on the N-torsion subgroup. And such pairings are
called symplectic pairings.
And then there's a theorem by Darboux that says our module will admit a basis
with respect to which our symplectic pairing -- well, the matrix of which will have
this shape, this simple shape. And we'll denote this matrix by omega, okay?
So this is like a more canonical choice of bases that we can make. We don't just
pick any bases, we pick a Darboux basis. But notes it's more canonical, but it's
not entirely canonical bottom it depends on the choice of our primitive root of
unity. And the Darboux basis itself is not unique. Okay? So let's have a look at
the influence of picking other stuff there.
So let's rephrase this. So if we translate this and pull this back along this map,
then this is like the condition for a basis of the 2-torsion subgroup to be a
Darboux basis. So our basis should consist of four points, P1, P2, Q1, Q2. And
PI and QI -- sorry, PI and PJ should always pair to 1, which corresponds to a
zero in this matrix. But along this logarithmic map it's one in the exponent -sorry, it's a one -- it's zero in the exponent. And PI and QJ should pair to a power
of our primitive Nth root of unity. So P1 and Q1 should pair to zeta and P1 and
Q2 to pair to one. Okay?
So this is the condition for a basis to be a Darboux basis. So let's pick like a
multiplicative unit in Z modulo N. Then we can have a look at another primitive
Nth root of unity, ever other primitive Nth root of unity will be of this form. And
from this line it immediately follows that if this is a Darboux basis with respect to
zeta N, then this will be a Darboux basis with respect to zeta Nth to the power D.
And this is because of the properties of the Weil pairing. If we put a D here then
this D moves to the exponent here. So that's exactly what we want.
So that's already one thing that this kind of solved. If you pick a different Nth root
of unity, all we have to change -- we have a matrix of base change and the matrix
of base change will be of this form. Okay? So do not denote this matrix by GD.
So recall the non-canonical part was choosing primitive Nth of unity -- root of
unity, taking another Nth root of unity and conjugating such a matrix GD. But
then we have this choice of a Darboux basis. And this is -- will be more
interesting. So if we have a -- if we pick a different Darboux basis than we must
have this identity, right? And this equals this. And if we elaborate this, then we
will have this. So a matrix of base change M between Darboux bases must
satisfy that omega is equal to TM times omega times M. Okay?
And matrices satisfying this are called symplectic matrices. So this is a group,
it's a group, this is a group of symplectic matrices. So these are the matrices of
base change that we should take into account. Along with this matrices GD that
we already had. Okay. So what happens if we apply both? Well, you can
elaborate this. I won't go into the details. But it's not so surprising that this D
here will end up somewhere here. Okay?
So a product of a symplectic matrix and such a matrix GD will satisfy a condition
that resembles this could it a lot. But instead of just being omega here, we will
have D times omega here. Okay?
Matrices satisfying this also have a name. They are called d-symplectic. Okay?
So d-symplectic matrices are matrices satisfying TM times omega times M
equals D times omega. And this is not the group, okay. If you multiply to these
symplectic matrices you will end up with the square symplectic matrix I think.
But if you gather them all together you get a group. And this is the group of
symplectic similitudes. So it's generated by our symplectic matrices, and it's
generated by the matrices GD all together. So these are the matrices that we
have to consider if we do base change, right? So this is the group of symplectic
similitudes.
And one particular example of a symplectic similitudes is a matrix of Frobenius
with respect to a Darboux basis, okay? So if we have a Darboux basis because
Frobenius shifts through the Weil pairing, so if we apply Frobenius to the points
it's the same as applying Qth power Frobenius to the evaluation, we will end up
that the matrix of Frobenius with respect to a Darboux basis will satisfy this. So
this Q comes in front here because of this logarithm. So the Q was here but
because of taking the logarithm, it comes in front. Okay?
So in particular, a matrix of Frobenius with respect to a Darboux basis will be
q-symplectic. So now we have all the ingredients for formulating the random
matrix theorem or statement. It's also again suffers the same incompletenesses
in theory L in the literature I mean.
But if we associate to H to an I elliptic curve an orbit of Frobenius, so it will end
up in this set of q-symplectic matrices of taking another root of unit or taking
another Darboux basis end up with conjugation by a symplectic similitude, so this
is kind of the conjugacy classes that we have to consider.
