On the distribution of orders of Frobenius action on ℓ-torsion of abelian surfaces
Kolesnikov N. S. and Novoselov S. A.
Immanuel Kant Baltic Federal University
{nikolesnikov1, snovoselov}@kantiana.ru

Abstract
The computation of the order of Frobenius action on the ℓ-torsion is a part of Schoof-Elkies-Atkin algorithm for point counting on an elliptic curve E over a finite field F_q. The idea of Schoof’s algorithm is to compute the trace of Frobenius t modulo primes ℓ and restore it by the Chinese remainder theorem. Atkin’s improvement consists of computing the order r of the Frobenius action on E[ℓ] and of restricting the number t (mod ℓ) to enumerate by using the formula t ≡ q ( ζ + ζ − ) (mod ℓ). Here ζ is a primitive r-th root of unity. In this paper, we generalize Atkin’s formula to the general case of abelian variety of dimension g. Classically, finding the order r involves expensive computation of modular polynomials. We study the distribution of the Frobenius orders in case of abelian surfaces and q ≡ ℓ ) in order to replace these expensive computations by probabilistic algorithms.

The reported study was funded by RFBR according to the research project 18-31-00244. A preliminary version of this paper was presented by the authors at SibeCrypt’19 [13].

The computation of the Frobenius order and its usage for counting points on elliptic curves is a part of Atkin’s contribution to Schoof-Elkies-Atkin (SEA) algorithm (see [19] and [6, § E be an elliptic curve defined over a finite field F_q of characteristic p and let ℓ ≠ p be a prime number. The Frobenius endomorphism on E[ℓ] can be represented as an element of PGL ( F_ℓ ), a projective general linear group of matrices. If r is the order of Frobenius as element of PGL ( F_ℓ ), then the Frobenius trace t of elliptic curve satisfies Atkin’s formula [19, Prop. 6.2]:

t ≡ q ( ζ + ζ − ) (mod ℓ) , (1)

where ζ is a primitive r-th root of unity. So to determine t (mod ℓ) in the algorithm, we only need to enumerate primitive roots ζ instead of enumerating all ℓ possible variants.
The computation of r itself in SEA-algorithm is done by using the factorization of modular polynomials.

The formula (1) can be generalized to abelian varieties of higher dimension. The order r in this case is defined as the order of Frobenius endomorphism as an element of PGL g ( F_ℓ ) (see § A is an abelian surface over a finite field F_q and a , a are coefficients of the characteristic polynomial of Frobenius endomorphism on A, that is χ_{A,q}(T) = T + a T + a T + a qT + q , then

( a − q ) = η η q (mod ℓ) (2)

and

a = ( √ η ± √ η ) q (mod ℓ) , (3)

where η = ζ + ζ − + 2, η = ζ + ζ − + 2, and ζ , ζ are r-th roots of unity. This formula appears in [14] in a slightly different form and with additional restrictions implying that ζ , ζ are primitive. In [3, Prop. 3.14] there is a more restrictive formula for vanilla abelian surfaces with real multiplication. In our work, we give explicit formulae for any abelian variety of dimension g with relaxed restrictions on r-th roots to make it suitable for general case. We also provide simplified versions of our formulae for dimensions 2 , r , we can reduce the number of coefficients of characteristic polynomial (mod ℓ) to enumerate in the genus 2 generalization of Schoof’s algorithm [10]. However, modular polynomials [5, 9] for the case of dimension g ≥ p in general case are currently missing. In this work, we develop a probabilistic approach to point counting and study the distribution of order r in the case of abelian surfaces and q ≡ ℓ ).

Our contribution.
We give a generalization of Atkin’s formula to abelian varieties of any dimension. Our formulae are explicit and can be efficiently computed. These new formulae allow us to limit the number of possibilities for χ_{A,q}(T) (mod ℓ) in case when the order of the Frobenius on A[ℓ] is known. Our second contribution concerns the distribution of orders of matrices in the symplectic group Sp ( F_ℓ ) as elements of PSp ( F_ℓ ), a projective symplectic group. We obtained closed form expressions for the expected value and variance. Furthermore, we calculated the distribution for first primes ℓ ≤ q ≡ ℓ ).

The rest of the paper is organized as follows. In Section § A[ℓ]. Section § § ( F_ℓ ). In Section § ( F_ℓ ), we obtain properties of the Frobenius action distribution: expected order, variance and most common values (modes). In cryptographic applications we need Jacobians of genus g = 2 curves with group size at least 256 bit. Point counting on such curves using generalization of the Schoof’s algorithm requires computations modulo all primes ℓ ≤ (9 g + 3) log q [15]. So in this section, we computed the distribution for ℓ = 3 , ..., §

In this section we introduce notations that are used further.
• A general linear group GL n ( F_ℓ ) is a group of non-degenerate n × n matrices with elements in F_ℓ;
• A special linear group SL n ( F_ℓ ) is a group of n × n matrices having determinant ± F_ℓ;
• A symplectic group Sp g ( F_ℓ ) := { M ∈ F g × g ℓ | M Ω M T r = Ω }, where Ω is a fixed 2 g × g nonsingular skew-symmetric matrix;
• A general symplectic group GSp g ( F_ℓ ) := { M ∈ F g × g ℓ | M Ω M T r = c · Ω }, for some c ∈ F_ℓ;
• A projective symplectic group PSp g ( F_ℓ ) is a group Sp g ( F_ℓ ) modulo scalar matrices.
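Atkin's restriction from the introduction can be checked by brute force in dimension 1. The following Python sketch is an added example, not code from the paper: it uses the definition of order adopted in this paper (the least r with M^r scalar), enumerates every 2×2 matrix of determinant q over F_ℓ, and compares the observed values of t² with q(ζ + ζ⁻¹ + 2) for ζ of exact order r (with the ℓ-part of r removed), which is the form of the relation assumed here. All function names are illustrative, and the example covers only g = 1, not the Sp case tabulated later.

```python
from collections import defaultdict
from itertools import product


def mat_mul(A, B, l):
    """Product of 2x2 matrices stored as (a, b, c, d) = [[a, b], [c, d]] over F_l."""
    a, b, c, d = A
    e, f, g, h = B
    return ((a*e + b*g) % l, (a*f + b*h) % l, (c*e + d*g) % l, (c*f + d*h) % l)


def proj_order(M, l):
    """Least r >= 1 such that M^r is a scalar matrix (order of M in PGL_2(F_l))."""
    P, r = M, 1
    while not (P[1] == 0 and P[2] == 0 and P[0] == P[3]):
        P, r = mat_mul(P, M, l), r + 1
    return r


def order_table(l, q):
    """Brute force over all 2x2 matrices with determinant q mod l (q nonzero mod l).

    Returns {projective order: (number of matrices, set of observed t^2 mod l)}.
    """
    table = defaultdict(lambda: [0, set()])
    for a, b, c, d in product(range(l), repeat=4):
        if (a*d - b*c - q) % l == 0:
            entry = table[proj_order((a, b, c, d), l)]
            entry[0] += 1
            entry[1].add((a + d) ** 2 % l)
    return {r: (n, t2) for r, (n, t2) in sorted(table.items())}


def fl2_mul(x, y, d, l):
    """(x0 + x1*sqrt(d)) * (y0 + y1*sqrt(d)) in F_{l^2} = F_l(sqrt(d))."""
    return ((x[0]*y[0] + d*x[1]*y[1]) % l, (x[0]*y[1] + x[1]*y[0]) % l)


def atkin_candidates(l, q, r):
    """Candidate values of t^2 mod l for projective order r (l an odd prime).

    Returns every q*(z + 1/z + 2) mod l that is a square in F_l, where z runs
    over the elements of F_{l^2}* of exact order r', and r' is r with its
    l-part removed (the gcd(l, r) != 1 case).
    """
    while r % l == 0:
        r //= l
    # d is a quadratic non-residue mod l, so F_{l^2} = F_l(sqrt(d)).
    d = next(n for n in range(2, l) if pow(n, (l - 1) // 2, l) == l - 1)
    squares = {x * x % l for x in range(l)}
    found = set()
    for z in product(range(l), repeat=2):
        if z == (0, 0):
            continue
        # Walk the powers of z; when z^n = 1, `inverse` holds z^(n-1) = 1/z.
        power, inverse, n = z, (1, 0), 1
        while power != (1, 0):
            inverse, power, n = power, fl2_mul(power, z, d, l), n + 1
        if n != r:
            continue
        s = ((z[0] + inverse[0]) % l, (z[1] + inverse[1]) % l)
        t2 = q * (s[0] + 2) % l
        if s[1] == 0 and t2 in squares:  # z + 1/z must lie in F_l
            found.add(t2)
    return found


if __name__ == "__main__":
    for l, q in ((5, 1), (7, 1), (5, 2)):
        for r, (count, t2) in order_table(l, q).items():
            print(l, q, r, count, sorted(t2), sorted(atkin_candidates(l, q, r)))
```

For these small cases each order leaves a single value of t², so knowing r cuts the search from ℓ traces to at most two.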
A[ℓ]

Let A be an abelian variety of dimension g over a finite field F_q of characteristic p and ℓ ≠ p is a prime. From the work of Tate [22], we have

End F_q ( A ) ⊗ Z_ℓ ≃ End Gal( F_q / F_q ) ( T_ℓ ( A )) ,

where T_ℓ(A) is the Tate module of A and Z_ℓ is a ring of ℓ-adic integers. Since T_ℓ ( A ) ≃ ( Z_ℓ ) g , the Frobenius endomorphism on A can be represented by the matrix F ∈ GL g ( Z_ℓ ). Using Weil pairing, it can be shown (see [16, p. 358]) that F has the following properties:
1. F^T M F = q · M ;
2. the matrix M is skew-symmetric;
3. det( M ) is a unit in Z_ℓ.

In other words, F belongs to GSp g ( Z_ℓ ). The matrix of the action of Frobenius on A[ℓ] is defined as F_ℓ := F (mod ℓ). In the case of q ≡ ℓ ) this matrix belongs to symplectic group Sp g ( F_ℓ ). The orders of groups Sp g ( F_ℓ ) and PSp g ( F_ℓ ) are known [4, §

g ( F_ℓ ) = ℓ g g ∏ i =1 ( ℓ i − 1) (4)

and

g ( F_ℓ ) = ℓ g ∏ gi =1 ( ℓ i − , ℓ − . (5)

In this work, we study the orders of matrices F_ℓ as elements of PSp g ( F_ℓ ). From the introduction we know that in dimension 2 case these orders satisfy Eqs. (2) and (3). In next section we give equations for any dimension. So this information can be used for generalization of SEA-algorithm to higher dimension.

Now, we derive explicit formulae that relate the order r of the Frobenius action on A[ℓ] and the characteristic polynomial χ_{A,q}(T) (mod ℓ) of the Frobenius endomorphism on abelian variety A of dimension g. These formulae are direct generalization of Atkin’s formula for the dimension 1 case (see Proposition 6.2 in [19]) which is used in SEA-algorithm. Our formulae can be used for point counting in higher dimension case.

Let ϕ be the Frobenius endomorphism on A and let

χ_{A,q}(T) = T g + a T g − + ... + a g T g + a g − qT + ... + a q g − T + q g

be the characteristic polynomial of ϕ. It is known that we can arrange the roots λ i of this polynomial in such way that λ i λ i+g = q for i from 1 to g. So we can write

χ_{A,q}(T) = g ∏ i =1 ( T − λ i )( T − q/λ i ) .

We can associate [11, § 4] the real Weil polynomial h_{A,q}(T) to the characteristic polynomial χ_{A,q}(T). This polynomial h_{A,q}(T) has the properties:

χ_{A,q}(T) = T g h_{A,q}( T + q/T ) and h_{A,q}(T) = g ∏ i =1 ( T − ( λ i + q/λ i ) ) .

Let h_{A,q}(T) = T g + b T g − + ... + b g − T + b g . We can write [11, p. 4, Th. 9]:

a k = b k + k Σ i =1 ( g − k − i ) i ) q i b k − i ) (6)

and

a k +1 = b k +1 + k Σ i =1 ( g − k − i ) − i ) q i b k − i )+1 . (7)

So if we know h_{A,q}(T) then we can easily find χ_{A,q}(T). There are also recurrent formulae [6, § a k in terms of powers of roots which can be obtained via Newton-Girard formulae:

ka k = S k + S k − a + S k − a + ... + S a k − , (8)

where S k = − g Σ i =1 λ ki . Similarly, we have for coefficients b k :

kb k = S′ k + S′ k − b + S′ k − b + ... + S′ b k − , (9)

where S′ k = − g Σ i =1 ( λ i + q/λ i ) k .

Now let us consider the situation modulo prime ℓ and the restriction of the Frobenius endomorphism ϕ on A[ℓ].

Proposition 1.
Let A be an abelian variety of dimension g over a finite field F_q of characteristic p, let h_{A,q}(T) = g Σ k =0 b k T k be the real Weil polynomial of the characteristic polynomial of the Frobenius endomorphism ϕ on A. If ℓ ≠ p is a prime, r is the order of ϕ on A[ℓ], and gcd( r, ℓ ) = 1 then

kb k = S′ k + S′ k − b + S′ k − b + ... + S′ b k − (mod ℓ)

where

S′ k = − g Σ i =1 ( η i q ) k ,
S′ k +1 = − g Σ i =1 ( ± ( η i q ) k + ) .

Here, η i = ζ i + ζ i + 2 for i = 1 , ..., g and ζ , ..., ζ g are some r-th roots of unity in F_ℓ such that lcm(ord( ζ ) , . . . , ord( ζ g )) = r if r is odd and if r is even, lcm(ord( ζ ) , . . . , ord( ζ g )) = r or r .

Proof. Let F_ℓ be a matrix representing action of ϕ on A[ℓ]. So r is the order of F_ℓ, i.e. a minimal integer r such that F r ℓ = αI for some α. Let P i ∈ A[ℓ] be such that ϕ ( P i ) = [ λ i ] P i and ˜P i be the corresponding vector from ( Z /ℓ Z ) g ≃ A[ℓ]. On the one hand, we have F r ℓ ˜P i = α r since ϕ r is represented by the matrix F r ℓ = αI for a constant α. On the other hand we have F r ℓ ˜P i = λ ri ˜P i . So λ r = λ r = ... = λ r g . Since λ i λ i+g = q, we obtain λ ri λ ri + g = λ ri = q r . This implies the relation λ i = ζ i q for some r-th roots of unity ζ i and, since r is minimal, we can derive additional restrictions on the r-th roots. Let n = lcm(ord( ζ ) , ..., ord( ζ g )) then λ n = ... = λ ng = q n . From this in case of 2 n < r we have a contradiction to the minimality of r. Hence 2 n ≥ r and, since n ≤ r and n is a divisor of r, we have n = r or n = r/2.

Let η i = ζ i + ζ i + 2 as in the g = 1 case. Since λ i + q/λ i = ( ζ i + 1) q/λ i = ±√ η i q , the coefficients b k of h_{A,q}(T) are elementary symmetric polynomials in variables ±√ η i q . Using the relation λ i = ζ i q , we can write S′ k and S′ k +1 from Eq. (9) as

S′ k = − g Σ i =1 ( η i q ) k

and

S′ k +1 = − g Σ i =1 ( η i q ) k ( η i − λ i = − g Σ i =1 ( ± ( η i q ) k + ) .

In case of gcd( ℓ, r ) ≠ 1 the Eq. (5) implies that we can write r as r = ℓ k r where k | g and ℓ ∤ r . In this case we can take r = r in Proposition 1.

Finally, we apply Proposition 1 to obtain relations modulo ℓ:

b = − g Σ i =1 ( ±√ η i q ) ,
b = − g Σ i =1 ( η i q ) + b ,
b = − g Σ i =1 ± ( η i q ) / + (2 b − b ) b + b b ,
...
(2 k ) b k = − g Σ i =1 ( η i q ) k + f k ( b , ..., b k − ) ,
(2 k + 1) b k +1 = − g Σ i =1 ( ± ( η i q ) k + ) + f k +1 ( b , ..., b k ) , (10)

where f k and f k +1 are polynomials obtained by substituting the previously computed values of S′ i to the Eq. (9).

Thus, the coefficients a k can be written in terms of √ η i q for k = 1 , ..., g by Eqs. (6) and (7). In the following we also use squaring and the fact that b i are elementary symmetric polynomials in ±√ η i q to get rid of signs and to make formulae (10) simpler. For example, we can write b g = η · ... · η g q g for the coefficient b g .

Note that for g = 1 these formulae give us the formulae from Proposition 6.2 in [19]. For the case g = 2 and g = 3, we obtain the following propositions.

Proposition 2.
Let A be an abelian surface over a finite field F_q and χ_{A,q}(T) = T + a T + a T + a qT + q be the characteristic polynomial of the Frobenius endomorphism ϕ on A, let r be the order of ϕ on A[ℓ] for ℓ ≠ p, and let gcd( ℓ, r ) = 1 then

a = ( √ η ± √ η ) q (mod ℓ) , (11)

and

( a − q ) = η η q (mod ℓ) (12)

where η = ζ + ζ − + 2 , η = ζ + ζ − + 2 and ζ , ζ are some r-th roots of unity such that lcm(ord( ζ ) , ord( ζ )) = r in case r is odd and in case r is even, lcm(ord( ζ ) , ord( ζ )) = r or r .

Proof. By Eq. (7), we have a = b = ( ±√ η ± √ η ) √ q . Therefore, a = ( √ η ± √ η ) q . Since b = ±√ η √ η q , we have b = η η q . From Eq. (6), we can write a = b + 2 q and therefore ( a − q ) = η η q .

If gcd( ℓ, r ) ≠ 1 then, as in the general case, we can take the integer r such that r = ℓ k r , ℓ ∤ r and apply the Proposition 2 for r = r .

The formulae in Proposition 2 appear in [14] with additional restrictions on abelian variety A. Our version is fully general with weakened conditions on roots of unity.

Proposition 3.
Let A be an abelian variety of dimension over a finite field F_q and χ_{A,q}(T) = T + a T + a T + a T + a qT + a q T + q be the characteristic polynomial of the Frobenius endomorphism ϕ on A, let r be the order of ϕ on A[ℓ] for ℓ ≠ p, and let gcd( ℓ, r ) = 1 then

a = ( ±√ η ± √ η ± √ η ) q,
a = a + 6 q − ( η + η + η ) ,
( a − a q ) = η η η q

modulo ℓ, where η = ζ + ζ + 2 , η = ζ + ζ + 2 , η = ζ + ζ + 2 for some r-th roots of unity ζ , ζ , ζ such that lcm(ord( ζ ) , ord( ζ ) , ord( ζ )) = r in case r is odd and in case r is even, lcm(ord( ζ ) , ord( ζ ) , ord( ζ )) = r or r .

Proof.
1. First relation follows from the fact that a = b = ( ±√ η ± √ η ± √ η ) √ q .
2. Since a = b + 3 q by Eq. (6), we have 2 a − q = 2 b = − ( η + η + η ) + a .
3. We have b = η η η q . Equations (7) and (6) imply a = b + 2 qb = b + 2 qa . Then ( a − qa ) = η η η q .

Sp ( F_ℓ )

In general case the orders of matrices over a finite field were considered in [21, 17, 8, 18, 2]. In this section we study the distribution of orders of matrices in Sp ( F_ℓ ) as elements of projective symplectic group PSp ( F_ℓ ). We define the order of a matrix M ∈ Sp ( F_ℓ ) to be the minimal number r such that M r = λI for some scalar λ ∈ F_ℓ. We need such specific definition to derive the properties of Frobenius orders in the next section. All similar matrices have the same order, so it is enough to find the orders of conjugacy classes. A description of conjugate classes in Sp ( F_ℓ ) with explicit representatives is given in Srinivasan’s work [20, p. 489-491]. Using the same notation we denote the conjugacy classes in Sp ( F_ℓ ) by A • , B • ( • ) , C • ( • ) , D • with representative elements A • , B • ( • ) , C • ( • ) , D • respectively. For each class we calculate orders r = ord( M ) of matrices by using the explicit representatives. Since the number of matrices in a class is also known, we can calculate the probability of a random matrix M ∈ Sp ( F_ℓ ) to fall in a given class. We give the orders for classes with their respective probabilities in Table 1.

Table 1: Orders of matrices in Sp ( F_ℓ ) as elements of PSp ( F_ℓ ) and their probabilities.
Columns: Classes in Sp ( F_ℓ ); Order of matrices (projective); Probability ( M ∈ Sp ( F_ℓ ) ∧ M ∈ class )
A , A′ / ( ℓ ( ℓ − ℓ −
A , A′ , A , A′ ℓ / (2 ℓ ( ℓ −
A , A′ ℓ / (2 ℓ ( ℓ −
A , A′ ℓ / (2 ℓ ( ℓ + 1))
A , A′ , A , A′ ℓ / (2 ℓ )
B ( i ) ℓ +12 s , s = gcd( i, ℓ +12 ) 1 / ( ℓ + 1)
B ( i ) ℓ − s , s = gcd( i, ℓ − ) 1 / ( ℓ −
B ( i, j ) ℓ − ℓ − , i + j, | i − j | ) / ( ℓ −
B ( i, j ) ℓ +1gcd( ℓ +1 , i + j, | i − j | ) / ( ℓ + 1)
B ( i, j ) ℓ − ℓ − , i ( ℓ − j ( ℓ +1) , i ( ℓ − / ( ℓ −
B ( i ) ℓ +12 s , s = gcd( i, ℓ +12 ) 1 / ( ℓ ( ℓ + 1)( ℓ −
B ( i ) ℓ ( ℓ +1)2 s , s = gcd( i, ℓ ( ℓ +1)2 ) 1 / ( ℓ ( ℓ + 1))
B ( i ) ℓ − s , s = gcd( i, ℓ − ) 1 / ( ℓ ( ℓ − ℓ −
B ( i ) ℓ ( ℓ − s , s = gcd( i, ℓ ( ℓ − ) 1 / ( ℓ ( ℓ −
C ( i ) ℓ +1 s , s = gcd( i, ℓ + 1) 1 / ( ℓ ( ℓ + 1)( ℓ −
C′ ( i ) s, if 2 ∤ s, and 4 ∤ s s , if 2 | s, and 4 ∤ ss, if 4 | s where s = ℓ +1gcd( i, ℓ +1) / ( ℓ ( ℓ + 1)( ℓ −
C ( i ) , C ( i ) ℓ ( ℓ +1) s , s = gcd( i, ℓ ( ℓ + 1)) 1 / (2 ℓ ( ℓ + 1))
C′ ( i ) , C′ ( i ) s, if 2 ∤ s, and 4 ∤ s s , if 2 | s, and 4 ∤ ss, if 4 | s where s = ℓ ( ℓ +1)gcd( i, ℓ ( ℓ +1)) / (2 ℓ ( ℓ + 1))
C ( i ) ℓ − i, ℓ − / ℓ ( ℓ − ℓ −
C′ ( i ) s, if 2 ∤ s, and 4 ∤ s s , if 2 | s, and 4 ∤ ss, if 4 | s where s = ℓ − i, ℓ − / ℓ ( ℓ − ℓ −
C ( i ) , C ( i ) ℓ ( ℓ − i, ℓ ( ℓ − / (2 ℓ ( ℓ −
C′ ( i ) , C′ ( i ) s, if 2 ∤ s, and 4 ∤ s s , if 2 | s, and 4 ∤ ss, if 4 | s where s = ℓ ( ℓ − i, ℓ ( ℓ − / (2 ℓ ( ℓ −
D / ( ℓ ( ℓ − )
D , D , D , D ℓ / (2 ℓ ( ℓ −
D , D , D , D ℓ / (4 ℓ )

Having explicit information on orders of matrices in classes, we can now derive numerical characteristics of the distribution of orders. Let ξ be a random variable that takes values in { ord( M ) | M ∈ Sp ( F_ℓ ) }. Our next goal is to find an expected value and variance of the random variable ξ. Define the expected order of a matrix in Sp ( F_ℓ ) as µ = ( F_ℓ ) Σ M ∈ Sp ( F_ℓ ) ord( M ), where the order is defined for M as an element of PSp ( F_ℓ ).

Since all matrices in a conjugacy class have the same order, we can split the sum µ into parts which correspond to the conjugacy classes. For a conjugacy class M the corresponding term in the sum µ is given by the formula

µ ( M ) = ord( M ) · M ( F_ℓ ) = ord( M ) · Pr( ξ = ord( M )) .

For classes
A, D the order is fixed. For classes of type B k ( i, j ), B k ( i ), C k ( i ), C′ k ( i ) the order depends on parameters i, j and we assume that parameters i, j are distributed uniformly among their value sets as ℓ → ∞. So, we can use the following approximation [7] for gcd( i, x ):

E ( x ) := 6 π log( x ) + O (1) .

The expected orders of symplectic matrices in ∪ i,j B k ( i, j ), ∪ i B k ( i ), ∪ i C k ( i ), ∪ i C′ k ( i ) are presented in Table 2.

Table 2: Expected orders of symplectic matrices Sp ( F_ℓ ) as elements of PSp ( F_ℓ ).

Columns: Classes; Quantity of i, j; Expected order
B ( i ) ( ℓ − E − ( ℓ +12 )
B ( i ) ( ℓ − E − ( ℓ − )
B ( i, j ) ( ℓ − ℓ − ℓ − E − ( ℓ −
B ( i, j ) ( ℓ − ℓ − ℓ +1 E − ( ℓ + 1)
B ( i, j ) ( ℓ − ℓ − E − ( ℓ −
B ( i ) ( ℓ − ℓ ( ℓ − E − ( ℓ +12 )
B ( i ) ( ℓ − E − ( ℓ ( ℓ +1)2 )
B ( i ) ( ℓ − ℓ ( ℓ − E − ( ℓ − )
B ( i ) ( ℓ − E − ( ℓ ( ℓ − )
C ( i ) , C′ ( i ) ( l − ℓ ( ℓ − E − ( ℓ + 1)
C ( i ) , C′ ( i ) , C ( i ) , C′ ( i ) 2( l − E − ( ℓ + 1)
C ( i ) , C′ ( i ) ( l − ℓ ( ℓ − E − ( ℓ −
C ( i ) , C′ ( i ) , C ( i ) , C′ ( i ) 2( l − E − ( ℓ −

Proposition 4.
Let M be a matrix from Sp ( F_ℓ ). Define the order of M to be the order of M in the group PSp ( F_ℓ ). Then
1. The expected order of matrix M is equal to µ = π ℓ ( ℓ − · (2 ℓ + 15 ℓ − ℓ + ℓ + 65 ℓ − 40) log − ( ℓ ) .
2. The variance of the order’s distribution is equal to δ = ( π ℓ ( ℓ − ) · ψ ( ℓ ) log − ( ℓ ) − µ , where ψ ( ℓ ) = 6 ℓ − ℓ +420 ℓ − ℓ +828 ℓ +3375 ℓ − ℓ − ℓ +2550 ℓ − ℓ.

A[ℓ]

Let A be an abelian surface defined over a finite field F_q of odd characteristic p. From § ℓ-torsion subgroup in case q ≡ ℓ ) is represented by a symplectic matrix from Sp ( F_ℓ ). To find the distribution of the Frobenius orders, we use a heuristic assumption that the elements of Frobenius are equidistributed in Sp ( F_ℓ ). The assumption was already used in [1] in the context of counting the number of isogeny classes of abelian varieties. Thus, from Proposition 4 we obtain our results for expected order and variance of the Frobenius order.

Theorem 1.
Let A be an abelian surface defined over a finite field F_q of characteristic p. If ℓ ≠ p is a prime number and q ≫ ℓ, then the expected order of the Frobenius action on A[ℓ] is equal to µ.

Theorem 2.
Let A be an abelian surface defined over a finite field F_q of characteristic p. If ℓ ≠ p is a prime number, q ≫ ℓ, then the variance of order distribution of the Frobenius action on A[ℓ] is equal to δ.

Theorem 3. (Heuristic). The modes of the random variable ξ are ℓ +12 and ℓ − .

In point counting algorithms, we have to enumerate all primes ℓ ≤ (9 g + 3) log q. For cryptography on genus 2 curves we work with fields of size 160-bit. In this case the size of the group will be equal to O ( q ) by the Hasse-Weil bound, i.e. 320-bit. So we have to find the characteristic polynomial χ_{A,q}(T) (mod ℓ) for all primes ℓ ≤ χ_{A,q}(T) by CRT.

Using the data from Table 1, we calculated the distribution of the Frobenius orders for the first 500 primes ℓ = 3 . . . ℓ , as follows from Theorem 1, we normalize the order by calculating the value ord( M ) ℓ instead of ord( M ) itself. An obtained family of distributions is shown on Fig. 1. Taking an average value of order on different ℓ’s, one can construct the averaged distribution of orders. We present this distribution in the Table 3.

Table 3: The distribution for orders of the Frobenius action on A[ℓ].
Order (1 , ℓ ] ( ℓ, ℓ ] (2 ℓ, ℓ +12 ] ( ℓ +12 , ℓ ( ℓ + 1)] ℓ − ℓ +12 ℓ − ℓ + 1 Other ℓ − ℓ +14 ℓ − ℓ +12 Other
% 4 . . . . . . . . . . . .

Figure 1: A distribution of orders for the first 500 primes ℓ.

In Schoof-Pila [15] algorithm determining χ_{A,q}(T) (mod ℓ) is done by direct enumeration of at most ℓ g possible coefficients. Each test requires expensive operations like ideal membership test and operations with division polynomials of degree ℓ g .
So reducing the number of elements to enumerate is crucial.

The obtained results can be used for point counting on abelian variety A in the following modification of Schoof-Pila method.
1. Choose primes ℓ such that ∏ ℓ ≤ H log q ℓ > ( gg ) q g , where H = (9 g + 3).
2. For each prime ℓ:
(a) Build a list L of tuples ( a , . . . , a g , w ), where a , . . . , a g (mod ℓ) are the candidates for coefficients of characteristic polynomial χ_{A,q}(T) (mod ℓ) and w is a probability of ( a , . . . , a g ) to be the coefficients of χ_{A,q}(T) (mod ℓ). This probability is computed by using the distribution of the orders and formulae (6), (7), (10).
(b) Sort the list L by w.
(c) Determine χ_{A,q}(T) by testing tuples from the list starting with the ones having high values of w.
3. Determine χ A ( T ) from the list of χ_{A,q}(T) (mod ℓ) using CRT.

To test applicability of the distribution to point counting using the method described above, we run a series of experiments in SageMath [23] system. We choose a set of random primes p of size p > . For each prime p we compute a set of ℓ ≥ p ≡ ℓ ) and a set of 10000 random genus 2 hyperelliptic curves with imaginary model

y = f ( x ) = x + f x + f x + f x + f x + f .

This model is most common in cryptography. Such a curve is generated by a random monic square-free polynomial f ( x ) in F_p[x] of degree 5. By Prop. 2, for each pair ( p, ℓ ) we build a list L of pairs ( a , ( a − q ) ) corresponding to small orders r = ℓ ± from Table 3. We choose these orders because they appear in many conjugacy classes from Table 1 and the most common orders ℓ ± lead to big lists. For each curve we compute the characteristic polynomial χ p ( T ) of the Frobenius endomorphism by built-in methods of SageMath and so we know the exact value of χ p ( T ) (mod ℓ).
After that we compared the number of attempts to find χ p ( T ) (mod ℓ) using classical enumeration (as in Schoof-Pila algorithm) against our proposed search in the list L.

Our experiments show that the number of attempts to find the χ p ( T ) (mod ℓ) is reduced by ≈ − 12% for ℓ ≤ 100 where the success rate is decreasing with the growing of ℓ. In the case of ℓ > 100 we have the number of attempts reduced by ≈ − χ_{A,q}(T) from the lists L each corresponding to different ℓ. However a realization of this method is still an open problem even in the case when we use modular polynomials to determine the Frobenius order and so we know the exact order.

In this work we presented a generalization of Atkin’s formulae to any dimension and showed that the distribution of Frobenius orders is not uniform for abelian surfaces over a finite field F_q with q ≡ ℓ ). Furthermore, we described possible applications of this distribution to point counting purposes. The formulae can be used to limit the number of possible characteristic polynomials χ_{A,q}(T) (mod ℓ) in case when we know the Frobenius order. The distribution allows us to sort the lists of possible χ_{A,q}(T) (mod ℓ) by probability.

The further work is to use this modular information about distribution efficiently in the generalization of Schoof’s algorithm for genus 2 curves [10]. For elliptic curves there exist Atkin’s “Match and Sort” algorithm and “Chinese and Match” algorithm [12] due to Joux and Lercier. But for higher dimension this is still an open problem.

References

[1] J. Achter and C. Williams. Local heuristics and an exact formula for abelian surfaces over finite fields.
Canadian Mathematical Bulletin, 58(4):673–691, 2015.
[2] S. Aivazidis and E. Sofos. On the distribution of the density of maximal order elements in general linear groups. The Ramanujan Journal, 38(1):35–59, 2015.
[3] S. Ballentine, A. Guillevic, E. L. García, C. Martindale, M. Massierer, B. Smith, and J. Top. Isogenies for point counting on genus two hyperelliptic curves with maximal real multiplication. In Algebraic geometry for coding theory and cryptography, pages 63–94. Springer, 2017.
[4] J. N. Bray, D. F. Holt, and C. M. Roney-Dougal. The Maximal Subgroups of the Low-Dimensional Finite Classical Groups. London Mathematical Society Lecture Note Series. Cambridge University Press, 2013.
[5] R. Bröker and K. Lauter. Modular polynomials for genus 2. LMS Journal of Computation and Mathematics, 12:326–339, 2009.
[6] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren. Handbook of elliptic and hyperelliptic curve cryptography. Chapman and Hall/CRC, 2005.
[7] P. Diaconis, P. Erdös, et al. On the distribution of the greatest common divisor. In A Festschrift for Herman Rubin, pages 56–61. Institute of Mathematical Statistics, 2004.
[8] J. Fulman. Random matrix theory over finite fields. Bulletin of the American Mathematical Society, 39(1):51–85, 2002.
[9] P. Gaudry and É. Schost. Modular equations for hyperelliptic curves. Mathematics of Computation, 74(249):429–454, 2005.
[10] P. Gaudry and É. Schost. Genus 2 point counting over prime fields. Journal of Symbolic Computation, 47(4):368–400, 2012.
[11] N. E. Hurt. Many rational points: coding theory and algebraic geometry, volume 564. Springer Science & Business Media, 2013.
[12] A. Joux and R. Lercier. “Chinese & Match”, an alternative to Atkin’s “Match and Sort” method used in the SEA algorithm. Mathematics of Computation, 70(234):827–836, 2001.
[13] N. Kolesnikov and S. Novoselov. On the order of the Frobenius endomorphism action on ℓ-torsion subgroup of abelian surfaces. Prikl. Diskr. Mat. Suppl., (12):11–12, 2019.
[14] C. Martindale. Counting points on genus 2 curves over finite fields, 2017. Talk at GAGA Seminar in Utrecht, the Netherlands.
[15] J. Pila. Frobenius maps of abelian varieties and finding roots of unity in finite fields. Mathematics of Computation, 55(192):745–763, 1990.
[16] H.-G. Rück. Abelian surfaces and Jacobian varieties over finite fields. Compositio Mathematica, 76(3):351–366, 1990.
[17] E. Schmutz. The order of a typical matrix with entries in a finite field. Israel Journal of Mathematics, 91(1-3):349–371, 1995.
[18] E. Schmutz. The expected order of a random unitary matrix. Journal of Group Theory, 11(4):495–510, 2008.
[19] R. Schoof. Counting points on elliptic curves over finite fields. Journal de théorie des nombres de Bordeaux, 7(1):219–254, 1995.
[20] B. Srinivasan. The characters of the finite symplectic group Sp(4, q). Transactions of the American Mathematical Society, 131(2):488–525, 1968.
[21] R. Stong. The average order of a matrix. Journal of Combinatorial Theory, Series A, 64(2):337–343, 1993.
[22] J. Tate. Endomorphisms of abelian varieties over finite fields. Inventiones mathematicae, 2(2):134–144, 1966.
[23] The Sage Developers. SageMath, the Sage Mathematics Software System (Version 8.9), 2019.