Isogeny cycle - 橢圓曲線上SEA演算法之加速

This method is proposed by Couveignes and Morain first in 1994[5]. It takes advantage of the Elkies primes. For an Elkies prime ℓ, we find t_ℓ t ^pmod ℓ^qoriginally. And the use of isogeny cycles can help us find t_ℓ^k t ^pmod ℓ^k^q. The following are theories about the isogeny cycles.

In this section, we suppose that ℓ satisfies condition (2) of Theorem 3.8. The two roots of Φ^c_ℓ^px, j^q can be used to derive two different isogenies I₁, I₂ corresponding to the different curves E₁, and E₂. That is,

I1 : E ^ÞÑE1, I2 : E ^ÞÑE2

From the theorem of classical modular polynomials, there are two isogenies of E of degree

ℓ. These isogenies map to E1 and E2 separately, where the j-invariant of E1 and E2 are roots of Φ_ℓ^px, j^q. Besides, an isogeny from E to E₁ implies the existence of an dual isogeny from E1 to E. It means j j^pE^qis a root of Φℓ^px, j^pE1^qq. Since the field is finite, the j-invariant of curves found by isogenies are periodic. In addition, the group order of curves are the same.

Then, the curves are periodic up to isomorphism. In other words, the curves form a cycle, called the isogeny cycle, and there are two directions to walk along the cycle.

Example 4.1. Let E: y² x³ 68x 79, the curves derived from isogenies are as follows:

ra, b^s j^pEra,b^s^q

r68, 79^s 2

r27, 68^s 82

r50, 89^s 56

r31, 28^s 10

r45, 15^s 34

r47, 87^s 90

r42, 63^s 20

r97, 32^s 15

r56, 31^s 2

If direction 1 is the direction of the cycle of curves as in Example 4.2, direction 2 is in the reverse order of curves. Figure 4.1 represents explicitly the symbols used later on. Note that E1111 is E₁4 for short. The numbers on the circle are the j-invariants of elliptic curves. The clockwise is direction 1, and direction 2 is counterclockwise. Here the symbol E12 is the curve derived from direction 2 of E1. More precisely, E12is back to E since E12E.

Theorem 4.2. In a direction of the isogeny cycle, suppose from E1 to E1k does not meet E,

Figure 4.1: Isogeny cycle

that is, the j-invariant of E1i are different for i0, 1, ..., k. Then

ker(I₁kI1k1...I11I1)E^rℓ^k^s

Recall that I₁i : E1i1 ^ÞÑE1i defined by

I1i^pP^px, y^qq

k1i^px^q

ph1i^px^qq², g1i^px, y^q

ph1i^px^qq³

The points of ker(I₁₁) satisfy h₁₁^px^q, and the points of ker(I₁₁ I1) satisfy the numerator of h11I1. Hence, a factor of the division polynomial ψℓ²^px^qof E is the numerator of

h11

k1^px^q

ph1^px^qq²

Generally, a factor of the division polynomial ψ_ℓ^k^px^qof E is the numerator of h1kI1k1... I11I1. Thus, the degree of the division polynomial ψ_ℓ^k^px^qis ^ℓ^k

pℓ1^q

2 .

Suppose the characteristic of the field is greater than three. Let I be an isogeny from E to E, the method to figure out the k˜ 1^px^qof I is by use of the theories of elliptic curves over C.

First, we have the ℘-Weierstrass functions ℘^pz^q, ℘₁^pz^qof E and ˜E. Then x-coordinate of the

points in E^pC^qis ℘^pz^q, and that in ˜E^pC^qis ℘1^pz^q. Therefore, there is a relation between them

There is another strategy to compute a factor of the division polynomial[4]. Let us look at the picture below.

In the picture, i_nare the isomorphism of the curves. h₁₂is a factor of the division polynomial ψℓ^px^qof E1. Then the numerator of h12i1I112yields a factor of f112of the division polynomial ψℓ²^px^qof E₁₁. Similarly, a factor f₁₁₁₂of the division polynomial ψ_ℓ³^px^qof E₁₁₁is derived from f112i2I1112, and so on.

