Lower bounds on the maximal number of rational points on curves over finite fields

Abstract For a given genus 
$g \geq 1$
 , we give lower bounds for the maximal number of rational points on a smooth projective absolutely irreducible curve of genus g over 
$\mathbb{F}_q$
 . As a consequence of Katz–Sarnak theory, we first get for any given 
$g>0$
 , any 
$\varepsilon>0$
 and all q large enough, the existence of a curve of genus g over 
$\mathbb{F}_q$
 with at least 
$1+q+ (2g-\varepsilon) \sqrt{q}$
 rational points. Then using sums of powers of traces of Frobenius of hyperelliptic curves, we get a lower bound of the form 
$1+q+1.71 \sqrt{q}$
 valid for 
$g \geq 3$
 and odd 
$q \geq 11$
 . Finally, explicit constructions of towers of curves improve this result: We show that the bound 
$1+q+4 \sqrt{q} -32$
 is valid for all 
$g\ge 2$
 and for all q.


Introduction
Researchers who study N q (g), the maximal number of rational points on curves 1 of genus g over a finite field F q , generally follow the lead of Serre's 1985 Harvard lectures [Ser20] and focus on two cases: one in which q is fixed and the genus goes to infinity, and one in which g is fixed and q varies.In the first case, a great number of results have been achieved that control the asymptotic behaviour of the ratio N q (g)/g; see [Bee22] and the references there.In the second case, while a closed formula is known for N q (0), N q (1) [Deu41] and N q (2) [Ser83], the exact nature of the growth of N q (g) for fixed q remains open in general.One of the tantalising challenges already proposed in [Ser20, section 4•3] is to determine whether for every g, the value N q (g) remains at a bounded distance from the Hasse-Weil bound 1 + q + 2g √ q for all q, as is the case for g = 0, 1 and 2. It is hard even to get good heuristics for this question (see our attempt in Remark 2•5), and in a recent personal communication J-P.Serre raised a less ambitious question: is it possible to give for each g a positive constant c such that for all sufficiently large q, we have N q (g) ≥ 1 + q + c √ q ?In this paper we provide several methods that lead to a positive answer to the question, even when we limit our consideration to hyperelliptic curves.
Serre not only asked this question but also suggested that it might be answered through the consideration of the (weighted) sum S n (q, H g ) of the nth powers of the traces of Frobenius of genus-g hyperelliptic curves over F q , for even n.This strategy is at the root of the computations we present in Section 3, which is chronologically the first path we followed.Using the explicit formula from [Ber09] for n = 6, one finds for instance that for g ≥ 3 and q ≥ 25, we have N q (g) ≥ 1 + q + 1.55 √ q.
We then quickly realised that by using Katz-Sarnak theory, one can actually get an optimal result of this flavor, namely that for every ε > 0 and every g, there exists a q 0 such that for q > q 0 , one has N q (g) ≥ 1 + q + (2g − ε) √ q (see Corollary 2•3).We were surprised to find no trace of this result in the existing literature, as it can be derived easily.Notice though that a related result appears already in [Ser20, remark 1•1•2]: For every curve C/F q and ε > 0, we have |#C(F q i ) − (q i + 1)| ≥ (2g − ε) q i for infinitely many i.
One drawback of the method used in Section 2 in comparison with the one in Section 3 is of course that the value of q 0 is unknown.It is then tempting to push the method of Section 3 using S n (q, H g ) further on, in particular since one shows in Theorem 3•9 that the limit when n goes to infinity of a 2n (g) := lim q→∞ S 2n (q, H g ) q 2g−1+n/2 2. Lower bounds from Katz-Sarnak distribution For g ≥ 2, let M g denote the (coarse) moduli space of smooth projective genus-g curves, and let H g denote the subspace of hyperelliptic curves.Note that M g (F q ) and H g (F q ) consist of F q -isomorphism classes of curves that have models over F q .Let M g (F q ) and H g (F q ) denote the sets of F q -isomorphism classes of (the appropriate types of) curves over F q .
As a consequence of Theorem 2•1, we obtain the following result.For M g this is [Lac16, corollary 4•3]; the proof for H g follows the same argument presented in [Lac16].
Proof.Applying Proposition 2•2 to H g , we find that for q large enough there exists c > 0 such that Since F : R → [0, 1] does not depend on q and is a continuous, non-negative, strictly increasing function on [−2g, 2g] with F(2g) = 1, we have also, for q large enough, Since #H g (F q ) = q 2g−1 [BG01, proposition 7•1, p. 87], multiplying the previous inequality by this cardinality, we see that there exists a hyperelliptic curve C/F q with #C(F q ) ≥ 1 + q + (2g − ε) √ q points.Taking its quadratic twist C gives the other inequality.
Remark 2•4.Actually, the theory of Katz-Sarnak (in particular [KS99, 9•6•10]) allows us to prove a similar result for low-dimensional families of curves.For a given prime , let S be a connected normal scheme, separated and of finite type over Z[1/ ].Let X/S be a smooth scheme such that for each finite field k of characteristic different from and each point s ∈ S(k), X s /k is a curve of genus g.We assume that for each X s the geometric monodromy group satisfies [KS99, 9•3•7•2]; in particular, it is conjugate in GL 2g to a constant group.
Examples of such families include for instance the generic element of the one-parameter families y 2 = f (x)(x − t) of hyperelliptic curves [Hal08] or cyclic triple covers of P 1 [AP07].Now we simply assume that the dimension of the image of S ⊗ k in the moduli space is at least 1.Then there exists a function g(q) going to infinity such that #S(F q ) ≥ g(q).Moreover, Katz-Sarnak implies that for x ∈ [−2g, 2g] we have for a strictly increasing distribution function F(x) and a decreasing function f (q) going to 0. Given ε > 0, let q be large enough so that which shows there is at least one curve in the family X/S with more than 1 + q + (2g − ε) √ q points.More generally, this argument can be adapted to prove the existence of a curve with number of points in the interval Remark 2•5.The lower bound of Corollary 2•3 is of course far from answering Serre's question on the existence of a curve with bounded defect.Even the question of the existence of infinitely many p for which there exist defect-0 curves of a fixed genus g over F p is open.The following is a naive attempt to make up our mind on a direction to take for this challenge.The Jacobians of such curves are isogenous to powers of an ordinary elliptic curve E/F p with trace − 2 √ p .It is tempting to look at the number of principally polarized abelian varieties of this type up to isomorphism.Using the equivalence of categories [KNRR21, corollary 3•6], this is the same as counting, up to isometry, unimodular positive definite hermitian R-lattices of rank g where R = Z[x]/(x 2 + 2 √ p x + p).When R is maximal, crude estimations of the mass formulae and class numbers of [Sie35, Sie37] kindly provided by [Kir22] show that their number should be smaller than C(g) × disc(R) g(g+1)/4+o (1) , where C(g) is a constant that does not depend on R. Since disc(R) is smaller than 4 √ p, we get at most p g(g+1)/8+o(1) distinct principally polarized abelian varieties isogenous to the power of an elliptic curve with trace − 2 √ p .If one makes the assumption that Jacobians over F p are well distributed among principally polarised abelian varieties over F p , the 'chance' to fall in the Jacobian locus may be estimated as p (3g−3)−g(g+1)/2 .Hence for g > 6, it is heuristically unlikely to find a defect-0 curve over F p when p is large.We believe that the assumption that R be maximal is not necessary, but proving this would require a better understanding of the mass formulae for non-projective R-lattices.

