Computing images of Galois representations attached to elliptic curves
Let E be an elliptic curve without complex multiplication (CM) over a number
field K, and let G_E(ell) be the image of the Galois representation induced by
the action of the absolute Galois group of K on the ell-torsion subgroup of E.
We present two probabilistic algorithms to simultaneously determine G_E(ell) up
to local conjugacy for all primes ell by sampling images of Frobenius elements;
one is of Las Vegas type and the other is a Monte Carlo algorithm. They
determine G_E(ell) up to one of at most two isomorphic conjugacy classes of
subgroups of GL_2(Z/ell Z) that have the same semisimplification, each of which
occurs for an elliptic curve isogenous to E. Under the GRH, their running times
are polynomial in the bit-size n of an integral Weierstrass equation for E, and
for our Monte Carlo algorithm, quasi-linear in n. We have applied our
algorithms to the non-CM elliptic curves in Cremona's tables and the
Stein--Watkins database, some 140 million curves of conductor up to 10^10,
thereby obtaining a conjecturally complete list of 63 exceptional Galois images
G_E(ell) that arise for E/Q without CM. Under this conjecture we determine a
complete list of 160 exceptional Galois images G_E(ell) that arise for non-CM
elliptic curves over quadratic fields with rational j-invariants. We also give
examples of exceptional Galois images that arise for non-CM elliptic curves
over quadratic fields only when the j-invariant is irrational.
Comment: minor edits, 47 pages, to appear in Forum of Mathematics, Sigm
Computing Hilbert class polynomials with the Chinese Remainder Theorem
We present a space-efficient algorithm to compute the Hilbert class
polynomial H_D(X) modulo a positive integer P, based on an explicit form of the
Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the
algorithm uses O(|D|^(1/2+o(1))log P) space and has an expected running time of
O(|D|^(1+o(1))). We describe practical optimizations that allow us to handle
larger discriminants than other methods, with |D| as large as 10^13 and h(D) up
to 10^6. We apply these results to construct pairing-friendly elliptic curves
of prime order, using the CM method.
Comment: 37 pages, corrected a typo that misstated the heuristic complexit
A Generic Approach to Searching for Jacobians
We consider the problem of finding cryptographically suitable Jacobians. By
applying a probabilistic generic algorithm to compute the zeta functions of low
genus curves drawn from an arbitrary family, we can search for Jacobians
containing a large subgroup of prime order. For a suitable distribution of
curves, the complexity is subexponential in genus 2, and O(N^{1/12}) in genus
3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime
fields with group orders over 180 bits in size, improving previous results. Our
approach is particularly effective over low-degree extension fields, where in
genus 2 we find Jacobians over F_{p^2} and trace zero varieties over F_{p^3}
with near-prime orders up to 372 bits in size. For p = 2^{61}-1, the average
time to find a group with 244-bit near-prime order is under an hour on a PC.
Comment: 22 pages, to appear in Mathematics of Computatio
Structure computation and discrete logarithms in finite abelian p-groups
We present a generic algorithm for computing discrete logarithms in a finite
abelian p-group H, improving the Pohlig-Hellman algorithm and its
generalization to noncyclic groups by Teske. We then give a direct method to
compute a basis for H without using a relation matrix. The problem of computing
a basis for some or all of the Sylow p-subgroups of an arbitrary finite abelian
group G is addressed, yielding a Monte Carlo algorithm to compute the structure
of G using O(|G|^0.5) group operations. These results also improve generic
algorithms for extracting pth roots in G.
Comment: 23 pages, minor edit
A local-global principle for rational isogenies of prime degree
Let K be a number field. We consider a local-global principle for elliptic
curves E/K that admit (or do not admit) a rational isogeny of prime degree n.
For suitable K (including K=Q), we prove that this principle holds when n = 1
mod 4, and for n < 7, but find a counterexample when n = 7 for an elliptic
curve with j-invariant 2268945/128. For K = Q we show that, up to isomorphism,
this is the only counterexample.
Comment: 11 pages, minor edits, to appear in Journal de Théorie des Nombres
de Bordeau