4.2 Re-ordering Atkin Primes

For an Atkin prime ℓ, suppose it produces φ^prℓ^qcandidates of tℓ. Izu et al[9, 10] define “Atkin index” of ℓ by

i^pℓ^q φ^prℓ^q

ℓ

They figured out that Atkin primes of smaller index can be used more efficiently for the com-putation of BSGS strategy. In the next chapter, we will propose another way to rank Atkin primes.

4.3 Virtual (Atkin/Isogeny cycles) Method

Izu et al proposed the virtual method in 1998[9]. The idea is simple. For a prime ℓ, no matter whether it is an Elkies prime or not, we have a set T_ℓ which contains all possible t_ℓ. Note that Tℓ contains only one candidate for the Elkies prime ℓ. Then the Tℓ² is obtained as follows.

Tℓ² ^ttℓ iℓ^|tℓ ^PTℓ, 0^¤iℓ^u

By using this method, it adds an Atkin-like prime into gathered information. However, This is a method worse than using information of Atkin primes. It means that the method does not apply to the case when it skips some information from Atkin. In this point of view, this method can just help speed up the point counting algorithm for elliptic curves defined over a finite field of small cardinality. So, we do not apply this.

4.4 Chinese and Match Method

The BSGS strategy introduced in Section 3.3 is a so-called “Match and Sort” method. The

“Chinese and Match” method is proposed by Joux and Lercier in 2000[12]. It is an alternative

way for the same problem. The advantage of this method is to reduce the space complexity.

Hence, they can count the number of points of an elliptic curve defined overF2¹⁶⁶³ on a network of four PII 300 MHz based PC’s using only 12 MB of memory.

This is a method which saves the used space by spending more time. We want to speed up SEA algorithm, so it does not apply to our implementation. However, it is useful for the point counting problem of elliptic curves defined over a finite field of large cardinality.

Chapter 5 Our Three Heuristics for SEA Algorithm

In this chapter, we will introduce our three heuristics for the use of Atkin primes, and Elkies primes, and the method to avoid the sub-exponential time BSGS strategy. We implement SEA algorithm for elliptic curves defined over the prime field Fq, where q p ^¡ 3. We will also point out some ideas, and give a brief explanation.

We use the MIRACL[27](Multiprecision Integer and Rational Arithmetic C/C++ Library) library in our implementation. More than being a big number library, MIRACL provides uni-variate and biuni-variate polynomial type with big number coefficient, the big integer modulo n arithmetic, the polynomial ring, the elliptic curve arithmetic, and some tools of number theory, such as CRT, cryptographic secure random number generator, etc. Also, MIRACL contains a simple version of SEA algorithm implementation.

5.1 Atkin Selection Heuristic

Because of the sub-exponential time complexity while using information of Atkin primes, the

‘best’ Atkin primes have to be figured out by some evaluations. The goal is to reduce the number of candidates of possible t. The first approach ranks Atkin primes ℓ in order of φ^prℓ^q. Thus, it is

straightforward to pick the Atkin primes of smaller φ^prℓ^q. Izu et al proposed the index of Atkin primes introduced in the previous chapter.

Example 5.1. Let 5, 11, and 29 be Atkin primes, and let r₅ 3, r11 12, r2915.

ℓ rℓ φ^prℓ^q i^pℓ^q

5 3 2 0.4

11 12 4 0.36

29 15 8 0.276

Here we can easily find that it is better to use 5 and 11 rather than 29 because the number of possibilities are the same while 511^¡29.

