Efficient computation of universal elliptic Gauß sums
CHRISTIAN J. BERGHOFF
Abstract.
In [2] it has been shown that the elliptic Gauß sums whose use has been proposed in the context of counting points on elliptic curves and primality tests in [15, 11] can be computed by using modular functions. In this work we give detailed algorithms for the necessary computations mentioned in [2], all of which have been implemented in C. We analyse the relatively straightforward algorithms derived from the theory and provide several improvements speeding up computations considerably. In addition, slightly generalizing [2] we describe how (elliptic) Jacobi sums may be determined in a very similar way and show how this can be used. We conclude by an analysis of space and run-time requirements of the algorithms.
Contents
1. Elliptic curves
2. Computation of the universal elliptic Gauß sums
2.1. Prerequisites
2.2. Laurent series
2.3. Rational expression
3. Point-counting in the Elkies case
3.1. Gauß sums
3.2. Jacobi sums
3.3. Run-time and memory requirements
References

1. Elliptic curves
Within this work we will only consider primes $p > 3$

$$E : Y^2 = X^3 + aX + b = f(X),$$

where $a, b \in \mathbb{F}_p$. We will always identify $E$ with its set of points $E(\overline{\mathbb{F}}_p)$. For the following well-known statements cf. [22, 25]. We assume that the elliptic curve is neither singular nor supersingular. It is a standard fact that $E$ is an abelian group with respect to point addition. Its neutral element, the point at infinity, will be denoted $O$. For a prime $\ell \neq p$, the $\ell$-torsion subgroup $E[\ell]$ has the shape

$$E[\ell] \cong \mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}.$$

In the endomorphism ring of $E$ the Frobenius homomorphism

$$\phi_p : (X, Y) \mapsto (\varphi_p(X), \varphi_p(Y)) = (X^p, Y^p)$$

satisfies the quadratic equation

$$0 = \chi(\phi_p) = \phi_p^2 - t\phi_p + p, \tag{1.1}$$

where $|t| \le 2\sqrt{p}$ by the Hasse bound. By restriction $\phi_p$ acts as a linear map on $E[\ell]$. The number of points on $E$ over $\mathbb{F}_p$ is given by $\#E(\mathbb{F}_p) = p + 1 - t$ and is thus immediate from the value of $t$.

Schoof's algorithm computes the value of $t$ modulo $\ell$ for sufficiently many small primes $\ell$ by considering $\chi(\phi_p)$ modulo $\ell$ and afterwards combines the results by means of the Chinese Remainder Theorem. In the original version this requires computations in extensions of degree $O(\ell^2)$.

However, a lot of work has been put into elaborating improvements. Let $\Delta = t^2 - 4p$ denote the discriminant of equation (1.1). Then we distinguish the following cases:

(1) If $\left(\frac{\Delta}{\ell}\right) = 1$, then $\ell$ is called an Elkies prime. In this case, the characteristic equation factors as $\chi(\phi_p) = (\phi_p - \lambda)(\phi_p - \mu) \bmod \ell$, so when acting on $E[\ell]$ the map $\phi_p$ has two eigenvalues $\lambda, \mu \in \mathbb{F}_\ell^*$ with corresponding eigenpoints $P, Q$. Since $\lambda\mu = p$ and $\lambda + \mu = t$, it obviously suffices to determine one of them. So we have to solve the discrete logarithm problem

$$\lambda P = \phi_p(P) = (P_x^p, P_y^p),$$

which only requires working in extensions of degree $O(\ell)$.

(2) If $\left(\frac{\Delta}{\ell}\right) = -1$, then $\ell$ is called an Atkin prime. In this case the eigenvalues of $\phi_p$ are in $\mathbb{F}_{\ell^2} \setminus \mathbb{F}_\ell$ and there is no eigenpoint $P \in E[\ell]$. We do not consider this case.

The approach to Elkies primes was further improved in numerous publications, e.g. [14, 12, 4, 9, 5, 23]. We focus on the new ideas introduced in [17]. The algorithm it presents allows to work in extensions of degree $n$, where $n$ runs through maximal coprime divisors of $\ell - 1$, using so-called elliptic Gaussian periods.

A variant of this approach was presented in [16] and [18]. It relies instead on so-called elliptic Gauß sums. For a character $\chi : (\mathbb{Z}/\ell\mathbb{Z})^* \to \langle \zeta_n \rangle$ of order $n$ with $n \mid \ell - 1$

$$G_{\ell,n,\chi}(E) = \sum_{a=1}^{\ell-1} \chi(a)\,(aP)_u \tag{1.2}$$

for an $\ell$-torsion point $P$ on $E$, where $u = y$ for $n$ even and $u = x$ for $n$ odd. As was shown in [16],

$$G_{\ell,n,\chi}(E)^n, \quad \frac{G_{\ell,n,\chi}(E)^m}{G_{\ell,n,\chi^m}(E)} \in \mathbb{F}_p[\zeta_n] \quad \text{for } m < n \tag{1.3}$$

holds. In addition, the index in $\mathbb{F}_\ell^*$ of the eigenvalue $\lambda$ corresponding to $P$ can directly be calculated modulo $n$ using the equation

$$G_{\ell,n,\chi}(E)^p = \chi^{-p}(\lambda)\, G_{\ell,n,\chi^p}(E) \;\Rightarrow\; \frac{G_{\ell,n,\chi}(E)^m}{G_{\ell,n,\chi^m}(E)} \left(G_{\ell,n,\chi}(E)^n\right)^q = \chi^{-m}(\lambda), \tag{1.4}$$

where $p = nq + m$ holds. When the quantities from equation (1.3) have been computed, it thus suffices to do calculations in the extension $\mathbb{F}_p[\zeta_n]$ of degree $\varphi(n)$ to derive the index of $\lambda$ in $\mathbb{F}_\ell^*$ modulo $n$ before composing the modular information by means of the Chinese remainder theorem. In the following sections we will be concerned with the efficient computation of the universal elliptic Gauß sums, which were defined in [2, Corollary 2.25], instead of using the definition (1.2), which requires passing through larger extensions.

2. Computation of the universal elliptic Gauß sums
Prerequisites.
We first recall some facts from [2], to which we refer the reader fordetails. A modular function of weight k P Z for a subgroup Γ Ď SL p Z q is a meromorphicfunction f p τ q on the upper complex half-plane H “ t τ P C : = p τ q ą u satisfying(2.1) f p γτ q “ p cτ ` d q k f p τ q for all γ “ ` a bc d ˘ P Γ , where γτ “ aτ ` bcτ ` d , and some technical conditions. Equation (2.1) in particular implies f can bewritten as a Laurent series in terms of q N “ exp ` πiτN ˘ for some N P N depending on Γ . Weuse the notation q “ q and consider the groups Γ “ Γ p ‘ q : “ (cid:32)` a bc d ˘ P SL p Z q : ‘ | c ( . Thefield of modular functions of weight 0 for a group Γ will be denoted by A p Γ q . The Fricke-Atkin-Lehner involution w ‘ acts on modular functions f p τ q via f p τ q ÞÑ f ` ´ ‘τ ˘ “ : f ˚ p τ q ,where f ˚ p τ q “ f p ‘τ q for f p τ q P A p SL p Z qq holds. We recall the Laurent series x p w, q q “ ` w p ´ w q ` ÿ n “ ÿ m “ mq nm p w m ` w ´ m q ´ mq nm , (2.2) y p w, q q “ w ` w p ´ w q ` ÿ n “ ÿ m “ m p m ` q ´ q nm p w m ´ w ´ m q ` q n p m ` q p w m ` ´ w ´p m ` q q ¯ , (2.3) η p q q “ q ˜ ` ÿ n “ p´ q n ´ q n p n ´ q{ ` q n p n ` q{ ¯¸ , (2.4) m ‘ p q q “ ‘ s ˆ η p q ‘ q η p q q ˙ s with s “ p , ‘ ´ q . (2.5)We further use p p q q “ ř ζ P µ ‘ ,ζ ‰ x p ζ, q q , the modular discriminant ∆ p q q “ η p q q and thewell-known j -invariant j p q q , which is surjective on C . There is a polynomial M ‘ P C r X, Y s ,sometimes referred to as the canonical modular polynomial, such that M ‘ p X, j p q qq is irre-ducible over C p j p q qqr X s and m ‘ p q q is one of its roots. Furthermore, deg M ‘ “ ‘ ´ p ‘ ´ , q holds.Now for a prime ‘ let n | ‘ ´ χ : F ˚ ‘ Ñ µ n be a character of order n . Defining(2.6) G ‘,n,χ p q q “ G ‘,n p q q : “ ÿ λ P F ˚ ‘ χ p λ q V p ζ λ‘ , q q with V “ x, n ” ,y, n ” , corollary 2.25 and proposition 2.16 of [2] imply the following Theorem 2.1.
Let ‘ , n , χ be as above. Furthermore, let r “ $’&’% min (cid:32) r : n ` r P N ( , n ” , , n “ , , else and e ∆ “ $’&’% n ` r , n ” , , n “ , n , else. Christian J. Berghoff
Define the universal elliptic Gauß sum(2.7) τ ‘,n p q q : “ G ‘,n p q q n p p q q r ∆ p q q e ∆ . Then τ ‘,n p q q has coefficients in Q r ζ n s and is a holomorphic modular function of weight for Γ p ‘ q . There exist k ě and a polynomial Q p X, Y q P C r X, Y s with deg Y p Q q ă deg Y p M ‘ q such that (2.8) τ ‘,n p q q B M ‘ B Y p m ‘ p q q , j p q qq “ m ‘ p q q ´ k Q p m ‘ p q q , j p q qq . If we can efficiently compute the polynomial Q in (2.8), we obtain a rational expressionfor τ ‘,n p q q in terms of j p q q and m ‘ p q q . As detailed in [2, Section 3], for an elliptic curve E { F p this formula readily translates to a formula for the elliptic Gauß sum G ‘,n p E q n from (1.2) interms of the values j p E q , m ‘ p E q which may be efficiently computed.2.2. Laurent series.
General remarks.
When dealing with Laurent series g p q q “ ř i “ i g i q i in this sectionwe will write ord p g q “ i for the order and lc p g q “ g i for the leading coefficient of the series.We first remark that when computing the Laurent series of the universal elliptic Gauß sums τ ‘,n p q q the part in formula (2.2) which is independent from w vanishes due to the well-knownproperties of character sums.In addition, in our implementation using the GMP library [13] we wished to use as long aspossible the data type for integers for efficiency reasons, and only to convert our results intorational numbers in the last step. In order to realise this plan, we analyse the denominatorsof the Laurent series of the universal elliptic Gauß sums.We first remark that in formula (2.2) used to compute the x -coordinate all coefficients exceptfor the constant one, which is independent from q , lie in Z r ζ ‘ s and that they lie in Z r ζ ‘ s forformula (2.3) corresponding to the y -coordinate. The constant term yields a power possiblydividing the denominator of the expression. The exact value of v ‘ is computed in Lemma 2.2.
Let v ‘ be the exponent of ‘ in the denominator of the Gauß sum τ ‘,n p q q . Thenwe obtain v ‘ ď r n‘ ´ s , n odd, r n‘ ´ s , n even.Proof. As is well-known, p ‘ q “ p ´ ζ ‘ q ‘ ´ holds when both sides are considered as ideals in Z r ζ ‘ s “ O p Q r ζ ‘ sq . This implies ‘ p ´ ζ ‘ q ´ k “ e p ´ ζ ‘ q ‘ ´ p ´ ζ ‘ q ´ k “ e p ´ ζ ‘ q ‘ ´ ´ k for e P Z r ζ ‘ s ˚ . Since p ´ ζ ‘ q R Z r ζ ‘ s ˚ , this yields ‘ p ´ ζ ‘ q ´ k P Z r ζ ‘ s ô k ď ‘ ´ . More generally, one obtains ‘ v ‘ p ´ ζ ‘ q ´ k “ e p ´ ζ ‘ q v ‘ p ‘ ´ q´ k P Z r ζ ‘ s ô k ď v ‘ p ‘ ´ q ô v ‘ ě k‘ ´ . fficient computation of universal elliptic Gauß sums v ‘ can be taken to be r k‘ ´ s . The shape of the constant terms in formulae (2.2) and(2.3) as well as theorem 2.1 yield the assertion. (cid:3) We remark that the coefficients of 12 p p q q are likewise integers. Since ∆ p q q has leadingcoefficient 1, the coefficients of ∆ p q q ´ are also integers. From these considerations and thedefinition of τ ‘,n p q q in theorem 2.1 we deduce Corollary 2.3.
Let ‘ be a prime and let n | ‘ ´ . Let r “ min t r : n ` r P N u for n ” be defined as in theorem 2.1 and v ‘ as in lemma 2.2. Define c “ $’&’% r ‘ v ‘ , n ” , ¨ ‘ v ‘ , n “ , n ‘ v ‘ , else . Then the coefficients of c ¨ τ ‘,n p q q lie in Z r ζ n s . An improved algorithm.
As is evident from (2.6), G ‘,n p q q P Q r ζ n , ζ ‘ spp q qq holds. Inorder to compute τ ‘,n p q q up to precision prec p ‘, n q we need to determine, in particular, the n -th power of an element of this field, which requires O p log n M p ‘n prec p ‘, n qqq multiplications in Z , if we use the multiple of τ ‘,n p q q from corollary 2.3. Equation (2.22)implies we can choose prec p ‘, n q “ ‘ p e ∆ ` v ` q . In the worst case n, v P O p ‘ q holds, whichyields a rapidly growing run-time of O p log n M p ‘ qq for this step. We now wish to show howthis run-time can be significantly reduced.In particular, we make use of the following Lemma 2.4.
Let $G_\chi(\zeta_\ell) = \sum_{\lambda \in \mathbb{F}_\ell^*} \chi(\lambda)\,\zeta_\ell^{\lambda}$ denote the ordinary cyclotomic Gauß sum. Then we obtain

$$G_{\ell,n,\chi}(q)\, G_{\chi^{-1}}(\zeta_\ell) \in \mathbb{Q}[\zeta_n]((q)).$$

Proof. By definition the expression in question lies in $\mathbb{Q}[\zeta_\ell, \zeta_n]((q))$. We consider the action of the Galois group $G$ of the field extension $\mathbb{Q}[\zeta_\ell, \zeta_n]/\mathbb{Q}[\zeta_n]$ on this expression. Since $(\ell, n) = 1$

$$G = \langle \sigma : \zeta_\ell \mapsto \zeta_\ell^{c} \rangle,$$

where $c$ is a generator of $\mathbb{F}_\ell^*$. As shown in the proof of corollary 2.25 in [2],

$$\sigma(G_{\ell,n,\chi}(q)) = \chi^{-1}(c)\, G_{\ell,n,\chi}(q)$$

holds. In the same vein one can show

$$\sigma(G_\chi(\zeta_\ell)) = \chi^{-1}(c)\, G_\chi(\zeta_\ell),$$

which immediately implies the invariance of the expression in question under $\sigma$. $\square$

Using this lemma we modify the algorithm for determining $\tau_{\ell,n}(q)$, which results from formulae (2.2), (2.3), (2.6) and (2.7), in the following way. Instead of directly computing the $n$-th power of $G_{\ell,n,\chi}(q)$, we calculate:

Algorithm 1. Fast computation of $G_{\ell,n,\chi}(q)^n$
Input: $\ell$, $n$, $\operatorname{prec}(\ell, n)$
Output: $G_{\ell,n,\chi}(q)^n$
    Compute $G_{\ell,n,\chi}(q)$ up to precision $\operatorname{prec}(\ell, n)$ using formulae (2.2), (2.3), (2.6).
    $T_1 := G_{\ell,n,\chi}(q)\, G_{\chi^{-1}}(\zeta_\ell)$
    $T_2 := T_1^{\,n}$
    $T_3 := G_{\chi^{-1}}(\zeta_\ell)^n$
    return $T = T_2 T_3^{-1}$

It is obvious that $T = G_{\ell,n,\chi}(q)^n$ holds and we thus compute the result we wish for. According to lemma 2.4 the run-time for step 2 is merely

$$O(\log n\, M(n \operatorname{prec}(\ell, n))) = O(\log n\, M(\ell^3)),$$

since a whole power of $\ell$ is saved in the degree of the polynomials to be multiplied. It is likewise easy to see that $T_3$ can be computed in run-time $O(\log n\, M(\ell n))$ and $T$ in run-time $O(\operatorname{prec}(\ell, n)\, M(n))$, which is negligible.

The determination of $T_1$, however, requires $O(\operatorname{prec}(\ell, n)\, M(\ell n))$ operations when using a naive implementation. We show how to reduce this cost considerably by computing

$$\begin{aligned}
G_{\ell,n,\chi}(q)\, G_{\chi^{-1}}(\zeta_\ell) &= \sum_{\lambda_1, \lambda_2 \in \mathbb{F}_\ell^*} \chi(\lambda_1)\, V(\zeta_\ell^{\lambda_1}, q)\, \chi^{-1}(\lambda_2)\, \zeta_\ell^{\lambda_2} \\
&= \sum_{c = \lambda_1 \lambda_2^{-1} \in \mathbb{F}_\ell^*} \chi(c) \sum_{\lambda_1 \in \mathbb{F}_\ell^*} \zeta_\ell^{\lambda_1 c^{-1}}\, V(\zeta_\ell^{\lambda_1}, q).
\end{aligned}$$

Before further transforming the inner sum, we remark

$$V(\zeta_\ell, q) = \sum_{i=0}^{\infty} q^i \sum_{k=0}^{\ell-1} a_{i,k}\, \zeta_\ell^{k} \;\Rightarrow\; V(\zeta_\ell^{\lambda_1}, q) = \sum_{i=0}^{\infty} q^i \sum_{k=0}^{\ell-1} a_{i,k}\, \zeta_\ell^{\lambda_1 k},$$

which follows by applying an appropriate power of the automorphism $\sigma : \zeta_\ell \mapsto \zeta_\ell^{c}$. Hence, one obtains

$$\begin{aligned}
\sum_{\lambda_1 \in \mathbb{F}_\ell^*} \zeta_\ell^{\lambda_1 c^{-1}}\, V(\zeta_\ell^{\lambda_1}, q)
&= \sum_{i=0}^{\infty} q^i \sum_{\lambda_1 \in \mathbb{F}_\ell^*} \zeta_\ell^{\lambda_1 c^{-1}} \sum_{k=0}^{\ell-1} a_{i,k}\, \zeta_\ell^{\lambda_1 k}
= \sum_{i=0}^{\infty} q^i \sum_{\lambda_1 \in \mathbb{F}_\ell^*} \sum_{k=0}^{\ell-1} a_{i,k}\, \zeta_\ell^{\lambda_1 (k + c^{-1})} \\
&= \sum_{i=0}^{\infty} q^i \Bigg( \sum_{\lambda_1 \in \mathbb{F}_\ell^*} a_{i,-c^{-1}} + \sum_{\substack{k=0 \\ k \neq -c^{-1}}}^{\ell-1} a_{i,k} \sum_{\lambda = \lambda_1 (k + c^{-1}) \in \mathbb{F}_\ell^*} \zeta_\ell^{\lambda} \Bigg) \\
&= \sum_{i=0}^{\infty} q^i \Bigg( (\ell - 1)\, a_{i,-c^{-1}} + \sum_{\substack{k=0 \\ k \neq -c^{-1}}}^{\ell-1} a_{i,k} \sum_{\lambda=1}^{\ell-1} \zeta_\ell^{\lambda} \Bigg) \\
&= \sum_{i=0}^{\infty} q^i \Bigg( (\ell - 1)\, a_{i,-c^{-1}} - \sum_{\substack{k=0 \\ k \neq -c^{-1}}}^{\ell-1} a_{i,k} \Bigg)
=: \sum_{i=0}^{\infty} b_i(c)\, q^i,
\end{aligned}$$

where the last equality holds because of $\sum_{i=0}^{\ell-1} \zeta_\ell^{i} = 0$. In total, this yields

$$G_{\ell,n,\chi}(q)\, G_{\chi^{-1}}(\zeta_\ell) = \sum_{i=0}^{\infty} q^i \sum_{c \in \mathbb{F}_\ell^*} \chi(c)\, b_i(c)$$

with $b_i(c) \in \mathbb{Q}$. Furthermore, for $c_1, c_2 \in \mathbb{F}_\ell^*$

$$b_i(c_1) = b_i(c_2) + \ell \left( a_{i,-c_1^{-1}} - a_{i,-c_2^{-1}} \right) \tag{2.9}$$

obviously holds, whence the computation of $b_i(c)$, $c \in \mathbb{F}_\ell^*$, requires a run-time of $O(\ell)$ for fixed $i$. In order to compute $T_1$ up to the required precision, we thus proceed as follows:

Algorithm 2. Speed-up of step 1 in algorithm 1
Input: $\ell$, $n$, $\operatorname{prec}(\ell, n)$
Output: $G_{\ell,n,\chi}(q)\, G_{\chi^{-1}}(\zeta_\ell)$
    Determine the coefficients $a_{i,k}$ of $V(\zeta_\ell, q)$ using formulae (2.2) and (2.3), respectively, for $i = 0, \ldots, \operatorname{prec}(\ell, n)$, $k = 0, \ldots, \ell - 1$.
    For $i = 0, \ldots, \operatorname{prec}(\ell, n)$ determine the values $b_i(c)$, $c \in \mathbb{F}_\ell^*$, using (2.9).
    return $\sum_{i=0}^{\operatorname{prec}(\ell,n)} q^i \sum_{c \in \mathbb{F}_\ell^*} \chi(c)\, b_i(c)$.

Using this algorithm the value $T_1$ can be determined using $O(\ell \operatorname{prec}(\ell, n))$ operations, which, for large $n$, is negligible as compared to the amount required by the second step of the new algorithm.

To avoid the less efficient GMP data type for rational numbers when computing $T$ in algorithm 1 we again examine by which factor we have to multiply intermediate results to ensure all coefficients are integers. The required statement is furnished by

Lemma 2.5. Let $\ell$ be a prime and $\chi$ be a character of order $n \mid \ell - 1$. Then one obtains

$$\ell^n\, G_\chi(\zeta_\ell)^{-n} \in \mathbb{Z}[\zeta_n].$$

Proof. The identity $\sigma(G_\chi(\zeta_\ell)) = \chi^{-1}(c)\, G_\chi(\zeta_\ell)$ shown in lemma 2.4, where $\sigma : \zeta_\ell \mapsto \zeta_\ell^{c}$ and $\langle c \rangle = \mathbb{F}_\ell^*$, implies

$$G_\chi(\zeta_\ell)^n \in \mathbb{Q}[\zeta_n].$$

Using the definition of the Gauß sums it is evident that $G_\chi(\zeta_\ell)^n$ actually lies in $\mathbb{Z}[\zeta_n]$. Furthermore, a general property exhibited by Gauß sums (cf. [21, p. 91]) is

$$G_\chi(\zeta_\ell)\, G_{\chi^{-1}}(\zeta_\ell) = \chi(-1)\, \ell.$$

Raising this equation to the $n$-th power and using $\chi(-1)^n = 1$, we obtain

$$G_\chi(\zeta_\ell)^n\, G_{\chi^{-1}}(\zeta_\ell)^n = \ell^n$$

and hence

$$\ell^n\, G_\chi(\zeta_\ell)^{-n} = G_{\chi^{-1}}(\zeta_\ell)^n \in \mathbb{Z}[\zeta_n]. \qquad \square$$

Corollary 2.6. The universal elliptic Gauß sum $\tau_{\ell,n}(q)$ can be computed using $O(\log n\, M(n \operatorname{prec}(\ell, n)))$ multiplications in $\mathbb{Z}$.

Rational expression.
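Added example for Algorithm 2 of the preceding section (not taken from the paper or its C implementation): for one fixed exponent of $q$ it checks the closed form of $b_i(c)$ and relation (2.9) against a direct computation in $\mathbb{Z}[\zeta_\ell]$, then compares the fast and the naive way of forming the coefficient of $T_1$. The parameters $\ell = 13$, $n = 4$, the integer coefficient vector and all function names are constructed for illustration.

```python
"""Coefficient of q^i in T_1 = G_{l,n,chi}(q) * G_{chi^-1}(zeta_l), two ways.

Elements of Z[zeta_l] are length-l vectors of coefficients of zeta_l^e
(e = 0..l-1); such a vector represents an integer exactly when its entries
at e = 1..l-1 agree, because 1 + zeta_l + ... + zeta_l^(l-1) = 0.
"""

ELL, N = 13, 4  # constructed parameters: ELL prime, N divides ELL - 1
# Constructed stand-in for the coefficients a_{i,k}, k = 0..ELL-1, of one
# fixed q-exponent i (already scaled to integers, cf. corollary 2.3).
SAMPLE_A = [3, -1, 4, 1, -5, 9, 2, -6, 5, 3, -5, 8, 9]


def primitive_root(ell):
    """Smallest generator of F_ell^* (brute force; ell is a small odd prime)."""
    for g in range(2, ell):
        if len({pow(g, j, ell) for j in range(ell - 1)}) == ell - 1:
            return g
    raise ValueError("no generator found; is ell an odd prime?")


def to_integer(vec):
    """Return the integer represented by vec, or raise if it is not in Z."""
    if len(set(vec[1:])) != 1:
        raise ValueError("element does not lie in Z")
    return vec[0] - vec[1]


def inner_sum_direct(a, c, ell):
    """Sum over lambda in F_ell^* of zeta^(lambda/c) * sigma_lambda(v).

    v = sum_k a[k] zeta^k and sigma_lambda maps zeta to zeta^lambda; the
    result is returned as a coefficient vector in Z[zeta_ell].
    """
    c_inv = pow(c, -1, ell)
    out = [0] * ell
    for lam in range(1, ell):
        for k, coeff in enumerate(a):
            out[(lam * (k + c_inv)) % ell] += coeff
    return out


def b_values(a, ell):
    """All b(c), c in F_ell^*, in O(ell): b(c) = ell * a[-1/c] - sum(a).

    This equals (ell - 1) * a[-1/c] minus the remaining coefficients, and
    relation (2.9) follows by subtracting two such values.
    """
    total = sum(a)
    return {c: ell * a[(-pow(c, -1, ell)) % ell] - total
            for c in range(1, ell)}


def t1_coefficient(a, ell, n):
    """Fast version: sum_c chi(c) b(c) as coefficients of zeta_n^0..zeta_n^(n-1)."""
    g, b = primitive_root(ell), b_values(a, ell)
    out, c = [0] * n, 1
    for j in range(ell - 1):       # c = g^j and chi(c) = zeta_n^j
        out[j % n] += b[c]
        c = c * g % ell
    return out


def t1_coefficient_naive(a, ell, n):
    """Direct double sum over lambda_1, lambda_2 in Z[zeta_n, zeta_ell]."""
    g = primitive_root(ell)
    dlog = {pow(g, j, ell): j for j in range(ell - 1)}
    rows = [[0] * ell for _ in range(n)]    # rows[e]: coefficient of zeta_n^e
    for l1 in range(1, ell):
        for l2 in range(1, ell):
            e = (dlog[l1] - dlog[l2]) % n   # chi(l1) * chi^-1(l2) = zeta_n^e
            for k, coeff in enumerate(a):
                rows[e][(l2 + l1 * k) % ell] += coeff
    # Lemma 2.4: every row must collapse to a rational integer.
    return [to_integer(row) for row in rows]


if __name__ == "__main__":
    b = b_values(SAMPLE_A, ELL)
    assert all(to_integer(inner_sum_direct(SAMPLE_A, c, ELL)) == b[c] for c in b)
    print("b(c): ", b)
    print("fast: ", t1_coefficient(SAMPLE_A, ELL, N))
    print("naive:", t1_coefficient_naive(SAMPLE_A, ELL, N))
```

The naive routine touches $(\ell-1)^2 \ell$ terms per exponent of $q$, the fast one $O(\ell)$, which is the saving the text attributes to (2.9).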
In this section we present algorithms by means of which it willbe possible to compute the polynomial Q from theorem 2.1 and thus to determine a rationalexpression in terms of j p q q and m ‘ p q q for the universal elliptic Gauß sums τ ‘,n once theirLaurent series have been computed as discussed in section 2.2.Slightly rewriting equation (2.8) we obtain the representation τ ‘,n p q q B M ‘ B Y p m ‘ p q q , j p q qq “ Q p m ‘ p q q , j p q qq , (2.10)where Q p X, Y q “ ř i max i “ i min ř v ´ k “ c i,k X i Y k with deg Y p M ‘ q “ v “ ‘ ´ p ‘ ´ , q according to [20,pp. 61–62] holds. The polynomial M ‘ can be determined using algorithm 5.8 from [20]. The Christian J. Berghoff left hand side of this equation can be computed up to a certain precision using the known q -expansions and the algorithms from section 2.2. As is evident from the definition of m ‘ aswell as η , the Laurent series m ‘ p q q has order v . Furthermore, ord p j q “ ´ p m i‘ j k q “ iv ´ k . Hence, all summands of the expression Q p m ‘ p q q , j p q qq “ i max ÿ i “ i min v ´ ÿ k “ c i,k m i‘ j k exhibit different orders, which allows to compute the coefficients c i,k successively using theprecomputed left hand side of equation (2.10). Full details are given in [3], where it is alsoshown that it suffices to compute all occurring Laurent series up to precision p v ` e ∆ q ‘ .It turns out, however, that for complexity reasons it makes sense to replace the function m ‘ p q q by another modular function a ‘ p q q with similar properties. This function is mentionedin [20, 9] as an alternative to m ‘ p q q in the context of Schoof’s algorithm. Its associated(minimal) polynomial A ‘ p X, j p q qq indeed exhibits a significantly smaller degree in j and sig-nificantly smaller coefficients than M ‘ p X, j p q qq and was used, for example, in achieving thepoint-counting record described in [10].We first require the following Definition 2.7.
Let f p τ q be a modular function of weight 1 and r a prime. The r -th Heckeoperator T r acts on f via T r p f qp τ q “ r r ´ ÿ k “ f ˆ τ ` kr ˙ ` f p rτ q . Lemma 2.8. [20, p. 74] Let ‘ ą , s “ p ,‘ ` q and let r be an odd prime satisfying s | r ´ , ´ r‘ ¯ “ , ˆ ‘r ˙ “ . Then the function (2.11) a ‘ p τ q “ T r p η p τ q η p ‘τ qq η p τ q η p ‘τ q is a modular function of weight for Γ p ‘ q which is holomorphic on H . Furthermore, a ‘ p τ q is invariant under the Fricke-Atkin-Lehner involution w ‘ . In order to perform actual computations using a ‘ p τ q we need its Laurent series up to therequired precision. For its determination we use formula (2.4) for the Laurent series of the η -function and subsequently apply Proposition 2.9. [20, p. 74] Let a p τ q “ exp ´ πiτ zs ¯ ÿ k “ a k exp p πikτ q fficient computation of universal elliptic Gauß sums be the Laurent series of a function a p τ q , where gcd p z, s q “ . Then T r p a p τ qq “ exp ´ πiτ zs ¯ ¨˚˚˝ ÿ k “ r | ks ` z a k exp ˆ πiτ ks ` p ´ r q zrs ˙ ` ÿ k “ a k exp ˆ πiτ kr ` p r ´ q zs ˙¸ (2.12) holds. We now write v : “ ´ ord p a ‘ q . The minimal polynomial A ‘ p X, j p τ qq P C r j p τ qsr X s of a ‘ p τ q has the form(2.13) A ‘ p X, j p τ qq “ ‘ ` ÿ i “ v ÿ k “ a i,k X i j p τ q k according to [20, p. 77]. An easy calculation shows that the congruence ks ` z ” r implies v “ ‘ ă
29 as well as for ‘ P t , , , u . Thus, in this case the minimalpolynomial A ‘ p X, j q has degree 0 in j . Hence, a ‘ p τ q P C holds and for these mostly smallvalues of ‘ we still have to resort to m ‘ p τ q for computations. To determine the minimalpolynomial A ‘ p X, j p τ qq of a ‘ p τ q we use the algorithm presented in [20, p. 79].We first prove an analogue to proposition 2.16 of [2] and equation (2.8). Proposition 2.10.
Let ‘, n, χ be as in section 2.1. Then for a holomorphic modular function g p τ q of weight for Γ p ‘ q , in particular for τ ‘,n , there exists a polynomial Q p X, Y q P C r X, Y s with deg Y p Q q ă deg Y p A ‘ q such that (2.14) g p τ q B A ‘ B Y p a ‘ p τ q , j p τ qq “ Q p a ‘ p τ q , j p τ qq holds.Proof. Applying corollary 2.15 of [2] and setting f p τ q “ a ‘ p τ q , it suffices to show that a ‘ : H Ñ C is surjective, since this implies the holomorphic functions in C p a ‘ p τ qq are givenby O “ C r a ‘ p τ qs .By definition, A ‘ p a ‘ p τ q , j p τ qq “ w ‘ to this equation we obtain that a ‘ p τ q is also a root of A ‘ p X, j p ‘τ qq . Equation (2.13) yields(2.15) ‘ ` ÿ i “ X i v ÿ k “ a i,k j p ‘τ q k “ A ‘ p X, j p ‘τ qq “ ‘ ` ÿ i “ s ‘ ` ´ i p τ q X i , where s ‘ ` ´ i p τ q are the elementary-symmetric polynomials in the roots a ‘ p τ q “ f p τ q , . . . , f ‘ p τ q of A ‘ p X, j p ‘τ qq . In [20, p. 77] it is shown the Laurent series of these functions have the ordersord p f i q “ ´ v, ď i ă ‘, ord p f ‘ q “ ´ ‘v, from which we concludeord p s q “ , ord p s ‘ ` ´ i q “ ´ ‘v ´ p ‘ ´ i q v “ ´p ‘ ´ i q v, ď i ď ‘. Christian J. Berghoff
Using ord p j p ‘τ qq “ ´ ‘ equation (2.15) implies a , v ‰ a i, v “ i ą
0. So A ‘ p c, Y q is a polynomial of degree 2 v in Y for any c P C . Due to the surjectivity of j there exists τ P H such that A ‘ p c, j p τ qq “
0. Now the roots of A ‘ p X, j p τ qq are well known to be a ‘ p S k p τ qq for aset of representatives S k , 0 ď k ď ‘ , of SL p Z q{ Γ p ‘ q , cf. Lemma 2.11 of [2]. Thus, for one ofthese matrices S k the identity c “ a ‘ p S k τ q holds. Hence, a ‘ attains all values c P C . (cid:3) Equation (2.14) implies the enumerator of the rational expression for τ ‘,n consists of mono-mials of the form a i‘ j k with 0 ď k ď v ´
1. However, ord p a i‘ j k q “ ´ iv ´ k “ ord p a i ´ ‘ j k ` v q obviously holds for k ă v . Hence, we are faced with pairs of two monomials of equal order.This implies the coefficients c i,k of the polynomial Q cannot be successively computed, whichis the case when using m ‘ as pointed out above. Of course they can still be obtained by invert-ing the matrix corresponding to the linear system defined by equation (2.14). However, thiswould require significantly higher costs. In order to solve this problem we use the following Lemma 2.11.
Let f p τ q be a function which is anti-invariant under the action of w ‘ , i. e.,let f ˚ “ ´ f . Let g p τ q P A p Γ p ‘ qq not be invariant under w ‘ . Then g p τ q “ g p τ q ` g ˚ p τ q ` p g p τ q ´ g ˚ p τ qq f p τ q f p τ q “ : g p q p τ q ` g p q p τ q f p τ q holds if f p τ q ‰ , where g p q p τ q , g p q p τ q are invariant under w ‘ .Proof. Evident from the prerequisites, since g ˚˚ “ g . (cid:3) To determine the rational expression for τ ‘,n p q q , we proceed as follows: Algorithm 3.
Determining the rational expression for τ ‘,n using a ‘ Input: ‘, n, prec p ‘, n q Output:
Rational expression for τ ‘,n p q q Determine g P A p Γ p ‘ qq with g ˚ “ ´ g . Determine τ ‘,n and τ ˚ ‘,n up to precision prec p ‘, n q using algorithm 1 and the formulae fromsection 2.1 and equation (2.20). Compute τ p q ‘,n , τ p q ‘,n according to lemma 2.11. For both functions determine rational expressions R , R in terms of a ‘ and j . Compute τ ‘,n : “ R p a ‘ , j q ` R p a ‘ ,j q g .We have to specify how the steps 1 and 4 are done in practice. Concerning the determinationof g we remark that g p τ q : “ m ˚ ‘ p τ q ´ m ‘ p τ q is anti-invariant under w ‘ and thus fulfils theconditions we require. In addition, it has a relatively small order, which is relevant fromcomplexity reasons. Furthermore, for every g with these properties w ‘ p g q “ g obviouslyholds. Hence, we can compute a rational expression for g in terms of a ‘ and j using algorithm4 below. The value for g itself is calculated on the elliptic curve in question, as is detailedin section 3.1. Before presenting an algorithm for step 4, we investigate the orders of severalLaurent series. Lemma 2.12.
Let A ‘ p X, j q be the minimal polynomial of a ‘ . Hence, (2.16) 0 “ A ‘ p a ‘ , j q “ ‘ ` ÿ i “ v ÿ k “ a i,k a i‘ j k holds according to [20, p. 77], where ord p a ‘ q “ ´ v . Then the following statements hold true:(1) ord ` BB Y A ‘ p a ‘ , j q ˘ ě ´p ‘ ` q v ` . fficient computation of universal elliptic Gauß sums (2) ord ` BB Y A ‘ p a ‘ , j p q ‘ qq ˘ ě ´p v ´ q ‘. Proof.
First of all we examine which of the coefficients of A ‘ do not vanish. Since ord p a i‘ j k q “´ iv ´ k holds, searching for two summands a i ‘ j k , a i ‘ j k of equal order leads to the equation p i ´ i q v “ p k ´ k q . As this implies v | k ´ k , depending on the values of k , k the equation exhibits the solutions p i, q , p i ´ , v q , p i ´ , v q and p i, k q , p i ´ , k ` v q for 0 ă k ă v . Paying heed to the restrictionsfor possible values of i and k this directly implies ord p a i‘ j k q ě ´p ‘ ` q v for all summandswhose coefficients do not vanish. Hence,(2.17) a i,k ‰ ñ ´ iv ´ k ě ´p ‘ ` q v holds. We now investigate BB Y A ‘ p a ‘ , j q “ ‘ ` ÿ i “ v ´ ÿ k “ p k ` q a i,k ` a i‘ j k . From (2.17) we deduce a i,k ` ‰ ñ ´ iv ´ p k ` q ě ´p ‘ ` q v ñ ord p a i‘ j k q “ ´ iv ´ k ě ´p ‘ ` q v ` . The second assertion is proved analogously after applying w ‘ to equation (2.16). (cid:3) Let f p τ q P A p Γ p ‘ qq be invariant under the action of w ‘ . According to proposition 2.10there exists a polynomial Q P C r X, Y s with deg Y p Q q ă v such that(2.18) f p τ q BB Y A ‘ p a ‘ , j q “ Q p a ‘ , j q and f p τ q BB Y A ‘ p a ‘ , j p q ‘ qq “ Q p a ‘ , j p q ‘ qq , where the second equation arises from the application of w ‘ to the first one. To determinethe rational expression using a ‘ and j we thus use the following Algorithm 4.
Determining the rational expression for f p τ q using a ‘ Input: ‘, n, f p τ q Output: Q p X, Y q “ ř i ř k q i,k X i Y k from equation (2.18) Set Q : “
0, prec p ‘, n q : “ ´ ord p f q ` p ‘ ` q v . Compute j p q q , a ‘ p q q up to precision prec p ‘, n q using formulae (2.4), (2.11) and (2.12). Compute A ‘ p X, Y q using algorithm 5.26 from [20]. Compute s : “ f p τ q BB Y A ‘ p a ‘ , j q and s : “ f p τ q BB Y A ‘ p a ‘ , j p q ‘ qq up to precision prec p ‘, n q . Set p : “ ord p s q , p : “ ord p s q . while s ‰ do o : “ p , o : “ p while p ă o ` ‘ ´ do Determine p i , k q , p i , k q satisfying ord p a i s ‘ j k s q “ p , s “ ,
2, with 0 ď k ă v and k “ k ` v . Compute s : “ s ´ q i ,k a i ‘ j k . Compute s : “ s ´ lc p s q lc p a i ‘ j k q a i ‘ j k . Set Q : “ Q ` lc p s q lc p a i ‘ j k q X i Y k . p : “ p ` end while while p ă o ` ‘ ´ do Determine p i , k q , p i , k q satisfying ord p a i s ‘ j p q ‘ q k s q “ p , s “ ,
2, with 0 ď k ă v and k “ k ` v .2 Christian J. Berghoff
Compute s : “ s ´ q i ,k a i ‘ j p q ‘ q k . Compute s : “ s ´ lc p s q lc p a i ‘ j p q ‘ q k q a i ‘ j p q ‘ q k . Set Q : “ Q ` lc p s q lc p a i ‘ j p q ‘ q k q X i Y k . p : “ p ` end while end while return Q .The idea of the algorithm consists in considering the equations s “ Q p a ‘ , j q as well as s “ s ˚ “ Q p a ‘ , j ˚ q in turns. The restrictions satisfied by the orders of the Laurent seriesallow to compute sets of ‘ ´ Lemma 2.13.
Algorithm 4 works correctly.Proof.
To prove this we have to show the following statements:(1) The specified precision suffices to find the polynomial Q .(2) The coefficients q i ,k and q i ,k used in steps 10 and 16, respectively, have alreadybeen computed unless they vanish.Concerning the first point we remark again that according to proposition 2.10 Q p X, Y q con-tains only positive powers of a ‘ . Hence, the order o of its summands satisfies(2.19) ord ˆ f p τ q BB Y A ‘ p a ‘ , j q ˙ “ ord p f q ´ p ‘ ` q v ` ď o ď , where the equality follows from lemma 2.12. Since the value p ranging over the order of s strictly increases in each iteration of loop 8, the specified precisionprec p ‘, n q “ ´ ord p f q ` p ‘ ` q v is sufficient.Concerning the second issue we observe that according to lemma 2.12 after t iterations ofloop 6 o ě o p t q : “ ord p f q ´ p ‘ ` q v ` ` p ‘ ´ q t, o ě o p t q : “ ord p f q ´ p v ´ q ‘ ` p ‘ ´ q t holds. Furthermore, one calculates o p t q “ o p t q ` p ‘ ´ qp v ´ q . Now assume that in step 9 o p t q ď p “ ´ i v ´ k ă o p t q ` ‘ ´ k “ k ` v , this yields o p t q ´ p ‘ ´ q k ď ´ i v ´ k ‘ ă o p t q ´ p ‘ ´ qp k ´ q k “ k ` v ñ o p t q ´ p ‘ ´ qp k ` q ď ´ i v ´ k ‘ ă o p t q ´ p ‘ ´ q k . Now k ě ´ i v ´ k ‘ “ p has already held in a preceding iteration unless thecoefficient vanishes a priori (if o p t q ´ p ‘ ´ q k ď o p q holds). Thus, the coefficient q i ,k isalready known.In the same vein assume that o p t q ď p “ ´ i v ´ k ‘ ă o p t q ` ‘ ´ o p t q ` p ‘ ´ q k ď ´ i v ´ k ă o p t q ` p ‘ ´ qp k ` qñ o p t q ` p ‘ ´ qp k ` ´ v q ď ´ i v ´ k ă o p t q ` p ‘ ´ qp k ` ´ v q . fficient computation of universal elliptic Gauß sums k ď v ´ k ` ´ v ď ´ i v ´ k “ p has to hold at the latest inthe t ` s is performed before loop14 the coefficient q i ,k is already known unless it vanishes. 
(cid:3) To compute the rational expression using a ‘ we apply algorithm 4 to the functions τ p q ‘,n , τ p q ‘,n .Using lemma 2.23 from [2] and equation (2.2) an easy calculation shows(2.20) w ‘ p x p ζ t‘ , q qq “ p ‘τ q x p q t , q ‘ q for 1 ď t ď ‘ ´
1, an analogue statement holds for y p ζ t‘ , q q . Hence, ord p x ˚ p ζ t‘ , q qq ě p y ˚ p ζ ‘ , q qq ě
1, which implies(2.21) ord ´ τ p q ‘,n ¯ ě n ´ ‘e ∆ , ord ´ τ p q ‘,n ¯ ě n ´ ‘e ∆ ´ ord p m ‘ q . Corollary 2.14.
Algorithm 4 computes Q using ˜ O pp v ` e ∆ q ‘ q multiplications in Z .Proof. In each iteration of loop 8 the order of s strictly decreases by the construction ofthe algorithm, which implies the loop is called at most prec p ‘, n q times. Furthermore, eachcall of loops 8 and 14 in turn requires a constant number of multiplications of Laurent seriesprovided some intermediate results are stored. We remark that, due to the values assumedby i and k in loop 14, this has to be done in a clever way in order to obtain an efficientimplementation. The Laurent series to be multiplied are computed up to precision prec p ‘, n q .Using (2.21) and step 1 of the algorithm to deduce(2.22) prec p ‘, n q “ ‘e ∆ ´ n ` ord p m ‘ q ` p ‘ ` q v “ O p ‘ p e ∆ ` v qq and taking into account that intermediate results are multiplied by the factor from corollary2.3 the assertion follows. (cid:3) Equation (2.22) shows the precision required for finding the rational expression and thus therun-time of all partial computations depend on the value of v . Apart from the functions m ‘ and in particular a ‘ one might conceive using further alternatives. One approach to find suchfunctions which is due to an idea of Atkin may be found in [19, pp. 262–265]. However, thisprocedure does not seem to have been much used in former computations, since it is relativelycomplicated and does not easily lend itself to the construction of a general algorithm. Weremark that for any function f ‘ one might use as an alternative the results from [1] imply thelower bound(2.23) | ord p f ‘ q| “ : v ě ‘ for the best possible values.3. Point-counting in the Elkies case
Gauß sums.
In this section we give some details on how the representation(3.1) G ‘,n,χ p q q n p p q q r ∆ p q q e ∆ “ R p a ‘ p q q , j p q qq ` R p a ‘ p q q , j p q qq g p q q precomputed by means of algorithms 3 and 4 may be used for counting points on an ellipticcurve E : Y “ X ` aX ` b over a finite field F p having j -invariant different from 0 and 1728.4 Christian J. Berghoff
As shown in detail in [2], for an Elkies prime ‘ equation (3.1) translates to the formula(3.2) G ‘,n,χ p E q n p p E q r ∆ p E q e ∆ “ R p a ‘ p E q , j p E qq ` R p a ‘ p E q , j p E qq g p E q in terms of values associated to E . Here G ‘,n,χ p E q is the elliptic Gauß sum defined by equation(1.2), j p E q and ∆ p E q are the well-known j -invariant and discriminant of E , p p E q may becomputed using the formulae from [19, pp. 269–271] and a ‘ p E q is found as a root of the poly-nomial A ‘ p X, j p E qq . Computing these values one directly obtains G ‘,n,χ p E q n , which yields theindex modulo n in F ˚ ‘ of the eigenvalue λ of the Frobenius homomorphism φ p using equation(1.4) provided p ” n holds. It is obvious that having determined this value moduloall maximal prime power divisors n of ‘ ´ λ by using the Chinese RemainderTheorem, from which we glean t mod ‘ from equation (1.1) as needed in Schoof’s algorithm.Proceeding in this way to use equation (1.4) we avoid passing through large extensions of F p , which would be necessary when computing G ‘,n,χ p E q directly from its definition (1.2).The advantage stems from (1.3) stating that G ‘,n,χ p E q n lies in a much smaller extension than G ‘,n,χ p E q .Computing the roots of the polynomial A ‘ p X, j p E qq in F p yields two possible values for a ‘ p E q corresponding to the two eigenvalues λ and µ of φ p from section 1. As already remarkedbelow algorithm 3, in equation (3.2) we choose g “ m ˚ ‘ ´ m ‘ and precompute g as a rationalexpression in terms of a ‘ and j by means of algorithm 4. This again translates to a formulaon E for g p E q , which yields two possible values for g p E q after a root extraction.Since m ˚ ‘ “ ‘ s m ‘ ´ m ‘ for s as in (2.5) holds, the correct one among the two candidates ˘ g p E q can be determined by solving the equations ‘ s x ´ x “ ˘ g p E q and checking for all solutions x whether they are roots of M ‘ p X, j p E qq . 
This yields the value of $m_\ell(E)$ corresponding to $g(E)$ at the same time. It would also be conceivable to determine $m_\ell(E)$ as a root of $M_\ell(X, j(E))$ and then to directly compute the value $g(E)$. However, the root-finding step turns out to have a significantly higher run-time than the approach just presented.

Once $a_\ell(E)$ or $m_\ell(E)$ are computed, the value p p E q is determined using the formulae from [20, pp. 102–106] or [19, pp. 269–271], respectively. Since the first approach again requires finding the roots of some polynomial we prefer the second variant on grounds of performance.

We remark that the value $\frac{\partial A_\ell}{\partial Y}(a_\ell(E), j(E))$ used as the denominator of the different rational expressions computed by means of algorithm 4 may be zero in isolated cases, though this happens very rarely in practice. In this case we resort to the second possible value for $a_\ell(E)$. The same holds true for the values p p E q and g p E q “ ‘ s m ‘ p E q ´ m ‘ p E q (but [2, p. 16] implies m ‘ p E q ‰

Jacobi sums.
Theory.
As was remarked above, the approach using the (universal) elliptic Gauß sums only works if p ” n holds. In order to be able to use formula (1.4) for arbitrary primes p, the Jacobi sums G ‘,n,χ p E q m G ‘,n,χm p E q have to be determined as well. Directly using the function G ‘,n,χ p q q m G ‘,n,χm p q q to construct a modular function of weight 0 for Γ p ‘ q along the lines of [2, Corollary H . However, both [2, Proposition 2.16] and proposition 2.10 crucially rely on the holomorphicity of the functions g , $\tau_{\ell,n}$ for proving the existence of a rational expression of a special form well-suited for efficient computations. Hence, we slightly rearrange the key equation (1.4). To this end, we remark that writing m “ n ´ m we obtain

(3.3) p “ n p q ` q ´ m , m ” ´ m mod n,

which yields the new equation

(3.4) χ ´ m p λ q “ p G ‘,n,χ p E q n q q ` G ‘,n,χ p E q m G ‘,n,χ ´ m p E q .

In the proof of corollary 2.24 of [2] it is shown that for γ P Γ p ‘ q

G ‘,n,χ p q p γτ qq k “ p cτ ` d q ek χ ´ k p d q G ‘,n,χ p q q k

holds, where e “ n odd and e “ n even holds. For this reason G ‘,n,χ p q q k G ‘,n,χ ´ k p q q is a modular function of weight e p k ` q for Γ p ‘ q . In particular, we obtain the following

Lemma 3.1.
Let $\ell$ be a prime, n | ‘ ´ , $\chi: \mathbb{F}_\ell^* \to \mu_n$ be a character of order n and let $k \in \mathbb{N}$. If n is even, let k be odd. Furthermore, let

r “ min t r : k ` ` r P N u , n ” , min t r : p k ` q` r P N u , n ” and e ∆ “ k ` ` r , n ” , p k ` q` r , n ” .

Then

J ‘,n,χ,k p q q “ J ‘,n,k p q q “ G ‘,n,χ p q q k G ‘,n,χ ´ k p q q p p q q r ∆ p q q e ∆

is a modular function of weight for Γ p ‘ q which is holomorphic on H and whose coefficients lie in $\mathbb{Q}[\zeta_n]$. We call $J_{\ell,n,k}(q)$ a universal elliptic Jacobi sum.

Proof. Using the above considerations the proof proceeds in exactly the same way as the one for corollary 2.24 of [2]. For even n the condition on k guarantees the existence of a suitable value for r. □

From our theory it follows that $J_{\ell,n,k}(q)$ admits a representation as a rational expression $R_k$ in terms of $j(q)$ as well as $m_\ell(q)$ and $a_\ell(q)$, respectively. This expression can be determined using the algorithms presented in section 2.2 and 2.3 for computing the universal elliptic Gauß sums. It is evident from equation (2.20) that ord p J ˚ ‘,n,k q ě p k ` q ´ ‘e ∆ holds. Hence, we obtain

(3.5) ord ´ J p q ‘,n,k ¯ ě p k ` q ´ ‘e ∆ , ord ´ J p q ‘,n,k ¯ ě p k ` q ´ ‘e ∆ ´ ord p m ‘ q

when applying algorithm 4.

Having computed the rational expression $R_k$, one can determine the value J ‘,n,χ,k p E q “ G ‘,n,χ p E q k G ‘,n,χ ´ k p E q in the same vein as in the previous section 3.1. In order to determine the index of λ in $(\mathbb{Z}/\ell\mathbb{Z})^*$ modulo n, we thus proceed as follows:

Algorithm 5.
Determining the index of λ modulo n

Input: $\ell$, n, E
Output: Index of λ in $(\mathbb{Z}/\ell\mathbb{Z})^*$ modulo n
1. Determine $G_{\ell,n,\chi}(E)^n$ using equation (3.2).
2. Determine J ‘,n,χ,m p E q , where m is as in equation (3.3).
3. Determine the index of λ using equation (3.4).

We remark that in the representation $p = nq + m$ we obviously have $(m, n) = 1$. In particular, m and m are odd if n is even, which implies the second step is only performed for values of m covered by lemma 3.1.

Applying this method we can use equation (1.4) for all maximal prime power divisors n of $\ell - 1$, which yields the value of λ by means of the Chinese Remainder Theorem and thus t modulo $\ell$. Having computed this value for sufficiently many primes $\ell$, we can determine the value of t and finally that of E p F p q using again the CRT as in Schoof’s algorithm.

3.2.2. Implementation.
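The two recombination steps that close section 3.2.1, as an added Python example (not code from the paper or its C implementation): the indices of λ modulo the maximal prime power divisors n of ℓ − 1, as Algorithm 5 returns them, are combined by the CRT into λ and t mod ℓ via equation (1.1), and residues of t for several ℓ are lifted to t with the Hasse bound. The generator c used to define the index, the function names and the sample values are assumptions of the example.

```python
def prime_power_divisors(m):
    """Maximal prime power divisors n of m, i.e. n = q^e with q^e || m."""
    out, q = [], 2
    while q * q <= m:
        if m % q == 0:
            n = 1
            while m % q == 0:
                m, n = m // q, n * q
            out.append(n)
        q += 1
    return out + ([m] if m > 1 else [])

def crt(residues):
    """Combine {modulus: residue} (pairwise coprime moduli) into (x, M)."""
    x, M = 0, 1
    for n, r in residues.items():
        # choose k with x + M*k = r (mod n)
        k = (r - x) * pow(M, -1, n) % n
        x, M = x + M * k, M * n
    return x, M

def eigenvalue_and_trace_mod_l(l, p, c, index_mod_n):
    """index_mod_n[n] = index of lambda w.r.t. the generator c of (Z/lZ)^*
    (c is an assumption of this example), reduced modulo n, for every
    maximal prime power divisor n of l - 1."""
    if sorted(index_mod_n) != sorted(prime_power_divisors(l - 1)):
        raise ValueError("need one residue per maximal prime power divisor of l - 1")
    x, _ = crt(index_mod_n)               # index of lambda modulo l - 1
    lam = pow(c, x, l)
    mu = p * pow(lam, -1, l) % l          # lambda * mu = p (mod l)
    return lam, (lam + mu) % l            # t = lambda + mu (mod l), from (1.1)

def trace_from_residues(p, t_mod_l):
    """Lift {l: t mod l} to the integer t using the Hasse bound |t| <= 2 sqrt(p)."""
    t, M = crt(t_mod_l)
    if M * M <= 16 * p:                   # need M > 4 sqrt(p) for uniqueness
        raise ValueError("product of the primes l is too small")
    return t - M if 2 * t > M else t      # representative in (-M/2, M/2]

# Constructed sample: l = 13, generator c = 2, p = 103. The index of lambda is
# 3 mod 4 and 2 mod 3, hence 11 mod 12, and lambda = 2^11 = 7 (mod 13).
if __name__ == "__main__":
    print(eigenvalue_and_trace_mod_l(13, 103, 2, {4: 3, 3: 2}))   # (7, 5)
    print(trace_from_residues(103, {5: 3, 13: 6}))                # -7
```

The number of points then follows from t as in section 1.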
When implementing the computation of the Laurent series of the Jacobi sums and the determination of the rational expression we again avail ourselves of the ideas exposed in section 2.2. In particular, the expressions G ‘,n,χ k are multiplied by suitable cyclotomic Gauß sums before their product is computed. In this way all multiplications can again be performed in $\mathbb{Q}[\zeta_n]$ instead of in $\mathbb{Q}[\zeta_\ell, \zeta_n]$, which accounts for a significant run-time reduction.

For fixed $\ell$, n all required Jacobi sums $J_{\ell,n,\chi,k}(q)$ are computed successively. As mentioned, these only have to be computed for k coprime to n. Furthermore, equation (1.4) directly implies that for m “ 1, i. e. m “ n ´ 1, no Jacobi sum is needed. Hence, our computation is as follows:
Algorithm 6.
Computing the Jacobi sums corresponding to $\ell$ and n

Input: $\ell$, n, $\operatorname{prec}(\ell, n)$
Output: Jacobi sums J ‘,n,χ,k for 1 ď k ď n ´ p k, n q “
1. Determine T “ T : “ G ‘,n,χ p q q G χ ´ p ζ ‘ q , S “ S : “ G χ ´ p ζ ‘ q up to precision prec p ‘, n q .
2. for k “ to n ´ do
3. If $(k, n) > 1$, go to step 8.
4. Determine T : “ G ‘,n,χ ´ k p q q G χ k p ζ ‘ q , S : “ G χ k p ζ ‘ q .
5. T : “ T T , S : “ SS .
6. T : “ T S ´ .
7. Compute J ‘,n,χ,k p q q by multiplication of T by suitable powers of p p q q and ∆ p q q .
8. T : “ T T , S : “ SS .
9. end for

Step 8 obviously guarantees that T “ T k as well as S “ S k hold in each iteration in step 5, which proves the correctness. Let c be a generator of $(\mathbb{Z}/n\mathbb{Z})^*$. Since p ‘, n q “ p Q r ζ ‘ , ζ n s{ Q r ζ ‘ sq “ x σ : ζ n ÞÑ ζ cn y . As σ is a homomorphism, it follows $\sigma(G_{\ell,n,\chi}(q)) = G_{\ell,n,\chi^c}(q)$ and σ p G χ ´ p ζ ‘ qq “ G χ ´ c p ζ ‘ q . Thus, the expression in step 4 can be recovered from the precomputed values T , S with negligible costs by applying the homomorphism $\zeta_n \mapsto \zeta_n^k$.

The most costly step inside the loop is the computation of T and the updating of T . Each of these requires $O(M(n \operatorname{prec}(\ell, n)))$ operations. Using equations (2.19) and (3.5) we see that p ‘, n q “ ‘ p e ∆ ` v ` q when afterwards applying algorithm 4 to compute the rational expression in terms of $a_\ell$ and j.

3.3. Run-time and memory requirements.
We compute $G_{\ell,n,\chi}(E)^n$ using equation (3.2). Once the values of j, a ‘ , ∆, p and g on E have been determined as detailed in section 3.1, the evaluation of the right hand side of this equation requires a further $\operatorname{prec}(\ell, n)$ operations to determine R i p a ‘ , j q , i “ , 2. As shown in equation (2.22), the value $\operatorname{prec}(\ell, n)$, which provides a bound on the degree of numerator and denominator of R in terms of j and $a_\ell$, can be chosen to be prec p ‘, n q “ p v ` e ∆ ` q ‘. Since the expression R p a ‘ , j q lies in $\mathbb{F}_p[\zeta_n]$, the cost for computing $G_{\ell,n,\chi}(E)^n$ using (3.2) amounts to O pp v ` e ∆ ` q ‘ M p n qq multiplications in $\mathbb{F}_p$. The computation of J ‘,n,χ,m p E q requires comparable costs according to section 3.2.2. It is easy to see that these costs dominate the work for precomputing the values j, m ‘ , ∆ , p , g . Subsequently, according to equation (3.4) the essential work consists in determining the power p G ‘,n,χ p E q n q q ` , which requires $O(M(n) \log q) = O(M(n) \log p)$ operations, since $n \ll p$ holds. Hence, the total run-time amounts to

(3.7) O p M p n qpp v ` e ∆ ` q ‘ ` log p qq .

We compare this to the algorithm presented in [17], whose run-time is given by

O ˆ C p ‘ q log ‘n ` M p n q log p ` C ? n p n q ˙

using the notation from that article, which was one of the starting points of our research. Here

(3.8) O ˆ C p ‘ q log ‘n ` C ? n p n q ˙ “ ˜ O ´ ‘ ω ` ` n ω ` ¯

holds, where 2 ď ω ă F p . The theoretical record is ω » .
38 from [7]. Comparing (3.7) and (3.8) we realise that our approach might be competitive provided n and v are comparatively small. Due to e ∆ « n one should at least require n ď ? ‘ .

Recent results by Tenenbaum in [24], which build on the well-known asymptotic formulae for smooth numbers in [8], show

Υ p x, y q “ t z ď x : p k || z ñ p k ď y u „ xρ p u q for x Ñ 8 , where x “ y u ,

for the count of y-ultrafriable numbers $\le x$. Here $\rho(u)$ denotes the Dickmann function. For u “ ρ p u q « . ‘ we consider the values of n are small enough that an improvement of the run-time might be possible.

However, since equation (2.23) implies $v = O(\ell)$ holds asymptotically, we find that our algorithm exhibits an asymptotic run-time of O p ‘ M p n qq and is not competitive with the one from [17].

One might observe that the run-time for the computation of the q-th power of $G_{\ell,n}(E)^n$ can be reduced if the n-th cyclotomic polynomial is reducible over $\mathbb{F}_p$. In this case the extension $\mathbb{F}_p[\zeta_n]/\mathbb{F}_p$ only has degree min t k : p k ” n u “ ord n p p q . This observation can account for an improvement in run-time merely in a few cases, though.

However, the memory requirements are much more forbidding than run-time when considering practical applications for counting points on elliptic curves. As follows from the observations in section 2.3, the polynomial Q corresponding to $\tau_{\ell,n}(q)$ contains $\operatorname{prec}(\ell, n)$ coefficients from $\mathbb{Q}[\zeta_n]$. Experimental results suggest the height (the logarithm of the maximal absolute value) of these coefficients is essentially proportional to v (similar results are well-known from [6] for the modular function $j(q^\ell)$) and thus asymptotically proportional to $\ell$ according to (2.23). Hence, they imply ˜ O p prec p ‘, n q n‘ q “ ˜ O pp v ` e ∆ q n‘ q bytes of memory are required in order to store all the coefficients of Q. Using again $v = O(\ell)$ as well as $n = O(\ell)$ in the worst case we obtain a memory requirement of ˜ O p ‘ q bytes. This means in the worst case for $\ell \approx 100$ the expected memory requirement for representing the polynomial Q amounts to about 100 MB, which is confirmed by our computations. The expected memory requirement rises to 1 . ‘ «
200 and to about 1 TB for ‘ « Q for fixed ‘ and n has to be precomputed for ϕ p n q ´ E { F p for arbitrary primes p, it is evident that the proposed method rapidly leaves the realms of possibility. We observe that for the records set in [10] prime numbers up to ‘ « ‘ «

References

[1] Dan Abramovich. A linear lower bound on the gonality of modular curves. Internat. Math. Res. Notices, 20:1005–1011, 1996.
[2] Christian Berghoff. Universal elliptic Gauß sums and applications. arXiv.org, 2017. URL: https://arxiv.org/pdf/1707.08075.pdf.
[3] Christian Berghoff. Universelle elliptische Gauß-Summen und der Algorithmus von Schoof. PhD thesis, Universität Bonn, 2017. URL: http://hss.ulb.uni-bonn.de/2017/4725/4725.htm.
[4] Alin Bostan, François Morain, Bruno Salvy, and Éric Schost. Fast algorithms for computing isogenies between elliptic curves. Math. Comp., 77(263):1755–1778, 2008.
[5] Reinier Bröker, Kristin Lauter, and Andrew V. Sutherland. Modular polynomials via isogeny volcanoes. Math. Comp., 81(278):1201–1231, 2012.
[6] Paula Cohen. On the coefficients of the transformation polynomials for the elliptic modular function. Math. Proc. Cambridge Philos. Soc., 95(3):389–402, 1984.
[7] Don Coppersmith and Shmuel Winograd. Matrix multiplication via arithmetic progressions. J. Symbolic Comput., 9(3):251–280, 1990.
[8] Nicolaas G. de Bruijn. On the number of positive integers $\le x$ and free prime factors $> y$. II. Nederl. Akad. Wetensch. Proc. Ser. A 69=Indag. Math., 28:239–247, 1966.
[9] Andreas Enge. Computing modular polynomials in quasi-linear time. Math. Comp., 78(267):1809–1824, 2009.
[10] Andreas Enge and François Morain. Sea in genus 1: 2500 decimal digits. Posting to the Number Theory List, 2006.
[11] Jens Franke, Thorsten Kleinjung, Andreas Decker, and Anna Grosswendt. Format of the certificate (version 0.1). 2012. URL: .
[12] Pierrick Gaudry and François Morain. Fast algorithms for computing the eigenvalue in the Schoof-Elkies-Atkin algorithm. In ISSAC 2006, pages 109–115. ACM, New York, 2006.
[13] Torbjörn et al. Granlund. GNU multiple precision arithmetic library 6.1.0, November 2015. URL: https://gmplib.org/.
[14] Markus Maurer and Volker Müller. Finding the eigenvalue in Elkies’ algorithm. Experiment. Math., 10(2):275–285, 2001.
[15] Preda Mihăilescu. Dual elliptic primes and applications to cyclotomic primality proving. Mathematica Gottingensis, 2006.
[16] Preda Mihăilescu. Elliptic curve Gauss sums and counting points. Mathematica Gottingensis, 2006.
[17] Preda Mihăilescu, François Morain, and Éric Schost. Computing the eigenvalue in the Schoof-Elkies-Atkin algorithm using abelian lifts. In ISSAC 2007, pages 285–292. ACM, New York, 2007.
[18] Preda Mihăilescu and Victor Vuletescu. Elliptic Gauss sums and applications to point counting. Journal of Symbolic Computation, 45:825–836, 2010.
[19] François Morain. Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques. J. Théor. Nombres Bordeaux, 7(1):255–282, 1995. Les Dix-huitièmes Journées Arithmétiques (Bordeaux, 1993).
[20] Volker Müller. Ein Algorithmus zur Bestimmung der Punktanzahl elliptischer Kurven über endlichen Körpern der Charakteristik größer drei. PhD thesis, Universität des Saarlandes, 1995.
[21] Goro Shimura. Introduction to the arithmetic theory of automorphic functions. Publications of the Mathematical Society of Japan, No. 11. Iwanami Shoten, Publishers, Tokyo; Princeton University Press, Princeton, N.J., 1971. Kanô Memorial Lectures, No. 1.
[22] Joseph H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Texts in Mathematics. Springer, Dordrecht, second edition, 2009.
[23] Andrew V. Sutherland. On the evaluation of modular polynomials. In ANTS X—Proceedings of the Tenth Algorithmic Number Theory Symposium, volume 1 of Open Book Ser., pages 531–555. Math. Sci. Publ., Berkeley, CA, 2013.
[24] Gérald Tenenbaum. On ultrafriable integers. Q. J. Math., 66(1):333–351, 2015.
[25] Lawrence C. Washington. Elliptic curves: Number theory and Cryptography. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, second edition, 2008.
Universität Bonn, Mathematisches Institut, Endenicher Allee 60, 53115 Bonn, Germany
E-mail address ::