Trying to understand

The first time that we noticed the symmetry of the histograms we didn't have any idea of were it was coming from and, much less, how to give a proof of this ``experimental fact''.

The first idea, suggested by Jim Carlson, was to look at the isomorphism classes of curves. In other words: instead of looking at all the possible curves at the same time, consider only those curves that are isomorphic to a given one. If this smaller set of curves still exhibits the same symmetry then, perhaps, it will be easier to understand the phenomenon here.

Before going on, we have to understand what we mean by isomorphic curves. It is a simple but lengthy exercise to see that two elliptic curves in Weierstrass form

$$C: y^2 = x^3 + b x +c C': y^2=x^3+b'x+c' a,b,a',b' \in \ensuremath{\mathbb{Z}}_p$$

are isomorphic if (and only if) there is $\alpha\in F$ such that $b'=\alpha^4b$ and $c' = \alpha^6 c$. In this case the isomorphism $m_\alpha: C\rightarrow C'$ is given by $m_\alpha(x,y) = (\alpha^2x, \alpha^3 y)$. One aspect is unclear here: what is $F$? $F$ is any field extension⁴ of $\ensuremath{\mathbb{Z}}_p$. We say then that $C$ and $C'$ are isomorphic over $F$. If $\alpha \in \ensuremath{\mathbb{Z}}_p$ the two curves are isomorphic in ``the usual sense'' and, in particular, points on both curves are identified by $m_\alpha$, so, both curves have the same number of elements. But, if $\alpha\notin \ensuremath{\mathbb{Z}}_p$ the two curves are seen to be ``the same'' only after we consider points $(x,y)$ with $x,y\in F$. An example of this kind of problem will come in a moment.

The $j$-invariant of the curve $C$ given by (1) is

$$j(C) = \frac{48^3 b^3}{4b^3+27c^2}.$$

It is easy to see that this number is unchanged if we replace $C$ by an isomorphic curve $C'$. Conversely, two curves that have the same $j$-invariant are isomorphic over some extension of $\ensuremath{\mathbb{Z}}_p$.

Example 3   Consider the following curves over $\ensuremath{\mathbb{Z}}_5$:

$$\begin{split}C_1 &: y^2=x^3+x+2,\\ C_2 &: y^2=x^3+x+3,\\ C_3 &: y^2=x^3+4x+1. \end{split}$$

It is easy to check that their $j$-invariant (mod $5$) is $1$ so that they are isomorphic in some extension of $\ensuremath{\mathbb{Z}}_5$. Lets make explicit the isomorphisms.

Start with $C_1$ and $C_2$. We saw above that the isomorphism is given by $m_\alpha$ for some $\alpha$ and that it mapped $b$ to $\alpha^4 b$ and $c$ to $\alpha^6 c$. For these two curves we have

$$\frac{3}{1} = \frac{\alpha^6\cdot 2}{\alpha^2\cdot 1} = \alpha^2 2$$

so that $3=2\alpha^2$, or, $\alpha^2=4$ (remember that we are working over $\ensuremath{\mathbb{Z}}_5$). Thus we can take $\alpha=2$ and the isomorphism is given by $m_2(x,y) = (2^2 x, 2^3 y) = (4x,3y)$, that is clearly defined over $\ensuremath{\mathbb{Z}}_5$.

