Universal elliptic Gauß sums and applications
We present new ideas for computing the elliptic Gauß sums introduced in [15, 13] which constitute an analogue of the classical cyclotomic Gauß sums and whose use has been proposed in the context of counting points on elliptic curves and primality tests [14, 7]. By means of certain well-known modular functions we define the universal elliptic Gauß sums and prove they admit an efficiently computable representation in terms of the -invariant and another modular function. After that, we show how this representation can be used for obtaining the elliptic Gauß sum associated to an elliptic curve over a finite field , which may then be employed for counting points or primality proving.
1. Elliptic curves
Within this work we will only consider primes and thus assume that the curve in question is given in the Weierstraß form
where . We will always identify with its set of points . For the following well-known statements cf. [26, 29]. We assume that the elliptic curve is neither singular nor supersingular. It is a standard fact that is an abelian group with respect to point addition. Its neutral element, the point at infinity, will be denoted . For a prime , the -torsion subgroup has the shape
In the endomorphism ring of the Frobenius homomorphism
satisfies the quadratic equation
where by the Hasse bound. By restriction acts as a linear map on . The number of points on over is given by and is thus immediate from the value of .
The idea of Schoof’s algorithm now consists in computing the value of modulo for sufficiently many small primes by considering modulo and in afterwards combining the results by means of the Chinese Remainder Theorem. In the original version this requires computations in extensions of degree .
However, a lot of work has been put into elaborating improvements. Let denote the discriminant of equation (1.1). Then we distinguish the following cases:
If , then is called an Elkies prime. In this case, the characteristic equation factors as , so when acting on the map has two eigenvalues with corresponding eigenpoints . Since and , it suffices to determine one of them by solving the discrete logarithm problem
which only requires working in extensions of degree .
If , then is called an Atkin prime. In this case the eigenvalues of are in and there is no eigenpoint . There is a generic method for computing the value of for Atkin primes, which is of equal run-time as the one available for Elkies primes. However, it does not yield the exact value of but only a set of candidates and is thus only efficient provided the cardinality of this set is small.
The approach to Elkies primes was further improved in numerous publications, e. g. [12, 8, 2, 6, 3, 27]. We focus on the new ideas introduced in . The algorithm it presents allows to work in extensions of degree , where runs through maximal coprime divisors of , using so-called elliptic Gaussian periods.
A variant of this approach was presented in  and . It relies instead on so-called elliptic Gauß sums. For a character of order with these are defined in analogy to the classical cyclotomic Gauß sums via
for an -torsion point on , where for even and for odd. As was shown in ,
holds. In addition, the discrete logarithm in of the eigenvalue corresponding to can directly be calculated modulo using the equation
where holds. When the quantities from equation (1.3) have been computed, it thus suffices to perform calculations in the extension of degree to derive the discrete logarithm of in modulo before composing the modular information by means of the Chinese remainder theorem. In the following sections we will present a way to compute the quantities in question using universal elliptic Gauß sums, which we will define in equation (2.19), instead of using the definition (1.2), which requires passing through larger extensions.
2. Universal elliptic Gauß sums
2.1. Modular functions
As usual, we denote and . Elements act on the upper complex half-plane via
are subgroups of that we will later use.
[10, p. 125] Let be a meromorphic function on , and , such that for some . Furthermore, let satisfy the following conditions:
for all . This implies in particular that may be written as a Laurent series in terms of
In the Fourier expansion
holds for , , for all . One also says that is meromorphic at the cusps.
Then is called a modular function of weight for . We denote by the set of all such modular functions.
It suffices to check the second condition for a set of representatives of .
[9, p. 112] Let be a modular function for . Let be a prime. Then we define the Fricke-Atkin-Lehner involution by
For this yields
We will make use of the following modular functions:
is the Dedekind -function. The Eisenstein series and are modular functions of weight and , respectively, for . is the discriminant of the elliptic curve corresponding to the lattice (cf. theorem 2.18) and is its -invariant. They are likewise modular functions for of weight and , respectively. is a modular function of weight for . The function was studied in detail in , where it is shown to be a modular function of weight for . We remark that this already follows from general results on so-called eta-quotients established in [22, 21].
The -invariant is surjective and plays a fundamental role in the theory of modular functions, as is shown by the following
Denoting by the subset of holomorphic functions of weight for we have
so the modular functions of weight are the rational functions in , whereas the holomorphic ones are the polynomials in .
2.2. Modular functions for
Our goal now is to prove the following statement, which can be seen as a generalization of theorem 2.5 to the group and which is crucial for later considerations.
Let be a modular function of weight for , but not for . Then
holds. In particular, for there exist polynomials with
We shall proceed in several steps. First, we show the following
Let be a normal divisor of finite index in . Then is a galois extension with
Let , then holds for all : Since is a normal divisor in , the equation holds for . We deduce
Furthermore, is meromorphic at the cusps, since is. Replacing by , we see that
defines a bijection. Due to the invariance of the elements of under (since induces the identity) and of under it follows that the finite group is the automorphism group of and fixes . Galois theory now implies our claim. ∎
A special case is given by
[24, p. 134] Let . is a galois extension with
We remark that obviously implies the isomorphism and hence
Let be a subgroup of with , then
holds. In particular is a finite extension of of degree .
