GENERALIZED DIVISION POLYNOMIALS
TAKAKAZU SATOH
Abstract
LetEbe an elliptic curve with complex multiplication by the ringOFof integers of an imaginary quadratic fieldF. We give an explicit condition onα∈OFso that there exists a rational function ψαsatisfying divψα=
P∈Ker[α][P]−NF/Q(α)[O] where [α] is the multiplication byαmap.
We give an algorithm to computeψαbased on recurrence formulas among these functions. We prove that the time complexity of this algorithm isO(NF/Q(α)2+ε)bit operations under an FFT based multiplication algorithm asNF/Q(α)tends to infinity for the fixedE.
1. Introduction
Letkbe a perfect field. It is known that for an elliptic curveE/kandn∈N there exists a rational functionψn onEsatisfying div(ψn)=
P∈E[n][P]− n2[O], whereO is the point at infinity. See e.g. Silverman[10, Exercise 3.7]
for char(k)=2, 3, Koblitz[7] for char(k)=2. IfEis given by the Weierstrass model, such functions are polynomials of coordinate functions and they are called division polynomials.
Now letE : Y2 = X3+aX+bbe an elliptic curve admitting complex multiplications by the ringOF of integers of an imaginary quadratic fieldF wherea and bare algebraic integers. Put K := F (a, b). In this paper, we generalize division polynomials for someα ∈OF −Z. Our goal is to give a deterministic algorithm to compute generalized division polynomials and to estimate its bit complexities. More specifically, in Corollary 2.6, we prove that a rational functionψαonEsatisfying div(ψα)=
P∈Ker[α][P]−NF/Q(α)[O] exists if and only if eitherNF/Q(α)is an odd integer or 2|α(inOF). We call such an element ofOF unbiased. Then, with a suitable normalization, we derive the relation
(1.1) ψβ2ψα+γψα−γ −ψα2ψβ+γψβ−γ =ψα+βψα−βψγ2
forα, β, γ ∈OF provided all indexes appearing in (1.1) are unbiased (Corol- lary 3.7). Choosingγ carefully, we obtain recurrence formulas which gives an efficient algorithm to compute generalized division polynomials. Since our
Received February 14, 2003.
generalized polynomials only exist for unbiased elements inOF, it is important to construct recurrence formulas with unbiased elements. In Corollary 4.3, we prove thatψαis a polynomial of coordinate functions with coefficients inOK, the ring of integers ofK. Chooseω ∈ OF satisfyingOF = Z+ωZ. (Later in (2.2), we specifyω explicitly.) Definen+mω := max(|n|,|m|). Note NF/Q(α)=O(α2). Using integrality ofψα, we can estimate the growth rate of the coefficients ofψα to beO(α2logα)in Theorem 6.4. Combining these results, we obtain, as our main result, an estimate for the time complexity (measured by the number of bit operations) to computeψα:
Theorem. Let µ be a constant such that the number of bit operations used for multiplication of twonbit integers isO(nµ). Assume thatα∈OF is unbiased. Then, we can computeψα withO((α4logα)µ)bit operations.
In order to avoid technical difficulties, we limit ourselves to the case where End(E)is the maximal order ofF. Under this restriction, End(E)is a Dedekind domain and, in particular, every non-zero ideal has a prime ideal decomposi- tion.
Generalized division polynomials are closely related to the problem of find- ing the explicit form of complex multiplications. Stark[12] obtained the follow- ing algorithm to compute explicit complex multiplication. Let℘be the Wei- erstrass℘-function associated toE. For a givenα ∈OF, his algorithm finds polynomialsu,vwith coefficients inKsuch that℘ (αz)=u(℘ (z))/v(℘ (z)) by the continued fraction approximation. Fromv, it is possible (in theory) to obtainψα. (For example,vis a constant multiple ofψα2ifNF/Q(α)is odd.) Al- though the growth rate of the number of arithmetic operations inKto obtainv is of polynomial order w.r.t.NF/Q(α), the time complexity w.r.t. bit operations is not known. Straightforward implementation suggests that its space com- plexity grows exponentially asNF/Q(α)tends to the infinity. Hence, Stark’s algorithm is infeasible in practice.
A better method is to perform Stark’s algorithm once forω. Assume that α := m+nω ∈ OF is given. Since the mtimes map and the ntimes map are expressed in terms of ordinal division polynomials, we obtain an explicit formula for complex multiplication byα. This is what was done by Abel [1] for the caseOF = Z[√
−1 ]. (Of course, no computational complexity analysis is given in this 19th century paper.) This method performs several arithmetic operations overK(X)whose time complexities w.r.t. bit operations are difficult to estimate because they involve greatest common divisor computations over K[X].
Although our main interest is an efficient algorithm to compute generalized division polynomials, some topics related to (1.1) have independent interests.
Durst [5] obtained (1.1) in the case whereγ in (1.1) is restricted to be a unit
and whereEis of the formY2 = X3+b. Chudnovsky and Chudnovsky [4]
mentioned this relation in the context of elliptic curve primality and factoriz- ation tests, but no further relation than Durst [5] is given. As to integrality, in case that the class number ofF :=Q(√
−d )is one and thatd≥7, Joux and Morain [6, §2] proved thatd1ψ√−d(Hdin their notation) is a polynomial of the X-coordinate function with coefficients inZ. This is better than Corollary 4.3 by a factor ofd. It is an open problem that for whichF orαa similar property holds. As to the space complexity, we note that McKee [8] gave a slightly better estimate than ours for ordinal division polynomials.