3•1. Weighted trace powers
Let us define the correct moments we want to compute.If C/F q is a genus-g curve, we denote by [C] the set of representatives of its twists and define The following result is probably well known, but we provide a proof for lack of proper reference (note that the case s 0 (C) = 1 can be found in [vdGvdV92, proposition 5•1]).PROPOSITION 3•1.For every curve C/F q and every n ≥ 0, s n (C) is an integer.
For this, we will need some elementary lemmas.As in [MT10, proposition 9], let us define for g ∈ Aut F q (C), the set [g] Fr of elements h such that there exists x ∈ Aut F q (C) with h = xg Fr x −1 , where Fr is the geometric F q -Frobenius morphism (acting here on x −1 ).To a given set [g] Fr , one can associate a twist C of C.
LEMMA 3•3.Let K be a field of characteristic 0, let n and k be positive integers and let G be a finite subgroup of GL k (K).
(ii) Hence, the map g → g ⊗n from G to G ⊗n ⊆ GL kn (K) induces a surjective morphism on its image G n .
(iii) The matrix P G n = (1/#G) g∈G g ⊗n = (1/#G n ) g∈G n g is a projection.Hence its eigenvalues are 0 and 1.
By abuse of notation we denote by g ∈ Aut F q (C) the corresponding element in Aut F q (T JacC) that we see as a matrix of size 2g × 2g with coefficients in Z for a prime = p.We fix an embedding Z → C of Z into the complex numbers.Let π C denote the Frobenius endomorphism of JacC or its matrix for the action on T JacC in some arbitrary basis.Let us recall from [MT10,proposition 11] that if C is a twist of C given by an element The first equality is by definition, the second one by Lemma 3•2, the third one by the Weil Conjectures, the fourth one is a classical property of the tensor product of matrices (see for instance [Ser98, chapter 2 proposition 2]), the fifth one is [MT10, proposition 11], the sixth one is Lemma 3•3(i), the seventh is the commutativity of the sum and the trace of matrices, and the eighth is Lemma 3•3(ii).Now, since for every g ∈ Aut F q (C) we have g • Fr = Fr • g for some g ∈ Aut F q (C), we see that π ⊗n C commutes with P G n , hence the eigenvalues of their product are the product of the eigenvalues.It is well known that the complex eigenvalues of π C , and therefore of π ⊗n C , are algebraic integers, while the eigenvalues of P G n are 0 or 1.We conclude that the trace is an algebraic integer as well.Now the conclusion follows since we know that s n (C) is also a rational number, so it must be an integer.
For X = M g or H g we denote by S n (q, X ) the sum of the s n (C) when C runs over a set of representatives for the F q -isomorphism classes of curves in X over F q .Then, for two polynomials f and g, let [f /g] denote the polynomial quotient in the Euclidian division of f by g.In Theorem 3•4 and Remark 3•5, the polynomial quotients correspond to the stable part of the cohomology, see [MPP19, section 1•5] together with [Ber09, section 13].
Proof.In [Ber09, section 7,10] it is described how to compute S i (q, H g ) for i = 2, 4 and 6.Note that in the notation of [Ber09], S i (q) equals a 1 i | g .
There exists a hyperelliptic genus-g curve C/F q with #C(F q ) ≥ 1 + q + a q √ q and a hyperelliptic curve C /F q with #C (F q ) ≤ 1 + q − a q √ q.
Proof.By the above, we see that there are curves C 1 , . . ., C q 2g−1 over F q such that S n (q) = q 2g−1 i=1 s n (C i ).Since n is even, all the s n (C i ) are non-negative and so there must be a j such that s n (C j ) ≥ S n (q)/q 2g−1 .Since s n (C j ) can be seen as a weighted average, and it then follows that there is a C ∈ [C j ] such that (#C(F q ) − q − 1) n ≥ S n (q)/q 2g−1 .This shows that #C(F q ) ≤ q + 1 − a q √ q with a q = (S n (q)/q 2g−1+n/2 ) 1/n .The quadratic twist of C gives the curve with the opposite bound.
One sees that the coefficient of the leading term of S n (q) controls the growth of the bound on the number of points.This coefficient can be obtained quickly, even when a complete formula for S n (q) is out of reach, thanks to a relation with representation theory of the compact symplectic group USp 2g .
THEOREM 3•8.For every g ≥ 2 and even n ≥ 2 let a n (g) := lim q→∞ S n (q, X ) q dim X +n/2 with X = M g or H g .Then a n (g) is equal to the number of times the trivial representation appears in the USp 2g -representation V ⊗n with V the standard representation.
Proof.Using Theorem 2•1 with f = Tr n , we see that and that this integral also can be written as Tr(m ⊗n ) dm .
By the orthogonality of characters it follows that this integral counts the number of times that the trivial representation appears in the nth tensor product of the standard representation.
The sequence a n (g) is called a moment sequence in [KS09]; in their notation it equals M[s 1 ](n).In this paper Kedlaya and Sutherland give an effective formula to compute a n (g) in terms of a sum of determinants of binomial expressions.However, to prove the following limit result, it is easier to use the integral.THEOREM 3•9.For every g ≥ 2, we have Let us now change variables by setting t i = 2 cos (θ i ).Then Equation (3•3) becomes Since all factors inside the integral of a 2n (g) are positive, the value of the integral is greater than the one taken on any sub-domain of [−2, 2] g .Fix 0 < ε < 1 and define that the values of the t i are separated by at least ε/(2g − 1) and are close to 2. Then . So lim inf n→∞ (a 2n (g)) 1/2n ≥ 2g and the result follows.

