
Prime Numbers

7.5 Counting points on elliptic curves
Y times a polynomial in X alone. For n odd and not a multiple of p, we have deg(Ψ_n) = (n² − 1)/2. For n even and not a multiple of p, the degree of Ψ_n in the variable X is (n² − 4)/2. For a point P = (x, y) ∈ E(F_p) \ E[2] we have [n]P = O if and only if Ψ_n(x) = 0 (when n is odd), respectively Ψ_n(x, y) = 0 (when n is even). Further, if (x, y) ∈ E(F_p) \ E[n], then

$$[n](x, y) = \left( x - \frac{\Psi_{n-1}\Psi_{n+1}}{\Psi_n^2},\ \frac{\Psi_{n+2}\Psi_{n-1}^2 - \Psi_{n-2}\Psi_{n+1}^2}{4y\,\Psi_n^3} \right).$$

Note that in the last statement, if y = 0, then n must be odd (since y = 0 signifies a point of order 2, and we are given that (x, y) ∉ E[n]), so y² divides the numerator of the rational expression in the second coordinate. In this case, it is natural to take this expression as 0.
It is worth remarking that for an odd prime l ≠ p, there is a unique integer t in [0, l − 1] such that

$$\left(x^{p^2}, y^{p^2}\right) + [p \bmod l](x, y) = [t]\left(x^p, y^p\right) \quad \text{for all } (x, y) \in E[l] \setminus \{O\}. \tag{7.10}$$

Indeed, this follows directly from (7.9) and the consequence of Theorem 7.5.5 that E(F̄_p) does indeed contain points of order l (the l-torsion points are taken over the algebraic closure; E(F_p) itself need not contain any). If this unique integer t could be computed, we would then know that the order of E(F_p) is congruent to p + 1 − t modulo l.
The computational significance of the relation is that using the division polynomials, it is feasible to test the various choices for t to see which one works. This is done as follows:
(1) Points are pairs of polynomials in F_p[X, Y].
(2) Since the points are on E, we may constantly reduce modulo Y² − X³ − aX − b so as to keep powers of Y no higher than the first power, and since the points we are considering are in E[n], we may reduce also by the polynomial Ψ_n to keep the X powers in check as well. Finally, the coefficients are in F_p, so that mod p reductions can be taken with the coefficients, whenever convenient. These three kinds of reductions may be taken in any order.
(3) High powers of X, Y are to be reduced by a powering ladder such as that provided in Algorithm 2.1.5, with appropriate polynomial mods taken along the way for continual degree reduction.
(4) The addition on the left side of (7.10) is to be simulated using the formulae in Definition 7.1.2.
On the face of it, explicit polynomial inversion—from the fundamental elliptic operation definition—would seem to be required. This could be accomplished via Algorithm 2.2.2, but it is not necessary to do so because of the following observation. We have seen in various elliptic addition algorithms previously that inversions can be avoided by adroit representations of coordinates. In actual practice, we have found it convenient to work either with the projective point representation of Algorithm 7.2.3 or a “rational” variant of same. We now describe the latter representation, as it is well suited for calculations involving division polynomials, especially in regard to the point-multiplication property in Theorem 7.5.5. We shall consider a point to be P = (U/V, F/G), where U, V, F, G are all polynomials, presumably bivariate in X, Y. There is an alternative strategy, which is to use projective coordinates as mentioned in Exercise 7.29. In either strategy a simplification occurs, in that in the Schoof algorithm one always obtains any point in a particular form; for example, in the P = (U/V, F/G) parameterization option used in the algorithm display below, one always has the form
P = (N(X)/D(X), Y M(X)/C(X)),
because of the division polynomial algebra. One should think of these four polynomials, then, as reduced mod Ψ_n and mod p, in the sense of item (2) above. Another enhancement we have found efficient in practice is to invoke large polynomial multiply via our Algorithm 9.6.1 (or see alternatives as in Exercise 9.70), which is particularly advantageous because deg(Ψ_n) is so large, making ordinary polynomial arithmetic painful. Yet more efficiency obtains when we use our Algorithm 9.6.4 to achieve polynomial mod for these large-degree polynomials.
Algorithm 7.5.6 (Explicit Schoof algorithm for curve order). Let p > 3 be a prime. For curve E_{a,b}(F_p) this algorithm returns the value of t (mod l), where l is a prime (much smaller than p) and the curve order is #E = p + 1 − t. Exact curve order is thus obtained by effecting this algorithm for enough primes l such that ∏ l > 4√p, and then using the Chinese remainder theorem to recover the exact value of t (the Hasse bound |t| ≤ 2√p is what makes t unique once the product of the primes exceeds 4√p). We assume that for a contemplated ceiling L ≥ l on the possible l values used, we have precomputed the division polynomials Ψ_{−1}, . . . , Ψ_{L+1} mod p, which can be made monic (via cancellation of the high coefficient modulo p) with a view to such as Algorithm 9.6.4.
1. [Check l = 2]
if(l == 2) {
    g(X) = gcd(X^p − X, X^3 + aX + b);   // Polynomial gcd in F_p[X].
    if(g(X) == 1) return 1;              // The cubic has no root in F_p, so there is no point of order 2: #E is odd, t ≡ 1 (mod 2).
    return 0;                            // t ≡ 0 (mod 2), so the order #E is even.
}
2. [Analyze relation (7.10)]
p̄ = p mod l;
u(X) = X^p mod (Ψ_l, p);
v(X) = (X^3 + aX + b)^{(p−1)/2} mod (Ψ_l, p);   // That is, v(X) = Y^{p−1} mod (Ψ_l, p).
P0 = (u(X), Y v(X));                              // P0 = (X^p, Y^p).
P1 = (u(X)^p mod (Ψ_l, p), Y v(X)^{p+1} mod (Ψ_l, p));   // P1 = (X^{p²}, Y^{p²}).
Cast P2 = [p̄](X, Y) in rational form (N(X)/D(X), Y M(X)/C(X)), for example by using Theorem 7.5.5;
if(P1 + P2 == O) return 0;                        // #E = p + 1 − t with t ≡ 0 (mod l).
P3 = P0;
for(1 ≤ k ≤ (l − 1)/2) {                          // P3 = [k]P0 throughout the loop.
    if(X-coordinates of (P1 + P2) and P3 match) {
        if(Y-coordinates also match) return k;    // Y-coordinate check: P1 + P2 = [k]P0.
        return l − k;                             // Otherwise P1 + P2 = −[k]P0 = [l − k]P0.
    }
    P3 = P3 + P0;
}
In the addition tests above for matching of some coordinate between (P1 + P2) and P3, one is asking generally whether
(N1/D1, Y M1/C1) + (N2/D2, Y M2/C2) = (N3/D3, Y M3/C3),
and such a relation is to be checked, of course, using the usual elliptic addition rules. The point P1 + P2 on the left can be combined—using the elliptic rules of Algorithm 7.2.2, with the coordinates in that algorithm being now, of course, our polynomial ratios—into polynomial form (N′/D′, Y M′/C′), and this is compared with (N3/D3, Y M3/C3). For such comparison in turn one checks whether the cross products (N3D′ − N′D3) and (M3C′ − M′C3) both vanish mod (Ψ_l, p). As for the check on whether P1 + P2 = O, we are asking whether M1/C1 = −M2/C2 (given that the X-coordinates N1/D1 and N2/D2 agree), and this is also an easy cross product relation. The idea is that the entire implementation we are describing involves only polynomial multiplication and the mod (Ψ_l, p) reductions throughout. And as we have mentioned, both polynomial multiply and mod can be made quite efficient.
In case an attempt is made by the reader to implement Algorithm 7.5.6, we give here some small cases within the calculation, for purpose of, shall we say, “algorithm debugging.” For p = 101 and the curve
Y 2 = X3 + 3X + 4
over Fp, the algorithm gives, for l selections l = 2, 3, 5, 7, the results t mod 2 = 0, t mod 3 = 1, t mod 5 = 0, t mod 7 = 3, from which we infer #E = 92. (We might have skipped the prime l = 5, since the product of the other primes exceeds 4√p.) Along the way we have, for example,
$$\Psi_3 = 98 + 16X + 6X^2 + X^4,$$

$$\left(X^{p^2}, Y^{p^2}\right) = \left(32 + 17X + 13X^2 + 92X^3,\ Y\left(74 + 96X + 14X^2 + 68X^3\right)\right),$$

$$[2](X, Y) = \left(\frac{12 + 53X + 89X^2}{16 + 12X + 4X^3},\ Y\,\frac{74 + 10X + 5X^2 + 64X^3}{27 + 91X + 96X^2 + 37X^3}\right),$$

$$\left(X^p, Y^p\right) = \left(70 + 61X + 83X^2 + 44X^3,\ Y\left(43 + 76X + 21X^2 + 25X^3\right)\right),$$

where it will be observed that every polynomial appearing in the point coordinates has been reduced mod (Ψ_3, p). (Note that p̄ in Step [Analyze . . .] is 101 mod 3 = 2, which is why we consider [2](X, Y).) It turns out that the last point here is indeed the elliptic sum of the two points previous, consistent with the claim that t mod 3 = 1.
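The following is an added worked example, not code from the book, that carries the debugging case above through in Python: it builds the division polynomials Ψ_n with Y² eliminated, reduces mod (Ψ_3, p) exactly as item (2) prescribes, computes (X^p, Y^p) and (X^{p²}, Y^{p²}) with a powering ladder, casts [2](X, Y) in the (N/D, Y M/C) form of Theorem 7.5.5 so that coordinates can be compared by cross products, runs the l = 2 gcd test of Step 1, and closes with the CRT/Hasse recovery of t from the four residues listed above. The brute-force point count by Legendre symbols is the independent check that a Schoof implementation is debugged against; it is not part of Schoof's method. Nothing is ever inverted: every comparison is a cross product mod (Ψ_3, p). All function and variable names are this example's own.

```python
# Added example, not code from the book: the polynomial arithmetic mod (Psi_l, p) behind
# Algorithm 7.5.6, run on the page's debugging case p = 101, Y^2 = X^3 + 3X + 4. Polynomials
# in F_p[X] are coefficient lists, lowest degree first; Y only ever appears as an explicit
# factor, because every Y^2 is rewritten as f(X) = X^3 + aX + b.
from math import isqrt

p, a, b = 101, 3, 4
F, X = [b, a, 0, 1], [0, 1]           # f(X) = X^3 + aX + b, and the polynomial X

def trim(u):
    while len(u) > 1 and u[-1] == 0:
        u.pop()
    return u

def add(u, v):
    u, v = u + [0] * (len(v) - len(u)), v + [0] * (len(u) - len(v))
    return trim([(x + y) % p for x, y in zip(u, v)])

def sub(u, v): return add(u, [-c % p for c in v])
def scal(k, u): return trim([k * c % p for c in u])

def mul(u, v):
    out = [0] * (len(u) + len(v) - 1)
    for i, x in enumerate(u):
        for j, y in enumerate(v):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)
def sq(u): return mul(u, u)
def cube(u): return mul(u, sq(u))

def rem(u, m):                        # u mod m in F_p[X]; m need not be monic
    u, inv = u[:], pow(m[-1], p - 2, p)
    while len(u) >= len(m) and u != [0]:
        c, s = u[-1] * inv % p, len(u) - len(m)
        for i, mc in enumerate(m):
            u[s + i] = (u[s + i] - c * mc) % p
        trim(u)
    return u
def same_mod(u, v, m):                # the cross-product test u == v mod (Psi_l, p)
    return rem(sub(u, v), m) == [0]

def gcd(u, v):
    while v != [0]:
        u, v = v, rem(u, v)
    return u

def powmod(u, e, m):                  # square-and-multiply, reducing mod (m, p) at every step
    r, u = [1], rem(u, m)
    while e:
        if e & 1:
            r = rem(mul(r, u), m)
        u, e = rem(sq(u), m), e >> 1
    return r

def division_polys(nmax):             # g[n] with Psi_n = g[n](X) for odd n, Psi_n = Y * g[n](X) for even n
    g = [[0], [1], [2], [-a * a % p, 12 * b % p, 6 * a % p, 0, 3],
         scal(4, [(-8 * b * b - a ** 3) % p, -4 * a * b % p, -5 * a * a % p, 20 * b % p, 5 * a % p, 0, 1])]
    F2 = sq(F)                        # Y^4 = f^2, which appears whenever two even-index Psi's are multiplied
    for n in range(5, nmax + 1):
        m = n // 2
        if n % 2:                     # Psi_{2m+1} = Psi_{m+2} Psi_m^3 - Psi_{m-1} Psi_{m+1}^3
            t1, t2 = mul(g[m + 2], cube(g[m])), mul(g[m - 1], cube(g[m + 1]))
            g.append(sub(mul(F2, t1), t2) if m % 2 == 0 else sub(t1, mul(F2, t2)))
        else:                         # Psi_{2m} = Psi_m (Psi_{m+2} Psi_{m-1}^2 - Psi_{m-2} Psi_{m+1}^2) / (2Y)
            t = sub(mul(g[m + 2], sq(g[m - 1])), mul(g[m - 2], sq(g[m + 1])))
            g.append(scal(pow(2, p - 2, p), mul(g[m], t)))
    return g

def mult_rational(n, g):              # [n](X, Y) = (N/D, Y M/C) as in Theorem 7.5.5; needs 2 <= n <= nmax - 2
    gn2, gn3 = sq(g[n]), cube(g[n])
    if n % 2 == 0:                    # Psi_n carries a factor Y: Psi_n^2 = f g_n^2 and 4Y Psi_n^3 = 4 f^2 g_n^3 Y
        D, C, E = mul(F, gn2), scal(4, mul(sq(F), gn3)), mul(g[n - 1], g[n + 1])
    else:                             # n odd: Psi_{n-1} Psi_{n+1} = f g_{n-1} g_{n+1} instead
        D, C, E = gn2, scal(4, gn3), mul(F, mul(g[n - 1], g[n + 1]))
    M = sub(mul(g[n + 2], sq(g[n - 1])), mul(g[n - 2], sq(g[n + 1])))
    return sub(mul(X, D), E), D, M, C

def frobenius_mod(l, g):              # Step 2: (X^p, Y^p) and (X^{p^2}, Y^{p^2}) mod (Psi_l, p), Y factored out
    psi = g[l]                                                # l odd, so Psi_l lies in F_p[X]
    u, v = powmod(X, p, psi), powmod(F, (p - 1) // 2, psi)    # X^p and Y^{p-1} = f^{(p-1)/2}
    return (u, v), (powmod(u, p, psi), powmod(v, p + 1, psi))

def t_mod_2():                        # Step 1: #E is even exactly when the cubic has a root in F_p
    return 1 if len(gcd(sub(powmod(X, p, F), X), F)) == 1 else 0

def naive_order():                    # #E = 1 + sum_x (1 + Legendre(f(x))): the brute-force check
    fx = [(x ** 3 + a * x + b) % p for x in range(p)]
    return 1 + sum(1 if v == 0 else 2 * (pow(v, (p - 1) // 2, p) == 1) for v in fx)

def recover_trace(residues):          # CRT plus Hasse: the unique t with |t| <= 2 sqrt(p) and the given t mod l
    h = isqrt(4 * p)
    c = [t for t in range(-h, h + 1) if all(t % l == r for l, r in residues.items())]
    assert len(c) == 1, "the product of the l's must exceed 4 sqrt(p)"
    return c[0]

if __name__ == "__main__":
    g = division_polys(12)
    print("monic Psi_3:", scal(pow(3, p - 2, p), g[3]), "\nFrobenius mod (Psi_3, p):", frobenius_mod(3, g))
    print("#E =", naive_order(), " t mod 2 =", t_mod_2(), " t =", recover_trace({2: 0, 3: 1, 5: 0, 7: 3}))
```

Running the block prints the monic Ψ_3, the two Frobenius images, #E and t; the four residues t mod 2, 3, 5, 7 listed above single out t = 10 in the Hasse interval, giving #E = 102 − 10 = 92. The rational form returned by mult_rational(2, g) is not reduced to lowest terms (its M/C carries an extra common factor of 4 compared with the display above), which is exactly why comparisons are made by cross products rather than coefficient by coefficient.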
There is an important enhancement that we have intentionally left out for clarity. This is that prime powers work equally well. In other words, l = q^a can be used directly in the algorithm (with the gcd for l = 2 ignored when l = 4, 8, 16, . . .) to reduce the computation somewhat. All that is required is that the overall product of all prime-power values l used (but no more than one for each prime) exceed 4√p.
We have been able to assess curve orders, via this basic Schoof scheme, for primes in the region p ≈ 10^80, by using prime powers l < 100. It is sometimes said in the literature that there is little hope of using l much larger than 30, say, but with the aforementioned enhancements—in particular the large-polynomial multiply/mod algorithms covered in Chapter 8.8—the Schoof prime l can be pressed to 100 and perhaps beyond.
By not taking Algorithm 7.5.6 all the way to CRT saturation (that is, not handling quite enough small primes l to resolve the order), and by then employing a Shanks–Mestre approach to finish the calculation based on the new knowledge of the possible orders, one may, in turn, press this rough bound of 10^80 further. However, it is a testimony to the power of the Schoof algorithm that, upon analysis of how far a “Shanks–Mestre boost” can take us, we see that only a few extra decimal digits—say 10 or 20 digits—can be added to the 80 digits we resolve using the Schoof algorithm alone. For such reasons, it usually makes more practical sense to enhance an existing Schoof implementation, rather than to piggyback a Shanks–Mestre atop it.
But can one carry out point counting for significantly larger primes? Indeed, the transformation of the Schoof algorithm into a “Schoof–Elkies–Atkin” (SEA) variant (see [Atkin 1986, 1988, 1992] and [Elkies 1991, 1997], with computational enhancements in [Morain 1995], [Couveignes and Morain 1994], [Couveignes et al. 1996]) has achieved unprecedented point-counting performance. The essential improvement of Elkies was to observe that for some of the l (depending on a, b, p; in fact, for about half of possible l values), a certain polynomial f_l dividing Ψ_l but of degree only (l − 1)/2 can be employed, and furthermore, that the Schoof relation of (7.10) can be simplified. The Elkies approach is to seek an eigenvalue λ with

$$(X^p, Y^p) = [\lambda](X, Y),$$

where all calculations are done mod (f_l, p), whence #E = p + 1 − t with

$$t \equiv \lambda + p/\lambda \pmod{l}.$$

Because the degrees of f_l are so small, this important discovery effectively pulls some powers of ln p off the complexity estimate, to yield O(ln^6 p) rather than the original Schoof complexity O(ln^8 p) [Schoof 1995]. (Note, however, that such estimates assume direct “grammar-school” multiplication of integers, and can be reduced yet further in the power of ln.) The SEA ideas certainly give
impressive performance. Atkin, for example, used such enhancements to find in 1992, for the smallest prime having 200 decimal digits, namely
p = 10000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000153,
and the curve over Fp governed by the cubic
Y 2 = X3 + 105X + 78153,
a point order
#E = 10000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000\
06789750288004224118080314365460277641928049641888\
39991591392960032210630561760029050858613689631753.
Amusingly, it is not too hard to agree that this choice of curve is “random” (even if the prime p is not): The (a, b) = (105, 78153) parameters for this curve were derived from a postal address in France [Schoof 1995]. Subsequently, Morain was able to provide further computational enhancements, to find an explicit order for a curve over Fp, with p a 500-decimal-digit prime [Morain 1995].
Most recently, A. Enge, P. Gaudry, and F. Morain were able to count the points on the curve

$$y^2 = x^3 + 4589x + 91128$$

over F_p with p = 10^{1499} + 2001 being a 1500-digit prime. These researchers used new techniques—not yet published—for generating the relevant SEA modular equations efficiently.
In this treatment we have, in regard to the powerful Schoof algorithm and its extensions, touched merely the tip of the proverbial iceberg. There is a great deal more to be said; a good modern reference for practical point-counting on elliptic curves is [Seroussi et al. 1999], and various implementations of the SEA continuations have been reported [Izu et al. 1998], [Scott 1999].
In his original paper, [Schoof 1985] gave an application of the point-counting method to obtain square roots of an integer D modulo p in (not random, but deterministic) polynomial time, assuming that D is fixed. Though the commonly used randomized Algorithms 2.3.8, 2.3.9 are much more practical, Schoof’s point-counting approach for square roots establishes, at least for fixed D, a true deterministic polynomial-time complexity.
Incidentally, an amusing anecdote cannot be resisted here. As mentioned by [Elkies 1997], Schoof’s magnificent point-counting algorithm was rejected in its initial paper form as being, in the referee’s opinion, somehow unimportant.
But with modified title, that title now ending with “. . . square roots mod p,” the modified paper [Schoof 1985] was, as we appreciate, finally published.
Though the SEA method remains as of this writing the bastion of hope for point counting over E(F_p) with p prime, there have been several very new—and remarkable—developments for curves E(F_{p^d}) where the prime p is small. In fact, R. Harley showed in 2002 that the points can be counted, for fixed characteristic p, in time

$$O\left(d^2 \ln^2 d \,\ln\ln d\right),$$

and succeeded in counting the points on a curve over the enormous field F_{2^{130020}}. Other lines of development are due to T. Satoh on canonical lifts and even p-adic forms of the arithmetic-geometric mean (AGM). One good way to envision the excitement in this new algebraic endeavor is to peruse the references at Harley’s site [Harley 2002].
7.5.3 Atkin–Morain method
We have addressed the question, given a curve E = E_{a,b}(F_p), what is #E? A kind of converse question, which is of great importance in primality proving and cryptography, is: can we find a suitable order #E, and then specify a curve having that order? For example, one might want a prime order, or an order 2q for prime q, or an order divisible by a high power of 2. One might call this the study of “closed-form” curve orders, in the following sense: for certain representations 4p = u² + |D|v², as we have encountered previously in Algorithm 2.3.13, one can write down immediately certain curve orders and also, usually with more effort, the a, b parameters of the governing cubic. These ideas emerged from the seminal work of A. O. L. Atkin in the latter 1980s and his later joint work with F. Morain.
In order to make sense of these ideas it is necessary to delve a bit into some additional theoretical considerations on elliptic curves. For a more thorough treatment, see [Atkin and Morain 1993b], [Cohen 2000], [Silverman 1986].
For an elliptic curve E defined over the complex numbers C, one may consider the “endomorphisms” of E. These are group homomorphisms from the group E to itself that are given by rational functions. The set of such endomorphisms, denoted by End(E), naturally form a ring, where addition is derived from elliptic addition, and multiplication is composition. That is, if φ, σ are in End(E), then φ + σ is the endomorphism on E that sends a point P to φ(P ) + σ(P ), the latter “+” being elliptic addition; and φ · σ is the endomorphism on E that sends P to φ(σ(P )).
If n is an integer, the map [n] that sends a point P on E to [n]P is a member of End(E), since it is a group homomorphism and since Theorem 7.5.5 shows that [n]P has coordinates that are rational functions of the coordinates of P. Thus the ring End(E) contains an isomorphic copy of the ring of integers Z. It is often the case, in fact usually the case, that this is the whole story for End(E). However, sometimes there are endomorphisms of E that do not correspond to an integer. It turns out, though, that the ring End(E) is never too much larger than Z: if it is not isomorphic to Z, then it is isomorphic to an order in an imaginary quadratic number field. (An “order” is a subring of finite index of the ring of algebraic integers in the field.) In such a case it is said that E has complex multiplication, or is a CM curve.
Suppose E is an elliptic curve defined over the rationals, and when considered over the complex numbers has complex multiplication by an order in Q(√D), where D is a negative integer. Suppose p > 3 is a prime that does not divide the discriminant of E. We then may consider E over F_p by reducing the coefficients of E modulo p. Suppose the prime p is a norm of an algebraic integer in Q(√D). In this case it turns out that we can easily find the order of the elliptic-curve group E(F_p). The work in computing this order does not even require the coefficients of the curve E; one only needs the numbers D and p. And this work to compute the order is indeed simple; one uses the Cornacchia–Smith Algorithm 2.3.13. There is additional, somewhat harder, work to compute the coefficients of an equation defining E, but if one can see for some reason that the order will not be useful, this extra work can be short-circuited. This, in essence, is the idea of Atkin and Morain.
We now review some ideas connected with imaginary quadratic fields, and the dual theory of binary quadratic forms of negative discriminant. Some of these ideas were developed in Section 5.6. The (negative) discriminants D relevant to curve order assessment are defined thus:
Definition 7.5.7. A negative integer D is a fundamental discriminant if the odd part of D is squarefree, and |D| ≡ 3, 4, 7, 8, 11, 15 (mod 16).
Briefly put, these are discriminants of imaginary quadratic fields. Now, associated with each fundamental discriminant is the class number h(D). As we saw in Section 5.6.3, h(D) is the order of the group C(D) of reduced binary quadratic forms of discriminant D. In Section 5.6.4 we mentioned how the baby-steps, giant-steps method of Shanks can be used to compute h(D). The following algorithm serves to do this and to optionally generate the reduced forms, as well as to compute the Hilbert class polynomial corresponding to D. This is a polynomial of degree h(D) with coefficients in Z such that the splitting field for the polynomial over Q(√D) has Galois group isomorphic to the class group C(D). This splitting field is called the Hilbert class field for Q(√D) and is the largest abelian unramified extension of Q(√D). The Hilbert class field has the property that a prime number p splits completely in this field if and only if there are integers u, v with 4p = u² + |D|v². In particular, since the Hilbert class field has degree 2h(D) over the rational field Q, the proportion, among all primes, of primes p with 4p so representable is 1/(2h(D)) [Cox 1989].
We require a function (again, we bypass the beautiful and complicated foundations of the theory in favor of an immediate algorithm development)

$$\Delta(q) = q\left(1 + \sum_{n=1}^{\infty} (-1)^n \left( q^{n(3n-1)/2} + q^{n(3n+1)/2} \right)\right)^{24},$$


complex q arguments. The theory shows that sufficient precision for the whole algorithm is essentially

$$\delta = \frac{\pi\sqrt{|D|}}{\ln 10} \sum_{(a,b,c)} \frac{1}{a}$$

decimal digits, where the sum is over all primitive reduced forms (a, b, c) of discriminant D [Atkin and Morain 1993b]. This means that a little more than δ digits (perhaps δ + 10, as in [Cohen 2000]) should be used for the [Optional polynomial setup] phase, the ultimate idea being that the polynomial T(x), consisting of possibly some linear factors and some quadratic factors, should have integer coefficients. Thus the final polynomial output in the form round(Re(T(x))) means that T is to be expanded, with the coefficients rounded so that T ∈ Z[X]. Algorithm 7.5.8 can, of course, be used in a multiple-pass fashion: first calculate just the reduced forms, to estimate Σ 1/a and thus the required precision, then start over and this time calculate the actual Hilbert class polynomial. In any event, the quantity Σ 1/a is always O(ln² |D|).

For reader convenience, we give here some explicit polynomial examples from the algorithm, where T_D refers to the Hilbert class polynomial for discriminant D:
$$T_{-3} = X,$$
$$T_{-4} = X - 1728,$$
$$T_{-15} = X^2 + 191025X - 121287375,$$
$$T_{-23} = X^3 + 3491750X^2 - 5151296875X + 12771880859375.$$
One notes that the polynomial degrees are consistent with the class numbers below. There are further interesting aspects of these polynomials. One is that the constant coefficient is always a cube. Also, the coefficients of T_D grow radically as one works through lists of discriminants. But one can use in the Atkin–Morain approach less unwieldy polynomials—the Weber variety—at the cost of some complications for special cases. These and many more optimizations are discussed in [Morain 1990], [Atkin and Morain 1993b].
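As an added example that is not from the book, the following Python block implements the pieces of this subsection that can be checked at small |D|: the fundamental-discriminant test of Definition 7.5.7, enumeration of the primitive reduced forms and hence h(D), the precision estimate δ, the Hilbert class polynomial T_D obtained by evaluating j at each reduced form through the ∆(q) series and rounding, and the curve orders p + 1 ± u that come out of a representation 4p = u² + |D|v². Two things are assumed rather than taken from the page: the j-invariant is recovered from ∆ via Cohen's formula j = (256f + 1)³/f with f = ∆(q²)/∆(q), and the representation 4p = u² + |D|v² is found by brute force over v instead of by the Cornacchia–Smith algorithm the text cites. Double precision is enough for the discriminants shown; a real run would carry the δ + 10 digits the text recommends. All names are this example's own.

```python
# Added example, not code from the book: the class-group side of the Atkin-Morain method.
# Fundamental discriminants (Definition 7.5.7), primitive reduced forms and h(D), the
# precision estimate delta, and the Hilbert class polynomial T_D from j(tau) evaluated
# with the Delta(q) series.  Assumed here (not from the page): Cohen's j = (256 f + 1)^3 / f
# with f = Delta(q^2)/Delta(q), and that double precision suffices for the small |D| used.
import cmath, math

def is_fundamental(D):
    """D < 0 with squarefree odd part and |D| = 3, 4, 7, 8, 11 or 15 (mod 16)."""
    if D >= 0 or -D % 16 not in (3, 4, 7, 8, 11, 15):
        return False
    odd = -D
    while odd % 2 == 0:
        odd //= 2
    return all(odd % (q * q) for q in range(3, math.isqrt(odd) + 1, 2))

def reduced_forms(D):
    """Primitive reduced forms (a, b, c): |b| <= a <= c, gcd(a, b, c) = 1, b >= 0 when |b| = a or a = c."""
    forms = []
    for a in range(1, math.isqrt(-D // 3) + 1):
        for b in range(1 - a, a + 1):
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c >= a and not (a == c and b < 0) and math.gcd(a, b, c) == 1:
                forms.append((a, b, c))
    return forms

def class_number(D):
    return len(reduced_forms(D))

def precision_digits(D):
    """delta = (pi sqrt|D| / ln 10) * sum of 1/a over the reduced forms."""
    return math.pi * math.sqrt(-D) / math.log(10) * sum(1 / a for a, _, _ in reduced_forms(D))

def delta_series(q):
    """Delta(q) = q (1 + sum_{n>=1} (-1)^n (q^{n(3n-1)/2} + q^{n(3n+1)/2}))^24, summed until the terms vanish."""
    s, n = 1, 1
    while True:
        term = q ** (n * (3 * n - 1) // 2) + q ** (n * (3 * n + 1) // 2)
        if abs(term) < 1e-22:
            return q * s ** 24
        s, n = s + (-1) ** n * term, n + 1

def j_invariant(tau):
    q = cmath.exp(2j * cmath.pi * tau)
    f = delta_series(q * q) / delta_series(q)       # assumed (Cohen): j = (256 f + 1)^3 / f
    return (256 * f + 1) ** 3 / f

def hilbert_class_poly(D):
    """Coefficients of T_D(X) = prod over (a, b, c) of (X - j((-b + sqrt D)/(2a))), highest degree first."""
    coeffs = [1]
    for a, b, c in reduced_forms(D):
        j = j_invariant((-b + cmath.sqrt(D)) / (2 * a))
        coeffs = [x - j * y for x, y in zip(coeffs + [0], [0] + coeffs)]   # multiply by (X - j)
    return [round(x.real) for x in coeffs]                                  # the text's round(Re(T(x)))

def discriminants_with_class_number(h, bound):
    """Fundamental D in [bound, -3] with h(D) = h, largest first."""
    return [D for D in range(-3, bound - 1, -1) if is_fundamental(D) and class_number(D) == h]

def cm_orders(D, p):
    """If 4p = u^2 + |D| v^2 (brute force here, not Cornacchia-Smith), a curve with CM by Q(sqrt D),
    D not -3 or -4 and p > 3 not dividing D, reduces mod p to a curve of order p + 1 - u or p + 1 + u."""
    for v in range(math.isqrt(4 * p // -D) + 1):
        u2 = 4 * p + D * v * v
        u = math.isqrt(u2)
        if u * u == u2:
            return p + 1 - u, p + 1 + u
    return None                                      # p is not a norm from Q(sqrt D)

if __name__ == "__main__":
    for D in (-3, -4, -15, -23):
        print(f"D = {D}: h = {class_number(D)}, delta ~ {precision_digits(D):.1f} digits, T_D = {hilbert_class_poly(D)}")
    print("h(D) = 1:", discriminants_with_class_number(1, -500))
    print("D = -7, p = 11:", cm_orders(-7, 11))
```

The orders p + 1 ± u are the two twists that a CM curve with D ∉ {−3, −4} can reduce to; D = −4 and D = −3 have extra twists (orders involving 2v, respectively (u ± 3v)/2) and are deliberately excluded from cm_orders. Note that the rounding step is only trustworthy because the chosen working precision exceeds δ; for larger |D| the float arithmetic here would have to be replaced by a multiprecision library.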
In the Atkin–Morain order-finding scheme, it will be useful to think of discriminants ordered by their class numbers, this ordering being essentially one of increasing complexity. As simple runs of Algorithm 7.5.8 would show (without the polynomial option, say),
h(D) = 1 for D = −3, −4, −7, −8, −11, −19, −43, −67, −163;
h(D) = 2 for D = −15, −20, −24, −35, −40, −51, −52, −88, −91, −115,
−123, −148, −187, −232, −235, −267, −403, −427;
h(D) = 3 for D = −23, −31, −59, . . . .
That the discriminant lists for h(D) = 1, 2 are in fact complete as given here is a profound result of the theory [Cox 1989]. We currently have complete lists for h(D) ≤ 16, see [Watkins 2000], and it is known, in principle at least,