The rest of this paper is organized as follows. After giving some notation, we introduce the notion of unbiasedness in Section 2 and prove some basic properties. In Section 3, generalized division polynomials are defined and we prove the recurrence formula (1.1). Section 4 is devoted to the proof of the integrality of generalized division polynomials. Section 5, which is of different nature from the preceding sections, considers the space complexity on arithmetic operations onOK. Finally in Section 6, we prove our main result Theorem 6.6.
Notation. LetEbe an elliptic curve given by (1.2) Y2=X3+aX+b
with algebraic integersaandb. TheX-coordinate function andY-coordinate function are denoted by ξ andη, respectively. The point at infinity ofE is denoted byO. We useτ := −ξ/ηas a local parameter atO unless otherwise noted. Throughout this paper, we assumeEadmits complex multiplication by the ringOF of integers of an imaginary quadratic fieldF. PutK:=F (a, b). Forα ∈ OF, there is a unique endomorphism [α] ∈ End(E) satisfyingτ ◦ [α]=ατ+O(τ2). The map [·] is a ring isomorphism (see e.g. Silverman[11, Prop. II.1.1]). For an idealᑾofOF, we put
E[ᑾ] := {P ∈E: [α]P =O for all α ∈ᑾ}.
It is proven in Silverman[11, Prop. II.1.4] thatE[ᑾ] is a freeOF/ᑾmodule of rank 1. In particular, #E[ᑾ] = N(ᑾ)whereN(·)is the norm of an ideal.
By a prime ideal, we mean a non-zero prime ideal. The principal ideal ofOF
generated byα ∈ OF is denoted byαF. For simplicity, we writeE[αF] asE[α]. ForA ∈ Eandf ∈ K(E), we denote the order of zero off atA by ordAf, whereas for a prime idealᒍof a Dedekind domainRandα ∈R, we understand ordᒍaas an additiveᒍ-adic valuation ofa. These two usages of ord are clearly distinguished by context.
Acknowledgements. Universitet i Tromsø (Norway), Aarhus universitet (Denmark), and Institut National de Recherche en Informatique et en Auto- matique (France) are gratefully thanked for their hospitality and for good re- search environments. The author would like to thank Professor François Mo- rain at École Polytechnique for valuable discussion.
2. Unbiased Ideals
In this section, we introduce the notion of unbiased groups and unbiased ideals.
Then we obtain some basic properties of unbiased ideals.
Definition2.1. A finiteAbelian groupGis said to beunbiasedif
g∈Gg=0.
Note that unbiasedness depends only on the isomorphism classes of Abelian groups.
Lemma2.2. LetGbe a finite Abelian group.
(1) Assume that G = G1 ⊕G2 where gcd(#G1,#G2) = 1. Then G is unbiased if and only if bothG1andG2are unbiased.
(2) The groupGis unbiased if#Gis odd.
(3) Assume that#Gis even. ThenGis unbiased if and only ifGcontains a subgroup isomorphic toZ/2Z⊕Z/2Z.
Proof. (1) Observe
g∈G
g =
g1∈G1
g2∈G2
(g1, g2)=
#G2
g1∈G1
g1,#G1
g2∈G2
g2
.
Hence “if part” is obvious. To prove converse, note that(#G2)a=0 fora∈G1 impliesa=0 since #G2is prime to #G1. Thus,G1is unbiased. Unbiasedness ofG2follows from the same way.
(2) Since
g∈Gg=
−g∈G−g= −
g∈Gg, we have
(2.1) 2
g∈G
g=0.
Multiplying #G+2 1 ∈Z, we have the assertion.
(3) Due to (1) and (2), we may assume thatGis isomorphic toZ/2n1Z⊕· · ·⊕
Z/2nrZwherer ∈ Nandn1, . . . , nr ∈ N. By a straightforward computation, we see that the latter group is unbiased if and only ifr ≥ 2. Assume thatG contains subgroup which is isomorphic toZ/2Z⊕Z/2Z. ThenGcontains at least three elements of order two. HenceG cannot be cyclic, which means
r ≥2. ThereforeGis unbiased. On the other hand, in case ofr ≥2, the group Z/2n1Z⊕ · · · ⊕Z/2nrZcontains a subgroup isomorphic toZ/2Z⊕Z/2Z. So doesG.
Definition2.3. We say an idealᑾofOFisunbiasedifᑾis the zero ideal or E[ᑾ] is an unbiased subgroup ofE. An elementαofOF is said to beunbiased if the principal ideal generated byαis unbiased.
Lemma2.4. Letᑾandᑿbe ideals ofOF. The following properties hold:
(1) E[ᑾ+ᑿ]=E[ᑾ]∩E[ᑿ].
(2) Ifᑾ+ᑿ=OF, thenE[ᑾ]⊕E[ᑿ]is isomorphic toE[ᑾᑿ]under the map ϕdefined byϕ(P, Q):=P +Q.
