Abelian Varieties in Pairing-Based Cryptography

arXiv:1812.11479v3 [math.NT] 8 Apr 2020 enw ol okoe ed fsalrszswiepreservi while sizes smaller of fields over per work of could terms we in mean curves elliptic with level. competitive curv them the projective consequently, make and to smooth curves- of hyperelliptic Jacobians on operations as arise and conditions xsec hoesfrsc constructions. such for theorems existence group h eladTt arnscnb sdt embed to used be can pairings Tate and Weil The l ntesbru ceeof scheme subgroup the on sa nraigfnto fteinteger the r of The function attack. increasing Frey-Ruck an the of is modification its and attack MOV euiylvlof level security medn eret emc mle than smaller much be to degree embedding N F 1 aeteblna,nndgnrt n Galois-equivariant and non-degenerate bilinear, the have | ( q q ( scle the called is ζ o rporpi upss eaepiaiyitrse in interested primarily are we purposes, cryptographic For h otscesu erpinatcsaanttepairing the against attacks decryption successful most The o rnial oaie bla variety abelian polarized principally a For − l ) Introduction svtli arn-ae rporpy npriua,w hwthat show o we variety particular, abelian In an cryptography. of L pairing-based degree in embedding the vital of is problem the study We riayaeinvreyoe nt edwt noopimalgebra endomorphism with field finite a over variety abelian ordinary ihrsetto respect with h edo ento.W losuyacaso boueysml ihrd higher simple absolutely imaginary of over class central a are study algebras also endomorphism We whose varieties definition. of field the ∗ Hypothetically ),w lohv h non-trivial the have also we 1)), F npiigbsdcytgah,w yial hoetepri the choose typically we cryptography, based pairing In . q fdegree of ( ζ l ) ∗ hsrdcstedsrt oaih rbe in problem logarithm discrete the reduces This . medn degree embedding A ≥ npiigbsdcytgah sdtrie yteinteger the by determined is cryptography pairing-based in medn n ulebdigdegrees embedding full and embedding sn bla aite fhge iesosisedo el of instead dimensions higher of varieties abelian using , ,pecie integers prescribed 4, l n h edetningnrtdb the by generated extension field the and bla aite ihprescribed with varieties Abelian A [ l l ] trinpit.If points. -torsion × A A [ l [ ]( l of ] F −→ q A ) × aepairing Tate l ihrsetto respect with − N µ A tv Thakur Steve 1 m l ( := hr h integer the where , F Abstract l n q . { ) F /lA l n prime a and A t ot fuiyin unity of roots -th q 1 l otisaprimitive a contains trinsbrusof subgroups -torsion over ( F q ) F −→ l q nti ril,w rv e related few a prove we article, this In . rJcbas aebe piie oas so optimized been have Jacobians- ir elpairing Weil n ainlprime rational a and F l l trinpit fdegree of points -torsion q ∗ N ≡ s nrcn er,tearithmetic the years, recent In es. / gtesm euiylevel. security same the ng bsdcytsse for cryptosystem -based omnea rsrbdsecurity prescribed a at formance F bla aite htfll these fulfill that varieties abelian ntm opeiyo hsattack this of complexity time un steodrof order the is (mod 1 A q ∗ l ( . F udai fields. quadratic o rsrbdC field CM prescribed a for q F )[ l p L me t oto nt (meaning unity of root -th e nt edwhich field finite a ver A l } otesm rbe in problem same the to ] mn medn degree embedding , ( F mninlabelian imensional l q ,teeeit an exists there ), notemultiplicative the into ) ob ag n the and large be to itccre would curves liptic q l l in − N rm to prime 1 F h integer The . mn l ∗ hs the Thus, . over A r the are n q we , 1.1 Notations and background

For an abelian variety A over a field F , End0(A) denotes the endomorphism algebra of A over the field of definition. By Honda-Tate theory, we have the well-known bijection Simple abelian varieties over F up to isogeny Weil q-integers up to Gal -conjugacy { q } ←→ { Q } induced by the map sending an abelian variety to its Frobenius. For a Weil number π, we write Bπ for the corresponding simple abelian variety over Fq. The dimension of Bπ is given by

0 1/2 2dim B = [Q(π) : Q][End (Bπ) : Q(π)] . 0 0 1/2 Note that End (Bπ) is a central division algebra over Q(π) and hence, [End (Bπ) : Q(π)] is an integer. The characteristic polynomial of B on the Tate representation V (A) := T (A) Q π l l ⊗Zl l (for any prime l = p) is independent of l and is given by 6 P (X) := (X σ(π))mπ Bπ − σ GalQ ∈Y where m = [End0(B ) : Q(π)]1/2. We denote by the set of Galois conjugates of π. Hence, π π WBπ Q( Bπ ) is the splitting field of PBπ (X). The Galois group Gal(Q( Bπ )/Q) is a subgroup of W g W the wreath product (Z/2Z) ⋊ Sg, the Galois group of the generic CM field of degree 2g, where g = [Q(π + π) : Q]. Definition 1.1. An abelian variety A over a field F is simple if it does not contain a strict non-zero abelian subvariety. We say A is absolutely or geometrically simple if the base change A F to the algebraic closure is simple. ×F Definition 1.2. An abelian variety A is iso-simple if it has a unique simple abelian subvariety up to isogeny.

We state a few well-known facts about abelian varieties over finite fields. We refer the reader to notes [Oo95] for proofs and further details.

