Prime Numbers

how to compute a complete list for any prescribed value of h. The e ective determination of such lists is an extremely interesting computational problem.

To apply the Atkin–Morain method, we want to consider discriminants ordered, say, as above, i.e., lowest h(D) first. We shall seek curve orders based on specific representations

4p = u2 + |D|v2,

whence, as we see in the following algorithm exhibition, the resulting possible curve orders will be simple functions of p, u, v. Note that for D = −3, −4 there are 6, 4 possible orders, respectively, while for other D there are two possible orders. Such representations of 4p are to be attempted via Algorithm 2.3.13. If p is prime, the “probability” that 4p is so representable, given that Dp = 1, is 1/h(D), as mentioned above. In the following algorithm, either it is assumed that our discriminant list is finite, or we agree to let the algorithm run for some prescribed amount of time.

Algorithm 7.5.9 (CM method for generating curves and orders). We assume a list of fundamental discriminants {Dj < 0 : j = 1, 2, 3, . . .} ordered, say, by increasing class number h(D), and within the same class number by increasing |D|. We are given a prime p > 3. The algorithm reports (optionally) possible curve orders or (also optionally) curve parameters for CM curves associated with the various Dj .

1. [Calculate nonresidue]

Find a random quadratic nonresidue g (mod p);

if(p ≡ 1 (mod 3) and g(p−1)/3 ≡ 1 (mod p)) goto [Calculate nonresidue]; // In case D = −3 is used, g must also be a noncube modulo p.

j = 0;

2. [Discriminant loop] j = j + 1;

D = Dj ;

if( Dp = 1) goto [Discriminant loop];

3. [Seek a quadratic form for 4p]

Attempt to represent 4p = u2 + |D|v2, via Algorithm 2.3.13, but if the attempt fails, goto [Discriminant loop];

5. [Option: Curve parameters]

if(D == −4) return {(a, b)} = {(−gk mod p, 0) : k = 0, 1, 2, 3}; if(D == −3) return {(a, b)} = {(0, −gk mod p) : k = 0, 1, 2, 3, 4, 5};

6. [Continuation for D < −4]

Compute the Hilbert class polynomial T Z[X], via Algorithm 7.5.8;

S = T mod p; // Reduce to polynomial Fp[X].

Obtain a root j Fp of S, via Algorithm 2.3.10; c = j(j − 1728)−1 mod p;

r = −3c mod p; s = 2c mod p;

7. [Return two curve-parameter pairs]

return {(a, b)} = {(r, s), (rg2 mod p, sg3 mod p)};

What the Atkin–Morain method prescribes is that for D = −4, −3 the governing cubics are given in terms of a quadratic nonresidue g, which is also a cubic nonresidue in the case D = −3, by

y2 = x3 − gkx, k = 0, 1, 2, 3, y2 = x3 − gk, k = 0, 1, 2, 3, 4, 5,

respectively (i.e., there are respectively 4, 6 isomorphism classes of curves for these two D values); while for other discriminants D the relevant curve and

its twist are

y2 = x3 − 3cg2kx + 2cg3k, k = 0, 1,

where c is given as in Step [Continuation for D < −4]. The method, while providing much more generality than closed-form solutions such as Algorithm 7.5.10 below, is more di cult to implement, mainly because of the Hilbert class polynomial calculation.

Note the important feature that prior to the actual curve parameter calculations, we already know the possible curve orders involved. Thus in both primality proving and cryptography applications, we can analyze the possible orders before entering into the laborious (a, b) calculations, knowing that if a curve order is attractive for any reason, we can get those parameters at will. We take up this issue in Sections 7.6 and 8.1.

Let us work through an example of Algorithm 7.5.9 in action. Take the

Mersenne prime

p = 289 − 1,

for which we desire some possible curves Ea,b(Fp) and their orders. In the [Seek a quadratic form for 4p] algorithm step above, we find via Algorithm 2.3.13 many representations for 4p, just a few of which being

4p = 482158326880192 + 3 · 70972660645192

=370643614901642 + 163 · 26002750985862

=356490866348202 + 51 · 48608534324382

=273471497147562 + 187 · 30398542403222

=287431183964132 + 499 · 18182515018252.

