Say I want to find an endomorphism of an ordinary elliptic curve $E$ with kernel size of a prime $l$ that divides the cardinality of $E$. Is this possible in its endomorphism ring and what is the proof?
Asked
Active
Viewed 357 times
3
-
2What do you mean by “the cardinality of $E$” ? – Lubin Aug 07 '19 at 04:20
-
1I presume you are dealing with an elliptic curve $E$ over the finite field $\Bbb F_q$ and have a prime $l$ dividing $|E(\Bbb F_q)|$. Also you are assuming $E$ ordinary, so its endomorphism ring is $R=\Bbb Z[\alpha]$ where $\alpha$ is an imaginary quadratic integer. The problem I see is that $R$ need not have unique factorisation, and so may have an ideal of norm $l$ which isn't principal. – Angina Seng Aug 07 '19 at 05:06
-
1@Lord Shark the Unknown How then should I limit my choice of $E$ such that $R$ will have a unique factorization? What is the case for supersingular elliptic curves? – edlothia Aug 07 '19 at 07:00
-
1But, @LordSharktheUnknown, isn’t it worse than that? Unique factorization or not, if $\ell$ is a prime that doesn’t split, surely there will be no endomorphism with kernel of order $\ell$. Or am I at my usual level of misunderstanding? – Lubin Aug 07 '19 at 13:40
1 Answers
3
Let $E$ be an ordinary elliptic curve defined over a finite field $\mathbb{F}_q$. An endomorphism of degree $\ell$ is exactly an element of $\operatorname{End}(E)$ of norm $\ell$, so an endomorphism of degree $\ell$ exists if and only if there exists an element in $\operatorname{End}(E)$ of norm $\ell$. (EDIT #1: Your question was about kernels of size $\ell$, which is usually, but not always, equivalent to isogenies of degree $\ell$. The exception is if the isogeny is inseparable. So we assume that you are looking for separable endomorphisms.)
Of course, a necessary condition for the existence of an element of norm $\ell$ is the existence of a prime ideal of norm $\ell$. This part is easy: A prime ideal of norm $\ell$ exists in $\operatorname{End}(E)$ if and only if $\operatorname{disc}(\operatorname{End}(E))$ is zero or a quadratic residue mod $\ell$.
Unfortunately, the above necessary condition is not sufficient. For the rest of this answer I will assume that we are in the fairly common case where $\operatorname{End}(E) \cong \mathbb{Z}[\sqrt{-D}]$ and $D$ is not zero mod $\ell$. (If you want to understand the other cases, you had better understand this case first; it's easier.) From the definition of norm, we know that $\ell$ is the norm of an element in $\operatorname{End}(E)$ if and only if $\ell$ is a prime of the form $x^2 + Dy^2$. An entire graduate textbook has literally been written on this exact topic (Primes of the form $x^2+ny^2$, by David Cox), so one should not expect any easy answers here. The eventual classification theorem proved in that book (Theorem 9.2) states that $\ell$ is of the form $x^2+Dy^2$ if and only if the following two things both hold:
- $-D$ is a quadratic residue modulo $\ell$, and
- The Hilbert class polynomial $H_{-4D}(X)$ of $\operatorname{End}(E)$ has a root mod $\ell$.
That's just the existence question. We haven't even gotten to computation! Fortunately, if you understand all of the above theory, the computation part is relatively easy.
- Solve the equation $\ell = x^2 + Dy^2$ for integers $x$ and $y$, using Cornacchia's algorithm.
- Use Stark's algorithm to find the endomorphism $\phi$ corresponding to $\sqrt{-D}$.
In the easy and fairly common case where $\sqrt{-D} = \pi_q$ ($q$-th power Frobenius map), you don't have to do anything here, since you already know how $\pi_q$ acts on $E$; you can just set $\phi = \pi_q$.EDIT #2: The previous sentence doesn't actually happen. What actually happens frequently is $\operatorname{End}(E) \cong \mathbb{Z}[\pi_q]$, in which case we have $\pi_q = (t + \sqrt{-D})/2$ by the characteristic equation of Frobenius. One can then easily solve for $\sqrt{-D}$ in terms of $\pi_q$ and the trace of Frobenius. - Now $x+y\phi$ and $x-y\phi$ are endomorphisms of $E$ of degree $\ell$. Done.
djao
- 1,119
-
An element of norm $\ell$ exists if and only if a principal ideal of norm $\ell$ exists: If $\alpha$ has norm $\ell$ then $(\alpha)$ has norm $\ell$, and vice-versa. – djao Aug 08 '19 at 05:28
-
I mentioned near the beginning of my third paragraph that I am assuming the endomorphism ring is $\mathbb{Z}[\sqrt{D}]$. Of course it could be something else as you said, but the second case doesn't require subsantially more theory than the first case; it's just the same theory with different numbers. – djao Aug 08 '19 at 05:34
-
You mean a principal ideal of norm $\ell$ (if the ideal is not principal then it is an isogeny, not an endomorphism). Also the endomorphism ring might be $O=Z[\frac{1+ \sqrt{-D}}{2}]$ or $O=Z[n \sqrt{-D}]$ in which case (class field theory, elliptic curves with complex multiplication) it is about $Frob_{\ell,F/Q(\sqrt{-D})}$ where $F$ is the ring class field corresponding to $O$ – reuns Aug 08 '19 at 05:34
-
Uh, can you stop editing your comment constantly? It's difficult to reply to a moving target. What I said (element of norm $\ell$) is equivalent to what you said (principal ideal of norm $\ell$), so I don't know why you're "correcting" me from one to the other thing. Both of your comments about endomorphism ring are anticipated by my third paragraph; I am assuming even discriminant and no funniness with conductors. I make and made no claims that I cover every case. – djao Aug 08 '19 at 05:37
-
-
Search for "Stark's algorithm" in https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch25.pdf. The original reference is H.M. Stark, "Class-Numbers of Complex Quadratic Fields" https://doi.org/10.1007/978-3-540-38509-7_5 Lecture Notes in Mathematics vol. 320 pp. 153-174. – djao Aug 27 '21 at 03:23