Let m3be the product of Elkies primes encountered, and A be the product of selected Atkin primes. Since Elkies primes are never skipped, the Atkin primes are selected enough such that m3 A ^¡ 4^?q. So A has the lower bound 4^?q^{m3. Also, the smaller C, the number of possible t, is better. In Izu’s point of view,

C A

ℓselected Atkin primes φ^prℓ^q

ℓ

Therefore, if the smaller index of Atkin primes, the better. If the number of selected Atkin primes is fixed, this may work. However, we may use more small Atkin primes to gain the smaller ^C_A as Example 5.1.

The problem of Izu’s index is that it does not consider the length of ℓ. Here, we define the rank of an Atkin prime ℓ by

R^pℓ^qlog φ^prℓ^q{log ℓ

We can see R^pℓ^qsimply as the number of bits of C caused by each bit of ℓ averagely. Thus, the Atkin prime is ‘best’ if and only if the number of bits of C is less. Therefore, the ‘best’ Atkin prime are those of smaller R^pℓ^q.

Example 5.2. The same example as Example 5.1.

ℓ rℓ φ^prℓ^q R^pℓ^q

5 3 2 0.43

11 12 4 0.58

29 15 8 0.62

Here we can see that our method can figure out the error of the index of Atkin primes.

From the same point of view, now we consider the virtual method introduced in Section 4.3.

The new information from it causes an imaginary Atkin prime of R^pℓ^q 1. That is the worst one. We propose a real example below.

Example 5.3. Let E : y² x³ 3x 10 defined over Fq, q 2³⁸⁴ 317 is a prime.

2, 3, 13, 23, 29, 31, 43, 47, 59, 61, 67, 71, 73, 89, 101, 107, 109, 131, 137, 139, 167, 173, 223, 233, 239 are Elkies primes. The lower bound of A is about 6.6 10¹³. The following are the selected Atkin primes according to the three methods.

Rank in order of φ^prℓ^q Rank in order of i^pℓ^q Rank in order of R^pℓ^q ℓ φ^prℓ^q Selected ℓ φ^prℓ^q i^pℓ^q Selected ℓ φ^prℓ^q R^pℓ^q Selected

5 2 Drop 79 4 0.05 * 79 4 0.32 *

79 4 * 127 8 0.06 * 127 8 0.429 *

11 4 * 53 6 0.11 * 5 2 0.431 Drop

7 4 * 151 18 0.12 * 53 6 0.45 *

53 6 * 179 24 0.13 * 41 6 0.48 *

41 6 * 41 6 0.15 * 151 18 0.576 *

17 6 * 191 32 0.17 * 11 4 0.578 *

127 8 * 17 6 0.35 179 24 0.61 *

19 8 * 11 4 0.36 17 6 0.63 *

151 18 * 5 2 0.4 191 32 0.66

179 24 19 8 0.42 19 8 0.706

191 32 7 4 0.57 7 4 0.712

C 15925248 C 15925248 C 11943936

A8.210¹³ A1.110¹⁴ A 1.110¹⁴ Table 5.1: Evaluation methods of Atkin primes

The Atkin primes are selected one by one until the product A of selected ones is larger than the lower bound. Then, the check goes through the selected Atkin primes in order to drop some selected ones if they are not necessary. In other words, the product A is larger than the lower bound. In Example 5.3, we can see the comparison of A and C of the previous two methods.

The C of these are the same, but the index is much better due to the larger A. To compare the results of the last two, although the A of the two methods are almost the same, the rank of Atkin primes is better in the third by reason of the smaller C.

While using the information from Atkin primes, we just select some for the reason of avoid-ing a waste of time in BSGS strategy. We have mentioned that the complexity is O^pℓ³log³q^qto find r_ℓ for each Atkin prime ℓ. Thus, whenever we can choose enough Atkin primes such that m3A^¡4^?q, we can get the largest value R of R^pℓ^qof the selected Atkin primes. After that, we never select the Atkin primes ℓ of R^pℓ^qlarger than R. Therefore, we do not need to collect the Atkin primes ℓ of R^pℓ^q^¡R. So, this can help us save time to find rℓof ℓ if the candidate of rℓmakes R^pℓ^q^¡R.