Now consider the curves $C_1$ and $C_3$. The same argument as above leads to $\alpha^2 = 2$ and we see that $2$ is not a square in $\ensuremath{\mathbb{Z}}_5$, so that $\alpha$ is not in $\ensuremath{\mathbb{Z}}_5$. So we ``extend'' $\ensuremath{\mathbb{Z}}_5$ by adding a square root of $2$, that is, we consider $F=\ensuremath{\mathbb{Z}}_5[\sqrt{2}]$. In $F$ we can take $\alpha = \sqrt{2}$ and consider $m_{\sqrt{2}}:C_1(F) \rightarrow C_3(F)$ given by $m_{\sqrt{2}}(x,y) = (\sqrt{2}^2 x, \sqrt{2}^3 y) = (2x, 2\sqrt{2} y)$. Notice that if you apply the isomorphism to a point in $C_1(\ensuremath{\mathbb{Z}}_5)$, like $(1,2)$, we get a point in $C_3(F)$, $m_{\sqrt{2}}(1,2) = (2,4\sqrt{2})$ but is not in $C_3(\ensuremath{\mathbb{Z}}_5)$. Therefore, $C_1$ and $C_3$ are isomorphic over $F$ but not over $\ensuremath{\mathbb{Z}}_5$.

It is easy to check that $\char93 C_1(\ensuremath{\mathbb{Z}}_5) = \char93 C_2(\ensuremath{\mathbb{Z}}_5) = 4$ (they had to agree because the curves are isomorphic over $\ensuremath{\mathbb{Z}}_5$), but $\char93 C_3(\ensuremath{\mathbb{Z}}_5) = 8$, showing that $C_1$ and $C_3$ are not isomorphic over $\ensuremath{\mathbb{Z}}_5$. A nice exercise is to check that the cardinality of all three curves over $F$ --where they are isomorphic-- is $32$. More about this in Section 4.

Now that we understand the notion of isomorphism and being warned that some subtleties are involved --field extensions-- we can try to understand how all the elliptic curves in one isomorphism class (that is, having the same $j$-invariant) are related to each other. Say that $C$ is given by (1), and take $t\in \ensuremath{\mathbb{Z}}_p^* = \ensuremath{\mathbb{Z}}_p -\{0\}$.

• If $t$ is a square, $m_{\sqrt{t}}$ is an isomorphism (over $\ensuremath{\mathbb{Z}}_p$) between $C$ and some other curve $C_t$. In this case, $\char93 C(\ensuremath{\mathbb{Z}}_p) = \char93 C_t(\ensuremath{\mathbb{Z}}_p)$.
• If $t$ is not a square we consider the extension $F=\ensuremath{\mathbb{Z}}_p[\sqrt{t}]$ and, again, have an isomorphism between $C$ and some other curve $C_t$, only that this time the isomorphism is defined over $F$, so that $\char93 C(F) = \char93 C_t(F)$ but in general $\char93 C(\ensuremath{\mathbb{Z}}_p) \neq \char93 C_t(\ensuremath{\mathbb{Z}}_p)$. In fact, since $t$ is not a square in $\ensuremath{\mathbb{Z}}_p$ we can use the argument used in the proof of Proposition 1 to conclude that $\char93 C(\ensuremath{\mathbb{Z}}_p) + \char93 C_t(\ensuremath{\mathbb{Z}}_p) = 2(p+1)$.

This procedure explains how one curve is associated to several other curves in its isomorphism class. In principle, one curve $C_t$ is constructed for each value of $t\in \ensuremath{\mathbb{Z}}_p^* = \ensuremath{\mathbb{Z}}_p -\{0\}$, but it could happen that we obtain the same curve $C_t$ for different values of $t$. Lets look into this problem more closely.

If we start from $C$ with coefficients $(b,c)$, application of $m_{\sqrt{t}}$ generates a curve $C_t$ with coefficients $(t^2b, t^3c)$ so that if $bc\neq 0$, and $(t_1^2b, t_1^3c) = (t_2^2 b, t_2^3c)$ we conclude that $t_1 = t_2$ and we obtained a different curve for each value of $t\in \ensuremath{\mathbb{Z}}_5^*$. These are all the curves in the isomorphism class.

But suppose that we start from the curve $(b,0)$ --whose $j$-invariant is congruent to $\frac{48^3}{4} = 27648$ mod $p$. Then we obtain the curve $(t^2b,0)$ and, if $(t_1^2b, 0) = (t_2^2 b, 0)$ we can only conclude that $t_1 = \pm t_2$. Thus, we only obtain half of the curves in the isomorphism class! In any case, the number of solutions of these curves are still paired as described above. To obtain the other half of the curves we can choose one of the curves that we didn't obtain before and repeat the process to obtain all curves in this isomorphism class⁵.