Proposition 1.1. For any simple abelian variety B over a finite field Fq, the abelian variety B F is iso-simple. ×Fq q With this setup, let π be a Weil number corresponding to B and let B be the unique simple component (up to isogeny) of the base change B F to the algebraic closure. Let N be the ×Fq q e smallest integer such that B has a model over the field FqN . Then B corresponds to the Weil number πN and we have an isogeny e B F = B(dim B)/N . e ×Fq q isog Proposition 1.2. Let be a Weil -integer and write 0 . Then is a central π q e Dπ := End (Bπ) Dπ division algebra over Q(π) and its Hasse invariants are given by

0 if v ∤ q. 1 invv(Dπ)=  2 if v is real. [Q(π) : Q ] v(π) if v q. v p v(q) | 0  In particular, End (Bπ) is commutative if and only if the local degrees [Q(π)v : Qp] annihilate v(π) v(π) the Newton slopes v(q) . For instance, if Bπ is ordinary, the slopes v(q) are either 0 or 1 and 0 hence, End (Bπ) is commutative.

2 1.2 A few preliminary results

The following well-known result describes the embedding degree for a fixed prime l and a simple abelian variety corresponding to a Weil number π prime to l.

Proposition 1.3. Let Bπ be a simple abelian variety over a finite field Fq corresponding to a Weil number π and let l be a prime not dividing q. The order Bπ(Fq) of the group of Fq-points is given by B (F ) = P (1) = Nm(1 π) mπ . π q Bπ −

The next few lemmas in this section might be obvious for most readers but we record them here since we will need them repeatedly in the subsequent sections.

Lemma 1.4. Let π be a Weil number and Bπ the corresponding abelian variety over a finite field Fq. For any rational prime l, the following are equivalent: (1). π 1 lies in some prime l of Q( ) lying over l. − WBπ (2). l divides the order Bπ(Fq) . Proof. (1) (2): If π 1 l, then B (F ) = Nm(1 π) l and since B (F ) is a rational ⇒ − ∈ π q − ∈ π q integer, B (F ) l Z = lZ. π q ∈ ∩ (2) (1): Fix a prime l of Q( ) lying over l. If Nm(1 π) lZ, then there exists σ Gal ⇒ WBπ − ∈ ∈ Q such that 1 σ 1(π) l. Hence, 1 π σ(l). − − ∈ − ∈ Lemma 1.5. The following are equivalent:

(1) l divides Bπ(Fq) and Bπ has embedding degree N with respect to l. (2) There exists a prime l of Q(W ) lying over l such that π 1 (mod l) and Φ (π) l. Bπ ≡ N ∈

Proof. (1) (2): Since l divides P (1), it is clear that π 1 (mod l) for some prime l lying ⇒ Bπ ≡ over l. Now, q π (mod l) and since Φ (q) l, it follows that Φ (π) l. ≡ N ∈ N ∈ (2) (1): If π 1 l, then Nm (1 π) Nm (l) = lZ and hence, l divides ⇒ − ∈ Q(π)/Q − ∈ Q(π)/Q B (F ) . Furthermore, since Φ (π) Φ (q) (mod l), it follows that Φ (q) l Z = lZ. π q N ≡ N N ∈ ∩

Lemma 1.6. Let Bπ be an abelian variety over Fq and let l be any rational prime not dividing q. Let K/Q be any number field and let l = le1 ler be the prime decomposition of l in K. OK 1 · · · r For each index i, let d be the order of q in ( /lei ) . The integer d is independent of the index i OK i ∗ i i and is the embedding degree of Bπ with respect to l. Proof. For any index i and integer d,Φ (q) l if and only if Φ (q) l Z = lZ. d ∈ i d ∈ i ∩ The following well-known theorem shows that for elliptic curves, the embedding degree coincides with the the degree of the field extension generated by the l-torsion points.

Theorem 1.7. (Koblitz) Let E be an elliptic curve over F and let l be a prime dividing E(F ) . q | q | Suppose l ∤ (q 1). Then the embedding degree with respect to l is [F (E[l]) : F ]. − q q Lemma 1.8. ([Kow03]) Let Bπ be a simple abelian variety over Fq and let n be an integer prime to q. Then the degree [Fq(Bπ[n]) : Fq] is given by [F (B [n]) : F ] = inf d 1 : n (πd 1) in End(A) . q π q { ≥ | − } The following corollary follows immediately.

3 Corollary 1.9. Let l be a prime that does not divide q and let l be a prime of L := Q( ) lying WBπ over l. For every σ Gal , let d be the order of σ(π) in ( /le ) where e is the ramification ∈ Q σ OL OL ∗ index of l in Q( )/Q . Then the degree [F (B [l]) : F ] is given by lcm(d )e . WBπ q π q σ σ Proof. We write d := lcm(d ) . Let l be any prime of Q( ) lying over l. Then there exists σ σ 1 WBπ σ Gal such that l = σ(l ). So πdσ 1 (mod le) and hence, πd 1 (mod l). ∈ Q 1 ≡ 1 ≡ Conversely, if πd1 1 (mod l) for some integer d , then in particular, πd1 1 (mod σ 1(le)) ≡ 1 ≡ − and hence, σ(π)d1 1 (mod le). So d d . ≡ | 1

Remark. The assumption that gcd(n,q) = 1 is necessary to ensure that Bπ[n] is etale. Clearly, if πd 1 (mod l ), then πd 1 (mod l ) and hence, qd 1 (mod l) since complex ≡ OQ(π) ≡ OQ(π) ≡ conjugation preserves the ideal l . So the embedding degree always divides the degree OQ(π) [Fq(Bπ[l]) : Fq]. Thus, we have the inclusion

F F n F (B [l]) F l−1 . q ⊆ q ⊆ q π ⊆ q But unlike the case of elliptic curves, the degree [Fq(Bπ[l]) : Fq] can be substantially larger than the embedding degree. In pairing based cryptography, it is eminently desirable for the prime l to be substantially larger than the embedding degree with respect to l. One way to achieve this is to construct an abelian variety B over a finite field Fq such that the full embedding degree, i.e. the degree of the extension generated by the l-torsion points is substantially larger than the embedding degree. By Koblitz’s theorem, this is not possible for elliptic curves since the two notions coincide. However, as shown in the next section, this is possible for dimension two or greater.

