7

Let $E$ be an elliptic curve defined over $\mathbb{Q}$ (coeffs. there), and consider its $n$-torsion points in $\mathbb{C}$, $E(\mathbb{C})_{\text{tors}}[n]$. We know this group is isomorphic to $\mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$. Moreover, if we consider $K_n$ to be the field extension of $\mathbb{Q}$ obtained by adjoining the coordinates of the $n$-torsion points we obtain a natural action of $\text{Gal}(K_n / \mathbb{Q})$ on $E(\mathbb{C})_{\text{tors}}[n]$, so we obtain an injective representation \begin{equation*} \chi_n : \text{Gal}(K_n / \mathbb{Q}) \hookrightarrow \text{Aut}(E(\mathbb{C})_{\text{tors}}[n]) \cong \text{GL}_2(\mathbb{Z}/n\mathbb{Z}) \end{equation*}

If we consider a prime $p$ of good reduction for $E$, and let $\text{Frob}_p$ be the corresponding Frobenius element in $\text{Gal}(K_n/\mathbb{Q})$ (I know the Frobenius elements constitute, in fact, a conjugacy class $\mathcal{C}_p$: pick any of them for our purposes), then there is a theorem (in Silverman, for example) which says that \begin{equation*} \begin{cases} \text{det}( \chi_n(\text{Frob}_p)) \equiv p \text{ (mod }n) \\ \text{Tr}(\chi_n(\text{Frob}_p)) \equiv a_p \text{ (mod }n) \end{cases} \end{equation*} where $a_p = 1+p-|E(\mathbb{F}_p)|$.

I want to apply this theorem for the elliptic curve $y^2 = x^3 - 1$; in particular I want to say something about $a_p$ for a given $p$. I think there is some result which states

1) If $p \equiv 2 \text{ (mod }3)$, then $a_p = 0$.

2) If $p \equiv 1 \text{ (mod }3)$, then $a_p = 2a$ where $a$ is such that $p = a^2+ab+b^2$ (or something similar).

Can someone give some reference on where to find such a result, or where I can find a similar study for elliptic curves of the form $y^2 = x^3 + D$? My efforts from now on have been simply computing the trace by hand for some specific cases ($p=2$ and $3$), but it gets extremely tedious even for $p=3$.

Thank you very much!

Klaramun
  • 981
  • 4
    See Ireland and Rosen's number theory book: Lemma 1 section 4 chapter 9 and Theorem 4 section 3 chapter 18. – KCd Jun 30 '15 at 20:27
  • 1
    I have a vague recollection that the case $p\equiv2\pmod3$ might have been covered on our site. I cannot check, but I suspect the general case can be found from e.g. Ireland and Rosen (I would begin checking out the chapter on Jacobi sums). – Jyrki Lahtonen Jun 30 '15 at 20:29
  • Is there some way to use the above representation to prove these statements? I see Ireland and Rosen use only techniques from algebraic number theory. – Klaramun Jun 30 '15 at 21:20

3 Answers

8

The key fact you need is this: if $E/K$ is an elliptic curve which has complex multiplication over $K$, then the associated $\ell$-adic Galois representations $$\rho_{E,\ell}:G_K\to\mathrm{GL}_2(\overline{\mathbb Q}_\ell)$$ are reducible for all primes $\ell$. Indeed, $\mathrm{End}(E)\otimes\overline{\mathbb Q}_\ell$ embeds into the endomorphism ring of $\rho_{E,\ell}$, and the former is not a division ring.

In your case, your curve $E: y^2 = x^3-1$ does not have CM over $\mathbb Q$, but it picks up extra endomorphisms over $K=\mathbb Q(\zeta_3)$. It follows that $\rho_{E,\ell}$ is irreducible, but $\rho_{E,\ell}|_{G_K}$ becomes reducible, and representation theory kicks in to show that $$\rho_{E,\ell}\cong \mathrm{Ind}_{G_K}^{G_\mathbb Q}\chi_\ell\qquad(*)$$ where $\chi_\ell$ is a character -- actually it is the Galois character corresponding to the Hecke grossencharacter which is attached to $E$ by the theory of CM.

Finally, one can show using pure representation theory that $(*)$ is equivalent to the statement $$\rho_{E,\ell}\cong\rho_{E,\ell}\otimes\theta\qquad(**)$$ where $\theta:G_\mathbb Q\to\overline{\mathbb Q}_\ell^\times$ is the one dimensional representation which has as its kernel $G_K$. Explicitly, $\theta$ is a lift of the unique non-trivial Dirichlet character of conductor $3$.

In particular:

  • If $p\equiv 2\pmod 3$, then $\theta(\mathrm{Frob}_p) = -1$ and it follows from $(**)$ that $a_p = -a_p$, so $a_p = 0$.
  • If $p\equiv 1\pmod 3$, then $p$ splits in $K$ as $p = v\overline v$, and it follows from $(*)$ and the usual formula for the trace of an induced representation that $a_p = \chi_\ell(\mathrm{Frob}_v) + \chi_\ell(\mathrm{Frob}_{\overline v})$, which turns out to be the value you'd expect.
Mathmo123
  • 23,718
3

When $p = 2 \bmod 3$, every element $x\in \mathbb{F}_p$ has a unique cube root, which is equal to $x^{(2p-1)/3} \bmod p$. Thus, for every $y\in \mathbb{F}_p$, there is a unique $x\in\mathbb{F}_p$ such that $y^2 = x^3-1$. It follows that $E(\mathbb{F}_p)$ has exactly $p+1$ elements (one element for every value of $y$, and the neutral "point-at-infinity"). This implies $a_p = 0$.

Such curves have been suggested for cryptography because they have computable pairings that map $r$-torsion elements (for $r$ a prime that divides $p+1$) into the group of $r$-th roots of unity in $\mathbb{F}_{p^2}$. Correspondingly, this means that discrete logarithm in such a curve is not harder than discrete logarithm modulo $\mathbb{F}_{p^2}$, which implies that, for cryptographic purposes, $p$ must be large (typically 1024 bits or more), which is detrimental to performance.

When $p = 1 \bmod 3$, things are more complicated. I don't know about any rule on $a_p$ (except $|a_p| \leq 2\sqrt{p}$ by Hasse's theorem) but that does not mean that there is no such rule. Curves with equation $y^2 = x^3+b$ for some constant $b$, in $\mathbb{F}_p$ where $p = 1 \bmod 3$ is prime, are in wide use. Notably, Bitcoin uses such a curve (called "secp256k1").

1

This post follows the approach outlined by @Thomas_Pornin for the case $p \equiv 1 \pmod{3}$.

For $p \equiv 1 \pmod{3}$, take a primitive root $r$, and define characters $\chi, \phi: \mathbb{Z}/p\mathbb{Z} \to \mathbb{C}^*$ as $$ \chi(r^a) = \zeta^{2a}, \quad \phi(r^a) = \zeta^{3a} $$ where $\zeta = \exp(2\pi i / 6)$.

Note that counting elements on $E(\mathbb{F}_p)$ is equivalent to counting elements satisfying $x^3 + y^2 = 1$. Let $$ Q = \#\{u + v = 1 \mid u \not\equiv 0, 1 \pmod{p}, v \not\equiv 0, 1 \pmod{p}, \text{there exist } x, y \text{ such that } u \equiv x^3, v \equiv y^2\}. $$ Adding the 5 points where $x^3$ or $y^2$ equals 0 or 1, $E(\mathbb{F}_p)$ has a total of $6Q + 5$ elements, so $$ a_p = (1 + p) - (6Q + 5) = p - 6Q - 4. $$ I claim that $a_p = p - 6Q - 4 = -2A$ where $A$ satisfies $A^2 + 3B^2 = p$ and $2A \equiv 1 \pmod{3}$.

Consider the Jacobi sum $$ J = \sum_{k=2}^{p-1} \chi(k) \phi(p + 1 - k). $$ The Jacobi sum has the property that $|J| = \sqrt{p}$. Since $J \in \mathbb{Z}\left[\frac{1 + \sqrt{-3}}{2}\right]$ in the current setting, we have $J = A + B\sqrt{-3}$ where $A^2 + 3B^2 = p$.

Define $J_{i,j} = \#\{2k \equiv i \pmod{6}, 3(p+1-k) \equiv j \pmod{6} \mid k = 2, \dots, p-1\}$. Then $$ J = J_{0,0} + J_{2,0}\zeta^2 + J_{4,0}\zeta^4 - J_{0,3} - J_{2,3}\zeta^2 - J_{4,3}\zeta^4. $$ Note that $J_{0,0} = Q$, which we want to determine.

Also, note that $K = \sum_{k=2}^{p-1} \chi(k) = -1$, implying $$ K = J_{0,0} + J_{2,0}\zeta^2 + J_{4,0}\zeta^4 + J_{0,3} + J_{2,3}\zeta^2 + J_{4,3}\zeta^4 = -1. $$ Thus, $$ \frac{J + K}{2} = \frac{J - 1}{2} = J_{0,0} + J_{2,0}\zeta^2 + J_{4,0}\zeta^4. $$ From the observation about the character, we know there appear $\frac{p-3}{2}$ terms with $\phi(k) = 1$ and $\frac{p-1}{2}$ terms with $\phi(k) = -1$. Considering this, substituting $J = A + B\sqrt{-3}$, and taking the real part, we obtain $$ \frac{A - 1}{2} = Q + \left(\frac{p-3}{2} - Q\right)\left(-\frac{1}{2}\right), $$ implying $$ 2A = 6Q + 5 - p. $$

(This is a reuse from a Japanese Q&A website: https://detail.chiebukuro.yahoo.co.jp/qa/question_detail/q11113731841)

EDIT: I found a description for more general cases of $y^2 = x^3 + D$ on page 177 of Silverman: Advanced Topics in the Arithmetic of Elliptic Curves, or page 304 of Ireland-Rosen: A Classical Introduction to Modern Number Theory. I was directed to this book after it was referenced in relation to the cases $y^2 = x^3 - Dx$ in another post: Ireland-Rosen Hecke Character for $y^2=x^3-Dx$.

aerile
  • 1,553
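
Added example (not part of any of the posts above): a brute-force check in Python of the two cases discussed in the answers, comparing the trace of $y^2 = x^3 + b$, $b = \pm 1$, over small primes with $0$ for $p \equiv 2 \pmod 3$ and with $-2A$ for $p \equiv 1 \pmod 3$. The count $x^3 + y^2 = 1$ is $y^2 = x^3 + 1$ after $x \mapsto -x$, and $y^2 = x^3 - 1$ is its quadratic twist by $-1$, so for $b = -1$ the code applies the sign $\left(\frac{-1}{p}\right)$; it also computes the embedding degree that governs the pairing remark in the second answer. All function names and the prime list are chosen for this example.

```python
import math

def count_points(p, b):
    """#E(F_p) for E: y^2 = x^3 + b, including the point at infinity."""
    roots = [0] * p                      # roots[v] = number of y with y^2 = v
    for y in range(p):
        roots[y * y % p] += 1
    return 1 + sum(roots[(x * x * x + b) % p] for x in range(p))

def trace(p, b):
    """a_p = 1 + p - #E(F_p)."""
    return p + 1 - count_points(p, b)

def normalized_A(p):
    """The A with A^2 + 3B^2 = p and 2A = 1 (mod 3), for a prime p = 1 (mod 3)."""
    for a in range(1, math.isqrt(p) + 1):
        rest = p - a * a
        if rest % 3 == 0 and math.isqrt(rest // 3) ** 2 == rest // 3:
            return a if (2 * a) % 3 == 1 else -a
    raise ValueError("p is not of the form A^2 + 3B^2")

def predicted_trace(p, b):
    """Closed form for b = +1 or b = -1 and a prime p > 3."""
    if p % 3 == 2:
        return 0                         # cubing is a bijection, so #E = p + 1
    a_plus = -2 * normalized_A(p)        # trace of y^2 = x^3 + 1
    # y^2 = x^3 - 1 is the twist by -1: multiply by the Legendre symbol
    # (-1/p), which is +1 exactly when p = 1 (mod 4).
    return a_plus if b == 1 or p % 4 == 1 else -a_plus

def embedding_degree(r, p):
    """Smallest k with r | p^k - 1 (r coprime to p); pairings land in F_{p^k}."""
    k, t = 1, p % r
    while t != 1:
        t, k = t * p % r, k + 1
    return k

# Constructed sample: all primes from 5 to 61.
PRIMES = [5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61]

def mismatches():
    """(p, b) pairs where brute force and closed form disagree."""
    return [(p, b) for p in PRIMES for b in (1, -1)
            if trace(p, b) != predicted_trace(p, b)]
```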