尋找橢圓曲線密碼系統之安全曲線

前言

過去 30 年，公開金鑰密碼學成為網際網路及其他形式通訊上為保護

資訊安全的重要研究領域，同時也是金鑰管理與數位簽章的基礎。在金鑰

管理方面，公開金鑰加密可用來保護通訊密鑰；在數位簽章方面，提供了

認證資料來源與確認資料不被更改的功能。在 70 年代中期，第一代的公

開金鑰演算法提供了接下來 20 年的資訊安全，最為著名的有：提供金鑰

管理與認證 IP 的 IKE 與 IPSEC，提供網路通訊安全的 SSL/TLS。

公開金鑰技術為密碼學帶來了很大的變革，陸續有許多相關研究發展，

而最近 20 年來，發展出更具有效率且安全性的密碼技術－橢圓曲線密碼

學。這些密碼系統或數位簽章技術的安全性大多是建立在解一些數學問題

的困難度之上。

在 1985 年，Koblitz 與 Miller 利用橢圓曲線的特性分別提出兩個著名

的橢圓曲線密碼系統。雖然研究橢圓曲線密碼應用理論從 1985 年就已開

始，但是與 RSA 及 ElGamal 比較起來，橢圓曲線密碼應用理論顯得比較

令人難以了解。但是橢圓曲線密碼系統能帶來的好處，如較短的金鑰長度，

仍使得橢圓曲線密碼學成為學術界越來越熱門的研究。

以二維實數平面上的橢圓曲線為例，我們可定義點與點加法。設 P、

Q 為曲線上的兩個點，我們可以畫出一條直線通過這兩點

（如果兩點相同，

就做切線）

，然後這條直線還會通過在曲線上的另外一點

R’，最後對著 R’

做 x 軸的鏡射，得到的點 R 就定為 P+Q；此外，R 與 R’互為反元素，即一

個點的反元素為自身對 x 軸的鏡射；最後，定義單位元素∞，如此一來，

橢圓曲線就形成一個加法群。設 E 為定義在有限體上的橢圓曲線，P 為曲

線上一點，Q 在 P 所生成的子群中，則尋找一個整數 k 使得 Q = kP 就是橢

圓曲線離散對數問題。橢圓曲線密碼系統的安全性就建立在橢圓曲線離散

對數問題。

根據美國國家技術標準學會(NIST)之建議，現在的安全強度要求至少

要同 RSA-2048。提高安全度的一種選擇是增加安全參數(更多位元數)的傳

統公開金鑰系統；另一種選擇則是採用橢圓曲線密碼系統。

評斷公開金鑰密碼系統所需要之金鑰長度的方法之ㄧ是將他們與傳

統加密演算法(即對稱式加密演算法－symmetric encryption algorithms，如

DES 及 AES 演算法)做比較，下表列出 NIST 所建議之金鑰長度：

Symmetric Key

Size

RSA and Diffie-Hellman

Key Size

Elliptic Curve Key Size

Prime Field / Binary Field

80

1024

192 / 163

112

2048

224 / 233

128

3072

256 / 283

192

7680

384 / 409

256

15360

521 / 571

NIST 建議之金鑰長度(單位: bit)

以安全性來說，要達到與對稱式加密演算法一樣的安全度，橢圓曲線

需要長度為對稱式加密演算法兩倍長的金鑰。使用 RSA 或 Diffie-Hellman

密碼系統保護 128 位元 AES 密鑰，依上表所建議應使用 3072 位元之金鑰

－是目前在網際網路中所使用的三倍，而相對應的橢圓曲線密碼系統所需

使用的金鑰只要 256 位元。如此便可發現，在增加相同強度安全性下，RSA

與 Diffie-Hellman 金鑰長度增加的速度，比橢圓曲線密碼系統所需增加的

速度更為驚人。也就是說，橢圓曲線密碼系統每位元所提供之安全度比

RSA 或 Diffie-Hellman 密碼系統更佳。

另外，安全度不是橢圓曲線密碼學唯一有吸引力的特點。橢圓曲線密

碼系統在計算效率上比第一代公開密碼系統(如 RSA 和 Diffie-Hellman)更

快速。雖然橢圓曲線上的運算比 RSA 或 Diffie-Hellman 所需之運算稍加複

雜，但每位元所增加之安全強度可補償額外的運算時間。下表顯示在不同

安全強度(相當於金鑰長度)下 Diffie-Hellman 與橢圓曲線運算比率：

Security Level (bits)

Ratio of DH Cost : EC Cost

80

3:1

112

6:1

128

10:1

192

32:1

256

64:1

雖然在橢圓曲線上的運算是較第一代公開密碼系統複雜的，但是得益

於其較短的金鑰長度，因此整體運算速度依然可以快於第一代的公開密碼

系統。另外，不同金鑰長度也直接影響到金鑰交換或數位簽章時所需通訊

通道的負載程度，在 NIST 建議的金鑰位元數大致上相當於通道中需要傳

送的位元數。故在受限制的通訊環境與計算能力，如無線通訊，或手機或

PDA 上的密碼系統實作，橢圓曲線提供了更好的公開金鑰演算法的選擇。

另外，在橢圓曲線上的 bilinear pairings，如 Weil pairing 與 Tate pairing

(改進過後的 Eta pairing、Ate pairing 與 generalized Ate pairing)等，也造就

了另一支 pairing-based 密碼系統，從 Boneh 與 Franklin 使用 pairing 提出的

identity-based 密碼系統開始，pairing-based 密碼系統也成為很重要的研究

領域，許多的應用也相繼而生。

除了用以建構 identity-based 密碼系統外，雙線性配對還可應用至許多

不同之密碼系統及領域，並可能因此觀察到新的性質，如存取控制[S02b]、

金鑰協定[BMP04]、非互動式金鑰發佈[DE02]、憑證[CL04]、可證明之安

全簽章[BMS03]、短簽章[BB04b]、群體簽章[BBS04]、具總和性及可驗證

之加密簽章[BGLS03]、盲簽章或部分盲簽章[ZSS04]、Proxy 簽章[ZSL03]、

具不可否認性質之簽章[ZSS03]、多人簽章[LWZ03]、有限制驗證者之簽章

[CZK04]、有門檻之密碼系統[LHKKI04]、階層式密碼系統[TYW04]、可驗

之加密演算法[DFKMY03]、不須憑證之 PKC[AP03]、找出反叛者[MSK02]、

身分認證系統[KKK02]、其他應用及密碼系統[AL03, SD03]等。

研究目的

在選擇橢圓曲線作為一個公開金鑰系統的基礎有許多安全上的考量。

NIST 提供了一份安全的橢圓曲線列表，其中五條曲線是定義於二元體上

的 Koblitz 橢圓曲線，五條是定義於相同二元體上的隨機橢圓曲線，另五

條曲線是定義在質數體上的隨機橢圓曲線。這些橢圓曲線可保護相當於長

度為 80、112、128、192 和 256 位元對稱式密碼算法的密鑰。

在公開金鑰密碼系統中，增加金鑰長度可以達到更高的安全等級，但

相對地，也要付出更久的運算時間。因此，選擇安全且高效率的橢圓曲線，

是建置實用資訊安全系統的重要議題。根據橢圓曲線密碼學的研究，一般

破解離散對數的方法中，最有效的是 Pohlig-Hellman 攻擊法，而專門針對

橢圓曲線離散對數問題的同構攻擊法(Isomorphism Attack)，包含 MOV 攻

擊、FR 攻擊法，及針對 prime-field-anomalous 曲線的攻擊法，以及 Weil

Descent 攻擊。綜合上述所有的攻擊法，我們要選擇一條定義在有限體上

適用的橢圓曲線，必須滿足以下條件：

1. 橢圓曲線的點個數

，其中 r 為至少 160-bit 長的質數

2.