2 The embedding and full embedding degree

We first show that the embedding degree can be arbitrarily large. The supersingular case will be key here. Definition 2.1. An abelian variety A over a finite field of characteristic p is supersingular if all 1 of its Newton slopes are 2 . For dimension 1 or 2, one may alternatively define a supersingular abelian variety as one with no p-torsion points or equivalently with no 0 as a Newton slope. But that does not extend to higher dimensions, as evidenced by absolutely simple abelian threefolds with Newton polygon 3 1 , 3 2 . It is a well-known fact that a g-dimensional supersingular abelian variety is isogenous × 3 × 3 over the algebraic closure to the g-th power of the supersingular elliptic curve. Lemma 2.1. Let π be a Weil q-integer corresponding to a simple abelian variety of dimension g. The following are equivalent: 1. Bπ is supersingular 2. πN Z for some integer N. ∈ 3. Bπ Fq Fq is isogenous to a power of the supersingular elliptic curve. ×0 4. End (Bπ) = Matg(Qp, ), the quaternion algebra over Q ramified only at p and ∼ ∞ ∞ Lemma 2.2. Let π1 ,π2 be Weil q-integers. The corresponding simple abelian varieties over Fq are twists of each other if and only if σ(π )π 1 is a root of unity for some σ Gal . 1 2− ∈ Q N N N Proof. ( ): Suppose Bπ1 , Bπ2 are isogenous over some extension Fq . Then π1 and π2 are ⇒ N N 1 N conjugates over Q. Choose σ GalQ such that σ(π1 )= π2 . Then (σ(π1 )π2− ) = 1 and hence, 1 ∈ σ(π1 )π2− is an N-th root of unity.

4 1 N N N ( ): Suppose (σ(π1 )π− ) = 1 for some σ GalQ. Then σ(π ) = π and hence, B N is ⇐ 2 ∈ 1 2 π1 isogenous to B N . π2

In particular, if π is a Weil q-integer corresponding to a supersingular abelian variety, then π √q is a root of unity.

Corollary 2.3. Let B be a simple supersingular abelian variety over a finite field Fq. Then φ(N) dim B = φ(N) or 2 for some integer N.

Proof. Let π be the corresponding Weil q-integer. Then π = √qζN where N is an integer and ζN 0 is a primitive N-th root of unity. For brevity, write Dπ := End (B) and let p be the characteristic 1/2 of Fq. By Honda-Tate theory, 2 dim B = [Q(π) : Q][Dπ : Q(π)] . Now,

φ(N) if √q Q(ζ ) [Q(π) : Q]= ∈ N (2φ(N) if √q / Q(ζN ). ∈ 1 1 Furthermore, the Newton slopes are all 2 . So the Hasse invariants of Dπ are 2 [Q(π)v : Qp] at the places v lying over p. Thus, the least common denominator of the Hasse invariants is either 1 or 2 and hence, [Dπ : Q(π)] = 1 or 4. If √q / Q(ζ ), then p is ramified in Q(π)/Q and hence, the Hasse invariants of D are 0 in ∈ N π Q/Z, meaning that Dπ = Q(π). This completes the proof. Proposition 2.4. Let N be any integer and let q be a prime power that is a perfect square. Then there exists a simple supersingular abelian variety B over Fq and a rational prime l such that:

-the group B(Fq) of Fq-points has order divisible by l. -the embedding degree of B with respect to l is N.

Proof. Let π be the Weil q-integer √qζ2N where ζ2N is a primitive 2N-th root of unity. Let B φ(2N) be the corresponding simple abelian variety over Fq. Note that B is a Fq-form of the 2 -th power of the supersingular elliptic curve, meaning that B is of dimension φ(2N) and B F is ×Fq p isogenous to the φ(2N)-th power of the supersingular elliptic curve. Now, the order of B(Fq) is given by: P (1) = (1 σ(π)) B − σ Gal(Q( B )/Q) ∈ YW π = (1 √qζi ) − 2N gcd(i,Y2N)=1 i = (ζ− √q) 2N − gcd(i,Y2N)=1 =Φ2N (√q).

Thus, any prime l dividing Φ2N (√q) but not dividing 2N fulfills the hypothesis of the proposition. Since such a prime always exists unless (q, N) = (4, 3), this completes the proof.

Clearly, the prime l constructed in the last proposition is 1 (mod N). So choosing a ≡ moderately large value for N results in l being a substantially large prime. φ(2N) The abelian variety constructed in the last proposition is of dimension 2 and is far from absolutely simple. Later, we shall provide a construction that yields an absolutely simple abelian variety of any prescribed dimension g with embedding degree any prescribed integer N with respect to some prime l.