Lower bounds from explicit constructions
Corollary 2•3 shows that for a fixed genus g and fixed ε > 0, for every large enough q there is a hyperelliptic curve C/F q of genus g whose number of points is within ε √ q of the Weil bound.In this section we prove a result that is much weaker than this, but that has the advantages of working for every q and g ≥ 2 and of being constructive -see Section 4•3.
THEOREM 4•1.Let g > 1 be an integer and let q be a prime power.
(i) If q is odd, there is a hyperelliptic curve C/F q of genus g with (ii) If q is even, there is a hyperelliptic curve C/F q of genus g with Remark 4•2.When q is small with respect to g, there are in fact hyperelliptic curves of genus g over F q having 2q + 2 rational points, the largest number possible for a hyperelliptic curve over F q of any genus.The sharpest result in this direction that we are aware of is [Pog17, theorem 1•6], which implies that for g ≥ 2, if q is odd and q ≤ 2g + 3, or if q is even and q ≤ g + 1, then there is a hyperelliptic curve of genus g over F q with 2q + 2 rational points.
(The cited result speaks of curves with no points, but the quadratic twist of such a curve has 2q + 2 points.) The basic idea of our proof of Theorem 4•1 is to create a tower of double covers of hyperelliptic curves, each with at least as many rational points as the one below it.Here is the structure of the argument in the case where q is odd: Let C be a hyperelliptic curve of genus g over F q .If C has exactly two rational Weierstrass points then we can construct hyperelliptic double covers D of C, one of genus 2g and one of genus 2g + 1, such that D has exactly two rational Weierstrass points and such that #D(F q ) ≥ #C(F q ).By using a double-and-add process starting from a curve of genus 2, we can reach every genus whose binary expansion starts with 10; starting from a curve of genus 3, we can reach every genus whose binary expansion starts with 11.Thus, the lower bound we get in the statement of the theorem is essentially the largest number of points we can obtain on a curve of genus 2 that is suitable as a starting curve for our construction.
In Section 4•1 we flesh out the tower-building argument for odd q sketched in the preceding paragraph.We also explain how to construct appropriate base curves of genus 2 by gluing together elliptic curves with many points, and appropriate base curves of genus 3 by taking unramified double covers of such genus-2 curves.In Section 4•2 we show how to modify the argument for odd q in order to deal with the fact that in characteristic 2, hyperelliptic curves are Artin-Schreier extensions of P 1 rather than Kummer extensions.
The double-cover argument that we use to prove Theorem 4•1 was inspired by a similar double-cover argument from [EHK+04], which shows that if C is a not-necessarily-hyperelliptic curve of genus g over F q , then for every h ≥ 4g there is a curve D/F q of genus h that is a double cover of C and that has at least as many rational points as does C.

4•1. Odd characteristic
In this section, we prove Theorem 4•1 for finite fields of odd characteristic.We start by stating and proving several lemmas that we will use in the proof.
LEMMA 4•3.Let q be an odd prime power and let C/F q be a hyperelliptic curve of genus g with fewer than q rational Weierstrass points.Then there is a hyperelliptic curve D of genus 2g + 1 that is a double cover of C and that has at least as many rational points as does C.
If C has exactly two rational Weierstrass points, then D can be chosen to have exactly two rational Weierstrass points.
Remark 4•4.If C/F q is a hyperelliptic curve with #C(F q ) > q + 3 then C has fewer than q rational Weierstrass points.
Proof.Let ϕ be the canonical map from C to P 1 .There are at least 2 points of P 1 that do not ramify in ϕ, and we can pick two such points and choose a coordinate function x on P 1 so that those two points lie at 0 and ∞.That means that C has a hyperelliptic model of the form Let n be a nonsquare in F q , and consider the two hyperelliptic curves D : y 2 = f (x 2 ) and D : y 2 = f (nx 2 ).We note that both f (x 2 ) and f (nx 2 ) are separable polynomials of degree 4g + 4, so both D and D have genus 2g + 1.The two natural double covers D → C and D → C are quadratic twists of one another, and it follows that #D(F q ) + #D (F q ) = 2#C(F q ).Therefore, one of these two curves has at least as many rational points as does C.
Suppose C has exactly two rational Weierstrass points.This time, we choose our coordinate function x on P 1 so that these two points lie over x = 1 and x = n, where n is a nonsquare element of F q .Then x = 0 and x = ∞ do not ramify in ϕ, so again we have a model of the form y 2 = f , where f ∈ F q [x] is a separable polynomial of degree 2g + 2 such that f (0) = 0, and we proceed as before.Note that the Weierstrass point (1,0) of C splits into two rational Weierstrass points of D and (n,0) splits into nonrational points of D, while (n,0) splits into two rational Weierstrass points of D and (1,0) splits into nonrational points of D .Therefore, each of D and D has exactly two rational Weierstrass points, so no matter which one we choose as our cover, we have the desired number of rational Weierstrass points.
LEMMA 4•5.Let q be an odd prime power and let C/F q be a hyperelliptic curve of genus g with exactly two rational Weierstrass points.Then there is a hyperelliptic curve D/F q of genus 2g that is a double cover of C, that has exactly two rational Weierstrass points, and that has at least as many rational points as does C.
Proof of Lemma 4•5.Let ϕ be the canonical map from C to P 1 , and choose a coordinate function x on P 1 so that the two rational Weierstrass points of C lie over x = 0 and x = ∞.Then C has a hyperelliptic model of the form y 2 = f , where f ∈ F q [x] is a separable polynomial of degree 2g + 1 such that f (0) = 0 and such that f has no other rational roots.
https://doi.org/10.1017/S0305004123000476Published online by Cambridge University Press By scaling x and y, if necessary, we can also assume that f is monic.For every nonzero a ∈ F q let h a (x) = f (x 2 − a 2 ), so that h a is a monic separable polynomial in F q [x] of degree 4g + 2 whose only rational roots are x = a and x = −a.Let D a be the hyperelliptic curve y 2 = h a .Then D a has genus 2g and is a double cover of C, and D a has exactly two rational Weierstrass points.We will show that there is a value of a so that #D a (F q ) ≥ #C(F q ).Let χ denote the quadratic character on F q , so that for z ∈ F q we have χ(z) = 1 if z is a nonzero square, χ(z) = 0 if z = 0, and χ(z) = −1 if z is a nonsquare.Consider the degree-4 map D a → P 1 that takes a point (x,y) of D a to the point x 2 − a 2 of P 1 .A finite point z of P 1 will have a rational point of D lying over it if and only if there are rational solutions to x 2 = z + a 2 and the value of f (z) is a square.Even stronger: The number of rational points of D lying over z is equal to (1 + χ(z + a 2 ))(1 + χ(f (z)).On the other hand, if z = ∞ then there are two rational points of D lying over it, because h a is monic of even degree.Thus the number of rational points on D is given by where the third equality follows from the fact that #C(F q ) = 1 + z∈F q (1 + χ(f (z))) and the final equality follows from the fact that the sum over all z of χ(z + a 2 ) is zero, since the number of nonzero squares in F q is equal to the number of nonsquares.Define To complete the proof, we need only show that there is a nonzero a such that N a ≥ −1.