3.

for

4. 若

，則 m 為質數

因此，在橢圓曲線密碼系統的應用上，為了避免密碼系統被攻破，求

出有限體上橢圓曲線的有理點個數是很關鍵的，也就是點數計算問題(point

counting problem)，如果用直觀的計算方式，如 Legendre 符號(Legendre

symbol)：

(

) + + ∑ (

x

+ ax + b

)

這個方法需要指數次方

_{的時間，可見，我們需要更強而有力的工具，}

有效率的解決這個問題。

且，從 pairing-based 密碼系統上的應用之多，可見得 pairing-based 所

受之重視，但一般而言，pairing-based 密碼系統的計算量是非常大的，因

此若是未能找到合適的橢圓曲線(pairing-friendly 橢圓曲線)，來當作 pairing

計算之基礎，在實作上是有困難度的，因此在近年來即有許多的學者研究

如何找到 pairing-friendly 橢圓曲線，而這些方法都會用到複乘法。

文獻探討

現在，主要用以下三種技術來找尋適用於密碼系統的橢圓曲線：

1. 隨機曲線：隨機產生橢圓曲線的係數，並計算此曲線上點的個數，

直到找到一條適合密碼系統的橢圓曲線。

2. 複乘法。

3. 子體曲線。

本年度計畫所著重的是第二種方法。由於 pairing 之計算量頗為複雜，

因此若是無法找到適合之橢圓曲線，將會使得 pairing-based 密碼系統在實

務上淪為不可行，眾多學者紛紛提出各式各樣的方法，尋找 pairing-friendly

橢圓曲線，即橢圓曲線具有以下特性：

1. 橢圓曲線 E 定義於質數體

上，其中 q 為質數

2. 橢圓曲線的點個數

，其中

_為質數

3. 存在一個夠小的 embedding degree k 使得

4. 存在一個夠小的 D 使得

，其中

+ ，y 為整數

符合以上條件的橢圓曲線，其實是很稀疏的，因此必須有各種的策略來搜

pairing-friendly 橢圓曲線的策略，在這些學者所提出來的方法中，大致上

可分為兩種類型：一種是家族式的橢圓曲線(elliptic curves in families)，另

一種則是非家族式的橢圓曲線(elliptic curves not in families)。

在此簡短的介紹尋找 pairing-friendly 橢圓曲線的演進，首先，由 Miyaji，

Nakabayashi 及 Takano 針對 k=3、4、6 提出 MNT 橢圓曲線，2004 年 Galbraith、

Mckee、Valenca 提出了散發的 Brezing-Weng 家族式橢圓曲線(sporadic

families of Brezing-Weng curve)，2005 年 Brezing 及 Weng 提出 cyclotomic

家族橢圓曲線(cyclotomic families elliptic curve)，2006 年 Freeman 提出

Freeman 家族橢圓曲線(Freeman’s families elliptic curve)。同年，Scott 及

Barret 提出了 Scott-Barreto 家族橢圓曲線(Scott-Barreto families elliptic

curve)。

如果要找非家族式的橢圓曲線，通常只要使用學者所提的方法，就可

以找到合適的橢圓曲線，但一般來說，這個方法能找到的曲線數量是很有

限的。因此，本計畫將著重家族式橢圓曲線，在這類的方法中，先用多項

式表示橢圓曲線參數，包含係數、定義的有限體等，然後可以代入不同的

x 值，而得到不同的 pairing-friendly 橢圓曲線，但是，通常使用目前學者

所提的方法，尚不能很快找到合適的橢圓曲線，因為通常在家族式橢圓曲

線的論文中，只是找到代表橢圓曲線的一組多項式，而並未提到該代入何

值使得這些多項式真正能代表一個合適的橢圓曲線。

在找尋到適合的橢圓曲線參數後，需要用 CM 演算法求得真正橢圓曲

線的係數 a 與 b，首先介紹，對於一個複數

τ，下列式子可以計算j τ ：

τ ( + ∑

(

+

)

)

τ

τ

τ

j τ

τ +

τ

而 CM 演算法的過程簡述如下：

1. 已經有適當的橢圓曲線參數

a

，使得 –

a

，其中 D 不會太大

2. 找出所有的

a b 符合以下條件：

(1) a, b, c 為整數，且

a

(2)

a b

(3)

b

a

(4)

a

(5)

a

(6) 若

a ，則 b

3. 利用找出的

a b 計算一多項式

∏ ( j (

b + √

a

))

此多項式為整係數多項式

4. 將

看成是

上的一個多項式，在

中求解，求

出來的解即為所求橢圓曲線之 j-invariant

5. 利用此解，建構出在

上的橢圓曲線。

j

j

+

j

j

在質數體上，擁有相同 j-不變量的橢圓曲線可能是扭曲

(twist) 曲 線 ， 因 此 要 檢 查 其 點 數 為

+ a

或

+ + a

6. 如果是

+ + a

的情形，利用一個在

上沒有平方跟

的元素 d，則

₊

₊

即為點數為

+ a

之橢圓曲線

研究方法

在尋找 pairing-friendly 橢圓曲線中，最重要的一步驟就是 Complex

Multiplication 方法的計算，在本年度中，我們充分了解此方法的代數理論，

也了解此方法的相關改進，並試圖使用 Computer Science 背景，針對程式

設計部分做改良，以期能更有效率的產生適用於 pairing-based 密碼系統的

橢圓曲線。另一方面，我們也針對 pairing-based 密碼系統做一研究，了解

bilinear pairing 的原理與應用，並對現行多種 pairing-based 密碼系統之設計

做一了解，找出能將 pairing 更加推廣與應用的方法。

結果與討論(含結論與建議)

We present our experimental results of implementing the CM method. The

implementation refers to IEEE P1363 and the MIRACL (Multiprecision Integer

and Rational Arithmetic C/C++ Library) library is used. The computing

environment is Intel Xeon E5520 processor with 2.27GHz, 4G RAM on

FreeBSD 7.2 with the MIRACL library version 5.4.

由上圖可知，花最多時間的步驟就是計算 class polynomial。

2.2. 計算精準度

The bound of bit precision required to compute the Hilbert and Weber

polynomials. The bit precision required to compute the Hilbert polynomial is

結論與建議

We state the mathematical backgrounds and describe each step of the

complex complication method in this thesis. For computing the class

polynomial is one of the major part of CM method, we focus on the

computation of the class polynomial, present the experimental results, and find

some interesting differences between the prime and composite discriminants. It

seems like that the computations of the Weber polynomials of composite

discriminants have the chance to be more efficient. To confirm this effect, it

should take more experiments and observe closely.

In our experiments, we compute the class polynomial of discriminants

with at most 6 digits. Though the computation of class polynomial with more

digits would take more time, there must exist more interesting properties to be

discovered and may become the measurement of evaluating the discriminants.

Lots of researches related to computing the class polynomial are proposed

nowadays. Andrew V. Sutherland achieve the record of computing the class

polynomial with discriminant D=4058817012071 and has class number

h

=5000000 in April, 2009. For solving the large space requirement of the

polynomial, Andrew V. Sutherland proposed the computation using Chinese

Remainder Theorem.

In the future, we will implement the algorithm with CRT to overcome the

difficult of computing class polynomial with large digits. Besides, the

researches of CM method on hyperelliptic curves with genus 2 are also

ongoing.

參考文獻

1. Elliptic curves over finite fields and the computation of square roots mod p.

Schoof, R. Math Comp. 44, 483-494. (1985)

2. Counting points on elliptic curves over finite fields. Schoof, R. Journal de

Theorie des Nombres de Bordeaux 7, 219-254. (1995)

3. On the computation of modular polynomials for elliptic curvess, Ian Blake,

Janos Csirik, and Gadiel Seroussi, Hewlett-Packard Laboratories technical

report, 1999.

