Frobenius distributions

Frobenius distributions

David Kohel

Institut de Math´ematiques de Luminy

Explicit point counting and cryptography

The original motivation for this talk is to understand the properties of RM curves with a view towards cryptography. For example, in the family considered by Tautz, Top, and Verberkmoes:

C:y² =x⁵−5x³+ 5x+t,

overA¹ = Spec(Q[t]), the fibers have Jacobians with real multiplication byZ[φ] =Z[(1 +√

5)/2]. Moreover, the real endomorphismφis explicitly computable (K. & Smith), and with Gaudry and Smith we developed:

Theorem (Gaudry,K. & Smith)

There exists an algorithm for the point counting problem in a family of genus 2 curves with efficiently computable RM of class number 1, whose complexity is inO((loge q)⁵).

Explicit point counting example

Letq= 2⁵¹²+ 1273 (prime), and consider the curve overFq from the familyC, specialized at (random)

t= 290856663337872724379982611299198017497 745330036809577622325698680737527027201 447147791988284560426970082027081672153 2434975921085316560590832659122351278.

Letπ be the Frobenius endomorphism, and setπ+ ¯π =m+nφ, soa₁ = 2m+nanda₂= (a²₁−n²5)/4 =m²+mn−n², where

χ(t) =x⁴−a₁x³−(a₂+ 2q)x²−a₁qx+q². The values ofm andn for this curve are

m=−337854124520269537701791313386794895966 56475470770107628408426925155470967294, n=−377860207781982563173685700281838428004

73749792142072230993549001035093288492.

Cryptographic notions of generality

We can compute zeta functions as efficiently as for elliptic curves (and even better — unconditionally), but can we in good faith recommend the use of such curves for cryptographic applications?

Q1: In what way is an RM family special?

Q2: Can we characterize the Frobenius characteristic polynomials which arise in this family? How random are they?

First we recall some standard families of interest.

Examples of families of curves

We considerC →S a family of curves, such that each fiber over a closed pointx of S is a curve C/k=Fq.

Examples. Elliptic curves.

1. E:y² =x³+ax+boverS, where S = Spec(Z[a, b, 1

6ab])⊂A²/Z[1 6], a family of dimension 3.

2. E:y²+xy =x³+ax²+boverS, where S = Spec(F2[a, b,1

b])⊂A²/F2, a family of dimension 2.

3. E:y² =x³+x²−3x+ 1overS = Spec(Z[¹₂]),a CM family with endomorphism ringZ[√

−2], of dimension 1.

Examples of families of genus 2

Examples. Genus 2 curves.

4. C:y²=x⁵+a₃x³+a₂x²+a₁x+a₀, over S = Spec(Z[a0, . . . , a3][1

∆])⊂A⁴/Z[1 10], a 5-dimensional family.

5. C:y²=x⁵+ 5x³+ 5x+t, the RM family of Tautz, Top, and Verberkmoes, over

S= Spec(Z[t, 1

10(t²+ 4)])⊂A¹/Z[ 1 10], a 2-dimensional family with real multiplication byZ[(1 +√

5)/2].

6. C:y²=x⁵+ 1, a CM family overS = Spec(Z[1 10]).

Frobenius angles and normalized traces

LetE/Qbe an elliptic curve, with discriminant ∆, viewed as a scheme overS= Spec(Z[_∆¹]). The Sato–Tate conjecture concerns the distribution of the Frobeniusanglesat primes p.

For eachp, letπ =πp be the Frobenius endomorphism onE/F¯ p

and

χ(T) =T²−a_pT+p

its characteristic polynomial of Frobenius. Sett_p equal to the normalized Frobenius trace

t_p =a_p/√ p,

and denote byθ_p in [0, π]the Frobenius angle, defined by t_p = 2 cos(θ_p). We setµ_p =e^iθp (the unit Frobenius), and

χ(Te ) =T²−t_pT+ 1 = (T−µ_p)(T −µ¯_p).

Sato–Tate Conjecture

Sato–Tate Conjecture. Suppose that E/Qis a non-CM elliptic curve. For[α, β]⊂[0, π],

Nlim→∞

|{p≤N |α≤θp ≤β}|

|{p≤N}| = Z _β

α

2 sin²(θ) π dθ,

or equivalently for[a, b]⊂[−2,2],

N→∞lim

|{p≤N |a≤tp ≤b}|

|{p≤N}| = Z b

a

√ 4−t²

2π dt.

