Elliptic Gauß sums and Schoof’s algorithm

Elliptic Gauß sums and Schoof’s algorithm

Christian J. Berghoff Universität Bonn, Mathematisches Institut, Endenicher Allee 60, 53115 Bonn, Germany berghoff@math.uni-bonn.de
Abstract.

We present a new approach to handling the case of Atkin primes in Schoof’s algorithm for counting points on elliptic curves over finite fields. Our approach is based on the theory of polynomially cyclic algebras developed in [MV10], which we recall as far as necessary, and was elaborated in [Ber13]. We then proceed to describe our method, which essentially relies on transferring costly computations in extensions of to isomorphic ones endowed with a special structure allowing to reduce run-time. We analyse the new run-time and conclude this procedure yields some improvement as compared to the classical approaches.

1. Introduction

In this document we consider a new approach for a building block of Schoof’s algorithm, which computes the number of rational points of an elliptic curve over a finite field . In order to do so, we first recall some details on so-called polynomially cyclic algebras that were defined in [MV10] before proceeding to present our new method in section 3. A large proportion of the new content presented in this section stems from the master’s thesis [Ber13] following first considerations to this end effected in [MV10]. Whereas former improvements in run-time for Schoof’s algorithm essentially result from reducing the degree of the extensions of in which computations are performed, our overall strategy is to transfer calculations to an isomorphic extension the structure of which allows to make the step dominating the run-time much more efficient.

Within this work we will only consider primes and thus assume that the curve in question is given in the Weierstraß form

where . We will always identify with its set of points . For the following well-known statements cf. [Sil09, Was08]. We assume that the elliptic curve is neither singular nor supersingular. It is a standard fact that is an abelian group with respect to point addition. Its neutral element, the point at infinity, will be denoted . For a prime , the -torsion subgroup has the shape

Using the addition formulae for one can derive polynomials such that

(1.1)

In the endomorphism ring of the Frobenius homomorphism

satisfies the quadratic equation

(1.2)

where by the Hasse bound. By restriction acts as a linear map on . The number of points on over is given by and is thus immediate from the value of .
The idea of Schoof’s algorithm now consists in computing the value of for sufficiently many small primes by considering and in afterwards combining the results by means of the Chinese Remainder Theorem. In the original version this requires computations in extensions of degree .
However, a lot of work has been put into elaborating improvements. Let denote the discriminant of equation (1.2). Then we distinguish the following cases:

  1. If , then is called an Elkies prime. In this case, the characteristic equation factors as , so when acting on the map has two eigenvalues with corresponding eigenpoints . Since and , it obviously suffices to determine one of them. So we have to solve the discrete logarithm problem

    which only requires working in extensions of degree .

  2. If , then is called an Atkin prime. In this case the eigenvalues of are in and there is no eigenpoint . There is a generic method for computing the value of for Atkin primes, which is of equal run-time as the one available for Elkies primes. However, it does not yield the exact value of but only a set of candidates and is thus only efficient provided the cardinality of this set is small.

2. Polynomially cyclic algebras

In this section we recall facts on polynomially cyclic algebras, which were first described in [MV10]. This general framework will be used in the next section in order to elaborate a new approach to the Atkin case in Schoof’s algorithm.

Definition 2.1.

[MV10, p. 6] Let be a finite field and a polynomial with . Then we call the -algebra a polynomially cyclic algebra with cyclicity polynomial and we call a cyclic polynomial if the following conditions are satisfied:

  1. ,

  2. and for .

Here .

Remark 2.2.
  1. Every irreducible polynomial is cyclic as well. Its cyclicity polynomial is , where .

  2. If a polynomial is cyclic with cyclicity polynomial , the same holds true in all extensions of .

The following theorem provides several ways to describe cyclic polynomials.

Theorem 2.3.

[MV10, p. 6] The following conditions are equivalent:

  1. is cyclic.

  2. There exists a polynomial which cyclically permutes the roots of , i. e., for every root of the equality holds and the elements , are pairwise distinct.

  3. In the factorisation over all factors have the same degree and are pairwise distinct.

Next we describe some of the properties of polynomially cyclic algebras.

Theorem 2.4.

[MV10, p. 9] Let , , be a polynomially cyclic algebra with cyclicity polynomial , let . Then the following statements hold:

  1. The cyclicity polynomial induces an automorphism of -algebras of order in virtue of

    We write , so is the automorphism group of , generated by , which we also call the galois group of .

