Group Structures of Elliptic Curves:

Transcription

1 Group Structures of Elliptic Curves: Statistics, Heuristics, Algorithms, Numerics Igor E. Shparlinski University of New South Wales Sydney

2 2 Introduction Two common beliefs A. Besides possible torsion groups, we know where little about possible group structures of elliptic curves over Q. B. We know everything we need about possible group structures of elliptic curves over IF q, Hans- Georg Rück; Rene Schoof; Michael Tsfasman; Felipe Voloch; A. is certainly correct, e.g. there is a discrepancy, between heuristic and computation. How about B.? We show that it also here there are also many exciting open questions waiting for more theory, heuristic models and numerical tests.

3 3 Our Goals Show a broad variety of exciting problems related to group structures of elliptic curves Give a glimpse of number theoretic techniques and methods which have been used to tackle these problems Outline several open problems and directions for further investigation both theoretically heuristically numerically

4 4 Notation and Main Facts Fields and curves IF q = finite field of q elements. p always denotes a prime number. An elliptic curve E is given by a Weierstraß equation over IF q or Q (if gcd(q, 6) = 1). y 2 = x 3 + ax + b If gcd(q, 6) > 1 there are usually some technical complications but most of the results can be extended to this case too.

5 5 Bounds We use A B and B A (I. M. Vinogradov) A = O(B) (E. Landau) The notations and more compact and easier to use. they are more versitile as allow They are more versitile as allow us to write B A and admit more informative chains like A B = C Now try O(B) = A and A = O(B) = C

6 6 Main Facts Hasse Weil bound: #E(IF q ) q 1 2q 1/2 E(IF q ) is an Abelian group, which we write additively, of rank at most 2, with a special point at infinity O as the neutral element. In particular, as for any Abelian group of rank at most 2, E(IF q ) = Z/M Z/L with L M = e q (E), the exponent of E(IF q ).

7 7 Some Questions Is it typical for E to be have a large exponent e q (E) ( =the size of the largest cyclic subgroup of E(IF q ))? How often a random curve E is cyclic? What is a typical arithmetic structure of #E(IF q )? E.g. how often #E(IF q ) is prime? smooth? squarefree? How many N [q 2q 1/2 + 1, q + 2q 1/2 + 1] are taken as cardinalities #E(IF q )? What are possible group structures which can be represented by elliptic curves? That is, given a group G can we find a curve with G = E(IF q ) (for some q or for a given q)?

8 Sometimes we also fix the field IF q and the curve E/IF q and consider E(IF q n) in the extension fields. 8 What is a random curve? We consider statistics in the following situations: The field IF q is fixed, the curve E runs through all elliptic curves over IF q (or over some natural classes of curves). vertical aspect The curve E is defined over Q (and fixed). We consider reductions E(IF p ) modulo consecutive primes p horizontal aspect The curve E runs through some natural family of curves over Q (e.g., given by Weierstraß equations with the integer coefficients in a box a A, b B) and we consider reductions E(IF p ) modulo consecutive primes p diagonal aspect Remark: Usually the vertical aspect is easier and horizontal aspect is most difficult; the diagonal aspect is a compromise.

9 9 Group Structure of E(IF q ) and Arithmetic Properties of #E(IF q )... are closely related. E.g. the question about the size of gcd(#e(if q ), q 1) appears very frequently. Another example: Since L M = e q (E) #E(IF q ), if #E(IF q ) is squarefree that E(IF q ) is cyclic. Extra Motivation These questions also have various cryptographic applications. Hess, Lange and Shparlinski ( ) Bounds on the discrepancy of many pseudorandom number generators on elliptic curves are nontrivial only if the exponent e q (E) q 1/2+ε.

10 10 Complex Multiplication If E is an elliptic curve over an algebraic number field, IK then endomorphism ring End IK (E) of E over IK, contains a copy of the integers corresponding to the morphisms P np for each n Z. If End IK (E) is strictly bigger than Z, we say E has complex multiplication (CM) for in that case, it is a classical result that the ring is isomorphic to an order in an imaginary quadratic field. Otherwise, we say E is a non-cm curve. Many of the questions about elliptic curves fall naturally into these two categories, the CM case and the non-cm case. Typically, the CM case is the easier since there is an additional structure.

11 11 Finding the Group Structure Naive Probablilistic Algorithm Compute #E(IF q ) (deterministically) Factor #E(IF q ) Take a random point P E(IF q ) and compute its order After several trials, declare the LCM of all achieved orders to be the exponent e of the group E(IF q ), and put M = e, L = #E(IF q )/M, E(IF q ) = Z/M Z/L Complexity: Subexponential (even on average)

12 12 Miller s Algorithm Miller ( ) There is a probabilistic algorithm which is based on the Weil pairing. It runs in time (log q) O(1) + time to factor d(q) = gcd(#e(if q ), q 1) Friedlander, Pomerance and Shparlinski (2005) Typically d(q) is easy to factor: the expected time is (log q) 1+o(1).

13 13 Deterministic Algorithm Kohel and Shparlinski (2001) Deterministic algorithm which runs in time q 1/2+o(1) (in fact it produces a set of generators). The result is based on the extension of Bombieri s bound of exponential sums P H exp ( 2π 1Tr (f(p )) /p ) = O(q 1/2 ) for any subgroup H E(IF q ) and any function f which is not constant on E.

14 14 Curves over High Degree Extensions Let E be a curve over IF q n (think of q being small and n large). Voloch and Shparlinski (2011) A deterministic construction of a small set of points of E(IF q n) that contains a point of the largest possible order. This is an analogue of the results of Shoup (1991) and Shparlinski (1991) on small sets in high degree extensions of finite fields containing primitive elements.

15 15 Group Structure of E(IF q ) Classical Results E(IF q ) is either cyclic or isomorphic to a product of two cyclic groups Z/M Z/L with L M = e q (E). Max Deuring (1941) All values N [q 2q 1/2 +1, q+2q 1/2 +1], except for a small number of explicitly described exceptions, are taken as cardinalities #E(IF q ) (for q = p there is no exception). Note: About q 2 Weierstraß equations, about 4q 1/2 possible values for N.