We will also need an analog of N a when a = 0, which we define as follows.Let c be the coefficient of x in the polynomial f , and let h 0 be the monic separable polynomial of degree 4g such that f (x 2 ) = x 2 h 0 (x).Let D 0 be the hyperelliptic curve of genus 2g − 1 given by y 2 = h 0 .Arguing as before, we find that https://doi.org/10.1017/S0305004123000476Published online by Cambridge University Press If we define N 0 to be Since D 0 is hyperelliptic, it can have at most 2q rational points in addition to the 1 + χ(c) points it has that lie over x = 0. Thus, Consider the sum, over all a ∈ F q , of N a .We have where the last equality follows because χ(f (0)) = 0.For nonzero z ∈ F q , consider the genus-0 curve X z defined by y 2 = x 2 + z.The curve X z has two points at infinity, so arguing as before we find that Since X z has genus 0 and hence 1 + q rational points, we see that a∈F q χ(a 2 + z) = −1 when z = 0. Therefore, Suppose there were no nonzero a with N a ≥ −1.Then we would have which would imply 1 + q ≤ 2, a contradiction.Therefore there must be a nonzero a with N a ≥ −1, and for every such a the curve D a satisfies the desired conditions.Lemmas 4•3 and 4•5 give us the means to iterate a construction, but we still need base curves to start with.These will be provided by Lemmas 4•8 and 4•9.To prepare for the proofs of those lemmas, we need some background information on 2-isogenies and 2-isogeny volcanoes.
Let q be an odd prime power and let t be an integer, coprime to q, with t 2 < 4q.Let C t be the isogeny class of ordinary elliptic curves over F q with trace t, and set := t 2 − 4q < 0. Write = F 2 0 for a fundamental discriminant 0 .For every divisor f of F, there are elliptic curves in C t whose endomorphism rings are isomorphic to the quadratic order of discriminant f 2 0 [Wat69, theorem 4•2, pp.538-539].The height of the isogeny class C t (more properly, the height of the 2-isogeny volcano associated to C t ) is equal to the 2-adic valuation of the conductor F. If E is an elliptic curve in C t whose endomorphism ring has discriminant f 2 0 , then the level of E is the 2-adic valuation of f .(This is the terminology of [FM02]; Kohel used different terminology in his thesis [Koh96], which introduced these concepts.)We see that C t contains elliptic curves of every level from 0 to the height of C t .
LEMMA 4•6.Let C t be an ordinary isogeny class of trace t and discriminant = F 2 0 as above, and suppose C t has height h > 0. Then: (i) every elliptic curve in C t of level h has exactly one rational point of order 2, and the image of the corresponding 2-isogeny is an elliptic curve of level h − 1; (ii) every elliptic curve in C t of level with 0 < < h has exactly three rational points of order 2. For two of these points, the image of the corresponding 2-isogeny is a curve of level + 1, and for the third the image is an elliptic curve of level − 1; (iii) every elliptic curve in C t of level 0 has exactly three rational points of order 2. The images of the corresponding 2-isogenies are curves of level 0 or 1, and the number of points giving rise to a curve of level 0 is equal to 2, 1, or 0, corresponding to whether 0 ≡ 1 mod 8, 0 ≡ 0 mod 4, or 0 ≡ 5 mod 8.
LEMMA 4•7.Let q be an odd prime power and let E : y 2 = (x − a)(x − b)(x − c) be an elliptic curve over F q with all of its 2-torsion rational.Let ϕ : E → F be the 2-isogeny with kernel generated by the point (a,0) on E. Then all of the 2-torsion of F is rational if and only if (a − b)(a − c) is a square.Proof.By shifting x-coordinates on E by a, we see that it suffices to prove the statement when a = 0. Using [Sil09, example 4•5, p. 70], for example, we find that one model for F is given by y The 2-torsion of F is all rational if and only if the quadratic x 2 + 2(b + c)x + (b − c) 2 splits, which happens if and only if its discriminant 16bc is a square.LEMMA 4•8.Let q be an odd prime power.Then there is a curve C/F q of genus 2 with exactly two rational Weierstrass points such that https://doi.org/10.1017/S0305004123000476Published online by Cambridge University Press Proof.For q < 512 we find examples of such curves by computer search; a list of examples is included with the ancillary files included with the arXiv version of this paper.Thus we may assume that q > 512.
First consider the case where q ≡ 3 mod 4. Let t be the largest integer such that t ≡ q + 1 mod 8 and (t, q) = 1 and t 2 ≤ 4q, so that t > 2 √ q − 16 > 0. Set := t 2 − 4q and write = F 2 0 for a fundamental discriminant 0 .We note that ≡ 4 mod 32, so that F ≡ 2 mod 4 and 0 ≡ 1 mod 8.If we let C −t be the isogeny class of elliptic curves of trace −t over F q , then C −t has height 1.
Let E be an elliptic curve in C −t of level 0. By Lemma 4•6, E has two rational 2-isogenies to elliptic curves of level 0 and one rational 2-isogeny to an elliptic curve E of level 1. Write E as y 2 = x(x − a)(x − b), with coordinates chosen so that the 2-isogeny from E to E has kernel generated by (0,0).Since E does not have all of its 2-torsion rational, Lemma 4•7 shows that ab is not a square; on the other hand, since the other curves 2-isogenous to E do have their 2-torsion rational, we find that a(a − b) and b(b − a) are both squares.
