# Elliptic Gauß sums and Schoof’s algorithm

Christian J. Berghoff Universität Bonn, Mathematisches Institut, Endenicher Allee 60, 53115 Bonn, Germany
###### Abstract.

We present a new approach to handling the case of Atkin primes in Schoof’s algorithm for counting points on elliptic curves over finite fields. Our approach is based on the theory of polynomially cyclic algebras developed in [MV10], which we recall as far as necessary, and was elaborated in [Ber13]. We then proceed to describe our method, which essentially relies on transferring costly computations in extensions of to isomorphic ones endowed with a special structure that allows the run-time to be reduced. We analyse the new run-time and conclude that this procedure yields some improvement as compared to the classical approaches.

## 1. Introduction

In this document we consider a new approach for a building block of Schoof’s algorithm, which computes the number of rational points of an elliptic curve over a finite field . In order to do so, we first recall some details on so-called polynomially cyclic algebras that were defined in [MV10] before proceeding to present our new method in section 3. A large proportion of the new content presented in this section stems from the master’s thesis [Ber13], building on first considerations to this end made in [MV10]. Whereas former improvements in run-time for Schoof’s algorithm essentially result from reducing the degree of the extensions of in which computations are performed, our overall strategy is to transfer calculations to an isomorphic extension whose structure allows the step dominating the run-time to be made much more efficient.

Within this work we will only consider primes and thus assume that the curve in question is given in the Weierstraß form

$$E:\; Y^2 = X^3 + aX + b = f(X),$$

where . We will always identify with its set of points . For the following well-known statements cf. [Sil09, Was08]. We assume that the elliptic curve is neither singular nor supersingular. It is a standard fact that is an abelian group with respect to point addition. Its neutral element, the point at infinity, will be denoted . For a prime , the -torsion subgroup has the shape

$$E[\ell] \cong \mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}.$$

Using the addition formulae for one can derive polynomials such that

$$k(X,Y) = \bigl(G_k(X),\; Y H_k(X)\bigr). \tag{1.1}$$

In the endomorphism ring of the Frobenius homomorphism

$$\phi_p : (X,Y) \mapsto (\varphi_p(X), \varphi_p(Y)) = (X^p, Y^p)$$

$$0 = \chi(\phi_p) = \phi_p^2 - t\phi_p + p, \tag{1.2}$$

where by the Hasse bound. By restriction acts as a linear map on . The number of points on over is given by and is thus immediate from the value of .
The idea of Schoof’s algorithm now consists in computing the value of for sufficiently many small primes by considering and in afterwards combining the results by means of the Chinese Remainder Theorem. In the original version this requires computations in extensions of degree .
However, a lot of work has been put into elaborating improvements. Let denote the discriminant of equation (1.2). Then we distinguish the following cases:

1. If , then is called an Elkies prime. In this case, the characteristic equation factors as , so when acting on the map has two eigenvalues with corresponding eigenpoints . Since and , it obviously suffices to determine one of them. So we have to solve the discrete logarithm problem

$$\lambda P = \phi_p(P) = (P_x^p, P_y^p),$$

which only requires working in extensions of degree .

2. If , then is called an Atkin prime. In this case the eigenvalues of are in and there is no eigenpoint . There is a generic method for computing the value of for Atkin primes, which has the same run-time as the one available for Elkies primes. However, it does not yield the exact value of but only a set of candidates and is thus only efficient provided the cardinality of this set is small.
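The outer loop just described, as an added Python example (this is not code from the paper): the residues of $t$ modulo small primes $\ell$ whose product exceeds $4\sqrt{p}$ are recombined by the Chinese Remainder Theorem and the result is placed in the Hasse interval. The per-prime residues, which Schoof's algorithm obtains from computations with $\ell$-torsion points, are here taken from a naive point count, a constructed stand-in, so only the Hasse bound and the CRT step are exercised. The curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{11}$ is a constructed sample.

```python
# Added example, not from the paper: the outer structure of Schoof's
# algorithm on a toy curve.  The residues t mod l are taken here from a
# naive point count (a stand-in for the l-torsion computations the paper
# discusses), so only the Hasse bound and the CRT recombination are shown.
from math import isqrt

def count_points(p, a, b):
    """Naive #E(F_p) for E: y^2 = x^3 + a x + b, including the point at infinity."""
    roots = {}                                     # y^2 -> number of y with that square
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x * x * x + a * x + b) % p, 0) for x in range(p))

def trace_of_frobenius(p, a, b):
    """t = p + 1 - #E(F_p); by the Hasse bound |t| <= 2*sqrt(p)."""
    return p + 1 - count_points(p, a, b)

def primes_with_product_exceeding(bound):
    """Successive primes 2, 3, 5, ... until their product exceeds `bound`."""
    primes, product, n = [], 1, 2
    while product <= bound:
        if all(n % q for q in primes):
            primes.append(n)
            product *= n
        n += 1
    return primes

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli.
    Returns (x, m) with 0 <= x < m = prod(moduli) and x = r_i mod m_i."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        k = (r - x) * pow(m, -1, q) % q            # solve x + m*k = r (mod q)
        x, m = x + m * k, m * q
    return x, m

def schoof_skeleton(p, a, b):
    """Recover t from t mod l for primes l with prod(l) > 4*sqrt(p).
    Returns (t, primes, residues)."""
    primes = primes_with_product_exceeding(4 * isqrt(p) + 4)   # product > 4*sqrt(p)
    true_t = trace_of_frobenius(p, a, b)           # stand-in for the per-l computation
    residues = [true_t % l for l in primes]        # what Schoof's algorithm computes mod l
    x, m = crt(residues, primes)
    # the Hasse interval |t| <= 2*sqrt(p) contains exactly one representative of x mod m
    t = x if x <= 2 * isqrt(p) + 2 else x - m
    return t, primes, residues

if __name__ == "__main__":
    # constructed sample: E: y^2 = x^3 + x + 1 over F_11 has 14 points, so t = -2
    print(schoof_skeleton(11, 1, 1))
```

For $p = 11$ the primes $2, 3, 5$ suffice ($30 > 4\sqrt{11}$); the residues $(0, 1, 3)$ give $x = 28 \bmod 30$, and the only representative with $|t| \le 2\sqrt{11}$ is $t = -2$, matching the direct count of 14 points.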

## 2. Polynomially cyclic algebras

In this section we recall facts on polynomially cyclic algebras, which were first described in [MV10]. This general framework will be used in the next section in order to elaborate a new approach to the Atkin case in Schoof’s algorithm.

###### Definition 2.1.

[MV10, p. 6] Let be a finite field and a polynomial with . Then we call the -algebra a polynomially cyclic algebra with cyclicity polynomial and we call a cyclic polynomial if the following conditions are satisfied:

1. ,

2. and for .

Here .

###### Remark 2.2.
1. Every irreducible polynomial is cyclic as well. Its cyclicity polynomial is , where .

2. If a polynomial is cyclic with cyclicity polynomial , the same holds true in all extensions of .

The following theorem provides several ways to describe cyclic polynomials.

###### Theorem 2.3.

[MV10, p. 6] The following conditions are equivalent:

1. is cyclic.

2. There exists a polynomial which cyclically permutes the roots of , i. e., for every root of the equality holds and the elements , are pairwise distinct.

3. In the factorisation over all factors have the same degree and are pairwise distinct.

Next we describe some of the properties of polynomially cyclic algebras.

###### Theorem 2.4.

[MV10, p. 9] Let , , be a polynomially cyclic algebra with cyclicity polynomial , let . Then the following statements hold:

1. The cyclicity polynomial induces an automorphism of -algebras of order by virtue of

$$\nu : A \to A,\quad \alpha \mapsto C(\alpha).$$

We write , so is the automorphism group of , generated by , which we also call the Galois group of .

2. We have , so holds.

###### Theorem 2.5.

[MV10, p. 11] Let be a polynomially cyclic algebra. Then the following statements hold:

1. Let be a field extension. Then is a polynomially cyclic -algebra and there is a canonical isomorphism .

2. Let be a subgroup. Then the subalgebra of all elements invariant under ,

$$A^H := \{a \in A : h(a) = a \ \forall h \in H\},$$

is polynomially cyclic. Conversely, if is a polynomially cyclic algebra there exists such that .
The dimension of equals the index . In addition, there is a canonical isomorphism .

Starting from our definitions and using the properties of polynomially cyclic algebras we have mentioned we now proceed to define Lagrange resolvents in these. Again, we closely follow [MV10, p. 12]. Let , , again be a polynomially cyclic algebra with . Let be a primitive -th root of unity with minimal polynomial . We now define

$$A_{\rho_n} = A[T]/(K_n(T)).$$

Since holds, theorem 2.5 implies is a polynomially cyclic algebra over and using the canonical isomorphism we can identify the groups and . Now let be a multiplicative character. For we define the Lagrange resolvent as

$$(\chi,\alpha) = \sum_{\sigma \in \mathrm{Gal}(A/K)} \chi(\sigma)\,\sigma(\alpha) = \sum_{i=1}^{n} \chi(\nu^i)\,\nu^i(\alpha) = \sum_{i=1}^{n} \chi(\nu)^i\,\nu^i(\alpha) \in A_{\rho_n}.$$

The following theorem establishes some properties of the Lagrange resolvent.

###### Theorem 2.6.

[MV10, pp. 12-13] Let be two characters. Then the following statements hold:

1. For we obtain

$$\sigma(\chi,\alpha) = \chi^{-1}(\sigma)\,(\chi,\alpha).$$
2. If , then

$$(\chi,\alpha)^r \in K[\rho_n].$$
3. Likewise, we obtain

$$\frac{(\chi,\alpha)\cdot(\chi',\alpha)}{(\chi\cdot\chi',\alpha)} \in K[\rho_n], \quad \text{provided } (\chi\cdot\chi',\alpha) \in A^* \text{ holds}.$$
4. For and we have

$$(\chi,\alpha)^q = \chi^{-q}(\varphi_q)\,(\chi^q,\alpha).$$
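To make the cyclicity criterion of Theorem 2.3(2) and the resolvent properties 1 and 2 of Theorem 2.6 concrete, here is an added Python example; it is not code from the paper or from [MV10]. It realises a polynomially cyclic algebra as $A = \mathbb{F}_p[T]/(f(T))$, tests cyclicity using only polynomial arithmetic (roots are never computed: $C$ maps roots to roots iff $f(C(T)) \equiv 0 \bmod f$, and every root has a full-length orbit iff $\gcd(C^{(m)}(T) - T, f) = 1$ for $0 < m < n$ and $C^{(n)}(T) \equiv T$), and then evaluates Lagrange resolvents. The sample algebra $f = T^3 - 2$ over $\mathbb{F}_7$ with $\rho_3 = 2 \in \mathbb{F}_7$ is constructed; since $\rho_3$ already lies in $\mathbb{F}_7$, $A_{\rho_3} = A$ here.

```python
# Added example, not from the paper: (a) the cyclicity criterion of
# Theorem 2.3(2) tested over F_p with polynomial arithmetic only, and
# (b) Lagrange resolvents in a concrete polynomially cyclic algebra
# A = F_p[T]/(f(T)), checking properties 1 and 2 of Theorem 2.6.
# Polynomials are coefficient lists, lowest degree first; elements of A
# are such lists reduced modulo f.  We take rho_n in F_p, so A_{rho_n} = A.

def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])

def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def mod(a, f, p):
    """Remainder of a on division by f over F_p."""
    a, f = trim(a[:]), trim(f[:])
    inv = pow(f[-1], -1, p)
    while len(a) >= len(f) and a != [0]:
        coef, shift = a[-1] * inv % p, len(a) - len(f)
        for i, y in enumerate(f):
            a[shift + i] = (a[shift + i] - coef * y) % p
        a = trim(a)
    return a

def gcd(a, b, p):
    a, b = trim(a[:]), trim(b[:])
    while b != [0]:
        a, b = b, mod(a, b, p)
    return a                      # not made monic; only its degree is used

def compose_mod(g, h, f, p):
    """g(h(T)) reduced modulo f (Horner's rule)."""
    acc = [0]
    for c in reversed(g):
        acc = mod(add(mul(acc, h, p), [c], p), f, p)
    return acc

def power_mod(a, e, f, p):
    result = [1]
    for _ in range(e):
        result = mod(mul(result, a, p), f, p)
    return result

def frobenius_poly(f, p):
    """T^p mod f: the cyclicity polynomial of an irreducible f (Remark 2.2)."""
    result, base, e = [1], [0, 1], p
    while e:
        if e & 1:
            result = mod(mul(result, base, p), f, p)
        base = mod(mul(base, base, p), f, p)
        e >>= 1
    return result

def is_cyclic(f, C, p):
    """Theorem 2.3(2): f square-free, C maps roots of f to roots of f
    (f(C) = 0 mod f), and no root is fixed by C^{(m)} for 0 < m < n = deg f
    (gcd(C^{(m)} - T, f) = 1) while C^{(n)} = T mod f, i.e. C cycles all roots."""
    f = trim(f[:])
    n = len(f) - 1
    if n < 1 or len(gcd(f, trim([(i * f[i]) % p for i in range(1, n + 1)]), p)) > 1:
        return False
    if compose_mod(f, C, f, p) != [0]:
        return False
    iterate = mod(C, f, p)                       # C^{(1)}
    for m in range(1, n):
        if len(gcd(add(iterate, [0, p - 1], p), f, p)) > 1:   # C^{(m)} - T shares a root with f
            return False
        iterate = compose_mod(iterate, C, f, p)  # C^{(m+1)} = C^{(m)}(C(T))
    return iterate == [0, 1]                     # C^{(n)} = T

def resolvent(alpha, f, C, rho, p):
    """(chi, alpha) = sum_{i=1}^n chi(nu)^i nu^i(alpha), with chi(nu) = rho
    and nu(alpha) = alpha(C(T)) the generator of Gal(A/K) (Theorem 2.4)."""
    n = len(trim(f[:])) - 1
    total, image, chi_pow = [0], alpha, 1
    for _ in range(n):
        image = compose_mod(image, C, f, p)      # nu^i(alpha)
        chi_pow = chi_pow * rho % p              # chi(nu)^i
        total = add(total, mul([chi_pow], image, p), p)
    return mod(total, f, p)
```

On the constructed sample $f = T^3 - 2$ over $\mathbb{F}_7$ (irreducible, as 2 is not a cube modulo 7) the cyclicity polynomial is $T^7 \bmod f = 4T$, and for $\alpha = T + T^2$ and $\chi(\nu) = \rho_3 = 2$ one gets $(\chi,\alpha) = 3T$; applying $\nu$ yields $5T = 2^{-1}\cdot 3T$, which is property 1, and $(3T)^3 = 5 \in \mathbb{F}_7$, which is property 2. The character $\chi^2$ picks out the other eigencomponent, $(\chi^2,\alpha) = 3T^2$.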

The Lagrange resolvents can now be used to solve the following general problem, which we will afterwards consider in a special case:
Let , , with cyclicity polynomials , , be two isomorphic polynomially cyclic algebras. Denoting by the automorphism induced by and setting as well as , we wish to determine, more precisely, an isomorphism

$$\varphi : A_1 \to A_2,\quad \alpha_1 \mapsto \sum_{i=1}^{n} a_i\,\nu_2^i(\alpha_2) \quad\text{with } a_i \in K \tag{2.1}$$

such that holds.

###### Remark 2.7.

We can only obtain an isomorphism in this shape if forms a normal basis of together with its conjugates. It turns out, however, that for the practical application we consider this seems to be always the case, which yields the existence of isomorphism (3.2) below.

In order to determine isomorphism (2.1) we can avail ourselves of the following statement:

###### Theorem 2.8.

[MV10, p. 14] Let, as just mentioned, be isomorphic polynomially cyclic -algebras and be the isomorphism . Let further be a primitive -th root of unity and be defined as above. Let be characters with . Then there exists , such that

$$\varphi((\chi_1,\alpha_1)) = (\chi_2,\alpha_2)\cdot\beta(\chi_2).$$

More precisely,

$$\beta(\chi_2) = \sum_{i=1}^{n} a_i\,\chi_2^{-1}(\nu_2^i)$$

holds.

By means of this theorem the coefficients in (2.1) can be determined in the following way [MV10, p. 14]:
For let be a character with and assume the value is known. This implies

$$\beta(\chi_{2,j}) = \sum_{i=1}^{n} a_i\,\chi_{2,j}^{-1}(\nu_2^i) = \sum_{i=1}^{n} a_i\,\rho_n^{-ij}, \quad j = 1,\dots,n.$$

Hence,

$$M \cdot \vec{a} = \vec{\beta},$$

where , and . One thus obtains a linear system of equations for the coefficients , which can be used to determine them because of the following

###### Proposition 2.9.

The matrix is regular if holds. More precisely,

$$(\det(M))^2 = (-1)^{n(n+1)/2+1}\cdot n^n$$

holds.

###### Proof.

It is obvious that the columns of may be rearranged to form a Vandermonde matrix of the form where and holds. The general formula for the determinant of Vandermonde matrices implies

$$\det(M') = \prod_{1 \le i < j \le n} (\rho_n^j - \rho_n^i),$$

hence

$$\begin{aligned}
(-1)^{n(n-1)/2}\det(M')^2 &= \prod_{1 \le i \ne j \le n} (\rho_n^j - \rho_n^i) = \prod_{j=1}^{n} \prod_{\substack{i=1\\ i \ne j}}^{n} (\rho_n^j - \rho_n^i) \\
&= \prod_{j=1}^{n} \rho_n^j \prod_{\substack{i=1\\ i \ne j}}^{n} (1 - \rho_n^{i-j}) = \prod_{j=1}^{n} \rho_n^j \prod_{i=1}^{n-1} (1 - \rho_n^i).
\end{aligned}$$

Since , holds, one obtains . Hence,

$$(-1)^{n(n-1)/2}\det(M')^2 = \prod_{j=1}^{n} (\rho_n^j \cdot n) = n^n\,\rho_n^{\sum_{j=1}^{n} j} = n^n\,\rho_n^{n(n+1)/2} = (-1)^{n+1}\cdot n^n,$$

so . ∎
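Proposition 2.9 and the linear system that follows from Theorem 2.8 can be checked numerically. The following is an added Python example, not code from the paper: it realises $\rho_n$ inside a prime field $\mathbb{F}_p$ with $p \equiv 1 \pmod n$ (so $K[\rho_n] = \mathbb{F}_p$, a constructed choice of $K$), builds $M = (\rho_n^{-ij})$, computes $\det(M)$ by Gaussian elimination modulo $p$ and compares $\det(M)^2$ with $(-1)^{n(n+1)/2+1} n^n$; the same elimination solves $M\vec{a} = \vec{\beta}$ for the coefficients $a_i$ of (2.1). The right-hand side $\vec{\beta}$ would in practice come from Theorem 2.8; the one used below is constructed.

```python
# Added example, not from the paper: Proposition 2.9 checked numerically.
# The n-th root of unity rho_n is realised inside a prime field F_p with
# p = 1 mod n (so K[rho_n] = F_p), M = (rho_n^{-ij})_{i,j=1..n} is built,
# det(M) is computed by Gaussian elimination mod p and det(M)^2 is
# compared with (-1)^{n(n+1)/2+1} n^n.  The same elimination then solves
# M a = beta, the linear system determining the coefficients a_i in (2.1).

def primitive_root_of_unity(n, p):
    """An element of exact multiplicative order n in F_p (needs n | p-1)."""
    assert (p - 1) % n == 0
    for g in range(2, p):
        rho = pow(g, (p - 1) // n, p)
        if all(pow(rho, d, p) != 1 for d in range(1, n)):
            return rho
    raise ValueError("no element of order %d in F_%d" % (n, p))

def resolvent_matrix(n, p):
    """M with M[i-1][j-1] = rho_n^{-ij} for i, j = 1..n."""
    rho_inv = pow(primitive_root_of_unity(n, p), -1, p)
    return [[pow(rho_inv, i * j, p) for j in range(1, n + 1)] for i in range(1, n + 1)]

def solve_mod_p(M, beta, p):
    """Gauss-Jordan elimination over F_p.  Returns (det(M) mod p, a) with
    M a = beta; a is None if M is singular."""
    n = len(M)
    A = [row[:] + [b] for row, b in zip(M, beta)]
    det = 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col] % p), None)
        if pivot is None:
            return 0, None
        if pivot != col:
            A[col], A[pivot] = A[pivot], A[col]
            det = -det                              # a row swap flips the sign
        det = det * A[col][col] % p
        inv = pow(A[col][col], -1, p)
        A[col] = [x * inv % p for x in A[col]]      # normalise the pivot row
        for r in range(n):
            if r != col and A[r][col]:
                factor = A[r][col]
                A[r] = [(x - factor * y) % p for x, y in zip(A[r], A[col])]
    return det % p, [row[n] for row in A]

def check_proposition_2_9(n, p):
    """True if det(M)^2 = (-1)^{n(n+1)/2+1} n^n holds in F_p."""
    det, _ = solve_mod_p(resolvent_matrix(n, p), [0] * n, p)
    predicted = (-1) ** (n * (n + 1) // 2 + 1) * n ** n % p
    return det * det % p == predicted

if __name__ == "__main__":
    for n, p in [(3, 7), (4, 13), (6, 13), (5, 11)]:
        print(n, p, check_proposition_2_9(n, p))
```

For $n = 3$ and $p = 7$ one may take $\rho_3 = 4$, giving $M = \begin{pmatrix} 2 & 4 & 1 \\ 4 & 2 & 1 \\ 1 & 1 & 1 \end{pmatrix}$ with $\det(M) = 6$ and $\det(M)^2 = 36 \equiv 1 \equiv -27 \pmod 7$, as the proposition predicts. The test uses the constructed right-hand side $\vec{\beta} = M\cdot(1,2,3)^T = (6,4,6)^T$ and recovers $(1,2,3)$.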

## 3. Application

We first recall the ray-polynomial from [MV10].

###### Definition 3.1.

Let be an elliptic curve over , a prime and a point in . Then the ray-polynomial corresponding to is defined by

$$E_P(X) = \prod_{a=1}^{(\ell-1)/2} \bigl(X - (aP)_x\bigr) \in \overline{\mathbb{F}}_p[X].$$

We remark that the ray-polynomial depends only on the subspace of spanned by . It has the following properties:

###### Lemma 3.2.
1. is a cyclic polynomial, whose cyclicity polynomial can be easily computed from the well-known division polynomials of [MV10, p. 8].

2. The field of definition of is , where is the degree of an irreducible factor of the modular polynomial (for a definition cf. [Cox89]). This follows from [Sch95, Theorems 6.1, 6.2] and is shown in [MV10, p. 3]. In the Elkies case, for an appropriate the ray-polynomial coincides with the Elkies factor (cf. [Sch95, Mor95]) and is thus .
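The ray-polynomial of Definition 3.1 and the cyclicity polynomial of Lemma 3.2(1), as an added Python example that is not code from the paper. To keep every root inside $\mathbb{F}_p$ the script searches for a toy curve with an $\mathbb{F}_p$-rational point $P$ of prime order $\ell$ (so this $\ell$ is an Elkies prime; the construction of $E_P$ is the same for Atkin primes, only over an extension field).  The cyclicity polynomial is obtained here by Lagrange interpolation through the roots, mapping $(aP)_x$ to $(caP)_x$ for a generator $c$ of $\mathbb{F}_\ell^*/\{\pm 1\}$, instead of from the division polynomials as in [MV10]; the curve found, $y^2 = x^3 + 3x$ over $\mathbb{F}_5$ with $P = (1,2)$ of order 5, is a constructed sample.

```python
# Added example, not from the paper: the ray-polynomial E_P(X) of
# Definition 3.1 and a cyclicity polynomial for it (Lemma 3.2(1)) on a toy
# curve with an F_p-rational point P of prime order l.  The cyclicity
# polynomial is interpolated through the roots (not taken from division
# polynomials as the paper does): C((kP)_x) = (ckP)_x for a generator c
# of F_l^* / {+-1}.  Polynomials are coefficient lists, lowest degree first.

def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + a x + b over F_p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, a, p):
    R = None
    for _ in range(k):
        R = ec_add(R, P, a, p)
    return R

def poly_mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def eval_poly(poly, x, p):
    return sum(c * pow(x, k, p) for k, c in enumerate(poly)) % p

def ray_polynomial(P, l, a, p):
    """E_P(X) = prod_{k=1}^{(l-1)/2} (X - (kP)_x); depends only on the span of P."""
    poly = [1]
    for k in range(1, (l - 1) // 2 + 1):
        xk = ec_mul(k, P, a, p)[0]
        poly = poly_mul(poly, [(-xk) % p, 1], p)
    return poly

def interpolate(points, p):
    """Lagrange interpolation over F_p through (x_i, y_i) with distinct x_i."""
    result = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % p, 1], p)
                denom = denom * (xi - xj) % p
        coef = yi * pow(denom, -1, p) % p
        for k, c in enumerate(num):
            result[k] = (result[k] + coef * c) % p
    return result

def cyclicity_polynomial(P, l, a, p):
    """Returns (C, c): C permutes the roots (kP)_x of E_P cyclically via k -> ck."""
    n = (l - 1) // 2
    xs = {k: ec_mul(k, P, a, p)[0] for k in range(1, n + 1)}
    def x_of(k):                        # (kP)_x = (-kP)_x, so reduce k to 1..n
        k %= l
        return xs[k if k <= n else l - k]
    for c in range(2, l):               # c generates F_l^*/{+-1} iff its n powers are distinct mod +-1
        if len({k if k <= n else l - k for k in (c ** e % l for e in range(n))}) == n:
            break
    return interpolate([(xs[k], x_of(c * k)) for k in range(1, n + 1)], p), c

def orbit_under(C, P, l, a, p):
    """Iterate C on P_x; for a cyclicity polynomial this visits all (l-1)/2 roots once."""
    x, seen = P[0], []
    while x not in seen:
        seen.append(x)
        x = eval_poly(C, x, p)
    return seen

def find_example(l, p_max=60):
    """Brute-force search for (p, a, b, P) with P of exact order l on a nonsingular curve."""
    for p in range(5, p_max):
        if any(p % d == 0 for d in range(2, p)):
            continue
        for a in range(p):
            for b in range(p):
                if (4 * a ** 3 + 27 * b ** 2) % p == 0:
                    continue
                for x in range(p):
                    rhs = (x ** 3 + a * x + b) % p
                    for y in range(p):
                        if y * y % p == rhs and ec_mul(l, (x, y), a, p) is None:
                            return p, a, b, (x, y)
```

For $\ell = 5$ the search stops at $y^2 = x^3 + 3x$ over $\mathbb{F}_5$ with $P = (1,2)$, whose multiples $P, 2P$ have $x$-coordinates $1, 4$, so $E_P(X) = (X-1)(X-4) = X^2 + 4$; with $c = 2$ the interpolated cyclicity polynomial is $C(X) = 4X$, which swaps the two roots. The test also confirms that $E_{2P} = E_P$, i.e. that the ray-polynomial depends only on the subspace spanned by $P$.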

Our overall strategy is the same as in Schoof’s algorithm. We wish to determine the value by considering the equation . Plugging in an -torsion point and restricting to -coordinates we obtain

$$\bigl(\phi_p^2(P) + pP\bigr)_x = G_t(\varphi_p(P_x)), \tag{3.1}$$

where is as in equation (1.1). Setting as in lemma 3.2 and all computations can be performed in . Lemma 3.2 again implies that is a polynomially cyclic algebra. We denote by the generator of the Galois group induced by the cyclicity polynomial . As in Schoof’s algorithm, calculating the action of dominates the run-time. Since , the overall complexity comprises operations in .
Using the results presented in section 2 we want to describe an approach that allows the run-time to be decreased. Our main idea, which was first sketched in [MV10] and worked out in detail in [Ber13], is to construct a polynomially cyclic algebra which is isomorphic to the algebra defined by means of and which allows for an efficient computation of the Frobenius homomorphism. After that, we wish to solve the resulting discrete logarithm problem in this algebra. Our approach is applicable for Atkin primes and contrasts with the various improvements available for the Elkies case, which essentially rely on transferring computations into smaller extensions of , a strategy which is impossible for Atkin primes. Obviously, our approach requires that the isomorphism between the two algebras be explicitly computed.

### 3.1. The isomorphic algebra

We now proceed to define the algebra .

###### Proposition 3.3.

Let , be a primitive -th root of unity and . Then is a polynomially cyclic algebra with , where holds.

###### Proof.

We first prove that indeed lies in . From [Sch95, Theorem 6.1, 6.2] we deduce that acts on as a scalar matrix . Hence, exhibits the double eigenvalue . Denoting the eigenvalues of this implies . Since this implies and thus . This means the Frobenius homomorphism maps roots of to other roots of this polynomial, which thus lies in .
Now let be a generator of . Then obviously generates , which implies the polynomial permutes the roots of . So is cyclic. ∎

###### Lemma 3.4.

Using the above notations as algebras over .

###### Proof.

First, we know

$$\deg(K(U)) = \#(\mathbb{F}_\ell^*)^2 = \frac{\ell-1}{2} = \deg(E_P(T)).$$

Furthermore, according to the above considerations as well as are polynomially cyclic algebras and hence the polynomials as well as decompose into irreducible factors of equal degree. It now remains to show that the degree of the factors in the factorisation of the two polynomials coincides, which implies that the factors occurring in the decomposition of and into a product of fields are isomorphic. This follows since we work over and it is thus sufficient to show that these fields have the same degree over . Since , holds and thus for we have

$$[L:A] = \min\{m : \varphi_p^{rm}(z) = z \ \forall z \in L\}.$$

We first consider . As mentioned in proposition 3.3 there is such that for all . Now let be a factor of . Writing , we obtain

$$\begin{aligned}
[L_1:A] &= \min\{m : \varphi_p^{rm}(z) = z \ \forall z \in L_1\} = \min\{m : \varphi_p^{rm}(\theta) = \theta\} \\
&= \min\{m : (a^m P)_x = \theta\} = \min\{m : a^m P = \pm P\} = \mathrm{ord}_S(a),
\end{aligned}$$

where .

Now let be a factor of . Anew we use the fact that and hence holds. It follows

$$\begin{aligned}
[L_2:A] &= \min\{m : \varphi_p^{rm}(z) = z \ \forall z \in L_2\} = \min\{m : \varphi_p^{rm}(\zeta_\ell) = \zeta_\ell\} \\
&= \min\{m : \zeta_\ell^{p^{rm}} = \zeta_\ell\} = \min\{m : p^{rm} \equiv 1 \bmod \ell\} = \mathrm{ord}_G(p^r).
\end{aligned}$$

As the groups and are isomorphic by virtue of , we glean

$$[L_1:A] = \mathrm{ord}_S(a) = \mathrm{ord}_G(a^2) = \mathrm{ord}_G(p^r) = [L_2:A].$$

So there exists an isomorphism

$$\alpha : B \to C,\quad \theta \mapsto \sum_{i=1}^{(\ell-1)/2} b_i\,\zeta_\ell^{c^{2i}} \quad\text{with } b_i \in A. \tag{3.2}$$

Furthermore, we require . The isomorphism should thus commute with the automorphism of both algebras such that the prerequisites of theorem 2.8 are satisfied.

###### Remark 3.5.

As already stated in remark 2.7 we only obtain an isomorphism of shape (3.2) if , form a basis of the algebra . This can easily be checked during actual computations and has in practice always been the case.

### 3.2. Construction of the isomorphism

In order to determine the coefficients of the isomorphism (3.2) we follow the explanations after theorem 2.8.

Let be an -th root of unity, , and

$$\chi_q : \mathrm{Gal}(B/A) \to A[\rho_q],\quad \nu \mapsto \rho_q \tag{3.3}$$

a character of order . We identify with the character

$$\chi_{q,2} : \mathrm{Gal}(C/A) \to A[\rho_q],\quad \sigma \mapsto \rho_q.$$

Then the following holds:

###### Lemma 3.6.

Let

$$b_i^{(q)} = \sum_{k=1}^{(\ell-1)/(2q)} b_{kq+i},\ 1 \le i \le q, \quad\text{and}\quad \theta^{(q)} = \sum_{j=1}^{(\ell-1)/(2q)} \nu^{jq}(\theta) \quad\text{and}\quad \zeta_\ell^{(q)} = \sum_{j=1}^{(\ell-1)/(2q)} \sigma^{jq}(\zeta_\ell).$$

Let further

$$\tau_e(\chi_q) = \sum_{a=1}^{q} \rho_q^a\,\nu^a(\theta^{(q)}) \quad\text{and}\quad \tau(\chi_q) = \sum_{j=1}^{q} \rho_q^j\,\sigma^j(\zeta_\ell^{(q)}) \quad\text{as well as}\quad \beta(\chi_q) = \sum_{i=1}^{q} \rho_q^{-i}\,b_i^{(q)}.$$

Then

$$\alpha(\tau_e(\chi_q)) = \beta(\chi_q)\cdot\tau(\chi_q).$$
###### Proof.

Using the isomorphism and the property we compute

$$\begin{aligned}
\alpha((\chi_q,\theta)) &= \sum_{a=1}^{(\ell-1)/2} \rho_q^a\,\alpha(\nu^a(\theta)) = \sum_{a=1}^{(\ell-1)/2} \rho_q^a\,\sigma^a\Bigl(\sum_{i=1}^{(\ell-1)/2} b_i\,\zeta_\ell^{c^{2i}}\Bigr) \\
&= \sum_{a=1}^{(\ell-1)/2} \rho_q^a \sum_{i=1}^{(\ell-1)/2} b_i\,\sigma^a(\zeta_\ell^{c^{2i}}) = \sum_{i=1}^{(\ell-1)/2} b_i\,\rho_q^{-i} \sum_{a=1}^{(\ell-1)/2} \rho_q^{a+i}\,\sigma^{a+i}(\zeta_\ell) \\
&= \sum_{i=1}^{(\ell-1)/2} b_i\,\rho_q^{-i} \sum_{j=1}^{(\ell-1)/2} \rho_q^j\,\sigma^j(\zeta_\ell) = \sum_{i=1}^{q} \rho_q^{-i} \sum_{k=1}^{(\ell-1)/(2q)} b_{kq+i} \sum_{j=1}^{(\ell-1)/2} \rho_q^j\,\sigma^j(\zeta_\ell) \\
&= \beta(\chi_q)\cdot(\chi_q,\zeta_\ell).
\end{aligned}$$

Using the above definitions we first glean . Further, we obtain

$$(\chi_q,\theta) = \sum_{a=1}^{(\ell-1)/2} \rho_q^a\,\nu^a(\theta) = \sum_{a=1}^{q} \sum_{j=1}^{(\ell-1)/(2q)} \rho_q^{jq+a}\,\nu^{jq+a}(\theta) = \sum_{a=1}^{q} \rho_q^a\,\nu^a(\theta^{(q)}).$$

Similarly, we get .

###### Remark 3.7.

The quantities are essentially the well-known cyclotomic Gauß sums. Since they are formed in natural analogy to these, the values were named elliptic Gauß sums in [MV10].

We first concern ourselves with the computation of . The fact that holds and theorem 2.6 imply that as well as lie in . From the last lemma we deduce

$$\tau_e(\chi_q)^q = \alpha(\tau_e(\chi_q)^q) = \alpha(\tau_e(\chi_q))^q = \beta(\chi_q)^q\cdot\tau(\chi_q)^q.$$

Hence, we obtain

$$\beta(\chi_q)^q = \frac{\tau_e(\chi_q)^q}{\tau(\chi_q)^q}. \tag{3.4}$$

The cost for computing , which lies in by definition, thus consists in calculating the -th powers of the two Lagrange resolvents and in extracting a -th root in .

Having determined for a character of order , we can employ another one of the properties from theorem 2.6 to compute . Namely, property 3 implies

$$z_{e,1} := \frac{\tau_e(\chi_q)\cdot\tau_e(\chi_q)}{\tau_e(\chi_q^2)} \in A[\rho_q] \quad\text{and}\quad z_1 := \frac{\tau(\chi_q)^2}{\tau(\chi_q^2)} \in A[\rho_q].$$

Likewise

$$z_{e,i} := \frac{\tau_e(\chi_q^i)\cdot\tau_e(\chi_q)}{\tau_e(\chi_q^{i+1})} \in A[\rho_q] \quad\text{and}\quad z_i := \frac{\tau(\chi_q^i)\cdot\tau(\chi_q)}{\tau(\chi_q^{i+1})} \in A[\rho_q]$$

holds. This yields

$$\beta(\chi_q^2) = \frac{\alpha(\tau_e(\chi_q^2))}{\tau(\chi_q^2)} = \frac{\alpha(\tau_e(\chi_q)^2)}{\tau(\chi_q)^2}\cdot\frac{z_1}{z_{e,1}} = \beta(\chi_q)^2\cdot\frac{z_1}{z_{e,1}} \quad\text{and}\quad \beta(\chi_q^{i+1}) = \beta(\chi_q^i)\,\beta(\chi_q)\cdot\frac{z_i}{z_{e,i}}. \tag{3.5}$$

Hence, the values can be determined without extracting a root again.

Now assume that for all maximal prime divisors the values have been determined and let be a character of order , so . Then we obtain

$$\beta(\chi_n) = \frac{\alpha(\tau_e(\chi_n))}{\tau(\chi_n)} = \frac{\alpha\bigl(\tau_e\bigl(\prod_{q \mid n} \chi_q^{e_q}\bigr)\bigr)}{\tau\bigl(\prod_{q \mid n} \chi_q^{e_q}\bigr)}.$$

Here,

$$\alpha\Bigl(\tau_e\Bigl(\prod_{q \mid n} \chi_q^{e_q}\Bigr)\Bigr) = \prod_{q \mid n} \alpha(\tau_e(\chi_q^{e_q}))\cdot\frac{\alpha\bigl(\tau_e\bigl(\prod_{q \mid n} \chi_q^{e_q}\bigr)\bigr)}{\prod_{q \mid n} \alpha(\tau_e(\chi_q^{e_q}))} =: \prod_{q \mid n} \alpha(\tau_e(\chi_q^{e_q}))\cdot z_{e,n}$$

and in a similar vein , where holds. Thus, we derive the equation

$$\beta(\chi_n) = \frac{\prod_{q \mid n} \alpha(\tau_e(\chi_q^{e_q}))\cdot z_{e,n}}{\prod_{q \mid n} \tau(\chi_q^{e_q})\cdot z_n} = \frac{z_{e,n}}{z_n}\cdot\prod_{q \mid n} \beta(\chi_q^{e_q}). \tag{3.6}$$

Choosing for all as in (3.3) as a primitive character allows us to compute for all characters by evaluating this formula for .

Having computed these values, we find ourselves in the situation described by theorem 2.8 and are provided with a linear system of the form

$$M \cdot \vec{b} = \vec{\beta}, \tag{3.7}$$

where , and . Since , the matrix is regular according to proposition 2.9. Hence, we can finally determine the coefficients of the isomorphism .

#### 3.2.1. Improvement

In order to avoid computing for all the characters of order , which produces major costs, in this section we present an alternative approach for determining .

First, using the definition of we derive

$$\alpha(\theta) = \sum_{i=1}^{(\ell-1)/2} b_i\,\sigma^i(\zeta_\ell) \quad\text{and}\quad \alpha(\nu^k(\theta)) = \sum_{i=1}^{(\ell-1)/2} b_i\,\sigma^{i+k}(\zeta_\ell).$$

By means of these identities we calculate

$$\begin{aligned}
\alpha(\theta^{(q)}) &= \alpha\Bigl(\sum_{j=1}^{(\ell-1)/(2q)} \nu^{jq}(\theta)\Bigr) = \sum_{j=1}^{(\ell-1)/(2q)} \sum_{i=1}^{(\ell-1)/2} b_i\,\sigma^{i+jq}(\zeta_\ell) \\
&= \sum_{i=1}^{(\ell-1)/2} b_i\,\sigma^i\Bigl(\underbrace{\sum_{j=1}^{(\ell-1)/(2q)} \sigma^{jq}(\zeta_\ell)}_{\zeta_\ell^{(q)}}\Bigr) = \sum_{i=1}^{q} \sum_{k=1}^{(\ell-1)/(2q)} b_{kq+i}\,\underbrace{\sigma^{kq+i}(\zeta_\ell^{(q)})}_{=\sigma^i(\zeta_\ell^{(q)})} \\
&= \sum_{i=1}^{q} \underbrace{\Bigl(\sum_{k=1}^{(\ell-1)/(2q)} b_{kq+i}\Bigr)}_{b_i^{(q)}}\,\sigma^i(\zeta_\ell^{(q)}) = \sum_{i=1}^{q} b_i^{(q)}\,\sigma^i(\zeta_\ell^{(q)}).
\end{aligned}$$

Hence, we require exactly the values to specify the isomorphism

$$\alpha_q : A[\theta^{(q)}] \to A[\zeta_\ell^{(q)}]$$

arising by restriction of to these sub-algebras.
To determine the one has to compute the values by extracting one -th root as in section 3.2. Subsequently, one directly proceeds to solve a linear system of equations instead of determining for general characters of order . Our new approach consists in computing the isomorphism for and in inductively constructing the isomorphism from these intermediate data.

Let and and assume the isomorphisms