4. D. Charles, K. Lauter, Computing modular polynomials. Lond. Math. Soc. J.

Comput. Math. 8, 195–204(2005).

5. Isogeny cycles and the Schoof-Elkies-Atkin algorithm. J.-M. Conveignes, L.

Dewaghe, F. Morain. L’Ecole Polytechnique, Laboratoire D’Informatique,

CNRS, Palaiseau. August 1996.

6. Schoof’s algorithm and isogeny cycles. J.-M. Conveignes, F. Morain.

ANTS-1, 43-58. 1994.

7. Counting the number of point on elliptic curves over finite fields of

characteristic greater than three. F. Lehmann, M. Maurer, V. Mueller, et al.

ANTS-I, LNCS 877, 60-70. 1994.

8. Finding the eigenvalue in Elkies’s Algorithm. M. Maurer, V. Mueller.

Experimental Mathematics 10(2) 275-285. 2001.

9. Schoof-Elkies-Atkin 演算法的有效實現. 董軍武，胡磊，裴定一.

Communications of the CCISA, Vol. 12, No. 2. April 2006.

10. Elliptic Curves in Cryptography. I. Blake, G. Seroussi, N. P. Smart.

Cambridge University Press. 1999.

11. Counting the number of points on elliptic curves over finite fields: strategies

and performances. Advances in Cryptology—EUROCRYPT ’95 (LNCS

921), 79-94, 1995.

12. Efficient implementation of Schoof’s algorithm. Advances in

Cryptology—ASIACRYPT ’98 (LCNS 1514), 66-79, 1998.

13. The canonical lift of an ordinary elliptic curve over a prime field and its

point counting. T. Satoh. Journal of the Ramanujan Mathematical Society,

15, 247-270. 2000.

14. Guide to Elliptic Curve Cryptography, Darrel Hankerson, Alfred Menezes,

Scott Vanstone. Springer-Verlag, 2004.

15. An improved algorithm for computing logarithms over GF(p) and its

cryptographic significance. S. Pohlig, M. Hellman. IEEE Transactions on

Information Theory, 24, 106-110. 1978.

Mathematics of Computation, 32, 918-924. 1978.

17. Use of elliptic curves in cryptography. V. Miller. Advances in Cryptology,

CRYPTO ’85 (LNCS 218), 417-426. 1986.

18. On the discrete logarithm in the divisor class group of curves. H. Ruck.

Mathematics of Computation, 68, 805-806. 1999.

19. Reducing elliptic curves logarithms to logarithms in a finite field. A.

Menezes, T. Okamoto, S. Vanstone. IEEE Transactions on Information

Theory, 39, 1639-1646. 1993.

20. A remark concerning m-divisibility and the discrete logarithm in the divisor

class group of curves. G. Frey, H. Ruck. Mathematics of Computation, 62,

865-874. 1994.

21. Applications of arithmetical geometry to cryptographic constructions. G.

Frey. Proceedings of the fifth international conference on finite fields and

applications, 128-161. 2001.

22. Index calculus for Abelian varieties and the elliptic curve discrete logarithm

problem. P. Gaudry. October, 2004.

23. Fast computation of canonical lifts of elliptic curves and its application to

point counting. T. Satoh, B. Skjernaa, Y. Taguchi. Finite fields and their

applications, 9, 89-101. 2003.

24. Elliptic curves and primality proving. A. Atkin, F. Morian. Mathematics of

Computation, 61, 191-210. 1989.

25. Constructing elliptic curves with given group order over large finite fields.

G. Lay, H. Zimmer. Algorithmic Number Theory—ANTS-I (LNCS 877),

250-263. 1994.

26. A comparison and a combination of SST and AGM algorithms for counting

points of elliptic curves in characteristic 2. Advances of

Cryptology—EUROCRYPT 2000 (LNCS 2501), 311-327. 2002.

27. The elliptic curve digital signature algorithm(ECDSA). D. Johnson, A.

Menezes, S. Vanstone. International Journal of Information Security, 1,

36-63. 2001.

28. A study on the proposed Korean digital signature algorithm. Advances in

Cryptology—ASIACRYPT ’98 (LNCS 1514), 175-186. 1998.

29. Minimizing the use of random oracles in authenticated encryption schemes.

Information and Communications Security ’97 (LNCS 1334), 1-16. 1997.

30. ISO/IEC 18033-2. Information Technology—Security

Technology—Encryption Algorithms—Part 2, Asymmetric Ciphers, draft

2002.

Ooeschot, M. Wiener. Design, Codes and Cryptography, 2, 107-125. 1992.

32. An efficient protocol for authenticated key agreement. L. Law, A. Menezes,

M. Qu, J. Solinas, S. Vanstone. Designs, Codes and Cryptography, 28,

119-134. 2003.

33. Die Berechnung der Punktanzahl elliptischer Kurven ueber endlichen

Koerpern der Charackteristik groeber 3. Ph. D. thesis, Universitaet des

Saarlandes, Saarbruechen, Germany. 1995.

34. Class number, a theory of factorization, and genera. D. Shanks. 415-420,

Number Theory Institute, 1969.

35. On p-adic point counting algorithms for elliptic curves over finite fields. T.

Satoh, In: C. Fieker, D. Kohel (Eds.), Algorithmic number theory,

Proceeding of ANTS-5, 2002 (Sydney, Australia, July 2002), Lecture Notes

in Computer Science, Vol. 2369, Springer, Berlin, 2002, pp. 43–66.

36. Fast computation of canonical lifts of elliptic curves and its application to

point counting. Takakazu Satoh, Berit Skjernaa, Yuichiro Taguchi, Finite

Fields and Their Applications, Volume 9, Issue 1, January 2003, Pages

89-101, ISSN 1071-5797, DOI: 10.1016/S1071-5797(02)00013-8.

37. Point counting on elliptic curves over binary fields. Marc Masdeu Sabate.

38. Finding secure curves with the Satoh-FGHalgorithm and an early abort

strategy. Fouquet, M., Gaudry, P. and Harley, R., Advances in Cryptology -

EUROCRYPT2001, Lecture Notes in Comput. Sci. 2045 (ed. Pfitzmann, B.,

Springer, 2001) 14–29.

39. MIRACL, Multiprecision Integer and Rational Arithmetic C/C++ Library

http://www.shamus.ie/

40. Handbook of Elliptic and Hyperelliptic Curve Cryptography. R. M. Avanzi,

H. Cohen, C. Doche, G. Frey, T. Lange, K. Nguyen, and F. Vercauteren.

CRC Press, 2006.

41. On the Construction of Prime Order Elliptic Curves. E. Konstantinou, Y. C.

Stamatiou, and C. Zaroliagis. Lecture Notes in Computer Scisnce, pp.

309—322, 2003.

42. On the Use of Weber Polynomials in Elliptic Curve Cryptography. Lecture

Notes in Computer Science, pp. 335—349, 2004.

43. New Explicit Conditions of Elliptic Curve Traces for FR-Reduction. A.

Miyaji, M. Nakabayashi, and S. Takano. IEICE TRANSACTIONS on

Fundamentals of Electronics, Communications, and Computer Sciences, no.

84, pp. 1234—1243, May 2001.

44. Algebraic Number Theory. R. A. Mollin. CRC Press, 1999.

45. CM Record. A. V. Sutherland.

46. Computing Hilbert Class Polynomials with the Chinese Remainder

Theorem. Available as http://arxiv.org/pdf/0903.2785

47. Elliptic Curves: Number Theory and Cryptography, 2

ed. L. C.

Washington. CRC Press, 2003.

48. Lehrbuch der Algebra, Volume I, II, III, 3

ed. H. Weber. AMS Chelsea

Publishing, 1961.