Define elements α i and β i of F q , for i = 1, 2, 3, by be the isomorphism that takes (α i , 0) to (β i , 0) for each i.Since the discriminant of the endomorphism ring of E is congruent to 1 mod 8, the curve E has no nontrivial automorphisms, and ψ is not the restriction to E[2] of an automorphism of E. Therefore, from [HLP00, propositions 3 and 4, p. 324] we obtain a curve C of genus 2 whose Jacobian is isogenous to E 2 , and the formulas in the cited results give us a model for C. In this case, we find that C is given by y 2 = h with Now, since ab and −1 are both nonsquare, it follows that −b/a is a square, so the first quadratic factor in h splits.On the other hand, since b(b − a) is a square, we see that (a − b)/b is not a square, so the second quadratic factor of h is irreducible.Likewise, the third quadratic factor is irreducible.Therefore, C has exactly two rational Weierstrass points.Since the Jacobian of C is isogenous to E 2 , we have #C(F q ) = 1 + q + 2t > 1 + q + 4 √ q − 32.Now we turn to the case where q ≡ 1 mod 4. Let t be the largest integer such that t ≡ 2 mod 4 and (t, q) = 1 and t 2 ≤ 4q, so that t > 2 √ q − 8 > 0. Let C −t be the isogeny class of ordinary elliptic curves over F q with trace −t, set := t 2 − 4q, and write = F 2 0 for a fundamental discriminant 0 .We note that ≡ 0 mod 16, so that either the height h of C −t is at least 2, or h = 1 and 0 ≡ 0 mod 4.
Let E be an elliptic curve in C −t of level h − 1. Lemma 4•6 shows that if h ≥ 2, then E has two 2-isogenies to elliptic curves of level h and one to an elliptic curve of level h − 2. The curves of level h have only one rational point of order 2, while the curve of level h − 2 has three rational points of order 2. On the other hand, if h = 1 and 0 ≡ 0 mod 4 then E has two 2-isogenies to elliptic curves of level 1 and one to an elliptic curve of level 0. Again, the curves of level 1 have only one rational point of order 2, while the curve of level 0 has three rational points of order 2.
We see that in every case, E can be written in the form where ab is a square and where (a − b)/a and (b − a)/b are both nonsquares.Taking α i and β i as before, we find that the curve C given by y 2 = h, with has Jacobian isogenous to E 2 .We again find that the first quadratic factor splits and the other two are irreducible, so once again C has exactly two rational Weierstrass points.We also once again have #C(F q ) = 1 + q + 2t.Thus, for every odd prime power q we have shown that there is a curve of genus 2 over F q with exactly two rational Weierstrass points and with #C(F q ) > 1 + q + 4 √ q − 32.
LEMMA 4•9.Let q be an odd prime power.Then there is a hyperelliptic curve C/F q of genus 3 with exactly two rational Weierstrass points and with Proof.The statement for q < 512 is verified by computer search; a list of examples of such curves can be found in the ancillary files included with the arXiv version of this paper.We assume now that q > 512.
First consider the case where q ≡ 3 mod 4. As in the proof of Lemma 4•8, we let t be the largest integer such that t ≡ q + 1 mod 8 and (t, q) = 1 and t 2 ≤ 4q, so that t > 2 √ q − 16 > 0. We see that := t 2 − 4q can be written F 2 0 for a fundamental discriminant 0 that is congruent to 1 modulo 8 and a conductor F that is congruent to 2 modulo 4. If we let C −t be the isogeny class of elliptic curves of trace −t over F q , then C −t has height 1.
Let E be an elliptic curve in C −t of level 0. Lemma 4•6 shows that E has two rational 2isogenies to elliptic curves of level 0. Let E be one of these curves, and write E as y 2 = x(x − a)(x − b), with coordinates chosen so that the 2-isogeny from E to E has kernel generated by (0,0).Since E is of level 0 it has all of its 2-torsion rational, so Lemma 4•7 shows that ab is a square; therefore b/a is also a square, say b/a = c 2 .
Define elements α i and β i of F q , for i = 1, 2, 3, by and let ψ : be the isomorphism that takes (α i , 0) to (β i , 0) for each i.Since the discriminant of the endomorphism ring of E is congruent to 1 mod 8, the curve E has no nontrivial automorphisms, and ψ is not the restriction to E[2] of an automorphism of E.
Once again we use [HLP00, propositions 3 and 4, p. 324] to show that there is a genus-2 curve C whose Jacobian is (2,2)-isogenous to E 2 , and we find that one model for such a C is given by y 2 = h with Since the Jacobian of C is isogenous to E 2 , we have #C(F q ) = 1 + q + 2t > 1 + q + 4 √ q − 32.Now we replace x with (2c 2 x + 1 − c 2 )/(2cx + c 3 − c) and scale y appropriately to find that C can also be written y 2 = f , where Note that the quadratic factor is irreducible.Now, as in the proof of Lemma 4•3, we consider two double covers of C. Let g = f /x, let n be a nonsquare element of F q , let D be the curve y 2 = g(x 2 ), and let D be the curve y 2 = g(nx 2 ).The curves D and D are both double covers of C: The map (x, y) → (x 2 , xy) sends D to C, and the map (x, y) → (nx 2 , xy) sends D to C. The two covers are quadratic twists of one another, so we have #D(F q ) + #D (F q ) = 2#C(F q ), so at least one of D and D has at least as many points as C. Also, the two curves are both hyperelliptic of genus 3. Furthermore, the rational Weierstrass point (1,0) of C splits into two rational Weierstrass points of D while the rational Weierstrass point lying over x = −(c 2 − 1) 2 /(4c 2 ) does not, because −1 is not a square, whereas for D the splitting behaviour of these two points is reversed.Thus, both D and D have exactly two rational Weierstrass points.
We have shown that there is a hyperelliptic curve over F q of genus 3 with exactly two rational Weierstrass points and with more than 1 + q + 4 √ q − 32 rational points.Now consider the case q ≡ 1 mod 4. If q ≡ 1 mod 16 or q ≡ 13 mod 16, let t be the largest integer congruent to 2 or 14 modulo 16 that is coprime to q and such that t 2 < 4q; if q ≡ 5 mod 16 or q ≡ 9 mod 16, let t be the largest integer congruent to 6 or 10 modulo 16 that is coprime to q and such that t 2 < 4q.In both cases we have t > 2 √ q − 16.Let := t 2 − 4q and write = F 2 0 for a fundamental discriminant 0 .Our choice of t guarantees that ≡ 0 mod 64, so F ≡ 0 mod 4. If we let C −t be the isogeny class of elliptic curves of trace −t over F q , then the height h of C −t is at least 2.