Proof. (1) Obviously, E[ᑾ+ᑿ] ⊂ E[ᑾ] andE[ᑾ+ᑿ] ⊂ E[ᑿ]. Hence E[ᑾ+ᑿ] ⊂ E[ᑾ]∩E[ᑿ]. Letγ ∈ ᑾ+ᑿ. Takeα ∈ ᑾandβ ∈ ᑿsatisfying α+β =γ. Then for anyP ∈E[ᑾ]∩E[ᑿ] it holds that [γ]P =([α]+[β])P = O, which impliesP ∈E[ᑾ+ᑿ].
(2) LetP ∈E[ᑾ] andQ∈E[ᑿ]. SinceOFis commutative,P+Q∈E[ᑾᑿ].
We proveϕ is surjective. By the assumptions, there existα ∈ ᑾand β ∈ ᑿ such thatα+β = 1. For anyA∈ E[ᑾᑿ], we have A= [β]A+[α]Awith [β]A ∈ E[ᑾ] and [α]A ∈ E[ᑿ]. Therefore, ϕis surjective. Then ϕ must be injective because #E[ᑾᑿ]=N(ᑾᑿ)=#E[ᑾ]#E[ᑿ].
Theorem2.5. Letᑾbe an ideal ofOF. Thenᑾis unbiased if and only if either2F|ᑾ(i.e.2F ⊃ᑾ) orN(ᑾ)is odd.
Proof. The assertion clearly holds for the zero ideal. In what follows, we assume thatᑾis not the zero ideal. The if part is a direct consequence of Lemma 2.2. To prove converse, we have to show thatᑾis a biased ideal if 2|N(ᑾ)and 2F ᑾ. We consider the following three cases.
(i) In case that 2 remains prime inOF: Any ideal ofOF with even norm is divisible by2F, hence there is nothing to prove.
(ii) In case that 2 ramifies: Let2F =ᒍ2. Then, there exists a non-negative integereand an idealᑿwhose norm is odd such thatᑾ =ᒍeᑿ. But ife = 0, then N(ᑾ) is odd and if e ≥ 2, then 2F|ᑾ. Therefore e = 1 and hence E[ᑾ]=E[ᒍ]⊕E[ᑿ]. Moreover, #E[ᒍ]=2 and #E[ᑿ] is odd. SinceE[ᒍ] is biased,E[ᑾ] is also biased.
(iii) In case that 2 splits: By the similar observation as above,ᑾdecomposes asᑾ = ᒍeᑿwheree ≥ 1,ᒍis one of prime ideals dividing2F andᑿis an ideal of odd norm. Therefore,E[ᑾ]= E[ᒍe]⊕E[ᑿ]. Since 2 splits, we have E[ᒍe]∼=OF/ᒍe ∼=Z/2eZ. HenceE[ᒍe] is biased and so isE[ᑾ].
Corollary2.6. Letα∈OF. Thenαis unbiased if and only if either2|α inOF orNF/Q(α)is odd.
Corollary2.7.Letᑾandᑿbe unbiased ideals. Thenᑾᑿis also unbiased.
Corollary 2.8. Let d be a square free positive integer such that F = Q(√
−d ). Put
(2.2) ω:=
√−d (−d ≡2,3 mod 4),
−1+√
−d
2 (−d ≡1 mod 4). Letmandnbe integers.
(1) In case ofd≡1 mod 4,m+nωis unbiased except form≡n≡1 mod 2.
(2) In case ofd ≡2 mod 4,m+nωis unbiased except form≡ 0 mod 2 andn≡1 mod 2.
(3) In case ofd ≡3 mod 8, any element ofOF is unbiased.
(4) In case ofd≡7 mod 8,m+nωis unbiased if and only ifn≡0 mod 2.
Proof. This corollary follows from Theorem 2.5 and the fact thatNF/Q(m+
nω)=m2+n2dford ≡1,2 mod 4 andNF/Q(m+nω)=m2−mn+1+d4 n2 ford ≡3 mod 4. Note 2 ramifies in case of (1) and (2), remains prime in case of (3), and splits in case of (4).
Remark2.9. The condition2F|ᑾcannot be replaced by 4|N(ᑾ). Indeed, letd≡7 mod 8 and letᒍbe a prime ideal dividing2F. Then, the idealᒍ2is biased and its norms is 4.
3. Generalized Division Polynomials
First we introduce generalized division polynomials and prove recurrence for- mulas among them. Our definition is straightforward analogue of a definition of ordinal division polynomials (see e.g. Cassels [3, Formulary]). For simplicity, we writeNF/Q(α)asN(α)forα ∈OF. To begin with, we recall a condition on a divisor which comes from a rational function. LetD:=n
i=1ai[Pi] be a divisor on an elliptic curveE. Then there exists a rational functionf onE whose divisor isDif and only ifn
i=1ai = 0 andn
i=1aiPi = O (see e.g.
Silverman [10, Cor. III.3.5]). Therefore, for a finite subgroupGofD, there exists a rational functionf onEsatisfying div(f )=
P∈G[P]−#G[O] if and only ifGis an unbiased group. Similarly, forα ∈OF − {0}, there exists a rational functionf onEsatisfying
(3.1) div(f )=
P∈Ker[α]
[P]−N(α)[O]
if and only ifαis an unbiased endomorphism. However, a divisor determined a rational function only up to constant multiple. We specify this constants as follows.