5 Proposition 2.5. Let B be a simple supersingular abelian variety of dimension g over Fq. Then for any prime l dividing B(F ) , the embedding degree of B with respect to l is 4g2 | q | ≤

Proof. Let π be the associated Weil number. Then π = √qζN where ζN is a primitive N-th root of unity and 2g = [Q(√qζ ) : Q]. Now, π 1 (mod l) for some prime l of Q( ) lying over N ≡ WB l. So q ζ 2 (mod l) and hence, l divides Φ (q) where M = N . Thus, the embedding ≡ N− M gcd(2,N) degree divides N. Now, φ(N) = 2g and hence, N 4g2. ≤ Remark: This is just a straightforward generalization of the observation that elliptic curves have embedding degrees at most 6. This arises from the fact that imaginary quadratic fields do not contain any roots of unity other than those of torsion 4 or 6. The upshot is that supersingular abelian varieties make unsuitable candidates for pairing based cryptography. The following proposition demonstrates that Koblitz’s aforementioned theorem does not generalize to higher dimensions.

Theorem 2.6. Let Bπ be an absolutely simple abelian variety such that [Q(π) : Q] > 2 and let m,n be prescribed integers. Then there exists a base change Bπe of Bπ to some finite extension and a prime l such that:

- Bπe has embedding degree n with respect to l. - [Fqe(Bπe[l]) : Fqe]= mn. Proof. We write L := Q(π) and denote its Galois closure over Q by L. Choose a conjugate π of π such that π / π, π . Because of the conditions imposed on , the subgroup of 1 1 ∈ { } WBπ L(ζmn)∗ generated by π, π,π1 is free abelian of rank 3 and hence, by Kummere theory, the field mn mn mn{ } 3 L(ζmn, √π, √π, √π1 ) is abelian over L(ζmn) with Galois group (Z/mnZ) . We choose a primee l of L(ζmn) such that: -el is of local degree one over Q. e e mn - l splits completely in L(ζmn, √π). mn n - The decomposition field of l in L(ζmn, √π) is L(ζmn, √π).

mne - l is inert in L(ζmn, √π1 ). e e Note that by the Chebotarev density theorem, the set of primes fulfilling these conditions has positive density.e Let l be the rational prime lying under l. By construction, l 1 (mod mn). l−1 l−1 ≡ We write π := π mn , q := q mn for brevity. Now, π is a Weil q-integer corresponding to the base change of B to Fe. Furthermore, π 1 (mod l) and hence, l divides B (Fe) . On the other π q ≡ | π q | hand, π hase order n ine ( Le(ζ )/l)∗ and since q eπ (mod l),e it follows that Φn(q) l. Thus, Bπe O N ≡ ∈ has embedding degree n with respecte to l. Now,e the degree [Fe(Be[l]) : Fe] is givene by infe d 1 : σ(π)d 1 (mod le) σ Gal . q π q { ≥ ≡ ∀ ∈ Q} Since l splits completely in L, the abelian group ( e/l e) is a product of [L : Q] copies of OL OL ∗ e e Fl∗. In particular, the group is (l 1)-torsion and hence, the ordere of π in ( L/l L)∗ divides l−1 − O O e mn e mn. By construction, π1 := π1 has order mn in ( Le(ζ )/l)∗. Thus, mn divides the degree O N e [Fqe(Bπe[l]) : Fqe]. e Remark. Note that the condition that [Q(π) : Q] > 2 is quite generic when the dimension is 2. The only exceptions are the abelian varieties of type IV(1, d) which we will encounter in ≥ the next section.

6 2.1 The ordinary case

Having seen why supersingular abelian varieties are unsuitable candidates, we now look at the other end of the spectrum, which is ordinary abelian varieties. The primary task of this subsection is to address the following: Problem: For prescribed integers g, N, construct an ordinary g-dimensional abelian variety B over a finite field F with embedding degree N with respect to a prime l dividing B(F ) . q | q | Clearly, for this to be possible, the prime l must split completely in Q(ζN ). We first observe that such a construction is not always possible if the prime l 1 (mod N) is prescribed. ≡ Example. Let L be a CM field of degree 2g such that L/Q is cyclic and L is linearly disjoint with Q(ζN ). Let l be a rational prime that splits completely in Q(ζN ) but is inert in L/Q.

Let π be an ordinary Weil number in L corresponding to a simple abelian variety Fq over the finite field of size q := ππ. If l divides B (F ) , then π 1 (mod l) for some prime l of L π q ≡ lying over l. But since l is assumed to be a prime ideal, it follows that π 1 (mod l). So OL ≡ π 1 (mod l) and hence, q 1 (mod l). Thus, any Weil number in L corresponds to an abelian ≡ ≡ variety with embedding degree 1 with respect to l.