For these exemplary representations the discriminants of interest are D = −3, −163, −51, −187, −499, respectively; and we repeat that there are plenty of other values of D one may use for this p. The relevant curve orders will generally be

p + 1 ± u,

where u is the first number being squared in a given representation; yet there will be more possible orders for the D = −3 case. To illustrate the detailed algorithm workings, let us consider the case D = −499 above. Then in the [Option: curve parameters] step we obtain

T−499 = 4671133182399954782798673154437441310949376

− 6063717825494266394722392560011051008x

+3005101108071026200706725969920x2

+x3 .

Note that, as must be, the constant term in this polynomial is a cube. Now this cubic can be reduced right away (mod p) to yield

S = T−499 mod p = 489476008241378181249146744

+356560280230433613294194825x

+1662705765583389101921015x2

+x3 ,

but we are illustrating the concept that one could in principle prestore the Hilbert class polynomials T−D Z[X], reducing quickly to S Fp[X] whenever a new p is being analyzed. We are then to use Algorithm 2.3.10 to find a root j of S = T mod p. A root is found as

j = 431302127816045615339451868.

It is this value that ignites the curve parameter construction. We obtain

c = j/(j − 1728) mod p = 544175025087910210133176287,

and thus end up with two governing cubics (the required nonresidue g can be taken to be −1 for this p):

y2 = x3 + 224384983664339781949157472x ± 469380030533130282816790463,

with respective curve orders

#E = 289 ± 28743118396413.

Incidentally, which curve has which order is usually an easy computation: For given a, b parameters, find a point P E and verify that [#E]P = O, for one possibility for #E and not the other. In fact, if p > 475, Theorem 7.5.2 implies that either there is a point P on E with [#E ]P =O (where E is the twist of E) or there is a point Q on E with [#E]Q =O. Thus, randomly choosing points, first on one of the curves, then on the other, one should expect to soon be able to detect which order goes with which curve. In any case, many of the algorithms based on the Atkin–Morain approach can make use of points that simply have vanishing multiples, and it is not necessary to ascertain the full curve order.

We observe that the polynomial calculations for the deeper discriminants (i.e. possessed of higher class numbers) can be di cult. For example, there is the precision issue when using floating-point arithmetic in Algorithm 7.5.8. It is therefore worthwhile to contemplate means for establishing some explicit curve parameters for small |D|, in this way obviating the need for class polynomial calculations. To this end, we have compiled here a complete list of curve parameter sets for all D with h(D) = 1, 2:

Table 7.1 Explicit curve parameters of CM curves for class number 1 and 2

Algorithm 7.5.10 (Explicit CM curve parameters: Class numbers 1, 2).

Given prime p > 3, this algorithm reports explicit CM curves y2 = x3 + ax + b over Fp, with orders as specified in the [Option: Curve orders] step of Algorithm 7.5.9. The search herein is exhaustive over all discriminants D of class numbers

366 Chapter 7 ELLIPTIC CURVE ARITHMETIC

h(D) = 1, 2: the algorithm reports every set of CM curve parameters (a, b) for the allowed class numbers.

1.[Establish full discriminant list]

∆= {−3, −4, −7, −8, −11, −19, −43, −67, −163,

−15, −20, −24, −35, −40, −51, −52, −88, −91, −115, −123, −148, −187, −232, −235, −267, −403, −427};

2.[Loop over representations] for(D ∆) {

Attempt to represent 4p = u2 + |D|v2, via Algorithm 2.3.13, but if the attempt fails, jump to next D;

Calculate a suitable nonresidue g of p as in Step [Calculate nonresidue] of Algorithm 7.5.9;

3.[Handle D = −3, −4]

if(D == −3) return {(a, b)} = {(0, −gk) : k = 0, . . . , 5};

// Six curves y2 = x3 − gk. if(D == −4) return {(a, b)} = {(−gk, 0) : k = 0, . . . , 3};

// Four curves y2 = x3 − gkx.

4. [Parameters for all other D with h(D) = 1, 2]

Select a pair (r, s) from Table 7.1, using Algorithm 2.3.9 when square roots are required (mod p);

5. [Return curve parameters]

report {(a, b)} = {(−3rs3g2k, 2rs5g3k) : k = 0, 1};

// The governing cubic will be y2 = x3 − 3rs3g2kx + 2rs5g3k.