5.2 Elkies Isogeny Heuristic

If an Elkies prime ℓ occurs, the factor h1^px^qof the division polynomial is figured out. After that, λ, a root of the characteristic polynomial of Frobenius map overFℓ, is computed via checking the y-coordinates of ϕ^pP^q^px^q, y^q^qand^rλ^sP .

In our consideration, the curve

E^ra,b^s : y² x³ ax b, a, b^PFq,

and the division polynomials simplify to

ψ0 0, ψ1 1, ψ2 2y,

ψ3 3x⁴ 6ax² 12bxa²,

ψ4 4y^px⁶ 5ax⁴ 20bx³5a²x²4abx8b²a³^q, ψ2m 1 ψm 2ψ_m³ ψm1ψ³_{m 1}, m^¥2,

ψ2m ^pψm 2ψ²_m1ψm2ψ²_{m 1}^qψm^{2y, m^¡2

For a positive integer m ^¡2, and a point P^px, y^qof E such that^rm^sP ⁸,

rm^sP

x ψm1ψm 1

ψ_m² ,ψm 2ψ_m²1 ψm2ψ_{m 1}² 4yψ_m³

The implementation of Elkies procedure of MIRACL library hides y term of ψ_2mbut keeps it in mind. When y² occurs, it is replaced by using the curve equation. Therefore, the division polynomials are computed by the following recursion. Note that f_{2k 1} ψ2k 1and yf_2k ψ2k

f₀ 0, f₁ 1, f₂ 2,

f₃ 3x⁴ 6ax² 12bxa²,

f₄ 4x⁶ 20ax⁴ 80bx³20a²x²16abx32b²4a³, f_{4k 1} ψ2k 2ψ_2k³ ψ2k1ψ³_{2k 1}

f_{2k 2}f³_2ky⁴f_2k1f³_{2k 1}

f_{2k 2}f³_2k^px³ ax b^q²f_2k1f³_{2k 1}, f_{4k 3} ψ2k 3ψ_{2k 1}³ ψ2kψ³_{2k 2}

f_{2k 3}f³_{2k 1}f_2kf³_{2k 2}y⁴

f_{2k 3}f³_{2k 1}f_2kf³_{2k 2}^px³ ax b^q², f_4k ψ4k^{y

ppψ2k 2ψ²_2k1ψ2k2ψ_{2k 1}² ^qψ2k^{2y^q{y

ppyf_{2k 2}f²_2k1yf_2k2f²_{2k 1}^qyf_2k^{2y^q{y

pf_{2k 2}f²_2k1f_2k2f²_{2k 1}^qf_2k^{2, f_{4k 2} ψ4k 2^{y

ppψ2k 3ψ²_2kψ2k1ψ_{2k 2}² ^qψ2k 1^{2y^q{y

ppf_{2k 3}y²f²_2kf_2k1y²f²_{2k 2}^qf_{2k 1}^{2y^q{y

pf_{2k 3}f²_2kf_2k1f²_{2k 2}^qf_{2k 1}^{2.

If we pre-compute the square and cube of a division polynomial and ^px³ ax b^q², it costs five polynomial multiplication to compute a division polynomial, where two is for the pre-computation step.

The y-coordinate of ϕ^pP^px, y^qq,

y^qy^px³ ax b^q^q²¹

Hence, let Yq1 ^px³ ax b^q^q²¹. Then, y^qyYq1. The way to check the y-coordinates of

For each case above, whether the denominator and the numerator are the same, or the sum of them is 0, corresponding to λ m or λ ℓm, the check costs three polynomial multi-plications for odd m, and four for even m. The expected number of polynomial multiplication needed is^p5 ^ℓ₄ 3.5₄^ℓ^q ¹⁷₈ℓ.

