National Chiao Tung University
Institute of Computer Science and Engineering
Master's Thesis

Speeding up SEA Algorithm for Elliptic Curves

Student: Yung-Hsiang Liu
Advisor: Dr. Rong-Jaye Chen

A Thesis
Submitted to Institute of Computer Science and Engineering
College of Computer Science
National Chiao Tung University
in partial Fulfillment of the Requirements
for the Degree of Master
in
Computer Science
June 2008
Hsinchu, Taiwan, Republic of China
Speeding up SEA Algorithm for Elliptic Curves
Student: Yung-Hsiang Liu
Advisor: Dr. Rong-Jaye Chen
Institute of Computer Science and Engineering
National Chiao Tung University
ABSTRACT
In 1985, Miller proposed the use of elliptic curves in public-key cryptosystems, and so did Koblitz in 1987. The rational points of an elliptic curve form an additive group. The discrete logarithm problem of this group is called the elliptic curve discrete logarithm problem (ECDLP). There is no known method to solve ECDLP efficiently. The security of elliptic curve cryptosystems (ECC) is based on ECDLP. Therefore, the key of ECC can be shorter than that of RSA for the same security strength.
When using an elliptic curve cryptosystem, it is important to select a secure elliptic curve. There are three methods to select secure elliptic curves. The recommended method is counting the number of rational points of randomly generated elliptic curves, so that we can determine whether a randomly generated elliptic curve is suitable from the security point of view. Hence, solving the point counting problem plays a crucial role in the design of elliptic curve cryptosystems. The Schoof-Elkies-Atkin (SEA) algorithm is an important method to solve the point counting problem. In this thesis, we propose strategies for Atkin primes, Elkies primes, and Baby-step-giant-step. They improve the original SEA algorithm a lot for elliptic curves defined over large prime fields.
Contents
Chinese Abstract i
Abstract ii
Acknowledgement iii
Table of Contents iv
List of Tables vi
List of Figures vii
1 Introduction 1
2 Mathematical Backgrounds 5
2.1 Abstract Algebra . . . 5
2.1.1 Group Theory . . . 5
2.1.2 Homomorphisms and Factor Groups . . . 7
2.1.3 Rings and Integral Domains . . . 8
2.1.4 Algebraic Closure and Finite Fields . . . 10
2.1.5 Separable Extension and Galois Theory . . . 11
2.2 Elliptic Curves . . . 15
2.2.1 Algebraic Varieties . . . 15
2.2.2 General Elliptic Curves . . . 16
2.2.4 Isogenies . . . 20
2.2.5 Elliptic Curves over $\mathbb{C}$ . . . 22
2.3 p-adic Arithmetic . . . 24
2.3.1 p-adic Numbers . . . 24
2.3.2 Hensel's Lemma . . . 24
3 Schoof-Elkies-Atkin Algorithm 26
3.1 Before Schoof . . . 26
3.2 Schoof's Idea . . . 28
3.3 Atkin's Idea and Elkies' Idea . . . 31
3.3.1 Modular Polynomial . . . 31
3.3.2 Elkies' Improvement . . . 33
3.3.3 Atkin's Method . . . 37
3.3.4 Baby-step-giant-step (BSGS) Strategy . . . 39
3.3.5 Complexity Analysis . . . 41
4 Previous Improvements for SEA Algorithm 43
4.1 Isogeny Cycles . . . 43
4.2 Re-ordering Atkin Primes . . . 47
4.3 Virtual (Atkin/Isogeny cycles) Method . . . 47
4.4 Chinese and Match Method . . . 47
5 Our Three Heuristics for SEA Algorithm 49
5.1 Atkin Selection Heuristic . . . 49
5.2 Elkies Isogeny Heuristic . . . 53
5.3 Polynomial-Time BSGS Heuristic . . . 57
5.4 Numerical Results . . . 59
List of Tables
1.1 NIST Recommended Key Sizes (bits) . . . 2
5.1 Evaluation methods of Atkin primes . . . 52
5.2 Average computing time of original SEA algorithm . . . 59
5.3 Average computing time when applying Atkin selection heuristic . . . 59
5.4 Average computing time when applying Elkies isogeny heuristic . . . 60
5.5 Average computing time when applying polynomial-time BSGS heuristic . . . 60
List of Figures
2.1 $E : y^2 = x^3 - x$ . . . 17
2.2 Group Law (chord process) . . . 18
2.3 Group Law (tangent process) . . . 18
2.4 Lattice $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ . . . 23
Chapter 1
Introduction
The use of elliptic curves in public-key cryptography was first proposed in the works of Koblitz[13] and Miller[17]. The rational points of an elliptic curve defined over a finite field form an abelian group. The security strength is based on the discrete logarithm problem (DLP) of this group, which is called the elliptic curve DLP (ECDLP). Public-key cryptosystems are based on hard mathematical problems: integer factorization and the DLP over finite fields are hard mathematical problems, and so is ECDLP. The former two problems can be solved in sub-exponential time via the index calculus method and the number field sieve. However, no sub-exponential algorithm for solving ECDLP is known so far.
Generally, in order to break an elliptic curve cryptosystem, ECDLP needs to be solved. Because ECDLP is much harder than the other hard problems, elliptic curve cryptography (ECC) can reach the same security strength as RSA with a key of shorter length. Table 1.1 is the key size comparison[26].
Some protocols based on ECC take advantage of the shorter key size. In the use of ECC in public-key cryptosystems, there are ECDSA[11], ECIES[2], and ECMQV[14], corresponding to digital signature, encryption, and key-exchange protocols. The idea of identity-based encryption was proposed by Shamir in 1984. Boneh and Franklin proposed a practical scheme using the Weil pairing, a bilinear pairing on elliptic curves; this is also called pairing-based cryptography.

Table 1.1: NIST Recommended Key Sizes (bits)
Symmetric Key  |   80 |  112 |  128 |  192 |   256
RSA and DH     | 1024 | 2048 | 3072 | 7680 | 15360
Elliptic Curve |  160 |  224 |  256 |  384 |   521
There is no efficient algorithm for solving ECDLP in general. Nevertheless, some properties make particular elliptic curves weak. Let E be an elliptic curve defined over a finite field $\mathbb{F}_q$ and $\#E(\mathbb{F}_q) = n$. Curves with $n = q$ are called anomalous curves, and $E(\mathbb{F}_q) \cong \langle \mathbb{F}_q, + \rangle$. The explicit isomorphism from $E(\mathbb{F}_q)$ to $\langle \mathbb{F}_q, + \rangle$ can be computed, so ECDLP can be transformed into a division over the finite field $\mathbb{F}_q$. Additionally, the bilinear pairings, the Weil pairing and the Tate pairing, corresponding to the MOV attack[16] and the FR attack[7], are used for solving ECDLP. Let r be a big prime factor of $\#E(\mathbb{F}_q)$. ECDLP can be transformed to the DLP over the extension field $\mathbb{F}_{q^k}$ of $\mathbb{F}_q$, where k is the smallest positive integer, called the embedding degree of E, such that $r \mid q^k - 1$. Besides, if $\mathbb{F}_q$ is an extension field of a base field, the curve can be transformed to an abelian variety by the Weil descent method. Then, index calculus can be applied to the DLP on the abelian variety[8]. It is feasible if $\mathbb{F}_q = \mathbb{F}_{\tilde{q}^s}$ for a small s.
The methods mentioned above are named "isomorphism attacks." An elliptic curve which is suitable for cryptography needs to resist isomorphism attacks. Explicitly, a curve which is good for cryptography has to satisfy the following properties:
(1) n has a large prime factor r, or $n = r$ is prime.
(3) $n \nmid q^i - 1$ for $1 \le i \le 20$.
(4) $q = p^k$, where p is a prime, and k is either 1 or a prime.
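The checks in the list above can be run mechanically on a candidate curve order. The following Python code is an added example, not code from the thesis: it implements properties (1), (3) and (4), together with the anomalous-curve test $n \ne q$ from the discussion of isomorphism attacks, using trial-division factoring so that it runs stand-alone on toy sizes. The function names, the `min_bits` threshold that defines a "large" prime factor, and the test values (q = 11, n = 13, constructed for this illustration) are assumptions of this example.

```python
# Added example (not from the thesis): the curve-order checks of properties (1), (3)
# and (4) above, plus the anomalous-curve check n != q from the discussion of
# isomorphism attacks. Trial-division factoring keeps it self-contained; the
# `min_bits` threshold for "large prime factor" is an assumption of this example.


def is_prime(n):
    """Trial-division primality test, adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def largest_prime_factor(n):
    """Largest prime factor of n >= 2 by trial division (toy sizes only)."""
    largest, i = 1, 2
    while i * i <= n:
        while n % i == 0:
            largest, n = i, n // i
        i += 1
    return max(largest, n) if n > 1 else largest


def prime_power(q):
    """Return (p, k) with q = p^k and p prime, or None if q is not a prime power."""
    p = largest_prime_factor(q)
    k = 0
    while q % p == 0:
        q //= p
        k += 1
    return (p, k) if q == 1 else None


def embedding_degree(q, r, max_k=20):
    """Smallest k <= max_k with r | q^k - 1 (the MOV/FR embedding degree), else None."""
    acc = 1
    for k in range(1, max_k + 1):
        acc = acc * q % r
        if acc == 1:
            return k
    return None


def curve_order_checks(q, n, min_bits=160):
    """Evaluate the listed properties for a curve over F_q with #E(F_q) = n."""
    r = largest_prime_factor(n)
    pk = prime_power(q)
    return {
        "large_prime_factor": r.bit_length() >= min_bits,            # (1)
        "not_anomalous": n != q,                                     # n = q: anomalous curve
        "no_small_embedding_degree": embedding_degree(q, n) is None, # (3): n does not divide q^i - 1, i <= 20
        "field_is_prime_or_prime_degree":                            # (4): q = p^k, k = 1 or k prime
            pk is not None and (pk[1] == 1 or is_prime(pk[1])),
    }
```

For q = 11 and n = 13 the embedding degree is 12, so the check for property (3) fails: the pairing-based reductions described above would apply to such a curve. `largest_prime_factor` is plain trial division and is only meant for the toy sizes used here; at cryptographic sizes one would substitute a proper factoring routine.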
There are three techniques to generate secure curves. One is subfield curves[25], also called curves of Koblitz type; the coefficients of such curves lie in a small subfield of $\mathbb{F}_q$. Another technique is complex multiplication[1]. These curves also have some special features. Although there are no known attacks directed toward these curves, their security is in doubt. Nowadays, point counting on random curves, the third technique, is most recommended because these curves have no special structure. In this method, we choose a finite field first, and generate the coefficients of the elliptic curve randomly. Schoof gave the first polynomial-time algorithm, of time complexity $O(\log^8 q)$, to count the number of rational points over $\mathbb{F}_q$[20]. This algorithm profits from the improvements of Elkies and Atkin, and is therefore called the Schoof-Elkies-Atkin (SEA) algorithm[21]. The SEA algorithm improves Schoof's original algorithm so that the complexity is $O(\log^6 q)$ instead.
In this thesis, we propose three heuristics for the SEA algorithm. One is for the selection of Atkin primes. Another is to determine the power of the isogeny cycle method for Elkies primes. The other is to bound the time used in the baby-step-giant-step of the SEA algorithm. These three heuristics help us speed up the SEA algorithm. The following shows how the rest of the thesis is organized.
In Chapter 2, we describe the relevant mathematical background for this thesis, including the theories and properties of abstract algebra, the definitions of groups, rings, and fields, and the properties of the group structure. Some definitions from algebra used later are also listed. General elliptic curves and elliptic curves over prime fields of characteristic > 3 are introduced. We also introduce some theory developed for elliptic curves over $\mathbb{C}$, because it is closely linked with Elkies' improvements. The last topic is p-adic numbers: in the implementation of the SEA algorithm, Hensel's Lemma for p-adic fields is used.
In Chapter 3, we introduce the point counting problem for elliptic curves over finite fields. Schoof's idea for point counting, and the improvements from Atkin's and Elkies' works, are also described there. After the SEA algorithm is described, we give a rough complexity analysis of the algorithm. The previous improvements are listed in Chapter 4, including isogeny cycles[5], the index of Atkin primes[9], the virtual method[9], and the "Chinese and Match" method[12].
In Chapter 5, we propose our two heuristics for the SEA algorithm and describe the reasoning behind them. Next, the implementation details and the numerical results are shown. The conclusion is given in Section 6.
Chapter 2
Mathematical Backgrounds
The theory of the SEA algorithm is developed from algebra and algebraic curves. Here, we introduce algebra first, and then elliptic curves as algebraic curves. After that, p-adic numbers are also mentioned.
2.1
Abstract Algebra
The rational points of an elliptic curve form a group. Many properties of elliptic curves come from abstract algebra, so we introduce these theories first.
2.1.1
Group Theory
A binary operation $*$ on a set S is a function mapping $S \times S$ into S. In other words, S is closed under the operation, and $\langle S, * \rangle$ is called a binary structure. An element $e \in S$ is an identity element for $*$ if $e * s = s * e = s$ for all $s \in S$. For some $a \in S$, the inverse element of a is $a^{-1} \in S$ such that $a^{-1} * a = a * a^{-1} = e$.
Definition 2.1 (Group). A group $\langle G, * \rangle$ is a binary structure such that the following axioms are satisfied:
1. (Associativity) For all $a, b, c \in G$, we have $(a * b) * c = a * (b * c)$.
2. (Identity) G contains the identity element for $*$.
3. (Inverse) For all $a \in G$, there exists the inverse element $a^{-1}$ of a in G.
If the cardinality of a group G is finite, then G is a finite group. The number of elements in G is called the group order. A group $\langle G, * \rangle$ is abelian if $*$ is commutative.
If $H \subseteq G$ and $\langle H, * \rangle$ is a group, then H is a subgroup of G. It is denoted by $H \le G$ or $G \ge H$, and $H < G$ or $G > H$ means $H \le G$ but $H \ne G$.
Theorem 2.2. Let $\langle G, * \rangle$ be a group and $a \in G$. Denote $a * a$ by $a^2$, and so on. Then
$$H = \{ a^n \mid n \in \mathbb{Z} \}$$
is a subgroup of G and is the smallest subgroup of G that contains a. H is called the cyclic subgroup of G generated by a, and is denoted by $\langle a \rangle$.
If there is some element a in a group G such that $\langle a \rangle = G$, then G is cyclic, and a is called a generator of G. Moreover, every cyclic group is abelian.
Definition 2.3 (Finitely generated group). Let G be a group and let $a_i \in G$ for $i \in I$. The smallest subgroup of G containing $\{a_i \mid i \in I\}$ is the subgroup generated by $\{a_i \mid i \in I\}$. If this subgroup is all of G, then $\{a_i \mid i \in I\}$ generates G and the $a_i$ are generators of G. If there is a finite set $\{a_i \mid i \in I\}$ that generates G, then G is finitely generated.
Note that every group of finite order is finitely generated.
Theorem 2.4 (Theorem of Lagrange). Let H be a subgroup of a finite group G. Then the order
2.1.2
Homomorphisms and Factor Groups
A map $\varphi$ of a group $\langle G, * \rangle$ into a group $\langle G', *' \rangle$ is a homomorphism if
$$\varphi(a * b) = \varphi(a) *' \varphi(b) \quad \text{for all } a, b \in G.$$
Definition 2.5 (Image and inverse image). Let $\varphi : X \to Y$, and let $A \subseteq X$ and $B \subseteq Y$. The image $\varphi[A]$ of A in Y under $\varphi$ is $\{\varphi(a) \mid a \in A\}$. The set $\varphi[X]$ is the range of $\varphi$. The inverse image $\varphi^{-1}[B]$ of B in X is $\{x \in X \mid \varphi(x) \in B\}$.
Theorem 2.6. Let $\varphi$ be a homomorphism of a group G into a group G'.
(1) If e is the identity element of G, then $\varphi(e) = e'$ is the identity element in G'.
(2) If $a \in G$, then $\varphi(a^{-1}) = \varphi(a)^{-1}$.
(3) If $H \le G$, then $\varphi[H] \le G'$.
(4) If $K' \le G'$, then $\varphi^{-1}[K'] \le G$.
Corollary 2.7. Let $\varphi : G \to G'$ be a homomorphism of groups and let $e'$ be the identity of G'. Then $\varphi^{-1}[\{e'\}]$ is a subgroup of G, called the kernel of $\varphi$, and is denoted by $\mathrm{Ker}(\varphi)$. Moreover, $\varphi$ is one-to-one if and only if $\mathrm{Ker}(\varphi) = \{e\}$.
A homomorphism of A into itself is an endomorphism of A.
Definition 2.8 (Isomorphism). Let $\varphi : G \to G'$ be a homomorphism that is one-to-one and onto. Then $\varphi$ is an isomorphism, and G is isomorphic to G', denoted by $G \cong G'$. G and G' have the same group structure.
An isomorphism of A onto itself is an automorphism of A.
Theorem 2.9 (Fundamental Theorem of Finitely Generated Abelian Groups). Every finitely generated abelian group G is isomorphic to a direct product of cyclic groups in the form
$$\mathbb{Z}_{p_1^{r_1}} \times \mathbb{Z}_{p_2^{r_2}} \times \cdots \times \mathbb{Z}_{p_n^{r_n}},$$
where the $p_i$ are primes, not necessarily distinct, and the $r_i$ are positive integers.
Let $H \le G$. The subset $aH = \{ah \mid h \in H\}$ of G is the left coset of H containing a, while the subset $Ha = \{ha \mid h \in H\}$ is the right coset of H containing a. A subgroup H of a group G is normal if
$$gH = Hg \quad \text{for all } g \in G.$$
Note that all subgroups of abelian groups are normal.
Theorem 2.10. Let H be a subgroup of a group G. Then left coset multiplication is well defined by the equation
$$(aH)(bH) = (ab)H$$
if and only if H is a normal subgroup of G.
Let H be a normal subgroup of G. Then the cosets of H form a group $G/H$ under the binary operation $(aH)(bH) = (ab)H$. The group $G/H$ is the factor group (or quotient group) of G by H.
2.1.3
Rings and Integral Domains
Definition 2.11 (Ring). A ring $\langle R, +, \cdot \rangle$ is a set with two binary operations, which we call addition and multiplication, defined on R such that the following axioms are satisfied:
(1) $\langle R, + \rangle$ is an abelian group.
(2) Multiplication is associative.
(3) For all $a, b, c \in R$, $a(b + c) = ab + ac$ and $(a + b)c = ac + bc$.
For rings R and R', a map $\varphi : R \to R'$ is a homomorphism if
(1) $\varphi(a + b) = \varphi(a) + \varphi(b)$.
(2) $\varphi(ab) = \varphi(a)\varphi(b)$.
An isomorphism $\varphi : R \to R'$ is a homomorphism that is one-to-one and onto. The rings R and R' are then isomorphic. A ring in which the multiplication is commutative is a commutative ring. The multiplicative identity element of a ring is called "unity." A ring which contains the unity is called a ring with unity, and an element u of a ring with unity is a unit if it has a multiplicative inverse. A division ring is a ring with unity in which every nonzero element is a unit.
Definition 2.12 (Field). A field is a commutative division ring. Hence, a field $\langle F, +, \cdot \rangle$ satisfies
(1) $\langle F, + \rangle$ is an abelian group.
(2) Let $F^* = F \setminus \{0\}$. Then $\langle F^*, \cdot \rangle$ is an abelian group.
(3) The distributive law.
Let R be a ring. The set $R[x]$ of all polynomials in an indeterminate x with coefficients in R is a ring under polynomial addition and multiplication.
Definition 2.13 (Ideal). An additive subgroup N of a ring R satisfying the properties
$$aN \subseteq N \quad \text{and} \quad Nb \subseteq N \quad \text{for all } a, b \in R$$
is an ideal.
Let N be an ideal of a ring R. Then the additive cosets of N form a ring $R/N$ with the binary operations defined by
$$(a + N) + (b + N) = (a + b) + N$$
and
The ring $R/N$ is the factor ring (or quotient ring) of R by N.
Definition 2.14 (Maximal ideal). A maximal ideal of a ring R is an ideal M different from R such that there is no proper ideal N of R with $M \subset N \subset R$.
Definition 2.15 (Prime ideal). An ideal $N \ne R$ in a commutative ring R is a prime ideal if $ab \in N$ implies that either $a \in N$ or $b \in N$ for $a, b \in R$.
If a and b are two nonzero elements of a ring R such that $ab = 0$, then a and b are zero divisors. An integral domain is a commutative ring with unity that contains no zero divisors.
Theorem 2.16. Every finite integral domain is a field.
Theorem 2.17. For a commutative ring R with unity:
(1) An ideal M of R is maximal if and only if $R/M$ is a field.
(2) An ideal N of R is prime if and only if $R/N$ is an integral domain.
(3) Every maximal ideal of R is a prime ideal.
Corollary 2.18. If p is a prime, then $\mathbb{Z}_p$ is a field.
The characteristic of the ring R is the smallest positive integer n such that $n \cdot a = 0$ for all $a \in R$. If no such positive integer exists, then R is of characteristic 0.
Theorem 2.19. Any integral domain D can be enlarged to a field F such that every element of F can be expressed as a quotient of two elements of D.
2.1.4
Algebraic Closure and Finite Fields
If a subset F' of a field F is a field, then F' is a subfield of F. A field E is an extension field of
Definition 2.20 (Degree). If an extension field E of a field F is of finite dimension n as a vector space over F, then E is a finite extension of degree n over F. It is denoted by $[E : F] = n$.
Theorem 2.21 (Kronecker's Theorem). Let F be a field and let $f(x)$ be a non-constant polynomial in $F[x]$. Then there exists an extension field E of F and an $\alpha \in E$ such that $f(\alpha) = 0$.
A field F is algebraically closed if every non-constant polynomial in $F[x]$ has a root in F. An algebraic extension $\bar F$ of F is the algebraic closure of F if $\bar F$ is algebraically closed.
Theorem 2.22. Every field has an algebraic closure.
A field of finite order is called a finite field.
Theorem 2.23. Let p be a prime. If E is a finite field of characteristic p, then E contains exactly $p^n$ elements for some positive integer n.
Theorem 2.24. Let E be a field of $p^n$ elements contained in an algebraic closure $\bar{\mathbb{Z}}_p$ of $\mathbb{Z}_p$. The elements of E are precisely the zeros in $\bar{\mathbb{Z}}_p$ of the polynomial $x^{p^n} - x$ in $\mathbb{Z}_p[x]$.
Theorem 2.25. The multiplicative group $\langle F^*, \cdot \rangle$ of nonzero elements of a finite field F is cyclic.
A finite field $GF(p^n)$ of $p^n$ elements exists for every prime power $p^n$.
Theorem 2.26. Let p be a prime and let $n \in \mathbb{Z}^+$. If E and E' are fields of order $p^n$, then $E \cong E'$.
2.1.5
Separable Extension and Galois Theory
Definition 2.27 (Conjugate). Let E be an algebraic extension of a field F. Two elements α,
irreducible polynomial over F. Note that $\mathrm{irr}(\alpha, F)$ is the irreducible polynomial of α over F.
Theorem 2.28 (Conjugation isomorphisms). Let F be a field, and let α and β be algebraic over F with $\deg(\alpha, F) = n$. The map $\psi_{\alpha,\beta} : F(\alpha) \to F(\beta)$ defined by
$$\psi_{\alpha,\beta}(c_0 + c_1\alpha + \cdots + c_{n-1}\alpha^{n-1}) = c_0 + c_1\beta + \cdots + c_{n-1}\beta^{n-1}$$
for $c_i \in F$ is an isomorphism of $F(\alpha)$ onto $F(\beta)$ if and only if α and β are conjugate over F.
Let $\{\sigma_i \mid i \in I\}$ be a collection of automorphisms of a field E. Then the set $E_{\{\sigma_i\}}$ of all $a \in E$ left fixed by every $\sigma_i$ for $i \in I$ forms a subfield of E. $E_{\{\sigma_i\}}$ is the fixed field of $\{\sigma_i \mid i \in I\}$. The set of all automorphisms of a field E is a group under function composition. The set $G(E/F)$ is the collection of automorphisms of E leaving F fixed. The group $\mathrm{Aut}(E)$ is the group of all automorphisms of E.
Theorem 2.29. Let E be a field, and let F be a subfield of E. Then the set $G(E/F)$ forms a subgroup of $\mathrm{Aut}(E)$. Furthermore, $F \le E_{G(E/F)}$.
Definition 2.30 (Frobenius automorphism). Let F be a finite field of characteristic p. Then the map $\sigma_p : F \to F$ defined by
$$\sigma_p(a) = a^p \quad \text{for } a \in F$$
is the Frobenius automorphism of F. Also, $F_{\{\sigma_p\}} \cong \mathbb{Z}_p$.
Theorem 2.31. Let $\bar F$ and $\bar F'$ be two algebraic closures of F. Then $\bar F$ is isomorphic to $\bar F'$ under an isomorphism leaving each element of F fixed.
Definition 2.32 (Index of E over F). Let E be a finite extension of a field F. The number of
Let F be a field with algebraic closure $\bar F$. Let $\{f_i(x) \mid i \in I\}$ be a collection of polynomials in $F[x]$. A field $E \le \bar F$ is the splitting field of $\{f_i(x) \mid i \in I\}$ over F if E is the smallest subfield of $\bar F$ containing F and all the zeros in $\bar F$ of each of the $f_i(x)$ for $i \in I$. A field $K \le \bar F$ is a splitting field over F if it is the splitting field of some set of polynomials in $F[x]$.
Theorem 2.33. A field E, where $F \le E \le \bar F$, is a splitting field over F if and only if every automorphism of $\bar F$ leaving F fixed maps E onto itself and thus induces an automorphism of E leaving F fixed.
A polynomial $f(x) \in F[x]$ splits in E if it factors into a product of linear factors in $E[x]$.
Theorem 2.34. If $E \le \bar F$ is a splitting field of finite degree over F, then
$$\{E : F\} = |G(E/F)|.$$
Let $f(x) \in F[x]$. An element α of $\bar F$ such that $f(\alpha) = 0$ is a zero of $f(x)$ of multiplicity ν if ν is the greatest integer such that $(x - \alpha)^\nu$ is a factor of $f(x)$ in $\bar F[x]$.
Theorem 2.35. Let $f(x)$ be irreducible in $F[x]$. Then all zeros of $f(x)$ in $\bar F$ have the same multiplicity.
Theorem 2.36. If E is a finite extension of F, then $\{E : F\}$ divides $[E : F]$.
Definition 2.37 (Separable). A finite extension E of F is a separable extension of F if $\{E : F\} = [E : F]$. An element α of $\bar F$ is separable over F if $F(\alpha)$ is a separable extension of F. An irreducible polynomial $f(x) \in F[x]$ is separable over F if every zero of $f(x)$ in $\bar F$ is separable over F.
A field is perfect if every finite extension is a separable extension. Every field of characteristic zero is perfect. Every finite field is perfect.
Definition 2.38 (Totally inseparable). A finite extension E of a field F is a totally (purely) inseparable extension of F if $\{E : F\} = 1 < [E : F]$. An element α of $\bar F$ is totally inseparable over F if $F(\alpha)$ is totally inseparable over F.
Theorem 2.39. Let F have characteristic $p \ne 0$, and let E be a finite extension of F. Then $\alpha \in E$, $\alpha \notin F$, is totally inseparable over F if and only if there is some integer $t \ge 1$ such that $\alpha^{p^t} \in F$.
Theorem 2.40 (Separable closure). Let F have characteristic $p \ne 0$, and let E be a finite extension of F. There is a unique extension K of F, with $F \le K \le E$, such that K is separable over F, and either $E = K$ or E is totally inseparable over K. The unique field K is the separable closure of F in E.
A finite extension K of F is a finite normal extension of F if K is a separable splitting field over F.
Theorem 2.41. If K is a finite normal extension of F, then
$$|G(K/F)| = \{K : F\} = [K : F].$$
Theorem 2.42. Let K be a finite normal extension of F, and let E be an extension of F, where $F \le E \le K \le \bar F$. Then K is a finite normal extension of E, and $G(K/E)$ is precisely the subgroup of $G(K/F)$ consisting of all those automorphisms that leave E fixed.
Definition 2.43 (Galois group). If K is a finite normal extension of a field F, then $G(K/F)$ is the Galois group of K over F.
Theorem 2.44 (Galois Theory). Let K be a finite normal extension of a field F, with Galois
leaving E fixed. Then λ is a one-to-one map of the set of all such intermediate fields E onto the set of all subgroups of $G(K/F)$. The following properties hold for λ:
(1) $\lambda(E) = G(K/E)$.
(2) $E = K_{G(K/E)} = K_{\lambda(E)}$.
(3) For $H \le G(K/F)$, $\lambda(K_H) = H$.
(4) $[K : E] = |\lambda(E)|$ and $[E : F] = (G(K/F) : \lambda(E))$, the number of left cosets of $\lambda(E)$ in $G(K/F)$.
(5) E is a normal extension of F if and only if $\lambda(E)$ is a normal subgroup of $G(K/F)$. Furthermore,
$$G(E/F) \cong G(K/F)/G(K/E).$$
2.2
Elliptic Curves
In this section, we introduce elliptic curves as algebraic curves in algebraic geometry. The important theories related to the SEA algorithm are well developed in algebraic geometry; we focus on the case of elliptic curves.
2.2.1
Algebraic Varieties
Let K be a perfect field. An algebraic set is any set of the form $V_I$. If V is an algebraic set, the ideal of V is given by
$$I(V) = \{ f \in K[X] \mid f(P) = 0 \ \forall P \in V \}.$$
If $I(V)$ is a prime ideal in $K[X]$, V is called a variety.
Definition 2.45 (Coordinate ring). The coordinate ring of a variety V is
$$K[V] = K[X]/I(V).$$
It is an integral domain, and its quotient field, denoted by $K(V)$, is called the function field of V.
2.2.2
General Elliptic Curves
Definition 2.46 (Weierstrass equation). The affine Weierstrass equation, given by
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$
where $a_i \in K$, is the general equation of elliptic curves.
Note that we also use
$$E(x, y) = y^2 + a_1 xy + a_3 y - x^3 - a_2 x^2 - a_4 x - a_6 = 0$$
to express elliptic curves.
Definition 2.47 (Elliptic curves). The elliptic curve over K is defined as the set of the solutions of E in $K^2$, together with the point at infinity ∞. This set is the so-called set of K-rational points, $E(K)$.
Figure 2.1 shows the elliptic curve $E : y^2 = x^3 - x$ over $\mathbb{R}$.
For the Weierstrass equation of elliptic curves, define the constants:
$$b_2 = a_1^2 + 4a_2,\quad b_4 = a_1 a_3 + 2a_4,\quad b_6 = a_3^2 + 4a_6,\quad b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2,$$
$$c_4 = b_2^2 - 24 b_4,\quad c_6 = -b_2^3 + 36 b_2 b_4 - 216 b_6.$$
Definition 2.48 (Discriminant). The discriminant of the curve is defined as
$$\Delta = -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6.$$
When the characteristic of K is not 2 or 3, the discriminant can also be expressed as
$$\Delta = \frac{c_4^3 - c_6^2}{1728}.$$
Figure 2.1: $E : y^2 = x^3 - x$
Definition 2.49 (j-invariant). When $\Delta \ne 0$, the j-invariant of the curve is defined by
$$j(E) = \frac{c_4^3}{\Delta}.$$
Theorem 2.50. Two elliptic curves that are isomorphic over K have the same j-invariant. Conversely, two elliptic curves with the same j-invariant are isomorphic over $\bar K$.
Definition 2.51 (Group law). Let P and Q be two distinct rational points on E. The straight line joining P and Q must intersect the curve at one further point, say R'. Then, we reflect R' in the x-axis to obtain another rational point R, and $R = P + Q$ (see Figure 2.2). To add P to itself, or to double P, we take the tangent to the curve at P instead of the line joining P and Q (see Figure 2.3). The group law is often called the chord-tangent process. We say that a vertical line also intersects the curve at ∞.
Definition 2.52 (multiplication-by-m map). For a positive integer m, we let $[m]$ denote the
(m summands). The notation $[m]$ is extended to $m \le 0$ by defining $[0]P = \infty$, and $[-m]P = -([m]P)$.
Figure 2.2: Group Law (chord process)
2.2.3
Elliptic Curves over Prime Fields of Characteristic > 3
Definition 2.53 (Short Weierstrass form). Assume $K = \mathbb{F}_q$, where $q = p > 3$. The curve equation can be simplified to the short Weierstrass form
$$E_{[a,b]} : y^2 = x^3 + ax + b.$$
The discriminant of the curve then reduces to $\Delta = -16(4a^3 + 27b^2)$, and its j-invariant to $j(E) = -1728\,(4a)^3/\Delta$.
Theorem 2.54. $E_{[a,b]} \cong E_{[a',b']}$ if and only if $a' = u^4 a$, $b' = u^6 b$ for some $u \in \mathbb{F}_q^*$.
For points $P = (x_1, y_1)$, $Q = (x_2, y_2) \in E(\mathbb{F}_q)$, the group law is given as follows. $-P = (x_1, -y_1)$. When $x_1 \ne x_2$, we set
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1},$$
and when $x_1 = x_2$, $y_1 \ne 0$, we set
$$\lambda = \frac{3x_1^2 + a}{2y_1}.$$
If $R = (x_3, y_3) = P + Q \ne \infty$, then $x_3$ and $y_3$ are given by
$$x_3 = \lambda^2 - x_1 - x_2,\quad y_3 = (x_1 - x_3)\lambda - y_1.$$
Theorem 2.55. The group structure of an elliptic curve E over a finite field $\mathbb{F}_q$ satisfies
$$E(\mathbb{F}_q) \cong \mathbb{Z}_{d_1} \oplus \mathbb{Z}_{d_2}.$$
Moreover, $E(\mathbb{F}_q)$ is a finite abelian group, so $d_1$ divides both $d_2$ and $q - 1$, including the case $d_1 = 1$.
Definition 2.56 (Twist curve). A twist of a curve given in short Weierstrass form $E_{[a,b]}$ is given by $E_{[a',b']}$, where $a' = v^2 a$, $b' = v^3 b$ for some quadratic non-residue $v \in \mathbb{F}_q$, and the j-invariants of these two curves are the same.
The twist is unique up to isomorphism over $\mathbb{F}_q$, and it is itself isomorphic to the original curve over $\bar{\mathbb{F}}_q$ (in fact, it is so over $\mathbb{F}_{q^2}$). The orders of the groups of rational points of the two curves satisfy the relation
$$\#E_{[a,b]}(\mathbb{F}_q) + \#E_{[a',b']}(\mathbb{F}_q) = 2q + 2.$$
Definition 2.57 (Trace of Frobenius). The number of rational points of an elliptic curve E over a finite field $\mathbb{F}_q$ is finite and is denoted by $\#E(\mathbb{F}_q)$. The quantity t defined by
$$t = q + 1 - \#E(\mathbb{F}_q)$$
is called the trace of Frobenius at q.
2.2.4
Isogenies
Definition 2.58 (Morphism). Let $E_1$ and $E_2$ be elliptic curves defined over a field K, with respective function fields $K(E_1)$ and $K(E_2)$. A morphism from $E_1$ to $E_2$ is a rational map which is regular (defined) at every point of $E_1$.
$E_1$ to the identity element on $E_2$ is called an isogeny,
$$\varphi : E_1 \to E_2.$$
The map which sends every point on $E_1$ to the identity element ∞ on $E_2$ is called the zero isogeny. It is the only constant isogeny. Every non-constant isogeny $\varphi$ is surjective over $\bar K$, that is, $\varphi(E_1) = E_2$. An isogeny is always a group homomorphism, and the kernel of a non-constant isogeny $\varphi$ is always a finite subgroup of $E_1(\bar K)$. A non-constant isogeny $\varphi$ induces an injection of function fields which fixes K,
$$\varphi^* : K(E_2) \to K(E_1)$$
defined by $\varphi^*(f) = f \circ \varphi$. We say that the isogeny is separable, inseparable or purely inseparable if the corresponding extension of function fields, $K(E_1)/\varphi^* K(E_2)$, is separable, inseparable or purely inseparable.
Definition 2.60 (Degree). The degree of an isogeny $\varphi$ is
$$\deg \varphi = [K(E_1) : \varphi^* K(E_2)].$$
Definition 2.61 (Frobenius map). The Frobenius map (endomorphism) on an elliptic curve $E(\mathbb{F}_q)$ is
$$\phi : E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q),\quad (x, y) \mapsto (x^q, y^q),\quad \infty \mapsto \infty.$$
The degree n of a separable isogeny $\varphi$ is equal to the size of the kernel of $\varphi$. The simplest example of a separable isogeny is the multiplication-by-m map. If K is a finite field, the simplest example of a purely inseparable isogeny is the Frobenius endomorphism $\phi$.
subgroup of E which is Galois stable over K, that is, $\phi(S) = S$. Then there exists an elliptic curve E', also defined over K, and a unique separable isogeny $\varphi : E \to E'$ with kernel equal to S. The notation $E/S$ is often used for the curve E'.
Theorem 2.63 (Dual isogeny). To every non-constant isogeny $\varphi$, there is a unique dual isogeny
$$\hat\varphi : E_2 \to E_1.$$
Theorem 2.64. Two isogenous elliptic curves over a finite field have the same number of rational points.
2.2.5
Elliptic Curves over $\mathbb{C}$
An elliptic curve over $\mathbb{C}$ defines a lattice in $\mathbb{C}$, and hence a torus. In Figure 2.4, the lattice will be denoted by $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$, where $\omega_1, \omega_2 \in \mathbb{C}$ are the periods of the associated, doubly periodic Weierstrass ℘-function
$$\wp(z) = \frac{1}{z^2} + \sum_{\omega \in \Lambda \setminus \{0\}} \left( \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right).$$
The periods $\omega_1$ and $\omega_2$ can be suitably chosen so that the quantity
$$\tau = \frac{\omega_1}{\omega_2}$$
lies in the upper half of the complex plane, $\mathbb{H} = \{ z \in \mathbb{C} \mid \mathrm{Im}(z) > 0 \}$. The map from $\mathbb{C}/\Lambda$ to points on the corresponding elliptic curve $E_{[a,b]}$ is given by
$$z + \Lambda \mapsto \begin{cases} (\wp(z), \wp'(z)/2), & z \notin \Lambda, \\ \infty, & z \in \Lambda. \end{cases}$$
The coefficients of the elliptic curve are obtained with the formula
$$g_2 = 60 \sum_{\omega \in \Lambda \setminus \{0\}} \frac{1}{\omega^4},\quad g_3 = 140 \sum_{\omega \in \Lambda \setminus \{0\}} \frac{1}{\omega^6},$$
and $a = -g_2/\sqrt[3]{4}$, $b = -g_3$.
Figure 2.4: Lattice $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$
An elliptic curve over $\mathbb{C}$ associated to τ is denoted by $E_\tau$. Let $q = e^{2\pi i \tau}$.
Definition 2.65 (Dedekind's η-function).
$$\eta(\tau) = q^{1/24} \left( 1 + \sum_{n=1}^{\infty} (-1)^n \left( q^{n(3n-1)/2} + q^{n(3n+1)/2} \right) \right),$$
and $\Delta(\tau) = \eta(\tau)^{24}$. The function $\Delta(\tau)$ is also related to $j(\tau)$ by the formula
$$h(\tau) = \frac{\Delta(2\tau)}{\Delta(\tau)},\quad j(\tau) = \frac{(256\,h(\tau) + 1)^3}{h(\tau)}.$$
Moreover, $j(\tau) = j(E_\tau)$ is periodic of period one. So the complex number $\tau \in \mathcal{F} = \{ \tau \in \mathbb{C} \mid \mathrm{Im}(\tau) > 0,\ -1/2 \le \mathrm{Re}(\tau) \le 1/2,\ |\tau| \ge 1 \}$ characterizes elliptic curves up to isomorphism.
The Fourier series of $j(\tau)$ is
$$j(\tau) = \frac{1}{q} + 744 + \sum_{n=1}^{\infty} c_n q^n,$$
2.3
p-adic Arithmetic
The p-adic number system was first described by Hensel in 1897. Different from real analysis or complex analysis, it provides p-adic analysis as an alternative. Here, we only introduce the basics of p-adic numbers.
2.3.1
p-adic Numbers
A p-adic number α can be uniquely written in the form
$$\alpha = \sum_{i=n}^{\infty} a_i p^i,$$
where each $a_i \in [0, p-1]$, and the p-adic norm of the number α is defined as $\|\alpha\| = p^{-n}$. Note that the series
$$1 + p + p^2 + p^3 + \cdots$$
converges to $\frac{1}{1-p}$ in the p-adic norm.
Taking $p = 5$, we obtain the 5-adic expansion of $\alpha = \frac{1}{3}$, which can be written in the form
$$\frac{1}{3} = .231313131\ldots = .2\overline{31} = 2 + \frac{5(3 + 1\cdot 5)}{1 - 5^2} = 2 - \frac{5}{3} = \frac{1}{3}.$$
2.3.2
Hensel’s Lemma
The first form of Hensel's Lemma is related to our work, so we state it here.
Lemma 2.66. Let $f(x)$ be a polynomial with integer coefficients, k an integer not less than two, and p a prime number. Suppose that r is a solution of the congruence
$$f(r) \equiv 0 \pmod{p^{k-1}}.$$
If $f'(r) \not\equiv 0 \pmod p$, then there is a unique integer t, $0 \le t \le p - 1$, such that $f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$, with t defined by
$$t f'(r) \equiv -\frac{f(r)}{p^{k-1}} \pmod p.$$
If, on the other hand, $f'(r) \equiv 0 \pmod p$, and in addition $f(r) \equiv 0 \pmod{p^k}$, then $f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$ for all integers t. Also, if $f'(r) \equiv 0 \pmod p$ and $f(r) \not\equiv 0 \pmod{p^k}$, then $f(x) \equiv 0 \pmod{p^k}$ has no solution for any $x \equiv r \pmod{p^{k-1}}$.
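As an added example (not code from the thesis), the following Python implements the p-adic expansion of a rational number from Section 2.3.1 and the three cases of Lemma 2.66 for an integer polynomial given as a coefficient list. The function names and the sample inputs (1/3 over the 5-adics; $x^2 - 2$, $x^2 - 49$ and $x^2 - 7$ over the 7-adics) are constructed for this illustration.

```python
# Added example (not from the thesis): p-adic digits of a rational number as in
# Section 2.3.1, and the three cases of Hensel's Lemma (Lemma 2.66) applied to an
# integer polynomial. Polynomials are integer coefficient lists, lowest degree first.


def p_adic_digits(num, den, p, count):
    """First `count` digits a_0, a_1, ... of num/den as a p-adic number; p must not divide den."""
    if den % p == 0:
        raise ValueError("denominator must be a p-adic unit")
    digits = []
    for _ in range(count):
        a = num * pow(den, -1, p) % p      # a_i = (num/den) mod p
        digits.append(a)
        num = (num - a * den) // p         # exact division: num - a*den is divisible by p
    return digits


def poly_eval(coeffs, x):
    """f(x) for f given by its coefficient list."""
    return sum(c * x ** i for i, c in enumerate(coeffs))


def poly_derivative(coeffs):
    """Coefficient list of f'(x)."""
    return [i * c for i, c in enumerate(coeffs)][1:]


def hensel_step(coeffs, r, p, k):
    """Lift a root r of f mod p^(k-1) to every root r + t p^(k-1) of f mod p^k (k >= 2).
    Returns [] in the 'no solution' case of the lemma."""
    assert k >= 2 and poly_eval(coeffs, r) % p ** (k - 1) == 0
    fr = poly_eval(coeffs, r)
    dfr = poly_eval(poly_derivative(coeffs), r)
    if dfr % p != 0:
        # Case 1: f'(r) not divisible by p, unique t with t f'(r) = -f(r)/p^(k-1) (mod p)
        t = (-(fr // p ** (k - 1))) * pow(dfr, -1, p) % p
        return [r + t * p ** (k - 1)]
    if fr % p ** k == 0:
        # Case 2: f'(r) = 0 (mod p) and f(r) = 0 (mod p^k): every t works
        return [r + t * p ** (k - 1) for t in range(p)]
    return []                                  # Case 3: f'(r) = 0 (mod p) but f(r) != 0 (mod p^k)


def hensel_lift(coeffs, r, p, k):
    """All roots of f mod p^k that reduce to the root r mod p, obtained by iterating hensel_step."""
    roots = [r % p]
    for j in range(2, k + 1):
        roots = [s for root in roots for s in hensel_step(coeffs, root, p, j)]
    return sorted(roots)
```

Starting from the root 3 of $x^2 - 2$ modulo 7, two lifting steps give 108 modulo $7^3$, the beginning of the 7-adic square root of 2; $x^2 - 49$ at $r = 0$ shows the second case, where all seven lifts modulo 49 are roots, and $x^2 - 7$ at $r = 0$ shows the third case, where no lift exists.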
Chapter 3
Schoof-Elkies-Atkin Algorithm
It is crucial for ECC to pick an appropriate elliptic curve, and the point counting problem is solved in order to decide whether a curve is suitable for ECC. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$, and write the number of rational points as $\#E(\mathbb{F}_q) = q + 1 - t$. Hasse proved an important property of the number of rational points of an elliptic curve in 1933.
Theorem 3.1 (Hasse's Theorem). The integer $t$ satisfies
\[
|t| \le 2\sqrt{q}, \qquad\text{in other words,}\qquad q + 1 - 2\sqrt{q} \le \#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}.
\]
3.1 Before Schoof
A naive way to solve the point counting problem is to check, for every element $x$ of the finite field, whether $E(x, y) = 0$ has roots $y$.
Example 3.2. Let $E$ be an elliptic curve over a prime field $\mathbb{F}_p$,
\[
E : y^2 = x^3 + ax + b .
\]
The number of rational points is
\[
\#E(\mathbb{F}_p) = p + 1 + \sum_{x=0}^{p-1} \left(\frac{x^3 + ax + b}{p}\right),
\]
where $\left(\frac{\cdot}{p}\right)$ is the Legendre symbol.
There is a faster algorithm, of time $O(q^{1/4+\epsilon})$, which makes use of the baby-step giant-step (BSGS) idea of Shanks and Mestre. First, it generates a random point $P$ on the curve and computes $Q = [q + 1 + \lfloor 2\sqrt{q}\rfloor]P$. Since $[q + 1 - t]P = \infty$, we have $Q = [t + \lfloor 2\sqrt{q}\rfloor]P$. In addition, $-2\sqrt{q} \le t \le 2\sqrt{q}$, so $t + \lfloor 2\sqrt{q}\rfloor \in [0, 4\sqrt{q}]$. The problem is therefore reduced to searching for $k \in [0, 4\sqrt{q}]$ with $Q = [k]P$. Let $m = \lceil \sqrt{4\sqrt{q}}\,\rceil = \lceil 2q^{1/4}\rceil$. Then $k$ can be written as $k = a + bm$ with $0 \le a, b < m$. Compute each $[i]P$ for $i = 0, 1, \ldots, m-1$ in the baby step. For $j = 0, 1, \ldots, m-1$, compute the giant step $Q - [j]([m]P)$ and find $(\tilde{i}, \tilde{j})$ such that $[\tilde{i}]P = Q - [\tilde{j}]([m]P)$. Therefore $t = k - \lfloor 2\sqrt{q}\rfloor = \tilde{i} + \tilde{j}m - \lfloor 2\sqrt{q}\rfloor$ is obtained. (The match $k$ is unique, and hence $t$ correct, only when the order of $P$ exceeds $4\sqrt{q}$; if several $k$ match, another point has to be tried.) The time complexity is $O(q^{1/4+\epsilon})$, and the method is outlined in Algorithm 1.
Algorithm 1: BSGS Algorithm for Point Counting
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_q$
OUTPUT: $\#E(\mathbb{F}_q)$
1. Find a random point $P \in E(\mathbb{F}_q)$
2. Compute $Q = [q + 1 + \lfloor 2\sqrt{q}\rfloor]P$
3. Calculate $m = \lceil 2q^{1/4}\rceil$ and $R = [m]P$
4. For $i = 0, 1, \ldots, m-1$ (Baby step)
5.   Compute $[i]P$ and store $(i, [i]P)$
6. Sort the $(i, [i]P)$ pairs by the $x$-coordinate of $[i]P$
7. For $j = 0, 1, \ldots, m-1$ (Giant step)
8.   Compute $S = Q - [j]R$
9.   If there exists $[i]P = S$
10.    $t = i + jm - \lfloor 2\sqrt{q}\rfloor$
11.    Return $q + 1 - t$
3.2 Schoof's Idea
The BSGS algorithm for point counting introduced in the previous section is infeasible for finding secure curves when $q$ is large. The point counting problem is solved once the trace of Frobenius $t$ is found. In Schoof's point of view, $t$ can be recovered from residues $t_\ell \equiv t \pmod \ell$ by the Chinese Remainder Theorem (CRT). Because $t$ is bounded in $[-2\sqrt{q}, 2\sqrt{q}]$, we have obtained enough $t_\ell$ to determine $t$ exactly once
\[
\prod \ell > 4\sqrt{q} .
\]
From the Prime Number Theorem, the number of primes needed is $O(\log q / \log\log q)$, and the largest prime needed is $O(\log q)$.
To find each $t_\ell$, we use a zero map on $E(\overline{\mathbb{F}}_q)$ that is related to $t$; the points of order $\ell$ then help to obtain $t_\ell$. Here we describe the material which is helpful to find each $t_\ell$. The map $\phi^2 - [t]\phi + [q]$ is a zero map, that is, for all $P \in E(\overline{\mathbb{F}}_q)$,
\[
\phi^2(P) - [t]\phi(P) + [q]P = \infty .
\]
The characteristic polynomial of the Frobenius map is
\[
F(x) = x^2 - tx + q . \tag{3.1}
\]
However, for some $\ell$ there may be no point $P \in E(\mathbb{F}_q)$ of order $\ell$, and then we cannot calculate $t_\ell$ because of the lack of points of order $\ell$ in the base field. The following is to avoid the
Definition 3.3 (Torsion points). For a positive integer $m$, the $m$-torsion points of $E$, denoted by $E[m]$, are defined by
\[
E[m] = \{P \in E(\overline{\mathbb{F}}_q) \mid [m]P = \infty\}.
\]
Of course, $E[m]$ is a subgroup of $E(\overline{\mathbb{F}}_q)$. If $\gcd(m, q) = 1$,
\[
E[m] \cong \mathbb{Z}_m \oplus \mathbb{Z}_m .
\]
Lemma 3.4. Let $m$ be a positive integer. There exist polynomials $\psi_m, \theta_m, \omega_m \in \mathbb{F}_q[x, y]$ such that for $P = (x, y) \in E(\overline{\mathbb{F}}_q)$ with $[m]P \ne \infty$,
\[
[m]P = \left(\frac{\theta_m(x, y)}{\psi_m(x, y)^2},\ \frac{\omega_m(x, y)}{\psi_m(x, y)^3}\right).
\]
The polynomial $\psi_m(x, y)$ is called the $m$-th division polynomial.
Theorem 3.5. Let $P = (x, y)$ be a point in $E(\overline{\mathbb{F}}_q)$ with $[2]P \ne \infty$, and let $m \ge 3$ be an odd integer. Note that $\psi_m(x, y)$ has no $y$ term, so we write $\psi_m(x)$ instead. Then $P \in E[m]$ if and only if $\psi_m(x) = 0$.
Now the points of order $\ell$ satisfy $\psi_\ell(x) = 0$, and they also satisfy the equation of the elliptic curve. So the computation takes place in the polynomial ring $\mathbb{F}_q[x, y]$ and is reduced modulo the curve equation and $\psi_\ell(x)$. Besides, the zero map with respect to $\ell$ can be written as $\phi^2 - [t_\ell]\phi + [q_\ell]$, where $q_\ell \equiv q \pmod \ell$.
What remains is the case $\ell = 2$, which is easy. If the elliptic curve is defined over a field of characteristic two and is not supersingular, $t_2 = 1$. For curves defined over a field of odd characteristic, $\#E(\mathbb{F}_q) = q + 1 - t$ and $q$ is odd, so $t \equiv \#E(\mathbb{F}_q) \pmod 2$. According to the group structure, $\#E(\mathbb{F}_q) \equiv 0 \pmod 2$ if and only if there is a subgroup of order 2, and the $y$-coordinate of a point of order 2 is 0. Therefore, if $E(x, 0) = x^3 + ax + b$ has a root in $\mathbb{F}_q$, then $t_2 = 0$, and otherwise $t_2 = 1$. So $t_2$ is obtained from the degree of $\gcd(E(x, 0), x^q - x)$.
This algorithm is briefly listed in Algorithm 2.
Algorithm 2: Schoof's Algorithm
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_q$
OUTPUT: $\#E(\mathbb{F}_q)$
1. Find $t_2$ and store $(t_2, 2)$
2. $M = 2$, $\ell = 3$
3. While $M \le 4\sqrt{q}$
4.   Calculate $Q = (X(x, y), Y(x, y)) = \phi^2(P) + [q_\ell]P$, where $P = (x, y) \in E[\ell]$
5.   Calculate $R = (X(x, y), Y(x, y)) = \phi(P)$, where $P = (x, y) \in E[\ell]$
6.   For $t_\ell = 0, 1, \ldots, (\ell - 1)/2$
7.     If the $x$-coordinates of $[t_\ell]R$ and $Q$ are the same
8.       If the $y$-coordinates are the same
9.         Store $(t_\ell, \ell)$
10.      Else
11.        Store $(\ell - t_\ell, \ell)$
12.      Break
13.  $M = M \cdot \ell$, $\ell = \mathrm{nextprime}(\ell)$
14. Compute $t$ from the $(t_\ell, \ell)$ pairs by CRT
15. Return $q + 1 - t$
The routine $\mathrm{nextprime}(\ell)$ returns the smallest prime larger than $\ell$.
For each $\ell$, the computation is in the polynomial ring reduced modulo $\psi_\ell(x)$, which has degree $(\ell^2 - 1)/2$, and modulo the curve equation, so the polynomials have degree at most one in $y$. The computation of $\phi^2(P)$ and $\phi(P)$ takes $O(\ell^4 \log q)$ field multiplications, and the number of primes needed is $O(\log q / \log\log q)$. So the total time complexity is $O(\log^6 q)$ field multiplications, which is $O(\log^8 q)$ bit operations.
3.3 Atkin's Idea and Elkies' Idea
Though Schoof proposed a polynomial-time algorithm for point counting in 1985, it is still too slow for determining the group order of an elliptic curve in practice. After the improvements of Atkin's and Elkies' work, the time complexity of the SEA algorithm is $O(\log^6 q)$ bit operations.
The characteristic polynomial of the Frobenius map reduced modulo $\ell$ is $x^2 - t_\ell x + q_\ell$ over $\mathbb{F}_\ell$. If $x^2 - t_\ell x + q_\ell = 0$ has a root in $\mathbb{F}_\ell$, then $\ell$ is an Elkies prime. In this case we can find another curve $E_1$ and an isogeny from $E$ to $E_1$ whose kernel has cardinality $\ell$. If there is no root in $\mathbb{F}_\ell$, then $\ell$ is an Atkin prime, and only the possible values of $t_\ell$ are obtained. While $t$ is still unknown, the modular polynomials decide the type of a prime.
3.3.1 Modular Polynomial
The classical modular polynomials $\Phi_m(x, y)$ play a significant role in the SEA algorithm. Here we focus on the case $m = \ell$, a prime.
Definition 3.6 (Classical modular polynomial).
\[
\Phi_\ell(x, j(\tau)) = \bigl(x - j(\ell\tau)\bigr) \prod_{k=0}^{\ell-1} \left(x - j\!\left(\frac{\tau + k}{\ell}\right)\right).
\]
Then $\Phi_\ell(x, y) \in \mathbb{Z}[x, y]$.
Lemma 3.7. Let $E_1, E_2$ be two elliptic curves. There is an isogeny of degree $\ell$ from $E_1$ to $E_2$ if
Theorem 3.8. [20] Let $E$ be a non-supersingular elliptic curve over $\mathbb{F}_q$ with $j$-invariant $j \ne 0, 1728$. For an odd prime $\ell$, $\Phi_\ell(x, j) \in \mathbb{F}_q[x]$ is a univariate polynomial, and there are three cases for the number of its roots in $\mathbb{F}_q$:
(1) One root, or $\ell + 1$ roots: $\ell$ is an Elkies prime, with $t^2 - 4q \equiv 0 \pmod \ell$.
(2) Two roots: $\ell$ is an Elkies prime, with $t^2 - 4q$ a non-zero square in $\mathbb{F}_\ell$.
(3) No root: $\ell$ is an Atkin prime, and all roots lie in $\mathbb{F}_{q^r}$ for some $r \mid \ell + 1$.
In practice, the coefficients of the classical modular polynomials become very large as $\ell$ increases. In 1995, Müller proposed alternative modular polynomials $\Phi^c_\ell(x, y)$. First let
\[
v = \frac{\ell - 1}{\gcd(12, \ell - 1)}, \qquad s = \frac{12}{\gcd(12, \ell - 1)}, \qquad f(\tau) = \left(\frac{\eta(\tau)}{\eta(\ell\tau)}\right)^{2s}.
\]
Definition 3.9 (Alternative modular polynomials). There exist coefficients $a_{r,k} \in \mathbb{Z}$ such that
\[
\sum_{r=0}^{\ell+1} \sum_{k=0}^{v} a_{r,k}\, f(\tau)^r\, j(\ell\tau)^k = 0 .
\]
Then the alternative modular polynomial is defined by
\[
\Phi^c_\ell(x, y) = \sum_{r=0}^{\ell+1} \sum_{k=0}^{v} a_{r,k}\, x^r y^k \in \mathbb{Z}[x, y].
\]
The alternative modular polynomials satisfy Theorem 3.8. So the degree of $\gcd(\Phi^c_\ell(x, j), x^q - x)$ is sufficient to separate Elkies primes from Atkin primes. Since the modular polynomials can be pre-computed, the complexity of deciding the type of a prime $\ell$ is $O(\ell^2 \log q)$.
The following are examples of the two kinds of modular polynomials.
\[
\Phi^c_3(x, y) = x^4 + 36x^3 + 270x^2 - xy + 756x + 729,
\]
\[
\Phi^c_5(x, y) = x^6 + 30x^5 + 315x^4 + 1300x^3 + 1575x^2 - xy + 750x + 125,
\]
\[
\begin{aligned}
\Phi_3(x, y) = {}& x^4 - x^3y^3 + y^4 + 2232(x^3y^2 + x^2y^3) - 1069956(x^3y + xy^3) + 36864000(x^3 + y^3)\\
& + 2587918086\,x^2y^2 + 8900222976000(x^2y + xy^2) + 452984832000000(x^2 + y^2)\\
& - 770845966336000000\,xy + 1855425871872000000000(x + y),
\end{aligned}
\]
\[
\begin{aligned}
\Phi_5(x, y) = {}& x^6 - x^5y^5 + y^6 + 3720(x^5y^4 + x^4y^5) - 4550940(x^5y^3 + x^3y^5)\\
& + 2028551200(x^5y^2 + x^2y^5) - 246683410950(x^5y + xy^5) + 1963211489280(x^5 + y^5)\\
& + 1665999364600\,x^4y^4 + 107878928185336800(x^4y^3 + x^3y^4)\\
& + 383083609779811215375(x^4y^2 + x^2y^4) + 128541798906828816384000(x^4y + xy^4)\\
& + 1284733132841424456253440(x^4 + y^4) + 441206965512914835246100\,x^3y^3\\
& + 26898488858380731577417728000(x^3y^2 + x^2y^3)\\
& + 192457934618928299655108231168000(x^3y + xy^3)\\
& + 280244777828439527804321565297868800(x^3 + y^3)\\
& + 5110941777552418083110765199360000\,x^2y^2\\
& + 36554736583949629295706472332656640000(x^2y + xy^2)\\
& + 6692500042627997708487149415015068467200(x^2 + y^2)\\
& - 264073457076620596259715790247978782949376\,xy\\
& + 53274330803424425450420160273356509151232000(x + y)\\
& + 141359947154721358697753474691071362751004672000 .
\end{aligned}
\]
3.3.2 Elkies' Improvement
Let $\ell$ be an Elkies prime. There is an elliptic curve $E_1$ and an isogeny $I_1$ such that
\[
I_1 : E \to E_1 .
\]
The degree of $I_1$ is $\ell$, and so is the cardinality of $\ker(I_1)$. More precisely, let $P = (x, y)$ be a point on $E(\overline{\mathbb{F}}_q)$; then
\[
I_1(P) = \left(\frac{k_1(x)}{h_1(x)^2},\ \frac{g_1(x, y)}{h_1(x)^3}\right) \in E_1 .
\]
Since $|\ker(I_1)| = \ell$ and $I_1(\infty) = \infty$, $\deg h_1(x) = (\ell - 1)/2$. Note that $\deg k_1(x) = \ell$.
The curve $E_1$ and $h_1(x)$ can be derived from a root of $\Phi^c_\ell(x, j)$, the partial derivatives of $\Phi^c_\ell(x, y)$, and some invariants of $E$. Here we specify how to find $h_1(x)$ for fields of characteristic greater than three.
First, let $j = j(E)$ and compute a root $g$ of the polynomial $\Phi^c_\ell(x, j(E))$. Set
\[
E_4 = -\frac{a}{3}, \qquad E_6 = -\frac{b}{2}, \qquad \Delta = \frac{E_4^3 - E_6^2}{1728},
\]
and then
\[
D_g = g \cdot \frac{\partial \Phi^c_\ell}{\partial x}(g, j), \qquad D_j = j \cdot \frac{\partial \Phi^c_\ell}{\partial y}(g, j).
\]
The coefficients $\tilde a, \tilde b$ of the isogenous curve have the associated invariants $E_4^{(\ell)}, E_6^{(\ell)}, \Delta^{(\ell)}$, where
\[
\Delta^{(\ell)} = \ell^{-12}\, \Delta\, g^{\gcd(12,\, \ell - 1)} .
\]
If $D_j = 0$, then
\[
E_4^{(\ell)} = \ell^{-2} E_4, \quad \tilde a = -3\ell^4 E_4^{(\ell)}, \quad j^{(\ell)} = \frac{\bigl(E_4^{(\ell)}\bigr)^3}{\Delta^{(\ell)}}, \quad \tilde b = -2\ell^6 \sqrt{(j^{(\ell)} - 1728)\,\Delta^{(\ell)}}, \quad p_1 = 0 .
\]
Now assume $D_j \ne 0$. With $s = 12/\gcd(12, \ell - 1)$, let
\[
E_2 = \frac{12 E_6 D_j}{s E_4 D_g}, \qquad g' = -\frac{s}{12} E_2\, g, \qquad j' = -E_4^2 E_6 \Delta^{-1}, \qquad E_0 = E_6 (E_4 E_2)^{-1}.
\]
Then we need to compute the quantities
\[
D'_g = g' \frac{\partial \Phi^c_\ell}{\partial x}(g, j) + g\left(g' \frac{\partial^2 \Phi^c_\ell}{\partial x^2}(g, j) + j' \frac{\partial^2 \Phi^c_\ell}{\partial x\, \partial y}(g, j)\right),
\]
\[
D'_j = j' \frac{\partial \Phi^c_\ell}{\partial y}(g, j) + j\left(j' \frac{\partial^2 \Phi^c_\ell}{\partial y^2}(g, j) + g' \frac{\partial^2 \Phi^c_\ell}{\partial y\, \partial x}(g, j)\right).
\]
Now we can determine
\[
E'_0 = \frac{1}{D_j}\left(-\frac{s}{12} D'_g - E_0 D'_j\right),
\]
so that
\[
E_4^{(\ell)} = \frac{1}{\ell^2}\left(E_4 - E_2\left(\frac{12 E'_0}{E_0} + \frac{6 E_4^2}{E_6} - \frac{4 E_6}{E_4}\right) + E_2^2\right).
\]
The $j$-invariant of the isogenous curve is
\[
j^{(\ell)} = \frac{\bigl(E_4^{(\ell)}\bigr)^3}{\Delta^{(\ell)}} .
\]
Setting
\[
f = \frac{\ell^s}{g}, \qquad f' = \frac{E_2 f}{\gcd(12, \ell - 1)}, \qquad D^*_g = f \cdot \frac{\partial \Phi^c_\ell}{\partial x}(f, j^{(\ell)}), \qquad D^*_j = j^{(\ell)} \cdot \frac{\partial \Phi^c_\ell}{\partial y}(f, j^{(\ell)}),
\]
we finally compute
\[
j^{(\ell)\prime} = -\frac{f' D^*_g}{\ell D^*_j}, \qquad E_6^{(\ell)} = -\frac{E_4^{(\ell)}\, j^{(\ell)\prime}}{j^{(\ell)}} .
\]
Thus we have the three desired quantities
\[
\tilde a = -3\ell^4 E_4^{(\ell)}, \qquad \tilde b = -2\ell^6 E_6^{(\ell)}, \qquad p_1 = -\frac{\ell E_2}{2}.
\]
Therefore, the special value $p_1$ and the coefficients $\tilde a, \tilde b$ of the curve $E_1$ derived above are used to find $h_1(x)$.
Let $E[a, b]$ be an elliptic curve defined over a finite field $\mathbb{F}_q$. Then, by the correspondence with curves over $\mathbb{C}$,
\[
\wp(z) = \frac{1}{z^2} + \sum_{\omega \in \Lambda\setminus\{0\}}\left(\frac{1}{(z - \omega)^2} - \frac{1}{\omega^2}\right) = \frac{1}{z^2} + \sum_{k=1}^{\infty} c_k z^{2k},
\]
where the coefficients $c_k$ are obtained from the following recursion:
\[
c_1 = -\frac{a}{5}, \qquad c_2 = -\frac{b}{7}, \qquad c_k = \frac{3}{(k-2)(2k+3)} \sum_{j=1}^{k-2} c_j c_{k-1-j}, \quad k \ge 3 .
\]
Let the Weierstrass $\wp$-functions of $E$ and $E_1$ be $\wp(z)$ and $\wp_1(z)$, respectively:
\[
\wp(z) = \frac{1}{z^2} + \sum_{k=1}^{\infty} c_k z^{2k}, \qquad \wp_1(z) = \frac{1}{z^2} + \sum_{k=1}^{\infty} \tilde c_k z^{2k}.
\]
Then $h_1(x)$ satisfies the equation
\[
z^{\ell - 1} h_1(\wp(z)) = \exp\left(-\frac{1}{2} p_1 z^2 - \sum_{k=1}^{\infty} \frac{\tilde c_k - \ell c_k}{(2k+1)(2k+2)}\, z^{2k+2}\right).
\]
Using the fact that $h_1(x)$ is a monic polynomial of degree $(\ell - 1)/2$, we can figure out $h_1(x)$ by comparing the coefficients of the powers of $z$, where the right-hand side is expanded as a Taylor series.
Because $I_1$ is a homomorphism, $\ker(I_1)$ is a subgroup of $E$ with $|\ker(I_1)| = \ell$, so $\ker(I_1)$ is a subgroup of $E[\ell]$ and contains a point of order $\ell$. There is an important property,
\[
\phi(P) = [\lambda]P \qquad \text{for } P \in \ker(I_1),
\]
where $\lambda$ is a root of the characteristic polynomial of the Frobenius map over $\mathbb{F}_\ell$. $\lambda$ is derived first, and then the other root $\mu = q_\ell/\lambda$ in $\mathbb{F}_\ell$. Therefore $t_\ell \equiv \lambda + \mu \pmod \ell$. From Müller's work, it suffices to check only the $y$-coordinates.
Algorithm 3: Elkies Procedure
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_q$, and an Elkies prime $\ell$
OUTPUT: $t_\ell$
1. Compute the polynomial $h_1(x)$
2. Calculate $Q = (X(x, y), Y(x, y)) = \phi(P)$, where $P = (x, y) \in E$ satisfies $h_1(x) = 0$
3. For $\lambda = 1, 2, \ldots, (\ell - 1)/2$
4.   If the $y$-coordinates of $[\lambda]P$ and $Q$ are the same
5.     $\mu = q_\ell/\lambda$
6.     Break
7.   If the sum of the $y$-coordinates of $[\lambda]P$ and $Q$ is 0
8.     $\lambda = \ell - \lambda$, $\mu = q_\ell/\lambda$
9.     Break
10. Return $(\lambda + \mu) \bmod \ell$
In Schoof's algorithm, the points of order $\ell$ are observed by using the division polynomial $\psi_\ell(x)$ of degree $(\ell^2 - 1)/2$. Elkies improved this part by using $h_1(x)$ of degree $(\ell - 1)/2$. Thus the complexity of the Elkies procedure is $O(\ell^2 \log^3 q)$ bit operations.
3.3.3 Atkin's Method
Now let us consider an Atkin prime $\ell$. There is no root of $x^2 - t_\ell x + q_\ell = 0$ in $\mathbb{F}_\ell$, but the two roots lie in $\mathbb{F}_{\ell^2}$.
Theorem 3.10. If the roots of $\Phi^c_\ell(x, j)$ lie in $\mathbb{F}_{q^r}$ for the smallest such $r$, then the roots $\lambda$ and $\mu$ of $x^2 - t_\ell x + q_\ell = 0$ satisfy that $\lambda/\mu$ is an element of order exactly $r$ in $\mathbb{F}_{\ell^2}$.
Denote the $r$ of Theorem 3.8 for an Atkin prime $\ell$ by $r_\ell$. It can be found by observing the degree of $\gcd(\Phi^c_\ell(x, j), x^{q^i} - x)$ for increasing $i \mid \ell + 1$; the complexity is $O(\ell^3 \log^3 q)$ bit operations. Once $r_\ell$ is derived, the following is a way to find the set of all possible $t_\ell$.
We may let $\mathbb{F}_{\ell^2} = \mathbb{F}_\ell[\sqrt{d}]$ for a quadratic non-residue $d \in \mathbb{F}_\ell$. Since $\lambda$ and $\mu$ lie in $\mathbb{F}_{\ell^2}\setminus\mathbb{F}_\ell$,
\[
\lambda = x_1 + \sqrt{d}\, x_2, \qquad \mu = x_1 - \sqrt{d}\, x_2
\]
for some $x_1, x_2 \in \mathbb{F}_\ell$, and the order of $\lambda/\mu$ is $r_\ell$. Let $\gamma_{r_\ell} = g_1 + \sqrt{d}\, g_2$ be an element of order $r_\ell$ for some $g_1, g_2 \in \mathbb{F}_\ell$. Then
\[
g_1 + \sqrt{d}\, g_2 = \gamma_{r_\ell} = \frac{\lambda}{\mu} = \frac{\lambda^2}{\lambda\mu} = \frac{1}{q}\left(x_1^2 + d x_2^2 + 2 x_1 x_2 \sqrt{d}\right).
\]
Hence
\[
q g_1 \equiv x_1^2 + d x_2^2, \qquad q g_2 \equiv 2 x_1 x_2, \qquad q \equiv x_1^2 - d x_2^2 \pmod \ell,
\]
so that $x_1^2 \equiv q(g_1 + 1)/2$ and $t_\ell \equiv 2 x_1 \pmod \ell$. Hence the possible $t_\ell$ can be derived from $g_1$ of $\gamma_{r_\ell}$.
Therefore the rest of the work is to find all elements of $\mathbb{F}_{\ell^2}$ of order exactly $r_\ell$. This is easy because a generator $g$ of $\mathbb{F}_{\ell^2}^*$ can be found quickly, and
\[
\gamma_{r_\ell} = g^{\,i(\ell^2 - 1)/r_\ell}, \qquad 0 < i < r_\ell,\ \gcd(i, r_\ell) = 1 .
\]
Note that the number of possible $t_\ell$'s is $\varphi(r_\ell)$, where $\varphi$ is Euler's totient function. The procedure is given below.
Algorithm 4: Atkin Procedure
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_q$, and an Atkin prime $\ell$
OUTPUT: a set of $t_\ell$ candidates
1. For $r_\ell = 2, 3, \ldots, \ell + 1$ with $r_\ell \mid \ell + 1$ (Find $r_\ell$)
2.   If $\gcd(\Phi^c_\ell(x, j), x^{q^{r_\ell}} - x) \ne 1$
3.     Break
4. Find a quadratic non-residue $d$
5. Find a generator $g$ of $\mathbb{F}_\ell[\sqrt{d}]$
6. $S = \{\}$
7. For $i = 1, 2, \ldots, r_\ell - 1$ with $\gcd(i, r_\ell) = 1$
8.   Compute $g_1 + \sqrt{d}\, g_2 = g^{\,i(\ell^2 - 1)/r_\ell}$
9.   Find a square root $x_1$ of $q(g_1 + 1)/2$ in $\mathbb{F}_\ell$
10.  Store $\{2x_1, -2x_1\}$ in $S$
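Steps 4 to 10 of Algorithm 4 in working code, as an added example that is not the thesis's implementation. It assumes $r_\ell$ is already known (the gcd search against $\Phi^c_\ell$ in steps 1 to 3 is not reproduced) and represents $\mathbb{F}_{\ell^2} = \mathbb{F}_\ell[\sqrt{d}]$ as pairs $(x_1, x_2)$. The function `brute_candidates` is a cross-check written for this example: it takes every $t$ whose polynomial $x^2 - tx + q$ is irreducible over $\mathbb{F}_\ell$ and groups it by the order of $\lambda/\mu$, which is the statement of Theorem 3.10. The values $\ell = 13$ and $q = 10007$ are chosen here only for illustration.

```python
"""Candidate traces t_l of an Atkin prime from r_l (Algorithm 4), added example."""
from math import gcd


def nonresidue(l):
    """Smallest quadratic non-residue d modulo the odd prime l."""
    return next(d for d in range(2, l) if pow(d, (l - 1) // 2, l) == l - 1)


def sqrt_mod(a, l):
    """Brute-force square root modulo the small prime l, or None."""
    a %= l
    return next((x for x in range(l) if x * x % l == a), None)


def f2_mul(u, v, d, l):
    """(a + b sqrt d)(c + e sqrt d) in F_l[sqrt d]."""
    (a, b), (c, e) = u, v
    return ((a * c + d * b * e) % l, (a * e + b * c) % l)


def f2_pow(u, n, d, l):
    r = (1, 0)
    while n:
        if n & 1:
            r = f2_mul(r, u, d, l)
        u, n = f2_mul(u, u, d, l), n >> 1
    return r


def f2_order(u, d, l):
    n, v = 1, u
    while v != (1, 0):
        v, n = f2_mul(v, u, d, l), n + 1
    return n


def f2_generator(d, l):
    """A generator of the cyclic group F_{l^2}^*, of order l^2 - 1."""
    n = l * l - 1
    primes = [p for p in range(2, n + 1) if n % p == 0 and all(p % k for k in range(2, p))]
    for a in range(l):
        for b in range(1, l):          # elements of F_l itself cannot generate
            if all(f2_pow((a, b), n // p, d, l) != (1, 0) for p in primes):
                return (a, b)


def atkin_candidates(l, q, r):
    """Steps 4-10 of Algorithm 4: t = +/- 2 x1 with x1^2 = q (g1 + 1)/2 for
    every gamma = g1 + g2 sqrt(d) of order exactly r in F_{l^2}."""
    d = nonresidue(l)
    g = f2_generator(d, l)
    inv2 = pow(2, -1, l)
    T = set()
    for i in range(1, r):
        if gcd(i, r) != 1:
            continue
        g1, _ = f2_pow(g, i * (l * l - 1) // r, d, l)
        x1 = sqrt_mod(q * (g1 + 1) * inv2, l)
        if x1 is not None:             # no lambda with lambda*mu = q maps to this gamma
            T |= {2 * x1 % l, -2 * x1 % l}
    return T


def brute_candidates(l, q):
    """Cross-check: every t in F_l with x^2 - t x + q irreducible, grouped by
    the order r of lambda/mu in F_{l^2} (the definition behind Theorem 3.10)."""
    d, inv2 = nonresidue(l), pow(2, -1, l)
    out = {}
    for t in range(l):
        disc = (t * t - 4 * q) % l
        if disc == 0 or pow(disc, (l - 1) // 2, l) == 1:
            continue                                  # roots in F_l: Elkies type
        c = sqrt_mod(disc * pow(d, -1, l), l)         # disc = d c^2
        lam = (t * inv2 % l, c * inv2 % l)            # (t + c sqrt d) / 2
        mu = (t * inv2 % l, -c * inv2 % l)            # (t - c sqrt d) / 2
        gamma = f2_mul(lam, f2_pow(mu, l * l - 2, d, l), d, l)   # lambda / mu
        out.setdefault(f2_order(gamma, d, l), set()).add(t)
    return out
```

For the true $r_\ell$ every element of order $r_\ell$ yields a square root in step 9 and the set has exactly $\varphi(r_\ell)$ elements; for a divisor of $\ell + 1$ that is not the true $r_\ell$ the square roots fail and the set comes out empty, which is why the code tolerates a missing root instead of treating it as an error.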
3.3.4 Baby-step-giant-step (BSGS) Strategy
The information from Elkies primes is determinate, while that from Atkin primes is not. Actually, the number of candidates for $t$ is
\[
C = \prod_{\ell\ \text{Atkin}} \varphi(r_\ell).
\]
There is a sub-exponential time BSGS algorithm for this part.
First, the Atkin primes are partitioned into two sets $S_1$ and $S_2$ such that $\prod_{\ell \in S_1} \varphi(r_\ell)$ and $\prod_{\ell \in S_2} \varphi(r_\ell)$ are roughly the same. Let $m_1, m_2$ be the products of the primes in $S_1, S_2$ respectively, and $m_3$ the product of the Elkies primes; $t_3 \equiv t \pmod{m_3}$ is determined by CRT.
Suppose $t_1 \equiv t \pmod{m_1}$ and $t_2 \equiv t \pmod{m_2}$. Of course, $m_1 m_2 m_3 > 4\sqrt{q}$. Let
\[
M_1 \equiv \frac{1}{m_2 m_3} \pmod{m_1}, \qquad M_2 \equiv \frac{1}{m_1 m_3} \pmod{m_2}, \qquad M_3 \equiv \frac{1}{m_1 m_2} \pmod{m_3}.
\]
By use of CRT we obtain
\[
1 \equiv m_1 m_2 M_3 + m_1 m_3 M_2 + m_2 m_3 M_1 \pmod{m_1 m_2 m_3},
\]
\[
t \equiv t_3 m_1 m_2 M_3 + t_2 m_1 m_3 M_2 + t_1 m_2 m_3 M_1 \pmod{m_1 m_2 m_3}.
\]
Let $r_1 \equiv (t_1 - t_3) M_1 \pmod{m_1}$ and $r_2 \equiv (t_2 - t_3) M_2 \pmod{m_2}$. Then
\[
t \equiv t_3 (1 - m_1 m_3 M_2 - m_2 m_3 M_1) + t_2 m_1 m_3 M_2 + t_1 m_2 m_3 M_1 \equiv t_3 + m_3 (m_1 r_2 + m_2 r_1) \pmod{m_1 m_2 m_3}.
\]
Now we write $t = t_3 + m_3 (m_1 r_2 + m_2 r_1)$.
Lemma 3.11. If $0 \le t_3 < m_3$ and $-\lfloor m_1/2 \rfloor \le r_1 \le \lfloor m_1/2 \rfloor$, then $r_2 = \frac{1}{m_1 m_3}(t - t_3 - m_2 m_3 r_1)$. Thus
\[
|r_2| \le \frac{1}{m_1 m_3}\bigl(|t| + |t_3| + m_2 m_3 |r_1|\bigr) \le \frac{2\sqrt{q}}{m_1 m_3} + \frac{1}{m_1} + \frac{m_2}{2} \le \frac{m_2}{2} + \frac{1}{m_1} + \frac{m_2}{2},
\]
so $|r_2| \le m_2$.
Since $\#E(\mathbb{F}_q) = q + 1 - t$, for a point $P \in E(\mathbb{F}_q)$ we have
\[
[q + 1]P = [t]P = [t_3 + m_3 (m_1 r_2 + m_2 r_1)]P .
\]
Therefore,
\[
[q + 1 - t_3]P - [r_1 m_2 m_3]P = [r_2 m_1 m_3]P .
\]
For each possible $t_1$, calculate the corresponding $r_1$ with $|r_1| \le m_1/2$ and compute the left-hand side in the baby step. For each possible $t_2$, calculate the two values of $r_2$ with $|r_2| \le m_2$ and compute the right-hand side in the giant step. Find the pair $(r_1, r_2)$ such that $[q + 1 - t_3]P - [r_1 m_2 m_3]P = [r_2 m_1 m_3]P$. Then $t$ is derived, and so is the group order. The complexity of the BSGS strategy is $O(\sqrt{C} \log^3 q)$ bit operations.
Algorithm 5: BSGS Strategy
INPUT: $E(\mathbb{F}_q)$, and the information gathered from the Elkies and Atkin procedures
OUTPUT: $\#E(\mathbb{F}_q)$
1. Divide the Atkin primes into two sets $S_1, S_2$
2. Calculate $t_3 \equiv t \pmod{m_3}$
3. Find a random point $P \in E(\mathbb{F}_q)$
4. For all possible $t_1$
5.   Calculate $r_1$, where $|r_1| \le m_1/2$
6.   Compute $Q = [q + 1 - t_3]P - [r_1 m_2 m_3]P$, and store $(Q, r_1)$
7. Sort the $(Q, r_1)$ pairs by the $x$-coordinate of $Q$
8. For all possible $t_2$
9.   Calculate $r_2$, where $|r_2| \le m_2$
10.  Compute $R = [r_2 m_1 m_3]P$
11.  If there exists $(Q, r_1)$ such that $Q = R$
12.    $t = t_3 + m_3 (m_1 r_2 + m_2 r_1)$
13.    Return $q + 1 - t$
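Both baby-step giant-step searches of this chapter, Algorithm 1 of Section 3.1 and Algorithm 5 above, in working code sharing one set of curve routines. This is an added example, not the thesis's MIRACL implementation. The curve $y^2 = x^3 + 3x + 10$ is the one of Example 5.3, but the small prime $p = 10007$ is an assumption made here so that the naive count of Example 3.2 can check both results; the Elkies residues and Atkin candidate sets handed to Algorithm 5 are constructed from the true trace rather than computed with modular polynomials, and the candidate sets contain deliberate distractors. Unlike the pseudocode, both searches verify that exactly one match lies in the Hasse interval and move to another point otherwise, which is the check a point of small order would trip.

```python
"""Added example (not the thesis's code): Algorithms 1 and 5 over a toy prime
field. The curve y^2 = x^3 + 3x + 10 is that of Example 5.3, but p = 10007 is
assumed here so the naive count of Example 3.2 can check both results."""
import itertools
import math

def legendre(a, p):
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def naive_count(a, b, p):
    """Example 3.2: #E(F_p) = p + 1 + sum_x (x^3 + a x + b | p)."""
    return p + 1 + sum(legendre(x * x * x + a * x + b, p) for x in range(p))

def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + a x + b; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """[k]P by double-and-add; a negative k negates the affine point P first."""
    if k < 0:
        k, P = -k, (P[0], -P[1] % p)
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def points(a, b, p):
    """Affine points in order of x (p = 3 mod 4 is assumed for the square root)."""
    assert p % 4 == 3
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if legendre(rhs, p) >= 0:
            yield (x, pow(rhs, (p + 1) // 4, p))

def matches(baby, giants):
    """Join baby steps {point: [tags]} with giant steps [(point, tag)]."""
    return [(i, j) for S, j in giants for i in baby.get(S, [])]

def bsgs_count(a, b, p):
    """Algorithm 1: with s = floor(2 sqrt p), Q = [p+1+s]P = [t+s]P, so k = t+s
    lies in [0, 2s] and is searched as k = i + j m with 0 <= i, j < m."""
    s = math.isqrt(4 * p)
    m = math.isqrt(2 * s) + 1                                    # m^2 > 2s
    for P in points(a, b, p):
        Q, baby, R = ec_mul(p + 1 + s, P, a,p), {}, None
        for i in range(m):                                       # baby steps [i]P
            baby.setdefault(R, []).append(i)
            R = ec_add(R, P, a, p)
        neg_mP, giants, S = ec_mul(-m, P, a, p), [], Q
        for j in range(m):                                       # giant steps Q - [j][m]P
            giants.append((S, j))
            S = ec_add(S, neg_mP, a, p)
        ks = {i + j * m for i, j in matches(baby, giants) if i + j * m <= 2 * s}
        if len(ks) == 1:   # one N in the Hasse interval kills P; else ord(P) is small, retry
            return p + 1 + s - ks.pop()

def crt(residues):
    """{modulus: residue} with pairwise coprime moduli -> (x mod product, product)."""
    M = math.prod(residues)
    return sum(r * (M // m) * pow(M // m, -1, m) for m, r in residues.items()) % M, M

def bsgs_strategy(a, b, p, elkies, atkin):
    """Algorithm 5. elkies: {l: t mod l}; atkin: {l: set of possible t mod l}."""
    s, S1, S2, c1, c2 = math.isqrt(4 * p), [], [], 1, 1
    for l in sorted(atkin, key=lambda l: -len(atkin[l])):        # balance prod phi(r_l)
        if c1 <= c2:
            S1, c1 = S1 + [l], c1 * len(atkin[l])
        else:
            S2, c2 = S2 + [l], c2 * len(atkin[l])
    t3, m3 = crt(elkies)
    m1, m2 = math.prod(S1), math.prod(S2)
    assert m1 * m2 * m3 > 2 * s                                  # prod l > 4 sqrt q
    M1, M2 = pow(m2 * m3, -1, m1), pow(m1 * m3, -1, m2)
    def cands(S):   # every t mod prod(S) compatible with the candidate sets of S
        return [crt(dict(zip(S, rs)))[0] for rs in itertools.product(*(atkin[l] for l in S))]
    for P in points(a, b, p):
        base, baby, giants = ec_mul(p + 1 - t3, P, a, p), {}, []
        for t1 in cands(S1):
            r1 = (t1 - t3) * M1 % m1
            r1 = r1 - m1 if r1 > m1 // 2 else r1                     # |r1| <= m1/2
            Q = ec_add(base, ec_mul(-r1 * m2 * m3, P, a, p), a, p)   # [q+1-t3]P - [r1 m2 m3]P
            baby.setdefault(Q, []).append(r1)
        for t2 in cands(S2):
            r0 = (t2 - t3) * M2 % m2
            for r2 in range(r0 - m2, m2 + 1, m2):                    # |r2| <= m2 (Lemma 3.11)
                giants.append((ec_mul(r2 * m1 * m3, P, a, p), r2))
        ts = {t3 + m3 * (m1 * r2 + m2 * r1) for r1, r2 in matches(baby, giants)}
        ts = {t for t in ts if abs(t) <= s}                          # Hasse bound
        if len(ts) == 1:
            return p + 1 - ts.pop()

def constructed_info(t):
    """Constructed Elkies/Atkin data: exact residues mod 2, 3; candidate sets mod 5, 7, 11."""
    return ({2: t % 2, 3: t % 3}, {5: {t % 5, -t % 5}, 7: {t % 7, -t % 7, (t + 2) % 7},
                                   11: {t % 11, -t % 11, (t + 3) % 11, (t + 5) % 11}})
```

With $m_1 = 11$, $m_2 = 35$ and $m_3 = 6$ the strategy performs 4 baby steps and at most 18 giant steps for $C = 24$ candidates, whereas Algorithm 1 needs $m = 21$ steps of each kind; for a cryptographic $q$ the difference is what makes the modular information worth collecting. Note that `range(r0 - m2, m2 + 1, m2)` produces the two (or, when $r_0 = 0$, three) representatives of $r_2$ modulo $m_2$ that satisfy $|r_2| \le m_2$.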
3.3.5 Complexity Analysis
The SEA algorithm uses Schoof's idea and adds the improvements mentioned above. The outline of the SEA algorithm is given in Algorithm 6.
The Elkies primes make the complexity decrease. However, the number of Atkin primes is about one half of the number of primes considered, which is $O(\log q / \log\log q)$. This means that the $C$ of the BSGS strategy is exponential in $\log q$. Even though we use the concept of BSGS to speed up the algorithm, this is a sub-exponential time algorithm, unfortunately.
From a complexity-theoretic point of view, we can use only the Elkies primes. Under this condition larger primes are needed, because the Atkin primes are skipped, and so are modular polynomials of higher degree. The best practical compromise is to use some 'best' Atkin primes in order to avoid the use of larger primes while keeping away from the sub-exponential time complexity.
Algorithm 6: SEA algorithm
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_q$
OUTPUT: $\#E(\mathbb{F}_q)$
1. $\mathcal{E} = \{\}$, $\mathcal{A} = \{\}$, $M = 2$, $\ell = 3$
2. Find $t_2$, and $\mathcal{E} = \mathcal{E} \cup \{(t_2, 2)\}$
3. While $M \le 4\sqrt{q}$
4.   Determine the type of $\ell$
5.   If $\ell$ is an Elkies prime
6.     Elkies procedure
7.     $\mathcal{E} = \mathcal{E} \cup \{(t_\ell, \ell)\}$
8.   If $\ell$ is an Atkin prime
9.     Atkin procedure
10.    $\mathcal{A} = \mathcal{A} \cup \{(T_\ell, \ell)\}$, where $T_\ell$ is the set of all possible $t_\ell$
11.  $M = M \cdot \ell$, $\ell = \mathrm{nextprime}(\ell)$
12. BSGS strategy to determine the group order $\#E(\mathbb{F}_q)$
Chapter 4
Previous Improvements for the SEA Algorithm
There have been many improvements of the SEA algorithm in recent years. We introduce them in this chapter.
4.1 Isogeny Cycles
This method was first proposed by Couveignes and Morain in 1994 [5]. It takes advantage of the Elkies primes. For an Elkies prime $\ell$ we originally find $t_\ell \equiv t \pmod \ell$, and the use of isogeny cycles helps us to find $t_{\ell^k} \equiv t \pmod{\ell^k}$. The following is the theory of isogeny cycles.
In this section we suppose that $\ell$ satisfies condition (2) of Theorem 3.8. The two roots of $\Phi^c_\ell(x, j)$ can be used to derive two different isogenies $I_1, I_2$ corresponding to the different curves $E_1$ and $E_2$, that is,
\[
I_1 : E \to E_1, \qquad I_2 : E \to E_2,
\]
both of degree $\ell$. These isogenies map to $E_1$ and $E_2$ separately, where the $j$-invariants of $E_1$ and $E_2$ are the roots of $\Phi_\ell(x, j)$. Besides, an isogeny from $E$ to $E_1$ implies the existence of a dual isogeny from $E_1$ to $E$, which means $j = j(E)$ is a root of $\Phi_\ell(x, j(E_1))$. Since the field is finite, the $j$-invariants of the curves found by isogenies are periodic; in addition, the group orders of the curves are the same. Hence the curves are periodic up to isomorphism. In other words, the curves form a cycle, called the isogeny cycle, and there are two directions to walk along the cycle.
Example 4.1. Let $E : y^2 = x^3 + 68x + 79$ over $\mathbb{F}_{101}$ (the field in which the $j$-invariants below are computed). The curves derived from isogenies are as follows:
$[a, b]$ : $j(E[a, b])$
$[68, 79]$ : 2
$[27, 68]$ : 82
$[50, 89]$ : 56
$[31, 28]$ : 10
$[45, 15]$ : 34
$[47, 87]$ : 90
$[42, 63]$ : 20
$[97, 32]$ : 15
$[56, 31]$ : 2
If direction 1 is the direction of the cycle of curves as in Example 4.1, direction 2 is the reverse order of the curves. Figure 4.1 represents explicitly the symbols used later on. Note that $E_{1111}$ is written $E_{1^4}$ for short. The numbers on the circle are the $j$-invariants of the elliptic curves; clockwise is direction 1 and counterclockwise is direction 2. The symbol $E_{12}$ is the curve derived from direction 2 of $E_1$; more precisely, $E_{12}$ is back to $E$, since $E_{12} \cong E$.
Figure 4.1: Isogeny cycle
that is, the $j$-invariants of $E_{1^i}$ are different for $i = 0, 1, \ldots, k$. Then
\[
\ker(I_{1^k} \circ I_{1^{k-1}} \circ \cdots \circ I_{11} \circ I_1) \subset E[\ell^k].
\]
Recall that $I_{1^i} : E_{1^{i-1}} \to E_{1^i}$ is defined by
\[
I_{1^i}(P(x, y)) = \left(\frac{k_{1^i}(x)}{h_{1^i}(x)^2},\ \frac{g_{1^i}(x, y)}{h_{1^i}(x)^3}\right).
\]
The points of $\ker(I_{11})$ satisfy $h_{11}(x) = 0$, and the points of $\ker(I_{11} \circ I_1)$ satisfy the numerator of $h_{11} \circ I_1$. Hence a factor of the division polynomial $\psi_{\ell^2}(x)$ of $E$ is the numerator of
\[
h_{11}\!\left(\frac{k_1(x)}{h_1(x)^2}\right).
\]
Generally, a factor of the division polynomial $\psi_{\ell^k}(x)$ of $E$ is the numerator of $h_{1^k} \circ I_{1^{k-1}} \circ \cdots \circ I_{11} \circ I_1$. Thus the degree of this factor of $\psi_{\ell^k}(x)$ is
\[
\frac{\ell^{k-1}(\ell - 1)}{2}.
\]
Suppose the characteristic of the field is greater than three. Let $I$ be an isogeny from $E$ to $\tilde E$. The method to figure out $k_1(x)$ of $I$ is by use of the theory of elliptic curves over $\mathbb{C}$.
points in $E(\mathbb{C})$ is $\wp(z)$, and that in $\tilde E(\mathbb{C})$ is $\tilde\wp(z)$. Therefore there is a relation between them through the isogeny $I$:
\[
\tilde\wp(z) = \frac{k(\wp(z))}{h(\wp(z))^2}.
\]
Recall that
\[
z^{\ell - 1} h(\wp(z)) = \exp\left(-\frac{1}{2} p_1 z^2 - \sum_{k=1}^{\infty} \frac{\tilde c_k - \ell c_k}{(2k+1)(2k+2)}\, z^{2k+2}\right),
\]
so we have
\[
z^{2\ell - 2} k(\wp(z)) = \tilde\wp(z) \exp\left(-\frac{1}{2} p_1 z^2 - \sum_{k=1}^{\infty} \frac{\tilde c_k - \ell c_k}{(2k+1)(2k+2)}\, z^{2k+2}\right)^{2}.
\]
Then $k(x)$ can be derived.
There is another strategy to compute a factor of the division polynomial [4]. Let us look at the picture below.
In the picture, the $i_n$ are the isomorphisms of the curves. $h_{12}$ is a factor of the division polynomial $\psi_\ell(x)$ of $E_1$. Then the numerator of $h_{12} \circ i_1 \circ I_{112}$ yields a factor $f_{112}$ of the division polynomial $\psi_{\ell^2}(x)$ of $E_{11}$. Similarly, a factor $f_{1112}$ of the division polynomial $\psi_{\ell^3}(x)$ of $E_{111}$ is derived from $f_{112} \circ i_2 \circ I_{1112}$, and so on.
4.2 Re-ordering Atkin Primes
For an Atkin prime $\ell$, suppose it produces $\varphi(r_\ell)$ candidates for $t_\ell$. Izu et al. [9, 10] define the "Atkin index" of $\ell$ by
\[
i(\ell) = \frac{\varphi(r_\ell)}{\ell}.
\]
They found that Atkin primes of smaller index can be used more efficiently in the computation of the BSGS strategy. In the next chapter we propose another way to rank Atkin primes.
4.3 Virtual (Atkin/Isogeny cycles) Method
Izu et al. proposed the virtual method in 1998 [9]. The idea is simple. For a prime $\ell$, whether it is an Elkies prime or not, we have a set $T_\ell$ that contains all possible $t_\ell$; note that $T_\ell$ contains only one candidate when $\ell$ is an Elkies prime. Then $T_{\ell^2}$ is obtained as follows:
\[
T_{\ell^2} = \{t_\ell + i\ell \mid t_\ell \in T_\ell,\ 0 \le i < \ell\}.
\]
This method adds an Atkin-like prime to the gathered information. However, it is worse than using the information of Atkin primes, which means the method does not help in the case where some Atkin information is skipped. From this point of view, the method can only help to speed up point counting for elliptic curves defined over a finite field of small cardinality, so we do not apply it.
4.4 Chinese and Match Method
The BSGS strategy introduced in Section 3.3 is a so-called "Match and Sort" method. The "Chinese and Match" method was proposed by Joux and Lercier in 2000 [12] as an alternative way to solve the same problem. The advantage of this method is its reduced space complexity: they were able to count the points of an elliptic curve defined over $\mathbb{F}_{2^{1663}}$ on a network of four PII 300 MHz based PCs using only 12 MB of memory.
This method saves space at the cost of more time. We want to speed up the SEA algorithm, so it does not apply to our implementation. However, it is useful for the point counting problem of elliptic curves defined over a finite field of large cardinality.
Chapter 5
Our Three Heuristics for the SEA Algorithm
In this chapter we introduce our three heuristics: one for the use of Atkin primes, one for the use of Elkies primes, and one for avoiding the sub-exponential time BSGS strategy. We implement the SEA algorithm for elliptic curves defined over a prime field $\mathbb{F}_q$, where $q = p > 3$. We also point out some ideas and give brief explanations.
We use the MIRACL [27] (Multiprecision Integer and Rational Arithmetic C/C++ Library) library in our implementation. More than a big-number library, MIRACL provides univariate and bivariate polynomial types with big-number coefficients, modular arithmetic on big integers, polynomial rings, elliptic curve arithmetic, and some number-theoretic tools such as CRT and a cryptographically secure random number generator. MIRACL also contains a simple implementation of the SEA algorithm.
5.1 Atkin Selection Heuristic
Because of the sub-exponential time complexity of using the information of Atkin primes, the 'best' Atkin primes have to be figured out by some evaluation. The goal is to reduce the number $C$ of candidates for $t$. The first approach ranks the Atkin primes $\ell$ in order of $\varphi(r_\ell)$; thus it is straightforward to pick the Atkin primes of smaller $\varphi(r_\ell)$. Izu et al. proposed the index of Atkin primes introduced in the previous chapter.
Example 5.1. Let 5, 11 and 29 be Atkin primes, with $r_5 = 3$, $r_{11} = 12$ and $r_{29} = 15$.
$\ell$ : $r_\ell$ : $\varphi(r_\ell)$ : $i(\ell)$
5 : 3 : 2 : 0.4
11 : 12 : 4 : 0.36
29 : 15 : 8 : 0.276
Here we can easily see that it is better to use 5 and 11 rather than 29, because the numbers of possibilities are the same ($2 \cdot 4 = 8$) while $5 \cdot 11 > 29$.
Let $m_3$ be the product of the Elkies primes encountered, and $A$ the product of the selected Atkin primes. Since Elkies primes are never skipped, enough Atkin primes are selected such that
\[
m_3 A > 4\sqrt{q},
\]
so $A$ has the lower bound $4\sqrt{q}/m_3$. Also, the smaller $C$, the number of possible $t$, the better. In Izu's point of view,
\[
\frac{C}{A} = \prod_{\ell\ \text{selected Atkin}} \frac{\varphi(r_\ell)}{\ell}.
\]
Therefore, the smaller the index of the Atkin primes, the better. If the number of selected Atkin primes is fixed, this may work. However, we may use more small Atkin primes to obtain a smaller $C$ for the same $A$, as in Example 5.1.
The problem of Izu's index is that it does not consider the length of $\ell$. Here we define the rank of an Atkin prime $\ell$ by
\[
R(\ell) = \frac{\log \varphi(r_\ell)}{\log \ell}.
\]
We can see $R(\ell)$ simply as the average number of bits of $C$ caused by each bit of $\ell$. Thus an Atkin prime is 'best' if and only if the number of bits it contributes to $C$ per bit contributed to $A$ is least; therefore the 'best' Atkin primes are those of smaller $R(\ell)$.
Example 5.2. The same data as in Example 5.1.
$\ell$ : $r_\ell$ : $\varphi(r_\ell)$ : $R(\ell)$
5 : 3 : 2 : 0.43
11 : 12 : 4 : 0.58
29 : 15 : 8 : 0.62
Here we can see that our method detects the error of the index of Atkin primes.
From the same point of view, now consider the virtual method introduced in Section 4.3. The new information from it amounts to an imaginary Atkin prime with $R(\ell) = 1$, which is the worst possible. We give a real example below.
Example 5.3. Let $E : y^2 = x^3 + 3x + 10$ be defined over $\mathbb{F}_q$, where $q = 2^{384} - 317$ is a prime. The primes 2, 3, 13, 23, 29, 31, 43, 47, 59, 61, 67, 71, 73, 89, 101, 107, 109, 131, 137, 139, 167, 173, 223, 233, 239 are Elkies primes. The lower bound of $A$ is about $6.6 \cdot 10^{13}$. The following are the Atkin primes selected according to the three methods.
Table 5.1: Evaluation methods of Atkin primes
Rank in order of $\varphi(r_\ell)$:
$\ell$ : $\varphi(r_\ell)$ : Selected
5 : 2 : Drop
79 : 4 : *
11 : 4 : *
7 : 4 : *
53 : 6 : *
41 : 6 : *
17 : 6 : *
127 : 8 : *
19 : 8 : *
151 : 18 : *
179 : 24 :
191 : 32 :
$C = 15925248$, $A \approx 8.2 \cdot 10^{13}$
Rank in order of $i(\ell)$:
$\ell$ : $\varphi(r_\ell)$ : $i(\ell)$ : Selected
79 : 4 : 0.05 : *
127 : 8 : 0.06 : *
53 : 6 : 0.11 : *
151 : 18 : 0.12 : *
179 : 24 : 0.13 : *
41 : 6 : 0.15 : *
191 : 32 : 0.17 : *
17 : 6 : 0.35 :
11 : 4 : 0.36 :
5 : 2 : 0.4 :
19 : 8 : 0.42 :
7 : 4 : 0.57 :
$C = 15925248$, $A \approx 1.1 \cdot 10^{14}$
Rank in order of $R(\ell)$:
$\ell$ : $\varphi(r_\ell)$ : $R(\ell)$ : Selected
79 : 4 : 0.32 : *
127 : 8 : 0.429 : *
5 : 2 : 0.431 : Drop
53 : 6 : 0.45 : *
41 : 6 : 0.48 : *
151 : 18 : 0.576 : *
11 : 4 : 0.578 : *
179 : 24 : 0.61 : *
17 : 6 : 0.63 : *
191 : 32 : 0.66 :
19 : 8 : 0.706 :
7 : 4 : 0.712 :
$C = 11943936$, $A \approx 1.1 \cdot 10^{14}$
The Atkin primes are selected one by one until the product $A$ of the selected ones is larger than the lower bound. Then a check goes through the selected Atkin primes in order to drop any that is not necessary, that is, any prime whose removal still leaves $A$ above the lower bound. In Example 5.3 we can compare $A$ and $C$ of the first two methods: their $C$ are the same, but the index is much better because of the larger $A$. Comparing the last two, although their $A$ are almost the same, the rank of Atkin primes is better because of the smaller $C$.
While using the information from Atkin primes, we select only some of them to avoid a waste of time in the BSGS strategy. We have mentioned that the complexity of finding $r_\ell$ for each Atkin prime $\ell$ is $O(\ell^3 \log^3 q)$. Thus, as soon as we have chosen enough Atkin primes such that $m_3 A > 4\sqrt{q}$, we take the largest value $R$ of $R(\ell)$ among the selected Atkin primes. After that, we never select an Atkin prime $\ell$ with $R(\ell) > R$, so we do not need to collect the Atkin primes $\ell$ with $R(\ell) > R$ at all. This saves the time of finding $r_\ell$ for $\ell$ whenever a candidate $r_\ell$ would make $R(\ell) > R$.
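The three evaluations of this section applied to the data of Example 5.3, as an added example that is not the thesis's implementation. The $\varphi(r_\ell)$ values are the ones listed in Table 5.1 (the $r_\ell$ themselves are not given there, so $\varphi$ is taken as input rather than computed from $r_\ell$); the lower bound on $A$ is evaluated exactly from $q = 2^{384} - 317$ and the listed Elkies primes; and the tie-break among equal $\varphi(r_\ell)$, larger $\ell$ first, is an assumption made here to reproduce the order of the table.

```python
"""Atkin-prime selection by the three evaluations of Section 5.1, added example.

Ranks the Atkin primes of Example 5.3 by phi(r_l), by Izu's index
i(l) = phi(r_l)/l and by the rank R(l) = log phi(r_l) / log l, selects primes
until m3 * A > 4 sqrt(q), then drops any selected prime that is no longer
needed. phi(r_l) is taken from Table 5.1 because the r_l are not listed.
"""
import math

Q = 2**384 - 317                                   # the prime field of Example 5.3
ELKIES = [2, 3, 13, 23, 29, 31, 43, 47, 59, 61, 67, 71, 73, 89, 101, 107, 109,
          131, 137, 139, 167, 173, 223, 233, 239]
ATKIN_PHI = {5: 2, 7: 4, 11: 4, 17: 6, 19: 8, 41: 6, 53: 6, 79: 4,
             127: 8, 151: 18, 179: 24, 191: 32}    # l -> phi(r_l), Table 5.1


def phi(n):
    """Euler's totient by trial division (r_l is a small divisor of l + 1)."""
    result, m, d = n, n, 2
    while d * d <= m:
        if m % d == 0:
            result -= result // d
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        result -= result // m
    return result


def index(l, ph):
    """Izu's Atkin index i(l) = phi(r_l) / l."""
    return ph / l


def rank(l, ph):
    """R(l) = log phi(r_l) / log l: bits added to C per bit added to A."""
    return math.log(ph) / math.log(l)


KEYS = {"phi": lambda l, ph: (ph, -l),              # ties: larger l first, as in Table 5.1
        "index": index, "rank": rank}


def lower_bound(elkies, q):
    """floor(4 sqrt(q) / m3), the bound the product A of Atkin primes must exceed."""
    return 4 * math.isqrt(q) // math.prod(elkies)


def select_atkin(atkin_phi, elkies, q, method):
    """Return (selected primes in selection order, C, A) for one evaluation method."""
    m3 = math.prod(elkies)
    enough = lambda A: (A * m3) ** 2 > 16 * q       # A * m3 > 4 sqrt(q), exact in integers
    key = KEYS[method]
    chosen, A = [], 1
    for l in sorted(atkin_phi, key=lambda l: key(l, atkin_phi[l])):
        if enough(A):
            break
        chosen.append(l)
        A *= l
    for l in list(chosen):                          # drop primes that are no longer needed
        if enough(A // l):
            chosen.remove(l)
            A //= l
    C = math.prod(atkin_phi[l] for l in chosen)
    return chosen, C, A
```

The drop pass walks the primes in selection order, which is why $5$ is the prime discarded under both the $\varphi(r_\ell)$ and the $R(\ell)$ ordering: by the time it is examined, the later primes have already pushed $A$ far enough above the bound that $5$ contributes nothing but a factor of $2$ to $C$.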