16 16 More Precise Results Rück; Tsfasman; Voloch : (1988) Roughly speaking, with only few fully described exceptions, for any L and M with L gcd(m, q 1) and such that LM can be realised as a cardinality of an elliptic curve over IF q, there is also E for which E(IF q ) = Z/LZ Z/M Z. Farashahi and Shparlinski (2010) Study the distribution of various group structures. Still many open questions and mysterious facts that wait to be explained.

17 17 Distribution of #E(IF q ) Fix the field Vary the curve Lenstra (1987) For any N [p 2p 1/2 + 1, p + 2p 1/2 + 1], the probability that #E(IF p ) = N for a random curve E is O ( p 1/2 log p(log log p) 2). For any, but at most two values, in the half interval N [p p 1/2 + 1, p + p 1/2 + 1], the probability that #E(IF p ) = N for a random curve E is at least cp 1/2 (log p) 1 for an absolute constant c > 0. Under the ERH, there are no exceptions and the bound becomes cp 1/2 (log log p) 1. Moral: Cardinalities are uniformly distributed... more or less.

18 18 Fix the curve over IF q Vary the extension Boring... #E(IF q ) tells everything about #E(IF q n). Fix the curve over Q Vary the prime Let f E (N) = #{p : #E(IF p ) = N} Clearly, f E (N) = O ( ) N 1/2 log N and Kowalski (2005) Some interesting conjectures. N M f E (N) = O (π(m)), David and Smith (2013): Asymptotic formula for f E (N) on average over some families of curves. No nontrivial individual results!!

19 19 Distribution of #E(IF q ) q 1 Sato-Tate Conjecture: For a curve E over IF q, define the angle ψ E [0, π] via cos ψ E = #E(IF q) q 1 2. q For a random curve E Pr [ψ E [α, β]] µ ST (α, β) where µ ST (α, β) = 2 π β α sin2 θ dθ, Question: What is a random curve here?

20 20 Fix the field Vary the curve: Brian Birch (1968) Sato-Tate Conjecture holds in the vertical aspect Nick Katz & Peter Sarnak (1988) Generalized to more general curves. Fix the curve over Q: Vary the prime: Taylor (2006) Sato-Tate Conjecture holds in the horizontal aspect. Vary both the prime and the curve: Banks and Shparlinski (2006) Sato-Tate Conjecture holds in the diagonal aspect with rather mild averaging over curves. Fix the curve over IF q Vary the extension: Ahmadi and Shparlinski (2009) Sato-Tate Conjecture fails but there is a different distribution function.

21 21 Curves vs. Weierstraß Equations Let q = p be prime. We consider curves given by Weierstraß equations E a,b : Y 2 = X 3 + ax + b, where a, b IF p are such that 4a b 2 0. We are interested in the distribution of isomorphic and isogenous curves among the family {E a,b } when a and b run through some interesting sets. The most commonly studied case is (a, b) B for a box B = [u 1 + 1, u 1 + h 1 ] [u 2 + 1, u 2 + h 2 ]

22 22 Isomorphism over IF p : E a,b = Er,s over IF p if and only if for some x IF p ax 4 r (mod p) and bx 6 s (mod p) Counting function: Our main object of interest: T a,b,p (B) = #{E r,s : (r, s) B, E r,s = Ea,b } where B = [u 1 + 1, u 1 + h 1 ] [u 2 + 1, u 2 + h 2 ]. We expect T a,b,p (B) B p. Motivation: Sato-Tate Conjecture on average By Brian Birch (1968), the family E a,b, (a, b) IF 2 p satisfies the Sato-Tate Conjecture = the same result for E r,s, (r, s) B.

23 23 Large boxes: B p 1+ε One can expect an asymptotic formula for T a,b,p (B) Fixed (a, b) Fouvry and Murty (1996): Weil bound of exponential sums: for all (a, b) IF 2 p, T a,b,p (B) h 1h 2 p as p, provided that for some fixed ε > 0 h 1 h 2 p 3/2+ε and min{h 1, h 2 } p 1/2+ε. Motivation: Lang-Trotter Conjecture on average

24 24 Lang-Trotter vs Sato-Tate The Sato-Tate Conjecture predicts the statistical distribution of #E(IF q ) q 1 2 q [ 2, 2] The Lang-Trotter Conjecture predicts the statistical distribution of individual values #E(IF q ) q 1 = t It is seemingly a much more difficult conjecture and our current knowledge of its vertical, horizontal, diagonal aspects reflects this belief. E.g. horisontally, Hendrik Lenstra (1987): For all but 2 integers t [p p 1/2, p + p 1/2 ] #{(a, b) IF 2 p : #E a,b (IF p ) p 1 = t} p3/2 log p.

25 25 Averaging over (a, b) Baier and Zhao ( ): Method and results similar to those of Fouvry and Murty (1996). Banks and Shparlinski (2009): Burgess bound of character sums for almost all (a, b) IF 2 p T a,b,p (B) h 1h 2 p as p, provided that for some fixed ε > 0 h 1 h 2 p 1+ε and min{h 1, h 2 } p 1/4+ε. For p 1 (mod 4), we have T a,b,p (B) h 1h 2 p provided that for some fixed ε > 0 h 1 h 2 p 1+ε and min{h 1, h 2 } p 1/4e1/2 +ε.

26 26 Averaging over (a, b) and p Banks and Shparlinski (2009): Large sieve inequaliry for almost all p and (a, b) IF 2 p T a,b,p (B) h 1h 2 p as p, provided that for some fixed ε > 0 h 1 h 2 p 1+ε and min{h 1, h 2 } p ε. Motivation: Sato-Tate Conjecture on average Banks and Shparlinski (2009): It holds on average over primes p x and the family of 4AB curves E a,b : y 2 = x 3 + ax + b, a A, b B provided that AB x 1+ε and min{a, B} x ε.