Let E be an elliptic curve in C −t of level h − 2, and let E be an elliptic curve of height h − 1 that is 2-isogenous to E. Write E as y 2 = x(x − a)(x − b) so that the kernel of the 2isogeny to E contains the point (0,0).Since E has all of its 2-torsion rational, Lemma 4•7 shows that ab is a square, so we can write b = ac 2 for some c ∈ F q .Then the fact that the other two curves 2-isogenous to E have all of their 2-torsion rational implies that a 2 (1 − c 2 ) and a 2 c 2 (c 2 − 1) are squares, so c 2 − 1 is a square.
We compute that one model for E is given by Here, the isogeny E → E corresponds to the 2-torsion point (0,0).The other two 2isogenous take E to curves of level h, which each have exactly one rational point of order 2, so Lemma 4•7 tells us that the two values 4a 2 c(c + 1) 2 and −4a 2 c(c − 1) 2 are not squares.This shows that c is not a square.Now we use the formulae from [HLP00, proposition 4, p. 324] to construct a curve of genus 2 whose Jacobian is (2,2)-isogenous to E × E .In particular, we take α 1 := 0, α 2 := a, α 3 := ac 2 , β 1 := 0, β 2 := −a(c + 1) 2 , β 3 := −a(c − 1) 2 in [HLP00, proposition 4, p. 324] and we find that the resulting curve C is given by y 2 = h, where The first of the quadratic factors in the above expression for h is irreducible, because c 2 − 1 is a square but c is not.The other two quadratic factors split, and if we let i denote a square root of −1 in F q , then the roots of h are and rescale y appropriately, we find that C can also be written as y 2 = f , where Note that the quadratic factor is irreducible, and that the root r := 4c(c 2 − 1)/(c 2 + 2c − 1) 2 is not a square, because c is not a square while c 2 − 1 is.
Let g = f /x, let n be a nonsquare element of F q , let D be the curve y 2 = g(x 2 ), and let D be the curve y 2 = g(nx 2 ).As before, the curves D and D are both double covers of C and the two covers are quadratic twists of one another, so at least one of D and D has at least as many points as C. The two curves are both hyperelliptic of genus 3.And finally, the rational Weierstrass point (1,0) of C splits into two rational Weierstrass points of D while the rational Weierstrass point (r,0) does not, whereas for D the splitting behaviour of these two points is reversed.Thus, both D and D have exactly two rational Weierstrass points.
We have shown that there is a hyperelliptic curve of genus 3 over F q with exactly two rational Weierstrass points and with more than 1 + q + 4 √ q − 32 rational points.With all of these preparatory results at hand, the proof of Theorem 4•1 for odd q is very short.
Proof of Theorem 4•1(i).We prove the result by induction on g.The statement is true for g = 2 and g = 3 by Lemmas 4•8 and 4•9.Now suppose Theorem 4•1(i) holds for all g less than some integer G > 3. We will show it also holds when g = G.
For convenience's sake, let us set c q = 5 if q < 512 and c q = 32 if q > 512.Set h = G/2 .Then h > 1, and we may apply Theorem 4•1(i) to show that for every q, there is a hyperelliptic curve C/F q of genus h with exactly two rational Weierstrass points and with #C(F q ) > 1 + q + 4 √ q − c q .
If G is odd, we apply Lemma 4•3 to the curve C and find that there is a hyperelliptic curve D of genus 2h + 1 = G with exactly two rational Weierstrass points and with #D(F q ) ≥ #C(F q ).
If G is even, we apply Lemma 4•5 to the curve C and find that there is a hyperelliptic curve D of genus 2h = G with exactly two rational Weierstrass points and with #D(F q ) ≥ #C(F q ).4•2.Characteristic 2.
In this section, we prove Theorem 4•1 for finite fields of characteristic 2. The spirit of the proof is very similar to the odd characteristic case, but the switch to Artin-Schreier extensions instead of Kummer extensions requires a few technical modifications.We begin with some basic observations about hyperelliptic curves in characteristic 2.
If q is a power of 2 and C is a hyperelliptic curve over F q , then C has a model of the form y 2 + y = f for a rational function f ∈ F q (x).Replacing y with y + u for a rational function u ∈ F q (x) turns the equation for C into y 2 + y = f + u 2 + u, and by modifying f in this way we can assume that all of the poles of f , including the pole at ∞, have odd order.Suppose f has r poles, with orders d 1 , . . ., d r .Then the Weierstrass points of C are precisely the points lying over the poles of f in P 1 , and [Sti09, proposition 3•7•8, p.127] shows that the genus g of C is given by LEMMA 4•10.Let q be a power of 2 and let C/F q be a hyperelliptic curve of genus g, so that C has a model y 2 + y = f for a rational function f ∈ F q (x) all of whose poles have odd order.Given a ∈ F × q and b ∈ F q , let h = f ((x 2 + x + b)/a) and let D be the curve defined by y 2 + y = h.Then: (i) if f has no pole at infinity, the genus of D is 2g + 1; (ii) if f has a pole of order d > 1 at infinity, the genus of D is 2g; (iii) if f has a simple pole at infinity, write f = cx + F for a constant c ∈ F × q and a rational function F with no pole at infinity.Then the genus of D is 2g if a = c, and is 2g − 1 if a = c.Proof.Each finite pole of f , say of order d, gives rise to two finite poles of h, each of order d, and if f has no pole at infinity then neither does h.If f has a total of r poles, none of them at infinity, of orders d 1 , . . ., d r , then h has 2r poles, of orders d 1 , d 1 , d 2 , d 2 , . . ., d r , d r , and the genus of D is given by Suppose f has a pole at infinity of order d.We can write where the c i are elements in F q with c d = 0 and F is a rational function with no pole at infinity.Then the polar decomposition of h at infinity is If d > 1 we can replace y with y + ( c d /a d )x d to find that at infinity the curve D looks like The contribution of the pole of h at infinity to the genus of D is d, while the contribution of the pole of f at infinity to the genus of C is (d + 1)/2.Combining this with the contributions of the finite poles, which behave as above, we find that the genus of D is 2g.
On the other hand, if d = 1 then we have and by replacing y with y + ( √ c 1 /a)x we find that at infinity the curve D a looks like y 2 + y = (c 1 /a + c 1 /a)x + (lower degree terms) .
If a = c 1 then the coefficient of x is nonzero and the contribution of the pole at infinity to the genus is 1, and we compute as above that the genus of D is 2g.On the other hand, if a = c 1 then the pole at infinity can be removed, and there is no contribution to the genus.In this case we check that the genus of D is 2g − 1.
LEMMA 4•11.Let q be power of 2 and let C/F q be a hyperelliptic curve of genus g with fewer than q + 1 rational Weierstrass points.Then there is a hyperelliptic curve D of genus 2g + 1 that is a double cover of C and that has at least as many rational points as does C.