Chapter 3

Complex Multiplication for

Elliptic Curve

In this chapter, we outline the complex multiplication method (CM method) first, and then describe each step in detail to show how it works.

3.1

Outline of the Complex Multiplication Method

First of all, by the property of the j-invariant of an elliptic curve over finite field Fq, where Charpqq ą 3, if we know the j-invariant, we can

construct an elliptic curve with this j-invariant.

Let j be the j-invariant and the equation of elliptic curve E be de-fined as

y2 _{“ x}3_` 3j

1728_{´ j}x`

2j

1728_{´ j}. (3.1)

Then elliptic curve E will be an elliptic curve with j_{pEq “ j.} Now we review the elliptic curves defined over C.

From Section 2.2.3, an elliptic curve EC defined over C is

isomor-phic to C_{{L, where L “ Zω}1` Zω2, ω1, ω2 P C, and ω1, ω2are linearly

independent in R. We can rewrite the lattice L as L_{“ Z ` Zτ such that} the imaginary part of τ is positive, and we get j_pECq “ j pτq.

Furthermore, the endomorphism ring of ECwill be

End_pECq » tβ P C|βL Ď Lu

i.e. corresponds to an ideal A of an order O in an imaginary quadratic field K. It can be shown that the minimal polynomial of j_pECq is

the Hilbert class polynomial

HDpxq “

hD

ź

i“1

px ´ j pAiqq

where hD is the order of the ideal class group of OK, Aiare

representa-tives of elements of the class group of OK, and jpAiq is the j-invariant

of the elliptic curve corresponding to Ai.

By Deuring’s Lifting Theorem, we can obtain an elliptic curve with complex multiplication over a finite field by reducing an elliptic curve with complex multiplication in characteristic zero.

Theorem 3.1 (Deuring’s Lifting Theorem). Let E be an elliptic curve

defined over a finite field and let α be an endomorphism of E. Then there exists an elliptic curve ˜E defined over a finite extension K of

Q and an endomorphism ˜α of ˜E such that E is the reduction of ˜E mod

some prime ideal of the ring of algebraic integers of K and the reduction of ˜α is α.

The j-invariant of the elliptic curve E over a finite field Fp reduced

from the elliptic curve EC will be the root of the Hilbert polynomial

HDpxq (mod p).

The idea of generating elliptic curve with presribed order by CM method is

1. Determine the prime order N of the elliptic curve and the finite field Fp over that E defined.

By the order N , it determined the structure of the endomorphism ring End_{pEq and the Hilbert class field.}

2. Compute the Hilbert polynomial HDpXq and find a root jp of

HDpxqp (mod p).

3. Compute the elliptic curve E_{Fpand its twist E1{Fp. Then check

which one of E and E1 has the order equal to N , and it would be the elliptic curve we want.

According to the idea of the CM method, the algorithm of gener-ating elliptic curves by CM method can be designed as below. Since the Hilbert polynomials can be computed in advance, the algorithm takes the Hilbert polynomials as input.

Algorithm : Construct elliptic curve using CM method

INPUT: A squarefree integer d_{‰ 1, 3, parameters ǫ and δ, Hilbert class polynomial H}DpXq,

desired size of p and l.

OUTPUT: A prime p of the desired size, an elliptic curve E_{Fpwith l  #E pFpq, where l is

a large prime. 1. do 2. do

3. choose prime p of desired size 4. until ǫp_{“ x}2<sub>` dy</sub>2 for some x, y<sub>P Z</sub> 5. Let n1 “ p ` 1 ´ 2x_δ , n2 “ p ` 1 ` 2x_δ

6. until n1 or n2has a large prime factor l

7. find a root jpof HDpxq (mod p)

8. compute the elliptic curve Ej{Fp by 3.1 and its twist Ej1{Fp

9. do

10. find a point P _{P E}jpFpq and compute Q “ n1P

11. if Q_{“ 8 and n}2P ‰ 8, return p and Ej

12. else if Q_{‰ 8, return p and Ej}1

3.2

Endomorphism Ring

In Section 2.1.3, we formulate some definitions related to homomor-phism. For studying the details of the CM-method, we start from intro-ducing the endomorphism ring of an elliptic curve.

Definition 3.2 (Endomorphism). Let A1 and A2 are abelian varieties

over K and HomKpA1, A2q denote the set of homomorphisms from

A_{1 to A2. Then the homomorphisms EndKpA1q :“ HomKpA1, A1q}

are the endomorphisms of A1.

) ( ) (ω iω L=Ζ +Ζ

ω

iω

Figure 3.1: Square lattice L_{“ Zω ` Ziω}

The set EndKpA1q is a ring with composition as multiplicative

structure.

Given an elliptic curve E defined over K, we say that the elliptic curve E has complex multiplication if the endomorphism ring of E,

EndKpEq, is strickly larger than Z. We now utilize the elliptic curves

defined over C as examples to illustrate the endomorphism rings, then show that all the elliptic curves defined over finite fields have complex multiplication.

We use the elliptic curve E : y2 _{“ 4x}3 _{´ 4x defined over C as} example.

As we had proved, we can find a lattice L _{“ Zω}1 ` Zω2 such that

E_{pCq » C{L. In this case, it can be computed that the lattice L can}

be written as L _{“ Zω ` Ziω for a certain ω P R. Figure 3.1 shows an} example of this square lattice.

The square lattice was symmetic, i.e. iL _{“ L. Considering the}

endomorphism α_{pxq “ ix acts on the Weierstrass ℘-function} ℘_{pizq “} 1 pizq2 ` ÿ ωPLzt0u ˆ 1 piz ´ ωq2 ´ 1 ω2 ˙ “ 1 pizq2 ` ÿ iωPLzt0u ˆ 1 piz ´ iωq2 ´ 1 piωq2 ˙ “ ´℘ pzq , ℘1_{pizq “ i℘}1_{pzq .}

Hence, we have the corresponding endomorphism on the elliptic curve

E given by

i_{px, yq “ p´x, iyq}

i.e. we get the the corresponding map of the endomorphism between E and C_{L

C_{{L :} z _{ÞÑ iz}

E_{pCq : px, yq “ p℘ pzq , ℘}1_{pzqq ÞÑ p℘ pizq , ℘}1_{pizqq “ p´x, iyq}

It shows that given α _{“ a ` bi P Z ris and px, yq P E pCq, where}

Z_{ris “ ta ` bi|a, b P Zu, then α would be an endomorphism of E}

de-fined by

px, yq ÞÑ pa ` biq px, yq “ a pxq ` b p´x, iyq

since point multiplication by integer a and b can be expressed by ratio-nal functions.

Therefore, in this cases,

Z_{ris Ď End}CpEq .

Figure 3.2 shows two examples of EndCpEq, one is multiplication

by integer and the other by i.

Now we deal with the endomorphism rings of the arbitrary elliptic curve over C. We prove the following theorem.

Theorem 3.3. Let E be an elliptic curve defined over C and L be the

lattice such that E_{pCq » C{L. Then}

EndCpEq » tβ P C|βL Ď Lu .

