Computing an ` kernel polynomial from an irreducible factor of

an irreducible factor of

ψ

In this section, we will develop a method to construct an `-kernel polynomial from an irreducible factor ofψ`. More precisely, given such a factorh, we give a

criterion forhto be a factor of an`-kernel polynomialfofEand a construction of f fromh when it exists. We start with the following proposition.

Proposition 3.4.1. LetE be an elliptic curve overK and let f be an `-kernel polynomial ofE. Supposef factorizes over a fieldL⊇K asf =Qn<sub>i=1</sub>fi where each fi is irreducible over L. Then deg(fi)= `₂−_n1 for all i.

Proof. Let x1 be a root of f. Then for any root x2 of f, there exists m ∈ Z

with 1 ≤ m < ` such that rm(x1) = x2. Since E is defined over K, rm is a rational function in x with coefficients in K ⊆ L and hence x2 ∈ L(x1). By

symmetry, the same argument shows that x1 ∈ L(x2). Thus L(x1) = L(x2),

which implies that all the irreducible factors off overLhave the same degree, and the result follows.

Since the multiplication by m map [m] maps a factor of a kernel poly- nomial to another factor of the same kernel polynomial, the above proposition shows that [m] takes an irreducible factor of a kernel polynomial to another irreducible factor of the same kernel polynomial. The following proposition shows how to construct a kernel polynomialf from an irreducible factor off. Proposition 3.4.2. Let E be an elliptic curve over K and let f be an `- kernel polynomial of E. Let h be an irreducible degree d factor of f over a field L ⊇ K. If a is a semi-primitive root modulo `, then f = Qe_i=1τi

a(h) where e= `₂−_d1.

Proof. Let b ∈ _Z be such that ab ≡ 1 (mod `). Note that b is also a semi-primitive root modulo `. By Proposition 3.3.1, we have Qe_i=1τ_ai(h) = Qe

i=1[b]

i_{(h). Moreover by Proposition 3.4.1, f has e irreducible factors of de-} gree d overL. Since [b] takes an irreducible factor off to another irreducible factor of f, it suffices to show that [b]i_{(h) are distinct for eachi= 1, ..., e.}

Suppose [b]i_{(h) = [b]}j_{(h) for some i, j with 1 ≤ i < j ≤ e. Then there} exists an irreducible factor h0 of f such that [b]k(h0) = h0 for some k < e.

This implies thatb does not generate (_Z/`_Z)×/{±1}, which is a contradiction. Therefore [b]i_{(h) are distinct for each i= 1, ..., e and hence f =}Qe

i=1τai(h) as required.

the`-division polynomialψ`. By Proposition 3.4.1, if the degree ofhdoes not divide `−<sub>2</sub>1, then h is not a factor of an `-kernel polynomial of E. Otherwise, the proposition below gives a criterion for whether the given factor is a factor of an`-kernel polynomial of E or not.

Proposition 3.4.3. Let E be an elliptic curve overK. Leth be an irreducible degree d factor of ψ` over a field L ⊇ K such that d divides `−₂1. Let a be a semi-primitive root modulo` and let e= `₂−_d1. Then τ_ae(h) =h if and only if h

is a factor of an `-kernel polynomial of E.

Proof. Supposehis a factor of an`-kernel polynomialf of E. By Proposition 3.4.1, we know that the number of irreducible factors of f over L is e. Since

a is a semi-primitive root modulo `, the polynomials h, τa(h), ..., τae−1(h) are precisely all the distinct irreducible factors off, as in the proof of proposition 3.4.2. Suppose τe

a(h) 6= h. Then there exists an irreducible factor h0 of f

such that [b]k_(h

0) = h0 for some 1 ≤ k < e where ab ≡ 1 (mod `). This is a

contradiction as in the proof of proposition 3.4.2.