If in addition C has at least two rational Weierstrass points, then D can be chosen to have at least two rational points.
Remark 4•12.If C/F q is a hyperelliptic curve with #C(F q ) > q + 1 then C has fewer than q + 1 rational Weierstrass points.
Proof.Let ϕ be the canonical map from C to P 1 .There is at least one point of P 1 that does not ramify in ϕ, and we can pick one such point and choose a coordinate function x on P 1 so that this point lies at ∞.This means that C has a hyperelliptic model of the form y 2 + y = f , where f ∈ F q (x) is a rational function, all of whose poles have odd order, and with no pole at ∞.
Let n be an element of F q whose absolute trace -that is, its trace to F 2 -is equal to 1. Consider the two hyperelliptic curves D : y 2 + y = f (x 2 + x) and D : y 2 + y = f (x 2 + x + n).By Lemma 4•10, both D and D have genus 2g + 1.Also, the obvious double covers D → C and D → C are quadratic twists of one another, and it follows that #D(F q ) + #D (F q ) = 2#C(F q ).Therefore, one of these two curves has at least as many rational points as does C.
Suppose C has at least two rational Weierstrass points.We can choose our coordinate function x so that one of these points lies over the point x = 0 of P 1 , while the other lies over the point x = n of P 1 , where n is an element of F q of absolute trace 1.The Weierstrass point lying over x = 0 splits into two rational Weierstrass points of D, and the Weierstrass point lying over x = n splits into two rational Weierstrass points of D .Therefore, no matter which of the two curves has at least as many rational points as C, it has at least two rational Weierstrass points.LEMMA 4•13.Let q > 2 be a power of 2 and let C/F q be a hyperelliptic curve of genus g that has at least two rational Weierstrass points and with #C(F q ) > q.Then there is a hyperelliptic curve D/F q of genus 2g that is a double cover of C, that has at least two rational Weierstrass points, and that satisfies Proof.Let ϕ : C → P 1 be the canonical double cover.Suppose C has at least three rational Weierstrass points.We can choose a coordinate function x on P 1 so that these three points lie over 0, n, and ∞, where n is an element of F q of absolute trace 1.If f has a simple pole at infinity and if the coefficient c 1 of x in the polar expansion (4•1) is equal to 1, we can choose https://doi.org/10.1017/S0305004123000476Published online by Cambridge University Press another element n of F q of absolute trace 1 and then scale x by a factor of n /n; this has the effect of replacing n with n and of modifying the coefficient c 1 so that it is no longer equal to 1. Thus, we may assume that c 1 = 1.
Consider the two curves D : y 2 + y = f (x 2 + x) and D : y 2 + y = f (x 2 + x + n).We see from Lemma 4•10 that both D and D have genus 2g, and one of them has at least as many rational points as does C. Furthermore, the Weierstrass point of C that lies above x = 0 splits into two rational Weierstrass points on D, while the Weierstrass point of C lying above (n,0) splits into two rational Weierstrass points on D .Thus, at least one of D and D will satisfy the conclusion of the lemma.
We can now turn to the case where C has exactly two rational Weierstrass points.This time, we can choose a coordinate function x on P 1 so that C has a hyperelliptic model of the form y 2 + y = f , where f ∈ F q (x) is a rational function that has odd-order poles at 0 and ∞ and no other rational poles.If #C(F q ) < 2q, then there must be a rational point of P 1 that does not have a rational point of C lying over it; in this case, we scale x so that this point becomes the point x = 1 of P 1 .In particular, this means that f (1) has absolute trace 1.On the other hand, if #C(F q ) = 2q, then every point of P 1 (F q ) other than 0 and ∞ splits into two rational points of C, so f (a) has absolute trace 0 for every a ∈ F × q .Let n be an element of F q whose absolute trace is 1.For every a ∈ F q , set h a := f ((x 2 + x)/(a 2 + a + n)) and let D a be the curve y 2 + y = h a .If the polynomial x 2 + x + n + c 1 (with c 1 defined in (4•1)) has roots in F q , we let s 0 and s 1 be those roots; otherwise, we take s 1 = 0 and s 2 = 1.We see from Lemma 4•10 that D a has genus 2g for all a ∈ F q different from s 1 and s 2 .
Let us compute the number of rational points on D a .Let χ : P 1 (F q ) → {−1, 0, 1} be the function that takes ∞ to 0 and that takes an element z ∈ F q to 1 or −1 depending on whether the absolute trace of z is 0 or 1.We see, for example, that just as we had in odd characteristic.Let n a be the number of rational points on D a at infinity, so that n a = 1 if D a has a Weierstrass point at infinity and n a is either 0 or 2 otherwise.Arguing as in the odd-characteristic case, we find that https://doi.org/10.1017/S0305004123000476Published online by Cambridge University Press Suppose #C(F q ) = 2q, so that χ(f (z)) = 1 for all z ∈ F × q .Then for every a ∈ F q \ {s 0 , s 1 } we have and for such a we also know that n a = 1.Thus, for every such a the curve D a has 2q − 1 points, and so satisfies the conditions listed in the lemma.
We are left with the case where #C(F q ) < 2q.We will show that in this case there is an a ∈ F q , not equal to s 1 or s 2 , such that N a ≥ 0. Recall that in this case, we normalised f so that χ(f (1)) = −1.
We compute: When z = 0, the interior sum is equal to q.When z = 1, the interior sum is equal to −q.
When z ∈ F q \ F 2 , we calculate the interior sum as follows.Let X z be the genus-0 curve Therefore, , so that N a is the difference between the number of rational points of D a not lying over ∞ and the number of rational points of C not lying over ∞.Since D a has two rational Weierstrass points not lying over ∞ we have #D a (F q ) − n a ≤ 2q − 2, so N a ≤ 2q − 1 − #C(F q ).Suppose, to obtain a contradiction, that for every a ∈ F q other than s 1 and s 2 we had #D a (F q ) < #C(F q ), so that N a ≤ −1.Then we would have so that #C(F q ) ≤ q.This contradicts the hypothesis of the lemma.Therefore, there is at least one value of a for which D a has genus 2g and #D a (F q ) ≥ #C(F q ).We have already seen that every such D a has three rational Weierstrass points, so we are done.
Lemmas 4•11 and 4•13 give us the machinery with which to build an induction as in the previous subsection, and once again we are left with the task of producing curves of genus 2 and 3 with many points to use as base cases.Such curves are provided by the following lemma.