) ( ) (ω iω L=Ζ +Ζ iL=L⊆L ) ( ) (ω iω L=Ζ +Ζ 2L⊂L i × 2 ×

i·(iω)

i·ω

2·(iω)

2·ω

ω

iω

ω

iω

Figure 3.2: Examples of EndCpEq » tβ P C|βL Ď Lu

P=(x, y) α(P) =(R(x), yS(x)) z α α~ α(z) ~ Φ Φ-1 E(C) C/L

Figure 3.3: The illustration of the morphisms proved of Theorem 3.3 -(1)

Proof. Let E be an elliptic curve defined over C and L _{“ Zω}1 ` Zω2

be the corresponding lattice. To prove the theorem, we need to show the followings:

1. All endomorphisms of E_{pCq can be expressed by β such that}

βL_{Ď L}

2. All such β’s define endomorphisms of E_pCq Here we start the proof.

1. Given an endomorphism α of E_{pCq, by definition of the} en-domorphism, it maps a point P _{“ px, yq P E pCq to αP “}

α_{px, yq P E pCq and can be expressed by rational functions}

α_{px, yq “ pR pxq , yS pxqq .}

Since there exists an isomorphism Φ between C_{{L and E pCq}

Φ : C_{{L ÝÑ E pCq , Φ pzq “ p℘ pzq , ℘}1_{pzqq ,}

the map

˜

α_{“ Φ}´1_{pα pΦ pzqqq}

would be an endomorphism of C_{{L. Figure 3.3 illustrates the} relations of these morphisms.

To show that ˜α_{pzq “ βz for some β P C, we focus on the action}

of the endomorphism applying on a sufficiently small area U near

z _{“ 0. Then we obtain the map from U to C such that}

˜

α_pz1` z2q ” ˜αpz1q ` ˜αpz2q mod L, @z1, z2 P U

and we may assume that ˜α_{p0q “ 0. By continuity, ˜}α_{pzq Ñ 0}

when z _{Ñ 0. If U is sufficiently small, we may assume that}

˜ α_pz1` z2q “ ˜αpz1q ` ˜αpz2q , @z1, z2 P U. Therefore, for z _{P U,} ˜ α1_{pzq “ lim} hÑ0 ˜ α_{pz ` hq ´ ˜</sub>α<sub>pzq</sub> h “ lim hÑ0 ˜ α<sub>pzq ` ˜}α_{phq ´ ˜}α_pzq h “ lim_hÑ0α˜phq ´ ˜_h αp0q “ ˜α1_{p0q .}

Let β _{“ ˜}α1_{p0q, since ˜}α1_{pzq “ β, @z P U, we have ˜}α_{pzq “}

βz,_{@z P U.}

Now let z _{P C be arbitrary. Since there exists an integer n such} that z_{{n P U,}

˜

α_{pzq ” n˜}α_{pz{nq “ n pβz{nq “ βz mod L.}

Hence, the endomorphism ˜α is given by multiplication by β.

For the definition of homomorphsim, ˜α_{pLq Ď L, it follows that}

βL_{Ď L.}

2. Given β _{P C satisfies βL Ď L, then multiplication by β is a} ho-momorphism from C_{{L to C{L. Therefore, the functions ℘ pβzq} and ℘1_{pβzq are doubly periodic with respect to L. By Theorem}

??, there exists rational functions R and S such that

℘_{pβzq “ R p℘ pzqq ,} ℘1_{pβzq “ ℘}1_{pzq S p℘ pzqq .}

Hence, multiplication by β on C_{{L corresponds to the map on E:}

px, yq ÞÑ pR pxq , yS pxqq .

Again, we use Figure 3.4 to show the illustration of the relation between the morphisms proved in this part.

z α β Φ E(C) C/L z β ( ) ( ) ( ) ( )x y z z P , ' , = ℘ ℘ = Φ ( ) ( ) ( ) ( ) ( ) ( ) ( ( )) ( ) ( ) ( ) (R x yS x ) z S z z R z z P , ' , ' , ' = ℘ ℘ ℘ = ℘ ℘ = β β

Figure 3.4: The illustration of the morphisms proved of Theorem 3.3 -(2)

By proving the above, we link the endomorphism ring EndCpEq

and the lattice L corresponding to E_{pCq together.}

Theorem 3.3 shows that the endomorphism ring of an elliptic curve over C is related closely to the lattice it corresponds to. The next theo-rem gives us a precise structure of the endomorphism ring, EndCpEq.

Theorem 3.4. Let E be an elliptic curve defined over C. Then EndCpEq

is isomorphic either to Z or to an order in an imaginary quadratic field.

Proof. Let L _{“ Zω}1 ` Zω2 be the lattice corresponding to E. By

Thoerem 3.3, let

R_{“ End}CpEq “ tβ P C|βL Ď Lu .

Then we have Z_{Ă R and R is a ring since R is closed under the} com-position laws_{` and ˆ. Given β P R, for tω}1, ω2u is a basis of lattice L,

then βω1 “ jω1` kω2, βω2 “ mω1` nω2, j, k, m, n P Z ùñ ˜ β_{´ j ´k} ´m β_{´ n} ¸ ˜ ω1 ω2 ¸ “ 0.

So the determinant of the matrix is 0,

β2_{´ pj ` nq β ` pjn ´ kmq “ 0.}

Hence, β lies in some quadratic field K and β is an algebraic integer

(7 j, k, m, n_{P Z). We deal with field K in two cases.}

1. Assume β _{P R.}

Then the equation above βω1 “ jω1 ` kω2 (or βω2 “ mω1 `

nω2) gives a dependence relation between ω1 and ω2 with real

coefficients:

βω1 “ jω1` kω2 ñ pβ ´ jq ω1 “ kω2

or βω2 “ mω1` nω2 ñ mω1 “ pβ ´ nq ω2

Since ω1 and ω2 are linearly independent over R, we have β “ j

or β _{“ n, means that R X R “ Z.}

2. Assume β _{P C and β R R. ñ β R Z}

Then β is an algebraic integer in a quadratic field and for β _{R R,}

K must be an imaginary quadratic field, denote K by Q`?´d˘.

Let β1 _{R Z be another element of R. By the same reason, β}1 _P

K1 _{“ Q}`?´d1_{˘ for some d}1_.

Since R is a ring, β_{` β}1must also be in R, implies that K _{“ K}1 and R _{Ă K. For all the elements of R are algebraic integers, we} have

R_{Ď O}K.

Therefore, the endomorphism ring EndCpEq “ R is isomorphic

either to Z or an order in an imaginary quadratic field.

After studying the structure of the endomorphism ring of the ellip-tic curves defined over C, next we discuss the endomorphism rings of elliptic curves defined over finite field Fq.

Considering the Frobenius endomorphism φq on an elliptic curve

defined over Fq, φq : $ ’ & ’ % E`Fq ˘ ÝÑ E`Fq ˘ px, yq ÞÝÑ pxq_{, y}q q 8 ÞÝÑ 8

By Corollary 2.46, the map φ2

q´ tφq` q is a zero map on elliptic curve

E over Fq, then φqwould be a root of the polynomial

X2_{´ tX ` q “ 0.}

By the Hasse theorem (Theorem 2.43), the unique integer t satisfies

|t| ď 2?q. It can be shown that if t _{“ ˘2}?q, then the endomorphism

ring would be an order in a quaternion algebra. For our application and in pratical, we restrict the discussion on the case that_{|t| ă 2}?q. Since

|t| ă 2?q, the polynomial X2_{´ tX ` q “ 0 would have only complex}

roots, therefore

Z_{‰ Z rφ}qs Ď End pEq .

From Theorem 3.4, then the endomorphism ring of an elliptic curve defined over finite field would be an order in an imaginary quadratic field. Observing the polynomial

X2_{´ tX ` q “ 0,}

the roots would lie in the imaginary quadratic field Q´at2_{´ 4q}¯_.

Hence, for choosing the parameters t and q, we can then determine the imaginary quadratic field K _{“ Q}`?´d˘ such that

End_{pEq Ď O}K.

This is an important result that allows us to choose the desired order first and then find the elliptic curve with the exactly order.

In this section, we link the relation of the order of an elliptic curve and the structure of its endomorphism ring. Following we show how to use the structure to find the desired elliptic curve.