Finally, if we start from the curve $(0,c)$ --that has $j$-invariant 0-- we see that $(0,t_1^3 c) = (0,t_2^3c)$ that only says that $t_1 = t_2 u$, where $u$ is a cubic root of $1$ in $\ensuremath{\mathbb{Z}}_p$: for different values of $p$ this can have only one solution (if $p\equiv 5 \pmod{6}$) or three different solutions (if $p\equiv 1 \pmod{6}$). So in this case it may again happen that to cover all the isomorphic curves we have to add to the family obtained from the initial curve some additional curves. But, again, in each family the symmetry in the cardinality remains valid⁶.

All together, this argument sheds some light on how the number of solutions of different curves with the same $j$-invariant (and so isomorphic over some field extension of $\ensuremath{\mathbb{Z}}_p$) are distributed.

Remark 4   The construction mapping $C$ to $C'$ used in the proof of Proposition 1 appears naturally as the isomorphism $m_{\sqrt{t}}$ for $t$ non-square in $\ensuremath{\mathbb{Z}}_p$.

Example 5   Consider the case of $p=5$, whose histogram is shown in Figure 1. The $j$-invariant (mod $5$) ranges from 0 to $4$.

The ``generic case'' corresponding to curves with coefficients $b$ and $c$ with $bc\neq 0$ is as follows: pick one curve, and choose $t=1,2,3,4$. For $t=1,4$ (the squares in $\ensuremath{\mathbb{Z}}_5$) $m_{\sqrt{t}}$ produces a curve that is isomorphic over $\ensuremath{\mathbb{Z}}_5$ and thus has the same number of rational points over $\ensuremath{\mathbb{Z}}_5$. For $t=2,3$ (the non-squares in $\ensuremath{\mathbb{Z}}_5$) $m_{\sqrt{t}}$ produces a curve that is isomorphic over a quadratic extension of $\ensuremath{\mathbb{Z}}_5$; in this case, the number of points is such that $\char93 C(\ensuremath{\mathbb{Z}}_5) + \char93 (m_{\sqrt{t}} C)(\ensuremath{\mathbb{Z}}_5) = 12$. Thus for the ``generic case'' in each isomorphism class there are $4$ curves, two with the same number of points and two with the ``symmetric'' number.

Next consider the case when $b=0$, that is the $j=0$ case. Starting from the curve with $c=1$, since every $w\in \ensuremath{\mathbb{Z}}_5$ is a cube we can take $t=\sqrt[3]{w}$ and the curve $(b,c)=(0,1)$ is mapped to $(0,w)$ under $m_{\sqrt{t}}$. Since $1$ and $4$ are squares in $\ensuremath{\mathbb{Z}}_5$, $(0,1)$ and $(0,3)$ have the same number of points over $\ensuremath{\mathbb{Z}}_5$, while $(0,2)$ and $(0,4)$ have the symmetric number. In any case, all these curves have the same number of points, $6$.

Finally we consider the case of $c=0$. Starting from the curve $(b,c) = (1,0)$ we choose $t=2$ and obtain the curve $(4,0)$, but since $t$ is not a square both curves have symmetric number of points. The other values of $t\in \ensuremath{\mathbb{Z}}_5^*$ don't produce any new curves. So we pick another of the curves in the isomorphism class: $(2,0)$. Choosing $t=2$ produces the curve $(3,0)$ that has the symmetric number of points. Notice that if we wanted to find an isomorphism between the curve $(1,0)$ and $(2,0)$ we have to choose $t=\sqrt{2}$, so that, eventually, the isomorphism will be defined over $\ensuremath{\mathbb{Z}}_5[\sqrt[4]{2}]$.