The analogous distributions forCM elliptic curvesis classical:

N→∞lim

|{p≤N |α≤θp ≤β}|

|{p≤N}| = 1 π

Z _β

α

dθ = β−α π ·

Sato–Tate distributions

We call the distributionsµ(θ) on[0, π]andµ(t) and[−2,2], defined by

µ(θ) = 2 sin²(θ)

π dθ and µ(t) =

√ 4−t²

2π dt, theSato–Tate distributionsfor non-CM E/S.

For a CM curveE/S, the analogous Sato–Tate distributions are classical:

µ(θ) = 1 2

dθ π +δ_π/2

and µ(t) = 1 2

dt π√

4−t² +δ0

, whereδ_x is the Dirac distribution. Restricting to the 50%of ordinary primes, we have distributions

µ₀(θ) = dθ

π and µ₀(t) = dt π√

4−t²·

Sato–Tate plots

Generic curve CM curve

2 sin²(θ)

π dθ 1

πdθ

0.5 1 1.5 2 2.5 3

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8

0.5 1 1.5 2 2.5 3

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8

√4−t²

2π dt 1

π√ 4−t²dt

-2 -1 1 2

0.2 0.4 0.6 0.8 1

-2 -1 1 2

0.2 0.4 0.6 0.8 1

Galois representation groups

Where do these come from?

The CM case is easy: the ordinary Frobenius endomorphismsπ_p lie in a CM fieldK and their unit normalizations µ_p in K⊗R∼=R² are uniformly distributed around the unit circle

SO(2) =

cos(θ) sin(θ)

−sin(θ) cos(θ)

∼=S¹.

The supersingular Frobenius endomorphisms lie in a coset of the normalizer inUSp(2) = SU(2):

SO(2) i 0

0−i

=

icos(θ) isin(θ) isin(θ)−icos(θ)

·

The ordinary distributiondθ/π arises from the uniform distribution on the unit circle (hence ofθ∈[0, π]); the supersingular coset has uniform trace zero.

Galois representation groups

The generic normalized Frobenius representations lie in USp(2) = SU(2) =

α β

−β¯ α¯

|α|²+|β|²= 1

· This group is isomorphic to the unit quaternions:

(H^∗)¹ ={a+bi+ (c+di)j|a²+b²+c²+d² = 1} ∼=S³ on identifyingα=a+biandβ =c+di. The Sato–Tate distribution arises from the Haar measure onSU(2). Setting

α=a+bi= cos(ρ)(cos(σ) +isin(σ)), β =c+di= sin(ρ)(cos(τ) +isin(τ)), the conjugacy class (on which trace is a class function) is

α β

−β¯ α¯

∼

e^iθ 0 0 e^−iθ

with trace2 cos(θ) = 2 cos(ρ) cos(σ).

Generalized Sato–Tate framework

Conjecturally, there exists a compact subgroupH ofUSp(2g), with connected componentH₀,

H0/ H ⊆USp(2g),

such that the unit Frobenius elements are equidistributed inH.

Remark. The partition into the cosets inG=H/H₀ is explained by the Chebotarev density theorem. In general one has a

decomposition

µ= |C₀|

|G|µ₀+ |C₁|

|G|µ₁+· · ·|C_r|

|G|µ_r, whereC₀, C₁, . . . C_r are the conjugacy classes ofG.

Here we focus on the distributionµ=µ0 in the principle coset H0

(a vast simplification), and the caseg= 2 (see work of Kedlaya &

Sutherland). We also simplify (experimentally and theoretically) by averaging over fibres over a base scheme.

Sato–Tate domains

LetC/Fq be a curve and χ(T) its Frobenius characteristic polynomial

χ(T) =T^2g−a1T^2g−1+· · · −a1q^g−1T +q^g. and define the unit Frobenius characteristic polynomial by

χ(Te ) = χ(√ qT)

q^g =T^2g−s1T^2g−1+· · · −s1T + 1

=

g

Y

j=1

(T²−t_jT + 1).

By the Weil conjectures, the rootsαj of χ(T) satisfy|α_j|=√ q, so we writeµ_j = ^√αj_q =e^iθj, andt_j =µ_j + ¯µ_j = 2 cos(θ_j).