As the concept indicates, there are two processes of isogeny cycles. The first one is to compute a factor of division polynomial ψ_ℓ^k^px^q, and search λ ^pmod ℓ^k^q. The expected number of polynomial multiplication needed is^p5^ℓ₄^k 3.5^ℓ₄^k^q ¹⁷₈ ℓ^k.

The second process is to find the λ ^pmod ℓⁱ^qfor each ik. That means finding λ ^pmod ℓⁱ^q by use of λ ^pmod ℓⁱ¹^q. Suppose λ a ^pmod ℓⁱ¹^q, then the candidates of λ ^pmod ℓⁱ^qare a hℓⁱ¹ for h 0, 1, ..., ℓ 1. It does not mean that the expected number of the division polynomials needed increases to^p^ℓ₂^k^qin this case. Here, we still can use the negative checking.

Example 5.4. Suppose λ3 ^pmod 13^q, then λ 3 13h ^pmod 13²^qfor some o ^¤h^¤12.

Here assume λ3 13˜h ^pmod 13²^q. ϕ^pP^q^r3 13˜h^sP . Since P ^PE^r13²^s,

ϕ^pP^q^r313˜h^sP ^r13²313˜h^sP ^r3 13^p13˜h^qsP Therefore, in this example, we can do negative checking for 7^¤h^¤12.

ϕ^pP^q^r3 137^sP ^ñ ϕ^pP^q^r3 13^p137^qsP ϕ^pP^q^r3 138^sP ^ñ ϕ^pP^q^r3 13^p138^qsP ϕ^pP^q^r3 139^sP ^ñ ϕ^pP^q^r3 13^p139^qsP ϕ^pP^q^r3 1310^sP ^ñ ϕ^pP^q^r3 13^p1310^qsP ϕ^pP^q^r3 1311^sP ^ñ ϕ^pP^q^r3 13^p1311^qsP ϕ^pP^q^r3 1312^sP ^ñ ϕ^pP^q^r3 13^p1312^qsP

Now, λ can be derived. To determine the t ^pmod ℓ^k^q, µ is needed. For the case k 1, µqℓ^{λ ^pmod ℓ^q. For the case k s ^¡ 1, we have λ ^pmod ℓ^s^q, and µ ^pmod ℓ^s¹^q. In fact, λµqℓ^s ^pmod ℓ^s^q. The µ ^pmod ℓ^s^qcan be calculated from the Hensel’s Lemma.

Example 5.5. Suppose q 157, and λ 1 ^pmod 7^q, µ 3 ^pmod 7^q. Also, λ 22

pmod 7²^q. Then, let f^px^qAxB, where A22λ ^pmod 7²^q, B 10157 ^pmod 7²^q. By Hensel’s Lemma,

sf¹^pµ^qf^pµ^q

7 ^pmod 7^q So, s6, and µ3 6745.

Therefore, in this case the expected number of polynomial multiplication needed is ^p5

ℓ^k

4 3.5 ₂^ℓ^q^p⁵₄ℓ^k ⁷₄ℓ^q

Now, we analyze the computing cost. The complexity of the polynomial multiplication reduced modulo a polynomial of degree n is O^pn log n^qvia fast Fourier transformation(FFT), say w₁n log n, where w1 is a constant.

First, we define some terms for further analysis. First, T_ℓ¹ denotes the computing time to derive t_ℓfor an Elkies prime ℓ. Then,

Tℓ¹ log qw1^pℓ 1^qlog^pℓ 1^q

Since the information from Elkies primes is definite, it is important to increase the product of these primes and prime powers. The concept is the same as Section 5.1 that we select the prime ℓ or prime powers ℓ^kwhose T_ℓⁱ^{log ℓ is small. This value represents the computing cost to gain the information caused by each bit of ℓ averagely.