Definition3.1. Letα ∈ OF be a non-zero unbiased element. Define the α-th division polynomialψα by divψα =
P∈Ker[α][P]−N(α)[O] and the normalization condition
(3.2) ψα =(−1)N(α)−1ατ−N(α)+1+ · · ·.
We also define an auxiliary functionψ˜α for any α ∈ OF by conditions divψ˜α =
P∈Ker[α]2[P]−2N(α)[O] andψ˜α = α2τ−2N(α)+2+ · · ·. Since (2.1) holds for any finite group, such function exists and it holds thatψ˜α =ψα2 for unbiasedα. By convention, we putψ0:=0 andψ˜0:=0.
Example 3.2. For the curve Y2 = X3+5X, we seeψ2+√
−1 is a con- stant multiple ofξ2+2−√
−1 by straightforward computation (or Stark’s algorithm). Sinceξ =τ−2−5τ2+O(τ6), we have
ψ2+√
−1=(2+√
−1)ξ2+5
=(2+√
−1)τ−4−15−10√
−1+O(τ4).
Remark3.3. In caseα ∈ N, ourψα coincides with the notation used in [10, Exercise 3.7]. For a unitεofOF, we seeψε=ε(a constant function).
Lemma 3.4. Let α be an unbiased element. In case that N(α) is odd, ψα ∈ K[ξ] and degξψα = (N(α)− 1)/2. Otherwise, η1ψα ∈ K[ξ] and degξ 1ηψα
=(N(α)−4)/2.
Proof. Since Ker[α] is defined over K (recall K ⊃ F), there is f ∈ K(E)satisfying (3.1). Noting ξ ∈ K((τ))and η ∈ K((τ)), we see thatf is expanded asa−N(α)+1τ−N(α)+1+ · · ·witha−N(α)+1 ∈ K. Threfore, there exists a constantc ∈ K× satisfying ψα = cf, which impliesψα ∈ K(E). Since [−1](Ker[α])=Ker[α], there exists constantcsatisfyingψα◦[−1]= cψα. Noteτ ◦[−1] = −τ. Therefore ψα ◦[−1] = ψα for odd N(α) and ψα◦[−1]= −ψαfor evenN(α). Since [−1] is the unique non-trivial element of Gal(K(E)/K(ξ)), we seeψα ∈ K(ξ)for oddN(α)and 1ηψα ∈ K(ξ)for evenN(α). However they are regular outside of{O}. Hence we see they are polynomials ofξ. The assertions on degree follows from ordOξ = −2.
Lemma3.5. Letαandβbe non-zero unbiased elements ofOF. Then ψαβ =(ψα ◦[β])·ψβN(α).
Proof. Since char(K)= 0, every endomorphism is separable, hence un- ramified (Silverman [10, III.4.10(c)]). By a straightforward computation, we see divψαβ =div (ψα ◦[β])·ψβN(α)
. Indeed,
divψαβ =
P∈Ker[α]◦[β]
[P]−N(αβ)[O]
=[β]∗
P∈Ker[α]
[P]
−N(αβ)[O]
=[β]∗(divψα+N(α)[O])−N(α)N(β)[O]
=div([β]∗ψα)+N(α)
P∈Ker[β]
[P]
−N(α)N(β)[O]
=div(ψα◦[β])+N(α)divψβ.
Thus there exists a constantc∈K×satisfyingψαβ =c(ψα◦[β])·ψβN(α). By definition,
ψαβ =(−1)N(αβ)−1αβτ−N(α)+1+ · · · while
ψα =(−1)N(α)−1ατ−N(α)+1+ · · · ψα◦[β]=(−1)N(α)−1α(βτ+ · · ·)−N(α)+1
=(−1)N(α)−1αβ−N(α)+1τ−N(α)+1+ · · · ψβN(α)=((−1)N(β)−1βτ−N(β)+1+ · · ·)N(α)
=(−1)N(αβ)−N(α)βN(α)τ−N(αβ)+N(α)+ · · ·. Hencec=1.
The proof of the next proposition is more or less the same as the proof for the ordinal division polynomials and is already outlined in Cassels [3, Formulary].
However, in case thatα andβ ∈ OF satisfiesα+βF + α−βF = OF, the functionψα+βψα−β have a double pole. We need to handle (at least) this case separately, which is omitted in [3].
Proposition3.6. Letαandβbe non-zero elements ofOF such thatα+β andα−βare unbiased. Then
ξ◦[α]−ξ◦[β]= −ψα+βψα−β
ψ˜αψ˜β .
Proof. The assertion is obvious in case ofα = ±β. Assumeα = β and α= −βand consider the functionϕdefined by
ϕ:=(ξ◦[α]−ξ◦[β]) ψ˜αψ˜β
ψα+βψα−β. We show thatϕhas no pole. It is expanded as
((α−2−β−2)τ−2+ · · ·)(α2τ−2N(α)+2+ · · ·)(β2τ−2N(β)+2+ · · ·) ((−1)N(α+β)−1(α+β)τ−N(α+β)+1+ · · ·)
·((−1)N(α−β)−1(α−β)τ−N(α−β)+1+ · · ·) at the point at infinity. Noting
(3.3) N(α+β)+N(α−β)=2N(α)+2N(β), we see thatϕis expanded as
(3.4) ϕ= −1+O(τ)
atO. ForP ∈E[α]−E[β], we have ordP(ξ◦[α]−ξ◦[β])= −2, ordP(ψ˜α)= 2, ordP(ψ˜β) = 0, ordP(ψα+β) = ordP(ψα−β) = 0. Thus ordPϕ = 0. The similar argument applies forP ∈E[β]−E[α]. LetP ∈E[α]∩E[β]− {O}
and letVP be the translation byP map (i.e.VP(A)=P +A). Observe ξ ◦[α]◦V−P =α−2(τ◦V−P)−2+ · · ·.