Since is the kernel of the reduction map modulo , holds. This yields . Since we have in addition
the statement concerning the galois group is implied by galois theory. Hence, we obtain and . ∎
For we glean
Before proving theorem 2.6 we still need the following
Let be a field, . Then
defines a bijection and there are no intermediate groups between and .
The first statement is trivial since the -action on is transitive and is the stabiliser of .
the action of on is transitive.
Now let . Then and are contained in , as is the stabiliser of . On this account there exists such that
hence or equivalently holds. Thus, and generate , which means there are no intermediate groups between and . ∎
Proof of theorem 2.6.
Let be a prime. The considerations above show
as well as
Hence, by galois theory the intermediate fields of the extension correspond exactly to the intermediate groups between and . Applying lemma 2.10 with and observing that holds, we deduce there are no intermediate groups between and and thus no intermediate fields between and . This directly implies for any . ∎
Hence, modular functions of weight for , in particular the universal elliptic Gauß sums to be defined in corollary 2.25, admit a representation as a rational expression in terms of and another modular function . However, theorem 2.6 only implies the existence of such an expression. In order to obtain an efficient algorithm for determining it we will need further results. In addition we have to discuss the choice of the second function . For the following results we closely follow [5, pp. 228–231]. However, our results are slightly more general.
Let be holomorphic on . Then there exists an irreducible polynomial such that
First, we remark that , where
is a system of representatives for , as is shown in [19, p. 54]. We now consider the polynomial in
and examine its coefficients. Since they are elementary symmetric polynomials in terms of they are obviously holomorphic on . Let . Since the constitute a system of representatives of , the values , , are a permutation of the values . Hence, the coefficients of are invariant under . The modular function is meromorphic at the cusps, so this is also the case for . Hence, the coefficients are meromorphic at the cusps and thus functions in . According to theorem 2.5 they are therefore polynomials in . Thus, there exists a polynomial satisfying
which obviously has as one of its roots. Since there are no intermediate fields between and as we have seen, the polynomial has to be irreducible. ∎
The following statement, which may be proven by a generalisation of the considerations from [5, pp. 230–231] finally provides a first approach for an efficient algorithm.
Let be a modular function and . Then admits the representation
where is a polynomial in which can be explicitly specified in terms of
If is holomorphic, one even obtains ; hence, the enumerator of the rational expression is a polynomial in and .
The representation from theorem 2.12 is far from optimal from an algorithmic point of view since it does not allow to obtain good bounds on the powers of , the coefficients of which grow very fast, occurring in the enumerator. We will rather make use of the following statements.
[20, pp. 206–208] Let be an extension of fields, be a ring. Let have the minimal polynomial of degree . Then the -module
has the -basis
Let be a holomorphic modular function and let with minimal polynomial with . Then admits a representation of the form
We apply lemma 2.14 for , and and hence . Furthermore, we choose
Obviously, all elements of and hence as well as are holomorphic. So . Using lemma 2.14 we obtain the assertion. ∎
We now consider special values for .
In  the choice , where is defined as in (2.6), was extensively examined and made applicable in the context of Schoof’s algorithm. The construction of and the relation between and imply is also holomorphic on . In this case we write . The polynomial has likewise coefficients in and the degree in the second variable is , as is shown in [19, pp. 61–62]. This causes its coefficients to grow much slower than those of .
Using this specialisation we obtain the following
Let be a holomorphic modular function. Then admits the following representation:
for a and a polynomial with .
We apply corollary 2.15, setting . As mentioned, is holomorphic, and this also holds for . We now show , which implies the holomorphic functions in are given by . The assertion then follows using corollary 2.15.
By definition, holds. Applying the Fricke-Atkin-Lehner involution from definition 2.3 to this equation we obtain that is a root of . Writing yields
where are the elementary-symmetric polynomials in the roots of . In [19, p. 63] it is shown the Laurent series of these functions have the orders
from which we conclude
Using equation (2.9) now implies and for . So is a polynomial of degree in if . Due to the surjectivity of there exists such that . Thus, for one of the transformations introduced in lemma 2.11 the identity holds. Hence, attains all values . ∎
2.3. The Tate curve
In this section we will define the universal elliptic Gauß sums before considering applications in section 3. We first recall the Weierstraß -function.
[5, p. 200] Let be the lattice generated by . The Weierstraß -function associated to is defined via
For the special lattices with we write
Its derivative is
[26, pp. 159–161] Let be an elliptic curve. Then there exist , such that setting there is a complex-analytic isomorphism
The following series expansions of the Weierstraß -function will be used several times:
[25, p. 50] Let , . Then for the following equations hold:
Using the equation for the geometric series and its derivatives the series expansions for and may be transformed, which is useful both for proofs and for actual computations. In this way for we obtain the formulae
In the cases we consider is a root of unity. Hence all series expansions can be studied in this form since for .
[25, p. 410–411]
There is a complex-analytic isomorphism
As follows from the last statement, the Tate curve parametrises isomorphism classes of elliptic curves over . This is the main idea of the applications presented in section 3. One can compute the objects in question, the elliptic Gauß sums from equation (1.2), as formal power series in by means of the Tate curve. Proposition 2.16 and corollary 2.25 show that the resulting power series admit a representation as a rational expression in terms of and . These formulae may then be specialised to a concrete elliptic curve over (or over after reduction) by replacing the formal variable by as detailed in section 3.
We now study the behaviour of and under transformations from . Using lemma 2.19 this will yield results on the behaviour of as well as . First, we derive the following
Let and . Then
where we make use of the abbreviation