Iterative constructions of irreducible polynomials from isogenies

Let $S$ be a rational fraction and let $f$ be a polynomial over a finite field. Consider the transform $T(f)=\operatorname{numerator}(f(S))$. In certain cases, the polynomials $f$, $T(f)$, $T(T(f))\dots$ are all irreducible. For instance, in odd characteristic, this is the case for the rational fraction $S=(x^2+1)/(2x)$, known as the $R$-transform, and for a positive density of all irreducible polynomials $f$. We interpret these transforms in terms of isogenies of elliptic curves. Using complex multiplication theory, we devise algorithms to generate a large number of other rational fractions $S$, each of which yields infinite families of irreducible polynomials for a positive density of starting irreducible polynomials $f$.


Introduction
Let $S \in \mathbb{Q}(x)$ be a rational fraction. Let $\mathbb{F}_q$ be a finite field where the reduction of the denominator of $S$ does not vanish. For any polynomial $f \in \mathbb{F}_q[x]$ we define the $S$-transform of $f$ as the polynomial $T_S(f) = \operatorname{numerator}(f(S(x)))$ and we let $I_S(f)$ denote the family of polynomials obtained by applying $T_S^k = T_S \circ \cdots \circ T_S$ (the composition of $k$ copies of $T_S$) to the polynomial $f$. We say that $S$ induces an irreducible family from $f$ if the polynomials in the family $I_S(f)$ are all irreducible.
For example, well-known transforms include the so-called $Q$-transform, which uses the rational fraction $Q(x) = \frac{x^2+1}{x}$, and the so-called $R$-transform, which uses the rational fraction $R(x) = \frac{x^2+1}{2x}$; more explicitly, we have

Those two transforms have been studied extensively and are known to induce irreducible families.
Theorem 1.1 (Q-transform [11,7,6]). Let $q = 2^r$ and let $f(x) = \sum_{i=0}^{n} a_i x^i$ be an irreducible polynomial in $\mathbb{F}_q[x]$ with $a_n = 1$. Let $\operatorname{tr}$ denote the trace from $\mathbb{F}_q$ to $\mathbb{F}_2$. Assuming $\operatorname{tr}(a_{n-1}) = \operatorname{tr}(a_1/a_0) = 1$, the fraction $Q$ induces an irreducible family from $f$.

Theorem 1.2 (R-transform [3]). Let $q$ be an odd prime power and let $f$ be a monic irreducible polynomial in $\mathbb{F}_q[x]$. Assume that $f(1) f(-1)$ is not a square in $\mathbb{F}_q$ and, if $q = 3 \bmod 4$, assume additionally that $\deg(f)$ is even. The fraction $R$ induces an irreducible family from $f$.
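The following Python example is added here and is not part of the paper: over a prime field $\mathbb{F}_p$ it checks the hypothesis of Theorem 1.2, builds $f, T_R(f), T_R^2(f), \dots$, and provides an irreducibility test for the members. The function names and the use of the Ben-Or irreducibility test are assumptions of this example.

```python
# Added example, not the paper's code. Polynomials over F_p (p prime) are
# coefficient lists, lowest degree first; [] is the zero polynomial.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    a, b = a + [0] * len(b), b + [0] * len(a)        # pad to a common length
    return trim([(x + y) % p for x, y in zip(a, b)])

def mul(a, b, p):
    return trim([sum(x * b[k - i] for i, x in enumerate(a) if 0 <= k - i < len(b)) % p
                 for k in range(len(a) + len(b) - 1)])

def mod(a, m, p):  # remainder of a modulo a non-zero m
    a, inv = a[:], pow(m[-1], -1, p)
    while len(a) >= len(m):
        c = a.pop() * inv % p                        # next quotient coefficient
        for i, y in enumerate(m[:-1], len(a) - len(m) + 1):
            a[i] = (a[i] - c * y) % p
    return trim(a)

def is_irreducible(f, p):  # Ben-Or: gcd(f, x^(p^i) - x) = 1 for 1 <= i <= deg(f)/2
    h = [0, 1]
    for _ in range((len(f) - 1) // 2):
        g = [1]
        for _ in range(p):                           # g = h^p mod f (p is small)
            g = mod(mul(g, h, p), f, p)
        h, a, b = g, f, add(g, [0, p - 1], p)        # b = h - x
        while b:                                     # Euclid: a ends as gcd(f, h - x)
            a, b = b, mod(a, b, p)
        if len(a) > 1:
            return False
    return True

def transform(f, num, den, p):  # numerator of f(num/den), by Horner's rule
    out, dpow = [f[-1] % p], [1]
    for c in reversed(f[:-1]):
        dpow = mul(dpow, den, p)
        out = add(mul(out, num, p), mul([c % p], dpow, p), p)
    return out

def r_family(f, p, steps):  # (Theorem 1.2 hypothesis holds?, [f, T(f), ..., T^steps(f)])
    v = sum(f) * sum(c * (-1) ** i for i, c in enumerate(f)) % p   # f(1) * f(-1)
    ok = pow(v, (p - 1) // 2, p) == p - 1 and (p % 4 == 1 or len(f) % 2 == 1)
    family = [f]
    for _ in range(steps):
        family.append(transform(family[-1], [1, 0, 1], [0, 2], p))  # R = (x^2+1)/(2x)
    return ok, family
```

For instance, `r_family([3, 1], 5, 4)` starts from $f = x + 3$ over $\mathbb{F}_5$, where $f(1)f(-1) = 3$ is a non-square, and every member of the returned family passes `is_irreducible`; starting from $f = x$ the hypothesis fails and $T_R(f) = x^2 + 1$ is reducible.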
Recently there has been interest in constructing transforms $T$ which induce irreducible families. We note the work of Bassa and Menares using Galois theory on function fields [1] and using multiplicative group theory [2].
In this article we construct such transforms from isogenies of elliptic curves. Our main results are algorithms which generate a large diversity of transforms.

General framework
We first explain the relationship between the transform $T_S$ and isogenies. Let $E_0 \xleftarrow{\phi} E_1$ be an isogeny of elliptic curves in Weierstrass form defined over a finite field $k$. Consider two points $P \in E_0(k)$ and $Q \in E_1(k)$ satisfying $P = \phi(Q)$ and such that $[k(Q) : k(P)] = \deg \phi$. Since $\phi$ commutes with the involution endomorphism $(x, y) \mapsto (x, -y)$, quotienting out by it yields the commutative diagram on the left where the arrows to the projective line are the projections of points on their $x$-coordinate and where $S$ denotes the $x$-coordinate map of the isogeny $\phi$. This induces the field extensions diagram on the right. If either $\deg \phi$ is odd or [k(P) : k( ) and the latter is therefore irreducible.
To iterate this construction, we require a criterion on the isogeny $\phi$ which ensures that the condition $[k(Q) : k(P)] = \deg \phi$ holds under further compositions by $\phi$. We begin with a simple but key lemma which describes the action of the Frobenius endomorphism in explicit terms.

Lemma 2.1. Let $E_0$ and $E_1$ be elliptic curves and $E_0 \xleftarrow{\phi} E_1$ be a separable isogeny defined over a finite field $k$. Fix a point $P \in E_0(k)$ and denote by $\pi$ the $k(P)$-Frobenius endomorphism on $E_1$. If all points in the kernel of $\phi$ are defined over $k(P)$, then there exists a point $F \in \ker \phi$ such that, for all points $Q \in \phi^{-1}(P)$, we have $\pi^n(Q) = Q + nF$ for all $n \in \mathbb{N}$.
Proof. Consider a point $Q \in \phi^{-1}(P)$. The inverse image of $P$ by $\phi$ can then be written as $\phi^{-1}(P) = \{Q + R : R \in \ker \phi\}$; in particular, all points in the fiber have the same field of definition. Since $\phi(\pi(Q)) = \pi(\phi(Q)) = \pi(P) = P$, there exists $F \in \ker \phi$ such that

We deduce the theorem below which gives precisely the criterion we required.
$\longleftarrow E_2$ be two separable isogenies of respective degree $\ell_0$ and $\ell_1$ defined over a finite field $k$. Suppose that all prime factors of $\ell_1$ divide $\ell_0$. Fix a point $P \in E_0(k)$ and assume that the kernel $\ker(\phi_0 \circ \phi_1)$ is cyclic and that all its points are $k(P)$-rational. Then, all points $Q$

it admits a unique subgroup of order $\ell_1$, namely $\ell_0 \cdot G$, which by uniqueness is equal to $\ker \phi_1$. Denote by $\pi$ the $k(P)$-Frobenius endomorphism on $E_2$. By the lemma, there exists a point

We claim $\operatorname{ord}(F) = \ell_0 \ell_1$. Suppose otherwise that $\operatorname{ord}(F) < \ell_0 \ell_1$. Then, we can write $F = p \cdot T$ for some $T \in G$ and some prime $p$ dividing $\ell_0 \ell_1$. As all prime divisors of $\ell_1$ are divisors of $\ell_0$, we have $p \mid \ell_0$. This implies

Note that the simplest setting where this result can be iterated is when $E_0 = E_1 = E_2$ and the endomorphisms $\phi_0$ and $\phi_1$ are identical. This yields the following corollary where we assume that $\deg \phi$ is odd for simplicity.
Corollary 2.3. Let $E$ be an elliptic curve, $\phi : E \to E$ a separable endomorphism of odd degree defined over a finite field $k$, and $P \in E(k)$ a point. Suppose that the subgroup $\ker(\phi \circ \phi)$ is cyclic and that all its points are $k(P)$-rational. Denote by $S$ the $x$-coordinate map of $\phi$ and by $f$ the minimal polynomial of $x_P$ over $k$. Then, if $T_S(f)$ is irreducible, so are all polynomials in the family $I_S(f)$.
Note that the condition on $\ker(\phi \circ \phi)$ being cyclic is equivalent to the isogeny $\phi$ not being its own dual.

Möbius transforms
For any matrix $m \in \operatorname{GL}_2(\mathbb{Z})$, define the rational fraction

If $S$ is a rational fraction in $\mathbb{Q}(x)$, we define the corresponding Möbius transform of $S$ as the composition $S' = M_m^{-1} \circ S \circ M_m$. Note that the fraction $S$ induces an irreducible family from a given polynomial $f$ if and only if $S'$ does. Thus we may apply Möbius transforms to any rational fraction while preserving its ability to induce irreducible families, for instance in order to try and reduce the size of its coefficients.

Our efforts will from now on be focused on finding isogenies $\phi : E \to E$ which satisfy the conditions of Corollary 2.3 and obtaining the corresponding rational fractions $S$; we will purposely not look for associated points $P$ and polynomials $f$. Nevertheless, in Section 6, we will compute, for each selected rational fraction $S$, the density of irreducible polynomials of a given degree in a given finite field for which $S$ induces irreducible families.

The Verschiebung endomorphism
Let $\phi : E \to E$ be a separable endomorphism of prime degree $\ell$ defined over a finite field $\mathbb{F}_q$. In this section we consider the case where $\ell$ divides $q$. Since the multiplication-by-$q$ map satisfies $[q] = \pi \hat{\pi}$, the endomorphism is either the Frobenius $\pi$, which is purely inseparable, or its dual, the Verschiebung $\hat{\pi}$, which is separable if and only if the elliptic curve $E$ is ordinary.
We may thus specialize Corollary 2.3 to the case where $q$ is an odd prime and $\phi = \hat{\pi}$.
Proposition 3.1. Let $\phi_0 : E_1 \to E_0$ be a separable isogeny of odd degree $\ell_0 \neq p$ defined over a finite field $\mathbb{F}_p$ with $p \neq 2$. Suppose the subgroup $\ker(\phi_0 \circ \hat{\pi})$ is cyclic and all its points are rational. Denote by $S$ the $x$-coordinate map of $\hat{\pi}$ and by $f$ the kernel polynomial of $\phi_0$. Then, if $f$ is irreducible, $S$ induces an irreducible family from $f$.
In order to compute the x-coordinate of the Verschiebung endomorphism on an elliptic curve E, we use the following algorithm.

Algorithm 3.2 (Verschiebung map).
Input: An elliptic curve $E$ defined over a finite field $\mathbb{F}_q$.
Output: The $x$-coordinate map of the Verschiebung endomorphism.
1. Compute the division polynomial $\phi_q(x)$ for the multiplication-by-$q$ map on $E$.
2. Return $\phi_q(x^{1/q})$.
We have computed all the rational fractions obtained using the method described above, including by composition with the Möbius map. The table below gives, for small powers of two (even though Theorem 2.2 does not apply to them, we find they still induce irreducible families; see Section 6) and small odd primes $q$, the number $N$ of such transforms, and a representative element selected for having lowest Hamming weight.
Note that for $q = 2$ this method yields the well-known $Q$-transform.

Isogenies of ordinary curves over finite fields
Let $E$ be an ordinary elliptic curve defined over a finite field $\mathbb{F}_q$ and denote by $\pi$ its Frobenius endomorphism. Its endomorphism ring $\operatorname{End}(E)$ is an order in the imaginary quadratic field $K = \mathbb{Q}(\pi)$ containing $\mathbb{Z}[\pi]$. Isogenies $\phi : E \to E'$ of prime degree $\ell \nmid q$ fall into one of two categories:
1. So-called horizontal isogenies satisfy $\operatorname{End}(E) = \operatorname{End}(E')$ and are described by the theory of complex multiplication [9] which states that the ideal class group $\operatorname{cl}(\mathcal{O})$ acts faithfully and transitively on the set of isomorphism classes of elliptic curves $E$ satisfying $\operatorname{End}(E) \simeq \mathcal{O}$.
2. Other prime-degree isogenies are said to be vertical and display the so-called volcano structure [5,4].
Connected components of degree-$\ell$ isogeny graphs thus have the shape illustrated by Figure 1: elliptic curves with locally maximal endomorphism ring are connected by horizontal isogenies which form a cycle (the rim of the volcano) of length the order in the class group of an ideal of norm $\ell$; other elliptic curves are located on trees formed of vertical isogenies hanging from maximal curves; the graph is regular of degree $\ell + 1$ except at the leaves.
The goal of this section is to exploit this structure in order to construct endomorphisms satisfying Corollary 2.3.

Prime isogenies of order one
We take an ordinary elliptic curve $E$ over a finite field $\mathbb{F}_q$. We look for a rational, cyclic endomorphism of $E$ which is not its own dual. To achieve this, we look for an isogeny of prime degree $\ell$ which splits into primes of order one in the class group of $\operatorname{End}(E)$. By complex multiplication theory, such an isogeny maps $E$ to an isomorphic curve.
Concretely, given a prime power $q$ and a prime $\ell$, we look for small discriminants $\Delta$ for which $\ell$ splits into primes of order one in the class group of $\mathbb{Q}(\sqrt{\Delta})$ and then use the Hilbert class polynomial $H_\Delta$ to generate elliptic curves over $\mathbb{F}_q$ with endomorphism algebra $\mathbb{Q}(\sqrt{\Delta})$. We then compute the corresponding degree-$\ell$ isogeny and extract its $x$-coordinate.

Multiple prime isogenies
Let $E$ be an ordinary elliptic curve over a finite field $\mathbb{F}_q$. An endomorphism of $E$ may be constructed as the composition of multiple horizontal isogenies forming a cycle in the isogeny graph. Equivalently, one may search for products of prime ideals which are principal in the class group of $\operatorname{End}(E)$ and then construct the corresponding isogeny cycle through the theory of complex multiplication.
Here, we simply search for such endomorphisms, select those with cyclic kernel and small degree, and apply Möbius transforms to reduce the Hamming weight of the rational fraction describing their action on the $x$-coordinate. Among others, we find the rational fractions of the following table.

localization of $\alpha$ still has cyclic kernel, the reduction of $\alpha$ to $K/p$ yields an endomorphism $\phi_1$ to which Theorem 2.2 may be applied. By the Cebotarev density theorem, the rational fraction defining $\alpha$ in characteristic zero can thus be applied to a positive density of finite fields.
Endomorphisms of degree two. The simplest case concerns elliptic curves defined over the rationals and endowed with an endomorphism of degree two; those are fully described by the following result due to Silverman [10, Proposition 2.3.1].
Proposition 5.1. There are exactly three isomorphism classes of elliptic curves over $\mathbb{C}$ which possess an endomorphism of degree 2. The following are representatives for these curves and endomorphisms.
(ii) $E$ :
We note that the first endomorphism corresponds to the well-known $Q$-transform.
Endomorphisms of degree three. Similar results are known for degree-3 endomorphisms.

Proposition 5.2 ([8]). There are exactly three isomorphism classes of elliptic curves over $\mathbb{C}$ which possess an endomorphism of degree 3.
There are three isomorphism classes of elliptic curves defined over the rationals possessing a cyclic degree-3 endomorphism. The explicit formulas describing these endomorphisms are much heavier than in the above case of degree-2 endomorphisms.

2
. Then $E$ has an endomorphism of degree 3 given by $\phi \circ \varphi$ where

Density of irreducible families
Let $Q$ be a rational fraction over a fixed finite field $\mathbb{F}_q$. We are interested in computing the density of irreducible polynomials $f$ of small degree $d$ from which $Q$ induces irreducible families. Through the Cebotarev density theorem, the conditions of Corollary 2.3 may be used to compute these densities asymptotically. However, this is burdensome and thus most entries in the tables below were obtained through exhaustive computations.
First consider $Q = (x^2 + 1)/x$ over $\mathbb{F}_3$. The table below indicates, for selected integers $i$ and $d$, the density of irreducible polynomials of degree $d$ which remain irreducible under exactly $i$ iterations of the transform $Q$. Each column adds up to one.

The table below gives the same information for $Q = x^2/(x + 1)$ over $\mathbb{F}_7$; note that, as indicated by the line $i = \infty$, this rational fraction induces irreducible families from a much smaller density of irreducible polynomials.

In the table below, we only state the density of irreducible polynomials of degree $d$ over $\mathbb{F}_q$ from which the given rational fraction induces irreducible families. This corresponds to just the line $i = \infty$ in the preceding tables.