Domains for Sato–Tate distributions

Rather than definings_j to be the j-th coefficient of χ(T), we lete thesj be the normalized symmetric products of the ti. These are the coefficients of thereal Weil polynomial.

η(Te ) =

g

Y

i=1

(T−ti) =T^g−s1T^g−1+· · ·+ (−1)^gsg. Thusχ(Te ) =T^gη((Te ²+ 1)/T), and in particular

χ(Te ) =T⁴−s₁T³+ (s₂+ 2)T²−s₁T + 1, and forg= 3:

χ(Te ) =T⁶−s1T⁵+ (s2+ 3)T⁴−(s3+ 2s1)T³+· · · A na¨ıve application of the Weil bounds gives bounds on the symmetric sums andsj, equal to their respective number of monomials:

|s_j| ≤2^j g

j

·

Weyl integration formula

The higher dimensional Frobenius distributions for generic curves or abelian varieties are expected to follow the distribution forUSp_2g. OnXg = [0, π]^g this is given by the Weyl integration formula:

µ_g(θ₁, . . . , θ_g) = 1 g!



 Y

j<k

(2 cosθ_j −2 cosθ_k)





2 g

Y

j=1

2 sin²θj

π dθ_j.

After the change of variables,tj = 2 cosθj, this gives the distribution on the spaceI_g = [−2,2]^g:

µ_g(t₁, . . . , t_g) = 1 g!



 Y

j<k

(t_j −t_k)





2 g

Y

j=1

q 4−t²_j

2π dt_j.

Weyl distributions

In order to descend to the symmetric sums(s₁, . . . , s_g), we apply:

Lemma



 Y

j<k

(tj−tk)



dt1dt2. . . dtg =ds1ds2. . . dsg. to obtain the distribution:

µg(s1, . . . , sg) =

√D₀D₁

(2π)^g ds1. . . dsg. whereD₀ =Q

j<k(t_j −t_k)²= disc(ηe_g(x)), and D1 =Y

j

(4−t²_j) =Y

j

(2+tj)Y

j

(2−t_j) = (−1)^gη(−2)e η(2) =e D₁⁺D⁻₁.

Weyl distributions

We deduce the following distributions forUSp(2g) and the productsSU(2)^g andSO(2)^g:

G(g) µ_g(θ₁, . . . , θ_g)

USp(2g) 1 g!



 Y

j<k

(2 cosθj−2 cosθk)





2 g

Y

j=1

2 sin²θ_j π dθj

SU(2)^g

g

Y

j=1

2 sin²θj

π dθj

SO(2)^g

g

Y

j=1

1 πdθj

Weyl distributions

In terms of(s1, . . . , sg) these give the following distributions G(g) µg(s1, . . . , sg)

USp(2g)

√D₀D₁

(2π)^g ds₁. . . ds_g SU(2)^g g!√

D₁ (2π)^g√

D0

ds1. . . dsg

SO(2)^g g!

π^g√

D₀D₁ ds₁. . . ds_g

corresponding to the expected generic, RM, and CM distributions.

Domains for Sato–Tate distributions

Generic: H₀ =H = USp(4)

µ0= 8(cos(θ1)−cos(θ2))²sin²(θ1) sin²(θ2)

π² dθ1dθ2

RM: H₀ = SU(2)² µ₀ = 4 sin²(θ₁) sin²(θ₂) π² dθ₁dθ₂ CM: H₀ = SO(2)² µ₀ = dθ₁dθ₂

π²

These induced well-defined distributions in terms of the spaces (s1, s2),

(s1, D0 =s²₁−4s2), (s₁,p

s²₁−4s₂) graphical representations follow . . .

Experimental Sato–Tate: generic family

Generic:

Experimental Sato–Tate: RM family

RM:

Experimental Sato–Tate: CM family

CM:

Conjectural Sato–Tate distributions

What are these distributions?

Note: the real and relative unit discriminants are:

D0=s²₁−4s2 andD1= (4−s1+s2)(4 +s1+s2).

Generic: (up to constant scalars) q

(s²₁−4s2)(4−s1+s2)(4 +s1+s2)ds1ds2

RM: p

(4−s₁+s₂)(4 +s₁+s₂)ds₁ds₂ p(s²₁−4s₂)

CM: ds1ds2

p(s²₁−4s₂)(4−s₁+s₂)(4 +s₁+s₂)