
Elliptic Curves in Cryptography

I.F. Blake, G. Seroussi and N.P. Smart


To

Elizabeth, Lauren and Michael,

Lidia, Ariel and Dahlia,

Maggie, Ellie and Oliver.


Contents

Preface xi

Abbreviations and Standard Notation xiii

Chapter I. Introduction 1
1.1. Cryptography Based on Groups 2
1.2. What Types of Group are Used 6
1.3. What it Means in Practice 8

Chapter II. Finite Field Arithmetic 11


II.1. Fields of Odd Characteristic 11
II.2. Fields of Characteristic Two 19

Chapter III. Arithmetic on an Elliptic Curve 29


III.1. General Elliptic Curves 30
III.2. The Group Law 31
III.3. Elliptic Curves over Finite Fields 34
III.4. The Division Polynomials 39
III.5. The Weil Pairing 42
III.6. Isogenies, Endomorphisms and Torsion 44
III.7. Various Functions and q-Expansions 46
III.8. Modular Polynomials and Variants 50

Chapter IV. Efficient Implementation of Elliptic Curves 57


IV.1. Point Addition 57
IV.2. Point Multiplication 62
IV.3. Frobenius Expansions 73
IV.4. Point Compression 76

Chapter V. The Elliptic Curve Discrete Logarithm Problem 79


V.1. The Simplification of Pohlig and Hellman 80
V.2. The MOV Attack 82
V.3. The Anomalous Attack 88
V.4. Baby Step/Giant Step 91
V.5. Methods based on Random Walks 93
V.6. Index Calculus Methods 97
V.7. Summary 98


Chapter VI. Determining the Group Order 101


VI.1. Main Approaches 101
VI.2. Checking the Group Order 103
VI.3. The Method of Shanks and Mestre 104
VI.4. Subfield Curves 104
VI.5. Searching for Good Curves 106

Chapter VII. Schoof's Algorithm and Extensions 109


VII.1. Schoof's Algorithm 109
VII.2. Beyond Schoof 114
VII.3. More on the Modular Polynomials 118
VII.4. Finding Factors of Division Polynomials
through Isogenies: Odd Characteristic 122
VII.5. Finding Factors of Division Polynomials
through Isogenies: Characteristic Two 133
VII.6. Determining the Trace Modulo a Prime Power 138
VII.7. The Elkies Procedure 139
VII.8. The Atkin Procedure 140
VII.9. Combining the Information from Elkies and Atkin Primes 142
VII.10. Examples 144
VII.11. Further Discussion 147

Chapter VIII. Generating Curves using Complex Multiplication 149


VIII.1. The Theory of Complex Multiplication 149
VIII.2. Generating Curves over Large Prime Fields using CM 151
VIII.3. Weber Polynomials 155
VIII.4. Further Discussion 157

Chapter IX. Other Applications of Elliptic Curves 159


IX.1. Factoring Using Elliptic Curves 159
IX.2. The Pocklington-Lehmer Primality Test 162
IX.3. The ECPP Algorithm 164
IX.4. Equivalence between DLP and DHP 166

Chapter X. Hyperelliptic Cryptosystems 171


X.1. Arithmetic of Hyperelliptic Curves 171
X.2. Generating Suitable Curves 173
X.3. The Hyperelliptic Discrete Logarithm Problem 176

Appendix A. Curve Examples 181


A.1. Odd Characteristic 181
A.2. Characteristic Two 186

Bibliography 191

Author Index 199



Subject Index 201


Preface

Much attention has recently been focused on the use of elliptic curves in public key cryptography, first proposed in the work of Koblitz [62] and Miller [103]. The motivation for this is the fact that there is no known sub-exponential algorithm to solve the discrete logarithm problem on a general elliptic curve. In addition, as will be discussed in Chapter I, the standard protocols in cryptography which make use of the discrete logarithm problem in finite fields, such as Diffie-Hellman key exchange, ElGamal encryption and digital signature, Massey-Omura encryption and the Digital Signature Algorithm (DSA), all have analogues in the elliptic curve case.

Cryptosystems based on elliptic curves are an exciting technology because for the same level of security as systems such as RSA [134], using the current knowledge of algorithms in the two cases, they offer the benefits of smaller key sizes and hence of smaller memory and processor requirements. This makes them ideal for use in smart cards and other environments where resources such as storage, time, or power are at a premium.

Some researchers have expressed concern that the basic problem on which elliptic curve systems are based has not been looked at in as much detail as, say, the factoring problem, on which systems such as RSA are based. However, all such systems based on the perceived difficulty of a mathematical problem live in fear of a dramatic breakthrough to some extent, and this issue is not addressed further in this work.

This book discusses various issues surrounding the use of elliptic curves in cryptography, including:

• The basic arithmetic operations, not only on the curves but also over finite fields.
• Ways of efficiently implementing the basic operation of adding a point to itself a large number of times (point multiplication).
• Known attacks on systems based on elliptic curves.
• A large section devoted to computing the number of rational points on elliptic curves over finite fields.
• A discussion on the generalization of elliptic curve systems to hyperelliptic systems.

The book is written for a wide audience ranging from the mathematician who knows about elliptic curves (or has been acquainted with them) and who wants a quick survey of the main results pertaining to cryptography, to an implementer who requires some knowledge of elliptic curve mathematics for use in a practical cryptosystem. Clearly, aiming for such diverse audiences is hard, and not all parts of the book will be of the same level of interest to all readers. However, most of the important points such as implementation issues, security issues and point counting issues can be acquired with only a moderate understanding of the underlying mathematics.

We try and give a flavour of the mathematics involved for those who are interested. We decided however not to include most proofs since that not only would dramatically increase the size of the book but also would not serve its main purpose. It is hoped that the numerous references cited and the extensive bibliography provided will direct the interested reader to appropriate sources for all the missing details. In fact, much of the necessary mathematical background can be found in the books by Silverman, [147] and [148].

Some of the topics covered in the book by Menezes [97] are expanded upon. In particular the improvements made to the algorithm of Schoof [141] for determining the number of rational points on an elliptic curve are explained, and the method of finding curves using the theory of complex multiplication is discussed. This latter method has other applications when one uses elliptic curves to construct proofs of primality. We also give the first treatment in book form of such methods as point compression (including x-coordinate compression), the attack on anomalous curves and the generalization of the MOV attack to curves such as those with the trace of Frobenius equal to two. Two chapters are devoted to implementation issues. One covers finite fields while the second covers the various techniques available for point multiplication. In addition, the chapter on Schoof's algorithm and its improvements provides algorithmic summaries intended to facilitate the implementation of these point counting techniques.

We would like to thank D. Boneh, S. Galbraith, A.J. Menezes, K. Paterson, M. Rubinstein, E. Schaefer, R. Schoof and S. Zaba who have looked over various portions of the manuscript and given us their comments. All of the remaining mistakes and problems are our own and we apologize in advance for any you may find. The authors would also like to thank Dan Boneh, Johannes Buchmann, Markus Maurer and Volker Müller for many discussions on elliptic curves, their assistance with the implementation of point counting algorithms and the prompt answering of many queries. Thanks are due also to John Cremona for his LaTeX algorithm template which we modified to produce the algorithms in this book.

Finally thanks are due to Hewlett-Packard Company and our colleagues and managers there for their support, assistance and encouragement during the writing of this book.
Abbreviations and Standard Notation

Abbreviations

The following abbreviations of standard phrases are used throughout the book:

AES     Advanced Encryption Standard
BSGS    baby step/giant step method
CM      Complex multiplication
CRT     Chinese Remainder Theorem
DES     Data Encryption Standard
DHP     Diffie-Hellman problem
DLP     Discrete logarithm problem
DSA     Digital Signature Algorithm
ECDLP   Elliptic curve discrete logarithm problem
ECM     Elliptic curve factoring method
ECPP    Elliptic curve primality proving method
GCD     Greatest common divisor
LCM     Least common multiple
MOV     Menezes-Okamoto-Vanstone attack
NAF     Non-adjacent form
NFS     Number field sieve
ONB     Optimal normal basis
RNS     Residue number system
RSA     Rivest-Shamir-Adleman encryption scheme
SD      Signed digit
SEA     Schoof-Elkies-Atkin algorithm


Standard notation

The following standard notation is used throughout the book, often without further definition. Other notation is defined locally near its first use.

$K^*$, $K^+$, $\bar{K}$   multiplicative group, additive group, and algebraic closure, respectively, for a field $K$
$\mathrm{Gal}(K/F)$   Galois group of $K$ over $F$
$\mathrm{Aut}(G)$   Automorphism group of $G$
$\mathrm{char}(K)$   characteristic of $K$
$\gcd(f, g)$, $\mathrm{lcm}(f, g)$   GCD, LCM of $f$ and $g$
$\deg(f)$   degree of a polynomial $f$
$\mathrm{ord}(g)$   order of element $g$ in a group
$\mathbb{Z}$, $\mathbb{Q}$, $\mathbb{R}$, $\mathbb{C}$   integers, rationals, reals and complex numbers
$\mathbb{Z}_{>k}$   integers greater than $k$; similarly for $\geq$, $<$, $\leq$
$\mathbb{Z}/n\mathbb{Z}$   integers modulo $n$
$\mathbb{F}_q$   finite field with $q$ elements
$\mathbb{Z}_p$, $\mathbb{Q}_p$   $p$-adic integers and numbers, respectively
$\mathrm{Tr}_q(x)$   trace of $x \in \mathbb{F}_q$ over $\mathbb{F}_p$, $q = p^n$
$\langle g \rangle$   cyclic group generated by $g$
$\#S$   cardinality of the set $S$
$E$   elliptic curve (equation)
$E(K)$   group of $K$-rational points on $E$
$[m]P$   multiplication-by-$m$ map applied to the point $P$
$E[m]$   group of $m$-torsion points on the elliptic curve $E$
$\mathrm{End}(E)$   Endomorphism ring of $E$
$\mathcal{O}$   point at infinity (on an elliptic curve)
$\wp$   Weierstrass $\wp$ function
$\varphi$   Frobenius map
$\phi$   Euler totient function
$GL_2(R)$   general linear group over the ring $R$: $2 \times 2$ matrices over $R$ with determinant a unit in $R$
$PGL_2(K)$   projective general linear group over the field $K$, with scalar multiples identified
$SL_2(\mathbb{Z})$   special linear group of $2 \times 2$ matrices over $\mathbb{Z}$ with determinant one
$\left(\frac{\cdot}{\cdot}\right)$   Legendre symbol
$\mathrm{Re}(z)$, $\mathrm{Im}(z)$   real and imaginary parts of $z \in \mathbb{C}$, respectively
$\mathcal{H}$   Poincaré half-plane $\mathrm{Im}(z) > 0$
$O(f(n))$   function $g(n)$ such that $|g(n)| \leq c\,|f(n)|$ for some constant $c > 0$ and all sufficiently large $n$
$o(f(n))$   function $g(n)$ such that $\lim_{n \to \infty} (g(n)/f(n)) = 0$
$\log_b x$   logarithm to base $b$ of $x$; natural log if $b$ omitted

Often we will need to present binary, hexadecimal or decimal numbers which are too long to fit on one line. We shall use the standard convention of breaking the number into multiple lines, with a backslash at the end of a line indicating that the number is continued in the next line. For example

p = 2^230 + 67 = 17254365866976409468586889655692563631127772430425\
96638790631055949891.
CHAPTER I
Introduction

We introduce the three main characters in public key cryptography. As in many books on the subject, it is assumed that Alice and Bob wish to perform some form of communication whilst Eve is an eavesdropper who wishes to spy on (or tamper with) the communications between Alice and Bob. Of course there is no assumption that Alice and Bob (or Eve) are actually human. They may (and probably will) be computers on some network such as the Internet.

Modern cryptography, as applied in the commercial world, is concerned with a number of problems. The most important of these are:

1. Confidentiality: A message sent from Alice to Bob cannot be read by anyone else.
2. Authenticity: Bob knows that only Alice could have sent the message he has just received.
3. Integrity: Bob knows that the message from Alice has not been tampered with in transit.
4. Non-repudiation: It is impossible for Alice to turn around later and say she did not send the message.
To see why all four properties are important consider the following scenario. Alice wishes to buy some item over the Internet from Bob. She sends her instruction to Bob which contains her credit card details and payment details. She requires that this communication be confidential, since she wants neither other people to know her credit card details nor what she is buying. Bob needs to know that the message is authentic in that it came from Alice and not some impostor. Both Alice and Bob need to be certain that the message's integrity is preserved, for example the amount cannot be altered by some third party whilst it is in transit. Finally Bob requires the non-repudiation property, meaning that Alice should not be able to say she did not send the instruction.

In other words, we require transactions to take place between two mutually distrusting parties over a public network. This is different from conventional private networks, such as those used in banking, where there are key hierarchies and tamper proof hardware which can store symmetric keys.

It is common in the literature to introduce public key techniques in the area of confidentiality protection. Public key techniques are, however, usually infeasible to use directly in this context, being orders of magnitude slower than symmetric techniques. Their use in confidentiality is often limited to the transmission of symmetric cipher keys. On the other hand digital signatures, which give the user the authentication, integrity and non-repudiation properties required in electronic commerce, seem to require the use of public key cryptography.

A computer which is processing payments for a bank or a business may need to verify or create thousands of digital signatures every second. This has led to the demand for public key digital signature schemes which are very efficient. Whilst many schemes are based on the discrete logarithm problem in a finite abelian group, there is some debate as to what type of group to use. One choice is the group of points on an elliptic curve over a finite field. This choice is becoming increasingly popular, precisely because of efficiency considerations. In this book, we attempt to summarize the latest knowledge available on both theoretical and practical issues related to elliptic curve cryptosystems.
1.1. Cryptography Based on Groups
In this section, some of the standard protocols of public key cryptography are surveyed. A more detailed discussion of all of these protocols and other related areas of cryptography can be found in the books by Menezes, van Oorschot and Vanstone [99] and Schneier [139], although neither of these books covers the use of elliptic curves in cryptography. The protocols discussed here only require the use of a finite abelian group $G$, of order $\#G$, which is assumed to be cyclic. The group of interest in this work is the additive group of points on an elliptic curve. However, it is convenient for the remainder of this chapter to assume $G$ is multiplicative, with generator $g$, and that the order, $\#G$, of $G$ is a prime. If this is not the case, we can always take a prime order subgroup as our group, with no loss of security. The additive vs. multiplicative issue is, of course, just one of notation. We will revert to additive notation later on, when the discussion focuses on the elliptic curve groups.

The group $G$ should be presented in such a way as to make multiplication and exponentiation easy, whilst computing discrete logarithms is hard. The reason for this will become clearer below. It should also be possible to generate random elements from the group with an almost uniform distribution.

By the discrete logarithm problem (DLP) we mean the problem of determining the least positive integer, $x$, if it exists, which satisfies the equation

$h = g^x$

for two, given, elements $h$ and $g$ in the group $G$. Note that a common feature of all of the following schemes is that if there is a fast way to solve the DLP in $G$, then they are all insecure for the group $G$. Since we have assumed that $G$ is of prime order such a discrete logarithm always exists.
1.1.1. Diffie-Hellman key exchange. Alice and Bob wish to agree on a secret random element in the group, which could be of use as a key for a higher speed symmetric algorithm like the Data Encryption Standard (DES). They wish to make this agreement over an insecure channel, without having exchanged any information previously. The only public items, which can be shared amongst a group of users, are the group $G$ and an element $g \in G$ of large known order.

1. Alice generates a random integer $x_A \in \{1, \ldots, \#G - 1\}$. She sends to Bob the element $g^{x_A}$.
2. Bob generates a random integer $x_B \in \{1, \ldots, \#G - 1\}$. He sends to Alice the element $g^{x_B}$.
3. Alice can then compute $(g^{x_B})^{x_A} = g^{x_A x_B}$.
4. Likewise, Bob can compute $(g^{x_A})^{x_B} = g^{x_A x_B}$.

The only information that Eve knows is $G$, $g$, $g^{x_A}$ and $g^{x_B}$. If Eve can recover $g^{x_A x_B}$ from this data then Eve is said to have solved a Diffie-Hellman problem (DHP). It is easy to see that if Eve can find discrete logarithms in $G$ then she can solve the DHP. It is believed for most groups in use in cryptography that the DHP and the DLP are equivalent in a complexity-theoretic sense [94] (there is a polynomial time reduction of one problem to the other, and vice versa).
1.1.2. ElGamal encryption [39]. Alice wishes to send a message to Bob. Her message, $m$, is assumed to be encoded as an element in the group. Bob has a public key consisting of $g$ and $h = g^x$, where $x$ is the private key.

1. Alice generates a random integer $k \in \{1, \ldots, \#G - 1\}$ and computes $a = g^k$, $b = h^k m$.
2. Alice sends the cipher text $(a, b)$ to Bob.
3. Bob can recover the message from the equation $b a^{-x} = h^k m g^{-kx} = g^{xk - xk} m = m$.
1.1.3. ElGamal digital signature [39]. Here, Bob wants to sign a message $m \in \mathbb{Z}/(\#G)\mathbb{Z}$. He can use the same public and private key pair, $h$ and $x$, as he used for the encryption scheme. We will need a bijection $f$ from $G$ to $\mathbb{Z}/(\#G)\mathbb{Z}$.

1. Bob generates a random integer $k \in \{1, \ldots, \#G - 1\}$, and computes $a = g^k$.
2. Bob computes a solution, $b \in \mathbb{Z}/(\#G)\mathbb{Z}$, to the congruence $m \equiv x f(a) + bk \pmod{\#G}$.
3. Bob sends the signature, $(a, b)$, and the message, $m$, to Alice.
4. Alice verifies the signature by checking that the following equation, which follows from the congruence in step 2, holds: $g^m = h^{f(a)} a^b$.
1.1.4. Digital Signature Algorithm. A version of ElGamal signatures, called the Digital Signature Algorithm (DSA), is the basis of the Digital Signature Standard [FIPS186]. An elliptic curve version of DSA (ECDSA) is described in the IEEE P1363 standard draft [P1363]. The signature procedure is almost identical to the ElGamal scheme above. It is described here for the sake of completeness, as well as to introduce a slightly different signature verification procedure with some computational advantages.

Bob wants to sign a message $m \in \mathbb{Z}/(\#G)\mathbb{Z}$. He uses the same public and private key pair $h$ and $x$ as before, and both he and Alice use a common bijective mapping, $f$, from $G$ to $\mathbb{Z}/(\#G)\mathbb{Z}$.

1. Bob generates a random integer $k \in \{1, \ldots, \#G - 1\}$, and computes $a = g^k$.
2. He computes the solution, $b$, to the congruence $m \equiv -x f(a) + kb \pmod{\#G}$.
3. He sends the signature, $(a, b)$, and the message, $m$, to Alice.
4. Alice computes $u = m b^{-1} \pmod{\#G}$, $v = f(a) b^{-1} \pmod{\#G}$.
5. She then computes $w = g^u h^v$ and verifies that $w = a$, since

$w = g^u h^v = g^{m b^{-1}} g^{v x} = g^{m b^{-1} + x f(a) b^{-1}} = g^{(m + x f(a)) b^{-1}} = g^{k b b^{-1}} = g^k = a.$

Although the signature verification procedure implemented by Alice for DSA appears, at first glance, more complicated than the one described for the ElGamal scheme, it is in fact computationally simpler. Upon closer scrutiny, one notes that the verification procedure described for DSA requires two group exponentiations, while the one described for the ElGamal scheme requires three. The two procedures are, of course, mathematically equivalent. In its standardized versions, the DSA requires also a secure hashing function. This is a many-to-one function that maps the original message to a shorter digest, in a way that is infeasible to invert in practice. The message digest is the quantity actually operated on, in lieu of $m$. See, e.g., [99] or [P1363] for the details.
1.1.5. Massey-Omura encryption. Here Alice wishes to send a message to Bob. They do not need to have a private or public key. The message is encoded as an element $m \in G$. This protocol is sometimes described as the 'you-to-me, me-to-you' method. It requires Alice and Bob to carry out a conversation rather than just a single transmission of encrypted text.

1. Alice computes a random integer, $x_A$, coprime to $\#G$, and sends Bob the element $m^{x_A}$.
2. Bob computes a random integer, $x_B$, coprime to $\#G$, and sends back to Alice the element $(m^{x_A})^{x_B} = m^{x_A x_B}$.
3. Alice can compute $x_A^{-1} \pmod{\#G}$ and so sends back to Bob the element $(m^{x_A x_B})^{x_A^{-1}} = m^{x_B}$.
4. Finally Bob computes $x_B^{-1} \pmod{\#G}$ and can decrypt the message as $m = (m^{x_B})^{x_B^{-1}}$.

This algorithm, also referred to as the 'double lock' algorithm, is seldom used in practice but is of historical interest.
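The protocols of Sections 1.1.1 to 1.1.5 as an added, runnable toy implementation (this is not code from the book): $G$ is taken to be the prime-order subgroup of squares in $\mathbb{F}_p^*$ for a constructed safe prime $p = 2q + 1$, $f$ is the integer-representative map that Section 1.1.7 describes for $\mathbb{F}_p^*$, and the parameter sizes are chosen so the algebra can be followed by hand, nothing more.

```python
"""Toy implementation, added for illustration (not the book's own code), of
the Section 1.1 protocols over a prime-order subgroup G of F_p^*:
Diffie-Hellman (1.1.1), ElGamal encryption (1.1.2), ElGamal and DSA-style
signatures (1.1.3, 1.1.4) and Massey-Omura (1.1.5).  The parameters are
constructed and far too small for real use; they only make the algebra in
the text checkable by hand."""
import secrets

# Constructed toy parameters: p = 2q + 1 with p and q prime, so the squares in
# F_p^* form a subgroup G of prime order #G = q, as Section 1.1 assumes.
P = 2039
Q = 1019
G_GEN = pow(2, 2, P)          # a non-trivial square, hence a generator of G

def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1
assert G_GEN != 1 and pow(G_GEN, Q, P) == 1     # ord(g) = #G = q

def random_exponent():
    """Uniform random integer in {1, ..., #G - 1}; all are coprime to #G."""
    return 1 + secrets.randbelow(Q - 1)

def f(a):
    """f: G -> Z/#GZ for the signature schemes.  As in 1.1.7 for F_p^*, take
    the integer representative of a reduced modulo #G; this is only 'almost
    injective', which the text says is all that is really required."""
    return a % Q

def dh_exchange():
    """1.1.1: returns (Alice's key, Bob's key, what Eve sees on the wire)."""
    x_a, x_b = random_exponent(), random_exponent()
    g_xa, g_xb = pow(G_GEN, x_a, P), pow(G_GEN, x_b, P)
    return pow(g_xb, x_a, P), pow(g_xa, x_b, P), (g_xa, g_xb)

def keygen():
    """Private key x in {1, ..., #G - 1} and public key h = g^x."""
    x = random_exponent()
    return x, pow(G_GEN, x, P)

def elgamal_encrypt(h, m):
    """1.1.2: m must be an element of G (a square mod p)."""
    k = random_exponent()
    return pow(G_GEN, k, P), (pow(h, k, P) * m) % P    # (a, b) = (g^k, h^k m)

def elgamal_decrypt(x, cipher):
    a, b = cipher
    return (b * pow(pow(a, x, P), -1, P)) % P           # b a^{-x} = m

def elgamal_sign(x, m):
    """1.1.3: m in Z/#GZ; solve m = x f(a) + b k (mod #G) for b."""
    while True:
        k = random_exponent()
        a = pow(G_GEN, k, P)
        b = ((m - x * f(a)) * pow(k, -1, Q)) % Q
        if b:                  # retry on b = 0, which no verifier should accept
            return a, b

def elgamal_verify(h, m, sig):
    """Three exponentiations: g^m = h^{f(a)} a^b follows from the congruence."""
    a, b = sig
    return pow(G_GEN, m, P) == (pow(h, f(a), P) * pow(a, b, P)) % P

def dsa_sign(x, m):
    """1.1.4: solve m = -x f(a) + k b (mod #G) for b."""
    while True:
        k = random_exponent()
        a = pow(G_GEN, k, P)
        b = ((m + x * f(a)) * pow(k, -1, Q)) % Q
        if b:
            return a, b

def dsa_verify(h, m, sig):
    """Two exponentiations: w = g^u h^v = g^{(m + x f(a)) b^{-1}} = g^k = a."""
    a, b = sig
    if not 0 < b < Q:
        return False
    b_inv = pow(b, -1, Q)
    u, v = (m * b_inv) % Q, (f(a) * b_inv) % Q
    w = (pow(G_GEN, u, P) * pow(h, v, P)) % P
    return w == a

def massey_omura(m):
    """1.1.5: the three-pass 'double lock' exchange for m in G; returns what Bob recovers."""
    x_a, x_b = random_exponent(), random_exponent()
    pass1 = pow(m, x_a, P)                          # Alice -> Bob: m^{x_A}
    pass2 = pow(pass1, x_b, P)                      # Bob -> Alice: m^{x_A x_B}
    pass3 = pow(pass2, pow(x_a, -1, Q), P)          # Alice -> Bob: m^{x_B}
    return pow(pass3, pow(x_b, -1, Q), P)           # Bob: (m^{x_B})^{x_B^{-1}} = m
```

Every element exchanged stays inside the order-$q$ subgroup, which is what makes the exponent inverses modulo $\#G$ in Massey-Omura and the $b^{-1}$ in DSA well defined.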
1.1.6. Nyberg-Rueppel digital signature [113]. Nyberg and Rueppel present a series of digital signature schemes which allow message recovery. Below we give a variant of one of these schemes, based on a system of Piveteau [122]. However, here it is given as a standard signature scheme without any message recovery. For details on how to add message recovery, to this and to other schemes, we refer the reader to [113]. Our reason for including the following scheme is that the message to be signed, $m$, is a member of the group $G$ and not $\mathbb{Z}/(\#G)\mathbb{Z}$. This makes it slightly different from the ElGamal and DSA schemes above.

Once again we assume $f$ is a bijection from $G$ to $\mathbb{Z}/(\#G)\mathbb{Z}$. Alice wishes to sign a message, $m \in G$. She has a private key $x \in \mathbb{Z}$, coprime to $\#G$, and a public key $y = g^x$.

1. She computes a random integer, $k$, coprime to $\#G$, and computes $r = g^{-k} m$.
2. Alice then computes a solution, $s$, to the congruence $1 \equiv f(r) x + sk \pmod{\#G}$.
3. She sends the message, $m$, and the digital signature, $(r, s)$, to Bob.
4. Bob can verify that the message came from Alice by verifying the equation.

1.1.7. Problem reductions. It is not proven that breaking any of the above schemes is equivalent to solving the DLP, but this is believed to be the case. That no proof of this fact has been found is similar to other situations in cryptography: for example there is no proof that breaking the RSA system ([133], [134]) is equivalent to factoring the modulus, although the recent work of Boneh and Venkatesan [19] gives evidence that they may not be equivalent. There are a few public key cryptographic schemes for which one can prove that breaking the system is at least as hard as solving some hard mathematical problem, such as factoring a number or taking discrete logarithms. However, these are not discussed here. We do note that for some classes of finite abelian groups one can prove that breaking the Diffie-Hellman key exchange protocol is polynomial time equivalent to solving a DLP. What is interesting about this work is that this result uses auxiliary groups which are themselves usually taken to be elliptic curves. The interested reader should consult [94], [95], [18] and Section IX.4.

The requirement in the signature schemes for a bijective function, $f$, from $G$ to $\mathbb{Z}/(\#G)\mathbb{Z}$ may seem a little restrictive. For the groups $\mathbb{F}_p^*$, the bijective function to use is obvious. For other groups the condition that $f$ is bijective can be weakened. What is really required is a function

$f : G \to \mathbb{Z}/M\mathbb{Z}$

for some number $M$, of the order of magnitude of the size of the group $G$, which is almost injective. In other words its degree as a map should be 'small'. For elliptic curve systems the group elements are presented as pairs, $(x, y)$, over some finite field $\mathbb{F}$. Such a pair represents a point on an elliptic curve. Over large prime fields $\mathbb{F}_p$, field elements are naturally represented as integers modulo $p$, and one usually just uses the $x$-coordinate of the curve points as the map from $G$ (group elements) to integers modulo $p$ (the latter prime turns out to be close to $\#G$, and is thus used for $M$ above). This is a degree two map and will clearly suffice for applications. For finite fields of characteristic two, one performs a similar method, but a way of converting the $x$-coordinate into an integer is needed. A simple method, used in practice, is to take the representation of $x$ relative to a given basis of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$, and interpret the coefficients as the binary digits of an integer. As long as Alice and Bob are using the same internal representation and order conventions, or at least Bob knows how to convert from his internal representation into Alice's, their implementations should be interoperable.
1.2. What Types of Group are Used
All of the above protocols work for a general abelian group, $G$, so one could consider various other groups to use in such protocols. However, since the protocols are to be implemented in hardware or software, the group operation should be simple to realize. One way of interpreting this condition, but not the only way, is to insist that the group operation be given by simple algebraic formulae. In other words $G$ must be a commutative finite algebraic group. This then restricts quite considerably the types of groups which are available.

A commutative finite algebraic group is essentially equivalent to the product of a finite number of copies of the additive and multiplicative groups of finite fields and a finite number of abelian varieties. For all practical purposes, the latter can be taken to be Jacobians of curves. It will be seen in Chapter V that, owing to a general purpose algorithm of Pohlig and Hellman, the group $G$ should only have a large single subgroup of prime order. Thus we can restrict ourselves to considering copies of additive and multiplicative subgroups of finite fields or Jacobians.

The DLP in some additive groups is clearly easy, e.g. the additive group of a finite field. Fortunately, this is not the case, as far as is known, for the group of an elliptic curve. Not surprisingly, all of the above protocols were originally described in terms of the finite (multiplicative) abelian group $\mathbb{F}_q^*$. However, if one uses such groups the choice of $q$ needs to be very large indeed, because there are known sub-exponential methods for solving the DLP in $\mathbb{F}_q^*$ (see [1] and [88]). These methods are usually based on the ideas behind the well known number field sieve factoring method (see [77]).

This situation led Miller [103] and Koblitz [62] to propose the technique, common in number theory, of replacing a group such as $\mathbb{F}_q^*$ with the group, $E(\mathbb{F}_q)$, of rational points on an elliptic curve, $E$, defined over $\mathbb{F}_q$ (these concepts will be precisely defined later). This technique will be seen again in the elliptic curve factoring method and the elliptic curve primality proving method. Elliptic curves are Jacobians of dimension one and so are the simplest case of a Jacobian. It turns out that the (additive) DLP in elliptic curve groups is, at present, orders of magnitude harder than the corresponding problem in the multiplicative group of a finite field of a similar size, a fact that is more precisely quantified in the next section.

If one wants to avoid algebraic groups then only one other type of group is known which is secure and almost practical. These are the class groups of orders of number fields. These were originally proposed by Buchmann and Williams [23] for class groups of imaginary quadratic orders. The protocols used in this situation differ slightly from those described earlier, but the essential features of the group remain the same. In imaginary quadratic orders the elements of the class group can be represented by reduced binary quadratic forms. These forms can then be multiplied using the standard composition and reduction algorithms which date back to Gauss (see [29] and [50]). We shall see in a later chapter that the arithmetic on an elliptic curve and in the Jacobian of a hyperelliptic curve is closely related to this composition of binary quadratic forms.

Such schemes based on class groups are particularly interesting, as breaking some of the proposed cryptosystems is provably as hard as factoring the discriminant of the order. However, the protocols are at present very slow owing to the complexity of the group operations. For other work on class group based systems, see [10], [20], [22] and [52].

There are cryptosystems based on elliptic curves which are provably as hard as known mathematical problems. For example there are systems based on elliptic curves over $\mathbb{Z}/n\mathbb{Z}$, where $n$ is the product of two primes, for which the ability to break the system is as hard as factoring the modulus $n$ (see the work of Meyer and Müller [101]). However, Joye and Quisquater [57] pointed out that the system of Meyer and Müller is reducible to the system of Rabin and Williams (see [129] and [163]). Hence, since the Meyer-Müller system is probably slower than the Rabin-Williams system, we shall not discuss the former system further.

There are other systems based on elliptic curves over $\mathbb{Z}/n\mathbb{Z}$, which are in some sense elliptic curve analogues of the RSA scheme (see for example Koyama et al. [68]). However, these are not provably as hard as factoring and they appear to offer no advantage over RSA in terms of security but do give a decrease in performance when compared with RSA. These schemes are not discussed further in this book. The reader is referred instead to [58], [17], [70], [90], [121] and [159].
1.3. What it Means in Practice
Inof athissuitably
sectionchosenwe discuss
ellipticthecurvepractical
over a implications
finite field toofimplement
using the agroup
DLF-basedE(IFq)

cryptosystem,
tive group as opposed to the more 'conventional' choice of the multiplica­
IF; of a finite field. Notice that, in the comparison, IFq and IFP need
not be the same
a senseDLPtoonbeEmade field. The key observation is that, for a well-chosen
clear later in the book), the best known method for solving curve (in
the
field elements, (IFq) is of complexity exponential in the size n = f1og2 l of the
while algorithms that are sub-exponential in N = f1og2 pl are q

available
More for the
specifically,DLP in
the IF;.
best known general algorithms for the elliptic curve
DLP are of complexity proportional to 2
CEc (n) = 2 n/
(seeDefine
ChaptertheV).function
Lp(v, c) = exp (c(logp) v (loglogp) (l- v ) ) ,
where ' l og' without base specification denotes real
v = 1, the function LP is exponential in logp, while for v = 0 it is polynomial
natural logarithms. When
inexponential,
log p. Whenand0 is referred
< <v 1, the behaviour is strictly between polynomial and
to as sub-exponential.
Discrete logarithms in IFP can be found in time proportional to Lp(l/3, c0 ),
where c0 = (64/9)113 1. 92, using a general number field sieve method ([9 9,

1.3. WHAT IT MEANS IN PRACTICE 9

Elliptic Curve

400

300

200

100

Conventional
0
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000

FIGURE 1 . 1 . Elliptic curve


sizes (in bits) for similar strength. vs. conventional cryptosystem key
In terms of $N$, and neglecting constant factors, the complexity is
$$C_{CONV}(N) = \exp\left(c_0\,(N\log 2)^{1/3}\,(\log(N\log 2))^{2/3}\right),$$
where the subscript CONV stands for 'conventional' (this is $L_p(1/3, c_0)$ with $\log p = N\log 2$). Notice that the best known algorithms for integer factorization are of roughly the same asymptotic complexity (see [99] and also [77]). Therefore, the discussion and comparisons in what follows apply also to conventional public key cryptosystems based on factorization, e.g., RSA.

Equating $C_{EC}$ and $C_{CONV}$ (and, again, neglecting constant factors in the complexities), it follows that for similar levels of security, we must have
$$n = \sigma\, N^{1/3}\,(\log(N\log 2))^{2/3},$$
where $\sigma = 2c_0/(\log 2)^{2/3} \approx 4.91$. Now, the parameters $n$ and $N$ can be interpreted as the 'key sizes', in bits, for the respective cryptosystems. Therefore, with current algorithmic knowledge, the key size in an elliptic curve cryptosystem grows slightly faster than the cube root of the corresponding 'conventional' key size, for similar cryptographic strength.

The relation is plotted in Figure 1.1, where the correspondence for 'conventional' key sizes of 1024 and 4096 bits (common values for RSA) has been emphasized with dotted lines. The equivalent key sizes shown for an elliptic curve cryptosystem are 173 and 313 bits, respectively. Given that various approximations are used, and various constants neglected, the figures are, of course, approximate and give only general trends. A fair comparison should also take into account the complexity of implementing such a cryptosystem. While the implementation of group exponentiation is of about the same complexity in both cases, in terms of elementary group operations, the group operations themselves are more complex in the elliptic curve case, for the same field size (by a small constant factor; see Chapter IV). Nevertheless, the plot helps explain the recent interest in elliptic curve cryptography as a less expensive alternative to the conventional systems. In practice, shorter key lengths can translate to faster implementations, less power consumption, less silicon area, etc.
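The key-size relation above, carried through in code. This is an added example and not part of the book: it evaluates $C_{EC}$ and $C_{CONV}$ on a logarithmic scale, solves $C_{EC}(n) = C_{CONV}(N)$ numerically, and compares the result with the closed form $n = \sigma N^{1/3}(\log(N\log 2))^{2/3}$. The constants are the ones quoted in the text; the function names are ours.

```python
"""Equivalent key sizes from the complexity estimates in the text:
C_EC(n) = 2^(n/2) for an elliptic curve system with an n-bit group order and
C_CONV(N) = L_p(1/3, c_0) with log p = N log 2 for a 'conventional' system.
Added example, not from the book; c_0 and sigma are the constants quoted above."""
import math

C0 = (64 / 9) ** (1 / 3)                    # about 1.92
SIGMA = 2 * C0 / math.log(2) ** (2 / 3)     # about 4.91


def log_cost_ec(n):
    """Natural logarithm of C_EC(n) = 2^(n/2)."""
    return n * math.log(2) / 2


def log_cost_conv(N):
    """Natural logarithm of L_p(1/3, c_0) = exp(c_0 (log p)^(1/3) (log log p)^(2/3)), log p = N log 2."""
    log_p = N * math.log(2)
    return C0 * log_p ** (1 / 3) * math.log(log_p) ** (2 / 3)


def ec_bits_closed_form(N):
    """n = sigma N^(1/3) (log(N log 2))^(2/3): the relation obtained by equating the costs."""
    return SIGMA * N ** (1 / 3) * math.log(N * math.log(2)) ** (2 / 3)


def ec_bits_by_equating(N, tol=1e-9):
    """Solve log_cost_ec(n) = log_cost_conv(N) for n numerically (bisection), i.e.
    equate C_EC and C_CONV directly without using the closed form."""
    target = log_cost_conv(N)
    lo, hi = 0.0, 1.0
    while log_cost_ec(hi) < target:             # find an upper bracket for the root
        hi *= 2
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if log_cost_ec(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    for N in (1024, 2048, 4096):
        print(N, round(ec_bits_closed_form(N)), round(ec_bits_by_equating(N)))
```

Both routes give about 173 bits for $N = 1024$ and 313 bits for $N = 4096$, the two points emphasized in Figure 1.1; the bisection is there only to show that the closed form is exactly the solution of the equated costs and hides no further approximation.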
CHAPTER II
Finite Field Arithmetic

When implementing an elliptic curve system an important consideration is how to implement the underlying field arithmetic. The problems encountered in such implementations are addressed in this chapter, with attention being focused mostly on questions which arise in software implementations, although some hardware issues are briefly mentioned. Two questions of particular importance are whether to use fields of even or odd characteristic and, secondly, whether to restrict implementation to fields of a special type, for efficiency, or to support any type of finite field.
II.1. Fields of Odd Characteristic

In this section, implementation of arithmetic in $\mathbb{F}_p$, where $p$ is a 'large' prime, will be considered. Field elements will be naturally represented as integers in the range $0, 1, \ldots, p-1$, with the usual arithmetic modulo $p$. General techniques for handling multi-precision integers are not discussed, as they are treated very effectively elsewhere, e.g. [61]. However, we will focus on techniques for performing fast modular arithmetic.

We need to implement the four standard arithmetic operations in $\mathbb{F}_p$, namely addition, subtraction, multiplication and division. It is, however, the last two of these (and particularly the last) which produce the most challenge.

In what follows let $w$ denote the word size of the basic word, in bits, and $b = 2^w$ the corresponding base. For example, typical values in present-day computers are $w = 32$ and $w = 64$. The integer $b$ will be the base used in expressing multi-precision integers. However, some implementations for multi-precision integers make use of different bases. Two common alternatives are:

A power of ten. These are very inefficient since powers of ten are not the natural base for performing calculations within a computer. A power of ten is usually chosen to make input and output of the large integers easier. This, however, is poor programming practice as very little time spent by a program will be in the input and output phase. Most of the time will be spent in calculations, where a base which is a power of two will be much more efficient.

A base of half the word size. If we choose a base of $b = 2^{16}$, or $b = 2^{32}$, where $b^2$ is now the base corresponding to the full word size, then some advantages accrue. The basic multiplication step of the coefficients in the base $b$ representation of the multi-precision integer can be performed very easily in a language like C. This is because the result of multiplying two base $b$ integers will still fit in a word, with no code to cope with the carry being needed. But now, twice as many iterations need to be carried out for even a simple operation such as addition, and the situation is worse for operations where the algorithms used in practice are of non-linear complexity, such as multiplication.

The problem of half-words can be alleviated by having a function, implemented in a small amount of machine code, which implements the operation of multiplying two full word size integers. Such a function would return the upper, $u$, and lower, $l$, word portions
$$ub + l = w_1 \times w_2,$$
where $w_1, w_2 < b$. For many processors this is implemented on chip, for example on the Pentium®, or can be performed efficiently using the floating point coprocessor, available on some machines. Given that this is such a basic operation it is very important that it is implemented as efficiently as possible. The trouble of having to rewrite a few lines of machine code for every target architecture is a small price to pay for the large increase in speed which results.
II.1.1. Moduli of a special form/precomputed moduli. One possible choice of 'special moduli' are those of the form $p = b^t - a$, for some 'small' value of $a$. Such moduli are discussed in [37] and [99]; the algorithm for modular arithmetic is described in the latter reference. Modular multiplication then uses the standard multi-precision multiplication routines followed by the fast reduction procedure below, which relies on $b^t \equiv a \pmod p$: the quotient obtained on dividing by $b^t$ is folded back in after multiplication by $a$, as many times as necessary.

ALGORITHM II.1: Reduction Modulo $p = b^t - a$.
INPUT: An integer $x$.
OUTPUT: $r = x \pmod p$.
1. $q_0 \leftarrow \lfloor x/b^t \rfloor$, $r_0 \leftarrow x - q_0 b^t$, $r \leftarrow r_0$, $i \leftarrow 0$.
2. While $q_i > 0$ do:
3.   $q_{i+1} \leftarrow \lfloor q_i a / b^t \rfloor$, $r_{i+1} \leftarrow q_i a - q_{i+1} b^t$,
4.   $i \leftarrow i + 1$, $r \leftarrow r + r_i$.
5. While $r \geq p$ do $r \leftarrow r - p$.
6. Return $r$.

First note that the quotient on division of an $n$-word number by a fixed power of $b$ is easy to compute by shifting the numerator to the right by a number of words. Also note that subtraction of a multiple of a given power of $b$ is nothing but a subtraction of a number shifted to the left by a number of words. The reduction procedure is therefore performed using only shift and add operations and a multiplication by $a$. It therefore removes the need for any divisions to occur.
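Algorithm II.1 in code, as an added example that is not part of the book. The two moduli used to check it are the Mersenne prime $2^{127} - 1$ (taking $b = 2$, $t = 127$, $a = 1$) and $p = 2^{128} - 159$ with 32-bit words ($b = 2^{32}$, $t = 4$, $a = 159$); the reduction is correct for any modulus of the form $b^t - a$, so nothing about these particular values beyond their form is used, and the function names are ours.

```python
"""Algorithm II.1: reduction modulo p = b^t - a using only shifts, additions and
multiplication by the small constant a.  Added example, not the book's code.
Moduli used for the check: 2^127 - 1 (b = 2, t = 127, a = 1) and 2^128 - 159
with 32-bit words (b = 2^32, t = 4, a = 159).  Correctness only needs the form
b^t - a, not primality of p."""
import random


def reduce_special(x, b, t, a):
    """Return (x mod p, loop iterations) for p = b^t - a, following Algorithm II.1.
    Since b^t = p + a, we have q*b^t = q*a (mod p): the quotient after dividing
    by b^t is folded back in multiplied by a, until the quotient vanishes."""
    assert x >= 0, "non-negative input expected"
    p = b ** t - a
    q = x // b ** t                  # Step 1: q_0, a word shift when b is a power of two
    r = x - q * b ** t               # r_0, the low t words of x
    iterations = 0
    while q > 0:                     # Step 2
        iterations += 1
        qa = q * a                   # the only multiplication, by the constant a
        q, r_i = qa // b ** t, qa % b ** t     # Step 3: q_{i+1} and r_{i+1}
        r += r_i                     # Step 4
    while r >= p:                    # Step 5: a few final subtractions
        r -= p
    return r, iterations             # Step 6


def reduce_special_words(x, w, t, a):
    """The same algorithm with b = 2^w written as shifts and masks, the way an
    implementation on w-bit words would express it."""
    shift = w * t
    mask = (1 << shift) - 1
    p = (1 << shift) - a
    q, r = x >> shift, x & mask
    while q:
        qa = q * a
        q, r = qa >> shift, r + (qa & mask)
    while r >= p:
        r -= p
    return r


def selftest(trials=200, seed=1):
    """Constructed random inputs x < p^2, compared with Python's built-in remainder."""
    rng = random.Random(seed)
    for (b, t, a) in ((2, 127, 1), (2 ** 32, 4, 159)):
        p = b ** t - a
        for _ in range(trials):
            x = rng.randrange(p * p)
            r, its = reduce_special(x, b, t, a)
            if r != x % p or its > 3:
                return False
            if b == 2 ** 32 and reduce_special_words(x, 32, t, a) != x % p:
                return False
    return True
```

For $x < p^2$ and $a$ smaller than a word, $q_1 < a$ and $q_1 a < b^t$, so the loop of Step 2 runs at most twice and the subtraction loop of Step 5 only a handful of times; the word-level version makes visible that every step is a shift, a mask, an addition or a multiplication by the constant $a$.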
Modular inversion is often performed using the Euclidean algorithm and is therefore generally slow compared to a multiply. Fortunately, for elliptic curve cryptosystems, one can implement the underlying curve arithmetic to remove the need for almost all field inversions. We will elaborate on this issue in Chapter IV.

Further improvements can be obtained if $a$ is chosen to have low weight, by which we mean that the binary representation of $a$ has only a few non-zero bits. This case is discussed, in the context of binary polynomial arithmetic, in Section II.2.1. Similar considerations apply to integers.
Another method, akin to using moduli of a special form, is to use precomputed tables for performing the modular reduction. Although the prime modulus need not have the special form, it will probably be selected once and for all, and the precomputation of the tables can then be performed at startup of the system. The disadvantage from a cryptographic viewpoint is that every person using the system will have curves defined over the same finite field. This raises problems of interoperability. For example, if one bank is signing a document for passing to another bank then both banks will need to use the same field. This implies a level of agreement and standardization which, although standards are currently being drafted to address these issues, is not yet generally available.

In addition, using fixed moduli of special form may not be preferred for security reasons. If everyone is forced to use the same field it becomes an attractive target for cryptanalysts. Breaking such a system, perhaps using special properties of the particular field which might be discovered, then has even more serious consequences than otherwise. Although this may give an attractive target for cryptanalysts one should not overestimate their capabilities. Nevertheless, prudent cryptographic practice would suggest changing the system parameters on some regular basis to discourage the attack of any particular parameter set.
II.1.2. Residue number system arithmetic. Residue number system (RNS) arithmetic is a very old idea which relies on the Chinese Remainder Theorem (CRT). Suppose we wish to work with a modulus $p$. A set of auxiliary primes, $p_i$ (of word size), are chosen such that

We then represent an element $x$ modulo $p$ as the vector $(x_1, \ldots, x_t)$, where
$$x_i \equiv x \pmod{p_i}.$$
What makes this particularly appealing is that to add and multiply such numbers we need only compute the addition and multiplication of their components, numbers of size very much smaller than the original modulus. The final result is obtained by the CRT.

As an example consider $p = 10727311963$ and $x = 1213212$, and assume we wish to work with 16-bit words. We take the primes $p_1 = 65521$, $p_2 = 65519$, $p_3 = 65497$, $p_4 = 65479$, and $p_5 = 65449$. We then represent $x$ in this residue number system as
$$x \equiv (33834, 33870, 34266, 34590, 35130).$$
We can then compute $x + x$ and $x^2$ using simple word length arithmetic operations and find that
$$x + x \equiv (2147, 2221, 3035, 3701, 4811),$$
and
$$x^2 \equiv (22165, 4729, 59534, 35812, 10556).$$
However, we still need to perform the reduction operation for both addition and multiplication. This is particularly difficult to perform using RNS arithmetic as it is hard to compare the size of elements and to perform integer division. Nevertheless, much recent work has been done in this area in the context of efficient hardware implementations for RSA-based systems (see [126] and [127]) and in the context of a sub-procedure for the number field sieve (NFS) algorithm (see [32]).
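The worked example above in code, as an added example that is not part of the book. It encodes $x$ into the five 16-bit residues, adds and multiplies component-wise, and recombines with the CRT; the final reduction modulo $p$ is done the straightforward way, by leaving the RNS, which is exactly the step the text identifies as awkward. One assumption is made explicit that the extracted page does not state: the product of the $p_i$ must exceed every value to be recovered, here $p^2$, so that a product of two reduced residues comes back exactly. Function names are ours.

```python
"""Residue number system arithmetic for the example in the text:
p = 10727311963, x = 1213212, five 16-bit primes.  Added example, not from the
book.  Assumption (not stated on the page): prod(p_i) > p^2, so the CRT recovers
a product of two reduced residues exactly."""
P = 10727311963
PRIMES = (65521, 65519, 65497, 65479, 65449)


def to_rns(x, moduli=PRIMES):
    """x -> (x mod p_1, ..., x mod p_t); every component fits in one 16-bit word."""
    return tuple(x % m for m in moduli)


def rns_add(u, v, moduli=PRIMES):
    """Component-wise addition, each component reduced modulo its own p_i."""
    return tuple((a + b) % m for a, b, m in zip(u, v, moduli))


def rns_mul(u, v, moduli=PRIMES):
    """Component-wise multiplication; no carries propagate between components."""
    return tuple((a * b) % m for a, b, m in zip(u, v, moduli))


def from_rns(u, moduli=PRIMES):
    """Chinese Remainder Theorem: the unique 0 <= x < prod(p_i) with x = u_i (mod p_i).
    Garner-style accumulation; for fixed moduli the inverses would be precomputed."""
    x, M = 0, 1
    for u_i, m in zip(u, moduli):
        k = ((u_i - x) * pow(M, -1, m)) % m     # choose k so that x + k*M = u_i (mod m)
        x += k * M
        M *= m
    return x


def rns_reduce_mod_p(u, p=P, moduli=PRIMES):
    """The step RNS makes hard (size comparison / division by p): done here by
    recombining with the CRT, reducing modulo p, and re-encoding."""
    return to_rns(from_rns(u, moduli) % p, moduli)


def product_modulus(moduli=PRIMES):
    """prod(p_i), the range of integers the RNS represents uniquely."""
    M = 1
    for m in moduli:
        M *= m
    return M
```

The assertions below reproduce the three vectors given in the text and check that $x^2$ recombines to the exact integer $x \cdot x$ before the reduction modulo $p$.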
II.1.3. Barrett reduction. When using Barrett reduction, the standard multi-precision methods are used for the integer arithmetic operations. However, the modular reduction is performed in a rather efficient way. We are given a positive integer $x$ which is of size at most $p^2$. We wish to compute $x \pmod p$. As a precomputation we compute
$$\mu = \lfloor b^{2t}/p \rfloor,$$
where $b^t > p > b^{t-1}$ and $b$ once again is the base size of the computer. We give the algorithm for computing $x \pmod p$ from [99] and leave the reader to consult that book for a justification.

ALGORITHM II.2: Barrett Reduction.
INPUT: $x$, $p$ and $\mu$ such that $x < b^{2t}$, $b^{t-1} < p < b^t$ and $\mu = \lfloor b^{2t}/p \rfloor$.
OUTPUT: $z = x \pmod p$.
1. $q_0 \leftarrow \lfloor x/b^{t-1} \rfloor$.
2. $q \leftarrow \lfloor (\mu q_0)/b^{t+1} \rfloor$.
3. $r_1 \leftarrow x \pmod{b^{t+1}}$, $r_2 \leftarrow qp \pmod{b^{t+1}}$.
4. $z \leftarrow r_1 - r_2$.
5. If $z < 0$ then $z \leftarrow z + b^{t+1}$.
6. While $z \geq p$ do $z \leftarrow z - p$.
7. Return $z$.

The only complicated part of this reduction is the computation of $\mu q_0$ in Step 2. On the face of it this appears to be a full multi-precision multiplication. However, on a second glance we see that the least significant words of this multiplication need not be computed (see [99, Ch. 14] for more details).
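Algorithm II.2 in code, as an added example that is not the book's. It uses a 32-bit word base, takes $p = 2^{127} - 1$ for the self-test (so $t = 4$, since $b^3 < p < b^4$), and returns the number of subtractions performed in Step 6 so that the bound on them can be checked; function names are ours.

```python
"""Barrett reduction (Algorithm II.2) with a 32-bit word base.  Added example,
not the book's code.  The self-test uses p = 2^127 - 1 (t = 4 words) and
compares against Python's built-in remainder on random x < p^2."""
import random

W = 32
B = 1 << W


def barrett_setup(p, b=B):
    """Precompute t with b^(t-1) < p < b^t and mu = floor(b^(2t) / p)."""
    t = 1
    while b ** t <= p:
        t += 1
    assert b ** (t - 1) < p, "p must not be a power of b"
    return t, b ** (2 * t) // p


def barrett_reduce(x, p, t, mu, b=B):
    """Return (x mod p, number of subtractions in Step 6).  The only multiplication
    is by the precomputed mu; there is no division by p."""
    assert 0 <= x < b ** (2 * t)
    q0 = x // b ** (t - 1)              # Step 1: drop the t-1 low words of x
    q = (mu * q0) // b ** (t + 1)       # Step 2: quotient estimate, never above the true one
    r1 = x % b ** (t + 1)               # Step 3: only the t+1 low words matter
    r2 = (q * p) % b ** (t + 1)
    z = r1 - r2                         # Step 4
    if z < 0:                           # Step 5
        z += b ** (t + 1)
    subtractions = 0
    while z >= p:                       # Step 6
        z -= p
        subtractions += 1
    return z, subtractions              # Step 7


def selftest(p=2 ** 127 - 1, trials=500, seed=7):
    """Constructed random inputs x < p^2: every result must equal x % p and
    Step 6 must never run more than twice."""
    rng = random.Random(seed)
    t, mu = barrett_setup(p)
    for _ in range(trials):
        x = rng.randrange(p * p)
        z, subs = barrett_reduce(x, p, t, mu)
        if z != x % p or subs > 2:
            return False
    return True
```

The estimate $q$ of Step 2 is never larger than the true quotient $\lfloor x/p \rfloor$ and falls short of it by at most two, which is why Steps 3 and 4 can work modulo $b^{t+1}$ and why Step 6 needs at most two subtractions; the self-test checks both.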
II.1.4. Montgomery arithmetic. By far the most successful way to implement arithmetic modulo a large prime $p$ is to use a representation due to Montgomery [105]. Again assume $b$ is the word base. Define $t$ and $R$ by
$$R = b^t > p.$$
Every element $x \in \mathbb{F}_p$ is represented by $xR \pmod p$. There is clearly a one-to-one relationship between this latter representation and the usual one. Addition and subtraction in this Montgomery representation can be performed in the usual way; however, multiplication is much faster. Our treatment will again follow that in the Handbook of Applied Cryptography [99, Ch. 14].

Before Montgomery multiplication is explained, the process which is known as Montgomery reduction is considered. This procedure takes as input an integer $y$ with $0 \leq y < pR$ and returns $yR^{-1} \pmod p$.

LEMMA II.1. In such a situation, if we set $u = -yp^{-1} \pmod R$ and $x = (y + up)/R$ then $x$ is an integer such that $x < 2p$ and $x \equiv yR^{-1} \pmod p$.

PROOF. Clearly the last modular equality holds since
$$x = (y + up)R^{-1} \equiv yR^{-1} \pmod p.$$
So we need to show that $x$ is indeed an integer, but this is clear by definition of $u$, as $y + up \equiv y - yp^{-1}p \equiv 0 \pmod R$. To see that $x < 2p$ notice that
$$x = (y + up)/R < (pR + Rp)/R = 2p.$$
□

A summary of the procedure is given in Algorithm II.3.

ALGORITHM II.3: Montgomery Reduction (Simple Case).
INPUT: A number $y < pR$.
OUTPUT: $x = yR^{-1} \pmod p$.
1. $u \leftarrow -yp^{-1} \pmod R$.
2. $x \leftarrow (y + up)/R$.
3. If $x \geq p$ then $x \leftarrow x - p$.
4. Return $x$.

To compute $x$ we first compute $u$, which is easy once $p^{-1} \pmod R$ has been computed, since $R$ is a power of the word base. Thus $u$ can be computed with no modular divisions, the computation of $p^{-1} \pmod R$ being done once and stored for later use. To compute $x$ we then need to perform one further multi-precision multiplication, a multi-precision addition and then a division by $R$. But division by $R$ is a simple shift of the words in $y + up$ to the right by $t$ spaces, since $R = b^t$.
In fact we can be even more efficient by setting $p' = -p^{-1} \pmod b$ and, if $y$ is given by
$$y = (y_{2t-1}, \ldots, y_1, y_0)_b = y_{2t-1} b^{2t-1} + \cdots + y_1 b + y_0,$$
then $yR^{-1} \pmod p$ can be computed by performing the following steps from [99, Ch. 14]:

ALGORITHM II.4: Montgomery Reduction.
INPUT: A number $y < pR$.
OUTPUT: $z = yR^{-1} \pmod p$.
1. For $i = 0$ to $t - 1$ do:
2.   $u \leftarrow y_i p' \pmod b$,
3.   $y \leftarrow y + upb^i$.
4. $z \leftarrow y/R$.
5. If $z \geq p$ then $z \leftarrow z - p$.
6. Return $z$.

Here $y_i$ in Step 2 is the current $i$-th word of $y$, including the effect of the updates made in earlier iterations; Step 3 makes that word zero, so after $t$ iterations $y$ is divisible by $R$. The multiplication in Step 2 can be implemented using a single precision operation. The operation in Step 3 is performed using a shift, a scalar multiplication and then an add. It has already been remarked that $z \leftarrow y/R$ is performed using a shift of $y$ to the right by $t$ words. Hence to compute $yR^{-1} \pmod p$ we need only perform a set of multi-precision addition, scalar multiplication and shift operations.

To compute $p' = -p^{-1} \pmod b$, the extended Euclidean algorithm can be used. However, it is rather easy to compute $x^{-1} \pmod{2^w}$ using the following algorithm.

ALGORITHM II.5: Computing $x^{-1} \pmod{2^w}$.
INPUT: An odd integer $x$, $0 < x < 2^w$.
OUTPUT: $y = x^{-1} \pmod{2^w}$.
1. $y \leftarrow 1$.
2. For $i = 2$ to $w$ do:
3.   If $2^{i-1} < xy \pmod{2^i}$ then $y \leftarrow y + 2^{i-1}$.
4. Return $y$.

To verify the correctness of Algorithm II.5, note that at the end of every execution of Step 3 we have
$$xy \equiv 1 \pmod{2^i}$$
(with the initial condition corresponding to $i = 1$). The method is very efficient, as only single precision arithmetic is used, assuming $2^w \leq b$ which holds in our case. This method of computing $x^{-1} \pmod{2^w}$ is due to Dussé and Kaliski [38].
Suppose two elements $x, y \in \mathbb{F}_p$ are given in their Montgomery representation, i.e. $X = xR \pmod p$ and $Y = yR \pmod p$. To compute $xyR \pmod p$, first compute the standard multi-precision multiplication of $X$ and $Y$ to obtain $Z' = xyR^2$, which is a number of size at most $p^2 < pR$. By applying Montgomery reduction to the number $Z'$ we obtain $Z$. Thus to multiply two elements in Montgomery representation we need only perform a single multi-precision multiplication followed by a Montgomery reduction. No divisions are needed.

The operation can be made more efficient by 'interleaving' the multiplication and reduction steps. Assume $X$ and $Y$ are given in the form above, i.e. $(x_{t-1}, \ldots, x_0)_b$ and $(y_{t-1}, \ldots, y_0)_b$. To compute the Montgomery product $Z = XYR^{-1} \pmod p$, perform the following:

ALGORITHM II.6: Montgomery Multiplication.
INPUT: $X$ and $Y$ as above.
OUTPUT: $Z = XYR^{-1} \pmod p$.
1. $Z \leftarrow 0$.
2. For $i = 0$ to $t - 1$ do:
3.   $u \leftarrow (z_0 + x_i y_0)p' \pmod b$,
4.   $Z \leftarrow (Z + x_i Y + up)/b$.
5. If $Z \geq p$ then $Z \leftarrow Z - p$.
6. Return $Z$.

Here $z_0$ denotes the least significant word of the current value of $Z$. Notice that the computation of $u$ in Step 3 can be performed in single precision and the computation of $Z$ in Step 4 requires two multiplications of a multi-precision integer by a word, then two multi-precision additions followed by a right shift.

Division in Montgomery representation can be performed using the binary extended Euclidean algorithm (see, e.g., [61], [29]). For example, given $X = xR \pmod p$, we can compute, using the standard binary extended Euclidean algorithm, the number $Y = x^{-1}R^{-1} \pmod p$. Then to compute $x^{-1}R \pmod p$ we need only perform a Montgomery multiplication of $Y$ and $R^3 \pmod p$. Kaliski noticed [58] that the binary extended Euclidean algorithm can be modified to compute the Montgomery inverse. Kaliski defines the Montgomery inverse of a number $x$ to be the integer $x^{-1}R \pmod p$, which is not quite what we want, but it is useful in some contexts.
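Algorithms II.4, II.5 and II.6 and the inversion via $R^3$, as one added example that is not the book's code. It works with 32-bit words, uses $p = 2^{127} - 1$ in the self-test (so $t = 4$ and $R = 2^{128}$), and stands in Python's built-in `pow(X, -1, p)` for the binary extended Euclidean algorithm, since the point here is the Montgomery bookkeeping rather than the inversion itself. Function names are ours.

```python
"""Montgomery arithmetic with 32-bit words: Algorithm II.5 (inverse modulo 2^w),
Algorithm II.4 (word-by-word Montgomery reduction), Algorithm II.6 (interleaved
Montgomery multiplication) and inversion via a Montgomery product with R^3.
Added example, not the book's code.  The self-test uses p = 2^127 - 1, so
t = 4 and R = 2^128; pow(X, -1, p) stands in for the binary extended Euclidean
algorithm."""
import random

W = 32
B = 1 << W
MASK = B - 1


def inv_mod_2w(x, w=W):
    """Algorithm II.5: y = x^{-1} mod 2^w for odd x; after iteration i, x*y = 1 mod 2^i."""
    assert x & 1, "x must be odd"
    y = 1
    for i in range(2, w + 1):
        if (x * y) % (1 << i) > (1 << (i - 1)):
            y += 1 << (i - 1)
    return y


def mont_setup(p):
    """t words, R = b^t > p and p' = -p^{-1} mod b (only the low word of p is needed)."""
    t = (p.bit_length() + W - 1) // W
    p_prime = (-inv_mod_2w(p & MASK)) & MASK
    return t, 1 << (W * t), p_prime


def mont_reduce(y, p, t, p_prime):
    """Algorithm II.4: y R^{-1} mod p for 0 <= y < pR.  Each step clears the current
    word i of y; after t steps y is divisible by R and the division is a word shift."""
    assert 0 <= y < (p << (W * t))
    for i in range(t):
        y_i = (y >> (W * i)) & MASK               # word i of the updated y
        u = (y_i * p_prime) & MASK                # Step 2, single precision
        y += (u * p) << (W * i)                   # Step 3: y_i + u*p = 0 (mod b)
    z = y >> (W * t)                              # Step 4
    return z - p if z >= p else z                 # Step 5 (z < 2p by Lemma II.1)


def mont_mul(X, Y, p, t, p_prime):
    """Algorithm II.6: Z = X Y R^{-1} mod p, multiplication and reduction interleaved."""
    Z, y0 = 0, Y & MASK
    for i in range(t):
        x_i = (X >> (W * i)) & MASK
        u = (((Z & MASK) + x_i * y0) * p_prime) & MASK     # Step 3: z_0 is the low word of Z
        Z = (Z + x_i * Y + u * p) >> W                     # Step 4: the sum is divisible by b
    return Z - p if Z >= p else Z                           # Step 5


def to_mont(x, p, R):
    return (x * R) % p


def mont_inverse(X, p, t, R, p_prime):
    """Given X = xR, return x^{-1} R: Y = X^{-1} = x^{-1} R^{-1}, then a Montgomery
    product with R^3 mod p contributes R^3 R^{-1} = R^2."""
    Y = pow(X, -1, p)                             # binary extended Euclid stand-in
    return mont_mul(Y, pow(R, 3, p), p, t, p_prime)


def selftest(p=2 ** 127 - 1, trials=200, seed=3):
    """Constructed random operands checked against plain modular arithmetic."""
    rng = random.Random(seed)
    t, R, p_prime = mont_setup(p)
    R_inv = pow(R, -1, p)
    for _ in range(trials):
        x, y = rng.randrange(1, p), rng.randrange(1, p)
        X, Y = to_mont(x, p, R), to_mont(y, p, R)
        if mont_mul(X, Y, p, t, p_prime) != to_mont(x * y % p, p, R):
            return False
        if mont_reduce(X * Y, p, t, p_prime) != X * Y * R_inv % p:
            return False
        if mont_reduce(mont_inverse(X, p, t, R, p_prime), p, t, p_prime) != pow(x, -1, p):
            return False
    return True
```

Note that `mont_reduce(X * Y)` and `mont_mul(X, Y)` compute the same value; the interleaved form never holds the full $2t$-word product, which is what saves memory traffic in a word-oriented implementation. Converting out of Montgomery form is itself a Montgomery reduction, since $(xR)R^{-1} = x$.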
II.1.5. Solving quadratic equations in fields of odd characteristic. Solving quadratic equations is an important operation in the context of elliptic curves, where it is used to obtain the $y$-coordinate of a point given its $x$-coordinate. In fields of characteristic different from two, this is done through the usual school formula, so the problem reduces to that of extracting square roots. The problem for the case of a prime finite field $\mathbb{F}_p$, $p > 2$, is considered.

Assume we wish to solve the equation
$$x^2 \equiv a \pmod p.$$
To test whether such an equation actually has a solution, the Legendre symbol $\left(\frac{a}{p}\right)$, which is equal to $1$ if $a$ is a square modulo $p$, $0$ if $a \equiv 0 \pmod p$, or $-1$ otherwise, is used. To compute the Legendre symbol the following method, based on quadratic reciprocity, can be used.

ALGORITHM II.7: Legendre Symbol.
INPUT: $a$ and $p$.
OUTPUT: $\left(\frac{a}{p}\right) \in \{1, 0, -1\}$.
1. If $a \equiv 0 \pmod p$ then return $0$.
2. $x \leftarrow a$, $y \leftarrow p$, $L \leftarrow 1$.
3. $x \leftarrow x \pmod y$.
4. If $x > y/2$ then do:
5.   $x \leftarrow y - x$,
6.   If $y \equiv 3 \pmod 4$ then $L \leftarrow -L$.
7. While $x \equiv 0 \pmod 4$ do $x \leftarrow x/4$.
8. If $x \equiv 0 \pmod 2$ then do:
9.   $x \leftarrow x/2$,
10.  If $y \equiv \pm 3 \pmod 8$ then $L \leftarrow -L$.
11. If $x = 1$ then return $L$.
12. If $x \equiv 3 \pmod 4$ and $y \equiv 3 \pmod 4$ then $L \leftarrow -L$.
13. Swap $x$ and $y$ and go to Step 3.

Alternatively we could compute $a^{(p-1)/2} \pmod p$. It can thus be decided whether $a$ is or is not a square. If $a \equiv 0 \pmod p$ then $a$ has only one square root modulo $p$, which is $0$. If $\left(\frac{a}{p}\right) = 1$ then there are two square roots modulo $p$ and we need to determine one of them. The following algorithm is based on a method of Tonelli and Shanks (see [29]).

ALGORITHM II.8: Square Root Modulo $p$.
INPUT: $a$ and $p$ such that $\left(\frac{a}{p}\right) = 1$.
OUTPUT: $x$ such that $x^2 \equiv a \pmod p$.
1. Choose random $n$ until one is found such that $\left(\frac{n}{p}\right) = -1$.
2. Let $e, q$ be integers such that $q$ is odd and $p - 1 = 2^e q$.
3. $y \leftarrow n^q \pmod p$, $r \leftarrow e$, $x \leftarrow a^{(q-1)/2} \pmod p$,
4. $b \leftarrow ax^2 \pmod p$, $x \leftarrow ax \pmod p$.
5. While $b \not\equiv 1 \pmod p$ do:
6.   Find the smallest $m$ such that $b^{2^m} \equiv 1 \pmod p$,
7.   $t \leftarrow y^{2^{r-m-1}} \pmod p$, $y \leftarrow t^2 \pmod p$, $r \leftarrow m$,
8.   $x \leftarrow xt \pmod p$, $b \leftarrow by \pmod p$.
9. Return $x$.

Throughout the loop the invariant $x^2 \equiv ab \pmod p$ is maintained, while the order of $b$, a power of two, strictly decreases at every iteration; hence the loop ends with $b = 1$ and $x^2 \equiv a$.

An analogue of the above method can be used to take square roots in any group of even order.
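Algorithms II.7 and II.8 in code, as an added example that is not the book's. The Legendre symbol is computed by the reciprocity method without any exponentiation and checked against Euler's criterion $a^{(p-1)/2}$; the square root routine keeps the invariant $x^2 \equiv ab$ and takes its random non-residue from a seeded generator so that the self-test is reproducible. The primes used include some with $p \equiv 1 \pmod 8$, where the while loop of Algorithm II.8 actually does work; function names are ours.

```python
"""Legendre symbol by quadratic reciprocity (Algorithm II.7) and square roots
modulo an odd prime p by the Tonelli-Shanks method (Algorithm II.8).  Added
example, not the book's code."""
import random


def legendre(a, p):
    """(a/p) in {1, 0, -1} for an odd prime p, without exponentiation."""
    x = a % p
    if x == 0:
        return 0                                   # Step 1
    y, L = p, 1                                    # Step 2
    while True:
        x %= y                                     # Step 3
        if x > y // 2:                             # Step 4: (-x/y) = (-1/y)(x/y)
            x = y - x
            if y % 4 == 3:
                L = -L
        while x % 4 == 0:                          # Step 7: factors of 4 are squares
            x //= 4
        if x % 2 == 0:                             # Step 8: (2/y) = -1 iff y = +-3 mod 8
            x //= 2
            if y % 8 in (3, 5):
                L = -L
        if x == 1:                                 # Step 11
            return L
        if x % 4 == 3 and y % 4 == 3:              # Step 12: quadratic reciprocity
            L = -L
        x, y = y, x                                # Step 13


def sqrt_mod(a, p, rng):
    """x with x^2 = a (mod p) by Algorithm II.8; rng supplies the random n of Step 1."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        raise ValueError("a is not a square modulo p")
    while True:                                    # Step 1: two trials expected
        n = rng.randrange(2, p)
        if legendre(n, p) == -1:
            break
    e, q = 0, p - 1                                # Step 2: p - 1 = 2^e q, q odd
    while q % 2 == 0:
        e, q = e + 1, q // 2
    y, r, x = pow(n, q, p), e, pow(a, (q - 1) // 2, p)   # Step 3
    b, x = a * x * x % p, a * x % p                # Step 4: now x^2 = a b (mod p)
    while b != 1:                                  # Step 5
        m, c = 1, b * b % p                        # Step 6: least m with b^(2^m) = 1
        while c != 1:
            m, c = m + 1, c * c % p
        t = pow(y, 1 << (r - m - 1), p)            # Step 7
        y, r = t * t % p, m
        x, b = x * t % p, b * y % p                # Step 8 keeps x^2 = a b
    return x                                       # Step 9


def selftest(seed=5):
    """Every residue of a few small primes, then random squares modulo 2^127 - 1:
    (a/p) must match Euler's criterion and every root found must square back to a."""
    rng = random.Random(seed)
    for p in (3, 5, 7, 13, 17, 41, 97, 113, 257):
        for a in range(p):
            euler = pow(a, (p - 1) // 2, p)
            expected = 0 if euler == 0 else (1 if euler == 1 else -1)
            if legendre(a, p) != expected:
                return False
            if expected == 1 and sqrt_mod(a, p, rng) ** 2 % p != a:
                return False
    p = 2 ** 127 - 1
    for _ in range(50):
        a = rng.randrange(1, p)
        sq = a * a % p
        if legendre(sq, p) != 1 or sqrt_mod(sq, p, rng) ** 2 % p != sq:
            return False
    return True
```

When $p \equiv 3 \pmod 4$ we have $e = 1$, Step 4 already gives $b = a^{(p-1)/2} = 1$ and the loop is skipped, so the routine returns $a^{(p+1)/4}$, the familiar shortcut; the general loop is only exercised for $p \equiv 1 \pmod 4$.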
II.2. Fields of Characteristic Two

Finite fields of characteristic 2 are attractive to implementers due to their 'carry-free' arithmetic, and the availability of different equivalent representations of the field, which can be adapted and optimized for the computational environment at hand. Specifically, in this section we discuss arithmetic over the finite field $\mathbb{F}_{2^n}$, $n \geq 1$. Field elements are represented as binary vectors of dimension $n$, relative to a given basis $(\alpha_0, \alpha_1, \ldots, \alpha_{n-1})$ of $\mathbb{F}_{2^n}$ as a linear space over $\mathbb{F}_2$. Field addition and subtraction are implemented as component-wise exclusive OR (XOR), while the implementations of multiplication and inversion depend on the basis chosen. Common practical choices and their implementations are discussed in the following sections. Polynomial, normal and subfield bases, plus some variants on these, are considered.
II.2.1. Polynomial bases. A polynomial (or standard) basis is of the form $(1, \alpha, \alpha^2, \ldots, \alpha^{n-1})$ where $\alpha$ is a root of an irreducible polynomial $f(x)$ of degree $n$ over $\mathbb{F}_2$. The field is then realized as $\mathbb{F}_2[x]/(f(x))$, and the arithmetic is that of polynomials of degree at most $n-1$, modulo $f(x)$.

Modular reduction. By choosing $f(x)$ as a low weight polynomial, i.e. one with the least possible number of non-zero coefficients, reduction modulo $f(x)$ becomes a very simple operation that is performed in time $O(Wn)$, where $W$ is the weight of $f$. It turns out that for cases of practical interest, it can be assumed that $f(x)$ is either a trinomial or a pentanomial (i.e., $W = 3$ or $5$). The existence, distribution and other properties of irreducible trinomials over $\mathbb{F}_2$ have been extensively studied in the literature. In particular, it follows from a theorem of Swan [156] that irreducible trinomials do not exist for $n \equiv 0 \pmod 8$, and that they are rather scarce when $n \equiv 3$ or $5 \pmod 8$; see [9, Ch. 6], [47], [86, Ch. 3], and the many references therein. Empirical studies for values of $n$ into the thousands ([14], [144]) show that irreducible trinomials exist for over half of the values of $n$ covered. On the other hand, the table in [144] shows that, at least up to degree $n = 10\,000$, in all cases where an irreducible trinomial is not available, an irreducible pentanomial is. In fact, there is no known value of $n$ for which an irreducible polynomial of odd weight $W \leq 5$ does not exist. The general question, however, remains open for any fixed odd weight $W > 3$.

The following algorithm exemplifies reduction of a polynomial of degree $2n-2$, such as is obtained from the product of two polynomials of degree $n-1$, modulo a trinomial $f(x)$. The extension to pentanomials is straightforward.

ALGORITHM II.9: Reduction Modulo $f(x) = x^n + x^t + 1$, $0 < t < n$.
INPUT: $a(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{2n-2} x^{2n-2} \in \mathbb{F}_2[x]$.
OUTPUT: $r(x) \equiv a(x) \pmod{f(x)}$, $\deg r(x) < n$.
1. For $i = 2n-2$ to $n$ by $-1$ do:
2.   $a_{i-n} \leftarrow a_{i-n} + a_i$, $a_{i-n+t} \leftarrow a_{i-n+t} + a_i$.
3. Return $r(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1}$.

Step 2 uses $x^i = x^{i-n}x^n \equiv x^{i-n}(x^t + 1) \pmod{f(x)}$; since $i - n + t < i$, a coefficient pushed to a position of degree $n$ or more is handled later in the same downward scan. The above algorithm operates on $a(x)$ 'in place', obviating the need for extra storage for the result $r(x)$. Also, in a software environment, the algorithm is easily adapted to operate on computer words. If $n - t \geq w$, where $w$ is the word size, then the algorithm scans the words containing the coefficients $a_{2n-2}, a_{2n-3}, \ldots, a_n$ from higher order to lower order, adding each word into two positions offset $n - t$ and $n$ bits back, respectively. The condition on $n - t$ guarantees that a word does not add to any part of itself, and is thus processed only once. Each offset location requires up to two word XOR operations, since it might not be word-aligned. The total number of word XOR operations in the trinomial case is therefore at most $4\lceil n/w \rceil$. In general, reduction modulo an irreducible of weight $W$ requires at most $2(W-1)\lceil n/w \rceil$ word XOR operations.

Another favoured choice of irreducible polynomial is one of the form $f(x) = x^n + g(x)$ where the degree of $g(x)$ is 'small' relative to $n$. This is analogous to the choice of primes of the form $p = b^t - a$ for $\mathbb{F}_p$ in Section II.1.1, with a small value of $a$. This case also leads to a fast modular reduction procedure, although slightly less efficient than the one based on low weight irreducibles.
Multiplication. When using polynomial bases, the first stage in computing the product of two elements in $\mathbb{F}_{2^n}$ is the multiplication of two polynomials of degree at most $n-1$ in $\mathbb{F}_2[x]$. This is a 'carry-free' version of the multiplication of two $n$-bit integers, and most methods for integer multiplication have analogues in $\mathbb{F}_2[x]$. In particular, for large $n$ a fast asymptotic method of complexity $O(n \log n \log\log n)$, due to Schönhage, is described in [140] (see also [61, Ch. 4]). However, in practical implementations of elliptic curve cryptography, moderate values of $n$ in the low hundreds are typical. When data is appropriately packed into computer words (typically, of 32 or 64 bits), this translates into a small number of words, and the overhead of the fast asymptotic methods is seldom justified. Instead, simpler methods are often used, which are asymptotically inferior but lend themselves to very compact and efficient implementations for the range of values of interest. In particular, the old and well tried $O(n^{\log_2 3})$ recursive subdivision method first described for integers by Karatsuba [59] is often appropriate.

Assume $n$ is even. To compute the product $a(x)b(x)$, where $a(x), b(x) \in \mathbb{F}_2[x]$ have degree $n-1$, we write
$$a(x)b(x) = (A_1(x)X + A_0(x))(B_1(x)X + B_0(x)), \qquad \text{(II.1)}$$
where $A_0, A_1, B_0, B_1$ are polynomials of degree $n/2 - 1$, and $X = x^{n/2}$. The right-hand side of Equation (II.1) can be regarded as the product of two linear polynomials in $X$, with coefficients in $\mathbb{F}_2[x]$. This product can be derived from the three products $A_0B_0$, $A_1B_1$ and $(A_0 + A_1)(B_0 + B_1)$ of polynomials of degree $n/2 - 1$, the middle coefficient being $(A_0 + A_1)(B_0 + B_1) + A_0B_0 + A_1B_1$; i.e., one problem of size $n$ is solved by solving three problems of size $n/2$. Similarly, when $n$ is odd, a problem of size $n$ can be reduced to one of size $(n-1)/2$ and two of size $(n+1)/2$. In either case, proceeding recursively leads to an overall number of operations $O(n^{\log_2 3})$ (detailed analysis can be found in [61, Ch. 4]). In practice, the procedure is implemented on words, and the multiplication of two word-sized polynomials, taken as the basis of the recursion, is optimized for the machine at hand. If $n$ is fixed, the recursion can be 'unrolled', and the computation can be expressed as a straight-line algorithm. Also, it is sometimes advantageous to depart from a pure binary subdivision recursion. For example, multiplying two three-word polynomials takes seven word multiplications using a pure Karatsuba procedure, but can be done in six word multiplications using a direct straight-line algorithm for multiplication of binary quadratic polynomials; in fact, six is the minimum number of multiplications for this problem (see, e.g., [164], [76]).

As a final remark on multiplication in polynomial representation, recall that squaring a polynomial is much easier than general multiplication in $\mathbb{F}_2[x]$. To square a binary polynomial, we just 'thin it out', inserting a zero between every two original coefficients. Thus, the complexity of the squaring operation is $O(n)$, comparable to that of the modular reduction, assuming a low weight modulus is used.
Inversion. The extended Euclidean algorithm is a natural choice for computing inverses in polynomial representations. As with multiplication, fast asymptotic algorithms are available for this computation. An $O(M(n)\log n)$ algorithm for computing greatest common divisors is described in [5], where $M(n)$ denotes the complexity of multiplying $n$-bit polynomials. The algorithm can be easily adapted to compute modular inverses and, combined with the results of [140], yields an overall complexity $O(n \log^2 n \log\log n)$. But again, asymptotically fast methods start being effective at fairly large values of $n$, usually beyond those used in practical elliptic curve cryptosystems. Therefore, practical implementations for moderate values of $n$ often rely on variants of the binary extended Euclidean algorithm for polynomials (see, e.g., [9, Ch. 2], [61, Ch. 4]). In any case, inversion in $\mathbb{F}_{2^n}$ is often significantly slower than multiplication.

In fact, an inversion can sometimes be favourably replaced by a chain of multiplications. Such schemes derive from the field equation, which can be recast as
$$\beta^{-1} = \beta^{2^n - 2} = \left(\beta^{2^{n-1} - 1}\right)^2$$
for all $\beta \neq 0$ in $\mathbb{F}_{2^n}$. A technique for minimizing the number of general multiplications in this computation (i.e., not counting squarings, which are much cheaper) is described by Itoh and Tsujii in [54]. The method is based on the identities
$$\beta^{2^{n-1}-1} = \left(\beta^{2^{(n-1)/2}-1}\right)^{2^{(n-1)/2}} \cdot \beta^{2^{(n-1)/2}-1}, \qquad n \text{ odd},$$
$$\beta^{2^{n-1}-1} = \beta \cdot \beta^{2^{n-1}-2} = \beta \cdot \left(\beta^{2^{n-2}-1}\right)^2, \qquad n \text{ even}.$$
Denoting by $\mu(n-1)$ the number of multiplications required to compute $\beta^h$ where $h = 2^{n-1} - 1$, we have $\mu(n-1) = 1 + \mu((n-1)/2)$ when $n$ is odd, and $\mu(n-1) = 1 + \mu(n-2) = 2 + \mu((n-2)/2)$ when $n$ is even. Now, setting $\mu(1) = 0$, $\mu(2) = 1$ as the basis for the recursion, it is straightforward to prove that
$$\mu(n-1) = \lfloor \log_2(n-1) \rfloor + W(n-1) - 1,$$
where $W(k)$ denotes the weight (number of non-zero bits in the binary representation) of a positive integer $k$. Also, the number of squarings is readily determined, using simple recursion, to be $n - 1$. As an example, consider $n = 163$. Then, since $162 = (10100010)_2$, we have $\mu(162) = 7 + 3 - 1 = 9$, i.e. an inverse in $\mathbb{F}_{2^{163}}$ can be computed with 9 multiplications and 162 squarings.

Clearly, the inversion scheme just described is advantageous when squaring is very inexpensive, as in the case when normal bases are used. (These bases are discussed in the next subsection.) The scheme might still be appropriate for polynomial bases, but this is more dependent on specific implementation details. An alternative way to trade inversions for multiplications in the context of elliptic curve computations, without increasing the number of squarings so significantly, is to use projective coordinates for the elliptic curve points. With this approach, field inversions are deferred, and usually only one such operation is required at the end of a long sequence of multiplications. We will get back to projective coordinates in Chapter IV.

An analogue of Montgomery multiplication for fields of characteristic two is described in [67]. We shall not consider this technique here, as modular reduction is not a computational bottleneck in characteristic two when low weight irreducible polynomials are used.
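Polynomial-basis arithmetic as described in this subsection, in one added example that is not the book's code: Algorithm II.9 both coefficient by coefficient and on whole blocks of high bits, Karatsuba multiplication following Equation (II.1) with the odd/even split, squaring by 'thinning out', and Itoh-Tsujii inversion with its operation counts. The field is $\mathbb{F}_{2^{233}}$ with the irreducible trinomial $x^{233} + x^{74} + 1$ (the polynomial of the NIST B-233 curve), chosen here because the algorithm above is stated for trinomials; for $n = 233$ the formula gives $\mu(232) = 7 + 4 - 1 = 10$ multiplications and $232$ squarings, and the self-test checks that the implementation performs exactly that many. Elements are Python integers whose bit $i$ is the coefficient of $x^i$; function names are ours.

```python
"""GF(2^233) in polynomial basis with f(x) = x^233 + x^74 + 1 (the irreducible
trinomial of NIST curve B-233).  Added example, not the book's code: Algorithm
II.9 reduction (bitwise and by block shifts), Karatsuba multiplication, squaring
by 'thinning out', and Itoh-Tsujii inversion with its operation counts.
Field elements are Python ints; bit i is the coefficient of x^i."""
import random

N, T = 233, 74
MASK_N = (1 << N) - 1


def reduce_alg_II9(a):
    """Algorithm II.9 literally: fold a_i (i = 2n-2 .. n) into a_{i-n} and a_{i-n+t}."""
    for i in range(2 * N - 2, N - 1, -1):
        if (a >> i) & 1:
            a ^= (1 << i) | (1 << (i - N)) | (1 << (i - N + T))
    return a


def reduce_fast(a):
    """Same reduction on the whole block above x^n at once (x^n = x^t + 1 mod f),
    repeated until nothing is left above x^n; this is the word-level view."""
    while a >> N:
        high = a >> N
        a = (a & MASK_N) ^ high ^ (high << T)
    return a


def mul_schoolbook(a, b):
    """Carry-free shift-and-XOR product in GF(2)[x]; base case of the recursion."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r


def karatsuba(a, b, bits):
    """Equation (II.1): split at X = x^h, three half-size products; in
    characteristic 2 the middle coefficient is p1 ^ p0 ^ p2."""
    if bits <= 32:
        return mul_schoolbook(a, b)
    h = bits // 2                                  # low parts: h bits, high parts: bits-h bits
    mask = (1 << h) - 1
    a0, a1, b0, b1 = a & mask, a >> h, b & mask, b >> h
    p0 = karatsuba(a0, b0, h)                      # A0 B0
    p2 = karatsuba(a1, b1, bits - h)               # A1 B1
    p1 = karatsuba(a0 ^ a1, b0 ^ b1, bits - h)     # (A0 + A1)(B0 + B1)
    return p0 ^ ((p1 ^ p0 ^ p2) << h) ^ (p2 << (2 * h))


def field_mul(a, b):
    return reduce_fast(karatsuba(a, b, N))


def field_sqr(a):
    """Squaring in GF(2)[x] inserts a zero between consecutive coefficients."""
    r = 0
    for i in range(N):
        if (a >> i) & 1:
            r |= 1 << (2 * i)
    return reduce_fast(r)


def itoh_tsujii_inverse(beta):
    """beta^{-1} = (beta^(2^(n-1) - 1))^2 via the two identities in the text.
    Returns (inverse, number of multiplications, number of squarings)."""
    counts = [0, 0]

    def sqr(x):
        counts[1] += 1
        return field_sqr(x)

    def mul(x, y):
        counts[0] += 1
        return field_mul(x, y)

    def power(x, k):                               # x^(2^k - 1)
        if k == 1:
            return x
        if k % 2 == 0:                             # 2^k - 1 = (2^(k/2) - 1) 2^(k/2) + (2^(k/2) - 1)
            g = power(x, k // 2)
            h = g
            for _ in range(k // 2):
                h = sqr(h)
            return mul(h, g)
        return mul(x, sqr(power(x, k - 1)))        # 2^k - 1 = 1 + 2 (2^(k-1) - 1)

    return sqr(power(beta, N - 1)), counts[0], counts[1]


def mu(k):
    """floor(log2 k) + W(k) - 1: multiplications needed for beta^(2^k - 1)."""
    return (k.bit_length() - 1) + bin(k).count("1") - 1


def selftest(seed=11):
    """Constructed random elements: Karatsuba vs schoolbook, both reductions,
    squaring vs multiplication, and the inverse with the predicted operation counts."""
    rng = random.Random(seed)
    a, b = rng.getrandbits(N) | 1, rng.getrandbits(N)
    prod = mul_schoolbook(a, b)
    ok = karatsuba(a, b, N) == prod and reduce_alg_II9(prod) == reduce_fast(prod)
    ok = ok and field_mul(a, a) == field_sqr(a)
    inv, mults, sqrs = itoh_tsujii_inverse(a)
    return ok and field_mul(a, inv) == 1 and mults == mu(N - 1) == 10 and sqrs == N - 1
```

The recursion in `power` mirrors the two identities exactly: the even case costs one multiplication and $k/2$ squarings, the odd case one multiplication and one squaring on top of the even case, which is where the $\mu(n-1) = 2 + \mu((n-2)/2)$ term comes from.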
II.2.2. Normal bases. A normal basis of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$ has the form $(\alpha, \alpha^2, \alpha^{2^2}, \ldots, \alpha^{2^{n-1}})$ for some $\alpha \in \mathbb{F}_{2^n}$. It is well known (see, e.g., [86, Ch. 2]) that such bases exist for all $n \geq 1$. Normal bases are useful mostly in hardware implementations. First, the field squaring operation is trivial in normal basis representation, as it amounts to just a cyclic shift of the binary vector representing the input operand. More importantly, normal bases allow for the design of efficient bit-serial multipliers, such as the one described by Massey and Omura in [115].

A measure of the hardware complexity of such a multiplier is given by the number $C_\alpha$ of ones in the $n \times n$ binary matrix $T = (T_{ij})$ defined by
$$\alpha^{1+2^i} = \sum_{j=0}^{n-1} T_{ij}\,\alpha^{2^j}, \qquad 0 \leq i \leq n-1. \qquad \text{(II.2)}$$
The matrix $T$ completely determines the structure of multiplication for the normal basis, as it captures all the information on products of basis elements. It is clear that $C_\alpha \leq n^2$. On the other hand, $C_\alpha$ satisfies the lower bound $C_\alpha \geq 2n - 1$ [112]. When the lower bound is attained, $\alpha$ is said to generate an optimal normal basis (ONB). An alternative characterization states that $\alpha$ generates an ONB if and only if for all $i_1, i_2$, $0 \leq i_1 < i_2 \leq n - 1$, there exist integers $j_1, j_2$ such that
$$\alpha^{2^{i_1} + 2^{i_2}} = \alpha^{2^{j_1}} + \alpha^{2^{j_2}}.$$
It is easy to verify the definitions are equivalent.

The existence of optimal normal bases has been completely characterized in [112] and [45] (see also [15, Ch. 5]). In particular, an ONB of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$ exists if and only if one of the following conditions holds:
(i) $n + 1$ is prime, and $2$ is primitive in $\mathbb{F}_{n+1}$; then the $n$ non-trivial $(n+1)$st roots of unity form an ONB of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$, called a Type I ONB;
(ii) $2n + 1$ is prime, and either
  (1) $2$ is primitive in $\mathbb{F}_{2n+1}$, or
  (2) $2n + 1 \equiv 3 \pmod 4$ and the multiplicative order of $2$ in $\mathbb{F}_{2n+1}$ is $n$; that is, $2$ generates the quadratic residues in $\mathbb{F}_{2n+1}$;
then, $\alpha = \gamma + \gamma^{-1}$ generates an ONB of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$, where $\gamma$ is a primitive $(2n+1)$st root of unity; this is called a Type II ONB.

Apart from their hardware complexity advantages, we mention a few of the other interesting properties of ONBs, which follow readily from the characterization above. First, an ONB is always self-dual [86, Ch. 3], i.e., $\mathrm{Tr}_{q|2}(\alpha_i \alpha_j) = 1$ if and only if $i = j$, where $\alpha_i, \alpha_j$ denote arbitrary basis elements, and $\mathrm{Tr}_{q|2}(z)$ denotes the trace of $z \in \mathbb{F}_q$ over $\mathbb{F}_2$, $q = 2^n$. Second, when an ONB of $\mathbb{F}_{2^n}$ exists, it is unique. Finally, the matrix $T$ can be constructed directly from properties of the residue classes of integers modulo $n + 1$ (Type I) or $2n + 1$ (Type II) [15, Ch. 5]. Thus, the field algebra can be realized directly without first requiring the construction of a binary irreducible polynomial of degree $n$.

The bit-serial multipliers that are very effective for ONBs in hardware do not always map nicely into efficient software implementations, as single bit operations are expensive in the latter. Also, while efficient bit-serial implementations are available for multiplication in ONB representation, they do not carry to inversion operations. It turns out, however, that by applying simple permutations, operations on ONB arithmetic, of both Types I and II, can be handled through polynomial representations in a manner similar to the case of standard bases.

For Type I ONBs, we observe that the minimal polynomial of α is f(x) = x^n + x^{n−1} + ··· + x + 1, and the set {α, α^2, α^{2^2}, ..., α^{2^{n−1}}} is the same as the set {α, α^2, α^3, ..., α^n}. Therefore, for an element with coordinates (a_0, a_1, ..., a_{n−1}) in ONB representation, we can write

$$\sum_{i=0}^{n-1} a_i \alpha^{2^i} = \sum_{j=1}^{n} a_{\pi(j)} \alpha^j,$$

where the bijection π : {1, 2, ..., n} → {0, 1, ..., n−1} is defined so that π(j) = i whenever 2^i ≡ j (mod n+1). Thus, after suitable permutation, we can operate on elements in ONB representation as polynomials modulo f(x), or even simpler, modulo (x+1)f(x) = x^{n+1} + 1. The latter will give results in terms of 1, α, α^2, ..., α^n, which are brought back to the desired basis by using, when needed, the equality 1 = α + α^2 + ··· + α^n.

A similar, albeit slightly more involved, transformation for Type II ONBs is described by Blake et al. in [16]. Write p = 2n + 1, where n satisfies Condition (ii) above, and let γ be a pth root of unity. Let Φ denote the vector space of all polynomials of the palindromic form

$$a(x) = \sum_{j=1}^{p-1} a_j x^j, \quad \text{where } a_j = a_{p-j} \text{ for } j = 1, 2, \ldots, n.$$

We call the elements of Φ palindromic polynomials. In palindromic representation of F_{2^n}, each field element corresponds to a palindromic polynomial. Addition is defined in the usual way, and the product of two palindromic polynomials a(x), b(x) ∈ Φ is the unique polynomial c(x) ∈ Φ such that

$$c(x) \equiv a(x) \cdot b(x) \pmod{x^p - 1}. \qquad (II.3)$$

When we substitute x = γ in a(x), we obtain

$$a(\gamma) = \sum_{j=1}^{p-1} a_j \gamma^j = \sum_{j=1}^{n} a_j (\gamma^j + \gamma^{-j}).$$

It follows from Condition (ii) that for every j ∈ {1, 2, ..., n}, exactly one element in the pair {j, p − j} can be written as 2^i modulo p, for some 0 ≤ i ≤ n − 1. Hence, we can write

i = 0                    i = 0                    i = 0                    (II.4)

where all indices are taken modulo p. Equation (II.4) implies that, up to permutation, the elements a_1, a_2, ..., a_n are the coefficients of the ONB representation of a(γ). It follows from this simple relationship between the coefficients of a(x) and the ONB representation of a(γ) that arithmetic operations in ONB representation can be realized as polynomial operations modulo x^p − 1. In particular, inverses in ONB representation can be computed using the Euclidean algorithm.

As an example of the transformation for Type II ONBs, consider the case n = 5. It is readily verified that this case satisfies Condition (ii), with 2 being primitive modulo p = 11. We have (2^0, 2^1, 2^2, 2^3, 2^4) ≡ (1, 2, 4, −3, 5) (mod 11).
Thus, an element a_0 α + a_1 α^2 + a_2 α^4 + a_3 α^8 + a_4 α^16 in ONB representation corresponds to the palindromic polynomial
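The following Python program is an added example, not from the book: it implements the existence test of Conditions (i) and (ii), the Type I permutation π, and the Type II map from ONB coordinates to palindromic exponents described above, for the n = 5 case and in general. The function names are this example's own, as is the routine type2_basis_product, which reads off from the residue classes modulo p which two basis elements sum to α^{2^i} · α^{2^j} (the information carried by the matrix T mentioned earlier).

```python
# Added example (not from the book): ONB existence test of Conditions (i)/(ii)
# and the index maps between ONB coordinates and the polynomial representations
# of this section (Type I: modulo x^(n+1) + 1; Type II: palindromic
# polynomials modulo x^p - 1 with p = 2n + 1).

def mult_order(g, m):
    """Multiplicative order of g modulo m (assumes gcd(g, m) = 1)."""
    k, x = 1, g % m
    while x != 1:
        x = (x * g) % m
        k += 1
    return k

def is_prime(m):
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True

def onb_type(n):
    """1 or 2 if F_{2^n} has a Type I / Type II ONB over F_2, else 0."""
    # Condition (i): n + 1 prime and 2 primitive modulo n + 1.
    if is_prime(n + 1) and mult_order(2, n + 1) == n:
        return 1
    # Condition (ii): p = 2n + 1 prime and either 2 primitive modulo p, or
    # p = 3 (mod 4) and 2 generates the quadratic residues (order n).
    p = 2 * n + 1
    if is_prime(p):
        k = mult_order(2, p)
        if k == 2 * n or (p % 4 == 3 and k == n):
            return 2
    return 0

def type1_permutation(n):
    """pi(j) = i whenever 2^i = j (mod n + 1), for a Type I ONB."""
    assert onb_type(n) == 1
    return {pow(2, i, n + 1): i for i in range(n)}

def type2_exponent(n):
    """Type II ONB: map coordinate index i to the exponent j in 1..n of the
    palindromic pair x^j + x^(p-j) that carries coefficient a_i (p = 2n + 1)."""
    assert onb_type(n) == 2
    p = 2 * n + 1
    out = {}
    for i in range(n):
        e = pow(2, i, p)             # exactly one of {e, p - e} lies in 1..n
        out[i] = e if e <= n else p - e
    return out

def type2_basis_product(n, i, j):
    """Indices of the ONB elements whose sum equals alpha^(2^i) * alpha^(2^j).
    With alpha = x + x^-1 modulo x^p - 1 (i.e. gamma + gamma^-1),
    (x^a + x^-a)(x^b + x^-b) = (x^(a+b) + x^-(a+b)) + (x^(a-b) + x^-(a-b)),
    and each pair {e, p - e} is one basis element."""
    p = 2 * n + 1
    idx = {e: k for k, e in type2_exponent(n).items()}   # exponent -> index
    a, b = pow(2, i, p), pow(2, j, p)
    terms = []
    for e in ((a + b) % p, (a - b) % p):
        if e == 0:                   # x^0 + x^0 = 0 in characteristic two (i == j)
            continue
        terms.append(idx[min(e, p - e)])
    return sorted(terms)
```

For n = 5 the map type2_exponent(5) sends coordinates 0, 1, 2, 3, 4 to exponents 1, 2, 4, 3, 5, matching (2^0, ..., 2^4) ≡ (1, 2, 4, −3, 5) (mod 11) above, and type2_basis_product confirms the ONB characterization at the start of this discussion: every product of two distinct basis elements is the sum of exactly two basis elements, and squaring a basis element gives the next one.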

II.2.3. Subfield bases. When n = n_1 n_2, we can regard F_{2^n} as an extension of degree n_2 of F_{2^{n_1}}, and represent elements of F_{2^n} using a basis of the form {α_i β_j : 0 ≤ i < n_1, 0 ≤ j < n_2}, where β_0, β_1, ..., β_{n_2−1} form a basis of F_{2^n} over F_{2^{n_1}}, and α_0, α_1, ..., α_{n_1−1} form a basis of F_{2^{n_1}} over F_2. Thus, arithmetic can be done in two stages, with an 'outer' section doing operations on elements of F_{2^n} as vectors of symbols from F_{2^{n_1}}, and an 'inner' section performing the operations on the symbols as binary words. Any combination of bases can be used, e.g., normal basis for the outer section, and polynomial basis for the inner one.

The subfield representation is particularly advantageous when n_1 is large enough so that n_2 is small, but n_1 is still small enough so that symbol operations can be made very fast in the computational environment at hand, e.g. by implementing the F_{2^{n_1}} arithmetic through look-up tables. Values of n_1 between, say, 4 and 16 are typical. The F_{2^n} inversion operation benefits the most from this structure, as the Euclidean algorithm is performed on much shorter polynomials, and the scheme benefits from the parallelization resulting from operations on symbols. Thus, typically, when a subfield representation is used, the gap between the running times of inversion and multiplication is smaller, as compared to a representation over F_2. The latter, of course, is a special case of a subfield basis with n_1 = 1.

Inversion methods based on repeated multiplication can also be made more efficient when a subfield is available. Here, for any non-zero β ∈ F_{2^n}, we can write

$$\beta^{-1} = \frac{\beta^{s-1}}{\beta^{s}}, \qquad (II.5)$$

where s = (2^n − 1)/(2^{n_1} − 1). The key observation is that β^s is in the subfield F_{2^{n_1}} (being the norm [86, Ch. 3] of β over F_{2^{n_1}}). Hence, to compute β^{−1}, we obtain first β^{s−1} with an optimized addition chain (discussed in Chapter IV), and then β^s with an additional multiplication. The quotient in Equation (II.5) is finally obtained with an inverse in F_{2^{n_1}} and a scalar multiplication by the resulting subfield element. A scheme along these lines is analysed in [49].

Besides their advantages in implementing finite field arithmetic, subfields can help in two other central problems in elliptic curve cryptosystems: curves whose coefficients are in subfields allow for easier determination of the group order (as discussed in Section VI.4), and they offer 'shortcuts' for the important point multiplication operation (as discussed in Section IV.3). Unfortunately, behind the same nice algebraic structure that leads to these advantages could also lurk as yet undiscovered cryptographic weaknesses, as suspected by some researchers.
II.2.4. Solving quadratic equations in F_{2^n}. An equation of the form x^2 + β = 0 is trivially solved in F_{2^n} by writing its (double) root x_0 explicitly as x_0 = β^{2^{n−1}}. Other non-trivial quadratic equations can always be brought to the canonical form

$$x^2 + x + \beta = 0. \qquad (II.6)$$

This equation has solutions in F_{2^n} if and only if Tr_{q|2}(β) = 0. If x_0 is such a solution, then so is x_0 + 1.

The procedure for finding a solution varies according to the parity of n. If n is odd, an explicit solution is given by x_0 = T(β), where T, the half-trace function, is defined by

$$T(\beta) = \sum_{j=0}^{(n-1)/2} \beta^{2^{2j}}. \qquad (II.7)$$

It can be verified by direct inspection that T(β)^2 + T(β) = β + Tr_{q|2}(β), which verifies the solution when Tr_{q|2}(β) = 0.

When n is even, the half-trace will not do, and a solution is found using the following procedure. Let δ ∈ F_{2^n} be such that Tr_{q|2}(δ) = 1. Such an element can be obtained either by randomly drawing field elements until one is found (with a probability of one half each try), or by deterministically computing the traces of the basis elements α_0, α_1, ..., α_{n−1}. At least one basis element must have trace one. In practice, computing these basis traces can be a good investment, as the vector

$$t = (\mathrm{Tr}_{q|2}(\alpha_0), \mathrm{Tr}_{q|2}(\alpha_1), \ldots, \mathrm{Tr}_{q|2}(\alpha_{n-1}))$$

is useful for computing traces of arbitrary field elements. With δ at hand, a solution x_0 to Equation (II.6) is given by

(II.8)

To verify that x_0 is indeed a solution, we compute

$$x_0^2 + x_0 = \delta\left(\beta^{2^{n-1}} + \beta^{2^{n-2}} + \cdots + \beta^2\right) + \left(\delta^{2^{n-1}} + \delta^{2^{n-2}} + \cdots + \delta^2\right)\beta = \delta\,\mathrm{Tr}_{q|2}(\beta) + \beta,$$

where the last equality follows from δ^{2^{n−1}} + δ^{2^{n−2}} + ··· + δ^2 = Tr_{q|2}(δ) + δ = 1 + δ. Thus, x_0^2 + x_0 = β if and only if Tr_{q|2}(β) = 0, as desired.
Virtually all the algorithms discussed in this chapter find application in the implementation of the elliptic curve systems discussed in the remainder of the book.
CHAPTER III
Arithmetic on an Elliptic Curve

There is an extensive literature on elliptic curves. They arise naturally in many branches of mathematics and are closely linked with the theory of elliptic functions, from which they derive their name. In the recent past they have, for instance, been studied for their uses in the solution to Fermat's Last Theorem [162]. One notices immediately that they are not ellipses, and hence a brief account of how the name arises is appropriate at this point. Just as the arc lengths on a circle give rise to the trigonometric functions, sin, cos and tan, a similar study for ellipses leads one to consider elliptic integrals. These are integrals of the form

$$\int \frac{dx}{\sqrt{4x^3 - g_2 x - g_3}}.$$

Such integrals are multi-valued on the complex numbers and are only well defined modulo a period lattice. One can hence consider the 'inverse' of an elliptic integral to be a function defined on a torus. The values taken by such an 'inverse' function give a doubly periodic complex function called an elliptic function. Indeed all meromorphic doubly periodic functions on the complex numbers arise in this way. It turns out that every doubly periodic function ℘ with periods that are independent over ℝ satisfies an equation of the form

(III.1)

for some constants g_2 and g_3. For future reference, such a function ℘ will be referred to as a Weierstrass ℘ function. If we consider the pair (℘, ℘') as being a point in space, then the solutions to Equation (III.1) provide a mapping from a torus (as ℘ is doubly periodic) to the curve

$$Y^2 = 4X^3 - g_2 X - g_3.$$

This is an example of an elliptic curve (the 4 in front of the X^3 term is traditional in analytic circles; it can clearly be scaled away). In this chapter we present the basic concepts from the theory of elliptic curves that are required for developing the material in the rest of the book. The treatment is far from comprehensive, of course.¹ The reader is referred to [147] and [148] for a more comprehensive treatment, including most proofs missing here.

¹ 'It is possible to write endlessly on elliptic curves.' S. Lang, in the foreword to [72].
III.1. General Elliptic Curves

Let K be a field, K̄ its algebraic closure, and K* its multiplicative group. An elliptic curve over K will be defined as the set of solutions in the projective plane P^2(K̄) of a homogeneous Weierstrass equation of the form

$$E : Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3, \qquad (III.2)$$

with a_1, a_2, a_3, a_4, a_6 ∈ K. This equation is also referred to as the long Weierstrass form. Such a curve should be non-singular in the sense that, if the equation is written in the form F(X, Y, Z) = 0, then the partial derivatives of the curve equation ∂F/∂X, ∂F/∂Y, and ∂F/∂Z should not vanish simultaneously at any point on the curve.

Let k be a field satisfying K ⊆ k ⊆ K̄. A point (X, Y, Z) on the curve is k-rational if (X, Y, Z) = (aX', aY', aZ') for some a ∈ K̄ and (X', Y', Z') ∈ k^3 \ {(0, 0, 0)}, i.e., up to projective equivalence, the coordinates of the point are in k. The set of k-rational points on E is denoted by E(k). When the field of definition of the curve, K, is clear from the context, we will refer to K-rational points simply as rational points. The curve has exactly one rational point with coordinate Z equal to zero, namely (0, 1, 0). This is the point at infinity, which will be denoted by O.

For convenience, we will most often use the affine version of the Weierstrass equation, given by

$$E : Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6, \qquad (III.3)$$

where a_i ∈ K. The K-rational points in the affine case are the solutions to E in K^2, and the point at infinity O. For curves over the reals, this point can be thought of as lying infinitely far up the y-axis. We will switch freely between the projective and affine presentations of the curve, denoting the equation in both cases by E. For Z ≠ 0, a projective point (X, Y, Z) satisfying Equation (III.2) corresponds to the affine point (X/Z, Y/Z) satisfying Equation (III.3). In Chapter IV, we will consider a different projective representation which is convenient from a computational point of view.

Given an elliptic curve defined by Equation (III.3), it is useful to define the following constants for use in later formulae:

$$b_2 = a_1^2 + 4a_2, \quad b_4 = a_1 a_3 + 2a_4, \quad b_6 = a_3^2 + 4a_6,$$
$$b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2, \qquad (III.4)$$
$$c_4 = b_2^2 - 24 b_4, \quad c_6 = -b_2^3 + 36 b_2 b_4 - 216 b_6.$$

The discriminant of the curve is defined as

$$\Delta = -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6.$$
When char(K) ≠ 2, 3, the discriminant can also be expressed as

$$\Delta = (c_4^3 - c_6^2)/1728$$

(notice that 1728 = 2^6 3^3). A curve is then non-singular if and only if Δ ≠ 0. When Δ ≠ 0, the j-invariant of the curve is defined as

$$j(E) = c_4^3 / \Delta. \qquad (III.5)$$

The j-invariant is closely related to the notion of elliptic curve isomorphism. Two elliptic curves defined by Weierstrass equations E (with variables X, Y) and E' (with variables X', Y') are isomorphic over K if and only if there exist constants r, s, t ∈ K and u ∈ K*, such that the change of variables

$$X = u^2 X' + r, \quad Y = u^3 Y' + s u^2 X' + t \qquad (III.6)$$

transforms E into E'. The transformation in Equations (III.6) is referred to as an admissible change of variables. Clearly, this transformation is reversible, and its inverse also defines an admissible change of variables that transforms E' into E. Such an isomorphism defines a bijection between the set of rational points in E and the set of rational points in E'. Notice that isomorphism is defined relative to the field K. Curves that are not isomorphic over K can become so over an extension K' ⊇ K. Curve isomorphism over K is an equivalence relation. The following lemma establishes the fact that, over the algebraic closure K̄, the j-invariant characterizes the equivalence classes in this relation. Proofs for all characteristics can be found in [147].

LEMMA III.1. Two elliptic curves that are isomorphic over K have the same j-invariant. Conversely, two curves with the same j-invariant are isomorphic over K̄.
III.2. The Group Law

Assume, for the moment, that char(K) ≠ 2, 3, and consider the admissible change of variables given by

$$X = X' - \frac{b_2}{12}, \quad Y = Y' - \frac{a_1}{2}\left(X' - \frac{b_2}{12}\right) - \frac{a_3}{2},$$

with b_2 defined as in Equations (III.4). This change of variables transforms the long Weierstrass form in Equation (III.3) to the equation of an isomorphic curve given in the short Weierstrass form,

$$E : Y^2 = X^3 + aX + b, \qquad (III.7)$$

for some a, b ∈ K.

Let P and Q be two distinct rational points on E. The straight line joining P and Q must intersect the curve at one further point, say R, since we are intersecting a line with a cubic curve. The point R will also be rational since the line, the curve and the points P and Q are themselves all defined over K.
FIGURE III.1. Adding two points on an elliptic curve

If we then reflect R in the x-axis we obtain another rational point which we shall call P + Q (see Figure III.1 for a visualization over the reals). To add P to itself, or to double P in the jargon, we take the tangent to the curve at P. Such a line must intersect E(K) in exactly one other point, say R, as E is defined by a cubic equation. Again we reflect R in the x-axis to obtain a point which we call [2]P = P + P (see Figure III.2). If the tangent to the point is vertical, it 'intersects' the curve at the point at infinity and P + P = O, i.e., P is a point of order 2.

The above process of determining P + Q given P and Q is often called the chord-tangent process. The operation on points which we have just explained can be shown to define an additive abelian group law on E(k), for any field k with K ⊆ k ⊆ K̄, with the point at infinity, O, as the zero. The whole law can be summarized in the statement that three points on the curve will sum to zero if and only if they lie on a straight line.
FIGURE III.2. Doubling a point on an elliptic curve

Using this geometric definition, which is readily extended to char(K) = 2 or 3, we can determine explicit algebraic formulae for the above group law. These formulae are valid in any characteristic.

LEMMA III.2. Let E denote an elliptic curve given by

$$E : Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6$$

and let P_1 = (x_1, y_1) and P_2 = (x_2, y_2) denote points on the curve. Then

$$-P_1 = (x_1, -y_1 - a_1 x_1 - a_3).$$

Set

when x_1 ≠ x_2, and set

$$\lambda = \frac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3}, \quad \mu = \frac{-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1}{2y_1 + a_1 x_1 + a_3}$$

when x_1 = x_2 and P_2 ≠ −P_1. If

$$P_3 = (x_3, y_3) = P_1 + P_2 \neq O$$

then x_3 and y_3 are given by the formulae

$$x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2,$$
$$y_3 = -(\lambda + a_1) x_3 - \mu - a_3.$$

The isomorphisms described earlier then become group isomorphisms as they respect the group structure.

For a positive integer m we let [m] denote the multiplication-by-m map from the curve to itself. This map takes a point P to P + P + ··· + P (m summands), and is extended to m ≤ 0 by defining [0]P = O and [−m]P = −([m]P). So for instance, as above, [2]P = P + P, [3]P = P + P + P, and [−3]P = −(P + P + P). This map is the basis of elliptic curve cryptography. Its properties, computation, and uses will be, therefore, the main subjects in this book.
III.3. Elliptic Curves over Finite Fields

Over a finite field F_q, the number of rational points on a curve is finite, and it will be denoted by #E(F_q). The quantity t defined by

$$\#E(\mathbb{F}_q) = q + 1 - t$$

is called the trace of Frobenius at q.

The qth-power Frobenius map, on an elliptic curve E defined over F_q, is defined by

$$\varphi : \begin{cases} E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q), \\ (x, y) \mapsto (x^q, y^q), \\ O \mapsto O. \end{cases}$$

It is readily verified that φ maps points on E to points on E, and that it respects the group law. In other words, the map φ is a group endomorphism of E over F̄_q, referred to as the Frobenius endomorphism.

The trace of Frobenius t and the Frobenius endomorphism φ will play a fundamental role in our study of elliptic curves. They are linked by the equation

$$\varphi^2 - [t]\varphi + [q] = [0],$$

that is, for any point P = (x, y) on the curve, we have

$$(x^{q^2}, y^{q^2}) - [t](x^q, y^q) + [q](x, y) = O,$$

where addition and subtraction denote curve operations.

A first approximation to the order of E(F_q) is given by the following well known theorem of Hasse, a proof of which can be found in [147, Theorem V.1.1].
THEOREM III.3 (H. Hasse, 1933). The trace of Frobenius satisfies

$$|t| \le 2\sqrt{q}.$$

By Hasse's Theorem, the number of points on the curve, for large values of q, is in a narrow range of width 4√q about the value q + 1. To see intuitively why this is so, notice that about half of all the q possible x-coordinates in F_q will give rise to a solution y. All but at most three of these will have two corresponding y-coordinates, the exceptions being the points of order two (i.e. those points with y-coordinate equal to zero in the short Weierstrass form of the curve). To this expected number q of rational points on a curve over F_q we add the point at infinity, making a total of q + 1 expected rational points.

This observation tells us how to choose elements of E(F_q) with an (almost) uniform distribution.

ALGORITHM III.1: Determine a Random Point in E(F_q).

INPUT: An elliptic curve E(F_q).
OUTPUT: A 'random' point P ∈ E(F_q).
1. Do
2.   Pick a random x ∈ F_q.
3.   Substitute x for X in Equation (III.3).
4.   Attempt to solve the resulting quadratic equation in Y, using the techniques in Sections II.1.5 and II.2.4.
5.   If solutions y are found, flip a coin to decide which y to choose and set P = (x, y).
6. Until a point P is found.
7. Return P.

For curves over F_p, where p is a prime, there is an elliptic curve with group of rational points of any given order in the interval (p + 1 − 2√p, p + 1 + 2√p). In the sub-interval (p + 1 − √p, p + 1 + √p) each order occurs with an almost uniform distribution. This fact is the basis behind the ECM factoring algorithm of Lenstra (see [78] and Section IX.1). However, this distribution has some very subtle properties; see [89] for details. Over fields of characteristic two the statement is not true.

There are two particular classes of curves which, under certain conditions, will prove to be cryptographically weak: anomalous curves and supersingular curves. The curve E(F_q) is said to be anomalous if its trace of Frobenius is 1, giving #E(F_q) = q. These curves are weak when q = p, the field characteristic. The attack against such curves is discussed in Chapter V.

The curve E(F_q) is said to be supersingular if the characteristic p divides the trace of Frobenius, t. Equivalently, it can be shown that a curve over F_q with characteristic p is supersingular if and only if (i) p = 2 or 3 and j(E) = 0, or (ii) p ≥ 5 and t = 0. The MOV attack on general elliptic curves, described in Chapter V, is particularly effective for supersingular curves, rendering them unsuitable for cryptographic purposes.
Contrary to the case of elliptic curves over Q, where the characterization of possible ranks of groups E(Q) is an open problem, this rank is well characterized over finite fields, where we have

$$E(\mathbb{F}_q) \cong (\mathbb{Z}/d_1\mathbb{Z}) \times (\mathbb{Z}/d_2\mathbb{Z}).$$

Here, by the structure theorem for finite abelian groups, d_1 divides both d_2 and q − 1, and we include the case d_1 = 1.

As was apparent from the earlier discussion, the cases char(K) = 2, 3 often require separate treatment. Practical implementations of elliptic curve cryptosystems are usually based on either F_{2^n}, i.e., characteristic two, or F_p for large primes p. Therefore, the remainder of this book will focus on fields of characteristic two, and p > 3, and will omit the separate treatment of the case char(K) = 3. Most arguments, though, carry easily to characteristic three, with modifications that are well documented in the literature.
III.3.1. Curves in fields of characteristic p > 3. Assume K = F_q, where q = p^n for a prime p > 3 and an integer n ≥ 1. As mentioned, the curve equation in this case can be simplified to the short Weierstrass form

$$E_{a,b} : Y^2 = X^3 + aX + b.$$

The discriminant of the curve then reduces to Δ = −16(4a^3 + 27b^2), and its j-invariant to j(E) = −1728(4a)^3/Δ. The isomorphism classes of curves over K in this case are characterized by the relation

$$E_{a,b} \cong E_{a',b'} \text{ if and only if } a' = u^4 a,\ b' = u^6 b,$$

for some u ∈ K*.

The formulae for the group law in Lemma III.2 simplify to

$$-P_1 = (x_1, -y_1).$$

When x_1 ≠ x_2 we set

$$\lambda = \frac{y_2 - y_1}{x_2 - x_1},$$

and when x_1 = x_2, y_1 ≠ 0 we set

$$\lambda = \frac{3x_1^2 + a}{2y_1}.$$

If

$$P_3 = (x_3, y_3) = P_1 + P_2 \neq O,$$

then x_3 and y_3 are given by the formulae

$$x_3 = \lambda^2 - x_1 - x_2,$$
$$y_3 = (x_1 - x_3)\lambda - y_1.$$
Write g(X) = X^3 + aX + b, so that the curve equation is Y^2 = g(X). The rational points of order two on the curve are of the form (ξ, 0), where ξ is a zero of g(X) in K. The polynomial g(X) can have zero, one, or three such zeros. All other values of X for which g(X) is a quadratic residue in K yield two distinct points on the curve. Therefore, counting also the point O, we have #E(K) ≡ s (mod 2), where s = 1 if g is irreducible over K, and s = 0 otherwise.

A twist of a curve given in short Weierstrass form E_{a,b} is given by E_{a',b'}, where a' = v^2 a, b' = v^3 b for some quadratic non-residue v ∈ K. By the characterization of isomorphism classes above, the twist is unique up to isomorphisms over K, and it is itself isomorphic to the original curve over K̄ (in fact, it is so over F_{q^2}, where v becomes a quadratic residue). The orders of the groups of rational points of the two curves satisfy the relation

$$\#E_{a,b}(K) + \#E_{a',b'}(K) = 2q + 2.$$

To verify this, write g_v(X) = v^3 g(X/v), so that we have E_{a',b'} : Y^2 = g_v(X). For x ∈ K, if g_v(x) = 0 then g(x/v) = 0, contributing a single point to each of the curves. If g_v(x) is a non-zero quadratic residue, then g(x/v) = g_v(x)/v^3 is a non-residue; E_{a',b'} gets two points, E_{a,b} gets none. Similarly, if g_v(x) is a non-residue, then E_{a,b} gets two points, E_{a',b'} gets none. Hence, each element of K contributes two counts to the sum #E_{a,b}(K) + #E_{a',b'}(K), giving, together with the point at infinity counted twice, a total of 2q + 2 points.

This property of the twist is useful when searching for 'good' curves in cryptography, where it is required to determine the order of the group of rational points. This is a computationally intensive problem, which we deal with extensively in Chapters VI, VII and VIII. Once the group order has been determined for a curve, its determination for the twist is straightforward. Thus, we get the orders of two groups 'for the price of one'.
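An added example (Python, not the book's code) of the formulae in this subsection over a prime field: affine addition and doubling, a brute-force count of #E_{a,b}(F_p) by the quadratic-residue argument just given, the twist relation, and Algorithm III.1. The sample curve Y^2 = X^3 + X + 6 over F_11 and the function names are this example's choices; the square root in Algorithm III.1 is taken as g^{(p+1)/4}, which assumes p ≡ 3 (mod 4).

```python
# Added example (not from the book): short Weierstrass arithmetic over F_p,
# point counting, the twist relation #E + #E' = 2q + 2, and Algorithm III.1.
import random

def ec_add(p, a, P, Q):
    """P + Q on Y^2 = X^3 + aX + b over F_p; None stands for O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:     # Q = -P, including 2-torsion doubling
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_mul(p, a, m, P):
    """[m]P by double-and-add, m >= 0."""
    R = None
    while m:
        if m & 1:
            R = ec_add(p, a, R, P)
        P = ec_add(p, a, P, P)
        m >>= 1
    return R

def is_qr(p, c):
    """True if c is 0 or a quadratic residue modulo the odd prime p (Euler's criterion)."""
    return c % p == 0 or pow(c, (p - 1) // 2, p) == 1

def count_points(p, a, b):
    """#E_{a,b}(F_p): O, one point per root of g(X) = X^3 + aX + b, and two
    points per X with g(X) a non-zero quadratic residue."""
    n = 1
    for x in range(p):
        g = (x ** 3 + a * x + b) % p
        if g == 0:
            n += 1
        elif is_qr(p, g):
            n += 2
    return n

def twist(p, a, b):
    """(a', b') = (v^2 a, v^3 b) for the smallest quadratic non-residue v."""
    v = next(v for v in range(2, p) if not is_qr(p, v))
    return (v * v * a % p, v ** 3 * b % p)

def random_point(p, a, b, rng):
    """Algorithm III.1 for p = 3 (mod 4): sqrt(g) = g^((p+1)/4) when g is a residue."""
    assert p % 4 == 3
    while True:
        x = rng.randrange(p)
        g = (x ** 3 + a * x + b) % p
        if not is_qr(p, g):
            continue                       # no y for this x: draw again
        y = pow(g, (p + 1) // 4, p)
        if rng.random() < 0.5:             # "flip a coin" between the two roots
            y = (-y) % p
        return (x, y)

def sample_points(p, a, b, seed, k):
    """k points from Algorithm III.1 with a seeded generator (for repeatability)."""
    rng = random.Random(seed)
    return [random_point(p, a, b, rng) for _ in range(k)]
```

With p = 11, a = 1, b = 6 the count is 13, the twist (a', b') = (4, 4) has 2·11 + 2 − 13 = 11 points, and, since 13 is prime, every point returned by Algorithm III.1 satisfies [13]P = O.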
III.3.2. Curves in fields of characteristic two. We now specialize to the case where q = 2^n, n ≥ 1. In this case, the expression for the j-invariant reduces to j(E) = a_1^{12}/Δ. In characteristic two, the condition j(E) = 0, i.e. a_1 = 0, is equivalent to the curve being supersingular. As mentioned, this very special type of curve is avoided in cryptography (see details on the MOV attack in Chapter V). We assume, therefore, that j(E) ≠ 0.

Under these assumptions, a representative for each isomorphism class of elliptic curves over F_q is given by [147]:

(III.8)

where a_6 ∈ F_q* and a_2 ∈ {0, γ}, with γ a fixed element in F_q with Tr_{q|2}(γ) = 1. We recall from Chapter II that Tr_{q|2} is the linear trace function from F_q to F_2. This is not directly related to the trace of Frobenius, and no confusion should arise since they are used in quite different contexts.

The formulae for the group law in Lemma III.2 then simplify to

$$-P_1 = (x_1, y_1 + x_1).$$

When x_1 ≠ x_2 we set

$$\lambda = \frac{y_2 + y_1}{x_2 + x_1}, \quad \mu = \frac{y_1 x_2 + y_2 x_1}{x_2 + x_1},$$

and when x_1 = x_2 ≠ 0 we set

$$\lambda = \frac{x_1^2 + y_1}{x_1}, \quad \mu = x_1^2.$$

If

$$P_3 = (x_3, y_3) = P_1 + P_2 \neq O,$$

then x_3 and y_3 are given by the formulae

$$x_3 = \lambda^2 + \lambda + a_2 + x_1 + x_2,$$
$$y_3 = (\lambda + 1)x_3 + \mu = (x_1 + x_3)\lambda + x_3 + y_1.$$

The following lemma restricts the possible values of #E_{a_2,a_6}(F_q) as a function of the isomorphism class. Recall that each element a ∈ F_q has a unique square root, √a = a^{q/2}, in the field.

LEMMA III.4. Consider an elliptic curve defined by Equation (III.8) over F_q, q = 2^n. Then,

$$\#E_{a_2,a_6}(\mathbb{F}_q) \equiv \begin{cases} 0 \pmod 4 & \text{if } \mathrm{Tr}_{q|2}(a_2) = 0, \\ 2 \pmod 4 & \text{if } \mathrm{Tr}_{q|2}(a_2) = 1. \end{cases}$$

PROOF. Setting X = 0 yields (0, √a_6), the unique point of order two on the curve. To count points with X ≠ 0, we divide Equation (III.8) by X^2, and write U = Y/X, obtaining the equivalent equation

$$U^2 + U = X + a_2 + \frac{a_6}{X^2}.$$

It is well known (see, e.g., [86]) that, for a given X ∈ F_q*, this quadratic equation has two distinct solutions U and U + 1 in F_q if and only if Tr_{q|2}(X + a_2 + a_6/X^2) = 0 or, equivalently, Tr_{q|2}(a_2) = Tr_{q|2}(X^2 + a_6/X^2). If X satisfies this equality, so does √a_6/X. These two values are different whenever X ≠ ⁴√a_6. Hence, the values of X in F_q* − {⁴√a_6} contribute a number of points divisible by four to #E_{a_2,a_6}(F_q). When Tr_{q|2}(a_2) = 0, X = ⁴√a_6 contributes two more points. Counting also the points (0, √a_6) and O yields the result of the lemma. □

For a given value of a_6, the two curves E_{0,a_6} and E_{γ,a_6} are twists of each other and their orders satisfy the relation

$$\#E_{0,a_6}(\mathbb{F}_q) + \#E_{\gamma,a_6}(\mathbb{F}_q) = 2q + 2.$$

This is verified by inspecting the proof of Lemma III.4: each value of X ∈ F_q* contributes two points to exactly one of the curves, for a total of 2q − 2 points. In addition, the points (0, √a_6) and O are common to both curves and are counted twice in the sum, bringing the total up to 2q + 2.

Similarly to the case of odd characteristic, the curves E_{0,a_6} and E_{γ,a_6} are non-isomorphic over F_q, but are isomorphic over F_{q^2}, as Tr_{q^2|2}(γ) = 0 for all γ ∈ F_q.
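The following Python code is an added example (not from the book) that serves three passages with one small F_{2^n} implementation: the norm-based inversion of Equation (II.5) in Section II.2.3, the solution of x^2 + x + β = 0 in Section II.2.4 (the half-trace for odd n, and for even n the δ-based formula whose verification the text gives, since the displayed Equation (II.8) did not survive the scan), and the point count of Lemma III.4 together with the twist relation for the curves Y^2 + XY = X^3 + a_2 X^2 + a_6 of this subsection. The polynomial-basis representation, the reduction polynomials x^4 + x + 1, x^5 + x^2 + 1 and x^6 + x + 1, and all function names are this example's own assumptions.

```python
# Added example (not from the book): F_{2^n} in a polynomial basis, used to
# check Equation (II.5), the quadratic solver of Section II.2.4, and Lemma III.4.

class GF2n:
    """F_{2^n}: elements are ints below 2**n, poly is the reduction polynomial
    as a bit mask (x^n term included)."""

    def __init__(self, n, poly):
        self.n, self.poly = n, poly

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.n:
                a ^= self.poly
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def trace(self, a):
        """Tr_{q|2}(a) = a + a^2 + ... + a^(2^(n-1)), an element of {0, 1}."""
        t, s = 0, a
        for _ in range(self.n):
            t ^= s
            s = self.mul(s, s)
        return t

    def half_trace(self, a):
        """T(a) = sum_{j=0}^{(n-1)/2} a^(2^(2j)), Equation (II.7); n odd."""
        t, s = 0, a
        for _ in range((self.n - 1) // 2 + 1):
            t ^= s
            s = self.mul(s, s)
            s = self.mul(s, s)                       # s -> s^4
        return t

    def solve_quadratic(self, beta):
        """A root x0 of x^2 + x = beta, or None when Tr(beta) = 1 (no root)."""
        if self.trace(beta):
            return None
        if self.n % 2:
            return self.half_trace(beta)
        # n even: delta with Tr(delta) = 1 is found among the basis elements 2^k;
        # x0 = sum_{i=0}^{n-2} (sum_{j=i+1}^{n-1} delta^(2^j)) beta^(2^i), the
        # form whose verification the text carries out (assumed Equation (II.8)).
        delta = next(1 << k for k in range(self.n) if self.trace(1 << k))
        dpow = [delta]
        for _ in range(self.n - 1):
            dpow.append(self.mul(dpow[-1], dpow[-1]))  # delta^(2^j)
        x0, bpow = 0, beta
        for i in range(self.n - 1):
            c = 0
            for j in range(i + 1, self.n):
                c ^= dpow[j]
            x0 ^= self.mul(c, bpow)
            bpow = self.mul(bpow, bpow)                # beta^(2^i)
        return x0

    def inv_via_subfield(self, beta, n1):
        """beta^-1 = beta^(s-1) / beta^s with s = (2^n-1)/(2^n1-1), Equation (II.5)."""
        s = (2 ** self.n - 1) // (2 ** n1 - 1)
        t = self.pow(beta, s - 1)
        nrm = self.mul(t, beta)                        # beta^s, the norm, in F_{2^n1}
        assert self.pow(nrm, 2 ** n1) == nrm           # fixed by x -> x^(2^n1)
        return self.mul(t, self.pow(nrm, 2 ** n1 - 2)) # inverse taken inside F_{2^n1}


def count_points_char2(F, a2, a6):
    """#E(F_q) for Y^2 + XY = X^3 + a2 X^2 + a6 by the argument of Lemma III.4:
    X = 0 gives one point; X != 0 gives two iff Tr(X + a2 + a6/X^2) = 0."""
    q = 1 << F.n
    count = 2                                          # O and (0, sqrt(a6))
    for x in range(1, q):
        xinv = F.pow(x, q - 2)
        rhs = x ^ a2 ^ F.mul(a6, F.mul(xinv, xinv))
        if F.trace(rhs) == 0:
            count += 2
    return count


# Constructed sample fields; each reduction polynomial is irreducible over F_2.
F4 = GF2n(4, 0b10011)       # x^4 + x + 1,   n even
F5 = GF2n(5, 0b100101)      # x^5 + x^2 + 1, n odd
F6 = GF2n(6, 0b1000011)     # x^6 + x + 1,   n = 2 * 3, subfield F_8
```

Over F_16 the two curves with a_2 = 0 and a_2 = γ (any γ of trace one) have orders that are 0 and 2 modulo 4, respectively, and sum to 2·16 + 2 = 34, as Lemma III.4 and the twist relation state; the solver returns a root exactly for the β of trace zero, and the subfield inversion agrees with multiplication for every non-zero element of F_64.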

III.4. The Division Polynomials

The division polynomials are of fundamental importance in Schoof's algorithm for computing the number of points on an elliptic curve over a finite field, the subject of Chapter VII. In this section we define these polynomials and discuss some of their basic properties. References for much of the following are [147] and [72]. The specific formulae for the division polynomials in the general case follow [81] and [85].
From inspection of the algebraic expressions for the group law given in Section III.2, it is clear that the coordinates of the sum P_1 + P_2 of two points on the curve are rational functions of the coordinates of P_1 and P_2. By repeated application of the formulae, it follows that the multiplication-by-m map

$$(x, y) \mapsto [m](x, y)$$

can be expressed in terms of rational functions in x and y. More specifically, we have the following result.

LEMMA III.5. Let E be an elliptic curve defined over a field K, and let m be a positive integer. There exist polynomials ψ_m, θ_m, ω_m ∈ K[x, y] such that, for P = (x, y) ∈ E(K̄) such that [m]P ≠ O, we have

$$[m]P = \left( \frac{\theta_m(x, y)}{\psi_m(x, y)^2},\ \frac{\omega_m(x, y)}{\psi_m(x, y)^3} \right). \qquad (III.9)$$

The polynomial ψ_m(x, y) is called the mth division polynomial of the curve E. As will be shown below, the sequences θ_m and ω_m can be expressed in terms of the sequence ψ_m.

We now present explicit (recursive) formulae for the polynomials ψ_m, θ_m and ω_m. Consider the general Weierstrass equation E of the elliptic curve over K given in Equation (III.3), and the constants derived from the curve parameters given in Equations (III.4). The mth division polynomial ψ_m(x, y), m ≥ 0, is defined by the following recursion, in which we suppress the variables:

$$\psi_0 = 0, \quad \psi_1 = 1,$$
$$\psi_2 = 2y + a_1 x + a_3,$$
$$\psi_3 = 3x^4 + b_2 x^3 + 3b_4 x^2 + 3b_6 x + b_8,$$
$$\psi_4 = \left(2x^6 + b_2 x^5 + 5b_4 x^4 + 10 b_6 x^3 + 10 b_8 x^2 + (b_2 b_8 - b_4 b_6) x + b_4 b_8 - b_6^2\right)\psi_2,$$
$$\psi_{2m+1} = \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3, \quad m \ge 2,$$
and

$$\psi_{2m} = \frac{\left(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2\right)\psi_m}{\psi_2}, \quad m > 2.$$

It can be shown, by induction, that, for m ≥ 1, ψ_{2m} is a polynomial divisible by ψ_2. Therefore, the numerator in the expression for ψ_{2m} is divisible by ψ_2. Since the division polynomials will always be evaluated at points on the curve, the computation of ψ_m can be carried out modulo the equation of the curve. In particular, we can assume that the degree of ψ_m in y never exceeds one. This reduction will be implicitly assumed in the sequel when dealing with the polynomials ψ_m. With the ψ_m computed according to the above recursion, the polynomials θ_m are given by

$$\theta_m = x\psi_m^2 - \psi_{m-1}\psi_{m+1}, \quad m \ge 1,$$

and, when char(K) ≠ 2, the polynomials ω_m are defined by

$$2\psi_m\omega_m = \psi_{2m} - \left(a_1\theta_m + a_3\psi_m^2\right)\psi_m^2, \quad m \ge 1.$$

With the given recursion for the polynomials ψ_m, and the formulae for θ_m and ω_m, Lemma III.5 follows directly from the formulae for the group law, and some symbolic manipulation dexterity. The case of characteristic two requires a slightly different treatment. This case will be addressed, for non-supersingular curves, in Section III.4.2. Expressions for the supersingular case can be found in [64].

When K is the finite field F_q, E(K̄) is a torsion group, that is, every point P on the curve E has finite order. For a non-negative integer m, the set of m-torsion points of E, denoted by E[m], is defined by

$$E[m] = \{ P \in E(\bar{K}) \mid [m]P = O \}.$$

It is readily verified that E[m] is a subgroup of E(K̄). When we are interested in K-rational points in E[m], we will use the notation E(K)[m] = E(K) ∩ E[m]. Thus, E(K̄)[m] = E[m]. Clearly, E(K)[m] ⊆ E[m] ⊆ E(K̄), where inclusion is interpreted as the subgroup relation.

By definition, O ∈ E[m] for all m. The mth division polynomial ψ_m characterizes the other m-torsion points on E, as stated in the following theorem.
THEOREM III.6. Let P be a point in E(K̄) \ {O}, and let m ≥ 1. Then, P ∈ E[m] if and only if ψ_m(P) = 0.

It turns out that the characterization of m-torsion points can be achieved with univariate polynomials derived from the bivariate ψ_m. Define

$$f_m = \begin{cases} \psi_m, & m \text{ odd}, \\ \psi_m/\psi_2, & m \text{ even}. \end{cases}$$

By observing that y enters into the recursion for the ψ_m only through the polynomial ψ_2, and that ψ_2^2 mod E does not depend on y, it is readily verified that f_m is a polynomial that depends only on x. The degree of f_m is at most (m^2 − 1)/2 if m is odd, and at most (m^2 − 4)/2 if m is even (the degrees are exact if char(K) does not divide m for m odd, or m/2 for m even). Theorem III.6 can now be recast in terms of the polynomials f_m.

COROLLARY III.7. Let P = (x, y) be a point in E(K̄) − {O}, such that [2]P ≠ O, and let m ≥ 2. Then, P ∈ E[m] if and only if f_m(x) = 0.

Corollary III.7 excludes 2-torsion points. These points satisfy ψ_2(P) = 0, the part that was divided out of ψ_m to obtain f_m when m is even. Let F(x) = 4x^3 + b_2 x^2 + 2b_4 x + b_6. The polynomials f_m satisfy the following recursion, where variables are again omitted, and ψ_2, ψ_3 and ψ_4 are as defined before:

m odd, m ≥ 3,

m even, m ≥ 2,

m > 2.

Our interest in this book will involve the two cases char(K) > 3 and char(K) = 2. The above discussion is specialized to these two cases, in turn.
III.4.1. Characteristic $p > 3$. For this case the curve equation can be assumed in the form
$$Y^2 = X^3 + aX + b, \qquad a, b \in \mathbb{F}_p,$$
and so, in the above formulae for the polynomials $\psi_m$ and $f_m$ we have $a_1 = a_2 = a_3 = 0$, $a_4 = a$, $a_6 = b$, $b_2 = 0$, $b_4 = 2a$, $b_6 = 4b$, $b_8 = -a^2$. The recursion for $\psi_m$ then simplifies to
$$\begin{aligned}
\psi_0 &= 0,\\
\psi_1 &= 1,\\
\psi_2 &= 2y,\\
\psi_3 &= 3x^4 + 6ax^2 + 12bx - a^2,\\
\psi_4 &= 4y\,(x^6 + 5ax^4 + 20bx^3 - 5a^2x^2 - 4abx - 8b^2 - a^3),\\
\psi_{2m+1} &= \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3, \qquad m \ge 2,\\
\psi_{2m} &= (\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2)\,\psi_m/2y, \qquad m > 2.
\end{aligned}$$
For an integer $m \ge 2$, and a point $P = (x, y) \in E(\bar K) \setminus E[m]$, Lemma III.5 takes the form
$$[m]P = \left( x - \frac{\psi_{m-1}\psi_{m+1}}{\psi_m^2},\ \frac{\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2}{4y\,\psi_m^3} \right),$$
where $\psi_m = \psi_m(x, y)$. This formula is easily cast in terms of the univariate polynomials $f_m$, by noting that for the particular form of the curve equation under consideration, we have $\psi_m = 2y f_m$ when $m$ is even, $\psi_m = f_m$ when $m$ is odd. The recursions for the $f_m$ are as in the general case, with $F(x) = 4(x^3 + ax + b)$ (which is equal to $4y^2$ modulo the curve equation).
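As an added illustration, not from the book, the Python code below evaluates the recursion of this section at a concrete point and checks Theorem III.6 together with the formula for $[m]P$. The curve $y^2 = x^3 + 2$ over $\mathbb{F}_7$ and the point $P = (0, 3)$, which has order 3, are constructed for the example; $\psi_m(P)$ is computed as a field element, so no polynomial arithmetic is needed, and the torsion criterion is visible directly: $\psi_m(P) = 0$ exactly when $3 \mid m$.

```python
# Added example (not from the book): psi_m of Section III.4.1 evaluated at a
# point of E(F_p), the criterion of Theorem III.6, and [m]P from Lemma III.5.
# Constructed data: y^2 = x^3 + 2 over F_7 and the point PT = (0, 3) of order 3.
from functools import lru_cache

P_MOD = 7
A, B = 0, 2            # curve y^2 = x^3 + A x + B over F_7 (constructed)
PT = (0, 3)            # constructed point of order 3


def inv(a):
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


@lru_cache(maxsize=None)
def psi_at(m, pt):
    """psi_m(x, y) as an element of F_p, by the recursion of Section III.4.1."""
    x, y = pt
    p = P_MOD
    if m == 0:
        return 0
    if m == 1:
        return 1
    if m == 2:
        return 2 * y % p
    if m == 3:
        return (3 * x**4 + 6 * A * x**2 + 12 * B * x - A * A) % p
    if m == 4:
        return 4 * y * (x**6 + 5 * A * x**4 + 20 * B * x**3 - 5 * A * A * x**2
                        - 4 * A * B * x - 8 * B * B - A**3) % p
    k = m // 2
    if m % 2:                        # psi_{2k+1}, k >= 2
        return (psi_at(k + 2, pt) * psi_at(k, pt)**3
                - psi_at(k - 1, pt) * psi_at(k + 1, pt)**3) % p
    # psi_{2k}, k > 2: division by 2y is a field inversion here (y != 0)
    num = (psi_at(k + 2, pt) * psi_at(k - 1, pt)**2
           - psi_at(k - 2, pt) * psi_at(k + 1, pt)**2) * psi_at(k, pt)
    return num * inv(2 * y) % p


def is_m_torsion(m, pt):
    """Theorem III.6: for P != O, P is in E[m] iff psi_m(P) = 0."""
    return psi_at(m, pt) == 0


def m_times(m, pt):
    """[m]P by the formula of Lemma III.5 above; needs m >= 2 and P not in E[m]."""
    x, y = pt
    p = P_MOD
    ps = lambda i: psi_at(i, pt)
    if ps(m) == 0:
        raise ValueError("P is m-torsion, [m]P = O: the formula does not apply")
    xm = (x - ps(m - 1) * ps(m + 1) * inv(ps(m)**2)) % p
    ym = (ps(m + 2) * ps(m - 1)**2 - ps(m - 2) * ps(m + 1)**2) * inv(4 * y * ps(m)**3) % p
    return (xm, ym)


def on_curve(pt):
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0


if __name__ == "__main__":
    print([m for m in range(1, 10) if is_m_torsion(m, PT)])   # multiples of 3
    print({m: m_times(m, PT) for m in (2, 4, 5, 7, 8)})       # alternates (0,4), (0,3)
```

Because $P$ has order 3, $[m]P$ is $[2]P = (0, 4)$ or $P$ itself according to $m \bmod 3$, which is what the formula returns; for a multiple of 3 the formula divides by $\psi_m(P) = 0$, matching the exclusion $P \notin E[m]$ in the statement.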
III.4.2. Characteristic two. We consider only non-supersingular curves, defined by equations of the form
$$Y^2 + XY = X^3 + a_2X^2 + a_6.$$
Thus, we have $a_1 = 1$, $a_3 = a_4 = 0$, and consequently $b_2 = 1$, $b_4 = b_6 = 0$, $b_8 = a_6$. The recursion for the polynomials $\psi_m$ simplifies to
$$\begin{aligned}
\psi_0 &= 0,\\
\psi_1 &= 1,\\
\psi_2 &= x,\\
\psi_3 &= x^4 + x^3 + a_6,\\
\psi_4 &= x^6 + a_6x^2,\\
\psi_{2m+1} &= \psi_{m+2}\psi_m^3 + \psi_{m-1}\psi_{m+1}^3, \qquad m \ge 2,\\
\psi_{2m} &= (\psi_{m+2}\psi_{m-1}^2 + \psi_{m-2}\psi_{m+1}^2)\,\psi_m/x, \qquad m \ge 3.
\end{aligned}$$
We observe that, with this recursion, all the $\psi_m$ are polynomials in $x$ only. We shall emphasize this fact by defining, for this case, $\tilde f_m(x) = \psi_m(x, y)$. The formulae for the mapping $[m]$ then take the form
$$[m]P = \left( x + \frac{\tilde f_{m-1}\tilde f_{m+1}}{\tilde f_m^2},\ x + y + (x^2 + x + y)\frac{\tilde f_{m-1}\tilde f_{m+1}}{x\tilde f_m^2} + \frac{\tilde f_{m-2}\tilde f_{m+1}^2}{x\tilde f_m^3} \right),$$
for $m \ge 2$ and points $P = (x, y) \in E(\bar K) \setminus E[m]$. The polynomials $f_m$ defined in the general case satisfy, in this case, $x f_m = \tilde f_m$ when $m$ is even, $f_m = \tilde f_m$ otherwise. In fact, in our description of point counting algorithms in Chapter VII, we shall use mostly the polynomials $\tilde f_m$, a notation which is extended by defining $\tilde f_m = f_m$ for all $m$ in the odd characteristic case.

Formally, the polynomials $\psi_m$ are called the division polynomials. However, in the cases of interest here, the similar role of the univariate polynomials $\tilde f_m$ will justify our referring to these also as division polynomials.
III.5. The Weil Pairing

Let $E$ denote an elliptic curve over a field $K$, with $E[m]$ its group of $m$-torsion points. It can be shown that there are $m^2$ such points in the case $\gcd(m, p) = 1$, where $p$ is the characteristic of the field. The structure of the $m$-torsion group of an elliptic curve is determined by the following result:

LEMMA III.8. Let $E$ be an elliptic curve over $K$ and let $\mathrm{char}(K) = p$ and $m \in \mathbb{Z}_{>0}$.
• If $p = 0$ or $p$ does not divide $m$ then
$$E[m] \cong (\mathbb{Z}/m\mathbb{Z}) \times (\mathbb{Z}/m\mathbb{Z}).$$
• If $p > 0$ then

Another important fact about the $m$-torsion structure of an elliptic curve over a finite field, which will be required in a later chapter, is given by

LEMMA III.9 ([8]). Let $E$ denote an elliptic curve over $\mathbb{F}_q$, and suppose that $m$ is a prime which divides $\#E(\mathbb{F}_q)$ but which does not divide $q - 1$ and is not equal to the characteristic of $\mathbb{F}_q$. Then $E(\mathbb{F}_{q^k})$ contains the $m^2$ points of order $m$ if and only if $m$ divides $q^k - 1$.

We now let $m \in \mathbb{Z}_{\ge 2}$ denote an integer, coprime to the characteristic of $K$ if $\mathrm{char}(K) > 0$. The Weil pairing [147] is a function
$$E[m] \times E[m] \longrightarrow \mu_m,$$
where $\mu_m$ is the group of $m$th roots of unity in $\bar K$, which occurs throughout the theory of elliptic curves. We can define the Weil pairing as follows. Let $S, T \in E[m]$ and choose a function $g$ on $E$ whose divisor satisfies
$$\mathrm{div}(g) = \sum_{R \in E[m]} (T' + R) - (R),$$
with $T' \in E(\bar K)$ such that $[m]T' = T$. Then
$$e_m : \begin{cases} E[m] \times E[m] \longrightarrow \mu_m \\[2pt] (S, T) \longmapsto \dfrac{g(X + S)}{g(X)} \end{cases}$$
for any point $X \in E(\bar K)$ for which $g$ is both defined and non-zero at $X$ and $X + S$. It can then be shown that the following holds.

LEMMA III.10. The Weil pairing is a bilinear, alternating, non-degenerate pairing which is Galois equivariant. In other words,
$$\begin{aligned}
e_m(S_1 + S_2, T) &= e_m(S_1, T)\,e_m(S_2, T),\\
e_m(S, T_1 + T_2) &= e_m(S, T_1)\,e_m(S, T_2),\\
e_m(S, T) &= e_m(T, S)^{-1},\\
e_m(S, T) &= 1 \text{ for all } S \text{ if and only if } T = O,\\
e_m(S^\sigma, T^\sigma) &= e_m(S, T)^\sigma \text{ for all } \sigma \in \mathrm{Gal}(\bar K/K).
\end{aligned}$$

There is another definition of the Weil pairing which makes it easier to compute. We let $P$ and $Q$ denote two elements of $E[m]$ and let $A$, $B$ denote divisors of degree zero such that $A$ and $B$ have disjoint support and
$$A \sim (P) - (O), \qquad B \sim (Q) - (O).$$
In practice we choose points $T, U \in E$ such that $P + T \ne U$, $P + T \ne Q + U$, $T \ne U$ and $T \ne Q + U$. We then see that $A = (P + T) - (T)$ and $B = (Q + U) - (U)$ satisfy our requirements.

We then let $f_A$ and $f_B$ denote two functions whose divisors are $mA$ and $mB$ respectively. The Weil pairing can then be defined by
$$e_m(P, Q) = f_A(B)/f_B(A),$$
which, owing to our choice of $A$ and $B$, becomes
$$e_m(P, Q) = \frac{f_A(Q + U)}{f_A(U)} \cdot \frac{f_B(T)}{f_B(P + T)}.$$
So all that remains is to compute $f_A$ and $f_B$. This can be done by a method of Miller which is explained in [97] and [98]. One has to be careful that the functions one produces are defined and non-zero at the relevant points, but by careful choice of $T$ and $U$ this can be accomplished with no problem.
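The following Python code is an added example of the second definition above, computed with Miller's method; it is not the book's own code. The curve $y^2 = x^3 + 2$ over $\mathbb{F}_7$ (nine rational points, all of $E[3]$, as Lemma III.9 allows since $3 \mid 7 - 1$) and the points $P = (0, 3)$, $Q = (3, 1)$ are constructed for the example. The functions $f_A$, $f_B$ are obtained from the Miller function $f_{m,P}$ with divisor $m(P) - m(O)$ by translation, $f_A(X) = f_{m,P}(X - T)$, which is an assumption of this implementation rather than a step spelled out on the page; admissible $T$, $U$ are found by search, and the remark above about care appears as the retry taken whenever an intermediate line of Miller's loop vanishes at an evaluation point, even though the final function is well defined there.

```python
# Added example (not from the book): e_m(P, Q) = f_A(B)/f_B(A) with
# A = (P+T) - (T), B = (Q+U) - (U), f_A and f_B computed by Miller's method.
# Constructed data: y^2 = x^3 + 2 over F_7, #E(F_7) = 9, E[3] rational;
# P0 = (0, 3) and Q0 = (3, 1) generate E[3].
P_MOD = 7
A_COEF, B_COEF = 0, 2          # constructed curve y^2 = x^3 + A_COEF x + B_COEF
O = None                       # the point at infinity
P0, Q0 = (0, 3), (3, 1)        # constructed 3-torsion points

def inv(a):
    return pow(a % P_MOD, P_MOD - 2, P_MOD)

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P_MOD)

def add(P1, P2):
    """Affine group law of Chapter III on y^2 = x^3 + a x + b, p > 3."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                   # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A_COEF) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, pt)
    return R

class Degenerate(Exception):
    """An intermediate line or vertical of Miller's loop is 0 at the point."""

def line_over_vertical(R, S, X):
    """g_{R,S}(X) = l_{R,S}(X) / v_{R+S}(X), div(g) = (R) + (S) - (R+S) - (O)."""
    (x1, y1), (x2, y2), (xx, yx) = R, S, X
    if x1 == x2 and (y1 + y2) % P_MOD == 0:       # R + S = O: g is the vertical x - x1
        v = (xx - x1) % P_MOD
        if v == 0:
            raise Degenerate
        return v
    if R == S:
        lam = (3 * x1 * x1 + A_COEF) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    num = (yx - y1 - lam * (xx - x1)) % P_MOD      # the line through R and S
    den = (xx - add(R, S)[0]) % P_MOD              # the vertical through R + S
    if num == 0 or den == 0:
        raise Degenerate
    return num * inv(den) % P_MOD

def miller(m, pt, X):
    """f_{m,P}(X) with div(f_{m,P}) = m(P) - m(O) for P in E[m] (Miller's method)."""
    f, R = 1, pt
    for bit in bin(m)[3:]:                          # bits of m after the leading 1
        f = f * f * line_over_vertical(R, R, X) % P_MOD
        R = add(R, R)
        if bit == "1":
            f = f * line_over_vertical(R, pt, X) % P_MOD
            R = add(R, pt)
    return f

def curve_points():
    pts = [O]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if (y * y - x ** 3 - A_COEF * x - B_COEF) % P_MOD == 0:
                pts.append((x, y))
    return pts

def weil_pairing(m, P, Q):
    """e_m(P, Q) = [f_A(Q+U)/f_A(U)] / [f_B(P+T)/f_B(T)].  Translating
    div(f_{m,P}) = m(P) - m(O) by T gives m(P+T) - m(T), so f_A(X) = f_{m,P}(X - T)."""
    for T in curve_points():
        for U in curve_points():
            PT, QU = add(P, T), add(Q, U)
            if PT == U or PT == QU or T == U or T == QU:
                continue                            # the four conditions on T and U
            try:
                fa = miller(m, P, add(QU, neg(T))) * inv(miller(m, P, add(U, neg(T))))
                fb = miller(m, Q, add(PT, neg(U))) * inv(miller(m, Q, add(T, neg(U))))
            except Degenerate:
                continue                            # a line vanished: choose other T, U
            return fa * inv(fb) % P_MOD
    raise ValueError("no admissible T, U")
```

On this curve $e_3(P, Q) = 4$, a primitive cube root of unity in $\mathbb{F}_7$, and the properties of Lemma III.10 can be read off directly: $e_3(P, P) = 1$, $e_3(Q, P) = 4^{-1} = 2$, and $e_3([2]P, Q) = 4^2 = 2$.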
III.6. Isogenies, Endomorphisms and Torsion

Let $E_1$ and $E_2$ be elliptic curves defined over a field $K$, with respective function fields $K(E_1)$ and $K(E_2)$. A morphism from $E_1$ to $E_2$ is a rational map which is regular at every point of $E_1$. A non-constant morphism, $\phi$, which maps the identity element on $E_1$ to the identity element on $E_2$ is called an isogeny,
$$\phi : E_1 \longrightarrow E_2.$$
The map which sends every point on $E_1$ to $O$ on $E_2$ is also called an isogeny. It is the zero isogeny, and is the only constant isogeny. Isogenies play a crucial role in the theory of elliptic curves. In this section we summarize the main results that will be required later.

Suppose that the isogeny $\phi$ is non-constant, i.e. $\phi(E_1) \ne \{O\}$. Then, $\phi$ induces an injection of function fields which fixes $K$,
$$\phi^* : \begin{cases} K(E_2) \longrightarrow K(E_1) \\ f \longmapsto f \circ \phi. \end{cases}$$
We say that the isogeny is separable, inseparable or purely inseparable if the corresponding extension of function fields, $K(E_1)/\phi^*K(E_2)$, is separable, inseparable or purely inseparable. If $\phi$ is constant we define its degree to be zero, otherwise we define its degree by
$$\deg\phi = [K(E_1) : \phi^*K(E_2)].$$
Every non-constant isogeny $\phi$ is surjective over $\bar K$, that is $\phi(E_1) = E_2$. An isogeny is always a group homomorphism, and the kernel of a non-constant isogeny $\phi$ is always a finite subgroup of $E_1(\bar K)$, usually denoted by $E[\phi]$. The degree of a separable isogeny $\phi$ is equal to its degree as a finite map of curves and is hence equal to the size of $E[\phi]$.

The simplest example of a separable isogeny is the multiplication-by-$m$ map, $[m]$, from a curve over $K$ to itself. If $K$ is a finite field $\mathbb{F}_q$ and $E$ is an elliptic curve then the simplest example of a purely inseparable isogeny is the Frobenius endomorphism $\varphi$. If $E$ is an elliptic curve over $\mathbb{F}_q$ with $N$ points in $E(\mathbb{F}_q)$, then the isogenies $[1]$, $[N + 1]$ and $\varphi$ are identical as maps on $E(\mathbb{F}_q)$. However, they are all different when considered over the algebraic closure $\bar{\mathbb{F}}_q$.
Some basic facts about isogenies are

THEOREM III.11 (Theorem 11.66 of [60]). Let $E$ denote an elliptic curve defined over a field $K$ and let $S$ denote a finite subgroup of $E$ which is Galois stable over $K$. Then there exist an elliptic curve $E'$, also defined over $K$, and a unique separable isogeny $\phi : E \longrightarrow E'$ with kernel equal to $S$.

When $K = \mathbb{F}_q$, the subgroup $S$ in Theorem III.11 is Galois stable if and only if it is closed under the operation of the Frobenius map. Also, the notation $E/S$ is often used for the curve $E'$ described in the theorem, that is,
$$\phi : E \longrightarrow E/S.$$
This notation is obvious from a group-theoretic point of view, but it also conveys the less obvious fact that the quotient $E/S$ corresponds to the group of points of an elliptic curve.

To every non-constant isogeny, $\phi$, there is a unique dual isogeny
$$\hat\phi : E_2 \longrightarrow E_1$$
such that $\hat\phi \circ \phi$ is equal to multiplication by $n$, where $n = \deg(\phi)$, on $E_1$ and $\phi \circ \hat\phi$ is multiplication by $n$ on $E_2$. The existence of the dual isogeny implies that being isogenous is an equivalence relation on the set of all elliptic curves. We then have

LEMMA III.12 (Lemma 15.1 of [25]). Two isogenous abelian varieties (and hence two isogenous elliptic curves) over a finite field have the same number of rational points.

LEMMA III.13 (Lemma 8.4 of [25]). Suppose $\phi : E \longrightarrow E'$ is a separable isogeny defined over $K$, whose kernel has exponent $d$, with $d$ coprime to the characteristic of $K$. Assume that the elements of the kernel of $\phi$ and all the $d$th roots of unity are defined over $K$. Then all the elements in $E'[\hat\phi]$ are also defined over $K$ and there is a natural non-degenerate pairing
$$e_\phi : E[\phi] \times E'[\hat\phi] \longrightarrow \mu_d(K).$$

When the isogeny in the previous lemma is the multiplication-by-$m$ map the pairing is equal to the Weil pairing mentioned earlier. The above pairing is sometimes referred to as the $\phi$-Weil pairing.

The set of all isogenies from a curve to itself, together with the zero map, form a ring. This is the ring of endomorphisms of $E$, denoted by $\mathrm{End}(E)$. Clearly $\mathrm{End}(E)$ contains a subring isomorphic to $\mathbb{Z}$, as multiplication by $m$ is an isogeny from $E$ to $E$ of degree $m^2$. There are three possibilities for the structure of the ring $\mathrm{End}(E)$ (see [147, Section III.9]).
1. $\mathrm{End}(E) = \mathbb{Z}$; this does not occur for elliptic curves over a finite field.
2. $\mathrm{End}(E)$ is an order in an imaginary quadratic field. Over finite fields such curves are called ordinary.
3. $\mathrm{End}(E)$ is the maximal order in a quaternion algebra. Over finite fields such curves are called supersingular but over fields of characteristic zero this case does not occur.

Recall that a curve, $E$, is supersingular over a field, $\mathbb{F}_q$, of characteristic $p$ if and only if $p \ge 5$ and the trace of Frobenius satisfies $t = 0$, or $p = 2$ or $3$ and $j(E) = 0$. In all characteristics we have that $E$ is supersingular if and only if $p$ divides the trace of Frobenius. If the curve has an endomorphism ring which is strictly larger than $\mathbb{Z}$, then the curve is said to possess complex multiplication (CM).

Now let $\ell$ be a prime different from the characteristic of $K$ and consider the $\ell$-power torsion, $E[\ell^n]$, for some fixed value of $n$. The group $E[\ell^n]$ can clearly be considered as a $(\mathbb{Z}/\ell^n\mathbb{Z})$-module of rank two. The absolute Galois group, $G = \mathrm{Gal}(\bar K/K)$, acts on $E[\ell^n]$ as a linear map. So we obtain a Galois representation:
$$\rho_{\ell,n} : G \longrightarrow \mathrm{Aut}(E[\ell^n]) \cong \mathrm{GL}_2(\mathbb{Z}/\ell^n\mathbb{Z}).$$
We can also consider all $\ell$-power torsion at once by taking the Tate module (see [147])
$$T_\ell(E) = \varprojlim E[\ell^n].$$
This is a rank two $\mathbb{Z}_\ell$-module, where $\mathbb{Z}_\ell$ is the $\ell$-adic integers. The inverse limit used to produce $T_\ell$ is 'compatible' with the inverse limit used to define the absolute Galois group $G$, in the sense that $\rho_{\ell,n}$ will factor through a finite quotient group of $G$. Hence, we obtain a continuous $\ell$-adic Galois representation:
$$\rho_\ell : G \longrightarrow \mathrm{Aut}(T_\ell(E)) \cong \mathrm{GL}_2(\mathbb{Z}_\ell).$$

If $K = \mathbb{Q}$ then sitting inside $G$ are special elements, for each prime $p$, called the Frobenius elements. These are defined up to conjugation and inertia, and their images generate the quotient of their decomposition group by the inertia group, $D_p/I_p \cong \mathrm{Gal}(\bar{\mathbb{F}}_p/\mathbb{F}_p)$. We then look at the image under $\rho_\ell$ of a Frobenius element, $\rho_\ell(\sigma_p)$, if the curve is non-singular over $\mathbb{F}_p$. The element is a matrix whose characteristic polynomial is well defined and independent of $\ell$. The trace of $\rho_\ell(\sigma_p)$ we denote by $t_p$ and is the trace of Frobenius at the prime $p$.

If $K = \mathbb{F}_q$ then $G$ is generated by the Frobenius element $\sigma_q$. The element $\rho_\ell(\sigma_q)$ is also a matrix whose characteristic polynomial is well defined and independent of $\ell$. Its trace is the trace of Frobenius, $t$, mentioned earlier.
III.7. Various Functions and q-Expansions

It is a standard fact [147], used in complex analysis, the theory of partial differential equations and number theory, that an elliptic curve over $\mathbb{C}$ defines a lattice in $\mathbb{C}$ (and whence a torus). The lattice of the periods will be denoted $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$, where $\omega_1, \omega_2 \in \mathbb{C}$, and the associated, doubly periodic Weierstrass $\wp$-function is
$$\wp(z) = \frac{1}{z^2} + \sum_{\omega \in \Lambda \setminus \{0\}} \left( \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right).$$
This function satisfies the differential Equation (III.1). The periods, $\omega_1$ and $\omega_2$, can be suitably chosen so that the quantity
$$\tau = \omega_1/\omega_2$$
lies in the upper half of the complex plane, $\mathcal{H} = \{z \in \mathbb{C} : \mathrm{Im}(z) > 0\}$. The map from $\mathbb{C}$ (modulo $\Lambda$) to points on the corresponding elliptic curve is given by
$$\begin{aligned} \mathbb{C}/\Lambda &\longrightarrow E \\ z + \Lambda &\longmapsto \begin{cases} O, & z \in \Lambda,\\ \big(x_\Lambda,\ (\wp'(z) - a_1 x_\Lambda - a_3)/2\big), & z \notin \Lambda, \end{cases} \end{aligned}$$
where $x_\Lambda = \wp(z) - b_2/12$. The codomain of this map corresponds to the long Weierstrass form of the curve. The special case
$$z + \Lambda \longmapsto (\wp(z), \wp'(z)/2), \qquad z \notin \Lambda,$$
corresponds to the short form $Y^2 = X^3 + aX + b$. The coefficients of the short form are obtained with the formulae
$$g_2 = 60 \sum_{\omega \in \Lambda \setminus \{0\}} \frac{1}{\omega^4}, \qquad g_3 = 140 \sum_{\omega \in \Lambda \setminus \{0\}} \frac{1}{\omega^6},$$
and $a = -g_2/4$, $b = -g_3/4$. The inverse correspondence, leading from the coefficients of the curve to the periods $\omega_1$ and $\omega_2$, can also be computed (see, for instance, [29]).

The complex number $\tau \in \mathcal{F}$ characterizes elliptic curves up to isomorphism, i.e. if $\tau = \omega_1/\omega_2 = \omega_1'/\omega_2'$, then the elliptic curves derived from the lattices $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ and $\Lambda' = \mathbb{Z}\omega_1' + \mathbb{Z}\omega_2'$ are isomorphic. An elliptic curve over $\mathbb{C}$ associated to $\tau$ in this way is denoted by $E_\tau$. We can also consider the $j$-invariant of the curve as a function on $\mathcal{H}$ and write $j(\tau) = j(E_\tau)$, which is well defined due to the invariance of $j(E_\tau)$ under curve isomorphisms. What makes this function $j(\tau)$ so exciting is that it is one of the simplest examples of a modular function [147].

LEMMA III.14. For any matrix
$$A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z})$$
we have
$$j\!\left(\frac{a\tau + b}{c\tau + d}\right) = j(\tau).$$
Also, $j(\tau)$ is periodic of period one, and has the Fourier series
$$j(\tau) = \frac{1}{q} + 744 + \sum_{n \ge 1} c_n q^n,$$
where $q = e^{2\pi i\tau}$, and the $c_n$ are positive integers.

Here, $\mathrm{SL}_2(\mathbb{Z})$ is the special linear group of $2 \times 2$ matrices over the integers, of determinant 1. Any complex number $\tau^*$ is equivalent to a $\tau$, under $\mathrm{SL}_2(\mathbb{Z})$ transformations, which lies in the standard fundamental region for such transformations,
$$\mathcal{F} = \{\tau \in \mathbb{C} : \mathrm{Im}(\tau) > 0,\ -1/2 \le \mathrm{Re}(\tau) < 1/2,\ |\tau| \ge 1\}.$$
Therefore, by Lemma III.14, when considering $E_\tau$, we can assume that $\tau$ is in $\mathcal{F}$.

We now present various functions and series which are defined via expansions in the variable $q = e^{2\pi i\tau}$ and are related to the $j$-invariant above. We shall use these functions in various places in the book, so it is convenient to have them defined in a single place. For example, we can define
$$\Delta(\tau) = q \prod_{n=1}^{\infty} (1 - q^n)^{24},$$
where, again, $q = e^{2\pi i\tau}$. It can be shown that this series may be written as
$$\Delta(\tau) = q \Big( 1 + \sum_{n \ge 1} (-1)^n \big( q^{n(3n-1)/2} + q^{n(3n+1)/2} \big) \Big)^{24}. \qquad \text{(III.10)}$$
Also, as expected, the power series satisfies $\Delta(\tau) = \Delta(E_\tau)$, where the latter is the discriminant of the curve defined in the earlier chapter. The function $\Delta(\tau)$ is also related to $j(\tau)$ using the formulae
$$h(\tau) = \frac{\Delta(2\tau)}{\Delta(\tau)}, \qquad j(\tau) = \frac{(256h(\tau) + 1)^3}{h(\tau)}.$$
The coefficients $\tau_n$ of $\Delta(\tau)$ in Equation (III.10) define a function, $n \mapsto \tau_n$, called the Ramanujan $\tau$-function. This is a very interesting number-theoretic function which has the following properties:

THEOREM III.15. The following all hold for the function $\tau_n$:
• It is multiplicative, in the sense that if $m$ and $n$ are coprime then
• If $p$ is a prime and $t \ge 1$ then
• For all $n \ge 1$
$$|\tau_n| \le \sigma_0(n)\, n^{11/2},$$
where $\sigma_0(n)$ denotes the number of positive divisors of $n$.

All of these results were conjectured by Ramanujan; the first two were proved by Mordell while the last was proved by Deligne. The function $\Delta(\tau)$ is itself the 24th power of a function of great importance, namely Dedekind's $\eta$-function
$$\eta(\tau) = \Delta(\tau)^{1/24} = q^{1/24} \prod_{n=1}^{\infty} (1 - q^n) = e^{2\pi i\tau/24} \Big( 1 + \sum_{n \ge 1} (-1)^n \big( q^{n(3n-1)/2} + q^{n(3n+1)/2} \big) \Big).$$
The Dedekind $\eta$-function satisfies the following identities:
$$\eta(\tau + 1) = e^{2\pi i/24}\,\eta(\tau), \qquad \eta(-1/\tau) = \sqrt{-i\tau}\,\eta(\tau),$$
where the branch in the complex square root is taken to be on the positive real axis. We will also require the following Eisenstein series, for $k = 0, 1, 2, \ldots$:
$$E_{2k}(\tau) = 1 - \frac{4k}{B_{2k}} \sum_{n \ge 1} \sigma_{2k-1}(n)\, q^n,$$
where $B_i$ represents the $i$th Bernoulli number and $\sigma_i(n) = \sum_{d \mid n} d^i$. For example we have
$$\begin{aligned}
E_2(\tau) &= 1 - 24 \sum_{n=1}^{\infty} \frac{n q^n}{1 - q^n},\\
E_4(\tau) &= 1 + 240 \sum_{n=1}^{\infty} \frac{n^3 q^n}{1 - q^n},\\
E_6(\tau) &= 1 - 504 \sum_{n=1}^{\infty} \frac{n^5 q^n}{1 - q^n}.
\end{aligned}$$
These are related to $\Delta(\tau)$ by Jacobi's formula
$$\Delta(\tau) = \frac{E_4(\tau)^3 - E_6(\tau)^2}{1728}$$
and to the function $j(\tau)$ by
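As an added example (not from the book), the Python code below works with truncated $q$-expansions, all in exact integers: it builds $\Delta(\tau)$ from the product formula, $E_4$ and $E_6$ from the Eisenstein series definition, verifies Jacobi's formula coefficient by coefficient, reads off the Ramanujan numbers $\tau_n$ and checks the properties of Theorem III.15 (the prime-power relation $\tau_{p^2} = \tau_p^2 - p^{11}$ used in the check is the standard instance of the second property, assumed here since the page does not display it), and recovers the Fourier expansion $j = 1/q + 744 + 196884q + \cdots$ of Lemma III.14 through the identity $j = E_4^3/\Delta$, likewise a standard fact assumed here. The precision $N$ is a constructed parameter.

```python
# Added example (not from the book): exact truncated q-expansions of Delta,
# E_4, E_6 and j.  A series is a list c with c[i] the coefficient of q^i,
# kept to N terms (constructed precision).
N = 12

def mul_series(a, b, n=N):
    c = [0] * n
    for i, ai in enumerate(a[:n]):
        if ai:
            for j, bj in enumerate(b[:n - i]):
                c[i + j] += ai * bj
    return c

def inv_series(a, n=N):
    """1/a for a series with constant term 1 (coefficient recursion)."""
    b = [1] + [0] * (n - 1)
    for k in range(1, n):
        b[k] = -sum(a[i] * b[k - i] for i in range(1, k + 1))
    return b

def sigma(k, m):
    """sigma_k(m) = sum of d^k over the positive divisors d of m."""
    return sum(d ** k for d in range(1, m + 1) if m % d == 0)

def eta24(n=N):
    """prod_{m>=1} (1 - q^m)^24 = Delta(tau)/q, truncated to n terms."""
    s = [1] + [0] * (n - 1)
    for m in range(1, n):
        factor = [1] + [0] * (n - 1)
        factor[m] = -1
        for _ in range(24):
            s = mul_series(s, factor, n)
    return s

def delta_from_product(n=N):
    """Delta(tau) = q prod (1 - q^m)^24; the coefficient of q^m is tau_m."""
    return [0] + eta24(n)[:n - 1]

def eisenstein(weight, n=N):
    """E_{2k} = 1 - (4k/B_{2k}) sum sigma_{2k-1}(m) q^m, here for weights 4 and 6:
    E_4 = 1 + 240 sum sigma_3(m) q^m,  E_6 = 1 - 504 sum sigma_5(m) q^m."""
    const = {4: 240, 6: -504}[weight]
    return [1] + [const * sigma(weight - 1, m) for m in range(1, n)]

def delta_from_jacobi(n=N):
    """Jacobi's formula Delta = (E_4^3 - E_6^2)/1728 as an exact series."""
    e4, e6 = eisenstein(4, n), eisenstein(6, n)
    e4c = mul_series(mul_series(e4, e4, n), e4, n)
    e6s = mul_series(e6, e6, n)
    diff = [x - y for x, y in zip(e4c, e6s)]
    assert all(v % 1728 == 0 for v in diff)     # the difference is divisible by 1728
    return [v // 1728 for v in diff]

def j_coefficients(n=N):
    """j = E_4^3 / Delta (standard identity, assumed here); entry i is the
    coefficient of q^(i-1), so the list starts [1, 744, 196884, ...]."""
    e4 = eisenstein(4, n)
    e4c = mul_series(mul_series(e4, e4, n), e4, n)
    return mul_series(e4c, inv_series(eta24(n), n), n)

def tau_bound_holds(n=N):
    """Deligne's bound |tau_m| <= sigma_0(m) m^(11/2) for 1 <= m < n."""
    t = delta_from_product(n)
    return all(abs(t[m]) <= sigma(0, m) * m ** 5.5 for m in range(1, n))

if __name__ == "__main__":
    print(delta_from_product()[1:])      # 1, -24, 252, -1472, 4830, -6048, ...
    print(j_coefficients()[:4])          # 1, 744, 196884, 21493760
```

The product and Jacobi forms of $\Delta$ agree term by term, $\tau_6 = \tau_2\tau_3$ and $\tau_{10} = \tau_2\tau_5$ illustrate multiplicativity, and $\tau_4 = \tau_2^2 - 2^{11}$, $\tau_9 = \tau_3^2 - 3^{11}$ the prime-power relation.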

III.8. Modular Polynomials and Variants

Modular polynomials play a significant role in the improvements by Atkin and Elkies to Schoof's point counting algorithm considered in Chapter VII, as well as in other more recent variants. The properties of these polynomials are reviewed here (without proof), drawing from the references [148], [142] and [85].

The correspondence between lattices $\mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$, $\omega_1, \omega_2 \in \mathbb{C}$, and elliptic curves over $\mathbb{C}$ was noted in the previous section, as was the invariance of $j(\tau)$ under transformations of the form $\tau' = (a\tau + b)/(c\tau + d)$, where
$$\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z}).$$
More generally, for a matrix
$$\alpha = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{GL}_2(\mathbb{R}), \qquad \det(\alpha) > 0,$$
define
$$j \circ \alpha\,(\tau) = j\!\left( \frac{a\tau + b}{c\tau + d} \right).$$
This is the $j$-invariant of the elliptic curve $\mathbb{C}/(\mathbb{Z} + \mathbb{Z}\tau')$ with $\tau' = (a\tau + b)/(c\tau + d)$.

For a positive integer $n$, define
$$D_n^* = \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} : a, b, c, d \in \mathbb{Z},\ ad - bc = n,\ \gcd(a, b, c, d) = 1 \right\},$$
and
$$S_n^* = \left\{ \begin{pmatrix} a & b \\ 0 & d \end{pmatrix} \in D_n^* : d > 0,\ 0 \le b < d \right\}.$$
It can be shown that
$$\# S_n^* = n \prod_{p \mid n} \left( 1 + \frac{1}{p} \right),$$
where the product is over primes $p$ dividing $n$. Notice that when $n = \ell$, a prime, we have $\# S_\ell^* = \ell + 1$. This case will be of special interest in the study of isogenies, and their application in the context of the point counting algorithms described in Chapter VII.

The following lemma establishes a connection between the matrices $S_n^*$, and the $j$-invariants of images of isogenies of degree $n$ from a given curve. It is adapted from a problem in [148].

LEMMA III.16. Let $E_1$ and $E_2$ be two elliptic curves over $\mathbb{C}$, with $j$-invariants $j(E_1) = j(\tau)$ and $j(E_2)$, respectively, and let $n$ be a positive integer. Then, $j(E_2) = j \circ \alpha\,(\tau)$ for some $\alpha \in S_n^*$ if and only if there is an isogeny from $E_1$ to $E_2$ whose kernel is cyclic of degree $n$.

Define the modular polynomial of order $n$, by the equation
$$\Phi_n(x, j) = \prod_{\alpha \in S_n^*} (x - j \circ \alpha).$$
It can be shown that $\Phi_n \in \mathbb{Z}[j][x]$ and, as a polynomial in two variables, $\Phi_n(x, y)$, it is symmetric and of degree $\# S_n^*$ in each variable. Notice that $j$ in this equation is a formal function of $\tau$, defined by its $q$-expansion. The previous lemma then implies that there is an isogeny of degree $n$, from $E_1$ to $E_2$, if and only if $\Phi_n(j(E_1), j(E_2)) = 0$.

In the case that $n = \ell$, a prime, there are precisely $\ell + 1$ subgroups of the group of $\ell$-torsion points, $E[\ell]$, of a curve $E$. Each such subgroup is the kernel of an isogeny of degree $\ell$, corresponding to one of the $\ell + 1$ matrices in $S_\ell^*$. Equivalently, each such subgroup corresponds to an isogenous curve with a $j$-invariant which is a zero of the polynomial $\Phi_\ell(x, j)$.

It can be shown that the modular polynomial $\Phi_\ell(x, y)$ is equal to

plus terms of the form $a_{ij} x^i y^j$, $i, j \le \ell$, $i + j < 2\ell$, $a_{ij} \in \mathbb{Z}$. By the Kronecker congruence relation (see [142], [148] and [60]), we have

Note that while the degree of the modular polynomials $\Phi_\ell(x, j)$ is $\ell + 1$ in either variable (rather than the $(\ell^2 - 1)/2$ of the division polynomials), their integer coefficients can become very large as $\ell$ increases. For example, the modular polynomials for $\ell = 3$ and $\ell = 5$ are given by [51]:
$$\begin{aligned}
\Phi_3(x, y) = {}& x^4 - x^3y^3 + y^4 + 2232\,(x^3y^2 + y^3x^2) - 1069956\,(x^3y + y^3x)\\
&+ 36864000\,(x^3 + y^3) + 2587918086\,x^2y^2\\
&+ 8900222976000\,(x^2y + y^2x)\\
&+ 452984832000000\,(x^2 + y^2) - 770845966336000000\,xy\\
&+ 1855425871872000000000\,(x + y),
\end{aligned}$$
$$\begin{aligned}
\Phi_5(x, y) = {}& x^6 - x^5y^5 + y^6 + 3720\,(x^5y^4 + x^4y^5)\\
&- 4550940\,(x^5y^3 + x^3y^5)\\
&+ 2028551200\,(x^5y^2 + x^2y^5)\\
&- 246683410950\,(x^5y + xy^5)\\
&+ 1963211489280\,(x^5 + y^5)\\
&+ 1665999364600\,x^4y^4\\
&+ 107878928185336800\,(x^4y^3 + x^3y^4)\\
&+ 383083609779811215375\,(x^4y^2 + x^2y^4)\\
&+ 128541798906828816384000\,(x^4y + xy^4)\\
&+ 1284733132841424456253440\,(x^4 + y^4)\\
&- 441206965512914835246100\,x^3y^3\\
&+ 26898488858380731577417728000\,(x^3y^2 + x^2y^3)\\
&- 192457934618928299655108231168000\,(x^3y + xy^3)\\
&+ 280244777828439527804321565297868800\,(x^3 + y^3)\\
&+ 5110941777552418083110765199360000\,x^2y^2\\
&+ 36554736583949629295706472332656640000\,(x^2y + xy^2)\\
&+ 6692500042627997708487149415015068467200\,(x^2 + y^2)\\
&- 264073457076620596259715790247978782949376\,xy\\
&+ 53274330803424425450420160273356509151232000\,(x + y)\\
&+ 141359947154721358697753474691071362751004672000.
\end{aligned}$$
The rate of growth of the coefficients of $\Phi_\ell$ was characterized by Cohen in [31], after initial estimates by Mahler ([91], [92]). Let $h(\Phi_\ell)$ denote the natural logarithm of the largest absolute value of a coefficient of $\Phi_\ell(x, y)$ (for example, for $\Phi_5$ above, we have $h(\Phi_5) \approx 108.6$, attained by its constant coefficient). When $\ell$ is prime, it follows from the results in [31] that

In our applications to point counting algorithms for elliptic curves over $\mathbb{F}_q$, $\ell$ will be a prime taking on values of the order of $\log q$, with $q$ being a prime (or a power of two) with binary expansion a few hundreds of bits long. Although the coefficients of the modular polynomials are eventually reduced modulo the characteristic of the field, they are often computed first over $\mathbb{Z}$. Assuming, for instance, that the binary expansion of $q$ is about two hundred bits long, the bound above places the binary length of the coefficients of $\Phi_\ell$ at about 30 times the length of $q$, a heavy computational burden indeed. To overcome the difficulties posed by the large coefficients some authors have given alternative modular polynomials. However, even these variants need to be computed with care. We give one such variant below. Other variants are described, for example, in [108] and [40].
Let $s$ be the least positive integer such that $v = s(\ell - 1)/12 \in \mathbb{Z}_{>0}$. Hence, $s = 12/\gcd(\ell - 1, 12)$. Define

where $\eta(z)$ is Dedekind's $\eta$-function. We then have the following theorem, which allows us to define variants of the modular polynomials which are more suited to computations.

THEOREM III.17 (see [110]). There exist coefficients $a_{r,k} \in \mathbb{Z}$ such that
$$\sum_{r=0}^{\ell+1} \sum_{k=0}^{v} a_{r,k}\, j(\ell\tau)^k f(\tau)^r = 0.$$
Define the polynomial
$$G_\ell(x, y) = \sum_{r=0}^{\ell+1} \sum_{k=0}^{v} a_{r,k}\, x^r y^k \in \mathbb{Z}[x, y].$$
Let $E$ be an elliptic curve defined over $\mathbb{F}_q$. Then, when interpreted over $\mathbb{F}_q$, the polynomial $G_\ell(x, j(E))$ has the same splitting type over $\mathbb{F}_q$ as the $\ell$th modular polynomial $\Phi_\ell(x, j(E))$.

In Theorem III.17, 'splitting type' refers to the degrees and multiplicities of the irreducible factors of the polynomials over $\mathbb{F}_q$. It turns out that considerably less precision is required for constructing these polynomials since their coefficients are much smaller than those of the standard modular polynomials. This property means they are easier to compute and store than the polynomials $\Phi_\ell(x, y)$, and it also leads to significant (and crucial) performance savings in the algorithms that require their use. Detailed explanations of the computation of these alternative polynomials are given in [110] and [74]. We shall just summarize the method. The idea is to compute the functions $s_r(\tau)$, for $r = 0, \ldots, \ell + 1$, given by
$$s_r(\tau) = \sum_{k=0}^{v} a_{\ell+1-r,k}\, j(\ell\tau)^k \qquad \text{(III.11)}$$
since the polynomial given by
$$h(X) = \sum_{r=0}^{\ell+1} s_r(\tau)\, X^{\ell+1-r}$$
has the roots, for $n = 0, \ldots, \ell - 1$,

We can compute $s_r(\tau)$ in the following way, keeping all functions of $\tau$ in terms of their $q$-expansions. First compute the coefficients, $b_i$, in
$$f(\tau)^r = q^{-vr} \Big( \sum_i b_i q^i \Big),$$
and then
$$\sum_{j=0}^{\ell-1} f\!\left(\frac{\tau + j}{\ell}\right)^{r} = q^{-vr/\ell} \sum_{i=0}^{\infty} R_i b_i q^{i/\ell},$$
where $R_i = \ell$ if $i \equiv vr \pmod{\ell}$ and $R_i = 0$ otherwise. We can then compute the sum of the $r$th powers of the roots of $h(X)$ using the formula
$$c_r(\tau) = c_{r,1}(\tau) + \left( \frac{g_s(\tau)}{f(\ell\tau)} \right)^{r}$$
for $r = 1, \ldots, \ell + 1$. Then using Newton's formulae we can express the $s_r(\tau)$ using the iteration,
$$s_r(\tau) = - \sum_{i=0}^{r-1} c_{r-i}(\tau)\, s_i(\tau),$$
where $s_0(\tau) = -1$. We can then compute the desired coefficients $a_{\ell+1-r,k}$ from Equation (III.11), for $r = 1, \ldots, \ell + 1$ and $k = 0, \ldots, v$. For the other coefficients we have $a_{\ell+1,k} = 0$ for $k = 1, \ldots, v$ and $a_{\ell+1,0} = 1$. With the coefficients known, the bivariate polynomial $G_\ell(x, y)$ can be found from the equation given in Theorem III.17 by replacing $j(\ell\tau)$ with $y$.

As an example of how much smaller the coefficients of these polynomials are, compared to the standard modular polynomials, consider the examples
$$\begin{aligned}
G_3(x, y) &= 729 + 756x - xy + 270x^2 + 36x^3 + x^4,\\
G_5(x, y) &= 125 + 750x - xy + 1575x^2 + 1300x^3 + 315x^4 + 30x^5 + x^6.
\end{aligned}$$
However, although the polynomials $G_\ell$ are computed over $\mathbb{C}$, if we are working over fields of characteristic two then we only need to reduce the integer coefficients of the modular polynomials modulo two once and store them in a table. So for fields of characteristic two we will still use the standard modular polynomials. For example, on computing the first few modular polynomials, we find that modulo two they are given by
$$\begin{aligned}
\Phi_3(x, y) &\equiv x^4 + x^3y^3 + y^4 \pmod 2,\\
\Phi_5(x, y) &\equiv x^6 + x^5y^5 + x^4y^2 + x^2y^4 + y^6 \pmod 2,
\end{aligned}$$
<l>5 (x, y) x8 + x7y7 + x6y6 + x8 y + y (mod 2),
<I>7 (x, y) x 12+ x 11y +11 x y 11+ 3y (mod 10 6 2), g g 8 4 6 10
<I> n (x, y) x 4+ x y3 +11 x y12 + x y + x y + x y + x y
+x y8 + x y + y (mod 2),
$$\begin{aligned}
\Phi_{13}(x, y) \equiv {}& x^{14} + x^{13}y^{13} + x^{13}y^5 + x^{12}y^2 + x^{10}y^4 + x^8y^6 + x^6y^8 + x^5y^{13}\\
&+ x^4y^{10} + x^2y^{12} + y^{14} \pmod 2,\\
\Phi_{17}(x, y) \equiv {}& x^{18} + x^{17}y^{17} + x^{17}y^9 + x^{16}y^2 + x^{16}y^{10} + x^{14}y^{12} + x^{12}y^{14}\\
&+ x^{10}y^{16} + x^9y^{17} + x^2y^{16} + y^{18} \pmod 2.
\end{aligned}$$
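The Python code below is an added example, not the book's: it stores $\Phi_3(x, y)$ as listed earlier in this section, reduces it modulo 2 (recovering the first line of the table above), computes $h(\Phi_5)$ from the constant term of $\Phi_5$, and checks the statement of Theorem III.17 on one constructed instance. For a curve over $\mathbb{F}_7$ with $j$-invariant $0$ (for example $y^2 = x^3 + 2$), $\Phi_3(x, 0)$ and $G_3(x, 0)$ turn out to have the same splitting type over $\mathbb{F}_7$, each being a simple root times a triple root; the coefficients of $G_3$ are those given above, and the prime 7 and the value $j = 0$ are constructed choices.

```python
# Added example (not from the book): Phi_3 as listed above, its reduction
# mod 2, h(Phi_5) from the constant term of Phi_5, and a check of Theorem
# III.17 on one constructed instance (j = 0 over F_7, e.g. y^2 = x^3 + 2).
import math

# Phi_3(x, y): (i, k) -> coefficient of x^i y^k; the symmetric partner of
# each listed term is filled in below.
_PHI3_TERMS = [
    (4, 0, 1), (3, 3, -1), (3, 2, 2232), (3, 1, -1069956), (3, 0, 36864000),
    (2, 2, 2587918086), (2, 1, 8900222976000), (2, 0, 452984832000000),
    (1, 1, -770845966336000000), (1, 0, 1855425871872000000000),
]
PHI3 = {}
for _i, _k, _a in _PHI3_TERMS:
    PHI3[(_i, _k)] = _a
    PHI3[(_k, _i)] = _a

PHI5_CONSTANT = 141359947154721358697753474691071362751004672000

# G_3(x, y) = x^4 + 36x^3 + 270x^2 + 756x + 729 - xy, as given above
G3 = {(4, 0): 1, (3, 0): 36, (2, 0): 270, (1, 0): 756, (0, 0): 729, (1, 1): -1}


def reduce_mod(poly, p):
    """Exponent pairs (i, k) of the terms that survive reduction modulo p."""
    return sorted(e for e, a in poly.items() if a % p)


def height(max_abs_coefficient):
    """h(Phi_l): natural logarithm of the largest |coefficient|."""
    return math.log(max_abs_coefficient)


def specialize(poly, j, p):
    """Coefficients of poly(x, j) over F_p; index i holds the coefficient of x^i."""
    c = [0] * (max(i for i, _ in poly) + 1)
    for (i, k), a in poly.items():
        c[i] = (c[i] + a * pow(j, k, p)) % p
    return c


def eval_poly(c, r, p):
    v = 0
    for a in reversed(c):
        v = (v * r + a) % p
    return v


def splitting_type(c, p):
    """Sorted multiplicities of the roots in F_p, and the degree of what is
    left after dividing them out (0 means the polynomial splits completely)."""
    c = [a % p for a in c]
    while len(c) > 1 and c[-1] == 0:
        c.pop()
    mult = {}
    for r in range(p):
        while len(c) > 1 and eval_poly(c, r, p) == 0:
            q, acc = [0] * (len(c) - 1), 0
            for i in range(len(c) - 1, 0, -1):     # synthetic division by (x - r)
                acc = (acc * r + c[i]) % p
                q[i - 1] = acc
            c = q
            mult[r] = mult.get(r, 0) + 1
    return sorted(mult.values()), len(c) - 1


if __name__ == "__main__":
    print(reduce_mod(PHI3, 2))                              # [(0, 4), (3, 3), (4, 0)]
    print(round(height(PHI5_CONSTANT), 1))                  # 108.6
    print(splitting_type(specialize(PHI3, 0, 7), 7))        # ([1, 3], 0)
    print(splitting_type(specialize(G3, 0, 7), 7))          # ([1, 3], 0)
```

Over $\mathbb{F}_7$ one finds $\Phi_3(x, 0) \equiv x(x - 3)^3$ and $G_3(x, 0) \equiv (x - 1)(x - 4)^3$: different roots, as expected since $G_\ell$ is not a polynomial in $j$-invariants, but the same factorization pattern, which is what the point counting algorithms of Chapter VII consume.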
CHAPTER IV
Efficient Implementation of Elliptic Curves

The basic building blocks of an elliptic curve cryptosystem over $\mathbb{F}_q$ are computations of the form
$$Q = [k]P = \underbrace{P + P + \cdots + P}_{k \text{ times}}, \qquad \text{(IV.1)}$$
where $P$ is a curve point, and $k$ is an arbitrary integer in the range $1 \le k < \mathrm{ord}(P)$. For some of the cryptographic protocols, $P$ is a designated fixed point that generates a large, prime order subgroup of $E(\mathbb{F}_q)$, while for others $P$ is an arbitrary point in such a subgroup. The strength of the cryptosystem lies in the fact that given the curve, the point $P$ (be it fixed or arbitrary) and $[k]P$, it is hard to recover $k$. This is the elliptic curve discrete logarithm problem (ECDLP), which is discussed at length in Chapter V. We refer to the computation of Equation (IV.1) as point multiplication. Efficient algorithms for this computation are the subject of this chapter. We start by analysing the computational complexity of the group operation.

IV.1. Point Addition

As noted in Chapter III, the simplified formulae for the group law take on different forms depending on the characteristic of the underlying field. We analyse the computational complexity of these formulae separately for characteristic $p > 3$, and for characteristic two.

IV.1.1. Fields of characteristic $p > 3$. Affine coordinates. We recall from Chapter III the formulae for point addition on a curve
$$E : Y^2 = X^3 + aX + b$$
with $a, b \in \mathbb{F}_q$, $q = p^n$, where $p$ is a prime greater than three. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points in $E(\mathbb{F}_q)$ given in affine coordinates, and some convention is used to represent $O$. Assume $P_1, P_2 \ne O$, and $P_1 \ne -P_2$, conditions that are all easily checked. The sum $P_3 = (x_3, y_3) = P_1 + P_2$ can be computed as follows. If $P_1 \ne P_2$,
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1}, \qquad x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = (x_1 - x_3)\lambda - y_1.$$
If $P_1 = P_2$,
$$\lambda = \frac{3x_1^2 + a}{2y_1}, \qquad x_3 = \lambda^2 - 2x_1, \qquad y_3 = (x_1 - x_3)\lambda - y_1.$$
When $P_1 \ne P_2$, the computation requires one field inversion and three field multiplications. We will denote this computational cost by $1I + 3M$, where $I$ and $M$ denote, respectively, the cost of field inversion and multiplication. Squarings are counted as regular multiplications. When $P_1 = P_2$, the cost of point doubling is $1I + 4M$. We neglect the cost of field additions, as well as the cost of multiplication by small constants (e.g., 2 and 3 in the computation of $\lambda$ when $P_1 = P_2$).

Projective coordinates. In cases where field inversions are significantly more expensive than multiplications, it is efficient to implement projective coordinates. The conventional projective (or homogeneous) coordinates were introduced in Chapter III. A projective point $(X, Y, Z)$ on the curve satisfies the homogeneous Weierstrass equation
$$Y^2Z = X^3 + aXZ^2 + bZ^3,$$
and, when $Z \ne 0$, it corresponds to the affine point $(X/Z, Y/Z)$. It turns out that other projective representations lead to more efficient implementations of the group operation [27]. In particular, we will prefer a weighted projective representation (also referred to as Jacobian representation [27] [30]), where a triplet $(X, Y, Z)$ corresponds to the affine coordinates $(X/Z^2, Y/Z^3)$ whenever $Z \ne 0$. This is equivalent to using a weighted projective curve equation of the form
$$Y^2 = X^3 + aXZ^4 + bZ^6.$$
The point at infinity $O$ is represented by any triplet $(l^2, l^3, 0)$, $l \in \mathbb{F}_q^*$, although in a practical implementation, since the coordinates of this point are never actually operated on, any triplet with $Z = 0$ would do. Weighted projective coordinates are very natural for elliptic curves. For example, for the division polynomial sequences $\psi_m(x, y)$, $\theta_m(x, y)$, $\omega_m(x, y)$ defined in Section III.4, we have $[m](X, Y, Z) = (\theta_m(X, Y), \omega_m(X, Y), \psi_m(X, Y))$. For the remainder of the chapter, and for the sake of conciseness, we will slightly abuse terminology and use the term 'projective' to mean 'weighted projective'. Conversion from affine to projective coordinates is trivial, while conversion in the other direction costs $1I + 4M$.

The key observation is that point addition can be done in projective coordinates using field multiplications only, with no inversions required. Thus, inversions are deferred, and only one need be performed at the end of a point multiplication operation, if it is required that the final result be given in affine coordinates. The cost of eliminating inversions is an increased number of multiplications, so the appropriateness of using projective coordinates is strongly determined by the ratio $I : M$.

The computation sequences in Figures IV.1 and IV.2 are adapted from the description in the appendices to the IEEE P1363 draft standard, [P1363]. A discussion of these sequences, together with similar ones for conventional homogeneous coordinates, and a comparison between the two types of coordinates can be found in [27]. This reference, as well as [30], also discusses various (redundant) mixed representations, e.g. $(X, Y, Z, Z^2, Z^3)$, which may have some computational advantages.

The sequence in Figure IV.1 computes the sum $P_3 = (X_3, Y_3, Z_3)$ of two points $P_1 = (X_1, Y_1, Z_1)$ and $P_2 = (X_2, Y_2, Z_2)$ in projective coordinates. We assume that $P_1, P_2 \ne O$, and that $P_1 \ne \pm P_2$. The latter condition is easily checked at an early stage of the computation, as discussed below. In the figure, the cost of each computation step is noted at the right-hand side of the step.
FIGURE IV.1. Point addition in projective coordinates, characteristic $p > 3$.

  $\lambda_1 = X_1 Z_2^2$                                      2M
  $\lambda_2 = X_2 Z_1^2$                                      2M
  $\lambda_3 = \lambda_1 - \lambda_2$
  $\lambda_4 = Y_1 Z_2^3$                                      2M
  $\lambda_5 = Y_2 Z_1^3$                                      2M
  $\lambda_6 = \lambda_4 - \lambda_5$
  $\lambda_7 = \lambda_1 + \lambda_2$
  $\lambda_8 = \lambda_4 + \lambda_5$
  $Z_3 = Z_1 Z_2 \lambda_3$                                    2M
  $X_3 = \lambda_6^2 - \lambda_7 \lambda_3^2$                  3M
  $\lambda_9 = \lambda_7 \lambda_3^2 - 2X_3$
  $Y_3 = (\lambda_9 \lambda_6 - \lambda_8 \lambda_3^3)/2$      3M
  Total                                                        16M

The total cost for general point addition is 16M. A special case of interest arises when $Z_1 = 1$, i.e., one point is given in affine coordinates, and the other point in projective coordinates. This case, which will occur in the multiplication algorithms, costs 11M, and will be referred to as a mixed addition.

The condition $P_1 = \pm P_2$ is equivalent to $\lambda_3 = 0$ in Figure IV.1. Furthermore, given that $\lambda_3 = 0$, the condition $P_1 = P_2$ is equivalent to $\lambda_6 = 0$. When this condition is detected, a point doubling routine is used, shown in Figure IV.2. The point doubling computation costs 10M. This can be reduced to 8M when $a = -3$, as in this case the computation of $\lambda_1$ can be rearranged as $\lambda_1 = 3(X_1 - Z_1^2)(X_1 + Z_1^2)$, costing 2M instead of 4M. By the characterization of isomorphisms in Section III.3.1, a curve $E_{a,b}$ can be transformed into an $\mathbb{F}_q$-isomorphic one $E_{a',b'}$ with $a' = -3$ if and only if $-3/a$ has a fourth root in $\mathbb{F}_q$. This holds for about half of the values of $a$ when $q \equiv 3 \pmod 4$, and for about a quarter of the values of $a$ when $q \equiv 1 \pmod 4$.

FIGURE IV.2. Point doubling in projective coordinates, characteristic $p > 3$.

  $\lambda_1 = 3X_1^2 + aZ_1^4$                         4M
  $Z_3 = 2Y_1 Z_1$                                      1M
  $\lambda_2 = 4X_1 Y_1^2$                              2M
  $X_3 = \lambda_1^2 - 2\lambda_2$                      1M
  $\lambda_3 = 8Y_1^4$                                  1M
  $Y_3 = \lambda_1(\lambda_2 - X_3) - \lambda_3$        1M
  Total                                                 10M

The different costs for point addition and doubling in characteristic $p > 3$ are summarized in Table IV.1. We observe in the table that the cost of point doubling in projective coordinates is about a half of that of a general addition (when $a = -3$), whereas in affine coordinates doubling is the more expensive operation.

TABLE IV.1. Cost of point addition, characteristic $p > 3$.

  Operation               affine     mixed    projective
  General addition        1I + 3M    11M      16M
  Doubling (arbitrary a)  1I + 4M    n/a      10M
  Doubling (a = -3)       1I + 4M    n/a       8M
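The sequences of Figures IV.1 and IV.2, together with their affine counterparts, as an added worked example in Python (not code from the book or from [P1363]): the routines run over the NIST P-256 field, where $a = -3$, count field multiplications and inversions per call, and are checked against the affine formulae. The P-256 prime, $b$ and base point $G$ are the published standard values; the `Cost` counter, the mixed/general branch on $Z_1 = 1$, and all function names are this example's own.

```python
# Added example (not from the book): the sequences of Figures IV.1 and IV.2 over
# F_p with an operation counter, checked against the affine formulae.
# Field, a = -3, b and base point G are the NIST P-256 values; the Cost class and
# the function names are this example's own.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INV2 = pow(2, P - 2, P)        # the "/2" of Figure IV.1 is a fixed constant, not counted as M


class Cost:
    """Counts general multiplications (squarings included, as in Table IV.1) and inversions."""
    def __init__(self):
        self.M, self.I = 0, 0

    def mul(self, x, y):
        self.M += 1
        return x * y % P

    def inv(self, x):
        self.I += 1
        return pow(x, P - 2, P)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def affine_add(c, P1, P2):                      # P1 != +-P2, both != O: 1I + 3M
    (x1, y1), (x2, y2) = P1, P2
    lam = c.mul((y2 - y1) % P, c.inv((x2 - x1) % P))
    x3 = (c.mul(lam, lam) - x1 - x2) % P
    return x3, (c.mul(lam, (x1 - x3) % P) - y1) % P


def affine_double(c, P1):                       # 1I + 4M
    x1, y1 = P1
    lam = c.mul((3 * c.mul(x1, x1) + A) % P, c.inv(2 * y1 % P))
    x3 = (c.mul(lam, lam) - 2 * x1) % P
    return x3, (c.mul(lam, (x1 - x3) % P) - y1) % P


def proj_add(c, P1, P2):
    """Figure IV.1: 16M in general, 11M when Z1 = 1 (mixed addition), because the
    products involving Z1 and its powers are skipped."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P1, P2
    Z2sq = c.mul(Z2, Z2)
    l1, l4 = c.mul(X1, Z2sq), c.mul(Y1, c.mul(Z2sq, Z2))          # lambda_1, lambda_4
    if Z1 == 1:
        l2, l5, Z1Z2 = X2, Y2, Z2
    else:
        Z1sq = c.mul(Z1, Z1)
        l2, l5, Z1Z2 = c.mul(X2, Z1sq), c.mul(Y2, c.mul(Z1sq, Z1)), c.mul(Z1, Z2)
    l3, l6 = (l1 - l2) % P, (l4 - l5) % P
    assert l3 != 0, "P1 = +-P2: use proj_double or handle O"   # the lambda_3 = 0 test
    l7, l8 = (l1 + l2) % P, (l4 + l5) % P
    Z3 = c.mul(Z1Z2, l3)
    l3sq = c.mul(l3, l3)
    l7l3sq = c.mul(l7, l3sq)
    X3 = (c.mul(l6, l6) - l7l3sq) % P
    l9 = (l7l3sq - 2 * X3) % P
    Y3 = (c.mul(l9, l6) - c.mul(l8, c.mul(l3sq, l3))) * INV2 % P
    return X3, Y3, Z3


def proj_double(c, P1, a_is_minus_3=True):
    """Figure IV.2: 10M for arbitrary a, 8M with the a = -3 rearrangement of lambda_1."""
    X1, Y1, Z1 = P1
    Z1sq = c.mul(Z1, Z1)
    if a_is_minus_3:
        l1 = 3 * c.mul((X1 - Z1sq) % P, (X1 + Z1sq) % P) % P
    else:
        l1 = (3 * c.mul(X1, X1) + c.mul(A, c.mul(Z1sq, Z1sq))) % P
    Z3 = 2 * c.mul(Y1, Z1) % P
    Y1sq = c.mul(Y1, Y1)
    l2 = 4 * c.mul(X1, Y1sq) % P
    X3 = (c.mul(l1, l1) - 2 * l2) % P
    l3 = 8 * c.mul(Y1sq, Y1sq) % P
    return X3, (c.mul(l1, (l2 - X3) % P) - l3) % P, Z3


def to_affine(c, pt):                           # (X/Z^2, Y/Z^3): 1I + 4M
    X, Y, Z = pt
    zi = c.inv(Z)
    zi2 = c.mul(zi, zi)
    return c.mul(X, zi2), c.mul(Y, c.mul(zi2, zi))


def demo():
    """Computes 2G and 3G projectively; returns them in affine form with the per-routine counts."""
    counts = {}
    c = Cost(); D = proj_double(c, (G[0], G[1], 1)); counts["double a=-3"] = (c.M, c.I)
    c = Cost(); proj_double(c, D, a_is_minus_3=False); counts["double general"] = (c.M, c.I)
    c = Cost(); T = proj_add(c, (G[0], G[1], 1), D); counts["mixed add"] = (c.M, c.I)
    c = Cost(); proj_add(c, D, T); counts["general add"] = (c.M, c.I)
    c = Cost(); twoG = to_affine(c, D); counts["to affine"] = (c.M, c.I)
    return twoG, to_affine(Cost(), T), counts
```

The counts returned by `demo()` are exactly the entries of Table IV.1 (16M, 11M, 10M, 8M and $1I + 4M$ for the final conversion); the `assert` on $\lambda_3$ is where a real implementation would branch to doubling or to the handling of $O$.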

IV.1.2. Fields of characteristic two. Affine coordinates. Recall from Chapter III the formulae for point addition on a curve
$$Y^2 + XY = X^3 + a_2 X^2 + a_6$$
with $a_2, a_6 \in \mathbb{F}_q$, $q = 2^n$, $a_6 \neq 0$. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points in $E(\mathbb{F}_q)$ given in affine coordinates, where some convention is used to represent $O$ (in this case, $(0, 0)$ can be used for that purpose since such a point is never on the curve). Assume $P_1, P_2 \neq O$, and $P_1 \neq -P_2$. The sum $P_3 = (x_3, y_3) = P_1 + P_2$ is computed as follows.

If $P_1 \neq P_2$,
$$\lambda = \frac{y_1 + y_2}{x_1 + x_2}, \qquad x_3 = \lambda^2 + \lambda + x_1 + x_2 + a_2, \qquad y_3 = (x_1 + x_3)\lambda + x_3 + y_1.$$
If $P_1 = P_2$,
$$\lambda = x_1 + \frac{y_1}{x_1}, \qquad x_3 = \lambda^2 + \lambda + a_2, \qquad y_3 = (x_1 + x_3)\lambda + x_3 + y_1.$$

In either case, the computation requires one field inversion, two field multiplications, and one squaring operation, or $1I + 2M + 1S$. In the case of characteristic two, the cost of a squaring, denoted by $S$, is much lower than that of a general multiplication. Therefore, squarings are counted separately, and in fact, we will later on neglect their cost completely.
Projective coordinates. As in the case of characteristic $p > 3$, we will use weighted projective coordinates, where a projective point $(X, Y, Z)$, $Z \neq 0$, maps to the affine point $(X/Z^2, Y/Z^3)$. This corresponds to using a weighted projective curve equation of the form
$$Y^2 + XYZ = X^3 + a_2 X^2 Z^2 + a_6 Z^6.$$
Conversion from projective to affine coordinates costs, in this case, $1I + 3M + 1S$. The computation sequences for point addition in this representation are presented in Figures IV.3 and IV.4. They are adapted, as before, from [P1363].

The total cost for general point addition is $15M + 5S$. This is reduced to $14M + 4S$ when $a_2 = 0$, which accounts for one of the two isomorphism classes of non-supersingular elliptic curves over $\mathbb{F}_{2^n}$ (for a given $a_6$ the two classes are distinguished by the trace of $a_2$, and the trace-zero class can be taken to have $a_2 = 0$). The mixed-addition case where $Z_1 = 1$ costs, in the case of characteristic two, $11M + 4S$ ($10M + 3S$ when $a_2 = 0$). As in the odd characteristic case, the condition $P_1 = \pm P_2$ is equivalent to $\lambda_3 = 0$, and then $P_1 = P_2$ is equivalent to $\lambda_6 = 0$. The detection of the conditions $P_1 = \pm P_2$ is similar to the odd characteristic case. The point doubling routine is shown in Figure IV.4, where the field element $d_6$ is defined as $d_6 = \sqrt[4]{a_6} = a_6^{2^{n-2}}$. The point doubling computation costs $5M + 5S$. Notice that, since squaring is much faster than general multiplication in characteristic two, point doubling in projective coordinates is close to three times as fast as general point addition. This is contrasted with the affine case, where both operations are of about the same complexity. The different costs for point addition and doubling in characteristic two are summarized in Table IV.2.

FIGURE IV.3. Point addition in projective coordinates, characteristic 2.

  $\lambda_1 = X_1 Z_2^2$                                          1M + 1S
  $\lambda_2 = X_2 Z_1^2$                                          1M + 1S
  $\lambda_3 = \lambda_1 + \lambda_2$
  $\lambda_4 = Y_1 Z_2^3$                                          2M
  $\lambda_5 = Y_2 Z_1^3$                                          2M
  $\lambda_6 = \lambda_4 + \lambda_5$
  $\lambda_7 = Z_1 \lambda_3$                                      1M
  $\lambda_8 = \lambda_6 X_2 + \lambda_7 Y_2$                      2M
  $Z_3 = \lambda_7 Z_2$                                            1M
  $\lambda_9 = \lambda_6 + Z_3$
  $X_3 = a_2 Z_3^2 + \lambda_6 \lambda_9 + \lambda_3^3$            3M + 2S
  $Y_3 = \lambda_9 X_3 + \lambda_8 \lambda_7^2$                    2M + 1S
  Total                                                            15M + 5S

FIGURE IV.4. Point doubling in projective coordinates, characteristic 2.

  $Z_3 = X_1 Z_1^2$                                  1M + 1S
  $X_3 = (X_1 + d_6 Z_1^2)^4$                        1M + 2S
  $\lambda = Z_3 + X_1^2 + Y_1 Z_1$                  1M + 1S
  $Y_3 = X_1^4 Z_3 + \lambda X_3$                    2M + 1S
  Total                                              5M + 5S

TABLE IV.2. Cost of point addition, characteristic 2.

  Operation                     affine          mixed       projective
  General addition (a2 != 0)    1I + 2M + 1S    11M + 4S    15M + 5S
  General addition (a2 = 0)     1I + 2M + 1S    10M + 3S    14M + 4S
  Doubling                      1I + 2M + 1S    n/a         5M + 5S
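The characteristic-two sequences of Figures IV.3 and IV.4 over $\mathbb{F}_{2^{163}}$, as an added worked example in Python (not code from the book or from [P1363]): a polynomial-basis field, a counter separating $M$, $S$ and $I$, the affine formulae of the previous page, and a check that the projective routines agree with them and cost exactly the entries of Table IV.2. The reduction polynomial and $a_6$ are those of the B-163 curve with $a_2 = 1$ (the $a_6$ value is quoted from memory; any $a_6 \neq 0$ gives a valid curve, so nothing depends on it being exact); the base point is found with a half-trace solver rather than taken from the standard, and that solver, the `Cost` class and the function names are this example's own.

```python
# Added example (not from the book): Figures IV.3 and IV.4 over GF(2^163), counted in
# M (general multiplications), S (squarings) and I (inversions) and checked against
# the affine formulae. POLY and A6 follow B-163 (A6 from memory; any a6 != 0 works),
# a2 = 1; Cost, find_point and the function names are this example's own.
N = 163
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1
A2, A6 = 1, 0x20A601907B8C953CA1481EB10512F78744A3205FD


def gf_mul(x, y):
    """Shift-and-add multiplication in the polynomial basis, reduced modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> N:
            x ^= POLY
    return r

class Cost:
    def __init__(self):
        self.M = self.S = self.I = 0
    def mul(self, x, y):
        self.M += 1
        return gf_mul(x, y)
    def sqr(self, x):
        self.S += 1
        return gf_mul(x, x)
    def inv(self, x):                   # x^(2^N - 2); its internal products are not tallied
        self.I += 1
        r, e = 1, (1 << N) - 2
        while e:
            if e & 1:
                r = gf_mul(r, x)
            x, e = gf_mul(x, x), e >> 1
        return r

D6 = A6
for _ in range(N - 2):                  # d6 = a6^(2^(n-2)), the fourth root of a6
    D6 = gf_mul(D6, D6)

def on_curve(pt):
    x, y = pt
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A2) ^ A6

def affine_add(c, P1, P2):              # P1 != P2, both != O: 1I + 2M + 1S
    (x1, y1), (x2, y2) = P1, P2
    lam = c.mul(y1 ^ y2, c.inv(x1 ^ x2))
    x3 = c.sqr(lam) ^ lam ^ x1 ^ x2 ^ A2
    return x3, c.mul(x1 ^ x3, lam) ^ x3 ^ y1

def affine_double(c, P1):               # 1I + 2M + 1S
    x1, y1 = P1
    lam = x1 ^ c.mul(y1, c.inv(x1))
    x3 = c.sqr(lam) ^ lam ^ A2
    return x3, c.mul(x1 ^ x3, lam) ^ x3 ^ y1

def proj_add(c, P1, P2):
    """Figure IV.3: 15M + 5S in general, 11M + 4S when Z1 = 1 (mixed addition)."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P1, P2
    Z2sq = c.sqr(Z2)
    l1, l4 = c.mul(X1, Z2sq), c.mul(Y1, c.mul(Z2sq, Z2))
    if Z1 == 1:
        l2, l5 = X2, Y2
    else:
        Z1sq = c.sqr(Z1)
        l2, l5 = c.mul(X2, Z1sq), c.mul(Y2, c.mul(Z1sq, Z1))
    l3, l6 = l1 ^ l2, l4 ^ l5
    assert l3, "P1 = +-P2: use proj_double or handle O"
    l7 = l3 if Z1 == 1 else c.mul(Z1, l3)
    l8 = c.mul(l6, X2) ^ c.mul(l7, Y2)
    Z3 = c.mul(l7, Z2)
    l9 = l6 ^ Z3
    l3sq = c.sqr(l3)
    X3 = c.mul(A2, c.sqr(Z3)) ^ c.mul(l6, l9) ^ c.mul(l3sq, l3)   # a2 != 0: a2*Z3^2 is 1M
    Y3 = c.mul(l9, X3) ^ c.mul(l8, c.sqr(l7))
    return X3, Y3, Z3

def proj_double(c, P1):
    """Figure IV.4: 5M + 5S."""
    X1, Y1, Z1 = P1
    Z1sq = c.sqr(Z1)
    Z3 = c.mul(X1, Z1sq)
    X3 = c.sqr(c.sqr(X1 ^ c.mul(D6, Z1sq)))
    X1sq = c.sqr(X1)
    lam = Z3 ^ X1sq ^ c.mul(Y1, Z1)
    return X3, c.mul(c.sqr(X1sq), Z3) ^ c.mul(lam, X3), Z3

def to_affine(c, pt):                   # 1I + 3M + 1S
    X, Y, Z = pt
    zi = c.inv(Z)
    zi2 = c.sqr(zi)
    return c.mul(X, zi2), c.mul(Y, c.mul(zi2, zi))

def trace(x):
    t = x
    for _ in range(N - 1):
        x = gf_mul(x, x)
        t ^= x
    return t

def find_point(x):
    """Point with abscissa x (n odd): y = x*z with z^2 + z = x + a2 + a6/x^2, solved by
    the half-trace sum of c^(4^i), i = 0..(n-1)/2, whenever the trace of c is 0."""
    xinv = Cost().inv(x)
    c = x ^ A2 ^ gf_mul(A6, gf_mul(xinv, xinv))
    if trace(c):
        return None
    z, p = 0, c
    for _ in range((N + 1) // 2):
        z ^= p
        p = gf_mul(gf_mul(p, p), gf_mul(p, p)) if False else gf_mul(p, p)
        p = gf_mul(p, p)
    return x, gf_mul(x, z)

def demo():
    """Finds a base point and returns (P, 2P, 3P) in affine form plus the per-routine counts."""
    x, Pa = 1, None
    while Pa is None:
        x += 1
        Pa = find_point(x)
    counts = {}
    c = Cost(); D = proj_double(c, (Pa[0], Pa[1], 1)); counts["double"] = (c.M, c.S)
    c = Cost(); T = proj_add(c, (Pa[0], Pa[1], 1), D); counts["mixed add"] = (c.M, c.S)
    c = Cost(); proj_add(c, D, T); counts["general add"] = (c.M, c.S)
    c = Cost(); twoP = to_affine(c, D); counts["to affine"] = (c.M, c.S, c.I)
    return Pa, twoP, to_affine(Cost(), T), counts
```

With squarings counted separately the doubling really is $5M + 5S$ against $15M + 5S$ for a general addition, which is the "close to three times as fast" remark above once $S$ is neglected; the same code with $a_2 = 0$ would drop the $a_2 Z_3^2$ product and give the $14M + 4S$ row of Table IV.2.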
IV.2. Point Multiplication

Point multiplication in elliptic curves is a special case of the general problem of exponentiation in abelian groups. As such, it benefits from all the techniques available for the general problem, and the related shortest addition chain problem for integers. The latter is defined as follows. Let $k$ be a positive integer (the input). Starting from the integer 1, and computing at each step the sum of two previous results, what is the least number of steps required to reach $k$?

Efficient algorithms for group exponentiation have received much attention by cryptography researchers in recent years, owing to their central role in public key cryptography (see Chapter I). The interest in the problem, however, is ancient. An excellent technical and historical account of the addition chain problem is given by Knuth [68, Ch. 4], who traces the problem back to 200 BC. The survey by Gordon [48] describes various fast exponentiation methods, including some specialized to elliptic curve groups. Various techniques and algorithms for exponentiation in the context of cryptography are described, in fairly compact but detailed algorithmic form, in [99].

Although general exponentiation methods can be used to compute point multiplication, certain idiosyncrasies of the elliptic curve version of the problem can be taken into account to obtain faster algorithms. First, elliptic curve subtraction has virtually the same cost as addition, so the search space for fast algorithms can be expanded to include addition-subtraction chains and signed representations, which are discussed in Sections IV.2.4 and IV.2.5. Second, in tuning-up algor
ithms, the relative complexities of general point addition and point doubling have to be considered. As we saw in Section IV.1, this relation depends on the coordinate system used, and on the relative complexities of field inversion and multiplication. Third, for certain families of elliptic curves, specific shortcuts are available that can significantly reduce the computational cost of point multiplication. An example of such a family and the associated shortcuts is discussed in Section IV.3.

For the sake of concreteness, when analysing computational complexity in the remainder of the section, we will focus on the case of finite fields of characteristic two. Also, for simplicity, we will neglect the cost of squarings in these fields. The main ideas and the analysis, however, carry over to other finite fields with only minor adjustments.
IV.2.1. The binary method. The simplest (and oldest) efficient method for point multiplication relies on the binary expansion of $k$.

ALGORITHM IV.1: Point Multiplication: Binary Method.
INPUT: A point $P$, an $\ell$-bit integer $k = \sum_{j=0}^{\ell-1} k_j 2^j$, $k_j \in \{0, 1\}$.
OUTPUT: $Q = [k]P$.
1. $Q \leftarrow O$.
2. For $j = \ell - 1$ to 0 by $-1$ do:
3.   $Q \leftarrow [2]Q$,
4.   If $k_j = 1$ then $Q \leftarrow Q + P$.
5. Return $Q$.

The binary method requires $\ell - 1$ point doublings and $W - 1$ point additions (operations involving $O$ are not counted), where $\ell$ is the length and $W$ the weight (number of ones) of the binary expansion of $k$. Assuming that on average $W = \ell/2$, that typically $\ell \approx n$, and neglecting $O(1)$ terms, the average number of field operations is $1.5nI + 3nM$ in affine representation, or $10nM$ in projective representation. We assume that $P$ is given initially in affine representation, so Step 4 above involves a mixed addition costing 10M (we also assume $a_2 = 0$).
IV.2.2. The m-ary method. This method uses the $m$-ary expansion of $k$, where $m = 2^r$ for some integer $r \geq 1$. The binary method is a special case corresponding to $r = 1$.

ALGORITHM IV.2: Point Multiplication: m-ary Method.
INPUT: A point $P$, an integer $k = \sum_{j=0}^{d-1} k_j m^j$, $k_j \in \{0, 1, \ldots, m-1\}$.
OUTPUT: $Q = [k]P$.
Precomputation.
1. $P_1 \leftarrow P$.
2. For $i = 2$ to $m - 1$ do $P_i \leftarrow P_{i-1} + P$. (We have $P_i = [i]P$.)
3. $Q \leftarrow O$.
Main loop.
4. For $j = d-1$ to 0 by $-1$ do:
5.   $Q \leftarrow [m]Q$. (This requires $r$ doublings.)
6.   $Q \leftarrow Q + P_{k_j}$.
7. Return $Q$.

It can be readily verified that the algorithm computes $[k]P$, following Horner's rule [61]:
$$[m](\cdots [m]([m]([k_{d-1}]P) + [k_{d-2}]P) + \cdots) + [k_0]P = [k]P.$$

The number of doublings in the main loop of the $m$-ary method is $(d-1)r$ (the first iteration is not counted, as it starts with $Q = O$). Since $d = \lceil \ell/r \rceil$, where $\ell$ is the length of the binary representation of $k$, the number of doublings in the $m$-ary method may be up to $r - 1$ less than the $\ell - 1$ required by the binary method. For typical parameters, this is a rather modest gain. The main savings of the $m$-ary method over the binary method are in the number of general point additions. The doublings in the main loop, however, can be exploited to obtain additional savings: by splitting the $[m]Q$ computation into two stages, we can skip the even multiples of $P$ in the precomputation phase. This leads to an improvement on the $m$-ary method, shown below. For this modification, we assume $r > 1$, otherwise we revert to the original binary method.
ALGORITHM IV.3: Point Multiplication: Modified m-ary Method.
INPUT: A point $P$, an integer $k = \sum_{j=0}^{d-1} k_j m^j$, $k_j \in \{0, 1, \ldots, m-1\}$.
OUTPUT: $Q = [k]P$.
Precomputation.
1. $P_1 \leftarrow P$, $P_2 \leftarrow [2]P$.
2. For $i = 1$ to $(m-2)/2$ do $P_{2i+1} \leftarrow P_{2i-1} + P_2$.
3. $Q \leftarrow O$.
Main loop.
4. For $j = d-1$ to 0 by $-1$ do:
5.   If $k_j \neq 0$ then do:
6.     Let $s_j, h_j$ be such that $k_j = 2^{s_j} h_j$, $h_j$ odd.
7.     $Q \leftarrow [2^{r - s_j}]Q$,
8.     $Q \leftarrow Q + P_{h_j}$.
9.   Else $s_j \leftarrow r$.
10.  $Q \leftarrow [2^{s_j}]Q$.
11. Return $Q$.

It is readily verified that the modified $m$-ary method requires one point doubling and $2^{r-1} - 1$ point additions in the precomputation phase, and at most $n - 1$ point doublings and $d - 1$ point additions in the main loop (to simplify the analysis, we take a pessimistic view, and ignore the fact that about one $m$th of the digits are expected to be zero and require no additions). Ignoring integer constraints for the purpose of estimating complexity, and setting $d = n/r$, the total number of curve operations is estimated at
$$N(n, r) = n + \frac{n}{r} + 2^{r-1} - 2. \qquad \text{(IV.2)}$$
The value of $r$ minimizing $N(n, r)$ satisfies $r = \log_2 n - (2 - o(1))\log_2 \log_2 n$. Substituting in Equation (IV.2) yields
$$N(n, r) = n + (1 + o(1))\frac{n}{\log_2 n},$$
which is asymptotically optimal for a generic addition chain method, due to a lower bound by Erdős [41]. This optimization is appropriate in affine coordinates, where additions and doublings have similar costs.

A slightly different optimization is required if we use projective coordinates. One possibility is to precompute the points $P_2$ and $P_{2i+1}$, $1 \leq i \leq (m-2)/2$, in affine coordinates, and then run the main loop in projective coordinates, using mixed addition for the operation $Q \leftarrow Q + P_{h_j}$ in Algorithm IV.3. The total cost of the point multiplication for the modified $m$-ary method is then estimated at
$$2^{r-1}(2M + I) + 10\left(\frac{n}{r} - 1\right)M + 5(n - 1)M,$$
which can be optimized with respect to $r$ given the ratio $I : M$. A similar expression can be derived for the case where projective coordinates are used throughout.
IV.2.3. Window methods. The $m$-ary scheme can be regarded as a special case of a window method, where bits of the multiplier $k$ are processed in blocks (windows) of length $r$. In the $m$-ary methods of the previous section, the windows are contiguous and in fixed bit positions. A closer scrutiny of the modified method in Algorithm IV.3 reveals an inefficiency, due to the fact that trailing zeros are dropped from $k_j$ (to obtain $h_j$), but new bits are not appended at the higher end, which is still constrained by the fixed $m$-ary digit boundary. Thus, higher values of $h_j$ are less likely, and the array of precomputed points $P_{h_j}$ is underutilized. This inefficiency is remedied in the following method, which processes windows up to length $r$ disregarding fixed digit boundaries, and skips runs of zeros between them. These runs are taken care of by point doublings, which, as we have seen, need to be computed in any case. As before, we assume $r > 1$.

ALGORITHM IV.4: Point Multiplication: Sliding Window Method.
INPUT: A point $P$, an integer $k = \sum_{j=0}^{\ell-1} k_j 2^j$, $k_j \in \{0, 1\}$.
OUTPUT: $Q = [k]P$.
Precomputation.
1. $P_1 \leftarrow P$, $P_2 \leftarrow [2]P$.
2. For $i = 1$ to $2^{r-1} - 1$ do $P_{2i+1} \leftarrow P_{2i-1} + P_2$.
3. $j \leftarrow \ell - 1$, $Q \leftarrow O$.
Main loop.
4. While $j \geq 0$ do:
5.   If $k_j = 0$ then $Q \leftarrow [2]Q$, $j \leftarrow j - 1$.
6.   Else do:
7.     Let $t$ be the least integer such that $j - t + 1 \leq r$ and $k_t = 1$,
8.     $h_j \leftarrow (k_j k_{j-1} \cdots k_t)_2$,
9.     $Q \leftarrow [2^{j-t+1}]Q + P_{h_j}$,
10.    $j \leftarrow t - 1$.
11. Return $Q$.

Using sliding windows has an effect equivalent to using fixed windows one bit larger, but without increasing the precomputation cost. An intuitive explanation of this effect is that the 'white space' of zeros between two consecutive sliding windows has an expected length of one, when we assume that the bits of $k$ are obtained by independent tosses of a fair coin. Therefore, the total number of windows processed (and consequently, the number of general point additions in the main loop) behaves like $\ell/(r+1)$, as opposed to $\ell/r$ for the $m$-ary method. This fact is formally proven in [71]. The computational cost of the sliding window method is estimated at
$$\left(n + \frac{n}{r+1} + 2^{r-1} - 2\right)(2M + I)$$
for affine coordinates, and
$$2^{r-1}(2M + I) + \left(5n + \frac{10n}{r+1} - 15\right)M$$
for projective/mixed coordinates.
IV.2.4. Signed digit representations. As mentioned, subtraction has virtually the same cost as addition in the elliptic curve group. For the canonical curve equations of interest, the group negative of a point $(x, y)$ is $(x, x + y)$ in characteristic two, and $(x, -y)$ in odd characteristic. This leads naturally to point multiplication methods based on addition-subtraction chains, which may reduce the number of curve operations.

Consider integer representations of the form $k = \sum_{j=0}^{\ell} s_j 2^j$, where $s_j \in \{-1, 0, 1\}$. We call this a (binary) signed digit (SD) representation. Clearly, this system includes the binary representation, so all integers $k$, $0 \leq k \leq 2^{\ell+1} - 1$, are included, along with their negatives. But there are $3^{\ell+1}$ possible combinations, so the representation is clearly redundant. For example, the integer 3 can be represented as $(011)_2$ or $(10\bar{1})_2$, where $\bar{1} = -1$. As it turns out, this redundancy can be traded off for a sparsity constraint that results in more efficient point multiplication algorithms. We say that an SD representation is sparse if it has no adjacent non-zero digits, i.e. $s_j s_{j+1} = 0$ for all $j \geq 0$. A sparse SD representation is also called a non-adjacent form (NAF). Several proofs of the following result can be found in the literature, starting with Reitwiesner [131]; see also [28], [87, Ch. 10] and [109].

LEMMA IV.1. Every integer $k$ has a unique NAF. The NAF has the lowest weight among all SD representations of $k$, and it is at most one digit longer than the shortest SD representation of $k$.

The following algorithm computes the NAF of a non-negative integer given in binary representation. The description here follows [109]; other precursors and variants can be found in [131], [93], [6], [87, Ch. 10] and [56] (where the algorithm accepts general SD inputs).

ALGORITHM IV.5: Conversion to NAF.
INPUT: An $\ell$-bit integer $k = \sum_{j=0}^{\ell-1} k_j 2^j$, $k_j \in \{0, 1\}$.
OUTPUT: The NAF $(s_\ell s_{\ell-1} \cdots s_0)$ of $k$.
1. $c_0 \leftarrow 0$.
2. For $j = 0$ to $\ell$ do:
3.   $c_{j+1} \leftarrow \lfloor (k_j + k_{j+1} + c_j)/2 \rfloor$ (assume $k_i = 0$ for $i \geq \ell$),
4.   $s_j \leftarrow k_j + c_j - 2c_{j+1}$.
5. Return $(s_\ell s_{\ell-1} \cdots s_0)$.

NAFs usually have fewer non-zero digits than binary representations. Morain and Olivos show in [109] that the expected weight of an NAF of length $\ell$ is $\ell/3$. The result is also proved in [6], where it is extended to $m$-ary SD representations, which have an expected weight $(m-1)\ell/(m+1)$.

The adaptation of the binary method for point multiplication to NAFs is straightforward: a subtraction is performed in lieu of an addition whenever a negative digit $s_j$ is processed. Assuming an average NAF weight of $n/3$, the computation cost is $\frac{4}{3}n(2M + I)$ for affine coordinates, and $\frac{25}{3}nM$ for projective coordinates.

Clearly, fixed window and sliding window methods can be implemented for NAFs. The maximum possible absolute value of a NAF window of size $r$ is $W_r = \frac{1}{3}(2^{r+1} - 1)$ for $r$ odd, and $W_r = \frac{1}{3}(2^{r+1} - 2)$ for $r$ even, given by the binary combinations $(1010 \ldots 101)$ and $(1010 \ldots 010)$ respectively. In the precomputation step, we need to compute and store points of the form $[i]P$, for $i = 2$ and all odd values of $i$, $3 \leq i \leq W_r$ (it is easily verified that $W_r$ has the same parity as $r$). Thus, the number of point operations in the precomputation step is $\frac{1}{3}(2^r - (-1)^r)$. To estimate the expected number of point additions in the main loop of an NAF sliding window scheme, we consider the binary sequence obtained by taking the absolute values of the digits in the NAF. It follows from the results of [109] and [6] that such a sequence can be modelled by a Markov chain with transition probabilities $P(0|0) = P(1|0) = \frac{1}{2}$, $P(0|1) = 1$, $P(1|1) = 0$, where $P(a|b)$ denotes the probability of observing a symbol $a$ immediately following a symbol $b$ (we assume, as before, that the original integer $k$ is drawn with uniform probability). Elementary analysis [42] of this transition matrix yields the expected length of a run of zeros between windows, which is given by a function
$$\nu(r) = \frac{4}{3} - \frac{(-1)^r}{3 \cdot 2^{r-2}}. \qquad \text{(IV.3)}$$
Therefore, the expected number of point operations in an NAF sliding window scheme is estimated at
$$n + \frac{n+1}{r + \nu(r)} + \frac{2^r - (-1)^r}{3} - 2. \qquad \text{(IV.4)}$$
A similar scheme, which uses a non-sparse SD representation, is analysed in [69]. The scheme produces SD representations of lower expected weights, but requires more precomputation, yielding what appears to be a slightly inferior trade off.

IV.2.5. Atradesigned
ymptotic off m-ary
can be sliding window method. A slightly better as­
obtained by using a signed m-ary scheme that is a
wenatural
tion have extension
found no of the sliding
reference to window
this method
specific scheme ofinSection
the
to combine m-ary and signed methods appears in the closing remarks
IV. 2 . 3 . Although
literature, a sugges­
of [109].
Indigitthissetmethod, we use a non-redundant signed m-ary representation, i. e . ,
our is B = {-2r - 1 +1, . . . , -1, 0, 1, . . . , 2r- l } with windows of size
up to r. We decompose dthe positive multiplier k as
-1
k = L bi 2ei , bi E B \ {O}, ei E Z2:o, (IV. 5)
i=O
where
(IV. 6)
Such a decomposition is
on the binary representation of k. obtained by the following algorithm, which operates
ALGORITHM IV.6: Signed m-ary Window Decomposition
.
INPUT : An integer k = l:j£ =O kj21, kj E {0, 1} , kl = 0 .
OUTPUT : A sequence of pairs {(bi , e i)} f==-t .
1. d +-- 0 , j +-- 0 .
2 . While j ::=; do :
3.
£
If kj = 0 then j +-- j + 1 .
4. Else do :
5. t +-- {R j + r - 1} , hd +-- (ktkt- 1 · · · kj h ·
min ,
6. If hd > 2r - l then do :
7· bd +-- hd - 2r ,
8. increment the number (k£ k£- l · · · kt+ i h by 1.
9. Else bd +-- hd .
10. ed +-- j , d +-- d + 1 , j +-- t + 1 .
11. Return the sequence (b0 , e 0 ), (b 1 , e l ), . . . , (bd- 1 , ed- 1 ) .

Noticeandthatas ittheprogresses,
left, algorithmitscans
may themodify
bits (ofinkStep
from8)right ( least significant ) to
portions of the sequence
{ kj} that have not been processed yet. The correctness of the algorithm is
verified inductively by assertingd the condition
-1 £
k = z= bi 2ei + z= kj,2j' (IV. 7)
i=O j' =j
each time the loop condition in Step 2 is checked. Since the loop terminates
with j £, the second term of the sum in Equation (IV. 7) vanishes, giving
>
70 IV. EFFICIENT IMPLEMENTATION OF ELLIPTIC CURVES

the desiredbeing
servation decomposition
that when ofthek.condition
The proofinisStepstraightforward,
6 holds, Step the7 subtracts
only key2Hr
ob­
from
must theholdsumin thisin Equation
case. Notice(IV.also
7) andthat,Stepby 8construction,
adds it back,allsince t = j+r-1
bi produced are
odd, and bdthe- l point
must multiplication k 0. Once the sequence { (bi , e i ) } f�t is
be positive whenalgorithm >
obtained, is a straightforward
of the sliding window method. We assume r 1, and d � 1 (i.e . , k 0) .
>
modification
>

ALGORITHM IV.7: Point Multiplication: Signed m-ary Windows.


INPUT : A po int , P , and {(bi , ei )} f�t such that k = l:f�t bi 2ei .
OUTPUT : Q = [k] P .
Precomputation.
1. P1 +-- P , P2 +-- [2] P .
2. For i = to 2r- 2 - l do P2i+i +-- P2i - l
1 + P2 .
3. Q +-- Pbd - 1 ·
Main loop.
4.
5.
For i = d-2 to 0 by -1 do :
Q +-- [2 ei+ 1 -ei ]Q .
6. If bi 0 then Q +-- Q + Pbi ,
>
7. Else Q +-- Q - P_b i·
8. Q +-- [2 eo]Q .
9. Return Q .

Using
Section anIV.analysis
2 . 3 , we similar
can to thattheof expected
estimate the unsigned slidingof general
number windowpointschemeaddi­of
tions in the main and
ofhere,independence loopuniform
of Algorithm IV. 7 at of(n+l)/(r+l)-1.
distribution the bits The assumption
kj is more questionable
introduce sinceathecertain modification
degree of dependency.
of the sequence inHowever, Step 8 oftheAlgorithm
deviation IV.is6mini­
does
mal,much
not and the
worse assumption,
than the with respect
original assumption to actual
of values
the input usedsequence
in practice,
kj being
is
uniformly
inmethod. distributed. phase
the precomputation On theis other hand, the number of point operations
2r - 2 , i. e . , about a half that of the unsigned
Thus, the expected total number of point operations is estimated at
n+ --n+ l + 2r-2 - 2. ( IV. 8 )
r+l
Comparing
window this expression with the corresponding one
method in Equation (IV.4), we observe that the expression in Equa­ for the NAF sliding
tion ( IV. 8 ) offers a trade off with more operations in the main loop (since
v(r) 1), but fewer operations in the precomputation phase. To bring the
>
IV. 2 . POINT MULTIPLICATION 71

trade offs to a common comparison basis, we define r ' so that 2r -2 = � 2r' ,


i.e. r' = r - (2 - log2 3). Then, Equation (IV.8)' can be rewritten as
n + r' + n3 +- log1 + -2r - 2. (IV. 9)
2 3 3
We
than conclude
the that theNAFsignedmethod
windowed m-arywhenever
window method is asymptotically better
v (r ) 3 - log2 3 1. 4 15. This
< �
holds for all r 3, by the expression for v (r) in Equation (IV.3), which has
>
v (r ) ---+ 4/3 as r ---+ oo. The margin of difference, however, is rather slim, and
fortakenpractical values ofthentwoandschemes
into account, r, once integer constraints and 0(1) terms are
are very close in complexity.
IV.2.6. Example. The following example illustrates the different considerations and trade offs in the choice of a point multiplication algorithm. Assume we need to compute $[k]P$, where
$$k = 741155629426723268099912038573.$$
The binary expansion of $k$, which is one hundred bits long and has weight 53, is given below; the spaces separate the 'windows' processed by the unsigned sliding window method of Section IV.2.3, with $r = 4$, from the runs of zeros between them:

1001 0 1011 0 1011 00 1101 1001 000 101 00 101 0 1011 0 111 00 111 0 1011 0 1001 0 11 00 1101 11 00 1011 00 101 000 1111 1 000 101 0 1101

The number of such windows is 21. Therefore, the total number of curve operations for this method is
$$96 \text{ (doublings)} + 20 \text{ (additions)} + 8 \text{ (precomputation)} = 124.$$
The NAF of $k$ has length 100 and weight 42, and it is given by the following, where $\bar{1} = -1$ and the spaces again separate the windows processed by a sliding window method, applied to the NAF, with $r = 3$:

101 0 1̄01̄ 00 1̄01̄ 0 1̄01 00 1̄01̄ 00 1 000 101 0 101̄ 0 1̄01̄ 00 1̄ 00 1̄01 000 1̄01̄ 0 1̄01 0 101̄ 0 1̄01 00 1̄ 00 1̄01 0 1̄01̄ 00 101 00 1 0000 1̄ 00 101̄ 0 1̄01̄ 0 1

The number of windows is 24. Hence, the total number of curve operations is
$$97 \text{ (doublings)} + 23 \text{ (additions)} + 3 \text{ (precomputation)} = 123.$$
(Curiously, for this value of $k$, the same number of curve operations is obtained with $r = 3, 4, 5$.)

The signed $m$-ary window decomposition of $k$, with $r = 5$, is given by the list of pairs
$$\{(b_i, e_i)\}_{i=0}^{18} = \{(13, 0), (5, 5), (-1, 11), (9, 16), (-7, 21), (-13, 26), (7, 33), (11, 38), (13, 44), (-3, 49), (-3, 54), (-9, 59), (11, 64), (5, 70), (-7, 76), (7, 81), (11, 86), (11, 91), (9, 96)\},$$
satisfying $k = \sum_{i=0}^{18} b_i 2^{e_i}$, as can be readily verified using a suitable symbolic computation package. The total number of curve operations is
$$96 \text{ (doublings)} + 18 \text{ (additions)} + 8 \text{ (precomputation)} = 122.$$
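The recodings of Sections IV.2.3 to IV.2.5 applied to this $k$, as an added worked example in Python (not code from the book): Algorithm IV.5 (conversion to NAF), the window selection of Algorithm IV.4 run on the binary string and on the NAF, Algorithm IV.6 (signed $m$-ary decomposition), and a curve-operation tally that reproduces the totals 124, 123 and 122 above, as well as the 151, 128 and 140 of the binary, modified $m$-ary and binary NAF methods. Digit lists are least significant first; the tally conventions (the first window initializes $Q$, one doubling per remaining digit position, operations involving $O$ not counted) follow the text, while the function names are this example's own.

```python
# Added example (not from the book): scalar recodings of Section IV.2 and the
# curve-operation tallies of the example in IV.2.6. Digit lists are least
# significant first (digits[i] is the coefficient of 2^i). Function names are
# this example's own.
K = 741155629426723268099912038573      # the 100-bit multiplier of Section IV.2.6


def bits(k):
    return [(k >> i) & 1 for i in range(k.bit_length())]


def naf(k):
    """Algorithm IV.5: c_{j+1} = floor((k_j + k_{j+1} + c_j)/2), s_j = k_j + c_j - 2c_{j+1}."""
    b = bits(k) + [0, 0]                # k_i = 0 for i >= l
    s, c = [], 0
    for j in range(len(b) - 1):
        c_next = (b[j] + b[j + 1] + c) // 2
        s.append(b[j] + c - 2 * c_next)
        c = c_next
    while len(s) > 1 and s[-1] == 0:    # drop s_l when the NAF is no longer than k
        s.pop()
    return s


def sliding_windows(digits, r):
    """Window selection of Algorithm IV.4, Steps 5-10, on binary or NAF digits.
    Each window is (value, lowest index t, width j - t + 1)."""
    out, j = [], len(digits) - 1
    while j >= 0:
        if digits[j] == 0:
            j -= 1
            continue
        t = max(0, j - r + 1)           # least t with j - t + 1 <= r and digit_t != 0
        while digits[t] == 0:
            t += 1
        out.append((sum(digits[i] * 2 ** (i - t) for i in range(t, j + 1)), t, j - t + 1))
        j = t - 1
    return out


def signed_mary(k, r):
    """Algorithm IV.6: k = sum b_i 2^e_i with odd b_i in [-2^(r-1)+1, 2^(r-1)]."""
    l = k.bit_length()
    b = bits(k) + [0, 0]                # k_l = 0 absorbs the carry of Step 8
    pairs, j = [], 0
    while j <= l:
        if b[j] == 0:
            j += 1
            continue
        t = min(l, j + r - 1)
        h = sum(b[i] << (i - j) for i in range(j, t + 1))
        if h > 2 ** (r - 1):
            h -= 2 ** r                 # Step 7 ...
            i = t + 1                   # ... and Step 8: add 1 to (k_l ... k_{t+1})
            while b[i] == 1:
                b[i] = 0
                i += 1
            b[i] = 1
        pairs.append((h, j))
        j = t + 1
    return pairs


def window_ops(digits, r, precomp):
    """(doublings, additions, precomputation) of a sliding-window multiplication."""
    w = sliding_windows(digits, r)
    return len(digits) - w[0][2], len(w) - 1, precomp


def modified_mary_ops(k, r):
    """Algorithm IV.3: the top digit 2^s h costs s doublings, every further digit r
    doublings and (if non-zero) one addition; 2^(r-1) operations are precomputed."""
    digits = []
    while k:
        digits.append(k % 2 ** r)
        k >>= r
    top = digits[-1]
    s = (top & -top).bit_length() - 1
    return s + (len(digits) - 1) * r, sum(1 for d in digits if d) - 1, 2 ** (r - 1)


def example_tally(k=K):
    """Total curve operations per method, the 'Curve ops' column of Table IV.3."""
    b, s = bits(k), naf(k)
    pairs = signed_mary(k, 5)
    return {
        "binary": (len(b) - 1) + (sum(b) - 1),
        "modified m-ary r=4": sum(modified_mary_ops(k, 4)),
        "sliding window r=4": sum(window_ops(b, 4, 2 ** 3)),
        "binary NAF": (len(s) - 1) + (sum(map(abs, s)) - 1),
        "windowed NAF r=3": sum(window_ops(s, 3, (2 ** 3 + 1) // 3)),
        "signed m-ary r=5": pairs[-1][1] + (len(pairs) - 1) + 2 ** 3,
    }
```

`signed_mary(K, 5)` returns exactly the nineteen pairs listed above, and the bit-array mutation in Step 8 is visible in it: the carry of the window at $e = 11$ is what turns bit 16 on before the window $(9, 16)$ is read.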
Table IV.3 gives a more detailed analysis of the cost of computing $[k]P$ with the various methods described in this chapter, in terms of field arithmetic operations. As usual, $M$ indicates field multiplications and $I$ field inversions. The table includes two lines for each method listed: in the first line, we assume that affine coordinates are used for all operations, while in the second line we assume that most operations are done in projective coordinates, with precomputations done in affine representation. In the latter case, the tally includes the cost of converting the final result back to affine coordinates. The columns under 'Total cost' give the cost of the computation, in $M$ units, under two different assumptions of the relation between the costs of inversion and multiplication, namely $I = 3M$ and $I = 10M$. In each case, the lowest overall cost is marked with an asterisk.

TABLE IV.3. Cost of point multiplication: an example.

  Method           Coordinates   r     Curve ops   M      I     Total cost   Total cost
                                                                I = 3M       I = 10M
  binary           affine        n/a   151         302    151   755          1812
                   projective    n/a   151         1018   1     1021         1028
  modified m-ary   affine        4     128         256    128   640          1536
                   projective    4     128         739    9     766          829
  sliding window   affine        4     124         248    124   620          1488
                   projective    4     124         699    9     726          789
  binary NAF       affine        n/a   140         280    140   700          1680
                   projective    n/a   140         908    1     911          918
  windowed NAF     affine        3     123         246    123   615          1476
                   projective    3     123         724    4     736          764*
  signed m-ary     affine        5     122         244    122   610*         1464
                   projective    5     122         679    9     706          769

Table IV.3 confirms strongly that affine coordinates are better when the ratio $I : M$ is relatively low, while projective coordinates are better when the ratio is high. The ratio depends on the representations used, and on the computational environment. Examples of situations where the ratio might be high are a software implementation where the basic multiplication routine has been tightly 'hand-coded' in machine language, or a hardware design containing a multiplier but no inverter (recall that one can always realize inversion by means of multiplication). The table also shows signed window methods (NAF and $m$-ary) being superior to unsigned methods.
IV.2.7. Multiplying a fixed point. In some applications (e.g., part of the Diffie–Hellman key exchange protocol), we are required to compute multiples $[k]P$ of a fixed point $P$, known in advance of the computation. In such cases, a significant portion of the cost of point multiplication can be saved by precomputing and storing a table of multiples of $P$ that is used for many values of $k$. For example, for the binary method, the multiples $[2^i]P$, $1 \leq i < \ell$, could be precomputed, eliminating all the doublings in the algorithm. Similar ideas can be used for $m$-ary and window methods. Various techniques for the general problem of fixed-basis exponentiation are described in [48] and [99].
IV.3. Frobenius Expansions

We say we are using a subfield curve when the group of rational points of interest (e.g., for implementing cryptographic protocols) is defined over a field $\mathbb{F}_{q^n}$, $n > 1$, but the coefficients of the curve are in $\mathbb{F}_q$. In this case, the multiplication procedure can be significantly accelerated by using a Frobenius expansion. In characteristic two this is based on ideas to be found in [65], [96], [154] and [111]. The idea also works in odd characteristic [152], where the trick in [154] for Euclidean endomorphism rings is also extended to non-Euclidean rings.

Notice that the concept of subfield curve is a relative one, in that it depends on the set of rational points we want to operate on, rather than on the curve itself. In some sense, all curves over finite fields are subfield curves. Throughout, we let $E$ denote an elliptic curve over the field $\mathbb{F}_q$, which we will implicitly assume to be small. For example, one can think of $q$ as being less than 100. The extension $\mathbb{F}_{q^n}$ over which rational points are taken, on the other hand, is assumed to be large (a commonly used example is $q = 32$, $n = 31$ for rational points in $\mathbb{F}_{2^{155}}$).

We recall from Chapter III the $q$th-power Frobenius endomorphism,
$$\varphi : E(\overline{\mathbb{F}}_q) \to E(\overline{\mathbb{F}}_q), \qquad (x, y) \mapsto (x^q, y^q), \qquad O \mapsto O,$$
which satisfies the equation
$$\varphi^2 - [t]\varphi + [q] = [0],$$
where $t = q + 1 - \#E(\mathbb{F}_q)$. By Hasse's Theorem we know that $|t| \leq 2\sqrt{q}$. Owing to the results in [98] and Chapter V, we shall assume that the curve is not supersingular, so the characteristic $p$ does not divide the trace of Frobenius, $t$.

We can expand the multiplication map as a polynomial in $\varphi$, with 'small' coefficients and of bounded degree. As $\varphi$ is easy to evaluate this greatly speeds up the multiplication operation. This is particularly noticeable if $\mathbb{F}_{q^n}$ is represented by a normal basis over $\mathbb{F}_q$. In such a situation evaluation of $\varphi$ in $\mathbb{F}_{q^n}$ is just a cyclic shift of the coefficients (over $\mathbb{F}_q$) of each point coordinate. For the rest of this chapter we justify this method and give explicit estimates on the size of such a Frobenius expansion.
To eliminate a few problem cases assume that $(q, t) \neq (5, \pm 4)$ or $(7, \pm 5)$ and $q \geq 4$. Such a restriction can be eliminated if some of the statements below are made more general. The method makes use of the fact that $\mathbb{Z}[\varphi]$ is a subring of $\mathrm{End}_{\mathbb{F}_q}(E)$ which is in turn isomorphic to a subring of $\mathbb{C}$. We will, when convenient, identify $\varphi$ with its image under this isomorphism, treating it as a complex number satisfying the equation $\varphi^2 - t\varphi + q = 0$. We first show that an arbitrary element of $\mathbb{Z}[\varphi]$ can be trivially divided by $\varphi$ to obtain a relatively small remainder.

LEMMA IV.2. Let $S \in \mathbb{Z}[\varphi]$. Then there exist a unique integer $R \in \{-\lceil q/2 \rceil + 1, \ldots, \lfloor q/2 \rfloor\}$ and a unique element $Q \in \mathbb{Z}[\varphi]$ such that
$$S = Q\varphi + R.$$
PROOF. Write $S = a + b\varphi$, with $a, b \in \mathbb{Z}$. Now write $a = Q'q + R$, with $Q' \in \mathbb{Z}$ and $R$ in the desired range, and recall that $q = t\varphi - \varphi^2$. Then,
$$Q = b + Q't - Q'\varphi. \qquad \square$$

The norm of an element $S = a + b\varphi \in \mathbb{Z}[\varphi]$ is defined to be
$$N_{\mathbb{Z}[\varphi]/\mathbb{Z}}(a + b\varphi) = a^2 + abt + b^2 q.$$
We now show that an element in $\mathbb{Z}[\varphi]$ of small norm must have an expansion in $\varphi$ which is short.

LEMMA IV.3. Let $S \in \mathbb{Z}[\varphi]$ be such that
$$N_{\mathbb{Z}[\varphi]/\mathbb{Z}}(S) \leq \begin{cases} (\sqrt{q} + 1)^2, & q \text{ even}, \\ (\sqrt{q} + 2)^2/4, & q \text{ odd}. \end{cases}$$
Then we can write
$$S = \sum_{i=0}^{3} a_i \varphi^i$$
with $a_i \in \{-\lceil q/2 \rceil + 1, \ldots, \lfloor q/2 \rfloor\}$.
PROOF. For a proof see [111] and [152]. $\square$

We can now show that the Frobenius expansions exist and are of logarithmic length.

THEOREM IV.4. Let $S \in \mathbb{Z}[\varphi]$. Then, we can write
$$S = \sum_{i=0}^{k} r_i \varphi^i$$
with $r_i \in \{-\lceil q/2 \rceil + 1, \ldots, \lfloor q/2 \rfloor\}$ and $k \leq \lceil 2\log_q 2\|S\| \rceil + 3$, where $\|\cdot\| = \sqrt{N_{\mathbb{Z}[\varphi]/\mathbb{Z}}(\cdot)}$.

IV.3. FROBENIUS EXPANSIONS 75

PROOF. From Lemma IV.2 we can obtain an expansion of the form
$$S = S_0 = S_1\varphi + r_0 = (S_2\varphi + r_1)\varphi + r_0 = \cdots = \sum_{i=0}^{j} r_i \varphi^i + S_{j+1}\varphi^{j+1}.$$
Using the triangle inequality, the multiplicativity of the norm, $\|\varphi\| = \sqrt{q}$ and $\sum_{l \geq 1} q^{-l/2} = 1/(\sqrt{q} - 1)$, we see the following:
(i) $q$ even (the last step uses $q \geq 4$),
$$\|S_{i+1}\| \leq \frac{\|S_i\| + |r_i|}{\|\varphi\|} \leq \frac{\|S_i\| + q/2}{\sqrt{q}} \leq \frac{\|S_0\|}{q^{(i+1)/2}} + \frac{q}{2}\sum_{l=1}^{i+1} q^{-l/2} \leq \frac{\|S_0\|}{q^{(i+1)/2}} + \sqrt{q}.$$
(ii) $q$ odd,
$$\|S_{i+1}\| \leq \frac{\|S_i\| + |r_i|}{\|\varphi\|} \leq \frac{\|S_i\| + (q-1)/2}{\sqrt{q}} \leq \frac{\|S_0\|}{q^{(i+1)/2}} + \frac{q-1}{2}\sum_{l=1}^{i+1} q^{-l/2} \leq \frac{\|S_0\|}{q^{(i+1)/2}} + \frac{\sqrt{q} + 1}{2}.$$
In both cases, if $j \geq \lceil 2\log_q 2\|S_0\| \rceil - 1$ then
$$\frac{\|S_0\|}{q^{(j+1)/2}} \leq \frac{1}{2}.$$
Hence
$$N_{\mathbb{Z}[\varphi]/\mathbb{Z}}(S_{j+1}) \leq \begin{cases} (\sqrt{q} + 1)^2, & q \text{ even}, \\ (\sqrt{q} + 2)^2/4, & q \text{ odd}, \end{cases}$$
and so by Lemma IV.3 we know that $S_{j+1}$ has a Frobenius expansion of length at most 4. $\square$

To use this to implement multiplication by $m$ on the elliptic curve, first consider $m$ as an element of $\mathbb{Z}[\varphi]$ and compute its Frobenius expansion,
$$m = \sum_{i=0}^{k} r_i \varphi^i,$$
where $k \leq \lceil 2\log_q 2m \rceil + 3$. The points $[m]P$ for $P \in E(\mathbb{F}_{q^n})$ can then be computed using Horner's method:
$$[m]P = \sum_{i=0}^{k} [r_i]\varphi^i(P) = \varphi(\cdots\varphi([r_k]\varphi(P) + [r_{k-1}]P) + \cdots + [r_1]P) + [r_0]P.$$
Note at each stage of the expansion an element of the form $[r]P$, where $|r| \leq \lfloor q/2 \rfloor$, is added. To speed up this step a table of such multiples could be precomputed. This would be particularly useful if many multiplications of the same point were required.
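The expansion and its Horner evaluation carried out in code, as an added example that is not part of the book: the repeated division of Lemma IV.2 is applied to an integer $m$, the digit range and the length bound $k \leq \lceil 2\log_q 2m \rceil + 3$ are checked, and the digits are re-evaluated by Horner's rule inside $\mathbb{Z}[\varphi]$ itself (the same order in which $[m]P$ would be evaluated on the curve, but without any curve arithmetic). The parameters $q = 5$, $t = 2$, the sample values of $m$ and the function names are assumptions chosen for illustration.

```python
import math

# Added example (not from the book): Frobenius expansion of an integer m in Z[phi],
# where phi^2 - t*phi + q = 0, by the repeated division of Lemma IV.2.
# Elements of Z[phi] are pairs (a, b) standing for a + b*phi.
# q = 5, t = 2 are constructed parameters (a prime field size, |t| <= 2 sqrt(q)).

def signed_residue(a, q):
    """a = Q'*q + R with R in {-ceil(q/2)+1, ..., floor(q/2)}."""
    r = a % q
    if r > q // 2:
        r -= q
    return (a - r) // q, r

def divide_by_phi(S, q, t):
    """Lemma IV.2: S = Q*phi + R.  With a = Q'q + R and q = t*phi - phi^2,
    a + b*phi = Q'(t*phi - phi^2) + R + b*phi = ((b + Q't) - Q'*phi)*phi + R."""
    a, b = S
    qq, r = signed_residue(a, q)
    return (b + qq * t, -qq), r

def frobenius_expansion(m, q, t, max_digits=10_000):
    """Digits r_0, ..., r_k with m = sum_i r_i phi^i and |r_i| <= floor(q/2)."""
    S, digits = (m, 0), []
    while S != (0, 0):
        if len(digits) >= max_digits:            # guard: the proof only bounds the length
            raise RuntimeError("division did not terminate")
        S, r = divide_by_phi(S, q, t)
        digits.append(r)
    return digits

def mul(x, y, q, t):
    """(a + b phi)(c + d phi) in Z[phi], using phi^2 = t phi - q."""
    a, b = x
    c, d = y
    return (a * c - b * d * q, a * d + b * c + b * d * t)

def horner(digits, q, t):
    """Evaluate sum r_i phi^i from the top digit down, the order in which
    [m]P = phi(...phi([r_k]phi(P) + [r_{k-1}]P) + ...) + [r_0]P is evaluated."""
    acc = (0, 0)
    for r in reversed(digits):
        acc = mul(acc, (0, 1), q, t)              # multiply by phi
        acc = (acc[0] + r, acc[1])                # add the digit r_i
    return acc

def norm(S, q, t):
    """N(a + b phi) = a^2 + abt + b^2 q."""
    a, b = S
    return a * a + a * b * t + b * b * q

def length_bound(m, q):
    """The bound of this section: k <= ceil(2 log_q 2m) + 3."""
    return math.ceil(2 * math.log(2 * m, q)) + 3

if __name__ == "__main__":
    q, t = 5, 2
    for m in (3, 1000, 2 ** 20):
        d = frobenius_expansion(m, q, t)
        assert horner(d, q, t) == (m, 0)
        print(m, "->", d, "k =", len(d) - 1, "bound =", length_bound(m, q))
```

For $q = 5$ the quotient step shrinks $\|S\|$ whenever $\|S\| > 2/(\sqrt{5} - 1)$, so the loop always reaches $0$; for other $(q, t)$ the iteration guard reports the rare small-norm cycles instead of looping forever.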
The length of the Frobenius expansion can be reduced by nearly a half using a trick of Solinas [154]. To explain this a small generalization of the notion of Euclidean domains is required:

DEFINITION IV.5. Let $\lambda$ be a positive real number, let $A$ denote a commutative ring, and suppose that there exists a multiplicative function
$$\Psi : A \setminus \{0\} \longrightarrow \mathbb{N}.$$
The ring will be called $\lambda$-Euclidean if for all $a, b \in A$, with $b \neq 0$, we can find $q, r \in A$ with
$$a = bq + r$$
such that either $r = 0$ or $\Psi(r) < \lambda\Psi(b)$.

Such an idea is not new as one can see by looking at the survey article [75]. Suppose $A$ has field of fractions $K$. Then, we can extend $\Psi$ to $K \setminus \{0\}$ in the obvious way. We then have

LEMMA IV.6. The ring $A$ will be $\lambda$-Euclidean if for all $x \in K$ we can find a $y \in A$ such that
$$\Psi(x - y) < \lambda.$$

The main result on $\lambda$-Euclidean rings that will be used is the following.

THEOREM IV.7. Suppose $\varphi^2 - t\varphi + q = 0$. Then, $\mathbb{Z}[\varphi]$ is $\lambda$-Euclidean for some $\lambda$ such that $0 < \lambda \leq (9 + 4q)/4$.

The proof of the theorem is straightforward (see [152]). This result is used to reduce the length of the Frobenius expansion by around 50%. Consider $m$, the integer we wish to multiply $P$ by, as being an element of $\mathbb{Z}[\varphi]$. As such, the norm of $m$ will be equal to $m^2$, which is of order approximately $q^{2n}$. However, for points $P \in E(\mathbb{F}_{q^n})$ we have the identity
$$\varphi^n P = P.$$
So $m$ can be 'divided' by $\varphi^n - 1$ to obtain a remainder $r$ with
$$N_{\mathbb{Q}[\varphi]/\mathbb{Q}}(r) < \lambda N_{\mathbb{Q}[\varphi]/\mathbb{Q}}(\varphi^n - 1) \leq \frac{9 + 4q}{4} N_{\mathbb{Q}[\varphi]/\mathbb{Q}}(\varphi^n - 1) \approx q^{n+1}.$$
Hence, multiplication by $m$ can be replaced by multiplication by $r$. As $r$ has norm roughly $q^{n+1}$, its Frobenius expansion will be nearly half the length of that of $m$. This should provide a 50% improvement in the performance of the algorithm.
IV.4. Point Compression

In cryptographic protocols based on elliptic curves, it is often necessary to store (e.g., in a public key directory) or transmit (e.g., in a Diffie-Hellman key exchange) elliptic curve points. When resources such as storage or bandwidth are at a premium, it is desirable to represent those points using the minimum possible number of bits. This is referred to as point compression.
IV.4. POINT COMPRESSION 77

In a full representation, an affine point $(x, y)$ requires $2n$ bits, where $n$ is the extension degree if working in $\mathbb{F}_{2^n}$, or $n = \lceil \log p \rceil$ if working in $\mathbb{F}_p$. The number of bits is trivially reduced to $n + 1$ by observing that given the $x$-coordinate of a curve point, the elliptic curve equation becomes a quadratic in $y$. Therefore, one bit, used to distinguish between the (at most) two solutions of the quadratic equation, is sufficient to specify $y$. Decompressing a point so specified involves solving the quadratic equation, which can be done using the techniques described in Chapter II.

In the case of $\mathbb{F}_{2^n}$, Seroussi [145] observes that an additional bit can be saved in the case when the curve point has odd order. This is the case in the applications mentioned above, where all the points involved belong to a large subgroup of prime order, over which the ECDLP is defined. The savings derive from the following lemma.

LEMMA IV.8. Let $P = (x, y)$ be a rational point of odd order on the curve
$$E : Y^2 + XY = X^3 + a_2 X^2 + a_6,$$
over $\mathbb{F}_{2^n}$. Then,
$$\mathrm{Tr}_{q|2}(x) = \mathrm{Tr}_{q|2}(a_2). \qquad (\mathrm{IV}.10)$$

PROOF. If $P \in E(\mathbb{F}_{2^n})$ has odd order, then $P = [2]Q$ for some point $Q = (x_1, y_1) \in E(\mathbb{F}_{2^n})$. From the point doubling formula in Section IV.1.2, we have $x = \lambda^2 + \lambda + a_2$, where $\lambda = x_1 + y_1/x_1$. Thus, since $\mathrm{Tr}_{q|2}(\lambda^2) = \mathrm{Tr}_{q|2}(\lambda)$, $\mathrm{Tr}_{q|2}(x) = \mathrm{Tr}_{q|2}(a_2)$. $\square$

Since the parameters of the curve are assumed known by all communicating parties, Equation (IV.10) poses a fixed linear constraint on $x$. It follows that $n - 1$ bits are sufficient to specify $x$, and $n$ bits are sufficient to fully specify a point in the subgroup of interest. One might ask if it is possible to represent a point with fewer than $n$ bits. For some values of $n$, and a system designed to support all possible values of $a_2$ and $a_6$, $n$ bits are indeed necessary, as we now show. By Hasse's Theorem, the order of the group falls in the range $2^n + 1 - 2\sqrt{2^n} \leq \#E(\mathbb{F}_{2^n}) \leq 2^n + 1 + 2\sqrt{2^n}$. The order also satisfies $\#E(\mathbb{F}_{2^n}) \equiv 2b \pmod 4$, where $b = 1$ if $\mathrm{Tr}_{q|2}(a_2) = 1$ and $0$ otherwise (see Lemma III.4). Thus, when $\mathrm{Tr}_{q|2}(a_2) = 1$, the size of the largest prime subgroup of $E(\mathbb{F}_{2^n})$ can reach $\#E(\mathbb{F}_{2^n})/2$ and exceed $2^{n-1}$, requiring $n$ bits to specify a subgroup element. This situation arises, for instance, with the curve of Example 12 in Appendix A. The curve is defined over $\mathbb{F}_{2^{131}}$, and its group of rational points is of size $\#E(\mathbb{F}_{2^{131}}) = 2p$, where the prime
$$p = 2^{130} + 11177216739282887043.$$
Similarly, the curves of Examples 14, 16, 18, 21, and 22 in the appendix, defined over $\mathbb{F}_{2^n}$ with $n = 163, 191, 239, 367$, and $401$, respectively, all have groups of rational points with orders of the form $2p$, where (for each respective value of $n$) $p$ is a prime satisfying $p > 2^{n-1}$.
The question of whether an infinite sequence of values of $n$ exists for which such curves can be found is open, and related to the (hard) question of whether there is an infinite sequence of primes in the set
$$\bigcup_{j} \{\, i \mid 2^j + 1 - 2\sqrt{2^j} \leq 2i \leq 2^j + 1 + 2\sqrt{2^j} \,\};$$
see [64] and Section VI.5. When $\mathrm{Tr}_{q|2}(a_2) = 0$, $n - 1$ bits could suffice to represent a subgroup point, as $p \leq \#E(\mathbb{F}_{2^n})/4$ in this case. However, no efficient method to obtain such a representation is known.
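The compression scheme of this section carried out in code, as an added example that is not from the book: arithmetic in a constructed field $\mathbb{F}_{2^7}$ (modulus $x^7 + x + 1$), a constructed curve $Y^2 + XY = X^3 + a_2X^2 + a_6$, and the $n$-bit encoding of a point of the form $[2]Q$, to which the argument of Lemma IV.8 applies exactly as in the proof above. Bit 0 of $x$ is dropped and recovered from $\mathrm{Tr}(x) = \mathrm{Tr}(a_2)$ (the polynomial basis element $1$ has trace $1$ because $n$ is odd), and $y$ is recovered from a single bit by solving $z^2 + z = x + a_2 + a_6/x^2$ with the half-trace, which is the Chapter II technique for odd $n$. The field, the curve coefficients and the function names are assumptions.

```python
# Added example (not from the book): point compression over F_{2^n} with the trace
# constraint of Lemma IV.8.  Field elements are N-bit ints in the polynomial basis.
N = 7
MOD = 0b10000011              # x^7 + x + 1, irreducible over F_2 (constructed field)
A2, A6 = 0b0000001, 0b0101011  # E: Y^2 + XY = X^3 + A2 X^2 + A6 (constructed curve)

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:            # reduce modulo the field polynomial
            a ^= MOD
    return r

def gf_sq(a):
    return gf_mul(a, a)

def gf_inv(a):
    """a^(2^N - 2) = a^-1 for a != 0."""
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_sq(a)
        e >>= 1
    return r

def gf_trace(c):
    """Tr(c) = c + c^2 + ... + c^(2^(N-1)), always 0 or 1."""
    t, s = 0, c
    for _ in range(N):
        t ^= s
        s = gf_sq(s)
    return t

def gf_halftrace(c):
    """For N odd, H(c) = sum_{i=0}^{(N-1)/2} c^(4^i) satisfies H^2 + H = c + Tr(c),
    so it solves z^2 + z = c whenever Tr(c) = 0."""
    h, s = 0, c
    for _ in range((N - 1) // 2 + 1):
        h ^= s
        s = gf_sq(gf_sq(s))
    return h

def on_curve(pt):
    x, y = pt
    return gf_sq(y) ^ gf_mul(x, y) == gf_mul(gf_sq(x), x) ^ gf_mul(A2, gf_sq(x)) ^ A6

def double(pt):
    """Doubling formula of Section IV.1.2: lam = x + y/x, x3 = lam^2 + lam + a2."""
    x, y = pt
    lam = x ^ gf_mul(y, gf_inv(x))
    x3 = gf_sq(lam) ^ lam ^ A2
    y3 = gf_sq(x) ^ gf_mul(lam ^ 1, x3)
    return (x3, y3)

def compress(pt):
    """N bits: bits 1..N-1 of x (bit 0 is implied by Tr(x) = Tr(a2)) and, in bit 0 of
    the code word, the low bit of z = y/x, which selects between the two roots z, z+1."""
    x, y = pt
    zbit = gf_mul(y, gf_inv(x)) & 1
    return ((x >> 1) << 1) | zbit

def decompress(code):
    zbit = code & 1
    x = code & ~1                                  # x with bit 0 cleared
    x |= gf_trace(x) ^ gf_trace(A2)                # restore bit 0: Tr(x) must equal Tr(a2)
    c = x ^ A2 ^ gf_mul(A6, gf_sq(gf_inv(x)))      # z^2 + z = x + a2 + a6/x^2
    z = gf_halftrace(c)
    if (z & 1) != zbit:
        z ^= 1                                     # take the other root
    return (x, gf_mul(x, z))

def sample_doubled_point():
    """The first affine point found, doubled: a point of 2E(F_{2^N}) with x != 0."""
    for x in range(2, 1 << N):
        c = x ^ A2 ^ gf_mul(A6, gf_sq(gf_inv(x)))
        if gf_trace(c) == 0:                       # x is the x-coordinate of a curve point
            pt = double((x, gf_mul(x, gf_halftrace(c))))
            if pt[0] != 0:
                return pt

if __name__ == "__main__":
    pt = sample_doubled_point()
    code = compress(pt)
    print(pt, "->", bin(code), "->", decompress(code))
```

Only points whose $x$-coordinate already satisfies the trace constraint round-trip; a code word whose reconstructed $c$ has $\mathrm{Tr}(c) = 1$ has no root, and a real implementation would reject it rather than return a point off the curve.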
CHAPTER V

The Elliptic Curve Discrete Logarithm Problem

Let $E$ be an elliptic curve over some finite field, $\mathbb{F}_q$. In what follows let $n$ denote the order of the group $E(\mathbb{F}_q)$ and let $P$ denote an element of $E(\mathbb{F}_q)$. The elliptic curve discrete logarithm problem (ECDLP) on $E$ is, given $Q \in \langle P \rangle$, find the integer, $m$, such that
$$Q = [m]P.$$
There are a number of ways of approaching the solution to this problem. The first two listed below depend on the fact that the group of interest is the group of points of an elliptic curve, or a prime order subgroup. These approaches correspond to the MOV and anomalous attacks respectively, referred to in Chapter III and discussed in Sections V.2 and V.3. The final two approaches do not make any explicit assumption about the underlying group. Methods like the final two are often referred to as being applicable to 'black box groups', and in some sense are the best possible for that class of groups [146]. Complexity will be measured in terms of the number of basic group operations, comparisons etc. which need to be performed rather than the bit complexity.

The methods to be covered in this chapter are:

1. Using a Weil pairing on $E[n]$, there is a polynomial time reduction, in terms of the number of operations in $\mathbb{F}_{q^l}$, of the ECDLP on $E(\mathbb{F}_q)$ to the DLP in $\mathbb{F}_{q^l}$, for some integer $l$ (see [98] and [44]). The integer $l$ that is required is the smallest such that $q^l \equiv 1 \pmod n$, when $\gcd(n, q) = 1$. This is the MOV attack.

2. Suppose now that $q$ is a prime. For anomalous elliptic curves (trace of Frobenius $t = 1$, and $n = q$), by using the $q$-adic elliptic logarithm one can give a linear time method to solve the ECDLP (see [153] and [136]). This method is related to another linear time method of Semaev [143] to solve the ECDLP in the $q$-primary part of the subgroup generated by $P$. Anomalous curves had been proposed for use by Miyaji [104] as they are particularly able to resist the MOV attack.

3. The BSGS method of Shanks is a standard time/memory trade off and can be used to solve the DLP in any finite abelian group. This method has space and time complexity given by $O(\sqrt{n})$.

4. Using random walks one can reduce the space to a constant amount and still maintain a time complexity of $O(\sqrt{n})$. This is done using
80 V. THE ELLIPTIC CURVE DISCRETE LOGARITHM PROBLEM

one of two strategies, both due to Pollard, called the rho and lambda methods. The second of these is often referred to as the method of tame and wild kangaroos. Another advantage of the random walks method is that it can be efficiently parallelized [116].
It should be noted that none of the attacks listed above will be effective for a carefully chosen elliptic curve. To avoid the MOV attack it is important to choose an elliptic curve group order that does not divide $q^l - 1$ for small values of $l$ (this is quantified in Section V.7). It will be observed in Section V.2 that it is not possible to do this for supersingular curves, which is the reason that they are not considered for cryptographic applications. Anomalous curves are a very small class of curves, and are avoided because of the second attack mentioned. The last two listed attacks are quite general but have complexities on the order of $\sqrt{n}$. They become infeasible when the curve order is sufficiently large.

Before discussing these methods we reduce the problem to one of prime order subgroups. Throughout the rest of the chapter, we use additive notation for the elliptic curve group $G$, although some of the methods described apply to general finite abelian groups.
V.1. The Simplification of Pohlig and Hellman

Pohlig and Hellman [124] noticed that to solve the DLP in a finite abelian group $G$ one need only solve the DLP in subgroups of prime power order in $G$. The original DLP is then solved by appealing to the Chinese Remainder Theorem (CRT). In addition, the problem can be reduced to the case of prime order subgroups, as will now be shown. An obvious consequence of this fact is that to maintain security of a system based on the DLP, the order of $G$ should contain a large prime divisor. Here, by 'large' we mean large enough to preclude solving a DLP in the prime order subgroup.

Let $G$ have order divisible by a prime $p$ and suppose we wish to solve the following DLP:
$$Q = [m]P.$$
If $G$ has order $n$, then the problem can be restricted to a subgroup of order $p$ by solving
$$Q' = [n']Q = [m_0]([n']P) = [m_0]P'$$
where $n' = n/p$, so that $P'$ is a point of order $p$, and $p^c$ is the largest power of $p$ dividing $n$. Solving this problem will determine the value, $m_0$, of $m$ modulo $p$.

The values of $m$ modulo $p^2, p^3, \ldots, p^c$ are then computed in the following way. Suppose $m \equiv m_i \pmod{p^i}$ is known and $m = m_i + \lambda p^i$ for some integer $\lambda \in \mathbb{Z}$. Then
V.1. THE SIMPLIFICATION OF POHLIG AND HELLMAN 81

where $R$ and $S$ are known and $S$ has order $s = n/p^i$. The value of $\lambda \pmod p$ can be determined just as $m \pmod p$ was found above. Let $s' = s/p$. Then, $\lambda \pmod p$ is obtained by solving the DLP
$$R' = [s']R = [\lambda_0]([s']S) = [\lambda_0]S',$$
where $S'$ is a point of order $p$. Continuing in this manner, by solving DLPs in subgroups of order $p$, we eventually determine $m$ modulo $p^c$. After computing $m$ modulo $p^c$ for all prime divisors $p$ of $n$, the true solution, $m$, to the original DLP can be obtained using the CRT.
V.1.1. Example. As an example of this method consider the elliptic curve
$$E : Y^2 = X^3 + 71X + 602$$
over the finite field $\mathbb{F}_{1009}$. The group order of $E(\mathbb{F}_{1009})$ is $1060$, which is $2^2 \cdot 5 \cdot 53$. Suppose the two points
$$P = (1, 237) \quad \text{and} \quad Q = (190, 271)$$
are given and the solution to the ECDLP
$$Q = [m]P$$
is required. First notice that $P$ has order $530 = 2 \cdot 5 \cdot 53$ in the group $E(\mathbb{F}_{1009})$. Hence by the above reduction of Pohlig and Hellman, the computation of $m$ can be reduced to the computation of $m$ modulo $2$, $5$ and $53$.

The solution modulo 2. By the above method we need to multiply $P$ and $Q$ by $530/2 = 265$ to obtain points of order $2$. The ECDLP in the subgroup of order $2$ can then be solved and hence $m$ modulo $2$ deduced. It is found that
$$P_2 = [265]P = (50, 0),$$
$$Q_2 = [265]Q = (50, 0).$$
The ECDLP becomes
$$Q_2 = [m \pmod 2]P_2,$$
and it is deduced that $m \equiv 1 \pmod 2$.

The solution modulo 5. The points are multiplied by $530/5 = 106$, to obtain
$$P_5 = [106]P = (639, 160),$$
$$Q_5 = [106]Q = (639, 849).$$
Hence $Q_5 = -P_5$ and $m \equiv 4 \pmod 5$.
The solution modulo 53. The points are multiplied by $530/53 = 10$ to obtain
$$P_{53} = [10]P = (32, 737) = P',$$
$$Q_{53} = [10]Q = (592, 97) = Q'.$$
Clearly in this example the value of $m \pmod{53}$ could be determined using a brute force search. However, we instead use the ECDLP
$$Q' = [m_0]P'$$
to illustrate the baby step/giant step method and the random walks method in a later section.
V.2. The MOV Attack

We shall now explain the method of Frey and Rück [44] (as described by Voloch [161]) which generalizes the result of Menezes, Okamoto and Vanstone [98] (usually referred to as MOV). The explanation will be dependent on the theory of descents, to make it immediate to those who come from a number-theoretic background in the study of elliptic curves. The description given is rather vague but it makes the main points clear. After skimming over the mathematics we give a more down to earth description of what are the actual steps required. Much of the notation and argument related to descents can be found in [147].
V.2.1. Descent via isogeny. Let $E$ denote an elliptic curve defined over a field $\mathbb{F}_q$ and let $n$ denote a prime number, which is coprime to $q$. Let $\mathbb{F}_{q^l}$ denote the field which is obtained by adjoining the $n$th roots of unity to $\mathbb{F}_q$. Assume an isogeny
$$\phi : E' \longrightarrow E$$
is given, whose kernel has exponent $n$, and the points of the kernel of $\phi$ are defined over $\mathbb{F}_{q^l}$. The standard exact sequence of Galois modules is then

and taking Galois cohomology we find the long exact sequence, setting $G = \mathrm{Gal}(\mathbb{F}_{q^l}/\mathbb{F}_q)$,
$$0 \longrightarrow E'(\mathbb{F}_{q^l})[\phi] \longrightarrow E'(\mathbb{F}_{q^l})$$
$$\longrightarrow H^1(G, E'[\phi]) \longrightarrow H^1(G, E'(\mathbb{F}_{q^l})).$$
The following short exact sequence can be deduced from this, which is the main sequence in the theory of descents for elliptic curves:
V.2. THE MOV ATTACK 83

Now since $E'[\phi] \subset E'(\mathbb{F}_{q^l})$ the action of $G$ on $E'[\phi]$ is trivial and so we have $H^1(G, E'[\phi]) = \mathrm{Hom}(G, E'[\phi])$, the group of homomorphisms from $G$ to $E'[\phi]$. The first non-trivial arrow in the last exact sequence is given by
$$\delta_E : E(\mathbb{F}_{q^l})/\phi E'(\mathbb{F}_{q^l}) \longrightarrow \mathrm{Hom}(G, E'[\phi]), \qquad P \longmapsto (\sigma \mapsto Q^\sigma - Q),$$
where $P \in E(\mathbb{F}_{q^l})$ and $Q \in E'(\overline{\mathbb{F}}_{q^l})$ is chosen so that $\phi(Q) = P$. Since $\mathbb{F}_{q^l}$ contains the group of $n$th roots of unity, denoted by $\mu_n(\mathbb{F}_{q^l})$, by Hilbert's Theorem 90 we have an isomorphism
$$\delta : \mathbb{F}_{q^l}^*/(\mathbb{F}_{q^l}^*)^n \longrightarrow \mathrm{Hom}(G, \mu_n), \qquad b \longmapsto (\sigma \mapsto \beta^\sigma/\beta),$$
where $b \in \mathbb{F}_{q^l}^*$, $\beta \in \overline{\mathbb{F}}_{q^l}$ is chosen so that $\beta^n = b$, and $\mathbb{F}_{q^l}^*/(\mathbb{F}_{q^l}^*)^n$ denotes the quotient group of $\mathbb{F}_{q^l}^*$ modulo the $n$th powers of elements in $\mathbb{F}_{q^l}^*$. Given the above definitions it is then a standard fact that there exists a bilinear pairing, $\kappa$, which is non-degenerate on the left,
$$\kappa : E(\mathbb{F}_{q^l})/\phi E'(\mathbb{F}_{q^l}) \times E[\hat\phi] \longrightarrow \mathbb{F}_{q^l}^*/(\mathbb{F}_{q^l}^*)^n, \qquad (P, T) \longmapsto \delta^{-1}(e_\phi(\delta_E(P), T)),$$
where $e_\phi(R, S)$ is the pairing from Lemma III.13. It follows that
$$\kappa(P, T) = f_T(P) \pmod{(\mathbb{F}_{q^l}^*)^n}$$
for some computable function on the curve, $f_T$, defined over $\mathbb{F}_{q^l}$. The function $f_T(P)$ is computed in much the same way as the Weil pairing is computed (see [147, Theorem X.1.1], [138] and below). For later use note that the groups $\mathbb{F}_{q^l}^*/(\mathbb{F}_{q^l}^*)^n$ and $\mu_n(\mathbb{F}_{q^l})$ are isomorphic via the isomorphism
V.2.2. The reduction. Consider solving the ECDLP
$$Q = [m]P,$$
where $P$ is a point of order $n$ in $E(\mathbb{F}_q)$. By the simplification of Pohlig and Hellman we can assume that $n$ is prime. Choose $l$ as before to be the minimal integer such that $\mathbb{F}_{q^l}$ contains the $n$th roots of unity,
$$q^l \equiv 1 \pmod n.$$
For supersingular curves over prime fields we have $n = p + 1$, therefore in particular $p^2 = n^2 - 2n + 1 \equiv 1 \pmod n$, and so $l$ can be chosen as $2$. It can be shown [98] for supersingular curves, where $\mathrm{char}(\mathbb{F}_q)$ divides the trace of Frobenius $t$, that $t^2$ can only take on the values $0$, $q$, $2q$, $3q$ and $4q$. Thus, the elliptic curve group orders are restricted to $q + 1 \pm \sqrt{jq}$, $j = 0, 1, 2, 3, 4$, and it is straightforward to verify that these orders divide at least one of the values
$q^l - 1$ for $l \leq 6$. For curves of trace two over prime fields the situation is even worse, since $n = p - 1$ and so $l = 1$.

There are two cases to consider, the first is when $l > 1$ and the second is when $l = 1$. In the following discussion we let $\mathbb{F}_q(E[n])$ denote the field obtained by adjoining the $x$- and $y$-coordinates of all the points of order $n$ of $E$ to the field $\mathbb{F}_q$.

Case $l > 1$. We have $\mathbb{F}_{q^l} = \mathbb{F}_q(E[n])$, by Lemma III.9 and the definition of $l$. If in the above discussion $E = E'$ and $\phi$ is taken to be the multiplication-by-$n$ map, then the pairing
$$\kappa : E(\mathbb{F}_{q^l})/nE(\mathbb{F}_{q^l}) \times E[n] \longrightarrow \mathbb{F}_{q^l}^*/(\mathbb{F}_{q^l}^*)^n, \qquad (P, T) \longmapsto f_T(P)$$
is obtained. Choosing $T \in E[n] \setminus E(\mathbb{F}_q)$ we obtain that $\psi(f_T(P))$ has exact order $n$ and the map

is an injection. Hence to solve an ECDLP in $\langle P \rangle$ we need only map the problem over to $\mu_n(\mathbb{F}_{q^l})$ and solve it there using one of the known sub-exponential methods. Clearly this will only be of advantage if $l$ is relatively small.

Case $l = 1$. Here it may not be true that $\mathbb{F}_{q^l} = \mathbb{F}_q(E[n])$ and a little more care is needed. By Theorem III.11, there is an elliptic curve $E'$ defined over $\mathbb{F}_q$ and an isogeny
$$\hat\phi : E \longrightarrow E'$$
with kernel $\langle P \rangle$. So in our descent discussion above take $\phi$ to be the dual to $\hat\phi$. By Lemma III.13, since $\mathbb{F}_q$ contains the $n$th roots of unity, the points of the kernel of $\phi$ are also defined over $\mathbb{F}_q$, and hence all the conditions imposed at the beginning of the above discussion hold. The pairing

is thus obtained. Now as $E(\mathbb{F}_q)/\phi E'(\mathbb{F}_q)$ contains a subgroup isomorphic to $\langle P \rangle$, if we choose $T = P$ then $\psi(f_T(P))$ is an element of exact order $n$. This last fact follows from the non-degeneracy of the $\phi$-Weil pairing. The injection

is then obtained, and so we can solve the ECDLP in $\langle P \rangle$ by mapping it over to $\mu_n(\mathbb{F}_q)$.
V.2.3. Description of $f_T(P)$. To construct the map $f_T$ a point $T$ is chosen as above. In practice this is an element of exact order $n$ which lies in $E(\mathbb{F}_{q^l})$. If $l \neq 1$ then we insist that $T$ does not lie in $E(\mathbb{F}_q)$. Constructing such a $T$ can be done by determining a random point, $S \in E(\mathbb{F}_{q^l})$, and then multiplying it by $\#E(\mathbb{F}_{q^l})/n$ to obtain $T$. With high probability we obtain $T \neq O$. However if $T = O$ then this value is rejected and another random point $S$ is chosen. Hence such a point $T$ is easily obtained which is not equal to $O$. Since $n$ is prime, $T$ will have exact order $n$.

A second piece of information is added to $T$ which is initially set to one, hence $T = ((x, y), 1)$. The point $[n]T$ is computed using an addition chain (or binary) method using the following modified addition procedure:

ALGORITHM V.1: Modified Addition Algorithm

INPUT: Two points $(P_1, f_1)$, $(P_2, f_2)$ with $P_i \in E[n]$.
OUTPUT: The sum $(P_3, f_3)$.
1. Set $P_3 \leftarrow P_1 + P_2$ using the usual addition formulae.
2. Let $l(X, Y) = 0$ denote the equation of the line going through the points $P_1$ and $P_2$.
3. Let $v(X, Y) = 0$ denote the equation of the line through $P_3$ and $O$, using the constant $1$ in lieu of $v(X, Y)$ if $P_3 = O$.
4. $f_3 \leftarrow f_1 f_2\, l(X, Y)/v(X, Y)$.
5. Return $(P_3, f_3)$.

Upon computing $[n]T = (O, f_T)$ it follows that $f_T$ is the required function. Clearly there is no need to actually compute the function $f_T$ as a rational function in $\mathbb{F}_{q^l}(X, Y)$, since the above method to evaluate $f_T$ at any point $P = (x, y)$ can be used by substituting the values of $x$ and $y$ for the indeterminates $X$ and $Y$ in the algorithm.
However, this function, $f_T$, is only defined on 'good' divisors. A divisor is good if no element in its support is equal to any of the multiples of $T$ which occur in the addition chain for computing $f_T$. So, for example, a divisor is good if its support is distinct from $\langle T \rangle$. There is an isomorphism of an elliptic curve with its divisor class group which to a point $P$ associates the divisor class containing the divisor
$$(P) - (O). \qquad (\mathrm{V}.1)$$
In the case of curves of the form
$$Y^2 = X^3 + AX + B,$$
a good divisor which is equivalent in the divisor class group to the divisor in Formula (V.1) can be found by finding an $\mathbb{F}_q$-rational point $S$ (which does not need to lie on the curve), and looking at the line which passes through $S$ and $-P$. This line should not pass through any point in $\langle T \rangle$, other than possibly $-P$.
Then let $P_1$ and $P_2$ denote the two other points of intersection of this line with the curve. Let $a$ denote an element in the field, $\mathbb{F}_q$, which is not the $x$-coordinate of a point in $\langle T \rangle$. Define $Q_1 = (a, b)$ and $Q_2 = (a, -b)$ (it does not matter that $b$ is not in $\mathbb{F}_q$ as the set $\{Q_1, Q_2\}$ will be $\mathbb{F}_q$-rational). Then, we have the following representation in the divisor class group:

where the divisor on the right is $\mathbb{F}_q$-rational and has support distinct from $\langle T \rangle$.

Alternatively, we may be able to write
$$(P) - (O) \sim ([a + 1]P) - ([a]P),$$
if $[a + 1]P$ and $[a]P$ do not arise in the definition of $f_T$. This will then be adequate as a good divisor to apply the function $f_T$. This alternative can be used for fields of characteristic two.

Before passing on it should be noted that the papers of Menezes et al. [98] and Frey and Rück [44] contain further improvements and methods related to the above attack. In addition, there is one class of elliptic curves for which the above method cannot be applied over $\mathbb{F}_p$, no matter how large a value of $l$ we take. These are the 'anomalous' curves for which $\#E(\mathbb{F}_p) = p$. To see that no integer $l \geq 1$ exists for these curves we notice that
$$p^l \equiv 0 \not\equiv 1 \pmod p.$$
This was noticed by Miyaji [104], who proposed such curves for use in cryptography for exactly this reason. However, as will be shown in the next section, such curves are very weak but for an entirely different reason.

The MOV attack will first be illustrated with three examples of discrete logarithm problems on elliptic curves over prime fields of odd characteristic. Two examples are for curves of trace two, and one is for a curve of trace zero (and hence supersingular).
V.2.4. Example 1. Consider first the following example. Let $E$ denote the elliptic curve, defined over $\mathbb{F}_{173}$,
$$E : Y^2 = X^3 + 146X + 33,$$
which has trace $2$ and hence order $172$. An element of order $43$ is given by $P = (168, 133)$. The solution of the ECDLP given by $Q = [m]P$, where $Q = (147, 74)$, is required.

Take $T = (168, 133)$, which has order $43$, and write $(P) - (O)$ and $(Q) - (O)$ as the 'good' divisors:
$$(P) - (O) \sim ([10]P) - ([9]P),$$
$$(Q) - (O) \sim ([10]Q) - ([9]Q).$$
Note that none of $[10]P$, $[9]P$, $[10]Q$ and $[9]Q$ appears in the binary algorithm required to multiply $T$ by $43$. Then evaluate $\Psi = \psi \circ f_T$ at these four points and compute
$$\Psi(P) = \frac{\Psi([10]P)}{\Psi([9]P)} = 81,$$
$$\Psi(Q) = \frac{\Psi([10]Q)}{\Psi([9]Q)} = 139.$$
It is then seen that
$$81^{19} \equiv 139 \pmod{173}$$
and it is easily checked that $19$ is a solution to our DLP on the elliptic curve.
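The steps of Example 1 carried out in code, as an added example that is not the book's own program. Algorithm V.1 is run with the line functions evaluated at a fixed point, which gives $f_T(S)$ for any good $S$; the right-to-left binary chain for $43$ only passes through $T, 2T, 3T, 4T, 8T, 11T, 16T, 32T$ and the third intersection points of its lines, so none of $[10]P$, $[9]P$, $[10]Q$, $[9]Q$ lies on a line of the chain; $\psi$ is the $(173 - 1)/43 = 4$th power map onto $\mu_{43} \subset \mathbb{F}_{173}^*$, and the resulting DLP in $\mu_{43}$ is solved by exhaustive search because the group is tiny. The chain, the evaluation convention and the function names are my choices; the curve, the points and the expected values $81$, $139$ and $19$ are the book's.

```python
# Added example (not the book's program): the MOV/Frey-Rueck reduction of Example 1.
p = 173
A, B = 146, 33               # E: Y^2 = X^3 + 146X + 33 over F_173, trace 2, #E = 172
n = 43                       # prime order of P; 173 = 1 (mod 43), so l = 1
l = 1
P, Q = (168, 133), (147, 74)
T = P                        # the l = 1 case of Section V.2.2: take T = P

def miller_add(P1, f1, P2, f2, S):
    """Algorithm V.1 with l(X, Y) and v(X, Y) evaluated at the fixed point S = (X, Y).
    Points are (x, y) tuples and None is O.  With S=None only the point is computed."""
    if P1 is None:
        return P2, f2
    if P2 is None:
        return P1, f1
    x1, y1 = P1
    x2, y2 = P2
    vertical = x1 == x2 and (y1 + y2) % p == 0        # P1 = -P2, so P3 = O
    if vertical:
        P3 = None
    else:
        if P1 == P2:
            lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        P3 = (x3, (lam * (x1 - x3) - y1) % p)
    if S is None:
        return P3, 1
    X, Y = S
    if vertical:
        line, v = (X - x1) % p, 1                      # l is the vertical line; v = 1 as P3 = O
    else:
        line, v = (Y - y1 - lam * (X - x1)) % p, (X - P3[0]) % p
    if line == 0 or v == 0:
        raise ZeroDivisionError("S lies on a line of the chain: (S) is not a good divisor")
    return P3, f1 * f2 * line * pow(v, -1, p) % p

def chain(k, S):
    """Right-to-left binary chain: returns ([k]T, f_k evaluated at S)."""
    acc, facc, D, fD = None, 1, T, 1
    while k:
        if k & 1:
            acc, facc = miller_add(acc, facc, D, fD, S)
        k >>= 1
        if k:
            D, fD = miller_add(D, fD, D, fD, S)
    return acc, facc

def ec_mul(k, R):
    """Plain scalar multiple [k]R, from the same chain with the function part ignored."""
    acc, D = None, R
    while k:
        if k & 1:
            acc, _ = miller_add(acc, 1, D, 1, None)
        k >>= 1
        if k:
            D, _ = miller_add(D, 1, D, 1, None)
    return acc

def f_T(S):
    """f_T(S): the function part of [n]T = (O, f_T)."""
    O, value = chain(n, S)
    assert O is None
    return value

def psi(x):
    """psi: F*_{q^l}/(F*_{q^l})^n -> mu_n, here x -> x^((q^l - 1)/n) = x^4."""
    return pow(x, (p ** l - 1) // n, p)

def Psi(R):
    """Psi(R) = psi(f_T(D)) for the good divisor D = ([10]R) - ([9]R) ~ (R) - (O)."""
    return psi(f_T(ec_mul(10, R)) * pow(f_T(ec_mul(9, R)), -1, p) % p)

def mov_reduce():
    """Map the ECDLP to mu_43 < F*_173 and solve it there."""
    a, b = Psi(P), Psi(Q)
    m = next(k for k in range(n) if pow(a, k, p) == b)
    return a, b, m

if __name__ == "__main__":
    print(mov_reduce())   # (81, 139, 19)
```

Because $f_T$ is determined by its divisor $43(T) - 43(O)$ up to a constant, and $\Psi$ is evaluated on a degree-zero divisor, the particular normalisation of the lines and the choice of chain do not change the values $81$ and $139$; only the choice of the good divisor does, which is why the same divisors as in the text are used.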
V.2.5. Example 2. We consider the supersingular elliptic curve over $\mathbb{F}_{151}$ defined by
$$E : Y^2 = X^3 + 2X.$$
This curve has order $152$. An element of order $19$ in $E(\mathbb{F}_{151})$ is given by $P = (97, 26)$ and the solution to the DLP given by
$$Q = (43, 4) = [m]P$$
is sought. Notice that $151^2 \equiv 1 \pmod{19}$ and so computations are done in $E(\mathbb{F}_{151^2})$. Set
$$K = \mathbb{F}_{151^2} = \mathbb{F}_{151}[\theta]/(\theta^2 + 31\theta + 70).$$
An element of order $19$ in $E(K) \setminus E(\mathbb{F}_{151})$ is given by
$$T = (115\theta + 142, 141\theta + 86).$$
Since $\langle T \rangle$ has a trivial intersection with $\langle P \rangle$ take $([2]P) - (P)$ and $([2]Q) - (Q)$ to be the good divisors equivalent to $(P) - (O)$ and $(Q) - (O)$. Then compute $\Psi = \psi \circ f_T$ as before, to obtain
$$\Psi(P) = \left(\frac{f_T([2]P)}{f_T(P)}\right)^{1200} = 44\theta + 102 = \alpha,$$
$$\Psi(Q) = \left(\frac{f_T([2]Q)}{f_T(Q)}\right)^{1200} = 9\theta + 100 = \beta.$$
The DLP
$$\beta = \alpha^m$$
can then be solved in $K$ to determine that $m = 10$. Hence the solution to the ECDLP on our elliptic curve is also $10$.
V.2.6. Example 3. This section is concluded with an example which may help illustrate some of the other points above. Take
$$E : Y^2 = X^3 + 16X + 27,$$
over the field $\mathbb{F}_{29}$. This has trace $2$ and hence order $28$. An element of order $7$ is given by $T = (21, 24)$. Compute the function $f_T$ using the algorithm above to find
$$f_T(X, Y) = \frac{19(19Y + 24X + 26)^3(3Y + X + 23)(27Y + 2X + 9)}{(X + 20)^3(X + 17)}.$$
To solve the ECDLP,
$$Q = (9, 1) = [m]P = [m](21, 24),$$
in the group generated by $P$, first express $(P) - (O)$ and $(Q) - (O)$ as good divisors. It is found that we can take
$$(P) - (O) = (P_1) + (P_2) - (R_1) - (R_2),$$
$$(Q) - (O) = (Q_1) + (Q_2) - (R_1) - (R_2),$$
where $P_i = (19 + 7\xi_P, 7 + 22\xi_P)$, $Q_i = (11\xi_Q, 1 + 4\xi_Q)$ and $R_i = (0, \xi_R)$, with $\xi_P^2 = \xi_Q^2 = \xi_R^2 = 27$, and the points $P_2$, $Q_2$ and $R_2$ are the conjugates of $P_1$, $Q_1$ and $R_1$. The expressions $f_P(P)$ and $f_P(Q)$ can then be computed by computing $f_P$ on the points $P_i$, $Q_i$ and $R_i$. We find that $f_P(P) = 21$ and $f_P(Q) = 2$, hence $\Psi(P) = 21^4 \equiv 7 \pmod{29}$ and $\Psi(Q) = 2^4 \equiv 16 \pmod{29}$. Solving the DLP
$$7^m \equiv 16 \pmod{29}$$
it is found that $m = 5$.
V.3. The Anomalous Attack

The attack on 'anomalous' curves which was proposed by Smart [153], and Satoh and Araki [136], is explained. A similar attack has been proposed by Semaev [143] to solve the ECDLP in subgroups of order $p$, where $p$ is the characteristic of the field of definition of the curve. In what follows use is made of the theory of elliptic curves defined over the $p$-adic numbers, $\mathbb{Q}_p$. For those readers unfamiliar with this area the main results are briefly summarized. For full details the reader should consult the book by Silverman [147].

One should think of a $p$-adic number as a formal base $p$ expansion which encodes properties modulo powers of $p$. If $n$ is a non-zero $p$-adic number it can be written in the form

where $a \in \mathbb{Z}$, $n_i \in \{0, \ldots, p - 1\}$ and $n_0 \neq 0$. Define $\mathrm{ord}_p(n) = a$ and $|n|_p = p^{-a}$. Such numbers are added and multiplied not using the power series but using the property that the result should be the correct answer if we had worked modulo any given power of $p$ when considering the numbers as
V.3. THE ANOMALOUS ATTACK 89

rationals modulo the given power of $p$ (see [151, Chapter II]). Alternatively you could use the power series but then you need to worry about various carry operations, which is not an efficient way of proceeding.

Let $E$ denote an elliptic curve defined over the field of $p$-adic numbers, $\mathbb{Q}_p$, which is assumed to have good reduction at $p$. The set of points of $E(\mathbb{Q}_p)$ which reduce to zero modulo $p$ is denoted by $E_1(\mathbb{Q}_p)$, which is a group. The set of points in $E(\mathbb{Q}_p)$ which reduce modulo $p$ to an element of $E(\mathbb{F}_p)$ is denoted by $E_0(\mathbb{Q}_p)$. In our case of $E$ having good reduction at $p$ we have $E(\mathbb{Q}_p) = E_0(\mathbb{Q}_p)$, but to remain consistent with the more general literature we shall still retain the notation $E_0(\mathbb{Q}_p)$. There is the exact sequence

Hence multiplying an element of $E_0(\mathbb{Q}_p)$ by a multiple of the number of elements in $E(\mathbb{F}_p)$ will produce a result which lies in $E_1(\mathbb{Q}_p)$.

The group $E_1(\mathbb{Q}_p)$ is isomorphic to the group of $p\mathbb{Z}_p$-valued points of the one-parameter formal group associated to $E$ (see [147, p. 175]). The isomorphism is given by
$$z \longmapsto \begin{cases} O & \text{if } z = 0, \\ (z/w(z),\ -1/w(z)) & \text{otherwise, i.e. } z = -x/y, \end{cases}$$
where $w(z)$ is the power series in $z$, which is the formal power series solution to the equation

Such a solution can be computed to any desired number of terms using the standard Newton-Raphson iteration. Using the power series for $w(z)$ the Laurent series for $x(z)$, $y(z)$ and $\omega(z)$ can be computed, where $\omega(z)$ denotes the invariant differential on $E(p\mathbb{Z}_p)$ (again see [147]). These Laurent series have their first few terms given by
$$x(z) = \frac{z}{w(z)} = \frac{1}{z^2} - \frac{a_1}{z} - a_2 - a_3 z - (a_4 + a_1 a_3) z^2 - \cdots$$
$$y(z) = -\frac{1}{w(z)} = -\frac{1}{z^3} + \frac{a_1}{z^2} + \frac{a_2}{z} + a_3 + (a_4 + a_1 a_3) z + \cdots$$
$$\omega(z) = \frac{dx(z)}{2y(z) + a_1 x(z) + a_3} = \left(1 + a_1 z + (a_1^2 + a_2) z^2 + (a_1^3 + 2a_1 a_2 + a_3) z^3 + \cdots\right) dz = (1 + d_1 z + d_2 z^2 + d_3 z^3 + \cdots)\, dz.$$
For points on $E_1(\mathbb{Q}_p)$ define the $p$-adic elliptic logarithm to be the group homomorphism
$$\vartheta_p : E_1(\mathbb{Q}_p) \longrightarrow \hat{\mathbb{G}}_a(\mathbb{Z}_p) = \mathbb{Z}_p, \qquad P \longmapsto z_P + \frac{d_1 z_P^2}{2} + \frac{d_2 z_P^3}{3} + \cdots.$$
There is another subgroup of $E(\mathbb{Q}_p)$ which interests us, namely
$$E_2(\mathbb{Q}_p) = \{P \in E(\mathbb{Q}_p) : \mathrm{ord}_p(P_x) \leq -4\} \cup \{O\},$$
which corresponds to $\hat{E}(p^2\mathbb{Z}_p)$. Here, $P_x$ denotes the $x$-coordinate of the point $P$. This group also is involved in an exact sequence, namely
$$0 \longrightarrow E_2(\mathbb{Q}_p) \longrightarrow E_1(\mathbb{Q}_p) \longrightarrow \mathbb{F}_p^+ \longrightarrow 0,$$
which tells us that if we multiply an element in $E_1(\mathbb{Q}_p)$ by a multiple of $p$ we will obtain an element of $E_2(\mathbb{Q}_p)$. The crucial mathematical point which makes the following method work is that if the number of elements of $E(\mathbb{F}_p)$ is equal to the number of elements of $\mathbb{F}_p^+$ then we have the following isomorphism:
$$E_0(\mathbb{Q}_p)/E_1(\mathbb{Q}_p) \cong E_1(\mathbb{Q}_p)/E_2(\mathbb{Q}_p) \cong \mathbb{F}_p^+.$$

It will be assumed that our elliptic curve, $E$, is defined over a prime finite field, $\mathbb{F}_p$, and that the number of points on $E$ is equal to $p$. Hence the trace of Frobenius is equal to one and the curve is said to be 'anomalous'. Consider the two points on the curve, $P$ and $Q$, and suppose the solution is required to the following ECDLP on $E(\mathbb{F}_p)$:
$$Q = [m]P,$$
for some integer $m$. An arbitrary lift of $P$ and $Q$ to points, $P$ and $Q$, on an elliptic curve defined over $\mathbb{Q}_p$, whose reduction is the elliptic curve $E(\mathbb{F}_p)$, is first computed. This is trivial in practice, since, as neither $P$ nor $Q$ is a point of order two, we can write $P = (x, y)$ where $x$ is some lift of $P_x$ and $y$ is computed via Hensel's Lemma. Note that
$$E_0(\mathbb{Q}_p)/E_1(\mathbb{Q}_p) \cong E(\mathbb{F}_p) \quad \text{and} \quad E_1(\mathbb{Q}_p)/E_2(\mathbb{Q}_p) \cong \mathbb{F}_p^+.$$
But the groups $E(\mathbb{F}_p)$ and $\mathbb{F}_p^+$ have the same order by assumption, namely $p$, and so it follows that
$$[p]Q - [m]([p]P) = [p]R \in E_2(\mathbb{Q}_p).$$
If the $p$-adic elliptic logarithm, $\vartheta_p$, is taken of every term in the above equation we obtain
$$\vartheta_p([p]Q) - m\,\vartheta_p([p]P) = \vartheta_p([p]R) \equiv 0 \pmod{p^2}.$$
This is possible since for any point $P \in E(\mathbb{Q}_p)$ we have $[p]P \in E_1(\mathbb{Q}_p)$, as $p = \#E(\mathbb{F}_p)$, and the $p$-adic elliptic logarithm is defined on all points in $E_1(\mathbb{Q}_p)$.
V.4. BABY STEP/GIANT STEP 91

Computing the $p$-adic elliptic logarithm is an easy matter. The value $m$ is deduced from the equation
$$m \equiv \frac{\vartheta_p([p]Q)}{\vartheta_p([p]P)} \pmod p.$$
Clearly, on the assumption that one knows the group order, the above observation will solve the required ECDLP in linear time. To see this notice that the only non-trivial steps are the computations of $[p]P$ and $[p]Q$, both of which take $O(\log p)$ group operations on $E$. With probability $1/p$ the above method will fail to find the required discrete logarithm, as we will obtain $\vartheta_p([p]P) \equiv 0 \pmod{p^2}$. However, a different curve $E(\mathbb{Q}_p)$ can then be chosen which reduces to $E(\mathbb{F}_p)$ and the method repeated.
V.3.1. Example. To explain the method a curve over a small field, namely $\mathbb{F}_{43}$, will be used. Consider the curve
$$E : Y^2 = X^3 + 39X^2 + X + 41.$$
The group $E(\mathbb{F}_{43})$ can be readily verified to have $43$ elements. On this curve the ECDLP given by $Q = [m]P$ is to be solved, where $P = (0, 16)$ and $Q = (42, 32)$. The following 'lifts' of these points to elements of $E(\mathbb{Q}_{43})$ using Hensel's Lemma are found:
$$P = (0,\ 16 + 20 \cdot 43 + O(43^2)),$$
$$Q = (42,\ 32 + 20 \cdot 43 + O(43^2)).$$
The computation of $[43]P$ and $[43]Q$ is required and they are found to be
$$[43]P = (38 \cdot 43^{-2} + O(43^{-1}),\ 41 \cdot 43^{-3} + O(43^{-2})),$$
$$[43]Q = (25 \cdot 43^{-2} + O(43^{-1}),\ 39 \cdot 43^{-3} + O(43^{-2})).$$
A simple computation reveals that
$$\vartheta_{43}([43]P) = 19 \cdot 43 + O(43^2),$$
$$\vartheta_{43}([43]Q) = 17 \cdot 43 + O(43^2),$$
and so
$$m = \frac{\vartheta_{43}([43]Q)}{\vartheta_{43}([43]P)} = 19 + O(43).$$
It is concluded that $m$ is equal to $19$, which is easily verified to be correct.
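Example V.3.1 reproduced in code, as an added example that is not part of the book. Instead of $p$-adic arithmetic it uses exact rationals: after Hensel-lifting the $y$-coordinates modulo $43^2$ exactly as in the text, it adjusts $a_4$ and $a_6$ over $\mathbb{Q}$ so that both lifted points lie exactly on a curve that agrees with $E$ modulo $43^2$, and computes $[43]P$ and $[43]Q$ with Python fractions. Since $E_1/E_2 \cong \mathbb{F}_p^+$ is read off from the points modulo $p^2$, and $\vartheta_p(R) \equiv z_R \pmod{p^2}$ for $R \in E_1$, the quantities $\vartheta_{43}([43]P)/43$ and $\vartheta_{43}([43]Q)/43$ modulo $43$ come out as in the text ($19$ and $17$), and so does $m$. The curve-lifting step and the function names are my assumptions; the curve, points and expected values are the book's.

```python
from fractions import Fraction

# Added example (not the book's program): Example V.3.1 with exact rational arithmetic
# on a lifted curve in place of p-adic arithmetic.
p = 43
A2, A4, A6 = 39, 1, 41                 # E: Y^2 = X^3 + 39X^2 + X + 41, #E(F_43) = 43
P_bar, Q_bar = (0, 16), (42, 32)       # ECDLP Q = [m]P in E(F_43)

def hensel_lift_y(x, y, k):
    """Lift y to a root of Y^2 = x^3 + A2 x^2 + A4 x + A6 modulo p^k (Newton steps)."""
    mod = p
    for _ in range(k - 1):
        mod *= p
        rhs = (x ** 3 + A2 * x * x + A4 * x + A6) % mod
        y = (y - (y * y - rhs) * pow(2 * y, -1, mod)) % mod
    return y

def lifted_setup():
    """Lift P and Q (y modulo p^2, as in the text), then pick a4', a6' in Q so that both
    lifted points lie exactly on Y^2 = X^3 + A2 X^2 + a4' X + a6'.  As the lifted y's
    satisfy the original equation mod p^2, a4' = A4 and a6' = A6 (mod p^2)."""
    x1, y1 = P_bar[0], hensel_lift_y(*P_bar, 2)
    x2, y2 = Q_bar[0], hensel_lift_y(*Q_bar, 2)
    c1 = Fraction(y1 * y1 - x1 ** 3 - A2 * x1 * x1)
    c2 = Fraction(y2 * y2 - x2 ** 3 - A2 * x2 * x2)
    a4 = (c1 - c2) / (x1 - x2)            # x1 != x2 (mod p), so the denominator is a p-adic unit
    a6 = c1 - a4 * x1
    return (Fraction(x1), Fraction(y1)), (Fraction(x2), Fraction(y2)), a4, a6

def ec_add(R1, R2, a4):
    """Exact group law on Y^2 = X^3 + A2 X^2 + a4 X + a6 over Q (None is O)."""
    if R1 is None:
        return R2
    if R2 is None:
        return R1
    x1, y1 = R1
    x2, y2 = R2
    if x1 == x2:
        if y1 + y2 == 0:
            return None
        lam = (3 * x1 * x1 + 2 * A2 * x1 + a4) / (2 * y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - A2 - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def ec_mul(k, R, a4):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, R, a4)
        R = ec_add(R, R, a4)
        k >>= 1
    return acc

def ordp(r):
    """p-adic valuation of a non-zero rational."""
    r = Fraction(r)
    if r == 0:
        raise ValueError("ord_p(0) is infinite")
    num, den, v = r.numerator, r.denominator, 0
    while num % p == 0:
        num //= p
        v += 1
    while den % p == 0:
        den //= p
        v -= 1
    return v

def log_over_p_mod_p(R):
    """For R in E1(Q_p): theta_p(R) = z + O(z^2) with z = -x/y, so theta_p(R)/p (mod p)
    equals (z/p) mod p.  Raises in the 1/p failure case (R already in E2)."""
    x, y = R
    z = -x / y
    if ordp(z) != 1:
        raise ValueError("[p]R lies in E2(Q_p): choose a different lift")
    u = z / p
    return u.numerator * pow(u.denominator, -1, p) % p

def reduce_mod_p(R):
    x, y = R
    return (x.numerator * pow(x.denominator, -1, p) % p,
            y.numerator * pow(y.denominator, -1, p) % p)

def anomalous_attack():
    P, Q, a4, _ = lifted_setup()
    tP = log_over_p_mod_p(ec_mul(p, P, a4))   # theta_43([43]P)/43 mod 43
    tQ = log_over_p_mod_p(ec_mul(p, Q, a4))   # theta_43([43]Q)/43 mod 43
    return tP, tQ, tQ * pow(tP, -1, p) % p

if __name__ == "__main__":
    print(anomalous_attack())   # (19, 17, 19)
```

The whole attack costs two scalar multiplications by $p$; this is why a curve with $\#E(\mathbb{F}_p) = p$ must be rejected at parameter-generation time, and why checking the group order against $p$ belongs in every curve-validation routine.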
V.4. Baby Step/Giant Step

We describe the baby step/giant step (BSGS) method for a general finite abelian group, $G$, with $n$ elements. By the Pohlig-Hellman simplification it can be assumed that $n$ is prime; however, this fact is not used in the description below. Let $P, Q \in G$ with
$$Q = [m]P.$$
The value of $m$ is sought. By simple Euclidean division it is known that $m$ can be written as
$$m = \lceil \sqrt{n} \rceil a + b$$
with $0 \leq a, b < \lceil \sqrt{n} \rceil$. The only problem is that the values of $a$ and $b$ are not known. The equation is rewritten to look for a solution in terms of $a$ and $b$ of
$$(Q - [b]P) = [a]([\lceil \sqrt{n} \rceil]P).$$
This may seem like an added complication but it allows us to perform a standard space/time trade off. This idea is the BSGS method and is due to Shanks in the context of factoring algorithms and class group computations.

A table of 'baby steps' is first computed. This is a table of all values of
$$R_b = Q - [b]P$$
where $b$ ranges between $0$ and $\lceil \sqrt{n} \rceil - 1$. This table should be sorted on the $R_b$ and stored in memory so that it can be efficiently searched by using a binary search method. This adds the complication that one needs to have a way of comparing elements of the group. In practice this is no problem since if each element has a unique representation then the bit representation of the element in the computer will be sufficient as the key.

After having computed the 'baby steps' the 'giant steps' are computed:
$$S_a = [a]([\lceil \sqrt{n} \rceil]P).$$
On each computation of a giant step it is seen whether $S_a$ occurs in the table. If it does the values of $a$ and $b$ are recovered. By an earlier comment, this method must terminate before $a$ reaches the value of $\lceil \sqrt{n} \rceil$.

The complexity of the method is roughly $O(\sqrt{n})$ as this much time is required to compute the baby steps and a maximum of this amount of time to compute the giant steps. In this complexity estimate we have ignored the time needed to perform the table look up. However, the main problem with the method is that it requires the storage of $O(\sqrt{n})$ group elements.
tion, rhohaveandcomplexity
also lambda methods, discussed in more detail in the next subsec­
O(fo) . The time to sort and search the look-up
table
Inbe this in case,
the BSGS
the method multiplying
constant can be eliminated if a hash table is used instead.
J71 in the asymptotic estimate can
made �-thisPollard'
However, is only s anrhoexpected
methodrunning
has a slightly
time, bettertheconstant,
given roughly
randomized �­
nature
of2, the
again method.
applied The
to lambda method,
expected running ontime.the The
otheradvantage
hand, hasofatheconstant
rho of
and
lambda methods is that their storage requirements can be made arbitrarily
small.
V.4.1. Example. As promised earlier, the elliptic curve

E : Y^2 = X^3 + 71X + 602

over F_1009 is again considered and the ECDLP is to determine m_0 in

Q' = (592, 97) = [m_0](32, 737) = [m_0]P',

in the subgroup of order 53 generated by P' = (32, 737). Since ⌈√53⌉ = 8, eight baby steps are required. So we compute

    b    R_b = Q' - [b]P'
    0    (592, 97)
    1    (728, 450)
    2    (537, 344)
    3    (996, 154)
    4    (817, 136)
    5    (365, 715)
    6    (627, 606)
    7    (150, 413)

The giant steps [a]([8]P') are computed as

    a    [a]([8]P')
    1    (996, 855)
    2    (200, 652)
    3    (378, 304)
    4    (609, 357)
    5    (304, 583)
    6    (592, 97)

It is seen that a match is obtained with a = 6 and b = 0, which implies that the solution to the DLP is given by

m_0 = a \cdot 8 + b = 6 \cdot 8 + 0 \equiv 48 \pmod{53}.

The solution to the original problem, posed in Section V.1, is given by the unique positive integer less than 530 which is congruent to 1, 4 and 48 modulo 2, 5 and 53 respectively. So the solution is 419, which is easily checked to be correct.

Notice that in this example, the giant steps up to a = 6 need not have been computed. We could have halted at a = 1 and noticed that

[8]P' = -R_3 = -Q' + [3]P'.

Hence [m_0]P' = Q' = [3]P' - [8]P' = [48]P', which leads again to m_0 ≡ 48 (mod 53).
V.5. Methods based on Random Walks
Pollard [125] gives a number of methods to solve the discrete logarithm problem for a variety of groups. The rho method uses a single random walk and waits for a cycle to occur. By using a space-efficient method to detect the cycle, the discrete logarithm can be found. The wait for the cycle means that the single random walk can be thought of as tracing out the greek letter rho, ρ.

In Pollard's lambda method (often called the method of tame and wild kangaroos), two random walks are used, one by a tame kangaroo who jumps off into the wild, digs a hole and waits for the wild kangaroo to fall into it. The shape of the two paths form the greek letter lambda, λ. The lambda method is suited to finding discrete logarithms which are known to lie in a short interval.

There is a parallel version of the rho method, which uses many random walks. However, despite the method's name, the 'paths' do not now look like a rho, since instead one looks for two paths that intersect. The method described in this section is what is usually referred to as the parallel rho method.

The following intuitive explanation uses the analogy of jumping animals, since we have found this to be useful when explaining the method in lectures. However, these are not the kangaroos of Pollard's method, since Pollard's kangaroos perform better controlled jumps. We shall call our jumping animals 'snarks', since they jump around in a rather uncontrolled manner.

To simplify the matter we take two snarks. Eventually we shall use a larger number of snarks. The two snarks are given a spade and told that they should dig a hole every ten or so jumps. Where each snark jumps next depends on the position they are currently at, hence when one snark meets the path of the other (or itself) it will follow the original path along until it falls into one of the holes that have been dug.

If both snarks are jumping around a field of finite size then eventually the path of the one will intersect the path of the other. This may seem a doubtful strategy but the philosophy can be easily turned into a general purpose method for solving discrete logarithms.

We explain the method for a general finite abelian group, G, of order n. Let P, Q ∈ G with

Q = [m]P,

and again we wish to find m. For our method the following two functions will be needed:

f : G \longrightarrow \{1, \ldots, s\}

for some positive integer s to be determined, and

H : G \longrightarrow \mathbb{Z},

a hash function from the group G to the integers. It will be assumed the map f provides an 'equidistribution' function in the sense that

\left| \#\{g \in G : f(g) = i\} - \frac{n}{s} \right| = O(\sqrt{n}).

It will be assumed in this application that the only collisions the function H(g) has are between g and -g.
A set of multipliers, M_i, for i = 1, ..., s, of the form

M_i = [a_i]P + [b_i]Q

for random a_i, b_i ∈ Z is fixed and the following function is defined:

F : G \longrightarrow G, \quad g \longmapsto g + M_{f(g)}.

This function, given any starting point, g_0 ∈ G, defines a random walk, g_k = F(g_{k-1}). Such a walk is efficient to implement and has important statistical properties. Practical experiment [157] has shown that choosing s = 20 gives the correct balance between statistical behaviour and efficiency, for group orders of a reasonably large size. These properties have led this walk to be considered for various algorithms in finite abelian groups (see [79], [137] and [158]).

The method goes as follows: Take two elements (snarks) in the group G of the form

g_0 = [x_0]P + [x_0']Q,
h_0 = [y_0]P + [y_0']Q.

Apply the random walk defined above to compute

g_k = [x_k]P + [x_k']Q,
h_k = [y_k]P + [y_k']Q.

After about O(√(πn/2)) iterations we will find the paths have crossed so that

[x_k]P + [x_k']Q = g_k = h_l = [y_l]P + [y_l']Q

for some k and l. Thus

[x_k - y_l]P = [y_l' - x_k']Q = [y_l' - x_k'][m]P,

and, given the group order n, the DLP can be solved, unless we are very unfortunate and gcd(y_l' - x_k', n) ≠ 1.

The main point is that once the two snarks' paths have crossed they will travel along on the same road. This is because both are following the same random walk algorithm. A diagram of their paths will look like the Greek letter lambda, λ.

Since both snarks follow the same random walk algorithm, it is not necessary to store a large number of points, g_i, and see whether each point h_i is the same as any of the g_i, in order to detect collisions. Instead, only those elements g_i (or h_j) for which H(g_i) satisfies some certain arithmetic property, such as its last k bits being all zero, are stored. Such an element will be called 'distinguished' [128]. If this is the case then the expected total storage, O(√(πn/2) / 2^k), can be made as small as can be coped with. This is achieved at the expense of each snark having to jump for, on average, an extra 2^k steps.
Notice that a solution is also obtained if g_k = g_l for some k and l with k ≠ l. Hence only one snark could be used if we wanted (this is usually called the rho method as the path of the snark will eventually form a shape like the Greek letter rho, ρ).

As van Oorschot and Wiener [116] point out this method can be trivially parallelized, by having n snarks rather than two. However, unlike the standard parallelization of the rho method, the parallelization of van Oorschot and Wiener provides a linear speed up. So n snarks will solve the DLP twice as fast as n/2 snarks.

In practice a set of client programs perform the random walks of the snarks, with say one snark per client. They then pass any distinguished points they find back to a server who collects the distinguished points in a database and searches for matches.

Some implementation details of this parallelization for elliptic curves are discussed. Each client program can perform a number of random walks in parallel as this allows us to perform an efficient 'parallel' inversion [106]. Hence each client program is actually computing a set of random walks and not just one. For the hash function the value of the x-coordinate on the curve can be used, whilst the distinguished points will be those with a certain number of least significant bits of the x-coordinate equal to zero.

When a report is received which has an identical hash value with one already found, the DLP can be solved. Actually two problems are solved, as the function H(g) discards information about the y-coordinate. Once solved the answers can be checked as to which solution is the correct one.
V.5.1. Example. The elliptic curve

E : Y^2 = X^3 + 71X + 602

over F_1009 is again considered and a solution to the ECDLP

Q' = (592, 97) = [m_0](32, 737) = [m_0]P'

in the subgroup of order 53 generated by P' = (32, 737), is again sought. It was shown earlier using the BSGS method that this had the solution 48. This result will be established using the method of random walks.

Some choices are first made. As the example is small, we choose s = 3 and define

f : E(\mathbb{F}_{1009}) \longrightarrow \{1, 2, 3\}, \quad (x, y) \longmapsto (x \bmod 3) + 1.

The multipliers are chosen to be

M_1 = [2]P' + [0]Q' = (8, 623),
M_2 = [1]P' + [1]Q' = (654, 118),
M_3 = [3]P' + [4]Q' = (555, 82).

Since the group order is very small assume that every point is distinguished. The two snarks are called g and h and their positions at time t will be denoted by g_t and h_t. Initially set g_0 = P' and h_0 = Q' and let the snarks pursue their 'random' walk:

    t    g_t                              h_t
    0    [1]P' + [0]Q' = (32, 737)        [0]P' + [1]Q' = (592, 97)
    1    [4]P' + [4]Q' = (200, 357)       [1]P' + [2]Q' = (817, 136)
    2    [7]P' + [8]Q' = (759, 545)       [2]P' + [3]Q' = (304, 583)
    3    [9]P' + [8]Q' = (241, 691)       [3]P' + [4]Q' = (555, 82)
    4    [10]P' + [9]Q' = (711, 716)      [5]P' + [4]Q' = (809, 516)
    5    [12]P' + [9]Q' = (759, 545)

So the g-snark has crossed its own path, as g_2 = g_5. Its path looks like a rho.

The ECDLP is solved using the resulting equation

[7]P' + [8]Q' = g_2 = g_5 = [12]P' + [9]Q'

and so

[5]P' = -Q' = -[m_0]P'.

Hence m_0 ≡ -5 ≡ 48 (mod 53), as required.
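The BSGS method of Section V.4 and the distinguished-point random walk of this section, run on the book's F_1009 instance, as an added example in Python that is not code from the book: the affine curve arithmetic, the function names, the hash-table layout and the walk driver are this example's own, while the curve, the points P' and Q', the subgroup order 53, the map f and the multipliers M_1, M_2, M_3 are those of Examples V.4.1 and V.5.1. Every point is treated as distinguished, as in the example; `low_bits_zero(k)` with k > 0 gives the x-coordinate test the text describes for large groups.

```python
# Added example (not from the book): BSGS (Section V.4) and the distinguished-point
# random walk (Section V.5) on y^2 = x^3 + 71x + 602 over F_1009, in the subgroup
# of order 53 generated by P' = (32, 737), with Q' = (592, 97). Names are this example's own.
from math import gcd, isqrt

p, A = 1009, 71      # field prime and the coefficient of x; b is not needed for addition
INF = None           # the point at infinity O

def ec_add(P, Q):
    """Affine chord-and-tangent addition on y^2 = x^3 + A x + b over F_p."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                  # P = -Q
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_neg(P):
    return INF if P is INF else (P[0], -P[1] % p)

def ec_mul(k, P):
    """[k]P by double-and-add; a negative k negates P first."""
    if k < 0:
        k, P = -k, ec_neg(P)
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def bsgs(P, Q, n):
    """Section V.4: m with Q = [m]P in the group of order n generated by P.
    Baby steps R_b = Q - [b]P, 0 <= b < w = ceil(sqrt(n)), go into a hash table
    keyed by the point's coordinates; giant steps S_a = [a]([w]P) are looked up."""
    w = isqrt(n - 1) + 1                            # ceil(sqrt(n))
    table, R = {}, Q
    for b in range(w):
        table.setdefault(R, b)                      # R_b
        R = ec_add(R, ec_neg(P))                    # R_{b+1} = R_b - P
    step, S = ec_mul(w, P), INF                     # S_0 = O
    for a in range(w + 1):
        if S in table:
            return (a * w + table[S]) % n
        S = ec_add(S, step)                         # S_{a+1} = S_a + [w]P
    raise ValueError("Q is not a multiple of P")

def low_bits_zero(k):
    """Distinguished-point test of Section V.5 with H(g) = x-coordinate: the k low
    bits of x are zero. k = 0 makes every point distinguished, as in Example V.5.1."""
    return lambda g: g is not INF and g[0] % (1 << k) == 0

def random_walk_dlp(P, Q, n, mults, f, distinguished, starts, max_steps=100000):
    """Section V.5: each snark is (g, x, x') with g = [x]P + [x']Q and moves by
    g -> g + M_{f(g)}. Distinguished points go to a shared table; a second report
    of the same point with a different (x, x') (from another snark, or the same
    one closing a rho) gives [x - y]P = [y' - x'][m]P and hence m."""
    M = {i: ec_add(ec_mul(a, P), ec_mul(b, Q)) for i, (a, b) in mults.items()}
    table = {}                                      # distinguished point -> (x, x')
    snarks = [(ec_add(ec_mul(x, P), ec_mul(xp, Q)), x, xp) for x, xp in starts]
    for _ in range(max_steps):
        moved = []
        for g, x, xp in snarks:
            if distinguished(g):
                if g in table and table[g] != (x, xp):
                    y, yp = table[g]
                    d = (yp - xp) % n
                    if gcd(d, n) != 1:              # the unlucky case noted in the text
                        raise ValueError("gcd(y' - x', n) != 1; restart with other multipliers")
                    return (x - y) * pow(d, -1, n) % n
                table[g] = (x, xp)
            i = f(g)
            a, b = mults[i]
            moved.append((ec_add(g, M[i]), (x + a) % n, (xp + b) % n))
        snarks = moved
    raise RuntimeError("no collision within max_steps")

# Example V.5.1's choices: s = 3, f(x, y) = (x mod 3) + 1, M_1 = [2]P', M_2 = P' + Q', M_3 = [3]P' + [4]Q'
P1, Q1, ORDER = (32, 737), (592, 97), 53
MULTS = {1: (2, 0), 2: (1, 1), 3: (3, 4)}
f_mod3 = lambda g: 1 if g is INF else g[0] % 3 + 1

def solve_both():
    """Both methods on the book's instance; each should return 48."""
    m1 = bsgs(P1, Q1, ORDER)
    m2 = random_walk_dlp(P1, Q1, ORDER, MULTS, f_mod3, low_bits_zero(0), [(1, 0), (0, 1)])
    return m1, m2
```

With these inputs the walk reproduces the book's table (the g-snark returns to (759, 545) at t = 5) and the collision is resolved exactly as in the text: (12 - 7) · (8 - 9)^{-1} ≡ 48 (mod 53). Changing `starts` to a single snark gives the plain rho method; several snarks with a non-trivial `distinguished` test give the parallel method, with the table playing the server's role.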
V.6. Index Calculus Methods
One reason for proposing elliptic curves in cryptography is that there appears to be no analogue of the index calculus methods which are available for schemes using multiplicative groups of finite fields.

Index calculus methods usually use a set of elements, called the factor base. On this factor base a set of relations are found. Once a full lattice of relations is determined one can solve virtually any DLP in a straightforward manner. At least one can do this as soon as the elements defining the DLP have been expressed in terms of the factor base.

There are two 'philosophical' ways of designing index calculus type methods for elliptic curves. Both however lead to significant problems.

The first uses the fact that the group of points on an elliptic curve is in fact the class group of a function field. Ideas like the function field sieve [1] can be used to obtain an index calculus method. In Chapter X it will be seen that for hyperelliptic curves of large genus this does indeed give a sub-exponential method. However, for elliptic curves the method is very ineffective as the factor base needs to consist of all the points on the elliptic curve.

The second 'philosophy' is that the index calculus methods for the groups F_p^* make use of the fact that F_p^* is the reduction modulo p of the group Q^* (apart from the elements whose support contains p). The factor base is then chosen to be the smaller prime elements in Q^*. There are a lot of these to choose from as Q^* has infinitely many generators and they have an obvious ordering, with smaller generators being easier to handle in the computer.

The obvious analogue for elliptic curves is to look at curves E(Q) whose reduction modulo p gives our curve E(F_p). However, E(Q) does not have an infinite number of generators. Indeed the Mordell-Weil Theorem [147] states that E(K) is a finitely generated group for any number field K. Not only that but the generators of E(Q) could be huge, even though the size of the coefficients of E is comparatively small. Even if 'small' generators exist the rational points grow very fast as points are added together. This is because the Neron-Tate height is a quadratic form on the Mordell-Weil group. Hence adding a point to itself will usually double the size of the coordinates needed to represent the point.

For a fuller discussion of possible index calculus methods see [150]. There is another possible approach called the Xedni calculus (see [149]; Xedni is index backwards). This method uses a number of deep ideas from the theory of elliptic curves over the rationals such as the Birch-Swinnerton-Dyer conjecture, see [12] and [13]. However, this method appears, at present, unlikely to yield a practical solution for the ECDLP - see [55] for a detailed discussion.
V.7. Summary
To summarize, let E be an elliptic curve over F_q, with group order n = #E(F_q). For E to be used in a cryptosystem, we require the following properties:

1. The group should have a subgroup of large prime order r, where the meaning of 'large' is determined by the desired cryptographic strength, based on the best implementations of square root attacks using current software and hardware. This is often taken to mean a prime of more than 160 bits, which compares to the security of about 1000 bits of key length in conventional public key systems as implied by current algorithmic knowledge (see Section I.3). From the point of view of efficient cryptosystem implementation, the ratio of cryptographic strength to computational cost is maximized when log r is close to log n (this is discussed in more detail in Section VI.5).
2. The curve should not be anomalous, i.e. we should not have n = q = p, a prime. These are the curves of trace one over F_p.
3. The smallest value of l such that q^l ≡ 1 (mod n) should be large. This removes curves of trace zero and two over F_p immediately, as well as the other supersingular curves.

Note that all of the above conditions are very easy to check as soon as a curve and its group order have been computed. Property 3 (sometimes referred to as the MOV condition [P1363]) aims at preventing the possibility of embedding the ECDLP in the multiplicative group of a finite field with an easier DLP, as done in the MOV attack. To quantify the meaning of 'large l' in this context, we recall the complexity estimates for the DLP and the general ECDLP from Section I.3. The goal is to have

C_{EC}(k) \le C_{CONV}(lk),

where k = ⌈log_2 q⌉, C_EC(k) denotes the complexity of the ECDLP for curves over F_q, and C_CONV(lk) denotes the complexity of the DLP on F_{q^l}. Using the estimates for C_EC and C_CONV from Section I.3, it is readily verified that the goal is achieved when
CHAPTER VI
Determining the Group Order

The problem of determining the order of the group of rational points on an elliptic curve over a finite field - the point counting problem - is of critical importance in applications such as primality proving and cryptography. As seen in the summary section of Chapter V, for cryptographic applications, we require the curve to be non-supersingular, and the group order to be divisible by a large prime factor, which in practice may be several hundred bits long (160 bits is sometimes considered a minimal requirement). Therefore, the problem is difficult, and it requires innovative solutions that are both mathematically challenging and computationally effective.

The point counting problem is introduced in this chapter, where general methods for finite groups, as well as some 'easier' cases of elliptic curve groups, are discussed. More advanced methods applicable to broader classes of curves are discussed in Chapters VII and VIII.
VI.1. Main Approaches
Three main techniques are presently used to determine elliptic curves suitable for cryptography:

• Generate random curves and compute their group orders, until an appropriate one is found.
• Generate curves with given group order using the theory of complex multiplication (CM). Such curves are usually called CM-curves (which is somewhat misleading, as all curves over a finite field have CM through the Frobenius map).
• Use the group of F_{q^n}-rational points, E(F_{q^n}), of a curve E defined over F_q, for q relatively small. Taking a view centered on the field over which the rational points of interest are defined, the curve in this case is often referred to as a subfield curve, or a curve of Koblitz type.

One approach to computing the order of a general finite abelian group is to use a generalization of either the BSGS method or the methods based on random walks (the rho, lambda and kangaroo methods) discussed in the previous chapter. To this end, we compute the order of a randomly chosen element g ∈ G, i.e. determine n so that

where e is the group identity. Considering the orders obtained for several randomly chosen group elements will give a possible value for the group order. To obtain more certain information, subtler methods are required (see [21] and [158]).

By Hasse's Theorem it is known that the number of rational points on an elliptic curve over F_q satisfies

and the group of points is the product of at most two cyclic subgroups.

A naive way of counting rational points on curves over small finite fields of odd characteristic p, with curve equation given by

Y^2 = X^3 + aX + b,

is to evaluate the sum

p + 1 + \sum_{x=0}^{p-1} \left( \frac{x^3 + ax + b}{p} \right),

where (·/p) is the Legendre symbol. This is reasonably fast for small values of p but soon becomes unwieldy for large values. Cohen [29] suggests using this method for p < 10000. He also notes that combining Shanks's BSGS method with Hasse's Theorem will give an O(p^{1/4+ε}) method, where ε is a positive constant that can be made arbitrarily small. This is the method of Shanks and Mestre, which is claimed to perform better than the Legendre symbol for p > 457 [29]. We discuss the Shanks-Mestre method in Section VI.3. For large finite fields, i.e., the typical situation when looking for elliptic curves for use in cryptography, a better method is needed.

The method currently believed to yield curves least amenable to attack consists of choosing at random a large finite field and then selecting elliptic curves over that field at random until one is found whose group of rational points satisfies the constraints. This procedure is outlined in Section VI.5, where the probability of success in each trial is estimated. The procedure requires the ability to determine the number of rational points on an arbitrary curve over a large finite field. This task is computationally challenging but feasible for field sizes of practical interest, and is the main subject of Chapter VII.

Another way of proceeding is to decide on a prime base field of large order and then use the theory of CM to produce curves with a cyclic subgroup of large prime order [73]. Again, this is feasible but some involved computations are still required, e.g., computing roots of large degree polynomials over large finite fields. Nevertheless, the CM method is considered less computationally taxing than general point counting. This method is the subject of Chapter VIII.

When general point counting on random curves, or the CM method, is deemed too complex, a reasonable compromise can be found in the use of subfield curves. This method, described in Section VI.4 below, enjoys popularity due to the ease by which appropriate curves over very large fields can be produced. However, the family of such curves is rather small compared to the family of general curves over F_{q^n}, offering less choice in the design of a cryptosystem, and making the curves somewhat 'special'. This has led some researchers in the cryptographic community to express concerns that such curves might be weaker, in the sense that their associated DLP might be easier, than those generated in a random way. The same concern has been expressed about curves generated with the CM method. As of the writing of this book, however, no DLP algorithm has been found that actually exposes any weaknesses for curves generated using either the CM or the subfield method.

A common feature of some of the point counting algorithms presented is that they produce one or more 'candidate' values m for the group order, and need to check whether m is indeed the order. In the next section, we discuss how this is done.
VI.2. Checking the Group Order

Given an elliptic curve E defined over F_q, we wish to determine whether a given integer m produced by a point counting algorithm is the order of E(F_q). The obvious first test is to ascertain that m is within the Hasse interval

q + 1 - 2\sqrt{q} \le m \le q + 1 + 2\sqrt{q}.

Once this is established, a point P in E(F_q) is selected at random (e.g., using Algorithm III.1), and the condition

[m]P = O

is checked. Clearly, if the condition does not hold, m is not the group order. If the condition holds, there is a high likelihood of m being the group order, the exact probability depending on the factorization of m. The probability can be increased by drawing and checking further random points. One possible approach is to keep all candidates that pass the random point test, and at the end of the algorithm draw and check random points until only one candidate survives. This approach succeeds if the point counting algorithm is guaranteed to produce the true group order as one of the candidates, which is the case for the algorithms described in the next two chapters.

For the group orders of interest in cryptography, the situation is simpler. In this case, we are only interested in group orders m of the form

m = s \cdot r,

where s is a small positive integer, and r is prime. First, it is easy to check that a candidate m is indeed of this form. For values of s used in practice, this can be done by trial division and primality testing. If m is not of the desired form, then it is discarded, even though it might be the true group order. If no candidates survive at the end of the point counting algorithm, the curve is deemed inappropriate for cryptographic applications, and another one is tried. When m is of the right form, a random point P is checked. If [m]P = O, the multiple [s]P is checked. If [s]P = O (this has extremely low probability), then P is discarded and a new random point is checked. Otherwise, r divides the order of P. If r > 4√q, this condition guarantees that m is the group order, as there can be no other multiple of r in the Hasse interval. The condition on r is amply met in practical applications, since s ≪ r (the choice of s is discussed in more quantitative terms in Section VI.5).

Several related results exist in the literature. For example, a theorem of Mestre, quoted in [142], shows that for p a prime greater than 461, either the curve or its twist will always admit a point of order greater than 4√p. Schoof [142] extends this result by showing that for p > 229 either the curve or its twist admits an F_p-rational point P with the property that the only integer m ∈ (p + 1 - 2√p, p + 1 + 2√p) for which [m]P = O is the group order.
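The naive Legendre-symbol count of Section VI.1, followed by the candidate checks that need no curve arithmetic (the Hasse interval and the s · r test of this section, and the anomalous and MOV conditions of Section V.7 that Algorithm VI.1 below applies), as an added Python example that is not code from the book. The function names, the Miller-Rabin primality test and the `vet_candidate` driver are this example's own; the two curves it runs on are the book's: Y^2 = X^3 + 71X + 602 over F_1009 (order 1060 = 20 · 53, which Examples V.4.1 and V.5.1 work in) and the anomalous curve Y^2 = X^3 + 39X^2 + X + 41 over F_43 from Example V.3.1.

```python
# Added example (not from the book): Section VI.1's Legendre-symbol count and the
# cheap candidate checks of Section VI.2, Algorithm VI.1 and Section V.7. Names are this example's own.

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(p, coeffs):
    """#E(F_p) for E: Y^2 = c3 X^3 + c2 X^2 + c1 X + c0 over F_p, p an odd prime:
    p + 1 + sum over x in F_p of (f(x)/p). Linear in p, so only for small p."""
    c3, c2, c1, c0 = coeffs
    total = p + 1
    for x in range(p):
        total += legendre(((c3 * x + c2) * x + c1) * x + c0, p)
    return total

def in_hasse_interval(m, q):
    """q + 1 - 2 sqrt(q) <= m <= q + 1 + 2 sqrt(q), tested exactly as (m - q - 1)^2 <= 4q."""
    return (m - q - 1) ** 2 <= 4 * q

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24 and a strong
    probable-prime test beyond that (enough for the 'r prime' check of Step 5)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def cofactor_form(m, S):
    """Steps 4-5 of Algorithm VI.1: (s, r) if m = s * r with s <= S and r prime
    (trial division over the cofactor, then a primality test), else None."""
    for s in range(1, S + 1):
        if m % s == 0 and is_probable_prime(m // s):
            return s, m // s
    return None

def embedding_degree(q, r, max_l):
    """Smallest l <= max_l with q^l = 1 (mod r), i.e. the MOV condition of Section V.7
    applied to the prime subgroup order r; None if no such l exists up to max_l."""
    x = 1
    for l in range(1, max_l + 1):
        x = x * q % r
        if x == 1:
            return l
    return None

def vet_candidate(q, m, S, min_l):
    """Run the checks on a candidate order m and report each result separately,
    so a caller can log why a curve was rejected; the [m]P = O test is left out."""
    form = cofactor_form(m, S)
    result = {"hasse": in_hasse_interval(m, q), "anomalous": m == q, "form": form}
    if form:
        result["mov_l"] = embedding_degree(q, form[1], min_l)   # None means the condition is met
    return result
```

`vet_candidate(1009, 1060, 20, 60)` reports the F_1009 curve as non-anomalous, of the form 20 · 53, but with embedding degree 52 for r = 53, which is why such a toy subgroup would fail property 3 for any realistic `min_l`; for the F_43 curve the `anomalous` flag fires, which is the condition the attack of Section V.3 exploits.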

VI.3. The Method of Shanks and Mestre

We give a brief description of the O(q^{1/4+ε}) BSGS-based algorithm for determining the group order of an elliptic curve. If the group order is expressed as #E(F_q) = q + 1 - t, |t| ≤ 2√q, the uncertainty is of order 4√q and an algorithm of order q^{1/4+ε} is not surprising. The algorithm uses an idea of Mestre and is referred to as the Shanks-Mestre algorithm [29]. The discussion below is adapted from [40].

Determine a random point P on E(F_q). It is assumed the order of P is greater than 4√q (see the discussion in Section VI.2). Let Q = [q + 1]P and Q_1 = Q + [⌊2√q⌋]P and let t' = t + ⌊2√q⌋ ∈ [0, 4√q]. Let m = ⌈2q^{1/4}⌉ and observe that t' = im + j for some positive integers i, j < m. Compute the baby steps [j]P, j = 0, 1, 2, ..., m - 1, and store in some convenient manner. For i from 0 to m - 1 compute the giant steps Q_1 - [i]([m]P) and check to see which one is in the table. If the ith giant step is equal to the jth baby step then t' = im + j and t is obtained.

The algorithm takes on the order of q^{1/4+ε} in both time and space, where ε is a positive constant that can be made arbitrarily small. As usual, using the techniques of Pollard, the asymptotic space requirements can be made arbitrarily small, without sacrificing expected running time of the algorithm. For large q, however, the above algorithm quickly becomes impractical.
VI.4. Subfield Curves

Let E be a curve defined over F_q, and write N_n = #E(F_{q^n}) for n ≥ 1. Define the series

Z(E; T) = \exp\left( \sum_{n \ge 1} \frac{N_n T^n}{n} \right)

for an indeterminate T. This is referred to as the zeta function [66] of the curve E over F_q. The following theorem, due to Hasse, shows that this function has a very simple form that allows all the values of N_m, m > 1, to be obtained from knowledge of N_1, the number of rational points over the ground field, F_q. Owing to results by Weil (see, e.g., [147]), the theorem can actually be extended to curves of genus higher than one, and this will be briefly discussed in Chapter X.

THEOREM VI.1 (see, e.g., [66]). Let E be an elliptic curve over F_q, and let c_1 denote its trace of Frobenius at q, i.e., N_1 = q + 1 - c_1. The zeta function of E over F_q has the form

Z(E; T) = \frac{P(T)}{(1 - T)(1 - qT)},

where

P(T) = 1 - c_1 T + qT^2 = (1 - \alpha T)(1 - \bar{\alpha} T).

The discriminant of P(T) is non-positive, and the magnitude of α is √q.

Notice that Theorem III.3 in Chapter III follows immediately from Theorem VI.1. Also, it follows by straightforward series manipulations and partial fraction expansions that, for n ≥ 1,

(VI.1)

Clearly, this equation provides an efficient computational procedure for #E(F_{q^n}), since α is a quadratic imaginary integer, and α^n can be computed using a binary exponentiation method (see Chapter IV), involving only operations on integers. An alternative formulation, also leading to an efficient computation, is given in the following corollary, which follows immediately from Equation (VI.1).

COROLLARY VI.2. Let F_q, E and c_1 be defined as in Theorem VI.1. Write #E(F_{q^n}) = q^n + 1 - c_n for n ≥ 1. Then,

c_n = c_1 c_{n-1} - q c_{n-2},

where c_0 = 2.

For commonly used ranges of values of q and n, n has to be prime to allow for a large enough prime divisor of #E(F_{q^n}). For, if n factors non-trivially as n = n_1 n_2 then both #E(F_{q^{n_1}}) and #E(F_{q^{n_2}}) divide #E(F_{q^n}), limiting the range of the largest prime divisor of #E(F_{q^n}).

It is common to consider subfield curves in characteristic two, to take advantage of the efficient arithmetic in such fields. However, the trouble with restricting attention to characteristic two is that there are not many curves defined over small finite fields with the required subgroup of large prime order over the extension field. One possible way around this is to use subfield curves over fields of odd characteristic (see [152]).

As an example in characteristic two consider an elliptic curve, E, defined over the finite field F_4, with equation

E : Y^2 + XY = X^3 + \theta + 1.

Here, θ^2 + θ + 1 = 0 and F_4 = F_2[θ]. It is verified by direct inspection that #E(F_4) = 4, and thus, the trace of Frobenius at q = 4 is c_1 = 1. Using Equation (VI.1) or Corollary VI.2, it is seen that the group order of the rational points over F_{2^{158}} = F_{4^{79}} is equal to

2^2 \cdot 91343852333181432387730573045979447452365303319,

this last element in the factorization being a 156-bit prime number. Note that although curves of trace one are anomalous this does not mean the attack on anomalous curves applies in this context. The above curve is anomalous over F_4 but not over F_{4^{79}}. All that the attack of Semaev, Smart, Satoh and Araki will give is the solution of the DLP in the subgroup of order four, which is not really a hard problem.
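Both computational routes of this section, as an added Python example that is not code from the book: Corollary VI.2's integer recurrence, and the α^n route, which this example takes to be N_n = q^n + 1 - α^n - ᾱ^n (that is the reading of Equation (VI.1) assumed here; it is exactly what the corollary's recurrence encodes). Exact arithmetic in Z[α] is done on integer pairs (a, b) standing for (a + b√D)/2 with D = c_1^2 - 4q, so no floating point is involved. The function names are this example's own; the data are the book's F_4 curve with c_1 = 1 and its order over F_{4^79}.

```python
# Added example (not from the book): N_n = #E(F_{q^n}) from N_1 alone, by the
# recurrence of Corollary VI.2 and by binary exponentiation of alpha in Z[alpha].
# Run on the book's curve Y^2 + XY = X^3 + theta + 1 over F_4 (q = 4, c_1 = 1).

def traces_by_recurrence(q, c1, n):
    """[c_0, c_1, ..., c_n] with c_k = c_1 c_{k-1} - q c_{k-2}, c_0 = 2 (Corollary VI.2)."""
    c = [2, c1]
    while len(c) <= n:
        c.append(c1 * c[-1] - q * c[-2])
    return c[: n + 1]

def trace_by_power(q, c1, n):
    """c_n = alpha^n + conj(alpha)^n with alpha = (c_1 + sqrt(D))/2, D = c_1^2 - 4q < 0.
    A pair (a, b) stands for (a + b sqrt(D))/2; products of two elements of Z[alpha]
    stay of that shape, so the halvings below are exact integer divisions."""
    D = c1 * c1 - 4 * q

    def mul(u, v):
        a, b = u
        c, d = v
        return ((a * c + b * d * D) // 2, (a * d + b * c) // 2)

    result, base, e = (2, 0), (c1, 1), n       # (2, 0) is the element 1
    while e:                                   # square-and-multiply, as in Chapter IV
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result[0]                           # alpha^n + conj(alpha)^n = 2 * Re(alpha^n)

def subfield_orders(q, c1, n):
    """[N_1, ..., N_n] with N_k = q^k + 1 - c_k."""
    c = traces_by_recurrence(q, c1, n)
    return [q ** k + 1 - c[k] for k in range(1, n + 1)]

def hasse_bound_holds(q, c1, n):
    """|c_n| <= 2 sqrt(q^n), checked exactly; a cheap consistency test on the arithmetic."""
    return trace_by_power(q, c1, n) ** 2 <= 4 * q ** n

def book_example():
    """The order of the F_4 curve over F_{4^79}, by both routes; they must agree."""
    n = 79
    c_rec = traces_by_recurrence(4, 1, n)[n]
    c_pow = trace_by_power(4, 1, n)
    return 4 ** n + 1 - c_rec, 4 ** n + 1 - c_pow
```

The divisibility remark in the text is visible directly from the output: every N_k returned by `subfield_orders(4, 1, n)` is a multiple of N_1 = 4, and N_4 is a multiple of N_2, which is why a prime n is needed for a large prime divisor.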
Vl.5. Searching for Good Curves
The preferred
applications method
is curve for generating
basedsatisfying a '
on selectingthecurvesg ood' curve suitable
atconditions
random, and for cryptographic
determining group
orders until a
is outlined in Algorithm VI.1 below. desired is found. The method
ALG ORITHM Vl.1: Generating a 'Good' Elliptic Curve.
INPUT : A large finite field IFq , a small positive integer s.
OUTPUT : An elliptic curve E over IFq such that E(IFq ) = s · r ,
s ::=; s , r prime .
1. Draw E at random , with coefficients in IFq .
2. Determine #E(IFq ) .
3. Check the MDV and anomalous conditions (see Chapter V) .
If any of these fail , go to Step 1 .
4. Attempt to factor #E(IFq ) in ' reasonable ' time.
If the attempt fails , go to Step 1 .
5.
Else , go to Step 1 .
·
If #E(IFq ) = s r , s ::=; s , r prime , return E.

The main
that the step of this procedure,
factorization attempt inStepStep2, 4is isthenotsubject of Chapter
difficult. In fact, VII.for Notice
values
of s usedfactors
possible in practice,
up to thes, together
factorization
with can
The factorization can be carried out by trial division followed by primality testing. If the primality test fails, then the order #E(F_q) is not of the desired form, and the curve is discarded.

VI.5. SEARCHING FOR GOOD CURVES 107

We now estimate the probability of success in one iteration of Algorithm VI.1. First, the term 'large', used when referring to the prime r (or equivalently, 'small' when referring to s), is quantified. For the sake of concreteness, F_q is assumed to be of characteristic two, i.e., q = 2^n. Similar considerations apply to the case where q is odd. Assuming that the ECDLP is indeed of exponential complexity, log_2 r is a good measure of the 'number of bits of security' in the cryptosystem, in that a search exponential in this measure is needed to break the system. On the other hand, the 'key size' is n, the size of a field element, and the complexity of the operations required to implement the cryptosystem grows polynomially with n. Therefore, to obtain the strongest possible system for the computational investment, we would like r to be as large as possible. Recall that by Hasse's Theorem, log_2 r is roughly bounded above by n. Define the loss of the cryptosystem as

$$\varepsilon = 1 - \frac{\log_2 r}{n}.$$

For example, an elliptic curve cryptosystem over F_{2^200} using a cyclic prime order subgroup of order near 2^190 has a loss of five percent.

Following Koblitz [64], for an integer s, let H_s denote the set of multiples of s in the interval [q + 1 − 2√q, q + 1 + 2√q], q = 2^n, and let

$$H_s/s = \{\, i : i \cdot s \in H_s \,\}.$$

To estimate the probability of drawing a random curve with given loss ε, two assumptions are made: (i) the order #E(F_q) is uniformly distributed in H_2, and (ii) for small s, the distribution of primes among integers in H_s/s is similar to the distribution of primes among arbitrary integers of the same order of magnitude as q/s. By the Prime Number Theorem, the density of primes in H_s/s is thus assumed to be roughly 1/log(q/s). See the discussion on these assumptions in [64] and [89].

Let S = ⌊2^{nε−1}⌋. Then, under the above assumptions, and using well known properties of the harmonic series, the probability of a curve of loss ε or less is estimated by

$$\sum_{j=1}^{S} \frac{1}{j \log(q/2j)} \;\ge\; \frac{1}{\log q} \sum_{j=1}^{S} \frac{1}{j} \;=\; \frac{1}{\log q}\bigl(\log S + O(1)\bigr) \;=\; \varepsilon + o(1).$$

For example, to have the target loss of five percent in the example above, we expect to have to determine the order #E(F_q) for 20 random curves before a 'good' one is found. In fact, since each point counting computation yields the orders of a curve and its twist, the point counting procedure will need to be run only ten times on the average.
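To put numbers on the estimate above, here is an added example (my code, not from the book) that evaluates the sum for the case in the text, n = 200 and ε = 0.05, and the expected number of curves and point counting runs it implies; the function names are my choices.

```python
"""Koblitz's estimate of the probability that a random curve over F_{2^n} has
order s*r with r prime and loss epsilon = 1 - log2(r)/n (added example, not
code from the book).  The sum is the one in the text: S = floor(2^(n*eps-1)),
q = 2^n, and the j-th term is the chance that #E = 2j*r with r prime."""
from math import log


def loss(n, log2_r):
    """Loss of a system using a prime-order subgroup of about 2^log2_r points
    on a curve over a field of n-bit elements."""
    return 1.0 - log2_r / n


def success_probability(n, eps):
    """Estimated probability that one random curve over F_{2^n} has loss <= eps:
    sum_{j=1}^{S} 1 / (j * log(q / (2j))), with S = floor(2^(n*eps - 1))."""
    S = int(2 ** (n * eps - 1))
    log_q = n * log(2)                       # natural log of q = 2^n
    return sum(1.0 / (j * (log_q - log(2 * j))) for j in range(1, S + 1))


def expected_trials(n, eps):
    """Expected number of (random curves drawn, point counting runs) before a
    curve of loss <= eps is found.  One point count gives the order of a curve
    and of its twist, so the number of runs is half the number of curves."""
    curves = 1.0 / success_probability(n, eps)
    return curves, curves / 2.0


if __name__ == "__main__":
    # the worked case from the text: F_{2^200}, subgroup of order near 2^190
    print("loss:", loss(200, 190))                              # 0.05
    print("P(loss <= 0.05):", success_probability(200, 0.05))   # about 0.05
    print("curves, point counts:", expected_trials(200, 0.05))  # about 20, 10
```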
The probability estimates above (and the underlying assumptions) are borne out by experimental data gathered at Hewlett-Packard Laboratories for a large number of elliptic curves over fields of the sizes used in real systems. Group orders were determined using some of the point counting techniques described in Chapter VII, and a sample of the curves obtained is presented in Appendix A.
CHAPTER VII
Schoof's Algorithm and Extensions

As discussed in Chapter VI, the preferred method for generating curves suitable for cryptographic applications depends on the ability to solve the point counting problem for arbitrary elliptic curves over large finite fields, namely, the exact determination of the number of rational points on such curves. In this chapter, approaches to the problem that have met with success are outlined. The two main cases of interest will be those of fields of characteristic two and of fields of large prime order p. While much of the theory for point counting on elliptic curves is quite general, the techniques that have been developed for the two cases have differences. The two cases will be discussed separately in later sections, although the discussion will be for the general case as much as possible. There is considerable overlap in the basic theory.

Recall that for fields of characteristic two, we are only interested in non-supersingular curves, and it is sufficient to consider only curve equations of the form

$$Y^2 + XY = X^3 + a_6, \qquad a_6 \in \mathbb{F}_{2^n},$$

as the group order of a twist is easily derived. For odd characteristic greater than three, the curves of interest have equations of the form

$$Y^2 = X^3 + aX + b, \qquad a, b \in \mathbb{F}_q.$$

VII.1. Schoof's Algorithm

The genesis of the efficient general point counting algorithms lies in the work of Schoof [141]. In a dramatic improvement, Schoof dropped the complexity of the methods for point counting from O(q^{1/4+ε}) for every positive ε, which results from the complexity of the BSGS algorithm applied to this case, to O(log^8 q) [142]. Schoof's algorithm, described in this section, forms the basis of all current efficient schemes for point counting.

By Hasse's Theorem, #E(F_q) = q + 1 − t where |t| ≤ 2√q. The heart of Schoof's algorithm is the determination of t modulo primes ℓ for ℓ ≤ ℓ_max, where ℓ_max is the smallest prime such that

$$\prod_{\substack{\ell \text{ prime} \\ 2 \le \ell \le \ell_{\max}}} \ell \;>\; 4\sqrt{q}.$$

It then follows from the Chinese Remainder Theorem (CRT) that the value of t can be recovered uniquely and the group order obtained. From the
Prime Number Theorem it readily follows that the number of primes needed is O(log q / log log q) and that the size of ℓ_max is O(log q).

A brief overview of the basic Schoof algorithm is first given, followed by a more detailed discussion on the actual computations. Notice that one can easily determine t (mod ℓ) for ℓ = 2, for either of the two types of field considered. For the case of odd characteristic, we have t ≡ #E(F_q) (mod 2), and we saw in Section III.3.1 that #E(F_q) ≡ 1 (mod 2) if and only if X^3 + aX + b is irreducible over F_q. The latter condition is equivalent to gcd(X^q − X, X^3 + aX + b) = 1. For characteristic two, since the curve is non-supersingular, we have t ≡ 1 (mod 2). We now consider primes ℓ > 2.

Recall from Chapter III that the Frobenius endomorphism φ of the curve is the map given by

$$\varphi : E(\overline{\mathbb{F}}_q) \to E(\overline{\mathbb{F}}_q), \qquad (x, y) \mapsto (x^q, y^q), \quad O \mapsto O,$$

and for any P ∈ E(F̄_q) it satisfies the equation

$$\varphi^2(P) - [t]\varphi(P) + [q]P = O. \qquad \text{(VII.1)}$$

We consider this equation for points in E[ℓ]* = E[ℓ] \ {O}. Let q_ℓ ≡ q (mod ℓ) and t_ℓ ≡ t (mod ℓ), where the least non-negative representative of the congruence class is taken as q_ℓ and t_ℓ. If a value of τ ∈ {0, 1, ..., ℓ − 1} is found such that for a point P = (x, y) ∈ E[ℓ]* we have

$$\varphi^2(P) + [q_\ell]P = [\tau]\varphi(P), \qquad \text{(VII.2)}$$

then we must have τ = t_ℓ, i.e., t mod ℓ is obtained. The addition in the formula denotes point addition on the curve. The value of τ satisfying Equation (VII.2) is unique since ℓ is prime and P ≠ O.

To determine t_ℓ, all values of τ ∈ {0, 1, ..., ℓ − 1} are tried in turn. First, the x-coordinates of both sides of Equation (VII.2) are computed. Assume for the time being that no point P ∈ E[ℓ]* satisfies φ²(P) = ±[q_ℓ]P; the remaining case is discussed at the end of this section. The x-coordinates of the point multiples [q_ℓ](x, y) and [τ](x^q, y^q), for the given prime ℓ and the value τ being tested, are rational functions involving x and y, and are computed symbolically using the division polynomials (see Section III.4). The point addition formulae are used to compute the x-coordinate of (x^{q²}, y^{q²}) + [q_ℓ](x, y). By clearing denominators and, if necessary, reducing modulo the curve equation to eliminate powers of y higher than one, an equation of the form a(x) − y b(x) = 0, or y = a(x)/b(x), results. This, in turn, can be substituted into the curve equation (either y² = x³ + ax + b or y² + xy = x³ + a_6) to eliminate y and give an equation of the form h_x(x) = 0. A crucial observation in determining the complexity of the procedure is that, since the postulated point P satisfying Equation (VII.2) is in E[ℓ]*, all polynomial computations can be carried out modulo the division polynomial f_ℓ, which is of degree O(ℓ²). In particular, the polynomials x^{q²}, y^{q²}, x^q, y^q are reduced, using f_ℓ and the curve equation, from degree exponential in log q to degree polynomial in this parameter. The degree of h_x(x) is therefore O(ℓ²).

To check if h_x(x) = 0 has a solution for the x-coordinate of a point in E[ℓ]*, the greatest common divisor of h_x and f_ℓ is computed. If the GCD is one, then there is no solution in E[ℓ]* which satisfies Equation (VII.2), and the next value of τ is tried. If the GCD is non-trivial, then there exists a point in E[ℓ]* such that

$$\varphi^2(P) + [q_\ell]P = \pm[\tau]\varphi(P). \qquad \text{(VII.3)}$$

The sign of the point on the right-hand side of the equation is ambiguous since the x-coordinates are the same for either sign. To determine the sign, assume it to be plus in Equation (VII.3). The y-coordinates of both sides of the equation are computed and, as with the x-coordinates, the denominators cleared and the y variable eliminated to give an equation of the form h_y(x) = 0, with h_y reduced to degree O(ℓ²). Again, if gcd(h_y, f_ℓ) ≠ 1, there is a point satisfying the equation for τ, and the correct sign is plus; it is minus otherwise. Notice that for a given τ, the procedure actually tests ±τ and it is only necessary to have τ run through 0 ≤ τ ≤ (ℓ − 1)/2 (the case τ = 0 will require special treatment, which is discussed below). Generally the points of E[ℓ] have coordinates in an extension field of F_q. Actual computation of these points, which would in general be very difficult, is avoided by the GCD computations.

To examine the complexity of the algorithm, we note that the bulk of the computation is taken up with finding x^q, y^q, x^{q²}, y^{q²} (suitably reduced modulo the curve equation) modulo f_ℓ, a polynomial of degree O(ℓ²). In the case of x^q and x^{q²}, these are exponentiation operations in the ring F_q[x]/(f_ℓ(x)), requiring O(log q) multiplications in the ring. The modulus is of degree O(ℓ²) = O(log² q). Hence, assuming no fast multiplication routines are used, each ring multiplication requires O(log⁴ q) multiplications of elements of F_q, each requiring in turn O(log² q) bit operations. The complexity of the y^q, y^{q²} computations is similar, involving also reductions modulo the curve equation that do not affect the asymptotics. Notice that x^q, y^q, x^{q²} and y^{q²} are computed once for each prime ℓ and used for all the values of τ tried for that prime. Therefore, the number of bit operations needed for obtaining the trace modulo a single prime ℓ is O(log⁷ q). Since the number of such primes is O(log q) (in fact, O(log q / log log q)), the overall complexity for determining the group order is O(log⁸ q) bit operations. If fast field arithmetic (as briefly mentioned in Chapter II) is used, then polynomial multiplication in F_q[x]/(f_ℓ(x)) takes O(log^{2+ε} q) field multiplications, while field multiplications take O(log^{1+ε} q) bit operations. The overall complexity, therefore, reduces to O(log^{5+ε} q) bit operations. These gains, however, are mostly theoretical, and hard to realize in practical implementations.
In practice, log q is usually not sufficiently large to benefit from the fastest asymptotic improvements, yet it is large enough to make the naive implementation unacceptably slow. Intermediate solutions, as discussed in Chapter II, can be used (e.g., Karatsuba multiplication), but they will generally not suffice for the parameter ranges of practical interest. Better solutions will be sought, mainly aimed at finding a substitute for f_ℓ, of degree linear rather than quadratic in ℓ. These better solutions, in turn, could also benefit from fast arithmetic if the parameters of the problem so justified it. The basic Schoof algorithm is summarized below.

ALGORITHM VII.1: Basic Schoof Algorithm
INPUT: An elliptic curve E over a finite field F_q.
OUTPUT: The order of E(F_q).
1. M ← 2, ℓ ← 3 and S ← {(t (mod 2), 2)}.
2. While M < 4√q do:
3.    For τ = 0, ..., (ℓ − 1)/2 do:
4.       Using the formulae above check whether, for P ∈ E[ℓ],
            φ²(P) + [q]P = ±[τ]φ(P).
         Exactly one such τ will pass this test.
5.    S ← S ∪ {(τ, ℓ)} or S ← S ∪ {(−τ, ℓ)}, as appropriate.
6.    M ← M × ℓ.
7.    ℓ ← nextprime(ℓ).
8. Recover t using the set S and the CRT.
9. Return q + 1 − t.

In the above algorithm nextprime(ℓ) is a function which returns the smallest prime number larger than ℓ.
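The following added example (my code, not the book's) implements the two parts of Algorithm VII.1 that need no division polynomials: the ℓ = 2 test via gcd(X^p − X, X^3 + aX + b) from the start of this section, and the CRT recovery of t under the Hasse bound (Steps 1, 2, 8 and 9). For the odd primes the residues t mod ℓ are taken from a brute-force count as a labelled stand-in for Steps 3 to 7; the curve y² = x³ + 2x + 3 over F_101 and all function names are my choices.

```python
"""Two steps of Algorithm VII.1 that need no division polynomials, as an
added example (not the book's code): t mod 2 from gcd(X^p - X, X^3 + aX + b),
and recovery of t from its residues modulo the primes 2, 3, 5, ... whose
product exceeds 4*sqrt(q), by the CRT and the Hasse bound |t| <= 2*sqrt(q).
Curves are y^2 = x^3 + a*x + b over F_p, p an odd prime (4a^3 + 27b^2 != 0).
"""


def _poly_mulmod(u, v, a, b, p):
    """Product of u, v (coefficient lists, low degree first, each of degree
    < 3) reduced modulo the cubic X^3 + a X + b over F_p."""
    prod = [0] * 5
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % p
    for k in (4, 3):                         # X^k = X^(k-3) * (-a X - b)
        c, prod[k] = prod[k], 0
        prod[k - 2] = (prod[k - 2] - c * a) % p
        prod[k - 3] = (prod[k - 3] - c * b) % p
    return prod[:3]


def _x_pow_mod(e, a, b, p):
    """X^e in F_p[X]/(X^3 + aX + b) by square and multiply."""
    result, base = [1, 0, 0], [0, 1, 0]
    while e:
        if e & 1:
            result = _poly_mulmod(result, base, a, b, p)
        base = _poly_mulmod(base, base, a, b, p)
        e >>= 1
    return result


def _gcd_degree(f, g, p):
    """Degree of gcd(f, g) over F_p (Euclid on coefficient lists)."""
    def trim(h):
        while h and h[-1] == 0:
            h.pop()
        return h
    f, g = trim([c % p for c in f]), trim([c % p for c in g])
    while g:
        inv = pow(g[-1], -1, p)
        while len(f) >= len(g):              # f <- f mod g
            coef, shift = f[-1] * inv % p, len(f) - len(g)
            for i, gi in enumerate(g):
                f[i + shift] = (f[i + shift] - coef * gi) % p
            trim(f)
        f, g = g, f
    return len(f) - 1


def trace_mod_2(a, b, p):
    """t mod 2: t is odd iff X^3 + aX + b is irreducible over F_p, i.e. iff
    gcd(X^p - X, X^3 + aX + b) = 1 (the curve has no point of order two)."""
    h = _x_pow_mod(p, a, b, p)
    h[1] = (h[1] - 1) % p                    # X^p - X, already reduced
    return 1 if _gcd_degree([b, a, 0, 1], h, p) == 0 else 0


def schoof_primes(q):
    """Primes 2, 3, ... up to l_max, the first prime making the product
    exceed 4*sqrt(q) (tested exactly as product^2 > 16 q)."""
    primes, product, n = [], 1, 2
    while product * product <= 16 * q:
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            primes.append(n)
            product *= n
        n += 1
    return primes


def recover_trace(residues, q):
    """Combine (ell, t mod ell) pairs by the CRT and return the unique
    representative with |t| <= 2*sqrt(q); None if no residue class fits."""
    t, M = 0, 1
    for ell, r in residues:
        k = (r - t) * pow(M, -1, ell) % ell  # lift so that t = r (mod ell)
        t, M = t + M * k, M * ell
    if t > M // 2:
        t -= M                               # symmetric representative
    return t if t * t <= 4 * q else None


def brute_force_trace(a, b, p):
    """t = p + 1 - #E(F_p) by enumerating x (reference for the example)."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    affine = sum(squares.get((x * x * x + a * x + b) % p, 0) for x in range(p))
    return p + 1 - (affine + 1)


def schoof_skeleton(a, b, p):
    """#E(F_p) via the structure of Algorithm VII.1.  Only t mod 2 is computed
    here as in the text; for the odd primes the residue is taken from the
    brute-force trace as a stand-in for Steps 3-7 (constructed input)."""
    t_true = brute_force_trace(a, b, p)
    residues = [(2, trace_mod_2(a, b, p))]
    residues += [(ell, t_true % ell) for ell in schoof_primes(p) if ell > 2]
    return p + 1 - recover_trace(residues, p)


if __name__ == "__main__":
    print(schoof_primes(101))                # [2, 3, 5, 7]: 210 > 4*sqrt(101)
    print(schoof_skeleton(2, 3, 101))        # #E for y^2 = x^3 + 2x + 3 / F_101
```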
The computations discussed above are now considered in slightly greater detail to illustrate the technique further. For the discussion, we focus on the case of characteristic two, as the formulae for division polynomials f_m(x) and point multiples based on them can be used without having to consider various parity cases. We show the computations for the x-coordinate only, the ones for y being similar. Assume first that for no point P ∈ E[ℓ]* is it true that φ²(P) = ±[q_ℓ]P. We search for a τ ∈ F_ℓ such that¹

$$\varphi^2(P) + [q_\ell]P = \pm[\tau]\varphi(P), \qquad 1 \le \tau \le (\ell - 1)/2, \quad q = 2^n.$$

The x-coordinates of the two sides of the equation can be computed using the point addition formulae from Section III.3.2, and the point multiplication formulae from Section III.4 for the characteristic two case. The x-coordinates are, respectively,

$$\bigl(\varphi^2(P) + [q_\ell]P\bigr)_x = x^{q^2} + x + \frac{f_{q_\ell - 1}\, f_{q_\ell + 1}}{f_{q_\ell}^2} + A^2 + A,$$

where

$$A = \frac{(y^{q^2} + y + x)\, x f_{q_\ell}^3 + f_{q_\ell - 2}\, f_{q_\ell + 1}^2 + (x^2 + x + y)\, f_{q_\ell - 1}\, f_{q_\ell}\, f_{q_\ell + 1}}{x f_{q_\ell}^3 (x + x^{q^2}) + x f_{q_\ell - 1}\, f_{q_\ell}\, f_{q_\ell + 1}},$$

and

$$\bigl([\tau]\varphi(P)\bigr)_x = x^q + \frac{f_{\tau - 1}(x^q)\, f_{\tau + 1}(x^q)}{f_\tau(x^q)^2},$$

the subscript x on the bracket indicates the x-coordinate, and x is the assumed argument of the various division polynomials f_m. Notice that since the latter have coefficients in F_q, we have f_m(x^q) = f_m(x)^q. The case of q_ℓ = 1 might be handled separately, since the above expression involves f_{q_ℓ − 2}, which has not been defined for q_ℓ = 1. The case involves the addition of the points (x^{q²}, y^{q²}) and (x, y), which is straightforward. The powers of y in the equation are reduced modulo the curve equation y² + xy + x³ + a_6 = 0 to yield polynomials of degree at most one in y. Both sides of the expressions are multiplied by the LCM of the denominators to give a relationship of the form a(x) + y b(x) = 0, where, in forming the polynomials a(x) and b(x), polynomial computations are carried out modulo f_ℓ(x). In fact, the reductions modulo f_ℓ and the curve equation must occur in an interleaved fashion, as we do not wish to manipulate polynomials of degree exponential in log q. The relation y = a(x)/b(x) is substituted into the curve equation to give

$$h_x(x) = a^2(x) + x\, a(x)\, b(x) + b^2(x)\, x^3 + b^2(x)\, a_6 = 0.$$

If gcd(h_x, f_ℓ) ≠ 1 then a point P ∈ E*[ℓ] exists whose x-coordinate satisfies Equation (VII.1). In this case the y-coordinates of the two sides are checked in a similar manner to determine the correct sign.

We comment briefly on the case where there is a point P ∈ E*[ℓ] such that φ²(P) = ±[q_ℓ]P. This case, which was excluded in the discussion above, arises if

$$\gcd\bigl((x^{q^2} + x)\, f_{q_\ell}^2 + f_{q_\ell - 1}\, f_{q_\ell + 1},\; f_\ell\bigr) \ne 1.$$

Clearly t ≡ 0 (mod ℓ) if and only if φ²(P) = −[q_ℓ]P. This condition can be tested by checking the y-coordinate, as before. If the condition is not verified, then φ²(P) = +[q_ℓ]P for some point P, and, by the characteristic equation (VII.2), we have

$$[2q_\ell]P = \pm[\tau]\varphi(P).$$

¹ Here, and later, we will slightly abuse notation and write [τ]Q for τ ∈ F_ℓ and a point Q. Since the multiplication-by-τ map was formally defined for τ ∈ Z, what is meant is [τ']Q for any integer τ' in the congruence class modulo ℓ naturally associated with τ. This will always be applied to points Q ∈ E[ℓ], so there is no ambiguity.
Applying the Frobenius map to both sides of the equation, and again the equality satisfied by P, it follows that τ² ≡ 4q (mod ℓ) and, thus, that q has a square root modulo ℓ, say w ∈ F_ℓ. Thus φ(P) = ±[w]P and the cases are distinguished as before. Assume φ(P) = [w_0]P, with w_0 ∈ {+w, −w}. Then, we have t_ℓ ≡ 2w_0 (mod ℓ). Notice that in this case, the Frobenius map is said to have an eigenvalue w_0 ∈ F_ℓ, which we encountered while handling a rather special case. The existence of such eigenvalues of the Frobenius map, in more general cases, forms the basis of the Elkies improvement of the basic Schoof algorithm. Such eigenvalues will exist when t² − 4q is a square in F_ℓ and they lead to the existence of a factor of degree (ℓ − 1)/2 of the division polynomial f_ℓ. Reducing the equations of this section modulo this polynomial, rather than the division polynomial, will lead to very significant computational savings.
VII.2. Beyond Schoof

To improve the computational efficiency of the basic Schoof algorithm, several useful techniques have evolved, owing in large part to Atkin and Elkies. Many of the crucial observations of these two foremost researchers have only recently appeared in non-electronic form.² Descriptions of their important contributions are now available in [142] and [40], and in two key doctoral theses [110] and [81]. The evolution of these techniques has proved remarkably successful, culminating in the determination of the order of the group of rational points on a randomly chosen curve, in the case of a prime field of some five hundred decimal digits ([108], [83]) and in the case of a field of characteristic two for F_{2^1301} by Lercier ([81], [84]) and F_{2^1663} (as reported in a recent electronic communication).

The techniques of Atkin and Elkies depend on whether the roots of the characteristic equation of the Frobenius map,

$$F_\ell(u) = u^2 - t_\ell u + q_\ell = 0,$$

taken modulo a prime ℓ, lie in F_ℓ or not, i.e., whether the discriminant Δ_t = t² − 4q is a square modulo ℓ or not. In the case that it is, the prime ℓ is said to be an Elkies prime and in the case that it is not, an Atkin prime. Of course, since the trace t is unknown (it is what we are trying to determine) one has to resort to other techniques to determine which case is in effect for a given prime ℓ. It will turn out that the modular polynomials may be used for this determination. While these polynomials are defined over the complex numbers, C, as noted in Chapter III, they have integer coefficients and hence can be interpreted over any field. As will be noted in Proposition VII.2 below, the splitting type of the ℓth modular polynomial Φ_ℓ(x, y) over the ground field F_q, with the j-invariant of the curve substituted for one of the variables, determines whether Δ_t is a square in F_ℓ or not, and thus whether a given ℓ is an Elkies or Atkin prime. While the computation of the modular polynomials is a challenging task, this is a convenient test to decide, for a given curve and prime ℓ, which of the two possibilities is in effect. In the following subsections, we outline the Elkies and Atkin approaches, and how they determine information on t modulo ℓ. We will provide more detail later on, after covering some additional mathematical background.

² As Birch [11] comments, Atkin's way is 'to make his work known by bush telegraph, via e-mail, or as quoted by others.'

VII.2.1. Elkies primes. We assume ℓ is an odd prime and ℓ is not the characteristic p of the field. When ℓ is an Elkies prime, the discriminant Δ_t is a square in F_ℓ, and the characteristic polynomial F_ℓ of φ has two roots, say λ and µ, in F_ℓ, which are eigenvalues of the Frobenius map modulo ℓ. The determination of whether Δ_t is a square in F_ℓ or not can be deduced from the splitting type of the ℓth modular polynomial, in a manner to be considered in the next section. Assume for convenience that λ ≠ µ. The case λ = µ = ±2√q ∈ F_ℓ was discussed briefly at the end of Section VII.1. It corresponds to t² ≡ 4q (mod ℓ), and we will further elaborate on it later. The set of ℓ-torsion points, E[ℓ], has two of its ℓ + 1 cyclic subgroups, say C_1 and C_2, that are stable under the Frobenius endomorphism, i.e., φ(P_1) = λP_1 for all P_1 ∈ C_1 and φ(P_2) = µP_2 for all P_2 ∈ C_2. The characteristic polynomial factors over F_ℓ as

$$F_\ell(u) = u^2 - tu + q = (u - \lambda)(u - \mu).$$

The aim in this case is to determine one of the roots, say λ, since then

$$t \equiv \lambda + q/\lambda \pmod{\ell}. \qquad \text{(VII.4)}$$

To find such an eigenvalue we could test for a point P = (x, y) and a value λ ∈ {1, 2, ..., ℓ − 1} such that

$$(x^q, y^q) = [\lambda](x, y).$$

Notice that in this case, computation of x^{q²} and y^{q²} is not required. However, the computation of x^q is of the same asymptotic complexity, and still as onerous a task (computing x^{q²} (mod f_ℓ) is only about twice as complex as computing x^q (mod f_ℓ)). In the case of an Elkies prime, it will be shown how information derived from the modular polynomials will lead to the determination of a factor of degree (ℓ − 1)/2 of the division polynomial f_ℓ, which can be used for the reductions needed in testing a potential eigenvalue λ. An outline of the method is given here with the details to follow in succeeding sections.

To construct such a polynomial, a curve isogenous to E, say E_1, is sought such that the isogeny is of degree ℓ, i.e., the kernel of the isogeny is of cardinality ℓ. The kernel of the isogeny, say C (one of the subgroups C_1 or C_2 above), is stable under the action of the Frobenius map and hence the polynomial

$$F_\ell(x) = \prod_{\pm P_i \in C \setminus \{O\}} \bigl(x - (P_i)_x\bigr) \qquad \text{(VII.5)}$$

is defined over the field of definition of the curve, where the product includes only one of each pair ±P_i, since both points have the same x-coordinate. The degree of F_ℓ(x) is (ℓ − 1)/2. If the original curve has j-invariant j, then the isogenous curves have j-invariants that are zeros of the ℓth modular polynomial Φ_ℓ(x, j). For the case of an Elkies prime, one of the two j-invariants (zeros of the modular polynomial) that are in the ground field F_q is chosen. Determining the isogenous curve and the polynomial F_ℓ(x) will be the major task of much of the remainder of the chapter. Once F_ℓ(x) is determined, it can be used to efficiently compute for which λ it is true that

$$(x^q, y^q) = [\lambda](x, y), \qquad (x, y) \in C.$$

This procedure is similar to the main computation in the original Schoof algorithm, but with polynomial operations modulo F_ℓ(x) instead of f_ℓ(x). Given λ, the value of t (mod ℓ) is then uniquely determined by Equation (VII.4).

VII.2.2. Atkin primes. As noted, ℓ is an Atkin prime when t² − 4q is not a square modulo the prime ℓ, which, as for the case of Elkies primes, will be determined from information on the splitting type of the modular polynomial Φ_ℓ(x, j). It will be noted in the next section that this information also determines a subset of possible values of the trace modulo ℓ. This subset is of size φ_Eul(r), where φ_Eul denotes the Euler totient function and r ≤ ℓ + 1 is an integer to be discussed later. This subset is contrasted to the exact value of t (mod ℓ) obtained in the case of an Elkies prime. A BSGS/CRT procedure is then applied to merge the information found from both types of primes to determine the exact value of t, as discussed in Section VII.9.

VII.2.3. Outline of the SEA algorithm. The improvements of Elkies and Atkin to the basic Schoof algorithm are generally referred to as the Schoof-Elkies-Atkin (SEA) algorithm. The algorithm is outlined here, and treated in greater detail in the following sections.

ALGORITHM VII.2: Schoof-Elkies-Atkin (SEA) Algorithm
INPUT: An elliptic curve E over a finite field F_q.
OUTPUT: The order of E(F_q).
1. M ← 1, ℓ ← 2, A ← {} and E ← {}.
2. While M < 4√q do:
3.    Decide whether ℓ is an Atkin or Elkies prime, by finding the splitting type of the modular polynomial.
4.    If ℓ is an Elkies prime then do:
5.       Determine the polynomial F_ℓ(x) above.
6.       Find an eigenvalue, λ, modulo ℓ.
7.       t ← λ + q/λ (mod ℓ).
8.       E ← E ∪ {(t, ℓ)}.
9.    Else do:
10.      Determine a (small) set T such that t (mod ℓ) ∈ T.
11.      A ← A ∪ {(T, ℓ)}.
12.   M ← M × ℓ.
13.   ℓ ← nextprime(ℓ).
14. Recover t using the sets A and E, the CRT and BSGS.
15. Return q + 1 − t.

Although we are yet to discuss how some of the crucial steps of this algorithm are actually performed, we can comment on the asymptotic computational advantage of some of the outlined improvements. Most notable are the gains in the processing of Elkies primes. Here, the bottleneck is the computation of x^q and y^q modulo the polynomial F_ℓ(x) and the curve equation. With an analysis similar to that of the Schoof algorithm, we can bound the computational complexity of such computations at O(ℓ⁵) bit operations if naive arithmetic is implemented, or O(ℓ^{3+ε}) using fast arithmetic (compare with O(ℓ⁷) and O(ℓ^{4+ε}), respectively, for the Schoof algorithm). To take advantage of this speed up, the complexity of obtaining F_ℓ(x) must not exceed the complexity of using it. Thus, the complexity of constructing F_ℓ(x) should not exceed O(ℓ³) operations in F_q when naive arithmetic is used, or O(ℓ^{2+ε}) in the case of fast arithmetic. In particular, the straightforward approach of attempting to factor f_ℓ(x) to obtain F_ℓ(x) does not seem to work, as one of the first steps in such a factorization would involve a computation of the type x^q (mod f_ℓ(x)), precisely what we are trying to avoid.

Since the number of Elkies primes processed will be O(log q), the overall complexity of the Elkies portion of the algorithm is O(log⁶ q) for naive arithmetic, or O(log^{4+ε} q) for fast arithmetic.

Turning to the Atkin portion of the algorithm, it will transpire that this portion is actually of exponential asymptotic complexity. As will be discussed in Section VII.8, the complexity-theory way out of this unpleasant predicament is to deal only with Elkies primes, processing enough of them to build up a modulus from which the trace can be determined. Thus, the asymptotic analysis for the Elkies portion above would apply to the whole algorithm. In practice, however, it will turn out that the Atkin approach has several advantages, and a subset of the Atkin primes can be used to advantage for the field sizes of interest in cryptographic applications. The subset is carefully chosen to balance the overall complexity, meaning that some Atkin primes (eventually a majority, as q increases) will not be processed in Steps 10-11, and their contribution not counted in Step 12.
In the next sections, we provide more details on the main steps of the SEA algorithm. In particular, we elaborate on Steps 3, 5, 6, 10 and 14. In Section VII.3 modular polynomials and their splitting types are discussed, providing a method to implement Step 3. Techniques for determining the polynomials F_ℓ, which will occupy most of the effort, will be treated in Sections VII.4 (odd characteristic) and VII.5 (characteristic two), respectively. The discussion on odd characteristic in Section VII.4 will focus on fields of large prime order p, a departure from the more general case q = p^n, but one that is most relevant in practice. After describing the computation of the polynomial F_ℓ, we return to the Elkies procedure (how the polynomial is used in Step 6) in Section VII.7, and to the details of the Atkin procedure (Step 10) in Section VII.8. In Section VII.9 we show how information from Elkies and Atkin primes is combined (Step 14). Finally, in Section VII.10 some examples are presented, and in Section VII.11 other recent algorithms are briefly discussed.

VII.3. More on the Modular Polynomials

The modular polynomials Φ_ℓ(x, y), for elliptic curves defined over C, were introduced in Section III.8. The properties of these polynomials play a central role in the point counting algorithms. The polynomials have integer coefficients, are symmetric and thus can be interpreted over any field. In this and succeeding sections, we will need to consider the polynomial Φ_ℓ(x, j) and its factorizations over a ground field F_q, where j ∈ F_q is the j-invariant of a given curve. The following proposition is of interest:

PROPOSITION VII.1 (see [142]). Let E be a non-supersingular elliptic curve over F_q, with j-invariant j ≠ 0, 1728. Then
(i) the polynomial Φ_ℓ(x, j) has a zero j̃ ∈ F_{q^r} if and only if the kernel C of the corresponding isogeny E → E/C is a one dimensional eigenspace of φ^r in E[ℓ], where φ is the Frobenius endomorphism of E (here, j(E/C) = j̃);
(ii) the polynomial Φ_ℓ(x, j) splits completely in F_{q^r}[x] if and only if φ^r acts as a scalar matrix on E[ℓ].

The following proposition, from Schoof [142] and Lercier [81], is critical to both the Atkin and Elkies improvements of the basic Schoof algorithm. The proposition is attributed by both [142] and [81] to unpublished electronic communications by Atkin. Recall from Section III.8 that Φ_ℓ(x, j) is of degree ℓ + 1 in x.
PROPOSITION VII.2 ([142], [81]). Let E be a non-supersingular elliptic curve over F_q with j-invariant j ≠ 0, 1728. Let Φ_ℓ(x, j) = h_1 h_2 ··· h_s be the factorization of Φ_ℓ(x, j) ∈ F_q[x] as a product of irreducible polynomials. Then there are the following possibilities for the degrees of h_1, h_2, ..., h_s:
(i) either 1 and ℓ (in which case we set r = ℓ) or 1, 1, ..., 1 (in which case we set r = 1); in either situation ℓ divides the discriminant, i.e., t² − 4q ≡ 0 (mod ℓ);
(ii) 1, 1, r, r, ..., r; in this case t² − 4q is a square mod ℓ, r divides ℓ − 1 and φ acts on E[ℓ] as a matrix

$$\begin{pmatrix} \lambda & 0 \\ 0 & \mu \end{pmatrix}, \qquad \lambda, \mu \in \mathbb{F}_\ell;$$

(iii) r, r, ..., r for some r > 1; in this case t² − 4q is not a square modulo ℓ, r divides ℓ + 1 and φ acts on E[ℓ] as a 2 × 2 matrix whose characteristic polynomial is F_ℓ, which is irreducible over F_ℓ.

In all three cases r is the order of φ in PGL_2(F_ℓ) and the trace t of φ satisfies the equation

$$t^2 = q\,(\zeta + 2 + \zeta^{-1}) \qquad \text{(VII.6)}$$

over F_ℓ, for some primitive rth root of unity ζ ∈ F_{ℓ²}.

First, we note that the proposition provides a way to classify ℓ as an Elkies or Atkin prime, through the factorization of Φ_ℓ(x, j). Cases (i) and (ii) of this proposition correspond to the prime ℓ being an Elkies prime, with Case (i) corresponding to the case of F_ℓ having a double root. Case (iii) of the proposition corresponds to an Atkin prime.

The proof of Equation (VII.6) is straightforward. Since r is the order of φ in PGL_2(F_ℓ), r is the smallest integer such that λ^r = µ^r, i.e., the smallest integer such that φ^r is represented by a scalar multiple of the identity matrix. Since λµ = q, we have λ^{2r} = q^r and hence λ² = ζq for a primitive rth root of unity ζ in some extension field of F_ℓ. Thus t² = (λ + q/λ)² = q(ζ + 2 + ζ^{-1}). In Case (i) of the proposition, take ζ = 1.

Equation (VII.6) is of particular importance for the Atkin algorithm, since it will limit the number of possible values that the trace can have, for the given prime. This number is φ_Eul(r), the number of primitive rth roots of unity. Since the proposition states that r divides ℓ + 1 in this case, all these roots are in F_{ℓ²}. Each pair ζ, ζ^{-1} determines one value of t², or two values of t when t_ℓ = t (mod ℓ) ≠ 0, for a total of φ_Eul(r) possible values of t_ℓ. For example, we get t_ℓ = 0 when ζ = −1, which can occur only when r = 2. In this case, φ_Eul(r) = 1, consistent with the single possible value t = 0. In another example, when r = 4 we must have ζ + ζ^{-1} = 0. Then, t_ℓ² ≡ 2q (mod ℓ), allowing only two possible values for t_ℓ.
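As an added example (my code, not the book's), the following enumerates the candidate set of Step 10 from Equation (VII.6) for given q, ℓ and r, and reproduces the r = 2 and r = 4 cases above; the ring F_ℓ[x]/(x² − sx + 1) used to find s = ζ + ζ^{-1} without building F_{ℓ²} explicitly is a device of this example, and the function names are my choices.

```python
"""Candidate traces modulo a prime ell from Equation (VII.6), as an added
example (not code from the book).  Given q, an odd prime ell and the order
r of the Frobenius in PGL_2(F_ell) (read off the splitting type of the
modular polynomial, Proposition VII.2), return every t_ell in F_ell with
    t_ell^2 = q * (zeta + 2 + zeta^{-1})   (mod ell)
for some primitive r-th root of unity zeta in F_{ell^2}.  Instead of building
F_{ell^2}, s = zeta + zeta^{-1} is found by noting that for r >= 3 the class
of x in F_ell[x]/(x^2 - s x + 1) has order exactly r iff its two roots
zeta, zeta^{-1} are primitive r-th roots of unity (a device of this example).
"""
from math import gcd


def _prime_factors(n):
    """Distinct prime factors of n (trial division; n is small here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def _mul(u, v, s, ell):
    """Multiply u0 + u1*x and v0 + v1*x in F_ell[x]/(x^2 - s*x + 1)."""
    c0, c1, c2 = u[0] * v[0], u[0] * v[1] + u[1] * v[0], u[1] * v[1]
    return ((c0 - c2) % ell, (c1 + s * c2) % ell)   # x^2 = s*x - 1


def _pow(base, e, s, ell):
    """base^e in F_ell[x]/(x^2 - s*x + 1) by square and multiply."""
    res = (1, 0)
    while e:
        if e & 1:
            res = _mul(res, base, s, ell)
        base = _mul(base, base, s, ell)
        e >>= 1
    return res


def zeta_plus_inverse(r, ell):
    """All s = zeta + zeta^{-1} in F_ell for zeta of exact order r."""
    if r == 1:
        return [2 % ell]            # zeta = 1
    if r == 2:
        return [(-2) % ell]         # zeta = -1
    x, one = (0, 1), (1, 0)
    return [s for s in range(ell)
            if _pow(x, r, s, ell) == one
            and all(_pow(x, r // p, s, ell) != one for p in _prime_factors(r))]


def euler_phi(r):
    """Euler's totient: number of primitive r-th roots of unity."""
    return sum(1 for k in range(1, r + 1) if gcd(k, r) == 1)


def trace_candidates(q, ell, r):
    """Sorted list of the possible values of t mod ell (Step 10 of Algorithm
    VII.2); at most euler_phi(r) of them.  r must divide ell-1 or ell+1."""
    if (ell - 1) % r and (ell + 1) % r:
        raise ValueError("r must divide ell - 1 or ell + 1")
    roots = {}                                   # square -> its square roots
    for t in range(ell):
        roots.setdefault(t * t % ell, []).append(t)
    cands = set()
    for s in zeta_plus_inverse(r, ell):
        cands.update(roots.get(q * (s + 2) % ell, []))
    return sorted(cands)


if __name__ == "__main__":
    # the r = 4 example from the text: t^2 = 2q (mod ell), two candidates
    print(trace_candidates(11, 7, 4))   # [1, 6]
    # r = 8 divides ell + 1 = 8 (Atkin case): phi(8) = 4 candidates
    print(trace_candidates(3, 7, 8))    # [1, 2, 5, 6]
```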
VII. Notice
2 . thatalsoProposition
Notice that Step VII.
3 does 2 gives
not both Steps
require the 3 and 10 ofofAlgorithm
factorization the mod­
ular polynomial. It is sufficient to note that the degree of
gcd (xq - x, <1>£ (x,j))
isand0, degree
1, 2 or £+ 1, where degrees 1, 2 and £+ 1 correspond to an Elkies prime
0 to an Atkin prime.
It is further
irreducible shown
factors, by Schoof [142] that the parity of the number of
s, of <!>£ when q is a large prime p is easily obtained from
the Legendre symbol:
(-1)8 = (�) .
The modular polynomial <1> £ ( x , y) over C has integer coefficients, as noted
in Section 111.8. We recall that, over C, the roots of <1>£ (x,j(T)) are given by
j ( 7 ; b ) for 0 b < £, and j(RT).
:::=; (Vll.7)
These roots correspond to the £ + 1 matrices in the set
S£ = { ( � � ) : a, b, d E Z � o , ad = £, 0 b < d } . '.S

If<1>£j(T) is theisj-invariant of anofelliptic E over C, then each such root of


curveisogenous
(x,j(T)) the j-invariant a curve to E under an isogeny of
degreeIt turns£. out that a similar result holds for curves over finite fields. In this
case,
modulo thethemodular polynomials
characteristic of the arefield.interpreted
The by reducing
following theoremtheirgivescoefficients
the one­
to-one correspondence
j-invariants of isogenous between
curves, roots
and of the modular
subgroups of the polynomials,
£-torsion possible
points, over
a finite field IFq .
T HEOREM VII. 3 (see [74], [110]). Let E be an elliptic curve over IFq , £ a
prime different from the field characteristic, and Ci , 1 i £ + 1, the sub­ :::; :::;
groups of exact order £ of E(Fq)· Let <1>£ (x , y) be the £th modular polynomial,
taken overIFq . Then, all the roots of<I>£ (x,j(E)) are given by the j-invariants
of E/Ci , 1 i £+ 1 .
:S :S

cients The difficulty of working


can becomeweextremely with these
large,coefficients modular
has beenreduced polynomials,
noted inmodulo whose coeffi­
Sectionthe111.8.characteristic
Although
the polynomials require have
IFq , they are often computed, initially, over Z. In several places in the liter­
ofature,
splitting more manageable alternatives to these polynomials,
properties preserved, have been suggested (see, for instance, [108], with the essential
[40] and [110]). However, even the modified modular polynomials require
great care to compute. One set of alternatives which we have looked at in
VII.3. MORE ON THE MODULAR POLYNOMIALS 121

Sectionthe111.same 8 is splitting
the polynomials G.e,(x, y) , due to Muller. These polynomials
have type over IFq as <I>.e,(x, y) (see Theorem 111.17), and
can
squareThe be inusedIF.e, inor lieu
not. of the modular polynomials to determine whether �t is a
The splitting type of a modular polynomial and the factorization of the characteristic polynomial of the Frobenius map in $\mathbb{F}_\ell$ are related to the information in Proposition VII.2. When it is determined that $\ell$ is an Elkies prime, this information will also bear on the factorization of the division polynomials $f_\ell$, as will be shown below in the next two sections. These factorizations, in turn, are related to the action of powers of the Frobenius endomorphism on the subgroups of the $\ell$-torsion points of $E$. A few comments on these matters are given here. They duplicate some of the material already given, but the interpretation of the results in the different setting is a worthwhile diversion. Much of the discussion is from [81].

Suppose the field of definition of the curve has characteristic $p$. Recall from Lemma III.8 that if $\gcd(\ell, p) = 1$ then the structure of the group of $\ell$-torsion points is
$$E[\ell] \cong (\mathbb{Z}/\ell\mathbb{Z}) \times (\mathbb{Z}/\ell\mathbb{Z}).$$

The group $E[\ell]$ is generated by two points, say $P_1$ and $P_2$, and $E[\ell]$ contains the $\ell+1$ subgroups $C_1 = \langle P_1\rangle$, $C_2 = \langle P_2\rangle$ and $C_i = \langle P_1 + (i-2)P_2\rangle$ for $i = 3, 4, \ldots, \ell+1$. The subgroups share the point at infinity $\mathcal{O}$ and their union is $E[\ell]$. Each such subgroup is the kernel of an isogeny of degree $\ell$, and the $j$-invariants of the isogenous curves are given by the roots of $\Phi_\ell$ as discussed previously, Theorem VII.3.
Consider the action of the Frobenius map, $\varphi$, on the subgroups of $E[\ell]$. As before let $\lambda$ and $\mu$ be the roots of the characteristic polynomial $\mathcal{F}_\ell(u) = u^2 - t_\ell u + q_\ell$ in $\mathbb{F}_\ell$. Let $e_1$ and $e_2$ be the orders of $\lambda$ and $\mu$, respectively. Three cases are distinguished from the above discussion, which we elaborate on. The cases correspond to those of Proposition VII.2:
(i) $\lambda = \mu \in \mathbb{F}_\ell$ (Case (i) of Proposition VII.2), i.e., the characteristic polynomial is $\mathcal{F}_\ell(u) = (u-\lambda)^2$. In this case $t \equiv \pm 2\sqrt{q} \pmod{\ell}$ and there exist a point $P_1$ and a subgroup $C_1$ such that $\varphi(P_1) = [\lambda]P_1$, $\varphi(C_1) = C_1$. Also, there exists a point $P_2$ not in $C_1$ such that $\varphi(P_2) = [\lambda]P_2 + [k]P_1$, for some $k \in \mathbb{F}_\ell$. There are two subcases:
(a) if $k \ne 0$ then $\varphi^{e_1}(P_2) \ne P_2$ and $C_i \not\subset E(\mathbb{F}_{q^{e_1}})$ and $\varphi^\ell(C_i) = C_i$, $i = 2, 3, \ldots, \ell+1$; this corresponds to the splitting type $1, \ell$;
(b) if $k = 0$ then $C_i \subset E(\mathbb{F}_{q^{e_1}})$ and $\varphi(C_i) = C_i$, $i = 2, 3, \ldots, \ell+1$; this corresponds to the splitting type $1, 1, \ldots, 1$.

(ii) $\lambda \ne \mu$, $\lambda, \mu \in \mathbb{F}_\ell$ (Case (ii) of Proposition VII.2, of splitting type $1, 1, r, \ldots, r$). In this case $\mathcal{F}_\ell(u) = (u-\lambda)(u-\mu)$ and there exist points $P_1, P_2 \in E[\ell]$ such that
$$\varphi(P_1) = [\lambda]P_1, \qquad \varphi(P_2) = [\mu]P_2.$$
It is clear that $P_1$ and $P_2$ must lie in different subgroups of $E[\ell]$, and we can take $C_1 = \langle P_1\rangle$, $C_2 = \langle P_2\rangle$, so that $C_1 \times C_2 = E[\ell]$. From the orders of the eigenvalues it follows that
$$\varphi^{e_1}(P_1) = P_1, \qquad \varphi^{e_2}(P_2) = P_2$$
and the coordinates of the points in $C_1$ lie in $\mathbb{F}_{q^{e_1}}$ and those of $C_2$ lie in $\mathbb{F}_{q^{e_2}}$ (where $e_1$ and $e_2$ divide $\ell-1$). Any point $Q \in E[\ell]$ can be expressed as $[m_1]P_1 + [m_2]P_2$, for some $m_1, m_2 \in \mathbb{F}_\ell$. Thus, if $e = \mathrm{lcm}(e_1, e_2)$, then the coordinates of all points of $E[\ell]$ lie in $\mathbb{F}_{q^e}$. For any integer $s$,
$$\varphi^s(Q) = [\lambda^s m_1]P_1 + [\mu^s m_2]P_2,$$
and the smallest integer $k$ for which $\varphi^k(Q)$ is a multiple of $Q$ is the order of $\lambda/\mu$ in $\mathbb{F}_\ell$, say $r$. It follows that
$$\varphi^r(C_i) = C_i, \qquad i = 3, 4, \ldots, \ell+1,$$
while for $i = 1$ and $2$ we have $\varphi(C_1) = C_1$ and $\varphi(C_2) = C_2$. This is the case where $\ell$ is an Elkies prime and the value of the trace modulo $\ell$ is resolved by the computational method discussed later in the chapter.
(iii) $\lambda \ne \mu$, $\lambda, \mu \in \mathbb{F}_{\ell^2} \setminus \mathbb{F}_\ell$ (Case (iii) of Proposition VII.2). This case corresponds to $\ell$ being an Atkin prime and $\mathcal{F}_\ell(u)$ being irreducible over $\mathbb{F}_\ell$. We can write $\lambda = \mu^\ell$. As with the previous case, if $e = \mathrm{lcm}(e_1, e_2)$ then $C_i \subset E(\mathbb{F}_{q^e})$. Also, if $r$ is the order of $\lambda/\mu$ in $\mathbb{F}_{\ell^2}$ then for the subgroups $C_i$ of $E[\ell]$ one has
$$\varphi^r(C_i) = C_i, \qquad i = 1, 2, \ldots, \ell+1.$$
In this case, since there are exactly $\phi_{\mathrm{Eul}}(r)$ elements in $\mathbb{F}_{\ell^2}$ of order exactly $r$, there are exactly $\phi_{\mathrm{Eul}}(r)$ possibilities for the value of the trace, the ambiguity being resolved later in the computation by the merge-and-sort or BSGS routine noted.
It is finally noted that, from the above discussion, it follows that for a non-supersingular elliptic curve $E$ over $\mathbb{F}_q$, the powers $e_i$ of the Frobenius map $\varphi$ that leave the various subgroups of $E[\ell]$ stable are given by
$$e_i = \min\{\, k \in \mathbb{Z} : j(E/C_i) \in \mathbb{F}_{q^k} \,\}.$$
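The three cases above can be read off from $t$, $q$ and $\ell$ alone. The following Python program is an added example, not code from the book: it decides whether $u^2 - tu + q$ splits over $\mathbb{F}_\ell$, computes the eigenvalues in $\mathbb{F}_\ell$ or in $\mathbb{F}_{\ell^2} = \mathbb{F}_\ell[w]/(w^2 - \Delta_t)$, their orders $e_1, e_2$, the order $r$ of $\lambda/\mu$ (computed as $\lambda^2/q$, since $\lambda\mu = q$), the splitting type of $\Phi_\ell(x, j(E))$, and, for an Atkin prime, the $\phi_{\mathrm{Eul}}(r)$ candidate traces that the later merge-and-sort or BSGS step must choose among. The trace values used at the bottom are constructed test inputs for $q = 131$, $\ell = 5$; subcases (a) and (b) of case (i) cannot be told apart from $t$ alone, and the function says so.

```python
from math import gcd

def mult_order(x, mul, one, bound):
    """Order of x in a finite group given by mul; bound caps the loop (l - 1 or l^2 - 1)."""
    k, y = 1, x
    while y != one:
        y, k = mul(y, x), k + 1
        if k > bound:
            raise ValueError("element has no finite order below bound")
    return k

def ratio_order(t, q, l):
    """Order r of lambda/mu for the roots of u^2 - t u + q, and the field the roots live in.
    Uses lambda/mu = lambda^2 / (lambda mu) = lambda^2 / q, so no inversion in F_{l^2} is needed."""
    t, q = t % l, q % l
    disc = (t * t - 4 * q) % l
    inv2, invq = pow(2, l - 2, l), pow(q, l - 2, l)
    if disc == 0:
        return 1, "F_l (double root)"
    sq = next((w for w in range(l) if w * w % l == disc), None)
    if sq is not None:                       # roots in F_l: Elkies prime
        lam = (t + sq) * inv2 % l
        return mult_order(lam * lam * invq % l, lambda a, b: a * b % l, 1, l - 1), "F_l"
    # irreducible case: arithmetic in F_l[w]/(w^2 - disc), elements are pairs (a, b) = a + b w
    mul2 = lambda x, y: ((x[0] * y[0] + disc * x[1] * y[1]) % l, (x[0] * y[1] + x[1] * y[0]) % l)
    lam = (t * inv2 % l, inv2)               # lambda = (t + w)/2
    lam2 = mul2(lam, lam)
    return mult_order((lam2[0] * invq % l, lam2[1] * invq % l), mul2, (1, 0), l * l - 1), "F_{l^2}"

def frobenius_action(t, q, l):
    t, q = t % l, q % l
    disc = (t * t - 4 * q) % l
    inv2 = pow(2, l - 2, l)
    mul = lambda a, b: a * b % l
    if disc == 0:                            # case (i): lambda = mu = t/2
        lam = t * inv2 % l
        e1 = mult_order(lam, mul, 1, l - 1)
        return {"case": "i", "prime": "Elkies", "eigenvalues": (lam, lam), "e": (e1, e1), "r": 1,
                "splitting": "1,l (k != 0) or 1,...,1 (k = 0): not decidable from t alone"}
    r, field = ratio_order(t, q, l)
    if field == "F_l":                       # case (ii)
        w = next(w for w in range(l) if w * w % l == disc)
        lam, mu = (t + w) * inv2 % l, (t - w) * inv2 % l
        e1, e2 = mult_order(lam, mul, 1, l - 1), mult_order(mu, mul, 1, l - 1)
        return {"case": "ii", "prime": "Elkies", "eigenvalues": (lam, mu), "e": (e1, e2), "r": r,
                "splitting": [1, 1] + [r] * ((l - 1) // r)}
    # case (iii): Atkin prime; every t' giving the same r is still a candidate for the trace mod l
    candidates = [tp for tp in range(l) if ratio_order(tp, q, l) == (r, "F_{l^2}")]
    phi_eul = sum(1 for k in range(1, r + 1) if gcd(k, r) == 1)
    return {"case": "iii", "prime": "Atkin", "r": r, "splitting": [r] * ((l + 1) // r),
            "trace_candidates": candidates, "phi_Eul(r)": phi_eul}

if __name__ == "__main__":
    for t in (0, 1, 2):                      # constructed traces for q = 131, l = 5
        print(t, frobenius_action(t, 131, 5))
```

For $q = 131 \equiv 1 \pmod 5$ the three constructed traces land in the three cases: $t = 0$ gives eigenvalues $3, 2$ of order $4$ with $r = 2$ (type $1, 1, 2, 2$), $t = 1$ gives an irreducible polynomial with $r = 3$ and the two candidate traces $1$ and $4$, and $t = 2$ gives the double root $\lambda = 1$.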

VII.4. Finding Factors of Division Polynomials through Isogenies: Odd Characteristic
Our purpose in this section and the next is to outline the development of the polynomial $F_\ell(x)$, a divisor of the $\ell$th division polynomial, $f_\ell(x)$, of degree $d = (\ell-1)/2$, for the cases of odd and even characteristic, respectively. The variable $d$ is reserved for $(\ell-1)/2$ in what follows. In both cases the technique will be to determine a curve isogenous to the given curve, and obtain sufficient information about points in the kernel of the isogeny such that all the coefficients of the polynomial $F_\ell(x)$ may be determined. The $x$-coordinates of points in the kernel will be the roots of $F_\ell(x)$. It will be assumed throughout this section that the ground field is $\mathbb{F}_p$, with $p$ a large prime. It is further assumed that $\ell$ is an Elkies prime, the only case for which such factors of the division polynomials are used in Algorithm VII.2. To determine the factor $F_\ell(x)$, of degree $d$, the steps will be as follows:
(i) Given a curve over $\mathbb{F}_p$ with $j$-invariant $j$, determine a $j$-invariant $J$ of an isogenous curve, by determining a root of the modular polynomial $\Phi_\ell(x, j)$, i.e. find $J$ such that $\Phi_\ell(J, j) = 0$.
(ii) For the given $j$-invariant $J$, determine the coefficients $\tilde a, \tilde b$ of an isogenous curve,
$$Y^2 = X^3 + \tilde a X + \tilde b,$$
with $j$-invariant $J$.
(iii) From knowledge of the isogenous curves, and the kernel of the isogeny, compute the sum of the $x$-coordinates of the points in the kernel of the isogeny. From this last quantity and the curves, derive the desired polynomial $F_\ell(x)$.
All the advanced techniques currently available in the literature for counting points on an elliptic curve over $\mathbb{F}_p$ perform these steps or simple variants of them. The rest of this section gives a glimpse into what is involved in these steps, following closely the treatment in [142]. In the latter reference, the approach is again attributed to unpublished electronic correspondence by Atkin. Consider the curve
$$Y^2 = X^3 + aX + b$$
over $\mathbb{F}_p$. The $j$-invariant of this curve is
$$j(E) = 1728\,\frac{4a^3}{4a^3 + 27b^2}. \qquad \text{(VII.8)}$$
In the case of the Elkies prime $\ell$, by Proposition VII.2, we have
$$\deg\bigl(\gcd(x^p - x, \Phi_\ell(x, j))\bigr) > 0,$$
and the roots of the GCD are in $\mathbb{F}_p$. Typically there will be two such roots, and we will designate one of them $J$. Thus there will be a curve $E/C$ isogenous to $E$, with $j$-invariant $j(E/C) = J$, such that the isogeny between $E$ and $E/C$ has kernel $C$ of order $\ell$. The Weierstrass equation of $E/C$ will be of the form
$$Y^2 = X^3 + \tilde a X + \tilde b.$$
The next task is to determine the coefficients $\tilde a$ and $\tilde b$, from knowledge of $a$, $b$, $j(E)$, and $J$. For this development, a detour through the complex model of the elliptic curve will be required. The theory behind this detour is deep, and a full account of it is beyond the scope of the book. The basic facts that make it work are the following. Associated with the original curve (its coefficients interpreted as integers) are complex parameters $\tau$ and $q = \exp(2\pi i\tau)$. From them, the various invariants $j(q)$, $\Delta(q)$, $E_4(q)$, $E_6(q)$, defined in Chapter III, are derived.$^3$ It can be established that these quantities reside in the ring of integers $\mathcal{O}_K$ of some number field $K$, and that there is a prime ideal $\mathfrak{P}$ of $\mathcal{O}_K$ with residue field $\mathbb{F}_p$, such that the reduction of these quantities modulo the ideal $\mathfrak{P}$ yields integers modulo $p$. In the case of the $j$-invariant $j(q)$, for instance, its residue modulo $\mathfrak{P}$ yields the $j$-invariant $j(E) \in \mathbb{F}_p$ of Equation (VII.8). Similarly, the complex quantities $E_4(q)$, $E_6(q)$ and $\Delta(q)$ have counterparts in $\mathbb{F}_p$, which will be denoted by $E_4(q)$, $E_6(q)$ and $\Delta(q)$, respectively; the context will make clear whether the complex quantity or its reduction is meant. Various relations will be established between the complex versions of these quantities, which carry over to $\mathbb{F}_p$. Ultimately, all the computations are actually done over $\mathbb{F}_p$, the complex model being used only to justify some of the steps. We start by recalling from Section III.7 the expressions for the following Eisenstein series in $\mathbb{Z}[[q]]$:

$$E_6(q) = 1 - 504\sum_{n=1}^{\infty}\frac{n^5 q^n}{1 - q^n}.$$
In addition, the discriminant is expressed as
$$\Delta(q) = q\prod_{n=1}^{\infty}(1 - q^n)^{24}.$$
We also recall the relationships
$$j(q) = \frac{E_4(q)^3}{\Delta(q)} = \frac{1}{q} + 744 + 196884\,q + 21493760\,q^2 + \cdots$$
and
$$\Delta(q) = \frac{E_4(q)^3 - E_6(q)^2}{1728}.$$
$^3$In this section, we write $\Delta(\cdot)$, $j(\cdot)$, $E_4(\cdot)$, and $E_6(\cdot)$ as functions of $q$, rather than functions of $\tau$, as done when these functions were defined in Chapter III. This is convenient, since various formal derivatives, taken with respect to $q$, will be required. While this notation is formally imperfect, the relation $q = \exp(2\pi i\tau)$ makes the functional relations unambiguous, and it helps reduce notation clutter. We will switch quite freely between the two notations.

Denoting $q$ times the derivative of a formal power series, $f(q) = \sum_n a_n q^n$, by $f'(q) = \sum_n n a_n q^n$, a variety of relations can be derived. In particular it can be shown [142] that


$$\frac{j'}{j} = -\frac{E_6}{E_4}, \qquad \frac{j'}{j - 1728} = -\frac{E_4^2}{E_6}, \qquad \text{(VII.9)}$$
and
$$\frac{j''}{j'} = \frac{1}{6}E_2 - \frac{1}{2}\frac{E_4^2}{E_6} - \frac{2}{3}\frac{E_6}{E_4}. \qquad \text{(VII.10)}$$
The following two formal power series, which can be shown to lie in $\mathbb{Z}[\zeta, 1/(\zeta(1-\zeta))][[q]]$, are crucial to the argument:
$$x(\zeta; q) = \frac{1}{12} - 2\sum_{n=1}^{\infty}\frac{q^n}{(1 - q^n)^2} + \sum_{n \in \mathbb{Z}}\frac{\zeta q^n}{(1 - \zeta q^n)^2}$$
and
$$y(\zeta; q) = \frac{1}{2}\sum_{n \in \mathbb{Z}}\frac{\zeta q^n(1 + \zeta q^n)}{(1 - \zeta q^n)^3}.$$
These power series can be shown to satisfy the following equality:
$$y^2 = x^3 - \frac{E_4(q)}{48}\,x + \frac{E_6(q)}{864}.$$
Projected to $\mathbb{F}_p$ (via reduction modulo $\mathfrak{P}$), the above equation means that, for the original elliptic curve equation $Y^2 = X^3 + aX + b$, we have
$$a = -\frac{E_4(q)}{48}, \qquad b = \frac{E_6(q)}{864}. \qquad \text{(VII.11)}$$
Back in $\mathbb{C}$, we also have the important relation
$$p_1 = \frac{1}{2}\sum_{\zeta \in \mu_\ell,\ \zeta \ne 1} x(\zeta; q) = \frac{\ell}{12}\bigl(E_2(q) - \ell E_2(q^\ell)\bigr), \qquad \text{(VII.12)}$$
where $\mu_\ell$ is the set of complex $\ell$th roots of unity. When projected to $\mathbb{F}_p$, this last expression will represent the sum of the $x$-components of points in the kernel of the isogeny, from which the coefficient of $x^{(\ell-3)/2}$ in the polynomial $F_\ell(x)$ will be directly derived. The relations established for the complex model will allow the computation of $p_1$, and the rest of the coefficients of $F_\ell(x)$, in $\mathbb{F}_p$. To achieve this goal, we invoke, again, the modular polynomials. We start by deriving, in the next subsection, formulae based on the classical modular polynomials $\Phi_\ell(x,y)$. In a later subsection we describe briefly similar formulae for Müller's variant $G_\ell(x,y)$ [110], which are more computationally friendly.

VII.4.1. Using classical modular polynomials.


It follows from the characterization of roots of $\Phi_\ell(x, j)$ in Formula (VII.7) that if $j(q)$ is the $j$-invariant of the original curve (interpreted over $\mathbb{C}$), and $J(q) = j(q^\ell)$, then $\Phi_\ell(J(q), j(q)) = 0$, i.e., given a curve with $j$-invariant $j(q)$, there exists an isogenous curve with $j$-invariant $J(q) = j(q^\ell)$ and an isogeny of degree $\ell$. Furthermore the following identities of power series can be established:
(VII.13)
and
$$\frac{j''}{j'} - \ell\frac{J''}{J'} = -\frac{j'^2\,\Phi_{xx}(j,J) + 2\ell j'J'\,\Phi_{xy}(j,J) + \ell^2 J'^2\,\Phi_{yy}(j,J)}{j'\,\Phi_x(j,J)}, \qquad \text{(VII.14)}$$
where the subscripts $x$ and $y$ denote partial derivatives with respect to those variables.

Equations (VII.13) and (VII.14) are of particular importance for the following development, where they will be interpreted over $\mathbb{F}_p$. Some care must be taken if some of the partial derivatives vanish, as some of the relations obtained from the equations above become void. The likelihood of this happening, however, is extremely low when working with random curves over very large fields. In case such a 'singularity' occurs, the random curve can be discarded, and another one selected. Therefore, we ignore these cases. The problem is discussed in [142, p. 248].
To begin the computation, a value of $J \in \mathbb{F}_p$ is required. This is found by considering $\gcd(x^p - x, \Phi_\ell(x, j))$. This GCD is usually a polynomial of degree two in this case, and one of its roots is taken as $J$. It can then be shown that the corresponding isogenous curve is given by
$$Y^2 = X^3 + \tilde a X + \tilde b \qquad \text{(VII.15)}$$
where
$$\tilde a = -\frac{1}{48}\,\frac{J'^2}{J(J - 1728)}, \qquad \tilde b = -\frac{1}{864}\,\frac{J'^3}{J^2(J - 1728)}, \qquad \text{(VII.16)}$$
and where we have, from Equation (VII.13),
$$J' = -\frac{j'\,\Phi_x(j, J)}{\ell\,\Phi_y(j, J)}. \qquad \text{(VII.17)}$$
These computations take place in $\mathbb{F}_p$. For the original equation
$$Y^2 = X^3 + aX + b,$$
the relations in Equations (VII.11) define values of $E_4(q), E_6(q) \in \mathbb{F}_p$. For the isogenous curve in Equations (VII.15)-(VII.16), similar relations
$$\tilde a = -\frac{E_4(q^\ell)}{48}, \qquad \tilde b = \frac{E_6(q^\ell)}{864} \qquad \text{(VII.18)}$$
define values of $E_4(q^\ell), E_6(q^\ell) \in \mathbb{F}_p$.
It can further be shown that the sum of the $x$-coordinates of the points in the kernel of the isogeny between these two curves corresponds precisely to the sum in Equation (VII.12), denoted by $p_1$ (which will also denote the counterpart in $\mathbb{F}_p$). To apply the formula in Equation (VII.12), we also require counterparts of $E_2(q)$ and $E_2(q^\ell)$ in $\mathbb{F}_p$. These are obtained by using the relationship in Equation (VII.10), yielding, for $p_1$,
$$p_1 = \frac{\ell}{2}\left(\frac{j''}{j'} - \ell\frac{J''}{J'}\right) + \cdots \qquad \text{(VII.19)}$$
The first term of the right-hand side of this equation is given by Equation (VII.14), where $j'$ is obtained from Equation (VII.9). The remaining terms follow by direct computation.
Over $\mathbb{C}$, if the lattice corresponding to the curve under consideration is $w_1\mathbb{Z} + w_2\mathbb{Z}$, then the $\ell$-isogeny is given by
$$\mathbb{C}/(w_1\mathbb{Z} + w_2\mathbb{Z}) \longrightarrow \mathbb{C}/(w_1\mathbb{Z} + \ell w_2\mathbb{Z}), \qquad z \longmapsto \ell z.$$
Reducing everything modulo the prime ideal $\mathfrak{P}$ gives us the two $\ell$-isogenous curves over $\mathbb{F}_p$, namely $Y^2 = X^3 + aX + b$ and $Y^2 = X^3 + \tilde a X + \tilde b$. In addition, the finite field isogeny is the reduction modulo $\mathfrak{P}$ of the complex isogeny. Instead of the above isogeny, Schoof [142] finds it easier to work with the isogeny
$$\mathbb{C}/(w_1\mathbb{Z} + w_2\mathbb{Z}) \longrightarrow \mathbb{C}/(\tfrac{1}{\ell}w_1\mathbb{Z} + w_2\mathbb{Z}), \qquad z \longmapsto z,$$
for which the corresponding Weierstrass equation of the isogenous curve is
$$Y^2 = X^3 + \ell^4\tilde a X + \ell^6\tilde b.$$
Notice that this curve is isomorphic to the one with coefficients $\tilde a, \tilde b$, the two isogenies have the same kernel, and the preceding computation of $p_1$ is still correct.
Let $\wp(z)$ denote the Weierstrass function associated with the lattice $L$ for the original curve, so
$$\wp(z) = \frac{1}{z^2} + \sum_{w \in L,\ w \ne 0}\left(\frac{1}{(z - w)^2} - \frac{1}{w^2}\right) = \frac{1}{z^2} + \sum_{k=1}^{\infty} c_k z^{2k}, \qquad \text{(VII.20)}$$
where the coefficients $c_k$ are obtained from the following recursion:
$$c_1 = -\frac{a}{5}, \qquad c_2 = -\frac{b}{7}, \qquad \text{(VII.21)}$$
and
$$c_k = \frac{3}{(k-2)(2k+3)}\sum_{j=1}^{k-2} c_j\,c_{k-1-j}, \qquad k \ge 3. \qquad \text{(VII.22)}$$
The function $\tilde\wp$ for the isogenous curve is computed in a similar manner, using the curve coefficients $\ell^4\tilde a$ and $\ell^6\tilde b$. The analogous coefficients $\tilde c_k$ are then defined, using a recursion similar to that given in Equations (VII.21)-(VII.22). The crucial observation, [142], is that if $F_\ell(x)$ is the polynomial with roots corresponding to the $x$-coordinates of the kernel of the isogeny,
$$\mathbb{C}/(w_1\mathbb{Z} + w_2\mathbb{Z}) \longrightarrow \mathbb{C}/(\tfrac{1}{\ell}w_1\mathbb{Z} + w_2\mathbb{Z}),$$
then $F_\ell$ satisfies the equation
$$z^{\ell-1}F_\ell(\wp(z)) = \exp\left(-\frac{1}{2}p_1 z^2 - \sum_{k=1}^{\infty}\frac{\tilde c_k - \ell c_k}{(2k+1)(2k+2)}\,z^{2k+2}\right). \qquad \text{(VII.23)}$$
Thus, from $a$, $b$, $\ell^4\tilde a$, and $\ell^6\tilde b$, we obtain the sequences $c_k$ and $\tilde c_k$ using the recursion in Equations (VII.21)-(VII.22). From these sequences and $p_1$, in turn, the coefficients of $F_\ell(x)$ can be determined by expanding the functions on both sides of Equation (VII.23) and comparing powers of $z$. Let $w = z^2$, and let $A(w)$ denote the function on the right-hand side of Equation (VII.23), expanded as a power series in $w$. Also, let $C(w) = \wp(z) - w^{-1} = \sum_{k \ge 1} c_k w^k$, and, for an arbitrary power series $B(w)$, denote by $[B(w)]_i$ the coefficient of $w^i$ in $B(w)$. If $F_\ell(x) = x^d + \sum_{i=0}^{d-1}F_{\ell,i}\,x^i$, then the coefficients of $F_\ell$ are given by the following recursion, where we set $F_{\ell,d} = 1$ and
$$F_{\ell,d-i} = [A(w)]_i - \sum_{k=1}^{i}\left(\sum_{j=0}^{k}\binom{d-i+k}{k-j}\,[C(w)^{k-j}]_j\right)F_{\ell,d-i+k}, \qquad \text{(VII.24)}$$
for $1 \le i \le d$. Notice that at most $d$ terms of each expansion are needed to determine the desired coefficients. Using the above recursion, the first few coefficients (from highest powers) of $F_\ell$ are given by
$$F_{\ell,d-1} = -\frac{p_1}{2}, \qquad F_{\ell,d-2} = \frac{p_1^2}{8} - \frac{\tilde c_1 - \ell c_1}{12} - \frac{\ell - 1}{2}\,c_1,$$
$$F_{\ell,d-3} = -\frac{p_1^3}{48} + \frac{p_1(\tilde c_1 - \ell c_1)}{24} - \frac{\tilde c_2 - \ell c_2}{30} - \frac{\ell - 1}{2}\,c_2 + \frac{\ell - 3}{4}\,c_1 p_1.$$
The calculation of the coefficients of $F_\ell$ over $\mathbb{F}_p$ requires that the denominators in the formulae above do not vanish. This can be guaranteed if $p$ is sufficiently large that it exceeds the size of any factor of a denominator in the formulae. Noting that the $c_k$ (or $\tilde c_k$) are required only for $k \le d = O(\log p)$, that the largest factor of a denominator associated with $c_k$ is $2k+3$, and that the other denominators above involve only small prime divisors of order $O(\ell)$ (as they all arise from factorials of numbers up to $\ell$), we conclude that this condition is amply satisfied for the large fields $\mathbb{F}_p$ used in practice (after all, if $p$ is small, no sophistication is needed to count points over $\mathbb{F}_p$). This requirement will be problematic, however, if an attempt is made to apply similar techniques to large finite fields of small characteristic. In Section VII.5 we describe Lercier's method for fields of characteristic two. More general techniques for small characteristic are described by Couveignes [33], and are briefly discussed in Section VII.11. The contents of the section are now summarized in algorithm form to indicate more directly how the factor $F_\ell(x)$ of the $\ell$th division polynomial $f_\ell(x)$ is computed.
ALGORITHM VII.3: Division Polynomial Factor $F_\ell(x)$
INPUT: An elliptic curve $E : y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, and an Elkies prime $\ell$.
OUTPUT: A factor $F_\ell(x)$ of degree $d = (\ell-1)/2$ of $f_\ell(x)$.
1. Compute $j = j(E)$ from Equation (VII.8).
2. Compute $E_4(q)$ and $E_6(q)$ from Equations (VII.11).
3. Determine $j'$ from Equation (VII.9).
4. Set $J \leftarrow$ a root of $\Phi_\ell(x, j)$ in $\mathbb{F}_p$.
5. Compute $J'$ from Equation (VII.17).
6. Compute $\tilde a$ and $\tilde b$ from Equations (VII.16).
7. Compute $E_4(q^\ell)$ and $E_6(q^\ell)$ from Equations (VII.18).
8. Compute $\dfrac{j''}{j'} - \ell\dfrac{J''}{J'}$ from Equation (VII.14).
9. Compute $p_1$ from Equation (VII.19).
10. Compute $c_k$ and $\tilde c_k$ for $k \le d$ from Equations (VII.21) and (VII.22).
11. Obtain the coefficients of $F_\ell(x)$ from the recursion in Equation (VII.24).
12. Return $F_\ell(x)$.
In Step 4, a root of $\Phi_\ell(x, j)$ is chosen as $J$, the $j$-invariant of the isogenous curve. In most cases, $\Phi_\ell(x, j)$ has two distinct roots in $\mathbb{F}_p$, and either choice will produce a correct $F_\ell$. When $t^2 - 4p \equiv 0 \pmod{\ell}$, which can only happen if $p$ is a square in $\mathbb{F}_\ell$, there may be either just one root, or $\ell+1$ roots in $\mathbb{F}_p$. In the latter case, again, any root may be chosen. On rare occasions, the procedure might fail to produce a factor $F_\ell$, e.g., in cases where some denominator in the computation vanishes. In such cases, a different root of $\Phi_\ell(x, j)$ may be tried. If all roots fail in the same fashion, the trace modulo $\ell$ cannot be determined using this procedure (see [142] for a discussion of some of these singularities). However, the likelihood of this occurring (even for the first root), with random curves over very large finite fields, is extremely low. In any case, in a practical implementation, it is a good idea to check that the polynomial $F_\ell(x)$ produced by the algorithm is indeed a factor of the division polynomial $f_\ell(x)$.
Example. Consider the curve over $\mathbb{F}_{131}$ defined by
$$Y^2 = X^3 + X + 23,$$
and assume a factor of the division polynomial $f_\ell$, with $\ell = 5$, is sought. All computations in the example are modulo 131. From the computations indicated in Steps 1-3 above, we obtain $j = 78$, $E_4(q) = 83$, $E_6(q) = 91$, and $j' = 66$. The modular polynomial $\Phi_5(x, y)$ from Section III.8, reduced modulo 131, and evaluated at $y = j = 78$, yields
$$\Phi_5(x, j) = x^6 + x^5 + 67x^4 + 106x^3 + 16x^2 + 33x + 41.$$
Its GCD with the field polynomial $x^{131} - x$ is
$$x^2 + 88x + 49 = (x - 17)(x - 26).$$
Thus, we obtain that 5 is an Elkies prime for this curve. We try the root $J = 17$. For this root, $J' = 48$ from Equation (VII.17), where we computed the necessary derivatives of $\Phi_5$ over $\mathbb{F}_{131}$. We next obtain $\tilde a = 62$, $\tilde b = 20$, and compute $E_4(q^5) = 37$, $E_6(q^5) = 119$. Next, we apply Equation (VII.14) to obtain
$$\frac{j''}{j'} - \ell\frac{J''}{J'} = 2,$$
and then, from Equation (VII.19), $p_1 = 42$. The coefficient $F_{5,1} = -p_1/2 = 110$ is then immediately derived. For this example, we only require the first term from each of the sequences $c_k$ and $\tilde c_k$, namely, $c_1 = -a/5 = 26$, and $\tilde c_1 = -\tilde a\ell^4/5 = 110$. Finally, from the formula for the coefficient $F_{\ell,d-2}$, we obtain $F_{5,0} = 61$. Thus, we have $F_5(x) = x^2 + 110x + 61$, which is readily verified to be a factor of the division polynomial
$$f_5(x) = x^{12} + 91x^{10} + 45x^9 + 110x^8 + 56x^7 + 93x^6 + 21x^5 + 20x^4 + 36x^3 + 12x^2 + 16x + 103.$$
Running the procedure with the second root, $J = 26$, yields a different factor of $f_5(x)$, namely, $x^2 + 112x + 28$.
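The example can be reproduced step by step. The Python program below is an added example, not code from the book: it implements polynomial arithmetic over $\mathbb{F}_{131}$, recomputes $j$, $E_4(q)$, $E_6(q)$ and $j'$ from (VII.8), (VII.11) and (VII.9), finds the roots $17$ and $26$ of $\gcd(x^{131} - x, \Phi_5(x, j))$ from the univariate $\Phi_5(x, 78)$ printed above, and carries the root $J = 17$ through (VII.16), (VII.18) and (VII.21)-(VII.24) (the general recursion, with $A(w) = \exp(S(w))$ expanded by the recurrence $n a_n = \sum_k k s_k a_{n-k}$) to $F_5(x)$, checking the result against $f_5(x)$. Two inputs are taken from the page rather than computed, because the bivariate $\Phi_5(x, y)$ they require is not printed here: $J' = 48$ (Step 5) and $j''/j' - \ell J''/J' = 2$ (Step 8). For $p_1$ the program uses (VII.19) written out in full by substituting (VII.10) into (VII.12), i.e.
$$p_1 = \frac{\ell}{2}\left(\frac{j''}{j'} - \ell\frac{J''}{J'}\right) + \frac{\ell}{4}\left(\frac{E_4(q)^2}{E_6(q)} - \ell\frac{E_4(q^\ell)^2}{E_6(q^\ell)}\right) + \frac{\ell}{3}\left(\frac{E_6(q)}{E_4(q)} - \ell\frac{E_6(q^\ell)}{E_4(q^\ell)}\right),$$
an expansion the page only abbreviates; it reproduces $p_1 = 42$, and the recursion then gives $F_5(x) = x^2 + 110x + 61$.

```python
from math import comb

p, l = 131, 5                      # the page's example: E: Y^2 = X^3 + X + 23 over F_131, l = 5
d = (l - 1) // 2

def inv(a):
    return pow(a % p, p - 2, p)    # p is prime

# polynomials over F_p as coefficient lists, lowest degree first
def trim(f):
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def coef(f, i):
    return f[i] if i < len(f) else 0

def pmul(f, g):
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for k, b in enumerate(g):
            h[i + k] = (h[i + k] + a * b) % p
    return trim(h)

def pmod(f, g):
    f, g = trim(f[:]), trim(g[:])
    lead = inv(g[-1])
    while len(f) >= len(g) and any(f):
        c, shift = f[-1] * lead % p, len(f) - len(g)
        for i, b in enumerate(g):
            f[shift + i] = (f[shift + i] - c * b) % p
        trim(f)
    return f

def pgcd(f, g):
    while any(g):
        f, g = g, pmod(f, g)
    lead = inv(f[-1])
    return [c * lead % p for c in f]                        # monic

def ppow_mod(base, e, m):
    result = [1]
    while e:
        if e & 1:
            result = pmod(pmul(result, base), m)
        base, e = pmod(pmul(base, base), m), e >> 1
    return result

def roots_in_fp(f):
    return [x for x in range(p) if sum(c * pow(x, i, p) for i, c in enumerate(f)) % p == 0]

def wp_coeffs(a, b, kmax):
    """Laurent coefficients c_k of the Weierstrass function, Equations (VII.21)-(VII.22)."""
    c = {1: -a * inv(5) % p, 2: -b * inv(7) % p}
    for k in range(3, kmax + 1):
        c[k] = 3 * inv((k - 2) * (2 * k + 3)) * sum(c[i] * c[k - 1 - i] for i in range(1, k - 1)) % p
    return c

def kernel_polynomial(p1, c, ct):
    """Coefficients of F_l(x), lowest degree first, from (VII.23)-(VII.24).
    A(w) = exp(S(w)) is expanded with the recurrence n a_n = sum_k k s_k a_{n-k}."""
    s = [0, -p1 * inv(2) % p] + [-(ct[k] - l * c[k]) * inv((2 * k + 1) * (2 * k + 2)) % p for k in range(1, d)]
    A = [1] + [0] * d
    for n in range(1, d + 1):
        A[n] = inv(n) * sum(k * s[k] * A[n - k] for k in range(1, n + 1)) % p
    C = [0] + [c[k] for k in range(1, d + 1)]                # C(w) = sum_{k>=1} c_k w^k, truncated at w^d
    Cpow = [[1]]                                             # Cpow[m] = C(w)^m truncated
    for _ in range(d):
        Cpow.append(pmul(Cpow[-1], C)[: d + 1])
    F = [0] * d + [1]                                        # F_{l,d} = 1
    for i in range(1, d + 1):
        total = A[i]
        for k in range(1, i + 1):
            total -= sum(comb(d - i + k, k - j) * coef(Cpow[k - j], j) for j in range(k + 1)) * F[d - i + k]
        F[d - i] = total % p
    return F

def run_example():
    a, b = 1, 23
    j = 1728 * 4 * a**3 * inv(4 * a**3 + 27 * b**2) % p                   # (VII.8)
    E4, E6 = -48 * a % p, 864 * b % p                                      # (VII.11)
    jp = -j * E6 * inv(E4) % p                                             # (VII.9): j'/j = -E6/E4
    Phi5_j = [41, 33, 16, 106, 67, 1, 1]                                   # Phi_5(x, 78) mod 131, as printed above
    xp = ppow_mod([0, 1], p, Phi5_j)                                       # x^p reduced mod Phi_5(x, j)
    G = pgcd(Phi5_j, trim([coef(xp, 0), (coef(xp, 1) - 1) % p] + xp[2:]))  # gcd(Phi_5(x, j), x^p - x)
    J, Jp = 17, 48                          # root chosen on the page, and its J' (needs Phi_5(x, y), (VII.17))
    at = -inv(48) * Jp**2 * inv(J * (J - 1728)) % p                        # (VII.16)
    bt = -inv(864) * Jp**3 * inv(J**2 * (J - 1728)) % p
    Et4, Et6 = -48 * at % p, 864 * bt % p                                  # (VII.18): E4(q^l), E6(q^l)
    D = 2                                   # j''/j' - l J''/J' from (VII.14), value taken from the page
    p1 = (l * inv(2) * D + l * inv(4) * (E4**2 * inv(E6) - l * Et4**2 * inv(Et6))
          + l * inv(3) * (E6 * inv(E4) - l * Et6 * inv(Et4))) % p          # (VII.19), written out in full
    c, ct = wp_coeffs(a, b, d), wp_coeffs(l**4 * at % p, l**6 * bt % p, d)   # c_k and c~_k
    F5 = kernel_polynomial(p1, c, ct)
    f5 = [103, 16, 12, 36, 20, 21, 93, 56, 110, 45, 91, 0, 1]              # f_5(x) as printed above
    return {"j": j, "E4": E4, "E6": E6, "j'": jp, "gcd": G, "roots": roots_in_fp(G),
            "a~": at, "b~": bt, "E4(q^5)": Et4, "E6(q^5)": Et6, "p1": p1, "c1": c[1], "c~1": ct[1],
            "F5": F5, "F5 divides f5": pmod(f5, F5) == [0], "x^2+112x+28 divides f5": pmod(f5, [28, 112, 1]) == [0]}
```

Calling `run_example()` returns every intermediate value of the page's example keyed by name (coefficient lists are lowest degree first, so `F5 == [61, 110, 1]`), together with the two divisibility checks recommended at the end of the discussion of Step 4. Only `d` and the two page-supplied inputs tie the code to $\ell = 5$; the recursion and the $c_k$ sequences are implemented for general $d$.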

Analysis [81] of the computation in Algorithm VII.3 reveals that its complexity is $O(\ell^3)$ operations in $\mathbb{F}_p$ (using naive arithmetic), or $O(\ell^2)$ (using fast methods). These estimates are within the complexity bounds of the steps of the SEA algorithm where $F_\ell$ is used. This makes the described construction of $F_\ell(x)$ a worthwhile computational investment that achieves the intended complexity gains over Schoof's original algorithm. This satisfactory assessment assumes, however, that the modular polynomials are available, and their coefficients have been reduced modulo $p$.
As mentioned in Section III.8, although the modular polynomials are used modulo primes $p$, their computation is done over $\mathbb{C}$, and the integers involved can grow extremely large, making the computation a daunting task. In addition, since presumably the point counting algorithm will be implemented to run with varying values of $p$, the polynomials are often stored in integer form. Therefore, although the complexity of Algorithm VII.3 is acceptable, for sufficiently large values of $p$ the 'precomputation' step of obtaining the modular polynomials may be infeasible. The situation can be significantly improved by using variants of the modular polynomials, whose coefficients do not grow as rapidly. One example is given by Müller's variant $G_\ell(x, y)$ of the modular polynomials [110], which was described in Section III.8. The derivation of $F_\ell$ based on these polynomials is described next. The computational steps differ slightly from those of this section, the underlying theory being quite similar. Notice that once the modular polynomials modulo $p$ are available, the computational complexity of both methods is similar. Other alternatives for the modular polynomials are described, for instance, in [108] and [40].
VII.4.2. Using Müller's modular polynomials. We only derive the coefficient $p_1$ of the previous section. The other coefficients are derived in exactly the same manner as above. As before, it is assumed that the coefficients $a, b$ of an elliptic curve $E$ defined over $\mathbb{F}_p$ are given, where $p$ is a large prime. Also, all the following calculations are performed modulo $p$, even though the quantities involved are originally defined over $\mathbb{C}$. We just give the formulae, closely following Müller's thesis [110], where full explanations and proofs can be found.
We first compute a root, $g$, of the polynomial $G_\ell(x, j(E))$ given in Section III.8. Such a root must exist since we are assuming that $\ell$ is an Elkies prime. We set
$$E_4 = -\frac{a}{3}, \qquad E_6 = -\frac{b}{2}.$$
We then compute, on setting $j = j(E)$,
$$D_g = g\left(\frac{\partial}{\partial x}G_\ell(x, y)\right)(g, j), \qquad D_j = j\left(\frac{\partial}{\partial y}G_\ell(x, y)\right)(g, j),$$
where the notation indicates the derivatives are to be evaluated at $(g, j)$. The coefficients of the isogenous curve will be given by $\tilde a$ and $\tilde b$ and will have the associated invariants $E_4^{(\ell)}$, $E_6^{(\ell)}$, $\Delta^{(\ell)}$, etc. We can first deduce that
$$\Delta^{(\ell)} = \frac{\Delta\,g^{12/s}}{\ell^{12}},$$
where $s = 12/\gcd(\ell - 1, 12)$.


If4 D£j = 0 then we are in a special case where E�£) = £,e-2 E4 and £ a=
-3£ E� ) . The6 j-invariant of the isogenous curve is given by j ( ) = (E� ) ) 3 /� (£)
b = ±2R J(j(R) - 1728) � (£) _ Finally in this special case we have p1 = 0.
From now on we assume that $D_j \ne 0$; we then set
$$E_2^* = -\frac{12E_6D_j}{sE_4D_g}.$$
We then set
$$g' = -\frac{s}{12}E_2^*\,g, \qquad j' = -E_4^2E_6\Delta^{-1}, \qquad E_0 = -E_6\,(E_4E_2^*)^{-1},$$
where $E_2^* = -12g'/(sg)$. Then we need to compute the quantities
$$D_g' = g'\left(\frac{\partial}{\partial x}G_\ell(x,y)\right)(g,j) + g\left[g'\left(\frac{\partial^2}{\partial x^2}G_\ell(x,y)\right)(g,j) + j'\left(\frac{\partial^2}{\partial x\,\partial y}G_\ell(x,y)\right)(g,j)\right],$$
$$D_j' = j'\left(\frac{\partial}{\partial y}G_\ell(x,y)\right)(g,j) + j\left[j'\left(\frac{\partial^2}{\partial y^2}G_\ell(x,y)\right)(g,j) + g'\left(\frac{\partial^2}{\partial y\,\partial x}G_\ell(x,y)\right)(g,j)\right],$$
from which we can determine
$$E_0' = \frac{1}{D_j}\left(\frac{s}{12}D_g' - E_0D_j'\right).$$
We can then compute the value of $E_4^{(\ell)}$, from
$$E_4^{(\ell)} = \frac{1}{\ell^2}\left(E_4 - E_2^*\left[12\frac{E_0'}{E_0} + 6\frac{E_4^2}{E_6} - 4\frac{E_6}{E_4}\right] + E_2^{*2}\right).$$
The $j$-invariant of the isogenous curve is then given by $j^{(\ell)} = (E_4^{(\ell)})^3/\Delta^{(\ell)}$. We then need to compute the value of $E_6^{(\ell)}$, which can be determined by setting $f = \ell^s/g$ and $f' = sE_2^*f/12$, and then evaluating in turn the formulae
$$D_g^* = \left(\frac{\partial}{\partial x}G_\ell(x,y)\right)(f, j^{(\ell)}), \qquad D_j^* = \left(\frac{\partial}{\partial y}G_\ell(x,y)\right)(f, j^{(\ell)}), \qquad j^{(\ell)\prime} = -\frac{f'D_g^*}{\ell D_j^*}.$$
We can now determine $E_6^{(\ell)}$ from the equation
$$E_6^{(\ell)} = -\frac{E_4^{(\ell)}\,j^{(\ell)\prime}}{\ell\,j^{(\ell)}}.$$
Finally we can compute our three desired quantities as
$$\tilde a = -3\ell^4E_4^{(\ell)}, \qquad \tilde b = -2\ell^6E_6^{(\ell)}, \qquad p_1 = \frac{\ell E_2^*}{2}.$$
Notice that in this case the $j$-invariant of the isogenous curve could not be found as a root of the Müller variants of the modular polynomials. These polynomials were designed to have the same splitting type (with smaller coefficients) as the corresponding ordinary modular polynomial, but the roots of $G_\ell(x, j)$ do not correspond directly to $j$-invariants of isogenous curves. The rest of the computation, to determine the remaining coefficients of $F_\ell(x)$, is the same as in the previous subsection, and is omitted here. Although the theory developed is intricate, as noted earlier in Section VII.2, it has been successfully used to establish the number of points on very large randomly chosen curves. Other references that pursue related approaches include [40] and [26].

Whether using classical modular polynomials or the variants of Müller, the factor $F_\ell(x)$ of the division polynomial has been determined for the case of large prime fields. The next section shows the technique developed by Lercier to achieve the same result for fields of characteristic two.
VII.5. Finding Factors of Division Polynomials through Isogenies: Characteristic Two
The work of Lercier on point counting for curves over fields of characteristic two is described in this section, using the references [80], [85] and [82]. As in the previous section, the goal is to find a factor $F_\ell(x)$ of degree $d = (\ell-1)/2$ of the division polynomial $f_\ell(x)$, where $\ell$ is an Elkies prime. Here also, the problem will reduce to determining an isogenous curve, and then obtaining enough information about the kernel of the isogeny to produce the desired factor. Attention is restricted to the non-singular curves of the form
$$E_{a_6} : Y^2 + XY = X^3 + a_6, \qquad a_6 \in \mathbb{F}_{2^n}.$$
Recall that the discriminant of this curve is $a_6$, and its $j$-invariant is $1/a_6$. As in the odd characteristic case, we start by constructing the isogenous curve. This is done, as before, by finding a root $J \in \mathbb{F}_{2^n}$ of the modular polynomial $\Phi_\ell(x, j)$. In the characteristic two case, this leads immediately to the equation of the isogenous curve $E_{\tilde a_6}$, as we have $\tilde a_6 = 1/J$ in this case. From the knowledge of the two curves, an isogeny relating them must be obtained, and sufficient information about the points of the kernel to obtain $F_\ell(x)$. A key result of the application is a refinement of Vélu's Theorem ([160], [80]) for fields of characteristic two.
The theorem is a refinement of Theorem III.11, giving an explicit construction of the isogeny in terms of the points of the kernel. Recall that for a subgroup $R$ of the elliptic curve, we set $R^* = R \setminus \{\mathcal{O}\}$. As before, let $P_x$ and $P_y$ denote, respectively, the $x$- and $y$-coordinates of a point $P$.
THEOREM VII.4. Let $R$ be a subgroup of odd order of an elliptic curve $E_{a_6}$. Define $\tilde a_6 = a_6 + \sum_{S \in R^*}\bigl(S_y + (S_y)^2\bigr)$. Then, there exist isogenies between $E_{a_6}$ and $E_{\tilde a_6}$, of kernel $R$. One such isogeny is
$$\phi : P = (x, y) \longmapsto \Bigl(x + \sum_{S \in R^*}(P + S)_x,\ \ y + \sum_{S \in R^*}(P + S)_y\Bigr).$$

In our application, of course, the subgroup is not known and hence the isogeny cannot be derived directly in the manner of the theorem. On the other hand, $\tilde a_6$ is known, and Theorem VII.4 provides useful information that is exploited in the following theorem, which follows the formulation in [82].
THEOREM VII.5. Let $E_{a_6}$ and $E_{\tilde a_6}$ be two isogenous elliptic curves defined over $\mathbb{F}_{2^n}$, such that the isogeny $\phi : E_{a_6} \to E_{\tilde a_6}$ is of degree $\ell$, an odd integer. Let $d = (\ell-1)/2$. Then, $\phi$ can be expressed as
$$\phi : (x, y) \longmapsto \left(\frac{G(x)}{Q(x)^2},\ \frac{H(x) + yK(x)}{Q(x)^3}\right)$$
where $Q(x)$, $G(x)$, $H(x)$ and $K(x)$ are in $\mathbb{F}_{2^n}[x]$ with degrees $d$, $2d+1$, $3d$ and $2d$ respectively. Furthermore, $G(x) = xP(x)^2$ where $P(x)$ is a polynomial of degree $d$ such that $\gcd(P(x), Q(x)) = 1$ and
$$x^d\,Q(\sqrt{a_6}/x) = \frac{\sqrt[8]{a_6}}{\sqrt[8]{\tilde a_6}}\,(\sqrt[4]{a_6})^d\,P(x),$$
or, by applying the change of variable $x \to \sqrt{a_6}/x$,
$$x^d\,P(\sqrt{a_6}/x) = \frac{\sqrt[8]{\tilde a_6}}{\sqrt[8]{a_6}}\,(\sqrt[4]{a_6})^d\,Q(x).$$
To facilitate reference to the sources, we have preserved the notation of Lercier. Hence the polynomial $Q(x)$, of degree $d$ in Theorem VII.5, will be equated to the sought factor $F_\ell(x)$ of the division polynomial $f_\ell(x)$. The details of the proof can be found in [80] and [85]. It follows by applying Vélu's Theorem and the curve addition law. The kernel $C$ of the isogeny is written as $\{\mathcal{O}\} \cup \mathcal{S} \cup -\mathcal{S}$, $\mathcal{S}$ a subset of size $d$, whose points exhaust all distinct $x$-coordinate values of points in $C$. Notice that, since $\ell$ is odd, the point of order two is not in $C$, and thus $\mathcal{S}$ and $-\mathcal{S}$ are disjoint. Thus, using the addition law for points on the curve, an isogeny with the given kernel can be expressed as
$$\phi : (x, y) \longmapsto \left(x + \sum_{S \in \mathcal{S}}\frac{x\,S_x}{(x - S_x)^2},\ \ y + \sum_{S \in \mathcal{S}}\left(\frac{(x + y + S_x^2)\,S_x}{(x - S_x)^2} + \frac{x\,S_x^2}{(x - S_x)^3}\right)\right).$$

The first part of the theorem follows, after considerable detail, by letting $Q(x) = \prod_{S \in \mathcal{S}}(x - S_x)$ (compare with Equation (VII.5)). It follows that $Q(x)$ divides the $\ell$th division polynomial, $f_\ell(x)$. The second part of the theorem follows by observing also that $\phi \circ [2]_{a_6} = [2]_{\tilde a_6} \circ \phi$, where the subscripts on the point multiplication maps indicate the curve they take place in. This observation leads to the following corollary, which provides constraints that will eventually lead to an explicit construction of the polynomials $Q(x)$ and $P(x)$.
COROLLARY VII.6. With the notation of the preceding theorem, the polynomials $P(x)$ and $Q(x)$ must satisfy the conditions
$$x^d\,\hat Q(x + \sqrt{a_6}/x) = Q(x)P(x), \qquad \text{(VII.25)}$$
and
$$(x + \sqrt[4]{a_6})\,x^d\,\hat P(x + \sqrt{a_6}/x) = xP(x)^2 + \sqrt[4]{\tilde a_6}\,Q(x)^2, \qquad \text{(VII.26)}$$
where $\hat P(x) = \sqrt{P(x^2)}$ and $\hat Q(x) = \sqrt{Q(x^2)}$, i.e. the polynomials whose coefficients are the square roots of those of $P(x)$ and $Q(x)$ respectively.
The following corollary follows from Theorem VII.5 and Corollary VII.6 (see [80] for a proof).

COROLLARY VII.7. Let $P(x) = \sum_{i=0}^{d}p_i x^i$, $Q(x) = \sum_{i=0}^{d}q_i x^i$, $\alpha = \sqrt{a_6}$ and $\beta = \sqrt{\tilde a_6}$. Then
$$q_d = 1, \qquad q_i = \sqrt[4]{\alpha/\beta}\,(\sqrt{\alpha})^{d-2i}\,p_{d-i}, \quad i \in \{0, 1, \ldots, d\}, \qquad \text{(VII.27)}$$
and
$$p_d = 1, \qquad p_{d-1} = \alpha + \beta, \qquad p_0 = \sqrt[4]{\alpha^{2d-1}\beta}, \qquad p_{d-2} = \begin{cases} p_{d-1}^4 + \alpha p_{d-1} + \alpha^2 & \text{if } d \text{ is odd,} \\ p_{d-1}^4 + \alpha p_{d-1} & \text{if } d \text{ is even.} \end{cases} \qquad \text{(VII.28)}$$
Recall that the coefficients of the polynomial $P(x)$ (or, equivalently, $Q(x)$) are in $\mathbb{F}_{2^n}$ and that, by the preceding corollary, $p_0$, $p_{d-2}$, $p_{d-1}$ and $p_d$ are known. Comparing the coefficients that arise from an expansion of Equation (VII.26), and eliminating the $q_i$ coefficients using Equation (VII.27), yields, for $k = 0, 1, \ldots, \lfloor (d-1)/2 \rfloor$,
$$p_k^4 = \alpha^{2d-4k-1}\sum_{i=0}^{k}p_{d-2k-1+2i}\,B(d-2k-1+2i, i)\,\alpha^{2i} + \alpha^{2d-4k}\sum_{i=0}^{k}p_{d-2k+2i}\,B(d-2k+2i, i)\,\alpha^{2i}, \qquad \text{(VII.29)}$$
and, for $k = 1, \ldots, \lfloor d/2 \rfloor$,
$$p_{d-k}^4 = \alpha\sum_{i=0}^{k-1}p_{d+1-2k+2i}\,B(d+1-2k+2i, i)\,\alpha^{2i} + \sum_{i=0}^{k}p_{d-2k+2i}\,B(d-2k+2i, i)\,\alpha^{2i}, \qquad \text{(VII.30)}$$
where $B(i, j)$ denotes the binomial coefficient $\binom{i}{j} \pmod 2$.
Several techniques to solve for $p_1, p_2, \ldots, p_{d-3}$ are proposed in [80] and [85]. Three of them are outlined next.
Method 1. Beginning with the known $p_d$, $p_{d-1}$, $p_{d-2}$, and $p_0$, from Equation (VII.29), one can expand the $p_i$ in terms of a polynomial basis of $\mathbb{F}_{2^n}$ and treat the equations as a linear system of $n(d-2)$ equations in $n(d-3)$ binary variables (notice that the relations for $k = 0$ in Equation (VII.29) and $k = 1$ in Equation (VII.30) are already covered in Corollary VII.7). Unfortunately this system, using conventional methods, has complexity $O(\ell^3 n^3) = O(n^6)$ elementary $\mathbb{F}_2$ operations, which would defeat the purpose of seeking the factor $F_\ell$.
Method 2. An improvement stems from the observation that, from Equation (VII.29), by setting $k = 1$ we get $p_{d-3}$ as a function of $p_1$. From Equation (VII.30) with $k = 2$, we obtain $p_{d-4}$ as a function of $p_{d-3}$. Iterating between the two Equations (VII.29) and (VII.30), in turn, the variables $p_{d-3}, \ldots, p_{i+1}$ can be expressed as functions of $p_1, \ldots, p_i$ for $i$ approximately $d/3$. The remaining equations for $k \ge i$ contain variables raised to the power $2^i$ and thus are linear equations over $\mathbb{F}_2$, allowing reduction of a matrix one third the previous size (but still with the same asymptotics).
Method 3. An even more effective strategy results from casting the foregoing polynomial relations as a set of non-linear equations in Boolean indeterminates. To this end, the following $d+1$ additional relations are obtained by equating coefficients of $x^k$, $k = 0, 1, \dots, d$, on both sides of Equation (VII.25), and eliminating the $q_i$ coefficients by means of Equation (VII.27):
k 2i +2k ��
0-Y Z: P;PLk+i a = efi-Jvc? L Pk -2iB(d - + 2i, i) . k (VII. 3 1)
�o �o
We first notice that the equations are quadratic in the unknowns $p_i$. Thus, for instance, starting from the equation for $k = 1$ (as the one for $k = 0$ just gives the value of $p_0$ from Corollary VII.7) and rearranging terms, we have
Vfdip�pi + \(13( Ja) + P1 + 0i°P6PL 1 = 0.
This is a quadratic equation in $p_1$, with coefficients expressed in terms of known quantities. After normalization, the equation can be rewritten as
$$p_1^2 + b_1 p_1 + c_1 = 0.$$
Provided that $\mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}(c_1/b_1^2) = 0$, the equation has two solutions $\gamma_1$ and $b_1 + \gamma_1$, for some $\gamma_1 \in \mathbb{F}_{2^n}$ that can be computed explicitly using, for example, the methods of Section II.4. We write the solutions as
$$p_1 = \pi_0 b_1 + \gamma_1,$$
where $\pi_0 \in \mathbb{F}_2$ is an as yet undetermined Boolean variable. Since the curves $E_{a_6}$ and $E_{\bar a_6}$ are known to be isogenous, the trace condition must always hold.
With $p_1$ at hand (up to $\pi_0$), we proceed as in Method 2 above, turning to Equation (VII.29) with $k = 1$ to obtain $p_{d-3}$ as a function of $p_1$, and thus of $\pi_0$. Similarly, we then turn to Equation (VII.30) with $k = 2$, and obtain $p_{d-4}$ as a function of $p_{d-3}$, thus of $\pi_0$. Proceeding inductively, assume that after $K-1$ iterations ($K \ge 2$) the coefficients $p_0, p_1, p_2, \dots, p_{K-1}$, and $p_{d-2K}, \dots, p_d$ have been determined as functions of (undetermined) Boolean variables $\pi_0, \pi_1, \dots, \pi_{K-2}$. These functions will take the form of multinomials in the $\pi_i$, with coefficients in $\mathbb{F}_{2^n}$, and where the degree of each $\pi_i$ is at most one (since the $\pi_i$ take on binary values, so that $\pi_i^2 = \pi_i$). Coefficients $p_i$ that are expressed as such multinomials will be said to be $\pi$-determined, the actual set of indeterminates $\pi_i$ being understood from the context.

At the $K$th iteration, Equation (VII.31) with $k = K$ yields a quadratic equation
$$p_K^2 + b_K p_K + c_K = 0,$$
with $b_K \in \mathbb{F}_{2^n}$, and $c_K$ a polynomial function of previously $\pi$-determined coefficients. Thus $c_K$ is $\pi$-determined. The quadratic equation has solutions expressed as
$$p_K = \pi_{K-1} b_K + \gamma_K,$$
where $\gamma_K$ can be written explicitly as a function of $b_K$ and $c_K$ and is thus $\pi$-determined. This solution introduces a new Boolean variable, $\pi_{K-1}$. It is noted in [80], however, that the condition $\mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}(c_K/b_K^2) = 0$, which must hold if the quadratic equation has solutions, very often allows eliminating an 'older' variable $\pi_i$, $i < K-1$. Thus, the number of 'active' Boolean variables grows slowly with $K$. In [80], this growth is heuristically estimated as logarithmic in $K$. After $p_K$ is $\pi$-determined, Equation (VII.29) with $k = K$ and Equation (VII.30) with $k = K+1$ are used in turn to $\pi$-determine $p_{d-2K-1}$ and $p_{d-2K-2}$, respectively. This part is similar to the iteration in Method 2.
This process continues for successive values of $K$ until all coefficients $p_i$ have been $\pi$-determined, which will occur when $K$ is approximately $d/3$, depending on the value of $d$ modulo 3. At that point, $K$ relations from the sets in Equations (VII.29) and (VII.30) remain unused. The $\pi$-determined $p_i$ are substituted into these relations, resulting in a system of non-linear equations in the Boolean variables $\pi_0, \pi_1, \dots, \pi_{K-2}$. Lercier describes a heuristic method for solving this system, which iterates on back-substitutions, with experimental evidence indicating that most variables are eventually isolated. When the number of remaining unsolved variables is small, exhaustive trial can be used to obtain a consistent solution. For more details of these heuristics, see [80] and [85].

A formal complexity analysis of the method is difficult, due to the ad hoc nature of some of the procedures involving the Boolean variables. Lercier [80] estimates the complexity at $O(\ell^3)$ operations in $\mathbb{F}_{2^n}$, based on heuristics and experimental evidence. This complexity would be within the bounds dictated by the other steps of the SEA algorithm, where $F_\ell$ is used. In any case, regardless of the lack of a formal proof of running time, the method has proven extremely effective in practice for counting points on elliptic curves over very large fields of characteristic two (e.g., $\mathbb{F}_{2^{1301}}$ reported in [81] and [84], or $\mathbb{F}_{2^{1663}}$ in a recent electronic communication by Lercier).

Solving for the coefficients $p_i$ of $P(x)$ leads, through Corollary VII.7, to the determination of $Q(x)$. The latter, in turn, constitutes the desired factor $F_\ell(x)$ of the $\ell$th division polynomial $f_\ell(x)$. Thus, the polynomial $F_\ell(x)$ has now been determined for both the cases of large prime fields (Section VII.4) and characteristic two fields (this section). Thus, for either case, Step 5 of Algorithm VII.2 is complete.
VII.6. Determining the Trace Modulo a Prime Power

Beyond the computation of the trace $t$ modulo a prime $\ell$ lies the possibility that it might be computed modulo a power of the prime, $\ell^k$, for some positive integer $k$, hopefully without too much extra work. This problem has been considered, and it is of interest since it has the potential of reducing the magnitude of the largest prime required in the complete algorithm. The somewhat surprising simplicity of the results in [100] is considered first, where the characteristic of the field is assumed to be two. Recall that in this case $E[2^c] \cong \mathbb{Z}/2^c\mathbb{Z}$ for any positive integer $c$.

LEMMA VII.8 (see [100]). If $\ell = 2^c$, $c \ge 2$, then $f_\ell(x)$ has a factor $f(x)$ of degree $\ell/4$ in $\mathbb{F}_{2^n}[x]$.

The proof is immediate. Since $E[\ell] \cong \mathbb{Z}/2^c\mathbb{Z}$, $f_\ell(x)$ has only $\ell/2$ distinct roots (taking into account the point at infinity and the unique point of order two, $(0, \sqrt{a_6})$) and of these, only $\ell/4$ are $x$-coordinates of points of order $\ell$. Since the set of such points is stable under the Frobenius map, the $\ell$th division polynomial has a factor of degree $\ell/4$. Remarkably, the next lemma shows how these polynomials can be constructed recursively.
LEMMA VII.9 (see [100]). Let $\ell = 2^c$ and define the sequence of polynomials $\{g_i(x)\}$ in $\mathbb{F}_{2^n}[x]$ as follows:
$$g_0(x) = x,$$
$$g_1(x) = b_1 + x, \quad \text{where } a_6 = b_1^4,$$
$$g_i(x) = (g_{i-1}(x))^2 + b_i\,x\prod_{j=1}^{i-2}(g_j(x))^2, \quad \text{where } a_6 = b_i^{2^{i+1}},\ i \ge 2.$$
Then $g_{c-1}(x)$ is a factor of degree $\ell/4$ of $f_\ell(x)$ in $\mathbb{F}_{2^n}[x]$. Moreover, the roots of $g_{c-1}(x)$ are precisely the $x$-coordinates of points of order $\ell$.
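The recurrence of Lemma VII.9 is easy to exercise on a small field. The following Python block is an added example, not code from the book or from [100]: it implements $\mathbb{F}_{2^6}$ arithmetic with the reduction polynomial $x^6 + x + 1$ (our choice; any irreducible sextic would do), builds $g_1$, $g_2$, $g_3$ for the curve $Y^2 + XY = X^3 + 1$ of Example 1 below, and checks by brute force that the roots of $g_{c-1}$ are exactly the $x$-coordinates of the points of order $2^c$. The case $c = 4$ is included deliberately: the group has order 56, so there are no points of order 16 and $g_3$ has no roots in $\mathbb{F}_{2^6}$, which is the expected outcome rather than a failure.

```python
# Added example (not from the book): Lemma VII.9 over F_{2^6}, checked against
# brute-force point orders on y^2 + xy = x^3 + a6.  Field elements are integers
# whose bit i is the coefficient of x^i; x^6 + x + 1 is our own choice of modulus.
N = 6
Q = 1 << N                  # field size 2^N
MOD = Q | 0b11              # x^6 + x + 1 (irreducible over F_2)

def gf_mul(a, b):
    """Multiply in F_{2^N}: carry-less product, reduced by MOD bit by bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    return gf_pow(a, Q - 2)

def gf_sqrt(a):
    """Squaring is a bijection in characteristic two, so sqrt(a) = a^(2^(N-1))."""
    return gf_pow(a, Q // 2)

# Polynomials over F_{2^N}: coefficient lists, index = degree.
def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r

def poly_add(p, q):
    n = max(len(p), len(q))
    p = p + [0] * (n - len(p))
    q = q + [0] * (n - len(q))
    return [u ^ v for u, v in zip(p, q)]

def poly_eval(p, x):
    acc = 0
    for c in reversed(p):
        acc = gf_mul(acc, x) ^ c
    return acc

def lemma_polynomials(a6, c):
    """g_0, ..., g_{c-1} of Lemma VII.9 (c >= 2); g_{c-1} has degree 2^(c-2)."""
    b = gf_sqrt(gf_sqrt(a6))             # b_1 with b_1^4 = a6
    g = [[0, 1], [b, 1]]                 # g_0 = x,  g_1 = x + b_1
    for i in range(2, c):
        b = gf_sqrt(b)                   # b_i with b_i^(2^(i+1)) = a6
        prod = [1]
        for j in range(1, i - 1):        # prod_{j=1}^{i-2} g_j(x)^2
            prod = poly_mul(prod, poly_mul(g[j], g[j]))
        g.append(poly_add(poly_mul(g[i - 1], g[i - 1]), poly_mul([0, b], prod)))
    return g

def roots(p):
    """All roots of p in F_{2^N}, by exhaustive evaluation (fine for N = 6)."""
    return {x for x in range(Q) if poly_eval(p, x) == 0}

# Arithmetic on y^2 + xy = x^3 + a6 (a2 = 0); None is the point at infinity.
def ec_add(P, R):
    if P is None:
        return R
    if R is None:
        return P
    x1, y1 = P
    x2, y2 = R
    if x1 == x2:
        if y1 != y2:                     # R = -P = (x1, x1 + y1)
            return None
        if x1 == 0:                      # doubling the unique point of order two
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def curve_points(a6):
    """All affine points, by brute force over the 2^(2N) pairs."""
    return [(x, y) for x in range(Q) for y in range(Q)
            if gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x) ^ a6]

def point_order(P):
    k, R = 1, P
    while R is not None:
        R = ec_add(R, P)
        k += 1
    return k

def x_coords_of_order(a6, m):
    """x-coordinates of the points of exact order m, found the slow way."""
    return {P[0] for P in curve_points(a6) if point_order(P) == m}

def check_lemma(a6, c):
    """Roots of g_{c-1} versus x-coordinates of points of order 2^c."""
    return roots(lemma_polynomials(a6, c)[c - 1]) == x_coords_of_order(a6, 2 ** c)
```

For $a_6 = 1$ all $b_i$ equal 1, so $g_1 = x + 1$, $g_2 = x^2 + x + 1$ and $g_3 = x^4 + x^3 + x^2 + x + 1$; the roots of $g_2$ are the two elements of $\mathbb{F}_4 \subset \mathbb{F}_{2^6}$ of order three, and the points above them have order 8.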
Of course, the higher the power of two that can be used in the computation, the fewer other primes need be used. On the other hand, too high a power of two would increase the complexity of computations involving $g_{c-1}(x)$ above. In practice, a good choice is $c \approx \log_2 n$, so that $\ell = 2^c$ is of the same order of magnitude as the largest primes used in the algorithm.

More generally, for using powers of primes, the work of Couveignes [35] and of Couveignes and Morain [36] is noted. The idea in this work is to create a cycle of isogenies between curves (finite since there is a finite number of such curves). For an Elkies prime $\ell$ one finds the two roots of $\Phi_\ell(x, j)$ where $j$ is the $j$-invariant of the given curve. Choosing one of these, $j_1$, one finds next a root of $\Phi_\ell(x, j_1)$, and so on. The process leads to a polynomial of degree $\ell^{k-1}(\ell-1)/2$, which one uses to compute $t$ modulo $\ell^k$. Notice that in the case of characteristic 2, and $\ell = 2^k$, this polynomial is of degree $2^{k-1}/2 = 2^{k-2} = \ell/4$. The reader is referred to the references [35] and [36] for the details.
VII.7. The Elkies Procedure

Sections VII.4 and VII.5 have described the construction of the polynomial $F_\ell(x)$, a factor of degree $(\ell-1)/2$ of the $\ell$th division polynomial, for the Elkies prime $\ell$, in the cases of odd and even characteristic, respectively. Section VII.6 discussed the construction of a similar polynomial, of even lower degree, for the case where $\ell$ is a power of a small prime. In this section we review how $F_\ell$ is used to determine the trace of Frobenius modulo $\ell$. The technique was already mentioned in Section VII.2.1, so only a brief description is given here.

The computation is very similar to that of the basic Schoof algorithm of Section VII.1, with the two exceptions of using the polynomials $F_\ell(x)$ in the place of the division polynomials $f_\ell(x)$ and the fact that, for an Elkies prime $\ell$, we are guaranteed the existence of eigenspaces of the Frobenius map in the group of torsion points. Suppose the Frobenius endomorphism $\varphi$ has the eigenvalue $\lambda \in \mathbb{F}_\ell$ on $C$, the Galois stable subgroup of $E[\ell]$ defined by the roots of $F_\ell$. This means that, for $(x, y) \in C$,
(VII.32)
Since $\varphi$ satisfies the equation
$$\varphi^2 - [t]\varphi + [q] = [0]$$
we have $t \equiv \lambda + q/\lambda \pmod \ell$. Hence to compute $t \pmod \ell$ in this case, it is sufficient to find the eigenvalue $\lambda$ satisfying Equation (VII.32). As before, this can be done by checking for values $1 \le \lambda \le \ell - 1$, and, since $\ell$ is prime, only one such value will satisfy the equation. It is noted, however, that not all values of $\lambda$ need be checked since, much as for the Atkin case, Case (ii) of Proposition VII.2 also restricts the number of possible values, in addition to the reduction stemming from having to check only one value from each pair $\pm\lambda$.

To check Equation (VII.32), it is necessary to compute $x^q$ and $y^q$ modulo the polynomial $F_\ell(x)$ and the curve equation. Using an idea similar to that used in the original Schoof algorithm, one computes, in the case of large prime characteristic,
$$h(x, y) = \bigl((x^p - x)\,\psi_\lambda^2(x, y) + \psi_{\lambda-1}(x, y)\,\psi_{\lambda+1}(x, y)\bigr) \pmod{F_\ell(x),\ y^2 - x^3 - ax - b} = a(x) + y\,b(x),$$
where in this case the $\psi_i$ are the bi-variate division polynomials. As before, one checks the existence of a point in $C$ that satisfies this equation by computing
$$H(x) = \gcd(a(x), b(x), F_\ell(x)).$$
If $H(x) = 1$ then $\lambda$ is not an eigenvalue and if $H(x) \ne 1$ then the corresponding $y$-coordinates are checked. The details for fields of characteristic 2 are similar.

At this point, Algorithm VII.2 has been completed down to Step 8.
VII.8. The Atkin Procedure

In what follows, it is assumed that $\ell$ is an Atkin prime, i.e., $t^2 - 4q$ is not a square in $\mathbb{F}_\ell$. A slightly more detailed version of the Atkin algorithm than that outlined in Section VII.2.2 is given here.

The previous information can be interpreted as follows. If $t$ is the trace of the Frobenius endomorphism so that $\varphi^2 - [t]\varphi + [q]$ is the zero map, and if $\ell$ is an Atkin prime, then the polynomial $x^2 - tx + q \pmod \ell$ splits in $\mathbb{F}_{\ell^2}$, with two roots $\lambda$ and $\mu$ such that $\lambda, \mu \in \mathbb{F}_{\ell^2} \setminus \mathbb{F}_\ell$. The element $\lambda/\mu = \gamma_r$ is then an element of order $r$ in $\mathbb{F}_{\ell^2}$. As noted, this $r$ is exactly the number $r$ of Proposition VII.2, and the possible values of $\gamma_r$ are the elements of order $r$ in $\mathbb{F}_{\ell^2}$ in this case. The elements of order $r$ in $\mathbb{F}_{\ell^2}$ can be determined easily by first finding a generator $g$ for $\mathbb{F}_{\ell^2}^*$, and then computing $\gamma_r = g^{i(\ell^2-1)/r}$, where $i \in \{1, \dots, r-1\}$ is coprime to $r$.
Enumerating all possibilities for $\gamma_r$ we obtain a set of possible values for $t \pmod \ell$. These are obtained from the equations
$$t \equiv \lambda + \mu \pmod \ell, \qquad q \equiv \lambda\mu \pmod \ell, \qquad \gamma_r = \lambda/\mu.$$
To show the simplicity of the technique, the steps will be explained in detail. Write $\lambda = x_1 + \sqrt d\, x_2$ and $\gamma_r = g_1 + \sqrt d\, g_2$, for a quadratic non-residue $d \in \mathbb{F}_\ell$, $\mathbb{F}_{\ell^2} = \mathbb{F}_\ell[\sqrt d]$. The values of $x_1$ and $x_2$ are not known, but the possible values for $g_1$ and $g_2$ are. Since $\mu$ is the conjugate of $\lambda$ we have $\mu = x_1 - \sqrt d\, x_2$, from which the following equation is derived:
$$g_1 + \sqrt d\, g_2 = \gamma_r = \frac{\lambda}{\mu} = \frac{\lambda^2}{\lambda\mu} = \frac{\lambda^2}{q} = \frac{x_1^2 + d x_2^2 + 2 x_1 x_2 \sqrt d}{q}.$$
Hence
$$q g_1 \equiv x_1^2 + d x_2^2 \pmod \ell, \qquad q g_2 \equiv 2 x_1 x_2 \pmod \ell, \qquad q \equiv x_1^2 - d x_2^2 \pmod \ell.$$
Hence, $x_1^2 \equiv q(g_1 + 1)/2 \pmod \ell$, from which at most two possible values for $x_1$ can be derived. The required value of $t \pmod \ell$ is then obtained from $t \equiv 2 x_1 \pmod \ell$. An expansion of the Atkin section of Algorithm VII.2 (Steps 10 and 11) is given below, for a fixed Atkin prime $\ell$, as follows:
ALGORITHM VII.4: Atkin Procedure.
INPUT: A curve $E$ over a finite field $\mathbb{F}_q$ and a prime $\ell$.
OUTPUT: A pair $(T, \ell)$, $T$ the set of the possible traces $t \pmod \ell$.
1. $T \leftarrow \{\}$.
2. Determine the splitting behaviour of $\Phi_\ell(x, j)$ in $\mathbb{F}_q$.
3. Determine $r$ using Proposition VII.2.
4. Determine a generator $g$ of $\mathbb{F}_{\ell^2}^* = \mathbb{F}_\ell[\sqrt d]^*$.
5. $S \leftarrow \{ g^{i(\ell^2 - 1)/r} : \gcd(i, r) = 1 \}$.
6. For each $\gamma_r \in S$ do:
7.   Write $\gamma_r = g_1 + \sqrt d\, g_2$.
8.   $z \leftarrow q(g_1 + 1)/2 \pmod \ell$.
9.   If $z$ is a square modulo $\ell$ then do:
10.    $x \leftarrow \sqrt z \pmod \ell$.
11.    $T \leftarrow T \cup \{2x, -2x\}$.
12. Return $(T, \ell)$.
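Algorithm VII.4 in code, as an added example (not from the book): $\mathbb{F}_{\ell^2}$ is represented as pairs $(a, b) = a + b\sqrt d$ with $d$ the smallest non-residue, and the generator is found by exhaustive search, which is adequate for the small $\ell$ in the examples of Section VII.10. The value of $r$ is taken as input, since it comes from the splitting of $\Phi_\ell$, which is not computed here. The checks reproduce the Atkin data of Examples 1 and 2; the third check uses $\ell = 7$ for the curve of Example 3 with $r = 8$, an assumption on our part, as Example 3 does not list $r$-values.

```python
# Added example (not from the book): Algorithm VII.4 with F_{l^2} = F_l[sqrt(d)]
# represented as pairs (a, b) = a + b*sqrt(d).  The generator g of F_{l^2}^* is
# found by exhaustive search, which is adequate for the small l used here.
from math import gcd

def prime_factors(n):
    out, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            out.add(p)
            n //= p
        p += 1
    if n > 1:
        out.add(n)
    return out

def nonresidue(l):
    """Smallest quadratic non-residue d modulo the odd prime l."""
    d = 2
    while pow(d, (l - 1) // 2, l) != l - 1:
        d += 1
    return d

def f2_mul(u, v, d, l):
    (a1, b1), (a2, b2) = u, v
    return ((a1 * a2 + d * b1 * b2) % l, (a1 * b2 + a2 * b1) % l)

def f2_pow(u, e, d, l):
    r = (1, 0)
    while e:
        if e & 1:
            r = f2_mul(r, u, d, l)
        u = f2_mul(u, u, d, l)
        e >>= 1
    return r

def generator(l, d):
    """A generator of F_{l^2}^*: its order is not a proper divisor of l^2 - 1."""
    n = l * l - 1
    for a in range(l):
        for b in range(1, l):          # elements of F_l itself cannot generate
            g = (a, b)
            if all(f2_pow(g, n // p, d, l) != (1, 0) for p in prime_factors(n)):
                return g
    raise ValueError("no generator found")

def sqrt_mod(z, l):
    for x in range(l):
        if x * x % l == z % l:
            return x
    return None

def atkin_traces(q, l, r):
    """Possible values of t mod l for an Atkin prime l > 2 with r-value r (Algorithm VII.4)."""
    d = nonresidue(l)
    g = generator(l, d)
    inv2 = pow(2, -1, l)
    T = set()
    for i in range(1, r):
        if gcd(i, r) != 1:
            continue
        g1, _g2 = f2_pow(g, i * (l * l - 1) // r, d, l)   # gamma_r = g1 + g2*sqrt(d)
        z = q * (g1 + 1) * inv2 % l                      # x1^2 = q (g1 + 1) / 2
        x = sqrt_mod(z, l)
        if x is not None:
            T |= {2 * x % l, (-2 * x) % l}
    return T
```

Conjugate elements $\gamma_r$ and $\gamma_r^{-1}$ share the same $g_1$, so at most $\varphi(r)$ trace values come out; for $r = 2$ the only element is $-1$, giving $z = 0$ and the single candidate $t \equiv 0$, which is the $\ell = 3$ case of Example 1.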

For each Atkin prime $\ell$, a set $T = \{t_1, \dots, t_u\}$ of at most $\varphi(r)$ possible traces modulo $\ell$ is obtained. In many cases $r$ is a relatively small integer making the search described later for the exact value simpler. However, the complexity-conscious reader will undoubtedly have noticed that, even if the sets $T$ are relatively small, the number of possible values of the trace one needs to check grows exponentially with the number of Atkin primes. This number, in turn, could be about one half the number of primes considered, or $O(\log q)$. This means that if the algorithm processes all the Atkin primes it encounters, the complexity is, in effect, exponential in $\log q$.

A way out of this problem, from a complexity-theoretic point of view, is to just use Elkies primes. However, this implies having to deal with modular polynomials of higher degree, which is in itself a problem. So the best practical compromise is obtained by judicious use of the Atkin procedure, where only the 'best' Atkin primes (i.e. those giving small sets $T$) are retained, and the overall size of the set of potential traces is bounded. In addition, the search for the exact value of the trace among the candidates defined by the Atkin algorithm can be significantly accelerated by means of a BSGS procedure described in the next section. Thus, for practical values of $\log q$, the Atkin procedure still plays a useful role in the algorithm, although as $\log q$ increases, the proportion of Elkies primes used needs to increase, to maintain a computational complexity balance. An example of this trade off is given at the end of Section VII.10, for a fairly large value of $\log q$.

Next, we show how to combine the Atkin information with the exact values obtained from the Elkies primes, to determine the exact value of the trace of Frobenius, and hence the group order of the curve.
VII.9. Combining the Information from Elkies and Atkin Primes

At this point we have completed down to Step 13 of Algorithm VII.2, assuming a sufficiently large number of primes has been considered to satisfy Step 2. It remains to complete the algorithm by finding the exact value of $t$ from the information gathered. Our exposition will follow that given in Müller's thesis [110].

The data from the Elkies primes is combined via the CRT, to determine two numbers $t_3$ and $m_3$ such that
$$t \equiv t_3 \pmod{m_3}.$$
Here, $m_3$ is the product of all the Elkies primes used. The set of Atkin primes is divided into two sets such that each set gives roughly the same number of possible traces modulo the respective moduli. Again using the CRT on these two sets in turn, we determine two moduli $m_1$ and $m_2$ and two sets $S_1$ and $S_2$ such that
$$t \equiv t_1 \pmod{m_1} \text{ with } t_1 \in S_1, \qquad t \equiv t_2 \pmod{m_2} \text{ with } t_2 \in S_2.$$
Clearly $m_1$, $m_2$ and $m_3$ are pairwise coprime. It will be assumed that enough Atkin and Elkies primes have been taken so that
$$m_1 m_2 m_3 > 4\sqrt q.$$
Since $|t| \le 2\sqrt q$, if $t \pmod{m_1 m_2 m_3}$ is determined then we will have found $t$ exactly and hence the group order.

The exact value of $t$ is now determined by the type of space/time trade off seen in the BSGS. Note that we can write
$$t = t_3 + m_3(m_1 r_2 + m_2 r_1)$$
for some integers $r_1$ and $r_2$ with
$$r_1 \equiv \frac{t_1 - t_3}{m_2 m_3} \pmod{m_1}, \qquad r_2 \equiv \frac{t_2 - t_3}{m_1 m_3} \pmod{m_2},$$
where $t \equiv t_1 \pmod{m_1}$ and $t \equiv t_2 \pmod{m_2}$. But the exact values of $t_1$ and $t_2$ are not known; all that is known is that they come from the finite sets $S_1$ and $S_2$.

Although the above formulae give $r_1$ and $r_2$ modulo $m_1$ and $m_2$, they say nothing whatever about the sizes of the required $r_1$ and $r_2$. Fortunately the following lemma is available:

LEMMA VII.10. If we choose $|r_1| \le m_1/2$ then $|r_2| \le m_2$.

PROOF. Using the above equation it is seen that
$$r_2 = \frac{1}{m_1 m_3}\,(t - t_3 - m_2 m_3 r_1).$$
Hence,
$$|r_2| \le \frac{1}{m_1 m_3}\,(|t| + |t_3| + m_2 m_3 |r_1|) \le \frac{2\sqrt q}{m_1 m_3} + \frac{1}{m_1} + \frac{m_2}{2} < \frac{m_2}{2} + 1 + \frac{m_2}{2} = 1 + m_2,$$
since $m_1 m_2 m_3 > 4\sqrt q$ and $|t_3| < m_3$; as $r_2$ is an integer, $|r_2| \le m_2$. □
The group order of our curve is $q + 1 - t$, and so for any point $P \in E(\mathbb{F}_q)$ we must have $[q + 1 - t]P = O$. Rearranging this a little yields
$$[q + 1 - t_3]P - [r_1 m_2 m_3]P = [r_2 m_1 m_3]P.$$
It should now be clear how to proceed to determine $r_1$ and $r_2$, and hence $t$. A random point, $P$, is chosen on the curve, which does not have an obviously small order. For every possible value of $t_1 \pmod{m_1}$ the corresponding value of $r_1 \equiv (t_1 - t_3)/(m_2 m_3) \pmod{m_1}$ is computed. Taking the value of $r_1$ such that $|r_1| \le m_1/2$, compute
$$Q_{r_1} = [q + 1 - t_3]P - [r_1 m_2 m_3]P$$
and store the value $(Q_{r_1}, r_1)$ in a table which is sorted on the $Q_{r_1}$. This table creation phase is the analogue of the baby steps in BSGS. The table is sorted so as to allow for easy table lookup in the following phase.

We now proceed with the analogue of the giant steps. Each possible value of $t_2$ is taken in turn and the corresponding value of $r_2 \equiv (t_2 - t_3)/(m_1 m_3) \pmod{m_2}$ is computed. We will need to take all such values of $r_2$ in the set $\{-m_2, \dots, m_2\}$. The points
$$R_{t_2} = [r_2 m_1 m_3]P$$
are computed and it is checked whether $R_{t_2}$ is one of the elements in the table computed earlier. If so, then we have determined a pair of 'matching' $r_1$ and $r_2$. This pair allows the determination of a possible value for $t$, which in turn gives a possible value for the group order, $m$. This group order can then be checked to be correct by means of random curve points, as discussed in Section VI.2.
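The matching step above, as an added example not taken from the book or from [110]: a toy curve $Y^2 = X^3 + 2X + 3$ over $\mathbb{F}_{10007}$ (our choice of parameters) is small enough that $t$ can be found by brute force, and the 'Elkies' residue modulo 11 and the 'Atkin' candidate sets for 3, 5 and 7 are manufactured from that value, so what the code exercises is the CRT bookkeeping, the choice $|r_1| \le m_1/2$, the range $|r_2| \le m_2$ of Lemma VII.10 and the table lookup. The point $P$ is chosen with order greater than $4\sqrt q$, which makes the match unique: two traces both matched by $P$ would differ by a multiple of its order, yet both lie within $2\sqrt q$ of zero.

```python
# Added example (not from the book): the BSGS matching of Section VII.9 on a
# toy curve y^2 = x^3 + 2x + 3 over F_10007 (parameters chosen here).  The
# residue data is manufactured from the true trace, which this small example
# can afford to obtain by brute force.
import math

P_MOD, A, B = 10007, 2, 3          # p = 3 (mod 4), so square roots are a single power

def ec_add(P1, P2):
    """Affine addition on y^2 = x^3 + Ax + B over F_p; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    if k < 0:
        k, P = -k, None if P is None else (P[0], (-P[1]) % P_MOD)
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def brute_force_trace():
    """t = p + 1 - #E(F_p), counting points via the Legendre symbol of x^3 + Ax + B."""
    n = 1
    for x in range(P_MOD):
        rhs = (x * x * x + A * x + B) % P_MOD
        if rhs == 0:
            n += 1
        elif pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            n += 2
    return P_MOD + 1 - n

def point_order(P):
    k, R = 1, P
    while R is not None:
        R = ec_add(R, P)
        k += 1
    return k

def some_point_of_large_order():
    """First point found whose order exceeds 4 sqrt(p), so that a match pins t down."""
    for x in range(P_MOD):
        rhs = (x * x * x + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if rhs and y * y % P_MOD == rhs and point_order((x, y)) > 4 * math.isqrt(P_MOD) + 4:
            return (x, y)
    raise ValueError("no suitable point")

def crt(residues, moduli):
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, mod) % mod)
        m *= mod
    return x % m, m

def combine_atkin(trace_sets):
    """Every CRT combination of one candidate per Atkin prime -> (set of residues, modulus)."""
    combos, m = {0}, 1
    for l, T in trace_sets.items():
        combos = {crt([x, t], [m, l])[0] for x in combos for t in T}
        m *= l
    return combos, m

def recover_trace(t3, m3, S1, m1, S2, m2, P):
    """Baby steps over S1, giant steps over S2; returns the matched trace values."""
    base = ec_mul(P_MOD + 1 - t3, P)
    inv1 = pow(m2 * m3, -1, m1)
    table = {}
    for t1 in S1:                                   # baby steps
        r1 = (t1 - t3) * inv1 % m1
        if r1 > m1 // 2:                            # take |r1| <= m1/2
            r1 -= m1
        table[ec_add(base, ec_mul(-r1 * m2 * m3, P))] = r1
    inv2 = pow(m1 * m3, -1, m2)
    found = set()
    for t2 in S2:                                   # giant steps
        residue = (t2 - t3) * inv2 % m2
        for r2 in range(-m2, m2 + 1):               # Lemma VII.10: |r2| <= m2
            if r2 % m2 != residue:
                continue
            R = ec_mul(r2 * m1 * m3, P)
            if R in table:
                t = t3 + m3 * (m1 * r2 + m2 * table[R])
                if t * t <= 4 * P_MOD:              # Hasse bound
                    found.add(t)
    return sorted(found)

def demo():
    t = brute_force_trace()
    t3, m3 = t % 11, 11                                                # one 'Elkies' prime
    S1, m1 = combine_atkin({3: {t % 3, -t % 3}, 5: {t % 5, -t % 5}})  # 'Atkin' sets are symmetric
    S2, m2 = combine_atkin({7: {t % 7, -t % 7}})
    assert m1 * m2 * m3 > 4 * math.isqrt(P_MOD)                        # 1155 > 4 sqrt(10007)
    return recover_trace(t3, m3, S1, m1, S2, m2, some_point_of_large_order()), t
```

With $m_1 = 15$, $m_2 = 7$, $m_3 = 11$ the baby table has at most four entries and the giant phase performs at most two point multiplications per candidate; the same code scales to real parameters by replacing the brute-force inputs with the outputs of the Elkies and Atkin procedures.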
VII.10. Examples

Example 1. The number of points on the elliptic curve
$$E : Y^2 + XY = X^3 + 1$$
over the finite field $\mathbb{F}_{2^6}$ is computed. This is a contrived example, since not only is it quite small but in addition the number of points could be computed trivially, from a recurrence relation, once the number of points in $E(\mathbb{F}_2)$ (which is 4) has been determined. It is nonetheless instructive.

First, notice that only the trace modulo a number larger than $4\sqrt{64} = 32$ need be determined. Hence the trace modulo the primes 2, 3, 5 and 7 is found.

$\ell = 2$. Since the curve is not supersingular we know that the trace is an odd number. Hence $t \equiv 1 \pmod 2$.

$\ell = 3$. The prime 3 is an Atkin prime, since the modular polynomial $\Phi_3(s, t)$ factors over $\mathbb{F}_{2^6}$ as a product of two quadratic polynomials. The method for Atkin primes with $r = 2$ is then applied. Hence there is only one possibility for the trace modulo 3 and that is 0.

$\ell = 5$. The prime 5 is an Elkies prime and we can quickly determine that 2 is an eigenvalue of the Frobenius morphism modulo 5. Hence the trace modulo 5 is equal to 4.

$\ell = 7$. This case is also an Elkies prime, with eigenvalue 1. The trace is therefore 2 modulo 7.

Using the CRT it is found that 9 is the unique integer, $t$, modulo $210 = 2 \cdot 3 \cdot 5 \cdot 7$ for which
$$t \equiv 1 \pmod 2, \quad t \equiv 0 \pmod 3, \quad t \equiv 4 \pmod 5, \quad t \equiv 2 \pmod 7.$$
Hence the actual trace, which must satisfy $|t| \le 2\sqrt q = 16$, is also equal to 9. But this means the group order is
$$q + 1 - t = 64 + 1 - 9 = 56.$$
This group order can then be verified either by using the recurrence sequence mentioned earlier or by multiplying a set of random points on $E(\mathbb{F}_{2^6})$ by 56.
Example 2. As a more challenging example consider the curve
$$E : Y^2 + XY = X^3 + 1 + \theta^{18}$$
over $\mathbb{F}_{2^{20}}$ where
$$\theta^{20} + \theta^3 + 1 = 0.$$
The four odd primes less than 13 are used and it is found that there are two Elkies and two Atkin primes. The data for the Elkies primes is

Prime  Eigenvalue  Trace
7      1           5
11     4           7

The data for the Atkin primes is summarized in the table

Prime  r-Value  Possible Traces
3      2        0
5      3        1 or 4

Using the method for determining the trace modulo $2^c$, it is found that the trace modulo 8 is given by 1. Putting all this information together, and testing the possible traces with various random points on $E(\mathbb{F}_{2^{20}})$, it is seen that the trace is equal to 1041. Hence the group order is equal to 1047536. Such an example as this takes well under a second to determine the group order, whilst a brute force enumeration of the group order takes over ten seconds.
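The integer arithmetic of Examples 1 and 2 (the CRT, the Hasse interval and the recurrence for $\#E(\mathbb{F}_{2^n})$ from $\#E(\mathbb{F}_2)$), as an added Python example that is not part of the book. The last check shows what happens with the wrong Atkin candidate for $\ell = 5$ in Example 2: the CRT value has no lift with $|t| \le 2\sqrt q$, so that candidate could be rejected even before trying random points.

```python
# Added example (not from the book): CRT-combine residues of t, lift into the
# Hasse interval |t| <= 2 sqrt(q), and check the order against the recurrence.

def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for pairwise coprime moduli; returns (x, prod m_i)."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, mod) % mod)
        m *= mod
    return x % m, m

def trace_from_residues(q, residues):
    """residues: {modulus: t mod modulus}.  Requires prod(moduli) > 4 sqrt(q).
    Returns the unique lift with |t| <= 2 sqrt(q), or None if no candidate fits."""
    t0, m = crt(list(residues.values()), list(residues.keys()))
    if m * m <= 16 * q:
        raise ValueError("moduli too small to pin down t")
    for t in (t0, t0 - m):             # the only candidates in the interval (-m, m)
        if t * t <= 4 * q:
            return t
    return None

def trace_over_extension(t1, p, n):
    """t_n = alpha^n + beta^n with alpha + beta = t1, alpha*beta = p:
    t_k = t1 * t_{k-1} - p * t_{k-2}, starting from t_0 = 2, t_1 = t1."""
    prev, cur = 2, t1
    for _ in range(n - 1):
        prev, cur = cur, t1 * cur - p * prev
    return cur

def group_order_from_base_field(p, n, points_over_fp):
    """#E(F_{p^n}) from #E(F_p), via the recurrence on the trace."""
    return p ** n + 1 - trace_over_extension(p + 1 - points_over_fp, p, n)
```

For Example 1 the four residues give $t_0 = 9$ with modulus 210, and since $210 > 32$ the lift is unique; the recurrence started from $\#E(\mathbb{F}_2) = 4$ (so $t_1 = -1$) returns the same trace 9 after six steps.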
Example 3. This is a more challenging example, which is still too small for use in cryptography. We take the curve
$$E : Y^2 = X^3 + 1150871587567420791922262222331\,X + 541310902418759379329983067119$$
over the field of $p = 1267650600228229401496703205653 = 2^{100} + 277$ elements. Using all the primes up to 43 we find that there are four Elkies primes and ten Atkin primes. The data we summarize below; first the Elkies primes,

Prime  Eigenvalue  Trace
13     -6          8
19     -2          3
29     -13         24
43     18          36

and now the Atkin primes,

Prime  Possible Traces
2      1
3      1 or 2
5      0
7      1, 3, 4 or 6
11     5 or 6
17     3, 6, 8, 9, 11 or 14
23     2, 10, 13 or 21
31     3, 5, 7, 8, 9, 10, 12, 15, 16, 19, 21, 22, 23, 24, 26 or 28
37     1, 2, 8, 9, 10, 12, 14, 15, 18, 19, 22, 23, 25, 27, 28, 29, 35 or 36
41     9, 10, 15, 26, 31 or 32

Putting all this data together we find that the group order is equal to
$$1267650600228229462216521077879$$
which is
$$13 \cdot 97511584632940727862809313683.$$
Example 4. Here, we consider a 'real life' curve over a very large field of characteristic two, $\mathbb{F}_{2^{431}}$. In fact, recalling the key length comparisons of Section I.3, this field size probably exceeds the security requirements of most cryptographic applications. The curve and order are listed in Example 23 in the Appendix. The SEA algorithm, using Lercier's improvements, was run on the twist of the curve. First, the value of the trace modulo 64 was determined using the techniques of Section VII.6. Then, prime values of $\ell \ge 3$ were considered. Of them, the following 22 numbers were found to be Elkies primes, and the trace of Frobenius modulo each of them was determined:
$$13, 19, 41, 43, 59, 61, 71, 73, 97, 103, 109, 113, 127, 131, 139, 167, 173, 179, 181, 193, 197, 199.$$
The product of 64 and the 22 Elkies primes is a 150-bit integer. The number of bits of uncertainty for the trace of Frobenius is 218. The remaining gap of 68 bits is closed with the aid of the Atkin primes. The following 24 numbers were found to be Atkin primes:
$$3, 5, 7, 11, 17, 23, 29, 31, 37, 47, 53, 67, 79, 83, 89, 137, 151, 191, 211.$$
Due to the complexity considerations discussed in Section VII.8, only a subset consisting of 13 of these primes, and the associated possible trace values, were kept. Those kept were divided into two sets, one for the 'baby' steps, one for the 'giant' steps, as discussed in Section VII.9. The two sets are listed below. For each prime, the number of potential trace values modulo that prime is listed. Also, the total number of traces for each set is listed.

Baby steps                 Giant steps
Prime   # Traces           Prime   # Traces
5       2                  7       2
11      4                  29      1
23      1                  53      18
31      4                  79      4
47      4                  89      8
151     18                 191     8
211     2
Total traces: 4608         Total traces: 9216

The product of the Atkin primes kept is a 70-bit integer, closing the gap as claimed. As seen in the example, even though the Atkin procedure is in principle of exponential complexity, the BSGS technique and judicious management of the traces kept allow for good utilization of Atkin primes within very reasonable complexity limits.
VII.11. Further Discussion

It should be noted that there are two other algorithms for the computation of isogenies of degree $\ell$, both due to Couveignes ([34], [33]) and both valid over any field of characteristic. The first uses the theory of formal groups of elliptic curves to establish the isogeny of degree $\ell$, and thence the factor $F_\ell(X)$ of the $\ell$th division polynomial. This algorithm is characterized in [33] as being of the same asymptotic complexity as Lercier's, but in practice slower by a significant constant factor. The second algorithm of Couveignes notes that, in a field of characteristic $p$, the $p^k$th division polynomial is a $p^k$th power of a polynomial $\hat f_{p^k}$ of degree $d_k = (p^k - 1)/2$ if $p$ is odd and $2^{k-1}$ if $p$ is even.

Suppose an isogeny $\phi$ of degree $\ell$, $\gcd(\ell, p) = 1$, maps the curve $E_1$ to $E_2$. Let $P_1$ be a primitive point of $E[p^k]$ in $E_1$. Suppose the isogeny maps this point to a primitive point $P_2$ in $E_2[p^k]$. Then the isogeny maps $[m]P_1$ to $[m]P_2$ for all $1 \le m < p^k$. Let $A(X)$ be the polynomial of degree $d_k - 1$ such that $A(([m]P_1)_x) = ([m]P_2)_x$, $1 \le m \le d_k$. It follows that
$$\phi(X) = \frac{G_\ell(X)}{F_\ell(X)^2} \equiv A(X) \pmod{\hat f_{p^k}(X)}.$$
Knowing the polynomial $A(X)$ and the division polynomial factor $\hat f_{p^k}(X)$, this equation can be solved for $G_\ell(X)$ and $F_\ell(X)$, the sought factor of the division polynomial, by either the Berlekamp [9] or extended Euclidean [61] algorithms. Of course, $E[p^k]$ may not be rational and the interpolation to find $A(X)$ must be done over an extension field. In addition it is required to find primitive $p^k$-torsion points. Further details on these and other aspects of the algorithm can be found in [84] and [33].
CHAPTER VIII
Generating Curves using Complex Multiplication

The CM method of computing elliptic curves over a finite field uses the theory of complex multiplication of elliptic curves over the rationals. The method for finding elliptic curves over a field of large prime characteristic will be described in this chapter. The case of characteristic two follows with some minor modification, and a brief outline will be given below. The main ideas for the large prime characteristic case can be found in [73], although the method originally arose in the context of the elliptic curve primality proving algorithm (see [7] and Chapter IX). An accessible account of the method can be found in [107].
VIII.1. The Theory of Complex Multiplication

Only a brief outline of the theory will be given here. The interested reader should consult a book, such as [148] or [29], for the details. As remarked earlier two elliptic curves are isomorphic over the algebraic closure if their $j$-invariants are equal. In discussing $j$-invariants two special cases, given by $j = 0$ and $j = 1728$, need to be singled out. Given a complex $j$-invariant, an elliptic curve over $\mathbb{C}$, with this $j$-invariant, can be written down using the following rule:
• If $j = 0$ then use $E : Y^2 = X^3 - 1$.
• If $j = 1728$ then use $E : Y^2 = X^3 - X$.
• Otherwise set $c = j/(j - 1728)$ and use $E : Y^2 = X^3 - 3cX + 2c$.
Compare this with Lemma VIII.3 below.

Consider the ring of endomorphisms, $\mathrm{End}(E)$, of a curve, $E$, defined over an arbitrary field $K$. As mentioned in Chapter III, if $E$ is not supersingular, $\mathrm{End}(E)$ is equal either to $\mathbb{Z}$ or to an order in an imaginary quadratic number field. If $\mathrm{End}(E)$ is equal to an order in an imaginary quadratic number field then the curve is said to have CM. In such a situation $\mathrm{End}(E) \cong \mathbb{Z} + \mathbb{Z}\tau$, where $\tau$ is a complex algebraic number of degree two such that $\tau \in \mathcal{H}$, where $\mathcal{H}$ is the so-called Poincaré upper half-plane, the upper half (positive imaginary part) of the complex plane. The theory of complex multiplication and $j$-invariants are linked, at least for the moment in the case of characteristic zero, via the result

THEOREM VIII.1. Suppose $\tau \in \mathcal{H}$, with $\tau$ a complex algebraic number of degree two. Then when we set $E_\tau = \mathbb{C}/(\mathbb{Z} + \mathbb{Z}\tau)$ we have
(1) $\mathrm{End}(E_\tau)$ is an order in $\mathbb{Q}(\tau)$, hence $E_\tau$ has complex multiplication,
(2) $j(\tau) = j(E_\tau)$ is an algebraic integer.

It is the latter of these properties which shall be exploited below. Notice how surprising it seems at first sight; $j(\tau)$ is defined by the Fourier series in Chapter III, so why should its value at a complex quadratic number be an algebraic integer?

The main theorem is the following.

THEOREM VIII.2. Let $\tau \in \mathcal{H}$ be a complex quadratic number with discriminant $-D$. Hence $-D$ is the discriminant of the primitive positive definite quadratic form $Q(x, y)$ which has $\tau$ as a root of $Q(x, 1) = 0$. Let $h_D$ denote the class number of the order of discriminant $-D$. Then $j(\tau)$ is an algebraic number of degree $h_D$ and its minimal polynomial is given by
$$H_D(x) = \prod (x - j(a))$$
where $a$ runs over all complex numbers such that $(a, 1)$ is a zero of one of the $h_D$ inequivalent primitive reduced forms of discriminant $-D$.

If $\mathbb{Z}[\tau]$ is the maximal order of some imaginary quadratic number field $K$, then $H = K(j(\tau))$ is an extension of $K$ of degree $h_D$. In fact it is the maximal unramified abelian extension of $K$. Since $H$ is Galois over $K$ we can consider its Galois group. The Galois group of $H$ over $K$ is isomorphic to the class group of $K$. By definition, $H$ is called the Hilbert class field of $K$; it is a field in which every ideal in $\mathbb{Z}[\tau]$ becomes principal when considered as an ideal in $\mathbb{Z}_H$.

In the rest of this chapter it will be assumed, as above, that $\mathbb{Z}[\tau]$ is the maximal order of some imaginary quadratic number field and so $-D$ will represent a fundamental discriminant. Hence $-D$ is a number congruent to 1 or 0 modulo 4 and no odd prime divides $D$ to a power greater than one. We shall refer to $d$ as the square free positive integer such that $\mathbb{Q}(\tau) = \mathbb{Q}(\sqrt{-d})$, in other words if $d \equiv 3 \pmod 4$ then $D = d$, otherwise $D = 4d$.

It will be required to compute the Hilbert class polynomial, $H_D(x)$, of the preceding theorem. In particular we will need to compute, to high precision, the values of $j(\tau)$ for various $\tau \in \mathcal{H}$. As noted in Chapter III we can compute
$j(\tau)$ efficiently using the formulae
$$h(\tau) = \frac{\Delta(2\tau)}{\Delta(\tau)}, \qquad j(\tau) = \frac{(256\,h(\tau) + 1)^3}{h(\tau)},$$
where $\Delta(\tau)$ is computed using
$$\Delta(\tau) = q\Bigl(1 + \sum_{n \ge 1} (-1)^n \bigl(q^{n(3n-1)/2} + q^{n(3n+1)/2}\bigr)\Bigr)^{24},$$
$q = \exp(2\pi\sqrt{-1}\,\tau)$. Thus $H_D(x)$ can be computed by evaluating $j(a)$ and computing the product,
$$H_D(x) = \prod (x - j(a)).$$
This can be done with complex floating point arithmetic, albeit to a high precision, as the coefficients of $H_D(x)$ must be integers. The product is taken over all $a$ of the form
$$a = \frac{-b + \sqrt{-D}}{2a}$$
with $b^2 - 4ac = -D$, $|b| \le a \le \sqrt{|D|/3}$, $a \le c$, $\gcd(a, b, c) = 1$ and if $|b| = a$ or $a = c$ then $b \ge 0$. In other words $ax^2 + bxy + cy^2$ is a primitive, reduced positive definite binary quadratic form of discriminant $-D$.

The need for high precision is crucial: as $\log|j(a)| \approx \pi\sqrt D/a$, the coefficients of $H_D(x)$ can be huge. The precision needed will be approximately
$$10 + \log_{10}\binom{h_D}{\lfloor h_D/2 \rfloor} + \frac{\pi\sqrt D}{\log 10}\sum_a \frac{1}{a}$$
decimal digits, where the sum is over the same set of values of $a$ as the above product.

The above is a very general outline of the global theory. To look at what happens over a finite field we need to localize all the above constructions. It will be assumed for simplicity that we are interested in curves defined over $\mathbb{F}_p$, where $p$ is a large prime number.
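An added example (not from the book) implementing the computation just described with ordinary double-precision complex numbers: reduced forms are enumerated under the conditions above, $j(\tau)$ is evaluated through $h(\tau)$ and the $q$-expansion of $\Delta$, and the product is rounded to integers. Double precision suffices only for small $D$; for $D = 23$, $h_D = 3$, the constant term is already about $1.3 \times 10^{13}$, which is why the precision estimate above matters for anything larger.

```python
# Added example (not from the book): H_D(x) for small D via the formulae above,
# in plain double precision.  For larger D replace complex floats by a
# multi-precision type and use the digit estimate given in the text.
import cmath
import math

def reduced_forms(D):
    """Primitive reduced positive definite forms (a, b, c) of discriminant -D."""
    forms = []
    for a in range(1, math.isqrt(D // 3) + 1):
        for b in range(-a, a + 1):
            if (b * b + D) % (4 * a):
                continue
            c = (b * b + D) // (4 * a)
            if c < a or math.gcd(math.gcd(a, abs(b)), c) != 1:
                continue
            if (abs(b) == a or a == c) and b < 0:
                continue
            forms.append((a, b, c))
    return forms

def delta(tau, terms=12):
    """Delta(tau) = q (1 + sum_{n>=1} (-1)^n (q^{n(3n-1)/2} + q^{n(3n+1)/2}))^24."""
    q = cmath.exp(2j * math.pi * tau)
    s = 1
    for n in range(1, terms):
        s += (-1) ** n * (q ** (n * (3 * n - 1) // 2) + q ** (n * (3 * n + 1) // 2))
    return q * s ** 24

def j_invariant(tau):
    """j(tau) = (256 h + 1)^3 / h with h(tau) = Delta(2 tau) / Delta(tau)."""
    h = delta(2 * tau) / delta(tau)
    return (256 * h + 1) ** 3 / h

def hilbert_class_polynomial(D):
    """Integer coefficients of H_D(x) = prod_a (x - j(a)), leading coefficient first."""
    poly = [1]
    for a, b, c in reduced_forms(D):
        j = j_invariant((-b + cmath.sqrt(-D)) / (2 * a))
        # multiply the polynomial by (x - j)
        poly = [(poly[i] if i < len(poly) else 0) - j * (poly[i - 1] if i > 0 else 0)
                for i in range(len(poly) + 1)]
    return [round(coef.real) for coef in poly]
```

The $h_D = 1$ cases reproduce the familiar singular moduli ($j = 0$, $1728$, $-3375$, $8000$, $-32768$ for $D = 3, 4, 7, 8, 11$), and $D = 23$ gives the cubic $x^3 + 3491750x^2 - 5151296875x + 12771880859375$.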

VIII.2. Generating Curves over Large Prime Fields using CM

The method used is bound up with the arithmetic of complex quadratic fields, $K = \mathbb{Q}(\sqrt{-D})$. The number $-D$, which is a fundamental discriminant, is the basic input to the procedure. The method to be described is very fast if the class number, $h_D$, of $K$ is small. However, some people have expressed concern about using a $K$ with a small class number. The resulting curves may be more amenable to some future attack than more general $K$. On average it is expected that the class number $h_D$ will grow as $O(\sqrt D)$, so small class numbers are in some sense 'special'. In addition, fields with small class numbers are known to be easier to use various algorithms in (and hence possibly a future, as yet unknown, discrete logarithm algorithm).
152 VIII. GENERATING CURVES USING COMPLEX MULTIPLICATION

We wish to construct a curve over $\mathbb{F}_p$ with complex multiplication by an order of discriminant $-D$. This immediately means that we are not going to construct supersingular elliptic curves. The discriminant $-D$ is sought for which the $j$-invariant of such a curve is contained in $\mathbb{F}_p$, so the Hilbert polynomial $H_D(x)$ has a root modulo $p$. So the field tower $\mathbb{Q} \subset K \subset H$ will collapse locally to either $\mathbb{Q}_p$ or a quadratic extension of $\mathbb{Q}_p$. In the latter case the prime $p$ is inert in $K$, whilst in the former it splits (we shall ignore the case of ramified primes). If the prime $p$ is inert then there are no curves modulo $p$ with complex multiplication by $\mathbb{Z}[\sqrt{-D}]$. Thus we look for a prime $p$ which splits in $K$ and for which the Hilbert class field is trivial when considered locally at $p$. In other words ideals of $K$ of norm $p$ are principal. So given $D$ we wish to know which prime numbers, $p$, split in $K$ into prime ideals which are principal. Roughly $1/(2h_D)$ of the primes would be expected to have principal, degree one ideal divisors. Such a prime will be one for which the diophantine equation
$$ 4p = x^2 + Dy^2 $$
can be solved. This equation can be solved by the method of Cornacchia, which essentially computes the continued fraction expansion of the square root of a given rational. It is easy to see that solving $4p = x^2 + Dy^2$ is equivalent to solving $p = u^2 + dv^2$ and this task can be accomplished with the following method:

ALGORITHM VIII.1: Cornacchia's Algorithm.
INPUT: A square free integer $d$ and a prime $p$.
OUTPUT: A solution to $p = u^2 + dv^2$, if one exists.
1. Let $p/2 < x_0 < p$ be a solution to $x^2 \equiv -d \pmod p$.
2. Write $p = q_0 x_0 + x_1$ (Euclidean division), $k \leftarrow 0$.
3. Until $x_k^2 < p \le x_{k-1}^2$ do:
4.   Write $x_k = q_{k+1} x_{k+1} + x_{k+2}$, $k \leftarrow k + 1$.
5. $u \leftarrow x_k$, $v \leftarrow \sqrt{(p - x_k^2)/d}$.
6. If $v \in \mathbb{Z}$ return $(u, v)$, else return 'No Solution'.

To apply this we can repetitively try prime numbers until Cornacchia's algorithm finds a pair $(x, y)$. By our previous comment, about $1/(2h_D)$ of the primes tried will be suitable, so a suitable one is found after a modest number of attempts. Given such a triple $(x, y, p)$, compute
$$ m = p + 1 \pm x. $$
These are going to be the possible group orders of the elliptic curves over $\mathbb{F}_p$ which we will try to construct. It can then be checked whether $m$ is suitable,

in that it has a large prime factor, is not equal to $p$ and there is not a small number $k$ such that $p^k \equiv 1 \pmod m$, the criteria set forth in Section V.7.

To explain why $m$ is chosen in this manner, recall that the number of points on the curve is equal to
$$ m = p + 1 - t $$
where $t$ is the trace of Frobenius. Recall that $t = \alpha + \bar\alpha$, where $\alpha$ is an element of norm $p$ in $K$. A solution to $x^2 + Dy^2 = 4p$ means that $\alpha = \pm(x + \sqrt{-D}\,y)/2$ is therefore an element of norm $p$, with trace equal to $\pm x$. The orders $p + 1 \pm x$ will be the orders of the elliptic curve and its quadratic twist.

For the field $\mathbb{F}_p$ and a group order $m$, it is required to build an elliptic curve over $\mathbb{F}_p$ with group order $m$. The main idea is contained in the following lemma.

LEMMA VIII.3. The following hold for elliptic curves over $\mathbb{F}_p$.
• Every element in $\mathbb{F}_p$ is the $j$-invariant of an elliptic curve over $\mathbb{F}_p$.
• If $D > 4$ then all elliptic curves with given $j$-invariant, $j \ne 0, 1728$, over $\mathbb{F}_p$ are given by
$$ Y^2 = X^3 + 3kc^2 X + 2kc^3 $$
where $k = j/(1728 - j)$ and $c$ is any element in $\mathbb{F}_p$.
• Suppose $E$ and $E'$ have the same $j$-invariant but are not isomorphic over the field $\mathbb{F}_p$. If $j \ne 0$ and $j \ne 1728$, then $E'$ is the quadratic twist of $E$ and if $\#E = p + 1 - t$ then $\#E' = p + 1 + t$.
• When $j = 0$ or $1728$, additional cubic, quartic or sextic twists have to be considered. However, this case will be ignored, as in some sense such curves are special and hence should probably be avoided.

Assume that $j \ne 0$ and $j \ne 1728$. In particular if $E$ is given by
$$ Y^2 = X^3 + aX + b $$
then $E'$ can be given by
$$ Y^2 = X^3 + ac^2 X + bc^3 $$
where $c$ is any quadratic non-residue in $\mathbb{F}_p$. This means that if the $j$-invariant of a curve over $\mathbb{F}_p$ with order $m$ can be constructed, then two candidate curves can be written down. Checking which one has the correct order is then done by means of randomly chosen curve points, as discussed in Section VI.2 (in fact, the problem here is slightly different, in that we have the order and need to distinguish between curves, as opposed to having to distinguish between two candidate group orders for one curve; the method however is the same). The problem has hence been reduced to computing which $j$-invariants can be the $j$-invariants of an elliptic curve over $\mathbb{F}_p$ with given number of points $m$ and complex multiplication by the maximal order of $\mathbb{Q}(\sqrt{-D})$. As was seen above, such $j$-invariants must be the roots, modulo $p$, of the Hilbert polynomial $H_D(x)$.

All that remains is to compute $H_D(x)$, using the method given earlier. Finally, determining the roots of $H_D(x)$ over $\mathbb{F}_p$ can be accomplished using one of the many techniques for factoring polynomials over finite fields.

VIII.2.1. Examples. Two examples with small numbers are given, which can be used to test an implementation of the ideas involved.

Take $D = 7$ and look for a prime $p$ such that
$$ 4p = x^2 + Dy^2 $$
has a solution. Picking random primes, $p$, and applying Cornacchia's algorithm, leads us to a solution when
$$ p = 781221660082682887337352611537, $$
which we use to try to find an elliptic curve, over $\mathbb{F}_p$, with group order equal to
$$ m = 781221660082681210712714541668, $$
which is four times an odd prime. The class number of $K = \mathbb{Q}(\sqrt{-D})$ is one, so the Hilbert polynomial $H_7(x)$ has degree one. It is found to be equal to
$$ x + 3375, $$
which clearly has a root modulo $p$. An elliptic curve with $j$-invariant
$$ j_E = -3375 \equiv 781221660082682887337352608162 $$
is needed. Up to $\mathbb{F}_p$-isomorphism, there are two such curves, given by
$$ E : Y^2 = X^3 + 384410658135923325515205253294X + 777088212145737475235038576554 $$
and
$$ E' : Y^2 = X^3 + 586337137088968521507562977329X + 470612877688284093511930750213. $$
It is then a simple matter, which is left as an exercise, to determine which of the above two curves has group order $m$. The whole computation takes a fraction of a second. It is in fact the latter of the above two elliptic curves which has order $m$.
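The procedure just described (Cornacchia's algorithm, the candidate orders $p + 1 \pm x$, the curve obtained from $j$ via Lemma VIII.3 together with its twist, and the point-based order check), as an added example that is not the book's code. It is run on the book's $D = 7$ values and, for a case small enough to check by hand, on the constructed prime $p = 29$; the function names, the deterministic point sample and the choice of $c$ as the smallest non-residue are assumptions of this example.

```python
# Added example (not the book's code): Algorithm VIII.1 and the D = 7 construction
# of Section VIII.2, on the book's 30-digit p and on a constructed p = 29.
from math import isqrt

def sqrt_mod(a, p):
    """Tonelli-Shanks: x with x*x = a (mod p), p prime; None for a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2                                   # any quadratic non-residue
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    c, x, t, m = pow(z, q, p), pow(a, (q + 1) // 2, p), pow(a, q, p), s
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                      # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        x, c, t, m = x * b % p, b * b % p, t * b * b % p, i
    return x

def cornacchia(d, p):
    """Algorithm VIII.1: (u, v) with p = u^2 + d v^2, or None if there is none."""
    x0 = sqrt_mod(-d, p)
    if x0 is None:
        return None
    if 2 * x0 < p:                          # step 1: the root with p/2 < x0 < p
        x0 = p - x0
    a, b = p, x0                            # steps 2-4: Euclidean remainders x_k
    while b * b >= p:                       # stop once x_k^2 < p <= x_{k-1}^2
        a, b = b, a % b
    u, rest = b, p - b * b                  # step 5: u = x_k, v^2 = (p - x_k^2)/d
    if rest % d:
        return None
    v = isqrt(rest // d)
    return (u, v) if v * v == rest // d else None   # step 6: v must be an integer

def cm_group_orders(D, p):
    """Candidates p + 1 -/+ x, where 4p = x^2 + D y^2 is taken as x = 2u, y = 2v."""
    sol = cornacchia(D, p)
    if sol is None:
        return None
    x = 2 * sol[0]
    return (p + 1 - x, p + 1 + x)

def curve_from_j(j, p):
    """Lemma VIII.3 with c = 1: Y^2 = X^3 + 3kX + 2k, k = j/(1728 - j)."""
    k = j * pow((1728 - j) % p, -1, p) % p
    return (3 * k % p, 2 * k % p)
def quadratic_twist(a, b, p):
    """(a c^2, b c^3) for the smallest quadratic non-residue c."""
    c = 2
    while pow(c, (p - 1) // 2, p) != p - 1:
        c += 1
    return (a * c * c % p, b * c ** 3 % p)

def ec_add(P, Q, a, p):
    """Affine group law on Y^2 = X^3 + aX + b; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P, a, p):
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P, a, p)
        P, n = ec_add(P, P, a, p), n >> 1
    return R

def curve_with_order(j, p, m, m_other):
    """Of the curve from j and its twist, return the one killed by m but not by
    m_other, judged on the first 8 x-coordinates lying on each curve."""
    E = curve_from_j(j, p)
    for a, b in (E, quadratic_twist(E[0], E[1], p)):
        pts, x = [], 0
        while len(pts) < 8:                 # deterministic point sample
            y = sqrt_mod((x ** 3 + a * x + b) % p, p)
            if y is not None:
                pts.append((x, y))
            x += 1
        if all(ec_mul(m, P, a, p) is None for P in pts) and \
           any(ec_mul(m_other, P, a, p) is not None for P in pts):
            return (a, b)
    return None

# The book's D = 7 prime and its target order m (values from the text above).
P_BOOK, M_BOOK = 781221660082682887337352611537, 781221660082681210712714541668
```

For $p = 29$ the two candidate orders are 28 and 32, and the curve $Y^2 = X^3 + 4X + 22$ obtained from $j \equiv -3375$ is the one with 32 points, its twist the one with 28.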
As a second example take $D = 292$, which has class number four. For the prime $p = 471064017714648581743716115253$ the equation $x^2 + Dy^2 = 4p$ can be solved and from the solutions it is deduced that there are elliptic curves of group order equal to
$$ m = 471064017714647630725498582802. $$
The Hilbert polynomial $H_D(x)$ is given by
$$ x^4 - 206287709860428304608000x^3 - 93693622511929038759497066112000000x^2 + 45521551386379385369629968384000000000x - 380259461042512404779990642688000000000000 $$
which has four roots modulo $p$. The four roots are equal to the values of four $j$-invariants of elliptic curves over $\mathbb{F}_p$ with group orders $m$. One such root is $j = 95298163105585542899076823435$, from which the following two elliptic curves are computed:
$$ E : Y^2 = X^3 + 469268436428246725781035134277X + 155824285047281623272784717767 $$
and
$$ E' : Y^2 = X^3 + 354618739573347813123389093324X + 314251778593054362590879954574. $$
The second curve has order $m$, while the first has order $2(p + 1) - m$. The other three roots of $H_D(x) \pmod p$ also give rise to elliptic curves over $\mathbb{F}_p$ with order $m$. These are
$$ E'' : Y^2 = X^3 + 226037567835338611569192198897X + 150691711890225741046128132598, $$
$$ E''' : Y^2 = X^3 + 470569005626771030721528558211X + 7331063557219604895221098683, $$
$$ E'''' : Y^2 = X^3 + 306353065106026110803105308074X + 204235376737350740535403538716. $$
In the Appendix we give a few more examples over larger finite fields.
VIII.3. Weber Polynomials

There are two problems with the above method. The first is that the curves produced are in some sense 'special'. They will have relatively small class numbers and so could be more amenable to some future unknown attack. As a general principle, it is believed that choosing random curves, and computing their group order via Schoof's algorithm, is more likely to produce curves which are resistant to specialized attacks. As of the writing of this book, there is virtually no evidence to support this belief, but it enjoys wide support in the community.

The second problem with the above method is that to find the $j$-invariants the Hilbert polynomials, $H_D(x)$, have to be computed. It has been noted that this requires computing the coefficients to what can be a prohibitively large precision. One way to get around this is to compute the minimal polynomial of another generator of the Hilbert class field which has a known algebraic relationship to $j(\tau)$. The advantage is that this second polynomial may have much smaller coefficients, which would allow us to use a much smaller precision. In this section a possible solution to this second problem is considered.

Define the following Weber functions, using Dedekind's $\eta$-function, $\eta(z)$:
$$ \mathfrak{f}(\tau) = \zeta_{48}^{-1}\,\frac{\eta((\tau + 1)/2)}{\eta(\tau)}, \qquad \mathfrak{f}_1(\tau) = \frac{\eta(\tau/2)}{\eta(\tau)}, \qquad \mathfrak{f}_2(\tau) = \sqrt{2}\,\frac{\eta(2\tau)}{\eta(\tau)}, $$
$$ \gamma_2(\tau) = \frac{\mathfrak{f}(\tau)^{24} - 16}{\mathfrak{f}(\tau)^8}, \qquad \gamma_3(\tau) = \frac{(\mathfrak{f}(\tau)^{24} + 8)\,(\mathfrak{f}_1(\tau)^8 - \mathfrak{f}_2(\tau)^8)}{\mathfrak{f}(\tau)^8}, $$
where $\zeta_n = e^{2\pi i/n}$. These functions are not all algebraically independent since they are all related to $j$ via the equations (see [7])
$$ j = \frac{(\mathfrak{f}^{24} - 16)^3}{\mathfrak{f}^{24}} = \frac{(\mathfrak{f}_1^{24} + 16)^3}{\mathfrak{f}_1^{24}} = \frac{(\mathfrak{f}_2^{24} + 16)^3}{\mathfrak{f}_2^{24}} = \gamma_2^3 = \gamma_3^2 + 1728. $$

Weber calls $\mu(\tau)$ a class invariant if $\mu(\tau)$ lies in the Hilbert class field of $\mathbb{Q}(\tau)$. Clearly $j(\tau)$ is a class invariant. However, using the Weber functions we can determine a lot more class invariants. These give rise to polynomials, usually denoted by $W_D(x)$, using almost the same method as we used to compute $H_D(x)$. Finding the roots of these new polynomials, which will hopefully have smaller coefficients, will then allow us to recover the $j$-invariant.

Atkin and Morain [7] suggest using the following choices of class invariants to produce the Weber polynomials. Remember $-D$ is a fundamental discriminant and we have that $d$ is the square free positive integer such that $\mathbb{Q}(\sqrt{-D}) = \mathbb{Q}(\sqrt{-d})$. The following conditions are applied in turn (in other words the condition on $D$ being divisible by 3 takes priority).
• If $D \equiv 3 \pmod 6$ use $\mu = \sqrt{-D}\,\gamma_3(\tau)$.
• If $D \equiv 7 \pmod 8$ use $\mu = \mathfrak{f}(\tau)/\sqrt{2}$.
• If $D \equiv 3 \pmod 8$ use $\mu = \mathfrak{f}(\tau)$.
• If $d \equiv \pm 2 \pmod 8$ use $\mu = \mathfrak{f}_1(\tau)/\sqrt{2}$.
• If $d \equiv 5 \pmod 8$ use $\mu = \mathfrak{f}(\tau)^4$.
• If $d \equiv 1 \pmod 8$ use $\mu = \mathfrak{f}(\tau)^2/\sqrt{2}$.

The only problem here is the case when $D \equiv 3 \pmod 8$ and $D \not\equiv 3 \pmod 6$. In such a case the degree of $W_D(x)$ is $3h_D$ and not $h_D$. This could be a problem, so one could just ignore such discriminants. Atkin and Morain [7] give detailed descriptions of how to compute the various Weber polynomials and also give other alternative class invariants to use.

As an example of the advantage that using Weber polynomials can bring, Atkin and Morain give the following example:
$$ H_{23}(x) = x^3 + 3491750x^2 - 5151296875x + 23375^3 $$
while

VIII.4. Further Discussion

Given a fundamental discriminant, $-D$, it has been shown how to choose $p$, obtain a desirable group order and then construct an elliptic curve with that group order. It was also proposed that one should randomly choose prime numbers, $p$, and then solve the relevant diophantine equation using Cornacchia's method. It is often far better to choose the prime first and then the discriminant, since some primes are more amenable to implementing the arithmetic needed for an elliptic curve system. Some improvement can be obtained by examining the possible splitting behaviour of the rational prime $p$ in the quadratic extension $K = \mathbb{Q}(\sqrt{-d})$ and its Hilbert class field. This reduces to the following result:

LEMMA VIII.4. Let $d$ be square free and $p$ a prime number such that we can find a solution to the equation
$$ p = x^2 + dy^2, $$
then we have the following.
• If $p \equiv 3 \pmod 8$ then $D \equiv 2, 3$ or $7 \pmod 8$.
• If $p \equiv 5 \pmod 8$ then $D \equiv 1 \pmod 2$.
• If $p \equiv 7 \pmod 8$ then $D \equiv 3, 6$ or $7 \pmod 8$.
In particular we must have $\left(\frac{-d}{p}\right) = \left(\frac{-D}{p}\right) = 1$.

In the case of characteristic two the method is similar. First, assuming the finite field has cardinality $q = 2^n$, solve the equation
$$ 2^{n+2} = x^2 + Dy^2 $$
for some positive square free number $D$. The arithmetic of the quadratic field $\mathbb{Q}(\sqrt{-D})$ will again be used. However, the class number $h_D$ must now be divisible by $n$. That way, when we localize the field $\mathbb{Q}(j_D)$, which is of degree $h_D$ and Galois, there is the chance of obtaining a local extension of $\mathbb{Q}_2$ of degree $n$. Only this way will the residue field be of size $2^n$.

Again we have an integer $D$, a proposed group order $m$ and a field of definition $\mathbb{F}_{2^n}$. If the Hilbert polynomial modulo 2 has a degree $n$ irreducible factor then this polynomial can be used to define the extension $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$. If the Hilbert polynomial has no such factor modulo 2 then another $D$ and $n$ are tried. Let the degree $n$ irreducible factor of $H_D$, over $\mathbb{F}_2$, be denoted by $p(x)$. Let $\alpha$ denote a root of $p(x)$ in $\mathbb{F}_{2^n}$. This is then the $j$-invariant of an elliptic curve over $\mathbb{F}_{2^n}$ which has CM by an order of $\mathbb{Q}(\sqrt{-D})$. We then only need to generate a curve with the given $j$-invariant and actually test whether it has the correct order. As mentioned earlier, more details on this can be found in [73].
CHAPTER IX
Other Applications of Elliptic Curves

In this chapter we discuss a number of additional applications of elliptic curves in cryptography, namely factoring, primality proving and proving the equivalence of the Diffie-Hellman problem to the DLP. Only the central ideas of each application are discussed. More comprehensive descriptions can be found in the references cited.

IX.1. Factoring Using Elliptic Curves

We shall give a brief description of Lenstra's [78] elliptic curve factoring method, usually referred to as ECM. Let $N$ be a number which is to be factored and let $p$ denote some, as yet unknown, prime factor of $N$.

To introduce the elliptic curve method, consider first Pollard's $p - 1$ method of factoring. For convenience, assume that $N$ is of the form $N = p \cdot q$, the product of two prime numbers. The group $(\mathbb{Z}/N\mathbb{Z})^*$ decomposes (via the CRT) as
$$ (\mathbb{Z}/N\mathbb{Z})^* \cong \mathbb{F}_p^* \times \mathbb{F}_q^*. $$
Take an element $a \in (\mathbb{Z}/N\mathbb{Z})^*$, and raise it to the power of a multiple of $p - 1$, say $\lambda(p - 1)$, then
$$ a^{\lambda(p-1)} \equiv 1 \pmod p. $$
It can be expected that
$$ \gcd\bigl(a^{\lambda(p-1)} - 1, N\bigr) = p. $$
The problem with this is that we need to know $p - 1$ to recover $p$. However, if we make the assumption that $p - 1$ is 'smooth', i.e. all of its divisors are less than some given bound, then, if a large smooth number $M$ is chosen, there is a chance that $p - 1$ will divide $M$. In such a situation $p$ can be recovered by computing
$$ \gcd(a^M - 1, N) = p. $$
For example, suppose $N = 12628003$ and we choose $a = 2$ and $M = 20!$. Then $a^M \pmod N = 2804399$ and
$$ \gcd(a^M - 1, N) = \gcd(2804398, 12628003) = 2053. $$
We deduce the factorization $N = 2053 \times 6151$. This example works since, on setting $p = 2053$, we see that
$$ p - 1 = 2^2 \cdot 3^3 \cdot 19 $$
divides $20!$ and $q - 1$ does not divide $20!$.

In practice one can make various improvements to this strategy (see [29]). For example we can choose $M$ to be the number
$$ M(k) = \operatorname{lcm}(1, 2, \ldots, k). $$
However, the method is explicitly relying on the fact that $\mathbb{F}_p^*$ has a smooth group order, and not all prime factors of a large number satisfy this requirement. For example if $N = 4268347$ and we choose $a = 2$ and $M = M(20)$ then we do not obtain a factor of $N$. This is because $N$ is of the form $p \cdot q$, for primes $p$ and $q$, and $p - 1$ and $q - 1$ in this example both have prime factors larger than 19.

This is where elliptic curves are effective. We first note that an elliptic curve over the ring $\mathbb{Z}/N\mathbb{Z}$ is a curve with coefficients in $\mathbb{Z}/N\mathbb{Z}$ and whose coordinates also lie in $\mathbb{Z}/N\mathbb{Z}$. We can define a natural group law on such curves, although one usually gives this in terms of projective coordinates so as to cope with the occurrence of zero divisors in $\mathbb{Z}/N\mathbb{Z}$. An elliptic curve over $\mathbb{Z}/N\mathbb{Z}$ splits via the CRT into an elliptic curve over $\mathbb{F}_p$ for each prime $p$ dividing $N$. For every value of $N$ we have various choices of $E$ and a chance of finding a curve for which $\#E(\mathbb{F}_p)$ is smooth for some prime factor, $p$, of $N$.

First we find an elliptic curve with a projective point on it modulo $N$:
$$ C_{a,b} : Y^2 Z = X^3 + aXZ^2 + bZ^3 $$
and $(x, y, z) \in C_{a,b}(\mathbb{Z}/N\mathbb{Z})$. We assume $N$ is coprime to $\Delta_{C_{a,b}}$ and so, as $p$ does not divide $\Delta_{C_{a,b}}$, we know that $C_{a,b}$ has good reduction at $p$. By Hasse's Theorem, considering the curve over $\mathbb{F}_p$, it has order $N_p$, where
$$ |N_p - (p + 1)| < 2\sqrt{p}. $$
A number $k$ is chosen and
$$ (x_k, y_k, z_k) = [M(k)](x, y, z) \pmod N $$
computed. If $N_p$ divides $M(k)$ then $p$ divides $z_k$ and a factor of $N$ might be found by taking $\gcd(z_k, N)$. In practice this factor will be found whilst computing $[M(k)](x, y, z)$ as some inversion will become impossible due to the presence of zero divisors in the ring $\mathbb{Z}/N\mathbb{Z}$.

The method relies on the fact that the large smooth number $M(k)$ is a multiple of the group order $\#E(\mathbb{F}_p)$. There is considerable freedom here; we can choose the coefficients $a$ and $b$ from a large number of possibilities. However, for prime numbers of between 20 and 40 decimal digits one is likely to write down an elliptic curve with a smooth group order after not too long a time (see [78] and [89]). To see why this works efficiently, a few facts about elliptic curves modulo $p$ are noted.
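Pollard's $p - 1$ method and a minimal version of ECM, as an added example that is not the book's code, run on the two numbers $N = 12628003$ and $N = 4268347$ from the text. It uses affine coordinates so that the factor shows up exactly as the failed inversion the text mentions; the curve family $Y^2 = X^3 + aX + 1$ through $P = (0, 1)$ and the bound of 500 curves are assumptions of this example.

```python
# Added example (not the book's code): Pollard's p - 1 method and a minimal
# affine ECM over Z/NZ, run on the two numbers N used in Section IX.1.
from math import factorial, gcd

def pollard_p_minus_1(N, a, M):
    """gcd(a^M - 1, N): equals a prime p | N whenever p - 1 divides M."""
    return gcd(pow(a, M, N) - 1, N)

def M_of(k):
    """M(k) = lcm(1, 2, ..., k)."""
    m = 1
    for i in range(2, k + 1):
        m = m * i // gcd(m, i)
    return m

class ZeroDivisor(Exception):
    """An inversion modulo N failed; `factor` is gcd(denominator, N)."""
    def __init__(self, factor):
        super().__init__(factor)
        self.factor = factor

def inv_mod(d, N):
    g = gcd(d % N, N)
    if g != 1:
        raise ZeroDivisor(g)
    return pow(d, -1, N)

def ec_add(P, Q, a, N):
    """Affine addition on Y^2 = X^3 + aX + b over Z/NZ; None is the point at
    infinity.  An inversion that meets a zero divisor raises ZeroDivisor."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % N == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, N) % N
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)

def ec_mul(n, P, a, N):
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P, a, N)
        P, n = ec_add(P, P, a, N), n >> 1
    return R

def ecm(N, k, max_curves=500):
    """Lenstra's method with M(k): try the curves Y^2 = X^3 + aX + 1 through
    P = (0, 1) for a = 1, 2, ...; return a proper factor of N, or None."""
    M = M_of(k)
    for a in range(1, max_curves + 1):
        g = gcd(4 * a ** 3 + 27, N)          # discriminant check (b = 1)
        if 1 < g < N:
            return g
        if g == N:
            continue
        try:
            ec_mul(M, (0, 1), a, N)          # [M(k)](0, 1) mod N
        except ZeroDivisor as e:
            if 1 < e.factor < N:             # #E(F_p) | M(k) for just one p | N
                return e.factor
    return None

if __name__ == "__main__":
    print(pollard_p_minus_1(12628003, 2, factorial(20)))   # 2053, as in the text
    print(pollard_p_minus_1(4268347, 2, M_of(20)))          # no factor: 1 or N
    print(ecm(4268347, 20))                                # 2063 or 2069
```

For $N = 4268347 = 2063 \times 2069$ the $p - 1$ method fails exactly as the text says, while ECM finds one of the two factors because some curve in the family has a $20$-smooth order modulo it.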

LEMMA IX.1. There is a positive constant $\alpha$ such that $\alpha p^2$ of all pairs $(a, b) \in \mathbb{F}_p \times \mathbb{F}_p$, with $4a^3 + 27b^2 \ne 0$, give a curve with
$$ \#C_{a,b}(\mathbb{F}_p) \in (p - \sqrt{p},\, p + \sqrt{p}), $$
and such group orders in this range are distributed in an approximately uniform manner.

With every new elliptic curve used, we have a probability of about $\alpha$ of choosing a curve with order in $(p - \sqrt{p}, p + \sqrt{p})$. Choosing the curve can be interpreted as choosing a random integer $T$ from a uniform distribution on $(p - \sqrt{p}, p + \sqrt{p})$. The elliptic curve method will have a very good chance of finding a factor of our number, with this choice of $T$, if $T$ has a good chance of dividing $M(k)$.

The method is more likely to work for larger values of $k$, and hence larger values of $M(k)$. However, the larger the value of $k$ the more work is needed for each curve. A good strategy is to start with a medium size value of $k$, for which at least $M(k) > p$. Then, if a factor is not found after a few attempts, the value of $k$ is increased and the procedure is repeated until it is successful. Using this idea of increasing the value of $k$, the complexity of the method is given by
$$ O\bigl(L_p(0.5, \sqrt{2})\bigr), $$
where we recall from Chapter I that the function $L_p$ is given by
$$ L_p(v, c) = \exp\bigl(c\,(\log p)^v (\log\log p)^{1-v}\bigr). $$
For numbers of the form $N = pq$, with $p$ and $q$ of order $\sqrt{N}$ and $N > 10^{80}$, the elliptic curve method is inefficient compared to the quadratic or number field sieve methods, even though, for integers of this form, ECM has approximately the same asymptotic complexity as the quadratic sieve method. This is because the basic operations used in ECM are far more complicated than those in the quadratic sieve.

What makes ECM the most successful factoring algorithm known on hundred digit numbers is that it is very rare for a random hundred digit number to be of the form $pq$, where $p$ and $q$ are of roughly the same size. So for a random integer of around one hundred digits ECM should find the prime factors before a more advanced method such as the quadratic or number field sieves. However, in cryptography one is usually interested in the types of numbers for which $p$ and $q$ do have roughly the same size. Hence it could appear that the uses of ECM in cryptography are very limited. This is not true; the large prime variations of both the quadratic and number field sieve algorithms require the factorization of numbers as a sub-procedure. It is at this stage that the ECM method can be applied with some success. In addition it will be seen later that primality proving algorithms also require the factorization of auxiliary numbers. Since one could expect that any auxiliary number produced by an algorithm should be of the form

of a random number of the required size, one would expect that ECM would be able to factor such numbers, and indeed it usually does.

IX.2. The Pocklington-Lehmer Primality Test

As mentioned previously, in Chapter VIII, the CM method was first used to construct elliptic curves in the context of a primality proving algorithm. This elliptic curve primality proving (ECPP) method is itself based on the Pocklington-Lehmer primality test ([123], [132]). To introduce ECPP, the Pocklington-Lehmer $N - 1$ primality test is therefore first discussed. It is then shown how, by replacing the group $\mathbb{F}_p^*$ by the group $E(\mathbb{F}_p)$, a more powerful primality test can be obtained. Only the very basic design of the primality test is considered, leaving the reader to consult the literature for further optimizations, improvements and enhancements.

Assume that the number $N$ has already passed the Miller-Rabin pseudo-prime test ([102], [130]). There is then some confidence that the number $N$ really is prime. We merely want to verify this confidence. However, we will achieve more than this. An output from the primality proving program will be produced which will convince someone else of the primality of the number, without them having to run the algorithm again. In other words the algorithm should produce a 'proof' or certificate of the primality of $N$: the primality of the number is easily verified, in an irrefutable manner, with the additional information provided. Consider the following theorem.

THEOREM IX.2. Suppose $N$ is an integer and $p$ a prime divisor of $N - 1$, with $p^e$ being the largest power of $p$ that divides $N - 1$. Also suppose that there is an $a$ such that
$$ a^{N-1} \equiv 1 \pmod N $$
and
$$ \gcd\bigl(a^{(N-1)/p} - 1, N\bigr) = 1. $$
Then if $q$ is any divisor of $N$ we have $q \equiv 1 \pmod{p^e}$.

This theorem can be turned into a primality test by using the following corollary:

COROLLARY IX.3. Write $N - 1$ as $AB$ where $A$ and $B$ are coprime, the factorization of $A$ is completely known and $A > \sqrt{N}$. For each prime factor, $p$, of $A$ we can find an $a_p$ such that
$$ a_p^{N-1} \equiv 1 \pmod N \quad\text{and}\quad \gcd\bigl(a_p^{(N-1)/p} - 1, N\bigr) = 1, $$
if and only if $N$ is prime.

To prove the primality of $N$ we need then to partially factor $N - 1$ into $A$ and $B$ and for each prime factor of $A$ find an integer, $a_p$, which satisfies the conditions above. It does not matter how such values of $a_p$ are found. Once found, their existence will guarantee the primality of $N$.

One problem that may be encountered is that in factoring $N - 1$ the primality of another number will have to be established, and so on. This gives rise to the so called down run process whereby the proof of primality of one number is dependent on the proof of primality of another and so on.

As an example the primality of $N = 105554676553297$ will be proven. The integer $N - 1$ has the following factors:
$$ N - 1 = 2^4 \times 3 \times 1048583 \times 2097169. $$
If we set $A = 3 \times 1048583 \times 2097169$ and $B = 2^4$ then $A > \sqrt{N}$ and $\gcd(A, B) = 1$. Notice that if we set
$$ a_3 = a_{1048583} = a_{2097169} = 2 $$
then the primality of $N$ can be established using the above corollary, assuming $p = 1048583$ and $q = 2097169$ are themselves primes. This leads us to perform the following down run. Write
$$ p - 1 = 2 \times 29 \times 101 \times 179. $$
On setting $A = 29 \times 101$ and $B = 358$, we notice that $a_{29} = a_{101} = 2$ will prove the primality of $p$. Assume here that the primality of numbers less than 1000 is proved by table lookup. We then need to prove the primality of $q$:
$$ q - 1 = 2^4 \times 3 \times 43691. $$
It is seen that taking $a_3 = 5$ and $a_{43691} = 2$ will prove the primality of $q$. We also need to prove the primality of 43691, which is done in a similar way.

The following certificate of primality is thus obtained:

105554676553297
        3   2
  1048583   2
  2097169   2
----------
1048583
       29   2
      101   2
----------
2097169
        3   5
    43691   2
----------
43691
      257   3
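A verifier for the down-run certificate above, as an added example that is not the book's code. It checks every number in the certificate against Corollary IX.3 and recurses into the listed prime factors; the dictionary layout of the certificate, and trial division in place of the table lookup for numbers below 1000, are assumptions of this example.

```python
# Added example (not the book's code): a verifier for the down-run certificate
# of Corollary IX.3, applied to the certificate for N = 105554676553297 above.
from math import gcd

TABLE_LOOKUP_BOUND = 1000   # as in the text: primes below 1000 come from a table

# The certificate above, transcribed as N -> [(prime p dividing N - 1, witness a_p)].
CERTIFICATE = {
    105554676553297: [(3, 2), (1048583, 2), (2097169, 2)],
    1048583: [(29, 2), (101, 2)],
    2097169: [(3, 5), (43691, 2)],
    43691: [(257, 3)],
}

def small_prime(n):
    """Trial division stands in for the table lookup of the text."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def pocklington_step(N, entries, cert):
    """Corollary IX.3 for one number: A > sqrt(N), gcd(A, B) = 1, and both
    conditions on every witness a_p; each p in A is proved recursively."""
    A = 1
    for p, _ in entries:
        if not verify(p, cert):                # down run: p must itself be prime
            return False
        e, t = 0, N - 1
        while t % p == 0:                      # full power of p dividing N - 1
            t, e = t // p, e + 1
        if e == 0:
            return False
        A *= p ** e
    B = (N - 1) // A
    if A * A <= N or gcd(A, B) != 1:
        return False
    for p, a in entries:
        if pow(a, N - 1, N) != 1:              # a_p^(N-1) = 1 (mod N)
            return False
        if gcd(pow(a, (N - 1) // p, N) - 1, N) != 1:
            return False
    return True

def verify(N, cert):
    """True iff the certificate proves N prime."""
    if N < TABLE_LOOKUP_BOUND:
        return small_prime(N)
    if N not in cert:
        return False
    return pocklington_step(N, cert[N], cert)

if __name__ == "__main__":
    print(verify(105554676553297, CERTIFICATE))   # True
```

Changing any witness, or dropping a prime so that $A \le \sqrt{N}$, makes the verifier reject the certificate.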

The main problem with this method is that the partial factorization of $N - 1$ is needed. Suppose it is wished to prove the primality of a modulus to be used in an RSA scheme, or to define an elliptic curve over $\mathbb{F}_p$. This means that $p$ could be of the order of $10^{100}$. Hence it may be required to factor a number of around one hundred decimal digits, and this can be a non-trivial task without a large amount of computing power available.

IX.3. The ECPP Algorithm

In the last section the group $(\mathbb{Z}/N\mathbb{Z})^*$ was used to prove the primality of $N$. Since $N$ is believed to be prime, the order of $(\mathbb{Z}/N\mathbb{Z})^*$ is expected to be $N - 1$. The method will work if the number $N - 1$ is suitably smooth, but we could be working with a group order which is not smooth. In this situation using another group which has a chance of having a smooth group order will improve the situation.

Just as with the elliptic curve factoring method, the group $(\mathbb{Z}/N\mathbb{Z})^*$ can be replaced with the group of points on an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$. This group has a chance of having a smooth order, and even if it does not, curves can continue to be chosen until one is found with a smooth order. This is the idea behind the elliptic curve primality proving algorithm, which is now discussed.

The method is due to Goldwasser and Kilian [46] who gave the following analogue of the method of Pocklington and Lehmer.

THEOREM IX.4. Suppose $N$ is an integer coprime to six and larger than one. Let $E$ denote an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$. Assume that one can compute an integer $m$ which has a prime divisor $q$ with
$$ q > (N^{1/4} + 1)^2. $$
If a point $P \in E(\mathbb{Z}/N\mathbb{Z})$ can be found such that
$$ [m]P = \mathcal{O} \quad\text{and}\quad [m/q]P \ne \mathcal{O}, $$
then $N$ is prime. Note if neither of the above multiplications is possible then a non-trivial factor of $N$ has been found, just as with the ECM factoring method, and so $N$ is not prime.

The following result implies that, once a suitable order has been found, such a point $P$ must exist.

LEMMA IX.5. Let $E$ denote an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$ with order equal to $m$ and with $N$ prime. If $m$ has a prime divisor $q$ such that
$$ q > (N^{1/4} + 1)^2, $$
then there exists a point $P \in E(\mathbb{Z}/N\mathbb{Z})$ such that $[m/q]P \ne \mathcal{O}$.

All that remains is to keep producing random elliptic curves and calculating their group orders until one is found which will prove the given number,

$N$, is prime. If a suitable point $P$ on the elliptic curve is found, the result follows. Just as with the Pocklington-Lehmer method a down run strategy can be adopted if in such a process it is needed to prove another number is prime.

Goldwasser and Kilian suggested that as it is very likely that $N$ is prime, Schoof's algorithm can be used to compute the order of $E(\mathbb{Z}/N\mathbb{Z})$. This order can then be trial divided to see if it is divisible by a large prime $q$ and one can proceed from there. As Schoof's algorithm runs in polynomial time this gives us a probabilistic polynomial time primality test. Clearly the output from the algorithm is a certificate of the primality of $N$ which can be checked in a shorter time than it took to generate it.

Atkin and Morain [7] noticed that it would be more efficient to use the CM-theory of elliptic curves to generate the required curve. However instead of determining the group order of a random curve they find a curve with a given order. They first find a discriminant $D$ for which there exist elliptic curves over $\mathbb{F}_N$ (assuming $N$ is prime) with complex multiplication by an order of $\mathbb{Q}(\sqrt{-D})$. They can then compute the possible group orders of curves with this complex multiplication structure. It is determined which (if any) of these group orders possess a large prime factor, $q$, of the form above. This may require calling the primality proving program recursively in a down run strategy. Finally, using the CM-theory mentioned in Chapter VIII, a curve with the required order can be found, and a point can be constructed on the curve with the required properties.

This method has been implemented and is very successful. It can prove the primality of numbers with over one thousand decimal digits. However, it is still not a deterministic polynomial time primality test, although it is very practical. A deterministic polynomial time algorithm has been given by Adleman and Huang [3]. This latter test has to our knowledge never been implemented, perhaps because it uses the arithmetic of Jacobians of hyperelliptic curves of genus two. From a practical view point there seems no point in preferring the method of Adleman and Huang to ECPP.

IX.3.1. Example. Consider proving the primality of $p = 2^{100} + 277$. Using the methods developed to find curves using the CM method the elliptic curve
$$ Y^2 = X^3 + 169317673849406496638751929789X + 535428649309014131591402355077 $$
over $\mathbb{F}_p$, is found, which has order $m = 1267650600228230776357544186344$. After trial division it is seen that $m$ has an 81-bit cofactor, which is probably prime. Call this cofactor $p_1 = 1764763222984205716119937$. Assuming that $p_1$ is prime the result of Goldwasser and Kilian will show that $p$ is prime on

noticing that the point
$$ P = (1223116517107234371890879608558,\ 348818700976692547697219665601) $$
satisfies $[m]P = \mathcal{O}$ but $[m/q]P \ne \mathcal{O}$. A down run strategy is started to prove the primality of $p_1$ and so on. It is left to the reader to verify that the following is a valid certificate (with an obvious notation):

1267650600228229401496703205653
169317673849406496638751929789 535428649309014131591402355077
1223116517107234371890879608558 348818700976692547697219665601
1267650600228230776357544186344
1764763222984205716119937

1764763222984205716119937
1237106009019141934754397 824737339346094623169598
498566265383685655850376 1698160958763013389415626
1764763222981587729747968
21321838780409719

21321838780409719
5979072666605065 11093328037873283
12289991207526417 5086330291908954
21321839059327264
636820759

636820759
572504044 593942949
442683250 159049258
636870910
37397

This last number is easily seen to be prime as it is not divisible by any prime less than 193.

IX.4. Equivalence between DLP and DHP

In this section we describe the ideas of Maurer, Wolf and Boneh ([94], [95], [18]) for showing the equivalence between the DLP and the DHP for various special classes of groups.

To recap, given a finite abelian group $G$, the DLP is: given $g, h \in G$, find the integer $m$, if it exists, such that $h = g^m$.

We write $m = \mathrm{DL}_g(h)$. The DHP is: given $g^a, g^b, g \in G$, determine the element
$$ g^{ab} = \mathrm{DHP}_g(g^a, g^b). $$
Clearly if we can solve the DLP then we can solve the Diffie-Hellman problem, since we can evaluate the function $\mathrm{DHP}_g$ by a polynomial number of calls to the function $\mathrm{DL}_g$ and a polynomial number of group operations in $G$. The hard part is showing that we can solve the DLP using a polynomial number of calls to the function, $\mathrm{DHP}_g$, which solves the DHP, and a polynomial number of group operations.

We outline the various ideas of the equivalence and leave the reader to consult the relevant papers for details. We assume that $G$ is cyclic of prime order and is generated by $g$. Let the order of $g$ be $p$. First we construct an elliptic curve over the field $\mathbb{F}_p$ of the form
$$ E : Y^2 = X^3 + AX + B $$
which is cyclic and whose order is $P(\log p)$-smooth, where $P(\log p)$ is some polynomial in $\log p$. In particular
$$ \#E(\mathbb{F}_p) = \prod_{q_j \le P(\log p)} q_j^{e_j}. $$
With current knowledge it is unclear how this is actually done or indeed whether such curves always exist. It is this last fact which makes the following method only apply to cyclic groups with certain prime orders.

We are given $h \in G = \langle g \rangle$ and we wish to compute $m \in \mathbb{Z}$ such that $h = g^m$. We let $P = (u, v)$ denote a generator of the cyclic elliptic curve $E(\mathbb{F}_p)$. Let $m' = m \pmod p \in \mathbb{F}_p$ and think of $m'$ as the $x$-coordinate of some, unknown, elliptic curve point $Q = (m', n')$. Such a value of $n'$ may not exist, in which case we need to take the quadratic twist of $E$. However, for the purposes of explanation suppose that such a value of $n'$ could be found (if we knew $m'$). Now let us assume we can solve the following ECDLP on $E(\mathbb{F}_p)$:
$$ Q = (m', n') = [s]P. $$
After we have determined $s$ we can compute $[s]P$ and hence determine $m'$, and the original DLP would have been solved. The main obstacle to this approach is determining $s$ when we do not even know $Q$.

The trick is to use the fact that we are allowed to make a polynomial number of calls to the function $\mathrm{DHP}_g$ above. Firstly, given $g^m$ we can compute
$$ g^{m^3 + Am + B} = g^{m(m^2 + A) + B} = g^z $$
using two calls to $\mathrm{DHP}_g$ and a polynomial number of group operations. We can test whether $z$ is a quadratic residue modulo $p$ using the equivalence
$$ z^{(p-1)/2} \equiv 1 \pmod p \iff g^{z^{(p-1)/2}} = g. $$

This can be tested using a polynomial number of group operations and calls to $\mathrm{DHP}_g$. Hence we can determine whether we need to take a quadratic twist of the curve without actually knowing what the value of $m$ is. Again suppose we do not need to take a twist (for the quadratic twist case you should consult the above mentioned papers). Using the function $\mathrm{DHP}_g$ we can then compute $g^n$ where
$$ g^{n^2} = g^z = g^{m^3 + Am + B}, $$
using a technique similar to the method of Tonelli and Shanks in Chapter II. So although we do not know $(m', n')$ we do know $(g^{m'}, g^{n'})$.

Suppose $(a, b), (c, d) \in E(\mathbb{F}_p)$ but we only know
$$ (g^a, g^b), (g^c, g^d) \in G \times G; $$
then we can compute, using the function $\mathrm{DHP}_g$, the group operations in $G$ and the formulae for the group law of the elliptic curve, two group elements
$$ (g^e, g^f) \in G \times G $$
such that on the curve $E(\mathbb{F}_p)$ we have
$$ (e, f) = (a, b) + (c, d). $$
This is done using the standard elliptic curve group law formulae but replacing multiplications modulo $p$ by calls to the function $\mathrm{DHP}_g$.

Since the group order of $E(\mathbb{F}_p)$ is $P(\log p)$-smooth we can easily solve the ECDLP
$$ Q = (m', n') = [s]P $$
using Pohlig-Hellman, the BSGS algorithm and the 'virtual' group operation defined above. We can do this using a polynomial (in $\log p$) number of group operations in $G$ and a polynomial number of calls to the function $\mathrm{DHP}_g$. Hence the Diffie-Hellman problem and the DLP are equivalent if we can find an elliptic curve over $\mathbb{F}_p$ with the required smooth number of points. Using these ideas one can prove:

THEOREM IX.6 (Maurer and Wolf, [95]). Let G be a cyclic group of prime order, p. Let B denote a smoothness bound which is polynomial in log p. The Diffie-Hellman problem in G and the DLP in G are polynomial time equivalent if one of the following expressions is B-smooth:
p ± 1,
p + 1 ± 2a, p + 1 ± 2b, where p ≡ 1 (mod 4), p = a^2 + b^2 and a + b√-1 ≡ 1 (mod 2 + 2√-1);
p + 1 ± 2a ∓ b, p + 1 ± 2b ∓ a, p + 1 ± (a + b), where p ≡ 1 (mod 3), p = a^2 - ab + b^2 and a + bω ≡ 2 (mod 3) with ω^2 + ω + 1 = 0.
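As an added illustration (not from the book) of the 'virtual' group operation used in the reduction above, the following Python code hides the points of a small elliptic curve as pairs (g^a, g^b) in a toy group G and adds them using only group operations in G and calls to a DHP oracle. The group Z_29^*, its generator g = 16 of order 7, the curve Y^2 = X^3 + X + 1 over F_7 and the brute-force oracle are all constructed for the example.

```python
# Added example (not from the book): Maurer-Wolf 'virtual' elliptic curve
# group law. A point (a, b) of E(F_p) is known only as (g^a, g^b) in G x G;
# additions of exponents are group multiplications in G, multiplications of
# exponents are calls to a DHP oracle, and inversion of an exponent is
# g^(x^(p-2)) computed by square-and-multiply over the oracle.
#
# Constructed toy instance: G = <g> is the subgroup of order p = 7 in Z_29^*
# generated by g = 16; E : Y^2 = X^3 + A X + B over F_7 with A = B = 1.
N_MOD = 29      # modulus of the ambient group Z_29^*
g = 16          # element of order 7 in Z_29^*
p = 7           # order of g, which is also the field size of E
A, B = 1, 1
CALLS = {"dhp": 0}   # counts oracle calls (the reduction uses polynomially many)

def dlog(h):
    """Brute-force DLP in the tiny group; used ONLY inside the DHP oracle,
    which the reduction treats as a black box."""
    x, acc = 0, 1
    while acc != h:
        acc, x = acc * g % N_MOD, x + 1
    return x

def dhp(X, Y):
    """DHP oracle: given g^x and g^y return g^(xy)."""
    CALLS["dhp"] += 1
    return pow(Y, dlog(X), N_MOD)

# Arithmetic on exponents, carried out on the encodings g^x without knowing x.
def e_const(k):   return pow(g, k % p, N_MOD)           # g^k for a known k
def e_add(X, Y):  return X * Y % N_MOD                   # g^(x+y)
def e_neg(X):     return pow(X, N_MOD - 2, N_MOD)        # g^(-x)
def e_sub(X, Y):  return e_add(X, e_neg(Y))              # g^(x-y)
def e_scale(X, k): return pow(X, k % p, N_MOD)           # g^(kx), k known
def e_mul(X, Y):  return dhp(X, Y)                       # g^(xy): oracle call

def e_inv(X):
    """g^(1/x) = g^(x^(p-2)) by square-and-multiply, each step an oracle call."""
    result, base, e = e_const(1), X, p - 2
    while e:
        if e & 1:
            result = e_mul(result, base)
        base = e_mul(base, base)
        e >>= 1
    return result

def e_div(X, Y):  return e_mul(X, e_inv(Y))              # g^(x/y)

def virtual_add(P, Q):
    """Return (g^e, g^f) with (e, f) = (a, b) + (c, d) on E, given only
    P = (g^a, g^b) and Q = (g^c, g^d). None encodes the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (Xa, Yb), (Xc, Yd) = P, Q
    if Xa == Xc:                                  # a == c exactly when g^a == g^c
        if e_add(Yb, Yd) == e_const(0):           # b == -d: P + Q = infinity
            return None
        num = e_add(e_scale(e_mul(Xa, Xa), 3), e_const(A))   # 3a^2 + A
        lam = e_div(num, e_scale(Yb, 2))                     # / (2b)
    else:
        lam = e_div(e_sub(Yd, Yb), e_sub(Xc, Xa))            # (d - b)/(c - a)
    Xe = e_sub(e_sub(e_mul(lam, lam), Xa), Xc)    # e = lambda^2 - a - c
    Yf = e_sub(e_mul(lam, e_sub(Xa, Xe)), Yb)     # f = lambda (a - e) - b
    return (Xe, Yf)

def encode(point):
    """Hide an affine point (a, b) of E(F_p) as (g^a, g^b) in G x G."""
    return None if point is None else (e_const(point[0]), e_const(point[1]))

if __name__ == "__main__":
    # (0,1) + (2,2) = (0,6) and 2*(0,1) = (2,5) on Y^2 = X^3 + X + 1 over F_7.
    print(virtual_add(encode((0, 1)), encode((2, 2))) == encode((0, 6)))
    print(virtual_add(encode((0, 1)), encode((0, 1))) == encode((2, 5)))
```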
CHAPTER X
Hyperelliptic Cryptosystems

In this final chapter the generalization of systems based on elliptic curves to systems based on hyperelliptic curves is considered. The cryptography is the same: the only change is the replacement of the group of points on an elliptic curve by the group of points of the Jacobian of a hyperelliptic curve. Hyperelliptic curves were first proposed for use in cryptography by Koblitz [63].
X.1. Arithmetic of Hyperelliptic Curves

Let C denote a hyperelliptic curve of genus g defined over F_q, with imaginary quadratic function field K. A hyperelliptic curve, C, of genus g can be given in the form
C : Y^2 + H(X)Y = F(X)
where F(X) is a monic polynomial of degree 2g+1 and H(X) is a polynomial of degree at most g. Both H(X) and F(X) have coefficients in F_q. Such a curve is non-singular if there is no point on C(F̄_q) at which the two partial derivatives,
2Y + H(X) and H'(X)Y - F'(X),
simultaneously vanish. It will always be assumed that the curve C is non-singular. In odd characteristic fields it will always be assumed that H(X) = 0 and that F(X) is square free.

A divisor on a curve is a formal sum of points
D = Σ_{P ∈ C(F̄_q)} n_P P
where n_P ∈ Z and all but finitely many of the n_P are zero. The degree of a divisor is defined to be Σ n_P. A divisor is called effective if n_P ≥ 0 for all P and is called rational if it is stable under the action of the absolute Galois group over F_q.

Every function on the curve gives rise to a divisor of degree zero, consisting of the formal sum of the poles and zeros of the function. Such divisors are called principal. The group of rational divisors of degree zero modulo principal divisors is a finite abelian group and forms the Jacobian of C over F_q, denoted by J_C(F_q). This forms the basis of the cryptographic schemes based on hyperelliptic curves.

A divisor on C will be called semi-reduced if it is effective and if, when a point P occurs in the support of the divisor, then the point P̄ does not, where P̄ denotes the image of P under the hyperelliptic involution. A semi-reduced divisor, which is defined over F_q, can be represented by two polynomials a, b ∈ F_q[x] which satisfy
(i) deg b < deg a,
(ii) b is a solution of the congruence b^2 + Hb ≡ F (mod a).
Such a divisor will be denoted by div(a, b), and it represents the F_q-rational divisor
Σ_i m_i (x_i, b(x_i))
where the sum is over all roots x_i of a, each root having multiplicity m_i.

The Jacobian, J_C, can be represented uniquely by reduced divisors. A reduced divisor is a semi-reduced divisor as above but of degree less than or equal to g. Hence the polynomial a above will have degree less than or equal to g. The identity of the group law on J_C is given by 0 = div(1, 0), and addition can be performed using the well known algorithm of Cantor and Koblitz (see [24] and [63]). Cantor's algorithm is equivalent to the usual combination and reduction algorithm of binary quadratic forms. In the function fields under consideration a divisor is essentially equivalent to a binary quadratic form, a fact we will return to later.
ALGORITHM X.1: Cantor's Algorithm.

INPUT: Two reduced divisors D_1 = div(a_1, b_1) and D_2 = div(a_2, b_2).
OUTPUT: The reduced divisor div(a_3, b_3) = D_1 + D_2.
1. Perform two extended gcd computations to compute
   d = gcd(a_1, a_2, b_1 + b_2 + H) = s_1 a_1 + s_2 a_2 + s_3 (b_1 + b_2 + H).
2. a_3 ← a_1 a_2 / d^2.
3. b_3 ← (s_1 a_1 b_2 + s_2 a_2 b_1 + s_3 (b_1 b_2 + F)) / d (mod a_3).
4. While deg a_3 is greater than the genus of C do:
5.    a_3 ← (F - H b_3 - b_3^2) / a_3,
6.    b_3 ← -H - b_3 (mod a_3).
7. Return div(a_3, b_3).

It is easy to see that the degree of a_3 will monotonically decrease as we process this while loop and so eventually a reduced divisor will be obtained. The initial steps are analogous to the composition of binary quadratic forms, while the final while loop is analogous to the reduction method for binary quadratic forms. For an analysis of the complexity of the above method, improvements and an extension to real quadratic function fields see [118] and [119].

For the rest of this section it will be assumed, for simplicity, that F_q has odd characteristic and that H(X) = 0. As K is a quadratic function field, prime divisors, P, in K come in one of three varieties. Let p denote the prime of F_q[x] which lies below P, in which case we have:
• P ramifies. In this case p divides F and there is only one prime divisor lying above p. Denote this ramified prime divisor by div(p, 0).
• P is inert. In this case p does not divide F and there is no solution to the equation
y^2 ≡ F(x) (mod p)
in the field L = F_q[x]/(p). Whether such a solution exists can be determined either by using a standard generalization of the Legendre symbol or by factoring y^2 - F over the field L.
• P splits. As in the inert case p does not divide F but now the equation
y^2 ≡ F(x) (mod p)
has two solutions, r_1 and r_2, both of degree less than deg p. The prime, p, then splits into the two divisors
P = div(p, r_1) and P̄ = div(p, r_2).
The values of the polynomial r_1 (and hence r_2) can be determined either by factoring y^2 - F over the field L = F_q[x]/(p), or by using an obvious generalization of the algorithm of Tonelli and Shanks (see Algorithm II.8).
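The following Python implementation of Algorithm X.1 is an added example, not code from the book; it assumes odd characteristic with H(X) = 0 and represents polynomials over F_p as coefficient lists. The curve Y^2 = X^5 + 1 over F_7 and the points used to build divisors are constructed for the example.

```python
# Added example (not from the book): Cantor's algorithm (Algorithm X.1) on the
# Jacobian of C : Y^2 = F(X) over F_p, p odd, H(X) = 0.
# Polynomials over F_p are lists of ints, lowest-degree coefficient first;
# the zero polynomial is [].

def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def deg(f):
    return len(f) - 1            # the zero polynomial has degree -1

def add(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(x + y) % p for x, y in zip(f, g)])

def neg(f, p):
    return [(-c) % p for c in f]

def sub(f, g, p):
    return add(f, neg(g, p), p)

def mul(f, g, p):
    if not f or not g:
        return []
    r = [0] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def divmod_(f, g, p):
    """Quotient and remainder of f by the non-zero polynomial g."""
    f, inv = f[:], pow(g[-1], -1, p)
    q = [0] * max(0, len(f) - len(g) + 1)
    while len(f) >= len(g):
        k, c = len(f) - len(g), f[-1] * inv % p
        q[k] = c
        for i, y in enumerate(g):
            f[i + k] = (f[i + k] - c * y) % p
        trim(f)
    return trim(q), f

def mod(f, g, p):
    return divmod_(f, g, p)[1]

def monic(f, p):
    inv = pow(f[-1], -1, p)
    return [c * inv % p for c in f]

def xgcd(f, g, p):
    """Extended Euclid: returns (d, s, t) with d monic and d = s*f + t*g."""
    r0, r1, s0, s1, t0, t1 = f, g, [1], [], [], [1]
    while r1:
        q, r = divmod_(r0, r1, p)
        r0, r1 = r1, r
        s0, s1 = s1, sub(s0, mul(q, s1, p), p)
        t0, t1 = t1, sub(t0, mul(q, t1, p), p)
    inv = pow(r0[-1], -1, p)
    return monic(r0, p), [c * inv % p for c in s0], [c * inv % p for c in t0]

def cantor_add(D1, D2, F, g, p):
    """Reduced divisor div(a3, b3) = D1 + D2 on the Jacobian of Y^2 = F(X)."""
    (a1, b1), (a2, b2) = D1, D2
    # Step 1: d = gcd(a1, a2, b1 + b2) = s1*a1 + s2*a2 + s3*(b1 + b2)
    # from two extended gcd computations.
    d1, e1, e2 = xgcd(a1, a2, p)                   # d1 = e1*a1 + e2*a2
    d, c, s3 = xgcd(d1, add(b1, b2, p), p)         # d  = c*d1 + s3*(b1 + b2)
    s1, s2 = mul(c, e1, p), mul(c, e2, p)
    # Step 2: a3 = a1*a2 / d^2 (exact division).
    a3 = divmod_(mul(a1, a2, p), mul(d, d, p), p)[0]
    # Step 3: b3 = (s1*a1*b2 + s2*a2*b1 + s3*(b1*b2 + F)) / d  mod a3.
    num = add(mul(mul(s1, a1, p), b2, p), mul(mul(s2, a2, p), b1, p), p)
    num = add(num, mul(s3, add(mul(b1, b2, p), F, p), p), p)
    b3 = mod(divmod_(num, d, p)[0], a3, p)
    # Steps 4-6: reduce while deg a3 > genus (with H = 0 the numerator is F - b3^2).
    while deg(a3) > g:
        a3 = monic(divmod_(sub(F, mul(b3, b3, p), p), a3, p)[0], p)
        b3 = mod(neg(b3, p), a3, p)
    return monic(a3, p), b3

def point_divisor(x0, y0, p):
    """The reduced divisor div(x - x0, y0) of one affine point (x0, y0) on C."""
    return ([(-x0) % p, 1], [y0 % p] if y0 % p else [])

def is_reduced(D, F, g, p):
    """Conditions (i), (ii) of a semi-reduced divisor plus deg a <= g."""
    a, b = D
    return deg(a) <= g and deg(b) < deg(a) and mod(sub(mul(b, b, p), F, p), a, p) == []

# Constructed toy curve: C : Y^2 = X^5 + 1 over F_7 (genus 2, F square free).
P_, G_ = 7, 2
F_ = [1, 0, 0, 0, 0, 1]

if __name__ == "__main__":
    D12 = cantor_add(point_divisor(0, 1, P_), point_divisor(1, 3, P_), F_, G_, P_)
    print(D12)                                     # ([0, 6, 1], [1, 2])
    print(cantor_add(D12, point_divisor(5, 2, P_), F_, G_, P_))   # ([0, 2, 1], [6, 4])
```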
X.2. Generating Suitable Curves
Just as in the case of elliptic curves, there are many ways one could theoretically proceed if one wanted to produce curves suitable for use in cryptography. The order #J_C(F_q) can be computed in polynomial time using methods due to Adleman, Huang and Pila (see [4] and [120]). These methods are generalizations of the method of Schoof which is used in the elliptic case. The authors are not aware of any implementation of this method for genus greater than one, since the algorithm, although easy to understand, appears very hard to implement. In addition there is no known analogue of the improvements of Atkin and Elkies. This means that only the 'naive' Schoof algorithm is available in genus greater than one. Such a 'naive' algorithm appears hopeless as a method, since the 'naive' algorithm is far too inefficient even for elliptic curves.

One can compute hyperelliptic curves using an analogue of the CM method for elliptic curves. This has been worked out in detail for the case of g = 2 in [155]. This method uses quartic CM fields, which are complex quadratic extensions of real quadratic fields. Analogues of the Hilbert class polynomial are constructed, the zeros of which modulo p give the j-invariants of the curve. The curve is then recovered from its j-invariants.

The problem with this technique (and the reason it only applies in genus two) is that the j-invariants of a hyperelliptic curve have only been worked out for genus less than three. The invariants are the Igusa invariants [53] which are linked to the classical nineteenth century invariants of quintic and sextic polynomials. After the demise of classical invariant theory at the end of the nineteenth century the drive to compute invariants of higher order quantics died out. Even today with the advent of computer algebra systems this seems a daunting task.

The fact that it seems unlikely that anyone can compute the order of J_C(F_q) for a general curve of genus four or five has led some to propose that one should not worry. For example, if I do not believe that someone can compute the order, #J_C(F_q), then I do not need to worry about many of the attacks on such systems, since most attacks such as Pohlig-Hellman require knowledge of the group order. This means of course that the protocols need to be changed so that they do not require knowledge of the group order. Although a possible approach, this is probably to be rejected as it is assuming that a problem for which there is a known polynomial time algorithm will remain infeasible in the long term. This assumption is quite tenuous, even if the exponent in the polynomial complexity is relatively high. First, history shows that the asymptotics of polynomial time algorithms with high exponents often get improved, if enough research effort is invested. The Schoof algorithm for elliptic curves, and its improvements discussed in Chapter VII, provide a prime example. Second, even if the polynomial complexity remains high, comparisons in strength/key size, of the type made in Chapter I between exponential and sub-exponential complexities, apply even more forcefully to the gap between polynomial and these complexities. With problems available for which the best known attack is exponential or even sub-exponential, it would be hard to justify the choice of a problem with a polynomial time attack as the basis for a practical cryptosystem.
Just as for elliptic curves one could consider subfield-type curves. In other words the curve C is defined over F_q, for a small value of q, but we consider the Jacobian group J_C(F_{q^n}) over F_{q^n}. The advantage of this is that it is then easier to compute group orders. We shall now explain this method in detail and follow on from the discussion on zeta functions for elliptic curves in Chapter VI (with a slight change of notation). We use [66] as a reference for this material.

Let C be a curve of genus g defined over F_q and let N_n denote the number of F_{q^n}-rational points on the curve. The zeta function for the curve is, as in Section VI.4,
Z(C; T) = exp( Σ_{n ≥ 1} N_n T^n / n ).
For a curve of genus g, this zeta function can be shown to be of the following form:
Z(C; T) = P(T) / ((1 - T)(1 - qT)).
Here, P(T) is a polynomial with integer coefficients, which can be written as
P(T) = 1 + a_1 T + a_2 T^2 + ··· + a_{g-1} T^{g-1} + a_g T^g
       + q a_{g-1} T^{g+1} + q^2 a_{g-2} T^{g+2} + ··· + q^{g-1} a_1 T^{2g-1} + q^g T^{2g}
     = ∏_{i=1}^{g} (1 - α_i T)(1 - ᾱ_i T),    (X.1)
where each α_i is of absolute value √q. It then follows that
N_n = q^n + 1 - Σ_{i=1}^{g} (α_i^n + ᾱ_i^n),    n ≥ 1.
The coefficients of P(T) can be obtained from the power series identity [66]
Z'(T) / Z(T) = Σ_{i ≥ 0} (N_{i+1} - q^{i+1} - 1) T^i.
It follows from this identity and Equation (X.1) that the values N_i, for 1 ≤ i ≤ g, suffice to determine P(T), and hence the α_i. Therefore, in this case, knowledge of N_1, N_2, ..., N_g determines N_n for all n > g.

The fact that the roots of the polynomial P(T) have magnitude √q is referred to as the Riemann hypothesis for function fields, and certain symmetries and properties of the zeta function follow from it, in common with the ordinary zeta function (see e.g. [147]). This generalization of the Hasse Theorem for elliptic curves was conjectured by Weil and proven by him for curves and abelian varieties. A more general version for projective varieties of dimension n, as well as the Riemann hypothesis for such varieties, was proven by Deligne (see [147]).

Our interest is in the order of J_C(F_{q^n}). It can be shown that
#J_C(F_{q^n}) = ∏_{j=1}^{g} |1 - α_j^n|^2,
and thus the size of the Jacobian group of C defined over any extension field of F_q is also uniquely determined by the zeta function of the curve.

For example the curve
C : Y^2 + Y = X^11 + X^5 + 1
of genus five defined over F_2 has the following values of N_i:
N_1 = 1, N_2 = 9, N_3 = 13, N_4 = 17, N_5 = 21.
This means that the polynomial P(T) is given by
P(T) = 32T^10 - 32T^9 + 32T^8 - 16T^7 + 8T^6 - 4T^5 + 4T^4 - 4T^3 + 4T^2 - 2T + 1.
So the Jacobian of C over F_{2^31} has order
45670532412550219104532763067859878068212400129
with a cyclic subgroup of order
p = 1985675322284792134979685350776516437748365223,
where p is a 152-bit prime number.
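As an added example (not from the book), the following Python code carries out the computation just described: it recovers P(T) from N_1, ..., N_g via the power series identity and the functional equation, and then evaluates #J_C(F_{q^n}) for the genus-five curve above. It generalizes the worked numbers to any q, genus and extension degree n; the only input data are the N_i quoted in the text.

```python
# Added example (not from the book): the polynomial P(T) of the zeta function
# from N_1, ..., N_g, and the order #J_C(F_{q^n}) derived from it.
from fractions import Fraction

def _l_poly_from_log(c, q, g):
    """Coefficients a_0..a_{2g} of P(T) = exp(sum_{k>=1} c_k T^k / k), where only
    c_1..c_g are supplied (c[0] is unused); the upper half follows from the
    functional equation a_{g+i} = q^i a_{g-i} visible in (X.1)."""
    a = [Fraction(1)]
    for k in range(1, g + 1):                      # k a_k = sum_{n<=k} c_n a_{k-n}
        a.append(sum(c[n] * a[k - n] for n in range(1, k + 1)) / k)
    assert all(x.denominator == 1 for x in a)     # the a_k are integers
    a = [int(x) for x in a]
    return a + [q ** i * a[g - i] for i in range(1, g + 1)]

def l_polynomial(q, N):
    """P(T) from N = [N_1, ..., N_g]. Since Z = P / ((1 - T)(1 - qT)),
    log P(T) = sum_{n>=1} (N_n - q^n - 1) T^n / n."""
    g = len(N)
    c = [0] + [N[n - 1] - q ** n - 1 for n in range(1, g + 1)]
    return _l_poly_from_log(c, q, g)

def power_sums(a, kmax):
    """S_k = sum of beta^k over the 2g reciprocal roots beta of P(T) =
    prod (1 - beta T), for k = 1..kmax, by Newton's identities
    (a_k = 0 beyond degree 2g)."""
    coef = lambda k: a[k] if k < len(a) else 0
    S = [0]
    for k in range(1, kmax + 1):
        S.append(-k * coef(k) - sum(S[n] * coef(k - n) for n in range(1, k)))
    return S

def point_counts(q, a, nmax):
    """N_n = q^n + 1 - sum_i (alpha_i^n + conj(alpha_i)^n), n = 1..nmax."""
    S = power_sums(a, nmax)
    return [q ** n + 1 - S[n] for n in range(1, nmax + 1)]

def jacobian_order(q, N, n):
    """#J_C(F_{q^n}) = prod_j |1 - alpha_j^n|^2 = P_n(1), where P_n(T) is the
    polynomial whose reciprocal roots are the n-th powers of those of P(T):
    its power sums are S_{nk}, and it obeys (X.1) with q replaced by q^n."""
    g = len(N)
    S = power_sums(l_polynomial(q, N), g * n)
    c = [0] + [-S[n * k] for k in range(1, g + 1)]
    return sum(_l_poly_from_log(c, q ** n, g))

# Data of the genus-five curve Y^2 + Y = X^11 + X^5 + 1 over F_2 from the text.
Q_, N_ = 2, [1, 9, 13, 17, 21]

if __name__ == "__main__":
    print(l_polynomial(Q_, N_))      # [1, -2, 4, -4, 4, -4, 8, -16, 32, -32, 32]
    print(jacobian_order(Q_, N_, 1))  # 23 = P(1) = #J_C(F_2)
    print(jacobian_order(Q_, N_, 31)) # 45670532412550219104532763067859878068212400129
```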
X.3. The Hyperelliptic Discrete Logarithm Problem
Just as for elliptic curves, one needs to avoid the analogues of the 'supersingular' and 'anomalous' curves. We do not give the details here but refer the reader to the papers of Frey and Rück [44] and Rück [135]. In addition the general BSGS and kangaroo methods apply for Jacobians of hyperelliptic curves as well. The most interesting case, from a theoretical standpoint, is when the genus is large in comparison with the characteristic, as there are then conjectured sub-exponential methods.

In this section, for simplicity, attention is restricted to curves defined over fields of odd characteristic and it is assumed that H(X) = 0. In [2], Adleman, De Marrais and Huang proposed a (conjectured) sub-exponential method for the DLP in Jacobians of hyperelliptic curves of large genus. This method was based on the ideas of the function field sieve algorithm which can be used to solve the DLP in F_{2^n} [1]. The function field sieve is itself based on Pollard's number field sieve, (NFS), algorithm for factoring integers [77]. The method of Adleman, De Marrais and Huang appears to be only of theoretical interest since for practical systems the genus can usually be chosen to be small so that the underlying group operations are performed quickly.

Recently Paulus [117] and Flassenberg and Paulus [43] have implemented a method for solving discrete logarithms for Jacobians of hyperelliptic curves. Flassenberg and Paulus did not, however, use the method of Adleman, De Marrais and Huang directly. Instead they made use of the fact that hyperelliptic curves correspond to degree two function field extensions. Then using the analogy between quadratic number fields and quadratic function fields they adapted the class group method of Hafner and McCurley [50] (see [29]). This, combined with a sieving operation, provided Flassenberg and Paulus with a working method which could be applied to hyperelliptic curves of small genus. It should also be pointed out that although Flassenberg and Paulus did not solve discrete logarithm problems, their methods are such that they can be easily extended so that they do.

X.3.1. The Number Field Sieve analogue. The conceptually easier approach of Adleman, De Marrais and Huang is explained first. This method generates random elements of the function field of the form
f = a(x)y + b(x),

with coprime a(x), b(x) ∈ F_q[x]. The method then tries to factor the divisor div(f) over a predetermined set of prime divisors (the factor base). This produces a relation as in the techniques for solving discrete logarithms in F_q^*, which can then be used with standard matrix techniques to find discrete logarithms in J_C(F_q). In the original presentation, the factor base is chosen to be the set of all split prime divisors of small degree in K. The drawback to this factor base is that for curves of small genus the factor base would consist of essentially half of the points on the curve over F_q.

The decision as to whether an element of the required form factored over the factor base was decided, in [2], using the fact that in random polynomial time one can factor polynomials over finite fields. In the standard NFS, factorizations are expensive and so one replaces them by a sieving procedure. Factoring polynomials over finite fields is, on the other hand, inexpensive, so for a complexity-theoretic answer one does not need to use a sieving technique. However, in practice, a sieving technique, developed by Flassenberg and Paulus, has proved to be particularly useful.

Determining the prime divisor decomposition of the function f can be done via the following proposition, once the factorization of b^2 - a^2 F has been found.

PROPOSITION X.1. Let a(x), b(x) ∈ F_q[x] be coprime polynomials, let f denote the function a(x)y + b(x) and set
N_f = N_{K/F_q[x]}(a(x)y + b(x)) = b(x)^2 - a(x)^2 F(x) = ∏_{i=1}^{r} p_i(x)^{m_i},
where the p_i(x) ∈ F_q[x] are irreducible. Then div(f) has only ramified or split primes in its support and
div(f) = Σ_{i=1}^{r} m_i div(p_i, r_i) - ( Σ_{i=1}^{r} m_i ) ∞,
where r_i is the unique polynomial of degree less than the degree of p_i such that
a(x) r_i(x) + b(x) ≡ 0 (mod p_i(x))  or  -a(x) r_i(x) + b(x) ≡ 0 (mod p_i(x)).

A method is needed to find polynomials a, b ∈ F_q[x] such that the divisor of the function
f = ay + b
has support on the factor base only. Just as in the NFS, it is noticed that if an element of the factor base lies in the support of f then a congruence condition between a and b can be derived. This was described in Proposition X.1 above. We organize a sieve in the function field case as is described in [43]. To every polynomial g(x) ∈ F_q[x] is associated a code given by g(q) ∈ N. This is a unique integer which we use to index a sieving array, which is a two
dimensional matrix indexed by the polynomial codes. Each array element is initialized at the start of the sieve to the value of
deg(N_{K/F_q[x]}(ay + b)) = deg(b^2 - a^2 F),
where a and b are the polynomials whose codes represent the row and column index of the array. The sieve proceeds by taking every element, P = div(p, r), of the factor base in turn. The sieving array element is decreased by the degree of p if either
ar + b ≡ 0 (mod p)
or
-ar + b ≡ 0 (mod p).
Every polynomial, a_0, is taken in the a-direction and the polynomial b_0 ≡ -a_0 r (mod p) is computed. The degree of p is subtracted from every array element which satisfies
(a, b) = (a_0 + e_1 p, ±b_0 + e_2 p)
where e_1 and e_2 are polynomials. This can be done efficiently but care needs to be taken as to how we jump through the array. Details of how this can be done can be found in [43]. Polynomial arithmetic is not used to compute the jumps. This would mean that in order to deduce the next array element the current array position would have to be converted to polynomials, the polynomial addition or left shift performed, and then converted back to polynomial codes. It is far more efficient to implement polynomial addition and left shift directly on the codes themselves. A left shift is simply a multiplication by q, while addition can be carried out efficiently by computing a base q expansion of the codes of the polynomials which need to be added.
X.3.2. The Hafner-McCurley analogue. In the method used by Paulus and Flassenberg, which is based on the ideas of Hafner and McCurley, factorization of the element a + by is replaced by attempting to factor a divisor equivalent to a given random sum of elements of the factor base. Let F denote the factor base of split prime divisors. The idea, just as in the previous method, is to find relations on the elements in this factor base. A random power sum of elements in F is first computed,
D = Σ_{D_i ∈ F} [n_i] D_i.
If a divisor, D', can be found which is equivalent to D and which factors over the factor base as
D' = Σ_{D_i ∈ F} [m_i] D_i,

then we have the relation
Σ_{D_i ∈ F} [n_i - m_i] D_i = 0.
Every divisor D can be represented, as operations are in an imaginary quadratic function field, as a quadratic form
D = (a, b, c), a, b, c ∈ F_q[X],
of discriminant F(X). Prime forms are those of the form (p, b_p, c_p) with
b_p^2 ≡ F(X) (mod p), deg b_p < deg p.
The primes in the support of D are those which lie below the rational primes, i.e. irreducible polynomials in F_q[X], which are factors of a,
a = ε ∏_p p^{v_p},
where ε ∈ F_q[X]^*. If the prime divisors of p are defined by
f_p = (p, b_p, c_p)
then
(a, b, c) = Σ_p [ε_p v_p] f_p
with ε_p = ±1 and b ≡ ε_p b_p (mod 2p F_q[X]) and c_p such that f_p has discriminant F(X).

How is such a factorization of D' over the factor base obtained? Every divisor equivalent to D is represented by a quadratic form of the shape
(a x^2 + b x y + c y^2, *, *).
Hence we need to run through a set of (x, y) ∈ F_q[X] × F_q[X] until we obtain a polynomial a x^2 + b x y + c y^2 which can be factored over the polynomials lying below the prime divisors in the factor base. Clearly sieving techniques, as used above, can be applied to this problem.

The method of Hafner-McCurley has been the most successful of all methods for finding the group structure, and hence discrete logarithms, of Jacobians of curves of high genus. For example a curve over F_11 of genus eight may take two hours to compute the group structure using BSGS type methods, but the sieving method above requires only 17 minutes. It should be noted that the method really requires large genus curves. The same method applied to an elliptic curve over a field of size 10^5 can take two minutes using BSGS while it would take over five hours using the above methods. The crossover point of the BSGS and the sieving methods described above seems to be around fields of order 10^{9/g}, where g is the genus. Such Jacobians will have group orders about 10^9.

Notice that for a genus five curve over a field of size 32 bits we can implement a cryptosystem without using large integer arithmetic and for which the above methods cannot be applied successfully to compute discrete logarithms. On another plus side, such Jacobians will have group orders around
(2^32)^5 = 2^160,
and so can be made resistant, with current computing power, to the general discrete logarithm algorithms, such as BSGS.
APPENDIX A
Curve Examples

This appendix presents examples of elliptic curves whose groups of rational points contain large prime subgroups. Section A.1 shows curves over finite fields F_q, with q = p, a large prime, while Section A.2 shows curves over F_q, with q = 2^n. Unless explicitly noted otherwise, the curves are 'random', in the sense that their relevant coefficients were drawn at random, with uniform probability, and the orders of their groups of rational points were determined using the point counting algorithms described in Chapter VII. In each case, a number of random curves E was generated, and the order of the group E(F_q) determined, until a satisfactory one was found. The probability of success in such random trials was discussed in Section VI.5. In Section A.1, we also present some examples of curves generated with the CM method described in Chapter VIII. All the primes listed in the examples were certified using the elliptic curve primality proving (ECPP) method [7] described in Chapter IX.

A.1. Odd Characteristic

The examples in this section describe curves over fields F_p, where p is a large prime. The curve equations are of the form
E : Y^2 = X^3 + aX + b, a, b ∈ F_p.
For each curve, the values of p, a, b, and #E(F_p) are listed, with elements of F_p shown as integers in the range {0, 1, ..., p-1}, in decimal notation. When #E(F_p) is composite, it is also shown factored as s · r, where s is a small positive integer, and r is prime. Large integers might be broken into multiple lines, with a backslash at the end of a line indicating that the number is continued in the next line.

Examples 1-7 show 'random' curves, as described above. In these examples, the values of p are all of the form 2^k + c, c a small positive integer, so the 'size' of a field element is self-evident. The curves in examples 8-11 were generated with the CM method. For these examples, the value ⌈log_2 p⌉ is shown (since p has no special form), as are the discriminant -D and the class number h_D. In all cases, the curve initially obtained was renormalized with a transformation of the form a → u^4 a, b → u^6 b, u ≠ 0, to make the coefficient a a small integer. As discussed in Chapter III, the resulting curve is isomorphic to the original one.
EXAMPLE 1.
p = 2^130 + 169
  = 1361129467683753853853498429727072845993,
a = 3,
b = 1043498151013573141076033119958062900890,
#E(F_p) = 1361129467683753853808807784495688874237
  (a prime number).

EXAMPLE 2.
p = 2^130 + 169
  = 1361129467683753853853498429727072845993,
a = 1,
b = 1230929586093851880935564157041535079194,
#E(F_p) = 1361129467683753853846060531160085896483
  (a prime number).

EXAMPLE 3.
p = 2^160 + 7
  = 1461501637330902918203684832716283019655932542983,
a = 10,
b = 1343632762150092499701637438970764818528075565078,
#E(F_p) = 1461501637330902918203683518218126812711137002561
  (a prime number).

EXAMPLE 4.
p = 2^160 + 7
  = 1461501637330902918203684832716283019655932542983,
a = 1,
b = 1010685925500572430206879608558642904226772615919,
#E(F_p) = 1461501637330902918203683038630093524408650319587
  (a prime number).
EXAMPLE 5.
p = 2^190 + 129
  = 15692754338466701909589473558019166040255888611160 \
    08628353,
a = 10,
b = 13484624114143613126110541131169310875806949186774 \
    22294274,
#E(F_p) = 15692754338466701909589473557802870403052555408969 \
    46997883
  (a prime number).

EXAMPLE 6.
p = 2^190 + 129
  = 15692754338466701909589473558019166040255888611160 \
    08628353,
a = 2,
b = 12352246712371885871866833148430395515491455516523 \
    48919785,
#E(F_p) = 15692754338466701909589473557448604281873393792782 \
    34198947
  (a prime number).

EXAMPLE 7.
p = 2^230 + 67
  = 17254365866976409468586889655692563631127772430425 \
    96638790631055949891,
a = 7,
b = 30760627165932116708009308342886016941744188615122 \
    817540619633362515,
#E(F_p) = 17254365866976409468586889655692563495678763846462 \
    09701190542123355279
  = 3 · 57514552889921364895289632185641878318929212821 \
    5403233730180707785093.

EXAMPLE 8. CM method: D = 120, class number h_D = 4.
p = 65455032684134289174663529622762084395449925683109 \
    5265159541652712020456264658138887199159,
⌈log_2 p⌉ = 299,
a = 1,
b = 36144049423228325504814614498592213402384746101106 \
    1544601950323468977393822343563902480881,
#E(F_p) = 65455032684134289174663529622762084395449925575241 \
    0858744956803878193824452885839260141966
  = 2 · 32727516342067144587331764811381042197724962787 \
    6205429372478401939096912226442919630070983.

EXAMPLE 9. CM method: D = 532, class number h_D = 4.
p = 75351630183031237089471027567747356575330769048527 \
    5188329021453480578403168297870032548617,
⌈log_2 p⌉ = 299,
a = 5,
b = 88724011078561722486617538567703959028485726225214 \
    9486851149501578553921103683825690162,
#E(F_p) = 75351630183031237089471027567747356575330769209158 \
    0197738211634229731628612489372399302238
  = 2 · 37675815091515618544735513783873678287665384604 \
    5790098869105817114865814306244686199651119.

EXAMPLE 10. CM method: D = 120, class number h_D = 4.
p = 21279538842228906832073178837320107985820544239452 \
    00643290551500599638430512859070665065630773920606 \
    859367176287315388271,
⌈log_2 p⌉ = 400,
a = 3,
b = 83049009004345361077229425543060980908577486512163 \
    20343513463682140711081496231001649308495612010228 \
    47712036885536216902,
#E(F_p) = 21279538842228906832073178837320107985820544239452 \
    00643290553056368847309894942851909145900824563569 \
    612334595860183293074
  = 22 · 9672517655558594014578717653327321811736611017 \
    93273019677524116531294231770428569049611773102074 \
    34982378845266371967867.

EXAMPLE 11. CM method: D = 307, class number h_D = 3.
p = 70488450694327127420028164186486186967538228180387 \
    43742878235725906364657764309029949371166271546975 \
    96008175843994317887,
⌈log_2 p⌉ = 399,
a = 5,
b = 38666290422088484615811897875529695758816114458122 \
    72276326084773948335087614278974368305033461629194 \
    63497627079364752199,
#E(F_p) = 70488450694327127420028164186486186967538228180387 \
    43742878233999375534968106454711645760031221836061 \
    60284656185776243884
  = 4 · 17622112673581781855007041046621546741884557045 \
    09685935719558499843883742026613677911440007805459 \
    01540071164046444060971.

A.2. Characteristic Two

The examples in this section describe curves over fields F_q with q = 2^n, defined by equations of the form
E : Y^2 + XY = X^3 + a_2 X^2 + a_6, a_2, a_6 ∈ F_q.
For each curve, the values of n, f(x), a_2, a_6, and #E(F_q) are listed, where f(x) is the irreducible polynomial used to represent F_q over F_2. The coefficient a_2 is either 0 or 1 and is thus equal to its trace, as n is odd in all the examples listed. The coefficient a_6 is presented in hexadecimal form. Each hexadecimal digit expands in the natural way to four bits, except possibly the most significant digit, which expands to the appropriate number of bits for a total length of n. Once expanded, the bits represent the coefficients of α^{n-1}, α^{n-2}, ..., α^0, respectively from left to right, where α is a root of f(x). The group order #E(F_q) is shown in decimal form, and also factored as s · r, where s is a small positive integer, and r is prime. In all the examples, s is the smallest possible value for the given isomorphism class, i.e., s = 2 when Tr_2(a_2) = 1, and s = 4 otherwise. As before, a backslash at the end of a line indicates that the number (hexadecimal or decimal) is continued in the next line. All curves in this section are 'random'.
EXAMPLE 12. n = 131, f(x) = x^131 + x^8 + x^3 + x^2 + 1,
a_2 = 1,
a_6 = 7417501D24550DBC77351632C8513E8FE,
#E(F_q) = 2722258935367507707729351292932711465734
  = 2 · 1361129467683753853864675646466355732867.

EXAMPLE 13. n = 131, f(x) = x^131 + x^8 + x^3 + x^2 + 1,
a_2 = 0,
a_6 = 4AC7797773F8A77E6303D3D77655D6924,
#E(F_q) = 2722258935367507707809518977492775069508
  = 4 · 680564733841876926952379744373193767377.

EXAMPLE 14. n = 163, f(x) = x^163 + x^7 + x^6 + x^3 + 1,
a_2 = 1,
a_6 = 15E6478546D92CE2625DB7475B43689E6E40D4AD4,
#E(F_q) = 11692013098647223345629485326803604448910923041922
  = 2 · 58460065493236116728147426634018022244554615209 \
    61.

EXAMPLE 15. n = 163, f(x) = x 163 + x 7 + x 6 + x 3 + 1,


0,
48419ECBC9470895FC 140C85 1849CF6F 1977FF03B ,
1 169201309864722334562948261 3505893 1 15770279035908
4 · 292300327466 1 8058364073706533764732789425697589 \
77.

EXAMPLE 16. n = 191, f(x) = x 191 + x9 + 1,


1,
7BC86E2 102902EC4D5890E8B6B498 1FF27E0482750FE \
FC03 ,
3 1 385508676933403 8 1 9 1 789471 166922999 1 6305223017355 \
90858398
2 . 1569275433846670 1909589473558346 149958 1526 1 1 508 \
67795429 199 .

EXAMPLE 17. n = 191, f(x) = x 191 + x9 + 1,


0,
3 15BB01ABA43F480142F 4E87D289C59D9754AB5200A 7 \
489 ,
3 13855086769334038 1 9 1 78947 1 1 65 6 1 509135199454636589 \
96854612
4 · 784637716923335095479473677914037728379986365 9 1 \
4749213653 .

EXAMPLE 18. n = 239, f(x) = x 239 + x 36 + 1,


1,
6BAB7A9 1D4794C8971A80A6A48B 1DF53A464297EE089 \
6C2EB097D93E4FO ,
883423532389 1 9 2 1 6479 164875037145925915902909620654 \
780009456530402909 1086
2 · 441711766194596082395824375 1857296295795 1454810 \
3273900047282652014545543 .

EXAMPLE 19. n = 239, f(x) = x^239 + x^36 + 1,
    a_2 = 0,
    a_6 = 52BCEACD14FB3DCBCE421A3C6E59D4B663215EFF1457498E4ABB6412CFA5,
    #E(F_q) = 883423532389192164791648750371459259368820904376224931282435296676616188
            = 4 · 220855883097298041197912187592864814842205226094056232820608824169154047.

EXAMPLE 20. n = 307, f(x) = x^307 + x^8 + x^4 + x^2 + 1,
    a_2 = 1,
    a_6 = 393C7F7D53666B5054B5E6C6D3DE94F4296C0C599E2E2E241050DF18B6090BDC90186904968BB,
    #E(F_q) = 260740604970814219042361048116400404614587954386406558546126511192321845986215018738661814126
            = 2 · 130370302485407109521180524058200202307293977193203279273063255596160922993107509369330907063.

EXAMPLE 21. n = 367, f(x) = x^367 + x^21 + 1,
    a_2 = 1,
    a_6 = 43FC8AD242B0B7A6F3D1627AD5654447556B47BF6AA4A64B0C2AFE42CADAB8F93D92394C79A79755437B56995136,
    #E(F_q) = 300613450595050653169853516389035139504087366260264943480452858763500181636894133002363416586635751318745406098
            = 2 · 150306725297525326584926758194517569752043683130132471740226429381750090818447066501181708293317875659372703049.

EXAMPLE 22. n = 401, f(x) = x^401 + x^152 + 1,
    a_2 = 1,
    a_6 = 83420635F8EA519BEC743DF9DBCA94AC950E076F90C07C2821262E3C180FF8A2D2F4AF6DF2FB1833EFCEE99E811CFB11CFA0,
    #E(F_q) = 5164499756173817179311838344006023748659411585658447025661319699242150715677450218885459984002546145032989725132571785934
            = 2 · 2582249878086908589655919172003011874329705792829223512830659849621075357838725109442729992001273072516494862566285892967.

EXAMPLE 23. n = 431, f(x) = x^431 + x^120 + 1,
    a_2 = 1,
    a_6 = 715C87C2294703FF4B46C0BC257F89AE9E420BF6F07D1E80A537F7269DAE06D7CD9EDECBCCF777D7D041F8889D5C51A61C93DCC266CE,
    #E(F_q) = 5545339388241629719156828368286167406872874150751633150340959161171808908283429806884365866090618516771699707619208876544223742366
            = 2 · 2772669694120814859578414184143083703436437075375816575170479580585904454141714903442182933045309258385849853809604438272111871183.
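The claims made for each entry above can be re-derived from the tabulated data alone: that #E(F_q) = s · r, that s is 2 or 4 according to Tr(a_2), that #E(F_q) lies within the Hasse bound, that r is prime, and that a random point P on the curve satisfies [#E(F_q)]P = O. The following Python script does this. It is an added example and not part of the authors' text or software. It represents elements of F_{2^n} as integers holding polynomials over F_2 reduced modulo the tabulated f(x) (assumed irreducible, as stated), finds points with the half-trace and so assumes n odd, and transcribes Example 12 above into the constant EXAMPLE_12; the remaining entries are checked by calling verify_curve with their data.

```python
import random
def gf2_mul(a, b, n, f):
    """a*b in GF(2^n) = GF(2)[x]/(f); f is the degree-n reduction polynomial (bit n set)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:                     # degree reached n: subtract (xor) f once
            a ^= f
    return r

def gf2_inv(a, n, f):
    """a^-1 for a != 0, by the extended Euclidean algorithm on GF(2)[x]."""
    u, v, g1, g2 = a, f, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1

def half_trace(c, n, f):
    """H(c) = sum of c^(4^i) for i = 0..(n-1)/2 (n odd); it satisfies H^2 + H = c + Tr(c)."""
    h = c
    for _ in range((n - 1) // 2):
        h = gf2_mul(h, h, n, f)
        h = gf2_mul(h, h, n, f) ^ c
    return h

def trace(c, n, f):
    z = half_trace(c, n, f)            # Tr(c) in {0, 1}, via the identity above
    return gf2_mul(z, z, n, f) ^ z ^ c

def random_point(curve, rng=random):
    """Random x != 0; with y = xz the curve equation reads z^2 + z = (x^3 + a2 x^2 + a6)/x^2."""
    n, f, a2, a6 = curve
    while True:
        x = rng.randrange(1, 1 << n)
        x2 = gf2_mul(x, x, n, f)
        d = gf2_mul(gf2_mul(x2, x ^ a2, n, f) ^ a6, gf2_inv(x2, n, f), n, f)
        if trace(d, n, f) == 0:        # solvable (half of all x qualify)
            return (x, gf2_mul(x, half_trace(d, n, f), n, f))

def add(P, Q, curve):
    """Group law on y^2 + xy = x^3 + a2 x^2 + a6; None is O, and -(x, y) = (x, x + y)."""
    n, f, a2, _ = curve
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:        # Q = -P, or P = -P (then 2P = O)
            return None
        lam = x1 ^ gf2_mul(y1, gf2_inv(x1, n, f), n, f)
        x3 = gf2_mul(lam, lam, n, f) ^ lam ^ a2
        y3 = gf2_mul(x1, x1, n, f) ^ gf2_mul(lam ^ 1, x3, n, f)
    else:
        lam = gf2_mul(y1 ^ y2, gf2_inv(x1 ^ x2, n, f), n, f)
        x3 = gf2_mul(lam, lam, n, f) ^ lam ^ x1 ^ x2 ^ a2
        y3 = gf2_mul(lam, x1 ^ x3, n, f) ^ x3 ^ y1
    return (x3, y3)

def mul(k, P, curve):
    R = None
    for bit in bin(k)[2:]:             # [k]P by left-to-right double-and-add
        R = add(R, R, curve)
        if bit == "1":
            R = add(R, P, curve)
    return R

def is_probable_prime(m, rounds=40, rng=random):
    """Miller-Rabin strong probable-prime test with random bases (m odd, m > 3)."""
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = rng.randrange(2, m - 1)
        if pow(a, d, m) != 1 and all(pow(a, d << i, m) != m - 1 for i in range(s)):
            return False
    return True

def verify_curve(n, f, a2, a6, order, s, r):
    """Re-derive the appendix's claims for one entry on a random point P; returns {claim: bool}."""
    curve, q = (n, f, a2, a6), 1 << n
    P = random_point(curve)
    return {"#E = s*r": order == s * r,
            "s = 2 iff Tr(a2) = 1": s == (2 if trace(a2, n, f) == 1 else 4),
            "r prime": is_probable_prime(r),
            "Hasse bound": (order - q - 1) ** 2 <= 4 * q,
            "[#E]P = O": mul(order, P, curve) is None,
            "[r]([s]P) = O": mul(r, mul(s, P, curve), curve) is None}

# Example 12 of this appendix, digits transcribed from the entry above.
EXAMPLE_12 = dict(n=131, f=(1 << 131) | (1 << 8) | (1 << 3) | (1 << 2) | 1, a2=1, s=2,
                  a6=0x7417501D24550DBC77351632C8513E8FE,
                  order=2722258935367507707729351292932711465734,
                  r=1361129467683753853864675646466355732867)
```

verify_curve(**EXAMPLE_12) returns a dictionary of booleans. The first four checks involve only the tabulated integers; a False for "[#E]P = O" would point to a transcription error in a_6 or in the group order, since the group law itself can be exercised independently (e.g. [5]P + [7]P = [12]P) on any a_6.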
Bibliography

[A-1] L.M. Adleman and M.-D. Huang, editors. ANTS-1: Algorithmic Number Theory. Springer-Verlag, LNCS 877, 1994.
[A-2] H. Cohen, editor. ANTS-2: Algorithmic Number Theory. Springer-Verlag, LNCS 1122, 1996.
[A-3] J. Buhler, editor. ANTS-3: Algorithmic Number Theory. Springer-Verlag, LNCS 1423, 1998.
[A92] J. Seberry and Y. Zheng, editors. Advances in Cryptology, AUSCRYPT 92. Springer-Verlag, LNCS 718, 1993.
[A94] J. Pieprzyk and R. Safavi-Naini, editors. Advances in Cryptology, ASIACRYPT 94. Springer-Verlag, LNCS 917, 1995.
[A98] K. Ohta and D. Pei, editors. Advances in Cryptology, ASIACRYPT 98. Springer-Verlag, LNCS 1514, 1998.
[B98] D.A. Buell and J.T. Teitelbaum, editors. Computational Perspectives on Number Theory: Proceedings of a Conference in Honor of A.O.L. Atkin. American Mathematical Society/International Press, 7, 1998.
[C85] H.C. Williams, editor. Advances in Cryptology, CRYPTO 85. Springer-Verlag, LNCS 218, 1986.
[C90] A.J. Menezes and S.A. Vanstone, editors. Advances in Cryptology, CRYPTO 90. Springer-Verlag, LNCS 537, 1991.
[C91] J. Feigenbaum, editor. Advances in Cryptology, CRYPTO 91. Springer-Verlag, LNCS 576, 1992.
[C92] E.F. Brickell, editor. Advances in Cryptology, CRYPTO 92. Springer-Verlag, LNCS 740, 1993.
[C94] Y.G. Desmedt, editor. Advances in Cryptology, CRYPTO 94. Springer-Verlag, LNCS 839, 1994.
[C96] N. Koblitz, editor. Advances in Cryptology, CRYPTO 96. Springer-Verlag, LNCS 1109, 1996.
[C97] B. Kaliski, editor. Advances in Cryptology, CRYPTO 97. Springer-Verlag, LNCS 1294, 1997.
[E84] T. Beth, N. Cot and I. Ingemarsson, editors. Advances in Cryptology, EUROCRYPT 84. Springer-Verlag, LNCS 209, 1985.
[E89] J.-J. Quisquater and J. Vandewalle, editors. Advances in Cryptology, EUROCRYPT 89. Springer-Verlag, LNCS 434, 1990.
[E90] I.B. Damgård, editor. Advances in Cryptology, EUROCRYPT 90. Springer-Verlag, LNCS 473, 1991.
[E91] D.W. Davies, editor. Advances in Cryptology, EUROCRYPT 91. Springer-Verlag, LNCS 547, 1991.
[E95] L.C. Guillou and J.-J. Quisquater, editors. Advances in Cryptology, EUROCRYPT 95. Springer-Verlag, LNCS 921, 1995.
[E96] U.M. Maurer, editor. Advances in Cryptology, EUROCRYPT 96. Springer-Verlag, LNCS 1070, 1996.

[E97] W. Fumy, editor. Advances in Cryptology, EUROCRYPT 97. Springer-Verlag, LNCS 1233, 1997.
[E98] K. Nyberg, editor. Advances in Cryptology, EUROCRYPT 98. Springer-Verlag, LNCS 1403, 1998.
[FIPS186] FIPS 186. Digital Signature Standard. Federal Information Processing Standards Publication 186, U.S. Department of Commerce/N.I.S.T., National Technical Information Service, 1994.
[P1363] IEEE P1363/D3 (Draft version 3). Standard specifications for public key cryptography. May 1998.
[1] L. Adleman. The function field sieve. In [A-1], 108-121.
[2] L. Adleman, J. De Marrais and M.-D. Huang. A sub-exponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields. In [A-1], 28-40.
[3] L. Adleman and M.-D. Huang. Primality Testing and Abelian Varieties over Finite Fields. Springer-Verlag, LNM 1512, 1992.
[4] L. Adleman and M.-D. Huang. Counting rational points on curves and abelian varieties over finite fields. In [A-2], 1-16.
[5] A.V. Aho, J.E. Hopcroft and J.D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974.
[6] S. Arno and F.S. Wheeler. Signed digit representations of minimal Hamming weight. IEEE Trans. Comp., 42, 1007-1010, 1993.
[7] A.O.L. Atkin and F. Morain. Elliptic curves and primality proving. Math. Comp., 61, 29-67, 1993.
[8] R. Balasubramanian and N. Koblitz. The improbability that an elliptic curve has sub-exponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm. J. Crypto., 11, 141-145, 1998.
[9] E.R. Berlekamp. Algebraic Coding Theory. Aegean Park Press, 1984.
[10] I. Biehl, J. Buchmann and C. Thiel. Cryptographic protocols based on discrete logarithms in real-quadratic orders. In [C94], 56-60.
[11] B.J. Birch. Atkin and the Atlas Lab. In [B98], 13-20.
[12] B.J. Birch and H.P.F. Swinnerton-Dyer. Notes on elliptic curves. I. J. Reine Angew. Math., 212, 7-25, 1963.
[13] B.J. Birch and H.P.F. Swinnerton-Dyer. Notes on elliptic curves. II. J. Reine Angew. Math., 218, 79-108, 1965.
[14] I.F. Blake, S. Gao and R.J. Lambert. Construction and distribution problems for irreducible trinomials over finite fields. In Applications of Finite Fields, D. Gollmann, editor, Oxford University Press, 1996.
[15] I.F. Blake, X.H. Gao, R.C. Mullin, S.A. Vanstone and T. Yaghoobian. Applications of Finite Fields. A.J. Menezes, editor. Kluwer Academic Publishers, 1993.
[16] I.F. Blake, R.M. Roth and G. Seroussi. Efficient arithmetic in finite fields through palindromic representation. Hewlett-Packard Technical Report No. HPL-98-134, August 1998.
[17] D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In [C97], 235-248.
[18] D. Boneh and R. Lipton. Algorithms for black-box fields and their application to cryptography. In [C96], 283-297.
[19] D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring. In [E98], 59-71.
[20] J. Buchmann, S. Düllmann and H.C. Williams. On the complexity and efficiency of a new key exchange system. In [E89], 597-616.

[21] J. Buchmann, M. Jacobson and E. Teske. On some computational problems in finite abelian groups. Math. Comp., 66, 1663-1687, 1997.
[22] J. Buchmann and S. Paulus. A one way function based on ideal arithmetic in number fields. In [C97], 385-394.
[23] J. Buchmann and H.C. Williams. A key-exchange system based on imaginary quadratic fields. J. Crypto., 1, 107-118, 1988.
[24] D.G. Cantor. Computing in the Jacobian of a hyperelliptic curve. Math. Comp., 48, 95-101, 1987.
[25] J.W.S. Cassels. Diophantine equations with special reference to elliptic curves. J. LMS, 41, 193-291, 1966.
[26] L.S. Charlap, R. Coley and D.P. Robbins. Enumeration of rational points on elliptic curves over finite fields. Preprint, 1992.
[27] D.V. Chudnovsky and G.V. Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. in Appl. Math., 7, 385-434, 1987.
[28] W.E. Clark and J.J. Liang. On arithmetic weight for a general radix representation of integers. IEEE Trans. Info. Theory, 19, 823-826, 1973.
[29] H. Cohen. A Course in Computational Algebraic Number Theory. Springer-Verlag, GTM 138, 1993.
[30] H. Cohen, A. Miyaji and T. Ono. Efficient elliptic curve exponentiation using mixed coordinates. In [A98], 51-65.
[31] P. Cohen. On the coefficients of the transformation polynomials for the elliptic modular function. Math. Proc. Camb. Phil. Soc., 95, 389-402, 1984.
[32] J.-M. Couveignes. Computing a square root for the number field sieve. In [77], 95-102.
[33] J.-M. Couveignes. Computing l-isogenies using the p-torsion. In [A-2], 59-65.
[34] J.-M. Couveignes. Quelques calculs en théorie des nombres. Thèse, Université de Bordeaux I, July 1994.
[35] J.-M. Couveignes. Isogeny cycles and the Schoof-Elkies-Atkin algorithm. L'École Polytechnique, Laboratoire d'Informatique, CNRS, Palaiseau, August 1996.
[36] J.-M. Couveignes and F. Morain. Schoof's algorithm and isogeny cycles. In [A-1], 43-58.
[37] R. Crandall. Method and apparatus for public key exchange in a cryptographic system. U.S. Patent Number 5159632, 1992.
[38] S.R. Dussé and B.S. Kaliski. A cryptographic library for the Motorola DSP56000. In [E90], 230-244.
[39] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Info. Theory, 31, 469-472, 1985.
[40] N.D. Elkies. Elliptic and modular curves over finite fields and related computational issues. In [B98], 21-76.
[41] P. Erdős. Remarks on number theory. III. On addition chains. Acta Arith., 77-81, 1960.
[42] W. Feller. An Introduction to Probability Theory and its Applications. John Wiley & Sons, 1970.
[43] R. Flassenberg and S. Paulus. Sieving in function fields. Preprint, 1997.
[44] G. Frey and H.-G. Rück. A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comp., 62, 865-874, 1994.
[45] S. Gao and H.W. Lenstra. Optimal normal bases. Designs, Codes and Cryptography, 2, 315-323, 1992.

[46] S. Goldwasser and J. Kilian. Almost all primes can be quickly certified. In Proc. 18th STOC, 316-329, 1986.
[47] S.W. Golomb. Shift Register Sequences. Holden-Day, 1967.
[48] D.M. Gordon. A survey of fast exponentiation methods. J. Algorithms, 27, 129-146, 1998.
[49] J. Guajardo and C. Paar. Efficient algorithms for elliptic curve cryptosystems. In [C97], 342-356.
[50] J.L. Hafner and K.S. McCurley. A rigorous sub-exponential algorithm for computation of class groups. J. AMS, 2, 837-850, 1989.
[51] O. Herrmann. Über die Berechnung der Fourierkoeffizienten der Funktion j(τ). J. Reine Angew. Math., 274/275, 187-195, 1975.
[52] D. Hühnlein, M. Jacobson, S. Paulus and T. Takagi. A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption. In [E98], 279-287.
[53] J.-I. Igusa. Arithmetic variety of moduli for genus two. Ann. Math., 72, 612-649, 1960.
[54] T. Itoh and S. Tsujii. A fast algorithm for computing multiplicative inverses in GF(2^m) using normal bases. Info. and Comput., 78(3), 171-177, 1988.
[55] M. Jacobson, N. Koblitz, J.H. Silverman, A. Stein and E. Teske. Analysis of the xedni calculus attack. Preprint, 1999.
[56] J. Jedwab and C.J. Mitchell. Minimum weight modified signed-digit representations and fast exponentiation. Electronics Letters, 25, 1171-1172, 1989.
[57] M. Joye and J.-J. Quisquater. Reducing the elliptic curve cryptosystem of Meyer-Müller to the cryptosystem of Rabin-Williams. Designs, Codes and Cryptography, 14, 53-56, 1998.
[58] B.S. Kaliski. The Montgomery inverse and its applications. IEEE Trans. Comp., 44, 1064-1065, 1995.
[59] A. Karatsuba. Doklady Akad. Nauk SSSR, 145, 293-294, 1962. English translation in Soviet Physics-Doklady, 7, 595-596, 1963.
[60] A.W. Knapp. Elliptic Curves. Princeton University Press, 1993.
[61] D.E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. Addison-Wesley, 2nd edition, 1981.
[62] N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48, 203-209, 1987.
[63] N. Koblitz. Hyperelliptic cryptosystems. J. Crypto., 1, 139-150, 1989.
[64] N. Koblitz. Constructing elliptic curve cryptosystems in characteristic 2. In [C90], 156-167.
[65] N. Koblitz. CM-curves with good cryptographic properties. In [C91], 279-287.
[66] N. Koblitz. Algebraic Aspects of Cryptography. Algorithms and Computation in Mathematics 3, Springer-Verlag, Berlin, 1998.
[67] Ç.K. Koç and T. Acar. Montgomery multiplication in GF(2^k). Designs, Codes and Cryptography, 14, 57-69, 1998.
[68] K. Koyama, U. Maurer, T. Okamoto and S.A. Vanstone. New public-key schemes based on elliptic curves over the ring Z_n. In [C91], 252-266.
[69] K. Koyama and Y. Tsuruoka. Speeding up elliptic cryptosystems by using a signed binary window method. In [C92], 345-357.
[70] K. Kurosawa, K. Okada and S. Tsujii. Low exponent attack against elliptic curve RSA. In [A94], 376-383.
[71] K.-Y. Lam and L.C.K. Hui. Efficiency of SS(l) square-and-multiply exponentiation algorithms. Electronics Letters, 30, 2115-2116, 1994.
[72] S. Lang. Elliptic Curves: Diophantine Analysis. Springer-Verlag, 1978.
[73] G.-J. Lay and H.G. Zimmer. Constructing elliptic curves with given group order over large finite fields. In [A-1], 250-263.

[74] F. Lehmann, M. Maurer, V. Müller and V. Shoup. Counting the number of points on elliptic curves over finite fields of characteristic greater than three. In [A-1], 60-70.
[75] F. Lemmermeyer. The Euclidean algorithm in algebraic number fields. Expo. Math., 13, 385-416, 1995.
[76] A. Lempel, G. Seroussi and S. Winograd. On the complexity of multiplication in finite fields. Theoretical Comp. Sci., 22, 285-296, 1983.
[77] A.K. Lenstra and H.W. Lenstra, editors. The Development of the Number Field Sieve. Springer-Verlag, LNM 1554, 1993.
[78] H.W. Lenstra. Factoring integers with elliptic curves. Ann. Math., 126, 649-673, 1987.
[79] H.W. Lenstra and C.P. Schnorr. A Monte Carlo factoring algorithm with linear storage. Math. Comp., 43, 289-311, 1984.
[80] R. Lercier. Computing isogenies in F_{2^n}. In [A-2], 197-212.
[81] R. Lercier. Algorithmique des courbes elliptiques dans les corps finis. Thèse, L'École Polytechnique, Laboratoire d'Informatique, CNRS, Paris, June 1997.
[82] R. Lercier. Finding good random elliptic curves for cryptosystems defined over F_{2^n}. In [E97], 379-392.
[83] R. Lercier and F. Morain. Counting the number of points on elliptic curves over finite fields: strategies and performances. In [E95], 79-94.
[84] R. Lercier and F. Morain. Algorithms for computing isogenies between elliptic curves. In [B98], 77-96.
[85] R. Lercier and F. Morain. Counting points on elliptic curves over F_{p^n} using Couveignes' algorithm. Rapport de Recherche LIX/RR/95/09, 1995.
[86] R. Lidl and H. Niederreiter. Finite Fields. Encyclopedia of Mathematics and its Applications, G.-C. Rota, editor, Addison-Wesley, 1983.
[87] J.H. van Lint. Introduction to Coding Theory. Springer-Verlag, 1982.
[88] K.S. McCurley. The discrete logarithm problem. In Cryptology and Computational Number Theory, C. Pomerance, editor, 49-74. Proc. Symp. Applied Maths 42, 1990.
[89] J. McKee. Subtleties in the distribution of the numbers of points on elliptic curves over a finite prime field. J. LMS, 59, 448-460, 1999.
[90] J. McKee and R.G.E. Pinch. On a cryptosystem of Vanstone and Zuccherato. Preprint, 1998.
[91] K. Mahler. On the coefficients of the 2^m-th transformation polynomial for j(ω). Acta Arith., 21, 89-97, 1972.
[92] K. Mahler. On the coefficients of transformation polynomials for the modular function. Bull. Austral. Math. Soc., 10, 197-218, 1974.
[93] J.L. Massey and O.N. Garcia. Error correcting codes in computer arithmetic. In Advances in Information Systems Science, J.L. Tou, editor, 4, 273-326. Plenum, New York, 1971.
[94] U.M. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In [C94], 271-281.
[95] U.M. Maurer and S. Wolf. Diffie-Hellman oracles. In [C96], 268-282.
[96] W. Meier and O. Staffelbach. Efficient multiplication on certain non-supersingular elliptic curves. In [C92], 333-344.
[97] A.J. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993.
[98] A.J. Menezes, T. Okamoto and S.A. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Info. Theory, 39, 1639-1646, 1993.

[99] A.J. Menezes, P.C. van Oorschot and S.A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[100] A.J. Menezes, S.A. Vanstone and R.J. Zuccherato. Counting points on elliptic curves over F_{2^n}. Math. Comp., 60, 407-420, 1993.
[101] B. Meyer and V. Müller. A public key cryptosystem based on elliptic curves over Z/nZ equivalent to factoring. In [E96], 49-59.
[102] G. Miller. Riemann's hypothesis and tests for primality. J. Comp. and Sys. Sci., 13, 300-317, 1976.
[103] V. Miller. Use of elliptic curves in cryptography. In [C85], 417-426.
[104] A. Miyaji. Elliptic curves over F_p suitable for cryptosystems. In [A92], 479-491.
[105] P.L. Montgomery. Modular multiplication without trial division. Math. Comp., 44, 519-521, 1985.
[106] P.L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization. Math. Comp., 48, 243-264, 1987.
[107] F. Morain. Building cyclic elliptic curves modulo large primes. In [E91], 328-336.
[108] F. Morain. Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques. J. Théorie des Nombres de Bordeaux, 7, 255-282, 1995.
[109] F. Morain and J. Olivos. Speeding up the computations on an elliptic curve using addition-subtraction chains. Info. Theory Appl., 24, 531-543, 1990.
[110] V. Müller. Ein Algorithmus zur Bestimmung der Punktzahl elliptischer Kurven über endlichen Körpern der Charakteristik größer drei. Ph.D. Thesis, Universität des Saarlandes, 1995.
[111] V. Müller. Fast multiplication on elliptic curves over small fields of characteristic two. J. Crypto., 11, 219-234, 1998.
[112] R. Mullin, I. Onyszchuk, S.A. Vanstone and R. Wilson. Optimal normal bases in GF(p^n). Discrete Appl. Math., 22, 149-161, 1988/89.
[113] K. Nyberg and R.A. Rueppel. Message recovery for signature schemes based on the discrete logarithm problem. Designs, Codes and Cryptography, 7, 61-81, 1996.
[114] A.M. Odlyzko. Discrete logarithms in finite fields and their cryptographic significance. In [E84], 224-314.
[115] J. Omura and J. Massey. Computational method and apparatus for finite field arithmetic. U.S. Patent number 4,587,627, May 1986.
[116] P.C. van Oorschot and M.J. Wiener. Parallel collision search with cryptanalytic applications. J. Crypto., 12, 1-28, 1999.
[117] S. Paulus. An algorithm of sub-exponential type computing the class group of quadratic orders over principal ideal domains. In [A-2], 243-257.
[118] S. Paulus and H.-G. Rück. Real and imaginary quadratic representation of hyperelliptic function fields. Math. Comp., 68, 1233-1241, 1999.
[119] S. Paulus and A. Stein. Comparing real and imaginary arithmetics for divisor class groups of hyperelliptic curves. In [A-3], 576-591.
[120] J. Pila. Frobenius maps of abelian varieties and finding roots of unity in finite fields. Math. Comp., 55, 745-763, 1990.
[121] R.G.E. Pinch. Extending the Wiener attack to RSA-type cryptosystems. Electronics Letters, 31, 1736-1738, 1995.
[122] J.-M. Piveteau. New signature scheme with message recovery. Electronics Letters, 29, 2185, 1993.
[123] H.C. Pocklington. The determination of the prime and composite nature of large numbers by Fermat's theorem. Proc. Camb. Phil. Soc., 18, 29-30, 1914/16.
[124] G.C. Pohlig and M.E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Info. Theory, 24, 106-110, 1978.

[125] J.M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32, 918-924, 1978.
[126] K.C. Posch and R. Posch. Modulo reduction in residue number systems. IEEE Trans. Parallel and Dist. Systems, 6, 449-454, 1995.
[127] K.C. Posch and R. Posch. Division in residue number systems involving length indicators. J. Comp. Appl. Maths., 66, 411-419, 1996.
[128] J.-J. Quisquater and J.-P. Delescaille. How easy is collision search? Application to DES. In [E89], 408-413.
[129] M. Rabin. Digitalized signatures and public key functions as intractable as factorization. MIT/LCS/TR-212, MIT Laboratory for Computer Science, 1979.
[130] M. Rabin. Probabilistic algorithms for testing primality. J. Number Theory, 12, 128-138, 1980.
[131] G. Reitwiesner. Binary arithmetic. Adv. in Comp., 1, 231-308, 1960.
[132] H. Riesel. Prime Numbers and Computer Methods for Factorization. Birkhäuser, 1985.
[133] R.L. Rivest, A. Shamir and L.M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM, 21, 120-126, 1978.
[134] R.L. Rivest, A. Shamir and L.M. Adleman. Cryptographic communications system and method. US Patent No 4405829, 1983.
[135] H.-G. Rück. On the discrete logarithm problem in the divisor class group of curves. Math. Comp., 68, 805-806, 1999.
[136] T. Satoh and K. Araki. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comm. Math. Univ. Sancti Pauli, 47, 81-92, 1998.
[137] J. Sattler and C.P. Schnorr. Generating random walks in groups. Ann. Univ. Sci. Budapest. Sect. Comp., 6, 65-79, 1985.
[138] E.F. Schaefer. Computing a Selmer group of a Jacobian using functions on the curve. Math. Ann., 310, 447-471, 1998.
[139] B. Schneier. Applied Cryptography. John Wiley and Sons, 1996.
[140] A. Schönhage. Schnelle Multiplikation von Polynomen über Körpern der Charakteristik 2. Acta Info., 7, 395-398, 1977.
[141] R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., 44, 483-494, 1985.
[142] R. Schoof. Counting points on elliptic curves over finite fields. J. Théorie des Nombres de Bordeaux, 7, 219-254, 1995.
[143] I.A. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comp., 67, 353-356, 1998.
[144] G. Seroussi. Table of low-weight irreducible polynomials over F_2. Hewlett-Packard Laboratories Technical Report No. HPL-98-135, August 1998.
[145] G. Seroussi. Compact representation of elliptic curve points over F_{2^n}. Hewlett-Packard Laboratories Technical Report No. HPL-98-94R1, September 1998.
[146] V. Shoup. Lower bounds for discrete logarithms and related problems. In [E97], 256-266.
[147] J.H. Silverman. The Arithmetic of Elliptic Curves. Springer-Verlag, GTM 106, 1986.
[148] J.H. Silverman. Advanced Topics in the Arithmetic of Elliptic Curves. Springer-Verlag, GTM 151, 1994.
[149] J.H. Silverman and J. Suzuki. Elliptic curve discrete logarithms and the index calculus. In [A98], 110-125.
[150] J.H. Silverman. The xedni calculus and the elliptic curve discrete logarithm problem. Preprint, 1998.

[151] N.P. Smart. The Algorithmic Resolution of Diophantine Equations. Cambridge University Press, 1998.
[152] N.P. Smart. Elliptic curves over small fields of odd characteristic. J. Crypto., 12, 141-151, 1999.
[153] N.P. Smart. The discrete logarithm problem on elliptic curves of trace one. J. Crypto., 12, 193-196, 1999.
[154] J.A. Solinas. An improved algorithm for arithmetic on a family of elliptic curves. In [C97], 357-371.
[155] A.-M. Spallek. Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key-Kryptosystemen. Ph.D. Thesis, Universität Essen, 1994.
[156] R.G. Swan. Factorization of polynomials over finite fields. Pacific J. Math., 12, 1099-1106, 1962.
[157] E. Teske. Speeding up Pollard's rho method for computing discrete logarithms. In [A-3], 541-554.
[158] E. Teske. A space efficient algorithm for group structure computation. Math. Comp., 67, 1637-1663, 1998.
[159] S.A. Vanstone and R.J. Zuccherato. Elliptic curve cryptosystems using curves of smooth order over the ring Z_n. IEEE Trans. Info. Theory, 43, 1231-1237, 1997.
[160] J. Vélu. Isogénies entre courbes elliptiques. Comptes Rendus Acad. Sci. Paris, Sér. A, 273, 238-241, 1971.
[161] J.F. Voloch. The discrete logarithm problem on elliptic curves and descents. Preprint, 1997.
[162] A. Wiles. Modular elliptic curves and Fermat's Last Theorem. Ann. Math., 141, 443-551, 1995.
[163] H.C. Williams. A modification of the RSA public-key encryption procedure. IEEE Trans. Info. Theory, 26, 726-729, 1980.
[164] S. Winograd. Some bilinear forms whose complexity depends on the field of constants. Math. Sys. Theory, 10, 169-180, 1977.
Author Index

Adleman, L.M., 7, 165, 173, 176
Araki, K., 88, 106
Atkin, A.O.L., 50, 114, 116, 119, 146, 156, 165, 173
Birch, B.J., 98, 114
Blake, I.F., 24
Boneh, D., xii, 6, 166
Buchmann, J., xii, 7
Cohen, H., 102
Cremona, J., xii
De Marrais, J., 176
Deligne, P., 49
Dussé, S.R., 16
Elkies, N., 50, 114, 115, 119, 139, 146, 173
Erdős, P., 65
Flassenberg, R., 176, 177
Frey, G., 82, 86, 176
Galbraith, S., xii
Goldwasser, S., 164, 165
Hafner, J.L., 176
Hellman, M.E., 7, 80
Huang, M.-D., 165, 173, 176
Itoh, T., 22
Joye, M., 8
Kaliski, B.S., 16, 17
Karatsuba, A., 20
Kilian, J., 164, 165
Knuth, D.E., 63
Koblitz, N., xi, 7, 107, 171
Koyama, K., 8
Lenstra, H.W. Jnr, 35, 159
Lercier, R., 119, 133-138
Massey, J., 22
Maurer, M., xii
Maurer, U.M., 166, 168
McCurley, K.S., 7, 176
Menezes, A.J., xii, 2, 82, 86
Mestre, J.-F., 102, 104
Meyer, B., 8
Miller, V., xi, 7
Miyaji, A., 79, 86
Montgomery, P.L., 15
Morain, F., 156, 165
Mordell, L.J., 49
Müller, V., xii, 8, 121, 131, 133, 142
Nyberg, K., 5
Okamoto, T., 82
Omura, J., 22
van Oorschot, P., 2, 96
Paterson, K., xii
Paulus, S., 176, 177
Pila, J., 173
Piveteau, J.-M., 5
Pohlig, G.C., 7, 80
Pollard, J.M., 80, 93, 104, 176
Quisquater, J.-J., 8
Rabin, M., 8
Ramanujan, S., 49
Rubinstein, M., xii
Rück, H.-G., 82, 86, 176
Rueppel, R.A., 5
Satoh, T., 88, 106
Schaefer, E., xii
Schneier, B., 2
Schönhage, A., 20
Schoof, R., xii, 104, 109, 119, 120, 127, 165, 173
Semaev, I.A., 79, 88, 106
Seroussi, G., 77
Shanks, D., 79, 92, 102, 168
Silverman, J.H., 88
Smart, N.P., 88, 106
Solinas, J., 75
Swan, R.G., 19
Swinnerton-Dyer, H.P.F., 98
Tsujii, S., 22
Vanstone, S.A., 2, 82
Vélu, J., 134
Voloch, J.F., 82
Wiener, M.J., 96
Williams, H.C., 7, 8
Wolf, S., 166, 168
Zaba, S., xii


Subject Index

addition chain, 62 diophantine equation, 152, 157


addition-subtraction chains, 63 discrete logarithm problem, 2, 3, 6, 7, 79-
affine coordinates, 30, 57-58, 60-61 99, 166-169
anomalous curves, 79, 86, 88-91 anomalous curves, 79, 88-91
Atkin primes, 116, 118-122, 140-142 baby step/giant step algorithm, 79, 91-
authenticity, 1 93
elliptic curve, 57, 79-99
baby step/giant step algorithm, 79, 91- hyperelliptic, 176-180
93, 104, 142-144, 168, 176 index calculus methods, 97-98
Barrett reduction, 14-15 MOY attack, 79, 82-88
Bernoulli number, 49 Pohlig-Hellman, 79-82
Birch-Swinnerton-Dyer conjecture, 98 rho, lambda and kangaroo methods, 79,
bit-serial multipliers, 22 93-97
BSGS, see baby step/giant step algorithm discriminant, 114, 119, 150-152, 156, 157,
165, 179
Cantor's algorithm, 172 division polynomials, 39-42, 115, 135
certificate of primality, 163 divisor, 85, 177-179
Chinese Remainder Theorem, 13, 80, 109, semi-reduced, 172
142, 145, 159, 160 divisor class group, 85
chord-tangent process, 32 DLP, see discrete logarithm problem
class group, 7, 92, 150, 176 DSA, see Digital Signature Algorithm
class number, 151, 157, 173 dual isogeny, 45
CM, see complex multiplication
complex multiplication, 46, 149-157, 162, ECDLP, see elliptic curve, discrete loga­
165, 173 rithm problem
confidentiality, 1 ECM, see elliptic curve, factoring method
Cornacchia's algorithm, 152, 157 ECPP, see elliptic curve, primality prov-
CRT, s e e Chinese Remainder Theorem ing method
Eisenstein series, 49, 124
Data Encryption Standard, 3 ElGamal digital signature, xi, 3
Dedekind's 77-function, 49, 53, 156 ElGamal encryption, xi, 3
DES, see Data Encryption Standard Elkies primes, 115-116, 118-140
descent via isogeny, 82-83 elliptic curve
DHP, see Diffie-Hellman problem admissible change of variable, 31
Diffie-Hellman key exchange, xi, 3, 6 applications, 159-169
Diffie-Hellman problem, 3, 166-169 checking group order, 103-104
digital signature, 2 determining a random point, 35
ElGamal, xi, 3 determining group order, 101-107, 109-
Nyberg-Rueppel, 5 148
with message recovery, 5 discrete logarithm problem, 7, 57, 79-
Digital Signature Algorithm, xi, 4 99
201
202 SUBJECT INDEX

discriminant, 30, 124, 133 Frobenius expansion, 73-76


efficient implementation, 57-76 Frobenius map, see Frobenius endomor­
endomorphism ring, 45, 149 phism
examples, 181-189 Frobenius, trace of, xii, 34, 46, 73, 79, 90,
characteristic two, 186-189 105, 140, 153
odd characteristic, 181-185 function field, 176
factoring method, 7, 159-162 function field sieve, 176
generating with CM, 151-157
group law, 31-34 Galois cohomology, 82
isomorphism, 31, 36-38, 47 Galois group, 46
j-invariant, 31, 47, 116, 120, 121, 123, Galois representation, 46
126, 133, 149, 153 Goldwasser-Kilian primality test, 164
non-singular, 30, 31, 133 group exponentiation, 2, 62, 63
non-supersingular, 118, 119
over a finite field, 34-38 Hafner-McCurley method, 178-180
point addition, 31-34, 57-62 half-trace, 26
point at infinity ( 0), 30 Hasse's Theorem, 34, 73, 77, 102, 107
point doubling, 32, see point addition Hensel's Lemma, 90
point multiplication, 62-76 Hilbert class field, 150, 152, 155-157
primality proving method, 7, 164-166 Hilbert polynomial, 150, 152-155, 157,
torsion structure, 42 173
elliptic function, 29 Hilbert's Theorem 90, 83
elliptic integrals, 29 hyperelliptic cryptosystems, 171-180
elliptic logarithm, p-adic, 79 hyperelliptic curve, 171
endomorphism, 34, 44 arithmetic, 171-173
Euclidean algorithm, 13, 16, 17, 21, 24, Jacobian, 8, 165, 171
25 ]-invariant, 173
Euclidean domain, 75
Igusa invariants, 174
imaginary quadratic number field, 149
factor base, 178
imaginary quadratic orders, 7
factoring, 92
index calculus methods, 97-98
Fermat's Last Theorem, 29
integrity, 1
finite field arithmetic, 11-27
isogeny, 44, 116, 127, 134
characteristic two, 19-27
computing
normal bases, 22-25
characteristic two, 133-138
palindromic polynomial, 24
odd characteristic, 123-133
palindromic representation, 24
degree, 44
polynomial bases, 19-22
kernel, 121, 123, 125, 127, 128, 134
solving quadratic equations, 26
subfield bases, 25-26 Jacobi's formula, 49, 125
odd characteristic, 11-19 Jacobian, 7, 171, 176
Barrett reduction, 14-15 Jacobian representation, 58
moduli of special form, 12 j-invariant, see elliptic curve, j-invariant
Montgomery arithmetic, 15-17
residue number system, 13-14 kangaroos, 176
solving quadratic equations, 17-19 Koblitz curves, 101
square roots, 17-19 Kronecker congruence relation, 51
formal group, 89
Frobenius endomorphism, 34, 73, 110, 116, lambda method, 80, 92, 95
118, 121, 139, 140, 144 lattice, 46, 50, 127
characteristic polynomial, 115, 119, 121 Laurent series, 89
SUBJECT INDEX 203

Legendre symbol, 18, 102, 120

Massey-Omura encryption, xi, 5
Massey-Omura multiplier, 22
Miller-Rabin test, 162
modular arithmetic, 11-19
    polynomial, 19-22, 24
modular function, 47
modular inversion, 13, 16
    polynomial, 21
modular multiplication, 12
    polynomial, 19
modular polynomials, 50-55, 116, 118-122, 144
    variants, 52
modular reduction, 12
    polynomial, 19
moduli of special form, 12
Montgomery arithmetic, 15-17
Montgomery multiplication, 17
Montgomery reduction, 15-16
Mordell-Weil Theorem, 98
morphism, 44
MOV attack, 82-88
MOV condition, 99
multiplication-by-m map ([m]), 34

NAF, see non-adjacent form
Néron-Tate height, 98
Newton-Raphson iteration, 89
non-adjacent form, 67
non-repudiation, 1
number field sieve, 7, 176
Nyberg-Rueppel digital signature, 5

ONB, see optimal normal bases
optimal normal bases, 22-25

p-adic numbers, 88
palindromic polynomial, 24
palindromic representation, 24
Pocklington-Lehmer primality test, 162-165
Pohlig-Hellman, 80-83, 91, 168, 174
point
    addition, 31-34, 57-62
        affine coordinates, 57-58, 60-61
        cost summary, 60, 62
        projective coordinates, 59-62
    at infinity (O), 30
    compression, 76-78
    counting, xii, 42, 50, 52, 101-107, 109-148, 181
    doubling, 32, see point addition
    multiplication, 57, 62-76
        and exponentiation, 63
        binary method, 63
        example of costs, 72
        m-ary method, 64
        modified m-ary method, 64
        of fixed point, 72
        precomputation, 64-66, 70, 72
        relative costs, 72
        signed m-ary window, 70
        signed digit method, 67
        sliding window method, 66
        window methods, 66
        with non-adjacent form representation, 68
    rational, 30
polynomial multiplication, 20
Prime Number Theorem, 107
projective coordinates, 22, 30, 58-62
    weighted, 58
proof of primality, 162
    down run, 163
public key cryptography, 1

Ramanujan τ-function, 48
random walk, 95
rational point, 30
residue number system, 13-14
rho method, 80, 92, 96
RSA, 6, 8

Schoof's algorithm, 50, 109-148, 155, 165, 173
SEA algorithm, 117
Shanks and Mestre algorithm, 104
smooth number, 159
solving quadratic equations
    characteristic two, 26
    odd characteristic, 17-19
subfield bases, 25-26
subfield curves, 73, 101, 104-106, 174
supersingular curve, 37, 45, 83

tame and wild kangaroos, 80
Tate module, 46
torsion group, 40
torsion points, 40-44, 120
    group structure, 42, 121
trace of Frobenius, see Frobenius, trace of
twist, 37, 38, 104, 107, 109, 146

Weber polynomials, 155-156
Weierstrass equation, 30, 124, 127
Weierstrass form, 29
Weierstrass ℘-function, 29, 47, 127
Weil pairing, 42-45, 79, 84

zeta function, 105, 174

204 SUBJECT INDEX
