# Universal elliptic Gauß sums and applications

Christian J. Berghoff, Universität Bonn, Mathematisches Institut, Endenicher Allee 60, 53115 Bonn, Germany
###### Abstract.

We present new ideas for computing the elliptic Gauß sums introduced in [15, 13] which constitute an analogue of the classical cyclotomic Gauß sums and whose use has been proposed in the context of counting points on elliptic curves and primality tests [14, 7]. By means of certain well-known modular functions we define the universal elliptic Gauß sums and prove they admit an efficiently computable representation in terms of the -invariant and another modular function. After that, we show how this representation can be used for obtaining the elliptic Gauß sum associated to an elliptic curve over a finite field , which may then be employed for counting points or primality proving.

## 1. Elliptic curves

Within this work we will only consider primes and thus assume that the curve in question is given in the Weierstraß form

$$E:\ Y^2 = X^3 + aX + b = f(X),$$

where . We will always identify with its set of points . For the following well-known statements cf. [26, 29]. We assume that the elliptic curve is neither singular nor supersingular. It is a standard fact that is an abelian group with respect to point addition. Its neutral element, the point at infinity, will be denoted . For a prime , the -torsion subgroup has the shape

$$E[\ell] \cong \mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}.$$

In the endomorphism ring of the Frobenius homomorphism

$$\phi_p: (X, Y) \mapsto (\varphi_p(X), \varphi_p(Y)) = (X^p, Y^p)$$

satisfies the quadratic equation

(1.1) $$0 = \chi(\phi_p) = \phi_p^2 - t\phi_p + p,$$

where by the Hasse bound. By restriction acts as a linear map on . The number of points on over is given by and is thus immediate from the value of .
The idea of Schoof's algorithm consists in computing the value of  modulo  for sufficiently many small primes  by considering  modulo  and afterwards combining the results by means of the Chinese Remainder Theorem. In the original version this requires computations in extensions of degree .
However, a lot of work has been put into elaborating improvements. Let denote the discriminant of equation (1.1). Then we distinguish the following cases:

1. If , then is called an Elkies prime. In this case, the characteristic equation factors as , so when acting on the map has two eigenvalues with corresponding eigenpoints . Since and , it suffices to determine one of them by solving the discrete logarithm problem

$$\lambda P = \phi_p(P) = (P_x^p, P_y^p),$$

which only requires working in extensions of degree .

2. If , then  is called an Atkin prime. In this case the eigenvalues of  are in  and there is no eigenpoint . There is a generic method for computing the value of  for Atkin primes, which has the same running time as the one available for Elkies primes. However, it does not yield the exact value of  but only a set of candidates, and it is thus only efficient provided the cardinality of this set is small.

The approach to Elkies primes was further improved in numerous publications, e. g. [12, 8, 2, 6, 3, 27]. We focus on the new ideas introduced in [16]. The algorithm it presents allows one to work in extensions of degree , where  runs through maximal coprime divisors of , using so-called elliptic Gaussian periods.

A variant of this approach was presented in [15] and [17]. It relies instead on so-called elliptic Gauß sums. For a character of order with these are defined in analogy to the classical cyclotomic Gauß sums via

(1.2) $$G_{\ell,n,\chi}(E) = \sum_{a=1}^{\ell-1} \chi(a)\,(aP)_V$$

for an -torsion point on , where for even and for odd. As was shown in [15],

(1.3) $$G_{\ell,n,\chi}(E)^n,\qquad \frac{G_{\ell,n,\chi}(E)^m}{G_{\ell,n,\chi^m}(E)} \in \mathbb{F}_p[\zeta_n] \quad\text{for } m$$

holds. In addition, the discrete logarithm in of the eigenvalue corresponding to can directly be calculated modulo using the equation

(1.4) $$G_{\ell,n,\chi}(E)^p = \chi^{-p}(\lambda)\,G_{\ell,n,\chi^p}(E) \;\Rightarrow\; \frac{G_{\ell,n,\chi}(E)^m}{G_{\ell,n,\chi^m}(E)}\bigl(G_{\ell,n,\chi}(E)^n\bigr)^q = \chi^{-m}(\lambda),$$

where holds. When the quantities from equation (1.3) have been computed, it thus suffices to perform calculations in the extension of degree to derive the discrete logarithm of in modulo before composing the modular information by means of the Chinese remainder theorem. In the following sections we will present a way to compute the quantities in question using universal elliptic Gauß sums, which we will define in equation (2.19), instead of using the definition (1.2), which requires passing through larger extensions.
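As an added illustration of the statements of this section (the script below is not part of the paper), the following Python code counts the points of a curve over a small prime field by brute force, reads off the trace $t$ from $\#E(\mathbb{F}_p) = p + 1 - t$, checks the characteristic equation (1.1) on the rational points (the Frobenius fixes every point of $E(\mathbb{F}_p)$, so there (1.1) collapses to $\#E(\mathbb{F}_p)\cdot P = O$), decides for small primes $\ell$ whether they are Elkies or Atkin primes from the Legendre symbol of $t^2 - 4p$ modulo $\ell$, and lists the roots of $X^2 - tX + p$ in $\mathbb{Z}/\ell\mathbb{Z}$, i.e. the Frobenius eigenvalues. The curve $Y^2 = X^3 + X + 1$ over $\mathbb{F}_{11}$, the primes $\ell$ tried, and the label "ramified" for $\ell \mid t^2 - 4p$ are choices made here for illustration.

```python
"""Frobenius trace, the characteristic equation (1.1) and the Elkies/Atkin split.

Added example, not from the paper: brute-force point counting over F_p for a
small prime p, so it checks the theory rather than implementing Schoof's algorithm.
"""


def legendre(a, p):
    """Legendre symbol (a/p): 1 for a non-zero square, -1 for a non-square, 0 if p | a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


class Curve:
    """E: Y^2 = X^3 + aX + b over F_p; affine points are (x, y), the point O is None."""

    def __init__(self, a, b, p):
        if (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("singular curve")
        self.a, self.b, self.p = a % p, b % p, p

    def f(self, x):
        return (x**3 + self.a * x + self.b) % self.p

    def points(self):
        """All of E(F_p) by brute force (fine for the small p used here)."""
        pts = [None]
        for x in range(self.p):
            pts += [(x, y) for y in range(self.p) if y * y % self.p == self.f(x)]
        return pts

    def order(self):
        """#E(F_p) = 1 + sum_x (1 + (f(x)/p)) = p + 1 + sum_x (f(x)/p)."""
        return self.p + 1 + sum(legendre(self.f(x), self.p) for x in range(self.p))

    def trace(self):
        """The t of (1.1): #E(F_p) = p + 1 - t, with |t| <= 2 sqrt(p) (Hasse bound)."""
        return self.p + 1 - self.order()

    def add(self, P, Q):
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None                                  # Q = -P
        if P == Q:
            lam = (3 * P[0] ** 2 + self.a) * pow(2 * P[1], p - 2, p)
        else:
            lam = (Q[1] - P[1]) * pow(Q[0] - P[0], p - 2, p)
        lam %= p
        x = (lam * lam - P[0] - Q[0]) % p
        return (x, (lam * (P[0] - x) - P[1]) % p)

    def mul(self, k, P):
        """k * P for k >= 0 by double-and-add."""
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def check_char_equation(self):
        """The Frobenius fixes every point of E(F_p), so on rational points (1.1)
        reads (1 - t + p) P = #E(F_p) P = O; this holds for every P by Lagrange."""
        N = self.order()
        return all(self.mul(N, P) is None for P in self.points())


def classify(t, p, ell):
    """Elkies prime if t^2 - 4p is a non-zero square mod ell, Atkin prime if it is a
    non-square (ell an odd prime different from p); 'ramified' is this script's
    own label for the case ell | t^2 - 4p, which the text above does not treat."""
    return {1: "Elkies", -1: "Atkin", 0: "ramified"}[legendre(t * t - 4 * p, ell)]


def frobenius_eigenvalues(t, p, ell):
    """Roots of chi(X) = X^2 - tX + p in Z/ell: two for an Elkies prime, none for Atkin."""
    return [lam for lam in range(ell) if (lam * lam - t * lam + p) % ell == 0]


def rational_torsion_point(E, ell):
    """A point of exact order ell in E(F_p) via cofactor multiplication, or None.
    It exists iff ell | #E(F_p); being fixed by the Frobenius, it is an eigenpoint
    for the eigenvalue lambda = 1."""
    N = E.order()
    if N % ell:
        return None
    for P in E.points():
        Q = E.mul(N // ell, P)
        if Q is not None:
            return Q
    return None


if __name__ == "__main__":
    E = Curve(1, 1, 11)                     # illustration: Y^2 = X^3 + X + 1 over F_11
    t = E.trace()
    print("#E(F_11) =", E.order(), "t =", t, "(1.1) on E(F_p):", E.check_char_equation())
    for ell in (3, 5, 7, 13, 17):
        print(ell, classify(t, 11, ell), frobenius_eigenvalues(t, 11, ell))
    print("rational 7-torsion point:", rational_torsion_point(E, 7))
```

For this curve $\#E(\mathbb{F}_{11}) = 14$ and $t = -2$, so $7$ is an Elkies prime with eigenvalues $1$ and $4$ modulo $7$; the eigenvalue $1$ is visible as the rational point of order $7$ that the cofactor multiplication returns, while $3$ and $17$ are Atkin primes and $\chi$ has no root modulo them.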

## 2. Universal elliptic Gauß sums

### 2.1. Modular functions

In this section we recall some facts on modular functions which we will later use. We refer the reader to [1, 10, 24].

As usual, we denote and . Elements act on the upper complex half-plane via

$$\gamma: \mathbb{H} \to \mathbb{H},\quad \tau \mapsto \frac{a\tau + b}{c\tau + d}.$$

For

$$\Gamma_0(N) = \left\{\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma : c \equiv 0 \bmod N\right\}\quad\text{and}\quad \Gamma(N) = \left\{\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma : a \equiv d \equiv 1 \bmod N,\ b \equiv c \equiv 0 \bmod N\right\} = \left\{\gamma \in \Gamma : \gamma \equiv \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \bmod N\right\}$$

are subgroups of that we will later use.

###### Definition 2.1.

[10, p. 125] Let be a meromorphic function on , and , such that for some . Furthermore, let satisfy the following conditions:

1. for all . This implies in particular that may be written as a Laurent series in terms of

$$q_N = q^{1/N} = \exp\left(\frac{2\pi i\tau}{N}\right), \quad\text{where we use the notation } q = q_1.$$
2. In the Fourier expansion

$$f(\gamma\tau) = \sum_{n \in \mathbb{Z}} a_n q_N^n$$

holds for , , for all . One also says that is meromorphic at the cusps.

Then is called a modular function of weight for . We denote by the set of all such modular functions.

###### Remark 2.2.

It suffices to check the second condition for a set of representatives of .

###### Definition 2.3.

[9, p. 112] Let be a modular function for . Let be a prime. Then we define the Fricke-Atkin-Lehner involution by

$$w_\ell: f(\tau) \mapsto f\left(\begin{pmatrix} 0 & -1 \\ \ell & 0 \end{pmatrix}\tau\right) = f\left(-\frac{1}{\ell\tau}\right) =: f^*(\tau).$$
###### Remark 2.4.

For this yields

$$f^*(\tau) = f\left(-\frac{1}{\ell\tau}\right) = f\left(\begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}\ell\tau\right) = f(\ell\tau).$$

We will make use of the following modular functions:

(2.1) $$E_4(\tau) = E_4(q) = 1 + 240\sum_{n=1}^{\infty} \frac{n^3 q^n}{1 - q^n},$$
(2.2) $$E_6(\tau) = E_6(q) = 1 - 504\sum_{n=1}^{\infty} \frac{n^5 q^n}{1 - q^n},$$
(2.3) $$\Delta(\tau) = \frac{E_4(\tau)^3 - E_6(\tau)^2}{1728},$$
(2.4) $$j(\tau) = \frac{E_4(\tau)^3}{\Delta(\tau)},$$
(2.5) $$p_1(q) = \frac{\ell}{12}\bigl(E_2(q) - \ell E_2(q^\ell)\bigr),$$
(2.6) $$m_\ell(q) = \ell^s\left(\frac{\eta(q^\ell)}{\eta(q)}\right)^{2s} \quad\text{with } s = \frac{12}{\gcd(12, \ell - 1)}.$$

Here,

(2.7) $$E_2(q) = 1 - 24\sum_{n=1}^{\infty} \frac{n q^n}{1 - q^n} \quad\text{and}$$
(2.8) $$\eta(\tau) = \eta(q) = q^{1/24}\prod_{n=1}^{\infty}(1 - q^n)$$

is the Dedekind -function. The Eisenstein series and are modular functions of weight and , respectively, for . is the discriminant of the elliptic curve corresponding to the lattice (cf. theorem 2.18) and is its -invariant. They are likewise modular functions for of weight and , respectively. is a modular function of weight for . The function was studied in detail in [19], where it is shown to be a modular function of weight for . We remark that this already follows from general results on so-called eta-quotients established in [22, 21].

The -invariant is surjective and plays a fundamental role in the theory of modular functions, as is shown by the following

###### Theorem 2.5.

Denoting by the subset of holomorphic functions of weight for we have

$$A_0(\Gamma) = \mathbb{C}(j(\tau)) \quad\text{and}\quad H_0(\Gamma) = \mathbb{C}[j(\tau)],$$

so the modular functions of weight are the rational functions in , whereas the holomorphic ones are the polynomials in .

### 2.2. Modular functions for Γ0(ℓ)

Our goal now is to prove the following statement, which can be seen as a generalization of theorem 2.5 to the group and which is crucial for later considerations.

###### Theorem 2.6.

Let be a modular function of weight for , but not for . Then

$$A_0(\Gamma_0(\ell)) = A_0(\Gamma)(f(\tau)) = \mathbb{C}(f(\tau), j(\tau))$$

holds. In particular, for there exist polynomials with

$$g(\tau) = \frac{P_1(f(\tau), j(\tau))}{P_2(f(\tau), j(\tau))}.$$

We shall proceed in several steps. First, we show the following

###### Theorem 2.7.

Let  be a normal subgroup of finite index in . Then  is a Galois extension with

$$\mathrm{Gal}(A_0(\Gamma')/A_0(\Gamma)) \leq \Gamma/\Gamma'.$$
###### Proof.

Let , then  holds for all : Since  is a normal subgroup of , the equation  holds for . We deduce

$$f(\gamma\delta\tau) = f(\tilde\delta\gamma\tau) = f(\gamma\tau) \quad\text{for all } \delta \in \Gamma'.$$

Furthermore, is meromorphic at the cusps, since is. Replacing by , we see that

$$\gamma^*: A_0(\Gamma') \to A_0(\Gamma'),\quad f \mapsto f \circ \gamma$$

defines a bijection. Due to the invariance of the elements of under (since induces the identity) and of under it follows that the finite group is the automorphism group of and fixes . Galois theory now implies our claim. ∎

A special case is given by

###### Lemma 2.8.

[24, p. 134] Let . Then  is a Galois extension with

$$\mathrm{Gal}(A_0(\Gamma(N))/A_0(\Gamma)) \cong \Gamma/(\pm\Gamma(N)).$$

We remark that obviously implies the isomorphism and hence

$$\mathrm{Gal}(A_0(\Gamma(N))/A_0(\Gamma)) \cong \mathrm{SL}_2(\mathbb{Z}/N\mathbb{Z})/\{\pm 1\}.$$
###### Corollary 2.9.

Let be a subgroup of with , then

$$\mathrm{Gal}(A_0(\Gamma(N))/A_0(\Gamma')) \cong (\pm\Gamma')/(\pm\Gamma(N))$$

holds. In particular is a finite extension of of degree .

###### Proof.

Since is the kernel of the reduction map modulo , holds. This yields . Since we have in addition

$$A_0(\Gamma(N))^{\Gamma'} = \{f \in A_0(\Gamma(N)) : f \circ \gamma = f\ \ \forall\,\gamma \in \Gamma'\} = A_0(\Gamma'),$$

the statement concerning the Galois group is implied by Galois theory. Hence, we obtain  and . ∎

For we glean

$$\mathrm{Gal}(A_0(\Gamma(N))/A_0(\Gamma_0(N))) \cong (\pm\Gamma_0(N))/(\pm\Gamma(N)) \cong \left\{\begin{pmatrix} a & b \\ 0 & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z}/N\mathbb{Z})\right\}/\{\pm 1\}.$$

Before proving theorem 2.6 we still need the following

###### Lemma 2.10.

Let be a field, . Then

$$G/B \to \mathbb{P}^1(K),\quad g \cdot B \mapsto g \cdot \infty = g \cdot [1, 0], \quad\text{where } g \cdot [v] \mapsto [gv], \text{ i.e. } \begin{pmatrix} a & b \\ c & d \end{pmatrix} \cdot B \mapsto [a, c]$$

defines a bijection and there are no intermediate groups between and .

###### Proof.

The first statement is trivial since the -action on is transitive and is the stabiliser of .
Since

$$\begin{pmatrix} 1 & b \\ 0 & 1 \end{pmatrix}[0, 1] \mapsto [b, 1],$$

the action of on is transitive.

Now let . Then and are contained in , as is the stabiliser of . On this account there exists such that

$$h \cdot \infty = b \cdot g \cdot \infty,$$

hence or equivalently holds. Thus, and generate , which means there are no intermediate groups between and . ∎

###### Proof of theorem 2.6.

Let be a prime. The considerations above show

$$G = \mathrm{Gal}(A_0(\Gamma(\ell))/A_0(\Gamma)) \cong \mathrm{SL}_2(\mathbb{Z}/\ell\mathbb{Z})/\{\pm 1\}$$

as well as

$$B = \mathrm{Gal}(A_0(\Gamma(\ell))/A_0(\Gamma_0(\ell))) \cong \left\{\begin{pmatrix} a & b \\ 0 & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z}/\ell\mathbb{Z})\right\}/\{\pm 1\}.$$

Hence, by Galois theory the intermediate fields of the extension  correspond exactly to the intermediate groups between  and . Applying lemma 2.10 with  and observing that  holds, we deduce there are no intermediate groups between  and  and thus no intermediate fields between  and . This directly implies  for any . ∎

Hence, modular functions of weight for , in particular the universal elliptic Gauß sums to be defined in corollary 2.25, admit a representation as a rational expression in terms of and another modular function . However, theorem 2.6 only implies the existence of such an expression. In order to obtain an efficient algorithm for determining it we will need further results. In addition we have to discuss the choice of the second function . For the following results we closely follow [5, pp. 228–231]. However, our results are slightly more general.

###### Lemma 2.11.

Let be holomorphic on . Then there exists an irreducible polynomial such that

$$Q_f(f(\tau), j(\tau)) = 0.$$
###### Proof.

First, we remark that , where

is a system of representatives for , as is shown in [19, p. 54]. We now consider the polynomial in

$$Q_f(X, \tau) = \prod_{k=0}^{\ell}\bigl(X - f(S_k\tau)\bigr)$$

and examine its coefficients. Since they are elementary symmetric polynomials in terms of they are obviously holomorphic on . Let . Since the constitute a system of representatives of , the values , , are a permutation of the values . Hence, the coefficients of are invariant under . The modular function is meromorphic at the cusps, so this is also the case for . Hence, the coefficients are meromorphic at the cusps and thus functions in . According to theorem 2.5 they are therefore polynomials in . Thus, there exists a polynomial satisfying

$$Q_f(X, j(\tau)) = \prod_{k=0}^{\ell}\bigl(X - f(S_k\tau)\bigr),$$

which obviously has as one of its roots. Since there are no intermediate fields between and as we have seen, the polynomial has to be irreducible. ∎

The following statement, which may be proven by a generalisation of the considerations from [5, pp. 230–231], finally provides a first approach to an efficient algorithm.

###### Theorem 2.12.

Let be a modular function and . Then admits the representation

$$g(\tau) = \frac{Q(f(\tau), j(\tau))}{\frac{\partial Q_f}{\partial X}(f(\tau), j(\tau))},$$

where is a polynomial in which can be explicitly specified in terms of

$$\{g(S_k\tau),\ f(S_k\tau),\ k = 0, \dots, \ell\}.$$

If  is holomorphic, one even obtains ; hence, the numerator of the rational expression is a polynomial in  and .

###### Remark 2.13.

The case we are interested in, viz. when the function is holomorphic, is also a direct consequence of lemma 2.14 from [20, pp. 206–208], which we present below.

The representation from theorem 2.12 is far from optimal from an algorithmic point of view, since it does not allow one to obtain good bounds on the powers of  occurring in the numerator, whose coefficients grow very fast. We will rather make use of the following statements.

###### Lemma 2.14.

[20, pp. 206–208] Let be an extension of fields, be a ring. Let have the minimal polynomial of degree . Then the -module

$$C_\alpha = \{x \in L \mid \mathrm{Tr}_{L/K}(x\,\mathcal{O}[\alpha]) \subseteq \mathcal{O}\}$$

has the -basis

$$\left\{\frac{\alpha^i}{f'(\alpha)},\ i = 0, \dots, n-1\right\}.$$
###### Corollary 2.15.

Let be a holomorphic modular function and let with minimal polynomial with . Then admits a representation of the form

$$g(\tau) = \frac{\sum_{i=0}^{v-1} a_i\, j(\tau)^i}{\frac{\partial Q_f}{\partial Y}(f(\tau), j(\tau))},$$

where

$$a_i \in \{h(\tau) \in \mathbb{C}(f(\tau)) : h(\tau) \text{ holomorphic}\}.$$
###### Proof.

We apply lemma 2.14 for , and and hence . Furthermore, we choose

$$\mathcal{O} = \{h(\tau) \in K : h(\tau) \text{ holomorphic}\}.$$

Obviously, all elements of and hence as well as are holomorphic. So . Using lemma 2.14 we obtain the assertion. ∎

We now consider special values for .

1. The most obvious and historically first choice is . In this case we write and call the -th modular polynomial. The modular polynomial has coefficients in and is symmetric in and [5, pp. 229–234]. The main problem when using it is that its coefficients grow exponentially in [4].

2. In [19] the choice , where is defined as in (2.6), was extensively examined and made applicable in the context of Schoof’s algorithm. The construction of and the relation between and imply is also holomorphic on . In this case we write . The polynomial has likewise coefficients in and the degree in the second variable is , as is shown in [19, pp. 61–62]. This causes its coefficients to grow much slower than those of .
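The following Python script (added here; it is not from the paper or from [19]) computes the $q$-expansions (2.1) to (2.8) as exact integer power series and checks item 2 in the smallest case $\ell = 5$, where $s = 12/\gcd(12, 4) = 3$, so $m_5 = 5^3(\eta(q^5)/\eta(q))^6$ and the degree in the second variable is $1$. The explicit shape $M_5(X, Y) = (X^2 + 10X + 5)^3 - XY$ of the level-5 relation is taken here as an assumption (it is the classical relation for this eta quotient) and verified coefficientwise to the chosen precision, together with the first coefficients $q\,j(q) = 1 + 744q + 196884q^2 + \cdots$.

```python
"""q-expansions of E_2, E_4, E_6, Delta, j and m_ell, and a check of the level-5
relation between m_5 and j.

Added example, not from the paper. M_5(X, Y) = (X^2 + 10X + 5)^3 - XY is assumed
here and verified, not derived. All series are truncated integer power series in q,
stored as lists indexed by the exponent.
"""

PREC = 12  # coefficients of q^0 .. q^(PREC-1) are kept


def sigma(k, n):
    """Divisor power sum sigma_k(n)."""
    return sum(d**k for d in range(1, n + 1) if n % d == 0)


def eisenstein(weight, prec=PREC):
    """E_2, E_4, E_6 of (2.7), (2.1), (2.2): 1 + c * sum_n sigma_{weight-1}(n) q^n."""
    c = {2: -24, 4: 240, 6: -504}[weight]
    return [1] + [c * sigma(weight - 1, n) for n in range(1, prec)]


def mul(a, b):
    """Product of truncated series; the result keeps min(len(a), len(b)) exact terms."""
    n = min(len(a), len(b))
    c = [0] * n
    for i in range(n):
        if a[i]:
            for j in range(n - i):
                c[i + j] += a[i] * b[j]
    return c


def add(a, b):
    n = min(len(a), len(b))
    return [a[i] + b[i] for i in range(n)]


def scale(k, a):
    return [k * x for x in a]


def power(a, e):
    r = [1] + [0] * (len(a) - 1)
    for _ in range(e):
        r = mul(r, a)
    return r


def inverse(a):
    """Inverse of a series with constant term +-1, so the result stays integral."""
    n = len(a)
    assert a[0] in (1, -1)
    r = [0] * n
    r[0] = a[0]
    for k in range(1, n):
        r[k] = -a[0] * sum(a[i] * r[k - i] for i in range(1, k + 1))
    return r


def eta_product(step, prec=PREC):
    """prod_{n>=1} (1 - q^{step n}): eta(q^step) from (2.8) without its q^{step/24} factor."""
    r = [1] + [0] * (prec - 1)
    for n in range(step, prec, step):
        factor = [1] + [0] * (prec - 1)
        factor[n] = -1
        r = mul(r, factor)
    return r


def j_times_q(prec=PREC):
    """q * j(q) = E_4^3 / (Delta / q), from (2.3) and (2.4); Delta = q - 24 q^2 + ... ."""
    e4, e6 = eisenstein(4, prec), eisenstein(6, prec)
    num = add(power(e4, 3), scale(-1, power(e6, 2)))
    assert num[0] == 0 and all(c % 1728 == 0 for c in num)
    delta = [c // 1728 for c in num]
    return mul(power(e4, 3), inverse(delta[1:]))        # prec - 1 exact terms


def m_ell_over_q(ell, s, prec=PREC):
    """m_ell / q^{(ell-1)s/12} = ell^s (prod(1 - q^{ell n}) / prod(1 - q^n))^{2s}, from (2.6)."""
    ratio = mul(eta_product(ell, prec), inverse(eta_product(1, prec)))
    return scale(ell**s, power(ratio, 2 * s))


def level5_residual(prec=PREC):
    """Coefficients of M_5(m_5(q), j(q)) for M_5(X, Y) = (X^2 + 10X + 5)^3 - XY.
    For ell = 5, s = 3 and m_5 = q * m_ell_over_q(5, 3); all entries vanish if the
    assumed relation holds."""
    x1 = m_ell_over_q(5, 3, prec)
    x = [0] + x1                                        # m_5 itself, one more exact term
    poly = power(add(add(power(x, 2), scale(10, x)), [5] + [0] * len(x1)), 3)
    lhs = mul(x1, j_times_q(prec))                     # m_5 * j = (m_5 / q) * (q j)
    return add(lhs, scale(-1, poly))


if __name__ == "__main__":
    print("q*j =", j_times_q()[:4])                    # 1, 744, 196884, 21493760
    print("M_5(m_5, j) residual:", level5_residual())  # all zero
```

Note that only the constant term $\pm 1$ of $\Delta/q$ and of $\prod(1 - q^n)$ is needed for the division to stay in $\mathbb{Z}[[q]]$, which is why every coefficient above is an exact integer; raising `PREC` extends the check to more terms at the cost of a quadratic amount of big-integer work.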

Using this specialisation we obtain the following

###### Proposition 2.16.

Let be a holomorphic modular function. Then admits the following representation:

$$g(\tau) = \frac{Q(m_\ell(\tau), j(\tau))}{m_\ell(\tau)^k\,\frac{\partial M_\ell}{\partial Y}(m_\ell(\tau), j(\tau))}$$

for a and a polynomial with .

###### Proof.

We apply corollary 2.15, setting . As mentioned, is holomorphic, and this also holds for . We now show , which implies the holomorphic functions in are given by . The assertion then follows using corollary 2.15.

By definition, holds. Applying the Fricke-Atkin-Lehner involution from definition 2.3 to this equation we obtain that is a root of . Writing yields

(2.9) $$\sum_{i=0}^{\ell+1} X^i \sum_{k=0}^{v} a_{i,k}\, j(\ell\tau)^k = M_\ell(X, j(\ell\tau)) = \sum_{i=0}^{\ell+1} s_{\ell+1-i}(\tau)\, X^i,$$

where are the elementary-symmetric polynomials in the roots of . In [19, p. 63] it is shown the Laurent series of these functions have the orders

$$\mathrm{ord}(f_i) = -v,\ 0 \leq i < \ell, \qquad \mathrm{ord}(f_\ell) = \ell v,$$

from which we conclude

$$\mathrm{ord}(s_{\ell+1-i}) = -(\ell + 1 - i)v,\ 1 \leq i \leq \ell + 1, \qquad \mathrm{ord}(s_{\ell+1}) = 0.$$

Using equation (2.9) now implies and for . So is a polynomial of degree in if . Due to the surjectivity of there exists such that . Thus, for one of the transformations introduced in lemma 2.11 the identity holds. Hence, attains all values . ∎

### 2.3. The Tate curve

In this section we will define the universal elliptic Gauß sums before considering applications in section 3. We first recall the Weierstraß -function.

###### Definition 2.17.

[5, p. 200] Let be the lattice generated by . The Weierstraß -function associated to is defined via

$$\wp(z, \Lambda) = \frac{1}{z^2} + \sum_{\substack{\omega \in \Lambda \\ \omega \neq 0}}\left(\frac{1}{(z - \omega)^2} - \frac{1}{\omega^2}\right).$$

For the special lattices with we write

$$\wp(z, \tau) = \wp(z, \langle 1, \tau\rangle_{\mathbb{Z}}) = \frac{1}{z^2} + \sum_{n^2 + m^2 \neq 0}\left(\frac{1}{(z - (m + n\tau))^2} - \frac{1}{(m + n\tau)^2}\right).$$

Its derivative is

$$\wp'(z, \tau) = -\frac{2}{z^3} - 2\sum_{n^2 + m^2 \neq 0} \frac{1}{(z - (m + n\tau))^3}.$$
###### Theorem 2.18.

[26, pp. 159–161] Let be an elliptic curve. Then there exist , such that setting there is a complex-analytic isomorphism

The following series expansions of the Weierstraß -function will be used several times:

###### Lemma 2.19.

[25, p. 50] Let , . Then for the following equations hold:

(2.10) $$\frac{1}{(2\pi i)^2}\,\wp(z, \tau) = \frac{1}{12} - 2\sum_{n=1}^{\infty} \frac{q^n}{(1 - q^n)^2} + \sum_{n \in \mathbb{Z}} \frac{q^n w}{(1 - q^n w)^2} =: x(w, q),$$
(2.11) $$\frac{1}{(2\pi i)^3}\,\wp'(z, \tau) = \sum_{n \in \mathbb{Z}} \frac{q^n w\,(1 + q^n w)}{(1 - q^n w)^3} =: 2y(w, q).$$
###### Remark 2.20.

Using the equation for the geometric series and its derivatives the series expansions for and may be transformed, which is useful both for proofs and for actual computations. In this way for we obtain the formulae

(2.12) $$x(w, q) = \frac{1}{12} + \frac{w}{(1 - w)^2} + \sum_{n=1}^{\infty}\sum_{m=1}^{\infty} m q^{nm}\bigl(w^m + w^{-m}\bigr) - 2m q^{nm},$$
(2.13) $$y(w, q) = \frac{w + w^2}{2(1 - w)^3} + \frac{1}{2}\sum_{n=1}^{\infty}\sum_{m=1}^{\infty} \frac{m(m+1)}{2}\Bigl(q^{nm}\bigl(w^m - w^{-m}\bigr) + q^{n(m+1)}\bigl(w^{m+1} - w^{-(m+1)}\bigr)\Bigr).$$

In the cases we consider is a root of unity. Hence all series expansions can be studied in this form since for .

###### Proposition 2.21.

[23, p. 245] Let be the Eisenstein series defined in (2.1) and (2.2) and as in (2.7). Then the following equations hold:

(2.14) $$y(w, q)^2 = x(w, q)^3 - \frac{E_4(q)}{48}\,x(w, q) + \frac{E_6(q)}{864},$$
(2.15) $$\sum_{\substack{\zeta \in \mu_\ell \\ \zeta \neq 1}} x(\zeta, q) = \frac{\ell}{12}\bigl(E_2(q) - \ell E_2(q^\ell)\bigr) = p_1(q).$$

Equation (2.14) defines the so-called Tate curve introduced in [28]. Among its properties are the following ones:

###### Theorem 2.22.

[25, pp. 410–411]

1. The Tate curve is an elliptic curve and

$$\Delta(E_q) = \Delta(q),\qquad j(E_q) = j(q)$$

holds, where , are the corresponding modular functions from equations (2.3) and (2.4).

2. There is a complex-analytic isomorphism

$$\psi_2: \mathbb{C}^*/q^{\mathbb{Z}} \to E_q(\mathbb{C}),\quad w \mapsto \begin{cases} (x(w, q), y(w, q)), & w \notin q^{\mathbb{Z}}, \\ O, & w \in q^{\mathbb{Z}}. \end{cases}$$
3. For every elliptic curve there exists with , such that

$$E_q \cong E(\mathbb{C})$$

holds. This is given by for the from theorem 2.18. As in theorem 2.18 we write . The isomorphism satisfies , where is from theorem 2.18 and

$$\theta: \mathbb{C}/\Lambda \xrightarrow{\ \sim\ } \mathbb{C}^*/q^{\mathbb{Z}},\quad z \mapsto w = \exp(2\pi i z).$$

Hence, is defined via

$$(x(w, q), y(w, q)) \mapsto \bigl(\wp(\alpha z, \alpha\Lambda), \wp'(\alpha z, \alpha\Lambda)\bigr),\qquad O \mapsto O,$$

where is as in theorem 2.18.

As follows from the last statement, the Tate curve parametrises isomorphism classes of elliptic curves over . This is the main idea of the applications presented in section 3. One can compute the objects in question, the elliptic Gauß sums from equation (1.2), as formal power series in by means of the Tate curve. Proposition 2.16 and corollary 2.25 show that the resulting power series admit a representation as a rational expression in terms of and . These formulae may then be specialised to a concrete elliptic curve over (or over after reduction) by replacing the formal variable by as detailed in section 3.
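To make the formulae (2.10) to (2.15) concrete, here is an added numerical check in Python (not part of the paper): it evaluates the truncated series $x(w, q)$, $y(w, q)$, $E_2$, $E_4$ and $E_6$ at a chosen $q$ with $|q| < 1$ and at $\ell$-th roots of unity $w$, and confirms to floating-point accuracy that the resulting point lies on the Tate curve (2.14) and that the sum over $\zeta \neq 1$ in (2.15) equals $p_1(q)$. The values of $q$ and $\ell$ and the truncation length are illustration choices.

```python
"""Numerical check of the Tate-curve series (2.10), (2.11), (2.14) and (2.15).

Added example, not from the paper. Every series is truncated at TERMS summands;
for the small |q| used here the neglected tails are far below double precision.
"""
import cmath

TERMS = 60


def root_of_unity(k, ell):
    """zeta = exp(2 pi i k / ell), an element of mu_ell."""
    return cmath.exp(2j * cmath.pi * k / ell)


def eisenstein(weight, q, terms=TERMS):
    """E_2, E_4, E_6 of (2.7), (2.1), (2.2): 1 + c * sum_n n^{weight-1} q^n / (1 - q^n)."""
    c = {2: -24, 4: 240, 6: -504}[weight]
    return 1 + c * sum(n ** (weight - 1) * q**n / (1 - q**n) for n in range(1, terms))


def x_coord(w, q, terms=TERMS):
    """x(w, q) = (2 pi i)^{-2} P(z, tau) from (2.10), w = exp(2 pi i z), q = exp(2 pi i tau).
    The sum over n in Z converges at both ends: for n < 0 the term behaves like q^{-n} / w."""
    s = sum(q**n / (1 - q**n) ** 2 for n in range(1, terms))
    t = sum(q**n * w / (1 - q**n * w) ** 2 for n in range(-terms, terms))
    return 1 / 12 - 2 * s + t


def y_coord(w, q, terms=TERMS):
    """y(w, q) = (2 pi i)^{-3} P'(z, tau) / 2 from (2.11)."""
    return sum(q**n * w * (1 + q**n * w) / (1 - q**n * w) ** 3
               for n in range(-terms, terms)) / 2


def tate_residual(w, q):
    """y^2 - (x^3 - E_4/48 x + E_6/864); vanishes if (x(w,q), y(w,q)) lies on the Tate curve (2.14)."""
    x, y = x_coord(w, q), y_coord(w, q)
    return y * y - (x**3 - eisenstein(4, q) / 48 * x + eisenstein(6, q) / 864)


def p1_residual(ell, q):
    """sum_{zeta in mu_ell, zeta != 1} x(zeta, q) - ell/12 (E_2(q) - ell E_2(q^ell)), cf. (2.15)."""
    total = sum(x_coord(root_of_unity(k, ell), q) for k in range(1, ell))
    return total - ell / 12 * (eisenstein(2, q) - ell * eisenstein(2, q**ell))


if __name__ == "__main__":
    q = 0.05 + 0.02j                      # illustration value with |q| < 1
    for ell in (5, 7):
        w = root_of_unity(1, ell)
        print(ell, "Tate residual", abs(tate_residual(w, q)),
              "p_1 residual", abs(p1_residual(ell, q)))
```

Both residuals come out at the level of rounding error, which is the numerical counterpart of the statement that $w \mapsto (x(w,q), y(w,q))$ maps $\mu_\ell \setminus \{1\}$ onto the non-trivial $\ell$-torsion points of the Tate curve and that their $x$-coordinates sum to $p_1(q)$.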

We now study the behaviour of and under transformations from . Using lemma 2.19 this will yield results on the behaviour of as well as . First, we derive the following

###### Lemma 2.23.

Let and . Then

(2.16) $$\wp(z, \gamma\tau) = (c\tau + d)^2\,\wp\bigl((c\tau + d)z, \tau\bigr),$$
(2.17) $$\wp'(z, \gamma\tau) = (c\tau + d)^3\,\wp'\bigl((c\tau + d)z, \tau\bigr)$$

hold.

###### Proof.

We calculate

$$\begin{aligned}
\wp\left(z, \frac{a\tau + b}{c\tau + d}\right) &= \frac{1}{z^2} + \sum_{n^2 + m^2 \neq 0}\left(\frac{1}{\bigl(z - (m + n\frac{a\tau + b}{c\tau + d})\bigr)^2} - \frac{1}{\bigl(m + n\frac{a\tau + b}{c\tau + d}\bigr)^2}\right) \\
&= (c\tau + d)^2 \cdot \frac{1}{((c\tau + d)z)^2} + (c\tau + d)^2 \sum_{m^2 + n^2 \neq 0}\left(\frac{1}{\bigl((c\tau + d)z - S_{a,b,c,d}(m, n)\bigr)^2} - \frac{1}{S_{a,b,c,d}(m, n)^2}\right) \\
&= (c\tau + d)^2\,\wp\bigl((c\tau + d)z, \tau\bigr),
\end{aligned}$$

where we make use of the abbreviation