27 27 More details about averaging: Let P be any property of elliptic curves. We use E a,b : Y 2 = X 3 + ax + b and write π a,b (x; P) = #{p x : E a,b satisfy P over IF p } We want to have an asymptotic formula 1 4AB a A b B π a,b (x; P) = Main Term+Error Term For the Main Term mainly the methods of Algebraic Number Theory have been used, e.g. the Chebotarev Density Theorem For the Error Term mainly the methods of Analytic Number Theory have been used, e.g. bounds of exponential and character sums. Reducing the Error Term = Reducing the amount of Averaging = Getting closer to Individual Estimates of π a,b (x; P)

28 28 Examples P = t: #E(F p ) = p + 1 t π a,b (x; t), Lang-Trotter conjecture P = (α, β): arccos #E(IF p) p 1 2 p [α, β] π a,b (x; α, β), Sato-Tate conjecture P = N: #E(F p ) = N π a,b (x; N), Kowalski problem P = P: #E(F p ) is prime: π a,b (x; P) P = S: #E(F p ) is square-free: π a,b (x; S) P = D: t 2 p 4p, where t p = p + 1 #(IF p ), is square-free: π a,b (x; D)

29 29 Sato-Tate Conjecture on Average Banks and Shparlinski (2009): If AB x 1+ε and min{a, B} x ε. then 1 4AB where a A b B π a,b (x; α, β) µ ST (α, β)π(x) µ ST (α, β) = 2 π β α sin2 θ dθ, Banks and Shparlinski (2009) Similar results for #E r,s (IF p ) with some prescribed arithmetic properties: square-free, multiples of some integer m, etc. Note In these questions deriving the main term was either done before or easy.

30 30 Other Applications: The method of Banks and Shparlinski (2009) was used by to reduce the amount of averaging in several similar problems Balog, Cojocaru and David (2011): primality, that is, π a,b (x; P) on average David and Jiménez Urroz (2010): square-freeness of the discriminants, that is, π a,b (x; D) on average Martin, Pollack and Smith (2012): the number of curves with a given numbere of points, that is, π a,b (x; N) on average Note: For the above problems dealing with the main terms is a very difficult task which required the authors to use very delicate tools.

31 31 Generalisations and Open Problems: Shparlinski (2011) Similar results for #E r,s (IF p ) with (r, s) from some other sets, including polynomial values. The original result of Fouvry and Murty (1996) about the average value of π a,b (x; t) with t = 0 was extended to arbitrary t by David and Pappalardi (1996) but it has never been improved. Open Question 1 Obtain an asymptotic formula for π a,b (x; t) in the region which is smaller than A, B p 3/2+ε and min{a, B} p 1/2+ε. Open Question 2 What about curves of higher genus? The method of Fouvry and Murty (1996): can be extended to hyperelliptic curves, but for Banks and Shparlinski (2009) it is important that we have to control only two coefficients.

32 32 Small boxes: B < p One can expect only upper bounds on T a,b,p (B) Observation E a,b = Er,s = for some x IF p ax 4 r (mod p) and bx 6 s (mod p) r 3 b 2 a 3 s 2 (mod p). Set λ = a 3 /b 2. Then T a,b,p (B) #{(r, s) B : r 3 λs 2 (mod p)}. More generally, for f IF p [X] we define: N f (B) = #{f(x) y 2 (mod p) : (x, y) B}. For h 1, h 2 p 1/2+ε standard methods, based on the Weil bound for exponential sums allow to estimate T a,b,p (B). We are interested in smaller boxes

33 33 Consider only squares B = Q = [u 1 + 1, u 1 + h] [u 2 + 1, u 2 + h] Cilleruelo, Shparlinski & Zumalacárregui (2011), Chang, Cilleruelo, Garaev, Hernández, Shparlinski & Zumalacárregui (2012): For any cubic polynomial f IF p [X] and a square Q, we have N f (Q) h 1+o(1) h 2/3 if h < p 1/8, (h 4 /p) 1/6 if p 1/8 h < p 5/23, (h 3 /p) 1/16 if p 5/23 h < p 1/3. Example: f(x) = X 3 shows the bound N f (Q) h 1/3+o(1), which holds for h < p 1/8, is tight.

34 34 The proof is based on a variety of tools from analytic number theory: The bound of Bombieri and Pila (1989) on the number of integral points on an absolutely irreducible curve of degree d 2 in a square [0, H] [0, H] The version of Wooley (2011) on the Vinogradov Mean Value Theorem The method Weyl (1916) of estimating exponential sums

35 35 Annoying Drawback The above result not cover the whole range 1 h < p and does not yield a nontrivial estimate for p 1/3 < h < p 1/2. Note that splitting Q into smaller squares fails as the number of these squares grows quadratically. Chang (2014) has recently introduced several new ideas and obtained a nontrivial estimate for h p 1/3+4/23. Open Question 3 Bridge the above gap and obtain a nontrivial estimate for p 1/3+4/23 < h < p 1/2.

36 36... Even More Annoying and Important Drawback All previous results only study isomorphic curves ( p Weierstrass equations) and all based on E a,b = E r,s = for some x IF p ax 4 r (mod p) and bx 6 s (mod p) On the other hand, many underlying problemns, e.g., Sato Tate and Lang Trotter Conjectures appeal to a larger family ( p 3/2 Weierstrass equations) of isogenous curves. So far no one succeeded in taking any advantage of this extra degree of freedom.

37 37 Exponent eq(e) Clearly if E(IF q ) is cyclic, then e q (E) = #E(IF q ) q as good as it gets; if E(IF q ) is isomorphic to a product of two cyclic groups Z/M Z/L with L M, then e q (E) = M #E(IF q ) 1/2 q 1/2... falls below the threshold q 1/2+ε needed for application to pseudorandom number generators. Better Bounds?

38 38 Rene Schoof (1991) If E (defined over Q) has no complex multiplication then for all primes e p (E) Cp 1/2 log p log log p for some absolute constant C > 0... still below the threshold p 1/2+ε. under the ERH, for infinitely many primes, e p (E) = O ( p 7/8 log p ). If E : y 2 = x 3 x then E has complex multiplication over Z[i]. On the other hand, e p (E) = k p 1/2 for every prime p of the form p = k

39 39 Bill Duke (2003) For almost all primes p (i.e., for all but o(π(x)) primes p x) and all curves E over IF p e p (E) p 3/4 ε... comfortably above the p 1/2+ε threshold!! Kevin Ford and Shparlinski (2005) The above bound is tight. A similar bound for Jacobians of curves of genus g 2. Even Better Bounds? The bounds on the discrepancy of many sequences from elliptic curves attain their full strength when e p (E) is of order close to p.