So if we fix a conjugacy class inside this group under conjugation by the
symplectic similitudes, then the probability that our conjugacy class of Frobenius
will equal this conjugacy class is proportional to the size of the conjugacy class.
So this is the random matrix statement. I put the question mark here because it's
not -- I think Achter has a 10 here, but it probably should be much smaller.
Okay? So a 10 will probably suffice but it doesn't matter. We only care about the
asymptotics. Okay.
So then we can elaborate Lenstra's theorem in genus 2. So let L be a primary
number not dividing Q. And then we just count the number of matrices in this
group of q-symplectic similitudes of q-symplectic matrices satisfying that the
determinant of M minus identity matrix is congruent to 0. Okay?
And then this is like an annoying exercise. I will mention a theorem by Achter
and Holden later on that allows you to just -- yeah. It basically gives a recursive
formula for this, for growing genus. So you can use the theorem by Achter and
Holden to obtain this. You can also do this more naively. In genus 2 it still
works. Okay?
So these are the -- like the numbers of matrices. Again we have like a
separation between Q -- not congruent to 1 modulo L and Q congruent to 1
modulo L. This is the total number of symplectic matrices. So we take quotients
and we ends up with these probabilities. And these work -- match very well with
practice, okay? So it's -- it's a theorem. I mean, the thing that I will say on the
next slide matches very well with practice as well.
Okay? So this is the probability that this should be an H here that number of
points on our Jacobian of our randomly chosen hyperelliptic curve is divisible by
12. And you see it's still bigger than 1 over L. But the effect is smaller, has
become smaller. It's closer to 1 over L.
So we just do the very same heuristics here. So again, yeah, this same constant
must appear because it matches very well with practice and so P1 is a probability
that the random number in the -- what I called the generalized Hasse interval so
we know that it contains the number of points on the Jacobian is prime. And P2
of P is a probability that NH is prime. And we take the quotients and I just wrote
it like in a similar form as the Galbraith and McKee conjecture. And you end up
with this very ugly conjecture. Okay?
So we are more interested in the values this takes. Well, now it's between .63
and .80. So the effect of this favoring prime numbers is still there but to a less
extent than in the elliptic curve case. Okay? Now, maybe I'll come back to this
later if I have time but I will already mention the outcome here. So remember
that we suppose that F of X was taken to be a degree 6 polynomial. But in the
beginning we also considered this degree 5 polynomials. Okay? So if a
polynomial is taken of to be of degree 5 uniformly at random, which is often
preferred in practice, we know that the probability of having 2 torsion increase
from 26-45ths to 4-5ths. But what about odd primes L? So you can prove, but I
will skip this for now, that it only affects the probability of having 2 torsion. So
that in the other cases you still have like a random matrix statement for alt N.
And then you can just do the same logarithmic key heuristics and you end up
with the same CP except by this factor, which is like some combination of these
two things. Okay? So it's just a naive heuristics.
So taking a random hyperelliptic curve Y squared equals F of X with F of X of
degree 5. It affects the probability of primality because it affects the probability of
having 2 torsion to a strong extend. But that's basically all that happens. Okay?
So now let's do some philosophical thing. Until like last week, until I started
discussing with Andrew about this, I expected that the effect of disfavoring prime
numbers would like flatten out if the genus tends to infinity, because in genus 1
we had the interval .44 until .62, something like that. In genus 2 we have the
interval .63 to .80.
But the fascinating thing is that if you elaborate this for genus 3, it shifts to the left
again. Okay? If you elaborate this for genus 4, it shifts to the right again.
Elaborate for genus 5 and so on.
And it converges to some interval. And there are some very fascinating
constants showing up there. So let me first rephrase the random matrix
statement like for general -- for general genus. So this was supposed to be 2G
plus 2. I'm sorry. So F of X is chosen from H through G plus 2 uniformly at
random. So this diffs the genus G hyperelliptic curve. And then in the very same
manner using the Weil pairing you can like associate an orbit of q-symplectic
matrices to our hyperelliptic curve and then this is like the random matrix
statement. So an orbit of q-symplectic matrices is about as likely as its own
proportional size. Yeah?
>>: [inaudible] Q and G are both going to infinity, it dependent on which -knowing how fast they're going or ->> Wouter Castryck: This is for Q going to infinity, then this will see the error
term here.
>>: So [inaudible].