LEMMA 4•14.Let q be a power of 2 with q > 8. Then for g = 2 and g = 3 there is a hyperelliptic curve C/F q of genus g with at least two rational Weierstrass points and with #C(F q ) > 1 + q + 4 √ q − 12.
Proof.We observe that an ordinary elliptic curve over F q can be written in the form y 2 + y = x + a/x if and only if it has a rational point of order 4, one such point being ( √ a, 0).Furthermore, such a curve has a rational point of order 8 if and only if a has absolute trace 0; in this case, if we write a = b 2 + b, then an 8-torsion point is given by ((a 4 + a 3 ) 1/4 , b 1/4 ).
Let t 0 and t 4 be the largest integers less than or equal 2 √ q such that 1 + q + t 0 ≡ 0 mod 8 and 1 + q + t 4 ≡ 4 mod 8, so that t i > 2 √ q − 8 for both values of i and t i > 2 √ q − 4 for one value of i.For i = 0 and i = 4, let E i be an ordinary elliptic curve over F q with trace t i .Then we can write the E i in the form y 2 + y = x + a i /x, where a 0 has absolute trace 0 and a 4 has absolute trace 1.
Let C be the hyperelliptic curve Clearly C has three rational Weierstrass points.Also, if we set z = y + √ a i /(a 0 + a 4 )x, then and the quotient of this curve by the involution that sends (x,z) to (x + 1, z) is clearly Now let D be the double cover of C obtained by adjoining a root of to the function field of C. Combining equations (4•3) and (4•4) and writing v = y + u, we find that D can be written in the form are Weierstrass points.Thus, one of D and D will be a hyperelliptic curve of genus 3 with the desired properties.
Proof of Theorem 4•1 (ii).For q = 2, 4 and 8, we need to show that there are hyperelliptic curves of every genus g > 1 with at least 4, 9 and 16 points, respectively.For q = 2 and q = 4 this follows from Lemma 4•15 below.For q = 8, Lemma 4•15 gives us the desired hyperelliptic curve when g ≥ 4, so we are left to find examples of genus 2 and genus 3.These are provided by the genus-2 curve y 2 + y = x 5 + x 3 and the genus-3 curve y 2 + y = rx 7 , where r satisfies r 3 + r + 1 = 0; both of these curves have 17 rational points.Now assume that q > 8.We prove the result by induction on g.The statement is true for g = 2 and g = 3 by Lemma 4•14.Now suppose Theorem 4•1(ii) holds for all g less than some integer G > 3. We will show it also holds when g = G.
Set h = G/2 .Then h > 1, and we may apply Theorem 4•1(ii) to show that for every q, there is a hyperelliptic curve C/F q of genus h with at least two rational Weierstrass points and with #C(F q ) > 1 + q + 4 √ q − 12.
If G is odd, we apply Lemma 4•11 to the curve C and find that there is a hyperelliptic curve D of genus 2h + 1 = G with at least two rational Weierstrass points and with #D(F q ) ≥ #C(F q ).
If G is even, we apply Lemma 4•13 to the curve C and find that there is a hyperelliptic curve D of genus 2h = G with at least two rational Weierstrass points and with #D(F q ) ≥ #C(F q ) or with #D(F q ) = 2q − 1.
LEMMA 4•15.Let q > 1 be a power of 2 and let g be an integer with g ≥ q/2.Then there is a hyperelliptic curve of genus g over F q having 2q + 1 rational points.
Proof.Consider the function F q → F q that sends a to a 2g+1 .By Lagrange interpolation, there is a polynomial f ∈ F q [x] of degree at most q − 1 that agrees with this function.Therefore, the polynomial x 2g+1 + f has degree 2g + 1 and evaluates to 0 for every x ∈ F q .Therefore the curve y 2 + y = x 2g+1 + f has 2q + 1 rational points and has genus g.

4•3. Remarks on constructing examples
We mentioned earlier that our arguments in this section suggest an algorithm for constructing the curves whose existence is asserted by Theorem 4•1.In particular, Lemmas 4•8, 4•9 and 4•14 provide explicit ways of finding the base curves of genus 2 and 3 with which to start the construction; these lemmas require that we find an elliptic curve over F q with a certain specific trace and with all of its 2-torsion points rational.In general it is a difficult problem to find an elliptic curve over a given finite field with a given number of points, and the best general algorithm for doing so is essentially to pick elliptic curves at random until one finds one with the desired order.In our case, the discriminant of the endomorphism ring of the curves we want is smaller than average -it's O( √ q) instead of O(q) -so we might choose to use the Hilbert class polynomial method [Sut11] instead.
Once we have a starting curve, we need to recursively construct curves in the tower leading to the desired genus.Lemmas 4•3 and 4•11 tell us how to quickly produce a curve of genus 2g + 1 from a curve of genus g, with the new curve having at least as many points as the old; the work required is simply that of counting points on a single hyperelliptic curve of genus 2g + 1.It is more difficult to produce a curve of genus 2g from a curve of genus g, with the new curve having at least as many points as the old.Lemmas 4•5 and 4•13 tell us that there is at least one curve in an explicit one-parameter family with the desired properties, but in the worst case we might have to count points on essentially all curves in the family before finding one that works.Heuristically, though, we expect to find a good curve after only a few tries.
In the worst case, then, we might need to count points on as many as O(q log g) hyperelliptic curves over F q in order to find a curve of genus g over F q with close to q + 1 + 4 √ q points.In practice, we find that many fewer steps are required, and we expect the algorithm sketched above to require counting points on O( log g) hyperelliptic curves, once we have found the base curve of genus 2 or 3.
We might compare this heuristic complexity to that of the naïve method of picking hyperelliptic curves of genus g over F q at random until we find one with close to q + 1 ± 4 √ q points.Essentially, the naïve method requires waiting for a four-sigma event to occur, so we might expect to try about 15,000 curves on average before finding one with more than q + 1 + 4 √ q points.

4 u 2
+ u + a 0 + a 4 + a 0 + a 4 .(4•5)Becausethe absolute trace of a 0 + a 4 is 1, the quadratic twist D → C of the double cover D → C can be given byv 2 + v = √ a 0 a 4 u 2 + u + a 0 + a 4 + a 2 0 + a 2 4 u 2 + u + a 0 + a 4 .(4•6)One of the two curves D and D will have at least as many points as C, and D and D each have exactly two rational Weierstrass points: On both curves, the points with u = 0 and u = 1 https://doi.org/10.1017/S0305004123000476Published online by Cambridge University Press