Example 5.6. Let q 2⁵¹²569, then the following is the value Tℓⁱ^{log ℓ with respect to each

Let us review the BSGS strategy in which lie some tricks to speed up. The Atkin primes are first divided into two sets S1, and S2. Let c1 and c2 be the number of possible t corresponding

to S1 and S2. After that, the baby step performs c1 times to calculate t1, and the corresponding

|r1^| m1

2 , and then Q_r1 ^rq 1t3^sP ^rr1m2m3^sP . So, we can reduce the time of scalar multiplication of a point by pre-computation of^rm2m3^sP . Therefore, the complexity of baby step is O^pc1log m1^qelliptic curve point addition.

Similarly, in the giant step, the computation of ^rm1m3^sP reduces the time to compute

rr2m1m3^sP . Moreover, there are two r2, say r21 and r22, for a t2. Since ^|r21 r22^| m2, we can derive^rr22m1m3^sP from^rr21m1m3^sP and^rm1m2m3^sP . Thus, the complexity of giant step is O^pc2log m2^qelliptic curve point addition.

In addition, the baby step is performed completely, while the giant step is not. In proba-bilistic estimation, the giant step is half performed. Hence, it is better to choose the set of small number of possible t to perform the baby step. Hence, the computing cost B of BSGS strategy is about

B w2

3 2

C log A,

where w2is a constant.

It costs much time in BSGS strategy if C is too large. The traditional way out of this problem is to set a threshold T for C. However, it does not seem a good way to decide the time to perform BSGS strategy. If T is big, it may cost more time in BSGS strategy of the algorithm. But the small T may cause a waste of time to use the larger primes. Here, we propose a method to estimate T dynamically. After the Atkin primes selection strategy, we can estimate the computing time B used by BSGS strategy. On the other hand, we also suppose that the next prime is Elkies, and estimate the time B¹which is taken by gathering the information of the next prime, and then the BSGS strategy after we have the information from the next prime.

If B B¹, then our implementation will perform BSGS strategy. Otherwise, the informa-tion of the next prime is collected. Thus, the next stage of the algorithm depends on the gathered

information of each elliptic curve. Therefore, we can prevent from the use of larger primes, and can detect whether C is too big. This method can always be suitable for any curve.

5.4 Numerical Results

The computing environment we use is Intel Xeon 3040 Processor with 1.86GHz, 2G RAM on FreeBSD 7.0 with the MIRACL library version 5.3.2. At first, we calculated the order of 50, 40, 30, 20, 10 different elliptic curves corresponding to the prime of 160-bit, 192-bit, 256-bit, 384-bit, and 512-bit by use of the original SEA algorithm. The average time is listed in Table 5.2.

Bits of q 160 192 256 384 512

Average time(s) 9.91 26.51 90.73 607.8 2654 Table 5.2: Average computing time of original SEA algorithm

Next, we calculated the order of the same elliptic curves as before by applying the Atkin selection heuristic. The average time and the improvement rate compared with the original one are in Table 5.3.

# bits of q 160 192 256 384 512

Average time(s) 9.68 26.02 87.20 574.9 2412 Improve rate(%) 2.33 1.84 3.89 5.42 9.10

Table 5.3: Average computing time when applying Atkin selection heuristic

When the number of bits of q increases, we need to use more primes. Hence, we encounter more Atkin primes, which are almost useless for us. The Atkin selection heuristic can save the

time, whose complexity is O^pℓ³log³q^q, to find out the rℓ of the ‘bad’ Atkin primes. Therefore, the impact is more evident when q is large.

Table 5.4 shows the numerical result of applying the Elkies isogeny heuristic.

# bits of q 160 192 256 384 512

Average time(s) 9.68 25.27 83.95 557.0 2296 Improve rate(%) 2.30 4.67 7.47 8.37 13.48

Table 5.4: Average computing time when applying Elkies isogeny heuristic

The effect of the isogeny cycle is to reuse the Elkies primes. This is necessary if q is larger because of the increasing number of the encountered Atkin primes. So, the result presents that the improvement is obvious when q is large.

The result of the improvement of the polynomial-time BSGS heuristic is shown in Table 5.5.