3.3

Ideal Class Group

We have showed that the endormorphism ring of an elliptic curve is iso-morphic to Z or to an order in an imaginary quadratic field in previous section. It can be proved that for an ordinary elliptic curve E defined over Fp, the endomorphism ring EndpEq is an order in an imaginary

quadratic field. To connect the endomorphism ring and the j-invariant of an elliptic curve together, we introduce the ideal class group in this section.

Definition 3.5. Let R be a ring, I is an ideal of R if it is a nonempty

subset of R such that

• I is a subgroup of R with respect to the law_`.

• for all x_{P R and all y P I, xy P I and yx P I.}

We summarize some related definitions about ideal below.

• Prime ideal:

An ideal I _{Ĺ R is prime if for all x, y P R with xy P I, then x P I} or y_{P I.}

• Maximal ideal:

An ideal I _{Ĺ R is maximal if for any ideal J of R the inclusion}

I _{Ă J implies J “ I or J “ R.}

• Finitely generated:

An ideal I of a ring R is finitely generated if there are elements

a1,¨ ¨ ¨ , ansuch that every xP I, we can write x “ x1a1` ¨ ¨ ¨ `

xnanwith x1,¨ ¨ ¨ , xnP R.

• Principal ideal:

An ideal I is principal if I _{“ aR. And R is a principal ideal} domain (PID) if it is an integral domain and if every ideal of R is principal.

Definition 3.6 (Fractional ideal). Let K be a number field and let an

order O be a Dedekind ring. A fractional ideal of K is a submodule of

K over O.

The Dedekind ring is defined as:

Definition 3.7 ( Dedekind ring). A Dedekind ring R is an integral

do-main satisfying the following properties. (1) Every ideal of R is finitely generated. (2) Every nonzero prime ideal of R is maximal. (3) R is integrally closed in its quotient field

F _{“ tα{β : α, β P R, β ‰ 0u .}

From the definition, for a fractional ideal M of R, we have αM _{Ď R} and αM is an integral ideal of R for some nonzero α _{P R. Hence for} any fractional ideal of R, it can be expressed in the form α´1I, where I

is an integral ideal of R.

Now we state the following lemma:

Lemma 3.8 (Group of fractional ideals). If R is a Dedekind ring, then

the set of all fractional ideals forms a multiplicative abelian group, de-noted by F_{pRq. The set P pRq consisting of all principal fractional} ideals of R is a subgroup of F_pRq.

Then we can define the class group of an integral ring R.

Definition 3.9 (Class group). Let R be a Dedekind ring. Then the

quo-tient group F_{pRq {P pRq is called the class group of R, denoted by C}R.

When R_{“ O}K, we write CK.

We say that two fractional ideals are equivalent if they belong to the same coset of P_{pRq in F pRq. In other words, fractional ideals I, J are} equivalent, denoted by I _{„ J, provided that ψ pIq “ ψ pJq under the} natural map ψ : F_{pRq ÞÑ F pRq {P pRq.}

The cardinality of the class group_|CK| is called the class number of

O_K, denoted by hK. It can be proved that hK is finite.

In our case, for an elliptic curve E, the endomorphism ring End_pEq will be an order R in an imaginary quadratic field Q`?´d˘. Let Ai

be the representative of each equivalent class of CR, then jpAiq are

conjugates under the action of the Galois group of the ring class field over Q`?´d˘. And we will get the polynomial

HDpxq “

hD

ź

i“1

px ´ j pAiqq

is the Hilbert class polynomial. This will also be mentioned in the fol-lowing sections.

3.4

j-invariant

We review the mathematical background related to j-invariant and link it to the CM-method in this section.

Recall that the definition of j-invariant is defined as a function of a complex number τ on the upper half plane of complex numbers. In Definition ??, j_{pτq “ 1728}g 3 2 ∆ “ 1728 g3 2 g3 2 ´ 27g23

Given a matrix M _{P SL}2pZq, the action on the upper half plane is

M τ _“ ˜ a b c d ¸ τ _“ aτ ` b cτ <sub>` d</sub>, @τ P H

We now proved Proposition ??:

Let τ _{P H and let matrix M P SL}2pZq, then

j_{pMτq “ j}ˆ aτ ` b

cτ _{` d}

˙

“ j pτq .

Proof. From the difinition of j_pτq

j_{pτq “ 1728} g 3 2 g3 2 ´ 27g32 , where g2 “ g2pτq “ g2pLτq “ 60G4pLτq g3 “ g3pτq “ g3pLτq “ 140G6pLτq

Observing the series GkpLτq “ Gkpτq:

Gkpτq “ ÿ pm,nq‰p0,0q 1 pmτ ` nqk Gkˆ aτ ` b cτ <sub>` d</sub> ˙ “ ÿ pm,nq‰p0,0q 1 `m `aτ`b cτ`d˘ ` n˘ k “ pcτ ` dqk ÿ pm,nq‰p0,0q 1 pm paτ ` bq ` n pcτ ` dqqk “ pcτ ` dqk ÿ pm,nq‰p0,0q 1 ppma ` ncq τ ` pmb ` ndqqk. 35

Since det ˜ a b c d ¸ “ 1 ˜ a b c d ¸´1 “ ˜ d _´b ´c a ¸ , for pm1_{, n}1_{q “ pma ` nc, mb ` ndq “ pm, nq} ˜ a b c d ¸ , we have pm, nq “ pm1, n1_q ˜ d _´b ´c a ¸ .

Hence there is a one-to-one mapping between _{pm, nq and pm}1, n1_{q, so}

we can write Gkˆ aτ ` b cτ <sub>` d</sub> ˙ “ pcτ ` dqk ÿ pm,nq‰p0,0q 1 ppma ` ncq τ ` pmb ` ndqqk “ pcτ ` dqk ÿ pm1<sub>,n</sub>1<sub>q‰p0,0q</sub> 1 pm1<sub>τ ` n</sub>1_qk “ pcτ ` dqkGkpτq . Therefore g2ˆ aτ ` b cτ _{` d</sub> ˙ “ pcτ ` dq4g2pτq , g3ˆ aτ ` b cτ <sub>` d} ˙ “ pcτ ` dq6g3pτq

Put these terms into the definition of j, it follows that

jˆ aτ ` b cτ <sub>` d</sub> ˙ “ 1728 g2 `<sub>aτ`b</sub> cτ`d ˘3 g2 `_{aτ`b</sub> cτ`d ˘3 ´ 27g3 `<sub>aτ`b} cτ`d ˘2 “ 1728 pcτ ` dq 12 g2pτq 3 pcτ ` dq12`g2pτq3´ 27g3pτq2 ˘ “ j pτq .

Hence, the j-function is a modular function. By the action on two special matrices in SL2pZq M1 “ ˜ 1 1 0 1 ¸ , M2 “ ˜ 0 _´1 1 0 ¸ , 36

we have j_{pτ ` 1q “ j pτq ,} j ˆ ´1_τ ˙ “ j pτq .

These two transformations generate a modular group and play important roles in proving Corollary ??:

If z_{P C, then there is exactly one τ P F such that j pτq “ z.}

It means that given a specific value z, we can find τ1 such that

j_pτ1_{q “ z,}

and for Proposition ?? and Proposition ??, by choosing appropriate M _P

SL2pZq, we can find a transformation belonging to the modular group

to find a unique τ in the fundamental domain such that

j_{pτq “ j pMτ}1_{q “ j pτ}1_{q “ z,} τ _{P F.}

Hence, j-function is a one-to-one mapping from the fundamental do-main to the entire complex plane. Since each value of j corresponds to the field of elliptic functions with periods 1 and τ , j-function is in a one-to-one relationship with isomorphism classes of elliptic curves.

Now we conclude the material discussed as below:

Theorem 3.10. Assume that E is defined over C and has complex

mul-tiplication. Let τ be its period. Then Q_{pτq is an imaginary quadratic} field, EndQpτ qpEq “ EndCpEq is an order OE in Qτ and the absolute

invariant j_{pτq is an algebraic integer that lies in the ring class field H}O_E

over Q_pτq.