The motivation. Let Bπ be an ordinary abelian variety of dimension g over a finite field Fq of characteristic p. Write q = pk. Suppose the number field L := Q(π) is abelian. Then p splits completely in L. Now, the principal ideals π and π have prime decompositions OL OL g g π = p , π = p OL i OL i Yi=1 Yi=1 where the p , p , , p , p are distinct primes. Let σ Gal(L/Q) be the element such that 1 1 · · · g g i ∈ σ (p )= p . Then Φ:= σ : 1 i g is a CM type for L. i 1 i { i ≤ ≤ } The reflex field. Let L be a CM field of degree 2g and let Φ = φ , , φ be a CM type { 1 · · · g} for L. Let α be a primitive element for L/Q. The reflex field L of L is the field generated by the elementary symmetric functions in φ (α), , φ (α) . The reflex type of Φ is the set { 1 · · · g } Ψ := ψ 1 : ψ Φ . b { − ∈ } The map Nm : L L, x ψ(x) Ψ −→ 7→ ψ Ψ Y∈ e e maps the field L to L. This is called the reflex norm of Ψ. In the generic case, the field L is of g g degree 2 g! and L is of degree 2 with Gal(L/L)= Sg. b e Theorem 2.7. bLet L be a fixed CM field.e Thereb exists an absolutely simple ordinary abelian variety B over a prime field Fp such that for some p-power q, there exists a prime l dividing B(F ) such that End0(B) L and B has embedding degree N with respect to l. | q | ⊆ Proof. Let K be the maximum totally real subfield of L and let K, L be the respective Galois closures over Q. We fix a CM type Φ for L and denote the reflex of (L, Φ) by (L, Ψ). We choose a prime p of L such that: e e -p has local degree one over Q. b -p splitse completelye in the Hilbert class field H(L). 1 e The set of primes fulfilling the two conditions has Dirichlet density e where Cl(L) is Cl(L) e e | | the ideal class group of L. In particular, there exist infinitely many such primes. The second e e 7 condition ensures that p is principal. We write p = α e. Define p := p L and α := Nme b(α) OL ∩ L/L e . Then p has local degree one over Q and p = α L. In particular, the prime p of L is principal. e eO e b e b e Set π := NmΨ(α). Then π L and ππ = p. Furthermore, (π, π) = (1) in L. Hence, π is an ∈ N O b ordinary Weil p-integer. By construction, the subgroup of L∗/L∗ generated by the set of Galois conjugates is isomorphic to (Z/NZ)[Q(α):Q] and hence, by Kummer theory, we have e e Gal(L(ζ , N σ(α) : σ Gal )/L(ζ )) = (Z/NZ)[Q(α):Q]. N { ∈ Q} N ∼ l p We choose a prime of eL(ζN ) such that: e -l has local degree one over Q. e -l splits completely in L(ζ , N σ(α) : σ Gal , σ(α) = α ). N { ∈ Q 6 } N -l is inert in the cyclic extensionp L(ζN , √α). e The existence of such a prime is guaranteed by the Chebotarev density theorem which implies e φ(N) that the set of such primes has Dirichlet density N 2g . Let l be the rational prime lying under l. l−1 N Set π0 := π and let B = Bπ0 be the corresponding abelian variety over Fq. Since (π0 , π0 ) = (1), l−1 this is an ordinary abelian variety with End0(B) = L. Now, α N 1 (mod l) for any conjugate ∼ 1 ≡ α1 of α other than α. In particular, π0 1 (mod l) and hence, NmL/Q(π0 1) lZ. On the l−1 ≡ − ∈ N other hand, q := π π = p has order N in ( e/l) and hence, l divides Φ (q). Thus, B has 0 0 OL ∗ N embedding degree N with respect to l.

Remark: The construction in the preceding theorem does not always yield an abelian variety of 1 dimension 2 [L : Q]. For instance, in the extreme case where L/Q is cyclic and Φ = Gal(L/L0) where L0 is the unique quadratic subfield of L, the Weil number constructed in this manner lies in L0. Hence, the abelian variety is an ordinary elliptic curve. This can easily remedied by choosing the CM type Φ so that Φ is not a subgroup of Gal(L/Q). In the more generic case, the 1 construction yields an abelian variety of dimension 2 [L : Q]. e Corollary 2.8. For arbitrary integers g, N and a prime p, there exists an absolutely simple abelian variety B of dimension g over a finite field F of characteristic p such that B(F ) has a q | q | prime divisor l. Proof. Choose L to be any CM field of degree 2g such that L has no strict CM subfield. We construct an ordinary Weil q-integer π L as in the preceding theorem. Now, Q(π ) is a CM 0 ∈ 0 field with an embedding in L. Since L has no strict CM subfields, it follows that Q(π0 ) ∼= L. Theorem 2.9. Let L be a fixed CM field of degree 2g, m,n prescribed integers and l a rational prime 1 (mod mn) that is unramified in L/Q. There exists a simple ordinary abelian variety ≡ Bπ over a prime field Fp such that: 0 - End (Bπ) ∼= L. - l divides the order Bπ(Fp) of the group of Fp-points. - B has embedding degree n with respect to l. π - [Fp(Bπ[l]) : Fp]= mn . Proof. As before, we denote the Galois closure of L over Q by L. We fix a CM type Φ for L and denote the reflex of (L, Φ) by (L, Ψ). Set g := [L(ζ ) : Q] and let l , , lb be the primes mn 1 · · · g of L lying over Q. Let m be the product of all primes of L(ζmn) thate ramify over Q. We define gb b b b the ideals m0 := m lj, m1 := ml1 and m2 := ml2. b j=3 b Q 8 di For i 1, 2 , let di be the smallest integer such that the ideal li is principal in L(ζmn) and di ∈ { } mn write li = (βi). The extension Li := L(ζmn, √βi) is cyclic of degree mn over L(ζmn) and is unramified away from the set of primes of L(ζmn) dividing mn or li. Thus, Li is ab subfield of mi the ray class field L(ζmn) . Furthermore,b since Li/L(ζmn) is totally ramified atb the primes of m0 L(ζmn) lying over li, it is linearly disjoint (overb L(ζmn)) from the ray class fields L(ζmn) and L(ζ )mj where j b 1, 2 and = i. b mn ∈ { } 6 b b b Thus, we may choose a prime p of L(ζmn) such that: b - p has local degree one over Q and splits completely in L(ζmn). b m0 - p splits completely in the ray class field L(ζmn) . m1 e - p has a decomposition field of index n in L(ζmn) . b m2 - p has a decomposition field of index mn in L(ζmn) . b By construction, p is a principal prime ideal and is generated by an element α b such ∈ OL(ζmn) that: b - α 1 (mod l ) for j = 1, 2. ≡ j 6 - has order n in ( b/l ) . OL 1 ∗ - has order mn in ( b/l ) . OL 2 ∗ Set π := Nm (α). Then π and p := ππ is a rational prime. Furthermore, (π, π) = (1) Ψ ∈ OL in and hence, π is an ordinary Weil p-integer. Now, for any σ Gal such that σ(α) = α, OL ∈ Q 6 we have σ(α) 1 (mod l). In particular, it follows that π 1 (mod l) and hence, l divides the ≡ ≡ size B (F ) of the group of F -points of B . On the other hand, π has order n in ( b/l ) . π p p π OL 1 ∗ Since p = ππ π (mod l), p has order n in ( b/l ) and hence, B has embedding degree n ≡ OL 1 ∗ π with respect to l. For each index j, let d denote the order of π in ( b/l ) . Then the order of π in ( b/l b) j OL j ∗ OL OL ∗ is the least common multiple of the integers d , , db. By construction, d = n, d = mn and 1 · · · g 1 2 d = 1 for j 3. Hence, π has order mn in ( b/l b) . Thus, the degree [F (B [l]) : F ] is j ≥ OL OL ∗ p π p mn.