40 40 Question: Is it typical for e q (E) to be close to q? Duke (2003) For any curve E (defined over Q) and almost all primes p e p (E) p 1 ε unconditionally if E has complex multiplication and under the ERH, otherwise. Shparlinski (2003) For any prime p and almost all curves E (defined over IF p ) e p (E) p 1 ε. Freiberg and Kurlberg (2012); Wu (2013): Under the GRH, and uncoditionally for CM-curves: p x e p (E) C(E) x2 log x where 0 < C(E) < 1 depends only on E.

41 41 Luca and Shparlinski. (2004) Let E be an ordinary curve defined over IF q. Then for almost all integers n, for all integers n, e q n(e) q n 2n(log n) 1/6. e q n(e) q n/2+c(q)n/ log n

42 42 The proofs are based of some deep facts of the theory of Diophantine Approximations Subspace Theorem; Lower bounds of linear forms of p-adic logarithms; Upper bounds on the number of zeros of linear recurrence sequences. Essentially the proof of the first bound follows the ideas of Pietro Corvaja and Umberto Zannier (2004). It also gives a subexponential upper bound on d(q n ) = gcd(#e(if q n), q n 1) which also appears in the estimate of the complexity of the structure finding algorithm of Miller ( ).

43 43 Luca, McKee and Shparlinski (2004) Let E be an ordinary curve defined over IF q. Then for infinitely many integers n, e q n(e) q n exp ( n c/ log log n). for some c > 0 depending only on q. The proof is based on: studying the degree d(r) of the extension of IF q generated by points of r-torsion groups (i.e. groups of points P on E in the algebraic closure IF q with rp = O) for distinct primes r; a modification of a result of Adleman, Pomerance and Rumely (1983) on constructing integers n which have exponentially many divisors of the form r 1, where r is prime.

44 44 How do we proceed? Combine the following facts: Weil Pairing: If E(IF q ) = Z/M Z/L with L M, then L q 1. Hendrik Lenstra (1987) For any N, the probability that #E(IF q ) = N for a random curve E is O ( q 1/2 log q(log log q) 2). Thus all values of N [q 2q 1/2, q + 2q 1/2 ] are taken about the same number of times. The question about e q (E) is now reduced to studying how often N [q 2q 1/2 + 1, q + 2q 1/2 + 1] has a large common divisor with q 1.

45 45 Is the Cyclicity Typical? Fix the field Vary the curve: Sergei Vlăduţ (1999) At least 75% of elliptic curves over IF q are cyclic, but not 100%. Fix the curve over IF q : Vary the extension: Sergei Vlăduţ (1999) Over every finite there is a curve E such that E(IF q n) is cyclic for a positive proportion of n. Fix the curve over Q: Vary the prime: Related to the Lang Trotter Conjecture! Cojocaru, Murty, Duke ( ) (a series of results) under the ERH the set of primes for which E(IF p ) is cyclic is of positive density (depending on E); the smallest prime for which E(IF p ) is cyclic is not too large.

46 46 Arithmetic Structure of #E(IF q ) Primality Possible questions The Holy Grail is to prove at least one out of the following claims (also very important for elliptic curve cryptography): For every q, there are sufficiently many curves E over IF q, such that #E(IF q ) is prime; for a curve E over IF q, #E(IF q n)/#e(if q ) is prime for infinitely many integers n; for a curve E over Q without torsion points, #E(IF p ) is prime for infinitely many primes p. All are out of reach!

47 47 One of the obstacles is the lack of the results about primes in short intervals. We have to know about primes more than even the GRH can tell us. Heuristic Naive guess: is totally wrong. Pr[#E(IF p ) is prime] 1/ log p The values of #E(IF p ) are not random integers w.r.t. divisibility by small primes. The naive heuristic was corrected by Koblitz (1988) but was still wrong. Zyvina (2011) gave a correct (?) formula. its derivation is quite subtle.

48 48 Large and Small Prime Divisors of #E(IF q ) Question: What if we ask for curves such that #E(IF q ) does not have a large prime divisor? Hendrik Lenstra (1987) For the rigorous analysis of the elliptic curve factorisation we need to show that there are sufficiently many curves over IF p for which #E(IF p ) is smooth. Still unknown! Hendrik Lenstra, Jonathan Pila and Carl Pomerance (1993) The current knowledge is enough to analyze rigorously the hyperelliptic smoothness test (larger intervals... ). Question: What if we only ask for curves such that #E(IF q ) has a large prime divisor? Harman (2005) For a positive proportion of n [q + 1 q 1/2, q q 1/2 ], the largest prime divisor P (n) n 0.74

49 49 Number of Prime Divisors Miri & Murty (2001) Cojocaru (2005) Under the ERH, for any non-cm elliptic curve E over Q, one has an analogue of the Turán Kubilius inequality: p x (ω (#E(IF p )) log log p) 2 = O(π(x) log log x) where, as usual, π(x) = #{p x}. Yu-Ru Liu (2004) For CM curves, a similar result is obtained unconditionally.

50 50 Miri & Murty (2001) Cojocaru (2005) Steuding & Weng (2005) Jiménez & Iwaniec (2006) There are at least C(E)x/(log x) 2 primes p x such that Ω(#E(IF p )) 9, if E is a non-cm curve, ω(#e(if p )) 6, if E is a non-cm curve, ω(#e(if p )) 2, if E is a CM curve.

51 51 CM Discriminants For a curve E defined over IF p we put t = #E(IF p ) p 1 and write t 2 4p = r 2 s where s is squarefree. Then either s or 4s is the discriminant of the endomorphism ring of E, or CM discriminant. Luca & Shparlinski (2004) The discriminant is usually large for a random curve; All curves modulo p define 2p 1/2 +O(p 1/3 ) distinct discriminants. The last bound is based on an improvement of a result of Cutter, Granville & Tucker (2003) on square divisors of values of quadratic polynomials.

52 52 Yet Another Point of View What do we know about E(IF q )? E(IF q ) is of rank two: E(IF q ) = Z n Z nk E.g., nk is the exponent of E(IF q ). Two Questions Question 1: What pairs (n, k) can be realised by all possible prime powers q and curves E/IF q and how frequently? Question 2: What pairs (n, k) can be realised for a given q and all curves E/IF q and how frequently?