  2. We have , so holds.

Theorem 2.5.

[MV10, p. 11] Let be a polynomially cyclic algebra. Then the following statements hold:

  1. Let be a field extension. Then is a polynomially cyclic -algebra and there is a canonical isomorphism .

  2. Let be a subgroup. Then the subalgebra of all elements invariant under ,

    is polynomially cyclic. Conversely, if is a polynomially cyclic algebra there exists such that .
    The dimension of equals the index . In addition, there is a canonical isomorphism .

Starting from our definitions and using the properties of polynomially cyclic algebras we have mentioned we now proceed to define Lagrange resolvents in these. Again, we closely follow [MV10, p. 12]. Let , , again be a polynomially cyclic algebra with . Let be a primitive -th root of unity with minimal polynomial . We now define

Since holds, theorem 2.5 implies is a polynomially cyclic algebra over and using the canonical isomorphism we can identify the groups and . Now let be a multiplicative character. For we define the Lagrange resolvent as

The following theorem establishes some properties of the Lagrange resolvent.

Theorem 2.6.

[MV10, pp. 12-13] Let be two characters. Then the following statements hold:

  1. For we obtain

  2. If , then

  3. Likewise, we obtain

  4. For and we have

The Lagrange resolvents can now be used to solve the following general problem, which we will afterwards consider in a special case:
Let , , with cyclicity polynomials , , be two isomorphic polynomially cyclic algebras. Denoting by the automorphism induced by and setting as well as , we wish to determine, more precisely, an isomorphism

(2.1)

such that holds.

Remark 2.7.

We can only obtain an isomorphism in this shape if forms a normal basis of together with its conjugates. It turns out, however, that for the practical application we consider this seems to be always the case, which yields the existence of isomorphism (3.2) below.

In order to determine isomorphism (2.1) we can avail ourselves of the following statement:

Theorem 2.8.

[MV10, p. 14] Let, as just mentioned, be isomorphic polynomially cyclic -algebras and be the isomorphism . Let further be a primitive -th root of unity and be defined as above. Let be characters with . Then there exists , such that

More precisely,

holds.

By means of this theorem the coefficients in (2.1) can be determined in the following way [MV10, p. 14]:
For let be a character with and assume the value is known. This implies

Hence,

where , and . One thus obtains a linear system of equations for the coefficients , which can be used to determine them because of the following

Proposition 2.9.

The matrix is regular if holds. More precisely,

holds.

Proof.

It is obvious that the columns of may be rearranged to form a Vandermonde matrix of the form where and holds. The general formula for the determinant of Vandermonde matrices implies

hence

Since , holds, one obtains . Hence,

so . ∎

3. Application

We first recall the ray-polynomial from [MV10].

Definition 3.1.

Let be an elliptic curve over , a prime and a point in . Then the ray-polynomial corresponding to is defined by

We remark that the ray-polynomial depends only on the subspace of spanned by . It has the following properties:

Lemma 3.2.
  1. is a cyclic polynomial, whose cyclicity polynomial can be easily computed from the well-known division polynomials of [MV10, p. 8].

  2. The field of definition of is , where is the degree of an irreducible factor of the modular polynomial (for a definition cf. [Cox89]). This follows from [Sch95, Theorems 6.1, 6.2] and is shown in [MV10, p. 3]. In the Elkies case, for an appropriate the ray-polynomial coincides with the Elkies factor (cf. [Sch95, Mor95]) and is thus .

Our overall strategy is the same as in Schoof’s algorithm. We wish to determine the value by considering the equation . Plugging in an -torsion point and restricting to -coordinates we obtain

(3.1)

where is as in equation (1.1). Setting as in lemma 3.2 and all computations can be performed in . Lemma 3.2 again implies that is a polynomially cyclic algebra. We denote by the generator of the galois group induced by the cyclicity polynomial . As in Schoof’s algorithm, calculating the action of dominates the run-time. Since , the overall complexity comprises operations in .
Using the results presented in section 2 we want to describe an approach allowing to decrease the run-time. Our main idea, which was first sketched in [MV10] and worked out in detail in [Ber13], is to construct a polynomially cyclic algebra which is isomorphic to the algebra defined by means of and which allows for an efficient computation of the Frobenius homomorphism. After that, we wish to solve the resulting discrete logarithm problem in this algebra. Our approach is applicable for Atkin primes and contrasts with the various improvements available for the Elkies case, which essentially rely on transferring computations into smaller extensions of , a strategy which is impossible for Atkin primes. Obviously, our approach requires that the isomorphism between the two algebras be explicitly computed.