We will need the following two results regarding ordinary abelian surfaces from [How95].

Lemma 2.10. ([How95], Lemma 12.1) Let Bπ be a simple ordinary abelian surface over a finite field Fq such that no abelian variety in its isogeny class over Fq is principally polarized. Then Q( ) is biquadratic. WBπ Theorem 2.11. ([How95], Theorem 1.3) Any principally polarized simple ordinary abelian surface over a finite field Fq is a Jacobian of a hyperelliptic curve over Fq. Corollary 2.12. Let L be a fixed CM field of degree 2g with g 2, 3 , m,n prescribed integers ∈ { } and l a rational prime 1 (mod mn) that is unramified in L/Q. There exists a smooth projective ≡ curve C of genus g over a finite field Fq such that: 0 - End (Jac(C)) ∼= L. - l divides the order Jac(C)(Fq) of the group of Fq-points. - Jac(C) has embedding degree n with respect to l.

- [Fq(Jac(C)[l]) : Fq]= mn. If g = 2 and L is not a biquadratic field, there exists a prime p and a hyperelliptic curve C over Fp fulfilling these conditions.

9 Proof. We construct a simple ordinary abelian variety Bπ of dimension g over a prime field Fp fulfilling the conditions in the preceding theorem. We treat the cases g = 2 and g = 3 separately. Case 1: g = 2 Since π is constructed as the reflex norm of a primitive CM type, we have Q(π) = L. In particular, if L is biquadratic, so is Q(π). If g = 2, it follows from Theorem 13.3 and Lemma 12.1 of [How95] that there exists a Jacobian of a curve in the same isogeny class as B over Fp. Furthermore, this curve is hyperelliptic since it is smooth projective of genus two. Case 1: g = 3 Since dim B dimension is odd, Theorem 1.2 of [How95] implies that there exists a principally polarized abelian B over Fp that is isogenous to B. It is well-known that every principally polarized abelian variety of dimension 3 over an algebraically closed field is the Jacobian of ≤ some smooth projectivee curve. Hence, there exists a prime power q such that B F is the ×Fp q Jacobian of a smooth projective genus three curve that is either hyperelliptic or planar quartic. e For a principally polarized abelian surface Bπ over a prime finite field Fp, we have #Bπ =

PBπ (1). On the other hand, if C is a genus two hyperelliptic curve with Jac(C)= B, then 2 (#C(Fp)) +#C(F 2 ) #B (F )= p p. π p 2 −

Hence, to construct such a curve, it suffices to find a curve whose sets of Fp and Fp2 -points satisfy this equation. Since #C(Fp)) and #C(Fp2 ) lie in the respective Hasse-Weil intervals, we have 2 2 4 3 2 2 #C(F )) = p+1 a ,#C(F 2 )= p +1+2a a where P (X)= X a X +a X pa X +p . p − 1 p 2 − 1 Bπ − 1 2 − 3 Algorithms for the construction of such curves using Gundlach invariants are studies in [LY10].

2.2 Newton Polygons

Let B be an abelian variety over an algebraically closed field k of characteristic p > 0. The group scheme B[p ] is a p-divisible group of rank dim B. Let D(B[p ]) denote the Dieudonne ∞ ≤ ∞ module. Then D(B[p ]) W (k)[ 1 ] is a direct sum of pure isocrystals by the Dieudonne-Manin ∞ ⊗k p classification theorem. Let λ < < λ be the distinct slopes and let m denote the multiplicity 1 · · · r i of λ . The sequence m λ , ,m λ is called the Newton polygon of B. i 1 × 1 · · · r × r Definition 2.2. A Newton polygon is admissible if it fulfills the following conditions:

1. The breakpoints are integral, meaning that for any slope λ of multiplicity mλ, we have m λ Z. λ ∈ 2. The polygon is symmetric, meaning that each slope λ, the slopes λ and 1 λ have the same − multiplicity.

Let π be a Weil q-integer and let Bπ be the corresponding simple abelian variety over Fq. Then the Newton slopes of B are given by v(π)/v(q) where v runs through the places of π { }v Q(π) lying over p. In particular, the Newton polygon is symmetric and hence, all slopes lie in the interval [0, 1]. A far more subtle fact is that the converse is also true. This was formerly known as Manin’s conjecture until proven by Serre. We refer the reader to [Tat69] for the proof.

Theorem 2.13. The Newton polygon of an abelian variety over a finite field is admissible. Conversely, any admissible polygon occurs as the Newton polygon of some abelian variety over a finite field of any prescribed characteristic.