>> Wouter Castryck: This is for fixed G. And the asymptotics we will do will be
for growing G. So indeed there's some heuristic thing there. Yeah? And this
exponent here is supposed to be like if you follow Achter's elaboration but again
he has some hypotheses which are annoying for us. But if you follow his
elaboration, you get like two times G square here in the exponent. Okay? But
probably can be done better.
Well, then these are the proportions. So Achter and Holden if 2003 paper gave a
recursive formula to count this number. Like if you know the formula for genus 1
you can apply it to obtain the formula for genus 2. Once you know both you
apply it to obtain a formula for genus 3. You can just compute it using a
computer. And then using Sloane's integer sequence database, we notice that
that's in the limits we ended up with these probabilities. And they really match
very well. And, yeah, we can prove this case like if L is 5 or more already. So
this should be possible to prove.
But these are the limit probabilities. So that's fascinating that this other phi
function, so it's not the torsion functions, it's the Euler q-series basically pops up
here in the limit. Right?
So these are the probabilities if Q is congruent to one modular L, then we have
one minus this ratio, okay. So phi of 1 over L. So plug in 1 over L here. Divided
by phi 1 over L square and more like general case if Q is not congruent to 1
modulo L you end up with this probability. Okay?
I think that's fascinating because if you apply this Galbraith-McKee heuristics,
you have these very nice expressions and so this multiples over powers of Q.
But then in the Galbraith and McKee heuristic we will multiply over prime
numbers so you can rearrange terms and you ends up with like products of zeta
values here.
So this is the limiting -- if you accept this and you accept the heuristics that we do
to end up with the Galbraith-McKee conjecture in genus 1 and genus 2, then this
is like the limiting interval. Okay? So this is like the product of all zeta values
starting from 2 and then a denominator, this is the product of all alt zeta values
starting from 3 in the denominator and here is like this correcting term, and this is
there because P minus 1 is always divisible by 2 at least. Okay?
And as I said, it like jumps and it converges to this interval. And genus 2 is
actually the least deviating case from what we naively expect. So if you take a
random genus 2 curve, the probability that it's prime will be closest to what we
naively expect. And the elliptic curve case is the worst case and everything else
is in between. And at the end we have this interval. Okay.
So let me go back. I think I still have time. Yeah. So let me go back to this
case. So we discussed the case where F of X is chosen from the set H5
uniformly at random. Okay? So which is preferred in practice. We know that the
-- it affects the probability of having two torsion but what about odd primes L. So
we already know the outcome. It will not affect the probability of having odd
torsion. And the key trick in proving this, and we can only do this for genus 2 for
now, is that their exists subsets here so -- and they are like union of conjugacy
classes so they will match probable.
There exists subsets W0 till WR of this set of q-symplectic matrices for the
following holds. If our matrix of Frobenius is contained in WI, and since these are
unions of conjugacy classes this is a well defined statement, okay, well, if our
matrix is contained in WI, then our hyperelliptic curve has I rational Weierstrass
points. Conversely if FH has I rational Weierstrass points our matrix of Frobenius
will be contained in this union of conjugacy classes.
So this is an nice thing in genus 2. And it makes use of the following
isomorphism. I won't go into the details of this but this only holds in genus 2.
Okay? So this is no longer true in [inaudible]. So the symmetric group on the
Weierstrass points is isomorphic to the symplectic group. So this isomorphism, if
you use this, you end up with this [inaudible].
Okay. So why is this useful? So here's like the statement that we -- and I will
use approximately here. I won't care about error terms. So here's the statement
that we would like to prove. We take a fixed orbit of matrices inside this set of
q-symplectic matrices and their conjugation by the symplectic similitudes like
before, but now N is supposed to be odd, okay? And then we would like to prove
that the probability that our Frobenius conjugacy class equals the given
conjugacy class is proportional to the size of the given conjugacy class. So that's
what we would like to prove.
But in a way we would like to use like the random matrix statement for F of X
chosen from genus 6. So we have F of X chosen uniformly at random from H5
and we know that this statement is true for H6, so we would like to kind of
translate this situation to the situation where F was chosen uniformly at random
of X6. Okay.
Now, F is so far still chosen uniformly at random for H5, but it suffices to prove
this statement for F of X chosen uniformly at random of this supervise set of H5
for each I. So what is this subset? It's the set of polynomials of degree 5 that
have exactly I rational roots. Okay in so this is H5 I.
Why is sufficient to prove this statement for this new randomness notion? Well,
it's because simply these sets partition H5. Okay? If I have the probability -- the
same probability for each of the partition, the probability will also hold in general.