}

There are several points of interest in connection with this algorithm. The specific parameterizations of Algorithm 7.5.10 can be calculated, of course, via the Hilbert class polynomials, as in Algorithm 7.5.8. However, having laid these parameters out explicitly means that one can proceed to establish CM curves very rapidly, with minimal programming overhead. It is not even necessary to verify that 4a3 + 27b2 = 0, as is demanded for legitimate elliptic curves over Fp. Yet another interesting feature is that the specific square roots exhibited in the algorithm always exist (mod p). What is more, the tabulated r, s parameters tend to enjoy interesting factorizations. In particular the s values tend to be highly smooth numbers (see Exercise 7.15 for more details on these various issues).

It is appropriate at this juncture to clarify by worked example how quickly Algorithm 7.5.10 will generate curves and orders. Taking the prime p = 231 + 1 /3, we find by appeal to Algorithm 2.3.13 representations 4p = u2 + |D|v2 for ten discriminants D of class number not exceeding two, namely, for D = −3, −7, −8, −11, −67, −51, −91, −187, −403, −427. The respective a, b parameters and curve orders work out, via Algorithm 7.5.10 as tabulated on the following page.

For this particular run, the requisite quadratic nonresidue (and cubic nonresidue for the D = −3 case) was chosen as 5. Note that Algorithm 7.5.10

does not tell us which of the curve parameter pairs (a, b) goes with which order (from Step [Option: Curve orders] of Algorithm 7.5.9). As mentioned above, this is not a serious problem: One finds a point P on one curve where a candidate order does not kill it, so we know that the candidate belongs to another curve. For the example in the last paragraph with p = (231 + 1)/3, the orders shown were matched to the curves in just this way.

But one can, in principle, go a little further and specify theoretically which orders go with which curves, at least for discriminants D having h(D) = 1. There are explicit curves and orders in the literature [Rishi et al. 1984], [Padma

and Ventkataraman 1996]. Many such results go back to the work of Stark, who connected the precise curve order p + 1 − u, when 4p = u2 + |D|v2 and u is allowed to be positive or negative, with the Jacobi symbol |Du | . Interesting refinements of this work are found in the modern treatment in [Morain 1998].

7.6Elliptic curve primality proving (ECPP)

We have seen in Section 4.1 that a partial factorization of n − 1 can lead to a primality proof for n. One might wonder whether elliptic-curve groups—given their variable group orders under the Hasse theorem 7.3.1—can be brought to bear for primality proofs. Indeed they can, as evidenced by a certain theorem, which is a kind of elliptic curve analogy to the Pocklington Theorem 4.1.3.

Before we exhibit the theorem, we recall Definition 7.4.1 of a pseudocurve E(Zn). Recalling, too, the caveat about elliptic multiplication on a pseudocurve mentioned following the definition, we proceed with the following central result.

Theorem 7.6.1 (Goldwasser–Kilian ECPP theorem). Let n > 1 be an integer coprime to 6, let E(Zn) be a pseudocurve, and let s, m be positive integers with s|m. Assume that there exists a point P E such that we can carry out the curve operations for [m]P to find

[m]P = O,

and for every prime q dividing s we can carry out the curve operations to obtain

[m/q]P =O.

Then for every prime p dividing n we have

#E(Fp) ≡ 0 (mod s).

Moreover, if s > n1/4 + 1 2, then n is prime.

Proof. Let p be a prime factor of n. The calculations on the pseudocurve, when reduced modulo p, imply that s divides the order of P on E(Fp).

This proves the first assertion. In addition, if s > n1/4 + 1 2, we may infer that #E(Fp) > n1/4 + 1 2. But the Hasse Theorem 7.3.1 implies that

#E(Fp) < p1/2 + 1 2. We deduce that p1/2 > n1/4, so that p > n1/2. As n has all of its prime factors greater than its square root, n must be prime.

7.6.1Goldwasser–Kilian primality test

On the basis of Theorem 7.6.1, Goldwasser and Kilian demonstrated a primality testing algorithm with expected polynomial-time complexity for conjecturally all, and provably “most,” prime numbers n. That is, a number n

could be tested in an expected number of operations O lnk n for an absolute

constant k. Their idea is to find appropriate curves with orders that have large enough “probable prime” factors, and recurse on the notion that these factors should in turn be provably prime. In each recursive level but the last, Theorem 7.6.1 is used with s the probable prime factor of the curve order. This continues for smaller and smaller probable primes, until the number is so small it may be proved prime by trial division. This, in turn, justifies all previous steps, and establishes the primality of the starting number n.