Butτ◦V−P is a local parameter atP and [α]◦V−P =[α]. The same formula holds forβ. Usingα= ±β, we see ordP(ξ◦[α]−ξ◦[β])= −2. On the other hand, ordP(ψ˜α)= 2, ordP(ψ˜β)= 2, ordP(ψα+β)=1 and ordP(ψα−β)=1.
Hence ordPϕ =0.
Now we consider a possible pole of ϕoutside ofE[α]∪E[β]. It comes fromψα+βψα−β, hence it lies inE[α+β]∪E[α−β]−{O}. We consider three sub-cases. In caseP ∈E[α+β]−E[α−β], we have [α](P ) = −[β](P ), which impliesξ([α](P )) = ξ([β](P )). By definition, ordPψα+β = 1 and ordP ψα−β = 0. Hence ordPϕ ≥ 0. The same is true forP ∈ E[α−β]− E[α + β]. Finally, assume P ∈ E[α + β]∩E[α− β] and P = O. By the former condition, 2[α](P ) = O and 2[β](P ) = O. However, we have assumed [α](P ) = O and [β](P ) = O. Thus [α](P ) and [β](P ) are non- trivial 2-torsion points ofE. Since
ξ([α](A−P ))=ξ(−[α](A−P ))=ξ([α](−A)+[α](P ))
=ξ([α](−A)−[α](P ))=ξ([α](−A−P ))
for allA∈E, we see thatξ◦[α]◦V−Pis an even function and that the expansion ofξ◦[α] atPwith respect to the local parameterτ◦V−Pconsists of even degree terms. The same holds for [β]. Therefore, ξ([α](P )) = ξ([β](P )) means ordP(ξ◦[α]−ξ◦[β])≥2. On the other hand, ordPψα+β =ordPψα−β =1.
Consequently, ordP ϕ≥0.
Sinceϕ has no poll at all, it is a constant function and its value is−1 by (3.4). This completes the proof.
Corollary3.7. Letα,β,γ be elements ofOF such thatα±β,β±γ, γ ±αare unbiased. Then
ψ˜βψα+γψα−γ − ˜ψαψβ+γψβ−γ =ψα+βψα−βψ˜γ.
Proof. Again, the assertion is trivial forαβγ =0. Otherwise, this follows from Proposition 3.6 and the identity(ξ◦[α]−ξ◦[γ])−(ξ◦[β]−ξ◦[γ])= ξ◦[α]−ξ ◦[β].
Letωbe as in (2.2). Forα∈F, we put (3.5) α:=max(|s|,|t|) wheres,t ∈Qare uniquely determined byα=s+tω.
Proposition3.8. Letα ∈OFbe unbiased. Then, there exist seven unbiased elementsβ1, . . . , β6∈OF,δ∈ {1,2, ω,1+ω,1−ω,1+2ω}andt ∈ {0,1,3} satisfying the following conditions:
(1) ψα =(ψβ21ψβ2ψβ3−ψβ24ψβ5ψβ6)/ψδt (2) βi ≤ 12α +2for alli
Explicitly, the following formulas holds foru∈OF: In case ofd≡3 mod 4,
(3.6)
ψ2u=ψu(ψu−2 1ψu+2−ψu+2 1ψu−2)/ψ2, ψ2u+1=ψu3ψu+2−ψu+3 1ψu−1,
ψ2u+ω =(ψu3ψu+2ω−ψu+ω3 ψu−ω)/ψω3,
ψ2u+1+ω =(ψu3ψu+2+2ω−ψu+3 1+ωψu−1−ω)/ψ13+ω. Letu=m+nωwithm, n∈Z. In case ofd≡7 mod 8, (3.7)
ψ2u=ψu(ψu−2 1ψu+2−ψu+2 1ψu−2)/ψ2 (n: even),
ψ2u=(ψu−ω2 ψu+1+ωψu−1+ω−ψu+ω2 ψu+1−ωψu−1−ω)/ψ2ω (n: odd), ψ2u+1=ψu3ψu+2−ψu+3 1ψu−1 (n: even),
ψ2u+1=(ψu−ω2 ψu+2+ωψu+ω−ψu+2 1+ωψu+1−ωψu−1−ω)/ψ1+2ω (n: odd).
In case ofd ≡1 mod 4, in addition to (3.7), we have (3.8)
ψ2u+ω=(ψu3ψu+2ω−ψu+ω3 ψu−ω)/ψω3 (m: even),
ψ2u+ω=(ψu−2 1ψu+1+2ωψu+1−ψu+2 1+ωψu−1+ωψu−1−ω)/ψω3 (m: odd).