Okay? So that's a first step. This is a new randomness notion.
And now we apply another new randomness notion. We will now suppose that F
is chosen from H6. So polynomials of degree 6 having exactly I rational roots.
Okay? So why is it sufficient to suppose that F is chosen from this set uniformly
at random? Well, we can always go from -- so suppose I here is at least 1, then
there's like a way to swipe, so we have at least 1 rational FQ root. Okay? And
then there's a canonical way or a classical way to swipe this point at infinity and
to end up with a polynomial of degree 5. Maybe I should explain this a bit what I
mean by the classical thing.
So we have a polynomial Y square equals F of X and F of X is of degree 6. Is
this visible for everybody? F of X is of degree 6 and suppose it has a root at X
equals 0 for simplicity, otherwise we just do a translate. Well then we do the
following birational transformation. We consider -- okay. We consider the
following thing. And, yeah, if you laboratory this and you multiple everything with
X to the power of 6 maybe you already see it, then you end up with an equation
of form Y square equals say G of X or this will be of degree 5. Okay?
So this is like the thing I mean by swiping a point to infinity. So here I swipe the
point X equals 0, Y equals 0 to infinity using this. And you can do this for other
rational points, okay. If you have a point alpha 0 that you want to swipe to infinity
you first apply this translate. And then you proceed. Okay? So this is -- this is
the reason why we made this distinction between the number of rational roots
because this swipe a point to infinity relation if you just apply it from H6 to H5,
this is not uniform because it like the degree of this map they say it's not really a
map, it's just like a relation. But the degree of this relation depends on the
number of rational roots. So the more roots you can swipe to infinity like the
bigger the degree of this correspondence will be. So that's the reason why we
made this distinction between all these sets H5I, H6I. Okay?
But once you make this distinction then it's generically uniform. Okay? So this is
like the reduction we made. We took F of X uniformly at random from the set H5.
But like this reduction shows that it suffices to take F uniformly at random from
the set H6 imposing I rational roots. Okay.
So then here is how the proof works. So, yeah, this is like a rephrasing of this
randomness notion so we took F uniformly at random of taking -- taking F
uniformly at random of this set means taking F uniformly at random from H6
subject to the condition that our polynomial has i rational roots. But we had these
conjugacy classes or these unions of conjugacy classes really expressing this,
okay?
So our randomness notion is the following. F -- well, this is hidden here because
this is like the same probability sign as we did -- we used the random matrix
theorem for H6. So F is chosen from H6 uniformly at random. But it's subject to
the condition that Frobenius acting on the 2 torsion is contained in WI. Okay?
So this is like -- this is this thing with this randomness notion. Okay? That's the
very same thing. So we you've this theorem at the beginning here.
Now, N is odd so we can apply China remaindering. So the q-symplectic
matrices over Z modulo 2N they can be written as a direct sum -- well, this is not
really a set, okay? So the direct sum is a bit abuse of notation, but you all know
what I mean. Z modulo N direct some Z modulo 2. I mean, this is not a group.
Did I say set? Yeah. So this is not a group. So it's not really a direct sum of
groups but it works using Chinese remaindering. Okay?
So this is like the probability that we want to estimate. So this is the definition
basically of conditional probability. So the -- we want to estimate the probability
that FH equals our given conjugacy class F and that simultaneously the two
torsion part of FH is contained in WI, proportional to the probability that the 2
torsion part is contained in WI.
Okay. So under this correspondence this means that the Frobenius -- the
conjugacy class of Frobenius acting on the 2N torsion should be contained in this
direct sum this. Yeah. That's the same thing under this Chinese remaindering.
And now we can apply our random matrix statement for polynomials randomly
chosen from F in H6. So this is like the thing we want to estimate. So by our
random matrix statement this is proportional to the size of this union of conjugacy
class because it's a union of conjugacy classes. Okay? So we have this
proportional to the number of q-symplectic matrices modulo 2N. Okay? And
now we just apply Chinese remaindering again, and we end up with these
proportions. So the number of point -- number of matrices here is just number of
matrices here times number of matrices here by Chinese remaindering same
here. And then we have this denominator and this again we apply the random
matrix theorem or quasi theorem in -- for the old randomness notion so it's
proportional to the size of this union of conjugacy classes and we take the
quotient and we get the desired result. Okay?