Algorithm 7.6.2 (Goldwasser–Kilian primality test). Given a nonsquare integer n > 232 strongly suspected of being prime (in particular, gcd(n, 6) = 1 and presumably n has already passed a probable prime test), this algorithm attempts to reduce the issue of primality of n to that of a smaller number q. The algorithm returns either the assertion “n is composite” or the assertion “If q is prime then n is prime,” where q is an integer smaller than n.

1. [Choose a pseudocurve over Zn]

Choose random (a, b) [0, n − 1]2 such that gcd(4a3 + 27b2, n) = 1;

2. [Assess curve order]

Via Algorithm 7.5.6 calculate the integer m that would be #Ea,b(Zn) if n is prime (however if the point-counting algorithm fails, return “n is composite”);

// If n is composite, Algorithm 7.5.6 could fail if each candidate for t

(n + 1 − 2 n, n + 1 + 2 n).

3. [Attempt to factor]

Attempt to factor m = kq where k > 1 and q is a probable prime exceeding n1/4 + 1 2, but if this cannot be done according to some time-limit

criterion, goto [Choose a pseudocurve . . .];

4. [Choose point on Ea,b(Zn)]

Choose random x [0, n − 1] such that Q = (x3 + ax + b) mod n has

Q =−1;

n

Apply Algorithm 2.3.8 or 2.3.9 (with a = Q and p = n) to find an integer y that would satisfy y2 ≡ Q (mod n) if n were prime;

if(y2 mod n =Q) return “n is composite”;

P= (x, y);

5.[Operate on point]

Compute the multiple U = [m/q]P (however if any illegal inversions occur, return “n is composite”);

if(U == O) goto [Choose point . . .];

Compute V = [q]U (however check the above rule on illegal inversions); if(V =O) return “n is composite”;

return “If q is prime, then n is prime”;

The correctness of Algorithm 7.6.2 follows directly from Theorem 7.6.1, with q playing the role of s in that theorem.

In practice one would iterate the algorithm, getting a chain of inferences, with the last number q so small it can be proved prime by trial division. If some intermediate q is composite, then one can retreat one level in the chain and apply the algorithm again. Iterating the Goldwasser–Kilian scheme not only provides a rigorous primality test but also generates a certificate of primality. This certificate can be thought of as the chain

(n = n0, a0, b0, m0, q0, P0), (q0 = n1, a1, b1, m1, q1, P1), . . .

consisting of consecutive n, a, b, m, q, P entities along the recursion. The primary feature of the certificate is that it can be published alongside, or otherwise associated with, the original n that is proven prime. This concise listing can then be used by anyone who wishes to verify that n is prime, using Theorem 7.6.1 at the various steps along the way. The reconstruction of the proof usually takes considerably less time than the initial run that finds the certificate. The certificate feature is nontrivial, since many primality proofs must be run again from scratch if they are to be checked.

It should be noted that the elliptic arithmetic in Algorithm 7.6.2 can be sped up using Montgomery coordinates [X : Z] with “Y ” dropped, as discussed in Section 7.2.

To aid in the reader’s testing of any implementations, we now report a detailed example. Let us take the prime p = 1020 + 39. On the first pass of Algorithm 7.6.2, we use n = p and obtain random parameters in Step [Choose a pseudocurve . . .] as

a = 69771859804340235254, b = 10558409492409151218,

for which 4a3 + 27b2 is coprime to n. The number that would be the order of Ea,b(Zn) if n is indeed prime is found, via Algorithm 7.5.6 to be

m = #E = 99999999985875882644 = 22 · 59 · 1182449 · q,

where 2, 59, 1182449 are known primes (falling below the threshold 232 suggested in the algorithm description), and q = 358348489871 is a probable prime. Then, in Step [Choose point . . .] the random point obtained is

P = [X : Z] = [31689859357184528586 : 1],

where for practical simplicity we have adopted Montgomery parameterization, with a view to using Algorithm 7.2.7 for elliptic multiples. Accordingly, it was found that

U = [m/q]P = [69046631243878263311 : 1] =O,

V = [q]U = O.

Therefore, p is prime if q is. So now we assign n = 358348489871 and run again through Algorithm 7.6.2. In so doing the relevant values encountered are

a = 34328822753, b = 187921935449,

m = #E = 358349377736 = 23 · 7 · 7949 · 805019,