Sato-Tate and notions of generality in cryptography, David R. Kohel


  1. Sato-Tate and notions of generality in cryptography. David R. Kohel, Institut de Mathématiques de Luminy. Geocrypt 2011, Corsica, 20 June 2011

  2. Families of curves in cryptography

     We consider $C \to S$ a family of curves, such that each fiber over a closed point $x$ of $S$ is a curve $C/k$, $k = \mathbb{F}_q$. In cryptographic applications we are interested in the properties of $J = \mathrm{Jac}(C)$ as we vary $x$ in $S$.

     Examples. The first examples are elliptic curves.

     1. $E : y^2 = x^3 + ax + b$ over $S$, where $S = \mathrm{Spec}(\mathbb{Z}[a, b, \frac{1}{6ab}]) \subset \mathbb{A}^2/\mathbb{Z}[\frac{1}{6}]$, a family of dimension 3.
     2. $E : y^2 + xy = x^3 + ax^2 + b$ over $S$, where $S = \mathrm{Spec}(\mathbb{F}_2[a, b, \frac{1}{b}]) \subset \mathbb{A}^2/\mathbb{F}_2$, a family of dimension 2.

  3. Examples of cryptographic curve families

     3. $E : y^2 = x^3 + x^2 - 3x + 1$ over $S$, where $S = \mathrm{Spec}(\mathbb{Z}[\frac{1}{2}])$, a CM family with endomorphism ring $\mathbb{Z}[\sqrt{-2}]$, of dimension 1.

     Next we consider families of genus 2 curves.

     4. $C : y^2 = x^5 + 5x^3 + 5x + t$ over $S$, where $S = \mathrm{Spec}(\mathbb{Z}[t, \frac{1}{30(t^2 + 4)}]) \subset \mathbb{A}^1/\mathbb{Z}[\frac{1}{30}]$, a 2-dimensional family with real multiplication by $\mathbb{Z}[(1 + \sqrt{5})/2]$ for which we will present an efficient point-counting algorithm.
     5. $C : y^2 = x^5 + 1$, a one-dimensional CM family over $S = \mathrm{Spec}(\mathbb{Z}[\frac{1}{10}])$.

  4. Notions of generality in cryptography

     We address the question: "What is special about special curves?" The notion of speciality can be separated into the geometric and arithmetic properties.

     Geometric speciality. If $C \to S$ is a family (of genus $g$ curves), what is the induced image $S \to X$ in the moduli space (in $\mathcal{M}_g$)?

     Arithmetic speciality. Here we distinguish the (local) level structure and the (global or geometric) Galois distributions.

     a. What level structure is fixed by the family? Is there an exceptional $N$ such that the Galois representation
        $$\rho_N : \mathrm{Gal}(\bar{\mathbb{Q}}/\mathbb{Q}) \to \mathrm{GL}_{2g}(\mathbb{Z}/N\mathbb{Z})$$
        is smaller than expected?
     b. What is the image of the Galois action on the Tate module?
        $$\rho_\ell : \mathrm{Gal}(\bar{\mathbb{Q}}/\mathbb{Q}) \to \mathrm{Aut}(T_\ell(J)) \cong \mathrm{GL}_{2g}(\mathbb{Z}_\ell).$$

  5. Frobenius angles and normalized traces

     Let $E/\mathbb{Q}$ be an elliptic curve, with discriminant $\Delta$, viewed as a scheme over $S = \mathrm{Spec}(\mathbb{Z}[\frac{1}{\Delta}])$. The Sato–Tate conjecture concerns the distribution of the Frobenius angles at primes $p$.

     For each $p$, let $\pi = \pi_p$ be the Frobenius endomorphism on $\bar{E}/\mathbb{F}_p$ and
     $$\chi(T) = T^2 - a_p T + p$$
     its characteristic polynomial of Frobenius. Set $t_p$ equal to the normalized Frobenius trace
     $$t_p = a_p/\sqrt{p},$$
     and denote by $\theta_p$ in $[0, \pi]$ the Frobenius angle, defined by $t_p = 2\cos(\theta_p)$. We set $\mu_p = e^{i\theta_p}$ (the unit Frobenius), and
     $$\tilde{\chi}(T) = T^2 - t_p T + 1 = (T - \mu_p)(T - \bar{\mu}_p).$$

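  6. Sato–Tate Conjecture

     Sato–Tate Conjecture. Suppose that $E/\mathbb{Q}$ is a non-CM elliptic curve. For $[\alpha, \beta] \subset [0, \pi]$,
     $$\lim_{N \to \infty} \frac{|\{p \le N \mid \alpha \le \theta_p \le \beta\}|}{|\{p \le N\}|} = \int_\alpha^\beta \frac{2\sin^2(\theta)}{\pi}\,d\theta,$$
     or equivalently for $[a, b] \subset [-2, 2]$,
     $$\lim_{N \to \infty} \frac{|\{p \le N \mid a \le t_p \le b\}|}{|\{p \le N\}|} = \int_a^b \frac{\sqrt{4 - t^2}}{2\pi}\,dt.$$

     The analogous distribution for CM elliptic curves is classical:
     $$\lim_{N \to \infty} \frac{|\{p \le N \mid \alpha \le \theta_p \le \beta\}|}{|\{p \le N\}|} = \int_\alpha^\beta \frac{1}{\pi}\,d\theta = \frac{\beta - \alpha}{\pi}.$$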

  7. Sato–Tate distributions

     We call the distributions $\mu(\theta)$ on $[0, \pi]$ and $\mu(t)$ on $[-2, 2]$, defined by
     $$\mu(\theta) = \frac{2\sin^2(\theta)}{\pi}\,d\theta \quad\text{and}\quad \mu(t) = \frac{\sqrt{4 - t^2}}{2\pi}\,dt,$$
     the Sato–Tate distributions for non-CM $E/S$.

     For a CM curve $E/S$, the analogous Sato–Tate distributions are classical:
     $$\mu(\theta) = \frac{1}{2}\left(\frac{d\theta}{\pi} + \delta_{\pi/2}\right) \quad\text{and}\quad \mu(t) = \frac{1}{2}\left(\frac{dt}{\pi\sqrt{4 - t^2}} + \delta_0\right),$$
     where $\delta_x$ is the Dirac distribution. Restricting to the 50% of ordinary primes, we have distributions
     $$\mu_0(\theta) = \frac{d\theta}{\pi} \quad\text{and}\quad \mu_0(t) = \frac{dt}{\pi\sqrt{4 - t^2}}.$$

  8. Sato–Tate plots

     [Figure: density plots for a generic curve (left) and a CM curve (right). Top row, in $\theta$: $\frac{2\sin^2(\theta)}{\pi}\,d\theta$ and $\frac{1}{\pi}\,d\theta$. Bottom row, in $t$: $\frac{\sqrt{4 - t^2}}{2\pi}\,dt$ and $\frac{1}{\pi\sqrt{4 - t^2}}\,dt$.]

  9. Galois representation groups

     Where do these come from? The CM case is easy: the ordinary Frobenius endomorphisms $\pi_p$ lie in a CM field $K$ and their unit normalizations $\mu_p$ in $K \otimes \mathbb{R} \cong \mathbb{R}^2$ are uniformly distributed around the unit circle
     $$\mathrm{SO}(2) = \left\{ \begin{pmatrix} \cos(\theta) & \sin(\theta) \\ -\sin(\theta) & \cos(\theta) \end{pmatrix} \right\} \cong S^1.$$

     The supersingular Frobenius endomorphisms lie in a coset of the normalizer in $\mathrm{USp}(2) = \mathrm{SU}(2)$:
     $$\begin{pmatrix} i & 0 \\ 0 & -i \end{pmatrix} \mathrm{SO}(2) = \left\{ \begin{pmatrix} i\cos(\theta) & i\sin(\theta) \\ i\sin(\theta) & -i\cos(\theta) \end{pmatrix} \right\}.$$

     The ordinary distribution $d\theta/\pi$ arises from the uniform distribution on the unit circle (hence of $\theta \in [0, \pi]$); the supersingular coset has uniform trace zero.

  10. Galois representation groups

      The generic normalized Frobenius representations lie in
      $$\mathrm{USp}(2) = \mathrm{SU}(2) = \left\{ \begin{pmatrix} \alpha & \beta \\ -\bar{\beta} & \bar{\alpha} \end{pmatrix} \;\middle|\; |\alpha|^2 + |\beta|^2 = 1 \right\}.$$
      This group is isomorphic to the unit quaternions:
      $$(\mathbb{H}^*)_1 = \{ a + bi + (c + di)j \mid a^2 + b^2 + c^2 + d^2 = 1 \} \cong S^3$$
      on identifying $\alpha = a + bi$ and $\beta = c + di$.

      The Sato–Tate distribution arises from the Haar measure on $\mathrm{SU}(2)$. Setting
      $$\alpha = a + bi = \cos(\rho)(\cos(\sigma) + i\sin(\sigma)), \qquad \beta = c + di = \sin(\rho)(\cos(\tau) + i\sin(\tau)),$$
      the conjugacy class (on which trace is a class function) is
      $$\begin{pmatrix} \alpha & \beta \\ -\bar{\beta} & \bar{\alpha} \end{pmatrix} \sim \begin{pmatrix} e^{i\theta} & 0 \\ 0 & e^{-i\theta} \end{pmatrix}$$
      with trace $2\cos(\theta) = 2\cos(\rho)\cos(\sigma)$.

  11. Alternative Sato–Tate domains

      Noting that $D = a_p^2 - 4p$ is the discriminant of the ring $\mathbb{Z}[\pi]$, in the case that $E/\mathbb{Q}$ has CM by an order $\mathcal{O}$, we have $D = m^2 D_{\mathcal{O}}$ for some integer $m$. In order to study the distribution of Frobenius discriminants, this motivates setting
      $$u^2 = \frac{D}{p} = t^2 - 4 \quad \left( = \frac{m^2 D_{\mathcal{O}}}{p} \right)$$
      and considering the Frobenius distribution in terms of $u$.

      In the non-CM case, the coordinate $u = \sqrt{D/p}$ measures the distribution of normalized square root discriminants (of $\mathbb{Z}[\pi]$).

      In the CM case, $\sqrt{D_{\mathcal{O}}}$ remains fixed, and $u$ gives information about the normalized conductors $m/\sqrt{p} = [\mathcal{O} : \mathbb{Z}[\pi]]/\sqrt{p}$ at ordinary primes.

  12. Sato–Tate plots

      [Figure: density plots for a generic curve (left) and a CM curve (right). Top row, in $t$: $\frac{\sqrt{4 - t^2}}{2\pi}\,dt$ and $\frac{1}{\pi\sqrt{4 - t^2}}\,dt$. Bottom row, in $u$: $\frac{u^2}{\pi\sqrt{4 - u^2}}\,du$ and $\frac{2}{\pi\sqrt{4 - u^2}}\,du$.]

  13. Refined conjectures: Lang–Trotter

      Let $N$ be a positive integer. For primes $p \le N$ we can ask what proportion of primes have given trace of Frobenius. In particular how many are supersingular?

      If the Sato–Tate distribution converges well in small intervals, then for a non-CM elliptic curve we might expect this proportion to be:
      $$\frac{2}{\pi}\int_0^{1/\sqrt{N}} \sqrt{4 - t^2}\,dt = \frac{2}{\pi}\left[\frac{1}{2}\,t\sqrt{4 - t^2} + 2\tan^{-1}\!\left(\frac{t}{\sqrt{4 - t^2}}\right)\right]_0^{1/\sqrt{N}} = \frac{4}{\pi\sqrt{N}}.$$
      Multiplying by $\pi(N) \sim N/\log(N)$ gives Lang–Trotter (for $a = 0$):

      Conjecture [Lang–Trotter]. Let $E/\mathbb{Q}$ be a non-CM elliptic curve and $a$ a fixed integer. If there are no congruence obstructions, the number of primes $p$ up to $N$ with $a_p = a$ converges to a nonzero constant times $\sqrt{N}/\log(N)$.

  14. Generalized Sato–Tate framework

      Conjecturally, there exists a compact subgroup $H$ of $\mathrm{USp}(2g)$, with connected component $H^0$,
      $$H^0 \lhd H \subseteq \mathrm{USp}(2g),$$
      such that the unit Frobenius elements are equidistributed in $H$.

      Remark. The partition into the cosets in $G = H/H^0$ is explained by the Chebotarev density theorem. In general one has a decomposition
      $$\mu = \frac{|C_0|}{|G|}\mu_0 + \frac{|C_1|}{|G|}\mu_1 + \cdots + \frac{|C_r|}{|G|}\mu_r,$$
      where $C_0, C_1, \ldots, C_r$ are the conjugacy classes of $G$.

      Here we focus on the distribution $\mu = \mu_0$ in the principal coset $H^0$ (a vast simplification), and the case $g = 2$ (see work of Kedlaya & Sutherland). We also simplify (experimentally and theoretically) by averaging over fibres over a base scheme.

  15. Sato–Tate domains

      Let $C/\mathbb{F}_q$ be a curve and $\chi(T)$ its Frobenius characteristic polynomial
      $$\chi(T) = T^{2g} - a_1 T^{2g-1} + \cdots - a_1 q^{g-1} T + q^g,$$
      and define the unit Frobenius characteristic polynomial by
      $$\tilde{\chi}(T) = \frac{\chi(\sqrt{q}\,T)}{q^g} = T^{2g} - s_1 T^{2g-1} + \cdots - s_1 T + 1 = \prod_{j=1}^{g} (T^2 - t_j T + 1).$$
      By the Weil conjectures, the roots $\alpha_j$ of $\chi(T)$ satisfy $|\alpha_j| = \sqrt{q}$, so we write
      $$\mu_j = \frac{\alpha_j}{\sqrt{q}} = e^{i\theta_j}, \quad\text{and}\quad t_j = \mu_j + \bar{\mu}_j = 2\cos(\theta_j),$$
      where $\mu_j \bar{\mu}_j = 1$.

  16. Domains for Sato–Tate distributions

      Rather than defining $s_j$ to be the $j$-th coefficient of $\tilde{\chi}(T)$,
      $$\mathrm{sym}_j(\{\mu_1, \bar{\mu}_1, \ldots, \mu_g, \bar{\mu}_g\}),$$
      we let the $s_j$ be the normalized symmetric products not including any terms (as factors of summands) of the form $\mu_j \bar{\mu}_j$ $(= 1)$. Thus for $g = 2$:
      $$\tilde{\chi}(T) = T^4 - s_1 T^3 + (s_2 + 2) T^2 - s_1 T + 1,$$
      and for $g = 3$:
      $$\tilde{\chi}(T) = T^6 - s_1 T^5 + (s_2 + 3) T^4 - (s_3 + 2 s_1) T^3 + \cdots$$

      A naïve application of the Weil bounds gives bounds on the symmetric sums and $s_j$, equal to their respective number of monomials:
      $$|s_j| \le 2^j \binom{g}{j} \quad\text{vs.}\quad |\mathrm{sym}_j(\{\mu_1, \bar{\mu}_1, \ldots, \mu_g, \bar{\mu}_g\})| \le \binom{2g}{j}.$$
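
Added example (not part of the slides): a Python check of the Frobenius statistics from slides 5 to 7 and 13, run on the CM curve of example 3 and, as an assumed non-CM sample, $y^2 = x^3 + x + 1$. The function names, the sample curve and the prime bound are choices made here; points are counted with a naive $O(p)$ sum, so it only suits small primes.

```python
from math import sqrt

def primes_up_to(n):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i in range(n + 1) if sieve[i]]

def frobenius_trace(a2, a4, a6, p):
    """a_p = p + 1 - #E(F_p) for E: y^2 = x^3 + a2*x^2 + a4*x + a6, p odd."""
    roots = [0] * p                      # roots[v] = number of y with y^2 = v (mod p)
    for y in range(p):
        roots[y * y % p] += 1
    affine = sum(roots[(x * x * x + a2 * x * x + a4 * x + a6) % p] for x in range(p))
    return p + 1 - (affine + 1)          # +1 for the point at infinity

def normalized_traces(a2, a4, a6, bound):
    """Map p -> t_p = a_p / sqrt(p) over odd primes of good reduction up to bound."""
    disc = (a2 * a2 * a4 * a4 - 4 * a4 ** 3 - 4 * a2 ** 3 * a6
            - 27 * a6 * a6 + 18 * a2 * a4 * a6)   # discriminant of the cubic in x
    return {p: frobenius_trace(a2, a4, a6, p) / sqrt(p)
            for p in primes_up_to(bound) if p > 2 and disc % p}

def summary(traces):
    """Fraction of primes with a_p = 0, and the 2nd and 4th moments of t_p."""
    n = len(traces)
    ss = sum(1 for t in traces.values() if t == 0) / n
    m2 = sum(t ** 2 for t in traces.values()) / n
    m4 = sum(t ** 4 for t in traces.values()) / n
    return ss, m2, m4

CM_CURVE = (1, -3, 1)       # slide 3, example 3: y^2 = x^3 + x^2 - 3x + 1, CM by Z[sqrt(-2)]
GENERIC_CURVE = (0, 1, 1)   # assumed sample: y^2 = x^3 + x + 1; j = 6912/31 is not integral, so non-CM

if __name__ == "__main__":
    # Limits under the slide-7 distributions: generic (ss, m2, m4) -> (0, 1, 2); CM -> (1/2, 1, 3).
    for name, curve in (("CM", CM_CURVE), ("generic", GENERIC_CURVE)):
        ss, m2, m4 = summary(normalized_traces(*curve, 3000))
        print(f"{name:8s} a_p=0 fraction={ss:.3f}  E[t^2]={m2:.3f}  E[t^4]={m4:.3f}")
```

The second moment does not separate the two cases; the fourth moment and the fraction of primes with $a_p = 0$ do. For the CM curve the primes with $a_p = 0$ are exactly those inert in $\mathbb{Q}(\sqrt{-2})$, that is $p \equiv 5, 7 \pmod 8$.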