Similarly, in case ofd≡2 mod 4, we have (3.7) and (3.9)
ψ2u+1+ω =(ψu3ψu+2+2ω−ψu+3 1+ωψu−1−ω)/ψ13+ω (m≡nmod 2), ψ2u+1+ω =(ψu+ω3 ψu+2−ω−ψu+3 1ψu−1+2ω)/ψ13−ω (m≡nmod 2).
Proof. Recurrence formulas (3.6)–(3.9) are immediate consequence of Co- rollary 3.7, which implies the existence ofβ1, . . . , β6,δandt. Unbiasedness ofβ1, . . . , β6andδfollows from Corollary 2.8. Finally, the assertion (2) is a consequence of the inequality
x+y ≤ 1
22x+z +y− z 2
for anyx, y, z∈F.
4. Integrality of Division Polynomials
LetT be an indeterminate. For an unbiased elementα∈OF, define6α(T )∈ K[T] by
ψα =6α(ξ) (NF/Q(α)is odd), 1
ηψα =6α(ξ) (NF/Q(α)is even).
In this section, we prove that6α ∈ OK[T]. For a nonzero idealᑾofOF, we
put 7ᑾ(T ):=
P∈E[ᑾ]−{O}
(T −ξ(P )).
As before, we write7αF as7α forα∈OF. Note (4.1) div7ᑾ(ξ)=2
P∈E[ᑾ]
[P]−N(ᑾ)[O]
and hence
(4.2) 7α(T )=
α−26α(T )2 (NF/Q(α)is odd), α−2C(T )6α(T )2 (NF/Q(α)is even).
Here,C(T ):=T3+aT +bwitha,bdefined in (1.2). Letᑪbe a prime ideal ofOKlying above a prime idealᒍofOF. Recall thatᑪ-adic valuation has the standard extension toK(T ) in the sense of Zariski and Samuel[13, §IV.13], namely,
ordᑪ n
i=0
αiTi
:= min
0≤i≤nordᑪαi
onK[T]. In order to prove6α(T )∈OK[T], it is suffice to prove ordᑪ7α(T )≥ −2 ordᑪα
for any prime idealᑪ. The fact that #E[m]=m2form∈Ncause a difficulty to the proof of the above formula. LetAbe an torsion point ofEof orderpm. Then, as is well known (see e.g. Silverman [10, Th. VII.3.4]),
(4.3) ordᑪξ(A)≥ −2 ordᑪp pm−pm−1. This inequality implies, for example,
ordᑪ7p(T )≥ −2p2−1 p−1 ordᑪp
which is insufficient for our purpose. This problem might be solved by the sharper inequality obtained by Oshikawa [9, Th. 4] with fine arguments on hight of the formal group associated the reduction ofEatᑪ(including bad reductions). Here we employ an another method. We utilize the fact that 6n(T ) ∈ OK[T] for n ∈ N. (This is well known. See e.g. Silverman [10, Exercise 3.7]. Recall that in (1.2), we assumed that a and b are algebraic integers.)
For a prime idealᒍof the Dedekind domainRand a non-zero idealᑾof a subring ofR, we denote by ordᒍᑾthe largest integeresuch thatᒍedividesRᑾ. Lemma4.1.Letᒍbe a prime ideal ofOF andᑪa prime ideal ofOKlying aboveᒍ. Letᑾbe an ideal ofOF and pute := ordᒍᑾ. Then, ordᑪ7ᑾ(T ) = ordᑪ7ᒍe(T ).
Proof. There exists an idealᑿof OF such thatᑾ = ᒍeᑿ. RecallE[ᑾ] = E[ᒍe]⊕E[ᑿ] by Lemma 2.4. Thus
(4.4) ordᑪ7ᑾ(T )=
P∈E[ᒍe], Q∈E[ᑿ] P=O orQ=O
ordᑪ(T −ξ(P +Q))
We show ordᑪξ(P+Q)≥0 forQ=O. Letu∈ᑿ−ᒍ. PutA:=P+Qand assume ordᑪξ(A) <0. Hence,Abelongs to the group of points of the formal group associated toEover theᑪ-adic completion ofKatᑪ. Letr ∈ ᒍe be arbitrary. Since End(E)is commutative, [u][r]A=[u][r]P +[r][u]Q= O. However, uis a ᑪ-adic unit and thus [r]A = O. This implies A ∈ E[ᒍe].
Hence,Q= P −A ∈ E[ᒍe], which contradicts toQ = O by Lemma 2.4.
Therefore, ordᑪ(T −ξ(P +Q)) = 0 forQ= O and the right hand side of
(4.4) is
P∈E[ᒍe]−{O}
ordᑪ(T −ξ(P ))=ordᑪ7ᒍe(T ).
Proposition4.2.Letᑾ be a non-zero ideal ofOF. Then, ordᑪ7ᑾ(T ) ≥
−2 ordᑪᑾfor a prime idealᑪofOK.