53 53 How to compute n and k? Probablilistic Algorithm Compute #E(IF q ) (determistically) Factor #E(IF q ) Take a random point P E(IF q ) and compute its order After several trials, declare the largest achieved order to be the exponent e of the group E(IF q ), and put n = #E(IF q )/e and k = e/n. Complexity: Subexponential (even on average)

54 54 Miller (2004): Faster probabilistic algorithm (still subexponential) Friedlander, Polmerance & Shparlinski (2006): Average case analysis (polynomial). Deterministic Algorithm Kohel & Shparlinski (2000): Bounds of exponential sums An explicit set S E(IF q ) with #S = q 1/2+o(1) containing a point of the largest possible order Computing n and k deterministically in time q 1/2+o(1)

55 55 What do we know about n and k? Hasse Bound: #E(IF q ) = n 2 k = q + 1 t where t 2q 1/2 Weil pairing n q 1 Lemma 4 If q is a prime power, and E/IF q is such that then E(IF q ) = Z n Z nk, q = n 2 k + nl + 1 where l 2 k. Warning: These conditions are almost if and only if, but not quite...

56 56 Arbitrary Field IF q What do we study? We introduce and study the set S Π = {(n, k) IN IN : prime power q and E/IF q with E(IF q ) = Z n Z nk } We are also study the subset S π S Π defined by S π = {(n, k) IN IN : prime p and E/IF p with E(IF p ) = Z n Z nk } Remark: Given a pair (n, k) we can test whether (n, k) S Π or (n, k) S π in finitely many steps.

57 57 One expects S π and S Π to be reasonably dense in IN IN. However, the complementary sets appear to be rather large: List of the pairs (n, k) S Π with n, k 25: (11, 1), (11, 14), (13, 6), (13, 25), (15, 4), (19, 7), (19, 10), (19, 14), (19, 15), (19, 18), (21, 18), (23, 1), (23, 5), (23, 8), (23, 19), (25, 5), (25, 14). To investigate the distribution of the elements of S π and of S Π, we introduce the sets S π (N, K) = { (n, k) S π : n N, k K }, S Π (N, K) = { (n, k) S Π : n N, k K }, We obtain estimates for the cardinalities of these sets in various ranges of N and K

58 58 We consider the set of primes p such that Z n Z nk can be realized as the group of points of an elliptic curve over IF p : J π (n, k) = {primes p : E/IF p for which E(IF p ) = Z n Z nk }. We obtain an asymptotic formula in certain ranges of N and K for J π (N, K) = n N k K #J π (n, k), Motivated by Lemma 4, we compare N k,m = {n IN : p prime and E/IF p m with E(IF p m) = Z n Z kn }. and Ñ k,m = {n IN : l Z, p prime with l 2 k and p m = n 2 k + ln + 1}.

59 59 Basic Tools Characterisation of cardinalities Waterhouse (1969): Lemma 5 Let q = p m be a power of a prime p and let N = q + 1 a. There is an elliptic curve E/IF q with #E(IF q ) = N if and only if a 2 q and a satisfies one of the following: (i) gcd(a, p) = 1; (ii) m even and a = ±2 q; (iii) m is even, p 1 (mod 3), and a = ± q; (iv) m is odd, p = 2 or 3, and a = ±p (n+1)/2 ; (v) m is even, p 1 (mod 4), and a = 0; (vi) m is odd and a = 0.

60 60 Characterisation of group structures Rück and Voloch (1987) Lemma 6 Let N be an integer that occurs as the order of an elliptic curve over a finite field IF q where q = p m is a power of a prime p. Write N = p e n 1 n 2 with p n 1 n 2 and n 1 n 2. (possibly n 1 = 1). There is an elliptic curve E over IF q such that if and only if E(IF q ) = Z p e Z n1 Z n2 1. n 1 = n 2 in the case (ii) of Lemma 5; 2. n 1 q 1 in all other cases of Lemma 5.

61 61 Prime fields Combining Lemmas 5 and 6 we get: Corollary 7 If p + 1 N 2 p and N = n 1 n 2 with n 1 n 2 and n 1 p 1 then there is an elliptic curve E/IF p with E(IF p ) = Z n1 Z n2. Recall: J π (n, k) = {primes p : E/IF p for which E(IF p ) = Z n Z nk }. Corollary 8 We have p J π (n, k) if and only if p = n 2 k + nl + 1 where l 2 k. Corollary 8 means that for prime q = p, Lemma 4 is an if and only if statement

62 62 Analytic number theory Here we study J π (N, K) = n N k K #J π (n, k), Corollary 8: If n and l fixed, we count primes p = n 2 k + nl + 1 l 2 /4 k K. or p nl + 1 (mod n 2 ) where n 2 l 2 /4 + nl + 1 p n 2 K + nl + 1. Put π(x; m, a) = # { p x : p a (mod m) } Lemma 9 For all N, K IN we have ( J π (N, K) = π(n 2 K + nl + 1; n 2, nl + 1) n N l 2 K ) π( 4 1 n2 l 2 + nl; n 2, nl + 1).

63 63 What is next? Good News: functions J π (N, K) is expressed via classical Bad News: We need to study primes in short arithmetic progressions: modulus N 2, the length K, while unconditional results are very weak. Good News: We need this on average over n: recall Bombieri-Vinogradov Bad News: The averaging is over square moduli, rather than over all moduli up to a certain limit. Good News: Baier & Zhao (2008), Baker (2010), have exactly this version of the Bombieri-Vinogradov theorem!

64 64 Classical Bombieri-Vinogradov Lemma 10 For fixed ε > 0 and C > 0, we have m x 1/2 ε max gcd(a,m)=1 ψ(x; m, a) x ϕ(m) x (log x) C. Bombieri-Vinogradov for Squares As usual, we set ψ(x; m, a) = n x n a (mod m) Λ(n), where Λ(n) is the von Mangoldt function. Baier & Zhao (2008); Baker (2010): Lemma 11 For fixed ε > 0 and C > 0, we have m x 43/180 ε m max gcd(a,m)=1 ψ(x; m2, a) x ϕ(m 2 ) x (log x) C. Moduli m 2 run up to almost x 43/90, only a little bit behind of x 1/2 as in the Bombieri-Vinogradov theorem.