# bits of q 160 192 256 384 512

Average time(s) 9.49 25.43 80.02 545.1 2278 Improve rate(%) 4.19 4.07 11.81 10.31 14.16

Table 5.5: Average computing time when applying polynomial-time BSGS heuristic

# bits of q 160 192 256 384 512

Average time(s) 9.11 23.86 73.18 464.3 1899 Improve rate(%) 8.03 10.01 19.34 23.61 28.43 Table 5.6: Average computing time when applying three heuristics

This heuristic brings an effective way to improve the algorithm as we can see. The result

also tells that it can prevent from the use of larger primes, and can detect whether C is too big, indeed.

Finally, if the three heuristics are applied to original SEA algorithm, then we get the result in Table 5.6.

Chapter 6 Conclusion & Future Work

In this thesis, we propose three heuristics to speed up the SEA algorithm. These three heuristics are more effective for large q. Besides, we use the pre-computation skill to speed up the part of BSGS strategy. And we also propose the negative checking for the isogeny cycles.

Although our implementation is for the elliptic curves defined over prime fields, the heuris-tics can be applied to the SEA algorithm for elliptic curves defined over binary fieldsFq, where q2ⁿ. Furthermore, the idea of analysis in the Atkin selection heuristic and also in the Elkies isogeny heuristic may be applied to others.

There are some improvements that mentioned by Couveignes[4]. It can help find a factor of the division polynomial of smaller degree.

In the future, we will prepare to implement SEA algorithm for elliptic curves defined over binary fields. Also, we will study the theoretical part of elliptic curves, especially the part related to SEA algorithm. Moreover, there exists Satoh’s method[19], which uses p-adic analysis to find the order of elliptic curves defined over finite fields of small characteristic, such as binary fields.

Bibliography

[1] A. O. L. Atkin and F. Morain. Elliptic curves and primality proving. Mathematics of Computation, 61(203):29–68, 1993.

[2] M. Bellare and P. Rogaway. Minimizing the use of random oracles in authenticated en-cryption schemes. In ICIS: International Conference on Information and Communications Security (ICIS), LNCS, 1997.

[3] I. F. Blake and and N. P. Smart C. Seroussi. Elliptic Curves in Cryptography. Cambridge University Press, 2000.

[4] J. Couveignes, L. Dewaghe, and F. Morain. Isogeny cycles and the Schoof-Elkies-Atkin algorithm, LIX/RR/96/03, 1996.

[5] J. Couveignes and F. Morain. Schoof’s algorithm and isogeny cycles. In ANTS, pages 43–58, 1994.

[6] G. Frey. Applications of arithmetical geometry to cryptographic constructions. In Pro-ceedings of the Fifth International Conference on Finite Fields and Applications, 2001. to appear. Also available from http://www.exp-math.uni-essen.de/.

[7] G. Frey and H. R¨uck. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 62(206):865–874, 1994.

[8] P. Gaudry. Index calculus for abelian varieties and the elliptic curve dis-crete logarithm problem. Cryptology ePrint Archive, Report 2004/073, 2004.

http://eprint.iacr.org/2004/073/.

[9] T. Izu, J. Kogure, M. Noro, and K. Yokoyama. Parameters for secure elliptic curve cryp-tosystem - improvements on schoof’s algorithm. In Public Key Cryptography, volume 1431, pages 253–257, 1998.

[10] T. Izu, J. Kogure, M. Noro, and K. Yokoyama. Efficient implementation of Schoof’s algorithm , Advances in Cryptology – Asiacrypt ’98, Lecture Notes in Computer Science, 1514 (1999), Springer-Verlag, 66–79.

[11] D. Johnson and A. Menezes. D. Johnson and A. Menezes, The Elliptic Curve Digital Signature Algorithm (ECDSA), Univ. of Waterloo, 1999, http://cacr.math.waterloo.ca

在文檔中橢圓曲線上SEA演算法之加速 (頁 52-73)