For our case, the OE is the ring of integers of Qτ. Then HO_E is

the Hilbert class field H of Qτ. And there exists a monic polynomial

with integer coefficients whose roots would be the j-invariants of the isomorphism classes of the elliptic curves. The monic integer polyno-mial, i.e. the minimal polynomial of the j-invariant, is the Hilbert class polynomial HDpxq “ hD ź i“1 px ´ j pτiqq , 37

where d is the squarefree integer such that τi P Q`?d˘, hDis the Hilbert

class number, τi are the representatives of the elements of the class

group of OK, and jpτiq are the j-invariants of corresponding τivalue.

By Theorem ??, for an elliptic curve E over C, there is a lattice Lτ

such that E_{pCq » C{L}τ and jpEq “ j pLτq “ j pτq. Therefore, the

j-invariants in above polynomial would be the j-j-invariants of the elliptic curve corresponding to τi. Since we have showed that j-function is a

function that maps the fundamental domain F to entire complex plane, we can focus on the τ ’s in F for computing the Hilbert polynomial.

3.5

Hilbert Polynomial

To connect the elliptic curves over number fields and elliptic curves over finite field, we discuss the properties of Hilbert polynomial.

According to Theorem 3.10, restate the description of Hilbert poly-nomial first:

Corollary 3.11. Let K _{“ Q}`?´d˘ be an imaginary quadratic field

with ring of integers OK. Let E be an elliptic curve with EndCpEq “

O_{K. Then the minimal polynomial of jE is the Hilbert class polynomial}

HDpxq “

hD

ź

r“1

px ´ j pτiqq ,

where j_pτiq is the j-invariant of the elliptic curve corresponding to τi,

hDis the Hilbert class number, and τiare representatives of the elements

of the class group of OK.

We know that for a j-invariant j_{pτq, the minimal polynomial of}

j_{pτq is the Hilbert polynomial. Since it can be proved that j-invariant}

is an algebraic integer, the Hilbert polynomial has integer coefficients. Therefore, by taking all the integer coefficients modulo a prime p, the Hilbert polynomial can be reduced to a polynomial HDpxqpover Fp.

HDpxqp “ hD ź r“1 px ´ j pτiqq (mod p) “ xhD<sub>` a</sub> hD´1x hD´1<sub>` ¨ ¨ ¨ ` a</sub> 1x` a0, 38

where ai P Fp. Futhermore, if p does not divides d, the polynomial

HDpxqp would have simple roots in Fp.

Let jp be a root of the polynomial HDpxqp, then it is the reduction

modulo p of one of the j-invariants j_pτiq. If jp is contained in Fpk, for

the j_pτiq are conjugate, all the roots of HDpxqpwould be in Fpk.

As mentioned in beginning, if we have the j-invariant jp P Fp, jp ‰

0, 1728, then we can find the elliptic curve over Fpwith invariant jp by

y2 _{“ x}3_` 3jp

1728_{´ j}p

x_` 2jp

1728_{´ j}p

. Computing the Hilbert Polynomial

In order to find a root of Hilbert polynomial modulo p, we need to compute Hilbert polynomial first. For computing the polynomial, it needs to find all the τi’s. Recall that each τi represents an element of

the ideal class group of OK, we use the equivalence between the ideal

classes of an algebraic number field with discriminant d and the equiv-alence classes of primitive, positive definite binary quadratic forms of discriminant d to find all τi’s.

A binary quadratic form is a quadratic form in two variables. In the case of the ideal class group of function fields, it can be proved that there is exactly one reduced binary quadratic form in each equivalence class. The reduced binary quadratic form is defined as:

Definition 3.12. A quadratic form ax2_{` bxy ` cy}2_{is called a reduced}

binary quadratic form if it satisfies

• _{|b| ď a ď c}

• b_{ě 0 if a “ |b| or a “ c}

• gcd_{pa, b, cq “ 1.}

Therefore, we search for all reduced binary quadratic forms of dis-criminant d to obtain all τi’s. For each reduced binary quadratic form

ax2_{` bxy ` cy}2_{, it corresponds to the ideal A“ Z ` Zτ where}

τ _“ b`

? ´d

2a .

On the other hand, the conditions of the redeuced binary quadratic form make the corresponding τ belonging to the fundamental domain

F . Given a τi, one can compute jpτiq by following

Definition 3.13 (Dedekind’s η-function). Let τ be a complex number

with positive imaginary part, i.e. τ _{P H, define q “ e}2πiτ and the

η-function by η_{pτq “ q}241 8 ź n“1 p1 ´ qn q “ q241 ˜ 1<sub>`</sub> ÿ ně1 p´1qn`qnp3n´1q{2 ` qnp3n`1q{2˘ ¸ . Let ∆_{pτq “ η pτq}24_{“ q} 8 ź n“1 p1 ´ qn q24 “ q ˜ 1<sub>`</sub>ÿ ně1 p´1qn`qnp3n´1q{2<sub>` q</sub>np3n`1q{2˘ ¸24 The j_{pτq is related to ∆ pτq by} h_{pτq “} ∆p2τq ∆_pτq , jpτq “ p256h pτq ` 1q3 h_pτq .

Since the computations are over C, the results would be the approx-imate value for j_pτiq. By the fact that the coefficients of the Hilbert

polynomial are all integers, we can obtain the actual polynomial by us-ing sufficient precision.

3.6

Weber Polynomial

Since the coefficients of the Hilbert polynomial grow fast when the de-gree of the polynomial increases, the computation of the Hilbert poly-nomial was suggested to be taken in advance. Another solution is to use other class invariant instead of j-invariant. Different class invariant leads different class polynomial. The Weber polynomial is used most. The Weber functions are defined as following, using the Dedekind’s η-function (see Definition 3.13),

f_{pτq “ ζ48}´1ηppτ ` 1q {2q η_pτq , f1pτq “ η_pτ{2q η_pτq , f2pτq “ ? 2ηp2τq η_pτq , 40

where ζn“ e 2πi n , and γ2pτq “ f_pτq24_{´ 16} f_pτq8 , γ3pτq “ `f pτq24 ` 8˘ `f1pτq8´ f2pτq8 ˘ f_pτq8 .

For more details, refer to [2], [15]. The relation of these functions and the j-function are

j_{pτq “} `f pτq 24 ´ 16˘3 f<sub>pτq</sub>24 “ `f1pτq 24 ` 16˘3 f1pτq24 “ `f2pτq 24 ` 16˘3 f2pτq24 “ γ2pτq3 “ γ3pτq2` 1728.

Then the Weber polynomial WDpxq is defined as

WDpxq “

h1

ź

i“1

px ´ µ pτiqq

Atkin and Morain suggest a list of the choice µ_pτiq for different

dis-criminant D in [2]: • If D_{” 3 (mod 6), use µ pτq “}?_´Dγ3pτq. • If D_{” 7 (mod 8), use µ pτq “ f pτq {}?2. • If D_{” 3 (mod 8), use µ pτq “ f pτq.} • If d_{” ˘2 (mod 8), use µ pτq “ f}1pτq { ? 2. • If d_{” 5 (mod 8), use µ pτq “ f pτq}4. • If d_{” 1 (mod 8), use µ pτq “ f pτq}2_{?2. where d_“ # D, if D_{” 3 (mod 4)} D_{{4, if D ” 0 (mod 4)}

In the case when D _{” 3 (mod 8) and D ı 3 (mod 6), the degree} of Weber polynomial will be 3hD, hD denotes the degree of the Hilbert

polynomial. Therefore, it usually avoid to choose these values for D in practice.