65 65 Are we done? Not quite.... Things still to be taken care of: Switch from ψ to π Partial summation! The upper limits in π(n 2 K + nl + 1; n 2, nl + 1) and π( 1 4 n2 l 2 +nl; n 2, nl+1) are moving with n. Separate the range of summation over n, into O( 1 log N) intervals [M, M + M] replace n 2 with M 2, up to the error term of O((M 2 n 2 )K) = O(M 2 K ) optimise We can deal with J π (N, K) for N K 2/5 ε, i.e., for groups generated by E/F p with a large torsion group over IF p.

66 66 Sets S Π (N, K) and S Π (N, K) Theorem 12 For any ε > 0 and N K 43/94 ε, NK #S Π (N, K) #S π (N, K) NK log K. Proof. If p = 1 + n 2 k then #S π (N, K) (n, (p 1)/n 2 ) S π (N, K) n N N/2 n N π(n 2 K, n 2, 1) 1 log(kn 2 ) 1 log K π(n 2 K, n 2, 1) N/2 n N N/2 n N ψ(n 2 K, n 2, 1) ψ(n 2 K/4, n 2, 1). The result of Baker (2010), i.e., Lemma 11, applies if N (N 2 K) 43/180 δ for some δ > 0 or N K 2/5 ε for some ε > 0.

67 67 Question: Can we say anything nontrivial instead of NK #S Π (N, K) #S π (N, K)? Suppose that K is fixed We are interested in prime powers: q = n 2 k + nl + 1 and l 2 k Good News: Sieve methods can be used for upper bounds Bad News: We need explicit bounds and we have 4k 1/2 progressions. Good News: When k is fixed this should work.

68 68 Selberg s sieve: Theorem 13 For any integer K 1 there exists a constant A(K) such that #S Π (N, K) A(K) N log N. E.g., there are infinitely many pairs (n, k) which do not lie in S Π. More precisely: Corollary 14 For every k 0, almost all (n, k 0 ) S Π.

69 69 Chandee, David, Koukoupoulos, Smith (2012): have given remarkable improvements of the above results. For any fixed A > 1 and ε > 0, for N K 1/4 ε #S π (N, K) = NK + O ( ) NK (log K) A. For N K 1/2 #S π (N, K) NK. For any N 2 and K 1, #S π (N, K) NK3/2 log N.

70 70 Suppose that N is fixed It is quite reasonable to believe that for any N 0 1 the set S Π contains all pairs (n, k) IN IN with n N 0 except for at most finitely many. This is a consequence of an analogue of the Cramer s Conjecture for primes in a fixed arithmetic progression (and is out of reach... ). Easier (?) Question: Open Question 15 Let n 0 be fixed. that for almost k, (n 0, k) S Π? Is it true

71 71 Set S Π (N, K) \ S π (N, K) Question: Prime powers q = p m with m 2 are very rare. Do they contribute to S Π? Yes! #(S Π (N, 1) \ S π (N, 1)) (2 + o(1)) N log N

72 72 There are (2 + o(1))n/ log N positive integers n N with either n 1 or n + 1 is prime; n 2 + 1, n 2 + n + 1 and n 2 n + 1 are all composite. For any such n, either (n 1) 2 or (n + 1) 2 is a prime power, and we have (n, 1) S Π ; however, n 2 + ln + 1 is clearly composite for 2 l 2, and thus (n, 1) S π. Open Question 16 Any contribution to S Π \ S π from k 2?

73 73 Sets N k,m and Ñk,m Recall: N k,m = {n IN : p prime and E/IF p m with E(IF p m) = Z n Z kn }. and Ñ k,m = {n IN : l Z, p prime with l 2 k and p m = n 2 k + ln + 1}. We have N k,m Ñk,m Question Is the inclusion proper? Theorem 17 We have, N k,1 = Ñk,1. Proof. Easy!

74 74 For m = 2, the situation is more complicated. We have: Theorem 18 We have that N k,2 = Ñk,2 except possibly in the following cases: (i) k = p and p 1 (mod 4) when (ii) k = p 2 ± p + 1 and p 1 (mod 3); (iii) k = M 2, M > 1. In the cases (i) and (ii), we have Ñk,2 \ N k,2 {1} while in the case (iii) we have and N M 2,2 = {1} if M is prime otherwise Ñ M 2,2 \N M 2,2 {(p±1)/m : p 1 (mod M) is prime}.

75 75 Proof. Uses some properties of the Pell equation. Corollary 19 Suppose that k is not a perfect square. We have the following: N k,2 (T ) k log T. Furthermore N 1,2 (T ) = π(t 1) + π(t + 1) #{p T + 1 : p, p 2 are prime} For m 3, the situation is more complicated, even for k = 1...

76 76 Missed group structures Here are the values of the counting function f(d) of missed pairs (n, k) with max{n, k} D for D = f D, D D

77 77 We also plot the values of the counting function F (N, K) of missed pairs (n, k) with n N and k K for N, K K N, K N

78 78 We see that for each fixed N = N 0 the line F N0 (K) = F (N, K) becomes flat quite quickly but still continues to slowly grow. Heuristics predictions for F (N, K) A pair (n, k) contributes to F (N, K) if kn 2 + ln + 1 is not a prime power for l 2k 1/2 (and in some other exceptional cases). Standard heuristic: kn 2 + ln + 1 is a prime power with probability ρ(n, k, l) = n ϕ(n) log(kn 2 + ln + 1) (the ratio n/ϕ(n) accounts for the fact that we seek prime powers in the arithmetic progression 1 mod n).

79 79 So (n, k) [1, N] [1, K] contributes to F (N, K) with probability ϑ(n, k) = l 2k 1/2 (1 ρ(n, k, l)) Thus, we expect that F (N, K) is close to B(N, K) = n N k K ϑ(n, k). We have not studied the function B(N, K) analytically, but we note that for any fixed ε > 0 ϑ(n, k) 1 if k (log n) 2 ε, 0 if k (log n) 2+ε.