Conversely, suppose that τ_ae(h) = h. Since h is a factor of ψ`, we can writeh as h(x) = d Y i=1 (x−xPi)

whereP1, ..., Pd ∈E[`]. Sinceτae(h) =h, we have for any i= 1, ..., d,

[b]e(x−xPi) = (x−xPj),

where b is such that ab ≡ 1 (mod `) and for some j ∈ {1, ..., d} . Next we claim that the set of points{[b]en_(P

1)|n= 1, ..., d}is equal to the set of points

{P1, ..., Pd} in E[`]/{±1}. Suppose it is not true. Then there exists a point

P ∈ {P1, ..., Pd} such that [b]ek(P) = P in E[`]/{±1} for some 1 ≤ k < d. Note that ek < `−₂1. Since b is a semi-primitive root modulo `, [b]n_{(P) 6=}

P in E[`]/{±1} for all 1 ≤ n < `−₂1, which is a contradiction. Therefore {[b]en(P1) | n = 1, ..., d} = {P1, ..., Pd}. It implies that P1, ..., Pd are in the same cyclic subgroup, sayhP1i. Hence h is a factor of an `-kernel polynomial

of E.

role in constructing kernel polynomials. Since the rational functionrm = [m]∗x has degreem2_{, for computation it is best to choose the smallest semi-primitive}

root modulo`. The following lemma gives a criterion for an element of (<sub>Z</sub>/`_Z)× to be a semi-primitive root modulo`.

Lemma 3.4.4. Let a∈(_Z/`_Z)×. Denote the order of a by|a|.

(1) If ` ≡1 (mod 4), then a is a semi-primitive root modulo ` if and only if |a|=`−1.

(2) If ` ≡3 (mod 4), then a is a semi-primitive root modulo ` if and only if |a| ≥ `−1

2 .

Proof. First note that ifa is a semi-primitive root modulo` then clearly|a| ≥ `−1

2 since the order of the group (Z/`Z)

×

/{±1} is `−₂1. Therefore either |a|=

`−1 or `−₂1.

We first prove the statement (1). Suppose |a| = ` −1. Then since a

generates (_Z/`<sub>Z</sub>)×, it also generates (<sub>Z</sub>/`_Z)×/{±1}, i.e., a is a semi-primitive root modulo`.

Conversely, suppose a is a semi-primitive root modulo `. Then either |a|=`−1 or `−<sub>2</sub>1. If |a| =`−1, then we are done. Suppose |a|= `−₂1. Then

ais a square, so the group H ={ai | i= 1,2, ...,`−<sub>2</sub>1}consists of all squares in (<sub>Z</sub>/`_Z)×. Let h∈(_Z/`<sub>Z</sub>)×\H. Then since `≡ 1 (mod 4),−1 is a square in (_Z/`<sub>Z</sub>)× and hence −h 6∈ H. Thus a cannot generate (<sub>Z</sub>/`_Z)×/{±1}, which contradicts the assumption thatais a semi-primitive root modulo`. Therefore |a|=`−1.

Next we prove the statement (2). Suppose a is a semi-primitive root modulo `. Then either |a|=`−1 or `−<sub>2</sub>1, so |a| ≥ `−1

2 .

Conversely, suppose|a| ≥ `−1

2 . If|a|=`−1, then we are done. Suppose

|a| = `−<sub>2</sub>1. Let H = {ai <sub>| i = 1,2, ...,</sub>`−1

2 }. Since ` ≡ 3 (mod 4), −1 is not a

square and so −1 6∈H. It implies that H = (_Z/`<sub>Z</sub>)×/{±1}, i.e., a generates (<sub>Z</sub>/`_Z)×/{±1}. Therefore a is a semi-primitive root modulo `.

For most ` < 200, either 2 or 3 is a semi-primitive root modulo `. In fact, 2 is semi-primitive modulo ` for

but not for

`= 17,31,41,43,73,89,97,109,113,127,137,151,157,193.

It turns out that 2 or 3 is a semi-primitive root modulo ` for all ` < 200 except for`= 41, 73, 97, 109, 151, 157, 193. However, for `= 41, 73, 97, 109, 151, 157, 193, the smallest semi-primitive root modulo ` is 6, 5, 5, 6, 5, 5, 5 respectively.

For ` < 1000, the smallest semi-primitive root modulo ` is ≤ 6 for all except for 9 out of 167 primes, it is≤13 for all but `= 407. For ` = 407, the smallest semi-primitive root is 21. Hence the smallest semi-primitive root is not too big for most small primes.