Proof. Put ᒍ := OF ∩ᑪ ande := ordᒍᑾ. Letp be the prime number belonging toᒍ. By the preceding lemma, we have only to prove
(4.5) ordᑪ7ᒍe(T )≥ −2eordᑪᒍ. We consider three cases:
In case thatpsplits: we have ordᑪᒍ = ordᑪp andE[ᒍe] ∼= Z/peZ. For 1≤m≤ e, there are exactlypm−pm−1points inE[ᒍe] whose order ispm. By (4.3),
ordᑪ7ᒍe(T )=
P∈E[ᒍe]−{O}
min(0,ordᑪξ(P ))
≥ e m=1
(pm−pm−1)−2 ordᑪp
pm−pm−1 = −2eordᑪᒍ. In case thatpremains prime: Noting (4.2) and6pe(T )∈OK[T], we have
ordᑪ7ᒍe(T )= −2 ordᑪpe+2 ordᑪ6pe(T )≥ −2eordᑪᒍ.
In case thatp ramifies: Assume first thateis even. Then,ᒍe = pe/2F and assertion follows the same argument as above. Letebe odd. In case ofe=1, we haveE[ᒍ] ∼= Z/pZand (4.5) holds by the same reason as the split case.
Now assumee ≥ 3 and putn:= (e−1)/2 andq := pn. As is well known ξ◦[q] = ξ−ψq+1ψq−1/ψq2(which can also be proved by Proposition 3.6).
Then, by a similar proof to Lemma 3.5, we have
7ᒍe(ξ)=q2(p−1)7ᒍ(ξ◦[q])7q(ξ)p=q−27ᒍ(ξψq2−ψq−1ψq+1)ψq2.
Thus,
7ᒍe(T )=
q−27ᒍ(Gq(T ))6q(T )2 (p=2), q−27ᒍ(Gq(T ))C(T )6q(T )2 (p=2), where
Gq(T ):=
T 6q(T )2−C(T )6q−1(T )6q+1(T ) (p=2), T C(T )6q(T )2−6q−1(T )6q+1(T ) (p=2).
Because6i(T )∈OK[T] for anyi ∈N, the polynomialGq(T )also belongs toOK[T]. Thus,
ordᑪ7ᒍe(T )≥ −2 ordᑪq+ordᑪ7ᒍ(T )= −2eordᑪᒍ.
Corollary 4.3. Let α ∈ OF be unbiased. Then6α(T ) ∈ OK[T] and ψα ∈OK[ξ , η].
5. Space Complexity for Polynomial Arithmetic Operations
We estimate space complexities for arithmetic operations onOK[T] whereT is an indeterminate. Estimates for additions, subtractions and multiplication are simple. However, divisions give rise to a difficulty. For an integernand its divisorm, the bit size of the quotient n/mis not greater than that ofn. Such a property does not holds forOK[T]. In order to clarify an obstacle, let us consider the integer ringZ[√
2 ] of therealquadratic fieldQ(√
2). Then,
√2− 1 is a unit and (√
2−1)n divides 1 for any n ∈ N. But bit size of 1/(√
2−1)nis, in any sense, unbounded asntends to infinity because finitely many bits can represent finitely many elements inZ[√
2 ]. This suggests that we need to utilize the fact thatF is an imaginary quadratic field in order to bound the space complexity. Our method is based on the fact that the bit size of α ∈ OK is not that different fromLK(α) := maxilog2NF/Q(ai)where α=
iaiθi withK=F (θ).
First we note a technical lemma whose proof is given in Appendix. Although it looks like an abstract nonsense, such an abstraction is necessary because it is used twice in subsequent proofs with different coefficient rings. LetR be an integral domain. For polynomialsf andg ∈R[T] we denote by quo(f, g) (resp. rem(f, g)) the quotient (resp. remainder) of the divisionf/g in k[T] wherekis the field of fractions ofR.
Lemma5.1. LetRbe an integral domain. LetL∈Map(R,R∪ {−∞})be a map satisfying the following conditions.
(5.1) L(0)= −∞.
(5.2) There exists a constantc1≥0such thatL(α±β)≤max(L(α), L(β))+
c1for allα, β ∈R.
(5.3) There exists a constantc2≥0such thatL(αβ)≤L(α)+L(β)+c2for allα, β ∈R.
For such a mapL, we defineL˜ ∈Map(R[T],R∪ {−∞})by (5.4) L˜
n i=0
aiTi
:= max
0≤i≤nL(ai).
Then, for polynomialsf, g ∈R[T], the following inequalities hold.
(a) L(f˜ ±g)≤max(L(f ),˜ L(g))˜ +c1.
(b) L(fg)˜ ≤ ˜L(f )+ ˜L(g)+c1min(degf,degg)+c2. (c) Assumeg=0and
(5.5) L(lc(g)α)≥L(α)
for allα ∈R. Assume alsoquo(f, g)∈R[T]. Putc3 := max(L(g)˜ + c1+c2,0)andδ:=max(degf −degg,−1). Then, we have
(5.6) L(˜ quo(f, g))≤ ˜L(f )+δc3
and
(5.7) L(˜ rem(f, g))≤ ˜L(f )+(δ+1)c3.
We now consider the computational complexity of arithmetic operations on OK[T]. Letω be as in (2.2). Put ν := [K : F] and take θ ∈ K satisfying K =F (θ). Later, we requireθ to be an element ofOK, but for nowθ is not necessarily an algebraic integer. LetH be the monic minimal polynomial of θoverF. It is important to constructKas a simple extension overF, not that overQ. DefineLF ∈Map(F,R∪ {−∞})andLK ∈Map(K,R∪ {−∞})by
LF(α):=
log2NF/Q(α) (α=0)
−∞ (α=0) and
LK
ν−1 i=0
aiθi
:= max
0≤i<νLF(ai),
respectively. LetL˜F be the extension ofLF toF[T] as was done in (5.4).
