CHAPTER VIII Weil Descent Attacks
VIII.2. THE GHS ATTACK
Table VIII.1. Cardinalities of $S_{m_\gamma, m_\beta}$ for $n$ Odd Prime

  $m_\gamma$   $m_\beta$      $\alpha$      $g_{C_0}$    $\approx \#S_{m_\gamma, m_\beta}$
  $h_i$        $h_i$          $0$           $2^d - 1$    $\min\{q^n, s q^{2d-1}/2\}$†
  $t-1$        $h_i$          $0, \omega$   $2^d - 1$    $2 s q^d$
  $t-1$        $(t-1)h_i$     $0, \omega$   $2^d$        $2 s q^{d+1}$
Lemma VIII.11. Assume $h = t^{r_1} + t^{r_2} + 1$ with $r_1 > r_2 > 0$, $\gcd\{r_2, n\} = 1$ and $m_b \nmid h$. Then there are no or precisely $2(q-1)$ pairs $(\gamma, \beta) \in K^2$ such that $b = \gamma\beta$ and $m_\gamma = m_\beta = h$.
Proof. Assume that $b = \gamma\beta$ and $m_\gamma = m_\beta = h$. Then $\gamma \neq 0$ and $\beta \neq 0$ since $b \neq 0$, and consequently
$$\gamma^{q^{r_1}-1} + \gamma^{q^{r_2}-1} + 1 = 0, \qquad b^{q^{r_1}-1} + b^{q^{r_2}-1}\,\gamma^{q^{r_1}-q^{r_2}} + \gamma^{q^{r_1}-1} = 0.$$
Define $\rho = \gamma^{q^{r_2}-1}$. The first equation implies
$$\gamma^{q^{r_1}-1} = \rho + 1, \qquad \text{(VIII.3)}$$
$$\gamma^{q^{r_1}-q^{r_2}} = (\rho + 1)/\rho.$$
Substituting this into the second equation yields $b^{q^{r_1}-1} + b^{q^{r_2}-1}(\rho+1)/\rho + \rho + 1 = 0$, and then
$$\rho^2 + \bigl(b^{q^{r_1}-1} + b^{q^{r_2}-1} + 1\bigr)\rho + b^{q^{r_2}-1} = 0. \qquad \text{(VIII.4)}$$
Conversely, any solution $\rho, \gamma, \beta$ of (VIII.4), (VIII.3), $\gamma^{q^{r_2}-1} = \rho$ and $\beta = b/\gamma$ satisfies $m_\gamma = m_\beta = h$ because $b \neq 0$.
Since $m_b \nmid h$ we have that $\gamma/\beta \notin k$. There are thus at least $2(q-1)$ pairwise distinct solutions of the form $(\lambda\gamma, \lambda^{-1}\beta)$ and $(\lambda\beta, \lambda^{-1}\gamma)$ with $\lambda \in k^\times$. On the other hand, there are at most two possibilities for $\rho$ and at most $q-1$ possibilities for $\gamma$ for each $\rho$, resulting in at most $2(q-1)$ solutions. Namely, for any two solutions $\gamma_1, \gamma_2$ with $\gamma_i^{q^{r_2}-1} = \rho$ we have that $(\gamma_1/\gamma_2)^{q^{r_2}-1} = 1$ and hence $\gamma_1/\gamma_2 \in \mathbb{F}_{q^{r_2}} \cap \mathbb{F}_{q^n}^\times = \mathbb{F}_q^\times$ since $r_2$ and $n$ are coprime.
Given $b$ and $h$ as in the lemma, $\gamma$ and $\beta$ can be computed efficiently as follows, using Lagrange's resolvent [210, p. 289]:
1. Solve for $\rho$ such that $\rho^2 + (b^{q^{r_1}-1} + b^{q^{r_2}-1} + 1)\rho + b^{q^{r_2}-1} = 0$.
2. Compute $\theta$ such that
$$\gamma = \theta + \rho^{-1}\theta^{q_2} + \rho^{-1-q_2}\theta^{q_2^2} + \cdots + \rho^{-1-q_2-\cdots-q_2^{n-2}}\theta^{q_2^{n-1}} \neq 0,$$
where $q_2 = q^{r_2}$. This can be achieved by linear algebra over $k$.
3. Compute $\beta = b/\gamma$.
If $N_{K/k}(\rho) \neq 1$ in step 1 or if $\gamma$ does not satisfy (VIII.3) in step 2, then there are no solutions $\gamma, \beta$ with $m_\gamma = m_\beta = h$.
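The three-step recipe above and the count of Lemma VIII.11, run on the smallest instance as an added example (this is not code from the book): $q = 4$, $n = 3$, $h = t^2 + t + 1$ (so $r_1 = 2$, $r_2 = 1$), with $K = \mathbb{F}_{64}$ modelled as $\mathbb{F}_2[x]/(x^6 + x + 1)$; all function names are mine. It goes a little beyond the text by running the recipe for every $b$ with $m_b \nmid h$ and comparing the output with an exhaustive search, which also exhibits the "no or precisely $2(q-1)$" dichotomy.

```python
MOD = 0b1000011                  # K = F_64 = F_2[x]/(x^6 + x + 1), elements as 6-bit ints
Q, N, R1, R2 = 4, 3, 2, 1        # k = F_4, n = 3, h = t^2 + t + 1 = t^R1 + t^R2 + 1
Q2 = Q ** R2                     # q_2 = q^{r_2} of step 2

def mul(a, b):                   # multiplication in K
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (MOD if a & 0x20 else 0), b >> 1
    return r

def pw(a, e):                    # a^e by square-and-multiply
    r = 1
    while e:
        r, a, e = (mul(r, a) if e & 1 else r), mul(a, a), e >> 1
    return r

inv = lambda a: pw(a, 62)        # a^(64-2) = 1/a for a != 0
UNITS = range(1, 64)                              # K^x
KX = [x for x in UNITS if pw(x, Q) == x]          # k^x: elements fixed by x -> x^q

def h_sigma(x):                  # h(sigma)(x) = x^{q^r1} + x^{q^r2} + x; zero iff m_x | h
    return pw(x, Q ** R1) ^ pw(x, Q ** R2) ^ x

def hilbert90(rho):              # step 2: nonzero gamma with gamma^{q2-1} = rho (Lagrange resolvent)
    for theta in UNITS:
        gamma, coef = 0, 1       # coef runs through rho^{-(1+q2+...+q2^{i-1})}
        for i in range(N):
            gamma ^= mul(coef, pw(theta, Q2 ** i))
            coef = mul(coef, pw(inv(rho), Q2 ** i))
        if gamma:
            return gamma

def resolvent_pairs(b):          # steps 1-3 for a b with m_b not dividing h
    B = pw(b, Q ** R1 - 1) ^ pw(b, Q ** R2 - 1) ^ 1
    C = pw(b, Q ** R2 - 1)
    pairs = set()
    for rho in UNITS:            # step 1: roots of (VIII.4); K is small enough to test all
        if mul(rho, rho) ^ mul(B, rho) ^ C or pw(rho, (Q ** N - 1) // (Q - 1)) != 1:
            continue             # not a root, or N_{K/k}(rho) != 1
        gamma = hilbert90(rho)
        if pw(gamma, Q ** R1 - 1) != rho ^ 1:   # gamma violates (VIII.3): no solutions
            continue
        for lam in KX:           # step 3, with the k^x scalings from the proof
            g = mul(lam, gamma)
            pairs.add((g, mul(b, inv(g))))
    return pairs

def brute_pairs(b):              # ground truth: exhaustive search over gamma in K^x
    return {(g, mul(b, inv(g))) for g in UNITS
            if h_sigma(g) == 0 and h_sigma(mul(b, inv(g))) == 0}
```

Here $h$ is irreducible over $\mathbb{F}_2$, so `h_sigma(x) == 0` with `x != 0` is the same as $m_x = h$; for a reducible $h$ one would have to test the minimal polynomial itself.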
Example 5: Consider $n = 7$. Then $t^n - 1 = (t-1)(t^3+t+1)(t^3+t^2+1)$, $d = 3$ and $s = 2$. Using the first row of Table VIII.1 we see that a proportion of about $q^{-2}$ of all elliptic curves over $\mathbb{F}_{q^7}$ with $\alpha = 0$ leads to $g_{C_0} = 7$.
In Lemmas VIII.9 and VIII.11 we have discussed the decomposition $b = \gamma\beta$ and how to check $E_{a,b} \in S_{m_1,m_2}$ in some special cases. A simple method, and currently the only known one, for doing this in full generality is to take all $\gamma \in B_{m_1}$ and to test whether $m_{b/\gamma} = m_2$. Of course, for any $\gamma$ we do not need to check $\lambda\gamma$ with $\lambda \in k^\times$.
VIII.2.6. Further Details. In this section we present some details on the Artin–Schreier construction of Theorem VIII.1 and provide the parts of the proof of Theorem VIII.1 which have not appeared in the literature.
We let $p$ denote an arbitrary prime for the moment, abbreviate $F = K(x)$ and let $f \in F$ be a rational function. A simple Artin–Schreier extension, denoted by $E_f$, is given by adjoining to $F$ a root of the polynomial $y^p - y - f \in F[y]$. Examples of such extensions are the function fields of elliptic curves in characteristics two and three.
The Artin–Schreier operator is denoted by $\wp(y) = y^p - y$. We then also write $F(\wp^{-1}(f))$ for $E_f$ and $\wp(F) = \{f^p - f : f \in F\}$. More generally, Theorem VIII.1 uses the following construction and theorem, which is a special version of [260, p. 279, Theorem 3.3]:
Theorem VIII.12. Let $\bar F$ be a fixed separable closure of $F$. For every additive subgroup $\Delta \le F$ with $\wp(F) \subseteq \Delta \subseteq F$ there is a field $C = F(\wp^{-1}(\Delta))$ with $F \subseteq C \subseteq \bar F$, obtained by adjoining to $F$ all roots in $\bar F$ of all polynomials $y^p - y - d$ with $d \in \Delta$. Given this, the map
$$\Delta \mapsto C = F(\wp^{-1}(\Delta))$$
defines a one-to-one correspondence between such additive subgroups $\Delta$ and abelian extensions $C/F$ in $\bar F$ of exponent $p$.
For our purposes this construction is only applied for very special $\Delta$, which will be introduced in a moment. As in Section VIII.1.2, by a Frobenius automorphism with respect to $K/k$ of a function field over $K$ we mean an automorphism of order $n = [K : k]$ of that function field which extends the Frobenius automorphism of $K/k$. Raising the coefficients of a rational function in $F = K(x)$ to the $q$th power yields, for example, a Frobenius automorphism of $F$ with respect to $K/k$, which we denote by $\sigma$.
For $f \in F$ we define
$$\Delta_f := \Bigl\{\, d^p - d + \sum_{i=0}^{n-1} \lambda_i \sigma^i(f) \;:\; d \in F \text{ and } \lambda_i \in \mathbb{F}_p \Bigr\}.$$
This is the subgroup of the additive group of $F$ which is generated by $f$ and its conjugates $\sigma^i(f)$ and contains $\wp(F)$. Also, let $m_f =$
m