3.7

Finding Roots of Polynomial over F

After computing the Hilbert polynomial, next we want to find a root jp

in the finite field Fpto construct the corresponding elliptic curve. Before

finding a root of the Hilbert polynomial modulo p, some criteria need to be satisfied when choosing the prime field p.

Assume the prime number p is decomposed in Q`?´d˘, by the class field theory of imaginary quadratic fields, we have following the-orem.

Theorem 3.14. There is an integer π _{P Q}`?´d˘ such that ππ “ p and |p ` 1 ´ pπ ` πq| equals to #E pFpq or its twists.

From the theorem above, we have ππ _{“ p and π ` π “ #E pF}pq ´

pp ` 1q “ t, then the minimal polynomial of π would be x2<sub>´ tx ` p.</sub>

Recall the characteristic polynomial of Frobenius map φp

φ2p´ tφp` p,

where t is called the Frobenius trace. We can observe that in Theorem 3.14, the algebraic integer π is actually the Frobenius endomorphism acting on Epor its twist modulo p.

Hence, we need to choose p which can be decomposed in OK. These

primes would be the ones such that there are integer solutions to the norm equation x2 ` dy2 “ ǫp, where ǫ_“ # 1 if d_{” 1, 2} (mod 4) 4 if d_{” 3} (mod 4) .

From the equation above, we obtain that_{´d must be a square modulo}

p. To find such a suitable prime p, one usually uses the Cornacchia’s

algorithm to get a solution.

Algorithm : Cornacchia’s algorithm

INPUT: A squarefree integer d_{ą 0 and a prime p such that the Legendre symbol}´´d_p ¯_{“ 1.} OUTPUT:_{px, yq P Z}2 such that x2_{` dy}2 _{“ p if possible.}

1. compute square root a0 of´d with p{2 ă a0 ă p, i.e. a20 ” ´d (mod p)

2. a_{Ð p,} b_{Ð a}0, cÐ t?pu

3. while b_{ą c do}

4. r _{Ð a (mod b),} a _{Ð b,} b _{Ð r}

5. if d_{ffl p ´ b}2 or if z _{“ pp ´ b}2_{q {d is not a square, return ”no solution”} 6. else return_{px, yq “ pb,}?z_q

Choosing the prime p by the Cornacchia’s algorithm, now we can factor the Hilbert polynomial in Fp to find roots jp P Fp. We introduce

the general way to find roots of a polynomial, then discuss the method to find roots of Hilbert polynomial.

For finding roots of a polynomial f_{pxq, it usually needs to make} the polynomial squarefree first. Due to the characteristic of the field we deal with, we discuss this step in two cases.

(1) If the characteristic of the field is 0.

We can obtain the squarefree version of the polynomial f_{pxq by} computing

f_pxq

gcd_{pf pxq , f}1_pxqq.

(2) If the characteristic of the field is p.

Since a polynomial f_{pxq satisfies f}1_{pxq “ 0 precisely when}

f_{pxq “ w pxq}p for some polynomial w_{pxq, we write f pxq “}

v_{pxq w pxq}p (if deg_{pf pxqq ă p, then w pxq “ 1). Then use the}

same process to deal with the v_pxq.

After reducing the square part of the polynomial, we factor the polyno-mial such that

f_{pxq “ f}1pxq f2pxq ¨ ¨ ¨ fmpxq

where fipxq is the product of irreducible polynomials with degree i. For

each fipxq, applying the Cantor-Zassenhaus algorithm to find

individ-ual factors. The Cantor-Zassenhaus algorithm can factor the polynomial with all irreducible factors having the same degree.

Focus on finding roots of reduced Hilbert polynomial modulo p, since deg

´

HDpxqp

¯

ă p, reducing the square part can be done by

computing HDpxqp

gcdpHDpxqp,HD1 pxqpq

. For the roots we interest are those lie in ground field Fp, we only process the polynomial f1pxq, i.e. the product

of the irreducible polynomials with degree 1.

We also can use the fact that g_{pxq “ x}p _{´ x is the product of all} irreducible polynomial of degree 1 in Fp. The polynomial f1pxq then

can be obtained by computing

f1pxq “ gcd

´

HDpxqp, gpxq

¯ .

Finally, using the Cantor-Zassenhaus algorithm to find the roots in Fp.

Algorithm : Cantor-Zassenhaus algorithm

INPUT: A polynomial f_{pxq with all irreducible factors having the same degree. Assume}

deg_{pf pxqq “ n.}

OUTPUT: All the factors of f_pxq. 1. repeat

2. select a random polynomial r_{pxq with degree less than n} 3. if gcd_{pr pxq , f pxqq ‰ 1, then return r pxq}

4. compute s_{pxq “ r pxq}pp´1q{2 (mod f_pxq)

5. then gcd_{ps pxq ` 1, f pxqq is a factor with probability 1 ´ 2}´pn´1q 6. until factor f_{pxq successful}

3.8

Twist Curves

After finding the roots of the Hilbert polynomial (or transforming the roots of the Weber polynomial) in the finite field Fp, we can compute

the equations of the elliptic curves with the prescribed order by taking the roots as j-invariants of the curves. Since we set the discriminant

´D “ t2 _{´ 4p, the order of the curve we get might be}

#E_pFpq “ p ` 1 ´ t or # ˜EpFpq “ p ` 1 ` t.

The elliptic curve ˜E is called a twist of E. Here we introduce the twist

curves.

Lemma 3.15. Let E be an elliptic curve defined over K. Assume the

characteristic of K is prime to 6 and E is given by the simplified Weier-strass equation

E : y2 _{“ x}3_{` Ax ` B.}

The j-invariant jE depends only on the isomorphism class of E.

• jE “ 0 if and only if A “ 0.

• jE “ 1728 if and only if B “ 0.

• If jE P K is not equal to 0, 1728, then E is a quadratic twist of

the elliptic curve

˜ EjE : y 2 “ x3 ` <sub>1728</sub>3jE ´ jE x<sub>`</sub> 2jE 1728_{´ j}E .

Corollary 3.16. Let E be an elliptic curve defined over K. Assume the

characteristic of K is prime to 6 and E is given by the simplified Weier-strass equation

E : y2 _{“ x}3_{` Ax ` B.}

• If A_{“ 0, then for every B}1 _{P K}˚the curve E is isomorphic to

E1 : y2 _{“ x}3_{` B}1 over K ˜ ˆ B B1 ˙1{6¸ .

• If B_{“ 0, then for every A}1 _{P K}˚_{the curve E is isomorphic to}

E1 : y2 _{“ x}3_{` A}1x over K ˜ ˆ A A1 ˙1{4¸ . 45

• If AB _{‰ 0, then for every v P K}˚the curve E is isomorphic to

˜

Ev : y2 “ x3`A1x`B1 with A1 “ v2A, B1 “ v3B over K

`?_{v˘ .}

The curves occuring in the Corollary above are called twist of E. In the last case, the curves ˜Ev are called quadratic twists of E. Note that

E is isomorphic to ˜Ev over K if and only if v is a square in K˚.

In Corollary 3.16, by taking v _{P K}˚a quadratic nonresidue, one can define the quadratic twist of E as

˜

Ev : vy2 “ x3` Ax ` B

by dividing by v3and transforming y _{ÞÑ y{v and x ÞÑ x{v. Then it can} be seen that both E and ˜Ev contain exactly two pointspx, yiq for each

x_{P F}p. Hence we have the following proposition.

Proposition 3.17. Let E be a curve defined over Fp and let ˜E be the

quadratic twist of E. Then

#E_pFpq ` # ˜EpFpq “ 2p ` 2.

Hence, if #E_pFpq “ p`1´t then # ˜EpFpq “ p`1`t. Therefore, if

the order of the curve we get from the algorithm is not the one we want, then find a quadratic nonresidue v and the twist curve by v would be the actual curve with desired order.