So this like explains why 2 torsion is the only torsion that is affected by our new
randomness notion, and in general we still have our randomness statement. We
still have this randomness statement. Okay?
And this, we don't know yet how to prove and for higher genus because we really
made use of this statement here which is like genus 2 thing. So I've skipped this.
And I'm basically done here. So let me just end with some concluding remarks.
So as I said in the beginning there, was some motivation from cryptography,
okay? But then in the end, when we did write the Galbraith-McKee conjecture
and all of these analyzations, we suddenly restricted to Q equals a prime number
P. But, in fact, this is easily generalizable to arbitrary fields. We just have these
-- have to take care of the factor corresponding to the field size because
probability of having trace congruent to 0 modulo the field characteristic and if the
field characteristic is small, this is really an important thing, will be 0 instead of
like 1 over L minus 1.
So but it's -- but for the rest you just change the corresponding factor and you
end up with the conjecture that matches fairly well with practice. It's
generalizable to primality up to a given co-factor. You just get rid have the
corresponding factors. And then you can ask various -- using this random matrix
statement you can ask various other non relevant questions at least for
cryptographers. For instance, what is the probability that the number of points on
the hyperelliptic curve itself is prime?
But here's it's remarkable that the formulas that -- that there are no nice forms to
explain these probabilities. Because they are like in the formulas the number of
points on some elliptic curve will appear, for instance. See. So there are no nice
formulas. So the nice world is really here.
Yeah. And that's it. So thank you for listening.
[applause].
>>: I have a question. So when L is much, much smaller than Q than apparently
it has more than its fair share of [inaudible] elliptic curve [inaudible]. And when L
is large like close to the order of the curve and has less than its fair share
[inaudible] so is there some middle point where it has equal share to be correct
as some function of Q like square root of Q or ->> Wouter Castryck: That's an interesting question. I don't really know. Well, I
don't know if it can be expressed as a nice function of Q. That's your question,
right? There must be some transition point for every given situation, but if it can
be nicely described in terms of Q I didn't think about that. Yes?
>>: So just to comment on that. This is nothing that the [inaudible] it says what
you do is you go up to the point where the constant becomes right. And it turns
out to have something to do with the [inaudible] constant. You've got [inaudible]
and then that is about right it's sort of very stupid speculation [inaudible].
>>: I wanted to return to your [inaudible] the diagram you had [inaudible] where
you showed circle with the [inaudible] and so on. Yeah. That one. If we correct
for mod 2 and mod 3 and mod 7, then how uniform this result [inaudible].
>> Wouter Castryck: That's an interesting question. So if you do like the correct
-- if you add correction factors?
>>: Yes.
>> Wouter Castryck: Then you will like -- well, it's a bit more subtle than I will say
now. But if you like correct probabilities with these factors, then you end up with
the -- exactly the square root. So you -- you can apply these very same
heuristics basically to for instance count the number of points having a given
trace. And the thing you do is you start from the subtly distribution, which is like
something like this, I don't know by heart, and then you correct. And if you do
this naively -- well, not entirely naively, but fairly naively, then you rediscover the
[inaudible] class number formula. Then you get an exact expression for the
number of points. So this correcting thing is really -- it will help. It will help to
approach this [inaudible] distribution.
>>: [inaudible]?
>> Wouter Castryck: Yes.
>>: What happens [inaudible] if instead of looking at that Jacobians that you look
and say principally pulverize the [inaudible] varieties because as the genus gets
bigger, Jacobians don't look like a typical ->> Wouter Castryck: Yes, then the same [inaudible] at least like conjecturally.
So, no, sorry, I thought we were at the end of the slides. So this will still hold
probably. Okay? Yeah. So he's formulas by Achter and Holden, they even
formulated for principally pulverized [inaudible]. Yes?
>>: Let's thank all the speakers of the morning session.
[applause]
Related documents
Tips for Problem Solving
Tips for Problem Solving
Anne Frank – Anticipation Guide Discussion Rules
Anne Frank – Anticipation Guide Discussion Rules
The Princess Bride Anticipation Guide
The Princess Bride Anticipation Guide
Student Technical Lecture Topic Assignment Process
Student Technical Lecture Topic Assignment Process
SMU CSE 5337/7337 Spring 2015
SMU CSE 5337/7337 Spring 2015
Kate Chopin - Brookwood High School
Kate Chopin - Brookwood High School
Download
advertisement