Theorem5.2. Forα, β ∈Kandc∈F, we have LK(cα)=LF(c)+LK(α), LK(α+β)≤max(LK(α), LK(β))+2, LK(αβ)≤LK(α)+LK(β)+(ν−1)(L˜F(H)+4).
Proof. Put P := {f ∈ F[T] : deg(f ) < ν}. Determine A and B ∈ PF by α = A(θ) and β = B(θ), respectively. By definition, LK(α) = L˜F(A)andLK(β) = ˜LF(B). Since T is mapped toθ by the mapF[T] → F[T]/HF[T] ∼= K, we have LK(α + β) = ˜LF(A + B), LK(αβ) = L˜F(rem(AB, H ))and LK(cα) = ˜LF(cA). On the other hand, it is obvious thatLF satisfies (5.1) and (5.3) withc2=0. By (3.3), we have
LF(α+β)≤max(LF(α), LF(β))+2
for α, β ∈ F, which shows that LF satisfies (5.2) with c1 = 2. Hence Lemma 5.1 is applicable toLF and the first two assertions are proved. Since H is monic, the condition (5.5) forL = LF andg = H is clearly satisfied.
Thus, the last assertion follows from Lemma 5.1.
Corollary5.3. LetL˜K ∈Map(K[T],R∪ {−∞})be the extension ofLK
as in (5.4).
(a) There exists a constantc4 > 0such thatL˜K(f +g) ≤ max(L˜K(f ), L˜K(g))+c4for allf, g∈K[T].
(b) There exists a constantc5>0such thatL˜K(fg)≤ ˜LK(f )+ ˜LK(g)+ (min(degf,degg)+1)c5for allf, g∈K[T].
(c) Let g ∈ K[T] and assumelc(g) ∈ OF. Then, there exist a constant c6> 0(depending ong) such thatL˜K(quo(f, g))≤ ˜LK(f )+δc6and that L˜K(rem(f, g)) ≤ ˜LK(f )+ (δ+1)c6 for all f ∈ K[T] where δ:=max(degf −degg,−1).
Proof. The corollary is an immediate consequence of Lemma 5.1 and Theorem 5.2.
From now on, we assume θ ∈ OK and put D := [OK : OF[θ]]. We representα∈OKas aν-tuple(α0, . . . , αν−1)∈OFνwhereα=ν−1
i=0αiθi/D. Eachu∈ OF is represented as a pair of integers(m, n)determined byu = m+nωwhereωis defined as (2.2). On the other hand, we putSF(m+nω):= log2(max(|m|,1))+log2(max(|n|,1))+6 andSK(α):= ν−1
i=0SF(αi). The valueSF(u)is considered to be the bit size to storeu ∈ OF (not including length ofmandn) by the data structure described as above.
Theorem5.4. There exist constantsc7>0andc8>0satisfying 1
2LK(α)−c7≤SK(α)≤νLK(α)+c8
for all non-zeroα ∈OK.
Proof. Let u := m+nω with m, n ∈ Zand α := ν−1
i=0αiθi/D with αi ∈ OF. Apparently, NF/Q(u) ≤ (d +3)max(m2, n2). Hence, there is a constantc9such that log2NF/Q(u)≤c9+2SF(u)for allu∈OF. Thus,
LK(Dα)= max
0≤i<νLF(αi)≤c9+2 max
0≤i<νSF(αi)≤c9+2SK(α).
The left hand side is not less thanLK(α) sinceD ∈ N. Conversely, m2 ≤
4
3NF/Q(u)andn2 ≤ 43NF/Q(u). These are obvious ford ≡ 3 mod 4 (recall F =Q(√
−d)). In case ofd≡3 mod 4, they follow from NF/Q(m+nω)=
m− n
2 2
+ d
4n2= d+1 4
n− 2 d+1m
2
+ d d+1m2. andd ≥3. Hence, there exists a constantc10such thatSF(u)≤LF(u)+c10
for allu∈OF − {0}. We haveLF(αi)≤LK(α)+log2Dfor all 0≤i < ν. Thus,
SK(α)≤
αi=0
(LF(αi)+c10)+6#{i:αi =0}
≤ν LK(α)+log2D+c10+6 . This concludes the proof.
Using the above results, we have, for example, SK(αβ) ≤ 2ν(SK(α)+ SK(β))+O(1) forα, β ∈ OK − {0}. However, this is insufficient for our purpose. In the next section, we work withLK as much as possible and use Theorem 5.4 only once during the proof on a space complexity.
6. Complexity to Compute Generalized Division Polynomials
We give time and space complexities to compute6α(T )asαtends to infinity.
Recall that E is a fixed elliptic curve Y2 = C(X) where C(T ) = T3 + aT +b (cf. (1.2)). We keep notation in the previous sections. Forf (T ) := n
i=0αiTi ∈ OK[T], we put σ (f ) := max0≤i<nSK(αi). Throughout this section, letµbe a constant such that the number of bit operations to multiply twonbit integers isO(nµ)and that the number of arithmetic operations of a coefficient ring to multiply two polynomials of degree less thannisO(nµ). In
