Andrew V. Sutherland

Computing Hilbert class polynomials with the Chinese remainder theorem

We present a space-efficient algorithm to compute the Hilbert class polynomial H_D(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(|D|^(1/2+o(1))log P) space and has an expected running time of O(|D|^(1+o(1)). We describe practical optimizations that allow us to handle larger discriminants than other methods, with |D| as large as 10^13 and h(D) up to 10^6. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

MODULAR POLYNOMIALS VIA ISOGENY VOLCANOES

We present a new algorithm to compute the classical modular polynomial l in the rings Z(X;Y ) and (Z=mZ)(X;Y ), for a prime l and any positive integer m. Our approach uses the graph of l-isogenies to eciently compute l mod p for many primes p of a suitable form, and then applies the Chinese Remainder Theorem (CRT). Under the Generalized Riemann Hypoth- esis (GRH), we achieve an expected running time of O(l 3 (logl) 3 log logl), and compute l mod m using O(l 2 (logl) 2 +l 2 logm) space. We have used the new algorithm to compute l with l over 5000, and l mod m with l over 20000. We also consider several modular functions g for which g is smaller than l, allowing us to handle l over 60000.

Computing the endomorphism ring of an ordinary elliptic curve over a finite field

Abstract We present two algorithms to compute the endomorphism ring of an ordinary elliptic curve E defined over a finite field F q . Under suitable heuristic assumptions, both have subexponential complexity. We bound the complexity of the first algorithm in terms of log q , while our bound for the second algorithm depends primarily on log | D E | , where D E is the discriminant of the order isomorphic to End ( E ) . As a byproduct, our method yields a short certificate that may be used to verify that the endomorphism ring is as claimed.

Sato-Tate distributions and Galois endomorphism modules in genus 2

For an abelian surface A over a number eld k, we study the limit- ing distribution of the normalized Euler factors of the L-function of A. This distribution is expected to correspond to taking characteristic poly- nomials of a uniform random matrix in some closed subgroup of USp(4); this Sato-Tate group may be obtained from the Galois action on any Tate module of A. We show that the Sato-Tate group is limited to a particular list of 55 groups up to conjugacy. We then classify A according to the Galois module structure on the R-algebra generated by endomorphisms of AQ (the Galois type), and establish a matching with the classi cation of Sato-Tate groups; this shows that there are at most 52 groups up to con- jugacy which occur as Sato-Tate groups for suitable A and k, of which 34 can occur for k = Q. Finally, we exhibit examples of Jacobians of hyperel- liptic curves exhibiting each Galois type (over Q whenever possible), and observe numerical agreement with the expected Sato-Tate distribution by comparing moment statistics.

New equidistribution estimates of Zhang type

In May 2013, Y. Zhang [52] proved the existence of infinitely many pairs of primes with bounded gaps. In particular, he showed that there exists at least one h ě 2 such that the set tp prime | p` h is primeu is infinite. (In fact, he showed this for some even h between 2 and 7ˆ 10, although the precise value of h could not be extracted from his method.) Zhang’s work started from the method of Goldston, Pintz and Yıldırım [23], who had earlier proved the bounded gap property, conditionally on distribution estimates concerning primes in arithmetic progressions to large moduli, i.e., beyond the reach of the Bombieri–Vinogradov theorem. Based on work of Fouvry and Iwaniec [11, 12, 13, 14] and Bombieri, Friedlander and Iwaniec [3, 4, 5], distribution estimates going beyond the Bombieri–Vinogradov range for arithmetic functions such as the von Mangoldt function were already known. However, they involved restrictions concerning the residue classes which were incompatible with the method of Goldston, Pintz and Yıldırım. Zhang’s resolution of this difficulty proceeded in two stages. First, he isolated a weaker distribution estimate that sufficed to obtain the bounded gap property (still

Constructing elliptic curves over finite fields with prescribed torsion

We present a method for constructing optimized equations for the modular curve X_1(N) using a local search algorithm on a suitably defined graph of birationally equivalent plane curves. We then apply these equations over a finite field F_q to efficiently generate elliptic curves with nontrivial N-torsion by searching for affine points on X_1(N)(F_q), and we give a fast method for generating curves with (or without) a point of order 4N using X_1(2N).

Class Invariants by the CRT Method

We adapt the CRT approach for computing Hilbert class polynomials to handle a wide range of class invariants. For suitable discriminants D, this improves its performance by a large constant factor, more than 200 in the most favourable circumstances. This has enabled record-breaking constructions of elliptic curves via the CM method, including examples with |D| > 1015.

Computing L-series of hyperelliptic curves

We discuss the computation of coefficients of the L-seriesassociated to a hyperelliptic curve over Q of genus at most 3, using pointcounting, generic group algorithms, and p-adic methods.

Computing Hasse–Witt matrices of hyperelliptic curves in average polynomial time

We present an algorithm that computes the Hasse-Witt matrix of given hyperelliptic curve over Q at all primes of good reduction up to a given bound N. It is simpler and faster than the previous algorithm developed by the authors.

Accelerating the CM method

Given a prime q and a negative discriminant D, the CM method constructs an elliptic curve E/Fq by obtaining a root of the Hilbert class polynomial HD(X) modulo q. We consider an approach based on a decomposition of the ring class field defined by HD, which we adapt to a CRT setting. This yields two algorithms, each of which obtains a root of HD mod q without necessarily computing any of its coefficients. Heuristically, our approach uses asymptotically less time and space than the standard CM method for almost all D. Under the GRH, and reasonable assumptions about the size of log q relative to ∣D∣, we achieve a space complexity of O((m+n)log q) bits, where mn=h(D) , which may be as small as O(∣D∣1/4 log q) . The practical efficiency of the algorithms is demonstrated using ∣D∣>1016 and q≈2256, and also ∣D∣>1015 and q≈233220. These examples are both an order of magnitude larger than the best previous results obtained with the CM method.