10 2.3 Abelian varieties of type IV(1, d)

The computational complexity grows rapidly with the size of Q( ). In this section, we WBπ study abelian varieties of type IV(1, d) over finite fields. The purpose here is to limit the size of the number field Q( ) while allowing the dimension of the (absolutely simple) abelian variety WBπ and the endomorphism algebra to be arbitrarily large. Definition 2.3. A simple abelian variety A is said to be of type IV in Albert’s classification if it satisfies the following conditions: 1. End0(A) is a central division algebra over a CM field K equipped with an involution of the ∗ second kind. 0 2. End (A) is split at all the places v of K such that v = v∗. 0 0 3. For any place v of K, we have invv(End (A)) + invv∗ (End (A)) = 0 in Q/Z.

In particular, we say A is of type IV(e, d) if the center of End0(A) is a CM field of degree 0 2 2e and End (A) is of dimension d over its center. Over a finite field of size q, Bπ is of type IV(1, d) if and only if Q(π) is an imaginary quadratic field and the least common denominator of the Newton slopes of Bπ is d. We will use these abelian varieties to demonstrate that there exist absolutely simple abelian varieties of a prescribed dimension and embedding degree with respect to some rational prime dividing the size of the group of Fq-points. Lemma 2.14. Let g be an integer 3. Let B be a simple g-dimensional abelian variety over ≥ j a finite field Fq such that one of the Newton slopes of B is g for some integer j < g such that gcd(j, g) = 1. Then B is absolutely simple. Proof. Let π be the Weil number corresponding to B. Suppose, by way of contradiction, that

B = B Fq FqN is not simple. Since B has the same Newton polygon as B, it follows that B × j has a simple abelian subvariety B′ which has g as a Newton slope. Let m be the multiplicity of e j e e the slope g in the Newton polygon of B′. Then m < dim B′ < g. Since a Newton polygon has integral breakpoints, mj Z and hence, g m. Since g

Proposition 2.17. Let Bπ be an absolutely simple abelian variety over a finite field Fq such that 2. Then B is either an elliptic curve or an abelian variety of type IV(1, d) where |WBπ | ≤ d = dim B.

Proof. Clearly, [Q(π) : Q]= B 2. The only real Weil q-integers are √q. So, if Q(π) is a W π ≤ ± totally real field, then Bπ is supersingular. Hence, we may assume Q(π) is a imaginary quadratic 0 field. Write Dπ := End (Bπ). Then

11 1/2 d = dim Bπ = [Dπ : Q(π)]

2 and hence, [Dπ : Q(π)] = d .

Proposition 2.18. Let Bπ be an abelian variety of type IV(1, d) over a finite field Fq and let l that divides B (F ) but does not divide q(q 1). The embedding degree of B with respect to l π q − π is the degree [F (B [l]) : F ]. q π q

Proof. Since l divides B (F ) , it follows that π 1 (mod l) for some prime l of Q(π) lying π q ≡ over l. Let l be the complex conjugate of l. Then π 1 (mod l). Now, the degree [F (B [l]) : F ] ≡ q π q is the smallest integer d such that πd 1 (mod l). But q π (mod l) and hence, the order of q ≡ ≡ in ( /l) is the same as the order of q in ( /l) . OQ(π) ∗ OQ(π) ∗ Proposition 2.19. Let Bπ be an abelian variety of type IV(1, d) over Fq and l be a prime such that l divides B (F ) and l ∤ q(q 1). Then the embedding degree of B with respect to l is the π q − π degree [F (B [l]) : F ]. q π q

Proof. Since l divides B (F ) , there exists a prime l of Q(π) lying over l such that π 1 π q ≡ (mod l). Let N be the embedding degree. Then q has order N in ( /l) and since q π OQ(π) ∗ ≡ (mod l), it follows that π has order N in ( /l) . Thus, πN 1 (mod l ), which implies OQ(π) ∗ ≡ OQ(π) that the degree [Fq(Bπ[l]) : Fq] divides N. Proposition 2.20. Let p be a fixed prime, d and N fixed integers. Then there exists an absolutely simple abelian variety B of dimension d over F and a prime divisor l of B(F ) such that B has q | q | embedding degree N with respect to l.

Proof. Let B be an absolutely simple abelian variety of type IV(1, d) over Fq. Then dim B = d and L := Q(π) is an imaginary quadratic field in which p splits. By construction, the subgroup of L /L N generated by π, π is isomorphic to (Z/NZ)2. From Kummer theory, it follows that ∗ ∗ { } Gal(L(ζ , N√π, N√π)/L(ζ )) (Z/NZ)2. N N ∼=

Choose a prime l of L(ζN ) such that: -l has local degree one over Q. N -l splits in L(ζN , √π). N -l is inert in L(ζN , √π). φ(N) The set of primes fulfilling these conditions has Dirichlet density N 2 and in particular, such l−1 l−1 a prime exists. Let l be the rational prime lying under l. Set π := π N , q := q N . Then π 1 0 0 0 ≡ (mod l) and hence, l divides Bπ (Fq ) . On the other hand, q0 has order N in ( L(ζ )/l)∗ and | 0 0 | O N hence, l divides Φ (q ). Thus, the abelian variety B = B F and the prime l fulfill the N 0 π0 π ×Fq q0 condition.