80 80 Here is the 3D plot of β(n, K) = F (N, K), 1 N, K 1000 B(N, K) Β N, K K N It seems to stabilise but not at 1 but rather at Open Question 20 Why does this happen?

81 81 Fixed Field IF q Frequency of the group structures This case seems to be easier... yet full of mystery. G(q; m, n) = number of IF q -isomorphism classes of elliptic curves E over IF q such that E(IF q ) Z m Z n. Lemma 6 characterises m and n with G(q; m, n) > 0 We compute G(q; m, n) via some sums with class numbers.

82 82 Let c t be the largest integer such that c 2 t (t 2 4q) and (t 2 4q)/c 2 t 0 or 1 (mod 4). Let s t be the largest integer such that s 2 t q + 1 t and s t q 1. We note that s t c t. For each positive divisor m of s t, let M t (m) = {e IN : m e, e c t } and S t (m) = M t (m) \ l IN, l>m m l, l s t M t (l). Let m n and m q 1 be such that for t = q + 1 mn we have t 2 4q and gcd(t, p) = 1, then G(q; m, n) = ( t 2 ) 4q h l S t (m)... + seven more special cases when p t. l 2

83 83 Number of distinct group structures The following result gives explicit formulas for the number F (q) of distinct group structures of all elliptic curves over IF q. Let τ(s) be the divisor function and let ( ) ( ) 1 3 η = and ζ = p p Theorem 21 Let q = p k be a power of a prime p. For the number F (q) of distinct group structures of all elliptic curves over IF q, we have F (q) = t Z, t 2 4q, gcd(t,p)=1 + τ(s t ) η 2, k is odd, p > 3, η 2, k is odd, p = 2, 3, η 2 ζ, k is even, p > 3, 5, k is even, p = 2, 3.

84 84 Extreme and average values Theorem 21 + some analytic number theory: Theorem 22 When q = p α via the set of prime powers, we have 1. lim sup q F (q) q (1 1/p) = 2π2 3 ; 2. lim inf q q odd F (q) q (1 1/p) = 5; 3. lim inf k F (2 k ) = 2; 2k/2 4. where q Q ϑ = 8 3 F (q) = (ϑ + o(1)) Q3/2 log Q, m=1 1 m 2 ϕ(m) =

85 85 Most common group structure Let G(q) = max n,m G(q; m, n). Standards bounds on the class number imply that G(p) = p 1/2+o(1). (1) So it is natural to study G(p) scaled by p 1/2. Experiments with primes p < 500, 000 show that scaling by p 1/2 log p is more natural and the ratio G(p)/p 1/2 log p stabilises in a reasonably narrow strip between roughly 0.1 and 0.2. Open Question 23 Refine (1).

86 x 10 5 For p < 500, 000 the value of G(p) is achieved with m = 1 (i.e., for cyclic point groups). For some primes the same value is also achieved for some pairs (m, n) with m = 2 and never for m 3.

87 87 We also compare G(p) with I(p) = max I(p; N ), N where I(p; N ) = # of distinct isomorphism classes of curves E/IFp with #E(IFp) = N (i.e. I(p; N ) is the size of the isogeny class of N ) x 10 For primes p < 500, 000: G(p)/I(p) = 1 for p = 2, 5, 7, 17, 29, 41, 101, 1009, 1109, 1879, 4289 G(p)/I(p) < 1/2 for p = 37591, , , These extreme values are invisible on the picture...

88 88 Open Question 24 Are these sporadic exceptions or are theree infinitely many such p? Open Question 25 Can we say anything about lim sup p G(p)/I(p) and lim inf p G(p)/I(p). Open Question 26 Explain the presence of several horizontal lines on the picture.

89 89 Clearly, one expects that the value of G(p) is achieved for (m, n) for which t = p + 1 N, where N = mn, is small, so that = t 2 4p is large absolute value which leads to a large value of I(p; N). However this is offset by the fact that for N having many divisors so the value of I(p; N) is split between τ(s t ) values of G(p; m, n). This effect is observed in the numerical results which show that if G(p; m, n) = G(p) then t = p + 1 mn is small but not necessary very small. In particular, most of the time G(p) and I(p) are achieved on different values of t, namely in about 82.2% of the cases within the above range of primes p

90 90 Let T max (p) = {t : t = p + 1 mn, G(p; m, n) = G(p)}, that is, for each p, T max (p) is the set of the traces corresponding to the most popular group structures. #T max (p) # of p < 500, We have #T max (p) = 1 in about 52% of the cases. The set T max (p) is symmetric: T max (p) = T max (p) for primes out of the total number of

91 91 Scaled values t/p1/2, where t Tmax, for primes p < 500, x 10 Question. Explain the behaviour and striucure of Tmax(p)

92 92 Cryptographic Applications Embedding Degree, MOV Attack and Pairing Based Cryptography Alfred Menezes, Tatsuaki Okamoto & Scott Vanstone (1993) MOV constructs an embedding of a fixed cyclic subgroup of order L of E(IF p ) into the multiplicative group IF p k provided L pk 1. Number Field Sieve: discrete logarithm in IF p k can be found in time L p k ( 1/3, (64/9) 1/3 ) where, as usual, L m (α, β) = exp ( (β + o(1))(log m) α (log log m) 1 α). The embedding degree of E(IF q ) with respect to G (of prime order): the smallest k with #G q k 1 Special Case: G = E(IF q ): we call such k simply the embedding degree of E(IF q ).

93 93 If the embedding degree of E(IF p ) = o ( (log p) 2) then the discrete logarithm on E(IF p ) can be solved in subexponential time p o(1). So for standard cryptographic applications we would like to know the the embedding degree is large. On the other hand, for several other cryptographic applications of the Tate or Weil pairing on elliptic one need elliptic curves E with small embedding degree, e.g. k = O(1). So our preferences are different depending on the application. However the requirements do not overlap. We want k to be: at least (log p) 2 to avoid the MOV attack in application in classical elliptic curve cryptography; at most O(1) to avoid the MOV attack in application in pairing based elliptic curve cryptography

94 94 Random Curves over IF p Balasubramanian and Koblitz (1998) For almost all primes p and almost all elliptic curves over IF p of prime cardinality the embedding degree is large. E.g. for a random prime p [x/2, x] and a random curve modulo p of prime cardinality, Pr{embedding degree (log p) 2 } x 1+o(1). Luca and Shparlinski (2004) For all primes p and almost all elliptic curves over IF p of arbitrary cardinality the embedding degree is large: Let K = (log p) O(1). For a randomly chosen curve Pr{embedding degree K} p 1/(4κ+6)+o(1), where κ = log K log 2 p. For K = (log p) 2 the RHS is p 1/14+o(1).

