
René Schoof’s Algorithm for Determining the Order of the Group of Points

on an Elliptic Curve over a Finite Field

John J. McGee

Thesis submitted to the faculty of the Virginia Polytechnic Institute and State University

in partial fulfillment of the requirements for the degree of

Master of Science in

Mathematics

Dr. Ezra Brown, Chair
Dr. Charles Parry
Dr. Michael Williams

April 25, 2006
Blacksburg, Virginia

Keywords: Elliptic Curve, Schoof, Cryptography


ABSTRACT

Elliptic curves have a rich mathematical history dating back to Diophantus (c. 250 C.E.), who used a form of these cubic equations to find right triangles of integer area with rational sides. In more recent times the deep mathematics of elliptic curves was used by Andrew Wiles et al. to construct a proof of Fermat's last theorem, a problem which challenged mathematicians for more than 300 years. In addition, elliptic curves over finite fields find practical application in the areas of cryptography and coding theory. For such problems, knowing the order of the group of points satisfying the elliptic curve equation is important to the security of these applications. In 1985 René Schoof published a paper [5] describing a polynomial time algorithm for solving this problem. In this thesis we explain some of the key mathematical principles that provide the basis for Schoof's method. We also present an implementation of Schoof's algorithm as a collection of Mathematica functions. The operation of each algorithm is illustrated by way of numerical examples.


Table of Contents

Chapter 1 - Introduction
  1.1 Background
  1.2 When is f(x,y) an Elliptic Curve?
  1.3 Addition of Points on an Elliptic Curve
    Example 1 - Elliptic Curve Point Addition
Chapter 2 - Arithmetic in $\mathbb{F}_p$
  2.1 Elliptic Curves over Finite Fields
  2.2 The Euclidean Algorithm
  2.3 The Extended Euclidean Algorithm
    Example 2 - The Extended Euclidean Algorithm
  2.4 Finding the modular inverse
    Example 3 - Multiplicative Inverse (mod p)
  2.5 Modular Exponentiation
    Example 4 - Modular Exponentiation
  2.6 Square roots modulo p
  2.7 Shanks-Tonelli Modular Square Root Algorithm
    Example 5 - Computing Square Roots Modulo p
  2.8 The Chinese Remainder Theorem
    Example 6 - Determining the Chinese Remainder
Chapter 3 - Arithmetic of Elliptic Curves over $\mathbb{F}_p$
    Example 7 - Arithmetic in $E(\mathbb{F}_p)$
Chapter 4 - Computing the Order of the Group $\#E(\mathbb{F}_q)$
  4.1 A direct method of computing $\#E(\mathbb{F}_q)$
  4.2 Overview of Schoof's Algorithm
  4.3 Hasse's Theorem
  4.4 Reducing the problem to that for $E(\mathbb{F}_p)$
  4.5 Baby Step, Giant Step Method
    Example 8 - Determining Group Order using Hasse's Theorem
Chapter 5 - Schoof's Algorithm Implementation
  5.1 Computing $t \pmod 2$
  5.2 Determining if $x^3 + Ax + B$ has a root in $\mathbb{F}_q$
    Example 9 - Computation of $t \pmod 2$
  5.3 The Division Polynomials
  5.4 How many division polynomials?
    Example 10 - Computation of the Division Polynomials
  5.5 Computing $nP$ with the Division Polynomials
  5.6 The Frobenius Endomorphism
  5.7 The Characteristic Equation of the Frobenius
  5.8 Schoof's Algorithm: Case One
  5.9 Schoof Equation (17)
  5.10 Schoof Equation (18)
  5.11 Schoof's Algorithm: Case Two
  5.12 Schoof Equation (19x)
  5.13 Schoof Equation (19y)
  5.14 Schoof's Algorithm Summary
Chapter 6 - Results of Running Schoof's Algorithm
  6.1 A Detailed Example
  6.2 Other Experiments
  6.3 Discussion of Results
Chapter 7 - Applications
  7.1 The Elliptic Curve Discrete Log Problem
  7.2 Anomalous Curves and the MOV attack
References
Appendix A - Dictionary of Mathematica Functions for Elliptic Curves
Appendix B - Mathematica Code for Our Elliptic Curves Functions
  Number Theoretic Algorithms
  Elliptic Curve Arithmetic Algorithms
  Methods to Determine the Elliptic Curve Group Order
  The Functions that Comprise Schoof's Algorithm


List of Figures
  Figure 1 - René Schoof
  Figure 2 - Plot of the Elliptic Curve $y^2 = x^3 - 5x - 2$
  Figure 3 - Number of digits in p vs. number of small primes

List of Tables
  Table 1 - Points for $y^2 = x^3 + 46x + 74$ over $\mathbb{F}_{97}$
  Table 2 - Results from Schoof's Algorithm


Chapter 1 - Introduction

"In re mathematica ars propendi pluris facienda est quam solvendi" - Georg Cantor.

1.1 Background

Consider the following cubic polynomial in x, y over the field of real numbers $\mathbb{R}$:

$$y^2 = x^3 + Ax + B. \tag{1}$$

Suppose further that the right hand side of equation (1) has distinct roots. Then the graph of this curve is called an elliptic curve. Elliptic curves have a rich mathematical history dating back to Diophantus (c. 200 C.E.), who used a form of these cubic equations to find right triangles of integer area with rational sides. In more recent times some deep mathematical properties of elliptic curves were used by Andrew Wiles et al. to construct a proof of Fermat's last theorem, a problem that had challenged mathematicians for more than 300 years. The Birch-Swinnerton-Dyer conjecture, one of the Clay Math Institute's million dollar problems, is also a question about certain mathematical properties of elliptic curves.

In addition, elliptic curves over the finite field $\mathbb{F}_q$ for some large prime power q find practical application in the areas of cryptography and coding theory. One example of this is the Massey-Omura encryption method, which relies on the difficulty of solving the elliptic curve discrete logarithm problem for its security. For such methods, knowing the order of the group of points satisfying (1) with coefficients and coordinates in $\mathbb{F}_q$, written $\#E(\mathbb{F}_q)$, is very important because a poor choice of curve parameters can lead to a situation that gives a potential eavesdropper the ability to break the code in reasonable time.

In 1985 René Schoof (Figure 1) published a paper entitled "Elliptic curves over finite fields and the computation of square roots mod p" [5]. His paper describes a polynomial time algorithm for determining $\#E(\mathbb{F}_q)$. Refinements to his method by Elkies and Atkin have resulted in computer algorithms capable of finding results for elliptic curves over fields with orders greater than $10^{100}$ [3,6].


Figure 1 - René Schoof

The purpose of this thesis is to explain the mathematical basis for Schoof's algorithm and to provide a Mathematica reference implementation of it. In order to achieve this goal we first present some background on elliptic curves in the x-y plane. In particular we will see that the set of points on the curve has the structure of an abelian group. In chapter 2 we review the finite field arithmetic needed to work with elliptic curves over finite fields. In chapter 3 we present some basic algorithms for arithmetic in the group of points on an elliptic curve over a finite field. Chapter 4 describes some methods for computing the elliptic curve group order, and includes an introduction to Schoof's algorithm. We present the details of Schoof's algorithm in chapter 5. For each algorithm we first give a mathematical justification for the method or provide a reference to such. Next we present numerical examples that illustrate the operation of the algorithm. In chapter 6 we present results of running Schoof's algorithm against various curves. We conclude in chapter 7 with some applications that motivate efficient solutions to the elliptic curve group order problem. Appendix A contains a listing of the Mathematica functions that implement these algorithms, and Appendix B presents the Mathematica code for their implementation.


1.2 When is f(x,y) an Elliptic Curve?

Much of the following discussion is based on material presented in Lawrence Washington's book "Elliptic Curves - Number Theory and Cryptography" [7]. An elliptic curve is the set of points satisfying a nonsingular cubic polynomial in two variables. If K is a field, then an elliptic curve can be specified as

$$E : \{(x, y) \in K \times K \mid f(x, y) \in K[x, y],\ f(x, y) = 0\}, \tag{2}$$

where $f(x, y)$ is a particular nonsingular polynomial in x, y of degree 3. For the curves considered here, nonsingular means that the cubic in x on the right hand side of the Weierstrass equation below has distinct roots. If the field K has characteristic other than 2 or 3, then by a transformation of variables it can be shown that E has the same behavior as an elliptic curve of the form

$$E : y^2 = x^3 + Ax + B. \tag{3}$$

Equation (3) is called the Weierstrass equation of an elliptic curve.

Suppose a, b, c are the roots of the right hand side of (3). Then

$$y^2 = (x - a)(x - b)(x - c) = x^3 - (a + b + c)x^2 + (ab + ac + bc)x - abc.$$

Since the coefficient of $x^2$ is zero we must have $a + b + c = 0$. Suppose that (3) has a double root. Without loss of generality let the double root be $a = b$. Then $2a + c = 0$ so that $a = -c/2$, and we have

$$y^2 = x^3 - \tfrac{3}{4}c^2 x - \tfrac{1}{4}c^3.$$

Put $A = -\tfrac{3}{4}c^2$, $B = -\tfrac{1}{4}c^3$ so that $y^2 = x^3 + Ax + B$; then

$$4A^3 = -\tfrac{27}{16}c^6 = -27B^2.$$

Hence if (3) has a double root then $4A^3 + 27B^2 = 0$. The contrapositive gives that (3) has distinct roots if

$$4A^3 + 27B^2 \neq 0. \tag{4}$$

The negative of the left hand side of (4), $-(4A^3 + 27B^2)$, is the discriminant of the cubic $x^3 + Ax + B$ and is called the discriminant of the elliptic curve. It vanishes exactly when the cubic has a repeated root, so condition (4) is not only sufficient but also necessary for (3) to be nonsingular.


1.3 Addition of Points on an Elliptic Curve

For an elliptic curve E, take any two points P, Q that lie on E. Then by Bezout's Theorem the line through P and Q intersects the curve E at a third point R. This is illustrated in Figure 2 for the elliptic curve given by $y^2 = x^3 - 5x - 2$. Notice that the line between two points would be vertical if the two points had the same x-coordinate. Such a line does not appear to intersect the curve at a third point. In this case we define the third point of intersection to be a special point at infinity, $\infty$. This definition is justified by considering the elliptic curve in projective coordinates, where $\infty$ is a well-defined point.

Figure 2 - Plot of the Elliptic Curve $y^2 = x^3 - 5x - 2$

Using this idea, we can define an addition operation on the elements of E. We define P + Q as follows. Let R be the third point of intersection of the line through P and Q with the elliptic curve E. Then P + Q is the reflection of R about the line of symmetry of E, which is the x-axis for curves in Weierstrass form. If the line through P and Q is vertical we define $P + Q = \infty$. To add P + P, we use the line tangent to the curve at P and intersect it with the curve to arrive at R.

With these definitions it can be shown that (E, +) forms an abelian group with identity $\infty$. That is, the operation is commutative and associative, and every point P has an inverse -P so that $P + (-P) = \infty$. For an elliptic curve in Weierstrass form, if $P = (x, y)$ then $-P = (x, -y)$, the reflection of P about the x-axis, since the line through P and -P is vertical. This shows that every element has an inverse, and commutativity follows directly from the fact that the line through P, Q is the same as the line through Q, P. The proof of associativity is nontrivial; one method of proof is given in Washington [7] § 2.4.

We can also define this addition operation using analytic geometry. Suppose that $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ are two points on the elliptic curve $E : y^2 = x^3 + Ax + B$ with distinct x-coordinates. Then the slope of the line between the two points is given by


$$\lambda = \frac{y_2 - y_1}{x_2 - x_1}. \tag{5}$$

The point-slope formula of the line passing through P, Q is given by

$$y - y_1 = \lambda(x - x_1). \tag{6}$$

Substituting (6) into the elliptic curve equation (3) yields $(\lambda(x - x_1) + y_1)^2 = x^3 + Ax + B$.

Expanding and collecting terms in x gives the following monic polynomial in x:

$$x^3 - \lambda^2 x^2 + (2\lambda^2 x_1 - 2\lambda y_1 + A)x + (B - \lambda^2 x_1^2 - y_1^2 + 2\lambda x_1 y_1) = 0. \tag{7}$$

We know that $x_1, x_2$ satisfy (7) because P and Q satisfy both the line and the elliptic curve equations. So we can factor the cubic (7) as

$$(x - x_1)(x - x_2)(x - x_3) = 0,$$

where $x_3$ must be the x-coordinate of the third point of intersection. Expanding and collecting terms in x we obtain

$$x^3 - (x_1 + x_2 + x_3)x^2 + (x_1 x_2 + x_1 x_3 + x_2 x_3)x - x_1 x_2 x_3. \tag{8}$$

Because (7) and (8) represent the same polynomial, the coefficients of $x^2$ must be equal, giving

$$-\lambda^2 = -(x_1 + x_2 + x_3).$$

Hence we can compute the x-coordinate of the third point of intersection as

$$x_3 = \lambda^2 - x_1 - x_2. \tag{9}$$

We can compute the corresponding y-coordinate using the equation of the line (6) and then negate the result to obtain the y-coordinate of P + Q,

$$y_3 = -(\lambda(x_3 - x_1) + y_1) = \lambda(x_1 - x_3) - y_1. \tag{10}$$

On the other hand, if $x_1 = x_2$ then $y_1^2 = y_2^2$, so either $y_2 = y_1$ or $y_2 = -y_1$. If $y_2 = -y_1$ then the line between P and Q is vertical, and we define $P + Q = \infty$, the identity. (This case includes $y_1 = y_2 = 0$, where P = -P and the tangent at P is vertical.) Otherwise P = Q, so we want to compute P + P = 2P. To accomplish this we define $\lambda$ as the slope of the tangent to the curve at $(x_1, y_1)$. We can compute this slope by implicit differentiation of (3), giving

$$2y\,dy = (3x^2 + A)\,dx$$

so that

$$\lambda = \frac{dy}{dx} = \frac{3x_1^2 + A}{2y_1}. \tag{11}$$

Using this $\lambda$ with equations (9) and (10), along with the fact that $x_1 = x_2$ and $y_1 = y_2$, gives

$$(x_1, y_1) + (x_1, y_1) = (\lambda^2 - 2x_1,\ \lambda(x_1 - x_3) - y_1). \tag{12}$$

Equations (5) through (12) are incorporated into the Mathematica function EcAdd, which adds two points on an elliptic curve over $\mathbb{Q}$ or $\mathbb{F}_p$.


Example 1 - Elliptic Curve Point Addition

Let an elliptic curve be given by $E : y^2 = x^3 + 2x + 1$ over the rational numbers. Then the discriminant is $d = -4A^3 - 27B^2 = -4 \cdot 8 - 27 = -59 \neq 0$, so that $E(\mathbb{Q})$ is a valid elliptic curve. It is easy to check, by substituting the point coordinates into the equation for E, that the points $P = (0, 1)$ and $Q = (1, -2)$ are elements of $E(\mathbb{Q})$. Also, the x-coordinates of P, Q are distinct, so we can compute the slope of the line passing through P, Q using (5):

$$\lambda = \frac{-2 - 1}{1 - 0} = -3.$$

Then equations (9) and (10) give

$$x_3 = (-3)^2 - 0 - 1 = 8 \quad\text{and}\quad y_3 = -3(0 - 8) - 1 = 23.$$

So $P + Q = (8, 23)$, which is also a point in $E(\mathbb{Q})$ since $8^3 + 2 \cdot 8 + 1 = 529 = 23^2$. We obtain the same result using the Mathematica function EcAdd[{2,1},{0,1},{1,-2}], which returns {8, 23}.
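The following Python code is an added example and is not the thesis's Mathematica EcAdd. It implements equations (5) through (12) with the point at infinity handled explicitly, and the same routine works over $\mathbb{Q}$ (coordinates as Fraction) and over $\mathbb{F}_p$ (coordinates reduced mod a prime p), which is the setting of the next chapter. It also adds scalar multiplication by double-and-add, which goes beyond Example 1. The names ec_add, ec_mul, INF and the test curve over $\mathbb{F}_7$ are my own; over $\mathbb{F}_p$ the inverse comes from Python's built-in pow(b, -1, p) rather than the Euclidean algorithm of chapter 2.

```python
from fractions import Fraction

# Added example, not the thesis's code: point addition on y^2 = x^3 + Ax + B
# following equations (5)-(12).  p=None means work over Q; a prime p means F_p.

INF = None  # the point at infinity, the group identity


def _norm(v, p):
    """Reduce a field element: exact Fraction over Q, residue mod p over F_p."""
    return Fraction(v) if p is None else v % p


def _div(num, den, p):
    """Field division num/den (den assumed nonzero in the field)."""
    if p is None:
        return Fraction(num) / Fraction(den)
    return (num * pow(den, -1, p)) % p   # built-in modular inverse (Python >= 3.8)


def is_nonsingular(A, B, p=None):
    """Condition (4): 4A^3 + 27B^2 != 0 in the field."""
    return _norm(4 * A ** 3 + 27 * B ** 2, p) != 0


def on_curve(P, A, B, p=None):
    if P is INF:
        return True
    x, y = P
    return _norm(y * y - (x ** 3 + A * x + B), p) == 0


def ec_add(P, Q, A, B, p=None):
    """P + Q on E: y^2 = x^3 + Ax + B over Q (p=None) or over F_p."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if _norm(x1 - x2, p) == 0:
        if _norm(y1 + y2, p) == 0:
            # vertical line: Q = -P; this also covers doubling a point with y = 0
            return INF
        lam = _div(3 * x1 * x1 + A, 2 * y1, p)      # tangent slope, eq. (11)
    else:
        lam = _div(y2 - y1, x2 - x1, p)             # chord slope, eq. (5)
    x3 = _norm(lam * lam - x1 - x2, p)              # eq. (9), and (12) when P == Q
    y3 = _norm(lam * (x1 - x3) - y1, p)             # eq. (10)
    return (x3, y3)


def ec_neg(P, p=None):
    if P is INF:
        return INF
    x, y = P
    return (x, _norm(-y, p))


def ec_mul(n, P, A, B, p=None):
    """n*P by double-and-add; n may be zero or negative."""
    if n < 0:
        return ec_mul(-n, ec_neg(P, p), A, B, p)
    R, Q = INF, P
    while n:
        if n & 1:
            R = ec_add(R, Q, A, B, p)
        Q = ec_add(Q, Q, A, B, p)
        n >>= 1
    return R


if __name__ == "__main__":
    # Example 1: E: y^2 = x^3 + 2x + 1 over Q, P = (0,1), Q = (1,-2)
    A, B = 2, 1
    S = ec_add((0, 1), (1, -2), A, B)
    print(S, on_curve(S, A, B))        # P + Q = (8, 23); note that Q = 2P here
    # Constructed check over F_7: the same curve has 4 affine points plus INF
    print([ec_mul(k, (0, 1), A, B, 7) for k in range(1, 6)])
```

Over $\mathbb{F}_7$ the same curve has only the points (0,1), (0,6), (1,2), (1,5) and $\infty$, so 5·(0,1) returns INF; this is the kind of small group-order check the later chapters compute in general.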


Chapter 2 - Arithmetic in $\mathbb{F}_p$

2.1 Elliptic Curves over Finite Fields

Suppose $\mathbb{F}_q$ is a finite field of order q; then $q = p^k$ for some prime p and positive integer k (see, for example, Dummit and Foote [2] §14.3). Suppose also that $E : y^2 = x^3 + Ax + B$ is an element of $\mathbb{F}_q[x, y]$, which means that $A, B \in \mathbb{F}_q$. Then, if $4A^3 + 27B^2 \neq 0$ in $\mathbb{F}_q$, it can be shown that

$$E(\mathbb{F}_q) = \{(x, y) \in \mathbb{F}_q \times \mathbb{F}_q \mid y^2 = x^3 + Ax + B\},$$

together with the point at infinity $\infty$, is an elliptic curve. Further, equations (5) through (12) of the previous section still obey the group axioms when arithmetic is done in the finite field, so that $E(\mathbb{F}_q)$ is a finite abelian group. Since we have at most q choices for x, and for each of these at most 2 choices for y, $E(\mathbb{F}_q)$ contains at most 2q affine points (2q + 1 counting $\infty$). It turns out that the actual bound is much closer to q: Hasse's theorem (section 4.3) gives $|\#E(\mathbb{F}_q) - (q + 1)| \le 2\sqrt{q}$.

Before we consider this question in detail, we introduce some of the number-theoretic functions which are required for computation on elliptic curves over a finite field. For the purpose of our goal, which is to determine the group order $\#E(\mathbb{F}_q)$, it turns out that it will be sufficient to work with fields of prime order, $\mathbb{F}_p$. This allows us to perform arithmetic in the field using modular arithmetic in $\mathbb{Z}/p\mathbb{Z}$. That is, we can perform addition, subtraction and multiplication using ordinary integer arithmetic and then reduce each result mod p by dividing it by p and keeping the remainder.

Consider the following example in $\mathbb{F}_7$:

$$5 \cdot 5 = 25 = 21 + 4 = 3 \cdot 7 + 4 \equiv 4 \pmod 7,$$

so that in $\mathbb{F}_7$, $5 \cdot 5 = 4$.

Performing division in $\mathbb{F}_p$ is a little more complicated. To compute a/b we need to multiply a by the modular inverse of b. For example, to compute $4/5 \pmod 7$ we must first find c such that $5c \equiv 1 \pmod 7$; then $4/5 = 4 \cdot c$. By trial and error we find that $5 \cdot 3 = 15 \equiv 1 \pmod 7$, so that $4/5 \equiv 4 \cdot 3 \equiv 5 \pmod 7$. We will later see how to use the Euclidean algorithm to accomplish this for problems involving larger integers.

We will also have occasion to compute $a^k \pmod p$. This can be done by direct computation, for example $3^4 = 81 \equiv 4 \pmod 7$, so that $3^4 = 4$ in $\mathbb{F}_7$. Fortunately, for large k and p there exists a much more efficient method based on repeated squaring, reducing the result mod p at each step so that intermediate values never exceed $p^2$. The following sections describe these algorithms.


2.2 The Euclidean Algorithm

The Euclidean Algorithm computes the greatest common divisor d of the integers a, b. It dates back to at least 300 B.C.E., where it appeared in geometric form in Euclid's Elements. The most obvious way to find the greatest common divisor is to completely factor both a and b into powers of primes such as

$$a = p_1^{r_1} p_2^{r_2} \cdots p_n^{r_n} \quad\text{and}\quad b = p_1^{s_1} p_2^{s_2} \cdots p_n^{s_n},$$

where $r_i$ and $s_i$ are integers greater than or equal to zero, with $r_i = 0$ if $p_i$ does not divide a and $s_i = 0$ if $p_i$ does not divide b. Then the greatest common divisor d is given by

$$d = p_1^{t_1} p_2^{t_2} \cdots p_n^{t_n}, \quad\text{where } t_i = \min(r_i, s_i).$$

For example, if $a = 7960 = 2^3 \cdot 5 \cdot 199$ and $b = 6480 = 2^4 \cdot 3^4 \cdot 5$, then $\gcd(a, b) = 2^3 \cdot 5 = 40$.

However, the integer factoring problem is currently understood to be difficult when the integer has no small prime divisors. The Euclidean algorithm is far superior because it computes the greatest common divisor of two integers without factoring them. Suppose we wish to find the greatest common divisor of a and b, written $\gcd(a, b)$. Let $a > b$ and divide a by b, producing

$$a = s_0 b + r_0 \quad\text{where } 0 \le r_0 < b$$

(by the division algorithm). If $r_0 = 0$, then b divides a so $\gcd(a, b) = b$. Otherwise, divide b by $r_0$ giving

$$b = s_1 r_0 + r_1 \quad\text{where } 0 \le r_1 < r_0.$$

If $r_1 = 0$ then $r_0$ divides b, and since $a = s_0 b + r_0$, $r_0$ also divides a, giving $\gcd(a, b) = r_0$. If $r_i \neq 0$, we continue the process, dividing $r_{i-1}$ by $r_i$:

$$r_0 = s_2 r_1 + r_2, \quad \ldots, \quad r_{i-1} = s_{i+1} r_i + r_{i+1}.$$

Eventually we must find $r_{n+1} = 0$ because at each step $0 \le r_i < r_{i-1}$. Then $r_{n-1} = s_{n+1} r_n$, so that $\gcd(r_{n-1}, r_n) = r_n$.

Note that if $x = qy + r$ then $\gcd(x, y) = \gcd(y, r)$. This is true because $\gcd(y, r)$ divides both y and r, so it divides x also; hence $\gcd(y, r)$ divides $\gcd(x, y)$. But we can also write $\gcd(y, r)$ as a linear combination of y and r, so that

$$\gcd(y, r) = uy + vr = uy + v(x - qy) = (u - vq)y + vx,$$

so $\gcd(x, y)$ divides $\gcd(y, r)$; hence $\gcd(x, y) = \gcd(y, r)$. Applying this to the chain of divisions above gives $\gcd(r_{i-1}, r_i) = \gcd(r_{i-2}, r_{i-1})$, so in particular $\gcd(r_{n-1}, r_n) = \cdots = \gcd(r_0, r_1) = \gcd(b, r_0) = \gcd(a, b)$. Therefore the last nonzero remainder $r_n = \gcd(a, b)$. Euclid's algorithm for computing the greatest common divisor is implemented in the Mathematica function EuclideanAlgorithm.
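As an added example (my own Python, not the thesis's Mathematica EuclideanAlgorithm), the code below runs the remainder chain just described on the worked numbers 7960 and 6480, then goes beyond section 2.2 to the extended form of section 2.3 that also returns the Bezout coefficients, and uses it for the two $\mathbb{F}_p$ operations introduced in section 2.1: division via the modular inverse, and exponentiation by repeated squaring. Function names are assumptions of this example.

```python
# Added example, not the thesis's code: Euclid's algorithm with its remainder
# chain, the extended version giving gcd(a, b) = u*a + v*b, and the F_p
# division and exponentiation routines built on top of them.


def euclid_steps(a, b):
    """Return (gcd(a, b), steps); each step (x, s, y, r) records one division
    x = s*y + r of the chain, and the gcd is the last nonzero remainder."""
    a, b = abs(a), abs(b)
    steps = []
    while b:
        s, r = divmod(a, b)
        steps.append((a, s, b, r))
        a, b = b, r
    return a, steps


def ext_euclid(a, b):
    """Return (d, u, v) with d = gcd(a, b) = u*a + v*b.
    Loop invariant: r0 = u0*a + v0*b and r1 = u1*a + v1*b."""
    r0, u0, v0 = a, 1, 0
    r1, u1, v1 = b, 0, 1
    while r1:
        s, r2 = divmod(r0, r1)           # r0 = s*r1 + r2, so r2 = (u0-s*u1)a + (v0-s*v1)b
        r0, r1 = r1, r2
        u0, u1 = u1, u0 - s * u1
        v0, v1 = v1, v0 - s * v1
    if r0 < 0:                           # keep the gcd non-negative
        r0, u0, v0 = -r0, -u0, -v0
    return r0, u0, v0


def mod_inverse(b, p):
    """c in [0, p) with b*c = 1 (mod p).  Raises ValueError when gcd(b, p) != 1,
    since then no inverse exists (e.g. b = 0, or a non-prime modulus)."""
    d, u, _ = ext_euclid(b % p, p)
    if d != 1:
        raise ValueError(f"{b} has no inverse mod {p}: gcd = {d}")
    return u % p


def mod_div(a, b, p):
    """a / b in F_p, computed as a * b^(-1) mod p."""
    return (a * mod_inverse(b, p)) % p


def mod_pow(a, k, p):
    """a^k mod p by square-and-multiply: O(log k) multiplications, and each
    intermediate value stays below p^2 because we reduce after every step."""
    if k < 0:
        raise ValueError("negative exponent: invert the base first")
    result, base = 1 % p, a % p
    while k:
        if k & 1:
            result = (result * base) % p
        base = (base * base) % p
        k >>= 1
    return result


if __name__ == "__main__":
    d, steps = euclid_steps(7960, 6480)       # the worked example of section 2.2
    for x, s, y, r in steps:
        print(f"{x} = {s} * {y} + {r}")
    print("gcd =", d)                          # 40
    print(ext_euclid(7960, 6480))              # (40, u, v) with 7960u + 6480v = 40
    print(mod_div(4, 5, 7), mod_pow(3, 4, 7))  # 5 4, matching the hand computation in 2.1
```

The ValueError in mod_inverse is the case to watch in practice: the slope formulas (5) and (11) divide by $x_2 - x_1$ and by $2y_1$, and over a composite modulus a non-invertible denominator is exactly how the elliptic curve factoring method detects a factor, so an implementation should surface it rather than silently return 0.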

ThesisMcGee06June2006.nb 9

Page 14: René Schoof’s Algorithm for Determining the Order of the

The Euclidean Algorithm computes the greatest common divisor d of the integers a, b. It dates back to at least 300 B.C.E., where it appeared in geometric form in Euclid's Elements. The most obvious way to find the greatest common divisor is to completely factor both a and b into powers of primes, such as

a = p_1^{r_1} p_2^{r_2} ... p_n^{r_n} and b = p_1^{s_1} p_2^{s_2} ... p_n^{s_n},

where r_i and s_i are integers greater than or equal to zero, r_i = 0 if p_i does not divide a, and s_i = 0 if p_i does not divide b. Then the greatest common divisor d is given by

d = p_1^{t_1} p_2^{t_2} ... p_n^{t_n}, where t_i = min(r_i, s_i).

For example, if a = 7960 = 2^3 · 5 · 199 and b = 6480 = 2^4 · 3^4 · 5, then gcd(a, b) = 2^3 · 5 = 40.

However, the integer factoring problem is currently understood to be difficult when the integer has no small prime divisors. The Euclidean algorithm is far superior because it can compute the greatest common divisor of two integers without factoring them. Suppose we wish to find the greatest common divisor of a and b, called gcd(a, b). Let a > b and divide a by b, producing

a = s_0 b + r_0 where 0 ≤ r_0 < b (by the division algorithm).

If r_0 = 0, then b divides a, so gcd(a, b) = b. Otherwise, divide b by r_0, giving

b = s_1 r_0 + r_1 where 0 ≤ r_1 < r_0.

If r_1 = 0 then r_0 divides b, and since a = s_0 b + r_0, r_0 also divides a, giving gcd(a, b) = r_0. If r_i ≠ 0, we can continue the process, dividing r_{i-1} by r_i, giving

r_0 = s_2 r_1 + r_2
...
r_{i-1} = s_{i+1} r_i + r_{i+1}.

Eventually we must find r_{n+1} = 0, because at each step 0 ≤ r_i < r_{i-1}. Then r_{n-1} = s_{n+1} r_n, so that gcd(r_{n-1}, r_n) = r_n.

Note, however, that if x = q y + r then gcd(x, y) = gcd(y, r). This is true because gcd(y, r) divides both y and r, so it divides x also, hence gcd(y, r) divides gcd(x, y). But we can write gcd(y, r) as a linear combination of y and r, so that

gcd(y, r) = u y + v r = u y + v(x - q y) = (u - v q) y + v x,

so gcd(x, y) divides gcd(y, r), hence gcd(x, y) = gcd(y, r). Applying this to the chain of divisions above gives gcd(r_{i-1}, r_i) = gcd(r_{i-2}, r_{i-1}), so in particular gcd(r_0, r_1) = gcd(b, r_0) = gcd(a, b). Therefore the last nonzero remainder r_n = gcd(a, b). Euclid's algorithm for computing the greatest common divisor is implemented in the Mathematica function EuclideanAlgorithm.

2.3 The Extended Euclidean Algorithm

The Extended Euclidean Algorithm computes the greatest common divisor d of the integers a, b and also computes two integers r, s such that d = r a + s b. This method provides a fast way to compute multiplicative inverses in F_p. The algorithm proceeds as follows.

Starting with r_0 = 1, s_0 = 0 we take d_0 = a = r_0 a + s_0 b. For step 1 we take r_1 = 0, s_1 = 1, so we can write d_1 = b = r_1 a + s_1 b. At each succeeding step we compute the smallest positive d_i ≡ d_{i-2} (mod d_{i-1}), so that d_i = d_{i-2} - k d_{i-1} for some positive integer k. The algorithm maintains d_i = r_i a + s_i b at each step, so that

d_i = (r_{i-2} a + s_{i-2} b) - k(r_{i-1} a + s_{i-1} b) = (r_{i-2} - k r_{i-1}) a + (s_{i-2} - k s_{i-1}) b.

Hence we must have r_i = r_{i-2} - k r_{i-1} and s_i = s_{i-2} - k s_{i-1}, which completes the recursive definition. Our Mathematica implementation is based on Rosen [4] §3.3.


Example 2 - The Extended Euclidean Algorithm

If we can find the prime factorization of two numbers then we can write down the greatest common divisor directly. It is the product of the largest prime powers that divide both numbers. For example, let a = 7960 = 2^3 · 5 · 199 and b = 6480 = 2^4 · 3^4 · 5. Then gcd(a, b) = 2^3 · 5 = 40. Even for such easy problems, however, the determination of gcd(a, b) as a linear combination of a and b is best accomplished using the Extended Euclidean algorithm. Using ExtendedEuclideanAlgorithm[a, b] we find

gcd(7960, 6480) = 40 = -35 · 7960 + 43 · 6480.

2.4 Finding the modular inverse

We can also use the Euclidean algorithm to find the modular inverse. The extended Euclidean algorithm finds the greatest common divisor of two numbers, d = gcd(a, b). It also computes two numbers r, s such that d = r a + s b. If a is relatively prime to p, which is always true if p is a prime and 1 < a < p, then gcd(a, p) = 1. So to find the modular inverse of a modulo p, we use the Euclidean algorithm to compute

gcd(a, p) = 1 = r a + s p ≡ r a (mod p), hence a^{-1} ≡ r (mod p).

We need to compute modular inverses in order to perform the divisions in the elliptic curve point addition formulas.

Example 3 - Multiplicative Inverse (mod p)

As an example, let's work over F_19, the field with 19 elements {0, 1, ..., 18} with arithmetic modulo 19, a prime. In a field every nonzero element has a multiplicative inverse, so let's find the inverse of 7. The Euclidean algorithm gives

gcd(7, 19) = 1 = -8 · 7 + 3 · 19 ≡ -8 · 7 (mod 19). But -8 ≡ 11 (mod 19), so that 11 · 7 ≡ 1 (mod 19). Hence 7^{-1} ≡ 11 (mod 19). This is verified by the fact that 11 · 7 = 77 = 4 · 19 + 1 ≡ 1 (mod 19).


2.5 Modular Exponentiation

This method uses the binary representation of n to construct a^n (mod p). Start with a_1 ≡ a (mod p), x = 1; then at each iteration k we compute

If the kth bit of n is 1 then x ≡ x · a_k (mod p). Then a_{2k} ≡ a_k · a_k (mod p) for the next iteration.

In this way the arithmetic is done with relatively small integers, even though a^n may have hundreds or thousands of digits. In fact, at each step of the algorithm we multiply two numbers which are less than p, so the largest product we ever compute is less than p^2. Hence, if the binary representation of p requires m bits, then we need no more than 2m bits to store the intermediate results. On the other hand, if we compute a^n directly, and a has m bits, then we would need n m bits to hold the intermediate result.

Example 4 - Modular Exponentiation

As an example, let's compute 11^37 (mod 97). The direct method would first compute 11^37 = 340039485861577398992406882305761986971 in ℤ and then find 11^37 = 3505561709913169061777390539234659659 · 97 + 48, so that 11^37 ≡ 48 (mod 97). However, in binary 37 = 100101_2, so we can compute 11^37 (mod 97) as follows.

11^37 = 11^{32+4+1} = 11^{2^5 + 2^2 + 1} = 11^{(2^3 + 1) 2^2 + 1} = ((((11^2)^2)^2 · 11)^2)^2 · 11.

But 11^2 ≡ 24 (mod 97), 24^2 ≡ 91 (mod 97) and 91^2 ≡ 36 (mod 97), so that 11^37 ≡ ((36 · 11)^2)^2 · 11 (mod 97). Then 396 ≡ 8 (mod 97), (8^2)^2 ≡ 22 (mod 97), hence 11^37 ≡ 22 · 11 ≡ 48 (mod 97). Notice that we performed these computations without using any number larger than 97^2. We will see later how this same idea, applied to polynomial arithmetic, will allow us to compute f(x)^k (mod g(x)) in an efficient manner.


2.6 Square roots modulo p

One of the steps in Schoof's algorithm requires the solution of the congruence w^2 ≡ p (mod l) for w, with l a prime number less than √p. In other words, we need to find the square root of p modulo l. Unlike the multiplicative inverse problem, this problem does not always have a solution. When it does, we say that p is a quadratic residue modulo l; otherwise p is called a quadratic nonresidue. If there is an x such that x^2 ≡ a (mod p), then a is a quadratic residue mod p and

a^{(p-1)/2} ≡ (x^2)^{(p-1)/2} ≡ x^{p-1} ≡ 1 (mod p) by Fermat's little theorem.

Otherwise, for all 0 < i < p, gcd(i, p) = 1. Then for each i less than p, i j ≡ a (mod p) has a unique solution j, which cannot be j = i, else i^2 ≡ a (mod p). Hence we can group the solutions into (p - 1)/2 pairs, each with product congruent to a (mod p). Taking the product of all of the solutions gives

a^{(p-1)/2} ≡ (p - 1)! (mod p),

since each number less than p is included exactly once in the product. Then Wilson's Theorem gives (p - 1)! ≡ -1 (mod p), so that

a^{(p-1)/2} ≡ -1 (mod p).

Note that a more efficient algorithm exists which makes use of the Quadratic Reciprocity Theorem of Gauss, but we do not need the complexity of this method because we will be testing for quadratic residues for only modest sized integers.

2.7 Shanks-Tonelli Modular Square Root Algorithm

Once we have determined that the integer a is a quadratic residue modulo p, we need a method to find the square root. One method to accomplish this is called the Shanks-Tonelli modular square root algorithm. The details of the algorithm, which has performance logarithmic in the number of digits of p, are described in the paper "Square Roots from 1; 24, 51, 10 to Dan Shanks" by Ezra Brown [1].


Example 5 - Computing Square Roots Modulo p

We consider the following nontrivial example. Let

p = 360027784083079948259017962255826129.

We want to find x such that x^2 ≡ 2865 (mod p). The Shanks-Tonelli algorithm gives

x = 203744876602447660339212047901408164.

We could verify that this is the correct solution using the modular exponentiation method described above, but since we are only computing x^2 (mod p) we can compute this directly, showing that x^2 ≡ 2865 (mod p).


2.8 The Chinese Remainder Theorem

The Chinese Remainder Theorem provides a method to compute the smallest positive integer satisfying a set of congruences. It first appeared as a method of solution to a particular modular congruence problem in a third-century book by the Chinese mathematician Sun Tzu [4] §4.5. In Schoof's algorithm, we compute t_i ≡ t (mod l_i) for a set of small primes l_i, where t satisfies #E(F_p) = p + 1 - t. The Chinese Remainder Theorem allows us to recover t from this set of congruences, thus determining the order of the group.

We are given the following information for the unknown z < N:

r_i ≡ z (mod n_i) for i = 1, 2, ..., k

where N = n_1 n_2 ... n_k and gcd(n_i, n_j) = 1 when i ≠ j, so that N is also the least common multiple of the {n_i}. Let a_i = N/n_i and b_i = a_i^{-1} (mod n_i). The modular inverses b_i exist because n_i does not divide a_i, since gcd(n_i, n_j) = 1 when i ≠ j. Then a_i b_i ≡ 1 (mod n_i), and since n_j divides a_i when j ≠ i, a_i b_i ≡ 0 (mod n_j) for j ≠ i. So we can compute

z = (Σ_{i=1}^{k} a_i b_i r_i) (mod N),

which is the unique 0 < z < N for which all the congruences hold.

Example 6 - Determining the Chinese Remainder

For example, suppose we have z ≡ 1 (mod 2), z ≡ 0 (mod 5), z ≡ 6 (mod 7) and z ≡ 7 (mod 11). Then N = 770 and the Chinese remainder algorithm gives

a_i = {385, 154, 110, 70}
b_i = a_i^{-1} (mod n_i) = {1, 4, 3, 3}
e_i = a_i b_i = {385, 616, 330, 210}
z = e · r = 3835 ≡ 755 (mod N)

So 755 is the smallest positive integer satisfying this set of congruences.


Chapter 3 - Arithmetic of Elliptic Curves over F_p

Now that we have a set of methods for performing arithmetic in F_p, we can apply these to performing arithmetic in the group E(F_p). We provide a set of Mathematica functions to implement algorithms for testing if a cubic equation is an elliptic curve over F_p, for adding points on the curve, and for efficiently computing k P, the sum of k copies of the point P. In each case it is assumed, and for efficiency's sake not verified, that p is a prime.

Example 7 - Arithmetic in E(F_p)

We will now review several of the mathematical ideas and methods related to elliptic curves over a prime field by way of an example. Consider the elliptic curve E : y^2 = x^3 + 46 x + 74 over F_97. It has discriminant

d ≡ -(4 a^3 + 27 b^2) ≡ -(4 · 46^3 + 27 · 74^2) ≡ -537196 ≡ 87 (mod p).

Since the discriminant is nonzero modulo p, E is a valid elliptic curve.

At x = 1 we have

x^3 + 46 x + 74 = 1 + 46 + 74 = 121 ≡ 24 (mod 97),

so E has a point with x = 1 if and only if 24 is a quadratic residue modulo 97. Using modular exponentiation we find with p = 97 that 24^{(p-1)/2} ≡ 1 (mod p), so that 24 has a square root modulo p. We then employ the Shanks-Tonelli algorithm to find this square root, giving 11^2 ≡ 24 (mod p), so that the point P = (1, 11) is an element of E(F_p).

Next let us compute P + P = 2P using Equation (12) modulo p as

λ = (3 x_1^2 + A)/(2 y_1) ≡ (3 + 46)(22^{-1}) (mod 97) ≡ 49 · 75 (mod 97) ≡ 86 (mod 97).

Then

x_3 = λ^2 - 2 x_1 ≡ 86^2 - 2 (mod 97) ≡ 22 (mod 97), and also
y_3 = λ(x_1 - x_3) - y_1 = 86(1 - 22) - 11 (mod 97) ≡ 26 (mod 97).

Hence 2 · (1, 11) = (22, 26) on E(F_97). We can also compute 4 · (1, 11) by adding (22, 26) + (22, 26), giving (4, 15), or obtain the same result using the function EcPowerMod[{46, 74}, {1, 11}, 4, 97].


The order of a point P ∈ E(F_p) is defined as the smallest k such that k P = ∞. One way to determine k is to compute n P for each successive n starting at 1 until the result is the identity. For the previous example with E : y^2 = x^3 + 46 x + 74 over F_97 and P = (1, 11) we find, using repeated application of EcAddMod, that

2 P = (22, 26), 3 P = (27, 12), 4 P = (4, 15), ..., 15 P = (1, 86).

Since 86 + 11 ≡ 0 (mod 97), 15 P = -P, so we know that 16 P = ∞. Since 16 is the smallest multiple of P for which this occurs, the order of P is 16 and we write |P| = 16. This gives a hint as to one way to determine #E(F_p). By Lagrange's theorem the order of an element of a finite group must divide the order of the group. So we know that 16 divides #E(F_97) for our sample curve.


Chapter 4 - Computing the Order of the Group #E(F_q)

4.1 A direct method of computing #E(F_q)

A direct approach to determining #E(F_q) is to compute z = x^3 + A x + B for each x ∈ F_q, and then to test if z has a square root in F_q. If z = 0, then (x, 0) ∈ E(F_q). If there exists y ∈ F_q such that y^2 = z, then (x, y), (x, -y) ∈ E(F_q); else there is no point in E(F_q) with x-coordinate x. This means there are at most 2q + 1 elements in the group. However, a theorem of finite fields states that exactly 1/2 of the nonzero elements of F_q are quadratic residues. This means that, on average, there will be approximately q + 1 elements in E(F_q). As we shall see next, specific bounds on #E(F_q) can be established, and this is one key to more efficient methods of determining the group order.

Before proceeding, we want to fully characterize all of the points in E(F_p) for our example curve E : y^2 = x^3 + 46 x + 74 over F_97. We can do this using the Mathematica function FindEcPointSet, which encodes the technique above to find every point on the curve. Then for each point we can determine its order using the technique outlined at the end of chapter 3. This method is encoded in the Mathematica function EcPointOrderMod. The results of applying these methods to our example are shown in the table of Figure 3. Note that for each x there are two values of y, which are distinct unless y = 0. This is so because each solution has y^2 ≡ z (mod p) where z = x^3 + A x + B for a particular value of x, so if y_1^2 = z then (-y_1)^2 = z. There can be no other distinct solutions because the quadratic equation y^2 - z = 0 can have only two solutions. Observe that for each pair of points in Figure 3 with the same value of x we have y_2 ≡ -y_1 (mod p), so that the points (x, y_1), (x, y_2) are indeed inverses in E(F_p).

If we count these points we find 39 pairs of points (x, y_1), (x, y_2) where y_1 ≠ y_2. We also have one point, (57, 0), with y = 0. Including the identity ∞, there are a total of 2 · 39 + 1 + 1 = 80 points, so that #E(F_p) = 80. The last column in the table gives the order of each point. Notice also that each point order divides 80, the order of the group, as must be so by Lagrange's theorem.


Table 1 - Points for y^2 = x^3 + 46 x + 74 over F_97

 x   y1   y2   Ord(P)
 1   11   86     16
 4   15   82      4
 6    9   88     80
 8    9   88     40
 9   21   76     10
10   46   51      8
15   29   68     80
19   12   85     80
20   19   78     80
22   26   71      8
24    8   89     40
27   12   85     16
30   18   79     40
32   48   49     40
34   28   69     80
35    6   91     20
37    7   90     80
43   46   51     80
44   46   51     80
46    2   95     20
49   45   52      5
51   12   85     10
52   22   75     80
57    0    0      2
60   14   83     40
63   25   72     40
64   35   62     16
65   47   50     40
66   24   73     20
67   42   55     80
70    2   95     80
75   32   65     20
76   41   56     80
78    2   95     80
83    9   88     16
85    5   92     80
88   17   80     40
90   31   66      5
94   43   54     80
96   30   67     80


4.2 Overview of Schoof's Algorithm

The method for determining #E(F_p) outlined above is feasible only for small p. In modern cryptographic applications of elliptic curves the cardinality of the field is typically a number with at least 50 decimal digits. Thus there is a need for an efficient means of computing #E(F_p) for large primes p. René Schoof's 1985 paper entitled "Elliptic curves over finite fields and the computation of square roots mod p" details a polynomial time algorithm for determining #E(F_q). Versions of this algorithm, enhanced by Elkies and Atkin, have been used successfully for q with hundreds of decimal digits [3,6]. The following steps sketch the outline of Schoof's method.

Let E be an elliptic curve over F_q given by

(13) E : y^2 = x^3 + A x + B, where A, B ∈ F_q.

Hasse's Theorem tells us that the cardinality of the group of points is

(14) #E(F_q) = q + 1 - t, with |t| ≤ 2√q.

Let φ_q : E(F̄_q) → E(F̄_q) such that φ_q((x, y)) = (x^q, y^q). Note that this is a map of points with coordinates in the algebraic closure of F_q. Then φ_q is an endomorphism called the Frobenius map. It has the following property, crucial to Schoof's algorithm:

(15) φ_q^2 - t φ_q + q = 0 ∀ P ∈ E(F̄_q).

We can use (15) to compute t (mod p_i) for a set of L primes p_1, p_2, ..., p_L such that

K = Π_{i=1}^{L} p_i > 4√q.

The Chinese Remainder Theorem is then applied to compute the unique t mod K such that |t| ≤ 2√q.

Once we know t we can compute the order of the group as #E(F_q) = q + 1 - t. Schoof showed that this algorithm will run in time proportional to log^9 q, based on analysis of the number of elementary operations required. The following sections will explain the details of this algorithm, along with some important observations that permit its efficient implementation.


4.3 Hasse's Theorem

The following theorem, first proved by Helmut Hasse in 1933, places specific bounds on #E(F_q). Let E(F_q) be an elliptic curve over the finite field F_q with q = p^k, k ∈ ℤ^+ and p a prime. Then there exists a unique t ∈ ℤ such that

(16) #E(F_q) = q + 1 - t where |t| < 2√q.

Sketch of the Proof

Define the map (φ_q - 1) : E(F̄_q) → E(F̄_q); then the set of points in E(F̄_q) which are sent to the identity by this map is called the kernel. Then ker(φ_q - 1) = E(F_q), since φ_q is the identity on E(F_q). Further, since φ_q - 1 is separable,

#E(F_q) = #ker(φ_q - 1) = deg(φ_q - 1).

Now let t = q + 1 - #E(F_q). Then by Washington [7] Proposition 3.16, for r, s ∈ ℤ and gcd(s, q) = 1 we have

deg(r φ_q - s) = r^2 (deg φ_q) + s^2 deg(-1) + r s (deg(φ_q - 1) - deg(φ_q) - deg(-1))
               = r^2 q + s^2 + r s (#E(F_q) - q - 1)
               = r^2 q + s^2 + r s (q + 1 - t - q - 1).

So we can conclude that

(17) deg(r φ_q - s) = r^2 q + s^2 - r s t.

Since deg(r φ_q - s) ≥ 0 and s ≠ 0, dividing through by s^2 gives

(18) q (r/s)^2 - t (r/s) + 1 ≥ 0.

Having that the set of rational numbers r/s with gcd(s, q) = 1 is dense in ℝ implies that for all x ∈ ℝ we have

(19) q x^2 - t x + 1 ≥ 0.

So the quadratic (19) has no real roots, hence its discriminant is less than zero. Thus

t^2 - 4q < 0 ⇒ |t| < 2√q,

completing the proof of (16).


4.4 Reducing the problem to that for E(F_p)

A beautiful result due to André Weil, and explained in Washington [7] Theorem 4.12, shows that if we can compute #E(F_p), then we can compute #E(F_{p^n}) in a direct manner.

Let #E(F_p) = p + 1 - t. Write X^2 - t X + p = (X - a)(X - b). Then a^n + b^n ∈ ℤ and

(20) #E(F_{p^n}) = p^n + 1 - (a^n + b^n).

So we only need to use Schoof's Algorithm to solve for #E(F_p). Then we can compute #E(F_q) = #E(F_{p^n}) via (20). Of course, if p is a small prime, then it is easy to determine #E(F_p) by direct counting or other simple methods, so the complexity of Schoof's method would not be justified. Assuming p is large enough to warrant the use of Schoof's method, we may employ another useful result allowing us to determine the integer (a^n + b^n) without explicitly computing a and b. The following recursion relation computes s_n = (a^n + b^n), where

(21) s_0 = 2, s_1 = t, s_{n+1} = t s_n - p s_{n-1}.

The Mathematica function ComputeOrderEFq[t, p, n] implements equations (21) and (22).

For our example elliptic curve E : y^2 = x^3 + 46 x + 74 over F_97 we determined that #E(F_97) = 80. By Hasse's theorem #E(F_97) = p + 1 - t, so that 80 = 97 + 1 - t, hence t = 18. Then we can determine #E(F_{97^4}) using ComputeOrderEFq, giving #E(F_{p^4}) = 88531200.


4.5 Baby Step, Giant Step Method

One way to use Hasse's bound to compute #E(F_p) is based on Lagrange's theorem, which states that the order of any element of a finite group must divide the order of the group. Hence if we can find the order k of a point Q ∈ E(F_p), then the group order must be a multiple of k falling inside of Hasse's bounds. If we compute the order for several different points, then some common multiple of these orders must fall inside of Hasse's bounds. Let {k_i} be the set of orders of n points in E(F_p). By Hasse's theorem we have for some integer r that

p + 1 - 2√p < r · lcm({k_i}) < p + 1 + 2√p.

If there is only one r for which this is true, then we must have #E(F_p) = r · lcm({k_i}).

In order for this method to be efficient we need a high performance method to compute point orders, that is, a method far better than exhaustive search to find the smallest k such that k P = ∞ in E(F_p). The Baby Step-Giant Step method outlined in Washington [7] §4.3 provides such a method with runtime proportional to p^{1/4}.

Example 8 - Determining Group Order using Hasse's Theorem

For this example we again take E : y^2 = x^3 + A x + B over F_97. Since 9 < √97 < 10, Hasse's theorem gives

97 - 2 · 9 = 79 ≤ #E(F_q) ≤ 117 = 97 + 2 · 9.

We randomly found that P = (64, 35) is a point on the curve, and that |P| = 16. Since there are three multiples of 16 between 79 and 117, we need to choose another point. We randomly found a second point Q = (46, 95) with |Q| = 20. Then lcm(16, 20) = 80. Since 79 ≤ 80 ≤ 117 we can conclude that #E(F_q) = 80, in agreement with the direct counting method.


Chapter 5 - Schoof's Algorithm Implementation

"A four-year-old child could understand that. Run out and find me a four-year-old child, I can't make head or tail out of it." - Groucho Marx (Duck Soup, 1933)

In this chapter we present the algorithms that embody the key ideas of Schoof's method. For the curve given by E : y^2 = x^3 + A x + B over F_p, Hasse's theorem tells us that #E(F_p) = p + 1 - t. The main objective of Schoof's algorithm is to determine t (mod l) for a set of small primes l. For the case of l = 2 we have a special method, so we outline this first. For l > 2 we must employ more sophisticated mathematics, including the Frobenius endomorphism and the so-called division polynomials. We will examine these in more detail after describing the method for computing t (mod 2).


5.1 Computing t (mod 2)

As before, let E be an elliptic curve over the finite field F_p given by E : y^2 = x^3 + A x + B. A point P ∈ E(F_p) has order 2 if and only if P + P = ∞, which means that P = -P. As we have seen, this is true only if the y-coordinate of P is zero. Now y = 0 if and only if x^3 + A x + B = 0.

Suppose that there exists some e ∈ F_p such that e^3 + A e + B = 0; then (e, 0) ∈ E(F_p). Also, by the definition of elliptic curve addition, 2(e, 0) = ∞, so that (e, 0) ∈ E[2]. Then E(F_p) has a point of order 2, so that, by Lagrange's Theorem, #E(F_p) = p + 1 - t is even. Since p + 1 is even, t also is even, therefore t ≡ 0 (mod 2).

Alternatively, suppose that #E(F_q) is even. Then by Theorem 4.1 of Washington [7] either

E(F_p) ≅ ℤ_n or E(F_p) ≅ ℤ_{n_1} ⊕ ℤ_{n_2} with n, n_1, n_2 ∈ ℤ and n_1 | n_2.

If two groups are isomorphic, there is a 1-1 mapping between the elements of the two groups which preserves the group operation. This means, in particular, that if one has a nonzero point of order 2, then the other has a nonzero point of order 2.

If E(F_p) ≅ ℤ_n then n is even, because #E(F_p) is even. We know that ℤ_n is cyclic with generator 1, and 2 · (n/2 · 1) = n ≡ 0 (mod n), so n/2 is an element of ℤ_n of order 2. Therefore E(F_p) is cyclic with some generator P_g and 2 · (n/2 · P_g) = n P_g = ∞, so that P_2 = (n/2) P_g has order 2, therefore P_2 = (e, 0) for some e ∈ F_p.

Otherwise, E(F_p) ≅ ℤ_{n_1} ⊕ ℤ_{n_2} and n_1 · n_2 is even, so that either n_2 is even or n_1 is even, which implies that n_2 is even, because n_1 | n_2. So we have that (0, n_2/2) is a point of order 2 in ℤ_{n_1} ⊕ ℤ_{n_2}, therefore E(F_p) has a point of order 2, call it P_2. So we conclude that

#E(F_q) ≡ 0 (mod 2) ⇒ ∃ P_2 ∈ E(F_p) with 2 P_2 = ∞.

The contrapositive gives that if E(F_p) does not have a point of order 2, then #E(F_q) ≡ 1 (mod 2) ⇒ t ≡ 1 (mod 2). Hence to compute t (mod 2) it suffices to determine if x^3 + A x + B has a root in F_p.


5.2 Determining if x^3 + A x + B has a root in F_q

A basic theorem of algebra tells us that if g(x) is a polynomial of degree n with coefficients in F_p, then g(x) has n roots in F̄_p, the algebraic closure of F_p. In addition, if g(x) has no roots in common with g'(x), then the roots of g(x) are distinct.

Take g(x) = x^p - x. Then g'(x) = p x^{p-1} - 1 = -1, since p ≡ 0 (mod p), so g'(x) has no roots in F̄_p. Therefore the p roots of g(x) are distinct, and these are just the set of elements a of F̄_p satisfying a^p - a = 0. But 0 is a root, and the p - 1 nonzero elements of F_p^× all satisfy a^{p-1} = 1 by Fermat's little theorem, so every element of F_p is a root; since there are only p roots, the roots of g(x) are precisely the elements of F_p.

Then x^3 + A x + B has a root in F_p if and only if it has a root in common with g(x). So if gcd(x^3 + A x + B, x^p - x) = 1, then x^3 + A x + B has no root in F_p; else it has at least one such root. From a practical standpoint we can compute the reduced polynomial x̄^p ≡ x^p (mod x^3 + A x + B) using an efficient algorithm for modular polynomial exponentiation, and then compute

g = gcd(x^3 + A x + B, x^p - x) = gcd(x^3 + A x + B, x̄^p - x),

using the Euclidean algorithm for polynomials.

Given g, we determine t (mod 2) as

t ≡ 1 (mod 2) if g = 1, else t ≡ 0 (mod 2).

This method is encoded in the Mathematica function ComputeTModTwo.


Example 9 - Computation of t (mod 2)

We know from previous examples that for E : y^2 = x^3 + 46 x + 74 over F_97 we have #E(F_p) = 80. Hasse's theorem tells us that #E(F_p) = p + 1 - t, hence t = 18, so that t ≡ 0 (mod 2). By the previous discussion E(F_p) has a point of order two if and only if

gcd(x^p - x, x^3 + 46 x + 74) ≠ 1,

where we can compute x^p - x modulo x^3 + 46 x + 74. We find, using modular polynomial arithmetic, that

x^p (mod x^3 + 46 x + 74) = 30 x^2 + 60 x + 47.

Then using a modular polynomial version of the Euclidean algorithm we compute

gcd(30 x^2 + 59 x + 47, x^3 + 46 x + 74) = x + 40 ≠ 1.

Hence E(F_p) has at least one point of order two. In fact, the table in Figure 3 shows it has exactly one such point, namely P = (57, 0), thus #E(F_p) is even. Since #E(F_p) = p + 1 - t, and p + 1 = 98 is even, t is even. Hence t ≡ 0 (mod 2).


5.3 The Division Polynomials

In order to determine t (mod l_i) for primes l_i > 2, we need to make use of what are called the division polynomials for E : y^2 = x^3 + a x + b. These are polynomials which go to zero on points of a particular order. We define E[n] as the set of n-torsion points of an elliptic curve E : y^2 = x^3 + a x + b, that is, the set of points in E(F̄_p) with order dividing n, so that E[n] = {P ∈ E(F̄_p) | n P = ∞}. Note that this set includes points with coordinates in F̄_p, the algebraic closure of F_p.

With this definition the division polynomials ψ_n of an elliptic curve E are elements of F_p[x, y] with the property that ψ_n(x, y) = 0 if and only if (x, y) ∈ E[n]. The polynomials are defined recursively as follows.

ψ_0 = 0, ψ_1 = 1, ψ_2 = 2y,
ψ_3 = 3 x^4 + 6 a x^2 + 12 b x - a^2,
ψ_4 = 4y (x^6 + 5 a x^4 + 20 b x^3 - 5 a^2 x^2 - 4 a b x - 8 b^2 - a^3),
ψ_{2n} = ψ_n (ψ_{n+2} ψ_{n-1}^2 - ψ_{n-2} ψ_{n+1}^2) / (2y)    for n ∈ ℤ, n > 2,
ψ_{2n+1} = ψ_{n+2} ψ_n^3 - ψ_{n+1}^3 ψ_{n-1}    for n ∈ ℤ, n > 1.

Let's see why ψ_3 is the correct polynomial. First, if P = (x, y) ∈ E[3] then 3P = ∞, which means that 2P = -P, hence the x-coordinates of 2P and -P must be the same. Using Equations (11, 12) to compute 2P we find

x = λ^2 - 2x = (3 x^2 + A)^2 / (4 y^2) - 2x, so that

(-3x)(4 y^2) = -(9 x^4 + 6 A x^2 + A^2).

But y^2 = x^3 + A x + B, so that -12(x^4 + A x^2 + B x) = -(9 x^4 + 6 A x^2 + A^2). Collecting terms and multiplying through by -1 gives

3 x^4 + 6 A x^2 + 12 B x - A^2 = 0,

whose left-hand side is ψ_3. So if ψ_3 = 0 then 2P = ±P, meaning that P = ∞ or P is a point of order 3. In either case P ∈ E[3].

The division polynomials are polynomials in x, y. Using the elliptic curve equation we can replace y^2 with x^3 + A x + B. More generally, we can replace y^{2k} with (x^3 + A x + B)^k. This allows us to express the division polynomials as elements of F_p[x] or y F_p[x], so that no power of y greater than 1 will appear. It can be further proved that we can produce polynomials in F_p[x] with the following replacements:

f_n(x) = ψ_n(x, y)      if n is odd,
f_n(x) = ψ_n(x, y) / y  if n is even.

These polynomials, by definition, also have the property that f_n(x) = 0 if and only if x is the x-coordinate of a point of order n.


‡ 5.4 How many division polynomials?

How many division polynomials will we need for the execution of Schoof's algorithm? As noted in the outline of Schoof's algorithm in chapter 4, we need to test Equation (15) for a set of primes $\ell_i$ such that the product of these primes is greater than $4\sqrt{p}$. The function ComputePrimeSet determines this set. If the cardinality of $\{\ell_i\}$ is $k$, then $\psi_{k+2}$ is the highest order division polynomial required.

What is the relationship between $k$ and $p$? Figure 4 contains a plot of $\log_{10}[p]$ vs. $k$, which indicates that $k$ grows approximately logarithmically with $p$. The horizontal axis is the number of primes $k$, the vertical axis is the number of decimal digits in $p$, the size of $\mathbb{F}_p$. A statistical fit of this data gives the approximate relationship, for $k > 10$,

$$\log_{10}[p] = 0.012\,k^2 + 3.34\,k - 15.98.$$

Given that we wish to apply Schoof's algorithm to an elliptic curve over $\mathbb{F}_p$ we could use this graph to estimate the number of small primes $k$ that would be required.


Figure 3 - Number of digits in p vs. number of small primes.

ü Example 10 - Computation of the Division Polynomials

For our example $E : y^2 = x^3 + 46x + 74$ over $\mathbb{F}_{97}$, we first compute the set of small primes whose product is greater than $4\sqrt{97}$, such that $p \not\equiv 1 \pmod{\ell_i}$ for $\ell_i > 2$. The necessary primes are 2, 5, 7, whose product is $70 > 4\sqrt{97}$. Then $p \equiv 2 \pmod 5$, and $p \equiv 6 \pmod 7$. Therefore we will need division polynomials up to and including $\psi_9$, so we compute these at this time. Note that the odd numbered polynomials, such as $\psi_1, \psi_3, \ldots$ are polynomials in $x$ only, while the even numbered polynomials are polynomials in $x$ multiplied by $y$. More precisely $\psi_{2n+1} \in \mathbb{F}_p[x]$ and $\psi_{2n} \in y\,\mathbb{F}_p[x]$. For our sample curve we find that the first five division polynomials are

$$\psi_1(x, y) = 1,$$
$$\psi_2(x, y) = 2y,$$
$$\psi_3(x, y) = 18 + 15x + 82x^2 + 3x^4,$$
$$\psi_4(x, y) = \left(61 + 50x + 69x^2 + 3x^3 + 47x^4 + 4x^6\right) y,$$
$$\psi_5(x, y) = 23 + 67x + 11x^2 + 38x^3 + 77x^4 + 43x^5 + 93x^6 + 26x^7 + 47x^8 + 87x^9 + 39x^{10} + 5x^{12}.$$

With $E : y^2 = x^3 + 46x + 74$ over $\mathbb{F}_{97}$ we have that $(4, 15)$ is a point of order 4. Then we must have $f_n[4] = 0$ if and only if $4 \mid n$. To check the function ComputeDivisionPolynomials we calculate $f_n[4]$ for $2 \le n \le 8$, giving

$$f_2[4] = 2,\ f_3[4] = 24,\ f_4[4] = 0,\ f_5[4] = 47,\ f_6[4] = 25,\ f_7[4] = 22,\ f_8[4] = 0,$$

as expected, since $(4, 15) \in E[4]$ and $E[4] \subseteq E[8]$. Similarly the point $(90, 31)$ is of order 5 and we find

$$f_2[90] = 2,\ f_3[90] = 76,\ f_4[90] = 14,\ f_5[90] = 0,\ f_6[90] = 21,\ f_7[90] = 23.$$

So the division polynomials are correct, at least for this particular case.


‡ 5.5 Computing $nP$ with the Division Polynomials

If $P = (x, y)$ is a point in $E(\bar{\mathbb{F}}_p)$ then

$$nP = \left(x - \frac{\psi_{n-1}\,\psi_{n+1}}{\psi_n^2},\; \frac{\psi_{n+2}\,\psi_{n-1}^2 - \psi_{n-2}\,\psi_{n+1}^2}{4y\,\psi_n^3}\right). \tag{22}$$

It can be shown that multiplication by $n$ is an endomorphism $\mu_n$ of $E(\bar{\mathbb{F}}_p)$. This follows from the fact that $E(\bar{\mathbb{F}}_p)$ is an abelian group, so that $n(P + Q) = nP + nQ$. Since $nP = \infty$ if and only if $P \in E[n]$ we have that the kernel of $\mu_n$ is $E[n]$. Further, because $\mu_n$ is expressed as a separable rational polynomial of degree $n^2$, we have that $\#E[n] = \deg(\mu_n) = n^2$. For a proof of (21) see Washington [7] § 9.5.

It should be noted that Equation (21) does not provide an efficient way to compute $nP$ for specific points $P$. Rather, it provides the basis of proof for the characteristic equation of the Frobenius (15), one of the key equations used in Schoof's method.
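Sections 5.3 and 5.5 together, as an added Python example that is not the thesis's ComputeDivisionPolynomials or any other code of the thesis: it builds the reduced division polynomials $f_n \in \mathbb{F}_p[x]$ from the recursion with every $y^2$ replaced by $x^3 + ax + b$, reproduces the values of Example 10, and evaluates Equation (22) at a rational point to compute $nP$, cross-checked against repeated chord-and-tangent addition. It assumes $p > 3$ and affine points; the coefficient-list representation (lowest degree first) and all function names are this example's own.

```python
# Added example (not the thesis's code): reduced division polynomials f_n in F_p[x]
# from Section 5.3, and n*P from Equation (22) of Section 5.5, checked against
# repeated addition. Polynomials are coefficient lists, lowest degree first,
# for the curve y^2 = x^3 + a x + b over F_p with p > 3.

def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def padd(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(u + v) % p for u, v in zip(f, g)])

def pscale(f, c, p):
    return trim([(c * u) % p for u in f])

def pmul(f, g, p):
    h = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, u in enumerate(f):
        for j, v in enumerate(g):
            h[i + j] = (h[i + j] + u * v) % p
    return trim(h)

def ppow(f, e, p):
    r = [1]
    for _ in range(e):
        r = pmul(r, f, p)
    return r

def peval(f, x, p):
    """Horner evaluation of f at x in F_p."""
    r = 0
    for c in reversed(f):
        r = (r * x + c) % p
    return r

def division_polys(a, b, p, nmax):
    """f[0..nmax] with f[n] = psi_n (n odd) or psi_n / y (n even), every y^2
    replaced by F = x^3 + a x + b as in the replacements of Section 5.3."""
    F = [b % p, a % p, 0, 1]
    F2 = pmul(F, F, p)
    f = [[], [1], [2],
         [(-a * a) % p, (12 * b) % p, (6 * a) % p, 0, 3],
         pscale([(-8 * b * b - a ** 3) % p, (-4 * a * b) % p, (-5 * a * a) % p,
                 (20 * b) % p, (5 * a) % p, 0, 1], 4, p)]
    inv2 = pow(2, -1, p)
    for n in range(5, nmax + 1):
        m = n // 2
        if n % 2:  # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3, y^4 -> F^2
            t1 = pmul(f[m + 2], ppow(f[m], 3, p), p)
            t2 = pmul(f[m - 1], ppow(f[m + 1], 3, p), p)
            if m % 2 == 0:
                t1 = pmul(F2, t1, p)   # psi_m and psi_{m+2} are the even-index ones
            else:
                t2 = pmul(F2, t2, p)   # psi_{m-1} and psi_{m+1} are the even-index ones
            f.append(padd(t1, pscale(t2, -1, p), p))
        else:      # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / (2y)
            t1 = pmul(f[m + 2], ppow(f[m - 1], 2, p), p)
            t2 = pmul(f[m - 2], ppow(f[m + 1], 2, p), p)
            f.append(pscale(pmul(f[m], padd(t1, pscale(t2, -1, p), p), p), inv2, p))
    return f[:nmax + 1]

def psi_at(f, n, P, p):
    """psi_n at the point P = (x0, y0): f_n(x0), times y0 when n is even."""
    v = peval(f[n], P[0], p)
    return (v * P[1]) % p if n % 2 == 0 else v

def mul_by_n_divpoly(a, b, p, P, n):
    """n*P (n >= 2) from Equation (22); None is the point at infinity, reached
    exactly when psi_n(P) = 0, i.e. when P is n-torsion."""
    x0, y0 = P
    if y0 == 0:                                # P has order 2
        return None if n % 2 == 0 else P
    f = division_polys(a, b, p, n + 2)
    psi = [psi_at(f, i, P, p) for i in range(n + 3)]
    if psi[n] == 0:
        return None
    xn = (x0 - psi[n - 1] * psi[n + 1] * pow(psi[n] ** 2, -1, p)) % p
    num = psi[n + 2] * psi[n - 1] ** 2 - psi[n - 2] * psi[n + 1] ** 2
    return (xn, num * pow(4 * y0 * psi[n] ** 3, -1, p) % p)

def ec_add(a, p, P, Q):
    """Chord-and-tangent addition in affine coordinates; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(a, p, P, n):
    R = None                                   # n*P by repeated addition (reference)
    for _ in range(n):
        R = ec_add(a, p, R, P)
    return R
```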


‡ 5.6 The Frobenius Endomorphism

Let $\phi_q : E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q)$ with $\phi_q(x, y) = (x^q, y^q)$, called the Frobenius endomorphism. Since $a^q = a$ for all $a \in \mathbb{F}_q$ this map is the identity for points with coordinates in $\mathbb{F}_q$. Let $(x_1, y_1) \in E(\bar{\mathbb{F}}_q)$; then

$$y_1^2 = x_1^3 + Ax_1 + B \quad \text{in } \bar{\mathbb{F}}_q.$$

Now $\phi_q(x_1, y_1) = (x_1^q, y_1^q)$. Substituting this into the elliptic curve equation gives

$$\left(y_1^q\right)^2 = \left(y_1^2\right)^q = \left(x_1^3 + Ax_1 + B\right)^q.$$

However, for all $a, b \in \bar{\mathbb{F}}_q$ we have $(a + b)^q = a^q + b^q$ in $\bar{\mathbb{F}}_q$, so that

$$\left(y_1^q\right)^2 = \left(x_1^3\right)^q + A^q x_1^q + B^q = \left(x_1^q\right)^3 + Ax_1^q + B, \quad \text{since } A, B \in \mathbb{F}_q.$$

Hence $(x_1^q, y_1^q) = \phi_q(x_1, y_1) \in E(\bar{\mathbb{F}}_q)$, so that $\phi_q$ maps a point on the curve to another point on the curve.

Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$ be two points in $E(\bar{\mathbb{F}}_q)$ with $x_1 \neq x_2$; then with $\lambda = (y_2 - y_1)/(x_2 - x_1)$ we have

$$P + Q = (x_3, y_3) \quad \text{with} \quad x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1.$$

Using the same properties of $q$th powers in $\bar{\mathbb{F}}_q$ we have

$$\phi_q(P + Q) = \left(\lambda^{2q} - x_1^q - x_2^q,\; \lambda^q\left(x_1^q - x_3^q\right) - y_1^q\right),$$

with $\lambda^q = \left(y_2^q - y_1^q\right)/\left(x_2^q - x_1^q\right)$.

Therefore $\phi_q(P + Q) = \phi_q(P) + \phi_q(Q)$. It can also be shown that this holds for $Q = P$ and $Q = -P$, so that $\phi_q$ is a homomorphism from $E(\bar{\mathbb{F}}_q)$ to $E(\bar{\mathbb{F}}_q)$, hence an endomorphism.


‡ 5.7 The Characteristic Equation of the Frobenius

We now proceed to the equation that provides the foundation for Schoof's algorithm. Remember that $E[\ell]$ is the set of points in $E(\bar{\mathbb{F}}_q)$ whose order divides $\ell$. First we show that $E[\ell]$ is a subgroup of $E(\bar{\mathbb{F}}_q)$. Clearly $\infty \in E[\ell]$. If $P, Q \in E[\ell]$ then, because $E(\bar{\mathbb{F}}_q)$ is abelian, $\infty = \ell P + \ell Q = \ell(P + Q)$, so that $P + Q \in E[\ell]$. Finally,

$$\infty = \ell\,\infty = \ell\left(P + (-P)\right) = \ell P + \ell(-P) = \infty + \ell(-P) = \ell(-P),$$

therefore $-P \in E[\ell]$. Hence $E[\ell]$ is a subgroup of $E(\bar{\mathbb{F}}_q)$.

Since $E[\ell]$ is an abelian group of order $\ell^2$, it follows from the structure theorem for finite abelian groups that $E[\ell] \cong \mathbb{Z}_\ell \oplus \mathbb{Z}_\ell$. The integer $\ell$ is a prime, so that $\mathbb{Z}_\ell$ is a cyclic group generated by any number $1 \le a < \ell$, and there exist points $\beta_1, \beta_2 \in E[\ell]$ such that any point in $E[\ell]$ can be written as a $\mathbb{Z}_\ell$-linear combination $P = m_1\beta_1 + m_2\beta_2$ with $m_1, m_2 \in \mathbb{Z}_\ell$. Suppose $\alpha$ is any homomorphism of $E[\ell]$; then $\alpha(P) \in E[\ell]$ for all $P \in E[\ell]$ because $|\alpha(P)|$ divides $|P|$. Then, in particular, $\alpha(\beta_1) = s\beta_1 + t\beta_2$ and $\alpha(\beta_2) = u\beta_1 + v\beta_2$, so that

$$\alpha(P) = \alpha(m_1\beta_1 + m_2\beta_2) = m_1\alpha(\beta_1) + m_2\alpha(\beta_2) = m_1 s\beta_1 + m_1 t\beta_2 + m_2 u\beta_1 + m_2 v\beta_2.$$

We can express this in matrix form as

$$\alpha(P) = \begin{pmatrix} s & t \\ u & v \end{pmatrix}\begin{pmatrix} m_1\beta_1 \\ m_2\beta_2 \end{pmatrix}. \tag{23}$$

In particular, the action of the Frobenius on $E[\ell]$, denoted $\phi_{q,\ell}$, can be described by such a $2 \times 2$ matrix. Applied to $E[\ell]$ we have

$$\deg(\phi_q - 1) \equiv \det(\phi_{q,\ell} - I) \pmod \ell = (s - 1)(v - 1) - tu = sv - tu - (s + v) + 1.$$

But $sv - ut = \det(\phi_{q,\ell}) \equiv q \pmod \ell$ (by Washington [7] Proposition 3.15).

Then by Hasse's theorem, using $a$ instead of $t$ to avoid conflicting variable names, we have

$$\#\ker(\phi_q - 1) = q + 1 - a \equiv q - (s + v) + 1 \pmod \ell.$$

Hence we have the following congruences. First, $a \equiv s + v \pmod \ell$, the trace of $\phi_{q,\ell}$. Also $tu \equiv sv - q \pmod \ell$. We can now compute $(\phi_{q,\ell})^2 - a\,\phi_{q,\ell} + q$ using these congruences, so that

$$\begin{pmatrix} s & t \\ u & v \end{pmatrix}^2 - a\begin{pmatrix} s & t \\ u & v \end{pmatrix} + q\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} s^2 + tu & st + tv \\ su + uv & tu + v^2 \end{pmatrix} - \begin{pmatrix} as - q & at \\ au & av - q \end{pmatrix}$$

$$= \begin{pmatrix} s^2 + tu - as + q & st + tv - at \\ su + uv - au & v^2 + tu - av + q \end{pmatrix}.$$

Applying the congruences yields

$$\equiv \begin{pmatrix} s^2 + sv - q - (s + v)s + q & (s + v)t - (s + v)t \\ (s + v)u - (s + v)u & v^2 + sv - q - (s + v)v + q \end{pmatrix} \equiv \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix} \pmod \ell.$$

Therefore $(\phi_{q,\ell})^2 - a\,\phi_{q,\ell} + q \equiv 0 \pmod \ell$ for all $\ell$ such that $\gcd(\ell, q) = 1$. Since there are infinitely many choices for such $\ell$, the kernel of $\phi_q^2 + q - a\,\phi_q$ is not finite, hence, as stated in Equation (15),

$$\phi_q^2 + q - a\,\phi_q = 0 \quad \text{for all } P \in E(\bar{\mathbb{F}}_q).$$

In particular, if $P \in E[\ell]$ then

$$\phi_q^2 + k \equiv \tau\,\phi_q \pmod \ell, \quad \text{where } k \equiv q \pmod \ell \text{ and } \tau \equiv a \pmod \ell.$$

So for a particular point $P = (x, y) \in E[\ell]$ it must be true that


$$\left(x^{q^2}, y^{q^2}\right) + k(x, y) \equiv \tau\left(x^q, y^q\right) \pmod \ell, \tag{24}$$

where addition is performed in $E(\bar{\mathbb{F}}_q)$ using (9) through (12), and scalar point multiplication is performed using the division polynomials as in Equation (22). We can simplify the computation of (24) further by noting that if $(x, y) \in E[\ell]$ then the division polynomial $\psi_\ell(x, y) = 0$, so we can reduce (24) mod $\psi_\ell$ without changing the set of points which satisfy the equation.


‡ 5.8 Schoof's Algorithm: Case One

In order to use Equation (24) we must first test if $\phi_\ell^2 P = \pm kP$ for some $P \in E[\ell]$.

We can determine this by computing the test condition for the $x$-coordinate using Schoof (16):

$$x^{p^2} \equiv x - \frac{\psi_{k-1}\,\psi_{k+1}}{\psi_k^2} \pmod{f_\ell,\ p}.$$

This is true if and only if

$$p_{16}(x, y) = \left(x^{p^2} - x\right)\psi_k^2 + \psi_{k-1}\,\psi_{k+1} \equiv 0 \pmod{f_\ell,\ p}.$$

For $k$ even, $\psi_k = y f_k$, and since $y^2 = x^3 + ax + b$ we obtain

$$p_{16}(x) = \left(x^{p^2} - x\right) f_k^2(x)\left(x^3 + ax + b\right) + f_{k-1}(x)\,f_{k+1}(x).$$

For $k$ odd, $\psi_{k-1} = y f_{k-1}$ and $\psi_{k+1} = y f_{k+1}$, so that

$$p_{16}(x) = \left(x^{p^2} - x\right) f_k^2(x) + f_{k-1}(x)\,f_{k+1}(x)\left(x^3 + ax + b\right).$$

Notice that $p_{16}(x, y)$ is a polynomial in $x$ only. Hence if $\gcd(p_{16}(x), f_\ell(x)) \neq 1$ then some point $P$ exists in $E[\ell]$ which satisfies $\phi_\ell^2 P = \pm kP$, so we are in case 1. Otherwise we must proceed to case 2, where we test Equation (24) for various values of $\tau$.


‡ 5.9 Schoof Equation (17)

Given that $\phi_\ell^2 P = \pm kP$ for some $P \in E[\ell]$, then $t \in \{0, -2w, 2w\}$ where $w^2 \equiv k \pmod \ell$. This is shown as follows. Suppose $\phi_\ell^2 P = kP$; then, by Equation (24), we have $2k \equiv t\,\phi_\ell$. Squaring both sides gives $4k^2 = t^2\phi_\ell^2 = t^2 k$, so that $4k = t^2$; then we must have that $k$ is a quadratic residue. If so, find $w$ such that $w^2 \equiv k \pmod \ell$; then $4w^2 = t^2$, so that $t = \pm 2w$. Now we can compute $(\phi_\ell - w)(\phi_\ell + w) = \phi_\ell^2 - k = 0$, so $\phi_\ell P = \pm wP$.

If $k$ is not a quadratic residue, we cannot be in this case, hence $\phi_\ell^2 P = -kP$, so that $\phi_\ell^2 P + kP = 0 = t\,\phi_\ell P$ for all $P \in E[\ell]$, so that $t \equiv 0 \pmod \ell$.

We can test if $\phi_\ell P = \pm wP$ using the point multiplication formula (22) again, yielding for the $x$-coordinate the test

$$x^p \equiv x - \frac{\psi_{w-1}\,\psi_{w+1}}{\psi_w^2} \pmod{f_\ell,\ p}.$$

Multiplying through by $\psi_w^2$ produces Schoof equation (17),

$$p_{17}(x, y) = \left(x^p - x\right)\psi_w^2 + \psi_{w-1}\,\psi_{w+1}.$$

For $w$ even or odd this can be reduced to a polynomial in $x$ only, as in

$$p_{17}(x) = \left(x^p - x\right) f_w^2(x)\left(x^3 + ax + b\right) + f_{w-1}(x)\,f_{w+1}(x) \qquad (w \text{ even}),$$

$$p_{17}(x) = \left(x^p - x\right) f_w^2(x) + f_{w-1}(x)\,f_{w+1}(x)\left(x^3 + ax + b\right) \qquad (w \text{ odd}).$$

If $\gcd(p_{17}(x), f_\ell(x)) = 1$ then we must have $\phi_\ell^2 P = -kP$, so that $t \equiv 0 \pmod \ell$. Otherwise $t \equiv \pm 2w \pmod \ell$ and we test the $y$-coordinate of $\phi_\ell P = \pm wP$ to determine the sign.


‡ 5.10 Schoof Equation (18)

After we know that $\phi_\ell P = \pm wP$ we need to test the $y$-coordinate of $\phi_\ell P = wP$. Equation (22) gives for the $y$-coordinate

$$y^p \equiv \frac{\psi_{w+2}\,\psi_{w-1}^2 - \psi_{w-2}\,\psi_{w+1}^2}{4y\,\psi_w^3} \pmod{\psi_\ell,\ p}.$$

Multiplying through by the denominator of the right hand side and collecting terms gives

$$p_{18}(x, y) = 4\,\psi_w^3\,y^{p+1} - \psi_{w+2}\,\psi_{w-1}^2 + \psi_{w-2}\,\psi_{w+1}^2.$$

For $w$ even:

$$p_{18}(x) = 4\left(y^2\right)^{(p+3)/2} f_w^3(x) - f_{w+2}(x)\,f_{w-1}^2(x) + f_{w-2}(x)\,f_{w+1}^2(x).$$

For $w$ odd:

$$p_{18}(x) = 4\left(y^2\right)^{(p-1)/2} f_w^3(x) - f_{w+2}(x)\,f_{w-1}^2(x) + f_{w-2}(x)\,f_{w+1}^2(x).$$

Notice that $p_{18}(x)$ is also a polynomial in $x$ only, since all exponents of $y$ are even. If $\gcd(p_{18}(x), f_\ell(x)) = 1$ then there is no $P \in E[\ell]$ for which $\phi_\ell P = wP$, so $t \equiv -2w \pmod \ell$; else such a point exists and $t \equiv 2w \pmod \ell$. This completes the equations required to test for case 1.


‡ 5.11 Schoof's Algorithm: Case Two

If there is no $P \in E[\ell]$ such that $\phi_\ell^2 P = \pm kP$ then we are in case 2, so we need to test for each $\tau \in \mathbb{Z}/\ell\mathbb{Z}$ whether there exists $P \in E[\ell]$ such that (24) holds. In order to perform this test we apply addition formulas (5), (9) and (10) to compute polynomials representing

$$\left(x^{p^2}, y^{p^2}\right) + k(x, y),$$

where $k(x, y)$ is computed using the division polynomials and Equation (22). Since we are in case 2 we know that $x_1 \neq x_2$, so we can compute $\lambda = (y_2 - y_1)/(x_2 - x_1)$. We find

$$y_2 - y_1 = \frac{\psi_{k+2}\,\psi_{k-1}^2 - \psi_{k-2}\,\psi_{k+1}^2}{4y\,\psi_k^3} - y^{p^2},$$

$$x_2 - x_1 = x - \frac{\psi_{k-1}\,\psi_{k+1}}{\psi_k^2} - x^{p^2}.$$

So then

$$\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{\psi_{k+2}\,\psi_{k-1}^2 - \psi_{k-2}\,\psi_{k+1}^2 - 4\,\psi_k^3\,y^{p^2 + 1}}{4y\,\psi_k\left(-\psi_{k-1}\,\psi_{k+1} - \psi_k^2\left(x^{p^2} - x\right)\right)}.$$

Put $\lambda = \alpha/\beta$; then

$$\alpha = \psi_{k+2}\,\psi_{k-1}^2 - \psi_{k-2}\,\psi_{k+1}^2 - 4\,\psi_k^3\,y^{p^2 + 1}$$

and

$$\beta = 4y\,\psi_k\left(\psi_k^2\left(x - x^{p^2}\right) - \psi_{k-1}\,\psi_{k+1}\right).$$

For $k$ even we have

$$\alpha = y\left(f_{k+2}\,f_{k-1}^2 - f_{k-2}\,f_{k+1}^2 - 4\,f_k^3\,y^{p^2 + 3}\right)$$

and

$$\beta = 4y^2 f_k\left(y^2 f_k^2\left(x - x^{p^2}\right) - f_{k-1}\,f_{k+1}\right).$$

Otherwise, for $k$ odd,

$$\alpha = y^2\left(f_{k+2}\,f_{k-1}^2 - f_{k-2}\,f_{k+1}^2\right) - 4\,f_k^3\,y^{p^2 + 1}$$

and

$$\beta = y\left(4 f_k\left(f_k^2\left(x - x^{p^2}\right) - y^2 f_{k-1}\,f_{k+1}\right)\right).$$

We use these equations for $\alpha$ and $\beta$ to formulate the tests of Schoof equations (19).


‡ 5.12 Schoof Equation (19x)

Using the equations we just derived for $\lambda = \alpha/\beta$ we can now compute the addition of points using Equation (22), so that if

$$(x_3, y_3) = \left(x^{p^2}, y^{p^2}\right) + k(x, y)$$

then $x_3$ is given by

$$x_3 = \lambda^2 - x_1 - x_2 = \frac{\alpha^2}{\beta^2} - \left(x^{p^2} + x\right) + \frac{\psi_{k-1}\,\psi_{k+1}}{\psi_k^2}.$$

Also $y_3$ is given by

$$y_3 = \lambda\left(2x_1 + x_2 - \lambda^2\right) - y_1 = \frac{\alpha}{\beta}\left(2x^{p^2} + x - \frac{\psi_{k-1}\,\psi_{k+1}}{\psi_k^2} - \frac{\alpha^2}{\beta^2}\right) - y^{p^2}.$$

Further, since $\psi_n(x^p, y^p) = \psi_n(x, y)^p$ we have

$$\tau\left(x^p, y^p\right) = \left(\left(x - \frac{\psi_{\tau-1}\,\psi_{\tau+1}}{\psi_\tau^2}\right)^p,\; \left(\frac{\psi_{\tau+2}\,\psi_{\tau-1}^2 - \psi_{\tau-2}\,\psi_{\tau+1}^2}{4y\,\psi_\tau^3}\right)^p\right).$$

Then (23) holds if and only if (for the $x$-coordinate)

$$\frac{\alpha^2}{\beta^2} - \left(x^{p^2} + x\right) + \frac{\psi_{k-1}\,\psi_{k+1}}{\psi_k^2} = \left(x - \frac{\psi_{\tau-1}\,\psi_{\tau+1}}{\psi_\tau^2}\right)^p.$$

Expanding and clearing the (nonzero) denominators gives

$$\psi_\tau^{2p}\left(\alpha^2\psi_k^2 - \beta^2\psi_k^2\left(x^{p^2} + x\right) + \beta^2\,\psi_{k-1}\,\psi_{k+1}\right) = \psi_k^2\,\beta^2\left(\psi_\tau^{2p}\,x^p - \left(\psi_{\tau-1}\,\psi_{\tau+1}\right)^p\right).$$

Bringing everything to the left hand side we have

$$p_{19x}(x, y) = \psi_\tau^{2p}\left(\beta^2\left(\psi_{k-1}\,\psi_{k+1} - \psi_k^2\left(x^{p^2} + x^p + x\right)\right) + \alpha^2\psi_k^2\right) + \psi_k^2\,\beta^2\left(\psi_{\tau-1}\,\psi_{\tau+1}\right)^p = 0,$$

which is Schoof equation (19) for the $x$-coordinate. Since we are testing this equation for points in $E[\ell]$ we perform all of the polynomial arithmetic modulo $\psi_\ell$.

Now there exists a point in $E[\ell]$ satisfying $p_{19x}$ if and only if $\gcd(p_{19x}, f_\ell) \neq 1$. If such a point exists, then $t \equiv \pm\tau \pmod \ell$. We use Schoof equation (19y), explained in the next section, to determine the sign of $\tau$.


‡ 5.13 Schoof Equation (19y)

Once we know that there exists $(x, y) \in E[\ell]$ such that

$$\left(x^{p^2}, y^{p^2}\right) + k(x, y) = \pm\tau\left(x^p, y^p\right),$$

we must test the $y$-coordinate to determine the sign of $\tau$. We have from the previous section

$$y_3 = \frac{\alpha}{\beta}\left(2x^{p^2} + x - \frac{\psi_{k-1}\,\psi_{k+1}}{\psi_k^2} - \frac{\alpha^2}{\beta^2}\right) - y^{p^2}.$$

Then if (24) holds for the $y$-coordinate we have

$$\frac{\alpha}{\beta}\left(2x^{p^2} + x - \frac{\psi_{k-1}\,\psi_{k+1}}{\psi_k^2} - \frac{\alpha^2}{\beta^2}\right) - y^{p^2} = \left(\frac{\psi_{\tau+2}\,\psi_{\tau-1}^2 - \psi_{\tau-2}\,\psi_{\tau+1}^2}{4y\,\psi_\tau^3}\right)^p.$$

Multiplying through by $\beta^3\,\psi_k^2\,4y^p\,\psi_\tau^{3p}$ to clear the denominators we have

$$4y^p\,\psi_\tau^{3p}\left(\alpha\beta^2\left(\psi_k^2\left(2x^{p^2} + x\right) - \psi_{k-1}\,\psi_{k+1}\right) - \psi_k^2\left(\alpha^3 + \beta^3 y^{p^2}\right)\right) = \beta^3\,\psi_k^2\left(\psi_{\tau+2}\,\psi_{\tau-1}^2 - \psi_{\tau-2}\,\psi_{\tau+1}^2\right)^p.$$

Rearranging gives for Schoof (19y) (corrected)

$$p_{19y}(x, y) = 4 f_\tau^{3p}\,y^p\left(\left(\left(2x^{p^2} + x\right)\alpha\beta^2 - \beta^3 y^{p^2} - \alpha^3\right) f_k^2 - \alpha\beta^2 f_{k-1}\,f_{k+1}\right) - \beta^3 f_k^2\left(f_{\tau-1}^2\,f_{\tau+2} - f_{\tau-2}\,f_{\tau+1}^2\right)^p.$$

For $k$ even, $\tau$ even, we must take $\alpha \to y\alpha$, so that

$$p_{19y}(x) = 4 f_\tau^{3p}\,y^{3p-1}\left(\left(\left(2x^{p^2} + x\right)\alpha\beta^2 - \beta^3 y^{p^2-1} - y^2\alpha^3\right) y^2 f_k^2 - \alpha\beta^2 f_{k-1}\,f_{k+1}\right) - \beta^3 f_k^2\left(f_{\tau-1}^2\,f_{\tau+2} - f_{\tau-2}\,f_{\tau+1}^2\right)^p.$$

For $k$ even, $\tau$ odd,

$$p_{19y}(x) = 4 f_\tau^{3p}\left(\left(\left(2x^{p^2} + x\right)\alpha\beta^2 - \beta^3 y^{p^2-1} - \alpha^3 y^2\right) y^2 f_k^2 - \alpha\beta^2 f_{k-1}\,f_{k+1}\right) - \beta^3 f_k^2\,y^{p+1}\left(f_{\tau-1}^2\,f_{\tau+2} - f_{\tau-2}\,f_{\tau+1}^2\right)^p.$$

For $k$ odd, $\tau$ even, we must take $\beta \to y\beta$, so that

$$p_{19y}(x) = 4 f_\tau^{3p}\,y^{3p-3}\left(\left(\left(2x^{p^2} + x\right)\alpha y^2\beta^2 - \beta^3 y^{p^2+3} - \alpha^3\right) f_k^2 - \alpha y^2\beta^2 f_{k-1}\,f_{k+1}\right) - \beta^3 f_k^2\left(f_{\tau-1}^2\,f_{\tau+2} - f_{\tau-2}\,f_{\tau+1}^2\right)^p.$$

For $k$ odd, $\tau$ odd,

$$p_{19y}(x) = 4 f_\tau^{3p}\left(\left(\left(2x^{p^2} + x\right)\alpha y^2\beta^2 - \beta^3 y^{p^2+3} - \alpha^3\right) f_k^2 - \alpha y^2\beta^2 f_{k-1}\,f_{k+1}\right) - \beta^3 f_k^2\,y^{p+3}\left(f_{\tau-1}^2\,f_{\tau+2} - f_{\tau-2}\,f_{\tau+1}^2\right)^p.$$

Now if $\gcd(p_{19y}, f_\ell) \neq 1$ then $E[\ell]$ has a point satisfying $\phi_\ell^2 P + kP = \tau\,\phi_\ell P$, so that $t \equiv \tau \pmod \ell$; else $t \equiv -\tau \pmod \ell$.


‡ 5.14 Schoof's Algorithm Summary

We can now summarize Schoof's algorithm for $E : y^2 = x^3 + ax + b$ over $\mathbb{F}_p$ as follows. By Hasse's theorem we have $\#E(\mathbb{F}_p) = p + 1 - t$.

1. If $\gcd(x^3 + ax + b,\ x^p - x) = 1$ then $t \equiv 1 \pmod 2$, else $t \equiv 0 \pmod 2$.
2. Create a set of small primes $S = \{\ell_i\}$ such that $\prod_{i=1}^{L} \ell_i > 4\sqrt{p}$.
3. Compute the first $\ell_L + 2$ division polynomials $\psi_k$.
4. For each $\ell \in S$, compute $k \equiv p \pmod \ell$.
5. If $\gcd(p_{16}, f_\ell) \neq 1$ then there exists $P \in E[\ell]$ such that $\phi_\ell^2 P = \pm kP$.
6. If $k$ is not a quadratic residue mod $\ell$, then $t \equiv 0 \pmod \ell$, else
7. Compute $w$ such that $w^2 \equiv k \pmod \ell$.
8. If $\gcd(p_{17}, f_\ell) = 1$ then $t \equiv 0 \pmod \ell$, else
9. If $\gcd(p_{18}, f_\ell) \neq 1$ then $t \equiv 2w \pmod \ell$, else $t \equiv -2w \pmod \ell$.
10. else we are in case two.
11. For each $\tau \le (\ell + 1)/2$
12. If $\gcd(p_{19x}, f_\ell) \neq 1$ then $\phi_p^2 + k \equiv \pm\tau\,\phi_p \pmod \ell$
13. for some point in $E[\ell]$, so we test
14. If $\gcd(p_{19y}, f_\ell) \neq 1$ then $t \equiv \tau \pmod \ell$, else $t \equiv -\tau \pmod \ell$.
15. Next $\tau$.
16. Next $\ell$.
17. At this point we have computed $t \pmod{\ell_i}$ for all $\ell_i \in S$,
18. so we use the Chinese Remainder Theorem to compute
19. $T \equiv t \pmod N$ where $N = \prod_{i=1}^{L} \ell_i$.
20. If $T$ is within Hasse's bounds then $t = T$, else $t \equiv -T \pmod N$, and
21. $\#E(\mathbb{F}_p) = p + 1 - t$.

This completes the description of Schoof's algorithm.


Chapter 6 - Results of Running Schoof's Algorithm

This chapter contains the results of running our implementation of Schoof's algorithm for several different elliptic curves. We present detailed results for one particular curve and then summarize the results for other curves in Table 1. We conclude this section with a discussion of lessons learned from these experiments.

‡ 6.1 A Detailed Example

For our example curve $E : y^2 = x^3 + 46x + 74$ over $\mathbb{F}_{97}$, Schoof's algorithm produces the following results. First, since $\lceil 4\sqrt{p} \rceil = 40$, we need a product of small primes at least this large, so the algorithm selects the primes $\{2, 5, 7\}$, with $\prod \ell_i = 70$. Also $9 < \sqrt{97} < 10$, so Hasse's theorem gives $79 \le \#E(\mathbb{F}_q) \le 117$.

The next step is to compute $t \pmod 2$. For this step we find

$$x^p \pmod{x^3 + ax + b} = 47 + 60x + 30x^2 \quad \text{and} \quad \gcd\left(x^p - x,\ x^3 + ax + b\right) = 40 + x.$$

Since the gcd is not equal to 1, $E[2]$ is not empty, so $t \equiv 0 \pmod 2$.

Next we test $\phi_p^2 P = \pm kP$ for $k \equiv p \pmod 5$ and we find

$$f_5 = 23 + 67x + 11x^2 + 38x^3 + 77x^4 + 43x^5 + 93x^6 + 26x^7 + 47x^8 + 87x^9 + 39x^{10} + 5x^{12},$$

$$p_{16} = 7 + 91x + 40x^2 + 24x^3 + 81x^4 + 69x^5 + 43x^6 + 45x^7 + 39x^8 + 14x^9 + 30x^{10} + 79x^{11},$$

$$\gcd(p_{16}, f_\ell) = 1.$$

Hence there is no point in $E[5]$ satisfying $\phi_p^2 P = \pm kP$, so we proceed to case two.

Next we test $\phi_p^2 + k = \tau\,\phi_p$ until we find for $\tau = 2$ that

$$p_{19x} \equiv 0 \pmod{f_\ell,\ p} \quad \text{and}$$

$$\gcd(p_{19x}, f_\ell) = 23 + 67x + 11x^2 + 38x^3 + 77x^4 + 43x^5 + 93x^6 + 26x^7 + 47x^8 + 87x^9 + 39x^{10} + 5x^{12}.$$

Since the gcd is not equal to 1, we know that $t = \pm 2$, so we compute

$$p_{19y} = 39 + 52x + 48x^2 + 33x^3 + 91x^4 + 3x^5 + 23x^6 + 59x^7 + 16x^8 + 37x^9 + 33x^{10} + 74x^{11},$$

$$\gcd(p_{19y}, f_\ell) = 1.$$

Since this gcd is 1, there is no point in $E[5]$ satisfying $\phi_p^2 + k = \tau\,\phi_p$, so we must have $t \equiv -2 \pmod 5 \equiv 3 \pmod 5$. Similarly, for $\ell = 7$ we find at $\tau = 3$ that $\gcd(p_{19x}, f_7) \neq 1$ and $\gcd(p_{19y}, f_7) = 1$, so that $t \equiv -3 \pmod 7 \equiv 4 \pmod 7$. Thus we have the following set of simultaneous congruences.

$$t \equiv 0 \pmod 2, \quad t \equiv 3 \pmod 5, \quad t \equiv 4 \pmod 7.$$

Using the Chinese Remainder Theorem we find that the smallest positive integer satisfying this set of congruences is $t = 18$. Since $p + 1 - t = 80$ and 80 is within Hasse's bounds, we can conclude $\#E(\mathbb{F}_p) = 80$.


‡ 6.2 Other Experiments

For many other curves our implementation of Schoof's method also produces the correct results, as verified by point counting. For the curve E : y^2 = x^3 + 1333 x + 1129 over F_3571, however, the computed point order is incorrect. The correct order, as determined by direct numerical tests, is 3559, giving t = 13, so that t ≡ 1 (mod 2), t ≡ 2 (mod 11) and t ≡ 0 (mod 13). Our implementation of Schoof's algorithm wrongly determines that t ≡ -2 (mod 11). Analysis of this problem indicates that the most likely source of the error is an incorrect computation for the y-coordinate part of Schoof equation (19). We are continuing efforts to resolve this issue.
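The checks a reader would want to repeat from Sections 6.1 and 6.2, as an added Python example (not the thesis's Mathematica code): the t (mod 2) step via x^p mod (x^3 + a x + b) and a gcd, the Chinese Remainder step, and the exhaustive point count that confirms #E(F_97) = 80 and exposes the wrong residue mod 11 for the curve over F_3571. The small F_p[x] toolkit and all function names are mine.

```python
# Added example: Schoof's first step (t mod 2), the CRT step and an
# exhaustive point count, for the curves of Sections 6.1 and 6.2.
# Polynomials over F_p are coefficient lists, lowest degree first.


def trim(f, p):
    """Reduce coefficients mod p and drop leading zeros."""
    f = [c % p for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_mul(f, g, p):
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] += fi * gj
    return trim(out, p)


def poly_rem(f, g, p):
    """Remainder of f modulo the nonzero polynomial g in F_p[x]."""
    f, g = trim(f, p), trim(g, p)
    inv_lead = pow(g[-1], p - 2, p)
    while len(f) >= len(g):
        coef = f[-1] * inv_lead % p
        shift = len(f) - len(g)
        for i, gi in enumerate(g):
            f[shift + i] = (f[shift + i] - coef * gi) % p
        f = trim(f, p)
    return f


def poly_gcd(f, g, p):
    """Monic gcd in F_p[x] by Euclid's algorithm."""
    f, g = trim(f, p), trim(g, p)
    while g:
        f, g = g, poly_rem(f, g, p)
    inv_lead = pow(f[-1], p - 2, p)
    return [c * inv_lead % p for c in f]


def x_pow_mod(e, modulus, p):
    """x^e mod (modulus, p) by square-and-multiply."""
    result, base = [1], [0, 1]
    while e:
        if e & 1:
            result = poly_rem(poly_mul(result, base, p), modulus, p)
        base = poly_rem(poly_mul(base, base, p), modulus, p)
        e >>= 1
    return result


def t_mod_2(a, b, p):
    """t ≡ 0 (mod 2) iff E has a rational 2-torsion point, i.e. iff
    gcd(x^p - x, x^3 + a x + b) != 1.  Returns (t mod 2, monic gcd)."""
    cubic = [b % p, a % p, 0, 1]
    diff = x_pow_mod(p, cubic, p)
    diff += [0] * (2 - len(diff))
    diff[1] = (diff[1] - 1) % p            # subtract x
    g = poly_gcd(diff, cubic, p)
    return (0 if len(g) > 1 else 1), g


def crt(pairs):
    """Smallest z >= 0 with z ≡ r (mod n) for each (r, n); moduli coprime."""
    big_n = 1
    for _, n in pairs:
        big_n *= n
    z = 0
    for r, n in pairs:
        a_i = big_n // n
        z += r * a_i * pow(a_i, -1, n)     # e_i = a_i * (a_i^-1 mod n_i)
    return z % big_n


def count_points(a, b, p):
    """#E(F_p) by exhaustive search, using Euler's criterion for each x."""
    total = 1                              # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            total += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2
    return total


def trace_residues(a, b, p, primes):
    """t = p + 1 - #E(F_p) from the count, with t mod each prime l."""
    t = p + 1 - count_points(a, b, p)
    return t, [(t % l, l) for l in primes]


if __name__ == "__main__":
    print("t mod 2 and gcd for the F_97 curve:", t_mod_2(46, 74, 97))
    print("CRT of t = 0 (2), 3 (5), 4 (7):", crt([(0, 2), (3, 5), (4, 7)]))
    print("#E(F_97) by counting:", count_points(46, 74, 97))
    print("F_3571 curve, t and residues:",
          trace_residues(1333, 1129, 3571, [2, 11, 13]))
```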

Table 1 summarizes the results of running Schoof's algorithm on several curves. The first column describes the curve y^2 = x^3 + A x + B over F_p by giving A, B, p. The second column shows the results of computing t_i ≡ t (mod l_i) as pairs {t_i, l_i}. The third column gives the unique t within Hasse's bounds that satisfies the congruences of column two. #E(F_p) is then computed as p + 1 - t.

Table 2 - Results from Schoof's Algorithm

    A, B, p            t (mod l_i)                        t     #E(F_p)   Correct
    13, 215, 229       {0, 2}, {0, 5}, {4, 7}            -10   240       yes
    106, 166, 197      {0, 2}, {2, 3}, {0, 5}, {1, 11}   -10   208       yes
    31, 16, 137        {1, 2}, {0, 3}, {4, 5}, {2, 7}      9   129       yes
    503, 367, 523      {1, 2}, {0, 5}, {6, 7}, {7, 11}   -15   539       yes
    1333, 1129, 3571   {1, 2}, {9, 11}, {0, 13}          -13   3585      no


6.3 Discussion of Results

Schoof's method, as implemented here, has only educational value. This is so for several reasons. First, as noted in references [3,6], the practicality of the algorithm is greatly limited by the quadratic growth of the degree of the division polynomials. For example, for an elliptic curve over F_p where p has 200 digits, we must perform modular polynomial arithmetic using the 55th division polynomial, which produces intermediate products of degree greater than 9 × 10^6. The improvements due to Elkies and Atkin, often called the SEA algorithm, reduce the growth of the degree of the division polynomials to nearly linear, making the method applicable to elliptic curves with cryptographic utility. Another limiting factor is the performance of modular polynomial arithmetic in Mathematica. Even for the small problems presented in this section, the run-time of our implementation exceeded 10 minutes. Finally, the current implementation is limited by an apparent software bug in the implementation of Schoof equation (19y).

On the other hand, the major advantage of our implementation is as an exploration tool. All of the algorithms we implemented are well documented and rely only on low-level Mathematica functions, making the operation of the algorithms transparent and open to experimentation. The author plans to correct the programming deficiencies just cited and to make this suite of elliptic curve functions available as a Mathematica package.


Chapter 7 - Applications

7.1 The Elliptic Curve Discrete Log Problem

One way to apply elliptic curve methods to cryptography is via the discrete log problem, which can be described as follows. Suppose G is a group of finite order and g, q are elements of G. Then suppose there exists an integer k such that q = g^k. Given the elements g, q we are asked to find the corresponding exponent k. Since this looks similar to taking logarithms, we call this the discrete log problem or the DLP. For example, we could choose G = F_q^×, the multiplicative group of the finite field F_q.

If G is a finite abelian group and g is an element of the group, then for any integer k we define k · g = g + g + ... + g (a total of k times). If q = k · g and we give someone the two elements g, q and ask them to find the integer k, then we have given them the discrete log problem in additive notation. Since the elements of E(F_q) form an abelian group, we can state the discrete log problem for elliptic curves in the following way. Given two points P, Q ∈ E(F_q) with Q = k P, find k. For a given field order q, this problem is understood to be more difficult than the equivalent problem in F_q^×.

7.2 Anomalous Curves and the MOV Attack

An elliptic curve is called anomalous if #E(F_q) = q. When this occurs, the discrete log problem for the group E(F_q) can be solved in linear time using an algorithm by Satoh and Araki, outlined in Washington [7] § 5.4.

The MOV attack, first presented by Menezes, Okamoto and Vanstone, uses the Weil pairing to convert the discrete log problem for E(F_q) into a discrete log problem for F_{q^s}. When q, the characteristic of the field, divides the trace of the Frobenius t, then s will be small. In this case the index calculus can be used to attack the DLP in F_{q^s} (Washington [7] § 5.3). Hence, when selecting an elliptic curve for cryptographic applications, it is important to determine the order of the resulting group to avoid cases which simplify the discrete log problem for potential eavesdroppers. René Schoof's method, and in particular its extensions, provide a way of efficiently determining #E(F_q) for large integers q, thus assisting in the creation of secure codes.
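Added Python example (not from the thesis) of the curve-selection checks that Section 7.2 motivates, run on the group orders computed in Chapter 6: whether the curve is anomalous, whether q divides the trace, and the smallest s with q^s ≡ 1 (mod r) for the largest prime factor r of #E(F_q), which is the degree of the extension field F_{q^s} that the MOV reduction maps the DLP into. Function names are mine; the orders 80 and 3559 are the ones the thesis reports.

```python
# Added example: curve-selection checks motivated by Section 7.2, run on
# the group orders the thesis computed.  Function names are mine.


def largest_prime_factor(n):
    """Trial division; adequate for the small group orders in Table 2."""
    result, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            result, n = d, n // d
        d += 1
    return n if n > 1 else result


def embedding_degree(q, r, max_s=100):
    """Smallest s <= max_s with q^s ≡ 1 (mod r), or None if there is none
    that small.  This s is the degree of the extension F_{q^s} into which
    the MOV reduction maps a DLP in a subgroup of prime order r."""
    if r == 1 or q % r == 0:
        return None
    acc = 1
    for s in range(1, max_s + 1):
        acc = acc * q % r
        if acc == 1:
            return s
    return None


def dlp_weakness_report(q, n):
    """n = #E(F_q).  Flags the two weak cases discussed in Section 7.2."""
    t = q + 1 - n                            # trace of Frobenius
    r = largest_prime_factor(n)
    return {
        "trace": t,
        "anomalous": n == q,                 # Satoh-Araki applies
        "q_divides_trace": t % q == 0,       # the case the thesis ties to small s
        "largest_prime_factor": r,
        "embedding_degree": embedding_degree(q, r),
    }


if __name__ == "__main__":
    # Section 6.1: #E(F_97) = 80 for y^2 = x^3 + 46 x + 74
    print(dlp_weakness_report(97, 80))
    # Section 6.2: #E(F_3571) = 3559 for y^2 = x^3 + 1333 x + 1129
    print(dlp_weakness_report(3571, 3559))
```

For the toy curve over F_97 the report shows s = 4, so its DLP moves into F_{97^4}; the curve over F_3571 has prime order 3559 and no small s.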


References

[1] Brown, Ezra, Square Roots from 1; 24, 51, 10 to Dan Shanks, College Math Journal (1999).

[2] Dummit, D. and Foote, R., Abstract Algebra, John Wiley and Sons (2004).

[3] Lercier, R. and Morain, F., Counting the number of points on elliptic curves over finite fields: strategies and performances, Advances in Cryptology, Proc. Eurocrypt '95, LNCS 921, L. C. Guillou and J. J. Quisquater, Eds., Springer-Verlag (1995), pp. 79-94.

[4] Rosen, Kenneth H., Elementary Number Theory and its Applications, Addison-Wesley (2000).

[5] Schoof, René, Elliptic curves over finite fields and the computation of square roots mod p, Mathematics of Computation, Vol. 44, No. 170 (1985), pp. 482-494.

[6] Schoof, René, Counting points on elliptic curves over finite fields, Journal de Théorie des Nombres de Bordeaux 7 (1995), pp. 219-254.

[7] Washington, Lawrence, Elliptic Curves: Number Theory and Cryptography, Chapman & Hall (2003).


Appendix A - Dictionary of Our Mathematica Functions for Elliptic Curves

This section gives a summary of the Mathematica functions we developed in order to implement, test and explain Schoof's algorithm. Many of these functions have value independent of Schoof's method and may be useful for other elliptic curve computation projects.

Number Theoretic Functions

EuclideanAlgorithm[a, b]
    Computes the greatest common divisor d of the two integers a, b.

ExtendedEuclideanAlgorithm[a, b]
    Computes d = gcd(a, b) and returns {d, r, s} such that d = r a + s b.

MultiplicativeInverse[a, p]
    Computes b such that a b ≡ 1 (mod p).

ModularExponentiation[a, n, p]
    Computes a^n (mod p).

SquareRootModPShanksTonelli[a, p]
    Computes c such that c^2 ≡ a (mod p) if a is a quadratic residue mod p.

EcAddMod[{a, b}, P1, P2, p]
    Computes P1 + P2 using elliptic curve addition in E : y^2 = x^3 + a x + b over F_p.

EcPowerMod[{a, b}, Q, k, p]
    Computes k Q in E : y^2 = x^3 + a x + b over F_p.

DetermineChineseRemainder[t]
    Uses the Chinese Remainder Theorem to solve the set of congruences z ≡ r_i (mod n_i) for i = 1, 2, ..., k for the unknown z, where these congruences are represented by the set of ordered pairs t = {{r1, n1}, {r2, n2}, ..., {rk, nk}}.


Elliptic Curve Functions

EcAdd[{a, b}, P, Q]
    Adds the points P, Q on the elliptic curve E : y^2 = x^3 + a x + b.

IsEcQ[{a, b}, p]
    Returns True if E : y^2 = x^3 + a x + b is an elliptic curve, that is, if E has nonzero discriminant modulo p.

EcPointQ[{a, b}, {x, y}, p]
    Returns True if (x, y) satisfies y^2 = x^3 + a x + b in F_p.

EcAddMod[{a, b}, P, Q, p]
    Adds the points P, Q on the elliptic curve E : y^2 = x^3 + a x + b over F_p.

EcPowerMod[{a, b}, Q, k, p]
    Computes k Q on the elliptic curve E : y^2 = x^3 + a x + b over F_p.

EcPointOrderMod[{a, b}, Q, p, m]
    Determines the value of k ≤ m for which k Q = ∞, if any.

FindEcPointSet[{a, b}, p]
    Determines all points in E(F_p) for the curve y^2 = x^3 + a x + b by exhaustive search.

ComputeOrderEFq[t, p, n]
    Given that #E(F_p) = p + 1 - t, this method computes #E(F_{p^n}) as #E(F_{p^n}) = p^n + 1 - (α^n + β^n), where X^2 + t X + p = (X - α)(X - β) and (α^n + β^n) is computed using a recursion relation.

EcPointOrderBabyGiant[{a, b}, Q, p]
    Computes the order of the point Q in E : y^2 = x^3 + a x + b over F_p using the Baby Step, Giant Step method.

GenerateRandomPointEC[{a, b}, p]
    Finds a random point on E : y^2 = x^3 + a x + b over F_p.

EcGroupOrder[{a, b}, p]
    Determines #E(F_p) where E : y^2 = x^3 + a x + b. It uses EcPointOrderBabyGiant on random points in E(F_p) until the least common multiple of their orders implies a unique value of the group order within Hasse's bounds.


Functions that Comprise Schoof's Algorithm

ComputeTModTwo[{a, b}, p]
    Determines t (mod 2) where #E(F_p) = p + 1 - t.

ComputePrimeSet[p]
    Determines the set of small primes {l_i} such that ∏_{i=1}^{L} l_i > 4√p.

ComputeDivisionPolynomials[{a, b}, p, k]
    Computes the first k division polynomials for E : y^2 = x^3 + a x + b over F_p.

ComputeEquation16[p, l, {a, b}]
    Computes π_16(x, y) = (x^{q^2} - x) ψ_k^2 - ψ_{k-1} ψ_{k+1} (mod f_l, p).

ComputeEquation17[p, l, w, {a, b}]
    Computes π_17(x, y) = (x^p - x) ψ_w^2 - ψ_{w-1} ψ_{w+1} (mod f_l, p).

ComputeEquation18[p, l, w, {a, b}]
    Computes π_18(x, y) = 4 ψ_w^3 y^{p+1} - ψ_{w+2} ψ_{w-1}^2 - ψ_{w-2} ψ_{w+1}^2 (mod f_l, p).

ComputeTmodLCaseOne[p, l, {a, b}]
    Uses Schoof equations 16, 17, 18 to compute t (mod l).

ComputeAlpha[p, l, {a, b}]
    Given λ = α/β for the elliptic curve addition φ_p^2 P + k P, computes the polynomial representing α.

ComputeBeta[p, l, {a, b}]
    Given λ = α/β for the elliptic curve addition φ_p^2 P + k P, computes the polynomial representing β.

ComputeEquation19X[p, l, t, {a, b}]
    Computes the polynomial, modulo f_l, representing Schoof equation (19x):
    π_19x(x, y) = ψ_t^{2p} (β^2 (ψ_{k-1} ψ_{k+1} - ψ_k^2 (x^{p^2} + x^p + x)) + α^2 ψ_k^2) + ψ_k^2 β^2 (ψ_{t-1} ψ_{t+1})^p.

ComputeEquation19Y[p, l, t, {a, b}]
    Computes the polynomial, modulo f_l, representing Schoof equation (19y):
    π_19y(x, y) = 4 f_t^{3p} y^p (((2 x^{p^2} + x) α β^2 - β^3 y^{p^2} - α^3) f_k^2 - α β^2 f_{k-1} f_{k+1}) - β^3 f_k^2 (f_{t-1}^2 f_{t+2} - f_{t-2} f_{t+1}^2)^p.

ComputeGroupOrderSchoof[{a, b}, p]
    Determines #E(F_p) for E : y^2 = x^3 + a x + b using Schoof's Algorithm.


Appendix B - Mathematica Code for Our Elliptic Curve Functions

This appendix provides a listing of Mathematica code for each of the functions listed in Appendix A.

Number Theoretic Algorithms

EuclideanAlgorithm[a, b]

Computes the greatest common divisor of two integers a, b using the Euclidean Algorithm.

    EuclideanAlgorithm[a_, b_] := Module[{x, y, r1, r2, m},
      x = Max[a, b]; y = Min[a, b];
      r1 = y; r2 = Mod[x, y];
      While[r2 > 0,
        m = r2;
        r2 = Mod[r1, r2];
        r1 = m;
      ];
      Return[r1];
    ];

ExtendedEucideanAlgorithm[a, b]

Computes d = gcd(a, b) and returns the list {d, r, s} such that d = r a + s b.

    ExtendedEucideanAlgorithm[a_Integer, b_Integer] :=
      Module[{s1, s2, t1, t2, r1, r2, q1, q2},
        {s1, s2} = {1, 0}; {t1, t2} = {0, 1};
        {r1, r2} = {a, b}; {q1, q2} = {0, 1};
        While[r2 > 0,
          {q1, q2} = {q2, Quotient[r1, r2]};
          {r1, r2} = {r2, Mod[r1, r2]};
          {s1, s2} = {s2, s1 - s2 * q2};
          {t1, t2} = {t2, t1 - t2 * q2};
        ];
        Return[{r1, s1, t1}];
      ];


MultiplicativeInverse[a, p]

The following Mathematica function computes the multiplicative inverse of a modulo p, a^(-1) (mod p). The function returns a^(-1) if gcd(a, p) = 1; otherwise d | p with d ≠ 1 is a factor of p, so we throw the message "Factor of p found = d", which of course means that p was not prime.

    MultiplicativeInverse[a_Integer, p_Integer] := Module[{d, r, s},
      {d, r, s} = ExtendedEucideanAlgorithm[a, p];
      If[d != 1, Throw[{"Factor of p found = ", d}]];
      r = Mod[r, p];
      Return[r];
    ];

ModularExponentiation[a, n, p]

Computes a^n (mod p) by square-and-multiply; equivalent to the built-in Mathematica function PowerMod.

    ModularExponentiation[a_Integer, n_Integer, p_Integer] :=
      Module[{t, x, b},
        b = n;
        (* set t ≡ a (mod p) in case a < 0 or a > p *)
        t = Mod[a, p];
        x = 1;
        (* for each bit in the binary representation of n *)
        While[b != 0,
          (* if the kth bit is 1 set x ≡ x * a^(2^k) (mod p) *)
          If[Mod[b, 2] != 0,
            x = Mod[x * t, p];
          ];
          (* a^(2^k) ≡ (a^(2^(k-1)))^2 *)
          t = Mod[t * t, p];
          (* bring the next bit of n to the least significant position *)
          b = Quotient[b, 2];
        ];
        Return[x];
      ];

QuadraticResidueQ[a, p]

This function uses Euler's criterion, as explained above, to determine if a is a quadratic residue mod p. It returns True if a is a quadratic residue, else it returns False.

    QuadraticResidueQ[a_, p_] :=
      ModularExponentiation[a, (p - 1)/2, p] == 1;


RandomNonResidue[p]

Chooses a random quadratic nonresidue mod p, that is, a number 1 < x < p with x^((p-1)/2) ≡ -1 (mod p). Since exactly 1/2 of all elements of F_p^× are quadratic nonresidues, this will occur within 5 trials with better than 95% probability.

    RandomNonResidue[p_] := Module[{x},
      x = 3;
      While[QuadraticResidueQ[x, p],
        x = Random[Integer, {2, p - 1}];
      ];
      Return[x];
    ];

SqrtModPShanksTonelli[a, p]

This function solves the congruence x^2 ≡ a (mod p) for x, where a must be a quadratic residue modulo the prime p. It returns x if it exists, else it returns {}. (Appendix A lists this function as SquareRootModPShanksTonelli; the code and its callers use the name SqrtModPShanksTonelli.)

    SqrtModPShanksTonelli[a_, p_] :=
      Module[{s, e, n, q, x, b, g, r, y, m, i},
        If[!PrimeQ[p],
          Print["ShanksTonelli only works for prime p"];
          Return[{}];
        ];
        If[!QuadraticResidueQ[a, p],
          Print[a, " is not a quadratic residue mod ", p];
          Return[{}];
        ];
        (* If p ≡ 3 (mod 4) then x ≡ a^((p+1)/4) (mod p) *)
        If[Mod[p, 4] == 3,
          x = PowerMod[a, (p + 1)/4, p];
          Return[x];
        ];
        s = p - 1; e = 0;
        (* Compute s, e such that p - 1 = s * 2^e and s is odd *)
        While[EvenQ[s], s = Quotient[s, 2]; ++e;];
        (* Find n such that n^((p-1)/2) ≡ -1 (mod p); this won't take long
           since 1/2 of the elements of F_p are quadratic nonresidues *)
        n = 2;
        q = (p - 1)/2;
        While[PowerMod[n, q, p] != p - 1, ++n];
        (* Initialize *)
        x = PowerMod[a, (s + 1)/2, p];  (* guess at square root x ≡ a^((s+1)/2) *)
        b = PowerMod[a, s, p];          (* guess at fudge factor b ≡ a^s *)
        g = PowerMod[n, s, p];          (* used to update x, b at each step *)
        r = e;                          (* exponent, will decrease at each step *)
        While[True,
          (* Find m < r such that b^(2^m) ≡ 1 *)
          y = b; m = 0;
          While[y != 1, y = Mod[y * y, p]; ++m;];
          If[m == 0, Return[x]];
          (* Compute y = g^(2^(r-m-1)) *)
          y = g;
          For[i = 1, i <= r - m - 1, ++i, y = Mod[y * y, p]];
          (* x = x * g^(2^(r-m-1)) *)
          x = Mod[x * y, p];
          (* b = b * g^(2^(r-m)) *)
          y = Mod[y * y, p];
          b = Mod[b * y, p];
          (* g = g^(2^(r-m)), r = m *)
          g = y; r = m;
        ];
      ];

DetermineChineseRemainder[t]

Solves the set of integer congruences z ≡ r_i (mod n_i) for i = 1, 2, ..., k for z, where these congruences are represented by the set of ordered pairs t = {{r1, n1}, {r2, n2}, ..., {rk, nk}}.

    DetermineChineseRemainder[t_] := Module[{k, n, r, m, a, b, e, z},
      k = Length[t];
      {r, n} = Transpose[t];
      (* Compute N = n1 n2 ... nk *)
      m = Apply[Times, n];
      Print["N = ", m];
      (* Compute ai = N/ni *)
      a = Map[m/# &, n];
      Print["ai = ", a];
      (* Compute bi = ai^(-1) (mod ni) *)
      b = Inner[PowerMod[#1, -1, #2] &, a, n, List];
      Print["bi = ai^(-1) (mod ni) = ", b];
      (* Compute ei = ai * bi *)
      e = a * b;
      Print["ei = ai bi = ", e];
      (* Compute z = e.r = e1 r1 + e2 r2 + ... + ek rk *)
      z = e.r;
      Print["z = e.r = ", z];
      Return[Mod[z, m]];
    ];


Elliptic Curve Arithmetic Algorithms

EcAdd[{a, b}, {x1, y1}, {x2, y2}]

This Mathematica function performs the elliptic curve group addition P1 + P2. The parameters are {A, B} representing E : y^2 = x^3 + A x + B and P1 = {x1, y1}, P2 = {x2, y2}. Note that the arithmetic in Mathematica is exact, so rational input will return a rational sum.

    EcAdd[{a_, b_}, {x1_, y1_}, {x2_, y2_}] := Module[{m, x3, y3},
      (* Handle identity cases; the identity is {Infinity, Infinity} *)
      If[x1 == Infinity, Return[{x2, y2}]];
      If[x2 == Infinity, Return[{x1, y1}]];
      If[x1 == x2 && y1 == -y2, Return[{Infinity, Infinity}]];
      (* If we are doubling a point *)
      If[x1 == x2 && y1 == y2,
        (* Compute the slope of the tangent *)
        m = (3 x1^2 + a)/(2 y1),
        (* else compute the slope of the chord *)
        m = (y2 - y1)/(x2 - x1);
      ];
      x3 = m^2 - x1 - x2;
      y3 = m (x1 - x3) - y1;
      Return[{x3, y3}];
    ];

EcDiscriminant[{a, b}, p]

The discriminant of a polynomial is the product of the squares of the differences between all distinct pairs of roots. For a cubic polynomial this is d = (r1 - r2)^2 (r1 - r3)^2 (r2 - r3)^2. For the elliptic curve y^2 = x^3 + a x + b over F_p this is given by

    d ≡ -(4 a^3 + 27 b^2) (mod p)

    EcDiscriminant[{a_, b_}, p_] :=
      Mod[-(4 * ModularExponentiation[a, 3, p] + 27 * ModularExponentiation[b, 2, p]), p];

IsEcQ[{a, b}, p]

E : y^2 = x^3 + a x + b specifies an elliptic curve E(F_p) if and only if the right hand side has distinct roots. This is true if and only if the discriminant is nonzero modulo p.

    IsEcQ[{a_, b_}, p_] := EcDiscriminant[{a, b}, p] != 0;


IsEcPointQ[{a, b}, {x, y}, p]

Returns True if (x, y) ∈ E(F_p), that is, if y^2 ≡ x^3 + a x + b (mod p). (Appendix A lists this function as EcPointQ; the code and its callers use IsEcPointQ.)

    IsEcPointQ[{a_, b_}, {x_, y_}, p_] :=
      Mod[ModularExponentiation[x, 3, p] + a x + b - ModularExponentiation[y, 2, p], p] == 0;

EcAddMod[{a, b}, P1, P2, p]

This function performs the elliptic curve group addition P1 + P2 over the finite field F_p. The parameters are {a, b}, P1 = {x1, y1}, P2 = {x2, y2}, where p is the characteristic of the field, which must be prime. The function accepts and returns {∞, ∞} for the group identity. It returns {} if either point does not lie on the elliptic curve.

    EcAddMod[{a_, b_}, p1_, p2_, p_] :=
      Module[{m, x1, y1, x2, y2, x3, y3, w},
        {x1, y1} = p1; {x2, y2} = p2;
        (* Handle identity cases *)
        If[x1 == Infinity, Return[p2]];
        If[x2 == Infinity, Return[p1]];
        (* p1 + (-p1) = Infinity *)
        If[x1 == x2 && Mod[y1 + y2, p] == 0, Return[{Infinity, Infinity}]];
        (* Verify that the points lie on the curve *)
        If[!IsEcPointQ[{a, b}, {x1, y1}, p], Return[{}]];
        If[!IsEcPointQ[{a, b}, {x2, y2}, p], Return[{}]];
        (* If we are doubling a point *)
        If[p1 == p2,
          (* Check for vertical tangent *)
          If[y1 == 0, Return[{Infinity, Infinity}]];
          (* Compute the slope of the tangent *)
          w = MultiplicativeInverse[2 y1, p];
          m = Mod[(3 x1^2 + a) * w, p],
          (* else compute the slope of the chord *)
          w = MultiplicativeInverse[x2 - x1, p];
          m = Mod[(y2 - y1) * w, p];
        ];
        x3 = Mod[m^2 - x1 - x2, p];
        y3 = Mod[m (x1 - x3) - y1, p];
        Return[{x3, y3}];
      ];


EcPowerMod[{a, b}, Q, k, p]

Computes k Q in the abelian group of points on the elliptic curve E : y^2 = x^3 + a x + b over F_p. This algorithm is similar to the modular exponentiation method, in that it uses the binary representation of k to convert the problem into a series of doublings and additions in E. The algorithm is based on Washington [7] § 2.2 under "Integer Times a Point".

    EcPowerMod[{a_, b_}, q_, k_, p_] := Module[{i, r, s},
      i = k; r = {Infinity, Infinity}; s = q;
      While[i != 0,
        If[EvenQ[i],
          i = Quotient[i, 2];
          s = EcAddMod[{a, b}, s, s, p],
          i = i - 1;
          r = EcAddMod[{a, b}, r, s, p];
        ];
      ];
      Return[r];
    ];

EcJinvariant[{a, b}, p]

Computes the j-invariant of E : y^2 = x^3 + a x + b as

    j = 1728 · 4 a^3 / (4 a^3 + 27 b^2)

If two elliptic curves have the same j-invariant then there exists an isomorphism over the algebraic closure of F_p which transforms one into the other.

    EcJinvariant[{a_, b_}, p_] := Module[{a3, b2, d, di, j},
      a3 = PowerMod[a, 3, p];
      b2 = PowerMod[b, 2, p];
      (* denominator is 4 a^3 + 27 b^2 *)
      d = Mod[4 * a3 + 27 * b2, p];
      (* d^(-1) (mod p) exists because F_p is a field and d != 0 for an elliptic curve *)
      di = MultiplicativeInverse[d, p];
      (* j = 1728 * 4 a^3 / (4 a^3 + 27 b^2) *)
      j = Mod[1728 * 4 * a3 * di, p];
      Return[j];
    ];


EcPointOrderMod[ec, Q, p, m]

This function computes the order of a point Q on the elliptic curve E(F_p) as the smallest positive integer k such that k Q = ∞ on E(F_p). It works by direct search, so it is suitable only if the order is small. It tries orders up to m and returns zero if |Q| > m.

    EcPointOrderMod[ec_, p1_, p_, m_] := Module[{k, p2, pn3},
      (* Test for special case orders 1, 2 *)
      If[p1 == {Infinity, Infinity}, Return[1]];
      p2 = EcAddMod[ec, p1, p1, p];
      If[p2 == {Infinity, Infinity}, Return[2]];
      k = 3;
      (* compute -P (mod p) *)
      pn3 = Mod[p1 * {1, -1}, p];
      (* while (k-1) P != -P *)
      While[p2 != pn3 && k < m,
        (* kP = P + (k-1) P *)
        p2 = EcAddMod[ec, p2, p1, p];
        ++k;
      ];
      (* did not find a solution < m, return 0 *)
      If[k >= m, Return[0]];
      (* return the order of P = k *)
      Return[k];
    ];


FindEcPointSet[{a, b}, p]

Finds all points in E(F_p) by testing every value of x ∈ F_p to determine if there are values of y ∈ F_p satisfying E : y^2 = x^3 + A x + B.

    FindEcPointSet[{a_, b_}, p_] := Module[{s, x, e1, x1, y1, y2},
      e1 = x^3 + a x + b;
      s = Reap[
        For[x1 = 0, x1 < p, ++x1,
          y2 = Mod[e1 /. x -> x1, p];
          If[y2 == 0,
            Sow[{x1, 0, 0}],
            (* If y2 has a square root mod p *)
            If[QuadraticResidueQ[y2, p],
              (* find the smallest y1 such that y1^2 ≡ y2 (mod p) *)
              y1 = SqrtModPShanksTonelli[y2, p];
              Sow[{x1, y1, Mod[-y1, p]}];
            ];
          ];
        ];
      ];
      Return[First[Last[s]]];
    ];

ProduceEcPointTable[{a, b}, p]

This function produces a table of all points in E(F_p), along with the order of each point. It returns the order of the group #E(F_p) by counting the points.

    ProduceEcPointTable[{a_, b_}, p_] := Module[{s, c, t, t2},
      (* Find the set of points on y^2 = x^3 + a x + b over F_p *)
      s = FindEcPointSet[{a, b}, p];
      (* Compute #E(F_p) by counting the points, including the point at
         infinity; rows with y = 0 contribute one point, not two *)
      c = 2 * Length[s] + 1 - Length[Select[s, Last[#] == 0 &]];
      (* Determine the order of each point and put it in the last column *)
      t = Map[Append[#, EcPointOrderMod[{a, b}, Take[#, 2], p, 2 * p]] &, s];
      (* Produce a nice table with headings *)
      t2 = Prepend[t, {"x", "y1", "y2", "Ord(P)"}];
      Print[FrameBox[GridBox[t2, RowLines -> True, ColumnLines -> True]] // DisplayForm];
      Return[c];
    ];


Methods to Determine the Elliptic Curve Group Order

ComputeOrderEFq[t, p, n]

Given that #E(F_p) = p + 1 - t, this method computes and returns #E(F_{p^n}).

    ComputeOrderEFq[t_, p_, n_] := Module[{sn0, sn1, sn2, k},
      (* s_k = alpha^k + beta^k with s_0 = 2, s_1 = t, s_k = t s_(k-1) - p s_(k-2) *)
      sn0 = 2;
      sn1 = t;
      For[k = 2, k <= n, ++k,
        sn2 = t * sn1 - p * sn0;
        sn0 = sn1;
        sn1 = sn2;
      ];
      (* sn1 holds s_n after the loop; this also covers n = 1 *)
      Return[p^n + 1 - sn1];
    ];

EcPointOrderBabyGiant[{a, b}, Q, p]

Uses the Baby Step, Giant Step method to find the order of the point Q, that is, to find m ∈ ℤ such that m Q = ∞ on the elliptic curve E : y^2 = x^3 + a x + b. This method is described in Washington [7] § 4.3.

    EcPointOrderBabyGiant[ec_, P1_, p_] :=
      Module[{Q1, i, j, k, m, b, t1, t2, p2, pm3, pm4, m1, f1, x1, q2, q3, pn5, pn6, pn7},
        (* Check for small order directly *)
        k = EcPointOrderMod[ec, P1, p, Min[100, p]];
        If[k > 0, Return[k]];
        (* Compute Q = (p+1) P *)
        Q1 = EcPowerMod[ec, P1, p + 1, p];
        (* Table size m = Ceiling[p^(1/4)] *)
        m = Ceiling[Power[p, 1/4]];
        (* Create table of iP for i = 1, ..., m *)
        t1 = {P1};
        p2 = P1;
        For[i = 2, i <= m, ++i,
          p2 = EcAddMod[ec, p2, P1, p];
          AppendTo[t1, p2];
        ];
        (* x-coordinates of the baby steps, used for the lookup *)
        t2 = First[Transpose[t1]];
        q2 = Q1;
        q3 = Q1;
        (* Giant steps: Q + 2kmP for k = -m, ..., m *)
        pm3 = EcPowerMod[ec, P1, 2 * m, p];
        pm4 = pm3;
        (* Compute -P (mod p) *)
        pn5 = Mod[P1 * {1, -1}, p];
        pn6 = EcPowerMod[ec, pn5, 2 * m, p];
        pn7 = pn6;
        k = 0;
        (* Compute for k = ±1, ±2, ... *)
        While[True,
          (* until Q + 2kmP = ±jP ... *)
          If[MemberQ[t2, First[q2]], Break[]];
          (* ... or Q - 2kmP = ±jP *)
          If[MemberQ[t2, First[q3]],
            k = -k;
            q2 = q3;
            Break[];
          ];
          (* Compute next Q ± 2kmP for next k *)
          q2 = EcAddMod[ec, Q1, pm4, p];
          q3 = EcAddMod[ec, Q1, pn7, p];
          pm4 = EcAddMod[ec, pm4, pm3, p];
          pn7 = EcAddMod[ec, pn7, pn6, p];
          ++k;
        ];
        (* Here we have Q ± 2kmP = ±jP, figure out j *)
        j = First[Flatten[Position[t2, First[q2]]]];
        (* Determine which ±j *)
        p2 = t1[[j]];
        If[Last[q2] != Last[p2],
          If[Last[q2] == Mod[-Last[p2], p],
            j = -j,
            Print["ERROR: Q + kmP != ±jP"];
            Return[0];
          ];
        ];
        (* Compute M such that Order(P) | M *)
        m1 = p + 1 + 2 * m * k - j;
        (* TBD - This fails if m1 = 0, i.e. j = p + 1 + 2*m*k *)
        If[m1 == 0, Print["ERROR - M == 0"]; Return[0]];
        (* If M is prime, it must be the order of P *)
        If[PrimeQ[m1], Return[m1]];
        (* Factoring can be VERY hard if M has no small factors *)
        f1 = FactorInteger[m1];
        b = True;
        While[b,
          b = False;
          For[i = 1, i <= Length[f1], ++i,
            (* Divide out a prime factor *)
            x1 = m1 / First[f1[[i]]];
            (* If (x1 - 1) P = -P, i.e. x1 P = Infinity, then M = x1 *)
            pm3 = EcPowerMod[ec, P1, x1 - 1, p];
            If[pm3 == pn5,
              m1 = x1;
              b = True;
              If[--f1[[i, 2]] <= 0, f1 = Delete[f1, i]];
              Break[];
            ];
          ];
        ];
        Return[m1];
      ];

GenerateRandomPointEC[{a, b}, p]

Generates a random point {x, y} on the elliptic curve given by ec = {A, B} such that y^2 = x^3 + A x + B, with all arithmetic modulo p.

    GenerateRandomPointEC[{a_, b_}, p_] := Module[{x, e1, x1, y1, y2},
      e1 = x^3 + a x + b;
      y2 = 1;
      While[True,
        x1 = Random[Integer, {1, p - 1}];
        y2 = Mod[e1 /. x -> x1, p];
        (* If y2 has a square root mod p *)
        If[QuadraticResidueQ[y2, p],
          (* find the smallest y1 such that y1^2 ≡ y2 (mod p) *)
          y1 = SqrtModPShanksTonelli[y2, p];
          Break[];
        ];
      ];
      Return[{x1, y1}];
    ];

GenerateRandomEC[p]

Generates a random elliptic curve over the field F_p where p is a prime greater than 3. The curve is of the form y^2 = x^3 + A x + B with 4 A^3 + 27 B^2 ≠ 0. Returns {A, B}.

    GenerateRandomEC[p_] := Module[{a, b, e},
      a = 0; b = 0; e = False;
      While[!e,
        a = Random[Integer, {1, p - 1}];
        b = Random[Integer, {0, p - 1}];
        e = IsEcQ[{a, b}, p];
      ];
      Return[{a, b}];
    ];


EcGroupOrder[{a, b}, p]

This function determines #E(F_p) by determining the order of random points on the curve until there is only one multiple of the least common multiple of these orders within Hasse's bounds.

    EcGroupOrder[ec_, p_] :=
      Module[{pr2, h0, h1, p1, k1, k2, or1, or3, t},
        pr2 = Floor[2 * Sqrt[p]];
        h0 = p + 1 - pr2; h1 = p + 1 + pr2;
        Print["Hasse's bounds ", h0, " <= #E(F_p) <= ", h1];
        or1 = 0;
        t = {};
        While[True,
          (* Generate a random point on E(F_p) *)
          p1 = GenerateRandomPointEC[ec, p];
          Print["P = ", p1];
          (* Determine |p1| *)
          k1 = EcPointOrderBabyGiant[ec, p1, p];
          Print["P has order = ", k1];
          If[k1 != 0, t = Union[t, {k1}]];
          (* Compute the LCM of all orders found *)
          or1 = Apply[LCM, t];
          Print["LCM = ", or1];
          (* There is a solution if p + 1 - 2 Sqrt[p] <= LCM <= p + 1 + 2 Sqrt[p] *)
          If[h0 <= or1 && or1 <= h1, Return[or1]];
          (* Determine the number of multiples of the LCM within Hasse's bounds
             (h0 - 1 so that a multiple equal to h0 itself is counted) *)
          k2 = Quotient[h1, or1] - Quotient[h0 - 1, or1];
          (* If there is only one multiple of the LCM within Hasse's bounds,
             it must be the order of the group *)
          If[k2 == 1,
            or3 = Quotient[h0, or1] * or1;
            If[or3 < h0, or3 += or1];
            Return[or3],
            Print["There are ", k2, " multiples of the LCM within Hasse's bounds"];
          ];
        ];
        Return[{}];
      ];


The Functions that Comprise Schoof's Algorithm

ComputeTModTwo[{a, b}, p]

Computes t (mod 2) by determining whether E : y^2 = x^3 + a x + b over F_p has any points of order 2.

    ComputeTModTwo[{a_, b_}, p_] := Module[{y2, xp, g},
      y2 = x^3 + a x + b;
      (* Compute x^p (mod x^3 + a x + b, p) *)
      xp = PolynomialPowerMod[x, p, {y2, p}];
      Print["x^p (mod x^3 + a x + b) = ", xp];
      (* If GCD(x^p - x, x^3 + a x + b) = 1 then t ≡ 1 (mod 2), else t ≡ 0 (mod 2) *)
      g = PolynomialGCD[xp - x, y2, Modulus -> p];
      Print["gcd(x^p - x, x^3 + a x + b) = ", g];
      If[SameQ[g, 1], Return[1], Return[0]];
    ];

ComputePrimeSet[p]

Creates a set S of the first k prime numbers l_i, with the smallest k such that M = ∏_{i=1}^{k} l_i > 4√p, keeping only primes with p (mod l_i) > 1, and returns {M, {l_i}}.

    ComputePrimeSet[p_] := Module[{x, m, r, s},
      x = 2;  (* l_i *)
      m = x;  (* M = product of the l_i *)
      r = 4 * Ceiling[Sqrt[p]];
      Print["4 Ceiling[Sqrt[p]] = ", r];
      s = Reap[
        Sow[x];
        While[m <= r,
          x = NextPrime[x];
          (* Exclude l_i if p ≡ 0 or 1 (mod l_i) *)
          If[Mod[p, x] > 1,
            m *= x;
            Sow[x];
          ];
        ];
      ];
      Print["Product of l_i = ", m];
      Return[{m, Flatten[Last[s]]}];
    ];

• Mathematica Code to generate the plot

• ComputeDivisionPolynomials[ {a, b}, p, k ]

Compute the first k division polynomials for the elliptic curve E : y^2 = x^3 + A x + B over F_p.

ComputeDivisionPolynomials[{a_, b_}, p_, k_] := Module[{t, i, d, m},
    t = {-1, 0, 1, 2 y};
    d = 3 x^4 + 6 a x^2 + 12 b x - a^2;
    d = PolynomialMod[d, p];
    d = Collect[d, {x}];
    AppendTo[t, d];
    d = 4 y (x^6 + 5 a x^4 + 20 b x^3 - 5 a^2 x^2 - 4 a b x - 8 b^2 - a^3);
    d = PolynomialMod[d, p];
    d = Collect[d, {y, x}];
    AppendTo[t, d];
    For[i = 5, i <= k + 4, ++i,
      If[EvenQ[i],
        (* Even case *)
        m = 2 + i/2;
        d = t[[m]] * (t[[m + 2]] * (t[[m - 1]])^2 - t[[m - 2]] * (t[[m + 1]])^2) / (2 y);,
        (* Odd case *)
        m = 2 + (i - 1)/2;
        d = t[[m + 2]] * (t[[m]])^3 - t[[m - 1]] * (t[[m + 1]])^3;
      ];
      (* Replace all y^2 with x^3 + a x + b *)
      d = d /. y^w_ :> (x^3 + a x + b)^(w/2) /; EvenQ[w];
      d = d /. y^w_ :> y (x^3 + a x + b)^((w - 1)/2) /; OddQ[w];
      d = PolynomialMod[d, p];
      d = Collect[d, {y, x}];
      AppendTo[t, d];
    ];
    Return[t];
  ];


• f[n] - Compute the n'th division polynomial f_n(x). We have the following relation

  f_n(x) = ψ_n(x, y)      if n is odd
  f_n(x) = ψ_n(x, y) / y  if n is even

NOTE: f[n], ψ[n] rely on the global variable psi containing the raw information for the division polynomials. This can be accomplished by executing the following statement before the first call to f[n] or ψ[n].

psi = ComputeDivisionPolynomials[{a, b}, p, k]

f[n_] := Module[{},
    If[n < -1 || n > (Length[psi] - 2),
      Throw["f[n] - Invalid index"]];
    Return[psi[[n + 2]] /. y -> 1];
  ];

ψ[n_] := psi[[n + 2]];
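Two of the routines above in plain Python, as an added example that is not code from the thesis: the EcGroupOrder idea (take the lcm of the orders of random points until exactly one multiple of it lies in the Hasse interval) and the ComputeDivisionPolynomials / f[n] recurrence, carried out in F_p[x] with y^2 replaced by x^3 + a x + b exactly as the relation above prescribes. Point orders are found by plain stepping through the multiples instead of the thesis's baby-step giant-step routine, which keeps the code short but limits it to small p. The computed f_n are checked against point arithmetic through the multiplication formula x([n]P) = x - ψ_{n-1} ψ_{n+1} / ψ_n^2; the curve y^2 = x^3 + x + 1 over F_23 with P = (0, 1) used in the test is a constructed sample.

```python
# Added example, not code from the thesis. It covers two routines above: EcGroupOrder
# (lcm of random point orders until exactly one multiple lies in the Hasse interval; point
# orders here by plain stepping rather than baby-step giant-step) and
# ComputeDivisionPolynomials / f[n] (the recurrence in F_p[x] with y^2 = x^3 + a x + b
# substituted, checked against x([n]P) = x - psi_{n-1} psi_{n+1} / psi_n^2).
import math
import random

def ec_add(P, Q, a, p):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over F_p; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:              # Q = -P (covers the 2-torsion case y = 0)
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def multiples(P, a, p, nmax):
    """[[1]P, [2]P, ..., [nmax]P] by repeated addition."""
    out, Q = [], None
    for _ in range(nmax):
        Q = ec_add(Q, P, a, p)
        out.append(Q)
    return out

def random_point(a, b, p, rng):
    while True:                                      # square roots by scanning y: small p only
        x = rng.randrange(p)
        ys = [y for y in range(p) if (y * y - x ** 3 - a * x - b) % p == 0]
        if ys:
            return (x, rng.choice(ys))

def group_order_lcm(a, b, p, seed=1, max_points=50):
    """#E(F_p) from the lcm of random point orders; None if no unique multiple of the lcm
    lies in the Hasse interval after max_points draws (possible for non-cyclic groups)."""
    rng, pr2, m = random.Random(seed), math.isqrt(4 * p), 1
    h0, h1 = p + 1 - pr2, p + 1 + pr2                # Hasse: h0 <= #E(F_p) <= h1
    for _ in range(max_points):
        P = random_point(a, b, p, rng)
        k = multiples(P, a, p, h1).index(None) + 1   # order of P; it divides #E(F_p) <= h1
        m = m * k // math.gcd(m, k)
        if h1 // m - (h0 - 1) // m == 1:             # exactly one multiple of m in [h0, h1]
            return ((h0 + m - 1) // m) * m
    return None

# Division polynomials as coefficient lists (lowest degree first, reduced mod p), with
# psi_n = f_n(x) for n odd and psi_n = y f_n(x) for n even, so y^2 -> F = x^3 + a x + b.
def pmul(f, g, p):
    r = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            r[i + j] = (r[i + j] + fi * gj) % p
    return r

def psub(f, g, p):
    n = max(len(f), len(g))
    return [(u - v) % p for u, v in zip(f + [0] * (n - len(f)), g + [0] * (n - len(g)))]

def division_polys(a, b, p, nmax):
    """f_0 .. f_nmax by the same recurrence as ComputeDivisionPolynomials."""
    F2 = pmul([b, a, 0, 1], [b, a, 0, 1], p)         # (y^2)^2 = F(x)^2
    inv2 = pow(2, -1, p)
    f = [[0], [1], [2 % p],
         [(-a * a) % p, 12 * b % p, 6 * a % p, 0, 3 % p],
         [4 * c % p for c in (-a ** 3 - 8 * b * b, -4 * a * b, -5 * a * a, 20 * b, 5 * a, 0, 1)]]
    for n in range(5, nmax + 1):
        if n % 2:                    # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3
            m = (n - 1) // 2
            t1 = pmul(f[m + 2], pmul(f[m], pmul(f[m], f[m], p), p), p)
            t2 = pmul(f[m - 1], pmul(f[m + 1], pmul(f[m + 1], f[m + 1], p), p), p)
            if m % 2 == 0:           # the y^4 of the even-index factors sits in the first term ...
                t1 = pmul(F2, t1, p)
            else:                    # ... or in the second one
                t2 = pmul(F2, t2, p)
            fn = psub(t1, t2, p)
        else:                        # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / (2y)
            m = n // 2
            t1 = pmul(f[m + 2], pmul(f[m - 1], f[m - 1], p), p)
            t2 = pmul(f[m - 2], pmul(f[m + 1], f[m + 1], p), p)
            fn = [c * inv2 % p for c in pmul(f[m], psub(t1, t2, p), p)]
        f.append(fn)
    return f

def psi_at(f, n, P, p):
    x, y = P                                         # psi_n(P) = f_n(x), times y for even n
    v = sum(c * pow(x, i, p) for i, c in enumerate(f[n])) % p
    return v if n % 2 else y * v % p

def x_of_multiple(f, n, P, p):
    """x([n]P) from the division polynomials; None when psi_n(P) = 0, i.e. [n]P = O."""
    den = psi_at(f, n, P, p) ** 2 % p
    if den == 0:
        return None
    num = psi_at(f, n - 1, P, p) * psi_at(f, n + 1, P, p) % p
    return (P[0] - num * pow(den, -1, p)) % p
```

Two points worth noticing when running it. First, group_order_lcm gives up after a fixed number of points: when E(F_p) is not cyclic the lcm of point orders can stop at the group exponent, which may have several multiples in the Hasse interval, and the thesis's While[True] loop would then never return. Second, f_n for odd n has degree (n^2 - 1)/2 and leading coefficient n, and f_n for even n has degree (n^2 - 4)/2 and leading coefficient n; both follow from the recurrence and make a cheap sanity check on the computed polynomials.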


• ComputeEquation16[ p, l, {a, b} ]

Computes p16(x, y) = (x^(q^2) - x) ψ_k^2 + ψ_(k-1) ψ_(k+1) (mod f_l, p) in order to test if φ^2 P = ±q P for some P ∈ E[l].

ComputeEquation16[p_, l_, {a_, b_}] :=
  Module[{k, fl, y2, p1, p2, p3, p16x},
    fl = f[l];
    k = Mod[p, l];
    y2 = x^3 + a x + b;
    (* p1 = x^(q^2) (mod f_l) *)
    p1 = PolynomialPowerMod[x, p, {fl, p}];
    p1 = PolynomialPowerMod[p1, p, {fl, p}];
    (* p2 = (x^(q^2) - x) f_k^2(x) (mod f_l) *)
    p2 = PolynomialPowerMod[f[k], 2, {fl, p}];
    p2 = PolynomialPowerMod[(p1 - x) * p2, 1, {fl, p}];
    (* p3 = f_(k-1)(x) f_(k+1)(x) *)
    p3 = f[k - 1] * f[k + 1];
    If[EvenQ[k],
      (* p16 = (x^(q^2) - x) f_k^2(x) y^2 + f_(k-1)(x) f_(k+1)(x), k even *)
      p16x = p2 * y2 + p3;,
      (* p16 = (x^(q^2) - x) f_k^2(x) + f_(k-1)(x) f_(k+1)(x) y^2, k odd *)
      p16x = p2 + p3 * y2;
    ];
    p16x = PolynomialPowerMod[p16x, 1, {fl, p}];
    Return[p16x];
  ];


• ComputeEquation17[ p, l, w, {a, b} ]

Given that φ^2 P = ±q P for some P ∈ E[l], then t ∈ {0, -2 w, 2 w} where w^2 ≡ q (mod l). If q has no square root mod l then we must have t = 0. Otherwise we find w such that w^2 ≡ q (mod l) and use Schoof (17) to test if φ P = ±w P:

  p17(x) = (x^q - x) f_w^2(x) (x^3 + a x + b) + f_(w-1)(x) f_(w+1)(x)   w even
  p17(x) = (x^q - x) f_w^2(x) + f_(w-1)(x) f_(w+1)(x) (x^3 + a x + b)   w odd

If gcd(p17(x), f_l(x)) = 1 then neither w nor -w is an eigenvalue of φ, so t ≡ 0 (mod l).

ComputeEquation17[p_, l_, w_, {a_, b_}] :=
  Module[{y2, fl, p1, p2, p3, p17},
    y2 = x^3 + a x + b;
    fl = f[l];
    (* p2 = (x^q - x) f_w^2(x) *)
    p1 = PolynomialPowerMod[x, p, {fl, p}];
    p2 = (p1 - x) * PolynomialPowerMod[f[w], 2, {fl, p}];
    (* p3 = f_(w-1)(x) f_(w+1)(x) *)
    p3 = f[w - 1] * f[w + 1];
    If[EvenQ[w],
      (* p17(x) = (x^q - x) f_w^2(x) y^2 + f_(w-1)(x) f_(w+1)(x) *)
      p17 = p2 * y2 + p3;,
      (* p17(x) = (x^q - x) f_w^2(x) + f_(w-1)(x) f_(w+1)(x) y^2 *)
      p17 = p2 + p3 * y2;
    ];
    p17 = PolynomialPowerMod[p17, 1, {fl, p}];
    Return[p17];
  ];


• ComputeEquation18[ p, l, w, {a, b} ]

After we know from using Schoof (17) that φ P = ±w P we use Schoof (18) to test the y coordinate of φ P = w P.

For w even:
  p18(x) = 4 (y^2)^((q+3)/2) f_w^3(x) - f_(w+2)(x) f_(w-1)^2(x) + f_(w-2)(x) f_(w+1)^2(x)

For w odd:
  p18(x) = 4 (y^2)^((q-1)/2) f_w^3(x) - f_(w+2)(x) f_(w-1)^2(x) + f_(w-2)(x) f_(w+1)^2(x)

ComputeEquation18[p_, l_, w_, {a_, b_}] :=
  Module[{y2, fl, k, p1, p2, p3, p4, p18y},
    y2 = x^3 + a x + b;
    fl = f[l];
    (* k = (p+3)/2 (w even), k = (p-1)/2 (w odd) *)
    If[EvenQ[w], k = (p + 3)/2;, k = (p - 1)/2];
    (* p1 = (x^3 + a x + b)^k = (y^2)^k *)
    p1 = PolynomialPowerMod[y2, k, {fl, p}];
    (* p2 = f_w^3(x) *)
    p2 = PolynomialPowerMod[f[w], 3, {fl, p}];
    (* p3 = f_(w+2)(x) f_(w-1)^2(x) *)
    p3 = PolynomialPowerMod[f[w - 1], 2, {fl, p}];
    p3 = PolynomialPowerMod[f[w + 2] * p3, 1, {fl, p}];
    (* p4 = f_(w-2)(x) f_(w+1)^2(x) *)
    p4 = PolynomialPowerMod[f[w + 1], 2, {fl, p}];
    p4 = PolynomialPowerMod[f[w - 2] * p4, 1, {fl, p}];
    (* p18y = 4 (y^2)^k f_w^3(x) - f_(w+2)(x) f_(w-1)^2(x) + f_(w-2)(x) f_(w+1)^2(x) *)
    p18y = 4 * p1 * p2 - p3 + p4;
    p18y = PolynomialPowerMod[p18y, 1, {fl, p}];
    Return[p18y];
  ];


• ComputeTmodLCaseOne[ p, l, {a, b} ]

Compute t (mod l) for the case when there exists P ∈ E[l] such that φ^2 P = ±k P. This method uses Schoof equations (17) and (18) to perform these tests.

ComputeTmodLCaseOne[p_, l_, {a_, b_}] :=
  Module[{j, tl, w, fl, g, p17, p18},
    (* If p is a quadratic nonresidue of l then t ≡ 0 (mod l) *)
    If[! QuadraticResidueQ[p, l], Return[0]];
    (* Else find w such that w^2 ≡ p (mod l) *)
    w = SqrtModPShanksTonelli[p, l];
    Print["Sqrt of q mod l = ", w];
    fl = f[l];
    Print["f[", l, "] = ", fl];
    (* Use Schoof 17 to test φ P = ±w P (x coord) *)
    p17 = ComputeEquation17[p, l, w, {a, b}];
    Print["p17 = ", p17];
    g = PolynomialGCD[p17, fl, Modulus -> p];
    Print["gcd(p17, fl) = ", g];
    (* g = 1 means no such P, so t ≡ 0 (mod l) *)
    If[SameQ[g, 1], Return[0]];
    (* Use Schoof 18 to test φ P = w P (y coord) *)
    p18 = ComputeEquation18[p, l, w, {a, b}];
    Print["p18 = ", p18];
    g = PolynomialGCD[p18, fl, Modulus -> p];
    Print["gcd(p18, fl) = ", g];
    (* g = 1 means no such P, so t = -2 w, else t = 2 w *)
    If[SameQ[g, 1], tl = Mod[-2 w, l], tl = Mod[2 w, l]];
    Return[tl];
  ];


• ComputeAlpha[ p, l, {a, b} ]

ComputeAlpha[p, l, {a, b}] computes α, where λ = α/β is the slope of the line between φ^2 P and k P:

  α = ψ_(k+2) ψ_(k-1)^2 - ψ_(k-2) ψ_(k+1)^2 - 4 y^(p^2+1) ψ_k^3

For k even:
  α = y ( f_(k+2) f_(k-1)^2 - f_(k-2) f_(k+1)^2 - 4 (y^2)^((p^2+3)/2) f_k^3 ),
however we return α/y in this case and compensate at a higher level.

For k odd:
  α = y^2 ( f_(k+2) f_(k-1)^2 - f_(k-2) f_(k+1)^2 ) - 4 (y^2)^((p^2+1)/2) f_k^3

ComputeAlpha[p_, l_, {a_, b_}] :=
  Module[{k, fl, y2, y4, p1, p2, p3, p4, p5, alpha},
    k = Mod[p, l];
    fl = f[l];
    (* y2, y4 are polynomials in x *)
    y2 = x^3 + a x + b;
    y4 = PolynomialPowerMod[y2, 2, {fl, p}];
    (* p1 = f_(k+2) f_(k-1)^2 *)
    p1 = PolynomialPowerMod[f[k - 1], 2, {fl, p}];
    p1 = PolynomialPowerMod[f[k + 2] * p1, 1, {fl, p}];
    (* p2 = f_(k-2) f_(k+1)^2 *)
    p2 = PolynomialPowerMod[f[k + 1], 2, {fl, p}];
    p2 = PolynomialPowerMod[f[k - 2] * p2, 1, {fl, p}];
    (* p3 = (y^2)^((p^2-1)/2) = (y^2)^((p-1)(p+1)/2) *)
    p3 = PolynomialPowerMod[y2, (p - 1), {fl, p}];
    p3 = PolynomialPowerMod[p3, (p + 1)/2, {fl, p}];
    (* p4 = f_k^3 *)
    p4 = PolynomialPowerMod[f[k], 3, {fl, p}];
    If[EvenQ[k],
      (* alpha = y (f_(k+2) f_(k-1)^2 - f_(k-2) f_(k+1)^2 - 4 (y^2)^((p^2+3)/2) f_k^3) / y *)
      p5 = PolynomialPowerMod[4 * y4 * p3 * p4, 1, {fl, p}];
      alpha = PolynomialPowerMod[p1 - p2 - p5, 1, {fl, p}];,
      (* alpha = y^2 (f_(k+2) f_(k-1)^2 - f_(k-2) f_(k+1)^2) - 4 (y^2)^((q^2+1)/2) f_k^3 *)
      p5 = PolynomialPowerMod[4 * y2 * p3 * p4, 1, {fl, p}];
      alpha = PolynomialPowerMod[y2 * (p1 - p2) - p5, 1, {fl, p}];
    ];
    Return[alpha];
  ]


• ComputeBeta[ p, l, {a, b} ]

ComputeBeta[p, l, {a, b}] computes β, where λ = α/β is the slope of the line between φ^2 P and k P:

  β = 4 y ψ_k ( (x - x^(p^2)) ψ_k^2 - ψ_(k-1) ψ_(k+1) )

For k even:
  β = 4 y^2 f_k ( (x - x^(p^2)) y^2 f_k^2 - f_(k-1) f_(k+1) )

For k odd:
  β = 4 y f_k ( (x - x^(p^2)) f_k^2 - y^2 f_(k-1) f_(k+1) ),
however we return β/y in this case and compensate at a higher level.

ComputeBeta[p_, l_, {a_, b_}] :=
  Module[{k, fl, y2, p1, p2, p3, p4, beta},
    k = Mod[p, l];
    fl = f[l];
    (* y2 is a polynomial in x *)
    y2 = x^3 + a x + b;
    (* p1 = x - x^(p^2) *)
    p1 = PolynomialPowerMod[x, p, {fl, p}];
    p1 = PolynomialPowerMod[p1, p, {fl, p}];
    p1 = x - p1;
    (* p2 = f_(k-1) f_(k+1) *)
    p2 = PolynomialPowerMod[f[k - 1] * f[k + 1], 1, {fl, p}];
    (* p3 = f_k^2 *)
    p3 = PolynomialPowerMod[f[k], 2, {fl, p}];
    If[EvenQ[k],
      (* beta = 4 y^2 f_k ((x - x^(p^2)) y^2 f_k^2 - f_(k-1) f_(k+1)) *)
      p4 = PolynomialPowerMod[p1 * y2 * p3 - p2, 1, {fl, p}];
      beta = PolynomialPowerMod[4 * y2 * f[k] * p4, 1, {fl, p}];,
      (* beta = 4 y f_k ((x - x^(p^2)) f_k^2 - y^2 f_(k-1) f_(k+1)) / y *)
      p4 = PolynomialPowerMod[p1 * p3 - y2 * p2, 1, {fl, p}];
      beta = PolynomialPowerMod[4 * f[k] * p4, 1, {fl, p}];
    ];
    Return[beta];
  ]


• ComputeEquation19X[ p, l, t, {a, b} ]

Compute the polynomial, modulo f_l, representing Schoof equation (19x) as

  p19x(x, y) = ψ_t^(2p) ( β^2 ( ψ_(k-1) ψ_(k+1) - ψ_k^2 (x^(p^2) + x^p + x) ) + α^2 ψ_k^2 ) + ψ_k^2 β^2 ( ψ_(t-1) ψ_(t+1) )^p.

ComputeEquation19X[p_, l_, t_, {a_, b_}] :=
  Module[{y2, fl, k, alpha, beta, alpha2, beta2, p1, p2, p3, p4, p5, p6, p7, p8, p9, p19},
    k = Mod[p, l];
    fl = f[l];
    (* y2 is a polynomial in x *)
    y2 = x^3 + a x + b;
    (* lambda = alpha/beta, note these are actually alpha/y for k even, beta/y for k odd *)
    (* Note alpha, beta are globals so we can share them with Equation19Y *)
    alpha = ComputeAlpha[p, l, {a, b}];
    beta = ComputeBeta[p, l, {a, b}];
    (* p1 = f_(k-1) f_(k+1) *)
    p1 = f[k - 1] * f[k + 1];
    (* p2 = x^p *)
    p2 = PolynomialPowerMod[x, p, {fl, p}];
    (* p3 = x^(p^2) *)
    p3 = PolynomialPowerMod[p2, p, {fl, p}];
    (* p4 = (x^(p^2) + x^p + x) *)
    p4 = p3 + p2 + x;
    (* p5 = f_k^2 *)
    p5 = PolynomialPowerMod[f[k], 2, {fl, p}];
    (* p6 = (f_(t-1) f_(t+1))^p *)
    p6 = PolynomialPowerMod[f[t - 1] * f[t + 1], p, {fl, p}];
    (* Compute alpha2, beta2 compensating for single y's *)
    If[EvenQ[k],
      (* for k even alpha2 = y^2 (alpha/y)^2 *)
      alpha2 = y2 * PolynomialPowerMod[alpha, 2, {fl, p}];
      beta2 = PolynomialPowerMod[beta, 2, {fl, p}];
      (* p7 = (f_(k-1) f_(k+1) - y^2 f_k^2 (x^(p^2) + x^p + x)) beta^2 + y^2 f_k^2 alpha^2 *)
      p7 = PolynomialPowerMod[p1 - y2 * p5 * p4, 1, {fl, p}];
      p7 = PolynomialPowerMod[p7 * beta2 + y2 * p5 * alpha2, 1, {fl, p}];,
      (* for k odd beta2 = y^2 (beta/y)^2 *)
      alpha2 = PolynomialPowerMod[alpha, 2, {fl, p}];
      beta2 = y2 * PolynomialPowerMod[beta, 2, {fl, p}];
      (* p7 = (y^2 f_(k-1) f_(k+1) - f_k^2 (x^(p^2) + x^p + x)) beta^2 + f_k^2 alpha^2 *)
      p7 = PolynomialPowerMod[y2 * p1 - p5 * p4, 1, {fl, p}];
      p7 = PolynomialPowerMod[p7 * beta2 + p5 * alpha2, 1, {fl, p}];
    ];
    If[EvenQ[k] && EvenQ[t],
      (* ((f_(k-1) f_(k+1) - y^2 f_k^2 (x^(p^2) + x^p + x)) beta^2 + y^2 f_k^2 alpha^2) y^(2p) f_t^(2p)
         + f_(t-1)^p f_(t+1)^p beta^2 y^2 f_k^2 *)
      p8 = PolynomialPowerMod[f[t], 2 * p, {fl, p}];
      p9 = PolynomialPowerMod[y2, p, {fl, p}];
      p19 = PolynomialPowerMod[p7 * p9 * p8 + p6 * beta2 * y2 * p5, 1, {fl, p}];
    ];
    If[EvenQ[k] && OddQ[t],
      (* ((f_(k-1) f_(k+1) - y^2 f_k^2 (x^(p^2) + x^p + x)) beta^2 + y^2 f_k^2 alpha^2) f_t^(2p)
         + y^(2p+2) f_(t-1)^p f_(t+1)^p beta^2 f_k^2 *)
      p8 = PolynomialPowerMod[f[t], 2 * p, {fl, p}];
      p9 = PolynomialPowerMod[y2, p + 1, {fl, p}];
      p19 = PolynomialPowerMod[p7 * p8 + p9 * p6 * beta2 * p5, 1, {fl, p}];
    ];
    If[OddQ[k] && EvenQ[t],
      (* ((y^2 f_(k-1) f_(k+1) - f_k^2 (x^(p^2) + x^p + x)) beta^2 + f_k^2 alpha^2) y^(2p) f_t^(2p)
         + f_(t-1)^p f_(t+1)^p beta^2 f_k^2 *)
      p8 = PolynomialPowerMod[f[t], 2 * p, {fl, p}];
      p9 = PolynomialPowerMod[y2, p, {fl, p}];
      p19 = PolynomialPowerMod[p7 * p9 * p8 + p6 * beta2 * p5, 1, {fl, p}];
    ];
    If[OddQ[k] && OddQ[t],
      (* ((y^2 f_(k-1) f_(k+1) - f_k^2 (x^(p^2) + x^p + x)) beta^2 + f_k^2 alpha^2) f_t^(2p)
         + y^(2p) f_(t-1)^p f_(t+1)^p beta^2 f_k^2 *)
      p8 = PolynomialPowerMod[f[t], 2 * p, {fl, p}];
      p9 = PolynomialPowerMod[y2, p, {fl, p}];
      p19 = PolynomialPowerMod[p7 * p8 + p9 * p6 * beta2 * p5, 1, {fl, p}];
    ];
    Return[p19];
  ];


• ComputeEquation19Y[ p, l, t, {a, b} ]

Compute the polynomial, modulo f_l, representing Schoof equation (19y) as

  p19y(x, y) = 4 ψ_t^(3p) y^p ( ( (2 x^(p^2) + x) α β^2 - β^3 y^(p^2) - α^3 ) ψ_k^2 - α β^2 ψ_(k-1) ψ_(k+1) ) - β^3 ψ_k^2 ( ψ_(t-1)^2 ψ_(t+2) - ψ_(t-2) ψ_(t+1)^2 )^p

ComputeEquation19Y[q_, l_, t_, {a_, b_}] :=
  Module[{y2, fl, k, alpha, beta, alpha2, alpha3, beta2, beta3, y4, yq, p1, p2, p3, p4, p5, p6, p7, p19},
    fl = f[l];
    k = Mod[q, l];
    (* Make sure we have no junk floating around *)
    Print[{q, l, t, x}];
    (* y2 is a polynomial in x only *)
    y2 = x^3 + a x + b;
    (* lambda = alpha/beta, note these are actually alpha/y for k even, beta/y for k odd *)
    (* Use the alpha, beta computed for Equation 19 X *)
    alpha = ComputeAlpha[q, l, {a, b}];
    beta = ComputeBeta[q, l, {a, b}];
    (* Compute alpha3, beta2, beta3 *)
    alpha3 = PolynomialPowerMod[alpha, 3, {fl, q}];
    beta2 = PolynomialPowerMod[beta, 2, {fl, q}];
    beta3 = PolynomialPowerMod[beta, 3, {fl, q}];
    (* p1 = alpha beta^2 (f_(k-1) f_(k+1)) *)
    p1 = alpha * beta2 * f[k - 1] * f[k + 1];
    p1 = PolynomialPowerMod[p1, 1, {fl, q}];
    (* p2 = f_k^2 *)
    p2 = PolynomialPowerMod[f[k], 2, {fl, q}];
    (* p3 = 2 x^(q^2) + x *)
    p3 = PolynomialPowerMod[x, q, {fl, q}];
    p3 = PolynomialPowerMod[p3, q, {fl, q}];
    p3 = PolynomialPowerMod[2 * p3 + x, 1, {fl, q}];
    (* p4 = 4 f_t^(3q) = (4 f_t^3)^q *)
    p4 = 4 * PolynomialPowerMod[f[t], 3 q, {fl, q}];
    (* p5 = (f_(t-1)^2 f_(t+2) - f_(t-2) f_(t+1)^2)^q *)
    p5 = f[t + 2] * PolynomialPowerMod[f[t - 1], 2, {fl, q}];
    p5 = p5 - f[t - 2] * PolynomialPowerMod[f[t + 1], 2, {fl, q}];
    p5 = PolynomialPowerMod[p5, q, {fl, q}];
    (* p6 = y^(q^2-1) = (y^2)^((q-1)(q+1)/2) *)
    p6 = PolynomialPowerMod[y2, (q - 1), {fl, q}];
    p6 = PolynomialPowerMod[p6, (q + 1)/2, {fl, q}];
    Print["{k,t} = ", {k, t}];
    If[EvenQ[k],
      (* 4^q f_t^(3q) (((2 x^(q^2) + x) alpha beta^2 - beta^3 y^(q^2-1) - y^2 alpha^3) y^2 f_k^2 - alpha beta^2 f_(k-1) f_(k+1)) *)
      p19 = PolynomialPowerMod[p3 * alpha * beta2 - beta3 * p6 - y2 * alpha3, 1, {fl, q}];
      p19 = PolynomialPowerMod[p4 * (p19 * y2 * p2 - p1), 1, {fl, q}];
      If[EvenQ[t],
        (* 4^q f_t^(3q) y^(3q+1) (((2 x^(q^2) + x) alpha beta^2 - beta^3 y^(q^2-1) - y^2 alpha^3) y^2 f_k^2 - alpha beta^2 f_(k-1) f_(k+1))
           - beta^3 y^2 f_k^2 (f_(t-1)^2 f_(t+2) - f_(t-2) f_(t+1)^2)^q *)
        p19 *= PolynomialPowerMod[y2, (3 q + 1)/2, {fl, q}];
        p19 = PolynomialPowerMod[p19 - beta3 * y2 * p2 * p5, 1, {fl, q}];,
        (* 4^q f_t^(3q) (((2 x^(q^2) + x) alpha beta^2 - beta^3 y^(q^2-1) - y^2 alpha^3) y^2 f_k^2 - alpha beta^2 f_(k-1) f_(k+1))
           - beta^3 f_k^2 (f_(t-1)^2 f_(t+2) - f_(t-2) f_(t+1)^2)^q y^(q+1) *)
        yq = PolynomialPowerMod[y2, (q + 1)/2, {fl, q}];
        p19 = PolynomialPowerMod[p19 - beta3 * p2 * p5 * yq, 1, {fl, q}];
      ];
    ];
    If[OddQ[k],
      y4 = PolynomialPowerMod[y2, 2, {fl, q}];
      (* p7 = beta^3 (y^2)^((q^2+3)/2) = beta^3 (y^2)^2 (y^2)^((q^2-1)/2) *)
      p7 = PolynomialPowerMod[beta3 * y4 * p6, 1, {fl, q}];
      p19 = PolynomialPowerMod[p3 * alpha * beta2 * y2 - p7 - alpha3, 1, {fl, q}];
      p19 = PolynomialPowerMod[p4 * (p19 * p2 - y4 * p1), 1, {fl, q}];
      If[EvenQ[t],
        (* 4^q f_t^(3q) y^(3q-3) (((2 x^(q^2) + x) alpha beta^2 y^2 - beta^3 y^(q^2+3) - alpha^3) f_k^2 - y^4 alpha beta^2 f_(k-1) f_(k+1))
           - beta^3 f_k^2 (f_(t-1)^2 f_(t+2) - f_(t-2) f_(t+1)^2)^q *)
        p19 *= PolynomialPowerMod[y2, (3 q - 3)/2, {fl, q}];
        p19 = PolynomialPowerMod[p19 - beta3 * p2 * p5, 1, {fl, q}];,
        (* 4^q f_t^(3q) (((2 x^(q^2) + x) alpha beta^2 y^2 - beta^3 y^(q^2+3) - alpha^3) f_k^2 - alpha beta^2 y^4 f_(k-1) f_(k+1))
           - beta^3 f_k^2 (f_(t-1)^2 f_(t+2) - f_(t-2) f_(t+1)^2)^q y^(q+3) *)
        yq = PolynomialPowerMod[y2, (q + 3)/2, {fl, q}];
        p19 = PolynomialPowerMod[p19 - beta3 * p2 * p5 * yq, 1, {fl, q}];
      ];
    ];
    Return[p19];
  ];


• ComputeTmodLCaseTwo[ q, l, {a, b} ]

Given that φ^2 P ≠ ±k P for any P ∈ E[l] we must test equation (12) for each t in Z/lZ as φ^2 P + q P = ±t φ P. These tests are performed using the equations of Schoof (19).

ComputeTmodLCaseTwo[q_, l_, {a_, b_}] :=
  Module[{fl, k, t, g, p19x, p19y},
    fl = f[l];
    k = Mod[q, l];
    For[t = 1, t < l, ++t,
      p19x = ComputeEquation19X[q, l, t, {a, b}];
      Print["p19x = ", p19x];
      g = PolynomialGCD[p19x, fl, Modulus -> q];
      Print["gcd(p19x, fl) = ", g];
      (* g != 1 means such P exists, so check the y coordinate *)
      If[! SameQ[g, 1],
        p19y = ComputeEquation19Y[q, l, t, {a, b}];
        Print["p19y = ", p19y];
        g = PolynomialGCD[p19y, fl, Modulus -> q];
        Print["gcd(p19y, fl) = ", g];
        If[SameQ[g, 1], Return[l - t], Return[t]];
      ];
    ];
    (* No solution for any t, return 0 *)
    Return[0];
  ]


• ComputeGroupOrderSchoof[ {a, b}, p ]

Computes the order of the group of points E(F_p) on the elliptic curve E : y^2 = x^3 + A x + B over F_p using Schoof's Algorithm.

ComputeGroupOrderSchoof[{a_, b_}, p_] :=
  Module[{s, tau, l, fl, tl, prmprod, m, i, g, gy, t, p16, p19x, p19y, r, grpord},
    (* Create a set of smallest primes S such that ∏_{i=1}^{m} l_i > 4 Sqrt[p] *)
    {prmprod, s} = ComputePrimeSet[p];
    Print["Primeset = ", s];
    (* Compute t (mod 2) *)
    tl = ComputeTModTwo[{a, b}, p];
    Print["t (mod 2) = ", tl];
    t = {{2, tl}};
    (* Create the required division polynomials f_k. psi is a global! *)
    m = Last[s];
    psi = ComputeDivisionPolynomials[{a, b}, p, m];
    (* Now for each other l ∈ S compute t mod l as follows *)
    For[i = 2, i <= Length[s], ++i,
      l = s[[i]];
      fl = f[l];
      Print["f[", l, "] = ", fl];
      (* If there exists P ∈ E[l] such that φ^2 P = ±k P we are in case 1 *)
      p16 = ComputeEquation16[p, l, {a, b}];
      g = PolynomialGCD[p16, fl, Modulus -> p];
      Print["p16 = ", p16];
      Print["gcd(p16, fl) = ", g];
      If[! SameQ[g, 1],
        (* Determine t (mod l) using Schoof (17) and (18) *)
        tl = ComputeTmodLCaseOne[p, l, {a, b}];
        AppendTo[t, {l, tl}];,
        (* Else, we are in case 2, testing φ^2 P + k P = ±tau φ P *)
        (* Determine if there exists tau < l satisfying Schoof (19) *)
        For[tau = 1, tau < (l + 1)/2, ++tau,
          Print["tl = ", tau];
          (* If (19 X) holds for some P ∈ E[l] *)
          p19x = ComputeEquation19X[p, l, tau, {a, b}];
          Print["p19x = ", p19x];
          g = PolynomialGCD[p19x, fl, Modulus -> p];
          Print["gcd(p19x, fl) = ", g];
          If[! SameQ[g, 1],
            (* then φ^2 P + k P = ±tau φ P, use (19 y) to determine the sign *)
            p19y = ComputeEquation19Y[p, l, tau, {a, b}];
            Print["p19y = ", p19y];
            gy = PolynomialGCD[p19y, fl, Modulus -> p];
            Print["gcd(p19y, fl) = ", gy];
            If[! SameQ[gy, 1], tl = tau, tl = l - tau];
            AppendTo[t, {l, tl}];
            (* There can be only one such tau for each l *)
            Break[];
          ];
        ];
      ];
      Print["t (mod l_i) = ", t];
    ];
    (* Convert t from {{l, t (mod l)}} to {{l}, {tl}} *)
    t = Transpose[t];
    Print["t (mod l_i) = ", t];
    (* Use the Chinese Remainder Theorem to compute the smallest r > 0 such that r ≡ t_i (mod l_i) for each i *)
    r = DetermineChineseRemainder[Last[t], First[t]];
    (* force -2 Sqrt[p] <= r <= 2 Sqrt[p] *)
    If[r > 2 Sqrt[p], r -= prmprod];
    Print["t = ", r];
    grpord = p + 1 - r;
    Return[grpord];
  ];
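The prime-set construction of ComputePrimeSet and the closing steps of ComputeGroupOrderSchoof (combine the residues t mod l_i by the Chinese Remainder Theorem, then move r into -2 √p ≤ t ≤ 2 √p and take #E(F_p) = p + 1 - t), as an added Python example that is not code from the thesis. The residues in the test come from a constructed trace t = -7 for p = 101, chosen to show the wrap-around; they are not the residues of any particular curve, and next_prime is a small trial-division helper standing in for Mathematica's NextPrime.

```python
# Added example, not code from the thesis: the prime set of ComputePrimeSet and the CRT /
# Hasse-window finish of ComputeGroupOrderSchoof. The residues used in the test are built
# from a constructed t = -7, not computed from a curve.
import math

def next_prime(n):
    """Smallest prime > n (trial division; adequate for the small l used in Schoof's method)."""
    n += 1
    while any(n % d == 0 for d in range(2, math.isqrt(n) + 1)):
        n += 1
    return n

def prime_set(p):
    """(M, [l_i]): smallest primes with product M > 4 Ceiling[Sqrt[p]], skipping l with p mod l <= 1."""
    r = 4 * (math.isqrt(p - 1) + 1)        # 4 Ceiling[Sqrt[p]] for p >= 2
    l, m, s = 2, 2, [2]
    while m <= r:
        l = next_prime(l)
        if p % l > 1:                      # exclude l with p ≡ 1 (mod l), and l = p
            m *= l
            s.append(l)
    return m, s

def crt(residues, moduli):
    """(r, M): smallest r >= 0 with r ≡ residues[i] (mod moduli[i]) for pairwise coprime moduli."""
    r, M = 0, 1
    for t_i, l_i in zip(residues, moduli):
        k = (t_i - r) * pow(M, -1, l_i) % l_i   # lift: r + M k ≡ t_i (mod l_i)
        r, M = r + M * k, M * l_i
    return r % M, M

def trace_from_residues(p, residues, moduli):
    """(t, #E(F_p)) from t mod l_i: the CRT value r, moved to the negative representative
    when r > 2 sqrt(p) (i.e. r^2 > 4p), and p + 1 - t."""
    r, M = crt(residues, moduli)
    if r * r > 4 * p:
        r -= M
    return r, p + 1 - r
```

The shift by M is what makes the answer unique: Hasse's theorem guarantees |t| ≤ 2 √p, and since M > 4 √p the interval [-2 √p, 2 √p] contains exactly one integer in each residue class modulo M, so r and r - M cannot both be admissible.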