3.1. The isomorphic algebra

We now proceed to define the algebra .

Proposition 3.3.

Let , be a primitive -th root of unity and . Then is a polynomially cyclic algebra with , where holds.

Proof.

We first prove that indeed lies in . From [Sch95, Theorem 6.1, 6.2] we deduce that acts on as a scalar matrix . Hence, exhibits the double eigenvalue . Denoting the eigenvalues of this implies . Since this implies and thus . This means the Frobenius homomorphism maps roots of to other roots of this polynomial, which thus lies in .
Now let be a generator of . Then obviously generates , which implies the polynomial permutes the roots of . So is cyclic. ∎

Lemma 3.4.

Using the above notations as algebras over .

Proof.

First, we know

Furthermore, according to the above considerations as well as are polynomially cyclic algebras and hence the polynomials as well as decompose into irreducible factors of equal degree. It now remains to show that the degree of the factors in the factorisation of the two polynomials coincides, which implies that the factors occurring in the decomposition of and into a product of fields are isomorphic. This follows since we work over and it is thus sufficient to show that these fields have the same degree over . Since , holds and thus for we have

We first consider . As mentioned in proposition 3.3 there is such that for all . Now let be a factor of . Writing , we obtain

where .

Now let be a factor of . Anew we use the fact that and hence holds. It follows

As the groups and are isomorphic by virtue of , we glean

So there exists an isomorphism

(3.2)

Furthermore, we require . The isomorphism should thus commute with the automorphism of both algebras such that the prerequisites of theorem 2.8 are satisfied.

Remark 3.5.

As already stated in remark 2.7 we only obtain an isomorphism of shape (3.2) if , form a basis of the algebra . This can easily be checked during actual computations and has in practice always been the case.

3.2. Construction of the isomorphism

In order to determine the coefficients of the isomorphism (3.2) we follow the explanations after theorem 2.8.

Let be an -th root of unity, , and

(3.3)

a character of order . We identify with the character

Then the following holds:

Lemma 3.6.

Let

Let further

Then

Proof.

Using the isomorphism and the property we compute

Using the above definitions we first glean . Further, we obtain

Similarly, we get .

Remark 3.7.

The quantities are essentially the well-known cyclotomic Gauß sums. Since they are formed in natural analogy to these, the values were named elliptic Gauß sums in [MV10].

We first concern ourselves with the computation of . The fact that holds and theorem 2.6 imply that as well as lie in . From the last lemma we deduce

Hence, we obtain

(3.4)

The cost for computing , which lies in by definition, thus consists in calculating the -th powers of the two Lagrange resolvents and in extracting a -th root in .

Having determined for a character of order , we can employ another one of the properties from theorem 2.6 to compute . Namely, property 3 implies

Likewise

holds. This yields

(3.5)

Hence, the values can be determined without extracting a root again.

Now assume that for all maximal prime divisors the values have been determined and let be a character of order , so . Then we obtain

Here,

and in a similar vein , where holds. Thus, we derive the equation

(3.6)

Choosing for all as in (3.3) as a primitive character allows us to compute for all characters by evaluating this formula for .

Having computed these values, we find ourselves in the situation described by theorem 2.8 and are provided with a linear system of the form

(3.7)

where , and . Since , the matrix is regular according to proposition 2.9. Hence, we can finally determine the coefficients of the isomorphism .

3.2.1. Improvement

In order to avoid computing for all the characters of order , which produces major costs, in this section we present an alternative approach for determining .

First, using the definition of we derive

By means of these identities we calculate

Hence, we require exactly the values to specify the isomorphism

arising by restriction of to these sub-algebras.
To determine the one has to compute the values by extracting one -th root as in section 3.2. Subsequently, one directly proceeds to solve a linear system of equations instead of determining for general characters of order . Our new approach consists in computing the isomorphism for and in inductively constructing the isomorphism from these intermediate data.

Let and and assume the isomorphisms