95 95 The proof is based on studying N [p + 1 2p 1/2, p p 1/2 ] with N p k 1, for some k K; Lenstra s bound on the number of curves with E(IF p ) = N. For H h 1 and K 1, we let N(p, K, H, h) be the number of integers N [H h, H + h] with N (p k 1) for some k K. For log H log h log p and log K = O(log 2 p), N(p, K, H, h) h 1 1/(2κ+3)+o(1), where κ = log K log 2 p. Also, similar results about the probability that P (#E(IF p )) p k 1 for k K; #E(IF p ) K k=1 (p k 1).

96 96 Moral A randomly choosen curve over IF p is good for application in classical elliptic curve cryptography; bad for application in pairing based elliptic curve cryptography

97 97 Reductions Modulo a Random Prime Take an ordinary elliptic curve E over Q and consider its reduction modulo a random prime p. For a curve E/Q and real T, K, L > 0, let us define: R E (T ; K, L) = #{p T : #E(IF p ) p 1 0, 2 and E(IF p ) has a subgroup G of prime order l L such that the embedding degree of E(IF q ) with respect to G is at most K}. Cojocaru and Shparlinski (2008) Let T L > 0 and K > 0 be arbitrary real numbers. Then R E (T ; K, L) K 2 T 3/2 L 1. If T L T 1 2 +ε and K T ε/3 for some fixed ε > 0, then R E (T ; K, L) = o(t/ log T ).

98 98 Moral A randomly chosen curve over IF p is good for application in classical elliptic curve cryptography; bad for application in pairing based elliptic curve cryptography

99 99 Considering Random Extensions Take an ordinary elliptic curve E over IF q and consider it over IF q n. Luca and Shparlinski (2006) Subspace Theorem For any δ > 0, there exists a constant c > 0, such that for any sufficiently large X the bound k(q n ) c(log n) 1/6 holds for all positive integers n X except for at most X δ of them.

100 100 Moral A reduction of a curve E over Q modulo a randomly choosen prime p is is not known to be good for application in classical elliptic curve cryptography; bad for application in pairing based elliptic curve cryptography

101 101 Scarcity of Pairing Friendly Fields Supersingular curves give E(IF q ) = q + 1 thus are natural candidates. However, one can also suspect that supersingular curves have some cryptographic weaknesses and thus ask for constructions generating ordinary curves. Let Φ k (X) = k j=0 gcd(j,k)=1 (X exp(2π 1j/k)) be the kth cyclotomic polynomial. E with prime #E(IF q ) = q + 1 t is of embedding degree k q + 1 t Φ k (q) q + 1 t Φ k (t 1).

102 where s is a small square-free positive integer. In this case either s or 4s is the fundamental discriminant of the CM field of E. 102 Typically, such constructions work in two steps: Step 1 Choose a prime l, integers k 2 and t, and a prime power q such that t 2q 1/2, t 0, 1, 2, l q + 1 t, l Φ k (q). (based on black magic or luck). (2) Step 2 Construct an elliptic curve E over IF q with #E(IF q ) = q + 1 t. k should be reasonable small: k = 2, 3, 4, 6, 12, 30, while the ratio log l/ log q should be as large as possible, preferably close to 1. Unfortunately, there is no efficient algorithm for Step 2, except for the case when the t 2 4q has a very small square-free part; that is, when t 2 4q = r 2 s (3)

103 Luca, Jiménez Urroz and Shparlinski (2009) Boxall (2011) Heuristic arguments that the above bound is of right order of magnitude. 103 Let I k (x, y, z) be the number of pairs (q, t) of prime powers q x and integers t such that (2), that is t 2q 1/2, t 0, 1, 2, l q + 1 t, l Φ k (q). is satisfied with some prime l y and (3), that is, t 2 4q = r 2 s is satisfied with some squarefree s z. Thus, I k (x, y, z) is just the total number of isogeny classes of the corresponding elliptic curves. Luca and Shparlinski (2006) Luca, Jiménez Urroz and Shparlinski (2009) I k (x, y, z) ϕ(k) ( xy 1 + x 1/2) z 1/2 log x log log x. If z = x o(1), which is the only practically interesting case anyway, we see that there are very few finite fields suitable for pairing based cryptography.

104 104 Heuristic on MNT curves Atsuko Miyaji, Masaki Nakabayashi and Shunzou Takano 2001 MNT algorithm to produce elliptic curves satisfying the condition (2) with k = 3, 4, 6, and the condition (3) for a given value of s. Luca and Shparlinski 2005 Heuristic estimates on the number of elliptic curves which can be produced by MNT. It seems that they produce only finitely many suitable curves (still this can be enough for practical needs of elliptic curve cryptography).

105 105 Our arguments are based on a combination of the following observations: MNT gives a parametric family of curves whose parameter runs through a solution of a Pell equation u 2 3sv 2 = 8 (for k = 6, and similar for k = 3, 4). Consecutive solutions (u j, v j ) of a Pell equation grow exponentially, as at least s cj and most probably as e cs1/2j for some constant c > 0. The probability of a random integer n to be prime is 1/ log n. MNT curves should satisfy two independent primality conditions (on the field size and on the cardinality of the curve).

106 106 Therefore, the expected total number of MNT curves for every s is bounded, by the order of magnitude, by j=1 or even by 1 (log s cj ) 2 1 log s j=1 1 j 2 1 log s. where j=1 1 (log e cs1/2j ) 2 1 s j=1 1 j 2 1 s. A B A = O(B) Probably the total number of all MNT curves of prime cardinalities (over all finite fields) and of bounded CM discriminant, is bounded by an absolute constant. Apparently the number of all MNT curves of prime cardinalities with CM discriminant up to z, is at most z o(1). Similar heuristic shows that MNT produces sufficiently many curves whose cardinality has a large prime divisor.