Example. We provide an example of an abelian variety of type IV(1, d) that arises as a Jacobian of a hyperelliptic curve. Let d be an odd prime such that l := 2d + 1 is also a prime. Consider 2 l the genus l hyperelliptic curve C : Y = 1 X over Q. The curve C Q Q(ζl) is endowed with the automorphism − × (x ,y ) (xζ ,y ) 1 1 7→ l 1 and hence, the Jacobian Jac(C) has action by the ring Z[ζl]. Since [Q(ζ ) : Q]= l 1 = dim Jac(C), l −

12 it follows that Jac(C) is simple with endomorphism ring Z[ζl]. The curve C has good reduction away from the set 2, l . Since the extension Q(ζ )/Q { } l is abelian, it follows from the theory of complex multiplication that the Newton slopes of the reduction Jac(C)p at any prime of good reduction are determined by the splitting of p in the field Q(ζl). In particular, if p is a prime of inertia degree d in Q(ζl), the Newton polygon of Jac(Cp) is given by j d j d , d − × d × d for some integer j d 1 prime to d. Thus, Jac(C ) is absolutely simple and Jac(C ) F d is ≤ − p p ×Fp p of type IV(1, d).

2.4 The minimum field of definition

Lemma 2.21. Let Bπ be an absolutely simple abelian variety over a finite field k with [D : Q(π)] = d2. Suppose the extension Q( )/Q is such that the decomposition group of a π WBπ prime of Q( ) lying over p is a normal subgroup of Gal(Q( )/Q). Then: WBπ WBπ 1. p splits completely in Q( )/Q. WBπ 2. The Newton slopes of Bπ have least common denominator d. Proof. This is lemma 5.3 of [Th17].

Remark: In particular, the hypothesis of the lemma is satisfied when Q(π)/Q is abelian.

Corollary 2.22. If there exists an abelian variety B of type IV(1, d) over F k , then d k. p | Proof. Let π be the corresponding Weil number. As noted earlier, B is absolutely simple. Furthermore, the extension Q(π)/Q is quadratic and in particular, abelian. Hence, it follows from the lemma that p splits (completely) in Q(π)/Q. From Proposition 2.14, it follows that the j d j Newton polygon is d d , d −d for some integer j < d such that gcd(j, d) = 1. The Newton v(×π) ×v(π) slopes are given by v(pk) = k v(p) where v runs through the places of Q(π) lying over p. Since p splits completely in Q(π)/Q, it follows that v(π) is an integer and hence, have d k. v(p) |

Note that the abelian variety B could have a B0 model over a proper subfield of Fpd , even though B0 would not be of type IV(1, d).

Example. For instance, let π1 be an ordinary Weil p-integer corresponding to an ordinary elliptic d d 1 curve over Fp and set π := π1− π1. Then π is a Weil p-integer corresponding to a simple abelian variety of dimension d overqFp and with the endomorphism algebra Q(π) a CM field of degree d d d 1 2d. On the other hand, the Weil p -integer π = π1− π1 is an algebraic integer of degree 2 and the corresponding abelian variety over Fpd is of type IV(1, d).

We now show that the converse to the last proposition is also true.

Proposition 2.23. Let p be a prime, d any integer 3. There exists an abelian variety of type ≥ IV(1, d) over Fpd .

Proof. Let π be a Weil p-integer corresponding to an ordinary elliptic curve over Fp, meaning that gcd(π, π) = (1). Then π and π generate distinct principal prime ideals in Q(π). Now, d 1 d π := π − π is a Weil p -integer. Let Bπe be the corresponding abelian variety over Fpd . The 1 d 1 Newton polygon of Be is d , d − . Clearly, Q(π) = Q(π) and in particular, the center of π × d × d e 13 e 0 End (Bπe) is the imaginary quadratic field Q(π). Furthermore, there are two primes in Q(π) lying over p and the Hasse invariants of End0(B) are given by

0 0 if v ∤ p invv(End (Be)) = e π v(π) [Q(π) : Q ] (mod 1) if v p. ( v(q) v p |

Since p splits (completely) in Q(π)/Q, we have [Q(π)(πe) : Qp] = [Q(π)(πe) : Qp] = 1 and hence, 0 1 d 1 End (Bπe) is ramified at the primes (π) and (π) with Hasse invariants d and −d respectively. In 0 particular, the least common denominator of the Hasse invariants is d and hence, End (Bπe) is of dimension d2 over its center.

References

[BF] Benger, Charlemagne, D. Freeman, On the security of pairing-friendly abelian varieties over non-prime fields [FFS] D. Freeman, M. Streng, P. Stevenhagen, Abelian varieties with prescribed embedding degree [Gal] S. Galbraith, Supersingular curves in Cryptography [GMV] S. Galbraith, Mckee, Valenca, Ordinary abelian varieties having small embedding degree [Hit] L. Hitt, On an Improved Definition of the Embedding Degree [How95] E. Howe, Principally polarized ordinary abelian varieties over finite fields, Transactions of the AMS, Volume 347, Number 7, July 1995 [Kow03] E. Kowalski, Some local-global applications of Kummer theory, Manuscripta Math., 111(1), 2003. [Kow06] , Weil numbers generated by other Weil numbers, J. London Math. Soc. (2) 74 (2006). [LY10] K. Lauter, T. Yang, Computing genus 2 curves from invariants on the Hilbert moduli space [MOV93] A. Menezes, T. Okamoto, and S. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field IEEE Transactions on Information Theory 39 (1993),16391646. [Oort] F. Oort, Abelian Varieties over finite fields [Shi60] G. Shimura, Abelian Varieties with Complex Multiplication and Modular Functions, Princeton University Press [ST66] J.P. Serre, J. Tate, Good reduction of abelian varieties, Ann. of Math. (2), 88, 1968 [Tat69] J. Tate, Classes disogenie des varietes abeliennes sur un corps fini [Th17] S. Thakur, On some abelian varieties of type IV , Preprint (in revision at Math Zeit.)

Email: [email protected] Steve Thakur Cybersecurity Research Group Battelle Institute Columbus, OH.

14